diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
commit | 4f5791ebd03eaec1c7da0865a383175b05102712 (patch) | |
tree | 8ce7b00f7a76baa386372422adebbe64510812d4 /testprogs/win32/prepare_dcpromo/prepare_dcpromo.c | |
parent | Initial commit. (diff) | |
download | samba-upstream.tar.xz samba-upstream.zip |
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testprogs/win32/prepare_dcpromo/prepare_dcpromo.c')
-rwxr-xr-x | testprogs/win32/prepare_dcpromo/prepare_dcpromo.c | 1074 |
1 files changed, 1074 insertions, 0 deletions
diff --git a/testprogs/win32/prepare_dcpromo/prepare_dcpromo.c b/testprogs/win32/prepare_dcpromo/prepare_dcpromo.c new file mode 100755 index 0000000..91b819b --- /dev/null +++ b/testprogs/win32/prepare_dcpromo/prepare_dcpromo.c @@ -0,0 +1,1074 @@ +/* + Copyright (C) Stefan Metzmacher <metze@samba.org> 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. + Published to the public domain + */ + +/* + * This tool can set the DOMAIN-SID and nextRid counter in + * the local SAM on windows servers (tested with w2k8r2) + * + * dcpromo will use this values for the ad domain it creates. + * + * This might be useful for upgrades from a Samba3 domain. + */ + +#include <windows.h> +#include <stdio.h> +#include <stdlib.h> +#include <ctype.h> + +/* Convert a binary SID to a character string */ +static DWORD SidToString(const SID *sid, + char **string) +{ + DWORD id_auth; + int i, ofs, maxlen; + char *result; + + if (!sid) { + return ERROR_INVALID_SID; + } + + maxlen = sid->SubAuthorityCount * 11 + 25; + + result = (char *)malloc(maxlen); + if (result == NULL) { + return ERROR_NOT_ENOUGH_MEMORY; + } + + /* + * BIG NOTE: this function only does SIDS where the identauth is not + * >= ^32 in a range of 2^48. + */ + + id_auth = sid->IdentifierAuthority.Value[5] + + (sid->IdentifierAuthority.Value[4] << 8) + + (sid->IdentifierAuthority.Value[3] << 16) + + (sid->IdentifierAuthority.Value[2] << 24); + + ofs = snprintf(result, maxlen, "S-%u-%lu", + (unsigned int)sid->Revision, (unsigned long)id_auth); + + for (i = 0; i < sid->SubAuthorityCount; i++) { + ofs += snprintf(result + ofs, maxlen - ofs, "-%lu", + (unsigned long)sid->SubAuthority[i]); + } + + *string = result; + return ERROR_SUCCESS; +} + +static DWORD StringToSid(const char *str, + SID *sid) +{ + const char *p; + char *q; + DWORD x; + + if (!sid) { + return ERROR_INVALID_PARAMETER; + } + + /* Sanity check for either "S-" or "s-" */ + + if (!str + || (str[0]!='S' && str[0]!='s') + || (str[1]!='-')) + { + return ERROR_INVALID_PARAMETER; + } + + /* Get the SID revision number */ + + p = str+2; + x = (DWORD)strtol(p, &q, 10); + if (x==0 || !q || *q!='-') { + return ERROR_INVALID_SID; + } + sid->Revision = (BYTE)x; + + /* Next the Identifier Authority. This is stored in big-endian + in a 6 byte array. */ + + p = q+1; + x = (DWORD)strtol(p, &q, 10); + if (!q || *q!='-') { + return ERROR_INVALID_SID; + } + sid->IdentifierAuthority.Value[5] = (x & 0x000000ff); + sid->IdentifierAuthority.Value[4] = (x & 0x0000ff00) >> 8; + sid->IdentifierAuthority.Value[3] = (x & 0x00ff0000) >> 16; + sid->IdentifierAuthority.Value[2] = (x & 0xff000000) >> 24; + sid->IdentifierAuthority.Value[1] = 0; + sid->IdentifierAuthority.Value[0] = 0; + + /* now read the the subauthorities */ + + p = q +1; + sid->SubAuthorityCount = 0; + while (sid->SubAuthorityCount < 6) { + x=(DWORD)strtoul(p, &q, 10); + if (p == q) + break; + if (q == NULL) { + return ERROR_INVALID_SID; + } + sid->SubAuthority[sid->SubAuthorityCount++] = x; + + if ((*q!='-') || (*q=='\0')) + break; + p = q + 1; + } + + /* IF we ended early, then the SID could not be converted */ + + if (q && *q!='\0') { + return ERROR_INVALID_SID; + } + + return ERROR_SUCCESS; +} + +#define MIN(a,b) ((a)<(b)?(a):(b)) +static void print_asc(const unsigned char *buf,int len) +{ + int i; + for (i=0;i<len;i++) + printf("%c", isprint(buf[i])?buf[i]:'.'); +} + +static void dump_data(const unsigned char *buf1,int len) +{ + const unsigned char *buf = (const unsigned char *)buf1; + int i=0; + if (len<=0) return; + + printf("[%03X] ",i); + for (i=0;i<len;) { + printf("%02X ",(int)buf[i]); + i++; + if (i%8 == 0) printf(" "); + if (i%16 == 0) { + print_asc(&buf[i-16],8); printf(" "); + print_asc(&buf[i-8],8); printf("\n"); + if (i<len) printf("[%03X] ",i); + } + } + if (i%16) { + int n; + n = 16 - (i%16); + printf(" "); + if (n>8) printf(" "); + while (n--) printf(" "); + n = MIN(8,i%16); + print_asc(&buf[i-(i%16)],n); printf( " " ); + n = (i%16) - n; + if (n>0) print_asc(&buf[i-n],n); + printf("\n"); + } +} + +static DWORD calc_tmp_HKLM_SECURITY_SD(SECURITY_DESCRIPTOR *old_sd, + SID *current_user_sid, + SECURITY_DESCRIPTOR **_old_parent_sd, + SECURITY_DESCRIPTOR **_old_child_sd, + SECURITY_DESCRIPTOR **_new_parent_sd, + SECURITY_DESCRIPTOR **_new_child_sd) +{ + LONG status; + DWORD cbSecurityDescriptor = 0; + SECURITY_DESCRIPTOR *old_parent_sd = NULL; + SECURITY_DESCRIPTOR *old_child_sd = NULL; + SECURITY_DESCRIPTOR *new_parent_sd = NULL; + SECURITY_DESCRIPTOR *new_child_sd = NULL; + BOOL ok; + ACL *old_Dacl = NULL; + ACL *new_Dacl = NULL; + ACL_SIZE_INFORMATION dacl_info; + DWORD i = 0; + SECURITY_DESCRIPTOR *AbsoluteSD = NULL; + DWORD dwAbsoluteSDSize = 0; + DWORD dwRelativeSDSize = 0; + DWORD dwDaclSize = 0; + ACL *Sacl = NULL; + DWORD dwSaclSize = 0; + SID *Owner = NULL; + DWORD dwOwnerSize = 0; + SID *PrimaryGroup = NULL; + DWORD dwPrimaryGroupSize = 0; + ACCESS_ALLOWED_ACE *ace = NULL; + + ok = MakeAbsoluteSD(old_sd, + NULL, + &dwAbsoluteSDSize, + NULL, + &dwDaclSize, + NULL, + &dwSaclSize, + NULL, + &dwOwnerSize, + NULL, + &dwPrimaryGroupSize); + if (!ok) { + status = GetLastError(); + } + if (status != ERROR_INSUFFICIENT_BUFFER) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + AbsoluteSD = (SECURITY_DESCRIPTOR *)malloc(dwAbsoluteSDSize+1024); + if (AbsoluteSD == NULL) { + printf("LINE:%u: Error: no memory\n", __LINE__); + return ERROR_NOT_ENOUGH_MEMORY; + } + old_Dacl = (ACL *)malloc(dwDaclSize + 1024); + if (old_Dacl == NULL) { + printf("LINE:%u: Error: no memory\n", __LINE__); + return ERROR_NOT_ENOUGH_MEMORY; + } + Sacl = (ACL *)malloc(dwSaclSize); + if (Sacl == NULL) { + printf("LINE:%u: Error: no memory\n", __LINE__); + return ERROR_NOT_ENOUGH_MEMORY; + } + Owner = (SID *)malloc(dwOwnerSize); + if (Owner == NULL) { + printf("LINE:%u: Error: no memory\n", __LINE__); + return ERROR_NOT_ENOUGH_MEMORY; + } + PrimaryGroup = (SID *)malloc(dwPrimaryGroupSize); + if (PrimaryGroup == NULL) { + printf("LINE:%u: Error: no memory\n", __LINE__); + return ERROR_NOT_ENOUGH_MEMORY; + } + + ok = MakeAbsoluteSD(old_sd, + AbsoluteSD, + &dwAbsoluteSDSize, + old_Dacl, + &dwDaclSize, + Sacl, + &dwSaclSize, + Owner, + &dwOwnerSize, + PrimaryGroup, + &dwPrimaryGroupSize); + if (!ok) { + status = GetLastError(); + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + AbsoluteSD->Control |= SE_DACL_AUTO_INHERITED | SE_DACL_AUTO_INHERIT_REQ | SE_DACL_PROTECTED; + dwRelativeSDSize = 0; + ok = MakeSelfRelativeSD(AbsoluteSD, + NULL, + &dwRelativeSDSize); + if (!ok) { + status = GetLastError(); + } + if (status != ERROR_INSUFFICIENT_BUFFER) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return ERROR_NOT_ENOUGH_MEMORY; + } + + old_parent_sd = (SECURITY_DESCRIPTOR *)malloc(dwRelativeSDSize); + if (old_parent_sd == NULL) { + printf("LINE:%u: Error: no memory\n", __LINE__); + return ERROR_NOT_ENOUGH_MEMORY; + } + + ok = MakeSelfRelativeSD(AbsoluteSD, + old_parent_sd, + &dwRelativeSDSize); + if (!ok) { + status = GetLastError(); + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + ok = GetAclInformation(old_Dacl, + &dacl_info, + sizeof(dacl_info), + AclSizeInformation); + if (!ok) { + status = GetLastError(); + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + new_Dacl = (ACL *)calloc(dacl_info.AclBytesInUse + 1024, 1); + if (new_Dacl == NULL) { + printf("LINE:%u: Error: no memory\n", __LINE__); + return ERROR_NOT_ENOUGH_MEMORY; + } + + InitializeAcl(new_Dacl, dacl_info.AclBytesInUse + 1024, ACL_REVISION); + + ok = AddAccessAllowedAce(new_Dacl, ACL_REVISION, + KEY_ALL_ACCESS, current_user_sid); + if (!ok) { + status = GetLastError(); + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + ok = GetAce(new_Dacl, 0, (LPVOID *)&ace); + if (!ok) { + status = GetLastError(); + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + ace->Header.AceFlags |= CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE; + + for (i=0; i < dacl_info.AceCount; i++) { + ok = GetAce(old_Dacl, i, (LPVOID *)&ace); + if (!ok) { + status = GetLastError(); + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + ok = AddAce(new_Dacl, ACL_REVISION, MAXDWORD, + ace, ace->Header.AceSize); + if (!ok) { + status = GetLastError(); + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + } + + AbsoluteSD->Dacl = new_Dacl; + dwRelativeSDSize = 0; + ok = MakeSelfRelativeSD(AbsoluteSD, + NULL, + &dwRelativeSDSize); + if (!ok) { + status = GetLastError(); + } + if (status != ERROR_INSUFFICIENT_BUFFER) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return ERROR_NOT_ENOUGH_MEMORY; + } + + new_parent_sd = (SECURITY_DESCRIPTOR *)malloc(dwRelativeSDSize); + if (new_parent_sd == NULL) { + printf("LINE:%u: Error: no memory\n", __LINE__); + return ERROR_NOT_ENOUGH_MEMORY; + } + + ok = MakeSelfRelativeSD(AbsoluteSD, + new_parent_sd, + &dwRelativeSDSize); + if (!ok) { + status = GetLastError(); + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + for (i=0; i < dacl_info.AceCount; i++) { + ok = GetAce(old_Dacl, i, (LPVOID *)&ace); + if (!ok) { + status = GetLastError(); + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + ace->Header.AceFlags |= INHERITED_ACE; + } + + AbsoluteSD->Control &= ~SE_DACL_PROTECTED; + AbsoluteSD->Dacl = old_Dacl; + dwRelativeSDSize = 0; + ok = MakeSelfRelativeSD(AbsoluteSD, + NULL, + &dwRelativeSDSize); + if (!ok) { + status = GetLastError(); + } + if (status != ERROR_INSUFFICIENT_BUFFER) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return ERROR_NOT_ENOUGH_MEMORY; + } + + old_child_sd = (SECURITY_DESCRIPTOR *)malloc(dwRelativeSDSize); + if (old_child_sd == NULL) { + printf("LINE:%u: Error: no memory\n", __LINE__); + return ERROR_NOT_ENOUGH_MEMORY; + } + + ok = MakeSelfRelativeSD(AbsoluteSD, + old_child_sd, + &dwRelativeSDSize); + if (!ok) { + status = GetLastError(); + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + for (i=0; i < dacl_info.AceCount + 1; i++) { + ok = GetAce(new_Dacl, i, (LPVOID *)&ace); + if (!ok) { + status = GetLastError(); + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + ace->Header.AceFlags |= INHERITED_ACE; + } + + AbsoluteSD->Dacl = new_Dacl; + dwRelativeSDSize = 0; + ok = MakeSelfRelativeSD(AbsoluteSD, + NULL, + &dwRelativeSDSize); + if (!ok) { + status = GetLastError(); + } + if (status != ERROR_INSUFFICIENT_BUFFER) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return ERROR_NOT_ENOUGH_MEMORY; + } + + new_child_sd = (SECURITY_DESCRIPTOR *)malloc(dwRelativeSDSize); + if (new_child_sd == NULL) { + printf("LINE:%u: Error: no memory\n", __LINE__); + return ERROR_NOT_ENOUGH_MEMORY; + } + + ok = MakeSelfRelativeSD(AbsoluteSD, + new_child_sd, + &dwRelativeSDSize); + if (!ok) { + status = GetLastError(); + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + *_old_parent_sd = old_parent_sd; + *_old_child_sd = old_child_sd; + *_new_parent_sd = new_parent_sd; + *_new_child_sd = new_child_sd; + return ERROR_SUCCESS; +} + +static DWORD inherit_SD(HKEY parent_hk, + char *current_key, + BOOL reset, + SECURITY_DESCRIPTOR *current_sd, + SECURITY_DESCRIPTOR *child_sd) +{ + DWORD status; + DWORD i = 0; + HKEY current_hk; + + if (!reset) { + status = RegOpenKeyEx(parent_hk, + current_key, + 0, /* options */ + WRITE_DAC, /* samDesired */ + ¤t_hk); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + status = RegSetKeySecurity(current_hk, + DACL_SECURITY_INFORMATION | + PROTECTED_DACL_SECURITY_INFORMATION | + UNPROTECTED_DACL_SECURITY_INFORMATION | + UNPROTECTED_SACL_SECURITY_INFORMATION, + current_sd /* pSecurityDescriptor */ + ); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + RegCloseKey(current_hk); + } + + status = RegOpenKeyEx(parent_hk, + current_key, + 0, /* options */ + KEY_ENUMERATE_SUB_KEYS, /* samDesired */ + ¤t_hk); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + for (i=0; ; i++) { + char subkey[10240]; + HKEY hk_child; + + memset(subkey, 0, sizeof(subkey)); + status = RegEnumKey(current_hk, i, subkey, sizeof(subkey)); + if (status == ERROR_NO_MORE_ITEMS) { + break; + } + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + +#if 0 + printf("subkey: %s\n", subkey); +#endif + + status = inherit_SD(current_hk, subkey, reset, + child_sd, child_sd); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + } + + RegCloseKey(current_hk); + + if (reset) { + status = RegOpenKeyEx(parent_hk, + current_key, + 0, /* options */ + WRITE_DAC, /* samDesired */ + ¤t_hk); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + status = RegSetKeySecurity(current_hk, + DACL_SECURITY_INFORMATION | + PROTECTED_DACL_SECURITY_INFORMATION | + UNPROTECTED_DACL_SECURITY_INFORMATION | + UNPROTECTED_SACL_SECURITY_INFORMATION, + current_sd /* pSecurityDescriptor */ + ); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + RegCloseKey(current_hk); + } + + return ERROR_SUCCESS; +} + +static DWORD replaceSIDBuffer(BYTE *buf, DWORD len, + SID *oldDomainSid, + SID *newDomainSid) +{ + DWORD ret = 0; + BYTE *oldb = ((BYTE *)oldDomainSid)+2; + BYTE *newb = ((BYTE *)newDomainSid)+2; + int cmp; + +#if 0 + printf("replaceSIDBuffer: %u\n", len); + dump_data(buf, len); +#endif + + if (len < 24) { + return 0; + } + + if (buf[0] != SID_REVISION) { + return 0; + } + + switch (buf[1]) { + case 4: + ret = 24; + break; + case 5: + if (len < 28) { + return 0; + } + ret = 28; + break; + default: + return 0; + } + +#if 0 + printf("oldb:\n"); + dump_data(oldb, 22); +#endif + cmp = memcmp(&buf[2], oldb, 22); + if (cmp != 0) { + return 0; + } + + memcpy(&buf[2], newb, 22); + + return ret; +} + +static DWORD replaceSID(HKEY parent_hk, + const char *parent_path, + const char *current_key, + SID *oldDomainSid, + SID *newDomainSid) +{ + DWORD status; + DWORD i = 0; + HKEY current_hk; + char current_path[10240]; + + snprintf(current_path, sizeof(current_path), "%s\\%s", + parent_path, current_key); + + status = RegOpenKeyEx(parent_hk, + current_key, + 0, /* options */ + KEY_ALL_ACCESS, /* samDesired */ + ¤t_hk); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + for (i=0; ; i++) { + char subkey[10240]; + HKEY hk_child; + + memset(subkey, 0, sizeof(subkey)); + status = RegEnumKey(current_hk, i, subkey, sizeof(subkey)); + if (status == ERROR_NO_MORE_ITEMS) { + break; + } + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + +#if 0 + printf("subkey: %s\n", subkey); +#endif + + status = replaceSID(current_hk, current_path, subkey, + oldDomainSid, newDomainSid); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + } + + for (i=0; ; i++) { + char valueName[10240]; + DWORD cbValueName; + DWORD valueType = 0; + BYTE *valueData = NULL; + DWORD cbValueData = 0; + DWORD ofs = 0; + BOOL modified = FALSE; + + memset(valueName, 0, sizeof(valueName)); + cbValueName = sizeof(valueName)-1; + status = RegEnumValue(current_hk, i, + valueName, &cbValueName, + NULL, NULL, + NULL, &cbValueData); + if (status == ERROR_NO_MORE_ITEMS) { + break; + } + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + valueData = (BYTE *)malloc(cbValueData); + if (valueData == NULL) { + printf("LINE:%u: Error: no memory\n", __LINE__); + return ERROR_NOT_ENOUGH_MEMORY; + } + + cbValueName = sizeof(valueName)-1; + status = RegEnumValue(current_hk, i, + valueName, &cbValueName, + NULL, &valueType, + valueData, &cbValueData); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + if (valueType != REG_BINARY) { + free(valueData); + continue; + } + + for (ofs=0; ofs < cbValueData;) { + DWORD len; + + len = replaceSIDBuffer(valueData + ofs, + cbValueData - ofs, + oldDomainSid, + newDomainSid); + if (len == 0) { + ofs += 4; + continue; + } + +#if 0 + printf("%s value[%u]:%s modified ofs:%u (0x%X) len:%u\n", + current_path, i, valueName, ofs, ofs, len); +#endif + + ofs += len; + modified = TRUE; + } + + if (!modified) { + free(valueData); + continue; + } + + printf("%s value[%u]:%s replacing data\n", + current_path, i, valueName); + status = RegSetValueEx(current_hk, + valueName, + 0, + valueType, + valueData, + cbValueData); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + free(valueData); + } + + RegCloseKey(current_hk); + + return ERROR_SUCCESS; +} + +int main(int argc, char *argv[]) +{ + LONG status; + HANDLE tokenHandle = NULL; + TOKEN_USER *tokenUser = NULL; + DWORD cbTokenUser = 0; + HKEY hklm; + HKEY hk_security; + HKEY hk_account_domain; + DWORD cbSecurityDescriptor = 0; + SECURITY_DESCRIPTOR *security_old_sd = NULL; + SECURITY_DESCRIPTOR *security_parent_old_sd = NULL; + SECURITY_DESCRIPTOR *security_child_old_sd = NULL; + SECURITY_DESCRIPTOR *security_parent_new_sd = NULL; + SECURITY_DESCRIPTOR *security_child_new_sd = NULL; + SID *currentUserSid = NULL; + char *currentUserSidString = NULL; + BOOL ok; + DWORD cbTmp = 0; + BYTE *AccountDomainF = NULL; + DWORD cbAccountDomainF = 0; + DWORD AccountDomainFType = 0; + DWORD *nextRid = NULL; + DWORD oldNextRid = 0; + DWORD newNextRid = 0; + BYTE *AccountDomainV = NULL; + DWORD cbAccountDomainV = 0; + SID *oldDomainSid = NULL; + char *oldDomainSidString = NULL; + SID *newDomainSid = NULL; + const char *newDomainSidString = NULL; + + if (argc < 2 || argc > 3) { + printf("Usage: %s <DOMAINSID> [<NEXTRID>]\n", argv[0]); + return -1; + } + + newDomainSidString = argv[1]; + + newDomainSid = (SID *)malloc(24); + if (newDomainSid == NULL) { + printf("LINE:%u: Error: no memory\n", __LINE__); + return -1; + } + + status = StringToSid(newDomainSidString, newDomainSid); + if (status != ERROR_SUCCESS) { + printf("Failed to parse DOMAINSID[%s]: Error: %d (0x%X)\n", + newDomainSidString, status, status); + return -1; + } + if (newDomainSid->SubAuthorityCount != 4) { + printf("DOMAINSID[%s]: Invalid SubAuthorityCount[%u] should be 4\n", + newDomainSidString, newDomainSid->SubAuthorityCount); + return -1; + } + + if (argc == 3) { + char *q = NULL; + newNextRid = (DWORD)strtoul(argv[2], &q, 10); + if (newNextRid == 0 || newNextRid == 0xFFFFFFFF || !q || *q!='\0') { + printf("Invalid newNextRid[%s]\n", argv[2]); + return -1; + } + if (newNextRid < 1000) { + printf("newNextRid[%u] < 1000\n", newNextRid); + return -1; + } + } + + ok = OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &tokenHandle); + if (!ok) { + status = GetLastError(); + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + ok = GetTokenInformation(tokenHandle, TokenUser, + NULL, 0, &cbTokenUser); + if (!ok) { + status = GetLastError(); + } + if (status != ERROR_INSUFFICIENT_BUFFER) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + tokenUser = (TOKEN_USER *)malloc(cbTokenUser); + if (tokenUser == NULL) { + printf("LINE:%u: Error: no memory\n", __LINE__); + return -1; + } + + ok = GetTokenInformation(tokenHandle, TokenUser, + tokenUser, cbTokenUser, &cbTokenUser); + if (!ok) { + status = GetLastError(); + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + currentUserSid = tokenUser->User.Sid; + + status = SidToString(currentUserSid, ¤tUserSidString); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return -1; + } + + status = RegConnectRegistry(NULL, HKEY_LOCAL_MACHINE, &hklm); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return -1; + } + + status = RegOpenKeyEx(hklm, "SECURITY", + 0, /* options */ + READ_CONTROL, /* samDesired */ + &hk_security); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return -1; + } + + status = RegGetKeySecurity(hk_security, + OWNER_SECURITY_INFORMATION | + GROUP_SECURITY_INFORMATION | + DACL_SECURITY_INFORMATION | + PROTECTED_DACL_SECURITY_INFORMATION | + UNPROTECTED_DACL_SECURITY_INFORMATION | + UNPROTECTED_SACL_SECURITY_INFORMATION, + NULL, /* pSecurityDescriptor */ + &cbSecurityDescriptor /* lpcbSecurityDescriptor */ + ); + if (status != ERROR_INSUFFICIENT_BUFFER) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return -1; + } + + security_old_sd = (SECURITY_DESCRIPTOR *)malloc(cbSecurityDescriptor); + if (security_old_sd == NULL) { + printf("LINE:%u: Error: no memory\n", __LINE__); + return -1; + } + + status = RegGetKeySecurity(hk_security, + OWNER_SECURITY_INFORMATION | + GROUP_SECURITY_INFORMATION | + DACL_SECURITY_INFORMATION | + PROTECTED_DACL_SECURITY_INFORMATION | + UNPROTECTED_DACL_SECURITY_INFORMATION | + UNPROTECTED_SACL_SECURITY_INFORMATION, + security_old_sd, /* pSecurityDescriptor */ + &cbSecurityDescriptor /* lpcbSecurityDescriptor */ + ); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return -1; + } + + RegCloseKey(hk_security); + + printf("currentUserSid: %s\n", currentUserSidString); + + status = calc_tmp_HKLM_SECURITY_SD(security_old_sd, + currentUserSid, + &security_parent_old_sd, + &security_child_old_sd, + &security_parent_new_sd, + &security_child_new_sd); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return -1; + } + + printf("Grant full access to HKLM\\SECURITY\n"); + status = inherit_SD(hklm, "SECURITY", FALSE, + security_parent_new_sd, security_child_new_sd); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return -1; + } + + status = RegOpenKeyEx(hklm, "SECURITY\\SAM\\Domains\\Account", + 0, /* options */ + KEY_ALL_ACCESS, /* samDesired */ + &hk_account_domain); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return -1; + } + + status = RegQueryValueEx(hk_account_domain, + "F", NULL, NULL, + NULL, + &cbAccountDomainF); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return -1; + } + + AccountDomainF = (BYTE *)malloc(cbAccountDomainF); + if (AccountDomainF == NULL) { + printf("LINE:%u: Error: no memory\n", __LINE__); + return -1; + } + + status = RegQueryValueEx(hk_account_domain, + "F", NULL, NULL, + AccountDomainF, + &cbAccountDomainF); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return -1; + } + + nextRid = (DWORD *)((BYTE *)AccountDomainF + 0x48); + oldNextRid = *nextRid; + if (newNextRid == 0) { + newNextRid = oldNextRid; + } + printf("AccountDomainF: %u bytes\n", cbAccountDomainF); + + status = RegQueryValueEx(hk_account_domain, + "V", NULL, NULL, + NULL, + &cbAccountDomainV); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return -1; + } + + AccountDomainV = (BYTE *)malloc(cbAccountDomainV); + if (AccountDomainV == NULL) { + printf("LINE:%u: Error: no memory\n", __LINE__); + return -1; + } + + status = RegQueryValueEx(hk_account_domain, + "V", NULL, NULL, + AccountDomainV, + &cbAccountDomainV); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return -1; + } + + printf("AccountDomainV: %u bytes\n", cbAccountDomainV); + oldDomainSid = (SID *)((BYTE *)AccountDomainV + (cbAccountDomainV - 24)); + + status = SidToString(oldDomainSid, &oldDomainSidString); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return -1; + } + + printf("Old Domain:%s, NextRid: %u (0x%08X)\n", + oldDomainSidString, oldNextRid, oldNextRid); + printf("New Domain:%s, NextRid: %u (0x%08X)\n", + newDomainSidString, newNextRid, newNextRid); + + status = replaceSID(hklm, "HKLM", "SECURITY\\SAM\\Domains", + oldDomainSid, newDomainSid); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + goto failed; + } + + status = RegQueryValueEx(hk_account_domain, + "F", NULL, &AccountDomainFType, + AccountDomainF, + &cbAccountDomainF); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return -1; + } + nextRid = (DWORD *)((BYTE *)AccountDomainF + 0x48); + *nextRid = newNextRid; + + printf("AccountDomainF replacing data (nextRid)\n"); + status = RegSetValueEx(hk_account_domain, + "F", + 0, + AccountDomainFType, + AccountDomainF, + cbAccountDomainF); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return status; + } + + printf("Withdraw full access to HKLM\\SECURITY\n"); + status = inherit_SD(hklm, "SECURITY", TRUE, + security_parent_old_sd, security_child_old_sd); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return -1; + } + printf("DONE!\n"); + return 0; +failed: + printf("Withdraw full access to HKLM\\SECURITY\n"); + status = inherit_SD(hklm, "SECURITY", TRUE, + security_parent_old_sd, security_child_old_sd); + if (status != ERROR_SUCCESS) { + printf("LINE:%u: Error: %d (0x%X)\n", __LINE__, status, status); + return -1; + } + printf("FAILED!\n"); + return 0; +} |