C# 在.NET中将SDDL转换为可读文本
在.NET中,有没有一种好方法可以将权限代码转换为可读文本 例如,将GR转换为通用读取等C# 在.NET中将SDDL转换为可读文本,c#,.net,C#,.net,在.NET中,有没有一种好方法可以将权限代码转换为可读文本 例如,将GR转换为通用读取等 感谢下面是我用来解析SDDL并生成人类可读输出的类: class SDDLParser { static private Dictionary<string, string> ACE_Types = null; static private Dictionary<string, string> ACE_Flags = null; static private
感谢下面是我用来解析SDDL并生成人类可读输出的类:
class SDDLParser
{
static private Dictionary<string, string> ACE_Types = null;
static private Dictionary<string, string> ACE_Flags = null;
static private Dictionary<string, string> Permissions = null;
static private Dictionary<string, string> Trustee = null;
private static void Initialize()
{
ACE_Types = new Dictionary<string, string>();
ACE_Flags = new Dictionary<string, string>();
Permissions = new Dictionary<string, string>();
Trustee = new Dictionary<string, string>();
#region Add ACE_Types
ACE_Types.Add("A", "Access Allowed");
ACE_Types.Add("D", "Access Denied");
ACE_Types.Add("OA", "Object Access Allowed");
ACE_Types.Add("OD", "Object Access Denied");
ACE_Types.Add("AU", "System Audit");
ACE_Types.Add("AL", "System Alarm");
ACE_Types.Add("OU", "Object System Audit");
ACE_Types.Add("OL", "Object System Alarm");
#endregion
#region Add ACE_Flags
ACE_Flags.Add("CI", "Container Inherit");
ACE_Flags.Add("OI", "Object Inherit");
ACE_Flags.Add("NP", "No Propagate");
ACE_Flags.Add("IO", "Inheritance Only");
ACE_Flags.Add("ID", "Inherited");
ACE_Flags.Add("SA", "Successful Access Audit");
ACE_Flags.Add("FA", "Failed Access Audit");
#endregion
#region Add Permissions
#region Generic Access Rights
Permissions.Add("GA", "Generic All");
Permissions.Add("GR", "Generic Read");
Permissions.Add("GW", "Generic Write");
Permissions.Add("GX", "Generic Execute");
#endregion
#region Directory Access Rights
Permissions.Add("RC", "Read Permissions");
Permissions.Add("SD", "Delete");
Permissions.Add("WD", "Modify Permissions");
Permissions.Add("WO", "Modify Owner");
Permissions.Add("RP", "Read All Properties");
Permissions.Add("WP", "Write All Properties");
Permissions.Add("CC", "Create All Child Objects");
Permissions.Add("DC", "Delete All Child Objects");
Permissions.Add("LC", "List Contents");
Permissions.Add("SW", "All Validated Writes");
Permissions.Add("LO", "List Object");
Permissions.Add("DT", "Delete Subtree");
Permissions.Add("CR", "All Extended Rights");
#endregion
#region File Access Rights
Permissions.Add("FA", "File All Access");
Permissions.Add("FR", "File Generic Read");
Permissions.Add("FW", "File Generic Write");
Permissions.Add("FX", "File Generic Execute");
#endregion
#region Registry Key Access Rights
Permissions.Add("KA", "Key All Access");
Permissions.Add("KR", "Key Read");
Permissions.Add("KW", "Key Write");
Permissions.Add("KX", "Key Execute");
#endregion
#endregion
#region Add Trustee's
Trustee.Add("AO", "Account Operators");
Trustee.Add("RU", "Alias to allow previous Windows 2000");
Trustee.Add("AN", "Anonymous Logon");
Trustee.Add("AU", "Authenticated Users");
Trustee.Add("BA", "Built-in Administrators");
Trustee.Add("BG", "Built in Guests");
Trustee.Add("BO", "Backup Operators");
Trustee.Add("BU", "Built-in Users");
Trustee.Add("CA", "Certificate Server Administrators");
Trustee.Add("CG", "Creator Group");
Trustee.Add("CO", "Creator Owner");
Trustee.Add("DA", "Domain Administrators");
Trustee.Add("DC", "Domain Computers");
Trustee.Add("DD", "Domain Controllers");
Trustee.Add("DG", "Domain Guests");
Trustee.Add("DU", "Domain Users");
Trustee.Add("EA", "Enterprise Administrators");
Trustee.Add("ED", "Enterprise Domain Controllers");
Trustee.Add("WD", "Everyone");
Trustee.Add("PA", "Group Policy Administrators");
Trustee.Add("IU", "Interactively logged-on user");
Trustee.Add("LA", "Local Administrator");
Trustee.Add("LG", "Local Guest");
Trustee.Add("LS", "Local Service Account");
Trustee.Add("SY", "Local System");
Trustee.Add("NU", "Network Logon User");
Trustee.Add("NO", "Network Configuration Operators");
Trustee.Add("NS", "Network Service Account");
Trustee.Add("PO", "Printer Operators");
Trustee.Add("PS", "Self");
Trustee.Add("PU", "Power Users");
Trustee.Add("RS", "RAS Servers group");
Trustee.Add("RD", "Terminal Server Users");
Trustee.Add("RE", "Replicator");
Trustee.Add("RC", "Restricted Code");
Trustee.Add("SA", "Schema Administrators");
Trustee.Add("SO", "Server Operators");
Trustee.Add("SU", "Service Logon User");
#endregion
}
private static string friendlyTrusteeName(string trustee)
{
if (Trustee.Keys.Contains(trustee))
{
return Trustee[trustee];
}
else
{
try
{
System.Security.Principal.SecurityIdentifier sid = new System.Security.Principal.SecurityIdentifier(trustee);
return sid.Translate(typeof(System.Security.Principal.NTAccount)).ToString();
}
catch (Exception)
{
return trustee;
}
}
}
private static string doParse(string subSDDL, string Separator, string Separator2)
{
string retval = "";
char type = subSDDL.ToCharArray()[0];
if (type == 'O')
{
string owner = subSDDL.Substring(2);
return "Owner: " + friendlyTrusteeName(owner) + Separator;
}
else if (type == 'G')
{
string group = subSDDL.Substring(2);
return "Group: " + friendlyTrusteeName(group) + Separator;
}
else if ((type == 'D') || (type == 'S'))
{
if (type == 'D')
{
retval += "DACL" + Separator;
}
else
{
retval += "SACL" + Separator;
}
string[] sections = subSDDL.Split('(');
for (int count = 1; count < sections.Length; count++)
{
retval += "# " + count.ToString() + " of " + (sections.Length - 1).ToString() + Separator;
string[] parts = sections[count].TrimEnd(')').Split(';');
retval += "";
if (ACE_Types.Keys.Contains(parts[0]))
{
retval += Separator2 + "Type: " + ACE_Types[parts[0]] + Separator;
}
if (ACE_Flags.Keys.Contains(parts[1]))
{
retval += Separator2 + "Inheritance: " + ACE_Flags[parts[1]] + Separator;
}
for (int count2 = 0; count2 < parts[2].Length; count2 += 2)
{
string perm = parts[2].Substring(count2, 2);
if (Permissions.Keys.Contains(perm))
{
if (count2 == 0)
{
retval += Separator2 + "Permissions: " + Permissions[perm];
}
else
{
retval += "|" + Permissions[perm];
}
}
}
retval += Separator;
retval += Separator2 + "Trustee: " + friendlyTrusteeName(parts[5]) + Separator;
}
}
return retval;
}
public static string Parse(string SDDL)
{
return Parse(SDDL, "\r\n", "\t");
}
public static string Parse(string SDDL, string Separator, string Separator2)
{
string retval = "";
if (ACE_Types == null)
{
Initialize();
}
int startindex = 0;
int nextindex = 0;
int first = 0;
string section;
while (true)
{
first = SDDL.IndexOf(':', nextindex) - 1;
startindex = nextindex;
if (first < 0)
{
break;
}
if (first != 0)
{
section = SDDL.Substring(startindex - 2, first - startindex + 2);
retval += doParse(section, Separator, Separator2);
}
nextindex = first + 2;
}
section = SDDL.Substring(startindex - 2);
retval += doParse(section, Separator, Separator2);
return retval;
}
}
类SDDLParser
{
静态专用字典ACE_Types=null;
静态专用字典ACE_Flags=null;
静态私有字典权限=null;
静态私有字典受托方=null;
私有静态void Initialize()
{
ACE_Types=新字典();
ACE_Flags=新字典();
权限=新建字典();
受托人=新字典();
#区域添加ACE_类型
ACE_类型。添加(“A”,“允许访问”);
添加(“D”、“拒绝访问”);
添加(“OA”,“允许对象访问”);
添加(“OD”、“拒绝对象访问”);
ACE_类型。添加(“AU”、“系统审计”);
ACE_类型。添加(“AL”、“系统报警”);
ACE_类型。添加(“OU”,“对象系统审计”);
ACE_类型。添加(“OL”,“对象系统报警”);
#端区
#区域添加ACE_标志
添加(“CI”、“容器继承”);
添加(“OI”、“对象继承”);
ACE_标志。添加(“NP”、“无传播”);
ACE_标志。添加(“IO”、“仅继承”);
ACE_标志。添加(“ID”、“继承”);
添加(“SA”,“成功访问审核”);
ACE_标志。添加(“FA”,“访问审核失败”);
#端区
#区域添加权限
#区域通用访问权限
权限。添加(“GA”、“通用所有”);
权限。添加(“GR”、“通用读取”);
权限。添加(“GW”、“通用写入”);
权限。添加(“GX”、“通用执行”);
#端区
#区域目录访问权限
权限。添加(“RC”、“读取权限”);
权限。添加(“SD”、“删除”);
权限。添加(“WD”、“修改权限”);
权限。添加(“WO”、“修改所有者”);
权限。添加(“RP”,“读取所有属性”);
权限。添加(“WP”、“写入所有属性”);
添加(“CC”,“创建所有子对象”);
权限。添加(“DC”,“删除所有子对象”);
权限。添加(“LC”,“列出内容”);
权限。添加(“软件”、“所有已验证的写入”);
权限。添加(“LO”、“列表对象”);
权限。添加(“DT”,“删除子树”);
权限。添加(“CR”、“所有扩展权限”);
#端区
#区域文件访问权限
权限。添加(“FA”、“文件所有访问权限”);
权限。添加(“FR”,“文件通用读取”);
权限。添加(“FW”,“文件通用写入”);
权限。添加(“FX”、“文件通用执行”);
#端区
#区域注册表项访问权限
权限。添加(“KA”,“键入所有访问权限”);
权限。添加(“KR”、“密钥读取”);
权限。添加(“KW”、“密钥写入”);
权限。添加(“KX”、“密钥执行”);
#端区
#端区
#区域添加受托人的
受托人。添加(“AO”,“账户运营商”);
添加(“RU”,“允许以前的Windows 2000使用的别名”);
添加(“匿名登录”);
添加(“AU”、“认证用户”);
添加(“BA”,“内置管理员”);
受托人。添加(“BG”、“内置来宾”);
添加(“BO”、“备份运营商”);
添加(“BU”,“内置用户”);
添加(“CA”、“证书服务器管理员”);
受托人。添加(“CG”、“创造者集团”);
受托人。添加(“共同”、“创造者和所有者”);
添加(“DA”、“域管理员”);
受托人。添加(“DC”、“域计算机”);
添加(“DD”、“域控制器”);
受托人。添加(“DG”、“域客户”);
添加(“DU”、“域用户”);
受托人。添加(“EA”、“企业管理员”);
添加(“ED”、“企业域控制器”);
受托人。添加(“WD”、“所有人”);
受托人。添加(“PA”、“集团策略管理员”);
添加(“IU”,“交互登录用户”);
受托人。添加(“LA”,“本地管理人”);
受托人。添加(“LG”,“本地客人”);
受托人。添加(“LS”,“本地服务账户”);
添加(“SY”、“本地系统”);
添加(“NU”,“网络登录用户”);
添加(“否”、“网络配置运营商”);
受托人。添加(“NS”,“网络服务账户”);
添加(“采购订单”、“打印机操作员”);
受托人。添加(“PS”、“Self”);
受托人。添加(“PU”、“电力用户”);
添加(“RS”、“RAS服务器组”);
添加(“RD”,“终端服务器用户”);
受托人。添加(“RE”、“Replicator”);
增加(“RC”、“限制性代码”);
添加(“SA”、“架构管理员”);
添加(“SO”、“服务器运营商”);
添加(“SU”,“服务登录用户”);
#端区
}
私有静态字符串friendlyTrusteeName(字符串受托人)
{
if(受托人密钥包含(受托人))
{
申报受托人[受托人];
}
其他的
{
尝试
{
System.Security.Principal.SecurityIdentifier sid=新的System.Security.Principal.SecurityIdentifier(受托人);
返回sid.Translate(typeof(System.Security.Principal.NTAccount)).ToString();
}
捕获(例外)
{
回报受托人;
}
}
}
私有静态字符串doParse(字符串子DDL、字符串分隔符、字符串分隔符2)
{
字符串retval=“”;
char type=subsdll.ToCharArray()[0];
如果(类型='O')
{
字符串所有者=子ddl.Substring(2);
返回“Owner:+friendlyTrusteeName(Owner)+分隔符;
}
else if(type='G')
{
字符串组=子ddl.Substring(2);
返回“Gro”
void Main()
{
var sddl = "O:SYG:SYD:(A;CI;0xf03bf;;;SY)(A;;CCLO;;;LS)(A;;CCLO;;;NS)(A;;0xf03bf;;;BA)(A;;CC;;;IU)S:NO_ACCESS_CONTROL";
SddlDecoder.DecodeString<FileSystemRights>(sddl).Dump("FileSystem");
SddlDecoder.DecodeString<RegistryRights>(sddl).Dump("Registry");
SddlDecoder.DecodeString<SemaphoreRights>(sddl).Dump("Semaphore");
}
// Define other methods and classes here
public static class SddlDecoder
{
private static readonly ConcurrentDictionary<Type, Dictionary<uint, string>> _rights
= new ConcurrentDictionary<Type, Dictionary<uint, string>>();
public static string DecodeString<TRightsEnum>(string sddl) where TRightsEnum : struct
{
var rightsEnumType = typeof(TRightsEnum);
if (!rightsEnumType.IsEnum ||
Marshal.SizeOf(Enum.GetUnderlyingType(rightsEnumType)) != 4 ||
!rightsEnumType.GetCustomAttributes(typeof(FlagsAttribute), true).Any())
{
throw new ArgumentException("TRightsEnum must be a 32-bit integer System.Enum with Flags attribute", "TRightsEnum");
}
else if (string.IsNullOrWhiteSpace(sddl))
throw new ArgumentNullException("sddl");
var descriptor = new RawSecurityDescriptor(sddl);
var rights = _rights.GetOrAdd(rightsEnumType,
t => Enum.GetValues(rightsEnumType)
.Cast<uint>()
.Where(n => n != 0 && (n & (n - 1)) == 0)
.Distinct()
.OrderBy(n => n)
.Select(v => new { v, n = Enum.GetName(rightsEnumType, v) })
.ToDictionary(x => x.v, x => x.n));
var builder = new StringBuilder();
builder.Append("Owner: ").AppendLine(SidToAccountName(descriptor.Owner));
builder.Append("Group: ").AppendLine(SidToAccountName(descriptor.Group));
if (descriptor.SystemAcl != null)
{
builder.AppendLine("System ACL:");
DecodeAclEntries(builder, descriptor.SystemAcl, rights);
}
if (descriptor.DiscretionaryAcl != null)
{
builder.AppendLine("Discretionary ACL:");
DecodeAclEntries(builder, descriptor.DiscretionaryAcl, rights);
}
return builder.ToString();
}
private static string SidToAccountName(SecurityIdentifier sid)
{
return (sid.IsValidTargetType(typeof(NTAccount)))
? ((NTAccount)sid.Translate(typeof(NTAccount))).Value
: sid.Value;
}
private static void DecodeAclEntries(StringBuilder builder, RawAcl acl, Dictionary<uint, string> rights)
{
var counter = 0;
foreach (var ace in acl)
{
builder.Append(" #")
.Append(++counter)
.Append(": ");
var knownAce = ace as KnownAce;
if (knownAce != null)
{
builder.Append(knownAce.AceType > AceType.MaxDefinedAceType
? "Custom Access"
: knownAce.AceType.ToString())
.Append(" for ")
.Append(SidToAccountName(knownAce.SecurityIdentifier));
if (knownAce.AceFlags != AceFlags.None)
{
builder.Append(" (")
.Append(knownAce.AceFlags)
.Append(')');
}
builder.AppendLine();
var mask = unchecked((uint)knownAce.AccessMask);
foreach (var r in rights.Keys)
{
if ((mask & r) == r)
{
builder.Append(" - ")
.AppendLine(rights[r]);
}
}
}
else builder.AppendLine("Unknown ACE");
}
}
}