internal static extern bool DuplicateTokenEx(
SafeCloseHandle hExistingToken,
TokenAccessLevels dwDesiredAccess,
IntPtr lpTokenAttributes,
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
TOKEN_TYPE TokenType,
ref SafeCloseHandle phNewToken);
internal static SafeCloseHandle OpenThreadToken(TokenAccessLevels desiredAccess, bool openAsSelf)
{
SafeCloseHandle threadToken;
if (!Private.OpenThreadToken(NativeMethods.Private.GetCurrentThread(), desiredAccess, openAsSelf, out threadToken))
{
int error = Marshal.GetLastWin32Error();
if (error != WinError.ERROR_NO_TOKEN)
{
throw GetIoExceptionForError(error, desiredAccess.ToString());
}
SafeCloseHandle processToken = OpenProcessToken(TokenAccessLevels.Duplicate);
if (!Private.DuplicateTokenEx(
processToken,
TokenAccessLevels.Impersonate | TokenAccessLevels.Query | TokenAccessLevels.AdjustPrivileges,
IntPtr.Zero,
SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
TOKEN_TYPE.TokenImpersonation,
ref threadToken))
{
error = Marshal.GetLastWin32Error();
throw GetIoExceptionForError(error, desiredAccess.ToString());
}
}
return(threadToken);
}
/// <summary>
/// Checks if the given privilege is enabled. This does not tell you whether or not it
/// is possible to get a privilege- most held privileges are not enabled by default.
/// </summary>
internal static bool IsPrivilegeEnabled(SafeCloseHandle token, Privileges privilege)
{
LUID luid = LookupPrivilegeValue(privilege.ToString());
var luidAttributes = new LUID_AND_ATTRIBUTES
{
Luid = luid,
Attributes = SE_PRIVILEGE_ENABLED
};
var set = new PRIVILEGE_SET
{
Control = PRIVILEGE_SET_ALL_NECESSARY,
PrivilegeCount = 1,
Privilege = new[] { luidAttributes }
};
bool result;
if (!Private.PrivilegeCheck(token, ref set, out result))
{
int error = Marshal.GetLastWin32Error();
throw GetIoExceptionForError(error, privilege.ToString());
}
return(result);
}
internal static extern bool SetThreadToken(
IntPtr Thread,
SafeCloseHandle Token);
internal static extern bool PrivilegeCheck(
SafeCloseHandle ClientToken,
ref PRIVILEGE_SET RequiredPrivileges,
[MarshalAs(UnmanagedType.Bool)] out bool pfResult);
/// <summary>
/// Checks if the given privilege is enabled. This does not tell you whether or not it
/// is possible to get a privilege- most held privileges are not enabled by default.
/// </summary>
internal static bool IsPrivilegeEnabled(SafeCloseHandle token, Privileges privilege)
{
LUID luid = LookupPrivilegeValue(privilege.ToString());
var luidAttributes = new LUID_AND_ATTRIBUTES
{
Luid = luid,
Attributes = SE_PRIVILEGE_ENABLED
};
var set = new PRIVILEGE_SET
{
Control = PRIVILEGE_SET_ALL_NECESSARY,
PrivilegeCount = 1,
Privilege = new[] { luidAttributes }
};
bool result;
if (!Private.PrivilegeCheck(token, ref set, out result))
{
int error = Marshal.GetLastWin32Error();
throw GetIoExceptionForError(error, privilege.ToString());
}
return result;
}
/// <summary>
/// Returns true if the given token has the specified privilege. The privilege may or may not be enabled.
/// </summary>
internal static bool HasPrivilege(SafeCloseHandle token, Privileges privilege)
{
return GetTokenPrivileges(token).Any(t => t.Privilege == privilege);
}
internal static IEnumerable<PrivilegeSetting> GetTokenPrivileges(SafeCloseHandle token)
{
// Get the buffer size we need
uint bytesNeeded;
if (!Private.GetTokenInformation(
token.DangerousGetHandle(),
TOKEN_INFORMATION_CLASS.TokenPrivileges,
EmptySafeHandle.Instance,
0,
out bytesNeeded))
{
int error = Marshal.GetLastWin32Error();
if (error != WinError.ERROR_INSUFFICIENT_BUFFER)
throw GetIoExceptionForError(error);
}
else
{
// Didn't need any space for output, let's assume there are no privileges
return Enumerable.Empty<PrivilegeSetting>();
}
// Initialize the buffer and get the data
var buffer = new StreamBuffer(bytesNeeded);
if (!Private.GetTokenInformation(
token.DangerousGetHandle(),
TOKEN_INFORMATION_CLASS.TokenPrivileges,
buffer,
(uint)buffer.Length,
out bytesNeeded))
{
int error = Marshal.GetLastWin32Error();
throw GetIoExceptionForError(error);
}
// Loop through and get our privileges
BinaryReader reader = new BinaryReader(buffer, Encoding.Unicode, leaveOpen: true);
uint count = reader.ReadUInt32();
var privileges = new List<PrivilegeSetting>();
StringBuilder sb = new StringBuilder(256);
for (int i = 0; i < count; i++)
{
LUID luid = new LUID
{
LowPart = reader.ReadUInt32(),
HighPart = reader.ReadUInt32(),
};
uint length = (uint)sb.Capacity;
if (!Private.LookupPrivilegeNameW(IntPtr.Zero, ref luid, sb, ref length))
{
int error = Marshal.GetLastWin32Error();
throw GetIoExceptionForError(error);
}
PrivilegeState state = (PrivilegeState)reader.ReadUInt32();
privileges.Add(new PrivilegeSetting(sb.ToString(), state));
sb.Clear();
}
return privileges;
}
internal static extern bool OpenThreadToken(
IntPtr ThreadHandle,
TokenAccessLevels DesiredAccess,
[MarshalAs(UnmanagedType.Bool)] bool OpenAsSelf,
out SafeCloseHandle TokenHandle);
internal static IEnumerable <PrivilegeSetting> GetTokenPrivileges(SafeCloseHandle token)
{
// Get the buffer size we need
uint bytesNeeded;
if (!Private.GetTokenInformation(
token.DangerousGetHandle(),
TOKEN_INFORMATION_CLASS.TokenPrivileges,
EmptySafeHandle.Instance,
0,
out bytesNeeded))
{
int error = Marshal.GetLastWin32Error();
if (error != WinError.ERROR_INSUFFICIENT_BUFFER)
{
throw GetIoExceptionForError(error);
}
}
else
{
// Didn't need any space for output, let's assume there are no privileges
return(Enumerable.Empty <PrivilegeSetting>());
}
// Initialize the buffer and get the data
var buffer = new StreamBuffer(bytesNeeded);
if (!Private.GetTokenInformation(
token.DangerousGetHandle(),
TOKEN_INFORMATION_CLASS.TokenPrivileges,
buffer,
(uint)buffer.Length,
out bytesNeeded))
{
int error = Marshal.GetLastWin32Error();
throw GetIoExceptionForError(error);
}
// Loop through and get our privileges
BinaryReader reader = new BinaryReader(buffer, Encoding.Unicode, leaveOpen: true);
uint count = reader.ReadUInt32();
var privileges = new List <PrivilegeSetting>();
StringBuilder sb = new StringBuilder(256);
for (int i = 0; i < count; i++)
{
LUID luid = new LUID
{
LowPart = reader.ReadUInt32(),
HighPart = reader.ReadUInt32(),
};
uint length = (uint)sb.Capacity;
if (!Private.LookupPrivilegeNameW(IntPtr.Zero, ref luid, sb, ref length))
{
int error = Marshal.GetLastWin32Error();
throw GetIoExceptionForError(error);
}
PrivilegeState state = (PrivilegeState)reader.ReadUInt32();
privileges.Add(new PrivilegeSetting(sb.ToString(), state));
sb.Clear();
}
return(privileges);
}
internal static extern bool OpenProcessToken(
IntPtr ProcessHandle,
TokenAccessLevels DesiredAccesss,
out SafeCloseHandle TokenHandle);
internal static extern bool SetThreadToken(
IntPtr Thread,
SafeCloseHandle Token);
internal static extern bool PrivilegeCheck(
SafeCloseHandle ClientToken,
ref PRIVILEGE_SET RequiredPrivileges,
[MarshalAs(UnmanagedType.Bool)] out bool pfResult);
/// <summary>
/// Returns true if the given token has the specified privilege. The privilege may or may not be enabled.
/// </summary>
internal static bool HasPrivilege(SafeCloseHandle token, Privileges privilege)
{
return(GetTokenPrivileges(token).Any(t => t.Privilege == privilege));
}
internal static extern bool DuplicateTokenEx(
SafeCloseHandle hExistingToken,
TokenAccessLevels dwDesiredAccess,
IntPtr lpTokenAttributes,
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
TOKEN_TYPE TokenType,
ref SafeCloseHandle phNewToken);
private static extern bool SetThreadTokenPrivate(
IntPtr Thread,
SafeCloseHandle Token);
internal static extern bool OpenProcessToken(
IntPtr ProcessHandle,
TokenAccessLevels DesiredAccesss,
out SafeCloseHandle TokenHandle);
internal static extern bool OpenThreadToken(
IntPtr ThreadHandle,
TokenAccessLevels DesiredAccess,
[MarshalAs(UnmanagedType.Bool)] bool OpenAsSelf,
out SafeCloseHandle TokenHandle);
