static uint GetGrantedAccess(SecurityDescriptor sd, NtToken token, uint specific_rights, GenericMapping generic_mapping)
        {
            uint granted_access = 0;

            specific_rights = generic_mapping.MapMask(specific_rights);

            if (specific_rights != 0)
            {
                granted_access = NtSecurity.GetAllowedAccess(sd, token, (GenericAccessRights)(specific_rights), generic_mapping);
            }
            else
            {
                granted_access = NtSecurity.GetMaximumAccess(sd, token, generic_mapping);
            }

            if (granted_access != 0)
            {
                // As we can get all the rights for the key get maximum
                if (specific_rights != 0)
                {
                    granted_access = NtSecurity.GetMaximumAccess(sd, token, generic_mapping);
                }
            }

            return(granted_access);
        }
        static void CheckAccess(string full_path, NtFile entry)
        {
            try
            {
                if (!entry.IsAccessGranted(FileAccessRights.ReadControl))
                {
                    return;
                }

                SecurityDescriptor sd = entry.SecurityDescriptor;
                bool       is_dir     = entry.IsDirectory;
                AccessMask granted_access;

                if (is_dir && _dir_filter != 0)
                {
                    granted_access = NtSecurity.GetAllowedAccess(_token, _type,
                                                                 _dir_filter, sd.ToByteArray());
                }
                else if (!is_dir && _file_filter != 0)
                {
                    granted_access = NtSecurity.GetAllowedAccess(_token, _type,
                                                                 _file_filter, sd.ToByteArray());
                }
                else
                {
                    granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray());
                }

                if (granted_access.HasAccess)
                {
                    // Now reget maximum access rights
                    if (_dir_filter != 0 || _file_filter != 0)
                    {
                        granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray());
                    }

                    if (!_show_write_only || _type.HasWritePermission(granted_access))
                    {
                        Console.WriteLine("{0}{1} : {2:X08} {3}", full_path.TrimEnd('\\'),
                                          is_dir ? "\\" : "", granted_access, AccessMaskToString(granted_access, is_dir));
                        if (_print_sddl)
                        {
                            Console.WriteLine("{0}", sd.ToSddl());
                        }
                    }
                }
            }
            catch (NtException)
            {
            }
        }
Beispiel #3
0
        static void CheckAccess(string path, byte[] sd, NtType type)
        {
            try
            {
                if (_type_filter.Count > 0)
                {
                    if (!_type_filter.Contains(type.Name.ToLower()))
                    {
                        return;
                    }
                }

                if (sd.Length > 0)
                {
                    uint granted_access = 0;

                    if (_dir_rights != 0)
                    {
                        granted_access = NtSecurity.GetAllowedAccess(_token, type, (uint)_dir_rights, sd);
                    }
                    else
                    {
                        granted_access = NtSecurity.GetMaximumAccess(_token, type, sd);
                    }

                    if (granted_access != 0)
                    {
                        // As we can get all the rights for the directory get maximum
                        if (_dir_rights != 0)
                        {
                            granted_access = NtSecurity.GetMaximumAccess(_token, type, sd);
                        }

                        if (!_show_write_only || type.HasWritePermission(granted_access))
                        {
                            Console.WriteLine("<{0}> {1} : {2:X08} {3}", type.Name, path, granted_access, AccessMaskToString(type, granted_access));
                            if (_print_sddl)
                            {
                                Console.WriteLine("{0}", NtSecurity.SecurityDescriptorToSddl(sd, SecurityInformation.AllBasic));
                            }
                        }
                    }
                }
            }
            catch (Exception)
            {
            }
        }
        static void CheckAccess(NtToken token, NtObject obj)
        {
            if (!obj.IsAccessMaskGranted(GenericAccessRights.ReadControl))
            {
                return;
            }

            try
            {
                SecurityDescriptor sd = obj.SecurityDescriptor;
                AccessMask         granted_access;
                NtType             type = obj.NtType;

                if (_dir_rights != 0)
                {
                    granted_access = NtSecurity.GetAllowedAccess(sd, token,
                                                                 _dir_rights, type.GenericMapping);
                }
                else
                {
                    granted_access = NtSecurity.GetMaximumAccess(sd, token, type.GenericMapping);
                }

                if (!granted_access.IsEmpty)
                {
                    // As we can get all the rights for the directory get maximum
                    if (_dir_rights != 0)
                    {
                        granted_access = NtSecurity.GetMaximumAccess(sd, token, type.GenericMapping);
                    }

                    if (!_show_write_only || type.HasWritePermission(granted_access))
                    {
                        Console.WriteLine("<{0}> {1} : {2:X08} {3}", type.Name, obj.FullPath,
                                          granted_access, type.AccessMaskToString(granted_access, _map_to_generic));
                        if (_print_sddl)
                        {
                            Console.WriteLine("{0}", sd.ToSddl());
                        }
                    }
                }
            }
            catch (NtException)
            {
            }
        }
Beispiel #5
0
        static void CheckAccess(FileSystemInfo entry)
        {
            try
            {
                SecurityDescriptor sd = NtSecurity.FromNamedObject(@"\??\" + entry.FullName, "file");
                if (sd != null)
                {
                    bool is_dir = entry is DirectoryInfo;
                    uint granted_access;

                    if (is_dir && _dir_filter != 0)
                    {
                        granted_access = NtSecurity.GetAllowedAccess(_token, _type, _dir_filter, sd.ToByteArray());
                    }
                    else if (!is_dir && _file_filter != 0)
                    {
                        granted_access = NtSecurity.GetAllowedAccess(_token, _type, _file_filter, sd.ToByteArray());
                    }
                    else
                    {
                        granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray());
                    }

                    if (granted_access != 0)
                    {
                        // Now reget maximum access rights
                        if (_dir_filter != 0 || _file_filter != 0)
                        {
                            granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray());
                        }

                        if (!_show_write_only || _type.HasWritePermission(granted_access))
                        {
                            Console.WriteLine("{0}{1} : {2:X08} {3}", entry.FullName, is_dir ? "\\" : "", granted_access, AccessMaskToString(granted_access, is_dir));
                            if (_print_sddl)
                            {
                                Console.WriteLine("{0}", sd.ToSddl());
                            }
                        }
                    }
                }
            }
            catch (Exception)
            {
            }
        }
        static void CheckAccess(string full_path, NtFile entry)
        {
            try
            {
                SecurityDescriptor sd = entry.GetSecurityDescriptor(SecurityInformation.AllBasic);
                if (sd != null)
                {
                    bool is_dir = entry.IsDirectory;
                    uint granted_access;

                    if (is_dir && _dir_filter != 0)
                    {
                        granted_access = NtSecurity.GetAllowedAccess(_token, _type, _dir_filter, sd.ToByteArray());
                    }
                    else if (!is_dir && _file_filter != 0)
                    {
                        granted_access = NtSecurity.GetAllowedAccess(_token, _type, _file_filter, sd.ToByteArray());
                    }
                    else
                    {
                        granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray());
                    }

                    if (granted_access != 0)
                    {
                        // Now reget maximum access rights
                        if (_dir_filter != 0 || _file_filter != 0)
                        {
                            granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray());
                        }

                        if (!_show_write_only || _type.HasWritePermission(granted_access))
                        {
                            Console.WriteLine("{0}{1} : {2:X08} {3}", full_path.TrimEnd('\\'),
                                              is_dir ? "\\" : "", granted_access, AccessMaskToString(granted_access, is_dir));
                            if (_print_sddl)
                            {
                                Console.WriteLine("{0}", sd.ToSddl());
                            }
                        }
                    }
                }
            }
            catch { }
        }
Beispiel #7
0
        static void CheckAccess(NtToken token, NtKey key)
        {
            NtType type = key.NtType;

            if (!key.IsAccessGranted(KeyAccessRights.ReadControl))
            {
                return;
            }

            SecurityDescriptor sd = key.SecurityDescriptor;
            AccessMask         granted_access;

            if (_key_rights != 0)
            {
                granted_access = NtSecurity.GetAllowedAccess(token, type,
                                                             _key_rights, sd.ToByteArray());
            }
            else
            {
                granted_access = NtSecurity.GetMaximumAccess(token, type, sd.ToByteArray());
            }

            if (!granted_access.IsEmpty)
            {
                // As we can get all the rights for the key get maximum
                if (_key_rights != 0)
                {
                    granted_access = NtSecurity.GetMaximumAccess(token, type, sd.ToByteArray());
                }

                if (!_show_write_only || type.HasWritePermission(granted_access))
                {
                    Console.WriteLine("{0} : {1:X08} {2}", key.FullPath, granted_access, AccessMaskToString(granted_access, type));
                    if (_print_sddl)
                    {
                        Console.WriteLine("{0}", sd.ToSddl());
                    }
                }
            }
        }
Beispiel #8
0
        static AccessMask GetGrantedAccess(SecurityDescriptor sd, NtToken token,
                                           AccessMask specific_rights, GenericMapping generic_mapping)
        {
            AccessMask granted_access;

            specific_rights = generic_mapping.MapMask(specific_rights);

            if (specific_rights.HasAccess)
            {
                granted_access = NtSecurity.GetAllowedAccess(sd, token, specific_rights, generic_mapping);
                // As we can get all the rights for the key get maximum
                if (granted_access.HasAccess)
                {
                    granted_access = NtSecurity.GetMaximumAccess(sd, token, generic_mapping);
                }
            }
            else
            {
                granted_access = NtSecurity.GetMaximumAccess(sd, token, generic_mapping);
            }

            return(granted_access);
        }
Beispiel #9
0
        static void Main(string[] args)
        {
            try
            {
                int  pid        = NtProcess.Current.ProcessId;
                bool show_help  = false;
                bool print_sddl = false;

                OptionSet opts = new OptionSet()
                {
                    { "p|pid=", "Specify a PID of a process for access check.", v => pid = int.Parse(v.Trim()) },
                    { "sddl", "Print SDDL security descriptor.", v => print_sddl = v != null },
                    { "h|help", "show this message and exit",
                      v => show_help = v != null },
                };

                HashSet <int> pids = new HashSet <int>(opts.Parse(args).Select(a => int.Parse(a)));
                if (show_help)
                {
                    ShowHelp(opts);
                    return;
                }

                Dictionary <string, string> ports = new Dictionary <string, string>(StringComparer.OrdinalIgnoreCase);

                NtToken.EnableDebugPrivilege();
                using (NtToken token = NtToken.OpenProcessToken(pid))
                {
                    IEnumerable <NtHandle> handles         = NtSystemInfo.GetHandles(-1, false);
                    HashSet <ulong>        checked_objects = new HashSet <ulong>();

                    if (pids.Count > 0)
                    {
                        handles = handles.Where(h => pids.Contains(h.ProcessId));
                    }

                    handles = handles.Where(h => h.ObjectType.Equals("ALPC Port", StringComparison.OrdinalIgnoreCase));
                    Dictionary <int, NtProcess> pid_to_process = new Dictionary <int, NtProcess>();
                    foreach (NtHandle handle in handles.Where(h => h.GrantedAccess.IsAccessGranted(GenericAccessRights.ReadControl)))
                    {
                        if (!pid_to_process.ContainsKey(handle.ProcessId))
                        {
                            var result = NtProcess.Open(handle.ProcessId,
                                                        ProcessAccessRights.QueryLimitedInformation | ProcessAccessRights.DupHandle, false);
                            pid_to_process[handle.ProcessId] = result.IsSuccess ? result.Result : null;
                        }

                        NtProcess proc = pid_to_process[handle.ProcessId];
                        if (proc == null)
                        {
                            continue;
                        }

                        try
                        {
                            using (NtAlpc obj = NtAlpc.DuplicateFrom(proc, new IntPtr(handle.Handle)))
                            {
                                string name = obj.FullPath;
                                // We only care about named ALPC ports.
                                if (String.IsNullOrEmpty(name))
                                {
                                    continue;
                                }

                                if (ports.ContainsKey(name))
                                {
                                    continue;
                                }

                                SecurityDescriptor sd             = obj.SecurityDescriptor;
                                AccessMask         granted_access = NtSecurity.GetAllowedAccess(sd, token, AlpcAccessRights.Connect, obj.NtType.GenericMapping);
                                if (granted_access.IsEmpty)
                                {
                                    continue;
                                }
                                ports.Add(name, sd.ToSddl());
                            }
                        }
                        catch (NtException)
                        {
                        }
                    }
                }
                foreach (var pair in ports.OrderBy(p => p.Key))
                {
                    Console.WriteLine(pair.Key);
                    if (print_sddl)
                    {
                        Console.WriteLine("SDDL: {0}", pair.Value);
                    }
                }
            }
            catch (Exception ex)
            {
                Console.Error.WriteLine(ex.Message);
            }
        }