static void Main(string[] args)
        {
            bool show_help = false;                        

            _pid = Process.GetCurrentProcess().Id;

            try
            {
                OptionSet opts = new OptionSet() {                        
                        { "p|pid=", "Specify a PID of a process to impersonate when checking", v => _pid = int.Parse(v.Trim()) },    
                        { "n", "Specifes the list of arguments represents names instead of pids", v => _named_process = v != null },        
                        { "i", "Use an indentify level token when impersonating", v => _identify_only = v != null },                        
                        { "t", "Dump accessible threads for process", v => _dump_threads = v != null },                        
                        { "k", "Dump tokens for accessible objects", v => _dump_token = v != null },
                        { "sddl", "Dump SDDL strings for objects", v => _print_sddl = v != null },
                        { "h|help",  "show this message and exit", 
                           v => show_help = v != null },
                    };

                List<string> pids = opts.Parse(args).Select(s => s.ToLower()).ToList();
                
                if (show_help)
                {
                    ShowHelp(opts);
                }
                else
                {
                    IEnumerable<ProcessEntry> processes = new ProcessEntry[0];

                    if (pids.Count > 0 && !_named_process)
                    {
                        List<ProcessEntry> procs = new List<ProcessEntry>();
                        using (ImpersonateProcess imp = NativeBridge.Impersonate(_pid,
                            _identify_only ? TokenSecurityLevel.Identification : TokenSecurityLevel.Impersonate))
                        {
                            foreach (string pid_name in pids)
                            {
                                try
                                {
                                    procs.Add(new ProcessEntry(NativeBridge.OpenProcess(int.Parse(pid_name))));
                                }
                                catch (Win32Exception ex)
                                {
                                    Console.WriteLine("Error opening pid {0} - {1}", pid_name, ex.Message);
                                }
                            }
                        }

                        processes = procs;                        
                    }
                    else
                    {
                        try
                        {
                            using (ImpersonateProcess imp = NativeBridge.Impersonate(_pid,
                                _identify_only ? TokenSecurityLevel.Identification : TokenSecurityLevel.Impersonate))
                            {
                                processes = NativeBridge.GetProcesses().Select(h => new ProcessEntry(h));
                            }

                            if (_named_process && pids.Count > 0)
                            {
                                processes = processes.Where(p => pids.Contains(p.Name.ToLower()));
                            }
                        }
                        catch (Win32Exception ex)
                        {
                            Console.WriteLine(ex);
                        }
                    }

                    List<ProcessEntry> ps = processes.ToList();

                    ps.Sort((a, b) => a.Pid - b.Pid);

                    processes = ps;

                    foreach (ProcessEntry process in processes)
                    {
                        Console.WriteLine("{0}: {1} {2}", process.Pid, process.Name, process.GetGrantedAccess());
                        if (_print_sddl && process.StringSecurityDescriptor.Length > 0)
                        {
                            Console.WriteLine("SDDL: {0}", process.StringSecurityDescriptor);
                        }

                        if (_dump_token && process.Token != null)
                        {
                            Console.WriteLine("User: {0}", process.Token.UserName);
                            if (_print_sddl && process.Token.StringSecurityDescriptor.Length > 0)
                            {
                                Console.WriteLine("Token SDDL: {0}", process.Token.StringSecurityDescriptor);
                            }
                        }

                        if (_dump_threads)
                        {
                            foreach (ThreadEntry thread in process.Threads)
                            {
                                Console.WriteLine("-- Thread {0}: {1}", thread.Tid, thread.GetGrantedAccess());
                                if (_print_sddl && thread.StringSecurityDescriptor.Length > 0)
                                {
                                    Console.WriteLine("---- SDDL: {0}", thread.StringSecurityDescriptor);
                                }

                                if (_dump_token && thread.Token != null)
                                {                                    
                                    Console.WriteLine("---- Impersonating {0}", thread.Token.UserName);
                                    if (_print_sddl && thread.Token.StringSecurityDescriptor.Length > 0)
                                    {
                                        Console.WriteLine("---- Token SDDL: {0}", thread.Token.StringSecurityDescriptor);
                                    }
                                }
                            }
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex.Message);
            }
        }
        static void Main(string[] args)
        {
            bool show_help = false;

            _pid = Process.GetCurrentProcess().Id;

            try
            {
                OptionSet opts = new OptionSet()
                {
                    { "p|pid=", "Specify a PID of a process to impersonate when checking", v => _pid = int.Parse(v.Trim()) },
                    { "n", "Specifes the list of arguments represents names instead of pids", v => _named_process = v != null },
                    { "i", "Use an indentify level token when impersonating", v => _identify_only = v != null },
                    { "t", "Dump accessible threads for process", v => _dump_threads = v != null },
                    { "k", "Dump tokens for accessible objects", v => _dump_token = v != null },
                    { "sddl", "Dump SDDL strings for objects", v => _print_sddl = v != null },
                    { "h|help", "show this message and exit",
                      v => show_help = v != null },
                };

                List <string> pids = opts.Parse(args).Select(s => s.ToLower()).ToList();

                if (show_help)
                {
                    ShowHelp(opts);
                }
                else
                {
                    IEnumerable <ProcessEntry> processes = new ProcessEntry[0];

                    if (pids.Count > 0 && !_named_process)
                    {
                        List <ProcessEntry> procs = new List <ProcessEntry>();
                        using (ImpersonateProcess imp = NativeBridge.Impersonate(_pid,
                                                                                 _identify_only ? TokenSecurityLevel.Identification : TokenSecurityLevel.Impersonate))
                        {
                            foreach (string pid_name in pids)
                            {
                                try
                                {
                                    procs.Add(new ProcessEntry(NativeBridge.OpenProcess(int.Parse(pid_name))));
                                }
                                catch (Win32Exception ex)
                                {
                                    Console.WriteLine("Error opening pid {0} - {1}", pid_name, ex.Message);
                                }
                            }
                        }

                        processes = procs;
                    }
                    else
                    {
                        try
                        {
                            using (ImpersonateProcess imp = NativeBridge.Impersonate(_pid,
                                                                                     _identify_only ? TokenSecurityLevel.Identification : TokenSecurityLevel.Impersonate))
                            {
                                processes = NativeBridge.GetProcesses().Select(h => new ProcessEntry(h));
                            }

                            if (_named_process && pids.Count > 0)
                            {
                                processes = processes.Where(p => pids.Contains(p.Name.ToLower()));
                            }
                        }
                        catch (Win32Exception ex)
                        {
                            Console.WriteLine(ex);
                        }
                    }

                    List <ProcessEntry> ps = processes.ToList();

                    ps.Sort((a, b) => a.Pid - b.Pid);

                    processes = ps;

                    foreach (ProcessEntry process in processes)
                    {
                        Console.WriteLine("{0}: {1} {2}", process.Pid, process.Name, process.GetGrantedAccess());
                        if (_print_sddl && process.StringSecurityDescriptor.Length > 0)
                        {
                            Console.WriteLine("SDDL: {0}", process.StringSecurityDescriptor);
                        }

                        if (_dump_token && process.Token != null)
                        {
                            Console.WriteLine("User: {0}", process.Token.UserName);
                            if (_print_sddl && process.Token.StringSecurityDescriptor.Length > 0)
                            {
                                Console.WriteLine("Token SDDL: {0}", process.Token.StringSecurityDescriptor);
                            }
                        }

                        if (_dump_threads)
                        {
                            foreach (ThreadEntry thread in process.Threads)
                            {
                                Console.WriteLine("-- Thread {0}: {1}", thread.Tid, thread.GetGrantedAccess());
                                if (_print_sddl && thread.StringSecurityDescriptor.Length > 0)
                                {
                                    Console.WriteLine("---- SDDL: {0}", thread.StringSecurityDescriptor);
                                }

                                if (_dump_token && thread.Token != null)
                                {
                                    Console.WriteLine("---- Impersonating {0}", thread.Token.UserName);
                                    if (_print_sddl && thread.Token.StringSecurityDescriptor.Length > 0)
                                    {
                                        Console.WriteLine("---- Token SDDL: {0}", thread.Token.StringSecurityDescriptor);
                                    }
                                }
                            }
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex.Message);
            }
        }
Exemple #3
0
        static void Main(string[] args)
        {
            bool show_help = false;

            _pid = Process.GetCurrentProcess().Id;

            try
            {
                OptionSet opts = new OptionSet()
                {
                    { "p|pid=", "Specify a PID of a process to impersonate when checking", v => _pid = int.Parse(v.Trim()) },
                    { "n", "Specifes the list of arguments represents names instead of pids", v => _named_process = v != null },
                    { "i", "Use an indentify level token when impersonating", v => _identify_only = v != null },
                    { "t", "Dump accessible threads for process", v => _dump_threads = v != null },
                    { "k", "Dump tokens for accessible objects", v => _dump_token = v != null },
                    { "a", "Start with all accessible threads instead of processes", v => _dump_threads = _all_threads = v != null },
                    { "sddl", "Dump SDDL strings for objects", v => _print_sddl = v != null },
                    { "h|help", "show this message and exit",
                      v => show_help = v != null },
                };

                List <string> pids = opts.Parse(args).Select(s => s.ToLower()).ToList();

                if (show_help)
                {
                    ShowHelp(opts);
                }
                else
                {
                    IEnumerable <ProcessEntry> processes = new ProcessEntry[0];

                    if (_all_threads)
                    {
                        NtThread[] all_threads = null;

                        using (var imp = NtToken.Impersonate(_pid,
                                                             _identify_only ? SecurityImpersonationLevel.Identification : SecurityImpersonationLevel.Impersonation))
                        {
                            if (pids.Count > 0)
                            {
                                List <NtThread> ths = new List <NtThread>();
                                foreach (string pid_name in pids)
                                {
                                    try
                                    {
                                        ths.Add(NtThread.Open(int.Parse(pid_name), ThreadAccessRights.MaximumAllowed));
                                    }
                                    catch (NtException ex)
                                    {
                                        Console.WriteLine("Error opening tid {0} - {1}", pid_name, ex.Message);
                                    }
                                }

                                all_threads = ths.ToArray();
                            }
                            else
                            {
                                all_threads = NtThread.GetThreads(ThreadAccessRights.MaximumAllowed).ToArray();
                            }

                            List <ProcessEntry> procs = new List <ProcessEntry>();

                            foreach (var group in all_threads.GroupBy(t => t.ProcessId))
                            {
                                ProcessEntry entry   = null;
                                NtThread[]   threads = group.ToArray();
                                try
                                {
                                    entry = new ProcessEntry(NtProcess.Open(group.Key, ProcessAccessRights.MaximumAllowed), threads);
                                }
                                catch (NtException)
                                {
                                    entry = new ProcessEntry(group.Key, threads);
                                }
                                procs.Add(entry);
                            }
                            processes = procs;
                        }
                    }
                    else
                    {
                        if (pids.Count > 0 && !_named_process)
                        {
                            List <ProcessEntry> procs = new List <ProcessEntry>();
                            using (var imp = NtToken.Impersonate(_pid,
                                                                 _identify_only ? SecurityImpersonationLevel.Identification : SecurityImpersonationLevel.Impersonation))
                            {
                                foreach (string pid_name in pids)
                                {
                                    try
                                    {
                                        procs.Add(new ProcessEntry(NtProcess.Open(int.Parse(pid_name), ProcessAccessRights.MaximumAllowed)));
                                    }
                                    catch (NtException ex)
                                    {
                                        Console.WriteLine("Error opening pid {0} - {1}", pid_name, ex.Message);
                                    }
                                }
                            }

                            processes = procs;
                        }
                        else
                        {
                            try
                            {
                                using (var imp = NtToken.Impersonate(_pid,
                                                                     _identify_only ? SecurityImpersonationLevel.Identification : SecurityImpersonationLevel.Impersonation))
                                {
                                    processes = NtProcess.GetProcesses(ProcessAccessRights.MaximumAllowed).Select(h => new ProcessEntry(h));
                                }

                                if (_named_process && pids.Count > 0)
                                {
                                    processes = processes.Where(p => pids.Contains(p.Name.ToLower()));
                                }
                            }
                            catch (NtException ex)
                            {
                                Console.WriteLine(ex);
                            }
                        }
                    }

                    List <ProcessEntry> ps = processes.ToList();

                    ps.Sort((a, b) => a.Pid - b.Pid);

                    processes = ps;

                    foreach (ProcessEntry process in processes)
                    {
                        Console.WriteLine("{0}: {1} {2}", process.Pid, process.Name, process.GetGrantedAccessString());
                        if (_print_sddl && process.Handle.IsAccessGranted(ProcessAccessRights.ReadControl))
                        {
                            Console.WriteLine("SDDL: {0}", process.Handle.GetSddl());
                        }

                        if (_dump_token && process.Token != null)
                        {
                            Console.WriteLine("User: {0}", process.Token.User);
                            if (_print_sddl && process.Token.IsAccessGranted(TokenAccessRights.ReadControl))
                            {
                                Console.WriteLine("Token SDDL: {0}", process.Token.GetSddl());
                            }
                        }

                        if (_dump_threads)
                        {
                            foreach (ThreadEntry thread in process.Threads)
                            {
                                Console.WriteLine("-- Thread {0}: {1}", thread.Tid, thread.Handle.GetGrantedAccessString());
                                if (_print_sddl && thread.Handle.IsAccessGranted(ThreadAccessRights.ReadControl))
                                {
                                    Console.WriteLine("---- SDDL: {0}", thread.Handle.GetSddl());
                                }

                                if (_dump_token && thread.Token != null)
                                {
                                    Console.WriteLine("---- Impersonating {0}", thread.Token.User);
                                    if (_print_sddl && thread.Token.IsAccessGranted(TokenAccessRights.ReadControl))
                                    {
                                        Console.WriteLine("---- Token SDDL: {0}", thread.Token.GetSddl());
                                    }
                                }
                            }
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
            }
        }