/// <summary>
/// Writes the "[Basic Limits]" section for a job: the raw limit flags followed by
/// each limit value whose enabling flag is present.
/// </summary>
/// <param name="job">The job whose basic limits are written.</param>
private void FormatJobBasicLimits(NtJob job)
{
    // A limit value is only meaningful when its flag is set, so each one is gated.
    bool Enabled(JobObjectLimitFlags flag) => job.LimitFlags.HasFlag(flag);

    WriteObject("[Basic Limits]");
    WriteObject($"Limit Flags : {job.LimitFlags}");

    if (Enabled(JobObjectLimitFlags.ActiveProcess))
    {
        WriteObject($"Active Process Limit: {job.ActiveProcess}");
    }

    if (Enabled(JobObjectLimitFlags.ProcessMemory))
    {
        WriteObject($"Process Memory Limit: {job.ProcessMemory}");
    }

    if (Enabled(JobObjectLimitFlags.ProcessTime))
    {
        WriteObject($"Process Time Limit : {FormatTime(job.ProcessTime)}");
    }

    if (Enabled(JobObjectLimitFlags.JobMemory))
    {
        WriteObject($"Job Memory Limit : {job.JobMemory}");
    }

    if (Enabled(JobObjectLimitFlags.JobTime))
    {
        WriteObject($"Job Time Limit : {FormatTime(job.JobTime)}");
    }

    // Blank separator line after the section.
    WriteObject(string.Empty);
}
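/// <summary>
/// Starts <paramref name="appPath"/> using the interactive session user's token,
/// assigns the new process to <paramref name="job"/> while it is still suspended,
/// and only then resumes its initial thread.
/// </summary>
/// <param name="appPath">Path of the executable to start; passed as the application name.</param>
/// <param name="job">Job object the new process is placed in before it is allowed to run.</param>
/// <returns>Always true; every failure is reported by throwing.</returns>
/// <exception cref="InvalidOperationException">
/// The session token could not be obtained, the environment block could not be
/// created, or CreateProcessAsUser failed (the message carries the Win32 error code).
/// </exception>
public static bool StartProcessAsCurrentUser(string appPath, NtJob job)
{
    var hUserToken = IntPtr.Zero;
    var pEnv = IntPtr.Zero;
    var startInfo = new STARTUPINFO();
    var procInfo = new PROCESS_INFORMATION();
    startInfo.cb = Marshal.SizeOf(typeof(STARTUPINFO));

    try
    {
        if (!GetSessionUserToken(out hUserToken))
        {
            throw new InvalidOperationException("StartProcessAsCurrentUser: GetSessionUserToken failed.");
        }

        // CREATE_SUSPENDED parks the initial thread until the process has been
        // assigned to the job below, so it never executes outside the job's limits.
        uint dwCreationFlags = CREATE_UNICODE_ENVIRONMENT | CREATE_SUSPENDED | CREATE_NEW_CONSOLE;
        startInfo.wShowWindow = (short)(SW.SW_SHOW);
        // NOTE(review): CreateProcess only honors wShowWindow when STARTF_USESHOWWINDOW
        // is set in dwFlags, which this code does not set — confirm whether that is intended.
        startInfo.lpDesktop = @"winsta0\default";

        if (!CreateEnvironmentBlock(ref pEnv, hUserToken, false))
        {
            throw new InvalidOperationException("StartProcessAsCurrentUser: CreateEnvironmentBlock failed.");
        }

        if (!CreateProcessAsUser(hUserToken,
                                 appPath, // Application Name
                                 null,
                                 IntPtr.Zero,
                                 IntPtr.Zero,
                                 false,
                                 dwCreationFlags,
                                 pEnv,
                                 null,
                                 ref startInfo,
                                 out procInfo))
        {
            // Read the error code before any other call can overwrite it.
            int error = Marshal.GetLastWin32Error();
            throw new InvalidOperationException(
                "StartProcessAsCurrentUser: CreateProcessAsUser failed. Error Code -" + error);
        }

        // Assign first, resume second: the order is what keeps the process inside the job.
        // NOTE(review): if FromHandle takes ownership of the raw handle, the CloseHandle
        // calls in the finally block double-close it — confirm the overload's semantics.
        job.AssignProcess(NtProcess.FromHandle(procInfo.hProcess));
        NtThread.FromHandle(procInfo.hThread).Resume();
    }
    finally
    {
        // Only close handles that were actually obtained; a failed call leaves them zero.
        if (hUserToken != IntPtr.Zero)
        {
            CloseHandle(hUserToken);
        }

        if (pEnv != IntPtr.Zero)
        {
            DestroyEnvironmentBlock(pEnv);
        }

        if (procInfo.hThread != IntPtr.Zero)
        {
            CloseHandle(procInfo.hThread);
        }

        if (procInfo.hProcess != IntPtr.Zero)
        {
            CloseHandle(procInfo.hProcess);
        }
    }

    return true;
}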
/// <summary>
/// Writes the silo-related sections for a job: "[Silo]", then — only for a server
/// silo — "[Server Silo]" and "[Silo Shared User Data]". Each section is skipped
/// (and the remaining ones with it) when its query does not succeed.
/// </summary>
/// <param name="job">The job to describe.</param>
private void FormatSilo(NtJob job)
{
    var silo = job.QuerySiloBasicInformation(false);
    if (!silo.IsSuccess)
    {
        return;
    }

    var siloInfo = silo.Result;
    WriteObject("[Silo]");
    WriteObject($"Silo ID : {siloInfo.SiloId}");
    WriteObject($"Silo Parent ID: {siloInfo.SiloParentId}");
    WriteObject($"Process Count : {siloInfo.NumberOfProcesses}");

    // The root directory line is omitted when the query yields nothing.
    string rootDirectory = job.QuerySiloRootDirectory(false).GetResultOrDefault(string.Empty);
    if (rootDirectory.Length > 0)
    {
        WriteObject($"Root Directory: {rootDirectory}");
    }

    WriteObject($"Container ID : {job.ContainerId}");
    if (job.ContainerTelemetryId != Guid.Empty)
    {
        WriteObject($"Telemetry ID : {job.ContainerTelemetryId}");
    }

    string impersonation = job.ThreadImpersonation ? "Enabled" : "Disabled";
    WriteObject($"Impersonation : {impersonation}");
    WriteObject(string.Empty);

    // Everything below applies to server silos only.
    if (!siloInfo.IsInServerSilo)
    {
        return;
    }

    var server = job.QueryServerSiloBasicInformation(false);
    if (!server.IsSuccess)
    {
        return;
    }

    var serverInfo = server.Result;
    WriteObject("[Server Silo]");
    WriteObject($"Session ID : {serverInfo.ServiceSessionId}");
    WriteObject($"Exit Status : {serverInfo.ExitStatus}");
    WriteObject($"State : {serverInfo.State}");
    WriteObject($"Downlevel : {serverInfo.IsDownlevelContainer}");
    WriteObject(string.Empty);

    var shared = job.QuerySiloUserSharedData(false);
    if (!shared.IsSuccess)
    {
        return;
    }

    var sharedData = shared.Result;
    WriteObject("[Silo Shared User Data]");
    WriteObject($"Console ID : {sharedData.ActiveConsoleId}");
    WriteObject($"Foreground PID: {sharedData.ConsoleSessionForegroundProcessId}");
    WriteObject($"Service SID : {sharedData.ServiceSessionId}");
    WriteObject($"User SID : {sharedData.SharedUserSessionId}");
    WriteObject($"System Root : {sharedData.NtSystemRoot}");
    WriteObject($"NT Product : {sharedData.NtProductType}");
    WriteObject($"Multisession : {sharedData.IsMultiSessionSku}");
    WriteObject(string.Empty);
}
/// <summary>
/// Writes the "[Basic Information]" section: the job's handle and, when it has
/// one, its full object-manager path.
/// </summary>
/// <param name="job">The job to describe.</param>
private void FormatBasicInfo(NtJob job)
{
    WriteObject("[Basic Information]");
    WriteObject($"Handle: {job.Handle}");

    // Unnamed jobs have an empty path; the line is left out for them.
    string path = job.FullPath;
    if (path.Length > 0)
    {
        WriteObject($"Path: {path}");
    }

    WriteObject(string.Empty);
}
/// <summary>
/// Connects to the session manager and sends it a message built from
/// <paramref name="code"/> and the job's raw handle, then echoes the message
/// fields to the console.
/// </summary>
/// <param name="job">Job whose handle value is placed in the message.</param>
/// <param name="code">Message code carried in the <see cref="SmData"/> payload.</param>
/// <exception cref="NtException">Raised via ToNtException when either RTL call fails.</exception>
private static void NotifySM(NtJob job, ushort code)
{
    // The job handle is handed over as a raw value; the message struct takes no ownership.
    var message = new SmData(code, job.Handle.DangerousGetHandle());

    RtlConnectToSm(IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, out var smHandle).ToNtException();
    // NOTE(review): smHandle is never closed here — confirm whether the connection
    // handle is expected to leak for the lifetime of the process.
    RtlSendMsgToSm(smHandle, ref message).ToNtException();

    // Debug echo of the (possibly updated) message fields, in declaration order.
    Console.WriteLine(message.u1);
    Console.WriteLine(message.u2);
    Console.WriteLine(message.msg);
    Console.WriteLine(message.cb);
}
/// <summary>
/// Writes the "[Process List]" section, one entry per process ID in the job.
/// The whole section is skipped when the PID list cannot be queried.
/// </summary>
/// <param name="job">The job whose member processes are listed.</param>
private void FormatProcessList(NtJob job)
{
    var pidQuery = job.GetProcessIdList(false);
    if (!pidQuery.IsSuccess)
    {
        return;
    }

    WriteObject("[Process List]");
    foreach (var processId in pidQuery.Result)
    {
        FormatProcess(processId);
    }

    WriteObject(string.Empty);
}
/// <summary>
/// Writes the silo-related sections for a job: "[Silo]", then — only for a server
/// silo — "[Server Silo]" and "[Silo Shared User Data]". Each section is skipped
/// (and the remaining ones with it) when its query does not succeed.
/// </summary>
/// <param name="job">The job to describe.</param>
private void FormatSilo(NtJob job)
{
    var silo = job.QuerySiloBasicInformation(false);
    if (!silo.IsSuccess)
    {
        return;
    }

    var siloInfo = silo.Result;
    WriteObject("[Silo]");
    WriteObject($"Silo ID : {siloInfo.SiloId}");
    WriteObject($"Silo Parent ID: {siloInfo.SiloParentId}");
    WriteObject($"Process Count : {siloInfo.NumberOfProcesses}");
    WriteObject(string.Empty);

    // Everything below applies to server silos only.
    if (!siloInfo.IsInServerSilo)
    {
        return;
    }

    var server = job.QueryServerSiloBasicInformation(false);
    if (!server.IsSuccess)
    {
        return;
    }

    var serverInfo = server.Result;
    WriteObject("[Server Silo]");
    WriteObject($"Session ID : {serverInfo.ServiceSessionId}");
    WriteObject($"Exit Status : {serverInfo.ExitStatus}");
    WriteObject($"State : {serverInfo.State}");
    WriteObject($"Downlevel : {serverInfo.IsDownlevelContainer}");
    WriteObject(string.Empty);

    var shared = job.QuerySiloUserSharedData(false);
    if (!shared.IsSuccess)
    {
        return;
    }

    var sharedData = shared.Result;
    WriteObject("[Silo Shared User Data]");
    WriteObject($"Console ID : {sharedData.ActiveConsoleId}");
    WriteObject($"Foreground PID: {sharedData.ConsoleSessionForegroundProcessId}");
    WriteObject($"Service SID : {sharedData.ServiceSessionId}");
    WriteObject($"User SID : {sharedData.SharedUserSessionId}");
    WriteObject($"System Root : {sharedData.NtSystemRoot}");
    WriteObject($"NT Product : {sharedData.NtProductType}");
    WriteObject($"Multisession : {sharedData.IsMultiSessionSku}");
    WriteObject(string.Empty);
}
/// <summary>
/// Writes the sections selected by <c>Filter</c> for a job, in the fixed order
/// basic information, basic limits, process list, UI limits.
/// </summary>
/// <param name="job">The job to describe.</param>
private void FormatJob(NtJob job)
{
    // Order matters for the output; the table preserves the original section order.
    var sections = new (JobFormatFilter Flag, Action<NtJob> Write)[]
    {
        (JobFormatFilter.BasicInfo, FormatBasicInfo),
        (JobFormatFilter.BasicLimits, FormatJobBasicLimits),
        (JobFormatFilter.ProcessList, FormatProcessList),
        (JobFormatFilter.UILimits, FormatUILimits),
    };

    foreach (var (flag, write) in sections)
    {
        if (Filter.HasFlag(flag))
        {
            write(job);
        }
    }
}
/// <summary>
/// Creates a new job object from the given object attributes, applies the
/// cmdlet's optional limit settings, and hands back an independent duplicate.
/// </summary>
/// <param name="obj_attributes">The object attributes to create/open from.</param>
/// <returns>A duplicate of the newly created job; the original handle is disposed here.</returns>
protected override object CreateObject(ObjectAttributes obj_attributes)
{
    using (var job = NtJob.Create(obj_attributes, Access))
    {
        // Each setting is only written when the caller actually supplied one,
        // so the kernel defaults stay in place otherwise.
        bool hasLimitFlags = LimitFlags != 0;
        bool hasProcessLimit = ActiveProcessLimit > 0;
        bool hasUiFlags = UiRestrictionFlags != 0;

        if (hasLimitFlags)
        {
            job.LimitFlags = LimitFlags;
        }

        if (hasProcessLimit)
        {
            job.ActiveProcessLimit = ActiveProcessLimit;
        }

        if (hasUiFlags)
        {
            job.UiRestrictionFlags = UiRestrictionFlags;
        }

        // The duplicate outlives the using block; the original is closed on exit.
        return job.Duplicate();
    }
}
/// <summary>
/// Demo entry point: enables the required privileges, creates a server silo rooted
/// at C:\Windows, prepares its root directory, and runs cmd.exe inside the silo
/// until it exits, printing the exit status.
/// </summary>
static void Main()
{
    SetTokenPriv.EnablePrivilege();
    // An earlier variant enabled the privileges through ApplicationPrivilege
    // (SeAssignPrimaryToken, SeTakeOwnership, SeLoadDriver, SeSecurity, SeTcb,
    // SeBackup, SeRestore) and optionally waited for a debugger before continuing.

    // The event is handed to the silo so it can be signalled on silo events.
    using var siloEvent = NtEvent.Create(null, EventType.NotificationEvent, false);
    using var silo = NtJob.CreateServerSilo(SiloObjectRootDirectoryControlFlags.All, @"C:\Windows", siloEvent, false);

    using (var rootDirectory = NtDirectory.Open(silo.SiloRootDirectory))
    {
        Console.WriteLine(rootDirectory);
        SetupRootDirectory(rootDirectory);
    }

    // The child is created suspended and attached to the silo through the job-list
    // attribute, so it is inside the silo before its first instruction runs.
    var createConfig = new NtProcessCreateConfig
    {
        ImagePath = @"\SystemRoot\System32\cmd.exe",
        ConfigImagePath = @"C:\Windows\System32\cmd.exe",
        CurrentDirectory = @"C:\Windows\System32",
        WindowTitle = "Demo",
        ParentProcess = NtProcess.Current,
        TerminateOnDispose = true,
        ThreadFlags = ThreadCreateFlags.Suspended,
    };
    createConfig.AddAttribute(ProcessAttribute.JobList(new NtJob[] { silo }));

    using var child = NtProcess.Create(createConfig);
    child.Thread.Resume();
    child.Process.Wait().ToNtException();
    Console.WriteLine($"status: {child.Process.ExitNtStatus}");
}
/// <summary>
/// Opens an existing job object described by the given object attributes with
/// the cmdlet's requested access.
/// </summary>
/// <param name="obj_attributes">The object attributes to create/open from.</param>
/// <returns>The opened job object.</returns>
protected override object CreateObject(ObjectAttributes obj_attributes)
    => NtJob.Open(obj_attributes, Access);
/// <summary>
/// Writes the "[UI Limits]" section: the job's UI restriction flags.
/// </summary>
/// <param name="job">The job to describe.</param>
private void FormatUILimits(NtJob job)
{
    var restrictions = job.UiRestrictionFlags;
    WriteObject("[UI Limits]");
    WriteObject($"Limit Flags: {restrictions}");
    WriteObject(string.Empty);
}