internal ProcessTokenInformation(NtToken token, NtProcess process) : base(token, process) { ProcessId = process.ProcessId; ProcessName = process.Name; ProcessImagePath = process.GetImageFilePath(false, false).GetResultOrDefault(string.Empty); ProcessCommandLine = process.CommandLine; NativeImagePath = process.GetImageFilePath(true, false).GetResultOrDefault(string.Empty); }
static void DumpProcessEntry(NtProcess entry, HashSet<string> mitigation_filter, bool all_mitigations, bool print_command_line) { try { NtProcessMitigations mitigations = entry.Mitigations; Console.WriteLine("Process Mitigations: {0,8} - {1}", entry.ProcessId, entry.GetImageFilePath(false)); if (print_command_line) { Console.WriteLine("Command Line: {0}", GetCommandLine(entry)); } IEnumerable<PropertyInfo> props = _props.Values.Where(p => mitigation_filter.Count == 0 || mitigation_filter.Contains(p.Name)); foreach (PropertyInfo prop in props.OrderBy(p => p.Name)) { object value = prop.GetValue(mitigations); if (!all_mitigations && (value is bool)) { if (!(bool)value) { continue; } } FormatEntry(prop.Name, prop.GetValue(mitigations)); } Console.WriteLine(); } catch (NtException) { // Can end up here if the process is exiting. } }
public ProcessEntry(NtProcess handle, NtThread[] threads) { Handle = handle; if (handle.IsAccessGranted(ProcessAccessRights.QueryInformation) || handle.IsAccessGranted(ProcessAccessRights.QueryLimitedInformation)) { Pid = handle.ProcessId; } if (threads == null) { threads = handle.GetThreads(ThreadAccessRights.MaximumAllowed).ToArray(); } Threads = threads.Select(h => new ThreadEntry(h)).ToArray(); Array.Sort(Threads, (a, b) => a.Tid - b.Tid); ImagePath = String.Empty; if (Pid == 0) { Name = "Idle"; } else if (Pid == 4) { Name = "System"; } else { if (Handle.IsAccessGranted(ProcessAccessRights.QueryLimitedInformation)) { try { ImagePath = Handle.GetImageFilePath(false); Name = Path.GetFileNameWithoutExtension(ImagePath); } catch (NtException) { } } } CommandLine = String.Empty; if (Handle.IsAccessGranted(ProcessAccessRights.QueryInformation)) { try { Token = Handle.OpenToken(); } catch (NtException) { } try { CommandLine = Handle.CommandLine; } catch (NtException) { } } }
internal TokenInformation(NtToken token, NtProcess process) { SourceData = new Dictionary <string, object>(); TokenId = token.Id; AuthenticationId = token.AuthenticationId; Origin = token.Origin; Flags = token.Flags; User = token.User.Sid; IntegrityLevel = token.IntegrityLevel; TokenType = token.TokenType; ImpersonationLevel = token.ImpersonationLevel; AppContainer = token.AppContainer; AppContainerSid = token.AppContainerSid; Elevated = token.Elevated; ElevationType = token.ElevationType; Restricted = token.Restricted; WriteRestricted = token.WriteRestricted; LowPrivilegeAppContainer = token.LowPrivilegeAppContainer; SessionId = token.SessionId; Groups = token.Groups.ToList().AsReadOnly(); RestrictedSids = token.RestrictedSids.ToList().AsReadOnly(); Capabilities = token.Capabilities.ToList().AsReadOnly(); Sandbox = token.IsSandbox; NoChildProcess = token.NoChildProcess; UIAccess = token.UIAccess; MandatoryPolicy = token.MandatoryPolicy; if (process != null) { SourceData["ProcessId"] = process.ProcessId; SourceData["Name"] = process.Name; SourceData["ImagePath"] = process.GetImageFilePath(false, false).GetResultOrDefault(string.Empty); SourceData["CommandLine"] = process.CommandLine; } }
internal TokenInformation(NtToken token, NtProcess process) : this(token) { SourceData["ProcessId"] = process.ProcessId; SourceData["Name"] = process.Name; SourceData["ImagePath"] = process.GetImageFilePath(false); SourceData["CommandLine"] = process.CommandLine; }
internal TokenInformation(NtToken token, NtProcess process) { SourceData = new Dictionary <string, object>(); TokenId = token.Id; UserName = token.User.Sid; IntegrityLevel = token.IntegrityLevel; TokenType = token.TokenType; ImpersonationLevel = token.ImpersonationLevel; AppContainer = token.AppContainer; AppContainerSid = token.AppContainerSid; Elevated = token.Elevated; Restricted = token.Restricted; LowPrivilegeAppContainer = token.LowPrivilegeAppContainer; SessionId = token.SessionId; if (process != null) { SourceData["ProcessId"] = process.ProcessId; SourceData["Name"] = process.Name; SourceData["ImagePath"] = process.GetImageFilePath(false); SourceData["CommandLine"] = process.CommandLine; } }
private static string GetProcessFileName(NtProcess process) { return(process.GetImageFilePath(false)); }
static void DumpProcessEntry(NtProcess entry, HashSet <string> mitigation_filter, bool all_mitigations, bool print_command_line) { try { NtProcessMitigations mitigations = entry.Mitigations; Console.WriteLine("Process Mitigations: {0,8} - {1}", entry.ProcessId, entry.GetImageFilePath(false)); if (print_command_line) { Console.WriteLine("Command Line: {0}", GetCommandLine(entry)); } IEnumerable <PropertyInfo> props = _props.Values.Where(p => mitigation_filter.Count == 0 || mitigation_filter.Contains(p.Name)); foreach (PropertyInfo prop in props.OrderBy(p => p.Name)) { object value = prop.GetValue(mitigations); if (!all_mitigations && (value is bool)) { if (!(bool)value) { continue; } } FormatEntry(prop.Name, prop.GetValue(mitigations)); } Console.WriteLine(); } catch (NtException) { // Can end up here if the process is exiting. } }