Added extra property which represents which generic access an access is included in.

tyranid · tyranid · commit 1ec51eab42e3 · 2020-02-08T18:02:46.000-08:00
diff --git a/NtApiDotNet/AccessMaskEntry.cs b/NtApiDotNet/AccessMaskEntry.cs
@@ -16,6 +16,34 @@
 
 namespace NtApiDotNet
 {
+    /// <summary>
+    /// Flags representing what generic access the entry maps to.
+    /// </summary>
+    [Flags]
+    public enum GenericAccessType
+    {
+        /// <summary>
+        /// Not mapped to any access.
+        /// </summary>
+        None = 0,
+        /// <summary>
+        /// Mapped to read.
+        /// </summary>
+        Read = 1,
+        /// <summary>
+        /// Mapped to write.
+        /// </summary>
+        Write = 2,
+        /// <summary>
+        /// Mapped to execute.
+        /// </summary>
+        Execute = 4,
+        /// <summary>
+        /// Mapped to All.
+        /// </summary>
+        All = 8
+    }
+
     /// <summary>
     /// A structure to hold an access mask to enum mapping.
     /// </summary>
@@ -29,6 +57,10 @@ public struct AccessMaskEntry
         /// The value of the access mask entry enumeration.
         /// </summary>
         public Enum Value { get; }
+        /// <summary>
+        /// The generic access this maps to.
+        /// </summary>
+        public GenericAccessType GenericAccess { get; }
 
         /// <summary>
         /// Overridden ToString method.
@@ -39,10 +71,11 @@ public override string ToString()
             return $"{Mask:X08} - {Value}";
         }
 
-        internal AccessMaskEntry(AccessMask mask, Enum value)
+        internal AccessMaskEntry(AccessMask mask, Enum value, GenericAccessType generic_access)
         {
             Mask = mask;
             Value = value;
+            GenericAccess = generic_access;
         }
     }
 }
diff --git a/NtApiDotNet/NtSecurity.cs b/NtApiDotNet/NtSecurity.cs
@@ -902,6 +902,25 @@ public static CachedSigningLevel GetCachedSigningLevel(SafeKernelObjectHandle ha
             return new CachedSigningLevel(flags, signing_level, thumb_print, thumb_print_algo);
         }
 
+        /// <summary>
+        /// Get the cached signing level for a file.
+        /// </summary>
+        /// <param name="handle">The handle to the file to query.</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
+        /// <returns>The cached signing level.</returns>
+        public static NtResult<CachedSigningLevel> GetCachedSigningLevel(SafeKernelObjectHandle handle, bool throw_on_error)
+        {
+            byte[] thumb_print = new byte[0x68];
+            int thumb_print_size = thumb_print.Length;
+
+            return NtSystemCalls.NtGetCachedSigningLevel(handle, out int flags,
+                out SigningLevel signing_level, thumb_print, ref thumb_print_size, out HashAlgorithm thumb_print_algo).CreateResult(throw_on_error, () =>
+                {
+                    Array.Resize(ref thumb_print, thumb_print_size);
+                    return new CachedSigningLevel(flags, signing_level, thumb_print, thumb_print_algo);
+                });
+        }
+
         /// <summary>
         /// Get the cached singing level from the raw EA buffer.
         /// </summary>
@@ -944,20 +963,50 @@ public static void SetCachedSigningLevel(SafeKernelObjectHandle handle,
                                                  int flags, SigningLevel signing_level,
                                                  IEnumerable<SafeKernelObjectHandle> source_files,
                                                  string catalog_path)
+        {
+            SetCachedSigningLevel(handle, flags, signing_level, source_files, catalog_path, true);
+        }
+
+        /// <summary>
+        /// Set the cached signing level for a file.
+        /// </summary>
+        /// <param name="handle">The handle to the file to set the cache on.</param>
+        /// <param name="flags">Flags to set for the cache.</param>
+        /// <param name="signing_level">The signing level to cache</param>
+        /// <param name="source_files">A list of source file for the cache.</param>
+        /// <param name="catalog_path">Optional directory path to look for catalog files.</param>
+        /// <param name="throw_on_error">True to throw on error.</param>
+        public static NtStatus SetCachedSigningLevel(SafeKernelObjectHandle handle,
+                                                     int flags, SigningLevel signing_level,
+                                                     IEnumerable<SafeKernelObjectHandle> source_files,
+                                                     string catalog_path, bool throw_on_error)
         {
             IntPtr[] handles = source_files?.Select(f => f.DangerousGetHandle()).ToArray();
             int handles_count = handles == null ? 0 : handles.Length;
             if (catalog_path != null)
             {
                 CachedSigningLevelInformation info = new CachedSigningLevelInformation(catalog_path);
-                NtSystemCalls.NtSetCachedSigningLevel2(flags, signing_level, handles, handles_count, handle, info).ToNtException();
+                return NtSystemCalls.NtSetCachedSigningLevel2(flags, signing_level, handles, 
+                    handles_count, handle, info).ToNtException(throw_on_error);
             }
             else
             {
-                NtSystemCalls.NtSetCachedSigningLevel(flags, signing_level, handles, handles_count, handle).ToNtException();
+                return NtSystemCalls.NtSetCachedSigningLevel(flags, signing_level, handles, 
+                    handles_count, handle).ToNtException(throw_on_error);
             }
         }
 
+        /// <summary>
+        /// Compare two signing levels.
+        /// </summary>
+        /// <param name="current_level">The current level.</param>
+        /// <param name="signing_level">The signing level to compare against.</param>
+        /// <returns>True if the current level is above or equal to the signing level.</returns>
+        public static bool CompareSigningLevel(SigningLevel current_level, SigningLevel signing_level)
+        {
+            return NtSystemCalls.NtCompareSigningLevel(current_level, signing_level).IsSuccess();
+        }
+
         /// <summary>
         /// Get readable name for a SID, if known. This covers sources of names such as LSASS lookup, capability names and package names.
         /// </summary>
diff --git a/NtApiDotNet/NtSecurityNative.cs b/NtApiDotNet/NtSecurityNative.cs
@@ -813,6 +813,10 @@ public static extern NtStatus NtGetCachedSigningLevel(
           ref int ThumbprintSize,
           out HashAlgorithm ThumbprintAlgorithm
         );
+
+        [DllImport("ntdll.dll")]
+        public static extern NtStatus NtCompareSigningLevel(
+            SigningLevel CurrentLevel, SigningLevel CheckLevel);
     }
 
     [StructLayout(LayoutKind.Sequential)]
diff --git a/NtApiDotNet/NtType.cs b/NtApiDotNet/NtType.cs
@@ -196,8 +196,26 @@ public IEnumerable<AccessMaskEntry> AccessRights
                     {
                         if (Enum.IsDefined(AccessRightsType, mask))
                         {
+                            GenericAccessType generic_access = GenericAccessType.None;
+                            if (GenericMapping.GenericRead.IsAccessGranted(mask))
+                            {
+                                generic_access |= GenericAccessType.Read;
+                            }
+                            if (GenericMapping.GenericWrite.IsAccessGranted(mask))
+                            {
+                                generic_access |= GenericAccessType.Write;
+                            }
+                            if (GenericMapping.GenericExecute.IsAccessGranted(mask))
+                            {
+                                generic_access |= GenericAccessType.Execute;
+                            }
+                            if (GenericMapping.GenericAll.IsAccessGranted(mask))
+                            {
+                                generic_access |= GenericAccessType.All;
+                            }
+
                             access_rights.Add(new AccessMaskEntry(mask,
-                                (Enum)Enum.ToObject(AccessRightsType, mask)));
+                                (Enum)Enum.ToObject(AccessRightsType, mask), generic_access));
                         }
                         mask <<= 1;
                     }
diff --git a/NtObjectManager/Formatters.ps1xml b/NtObjectManager/Formatters.ps1xml
@@ -1314,7 +1314,12 @@
           </TableColumnHeader>
           <TableColumnHeader>
             <Label>Value</Label>
-            <Width>40</Width>
+            <Width>20</Width>
+            <Alignment>left</Alignment>
+          </TableColumnHeader>
+          <TableColumnHeader>
+            <Label>GenericAccess</Label>
+            <Width>30</Width>
             <Alignment>left</Alignment>
           </TableColumnHeader>
         </TableHeaders>
@@ -1328,6 +1333,9 @@
               <TableColumnItem>
                 <PropertyName>Value</PropertyName>
               </TableColumnItem>
+              <TableColumnItem>
+                <PropertyName>GenericAccess</PropertyName>
+              </TableColumnItem>
             </TableColumnItems>
           </TableRowEntry>
         </TableRowEntries>
