|
|
/*++
Copyright (c) 1990 Microsoft Corporation
Module Name:
obdir.c
Abstract:
Utility to obtain a directory of Object Manager Directories for NT.
Author:
Darryl E. Havens (DarrylH) 9-Nov-1990
Revision History:
--*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h>
#include <windows.h>
#include <malloc.h>
#include <ntlsa.h>
#define BUFFERSIZE 1024
#define Error(N,S) { \
printf(#S); \ printf(" Error %08lX\n", S); \ }
typedef struct _TYPEINFO { PWSTR pszName; char * * AccessRights; DWORD NumberRights;} TYPEINFO, * PTYPEINFO;
�////////////////////////////////////////////////////////
// //
// Internal Prototypes //
// //
////////////////////////////////////////////////////////
BOOLEANEnableAllPrivileges( VOID );
VOIDQueryDirectory( IN PSTRING DirectoryName );
NTSTATUSOpenObject( IN HANDLE Root, IN PWCHAR Type, IN PWCHAR Name, IN ACCESS_MASK DesiredAccess, OUT PHANDLE Object );
VOIDOpenAndDisplaySacl( IN HANDLE Root, IN PWCHAR Type, IN PWCHAR Name );
VOIDQueryAndDisplaySacl( IN HANDLE Object, IN PWSTR Type
);
NTSTATUSDisplaySacl( PSECURITY_DESCRIPTOR SD, IN PWSTR Type );
VOIDOpenAndDisplayDacl( IN HANDLE Root, IN PWCHAR Type, IN PWCHAR Name );
VOIDQueryAndDisplayDacl( IN HANDLE Object, IN PWSTR Type );
NTSTATUSDisplayDacl( PSECURITY_DESCRIPTOR SD, IN PWSTR Type );
VOIDDumpAce( PACE_HEADER Ace, BOOLEAN AclIsDacl, PTYPEINFO TypeInfo );
VOIDDumpStandardAceInfo( PACE_HEADER Ace, BOOLEAN AclIsDacl, PTYPEINFO TypeInfo );
VOIDDisplaySid( IN PSID Sid );
VOIDConnectToLsa( VOID );
VOIDUsage( VOID );
�////////////////////////////////////////////////////////
// //
// Global Variables //
// //
////////////////////////////////////////////////////////
UCHAR Buffer[BUFFERSIZE];
LSA_HANDLE LsaHandle;
BOOLEAN CompoundLineOutput = FALSE; DumpDacl = FALSE; // May be changed by command parameter
DumpDaclFull = FALSE; // May be changed by command parameter
DumpSacl = FALSE; // May be changed by command parameter
DumpSaclFull = FALSE; // May be changed by command parameter
char * AccessMask[] = { "Delete", "ReadControl", "WriteDac", "WriteOwner", "Synch", "", "", "", "Sacl", "MaxAllowed", "", "", "GenericAll", "GenericExec", "GenericWrite", "GenericRead"};
char * TokenRights[] = {"AssignPrimary", "Duplicate", "Impersonate", "Query", "QuerySource", "AdjustPriv", "AdjustGroup", "AdjustDef" };
char * KeyRights[] = { "QueryValue", "SetValue", "CreateSubKey", "EnumSubKey", "Notify", "CreateLink", "", "" };
char * EventRights[] = {"QueryState", "ModifyState" };
char * MutantRights[]={ "QueryState" };
char * SemaphoreRights[] = { "QueryState", "ModifyState" };
char * TimerRights[] = {"QueryState", "ModifyState" };
char * ProfileRights[]={"Control"};
char * ProcessRights[]={"Terminate", "CreateThread", "", "VMOp", "VMRead", "VMWrite", "DupHandle", "CreateProcess", "SetQuota", "SetInfo", "QueryInfo", "SetPort" };
char * ThreadRights[] ={"Terminate", "Suspend", "Alert", "GetContext", "SetContext", "SetInfo", "QueryInfo", "SetToken", "Impersonate", "DirectImpersonate" };
char * SectionRights[]={"Query", "MapWrite", "MapRead", "MapExecute", "Extend"};
char * FileRights[] = { "Read/List", "Write/Add", "Append/SubDir/CreatePipe", "ReadEA", "WriteEA", "Execute/Traverse", "DelChild", "ReadAttr", "WriteAttr"};
char * PortRights[] = { "Connect" };
char * DirRights[] = { "Query", "Traverse", "Create", "CreateSubdir" };
char * SymLinkRights[]={"Query" };
char * WinstaRights[]={ "EnumDesktops", "ReadAttr", "Clipboard", "CreateDesktop", "WriteAttr", "GlobalAtom", "ExitWindows", "", "Enumerate", "ReadScreen" };
char * DesktopRights[]={"ReadObjects", "CreateWindow", "CreateMenu", "HookControl", "JournalRecord", "JournalPlayback", "Enumerate", "WriteObjects", "SwitchDesktop" };
char * CompletionRights[] = { "Query", "Modify" };
char * ChannelRights[] = { "ReadMessage", "WriteMessage", "Query", "SetInfo" };
char * JobRights[] = { "AssignProcess", "SetAttr", "Query", "Terminate", "SetSecAttr" };
#define TYPE_NONE 0
#define TYPE_EVENT 1
#define TYPE_SECTION 2
#define TYPE_FILE 3
#define TYPE_PORT 4
#define TYPE_DIRECTORY 5
#define TYPE_LINK 6
#define TYPE_MUTANT 7
#define TYPE_WINSTA 8
#define TYPE_SEM 9
#define TYPE_KEY 10
#define TYPE_TOKEN 11
#define TYPE_PROCESS 12
#define TYPE_THREAD 13
#define TYPE_DESKTOP 14
#define TYPE_COMPLETE 15
#define TYPE_CHANNEL 16
#define TYPE_TIMER 17
#define TYPE_JOB 18
#define TYPE_WPORT 19
#define TYPE_MAX 20
LPWSTR pszTypeNames[TYPE_MAX] = { L"None", L"Event", L"Section", L"File", L"Port", L"Directory", L"SymbolicLink", L"Mutant", L"WindowStation", L"Semaphore", L"Key", L"Token", L"Process", L"Thread", L"Desktop", L"IoCompletion", L"Channel", L"Timer", L"Job", L"WaitablePort" };
TYPEINFO TypeNames[TYPE_MAX] = { { L"Unknown", NULL, 0 }, { L"Event", EventRights, 2 }, { L"Section", SectionRights, 5 }, { L"File", FileRights, 9 }, { L"Port", PortRights, 1 }, { L"Directory", DirRights, 4 }, { L"SymbolicLink", SymLinkRights, 1 }, { L"Mutant", MutantRights, 2 }, { L"WindowStation", WinstaRights, 10 }, { L"Semaphore", SemaphoreRights, 2 }, { L"Key", KeyRights, 6 }, { L"Token", TokenRights, 8 }, { L"Process", ProcessRights, 12 }, { L"Thread", ThreadRights, 10 }, { L"Desktop", DesktopRights, 10 }, { L"IoCompletion", CompletionRights, 2 }, { L"Channel", ChannelRights, 4 }, { L"Timer", TimerRights, 2 }, { L"Job", JobRights, 5 }, { L"WaitablePort", PortRights, 1 } };
DWORDGetObjectTypeIndex( PWSTR TypeName ){ DWORD i;
for ( i = 1 ; i < TYPE_MAX ; i++ ) { if (_wcsicmp( TypeNames[i].pszName, TypeName ) == 0 ) { return( i ); } }
return( 0 );}
VOID DisplayFlags( ULONG Flags, ULONG FlagLimit, char *flagset[], ULONG Indent, ULONG LineBreak, ULONG BufferSize, UCHAR * buffer){ char * offset; char * limit ; char * linelimit ; DWORD mask, test, i, flagsize ; DWORD scratch;
if ( LineBreak > BufferSize ) { strcpy( (CHAR *)buffer, "Invalid Parameter"); return; }
mask = 0; offset = (CHAR *) buffer; test = 1;
limit = offset + BufferSize ;
if ( LineBreak ) { linelimit = offset + LineBreak ; } else {
linelimit = limit ; }
if ( linelimit > limit ) { linelimit = limit ; }
memset(offset, ' ', Indent); offset += Indent ;
if (!Flags) { strcpy( offset, "None"); return; }
for ( i = 0 ; i < FlagLimit ; i++ ) { if ( ( Flags & test ) != 0 ) { //
// Found a flag set in the flag word. Try to write the text
// form into the buffer
//
flagsize = strlen( flagset[ i ] );
if ( offset + flagsize + 2 > limit ) { return; }
if ( offset + flagsize + 2 > linelimit ) { //
// Need to do a linebreak:
//
*offset++ = '\r'; *offset++ = '\n';
if ( LineBreak ) { linelimit = offset + LineBreak ; } else {
linelimit = limit ; }
if ( linelimit > limit ) { linelimit = limit ;
}
memset(offset, ' ', Indent); offset += Indent ;
if ( offset + flagsize + 2 > linelimit ) { *offset++ = '\0'; return; } }
CopyMemory( offset, flagset[ i ], flagsize );
offset += flagsize ;
mask |= test;
if ( ( Flags & (~mask) ) != 0 ) { *offset++ = ' ' ; } }
test <<= 1 ; }
*offset = '\0';
}
�////////////////////////////////////////////////////////
// //
// Routines //
// //
////////////////////////////////////////////////////////
VOID__cdecl main( int argc, char *argv[] ){
STRING String;
int arg;
char *s;
BOOLEAN DirectoryNameArg;
//
// process any qualifiers
//
// All arguments are considered qualifiers until we reach a backslash ("\").
// If we reach a backslash, then that argument is accepted as the last argument
// and it is expected to the the name of the directory to be listed.
//
DirectoryNameArg = FALSE; arg = 1; while (arg < argc) {
s = argv[arg];
if (*s == '\\') { DirectoryNameArg = TRUE; break; // break out of while loop
}
if (*s != '/') { Usage(); return; } s++;
if (*s == 'd') {
//
// Dump DACL qualifier
//
if (DumpDaclFull == TRUE) { printf("\n\n Conflicting qualifiers: /d and /D\n"); Usage(); return; } DumpDacl = TRUE; DumpDaclFull = FALSE; CompoundLineOutput = TRUE;
} else if (*s == 'D') {
//
// Dump DACL qualifier
//
if ((DumpDacl== TRUE) && (DumpDaclFull == FALSE)) { printf("\n\n Conflicting qualifiers: /d and /D\n"); Usage(); return; } DumpDacl = TRUE; DumpDaclFull = TRUE; CompoundLineOutput = TRUE;
} else if (*s == 's') {
//
// Dump SACL qualifier
//
if (DumpSaclFull == TRUE) { printf("\n\n Conflicting qualifiers: /s and /S\n"); Usage(); return; } DumpSacl = TRUE; DumpSaclFull = FALSE; CompoundLineOutput = TRUE;
} else if (*s == 'S') {
//
// Dump SACL qualifier
//
if ((DumpSacl== TRUE) && (DumpSaclFull == FALSE)) { printf("\n\n Conflicting qualifiers: /s and /S\n"); Usage(); return; } DumpSacl = TRUE; DumpSaclFull = TRUE; CompoundLineOutput = TRUE;
} else {
Usage(); return; }
arg++; } // end_while
if (DumpDacl || DumpSacl) { ConnectToLsa(); }
//
// Set up the name of the directory to list
//
if (!DirectoryNameArg) { RtlInitString( &String, "\\" ); } else { RtlInitString( &String, argv[arg] ); }
if (EnableAllPrivileges()) { QueryDirectory( &String ); }}
�WCHAR LinkTargetBuffer[ 1024 ];
typedef struct _DIR_ENTRY { PWSTR Name; PWSTR Type;} DIR_ENTRY, *PDIR_ENTRY;
#define MAX_DIR_ENTRIES 1024
ULONG NumberOfDirEntries;DIR_ENTRY DirEntries[ MAX_DIR_ENTRIES ];
int__cdeclCompareDirEntry( void const *p1, void const *p2 ){ return _wcsicmp( ((PDIR_ENTRY)p1)->Name, ((PDIR_ENTRY)p2)->Name );}
VOIDQueryDirectory( IN PSTRING DirectoryName )//
// DumpDacl and DumpSacl are expected to be set prior to calling this routine.
//
{ NTSTATUS Status; HANDLE DirectoryHandle, LinkHandle; ULONG Context = 0; ULONG i, ReturnedLength; UNICODE_STRING LinkTarget;
POBJECT_DIRECTORY_INFORMATION DirInfo; POBJECT_NAME_INFORMATION NameInfo; OBJECT_ATTRIBUTES Attributes; UNICODE_STRING UnicodeString; ACCESS_MASK ExtraAccess = 0; UNICODE_STRING Match = { 0 }; UNICODE_STRING Separators = { 0 }; USHORT Offset ; ULONG DisplayedEntries = 0 ; BOOLEAN PrefixMatch = FALSE ; BOOLEAN SuffixMatch = FALSE ; ULONG ObjectNameLength ; BOOL PrefixMatched, SuffixMatched ;
//
// Perform initial setup
//
RtlZeroMemory( Buffer, BUFFERSIZE );
if (DumpDacl) { ExtraAccess |= READ_CONTROL; } if (DumpSacl) { ExtraAccess |= ACCESS_SYSTEM_SECURITY; }
//
// Open the directory for list directory access
//
Status = RtlAnsiStringToUnicodeString( &UnicodeString, DirectoryName, TRUE ); ASSERT( NT_SUCCESS( Status ) ); InitializeObjectAttributes( &Attributes, &UnicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL ); Status = NtOpenDirectoryObject( &DirectoryHandle, DIRECTORY_QUERY | ExtraAccess, &Attributes );
if ( ( Status == STATUS_OBJECT_TYPE_MISMATCH ) || ( Status == STATUS_OBJECT_NAME_NOT_FOUND ) || ( Status == STATUS_OBJECT_PATH_NOT_FOUND ) ) {
RtlInitUnicodeString( &Separators, L"\\" );
Status = RtlFindCharInUnicodeString( RTL_FIND_CHAR_IN_UNICODE_STRING_START_AT_END, &UnicodeString, &Separators, &Offset );
if ( NT_SUCCESS( Status ) ) { UnicodeString.Length = Offset ; RtlInitUnicodeString( &Match, UnicodeString.Buffer + ((Offset + 2) / sizeof( WCHAR ) ) );
if ( Match.Buffer[ 0 ] == L'*' ) { Match.Buffer++ ; Match.Length -= sizeof( WCHAR ); SuffixMatch = TRUE ; }
if ( Match.Buffer[ Match.Length / sizeof( WCHAR ) - 1 ] == L'*' ) { Match.Buffer[ Match.Length / sizeof( WCHAR ) - 1 ] = L'\0'; Match.Length -= sizeof( WCHAR ); PrefixMatch = TRUE ; }
if ( PrefixMatch && SuffixMatch ) { printf("Too complicated a search\n" ); return; }#if DBG
printf("Searching for %c%ws%c\n", (SuffixMatch ? '*' : ' '), Match.Buffer, (PrefixMatch ? '*' : ' ') );#endif
Status = NtOpenDirectoryObject( &DirectoryHandle, DIRECTORY_QUERY | ExtraAccess, &Attributes );
}
}
if (!NT_SUCCESS( Status )) {
if (Status == STATUS_OBJECT_TYPE_MISMATCH) {
printf( "%Z is not a valid Object Directory Object name\n", DirectoryName ); } else { Error( OpenDirectory, Status ); }
return; }
//
// Get the actual name of the object directory object.
//
NameInfo = (POBJECT_NAME_INFORMATION) &Buffer[0]; if (!NT_SUCCESS( Status = NtQueryObject( DirectoryHandle, ObjectNameInformation, NameInfo, BUFFERSIZE, (PULONG) NULL ) )) { printf( "Unexpected error obtaining actual object directory name\n" ); printf( "Error was: %X\n", Status ); return; }
//
// Output initial informational message
//
printf( "Directory of: %wZ\n", &NameInfo->Name );
if ( Match.Length == 0 ) { if (DumpDacl) { QueryAndDisplayDacl( DirectoryHandle, L"Directory" ); } if (DumpSacl) { QueryAndDisplaySacl( DirectoryHandle, L"Directory" ); } printf( "\n" ); }
//
// Query the entire directory in one sweep
//
NumberOfDirEntries = 0; for (Status = NtQueryDirectoryObject( DirectoryHandle, &Buffer, BUFFERSIZE, FALSE, FALSE, &Context, &ReturnedLength ); NT_SUCCESS( Status ); Status = NtQueryDirectoryObject( DirectoryHandle, &Buffer, BUFFERSIZE, FALSE, FALSE, &Context, &ReturnedLength ) ) {
//
// Check the status of the operation.
//
if (!NT_SUCCESS( Status )) { if (Status != STATUS_NO_MORE_FILES) { Error( Status, Status ); } break; }
//
// For every record in the buffer type out the directory information
//
//
// Point to the first record in the buffer, we are guaranteed to have
// one otherwise Status would have been No More Files
//
DirInfo = (POBJECT_DIRECTORY_INFORMATION) &Buffer[0];
while (TRUE) {
//
// Check if there is another record. If there isn't, then get out
// of the loop now
//
if (DirInfo->Name.Length == 0) { break; }
//
// Print out information about the file
//
if (NumberOfDirEntries >= MAX_DIR_ENTRIES) { printf( "OBJDIR: Too many directory entries.\n" ); exit( 1 ); }
DirEntries[ NumberOfDirEntries ].Name = RtlAllocateHeap( RtlProcessHeap(), HEAP_ZERO_MEMORY, DirInfo->Name.Length + sizeof( UNICODE_NULL ) ); DirEntries[ NumberOfDirEntries ].Type = RtlAllocateHeap( RtlProcessHeap(), HEAP_ZERO_MEMORY, DirInfo->TypeName.Length + sizeof( UNICODE_NULL ) ); memmove( DirEntries[ NumberOfDirEntries ].Name, DirInfo->Name.Buffer, DirInfo->Name.Length ); memmove( DirEntries[ NumberOfDirEntries ].Type, DirInfo->TypeName.Buffer, DirInfo->TypeName.Length );
NumberOfDirEntries++;
//
// There is another record so advance DirInfo to the next entry
//
DirInfo = (POBJECT_DIRECTORY_INFORMATION) (((PUCHAR) DirInfo) + sizeof( OBJECT_DIRECTORY_INFORMATION ) );
}
RtlZeroMemory( Buffer, BUFFERSIZE );
}
qsort( DirEntries, NumberOfDirEntries, sizeof( DIR_ENTRY ), CompareDirEntry ); for (i=0; i<NumberOfDirEntries; i++) {
if ( Match.Length ) { ObjectNameLength = wcslen( DirEntries[ i ].Name );
if ( PrefixMatch ) { PrefixMatched = _wcsnicmp( DirEntries[ i ].Name, Match.Buffer, Match.Length / sizeof( WCHAR ) ) == 0 ; }
if ( SuffixMatch ) { if ( ObjectNameLength >= Match.Length / sizeof( WCHAR ) ) { SuffixMatched = _wcsnicmp( DirEntries[ i ].Name + ( ObjectNameLength - (Match.Length / sizeof( WCHAR ) )), Match.Buffer, Match.Length / sizeof( WCHAR) ) == 0 ; } else { SuffixMatched = FALSE ; } }
if ( SuffixMatch && !SuffixMatched ) { continue; }
if ( PrefixMatch && !PrefixMatched ) { continue; }
if ( (!SuffixMatch) && (!PrefixMatch) && _wcsicmp( Match.Buffer, DirEntries[ i ].Name ) ) { continue; } }
DisplayedEntries++ ;
printf( "%-32ws ", DirEntries[ i ].Name); if (CompoundLineOutput) { printf("\n "); } printf( "%ws", DirEntries[ i ].Type );
if (!wcscmp( DirEntries[ i ].Type, L"SymbolicLink" )) { RtlInitUnicodeString( &UnicodeString, DirEntries[ i ].Name ); InitializeObjectAttributes( &Attributes, &UnicodeString, OBJ_CASE_INSENSITIVE, DirectoryHandle, NULL ); Status = NtOpenSymbolicLinkObject( &LinkHandle, SYMBOLIC_LINK_QUERY, &Attributes ); if (NT_SUCCESS( Status )) { LinkTarget.Buffer = LinkTargetBuffer; LinkTarget.Length = 0; LinkTarget.MaximumLength = sizeof( LinkTargetBuffer ); Status = NtQuerySymbolicLinkObject( LinkHandle, &LinkTarget, NULL ); NtClose( LinkHandle ); }
if (!NT_SUCCESS( Status )) { printf( " - unable to query link target (Status == %09X)\n", Status ); } else { printf( " - %wZ\n", &LinkTarget ); } } else { printf( "\n" ); }
if (DumpDacl) { OpenAndDisplayDacl( DirectoryHandle, DirEntries[ i ].Type, DirEntries[ i ].Name); } if (DumpSacl) { OpenAndDisplaySacl( DirectoryHandle, DirEntries[ i ].Type, DirEntries[ i ].Name); } }
//
// Output final messages
//
if ( Match.Length != 0 ) { if ( DisplayedEntries == 0 ) { printf("not found\n" ); } else if ( DisplayedEntries == 1 ) { printf("\n1 entry\n" ); } else {
printf("\n%ld entries\n", DisplayedEntries ); } } else {
if (NumberOfDirEntries == 0) { printf( "no entries\n" ); } else if (NumberOfDirEntries == 1) { printf( "\n1 entry\n" ); } else { printf( "\n%ld entries\n", NumberOfDirEntries ); }
}
//
// Now close the directory object
//
(VOID) NtClose( DirectoryHandle );
//
// And return to our caller
//
return;
}
�BOOLEANEnableAllPrivileges( VOID )/*++
Routine Description:
This routine enables all privileges in the token.
If we are being asked to dump SACLs then we will check to make sure we have SE_SECURITY_PRIVILEGE enabled too.
Arguments:
None.
Return Value:
None.
--*/{ HANDLE Token; ULONG ReturnLength, Index; PTOKEN_PRIVILEGES NewState; BOOLEAN Result; LUID SecurityPrivilege;
SecurityPrivilege = RtlConvertLongToLuid(SE_SECURITY_PRIVILEGE);
Token = NULL; NewState = NULL;
Result = (OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &Token ) ? 1 : 0); if (Result) { ReturnLength = 4096; NewState = malloc( ReturnLength ); Result = (BOOLEAN)(NewState != NULL); if (Result) { Result = (GetTokenInformation( Token, // TokenHandle
TokenPrivileges, // TokenInformationClass
NewState, // TokenInformation
ReturnLength, // TokenInformationLength
&ReturnLength // ReturnLength
) ? 1 : 0);
if (Result) { //
// Set the state settings so that all privileges are enabled...
//
if (DumpSacl) { Result = FALSE; }
if (NewState->PrivilegeCount > 0) { for (Index = 0; Index < NewState->PrivilegeCount; Index++ ) { NewState->Privileges[Index].Attributes = SE_PRIVILEGE_ENABLED; if (RtlEqualLuid(&NewState->Privileges[Index].Luid, &SecurityPrivilege )) { Result = TRUE; } } } if (!Result) { // Don't have privilege to dump SACL
ASSERT(DumpSacl);
printf("\n\n You do not have sufficient privilege to display SACLs.\n\n"); } else { Result = (AdjustTokenPrivileges( Token, // TokenHandle
FALSE, // DisableAllPrivileges
NewState, // NewState (OPTIONAL)
ReturnLength, // BufferLength
NULL, // PreviousState (OPTIONAL)
&ReturnLength // ReturnLength
) ? 1 : 0); if (!Result) { DbgPrint( "AdjustTokenPrivileges( %lx ) failed - %u\n", Token, GetLastError() ); } } } else { DbgPrint( "GetTokenInformation( %lx ) failed - %u\n", Token, GetLastError() ); } } else { DbgPrint( "malloc( %lx ) failed - %u\n", ReturnLength, GetLastError() ); } } else { DbgPrint( "OpenProcessToken( %lx ) failed - %u\n", GetCurrentProcess(), GetLastError() ); }
if (NewState != NULL) { free( NewState ); }
if (Token != NULL) { CloseHandle( Token ); }
return( Result );}
�NTSTATUSOpenObject( IN HANDLE Root, IN PWCHAR Type, IN PWCHAR Name, IN ACCESS_MASK DesiredAccess, OUT PHANDLE Object )
{ NTSTATUS Status, IgnoreStatus;
UNICODE_STRING UnicodeName;
OBJECT_ATTRIBUTES Attributes;
IO_STATUS_BLOCK Iosb;
RtlInitUnicodeString( &UnicodeName, Name ); InitializeObjectAttributes( &Attributes, &UnicodeName, OBJ_CASE_INSENSITIVE, Root, NULL );
//
// This is effectively a big switch statement of object types
// that we know how to open...
//
if (!wcscmp( Type, L"SymbolicLink" )) {
Status = NtOpenSymbolicLinkObject( Object, DesiredAccess, &Attributes );
} else if (!wcscmp( Type, L"Device" )) {
Status = NtOpenFile( Object, DesiredAccess, &Attributes, &Iosb, 0, 0 );
} else if (!wcscmp( Type, L"Event" )) {
Status = NtOpenEvent( Object, DesiredAccess, &Attributes );
} else if (!wcscmp( Type, L"EventPair" )) {
Status = NtOpenEventPair( Object, DesiredAccess, &Attributes );
} else if (!wcscmp( Type, L"Mutant" )) {
Status = NtOpenMutant( Object, DesiredAccess, &Attributes );
} else if (!wcscmp( Type, L"Timer" )) {
Status = NtOpenTimer( Object, DesiredAccess, &Attributes );
} else if (!wcscmp( Type, L"Semaphore" )) {
Status = NtOpenSemaphore( Object, DesiredAccess, &Attributes );
} else if (!wcscmp( Type, L"Section" )) {
Status = NtOpenSection( Object, DesiredAccess, &Attributes );
} else if (!wcscmp( Type, L"Directory" )) {
Status = NtOpenDirectoryObject( Object, DesiredAccess, &Attributes );
} else if (!wcscmp( Type, L"Process" )) {
Status = NtOpenProcess( Object, DesiredAccess, &Attributes, NULL );
} else if (!wcscmp( Type, L"Job" )) {
Status = NtOpenJobObject( Object, DesiredAccess, &Attributes );
} else if (!wcscmp( Type, L"WindowStation" )) {
*Object = OpenWindowStationW( Name, FALSE, DesiredAccess );
if (*Object) { Status = STATUS_SUCCESS; } else { Status = STATUS_ACCESS_DENIED; }
} else if (!wcscmp( Type, L"Desktop" )) {
*Object = OpenDesktopW( Name, 0, FALSE, DesiredAccess );
if (*Object) { Status = STATUS_SUCCESS; } else { Status = STATUS_ACCESS_DENIED; }
} else {
//
// this utility doesn't yet support opening this type of object
//
Status = STATUS_NOT_SUPPORTED; }
return(Status);}
�VOIDOpenAndDisplaySacl( IN HANDLE Root, IN PWCHAR Type, IN PWCHAR Name )
{ NTSTATUS Status, IgnoreStatus;
HANDLE Object;
Status = OpenObject( Root, Type, Name, ACCESS_SYSTEM_SECURITY, &Object);
if (NT_SUCCESS(Status)) {
QueryAndDisplaySacl( Object, Type ); IgnoreStatus = NtClose( Object ); ASSERT(NT_SUCCESS(IgnoreStatus)); }
if (!NT_SUCCESS(Status)) { if (Status == STATUS_NOT_SUPPORTED) { printf(" Utility doesn't yet query SACLs for this type of object.\n\n"); } else { printf(" Error attempting to query SACL: 0x%lx.\n\n", Status); } } return;}
�VOIDQueryAndDisplaySacl( IN HANDLE Object, IN PWSTR Type ){ NTSTATUS Status;
PSECURITY_DESCRIPTOR SD;
ULONG LengthNeeded, TypeIndex ;
Status = NtQuerySecurityObject( Object, SACL_SECURITY_INFORMATION, NULL, 0, &LengthNeeded ); ASSERT(!NT_SUCCESS(Status));
if (Status == STATUS_BUFFER_TOO_SMALL) {
SD = RtlAllocateHeap( RtlProcessHeap(), 0, LengthNeeded ); if (SD == NULL) { Status = STATUS_NO_MEMORY; } else {
Status = NtQuerySecurityObject( Object, SACL_SECURITY_INFORMATION, SD, LengthNeeded, &LengthNeeded ); if (NT_SUCCESS(Status)) {
//
// Display the SACL
//
Status = DisplaySacl( SD, Type ); } } } return;}
�NTSTATUSDisplaySacl( PSECURITY_DESCRIPTOR SD, PWSTR Type )/*++
Routine Description:
This function dumps out a SACL
If an error status is returned, then the caller is responsible for printing a message.
--*/{ NTSTATUS Status;
BOOLEAN AclPresent, AclDefaulted;
PACL Acl;
ACL_SIZE_INFORMATION AclInfo;
ULONG i;
PACE_HEADER Ace;
ULONG TypeIndex ;
TypeIndex = GetObjectTypeIndex( Type );
Status = RtlGetSaclSecurityDescriptor ( SD, &AclPresent, &Acl, &AclDefaulted );
if (NT_SUCCESS(Status)) {
printf(" SACL - "); if (!AclPresent) { printf("No SACL present on object\n"); } else {
if (AclDefaulted) { printf("SACL Defaulted flag set\n "); }
if (Acl == NULL) { printf("NULL SACL - no auditing performed.\n"); } else { Status = RtlQueryInformationAcl ( Acl, &AclInfo, sizeof(ACL_SIZE_INFORMATION), AclSizeInformation); ASSERT(NT_SUCCESS(Status));
if (AclInfo.AceCount == 0) { printf("No ACEs in ACL, Auditing performed.\n"); } else { printf("\n"); for (i=0; i<AclInfo.AceCount; i++) {
Status = RtlGetAce( Acl, i, &Ace ); ASSERT(NT_SUCCESS(Status));
printf(" Ace[%2d] - ", i); DumpAce( Ace, FALSE, &TypeNames[ TypeIndex ] ); printf("\n"); } } } } } printf("\n");
return(Status);
}
�VOIDOpenAndDisplayDacl( IN HANDLE Root, IN PWCHAR Type, IN PWCHAR Name )
{ NTSTATUS Status, IgnoreStatus;
HANDLE Object;
ULONG TypeIndex ;
Status = OpenObject( Root, Type, Name, READ_CONTROL, &Object);
if (NT_SUCCESS(Status)) { QueryAndDisplayDacl( Object, Type );
IgnoreStatus = NtClose( Object );
ASSERT(NT_SUCCESS(IgnoreStatus)); }
if (!NT_SUCCESS(Status)) { if (Status == STATUS_ACCESS_DENIED) { printf(" Protection on object prevented querying the DACL.\n\n"); } else if (Status == STATUS_NOT_SUPPORTED) { printf(" Utility doesn't yet query DACLs for this type of object.\n\n"); } else { printf(" Error attempting to query DACL: 0x%lx.\n\n", Status); } } return;}
�VOIDQueryAndDisplayDacl( IN HANDLE Object, IN PWSTR Type ){ NTSTATUS Status;
PSECURITY_DESCRIPTOR SD;
ULONG LengthNeeded;
Status = NtQuerySecurityObject( Object, DACL_SECURITY_INFORMATION, NULL, 0, &LengthNeeded ); ASSERT(!NT_SUCCESS(Status));
if (Status == STATUS_BUFFER_TOO_SMALL) {
SD = RtlAllocateHeap( RtlProcessHeap(), 0, LengthNeeded ); if (SD == NULL) { Status = STATUS_NO_MEMORY; } else {
Status = NtQuerySecurityObject( Object, DACL_SECURITY_INFORMATION, SD, LengthNeeded, &LengthNeeded ); if (NT_SUCCESS(Status)) {
//
// Display the DACL
//
Status = DisplayDacl( SD, Type ); } } } return;}
�NTSTATUSDisplayDacl( PSECURITY_DESCRIPTOR SD, PWSTR Type )/*++
Routine Description:
This function dumps out a DACL
If an error status is returned, then the caller is responsible for printing a message.
--*/{ NTSTATUS Status;
BOOLEAN AclPresent, AclDefaulted;
PACL Acl;
ACL_SIZE_INFORMATION AclInfo;
ULONG i;
PACE_HEADER Ace;
ULONG TypeIndex ;
TypeIndex = GetObjectTypeIndex( Type );
Status = RtlGetDaclSecurityDescriptor ( SD, &AclPresent, &Acl, &AclDefaulted );
if (NT_SUCCESS(Status)) {
printf(" DACL - "); if (!AclPresent) { printf("No DACL present on object\n"); } else {
if (AclDefaulted) { printf("DACL Defaulted flag set\n "); }
if (Acl == NULL) { printf("NULL DACL - grants all access to Everyone\n"); } else { Status = RtlQueryInformationAcl ( Acl, &AclInfo, sizeof(ACL_SIZE_INFORMATION), AclSizeInformation); ASSERT(NT_SUCCESS(Status));
if (AclInfo.AceCount == 0) { printf("No ACEs in ACL, Denies all access to everyone\n"); } else { printf("\n"); for (i=0; i<AclInfo.AceCount; i++) {
Status = RtlGetAce( Acl, i, &Ace ); ASSERT(NT_SUCCESS(Status));
printf(" Ace[%2d] - ", i); DumpAce( Ace, TRUE, &TypeNames[ TypeIndex ] ); printf("\n"); } } } } } printf("\n");
return(Status);
}
�VOIDDumpAce( PACE_HEADER Ace, BOOLEAN AclIsDacl, PTYPEINFO TypeInfo )/*++
Routine Description:
This function displays a single ACE
Arguments:
Ace - Points to an ACE.
AclIsDacl - TRUE if acl is a DACL. False if acl is an SACL.
Return Value:
None.
--*/{
if ((Ace->AceFlags & INHERIT_ONLY_ACE) != 0) { printf("Inherit Only - "); }
switch (Ace->AceType) { case ACCESS_ALLOWED_ACE_TYPE:
printf("Grant -"); DumpStandardAceInfo(Ace, AclIsDacl, TypeInfo); break;
case ACCESS_DENIED_ACE_TYPE:
printf("Deny -"); DumpStandardAceInfo(Ace, AclIsDacl, TypeInfo); break;
case SYSTEM_AUDIT_ACE_TYPE:
printf("Audit "); DumpStandardAceInfo(Ace, AclIsDacl, TypeInfo); break;
default: printf(" ** Unknown ACE Type **"); } return;}
�VOIDDumpStandardAceInfo( PACE_HEADER Ace, BOOLEAN AclIsDacl, PTYPEINFO TypeInfo )/*++
Routine Description:
This function dumps out the standard information for a single ACE.
Arguments:
Ace - Points to an ACE_HEADER. The ACE must be one of the known types.
AclIsDacl - TRUE if acl is a DACL. False if acl is an SACL.
Return Value:
None.
--*/{
PACCESS_ALLOWED_ACE Local;
ACCESS_MASK Specific;
CHAR FlagBuffer[ 256 ];
//
// WARNING -
//
// It is assumed that all the known ACE types have their ACCESS_MASK
// and SID fields in the same location as the ACCESS_ALLOWED_ACE.
//
Local = (PACCESS_ALLOWED_ACE)(Ace);
if (Ace->AceType == SYSTEM_AUDIT_ACE_TYPE) { printf("["); if (Ace->AceFlags & SUCCESSFUL_ACCESS_ACE_FLAG) { printf("S"); if (Ace->AceFlags & FAILED_ACCESS_ACE_FLAG) { printf(",F"); } } else if (Ace->AceFlags & FAILED_ACCESS_ACE_FLAG) { printf(" ,F"); } else { printf("Neither Success nor Failure flag set]"); return; } printf("] -"); }
printf(" 0x%lx - ", Local->Mask ); DisplaySid( (PSID)(&Local->SidStart) );
//
// Everything else is only printed for FULL displays
if (AclIsDacl && !DumpDaclFull) { return; } if (!AclIsDacl && !DumpSaclFull) { return; }
//
// Print the inheritance
//
printf("\n Inherit: ");
if ((Ace->AceFlags & INHERIT_ONLY_ACE) != 0) { printf("IO "); }
if ((Ace->AceFlags & OBJECT_INHERIT_ACE) != 0) { printf("OI "); }
if ((Ace->AceFlags & CONTAINER_INHERIT_ACE) != 0) { printf("CI "); }
if ((Ace->AceFlags & NO_PROPAGATE_INHERIT_ACE) != 0) { printf("NPI"); }
//
// Print the accesses
//
Specific = (Local->Mask & 0xFFFF); printf("\n Access: 0x%04lX", Specific);
if ( TypeInfo->NumberRights ) { DisplayFlags( Specific, TypeInfo->NumberRights, TypeInfo->AccessRights, 38, 80, sizeof( Buffer ), (PUCHAR) Buffer );
printf("\n%s\n ", Buffer);
} if (Local->Mask != Specific) { printf(" and ("); }
if ((Local->Mask & DELETE) != 0) { printf(" D"); }
if ((Local->Mask & READ_CONTROL) != 0) { printf(" RCtl"); }
if ((Local->Mask & WRITE_OWNER) != 0) { printf(" WOwn"); }
if ((Local->Mask & WRITE_DAC) != 0) { printf(" WDacl"); } if ((Local->Mask & SYNCHRONIZE) != 0) { printf(" Synch"); } if ((Local->Mask & GENERIC_READ) != 0) { printf(" R"); }
if ((Local->Mask & GENERIC_WRITE) != 0) { printf(" W"); }
if ((Local->Mask & GENERIC_EXECUTE) != 0) { printf(" E"); }
if ((Local->Mask & GENERIC_ALL) != 0) { printf(" ALL"); }
if ((Local->Mask & ACCESS_SYSTEM_SECURITY) != 0) { printf(" ACC_SYS_SEC"); } if ((Local->Mask & MAXIMUM_ALLOWED) != 0) { printf(" MAX_ALLOWED"); }
if (Local->Mask != Specific) { printf(" )"); } printf("\n");
return;}
�VOIDDisplaySid( IN PSID Sid )
/*++
Routine Description:
This function calls LSA to lookup a SID and displays the result.
Arguments:
Sid
Return Value:
None.
--*/{ NTSTATUS Status;
PLSA_REFERENCED_DOMAIN_LIST ReferencedDomains;
PLSA_TRANSLATED_NAME SidName;
ULONG DomainIndex;
UNICODE_STRING SidString;
if (LsaHandle == NULL) { printf("Can't call LSA to lookup sid"); return; }
Status = LsaLookupSids( LsaHandle, 1, &Sid, &ReferencedDomains, &SidName ); if (!NT_SUCCESS(Status)) { RtlConvertSidToUnicodeString( &SidString, Sid, TRUE ); printf("%ws (Unable to translate)", SidString.Buffer ); RtlFreeUnicodeString( &SidString ); return; }
DomainIndex = SidName[0].DomainIndex;
printf("%wZ", &ReferencedDomains->Domains[DomainIndex].Name ); if (ReferencedDomains->Domains[DomainIndex].Name.Length != 0) { printf("\\"); } printf("%wZ", &SidName[0].Name ); LsaFreeMemory( ReferencedDomains ); LsaFreeMemory( SidName ); return;}
�VOIDConnectToLsa( VOID )/*++
Routine Description:
This function connects to LSA in preparation for expected SID lookup calls.
--*/{ NTSTATUS Status;
OBJECT_ATTRIBUTES ObjectAttributes;
InitializeObjectAttributes( &ObjectAttributes, NULL, 0, 0, NULL );
LsaHandle = NULL; Status = LsaOpenPolicy( NULL, // SystemName
&ObjectAttributes, POLICY_LOOKUP_NAMES, // DesiredAccess
&LsaHandle );
if (!NT_SUCCESS(Status)) { LsaHandle = NULL; }
return;}
�VOIDUsage(VOID){ printf("\n\n" " Usage:\n" " objdir [/d | /D] [/s | /S] [<dir_name>]\n\n" " Where:\n" " /d - causes DACLs to be displayed in short form.\n\n" " /D - causes DACLs to be displayed in long form.\n\n" " /s - causes SACLs to be displayed in short form.\n\n" " /S - causes SACLs to be displayed in long form.\n\n" " <dir_name> - is the name of the directory you\n" " would like to see displayed. Default\n" " is the root directory.\n\n" " Examples:\n" " objdir /d\n" " - displays dacls of objects in root directory\n\n" " objdir \\DosDevices\n" " - displays objects in \\DosDevices\n\n" " objdir /d \\BaseNamedObjects\n" " - displays dacls of objects in \\BaseNamedObjects\n\n" " objdir /s /d \\Windows\n" " - displays sacls and dacls of objects in \\Windowss\n\n" " objdir /d \\Windows\\Windowstations\\Service*\n" " - displays dacls of all windowstations beginning with 'service'\n\n" " objdir \\Global??\\w*\n" " - displays objects starting with w in \\Global??\n\n" ); return;}
|
