解读RtlCreateServiceSid — decompiled WRP registry-key protection check (IsKeyProtected → IsWrpKeyDescriptor → InitTrustedSid)
//----- (0000000180003E40)----------------------------------------------------
// Decompiled (IDA pseudocode) Windows Resource Protection helper.
// Reports whether the registry key identified by hKey (plus an optional
// subkey path) carries the WRP/TrustedInstaller DACL shape checked by
// IsWrpKeyDescriptor. If the exact subkey does not exist, the path is
// walked upward one backslash-delimited component at a time until an
// existing ancestor opens (only ERROR_FILE_NOT_FOUND triggers the retry;
// any other open error is returned to the caller unchanged).
//
// a2 - optional subkey path; the decompiler dropped the source argument of
//      the RtlCreateUnicodeString call below, presumably a2 is that source.
// a3 - flags; only KEY_WOW64_64KEY / KEY_WOW64_32KEY (0x300) are honoured.
// a4 - out: cleared on entry, set to IsWrpKeyDescriptor's result on success.
// Returns a Win32 error code (0 on success).
//
// NOTE(review): as listed, RegGetKeySecurity reads v6 (the caller's hKey),
// not the handle opened into hKeya, and hKeya is never closed. That reads
// like an excerpt/decompilation artefact rather than the real control flow;
// confirm against the binary before relying on which key is actually checked.
// NOTE(review): the LocalAlloc size argument shows as 0 here; in the real
// code it must be cbSecurityDescriptor (the size returned by the probe call).
__int64 __fastcall IsKeyProtected(HKEYhKey, __int64 a2, __int16 a3, _DWORD *a4)
{
hKeya =0i64;
v4 =a4;
v5 =a3;
v6 =hKey;
v7 =0i64;
UnicodeString = {0 };
cbSecurityDescriptor = 0;
*a4= 0;
if (a2 )
{
// RtlCreateUnicodeString returns BOOLEAN; FALSE means the copy could not be allocated
if (!(unsigned__int8)RtlCreateUnicodeString(&UnicodeString) )
{
LABEL_3:
v8 =8; // ERROR_NOT_ENOUGH_MEMORY
goto LABEL_18;
}
v9 =UnicodeString.Buffer;
LODWORD(v10) = (unsigned int)UnicodeString.Length>> 1; // Length is in bytes; v10 is the WCHAR count
v11 =v5 & 0x300| 0x20019; // KEY_READ plus any WOW64 redirection flag from a3
do
{
v12 =RegOpenKeyExW(v6, v9, 0, v11, &hKeya);
v8 =v12;
if (!v12 )
break;
if (v12 != 2) // anything other than ERROR_FILE_NOT_FOUND is fatal
goto LABEL_18;
if (!(_DWORD)v10 )
break;
v9 =UnicodeString.Buffer;
// scan backwards for the last L'\\' (92) and cut the path there
while ( 1 )
{
v10 =(unsigned int)(v10 - 1);
if ( UnicodeString.Buffer[v10] == 92 )
break;
if ( !(_DWORD)v10 )
goto LABEL_13;
}
UnicodeString.Buffer[v10] = 0;
v9 =UnicodeString.Buffer;
LABEL_13:
;
}
while ((_DWORD)v10);
}
// 5 == OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION; first call probes the size
v8 =RegGetKeySecurity(v6, 5u, 0i64, &cbSecurityDescriptor);
if (v8 == 122) // 122 == ERROR_INSUFFICIENT_BUFFER: the data area passed to the system call is too small.
{
v7 =LocalAlloc(0x40u, 0i64); // 0x40 == LMEM_FIXED | LMEM_ZEROINIT (LPTR)
if (!v7 )
goto LABEL_3;
v8 =RegGetKeySecurity(v6, 5u, v7, &cbSecurityDescriptor);
if (!v8 )
*v4= IsWrpKeyDescriptor(v7); // 1 only if the DACL has the TrustedInstaller/WRP shape
}
LABEL_18:
if (v7 )
LocalFree(v7);
if (UnicodeString.Buffer )
RtlFreeUnicodeString(&UnicodeString);
return (unsignedint)v8;
}
//----- (0000000180003FC4)----------------------------------------------------
// Decompiled WRP predicate: returns 1 when the descriptor's DACL has the
// "protected by TrustedInstaller" shape, 0 otherwise (0 also covers every
// failure path: no TI SID, no DACL, GetAclInformation failure, empty ACL).
//
// pAce is read as an ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE layout:
//   *(_BYTE *)pAce          -> Header.AceType (0 = ACCESS_ALLOWED, 1 = ACCESS_DENIED)
//   *((_DWORD *)pAce + 1)   -> Mask
//   (char *)pAce + 8        -> SidStart
// Per-ACE rules:
//   - TI ALLOW with Mask == GENERIC_ALL (0x10000000) or KEY_ALL_ACCESS
//     (0xF003F == 983103)                          -> remember (v2 = 1)
//   - TI DENY of any mask                          -> not protected, stop
//   - TI ALLOW with a partial mask                 -> ignored
//   - any other SID ALLOW whose Mask intersects 0x500D0006
//     (GENERIC_WRITE | GENERIC_ALL | WRITE_OWNER | WRITE_DAC | DELETE |
//      KEY_SET_VALUE | KEY_CREATE_SUB_KEY)         -> not protected, stop
// The result is 1 only if a full-control TI allow ACE was seen and no ACE
// triggered the early exit.
//
// NOTE(review): a GetAce failure for one index is silently skipped, ACE
// header flags (e.g. INHERIT_ONLY_ACE) are not consulted, and the owner
// field is never examined. These make the check fail "closed" (0), but
// keep them in mind when interpreting a 0 on a key you expect to be WRP'd.
__int64 __fastcall IsWrpKeyDescriptor(PSECURITY_DESCRIPTORpSecurityDescriptor)
{
pDacl =0i64;
pAclInformation = 0;
v12 =0i64;
v1 =0;
v2 =0;
v3 =pSecurityDescriptor;
v4 =InitTrustedSid(); // LocalAlloc'd TrustedInstaller service SID; freed at LABEL_20
if (v4 )
{
if (GetSecurityDescriptorDacl(v3, &bDaclPresent, &pDacl,&bDaclDefaulted) )
{
if (pDacl ) // NULL DACL (everyone full control) is treated as unprotected
{
// 0xC == sizeof(ACL_SIZE_INFORMATION); the decompiler collapsed it to AceCount only
if ( GetAclInformation(pDacl, &pAclInformation, 0xCu, AclSizeInformation) )
{
if ( pAclInformation )
{
v5 = 0;
if ( pAclInformation >0 )
{
do
{
if ( GetAce(pDacl,v5, &pAce))
{
// compare the ACE's SidStart against the TrustedInstaller SID
if ( (unsigned__int8)RtlEqualSid(v4, (char*)pAce+ 8) )
{
// anything but "ALLOW with full control" for TI
if ( *(_BYTE *)pAce || *((_DWORD *)pAce + 1) != 0x10000000 &&*((_DWORD*)pAce+ 1) != 983103 )
{
if ( *(_BYTE *)pAce == 1 ) // an explicit DENY for TI disqualifies the key
gotoLABEL_20;
}
else
{
v2 = 1; // full-control TI allow ACE found
}
}
// another principal is ALLOWed a write-class right
else if ( !*(_BYTE *)pAce &&*((_DWORD*)pAce+ 1) & 0x500D0006 )
{
goto LABEL_20;
}
}
++v5;
}
while ( v5 <pAclInformation );
if ( v2 )
v1 = 1;
}
}
}
}
}
LABEL_20:
LocalFree(v4);
}
return (unsignedint)v1;
}
//----- (0000000180006660)----------------------------------------------------
// Builds the SID for the "TrustedInstaller" service via RtlCreateServiceSid,
// using the usual two-call pattern: probe with a NULL buffer to learn the
// required size, allocate, then fill. (RtlCreateServiceSid is presumably the
// documented name-derived S-1-5-80-... service SID — the listing itself does
// not show how the SID is computed.)
//
// Returns a LocalAlloc'd PSID the caller must LocalFree, or NULL. On a
// failing NTSTATUS the last error is set to RtlNtStatusToDosError(status);
// a non-failing status other than STATUS_BUFFER_TOO_SMALL on the probe also
// returns NULL, but without touching the last error.
void *InitTrustedSid()
{
DestinationString = { 0 };
LODWORD(uBytes) = 0;
RtlInitUnicodeString(&DestinationString,L"TrustedInstaller");
v0 =RtlCreateServiceSid(&DestinationString, 0i64, &uBytes); // probe: uBytes receives the needed size
if (v0 == -1073741789 ) // 0xC0000023 == STATUS_BUFFER_TOO_SMALL
{
v1 =LocalAlloc(0,(unsigned int)uBytes); // 0 == LMEM_FIXED
v2 =v1;
v0 =-1073741801; // 0xC0000017 == STATUS_NO_MEMORY, reported if the allocation failed
if (!v1 )
{
LABEL_7:
v4 =RtlNtStatusToDosError((unsigned int)v0);
SetLastError(v4);
return 0i64;
}
v0 =RtlCreateServiceSid(&DestinationString, v1, &uBytes);
if (v0 >= 0) // NT_SUCCESS
return v2;
LocalFree(v2);
}
if (v0 < 0)
goto LABEL_7;
return 0i64;
}