示例#1
0
        /// <summary>
        /// apply registry security settings to user profiles
        /// </summary>
        /// <param name="where"></param>
        /// <param name="keyname"></param>
        /// <param name="username"></param>
        /// <returns></returns>
        public static Boolean RegSec(pInvokes.structenums.RegistryLocation where, string keyname, string username)
        {
            try
            {
                IdentityReference  UserIRef = new NTAccount(String.Format("{0}\\{1}", Environment.MachineName, username));
                SecurityIdentifier UserSid  = (SecurityIdentifier)UserIRef.Translate(typeof(SecurityIdentifier));

                using (RegistryKey key = pInvokes.GetRegistryLocation(where).OpenSubKey(keyname, true))
                {
                    RegistrySecurity keySecurity = key.GetAccessControl(AccessControlSections.Access);
                    string           SDDL        = keySecurity.GetSecurityDescriptorSddlForm(AccessControlSections.All);
                    //LibraryLogging.Info(SDDL);

                    foreach (RegistryAccessRule user in keySecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)))
                    {
                        //LibraryLogging.Info("registry ACE user: {0} {1} {2}", key.Name, user.InheritanceFlags.ToString(), user.IdentityReference.Value);
                        if (user.IdentityReference.Value.StartsWith("S-1-5-21-") && !user.IdentityReference.Value.Equals(UserIRef.Value))
                        {
                            //LibraryLogging.Info("mod registry ACE:{0} from unknown user:{1} to {2} {3} {4}", key.Name, user.IdentityReference.Value, username, user.RegistryRights.ToString(), user.AccessControlType.ToString());

                            SDDL = SDDL.Replace(user.IdentityReference.Value, UserSid.Value);
                            //LibraryLogging.Info(SDDL);
                            keySecurity.SetSecurityDescriptorSddlForm(SDDL);
                            key.SetAccessControl(keySecurity);

                            break;
                        }
                    }
                    foreach (string subkey in key.GetSubKeyNames())
                    {
                        if (!RegSec(where, keyname + "\\" + subkey, username))
                        {
                            return(false);
                        }
                    }
                }
            }
            catch (SystemException ex)
            {
                LibraryLogging.Warn("RegSec:{0} Warning {1}", keyname, ex.Message);
            }
            catch (Exception ex)
            {
                LibraryLogging.Error("RegSec:{0} Error:{1}", keyname, ex.Message);
                return(false);
            }

            return(true);
        }
示例#2
0
        public void ReplaceRegistry(string rootKey, bool recursive)
        {
            ActionObserver.NotifyAction("Search/Replace SID", "Registry", rootKey, Hostname);
            try {
                RegistryKey key = Tools.WinTool.OpenKey(Hostname, rootKey);
                try {
                    RegistrySecurity security = key.GetAccessControl(AccessControlSections.All);
                    string           sddl     = security.GetSecurityDescriptorSddlForm(AccessControlSections.All);
                    foreach (Tuple <SecurityIdentifier, SecurityIdentifier> item in ReplaceList)
                    {
                        string searchItem  = item.Item1.ToString();
                        string replaceItem = item.Item2.ToString();
                        string newSddl     = sddl.Replace(searchItem, replaceItem);
                        if (newSddl != sddl)
                        {
                            ActionObserver.NotifyInformation(
                                "RegistryKey '{0}' replaced '{1}' with '{2}'",
                                rootKey, searchItem, replaceItem
                                );
                        }
                        sddl = newSddl;
                    }
                    security.SetSecurityDescriptorSddlForm(sddl, AccessControlSections.All);
                    key.SetAccessControl(security);
                } catch (Exception error) {
                    ActionObserver.NotifyError("Unable to search SIDs on registry key '{0}' due to error '{1}'", rootKey, error.Message);
                }

                if (recursive)
                {
                    foreach (string subKey in Tools.WinTool.GetSubKeys(Hostname, rootKey))
                    {
                        if (Tools.WinTool.KeyExists(Hostname, subKey))
                        {
                            ReplaceRegistry(subKey, recursive);
                        }
                        else
                        {
                            ActionObserver.NotifyWarning("Unable to access key '{0}'", subKey);
                        }
                    }
                }
            } catch (Exception error) {
                ActionObserver.NotifyError("Unable to search/replace SIDs on registry key '{0}' due to error='{1}'", rootKey, error.Message);
            }
        }
示例#3
0
        /// <summary>
        /// apply registry security settings to user profiles
        /// </summary>
        public static bool RegSec(Abstractions.WindowsApi.pInvokes.structenums.RegistryLocation where, string keyname, SecurityIdentifier userSid)
        {
            try
            {
                using (RegistryKey key = Abstractions.WindowsApi.pInvokes.GetRegistryLocation(where).OpenSubKey(keyname, true))
                {
                    RegistrySecurity keySecurity = key.GetAccessControl(AccessControlSections.Access);
                    string           sddl        = keySecurity.GetSecurityDescriptorSddlForm(AccessControlSections.All);

                    foreach (RegistryAccessRule user in keySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)))
                    {
                        if (user.IdentityReference.Value.StartsWith("S-1-5-21-") && !user.IdentityReference.Value.Equals(userSid.Value))
                        {
                            sddl = sddl.Replace(user.IdentityReference.Value, userSid.Value);
                            keySecurity.SetSecurityDescriptorSddlForm(sddl);
                            key.SetAccessControl(keySecurity);

                            break;
                        }
                    }
                    foreach (string subkey in key.GetSubKeyNames())
                    {
                        if (!RegSec(where, keyname + "\\" + subkey, userSid))
                        {
                            return(false);
                        }
                    }
                }
            }
            catch (SystemException ex)
            {
                Log.WarnFormat("RegSec:{0} Warning {1}", keyname, ex.Message);
            }
            catch (Exception ex)
            {
                Log.ErrorFormat("RegSec:{0} Error:{1}", keyname, ex.Message);
                return(false);
            }

            return(true);
        }
示例#4
0
 static void Query(string Computer, string KeyName, string ValueName, string SearchTeam)
 {
     try
     {
         RegistryKey hive;
         if (Computer.ToUpper() != "LOCAL")
         {
             hive = RegistryKey.OpenRemoteBaseKey(RegistryHive.LocalMachine, Computer, RegistryView.Default);
         }
         else
         {
             hive = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Default);
         }
         var key = hive.OpenSubKey(KeyName);
         if (ValueName.ToUpper() == "COUNT")
         {
             try
             {
                 Console.WriteLine("\nThere are {0} subkeys under {1}.", key.SubKeyCount.ToString(), key.Name);
                 hive.Close();
                 return;
             }
             catch { }                     // Used to ignore exceptions
         }
         else if (ValueName.ToUpper() == "PERMS")
         {
             try
             {
                 RegistrySecurity registrySecurity = key.GetAccessControl();
                 Console.WriteLine("\n{0}\n", key.Name);
                 Console.WriteLine("[*] None:\n{0}\n", registrySecurity.GetSecurityDescriptorSddlForm(AccessControlSections.None));
                 Console.WriteLine("[*] Audit:\n{0}\n", registrySecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Audit));
                 Console.WriteLine("[*] Access:\n{0}\n", registrySecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Access));
                 Console.WriteLine("[*] Group:\n{0}\n", registrySecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Group));
                 var rules = registrySecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
                 foreach (var rule in rules.Cast <AuthorizationRule>())
                 {
                     Console.WriteLine("{0}", rule.IdentityReference.Value);
                 }
                 hive.Close();
                 return;
             }
             catch { }                     // Used to ignore exceptions
         }
         else if (ValueName.ToUpper() == "ALL")
         {
             Console.WriteLine();
             foreach (string oVal in key.GetValueNames())
             {
                 Console.WriteLine("    {0}    REG_{1}    {2}", oVal, key.GetValueKind(oVal).ToString().ToUpper(), key.GetValue(oVal).ToString());
             }
             Console.WriteLine();
             foreach (string oSubKey in key.GetSubKeyNames())
             {
                 Console.WriteLine("{0}\\{1}", KeyName, oSubKey);
             }
             hive.Close();
             return;
         }
         else if (ValueName.ToUpper() == "RECURSE")
         {
             Console.WriteLine();
             foreach (string oVal in key.GetValueNames())
             {
                 Console.WriteLine("    {0}    REG_{1}    {2}", oVal, key.GetValueKind(oVal).ToString().ToUpper(), key.GetValue(oVal).ToString());
             }
             Console.WriteLine();
             foreach (string oSubKey in key.GetSubKeyNames())
             {
                 Console.WriteLine("{0}\\{1}", KeyName, oSubKey);
                 Console.WriteLine();
                 var skey = hive.OpenSubKey(KeyName + "\\" + oSubKey);
                 foreach (string osVal in skey.GetValueNames())
                 {
                     Console.WriteLine("    {0}    REG_{1}    {2}", osVal, skey.GetValueKind(osVal).ToString().ToUpper(), skey.GetValue(osVal).ToString());
                 }
                 Console.WriteLine();
             }
             hive.Close();
             return;
         }
         else if (ValueName.ToUpper() == "GREP")
         {
             Console.WriteLine();
             foreach (string oVal in key.GetValueNames())
             {
                 if (oVal.Contains(SearchTeam))
                 {
                     try
                     {
                         Console.WriteLine("    {0}    REG_{1}    {2}", oVal, key.GetValueKind(oVal).ToString().ToUpper(), key.GetValue(oVal).ToString());
                     }
                     catch { }                             // Used to ignore exceptions
                 }
             }
             Console.WriteLine();
             foreach (string oSubKey in key.GetSubKeyNames())
             {
                 if (oSubKey.Contains(SearchTeam))
                 {
                     Console.WriteLine("{0}\\{1}", KeyName, oSubKey);
                 }
                 try
                 {
                     var skey = hive.OpenSubKey(KeyName + "\\" + oSubKey);
                     foreach (string osVal in skey.GetValueNames())
                     {
                         try
                         {
                             if (osVal.Contains(SearchTeam) || skey.GetValue(osVal).ToString().Contains(SearchTeam))
                             {
                                 Console.WriteLine("\n{0}\\{1}", KeyName, oSubKey);
                                 Console.WriteLine("\n    {0}    REG_{1}    {2}", osVal, skey.GetValueKind(osVal).ToString().ToUpper(), skey.GetValue(osVal).ToString());
                             }
                         }
                         catch { }                                 // Used to ignore exceptions
                     }
                 }
                 catch { }                         // Used to ignore exceptions
             }
             Console.WriteLine();
             hive.Close();
             return;
         }
         else
         {
             if (key.GetValueKind(ValueName).ToString().ToUpper() == "BINARY")
             {
                 byte[] BinData   = (byte[])key.GetValue(ValueName);
                 string BinString = BitConverter.ToString(BinData).Replace("-", "");;
                 Console.WriteLine("\n    {0}    REG_{1}    {2}", ValueName, key.GetValueKind(ValueName).ToString().ToUpper(), BinString.ToString());
             }
             else if (key.GetValueKind(ValueName).ToString().ToUpper() == "MULTISTRING")
             {
                 Console.WriteLine();
                 string[] tArray = (string[])key.GetValue(ValueName);
                 for (int i = 0; i < tArray.Length; i++)
                 {
                     Console.WriteLine("    {0}    REG_{1}    {2}", ValueName, key.GetValueKind(ValueName).ToString().ToUpper(), tArray[i]);
                 }
             }
             else
             {
                 Console.WriteLine("\n    {0}    REG_{1}    {2}", ValueName, key.GetValueKind(ValueName).ToString().ToUpper(), key.GetValue(ValueName).ToString());
             }
             hive.Close();
             return;
         }
     }
     catch (Exception e)
     {
         Console.WriteLine("\n [!] {0}: {1}", e.GetType().Name, e.Message);
         return;
     }
 }
示例#5
0
 public override string ToString()
 {
     return("SecDesc:" + _secDesc.GetSecurityDescriptorSddlForm(AccessControlSections.All) + " (refCount:" + _usageCount + ")");
 }