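/// <summary>
/// Rebuilds the process and thread list views from the current set of processes.
/// </summary>
/// <param name="filter">Optional substring matched (ordinal, case-insensitive) against each
/// process's full path; blank or whitespace means no name filtering.</param>
/// <param name="hideUnrestricted">When true, only processes whose token satisfies
/// <c>IsRestrictedToken</c> are listed.</param>
/// <param name="showDeadProcesses">When true, processes that are being deleted are kept.</param>
/// <remarks>
/// Only processes that could be opened with at least QueryLimitedInformation, and whose token
/// (from <c>GetToken</c>) is non-null and grants Query access, appear in the list; everything
/// else is skipped silently. All process and token handles are disposed before returning, so
/// the list items must not keep references to them.
/// </remarks>
private void RefreshProcessList(string filter, bool hideUnrestricted, bool showDeadProcesses)
{
    bool filterByName = !string.IsNullOrWhiteSpace(filter);
    ClearList(listViewProcesses);
    ClearList(listViewThreads);

    using (var list = new DisposableList<NtProcess>(NtProcess.GetProcesses(ProcessAccessRights.MaximumAllowed)))
    {
        List<NtProcess> processes = list
            .Where(p => !p.IsDeleting || showDeadProcesses)
            .Where(p => p.IsAccessGranted(ProcessAccessRights.QueryLimitedInformation))
            .ToList();
        // CompareTo instead of subtraction: a proper comparison with no overflow edge.
        processes.Sort((a, b) => a.ProcessId.CompareTo(b.ProcessId));

        using (var tokens = new DisposableList<NtToken>(processes.Select(p => GetToken(p))))
        {
            var procs = new List<ListViewItem>();
            var threads = new List<ListViewItem>();
            Debug.Assert(processes.Count == tokens.Count);

            for (int i = 0; i < processes.Count; ++i)
            {
                NtProcess p = processes[i];
                NtToken t = tokens[i];
                // GetToken may yield null or a token without Query access; such processes are skipped.
                if (t == null || !t.IsAccessGranted(TokenAccessRights.Query))
                {
                    continue;
                }
                // Ordinal, case-insensitive match; ToLower() would be culture-sensitive and allocate per process.
                if (filterByName && p.FullPath.IndexOf(filter, StringComparison.OrdinalIgnoreCase) < 0)
                {
                    continue;
                }
                if (hideUnrestricted && !IsRestrictedToken(t))
                {
                    continue;
                }
                procs.Add(CreateProcessNode(p, t));
                threads.AddRange(CreateThreads(p, t));
            }

            listViewProcesses.Items.AddRange(procs.ToArray());
            listViewThreads.Items.AddRange(threads.ToArray());
            ResizeColumns(listViewProcesses);
            ResizeColumns(listViewThreads);
        }
    }
}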
/// <summary>
/// Returns a token suitable for an access check: pseudo tokens are passed through untouched,
/// primary tokens are duplicated as identification-level impersonation tokens with Query access,
/// impersonation tokens lacking Query are re-opened with it, and anything else is shallow-cloned.
/// </summary>
/// <param name="token">The token to prepare.</param>
/// <returns>The input object itself for a pseudo token, otherwise a new token object.</returns>
/// <remarks>
/// NOTE(review): for a pseudo token the caller receives the very same object, so disposing the
/// result would dispose the input — confirm callers account for this.
/// </remarks>
private static NtToken DuplicateForAccessCheck(NtToken token)
{
    // Pseudo tokens need no duplication; hand back the same object.
    if (token.IsPseudoToken)
    {
        return token;
    }

    // Primary tokens are converted to an identification-level impersonation token with Query access.
    if (token.TokenType == TokenType.Primary)
    {
        return token.DuplicateToken(TokenType.Impersonation,
                                    SecurityImpersonationLevel.Identification,
                                    TokenAccessRights.Query);
    }

    // Otherwise ensure Query is granted; if it already is, a shallow clone of the handle suffices.
    return token.IsAccessGranted(TokenAccessRights.Query)
        ? token.ShallowClone()
        : token.Duplicate(TokenAccessRights.Query);
}
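/// <summary>
/// Populates every control on the token viewer from <c>_token</c>: identity, type and
/// impersonation level, ids, integrity level, session, source, elevation, groups, default
/// DACL, restricted SIDs, app container data, virtualization, policy, trust level,
/// privileges, security attributes and the security descriptor.
/// </summary>
/// <remarks>
/// Tabs whose data the token does not carry (restricted SIDs, app container, security
/// descriptor) are removed from <c>tabControlMain</c> rather than left empty, so this is
/// intended to run once per form instance. Fields gated on an access right the handle lacks
/// (QuerySource, ReadControl) fall back to "N/A" or drop the tab instead of failing.
/// </remarks>
private void UpdateTokenData()
{
    UserGroup user = _token.User;
    txtUsername.Text = user.ToString();
    txtUserSid.Text = user.Sid.ToString();

    TokenType tokentype = _token.TokenType;
    txtTokenType.Text = tokentype.ToString();
    // Impersonation level only exists for impersonation tokens.
    if (tokentype == TokenType.Impersonation)
    {
        SecurityImpersonationLevel implevel = _token.ImpersonationLevel;
        txtImpLevel.Text = implevel.ToString();
    }
    else
    {
        txtImpLevel.Text = "N/A";
    }

    txtTokenId.Text = _token.Id.ToString();
    txtModifiedId.Text = _token.ModifiedId.ToString();
    txtAuthId.Text = _token.AuthenticationId.ToString();

    // Integrity levels outside the enum are shown as raw text rather than a combo selection.
    if (Enum.IsDefined(typeof(TokenIntegrityLevel), _token.IntegrityLevel))
    {
        comboBoxIL.SelectedItem = _token.IntegrityLevel;
        comboBoxILForDup.SelectedItem = _token.IntegrityLevel;
    }
    else
    {
        comboBoxIL.Text = _token.IntegrityLevel.ToString();
        comboBoxILForDup.Text = _token.IntegrityLevel.ToString();
    }

    txtSessionId.Text = _token.SessionId.ToString();

    if (_token.IsAccessGranted(TokenAccessRights.QuerySource))
    {
        txtSourceName.Text = _token.Source.SourceName;
        txtSourceId.Text = _token.Source.SourceIdentifier.ToString();
    }
    else
    {
        txtSourceName.Text = "N/A";
        txtSourceId.Text = "N/A";
    }

    TokenElevationType evtype = _token.ElevationType;
    txtElevationType.Text = evtype.ToString();
    txtIsElevated.Text = _token.Elevated.ToString();
    txtOriginLoginId.Text = _token.Origin.ToString();
    // A linked token is only offered when the elevation type is not Default.
    btnLinkedToken.Enabled = evtype != TokenElevationType.Default;

    UpdateGroupList();
    txtPrimaryGroup.Text = _token.PrimaryGroup.Name;
    txtOwner.Text = _token.Owner.Name;

    PopulateDefaultDacl(_token.DefaultDacl);
    listViewDefDacl.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent);
    listViewDefDacl.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);

    if (_token.Restricted)
    {
        PopulateGroupList(listViewRestrictedSids, _token.RestrictedSids);
    }
    else
    {
        tabControlMain.TabPages.Remove(tabPageRestricted);
    }

    if (_token.AppContainer)
    {
        PopulateGroupList(listViewCapabilities, _token.Capabilities);
        txtACNumber.Text = _token.AppContainerNumber.ToString();
        txtPackageName.Text = _token.AppContainerSid.Name;
        txtPackageSid.Text = _token.AppContainerSid.ToString();
    }
    else
    {
        tabControlMain.TabPages.Remove(tabPageAppContainer);
    }

    txtUIAccess.Text = _token.UIAccess.ToString();
    txtSandboxInert.Text = _token.SandboxInert.ToString();

    bool virtAllowed = _token.VirtualizationAllowed;
    txtVirtualizationAllowed.Text = virtAllowed.ToString();
    btnToggleVirtualizationEnabled.Enabled = virtAllowed;
    // "Enabled" is only meaningful when virtualization is allowed at all.
    txtVirtualizationEnabled.Text = virtAllowed ? _token.VirtualizationEnabled.ToString() : "N/A";

    txtMandatoryILPolicy.Text = _token.MandatoryPolicy.ToString();
    txtHandleAccess.Text = _token.GrantedAccess.ToString();
    Sid trust_level = _token.TrustLevel;
    txtTrustLevel.Text = trust_level != null ? trust_level.Name : "N/A";

    UpdatePrivileges();
    UpdateSecurityAttributes();

    if (_token.IsAccessGranted(TokenAccessRights.ReadControl))
    {
        securityDescriptorViewerControl.SetSecurityDescriptor(_token.SecurityDescriptor, _token.NtType, _token.NtType.ValidAccess);
    }
    else
    {
        tabControlMain.TabPages.Remove(tabPageSecurity);
    }
}

/// <summary>
/// Fills <c>listViewDefDacl</c> with one row per ACE of the token's default DACL
/// (trustee, access mask, flags, type), or a single placeholder row when the DACL is null.
/// </summary>
/// <param name="defdacl">The token's default DACL.</param>
private void PopulateDefaultDacl(Acl defdacl)
{
    if (defdacl.NullAcl)
    {
        listViewDefDacl.Items.Add("No Default DACL");
        return;
    }

    // Masks made up only of generic bits are shown symbolically; anything else as raw hex.
    AccessMask genericMask = GenericAccessRights.GenericAll | GenericAccessRights.GenericExecute
                           | GenericAccessRights.GenericRead | GenericAccessRights.GenericWrite;
    foreach (Ace ace in defdacl)
    {
        UserGroup group = new UserGroup(ace.Sid, GroupAttributes.None);
        ListViewItem item = new ListViewItem(group.ToString());
        string maskstr = (ace.Mask & ~genericMask).HasAccess
            ? $"0x{ace.Mask:X08}"
            : ace.Mask.ToGenericAccess().ToString();
        item.SubItems.Add(maskstr);
        item.SubItems.Add(ace.Flags.ToString());
        item.SubItems.Add(ace.Type.ToString());
        listViewDefDacl.Items.Add(item);
    }
}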
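/// <summary>
/// Rebuilds <c>listViewHandles</c> with every token handle found in other processes via the
/// system handle table. Each row shows the owning process id and name, the handle value and,
/// when the duplicated token grants Query access, its user, integrity level, restriction,
/// app container flag, type and impersonation level; otherwise those six columns read "UNKNOWN".
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event arguments (unused).</param>
/// <remarks>
/// Each item's <see cref="ListViewItem.Tag"/> holds a duplicate of the token, i.e. an owned
/// handle; whoever clears the list is responsible for disposing it. Processes that cannot be
/// opened with DupHandle | QueryLimitedInformation, and handles that cannot be duplicated,
/// are skipped silently. Enabling debug privilege is best-effort: its result is not checked,
/// so without it the listing simply covers fewer processes.
/// </remarks>
private void btnRefreshHandles_Click(object sender, EventArgs e)
{
    ClearList(listViewHandles);

    // Handles owned by this process are excluded; Process is IDisposable, so scope it.
    int current_pid;
    using (Process current = Process.GetCurrentProcess())
    {
        current_pid = current.Id;
    }

    // Best effort; see remarks.
    NtToken.EnableDebugPrivilege();

    var items = new List<ListViewItem>();
    var handleGroups = NtSystemInfo.GetHandles()
        .Where(h => h.ProcessId != current_pid && h.ObjectType.Equals("token", StringComparison.OrdinalIgnoreCase))
        .GroupBy(h => h.ProcessId);

    foreach (var group in handleGroups)
    {
        using (var proc = NtProcess.Open(group.Key, ProcessAccessRights.DupHandle | ProcessAccessRights.QueryLimitedInformation, false))
        {
            if (!proc.IsSuccess)
            {
                continue;
            }
            foreach (NtHandle handle in group)
            {
                ListViewItem item = CreateHandleItem(proc.Result, handle);
                if (item != null)
                {
                    items.Add(item);
                }
            }
        }
    }

    listViewHandles.Items.AddRange(items.ToArray());
    ResizeColumns(listViewHandles);
}

/// <summary>
/// Duplicates <paramref name="handle"/> out of <paramref name="proc"/> and builds its list
/// row, or returns null when the handle cannot be duplicated as a token.
/// </summary>
/// <param name="proc">The process that owns the handle, opened with DupHandle access.</param>
/// <param name="handle">The handle table entry to duplicate.</param>
/// <returns>A populated row whose Tag owns a duplicated token, or null.</returns>
private static ListViewItem CreateHandleItem(NtProcess proc, NtHandle handle)
{
    using (var token_result = NtToken.DuplicateFrom(proc, new IntPtr(handle.Handle), TokenAccessRights.None, DuplicateObjectOptions.SameAccess, false))
    {
        if (!token_result.IsSuccess)
        {
            return null;
        }

        NtToken token = token_result.Result;
        ListViewItem item = new ListViewItem(handle.ProcessId.ToString());
        item.SubItems.Add(proc.Name);
        item.SubItems.Add($"0x{handle.Handle:X}");

        if (token.IsAccessGranted(TokenAccessRights.Query))
        {
            item.SubItems.Add(token.User.ToString());
            item.SubItems.Add(token.IntegrityLevel.ToString());
            // WriteRestricted takes precedence over the plain Restricted flag in this column.
            item.SubItems.Add(token.WriteRestricted ? "Write" : token.Restricted.ToString());
            item.SubItems.Add(token.AppContainer.ToString());
            item.SubItems.Add(token.TokenType.ToString());
            item.SubItems.Add(token.ImpersonationLevel.ToString());
        }
        else
        {
            // Same six columns as above; none can be read without Query access.
            for (int i = 0; i < 6; ++i)
            {
                item.SubItems.Add("UNKNOWN");
            }
        }

        // The using block disposes token_result; the item keeps its own duplicate.
        item.Tag = token.Duplicate();
        return item;
    }
}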