/// <summary>
/// Builds a textual report of the access token attached to the current process.
/// </summary>
/// <returns>
/// The string produced by <c>AccessTokenInformation.ToOutputString()</c> for the
/// current process token.
/// </returns>
public static String WhoisProcess()
{
    // No access mask is passed, so the rights on the token handle are whatever
    // FromProcessHandle requests by default (not visible in this listing).
    var currentToken = AccessTokenHandle.FromProcessHandle(TMProcessHandle.GetCurrentProcessHandle());
    var report = new AccessTokenInformation(currentToken);
    return report.ToOutputString();
}
/// <summary>
/// Changes the state of one privilege on the current process token by delegating
/// to <c>SetPrivilege</c>.
/// </summary>
/// <param name="privilege">Privilege name, forwarded unchanged to <c>SetPrivilege</c>.</param>
/// <param name="enabled">
/// Requested state, forwarded unchanged to <c>SetPrivilege</c> (presumably
/// <c>true</c> enables and <c>false</c> disables; confirm against SetPrivilege).
/// </param>
public static void SetProcessPrivilege(string privilege, bool enabled)
{
    // The token is opened with TOKEN_ADJUST_PRIVILEGES only, the one right this
    // call site names; nothing broader is requested here.
    var ownToken = AccessTokenHandle.FromProcessHandle(
        TMProcessHandle.GetCurrentProcessHandle(),
        TokenAccess.TOKEN_ADJUST_PRIVILEGES);

    SetPrivilege(ownToken, privilege, enabled);
}
/// <summary>
/// Calls <c>SetAllPrivileges</c> with <c>true</c> on the current process token.
/// </summary>
/// <remarks>
/// Turning on every privilege a token holds runs against least privilege: callers
/// that need one privilege should enable only that one. Windows can record token
/// privilege adjustments as Security event 4703 when the corresponding audit
/// policy is enabled, which is where a defender would expect to see this call.
/// </remarks>
public static void EnableAllProcessPrivileges()
{
    // NOTE(review): unlike SetProcessPrivilege, no TOKEN_ADJUST_PRIVILEGES mask is
    // passed here; this relies on FromProcessHandle's default access (confirm).
    var ownToken = AccessTokenHandle.FromProcessHandle(TMProcessHandle.GetCurrentProcessHandle());
    SetAllPrivileges(ownToken, true);
}
/// <summary>
/// Stores a primary-token duplicate of another process's token in
/// <c>TokenHandle</c> on this builder.
/// </summary>
/// <param name="processId">ID of the process whose token is duplicated.</param>
/// <returns>This builder instance, so calls can be chained.</returns>
public TMProcessBuilder UsingExistingProcessToken(int processId)
{
    var sourceProcess = TMProcessHandle.FromProcessId(processId);

    // The source token is opened with TOKEN_DUPLICATE and TOKEN_QUERY only.
    var sourceToken = AccessTokenHandle.FromProcessHandle(
        sourceProcess,
        TokenAccess.TOKEN_DUPLICATE,
        TokenAccess.TOKEN_QUERY);

    // From here on the builder carries the other process's identity; how the
    // stored token is used later is not visible in this method.
    this.TokenHandle = sourceToken.DuplicatePrimaryToken();
    return this;
}
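/// <summary>
/// Duplicates the token of the process identified by <paramref name="pid"/> as an
/// impersonation token and installs it on the calling thread through
/// <c>Advapi32.SetThreadToken</c>. This replaces the current thread token. Call
/// RevertToSelf() to get back the previous access token.
/// </summary>
/// <param name="pid">ID of the process whose token is duplicated.</param>
/// <exception cref="InvalidOperationException">
/// <c>SetThreadToken</c> reported failure, so the thread token was not replaced.
/// </exception>
public static void ImpersonateProcessToken(int pid)
{
    var hProc = TMProcessHandle.FromProcessId(pid, ProcessAccessFlags.QueryInformation);
    var hToken = AccessTokenHandle.FromProcessHandle(hProc, TokenAccess.TOKEN_IMPERSONATE, TokenAccess.TOKEN_DUPLICATE);

    // NOTE(review): TOKEN_ALL_ACCESS is the widest mask available; the duplicate is
    // only handed to SetThreadToken below, so a narrower mask would probably do.
    // Confirm before tightening.
    var hDuplicate = hToken.DuplicateImpersonationToken(TokenAccess.TOKEN_ALL_ACCESS);

    // IntPtr.Zero as the thread argument targets the calling thread.
    if (!Advapi32.SetThreadToken(IntPtr.Zero, hDuplicate.GetHandle()))
    {
        // Capture the error code immediately, before another call can overwrite it.
        var error = Kernel32.GetLastError();

        // Fail closed: printing the code and returning normally would let the
        // caller carry on under its original identity while believing it is
        // impersonating the target process.
        throw new InvalidOperationException(
            $"SetThreadToken failed for process {pid}; last error {error}.");
    }
}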
/// <summary>
/// Opens the token of the process selected in <c>options</c> (the given process
/// ID, or the current process when none is set) and calls the <c>Show*</c>
/// helper for every section that is switched on individually or via
/// <c>ShowAll</c>.
/// </summary>
public void Execute()
{
    var opts = this.options;

    TMProcessHandle hProcess;
    if (!opts.ProcessID.HasValue)
    {
        hProcess = TMProcessHandle.GetCurrentProcessHandle();
    }
    else
    {
        hProcess = TMProcessHandle.FromProcessId(
            opts.ProcessID.Value,
            TokenManage.API.ProcessAccessFlags.QueryInformation);
    }

    // Read-only inspection: the token is opened with TOKEN_QUERY and nothing else.
    var hToken = AccessTokenHandle.FromProcessHandle(hProcess, TokenAccess.TOKEN_QUERY);

    // The sections are emitted in this fixed order.
    if (opts.ShowUser || opts.ShowAll) { ShowUser(hToken); }
    if (opts.ShowGroups || opts.ShowAll) { ShowGroups(hToken); }
    if (opts.ShowPrivileges || opts.ShowAll) { ShowPrivileges(hToken); }
    if (opts.ShowLogonSid || opts.ShowAll) { ShowLogonSid(hToken); }
    if (opts.ShowOwner || opts.ShowAll) { ShowOwner(hToken); }
    if (opts.ShowPrimaryGroup || opts.ShowAll) { ShowPrimaryGroup(hToken); }
    if (opts.ShowSessionID || opts.ShowAll) { ShowSessionID(hToken); }
}
/// <summary>
/// Writes one "process ID, process name, username" line to the console for each
/// process returned by <c>TMProcess.GetAllProcesses()</c> whose token could be
/// queried.
/// </summary>
public static void ListProcesses()
{
    foreach (var process in TMProcess.GetAllProcesses())
    {
        try
        {
            var processHandle = TMProcessHandle.FromProcess(process, ProcessAccessFlags.QueryInformation);
            var tokenHandle = AccessTokenHandle.FromProcessHandle(processHandle, TokenAccess.TOKEN_QUERY);
            var owner = AccessTokenUser.FromTokenHandle(tokenHandle);

            Console.WriteLine($"{process.ProcessId}, {process.ProcessName}, {owner.Username}");
        }
        catch (Exception)
        {
            // Best effort: a process whose handle, token or user lookup throws is
            // left out of the listing, so the output is not a complete inventory.
        }
    }
}
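/// <summary>
/// Runs each search selected in <c>options</c> and prints every result set with
/// <c>InnerPrintProcesses</c>: all processes (<c>ListTokens</c>), processes whose
/// token holds a privilege matching <c>Privilege</c>, processes found by
/// <c>TMProcess.GetProcessByName</c> for <c>Term</c>, and processes whose token
/// user matches <c>User</c>.
/// </summary>
/// <remarks>
/// Name matching is a case-insensitive ordinal substring test, so results do not
/// depend on the current culture. A process is listed once per search even when
/// several of its privileges match.
/// </remarks>
public void Execute()
{
    if (this.options.ListTokens)
    {
        this.InnerPrintProcesses(TMProcess.GetAllProcesses());
    }

    if (this.options.Privilege != null)
    {
        var found = new List<TMProcess>();
        foreach (var proc in TMProcess.GetAllProcesses())
        {
            try
            {
                var hProc = TMProcessHandle.FromProcess(proc, ProcessAccessFlags.QueryInformation);
                var hToken = AccessTokenHandle.FromProcessHandle(hProc, TokenAccess.TOKEN_QUERY);
                var privileges = AccessTokenPrivileges.FromTokenHandle(hToken);

                foreach (var priv in privileges.GetPrivileges())
                {
                    if (priv.Name.IndexOf(this.options.Privilege, StringComparison.OrdinalIgnoreCase) < 0)
                    {
                        continue;
                    }

                    // The Disabled option selects which privilege state counts as a hit.
                    bool stateMatches = this.options.Disabled ? priv.IsDisabled() : priv.IsEnabled();
                    if (stateMatches)
                    {
                        found.Add(proc);
                        // Stop at the first hit: without this, a broad search term
                        // added the same process once per matching privilege.
                        break;
                    }
                }
            }
            catch (Exception e)
            {
                console.Error("Failed to retrieve privilege information: " + e.Message);
            }
        }

        this.InnerPrintProcesses(found);
    }

    if (!string.IsNullOrEmpty(this.options.Term))
    {
        this.InnerPrintProcesses(TMProcess.GetProcessByName(this.options.Term));
    }

    if (!string.IsNullOrEmpty(this.options.User))
    {
        var found = new List<TMProcess>();
        foreach (var proc in TMProcess.GetAllProcesses())
        {
            try
            {
                var hProc = TMProcessHandle.FromProcess(proc, ProcessAccessFlags.QueryInformation);
                var hToken = AccessTokenHandle.FromProcessHandle(hProc, TokenAccess.TOKEN_QUERY);
                var user = AccessTokenUser.FromTokenHandle(hToken);

                if (user.Username.IndexOf(this.options.User, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    found.Add(proc);
                }
            }
            catch (Exception)
            {
                // Best effort: a process whose token cannot be read is skipped
                // silently, so the result may under-report matching processes.
            }
        }

        this.InnerPrintProcesses(found);
    }
}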
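/// <summary>
/// Prints the given processes as an aligned table (process ID, process name,
/// "domain\username" of the token user, session ID), ordered by process ID.
/// </summary>
/// <param name="processes">Processes to print.</param>
/// <remarks>
/// The user and session columns are left empty for any process whose handle,
/// token, user or session lookup throws.
/// </remarks>
private void InnerPrintProcesses(List<TMProcess> processes)
{
    const int padding = 2;

    string pid = "PID";
    string name = "PROCESS";
    // NOTE(review): this header literal looks masked in the listing; confirm the
    // intended column title against the original source.
    string user = "******";
    string session = "SESSION";

    var rows = new List<Tuple<string, string, string, string>>();
    foreach (var p in processes)
    {
        string username = "";
        string sessionId = "";
        try
        {
            var pHandle = TMProcessHandle.FromProcess(p, ProcessAccessFlags.QueryInformation);
            var tHandle = AccessTokenHandle.FromProcessHandle(pHandle, TokenAccess.TOKEN_QUERY);
            var userInfo = AccessTokenUser.FromTokenHandle(tHandle);
            var sessionInfo = AccessTokenSessionId.FromTokenHandle(tHandle);
            username = userInfo.Domain + "\\" + userInfo.Username;
            sessionId = sessionInfo.SessionId.ToString();
        }
        catch (Exception)
        {
            // Best effort: the process is still listed, with blank user/session.
        }

        rows.Add(new Tuple<string, string, string, string>(p.ProcessId.ToString(), p.ProcessName, username, sessionId));
    }

    // Start each column at its header's width. Previously the widths came from the
    // data alone, so an empty list or short values produced a negative count for
    // generateSpaces.
    int maxPid = pid.Length;
    int maxName = name.Length;
    int maxUser = user.Length;
    foreach (var row in rows)
    {
        maxPid = Math.Max(maxPid, row.Item1.Length);
        maxName = Math.Max(maxName, row.Item2.Length);
        maxUser = Math.Max(maxUser, row.Item3.Length);
    }

    var output = new StringBuilder();
    output.Append(pid + "," + generateSpaces(maxPid + padding - pid.Length));
    output.Append(name + "," + generateSpaces(maxName + padding - name.Length));
    output.Append(user + generateSpaces(maxUser + padding - user.Length));
    output.Append(session + "\n");

    // Process IDs are held as strings. Ordering by length and then ordinally sorts
    // them numerically ("9" before "10") instead of as text.
    var sorted = rows
        .OrderBy(r => r.Item1.Length)
        .ThenBy(r => r.Item1, StringComparer.Ordinal)
        .ToList();

    foreach (var row in sorted)
    {
        output.Append(row.Item1 + "," + generateSpaces(maxPid + padding - row.Item1.Length));
        output.Append(row.Item2 + "," + generateSpaces(maxName + padding - row.Item2.Length));
        output.Append(row.Item3 + generateSpaces(maxUser + padding - row.Item3.Length));
        output.Append(row.Item4 + "\n");
    }

    console.Write(output.ToString());
}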