解读 RtlCreateServiceSid — how the WRP registry-key check (IsKeyProtected → IsWrpKeyDescriptor → InitTrustedSid) builds the TrustedInstaller service SID and compares a key's DACL against it
//----- (0000000180003E40)----------------------------------------------------
// Reports whether a registry key is "protected" in the Windows Resource
// Protection sense: its security descriptor must have the TrustedInstaller-
// only DACL shape that IsWrpKeyDescriptor (below) checks for.
//
//   hKey : base key. As decompiled it is also the handle whose security is
//          queried (see the review note below).
//   a2   : presumably the subkey path -- the decompiler dropped the source
//          argument of RtlCreateUnicodeString, so only "non-zero means a path
//          was supplied" is visible here. TODO confirm against the binary.
//   a3   : caller access flags. Only bits 0x300 (KEY_WOW64_64KEY |
//          KEY_WOW64_32KEY, the WOW64 redirection selectors) are honoured;
//          they are OR'ed with KEY_READ (0x20019).
//   a4   : out parameter, cleared to 0 on entry and set to the result of
//          IsWrpKeyDescriptor only when the descriptor was read successfully.
//          On every error path it stays 0, so "error" and "not protected"
//          look alike to a caller that ignores the return value.
//
// Returns a Win32 error code: 0 on success; 8 (ERROR_NOT_ENOUGH_MEMORY) when
// the path string or the descriptor buffer cannot be allocated; the
// RegOpenKeyExW error if it was anything other than ERROR_FILE_NOT_FOUND; or
// the RegGetKeySecurity error if the sizing call returned something other
// than 122 (ERROR_INSUFFICIENT_BUFFER), or the filled call failed.
//
// NOTE(review): the handle opened into hKeya is never used -- both
// RegGetKeySecurity calls query v6, the caller's base key -- and it is never
// closed with RegCloseKey. That is either a decompilation artifact or a
// handle leak combined with a check against the wrong key. Verify against
// the binary before drawing conclusions from this listing.
__int64 __fastcall IsKeyProtected(HKEY hKey, __int64 a2, __int16 a3, _DWORD *a4)
{
  hKeya = 0i64;
  v4 = a4;
  v5 = a3;
  v6 = hKey;
  v7 = 0i64;                    // security-descriptor buffer, freed at LABEL_18
  UnicodeString = { 0 };
  cbSecurityDescriptor = 0;
  *a4 = 0;                      // default: not protected
  if ( a2 )
  {
    // Source string argument lost in decompilation -- see header comment.
    if ( !(unsigned __int8)RtlCreateUnicodeString(&UnicodeString) )
    {
LABEL_3:
      v8 = 8;                   // ERROR_NOT_ENOUGH_MEMORY
      goto LABEL_18;
    }
    v9 = UnicodeString.Buffer;
    // Length is in bytes; >> 1 converts it to a WCHAR count.
    LODWORD(v10) = (unsigned int)UnicodeString.Length >> 1;
    // Keep only the WOW64 view bits from the caller; always open read-only.
    v11 = v5 & 0x300 | 0x20019;
    do
    {
      v12 = RegOpenKeyExW(v6, v9, 0, v11, &hKeya);
      v8 = v12;
      if ( !v12 )
        break;                  // opened
      if ( v12 != 2 )           // anything but ERROR_FILE_NOT_FOUND is fatal
        goto LABEL_18;
      if ( !(_DWORD)v10 )
        break;                  // path exhausted, nothing left to strip
      v9 = UnicodeString.Buffer;
      // The key does not exist: cut the path at its last backslash (92 ==
      // L'\\') and retry on the parent. The loop therefore walks up to the
      // nearest existing ancestor, and the answer for a missing key is the
      // answer for that ancestor (assuming the binary really queries the
      // opened handle -- see the review note in the header).
      while ( 1 )
      {
        v10 = (unsigned int)(v10 - 1);
        if ( UnicodeString.Buffer[v10] == 92 )
          break;
        if ( !(_DWORD)v10 )
          goto LABEL_13;        // no backslash left: outer loop ends (v10 == 0)
      }
      UnicodeString.Buffer[v10] = 0;
      v9 = UnicodeString.Buffer;
LABEL_13:
      ;
    }
    while ( (_DWORD)v10 );
  }
  // 5 == OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION. The owner is
  // requested but IsWrpKeyDescriptor never looks at it; only the DACL counts.
  // First call sizes the buffer (NULL descriptor), second call fills it.
  v8 = RegGetKeySecurity(v6, 5u, 0i64, &cbSecurityDescriptor);
  if ( v8 == 122 )              // ERROR_INSUFFICIENT_BUFFER: "the data area passed to a system call is too small"
  {
    // 0x40 == LPTR (fixed, zero-initialised). The size argument appears to
    // have been lost in decompilation; presumably cbSecurityDescriptor from
    // the sizing call above -- TODO confirm.
    v7 = LocalAlloc(0x40u, 0i64);
    if ( !v7 )
      goto LABEL_3;
    v8 = RegGetKeySecurity(v6, 5u, v7, &cbSecurityDescriptor);
    if ( !v8 )
      *v4 = IsWrpKeyDescriptor(v7);
  }
LABEL_18:
  if ( v7 )
    LocalFree(v7);
  if ( UnicodeString.Buffer )
    RtlFreeUnicodeString(&UnicodeString);
  return (unsigned int)v8;
}
//----- (0000000180003FC4)----------------------------------------------------
// Decides whether a security descriptor has the "WRP-protected" shape. All
// three conditions must hold for a 1 to be returned:
//   1. some ACCESS_ALLOWED ACE (AceType 0) whose SID is the TrustedInstaller
//      service SID grants exactly GENERIC_ALL (0x10000000) or KEY_ALL_ACCESS
//      (0xF003F == 983103);
//   2. no ACCESS_DENIED ACE (AceType 1) names TrustedInstaller;
//   3. no ACCESS_ALLOWED ACE for any other SID carries a write-class right,
//      where "write-class" is the mask 0x500D0006 == GENERIC_WRITE |
//      GENERIC_ALL | WRITE_OWNER | WRITE_DAC | DELETE | KEY_CREATE_SUB_KEY |
//      KEY_SET_VALUE.
// Returns 0 otherwise, including when the TrustedInstaller SID cannot be
// built, the DACL is absent or NULL (a NULL DACL would mean everyone has full
// control, so treating it as unprotected is the safe answer), the ACL has no
// ACEs, or any ACE cannot be read. Conditions 2 and 3 short-circuit on the
// first offending ACE via LABEL_20; condition 1 is evaluated over the whole
// ACL.
//
// Layout assumptions: byte 0 of an ACE is AceType, the DWORD at +4 is the
// access Mask and the SID starts at +8. That is the ACCESS_ALLOWED_ACE /
// ACCESS_DENIED_ACE layout; it is applied to every ACE type here, so for
// ACE types with a different layout (e.g. object ACEs) the SID comparison
// reads the wrong bytes. Only types 0 and 1 influence the result; every
// other type is skipped.
//
// NOTE(review): AceFlags (byte 1) is never read, so an INHERIT_ONLY allow
// ACE for TrustedInstaller satisfies condition 1 even though it grants
// nothing on this key, and inherited vs. explicit ACEs are not told apart.
// Deny ACEs for SIDs other than TrustedInstaller are ignored entirely.
// Condition 1 is an exact-mask comparison, not an effective-rights check:
// a TrustedInstaller allow ACE with any other mask is neither counted nor
// rejected. Rights not in 0x500D0006 -- e.g. KEY_CREATE_LINK (0x20) or
// ACCESS_SYSTEM_SECURITY -- granted to a third party do not flip the result.
// The owner in the descriptor is never inspected.
__int64 __fastcall IsWrpKeyDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor)
{
  pDacl = 0i64;
  pAclInformation = 0;          // AceCount (first DWORD of ACL_SIZE_INFORMATION)
  v12 = 0i64;                   // unused decompiler leftover
  v1 = 0;                       // result
  v2 = 0;                       // set once condition 1 is seen
  v3 = pSecurityDescriptor;
  v4 = InitTrustedSid();        // LocalAlloc'ed; released at LABEL_20
  if ( v4 )
  {
    // bDaclPresent is not consulted; an absent DACL and a NULL DACL both
    // leave pDacl NULL and fall through to "not protected".
    if ( GetSecurityDescriptorDacl(v3, &bDaclPresent, &pDacl, &bDaclDefaulted) )
    {
      if ( pDacl )
      {
        // 0xC == sizeof(ACL_SIZE_INFORMATION): AceCount, AclBytesInUse, AclBytesFree.
        if ( GetAclInformation(pDacl, &pAclInformation, 0xCu, AclSizeInformation) )
        {
          if ( pAclInformation )
          {
            v5 = 0;
            if ( pAclInformation > 0 )
            {
              do
              {
                if ( GetAce(pDacl, v5, &pAce) )
                {
                  // SID at +8 (ACCESS_ALLOWED_ACE::SidStart). AceSize is not
                  // validated; the ACL is trusted to be well-formed.
                  if ( (unsigned __int8)RtlEqualSid(v4, (char *)pAce + 8) )
                  {
                    // TrustedInstaller ACE: must be type 0 with mask exactly
                    // GENERIC_ALL or KEY_ALL_ACCESS to count; a type-1 (deny)
                    // ACE for TrustedInstaller rejects the descriptor.
                    if ( *(_BYTE *)pAce
                      || *((_DWORD *)pAce + 1) != 0x10000000 && *((_DWORD *)pAce + 1) != 983103 )
                    {
                      if ( *(_BYTE *)pAce == 1 )
                        goto LABEL_20;
                    }
                    else
                    {
                      v2 = 1;
                    }
                  }
                  // Any other principal: an allow ACE with any write-class
                  // bit rejects the descriptor. Deny ACEs are ignored.
                  else if ( !*(_BYTE *)pAce && *((_DWORD *)pAce + 1) & 0x500D0006 )
                  {
                    goto LABEL_20;
                  }
                }
                ++v5;
              }
              while ( v5 < pAclInformation );
              if ( v2 )
                v1 = 1;
            }
          }
        }
      }
    }
LABEL_20:
    LocalFree(v4);
  }
  return (unsigned int)v1;
}
//----- (0000000180006660)----------------------------------------------------
// Builds the service SID for the "TrustedInstaller" service via
// RtlCreateServiceSid, using the usual two-call NT pattern: a sizing call
// with no buffer is expected to fail with STATUS_BUFFER_TOO_SMALL
// (0xC0000023 == -1073741789) and report the required size in uBytes, then
// the call is repeated into a LocalAlloc'ed buffer of that size.
//
// Returns the SID (caller frees with LocalFree) or NULL. On NULL the Win32
// last error is set from the NT status, with allocation failure mapped to
// STATUS_NO_MEMORY (0xC0000017 == -1073741801).
//
// NOTE(review): if the sizing call succeeds outright (status >= 0) the
// function returns NULL without touching the last error, so a caller that
// calls GetLastError() on that path sees a stale value. Unlikely with a NULL
// buffer, but it is a visible gap.
void *InitTrustedSid()
{
  DestinationString = { 0 };
  LODWORD(uBytes) = 0;
  RtlInitUnicodeString(&DestinationString, L"TrustedInstaller");

  // Pass 1: no buffer, only learn the size.
  status = RtlCreateServiceSid(&DestinationString, 0i64, &uBytes);
  if ( status != -1073741789 )
  {
    if ( status < 0 )
      goto fail;                // some other failure: surface it
    return 0i64;                // "succeeded" with no buffer: nothing to hand back
  }

  sid = LocalAlloc(0, (unsigned int)uBytes);
  if ( !sid )
  {
    status = -1073741801;       // STATUS_NO_MEMORY
    goto fail;
  }

  // Pass 2: fill the buffer.
  status = RtlCreateServiceSid(&DestinationString, sid, &uBytes);
  if ( status >= 0 )
    return sid;
  LocalFree(sid);

fail:
  SetLastError(RtlNtStatusToDosError((unsigned int)status));
  return 0i64;
}