/*++
Copyright (c) 1997-1998 Microsoft Corporation
Module Name:
sddl.w
Abstract:
This module defines the support and conversions routines necessary for SDDL.
Revision History:
--*/
#ifndef __SDDL_H__
#define __SDDL_H__
#ifdef __cplusplus
extern "C" {
#endif
//
// SDDL Version information
//
// Only revision 1 is defined. It is the value the Convert*SecurityDescriptor
// routines declared later in this header take as their revision argument.
//
#define SDDL_REVISION_1 1
#define SDDL_REVISION SDDL_REVISION_1
//
// SDDL Component tags
//
// One tag per section of the descriptor string. Several two-letter tokens in
// this header are reused with different meanings in different positions
// ("D" is both the DACL tag and SDDL_ACCESS_DENIED; "AU", "FA", "SA", "DC",
// "RC" and "WD" each name both a right/flag and a user alias), so a parser
// must interpret a token by the field it appears in, never by its value alone.
//
#define SDDL_OWNER TEXT("O") // Owner tag
#define SDDL_GROUP TEXT("G") // Group tag
#define SDDL_DACL TEXT("D") // DACL tag
#define SDDL_SACL TEXT("S") // SACL tag
//
// SDDL Security descriptor controls
//
// NOTE(review): SDDL_NULL_ACL denotes a descriptor whose ACL is absent, which
// is not the same as an ACL that contains no ACEs. In Win32 a null DACL places
// no restriction on access, so it must not be read as "nobody has access".
//
#define SDDL_PROTECTED TEXT("P") // DACL or SACL Protected
#define SDDL_AUTO_INHERIT_REQ TEXT("AR") // Auto inherit request
#define SDDL_AUTO_INHERITED TEXT("AI") // DACL/SACL are auto inherited
#define SDDL_NULL_ACL TEXT("NO_ACCESS_CONTROL") // Null ACL
//
// SDDL Ace types
//
// First field of an ACE. "D" here means access-denied, not the DACL tag.
//
#define SDDL_ACCESS_ALLOWED TEXT("A") // Access allowed
#define SDDL_ACCESS_DENIED TEXT("D") // Access denied
#define SDDL_OBJECT_ACCESS_ALLOWED TEXT("OA") // Object access allowed
#define SDDL_OBJECT_ACCESS_DENIED TEXT("OD") // Object access denied
#define SDDL_AUDIT TEXT("AU") // Audit
#define SDDL_ALARM TEXT("AL") // Alarm
#define SDDL_OBJECT_AUDIT TEXT("OU") // Object audit
#define SDDL_OBJECT_ALARM TEXT("OL") // Object alarm
#define SDDL_MANDATORY_LABEL TEXT("ML") // Integrity label
#define SDDL_CALLBACK_ACCESS_ALLOWED TEXT("XA") // callback Access allowed
#define SDDL_CALLBACK_ACCESS_DENIED TEXT("XD") // callback Access denied
//
// SDDL Ace flags
//
// Inheritance and audit flags. "SA"/"FA" are audit flags in this field; the
// same letters are an alias and a file right elsewhere in this header.
//
#define SDDL_CONTAINER_INHERIT TEXT("CI") // Container inherit
#define SDDL_OBJECT_INHERIT TEXT("OI") // Object inherit
#define SDDL_NO_PROPAGATE TEXT("NP") // Inherit no propagate
#define SDDL_INHERIT_ONLY TEXT("IO") // Inherit only
#define SDDL_INHERITED TEXT("ID") // Inherited
#define SDDL_AUDIT_SUCCESS TEXT("SA") // Audit success
#define SDDL_AUDIT_FAILURE TEXT("FA") // Audit failure
//
// SDDL Rights
//
// Two-letter right names grouped by object family: directory-service rights
// (RP..CR), standard rights (RC..SD), generic rights (GA..GX), file rights
// (FA..FX), registry-key rights (KA..KX) and mandatory-label policy (NW..NX).
//
#define SDDL_READ_PROPERTY TEXT("RP")
#define SDDL_WRITE_PROPERTY TEXT("WP")
#define SDDL_CREATE_CHILD TEXT("CC")
#define SDDL_DELETE_CHILD TEXT("DC")
#define SDDL_LIST_CHILDREN TEXT("LC")
#define SDDL_SELF_WRITE TEXT("SW")
#define SDDL_LIST_OBJECT TEXT("LO")
#define SDDL_DELETE_TREE TEXT("DT")
#define SDDL_CONTROL_ACCESS TEXT("CR")
#define SDDL_READ_CONTROL TEXT("RC")
#define SDDL_WRITE_DAC TEXT("WD")
#define SDDL_WRITE_OWNER TEXT("WO")
#define SDDL_STANDARD_DELETE TEXT("SD")
#define SDDL_GENERIC_ALL TEXT("GA")
#define SDDL_GENERIC_READ TEXT("GR")
#define SDDL_GENERIC_WRITE TEXT("GW")
#define SDDL_GENERIC_EXECUTE TEXT("GX")
#define SDDL_FILE_ALL TEXT("FA")
#define SDDL_FILE_READ TEXT("FR")
#define SDDL_FILE_WRITE TEXT("FW")
#define SDDL_FILE_EXECUTE TEXT("FX")
#define SDDL_KEY_ALL TEXT("KA")
#define SDDL_KEY_READ TEXT("KR")
#define SDDL_KEY_WRITE TEXT("KW")
#define SDDL_KEY_EXECUTE TEXT("KX")
#define SDDL_NO_WRITE_UP TEXT("NW")
#define SDDL_NO_READ_UP TEXT("NR")
#define SDDL_NO_EXECUTE_UP TEXT("NX")
//
// SDDL User alias max size
// - currently, up to two supported e.g. "DA"
// - modify this if more WCHARs need to be there in future e.g. "DAX"
//
// The size is a count of characters, not bytes.
//
#define SDDL_ALIAS_SIZE 2
//
// SDDL User aliases
//
// Two-letter shorthands for well-known accounts and groups; the trailing
// comment names the principal each one stands for.
//
#define SDDL_DOMAIN_ADMINISTRATORS TEXT("DA") // Domain admins
#define SDDL_DOMAIN_GUESTS TEXT("DG") // Domain guests
#define SDDL_DOMAIN_USERS TEXT("DU") // Domain users
#define SDDL_ENTERPRISE_DOMAIN_CONTROLLERS TEXT("ED") // Enterprise domain controllers
#define SDDL_DOMAIN_DOMAIN_CONTROLLERS TEXT("DD") // Domain domain controllers
#define SDDL_DOMAIN_COMPUTERS TEXT("DC") // Domain computers
#define SDDL_BUILTIN_ADMINISTRATORS TEXT("BA") // Builtin (local) administrators
#define SDDL_BUILTIN_GUESTS TEXT("BG") // Builtin (local) guests
#define SDDL_BUILTIN_USERS TEXT("BU") // Builtin (local) users
#define SDDL_LOCAL_ADMIN TEXT("LA") // Local administrator account
#define SDDL_LOCAL_GUEST TEXT("LG") // Local guest account
#define SDDL_ACCOUNT_OPERATORS TEXT("AO") // Account operators
#define SDDL_BACKUP_OPERATORS TEXT("BO") // Backup operators
#define SDDL_PRINTER_OPERATORS TEXT("PO") // Printer operators
#define SDDL_SERVER_OPERATORS TEXT("SO") // Server operators
#define SDDL_AUTHENTICATED_USERS TEXT("AU") // Authenticated users
#define SDDL_PERSONAL_SELF TEXT("PS") // Personal self
#define SDDL_CREATOR_OWNER TEXT("CO") // Creator owner
#define SDDL_CREATOR_GROUP TEXT("CG") // Creator group
#define SDDL_LOCAL_SYSTEM TEXT("SY") // Local system
#define SDDL_POWER_USERS TEXT("PU") // Power users
#define SDDL_EVERYONE TEXT("WD") // Everyone ( World )
#define SDDL_REPLICATOR TEXT("RE") // Replicator
#define SDDL_INTERACTIVE TEXT("IU") // Interactive logon user
#define SDDL_NETWORK TEXT("NU") // Network logon user
#define SDDL_SERVICE TEXT("SU") // Service logon user
#define SDDL_RESTRICTED_CODE TEXT("RC") // Restricted code
#define SDDL_WRITE_RESTRICTED_CODE TEXT("WR") // Write Restricted code
#define SDDL_ANONYMOUS TEXT("AN") // Anonymous Logon
#define SDDL_SCHEMA_ADMINISTRATORS TEXT("SA") // Schema Administrators
#define SDDL_CERT_SERV_ADMINISTRATORS TEXT("CA") // Certificate Server Administrators
#define SDDL_RAS_SERVERS TEXT("RS") // RAS servers group
#define SDDL_ENTERPRISE_ADMINS TEXT("EA") // Enterprise administrators
#define SDDL_GROUP_POLICY_ADMINS TEXT("PA") // Group Policy administrators
#define SDDL_ALIAS_PREW2KCOMPACC TEXT("RU") // alias to allow previous windows 2000
#define SDDL_LOCAL_SERVICE TEXT("LS") // Local service account (for services)
#define SDDL_NETWORK_SERVICE TEXT("NS") // Network service account (for services)
#define SDDL_REMOTE_DESKTOP TEXT("RD") // Remote desktop users (for terminal server)
#define SDDL_NETWORK_CONFIGURATION_OPS TEXT("NO") // Network configuration operators ( to manage configuration of networking features)
#define SDDL_PERFMON_USERS TEXT("MU") // Performance Monitor Users
#define SDDL_PERFLOG_USERS TEXT("LU") // Performance Log Users
#define SDDL_IIS_USERS TEXT("IS") // Anonymous Internet Users
#define SDDL_CRYPTO_OPERATORS TEXT("CY") // Crypto Operators
#define SDDL_OWNER_RIGHTS TEXT("OW") // Owner Rights SID
#define SDDL_EVENT_LOG_READERS TEXT("ER") // Event log readers
#define SDDL_ENTERPRISE_RO_DCs TEXT("RO") // Enterprise Read-only domain controllers
#define SDDL_CERTSVC_DCOM_ACCESS TEXT("CD") // Users who can connect to certification authorities using DCOM
//
// Integrity Labels
//
// SID shorthands used in the trustee field of an SDDL_MANDATORY_LABEL ACE.
//
#define SDDL_ML_LOW TEXT("LW") // Low mandatory level
#define SDDL_ML_MEDIUM TEXT("ME") // Medium mandatory level
#define SDDL_ML_MEDIUM_PLUS TEXT("MP") // Medium Plus mandatory level
#define SDDL_ML_HIGH TEXT("HI") // High mandatory level
#define SDDL_ML_SYSTEM TEXT("SI") // System mandatory level
//
// SDDL Separators - character version
//
// SDDL_ACE_BEGINC, SDDL_ACE_COND_BEGINC and SDDL_ACE_COND_SID_BEGINC are all
// '(' (and their END counterparts all ')'), and a conditional-ACE string
// literal is delimited by '"'. A scanner looking for the end of an ACE must
// therefore track parenthesis nesting and skip quoted strings rather than
// stop at the first ')'.
//
#define SDDL_SEPERATORC TEXT(';')
#define SDDL_DELIMINATORC TEXT(':')
#define SDDL_ACE_BEGINC TEXT('(')
#define SDDL_ACE_ENDC TEXT(')')
#define SDDL_SPACEC TEXT(' ')
#define SDDL_ACE_COND_BEGINC TEXT('(')
#define SDDL_ACE_COND_ENDC TEXT(')')
#define SDDL_ACE_COND_STRING_BEGINC TEXT('"')
#define SDDL_ACE_COND_STRING_ENDC TEXT('"')
#define SDDL_ACE_COND_COMPOSITEVALUE_BEGINC TEXT('{')
#define SDDL_ACE_COND_COMPOSITEVALUE_ENDC TEXT('}')
#define SDDL_ACE_COND_COMPOSITEVALUE_SEPERATORC TEXT(',')
#define SDDL_ACE_COND_BLOB_PREFIXC TEXT('#')
#define SDDL_ACE_COND_SID_BEGINC TEXT('(')
#define SDDL_ACE_COND_SID_ENDC TEXT(')')
//
// SDDL Separators - string version
//
// The same delimiters as one-character strings, for building SDDL text by
// concatenation. SDDL_ACE_COND_SID_PREFIX has no single-character form.
//
#define SDDL_SEPERATOR TEXT(";")
#define SDDL_DELIMINATOR TEXT(":")
#define SDDL_ACE_BEGIN TEXT("(")
#define SDDL_ACE_END TEXT(")")
#define SDDL_ACE_COND_BEGIN TEXT("(")
#define SDDL_ACE_COND_END TEXT(")")
#define SDDL_SPACE TEXT(" ")
#define SDDL_ACE_COND_BLOB_PREFIX TEXT("#")
#define SDDL_ACE_COND_SID_PREFIX TEXT("SID")
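#if !defined(_NTDDK_)
#if(_WIN32_WINNT >= 0x0500)
//
// Conversion routines between binary security objects and SDDL text.
//
// The types used below (BOOL, PSID, LPSTR, PSECURITY_DESCRIPTOR, ...) come
// from the base SDK headers, so <windows.h> must be included before this one.
// Every routine returns TRUE on success and FALSE on failure, with the reason
// available through GetLastError. A buffer returned through a __deref_out
// parameter is allocated by the routine; the SDK documents LocalFree as the
// release call. Those out-parameters are mandatory: passing NULL is an error,
// not a size query.
//

//
// ConvertSidToStringSid - render a binary SID as its textual form.
//
// Sid       [in]  SID to convert.
// StringSid [out] receives a newly allocated NUL-terminated string.
//
BOOL
WINAPI
ConvertSidToStringSidA(
__in PSID Sid,
__deref_out LPSTR *StringSid
);
BOOL
WINAPI
ConvertSidToStringSidW(
__in PSID Sid,
__deref_out LPWSTR *StringSid
);
#ifdef UNICODE
#define ConvertSidToStringSid ConvertSidToStringSidW
#else
#define ConvertSidToStringSid ConvertSidToStringSidA
#endif // !UNICODE
//
// ConvertStringSidToSid - parse a SID string back into a binary SID.
//
// StringSid [in]  textual SID; the SDK also accepts the two-letter aliases
//                 defined above (SDDL_BUILTIN_ADMINISTRATORS, ...).
// Sid       [out] receives a newly allocated SID.
//
// Treat a FALSE result as a hard error when StringSid comes from outside the
// process (configuration, command line): a malformed string must never be
// silently mapped to some other principal.
//
BOOL
WINAPI
ConvertStringSidToSidA(
__in LPCSTR StringSid,
__deref_out PSID *Sid
);
BOOL
WINAPI
ConvertStringSidToSidW(
__in LPCWSTR StringSid,
__deref_out PSID *Sid
);
#ifdef UNICODE
#define ConvertStringSidToSid ConvertStringSidToSidW
#else
#define ConvertStringSidToSid ConvertStringSidToSidA
#endif // !UNICODE
//
// ConvertStringSecurityDescriptorToSecurityDescriptor - build a binary
// security descriptor from an SDDL string (the SDK documents the result as
// self-relative).
//
// StringSecurityDescriptor [in]  SDDL text.
// StringSDRevision         [in]  must be SDDL_REVISION_1.
// SecurityDescriptor       [out] receives a newly allocated descriptor.
// SecurityDescriptorSize   [out, optional] receives its size in bytes.
//
BOOL
WINAPI
ConvertStringSecurityDescriptorToSecurityDescriptorA(
__in LPCSTR StringSecurityDescriptor,
__in DWORD StringSDRevision,
__deref_out PSECURITY_DESCRIPTOR *SecurityDescriptor,
__out_opt PULONG SecurityDescriptorSize
);
BOOL
WINAPI
ConvertStringSecurityDescriptorToSecurityDescriptorW(
__in LPCWSTR StringSecurityDescriptor,
__in DWORD StringSDRevision,
__deref_out PSECURITY_DESCRIPTOR *SecurityDescriptor,
__out_opt PULONG SecurityDescriptorSize
);
#ifdef UNICODE
#define ConvertStringSecurityDescriptorToSecurityDescriptor ConvertStringSecurityDescriptorToSecurityDescriptorW
#else
#define ConvertStringSecurityDescriptorToSecurityDescriptor ConvertStringSecurityDescriptorToSecurityDescriptorA
#endif // !UNICODE
//
// ConvertSecurityDescriptorToStringSecurityDescriptor - render the selected
// parts of a binary security descriptor as an SDDL string.
//
// SecurityDescriptor          [in]  descriptor to render.
// RequestedStringSDRevision   [in]  must be SDDL_REVISION_1.
// SecurityInformation         [in]  which components (owner, group, DACL,
//                                   SACL) to include in the string.
// StringSecurityDescriptor    [out] receives a newly allocated string.
// StringSecurityDescriptorLen [out, optional] receives its length.
//
// StringSecurityDescriptorLen is a PULONG: __out_opt only makes sense on a
// pointer, and callers pass the address of a ULONG (as main() below does).
// The by-value ULONG this listing previously carried was a type mismatch
// against such a call.
//
BOOL WINAPI
ConvertSecurityDescriptorToStringSecurityDescriptorA(
__in PSECURITY_DESCRIPTOR SecurityDescriptor,
__in DWORD RequestedStringSDRevision,
__in SECURITY_INFORMATION SecurityInformation,
__deref_out LPSTR *StringSecurityDescriptor,
__out_opt PULONG StringSecurityDescriptorLen
);
BOOL WINAPI
ConvertSecurityDescriptorToStringSecurityDescriptorW(
__in PSECURITY_DESCRIPTOR SecurityDescriptor,
__in DWORD RequestedStringSDRevision,
__in SECURITY_INFORMATION SecurityInformation,
__deref_out LPWSTR *StringSecurityDescriptor,
__out_opt PULONG StringSecurityDescriptorLen
);
#ifdef UNICODE
#define ConvertSecurityDescriptorToStringSecurityDescriptor ConvertSecurityDescriptorToStringSecurityDescriptorW
#else
#define ConvertSecurityDescriptorToStringSecurityDescriptor ConvertSecurityDescriptorToStringSecurityDescriptorA
#endif // !UNICODE
#endif /* _WIN32_WINNT >= 0x0500 */
#endif /* !defined(_NTDDK_) */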
#ifdef __cplusplus
}
#endif
#endif // endif __SDDL_H__
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
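/*
 * Print the DACL of HKLM\Software\Microsoft\Windows\CurrentVersion\Run as an
 * SDDL string.
 *
 * The Run key is an autostart location, so its DACL tells an administrator
 * which principals are allowed to add entries. This program only reads the
 * key's security descriptor; it never modifies the key.
 *
 * Returns 0 when the string was printed and 1 when any step failed; the
 * failing call and its Win32 error code are written to stderr.
 */
int main(void)
{
    int rc = 1;
    HKEY hKey = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;   /* malloc'd copy of the key's descriptor */
    LPTSTR StrSD = NULL;               /* allocated by the conversion routine */
    ULONG StrSDSize = 0;
    DWORD cbSD = 0;                    /* in/out: buffer size / required size */
    LONG retCode;
    const SECURITY_INFORMATION wanted =
        DACL_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION;

    /*
     * READ_CONTROL is the only right RegGetKeySecurity needs for the owner
     * and DACL. KEY_ALL_ACCESS would grant write rights this program never
     * uses and fails for a non-elevated caller on an HKLM key. TEXT() keeps
     * the literal consistent with the LPTSTR/tchar.h build.
     */
    retCode = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                           TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
                           0, READ_CONTROL, &hKey);
    if (retCode != ERROR_SUCCESS) {
        fprintf(stderr, "RegOpenKeyEx failed: %ld\n", (long)retCode);
        goto out;
    }

    /*
     * Size query: with a NULL buffer the call fails with
     * ERROR_INSUFFICIENT_BUFFER and stores the required size in cbSD.
     * cbSD starts at 0 because the parameter is read as the buffer size.
     */
    retCode = RegGetKeySecurity(hKey, wanted, NULL, &cbSD);
    if (retCode != ERROR_INSUFFICIENT_BUFFER || cbSD == 0) {
        fprintf(stderr, "RegGetKeySecurity size query failed: %ld\n", (long)retCode);
        goto out;
    }

    pSD = malloc(cbSD);
    if (pSD == NULL) {
        fprintf(stderr, "out of memory (%lu bytes)\n", (unsigned long)cbSD);
        goto out;
    }

    retCode = RegGetKeySecurity(hKey, wanted, pSD, &cbSD);
    if (retCode != ERROR_SUCCESS) {
        fprintf(stderr, "RegGetKeySecurity failed: %ld\n", (long)retCode);
        goto out;
    }

    /*
     * The conversion routine allocates the output string itself and returns
     * it through the mandatory LPTSTR* out-parameter (see its __deref_out
     * annotation); StrSDSize receives the resulting length. Passing a
     * caller-malloc'd LPTSTR in that slot would only overwrite the first
     * bytes of that buffer with a pointer value. Failure is reported via the
     * BOOL result and GetLastError, not via retCode.
     */
    if (!ConvertSecurityDescriptorToStringSecurityDescriptor(
            pSD, SDDL_REVISION_1, DACL_SECURITY_INFORMATION, &StrSD, &StrSDSize)) {
        fprintf(stderr,
                "ConvertSecurityDescriptorToStringSecurityDescriptor failed: %lu\n",
                (unsigned long)GetLastError());
        goto out;
    }

    /* _tprintf so the TCHAR string prints correctly in both ANSI and UNICODE builds. */
    _tprintf(TEXT("StrSD = %s\n"), StrSD);
    rc = 0;

out:
    /* The SDK documents LocalFree as the release routine for the SDDL string. */
    if (StrSD != NULL) {
        LocalFree(StrSD);
    }
    free(pSD);
    if (hKey != NULL) {
        RegCloseKey(hKey);
    }
    return rc;
}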