public static SafeHandle GetCurrentAccessToken() { IntPtr originalToken = Constants.INVALID_HANDLE_VALUE; IntPtr threadPSeudoHandle = Kernel32.GetCurrentThread(); if (!AdvApi32PInvoke.OpenThreadToken(threadPSeudoHandle, AdvApi32PInvoke.TOKEN_QUERY | AdvApi32PInvoke.TOKEN_DUPLICATE | AdvApi32PInvoke.TOKEN_ASSIGN_PRIMARY | AdvApi32PInvoke.TOKEN_ADJUST_DEFAULT | AdvApi32PInvoke.TOKEN_ADJUST_SESSIONID, false, out originalToken)) { var lastWin32Error = Marshal.GetLastWin32Error(); if (lastWin32Error != ErrorCodes.ERROR_NO_TOKEN) { throw new Win32Exception(lastWin32Error); } var processPseudohandle = Kernel32.GetCurrentProcess(); if (!AdvApi32PInvoke.OpenProcessToken(processPseudohandle, AdvApi32PInvoke.TOKEN_QUERY | AdvApi32PInvoke.TOKEN_DUPLICATE | AdvApi32PInvoke.TOKEN_ASSIGN_PRIMARY | AdvApi32PInvoke.TOKEN_ADJUST_DEFAULT | AdvApi32PInvoke.TOKEN_ADJUST_SESSIONID, out originalToken)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } } return(new SafeFileHandle(originalToken, true)); }
public static SafeHandle LogonUser(string username, string password, string domain = ".") { IntPtr handle; if (!AdvApi32PInvoke.LogonUser(username, domain, password, (int)AdvApi32PInvoke.LogonType.LOGON32_LOGON_BATCH, (int)AdvApi32PInvoke.LogonProvider.LOGON32_PROVIDER_DEFAULT, out handle)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } return(new SafeFileHandle(handle, true)); }
public static SafeHandle DuplicateTokenAsPrimaryToken(SafeHandle originalToken) { IntPtr duplicatedToken = Constants.INVALID_HANDLE_VALUE; if (!AdvApi32PInvoke.DuplicateTokenEx(originalToken.DangerousGetHandle(), AdvApi32PInvoke.TOKEN_QUERY | AdvApi32PInvoke.TOKEN_DUPLICATE | AdvApi32PInvoke.TOKEN_ASSIGN_PRIMARY | AdvApi32PInvoke.TOKEN_ADJUST_DEFAULT | AdvApi32PInvoke.TOKEN_ADJUST_SESSIONID, Constants.NULL, AdvApi32PInvoke.SECURITY_IMPERSONATION_LEVEL.SecurityDelegation, AdvApi32PInvoke.TOKEN_TYPE.TokenPrimary, out duplicatedToken)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } return(new SafeFileHandle(duplicatedToken, true)); }
private bool CheckPrivilege(string exectedPrivilege, SafeHandle currentUserToken) { AdvApi32PInvoke.LUID luid = default(AdvApi32PInvoke.LUID); expect(() => get_privilege_identifier(exectedPrivilege, out luid)); AdvApi32PInvoke.PRIVILEGE_SET privilegeSet = new AdvApi32PInvoke.PRIVILEGE_SET(); privilegeSet.PrivilegeCount = 1; privilegeSet.Control = AdvApi32PInvoke.PRIVILEGE_SET.PRIVILEGE_SET_ALL_NECESSARY; privilegeSet.Privilege = new AdvApi32PInvoke.LUID_AND_ATTRIBUTES[1]; privilegeSet.Privilege[0].Luid = luid; privilegeSet.Privilege[0].Attributes = AdvApi32PInvoke.LUID_AND_ATTRIBUTES.SE_PRIVILEGE_REMOVED; bool privilegeCheckResult; bool executionResult = AdvApi32PInvoke.PrivilegeCheck(currentUserToken.DangerousGetHandle(), ref privilegeSet, out privilegeCheckResult); expect(() => executionResult); return(privilegeCheckResult); }
private bool get_privilege_identifier(string expectedPrivilege, out AdvApi32PInvoke.LUID luid) { string systemName = null; return(AdvApi32PInvoke.LookupPrivilegeValue(systemName, expectedPrivilege, out luid)); }
public override void Specify() { it("can run code like Luke's code", delegate { using (SafeHandle hToken = AccessToken.GetCurrentAccessToken()) { IntPtr hDuplicate = AccessToken.DuplicateTokenAsPrimaryToken(hToken).DangerousGetHandle(); string commandLine = ("powershell"); var startupInfo = StartupInfoWithOutputStreams.Create(); AdvApi32PInvoke.PROCESS_INFORMATION processInformation = new AdvApi32PInvoke.PROCESS_INFORMATION(); if (!AdvApi32PInvoke.CreateProcessWithTokenW(hDuplicate, AdvApi32PInvoke.LogonFlags.LOGON_WITH_PROFILE, null, commandLine, 0, Constants.NULL, Constants.NULL, ref startupInfo.STARTUP_INFO, out processInformation)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } Kernel32.CloseHandle(hDuplicate); Kernel32.CloseHandle(processInformation.hThread); Kernel32.TerminateProcess(processInformation.hProcess, 0); Kernel32.CloseHandle(processInformation.hProcess); } }); it("can run Luke's code", delegate { IntPtr hToken; if (!AdvApi32PInvoke.OpenProcessToken(Kernel32.GetCurrentProcess(), AdvApi32PInvoke.TOKEN_DUPLICATE, out hToken)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } IntPtr hDuplicate; if (!AdvApi32PInvoke.DuplicateTokenEx(hToken, AdvApi32PInvoke.TOKEN_ASSIGN_PRIMARY | AdvApi32PInvoke.TOKEN_DUPLICATE | AdvApi32PInvoke.TOKEN_QUERY | AdvApi32PInvoke.TOKEN_ADJUST_DEFAULT | AdvApi32PInvoke.TOKEN_ADJUST_SESSIONID, Constants.NULL, AdvApi32PInvoke.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, AdvApi32PInvoke.TOKEN_TYPE.TokenPrimary, out hDuplicate)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } string commandLine = ("powershell"); AdvApi32PInvoke.STARTUPINFO startupInfo = new AdvApi32PInvoke.STARTUPINFO(); startupInfo.cb = Marshal.SizeOf(typeof(AdvApi32PInvoke.STARTUPINFO)); AdvApi32PInvoke.PROCESS_INFORMATION processInformation = new AdvApi32PInvoke.PROCESS_INFORMATION(); if ( !AdvApi32PInvoke.CreateProcessWithTokenW(hDuplicate, AdvApi32PInvoke.LogonFlags.LOGON_WITH_PROFILE, null, commandLine, 0, Constants.NULL, Constants.NULL, ref startupInfo, out processInformation)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } Kernel32.CloseHandle(hToken); Kernel32.CloseHandle(hDuplicate); Kernel32.CloseHandle(processInformation.hThread); Kernel32.TerminateProcess(processInformation.hProcess, 0); Kernel32.CloseHandle(processInformation.hProcess); }); }
public static ConsoleApplicationResultStreams RunNoninteractiveConsoleProcessForStreams(string commandArguments, out string newLine) { using (var threadToken = AccessToken.GetCurrentAccessTokenDuplicatedAsPrimary()) { StreamReader consoleOutput; StreamReader errorOutput; IntPtr processHandle; int dwProcessId; using (var startupInfo = StartupInfoWithOutputStreams.Create()) { AdvApi32PInvoke.PROCESS_INFORMATION lpProcessInformation = new AdvApi32PInvoke.PROCESS_INFORMATION(); AdvApi32PInvoke.LogonFlags logonFlags = AdvApi32PInvoke.LogonFlags.LOGON_WITH_PROFILE; AdvApi32PInvoke.CreationFlags creationFlags = AdvApi32PInvoke.CreationFlags.CREATE_NEW_CONSOLE; if (!AdvApi32PInvoke.CreateProcessWithTokenW(threadToken.DangerousGetHandle(), logonFlags, null, commandArguments, (int)creationFlags, Constants.NULL, Constants.NULL, ref startupInfo.STARTUP_INFO, out lpProcessInformation)) { int lastWin32Error = Marshal.GetLastWin32Error(); if (lastWin32Error == 0xc1) // found in Process.StartWithCreateProcess { throw new Win32Exception("Invalid application"); } throw new Win32Exception(lastWin32Error); } Kernel32.CloseHandle(lpProcessInformation.hThread); processHandle = lpProcessInformation.hProcess; lpProcessInformation.hProcess = Constants.NULL; consoleOutput = startupInfo.ConsoleOutput; errorOutput = startupInfo.ErrorOutput; startupInfo.ConsoleOutput = null; startupInfo.ErrorOutput = null; } consoleOutput.Peek(); var waitResult = Kernel32.WaitForSingleObject(processHandle, Kernel32.INFINITE); if (waitResult == Kernel32.WAIT_FAILED) { throw new Win32Exception(Marshal.GetLastWin32Error()); } if (waitResult == Kernel32.WAIT_TIMEOUT) { throw new TimeoutException("Timed out waiting for process."); } if (waitResult != Kernel32.WAIT_OBJECT_0) { throw new InvalidOperationException("Unexpected wait result."); } int exitCode; if (!Kernel32.GetExitCodeProcess(processHandle, out exitCode)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } MemoryStream consoleStore = ReadStreamToMemoryStream(consoleOutput.BaseStream); MemoryStream errorStore = ReadStreamToMemoryStream(errorOutput.BaseStream); consoleStore.Seek(0, SeekOrigin.Begin); errorStore.Seek(0, SeekOrigin.Begin); newLine = Environment.NewLine; return(new ConsoleApplicationResultStreams(new StreamReader(consoleStore), new StreamReader(errorStore), exitCode)); } }