////////////////////////////////////////////////////////////////////////////////
// Checks if a Privilege Exists and is Enabled
////////////////////////////////////////////////////////////////////////////////
public static bool CheckTokenPrivilege(IntPtr hToken, string privilegeName, out bool exists, out bool enabled)
{
exists = false;
enabled = false;
////////////////////////////////////////////////////////////////////////////////
uint TokenInfLength = 0;
advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out TokenInfLength);
if (TokenInfLength <= 0 || TokenInfLength > int.MaxValue)
{
Misc.GetWin32Error("GetTokenInformation - 1 " + TokenInfLength);
return(false);
}
IntPtr lpTokenInformation = Marshal.AllocHGlobal((int)TokenInfLength);
////////////////////////////////////////////////////////////////////////////////
if (!advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, lpTokenInformation, TokenInfLength, out TokenInfLength))
{
Misc.GetWin32Error("GetTokenInformation - 2 " + TokenInfLength);
return(false);
}
Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(lpTokenInformation, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
Marshal.FreeHGlobal(lpTokenInformation);
////////////////////////////////////////////////////////////////////////////////
for (int i = 0; i < tokenPrivileges.PrivilegeCount; i++)
{
System.Text.StringBuilder lpName = new System.Text.StringBuilder();
int cchName = 0;
IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(tokenPrivileges.Privileges[i]));
Marshal.StructureToPtr(tokenPrivileges.Privileges[i].Luid, lpLuid, true);
try
{
advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
if (cchName <= 0 || cchName > int.MaxValue)
{
Misc.GetWin32Error("LookupPrivilegeName Pass 1");
continue;
}
lpName.EnsureCapacity(cchName + 1);
if (!advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName))
{
Misc.GetWin32Error("LookupPrivilegeName Pass 2");
continue;
}
if (lpName.ToString() != privilegeName)
{
continue;
}
exists = true;
Winnt._PRIVILEGE_SET privilegeSet = new Winnt._PRIVILEGE_SET
{
PrivilegeCount = 1,
Control = Winnt.PRIVILEGE_SET_ALL_NECESSARY,
Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] }
};
int pfResult = 0;
if (!advapi32.PrivilegeCheck(hToken, ref privilegeSet, out pfResult))
{
Misc.GetWin32Error("PrivilegeCheck");
continue;
}
enabled = Convert.ToBoolean(pfResult);
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
return(false);
}
finally
{
Marshal.FreeHGlobal(lpLuid);
}
}
Console.WriteLine();
return(false);
}
////////////////////////////////////////////////////////////////////////////////
// Prints the tokens privileges
////////////////////////////////////////////////////////////////////////////////
public void GetTokenPrivileges()
{
////////////////////////////////////////////////////////////////////////////////
uint TokenInfLength;
Console.WriteLine("[*] Enumerating Token Privileges");
advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out TokenInfLength);
if (TokenInfLength < 0 || TokenInfLength > int.MaxValue)
{
Misc.GetWin32Error("GetTokenInformation - 1 " + TokenInfLength);
return;
}
Console.WriteLine("[*] GetTokenInformation (TokenPrivileges) - Pass 1");
hTokenPrivileges = Marshal.AllocHGlobal((int)TokenInfLength);
////////////////////////////////////////////////////////////////////////////////
if (!advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, hTokenPrivileges, TokenInfLength, out TokenInfLength))
{
Misc.GetWin32Error("GetTokenInformation (TokenPrivileges) - 2 " + TokenInfLength);
return;
}
Console.WriteLine("[*] GetTokenInformation - Pass 2");
tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(hTokenPrivileges, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
Console.WriteLine("[+] Enumerated {0} Privileges", tokenPrivileges.PrivilegeCount);
Console.WriteLine();
Console.WriteLine("{0,-45}{1,-30}", "Privilege Name", "Enabled");
Console.WriteLine("{0,-45}{1,-30}", "--------------", "-------");
////////////////////////////////////////////////////////////////////////////////
for (int i = 0; i < tokenPrivileges.PrivilegeCount; i++)
{
StringBuilder lpName = new StringBuilder();
int cchName = 0;
IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(tokenPrivileges.Privileges[i]));
Marshal.StructureToPtr(tokenPrivileges.Privileges[i].Luid, lpLuid, true);
advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
if (cchName <= 0 || cchName > int.MaxValue)
{
Misc.GetWin32Error("LookupPrivilegeName Pass 1");
Marshal.FreeHGlobal(lpLuid);
continue;
}
lpName.EnsureCapacity(cchName + 1);
if (!advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName))
{
Misc.GetWin32Error("LookupPrivilegeName Pass 2");
Marshal.FreeHGlobal(lpLuid);
continue;
}
Winnt._PRIVILEGE_SET privilegeSet = new Winnt._PRIVILEGE_SET
{
PrivilegeCount = 1,
Control = Winnt.PRIVILEGE_SET_ALL_NECESSARY,
Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] }
};
int pfResult = 0;
if (!advapi32.PrivilegeCheck(hWorkingToken, ref privilegeSet, out pfResult))
{
Misc.GetWin32Error("PrivilegeCheck");
Marshal.FreeHGlobal(lpLuid);
continue;
}
Console.WriteLine("{0,-45}{1,-30}", lpName.ToString(), Convert.ToBoolean(pfResult));
Marshal.FreeHGlobal(lpLuid);
}
Console.WriteLine();
}
public static extern bool PrivilegeCheck(IntPtr ClientToken, ref Winnt._PRIVILEGE_SET RequiredPrivileges, out int pfResult);
////////////////////////////////////////////////////////////////////////////////
// Prints the tokens privileges
////////////////////////////////////////////////////////////////////////////////
public static void DisableAndRemoveAllTokenPrivileges(ref IntPtr hToken)
{
////////////////////////////////////////////////////////////////////////////////
Console.WriteLine("[*] Enumerating Token Privileges");
advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out UInt32 TokenInfLength);
if (TokenInfLength < 0 || TokenInfLength > Int32.MaxValue)
{
GetWin32Error("GetTokenInformation - 1 " + TokenInfLength);
return;
}
Console.WriteLine("[*] GetTokenInformation - Pass 1");
IntPtr lpTokenInformation = Marshal.AllocHGlobal((Int32)TokenInfLength);
////////////////////////////////////////////////////////////////////////////////
if (!advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, lpTokenInformation, TokenInfLength, out TokenInfLength))
{
GetWin32Error("GetTokenInformation - 2 " + TokenInfLength);
return;
}
Console.WriteLine("[*] GetTokenInformation - Pass 2");
Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(lpTokenInformation, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
Marshal.FreeHGlobal(lpTokenInformation);
Console.WriteLine("[+] Enumerated {0} Privileges", tokenPrivileges.PrivilegeCount);
Console.WriteLine();
Console.WriteLine("{0,-45}{1,-30}", "Privilege Name", "Enabled");
Console.WriteLine("{0,-45}{1,-30}", "--------------", "-------");
////////////////////////////////////////////////////////////////////////////////
for (Int32 i = 0; i < tokenPrivileges.PrivilegeCount; i++)
{
StringBuilder lpName = new StringBuilder();
Int32 cchName = 0;
IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(tokenPrivileges.Privileges[i]));
Marshal.StructureToPtr(tokenPrivileges.Privileges[i].Luid, lpLuid, true);
advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
if (cchName <= 0 || cchName > Int32.MaxValue)
{
GetWin32Error("LookupPrivilegeName Pass 1");
Marshal.FreeHGlobal(lpLuid);
continue;
}
lpName.EnsureCapacity(cchName + 1);
if (!advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName))
{
GetWin32Error("LookupPrivilegeName Pass 2");
Marshal.FreeHGlobal(lpLuid);
continue;
}
Winnt._PRIVILEGE_SET privilegeSet = new Winnt._PRIVILEGE_SET
{
PrivilegeCount = 1,
Control = Winnt.PRIVILEGE_SET_ALL_NECESSARY,
Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] }
};
if (!advapi32.PrivilegeCheck(hToken, ref privilegeSet, out Int32 pfResult))
{
GetWin32Error("PrivilegeCheck");
Marshal.FreeHGlobal(lpLuid);
continue;
}
if (Convert.ToBoolean(pfResult))
{
SetTokenPrivilege(ref hToken, lpName.ToString(), Winnt.TokenPrivileges.SE_PRIVILEGE_NONE);
}
SetTokenPrivilege(ref hToken, lpName.ToString(), Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED);
Marshal.FreeHGlobal(lpLuid);
}
Console.WriteLine();
}
public static extern Boolean PrivilegeCheck(IntPtr ClientToken, ref Winnt._PRIVILEGE_SET RequiredPrivileges, out Int32 pfResult);
