/// <summary>
/// Opens the process identified by <paramref name="pid"/> with VmRead and
/// QueryInformation access and collects its COM runtime state into a
/// <see cref="COMProcessEntry"/>.
/// </summary>
/// <param name="pid">Identifier of the process to inspect.</param>
/// <param name="dbghelp_path">
/// Passed straight to <c>SymbolResolver</c>.
/// NOTE(review): presumably the DLL at this path is loaded into the calling
/// process. If so, it should come from a trusted location that unprivileged
/// users cannot write to. Confirm against SymbolResolver.
/// </param>
/// <param name="symbol_path">
/// Passed straight to <c>SymbolResolver</c>.
/// NOTE(review): presumably a dbghelp symbol search path. Confirm whether it
/// may name a remote symbol server.
/// </param>
/// <returns>
/// The populated entry, or <c>null</c> when the process handle is invalid or
/// when the target is 64-bit and the current process is not. The caller
/// cannot tell these two cases apart from the return value.
/// </returns>
public static COMProcessEntry ParseProcess(int pid, string dbghelp_path, string symbol_path)
        {
            using (SafeProcessHandle process = SafeProcessHandle.Open(pid, ProcessAccessRights.VmRead | ProcessAccessRights.QueryInformation))
            {
                // Short-circuit order matters: Is64Bit is only queried once the
                // handle is known to be valid.
                if (process.IsInvalid || (process.Is64Bit && !Environment.Is64BitProcess))
                {
                    return null;
                }

                using (SymbolResolver resolver = new SymbolResolver(dbghelp_path, process, symbol_path))
                {
                    // Each value is read in the same order as the constructor
                    // arguments below, so a failing read surfaces at the same point.
                    var file_name      = GetProcessFileName(process);
                    var ipid_entries   = ParseIPIDEntries(process, resolver);
                    var is_64bit       = process.Is64Bit;
                    var app_id         = GetProcessAppId(process, resolver);
                    var access_sd      = GetProcessAccessSecurityDescriptor(process, resolver);
                    var lrpc_sd        = GetLrpcSecurityDescriptor(process, resolver);
                    var user           = process.GetUser();
                    var user_sid       = process.GetUserSid();

                    // Named symbols read from the target's memory through the resolver.
                    var lrpc_endpoint  = ReadString(process, resolver, "gwszLRPCEndPoint");
                    var capabilities   = ReadEnum<EOLE_AUTHENTICATION_CAPABILITIES>(process, resolver, "gCapabilities");
                    var authn_level    = ReadEnum<RPC_AUTHN_LEVEL>(process, resolver, "gAuthnLevel");
                    var imp_level      = ReadEnum<RPC_IMP_LEVEL>(process, resolver, "gImpLevel");
                    var access_control = ReadPointer(process, resolver, "gAccessControl");
                    var main_hwnd      = ReadPointer(process, resolver, "ghwndOleMainThread");

                    return new COMProcessEntry(
                        pid,
                        file_name,
                        ipid_entries,
                        is_64bit,
                        app_id,
                        access_sd,
                        lrpc_sd,
                        user,
                        user_sid,
                        lrpc_endpoint,
                        capabilities,
                        authn_level,
                        imp_level,
                        access_control,
                        main_hwnd);
                }
            }
        }
Exemple #2
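        /// <summary>
        /// Builds the security-check dialog: pre-fills the principal with the
        /// current DOMAIN\user, lists every process whose token can be opened
        /// (PID, name, user, integrity level), and fills the integrity-level
        /// combo box with Low selected by default.
        /// </summary>
        /// <param name="process_security">
        /// When true, the principal text box and the launch/activate check
        /// boxes are disabled.
        /// </param>
        public SelectSecurityCheckForm(bool process_security)
        {
            InitializeComponent();
            _process_security = process_security;
            _tokens           = new List<SafeTokenHandle>();
            // NOTE(review): presumably this handler disposes the handles held in
            // _tokens. Confirm, since every opened token stays alive until then.
            Disposed         += SelectSecurityCheckForm_Disposed;
            string username = String.Format(@"{0}\{1}", Environment.UserDomainName, Environment.UserName);

            textBoxPrincipal.Text = username;

            // Called before enumerating so that as many processes as possible can
            // be opened. NOTE(review): the privilege is requested for the whole
            // process and nothing in this constructor turns it off again.
            COMProcessParser.EnableDebugPrivilege();

            foreach (Process p in Process.GetProcesses().OrderBy(proc => proc.Id))
            {
                // Process is IDisposable; release each one once its row is built
                // instead of leaving it to the finalizer.
                using (p)
                {
                    try
                    {
                        using (SafeProcessHandle process = SafeProcessHandle.Open(p.Id, ProcessAccessRights.QueryInformation))
                        {
                            SafeTokenHandle token = process.OpenToken();
                            // Track the token immediately so it stays owned by
                            // _tokens even if a later query throws.
                            _tokens.Add(token);

                            // Collect every value that can fail BEFORE touching the
                            // list view, so a failure never leaves a half-populated
                            // row with no Tag behind.
                            string pid_text        = p.Id.ToString();
                            string process_name    = p.ProcessName;
                            var user               = process.GetUser();
                            string integrity_level = token.GetIntegrityLevel().ToString();

                            ListViewItem item = new ListViewItem(pid_text);
                            item.SubItems.Add(process_name);
                            item.SubItems.Add(user);
                            item.SubItems.Add(integrity_level);
                            item.Tag = token;
                            listViewProcesses.Items.Add(item);
                        }
                    }
                    catch (Exception ex)
                    {
                        // Best effort: processes that cannot be opened or queried
                        // (access denied, already exited) are left out of the list.
                        // Record the skip so a missing process can be diagnosed.
                        System.Diagnostics.Debug.WriteLine(
                            String.Format("SelectSecurityCheckForm: skipping process {0}: {1}", p.Id, ex.Message));
                    }
                }
            }
            listViewProcesses.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent);
            listViewProcesses.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
            listViewProcesses.ListViewItemSorter = new ListItemComparer(0);

            foreach (object value in Enum.GetValues(typeof(SecurityIntegrityLevel)))
            {
                comboBoxIL.Items.Add(value);
            }
            comboBoxIL.SelectedItem = SecurityIntegrityLevel.Low;
            if (process_security)
            {
                textBoxPrincipal.Enabled       = false;
                checkBoxLocalLaunch.Enabled    = false;
                checkBoxRemoteLaunch.Enabled   = false;
                checkBoxLocalActivate.Enabled  = false;
                checkBoxRemoteActivate.Enabled = false;
            }
        }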