/// <summary>
/// Method to create an object from a set of object attributes.
/// </summary>
/// <param name="obj_attributes">The object attributes to create/open from.</param>
/// <returns>The newly created object.</returns>
protected override object CreateObject(ObjectAttributes obj_attributes)
{
string key_path = Win32Path ? NtKeyUtils.Win32KeyNameToNt(KeyPath) : KeyPath;
using (ObjectAttributes name = new ObjectAttributes(key_path, AttributeFlags.CaseInsensitive))
{
if ((LoadFlags & LoadKeyFlags.AppKey) == 0)
{
using (NtToken token = NtToken.OpenProcessToken())
{
TokenPrivilege priv = token.GetPrivilege(TokenPrivilegeValue.SeRestorePrivilege);
if (priv == null || (priv.Attributes & PrivilegeAttributes.Enabled) == 0)
{
WriteWarning("Loading a non-app hive should require SeRestorePrivilege");
}
}
}
else
{
if (!KeyPath.StartsWith(@"\Registry\A\", System.StringComparison.OrdinalIgnoreCase))
{
WriteWarning(@"Loading app hive outside of \Registry\A\ will fail on an up to date system.");
}
}
return(NtKey.LoadKey(name, obj_attributes, LoadFlags, Access));
}
}
public void AdjustToken(bool enable)
{
var p = Process.GetCurrentProcess();
var at = new AccessTokenProcess(p.Id, TokenAccessType.TOKEN_ADJUST_PRIVILEGES);
var tp = new TokenPrivilege(TokenPrivilege.SE_SHUTDOWN_NAME, enable);
at.EnablePrivilege(tp);
}
/// <summary>
/// Constructor.
/// </summary>
public NewNtTokenCmdlet()
{
AuthenticationId = NtToken.LocalSystemAuthId;
TokenType = TokenType.Primary;
ExpirationTime = DateTime.Now.AddYears(10);
Group = new Sid[0];
Privilege = new TokenPrivilegeValue[0];
UserPrivilege = new TokenPrivilege[0];
UserGroup = new UserGroup[0];
DefaultAcl = new Acl();
DefaultAcl.AddAccessAllowedAce(GenericAccessRights.GenericAll, AceFlags.None, "SY");
DefaultAcl.AddAccessAllowedAce(GenericAccessRights.GenericAll, AceFlags.None, "BA");
IntegrityLevel = TokenIntegrityLevel.System;
SecurityQualityOfService = new SecurityQualityOfService(SecurityImpersonationLevel.Anonymous, SecurityContextTrackingMode.Static, false);
}
private void enablePrivilegeToolStripMenuItem_Click(object sender, EventArgs e)
{
if (listViewPrivs.SelectedItems.Count > 0)
{
TokenPrivilege priv = listViewPrivs.SelectedItems[0].Tag as TokenPrivilege;
try
{
_token.EnablePrivilege(priv, !priv.IsEnabled());
UpdatePrivileges();
}
catch (Win32Exception ex)
{
MessageBox.Show(this, ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
}
private void contextMenuStripPrivileges_Opening(object sender, CancelEventArgs e)
{
if (listViewPrivs.SelectedItems.Count > 0)
{
TokenPrivilege priv = listViewPrivs.SelectedItems[0].Tag as TokenPrivilege;
if (priv != null)
{
if (priv.IsEnabled())
{
enablePrivilegeToolStripMenuItem.Text = "Disable Privilege";
}
else
{
enablePrivilegeToolStripMenuItem.Text = "Enable Privilege";
}
}
}
}
/// <summary>
/// Computes effective access rights upon acquiring the necessary security information such as Share's security,
/// Central Policy and Resource's security as maybe applicable.
/// </summary>
public void Evaluate()
{
using (TokenPrivilege seSecurityPrivilege = new TokenPrivilege(TokenPrivilege.Security))
{
try
{
//
// SeSecurityPrivilege is required for querying the Central Policy ID (Scope information) from the
// file's SD
//
seSecurityPrivilege.Enable();
var securityObjects = new Dictionary <string, FileSecurityObject>();
//
// First include the Share's SD if available. If the share denies a permission, anything else that
// denies a permission is of lesser consequence.
//
if (shareSD != null)
{
securityObjects.Add("Share", new FileSecurityObject(shareSD));
}
SecurityIdentifier capId = null;
{
RawSecurityDescriptor scopeSD = GetFileSecInfoSD(handle,
NativeMethods.SecurityInformationClass.Scope);
if (scopeSD != null)
{
if (scopeSD.SystemAcl != null)
{
foreach (GenericAce ace in scopeSD.SystemAcl)
{
//
// Scoped Policy ID ACE not yet part of System.Security.AccessControl.AceType
//
// Since SYSTEM_SCOPED_POLICY_ID_ACE essentially has a SID which is the identifier
// for a Central Policy, extract it explicitly.
//
byte[] rawAce = new byte[ace.BinaryLength];
ace.GetBinaryForm(rawAce, 0);
if ((ace.AceFlags & AceFlags.InheritOnly) == 0)
{
long sidOffset = (long)Marshal.OffsetOf(
typeof(NativeMethods.SYSTEM_SCOPED_POLICY_ID_ACE),
"SidStart");
if (sidOffset < ace.BinaryLength)
{
capId = new SecurityIdentifier(rawAce, (int)sidOffset);
//
// The first Central Policy is the only one honored when there are multiple
// in a Security Descriptor. Ignore everything else.
//
break;
}
}
}
}
}
}
//
// Obtain file SD
//
RawSecurityDescriptor fileSD = GetFileSecInfoSD(
handle,
NativeMethods.SecurityInformationClass.Owner
| NativeMethods.SecurityInformationClass.Group
| NativeMethods.SecurityInformationClass.Dacl
| NativeMethods.SecurityInformationClass.Label
| NativeMethods.SecurityInformationClass.Attribute);
if (capId != null)
{
var availableCaps = new AvailableCentralPolicies(targetMachine);
Dictionary <string, CentralAccessRule> CARs = availableCaps.FetchCentralAccessRules(capId);
if (CARs == null || CARs.Count == 0)
{
//
// If the Central Policy or any of its Central Access Rules could not be retrieved, fall
// back to just the granularity of Central Policy. For this, use the file's SD with the
// CAP ID.
//
securityObjects.Add("Central Policy",
new FileSecurityObject(
GetFileSecInfoSD(handle,
NativeMethods.SecurityInformationClass.Owner
| NativeMethods.SecurityInformationClass.Group
| NativeMethods.SecurityInformationClass.Label
| NativeMethods.SecurityInformationClass.Attribute
| NativeMethods.SecurityInformationClass.Scope)));
}
else
{
//
// The merged security descriptor for each Central Access Rule is generated as follows:
// Owner + Group + SACL (all from resource's SD) + DACL from Central Access Rule
//
// If the AppliesTo predicate is present, then we do the following:
// Owned + Group + SACL (all from resource's SD)
// + A fabricated DACL with an allowed callback ACE containingn the selected user
// principal and the AppliesTo predicate appended.
//
foreach (var rule in CARs)
{
var sd = new RawSecurityDescriptor(fileSD.ControlFlags,
fileSD.Owner,
fileSD.Group,
fileSD.SystemAcl,
rule.Value.EffectivePolicy.DiscretionaryAcl);
if (!string.IsNullOrEmpty(rule.Value.AppliesToCondition))
{
string appliesToSDDL = "D:(XA;;FR;;;" + userSid.ToString() + ";" +
rule.Value.AppliesToCondition + ")";
var appliesToSD = new RawSecurityDescriptor(
fileSD.ControlFlags,
fileSD.Owner,
fileSD.Group,
fileSD.SystemAcl,
(new RawSecurityDescriptor(appliesToSDDL)).DiscretionaryAcl);
securityObjects.Add(rule.Key, new FileSecurityObject(sd, appliesToSD));
}
else
{
securityObjects.Add(rule.Key, new FileSecurityObject(sd));
}
}
}
}
securityObjects.Add("File permissions", new FileSecurityObject(fileSD));
results = ComputeEffectiveAccessResult(targetMachine, securityObjects);
}
finally
{
seSecurityPrivilege.Revert();
}
}
}
public static extern int OpenProcessToken( System.IntPtr ProcessHandle, // handle to process TokenPrivilege DesiredAccess, // desired access to process ref IntPtr TokenHandle // handle to open access token );
public static extern bool SetPrivilege(IntPtr token, bool release, ref TokenPrivilege newState, uint zero1, IntPtr zero2, IntPtr zero3);
/// <summary>
/// Computes effective access rights upon acquiring the necessary security information such as Share's security,
/// Central Policy and Resource's security as maybe applicable.
/// </summary>
public void Evaluate()
{
using (TokenPrivilege seSecurityPrivilege = new TokenPrivilege(TokenPrivilege.Security))
{
try
{
//
// SeSecurityPrivilege is required for querying the Central Policy ID (Scope information) from the
// file's SD
//
seSecurityPrivilege.Enable();
var securityObjects = new Dictionary<string, FileSecurityObject>();
//
// First include the Share's SD if available. If the share denies a permission, anything else that
// denies a permission is of lesser consequence.
//
if (shareSD != null)
{
securityObjects.Add("Share", new FileSecurityObject(shareSD));
}
SecurityIdentifier capId = null;
{
RawSecurityDescriptor scopeSD = GetFileSecInfoSD(handle,
NativeMethods.SecurityInformationClass.Scope);
if (scopeSD != null)
{
if (scopeSD.SystemAcl != null)
{
foreach (GenericAce ace in scopeSD.SystemAcl)
{
//
// Scoped Policy ID ACE not yet part of System.Security.AccessControl.AceType
//
// Since SYSTEM_SCOPED_POLICY_ID_ACE essentially has a SID which is the identifier
// for a Central Policy, extract it explicitly.
//
byte[] rawAce = new byte[ace.BinaryLength];
ace.GetBinaryForm(rawAce, 0);
if ((ace.AceFlags & AceFlags.InheritOnly) == 0)
{
long sidOffset = (long)Marshal.OffsetOf(
typeof(NativeMethods.SYSTEM_SCOPED_POLICY_ID_ACE),
"SidStart");
if (sidOffset < ace.BinaryLength)
{
capId = new SecurityIdentifier(rawAce, (int)sidOffset);
//
// The first Central Policy is the only one honored when there are multiple
// in a Security Descriptor. Ignore everything else.
//
break;
}
}
}
}
}
}
//
// Obtain file SD
//
RawSecurityDescriptor fileSD = GetFileSecInfoSD(
handle,
NativeMethods.SecurityInformationClass.Owner
| NativeMethods.SecurityInformationClass.Group
| NativeMethods.SecurityInformationClass.Dacl
| NativeMethods.SecurityInformationClass.Label
| NativeMethods.SecurityInformationClass.Attribute);
if (capId != null)
{
var availableCaps = new AvailableCentralPolicies(targetMachine);
Dictionary<string, CentralAccessRule> CARs = availableCaps.FetchCentralAccessRules(capId);
if (CARs == null || CARs.Count == 0)
{
//
// If the Central Policy or any of its Central Access Rules could not be retrieved, fall
// back to just the granularity of Central Policy. For this, use the file's SD with the
// CAP ID.
//
securityObjects.Add("Central Policy",
new FileSecurityObject(
GetFileSecInfoSD(handle,
NativeMethods.SecurityInformationClass.Owner
| NativeMethods.SecurityInformationClass.Group
| NativeMethods.SecurityInformationClass.Label
| NativeMethods.SecurityInformationClass.Attribute
| NativeMethods.SecurityInformationClass.Scope)));
}
else
{
//
// The merged security descriptor for each Central Access Rule is generated as follows:
// Owner + Group + SACL (all from resource's SD) + DACL from Central Access Rule
//
// If the AppliesTo predicate is present, then we do the following:
// Owned + Group + SACL (all from resource's SD)
// + A fabricated DACL with an allowed callback ACE containingn the selected user
// principal and the AppliesTo predicate appended.
//
foreach (var rule in CARs)
{
var sd = new RawSecurityDescriptor(fileSD.ControlFlags,
fileSD.Owner,
fileSD.Group,
fileSD.SystemAcl,
rule.Value.EffectivePolicy.DiscretionaryAcl);
if (!string.IsNullOrEmpty(rule.Value.AppliesToCondition))
{
string appliesToSDDL = "D:(XA;;FR;;;" + userSid.ToString() + ";" +
rule.Value.AppliesToCondition + ")";
var appliesToSD = new RawSecurityDescriptor(
fileSD.ControlFlags,
fileSD.Owner,
fileSD.Group,
fileSD.SystemAcl,
(new RawSecurityDescriptor(appliesToSDDL)).DiscretionaryAcl);
securityObjects.Add(rule.Key, new FileSecurityObject(sd, appliesToSD));
}
else
{
securityObjects.Add(rule.Key, new FileSecurityObject(sd));
}
}
}
}
securityObjects.Add("File permissions", new FileSecurityObject(fileSD));
results = ComputeEffectiveAccessResult(targetMachine, securityObjects);
}
finally
{
seSecurityPrivilege.Revert();
}
}
}
