private static IntPtr StartProcessAsUser(string szFile, string szArguments, string szDirectory, bool Inherit, IntPtr hParent) { Win32.STARTUPINFOEX si = new Win32.STARTUPINFOEX(); Win32.PROCESS_INFORMATION pi = new Win32.PROCESS_INFORMATION(); Win32.SECURITY_ATTRIBUTES sa = new Win32.SECURITY_ATTRIBUTES(); IntPtr processToken = IntPtr.Zero, userToken, cbAttributeListSize = IntPtr.Zero; Win32.OpenProcessToken(new IntPtr(-1), (uint)Win32.TOKEN_ACCESS.TOKEN_ALL_ACCESS, ref processToken); Win32.DuplicateTokenEx(processToken, (uint)Win32.TOKEN_ACCESS.TOKEN_ALL_ACCESS, out sa, Win32.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, Win32.TOKEN_TYPE.TokenPrimary, out userToken); Win32.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref cbAttributeListSize); IntPtr pAttributeList = Win32.VirtualAlloc(IntPtr.Zero, (int)cbAttributeListSize, 0x1000, 0x40); Win32.InitializeProcThreadAttributeList(pAttributeList, 1, 0, ref cbAttributeListSize); Win32.UpdateProcThreadAttribute(pAttributeList, 0, (IntPtr)0x00020000, ref hParent, (IntPtr)Marshal.SizeOf(hParent), IntPtr.Zero, IntPtr.Zero); si.lpAttributeList = pAttributeList; si.StartupInfo = new Win32.STARTUPINFO(); Win32.CreateProcessAsUserA(userToken, szFile, szArguments, IntPtr.Zero, IntPtr.Zero, Inherit, 0x400 | 0x010 | 0x00080000, IntPtr.Zero, szDirectory, ref si, ref pi); Win32.CloseHandle(processToken); Win32.CloseHandle(userToken); Win32.DeleteProcThreadAttributeList(pAttributeList); Win32.VirtualFree(pAttributeList, 0x1000, 0x8000); return(pi.hProcess); }
public static IntPtr GetPrimaryToken(Process process) { var token = IntPtr.Zero; var primaryToken = IntPtr.Zero; if (OpenProcessToken(process.Handle, TOKEN_DUPLICATE, ref token)) { var sa = new Win32.SECURITY_ATTRIBUTES(); sa.nLength = Marshal.SizeOf(sa); if (!DuplicateTokenEx( token, TOKEN_ALL_ACCESS, ref sa, (int)Win32.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, (int)Win32.TOKEN_TYPE.TokenPrimary, ref primaryToken)) { throw new Win32Exception(Marshal.GetLastWin32Error(), "DuplicateTokenEx failed"); } CloseHandle(token); } else { throw new Win32Exception(Marshal.GetLastWin32Error(), "OpenProcessToken failed"); } return(primaryToken); }
private byte[] executeDispatch(IRpcClientInfo client, byte[] input) { using (client.Impersonate()) { IntPtr hToken; Win32.OpenThreadToken(Win32.GetCurrentThread(), Win32.TOKEN_READ | Win32.TOKEN_IMPERSONATE, false, out hToken); Win32.SECURITY_ATTRIBUTES saProcessAttributes = new Win32.SECURITY_ATTRIBUTES(); Win32.SECURITY_ATTRIBUTES saThreadAttributes = new Win32.SECURITY_ATTRIBUTES(); Win32.STARTUPINFO startupInfo = new Win32.STARTUPINFO(); startupInfo.cb = Marshal.SizeOf(startupInfo); Win32.PROCESS_INFORMATION processInfo = new Win32.PROCESS_INFORMATION(); bool result = Win32.CreateProcessAsUser( hToken, @"c:\windows\notepad.exe", null, ref saProcessAttributes, ref saThreadAttributes, true, 0x01000000, IntPtr.Zero, null, ref startupInfo, out processInfo); if (!result) { int error = Marshal.GetLastWin32Error(); } return(new byte[] { 0 }); } }
private static int SetupShareMemoryWithSercurity(int nSize) { bool flag = false; System.IntPtr intPtr = System.IntPtr.Zero; int cb = 68; System.IntPtr arg_12_0 = System.IntPtr.Zero; Win32.SECURITY_ATTRIBUTES sECURITY_ATTRIBUTES = default(Win32.SECURITY_ATTRIBUTES); try { intPtr = System.Runtime.InteropServices.Marshal.AllocHGlobal(cb); if (!Win32.CreateWellKnownSid(System.Security.Principal.WellKnownSidType.BuiltinAdministratorsSid, System.IntPtr.Zero, intPtr, ref cb)) { int result = -1; return(result); } if (!Win32.ConvertStringSecurityDescriptorToSecurityDescriptor("D:(A;;GA;;;RD)(A;;GA;;;S-1-5-32-544)(A;;GA;;;S-1-5-4)", 1, out sECURITY_ATTRIBUTES.lpSecurityDescriptor, System.IntPtr.Zero)) { int result = -1; return(result); } sECURITY_ATTRIBUTES.nLength = System.Runtime.InteropServices.Marshal.SizeOf(sECURITY_ATTRIBUTES); sECURITY_ATTRIBUTES.bInheritHandle = false; AppInterProcess._hMapFile = Win32.CreateFileMapping(4294967295u, ref sECURITY_ATTRIBUTES, 4, 0, nSize + 1024, "Global\\ecoAppMapName"); flag = ((long)System.Runtime.InteropServices.Marshal.GetLastWin32Error() == 183L); if (AppInterProcess._hMapFile == System.IntPtr.Zero) { int result = -1; return(result); } AppInterProcess._pMapBuf = Win32.MapViewOfFile(AppInterProcess._hMapFile, 983071, 0, 0, nSize + 128); if (AppInterProcess._pMapBuf == System.IntPtr.Zero) { int result = -1; return(result); } } catch (System.Exception) { } finally { if (intPtr != System.IntPtr.Zero) { System.Runtime.InteropServices.Marshal.FreeHGlobal(intPtr); } if (sECURITY_ATTRIBUTES.lpSecurityDescriptor != System.IntPtr.Zero) { Win32.LocalFree(sECURITY_ATTRIBUTES.lpSecurityDescriptor); } } if (!flag) { return(0); } return(1); }
private static void CreatePipe(out SafeFileHandle parentHandle, out SafeFileHandle childHandle, bool parentInputs) { /* * private void CreatePipe(out SafeFileHandle parentHandle, out SafeFileHandle childHandle, bool parentInputs); * * Declaring Type: System.Diagnostics.Process * Assembly: System, Version=4.0.0.0 */ parentHandle = childHandle = null; Win32.SECURITY_ATTRIBUTES lpPipeAttributes = new Win32.SECURITY_ATTRIBUTES(); lpPipeAttributes.bInheritHandle = true; SafeFileHandle hWritePipe = null; try { if (parentInputs && (!Win32.CreatePipe(out childHandle, out hWritePipe, ref lpPipeAttributes, 0) || childHandle.IsInvalid || hWritePipe.IsInvalid)) { throw new Win32Exception(); } else if (!parentInputs && (!Win32.CreatePipe(out hWritePipe, out childHandle, ref lpPipeAttributes, 0) || hWritePipe.IsInvalid || childHandle.IsInvalid)) { throw new Win32Exception(); } if (!Win32.DuplicateHandle(Process.GetCurrentProcess().Handle, hWritePipe, Process.GetCurrentProcess().Handle, out parentHandle, 0, false, 2)) { throw new Win32Exception(); } } finally { if (hWritePipe != null && !hWritePipe.IsInvalid) { hWritePipe.Close(); } } }
public bool CreateTrinoHandleIDs() { HandleID1FileMap = 0; HandleID2Event = 0; // Not sure if we actually need this signature part or not string stringForSignature = "dGVzdA=="; string ticketDataString = ""; if (UseCustomTicketData) { ticketDataString = CustomTicketData; } else { ticketDataString = "<?xml version=\"1.0\" encoding=\"UTF - 8\" standalone=\"yes\"?>"; ticketDataString += "<authTicket version = \"1.2\">"; ticketDataString += "<storeToken>1</storeToken>"; ticketDataString += "<username>" + UserName + "</username>"; ticketDataString += "<password>" + _passwordHash + "</password>"; ticketDataString += "</authTicket>"; } //------ IntPtr CreateFileMappingHandle(string ticketString,string signatureString) // MSDN Documentation says SECURITY_ATTRIBUTES needs to be set (not null) for child processes to be able to inherit the handle from CreateEvent Win32.SECURITY_ATTRIBUTES sa = new Win32.SECURITY_ATTRIBUTES { nLength = Marshal.SizeOf(typeof(Win32.SECURITY_ATTRIBUTES)), lpSecurityDescriptor = IntPtr.Zero, bInheritHandle = true }; IntPtr sa_pointer = Marshal.AllocHGlobal(sa.nLength); Marshal.StructureToPtr(sa, sa_pointer, false); uint maxMapSize = 4096; // TODO: 0x20000 or 0x1000 maxMapSize = (uint)ticketDataString.Length + 0xc; var credentialFileMapHandle = Win32.CreateFileMappingW( Win32.INVALID_HANDLE_VALUE, sa_pointer, // IntPtr.Zero, //sa_pointer, FileMapProtection.PageReadWrite, 0, maxMapSize, "archeage_auth_ticket_map"); //Marshal.FreeHGlobal(sa_pointer); if (credentialFileMapHandle == IntPtr.Zero) { //Console.WriteLine("Failed to create credential file mapping"); Marshal.FreeHGlobal(sa_pointer); return(false); } var fileMapViewPointer = Win32.MapViewOfFile(credentialFileMapHandle, FileMapAccess.FileMapAllAccessFull, 0, 0, maxMapSize); if (fileMapViewPointer == IntPtr.Zero) { //Console.WriteLine("Failed to create credential file mapping view"); Win32.CloseHandle(credentialFileMapHandle); Marshal.FreeHGlobal(sa_pointer); return(false); } //--- EncryptFileMapData(fileMapViewHandle, ticketString, signatureString); // TFIR is the header for this ? var ticket = "TFIR" + stringForSignature + '\n' + ticketDataString; var ticketBytes = Encoding.UTF8.GetBytes(ticket); var ticketEncrypted = AAEmu.Launcher.Basic.RC4.Encrypt(encryptionKey, ticketBytes); // Use a temporary memorystream for ease MemoryStream ms = new MemoryStream(); var writer = new BinaryWriter(ms); writer.Write(encryptionKey, 0, encryptionKey.Length); Int32 ticketSize = ticketEncrypted.Length; writer.Write((int)ticketSize); writer.Write(ticketEncrypted); ms.Position = 0; var result = new byte[ms.Length]; ms.Read(result, 0, (int)ms.Length); // Copy data to MemoryMappedFile // Structure // 8 bytes: RC4 Key // 4 bytes: Actual Data Size // ? bytes: Encrypted data var pointer = Marshal.AllocHGlobal(result.Length); Marshal.Copy(result, 0, pointer, result.Length); Win32.MemCpy(fileMapViewPointer, pointer, (uint)result.Length); Marshal.FreeHGlobal(pointer); writer.Dispose(); ms.Dispose(); //----------- if (credentialFileMapHandle == IntPtr.Zero) { // TODO ... // Win32.CloseHandle(credentialEvent); Marshal.FreeHGlobal(sa_pointer); return(false); } var credentialEvent = Win32.CreateEventW(sa_pointer, true, false, "archeage_auth_ticket_event"); Marshal.FreeHGlobal(sa_pointer); if (credentialEvent == IntPtr.Zero) { // Console.WriteLine("Failed to create credential event"); return(false); } HandleID1FileMap = credentialFileMapHandle.ToInt32(); HandleID2Event = credentialEvent.ToInt32(); return((HandleID1FileMap != 0) && (HandleID2Event != 0)); }