public ObjectManagerPSDriveInfo(NtObject root, PSDriveInfo drive_info) : base(drive_info) { if (root is NtDirectory dir) { DirectoryRoot = new NtDirectoryContainer(dir); } else if (root is NtKey key) { bool open_for_backup = false; using (var token = NtToken.OpenProcessToken()) { if (token.SinglePrivilegeCheck(TokenPrivilegeValue.SeBackupPrivilege)) { open_for_backup = true; } } DirectoryRoot = new NtKeyContainer(key, open_for_backup); } else { throw new ArgumentException($"Invalid root object. {root.NtTypeName}"); } }
private static Dictionary <string, string> CreateWin32BaseKeys() { Dictionary <string, string> dict = new Dictionary <string, string>(StringComparer.OrdinalIgnoreCase) { { "HKLM", @"\Registry\Machine" }, { "HKEY_LOCAL_MACHINE", @"\Registry\Machine" }, { "HKU", @"\Registry\User" }, { "HKEY_USERS", @"\Registry\User" }, { "HKEY_CURRENT_CONFIG", @"\Registry\Machine\System\CurrentControlSet\Hardware Profiles\Current" }, { "HKCC", @"\Registry\Machine\System\CurrentControlSet\Hardware Profiles\Current" }, }; using (var token = NtToken.OpenProcessToken(NtProcess.Current, TokenAccessRights.Query, false)) { if (token.IsSuccess) { string current_user = $@"\Registry\User\{token.Result.User.Sid}"; dict.Add("HKCU", current_user); dict.Add("HKEY_CURRENT_USER", current_user); dict.Add(@"HKCU\Software\Classes", $"{current_user}_Classes"); dict.Add(@"HKEY_CURRENT_USER\Software\Classes", $"{current_user}_Classes"); } } dict.Add("HKEY_CLASSES_ROOT", @"\Registry\Machine\Software\Classes"); dict.Add("HKCR", @"\Registry\Machine\Software\Classes"); return(dict); }
private static NtToken GetTokenFromProcessWithImpersonation(NtProcess process) { if (_system_token.Value != null) { using (_system_token.Value.Impersonate()) { using (var token = NtToken.OpenProcessToken(process, TokenAccessRights.Duplicate | TokenAccessRights.Impersonate | TokenAccessRights.Query, false)) { if (!token.IsSuccess) { if (token.Status != NtStatus.STATUS_ACCESS_DENIED) { token.Status.ToNtException(); } } return(token.Result.Duplicate()); } } } return(GetTokenFromProcessDuplication(process)); }
private void RefreshServiceList() { ClearList(listViewServices); foreach (var service in ServiceUtils.GetRunningServicesWithProcessIds()) { using (var result = NtToken.OpenProcessToken(service.ProcessId, false, TokenAccessRights.MaximumAllowed | TokenAccessRights.Query, false)) { if (!result.IsSuccess) { continue; } var token = result.Result; ListViewItem item = new ListViewItem(service.Name); item.SubItems.Add(token.User.ToString()); item.SubItems.Add(service.LaunchProtected.ToString()); item.SubItems.Add(service.SidType.ToString()); item.SubItems.Add(service.DisplayName); item.SubItems.Add(service.ProcessId.ToString()); item.Tag = new ServiceTokenEntry(service, token); listViewServices.Items.Add(item); } } ResizeColumns(listViewServices); }
public void UpdateProcessList(ProcessAccessRights desired_access, bool require_token) { NtToken.EnableDebugPrivilege(); ClearListView(); using (var ps = NtProcess.GetProcesses(ProcessAccessRights.QueryLimitedInformation | desired_access, true).ToDisposableList()) { foreach (var p in ps.OrderBy(p => p.ProcessId)) { using (var result = NtToken.OpenProcessToken(p, TokenAccessRights.MaximumAllowed, false)) { if (!result.IsSuccess && require_token) { continue; } ListViewItem item = listViewProcesses.Items.Add(p.ProcessId.ToString()); item.SubItems.Add(p.Name); if (result.IsSuccess) { NtToken token = result.Result; item.SubItems.Add(p.User.Name); item.SubItems.Add(token.IntegrityLevel.ToString()); } item.Tag = _processes.AddResource(p.Duplicate()); } } } listViewProcesses.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent); listViewProcesses.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize); listViewProcesses.ListViewItemSorter = new ListItemComparer(0); }
private NtToken GetEffectiveToken(TokenAccessRights desired_access) { if (Pseduo) { return(NtToken.PseudoEffectiveToken); } NtToken token = GetImpersonationToken(desired_access); if (token != null) { return(token); } if (Thread == null && !ThreadId.HasValue) { return(NtToken.OpenProcessToken(NtProcess.Current, false, desired_access)); } int pid; if (Thread != null) { pid = Thread.ProcessId; } else { using (NtThread thread = NtThread.Open(ThreadId.Value, ThreadAccessRights.QueryLimitedInformation)) { pid = thread.ProcessId; } } return(NtToken.OpenProcessToken(pid, false, desired_access)); }
private NtToken OpenImpersonationToken() { using (NtToken token = NtToken.OpenProcessToken()) { return(token.DuplicateToken(SecurityImpersonationLevel.Identification)); } }
private static void AddTokenEntryFromProcess(HashSet <TokenEntry> tokens, NtProcess process) { using (var token = NtToken.OpenProcessToken(process, false, TokenAccessRights.Query)) { using (var imp_token = token.DuplicateToken(TokenType.Impersonation, SecurityImpersonationLevel.Impersonation, TokenAccessRights.Query | TokenAccessRights.Impersonate | TokenAccessRights.Duplicate, false)) { NtToken valid_imp_token = null; if (!imp_token.IsSuccess) { if (!_has_impersonate_privilege.Value || imp_token.Status != NtStatus.STATUS_ACCESS_DENIED) { imp_token.Status.ToNtException(); } valid_imp_token = GetTokenFromProcessWithImpersonation(process); } else { valid_imp_token = imp_token.Result; } AddTokenEntry(tokens, new TokenEntry(token, valid_imp_token, process)); } } }
static void Main(string[] args) { bool show_help = false; bool recursive = false; HashSet <string> exclude_dirs = new HashSet <string>(StringComparer.OrdinalIgnoreCase); int pid = Process.GetCurrentProcess().Id; try { OptionSet opts = new OptionSet() { { "r", "Recursive tree directory listing", v => recursive = v != null }, { "sddl", "Print full SDDL security descriptors", v => _print_sddl = v != null }, { "p|pid=", "Specify a PID of a process to impersonate when checking", v => pid = int.Parse(v.Trim()) }, { "w", "Show only write permissions granted", v => _show_write_only = v != null }, { "k=", String.Format("Filter on a specific directory right [{0}]", String.Join(",", Enum.GetNames(typeof(DirectoryAccessRights)))), v => _dir_rights |= ParseRight(v, typeof(DirectoryAccessRights)) }, { "x=", "Specify a base path to exclude from recursive search", v => exclude_dirs.Add(v) }, { "t=", "Specify a type of object to include", v => _type_filter.Add(v) }, { "g", "Map access mask to generic rights.", v => _map_to_generic = v != null }, { "e", "Display errors when opening objects, ignores access denied.", v => _show_errors = v != null }, { "h|help", "show this message and exit", v => show_help = v != null }, }; List <string> paths = opts.Parse(args); if (show_help || (paths.Count == 0)) { ShowHelp(opts); } else { using (NtToken token = NtToken.OpenProcessToken(pid)) { foreach (string path in paths) { try { using (NtDirectory dir = OpenDirectory(path)) { HashSet <string> walked = new HashSet <string>(exclude_dirs, StringComparer.OrdinalIgnoreCase); Console.WriteLine("Dumping Directory: {0}", path); DumpDirectory(dir, token, recursive, walked); } } catch (NtException ex) { Console.WriteLine("Couldn't open {0} - {1}", path, ex.Message); } } } } } catch (Exception e) { Console.WriteLine(e.Message); } }
static void Main(string[] args) { try { string dir = CreateDir(); Console.WriteLine("Created {0} to test mount point bypass", dir); using (var token = NtToken.OpenProcessToken()) { Console.WriteLine("Lowering token to Low IL"); token.SetIntegrityLevel(TokenIntegrityLevel.Low); } using (var file = NtFile.Open(NtFileUtils.DosFileNameToNt(dir), null, FileAccessRights.GenericRead | FileAccessRights.GenericWrite, FileShareMode.None, FileOpenOptions.OpenReparsePoint | FileOpenOptions.DirectoryFile)) { Console.WriteLine("Opened {0}", file.FullPath); byte[] buffer = BuildReparseBuffer(Environment.GetFolderPath(Environment.SpecialFolder.Windows)); file.FsControl(NtWellKnownIoControlCodes.FSCTL_SET_REPARSE_POINT_EX, buffer, 0); MountPointReparseBuffer rp = (MountPointReparseBuffer)file.GetReparsePoint(); Console.WriteLine("Set Mount Point: {0} {1}", rp.Tag, rp.SubstitutionName); Console.ReadLine(); } } catch (Exception ex) { Console.WriteLine(ex); Console.ReadLine(); } }
/// <summary> /// Get the maximum permission access for this object based on the current token /// and its security descriptor. /// </summary> /// <returns>Returns 0 if can't read the security descriptor.</returns> public A GetMaximumAccess() { using (NtToken token = NtToken.OpenProcessToken()) { return(GetMaximumAccess(token)); } }
static void SetVirtualization(bool enable) { using (var token = NtToken.OpenProcessToken()) { token.VirtualizationEnabled = enable; } }
/// <summary> /// Method to create an object from a set of object attributes. /// </summary> /// <param name="obj_attributes">The object attributes to create/open from.</param> /// <returns>The newly created object.</returns> protected override object CreateObject(ObjectAttributes obj_attributes) { string key_path = Win32Path ? NtKeyUtils.Win32KeyNameToNt(KeyPath) : KeyPath; using (ObjectAttributes name = new ObjectAttributes(key_path, AttributeFlags.CaseInsensitive)) { if ((LoadFlags & LoadKeyFlags.AppKey) == 0) { using (NtToken token = NtToken.OpenProcessToken()) { TokenPrivilege priv = token.GetPrivilege(TokenPrivilegeValue.SeRestorePrivilege); if (priv == null || (priv.Attributes & PrivilegeAttributes.Enabled) == 0) { WriteWarning("Loading a non-app hive should require SeRestorePrivilege"); } } } else { if (!KeyPath.StartsWith(@"\Registry\A\", System.StringComparison.OrdinalIgnoreCase)) { WriteWarning(@"Loading app hive outside of \Registry\A\ will fail on an up to date system."); } } return(NtKey.LoadKey(name, obj_attributes, LoadFlags, Access)); } }
static bool IsInAppContainer() { using (var token = NtToken.OpenProcessToken()) { return(token.AppContainer); } }
static void EnablePrivileges() { using (var token = NtToken.OpenProcessToken()) { token.SetPrivilege(TokenPrivilegeValue.SeBackupPrivilege, PrivilegeAttributes.Enabled); token.SetPrivilege(TokenPrivilegeValue.SeRestorePrivilege, PrivilegeAttributes.Enabled); } }
static int Main(string[] args) { IntPtr handle = GetConsoleWindow(); // Hide ShowWindow(handle, SW_HIDE); InvokePrivs.EnablePriv("SeImpersonatePrivilege"); if (args.LongLength > 0) { string cmd = args[0]; //= Shell.GetCommand(Process.GetCurrentProcess().MainModule.FileName); } else { Environment.Exit(-1); } DCERPCNtlmHandler dcerpcServer = new DCERPCNtlmHandler(); Thread bootstrapThread = null; Thread dcerpcThread = null; dcerpcThread = new Thread(() => dcerpcServer.start("127.0.0.1", "6666", "127.0.0.1", "135", false, "true", cmd)); dcerpcThread.Start(); Thread.Sleep(100); try { bootstrapThread = new Thread(() => ComUtils.BootstrapComMarshal()); bootstrapThread.Start(); } catch (Exception e) { Console.WriteLine("This wasn't supposed to happen... {0}", e); } if (dcerpcThread != null) { DCERPCNtlmHandler.finished.WaitOne(); if (!Shell.NtShell) { NtToken main_token = NtToken.OpenProcessToken(); //TokenUtils.CreateProcessForToken("powershell.exe -EncodedCommand " + cmd, main_token, false); TokenUtils.CreateProcessForToken(cmd, main_token, false); } Thread.Sleep(100); Environment.Exit(0); dcerpcThread.Abort(); bootstrapThread.Abort(); } Environment.Exit(0); return(0); }
private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens) { if (!NtToken.EnableDebugPrivilege()) { WriteWarning("Current process doesn't have SeDebugPrivilege, results may be inaccurate"); } NtType type = NtType.GetTypeByType <NtToken>(); AccessMask access_rights = type.MapGenericRights(AccessRights); int current_session_id = NtProcess.Current.SessionId; using (var procs = NtProcess.GetProcesses(ProcessAccessRights.QueryInformation | ProcessAccessRights.ReadControl, false).ToDisposableList()) { IEnumerable <NtProcess> proc_enum = procs; if (CurrentSession) { proc_enum = proc_enum.Where(p => CheckSession(p, current_session_id)); } foreach (var proc in proc_enum.Where(p => ShowDeadProcesses || !p.IsDeleting)) { using (var result = NtToken.OpenProcessToken(proc, TokenAccessRights.ReadControl | TokenAccessRights.Query, false)) { if (!result.IsSuccess) { WriteWarning($"Couldn't open token for Process {proc.Name} PID: {proc.ProcessId} Status: {result.Status}"); continue; } NtToken primary_token = result.Result; var sd_result = primary_token.GetSecurityDescriptor(SecurityInformation.AllBasic, false); if (!sd_result.IsSuccess) { WriteWarning($"Couldn't get token's Security Descriptor for Process {proc.Name} PID: {proc.ProcessId} Status: {sd_result.Status}"); continue; } var sd = sd_result.Result; string process_name = proc.Name; string process_cmdline = proc.CommandLine; string image_path = proc.FullPath; int process_id = proc.ProcessId; foreach (var token in tokens) { if (proc.GetMaximumAccess(token.Token).HasFlag(ProcessAccessRights.QueryLimitedInformation)) { AccessMask granted_access = NtSecurity.GetMaximumAccess(sd, token.Token, type.GenericMapping); if (IsAccessGranted(granted_access, access_rights)) { WriteObject(new TokenAccessCheckResult(primary_token, proc, granted_access, sd, token.Information)); } } } } } } }
private static NtToken FetchDesktopToken() { var shell = GetShellWindow(); _ = GetWindowThreadProcessId(shell, out var shellProcessId); using var proc = NtProcess.Open(shellProcessId, ProcessAccessRights.MaximumAllowed, true).GetResultOrThrow(); using var token = NtToken.OpenProcessToken(proc); return(token.DuplicateToken(TokenType.Primary, SecurityImpersonationLevel.Impersonation, TokenAccessRights.MaximumAllowed)); }
private NtToken GetPrimaryToken(TokenAccessRights desired_access) { if (ProcessId.HasValue) { return(NtToken.OpenProcessToken(ProcessId.Value, false, desired_access)); } return(NtToken.OpenProcessToken(Process ?? NtProcess.Current, false, desired_access)); }
static void Main(string[] args) { bool show_help = false; int pid = Process.GetCurrentProcess().Id; try { PrintDeprecationWarning(); OptionSet opts = new OptionSet() { { "r", "Recursive tree directory listing", v => _recursive = v != null }, { "sddl", "Print full SDDL security descriptors", v => _print_sddl = v != null }, { "p|pid=", "Specify a PID of a process to impersonate when checking", v => pid = int.Parse(v.Trim()) }, { "w", "Show only write permissions granted", v => _show_write_only = v != null }, { "k=", String.Format("Filter on a specific right [{0}]", String.Join(",", Enum.GetNames(typeof(KeyAccessRights)))), v => _key_rights |= ParseRight(v, typeof(KeyAccessRights)) }, { "x=", "Specify a base path to exclude from recursive search", v => _walked.Add(v.ToLower()) }, { "g", "Map access mask to generic rights.", v => _map_to_generic = v != null }, { "h|help", "show this message and exit", v => show_help = v != null }, }; List <string> paths = opts.Parse(args); if (show_help || (paths.Count == 0)) { ShowHelp(opts); } else { using (NtToken token = NtToken.OpenProcessToken(pid)) { foreach (string path in paths) { try { using (NtKey key = OpenKey(path)) { DumpKey(token, key); } } catch (NtException ex) { Console.Error.WriteLine("Error opening key: {0} - {1}", path, ex.Message); } } } } } catch (Exception e) { Console.Error.WriteLine(e.Message); } }
private static void AddTokenEntryFromProcess(HashSet <TokenEntry> tokens, NtProcess process) { using (NtToken token = NtToken.OpenProcessToken(process, false, TokenAccessRights.Duplicate | TokenAccessRights.Impersonate | TokenAccessRights.Query)) { AddTokenEntry(tokens, new TokenEntry(token, process)); } }
internal NtProcessMitigations(NtProcess process) { ProcessDepStatus dep_status = process.DepStatus; DisableAtlThunkEmulation = dep_status.DisableAtlThunkEmulation; DepEnabled = dep_status.Enabled; DepPermanent = dep_status.Permanent; int result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessASLRPolicy); EnableBottomUpRandomization = result.GetBit(0); EnableForceRelocateImages = result.GetBit(1); EnableHighEntropy = result.GetBit(2); DisallowStrippedImages = result.GetBit(3); DisallowWin32kSystemCalls = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessSystemCallDisablePolicy).GetBit(0); result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessStrictHandleCheckPolicy); RaiseExceptionOnInvalidHandleReference = result.GetBit(0); HandleExceptionsPermanentlyEnabled = result.GetBit(1); result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessFontDisablePolicy); DisableNonSystemFonts = result.GetBit(0); AuditNonSystemFontLoading = result.GetBit(1); result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessDynamicCodePolicy); ProhibitDynamicCode = result.GetBit(0); AllowThreadOptOut = result.GetBit(1); AllowRemoteDowngrade = result.GetBit(2); DisableExtensionPoints = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessExtensionPointDisablePolicy).GetBit(0); result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessSignaturePolicy); MicrosoftSignedOnly = result.GetBit(0); StoreSignedOnly = result.GetBit(1); SignedMitigationOptIn = result.GetBit(2); result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessImageLoadPolicy); NoRemoteImages = result.GetBit(0); NoLowMandatoryLabelImages = result.GetBit(1); PreferSystem32Images = result.GetBit(2); result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessReturnFlowGuardPolicy); EnabledReturnFlowGuard = result.GetBit(0); ReturnFlowGuardStrictMode = result.GetBit(1); IsChildProcessRestricted = process.IsChildProcessRestricted; using (var token = NtToken.OpenProcessToken(process, TokenAccessRights.Query, false)) { IsRestricted = token.Result.Restricted; IsAppContainer = token.Result.AppContainer; IsLowPrivilegeAppContainer = token.Result.LowPrivilegeAppContainer; IntegrityLevel = token.Result.IntegrityLevel; } ProcessId = process.ProcessId; Name = process.Name; ImagePath = process.FullPath; CommandLine = process.CommandLine; }
static void Main(string[] args) { bool show_help = false; int pid = Process.GetCurrentProcess().Id; try { OptionSet opts = new OptionSet() { { "r", "Recursive tree directory listing", v => _recursive = v != null }, { "sddl", "Print full SDDL security descriptors", v => _print_sddl = v != null }, { "p|pid=", "Specify a PID of a process to impersonate when checking", v => pid = int.Parse(v.Trim()) }, { "w", "Show only write permissions granted", v => _show_write_only = v != null }, { "f=", String.Format("Filter on a file right [{0}]", String.Join(",", Enum.GetNames(typeof(FileAccessRights)))), v => _file_filter |= ParseRight(v, typeof(FileAccessRights)) }, { "d=", String.Format("Filter on a directory right [{0}]", String.Join(",", Enum.GetNames(typeof(FileDirectoryAccessRights)))), v => _dir_filter |= ParseRight(v, typeof(FileDirectoryAccessRights)) }, { "x=", "Specify a base path to exclude from recursive search", v => _walked.Add(v) }, { "q", "Don't print errors", v => _quiet = v != null }, { "onlydirs", "Only check the permissions of directories", v => _only_dirs = v != null }, { "h|help", "show this message and exit", v => show_help = v != null }, }; List <string> paths = opts.Parse(args); if (show_help || (paths.Count == 0)) { ShowHelp(opts); } else { _type = NtType.GetTypeByName("file"); _token = NtToken.OpenProcessToken(pid); foreach (string path in paths) { if ((File.GetAttributes(path) & System.IO.FileAttributes.Directory) == System.IO.FileAttributes.Directory) { DumpDirectory(new DirectoryInfo(path)); } else { DumpFile(new FileInfo(path)); } } } } catch (Exception e) { Console.WriteLine(e.Message); } }
private void btnCurrentProcess_Click(object sender, EventArgs e) { try { TokenForm.OpenForm(NtToken.OpenProcessToken(), false); } catch (NtException ex) { MessageBox.Show(this, ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); } }
private protected bool HasSecurityPrivilege() { if (!_has_security_privilege.HasValue) { using (var token = NtToken.OpenProcessToken()) { _has_security_privilege = token.GetPrivilege(TokenPrivilegeValue.SeSecurityPrivilege)?.Enabled ?? false; } } return(_has_security_privilege.Value); }
private static NtToken GetProcessToken(NtThread thread) { try { return(NtToken.OpenProcessToken(thread.ProcessId)); } catch (NtException) { return(null); } }
static void Main(string[] args) { bool show_help = false; int pid = Process.GetCurrentProcess().Id; int recursive_depth = 1; bool no_files = false; try { PrintDeprecationWarning(); OptionSet opts = new OptionSet() { { "r", "Recursive tree directory listing", v => recursive_depth = v != null ? int.MaxValue : 1 }, { "sddl", "Print full SDDL security descriptors", v => _print_sddl = v != null }, { "p|pid=", "Specify a PID of a process to impersonate when checking", v => pid = int.Parse(v.Trim()) }, { "w", "Show only write permissions granted", v => _show_write_only = v != null }, { "f=", String.Format("Filter on a file right [{0}]", String.Join(",", Enum.GetNames(typeof(FileAccessRights)))), v => _file_filter |= ParseRight(v, typeof(FileAccessRights)) }, { "d=", String.Format("Filter on a directory right [{0}]", String.Join(",", Enum.GetNames(typeof(FileDirectoryAccessRights)))), v => _dir_filter |= ParseRight(v, typeof(FileDirectoryAccessRights)) }, { "x=", "Specify a base path to exclude from recursive search", v => _walked.Add(ConvertPath(v)) }, { "q", "Don't print errors", v => _quiet = v != null }, { "g", "Map access mask to generic rights.", v => _map_to_generic = v != null }, { "nofiles", "Don't show permission of files.", v => no_files = v != null }, { "depth", "Specify a recursive depth", v => recursive_depth = int.Parse(v) }, { "h|help", "show this message and exit", v => show_help = v != null }, }; List <string> paths = opts.Parse(args).Select(p => ConvertPath(p)).ToList(); if (show_help || (paths.Count == 0)) { ShowHelp(opts); } else { _type = NtType.GetTypeByType <NtFile>(); _token = NtToken.OpenProcessToken(pid); foreach (string path in paths) { DumpFile(path, null, recursive_depth, no_files); } } } catch (Exception e) { Console.WriteLine(e.Message); } }
private NtToken GetServiceNameToken(TokenAccessRights desired_access) { int pid = ServiceUtils.GetServiceProcessId(ServiceName); if (pid == 0) { throw new ArgumentException($"{ServiceName} is not current running."); } using (var process = NtProcess.Open(pid, ProcessAccessRights.QueryLimitedInformation)) { return(NtToken.OpenProcessToken(process, false, desired_access)); } }
private NtToken GetSandboxedToken(TokenAccessRights desired_access, Func <NtToken, NtToken> sandbox_func) { using (NtToken token = Token != null ? Token.Duplicate() : NtToken.OpenProcessToken()) { using (NtToken sandbox_token = sandbox_func(token)) { if (desired_access == TokenAccessRights.MaximumAllowed) { return(token.Duplicate()); } return(token.Duplicate(desired_access)); } } }
/// <summary> /// Override for begin processing. /// </summary> protected override void BeginProcessing() { using (NtToken process_token = NtToken.OpenProcessToken()) { _open_for_backup = process_token.SetPrivilege(TokenPrivilegeValue.SeBackupPrivilege, PrivilegeAttributes.Enabled); if (!_open_for_backup) { WriteWarning("Current process doesn't have SeBackupPrivilege, results may be inaccurate"); } } base.BeginProcessing(); }