예제 #1
 // P/Invoke declaration for Win32 LookupAccountSid: resolves a binary SID to an
 // account name and the domain it was found in. The [DllImport] attribute is not
 // part of this excerpt; Marshal.GetLastWin32Error() is only meaningful after a
 // failed call if that attribute sets SetLastError = true.
 // cchName / cchReferencedDomainName are in/out character counts: pass the
 // StringBuilder capacities in. When a buffer is too small the call fails and
 // the required size comes back, so callers should retry instead of treating
 // that failure as "unknown account".
 static extern bool LookupAccountSid(
     string lpSystemName,
     [MarshalAs(UnmanagedType.LPArray)] byte[] Sid,
     StringBuilder lpName,
     ref uint cchName,
     StringBuilder referencedDomainName,
     ref uint cchReferencedDomainName,
     out SID_NAME_USE peUse);
예제 #2
 // P/Invoke declaration for Win32 LookupAccountName: resolves an account name
 // to its SID and the domain the name was found in ([DllImport] not shown here).
 // Sid is a caller-allocated buffer and cbSid its size in bytes; the domain
 // size is counted in characters. Both sizes are in/out: on a too-small buffer
 // the call fails and returns the required size, so the return value must be
 // checked before the Sid bytes are used.
 static extern bool LookupAccountName(
     string lpSystemName,
     string lpAccountName,
     [MarshalAs(UnmanagedType.LPArray)] byte[] Sid,
     ref uint cbSid,
     StringBuilder ReferencedDomainName,
     ref uint cchReferencedDomainName,
     out SID_NAME_USE peUse);
예제 #3
 // Win32 LookupAccountName binding (the [DllImport] attribute is outside this
 // excerpt). sidLength is in bytes, domainNameLength in characters; both are
 // updated by the call. A null systemName starts the lookup on the local
 // system; a caller-supplied host name turns the lookup into a remote call.
 internal static extern bool LookupAccountName(string systemName,
                                               string accountName,
                                               [MarshalAs(UnmanagedType.LPArray)]
                                               byte[] sid,
                                               ref uint sidLength,
                                               StringBuilder domainName,
                                               ref uint domainNameLength,
                                               out SID_NAME_USE peUse);
예제 #4
 // Win32 LookupAccountSid binding taking the SID as a raw pointer; the caller
 // owns that memory and must keep it valid for the duration of the call.
 // Despite the "cb" prefix, the API counts both name sizes in characters, not
 // bytes. The [DllImport] attribute is not part of this excerpt.
 private static extern bool LookupAccountSid(
     string systemName,
     IntPtr sid,
     StringBuilder name,
     ref int cbName,
     StringBuilder domainName,
     ref int cbDomainName,
     out SID_NAME_USE use);
예제 #5
 // Win32 LookupAccountSid binding. BOOL, PSID and DWORD are project-declared
 // types that are not visible in this excerpt.
 // The names come back in plain char[] buffers: after a successful call only
 // the character count reported in cchName / cchReferencedDomainName is valid
 // text; the rest of each array is whatever the caller left there.
 public static extern BOOL LookupAccountSid(
     string lpSystemName,
     PSID Sid,
     [Out] char[] Name,
     ref DWORD cchName,
     [Out] char[] ReferencedDomainName,
     ref DWORD cchReferencedDomainName,
     out SID_NAME_USE peUse);
예제 #6
 // Win32 LookupAccountName binding ([DllImport] not shown). An unqualified
 // accountName can match in more than one domain; the Win32 documentation
 // recommends a fully qualified "domain\user" name when a specific account is
 // meant. cbSid is in bytes, cchReferencedDomainName in characters, both in/out.
 static extern bool LookupAccountName(
     string systemName,
     string accountName,
     [MarshalAs(UnmanagedType.LPArray)] byte[] Sid,
     ref uint cbSid,
     StringBuilder referencedDomainName,
     ref uint cchReferencedDomainName,
     out SID_NAME_USE nameUse);
예제 #7
 // Win32 LookupAccountName binding with a non-standard parameter list.
 // NOTE(review): the native API takes the domain buffer as a pointer and both
 // sizes as pointers to in/out DWORDs. Here ReferencedDomainName and
 // ReferencedDomainNameSize are plain ints and SIDSize is out-only, so the
 // caller cannot hand a buffer capacity to the API and, in a 64-bit process,
 // cannot pass a real buffer address. Confirm against the callers before
 // reusing this declaration.
 public static extern bool LookupAccountName(
     string SystemName,
     string AccountName,
     IntPtr SID,
     out int SIDSize,
     int ReferencedDomainName,
     int ReferencedDomainNameSize,
     out SID_NAME_USE Use
     );
 // Win32 LookupAccountName binding ([DllImport] not shown). Sid is a managed
 // byte[] handed to native code for the duration of the call; cbSid must not
 // exceed Sid.Length, otherwise the native side may write past the array.
 internal static extern bool LookupAccountName(
     string lpSystemName,
     string lpAccountName,
     byte[]           Sid,
     ref uint cbSid,
     StringBuilder ReferencedDomainName,
     ref uint cchReferencedDomainName,
     out SID_NAME_USE peUse
     );
예제 #9
 /// <summary>
 /// Builds a group entry from values the caller has already resolved. Every
 /// argument is stored as given; nothing is validated or copied.
 /// </summary>
 /// <param name="sidName">Stored in <c>SIDString</c>.</param>
 /// <param name="sidPtr">Stored in <c>SIDPtr</c>. NOTE(review): raw pointer; who owns and frees the memory is not visible here.</param>
 /// <param name="attributes">Stored in <c>Attributes</c>.</param>
 /// <param name="name">Stored in <c>Name</c>.</param>
 /// <param name="domain">Stored in <c>Domain</c>.</param>
 /// <param name="tpe">Stored in <c>Type</c>.</param>
 public ATGroup(string sidName, IntPtr sidPtr, int attributes, string name, string domain, SID_NAME_USE tpe)
 {
     SIDPtr = sidPtr;
     SIDString = sidName;
     Attributes = attributes;
     Name = name;
     Domain = domain;
     Type = tpe;
 }
예제 #10
 // Win32 LookupAccountName binding; BOOL, PSID and DWORD are project types
 // not shown here. cbSid is a byte count, but the API counts cbDomainName in
 // characters despite its "cb" name. DomainName is a raw char[]: size it from
 // the value a first call reports rather than from a fixed guess.
 public static extern BOOL LookupAccountName(
     string lpSystemName,
     string lpAccountName,
     PSID Sid,
     ref DWORD cbSid,
     [Out] char[] DomainName,
     ref DWORD cbDomainName,
     out SID_NAME_USE peUse
     );
예제 #11
 // Private Win32 LookupAccountName binding (the leading underscore presumably
 // separates it from a managed wrapper of the same name). [DllImport] is not
 // shown; callers that read Marshal.GetLastWin32Error() depend on it setting
 // SetLastError = true. cbSid must not exceed Sid.Length.
 private static extern bool _LookupAccountName(
     String lpSystemName,
     String lpAccountName,
     byte[] Sid,
     ref uint cbSid,
     StringBuilder lpReferencedDomainName,
     ref uint cchReferencedDomainName,
     out SID_NAME_USE peUse
     );
예제 #12
 // Win32 LookupAccountName binding with both input strings forced to UTF-16.
 // NOTE(review): the StringBuilder carries no MarshalAs, so its encoding
 // follows the CharSet of the [DllImport] attribute, which is not shown; it
 // has to be Unicode as well or the domain name is decoded with the wrong
 // character width.
 public static extern bool LookupAccountName([MarshalAs(UnmanagedType.LPWStr)]
                                             string lpSystemName,
                                             [MarshalAs(UnmanagedType.LPWStr)]
                                             string lpAccountName,
                                             IntPtr Sid,
                                             ref uint cbSid,
                                             StringBuilder ReferencedDomainName,
                                             ref uint cchReferencedDomainName,
                                             out SID_NAME_USE peUse);
예제 #13
 // Binding for the wide-character LookupAccountSidW with raw byte[] buffers.
 // NOTE(review): the native function counts cbName / cbDomainName in WCHARs,
 // not bytes, so each byte[] needs two bytes per character passed in the
 // count; passing the array length in bytes would let the call write past
 // the array. Confirm how callers size these buffers.
 internal unsafe static extern bool LookupAccountSidW(
     [MarshalAs(UnmanagedType.LPWStr), In]
     string lpSystemName,                      // name of local or remote computer
     [In] System.IntPtr Sid,                   // security identifier
     [In, Out] byte [] Name,                   // account name buffer
     [In, Out] ref System.UInt32 cbName,       // size of account name buffer
     [In, Out] byte [] DomainName,             // domain name
     [In, Out] ref System.UInt32 cbDomainName, // size of domain name buffer
     [Out] out SID_NAME_USE peUse              // SID type
     );
예제 #14
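        /// <summary>
        /// Resolves a binary SID to its account name and domain through
        /// <c>_LookupAccountSid</c>.
        /// </summary>
        /// <param name="lpSystemName">System to run the lookup on; passed through unchanged.</param>
        /// <param name="sid">Binary SID to resolve; a null array yields <c>false</c>.</param>
        /// <param name="name">Account name on success, otherwise null.</param>
        /// <param name="refDomain">Domain name on success, otherwise null.</param>
        /// <param name="peUse">Account type on success, otherwise <c>SidTypeUnknown</c>.</param>
        /// <returns><c>true</c> only when the native lookup itself reported success.</returns>
        public static bool LookupAccountSid(
            string lpSystemName,
            byte[] sid,
            out string name,
            out string refDomain,
            out SID_NAME_USE peUse
            )
        {
            // Outputs keep these values on every failure path.
            name      = null;
            refDomain = null;
            peUse     = SID_NAME_USE.SidTypeUnknown;

            if (sid == null)
            {
                return false;
            }

            // "new" never returns null, so the buffers need no null checks.
            StringBuilder nameBldr   = new StringBuilder(NameLength);
            StringBuilder refDomBldr = new StringBuilder(NameLength);
            uint nameBldrSize   = (uint)nameBldr.Capacity;
            uint refDomBldrSize = (uint)refDomBldr.Capacity;

            bool found = _LookupAccountSid(lpSystemName, sid, nameBldr, ref nameBldrSize,
                                           refDomBldr, ref refDomBldrSize, out peUse);

            // When a buffer is too small the API fails and reports the size it
            // needs; grow once and retry so long names are not misreported as
            // unresolvable.
            if (!found &&
                (nameBldrSize > (uint)nameBldr.Capacity || refDomBldrSize > (uint)refDomBldr.Capacity))
            {
                nameBldr.EnsureCapacity(checked((int)nameBldrSize));
                refDomBldr.EnsureCapacity(checked((int)refDomBldrSize));
                nameBldrSize   = (uint)nameBldr.Capacity;
                refDomBldrSize = (uint)refDomBldr.Capacity;

                found = _LookupAccountSid(lpSystemName, sid, nameBldr, ref nameBldrSize,
                                          refDomBldr, ref refDomBldrSize, out peUse);
            }

            // Success is taken from the API's own return value. Deriving it from
            // GetLastWin32Error() reports success with null outputs whenever a
            // failed call leaves the last-error value at zero.
            if (!found)
            {
                peUse = SID_NAME_USE.SidTypeUnknown;
                return false;
            }

            name      = nameBldr.ToString();
            refDomain = refDomBldr.ToString();
            return true;
        }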
예제 #15
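        /// <summary>
        /// Resolves an account name to its binary SID and domain through
        /// <c>_LookupAccountName</c>.
        /// </summary>
        /// <param name="lpSystemName">System to run the lookup on; passed through unchanged.</param>
        /// <param name="lpAccountName">Account to resolve; null or empty yields <c>false</c>.</param>
        /// <param name="sid">SID buffer on success, otherwise null. The buffer may be longer than the SID it holds.</param>
        /// <param name="refDomain">Domain name on success, otherwise null.</param>
        /// <param name="peUse">Account type on success, otherwise <c>SidTypeUnknown</c>.</param>
        /// <returns><c>true</c> only when the native lookup itself reported success.</returns>
        public static bool LookupAccountName(
            String lpSystemName,
            String lpAccountName,
            out byte[] sid,
            out string refDomain,
            out SID_NAME_USE peUse
            )
        {
            // Outputs keep these values on every failure path.
            sid       = null;
            refDomain = null;
            peUse     = SID_NAME_USE.SidTypeUnknown;

            if (string.IsNullOrEmpty(lpAccountName))
            {
                return false;
            }

            // "new" never returns null, so the buffers need no null checks.
            byte[] bSid = new byte[SidLength];
            StringBuilder refDomBldr = new StringBuilder(NameLength);
            uint bSidSize       = (uint)bSid.Length;
            uint refDomBldrSize = (uint)refDomBldr.Capacity;

            bool found = _LookupAccountName(lpSystemName, lpAccountName, bSid, ref bSidSize,
                                            refDomBldr, ref refDomBldrSize, out peUse);

            // When a buffer is too small the API fails and reports the size it
            // needs; grow once and retry instead of reporting the account as
            // unresolvable.
            if (!found &&
                (bSidSize > (uint)bSid.Length || refDomBldrSize > (uint)refDomBldr.Capacity))
            {
                if (bSidSize > (uint)bSid.Length)
                {
                    bSid = new byte[checked((int)bSidSize)];
                }
                refDomBldr.EnsureCapacity(checked((int)refDomBldrSize));
                bSidSize       = (uint)bSid.Length;
                refDomBldrSize = (uint)refDomBldr.Capacity;

                found = _LookupAccountName(lpSystemName, lpAccountName, bSid, ref bSidSize,
                                           refDomBldr, ref refDomBldrSize, out peUse);
            }

            // Success is taken from the API's own return value. Deriving it from
            // GetLastWin32Error() reports success with a null SID whenever a
            // failed call leaves the last-error value at zero.
            if (!found)
            {
                peUse = SID_NAME_USE.SidTypeUnknown;
                return false;
            }

            sid       = bSid;
            refDomain = refDomBldr.ToString();
            return true;
        }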
예제 #16
        /// <summary>
        /// Resolves <paramref name="accountName"/> to a SID with two
        /// LookupAccountName calls: a probe that reports the buffer sizes, then
        /// the lookup proper into buffers of that size.
        /// </summary>
        /// <param name="accountName">Account name handed to LookupAccountName.</param>
        /// <returns>The PSID filled in by the second call.</returns>
        /// <exception cref="System.ComponentModel.Win32Exception">The second lookup failed.</exception>
        private PSID GetSid(string accountName)
        {
            int sidBytes = 0;
            int domainChars = 0;
            SID_NAME_USE use = 0;

            // Size probe; its result is deliberately not checked.
            // NOTE(review): the probe targets "svr" while the lookup below targets
            // string.Empty, so the sizes and the SID may come from different
            // systems - confirm which one is intended.
            LookupAccountName(svr, accountName, new PSID(), ref sidBytes, null, ref domainChars, ref use);

            System.Text.StringBuilder domainBuffer = new System.Text.StringBuilder(domainChars);
            PSID resolved = new PSID(sidBytes);

            bool ok = LookupAccountName(string.Empty, accountName, resolved, ref sidBytes, domainBuffer, ref domainChars, ref use);
            if (ok)
            {
                return resolved;
            }

            throw new System.ComponentModel.Win32Exception();
        }
예제 #17
        /// <summary>
        /// Creates an entry for a SID given in SDDL string form.
        /// </summary>
        /// <param name="sddlSid">SID string; stored in <c>Sid</c> and, for groups, passed to <c>CheckSidType</c>.</param>
        /// <param name="name">Stored in <c>NTName</c>.</param>
        /// <param name="usage">Account type used to choose the attribute flags; defaults to <c>SidTypeGroup</c>.</param>
        public SidInfo(string sddlSid, string name, SID_NAME_USE usage = SID_NAME_USE.SidTypeGroup)
        {
            Position = -10;

            // NOTE(review): SID_NAME_USE is tested as a bit mask. If this enum uses
            // the Win32 numbering it is an ordinal, not a flag set, and the test is
            // also true for other values that share the SidTypeGroup bit - confirm.
            bool hasGroupBit = (usage & SID_NAME_USE.SidTypeGroup) == SID_NAME_USE.SidTypeGroup;
            if (hasGroupBit)
            {
                Attributes = SID_ATTRIBUTE_INFORMATION.SE_GROUP_FROM_ENUM;
            }
            else
            {
                Attributes = SID_ATTRIBUTE_INFORMATION.SE_GROUP_FROM_ENUM |
                             SID_ATTRIBUTE_INFORMATION.SE_GROUP_USER_FROM_ENUM;
            }

            Sid = sddlSid;
            NTName = name;

            if (IsGroup)
            {
                CheckSidType(sddlSid);
            }
        }
예제 #18
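        // Reports whether the logon session behind the given token statistics resolves
        // to an account named "SYSTEM"; userName receives the resolved account name.
        // Returns false, leaving userName untouched, when the session data cannot be read.
        //
        // NOTE(review): the decision is made on the account *name* only. The domain is
        // ignored and the name depends on a successful lookup. Comparing the session SID
        // with the well-known LocalSystem SID (S-1-5-18) would not depend on name
        // resolution.
        // NOTE(review): the buffer returned by LsaGetLogonSessionData is not released
        // here; the LSA API expects LsaFreeReturnBuffer for it, and no declaration of
        // that function is visible in this excerpt.
        public static Boolean GetTokenInformationToUsername(TOKEN_STATISTICS tokenStatistics, ref String userName)
        {
            // Large enough for any account or domain name; a default-capacity
            // StringBuilder makes the lookup fail for longer names.
            const int nameBufferChars = 256;

            // AllocHGlobal throws when it cannot allocate, so the pointer is never zero.
            IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(_LUID)));

            try
            {
                Marshal.StructureToPtr(tokenStatistics.AuthenticationId, lpLuid, false);

                IntPtr ppLogonSessionData = new IntPtr();

                if (0 != LsaGetLogonSessionData(lpLuid, out ppLogonSessionData))
                {
                    return(false);
                }

                if (IntPtr.Zero == ppLogonSessionData)
                {
                    return(false);
                }

                SECURITY_LOGON_SESSION_DATA securityLogonSessionData = (SECURITY_LOGON_SESSION_DATA)Marshal.PtrToStructure(ppLogonSessionData, typeof(SECURITY_LOGON_SESSION_DATA));

                if (IntPtr.Zero == securityLogonSessionData.Sid || IntPtr.Zero == securityLogonSessionData.UserName.Buffer || IntPtr.Zero == securityLogonSessionData.LogonDomain.Buffer)
                {
                    return(false);
                }

                StringBuilder lpName  = new StringBuilder(nameBufferChars);
                UInt32        cchName = (UInt32)lpName.Capacity;
                StringBuilder lpReferencedDomainName  = new StringBuilder(nameBufferChars);
                UInt32        cchReferencedDomainName = (UInt32)lpReferencedDomainName.Capacity;
                SID_NAME_USE  sidNameUse = new SID_NAME_USE();

                // A failed lookup leaves lpName empty, which compares unequal below.
                LookupAccountSid(String.Empty, securityLogonSessionData.Sid, lpName, ref cchName, lpReferencedDomainName, ref cchReferencedDomainName, out sidNameUse);

                userName = lpName.ToString();

                // Ordinal comparison: the result must not depend on the current culture.
                return(String.Equals(userName, "SYSTEM", StringComparison.OrdinalIgnoreCase));
            }
            finally
            {
                // The LUID copy was leaked on every path before.
                Marshal.FreeHGlobal(lpLuid);
            }
        }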
예제 #19
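 /// <summary>
 /// Span-based overload: pins both buffers and forwards to the pointer-taking
 /// LookupAccountSid overload.
 /// </summary>
 /// <param name="lpSystemName">Passed through unchanged.</param>
 /// <param name="sid">Pointer to the binary SID; passed through unchanged.</param>
 /// <param name="userName">Buffer that receives the account name.</param>
 /// <param name="cchName">In: capacity of <paramref name="userName"/> in characters. Out: value written by the native call.</param>
 /// <param name="domainName">Buffer that receives the domain name.</param>
 /// <param name="cchDomainName">In: capacity of <paramref name="domainName"/> in characters. Out: value written by the native call.</param>
 /// <param name="peUse">Account type reported by the native call.</param>
 /// <returns>The result of the forwarded call.</returns>
 /// <exception cref="ArgumentOutOfRangeException">A count is negative or larger than its span.</exception>
 internal static unsafe bool LookupAccountSid(string lpSystemName,
                                              IntPtr sid,
                                              Span<char> userName,
                                              ref int cchName,
                                              Span<char> domainName,
                                              ref int cchDomainName,
                                              out SID_NAME_USE peUse)
 {
     // The native side treats these counts as buffer capacities; a value larger
     // than the span would let it write past the pinned memory.
     if (cchName < 0 || cchName > userName.Length)
     {
         throw new ArgumentOutOfRangeException(nameof(cchName));
     }

     if (cchDomainName < 0 || cchDomainName > domainName.Length)
     {
         throw new ArgumentOutOfRangeException(nameof(cchDomainName));
     }

     fixed (char* userNamePtr = &MemoryMarshal.GetReference(userName))
     fixed (char* domainNamePtr = &MemoryMarshal.GetReference(domainName))
     {
         return LookupAccountSid(lpSystemName,
                                 sid,
                                 userNamePtr,
                                 ref cchName,
                                 domainNamePtr,
                                 ref cchDomainName,
                                 out peUse);
     }
 }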
예제 #20
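        /// <summary>
        /// Obtains the localized name for the "BUILTIN\Users" group in this machine
        /// </summary>
        /// <returns>The account name LookupAccountSid reports for SID S-1-5-32-545.</returns>
        /// <exception cref="InvalidOperationException">The lookup failed; the message carries the Win32 error code.</exception>
        public static string GetNormalUsersGroupName()
        {
            StringBuilder name    = new StringBuilder();
            uint          cchName = (uint)name.Capacity;
            StringBuilder referencedDomainName    = new StringBuilder();
            uint          cchReferencedDomainName = (uint)referencedDomainName.Capacity;
            SID_NAME_USE  sidUse = default(SID_NAME_USE);

            // Binary form of S-1-5-32-545 (BUILTIN\Users): revision 1, two
            // sub-authorities, authority 5, then 32 and 545 as little-endian
            // 32-bit values. The array must hold all 16 bytes: native code takes
            // the length from the sub-authority count, so a 14-byte array makes it
            // read two bytes past the end.
            byte[] Sid = new byte[] { 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 33, 2, 0, 0 };

            int err = NO_ERROR;

            if (!LookupAccountSid(null, Sid, name, ref cchName, referencedDomainName, ref cchReferencedDomainName, out sidUse))
            {
                err = System.Runtime.InteropServices.Marshal.GetLastWin32Error();
                if (err == ERROR_INSUFFICIENT_BUFFER)
                {
                    // The failed call left the required sizes in the cch values.
                    name.EnsureCapacity((int)cchName);
                    referencedDomainName.EnsureCapacity((int)cchReferencedDomainName);
                    err = NO_ERROR;
                    if (!LookupAccountSid(null, Sid, name, ref cchName, referencedDomainName, ref cchReferencedDomainName, out sidUse))
                    {
                        err = System.Runtime.InteropServices.Marshal.GetLastWin32Error();
                    }
                }
            }

            if (err != NO_ERROR)
            {
                throw new InvalidOperationException(string.Format("Error when obtaining BUILTIN\\Users localized name: {0}", err));
            }

            return(name.ToString());
        }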
예제 #21
 // Binding for the ANSI variant LookupAccountNameA: every string is converted
 // through the active ANSI code page, so names with characters outside it
 // cannot be represented exactly. Sid is unmanaged memory owned by the caller;
 // cbSid is its size in bytes.
 public static extern bool LookupAccountNameA([In][MarshalAs(UnmanagedType.LPStr)] string lpSystemName, [In][MarshalAs(UnmanagedType.LPStr)] string lpAccountName, IntPtr Sid, ref uint cbSid, [Out][MarshalAs(UnmanagedType.LPStr)] System.Text.StringBuilder ReferencedDomainName, ref uint cchReferencedDomainName, [Out] out SID_NAME_USE peUse);
예제 #22
 // Win32 LookupAccountSid binding ([DllImport] not shown). Sid points to a
 // binary SID in caller-owned memory; both cch values are in/out character
 // counts and must match the StringBuilder capacities passed alongside.
 static extern bool LookupAccountSid(string lpSystemName, IntPtr Sid, System.Text.StringBuilder lpName, ref uint cchName, System.Text.StringBuilder ReferencedDomainName, ref uint cchReferencedDomainName, out SID_NAME_USE peUse);
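        /// <summary>
        /// Resolves <c>_accountName</c> to a SID and asks Windows which rights the DACL
        /// of <c>_path</c> grants that SID, storing the mask in <c>_accessGranted</c>.
        /// </summary>
        /// <returns>
        /// <c>false</c> only when no security descriptor could be read; <c>true</c> in
        /// every other case, including when an exception was caught.
        /// </returns>
        private bool GetEffectiveSecurityAccessRights()
        {
            try
            {
                bool          daclPresent = false;
                bool          defaulted   = false;
                int           sidSize     = 0;
                SID_NAME_USE  usage       = SID_NAME_USE.SidTypeGroup;
                StringBuilder domain      = new StringBuilder(80);
                int           domainSize  = 80;

                // Size probe: with no SID buffer this call is expected to fail and
                // report the required SID size.
                LookupAccountName(IntPtr.Zero, _accountName, IntPtr.Zero, ref sidSize, domain, ref domainSize, ref usage);
                if (sidSize <= 0)
                {
                    // No size reported, so the account was not resolved. Stop here
                    // rather than hand an empty buffer to the ACL query as a SID.
                    throw new System.ComponentModel.Win32Exception();
                }

                // NOTE(review): _pSid is unmanaged memory kept in a field; nothing in
                // this method frees it, or a value it may have held before.
                _pSid = Marshal.AllocHGlobal(sidSize);

                // Second call fills the SID. Offer at least the original 80
                // characters for the domain, more if the probe asked for more.
                domainSize = Math.Max(domainSize, 80);
                domain.EnsureCapacity(domainSize);
                if (!LookupAccountName(IntPtr.Zero, _accountName, _pSid, ref sidSize, domain, ref domainSize, ref usage))
                {
                    // The buffer does not hold a valid SID; do not query with it.
                    throw new System.ComponentModel.Win32Exception();
                }

                // Describe the trustee by SID.
                TRUSTEE2 trustee = new TRUSTEE2();
                trustee.MultipleTrusteeOperation = MULTIPLE_TRUSTEE_OPERATION.NO_MULTIPLE_TRUSTEE;
                trustee.pMultipleTrustee         = IntPtr.Zero;
                trustee.ptstrName   = _pSid;
                trustee.TrusteeForm = TRUSTEE_FORM.TRUSTEE_IS_SID;
                trustee.TrusteeType = TRUSTEE_TYPE.TRUSTEE_IS_UNKNOWN;

                this.GetFileSecurityDescriptor(_path, SecurityInformation.DACL, out _pSecurityDescriptor);
                if (_pSecurityDescriptor == IntPtr.Zero)
                {
                    System.Diagnostics.Debug.WriteLine("File security descriptor is null");
                    return(false);
                }

                // get the dacl from the descriptor
                GetSecurityDescriptorDacl(_pSecurityDescriptor, ref daclPresent, out _pDacl, ref defaulted);

                // if the dacl is null or one is not found then all access is allowed
                // NOTE(review): _accessGranted is not updated on this path.
                if (!daclPresent || _pDacl == IntPtr.Zero)
                {
                    return(true);
                }

                // get the rights for the dacl
                int result = GetEffectiveRightsFromAcl(_pDacl, ref trustee, ref _accessGranted);

                if (result != ERROR_SUCCESS)
                {
                    throw new System.ComponentModel.Win32Exception(result);
                }

                return(true);
            }
            catch (Exception ex)
            {
                // Debug.WriteLine is compiled out of release builds, so the failure
                // leaves no trace there.
                Debug.WriteLine(ex);
            }

            // NOTE(review): fail-open. Every error above (unresolved account, failed
            // ACL query) still returns true, and _accessGranted keeps whatever value
            // it had. Kept as the original author chose it; callers that base an
            // access decision on this result should confirm that is intended.
            return(true);
        }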
예제 #24
		// Win32 LookupAccountName binding (BOOL, PSID, DWORD: project types not
		// shown). Check the return value before reading Sid or DomainName; a
		// failed call gives no guarantee about the buffer contents.
		public static extern BOOL LookupAccountName(
			string lpSystemName, 
			string lpAccountName, 
			PSID Sid, 
			ref DWORD cbSid, 
			[Out] char[] DomainName, 
			ref DWORD cbDomainName, 
			out SID_NAME_USE peUse
			);
예제 #25
 // Win32 LookupAccountSid binding taking the project's PSID wrapper (not
 // shown). cchName and cchReferencedDomainName are in/out character counts
 // that must match the StringBuilder capacities.
 public static extern bool LookupAccountSid(string lpSystemName, PSID lpSid, StringBuilder lpName, ref int cchName,
                                            StringBuilder lpReferencedDomainName, ref int cchReferencedDomainName, out SID_NAME_USE peUse);
예제 #26
 // Win32 LookupAccountName binding writing the SID into a SafePSID (project
 // type, not shown). cbSid is the byte size of that buffer on input and the
 // size used or required on output.
 public static extern bool LookupAccountName(string lpSystemName, string lpAccountName, SafePSID Sid, ref int cbSid,
                                             StringBuilder ReferencedDomainName, ref int cchReferencedDomainName, out SID_NAME_USE peUse);
		// Win32 LookupAccountName binding whose system name is a raw pointer; the
		// parameter name suggests callers pass IntPtr.Zero (local lookup) - confirm.
		// peUse is ref rather than out, so callers must initialise it first.
		private static extern Boolean LookupAccountName(IntPtr NoSystemName,
			String lpAccountName,
			IntPtr Sid,
			ref int cbSid,
			StringBuilder DomainName,
			ref int cbDomainName,
			ref SID_NAME_USE peUse);		
예제 #28
 // Win32 LookupAccountSid binding with all buffers as raw pointers. The caller
 // allocates lpName / ReferencedDomainName, sizes them in characters to match
 // cchName / cchReferencedDomainName, and frees them afterwards.
 internal static extern bool LookupAccountSid(string lpSystemName, IntPtr Sid, IntPtr lpName, ref int cchName, IntPtr ReferencedDomainName, ref int cchReferencedDomainName, out SID_NAME_USE peUse);
        /// <summary>
        /// Replacement installed for LookupAccountName; once hooked, the process calls
        /// this method instead of the original API.
        /// </summary>
        /// <remarks>
        /// Calls with a null system name are answered locally: <c>peUse</c> becomes
        /// <c>SidTypeUser</c>, the domain buffer is overwritten with
        /// <c>_ReplaceDomainName</c> and <c>true</c> is returned without calling the
        /// original API; <c>Sid</c>, <c>cbSid</c> and <c>cchReferencedDomainName</c> stay
        /// as the caller passed them. All other calls are forwarded unchanged. Each call
        /// queues one log line with the account name, unless the queue already holds
        /// 1000 entries.
        /// </remarks>
        /// <returns><c>true</c> for locally answered calls, otherwise the original API's result.</returns>
        bool lookupAccountName_Hook(string lpSystemName, string lpAccountName, [MarshalAs(UnmanagedType.LPArray)] byte[] Sid, ref uint cbSid, StringBuilder ReferencedDomainName, ref uint cchReferencedDomainName, out SID_NAME_USE peUse)
        {
            bool succeeded;

            if (lpSystemName != null)
            {
                // A system name was given: pass the call through to the real API.
                succeeded = LookupAccountName(lpSystemName, lpAccountName, Sid, ref cbSid, ReferencedDomainName, ref cchReferencedDomainName, out peUse);
            }
            else
            {
                // Null system name: answer locally with the replacement domain.
                peUse = SID_NAME_USE.SidTypeUser;
                ReferencedDomainName.Clear().Append(_ReplaceDomainName);
                succeeded = true;
            }

            try
            {
                lock (this._messageQueue)
                {
                    // Cap the backlog of queued messages.
                    if (this._messageQueue.Count < 1000)
                    {
                        string message = string.Format(
                            "[{0}:{1}]: Access LookupAccountName for account {2} -> {3}",
                            EasyHook.RemoteHooking.GetCurrentProcessId(),
                            EasyHook.RemoteHooking.GetCurrentThreadId(),
                            lpAccountName,
                            ReferencedDomainName.ToString());

                        // Picked up later and sent to FileMonitor.
                        this._messageQueue.Enqueue(message);
                    }
                }
            }
            catch
            {
                // Logging must never take the hosting process down.
            }

            return succeeded;
        }
예제 #30
 // Win32 LookupAccountSid binding.
 // NOTE(review): SID is declared as a 32-bit int although the API expects a
 // pointer, which truncates the address in a 64-bit process. NameSize and
 // ReferencedDomainNameSize are out-only, but the API reads them as the
 // buffer capacities - confirm how callers get a capacity across.
 public static extern bool LookupAccountSid(string SystemName,
                                            int SID, StringBuilder Name, out int NameSize,
                                            StringBuilder ReferencedDomainName, out int ReferencedDomainNameSize,
                                            out SID_NAME_USE Use);
 // Win32 LookupAccountSid binding ([DllImport] not shown). lpSid is the
 // binary SID as a managed byte[]; the API takes the SID's length from its
 // own header, so a truncated array makes the native side read past its end.
 public static extern bool LookupAccountSid(
     string lpSystemName,
     [MarshalAs(UnmanagedType.LPArray)]
     byte[] lpSid,
     StringBuilder lpName,
     ref uint cchName,
     StringBuilder lpReferencedDomainName,
     ref uint cchReferencedDomainName,
     out SID_NAME_USE peUse);
예제 #32
 // Win32 LookupAccountName binding with a non-standard parameter list.
 // NOTE(review): the API expects a pointer for the domain buffer and pointers
 // to in/out sizes. With ReferencedDomainName and ReferencedDomainNameSize as
 // plain ints and SIDSize as out-only, no buffer capacity reaches the API and
 // a 64-bit buffer address cannot be passed - confirm before reuse.
 public static extern bool LookupAccountName(
     string SystemName,
     string AccountName,
     IntPtr SID,
     out int SIDSize,
     int ReferencedDomainName,
     int ReferencedDomainNameSize,
     out SID_NAME_USE Use
     );
예제 #33
 // Win32 LookupAccountSid binding.
 // NOTE(review): the SID pointer is declared as int, so the address is cut to
 // 32 bits in a 64-bit process; the two size parameters are out-only although
 // the API reads them as buffer capacities. Confirm before reuse.
 public static extern bool LookupAccountSid(string SystemName,
     int SID, StringBuilder Name, out int NameSize,
     StringBuilder ReferencedDomainName, out int ReferencedDomainNameSize,
     out SID_NAME_USE Use);
예제 #34
        /// <summary>
        /// Convenience wrapper around the buffer-based LookupAccountName overload using
        /// fixed-size buffers (256 bytes for the SID, 1024 characters for the domain).
        /// </summary>
        /// <param name="systemName">Passed through unchanged.</param>
        /// <param name="accountName">Passed through unchanged.</param>
        /// <param name="sid">Always a newly allocated SafePSID; its content is only meaningful when the method returns true.</param>
        /// <param name="domainName">Text of the domain buffer after the call, whether or not it succeeded.</param>
        /// <param name="snu">Account type reported by the call.</param>
        /// <returns>The result of the underlying lookup; callers must check it before trusting <paramref name="sid"/>.</returns>
        public static bool LookupAccountName(string systemName, string accountName, out SafePSID sid, out string domainName, out SID_NAME_USE snu)
        {
            StringBuilder domainBuffer = new StringBuilder(1024);

            sid = new SafePSID(256);
            int sidBytes    = sid.Size;
            int domainChars = domainBuffer.Capacity;

            bool resolved = LookupAccountName(systemName, accountName, sid, ref sidBytes, domainBuffer, ref domainChars, out snu);

            domainName = domainBuffer.ToString();
            return resolved;
        }
예제 #35
 // Win32 LookupAccountSid binding ([DllImport] not shown); Sid is a pointer to
 // a binary SID. A too-small StringBuilder makes the call fail and report the
 // required size in the matching cch parameter.
 internal static extern bool LookupAccountSid(string lpSystemName, IntPtr Sid, StringBuilder lpName, ref uint cchName, StringBuilder ReferencedDomainName, ref uint cchReferencedDomainName, out SID_NAME_USE peUse);
예제 #36
 // Win32 LookupAccountSid binding with unmanaged output buffers.
 // LPTStr makes the encoding of lpSystemName platform-dependent; the raw
 // lpName / lpReferencedDomainName buffers must be decoded with the same
 // character width. NOTE(review): that width depends on the [DllImport]
 // CharSet and entry point, which are not shown.
 private static extern bool LookupAccountSid([MarshalAs(UnmanagedType.LPTStr)]string lpSystemName,
     IntPtr lpSid,
     IntPtr lpName,
     ref uint cchName,
     IntPtr lpReferencedDomainName,
     ref uint cchReferencedDomainName,
     out SID_NAME_USE peUse);
예제 #37
		// Win32 LookupAccountSid binding (BOOL, PSID, DWORD: project types not
		// shown). Only the first cchName / cchReferencedDomainName characters of
		// the char[] buffers are meaningful after a successful call.
		public static extern BOOL LookupAccountSid(
			string lpSystemName, 
			PSID Sid,
			[Out] char[] Name,
			ref DWORD cchName,
			[Out] char [] ReferencedDomainName,
			ref DWORD cchReferencedDomainName,
			out SID_NAME_USE peUse);
예제 #38
 // Win32 LookupAccountSid binding ([DllImport] not shown). The sizes are
 // character counts despite the "cb" names; peUse is ref, so the caller has
 // to initialise it before the call.
 public static extern bool LookupAccountSid(string SystemName, byte[] bSid, StringBuilder Name, ref int cbName, StringBuilder DomainName, ref int cbDomainName, ref SID_NAME_USE peUse);
예제 #39
 /// <summary>
 /// Stores an already resolved account: user name, domain and account type.
 /// Private, so instances are created only from inside the declaring type.
 /// </summary>
 /// <param name="user">Stored in <c>Username</c>.</param>
 /// <param name="domain">Stored in <c>Domain</c>.</param>
 /// <param name="t">Stored in <c>Type</c>.</param>
 private AccessTokenUser(string user, string domain, SID_NAME_USE t)
 {
     Username = user;
     Domain = domain;
     Type = t;
 }
예제 #40
 /// <summary>
 /// Accepts an account type only when its numeric value is 1, 2, 4, 5 or 9.
 /// </summary>
 /// <remarks>
 /// NOTE(review): if this enum follows the Win32 SID_NAME_USE numbering, those
 /// values are user, group, alias, well-known group and computer - confirm
 /// against the enum declaration, which is not shown here.
 /// </remarks>
 private static bool IsValidSid(SID_NAME_USE use)
 {
     switch ((int)use)
     {
         case 1:
         case 2:
         case 4:
         case 5:
         case 9:
             return true;
         default:
             return false;
     }
 }
예제 #41
 // Win32 LookupAccountSid binding.
 // NOTE(review): cchName and cchReferencedDomainName are out-only here, but
 // the API reads them as the capacities of lpName / lpReferencedDomainName;
 // confirm the StringBuilder sizes actually reach the native call. peUse is
 // ref, so the caller has to initialise it first.
 public static extern bool LookupAccountSid(
     string lpSystemName,
     IntPtr Sid,
     [Out] StringBuilder lpName,
     out uint cchName,
     [Out] StringBuilder lpReferencedDomainName,
     out uint cchReferencedDomainName,
     ref SID_NAME_USE peUse
     );