1377 lines
50 KiB
C++
1377 lines
50 KiB
C++
|
//+---------------------------------------------------------------------------
|
||
|
//
|
||
|
// Microsoft Windows
|
||
|
// Copyright(C) 2002 Microsoft Corporation
|
||
|
//
|
||
|
// File: sysprep.cxx
|
||
|
//
|
||
|
//----------------------------------------------------------------------------
|
||
|
|
||
|
#include "..\pch\headers.hxx"
|
||
|
#include "security.hxx"
|
||
|
#include "sysprep.hxx"
|
||
|
|
||
|
static WCHAR gwszSysprepKey[] = L"TSSK"; // Task Scheduler Sysprep Key
|
||
|
static WCHAR gwszSysprepIdentity[] = L"TSSI"; // Task Scheduler Sysprep Identity Data
|
||
|
|
||
|
// needed by ScavengeSASecurityDBase
|
||
|
extern SERVICE_STATUS g_SvcStatus;
|
||
|
#define SERVICE_RUNNING 0x00000004
|
||
|
|
||
|
//+---------------------------------------------------------------------------
|
||
|
//
|
||
|
// Function: GetUniqueSPSName
|
||
|
//
|
||
|
// Synopsis: calls NewWorkItem a few times trying to get a unique file name out of it
|
||
|
//
|
||
|
// Arguments: ITaskScheduler *pITaskScheduler, IUnknown** pITask
|
||
|
// WCHAR* pwszTaskName, to receive the name that was actually
|
||
|
// used in the creation of the task
|
||
|
//
|
||
|
// Returns: Various HRESULTs
|
||
|
//
|
||
|
// Notes: None.
|
||
|
//
|
||
|
//----------------------------------------------------------------------------
|
||
|
HRESULT GetUniqueSPSName(ITaskScheduler* pITaskScheduler, ITask** ppITask, WCHAR* pwszTaskName)
|
||
|
{
|
||
|
HRESULT hr = E_FAIL;
|
||
|
|
||
|
// okay, so we're not distinguishing between errors, code's simpler
|
||
|
// and the only expectable error is "already exists"
|
||
|
for (int i = 0; (i < 16) && FAILED(hr); i++)
|
||
|
{
|
||
|
if (FAILED(StringCchPrintf(pwszTaskName, 20, L"$~$Sys%X$", i)))
|
||
|
break;
|
||
|
|
||
|
hr = pITaskScheduler->NewWorkItem(pwszTaskName,
|
||
|
CLSID_CTask,
|
||
|
IID_ITask,
|
||
|
(IUnknown**)ppITask);
|
||
|
}
|
||
|
|
||
|
return hr;
|
||
|
}
|
||
|
|
||
|
//+---------------------------------------------------------------------------
|
||
|
//
|
||
|
// Function: PrepSysPrepTask
|
||
|
//
|
||
|
// Synopsis: Creates a task to be run which will call run the sysprep
|
||
|
// code in the local system account
|
||
|
//
|
||
|
// Arguments: Task** ppITaskToRun, to receive pointer to ITask interface
|
||
|
// task is to activated by calling the Run() method
|
||
|
// WCHAR* pwszTaskName, to receive the name that was actually
|
||
|
// used in the creation of the task
|
||
|
//
|
||
|
// Returns: Various HRESULTs
|
||
|
//
|
||
|
// Notes: None.
|
||
|
//
|
||
|
//----------------------------------------------------------------------------
|
||
|
HRESULT PrepSysPrepTask(ITask** ppITaskToRun, WCHAR* pwszTaskName)
|
||
|
{
|
||
|
HRESULT hr = E_FAIL;
|
||
|
WCHAR applicationName[MAX_PATH +1];
|
||
|
WCHAR argument[MAX_PATH +20];
|
||
|
DWORD expandedSize;
|
||
|
|
||
|
expandedSize = ExpandEnvironmentStrings(L"\"%SystemRoot%\\System32\\rundll32.exe\"", applicationName, MAX_PATH +1);
|
||
|
if ((0 == expandedSize) || expandedSize > (MAX_PATH +1))
|
||
|
return HRESULT_FROM_WIN32(GetLastError());
|
||
|
|
||
|
expandedSize = ExpandEnvironmentStrings(L"\"%SystemRoot%\\System32\\SchedSvc.dll\",SysPrepCallback", argument, MAX_PATH +20);
|
||
|
if ((0 == expandedSize) || expandedSize > (MAX_PATH +1))
|
||
|
return HRESULT_FROM_WIN32(GetLastError());
|
||
|
|
||
|
TASK_TRIGGER tigger;
|
||
|
tigger.wStartHour = 10;
|
||
|
tigger.wStartMinute = 20;
|
||
|
tigger.wBeginYear = 1957;
|
||
|
tigger.wBeginMonth = 6;
|
||
|
tigger.wBeginDay = 14;
|
||
|
|
||
|
tigger.wEndYear = 2001;
|
||
|
tigger.wEndMonth = 10;
|
||
|
tigger.wEndDay = 8 ;
|
||
|
tigger.MinutesDuration = 0;
|
||
|
tigger.MinutesInterval = 0;
|
||
|
tigger.rgFlags = 0;
|
||
|
tigger.TriggerType = TASK_TIME_TRIGGER_ONCE;
|
||
|
tigger.Reserved2 = 0;
|
||
|
tigger.wRandomMinutesInterval = 0;
|
||
|
tigger.cbTriggerSize = sizeof(TASK_TRIGGER);
|
||
|
tigger.Reserved1 = 0;
|
||
|
|
||
|
ITaskScheduler *pITaskScheduler = NULL;
|
||
|
ITask *pITask = NULL;
|
||
|
IPersistFile *pIPersistFile = NULL;
|
||
|
ITaskTrigger* pTrigger = NULL;
|
||
|
WORD idontcare;
|
||
|
|
||
|
hr = CoCreateInstance( CLSID_CTaskScheduler, NULL, CLSCTX_INPROC_SERVER, IID_ITaskScheduler, (void**)&pITaskScheduler);
|
||
|
if (SUCCEEDED(hr) &&
|
||
|
SUCCEEDED(hr = GetUniqueSPSName(pITaskScheduler, &pITask, pwszTaskName)) &&
|
||
|
SUCCEEDED(hr = pITask->SetApplicationName(applicationName)) &&
|
||
|
SUCCEEDED(hr = pITask->SetParameters(argument)) &&
|
||
|
SUCCEEDED(hr = pITask->SetFlags(TASK_FLAG_DELETE_WHEN_DONE | TASK_FLAG_DISABLED)) &&
|
||
|
SUCCEEDED(hr = pITask->SetAccountInformation(L"", NULL)) &&
|
||
|
SUCCEEDED(hr = pITask->CreateTrigger(&idontcare, &pTrigger)) &&
|
||
|
SUCCEEDED(hr = pTrigger->SetTrigger(&tigger)) &&
|
||
|
SUCCEEDED(hr = pITask->QueryInterface(IID_IPersistFile, (void **)&pIPersistFile)) &&
|
||
|
SUCCEEDED(hr = pIPersistFile->Save(NULL, TRUE)))
|
||
|
{
|
||
|
// return it to the caller
|
||
|
*ppITaskToRun = pITask;
|
||
|
}
|
||
|
else
|
||
|
if (pITask)
|
||
|
pITask->Release();
|
||
|
|
||
|
if (pITaskScheduler)
|
||
|
pITaskScheduler->Release();
|
||
|
|
||
|
if (pIPersistFile)
|
||
|
pIPersistFile->Release();
|
||
|
|
||
|
if (pTrigger)
|
||
|
pTrigger->Release();
|
||
|
|
||
|
return hr;
|
||
|
}
|
||
|
|
||
|
//+---------------------------------------------------------------------------
|
||
|
//
|
||
|
// Function: SaveSysprepInfo
|
||
|
//
|
||
|
// Synopsis: Saves job identity and credential key information prior to Sysprep
|
||
|
// so that it can be used to convert old data after Sysprep.
|
||
|
//
|
||
|
// Arguments: None.
|
||
|
//
|
||
|
// Returns: HRESULT
|
||
|
//
|
||
|
//----------------------------------------------------------------------------
|
||
|
HRESULT SaveSysprepInfo(void)
|
||
|
{
|
||
|
//
|
||
|
// Initialize security
|
||
|
//
|
||
|
InitSS();
|
||
|
SetMysteryDWORDValue();
|
||
|
|
||
|
HRESULT hr = PreProcessNetScheduleJobs();
|
||
|
if (FAILED(hr))
|
||
|
{
|
||
|
// ignore, we still need to do the other processing
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// Obtain a provider handle to the CSP (for use with Crypto API).
|
||
|
//
|
||
|
HCRYPTPROV hCSP = NULL;
|
||
|
hr = GetCSPHandle(&hCSP);
|
||
|
if (SUCCEEDED(hr))
|
||
|
{
|
||
|
if (hCSP)
|
||
|
{
|
||
|
//
|
||
|
// We've got the handle, now save the important stuff
|
||
|
//
|
||
|
hr = SaveSysprepKeyInfo(hCSP);
|
||
|
if (SUCCEEDED(hr))
|
||
|
{
|
||
|
hr = SaveSysprepIdentityInfo(hCSP);
|
||
|
}
|
||
|
|
||
|
CloseCSPHandle(hCSP);
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
hr = E_FAIL;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// Done doing security stuff
|
||
|
//
|
||
|
UninitSS();
|
||
|
|
||
|
if (FAILED(hr))
|
||
|
{
|
||
|
CHECK_HRESULT(hr);
|
||
|
}
|
||
|
|
||
|
return hr;
|
||
|
}
|
||
|
|
||
|
//+---------------------------------------------------------------------------
|
||
|
//
|
||
|
// Function: SaveSysprepKeyInfo
|
||
|
//
|
||
|
// Synopsis: Stores the computed CredentialKey as a secret prior to sysprep so that it can be
|
||
|
// retrieved and used to decrypt credentials after sysprep, so those credentials may
|
||
|
// be encrypted again using the post-sysprep key.
|
||
|
//
|
||
|
// Arguments: hCSP - handle to the crypto service provider
|
||
|
//
|
||
|
// Returns: HRESULT
|
||
|
//
|
||
|
//----------------------------------------------------------------------------
|
||
|
HRESULT SaveSysprepKeyInfo(HCRYPTPROV hCSP)
|
||
|
{
|
||
|
//
|
||
|
// Generate the encryption key
|
||
|
//
|
||
|
RC2_KEY_INFO RC2KeyInfo;
|
||
|
HRESULT hr = ComputeCredentialKey(hCSP, &RC2KeyInfo);
|
||
|
if (SUCCEEDED(hr))
|
||
|
{
|
||
|
//
|
||
|
// Write the key to LSA
|
||
|
//
|
||
|
hr = WriteLsaData(sizeof(gwszSysprepKey), gwszSysprepKey, sizeof(RC2KeyInfo), (BYTE*)&RC2KeyInfo);
|
||
|
}
|
||
|
return hr;
|
||
|
}
|
||
|
|
||
|
//+---------------------------------------------------------------------------
|
||
|
//
|
||
|
// Function: SaveSysprepIdentityInfo
|
||
|
//
|
||
|
// Synopsis: Obtains the credential index and NULL password setting for each
|
||
|
// existing job identity and stores that information along with the
|
||
|
// associated filename in an LSA secret so that the identities can
|
||
|
// be rehashed and stored in the identity database, postsysprep,
|
||
|
// still associated with the correct credential.
|
||
|
//
|
||
|
// Arguments: hCSP - handle to the crypto service provider
|
||
|
//
|
||
|
// Returns: HRESULT
|
||
|
//
|
||
|
//----------------------------------------------------------------------------
|
||
|
HRESULT SaveSysprepIdentityInfo(HCRYPTPROV hCSP)
|
||
|
{
|
||
|
WCHAR* pwszTasksFolder = NULL;
|
||
|
HANDLE hFileEnum = INVALID_HANDLE_VALUE;
|
||
|
DWORD cbSAI;
|
||
|
DWORD cbSAC;
|
||
|
BYTE* pbSAI = NULL;
|
||
|
BYTE* pbSAC = NULL;
|
||
|
|
||
|
//
|
||
|
// First, read the security database so we can do the lookups
|
||
|
//
|
||
|
HRESULT hr = ReadSecurityDBase(&cbSAI, &pbSAI, &cbSAC, &pbSAC);
|
||
|
if (SUCCEEDED(hr))
|
||
|
{
|
||
|
if (cbSAI <= SAI_HEADER_SIZE)
|
||
|
{
|
||
|
//
|
||
|
// Database empty, nothing to do.
|
||
|
//
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
//
|
||
|
// Enumerate job objects in the task's folder directory.
|
||
|
//
|
||
|
hr = GetTasksFolder(&pwszTasksFolder);
|
||
|
if (SUCCEEDED(hr))
|
||
|
{
|
||
|
WCHAR wszSearchPath[MAX_PATH + 1];
|
||
|
hr = StringCchCopy(wszSearchPath, MAX_PATH + 1, pwszTasksFolder);
|
||
|
if (SUCCEEDED(hr))
|
||
|
{
|
||
|
hr = StringCchCat(wszSearchPath, MAX_PATH + 1, EXTENSION_WILDCARD TSZ_JOB);
|
||
|
if (SUCCEEDED(hr))
|
||
|
{
|
||
|
WIN32_FIND_DATA fd;
|
||
|
DWORD dwRet = 0;
|
||
|
if ((hFileEnum = FindFirstFile(wszSearchPath, &fd)) == INVALID_HANDLE_VALUE)
|
||
|
{
|
||
|
//
|
||
|
// Either no jobs (this is OK), or an error occurred.
|
||
|
//
|
||
|
dwRet = GetLastError();
|
||
|
if (dwRet != ERROR_FILE_NOT_FOUND)
|
||
|
hr = _HRESULT_FROM_WIN32(dwRet);
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
//
|
||
|
// Must concatenate the filename returned from the enumeration onto the folder path
|
||
|
// before computing the hash. Prepare for doing that repeatedly by taking the path,
|
||
|
// adding a slash, and remembering the next character position.
|
||
|
//
|
||
|
hr = StringCchCopy(wszSearchPath, MAX_PATH + 1, pwszTasksFolder);
|
||
|
if (SUCCEEDED(hr))
|
||
|
{
|
||
|
DWORD iConcatenation = lstrlenW(pwszTasksFolder);
|
||
|
wszSearchPath[iConcatenation++] = L'\\';
|
||
|
|
||
|
//
|
||
|
// Allocate buffer used to collect identity data that will be written to the LSA secret
|
||
|
//
|
||
|
BYTE rgbIdentityData[MAX_SECRET_SIZE];
|
||
|
BYTE* pbCurrentData = (BYTE*)&rgbIdentityData;
|
||
|
DWORD cbIdentityData = 0;
|
||
|
|
||
|
//
|
||
|
// Process each found file
|
||
|
//
|
||
|
BYTE rgbIdentity[HASH_DATA_SIZE];
|
||
|
BOOL bIsPasswordNull;
|
||
|
DWORD dwCredentialIndex;
|
||
|
DWORD cbFileName;
|
||
|
|
||
|
while (dwRet != ERROR_NO_MORE_FILES)
|
||
|
{
|
||
|
//
|
||
|
// Truncate the existing name after the folder path,
|
||
|
// then concatenate the new filename onto it.
|
||
|
//
|
||
|
wszSearchPath[iConcatenation] = L'\0';
|
||
|
if (SUCCEEDED(StringCchCat(wszSearchPath, MAX_PATH + 1, fd.cFileName)))
|
||
|
{
|
||
|
//
|
||
|
// Hash the job into a unique identity.
|
||
|
//
|
||
|
if (SUCCEEDED(HashJobIdentity(hCSP, wszSearchPath, rgbIdentity)))
|
||
|
{
|
||
|
//
|
||
|
// Find the identity in the SAI for this job
|
||
|
//
|
||
|
hr = SAIFindIdentity(rgbIdentity,
|
||
|
cbSAI,
|
||
|
pbSAI,
|
||
|
&dwCredentialIndex,
|
||
|
&bIsPasswordNull,
|
||
|
NULL,
|
||
|
NULL,
|
||
|
NULL);
|
||
|
//
|
||
|
// S_OK means the identity was found; S_FALSE means it wasn't
|
||
|
// Other codes are errors. We process only the S_OKs, of course.
|
||
|
//
|
||
|
if (S_OK == hr)
|
||
|
{
|
||
|
cbFileName = (lstrlenW(fd.cFileName) + 1) * sizeof(WCHAR);
|
||
|
|
||
|
if ((cbIdentityData + cbFileName + sizeof(BOOL) + sizeof(DWORD)) > MAX_SECRET_SIZE)
|
||
|
{
|
||
|
//
|
||
|
// this should _never_ happen, as we shouldn't be able to exceed the size
|
||
|
// given that we only add data for jobs that have already been found in
|
||
|
// the SAI, and we are collecting less data than was stored there
|
||
|
//
|
||
|
hr = HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER);
|
||
|
break;
|
||
|
}
|
||
|
|
||
|
CopyMemory(pbCurrentData, fd.cFileName, cbFileName);
|
||
|
pbCurrentData += cbFileName;
|
||
|
CopyMemory(pbCurrentData, &bIsPasswordNull, sizeof(BOOL));
|
||
|
pbCurrentData += sizeof(BOOL);
|
||
|
CopyMemory(pbCurrentData, &dwCredentialIndex, sizeof(DWORD));
|
||
|
pbCurrentData += sizeof(DWORD);
|
||
|
cbIdentityData += (cbFileName + sizeof(BOOL) + sizeof(DWORD));
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
hr = S_OK; // OK, we failed this one, go on to the next
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
if (!FindNextFile(hFileEnum, &fd))
|
||
|
{
|
||
|
dwRet = GetLastError();
|
||
|
if (dwRet != ERROR_NO_MORE_FILES)
|
||
|
hr = _HRESULT_FROM_WIN32(dwRet);
|
||
|
|
||
|
break;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
if (HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER) != hr)
|
||
|
{
|
||
|
hr = WriteLsaData(sizeof(gwszSysprepIdentity), gwszSysprepIdentity, cbIdentityData, (BYTE*)&rgbIdentityData);
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
if (pbSAI) LocalFree(pbSAI);
|
||
|
if (pbSAC) LocalFree(pbSAC);
|
||
|
|
||
|
if (pwszTasksFolder)
|
||
|
delete [] pwszTasksFolder;
|
||
|
|
||
|
if (hFileEnum != INVALID_HANDLE_VALUE)
|
||
|
FindClose(hFileEnum);
|
||
|
|
||
|
return hr;
|
||
|
}
|
||
|
|
||
|
//+---------------------------------------------------------------------------
|
||
|
//
|
||
|
// Function: PreProcessNetScheduleJobs
|
||
|
//
|
||
|
// Synopsis: Netschedule jobs (AT jobs) are signed internally with a hash so
|
||
|
// that the service can validate their authenticity at run time.
|
||
|
// Sysprep changes important data used by the Crypto API such that
|
||
|
// the generated hash will be different and can never match the hash
|
||
|
// stored in the AT job. In order to be runnable again, the AT jobs
|
||
|
// must be signed again with the new hash.
|
||
|
//
|
||
|
// *** WARNING ***
|
||
|
// This means that if someone could drop a bogus AT job into the tasks
|
||
|
// folder, it would automatically get signed as a result of running sysprep.
|
||
|
// In order to prevent this, check all AT jobs prior to sysprep and
|
||
|
// eliminate any that are not valid.
|
||
|
//
|
||
|
// Arguments: None
|
||
|
//
|
||
|
// Returns: HRESULT
|
||
|
//
|
||
|
//----------------------------------------------------------------------------
|
||
|
HRESULT PreProcessNetScheduleJobs(void)
|
||
|
{
|
||
|
HANDLE hFileEnum = INVALID_HANDLE_VALUE;
|
||
|
|
||
|
WCHAR* pwszTasksFolder = NULL;
|
||
|
HRESULT hr = GetTasksFolder(&pwszTasksFolder);
|
||
|
if (SUCCEEDED(hr))
|
||
|
{
|
||
|
WCHAR wszSearchPath[MAX_PATH + 1];
|
||
|
hr = StringCchCopy(wszSearchPath, MAX_PATH + 1, pwszTasksFolder);
|
||
|
if (SUCCEEDED(hr))
|
||
|
{
|
||
|
hr = StringCchCat(wszSearchPath, MAX_PATH + 1, L"\\" TSZ_AT_JOB_PREFIX L"*" TSZ_DOTJOB);
|
||
|
if (SUCCEEDED(hr))
|
||
|
{
|
||
|
WIN32_FIND_DATA fd;
|
||
|
DWORD dwRet = 0;
|
||
|
if ((hFileEnum = FindFirstFile(wszSearchPath, &fd)) == INVALID_HANDLE_VALUE)
|
||
|
{
|
||
|
//
|
||
|
// Either no jobs (this is OK), or an error occurred.
|
||
|
//
|
||
|
dwRet = GetLastError();
|
||
|
if (dwRet != ERROR_FILE_NOT_FOUND)
|
||
|
hr = _HRESULT_FROM_WIN32(dwRet);
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
//
|
||
|
// Must concatenate the filename returned from the enumeration onto the folder path
|
||
|
// before loading the job. Prepare for doing that repeatedly by taking the path,
|
||
|
// adding a slash, and remembering the next character position.
|
||
|
//
|
||
|
hr = StringCchCopy(wszSearchPath, MAX_PATH + 1, pwszTasksFolder);
|
||
|
if (SUCCEEDED(hr))
|
||
|
{
|
||
|
DWORD iConcatenation = lstrlenW(pwszTasksFolder);
|
||
|
wszSearchPath[iConcatenation++] = L'\\';
|
||
|
|
||
|
//
|
||
|
// Process each found file
|
||
|
//
|
||
|
while (dwRet != ERROR_NO_MORE_FILES)
|
||
|
{
|
||
|
//
|
||
|
// Truncate the existing name after the folder path,
|
||
|
// then concatenate the new filename onto it.
|
||
|
//
|
||
|
wszSearchPath[iConcatenation] = L'\0';
|
||
|
if (SUCCEEDED(StringCchCat(wszSearchPath, MAX_PATH + 1, fd.cFileName)))
|
||
|
{
|
||
|
//
|
||
|
// Load and check signature of each job
|
||
|
//
|
||
|
CJob* pJob = CJob::Create();
|
||
|
if (!pJob)
|
||
|
{
|
||
|
hr = E_OUTOFMEMORY;
|
||
|
break;
|
||
|
}
|
||
|
|
||
|
if (SUCCEEDED(pJob->Load(wszSearchPath, 0)))
|
||
|
{
|
||
|
if (!pJob->VerifySignature())
|
||
|
{
|
||
|
if (!DeleteFile(wszSearchPath))
|
||
|
{
|
||
|
dwRet = GetLastError();
|
||
|
|
||
|
// go on anyway
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
pJob->Release();
|
||
|
}
|
||
|
|
||
|
if (!FindNextFile(hFileEnum, &fd))
|
||
|
{
|
||
|
dwRet = GetLastError();
|
||
|
if (dwRet != ERROR_NO_MORE_FILES)
|
||
|
hr = _HRESULT_FROM_WIN32(dwRet);
|
||
|
|
||
|
break;
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
if (hFileEnum != INVALID_HANDLE_VALUE)
|
||
|
FindClose(hFileEnum);
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
if (pwszTasksFolder)
|
||
|
delete [] pwszTasksFolder;
|
||
|
|
||
|
return hr;
|
||
|
}
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
//+---------------------------------------------------------------------------
|
||
|
//
|
||
|
// Function: GetSysprepIdentityInfo
|
||
|
//
|
||
|
// Synopsis: Retrieves the stored job identity data so new hashes can be calculated.
|
||
|
//
|
||
|
// Arguments: pcbIdentityData - pointer to count of bytes in the identity data
|
||
|
// ppIdentityData - pointer to pointer to retrieved identity data
|
||
|
//
|
||
|
// Returns: HRESULT
|
||
|
//
|
||
|
//----------------------------------------------------------------------------
|
||
|
HRESULT GetSysprepIdentityInfo(DWORD* pcbIdentityData, BYTE** ppIdentityData)
|
||
|
{
|
||
|
*ppIdentityData = NULL;
|
||
|
|
||
|
//
|
||
|
// Retrieve job identity data from LSA, if it exists
|
||
|
//
|
||
|
HRESULT hr = ReadLsaData(sizeof(gwszSysprepIdentity), gwszSysprepIdentity, pcbIdentityData, ppIdentityData);
|
||
|
if (FAILED(hr))
|
||
|
{
|
||
|
if (*ppIdentityData != NULL)
|
||
|
{
|
||
|
LocalFree(*ppIdentityData);
|
||
|
*ppIdentityData = NULL;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
return hr;
|
||
|
}
|
||
|
|
||
|
//+---------------------------------------------------------------------------
|
||
|
//
|
||
|
// Function: GetSysprepKeyInfo
|
||
|
//
|
||
|
// Synopsis: Retrieves the stored pre-sysprep CredentialKey so that it can be used to decrypt
|
||
|
// credentials after sysprep, so those credentials may be encrypted again using the
|
||
|
// post-sysprep key.
|
||
|
//
|
||
|
// Arguments: pcbRC2KeyInfo - pointer to count of bytes in key data
|
||
|
// ppRC2KeyInfo - pointer to pointer to retrieved key
|
||
|
//
|
||
|
// Returns: HRESULT
|
||
|
//
|
||
|
//----------------------------------------------------------------------------
|
||
|
HRESULT GetSysprepKeyInfo(DWORD* pcbRC2KeyInfo, RC2_KEY_INFO** ppRC2KeyInfo)
|
||
|
{
|
||
|
*ppRC2KeyInfo = NULL;
|
||
|
|
||
|
//
|
||
|
// Get the key from LSA
|
||
|
//
|
||
|
HRESULT hr = ReadLsaData(sizeof(gwszSysprepKey), gwszSysprepKey, pcbRC2KeyInfo, (BYTE**)ppRC2KeyInfo);
|
||
|
if (SUCCEEDED(hr))
|
||
|
{
|
||
|
//
|
||
|
// Check the size. We know exactly how big this should be, so make sure it is.
|
||
|
//
|
||
|
if (*pcbRC2KeyInfo != sizeof(RC2_KEY_INFO))
|
||
|
{
|
||
|
*pcbRC2KeyInfo = 0;
|
||
|
LocalFree(*ppRC2KeyInfo);
|
||
|
*ppRC2KeyInfo = NULL;
|
||
|
hr = E_FAIL;
|
||
|
}
|
||
|
}
|
||
|
else // failed!
|
||
|
{
|
||
|
if (*ppRC2KeyInfo != NULL)
|
||
|
{
|
||
|
LocalFree(*ppRC2KeyInfo);
|
||
|
*ppRC2KeyInfo = NULL;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
return hr;
|
||
|
}
|
||
|
|
||
|
//+---------------------------------------------------------------------------
|
||
|
//
|
||
|
// Function: ConvertSysprepInfo
|
||
|
//
|
||
|
// Synopsis: Converts credentials stored prior to sysprep so they may be decrypted after sysprep.
|
||
|
// It does this by retrieving the pre-sysprep key, decrypting the credentials with it, and then
|
||
|
// encrypting them using the new post-sysprep key.
|
||
|
//
|
||
|
// Arguments: None
|
||
|
//
|
||
|
// Returns: HRESULT
|
||
|
//
|
||
|
//----------------------------------------------------------------------------
|
||
|
HRESULT ConvertSysprepInfo(void)
|
||
|
{
|
||
|
//
|
||
|
// Initialize these up here so they will have values if we exit early
|
||
|
//
|
||
|
HCRYPTPROV hCSP = NULL;
|
||
|
|
||
|
BYTE* pbSAI = NULL;
|
||
|
DWORD cbSAI = 0;
|
||
|
BYTE* pbSAC = NULL;
|
||
|
DWORD cbSAC = 0;
|
||
|
|
||
|
RC2_KEY_INFO* pRC2KeyPreSysprep = NULL;
|
||
|
DWORD cbRC2KeyPreSysprep = 0;
|
||
|
RC2_KEY_INFO RC2KeyPostSysprep;
|
||
|
|
||
|
//
|
||
|
// Initialize security
|
||
|
//
|
||
|
InitSS();
|
||
|
SetMysteryDWORDValue();
|
||
|
|
||
|
//
|
||
|
// Set this as it is relied on by ScavengeSASecurityDBase
|
||
|
//
|
||
|
g_SvcStatus.dwCurrentState = SERVICE_RUNNING;
|
||
|
|
||
|
//
|
||
|
// Get the tasks folder for use by ConvertNetScheduleJobs, ConvertIdentityData, and ScavengeSASecurityDBase
|
||
|
//
|
||
|
HRESULT hr = GetTasksFolder(&g_TasksFolderInfo.ptszPath);
|
||
|
if (FAILED(hr))
|
||
|
{
|
||
|
goto ErrorExit;
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// Obtain a provider handle to the CSP (for use with Crypto API)
|
||
|
//
|
||
|
hr = GetCSPHandle(&hCSP);
|
||
|
if (FAILED(hr))
|
||
|
{
|
||
|
goto ErrorExit;
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// Get the pre-sysprep key from LSA
|
||
|
//
|
||
|
hr = GetSysprepKeyInfo(&cbRC2KeyPreSysprep, &pRC2KeyPreSysprep);
|
||
|
if (FAILED(hr))
|
||
|
{
|
||
|
goto ErrorExit;
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// Generate the post-sysprep key
|
||
|
//
|
||
|
hr = ComputeCredentialKey(hCSP, &RC2KeyPostSysprep);
|
||
|
if (FAILED(hr))
|
||
|
{
|
||
|
goto ErrorExit;
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// The Net Schedule conversions are independent of the rest of the logic,
|
||
|
// so do them first and get them out of the way.
|
||
|
//
|
||
|
hr = ConvertNetScheduleJobs();
|
||
|
if (FAILED(hr))
|
||
|
{
|
||
|
// ignore, we still can do our other conversions
|
||
|
hr = S_OK;
|
||
|
}
|
||
|
|
||
|
hr = ConvertNetScheduleCredentialData(pRC2KeyPreSysprep, &RC2KeyPostSysprep);
|
||
|
if (FAILED(hr))
|
||
|
{
|
||
|
// ignore, we still can do our other conversions
|
||
|
hr = S_OK;
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// Read SAI & SAC databases.
|
||
|
// It is not necessary to guard security db access with a critsec as elsewhere in the code,
|
||
|
// as the service will not be running during MiniSetup and there will be no other threads accessing this data.
|
||
|
//
|
||
|
hr = ReadSecurityDBase(&cbSAI, &pbSAI, &cbSAC, &pbSAC);
|
||
|
if (FAILED(hr))
|
||
|
{
|
||
|
goto ErrorExit;
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// Do some validations on the database
|
||
|
//
|
||
|
if (cbSAI <= SAI_HEADER_SIZE || pbSAI == NULL ||
|
||
|
cbSAC <= SAC_HEADER_SIZE || pbSAC == NULL)
|
||
|
{
|
||
|
goto ErrorExit;
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// Place updated entries into SAI for all jobs
|
||
|
//
|
||
|
hr = ConvertIdentityData(hCSP, &cbSAI, &pbSAI, &cbSAC, &pbSAC);
|
||
|
if (FAILED(hr))
|
||
|
{
|
||
|
goto ErrorExit;
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// Place updated entries into SAC for all credentials
|
||
|
//
|
||
|
hr = ConvertCredentialData(pRC2KeyPreSysprep, &RC2KeyPostSysprep, &cbSAI, &pbSAI, &cbSAC, &pbSAC);
|
||
|
|
||
|
//
|
||
|
// Clearing key content at earliest opportunity
|
||
|
//
|
||
|
SecureZeroMemory(&RC2KeyPostSysprep, sizeof(RC2KeyPostSysprep));
|
||
|
|
||
|
if (SUCCEEDED(hr))
|
||
|
{
|
||
|
//
|
||
|
// Update security database with new identities and converted credentials
|
||
|
//
|
||
|
hr = WriteSecurityDBase(cbSAI, pbSAI, cbSAC, pbSAC);
|
||
|
if (SUCCEEDED(hr))
|
||
|
{
|
||
|
//
|
||
|
// Allow scavenger cleanup to delete old identities
|
||
|
//
|
||
|
ScavengeSASecurityDBase();
|
||
|
}
|
||
|
}
|
||
|
|
||
|
ErrorExit:
|
||
|
//
|
||
|
// Delete the secrets
|
||
|
//
|
||
|
DeleteLsaData(sizeof(gwszSysprepKey), gwszSysprepKey);
|
||
|
DeleteLsaData(sizeof(gwszSysprepIdentity), gwszSysprepIdentity);
|
||
|
|
||
|
//
|
||
|
// Clean up
|
||
|
//
|
||
|
if (g_TasksFolderInfo.ptszPath)
|
||
|
delete [] g_TasksFolderInfo.ptszPath;
|
||
|
|
||
|
if (hCSP) CloseCSPHandle(hCSP);
|
||
|
|
||
|
if (pbSAI) LocalFree(pbSAI);
|
||
|
if (pbSAC) LocalFree(pbSAC);
|
||
|
|
||
|
if (pRC2KeyPreSysprep) LocalFree(pRC2KeyPreSysprep);
|
||
|
|
||
|
//
|
||
|
// Log an error & reset the SA security dbases SAI & SAC if corruption is detected.
|
||
|
//
|
||
|
if (hr == SCHED_E_ACCOUNT_DBASE_CORRUPT)
|
||
|
{
|
||
|
//
|
||
|
// Reset SAI & SAC by writing four bytes of zeros into each.
|
||
|
// Ignore the return code. No recourse if this fails.
|
||
|
//
|
||
|
DWORD dwZero = 0;
|
||
|
WriteSecurityDBase(sizeof(dwZero), (BYTE*)&dwZero, sizeof(dwZero), (BYTE*)&dwZero);
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// Done doing security stuff
|
||
|
//
|
||
|
UninitSS();
|
||
|
|
||
|
return(hr);
|
||
|
}
|
||
|
|
||
|
//+---------------------------------------------------------------------------
|
||
|
//
|
||
|
// Function: ConvertNetScheduleJobs
|
||
|
//
|
||
|
// Synopsis: Netschedule jobs (AT jobs) are signed internally with a hash so
|
||
|
// that the service can validate their authenticity at run time.
|
||
|
// Sysprep changes important data used by the Crypto API such that
|
||
|
// the generated hash will be different and can never match the hash
|
||
|
// stored in the AT job. In order to be runnable again, the AT jobs
|
||
|
// must be signed again with the new hash.
|
||
|
//
|
||
|
// *** WARNING ***
|
||
|
// This means that if someone could drop a bogus AT job into the tasks
|
||
|
// folder, it would automatically get signed as a result of running sysprep.
|
||
|
// In order to prevent this, PreProcessNetScheduleJobs has already checked
|
||
|
// all AT jobs prior to sysprep and eliminated any that were not valid.
|
||
|
// Arguments: None
|
||
|
//
|
||
|
// Returns: HRESULT
|
||
|
//
|
||
|
//----------------------------------------------------------------------------
|
||
|
HRESULT ConvertNetScheduleJobs(void)
|
||
|
{
|
||
|
HRESULT hr = S_OK;
|
||
|
HANDLE hFileEnum = INVALID_HANDLE_VALUE;
|
||
|
|
||
|
WCHAR wszSearchPath[MAX_PATH + 1];
|
||
|
hr = StringCchCopy(wszSearchPath, MAX_PATH + 1, g_TasksFolderInfo.ptszPath);
|
||
|
if (SUCCEEDED(hr))
|
||
|
{
|
||
|
hr = StringCchCat(wszSearchPath, MAX_PATH + 1, L"\\" TSZ_AT_JOB_PREFIX L"*" TSZ_DOTJOB);
|
||
|
if (SUCCEEDED(hr))
|
||
|
{
|
||
|
WIN32_FIND_DATA fd;
|
||
|
DWORD dwRet = 0;
|
||
|
if ((hFileEnum = FindFirstFile(wszSearchPath, &fd)) == INVALID_HANDLE_VALUE)
|
||
|
{
|
||
|
//
|
||
|
// Either no jobs (this is OK), or an error occurred.
|
||
|
//
|
||
|
dwRet = GetLastError();
|
||
|
if (dwRet != ERROR_FILE_NOT_FOUND)
|
||
|
hr = _HRESULT_FROM_WIN32(dwRet);
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
//
|
||
|
// Must concatenate the filename returned from the enumeration onto the folder path
|
||
|
// before loading the job. Prepare for doing that repeatedly by taking the path,
|
||
|
// adding a slash, and remembering the next character position.
|
||
|
//
|
||
|
hr = StringCchCopy(wszSearchPath, MAX_PATH + 1, g_TasksFolderInfo.ptszPath);
|
||
|
if (SUCCEEDED(hr))
|
||
|
{
|
||
|
DWORD iConcatenation = lstrlenW(g_TasksFolderInfo.ptszPath);
|
||
|
wszSearchPath[iConcatenation++] = L'\\';
|
||
|
|
||
|
//
|
||
|
// Process each found file
|
||
|
//
|
||
|
while (dwRet != ERROR_NO_MORE_FILES)
|
||
|
{
|
||
|
//
|
||
|
// Truncate the existing name after the folder path,
|
||
|
// then concatenate the new filename onto it.
|
||
|
//
|
||
|
wszSearchPath[iConcatenation] = L'\0';
|
||
|
if (SUCCEEDED(StringCchCat(wszSearchPath, MAX_PATH + 1, fd.cFileName)))
|
||
|
{
|
||
|
//
|
||
|
// Load, sign, save, and release the job
|
||
|
//
|
||
|
CJob* pJob = CJob::Create();
|
||
|
if (!pJob)
|
||
|
{
|
||
|
hr = E_OUTOFMEMORY;
|
||
|
break;
|
||
|
}
|
||
|
|
||
|
if (SUCCEEDED(pJob->Load(wszSearchPath, 0)))
|
||
|
{
|
||
|
if (SUCCEEDED(pJob->Sign()))
|
||
|
{
|
||
|
pJob->SaveWithRetry(pJob->GetFileName(),
|
||
|
FALSE,
|
||
|
SAVEP_VARIABLE_LENGTH_DATA |
|
||
|
SAVEP_PRESERVE_NET_SCHEDULE);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
pJob->Release();
|
||
|
}
|
||
|
|
||
|
if (!FindNextFile(hFileEnum, &fd))
|
||
|
{
|
||
|
dwRet = GetLastError();
|
||
|
if (dwRet != ERROR_NO_MORE_FILES)
|
||
|
hr = _HRESULT_FROM_WIN32(dwRet);
|
||
|
|
||
|
break;
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
if (hFileEnum != INVALID_HANDLE_VALUE)
|
||
|
FindClose(hFileEnum);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
return hr;
|
||
|
}
|
||
|
|
||
|
//+---------------------------------------------------------------------------
|
||
|
//
|
||
|
// Function: ConvertIdentityData
|
||
|
//
|
||
|
// Synopsis: Create new job identity entries in SAI representing the existing
|
||
|
// jobs on the system. It does this by retrieving information stored
|
||
|
// pre-sysprep associating each existing job with its credential, then
|
||
|
// creating and storing a new identity to reference that credential.
|
||
|
//
|
||
|
// Arguments: hCSP - handle to crypto service provider
|
||
|
// pcbSAI - pointer to dword containing count of bytes in SAI
|
||
|
// ppbSAI - pointer to pointer to SAI data
|
||
|
// pcbSAC - pointer to dword containing count of bytes in SAC
|
||
|
// ppbSAC - pointer to pointer to SAC data
|
||
|
//
|
||
|
// Returns: HRESULT
|
||
|
//
|
||
|
//----------------------------------------------------------------------------
|
||
|
HRESULT ConvertIdentityData(HCRYPTPROV hCSP, DWORD* pcbSAI, BYTE** ppbSAI, DWORD* pcbSAC, BYTE** ppbSAC)
|
||
|
{
|
||
|
//
|
||
|
// Get the job identity data from LSA
|
||
|
//
|
||
|
BYTE* pbIdentityData = NULL;
|
||
|
DWORD cbIdentityData = 0;
|
||
|
|
||
|
HRESULT hr = GetSysprepIdentityInfo(&cbIdentityData, &pbIdentityData);
|
||
|
if (FAILED(hr))
|
||
|
{
|
||
|
goto ErrorExit;
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// Insert updated hashes into SAI for pre-sysprep jobs
|
||
|
//
|
||
|
if (pbIdentityData)
|
||
|
{
|
||
|
//
|
||
|
// Get the tasks folder and prepare buffer for use in producing job path
|
||
|
//
|
||
|
WCHAR wszJobPath[MAX_PATH + 1];
|
||
|
hr = StringCchCopy(wszJobPath, MAX_PATH + 1, g_TasksFolderInfo.ptszPath);
|
||
|
if (SUCCEEDED(hr))
|
||
|
{
|
||
|
DWORD iConcatenation = lstrlenW(g_TasksFolderInfo.ptszPath);
|
||
|
wszJobPath[iConcatenation++] = L'\\';
|
||
|
|
||
|
//
|
||
|
// Process each stored task
|
||
|
//
|
||
|
BYTE* pbCurrentData = pbIdentityData;
|
||
|
BYTE* pbLastByte = (BYTE*)(pbIdentityData + cbIdentityData - 1);
|
||
|
WCHAR* pwszFileName = NULL;
|
||
|
BOOL bIsPasswordNull;
|
||
|
DWORD dwCredentialIndex;
|
||
|
BYTE rgbIdentity[HASH_DATA_SIZE];
|
||
|
BYTE* pbIdentitySet = NULL;
|
||
|
|
||
|
while (pbCurrentData <= pbLastByte)
|
||
|
{
|
||
|
pwszFileName = (WCHAR*) pbCurrentData;
|
||
|
pbCurrentData += ((lstrlenW(pwszFileName) + 1) * sizeof(WCHAR));
|
||
|
CopyMemory(&bIsPasswordNull, pbCurrentData, sizeof(BOOL));
|
||
|
pbCurrentData += sizeof(BOOL);
|
||
|
CopyMemory(&dwCredentialIndex, pbCurrentData, sizeof(DWORD));
|
||
|
|
||
|
if ((pbCurrentData + sizeof(DWORD)) > (pbLastByte + 1))
|
||
|
{
|
||
|
//
|
||
|
// the first DWORD after pbCurrentData is beyond the first BYTE after pbLastByte;
|
||
|
// this means that the DWORD pointed to by pbCurrentData is partially or wholly
|
||
|
// beyond the end of the data -- something is corrupt
|
||
|
//
|
||
|
hr = E_FAIL;
|
||
|
goto ErrorExit;
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// Truncate the existing name after the folder path,
|
||
|
// then concatenate the new filename onto it.
|
||
|
//
|
||
|
wszJobPath[iConcatenation] = L'\0';
|
||
|
if (SUCCEEDED(StringCchCat(wszJobPath, MAX_PATH + 1, pwszFileName)))
|
||
|
{
|
||
|
//
|
||
|
// Hash the job into a unique identity.
|
||
|
//
|
||
|
if (SUCCEEDED(HashJobIdentity(hCSP, (LPCWSTR)&wszJobPath, rgbIdentity)))
|
||
|
{
|
||
|
//
|
||
|
// Store a NULL password by flipping the last bit of the hash data.
|
||
|
//
|
||
|
if (bIsPasswordNull)
|
||
|
{
|
||
|
LAST_HASH_BYTE(rgbIdentity) ^= 1;
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// Insert the job identity into the SAI identity set associated
|
||
|
// with this credential.
|
||
|
//
|
||
|
hr = SAIIndexIdentity(*pcbSAI,
|
||
|
*ppbSAI,
|
||
|
dwCredentialIndex,
|
||
|
0,
|
||
|
NULL,
|
||
|
NULL,
|
||
|
&pbIdentitySet);
|
||
|
if (hr == S_FALSE)
|
||
|
{
|
||
|
//
|
||
|
// The SAC & SAI databases are out of sync. Should *never* occur.
|
||
|
//
|
||
|
ASSERT_SECURITY_DBASE_CORRUPT();
|
||
|
hr = SCHED_E_ACCOUNT_DBASE_CORRUPT;
|
||
|
goto ErrorExit;
|
||
|
}
|
||
|
else if (SUCCEEDED(hr))
|
||
|
{
|
||
|
hr = SAIInsertIdentity(rgbIdentity,
|
||
|
pbIdentitySet,
|
||
|
pcbSAI,
|
||
|
ppbSAI);
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
hr = S_OK; // OK, we failed this one, go on to the next
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
pbCurrentData += sizeof(DWORD);
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
ErrorExit:
|
||
|
if (pbIdentityData)
|
||
|
LocalFree(pbIdentityData);
|
||
|
|
||
|
return(hr);
|
||
|
}
|
||
|
|
||
|
//+---------------------------------------------------------------------------
|
||
|
//
|
||
|
// Function: ConvertCredentialData
|
||
|
//
|
||
|
// Synopsis: Converts credentials stored prior to sysprep so they may be decrypted after sysprep.
|
||
|
// It does this by retrieving the pre-sysprep key, decrypting the credentials with it, and then
|
||
|
// encrypting them using the new post-sysprep key.
|
||
|
//
|
||
|
// Arguments: pRC2KeyPreSysprep - pointer to presysprep key
|
||
|
// pRC2KeyPostSysprep - pointer to postsysprep key
|
||
|
// pcbSAI - pointer to dword containing count of bytes in SAI
|
||
|
// ppbSAI - pointer to pointer to SAI data
|
||
|
// pcbSAC - pointer to dword containing count of bytes in SAC
|
||
|
// ppbSAC - pointer to pointer to SAC data
|
||
|
//
|
||
|
// Returns: HRESULT
|
||
|
//
|
||
|
//----------------------------------------------------------------------------
|
||
|
HRESULT ConvertCredentialData(RC2_KEY_INFO* pRC2KeyPreSysprep,
|
||
|
RC2_KEY_INFO* pRC2KeyPostSysprep,
|
||
|
DWORD* pcbSAI,
|
||
|
BYTE** ppbSAI,
|
||
|
DWORD* pcbSAC,
|
||
|
BYTE** ppbSAC)
|
||
|
{
|
||
|
HRESULT hr = S_OK;
|
||
|
HRESULT hRes2 = S_OK; // for hresults that we don't want to affect our return code
|
||
|
|
||
|
BYTE* pbEncryptedData = NULL;
|
||
|
DWORD cbEncryptedData = 0;
|
||
|
|
||
|
BYTE* pbSACEnd = *ppbSAC + *pcbSAC;
|
||
|
BYTE* pbCredential = *ppbSAC + USN_SIZE; // Advance past USN.
|
||
|
DWORD cbCredential = 0;
|
||
|
|
||
|
//
|
||
|
// Read credential count
|
||
|
//
|
||
|
DWORD dwCredentialCount = 0;
|
||
|
CopyMemory(&dwCredentialCount, pbCredential, sizeof(dwCredentialCount));
|
||
|
pbCredential += sizeof(dwCredentialCount);
|
||
|
|
||
|
//
|
||
|
// Loop through all credentials, decrypting, encrypting, and updating each one
|
||
|
//
|
||
|
JOB_CREDENTIALS jc;
|
||
|
RC2_KEY_INFO RC2KeyPreSysprepCopy;
|
||
|
RC2_KEY_INFO RC2KeyPostSysprepCopy;
|
||
|
|
||
|
for (DWORD dwCredentialIndex = 0;
|
||
|
(dwCredentialIndex < dwCredentialCount) && ((DWORD)(pbCredential - *ppbSAC) < *pcbSAC);
|
||
|
dwCredentialIndex++
|
||
|
)
|
||
|
{
|
||
|
//
|
||
|
// Ensure sufficient space remains in the buffer.
|
||
|
//
|
||
|
if ((pbCredential + sizeof(cbCredential)) > pbSACEnd)
|
||
|
{
|
||
|
ASSERT_SECURITY_DBASE_CORRUPT();
|
||
|
hr = SCHED_E_ACCOUNT_DBASE_CORRUPT;
|
||
|
goto ErrorExit;
|
||
|
}
|
||
|
|
||
|
CopyMemory(&cbCredential, pbCredential, sizeof(cbCredential));
|
||
|
pbCredential += sizeof(cbCredential);
|
||
|
|
||
|
//
|
||
|
// Check remaining buffer size again
|
||
|
//
|
||
|
if ((pbCredential + HASH_DATA_SIZE) > pbSACEnd)
|
||
|
{
|
||
|
ASSERT_SECURITY_DBASE_CORRUPT();
|
||
|
hr = SCHED_E_ACCOUNT_DBASE_CORRUPT;
|
||
|
goto ErrorExit;
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// Check remaining buffer size yet again
|
||
|
//
|
||
|
if ((pbCredential + cbCredential) > pbSACEnd)
|
||
|
{
|
||
|
ASSERT_SECURITY_DBASE_CORRUPT();
|
||
|
hr = SCHED_E_ACCOUNT_DBASE_CORRUPT;
|
||
|
goto ErrorExit;
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// The start of the credential refers to the credential identity.
|
||
|
// Skip over this to refer to the encrypted bits. Copy the pbCredential
|
||
|
// and cbCredential for this dwCredentialIndex so that it can be
|
||
|
// manipulated without altering the original buffer.
|
||
|
//
|
||
|
cbEncryptedData = cbCredential - HASH_DATA_SIZE;
|
||
|
pbEncryptedData = new BYTE[cbEncryptedData];
|
||
|
CopyMemory(pbEncryptedData, pbCredential + HASH_DATA_SIZE, cbEncryptedData);
|
||
|
|
||
|
//
|
||
|
// The decryption process (CBC call) clobbers the key, so make a fresh
|
||
|
// copy from the source each time through the loop
|
||
|
//
|
||
|
CopyMemory(&RC2KeyPreSysprepCopy, pRC2KeyPreSysprep, sizeof(RC2_KEY_INFO));
|
||
|
|
||
|
//
|
||
|
// Decrypt credential using the pre-sysprep key
|
||
|
//
|
||
|
// *** Important ***
|
||
|
//
|
||
|
// The encrypted credentials passed are decrypted *in-place*.
|
||
|
// Therefore, buffer content has been compromised;
|
||
|
// plus, the decrypted data must be zeroed immediately
|
||
|
// following decryption (even in a failure case).
|
||
|
//
|
||
|
hRes2 = DecryptCredentials(RC2KeyPreSysprepCopy, cbEncryptedData, pbEncryptedData, &jc);
|
||
|
|
||
|
//
|
||
|
// Don't leave the plain-text password on the heap.
|
||
|
//
|
||
|
SecureZeroMemory(pbEncryptedData, cbEncryptedData);
|
||
|
|
||
|
if (SUCCEEDED(hRes2))
|
||
|
{
|
||
|
//
|
||
|
// The encryption process (CBC call) clobbers the key, so make a fresh
|
||
|
// copy from the source each time through the loop
|
||
|
//
|
||
|
CopyMemory(&RC2KeyPostSysprepCopy, pRC2KeyPostSysprep, sizeof(RC2_KEY_INFO));
|
||
|
|
||
|
//
|
||
|
// Encrypt credential using the post-sysprep key
|
||
|
//
|
||
|
hRes2 = EncryptCredentials(RC2KeyPostSysprepCopy,
|
||
|
jc.wszAccount,
|
||
|
jc.wszDomain,
|
||
|
jc.wszPassword,
|
||
|
NULL,
|
||
|
&cbEncryptedData,
|
||
|
&pbEncryptedData);
|
||
|
//
|
||
|
// Don't leave the plain-text password on the stack
|
||
|
//
|
||
|
ZERO_PASSWORD(jc.wszPassword);
|
||
|
jc.ccPassword = 0;
|
||
|
|
||
|
if (SUCCEEDED(hRes2))
|
||
|
{
|
||
|
//
|
||
|
// Update the old encrypted credential with the newly encrypted credential
|
||
|
//
|
||
|
hr = SACUpdateCredential(cbEncryptedData,
|
||
|
pbEncryptedData,
|
||
|
cbCredential,
|
||
|
pbCredential,
|
||
|
pcbSAC,
|
||
|
ppbSAC);
|
||
|
if (FAILED(hr))
|
||
|
{
|
||
|
goto ErrorExit; // a failure to update leaves the SAC data
|
||
|
// in an unknown state, so we need to bail
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// Clean up
|
||
|
//
|
||
|
delete pbEncryptedData;
|
||
|
pbEncryptedData = NULL;
|
||
|
|
||
|
//
|
||
|
// Advance to next credential.
|
||
|
//
|
||
|
pbCredential += (HASH_DATA_SIZE + cbEncryptedData);
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// Still more integrity checking.
|
||
|
// Did we reach the end of the buffer exactly when we thought we should?
|
||
|
// If not, something is wrong somewhere.
|
||
|
//
|
||
|
if ((dwCredentialIndex == dwCredentialCount) && ((DWORD)(pbCredential - *ppbSAC) != *pcbSAC) ||
|
||
|
(dwCredentialIndex != dwCredentialCount) && ((DWORD)(pbCredential - *ppbSAC) > *pcbSAC))
|
||
|
{
|
||
|
//
|
||
|
// The database appears to be truncated.
|
||
|
//
|
||
|
ASSERT_SECURITY_DBASE_CORRUPT();
|
||
|
hr = SCHED_E_ACCOUNT_DBASE_CORRUPT;
|
||
|
goto ErrorExit;
|
||
|
}
|
||
|
|
||
|
ErrorExit:
|
||
|
if (pbEncryptedData) LocalFree(pbEncryptedData);
|
||
|
|
||
|
return(hr);
|
||
|
}
|
||
|
|
||
|
//+---------------------------------------------------------------------------
|
||
|
//
|
||
|
// Function: ConvertNetScheduleCredentialData
|
||
|
//
|
||
|
// Synopsis: Converts Net Schedule credential stored prior to sysprep so it may be decrypted after sysprep.
|
||
|
// It does this by using the pre-sysprep key to decrypt the credential with it, and then
|
||
|
// encrypting it using the new post-sysprep key.
|
||
|
//
|
||
|
// Arguments: pRC2KeyPreSysprep - pointer to presysprep key
|
||
|
// pRC2KeyPostSysprep - pointer to postsysprep key
|
||
|
//
|
||
|
// Returns: HRESULT
|
||
|
//
|
||
|
//----------------------------------------------------------------------------
|
||
|
HRESULT ConvertNetScheduleCredentialData(RC2_KEY_INFO* pRC2KeyPreSysprep, RC2_KEY_INFO* pRC2KeyPostSysprep)
|
||
|
{
|
||
|
BYTE* pbEncryptedData = NULL;
|
||
|
DWORD cbEncryptedData = 0;
|
||
|
|
||
|
//
|
||
|
// Read the Net Schedule account from LSA
|
||
|
//
|
||
|
HRESULT hr = ReadLsaData(sizeof(WSZ_SANSC), WSZ_SANSC, &cbEncryptedData, &pbEncryptedData);
|
||
|
if (FAILED(hr))
|
||
|
{
|
||
|
goto ErrorExit;
|
||
|
}
|
||
|
|
||
|
if (hr == S_FALSE || cbEncryptedData <= sizeof(DWORD))
|
||
|
{
|
||
|
//
|
||
|
// The information was specified previously but has been reset since.
|
||
|
// NOTE: This will be the case if the value has been reset back to LocalSystem,
|
||
|
// as it merely stores a dword = 0x00000000 in that case
|
||
|
//
|
||
|
|
||
|
//
|
||
|
// Do nothing -- there is no data to convert
|
||
|
//
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
//
|
||
|
// The decryption process (CBC call) clobbers the key, so make a copy for use
|
||
|
//
|
||
|
RC2_KEY_INFO RC2KeyPreSysprepCopy;
|
||
|
CopyMemory(&RC2KeyPreSysprepCopy, pRC2KeyPreSysprep, sizeof(RC2_KEY_INFO));
|
||
|
|
||
|
JOB_CREDENTIALS jc;
|
||
|
hr = DecryptCredentials(RC2KeyPreSysprepCopy,
|
||
|
cbEncryptedData,
|
||
|
pbEncryptedData,
|
||
|
&jc);
|
||
|
|
||
|
SecureZeroMemory(&RC2KeyPreSysprepCopy, sizeof(RC2_KEY_INFO));
|
||
|
|
||
|
if (FAILED(hr))
|
||
|
{
|
||
|
goto ErrorExit;
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// Don't leave the plain-text password on the heap.
|
||
|
//
|
||
|
SecureZeroMemory(pbEncryptedData, cbEncryptedData);
|
||
|
|
||
|
//
|
||
|
// The encryption process (CBC call) clobbers the key, so make a copy for use
|
||
|
//
|
||
|
RC2_KEY_INFO RC2KeyPostSysprepCopy;
|
||
|
CopyMemory(&RC2KeyPostSysprepCopy, pRC2KeyPostSysprep, sizeof(RC2_KEY_INFO));
|
||
|
|
||
|
//
|
||
|
// Encrypt credential using the post-sysprep key
|
||
|
//
|
||
|
hr = EncryptCredentials(RC2KeyPostSysprepCopy,
|
||
|
jc.wszAccount,
|
||
|
jc.wszDomain,
|
||
|
jc.wszPassword,
|
||
|
NULL,
|
||
|
&cbEncryptedData,
|
||
|
&pbEncryptedData);
|
||
|
|
||
|
SecureZeroMemory(&RC2KeyPostSysprepCopy, sizeof(RC2_KEY_INFO));
|
||
|
|
||
|
if (FAILED(hr))
|
||
|
{
|
||
|
goto ErrorExit;
|
||
|
}
|
||
|
|
||
|
//
|
||
|
// Don't leave the plain-text password on the stack
|
||
|
//
|
||
|
ZERO_PASSWORD(jc.wszPassword);
|
||
|
|
||
|
hr = WriteLsaData(sizeof(WSZ_SANSC), WSZ_SANSC, cbEncryptedData, pbEncryptedData);
|
||
|
}
|
||
|
|
||
|
ErrorExit:
|
||
|
if (pbEncryptedData != NULL)
|
||
|
LocalFree(pbEncryptedData);
|
||
|
|
||
|
return(hr);
|
||
|
}
|