unit NtUiLib.AutoCompletion.Sid.Common;
{
The module registers additional SID recognizers and name providers, allowing
parsing and representation of some common SIDs.
Parsing:
- NT SERVICE\*
- NT TASK\*
- NT AUTHORITY\LogonSessionId_*_*
- Process Trust\*
Representation:
- Process Trust\*
}
interface
const
  // Domain (authority) names for the account-name forms this unit understands.
  // The first two mirror the names LSA itself uses; the last one is invented by
  // this library to give process-trust SIDs a readable representation.
  SERVICE_SID_DOMAIN = 'NT SERVICE';
  TASK_SID_DOMAIN = 'NT TASK';
  PROCESS_TRUST_DOMAIN = 'Process Trust'; // custom
implementation
uses
Ntapi.WinNt, Ntapi.ntrtl, Ntapi.Versions, NtUtils, NtUtils.Security.Sid,
NtUtils.SysUtils;
{$BOOLEVAL OFF}
{$IFOPT R+}{$DEFINE R+}{$ENDIF}
{$IFOPT Q+}{$DEFINE Q+}{$ENDIF}
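// Recognizes "NT AUTHORITY\LogonSessionId_X_Y" and the shorter
// "LogonSessionId_X_Y" and rebuilds the corresponding S-1-5-5-X-Y SID.
// Returns True and a SID on success; False for any string that is not a
// well-formed logon session name (wrong prefix, missing or empty parts,
// non-numeric parts).
function RtlxLogonSidRecognizer(
  const StringSid: String;
  out Sid: ISid
): Boolean;
const
  FULL_PREFIX = 'NT AUTHORITY\LogonSessionId_';
  SHORT_PREFIX = 'LogonSessionId_';
var
  LogonIdStr: String;
  SplitIndex: Integer;
  LogonIdHighString, LogonIdLowString: String;
  LogonIdHigh, LogonIdLow: Cardinal;
  i: Integer;
begin
  // LSA lookup functions automatically convert S-1-5-5-X-Y to
  // NT AUTHORITY\LogonSessionId_X_Y and then refuse to parse them back.
  // Fix this issue by parsing such strings manually.

  // Check if the string has the logon SID prefix (with or without the
  // domain) and strip it. The short form must be stripped as well: if
  // "LogonSessionId_" were left in place, the underscore search below would
  // stop at the one inside the prefix and the high part ("LogonSessionId")
  // could never parse as a number, so short names were always rejected.
  LogonIdStr := StringSid;

  if not RtlxPrefixStripString(FULL_PREFIX, LogonIdStr) and not
    RtlxPrefixStripString(SHORT_PREFIX, LogonIdStr) then
    Exit(False);

  // Find the underscore between high and low parts
  SplitIndex := -1;

  for i := Low(LogonIdStr) to High(LogonIdStr) do
    if LogonIdStr[i] = '_' then
    begin
      SplitIndex := i;
      Break;
    end;

  if SplitIndex < 0 then
    Exit(False);

  // Split the string. The Low(String) arithmetic keeps this correct under
  // both 1-based and 0-based string indexing.
  LogonIdHighString := Copy(LogonIdStr, 1, SplitIndex - Low(String));
  LogonIdLowString := Copy(LogonIdStr, SplitIndex - Low(String) + 2,
    Length(LogonIdStr) - SplitIndex + Low(String));

  // Parse and construct the SID. Both halves must be non-empty and numeric;
  // RtlxStrToUInt rejects anything else, so "LogonSessionId__5" and
  // "LogonSessionId_abc_5" fall through to False here.
  Result :=
    (Length(LogonIdHighString) > 0) and
    (Length(LogonIdLowString) > 0) and
    RtlxStrToUInt(LogonIdHighString, LogonIdHigh) and
    RtlxStrToUInt(LogonIdLowString, LogonIdLow) and
    RtlxCreateSid(Sid, SECURITY_NT_AUTHORITY,
      [SECURITY_LOGON_IDS_RID, LogonIdHigh, LogonIdLow]).IsSuccess;
end;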
// Recognizes "NT SERVICE\<service name>" and rebuilds the service SID
// locally. Returns False for strings outside the NT SERVICE domain.
function RtlxServiceSidRecognizer(
  const StringSid: String;
  out Sid: ISid
): Boolean;
const
  PREFIX = SERVICE_SID_DOMAIN + '\';
  ALL_SERVICES = 'ALL SERVICES';
var
  Name: String;
begin
  // Service SIDs are deterministically derived from the service name, so no
  // LSA round-trip is needed to reconstruct them.
  Name := StringSid;

  // Anything that does not live under NT SERVICE\ is not ours to parse
  if not RtlxPrefixStripString(PREFIX, Name) then
    Exit(False);

  // "NT SERVICE\ALL SERVICES" is a reserved group with a fixed RID pair
  // rather than a name-derived SID
  if RtlxEqualStrings(Name, ALL_SERVICES) then
    Exit(RtlxCreateSid(Sid, SECURITY_NT_AUTHORITY,
      [SECURITY_SERVICE_ID_BASE_RID, SECURITY_SERVICE_ID_GROUP_RID]).IsSuccess);

  Result := RtlxCreateServiceSid(Name, Sid).IsSuccess;
end;
// Recognizes "NT TASK\<task path>" and rebuilds the scheduled-task SID
// locally. Returns False for strings outside the NT TASK domain or when
// SID creation fails.
function RtlxTaskSidRecognizer(
  const StringSid: String;
  out Sid: ISid
): Boolean;
const
  PREFIX = TASK_SID_DOMAIN + '\';
var
  TaskPath: String;
begin
  // Task SIDs are deterministically derived from the task path name, so
  // they can be reconstructed without asking LSA.
  TaskPath := StringSid;

  if not RtlxPrefixStripString(PREFIX, TaskPath) then
    Exit(False);

  // Task SIDs are virtual-account SIDs under the task base RID
  Result := RtlxCreateVirtualAccountSid(TaskPath, SECURITY_TASK_ID_BASE_RID,
    Sid).IsSuccess;
end;
// Recognizes the custom "Process Trust\None" and
// "Process Trust\<Type> (<Level>)" names produced by RtlxTrustSidProvider
// and rebuilds the process-trust SID. Returns False for any other string.
function RtlxTrustSidRecognizer(
  const SidString: String;
  out Sid: ISid
): Boolean;
const
  PROCESS_TRUST_PREFIX = PROCESS_TRUST_DOMAIN + '\';
var
  Rest: String;
  ProtectionType: TSecurityTrustType;
  ProtectionLevel: TSecurityTrustLevel;

  // Consume the leading "<Type> " token (note the trailing space) and map
  // it to a protection type RID
  function StripProtectionType(
    var S: String;
    out T: TSecurityTrustType
  ): Boolean;
  begin
    Result := True;

    if RtlxPrefixStripString('None ', S) then
      T := SECURITY_PROCESS_PROTECTION_TYPE_NONE_RID
    else if RtlxPrefixStripString('Light ', S) then
      T := SECURITY_PROCESS_PROTECTION_TYPE_LITE_RID
    else if RtlxPrefixStripString('Full ', S) then
      T := SECURITY_PROCESS_PROTECTION_TYPE_FULL_RID
    else
      Result := False;
  end;

  // Map the remaining "(<Level>)" token to a protection level RID; the
  // whole remainder must match, nothing may follow the closing parenthesis
  function ParseProtectionLevel(
    const S: String;
    out L: TSecurityTrustLevel
  ): Boolean;
  begin
    Result := True;

    if RtlxEqualStrings('(None)', S) then
      L := SECURITY_PROCESS_PROTECTION_LEVEL_NONE_RID
    else if RtlxEqualStrings('(Authenticode)', S) then
      L := SECURITY_PROCESS_PROTECTION_LEVEL_AUTHENTICODE_RID
    else if RtlxEqualStrings('(Antimalware)', S) then
      L := SECURITY_PROCESS_PROTECTION_LEVEL_ANTIMALWARE_RID
    else if RtlxEqualStrings('(Store)', S) then
      L := SECURITY_PROCESS_PROTECTION_LEVEL_APP_RID
    else if RtlxEqualStrings('(Windows)', S) then
      L := SECURITY_PROCESS_PROTECTION_LEVEL_WINDOWS_RID
    else if RtlxEqualStrings('(WinTcb)', S) then
      L := SECURITY_PROCESS_PROTECTION_LEVEL_WINTCB_RID
    else
      Result := False;
  end;

begin
  Rest := SidString;

  // Only names under our custom domain are handled here
  if not RtlxPrefixStripString(PROCESS_TRUST_PREFIX, Rest) then
    Exit(False);

  if RtlxEqualStrings(Rest, 'None') then
  begin
    // The bare "None" is shorthand for no type and no level
    ProtectionType := SECURITY_PROCESS_PROTECTION_TYPE_NONE_RID;
    ProtectionLevel := SECURITY_PROCESS_PROTECTION_LEVEL_NONE_RID;
  end
  else if not StripProtectionType(Rest, ProtectionType) or
    not ParseProtectionLevel(Rest, ProtectionLevel) then
    Exit(False);

  // Generate the SID: sub-authority 0 is the type, sub-authority 1 the level
  Result := RtlxCreateSid(Sid, SECURITY_PROCESS_TRUST_AUTHORITY,
    [ProtectionType, ProtectionLevel]).IsSuccess;
end;
// Represents process-trust SIDs (S-1-19-<type>-<level>) as
// "Process Trust\None" or "Process Trust\<Type> (<Level>)". Returns False
// for SIDs of other authorities, SIDs with the wrong sub-authority count,
// and unknown type or level values, in which case the caller should fall
// back to other providers.
function RtlxTrustSidProvider(
  const Sid: ISid;
  out SidType: TSidNameUse;
  out SidDomain: String;
  out SidUser: String
): Boolean;
var
  ProtectionType: TSecurityTrustType;
  ProtectionLevel: TSecurityTrustLevel;
  TypeName, LevelName: String;
begin
  // Only handle SIDs issued by the process trust authority with exactly the
  // expected number of sub-authorities (type + level)
  if (RtlxIdentifierAuthoritySid(Sid) <> SECURITY_PROCESS_TRUST_AUTHORITY) or
    (RtlxSubAuthorityCountSid(Sid) <>
    SECURITY_PROCESS_TRUST_AUTHORITY_RID_COUNT) then
    Exit(False);

  SidDomain := PROCESS_TRUST_DOMAIN;
  SidType := SidTypeWellKnownGroup;

  ProtectionType := RtlxSubAuthoritySid(Sid, 0);
  ProtectionLevel := RtlxSubAuthoritySid(Sid, 1);

  // Name the protection type; values this unit does not know about are
  // reported as unrecognized rather than guessed at
  case ProtectionType of
    SECURITY_PROCESS_PROTECTION_TYPE_NONE_RID: TypeName := 'None';
    SECURITY_PROCESS_PROTECTION_TYPE_LITE_RID: TypeName := 'Light';
    SECURITY_PROCESS_PROTECTION_TYPE_FULL_RID: TypeName := 'Full';
  else
    Exit(False);
  end;

  // Name the protection level the same way
  case ProtectionLevel of
    SECURITY_PROCESS_PROTECTION_LEVEL_NONE_RID: LevelName := '(None)';
    SECURITY_PROCESS_PROTECTION_LEVEL_AUTHENTICODE_RID:
      LevelName := '(Authenticode)';
    SECURITY_PROCESS_PROTECTION_LEVEL_ANTIMALWARE_RID:
      LevelName := '(Antimalware)';
    SECURITY_PROCESS_PROTECTION_LEVEL_APP_RID: LevelName := '(Store)';
    SECURITY_PROCESS_PROTECTION_LEVEL_WINDOWS_RID: LevelName := '(Windows)';
    SECURITY_PROCESS_PROTECTION_LEVEL_WINTCB_RID: LevelName := '(WinTcb)';
  else
    Exit(False);
  end;

  // No type and no level collapses to the short form "None"; every other
  // combination is spelled out as "<Type> (<Level>)"
  if (ProtectionType = SECURITY_PROCESS_PROTECTION_TYPE_NONE_RID) and
    (ProtectionLevel = SECURITY_PROCESS_PROTECTION_LEVEL_NONE_RID) then
    SidUser := 'None'
  else
    SidUser := TypeName + ' ' + LevelName;

  Result := True;
end;
initialization
  // String -> SID parsers for the domains this unit understands. The order
  // is preserved as written; whether the library consults recognizers in
  // registration order is not visible here — TODO confirm before reordering.
  RtlxRegisterSidNameRecognizer(RtlxLogonSidRecognizer);
  RtlxRegisterSidNameRecognizer(RtlxServiceSidRecognizer);
  RtlxRegisterSidNameRecognizer(RtlxTaskSidRecognizer);

  // Process-trust SIDs are only registered on Windows 8.1 and later
  // (presumably because that is where the process trust authority appeared);
  // both the SID -> name and the name -> SID direction are gated together so
  // the custom "Process Trust\" names never appear on systems that cannot
  // parse them back.
  if RtlOsVersionAtLeast(OsWin81) then
  begin
    RtlxRegisterSidNameProvider(RtlxTrustSidProvider);
    RtlxRegisterSidNameRecognizer(RtlxTrustSidRecognizer);
  end;
end.