hartl3y94 / secure2csv Goto Github PK
View Code? Open in Web Editor NEWThis project forked from jschicht/secure2csv
Decode security descriptors in $Secure on NTFS
License: Other
This project forked from jschicht/secure2csv
Decode security descriptors in $Secure on NTFS
License: Other
Introduction This is a parser for the $Secure system file on NTFS. The $Secure file basically contains all security descriptors used on the volume. Information about this file is found in MFT record number 9. The actual security descriptors are stored within a named data stream, $SDS. The OS uses 2 indexes, $SDH and $SII, for easy lookup in $SDS. The $SDH and $SII indexes are found as named streams for either $INDEX_ROOT or $INDEX_ALLOCATION attribute. These streams (when $INDEX_ALLOCATION) are thus so-called INDX records. There may also be $Bitmap attributes found within $Secure that relates to $SDH and $SII, but this is not really relevant for the decoded security descriptors. Details about security descriptors All files and folders in $MFT are linked to a security descriptor, by a SecurityId which is unique per volume. Security descriptors contain information to control access to objects (files/folders when concerning NTFS). From Microsoft (https://technet.microsoft.com/en-us/library/cc781716(v=ws.10).aspx): Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors, in turn, contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object’s security descriptor can contain two types of ACLs: • A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access • A system access control list (SACL) that controls how access is audited There's also numerous structures to handle. This is the top level one. typedef struct _SECURITY_DESCRIPTOR { UCHAR Revision; UCHAR Sbz1; SECURITY_DESCRIPTOR_CONTROL Control; PSID Owner; PSID Group; PACL Sacl; PACL Dacl; } SECURITY_DESCRIPTOR, *PISECURITY_DESCRIPTOR; In short, the Control field must contain the SE_SELF_RELATIVE bit mask. Owner and Group are pointers to SID structures. Sacl and Dacl are pointers to the respective data structures for system ACL and descretionary ACL. Any given security descriptor can therefore contain several sets of Type, Flags, SID's and access masks, as any ACL (SACL/DACL) may be constructed of several ACE's. So each security descriptor has at least 2 SID's (owner and primary group) and 1 per ACE (a trustee identified by a SID). In the output the exist 2 sets of the same type of variables, where the ones prefixed with S are for SACL and those prefixed with D are for DACL. About output All output will be prefixed with a timestamp, and written to same directory as program is launched from. The csv contains all the decoded security descriptors found in $SDS. See section about the explanation of output variables. When $SDH or $SII are chosen, the core INDX entries with fixups applied, are written to a separate file. Explanation of output variables: Offset: The offset of the descriptor in $SDS. SecurityDescriptorHash: Descriptor hash in big endian. SecurityId: The Id that can be mapped from MFT record. Control: Control access bit mask. SidOwner: This SID specifies the owner of the object to which the security descriptor is associated. SidGroup: This SID specifies the group of the object to which the security descriptor is associated. --SACL SAclRevision: The revision of the ACL. SAceCount: The number of ACE records in the ACL. SAceType: A bit mask for the ACE type. SAceFlags: A bit mask for a set of ACE type-specific control flags. * SAceMask: A bit mask specifying the suer rights allowed/disallowed by this ACE. SAceObjectFlags: A bit flag that indicate whether the ObjectType and InheritedObjectType fields contain valid data. SAceObjectType: A GUID that identifies a property set, property, extended right, or type of child object. SAceInheritedObjectType: A GUID that identifies the type of child object that can inherit the ACE. SAceSIDofTrustee: The SID of a trustee. --DACL DAclRevision: The revision of the ACL. DAceCount: The number of ACE records in the ACL. DAceType: A bit mask for the ACE type. DAceFlags: A bit mask for a set of ACE type-specific control flags. * DAceMask: A bit mask specifying the suer rights allowed/disallowed by this ACE. SAceObjectFlags: A bit flag that indicate whether the ObjectType and InheritedObjectType fields contain valid data. DAceObjectType: A GUID that identifies a property set, property, extended right, or type of child object. DAceInheritedObjectType: A GUID that identifies the type of child object that can inherit the ACE. DAceSIDofTrustee: The SID of a trustee. * Depending on the bitmask for the flag, the object type fields may or may not be in use. Usage The gui is quite intuitive. An $SDS file is mandatory. Supplying either $SDH or $SII as input will speed up the processing due to the format of $SDS which contains 2 sets of all descriptors. There's an option to specify output directory. It is possible to specify the default output variable separator, as well as the ACE separator which must be different than the other one (see explanation above for why there will be several ACE's). Command line use If no parameters are supplied, the GUI will by default launch. Valid switches are: Switches: /SDSFile: Target $SDS file. Mandatory. /SDHFile: Target $SDH file. Optional. /SIIFile: Target $SII file. Optional. /OutputPath: The output path to write all output to. Optional. Defaults to program directory. /Separator: The separator to use in the csv. Default is | /AceSeparator: The separator to distinguish ace's in the csv. Default is : Examples: Secure2Csv.exe /SDSFile:c:\temp\$Secure[ADS_$SDS] /OutputPath:c:\temp Secure2Csv.exe /SDSFile:c:\temp\$Secure[ADS_$SDS] /SIIFile:c:\temp\$Secure_9_$INDEX_ALLOCATION_$SII.bin /OutputPath:c:\temp Secure2Csv.exe /SDSFile:c:\temp\$Secure[ADS_$SDS] /OutputPath:c:\temp /Separator:% /AceSeparator:! Note The file $Secure[ADS_$SDS] and $Secure_9_$INDEX_ALLOCATION_$SII.bin are the two of default output when using RawCopy (https://github.com/jschicht/RawCopy) to extract mft ref 9 with a command such as "rawcopy.exe c:9 c:\temp -AllAttr" ExtractAllAttributes (https://github.com/jschicht/ExtractAllAttributes) can also be used to extract mft ref 9, but will produce slightly different filenames in the output.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.