//[Test] public void AppFromTokenTest() { using (var hTok = SafeHTOKEN.FromProcess(GetCurrentProcess(), TokenAccess.TOKEN_ALL_ACCESS)) { var sb = new StringBuilder(1024, 1024); var sbSz = (uint)sb.Capacity; ResetSb(); Assert.That(GetApplicationUserModelIdFromToken(hTok, ref sbSz, sb), Is.EqualTo((Win32Error)0)); WriteSb("AppUserModelId"); ResetSb(); Assert.That(GetPackageFamilyNameFromToken(hTok, ref sbSz, sb), Is.EqualTo((Win32Error)0)); WriteSb("PkgFamilyName"); ResetSb(); Assert.That(GetPackageFullNameFromToken(hTok, ref sbSz, sb), Is.EqualTo((Win32Error)0)); WriteSb("PkgFullName"); void ResetSb() { sb.Clear(); sbSz = (uint)sb.Capacity; } void WriteSb(string prefix) => TestContext.WriteLine($"{prefix}:{sb}"); } }
/// <summary>Extracts the user account SID associated with a security token.</summary> /// <param name="hToken">The security token handle.</param> /// <returns>A <see cref="SafePSID"/> instance of the user account SID associated with a security token.</returns> public static SafePSID FromToken(HTOKEN hToken) { var hTok = new SafeHTOKEN((IntPtr)hToken, false); using var pUserToken = hTok.GetInfo(TOKEN_INFORMATION_CLASS.TokenUser); return(new SafePSID(pUserToken.ToStructure <TOKEN_USER>().User.Sid)); }
public static void EnablePrivilege(this Process process, SystemPrivilege privilege) { using (var hObj = SafeHTOKEN.FromProcess(process, TokenAccess.TOKEN_ADJUST_PRIVILEGES | TokenAccess.TOKEN_QUERY)) { hObj.AdjustPrivilege(privilege, PrivilegeAttributes.SE_PRIVILEGE_ENABLED); } }
public static SafeAUTHZ_CLIENT_CONTEXT_HANDLE GetTokenAuthContext(SafeAUTHZ_RESOURCE_MANAGER_HANDLE hRM) { using SafeHTOKEN hTok = SafeHTOKEN.FromProcess(GetCurrentProcess(), TokenAccess.TOKEN_QUERY); Assert.That(AuthzInitializeContextFromToken(0, hTok, hRM, IntPtr.Zero, new LUID(), IntPtr.Zero, out SafeAUTHZ_CLIENT_CONTEXT_HANDLE hCtx), ResultIs.Successful); Assert.That(!hCtx.IsInvalid); return(hCtx); }
/// <summary>Gets the privileges for this process.</summary> /// <param name="process">The process.</param> /// <returns> /// An enumeration of <see cref="PrivilegeAndAttributes"/> instances that include the process privileges and their associated attributes (enabled, /// disabled, removed, etc.). /// </returns> public static IEnumerable <PrivilegeAndAttributes> GetPrivileges(this Process process) { using (var hObj = SafeHTOKEN.FromProcess(process, TokenAccess.TOKEN_QUERY | TokenAccess.TOKEN_DUPLICATE)) { return(hObj.GetPrivileges().Select(la => new PrivilegeAndAttributes(la.Luid.GetPrivilege(process.MachineName), la.Attributes))); } }
public void DuplicateTokenExTest() { using (var tok = SafeHTOKEN.FromThread(GetCurrentThread())) { Assert.That(tok.IsInvalid, Is.False); } }
private static int Main(string[] args) { try { // // obtain current process token // using var hToken = SafeHTOKEN.FromProcess(Process.GetCurrentProcess(), TokenAccess.TOKEN_QUERY); // obtain user identified by current process' access token // // Vanara Note: since the SID value of SID_AND_ATTRIBUTES is allocated in memory, you need to get the memory allocation and then // pull the SID value before destroying the memory // using var ptgUser = hToken.GetInfo(TOKEN_INFORMATION_CLASS.TokenUser); // // obtain the textual representaion of the Sid // var szTextualSid = GetTextualSid(ptgUser.ToStructure <TOKEN_USER>().User.Sid); // display the TextualSid representation Console.WriteLine($"Process Sid: {szTextualSid}"); return(0); } catch (Exception ex) { Console.WriteLine(ex); return(1); } }
/// <summary> /// The function gets the integrity level of the current process. Integrity level is only available on Windows Vista and newer operating systems, thus /// GetProcessIntegrityLevel throws an exception if it is called on systems prior to Windows Vista. /// </summary> /// <returns>Returns the integrity level of the current process.</returns> /// <exception cref="System.ComponentModel.Win32Exception"> /// When any native Windows API call fails, the function throws a Win32Exception with the last error code. /// </exception> /// <exception cref="System.ArgumentNullException"><paramref name="p"/> must be a valid <see cref="Process"/>.</exception> public static ProcessIntegrityLevel GetIntegrityLevel(this Process p) { if (p == null) { throw new ArgumentNullException(nameof(p)); } // Open the access token of the current process with TOKEN_QUERY. var hObject = SafeHTOKEN.FromProcess(p, TokenAccess.TOKEN_QUERY | TokenAccess.TOKEN_DUPLICATE); // Marshal the TOKEN_MANDATORY_LABEL struct from native to .NET object. var tokenIL = hObject.GetInfo <TOKEN_MANDATORY_LABEL>(TOKEN_INFORMATION_CLASS.TokenIntegrityLevel); // Integrity Level SIDs are in the form of S-1-16-0xXXXX. (e.g. S-1-16-0x1000 stands for low integrity level SID). There is one and only one subauthority. switch (GetSidSubAuthority(tokenIL.Label.Sid, 0)) { case 0: return(ProcessIntegrityLevel.Untrusted); case 0x1000: return(ProcessIntegrityLevel.Low); case var iVal when iVal >= 0x2000 && iVal < 0x3000: return(ProcessIntegrityLevel.Medium); case var iVal when iVal >= 0x4000: return(ProcessIntegrityLevel.System); case var iVal when iVal >= 0x3000: return(ProcessIntegrityLevel.High); default: return(ProcessIntegrityLevel.Undefined); } }
public void DuplicateTokenTest() { var pval = SafeHTOKEN.FromProcess(System.Diagnostics.Process.GetCurrentProcess()); Assert.That(pval.IsInvalid, Is.False); Assert.That(DuplicateToken(pval, SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, out var dtok)); Assert.That(dtok.IsInvalid, Is.False); }
public static bool HasPrivileges(this SafeHTOKEN hObj, bool requireAll, params SystemPrivilege[] privs) { if (!PrivilegeCheck(hObj, new PRIVILEGE_SET((PrivilegeSetControl)(requireAll ? 1 : 0), privs.Select(p => new LUID_AND_ATTRIBUTES(p.GetLUID(), PrivilegeAttributes.SE_PRIVILEGE_ENABLED)).ToArray()), out bool ret)) { Win32Error.ThrowLastError(); } return(ret); }
public void AuditComputeEffectivePolicyByTokenTest() { using var identity = WindowsIdentity.GetCurrent(); using var hTok = new SafeHTOKEN(identity.Token); Assert.That(AuditComputeEffectivePolicyByToken(hTok, new[] { regAudit }), Is.Not.Empty); }
/// <summary>Adjusts the specified privileges on a security token to have the supplied attributes.</summary> /// <param name="hObj">The security token object.</param> /// <param name="privileges">The privileges to change.</param> /// <returns>The privious privileges.</returns> public static TOKEN_PRIVILEGES AdjustPrivileges(this SafeHTOKEN hObj, params PrivilegeAndAttributes[] privileges) { if (privileges == null || privileges.Length == 0) { throw new ArgumentNullException(nameof(privileges)); } return(AdjustPrivileges(hObj, new TOKEN_PRIVILEGES(privileges.Select(pa => new LUID_AND_ATTRIBUTES(pa.Privilege.GetLUID(), pa.Attributes)).ToArray()))); }
public ElevPriv(string[] privs, HPROCESS hProc = default, TokenAccess access = TokenAccess.TOKEN_ADJUST_PRIVILEGES | TokenAccess.TOKEN_QUERY) { if (hProc.IsNull) { hProc = GetCurrentProcess(); } tok = SafeHTOKEN.FromProcess(hProc, access); ElevatePrivileges(privs); }
public void AccessCheckByTypeAndAuditAlarmTest() { using (var pSD = AdvApi32Tests.GetSD(AdvApi32Tests.fn, siNoSacl)) using (var hTok = SafeHTOKEN.FromProcess(GetCurrentProcess(), TokenAccess.TOKEN_IMPERSONATE | TokenAccess.TOKEN_DUPLICATE | TokenAccess.TOKEN_READ).Duplicate(SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation)) { var gm = GENERIC_MAPPING.GenericFileMapping; ACCESS_MASK accessMask = ACCESS_MASK.GENERIC_READ; MapGenericMask(ref accessMask, gm); var otl = new[] { new OBJECT_TYPE_LIST(ObjectTypeListLevel.ACCESS_OBJECT_GUID) }; Assert.That(AccessCheckByTypeAndAuditAlarm(subSys, default, objType, null, pSD, pCurSid, accessMask, AUDIT_EVENT_TYPE.AuditEventObjectAccess,
public static void AdjustPrivileges(this SafeHTOKEN hObj, SafeAllocatedMemoryHandle privileges) { if (privileges == null || privileges.IsInvalid) { return; } if (!AdjustTokenPrivileges(hObj, false, privileges)) { throw new Win32Exception(); } }
/// <summary>Determines whether the specified process is elevated.</summary> /// <param name="process">The process. If this value is <c>null</c>, then the current process is used.</param> /// <returns><c>true</c> if the specified process is elevated; otherwise, <c>false</c>.</returns> public static bool IsElevated(Process process = null) { try { // Open the access token of the current process with TOKEN_QUERY. using (var hObject = SafeHTOKEN.FromProcess(process ?? Process.GetCurrentProcess(), TokenAccess.TOKEN_QUERY | TokenAccess.TOKEN_DUPLICATE)) return(hObject.IsElevated); } catch { } return(false); }
public static void AdjustPrivileges(this SafeHTOKEN hObj, PTOKEN_PRIVILEGES privileges) { if (privileges == null) { return; } if (!AdjustTokenPrivileges(hObj, false, privileges)) { throw new Win32Exception(); } }
/// <summary> /// The function gets the integrity level of the current process. Integrity level is only available on Windows Vista and newer operating systems, thus /// GetProcessIntegrityLevel throws an exception if it is called on systems prior to Windows Vista. /// </summary> /// <returns>Returns the integrity level of the current process.</returns> /// <exception cref="System.ComponentModel.Win32Exception"> /// When any native Windows API call fails, the function throws a Win32Exception with the last error code. /// </exception> /// <exception cref="System.ArgumentNullException"><paramref name="p"/> must be a valid <see cref="Process"/>.</exception> public static MANDATORY_LEVEL GetIntegrityLevel(this Process p) { if (p == null) { throw new ArgumentNullException(nameof(p)); } // Open the access token of the current process with TOKEN_QUERY. using var hObject = SafeHTOKEN.FromProcess(p, TokenAccess.TOKEN_QUERY | TokenAccess.TOKEN_DUPLICATE); return(((HTOKEN)hObject).GetIntegrityLevel()); }
public void AppPolicyGetTest() { using (var hTok = SafeHTOKEN.FromProcess(GetCurrentProcess(), TokenAccess.TOKEN_ALL_ACCESS)) { Assert.That(AppPolicyGetCreateFileAccess(hTok, out var fileAccess), Is.EqualTo((Win32Error)0)); Assert.That(AppPolicyGetProcessTerminationMethod(hTok, out var termMeth), Is.EqualTo((Win32Error)0)); Assert.That(AppPolicyGetShowDeveloperDiagnostic(hTok, out var diag), Is.EqualTo((Win32Error)0)); Assert.That(AppPolicyGetThreadInitializationType(hTok, out var iType), Is.EqualTo((Win32Error)0)); TestContext.WriteLine($"File:{fileAccess}; TermMeth:{termMeth}; DevDiag:{diag}; InitType:{iType}"); } }
public static SafeCoTaskMemHandle AdjustPrivilege(this SafeHTOKEN hObj, SystemPrivilege priv, PrivilegeAttributes attr) { var newState = new PTOKEN_PRIVILEGES(priv.GetLUID(), attr); var prevState = PTOKEN_PRIVILEGES.GetAllocatedAndEmptyInstance(); if (!AdjustTokenPrivileges(hObj, false, newState, (uint)prevState.Size, prevState, out var retLen)) { throw new Win32Exception(); } prevState.Size = (int)retLen; return(prevState); }
public void CreateEnvironmentBlockTest_And_DestroyEnvironmentBlockTest() { using var hToken = SafeHTOKEN.FromProcess(GetCurrentProcess(), TokenAccess.TOKEN_IMPERSONATE | TokenAccess.TOKEN_DUPLICATE | TokenAccess.TOKEN_READ); Assert.That(hToken.IsInvalid, Is.False); Assert.That(CreateEnvironmentBlock(out string[] environmentBlock, hToken, false), ResultIs.Successful); Assert.That(environmentBlock, Is.Not.Empty); // Validate same environment variables count as .NET method // Assert.That(Environment.GetEnvironmentVariables().Count, Is.EqualTo(environmentBlock.Length)); TestContext.Write(string.Join("\r\n", environmentBlock)); }
public void AdjustTokenPrivilegesTest() { using (var t = SafeHTOKEN.FromThread(SafeHTHREAD.Current, TokenAccess.TOKEN_ADJUST_PRIVILEGES | TokenAccess.TOKEN_QUERY)) { Assert.That(LookupPrivilegeValue(null, "SeShutdownPrivilege", out var luid)); var ptp = new PTOKEN_PRIVILEGES(luid, PrivilegeAttributes.SE_PRIVILEGE_ENABLED); var old = PTOKEN_PRIVILEGES.GetAllocatedAndEmptyInstance(); Assert.That(AdjustTokenPrivileges(t, false, ptp, (uint)old.Size, old, out var rLen)); Assert.That(AdjustTokenPrivileges(t, false, ptp)); } }
/****************************************************************************++ * * Description : * * This function creates a well known sid using User domain. CreateWellKnownSid requires * domain sid to be provided to generate such sids. This function first gets the domain sid * out of the user information in the token and then generate a well known sid. * * Arguments: * * hToken - [supplies] The token for which sid has to be generated * sidType - [supplies] The type of well known sid * pSid - [receives] The newly create sid * pdwSidSize - [Supplies/Receives] The size of the memory allocated for ppSid * * Returns: * * Errors returned by GetTokenInformation * Errors returned by CreateWellKnownSid * E_OUTOFMEMORY In case there is not enough memory * Errors returned by GetWindowsAccountDomainSid * --***************************************************************************/ static SafePSID CreateWellKnownSidForAccount(HTOKEN hToken, WELL_KNOWN_SID_TYPE sidType) { var hTok = new SafeHTOKEN((IntPtr)hToken, false); using var pUserToken = hTok.GetInfo(TOKEN_INFORMATION_CLASS.TokenUser); // // Now get the domain sid from the TokenUser // Win32Error.ThrowLastErrorIfFalse(GetWindowsAccountDomainSid(pUserToken.ToStructure <TOKEN_USER>().User.Sid, out var pDomainSid)); return(SafePSID.CreateWellKnown(sidType, pDomainSid)); }
public static void AdjustPrivileges(this SafeHTOKEN hObj, PTOKEN_PRIVILEGES privileges) { if (privileges == null) { return; } uint retLen = 0; if (!AdjustTokenPrivileges(hObj, false, privileges, (uint)privileges.SizeInBytes, null, ref retLen)) { throw new Win32Exception(); } }
public static void AdjustPrivileges(this SafeHTOKEN hObj, SafeCoTaskMemHandle privileges) { if (privileges == null || privileges.IsInvalid) { return; } uint retLen = 0; if (!AdjustTokenPrivileges(hObj, false, privileges, (uint)privileges.Size, SafeCoTaskMemHandle.Null, ref retLen)) { throw new Win32Exception(); } }
public static SafeAUTHZ_CLIENT_CONTEXT_HANDLE GetTokenAuthContext(SafeAUTHZ_RESOURCE_MANAGER_HANDLE hRM) { using (var hTok = SafeHTOKEN.FromProcess(GetCurrentProcess(), TokenAccess.TOKEN_QUERY)) { var b = AuthzInitializeContextFromToken(0, hTok, hRM, IntPtr.Zero, new LUID(), IntPtr.Zero, out var hCtx); if (!b) { TestContext.WriteLine($"AuthzAccessCheck:{Win32Error.GetLastError()}"); } Assert.That(b); Assert.That(!hCtx.IsInvalid); return(hCtx); } }
public void AdjustTokenPrivilegesTest() { using (var t = SafeHTOKEN.FromThread(GetCurrentThread(), TokenAccess.TOKEN_ADJUST_PRIVILEGES | TokenAccess.TOKEN_QUERY)) { Assert.That(LookupPrivilegeValue(null, "SeShutdownPrivilege", out var luid)); var ptp = new PTOKEN_PRIVILEGES(luid, PrivilegeAttributes.SE_PRIVILEGE_ENABLED); var old = PTOKEN_PRIVILEGES.GetAllocatedAndEmptyInstance(); var rLen = (uint)old.Size; Assert.That(AdjustTokenPrivileges(t, false, ptp, ptp.SizeInBytes, old, ref rLen)); rLen = 0U; Assert.That(AdjustTokenPrivileges(t, false, ptp, ptp.SizeInBytes, SafeCoTaskMemHandle.Null, ref rLen)); } }
public void AccessCheckByTypeResultListTest() { using (var pSD = AdvApi32Tests.GetSD(AdvApi32Tests.fn, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION | SECURITY_INFORMATION.OWNER_SECURITY_INFORMATION | SECURITY_INFORMATION.GROUP_SECURITY_INFORMATION)) using (var hTok = SafeHTOKEN.FromProcess(GetCurrentProcess(), TokenAccess.TOKEN_IMPERSONATE | TokenAccess.TOKEN_DUPLICATE | TokenAccess.TOKEN_READ).Duplicate(SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation)) { var ps = PRIVILEGE_SET.InitializeWithCapacity(100); var psSz = ps.SizeInBytes; var gm = GENERIC_MAPPING.GenericFileMapping; ACCESS_MASK accessMask = ACCESS_MASK.GENERIC_READ; MapGenericMask(ref accessMask, gm); var otl = new[] { new OBJECT_TYPE_LIST(ObjectTypeListLevel.ACCESS_OBJECT_GUID) }; var access = new uint[otl.Length]; var status = new uint[otl.Length]; Assert.That(AccessCheckByTypeResultList(pSD, default, hTok, accessMask, otl, (uint)otl.Length, gm, ps, ref psSz, access, status), ResultIs.Successful);
public static SafeCoTaskMemHandle AdjustPrivileges(this SafeHTOKEN hObj, params PrivilegeAndAttributes[] privileges) { if (privileges == null || privileges.Length == 0) { return(SafeCoTaskMemHandle.Null); } var newState = new PTOKEN_PRIVILEGES(privileges.Select(pa => new LUID_AND_ATTRIBUTES(pa.Privilege.GetLUID(), pa.Attributes)).ToArray()); var prevState = PTOKEN_PRIVILEGES.GetAllocatedAndEmptyInstance(); if (!AdjustTokenPrivileges(hObj, false, newState, (uint)prevState.Size, prevState, out var retLen)) { throw new Win32Exception(); } prevState.Size = (int)retLen; return(prevState); }
/// <summary> /// The function gets the elevation information of the current process. It dictates whether the process is elevated or not. Token elevation is only /// available on Windows Vista and newer operating systems, thus IsProcessElevated throws a C++ exception if it is called on systems prior to Windows /// Vista. It is not appropriate to use this function to determine whether a process is run as administrator. /// </summary> /// <returns>Returns true if the process is elevated. Returns false if it is not.</returns> /// <exception cref="System.ComponentModel.Win32Exception"> /// When any native Windows API call fails, the function throws a Win32Exception with the last error code. /// </exception> /// <exception cref="System.ArgumentNullException"><paramref name="p"/> must be a valid <see cref="Process"/>.</exception> /// <remarks> /// TOKEN_INFORMATION_CLASS provides TokenElevationType to check the elevation type (TokenElevationTypeDefault / TokenElevationTypeLimited / /// TokenElevationTypeFull) of the process. It is different from TokenElevation in that, when UAC is turned off, elevation type always returns /// TokenElevationTypeDefault even though the process is elevated (Integrity Level == High). In other words, it is not safe to say if the process is /// elevated based on elevation type. Instead, we should use TokenElevation. /// </remarks> public static bool IsElevated(this Process p) { if (p == null) { throw new ArgumentNullException(nameof(p)); } try { // Open the access token of the current process with TOKEN_QUERY. using (var hObject = SafeHTOKEN.FromProcess(p, TokenAccess.TOKEN_QUERY | TokenAccess.TOKEN_DUPLICATE)) return(hObject.IsElevated); } catch { } return(false); }