private static string FormatText(NtHandle ent) { string size = String.Empty; try { using (NtSection section = NtSection.DuplicateFrom(ent.ProcessId, new IntPtr(ent.Handle), SectionAccessRights.Query)) { size = section.Size.ToString(); } } catch (NtException) { size = "Unknown"; } StringBuilder builder = new StringBuilder(); NtType section_type = NtType.GetTypeByName("section"); if (section_type.HasReadPermission(ent.GrantedAccess)) { builder.Append("R"); } if (section_type.HasWritePermission(ent.GrantedAccess)) { builder.Append("W"); } return(String.Format("[{0}/0x{0:X}] {1} Size: {2} Access: {3}", ent.Handle, ent.Name, size, builder.ToString())); }
private static NtResult <NtSection> CreateSection(int session_id, bool throw_on_error) { using (var obja = CreateObjectAttributes(session_id, SECTION_NAME)) { return(NtSection.Create(obja, SectionAccessRights.MaximumAllowed, new LargeInteger(64 * 1024), MemoryAllocationProtect.ReadWrite, SectionAttributes.Commit, null, throw_on_error)); } }
private static NtSection OpenSection(string name, bool read_only) { SectionAccessRights access = SectionAccessRights.MapRead; if (!read_only) { access |= SectionAccessRights.MapWrite; } return(NtSection.Open(name, null, access)); }
static void ViewSection(NtSection section, bool read_only) { read_only = read_only || !section.IsAccessGranted(SectionAccessRights.MapWrite); using (var map = read_only ? section.MapRead() : section.MapReadWrite()) { using (SectionEditorForm frm = new SectionEditorForm(map, GetName(section, map), read_only)) { Application.Run(frm); } } }
private Win32DebugConsole(int session_id, NtEvent buffer_ready, NtEvent data_ready, NtSection buffer, NtMappedSection mapped_buffer) { _session_id = session_id; _buffer_ready = buffer_ready; _data_ready = data_ready; _buffer = buffer; _mapped_buffer = mapped_buffer; _data_ready_wait = data_ready.DuplicateAsWaitHandle(); _symlinks = new Dictionary <int, DisposableList <NtSymbolicLink> >(); }
static NtSection CreateSection(string file_path, string name, NtDirectory root) { using (var file = NtFile.Open(NtFileUtils.DosFileNameToNt(file_path), null, FileAccessRights.GenericRead | FileAccessRights.GenericExecute, FileShareMode.Read | FileShareMode.Delete, FileOpenOptions.NonDirectoryFile)) { using (var obja = CreateObjectAttributes(name, root)) { return(NtSection.Create(obja, SectionAccessRights.MaximumAllowed, null, MemoryAllocationProtect.ExecuteRead, SectionAttributes.Image, file)); } } }
/// <summary> /// Get the signing level for an image file. /// </summary> /// <param name="path">The path to the image file.</param> /// <returns>The signing level.</returns> public static SigningLevel GetSigningLevel(string path) { using (var file = NtFile.Open(path, null, FileAccessRights.Execute, FileShareMode.Read | FileShareMode.Delete, FileOpenOptions.NonDirectoryFile)) { using (var sect = NtSection.CreateImageSection(file)) { using (var map = sect.MapRead()) { return(map.ImageSigningLevel); } } } }
public NtMappedSection OpenMappedFile(bool writable) { SectionAccessRights accessRights = SectionAccessRights.MapRead; if (writable) { accessRights |= SectionAccessRights.MapWrite; } using (NtSection section = NtSection.DuplicateFrom(_ent.ProcessId, new IntPtr(_ent.Handle), accessRights)) { return(section.Map(writable ? ProtectionType.ReadWrite : ProtectionType.ReadOnly)); } }
public static bool ChangeLogPathInSection(string path, out string previousPath) { previousPath = null; // open and map section RW NtSection section = null; foreach (string name in PulseSharedSectionNames) { if (section != null) { break; } try { section = NtSection.Open(name, null, SectionAccessRights.MapRead | SectionAccessRights.MapWrite); } catch {} } if (section == null) { return(false); } NtMappedSection map = null; try { map = section.MapReadWrite(); } catch { return(false); } if (map == null) { return(false); } // read the old path and write the new one try { byte[] buf = new byte[LogPathMaxLength]; map.ReadArray(LogPathOffset, buf, 0, LogPathMaxLength); previousPath = BytesToString(buf); buf = StringToBytes(path + '\0'); if (buf.Length > LogPathMaxLength) { return(false); } map.WriteArray(LogPathOffset, buf, 0, buf.Length); } catch { return(false); } return(true); }
static NtSection RemapFileAsRW() { string base_path = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData), "luafv_" + Guid.NewGuid()); Console.WriteLine("Base Path: {0}", base_path); DirectorySecurity dir_sd = new DirectorySecurity(); Directory.CreateDirectory(base_path); string target_path = NtFileUtils.DosFileNameToNt(Path.Combine(base_path, "dummy.txt")); string license_file = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "license.rtf"); Console.WriteLine("Trying to map {0} R/W", license_file); NtFile.CreateHardlink(NtFileUtils.DosFileNameToNt(license_file), target_path); using (var oplock_file = NtFile.Open(target_path, null, FileAccessRights.ReadAttributes, FileShareMode.All, FileOpenOptions.NonDirectoryFile)) { var oplock = oplock_file.RequestOplockAsync(OplockLevelCache.Read | OplockLevelCache.Write, RequestOplockInputFlag.Request); Console.WriteLine("Started oplock"); SetVirtualization(true); Console.WriteLine("Opening file"); using (var file = NtFile.Open(target_path, null, FileAccessRights.GenericRead | FileAccessRights.GenericWrite, FileShareMode.All, FileOpenOptions.NonDirectoryFile | FileOpenOptions.CompleteIfOplocked)) { SetVirtualization(false); Console.WriteLine("{0} {1}", NtProcess.Current.ProcessId, file.Handle.DangerousGetHandle()); Console.WriteLine("{0} {1}", file.FullPath, file.GrantedAccess); CreateVirtualStoreFile(target_path, GetDummyBuffer()); var async_read = file.ReadAsync(1, 0); if (!oplock.Wait(10000)) { throw new Exception("Oplock Timed Out"); } Console.WriteLine("Oplock Fired"); EaBuffer ea = new EaBuffer(); ea.AddEntry("Hello", new byte[16], EaBufferEntryFlags.None); // Set EA to force the delayed virtualization to complete without triggering oplock. Console.WriteLine("Setting EA"); file.SetEa(ea); Console.WriteLine("File now {0}", file.FullPath); oplock_file.Close(); Console.WriteLine("Closed oplock_file"); if (!async_read.Wait(10000)) { throw new Exception("Async Read Timed Out"); } Console.WriteLine("Read Complete"); return NtSection.Create(null, SectionAccessRights.MaximumAllowed, null, MemoryAllocationProtect.ReadWrite, SectionAttributes.Commit, file); } } }
private void openNamedSectionToolStripMenuItem_Click(object sender, EventArgs e) { using (NamedObjectForm frm = new NamedObjectForm("Section")) { if (frm.ShowDialog(this) == DialogResult.OK) { using (NtSection handle = (NtSection)frm.ObjectHandle) { NtMappedSection mapped_file = handle.Map(frm.ReadOnly ? MemoryAllocationProtect.ReadOnly : MemoryAllocationProtect.ReadWrite); SectionEditorForm c = new SectionEditorForm(mapped_file, frm.ObjectName, frm.ReadOnly); c.Show(dockPanel, DockState.Document); } } } }
static string GetName(NtSection section, NtMappedSection map) { string name = String.Empty; try { name = map.FullPath; if (string.IsNullOrEmpty(name)) { name = section.FullPath; } } catch (NtException) { } return(string.IsNullOrEmpty(name) ? $"Handle {section.Handle.DangerousGetHandle()} - 0x{map.DangerousGetHandle().ToInt64():X}" : name); }
static void Main(string[] args) { Application.EnableVisualStyles(); Application.SetCompatibleTextRenderingDefault(false); NtToken.EnableDebugPrivilege(); try { if (args.Length == 0) { Application.Run(new MainForm()); } else { if (args.Length < 3) { var handle = new SafeKernelObjectHandle(new IntPtr(int.Parse(args[0])), true); using (var section = NtSection.FromHandle(handle)) { bool read_only = args.Length > 1 ? args[1].Equals("--readonly") : !section.IsAccessGranted(SectionAccessRights.MapWrite); using (var map = read_only ? section.MapRead() : section.MapReadWrite()) { using (SectionEditorForm frm = new SectionEditorForm(map, GetName(section, map), read_only)) { Application.Run(frm); } } } } } } catch (Exception ex) { MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); } }
internal CreateUserProcessResult(SafeKernelObjectHandle process_handle, SafeKernelObjectHandle thread_handle, ProcessCreateInfoData create_info, SectionImageInformation image_info, ClientId client_id) { Process = new NtProcess(process_handle); Thread = new NtThread(thread_handle); ImageFile = new NtFile(new SafeKernelObjectHandle(create_info.Success.FileHandle, true)); SectionHandle = new NtSection(new SafeKernelObjectHandle(create_info.Success.SectionHandle, true)); ImageInfo = image_info; ClientId = client_id; CreateInfo = create_info; CreateState = ProcessCreateState.Success; }
static void Main(string[] args) { Application.EnableVisualStyles(); Application.SetCompatibleTextRenderingDefault(false); NtToken.EnableDebugPrivilege(); try { if (args.Length == 0) { Application.Run(new MainForm()); } else { int handle = -1; string text = String.Empty; bool read_only = false; bool delete_file = false; string filename = string.Empty; OptionSet opts = new OptionSet() { { "handle=", "Specify an inherited handle to view.", v => handle = int.Parse(v) }, { "readonly", "Specify view section readonly", v => read_only = v != null }, { "file=", "Specify a file to view", v => filename = v }, { "delete", "Delete file after viewing", v => delete_file = v != null }, }; opts.Parse(args); if (handle > 0) { using (var section = NtSection.FromHandle(new SafeKernelObjectHandle(new IntPtr(handle), true))) { read_only = read_only || !section.IsAccessGranted(SectionAccessRights.MapWrite); using (var map = read_only ? section.MapRead() : section.MapReadWrite()) { using (SectionEditorForm frm = new SectionEditorForm(map, GetName(section, map), read_only)) { Application.Run(frm); } } } } else if (File.Exists(filename)) { try { using (var file = NtFile.Open(NtFileUtils.DosFileNameToNt(filename), null, FileAccessRights.ReadData, FileShareMode.Read | FileShareMode.Delete, FileOpenOptions.NonDirectoryFile)) { using (NtSection section = NtSection.CreateReadOnlyDataSection(file)) { using (var map = section.MapRead()) { using (SectionEditorForm frm = new SectionEditorForm(map, filename, true, file.Length)) { Application.Run(frm); } } } } } finally { if (delete_file) { File.Delete(filename); } } } else { throw new Exception("Invalid command line arguments"); } } } catch (Exception ex) { MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); } }
/// <summary> /// Method to create an object from a set of object attributes. /// </summary> /// <param name="obj_attributes">The object attributes to create/open from.</param> /// <returns>The newly created object.</returns> protected override object CreateObject(ObjectAttributes obj_attributes) { return(NtSection.Create(obj_attributes, Access, Size, Protection, SectionAttributes, File)); }
/// <summary> /// Method to create an object from a set of object attributes. /// </summary> /// <param name="obj_attributes">The object attributes to create/open from.</param> /// <returns>The newly created object.</returns> protected override object CreateObject(ObjectAttributes obj_attributes) { return(NtSection.Open(obj_attributes, Access)); }