解读RtlCreateServiceSid
2017-03-22 21:48
解读RtlCreateServiceSid
//----- (0000000180003E40)----------------------------------------------------
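// IsKeyProtected -- decompiler listing; the local declarations are not shown on the page.
// Fetches the security descriptor of a registry key and stores the verdict of
// IsWrpKeyDescriptor() in *a4. Returns a Win32 error code (0 on success).
//   hKey - handle passed to RegOpenKeyExW and RegGetKeySecurity
//   a2   - only tested for non-zero here; presumably the sub-key path (TODO confirm)
//   a3   - only bits 0x300 are used; they are merged into the requested access mask
//   a4   - out: cleared on entry, later set to the result of IsWrpKeyDescriptor()
// Fused tokens from the page extraction (HKEYhKey, unsigned__int8, unsignedint) are
// restored; statements and constants are unchanged.
// NOTE(review): *a4 == 0 is also what every failure path leaves behind, so a caller
// must check the return code before reading 0 as "not protected".
// NOTE(review): these look like decompiler artefacts, verify against the disassembly:
// RtlCreateUnicodeString is shown without its source string, LocalAlloc is shown with
// size 0 instead of cbSecurityDescriptor, and RegGetKeySecurity is shown on v6 rather
// than on the handle opened into hKeya. hKeya is never closed in the lines shown.
__int64 __fastcall IsKeyProtected(HKEY hKey, __int64 a2, __int16 a3, _DWORD *a4)
{
  hKeya = 0i64;
  v4 = a4;
  v5 = a3;
  v6 = hKey;
  v7 = 0i64;
  UnicodeString = { 0 };
  cbSecurityDescriptor = 0;
  *a4 = 0;                                        // default verdict: not protected
  if ( a2 )
  {
    if ( !(unsigned __int8)RtlCreateUnicodeString(&UnicodeString) )
    {
LABEL_3:
      v8 = 8;                                     // 8 = ERROR_NOT_ENOUGH_MEMORY
      goto LABEL_18;
    }
    v9 = UnicodeString.Buffer;
    LODWORD(v10) = (unsigned int)UnicodeString.Length >> 1;   // byte length -> WCHAR count
    // 0x20019 = KEY_READ; 0x300 = KEY_WOW64_32KEY | KEY_WOW64_64KEY taken from a3.
    v11 = v5 & 0x300 | 0x20019;
    // Open the path; while it does not exist, cut it at the last backslash and retry.
    // The key that finally opens may therefore be an ancestor of the requested one.
    do
    {
      v12 = RegOpenKeyExW(v6, v9, 0, v11, &hKeya);
      v8 = v12;
      if ( !v12 )
        break;                                    // opened
      if ( v12 != 2 )                             // 2 = ERROR_FILE_NOT_FOUND
        goto LABEL_18;                            // any other error is returned as is
      if ( !(_DWORD)v10 )
        break;                                    // nothing left to trim
      v9 = UnicodeString.Buffer;
      while ( 1 )
      {
        v10 = (unsigned int)(v10 - 1);
        if ( UnicodeString.Buffer[v10] == 92 )    // 92 = L'\\'
          break;
        if ( !(_DWORD)v10 )
          goto LABEL_13;                          // no separator found
      }
      UnicodeString.Buffer[v10] = 0;              // drop the last path component
      v9 = UnicodeString.Buffer;
LABEL_13:
      ;
    }
    while ( (_DWORD)v10 );
  }
  // 5u = OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION.
  // First call passes no buffer and is expected to report the required size.
  v8 = RegGetKeySecurity(v6, 5u, 0i64, &cbSecurityDescriptor);
  if ( v8 == 122 )                                // 122 = ERROR_INSUFFICIENT_BUFFER
  {
    v7 = LocalAlloc(0x40u, 0i64);                 // 0x40 = LMEM_ZEROINIT
    if ( !v7 )
      goto LABEL_3;
    v8 = RegGetKeySecurity(v6, 5u, v7, &cbSecurityDescriptor);
    if ( !v8 )
      *v4 = IsWrpKeyDescriptor(v7);               // the only place the verdict is set
  }
LABEL_18:
  // Common exit: release the descriptor buffer and the path copy if they exist.
  if ( v7 )
    LocalFree(v7);
  if ( UnicodeString.Buffer )
    RtlFreeUnicodeString(&UnicodeString);
  return (unsigned int)v8;
}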
//----- (0000000180003FC4)----------------------------------------------------
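// IsWrpKeyDescriptor -- decompiler listing; the local declarations are not shown.
// Walks the DACL of pSecurityDescriptor and returns 1 only when both hold:
//   * an access-allowed ACE for the TrustedInstaller service SID carries a mask of
//     exactly 0x10000000 (GENERIC_ALL) or 983103 (0xF003F, KEY_ALL_ACCESS), and
//   * no access-denied ACE names that SID, and no access-allowed ACE for any other
//     SID contains a bit of 0x500D0006.
// Returns 0 otherwise, including when the SID cannot be built, the DACL is absent
// or empty, or an API call fails.
// ACE layout relied on below: byte 0 = AceType, DWORD at offset 4 = access mask,
// SID starting at offset 8.
// Fused tokens from the page extraction (unsigned__int8, gotoLABEL_20, unsignedint)
// are restored; statements and constants are unchanged.
// NOTE(review): only AceType 0 and 1 are examined and AceFlags are never read, so
// other ACE types are skipped and inherit-only ACEs are treated like effective ones.
// The owner field of the descriptor is not consulted in this function.
__int64 __fastcall IsWrpKeyDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor)
{
  pDacl = 0i64;
  pAclInformation = 0;
  v12 = 0i64;                                     // not used again in the lines shown
  v1 = 0;                                         // result
  v2 = 0;                                         // set once the full-control ACE is seen
  v3 = pSecurityDescriptor;
  v4 = InitTrustedSid();                          // LocalAlloc'ed SID, freed at LABEL_20
  if ( v4 )
  {
    if ( GetSecurityDescriptorDacl(v3, &bDaclPresent, &pDacl, &bDaclDefaulted) )
    {
      if ( pDacl )
      {
        // 0xC = size of the ACL_SIZE_INFORMATION buffer; its first DWORD is AceCount,
        // which is what pAclInformation is used as below.
        if ( GetAclInformation(pDacl, &pAclInformation, 0xCu, AclSizeInformation) )
        {
          if ( pAclInformation )
          {
            v5 = 0;
            if ( pAclInformation > 0 )
            {
              do
              {
                if ( GetAce(pDacl, v5, &pAce) )
                {
                  if ( (unsigned __int8)RtlEqualSid(v4, (char *)pAce + 8) )
                  {
                    // ACE for TrustedInstaller.
                    if ( *(_BYTE *)pAce
                      || *((_DWORD *)pAce + 1) != 0x10000000 && *((_DWORD *)pAce + 1) != 983103 )
                    {
                      if ( *(_BYTE *)pAce == 1 )  // 1 = ACCESS_DENIED_ACE_TYPE
                        goto LABEL_20;            // a deny for the SID ends with result 0
                    }
                    else
                    {
                      v2 = 1;                     // allow ACE with full control
                    }
                  }
                  // ACE for any other SID: type 0 = ACCESS_ALLOWED_ACE_TYPE.
                  // 0x500D0006 = GENERIC_WRITE | GENERIC_ALL | WRITE_OWNER | WRITE_DAC |
                  //              DELETE | KEY_CREATE_SUB_KEY | KEY_SET_VALUE
                  else if ( !*(_BYTE *)pAce && *((_DWORD *)pAce + 1) & 0x500D0006 )
                  {
                    goto LABEL_20;                // someone else may modify: result 0
                  }
                }
                ++v5;
              }
              while ( v5 < pAclInformation );
              if ( v2 )
                v1 = 1;
            }
          }
        }
      }
    }
LABEL_20:
    LocalFree(v4);
  }
  return (unsigned int)v1;
}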
//----- (0000000180006660)----------------------------------------------------
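// InitTrustedSid -- decompiler listing; the local declarations are not shown.
// Builds the service SID for the service name "TrustedInstaller" with
// RtlCreateServiceSid and returns it in a LocalAlloc'ed buffer that the caller
// releases with LocalFree. Returns 0 on failure; on the LABEL_7 path the NTSTATUS is
// converted with RtlNtStatusToDosError and stored with SetLastError.
// The SID is computed from the name, so no lookup of the account is involved here.
// Whitespace lost in the page extraction is restored; statements are unchanged.
// NOTE(review): if the first call returns a non-negative status other than
// -1073741789, the function returns 0 without setting the last error.
void *InitTrustedSid()
{
  DestinationString = { 0 };
  LODWORD(uBytes) = 0;
  RtlInitUnicodeString(&DestinationString, L"TrustedInstaller");
  // Size query: no buffer is passed, the required length comes back in uBytes.
  v0 = RtlCreateServiceSid(&DestinationString, 0i64, &uBytes);
  if ( v0 == -1073741789 )                        // 0xC0000023 STATUS_BUFFER_TOO_SMALL
  {
    v1 = LocalAlloc(0, (unsigned int)uBytes);     // 0 = LMEM_FIXED
    v2 = v1;
    v0 = -1073741801;                             // 0xC0000017 STATUS_NO_MEMORY, used if v1 is 0
    if ( !v1 )
    {
LABEL_7:
      v4 = RtlNtStatusToDosError((unsigned int)v0);
      SetLastError(v4);
      return 0i64;
    }
    v0 = RtlCreateServiceSid(&DestinationString, v1, &uBytes);
    if ( v0 >= 0 )
      return v2;                                  // ownership passes to the caller
    LocalFree(v2);
  }
  if ( v0 < 0 )
    goto LABEL_7;
  return 0i64;
}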
//----- (0000000180003E40)----------------------------------------------------
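// IsKeyProtected -- decompiler listing; the local declarations are not shown on the page.
// Fetches the security descriptor of a registry key and stores the verdict of
// IsWrpKeyDescriptor() in *a4. Returns a Win32 error code (0 on success).
//   hKey - handle passed to RegOpenKeyExW and RegGetKeySecurity
//   a2   - only tested for non-zero here; presumably the sub-key path (TODO confirm)
//   a3   - only bits 0x300 are used; they are merged into the requested access mask
//   a4   - out: cleared on entry, later set to the result of IsWrpKeyDescriptor()
// Fused tokens from the page extraction (HKEYhKey, unsigned__int8, unsignedint) are
// restored; statements and constants are unchanged.
// NOTE(review): *a4 == 0 is also what every failure path leaves behind, so a caller
// must check the return code before reading 0 as "not protected".
// NOTE(review): these look like decompiler artefacts, verify against the disassembly:
// RtlCreateUnicodeString is shown without its source string, LocalAlloc is shown with
// size 0 instead of cbSecurityDescriptor, and RegGetKeySecurity is shown on v6 rather
// than on the handle opened into hKeya. hKeya is never closed in the lines shown.
__int64 __fastcall IsKeyProtected(HKEY hKey, __int64 a2, __int16 a3, _DWORD *a4)
{
  hKeya = 0i64;
  v4 = a4;
  v5 = a3;
  v6 = hKey;
  v7 = 0i64;
  UnicodeString = { 0 };
  cbSecurityDescriptor = 0;
  *a4 = 0;                                        // default verdict: not protected
  if ( a2 )
  {
    if ( !(unsigned __int8)RtlCreateUnicodeString(&UnicodeString) )
    {
LABEL_3:
      v8 = 8;                                     // 8 = ERROR_NOT_ENOUGH_MEMORY
      goto LABEL_18;
    }
    v9 = UnicodeString.Buffer;
    LODWORD(v10) = (unsigned int)UnicodeString.Length >> 1;   // byte length -> WCHAR count
    // 0x20019 = KEY_READ; 0x300 = KEY_WOW64_32KEY | KEY_WOW64_64KEY taken from a3.
    v11 = v5 & 0x300 | 0x20019;
    // Open the path; while it does not exist, cut it at the last backslash and retry.
    // The key that finally opens may therefore be an ancestor of the requested one.
    do
    {
      v12 = RegOpenKeyExW(v6, v9, 0, v11, &hKeya);
      v8 = v12;
      if ( !v12 )
        break;                                    // opened
      if ( v12 != 2 )                             // 2 = ERROR_FILE_NOT_FOUND
        goto LABEL_18;                            // any other error is returned as is
      if ( !(_DWORD)v10 )
        break;                                    // nothing left to trim
      v9 = UnicodeString.Buffer;
      while ( 1 )
      {
        v10 = (unsigned int)(v10 - 1);
        if ( UnicodeString.Buffer[v10] == 92 )    // 92 = L'\\'
          break;
        if ( !(_DWORD)v10 )
          goto LABEL_13;                          // no separator found
      }
      UnicodeString.Buffer[v10] = 0;              // drop the last path component
      v9 = UnicodeString.Buffer;
LABEL_13:
      ;
    }
    while ( (_DWORD)v10 );
  }
  // 5u = OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION.
  // First call passes no buffer and is expected to report the required size.
  v8 = RegGetKeySecurity(v6, 5u, 0i64, &cbSecurityDescriptor);
  if ( v8 == 122 )                                // 122 = ERROR_INSUFFICIENT_BUFFER
  {
    v7 = LocalAlloc(0x40u, 0i64);                 // 0x40 = LMEM_ZEROINIT
    if ( !v7 )
      goto LABEL_3;
    v8 = RegGetKeySecurity(v6, 5u, v7, &cbSecurityDescriptor);
    if ( !v8 )
      *v4 = IsWrpKeyDescriptor(v7);               // the only place the verdict is set
  }
LABEL_18:
  // Common exit: release the descriptor buffer and the path copy if they exist.
  if ( v7 )
    LocalFree(v7);
  if ( UnicodeString.Buffer )
    RtlFreeUnicodeString(&UnicodeString);
  return (unsigned int)v8;
}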
//----- (0000000180003FC4)----------------------------------------------------
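// IsWrpKeyDescriptor -- decompiler listing; the local declarations are not shown.
// Walks the DACL of pSecurityDescriptor and returns 1 only when both hold:
//   * an access-allowed ACE for the TrustedInstaller service SID carries a mask of
//     exactly 0x10000000 (GENERIC_ALL) or 983103 (0xF003F, KEY_ALL_ACCESS), and
//   * no access-denied ACE names that SID, and no access-allowed ACE for any other
//     SID contains a bit of 0x500D0006.
// Returns 0 otherwise, including when the SID cannot be built, the DACL is absent
// or empty, or an API call fails.
// ACE layout relied on below: byte 0 = AceType, DWORD at offset 4 = access mask,
// SID starting at offset 8.
// Fused tokens from the page extraction (unsigned__int8, gotoLABEL_20, unsignedint)
// are restored; statements and constants are unchanged.
// NOTE(review): only AceType 0 and 1 are examined and AceFlags are never read, so
// other ACE types are skipped and inherit-only ACEs are treated like effective ones.
// The owner field of the descriptor is not consulted in this function.
__int64 __fastcall IsWrpKeyDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor)
{
  pDacl = 0i64;
  pAclInformation = 0;
  v12 = 0i64;                                     // not used again in the lines shown
  v1 = 0;                                         // result
  v2 = 0;                                         // set once the full-control ACE is seen
  v3 = pSecurityDescriptor;
  v4 = InitTrustedSid();                          // LocalAlloc'ed SID, freed at LABEL_20
  if ( v4 )
  {
    if ( GetSecurityDescriptorDacl(v3, &bDaclPresent, &pDacl, &bDaclDefaulted) )
    {
      if ( pDacl )
      {
        // 0xC = size of the ACL_SIZE_INFORMATION buffer; its first DWORD is AceCount,
        // which is what pAclInformation is used as below.
        if ( GetAclInformation(pDacl, &pAclInformation, 0xCu, AclSizeInformation) )
        {
          if ( pAclInformation )
          {
            v5 = 0;
            if ( pAclInformation > 0 )
            {
              do
              {
                if ( GetAce(pDacl, v5, &pAce) )
                {
                  if ( (unsigned __int8)RtlEqualSid(v4, (char *)pAce + 8) )
                  {
                    // ACE for TrustedInstaller.
                    if ( *(_BYTE *)pAce
                      || *((_DWORD *)pAce + 1) != 0x10000000 && *((_DWORD *)pAce + 1) != 983103 )
                    {
                      if ( *(_BYTE *)pAce == 1 )  // 1 = ACCESS_DENIED_ACE_TYPE
                        goto LABEL_20;            // a deny for the SID ends with result 0
                    }
                    else
                    {
                      v2 = 1;                     // allow ACE with full control
                    }
                  }
                  // ACE for any other SID: type 0 = ACCESS_ALLOWED_ACE_TYPE.
                  // 0x500D0006 = GENERIC_WRITE | GENERIC_ALL | WRITE_OWNER | WRITE_DAC |
                  //              DELETE | KEY_CREATE_SUB_KEY | KEY_SET_VALUE
                  else if ( !*(_BYTE *)pAce && *((_DWORD *)pAce + 1) & 0x500D0006 )
                  {
                    goto LABEL_20;                // someone else may modify: result 0
                  }
                }
                ++v5;
              }
              while ( v5 < pAclInformation );
              if ( v2 )
                v1 = 1;
            }
          }
        }
      }
    }
LABEL_20:
    LocalFree(v4);
  }
  return (unsigned int)v1;
}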
//----- (0000000180006660)----------------------------------------------------
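// InitTrustedSid -- decompiler listing; the local declarations are not shown.
// Builds the service SID for the service name "TrustedInstaller" with
// RtlCreateServiceSid and returns it in a LocalAlloc'ed buffer that the caller
// releases with LocalFree. Returns 0 on failure; on the LABEL_7 path the NTSTATUS is
// converted with RtlNtStatusToDosError and stored with SetLastError.
// The SID is computed from the name, so no lookup of the account is involved here.
// Whitespace lost in the page extraction is restored; statements are unchanged.
// NOTE(review): if the first call returns a non-negative status other than
// -1073741789, the function returns 0 without setting the last error.
void *InitTrustedSid()
{
  DestinationString = { 0 };
  LODWORD(uBytes) = 0;
  RtlInitUnicodeString(&DestinationString, L"TrustedInstaller");
  // Size query: no buffer is passed, the required length comes back in uBytes.
  v0 = RtlCreateServiceSid(&DestinationString, 0i64, &uBytes);
  if ( v0 == -1073741789 )                        // 0xC0000023 STATUS_BUFFER_TOO_SMALL
  {
    v1 = LocalAlloc(0, (unsigned int)uBytes);     // 0 = LMEM_FIXED
    v2 = v1;
    v0 = -1073741801;                             // 0xC0000017 STATUS_NO_MEMORY, used if v1 is 0
    if ( !v1 )
    {
LABEL_7:
      v4 = RtlNtStatusToDosError((unsigned int)v0);
      SetLastError(v4);
      return 0i64;
    }
    v0 = RtlCreateServiceSid(&DestinationString, v1, &uBytes);
    if ( v0 >= 0 )
      return v2;                                  // ownership passes to the caller
    LocalFree(v2);
  }
  if ( v0 < 0 )
    goto LABEL_7;
  return 0i64;
}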