Just a small thing, a total of 2 and a half! Of course, I also added the middle to learn Object and DACL. I used to read it, and I have read only a part of myself, you must have an application. To have a desire to learn, boring books will become very good ,,,
Don't give up and be careful, if you get at the HKEY you get through Regopenkey at the beginning, you will be able to change the DACL. If you don't succeed. No matter how big or more things can try again ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, User_groupname is written as "everyone", and I spent a mistake in one night, and I have practiced my own debugging, but I still feel worthless, and this is a problem.
Each button in the registration table is an object, and the windows is all Object ,,, take the example in Phrack 59 0x10.
typedef struct _OBJECT_HEADER {/ * 000 * / DWORD PointerCount; // number of references / * 004 * / DWORD HandleCount; // number of open handles / * 008 * / POBJECT_TYPE ObjectType; // pointer to object type struct / * 00C * / BYTE NameOffset; // OBJECT_NAME offset / * 00D * / BYTE HandleDBOffset; // OBJECT_HANDLE_DB offset / * 00E * / BYTE QuotaChargesOffset; // OBJECT_QUOTA_CHARGES offset / * 00F * / BYTE ObjectFlags; // OB_FLAG _ * / * 010 * / union {// OB_FLAG_CREATE_INFO ObjectCreateInfo: QuotaBlock / * 010 * / PQUOTA_BLOCK QuotaBlock; / * 010 * / POBJECT_CREATE_INFO ObjectCreateInfo;?}; / * 014 * / PSECURITY_DESCRIPTOR SecurityDescriptor; / * 018 * /} OBJECT_HEADER, * POBJECT_HEADER;
Different Object have different ObjectType ,,, head is all the same Object_Header in front of the Object body, I am still unclear, the object_header, the object_type structure, the location in memory In front of Object_Header, that is, if you are looking for NameOffset, you want Object_Header - NameOffset
kd> object / Device / PhysicAlMemoryObject:! e1001250 Type: (81899040) Section ObjectHeader: e1001238 HandleCount: 0 PointerCount: 3 Directory Object: 8189a180 Name:! PhysicalMemorykd> dd e1001238 L 6e1001238 00000003 00000000 81899040 16300020e1001248 00000001 e1008bd8kd> sd e1008bd8 // Check SecurityDescriptor-> Revision: 0x1-> SBZ1: 0x0-> Control: 0x8004 SE_DACL_PRESENT SE_SELF_RALATIVE-> OWNER: S-1-5-32-544-> Group: S-1-5-18-> DAP: -> DACL: -> ACLREVISION: 0X2-> DACL: -> SBZ1: 0x0-> Dacl: -> aclsize: 0x44-> dacl: -> acecount: 0x2-> dacl: -> sbz2: 0x0-> dacl: -> ace [0 ]: -> acetype: -> ace [0]: -> aceflags: 0x0-> dacl: -> ace [0]: -> acesize: 0x14-> dacl: -> ace [0]: -> Mask: 0x000f001f-> Dacl: -> ace [0]: -> SID: S-1-5-18-> DACL: -> ACE [1]: -> acetype: access_allowed_ce_type-> dacl: -> ace [1]: -> aceflags: 0x0-> DACL: -> ace [1]: -> acesize: 0x18-> dacl: -> ace [1]: -> Mask: 0x0002000D-> DACL: -> ace [1]: -> SID: S-1-5-32-544
-> Sacl: Is Null
The DACL contains an ACE, each ACE represents a rule of access, with a user or group's SID, an accessmask represents the corresponding permission bit, if it is Deny_ace, the permissions that prohibits AccessMask, Allow_ace indicates allowed DENY_ACE has always played a role in front of allow_ace, that is, there are two same accessmask, the same SID ACE, one is deny, one is allow, then the result is Deny.
SACL is not permission, but those need to record, System Access-Control List (SACL) Specifies Which Operations by Which Users Should Be Logged in The Security Audit Log. This may be the audit in the system, no SACL ,
The program is so simple, it is very simple, after knowing how to do it, then a few APIs are finished, you can depressed me before this, and go to the CS, add 20 Expert. Robot, in a full-awah, 嘿, 爽 死
Handle, who has received registry keys, I am afraid, and I have not succeeded. Because, if you read Machine / Sam / Sam, you have no read permissions. When you open a handle, you will fail,, oh ,,, Such a procedure is nothing more than a few APIs, and there is no qualified joke. Java is like building blocks, and is less likely to understand the operating system. It must be changed when it is, and the process must be changed. There is a written DACL permission. Since there is a write DACL permission because the default SAM is written, so if you don't have any words, if there is no, INSIDE WIN2K said: Administrator can put your own program Permission to TOKEN of the process refers to SetakeOwnership
SetakeownershipRequired to Take Ownership of an Object without Being Grand Discretionary Access
If the caller has the take-ownership privilege, the security system grants write-owner access and then examines the DACL. However, if write-owner access was the only access requested by a caller with take-ownership privilege, the security system grants that Access And Never Examines The Dacl. That is to say, there is a set of Write-Owner permissions, and then use those functions written to Owner to change Owner, setsecurityDescriptorowner
If the caller is the owner of the object, the read-control and write-DACL access rights are granted. If these rights were the only access rights that caller requested, access is granted without examining the DACL. Then we also had write- DACL's permissions, and then you can,
However, the program doesn't have so much function, and the general words can only have the original Write-DACL.
/ ************************************************** ************* * This registry authority is permission to write DACL in the registry * Writen by uty @ uaty ******************* *********************************************************** ********* / # include
/ / # define specific_rights_all 0x0000ffff // # define standard_rights_required 0x000f0000 // # Define standARD_Rights_all 0x001f0000
INT getPrivilege (LPCTSTR Privilege);
int main (int Argc, char * Argv []) {long ret = 0; PSECURITY_DESCRIPTOR pSecurityDescriptor; PACL pAcl; PACL pNewAcl; // TRUSTEE trustee; // ACCESS_MASK AccessmAsk; EXPLICIT_ACCESS eA; char * user_groupnAme; char * keypAth; char sid [64]; DWORD SIDLEDA; DWORD SIDTYPE; CHAR SIDTOMAIN [128]; DWORD SIDDOMAINLEN; INT AceIndex = 0; // Char UserName [128]; /// debug // dword usernamelen = 128;
IF (Argc! = 5) {Printf ("USAGE:% s registrypath user | group username | groupname deny | allow | readonly / n / n", argv [0]); Printf ("IT's a Simple Work / N" RegisterPath Like this machine // security .... / n "" predefined registry keys: / "clarsses_root /", / "current_user /", / "machine /", and / "users /" / n / n "); Return 0;
Keypath = argv [1]; user_groupname = argv [3];
getPrivilege; // i don't WHETER ITRILY WORK, But Result IS OK GetPrivilege (SE_RESTORE_NAME); getPrivilege; getPrivilege (SE_TAKE_OWNERSHIP_NAME);
getPrivilege (SE_DEBUG_NAME);
ret = GetNamedSecurityInfo (keypAth, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, & pAcl, NULL, & pSecurityDescriptor); if (ret = ERROR_SUCCESS!) {printf ( "GetNAmedSecurityInfo fAiled:% d / n ret% d / n", GetLastError (), ret); LocalFree (pSecurityDescriptor); return -1;} /// this pArt just show the former ACE AccessmAsk /*trustee.pMultipleTrustee = NULL; trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; trustee.TrusteeForm = TRUSTEE_IS_NAME; trustee.TrusteeType = TRUSTEE_IS_USER; Trustee.ptstrname = user_groupname;
ret = GetEffectiveRightsFromAcl (pAcl, & trustee, & AccessmAsk); if (ret = ERROR_SUCCESS!) {printf ( "GetEffectiveRightsFromAcl fAiled / n"); LocalFree (pSecurityDescriptor); return -1;} * //// get the sid sidlen = 64 Siddomainlen = 128; if (stricmp [2], "group") == 0) {sIDTYPE = SIDTYPEGROUP;} else f (Strics (Argv [2], "user") == 0) {sidtype = sidtypeuser } Else {printf ("??, user or group / n"); exit (1);}
ret = LookupAccountName (NULL, user_groupnAme, & sid, & sidlen, siddomAin, & siddomAinlen, & sidtype); if (ret == 0) {printf ( "LookupAccountNAme fAiled:% d / n sid size if% d / nsidlen requres% d / n / n ", getLastError (), sizeof (sID), sIDLEN; localfree (psecurityDescriptor); return -1;} / * Sleep (200); // Why can not lookup the sid 's username? STILL DON' 'KNOW
Ret = lookupaccountsid (NULL, (PSID) (SID), Username, & SidDomainlen, & SidType; Printf ("Debug: Ret =% D, getLastError =% D / N", RET, GetLastError ()); Printf ("% s / n", username; return 0; /// * / Delete the previous Ace While with the user or the same group (getAce (PACL, ACEINDEX, (PVOID) & receiveDace) {if (EqualsId ((PSID) ) SID, (PSID) (ACE_HEADER) SIZEOF (Access_Mask))) {// if Equal, returnireo deleteace (PACL, ACEINDEX); Continue;} else {aceIndex ;}}
/ * While (reset) {Printf ("debug: Ret =% D / N", RET); Printf ("% d / n", getLastError ());} // printf (" Last deletece ErrorCode% D / N ", getLastError ()); * /
memset (& eA, 0, sizeof (EXPLICIT_ACCESS)); if (stricmp (Argv [4], "ALLOW") == 0) {eA.grfAccessMode = GRANT_ACCESS; eA.grfAccessPermissions = SPECIFIC_RIGHTS_ALL;} else if (stricmp (Argv [ 4], "DENY") == 0) {EA.GRFACCESSMODE = DENY_ACCESS; EA.GRFACCESSPERMISSIONS = Specific_Rights_all;} Else IF (Strics (Argv [4], "Readonly") == 0) {EA.GRFACCESSMODE = DENY_ACCESS; EA.GRFACCESSPERMISSIONS = 0xff06; // Yun, The First 6 Bits Are The query value setting value creation child enumeration sub-item notification creation connection // 0 1 2 3 4 5} else {printf ("??, allow or deny or READONLY / n "); exit (1);} eA.grfInheritance = CONTAINER_INHERIT_ACE; eA.Trustee .MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; eA.Trustee .pMultipleTrustee = NULL; eA.Trustee .TrusteeForm = TRUSTEE_IS_NAME; if (stricmp (Argv [2 ], "Group") == 0) {EA.Trustee .trustetyEtype = trustee_is_group;} else f (Strics (Argv [2], "User") == 0) {EA.Trustee .trustetype = trustee_is_user;} else { Printf ("??, user or group / n "); Exit (1);} ele.trustee .ptstrname = user_groupname
RET = STENTRIESINACL (1, & EA, PACL, & PNEWACL); if (Ret! = Error_Success) {Printf ("STENTRIESINACL FAILED:% D / N", getLastError ()); LocalFree (psecurityDescriptor); return -1;} Ret = SetNamedSecurityInfo (keypAth, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, pNewAcl, NULL); if (ret = ERROR_SUCCESS!) {printf ( "SetNAmedSecurityInfo fAiled:% d / n", GetLastError ()); LocalFree (pSecurityDescriptor); return -1 }
Return 0;} // -------------------------------------------- ----------------------- Int getPrivilege (LPCTSTR Privilege) {Handle HProcesstoken = NULL; Token_Privileges TP; Luid Luid; // Open token if (!! OpenProcesstoken (), Token_all_access, & hprocessToken) {Printf ("/ Nopen Current Process Token Failed:% D", getLastError ()); return -1;} // lookup Luid if (! Lookuppprivilerage "(NULL, Privilege, & Luid) {Printf ("/ nlookupprivilerage Error:% D", getLastError ()); return -1;} tp.privilegect = 1; / means only one // one privilege to set tp.privileges [0]. Luid = luid; tp.Privileges [0] .Attributes = SE_PRIVILEGE_ENABLED; // add to the token authority AdjustTokenPrivileges (hProcessToken, FALSE, & tp, sizeof (TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES) NULL, (PDWORD) NULL);
IF (getLastError ()! = error_success) {printf ("AdjustTokenPrivileges Failed:% D / N", getLastError ()); return -1;} /// Return 0;} // --------- -------------------------------------------------- ---------
What is this blog? Why do you give me a row?
