From 0a84879cdc3be1bbe3e09dd9fd883a4832e9443e Mon Sep 17 00:00:00 2001
From: midipix
Date: Tue, 27 Mar 2018 01:53:14 +0000
Subject: internals: when running as a local/domain user, cache the domain's admin sid.
---
 src/acl/ntapi_acl_helper.c | 2 +-
 src/internal/ntapi.c | 24 +++++++++++++++++++++---
 src/internal/ntapi_impl.h | 5 +++--
 src/object/ntapi_tt_keyed_object_directory.c | 2 +-
 4 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/src/acl/ntapi_acl_helper.c b/src/acl/ntapi_acl_helper.c
index 72444fe..c495dc5 100644
--- a/src/acl/ntapi_acl_helper.c
+++ b/src/acl/ntapi_acl_helper.c
@@ -65,7 +65,7 @@ void __stdcall __ntapi_acl_init_common_descriptor(
 sd->sd.offset_sacl = 0;
 /* owner, group, other: default sid's */
- owner = owner ? owner : __ntapi_internals()->sid;
+ owner = owner ? owner : __ntapi_internals()->user;
 group = group ? group : owner;
 other = other ? other : &sid_auth_users;
diff --git a/src/internal/ntapi.c b/src/internal/ntapi.c
index f0b4431..aaf1b33 100644
--- a/src/internal/ntapi.c
+++ b/src/internal/ntapi.c
@@ -94,6 +94,8 @@ static int32_t __fastcall __ntapi_init_once(ntapi_vtbl ** pvtbl)
 void * hntdll;
 size_t block_size;
 size_t buf[64];
+ unsigned char * value;
+ uint16_t sacnt;
 nt_oa oa;
 nt_cid cid;
 ntapi_zw_allocate_virtual_memory * pfn_zw_allocate_virtual_memory;
@@ -482,7 +484,7 @@ static int32_t __fastcall __ntapi_init_once(ntapi_vtbl ** pvtbl)
 internals->htoken,
 NT_SE_CREATE_SYMBOLIC_LINK_PRIVILEGE);
- /* sid */
+ /* user */
 if ((status = __ntapi->zw_query_information_token(
 internals->htoken,
 NT_TOKEN_USER,
@@ -490,12 +492,28 @@ static int32_t __fastcall __ntapi_init_once(ntapi_vtbl ** pvtbl)
 &block_size)))
 return status;
- internals->sid = (nt_sid *)&internals->sid_buffer;
+ internals->user = (nt_sid *)&internals->sid_buffer[0];
+ internals->admin = (nt_sid *)&internals->sid_buffer[1];
 __ntapi->tt_sid_copy(
- internals->sid,
+ internals->user,
 ((nt_sid_and_attributes *)buf)->sid);
+ /* admin */
+ value = internals->user->identifier_authority.value;
+ sacnt = internals->user->sub_authority_count;
+
+ if ((value[0] == 0) && (value[1] == 0) && (value[2] == 0) && (value[3] == 0) && (value[4] == 0) && (value[5] == 5) && internals->user->sub_authority[0] == 21) {
+ __ntapi->tt_sid_copy(
+ internals->admin,
+ internals->user);
+
+ internals->admin->sub_authority[sacnt - 1] = 500;
+ }
+
 /* done */
 *pvtbl = &___ntapi_shadow;
 at_locked_inc(&__ntapi_init_idx);
diff --git a/src/internal/ntapi_impl.h b/src/internal/ntapi_impl.h
index 6021a48..d020386 100644
--- a/src/internal/ntapi_impl.h
+++ b/src/internal/ntapi_impl.h
@@ -82,8 +82,9 @@ typedef struct __attr_ptr_size_aligned__ _ntapi_internals {
 nt_port_name * subsystem;
 nt_security_descriptor seq_desc;
 nt_security_quality_of_service seq_qos;
- nt_sid_any sid_buffer;
- nt_sid * sid;
+ nt_sid_any sid_buffer[2];
+ nt_sid * user;
+ nt_sid * admin;
 void * hprocess;
 void * htoken;
 void * hport_tty_session;
diff --git a/src/object/ntapi_tt_keyed_object_directory.c b/src/object/ntapi_tt_keyed_object_directory.c
index c34d8ec..b79f3b6 100644
--- a/src/object/ntapi_tt_keyed_object_directory.c
+++ b/src/object/ntapi_tt_keyed_object_directory.c
@@ -74,7 +74,7 @@ static void __ipc_sd_init(nt_sd_common_buffer * sd, int fdir)
 /* owner sid */
 __ntapi->tt_sid_copy(
 (nt_sid *)&sd->owner,
- __ntapi_internals()->sid);
+ __ntapi_internals()->user);
 /* ace's for LOCAL_SYSTEM, AUTHENTICATED_USERS, and process token user */
--
cgit v1.2.3
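Review bot: `internals->admin` is pointed at `sid_buffer[1]` unconditionally, but that buffer is only written inside the `if` that matches an S-1-5-21 token user, so for any other principal (LOCAL_SYSTEM, a service SID, …) `admin` points at whatever `sid_buffer[1]` already held and a consumer has no way to tell "no domain admin sid" apart from a real one. The match also reads `sub_authority[0]` and then writes RID 500 into `sub_authority[sacnt - 1]` without first confirming that the SID has the five sub-authorities an S-1-5-21-X-Y-Z-RID account SID always carries; on a differently shaped SID the result is a wrong principal, which matters if this value is later granted in ACEs as the commit subject suggests. I would leave `admin` null unless the sid is actually derived, require `sacnt == 5` before touching the sub-authorities, and name the magic numbers (`SECURITY_NT_NON_UNIQUE` for 21, `DOMAIN_USER_RID_ADMIN` for 500) so a reader does not have to recall them. Whether something elsewhere already relies on `sid_buffer[1]` being zero-filled I cannot tell from this hunk; `__ntapi_init_once` begins and ends outside it.
```c
	internals->user  = (nt_sid *)&internals->sid_buffer[0];
	internals->admin = 0;

	/* … unchanged: tt_sid_copy of the token user sid, value/sacnt setup … */

	/* admin: only an S-1-5-21-X-Y-Z-RID account sid has a domain Administrator (RID 500) */
	if ((value[0] == 0) && (value[1] == 0)
			&& (value[2] == 0) && (value[3] == 0)
			&& (value[4] == 0) && (value[5] == 5)
			&& (sacnt == 5)
			&& (internals->user->sub_authority[0] == 21)) {
		internals->admin = (nt_sid *)&internals->sid_buffer[1];

		__ntapi->tt_sid_copy(
			internals->admin,
			internals->user);

		internals->admin->sub_authority[sacnt - 1] = 500;
	}
```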
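Review bot: The new `user` and `admin` members carry no comment stating when `admin` is valid, and from this header alone a reader cannot tell that it is only populated when the token user is an S-1-5-21 (domain or local account) SID, as the ntapi.c hunk in this commit shows. I would annotate the two pointers in place: `nt_sid * user;  /* token user sid, always set by __ntapi_init_once */` and `nt_sid * admin;  /* sid of the user's domain/local Administrator (RID 500); only derived when user is S-1-5-21-..., see __ntapi_init_once */`. Since `sid_buffer[2]` now backs both pointers, a one-line note that `[0]` is the user and `[1]` the admin copy would spare the next maintainer a trip to the .c file. The `_ntapi_internals` struct starts before this hunk and continues past it.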