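////////////////////////////////////////////////////////////////////////////////
// Checks if a Privilege Exists and is Enabled
//
// Enumerates the TokenPrivileges class of hToken, resolves each LUID to its
// name with LookupPrivilegeName and, when the name equals privilegeName
// (ordinal, case-sensitive - the canonical "SeXxxPrivilege" spelling), sets
// exists and asks PrivilegeCheck (one-entry set, PRIVILEGE_SET_ALL_NECESSARY)
// whether it is currently enabled.
//
// Returns true when the token could be enumerated, so exists/enabled are
// authoritative; false when a Win32 call failed (reported via
// Misc.GetWin32Error) or an exception escaped, in which case both outputs
// are false. The original returned false unconditionally and printed a
// stray blank line; callers that only read the out parameters see no change.
//
// NOTE(review): PtrToStructure copies sizeof(_TOKEN_PRIVILEGES_ARRAY) bytes,
// not TokenInfLength. If that managed struct declares a fixed-size Privileges
// array (the usual way to marshal this class), a buffer sized only by the
// API would be over-read whenever the token holds fewer privileges than the
// array - so the buffer is sized to the larger of the two and zero-filled,
// and the loop is clamped to the managed array length.
////////////////////////////////////////////////////////////////////////////////
public static bool CheckTokenPrivilege(IntPtr hToken, string privilegeName, out bool exists, out bool enabled)
{
    exists = false;
    enabled = false;

    ////////////////////////////////////////////////////////////////////////////////
    // Pass 1: size query only (expected to fail with ERROR_INSUFFICIENT_BUFFER
    // while reporting the required length).
    uint TokenInfLength = 0;
    advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out TokenInfLength);
    if (TokenInfLength == 0 || TokenInfLength > int.MaxValue)
    {
        Misc.GetWin32Error("GetTokenInformation - 1 " + TokenInfLength);
        return false;
    }

    int structSize = Marshal.SizeOf(typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
    int bufferSize = Math.Max((int)TokenInfLength, structSize);
    IntPtr lpTokenInformation = Marshal.AllocHGlobal(bufferSize);
    Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges;
    try
    {
        // AllocHGlobal does not zero memory; entries past PrivilegeCount must
        // not be garbage when the whole struct is copied out below.
        Marshal.Copy(new byte[bufferSize], 0, lpTokenInformation, bufferSize);

        ////////////////////////////////////////////////////////////////////////////////
        // Pass 2: fetch the privilege array (a larger-than-needed buffer is fine).
        if (!advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, lpTokenInformation, (uint)bufferSize, out TokenInfLength))
        {
            Misc.GetWin32Error("GetTokenInformation - 2 " + TokenInfLength);
            return false;
        }
        tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(lpTokenInformation, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
    }
    finally
    {
        // Freed on every path; the original leaked it when pass 2 failed.
        Marshal.FreeHGlobal(lpTokenInformation);
    }

    ////////////////////////////////////////////////////////////////////////////////
    // Never index past the managed array, whatever PrivilegeCount claims.
    int count = (int)Math.Min((long)tokenPrivileges.PrivilegeCount, tokenPrivileges.Privileges.Length);
    for (int i = 0; i < count; i++)
    {
        Winnt._LUID_AND_ATTRIBUTES privilege = tokenPrivileges.Privileges[i];
        IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(privilege));
        try
        {
            // Fresh unmanaged memory: fDeleteOld must be false, there is nothing
            // to destroy (true would run DestroyStructure over uninitialised bytes).
            Marshal.StructureToPtr(privilege.Luid, lpLuid, false);

            // Pass 1 reports the required length (including the terminator);
            // pass 2 fills the buffer.
            int cchName = 0;
            advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
            if (cchName <= 0)
            {
                Misc.GetWin32Error("LookupPrivilegeName Pass 1");
                continue;
            }
            System.Text.StringBuilder lpName = new System.Text.StringBuilder(cchName + 1);
            if (!advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName))
            {
                Misc.GetWin32Error("LookupPrivilegeName Pass 2");
                continue;
            }
            if (!string.Equals(lpName.ToString(), privilegeName, StringComparison.Ordinal))
            {
                continue;
            }

            exists = true;
            Winnt._PRIVILEGE_SET privilegeSet = new Winnt._PRIVILEGE_SET
            {
                PrivilegeCount = 1,
                Control = Winnt.PRIVILEGE_SET_ALL_NECESSARY,
                Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { privilege }
            };
            int pfResult = 0;
            if (!advapi32.PrivilegeCheck(hToken, ref privilegeSet, out pfResult))
            {
                // The privilege is present but its state could not be read;
                // report it as not enabled rather than failing the whole check.
                Misc.GetWin32Error("PrivilegeCheck");
                break;
            }
            enabled = Convert.ToBoolean(pfResult);
            // A token carries each privilege at most once; nothing more to find.
            break;
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
            return false;
        }
        finally
        {
            Marshal.FreeHGlobal(lpLuid);
        }
    }
    return true;
}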
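////////////////////////////////////////////////////////////////////////////////
// Prints the tokens privileges
//
// Enumerates TokenPrivileges for hWorkingToken into the hTokenPrivileges /
// tokenPrivileges fields and prints one "Privilege Name / Enabled" row per
// privilege, using PrivilegeCheck (one-entry set, PRIVILEGE_SET_ALL_NECESSARY)
// for the Enabled column. A failed GetTokenInformation is reported through
// Misc.GetWin32Error and aborts the listing; a per-privilege lookup failure
// skips that row only.
//
// NOTE(review): hTokenPrivileges is an instance field, not a local, so it is
// deliberately left allocated here on the assumption that the owning object
// frees it (e.g. in Dispose) or reads tokenPrivileges later. Calling this
// twice overwrites the pointer without freeing the first buffer - confirm the
// owner's lifetime handling before calling it repeatedly.
//
// NOTE(review): PtrToStructure copies sizeof(_TOKEN_PRIVILEGES_ARRAY) bytes,
// not TokenInfLength. If the managed struct carries a fixed-size Privileges
// array larger than the token's count, a buffer sized only by the API would
// be over-read, so the buffer is sized to the larger of the two, zero-filled,
// and the loop is clamped to the managed array length.
////////////////////////////////////////////////////////////////////////////////
public void GetTokenPrivileges()
{
    ////////////////////////////////////////////////////////////////////////////////
    // Pass 1: size query only.
    uint TokenInfLength;
    Console.WriteLine("[*] Enumerating Token Privileges");
    advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out TokenInfLength);
    // TokenInfLength is unsigned: the original "< 0" test could never fire and a
    // zero length went on to AllocHGlobal(0) and a doomed second call.
    if (TokenInfLength == 0 || TokenInfLength > int.MaxValue)
    {
        Misc.GetWin32Error("GetTokenInformation - 1 " + TokenInfLength);
        return;
    }
    Console.WriteLine("[*] GetTokenInformation (TokenPrivileges) - Pass 1");

    int structSize = Marshal.SizeOf(typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
    int bufferSize = Math.Max((int)TokenInfLength, structSize);
    hTokenPrivileges = Marshal.AllocHGlobal(bufferSize);
    // AllocHGlobal does not zero memory; entries past PrivilegeCount must not
    // be garbage when the whole struct is copied out below.
    Marshal.Copy(new byte[bufferSize], 0, hTokenPrivileges, bufferSize);

    ////////////////////////////////////////////////////////////////////////////////
    // Pass 2: fetch the privilege array (a larger-than-needed buffer is fine).
    if (!advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, hTokenPrivileges, (uint)bufferSize, out TokenInfLength))
    {
        Misc.GetWin32Error("GetTokenInformation (TokenPrivileges) - 2 " + TokenInfLength);
        return;
    }
    Console.WriteLine("[*] GetTokenInformation - Pass 2");
    tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(hTokenPrivileges, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
    Console.WriteLine("[+] Enumerated {0} Privileges", tokenPrivileges.PrivilegeCount);
    Console.WriteLine();
    Console.WriteLine("{0,-45}{1,-30}", "Privilege Name", "Enabled");
    Console.WriteLine("{0,-45}{1,-30}", "--------------", "-------");

    ////////////////////////////////////////////////////////////////////////////////
    // Never index past the managed array, whatever PrivilegeCount claims.
    int count = (int)Math.Min((long)tokenPrivileges.PrivilegeCount, tokenPrivileges.Privileges.Length);
    for (int i = 0; i < count; i++)
    {
        Winnt._LUID_AND_ATTRIBUTES privilege = tokenPrivileges.Privileges[i];
        IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(privilege));
        try
        {
            // Fresh unmanaged memory: fDeleteOld must be false, there is nothing
            // to destroy (true would run DestroyStructure over uninitialised bytes).
            Marshal.StructureToPtr(privilege.Luid, lpLuid, false);

            // Pass 1 reports the required length (including the terminator);
            // pass 2 fills the buffer.
            int cchName = 0;
            advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
            if (cchName <= 0)
            {
                Misc.GetWin32Error("LookupPrivilegeName Pass 1");
                continue;
            }
            StringBuilder lpName = new StringBuilder(cchName + 1);
            if (!advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName))
            {
                Misc.GetWin32Error("LookupPrivilegeName Pass 2");
                continue;
            }

            Winnt._PRIVILEGE_SET privilegeSet = new Winnt._PRIVILEGE_SET
            {
                PrivilegeCount = 1,
                Control = Winnt.PRIVILEGE_SET_ALL_NECESSARY,
                Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { privilege }
            };
            int pfResult = 0;
            if (!advapi32.PrivilegeCheck(hWorkingToken, ref privilegeSet, out pfResult))
            {
                Misc.GetWin32Error("PrivilegeCheck");
                continue;
            }
            Console.WriteLine("{0,-45}{1,-30}", lpName.ToString(), Convert.ToBoolean(pfResult));
        }
        finally
        {
            // Freed on every path, including the skip paths and exceptions.
            Marshal.FreeHGlobal(lpLuid);
        }
    }
    Console.WriteLine();
}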
/// <summary>
/// P/Invoke declaration for the Win32 PrivilegeCheck API (the callers in this listing reach it
/// as advapi32.PrivilegeCheck). Tests whether the privileges listed in
/// <paramref name="RequiredPrivileges"/> are enabled in <paramref name="ClientToken"/>; the
/// callers shown here pass a one-entry set with PRIVILEGE_SET_ALL_NECESSARY, so
/// <paramref name="pfResult"/> (a Win32 BOOL, hence int) is non-zero exactly when that single
/// privilege is enabled. The return value is the API's success flag, not the check result.
/// </summary>
/// <remarks>
/// NOTE(review): the [DllImport] attribute is outside this excerpt - confirm it sets
/// SetLastError = true, otherwise the Misc.GetWin32Error calls made after a false return
/// report a stale error code. Per the Win32 contract the set is passed by reference because the
/// API writes SE_PRIVILEGE_USED_FOR_ACCESS into the Attributes of each privilege it examines.
/// </remarks>
public static extern bool PrivilegeCheck(IntPtr ClientToken, ref Winnt._PRIVILEGE_SET RequiredPrivileges, out int pfResult);
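////////////////////////////////////////////////////////////////////////////////
// Disables every enabled privilege on hToken and then removes all of them
// (SE_PRIVILEGE_REMOVED), printing a "Privilege Name / Enabled" row for each
// privilege as it was found before the token was touched.
//
// The original header said "Prints the tokens privileges" - that is what
// GetTokenPrivileges does; this routine mutates the token. Per the
// AdjustTokenPrivileges contract a privilege removed with SE_PRIVILEGE_REMOVED
// cannot be re-added to that token, so call this only on a token you intend
// to keep restricted (e.g. before handing it to a less trusted component).
// SetTokenPrivilege is defined elsewhere in the file; this assumes it wraps
// AdjustTokenPrivileges with the given attribute value - confirm.
//
// Win32 failures of GetTokenInformation are reported via GetWin32Error and
// abort the routine; a per-privilege lookup or PrivilegeCheck failure skips
// that privilege (it is then neither disabled nor removed).
//
// NOTE(review): PtrToStructure copies sizeof(_TOKEN_PRIVILEGES_ARRAY) bytes,
// not TokenInfLength. If the managed struct carries a fixed-size Privileges
// array larger than the token's count, a buffer sized only by the API would
// be over-read, so the buffer is sized to the larger of the two, zero-filled,
// and the loop is clamped to the managed array length.
////////////////////////////////////////////////////////////////////////////////
public static void DisableAndRemoveAllTokenPrivileges(ref IntPtr hToken)
{
    ////////////////////////////////////////////////////////////////////////////////
    // Pass 1: size query only.
    Console.WriteLine("[*] Enumerating Token Privileges");
    advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out UInt32 TokenInfLength);
    // TokenInfLength is unsigned: the original "< 0" test could never fire and a
    // zero length went on to AllocHGlobal(0) and a doomed second call.
    if (TokenInfLength == 0 || TokenInfLength > Int32.MaxValue)
    {
        GetWin32Error("GetTokenInformation - 1 " + TokenInfLength);
        return;
    }
    Console.WriteLine("[*] GetTokenInformation - Pass 1");

    Int32 structSize = Marshal.SizeOf(typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
    Int32 bufferSize = Math.Max((Int32)TokenInfLength, structSize);
    IntPtr lpTokenInformation = Marshal.AllocHGlobal(bufferSize);
    Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges;
    try
    {
        // AllocHGlobal does not zero memory; entries past PrivilegeCount must
        // not be garbage when the whole struct is copied out below.
        Marshal.Copy(new Byte[bufferSize], 0, lpTokenInformation, bufferSize);

        ////////////////////////////////////////////////////////////////////////////////
        // Pass 2: fetch the privilege array (a larger-than-needed buffer is fine).
        if (!advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, lpTokenInformation, (UInt32)bufferSize, out TokenInfLength))
        {
            GetWin32Error("GetTokenInformation - 2 " + TokenInfLength);
            return;
        }
        Console.WriteLine("[*] GetTokenInformation - Pass 2");
        tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(lpTokenInformation, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
    }
    finally
    {
        // Freed on every path; the original leaked it when pass 2 failed.
        Marshal.FreeHGlobal(lpTokenInformation);
    }
    Console.WriteLine("[+] Enumerated {0} Privileges", tokenPrivileges.PrivilegeCount);
    Console.WriteLine();
    Console.WriteLine("{0,-45}{1,-30}", "Privilege Name", "Enabled");
    Console.WriteLine("{0,-45}{1,-30}", "--------------", "-------");

    ////////////////////////////////////////////////////////////////////////////////
    // Work from the snapshot taken above; never index past the managed array,
    // whatever PrivilegeCount claims.
    Int32 count = (Int32)Math.Min((Int64)tokenPrivileges.PrivilegeCount, tokenPrivileges.Privileges.Length);
    for (Int32 i = 0; i < count; i++)
    {
        Winnt._LUID_AND_ATTRIBUTES privilege = tokenPrivileges.Privileges[i];
        IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(privilege));
        try
        {
            // Fresh unmanaged memory: fDeleteOld must be false, there is nothing
            // to destroy (true would run DestroyStructure over uninitialised bytes).
            Marshal.StructureToPtr(privilege.Luid, lpLuid, false);

            // Pass 1 reports the required length (including the terminator);
            // pass 2 fills the buffer.
            Int32 cchName = 0;
            advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
            if (cchName <= 0)
            {
                GetWin32Error("LookupPrivilegeName Pass 1");
                continue;
            }
            StringBuilder lpName = new StringBuilder(cchName + 1);
            if (!advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName))
            {
                GetWin32Error("LookupPrivilegeName Pass 2");
                continue;
            }

            Winnt._PRIVILEGE_SET privilegeSet = new Winnt._PRIVILEGE_SET
            {
                PrivilegeCount = 1,
                Control = Winnt.PRIVILEGE_SET_ALL_NECESSARY,
                Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { privilege }
            };
            if (!advapi32.PrivilegeCheck(hToken, ref privilegeSet, out Int32 pfResult))
            {
                GetWin32Error("PrivilegeCheck");
                continue;
            }

            // The original printed the table header but never a row; report the
            // pre-change state so the output matches the header it prints.
            String name = lpName.ToString();
            Boolean isEnabled = Convert.ToBoolean(pfResult);
            Console.WriteLine("{0,-45}{1,-30}", name, isEnabled);

            // Disable first so an enabled privilege is never left live if the
            // removal call fails, then remove it from the token for good.
            if (isEnabled)
            {
                SetTokenPrivilege(ref hToken, name, Winnt.TokenPrivileges.SE_PRIVILEGE_NONE);
            }
            SetTokenPrivilege(ref hToken, name, Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED);
        }
        finally
        {
            // Freed on every path, including the skip paths and exceptions.
            Marshal.FreeHGlobal(lpLuid);
        }
    }
    Console.WriteLine();
}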
/// <summary>
/// P/Invoke declaration for the Win32 PrivilegeCheck API (the callers in this listing reach it
/// as advapi32.PrivilegeCheck). Tests whether the privileges listed in
/// <paramref name="RequiredPrivileges"/> are enabled in <paramref name="ClientToken"/>; the
/// callers shown here pass a one-entry set with PRIVILEGE_SET_ALL_NECESSARY, so
/// <paramref name="pfResult"/> (a Win32 BOOL, hence Int32) is non-zero exactly when that single
/// privilege is enabled. The return value is the API's success flag, not the check result.
/// </summary>
/// <remarks>
/// NOTE(review): the [DllImport] attribute is outside this excerpt - confirm it sets
/// SetLastError = true, otherwise the GetWin32Error calls made after a false return report a
/// stale error code. Per the Win32 contract the set is passed by reference because the API
/// writes SE_PRIVILEGE_USED_FOR_ACCESS into the Attributes of each privilege it examines.
/// </remarks>
public static extern Boolean PrivilegeCheck(IntPtr ClientToken, ref Winnt._PRIVILEGE_SET RequiredPrivileges, out Int32 pfResult);