static CheckResult CheckDevice(string name, bool writable, EaBuffer ea_buffer)
{
CheckResult result = new CheckResult(name, NtStatus.STATUS_INVALID_PARAMETER, FileDeviceType.UNKNOWN);
try
{
using (var imp = NtToken.Impersonate(_pid,
_identify_only ? SecurityImpersonationLevel.Identification : SecurityImpersonationLevel.Impersonation))
{
FileAccessRights access_mask = FileAccessRights.GenericRead;
if (writable)
{
access_mask |= FileAccessRights.GenericWrite;
}
FileOpenOptions opts = _open_as_dir ? FileOpenOptions.DirectoryFile : FileOpenOptions.NonDirectoryFile;
using (NtFile file = NtFile.Create(name, null, access_mask, NtApiDotNet.FileAttributes.Normal,
FileShareMode.All, opts, FileDisposition.Open, ea_buffer))
{
result = new CheckResult(name, NtStatus.STATUS_SUCCESS, file.DeviceType);
}
}
}
catch (NtException ex)
{
result = new CheckResult(name, ex.Status, FileDeviceType.UNKNOWN);
}
return(result);
}
private void btnCreateProcess_Click(object sender, EventArgs e)
{
try
{
if (checkBoxUseWmi.Checked)
{
_token.SetDefaultDacl(new Acl(IntPtr.Zero, false));
using (var imp = _token.Impersonate())
{
using (var managementClass = new ManagementClass(@"\\.\root\cimv2",
"Win32_Process",
new ObjectGetOptions()))
{
var inputParams = managementClass.GetMethodParameters("Create");
inputParams["CommandLine"] = txtCommandLine.Text;
var outParams = managementClass.InvokeMethod("Create",
inputParams,
new InvokeMethodOptions());
System.Diagnostics.Trace.WriteLine(outParams["ReturnValue"].ToString());
}
}
}
else
{
using (var token = TokenUtils.CreateProcessForToken(txtCommandLine.Text, _token, checkBoxMakeInteractive.Checked))
{
}
}
}
catch (Exception ex)
{
MessageBox.Show(this, ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
static bool CheckDevice(string name, bool writable)
{
bool success = false;
try
{
using (var imp = NtToken.Impersonate(_pid,
_identify_only ? SecurityImpersonationLevel.Identification : SecurityImpersonationLevel.Impersonation))
{
FileAccessRights access_mask = FileAccessRights.GenericRead;
if (writable)
{
access_mask |= FileAccessRights.GenericWrite;
}
FileOpenOptions opts = _open_as_dir ? FileOpenOptions.DirectoryFile : FileOpenOptions.NonDirectoryFile;
using (NtFile file = NtFile.Open(name, null, access_mask, FileShareMode.All, opts))
{
success = true;
}
}
}
catch (Win32Exception ex)
{
// Ignore access denied and invalid function (indicates there's no IRP_MJ_CREATE handler)
PrintError(name, ex);
}
catch (NtException ex)
{
PrintError(name, ex.AsWin32Exception());
}
return(success);
}
static void ConnectTest(int pid, IPEndPoint ep)
{
using (var imp = NtToken.Impersonate(pid, SecurityImpersonationLevel.Impersonation))
{
TcpClient client = new TcpClient();
client.Connect(ep);
client.Close();
Console.WriteLine("** Opened Connection **");
}
}
static void ListenTest(int pid, IPEndPoint ep)
{
using (var imp = NtToken.Impersonate(pid, SecurityImpersonationLevel.Impersonation))
{
TcpListener listener = new TcpListener(ep);
listener.Start();
Console.WriteLine("Make a connection to {0}", ep);
listener.AcceptTcpClient();
Console.WriteLine("** Accepted Connection **");
}
}
private void btnCreate_Click(object sender, EventArgs e)
{
try
{
using (NtToken token = _token.DuplicateToken(TokenType.Impersonation,
SecurityImpersonationLevel.Impersonation, TokenAccessRights.MaximumAllowed))
{
using (var imp = token.Impersonate())
{
File.WriteAllText(txtFilePath.Text, txtFileContents.Text);
}
MessageBox.Show(this, "Success", "Success", MessageBoxButtons.OK, MessageBoxIcon.Information);
}
}
catch (Exception ex)
{
MessageBox.Show(this, ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
private void btnImpersonate_Click(object sender, EventArgs e)
{
SecurityImpersonationLevel implevel = SecurityImpersonationLevel.Impersonation;
try
{
if (_token.TokenType == TokenType.Impersonation)
{
implevel = _token.ImpersonationLevel;
}
using (NtToken token = _token.DuplicateToken(TokenType.Impersonation, implevel, TokenAccessRights.MaximumAllowed))
{
TokenIntegrityLevel il = GetILFromComboBox(comboBoxILForDup);
if (il != token.IntegrityLevel)
{
token.SetIntegrityLevel(il);
}
NtToken imptoken = null;
using (var imp = token.Impersonate())
{
imptoken = NtThread.Current.OpenToken();
}
if (imptoken != null)
{
OpenForm(imptoken, "Impersonation", false);
}
else
{
MessageBox.Show(this, "Couldn't open thread token", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
}
catch (Exception ex)
{
MessageBox.Show(this, ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
private void GetInterfacesInternal(NtToken token)
{
IntPtr punk = IntPtr.Zero;
IntPtr pfactory = IntPtr.Zero;
Guid IID_IUnknown = COMInterfaceEntry.IID_IUnknown;
CLSCTX clsctx = _clsctx;
if (token != null)
{
clsctx |= CLSCTX.ENABLE_CLOAKING;
}
using (var imp = token?.Impersonate())
{
int hr = 0;
if (_winrt_component)
{
hr = COMUtilities.RoGetActivationFactory(_activatable_classid, ref IID_IUnknown, out pfactory);
}
else
{
hr = COMUtilities.CoGetClassObject(ref _clsid, clsctx, null, ref IID_IUnknown, out pfactory);
}
// If we can't get class object, no chance we'll get object.
if (hr != 0)
{
throw new Win32Exception(hr);
}
if (_winrt_component)
{
hr = COMUtilities.RoActivateInstance(_activatable_classid, out punk);
}
else
{
hr = COMUtilities.CoCreateInstance(ref _clsid, IntPtr.Zero, clsctx,
ref IID_IUnknown, out punk);
}
if (hr != 0)
{
punk = IntPtr.Zero;
}
try
{
Dictionary <IntPtr, string> module_names = new Dictionary <IntPtr, string>();
QueryInterface(punk, COMInterfaceEntry.IID_IMarshal, module_names, _interfaces);
QueryInterface(pfactory, COMInterfaceEntry.IID_IMarshal, module_names, _factory_interfaces);
QueryInterface(punk, COMInterfaceEntry.IID_IPSFactoryBuffer, module_names, _interfaces);
QueryInterface(pfactory, COMInterfaceEntry.IID_IPSFactoryBuffer, module_names, _factory_interfaces);
var actctx = ActivationContext.FromProcess();
if (actctx != null)
{
foreach (var intf in actctx.ComInterfaces)
{
QueryInterface(punk, intf.Iid, module_names, _interfaces);
QueryInterface(pfactory, intf.Iid, module_names, _factory_interfaces);
}
}
using (RegistryKey interface_key = Registry.ClassesRoot.OpenSubKey("Interface"))
{
foreach (string iid_string in interface_key.GetSubKeyNames())
{
if (Guid.TryParse(iid_string, out Guid iid))
{
QueryInterface(punk, iid, module_names, _interfaces);
QueryInterface(pfactory, iid, module_names, _factory_interfaces);
}
}
}
QueryInspectableInterfaces(punk, module_names, _interfaces);
QueryInspectableInterfaces(pfactory, module_names, _factory_interfaces);
}
finally
{
if (pfactory != IntPtr.Zero)
{
Marshal.Release(pfactory);
}
if (punk != IntPtr.Zero)
{
Marshal.Release(punk);
}
}
}
}
static void Main(string[] args)
{
bool show_help = false;
_pid = Process.GetCurrentProcess().Id;
try
{
OptionSet opts = new OptionSet()
{
{ "p|pid=", "Specify a PID of a process to impersonate when checking", v => _pid = int.Parse(v.Trim()) },
{ "n", "Specifes the list of arguments represents names instead of pids", v => _named_process = v != null },
{ "i", "Use an indentify level token when impersonating", v => _identify_only = v != null },
{ "t", "Dump accessible threads for process", v => _dump_threads = v != null },
{ "k", "Dump tokens for accessible objects", v => _dump_token = v != null },
{ "a", "Start with all accessible threads instead of processes", v => _dump_threads = _all_threads = v != null },
{ "sddl", "Dump SDDL strings for objects", v => _print_sddl = v != null },
{ "h|help", "show this message and exit",
v => show_help = v != null },
};
List <string> pids = opts.Parse(args).Select(s => s.ToLower()).ToList();
if (show_help)
{
ShowHelp(opts);
}
else
{
IEnumerable <ProcessEntry> processes = new ProcessEntry[0];
if (_all_threads)
{
NtThread[] all_threads = null;
using (var imp = NtToken.Impersonate(_pid,
_identify_only ? SecurityImpersonationLevel.Identification : SecurityImpersonationLevel.Impersonation))
{
if (pids.Count > 0)
{
List <NtThread> ths = new List <NtThread>();
foreach (string pid_name in pids)
{
try
{
ths.Add(NtThread.Open(int.Parse(pid_name), ThreadAccessRights.MaximumAllowed));
}
catch (NtException ex)
{
Console.WriteLine("Error opening tid {0} - {1}", pid_name, ex.Message);
}
}
all_threads = ths.ToArray();
}
else
{
all_threads = NtThread.GetThreads(ThreadAccessRights.MaximumAllowed).ToArray();
}
List <ProcessEntry> procs = new List <ProcessEntry>();
foreach (var group in all_threads.GroupBy(t => t.ProcessId))
{
ProcessEntry entry = null;
NtThread[] threads = group.ToArray();
try
{
entry = new ProcessEntry(NtProcess.Open(group.Key, ProcessAccessRights.MaximumAllowed), threads);
}
catch (NtException)
{
entry = new ProcessEntry(group.Key, threads);
}
procs.Add(entry);
}
processes = procs;
}
}
else
{
if (pids.Count > 0 && !_named_process)
{
List <ProcessEntry> procs = new List <ProcessEntry>();
using (var imp = NtToken.Impersonate(_pid,
_identify_only ? SecurityImpersonationLevel.Identification : SecurityImpersonationLevel.Impersonation))
{
foreach (string pid_name in pids)
{
try
{
procs.Add(new ProcessEntry(NtProcess.Open(int.Parse(pid_name), ProcessAccessRights.MaximumAllowed)));
}
catch (NtException ex)
{
Console.WriteLine("Error opening pid {0} - {1}", pid_name, ex.Message);
}
}
}
processes = procs;
}
else
{
try
{
using (var imp = NtToken.Impersonate(_pid,
_identify_only ? SecurityImpersonationLevel.Identification : SecurityImpersonationLevel.Impersonation))
{
processes = NtProcess.GetProcesses(ProcessAccessRights.MaximumAllowed).Select(h => new ProcessEntry(h));
}
if (_named_process && pids.Count > 0)
{
processes = processes.Where(p => pids.Contains(p.Name.ToLower()));
}
}
catch (NtException ex)
{
Console.WriteLine(ex);
}
}
}
List <ProcessEntry> ps = processes.ToList();
ps.Sort((a, b) => a.Pid - b.Pid);
processes = ps;
foreach (ProcessEntry process in processes)
{
Console.WriteLine("{0}: {1} {2}", process.Pid, process.Name, process.GetGrantedAccessString());
if (_print_sddl && process.Handle.IsAccessGranted(ProcessAccessRights.ReadControl))
{
Console.WriteLine("SDDL: {0}", process.Handle.GetSddl());
}
if (_dump_token && process.Token != null)
{
Console.WriteLine("User: {0}", process.Token.User);
if (_print_sddl && process.Token.IsAccessGranted(TokenAccessRights.ReadControl))
{
Console.WriteLine("Token SDDL: {0}", process.Token.GetSddl());
}
}
if (_dump_threads)
{
foreach (ThreadEntry thread in process.Threads)
{
Console.WriteLine("-- Thread {0}: {1}", thread.Tid, thread.Handle.GetGrantedAccessString());
if (_print_sddl && thread.Handle.IsAccessGranted(ThreadAccessRights.ReadControl))
{
Console.WriteLine("---- SDDL: {0}", thread.Handle.GetSddl());
}
if (_dump_token && thread.Token != null)
{
Console.WriteLine("---- Impersonating {0}", thread.Token.User);
if (_print_sddl && thread.Token.IsAccessGranted(TokenAccessRights.ReadControl))
{
Console.WriteLine("---- Token SDDL: {0}", thread.Token.GetSddl());
}
}
}
}
}
}
}
catch (Exception ex)
{
Console.WriteLine(ex);
}
}
