Exemplo n.º 1
        /// <summary>
        /// Returns the account rights assigned directly to <paramref name="sid"/>.
        /// A STATUS_OBJECT_NAME_NOT_FOUND result from the native call is reported as
        /// an empty sequence rather than as an error.
        /// </summary>
        /// <param name="policyHandle">LSA policy handle passed through to the native call.</param>
        /// <param name="sid">The account SID to query.</param>
        /// <returns>The right names read from the returned buffer, or an empty sequence.</returns>
        /// <remarks>Any status other than success or "name not found" is thrown via
        /// ErrorMethods.GetIoExceptionForNTStatus.</remarks>
        public static IEnumerable <string> LsaEnumerateAccountRights(LsaHandle policyHandle, ref SID sid)
        {
            NTSTATUS status = Imports.LsaEnumerateAccountRights(policyHandle, ref sid, out var rightsBuffer, out uint rightsCount);

            // "Not found" is the expected answer for an account with no direct rights.
            if (status == NTSTATUS.STATUS_OBJECT_NAME_NOT_FOUND)
            {
                return Enumerable.Empty<string>();
            }

            if (status != NTSTATUS.STATUS_SUCCESS)
            {
                throw ErrorMethods.GetIoExceptionForNTStatus(status);
            }

            // NOTE(review): rightsBuffer is never released explicitly in this method; if its
            // type owns LSA-allocated memory, cleanup is left to whatever that type does on
            // its own (e.g. finalization) -- confirm and consider a deterministic release.
            var rightNames   = new List<string>();
            var bufferReader = new Reader(rightsBuffer);

            // One UNICODE_STRING is read per right reported by the native call.
            int index = 0;
            while (index < rightsCount)
            {
                rightNames.Add(bufferReader.ReadUNICODE_STRING());
                index++;
            }

            return rightNames;
        }
Exemplo n.º 2
        /// <summary>
        /// Enumerates rights for the AllApplicationPackages well-known SID through a
        /// policy handle opened with Read access and expects an empty result.
        /// </summary>
        // NOTE(review): despite the "Fails" suffix, the assertion expects an empty
        // collection, not an exception.
        public void EnumerateAccountRights_NoRightsFails()
        {
            LsaHandle policy      = Security.LsaOpenLocalPolicy(PolicyAccessRights.Read);
            SID       packagesSid = Security.CreateWellKnownSid(WellKnownSID.AllApplicationPackages);

            var assignedRights = Security.LsaEnumerateAccountRights(policy, in packagesSid);

            assignedRights.Should().BeEmpty();
        }
Exemplo n.º 3
 /// <summary>
 /// Passes a default-constructed SID to the enumeration call and expects it to be
 /// rejected with an ArgumentException.
 /// </summary>
 public void EnumerateAccountRights_BadSidFails()
 {
     LsaHandle policy = Security.LsaOpenLocalPolicy(PolicyAccessRights.Read);
     SID emptySid = new SID();

     // The call is wrapped in a delegate so the assertion can observe the exception.
     Action enumerate = () =>
     {
         Security.LsaEnumerateAccountRights(policy, in emptySid);
     };

     enumerate.Should().Throw<ArgumentException>();
 }
Exemplo n.º 4
        /// <summary>
        /// Enumerates rights for the WinBuiltinAnyPackageSid well-known SID through a
        /// policy handle opened with POLICY_READ and expects an empty result.
        /// </summary>
        // NOTE(review): despite the "Fails" suffix, the assertion expects an empty
        // collection, not an exception.
        public void EnumerateAccountRights_NoRightsFails()
        {
            LsaHandle policy      = AuthenticationMethods.LsaOpenLocalPolicy(PolicyAccessRights.POLICY_READ);
            SID       packagesSid = AuthorizationMethods.CreateWellKnownSid(WELL_KNOWN_SID_TYPE.WinBuiltinAnyPackageSid);

            var assignedRights = SecurityMethods.LsaEnumerateAccountRights(policy, ref packagesSid);

            assignedRights.Should().BeEmpty();
        }
Exemplo n.º 5
 /// <summary>
 /// Expects enumeration for the Users well-known SID to be refused with an
 /// UnauthorizedAccessException when the policy handle was opened with Read access.
 /// </summary>
 // NOTE(review): presumably Read access does not carry the right the enumeration
 // needs -- confirm against the PolicyAccessRights definition.
 public void EnumerateAccountRights_ReadRightsFails()
 {
     LsaHandle readOnlyPolicy = Security.LsaOpenLocalPolicy(PolicyAccessRights.Read);
     SID usersSid = Security.CreateWellKnownSid(WellKnownSID.Users);

     Action enumerate = () =>
     {
         Security.LsaEnumerateAccountRights(readOnlyPolicy, in usersSid);
     };

     enumerate.Should().Throw<UnauthorizedAccessException>();
 }
Exemplo n.º 6
    /// <summary>
    /// Builds the response by reading a single LsaHandle structure from
    /// <paramref name="buffer"/> with an NDRParser.
    /// </summary>
    /// <param name="buffer">Raw response bytes to parse.</param>
    // NOTE(review): buffer is parsed without any null or length check in this
    // constructor; presumably NDRParser validates what it reads -- confirm, since
    // the bytes originate from the remote end of the RPC call.
    public LsarCloseResponse(byte[] buffer)
    {
        var ndr = new NDRParser(buffer);

        // The handle is allocated first and then filled in place by the parser.
        PolicyHandle = new LsaHandle();
        ndr.ReadStructure(PolicyHandle);
    }
Exemplo n.º 7
 /// <summary>
 /// Enumerates rights for the Users well-known SID through a policy handle opened
 /// with Execute access and expects a non-empty result that includes
 /// SeChangeNotifyPrivilege.
 /// </summary>
 public void EnumerateAccountRights_UserGroup()
 {
     LsaHandle policy = Security.LsaOpenLocalPolicy(PolicyAccessRights.Execute);
     SID usersSid = Security.CreateWellKnownSid(WellKnownSID.Users);

     var grantedRights = Security.LsaEnumerateAccountRights(policy, in usersSid);

     grantedRights.Should().NotBeEmpty();
     grantedRights.Should().Contain("SeChangeNotifyPrivilege");
 }
Exemplo n.º 8
        /// <summary>
        /// Passes a default-constructed SID to the enumeration call and expects it to be
        /// rejected with an ArgumentException.
        /// </summary>
        public void EnumerateAccountRights_BadSidFails()
        {
            LsaHandle policy   = AuthenticationMethods.LsaOpenLocalPolicy(PolicyAccessRights.POLICY_READ);
            SID       emptySid = new SID();

            // The call is wrapped in a delegate so the assertion can observe the exception.
            Action enumerate = () =>
            {
                SecurityMethods.LsaEnumerateAccountRights(policy, ref emptySid);
            };

            enumerate.ShouldThrow<ArgumentException>();
        }
Exemplo n.º 9
        /// <summary>
        /// Expects enumeration for the WinBuiltinUsersSid well-known SID to be refused
        /// with an UnauthorizedAccessException when the policy handle was opened with
        /// POLICY_READ.
        /// </summary>
        // NOTE(review): presumably POLICY_READ does not carry the right the enumeration
        // needs -- confirm against the PolicyAccessRights definition.
        public void EnumerateAccountRights_ReadRightsFails()
        {
            LsaHandle readOnlyPolicy = AuthenticationMethods.LsaOpenLocalPolicy(PolicyAccessRights.POLICY_READ);
            SID       usersSid       = AuthorizationMethods.CreateWellKnownSid(WELL_KNOWN_SID_TYPE.WinBuiltinUsersSid);

            Action enumerate = () =>
            {
                SecurityMethods.LsaEnumerateAccountRights(readOnlyPolicy, ref usersSid);
            };

            enumerate.ShouldThrow<UnauthorizedAccessException>();
        }
Exemplo n.º 10
        /// <summary>
        /// Enumerates rights for the WinBuiltinUsersSid well-known SID through a policy
        /// handle opened with POLICY_EXECUTE and expects a non-empty result that
        /// includes SeChangeNotifyPrivilege.
        /// </summary>
        public void EnumerateAccountRights_UserGroup()
        {
            LsaHandle policy   = AuthenticationMethods.LsaOpenLocalPolicy(PolicyAccessRights.POLICY_EXECUTE);
            SID       usersSid = AuthorizationMethods.CreateWellKnownSid(WELL_KNOWN_SID_TYPE.WinBuiltinUsersSid);

            var grantedRights = SecurityMethods.LsaEnumerateAccountRights(policy, ref usersSid);

            grantedRights.Should().NotBeEmpty();
            grantedRights.Should().Contain("SeChangeNotifyPrivilege");
        }
Exemplo n.º 11
        /// <summary>
        /// Sends an LsarClose request for <paramref name="handle"/> over
        /// <paramref name="rpc"/>.
        /// </summary>
        /// <param name="rpc">Helper used to execute the RPC call.</param>
        /// <param name="handle">The policy handle placed in the close request.</param>
        /// <param name="status">Receives the status returned by the RPC call.</param>
        public static void LsaClose(RPCCallHelper rpc, LsaHandle handle, out NTStatus status)
        {
            LsarCloseRequest  request = new LsarCloseRequest { handle = handle };
            LsarCloseResponse response;

            // Nothing from the response is handed back; the caller only sees the
            // status, so success and failure leave the method the same way.
            status = rpc.ExecuteCall((ushort)LsaRemoteServiceOpName.LsarClose, request, out response);
        }
Exemplo n.º 12
        /// <summary>
        /// Translates a list of SIDs to "DOMAIN\name" strings with an LsarLookupSids call.
        /// </summary>
        /// <param name="rpc">Helper used to execute the RPC call.</param>
        /// <param name="handle">Policy handle placed in the request.</param>
        /// <param name="sids">SIDs to translate.</param>
        /// <param name="status">Status of the call; set to STATUS_NOT_SUPPORTED when the
        /// response holds a different number of entries than were requested.</param>
        /// <returns>One entry per input SID (null where the server reported
        /// SidTypeUnknown), or null when <paramref name="status"/> is not STATUS_SUCCESS.</returns>
        public static List <string> LsaLookupSids(RPCCallHelper rpc, LsaHandle handle, List <SID> sids, out NTStatus status)
        {
            LsarLookupSidsRequest request = new LsarLookupSidsRequest
            {
                handle = handle,
                SIDEnumBuffer = new LsaSIDEnumBuffer
                {
                    Entries = (uint)sids.Count,
                    SIDInfos = new LsaSIDArray { SIDs = sids }
                },
                TranslatedNames = new LsaTranslatedArray<LsaTranslatedName>()
            };

            LsarLookupSidsResponse response;

            // Every status other than STATUS_SUCCESS is treated as failure here.
            status = rpc.ExecuteCall((ushort)LsaRemoteServiceOpName.LsarLookupSids, request, out response);
            if (status != NTStatus.STATUS_SUCCESS)
            {
                return null;
            }

            // The result is positional, so a response of a different length cannot be
            // matched back to the requested SIDs.
            if (sids.Count != response.TranslatedSids.Items.Count)
            {
                status = NTStatus.STATUS_NOT_SUPPORTED;
                return null;
            }

            List<string> resolved = new List<string>();

            foreach (LsaTranslatedName entry in response.TranslatedSids.Items)
            {
                if (entry.Use == LsaSIDNameUse.SidTypeUnknown)
                {
                    resolved.Add(null);
                    continue;
                }

                // NOTE(review): DomainIndex comes from the server response and is used
                // as an index without a range check; an out-of-range value would throw
                // from the indexer -- confirm whether the parser validates it.
                string domainName = response.DomainList.Names[(int)entry.DomainIndex].Name;
                resolved.Add(domainName + "\\" + entry.Name);
            }

            return resolved;
        }
Exemplo n.º 13
        /// <summary>
        /// Translates a list of account names to SIDs with an LsarLookupNames call.
        /// </summary>
        /// <param name="rpc">Helper used to execute the RPC call.</param>
        /// <param name="handle">Policy handle placed in the request.</param>
        /// <param name="names">Account names to translate.</param>
        /// <param name="status">Status of the call; set to STATUS_NOT_SUPPORTED when the
        /// response holds a different number of entries than were requested.</param>
        /// <returns>One entry per input name (null where the server reported
        /// SidTypeUnknown), or null when <paramref name="status"/> is not STATUS_SUCCESS.</returns>
        public static List <SID> LsaLookupNames(RPCCallHelper rpc, LsaHandle handle, List <string> names, out NTStatus status)
        {
            LsarLookupNamesRequest request = new LsarLookupNamesRequest
            {
                handle = handle,
                Names  = new NDRConformantArray<LsaUnicodeString>()
            };

            foreach (string accountName in names)
            {
                request.Names.Add(new LsaUnicodeString(accountName));
            }

            request.TranslatedSids = new LsaTranslatedArray<LsaTranslatedSid>();

            LsarLookupNamesResponse response;

            // Every status other than STATUS_SUCCESS is treated as failure here.
            status = rpc.ExecuteCall((ushort)LsaRemoteServiceOpName.LsarLookupNames, request, out response);
            if (status != NTStatus.STATUS_SUCCESS)
            {
                return null;
            }

            // The result is positional, so a response of a different length cannot be
            // matched back to the requested names.
            if (names.Count != response.TranslatedNames.Items.Count)
            {
                status = NTStatus.STATUS_NOT_SUPPORTED;
                return null;
            }

            List<SID> resolved = new List<SID>();

            foreach (LsaTranslatedSid translated in response.TranslatedNames.Items)
            {
                if (translated.Use == LsaSIDNameUse.SidTypeUnknown)
                {
                    resolved.Add(null);
                    continue;
                }

                // NOTE(review): DomainIndex comes from the server response and is used
                // as an index without a range check; an out-of-range value would throw
                // from the indexer -- confirm whether the parser validates it.
                resolved.Add(translated.GetSID(response.DomainList.Names[(int)translated.DomainIndex].Sid));
            }

            return resolved;
        }
Exemplo n.º 14
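        /// <summary>
        /// Resolves account names to SIDs over the LSA remote service pipe: binds the
        /// pipe, opens a policy handle, performs the lookup and closes the handle.
        /// </summary>
        /// <param name="client">SMB client used to reach the service pipe.</param>
        /// <param name="names">Account names to resolve.</param>
        /// <param name="status">Status of the first step that failed, or of the lookup
        /// itself when binding and opening the policy succeeded.</param>
        /// <returns>The list returned by LsaLookupNames, or null when binding, opening
        /// the policy or the lookup did not succeed.</returns>
        public static List <SID> ResolveNames(ISMBClient client, List <string> names, out NTStatus status)
        {
            using (RPCCallHelper rpc = new RPCCallHelper(client, LsaRemoteService.ServicePipeName, LsaRemoteService.ServiceInterfaceGuid, LsaRemoteService.ServiceVersion))
            {
                status = rpc.BindPipe();
                if (status != NTStatus.STATUS_SUCCESS)
                {
                    return null;
                }

                // NOTE(review): 0x801 is a bare access mask; presumably it combines the
                // policy rights for viewing local information (0x1) and looking up names
                // (0x800) -- confirm against the policy access-right definitions and keep
                // it to the minimum the lookup needs.
                LsaHandle handle = LsaOpenPolicy(rpc, (AccessMask)0x801, out status);
                if (handle == null)
                {
                    return null;
                }

                List<SID> output = LsaLookupNames(rpc, handle, names, out status);

                // The close result goes to its own variable: writing it to 'status' would
                // overwrite the lookup result, so a failed lookup followed by a successful
                // close would be reported as success with a null list.
                NTStatus closeStatus;
                LsaClose(rpc, handle, out closeStatus);

                return output;
            }
        }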
Exemplo n.º 15
        /// <summary>
        /// Opens the local LSA policy with POLICY_READ and expects a valid handle.
        /// </summary>
        public void LsaOpenPolicy_StandardRead()
        {
            LsaHandle policy = AuthenticationMethods.LsaOpenLocalPolicy(PolicyAccessRights.POLICY_READ);

            bool invalid = policy.IsInvalid;
            invalid.Should().BeFalse();
        }
Exemplo n.º 16
 public static extern NTStatus LsaEnumerateAccountRights(
     LsaHandle PolicyHandle,
     in SID AccountSid,
Exemplo n.º 17
        /// <summary>
        /// Opens the local LSA policy with Read access and expects a valid handle.
        /// </summary>
        public void LsaOpenPolicy_StandardRead()
        {
            LsaHandle policy = Security.LsaOpenLocalPolicy(PolicyAccessRights.Read);

            bool invalid = policy.IsInvalid;
            invalid.Should().BeFalse();
        }
Exemplo n.º 18
 /// <summary>
 /// Native declaration for LsaOpenPolicy: requests a policy handle with the access
 /// rights given in <paramref name="DesiredAccess"/>.
 /// </summary>
 /// <param name="SystemName">Pointer to the target system name.
 /// NOTE(review): presumably null selects the local system -- confirm.</param>
 /// <param name="ObjectAttributes">Pointer to the object attributes structure.</param>
 /// <param name="DesiredAccess">Access rights requested on the policy object; callers
 /// should request only what the following calls need.</param>
 /// <param name="PolicyHandle">Receives the opened policy handle.</param>
 /// <returns>The NTStatus of the call.</returns>
 // NOTE(review): the interop attribute is not visible here; the library and
 // marshalling settings cannot be confirmed from this declaration alone.
 public unsafe static extern NTStatus LsaOpenPolicy(
     UNICODE_STRING *SystemName,
     LSA_OBJECT_ATTRIBUTES *ObjectAttributes,
     PolicyAccessRights DesiredAccess,
     out LsaHandle PolicyHandle);
Exemplo n.º 19
 /// <summary>
 /// Native declaration for LsaEnumerateAccountRights: returns the rights held by
 /// the account identified by <paramref name="AccountSid"/>.
 /// </summary>
 /// <param name="PolicyHandle">Policy handle the query is made through.</param>
 /// <param name="AccountSid">SID of the account to query, passed by reference.</param>
 /// <param name="UserRights">Receives a handle to the buffer holding the rights.
 /// NOTE(review): presumably LsaMemoryHandle owns the LSA-allocated buffer and
 /// frees it when released -- confirm, and make sure callers release it.</param>
 /// <param name="CountOfRights">Receives the number of entries in the buffer.</param>
 /// <returns>The NTSTATUS of the call.</returns>
 // NOTE(review): the interop attribute is not visible here; the library and
 // marshalling settings cannot be confirmed from this declaration alone.
 public static extern NTSTATUS LsaEnumerateAccountRights(
     LsaHandle PolicyHandle,
     ref SID AccountSid,
     out LsaMemoryHandle UserRights,
     out uint CountOfRights);