Added calculation of service SIDs

lkarlslund · Jan 8, 2024 · 6ea7c30 · 6ea7c30
1 parent f81bcbc
commit 6ea7c30
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 2 deletions.
diff --git a/modules/windowssecurity/sid.go b/modules/windowssecurity/sid.go
@@ -1,12 +1,14 @@
 package windowssecurity
 
 import (
+	"crypto/sha1"
 	"encoding/binary"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"strconv"
 	"strings"
+	"unicode/utf16"
 	"unsafe"
 
 	"github.com/lkarlslund/adalanche/modules/dedup"
@@ -41,8 +43,8 @@ func BytesToSID(data []byte) (SID, []byte, error) {
 	if subauthoritycount > 15 {
 		return "", data, errors.New("SID subauthority count is more than 15")
 	}
-	length := 8 + 4*subauthoritycount
-	return SID(dedup.D.BS(data[2:length])), data[length:], nil
+	sidend := 8 + 4*subauthoritycount
+	return SID(dedup.D.BS(data[2:sidend])), data[sidend:], nil
 }
 
 func ParseStringSID(input string) (SID, error) {
@@ -86,6 +88,14 @@ func ParseStringSID(input string) (SID, error) {
 	return SID(dedup.D.S(string(sid))), nil
 }
 
+func MustParseStringSID(input string) SID {
+	sid, err := ParseStringSID(input)
+	if err != nil {
+		panic(err)
+	}
+	return sid
+}
+
 func (sid SID) IsNull() bool {
 	return sid == ""
 }
@@ -192,3 +202,15 @@ func SIDFromPtr(data uintptr) (SID, error) {
 	copy(sid, bytes[2:len(sid)])
 	return SID(sid), nil
 }
+
+// Calculate a Windows service SID by converting servicename to uppercase, converting to Unicode 16, running through SHA1, and then converting to SID
+func ServiceNameToServiceSID(servicename string) SID {
+	use := utf16.Encode([]rune(strings.ToUpper(servicename)))
+	rawbytes := (*[16384]byte)(unsafe.Pointer(&use[0]))[:len(use)*2]
+	huse := sha1.Sum(rawbytes)
+	var sidbytes [30]byte
+	sidbytes[5] = 5
+	sidbytes[6] = 80
+	copy(sidbytes[10:], huse[:])
+	return SID(sidbytes[:])
+}
diff --git a/modules/windowssecurity/sid_test.go b/modules/windowssecurity/sid_test.go
@@ -0,0 +1,29 @@
+package windowssecurity
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestServiceNameToServiceSID(t *testing.T) {
+	tests := []struct {
+		service string
+		want    SID
+	}{
+		{
+			service: "msiserver",
+			want:    MustParseStringSID("S-1-5-80-685333868-2237257676-1431965530-1907094206-2438021966"),
+		},
+		{
+			service: "RtkAudioUniversalService",
+			want:    MustParseStringSID("S-1-5-80-1164333642-2394958904-2405857294-3413162929-38257115"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.service, func(t *testing.T) {
+			if got := ServiceNameToServiceSID(tt.service); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("ServiceNameToServiceSID() = %v, want %v", got.String(), tt.want.String())
+			}
+		})
+	}
+}