Adding SID field in RPCFW events

rpcFirewall/dllmain.cpp

@@ -800,7 +800,6 @@ bool checkAddress(const AddressRangeFilter& addrRangeFilter, const std::wstring&
 	return true;
 }
 
-
 bool checkProtocol(const protocolFilter& protFilter, const std::wstring& protocol)
 {
 	if (!protFilter.has_value())
@@ -1084,7 +1083,6 @@ void waitForFurtherInstructions()
 	}
 }
 
-
 struct AutoUnloader
 {
 	~AutoUnloader()
@@ -1207,12 +1205,71 @@ bool APIENTRY DllMain( HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpRese
     return true;
 }
 
+std::wstring GetClientSIDString()
+{
+	std::wstring clientSID = L"S-1-0-0";
+
+	RPC_STATUS status = RpcImpersonateClient(nullptr);
+	if (status != RPC_S_OK)
+	{
+		WRITE_DEBUG_MSG_WITH_STATUS(_T("RpcImpersonateClient failed during GetClientSIDString"), status);
+		return clientSID;
+	}
+
+	HANDLE hToken = nullptr;
+	if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, true, &hToken))
+	{
+		WRITE_DEBUG_MSG_WITH_GETLASTERROR(_T("OpenThreadToken failed during GetClientSIDString"));
+	}
+	else
+	{
+		DWORD dwSize = 0;
+		if (!GetTokenInformation(hToken, TokenUser, nullptr, 0, &dwSize) && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
+		{
+			WRITE_DEBUG_MSG_WITH_GETLASTERROR(_T("failed to get token information size"));
+		}
+		else
+		{
+			PTOKEN_USER tokenUser = (PTOKEN_USER)LocalAlloc(LPTR, dwSize);
+			if (tokenUser == nullptr)
+			{
+				WRITE_DEBUG_MSG_WITH_GETLASTERROR(_T("failed to allocate token information buffer"));
+			}
+			else
+			{
+				if (!GetTokenInformation(hToken, TokenUser, tokenUser, dwSize, &dwSize))
+				{
+					WRITE_DEBUG_MSG_WITH_GETLASTERROR(_T("failed to get token information"));
+				}
+				else
+				{
+					LPWSTR sidString = nullptr;
+					if (!ConvertSidToStringSidW(tokenUser->User.Sid, &sidString))
+					{
+						WRITE_DEBUG_MSG_WITH_GETLASTERROR(_T("failed to convert sid to string"));
+					}
+					clientSID.assign(sidString);
+				}
+
+				LocalFree(tokenUser);
+			}
+		}
+
+		CloseHandle(hToken);
+	}
+
+	RevertToSelf();
+
+	return clientSID;
+}
+
 RpcEventParameters populateEventParameters(PRPC_MESSAGE pRpcMsg, wchar_t* szStringBindingServer, wchar_t* szStringBinding, wchar_t* functionName, std::wstring &srcAddr, unsigned short srcPort, std::wstring& dstAddr, unsigned short dstPort)
 {
 	RpcEventParameters eventParams = {};
 	eventParams.functionName = std::wstring(functionName);
 	eventParams.processID = std::wstring(myProcessID);
 	eventParams.processName = std::wstring(myProcessName);
+	eventParams.clientSID = GetClientSIDString();
 
 	std::wstring srcPrt = std::to_wstring(srcPort);
 	eventParams.srcPort  = srcPrt;

rpcMessages/Messages.h

@@ -68,7 +68,7 @@
 //
 // MessageText:
 //
-// An RPC server function was called.%n%nProcess Information:%n%tProcess ID:%t%2%n%tImage Path:%t%3%n%tRPCRT_Func:%t%1%n%nNetwork Information:%n%tProtocol:%t%4%n%tEndpoint:%t%5%n%tClient Network Address:%t%6%n%tClient Port:%t%12%n%tServer Network Address:%t%13%n%tServer Port:%t%14%nRPC Information:%n%tInterfaceUuid:%t%7%n%tOpNum:%t%t%8%n%nSubject:%n%tSecurity ID:%t%9%n%nDetailed Authentication Information:%n%tAuthentication Level:%t%10%n%tAuthentication Service:%t%11
+// An RPC server function was called.%n%nProcess Information:%n%tProcess ID:%t%2%n%tImage Path:%t%3%n%tRPCRT_Func:%t%1%n%nNetwork Information:%n%tProtocol:%t%4%n%tEndpoint:%t%5%n%tClient Network Address:%t%6%n%tClient Port:%t%12%n%tServer Network Address:%t%13%n%tServer Port:%t%14%nRPC Information:%n%tInterfaceUuid:%t%7%n%tOpNum:%t%t%8%n%nSubject:%n%tSecurity ID:%t%9%n%tSID:%t%15%n%nDetailed Authentication Information:%n%tAuthentication Level:%t%10%n%tAuthentication Service:%t%11
 //
 #define RPC_SERVER_CALL                  ((DWORD)0x60020003L)
 

rpcMessages/Messages.mc

@@ -44,5 +44,5 @@ Severity        = Informational
 Facility        = Runtime
 SymbolicName    = RPC_SERVER_CALL
 Language        = English
-An RPC server function was called.%n%nProcess Information:%n%tProcess ID:%t%2%n%tImage Path:%t%3%n%tRPCRT_Func:%t%1%n%nNetwork Information:%n%tProtocol:%t%4%n%tEndpoint:%t%5%n%tClient Network Address:%t%6%n%tClient Port:%t%12%n%tServer Network Address:%t%13%n%tServer Port:%t%14%nRPC Information:%n%tInterfaceUuid:%t%7%n%tOpNum:%t%t%8%n%nSubject:%n%tSecurity ID:%t%9%n%nDetailed Authentication Information:%n%tAuthentication Level:%t%10%n%tAuthentication Service:%t%11
+An RPC server function was called.%n%nProcess Information:%n%tProcess ID:%t%2%n%tImage Path:%t%3%n%tRPCRT_Func:%t%1%n%nNetwork Information:%n%tProtocol:%t%4%n%tEndpoint:%t%5%n%tClient Network Address:%t%6%n%tClient Port:%t%12%n%tServer Network Address:%t%13%n%tServer Port:%t%14%nRPC Information:%n%tInterfaceUuid:%t%7%n%tOpNum:%t%t%8%n%nSubject:%n%tSecurity ID:%t%9%n%tSID:%t%15%n%nDetailed Authentication Information:%n%tAuthentication Level:%t%10%n%tAuthentication Service:%t%11
 .

rpcMessages/rpcMessages.cpp

@@ -316,7 +316,7 @@ bool rpcFunctionCalledEvent(bool callSuccessful, const RpcEventParameters& event
 {
     bool bSuccess = false;
     WORD eventType = EVENTLOG_AUDIT_SUCCESS;
-    LPCWSTR aInsertions[14] = {nullptr};
+    LPCWSTR aInsertions[15] = {nullptr};
 
     if (!callSuccessful) {
         eventType = EVENTLOG_AUDIT_FAILURE;
@@ -344,6 +344,7 @@ bool rpcFunctionCalledEvent(bool callSuccessful, const RpcEventParameters& event
     aInsertions[11] = (wchar_t*)eventParams.srcPort.c_str();
     aInsertions[12] = (wchar_t*)eventParams.destAddress.c_str();
     aInsertions[13] = (wchar_t*)eventParams.dstPort.c_str();
+    aInsertions[14] = (wchar_t*)eventParams.clientSID.c_str();
 
     if (hEventLog) {
 
@@ -353,7 +354,7 @@ bool rpcFunctionCalledEvent(bool callSuccessful, const RpcEventParameters& event
             0,               
             RPC_SERVER_CALL,           
             nullptr,                      
-            14,                        
+            15,                        
             0,                         
             aInsertions,               
             nullptr                       

rpcMessages/rpcMessages.h

@@ -32,6 +32,7 @@ struct RpcEventParameters
 	std::wstring clientName;
 	std::wstring authnLevel;
 	std::wstring authnSvc;
+	std::wstring clientSID;
 };
 
 DllExport bool deleteEventSource();