Home > OS >  Is there a way to check if the current file has Trusted Installer permissions using python?
Is there a way to check if the current file has Trusted Installer permissions using python?

Time:08-15

I’m trying to make a virus (for testing purposes of course) and I’d like to check if the current file has Trusted Installer permissions so it can raise an exception.

CodePudding user response:

You could do so by checking the file's owner and seeing if it is TrustedInstaller. You could also do this by iterating through the DACL until you find an ACE that gives TrustedInstaller full control over the file.

GetNamedSecurityInfo can retrieve both of those things. If you import Advapi32.dll, you can get this function. You will have to define many objects, though.

See here for example code for Python.

ST_UID from os.stat() will not work. It returns the RID of the file owner, but TrustedInstaller is part of the account domain, so it is just zero. Because TrustedInstaller is not really an account, it is not on the SAM at all.

While you can program a virus for testing purposes in Python, it will generally be more difficult than coding it in C or C , especially for using Windows API functions. Windows API functions and objects are easily defined in header files such as "Windows.h" in Visual Studio. You will probably have to import these functions in Python and define everything else such as the SID structure. Windows API is something that is just simpler to use in C and C than Python.

Working code for C:

#include <stdio.h>
#include <stdlib.h>
#include <Windows.h>
#include <aclapi.h>

BOOL TrustedInstallerFile(char* FilePath) {
    // Gets the owner SID

    PSID OwnerSid = { 0 }; // Initializes memory to zero
    PSECURITY_DESCRIPTOR SecurityDescriptor = { 0 };
    DWORD status = GetNamedSecurityInfoA(FilePath, SE_FILE_OBJECT, OWNER_SECURITY_INFORMATION,
        &OwnerSid, NULL, NULL, NULL, &SecurityDescriptor);

    if (status != ERROR_SUCCESS) {
        LocalFree(SecurityDescriptor);
        return FALSE;
    }

    // Converts the owner SID into a name and domain

    DWORD NameBufferSize = 0;
    DWORD DomainBufferSize = 0;
    SID_NAME_USE SidNameUse;
    LookupAccountSidA(NULL, OwnerSid, NULL, &NameBufferSize, NULL, &DomainBufferSize, &SidNameUse);

    // Allocate memory
    char* OwnerName = malloc(NameBufferSize * sizeof(char));
    char* OwnerDomain = malloc(DomainBufferSize * sizeof(char));

    if (!LookupAccountSidA(NULL, OwnerSid, OwnerName, &NameBufferSize,
        OwnerDomain, &DomainBufferSize, &SidNameUse)) {

        free(OwnerName);
        free(OwnerDomain);
        LocalFree(SecurityDescriptor);
        return FALSE;
    }

    // Checks if the owner's name is "TrustedInstaller" and if the owner's domain is "NT SERVICE"
    // Strcmp returns '0' if the strings match
    if ((strcmp("TrustedInstaller", OwnerName) == 0) && (strcmp("NT SERVICE", OwnerDomain) == 0)) {

        // Free allocated memory
        free(OwnerName);
        free(OwnerDomain);
        LocalFree(SecurityDescriptor);
        return TRUE; // TrustedInstaller owns the file
    }
    else {
        free(OwnerName);
        free(OwnerDomain);
        LocalFree(SecurityDescriptor);
        return FALSE;
    }
}

int main()
{
    BOOL status = TrustedInstallerFile("C:\\Windows\\System32");
    if (status) {
        printf("System32 is owned by TrustedInstaller\r\n"); // Should be this
    }
    else {
        printf("System32 is not owned by TrustedInstaller\r\n");
    }
    
    system("pause");
    return 0;
}

Page link:https//www.codepudding.com/os/510944.html

Prev:Clear git-credential-manager-core cached login
Next:how to make sure that a jsonb object is not an encoded string?
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding