├── readme.txt ├── Secure2Csv.exe ├── Secure2Csv64.exe ├── .gitattributes ├── .gitignore ├── import-sql └── import-csv-secure.sql ├── Secure-schema.sql ├── readme-secure2csv-mysql.txt ├── changelog.txt ├── LICENSE.md ├── SecureConstants.au3 └── Secure2Csv.au3 /readme.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jschicht/Secure2Csv/HEAD/readme.txt -------------------------------------------------------------------------------- /Secure2Csv.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jschicht/Secure2Csv/HEAD/Secure2Csv.exe -------------------------------------------------------------------------------- /Secure2Csv64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jschicht/Secure2Csv/HEAD/Secure2Csv64.exe -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | 4 | # Custom for Visual Studio 5 | *.cs diff=csharp 6 | 7 | # Standard to msysgit 8 | *.doc diff=astextplain 9 | *.DOC diff=astextplain 10 | *.docx diff=astextplain 11 | *.DOCX diff=astextplain 12 | *.dot diff=astextplain 13 | *.DOT diff=astextplain 14 | *.pdf diff=astextplain 15 | *.PDF diff=astextplain 16 | *.rtf diff=astextplain 17 | *.RTF diff=astextplain 18 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Windows image file caches 2 | Thumbs.db 3 | ehthumbs.db 4 | 5 | # Folder config file 6 | Desktop.ini 7 | 8 | # Recycle Bin used on file shares 9 | $RECYCLE.BIN/ 10 | 11 | # Windows Installer files 12 | *.cab 13 | *.msi 14 | *.msm 15 | *.msp 16 | 17 | # Windows 
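shortcuts
*.lnk

# =========================
# Operating System Files
# =========================

# OSX
# =========================

.DS_Store
.AppleDouble
.LSOverride

# Thumbnails
._*

# Files that might appear on external disk
.Spotlight-V100
.Trashes

# Directories potentially created on remote AFP share
.AppleDB
.AppleDesktop
Network Trash Folder
Temporary Items
.apdisk

--------------------------------------------------------------------------------
/import-sql/import-csv-secure.sql:
--------------------------------------------------------------------------------
-- Bulk-load the Secure2Csv output into the `secure` table created by Secure-schema.sql.
--
-- __PathToCsv__ is a placeholder: replace it with the absolute path of the csv before running,
-- or use the sql that Secure2Csv generates, which has the path filled in. The path becomes part
-- of the SQL text, so it must not contain a quote character, and on Windows use forward slashes
-- or doubled backslashes because '\' is the escape character inside a MySQL string literal.
-- The literal is single-quoted so the statement also works with sql_mode ANSI_QUOTES, where
-- "..." denotes an identifier rather than a string.
--
-- Security notes:
--   * LOAD DATA INFILE (without LOCAL) reads the file on the MySQL *server* host, not on the
--     client. It requires the FILE privilege, a global privilege that lets the account read any
--     file the mysqld process can read, and the path is constrained by the server's
--     secure_file_priv setting. Import into a dedicated analysis instance with an account
--     created for that purpose; do not run this as root on a shared or production server.
--   * The csv is carved from $Secure ($SDS, optionally $SII/$SDH) of an evidence volume and is
--     untrusted input. Every field lands in a VARCHAR/TEXT column and nothing is interpreted
--     by the database, but keep that in mind when pasting SID/trustee strings into other tools.
--
-- Format assumptions (must match the Secure2Csv settings that produced the file):
--   * '|' as field separator (change COLUMNS TERMINATED BY if the default was changed);
--   * fields optionally enclosed in '"', a literal '"' inside a field written as '""';
--   * LF line ends. If the csv was written with CRLF, use LINES TERMINATED BY '\r\n', otherwise
--     the last column (DAceSIDofTrustee) keeps a trailing carriage return;
--   * the first line is the column header (IGNORE 1 LINES);
--   * the file is read as latin1 and converted to the table's character set on the way in
--     (the readme creates the database as utf8). Confirm against the tool's output encoding
--     if trustee names show up garbled.
LOAD DATA INFILE '__PathToCsv__'
    INTO TABLE secure
    CHARACTER SET 'latin1'
    COLUMNS TERMINATED BY '|'
    OPTIONALLY ENCLOSED BY '"'
    ESCAPED BY '"'
    LINES TERMINATED BY '\n'
    IGNORE 1 LINES
    (
        `Offset`,
        `SecurityDescriptorHash`,
        @SecurityId,
        `Control`,
        `SidOwner`,
        `SidGroup`,
        @SAclRevision,
        @SAceCount,
        `SAceType`,
        `SAceFlags`,
        `SAceMask`,
        `SAceObjectFlags`,
        `SAceObjectType`,
        `SAceInheritedObjectType`,
        `SAceSIDofTrustee`,
        @DAclRevision,
        @DAceCount,
        `DAceType`,
        `DAceFlags`,
        `DAceMask`,
        `DAceObjectFlags`,
        `DAceObjectType`,
        `DAceInheritedObjectType`,
        `DAceSIDofTrustee`
    )
    -- The INTEGER columns go through user variables so that an empty csv field becomes NULL.
    -- Loaded directly, '' into an INTEGER column is an error in strict SQL mode and a silent 0
    -- (indistinguishable from a real zero count/revision) otherwise.
    SET
        `SecurityId`   = NULLIF(@SecurityId, ''),
        `SAclRevision` = NULLIF(@SAclRevision, ''),
        `SAceCount`    = NULLIF(@SAceCount, ''),
        `DAclRevision` = NULLIF(@DAclRevision, ''),
        `DAceCount`    = NULLIF(@DAceCount, '');
--------------------------------------------------------------------------------
/Secure-schema.sql:
--------------------------------------------------------------------------------
-- One row per security descriptor parsed from $Secure by Secure2Csv.
-- Column names and order are what import-csv-secure.sql expects; keep the two files in sync.
--
-- The S*/D* groups hold the SACL and the DACL respectively. An ACL can contain many ACEs and
-- the tool appears to flatten them into one string per column (the *AceCount columns are
-- numbers, the per-ACE columns are MEDIUMTEXT), so querying individual ACEs needs string
-- functions. Normalising ACEs into a child table would also require a change in the csv writer.
--
-- No character set is given: the table inherits the database default (the readme creates the
-- database as utf8 / utf8_general_ci).
CREATE TABLE IF NOT EXISTS secure (
    `Id`                       INT NOT NULL AUTO_INCREMENT,
    -- Position of the descriptor as written by the tool; VARCHAR(18) fits a 0x-prefixed
    -- 64-bit hex value.
    `Offset`                   VARCHAR(18),
    -- Presumably the 32-bit hash from the $SDS entry header as hex ("0x" + 8 digits = 10).
    `SecurityDescriptorHash`   VARCHAR(10),
    -- NTFS security id; the likely join key towards $MFT-derived tables (Mft2Csv output),
    -- hence the index below. NULL when the csv field was empty (see the SET clause in the
    -- import sql).
    `SecurityId`               INTEGER,
    -- Decoded SECURITY_DESCRIPTOR_CONTROL flags (see SecureConstants.au3).
    `Control`                  MEDIUMTEXT,
    `SidOwner`                 VARCHAR(128),
    `SidGroup`                 VARCHAR(128),
    -- SACL header and flattened SACL ACEs.
    `SAclRevision`             INTEGER,
    `SAceCount`                INTEGER,
    `SAceType`                 MEDIUMTEXT,
    `SAceFlags`                MEDIUMTEXT,
    `SAceMask`                 MEDIUMTEXT,
    `SAceObjectFlags`          MEDIUMTEXT,
    `SAceObjectType`           MEDIUMTEXT,
    `SAceInheritedObjectType`  MEDIUMTEXT,
    `SAceSIDofTrustee`         MEDIUMTEXT,
    -- DACL header and flattened DACL ACEs.
    `DAclRevision`             INTEGER,
    `DAceCount`                INTEGER,
    `DAceType`                 MEDIUMTEXT,
    `DAceFlags`                MEDIUMTEXT,
    `DAceMask`                 MEDIUMTEXT,
    `DAceObjectFlags`          MEDIUMTEXT,
    `DAceObjectType`           MEDIUMTEXT,
    `DAceInheritedObjectType`  MEDIUMTEXT,
    `DAceSIDofTrustee`         MEDIUMTEXT,
    PRIMARY KEY (`Id`),
    -- Matching files to their descriptor, and spotting duplicate or colliding descriptors,
    -- are the usual analyst lookups; index the two keys they filter on.
    KEY `secure_security_id_idx` (`SecurityId`),
    KEY `secure_security_descriptor_hash_idx` (`SecurityDescriptorHash`)
);
--------------------------------------------------------------------------------
/readme-secure2csv-mysql.txt:
--------------------------------------------------------------------------------
As of version 1.0.0.6, the output csv of Secure2Csv supports import into a MySQL database. Attached is the database schema, Secure-schema.sql, which should be used to create the table on MySQL 5.6.4 or higher. That version is when fractional-second precision in timestamps was added. Earlier versions can be used, but then all DATETIME(6) occurrences must be replaced with VARCHAR(28) (this schema has none; the note applies when the same database also holds output from the sibling tools). Timestamps are not applicable to Secure2Csv, but they matter when it is used in conjunction with other tools like Mft2Csv, LogFileParser and UsnJrnl2Csv. In those cases it is important to use timestamp format 6. Precision of MilliSec or NanoSec is optional, but recommended. If NanoSec precision is used, then precision separator 2 must be empty (default value). It is also important to keep the timestamp error value set to something valid for MySQL, which the default value is. A nice SQL client to use is HeidiSQL. To import the csv into the database, use import-csv-secure.sql. Remember to change the path to the csv at the top of the file, and also the separator if the default was changed. Alternatively just use the autogenerated sql, which will have the correct settings anyway. Note that LOAD DATA INFILE reads the csv from the MySQL server host, requires the FILE privilege and is limited to the directory set in the server's secure_file_priv option; import on a dedicated analysis instance rather than a production server.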

For manual database creation use the following statement:

CREATE DATABASE IF NOT EXISTS Ntfs
CHARACTER SET 'utf8'
COLLATE 'utf8_general_ci';

(On MySQL 8.0 the name utf8 is an alias for the 3-byte utf8mb3; use utf8mb4 instead if 4-byte characters are expected. The table schema names no character set and inherits the database default.)


--------------------------------------------------------------------------------
/changelog.txt:
--------------------------------------------------------------------------------

v1.0.0.10
Several fixes in the handling of $SII.
Added feature to extract 3 different slack types from $SDS when including $SII in input.
Deactivated $SDH usage on input.

v1.0.0.9
Fixed a bug that caused undocumented IdentifierAuthority values to not display the correct decimal value in the SID.
Removed unused variables.

v1.0.0.8
Moved the import sql files into the new import-sql sub directory so that compilation works with the project as is.

v1.0.0.7
Fixed a bug that caused commandline mode to crash when using either $SDH or $SII as input.
Fixed a bug that caused the $SII and $SDH parsers to sometimes throw a warning about invalid INDX signature.
Added an output logfile for writing verbose information.
Removed the output files Secure__FixedSII.bin and Secure__FixedSDH.bin that seemed useless.

v1.0.0.6
Added support for command line mode.
Added option to specify output directory.
Implemented support for importing output into a MySQL database. An sql file with the schema and an autogenerated sql file for importing the csv are added.

v1.0.0.5
Fixed incorrect decode of GUIDs.

v1.0.0.4
Added support for parsing $SII and $SDH indexes from $INDEX_ROOT attribute.

v1.0.0.3
Renamed program from SecureParser to Secure2Csv.

v1.0.0.2
First official version.
-------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | License 2 | 3 | THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED. 4 | 5 | BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS. 6 | 7 | 1. Definitions 8 | a."Adaptation" means a work based upon the Work, or upon the Work and other pre-existing works, such as a translation, adaptation, derivative work, arrangement of music or other alterations of a literary or artistic work, or phonogram or performance and includes cinematographic adaptations or any other form in which the Work may be recast, transformed, or adapted including in any form recognizably derived from the original, except that a work that constitutes a Collection will not be considered an Adaptation for the purpose of this License. For the avoidance of doubt, where the Work is a musical work, performance or phonogram, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered an Adaptation for the purpose of this License. 
9 | b."Collection" means a collection of literary or artistic works, such as encyclopedias and anthologies, or performances, phonograms or broadcasts, or other works or subject matter other than works listed in Section 1(f) below, which, by reason of the selection and arrangement of their contents, constitute intellectual creations, in which the Work is included in its entirety in unmodified form along with one or more other contributions, each constituting separate and independent works in themselves, which together are assembled into a collective whole. A work that constitutes a Collection will not be considered an Adaptation (as defined above) for the purposes of this License. 10 | c."Distribute" means to make available to the public the original and copies of the Work or Adaptation, as appropriate, through sale or other transfer of ownership. 11 | d."Licensor" means the individual, individuals, entity or entities that offer(s) the Work under the terms of this License. 12 | e."Original Author" means, in the case of a literary or artistic work, the individual, individuals, entity or entities who created the Work or if no individual or entity can be identified, the publisher; and in addition (i) in the case of a performance the actors, singers, musicians, dancers, and other persons who act, sing, deliver, declaim, play in, interpret or otherwise perform literary or artistic works or expressions of folklore; (ii) in the case of a phonogram the producer being the person or legal entity who first fixes the sounds of a performance or other sounds; and, (iii) in the case of broadcasts, the organization that transmits the broadcast. 
13 | f."Work" means the literary and/or artistic work offered under the terms of this License including without limitation any production in the literary, scientific and artistic domain, whatever may be the mode or form of its expression including digital form, such as a book, pamphlet and other writing; a lecture, address, sermon or other work of the same nature; a dramatic or dramatico-musical work; a choreographic work or entertainment in dumb show; a musical composition with or without words; a cinematographic work to which are assimilated works expressed by a process analogous to cinematography; a work of drawing, painting, architecture, sculpture, engraving or lithography; a photographic work to which are assimilated works expressed by a process analogous to photography; a work of applied art; an illustration, map, plan, sketch or three-dimensional work relative to geography, topography, architecture or science; a performance; a broadcast; a phonogram; a compilation of data to the extent it is protected as a copyrightable work; or a work performed by a variety or circus performer to the extent it is not otherwise considered a literary or artistic work. 14 | g."You" means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation. 
15 | h."Publicly Perform" means to perform public recitations of the Work and to communicate to the public those public recitations, by any means or process, including by wire or wireless means or public digital performances; to make available to the public Works in such a way that members of the public may access these Works from a place and at a place individually chosen by them; to perform the Work to the public by any means or process and the communication to the public of the performances of the Work, including by public digital performance; to broadcast and rebroadcast the Work by any means including signs, sounds or images. 16 | i."Reproduce" means to make copies of the Work by any means including without limitation by sound or visual recordings and the right of fixation and reproducing fixations of the Work, including storage of a protected performance or phonogram in digital form or other electronic medium. 17 | 18 | 2. Fair Dealing Rights. Nothing in this License is intended to reduce, limit, or restrict any uses free from copyright or rights arising from limitations or exceptions that are provided for in connection with the copyright protection under copyright law or other applicable laws. 19 | 20 | 3. License Grant. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below: 21 | a.to Reproduce the Work, to incorporate the Work into one or more Collections, and to Reproduce the Work as incorporated in the Collections; 22 | b.to create and Reproduce Adaptations provided that any such Adaptation, including any translation in any medium, takes reasonable steps to clearly label, demarcate or otherwise identify that changes were made to the original Work. 
For example, a translation could be marked "The original work was translated from English to Spanish," or a modification could indicate "The original work has been modified."; 23 | c.to Distribute and Publicly Perform the Work including as incorporated in Collections; and, 24 | d.to Distribute and Publicly Perform Adaptations. 25 | 26 | e.For the avoidance of doubt: 27 | i.Non-waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme cannot be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License; 28 | ii.Waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme can be waived, the Licensor waives the exclusive right to collect such royalties for any exercise by You of the rights granted under this License; and, 29 | iii.Voluntary License Schemes. The Licensor waives the right to collect royalties, whether individually or, in the event that the Licensor is a member of a collecting society that administers voluntary licensing schemes, via that society, from any exercise by You of the rights granted under this License. 30 | 31 | 32 | The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats. Subject to Section 8(f), all rights not expressly granted by Licensor are hereby reserved. 33 | 34 | 4. Restrictions. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions: 35 | a.You may Distribute or Publicly Perform the Work only under the terms of this License. 
You must include a copy of, or the Uniform Resource Identifier (URI) for, this License with every copy of the Work You Distribute or Publicly Perform. You may not offer or impose any terms on the Work that restrict the terms of this License or the ability of the recipient of the Work to exercise the rights granted to that recipient under the terms of the License. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties with every copy of the Work You Distribute or Publicly Perform. When You Distribute or Publicly Perform the Work, You may not impose any effective technological measures on the Work that restrict the ability of a recipient of the Work from You to exercise the rights granted to that recipient under the terms of the License. This Section 4(a) applies to the Work as incorporated in a Collection, but this does not require the Collection apart from the Work itself to be made subject to the terms of this License. If You create a Collection, upon notice from any Licensor You must, to the extent practicable, remove from the Collection any credit as required by Section 4(b), as requested. If You create an Adaptation, upon notice from any Licensor You must, to the extent practicable, remove from the Adaptation any credit as required by Section 4(b), as requested. 
36 | b.If You Distribute, or Publicly Perform the Work or any Adaptations or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (e.g., a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work; and (iv) , consistent with Section 3(b), in the case of an Adaptation, a credit identifying the use of the Work in the Adaptation (e.g., "French translation of the Work by Original Author," or "Screenplay based on original Work by Original Author"). The credit required by this Section 4 (b) may be implemented in any reasonable manner; provided, however, that in the case of a Adaptation or Collection, at a minimum such credit will appear, if a credit for all contributing authors of the Adaptation or Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors. 
For the avoidance of doubt, You may only use the credit required by this Section for the purpose of attribution in the manner set out above and, by exercising Your rights under this License, You may not implicitly or explicitly assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express prior written permission of the Original Author, Licensor and/or Attribution Parties. 37 | c.Except as otherwise agreed in writing by the Licensor or as may be otherwise permitted by applicable law, if You Reproduce, Distribute or Publicly Perform the Work either by itself or as part of any Adaptations or Collections, You must not distort, mutilate, modify or take other derogatory action in relation to the Work which would be prejudicial to the Original Author's honor or reputation. Licensor agrees that in those jurisdictions (e.g. Japan), in which any exercise of the right granted in Section 3(b) of this License (the right to make Adaptations) would be deemed to be a distortion, mutilation, modification or other derogatory action prejudicial to the Original Author's honor and reputation, the Licensor will waive or not assert, as appropriate, this Section, to the fullest extent permitted by the applicable national law, to enable You to reasonably exercise Your right under Section 3(b) of this License (right to make Adaptations) but not otherwise. 38 | 39 | 5. 
Representations, Warranties and Disclaimer 40 | 41 | UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU. 42 | 43 | 6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 44 | 45 | 7. Termination 46 | a.This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Adaptations or Collections from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License. 47 | b.Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above. 
48 | 49 | 8. Miscellaneous 50 | a.Each time You Distribute or Publicly Perform the Work or a Collection, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License. 51 | b.Each time You Distribute or Publicly Perform an Adaptation, Licensor offers to the recipient a license to the original Work on the same terms and conditions as the license granted to You under this License. 52 | c.If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable. 53 | d.No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent. 54 | e.This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Licensor and You. 55 | f.The rights granted under, and the subject matter referenced, in this License were drafted utilizing the terminology of the Berne Convention for the Protection of Literary and Artistic Works (as amended on September 28, 1979), the Rome Convention of 1961, the WIPO Copyright Treaty of 1996, the WIPO Performances and Phonograms Treaty of 1996 and the Universal Copyright Convention (as revised on July 24, 1971). 
These rights and subject matter take effect in the relevant jurisdiction in which the License terms are sought to be enforced according to the corresponding provisions of the implementation of those treaty provisions in the applicable national law. If the standard suite of rights granted under applicable copyright law includes additional rights not granted under this License, such additional rights are deemed to be included in the License; this License is not intended to restrict the license of any rights under applicable law. 56 | -------------------------------------------------------------------------------- /SecureConstants.au3: -------------------------------------------------------------------------------- 1 | 2 | ;ACE header 3 | Global $tagACCESS_ALLOWED_ACE = "dword Mask;dword SidStart" 4 | Global $tagACCESS_ALLOWED_CALLBACK_ACE = "dword Mask;dword SidStart" 5 | Global $tagACCESS_ALLOWED_CALLBACK_OBJECT_ACE = "dword Mask;dword Flags;GUID ObjectType;GUID InheritedObjectType;dword SidStart" 6 | Global $tagACCESS_ALLOWED_OBJECT_ACE = "dword Mask;dword Flags;GUID ObjectType;GUID InheritedObjectType;dword SidStart" 7 | 8 | Global $tagACCESS_DENIED_ACE = "dword Mask;dword SidStart" 9 | Global $tagACCESS_DENIED_CALLBACK_ACE = "dword Mask;dword SidStart" 10 | Global $tagACCESS_DENIED_CALLBACK_OBJECT_ACE = "dword Mask;dword Flags;GUID ObjectType;GUID InheritedObjectType;dword SidStart" 11 | Global $tagACCESS_DENIED_OBJECT_ACE = "dword Mask;dword Flags;GUID ObjectType;GUID InheritedObjectType;dword SidStart" 12 | 13 | ;Unsupported 14 | ;SYSTEM_ALARM_ACE 15 | ;SYSTEM_ALARM_CALLBACK_ACE 16 | ;SYSTEM_ALARM_CALLBACK_OBJECT_ACE 17 | ;SYSTEM_ALARM_OBJECT_ACE 18 | 19 | Global $tagSYSTEM_AUDIT_ACE = "dword Mask;dword SidStart" 20 | Global $tagSYSTEM_AUDIT_CALLBACK_ACE = "dword Mask;dword SidStart" 21 | Global $tagSYSTEM_AUDIT_CALLBACK_OBJECT_ACE = "dword Mask;dword Flags;GUID ObjectType;GUID InheritedObjectType;dword SidStart" 22 | Global $tagSYSTEM_AUDIT_OBJECT_ACE = "dword 
Mask;dword Flags;GUID ObjectType;GUID InheritedObjectType;dword SidStart"

;The three SACL-only ACE types below use the short header layout. The template stops at SidStart,
;so any type-specific data following the SID is not decoded (see the AceSize note further down).
Global $tagSYSTEM_MANDATORY_LABEL_ACE = "dword Mask;dword SidStart"
Global $tagSYSTEM_RESOURCE_ATTRIBUTE_ACE = "dword Mask;dword SidStart"
Global $tagSYSTEM_SCOPED_POLICY_ID_ACE = "dword Mask;dword SidStart"
#cs
NOTE(review): this block is commented out and not referenced by the decoders in this file.
GENERIC_WRITE is 0x40000000 in winnt.h; the value previously written here (0x4000000) was
missing a digit and has been corrected so the block is not copied out with the typo.
Global Const $GENERIC_READ = 0x80000000
Global Const $GENERIC_WRITE = 0x40000000
Global Const $GENERIC_EXECUTE = 0x20000000
Global Const $GENERIC_ALL = 0x10000000
Global Const $MAXIMUM_ALLOWED = 0x02000000
Global Const $ACCESS_SYSTEM_SECURITY = 0x01000000
Global Const $SYNCHRONIZE = 0x00100000
Global Const $WRITE_OWNER = 0x00080000
Global Const $WRITE_DACL = 0x00040000
Global Const $READ_CONTROL = 0x00020000
Global Const $DELETE = 0x00010000
#ce
;AceType (1 byte): An unsigned 8-bit integer that specifies the ACE types. This field MUST be one of the following values.
;Descriptions and section numbers follow MS-DTYP. _DecodeAceType and _IsSmallAceStruct below
;key off these values; the types marked "Reserved" have no $tag template in this file.
Global Const $ACCESS_ALLOWED_ACE_TYPE = 0x00 ;Access-allowed ACE that uses the ACCESS_ALLOWED_ACE (section 2.4.4.2) structure.
Global Const $ACCESS_DENIED_ACE_TYPE = 0x01 ;Access-denied ACE that uses the ACCESS_DENIED_ACE (section 2.4.4.4) structure.
Global Const $SYSTEM_AUDIT_ACE_TYPE = 0x02 ;System-audit ACE that uses the SYSTEM_AUDIT_ACE (section 2.4.4.10) structure.
Global Const $SYSTEM_ALARM_ACE_TYPE = 0x03 ;Reserved for future use.
Global Const $ACCESS_ALLOWED_COMPOUND_ACE_TYPE = 0x04 ;Reserved for future use.
Global Const $ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05 ;Object-specific access-allowed ACE that uses the ACCESS_ALLOWED_OBJECT_ACE (section 2.4.4.3) structure.<31>
Global Const $ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06 ;Object-specific access-denied ACE that uses the ACCESS_DENIED_OBJECT_ACE (section 2.4.4.5) structure.<32>
Global Const $SYSTEM_AUDIT_OBJECT_ACE_TYPE = 0x07 ;Object-specific system-audit ACE that uses the SYSTEM_AUDIT_OBJECT_ACE (section 2.4.4.11) structure.<33>
Global Const $SYSTEM_ALARM_OBJECT_ACE_TYPE = 0x08 ;Reserved for future use.
Global Const $ACCESS_ALLOWED_CALLBACK_ACE_TYPE = 0x09 ;Access-allowed callback ACE that uses the ACCESS_ALLOWED_CALLBACK_ACE (section 2.4.4.6) structure.<34>
Global Const $ACCESS_DENIED_CALLBACK_ACE_TYPE = 0x0A ;Access-denied callback ACE that uses the ACCESS_DENIED_CALLBACK_ACE (section 2.4.4.7) structure.<35>
Global Const $ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE = 0x0B ;Object-specific access-allowed callback ACE that uses the ACCESS_ALLOWED_CALLBACK_OBJECT_ACE (section 2.4.4.8) structure.<36>
Global Const $ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE = 0x0C ;Object-specific access-denied callback ACE that uses the ACCESS_DENIED_CALLBACK_OBJECT_ACE (section 2.4.4.9) structure.<37>
Global Const $SYSTEM_AUDIT_CALLBACK_ACE_TYPE = 0x0D ;System-audit callback ACE that uses the SYSTEM_AUDIT_CALLBACK_ACE (section 2.4.4.12) structure.<38>
Global Const $SYSTEM_ALARM_CALLBACK_ACE_TYPE = 0x0E ;Reserved for future use.
Global Const $SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE = 0x0F ;Object-specific system-audit callback ACE that uses the SYSTEM_AUDIT_CALLBACK_OBJECT_ACE (section 2.4.4.14) structure.
Global Const $SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE = 0x10 ;Reserved for future use.
Global Const $SYSTEM_MANDATORY_LABEL_ACE_TYPE = 0x11 ;Mandatory label ACE that uses the SYSTEM_MANDATORY_LABEL_ACE (section 2.4.4.13) structure.
Global Const $SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE = 0x12 ;Resource attribute ACE that uses the SYSTEM_RESOURCE_ATTRIBUTE_ACE (section 2.4.4.15)
Global Const $SYSTEM_SCOPED_POLICY_ID_ACE_TYPE = 0x13 ;A central policy ID ACE that uses the SYSTEM_SCOPED_POLICY_ID_ACE (section 2.4.4.16)
Global Const $SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE = 0x14 ;Process trust label ACE. No $tag template is defined above; _IsSmallAceStruct treats it as the short Mask+SidStart layout.
;AceFlags (1 byte): An unsigned 8-bit integer that specifies a set of ACE type-specific control flags. This field can be a combination of the following values.
;_DecodeAceFlags renders these; a flag value not in this list has no name and will not be decoded.
Global Const $CONTAINER_INHERIT_ACE = 0x02 ;Child objects that are containers, such as directories, inherit the ACE as an effective ACE. The inherited ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.
Global Const $FAILED_ACCESS_ACE_FLAG = 0x80 ;Used with system-audit ACEs in a system access control list (SACL) to generate audit messages for failed access attempts.
Global Const $INHERIT_ONLY_ACE = 0x08 ;Indicates an inherit-only ACE, which does not control access to the object to which it is attached. If this flag is not set, the ACE is an effective ACE that controls access to the object to which it is attached. Both effective and inherit-only ACEs can be inherited depending on the state of the other inheritance flags.
Global Const $INHERITED_ACE = 0x10 ;Indicates that the ACE was inherited. The system sets this bit when it propagates an inherited ACE to a child object.<40>
Global Const $NO_PROPAGATE_INHERIT_ACE = 0x04 ;If the ACE is inherited by a child object, the system clears the OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE flags in the inherited ACE. This prevents the ACE from being inherited by subsequent generations of objects.
Global Const $OBJECT_INHERIT_ACE = 0x01 ;Noncontainer child objects inherit the ACE as an effective ACE. For child objects that are containers, the ACE is inherited as an inherit-only ACE unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.
Global Const $SUCCESSFUL_ACCESS_ACE_FLAG = 0x40 ;Used with system-audit ACEs in a SACL to generate audit messages for successful access attempts.
;AceObjectFlags A 32-bit unsigned integer that specifies a set of bit flags that indicate whether the ObjectType and InheritedObjectType fields contain valid data. This parameter can be one or more of the following values.
;Only meaningful for the *_OBJECT_ACE types (the ones whose $tag template has the Flags/GUID fields).
Global Const $ACE_NO_VALID_OBJECT_TYPE_PRESENT = 0x00000000 ;Neither ObjectType nor InheritedObjectType are valid.
Global Const $ACE_OBJECT_TYPE_PRESENT = 0x00000001 ;ObjectType is valid.
Global Const $ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002 ;InheritedObjectType is valid. If this value is not specified, all types of child objects can inherit the ACE.
;Access masks used with object types
;Directory-service specific rights; they give meaning to the ObjectType GUID of an object ACE.
Global Const $ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100 ;The ObjectType GUID identifies an extended access right.
Global Const $ADS_RIGHT_DS_CREATE_CHILD = 0x00000001 ;The ObjectType GUID identifies a type of child object. The ACE controls the trustee's right to create this type of child object.
Global Const $ADS_RIGHT_DS_READ_PROP = 0x00000010 ;The ObjectType GUID identifies a property set or property of the object. The ACE controls the trustee's right to read the property or property set.
Global Const $ADS_RIGHT_DS_WRITE_PROP = 0x00000020 ;The ObjectType GUID identifies a property set or property of the object. The ACE controls the trustee's right to write the property or property set.
Global Const $ADS_RIGHT_DS_SELF = 0x00000008 ;The ObjectType GUID identifies a validated write.



;AceSize (2 bytes): An unsigned 16-bit integer that specifies the size, in bytes, of the ACE. The AceSize field can be greater than the sum of the individual fields,
;but MUST be a multiple of 4 to ensure alignment on a DWORD boundary.
In cases where the AceSize field encompasses additional data for the callback ACEs types, 85 | ;that data is implementation-specific. Otherwise, this additional data is not interpreted and MUST be ignored. 86 | 87 | ;SECURITY_DESCRIPTOR_CONTROL 88 | Global Const $SE_OWNER_DEFAULTED = 0x0001 89 | Global Const $SE_GROUP_DEFAULTED = 0x0002 90 | Global Const $SE_DACL_PRESENT = 0x0004 91 | Global Const $SE_DACL_DEFAULTED = 0x0008 92 | Global Const $SE_SACL_PRESENT = 0x0010 93 | Global Const $SE_SACL_DEFAULTED = 0x0020 94 | Global Const $SE_DACL_UNTRUSTED = 0x0040 95 | Global Const $SE_SERVER_SECURITY = 0x0080 96 | Global Const $SE_DACL_AUTO_INHERIT_REQ = 0x0100 97 | Global Const $SE_SACL_AUTO_INHERIT_REQ = 0x0200 98 | Global Const $SE_DACL_AUTO_INHERITED = 0x0400 99 | Global Const $SE_SACL_AUTO_INHERITED = 0x0800 100 | Global Const $SE_DACL_PROTECTED = 0x1000 101 | Global Const $SE_SACL_PROTECTED = 0x2000 102 | Global Const $SE_RM_CONTROL_VALID = 0x4000 103 | Global Const $SE_SELF_RELATIVE = 0x8000 104 | 105 | Func _IsSmallAceStruct($input) 106 | Select 107 | Case $input=$ACCESS_ALLOWED_ACE_TYPE Or $input=$ACCESS_DENIED_ACE_TYPE Or $input=$SYSTEM_AUDIT_ACE_TYPE 108 | Return 1 109 | Case $input=$ACCESS_ALLOWED_CALLBACK_ACE_TYPE Or $input=$ACCESS_DENIED_CALLBACK_ACE_TYPE Or $input=$SYSTEM_AUDIT_CALLBACK_ACE_TYPE 110 | Return 1 111 | Case $input=$SYSTEM_MANDATORY_LABEL_ACE_TYPE Or $input=$SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE Or $input=$SYSTEM_SCOPED_POLICY_ID_ACE_TYPE Or $input=$SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE 112 | Return 1 113 | Case $input=$ACCESS_ALLOWED_OBJECT_ACE_TYPE Or $input=$ACCESS_DENIED_OBJECT_ACE_TYPE Or $input=$SYSTEM_AUDIT_OBJECT_ACE_TYPE 114 | Return 0 115 | Case $input=$ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE Or $input=$ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE Or $input=$SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE 116 | Return 0 117 | EndSelect 118 | EndFunc 119 | 120 | Func _DecodeAceFlags($input) 121 | Local $output = "" 122 | If $input = 0x00 Then Return 
'ZERO' 123 | If BitAND($input, $CONTAINER_INHERIT_ACE) Then $output &= 'CONTAINER_INHERIT_ACE+' 124 | If BitAND($input, $FAILED_ACCESS_ACE_FLAG) Then $output &= 'FAILED_ACCESS_ACE_FLAG+' 125 | If BitAND($input, $INHERIT_ONLY_ACE) Then $output &= 'INHERIT_ONLY_ACE+' 126 | If BitAND($input, $INHERITED_ACE) Then $output &= 'INHERITED_ACE+' 127 | If BitAND($input, $NO_PROPAGATE_INHERIT_ACE) Then $output &= 'NO_PROPAGATE_INHERIT_ACE+' 128 | If BitAND($input, $OBJECT_INHERIT_ACE) Then $output &= 'OBJECT_INHERIT_ACE+' 129 | If BitAND($input, $SUCCESSFUL_ACCESS_ACE_FLAG) Then $output &= 'SUCCESSFUL_ACCESS_ACE_FLAG+' 130 | $output = StringTrimRight($output, 1) 131 | Return $output 132 | EndFunc 133 | 134 | Func _DecodeAceType($input) 135 | ;Local $output = "" 136 | If $input = $ACCESS_ALLOWED_ACE_TYPE Then Return 'ACCESS_ALLOWED_ACE_TYPE' 137 | If $input = $ACCESS_DENIED_ACE_TYPE Then Return 'ACCESS_DENIED_ACE_TYPE' 138 | If $input = $SYSTEM_AUDIT_ACE_TYPE Then Return 'SYSTEM_AUDIT_ACE_TYPE' 139 | If $input = $SYSTEM_ALARM_ACE_TYPE Then Return 'SYSTEM_ALARM_ACE_TYPE' 140 | If $input = $ACCESS_ALLOWED_COMPOUND_ACE_TYPE Then Return 'ACCESS_ALLOWED_COMPOUND_ACE_TYPE' 141 | If $input = $ACCESS_ALLOWED_OBJECT_ACE_TYPE Then Return 'ACCESS_ALLOWED_OBJECT_ACE_TYPE' 142 | If $input = $ACCESS_DENIED_OBJECT_ACE_TYPE Then Return 'ACCESS_DENIED_OBJECT_ACE_TYPE' 143 | If $input = $SYSTEM_AUDIT_OBJECT_ACE_TYPE Then Return 'SYSTEM_AUDIT_OBJECT_ACE_TYPE' 144 | If $input = $SYSTEM_ALARM_OBJECT_ACE_TYPE Then Return 'SYSTEM_ALARM_OBJECT_ACE_TYPE' 145 | If $input = $ACCESS_ALLOWED_CALLBACK_ACE_TYPE Then Return 'ACCESS_ALLOWED_CALLBACK_ACE_TYPE' 146 | If $input = $ACCESS_DENIED_CALLBACK_ACE_TYPE Then Return 'ACCESS_DENIED_CALLBACK_ACE_TYPE' 147 | If $input = $ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE Then Return 'ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE' 148 | If $input = $ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE Then Return 'ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE' 149 | If $input = 
$SYSTEM_AUDIT_CALLBACK_ACE_TYPE Then Return 'SYSTEM_AUDIT_CALLBACK_ACE_TYPE' 150 | If $input = $SYSTEM_ALARM_CALLBACK_ACE_TYPE Then Return 'SYSTEM_ALARM_CALLBACK_ACE_TYPE' 151 | If $input = $SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE Then Return 'SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE' 152 | If $input = $SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE Then Return 'SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE' 153 | If $input = $SYSTEM_MANDATORY_LABEL_ACE_TYPE Then Return 'SYSTEM_MANDATORY_LABEL_ACE_TYPE' 154 | If $input = $SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE Then Return 'SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE' 155 | If $input = $SYSTEM_SCOPED_POLICY_ID_ACE_TYPE Then Return 'SYSTEM_SCOPED_POLICY_ID_ACE_TYPE' 156 | If $input = $SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE Then Return 'SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE' 157 | ; $output = StringTrimRight($output, 1) 158 | Return "UNKNOWN" 159 | EndFunc 160 | #cs 161 | Func _DecodeAceType($input) 162 | Local $output = "" 163 | ConsoleWrite("_DecodeAceType(): " & $input & @CRLF) 164 | If BitAND($input, $ACCESS_ALLOWED_ACE_TYPE) Then $output &= 'ACCESS_ALLOWED_ACE_TYPE+' 165 | If BitAND($input, $ACCESS_DENIED_ACE_TYPE) Then $output &= 'ACCESS_DENIED_ACE_TYPE+' 166 | If BitAND($input, $SYSTEM_AUDIT_ACE_TYPE) Then $output &= 'SYSTEM_AUDIT_ACE_TYPE+' 167 | If BitAND($input, $SYSTEM_ALARM_ACE_TYPE) Then $output &= 'SYSTEM_ALARM_ACE_TYPE+' 168 | If BitAND($input, $ACCESS_ALLOWED_COMPOUND_ACE_TYPE) Then $output &= 'ACCESS_ALLOWED_COMPOUND_ACE_TYPE+' 169 | If BitAND($input, $ACCESS_ALLOWED_OBJECT_ACE_TYPE) Then $output &= 'ACCESS_ALLOWED_OBJECT_ACE_TYPE+' 170 | If BitAND($input, $ACCESS_DENIED_OBJECT_ACE_TYPE) Then $output &= 'ACCESS_DENIED_OBJECT_ACE_TYPE+' 171 | If BitAND($input, $SYSTEM_AUDIT_OBJECT_ACE_TYPE) Then $output &= 'SYSTEM_AUDIT_OBJECT_ACE_TYPE+' 172 | If BitAND($input, $SYSTEM_ALARM_OBJECT_ACE_TYPE) Then $output &= 'SYSTEM_ALARM_OBJECT_ACE_TYPE+' 173 | If BitAND($input, $ACCESS_ALLOWED_CALLBACK_ACE_TYPE) Then $output &= 
'ACCESS_ALLOWED_CALLBACK_ACE_TYPE+' 174 | If BitAND($input, $ACCESS_DENIED_CALLBACK_ACE_TYPE) Then $output &= 'ACCESS_DENIED_CALLBACK_ACE_TYPE+' 175 | If BitAND($input, $ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE) Then $output &= 'ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE+' 176 | If BitAND($input, $ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE) Then $output &= 'ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE+' 177 | If BitAND($input, $SYSTEM_AUDIT_CALLBACK_ACE_TYPE) Then $output &= 'SYSTEM_AUDIT_CALLBACK_ACE_TYPE+' 178 | If BitAND($input, $SYSTEM_ALARM_CALLBACK_ACE_TYPE) Then $output &= 'SYSTEM_ALARM_CALLBACK_ACE_TYPE+' 179 | If BitAND($input, $SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE) Then $output &= 'SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE+' 180 | If BitAND($input, $SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE) Then $output &= 'SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE+' 181 | If BitAND($input, $SYSTEM_MANDATORY_LABEL_ACE_TYPE) Then $output &= 'SYSTEM_MANDATORY_LABEL_ACE_TYPE+' 182 | If BitAND($input, $SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE) Then $output &= 'SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE+' 183 | If BitAND($input, $SYSTEM_SCOPED_POLICY_ID_ACE_TYPE) Then $output &= 'SYSTEM_SCOPED_POLICY_ID_ACE_TYPE+' 184 | $output = StringTrimRight($output, 1) 185 | ConsoleWrite("_DecodeAceType(): " & $output & @CRLF) 186 | Return $output 187 | EndFunc 188 | #ce 189 | Global $tagACL = "byte AclRevision;byte Sbz1;word AclSize;word AceCount;word Sbz2" 190 | Global $tagACE_HEADER = "byte AceType;byte AceFlags;word AceSize" 191 | 192 | 193 | 194 | Func _SecurityDescriptorControl($input) 195 | Local $output = "" 196 | If BitAND($input, $SE_OWNER_DEFAULTED) Then $output &= 'SE_OWNER_DEFAULTED+' 197 | If BitAND($input, $SE_GROUP_DEFAULTED) Then $output &= 'SE_GROUP_DEFAULTED+' 198 | If BitAND($input, $SE_DACL_PRESENT) Then $output &= 'SE_DACL_PRESENT+' 199 | If BitAND($input, $SE_DACL_DEFAULTED) Then $output &= 'SE_DACL_DEFAULTED+' 200 | If BitAND($input, $SE_SACL_PRESENT) Then $output &= 'SE_SACL_PRESENT+' 201 | If 
BitAND($input, $SE_SACL_DEFAULTED) Then $output &= 'SE_SACL_DEFAULTED+' 202 | If BitAND($input, $SE_DACL_UNTRUSTED) Then $output &= 'SE_DACL_UNTRUSTED+' 203 | If BitAND($input, $SE_SERVER_SECURITY) Then $output &= 'SE_SERVER_SECURITY+' 204 | If BitAND($input, $SE_DACL_AUTO_INHERIT_REQ) Then $output &= 'SE_DACL_AUTO_INHERIT_REQ+' 205 | If BitAND($input, $SE_SACL_AUTO_INHERIT_REQ) Then $output &= 'SE_SACL_AUTO_INHERIT_REQ+' 206 | If BitAND($input, $SE_DACL_AUTO_INHERITED) Then $output &= 'SE_DACL_AUTO_INHERITED+' 207 | If BitAND($input, $SE_SACL_AUTO_INHERITED) Then $output &= 'SE_SACL_AUTO_INHERITED+' 208 | If BitAND($input, $SE_DACL_PROTECTED) Then $output &= 'SE_DACL_PROTECTED+' 209 | If BitAND($input, $SE_SACL_PROTECTED) Then $output &= 'SE_SACL_PROTECTED+' 210 | If BitAND($input, $SE_RM_CONTROL_VALID) Then $output &= 'SE_RM_CONTROL_VALID+' 211 | If BitAND($input, $SE_SELF_RELATIVE) Then $output &= 'SE_SELF_RELATIVE+' 212 | $output = StringTrimRight($output, 1) 213 | Return $output 214 | EndFunc 215 | 216 | Func _DecodeAceObjectFlag($input) 217 | ;Local $output = "" 218 | If $input = $ACE_NO_VALID_OBJECT_TYPE_PRESENT Then Return 'ACE_NO_VALID_OBJECT_TYPE_PRESENT' 219 | If $input = $ACE_OBJECT_TYPE_PRESENT Then Return 'ACE_OBJECT_TYPE_PRESENT' 220 | If $input = $ACE_INHERITED_OBJECT_TYPE_PRESENT Then Return 'ACE_INHERITED_OBJECT_TYPE_PRESENT' 221 | Return "UNKNOWN" 222 | ; If BitAND($input, $ACE_OBJECT_TYPE_PRESENT) Then $output &= 'ACE_OBJECT_TYPE_PRESENT+' 223 | ; If BitAND($input, $ACE_INHERITED_OBJECT_TYPE_PRESENT) Then $output &= 'ACE_INHERITED_OBJECT_TYPE_PRESENT+' 224 | ; $output = StringTrimRight($output, 1) 225 | ; Return $output 226 | EndFunc -------------------------------------------------------------------------------- /Secure2Csv.au3: -------------------------------------------------------------------------------- 1 | #Region ;**** Directives created by AutoIt3Wrapper_GUI **** 2 | #AutoIt3Wrapper_Icon=C:\Program Files (x86)\AutoIt3\Icons\au3.ico 3 | 
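#AutoIt3Wrapper_Outfile=Secure2Csv.exe
#AutoIt3Wrapper_Outfile_x64=Secure2Csv64.exe
#AutoIt3Wrapper_Compile_Both=y
#AutoIt3Wrapper_UseX64=y
#AutoIt3Wrapper_Change2CUI=y
#AutoIt3Wrapper_Res_Comment=Decode NTFS $Secure information ($SDS)
#AutoIt3Wrapper_Res_Description=Decode NTFS $Secure information ($SDS)
#AutoIt3Wrapper_Res_Fileversion=1.0.0.10
#AutoIt3Wrapper_Res_requestedExecutionLevel=asInvoker
#AutoIt3Wrapper_AU3Check_Parameters=-w 3 -w 5
#AutoIt3Wrapper_Run_Au3Stripper=y
#Au3Stripper_Parameters=/sf /sv /rm /pe
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
;References for the on-disk structures decoded below:
;https://technet.microsoft.com/en-us/library/cc781716(v=ws.10).aspx
;http://www.ntfs.com/ntfs-permissions-file-structure.htm
;http://0cch.net/ntfsdoc/attributes/security_descriptor.html
;https://msdn.microsoft.com/en-us/library/windows/hardware/ff556610(v=vs.85).aspx
;https://msdn.microsoft.com/en-us/library/cc230286.aspx
;https://msdn.microsoft.com/en-us/library/cc230371.aspx
;https://msdn.microsoft.com/en-us/library/gg465313.aspx
;https://msdn.microsoft.com/en-us/library/dd302645.aspx
;https://msdn.microsoft.com/en-us/library/cc980032.aspx
#Include "SecureConstants.au3"
; NOTE(review): the targets of the five standard-UDF #Include lines below were lost in this copy of the file
; (the WinAPI, File and GuiEdit UDF functions used further down come from them); restore them from upstream.
#Include
#Include
#Include
#include
#Include

;Index arrays filled by _DecodeIndxEntriesSDH/_DecodeIndxEntriesSII (offset, size, ... , hash of each descriptor)
Global $SDHArray[1][1], $SIIArray[1][1], $CommandlineMode, $DebugOutFile
;Output settings: $de separates CSV fields, $de2 separates ACEs inside one field
Global $de = "|", $de2 = ":", $SecureCsvFile, $hSecureCsv, $WithQuotes = 0, $EncodingWhenOpen = 2, $OutputPath = @ScriptDir, $SeparatorInput, $AceSeparatorInput
;Per-descriptor values written by _WriteCsv and reset by _ClearVar
Global $TargetSDSOffsetHex, $SecurityDescriptorHash, $SecurityId, $ControlText, $SidOwner, $SidGroup
Global $SAclRevision, $SAceCount, $SAceTypeText, $SAceFlagsText, $SAceMask, $SAceObjectType, $SAceInheritedObjectType, $SAceSIDString, $SAceObjectFlagsText
Global $DAclRevision, $DAceCount, $DAceTypeText, $DAceFlagsText, $DAceMask, $DAceObjectType, $DAceInheritedObjectType, $DAceSIDString, $DAceObjectFlagsText
;Input files and which index (if any) drives the walk over $SDS
Global $SDSFile, $SDHFile, $SIIFile, $DoSDH = 0, $DoSII = 0, $OnlySDS = 0
;GUI progress state, also read by the _SDSProgress adlib callback
Global $ProgressSDS, $ProgressSDH, $ProgressSII, $CurrentProgress = -1, $ProgressStatus, $ProgressSize
Global $begin, $ElapsedTime, $CurrentDescriptor, $MaxDescriptors

;Subset of GUIConstantsEx/WindowsConstants values used here, declared locally to avoid the includes
Global Const $GUI_EVENT_CLOSE = -3
Global Const $GUI_CHECKED = 1
Global Const $GUI_UNCHECKED = 4
;Global Const $ES_AUTOVSCROLL = 64
Global Const $WS_VSCROLL = 0x00200000
Global Const $DT_END_ELLIPSIS = 0x8000
Global Const $GUI_DISABLE = 128

Global $Progversion = "NTFS $Secure Parser - Secure2Csv - 1.0.0.10"

;Entry point: with arguments run once from the command line, otherwise show the GUI and loop until closed.
If $cmdline[0] > 0 Then
	$CommandlineMode = 1
	ConsoleWrite($Progversion & @CRLF)
	_GetInputParams()
	_Main()
Else
	DllCall("kernel32.dll", "bool", "FreeConsole")
	$CommandlineMode = 0

	Opt("GUICloseOnESC", 1)
	$Form = GUICreate($Progversion, 540, 460, -1, -1)

	$LabelSDS = GUICtrlCreateLabel("$SDS:", 20, 10, 80, 20)
	$SDSField = GUICtrlCreateInput("mandatory", 70, 10, 350, 20)
	GUICtrlSetState($SDSField, $GUI_DISABLE)
	$ButtonSDS = GUICtrlCreateButton("Select $SDS", 430, 10, 100, 20)

	;$SDH support is wired but disabled in the GUI (see the commented _SelectSDH call in the message loop)
	$LabelSDH = GUICtrlCreateLabel("$SDH:", 20, 35, 80, 20)
	$SDHField = GUICtrlCreateInput("Disabled", 70, 35, 350, 20)
	GUICtrlSetState($SDHField, $GUI_DISABLE)
	$ButtonSDH = GUICtrlCreateButton("Select $SDH", 430, 35, 100, 20)
	GUICtrlSetState($ButtonSDH, $GUI_DISABLE)

	$LabelSII = GUICtrlCreateLabel("$SII:", 20, 60, 80, 20)
	$SIIField = GUICtrlCreateInput("optional, but recommended for speed", 70, 60, 350, 20)
	GUICtrlSetState($SIIField, $GUI_DISABLE)
	$ButtonSII = GUICtrlCreateButton("Select $SII", 430, 60, 100, 20)

	$LabelSeparator = GUICtrlCreateLabel("Set output field separator:", 20, 100, 130, 20)
	$SeparatorInput = GUICtrlCreateInput($de, 150, 100, 20, 20)
	$SeparatorInput2 = GUICtrlCreateInput($de, 180, 100, 30, 20)
	GUICtrlSetState($SeparatorInput2, $GUI_DISABLE)

	$LabelAceSeparator = GUICtrlCreateLabel("Set Ace separator:", 20, 125, 130, 20)
	$AceSeparatorInput = GUICtrlCreateInput($de2, 150, 125, 20, 20)
	$AceSeparatorInput2 = GUICtrlCreateInput($de2, 180, 125, 30, 20)
	GUICtrlSetState($AceSeparatorInput2, $GUI_DISABLE)

	$ButtonOutput = GUICtrlCreateButton("Output path", 430, 85, 100, 25)
	$ButtonStart = GUICtrlCreateButton("Start", 430, 115, 100, 30)
	$myctredit = GUICtrlCreateEdit("", 0, 150, 540, 120, BitOR($ES_AUTOVSCROLL, $WS_VSCROLL))
	_GUICtrlEdit_SetLimitText($myctredit, 128000)
	GUISetState(@SW_SHOW)

	While 1
		$nMsg = GUIGetMsg()
		Sleep(100)
		_TranslateSeparator()
		_TranslateSeparatorAce()

		Switch $nMsg
			Case $ButtonSDS
				_SelectSDS()
			Case $ButtonSDH
				; _SelectSDH()
			Case $ButtonSII
				_SelectSII()
			Case $ButtonOutput
				$OutputPath = FileSelectFolder("Select output folder.", "", 7, @ScriptDir)
				If Not @error And FileExists($OutputPath) = 1 Then
					_DisplayInfo("New output folder: " & $OutputPath & @CRLF)
				Else
					_DisplayInfo("Error setting new output path" & @CRLF)
					$OutputPath = @ScriptDir
				EndIf
			Case $ButtonStart
				_Main()
			Case $GUI_EVENT_CLOSE
				Exit
		EndSwitch
	WEnd
EndIf

; Run one decode of $SDS into Secure_<timestamp>.csv/.log/.sql in $OutputPath.
; Three walk strategies, chosen in this order: $SII index ($DoSII), $SDH index ($DoSDH), or a linear scan of
; $SDS alone ($OnlySDS, set here when neither index was given). Only the $SII path also extracts slack.
; Inputs come from the globals $SDSFile/$SIIFile/$SDHFile, the separator controls (GUI) and $OutputPath.
; Fixes relative to the original:
;  - FileOpen signals failure by returning -1 and does not set @error, so the log/CSV creation checks never fired;
;  - $hSDS and the CSV handle were leaked on every early return and were never closed at all in the $OnlySDS path
;    (in GUI mode the CSV therefore stayed open after "Done!");
;  - the linear scan looped forever on an entry with a non-zero offset and a zero size (a corrupt or crafted $SDS);
;  - slack output handles were used without checking that _WinAPI_CreateFile succeeded;
;  - the GUI progress controls were re-created on every Start click;
;  - the INDX-signature test is written with <> (the original relied on AutoIt binding Not tighter than =).
; Many working variables ($hSDS, $SizeSDS, $RawContentSDS, $TargetSDSOffset, ...) are deliberately left as
; implicit globals, as in the original, because helpers outside this file excerpt may read them.
Func _Main()
	Local $nBytes, $bytePos

	If Not $CommandlineMode Then
		GUICtrlSetData($ProgressSDS, 0)
		GUICtrlSetData($ProgressSDH, 0)
		GUICtrlSetData($ProgressSII, 0)

		If $SDSFile = "" Or FileExists($SDSFile) = 0 Then
			_DisplayInfo("Error: $SDS must be set" & @CRLF)
			Return
		EndIf
		If StringLen(GUICtrlRead($SeparatorInput)) <> 1 Then
			_DisplayInfo("Error: Separator not set properly" & @CRLF)
			ConsoleWrite("Error: Separator not set properly: " & GUICtrlRead($SeparatorInput) & @CRLF)
			Return
		EndIf
		$de = GUICtrlRead($SeparatorInput)
		ConsoleWrite("Using separator: " & $de & @CRLF)
		If StringLen(GUICtrlRead($AceSeparatorInput)) <> 1 Then
			_DisplayInfo("Error: Ace separator not set properly" & @CRLF)
			ConsoleWrite("Error: Ace separator not set properly: " & GUICtrlRead($AceSeparatorInput) & @CRLF)
			Return
		EndIf
		$de2 = GUICtrlRead($AceSeparatorInput)
		ConsoleWrite("Using Ace separator: " & $de2 & @CRLF)
	EndIf

	;No index at all: fall back to the linear scan of $SDS
	If $DoSDH = 0 And $DoSII = 0 Then $OnlySDS = 1

	$hSDS = _WinAPI_CreateFile("\\.\" & $SDSFile, 2, 2, 7)
	If $hSDS = 0 Then
		ConsoleWrite("Error in CreateFile for " & $SDSFile & " : " & _WinAPI_GetLastErrorMessage())
		If Not $CommandlineMode Then _DisplayInfo("Error in CreateFile for " & $SDSFile & " : " & _WinAPI_GetLastErrorMessage())
		Return
	EndIf
	$SizeSDS = _WinAPI_GetFileSizeEx($hSDS)
	If Not $CommandlineMode Then _DisplayInfo("Using $SDS: " & $SDSFile & @CRLF)

	$TimestampStart = @YEAR & "-" & @MON & "-" & @MDAY & "_" & @HOUR & "-" & @MIN & "-" & @SEC

	;FileOpen returns -1 on failure (it does not set @error)
	$DebugOutFile = FileOpen($OutputPath & "\Secure_" & $TimestampStart & ".log", $EncodingWhenOpen)
	If $DebugOutFile = -1 Then
		ConsoleWrite("Error: Could not create log file" & @CRLF)
		MsgBox(0, "Error", "Could not create log file")
		_WinAPI_CloseHandle($hSDS)
		Exit
	EndIf

	$SecureCsvFile = $OutputPath & "\Secure_" & $TimestampStart & ".csv"
	$hSecureCsv = FileOpen($SecureCsvFile, $EncodingWhenOpen)
	If $hSecureCsv = -1 Then
		ConsoleWrite("Error creating: " & $SecureCsvFile & @CRLF)
		If Not $CommandlineMode Then
			_DisplayInfo("Error creating: " & $SecureCsvFile & @CRLF)
		Else
			_DumpOutput("Error creating: " & $SecureCsvFile & @CRLF)
		EndIf
		_WinAPI_CloseHandle($hSDS)
		Return
	EndIf

	;Drop the bundled MySQL import script next to the CSV and point it at the CSV.
	;Only backslashes are escaped for the SQL string literal; an output path containing a quote would break the
	;generated script (the template itself is not part of this excerpt). The 500 ms pause is kept from the original;
	;FileInstall is synchronous, so it is presumably unnecessary - verify before removing.
	$SecureSqlFile = $OutputPath & "\Secure_" & $TimestampStart & ".sql"
	FileInstall(".\import-sql\import-csv-secure.sql", $SecureSqlFile)
	$FixedPath = StringReplace($SecureCsvFile, "\", "\\")
	Sleep(500)
	_ReplaceStringInFile($SecureSqlFile, "__PathToCsv__", $FixedPath)
	_ReplaceStringInFile($SecureSqlFile, "latin1", "utf8") ;replaces every occurrence in the template, not just the charset clause

	_DumpOutput($Progversion & @CRLF)
	_DumpOutput("Using $Secure $SDS: " & $SDSFile & @CRLF)
	_DumpOutput("Using $Secure $SDH: " & $SDHFile & @CRLF)
	_DumpOutput("Using $Secure $SII: " & $SIIFile & @CRLF)
	_DumpOutput("Filesize $SDS: " & $SizeSDS & @CRLF)
	_DumpOutput("Using $SecureCsvFile: " & $SecureCsvFile & @CRLF)
	_DumpOutput("Using $SecureSqlFile: " & $SecureSqlFile & @CRLF)

	_WriteCSVHeader()

	;Create the progress controls once; $ProgressSDS is "" until the first run
	If Not $CommandlineMode And Not $ProgressSDS Then
		$Progress = GUICtrlCreateLabel("Decoding security descriptors in $SDS", 10, 280, 540, 20)
		GUICtrlSetFont($Progress, 12)
		$ProgressStatus = GUICtrlCreateLabel("", 10, 310, 520, 20)
		$ElapsedTime = GUICtrlCreateLabel("", 10, 325, 520, 20)
		$ProgressSDH = GUICtrlCreateProgress(10, 350, 520, 30)
		$ProgressSII = GUICtrlCreateProgress(10, 385, 520, 30)
		$ProgressSDS = GUICtrlCreateProgress(10, 420, 520, 30)
	EndIf

	Select
		Case $DoSII
			$hSII = _WinAPI_CreateFile("\\.\" & $SIIFile, 2, 2, 7)
			If $hSII = 0 Then
				_DumpOutput("Error in CreateFile for " & $SIIFile & " : " & _WinAPI_GetLastErrorMessage())
				If Not $CommandlineMode Then _DisplayInfo("Error in CreateFile for " & $SIIFile & " : " & _WinAPI_GetLastErrorMessage())
				_WinAPI_CloseHandle($hSDS)
				FileClose($hSecureCsv)
				Return
			EndIf
			$SizeSII = _WinAPI_GetFileSizeEx($hSII)
			_DumpOutput("$SizeSII: " & $SizeSII & @CRLF)
			If Not $CommandlineMode Then _DisplayInfo("Using $SII: " & $SIIFile & @CRLF)
			;Whole file is read into memory and handled as one hex string ("0x" prefix, 2 chars per byte)
			$tBuffer3 = DllStructCreate("byte[" & $SizeSII & "]")
			_WinAPI_ReadFile($hSII, DllStructGetPtr($tBuffer3), $SizeSII, $nBytes)
			$RawContentSII = DllStructGetData($tBuffer3, 1)
			;"494E4458" = "INDX": a raw index allocation needs its INDX records unwrapped first
			If StringMid($RawContentSII, 3, 8) <> "494E4458" Then
				$CoreSII = StringMid($RawContentSII, 3)
			Else
				$CoreSII = _GetIndx($RawContentSII)
			EndIf
			_DumpOutput("Starting decode of $SII" & @CRLF)
			_DecodeIndxEntriesSII($CoreSII)
			_DumpOutput("Security descriptors referenced in $SII: " & UBound($SIIArray) - 1 & @CRLF)

			$tBuffer = DllStructCreate("byte[" & $SizeSDS & "]")
			_WinAPI_ReadFile($hSDS, DllStructGetPtr($tBuffer), $SizeSDS, $nBytes)
			$RawContentSDS = DllStructGetData($tBuffer, 1)
			_DumpOutput("Starting decode of $SDS" & @CRLF)

			$begin = TimerInit()
			If Not $CommandlineMode Then AdlibRegister("_SDSProgress", 500)

			Local $chunkChars = 0

			Local $outFile1 = $OutputPath & "\Secure_" & $TimestampStart & "_sds_slack1.bin"
			Local $hFileOut1 = _WinAPI_CreateFile("\\.\" & $outFile1, 3, 6, 7)
			If $hFileOut1 Then
				_GetSDSSlack1($hSDS, $hFileOut1)
				_WinAPI_CloseHandle($hFileOut1)
			Else
				_DumpOutput("Error creating " & $outFile1 & " : " & _WinAPI_GetLastErrorMessage() & @CRLF)
			EndIf

			Local $outFile2 = $OutputPath & "\Secure_" & $TimestampStart & "_sds_slack2.bin"
			Local $hFileOut2 = _WinAPI_CreateFile("\\.\" & $outFile2, 3, 6, 7)
			If Not $hFileOut2 Then _DumpOutput("Error creating " & $outFile2 & " : " & _WinAPI_GetLastErrorMessage() & @CRLF)

			;NOTE(review): this loop starts at row 0 while the $SDH loop starts at row 1; which is right depends on
			;how _DecodeIndxEntriesSII fills the array (not in this excerpt). Kept as in the original.
			$MaxDescriptors = UBound($SIIArray) - 1
			For $i = 0 To UBound($SIIArray) - 1
				$CurrentDescriptor = $i
				;Where the index says this descriptor lives inside $SDS
				$TargetSDSOffset = $SIIArray[$i][0]
				$TargetSDSSize = $SIIArray[$i][1]
				$TargetSDSChunk = StringMid($RawContentSDS, 3 + ($TargetSDSOffset * 2), $TargetSDSSize * 2)
				$TargetSDSOffsetHex = "0x" & Hex($TargetSDSOffset, 8)
				;_DecodeSDSChunk returns the hex chars it consumed; the remainder of the indexed size is slack
				$chunkChars = _DecodeSDSChunk($TargetSDSChunk, $SIIArray[$i][3])
				If $hFileOut2 And $TargetSDSSize - ($chunkChars / 2) > 16 Then
					_GetSDSSlack2($hFileOut2, StringMid($TargetSDSChunk, 1 + $chunkChars))
				EndIf
				_WriteCsv()
				_ClearVar()
			Next

			If $hFileOut2 Then _WinAPI_CloseHandle($hFileOut2)

			Local $outFile3 = $OutputPath & "\Secure_" & $TimestampStart & "_sds_slack3.bin"
			Local $hFileOut3 = _WinAPI_CreateFile("\\.\" & $outFile3, 3, 6, 7)
			If $hFileOut3 Then
				_GetSDSSlack3($hSDS, $hFileOut3)
				_WinAPI_CloseHandle($hFileOut3)
			Else
				_DumpOutput("Error creating " & $outFile3 & " : " & _WinAPI_GetLastErrorMessage() & @CRLF)
			EndIf

			_DumpOutput("Slack output 1: " & $outFile1 & @CRLF)
			_DumpOutput("Slack output 2: " & $outFile2 & @CRLF)
			_DumpOutput("Slack output 3: " & $outFile3 & @CRLF)

			_WinAPI_CloseHandle($hSII)

		Case $DoSDH
			$hSDH = _WinAPI_CreateFile("\\.\" & $SDHFile, 2, 2, 7)
			If $hSDH = 0 Then
				_DumpOutput("Error in CreateFile for " & $SDHFile & " : " & _WinAPI_GetLastErrorMessage())
				If Not $CommandlineMode Then _DisplayInfo("Error in CreateFile for " & $SDHFile & " : " & _WinAPI_GetLastErrorMessage())
				_WinAPI_CloseHandle($hSDS)
				FileClose($hSecureCsv)
				Return
			EndIf
			$SizeSDH = _WinAPI_GetFileSizeEx($hSDH)
			_DumpOutput("$SizeSDH: " & $SizeSDH & @CRLF)
			If Not $CommandlineMode Then _DisplayInfo("Using $SDH: " & $SDHFile & @CRLF)
			$tBuffer2 = DllStructCreate("byte[" & $SizeSDH & "]")
			_WinAPI_ReadFile($hSDH, DllStructGetPtr($tBuffer2), $SizeSDH, $nBytes)
			$RawContentSDH = DllStructGetData($tBuffer2, 1)
			If StringMid($RawContentSDH, 3, 8) <> "494E4458" Then
				$CoreSDH = StringMid($RawContentSDH, 3)
			Else
				$CoreSDH = _GetIndx($RawContentSDH)
			EndIf
			_DumpOutput("Starting decode of $SDH" & @CRLF)
			_DecodeIndxEntriesSDH($CoreSDH)
			_DumpOutput("Security descriptors referenced in $SDH: " & UBound($SDHArray) - 1 & @CRLF)

			$tBuffer = DllStructCreate("byte[" & $SizeSDS & "]")
			_WinAPI_ReadFile($hSDS, DllStructGetPtr($tBuffer), $SizeSDS, $nBytes)
			$RawContentSDS = DllStructGetData($tBuffer, 1)
			_DumpOutput("Starting decode of $SDS" & @CRLF)

			$begin = TimerInit()
			If Not $CommandlineMode Then AdlibRegister("_SDSProgress", 500)
			$MaxDescriptors = UBound($SDHArray) - 1
			For $i = 1 To UBound($SDHArray) - 1
				$CurrentDescriptor = $i
				;$SDHArray stores offset and size as hex strings
				$TargetSDSOffset = Dec($SDHArray[$i][0])
				$TargetSDSSize = Dec($SDHArray[$i][1])
				$TargetSDSChunk = StringMid($RawContentSDS, 3 + ($TargetSDSOffset * 2), $TargetSDSSize * 2)
				$TargetSDSOffsetHex = "0x" & Hex($TargetSDSOffset, 8)
				_DecodeSDSChunk($TargetSDSChunk, $SDHArray[$i][4])
				_WriteCsv()
				_ClearVar()
			Next

			_WinAPI_CloseHandle($hSDH)

		Case $OnlySDS
			;No index: walk $SDS linearly. Every entry starts with hash(4) id(4) offset(8) size(4), entries are
			;padded to 16 bytes, and the stream is laid out in 0x40000-byte blocks whose tail is zero padding.
			$tBuffer = DllStructCreate("byte[" & $SizeSDS & "]")
			_WinAPI_ReadFile($hSDS, DllStructGetPtr($tBuffer), $SizeSDS, $nBytes)
			$RawContentSDS = DllStructGetData($tBuffer, 1)
			_DumpOutput("Starting decode of $SDS" & @CRLF)
			$EstimatedDescriptors = Round($SizeSDS / 268) ;268 bytes: the author's observed average entry size, only used for the progress bar
			$StartOffset = 3 ;1-based position in the hex string, after the "0x" prefix
			$BytesProcessed = 0
			$CurrentDescriptor = 0
			$begin = TimerInit()
			If Not $CommandlineMode Then AdlibRegister("_SDSProgress", 500)
			$MaxDescriptors = $EstimatedDescriptors
			While 1
				$CurrentDescriptor += 1
				If $BytesProcessed >= $SizeSDS Then
					_DumpOutput("End of $SDS reached" & @CRLF)
					ExitLoop
				EndIf
				$TargetSDSOffset = Dec(_SwapEndian(StringMid($RawContentSDS, $StartOffset + 16, 16)), 2)
				$TargetSDSSize = Dec(_SwapEndian(StringMid($RawContentSDS, $StartOffset + 32, 8)), 2)

				If $TargetSDSOffset >= $SizeSDS Then
					_DumpOutput("End of $SDS reached" & @CRLF)
					ExitLoop
				EndIf

				$TargetSDSOffsetHex = "0x" & Hex(Int(($StartOffset - 3) / 2), 8)

				If $TargetSDSOffset = 0 And $TargetSDSSize = 0 Then
					;Zero padding: skip to the next 0x40000 block, or stop if already on a block boundary
					$bytePos = ($StartOffset - 3) / 2
					If Mod($bytePos, 262144) = 0 Then ExitLoop
					$StartOffset += 2 * (262144 - Mod($bytePos, 262144))
					ContinueLoop
				EndIf

				;Entries are 16-byte aligned
				If Mod($TargetSDSSize, 16) Then $TargetSDSSize += 16 - Mod($TargetSDSSize, 16)

				;FIX: a zero size with a non-zero offset never advanced $StartOffset in the original loop, so a
				;corrupt or crafted $SDS hung the parser. Log it and step over the minimum entry granularity.
				If $TargetSDSSize = 0 Then
					_DumpOutput("Error: zero-length entry at " & $TargetSDSOffsetHex & ", skipping 16 bytes" & @CRLF)
					$BytesProcessed += 16
					$StartOffset += 32
					ContinueLoop
				EndIf
				If $TargetSDSOffset + $TargetSDSSize > $SizeSDS Then _DumpOutput("Warning: entry at " & $TargetSDSOffsetHex & " extends past the end of $SDS and will be truncated" & @CRLF)

				;The entry's own hash is the expected value; the chunk is fetched at the offset the entry claims
				$TargetSDSHash = StringMid($RawContentSDS, $StartOffset, 8)
				$TargetSDSChunk = StringMid($RawContentSDS, 3 + ($TargetSDSOffset * 2), $TargetSDSSize * 2)
				_DecodeSDSChunk($TargetSDSChunk, $TargetSDSHash)
				_WriteCsv()
				_ClearVar()
				$BytesProcessed += $TargetSDSSize
				$StartOffset += $TargetSDSSize * 2
			WEnd
			$MaxDescriptors = $CurrentDescriptor
	EndSelect

	;Common cleanup and final progress report for all three strategies
	_WinAPI_CloseHandle($hSDS)
	FileClose($hSecureCsv)

	If Not $CommandlineMode Then
		AdlibUnRegister("_SDSProgress")
		GUICtrlSetData($ProgressStatus, "[$SDS] Processing security descriptor " & $CurrentDescriptor & " of " & $MaxDescriptors)
		GUICtrlSetData($ElapsedTime, "Elapsed time = " & _WinAPI_StrFromTimeInterval(TimerDiff($begin)))
		If $MaxDescriptors > 0 Then GUICtrlSetData($ProgressSDS, 100 * $CurrentDescriptor / $MaxDescriptors)
		_DisplayInfo("$SDS processed " & $CurrentDescriptor & " descriptors in " & _WinAPI_StrFromTimeInterval(TimerDiff($begin)) & @CRLF)
	EndIf
	_DumpOutput("$SDS processed " & $CurrentDescriptor & " descriptors in " & _WinAPI_StrFromTimeInterval(TimerDiff($begin)) & @CRLF)

	If Not $CommandlineMode Then
		_DisplayInfo("Done! " & @CRLF)
		GUICtrlSetData($SDSField, "")
		GUICtrlSetData($SIIField, "")
		GUICtrlSetData($SDHField, "")
	Else
		_DumpOutput("Done! " & @CRLF)
	EndIf
	$DoSDH = 0
	$DoSII = 0
EndFunc

; Decode one $SDS entry, given as a hex string without "0x" prefix, into the per-descriptor CSV globals.
; Entry layout (byte offsets): 0 hash(4) | 4 security id(4) | 8 entry offset(8) | 16 entry size(4) |
; 20 SECURITY_DESCRIPTOR_RELATIVE header (revision, sbz1, control, owner/group/sacl/dacl offsets) | 40.. the
; owner SID, group SID, SACL and DACL at the offsets given in the header, relative to byte 20.
; $Hash is the expected hash (8 hex chars) taken from the index or from the entry header by the caller.
; Returns the number of hex characters accounted for (80 for the two headers, plus whatever the SID and ACL
; decoders report) so the caller can locate slack; 8 on hash mismatch, 48 when the descriptor is not self-relative.
; FIX: each of the four sub-structure offsets is now checked against the entry length before use. Previously an
; out-of-range offset made StringMid return "" and passed that to _DecodeSID/_DecodeAcl_* unnoticed.
;https://msdn.microsoft.com/en-us/library/cc230366.aspx
Func _DecodeSDSChunk($InputData, $Hash)
	Local $StartOffset = 1
	Local $DataLen = StringLen($InputData)
	Local $length = 80, $count = 0, $pos = 0

	$SecurityDescriptorHash = StringMid($InputData, $StartOffset, 8)
	If $SecurityDescriptorHash <> $Hash Then
		_DumpOutput("Error: Hash mismatch" & @CRLF)
		Return 8
	EndIf
	$SecurityDescriptorHash = "0x" & $SecurityDescriptorHash

	$SecurityId = Dec(_SwapEndian(StringMid($InputData, $StartOffset + 8, 8)), 2)
	;Bytes 8-19 (the entry's own offset and size) are not used here: the caller already located the entry.

	;SECURITY_DESCRIPTOR_RELATIVE header begins at byte 20 (hex char 41)
	$Revision = Dec(StringMid($InputData, $StartOffset + 40, 2))
	;Logged only: as in the original, the rest is still decoded for its forensic value
	If $Revision <> 1 Then _DumpOutput("Error: Revision invalid: " & $Revision & @CRLF)

	$SECURITY_DESCRIPTOR_CONTROL = _SwapEndian(StringMid($InputData, $StartOffset + 44, 4))
	$ControlText = _SecurityDescriptorControl("0x" & $SECURITY_DESCRIPTOR_CONTROL)
	If Not BitAND("0x" & $SECURITY_DESCRIPTOR_CONTROL, $SE_SELF_RELATIVE) Then
		_DumpOutput("Error: Descriptor not self relative. Nothing to do" & @CRLF)
		Return 48
	EndIf

	;Offsets are relative to the start of the descriptor (byte 20 of the entry); 0 means "absent"
	$PSidOwner = Dec(_SwapEndian(StringMid($InputData, $StartOffset + 48, 8)))
	$PSidGroup = Dec(_SwapEndian(StringMid($InputData, $StartOffset + 56, 8)))
	$PSacl = Dec(_SwapEndian(StringMid($InputData, $StartOffset + 64, 8)))
	$PDacl = Dec(_SwapEndian(StringMid($InputData, $StartOffset + 72, 8)))

	;Each target needs at least its 8-byte header (16 hex chars) inside the entry
	If $PSidOwner > 0 Then
		$pos = $StartOffset + 40 + $PSidOwner * 2
		If $pos + 15 <= $DataLen Then
			$count = Dec(StringMid($InputData, $pos + 2, 2)) ;SubAuthorityCount
			$length += 16 + ($count * 8) ;8-byte SID header plus 4 bytes per sub-authority, in hex chars
			$SidOwner = _DecodeSID(StringMid($InputData, $pos))
		Else
			_DumpOutput("Error: Owner SID offset " & $PSidOwner & " lies outside the entry" & @CRLF)
		EndIf
	EndIf
	If $PSidGroup > 0 Then
		$pos = $StartOffset + 40 + $PSidGroup * 2
		If $pos + 15 <= $DataLen Then
			$count = Dec(StringMid($InputData, $pos + 2, 2))
			$length += 16 + ($count * 8)
			$SidGroup = _DecodeSID(StringMid($InputData, $pos))
		Else
			_DumpOutput("Error: Group SID offset " & $PSidGroup & " lies outside the entry" & @CRLF)
		EndIf
	EndIf
	If $PSacl > 0 Then
		$pos = $StartOffset + 40 + $PSacl * 2
		If $pos + 15 <= $DataLen Then
			$length += _DecodeAcl_S(StringMid($InputData, $pos))
		Else
			_DumpOutput("Error: SACL offset " & $PSacl & " lies outside the entry" & @CRLF)
		EndIf
	EndIf
	If $PDacl > 0 Then
		$pos = $StartOffset + 40 + $PDacl * 2
		If $pos + 15 <= $DataLen Then
			$length += _DecodeAcl_D(StringMid($InputData, $pos))
		Else
			_DumpOutput("Error: DACL offset " & $PDacl & " lies outside the entry" & @CRLF)
		EndIf
	EndIf
	Return $length
EndFunc

Func _DecodeAcl_S($InputData)
	;https://msdn.microsoft.com/en-us/library/cc230297.aspx
	Local $StartOffset = 1, $AceDataCounter = 0
	;Global $SAclRevision,$SAceCount,$SAceTypeText,$SAceFlagsText,$SAceMask,$SAceObjectFlagsText,$SAceObjectType,$SAceInheritedObjectType,$SAceSIDString
	; ConsoleWrite("_DecodeAcl_S() " & @CRLF)
	; ConsoleWrite(_HexEncode("0x"&$InputData))
	; ACL header 8 bytes
	$SAclRevision = StringMid($InputData, $StartOffset, 2)

	If $SAclRevision <> "02" And $SAclRevision <> "04" Then
		_DumpOutput("Error: Invalid SAclRevision: " & $SAclRevision & @CRLF)
	EndIf
	;$Sbz1 = StringMid($InputData, $StartOffset + 2, 2)

	$AclSize = StringMid($InputData, $StartOffset + 4, 4)
	$AclSize = _SwapEndian($AclSize)

	$AclSize = Dec($AclSize)
	$SAceCount = StringMid($InputData, $StartOffset + 8, 4)
	$SAceCount = _SwapEndian($SAceCount)

	$SAceCount = Dec($SAceCount)
	;$Sbz2 = StringMid($InputData, $StartOffset + 12, 4)
	#cs
	ConsoleWrite("$SAclRevision: " & $SAclRevision & @CRLF)
	ConsoleWrite("$Sbz1: " & $Sbz1 & @CRLF)
	ConsoleWrite("$AclSize: " & $AclSize & @CRLF)
	ConsoleWrite("$SAceCount: " & $SAceCount & @CRLF)
	ConsoleWrite("$Sbz2: " & $Sbz2 & @CRLF)
	#ce
	If $SAceCount < 1 Then Return 8
	For $j = 1 To $SAceCount

		;ACE_HEADER 4 bytes
		;https://msdn.microsoft.com/en-us/library/cc230296.aspx
		$AceType = StringMid($InputData, $StartOffset + $AceDataCounter + 16, 2)

		$AceTypeText = _DecodeAceType(Number("0x"&$AceType))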
; (continuation of _DecodeAcl_S: inside the For $j = 1 To $SAceCount loop)
        ; An unrecognised type is only logged; the ACE is still decoded and recorded.
        If $AceTypeText = "" Then
            _DumpOutput("Error: AceType invalid" & @CRLF)
            ; ContinueLoop
        EndIf
        ; (message text says "flags" but it reports the AceType byte)
        If $AceTypeText = "UNKNOWN" Then _DumpOutput("Unknown ace flags: " & $AceType & @CRLF)

        ; ACE byte 1: AceFlags.
        $AceFlags = StringMid($InputData, $StartOffset + $AceDataCounter + 18, 2)

        $AceFlagsText = _DecodeAceFlags(Number("0x"&$AceFlags))

        ; First ACE initialises the per-ACL globals, later ones are appended with $de2.
        If $j > 1 Then
            $SAceTypeText &= $de2 & $AceTypeText
            $SAceFlagsText &= $de2 & $AceFlagsText
        Else
            $SAceTypeText = $AceTypeText
            $SAceFlagsText = $AceFlagsText
        EndIf
        ; ACE bytes 2-3: AceSize (little-endian), covers the whole ACE incl. header.
        $AceSize = StringMid($InputData, $StartOffset + $AceDataCounter + 20, 4)
        $AceSize = _SwapEndian($AceSize)
        $AceSize = Dec($AceSize)

        ;Remaining bytes of ACE depends on AceType
        $Mask=""
        ;$Flags=""
        $ObjectType=""
        $InheritedObjectType=""
        $SIDString=""
        If _IsSmallAceStruct("0x"&$AceType) Then
            ; ConsoleWrite("Small struct " & @CRLF)
            ;"dword Mask;dword SidStart"
            ;https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx
            ; ACE bytes 4-7: Mask (little-endian), reported as a 0x-prefixed hex string.
            $Mask = StringMid($InputData, $StartOffset + $AceDataCounter + 24, 8)
            $Mask = "0x"&_SwapEndian($Mask)

            ; SID starts at ACE byte 8. AceSize*2 chars is more than the SID itself;
            ; _DecodeSID only reads as much as the SID header says it needs.
            $SIDString = _DecodeSID(StringMid($InputData,$StartOffset + $AceDataCounter + 32, $AceSize*2))
            If $j > 1 Then
                $SAceMask &= $de2 & $Mask
                $SAceSIDString &= $de2 & $SIDString
            Else
                $SAceMask = $Mask
                $SAceSIDString = $SIDString
            EndIf
        Else
            ; ConsoleWrite("Big struct " & @CRLF)
            ;"dword Mask;dword Flags;GUID ObjectType;GUID InheritedObjectType;dword SidStart"
            ; Object ACE layout as read here: Mask at byte 4, Flags at byte 8,
            ; ObjectType GUID at byte 12, InheritedObjectType GUID at byte 28, SID at byte 44.
            ; NOTE(review): both GUIDs and the SID are read at these fixed offsets
            ; regardless of $ObjectFlags; if an absent GUID is omitted on disk the
            ; later fields would be misread — verify against the object-ACE layout.
            $Mask = StringMid($InputData, $StartOffset + $AceDataCounter + 24, 8)
            $Mask = "0x"&_SwapEndian($Mask)

            $ObjectFlags = StringMid($InputData, $StartOffset + $AceDataCounter + 32, 8)
            $ObjectFlags = _SwapEndian($ObjectFlags)
            $ObjectFlagsText = _DecodeAceObjectFlag($ObjectFlags)

            $ObjectType = StringMid($InputData, $StartOffset + $AceDataCounter + 40, 32)
            $ObjectType = _HexToGuidStr($ObjectType)
            $InheritedObjectType = StringMid($InputData, $StartOffset + $AceDataCounter + 72, 32)
            $InheritedObjectType = _HexToGuidStr($InheritedObjectType)

            $SIDString = _DecodeSID(StringMid($InputData,$StartOffset + $AceDataCounter + 104, $AceSize*2))
            If $j > 1 Then
                $SAceMask &= $de2 & $Mask
                $SAceObjectFlagsText &= $de2 & $ObjectFlagsText
                $SAceObjectType &= $de2 & $ObjectType
                $SAceInheritedObjectType &= $de2 & $InheritedObjectType
                $SAceSIDString &= $de2 & $SIDString
            Else
                $SAceMask = $Mask
                $SAceObjectFlagsText = $ObjectFlagsText
                $SAceObjectType = $ObjectType
                $SAceInheritedObjectType = $InheritedObjectType
                $SAceSIDString = $SIDString
            EndIf
        EndIf
        #cs
        ConsoleWrite(@CRLF & "Ace number: " & $j & @CRLF)
        ConsoleWrite("$AceType: " & $AceType & @CRLF)
        ConsoleWrite("$AceTypeText: " & $AceTypeText & @CRLF)
        ConsoleWrite("$AceFlags: " & $AceFlags & @CRLF)
        ConsoleWrite("$AceFlagsText: " & $AceFlagsText & @CRLF)
        ConsoleWrite("$AceSize: " & $AceSize & @CRLF)
        ConsoleWrite("$Mask: " & $Mask & @CRLF)
        ConsoleWrite("$Flags: " & $Flags & @CRLF)
        ConsoleWrite("$ObjectType: " & $ObjectType & @CRLF)
        ConsoleWrite("$InheritedObjectType: " & $InheritedObjectType & @CRLF)
        ConsoleWrite("$SIDString: " & $SIDString & @CRLF)
        #ce
        ; Advance to the next ACE by the size the ACE header declared.
        $AceDataCounter += $AceSize*2
    Next
    ; 16 hex chars of ACL header plus all ACE bodies.
    Return $AceDataCounter + 16
EndFunc

; _DecodeAcl_D: decode an ACL (used for the DACL) from the hex string $InputData,
; which must start at the 8-byte ACL header. Same algorithm and offsets as
; _DecodeAcl_S, but the results go to the D* globals ($DAclRevision, $DAceCount,
; $DAceTypeText, $DAceFlagsText, $DAceMask, $DAceObjectFlagsText, $DAceObjectType,
; $DAceInheritedObjectType, $DAceSIDString), with successive ACEs joined by $de2.
; Unlike _DecodeAcl_S there is no "Unknown ace flags" message for an "UNKNOWN" type.
; Returns the number of hex chars consumed (16 + sum of AceSize*2), or 8 when
; the ACE count is 0.
; NOTE(review): as in _DecodeAcl_S, $DAceCount and each $AceSize are taken from
; the data without a check against StringLen($InputData).
Func _DecodeAcl_D($InputData)
    ;https://msdn.microsoft.com/en-us/library/cc230297.aspx
    Local $StartOffset = 1, $AceDataCounter = 0
    ;Global $DAclRevision,$DAceCount,$DAceTypeText,$DAceFlagsText,$DAceMask,$DAceObjectFlagsText,$DAceObjectType,$DAceInheritedObjectType,$DAceSIDString
    ; ConsoleWrite("_DecodeAcl_D() " & @CRLF)
    ; ConsoleWrite(_HexEncode("0x"&$InputData))
    ; ACL header 8 bytes
    ; Byte 0: AclRevision, kept as a 2-char hex string. Only logged if unexpected.
    $DAclRevision = StringMid($InputData, $StartOffset, 2)

    If $DAclRevision <> "02" And $DAclRevision <> "04" Then
        _DumpOutput("Error: Invalid DAclRevision: " & $DAclRevision & @CRLF)
    EndIf
    ;$Sbz1 = StringMid($InputData, $StartOffset + 2, 2)

    ; Bytes 2-3: AclSize (little-endian); decoded but not used for bounds.
    $AclSize = StringMid($InputData, $StartOffset + 4, 4)
    $AclSize = _SwapEndian($AclSize)

    $AclSize = Dec($AclSize)
    ; Bytes 4-5: AceCount (little-endian).
    $DAceCount = StringMid($InputData, $StartOffset + 8, 4)
    $DAceCount = _SwapEndian($DAceCount)

    $DAceCount = Dec($DAceCount)
    ;$Sbz2 = StringMid($InputData, $StartOffset + 12, 4)
    #cs
    ConsoleWrite("$DAclRevision: " & $DAclRevision & @CRLF)
    ConsoleWrite("$Sbz1: " & $Sbz1 & @CRLF)
    ConsoleWrite("$AclSize: " & $AclSize & @CRLF)
    ConsoleWrite("$DAceCount: " & $DAceCount & @CRLF)
    ConsoleWrite("$Sbz2: " & $Sbz2 & @CRLF)
    #ce
    If $DAceCount < 1 Then Return 8
    For $j = 1 To $DAceCount

        ;ACE_HEADER 4 bytes
        ;https://msdn.microsoft.com/en-us/library/cc230296.aspx
        ; $AceDataCounter is the hex-char offset of the current ACE within the ACE list.
        ; ACE byte 0: AceType. An unrecognised type is only logged.
        $AceType = StringMid($InputData, $StartOffset + $AceDataCounter + 16, 2)

        $AceTypeText = _DecodeAceType(Number("0x"&$AceType))
        If $AceTypeText = "" Then
            _DumpOutput("Error: AceType invalid" & @CRLF)
            ; ContinueLoop
        EndIf

        ; ACE byte 1: AceFlags.
        $AceFlags = StringMid($InputData, $StartOffset + $AceDataCounter + 18, 2)

        $AceFlagsText = _DecodeAceFlags(Number("0x"&$AceFlags))

        ; First ACE initialises the per-ACL globals, later ones are appended with $de2.
        If $j > 1 Then
            $DAceTypeText &= $de2 & $AceTypeText
            $DAceFlagsText &= $de2 & $AceFlagsText
        Else
            $DAceTypeText = $AceTypeText
            $DAceFlagsText = $AceFlagsText
        EndIf
        ; ACE bytes 2-3: AceSize (little-endian), covers the whole ACE incl. header.
        $AceSize = StringMid($InputData, $StartOffset + $AceDataCounter + 20, 4)
        $AceSize = _SwapEndian($AceSize)
        $AceSize = Dec($AceSize)

        ;Remaining bytes of ACE depends on AceType
        $Mask=""
        ;$Flags=""
        $ObjectType=""
        $InheritedObjectType=""
        $SIDString=""
        If _IsSmallAceStruct("0x"&$AceType) Then
            ; ConsoleWrite("Small struct " & @CRLF)
            ;"dword Mask;dword SidStart"
            ;https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx
            ; ACE bytes 4-7: Mask (little-endian), reported as a 0x-prefixed hex string.
            $Mask = StringMid($InputData, $StartOffset + $AceDataCounter + 24, 8)
            $Mask = "0x"&_SwapEndian($Mask)

            ; SID starts at ACE byte 8; _DecodeSID reads only what its header declares.
            $SIDString = _DecodeSID(StringMid($InputData,$StartOffset + $AceDataCounter + 32, $AceSize*2))

            If $j > 1 Then
                $DAceMask &= $de2 & $Mask
                $DAceSIDString &= $de2 & $SIDString
            Else
                $DAceMask = $Mask
                $DAceSIDString = $SIDString
            EndIf
        Else
            ; ConsoleWrite("Big struct " & @CRLF)
            ;"dword Mask;dword Flags;GUID ObjectType;GUID InheritedObjectType;dword SidStart"
            ; Object ACE layout as read here: Mask at byte 4, Flags at byte 8,
            ; ObjectType GUID at byte 12, InheritedObjectType GUID at byte 28, SID at byte 44.
            ; NOTE(review): both GUIDs are read at fixed offsets regardless of
            ; $ObjectFlags — verify against the object-ACE layout.
            $Mask = StringMid($InputData, $StartOffset + $AceDataCounter + 24, 8)
            $Mask = "0x"&_SwapEndian($Mask)

            $ObjectFlags = StringMid($InputData, $StartOffset + $AceDataCounter + 32, 8)
            $ObjectFlags = _SwapEndian($ObjectFlags)
            $ObjectFlagsText = _DecodeAceObjectFlag($ObjectFlags)

            $ObjectType = StringMid($InputData, $StartOffset + $AceDataCounter + 40, 32)
            $ObjectType = _HexToGuidStr($ObjectType)
            $InheritedObjectType = StringMid($InputData, $StartOffset + $AceDataCounter + 72, 32)
            $InheritedObjectType = _HexToGuidStr($InheritedObjectType)

            $SIDString = _DecodeSID(StringMid($InputData,$StartOffset + $AceDataCounter + 104, $AceSize*2))

            If $j > 1 Then
                $DAceMask &= $de2 & $Mask
                $DAceObjectFlagsText &= $de2 & $ObjectFlagsText
                $DAceObjectType &= $de2 & $ObjectType
                $DAceInheritedObjectType &= $de2 & $InheritedObjectType
                $DAceSIDString &= $de2 & $SIDString
            Else
                $DAceMask = $Mask
                $DAceObjectFlagsText = $ObjectFlagsText
                $DAceObjectType = $ObjectType
                $DAceInheritedObjectType = $InheritedObjectType
                $DAceSIDString = $SIDString
            EndIf
        EndIf
        #cs
ConsoleWrite(@CRLF & "Ace number: " & $j & @CRLF)
        ConsoleWrite("$AceType: " & $AceType & @CRLF)
        ConsoleWrite("$AceTypeText: " & $AceTypeText & @CRLF)
        ConsoleWrite("$AceFlags: " & $AceFlags & @CRLF)
        ConsoleWrite("$AceFlagsText: " & $AceFlagsText & @CRLF)
        ConsoleWrite("$AceSize: " & $AceSize & @CRLF)
        ConsoleWrite("$Mask: " & $Mask & @CRLF)
        ConsoleWrite("$Flags: " & $Flags & @CRLF)
        ConsoleWrite("$ObjectType: " & $ObjectType & @CRLF)
        ConsoleWrite("$InheritedObjectType: " & $InheritedObjectType & @CRLF)
        ConsoleWrite("$SIDString: " & $SIDString & @CRLF)
        #ce
        ; Advance to the next ACE by the size the ACE header declared.
        $AceDataCounter += $AceSize*2
    Next
    ; 16 hex chars of ACL header plus all ACE bodies.
    Return $AceDataCounter + 16
EndFunc

; _DecodeSID: decode a binary SID given as a hex string (1-based positions,
; 2 chars per byte) into its "S-R-I-S..." string form.
;   byte 0    Revision (must be 1)
;   byte 1    SubAuthorityCount (must be 1..15)
;   bytes 2-7 IdentifierAuthority, 6 bytes converted as-is (no byte swap)
;   byte 8+   SubAuthorityCount little-endian DWORDs
; Returns the SID string, or 0 with @error = 1 on an invalid revision or count.
; Extra trailing data in $InputData is ignored (callers pass more than the SID).
Func _DecodeSID($InputData)
    ;https://msdn.microsoft.com/en-us/library/cc230371.aspx
    Local $StartOffset = 1, $SIDString = "S"
    ; ConsoleWrite("_DecodeSID() " & @CRLF)
    ; ConsoleWrite(_HexEncode("0x"&$InputData))
    $Revision = StringMid($InputData, $StartOffset, 2)
    $Revision = Dec($Revision)
    If $Revision <> 1 Then
        _DumpOutput("Error: Revision invalid: " & $Revision & @CRLF)
        Return SetError(1,0,0)
    EndIf
    $SIDString &= "-" & $Revision
    $SubAuthorityCount = StringMid($InputData, $StartOffset + 2, 2)
    $SubAuthorityCount = Dec($SubAuthorityCount)
    If $SubAuthorityCount > 15 Then
        _DumpOutput("Error: SubAuthorityCount invalid: " & $SubAuthorityCount & @CRLF)
        Return SetError(1,0,0)
    EndIf
    ;SID_IDENTIFIER_AUTHORITY
    $IdentifierAuthority = StringMid($InputData, $StartOffset + 4, 12)
    ; ConsoleWrite("$IdentifierAuthority: " & $IdentifierAuthority & @CRLF)
    ;$IdentifierAuthorityString = _DecodeSidIdentifierAuthorityString($IdentifierAuthority)

    $IdentifierAuthority = _DecodeSidIdentifierAuthority($IdentifierAuthority)

    $SIDString &= "-" & $IdentifierAuthority
    ;SubAuthority (variable)
    ; The "> 15" half of this test is already rejected above; only the "< 1"
    ; case (a SID with no sub-authorities) is new here.
    If $SubAuthorityCount < 1 Or $SubAuthorityCount > 15 Then
        _DumpOutput("Error: $SubAuthorityCount seems invalid: " & $SubAuthorityCount & @CRLF)
        Return SetError(1,0,0)
    EndIf
    For $j = 1 To $SubAuthorityCount
        ; Sub-authority j is the 4-byte little-endian value at byte 8 + 4*(j-1).
        $SubAuthority = StringMid($InputData, $StartOffset + (($j-1)*8) + 16, 8)
        ; ConsoleWrite("$SubAuthority: " & $SubAuthority & @CRLF)
        $SIDString &= "-" & Dec(_SwapEndian($SubAuthority),2)
    Next
    #cs
    ConsoleWrite("$Revision: " & $Revision & @CRLF)
    ConsoleWrite("$SubAuthorityCount: " & $SubAuthorityCount & @CRLF)
    ConsoleWrite("$IdentifierAuthorityString: " & $IdentifierAuthorityString & @CRLF)
    ConsoleWrite("$IdentifierAuthority: " & $IdentifierAuthority & @CRLF)
    ConsoleWrite("$SIDString: " & $SIDString & @CRLF)
    #ce
    Return $SIDString
EndFunc

; _DecodeSidIdentifierAuthority: convert the 12-hex-char (6-byte) identifier
; authority to a number. No byte swap is applied, i.e. the field is treated as
; big-endian as stored.
Func _DecodeSidIdentifierAuthority($InputData)
    ; ConsoleWrite("_DecodeSidIdentifierAuthority() " & @CRLF)
    Return Dec($InputData)
EndFunc

; _DecodeSidIdentifierAuthorityString: map a 12-hex-char identifier authority
; to its well-known name, or "UNKNOWN". Its only visible caller (in _DecodeSID)
; is commented out, so it appears to be unused at present.
Func _DecodeSidIdentifierAuthorityString($InputData)
    ; ConsoleWrite("_DecodeSidIdentifierAuthorityString() " & @CRLF)
    Select
        Case $InputData = "000000000000"
            Return "NULL_SID_AUTHORITY"
        Case $InputData = "000000000001"
            Return "WORLD_SID_AUTHORITY"
        Case $InputData = "000000000002"
            Return "LOCAL_SID_AUTHORITY"
        Case $InputData = "000000000003"
            Return "CREATOR_SID_AUTHORITY"
        Case $InputData = "000000000004"
            Return "NON_UNIQUE_AUTHORITY"
        Case $InputData = "000000000005"
            Return "SECURITY_NT_AUTHORITY"
        Case $InputData = "00000000000F"
            Return "SECURITY_APP_PACKAGE_AUTHORITY"
        Case $InputData = "000000000010"
            Return "SECURITY_MANDATORY_LABEL_AUTHORITY"
        Case $InputData = "000000000011"
            Return "SECURITY_SCOPED_POLICY_ID_AUTHORITY"
        Case $InputData = "000000000012"
            Return "SECURITY_AUTHENTICATION_AUTHORITY"
        Case $InputData = "000000000013"
            Return "SECURITY_PROCESS_TRUST_AUTHORITY"
        Case Else
            Return "UNKNOWN"
    EndSelect
EndFunc

; _DecodeIndxEntriesSDH: parse a run of $SDH index entries (hex string, 1-based
; positions, 2 chars per byte) into the global $SDHArray. Row 0 holds the column
; names; entry i is stored in row i. Each entry is 48 bytes (96 hex chars):
;   +0  DataOffset (2B)   +4  DataSize (2B)   +8  padding (4B)
;   +16 IndexEntrySize (2B)  +20 IndexKeySize (2B)  +24 Flags (2B)  +28 padding (2B)
;   +32 key: hash (4B), +40 key: security id (4B)
;   +48 data: hash (4B), +56 data: security id (4B)
;   +64 OffsetInSDS (8B), +80 SizeInSDS (4B), +88 end padding "II" as UTF-16LE (4B)
; Both hash fields are kept in on-disk byte order (their swaps are commented
; out), matching the verbatim hash comparison in _DecodeSDSChunk. OffsetInSDS
; and SizeInSDS are stored as byte-swapped hex strings, not converted with Dec()
; (unlike _DecodeIndxEntriesSII).
; Side effects: $SDHArray, $CurrentDescriptor, $MaxDescriptors, $begin; in GUI
; mode a "_SDHProgress" Adlib callback runs every 500 ms while parsing.
; NOTE(review): the "$DataOffset = 0 Or $DataSize = 0" test compares a hex
; string with a number; in AutoIt that converts the string numerically, so a
; value such as "00A0" would presumably also count as 0 — confirm the intent.
Func _DecodeIndxEntriesSDH($InputData)
    Local $StartOffset = 1, $Counter = 0
    Local $InputDataSize = BinaryLen("0x"&$InputData)
    ; Sized for the maximum possible 48-byte entries plus 100 spare rows; the
    ; array is trimmed to the real count after the loop.
    ReDim $SDHArray[100+1+$InputDataSize/48][6]
    $SDHArray[0][0] = "OffsetInSDS"
    $SDHArray[0][1] = "SizeInSDS"
    $SDHArray[0][2] = "SecurityDescriptorHashKey"
    $SDHArray[0][3] = "SecurityIdKey"
    $SDHArray[0][4] = "SecurityDescriptorHashData"
    $SDHArray[0][5] = "SecurityIdData"

    ; _ArrayDisplay($SDHArray,"$SDHArray")
    ; ConsoleWrite("_DecodeIndxEntriesSDH() " & @CRLF)
    ; ConsoleWrite("Input size: " & $InputDataSize & @CRLF)
    ; ConsoleWrite("$InputData: " & @CRLF)
    ; ConsoleWrite(_HexEncode("0x"&$InputData))

    ; Estimated entry count for the progress display; corrected after the loop.
    $MaxDescriptors=UBound($SDHArray)-101
    $begin = TimerInit()
    If Not $CommandlineMode Then AdlibRegister("_SDHProgress", 500)
    While 1
        If $StartOffset >= $InputDataSize*2 Then ExitLoop
        $Counter+=1
        $CurrentDescriptor=$Counter

        $DataOffset = StringMid($InputData, $StartOffset, 4)
        $DataOffset = _SwapEndian($DataOffset)

        $DataSize = StringMid($InputData, $StartOffset + 4, 4)
        $DataSize = _SwapEndian($DataSize)

        ; A zero data offset/size shifts the cursor 8 bytes forward before the
        ; remaining fields are read (all later offsets are relative to $StartOffset).
        If $DataOffset = 0 Or $DataSize = 0 Then $StartOffset+=16

        ;Padding 4 bytes
        $IndexEntrySize = StringMid($InputData, $StartOffset + 16, 4)
        $IndexEntrySize = _SwapEndian($IndexEntrySize)

        $IndexKeySize = StringMid($InputData, $StartOffset + 20, 4)
        $IndexKeySize = _SwapEndian($IndexKeySize)

        $Flags = StringMid($InputData, $StartOffset + 24, 4)
        $Flags = _SwapEndian($Flags)

        ;Padding 2 bytes
        ;Start of SDH index entry
        ; $StartOffset = $StartOffset+24
        $SecurityDescriptorHashKey = StringMid($InputData, $StartOffset + 32, 8)
        ; $SecurityDescriptorHashKey = _SwapEndian($SecurityDescriptorHashKey)

        $SecurityIdKey = StringMid($InputData, $StartOffset + 40, 8)
        $SecurityIdKey = _SwapEndian($SecurityIdKey)

        $SecurityDescriptorHashData = StringMid($InputData, $StartOffset + 48, 8)
        ; $SecurityDescriptorHashData = _SwapEndian($SecurityDescriptorHashData)

        $SecurityIdData = StringMid($InputData, $StartOffset + 56, 8)
        $SecurityIdData = _SwapEndian($SecurityIdData)

        $OffsetInSDS = StringMid($InputData, $StartOffset + 64, 16)
        $OffsetInSDS = _SwapEndian($OffsetInSDS)

        $SizeInSDS = StringMid($InputData, $StartOffset + 80, 8)
        $SizeInSDS = _SwapEndian($SizeInSDS)

        ; Trailer check only: a wrong trailer is logged and the entry is still kept.
        $EndPadding = StringMid($InputData, $StartOffset + 88, 8)
        If $EndPadding <> "49004900" Then
            _DumpOutput("Wrong end padding (49004900): " & $EndPadding & @CRLF)
            ; Return
        EndIf
        $SDHArray[$Counter][0] = $OffsetInSDS
        $SDHArray[$Counter][1] = $SizeInSDS
        $SDHArray[$Counter][2] = $SecurityDescriptorHashKey
        $SDHArray[$Counter][3] = $SecurityIdKey
        $SDHArray[$Counter][4] = $SecurityDescriptorHashData
        $SDHArray[$Counter][5] = $SecurityIdData
        #cs
        ConsoleWrite(@CRLF)
        ConsoleWrite("$DataOffset: " & $DataOffset & @CRLF)
        ConsoleWrite("$DataSize: " & $DataSize & @CRLF)
        ConsoleWrite("$IndexEntrySize: " & $IndexEntrySize & @CRLF)
        ConsoleWrite("$IndexKeySize: " & $IndexKeySize & @CRLF)
        ConsoleWrite("$Flags: " & $Flags & @CRLF)
        ConsoleWrite("$SecurityDescriptorHashKey: " & $SecurityDescriptorHashKey & @CRLF)
        ConsoleWrite("$SecurityIdKey: " & $SecurityIdKey & @CRLF)
        ConsoleWrite("$SecurityDescriptorHashData: " & $SecurityDescriptorHashData & @CRLF)
        ConsoleWrite("$SecurityIdData: " & $SecurityIdData & @CRLF)
        ConsoleWrite("$OffsetInSDS: " & $OffsetInSDS & @CRLF)
        ConsoleWrite("$SizeInSDS: " & $SizeInSDS & @CRLF)
        #ce
        ; Fixed 48-byte stride per entry.
        $StartOffset += 96
    WEnd

; (continuation of _DecodeIndxEntriesSDH, after the entry loop)
    ; Replace the estimate with the real count so the progress bar ends at 100%.
    ; NOTE(review): if the loop never ran, $CurrentDescriptor keeps whatever value
    ; it had before and the GUI division below may be 0/0 — confirm callers never
    ; pass an empty $InputData.
    $MaxDescriptors = $CurrentDescriptor
    If Not $CommandlineMode Then
        AdlibUnRegister("_SDHProgress")
        GUICtrlSetData($ProgressStatus, "[$SDH] Processing security descriptor index entry " & $CurrentDescriptor & " of " & $MaxDescriptors)
        GUICtrlSetData($ElapsedTime, "Elapsed time = " & _WinAPI_StrFromTimeInterval(TimerDiff($begin)))
        GUICtrlSetData($ProgressSDH, 100 * $CurrentDescriptor / $MaxDescriptors)
        _DisplayInfo("$SDH processing finished in " & _WinAPI_StrFromTimeInterval(TimerDiff($begin)) & @CRLF)
    Else
        _DumpOutput("$SDH processing finished in " & _WinAPI_StrFromTimeInterval(TimerDiff($begin)) & @CRLF)
    EndIf
    ; Trim the spare rows; row 0 (headers) plus $Counter entries remain.
    ReDim $SDHArray[$Counter+1][6]
EndFunc

; _DecodeIndxEntriesSII: parse a run of $SII index entries (hex string, 1-based
; positions, 2 chars per byte) into the global $SIIArray, then sort it by
; OffsetInSDS and drop duplicate offsets. Unlike $SDHArray there is no header
; row: the first entry goes to row 0. Columns: 0 OffsetInSDS (number),
; 1 SizeInSDS (number), 2 SecurityIdKey, 3 SecurityDescriptorHashData,
; 4 SecurityIdData (the last three as hex strings; the hash is not byte-swapped).
; $StartOffset is pre-decremented by 16 so the "+16" field offsets below land on
; char 1 for the first entry; the field layout read here is otherwise the one
; _DecodeIndxEntriesSDH uses, minus the 4-byte SecurityDescriptorHashKey.
; Entries with IndexEntrySize 0 are skipped by 8 bytes, size 0x18 by 40 bytes;
; the first entry with SizeInSDS = 0 or a zero security id ends parsing.
; Side effects: $SIIArray, $CurrentDescriptor, $MaxDescriptors, $begin; in GUI
; mode a "_SIIProgress" Adlib callback runs every 500 ms while parsing.
; NOTE(review): with zero entries the GUI branch computes 0/0 and $SIIArray is
; ReDim'd to 0 rows, which _GetSDSSlack3 then indexes at -1 — confirm this
; path cannot be reached.
Func _DecodeIndxEntriesSII($InputData)
    Local $StartOffset = 1, $Counter = 0;, $unk1
    $StartOffset -= 16
    Local $InputDataSize = BinaryLen("0x"&$InputData)
    ; Sized for the maximum possible 40-byte entries plus 100 spare rows.
    ReDim $SIIArray[100+1+$InputDataSize/40][5]
    ; $SIIArray[0][0] = "OffsetInSDS"
    ; $SIIArray[0][1] = "SizeInSDS"
    ; $SIIArray[0][2] = "SecurityIdKey"
    ; $SIIArray[0][3] = "SecurityDescriptorHashData"
    ; $SIIArray[0][4] = "SecurityIdData"
    ; ConsoleWrite("_DecodeIndxEntriesSII() " & @CRLF)
    ; ConsoleWrite("Input size: " & BinaryLen("0x"&$InputData) & @CRLF)
    ; ConsoleWrite("$InputData: " & @CRLF)
    ; ConsoleWrite(_HexEncode("0x"&$InputData))

    ; Estimated entry count for the progress display; corrected after the loop.
    $MaxDescriptors=UBound($SIIArray)-101
    $begin = TimerInit()
    If Not $CommandlineMode Then AdlibRegister("_SIIProgress", 500)
    While 1
        If $StartOffset >= $InputDataSize*2 Then ExitLoop

        $IndexEntrySize = StringMid($InputData, $StartOffset + 16, 4)
        $IndexEntrySize = Dec(_SwapEndian($IndexEntrySize))

        If $IndexEntrySize = 0 Then
            $StartOffset += 16
            ContinueLoop
        EndIf
        If $IndexEntrySize = 0x18 Then
            $StartOffset += 80
            ContinueLoop
        EndIf

        $IndexKeySize = StringMid($InputData, $StartOffset + 20, 4)
        $IndexKeySize = Dec(_SwapEndian($IndexKeySize))

        $Flags = StringMid($InputData, $StartOffset + 24, 4)
        $Flags = _SwapEndian($Flags)

        ;Padding 2 bytes
        $SecurityIdKey = StringMid($InputData, $StartOffset + 32, 8)
        $SecurityIdKey = _SwapEndian($SecurityIdKey)

        $SecurityDescriptorHashData = StringMid($InputData, $StartOffset + 40, 8)
        ; $SecurityDescriptorHashData = _SwapEndian($SecurityDescriptorHashData)

        $SecurityIdData = StringMid($InputData, $StartOffset + 48, 8)
        $SecurityIdData = _SwapEndian($SecurityIdData)

        ; Offset/size are converted to numbers here because _GetSDSSlack1/3 do
        ; arithmetic on them.
        $OffsetInSDS = StringMid($InputData, $StartOffset + 56, 16)
        $OffsetInSDS = Dec(_SwapEndian($OffsetInSDS))

        $SizeInSDS = StringMid($InputData, $StartOffset + 72, 8)
        $SizeInSDS = Dec(_SwapEndian($SizeInSDS))

        #cs
        ConsoleWrite(@CRLF)
        ConsoleWrite("Offset: 0x" & Hex(Int(($StartOffset+15)/2), 8) & @CRLF)
        ConsoleWrite("$IndexEntrySize: " & $IndexEntrySize & @CRLF)
        ConsoleWrite("$IndexKeySize: " & $IndexKeySize & @CRLF)
        ConsoleWrite("$Flags: " & $Flags & @CRLF)
        ConsoleWrite("$SecurityIdKey: " & $SecurityIdKey & @CRLF)
        ConsoleWrite("$SecurityDescriptorHashData: " & $SecurityDescriptorHashData & @CRLF)
        ConsoleWrite("$SecurityIdData: " & $SecurityIdData & @CRLF)
        ConsoleWrite("$OffsetInSDS: " & $OffsetInSDS & @CRLF)
        ConsoleWrite("$SizeInSDS: " & $SizeInSDS & @CRLF)
        #ce

        ; A zero size or zero security id ends parsing entirely (ExitLoop, not skip).
        If $SizeInSDS = 0 Or Dec($SecurityIdKey) = 0 Or Dec($SecurityIdData) = 0 Then
            ;ConsoleWrite("Bad entry.." & @CRLF)
            ExitLoop
        EndIf

        $SIIArray[$Counter][0] = $OffsetInSDS
        $SIIArray[$Counter][1] = $SizeInSDS
        $SIIArray[$Counter][2] = $SecurityIdKey
        $SIIArray[$Counter][3] = $SecurityDescriptorHashData
        $SIIArray[$Counter][4] = $SecurityIdData

        ; Stride: 40 bytes for the common 0x10 entries, else the declared size.
        If $IndexEntrySize = 0x10 Then
            $StartOffset += 80
        Else
            ; what's the deal about the 0x30 ones?
            $StartOffset += $IndexEntrySize * 2
        EndIf

        $Counter += 1

    WEnd
    $CurrentDescriptor = $Counter
    $MaxDescriptors = $CurrentDescriptor
    If Not $CommandlineMode Then
        AdlibUnRegister("_SIIProgress")
        GUICtrlSetData($ProgressStatus, "[$SII] Processing security descriptor index entry " & $CurrentDescriptor & " of " & $MaxDescriptors)
        GUICtrlSetData($ElapsedTime, "Elapsed time = " & _WinAPI_StrFromTimeInterval(TimerDiff($begin)))
        GUICtrlSetData($ProgressSII, 100 * $CurrentDescriptor / $MaxDescriptors)
        _DisplayInfo("$SII processing finished in " & _WinAPI_StrFromTimeInterval(TimerDiff($begin)) & @CRLF)
        _DisplayInfo("Sorting data. Please wait..." & @CRLF)
    Else
        _DumpOutput("$SII processing finished in " & _WinAPI_StrFromTimeInterval(TimerDiff($begin)) & @CRLF)
        _DumpOutput("Sorting data. Please wait..." & @CRLF)
    EndIf
    ; Trim to the real count, sort ascending on column 0 (OffsetInSDS), then
    ; remove rows that repeat an offset; _MyArrayUnique2 is O(n^2).
    ReDim $SIIArray[$Counter][5]
    _ArraySort($SIIArray, 0, 0, 0, 0, 0)
    $aUnique = _MyArrayUnique2($SIIArray, 0, 0)
    _ArraySort($aUnique, 0, 0, 0, 0, 0)
    _DumpOutput("Duplicate entries removed: " & UBound($SIIArray) - UBound($aUnique) & @CRLF)
    $SIIArray = $aUnique
    ;_ArrayDisplay($SIIArray, "$SIIArray")
EndFunc

; _GetSDSSlack1: walk the (offset-sorted, de-duplicated) global $SIIArray and
; copy the gaps between consecutive descriptors from the $SDS file handle $hFile
; to $hFileOut. A gap is the distance from the end of entry i
; (OffsetInSDS + SizeInSDS) to the start of entry i+1; gaps of 0x20 bytes or
; less are ignored.
; NOTE(review): the gap is measured from the end of entry i but the copy starts
; at $SIIArray[$i][0], the *start* of entry i, so the copied range is the first
; $diff bytes of the descriptor rather than the slack after it — confirm whether
; this is intended or the start should be $SIIArray[$i][0] + $SIIArray[$i][1].
Func _GetSDSSlack1($hFile, $hFileOut)
    Local $diff=0
    ;ConsoleWrite("_GetSDSSlack1(): " & @CRLF)
    For $i = 0 To UBound($SIIArray) - 2
        $diff = $SIIArray[$i + 1][0] - ($SIIArray[$i][0] + $SIIArray[$i][1])
        ;ConsoleWrite("$diff: " & $diff & @CRLF)
        If $diff > 0x20 Then
            ;ConsoleWrite("Writing slack bytes: " & $diff & @CRLF)
            _WriteFromOffset($hFile, $SIIArray[$i][0], $diff, $hFileOut)
        EndIf
    Next
EndFunc

; _GetSDSSlack2: write the bytes encoded by the hex string $inputData (no "0x"
; prefix) to the file handle $hFileOut. On a WriteFile failure the error is
; logged and the script exits; the number of bytes actually written ($nBytes)
; is not compared with the buffer size.
Func _GetSDSSlack2($hFileOut, $inputData)
    ;ConsoleWrite("_GetSDSSlack2(): " & @CRLF)
    Local $nBytes
    Local $tBuffer = DllStructCreate("byte[" & StringLen($inputData)/2 & "]")
    ;ConsoleWrite("DllStructCreate: " & @error & @CRLF)
    DllStructSetData($tBuffer, 1, "0x" & $inputData)
    ;ConsoleWrite("DllStructSetData: " & @error & @CRLF)
    ;ConsoleWrite("Writing bytes: " & DllStructGetSize($tBuffer) & @CRLF)
    If Not _WinAPI_WriteFile($hFileOut, DllStructGetPtr($tBuffer), DllStructGetSize($tBuffer), $nBytes) Then
        _DumpOutput("Error in WriteFile." & @CRLF)
        Exit
    EndIf
EndFunc

; _GetSDSSlack3: copy whatever follows the last descriptor in $SIIArray, from
; the next 512-byte boundary after its end up to the end of the $SDS file
; ($hFile), to $hFileOut. Does nothing when that range is empty.
; NOTE(review): when $endOfData is already 512-aligned, Mod() is 0 and the start
; is pushed a full sector (512 bytes) past it, so an aligned trailing sector
; would be skipped — confirm. Also assumes $SIIArray has at least one row.
Func _GetSDSSlack3($hFile, $hFileOut)
    ;ConsoleWrite("_GetSDSSlack3(): " & @CRLF)

    Local $filesize = _WinAPI_GetFileSizeEx($hFile)
    Local $endOfData = $SIIArray[UBound($SIIArray) - 1][0] + $SIIArray[UBound($SIIArray) - 1][1]
    Local $sectorOffset = $endOfData + (512 - Mod($endOfData, 512))
    Local $diff = $filesize - $sectorOffset

    ;ConsoleWrite("$filesize: " & $filesize & @CRLF)
    ;ConsoleWrite("$endOfData: " & $endOfData & @CRLF)
    ;ConsoleWrite("$sectorOffset: " & $sectorOffset & @CRLF)
    ;ConsoleWrite("$diff: " & $diff & @CRLF)

    If $diff < 1 Then
        ;ConsoleWrite("No slack to dump at the end" & @CRLF)
        Return
    EndIf

    ;ConsoleWrite("Writing last slack bytes from offset: " & $sectorOffset & @CRLF)
    _WriteFromOffset($hFile, $sectorOffset, $diff, $hFileOut)

EndFunc

; _WriteFromOffset: read $size bytes from absolute offset $offset of $hFile and
; write them to $hFileOut. On a read or write failure the error is logged,
; $hFile is closed and the script exits.
; NOTE(review): $hFileOut is not closed on the failure paths, and a short read
; ($nBytes < $size) is not detected — the full $size bytes of the buffer,
; including any unread tail, are written out.
Func _WriteFromOffset($hFile, $offset, $size, $hFileOut)
    Local $nBytes
    _WinAPI_SetFilePointerEx($hFile, $offset, $FILE_BEGIN)
    Local $tBuffer = DllStructCreate("byte[" & $size & "]")
    ;ConsoleWrite("DllStructCreate: " & @error & @CRLF)
    If Not _WinAPI_ReadFile($hFile, DllStructGetPtr($tBuffer), $size, $nBytes) Then
        _DumpOutput("Error in ReadFile." & @CRLF)
        _WinAPI_CloseHandle($hFile)
        Exit
    EndIf
    If Not _WinAPI_WriteFile($hFileOut, DllStructGetPtr($tBuffer), $size, $nBytes) Then
        _DumpOutput("Error in WriteFile." & @CRLF)
        _WinAPI_CloseHandle($hFile)
        Exit
    EndIf
EndFunc

; _MyArrayUnique2: return a copy of the 2-D array $aArray keeping only the first
; row for each distinct value in column $refColumn (rows compared with "=",
; i.e. case-insensitively for strings). When a later duplicate has a non-empty
; value in column $columnDataKeep and the kept row's value there is "", the
; kept row is back-filled with it. With $refColumn = $columnDataKeep (as called
; from _DecodeIndxEntriesSII) that back-fill can never trigger.
; Quadratic: every row is compared against every kept row, and the result is
; grown one row at a time with ReDim.
Func _MyArrayUnique2(Const ByRef $aArray, $refColumn, $columnDataKeep)
    ; for multi dimensional arrays
    ; will be extremely slow for large arrays
    ; assume already sorted

    Local $columns = UBound($aArray, 2)
    Local $aNewArray[0][$columns]
    Local $counter = 0, $Found

    For $i = 0 To UBound($aArray) - 1

        $Found = 0
        For $j = 0 To UBound($aNewArray) - 1

            If $aArray[$i][$refColumn] = $aNewArray[$j][$refColumn] Then
                If $aArray[$i][$columnDataKeep] <> "" And $aNewArray[$j][$columnDataKeep] = "" Then
                    $aNewArray[$j][$columnDataKeep] = $aArray[$i][$columnDataKeep]
                EndIf
                $Found = 1
                ExitLoop
            EndIf
        Next

        If $Found = 0 Then
            $counter += 1
            ReDim $aNewArray[$counter][$columns]
            For $j = 0 To $columns - 1
                $aNewArray[$counter - 1][$j] = $aArray[$i][$j]
            Next
        EndIf
    Next
    Return $aNewArray
EndFunc

; _SwapEndian: reverse the byte order of a hex string (no "0x" prefix) and
; return it as a hex string of the same length. Works by converting to a 64-bit
; integer (Dec(..., 2)), taking its little-endian Binary() image as text, and
; cutting StringLen($iHex) chars after the "0x" prefix. Intended for inputs of
; up to 16 hex chars; Dec() of a non-hex string yields 0, so garbage in gives
; a zero string out.
Func _SwapEndian($iHex)
    Return StringMid(Binary(Dec($iHex,2)),3, StringLen($iHex))
EndFunc

; _HexEncode: format the binary value $bInput as a hex dump via
; CryptBinaryToString with flag 11 (CRYPT_STRING_HEXASCIIADDR: hex bytes with
; address and ASCII columns). The API is called twice: once to size the output,
; once to fill it. Returns "" with @error = 1 (size query failed) or 2
; (formatting failed). Used only by the commented-out debug lines in this chunk.
Func _HexEncode($bInput)
    Local $tInput = DllStructCreate("byte[" & BinaryLen($bInput) & "]")
    DllStructSetData($tInput, 1, $bInput)
    Local $a_iCall = DllCall("crypt32.dll", "int", "CryptBinaryToString", _
            "ptr", DllStructGetPtr($tInput), _
            "dword", DllStructGetSize($tInput), _
            "dword", 11, _
            "ptr", 0, _
            "dword*", 0)

    If @error Or Not $a_iCall[0] Then
        Return SetError(1, 0, "")
    EndIf
    Local $iSize = $a_iCall[5]
    Local $tOut = DllStructCreate("char[" & $iSize & "]")
    $a_iCall = DllCall("crypt32.dll", "int", "CryptBinaryToString", _
            "ptr", DllStructGetPtr($tInput), _
            "dword", DllStructGetSize($tInput), _
            "dword", 11, _
            "ptr", DllStructGetPtr($tOut), _
            "dword*", $iSize)

    If @error Or Not $a_iCall[0] Then
        Return SetError(2, 0, "")
    EndIf

    Return SetError(0, 0, DllStructGetData($tOut, 1))
EndFunc

; _GetIndx: split $Entry (a hex string holding consecutive INDX records of
; 8192 hex chars = 4096 bytes each) into records, verify each starts with the
; "INDX" magic, apply the update-sequence fixups via _StripIndxRecord and
; concatenate the resulting index-entry data. Records without the magic are
; logged and skipped. Returns the concatenated entry data.
; Scanning starts at char 3, i.e. the first two chars of $Entry are skipped —
; presumably a leading "0x" prefix; confirm against the caller.
Func _GetIndx($Entry)
    ; ConsoleWrite("Starting function _Get_IndexAllocation()" & @crlf)
    Local $NextPosition = 3,$IndxHdrMagic,$IndxEntries,$TotalIndxEntries
    ; ConsoleWrite("StringLen of chunk = " & StringLen($Entry) & @crlf)
    ; ConsoleWrite("Expected records = " & StringLen($Entry)/8192 & @crlf)
    ; $NextPosition = 1
    Do
        If $NextPosition >= StringLen($Entry) Then ExitLoop
        ; ConsoleWrite("$NextPosition = " & $NextPosition/2 & @crlf)
        $IndxHdrMagic = StringMid($Entry,$NextPosition,8)
        ; ConsoleWrite("$IndxHdrMagic = " & $IndxHdrMagic & @crlf)
        $IndxHdrMagic = _HexToString($IndxHdrMagic)
        ; ConsoleWrite("$IndxHdrMagic = " & $IndxHdrMagic & @crlf)
        If $IndxHdrMagic <> "INDX" Then
            ; ConsoleWrite("$IndxHdrMagic: " & $IndxHdrMagic & @crlf)
            _DumpOutput("Error: Record is not of type INDX, and this was not expected.." & @crlf)
            $NextPosition += 8192
            ContinueLoop
        EndIf
        $IndxEntries = _StripIndxRecord(StringMid($Entry,$NextPosition,8192))
        ; ConsoleWrite(_HexEncode("0x"&$IndxEntries) & @crlf)
        $TotalIndxEntries &= $IndxEntries
        $NextPosition += 8192
    Until $NextPosition >= StringLen($Entry);+32
    ; ConsoleWrite("INDX record:" & @crlf)
    ; ConsoleWrite(_HexEncode("0x"& StringMid($Entry,1)) & @crlf)
    ; ConsoleWrite("Total chunk of stripped INDX entries:" & @crlf)
    ; ConsoleWrite(_HexEncode("0x"& StringMid($TotalIndxEntries,1)) & @crlf)
    ; _DecodeIndxEntriesSDH($TotalIndxEntries)
    Return $TotalIndxEntries
EndFunc

; _StripIndxRecord: take one 4096-byte INDX record as a hex string (8192 chars,
; 1-based positions), apply the NTFS update-sequence fixups and return just the
; index-entry data (the part after the index header). Returns nothing (empty)
; and logs an error when the record fails the fixup check.
; Fixup handling: the update sequence array offset (record bytes 4-5) and size
; (bytes 6-7) locate the array; Part0 is the update sequence number, Parts 1-7
; are the values to restore. The last 2 bytes of each 512-byte sector
; (chars 1021-1024, 2045-2048, ... 8189-8192) must all equal Part0, otherwise
; the whole record is rejected.
; NOTE(review): only seven fixups are applied and the reassembled record is
; 8188 chars: the eighth sector's fixup slot (its last two bytes) is dropped
; rather than replaced with Part8 (commented out), so entry data ending in
; those two bytes would be truncated — confirm this is intentional.
Func _StripIndxRecord($Entry)
    ; ConsoleWrite("Starting function _StripIndxRecord()" & @crlf)
    Local $LocalAttributeOffset = 1,$IndxHdrUpdateSeqArrOffset,$IndxHdrUpdateSeqArrSize,$IndxHdrUpdSeqArr,$IndxHdrUpdSeqArrPart0,$IndxHdrUpdSeqArrPart1,$IndxHdrUpdSeqArrPart2,$IndxHdrUpdSeqArrPart3,$IndxHdrUpdSeqArrPart4,$IndxHdrUpdSeqArrPart5,$IndxHdrUpdSeqArrPart6,$IndxHdrUpdSeqArrPart7
    Local $IndxRecordEnd1,$IndxRecordEnd2,$IndxRecordEnd3,$IndxRecordEnd4,$IndxRecordEnd5,$IndxRecordEnd6,$IndxRecordEnd7,$IndxRecordEnd8,$IndxRecordSize,$IndxHeaderSize,$IsNotLeafNode
    ; ConsoleWrite("Unfixed INDX record:" & @crlf)
    ; ConsoleWrite(_HexEncode("0x"&$Entry) & @crlf)
    ; ConsoleWrite(_HexEncode("0x" & StringMid($Entry,1,4096)) & @crlf)
    $IndxHdrUpdateSeqArrOffset = Dec(_SwapEndian(StringMid($Entry,$LocalAttributeOffset+8,4)))
    ; ConsoleWrite("$IndxHdrUpdateSeqArrOffset = " & $IndxHdrUpdateSeqArrOffset & @crlf)
    $IndxHdrUpdateSeqArrSize = Dec(_SwapEndian(StringMid($Entry,$LocalAttributeOffset+12,4)))
    ; ConsoleWrite("$IndxHdrUpdateSeqArrSize = " & $IndxHdrUpdateSeqArrSize & @crlf)
    ; Array of $IndxHdrUpdateSeqArrSize 16-bit words: size*2 bytes = size*4 chars.
    $IndxHdrUpdSeqArr = StringMid($Entry,1+($IndxHdrUpdateSeqArrOffset*2),$IndxHdrUpdateSeqArrSize*2*2)
    ; ConsoleWrite("$IndxHdrUpdSeqArr = " & $IndxHdrUpdSeqArr & @crlf)
    $IndxHdrUpdSeqArrPart0 = StringMid($IndxHdrUpdSeqArr,1,4)
    $IndxHdrUpdSeqArrPart1 = StringMid($IndxHdrUpdSeqArr,5,4)
    $IndxHdrUpdSeqArrPart2 = StringMid($IndxHdrUpdSeqArr,9,4)
    $IndxHdrUpdSeqArrPart3 = StringMid($IndxHdrUpdSeqArr,13,4)
    $IndxHdrUpdSeqArrPart4 = StringMid($IndxHdrUpdSeqArr,17,4)
    $IndxHdrUpdSeqArrPart5 = StringMid($IndxHdrUpdSeqArr,21,4)
    $IndxHdrUpdSeqArrPart6 = StringMid($IndxHdrUpdSeqArr,25,4)
    $IndxHdrUpdSeqArrPart7 = StringMid($IndxHdrUpdSeqArr,29,4)
    ;$IndxHdrUpdSeqArrPart8 = StringMid($IndxHdrUpdSeqArr,33,4)
    ; Last two bytes of each of the eight 512-byte sectors.
    $IndxRecordEnd1 = StringMid($Entry,1021,4)
    $IndxRecordEnd2 = StringMid($Entry,2045,4)
    $IndxRecordEnd3 = StringMid($Entry,3069,4)
    $IndxRecordEnd4 = StringMid($Entry,4093,4)
    $IndxRecordEnd5 = StringMid($Entry,5117,4)
    $IndxRecordEnd6 = StringMid($Entry,6141,4)
    $IndxRecordEnd7 = StringMid($Entry,7165,4)
    $IndxRecordEnd8 = StringMid($Entry,8189,4)
    If $IndxHdrUpdSeqArrPart0 <> $IndxRecordEnd1 OR $IndxHdrUpdSeqArrPart0 <> $IndxRecordEnd2 OR $IndxHdrUpdSeqArrPart0 <> $IndxRecordEnd3 OR $IndxHdrUpdSeqArrPart0 <> $IndxRecordEnd4 OR $IndxHdrUpdSeqArrPart0 <> $IndxRecordEnd5 OR $IndxHdrUpdSeqArrPart0 <> $IndxRecordEnd6 OR $IndxHdrUpdSeqArrPart0 <> $IndxRecordEnd7 OR $IndxHdrUpdSeqArrPart0 <> $IndxRecordEnd8 Then
        _DumpOutput("Error the INDX record is corrupt" & @CRLF)
        Return ; Not really correct because I think in theory chunks of 1024 bytes can be invalid and not just everything or nothing for the given INDX record.
1319 | Else 1320 | $Entry = StringMid($Entry,1,1020) & $IndxHdrUpdSeqArrPart1 & StringMid($Entry,1025,1020) & $IndxHdrUpdSeqArrPart2 & StringMid($Entry,2049,1020) & $IndxHdrUpdSeqArrPart3 & StringMid($Entry,3073,1020) & $IndxHdrUpdSeqArrPart4 & StringMid($Entry,4097,1020) & $IndxHdrUpdSeqArrPart5 & StringMid($Entry,5121,1020) & $IndxHdrUpdSeqArrPart6 & StringMid($Entry,6145,1020) & $IndxHdrUpdSeqArrPart7 & StringMid($Entry,7169,1020) 1321 | EndIf 1322 | $IndxRecordSize = Dec(_SwapEndian(StringMid($Entry,$LocalAttributeOffset+56,8)),2) 1323 | ; ConsoleWrite("$IndxRecordSize = " & $IndxRecordSize & @crlf) 1324 | $IndxHeaderSize = Dec(_SwapEndian(StringMid($Entry,$LocalAttributeOffset+48,8)),2) 1325 | ; ConsoleWrite("$IndxHeaderSize = " & $IndxHeaderSize & @crlf) 1326 | If $IndxHeaderSize = 0x28 Then 1327 | $IndxHeaderSize += 0x8 1328 | $IndxRecordSize -= 0x10 1329 | EndIf 1330 | ; ConsoleWrite("$IndxRecordSize = 0x" & Hex($IndxRecordSize, 4) & @crlf) 1331 | ; ConsoleWrite("$IndxHeaderSize = 0x" & Hex($IndxHeaderSize, 4) & @crlf) 1332 | $IsNotLeafNode = StringMid($Entry,$LocalAttributeOffset+72,2) ;1 if not leaf node 1333 | ;$Entry = StringMid($Entry,$LocalAttributeOffset+48+($IndxHeaderSize*2),($IndxRecordSize-$IndxHeaderSize-16)*2) 1334 | $Entry = StringMid($Entry,$LocalAttributeOffset+48+($IndxHeaderSize*2),($IndxRecordSize)*2) 1335 | If $IsNotLeafNode = "01" Then ; This flag leads to the entry being 8 bytes of 00's longer than the others. Can be stripped I think. 1336 | $Entry = StringTrimRight($Entry,16) 1337 | ; ConsoleWrite("Is not leaf node..." 
& @crlf) 1338 | EndIf 1339 | Return $Entry 1340 | EndFunc 1341 | 1342 | Func _WriteCSVHeader() 1343 | $Secure_Csv_Header = "Offset"&$de&"SecurityDescriptorHash"&$de&"SecurityId"&$de&"Control"&$de&"SidOwner"&$de&"SidGroup"&$de&"SAclRevision"&$de&"SAceCount"&$de&"SAceType"&$de&"SAceFlags"&$de&"SAceMask"&$de&"SAceObjectFlags"&$de&"SAceObjectType"&$de&"SAceInheritedObjectType"&$de&"SAceSIDofTrustee"&$de&"DAclRevision"&$de&"DAceCount"&$de&"DAceType"&$de&"DAceFlags"&$de&"DAceMask"&$de&"DAceObjectFlags"&$de&"DAceObjectType"&$de&"DAceInheritedObjectType"&$de&"DAceSIDofTrustee" 1344 | FileWriteLine($hSecureCsv, $Secure_Csv_Header & @CRLF) 1345 | EndFunc 1346 | 1347 | Func _WriteCsv() 1348 | If $WithQuotes Then 1349 | FileWriteLine($hSecureCsv, '"'&$TargetSDSOffsetHex&'"'&$de&'"'&$SecurityDescriptorHash&'"'&$de&'"'&$SecurityId&'"'&$de&'"'&$ControlText&'"'&$de&'"'&$SidOwner&'"'&$de&'"'&$SidGroup&'"'&$de&'"'&$SAclRevision&'"'&$de&'"'&$SAceCount&'"'&$de&'"'&$SAceTypeText&'"'&$de&'"'&$SAceFlagsText&'"'&$de&'"'&$SAceMask&'"'&$de&'"'&$SAceObjectFlagsText&'"'&$de&'"'&$SAceObjectType&'"'&$de&'"'&$SAceInheritedObjectType&'"'&$de&'"'&$SAceSIDString&'"'&$de&'"'&$DAclRevision&'"'&$de&'"'&$DAceCount&'"'&$de&'"'&$DAceTypeText&'"'&$de&'"'&$DAceFlagsText&'"'&$de&'"'&$DAceMask&'"'&$de&'"'&$DAceObjectFlagsText&'"'&$de&'"'&$DAceObjectType&'"'&$de&'"'&$DAceInheritedObjectType&'"'&$de&'"'&$DAceSIDString&'"'&@CRLF) 1350 | Else 1351 | FileWriteLine($hSecureCsv, $TargetSDSOffsetHex&$de&$SecurityDescriptorHash&$de&$SecurityId&$de&$ControlText&$de&$SidOwner&$de&$SidGroup&$de&$SAclRevision&$de&$SAceCount&$de&$SAceTypeText&$de&$SAceFlagsText&$de&$SAceMask&$de&$SAceObjectFlagsText&$de&$SAceObjectType&$de&$SAceInheritedObjectType&$de&$SAceSIDString&$de&$DAclRevision&$de&$DAceCount&$de&$DAceTypeText&$de&$DAceFlagsText&$de&$DAceMask&$de&$DAceObjectFlagsText&$de&$DAceObjectType&$de&$DAceInheritedObjectType&$de&$DAceSIDString&@crlf) 1352 | EndIf 1353 | EndFunc 1354 | 1355 | Func _ClearVar() 1356 | 
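$TargetSDSOffsetHex = ""
    $SecurityDescriptorHash = ""
    $SecurityId = ""
    $ControlText = ""
    $SidOwner = ""
    $SidGroup = ""
    $SAclRevision = ""
    $SAceCount = ""
    $SAceTypeText = ""
    $SAceFlagsText = ""
    $SAceMask = ""
    $SAceObjectType = ""
    $SAceInheritedObjectType = ""
    $SAceSIDString = ""
    $SAceObjectFlagsText = ""
    $DAclRevision = ""
    $DAceCount = ""
    $DAceTypeText = ""
    $DAceFlagsText = ""
    $DAceMask = ""
    $DAceObjectType = ""
    $DAceInheritedObjectType = ""
    $DAceSIDString = ""
    $DAceObjectFlagsText = ""
EndFunc

; Normalises the field separator GUI input to its first character and shows
; that character's byte value as 0xNN in the second separator field.
Func _TranslateSeparator()
    ; Or do it the other way around to allow setting other trickier separators, like specifying it in hex
    GUICtrlSetData($SeparatorInput,StringLeft(GUICtrlRead($SeparatorInput),1))
    GUICtrlSetData($SeparatorInput2,"0x"&Hex(Asc(GUICtrlRead($SeparatorInput)),2))
EndFunc

; Same as _TranslateSeparator() for the ACE separator input pair.
Func _TranslateSeparatorAce()
    ; Or do it the other way around to allow setting other trickier separators, like specifying it in hex
    GUICtrlSetData($AceSeparatorInput,StringLeft(GUICtrlRead($AceSeparatorInput),1))
    GUICtrlSetData($AceSeparatorInput2,"0x"&Hex(Asc(GUICtrlRead($AceSeparatorInput)),2))
EndFunc

; Lets the user pick the $SDS input file and stores the path in $SDSFile and
; the $SDSField control. Unlike _SelectSDH()/_SelectSII() no Do* flag is set,
; so the error case only reports; presumably $SDS is mandatory and checked elsewhere.
Func _SelectSDS()
    $SDSFile = FileOpenDialog("Select $SDS",@ScriptDir,"All (*.*)")
    If @error Then
        _DisplayInfo("Error getting $SDS: " & $SDSFile & @CRLF)
        GUICtrlSetData($SDSField,"Error getting $SDS")
    Else
        ; _DisplayInfo("Selected $SDS: " & $SDSFile & @CRLF)
        GUICtrlSetData($SDSField,$SDSFile)
    EndIf
EndFunc

; Lets the user pick the $SDH input file; stores the path in $SDHFile and the
; $SDHField control and sets $DoSDH (1 = process $SDH, 0 = skip it).
Func _SelectSDH()
    $SDHFile = FileOpenDialog("Select $SDH",@ScriptDir,"All (*.*)")
    If @error Then
        _DisplayInfo("Error getting $SDH: " & $SDHFile & @CRLF)
        GUICtrlSetData($SDHField,"Error getting $SDH")
        $DoSDH=0
    Else
        ; _DisplayInfo("Selected $SDH: " & $SDHFile & @CRLF)
        GUICtrlSetData($SDHField,$SDHFile)
        $DoSDH=1
    EndIf
EndFunc

; Lets the user pick the $SII input file; stores the path in $SIIFile and the
; $SIIField control and sets $DoSII (1 = process $SII, 0 = skip it).
Func _SelectSII()
    $SIIFile = FileOpenDialog("Select $SII",@ScriptDir,"All (*.*)")
    If @error Then
        _DisplayInfo("Error getting $SII: " & $SIIFile & @CRLF)
        GUICtrlSetData($SIIField,"Error getting $SII")
        $DoSII=0
    Else
        ; _DisplayInfo("Selected $SII: " & $SIIFile & @CRLF)
        GUICtrlSetData($SIIField,$SIIFile)
        $DoSII=1
    EndIf
EndFunc

; Shows $DebugInfo in the $myctredit edit control; the third argument (1)
; is presumably the append flag, so earlier messages are kept.
Func _DisplayInfo($DebugInfo)
    GUICtrlSetData($myctredit, $DebugInfo, 1)
EndFunc

; Updates the status text, elapsed time and $SDS progress bar from the
; globals $CurrentDescriptor, $MaxDescriptors and $begin.
; Assumes $MaxDescriptors > 0 - confirm at the call site.
Func _SDSProgress()
    GUICtrlSetData($ProgressStatus, "[$SDS] Processing security descriptor " & $CurrentDescriptor & " of " & $MaxDescriptors)
    GUICtrlSetData($ElapsedTime, "Elapsed time = " & _WinAPI_StrFromTimeInterval(TimerDiff($begin)))
    GUICtrlSetData($ProgressSDS, 100 * $CurrentDescriptor / $MaxDescriptors)
EndFunc

; As _SDSProgress(), for the $SDH index pass and the $ProgressSDH bar.
Func _SDHProgress()
    GUICtrlSetData($ProgressStatus, "[$SDH] Processing security descriptor index entry " & $CurrentDescriptor & " of " & $MaxDescriptors)
    GUICtrlSetData($ElapsedTime, "Elapsed time = " & _WinAPI_StrFromTimeInterval(TimerDiff($begin)))
    GUICtrlSetData($ProgressSDH, 100 * $CurrentDescriptor / $MaxDescriptors)
EndFunc

; As _SDSProgress(), for the $SII index pass and the $ProgressSII bar.
Func _SIIProgress()
    GUICtrlSetData($ProgressStatus, "[$SII] Processing security descriptor index entry " & $CurrentDescriptor & " of " & $MaxDescriptors)
    GUICtrlSetData($ElapsedTime, "Elapsed time = " & _WinAPI_StrFromTimeInterval(TimerDiff($begin)))
    GUICtrlSetData($ProgressSII, 100 * $CurrentDescriptor / $MaxDescriptors)
EndFunc

; Formats a 16-byte GUID given as 32 hex characters into the usual
; {8-4-4-4-12} text form. The first three groups are byte-swapped
; (little-endian on disk); the last two are kept in byte order.
;   $input - hex string; anything that is not exactly 32 characters is
;            returned unchanged so callers can pass empty/absent fields.
; The previous guard, "If Not StringLen($input) = 32", never fired: NOT binds
; tighter than "=", so it compared a boolean with 32 and non-GUID input was
; mangled into a "{...}" string.
Func _HexToGuidStr($input)
    ;{4b-2b-2b-2b-6b}
    Local $OutStr
    If StringLen($input) <> 32 Then Return $input
    $OutStr = "{"
    $OutStr &= _SwapEndian(StringMid($input,1,8)) & "-"
    $OutStr &= _SwapEndian(StringMid($input,9,4)) & "-"
    $OutStr &= _SwapEndian(StringMid($input,13,4)) & "-"
    $OutStr &= StringMid($input,17,4) & "-"
    $OutStr &= StringMid($input,21,12)
    $OutStr &= "}"
    Return $OutStr
EndFunc

; Parses the command line ($cmdline[0] holds the argument count) into the
; globals $SDSFile, $SIIFile, $OutputPath, $SeparatorInput and
; $AceSeparatorInput, then validates them:
;   - a missing $SDSFile is fatal (Exit);
;   - a missing $SDHFile / $SIIFile only disables that pass ($DoSDH/$DoSII = 0);
;   - a missing $OutputPath falls back to @ScriptDir;
;   - separators must be exactly one character, otherwise "|" and ":" are
;     used; the results are published as $de and $de2.
; Note: "/SDHFile:" parsing is commented out, so $SDHFile keeps whatever
; value it had before this call. Prefix matches use "=", which in AutoIt
; compares strings case-insensitively.
Func _GetInputParams()
    ;Local $TimeZone, $OutputFormat, $ScanMode
    For $i = 1 To $cmdline[0]
        ;ConsoleWrite("Param " & $i & ": " & $cmdline[$i] & @CRLF)
        If StringLeft($cmdline[$i],9) = "/SDSFile:" Then $SDSFile = StringMid($cmdline[$i],10)
        ;If StringLeft($cmdline[$i],9) = "/SDHFile:" Then $SDHFile = StringMid($cmdline[$i],10)
        If StringLeft($cmdline[$i],9) = "/SIIFile:" Then $SIIFile = StringMid($cmdline[$i],10)
        If StringLeft($cmdline[$i],12) = "/OutputPath:" Then $OutputPath = StringMid($cmdline[$i],13)
        If StringLeft($cmdline[$i],11) = "/Separator:" Then $SeparatorInput = StringMid($cmdline[$i],12)
        If StringLeft($cmdline[$i],14) = "/AceSeparator:" Then $AceSeparatorInput = StringMid($cmdline[$i],15)
    Next

    ; $SDS is the primary input: refuse to continue without it.
    If StringLen($SDSFile) > 0 Then
        If Not FileExists($SDSFile) Then
            ConsoleWrite("Error input $SDSFile file does not exist." & @CRLF)
            Exit
        EndIf
    EndIf
    ; $SDH and $SII are optional: a bad path only disables that pass.
    If StringLen($SDHFile) > 0 Then
        If Not FileExists($SDHFile) Then
            ConsoleWrite("Error input $SDHFile file does not exist." & @CRLF)
            ;Exit
            $DoSDH=0
        Else
            $DoSDH=1
        EndIf
    Else
        $DoSDH=0
    EndIf
    If StringLen($SIIFile) > 0 Then
        If Not FileExists($SIIFile) Then
            ConsoleWrite("Error input $SIIFile file does not exist." & @CRLF)
            ;Exit
            $DoSII=0
        Else
            $DoSII=1
        EndIf
    Else
        $DoSII=0
    EndIf

    If StringLen($OutputPath) > 0 Then
        If Not FileExists($OutputPath) Then
            ConsoleWrite("Error input $OutputPath does not exist. Setting default to curent directory." & @CRLF)
            $OutputPath = @ScriptDir
        EndIf
    Else
        $OutputPath = @ScriptDir
    EndIf

    ; Single-character separators only; anything else falls back to the defaults.
    If StringLen($SeparatorInput) <> 1 Then $SeparatorInput = "|"
    $de = $SeparatorInput
    If StringLen($AceSeparatorInput) <> 1 Then $AceSeparatorInput = ":"
    $de2 = $AceSeparatorInput
EndFunc

; Writes $text to the console and, when $DebugOutFile is set (presumably an
; open file handle), also to that debug file.
Func _DumpOutput($text)
    ConsoleWrite($text)
    If $DebugOutFile Then FileWrite($DebugOutFile, $text)
EndFunc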