/// <summary> /// Overridden ProcessRecord method. /// </summary> protected override void ProcessRecord() { NtToken token = null; if (Duplicate) { using (NtToken base_token = GetToken(TokenAccessRights.Duplicate)) { if (base_token != null) { token = base_token.DuplicateToken(TokenType, ImpersonationLevel, Access); if (IntegrityLevel.HasValue) { using (NtToken set_token = token.Duplicate(TokenAccessRights.AdjustDefault)) { set_token.SetIntegrityLevel(IntegrityLevel.Value); } } } } } else { token = GetToken(Access); } WriteObject(token); }
/// <summary> /// Do an access check between a security descriptor and a token to determine the allowed access. /// </summary> /// <param name="sd">The security descriptor</param> /// <param name="token">The access token.</param> /// <param name="access_rights">The set of access rights to check against</param> /// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param> /// <returns>The allowed access mask as a unsigned integer.</returns> /// <exception cref="NtException">Thrown if an error occurred in the access check.</exception> public static uint GetAllowedAccess(SecurityDescriptor sd, NtToken token, GenericAccessRights access_rights, GenericMapping generic_mapping) { if (sd == null) { throw new ArgumentNullException("sd"); } if (token == null) { throw new ArgumentNullException("token"); } using (var sd_buffer = sd.ToSafeBuffer()) { using (NtToken imp_token = token.DuplicateToken(SecurityImpersonationLevel.Identification)) { uint granted_access; NtStatus result_status; using (var privs = new SafePrivilegeSetBuffer()) { int buffer_length = privs.Length; NtSystemCalls.NtAccessCheck(sd_buffer, imp_token.Handle, (uint)access_rights, ref generic_mapping, privs, ref buffer_length, out granted_access, out result_status).ToNtException(); if (result_status.IsSuccess()) { return(granted_access); } return(0); } } } }
private NtToken OpenImpersonationToken() { using (NtToken token = NtToken.OpenProcessToken()) { return(token.DuplicateToken(SecurityImpersonationLevel.Identification)); } }
private void btnDuplicate_Click(object sender, EventArgs e) { try { using (NtToken token = _token.DuplicateToken((TokenType)comboBoxTokenType.SelectedItem, (SecurityImpersonationLevel)comboBoxImpLevel.SelectedItem, TokenAccessRights.MaximumAllowed)) { TokenIntegrityLevel il = GetILFromComboBox(comboBoxILForDup); if (il != token.IntegrityLevel) { token.SetIntegrityLevel(il); } OpenForm(token, "Duplicate", true); } } catch (Exception ex) { MessageBox.Show(this, ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); } }
private static NtToken DuplicateToken(NtToken token) { if (token.TokenType == TokenType.Primary) { return(token.DuplicateToken(TokenType.Impersonation, SecurityImpersonationLevel.Impersonation, TokenAccessRights.Query | TokenAccessRights.Impersonate | TokenAccessRights.Duplicate)); } else { return(token.Duplicate(TokenAccessRights.Query | TokenAccessRights.Impersonate | TokenAccessRights.Duplicate)); } }
private NtToken GetToken() { if (Token != null) { return(Token.DuplicateToken(TokenType.Impersonation, SecurityImpersonationLevel.Identification, TokenAccessRights.Query)); } else { using (NtToken token = NtToken.OpenEffectiveToken()) { return(token.DuplicateToken(TokenType.Impersonation, SecurityImpersonationLevel.Identification, TokenAccessRights.Query)); } } }
public COMAccessCheck(NtToken token, string principal, COMAccessRights access_rights, COMAccessRights launch_rights, bool ignore_default) { m_access_cache = new Dictionary <string, bool>(); m_launch_cache = new Dictionary <string, bool>(); m_access_cache[string.Empty] = false; m_launch_cache[string.Empty] = false; m_access_token = token.DuplicateToken(SecurityImpersonationLevel.Identification); m_principal = principal; m_access_rights = access_rights; m_launch_rights = launch_rights; m_ignore_default = ignore_default; }
static NtToken CreateProcessForToken(string cmdline, NtToken token, bool make_interactive) { using (NtToken newtoken = token.DuplicateToken(TokenType.Primary, SecurityImpersonationLevel.Anonymous, TokenAccessRights.MaximumAllowed)) { string desktop = null; if (make_interactive) { desktop = @"WinSta0\Default"; newtoken.SetSessionId(NtProcess.Current.SessionId); } using (Win32Process process = Win32Process.CreateProcessAsUser(newtoken, null, cmdline, CreateProcessFlags.None, desktop)) { return(process.Process.OpenToken()); } } }
/// <summary> /// Overridden ProcessRecord method. /// </summary> protected override void ProcessRecord() { NtToken token = null; if (Duplicate) { using (NtToken base_token = GetToken(TokenAccessRights.Duplicate)) { token = base_token.DuplicateToken(TokenType, ImpersonationLevel, Access); } } else { token = GetToken(Access); } WriteObject(token); }
public static NtToken GetAccessToken(NtToken token, NtProcess process, int process_id) { if (token != null) { return(token.DuplicateToken(SecurityImpersonationLevel.Identification)); } else if (process != null) { return(GetProcessAccessToken(process)); } else { using (var p = NtProcess.Open(process_id, ProcessAccessRights.QueryLimitedInformation)) { return(GetProcessAccessToken(p)); } } }
private static NtToken DuplicateForAccessCheck(NtToken token) { if (token.IsPseudoToken) { // This is a pseudo token, pass along as no need to duplicate. return(token); } if (token.TokenType == TokenType.Primary) { return(token.DuplicateToken(TokenType.Impersonation, SecurityImpersonationLevel.Identification, TokenAccessRights.Query)); } else if (!token.IsAccessGranted(TokenAccessRights.Query)) { return(token.Duplicate(TokenAccessRights.Query)); } else { // If we've got query access rights already just create a shallow clone. return(token.ShallowClone()); } }
static void Main(string[] args) { Win32Process new_process = null; try { CreateProcessFlags flags = CreateProcessFlags.None; bool parent_process = false; bool set_il = false; TokenIntegrityLevel il = 0; bool show_help = false; OptionSet opts = new OptionSet() { { "p", "Use parent technique to create the new process", v => parent_process = v != null }, { "j", "Try and break away from the current process job", v => flags |= v != null ? CreateProcessFlags.BreakawayFromJob : 0 }, { "c", "Create a new console for the process", v => flags |= v != null ? CreateProcessFlags.NewConsole : 0 }, { "s", "Create the process suspended", v => flags |= v != null ? CreateProcessFlags.Suspended : 0 }, { "i|il=", "Set the process IL level", v => { il = ParseIL(v); set_il = true; } }, { "h|help", "show this message and exit", v => show_help = v != null }, }; int pid; List <string> commands = opts.Parse(args); if (show_help || commands.Count < 2) { ShowHelp(opts); } if (!int.TryParse(commands[0], out pid)) { throw new ArgumentException("Couldn't parse PID value"); } if (!NtToken.EnableDebugPrivilege()) { Console.WriteLine("WARNING: Couldn't enable Debug privilege"); } using (NtProcess process = NtProcess.Open(pid, ProcessAccessRights.MaximumAllowed)) { if (parent_process) { new_process = Win32Process.CreateProcess(process, null, commands[1], set_il ? flags | CreateProcessFlags.Suspended : flags, null); if (set_il) { using (NtToken token = new_process.Process.OpenToken()) { token.SetIntegrityLevel(il); } if ((flags & CreateProcessFlags.Suspended) == 0) { new_process.Thread.Resume(); } } } else { using (NtToken token = process.OpenToken()) { using (NtToken target_token = token.DuplicateToken(TokenType.Primary, SecurityImpersonationLevel.Anonymous, TokenAccessRights.MaximumAllowed)) { if (set_il) { target_token.SetIntegrityLevel(il); } new_process = Win32Process.CreateProcessAsUser(target_token, null, commands[1], flags, null); } } } using (new_process) { Console.WriteLine("Created Process: PID: {0}, SID {1}", new_process.Pid, new_process.Process.SessionId); } } } catch (Exception ex) { Console.WriteLine("ERROR: {0}", ex.Message); if (new_process != null && new_process.Process != null) { try { new_process.Process.Terminate(NtStatus.STATUS_WAIT_1); } catch { } } } }
private async static Task <InterfaceLists> GetInterfacesOOP(string command_line, bool runtime_class, COMRegistry registry, NtToken token) { using (AnonymousPipeServerStream server = new AnonymousPipeServerStream(PipeDirection.In, HandleInheritability.Inheritable, 16 * 1024, null)) { using (var imp_token = token?.DuplicateToken(SecurityImpersonationLevel.Impersonation)) { if (imp_token != null) { imp_token.Inherit = true; } string process = null; if (!Environment.Is64BitOperatingSystem || Environment.Is64BitProcess) { process = COMUtilities.GetExePath(); } else { process = COMUtilities.Get32bitExePath(); } Process proc = new Process(); List <string> args = new List <string> { runtime_class ? "-r" : "-e", server.GetClientHandleAsString(), command_line }; if (imp_token != null) { args.Insert(0, imp_token.Handle.DangerousGetHandle().ToInt32().ToString()); args.Insert(0, "-t"); } ProcessStartInfo info = new ProcessStartInfo(process, string.Join(" ", args)) { UseShellExecute = false, CreateNoWindow = true }; proc.StartInfo = info; proc.Start(); try { List <COMInterfaceInstance> interfaces = new List <COMInterfaceInstance>(); List <COMInterfaceInstance> factory_interfaces = new List <COMInterfaceInstance>(); server.DisposeLocalCopyOfClientHandle(); using (StreamReader reader = new StreamReader(server)) { while (true) { string line = await reader.ReadLineAsync(); if (line == null) { break; } if (line.StartsWith("ERROR:")) { uint errorCode; try { errorCode = uint.Parse(line.Substring(6), System.Globalization.NumberStyles.AllowHexSpecifier); } catch (FormatException ex) { Debug.WriteLine(ex.ToString()); errorCode = 0x80004005; } throw new Win32Exception((int)errorCode); } else { bool factory = false; if (line.StartsWith("*")) { factory = true; line = line.Substring(1); } string[] parts = line.Split(new char[] { ',' }, 3); if (Guid.TryParse(parts[0], out Guid g)) { string module_path = null; long vtable_offset = 0; if (parts.Length == 3) { module_path = parts[1]; long.TryParse(parts[2], out vtable_offset); } if (factory) { factory_interfaces.Add(new COMInterfaceInstance(g, module_path, vtable_offset, registry)); } else { interfaces.Add(new COMInterfaceInstance(g, module_path, vtable_offset, registry)); } } } } if (!proc.WaitForExit(5000)) { proc.Kill(); } int exitCode = proc.ExitCode; if (exitCode != 0) { interfaces = new List <COMInterfaceInstance>(new COMInterfaceInstance[] { new COMInterfaceInstance(COMInterfaceEntry.IID_IUnknown, registry) }); factory_interfaces = new List <COMInterfaceInstance>(new COMInterfaceInstance[] { new COMInterfaceInstance(COMInterfaceEntry.IID_IUnknown, registry) }); } return(new InterfaceLists() { Interfaces = interfaces, FactoryInterfaces = factory_interfaces }); } } finally { proc.Close(); } } } }
public static NtToken CreateProcessForToken(string cmdline, NtToken token, bool make_interactive) { try { using (NtToken newtoken = token.DuplicateToken(TokenType.Primary, SecurityImpersonationLevel.Anonymous, TokenAccessRights.MaximumAllowed)) { string desktop = null; if (make_interactive) { desktop = @"WinSta0\Default"; newtoken.SetSessionId(NtProcess.Current.SessionId); } using (Win32Process process = Win32Process.CreateProcessAsUser(newtoken, null, cmdline, CreateProcessFlags.None, desktop)) { return process.Process.OpenToken(); } } } catch (NtException ex) { throw ex.AsWin32Exception(); } }