private void CheckHandles(IEnumerable <TokenEntry> tokens, HashSet <string> type_filter,
                                  HashSet <ulong> checked_objects, NtProcess process, IEnumerable <NtHandle> handles)
        {
            foreach (NtHandle handle in handles)
            {
                if (Stopping)
                {
                    return;
                }

                using (var obj = NtGeneric.DuplicateFrom(process, new IntPtr(handle.Handle), 0, DuplicateObjectOptions.SameAccess, false))
                {
                    // We double check type here to ensure we've duplicated a similar handle.
                    if (!obj.IsSuccess)
                    {
                        continue;
                    }

                    if (checked_objects.Add(handle.Object))
                    {
                        if (CheckUnnamed || !String.IsNullOrEmpty(obj.Result.FullPath))
                        {
                            DumpObject(tokens, type_filter, AccessRights, obj.Result,
                                       obj.Result.NtTypeName.Equals("Directory", StringComparison.OrdinalIgnoreCase));
                        }
                    }
                }
            }
        }
Beispiel #2
0
 private object GetObject(IntPtr handle)
 {
     using (var dup_obj = NtGeneric.DuplicateFrom(SourceProcess, handle,
                                                  GetDesiredAccess(), ObjectAttributes ?? 0, GetOptions()))
     {
         return(dup_obj.ToTypedObject());
     }
 }
Beispiel #3
0
 private object GetObject(NtHandle handle)
 {
     using (var proc = NtProcess.Open(handle.ProcessId, ProcessAccessRights.DupHandle))
     {
         using (var dup_obj = NtGeneric.DuplicateFrom(proc, new IntPtr(handle.Handle),
                                                      GetDesiredAccess(), ObjectAttributes ?? 0, GetOptions()))
         {
             return(dup_obj.ToTypedObject());
         }
     }
 }
Beispiel #4
0
 private NtObject GetObject()
 {
     if (ParameterSetName == "FromHandle")
     {
         using (var obj = NtGeneric.DuplicateFrom(SourceProcess, SourceHandle, DesiredAccess ?? 0, ObjectAttributes ?? 0, GetOptions()))
         {
             return(obj.ToTypedObject());
         }
     }
     else
     {
         return(Object.DuplicateObject(DesiredAccess ?? 0, ObjectAttributes ?? 0, GetOptions()));
     }
 }
        private void CheckHandles(TokenEntry token, HashSet <string> type_filter,
                                  Dictionary <ulong, MaximumAccess> max_access, NtProcess process, IEnumerable <NtHandle> handles)
        {
            foreach (NtHandle handle in handles)
            {
                if (Stopping)
                {
                    return;
                }

                using (var result = NtGeneric.DuplicateFrom(process, new IntPtr(handle.Handle), 0, DuplicateObjectOptions.SameAccess, false))
                {
                    if (!result.IsSuccess)
                    {
                        continue;
                    }

                    using (NtObject obj = result.Result.ToTypedObject())
                    {
                        NtType type = obj.NtType;
                        if (!IsTypeFiltered(type.Name, type_filter))
                        {
                            continue;
                        }

                        string full_path = GetObjectName(obj);

                        MaximumAccess           maximum_access = GetMaxAccess(token, obj, handle.Object, max_access);
                        HandleAccessCheckResult access         = new HandleAccessCheckResult(maximum_access, handle,
                                                                                             full_path, type.Name, handle.GrantedAccess, type.GenericMapping,
                                                                                             maximum_access != null ? maximum_access.SecurityDescriptor : string.Empty, type.AccessRightsType, false, token.Information);
                        WriteObject(access);
                    }
                }
            }
        }