/// <summary>
/// Walks the processes returned by <c>NtProcess.GetProcesses</c>, reads the security
/// descriptor of each process's primary token, and writes a
/// <c>TokenAccessCheckResult</c> for every candidate token that is granted the
/// requested access to it.
/// </summary>
/// <param name="tokens">
/// Candidate tokens to check. The sequence is enumerated once per process examined.
/// </param>
/// <remarks>
/// Coverage caveats when reading the output:
/// processes are requested with QueryInformation | ReadControl, and a process whose
/// token cannot be opened, or whose token security descriptor cannot be read, only
/// produces a warning and is skipped. A missing result therefore does not show that
/// access is denied; the warnings mark where the audit has gaps. Failing to enable
/// SeDebugPrivilege is reported as a warning as well and the check carries on.
/// </remarks>
private protected override void RunAccessCheck(IEnumerable<TokenEntry> tokens)
{
    // Best effort: without the privilege the run continues, but the operator is told
    // that the results may be inaccurate.
    if (!NtToken.EnableDebugPrivilege())
    {
        WriteWarning("Current process doesn't have SeDebugPrivilege, results may be inaccurate");
    }

    NtType token_type = NtType.GetTypeByType<NtToken>();
    // Generic rights in AccessRights are mapped to token-specific rights once, up front.
    AccessMask desired_access = token_type.MapGenericRights(AccessRights);
    int session_id = NtProcess.Current.SessionId;

    using (var procs = NtProcess.GetProcesses(ProcessAccessRights.QueryInformation | ProcessAccessRights.ReadControl, false).ToDisposableList())
    {
        // The session switch is read once, before iteration starts.
        bool only_current_session = CurrentSession;

        foreach (var proc in procs)
        {
            if (only_current_session && !CheckSession(proc, session_id))
            {
                continue;
            }

            // Processes that are being deleted are skipped unless explicitly requested.
            if (!ShowDeadProcesses && proc.IsDeleting)
            {
                continue;
            }

            using (var token_result = NtToken.OpenProcessToken(proc, TokenAccessRights.ReadControl | TokenAccessRights.Query, false))
            {
                if (!token_result.IsSuccess)
                {
                    WriteWarning($"Couldn't open token for Process {proc.Name} PID: {proc.ProcessId} Status: {token_result.Status}");
                    continue;
                }

                NtToken primary_token = token_result.Result;
                var sd_query = primary_token.GetSecurityDescriptor(SecurityInformation.AllBasic, false);
                if (!sd_query.IsSuccess)
                {
                    WriteWarning($"Couldn't get token's Security Descriptor for Process {proc.Name} PID: {proc.ProcessId} Status: {sd_query.Status}");
                    continue;
                }

                var token_sd = sd_query.Result;

                // NOTE(review): these four values are read but never used below. The reads
                // are kept, in their original order, because what the getters do is not
                // visible from here - confirm before removing them.
                _ = proc.Name;
                _ = proc.CommandLine;
                _ = proc.FullPath;
                _ = proc.ProcessId;

                foreach (var candidate in tokens)
                {
                    // A candidate is only considered when its maximum access to the process
                    // includes QueryLimitedInformation (presumably because it could not
                    // otherwise open the process token at all).
                    bool can_query_process = proc.GetMaximumAccess(candidate.Token).HasFlag(ProcessAccessRights.QueryLimitedInformation);
                    if (!can_query_process)
                    {
                        continue;
                    }

                    AccessMask granted_access = NtSecurity.GetMaximumAccess(token_sd, candidate.Token, token_type.GenericMapping);
                    if (!IsAccessGranted(granted_access, desired_access))
                    {
                        continue;
                    }

                    // NOTE(review): primary_token comes from token_result, which is disposed
                    // when this iteration ends - confirm TokenAccessCheckResult copies what
                    // it needs in its constructor rather than keeping the token object.
                    WriteObject(new TokenAccessCheckResult(primary_token, proc, granted_access, token_sd, candidate.Information));
                }
            }
        }
    }
}