public ProcessEntry(NtProcess handle, NtThread[] threads)
{
Handle = handle;
if (handle.IsAccessGranted(ProcessAccessRights.QueryInformation) || handle.IsAccessGranted(ProcessAccessRights.QueryLimitedInformation))
{
Pid = handle.ProcessId;
}
if (threads == null)
{
threads = handle.GetThreads(ThreadAccessRights.MaximumAllowed).ToArray();
}
Threads = threads.Select(h => new ThreadEntry(h)).ToArray();
Array.Sort(Threads, (a, b) => a.Tid - b.Tid);
ImagePath = String.Empty;
if (Pid == 0)
{
Name = "Idle";
}
else if (Pid == 4)
{
Name = "System";
}
else
{
if (Handle.IsAccessGranted(ProcessAccessRights.QueryLimitedInformation))
{
try
{
ImagePath = Handle.GetImageFilePath(false);
Name = Path.GetFileNameWithoutExtension(ImagePath);
}
catch (NtException)
{
}
}
}
CommandLine = String.Empty;
if (Handle.IsAccessGranted(ProcessAccessRights.QueryInformation))
{
try
{
Token = Handle.OpenToken();
}
catch (NtException)
{
}
try
{
CommandLine = Handle.CommandLine;
}
catch (NtException)
{
}
}
}
private static NtToken GetToken(NtProcess process)
{
var result = process.OpenToken(false);
if (result.IsSuccess)
{
return(result.Result);
}
return(null);
}
static Form GetFormFromArgs(string[] args)
{
try
{
int pid = -1;
int handle = -1;
string text = string.Empty;
bool show_help = false;
OptionSet opts = new OptionSet()
{
{ "p|pid=", "Specify a process ID to view the token.",
v => pid = int.Parse(v) },
{ "handle=", "Specify an inherited handle to view.",
v => handle = int.Parse(v) },
{ "text=", "Specify a text string for the token window.",
v => text = v },
{ "h|help", "Show this message and exit",
v => show_help = v != null },
};
opts.Parse(args);
if (show_help || (handle <= 0 && pid <= 0))
{
ShowHelp(opts);
}
else if (handle > 0)
{
using (NtToken token = NtToken.FromHandle(new SafeKernelObjectHandle(new IntPtr(handle), true)))
{
if (token.NtType != NtType.GetTypeByType <NtToken>())
{
throw new ArgumentException("Passed handle is not a token");
}
return(new TokenForm(token.Duplicate(), text));
}
}
else if (pid > 0)
{
using (NtProcess process = NtProcess.Open(pid, ProcessAccessRights.QueryLimitedInformation))
{
return(new TokenForm(process.OpenToken(),
$"{process.Name}:{pid}"));
}
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
return(null);
}
private static NtToken GetToken(NtProcess process)
{
try
{
return(process.OpenToken());
}
catch (NtException)
{
return(null);
}
}
private static NtToken GetToken(NtProcess process)
{
try
{
return process.OpenToken();
}
catch (NtException)
{
return null;
}
}
public static COMAccessCheck GetAccessCheck(NtProcess process,
string principal,
COMAccessRights access_rights,
COMAccessRights launch_rights,
bool ignore_default)
{
return(new COMAccessCheck(
process.OpenToken(),
principal,
access_rights,
launch_rights,
ignore_default));
}
private void AddProcessNode(NtProcess entry)
{
try
{
using (NtToken token = entry.OpenToken())
{
TreeNode node = new TreeNode(String.Format("Pid: {0} - Name: {1} (User:{2}, IL: {3}, R: {4}, AC: {5})",
entry.ProcessId, entry.Name, token.User, token.IntegrityLevel,
token.Restricted, token.AppContainer));
node.Tag = entry.Duplicate();
treeViewProcesses.Nodes.Add(node);
}
}
catch
{
// Do nothing
}
}
private void AddProcessNode(NtProcess entry)
{
try
{
using (NtToken token = entry.OpenToken())
{
TreeNode node = new TreeNode(String.Format("Pid: {0} - Name: {1} (User:{2}, IL: {3}, R: {4}, AC: {5})",
entry.ProcessId, entry.Name, token.User, token.IntegrityLevel,
token.Restricted, token.AppContainer));
node.Tag = entry.Duplicate();
treeViewProcesses.Nodes.Add(node);
}
}
catch
{
// Do nothing
}
}
private ListViewItem CreateProcessNode(NtProcess entry)
{
try
{
using (NtToken token = entry.OpenToken())
{
ListViewItem item = new ListViewItem(entry.ProcessId.ToString());
item.SubItems.Add(entry.Name);
item.SubItems.Add(token.User.ToString());
item.SubItems.Add(token.IntegrityLevel.ToString());
item.SubItems.Add(token.Restricted.ToString());
item.SubItems.Add(token.AppContainer.ToString());
item.Tag = entry.Duplicate();
return(item);
}
}
catch
{
// Do nothing
}
return(null);
}
static void Main(string[] args)
{
Win32Process new_process = null;
try
{
CreateProcessFlags flags = CreateProcessFlags.None;
bool parent_process = false;
bool set_il = false;
TokenIntegrityLevel il = 0;
bool show_help = false;
OptionSet opts = new OptionSet()
{
{ "p", "Use parent technique to create the new process", v => parent_process = v != null },
{ "j", "Try and break away from the current process job", v => flags |= v != null ? CreateProcessFlags.BreakawayFromJob : 0 },
{ "c", "Create a new console for the process", v => flags |= v != null ? CreateProcessFlags.NewConsole : 0 },
{ "s", "Create the process suspended", v => flags |= v != null ? CreateProcessFlags.Suspended : 0 },
{ "i|il=", "Set the process IL level", v => {
il = ParseIL(v); set_il = true;
} },
{ "h|help", "show this message and exit", v => show_help = v != null },
};
int pid;
List <string> commands = opts.Parse(args);
if (show_help || commands.Count < 2)
{
ShowHelp(opts);
}
if (!int.TryParse(commands[0], out pid))
{
throw new ArgumentException("Couldn't parse PID value");
}
if (!NtToken.EnableDebugPrivilege())
{
Console.WriteLine("WARNING: Couldn't enable Debug privilege");
}
using (NtProcess process = NtProcess.Open(pid, ProcessAccessRights.MaximumAllowed))
{
if (parent_process)
{
new_process = Win32Process.CreateProcess(process, null, commands[1], set_il ? flags | CreateProcessFlags.Suspended : flags, null);
if (set_il)
{
using (NtToken token = new_process.Process.OpenToken())
{
token.SetIntegrityLevel(il);
}
if ((flags & CreateProcessFlags.Suspended) == 0)
{
new_process.Thread.Resume();
}
}
}
else
{
using (NtToken token = process.OpenToken())
{
using (NtToken target_token = token.DuplicateToken(TokenType.Primary, SecurityImpersonationLevel.Anonymous, TokenAccessRights.MaximumAllowed))
{
if (set_il)
{
target_token.SetIntegrityLevel(il);
}
new_process = Win32Process.CreateProcessAsUser(target_token, null, commands[1], flags, null);
}
}
}
using (new_process)
{
Console.WriteLine("Created Process: PID: {0}, SID {1}", new_process.Pid, new_process.Process.SessionId);
}
}
}
catch (Exception ex)
{
Console.WriteLine("ERROR: {0}", ex.Message);
if (new_process != null && new_process.Process != null)
{
try
{
new_process.Process.Terminate(NtStatus.STATUS_WAIT_1);
}
catch
{
}
}
}
}
static NtToken GetProcessAccessToken(NtProcess process)
{
return(process.OpenToken());
}
public ProcessTokenEntry(NtProcess process)
: this(process, process.OpenToken())
{
}
