From 0a84879cdc3be1bbe3e09dd9fd883a4832e9443e Mon Sep 17 00:00:00 2001
From: midipix
Date: Tue, 27 Mar 2018 01:53:14 +0000
Subject: internals: when running as a local/domain user, cache the domain's admin sid.
---
 src/internal/ntapi.c | 24 +++++++++++++++++++++---
 src/internal/ntapi_impl.h | 5 +++--
 2 files changed, 24 insertions(+), 5 deletions(-)
(limited to 'src/internal')
diff --git a/src/internal/ntapi.c b/src/internal/ntapi.c
index f0b4431..aaf1b33 100644
--- a/src/internal/ntapi.c
+++ b/src/internal/ntapi.c
@@ -94,6 +94,8 @@ static int32_t __fastcall __ntapi_init_once(ntapi_vtbl ** pvtbl)
 void * hntdll;
 size_t block_size;
 size_t buf[64];
+ unsigned char * value;
+ uint16_t sacnt;
 nt_oa oa;
 nt_cid cid;
 ntapi_zw_allocate_virtual_memory * pfn_zw_allocate_virtual_memory;
@@ -482,7 +484,7 @@ static int32_t __fastcall __ntapi_init_once(ntapi_vtbl ** pvtbl)
 internals->htoken,
 NT_SE_CREATE_SYMBOLIC_LINK_PRIVILEGE);
 
- /* sid */
+ /* user */
 if ((status = __ntapi->zw_query_information_token(
 internals->htoken,
 NT_TOKEN_USER,
@@ -490,12 +492,28 @@ static int32_t __fastcall __ntapi_init_once(ntapi_vtbl ** pvtbl)
 &block_size)))
 return status;
 
- internals->sid = (nt_sid *)&internals->sid_buffer;
+ internals->user = (nt_sid *)&internals->sid_buffer[0];
+ internals->admin = (nt_sid *)&internals->sid_buffer[1];
 
 __ntapi->tt_sid_copy(
- internals->sid,
+ internals->user,
 ((nt_sid_and_attributes *)buf)->sid);
 
+ /* admin */
+ value = internals->user->identifier_authority.value;
+ sacnt = internals->user->sub_authority_count;
+
+ if ((value[0] == 0) && (value[1] == 0)
+ && (value[2] == 0) && (value[3] == 0)
+ && (value[4] == 0) && (value[5] == 5)
+ && internals->user->sub_authority[0] == 21) {
+ __ntapi->tt_sid_copy(
+ internals->admin,
+ internals->user);
+
+ internals->admin->sub_authority[sacnt - 1] = 500;
+ }
+
 /* done */
 *pvtbl = &___ntapi_shadow;
 at_locked_inc(&__ntapi_init_idx);
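Review bot: In the third hunk `internals->admin` is pointed at `sid_buffer[1]` unconditionally but only filled in when the user SID is an NT-authority S-1-5-21-… SID, so for any other token (a well-known or built-in account, for instance) the pointer refers to whatever `sid_buffer[1]` held before, and callers cannot distinguish a cached admin SID from stale memory unless `sid_buffer` is zeroed somewhere not visible here. I would make the absence explicit: `internals->admin = 0;` before the `if`, and `internals->admin = (nt_sid *)&internals->sid_buffer[1];` as the first statement inside it, so that a null check on `internals->admin` is a reliable test. The condition also reads `sub_authority[0]` without first confirming that `sacnt` covers it, and the assignment then writes `sub_authority[sacnt - 1]`; adding `&& sacnt >= 2` to the condition keeps both accesses inside the SID the token actually reported and avoids turning a bare S-1-5-21 into S-1-5-500. A one-line comment on the derived value would help readers, e.g. `/* S-1-5-21-<domain>-500: the built-in Administrator account of the user's domain */`. `__ntapi_init_once` begins and ends outside these hunks.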
diff --git a/src/internal/ntapi_impl.h b/src/internal/ntapi_impl.h
index 6021a48..d020386 100644
--- a/src/internal/ntapi_impl.h
+++ b/src/internal/ntapi_impl.h
@@ -82,8 +82,9 @@ typedef struct __attr_ptr_size_aligned__ _ntapi_internals {
 nt_port_name * subsystem;
 nt_security_descriptor seq_desc;
 nt_security_quality_of_service seq_qos;
- nt_sid_any sid_buffer;
- nt_sid * sid;
+ nt_sid_any sid_buffer[2];
+ nt_sid * user;
+ nt_sid * admin;
 void * hprocess;
 void * htoken;
 void * hport_tty_session;
--
cgit v1.2.3
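Review bot: The new `user` and `admin` members carry no comment, and since `admin` is only meaningful for a subset of tokens its contract is easy to misuse from other translation units. I would annotate them in the struct, e.g. `nt_sid * user; /* token user SID, copied into sid_buffer[0] */` and `nt_sid * admin; /* S-1-5-21-<domain>-500 derived from user; only valid when user is a local/domain account */`, adjusting the wording to whatever sentinel the initializer ends up using for the not-applicable case. `_ntapi_internals` begins and ends outside this hunk.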