
  1  # Rekall Memory Forensics 
  2  # Copyright (C) 2008 Volatile Systems 
  3  # Copyright (C) 2007, 2008 Brendan Dolan-Gavitt bdolangavitt@wesleyan.edu 
  4  # http://moyix.blogspot.com 
  5  # Copyright 2013 Google Inc. All Rights Reserved. 
  6  # 
  7  # Additional Authors: 
  8  # Mike Auty <mike.auty@gmail.com> 
  9  # 
 10  # This program is free software; you can redistribute it and/or modify 
 11  # it under the terms of the GNU General Public License as published by 
 12  # the Free Software Foundation; either version 2 of the License, or (at 
 13  # your option) any later version. 
 14  # 
 15  # This program is distributed in the hope that it will be useful, but 
 16  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 17  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 18  # General Public License for more details. 
 19  # 
 20  # You should have received a copy of the GNU General Public License 
 21  # along with this program; if not, write to the Free Software 
 22  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 23  # 
 24  # Based heavily upon the getsids plugin by Moyix 
 25  # http://kurtz.cs.wesleyan.edu/%7Ebdolangavitt/memory/getsids.py 
 26   
 27  """ 
 28  @author:       AAron Walters and Brendan Dolan-Gavitt 
 29  @license:      GNU General Public License 2.0 or later 
 30  @contact:      awalters@volatilesystems.com,bdolangavitt@wesleyan.edu 
 31  @organization: Volatile Systems 
 32  """ 
 33  # pylint: disable=protected-access 
 34   
 35  import re 
 36  from rekall.plugins.windows import common 
 37   
 38   
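class GetSIDs(common.WinProcessFilter):
    """Print the SIDs owning each process token.

    For every process selected by the WinProcessFilter options, walk the
    UserAndGroups array of the process token and emit one row per SID with
    a human readable comment. The comment is resolved with the following
    precedence: an exact hit in ``well_known_sids``, then the first matching
    pattern in ``well_known_sid_re``, and otherwise the account name the
    users plugin reports for the SID's RID (``User: <name>``). An empty
    comment means none of the three sources knew the SID.

    The comments are an analyst convenience only; an attacker controlled
    token can carry any SID, so the raw ``Sid`` column is the authoritative
    value.
    """

    __name = "tokens"

    # Domain / machine relative SIDs. The variable middle part is the domain
    # identifier, the trailing sub-authority is the well known RID. Patterns
    # are applied with re.search, which does not anchor at the end of the
    # string, so every RID is followed by (?![0-9]); without it a RID such as
    # 5001 would be reported as the well known RID 500 ("Administrator").
    well_known_sid_re = [
        (re.compile(r'S-1-5-[0-9-]+-500(?![0-9])'), 'Administrator'),
        (re.compile(r'S-1-5-[0-9-]+-501(?![0-9])'), 'Guest'),
        (re.compile(r'S-1-5-[0-9-]+-502(?![0-9])'), 'KRBTGT'),
        (re.compile(r'S-1-5-[0-9-]+-512(?![0-9])'), 'Domain Admins'),
        (re.compile(r'S-1-5-[0-9-]+-513(?![0-9])'), 'Domain Users'),
        (re.compile(r'S-1-5-[0-9-]+-514(?![0-9])'), 'Domain Guests'),
        (re.compile(r'S-1-5-[0-9-]+-515(?![0-9])'), 'Domain Computers'),
        (re.compile(r'S-1-5-[0-9-]+-516(?![0-9])'), 'Domain Controllers'),
        (re.compile(r'S-1-5-[0-9-]+-517(?![0-9])'), 'Cert Publishers'),
        (re.compile(r'S-1-5-[0-9-]+-520(?![0-9])'),
         'Group Policy Creator Owners'),
        (re.compile(r'S-1-5-[0-9-]+-533(?![0-9])'), 'RAS and IAS Servers'),
        # Logon session SIDs end in two variable numbers; the greedy [0-9]+
        # already consumes every trailing digit, so no lookahead is needed.
        (re.compile(r'S-1-5-5-[0-9]+-[0-9]+'), 'Logon Session'),
        (re.compile(r'S-1-5-21-[0-9-]+-518(?![0-9])'), 'Schema Admins'),
        (re.compile(r'S-1-5-21-[0-9-]+-519(?![0-9])'), 'Enterprise Admins'),
        (re.compile(r'S-1-5-21-[0-9-]+-553(?![0-9])'), 'RAS Servers'),
    ]

    # Fixed, non domain relative well known SIDs, keyed by their exact
    # string form. These take precedence over both the regex table and the
    # RID -> user name lookup in collect().
    well_known_sids = {
        'S-1-0': 'Null Authority',
        'S-1-0-0': 'Nobody',
        'S-1-1': 'World Authority',
        'S-1-1-0': 'Everyone',
        'S-1-2': 'Local Authority',
        'S-1-2-0': 'Local (Users with the ability to log in locally)',
        'S-1-2-1': ('Console Logon (Users who are logged onto the physical '
                    'console)'),
        'S-1-3': 'Creator Authority',
        'S-1-3-0': 'Creator Owner',
        'S-1-3-1': 'Creator Group',
        'S-1-3-2': 'Creator Owner Server',
        'S-1-3-3': 'Creator Group Server',
        'S-1-3-4': 'Owner Rights',
        'S-1-4': 'Non-unique Authority',
        'S-1-5': 'NT Authority',
        'S-1-5-1': 'Dialup',
        'S-1-5-2': 'Network',
        'S-1-5-3': 'Batch',
        'S-1-5-4': 'Interactive',
        'S-1-5-6': 'Service',
        'S-1-5-7': 'Anonymous',
        'S-1-5-8': 'Proxy',
        'S-1-5-9': 'Enterprise Domain Controllers',
        'S-1-5-10': 'Principal Self',
        'S-1-5-11': 'Authenticated Users',
        'S-1-5-12': 'Restricted Code',
        'S-1-5-13': 'Terminal Server Users',
        'S-1-5-14': 'Remote Interactive Logon',
        'S-1-5-15': 'This Organization',
        'S-1-5-17': 'This Organization (Used by the default IIS user)',
        'S-1-5-18': 'Local System',
        # S-1-5-19 and S-1-5-20 are the Local Service and Network Service
        # accounts respectively; both are reported under the generic
        # "NT Authority" label here, so the Sid column is needed to tell
        # them apart.
        'S-1-5-19': 'NT Authority',
        'S-1-5-20': 'NT Authority',
        'S-1-5-32-544': 'Administrators',
        'S-1-5-32-545': 'Users',
        'S-1-5-32-546': 'Guests',
        'S-1-5-32-547': 'Power Users',
        'S-1-5-32-548': 'Account Operators',
        'S-1-5-32-549': 'Server Operators',
        'S-1-5-32-550': 'Print Operators',
        'S-1-5-32-551': 'Backup Operators',
        'S-1-5-32-552': 'Replicators',
        'S-1-5-32-554': 'BUILTIN\\Pre-Windows 2000 Compatible Access',
        'S-1-5-32-555': 'BUILTIN\\Remote Desktop Users',
        'S-1-5-32-556': 'BUILTIN\\Network Configuration Operators',
        'S-1-5-32-557': 'BUILTIN\\Incoming Forest Trust Builders',
        'S-1-5-32-558': 'BUILTIN\\Performance Monitor Users',
        'S-1-5-32-559': 'BUILTIN\\Performance Log Users',
        'S-1-5-32-560': 'BUILTIN\\Windows Authorization Access Group',
        'S-1-5-32-561': 'BUILTIN\\Terminal Server License Servers',
        'S-1-5-32-562': 'BUILTIN\\Distributed COM Users',
        'S-1-5-32-568': 'BUILTIN\\IIS IUSRS',
        'S-1-5-32-569': 'Cryptographic Operators',
        'S-1-5-32-573': 'BUILTIN\\Event Log Readers',
        'S-1-5-32-574': 'BUILTIN\\Certificate Service DCOM Access',
        'S-1-5-33': 'Write Restricted',
        'S-1-5-64-10': 'NTLM Authentication',
        'S-1-5-64-14': 'SChannel Authentication',
        'S-1-5-64-21': 'Digest Authentication',
        'S-1-5-80': 'NT Service',
        'S-1-5-86-1544737700-199408000-2549878335-3519669259-381336952': (
            'WMI (Local Service)'),
        'S-1-5-86-615999462-62705297-2911207457-59056572-3668589837': (
            'WMI (Network Service)'),
        'S-1-5-1000': 'Other Organization',
        # Mandatory integrity levels (S-1-16-*); these travel in the token's
        # group list like any other SID.
        'S-1-16-0': 'Untrusted Mandatory Level',
        'S-1-16-4096': 'Low Mandatory Level',
        'S-1-16-8192': 'Medium Mandatory Level',
        'S-1-16-8448': 'Medium Plus Mandatory Level',
        'S-1-16-12288': 'High Mandatory Level',
        'S-1-16-16384': 'System Mandatory Level',
        'S-1-16-20480': 'Protected Process Mandatory Level',
        'S-1-16-28672': 'Secure Process Mandatory Level',
    }

    table_header = [
        dict(name="Process", width=40),
        dict(name="Sid", width=50),
        dict(name="Comment")
    ]

    def column_types(self):
        """Return prototype values for each output column.

        NOTE(review): a Pid entry is declared here although table_header
        and collect() only produce Process, Sid and Comment; presumably the
        framework ignores the extra key -- verify before relying on it.
        """
        return dict(
            Process=self.session.profile._EPROCESS(),
            Pid=0,
            Sid="",
            Comment="")

    def find_sid_re(self, sid_string):
        """Return the name of the first well_known_sid_re pattern matching
        sid_string, or None when no pattern matches.

        Patterns are tried in table order, so the first hit wins.
        """
        for pattern, name in self.well_known_sid_re:
            if pattern.search(sid_string):
                return name
        return None

    def collect(self):
        """Yield (task, sid_string, comment) for every SID in each selected
        process token.

        The comment resolution order is documented on the class.
        """
        # Map RID -> account name for the accounts reported by the users
        # plugin (presumably the local SAM only -- domain accounts are not
        # covered by this lookup).
        users = {}
        for _, v, f in self.session.plugins.users().GenerateUsers():
            users[f.Rid] = v.UserName.Value

        for task in self.filter_processes():
            for sa in task.Token.UserAndGroups:
                sid = sa.Sid

                # The RID is the last SubAuthority. Token structures come
                # from possibly smeared memory, so guard against an empty
                # SubAuthority array instead of indexing at -1.
                sid_name = ""
                count = sid.SubAuthorityCount
                if count > 0:
                    rid = sid.SubAuthority[count - 1]
                    # This lookup is keyed on the RID alone, so any SID
                    # whose final sub-authority equals a local account RID
                    # gets that account's name unless one of the well known
                    # tables below overrides it. Treat "User: ..." as a hint,
                    # not as proof of ownership.
                    username = users.get(rid)
                    if username:
                        sid_name = "User: %s" % username

                sid_string = unicode(sid.deref())
                if sid_string in self.well_known_sids:
                    sid_name = self.well_known_sids[sid_string]
                else:
                    sid_name_re = self.find_sid_re(sid_string)
                    if sid_name_re:
                        sid_name = sid_name_re

                yield (task, sid_string, sid_name)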