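/// <summary>
/// Snapshot the mitigation state of <paramref name="process"/> into this object.
/// </summary>
/// <param name="process">The process to query. Every value is read from it at
/// construction time; nothing is re-read later.</param>
/// <remarks>
/// Each mitigation policy is fetched once with <c>GetProcessMitigationPolicy</c> and its
/// individual flag bits are unpacked via <c>GetBit</c>. The bit positions mirror the field
/// order of the corresponding Win32 <c>PROCESS_MITIGATION_*_POLICY</c> bitfields (e.g. for
/// ASLR: bit 0 = bottom-up randomization, bit 1 = force relocate images).
/// The token-derived fields (<c>IsRestricted</c>, <c>IsAppContainer</c>,
/// <c>IsLowPrivilegeAppContainer</c>, <c>IntegrityLevel</c>) are only populated when the
/// process token can be opened for query; if the open fails they keep their defaults, so a
/// default value must not be read as a verified "not restricted / not sandboxed".
/// </remarks>
internal NtProcessMitigations(NtProcess process)
{
    ProcessDepStatus dep_status = process.DepStatus;
    DisableAtlThunkEmulation = dep_status.DisableAtlThunkEmulation;
    DepEnabled = dep_status.Enabled;
    DepPermanent = dep_status.Permanent;

    int result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessASLRPolicy);
    EnableBottomUpRandomization = result.GetBit(0);
    EnableForceRelocateImages = result.GetBit(1);
    EnableHighEntropy = result.GetBit(2);
    DisallowStrippedImages = result.GetBit(3);

    DisallowWin32kSystemCalls = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessSystemCallDisablePolicy).GetBit(0);

    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessStrictHandleCheckPolicy);
    RaiseExceptionOnInvalidHandleReference = result.GetBit(0);
    HandleExceptionsPermanentlyEnabled = result.GetBit(1);

    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessFontDisablePolicy);
    DisableNonSystemFonts = result.GetBit(0);
    AuditNonSystemFontLoading = result.GetBit(1);

    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessDynamicCodePolicy);
    ProhibitDynamicCode = result.GetBit(0);
    AllowThreadOptOut = result.GetBit(1);
    AllowRemoteDowngrade = result.GetBit(2);

    DisableExtensionPoints = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessExtensionPointDisablePolicy).GetBit(0);

    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessSignaturePolicy);
    MicrosoftSignedOnly = result.GetBit(0);
    StoreSignedOnly = result.GetBit(1);
    SignedMitigationOptIn = result.GetBit(2);

    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessImageLoadPolicy);
    NoRemoteImages = result.GetBit(0);
    NoLowMandatoryLabelImages = result.GetBit(1);
    PreferSystem32Images = result.GetBit(2);

    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessReturnFlowGuardPolicy);
    EnabledReturnFlowGuard = result.GetBit(0);
    ReturnFlowGuardStrictMode = result.GetBit(1);

    IsChildProcessRestricted = process.IsChildProcessRestricted;

    // OpenProcessToken is called in non-throwing mode (last argument false), so a failed
    // open is reported through the result object rather than as an exception. Previously
    // token.Result was dereferenced unconditionally, which fails for any process whose
    // token cannot be opened for Query (e.g. access denied); guard on IsSuccess instead
    // and leave the token-derived fields at their defaults in that case.
    using (var token = NtToken.OpenProcessToken(process, TokenAccessRights.Query, false))
    {
        if (token.IsSuccess)
        {
            IsRestricted = token.Result.Restricted;
            IsAppContainer = token.Result.AppContainer;
            IsLowPrivilegeAppContainer = token.Result.LowPrivilegeAppContainer;
            IntegrityLevel = token.Result.IntegrityLevel;
        }
    }

    ProcessId = process.ProcessId;
    Name = process.Name;
    ImagePath = process.FullPath;
    CommandLine = process.CommandLine;
}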
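/// <summary>
/// Snapshot the mitigation state of <paramref name="process"/> into this object.
/// </summary>
/// <param name="process">The process to query. Every value is read from it at
/// construction time; nothing is re-read later.</param>
/// <remarks>
/// Each mitigation policy is fetched once with <c>GetProcessMitigationPolicy</c> and its
/// individual flag bits are unpacked via <c>GetBit</c>. The bit positions mirror the field
/// order of the corresponding Win32 <c>PROCESS_MITIGATION_*_POLICY</c> bitfields.
/// </remarks>
internal NtProcessMitigations(NtProcess process)
{
    ProcessDepStatus dep_status = process.DepStatus;
    DisableAtlThunkEmulation = dep_status.DisableAtlThunkEmulation;
    DepEnabled = dep_status.Enabled;
    DepPermanent = dep_status.Permanent;

    // PROCESS_MITIGATION_ASLR_POLICY layout: bit 0 = EnableBottomUpRandomization,
    // bit 1 = EnableForceRelocateImages, bit 2 = EnableHighEntropy, bit 3 = DisallowStrippedImages.
    // Bits 0 and 1 were previously swapped here, which mis-reported both flags and disagreed
    // with the other constructors in this file.
    int result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessASLRPolicy);
    EnableBottomUpRandomization = result.GetBit(0);
    EnableForceRelocateImages = result.GetBit(1);
    EnableHighEntropy = result.GetBit(2);
    DisallowStrippedImages = result.GetBit(3);

    DisallowWin32kSystemCalls = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessSystemCallDisablePolicy).GetBit(0);

    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessStrictHandleCheckPolicy);
    RaiseExceptionOnInvalidHandleReference = result.GetBit(0);
    HandleExceptionsPermanentlyEnabled = result.GetBit(1);

    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessFontDisablePolicy);
    DisableNonSystemFonts = result.GetBit(0);
    AuditNonSystemFontLoading = result.GetBit(1);

    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessDynamicCodePolicy);
    ProhibitDynamicCode = result.GetBit(0);
    AllowThreadOptOut = result.GetBit(1);

    DisableExtensionPoints = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessExtensionPointDisablePolicy).GetBit(0);

    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessSignaturePolicy);
    MicrosoftSignedOnly = result.GetBit(0);
    StoreSignedOnly = result.GetBit(1);
    SignedMitigationOptIn = result.GetBit(2);

    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessImageLoadPolicy);
    NoRemoteImages = result.GetBit(0);
    NoLowMandatoryLabelImages = result.GetBit(1);
    PreferSystem32Images = result.GetBit(2);

    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessReturnFlowGuardPolicy);
    EnabledReturnFlowGuard = result.GetBit(0);
    ReturnFlowGuardStrictMode = result.GetBit(1);

    IsChildProcessRestricted = process.IsChildProcessRestricted;
}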
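/// <summary>
/// Snapshot the mitigation state of <paramref name="process"/> into this object.
/// </summary>
/// <param name="process">The process to query. Every value is read from it at
/// construction time; nothing is re-read later.</param>
/// <remarks>
/// Each mitigation policy is fetched once with <c>GetProcessMitigationPolicy</c> and its
/// individual flag bits are unpacked via <c>GetBit</c>. The bit positions mirror the field
/// order of the corresponding Win32 <c>PROCESS_MITIGATION_*_POLICY</c> bitfields; the
/// Audit* flags are the audit-only counterparts of the enforcing flag that precedes them.
/// The token-derived fields (<c>IsRestricted</c>, <c>IsAppContainer</c>,
/// <c>IsLowPrivilegeAppContainer</c>, <c>IntegrityLevel</c>) are only populated when the
/// process token can be opened for query; if the open fails they keep their defaults, so a
/// default value must not be read as a verified "not restricted / not sandboxed".
/// </remarks>
internal NtProcessMitigations(NtProcess process)
{
    ProcessDepStatus dep_status = process.DepStatus;
    DisableAtlThunkEmulation = dep_status.DisableAtlThunkEmulation;
    DepEnabled = dep_status.Enabled;
    DepPermanent = dep_status.Permanent;

    // PROCESS_MITIGATION_ASLR_POLICY: bit 0 = bottom-up, bit 1 = force relocate,
    // bit 2 = high entropy, bit 3 = disallow stripped images.
    int result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ASLR);
    EnableBottomUpRandomization = result.GetBit(0);
    EnableForceRelocateImages = result.GetBit(1);
    EnableHighEntropy = result.GetBit(2);
    DisallowStrippedImages = result.GetBit(3);

    // Query the system-call-disable policy once; it was previously fetched twice
    // (one call per flag), which is a redundant round trip to the kernel.
    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.SystemCallDisable);
    DisallowWin32kSystemCalls = result.GetBit(0);
    AuditDisallowWin32kSystemCalls = result.GetBit(1);

    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.StrictHandleCheck);
    RaiseExceptionOnInvalidHandleReference = result.GetBit(0);
    HandleExceptionsPermanentlyEnabled = result.GetBit(1);

    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.FontDisable);
    DisableNonSystemFonts = result.GetBit(0);
    AuditNonSystemFontLoading = result.GetBit(1);

    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.DynamicCode);
    ProhibitDynamicCode = result.GetBit(0);
    AllowThreadOptOut = result.GetBit(1);
    AllowRemoteDowngrade = result.GetBit(2);
    AuditProhibitDynamicCode = result.GetBit(3);

    DisableExtensionPoints = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ExtensionPointDisable).GetBit(0);

    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ControlFlowGuard);
    EnabledControlFlowGuard = result.GetBit(0);
    EnableExportSuppression = result.GetBit(1);
    ControlFlowGuardStrictMode = result.GetBit(2);

    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.Signature);
    MicrosoftSignedOnly = result.GetBit(0);
    StoreSignedOnly = result.GetBit(1);
    SignedMitigationOptIn = result.GetBit(2);
    AuditMicrosoftSignedOnly = result.GetBit(3);
    AuditStoreSignedOnly = result.GetBit(4);

    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ImageLoad);
    NoRemoteImages = result.GetBit(0);
    NoLowMandatoryLabelImages = result.GetBit(1);
    PreferSystem32Images = result.GetBit(2);
    AuditNoRemoteImages = result.GetBit(3);
    AuditNoLowMandatoryLabelImages = result.GetBit(4);

    // Only the low nibble of the system call filter policy carries the filter id.
    SystemCallFilterId = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.SystemCallFilter) & 0xF;

    // The enforcing flag comes from the dedicated NtProcess property; the child process
    // policy value is then consulted only for the audit and secure-creation bits.
    NoChildProcessCreation = process.IsChildProcessRestricted;
    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ChildProcess);
    AuditNoChildProcessCreation = result.GetBit(1);
    AllowSecureProcessCreation = result.GetBit(2);

    // Payload restriction policy: each enable bit is immediately followed by its audit bit.
    result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.PayloadRestriction);
    EnableExportAddressFilter = result.GetBit(0);
    AuditExportAddressFilter = result.GetBit(1);
    EnableExportAddressFilterPlus = result.GetBit(2);
    AuditExportAddressFilterPlus = result.GetBit(3);
    EnableImportAddressFilter = result.GetBit(4);
    AuditImportAddressFilter = result.GetBit(5);
    EnableRopStackPivot = result.GetBit(6);
    AuditRopStackPivot = result.GetBit(7);
    EnableRopCallerCheck = result.GetBit(8);
    AuditRopCallerCheck = result.GetBit(9);
    EnableRopSimExec = result.GetBit(10);
    AuditRopSimExec = result.GetBit(11);

    // OpenProcessToken is called in non-throwing mode (last argument false); on failure
    // the token-derived fields are deliberately left at their defaults rather than
    // aborting construction, so callers must treat them as "unknown" when the open fails.
    using (var token = NtToken.OpenProcessToken(process, TokenAccessRights.Query, false))
    {
        if (token.IsSuccess)
        {
            IsRestricted = token.Result.Restricted;
            IsAppContainer = token.Result.AppContainer;
            IsLowPrivilegeAppContainer = token.Result.LowPrivilegeAppContainer;
            IntegrityLevel = token.Result.IntegrityLevel;
        }
    }

    ProcessId = process.ProcessId;
    Name = process.Name;
    ImagePath = process.FullPath;
    CommandLine = process.CommandLine;
}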