Wednesday, May 19, 2010

A prototype test harness...but needs lots of work


I have spent too much time here in the last few days working on a test harness for live network files in Vista. As a prototype, what I have written may be useful; however, numerous problems were uncovered. The idea was this: at any moment there is a discoverable set of files that are being accessed by the network. In theory, you should be able to list those files and then query each one for its integrity (permissions, Windows Resource Protection status, and digital signature). The heart of this is something like:
  
rem %dir_file% is the path of the current file, %filetype% is "regular" for ordinary files
rem (directories and other entries only get the icacls listing).
rem Paths are quoted so that names containing spaces survive.
icacls "%dir_file%" &(
if /I [%filetype%]==[regular] sfc /verifyfile="%dir_file%" ) &(
if /I [%filetype%]==[regular] accesschk -qv "%dir_file%" ) &(
if /I [%filetype%]==[regular] sigcheck -q "%dir_file%" )


Definitely some useful information is returned, but the project will have to be rewritten in a faster language with better string support (note the trailing space that survives inside the quoted path in the run below). It is still interesting to see what the four tools did return for one file, C:\Windows\System32\nsi.dll:

 Running icacls, sfc, accesschk, sigcheck for FileType,FileID,Path: regular 1220: "C:\Windows\System32\nsi.dll "
filetype=regular
C:\Windows\System32\nsi.dll NT SERVICE\TrustedInstaller:(F)
BUILTIN\Administrators:(RX)
NT AUTHORITY\SYSTEM:(RX)
BUILTIN\Users:(RX)

Successfully processed 1 files; Failed processing 0 files

Windows Resource Protection could not perform the requested operation.
C:\Windows\System32\nsi.dll
Medium Mandatory Level (Default) [No-Write-Up]
RW NT SERVICE\TrustedInstaller
FILE_ALL_ACCESS
R BUILTIN\Administrators
FILE_EXECUTE
FILE_LIST_DIRECTORY
FILE_READ_ATTRIBUTES
FILE_READ_DATA
FILE_READ_EA
FILE_TRAVERSE
SYNCHRONIZE
READ_CONTROL
R NT AUTHORITY\SYSTEM
FILE_EXECUTE
FILE_LIST_DIRECTORY
FILE_READ_ATTRIBUTES
FILE_READ_DATA
FILE_READ_EA
FILE_TRAVERSE
SYNCHRONIZE
READ_CONTROL
R BUILTIN\Users
FILE_EXECUTE
FILE_LIST_DIRECTORY
FILE_READ_ATTRIBUTES
FILE_READ_DATA
FILE_READ_EA
FILE_TRAVERSE
SYNCHRONIZE
READ_CONTROL
c:\windows\system32\nsi.dll:
Verified: Signed
Signing date: 8:08 AM 1/19/2008
Strong Name: Unsigned
Publisher: Microsoft Corporation
Description: NSI User-mode interface DLL
Product: Microsoft® Windows® Operating System
Version: 6.0.6001.18000
File version: 6.0.6001.18000 (longhorn_rtm.080118-1840)
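The same per-file checks written in PowerShell, as an added example and not the post's own batch harness. It takes an already-gathered list of paths (the list here is constructed for illustration; how the "live network files" are discovered is left to the harness), reads the ACL with Get-Acl, checks the Authenticode signature with Get-AuthenticodeSignature, and still shells out to sfc and, if present on PATH, Sysinternals sigcheck. The function name Test-LiveFile is hypothetical; the script assumes PowerShell 3.0 or later for the [pscustomobject] syntax.

```powershell
# Constructed sample list; in the harness this would come from the discovery step.
$files = @(
    'C:\Windows\System32\nsi.dll',
    'C:\Windows\System32\drivers\etc'        # a directory, to exercise the non-regular branch
)

function Test-LiveFile {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -Path $Path -ErrorAction Stop
    $acl  = Get-Acl -Path $Path

    # Directories only get the permission listing, mirroring the [regular] guard
    # in the batch version; sfc and signature checks make no sense on them.
    if ($item.PSIsContainer) {
        return [pscustomobject]@{
            Path = $Path; Kind = 'directory'; Owner = $acl.Owner
            Access = ($acl.Access | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
        }
    }

    # Embedded Authenticode signature. On older Windows this cmdlet does not see
    # catalog-signed system files, which is why sigcheck is kept as a second opinion.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # sfc /verifyfile needs an elevated prompt; otherwise it reports that
    # Windows Resource Protection could not perform the operation.
    $sfcText = & sfc.exe "/verifyfile=$Path" 2>&1 | Out-String
    $sfcExit = $LASTEXITCODE

    $sigcheckText = $null
    if (Get-Command sigcheck.exe -ErrorAction SilentlyContinue) {
        $sigcheckText = (& sigcheck.exe -q -accepteula $Path 2>&1 | Out-String).Trim()
    }

    [pscustomobject]@{
        Path        = $Path
        Kind        = 'regular'
        Owner       = $acl.Owner
        Access      = ($acl.Access | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
        Signature   = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject
        SfcExitCode = $sfcExit
        Sfc         = $sfcText.Trim()
        Sigcheck    = $sigcheckText
    }
}

$results = foreach ($f in $files) {
    try   { Test-LiveFile -Path $f }
    catch { [pscustomobject]@{ Path = $f; Kind = 'error'; Error = $_.Exception.Message } }
}

# Summary table, then full detail for anything that is not cleanly signed or
# that WRP could not vouch for: those are the entries worth a second look.
$results | Format-Table Path, Kind, Owner, Signature, SfcExitCode -AutoSize
$results |
    Where-Object { $_.Kind -eq 'regular' -and ($_.Signature -ne 'Valid' -or $_.SfcExitCode -ne 0) } |
    Format-List
```

Because the output is a list of objects rather than concatenated text, the string-handling problems of the batch version (quoted paths with stray spaces, parsing tool banners) go away, and the results can be exported with Export-Csv or compared run to run. Run it from an elevated prompt so that the sfc verdict is meaningful.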
