-
-
Notifications
You must be signed in to change notification settings - Fork 16
/
Operation.cpp
215 lines (183 loc) · 6.8 KB
/
Operation.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
#include "Operation.h"
#include "InputOutput.h"
#include "Helpers.h"
#include <regex>
PSID Operation::GetSidFromAce(PACE_ACCESS_HEADER tAce) noexcept
{
PSID pSid = &((ACCESS_ALLOWED_ACE*) tAce)->SidStart;
if (tAce->AceType == ACCESS_ALLOWED_OBJECT_ACE_TYPE ||
tAce->AceType == ACCESS_DENIED_OBJECT_ACE_TYPE ||
tAce->AceType == SYSTEM_AUDIT_OBJECT_ACE_TYPE)
{
ACCESS_ALLOWED_OBJECT_ACE* oObjectAce = (ACCESS_ALLOWED_OBJECT_ACE*)tAce;
LPBYTE pSidStart = (LPBYTE)&oObjectAce->ObjectType;
if (oObjectAce->Flags & ACE_OBJECT_TYPE_PRESENT) pSidStart += sizeof(GUID);
if (oObjectAce->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) pSidStart += sizeof(GUID);
pSid = (SID*)pSidStart;
}
return pSid;
}
bool Operation::ProcessAclAction(const WCHAR * const sSdPart, ObjectEntry & tObjectEntry, PACL & tCurrentAcl, bool & bAclReplacement)
{
// return immediately if acl is null
if (tCurrentAcl == nullptr) return false;
// flag to note whether a change was actually made
bool bMadeChange = false;
bool bSkipIncrement = false;
PACE_ACCESS_HEADER tAce = FirstAce(tCurrentAcl);
for (ULONG iEntry = 0; iEntry < tCurrentAcl->AceCount;
tAce = (bSkipIncrement) ? tAce : NextAce(tAce), iEntry += (bSkipIncrement) ? 0 : 1)
{
// reset skip increment variable
bSkipIncrement = false;
// do not bother with inherited aces
if (IsInherited(tAce)) continue;
// convenience variable for sid associated with ace
PSID const tCurrentSid = GetSidFromAce(tAce);
PSID tResultantSid;
const SidActionResult tResult = DetermineSid(sSdPart, tObjectEntry, tCurrentSid, tResultantSid);
if (tResult == SidActionResult::Remove)
{
DeleteAce(tCurrentAcl, iEntry);
bMadeChange = true;
bSkipIncrement = true;
continue;
}
else if (tResult == SidActionResult::Replace)
{
PSID const tOldSid = GetSidFromAce(tAce);
PSID const tNewSid = tResultantSid;
const DWORD iOldLen = SidGetLength(tOldSid);
const DWORD iNewLen = SidGetLength(tNewSid);
// if the old sid in the ace matches the new sid, just return immediately
if (SidMatch(tOldSid, tNewSid)) return false;
// at this point, we know we are going to make a change so set the flag
bMadeChange = true;
// if lengths are equals just overwrite the old sid with the new sid
if (iOldLen == iNewLen)
{
memcpy(tOldSid, tNewSid, iNewLen);
continue;
}
// casted convenience variables
PACL const tAcl = tCurrentAcl;
PBYTE const tAclLoc = (PBYTE)tAcl;
PBYTE const tAceLoc = (PBYTE)tAce;
PBYTE const tOldSidLoc = (PBYTE)tOldSid;
// if the new length is less than the old length, then copy the new sid
// and then shift the remaining bytes in the acl down to collapse the gap
if (iNewLen < iOldLen)
{
memcpy(tOldSid, tNewSid, iNewLen);
memmove(tOldSidLoc + iNewLen, tOldSidLoc + iOldLen, tAcl->AclSize - ((tOldSidLoc - tAclLoc) + iOldLen));
}
// if the size is bigger than we should expand the acl to accommodate the
// new size and then copy the various parts into the new memory
else
{
PBYTE const tNewAcl = (PBYTE)LocalAlloc(LMEM_FIXED, tAcl->AclSize + (iNewLen - iOldLen));
if (tNewAcl == nullptr)
{
wprintf(L"ERROR: Unable to allocate memory for new SID.\n");
std::exit(-1);
}
memcpy(tNewAcl, tAclLoc, tOldSidLoc - tAclLoc);
memcpy(tNewAcl + (tOldSidLoc - tAclLoc), tNewSid, iNewLen);
memcpy(tNewAcl + (tOldSidLoc - tAclLoc) + iNewLen, tOldSidLoc + iOldLen, tAcl->AclSize - ((tOldSidLoc - tAclLoc) + iOldLen));
// free the existing pointer and update the value that was passed
if (bAclReplacement) LocalFree(tAcl);
tAce = (PACE_ACCESS_HEADER)(tNewAcl + (tAceLoc - tAclLoc));
tCurrentAcl = (PACL)tNewAcl;
bAclReplacement = true;
}
// update size in ace header
tAce->AceSize += (WORD)(iNewLen - iOldLen);
// update size in acl header and return size differential
tCurrentAcl->AclSize += (WORD)(iNewLen - iOldLen);
}
}
// return flag to indicate something has actually changed
return bMadeChange;
}
std::vector<std::wstring> Operation::SplitArgs(std::wstring sInput, const std::wstring & sDelimiter)
{
const std::wregex oRegex(sDelimiter);
const std::wsregex_token_iterator oFirst{ sInput.begin(), sInput.end(), oRegex, -1 }, oLast;
return { oFirst, oLast };
}
bool Operation::ProcessSidAction(const WCHAR * const sSdPart, ObjectEntry & tObjectEntry, PSID & tCurrentSid, bool & bSidReplacement)
{
PSID tResultantSid;
const SidActionResult tResult = DetermineSid(sSdPart, tObjectEntry, tCurrentSid, tResultantSid);
bool bMadeChange = false;
if (tResult == SidActionResult::Remove)
{
// populate the default sid value to be used if the sid is empty
tCurrentSid = DefaultSidWhenEmpty;
bMadeChange = true;
}
else if (tResult == SidActionResult::Replace)
{
// only process change if sid is actually different
if (SidNotMatch(tCurrentSid, tResultantSid))
{
// substitute sid
tCurrentSid = tResultantSid;
bMadeChange = true;
}
}
// return flag to indicate something has actually changed
return bMadeChange;
}
Operation::Operation(std::queue<std::wstring> & oArgList)
{
SID_IDENTIFIER_AUTHORITY tAuthNt = SECURITY_NT_AUTHORITY;
AllocateAndInitializeSid(&tAuthNt, 2, SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &DefaultSidWhenEmpty);
};
std::vector<std::wstring> Operation::ProcessAndCheckArgs(int iArgsRequired, std::queue<std::wstring> & oArgList, const std::wstring & sDelimiter)
{
// check if around arguments exist yet
if (iArgsRequired > 0 && oArgList.empty())
{
wprintf(L"ERROR: An option that was specified is missing a required parameter.\n");
std::exit(-1);
}
// parse the parameters, splitting on :
const std::wstring sArg = oArgList.front(); oArgList.pop();
std::vector<std::wstring> oSubArgs = SplitArgs(sArg, sDelimiter);
// verify we have enough parameters
if (oSubArgs.size() < (size_t) iArgsRequired)
{
wprintf(L"ERROR: An option that was specified is missing a required parameter.\n");
std::exit(-1);
}
// return the parsed args
return oSubArgs;
}
void Operation::ProcessGranularTargetting(std::wstring sScope)
{
// parse the parameters, splitting on :
const std::wregex oRegex(L",");
const std::wsregex_token_iterator oFirst{ sScope.begin(), sScope.end(), oRegex, -1 }, oLast;
const std::vector<std::wstring> sScopeOpts = { oFirst, oLast };
// default all to false if calling this method
AppliesToDacl = false;
AppliesToSacl = false;
AppliesToOwner = false;
AppliesToGroup = false;
AppliesToObject = false;
for (auto& sScopeOpt : sScopeOpts)
{
if (sScopeOpt == L"DACL") AppliesToDacl = true;
else if (sScopeOpt == L"SACL") AppliesToSacl = true;
else if (sScopeOpt == L"OWNER") AppliesToOwner = true;
else if (sScopeOpt == L"GROUP") AppliesToGroup = true;
else
{
// complain
wprintf(L"ERROR: Unrecognized scope qualifier '%s'\n", sScopeOpt.c_str());
std::exit(-1);
}
}
}