private NtToken GetTicketToken(TokenAccessRights desired_access)
{
using (NtToken token = LogonUtils.LsaLogonTicket(LogonType, Ticket, KerbCred))
{
if (desired_access == TokenAccessRights.MaximumAllowed)
{
return(token.Duplicate());
}
return(token.Duplicate(desired_access));
}
}
private NtToken GetLogonToken(TokenAccessRights desired_access)
{
using (NtToken token = TokenUtils.GetLogonUserToken(User, Domain, Password, LogonType))
{
if (desired_access == TokenAccessRights.MaximumAllowed)
{
return(token.Duplicate());
}
return(token.Duplicate(desired_access));
}
}
private NtToken GetS4UToken(TokenAccessRights desired_access)
{
using (NtToken token = LogonUtils.LogonS4U(User, Domain, LogonType))
{
if (desired_access == TokenAccessRights.MaximumAllowed)
{
return(token.Duplicate());
}
return(token.Duplicate(desired_access));
}
}
private NtToken GetS4UToken(TokenAccessRights desired_access)
{
using (NtToken token = LogonUtils.LsaLogonS4U(User, Domain, LogonType, AuthenticationPackage.NEGOSSP_NAME))
{
if (desired_access == TokenAccessRights.MaximumAllowed)
{
return(token.Duplicate());
}
return(token.Duplicate(desired_access));
}
}
private NtToken GetSandboxedToken(TokenAccessRights desired_access, Func <NtToken, NtToken> sandbox_func)
{
using (NtToken token = Token != null ? Token.Duplicate() : NtToken.OpenProcessToken())
{
using (NtToken sandbox_token = sandbox_func(token))
{
if (desired_access == TokenAccessRights.MaximumAllowed)
{
return(token.Duplicate());
}
return(token.Duplicate(desired_access));
}
}
}
/// <summary>
/// Get a safer token.
/// </summary>
/// <param name="token">The base token.</param>
/// <param name="level">The safer level to use.</param>
/// <param name="make_inert">True to make the token inert.</param>
/// <returns>The safer token.</returns>
public static NtToken GetTokenFromSaferLevel(NtToken token, SaferLevel level, bool make_inert)
{
IntPtr level_handle;
if (!Win32NativeMethods.SaferCreateLevel(SaferScope.User, level, Win32NativeMethods.SAFER_LEVEL_OPEN, out level_handle, IntPtr.Zero))
{
throw new SafeWin32Exception();
}
try
{
using (NtToken duptoken = token.Duplicate(TokenAccessRights.GenericRead | TokenAccessRights.GenericExecute))
{
SafeKernelObjectHandle handle;
if (Win32NativeMethods.SaferComputeTokenFromLevel(level_handle,
duptoken.Handle, out handle, make_inert ? SaferFlags.MakeInert : 0, IntPtr.Zero))
{
return(NtToken.FromHandle(handle));
}
else
{
throw new SafeWin32Exception();
}
}
}
finally
{
Win32NativeMethods.SaferCloseLevel(level_handle);
}
}
/// <summary>
/// Overridden ProcessRecord method.
/// </summary>
protected override void ProcessRecord()
{
NtToken token = null;
if (Duplicate)
{
using (NtToken base_token = GetToken(TokenAccessRights.Duplicate))
{
if (base_token != null)
{
token = base_token.DuplicateToken(TokenType, ImpersonationLevel, Access);
if (IntegrityLevel.HasValue)
{
using (NtToken set_token = token.Duplicate(TokenAccessRights.AdjustDefault))
{
set_token.SetIntegrityLevel(IntegrityLevel.Value);
}
}
}
}
}
else
{
token = GetToken(Access);
}
WriteObject(token);
}
public static void OpenForm(NtToken token, string text, bool copy)
{
if (token != null)
{
OpenForm(new TokenForm(copy ? token.Duplicate() : token, text));
}
}
public ProcessTokenEntry(int process_id, string name, string image_path, string command_line, NtToken process_token)
{
ProcessId = process_id;
Name = name;
ImagePath = image_path;
CommandLine = command_line;
ProcessToken = process_token.Duplicate();
}
public ThreadTokenEntry(NtProcess process, NtToken process_token,
int thread_id, string thread_name, NtToken thread_token)
: base(process, process_token)
{
ThreadName = thread_name;
ThreadId = thread_id;
ThreadToken = thread_token.Duplicate();
}
private NtToken GetLogonToken(TokenAccessRights desired_access)
{
IEnumerable <UserGroup> groups = null;
if (AdditionalGroups != null && AdditionalGroups.Length > 0)
{
groups = AdditionalGroups.Select(s => new UserGroup(s,
GroupAttributes.Enabled | GroupAttributes.EnabledByDefault | GroupAttributes.Mandatory));
}
using (NtToken token = TokenUtils.GetLogonUserToken(User, Domain, Password, LogonType, groups))
{
if (desired_access == TokenAccessRights.MaximumAllowed)
{
return(token.Duplicate());
}
return(token.Duplicate(desired_access));
}
}
public ProcessTokenEntry(int process_id, string name, string image_path,
string command_line, NtToken process_token, SecurityDescriptor process_security)
{
ProcessId = process_id;
Name = name;
ImagePath = image_path;
CommandLine = command_line;
ProcessToken = process_token.Duplicate();
ProcessSecurity = process_security;
}
private NtToken GetLogonToken(TokenAccessRights desired_access, string user,
string domain, SecureString password, SecurityLogonType logon_type)
{
IEnumerable <UserGroup> groups = null;
if (AdditionalGroup != null && AdditionalGroup.Length > 0)
{
groups = AdditionalGroup.Select(s => new UserGroup(s,
GetAttributes(s)));
}
using (NtToken token = Win32Security.LsaLogonUser(user, domain, password, logon_type, LogonProvider, groups))
{
if (desired_access == TokenAccessRights.MaximumAllowed)
{
return(token.Duplicate());
}
return(token.Duplicate(desired_access));
}
}
public ThreadTokenEntry(NtProcess process, NtToken process_token,
int thread_id, string thread_name, NtToken thread_token,
SecurityDescriptor thread_security)
: base(process, process_token)
{
ThreadName = thread_name;
ThreadId = thread_id;
ThreadToken = thread_token.Duplicate();
ThreadSecurity = thread_security;
}
static Form GetFormFromArgs(string[] args)
{
try
{
int pid = -1;
int handle = -1;
string text = string.Empty;
bool show_help = false;
OptionSet opts = new OptionSet()
{
{ "p|pid=", "Specify a process ID to view the token.",
v => pid = int.Parse(v) },
{ "handle=", "Specify an inherited handle to view.",
v => handle = int.Parse(v) },
{ "text=", "Specify a text string for the token window.",
v => text = v },
{ "h|help", "Show this message and exit",
v => show_help = v != null },
};
opts.Parse(args);
if (show_help || (handle <= 0 && pid <= 0))
{
ShowHelp(opts);
}
else if (handle > 0)
{
using (NtToken token = NtToken.FromHandle(new SafeKernelObjectHandle(new IntPtr(handle), true)))
{
if (token.NtType != NtType.GetTypeByType <NtToken>())
{
throw new ArgumentException("Passed handle is not a token");
}
return(new TokenForm(token.Duplicate(), text));
}
}
else if (pid > 0)
{
using (NtProcess process = NtProcess.Open(pid, ProcessAccessRights.QueryLimitedInformation))
{
return(new TokenForm(process.OpenToken(),
$"{process.Name}:{pid}"));
}
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
return(null);
}
private void btnPermissions_Click(object sender, EventArgs e)
{
try
{
NativeBridge.EditSecurity(Handle, _token.Duplicate(TokenAccessRights.ReadControl), "Token");
}
catch (NtException ex)
{
MessageBox.Show(this, ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
private ListViewItem CreateProcessNode(NtProcess entry, NtToken token)
{
ListViewItem item = new ListViewItem(entry.ProcessId.ToString());
item.SubItems.Add(entry.Name);
item.SubItems.Add(token.User.ToString());
item.SubItems.Add(token.IntegrityLevel.ToString());
item.SubItems.Add(token.Restricted.ToString());
item.SubItems.Add(token.AppContainer.ToString());
item.Tag = token.Duplicate();
return(item);
}
private static NtToken DuplicateToken(NtToken token)
{
if (token.TokenType == TokenType.Primary)
{
return(token.DuplicateToken(TokenType.Impersonation, SecurityImpersonationLevel.Impersonation,
TokenAccessRights.Query | TokenAccessRights.Impersonate | TokenAccessRights.Duplicate));
}
else
{
return(token.Duplicate(TokenAccessRights.Query | TokenAccessRights.Impersonate | TokenAccessRights.Duplicate));
}
}
public static void OpenForm(NtToken token, string text, bool copy)
{
if (token != null)
{
TokenForm form = new TokenForm(copy ? token.Duplicate() : token, text);
_forms.Add(form);
form.FormClosed += form_FormClosed;
form.Show(_main_form);
}
}
private void btnRefreshHandles_Click(object sender, EventArgs e)
{
ClearList(listViewHandles);
int current_pid = Process.GetCurrentProcess().Id;
NtToken.EnableDebugPrivilege();
List <ListViewItem> items = new List <ListViewItem>();
foreach (var group in NtSystemInfo.GetHandles()
.Where(h => h.ProcessId != current_pid && h.ObjectType.Equals("token", StringComparison.OrdinalIgnoreCase))
.GroupBy(h => h.ProcessId))
{
using (var proc = NtProcess.Open(group.Key, ProcessAccessRights.DupHandle | ProcessAccessRights.QueryLimitedInformation, false))
{
if (!proc.IsSuccess)
{
continue;
}
foreach (NtHandle handle in group)
{
using (var token_result = NtToken.DuplicateFrom(proc.Result, new IntPtr(handle.Handle),
TokenAccessRights.Query | TokenAccessRights.QuerySource, DuplicateObjectOptions.None, false))
{
if (!token_result.IsSuccess)
{
continue;
}
NtToken token = token_result.Result;
ListViewItem item = new ListViewItem(handle.ProcessId.ToString());
item.SubItems.Add(proc.Result.Name);
item.SubItems.Add($"0x{handle.Handle:X}");
item.SubItems.Add(token.User.ToString());
item.SubItems.Add(token.IntegrityLevel.ToString());
string restricted = token.Restricted.ToString();
if (token.WriteRestricted)
{
restricted = "Write";
}
item.SubItems.Add(restricted);
item.SubItems.Add(token.AppContainer.ToString());
item.SubItems.Add(token.TokenType.ToString());
item.SubItems.Add(token.ImpersonationLevel.ToString());
item.Tag = token.Duplicate();
items.Add(item);
}
}
}
}
listViewHandles.Items.AddRange(items.ToArray());
ResizeColumns(listViewHandles);
}
private bool ShowTokenPermissions(TokenAccessRights access, bool throw_on_error)
{
using (var result = _token.Duplicate(access, AttributeFlags.None, DuplicateObjectOptions.None, throw_on_error))
{
if (result.IsSuccess)
{
Win32Utils.EditSecurity(Handle,
result.Result,
"Token", false);
return(true);
}
}
return(false);
}
private void btnRefreshHandles_Click(object sender, EventArgs e)
{
ClearList(listViewHandles);
int current_pid = Process.GetCurrentProcess().Id;
NtToken.EnableDebugPrivilege();
List <ListViewItem> items = new List <ListViewItem>();
foreach (var group in NtSystemInfo.GetHandles()
.Where(h => h.ProcessId != current_pid && h.ObjectType.Equals("token", StringComparison.OrdinalIgnoreCase))
.GroupBy(h => h.ProcessId))
{
try
{
using (NtProcess proc = NtProcess.Open(group.Key, ProcessAccessRights.DupHandle | ProcessAccessRights.QueryLimitedInformation))
{
foreach (NtHandle handle in group)
{
try
{
using (NtToken token = NtToken.DuplicateFrom(proc, new IntPtr(handle.Handle),
TokenAccessRights.Query | TokenAccessRights.QuerySource))
{
ListViewItem item = new ListViewItem(handle.ProcessId.ToString());
item.SubItems.Add(proc.Name);
item.SubItems.Add(String.Format("0x{0:X}", handle.Handle));
item.SubItems.Add(token.User.ToString());
item.SubItems.Add(token.IntegrityLevel.ToString());
item.SubItems.Add(token.Restricted.ToString());
item.SubItems.Add(token.AppContainer.ToString());
item.SubItems.Add(token.TokenType.ToString());
item.SubItems.Add(token.ImpersonationLevel.ToString());
item.Tag = token.Duplicate();
items.Add(item);
}
}
catch (NtException)
{
}
}
}
}
catch (NtException)
{
}
}
listViewHandles.Items.AddRange(items.ToArray());
ResizeColumns(listViewHandles);
}
private static NtToken DuplicateForAccessCheck(NtToken token)
{
if (token.IsPseudoToken)
{
// This is a pseudo token, pass along as no need to duplicate.
return(token);
}
if (token.TokenType == TokenType.Primary)
{
return(token.DuplicateToken(TokenType.Impersonation, SecurityImpersonationLevel.Identification, TokenAccessRights.Query));
}
else if (!token.IsAccessGranted(TokenAccessRights.Query))
{
return(token.Duplicate(TokenAccessRights.Query));
}
else
{
// If we've got query access rights already just create a shallow clone.
return(token.ShallowClone());
}
}
private NtToken CreateToken()
{
SandboxTokenType type = GetSelectedTokenType();
NtToken current_token = _token.Duplicate();
if ((type & SandboxTokenType.RestrictedOnly) != 0)
{
using (NtToken tmp_token = current_token)
{
current_token = CreateRestrictedToken(tmp_token);
}
}
if ((type & SandboxTokenType.LowBoxOnly) != 0)
{
using (NtToken tmp_token = current_token)
{
current_token = CreateLowBoxToken(tmp_token);
}
}
return(current_token);
}
public ServiceTokenEntry(RunningService service, NtToken token)
{
Service = service;
ProcessToken = token.Duplicate();
}
public static NtToken GetTokenFromSaferLevel(NtToken token, SaferLevel level, bool make_inert)
{
IntPtr level_handle;
if (!SaferCreateLevel(SaferScope.User, level, SAFER_LEVEL_OPEN, out level_handle, IntPtr.Zero))
{
throw new SafeWin32Exception();
}
try
{
using (NtToken duptoken = token.Duplicate(TokenAccessRights.GenericRead | TokenAccessRights.GenericExecute))
{
SafeKernelObjectHandle handle;
if (SaferComputeTokenFromLevel(level_handle, duptoken.Handle, out handle, make_inert ? SaferFlags.MakeInert : 0, IntPtr.Zero))
{
return NtToken.FromHandle(handle);
}
else
{
throw new SafeWin32Exception();
}
}
}
finally
{
SaferCloseLevel(level_handle);
}
}
public static void OpenForm(NtToken token, bool copy)
{
if (token != null)
{
TokenForm form = new TokenForm(copy ? token.Duplicate() : token);
_forms.Add(form);
form.FormClosed += form_FormClosed;
form.Show(_main_form);
}
}
