I’m trying to make a virus (for testing purposes of course) and I’d like to check if the current file has Trusted Installer permissions so it can raise an exception.
CodePudding user response:
You could do so by checking the file's owner and seeing if it is TrustedInstaller. You could also do this by iterating through the DACL until you find an ACE that gives TrustedInstaller full control over the file.
GetNamedSecurityInfo can retrieve both of those things. If you import Advapi32.dll, you can get this function. You will have to define many objects, though.
See here for example code for Python.
ST_UID from os.stat() will not work. It returns the RID of the file owner, but TrustedInstaller is part of the account domain, so it is just zero. Because TrustedInstaller is not really an account, it is not in the SAM at all.
While you can program a virus for testing purposes in Python, it will generally be more difficult than coding it in C or C++, especially when using Windows API functions. Windows API functions and objects are easily defined in header files such as "Windows.h" in Visual Studio. You will probably have to import these functions in Python and define everything else yourself, such as the SID structure. The Windows API is simply easier to use from C and C++ than from Python.
Working code for C:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <Windows.h>
#include <aclapi.h>

// Returns TRUE if the file or directory at FilePath is owned by NT SERVICE\TrustedInstaller
BOOL TrustedInstallerFile(char* FilePath) {
    BOOL result = FALSE;
    PSID OwnerSid = NULL;                          // Points into SecurityDescriptor; not freed separately
    PSECURITY_DESCRIPTOR SecurityDescriptor = NULL;

    // Gets the owner SID
    DWORD status = GetNamedSecurityInfoA(FilePath, SE_FILE_OBJECT, OWNER_SECURITY_INFORMATION,
                                         &OwnerSid, NULL, NULL, NULL, &SecurityDescriptor);
    if (status != ERROR_SUCCESS) {
        return FALSE;                              // Nothing was allocated on failure
    }

    // First call with NULL buffers only reports the required buffer sizes (in characters)
    DWORD NameBufferSize = 0;
    DWORD DomainBufferSize = 0;
    SID_NAME_USE SidNameUse;
    LookupAccountSidA(NULL, OwnerSid, NULL, &NameBufferSize, NULL, &DomainBufferSize, &SidNameUse);
    if (NameBufferSize == 0 || DomainBufferSize == 0) {
        LocalFree(SecurityDescriptor);             // The SID could not be resolved to a name
        return FALSE;
    }

    // Allocate memory and convert the owner SID into a name and domain
    char* OwnerName = malloc(NameBufferSize * sizeof(char));
    char* OwnerDomain = malloc(DomainBufferSize * sizeof(char));
    if (OwnerName != NULL && OwnerDomain != NULL &&
        LookupAccountSidA(NULL, OwnerSid, OwnerName, &NameBufferSize,
                          OwnerDomain, &DomainBufferSize, &SidNameUse)) {
        // Checks if the owner's name is "TrustedInstaller" and the owner's domain is "NT SERVICE"
        // strcmp returns 0 if the strings match
        result = (strcmp("TrustedInstaller", OwnerName) == 0) &&
                 (strcmp("NT SERVICE", OwnerDomain) == 0);
    }

    // Free allocated memory on every path (free(NULL) and LocalFree(NULL) are safe)
    free(OwnerName);
    free(OwnerDomain);
    LocalFree(SecurityDescriptor);
    return result;                                 // TRUE only if TrustedInstaller owns the file
}

int main(void)
{
    BOOL status = TrustedInstallerFile("C:\\Windows\\System32");
    if (status) {
        printf("System32 is owned by TrustedInstaller\r\n"); // Should be this
    }
    else {
        printf("System32 is not owned by TrustedInstaller\r\n");
    }
    system("pause");
    return 0;
}
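The same two checks the answer describes (owner of the security descriptor, and walking the DACL for an ACE granting TrustedInstaller full control) done from PowerShell as an audit helper. This is an added example, not the answer's code; it compares identities by SID instead of the localizable "NT SERVICE\TrustedInstaller" name, and the two sample paths at the bottom are assumptions.

```powershell
# Well-known service SID of NT SERVICE\TrustedInstaller
$TrustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new(
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')

function Test-TrustedInstallerFile {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Check 1: owner of the security descriptor (what OWNER_SECURITY_INFORMATION returns)
    $ownerSid = $acl.GetOwner($sidType)
    $ownedByTI = $ownerSid.Equals($TrustedInstallerSid)

    # Check 2: walk the DACL (explicit and inherited ACEs) for an Allow ACE
    # that grants TrustedInstaller FullControl
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $tiFullControl = $false
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.IdentityReference.Equals($TrustedInstallerSid) -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $full) -eq $full)) {
            $tiFullControl = $true
            break
        }
    }

    [pscustomobject]@{
        Path             = $Path
        Owner            = $acl.Owner      # friendly name, for display only
        OwnedByTI        = $ownedByTI
        TIHasFullControl = $tiFullControl
    }
}

# Assumed sample paths: a protected system directory and a user-writable one
Test-TrustedInstallerFile -Path 'C:\Windows\System32'
Test-TrustedInstallerFile -Path $env:TEMP
```

Run it from a normal user session; reading an object's owner and DACL needs only READ_CONTROL, not TrustedInstaller rights, so it works on protected paths without elevation.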