public static void DecryptSecret(_RPC_UNICODE_STRING input, byte[] sessionKey, out _RPC_UNICODE_STRING output) { output = new _RPC_UNICODE_STRING(); uint blockLength = CRYPT_BLOCK_LENGTH; //encrypt every 8 bytes uint keyLength = CRYPT_KEY_LENGTH; //used to compute output key uint keyIndex = 0; //the key index of sessionKey byte[] buffer = new byte[blockLength]; byte[] inputBuffer = new byte[input.Length]; Buffer.BlockCopy(input.Buffer, 0, inputBuffer, 0, input.Length); DesEcbLmDecode(ArrayUtility.SubArray(inputBuffer, 0, (int)blockLength), sessionKey, out buffer); //output.Length and version are combined in 8 bytes as the header, each of them occupys 4 bytes. output.Length = TypeMarshal.ToStruct <ushort>(buffer); uint version = TypeMarshal.ToStruct <uint>(ArrayUtility.SubArray(buffer, 4, sizeof(uint))); byte[] outputBuffer = new byte[0]; if (version != CRYPT_VERSION) { throw new ArgumentException("failed in checking version."); } //get the next 7 bytes in sessionKey as the key of DesEcbLm //if not enough, keyIndex = AdvanceKey(keyIndex); uint remaining = input.Length - blockLength; uint count = 1; while (remaining > blockLength) { DesEcbLmDecode(ArrayUtility.SubArray(inputBuffer, (int)(count * blockLength), (int)blockLength), ArrayUtility.SubArray(sessionKey, (int)keyIndex, (int)keyLength), out buffer); outputBuffer = ArrayUtility.ConcatenateArrays(outputBuffer, buffer); keyIndex = AdvanceKey(keyIndex); count++; remaining -= blockLength; } if (remaining > 0) { byte[] temp = new byte[blockLength]; Buffer.BlockCopy(inputBuffer, (int)(count * blockLength), temp, 0, (int)remaining); DesEcbLmDecode(temp, ArrayUtility.SubArray(sessionKey, (int)keyIndex, (int)keyLength), out buffer); outputBuffer = ArrayUtility.ConcatenateArrays(outputBuffer, buffer); } output.Buffer = new ushort[outputBuffer.Length / sizeof(ushort)]; output.MaximumLength = (ushort)outputBuffer.Length; Buffer.BlockCopy(outputBuffer, 0, output.Buffer, 0, outputBuffer.Length); }
public S4UDelegationInfo(string s4uProxyTarget, string[] s4uTransitedServices) { Type = PacInfoBufferType.S4U2Proxy; _RPC_UNICODE_STRING[] tmp = new _RPC_UNICODE_STRING[s4uTransitedServices.Length]; int c = 0; foreach (string s4uTransitedService in s4uTransitedServices) { tmp[c] = new _RPC_UNICODE_STRING(s4uTransitedService); c += 1; } s4u = new _S4U_DELEGATION_INFO(new _RPC_UNICODE_STRING(s4uProxyTarget), s4uTransitedServices.Length, tmp); }
public static void EncryptSecret(_RPC_UNICODE_STRING input, byte[] sessionKey, out _RPC_UNICODE_STRING output) { output = new _RPC_UNICODE_STRING(); uint blockLength = CRYPT_BLOCK_LENGTH; //encrypt every 8 bytes uint keyLength = CRYPT_KEY_LENGTH; //used to compute output key uint keyIndex = 0; //the key index of sessionKey byte[] buffer = new byte[blockLength]; uint version = CRYPT_VERSION; //the version must be 1, defined in TD. //copy input.Length and version to buffer, each of them occupys 4 bytes //It's the encrypted data's header, when decrypting, the length and version would be decoded in //the same format. Array.Copy(BitConverter.GetBytes(input.Length), buffer, sizeof(ushort)); Array.Copy(BitConverter.GetBytes(version), 0, buffer, 4, sizeof(uint)); byte[] outputBuffer = new byte[buffer.Length]; DesEcbLmEncode(buffer, sessionKey, out outputBuffer); byte[] inputBuffer = new byte[input.Length]; Buffer.BlockCopy(input.Buffer, 0, inputBuffer, 0, input.Length); keyIndex = AdvanceKey(keyIndex); uint remaining = input.Length; uint count = 0; while (remaining > blockLength) { DesEcbLmEncode(ArrayUtility.SubArray(inputBuffer, (int)(count * blockLength), (int)blockLength), ArrayUtility.SubArray(sessionKey, (int)keyIndex, (int)keyLength), out buffer); outputBuffer = ArrayUtility.ConcatenateArrays(outputBuffer, buffer); keyIndex = AdvanceKey(keyIndex); count++; remaining -= blockLength; } if (remaining > 0) { byte[] temp = new byte[blockLength]; Buffer.BlockCopy(inputBuffer, (int)(count * blockLength), temp, 0, (int)remaining); DesEcbLmEncode(temp, ArrayUtility.SubArray(sessionKey, (int)keyIndex, (int)keyLength), out buffer); outputBuffer = ArrayUtility.ConcatenateArrays(outputBuffer, buffer); } output.Length = (ushort)outputBuffer.Length; output.MaximumLength = (ushort)outputBuffer.Length; //output.Length is the length in bytes of output.Buffer output.Buffer = new ushort[output.Length / sizeof(ushort)]; Buffer.BlockCopy(outputBuffer, 0, output.Buffer, 0, output.Length); }
/// <summary> /// Creates an S4uDelegationInfo instance using the specified s4U2proxyTarget and /// s4UTransitedServices. /// </summary> /// <param name="s4U2proxyTarget">the name of the principal to whom the application /// can be constraint delegated.</param> /// <param name="s4UTransitedServices">The list of all services that configured to /// be delegated.</param> /// <returns>The created S4uDelegationInfo instance.</returns> public static S4uDelegationInfo CreateS4uInfoBuffer( string s4U2proxyTarget, params string[] s4UTransitedServices) { S4uDelegationInfo s4uInfo = new S4uDelegationInfo(); s4uInfo.NativeS4uDelegationInfo.S4U2proxyTarget = DtypUtility.ToRpcUnicodeString(s4U2proxyTarget); s4uInfo.NativeS4uDelegationInfo.TransitedListSize = (uint)s4UTransitedServices.Length; _RPC_UNICODE_STRING[] transitedServiceArray = new _RPC_UNICODE_STRING[s4UTransitedServices.Length]; for (int i = 0; i < transitedServiceArray.Length; i++) { transitedServiceArray[i] = DtypUtility.ToRpcUnicodeString(s4UTransitedServices[i]); } s4uInfo.NativeS4uDelegationInfo.S4UTransitedServices = transitedServiceArray; return(s4uInfo); }
/// <summary> /// Method to read the Wellknown Principal Names from ptfconfig file /// which are given in Section 7.1.1.2.6 of ADTS document, and convert them into RPC_UNICODE_STRING format. /// </summary> /// <param name="numberOfUsers">Contains the number of well known users.</param> /// <param name="securityPrincipals">The security principals of well known users.</param> /// <param name="rpcNameBuffer">The RPC name.</param> public static void InitializeWellknownPrincipalNames( uint numberOfUsers, string[] securityPrincipals, ref _RPC_UNICODE_STRING[] rpcNameBuffer) { rpcNameBuffer = new _RPC_UNICODE_STRING[numberOfUsers]; nameString = new string[numberOfUsers]; for (int index = 0; index < numberOfUsers; index++) { nameString[index] = securityPrincipals[index]; char[] nameArray = new char[nameString[index].Length]; nameArray = nameString[index].ToCharArray(); rpcNameBuffer[index].Buffer = new ushort[nameArray.Length]; Array.Copy(nameArray, rpcNameBuffer[index].Buffer, nameArray.Length); rpcNameBuffer[index].Length = (ushort)(2 * rpcNameBuffer[index].Buffer.Length); rpcNameBuffer[index].MaximumLength = (ushort)(rpcNameBuffer[index].Length + 2); } }
public static _LSAPR_TRUSTED_DOMAIN_INFORMATION_EX[] DomainInformation(string testDomainName, int trustDirection) { _LSAPR_TRUSTED_DOMAIN_INFORMATION_EX[] DomainInformation = new _LSAPR_TRUSTED_DOMAIN_INFORMATION_EX[1]; _RPC_UNICODE_STRING[] DomainName = new _RPC_UNICODE_STRING[1]; GetTheDomainName(testDomainName, ref DomainName); DomainName[0].Length = (ushort)(DomainName[0].Buffer.Length * 2); DomainName[0].MaximumLength = (ushort)(2 + DomainName[0].Length); DomainInformation[0].Name = new _RPC_UNICODE_STRING(); DomainInformation[0].Name = DomainName[0]; DomainInformation[0].FlatName = DomainName[0]; DomainInformation[0].Sid = Utilities.GetSid(testDomainName); DomainInformation[0].TrustAttributes = MS_ADTS_SecurityRequirementsValidator.TrustAttributes; DomainInformation[0].TrustDirection = (uint)trustDirection; DomainInformation[0].TrustType = TrustType_Values.ActiveDirectory; return(DomainInformation); }
public ErrorStatus DeleteObject( int handleInput, ObjectEnum usedObject, out Handle handleOutput) { _LSAPR_OBJECT_ATTRIBUTES[] objectAttributesForDelete = new _LSAPR_OBJECT_ATTRIBUTES[1]; _RPC_UNICODE_STRING[] SecretName = new _RPC_UNICODE_STRING[1]; IntPtr? deleteHandle = IntPtr.Zero; IntPtr? PolicyHandle2 = IntPtr.Zero; IntPtr? deletedHandle = IntPtr.Zero; Hashtable htCheckHandle = new Hashtable(); if (TurstDomainFlag && usedObject == ObjectEnum.TrustDomainObject) { ////Check if Interdomain Trust Account exist and is valid bool isInterdomainTrustAccountExist = !CheckInterdomainTrustAccount(); uintMethodStatus = lsadClientStack.LsarDeleteObject(ref validTrustHandle); handleOutput = (IntPtr.Zero == validTrustHandle) ? Handle.Null : Handle.Invalid; TurstDomainFlag = false; ////Check if interdomain trust account is deleted along with the trusted domain if (isInterdomainTrustAccountExist) { #region MS-LSAD_R1062 // Add the comment information including the location information. TestClassBase.BaseTestSite.Log.Add(LogEntryKind.Comment, "Verify MS-LSAD_R1062"); // Verify requirement 1062 TestClassBase.BaseTestSite.CaptureRequirement( "MS-LSAD", 1062, @"If the object being deleted is a trusted domain, then the server MUST also check whether an interdomain trust account with name ""<Trusted Domain NetBIOS Name>$"" exists."); #endregion //// The server must delete that account along with the trusted domain, so check the accounts exists //// or not We expect the trusted domain is not existed #region MS-LSAD_R1063 // Add the comment information including the location information. TestClassBase.BaseTestSite.Log.Add(LogEntryKind.Comment, "Verify MS-LSAD_R1063"); // Verify requirement 1063 TestClassBase.BaseTestSite.CaptureRequirement( "MS-LSAD", 1063, @"If an interdomain trust account with name ""<Trusted Domain NetBIOS Name>$""] exists, the server MUST delete that account along with the trusted domain."); #endregion } } else { if (secretFlag && usedObject == ObjectEnum.SecretObject) { objectAttributesForDelete[0].RootDirectory = null; IntPtr?tempSecretHandle = IntPtr.Zero; IntPtr?tempSecretHandle2 = IntPtr.Zero; IntPtr?objDeletHandle = IntPtr.Zero; if (stSecretInformation.UIntSecretHandleAccessCount != handleInput) { utilities.nameOfSecretObject(ResOfNameChecked.Valid, ref SecretName); lsadClientStack.LsarOpenPolicy( utilities.ConversionfromStringtoushortArray("name"), objectAttributesForDelete[0], ACCESS_MASK.POLICY_CREATE_SECRET, out PolicyHandle2); lsadClientStack.LsarOpenSecret( PolicyHandle2.Value, SecretName[0], ACCESS_MASK.DELETE, out tempSecretHandle2); if (tempSecretHandle2 != IntPtr.Zero) { lsadClientStack.LsarDeleteObject(ref tempSecretHandle2); } lsadClientStack.LsarCreateSecret( PolicyHandle2.Value, SecretName[0], ACCESS_MASK.DELETE, out tempSecretHandle); lsadClientStack.LsarOpenSecret( PolicyHandle2.Value, SecretName[0], ACCESS_MASK.DELETE, out tempSecretHandle2); lsadClientStack.LsarDeleteObject(ref tempSecretHandle); deletedHandle = tempSecretHandle; objDeletHandle = tempSecretHandle2; } else if ((uintAccessMask & ACCESS_MASK.DELETE) != ACCESS_MASK.DELETE) { objDeletHandle = objSecretHandle; } else if (stPolicyInformation.PHandle == handleInput) { objDeletHandle = PolicyHandle; } else { objDeletHandle = objSecretHandle; } uintMethodStatus = lsadClientStack.LsarDeleteObject(ref objDeletHandle); deletedHandle = objDeletHandle; handleOutput = (0 == uintMethodStatus) ? Handle.Null : Handle.Invalid; } else { uintDesrAccess = ACCESS_MASK.MAXIMUM_ALLOWED; objAccountSid[0].Revision = 0x01; uintMethodStatus = lsadClientStack.LsarOpenPolicy( serverName, objectAttributesForDelete[0], uintDesrAccess, out objPolicyHandle); if (stPolicyInformation.PHandle == handleInput) { uintMethodStatus = lsadClientStack.LsarOpenPolicy( serverName, objectAttributesForDelete[0], uintDesrAccess, out objPolicyHandle); deleteHandle = objPolicyHandle; uintMethodStatus = lsadClientStack.LsarDeleteObject(ref objPolicyHandle); deletedHandle = objPolicyHandle; } else if ((stPolicyInformation.PHandle + 1 != handleInput) || ((htAccHandle.Count == 0) && (checkTrustHandle == false))) { #region Passing InvalidHandle uintMethodStatus = lsadClientStack.LsarOpenAccount( objPolicyHandle.Value, objAccountSid[0], uintDesrAccess, out deleteHandle); if (uintMethodStatus != 0) { uintMethodStatus = lsadClientStack.LsarCreateAccount( objPolicyHandle.Value, objAccountSid[0], uintDesrAccess, out deleteHandle); } uintMethodStatus = lsadClientStack.LsarOpenAccount( objPolicyHandle.Value, objAccountSid[0], uintDesrAccess, out objAccountHandle); uintMethodStatus = lsadClientStack.LsarDeleteObject(ref deleteHandle); #endregion Passing InvalidHandle deleteHandle = objAccountHandle; uintMethodStatus = lsadClientStack.LsarDeleteObject(ref objAccountHandle); deletedHandle = objAccountHandle; } else { if (uintOpenAccAccess != 0) { objAccountSid[0].Revision = 0x01; uintDesrAccess = ACCESS_MASK.MAXIMUM_ALLOWED; } else { uintDesrAccess = ACCESS_MASK.NONE; htCheckHandle.Add("DeleteHandle", 0); } lsadClientStack.LsarOpenAccount( objPolicyHandle.Value, objAccountSid[0], uintDesrAccess, out objAccountHandle); deleteHandle = validAccountHandle; if (uintOpenAccAccess != 0) { uintMethodStatus = lsadClientStack.LsarDeleteObject(ref deleteHandle); } else { if ((checkTrustHandle == true) && (htAccHandle.Count == 0)) { deleteHandle = validTrustHandle; uintMethodStatus = lsadClientStack.LsarDeleteObject(ref deleteHandle); } else { uintMethodStatus = lsadClientStack.LsarDeleteObject(ref objAccountHandle); deletedHandle = objAccountHandle; } } } handleOutput = (IntPtr.Zero == deleteHandle) ? Handle.Null : Handle.Invalid; } if (secretFlag && usedObject == ObjectEnum.SecretObject) { if (stSecretInformation.UIntSecretHandleAccessCount != handleInput) { #region MS-LSAD_R844 TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.InvalidHandle, (uint)uintMethodStatus, "MS-LSAD", 844, @"The server MUST make all subsequent requests to the deleted object fail with STATUS_INVALID_HANDLE, even if the requests come in through other open handles."); #endregion } else if ((uintAccessMask & ACCESS_MASK.DELETE) != ACCESS_MASK.DELETE) { #region MS-LSAD_R843 TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.AccessDenied, (uint)uintMethodStatus, "MS-LSAD", 843, @"The handle in LsarDeleteObject MUST have been opened for DELETE access, and the server MUST fail the request with STATUS_ACCESS_DENIED otherwise."); #endregion } else if (stPolicyInformation.PHandle == handleInput) { #region MS-LSAD_R842 TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.InvalidParameter, (uint)uintMethodStatus, "MS-LSAD", 842, @"Policy objects cannot be deleted. Attempts to delete policy objects MUST fail with STATUS_INVALID_PARAMETER."); #endregion } else { #region MS-LSAD_R840 TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.Success, (uint)uintMethodStatus, "MS-LSAD", 840, @"LsarDeleteObject MUST return STATUS_SUCCESS if the request was successfully completed."); #endregion #region MS-LSAD_R845 TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue( (((uint)uintMethodStatus == (uint)ErrorStatus.Success) && deletedHandle == IntPtr.Zero), "MS-LSAD", 845, @"The deleted ObjectHandle of LsarDeleteObject MUST be automatically closed by the server; the caller need not close it."); #endregion } if (objSecretHandle != IntPtr.Zero) { objectAttributesForDelete[0].RootDirectory = null; utilities.nameOfSecretObject(ResOfNameChecked.Valid, ref SecretName); lsadClientStack.LsarOpenPolicy2( "name", objectAttributesForDelete[0], ACCESS_MASK.DELETE | ACCESS_MASK.POLICY_CREATE_SECRET, out PolicyHandle2); lsadClientStack.LsarCreateSecret( PolicyHandle2.Value, SecretName[0], ACCESS_MASK.DELETE, out objSecretHandle); lsadClientStack.LsarOpenSecret( PolicyHandle2.Value, SecretName[0], ACCESS_MASK.DELETE, out objSecretHandle); lsadClientStack.LsarDeleteObject(ref objSecretHandle); } secretFlag = false; } else { if (stPolicyInformation.PHandle == handleInput) { #region MS-LSAD_R842 TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.InvalidParameter, (uint)uintMethodStatus, "MS-LSAD", 842, @"Policy objects cannot be deleted. Attempts to delete policy objects MUST fail with STATUS_INVALID_PARAMETER."); #endregion } else if ((stPolicyInformation.PHandle + 1 != handleInput) || ((htAccHandle.Count == 0) && (checkTrustHandle == false))) { #region MS-LSAD_R841 TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.InvalidHandle, (uint)uintMethodStatus, "MS-LSAD", 841, @"If the ObjectHandle of LsarDeleteObject is not a valid context handle to an object, the server MUST return STATUS_INVALID_HANDLE."); #endregion #region MS-LSAD_R844 TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.InvalidHandle, (uint)uintMethodStatus, "MS-LSAD", 844, @"The server MUST make all subsequent requests to the deleted object fail with STATUS_INVALID_HANDLE, even if the requests come in through other open handles."); #endregion } else if (((uintAccess & ACCESS_MASK.DELETE) != ACCESS_MASK.DELETE) && ((uintOpenAccAccess & ACCESS_MASK.DELETE) != ACCESS_MASK.DELETE) && (htAccHandle.Count != 0)) { #region MS-LSAD_R843 TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.AccessDenied, (uint)uintMethodStatus, "MS-LSAD", 843, @"The handle in LsarDeleteObject MUST have been opened for DELETE access, and the server MUST fail the request with STATUS_ACCESS_DENIED otherwise."); #endregion } else { NtStatus checkDeleteHandle = lsadClientStack.LsarOpenAccount( objPolicyHandle.Value, objAccountSid[0], uintAccessMask, out objAccountHandle); if (checkDeleteHandle == (NtStatus)0xC0000034) { #region MS-LSAD_R840 TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.Success, (uint)uintMethodStatus, "MS-LSAD", 840, @"LsarDeleteObject MUST return STATUS_SUCCESS if the request was successfully completed."); #endregion #region MS-LSAD_R845 TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.Success, (uint)uintMethodStatus, "MS-LSAD", 845, @"The deleted ObjectHandle of LsarDeleteObject MUST be automatically closed by the server; the caller need not close it."); #endregion #region MS-LSAD_R224 TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.Success, (uint)uintMethodStatus, "MS-LSAD", 224, @"Deleting an object to which the caller has an open handle (by calling LsarDeleteObject), if successful, MUST also close the handle."); #endregion } } if (htAccHandle.Count != 0) { utilities.DeleteExistAccount(); htAccHandle.Remove("AccHandle"); } utilities.CreateExistAccount(uintOpenAccAccess); if (htAddAccRight.Count != 0) { htAddAccRight.Remove("htAddAccRight"); } } } return((ErrorStatus)uintMethodStatus); }
/// <summary> /// The LookupPrivilegeValue method is invoked to map the name of a privilege /// into a locally unique identifier (luid) by which it is known on the server. /// The locally unique value of the privilege can then be used in subsequent calls /// to other methods, such as LsarAddPrivilegesToAccount. /// </summary> /// <param name="handleInput">Contains policy handle obtained from OpenPolicy/OpenPolicy2 </param> /// <param name="name">It is for validating the privilege name passed in </param> /// <param name="privilegeName">Contains privilege name </param> /// <param name="luid">Out param contains valid or invalid /// luid of the passed in privilege name </param> /// <returns>Returns Success if the method is successful /// Returns AccessDenied if the caller does not have the permissions to /// perform this operation /// Returns InvalidHandle if the passed in is a valid object handle /// Returns InvalidParameter if one or more of the supplied parameters was invalid /// Returns NoSuchPrivilege if the privilege name is not recognized by the server</returns> public ErrorStatus LookupPrivilegeValue( int handleInput, ValidString name, string privilegeName, out PrivilegeLUID luid) { _RPC_UNICODE_STRING inputPrivilegeName = new _RPC_UNICODE_STRING(); Hashtable htPrivilegeNameNLUID = new Hashtable(); _LUID?outputPrivilegeLUID = new _LUID(); utilities.privilegeInformation(ref htPrivilegeNameNLUID); if (name == ValidString.Invalid) { utilities.nameOfPrivilege(PrivilegeType.InValid, ref inputPrivilegeName); inputPrivilegeName.Length = (ushort)((2 * inputPrivilegeName.Buffer.Length) + 1); inputPrivilegeName.MaximumLength = (ushort)(inputPrivilegeName.Length + 2); } else if (stPolicyInformation.PHandle != handleInput) { utilities.nameOfPrivilege(PrivilegeType.Valid, ref inputPrivilegeName); utilities.inValidHandle(); } else if ((uintAccessMask & ACCESS_MASK.POLICY_LOOKUP_NAMES) != ACCESS_MASK.POLICY_LOOKUP_NAMES) { utilities.nameOfPrivilege(PrivilegeType.Valid, ref inputPrivilegeName); } else if (!htPrivilegeNameNLUID.ContainsValue(privilegeName)) { utilities.nameOfPrivilege(PrivilegeType.NoSuchPrivilege, ref inputPrivilegeName); } else { utilities.nameOfPrivilege(PrivilegeType.Valid, ref inputPrivilegeName); } uintMethodStatus = lsadClientStack.LsarLookupPrivilegeValue( PolicyHandle.Value, inputPrivilegeName, out outputPrivilegeLUID); luid = (outputPrivilegeLUID.Value.HighPart == 0 & outputPrivilegeLUID.Value.LowPart == 0) ? PrivilegeLUID.Invalid : PrivilegeLUID.Valid; if (name == ValidString.Invalid) { #region MS-LSAD_R807 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.InvalidParameter, (uint)uintMethodStatus, "MS-LSAD", 807, @"In LsarLookupPrivilegeValue method server MUST return STATUS_INVALID_PARAMETER if One or more of the supplied parameters was invalid."); #endregion } else if (stPolicyInformation.PHandle != handleInput) { #region MS-LSAD_R804 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.InvalidHandle, (uint)uintMethodStatus, "MS-LSAD", 804, @"In LsarLookupPrivilegeValue method,If PolicyHandle is not a valid context handle to the policy object, the server MUST return STATUS_INVALID_HANDLE."); #endregion lsadClientStack.LsarDeleteObject(ref PolicyHandle); PolicyHandle = utilities.tempPolicyHandle; } else if ((uintAccessMask & ACCESS_MASK.POLICY_LOOKUP_NAMES) != ACCESS_MASK.POLICY_LOOKUP_NAMES) { #region MS-LSAD_R805 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.AccessDenied, (uint)uintMethodStatus, "MS-LSAD", 805, @"In PolicyHandle parameter of LsarLookupPrivilegeValue method, server MUST verify that the caller has POLICY_LOOKUP_NAMES access and return STATUS_ACCESS_DENIED otherwise"); #endregion } else if (!htPrivilegeNameNLUID.ContainsValue(privilegeName)) { #region MS-LSAD_R806 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.NoSuchPrivilege, (uint)uintMethodStatus, "MS-LSAD", 806, @"In LsarLookupPrivilegeValue method , If the value in the Name argument is not recognized by the server, the server MUST fail the request with STATUS_NO_SUCH_PRIVILEGE"); #endregion } else { htPrivilegeNameNLUID.Clear(); #region MS-LSAD_R808 if ((uint)ErrorStatus.Success == (uint)uintMethodStatus) { Site.CaptureRequirement( "MS-LSAD", 808, @"In LsarLookupPrivilegeValue method server MUST return STATUS_SUCCESS if request is successfully completed."); } #endregion } return((ErrorStatus)uintMethodStatus); }
/// <summary> /// The LookupPrivilegeDisplayName method is invoked to map the name /// of a privilege into a display text string in the caller's language. /// </summary> /// <param name="handleInput">Contains policy handle obtained from OpenPolicy/OpenPolicy2 </param> /// <param name="name">It is for validating the privilege name passed in </param> /// <param name="privilegeName">Contains privilege name </param> /// <param name="displayName">Out param contains valid or invalid /// display text of the passed in privilegename </param> /// <returns>Returns Success if the method is successful /// Returns AccessDenied if the caller does not have the permissions to /// perform this operation /// Returns InvalidHandle if the passed in is a valid object handle /// Returns InvalidParameter if one or more of the supplied parameters was invalid /// Returns NoSuchPrivilege if the privilege luid is not recognized by the server</returns> public ErrorStatus LookupPrivilegeDisplayName( int handleInput, ValidString name, string privilegeName, out ValidString displayName) { _RPC_UNICODE_STRING?inputPrivilegeName = new _RPC_UNICODE_STRING(); _RPC_UNICODE_STRING inputPrivilegeName1 = new _RPC_UNICODE_STRING(); _RPC_UNICODE_STRING?outputPrivilegeName = new _RPC_UNICODE_STRING(); Hashtable htPrivilegeNameNLUID = new Hashtable(); short shortClientLanguage = 0, shortClientSystemDefaultLanguage = 0; ushort?ushortLanguageReturned = 0; utilities.privilegeInformation(ref htPrivilegeNameNLUID); inputPrivilegeName1 = (_RPC_UNICODE_STRING)inputPrivilegeName; if (name == ValidString.Invalid) { shortClientLanguage = 9; utilities.nameOfPrivilege(PrivilegeType.InValid, ref inputPrivilegeName1); inputPrivilegeName1.Length = (ushort)((2 * inputPrivilegeName1.Buffer.Length) + 1); inputPrivilegeName1.MaximumLength = (ushort)(inputPrivilegeName1.Length + 2); } else if (stPolicyInformation.PHandle != handleInput) { shortClientLanguage = 9; utilities.nameOfPrivilege(PrivilegeType.Valid, ref inputPrivilegeName1); utilities.inValidHandle(); } else if (!htPrivilegeNameNLUID.ContainsValue(privilegeName)) { shortClientLanguage = 9; utilities.nameOfPrivilege(PrivilegeType.NoSuchPrivilege, ref inputPrivilegeName1); } else if ((uintAccessMask & ACCESS_MASK.POLICY_LOOKUP_NAMES) != ACCESS_MASK.POLICY_LOOKUP_NAMES) { utilities.nameOfPrivilege(PrivilegeType.Valid, ref inputPrivilegeName1); shortClientLanguage = 9; } else { shortClientLanguage = 9; utilities.nameOfPrivilege(PrivilegeType.Valid, ref inputPrivilegeName1); } inputPrivilegeName = inputPrivilegeName1; uintMethodStatus = lsadClientStack.LsarLookupPrivilegeDisplayName( PolicyHandle.Value, inputPrivilegeName, shortClientLanguage, shortClientSystemDefaultLanguage, out outputPrivilegeName, out ushortLanguageReturned); displayName = (outputPrivilegeName == null) ? ValidString.Invalid : ValidString.Valid; if (name == ValidString.Invalid) { #region MS-LSAD_R823 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.InvalidParameter, (uint)uintMethodStatus, "MS-LSAD", 823, @"In LsarLookupPrivilegeDisplayName method server MUST return STATUS_INVALID_PARAMETER if One or more of the supplied parameters was invalid."); #endregion } else if (stPolicyInformation.PHandle != handleInput) { lsadClientStack.LsarDeleteObject(ref PolicyHandle); PolicyHandle = utilities.tempPolicyHandle; #region MS-LSAD_R814 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.InvalidHandle, (uint)uintMethodStatus, "MS-LSAD", 814, @"In LsarLookupPrivilegeDisplayName method,If PolicyHandle is not a valid context handle to the policy object, the server MUST return STATUS_INVALID_HANDLE."); #endregion } else if ((uintAccessMask & ACCESS_MASK.POLICY_LOOKUP_NAMES) != ACCESS_MASK.POLICY_LOOKUP_NAMES) { #region MS-LSAD_R815 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.AccessDenied, (uint)uintMethodStatus, "MS-LSAD", 815, @"In PolicyHandle parameter of LsarLookupPrivilegeDisplayName method ,server MUST verify that the caller has POLICY_LOOKUP_NAMES access and return STATUS_ACCESS_DENIED otherwise"); #endregion } else if (!htPrivilegeNameNLUID.ContainsValue(privilegeName)) { #region MS-LSAD_R817 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.NoSuchPrivilege, (uint)uintMethodStatus, "MS-LSAD", 817, @"In LsarLookupPrivilegeDisplayName method , If the entry cannot be located, the server MUST return STATUS_NO_SUCH_PRIVILEGE."); #endregion } else { htPrivilegeNameNLUID.Clear(); #region MS-LSAD_R822 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.Success, (uint)uintMethodStatus, "MS-LSAD", 822, @"In LsarLookupPrivilegeDisplayName method server MUST return STATUS_SUCCESS if request is successfully completed."); #endregion #region MS-LSAD_R816 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.Success, (uint)uintMethodStatus, "MS-LSAD", 816, @"In LsarLookupPrivilegeDisplayName method server MUST locate the entry with the same name in the data store (RPC_UNICODE_STRING)."); #endregion #region MS-LSAD_R521 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.Success, (uint)uintMethodStatus, "MS-LSAD", 821, @"In LsarLookupPrivilegeDisplayName method , If neither ClientLanguage nor ClientSystemDefaultLanguage can be found, the server MUST return the description in the server's own language."); #endregion } return((ErrorStatus)uintMethodStatus); }
/// <summary> /// The LookupPrivilegeName method is invoked to map the luid of a privilege /// into a string name by which it is known on the server. /// </summary> /// <param name="handleInput">Contains policy handle obtained from OpenPolicy/OpenPolicy2 </param> /// <param name="luid">It is for validating the privilege luid passed in </param> /// <param name="privilegeLuid">Contains privilege luid </param> /// <param name="privilegeName">Out param contains valid or invalid /// privilegeName of the passed in privilege luid </param> /// <returns>Returns Success if the method is successful /// Returns AccessDenied if the caller does not have the permissions to /// perform this operation /// Returns InvalidHandle if the passed in is a valid object handle /// Returns InvalidParameter if one or more of the supplied parameters was invalid /// Returns NoSuchPrivilege if the privilege luid is not recognized by the server</returns> public ErrorStatus LookupPrivilegeName( int handleInput, PrivilegeLUID luid, string privilegeLuid, out ValidString privilegeName) { _RPC_UNICODE_STRING?outputPrivilegeName = new _RPC_UNICODE_STRING(); _RPC_UNICODE_STRING outputComparePrivilegeName = new _RPC_UNICODE_STRING(); _LUID[] inputPrivilegeLUID = new _LUID[1]; Hashtable htPrivilegeNameNLUID = new Hashtable(); string nameOfPrivilege = string.Empty; char[] charNameOfPrivilege = new char[25]; bool isEqual = false; nameOfPrivilege = PrivilegeName; charNameOfPrivilege = nameOfPrivilege.ToCharArray(); outputComparePrivilegeName.Buffer = new ushort[nameOfPrivilege.Length]; Array.Copy(charNameOfPrivilege, outputComparePrivilegeName.Buffer, charNameOfPrivilege.Length); outputComparePrivilegeName.Length = (ushort)(2 * outputComparePrivilegeName.Buffer.Length); outputComparePrivilegeName.MaximumLength = (ushort)(outputComparePrivilegeName.Length + 2); utilities.privilegeInformation(ref htPrivilegeNameNLUID); if (luid == PrivilegeLUID.Invalid) { utilities.valuesOfLUID(PrivilegeLUID.Invalid, ref inputPrivilegeLUID); inputPrivilegeLUID[0].LowPart = 56; inputPrivilegeLUID[0].HighPart = 0; } else if (stPolicyInformation.PHandle != handleInput) { utilities.valuesOfLUID(PrivilegeLUID.Valid, ref inputPrivilegeLUID); utilities.inValidHandle(); } else if ((uintAccessMask & ACCESS_MASK.POLICY_LOOKUP_NAMES) != ACCESS_MASK.POLICY_LOOKUP_NAMES) { utilities.valuesOfLUID(PrivilegeLUID.Valid, ref inputPrivilegeLUID); } else if (!htPrivilegeNameNLUID.ContainsKey(privilegeLuid)) { utilities.valuesOfLUID(PrivilegeLUID.NotPresentLuid, ref inputPrivilegeLUID); } else { utilities.valuesOfLUID(PrivilegeLUID.Valid, ref inputPrivilegeLUID); } uintMethodStatus = lsadClientStack.LsarLookupPrivilegeName( PolicyHandle.Value, inputPrivilegeLUID[0], out outputPrivilegeName); if (outputPrivilegeName != null) { isEqual = utilities.CheckTheRpcStrings(outputPrivilegeName.Value, outputComparePrivilegeName); if (isEqual) { privilegeName = ValidString.Valid; } else { privilegeName = ValidString.Invalid; } } else { privilegeName = (outputPrivilegeName == null) ? ValidString.Invalid : ValidString.Valid; } if (!(luid == PrivilegeLUID.Invalid)) { if (stPolicyInformation.PHandle != handleInput) { #region MS-LSAD_R809 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.InvalidHandle, (uint)uintMethodStatus, "MS-LSAD", 809, @"In LsarLookupPrivilegeName method ,If PolicyHandle is not a valid context handle to the policy object, the server MUST return STATUS_INVALID_HANDLE"); #endregion lsadClientStack.LsarDeleteObject(ref PolicyHandle); PolicyHandle = utilities.tempPolicyHandle; } else if ((uintAccessMask & ACCESS_MASK.POLICY_LOOKUP_NAMES) != ACCESS_MASK.POLICY_LOOKUP_NAMES) { #region MS-LSAD_R810 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.AccessDenied, (uint)uintMethodStatus, "MS-LSAD", 810, @"In PolicyHandle parameter of LsarLookupPrivilegeName method, server MUST verify that the caller has POLICY_LOOKUP_NAMES access and return STATUS_ACCESS_DENIED otherwise."); #endregion } else if (!htPrivilegeNameNLUID.ContainsKey(privilegeLuid)) { #region MS-LSAD_R811 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.NoSuchPrivilege, (uint)uintMethodStatus, "MS-LSAD", 811, @"In LsarLookupPrivilegeName method,If the LUID in the Value argument is not recognized by the server, the server MUST fail the request with STATUS_NO_SUCH_PRIVILEGE"); #endregion } else { htPrivilegeNameNLUID.Clear(); #region MS-LSAD_R813 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.Success, (uint)uintMethodStatus, "MS-LSAD", 813, @"In LsarLookupPrivilegeName method server MUST return STATUS_SUCCESS if request is successfully completed."); #endregion } } return((ErrorStatus)uintMethodStatus); }