internal void FromSafeBuffer(SafeAlpcMessageAttributesBuffer buffer, NtAlpc port, AlpcMessage message) { var result = buffer.Result; var valid_attrs = result.ValidAttributes; if (valid_attrs.HasFlag(AlpcMessageAttributeFlags.Token)) { AddAttribute <AlpcTokenMessageAttribute>(buffer, port, message); } if (valid_attrs.HasFlag(AlpcMessageAttributeFlags.Context)) { AddAttribute <AlpcContextMessageAttribute>(buffer, port, message); } if (valid_attrs.HasFlag(AlpcMessageAttributeFlags.Handle)) { var attribute = AddAttribute <AlpcHandleMessageAttribute>(buffer, port, message); _handles.AddRange(attribute.Handles.Select(h => NtObjectUtils.FromHandle(h.Handle, true))); } if (valid_attrs.HasFlag(AlpcMessageAttributeFlags.Security)) { var attr = AddAttribute <AlpcSecurityMessageAttribute>(buffer, port, message); SecurityContext = new SafeAlpcSecurityContextHandle(attr.ContextHandle, true, port, attr.Flags, attr.SecurityQoS); } if (valid_attrs.HasFlag(AlpcMessageAttributeFlags.View)) { var attr = AddAttribute <AlpcDataViewMessageAttribute>(buffer, port, message); DataView = new SafeAlpcDataViewBuffer(new IntPtr(attr.ViewBase), attr.ViewSize, new SafeAlpcPortSectionHandle(attr.SectionHandle, true, port), attr.Flags, true); } if (valid_attrs.HasFlag(AlpcMessageAttributeFlags.WorkOnBehalfOf)) { AddAttribute <AlpcWorkOnBehalfMessageAttribute>(buffer, port, message); } }
internal NtType(int id, ObjectTypeInformation info, NtTypeFactory type_factory) { Index = id; Name = info.Name.ToString(); InvalidAttributes = info.InvalidAttributes; GenericMapping = info.GenericMapping; ValidAccess = info.ValidAccess; SecurityRequired = info.SecurityRequired != 0; TotalNumberOfObjects = info.TotalNumberOfObjects; TotalNumberOfHandles = info.TotalNumberOfHandles; TotalPagedPoolUsage = info.TotalPagedPoolUsage; TotalNonPagedPoolUsage = info.TotalNonPagedPoolUsage; TotalNamePoolUsage = info.TotalNamePoolUsage; TotalHandleTableUsage = info.TotalHandleTableUsage; HighWaterNumberOfObjects = info.HighWaterNumberOfObjects; HighWaterNumberOfHandles = info.HighWaterNumberOfHandles; HighWaterPagedPoolUsage = info.HighWaterPagedPoolUsage; HighWaterNonPagedPoolUsage = info.HighWaterNonPagedPoolUsage; HighWaterNamePoolUsage = info.HighWaterNamePoolUsage; HighWaterHandleTableUsage = info.HighWaterHandleTableUsage; MaintainHandleCount = info.MaintainHandleCount != 0; MaintainTypeList = info.MaintainTypeList; PoolType = info.PoolType; PagedPoolUsage = info.PagedPoolUsage; NonPagedPoolUsage = info.NonPagedPoolUsage; _type_factory = type_factory; GenericRead = NtObjectUtils.GrantedAccessAsString(GenericMapping.GenericRead, GenericMapping, _type_factory.AccessRightsType, false); GenericWrite = NtObjectUtils.GrantedAccessAsString(GenericMapping.GenericWrite, GenericMapping, _type_factory.AccessRightsType, false); GenericExecute = NtObjectUtils.GrantedAccessAsString(GenericMapping.GenericExecute, GenericMapping, _type_factory.AccessRightsType, false); GenericAll = NtObjectUtils.GrantedAccessAsString(GenericMapping.GenericAll, GenericMapping, _type_factory.AccessRightsType, false); }
private static object ToObject(RegistryValueType type, byte[] data) { switch (type) { case RegistryValueType.String: case RegistryValueType.ExpandString: case RegistryValueType.Link: return(Encoding.Unicode.GetString(data)); case RegistryValueType.MultiString: return(NtObjectUtils.ParseMultiString(data)); case RegistryValueType.Dword: return(BitConverter.ToUInt32(data, 0)); case RegistryValueType.DwordBigEndian: return(BitConverter.ToUInt32(data.Reverse().ToArray(), 0)); case RegistryValueType.Qword: return(BitConverter.ToUInt64(data, 0)); default: return(data); } }
/// <summary> /// Overridden process record method. /// </summary> protected override void ProcessRecord() { using (NtToken token = GetToken()) { NtType type = GetNtType(); if (type == null) { throw new ArgumentException("Must specify a type."); } var result = NtSecurity.AccessCheck(GetSecurityDescriptor(), token, AccessMask, Principal, type.GenericMapping, ObjectType).ToSpecificAccess(type.AccessRightsType); if (PassResult) { WriteObject(result); return; } var mask = result.SpecificGrantedAccess; if (MapToGeneric) { mask = result.SpecificGenericGrantedAccess; } if (ConvertToString) { string access_string = NtObjectUtils.GrantedAccessAsString(mask, type.GenericMapping, type.AccessRightsType, false); WriteObject(access_string); } else { WriteObject(mask); } } }
/// <summary> /// Convert to a managed byte array. /// </summary> /// <returns>The managed byte array.</returns> public byte[] ToArray() { using (SafeSidBufferHandle handle = ToSafeBuffer()) { return(NtObjectUtils.SafeHandleToArray(handle, handle.Length)); } }
/// <summary> /// Convert the value to a string /// </summary> /// <returns>The value as a string</returns> public override string ToString() { switch (Type) { case RegistryValueType.String: case RegistryValueType.ExpandString: case RegistryValueType.Link: return(Encoding.Unicode.GetString(Data).TrimEnd('\0')); case RegistryValueType.MultiString: return(string.Join(", ", NtObjectUtils.ParseMultiString(Data))); case RegistryValueType.Dword: return(BitConverter.ToUInt32(Data, 0).ToString()); case RegistryValueType.DwordBigEndian: return(BitConverter.ToUInt32(Data.Reverse().ToArray(), 0).ToString()); case RegistryValueType.Qword: return(BitConverter.ToUInt64(Data, 0).ToString()); default: return(Convert.ToBase64String(Data)); } }
/// <summary> /// Free a buffer from the heap. /// </summary> /// <param name="flags">Heap flags.</param> /// <param name="address">Address of the allocation.</param> public void Free(HeapAllocFlags flags, long address) { if (!NtRtl.RtlFreeHeap(_heap_handle, flags, new IntPtr(address))) { throw new NtException(NtObjectUtils.MapDosErrorToStatus()); } }
/// <summary> /// Set the Window Station for the Process. /// </summary> /// <param name="throw_on_error">True to throw on error.</param> /// <returns>The NT status.</returns> public NtStatus SetProcess(bool throw_on_error = true) { if (!NtSystemCalls.NtUserSetProcessWindowStation(Handle)) { return(NtObjectUtils.MapDosErrorToStatus().ToNtException(throw_on_error)); } return(NtStatus.STATUS_SUCCESS); }
/// <summary> /// Close the Window Stations. This is different from normal Close as it destroys the Window Station. /// </summary> /// <param name="throw_on_error">True to throw on error.</param> /// <returns>The NT status.</returns> public NtStatus CloseWindowStation(bool throw_on_error = true) { if (!NtSystemCalls.NtUserCloseWindowStation(Handle)) { return(NtObjectUtils.MapDosErrorToStatus()); } return(NtStatus.STATUS_SUCCESS); }
/// <summary> /// Free a buffer from the heap. /// </summary> /// <param name="flags">Heap flags.</param> /// <param name="address">Address of the allocation.</param> /// <param name="throw_on_error">True to throw on error.</param> public NtStatus Free(HeapAllocFlags flags, long address, bool throw_on_error) { if (!NtRtl.RtlFreeHeap(_heap_handle, flags, new IntPtr(address))) { return(NtObjectUtils.MapDosErrorToStatus().ToNtException(throw_on_error)); } return(NtStatus.STATUS_SUCCESS); }
/// <summary> /// Close the Desktop. This is different from normal Close as it destroys the Desktop. /// </summary> /// <param name="throw_on_error">True to throw on error.</param> /// <returns>The NT status.</returns> public NtStatus CloseDesktop(bool throw_on_error = true) { if (!NtSystemCalls.NtUserCloseDesktop(Handle)) { return(NtObjectUtils.MapDosErrorToStatus().ToNtException(throw_on_error)); } Handle.SetHandleAsInvalid(); return(NtStatus.STATUS_SUCCESS); }
/// <summary> /// Open a window station by name. /// </summary> /// <param name="object_attributes">The object attributes for opening.</param> /// <param name="desired_access">Desired access.</param> /// <param name="throw_on_error">True to throw on error.</param> /// <returns>The instance of the window station</returns> /// <exception cref="NtException">Thrown on error.</exception> public static NtResult <NtWindowStation> Open(ObjectAttributes object_attributes, WindowStationAccessRights desired_access, bool throw_on_error) { SafeKernelObjectHandle handle = NtSystemCalls.NtUserOpenWindowStation(object_attributes, desired_access); if (handle.IsInvalid) { return(NtObjectUtils.CreateResultFromDosError <NtWindowStation>(Marshal.GetLastWin32Error(), throw_on_error)); } return(new NtResult <NtWindowStation>(NtStatus.STATUS_SUCCESS, new NtWindowStation(handle))); }
/// <summary> /// Open the current process Window Station. /// </summary> /// <param name="throw_on_error">True to throw on error.</param> /// <returns>The instance of the window station</returns> /// <remarks>The returned object is no owned by the caller.</remarks> /// <exception cref="NtException">Thrown on error.</exception> public static NtResult <NtWindowStation> OpenCurrent(bool throw_on_error) { var handle = NtSystemCalls.NtUserGetProcessWindowStation(); if (handle == IntPtr.Zero) { return(NtObjectUtils.CreateResultFromDosError <NtWindowStation>(Marshal.GetLastWin32Error(), throw_on_error)); } return(new NtResult <NtWindowStation>(NtStatus.STATUS_SUCCESS, new NtWindowStation(new SafeKernelObjectHandle(handle, false)))); }
/// <summary> /// Allocate a buffer from the heap. /// </summary> /// <param name="flags">Heap flags.</param> /// <param name="size">Size of the allocation.</param> /// <returns>The allocated memory address.</returns> public long Allocate(HeapAllocFlags flags, long size) { long address = NtRtl.RtlAllocateHeap(_heap_handle, flags, new IntPtr(size)).ToInt64(); if (address == 0) { throw new NtException(NtObjectUtils.MapDosErrorToStatus()); } return(address); }
/// <summary> /// Get the desktop for a thread. /// </summary> /// <param name="thread_id">The thread ID of the thread.</param> /// <param name="throw_on_error">True to throw on error.</param> /// <returns>The desktop result.</returns> public static NtResult <NtDesktop> GetThreadDesktop(int thread_id, bool throw_on_error) { var handle = NtSystemCalls.NtUserGetThreadDesktop(thread_id); if (handle == IntPtr.Zero) { return(NtObjectUtils.CreateResultFromDosError <NtDesktop>(Marshal.GetLastWin32Error(), throw_on_error)); } return(new NtDesktop(new SafeKernelObjectHandle(handle, false)).CreateResult()); }
/// <summary> /// Allocate a buffer from the heap. /// </summary> /// <param name="flags">Heap flags.</param> /// <param name="size">Size of the allocation.</param> /// <param name="throw_on_error">True to throw on error.</param> /// <returns>The allocated memory address.</returns> public NtResult <long> Allocate(HeapAllocFlags flags, long size, bool throw_on_error) { long address = NtRtl.RtlAllocateHeap(_heap_handle, flags, new IntPtr(size)).ToInt64(); if (address == 0) { return(NtObjectUtils.MapDosErrorToStatus().CreateResultFromError <long>(throw_on_error)); } return(address.CreateResult()); }
/// <summary> /// Convert an SDDL SID string to a Sid /// </summary> /// <param name="sddl">The SDDL SID string</param> /// <returns>The converted Sid</returns> /// <exception cref="NtException">Thrown if cannot convert from a SDDL string.</exception> public static Sid SidFromSddl(string sddl) { if (!Win32NativeMethods.ConvertStringSidToSid(sddl, out SafeLocalAllocHandle handle)) { throw new NtException(NtObjectUtils.MapDosErrorToStatus()); } using (handle) { return(new Sid(handle.DangerousGetHandle())); } }
/// <summary> /// Convert an SDDL SID string to a Sid /// </summary> /// <param name="sddl">The SDDL SID string</param> /// <param name="throw_on_error">True to throw on error.</param> /// <returns>The converted Sid</returns> /// <exception cref="NtException">Thrown if cannot convert from a SDDL string.</exception> public static NtResult <Sid> SidFromSddl(string sddl, bool throw_on_error) { if (!Win32NativeMethods.ConvertStringSidToSid(sddl, out SafeLocalAllocHandle handle)) { return(NtObjectUtils.MapDosErrorToStatus().CreateResultFromError <Sid>(throw_on_error)); } using (handle) { return(new Sid(handle.DangerousGetHandle()).CreateResult()); } }
/// <summary> /// Convert a security descriptor to SDDL string /// </summary> /// <param name="sd">The security descriptor</param> /// <param name="security_information">Indicates what parts of the security descriptor to include</param> /// <returns>The SDDL string</returns> /// <exception cref="NtException">Thrown if cannot convert to a SDDL string.</exception> public static string SecurityDescriptorToSddl(byte[] sd, SecurityInformation security_information) { if (!Win32NativeMethods.ConvertSecurityDescriptorToStringSecurityDescriptor(sd, 1, security_information, out SafeLocalAllocHandle handle, out int return_length)) { throw new NtException(NtObjectUtils.MapDosErrorToStatus()); } using (handle) { return(Marshal.PtrToStringUni(handle.DangerousGetHandle())); } }
/// <summary> /// Create a new desktop. /// </summary> /// <param name="object_attributes">The object attributes for opening.</param> /// <param name="flags">Flags for opening the desktop.</param> /// <param name="desired_access">Desired access.</param> /// <param name="throw_on_error">True to throw on error.</param> /// <param name="device">Device name.</param> /// <param name="dev_mode">Device mode.</param> /// <param name="heap_size">Heap size.</param> /// <returns>An instance of NtDesktop.</returns> public static NtResult <NtDesktop> Create(ObjectAttributes object_attributes, string device, IntPtr dev_mode, CreateDesktopFlags flags, DesktopAccessRights desired_access, int heap_size, bool throw_on_error) { SafeKernelObjectHandle handle = NtSystemCalls.NtUserCreateDesktopEx(object_attributes, device == null ? null : new UnicodeString(device), dev_mode, flags, desired_access, heap_size); if (handle.IsInvalid) { return(NtObjectUtils.CreateResultFromDosError <NtDesktop>(Marshal.GetLastWin32Error(), throw_on_error)); } return(new NtResult <NtDesktop>(NtStatus.STATUS_SUCCESS, new NtDesktop(handle))); }
private NtResult <string> GetClassName(bool real_name, bool throw_on_error) { using (var str = new UnicodeStringAllocated()) { int length = NtSystemCalls.NtUserGetClassName(Handle, real_name, str); if (length == 0) { return(NtObjectUtils.CreateResultFromDosError <string>(throw_on_error)); } str.String.Length = (ushort)(length * 2); return(str.ToString().CreateResult()); } }
internal NtType(string name, GenericMapping generic_mapping, Type access_rights_type) { if (!access_rights_type.IsEnum) { throw new ArgumentException("Specify an enumerated type", "access_rights_type"); } _type_factory = new NtTypeFactory(access_rights_type, typeof(object)); Name = name; GenericMapping = generic_mapping; GenericRead = NtObjectUtils.GrantedAccessAsString(GenericMapping.GenericRead, GenericMapping, access_rights_type, false); GenericWrite = NtObjectUtils.GrantedAccessAsString(GenericMapping.GenericWrite, GenericMapping, access_rights_type, false); GenericExecute = NtObjectUtils.GrantedAccessAsString(GenericMapping.GenericExecute, GenericMapping, access_rights_type, false); GenericAll = NtObjectUtils.GrantedAccessAsString(GenericMapping.GenericAll, GenericMapping, access_rights_type, false); }
/// <summary> /// Convert an SDDL string to a binary security descriptor /// </summary> /// <param name="sddl">The SDDL string</param> /// <returns>The binary security descriptor</returns> /// <exception cref="NtException">Thrown if cannot convert from a SDDL string.</exception> public static byte[] SddlToSecurityDescriptor(string sddl) { if (!Win32NativeMethods.ConvertStringSecurityDescriptorToSecurityDescriptor(sddl, 1, out SafeLocalAllocHandle handle, out int return_length)) { throw new NtException(NtObjectUtils.MapDosErrorToStatus()); } using (handle) { byte[] ret = new byte[return_length]; Marshal.Copy(handle.DangerousGetHandle(), ret, 0, return_length); return(ret); } }
/// <summary> /// Convert an SDDL string to a binary security descriptor /// </summary> /// <param name="sddl">The SDDL string</param> /// <param name="throw_on_error">True to throw on error.</param> /// <returns>The binary security descriptor</returns> /// <exception cref="NtException">Thrown if cannot convert from a SDDL string.</exception> public static NtResult <byte[]> SddlToSecurityDescriptor(string sddl, bool throw_on_error) { if (!Win32NativeMethods.ConvertStringSecurityDescriptorToSecurityDescriptor(sddl, 1, out SafeLocalAllocHandle handle, out int return_length)) { return(NtObjectUtils.MapDosErrorToStatus().CreateResultFromError <byte[]>(throw_on_error)); } using (handle) { byte[] ret = new byte[return_length]; Marshal.Copy(handle.DangerousGetHandle(), ret, 0, return_length); return(ret.CreateResult()); } }
internal NtType(string name, GenericMapping generic_mapping, Type access_rights_type, Type container_access_rights_type, MandatoryLabelPolicy default_policy) { if (!access_rights_type.IsEnum) { throw new ArgumentException("Specify an enumerated type", "access_rights_type"); } _type_factory = new NtTypeFactory(access_rights_type, container_access_rights_type, typeof(object), false, default_policy); Name = name; ValidAccess = CalculateValidAccess(access_rights_type) | CalculateValidAccess(container_access_rights_type); GenericMapping = generic_mapping; GenericRead = NtObjectUtils.GrantedAccessAsString(GenericMapping.GenericRead, GenericMapping, access_rights_type, false); GenericWrite = NtObjectUtils.GrantedAccessAsString(GenericMapping.GenericWrite, GenericMapping, access_rights_type, false); GenericExecute = NtObjectUtils.GrantedAccessAsString(GenericMapping.GenericExecute, GenericMapping, access_rights_type, false); GenericAll = NtObjectUtils.GrantedAccessAsString(GenericMapping.GenericAll, GenericMapping, access_rights_type, false); DefaultMandatoryAccess = NtObjectUtils.GrantedAccessAsString(GetDefaultMandatoryAccess(), generic_mapping, access_rights_type, false); }
/// <summary> /// Compare ACE to another object. /// </summary> /// <param name="obj">The other object.</param> /// <returns>True if the other object equals this ACE</returns> public override bool Equals(object obj) { if (ReferenceEquals(obj, this)) { return(true); } Ace ace = obj as Ace; if (ace == null) { return(false); } return(ace.Type == Type && ace.Flags == Flags && ace.Sid == Sid && ace.Mask == Mask && ace.ObjectType == ObjectType && ace.InheritedObjectType == InheritedObjectType && ace.ServerSid == ServerSid && NtObjectUtils.EqualByteArray(ApplicationData, ace.ApplicationData)); }
void IDisposable.Dispose() { // Close handles which come from errors switch (State) { case ProcessCreateState.FailOnSectionCreate: NtObjectUtils.CloseHandle(Data.FileHandle); break; case ProcessCreateState.FailExeName: NtObjectUtils.CloseHandle(Data.IFEOKey); break; case ProcessCreateState.Success: NtObjectUtils.CloseHandle(Data.Success.FileHandle); NtObjectUtils.CloseHandle(Data.Success.SectionHandle); break; } }
/// <summary> /// Convert an enumerable access rights to a string /// </summary> /// <param name="granted_access">The granted access mask.</param> /// <param name="generic_mapping">Generic mapping for object type.</param> /// <param name="enum_type">Enum type to convert to string.</param> /// <param name="map_to_generic">True to try and convert to generic rights where possible.</param> /// <returns>The string format of the access rights</returns> public static string GrantedAccessAsString(AccessMask granted_access, GenericMapping generic_mapping, Type enum_type, bool map_to_generic) { if (granted_access == 0) { return("None"); } AccessMask mapped_access = generic_mapping.MapMask(granted_access); if (map_to_generic) { mapped_access = generic_mapping.UnmapMask(mapped_access); } else if (generic_mapping.HasAll(granted_access)) { return("Full Access"); } return(NtObjectUtils.AccessRightsToString(enum_type, mapped_access)); }
/// <summary> /// Create a Window Station by name. /// </summary> /// <param name="object_attributes">Object attributes for the Window Station.</param> /// <param name="desired_access">Desired access for the Window Station.</param> /// <param name="kbd_dll_path">Path to Keyboard DLL e.g. kbusa.dll.</param> /// <param name="keyboard_locale">Locale ID, e.g. 0x4090409.</param> /// <param name="language_id">Language ID e.g. 0x409.</param> /// <param name="throw_on_error">True to throw on error.</param> /// <returns>The Window Station.</returns> public static NtResult <NtWindowStation> Create(ObjectAttributes object_attributes, WindowStationAccessRights desired_access, string kbd_dll_path, int language_id, int keyboard_locale, bool throw_on_error) { string dll_path; IntPtr layout_offset; IntPtr nls_offset; using (var kbd_dll = SafeLoadLibraryHandle.LoadLibrary(kbd_dll_path, LoadLibraryFlags.None, throw_on_error)) { if (!kbd_dll.IsSuccess) { return(kbd_dll.Cast <NtWindowStation>()); } dll_path = kbd_dll.Result.FullPath; layout_offset = GetKdbLayoutOffset(kbd_dll.Result, 1); nls_offset = GetKdbLayoutOffset(kbd_dll.Result, 2); } using (var buffer = new SafeHGlobalBuffer(0x318)) { BufferUtils.FillBuffer(buffer, 0); using (var file = NtFile.Open(NtFileUtils.DosFileNameToNt(dll_path), null, FileAccessRights.GenericRead | FileAccessRights.Synchronize, FileShareMode.Read | FileShareMode.Delete, FileOpenOptions.NonDirectoryFile | FileOpenOptions.SynchronousIoNonAlert, throw_on_error)) { if (!file.IsSuccess) { return(file.Cast <NtWindowStation>()); } var handle = NtSystemCalls.NtUserCreateWindowStation(object_attributes, desired_access, file.Result.Handle, layout_offset, nls_offset, buffer, new UnicodeString($"{language_id:X08}"), keyboard_locale); if (handle.IsInvalid) { return(NtObjectUtils.CreateResultFromDosError <NtWindowStation>(throw_on_error)); } return(new NtWindowStation(handle).CreateResult()); } } }
/// <summary> /// Overridden process record method. /// </summary> protected override void ProcessRecord() { using (NtToken token = GetToken()) { NtType type = GetNtType(); AccessMask mask = NtSecurity.GetAllowedAccess(GetSecurityDescriptor(), token, AccessMask, Principal, type.GenericMapping); if (MapToGeneric) { mask = type.GenericMapping.UnmapMask(mask); } if (ConvertToString) { string access_string = NtObjectUtils.GrantedAccessAsString(mask, type.GenericMapping, type.AccessRightsType, false); WriteObject(access_string); } else { WriteObject(mask.ToSpecificAccess(type.AccessRightsType)); } } }