authormidipix <writeonce@midipix.org>2018-03-27 01:53:14 +0000
committermidipix <writeonce@midipix.org>2018-03-29 21:56:28 -0400
commit0a84879cdc3be1bbe3e09dd9fd883a4832e9443e (patch)
tree890b50007ab3c483666d922c6edad95d17c619b5 /src/internal/ntapi.c
parent227c1560530dc822180e71690795d4a97d2d7310 (diff)
downloadntapi-0a84879cdc3be1bbe3e09dd9fd883a4832e9443e.tar.bz2
ntapi-0a84879cdc3be1bbe3e09dd9fd883a4832e9443e.tar.xz
internals: when running as a local/domain user, cache the domain's admin sid.
Diffstat (limited to 'src/internal/ntapi.c')
-rw-r--r--src/internal/ntapi.c24
1 files changed, 21 insertions, 3 deletions
diff --git a/src/internal/ntapi.c b/src/internal/ntapi.c
index f0b4431..aaf1b33 100644
--- a/src/internal/ntapi.c
+++ b/src/internal/ntapi.c
@@ -94,6 +94,8 @@ static int32_t __fastcall __ntapi_init_once(ntapi_vtbl ** pvtbl)
void * hntdll;
size_t block_size;
size_t buf[64];
+ unsigned char * value;
+ uint16_t sacnt;
nt_oa oa;
nt_cid cid;
ntapi_zw_allocate_virtual_memory * pfn_zw_allocate_virtual_memory;
@@ -482,7 +484,7 @@ static int32_t __fastcall __ntapi_init_once(ntapi_vtbl ** pvtbl)
internals->htoken,
NT_SE_CREATE_SYMBOLIC_LINK_PRIVILEGE);
- /* sid */
+ /* user */
if ((status = __ntapi->zw_query_information_token(
internals->htoken,
NT_TOKEN_USER,
@@ -490,12 +492,28 @@ static int32_t __fastcall __ntapi_init_once(ntapi_vtbl ** pvtbl)
&block_size)))
return status;
- internals->sid = (nt_sid *)&internals->sid_buffer;
+ internals->user = (nt_sid *)&internals->sid_buffer[0];
+ internals->admin = (nt_sid *)&internals->sid_buffer[1];
__ntapi->tt_sid_copy(
- internals->sid,
+ internals->user,
((nt_sid_and_attributes *)buf)->sid);
+ /* admin */
+ value = internals->user->identifier_authority.value;
+ sacnt = internals->user->sub_authority_count;
+
+ if ((value[0] == 0) && (value[1] == 0)
+ && (value[2] == 0) && (value[3] == 0)
+ && (value[4] == 0) && (value[5] == 5)
+ && internals->user->sub_authority[0] == 21) {
+ __ntapi->tt_sid_copy(
+ internals->admin,
+ internals->user);
+
+ internals->admin->sub_authority[sacnt - 1] = 500;
+ }
+
/* done */
*pvtbl = &___ntapi_shadow;
at_locked_inc(&__ntapi_init_idx);
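Review bot: `internals->admin` is assigned unconditionally on the `sid_buffer[1]` line, but the SID behind it is only written inside the `if` that follows, so for a token user that is not an S-1-5-21 account (a service, well-known or built-in identity) the pointer refers to whatever `sid_buffer[1]` held beforehand — the hunk does not show whether `internals` is zeroed — and any later comparison against it would match stale bytes instead of failing. Set the pointer only when the cache is valid, e.g. `internals->admin = 0;` before the branch and `internals->admin = (nt_sid *)&internals->sid_buffer[1];` inside it, so callers can test for NULL. The branch also never validates `sacnt`: `sacnt - 1` is promoted to int, so a zero count indexes `sub_authority[-1]`, and any count other than 5 would overwrite a domain sub-authority rather than the RID; since a local/domain account SID has the fixed shape S-1-5-21-A-B-C-RID, adding `&& sacnt == 5` to the condition makes the write to `sub_authority[4]` (RID 500, the built-in Administrator account, not the Administrators group) well-defined. __ntapi_init_once begins before this hunk.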