|
|
/*++
Copyright (c) 1991 Microsoft Corporation
Module Name:
rtdmpsec.c
Abstract:
NT level registry security test program #1, basic non-error paths.
Dump out the security descriptors of a sub-tree of the registry.
rtdmpsec <KeyPath>
Will ennumerate and dump out the subkeys and values of KeyPath, and then apply itself recursively to each subkey it finds.
It assumes data values are null terminated strings.
Example:
rtdmpsec \REGISTRY\MACHINE\TEST\bigkey
Author:
John Vert (jvert) 24-Jan-92
based on rtdmp.c by
Bryan Willman (bryanwi) 10-Dec-91
and getdacl.c by RobertRe
Revision History:
Richard Ward (richardw) 14 April 1992 Changed ACE_HEADER
--*/
#include "cmp.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define WORK_SIZE 1024
//
// Get a pointer to the first ace in an acl
//
#define FirstAce(Acl) ((PVOID)((PUCHAR)(Acl) + sizeof(ACL)))
//
// Get a pointer to the following ace
//
#define NextAce(Ace) ((PVOID)((PUCHAR)(Ace) + ((PACE_HEADER)(Ace))->AceSize))
//
// Generic ACE structure, to be used for casting ACE's of known types
//
typedef struct _KNOWN_ACE { ACE_HEADER Header; ACCESS_MASK Mask; ULONG SidStart; } KNOWN_ACE, *PKNOWN_ACE;
VOIDInitVars();
VOIDPrintAcl ( IN PACL Acl );
VOIDPrintAccessMask( IN ACCESS_MASK AccessMask );
void __cdecl main(int, char *);void processargs();
void print(PUNICODE_STRING);
voidDumpSecurity( HANDLE Handle );
voidDump( HANDLE Handle );
UNICODE_STRING WorkName;WCHAR workbuffer[WORK_SIZE];
//
// Universal well known SIDs
//
PSID NullSid;PSID WorldSid;PSID LocalSid;PSID CreatorOwnerSid;
//
// Sids defined by NT
//
PSID NtAuthoritySid;
PSID DialupSid;PSID NetworkSid;PSID BatchSid;PSID InteractiveSid;PSID LocalSystemSid;
void__cdecl main( int argc, char *argv[] ){ NTSTATUS status; OBJECT_ATTRIBUTES ObjectAttributes; HANDLE BaseHandle;
InitVars();
//
// Process args
//
WorkName.MaximumLength = WORK_SIZE; WorkName.Length = 0L; WorkName.Buffer = &(workbuffer[0]);
processargs(argc, argv);
//
// Set up and open KeyPath
//
printf("rtdmpsec: starting\n");
InitializeObjectAttributes( &ObjectAttributes, &WorkName, 0, (HANDLE)NULL, NULL ); ObjectAttributes.Attributes |= OBJ_CASE_INSENSITIVE;
status = NtOpenKey( &BaseHandle, MAXIMUM_ALLOWED, &ObjectAttributes ); if (!NT_SUCCESS(status)) { printf("rtdmpsec: t0: %08lx\n", status); exit(1); }
Dump(BaseHandle);}
�voidDump( HANDLE Handle ){ NTSTATUS status; PKEY_BASIC_INFORMATION KeyInformation; OBJECT_ATTRIBUTES ObjectAttributes; ULONG NamePos; ULONG index; STRING enumname; HANDLE WorkHandle; ULONG ResultLength; static char buffer[WORK_SIZE]; PUCHAR p;
KeyInformation = (PKEY_BASIC_INFORMATION)buffer; NamePos = WorkName.Length;
//
// Print name of node we are about to dump out
//
printf("\n"); print(&WorkName); printf("::\n");
//
// Print out node's values
//
DumpSecurity(Handle);
//
// Enumerate node's children and apply ourselves to each one
//
for (index = 0; TRUE; index++) {
RtlZeroMemory(KeyInformation, WORK_SIZE); status = NtEnumerateKey( Handle, index, KeyBasicInformation, KeyInformation, WORK_SIZE, &ResultLength );
if (status == STATUS_NO_MORE_ENTRIES) {
WorkName.Length = NamePos; return;
} else if (!NT_SUCCESS(status)) {
printf("rtdmpsec: dump1: status = %08lx\n", status); exit(1);
}
enumname.Buffer = &(KeyInformation->Name[0]); enumname.Length = KeyInformation->NameLength; enumname.MaximumLength = KeyInformation->NameLength;
p = WorkName.Buffer; p += WorkName.Length; *p = '\\'; p++; *p = '\0'; WorkName.Length += 2;
RtlAppendStringToString((PSTRING)&WorkName, (PSTRING)&enumname);
InitializeObjectAttributes( &ObjectAttributes, &enumname, 0, Handle, NULL ); ObjectAttributes.Attributes |= OBJ_CASE_INSENSITIVE;
status = NtOpenKey( &WorkHandle, MAXIMUM_ALLOWED, &ObjectAttributes ); if (!NT_SUCCESS(status)) { if (status == STATUS_ACCESS_DENIED) { printf("\n"); print(&WorkName); printf("::\n\tAccess denied!\n"); } else { printf("rtdmpsec: dump2: %08lx\n", status); exit(1); } } else { Dump(WorkHandle); NtClose(WorkHandle); }
WorkName.Length = NamePos; }}
�voidDumpSecurity( HANDLE Handle ){ PSECURITY_DESCRIPTOR SecurityDescriptor; NTSTATUS Status; ULONG Length; PACL Dacl; BOOLEAN DaclPresent; BOOLEAN DaclDefaulted;
Status = NtQuerySecurityObject( Handle, DACL_SECURITY_INFORMATION, NULL, 0, &Length );
if (Status != STATUS_BUFFER_TOO_SMALL) { printf("DumpSecurity t0: NtQuerySecurityObject failed %lx\n",Status); exit(1); }
SecurityDescriptor = malloc(Length); if (SecurityDescriptor == NULL) { printf("DumpSecurity: couldn't malloc buffer\n"); exit(1); }
Status = NtQuerySecurityObject( Handle, DACL_SECURITY_INFORMATION, SecurityDescriptor, Length, &Length );
if (!NT_SUCCESS(Status)) { printf("DumpSecurity t1: NtQuerySecurityObject failed %lx\n",Status); exit(1); }
Dacl = NULL;
Status = RtlGetDaclSecurityDescriptor( SecurityDescriptor, &DaclPresent, &Dacl, &DaclDefaulted ); if (!NT_SUCCESS(Status)) { printf("DumpSecurity t2: RtlGetDaclSecurityDescriptor failed %lx\n",Status); }
if (DaclPresent) { PrintAcl(Dacl); } else { printf("\tAcl not present\n"); }
}
�voidprint( PUNICODE_STRING String ){ static ANSI_STRING temp; static char tempbuffer[WORK_SIZE];
temp.MaximumLength = WORK_SIZE; temp.Length = 0L; temp.Buffer = tempbuffer;
RtlUnicodeStringToAnsiString(&temp, String, FALSE); printf("%s", temp.Buffer); return;}
�voidprocessargs( int argc, char *argv[] ){ ANSI_STRING temp;
if ( (argc != 2) ) { printf("Usage: %s <KeyPath>\n", argv[0]); exit(1); }
RtlInitAnsiString( &temp, argv[1] );
RtlAnsiStringToUnicodeString( &WorkName, &temp, FALSE );
return;}
�BOOLEANSidTranslation( PSID Sid, PSTRING AccountName )// AccountName is expected to have a large maximum length
{ if (RtlEqualSid(Sid, WorldSid)) { RtlInitString( AccountName, "WORLD"); return(TRUE); }
if (RtlEqualSid(Sid, LocalSid)) { RtlInitString( AccountName, "LOCAL");
return(TRUE); }
if (RtlEqualSid(Sid, NetworkSid)) { RtlInitString( AccountName, "NETWORK");
return(TRUE); }
if (RtlEqualSid(Sid, BatchSid)) { RtlInitString( AccountName, "BATCH");
return(TRUE); }
if (RtlEqualSid(Sid, InteractiveSid)) { RtlInitString( AccountName, "INTERACTIVE"); return(TRUE); }
if (RtlEqualSid(Sid, LocalSystemSid)) { RtlInitString( AccountName, "SYSTEM"); return(TRUE); }
//
// if (RtlEqualSid(Sid, LocalManagerSid)) {
// RtlInitString( AccountName, "LOCAL MANAGER");
// return(TRUE);
// }
// if (RtlEqualSid(Sid, LocalAdminSid)) {
// RtlInitString( AccountName, "LOCAL ADMIN");
// return(TRUE);
// }
return(FALSE);
}
�VOIDDisplayAccountSid( PSID Sid ){ UCHAR Buffer[128]; STRING AccountName; UCHAR i; ULONG Tmp; PSID_IDENTIFIER_AUTHORITY IdentifierAuthority; UCHAR SubAuthorityCount;
Buffer[0] = 0;
AccountName.MaximumLength = 127; AccountName.Length = 0; AccountName.Buffer = (PVOID)&Buffer[0];
if (SidTranslation( (PSID)Sid, &AccountName) ) {
printf("%s\n", AccountName.Buffer );
} else { IdentifierAuthority = RtlIdentifierAuthoritySid(Sid);
//
// HACK! HACK!
// The next line prints the revision of the SID. Since there is no
// rtl routine which gives us the SID revision, we must make due.
// luckily, the revision field is the first field in the SID, so we
// can just cast the pointer.
//
printf("S-%u-", (USHORT) *((PUCHAR) Sid) );
if ( (IdentifierAuthority->Value[0] != 0) || (IdentifierAuthority->Value[1] != 0) ){ printf("0x%02hx%02hx%02hx%02hx%02hx%02hx", IdentifierAuthority->Value[0], IdentifierAuthority->Value[1], IdentifierAuthority->Value[2], IdentifierAuthority->Value[3], IdentifierAuthority->Value[4], IdentifierAuthority->Value[5] ); } else { Tmp = IdentifierAuthority->Value[5] + (IdentifierAuthority->Value[4] << 8) + (IdentifierAuthority->Value[3] << 16) + (IdentifierAuthority->Value[2] << 24); printf("%lu", Tmp); }
SubAuthorityCount = *RtlSubAuthorityCountSid(Sid); for (i=0;i<SubAuthorityCount ;i++ ) { printf("-%lu", (*RtlSubAuthoritySid(Sid, i))); } printf("\n");
}
}
VOIDInitVars(){ ULONG SidWithZeroSubAuthorities; ULONG SidWithOneSubAuthority; ULONG SidWithThreeSubAuthorities; ULONG SidWithFourSubAuthorities;
SID_IDENTIFIER_AUTHORITY NullSidAuthority = SECURITY_NULL_SID_AUTHORITY; SID_IDENTIFIER_AUTHORITY WorldSidAuthority = SECURITY_WORLD_SID_AUTHORITY; SID_IDENTIFIER_AUTHORITY LocalSidAuthority = SECURITY_LOCAL_SID_AUTHORITY; SID_IDENTIFIER_AUTHORITY CreatorSidAuthority = SECURITY_CREATOR_SID_AUTHORITY;
SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
//
// The following SID sizes need to be allocated
//
SidWithZeroSubAuthorities = RtlLengthRequiredSid( 0 ); SidWithOneSubAuthority = RtlLengthRequiredSid( 1 ); SidWithThreeSubAuthorities = RtlLengthRequiredSid( 3 ); SidWithFourSubAuthorities = RtlLengthRequiredSid( 4 );
//
// Allocate and initialize the universal SIDs
//
NullSid = (PSID)malloc(SidWithOneSubAuthority); WorldSid = (PSID)malloc(SidWithOneSubAuthority); LocalSid = (PSID)malloc(SidWithOneSubAuthority); CreatorOwnerSid = (PSID)malloc(SidWithOneSubAuthority);
RtlInitializeSid( NullSid, &NullSidAuthority, 1 ); RtlInitializeSid( WorldSid, &WorldSidAuthority, 1 ); RtlInitializeSid( LocalSid, &LocalSidAuthority, 1 ); RtlInitializeSid( CreatorOwnerSid, &CreatorSidAuthority, 1 );
*(RtlSubAuthoritySid( NullSid, 0 )) = SECURITY_NULL_RID; *(RtlSubAuthoritySid( WorldSid, 0 )) = SECURITY_WORLD_RID; *(RtlSubAuthoritySid( LocalSid, 0 )) = SECURITY_LOCAL_RID; *(RtlSubAuthoritySid( CreatorOwnerSid, 0 )) = SECURITY_CREATOR_OWNER_RID;
//
// Allocate and initialize the NT defined SIDs
//
NtAuthoritySid = (PSID)malloc(SidWithZeroSubAuthorities); DialupSid = (PSID)malloc(SidWithOneSubAuthority); NetworkSid = (PSID)malloc(SidWithOneSubAuthority); BatchSid = (PSID)malloc(SidWithOneSubAuthority); InteractiveSid = (PSID)malloc(SidWithOneSubAuthority); LocalSystemSid = (PSID)malloc(SidWithOneSubAuthority);
RtlInitializeSid( NtAuthoritySid, &NtAuthority, 0 ); RtlInitializeSid( DialupSid, &NtAuthority, 1 ); RtlInitializeSid( NetworkSid, &NtAuthority, 1 ); RtlInitializeSid( BatchSid, &NtAuthority, 1 ); RtlInitializeSid( InteractiveSid, &NtAuthority, 1 ); RtlInitializeSid( LocalSystemSid, &NtAuthority, 1 );
*(RtlSubAuthoritySid( DialupSid, 0 )) = SECURITY_DIALUP_RID; *(RtlSubAuthoritySid( NetworkSid, 0 )) = SECURITY_NETWORK_RID; *(RtlSubAuthoritySid( BatchSid, 0 )) = SECURITY_BATCH_RID; *(RtlSubAuthoritySid( InteractiveSid, 0 )) = SECURITY_INTERACTIVE_RID; *(RtlSubAuthoritySid( LocalSystemSid, 0 )) = SECURITY_LOCAL_SYSTEM_RID;
return;
}
�VOIDPrintAcl ( IN PACL Acl )
/*++
Routine Description:
This routine dumps an Acl for debug purposes (via printf). It is specialized to dump standard aces.
Arguments:
Acl - Supplies the Acl to dump
Return Value:
None
--*/
{ ULONG i; PKNOWN_ACE Ace; BOOLEAN KnownType; PCHAR AceTypes[] = { "Access Allowed", "Access Denied ", "System Audit ", "System Alarm " };
if (Acl == NULL) {
printf("\tAcl == ALL ACCESS GRANTED!\n"); return;
}
//
// Dump the Acl header
//
printf("\tRevision: %02x", Acl->AclRevision); printf(" Size: %04x", Acl->AclSize); printf(" AceCount: %04x\n", Acl->AceCount);
//
// Now for each Ace we want do dump it
//
for (i = 0, Ace = FirstAce(Acl); i < Acl->AceCount; i++, Ace = NextAce(Ace) ) {
//
// print out the ace header
//
printf("\n\tAceHeader: %08lx ", *(PULONG)Ace);
//
// special case on the standard ace types
//
if ((Ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) || (Ace->Header.AceType == ACCESS_DENIED_ACE_TYPE) || (Ace->Header.AceType == SYSTEM_AUDIT_ACE_TYPE) || (Ace->Header.AceType == SYSTEM_ALARM_ACE_TYPE)) {
//
// The following array is indexed by ace types and must
// follow the allowed, denied, audit, alarm seqeuence
//
PCHAR AceTypes[] = { "Access Allowed", "Access Denied ", "System Audit ", "System Alarm " };
printf(AceTypes[Ace->Header.AceType]); PrintAccessMask(Ace->Mask); KnownType = TRUE;
} else {
KnownType = FALSE; printf(" Unknown Ace Type\n");
}
printf("\n");
printf("\tAceSize = %d\n",Ace->Header.AceSize);
printf("\tAce Flags = "); if (Ace->Header.AceFlags & OBJECT_INHERIT_ACE) { printf("OBJECT_INHERIT_ACE\n"); printf(" "); }
if (Ace->Header.AceFlags & CONTAINER_INHERIT_ACE) { printf("CONTAINER_INHERIT_ACE\n"); printf(" "); }
if (Ace->Header.AceFlags & NO_PROPAGATE_INHERIT_ACE) { printf("NO_PROPAGATE_INHERIT_ACE\n"); printf(" "); }
if (Ace->Header.AceFlags & INHERIT_ONLY_ACE) { printf("INHERIT_ONLY_ACE\n"); printf(" "); }
if (Ace->Header.AceFlags & SUCCESSFUL_ACCESS_ACE_FLAG) { printf("SUCCESSFUL_ACCESS_ACE_FLAG\n"); printf(" "); }
if (Ace->Header.AceFlags & FAILED_ACCESS_ACE_FLAG) { printf("FAILED_ACCESS_ACE_FLAG\n"); printf(" "); }
printf("\n");
printf("\tSid = "); DisplayAccountSid(&Ace->SidStart); }
}
�VOIDPrintAccessMask( IN ACCESS_MASK AccessMask ){ printf("\n\tAccess Mask: ");
if (AccessMask == KEY_ALL_ACCESS) { printf("KEY_ALL_ACCESS\n\t "); return; } if (AccessMask == KEY_READ) { printf("KEY_READ\n\t "); return; } if (AccessMask == KEY_WRITE) { printf("KEY_WRITE\n\t "); return; }
if (AccessMask & KEY_QUERY_VALUE) { printf("KEY_QUERY_VALUE\n\t "); } if (AccessMask & KEY_SET_VALUE) { printf("KEY_SET_VALUE\n\t "); } if (AccessMask & KEY_CREATE_SUB_KEY) { printf("KEY_CREATE_SUB_KEY\n\t "); } if (AccessMask & KEY_ENUMERATE_SUB_KEYS) { printf("KEY_ENUMERATE_SUB_KEYS\n\t "); } if (AccessMask & KEY_NOTIFY) { printf("KEY_NOTIFY\n\t "); } if (AccessMask & KEY_CREATE_LINK) { printf("KEY_CREATE_LINK\n\t "); } if (AccessMask & GENERIC_ALL) { printf("GENERIC_ALL\n\t "); } if (AccessMask & GENERIC_EXECUTE) { printf("GENERIC_EXECUTE\n\t "); } if (AccessMask & GENERIC_WRITE) { printf("GENERIC_WRITE\n\t "); } if (AccessMask & GENERIC_READ) { printf("GENERIC_READ\n\t "); } if (AccessMask & GENERIC_READ) { printf("GENERIC_READ\n\t "); } if (AccessMask & MAXIMUM_ALLOWED) { printf("MAXIMUM_ALLOWED\n\t "); } if (AccessMask & ACCESS_SYSTEM_SECURITY) { printf("ACCESS_SYSTEM_SECURITY\n\t "); } if (AccessMask & WRITE_OWNER) { printf("WRITE_OWNER\n\t "); } if (AccessMask & WRITE_DAC) { printf("WRITE_DAC\n\t "); } if (AccessMask & READ_CONTROL) { printf("READ_CONTROL\n\t "); } if (AccessMask & DELETE) { printf("DELETE\n\t "); }}
|
