rtdmpsec.c File Reference

#include "cmp.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

Go to the source code of this file.

Classes
struct	_KNOWN_ACE
Defines
#define	WORK_SIZE   1024
#define	FirstAce(Acl)   ((PVOID)((PUCHAR)(Acl) + sizeof(ACL)))
#define	NextAce(Ace)   ((PVOID)((PUCHAR)(Ace) + ((PACE_HEADER)(Ace))->AceSize))
Typedefs
typedef _KNOWN_ACE	KNOWN_ACE
typedef _KNOWN_ACE *	PKNOWN_ACE
Functions
VOID	InitVars ()
VOID	PrintAcl (IN PACL Acl)
VOID	PrintAccessMask (IN ACCESS_MASK AccessMask)
void __cdecl	main (int, char *)
void	processargs ()
void	print (PUNICODE_STRING)
void	DumpSecurity (HANDLE Handle)
void	Dump (HANDLE Handle)
void __cdecl	main (int argc, char *argv[])
void	processargs (int argc, char *argv[])
BOOLEAN	SidTranslation (PSID Sid, PSTRING AccountName)
VOID	DisplayAccountSid (PSID Sid)
Variables
UNICODE_STRING	WorkName
WCHAR	workbuffer [WORK_SIZE]
PSID	NullSid
PSID	WorldSid
PSID	LocalSid
PSID	CreatorOwnerSid
PSID	NtAuthoritySid
PSID	DialupSid
PSID	NetworkSid
PSID	BatchSid
PSID	InteractiveSid
PSID	LocalSystemSid

---

Define Documentation

#define FirstAce (  Acl   )     ((PVOID)((PUCHAR)(Acl) + sizeof(ACL)))

Definition at line 53 of file rtdmpsec.c. Referenced by DumpAcl(), PrintAcl(), RtlAddAce(), RtlDeleteAce(), RtlFirstFreeAce(), RtlGetAce(), RtlpApplyAclToObject(), RtlpConvertAclToAutoInherit(), RtlpCopyAces(), RtlpCreateServerAcl(), RtlpGenerateInheritAcl(), RtlpInheritAcl2(), RtlpIsDuplicateAce(), SeFastTraverseCheck(), SepAccessCheck(), SepExamineSacl(), SepExamineSaclEx(), SepMaximumAccessCheck(), SepNormalAccessCheck(), and SepPrintAcl().

#define NextAce (  Ace   )     ((PVOID)((PUCHAR)(Ace) + ((PACE_HEADER)(Ace))->AceSize))

Definition at line 59 of file rtdmpsec.c. Referenced by DumpAcl(), PrintAcl(), RtlAddAce(), RtlDeleteAce(), RtlFirstFreeAce(), RtlGetAce(), RtlpApplyAclToObject(), RtlpConvertAclToAutoInherit(), RtlpCopyAces(), RtlpCreateServerAcl(), RtlpGenerateInheritAcl(), RtlpIsDuplicateAce(), SeFastTraverseCheck(), SepAccessCheck(), SepExamineSacl(), SepExamineSaclEx(), SepMaximumAccessCheck(), SepNormalAccessCheck(), and SepPrintAcl().

#define WORK_SIZE   1024

Definition at line 47 of file rtdmpsec.c.

---

Typedef Documentation

typedef struct _KNOWN_ACE KNOWN_ACE

Referenced by RtlpCopyEffectiveAce(), RtlpCreateServerAcl(), and RtlValidAcl().

typedef struct _KNOWN_ACE * PKNOWN_ACE

Referenced by PrintAcl(), and RtlValidAcl().

---

Function Documentation

VOID DisplayAccountSid (  PSID  Sid  )

Definition at line 447 of file rtdmpsec.c. References Buffer, RtlIdentifierAuthoritySid(), RtlSubAuthorityCountSid(), RtlSubAuthoritySid(), SidTranslation(), and USHORT. { UCHAR Buffer[128]; STRING AccountName; UCHAR i; ULONG Tmp; PSID_IDENTIFIER_AUTHORITY IdentifierAuthority; UCHAR SubAuthorityCount; Buffer[0] = 0; AccountName.MaximumLength = 127; AccountName.Length = 0; AccountName.Buffer = (PVOID)&Buffer[0]; if (SidTranslation( (PSID)Sid, &AccountName) ) { printf("%s\n", AccountName.Buffer ); } else { IdentifierAuthority = RtlIdentifierAuthoritySid(Sid); // // HACK! HACK! // The next line prints the revision of the SID. Since there is no // rtl routine which gives us the SID revision, we must make due. // luckily, the revision field is the first field in the SID, so we // can just cast the pointer. // printf("S-%u-", (USHORT) *((PUCHAR) Sid) ); if ( (IdentifierAuthority->Value[0] != 0) || (IdentifierAuthority->Value[1] != 0) ){ printf("0x%02hx%02hx%02hx%02hx%02hx%02hx", IdentifierAuthority->Value[0], IdentifierAuthority->Value[1], IdentifierAuthority->Value[2], IdentifierAuthority->Value[3], IdentifierAuthority->Value[4], IdentifierAuthority->Value[5] ); } else { Tmp = IdentifierAuthority->Value[5] + (IdentifierAuthority->Value[4] << 8) + (IdentifierAuthority->Value[3] << 16) + (IdentifierAuthority->Value[2] << 24); printf("%lu", Tmp); } SubAuthorityCount = *RtlSubAuthorityCountSid(Sid); for (i=0;i<SubAuthorityCount ;i++ ) { printf("-%lu", (*RtlSubAuthoritySid(Sid, i))); } printf("\n"); } }

void Dump (  HANDLE  Handle  )

Referenced by Dump(), List(), and main().

void DumpSecurity (  HANDLE  Handle  )

Definition at line 283 of file rtdmpsec.c. References Dacl, exit, Handle, NT_SUCCESS, NtQuerySecurityObject(), NTSTATUS(), NULL, PrintAcl(), RtlGetDaclSecurityDescriptor(), and Status. { PSECURITY_DESCRIPTOR SecurityDescriptor; NTSTATUS Status; ULONG Length; PACL Dacl; BOOLEAN DaclPresent; BOOLEAN DaclDefaulted; Status = NtQuerySecurityObject( Handle, DACL_SECURITY_INFORMATION, NULL, 0, &Length ); if (Status != STATUS_BUFFER_TOO_SMALL) { printf("DumpSecurity t0: NtQuerySecurityObject failed %lx\n",Status); exit(1); } SecurityDescriptor = malloc(Length); if (SecurityDescriptor == NULL) { printf("DumpSecurity: couldn't malloc buffer\n"); exit(1); } Status = NtQuerySecurityObject( Handle, DACL_SECURITY_INFORMATION, SecurityDescriptor, Length, &Length ); if (!NT_SUCCESS(Status)) { printf("DumpSecurity t1: NtQuerySecurityObject failed %lx\n",Status); exit(1); } Dacl = NULL; Status = RtlGetDaclSecurityDescriptor( SecurityDescriptor, &DaclPresent, &Dacl, &DaclDefaulted ); if (!NT_SUCCESS(Status)) { printf("DumpSecurity t2: RtlGetDaclSecurityDescriptor failed %lx\n",Status); } if (DaclPresent) { PrintAcl(Dacl); } else { printf("\tAcl not present\n"); } }

VOID InitVars (   )

Definition at line 511 of file rtdmpsec.c. References BatchSid, CreatorOwnerSid, DialupSid, InteractiveSid, LocalSid, LocalSystemSid, NetworkSid, NtAuthoritySid, NullSid, RtlInitializeSid(), RtlLengthRequiredSid(), RtlSubAuthoritySid(), and WorldSid. Referenced by main(). { ULONG SidWithZeroSubAuthorities; ULONG SidWithOneSubAuthority; ULONG SidWithThreeSubAuthorities; ULONG SidWithFourSubAuthorities; SID_IDENTIFIER_AUTHORITY NullSidAuthority = SECURITY_NULL_SID_AUTHORITY; SID_IDENTIFIER_AUTHORITY WorldSidAuthority = SECURITY_WORLD_SID_AUTHORITY; SID_IDENTIFIER_AUTHORITY LocalSidAuthority = SECURITY_LOCAL_SID_AUTHORITY; SID_IDENTIFIER_AUTHORITY CreatorSidAuthority = SECURITY_CREATOR_SID_AUTHORITY; SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY; // // The following SID sizes need to be allocated // SidWithZeroSubAuthorities = RtlLengthRequiredSid( 0 ); SidWithOneSubAuthority = RtlLengthRequiredSid( 1 ); SidWithThreeSubAuthorities = RtlLengthRequiredSid( 3 ); SidWithFourSubAuthorities = RtlLengthRequiredSid( 4 ); // // Allocate and initialize the universal SIDs // NullSid = (PSID)malloc(SidWithOneSubAuthority); WorldSid = (PSID)malloc(SidWithOneSubAuthority); LocalSid = (PSID)malloc(SidWithOneSubAuthority); CreatorOwnerSid = (PSID)malloc(SidWithOneSubAuthority); RtlInitializeSid( NullSid, &NullSidAuthority, 1 ); RtlInitializeSid( WorldSid, &WorldSidAuthority, 1 ); RtlInitializeSid( LocalSid, &LocalSidAuthority, 1 ); RtlInitializeSid( CreatorOwnerSid, &CreatorSidAuthority, 1 ); *(RtlSubAuthoritySid( NullSid, 0 )) = SECURITY_NULL_RID; *(RtlSubAuthoritySid( WorldSid, 0 )) = SECURITY_WORLD_RID; *(RtlSubAuthoritySid( LocalSid, 0 )) = SECURITY_LOCAL_RID; *(RtlSubAuthoritySid( CreatorOwnerSid, 0 )) = SECURITY_CREATOR_OWNER_RID; // // Allocate and initialize the NT defined SIDs // NtAuthoritySid = (PSID)malloc(SidWithZeroSubAuthorities); DialupSid = (PSID)malloc(SidWithOneSubAuthority); NetworkSid = (PSID)malloc(SidWithOneSubAuthority); BatchSid = (PSID)malloc(SidWithOneSubAuthority); InteractiveSid = (PSID)malloc(SidWithOneSubAuthority); LocalSystemSid = (PSID)malloc(SidWithOneSubAuthority); RtlInitializeSid( NtAuthoritySid, &NtAuthority, 0 ); RtlInitializeSid( DialupSid, &NtAuthority, 1 ); RtlInitializeSid( NetworkSid, &NtAuthority, 1 ); RtlInitializeSid( BatchSid, &NtAuthority, 1 ); RtlInitializeSid( InteractiveSid, &NtAuthority, 1 ); RtlInitializeSid( LocalSystemSid, &NtAuthority, 1 ); *(RtlSubAuthoritySid( DialupSid, 0 )) = SECURITY_DIALUP_RID; *(RtlSubAuthoritySid( NetworkSid, 0 )) = SECURITY_NETWORK_RID; *(RtlSubAuthoritySid( BatchSid, 0 )) = SECURITY_BATCH_RID; *(RtlSubAuthoritySid( InteractiveSid, 0 )) = SECURITY_INTERACTIVE_RID; *(RtlSubAuthoritySid( LocalSystemSid, 0 )) = SECURITY_LOCAL_SYSTEM_RID; return; }

void __cdecl main (  int  argc, char *  argv[] )

Definition at line 126 of file rtdmpsec.c. References Dump(), exit, InitVars(), L, NT_SUCCESS, NtOpenKey(), NTSTATUS(), NULL, ObjectAttributes, processargs(), WORK_SIZE, workbuffer, and WorkName. { NTSTATUS status; OBJECT_ATTRIBUTES ObjectAttributes; HANDLE BaseHandle; InitVars(); // // Process args // WorkName.MaximumLength = WORK_SIZE; WorkName.Length = 0L; WorkName.Buffer = &(workbuffer[0]); processargs(argc, argv); // // Set up and open KeyPath // printf("rtdmpsec: starting\n"); InitializeObjectAttributes( &ObjectAttributes, &WorkName, 0, (HANDLE)NULL, NULL ); ObjectAttributes.Attributes |= OBJ_CASE_INSENSITIVE; status = NtOpenKey( &BaseHandle, MAXIMUM_ALLOWED, &ObjectAttributes ); if (!NT_SUCCESS(status)) { printf("rtdmpsec: t0: %08lx\n", status); exit(1); } Dump(BaseHandle); }

void __cdecl main (  int  , char *  )

void print (  PUNICODE_STRING   )

Referenced by Dump(), and DumpValues().

VOID PrintAccessMask (  IN ACCESS_MASK  AccessMask  )

Definition at line 722 of file rtdmpsec.c. Referenced by PrintAcl(). { printf("\n\tAccess Mask: "); if (AccessMask == KEY_ALL_ACCESS) { printf("KEY_ALL_ACCESS\n\t "); return; } if (AccessMask == KEY_READ) { printf("KEY_READ\n\t "); return; } if (AccessMask == KEY_WRITE) { printf("KEY_WRITE\n\t "); return; } if (AccessMask & KEY_QUERY_VALUE) { printf("KEY_QUERY_VALUE\n\t "); } if (AccessMask & KEY_SET_VALUE) { printf("KEY_SET_VALUE\n\t "); } if (AccessMask & KEY_CREATE_SUB_KEY) { printf("KEY_CREATE_SUB_KEY\n\t "); } if (AccessMask & KEY_ENUMERATE_SUB_KEYS) { printf("KEY_ENUMERATE_SUB_KEYS\n\t "); } if (AccessMask & KEY_NOTIFY) { printf("KEY_NOTIFY\n\t "); } if (AccessMask & KEY_CREATE_LINK) { printf("KEY_CREATE_LINK\n\t "); } if (AccessMask & GENERIC_ALL) { printf("GENERIC_ALL\n\t "); } if (AccessMask & GENERIC_EXECUTE) { printf("GENERIC_EXECUTE\n\t "); } if (AccessMask & GENERIC_WRITE) { printf("GENERIC_WRITE\n\t "); } if (AccessMask & GENERIC_READ) { printf("GENERIC_READ\n\t "); } if (AccessMask & GENERIC_READ) { printf("GENERIC_READ\n\t "); } if (AccessMask & MAXIMUM_ALLOWED) { printf("MAXIMUM_ALLOWED\n\t "); } if (AccessMask & ACCESS_SYSTEM_SECURITY) { printf("ACCESS_SYSTEM_SECURITY\n\t "); } if (AccessMask & WRITE_OWNER) { printf("WRITE_OWNER\n\t "); } if (AccessMask & WRITE_DAC) { printf("WRITE_DAC\n\t "); } if (AccessMask & READ_CONTROL) { printf("READ_CONTROL\n\t "); } if (AccessMask & DELETE) { printf("DELETE\n\t "); } }

VOID PrintAcl (  IN PACL  Acl  )

Definition at line 585 of file rtdmpsec.c. References DisplayAccountSid(), FALSE, FirstAce, NextAce, NULL, PKNOWN_ACE, PrintAccessMask(), and TRUE. Referenced by DumpSecurity(). : This routine dumps an Acl for debug purposes (via printf). It is specialized to dump standard aces. Arguments: Acl - Supplies the Acl to dump Return Value: None --*/ { ULONG i; PKNOWN_ACE Ace; BOOLEAN KnownType; PCHAR AceTypes[] = { "Access Allowed", "Access Denied ", "System Audit ", "System Alarm " }; if (Acl == NULL) { printf("\tAcl == ALL ACCESS GRANTED!\n"); return; } // // Dump the Acl header // printf("\tRevision: %02x", Acl->AclRevision); printf(" Size: %04x", Acl->AclSize); printf(" AceCount: %04x\n", Acl->AceCount); // // Now for each Ace we want do dump it // for (i = 0, Ace = FirstAce(Acl); i < Acl->AceCount; i++, Ace = NextAce(Ace) ) { // // print out the ace header // printf("\n\tAceHeader: %08lx ", *(PULONG)Ace); // // special case on the standard ace types // if ((Ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) || (Ace->Header.AceType == ACCESS_DENIED_ACE_TYPE) || (Ace->Header.AceType == SYSTEM_AUDIT_ACE_TYPE) || (Ace->Header.AceType == SYSTEM_ALARM_ACE_TYPE)) { // // The following array is indexed by ace types and must // follow the allowed, denied, audit, alarm seqeuence // PCHAR AceTypes[] = { "Access Allowed", "Access Denied ", "System Audit ", "System Alarm " }; printf(AceTypes[Ace->Header.AceType]); PrintAccessMask(Ace->Mask); KnownType = TRUE; } else { KnownType = FALSE; printf(" Unknown Ace Type\n"); } printf("\n"); printf("\tAceSize = %d\n",Ace->Header.AceSize); printf("\tAce Flags = "); if (Ace->Header.AceFlags & OBJECT_INHERIT_ACE) { printf("OBJECT_INHERIT_ACE\n"); printf(" "); } if (Ace->Header.AceFlags & CONTAINER_INHERIT_ACE) { printf("CONTAINER_INHERIT_ACE\n"); printf(" "); } if (Ace->Header.AceFlags & NO_PROPAGATE_INHERIT_ACE) { printf("NO_PROPAGATE_INHERIT_ACE\n"); printf(" "); } if (Ace->Header.AceFlags & INHERIT_ONLY_ACE) { printf("INHERIT_ONLY_ACE\n"); printf(" "); } if (Ace->Header.AceFlags & SUCCESSFUL_ACCESS_ACE_FLAG) { printf("SUCCESSFUL_ACCESS_ACE_FLAG\n"); printf(" "); } if (Ace->Header.AceFlags & FAILED_ACCESS_ACE_FLAG) { printf("FAILED_ACCESS_ACE_FLAG\n"); printf(" "); } printf("\n"); printf("\tSid = "); DisplayAccountSid(&Ace->SidStart); } }

void processargs (  int  argc, char *  argv[] )

Definition at line 360 of file rtdmpsec.c. References exit, FALSE, RtlAnsiStringToUnicodeString(), RtlInitAnsiString(), and WorkName. { ANSI_STRING temp; if ( (argc != 2) ) { printf("Usage: %s <KeyPath>\n", argv[0]); exit(1); } RtlInitAnsiString( &temp, argv[1] ); RtlAnsiStringToUnicodeString( &WorkName, &temp, FALSE ); return; }

void processargs (   )

BOOLEAN SidTranslation (  PSID  Sid, PSTRING  AccountName )

Definition at line 390 of file rtdmpsec.c. References BatchSid, FALSE, InteractiveSid, LocalSid, LocalSystemSid, NetworkSid, RtlEqualSid(), RtlInitString(), TRUE, and WorldSid. Referenced by DisplayAccountSid(). { if (RtlEqualSid(Sid, WorldSid)) { RtlInitString( AccountName, "WORLD"); return(TRUE); } if (RtlEqualSid(Sid, LocalSid)) { RtlInitString( AccountName, "LOCAL"); return(TRUE); } if (RtlEqualSid(Sid, NetworkSid)) { RtlInitString( AccountName, "NETWORK"); return(TRUE); } if (RtlEqualSid(Sid, BatchSid)) { RtlInitString( AccountName, "BATCH"); return(TRUE); } if (RtlEqualSid(Sid, InteractiveSid)) { RtlInitString( AccountName, "INTERACTIVE"); return(TRUE); } if (RtlEqualSid(Sid, LocalSystemSid)) { RtlInitString( AccountName, "SYSTEM"); return(TRUE); } // // if (RtlEqualSid(Sid, LocalManagerSid)) { // RtlInitString( AccountName, "LOCAL MANAGER"); // return(TRUE); // } // if (RtlEqualSid(Sid, LocalAdminSid)) { // RtlInitString( AccountName, "LOCAL ADMIN"); // return(TRUE); // } return(FALSE); }

---

Variable Documentation

PSID BatchSid

Definition at line 121 of file rtdmpsec.c. Referenced by InitVars(), SidTranslation(), TestSeSid(), and TSeVariableInitialization().

PSID CreatorOwnerSid

Definition at line 111 of file rtdmpsec.c. Referenced by InitVars(), and RtlpConvertAclToAutoInherit().

PSID DialupSid

Definition at line 119 of file rtdmpsec.c. Referenced by InitVars(), TestSeSid(), and TSeVariableInitialization().

PSID InteractiveSid

Definition at line 122 of file rtdmpsec.c. Referenced by InitVars(), SidTranslation(), TestSeSid(), and TSeVariableInitialization().

PSID LocalSid

Definition at line 110 of file rtdmpsec.c. Referenced by InitVars(), SidTranslation(), TestSeSid(), and TSeVariableInitialization().

PSID LocalSystemSid

Definition at line 123 of file rtdmpsec.c. Referenced by InitVars(), SidTranslation(), TestSeSid(), TestTokenAssignPrimary(), and TSeVariableInitialization().

PSID NetworkSid

Definition at line 120 of file rtdmpsec.c. Referenced by InitVars(), SidTranslation(), TestSeSid(), and TSeVariableInitialization().

PSID NtAuthoritySid

Definition at line 117 of file rtdmpsec.c. Referenced by InitVars(), TestSeSid(), and TSeVariableInitialization().

PSID NullSid

Definition at line 108 of file rtdmpsec.c. Referenced by InitVars(), TestSeSid(), and TSeVariableInitialization().

WCHAR workbuffer[WORK_SIZE]

Definition at line 102 of file rtdmpsec.c.

UNICODE_STRING WorkName

Definition at line 101 of file rtdmpsec.c.

PSID WorldSid

Definition at line 109 of file rtdmpsec.c. Referenced by CmpHiveRootSecurityDescriptor(), CreateBSMEventSD(), CreateDAclToken(), GenerateDescriptor(), InitVars(), SidTranslation(), TestSeSid(), TestTokenAdjustGroups(), TestTokenAssignPrimary(), TestTokenCreate(), TestTokenFilter(), TestTokenQuery(), and TSeVariableInitialization().

---