internal ProcessTokenInformation(NtToken token, NtProcess process)
: base(token, process)
{
ProcessId = process.ProcessId;
ProcessName = process.Name;
ProcessImagePath = process.GetImageFilePath(false, false).GetResultOrDefault(string.Empty);
ProcessCommandLine = process.CommandLine;
NativeImagePath = process.GetImageFilePath(true, false).GetResultOrDefault(string.Empty);
}
static void DumpProcessEntry(NtProcess entry, HashSet<string> mitigation_filter, bool all_mitigations, bool print_command_line)
{
try
{
NtProcessMitigations mitigations = entry.Mitigations;
Console.WriteLine("Process Mitigations: {0,8} - {1}", entry.ProcessId, entry.GetImageFilePath(false));
if (print_command_line)
{
Console.WriteLine("Command Line: {0}", GetCommandLine(entry));
}
IEnumerable<PropertyInfo> props = _props.Values.Where(p => mitigation_filter.Count == 0 || mitigation_filter.Contains(p.Name));
foreach (PropertyInfo prop in props.OrderBy(p => p.Name))
{
object value = prop.GetValue(mitigations);
if (!all_mitigations && (value is bool))
{
if (!(bool)value)
{
continue;
}
}
FormatEntry(prop.Name, prop.GetValue(mitigations));
}
Console.WriteLine();
}
catch (NtException)
{
// Can end up here if the process is exiting.
}
}
public ProcessEntry(NtProcess handle, NtThread[] threads)
{
Handle = handle;
if (handle.IsAccessGranted(ProcessAccessRights.QueryInformation) || handle.IsAccessGranted(ProcessAccessRights.QueryLimitedInformation))
{
Pid = handle.ProcessId;
}
if (threads == null)
{
threads = handle.GetThreads(ThreadAccessRights.MaximumAllowed).ToArray();
}
Threads = threads.Select(h => new ThreadEntry(h)).ToArray();
Array.Sort(Threads, (a, b) => a.Tid - b.Tid);
ImagePath = String.Empty;
if (Pid == 0)
{
Name = "Idle";
}
else if (Pid == 4)
{
Name = "System";
}
else
{
if (Handle.IsAccessGranted(ProcessAccessRights.QueryLimitedInformation))
{
try
{
ImagePath = Handle.GetImageFilePath(false);
Name = Path.GetFileNameWithoutExtension(ImagePath);
}
catch (NtException)
{
}
}
}
CommandLine = String.Empty;
if (Handle.IsAccessGranted(ProcessAccessRights.QueryInformation))
{
try
{
Token = Handle.OpenToken();
}
catch (NtException)
{
}
try
{
CommandLine = Handle.CommandLine;
}
catch (NtException)
{
}
}
}
internal TokenInformation(NtToken token, NtProcess process)
{
SourceData = new Dictionary <string, object>();
TokenId = token.Id;
AuthenticationId = token.AuthenticationId;
Origin = token.Origin;
Flags = token.Flags;
User = token.User.Sid;
IntegrityLevel = token.IntegrityLevel;
TokenType = token.TokenType;
ImpersonationLevel = token.ImpersonationLevel;
AppContainer = token.AppContainer;
AppContainerSid = token.AppContainerSid;
Elevated = token.Elevated;
ElevationType = token.ElevationType;
Restricted = token.Restricted;
WriteRestricted = token.WriteRestricted;
LowPrivilegeAppContainer = token.LowPrivilegeAppContainer;
SessionId = token.SessionId;
Groups = token.Groups.ToList().AsReadOnly();
RestrictedSids = token.RestrictedSids.ToList().AsReadOnly();
Capabilities = token.Capabilities.ToList().AsReadOnly();
Sandbox = token.IsSandbox;
NoChildProcess = token.NoChildProcess;
UIAccess = token.UIAccess;
MandatoryPolicy = token.MandatoryPolicy;
if (process != null)
{
SourceData["ProcessId"] = process.ProcessId;
SourceData["Name"] = process.Name;
SourceData["ImagePath"] = process.GetImageFilePath(false, false).GetResultOrDefault(string.Empty);
SourceData["CommandLine"] = process.CommandLine;
}
}
internal TokenInformation(NtToken token, NtProcess process)
: this(token)
{
SourceData["ProcessId"] = process.ProcessId;
SourceData["Name"] = process.Name;
SourceData["ImagePath"] = process.GetImageFilePath(false);
SourceData["CommandLine"] = process.CommandLine;
}
internal TokenInformation(NtToken token, NtProcess process)
{
SourceData = new Dictionary <string, object>();
TokenId = token.Id;
UserName = token.User.Sid;
IntegrityLevel = token.IntegrityLevel;
TokenType = token.TokenType;
ImpersonationLevel = token.ImpersonationLevel;
AppContainer = token.AppContainer;
AppContainerSid = token.AppContainerSid;
Elevated = token.Elevated;
Restricted = token.Restricted;
LowPrivilegeAppContainer = token.LowPrivilegeAppContainer;
SessionId = token.SessionId;
if (process != null)
{
SourceData["ProcessId"] = process.ProcessId;
SourceData["Name"] = process.Name;
SourceData["ImagePath"] = process.GetImageFilePath(false);
SourceData["CommandLine"] = process.CommandLine;
}
}
private static string GetProcessFileName(NtProcess process)
{
return(process.GetImageFilePath(false));
}
static void DumpProcessEntry(NtProcess entry, HashSet <string> mitigation_filter, bool all_mitigations, bool print_command_line)
{
try
{
NtProcessMitigations mitigations = entry.Mitigations;
Console.WriteLine("Process Mitigations: {0,8} - {1}", entry.ProcessId, entry.GetImageFilePath(false));
if (print_command_line)
{
Console.WriteLine("Command Line: {0}", GetCommandLine(entry));
}
IEnumerable <PropertyInfo> props = _props.Values.Where(p => mitigation_filter.Count == 0 || mitigation_filter.Contains(p.Name));
foreach (PropertyInfo prop in props.OrderBy(p => p.Name))
{
object value = prop.GetValue(mitigations);
if (!all_mitigations && (value is bool))
{
if (!(bool)value)
{
continue;
}
}
FormatEntry(prop.Name, prop.GetValue(mitigations));
}
Console.WriteLine();
}
catch (NtException)
{
// Can end up here if the process is exiting.
}
}
