public ProcessEntry(NtProcess handle, NtThread[] threads) { Handle = handle; if (handle.IsAccessGranted(ProcessAccessRights.QueryInformation) || handle.IsAccessGranted(ProcessAccessRights.QueryLimitedInformation)) { Pid = handle.ProcessId; } if (threads == null) { threads = handle.GetThreads(ThreadAccessRights.MaximumAllowed).ToArray(); } Threads = threads.Select(h => new ThreadEntry(h)).ToArray(); Array.Sort(Threads, (a, b) => a.Tid - b.Tid); ImagePath = String.Empty; if (Pid == 0) { Name = "Idle"; } else if (Pid == 4) { Name = "System"; } else { if (Handle.IsAccessGranted(ProcessAccessRights.QueryLimitedInformation)) { try { ImagePath = Handle.GetImageFilePath(false); Name = Path.GetFileNameWithoutExtension(ImagePath); } catch (NtException) { } } } CommandLine = String.Empty; if (Handle.IsAccessGranted(ProcessAccessRights.QueryInformation)) { try { Token = Handle.OpenToken(); } catch (NtException) { } try { CommandLine = Handle.CommandLine; } catch (NtException) { } } }
private static NtToken GetToken(NtProcess process) { var result = process.OpenToken(false); if (result.IsSuccess) { return(result.Result); } return(null); }
static Form GetFormFromArgs(string[] args) { try { int pid = -1; int handle = -1; string text = string.Empty; bool show_help = false; OptionSet opts = new OptionSet() { { "p|pid=", "Specify a process ID to view the token.", v => pid = int.Parse(v) }, { "handle=", "Specify an inherited handle to view.", v => handle = int.Parse(v) }, { "text=", "Specify a text string for the token window.", v => text = v }, { "h|help", "Show this message and exit", v => show_help = v != null }, }; opts.Parse(args); if (show_help || (handle <= 0 && pid <= 0)) { ShowHelp(opts); } else if (handle > 0) { using (NtToken token = NtToken.FromHandle(new SafeKernelObjectHandle(new IntPtr(handle), true))) { if (token.NtType != NtType.GetTypeByType <NtToken>()) { throw new ArgumentException("Passed handle is not a token"); } return(new TokenForm(token.Duplicate(), text)); } } else if (pid > 0) { using (NtProcess process = NtProcess.Open(pid, ProcessAccessRights.QueryLimitedInformation)) { return(new TokenForm(process.OpenToken(), $"{process.Name}:{pid}")); } } } catch (Exception ex) { MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); } return(null); }
private static NtToken GetToken(NtProcess process) { try { return(process.OpenToken()); } catch (NtException) { return(null); } }
private static NtToken GetToken(NtProcess process) { try { return process.OpenToken(); } catch (NtException) { return null; } }
public static COMAccessCheck GetAccessCheck(NtProcess process, string principal, COMAccessRights access_rights, COMAccessRights launch_rights, bool ignore_default) { return(new COMAccessCheck( process.OpenToken(), principal, access_rights, launch_rights, ignore_default)); }
private void AddProcessNode(NtProcess entry) { try { using (NtToken token = entry.OpenToken()) { TreeNode node = new TreeNode(String.Format("Pid: {0} - Name: {1} (User:{2}, IL: {3}, R: {4}, AC: {5})", entry.ProcessId, entry.Name, token.User, token.IntegrityLevel, token.Restricted, token.AppContainer)); node.Tag = entry.Duplicate(); treeViewProcesses.Nodes.Add(node); } } catch { // Do nothing } }
private ListViewItem CreateProcessNode(NtProcess entry) { try { using (NtToken token = entry.OpenToken()) { ListViewItem item = new ListViewItem(entry.ProcessId.ToString()); item.SubItems.Add(entry.Name); item.SubItems.Add(token.User.ToString()); item.SubItems.Add(token.IntegrityLevel.ToString()); item.SubItems.Add(token.Restricted.ToString()); item.SubItems.Add(token.AppContainer.ToString()); item.Tag = entry.Duplicate(); return(item); } } catch { // Do nothing } return(null); }
static void Main(string[] args) { Win32Process new_process = null; try { CreateProcessFlags flags = CreateProcessFlags.None; bool parent_process = false; bool set_il = false; TokenIntegrityLevel il = 0; bool show_help = false; OptionSet opts = new OptionSet() { { "p", "Use parent technique to create the new process", v => parent_process = v != null }, { "j", "Try and break away from the current process job", v => flags |= v != null ? CreateProcessFlags.BreakawayFromJob : 0 }, { "c", "Create a new console for the process", v => flags |= v != null ? CreateProcessFlags.NewConsole : 0 }, { "s", "Create the process suspended", v => flags |= v != null ? CreateProcessFlags.Suspended : 0 }, { "i|il=", "Set the process IL level", v => { il = ParseIL(v); set_il = true; } }, { "h|help", "show this message and exit", v => show_help = v != null }, }; int pid; List <string> commands = opts.Parse(args); if (show_help || commands.Count < 2) { ShowHelp(opts); } if (!int.TryParse(commands[0], out pid)) { throw new ArgumentException("Couldn't parse PID value"); } if (!NtToken.EnableDebugPrivilege()) { Console.WriteLine("WARNING: Couldn't enable Debug privilege"); } using (NtProcess process = NtProcess.Open(pid, ProcessAccessRights.MaximumAllowed)) { if (parent_process) { new_process = Win32Process.CreateProcess(process, null, commands[1], set_il ? flags | CreateProcessFlags.Suspended : flags, null); if (set_il) { using (NtToken token = new_process.Process.OpenToken()) { token.SetIntegrityLevel(il); } if ((flags & CreateProcessFlags.Suspended) == 0) { new_process.Thread.Resume(); } } } else { using (NtToken token = process.OpenToken()) { using (NtToken target_token = token.DuplicateToken(TokenType.Primary, SecurityImpersonationLevel.Anonymous, TokenAccessRights.MaximumAllowed)) { if (set_il) { target_token.SetIntegrityLevel(il); } new_process = Win32Process.CreateProcessAsUser(target_token, null, commands[1], flags, null); } } } using (new_process) { Console.WriteLine("Created Process: PID: {0}, SID {1}", new_process.Pid, new_process.Process.SessionId); } } } catch (Exception ex) { Console.WriteLine("ERROR: {0}", ex.Message); if (new_process != null && new_process.Process != null) { try { new_process.Process.Terminate(NtStatus.STATUS_WAIT_1); } catch { } } } }
static NtToken GetProcessAccessToken(NtProcess process) { return(process.OpenToken()); }
public ProcessTokenEntry(NtProcess process) : this(process, process.OpenToken()) { }