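        /// <summary>
        /// Enumerates the account rights assigned to <paramref name="sid"/> through an open LSA policy
        /// handle and records each one (privilege name -> LUID) in <paramref name="rights"/>.
        /// </summary>
        /// <param name="hPolicyHandle">Policy handle obtained from LsaOpenPolicy.</param>
        /// <param name="sid">Pointer to the SID (user or group) whose rights are enumerated.</param>
        /// <param name="rights">Accumulator; an existing key is overwritten, so a privilege contributed by
        /// several SIDs is recorded only once.</param>
        /// <returns>
        /// true when the enumeration completed, or when the SID simply has no rights assigned / cannot be
        /// resolved by the LSA; false on any other LSA error or when a right cannot be mapped to a LUID.
        /// </returns>
        private static bool _LookupRights(IntPtr hPolicyHandle, IntPtr sid, ref Dictionary <string, Winnt._LUID> rights)
        {
            // NTSTATUS values that only mean "nothing to enumerate for this SID" and are not failures.
            const uint StatusObjectNameNotFound = 0xC0000034; // 3221225524 - no rights assigned
            const uint StatusInvalidParameter   = 0xC000000D; // 3221225485 - not a valid SID lookup

            IntPtr hUserRights;
            long   countOfRights;
            uint   ntRetVal = advapi32.LsaEnumerateAccountRights(
                hPolicyHandle,
                sid,
                out hUserRights,
                out countOfRights
                );

            if (0 != ntRetVal)
            {
                if (StatusObjectNameNotFound == ntRetVal || StatusInvalidParameter == ntRetVal)
                {
                    return(true);
                }

                Misc.GetLsaNtError("LsaEnumerateAccountRights", ntRetVal);
                return(false);
            }

            // "Weird Quirk" kept from the original: the count is treated as one too high.
            // NOTE(review): the native API documents CountOfRights as the exact number of entries; the
            // cause of this off-by-one is not established here - verify before removing the decrement.
            countOfRights--;

            Console.WriteLine("[+] Additional {0} privilege(s)", countOfRights);

            if (countOfRights < 0)
            {
                // Without this guard the adjustment above would produce a negative array length and throw.
                return(true);
            }

            // NOTE(review): the buffer behind hUserRights is allocated by the LSA and is never released on
            // any path in this method; it should be returned with LsaFreeMemory once the names are copied out.

            // Size of one LSA_UNICODE_STRING entry, hoisted out of the loop.
            int entrySize = Marshal.SizeOf(typeof(ntsecapi._LSA_UNICODE_STRING));

            for (int i = 0; i < countOfRights; i++)
            {
                try
                {
                    // hUserRights points at a contiguous array of LSA_UNICODE_STRING entries.
                    IntPtr entry = new IntPtr(hUserRights.ToInt64() + (i * entrySize));
                    ntsecapi._LSA_UNICODE_STRING userRight = (ntsecapi._LSA_UNICODE_STRING)Marshal.PtrToStructure(entry, typeof(ntsecapi._LSA_UNICODE_STRING));

                    // NOTE(review): LSA_UNICODE_STRING buffers are not guaranteed to be NUL-terminated;
                    // reading up to the structure's byte length would be the safer conversion - confirm
                    // which fields the managed struct exposes.
                    string      privilege = Marshal.PtrToStringUni(userRight.Buffer);
                    Winnt._LUID luid      = new Winnt._LUID();
                    bool        retVal    = advapi32.LookupPrivilegeValue(null, privilege, ref luid);
                    if (!retVal)
                    {
                        Console.WriteLine("[-] Privilege Not Found");
                        return(false);
                    }

                    Console.WriteLine(" ({0}) {1}", i, privilege);
                    rights[privilege] = luid;
                }
                catch (Exception ex)
                {
                    // Best effort, as in the original: one unreadable entry is reported but does not
                    // abort the enumeration of the remaining rights.
                    Console.WriteLine(ex);
                }
            }

            return(true);
        }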
 // P/Invoke for advapi32!LsaOpenPolicy. Opens a handle to the LSA Policy object on SystemName (a
 // default-initialised LSA_UNICODE_STRING, as passed by CreateTokenPrivileges, selects the local machine).
 // DesiredAccess is an LSA_ACCESS_MASK value; request only the rights the caller actually needs.
 // Returns an NTSTATUS (0 on success). The PolicyHandle written on success must be released with
 // LsaClose by the caller. (The DllImport attribute for this declaration sits above this excerpt.)
 public static extern uint LsaOpenPolicy(ref ntsecapi._LSA_UNICODE_STRING SystemName, ref lsalookup._LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle);
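        /// <summary>
        /// Builds the privilege set for a token: opens the local LSA policy, collects every right assigned
        /// to the user SID and to each group SID, and emits them as enabled LUID_AND_ATTRIBUTES entries in
        /// <paramref name="tokenPrivileges"/>.
        /// </summary>
        /// <param name="tokenUser">User whose SID is queried first.</param>
        /// <param name="tokenGroups">Groups whose SIDs are queried; the number of entries walked is
        /// extraGroups + localEntriesRead + globalEntriesRead, maintained elsewhere in this class.</param>
        /// <param name="tokenPrivileges">Receives the privilege array; left as an empty instance on failure.</param>
        /// <returns>false when the policy cannot be opened or when more rights were collected than the
        /// privilege array can hold; true otherwise.</returns>
        private bool CreateTokenPrivileges(Ntifs._TOKEN_USER tokenUser, Ntifs._TOKEN_GROUPS tokenGroups, out Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges)
        {
            Console.WriteLine("[*] _TOKEN_PRIVILEGES");

            // Assigned up front so every early return leaves the out parameter definitely assigned.
            tokenPrivileges = new Winnt._TOKEN_PRIVILEGES_ARRAY();

            // A default-initialised system name selects the local machine's policy.
            ntsecapi._LSA_UNICODE_STRING     systemName          = new ntsecapi._LSA_UNICODE_STRING();
            lsalookup._LSA_OBJECT_ATTRIBUTES lsaobjectAttributes = new lsalookup._LSA_OBJECT_ATTRIBUTES()
            {
                Length                   = (uint)Marshal.SizeOf(typeof(lsalookup._LSA_OBJECT_ATTRIBUTES)),
                RootDirectory            = IntPtr.Zero,
                ObjectName               = new ntsecapi._LSA_UNICODE_STRING(),
                Attributes               = 0,
                SecurityDescriptor       = IntPtr.Zero,
                SecurityQualityOfService = IntPtr.Zero
            };

            // The handle is written by LsaOpenPolicy's out parameter; the Marshal.AllocHGlobal that used to
            // initialise it was overwritten immediately and the allocation leaked.
            // NOTE(review): POLICY_ALL_ACCESS is more than the lookups below need; requesting only the
            // lookup right would be the least-privilege choice - confirm LSA_ACCESS_MASK exposes it.
            IntPtr hPolicyHandle;
            uint   ntRetVal = advapi32.LsaOpenPolicy(
                ref systemName,
                ref lsaobjectAttributes,
                (uint)lsalookup.LSA_ACCESS_MASK.POLICY_ALL_ACCESS,
                out hPolicyHandle
                );

            if (0 != ntRetVal)
            {
                Misc.GetNtError("LsaOpenPolicy", ntRetVal);
                return(false);
            }

            if (IntPtr.Zero == hPolicyHandle)
            {
                Misc.GetNtError("hPolicyHandle", ntRetVal);
                return(false);
            }

            // NOTE(review): the policy handle is never released; LsaClose should be called on every path
            // once the lookups are done.

            Dictionary <string, Winnt._LUID> rights = new Dictionary <string, Winnt._LUID>();

            // _LookupRights results are deliberately not propagated (as in the original): a failure for one
            // SID does not discard the rights already collected for the others.
            _LookupRights(hPolicyHandle, tokenUser.User.Sid, ref rights);

            // NOTE(review): the bound comes from instance counters kept elsewhere and is assumed to match
            // the number of populated entries in tokenGroups.Groups - confirm with the caller.
            int groupCount = extraGroups + localEntriesRead + globalEntriesRead;
            for (int i = 0; i < groupCount; i++)
            {
                _LookupRights(hPolicyHandle, tokenGroups.Groups[i].Sid, ref rights);
            }

            // Fixed capacity of 35 entries; presumably mirrors a fixed-size marshalling attribute on the
            // struct - confirm before changing it.
            Winnt._LUID_AND_ATTRIBUTES[] privileges = new Winnt._LUID_AND_ATTRIBUTES[35];

            if (rights.Count > privileges.Length)
            {
                // Previously this overflowed the array with an IndexOutOfRangeException; and a
                // PrivilegeCount larger than the backing array would make the consumer read past it.
                Console.WriteLine("[-] {0} privilege(s) collected but only {1} fit in _TOKEN_PRIVILEGES_ARRAY", rights.Count, privileges.Length);
                return(false);
            }

            int j = 0;
            foreach (KeyValuePair<string, Winnt._LUID> right in rights)
            {
                privileges[j].Luid       = right.Value;
                privileges[j].Attributes = Winnt.SE_PRIVILEGE_ENABLED;
                j++;
            }

            tokenPrivileges = new Winnt._TOKEN_PRIVILEGES_ARRAY()
            {
                PrivilegeCount = (uint)rights.Count,
                Privileges     = privileges
            };

            return(true);
        }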