public static List <SecurityIdentifier> Export(string ServerName) { int status; NativeMethods.UNICODE_STRING serverName = new NativeMethods.UNICODE_STRING(); serverName.Initialize(ServerName); List <SecurityIdentifier> output = new List <SecurityIdentifier>(); IntPtr hServerHandle, hBuiltinHandle, hAliasHandle; IntPtr membersSid; int memberRetourned; status = NativeMethods.SamConnect(ref serverName, out hServerHandle, SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN, 0); if (status != 0) { throw new Win32Exception(NativeMethods.LsaNtStatusToWinError(status)); } try { byte[] builtin = new byte[SecurityIdentifier.MaxBinaryLength]; new SecurityIdentifier("S-1-5-32").GetBinaryForm(builtin, 0); status = NativeMethods.SamOpenDomain(hServerHandle, DOMAIN_LIST_ACCOUNTS | DOMAIN_LOOKUP, builtin, out hBuiltinHandle); if (status != 0) { throw new Win32Exception(NativeMethods.LsaNtStatusToWinError(status)); } try { status = NativeMethods.SamOpenAlias(hBuiltinHandle, ALIAS_LIST_MEMBERS, DOMAIN_ALIAS_RID_ADMINS, out hAliasHandle); if (status != 0) { throw new Win32Exception(NativeMethods.LsaNtStatusToWinError(status)); } try { status = NativeMethods.SamGetMembersInAlias(hAliasHandle, out membersSid, out memberRetourned); if (status != 0) { throw new Win32Exception(NativeMethods.LsaNtStatusToWinError(status)); } for (int i = 0; i < memberRetourned; i++) { SecurityIdentifier sid = new SecurityIdentifier(Marshal.ReadIntPtr(membersSid, Marshal.SizeOf(typeof(IntPtr)) * i)); output.Add(sid); } NativeMethods.SamFreeMemory(membersSid); } finally { NativeMethods.SamCloseHandle(hAliasHandle); } } finally { NativeMethods.SamCloseHandle(hBuiltinHandle); } } finally { NativeMethods.SamCloseHandle(hServerHandle); } return(output); }
protected override string GetCsvData(string computer) { StringBuilder sb = new StringBuilder(); NativeMethods.UNICODE_STRING us = new NativeMethods.UNICODE_STRING(); NativeMethods.LSA_OBJECT_ATTRIBUTES loa = new NativeMethods.LSA_OBJECT_ATTRIBUTES(); us.Initialize(computer); IntPtr PolicyHandle = IntPtr.Zero; uint ret = NativeMethods.LsaOpenPolicy(ref us, ref loa, 0x00000800, out PolicyHandle); us.Dispose(); if (ret != 0) { Trace.WriteLine("LsaOpenPolicy 0x" + ret.ToString("x") + " for " + computer); sb.Append(computer); sb.Append("\tUnable to connect\tPingCastle couldn't connect to the computer. The error was 0x" + ret.ToString("x")); return(sb.ToString()); } var names = new NativeMethods.UNICODE_STRING[RemoteReference.Count + customService.Count]; try { int i = 0; foreach (var entry in RemoteReference) { names[i] = new NativeMethods.UNICODE_STRING(); names[i].Initialize("NT Service\\" + entry.Key); i++; } foreach (var entry in customService) { names[i] = new NativeMethods.UNICODE_STRING(); names[i].Initialize("NT Service\\" + entry); i++; } IntPtr ReferencedDomains, Sids; ret = NativeMethods.LsaLookupNames(PolicyHandle, names.Length, names, out ReferencedDomains, out Sids); if (ret == 0xC0000073) //STATUS_NONE_MAPPED { sb.Append(computer); sb.Append("\tNo known service found\tIf you think that the information is incorrect, please contact PingCastle support to add the antivirus in the checked list."); return(sb.ToString()); } if (ret != 0 && ret != 0x00000107) // ignore STATUS_SOME_NOT_MAPPED { Trace.WriteLine("LsaLookupNames 0x" + ret.ToString("x")); sb.Append(computer); sb.Append("\tUnable to lookup\tPingCastle couldn't translate the SID to the computer. The error was 0x" + ret.ToString("x")); return(sb.ToString()); } try { var domainList = (NativeMethods.LSA_REFERENCED_DOMAIN_LIST)Marshal.PtrToStructure(ReferencedDomains, typeof(NativeMethods.LSA_REFERENCED_DOMAIN_LIST)); if (domainList.Entries > 0) { var trustInfo = (NativeMethods.LSA_TRUST_INFORMATION)Marshal.PtrToStructure(domainList.Domains, typeof(NativeMethods.LSA_TRUST_INFORMATION)); } NativeMethods.LSA_TRANSLATED_SID[] translated; MarshalUnmananagedArray2Struct <NativeMethods.LSA_TRANSLATED_SID>(Sids, names.Length, out translated); i = 0; foreach (var entry in RemoteReference) { if (translated[i].DomainIndex >= 0) { if (sb.Length != 0) { sb.Append("\r\n"); } sb.Append(computer); sb.Append("\t"); sb.Append(entry.Key); sb.Append("\t"); sb.Append(entry.Value); } i++; } foreach (var entry in customService) { if (sb.Length != 0) { sb.Append("\r\n"); } sb.Append(computer); sb.Append("\t"); sb.Append(entry); sb.Append("\t"); sb.Append("Custom search"); i++; } } finally { NativeMethods.LsaFreeMemory(ReferencedDomains); NativeMethods.LsaFreeMemory(Sids); } } finally { NativeMethods.LsaClose(PolicyHandle); for (int k = 0; k < names.Length; k++) { names[k].Dispose(); } } return(sb.ToString()); }
public void EnumerateAccount(SecurityIdentifier DomainSid, int MaximumNumber, StreamWriter sw) { NativeMethods.UNICODE_STRING us = new NativeMethods.UNICODE_STRING(); NativeMethods.LSA_OBJECT_ATTRIBUTES loa = new NativeMethods.LSA_OBJECT_ATTRIBUTES(); us.Initialize(Server); IntPtr PolicyHandle = IntPtr.Zero; uint ret = NativeMethods.LsaOpenPolicy(ref us, ref loa, 0x00000800, out PolicyHandle); us.Dispose(); if (ret != 0) { DisplayError("Error when connecting to the remote domain LsaOpenPolicy 0x" + ret.ToString("x")); } try { DisplayAdvancement("Connection established"); uint currentRid = 500; int iteration = 0; uint returnCode = 0; int UserEnumerated = 0; // allows 10*1000 sid non resolved int retrycount = 0; while ((returnCode == 0 || returnCode == 0x00000107 || (retrycount < 10 && returnCode == 0xC0000073)) && UserEnumerated < MaximumNumber) { Trace.WriteLine("LsaLookupSids iteration " + iteration++); List <GCHandle> HandleToFree = new List <GCHandle>(); IntPtr Names = IntPtr.Zero, ReferencedDomains = IntPtr.Zero; try { SecurityIdentifier[] SidEnumBuffer = new SecurityIdentifier[1000]; IntPtr[] SidHandles = new IntPtr[SidEnumBuffer.Length]; for (int i = 0; i < SidEnumBuffer.Length; i++) { SidEnumBuffer[i] = NullSessionTester.BuildSIDFromDomainSidAndRid(DomainSid, currentRid++); byte[] sid = new byte[SidEnumBuffer[i].BinaryLength]; SidEnumBuffer[i].GetBinaryForm(sid, 0); GCHandle handlesid = GCHandle.Alloc(sid, GCHandleType.Pinned); HandleToFree.Add(handlesid); SidHandles[i] = handlesid.AddrOfPinnedObject(); } GCHandle sidHandle = GCHandle.Alloc(SidHandles, GCHandleType.Pinned); HandleToFree.Add(sidHandle); returnCode = NativeMethods.LsaLookupSids(PolicyHandle, SidEnumBuffer.Length, sidHandle.AddrOfPinnedObject(), out ReferencedDomains, out Names); if (returnCode == 0 || returnCode == 0x00000107) { retrycount = 0; NativeMethods.LSA_TRANSLATED_NAME[] lsaNames = new NativeMethods.LSA_TRANSLATED_NAME[SidEnumBuffer.Length]; NativeMethods.LSA_REFERENCED_DOMAIN_LIST domainList = (NativeMethods.LSA_REFERENCED_DOMAIN_LIST)Marshal.PtrToStructure(ReferencedDomains, typeof(NativeMethods.LSA_REFERENCED_DOMAIN_LIST)); for (int i = 0; i < SidEnumBuffer.Length; i++) { lsaNames[i] = (NativeMethods.LSA_TRANSLATED_NAME)Marshal.PtrToStructure( new IntPtr(Names.ToInt64() + i * Marshal.SizeOf(typeof(NativeMethods.LSA_TRANSLATED_NAME))) , typeof(NativeMethods.LSA_TRANSLATED_NAME)); if (lsaNames[i].Use > 0 && lsaNames[i].Use != NativeMethods.SID_NAME_USE.SidTypeUnknown) { string account = lsaNames[i].Name.ToString(); if (!String.IsNullOrEmpty(account)) { NativeMethods.LSA_TRUST_INFORMATION trustInfo = (NativeMethods.LSA_TRUST_INFORMATION)Marshal.PtrToStructure (new IntPtr(domainList.Domains.ToInt64() + lsaNames[i].DomainIndex * Marshal.SizeOf(typeof(NativeMethods.LSA_TRUST_INFORMATION))), typeof(NativeMethods.LSA_TRUST_INFORMATION)); sw.WriteLine(SidEnumBuffer[i] + "\t" + new NTAccount(trustInfo.Name.ToString(), account).Value); UserEnumerated++; if (UserEnumerated % 100 == 0) { DisplayAdvancement("Account enumerated: " + UserEnumerated); } } } } } else { retrycount++; Trace.WriteLine("LsaLookupSids " + returnCode); } } finally { if (ReferencedDomains != IntPtr.Zero) { NativeMethods.LsaFreeMemory(ReferencedDomains); } if (Names != IntPtr.Zero) { NativeMethods.LsaFreeMemory(Names); } foreach (GCHandle handle in HandleToFree) { handle.Free(); } } } } finally { NativeMethods.LsaClose(PolicyHandle); } }