public static List <SecurityIdentifier> Export(string ServerName)
{
int status;
NativeMethods.UNICODE_STRING serverName = new NativeMethods.UNICODE_STRING();
serverName.Initialize(ServerName);
List <SecurityIdentifier> output = new List <SecurityIdentifier>();
IntPtr hServerHandle, hBuiltinHandle, hAliasHandle;
IntPtr membersSid;
int memberRetourned;
status = NativeMethods.SamConnect(ref serverName, out hServerHandle, SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN, 0);
if (status != 0)
{
throw new Win32Exception(NativeMethods.LsaNtStatusToWinError(status));
}
try
{
byte[] builtin = new byte[SecurityIdentifier.MaxBinaryLength];
new SecurityIdentifier("S-1-5-32").GetBinaryForm(builtin, 0);
status = NativeMethods.SamOpenDomain(hServerHandle, DOMAIN_LIST_ACCOUNTS | DOMAIN_LOOKUP, builtin, out hBuiltinHandle);
if (status != 0)
{
throw new Win32Exception(NativeMethods.LsaNtStatusToWinError(status));
}
try
{
status = NativeMethods.SamOpenAlias(hBuiltinHandle, ALIAS_LIST_MEMBERS, DOMAIN_ALIAS_RID_ADMINS, out hAliasHandle);
if (status != 0)
{
throw new Win32Exception(NativeMethods.LsaNtStatusToWinError(status));
}
try
{
status = NativeMethods.SamGetMembersInAlias(hAliasHandle, out membersSid, out memberRetourned);
if (status != 0)
{
throw new Win32Exception(NativeMethods.LsaNtStatusToWinError(status));
}
for (int i = 0; i < memberRetourned; i++)
{
SecurityIdentifier sid = new SecurityIdentifier(Marshal.ReadIntPtr(membersSid, Marshal.SizeOf(typeof(IntPtr)) * i));
output.Add(sid);
}
NativeMethods.SamFreeMemory(membersSid);
}
finally
{
NativeMethods.SamCloseHandle(hAliasHandle);
}
}
finally
{
NativeMethods.SamCloseHandle(hBuiltinHandle);
}
}
finally
{
NativeMethods.SamCloseHandle(hServerHandle);
}
return(output);
}
protected override string GetCsvData(string computer)
{
StringBuilder sb = new StringBuilder();
NativeMethods.UNICODE_STRING us = new NativeMethods.UNICODE_STRING();
NativeMethods.LSA_OBJECT_ATTRIBUTES loa = new NativeMethods.LSA_OBJECT_ATTRIBUTES();
us.Initialize(computer);
IntPtr PolicyHandle = IntPtr.Zero;
uint ret = NativeMethods.LsaOpenPolicy(ref us, ref loa, 0x00000800, out PolicyHandle);
us.Dispose();
if (ret != 0)
{
Trace.WriteLine("LsaOpenPolicy 0x" + ret.ToString("x") + " for " + computer);
sb.Append(computer);
sb.Append("\tUnable to connect\tPingCastle couldn't connect to the computer. The error was 0x" + ret.ToString("x"));
return(sb.ToString());
}
var names = new NativeMethods.UNICODE_STRING[RemoteReference.Count + customService.Count];
try
{
int i = 0;
foreach (var entry in RemoteReference)
{
names[i] = new NativeMethods.UNICODE_STRING();
names[i].Initialize("NT Service\\" + entry.Key);
i++;
}
foreach (var entry in customService)
{
names[i] = new NativeMethods.UNICODE_STRING();
names[i].Initialize("NT Service\\" + entry);
i++;
}
IntPtr ReferencedDomains, Sids;
ret = NativeMethods.LsaLookupNames(PolicyHandle, names.Length, names, out ReferencedDomains, out Sids);
if (ret == 0xC0000073) //STATUS_NONE_MAPPED
{
sb.Append(computer);
sb.Append("\tNo known service found\tIf you think that the information is incorrect, please contact PingCastle support to add the antivirus in the checked list.");
return(sb.ToString());
}
if (ret != 0 && ret != 0x00000107) // ignore STATUS_SOME_NOT_MAPPED
{
Trace.WriteLine("LsaLookupNames 0x" + ret.ToString("x"));
sb.Append(computer);
sb.Append("\tUnable to lookup\tPingCastle couldn't translate the SID to the computer. The error was 0x" + ret.ToString("x"));
return(sb.ToString());
}
try
{
var domainList = (NativeMethods.LSA_REFERENCED_DOMAIN_LIST)Marshal.PtrToStructure(ReferencedDomains, typeof(NativeMethods.LSA_REFERENCED_DOMAIN_LIST));
if (domainList.Entries > 0)
{
var trustInfo = (NativeMethods.LSA_TRUST_INFORMATION)Marshal.PtrToStructure(domainList.Domains, typeof(NativeMethods.LSA_TRUST_INFORMATION));
}
NativeMethods.LSA_TRANSLATED_SID[] translated;
MarshalUnmananagedArray2Struct <NativeMethods.LSA_TRANSLATED_SID>(Sids, names.Length, out translated);
i = 0;
foreach (var entry in RemoteReference)
{
if (translated[i].DomainIndex >= 0)
{
if (sb.Length != 0)
{
sb.Append("\r\n");
}
sb.Append(computer);
sb.Append("\t");
sb.Append(entry.Key);
sb.Append("\t");
sb.Append(entry.Value);
}
i++;
}
foreach (var entry in customService)
{
if (sb.Length != 0)
{
sb.Append("\r\n");
}
sb.Append(computer);
sb.Append("\t");
sb.Append(entry);
sb.Append("\t");
sb.Append("Custom search");
i++;
}
}
finally
{
NativeMethods.LsaFreeMemory(ReferencedDomains);
NativeMethods.LsaFreeMemory(Sids);
}
}
finally
{
NativeMethods.LsaClose(PolicyHandle);
for (int k = 0; k < names.Length; k++)
{
names[k].Dispose();
}
}
return(sb.ToString());
}
public void EnumerateAccount(SecurityIdentifier DomainSid, int MaximumNumber, StreamWriter sw)
{
NativeMethods.UNICODE_STRING us = new NativeMethods.UNICODE_STRING();
NativeMethods.LSA_OBJECT_ATTRIBUTES loa = new NativeMethods.LSA_OBJECT_ATTRIBUTES();
us.Initialize(Server);
IntPtr PolicyHandle = IntPtr.Zero;
uint ret = NativeMethods.LsaOpenPolicy(ref us, ref loa, 0x00000800, out PolicyHandle);
us.Dispose();
if (ret != 0)
{
DisplayError("Error when connecting to the remote domain LsaOpenPolicy 0x" + ret.ToString("x"));
}
try
{
DisplayAdvancement("Connection established");
uint currentRid = 500;
int iteration = 0;
uint returnCode = 0;
int UserEnumerated = 0;
// allows 10*1000 sid non resolved
int retrycount = 0;
while ((returnCode == 0 || returnCode == 0x00000107 || (retrycount < 10 && returnCode == 0xC0000073)) && UserEnumerated < MaximumNumber)
{
Trace.WriteLine("LsaLookupSids iteration " + iteration++);
List <GCHandle> HandleToFree = new List <GCHandle>();
IntPtr Names = IntPtr.Zero, ReferencedDomains = IntPtr.Zero;
try
{
SecurityIdentifier[] SidEnumBuffer = new SecurityIdentifier[1000];
IntPtr[] SidHandles = new IntPtr[SidEnumBuffer.Length];
for (int i = 0; i < SidEnumBuffer.Length; i++)
{
SidEnumBuffer[i] = NullSessionTester.BuildSIDFromDomainSidAndRid(DomainSid, currentRid++);
byte[] sid = new byte[SidEnumBuffer[i].BinaryLength];
SidEnumBuffer[i].GetBinaryForm(sid, 0);
GCHandle handlesid = GCHandle.Alloc(sid, GCHandleType.Pinned);
HandleToFree.Add(handlesid);
SidHandles[i] = handlesid.AddrOfPinnedObject();
}
GCHandle sidHandle = GCHandle.Alloc(SidHandles, GCHandleType.Pinned);
HandleToFree.Add(sidHandle);
returnCode = NativeMethods.LsaLookupSids(PolicyHandle, SidEnumBuffer.Length, sidHandle.AddrOfPinnedObject(), out ReferencedDomains, out Names);
if (returnCode == 0 || returnCode == 0x00000107)
{
retrycount = 0;
NativeMethods.LSA_TRANSLATED_NAME[] lsaNames = new NativeMethods.LSA_TRANSLATED_NAME[SidEnumBuffer.Length];
NativeMethods.LSA_REFERENCED_DOMAIN_LIST domainList = (NativeMethods.LSA_REFERENCED_DOMAIN_LIST)Marshal.PtrToStructure(ReferencedDomains, typeof(NativeMethods.LSA_REFERENCED_DOMAIN_LIST));
for (int i = 0; i < SidEnumBuffer.Length; i++)
{
lsaNames[i] = (NativeMethods.LSA_TRANSLATED_NAME)Marshal.PtrToStructure(
new IntPtr(Names.ToInt64() + i * Marshal.SizeOf(typeof(NativeMethods.LSA_TRANSLATED_NAME)))
, typeof(NativeMethods.LSA_TRANSLATED_NAME));
if (lsaNames[i].Use > 0 && lsaNames[i].Use != NativeMethods.SID_NAME_USE.SidTypeUnknown)
{
string account = lsaNames[i].Name.ToString();
if (!String.IsNullOrEmpty(account))
{
NativeMethods.LSA_TRUST_INFORMATION trustInfo = (NativeMethods.LSA_TRUST_INFORMATION)Marshal.PtrToStructure
(new IntPtr(domainList.Domains.ToInt64() + lsaNames[i].DomainIndex * Marshal.SizeOf(typeof(NativeMethods.LSA_TRUST_INFORMATION))), typeof(NativeMethods.LSA_TRUST_INFORMATION));
sw.WriteLine(SidEnumBuffer[i] + "\t" + new NTAccount(trustInfo.Name.ToString(), account).Value);
UserEnumerated++;
if (UserEnumerated % 100 == 0)
{
DisplayAdvancement("Account enumerated: " + UserEnumerated);
}
}
}
}
}
else
{
retrycount++;
Trace.WriteLine("LsaLookupSids " + returnCode);
}
}
finally
{
if (ReferencedDomains != IntPtr.Zero)
{
NativeMethods.LsaFreeMemory(ReferencedDomains);
}
if (Names != IntPtr.Zero)
{
NativeMethods.LsaFreeMemory(Names);
}
foreach (GCHandle handle in HandleToFree)
{
handle.Free();
}
}
}
}
finally
{
NativeMethods.LsaClose(PolicyHandle);
}
}
