public TokenProvider SetIntegrity(int integrityLevel) { string integritySid = "S-1-16-" + integrityLevel.ToString(System.Globalization.CultureInfo.InvariantCulture); IntPtr pIntegritySid; if (!ConvertStringSidToSid(integritySid, out pIntegritySid)) { throw new Win32Exception(); } TOKEN_MANDATORY_LABEL TIL = new TOKEN_MANDATORY_LABEL(); TIL.Label.Attributes = 0x00000020 /* SE_GROUP_INTEGRITY */; TIL.Label.Sid = pIntegritySid; var pTIL = Marshal.AllocHGlobal(Marshal.SizeOf <TOKEN_MANDATORY_LABEL>()); Marshal.StructureToPtr(TIL, pTIL, false); if (!SetTokenInformation(Token.DangerousGetHandle(), TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, pTIL, (uint)(Marshal.SizeOf <TOKEN_MANDATORY_LABEL>() + GetLengthSid(pIntegritySid)))) { throw new Win32Exception(); } return(this); }
unsafe static public bool IsRunningElevated() { // Pre-vista, nothing ran elevated if (Environment.OSVersion.Version.Major < 6) { return(false); } IntPtr processToken = WindowsIdentity.GetCurrent().Token; uint returnLength; if (GetTokenInformation( processToken, 25, // TokenIntegrityLevel, IntPtr.Zero, // TokenInformation 0, // tokenInformationLength out returnLength) != 0) { return(false); } if (Marshal.GetLastWin32Error() != ERROR_INSUFFICIENT_BUFFER) { return(false); } uint length = returnLength; byte[] tokenInformation = new byte[length]; uint integLevel; fixed(byte *tokenInformationPtr = tokenInformation) { if (GetTokenInformation( processToken, 25, // TokenIntegrityLevel, (IntPtr)tokenInformationPtr, // TokenInformation length, // tokenInformationLength out returnLength) == 0) { return(false); } TOKEN_MANDATORY_LABEL label = (TOKEN_MANDATORY_LABEL)Marshal.PtrToStructure((IntPtr)tokenInformationPtr, typeof(TOKEN_MANDATORY_LABEL)); IntPtr psid = label.Label.Sid; IntPtr subAuthCountPtr = GetSidSubAuthorityCount(psid); byte subAuthCount = Marshal.ReadByte(subAuthCountPtr); uint subAuthIndex = (uint)(subAuthCount - 1); IntPtr integLevelPtr = GetSidSubAuthority(psid, subAuthIndex); integLevel = (uint)Marshal.ReadInt32(integLevelPtr); } return(integLevel >= SECURITY_MANDATORY_HIGH_RID); }
public static bool SetInformationToken(IntPtr hproctoken, IntPtr pSid) { SID_AND_ATTRIBUTES sidAndAttributes = new SID_AND_ATTRIBUTES { Sid = pSid, Attributes = SE_GROUP_INTEGRITY }; TOKEN_MANDATORY_LABEL tokenMandatoryLevel = new TOKEN_MANDATORY_LABEL(); tokenMandatoryLevel.Label = sidAndAttributes; Int32 tokenMandatoryLabelSize = Marshal.SizeOf(tokenMandatoryLevel); if (Natives.NtSetInformationToken(hproctoken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, ref tokenMandatoryLevel, tokenMandatoryLabelSize) != 0) { return(false); } return(true); }
public static extern Int32 NtSetInformationToken(IntPtr TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, ref TOKEN_MANDATORY_LABEL TokenInformation, int TokenInformationLength);
public static PROCESS_INFORMATION StartElevatedProcess(string binary, [Optional] int elevatedPID) { IntPtr hProcess = IntPtr.Zero; if (elevatedPID > 0) { hProcess = OpenProcess(0x00001000, false, elevatedPID); } else { SHELLEXECUTEINFO shellInfo = new SHELLEXECUTEINFO(); shellInfo.cbSize = Marshal.SizeOf(shellInfo); shellInfo.fMask = 0x40; shellInfo.lpFile = "wusa.exe"; shellInfo.nShow = 0x0; ShellExecuteEx(ref shellInfo); hProcess = shellInfo.hProcess; } IntPtr hToken = IntPtr.Zero; OpenProcessToken(hProcess, 0x02000000, ref hToken); IntPtr hNewToken = IntPtr.Zero; SECURITY_ATTRIBUTES secAttribs = new SECURITY_ATTRIBUTES(); DuplicateTokenEx(hToken, 0xf01ff, ref secAttribs, 2, 1, ref hNewToken); SID_IDENTIFIER_AUTHORITY sia = new SID_IDENTIFIER_AUTHORITY(); sia.Value = new byte[] { 0x0, 0x0, 0x0, 0x0, 0x0, 0x10 }; IntPtr pSID = IntPtr.Zero; AllocateAndInitializeSid(ref sia, 1, 0x2000, 0, 0, 0, 0, 0, 0, 0, ref pSID); SID_AND_ATTRIBUTES saa = new SID_AND_ATTRIBUTES(); saa.Sid = pSID; saa.Attributes = 0x20; TOKEN_MANDATORY_LABEL tml = new TOKEN_MANDATORY_LABEL(); tml.Label = saa; int tmlSize = Marshal.SizeOf(tml); NtSetInformationToken(hNewToken, 25, ref tml, tmlSize); IntPtr luaToken = IntPtr.Zero; NtFilterToken(hNewToken, 4, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, ref luaToken); hNewToken = IntPtr.Zero; secAttribs = new SECURITY_ATTRIBUTES(); DuplicateTokenEx(luaToken, 0xc, ref secAttribs, 2, 2, ref hNewToken); ImpersonateLoggedOnUser(hNewToken); STARTUPINFO sInfo = new STARTUPINFO(); PROCESS_INFORMATION pInfo = new PROCESS_INFORMATION(); CreateProcessWithLogonW("xxx", "xxx", "xxx", LogonFlags.LogonNetCredentialsOnly, binary, "", CreationFlags.CreateSuspended, 0, @"C:\Windows\System32", ref sInfo, out pInfo); if (elevatedPID == 0) { TerminateProcess(hProcess, 1); } return(pInfo); }
internal static extern bool SetTokenInformation(SafeTokenHandle hToken, TOKEN_INFORMATION_CLASS informationClass, TOKEN_MANDATORY_LABEL tokenInformation, int tokenInformationLength);
public PROCESS_INFORMATION StartElevatedProcess(string binary, [Optional] int elevatedPID) { IntPtr hProcess = IntPtr.Zero; if (elevatedPID > 0) { hProcess = OpenProcess(0x00001000, false, elevatedPID); } else { SHELLEXECUTEINFO shellInfo = new SHELLEXECUTEINFO(); shellInfo.cbSize = Marshal.SizeOf(shellInfo); shellInfo.fMask = 0x40; shellInfo.lpFile = "wusa.exe"; shellInfo.nShow = 0x0; if (!ShellExecuteEx(ref shellInfo)) { throw new SystemException("[x] Failed to create process"); } hProcess = shellInfo.hProcess; } if (hProcess == IntPtr.Zero) { throw new SystemException("[x] Failed to process handle"); } IntPtr hToken = IntPtr.Zero; if (!OpenProcessToken(hProcess, 0x02000000, ref hToken)) { throw new SystemException("[x] Failed to open process token"); } IntPtr hNewToken = IntPtr.Zero; SECURITY_ATTRIBUTES secAttribs = new SECURITY_ATTRIBUTES(); if (!DuplicateTokenEx(hToken, 0xf01ff, ref secAttribs, 2, 1, ref hNewToken)) { throw new SystemException("[x] Failed to duplicate process token"); } SID_IDENTIFIER_AUTHORITY sia = new SID_IDENTIFIER_AUTHORITY(); sia.Value = new byte[] { 0x0, 0x0, 0x0, 0x0, 0x0, 0x10 }; IntPtr pSID = IntPtr.Zero; if (!AllocateAndInitializeSid(ref sia, 1, 0x2000, 0, 0, 0, 0, 0, 0, 0, ref pSID)) { throw new SystemException("[x] Failed to initialize SID"); } SID_AND_ATTRIBUTES saa = new SID_AND_ATTRIBUTES(); saa.Sid = pSID; saa.Attributes = 0x20; TOKEN_MANDATORY_LABEL tml = new TOKEN_MANDATORY_LABEL(); tml.Label = saa; int tmlSize = Marshal.SizeOf(tml); if (NtSetInformationToken(hNewToken, 25, ref tml, tmlSize) != 0) { throw new SystemException("[x] Failed to modify token"); } IntPtr luaToken = IntPtr.Zero; if (NtFilterToken(hNewToken, 4, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, ref luaToken) != 0) { throw new SystemException("[x] Failed to create restricted token"); } hNewToken = IntPtr.Zero; secAttribs = new SECURITY_ATTRIBUTES(); if (!DuplicateTokenEx(luaToken, 0xc, ref secAttribs, 2, 2, ref hNewToken)) { throw new SystemException("[x] Failed to duplicate restricted token"); } if (!ImpersonateLoggedOnUser(hNewToken)) { throw new SystemException("[x] Failed to impersonate context"); } STARTUPINFO sInfo = new STARTUPINFO(); PROCESS_INFORMATION pInfo = new PROCESS_INFORMATION(); CreateProcessWithLogonW("xxx", "xxx", "xxx", LogonFlags.LOGON_NETCREDENTIALS_ONLY, binary, "", CreationFlags.CREATE_SUSPENDED, 0, @"C:\\Windows\\System32", ref sInfo, out pInfo); if (elevatedPID == 0) { if (!TerminateProcess(hProcess, 1)) { Console.WriteLine("Warning, failed to terminate wusa.exe"); } } return(pInfo); }
public static extern int NtSetInformationToken(IntPtr TokenHandle, int TokenInformationClass, ref TOKEN_MANDATORY_LABEL TokenInformation, int TokenInformationLength);
/// <summary> /// The function gets the integrity level of the current process. Integrity /// level is only available on Windows Vista and newer operating systems, thus /// GetProcessIntegrityLevel throws a C++ exception if it is called on systems /// prior to Windows Vista. /// </summary> /// <returns> /// Returns the integrity level of the current process. It is usually one of /// these values: /// /// SECURITY_MANDATORY_UNTRUSTED_RID - means untrusted level. It is used /// by processes started by the Anonymous group. Blocks most write access. /// (SID: S-1-16-0x0) /// /// SECURITY_MANDATORY_LOW_RID - means low integrity level. It is used by /// Protected Mode Internet Explorer. Blocks write acess to most objects /// (such as files and registry keys) on the system. (SID: S-1-16-0x1000) /// /// SECURITY_MANDATORY_MEDIUM_RID - means medium integrity level. It is /// used by normal applications being launched while UAC is enabled. /// (SID: S-1-16-0x2000) /// /// SECURITY_MANDATORY_HIGH_RID - means high integrity level. It is used /// by administrative applications launched through elevation when UAC is /// enabled, or normal applications if UAC is disabled and the user is an /// administrator. (SID: S-1-16-0x3000) /// /// SECURITY_MANDATORY_SYSTEM_RID - means system integrity level. It is /// used by services and other system-level applications (such as Wininit, /// Winlogon, Smss, etc.) (SID: S-1-16-0x4000) /// /// </returns> /// <exception cref="System.ComponentModel.Win32Exception"> /// When any native Windows API call fails, the function throws a Win32Exception /// with the last error code. /// </exception> public static int GetProcessIntegrityLevel() { int IL = -1; SafeTokenHandle hToken = null; int cbTokenIL = 0; IntPtr pTokenIL = IntPtr.Zero; try { // Open the access token of the current process with TOKEN_QUERY. if (!NativeMethod.OpenProcessToken(Process.GetCurrentProcess().Handle, NativeMethod.TOKEN_QUERY, out hToken)) { throw new Win32Exception(); } // Then we must query the size of the integrity level information // associated with the token. Note that we expect GetTokenInformation // to return false with the ERROR_INSUFFICIENT_BUFFER error code // because we've given it a null buffer. On exit cbTokenIL will tell // the size of the group information. if (!NativeMethod.GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, IntPtr.Zero, 0, out cbTokenIL)) { int error = Marshal.GetLastWin32Error(); if (error != NativeMethod.ERROR_INSUFFICIENT_BUFFER) { // When the process is run on operating systems prior to // Windows Vista, GetTokenInformation returns false with the // ERROR_INVALID_PARAMETER error code because // TokenIntegrityLevel is not supported on those OS's. throw new Win32Exception(error); } } // Now we allocate a buffer for the integrity level information. pTokenIL = Marshal.AllocHGlobal(cbTokenIL); if (pTokenIL == IntPtr.Zero) { throw new Win32Exception(); } // Now we ask for the integrity level information again. This may fail // if an administrator has added this account to an additional group // between our first call to GetTokenInformation and this one. if (!NativeMethod.GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, pTokenIL, cbTokenIL, out cbTokenIL)) { throw new Win32Exception(); } // Marshal the TOKEN_MANDATORY_LABEL struct from native to .NET object. TOKEN_MANDATORY_LABEL tokenIL = (TOKEN_MANDATORY_LABEL) Marshal.PtrToStructure(pTokenIL, typeof(TOKEN_MANDATORY_LABEL)); // Integrity Level SIDs are in the form of S-1-16-0xXXXX. (e.g. // S-1-16-0x1000 stands for low integrity level SID). There is one // and only one subauthority. IntPtr pIL = NativeMethod.GetSidSubAuthority(tokenIL.Label.Sid, 0); IL = Marshal.ReadInt32(pIL); } finally { // Centralized cleanup for all allocated resources. if (hToken != null) { hToken.Close(); hToken = null; } if (pTokenIL != IntPtr.Zero) { Marshal.FreeHGlobal(pTokenIL); pTokenIL = IntPtr.Zero; cbTokenIL = 0; } } return(IL); }
public string ShowProcessIntegrityLevel(int ID) { Process proc = Process.GetProcessById(ID); IntPtr hProcess = proc.Handle; IntPtr hToken; OpenProcessToken(hProcess, TokenAccessLevels.MaximumAllowed, out hToken); string IL = ND_MESSAGE; try { uint dwLengthNeeded; if (GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, IntPtr.Zero, 0, out dwLengthNeeded)) { uint dwError = (uint)Marshal.GetLastWin32Error(); } IntPtr pTIL = Marshal.AllocHGlobal((int)dwLengthNeeded); try { if (!GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, pTIL, dwLengthNeeded, out dwLengthNeeded)) { return(IL); } TOKEN_MANDATORY_LABEL TIL = (TOKEN_MANDATORY_LABEL)Marshal.PtrToStructure(pTIL, typeof(TOKEN_MANDATORY_LABEL)); IntPtr SubAuthorityCount = GetSidSubAuthorityCount(TIL.Label.Sid); IntPtr IntegrityLevelPtr = GetSidSubAuthority(TIL.Label.Sid, Marshal.ReadByte(SubAuthorityCount) - 1); int dwIntegrityLevel = Marshal.ReadInt32(IntegrityLevelPtr); if (dwIntegrityLevel >= SECURITY_MANDATORY_UNTRUSTED_RID && dwIntegrityLevel < SECURITY_MANDATORY_LOW_RID) { IL = "Ненадежный"; } else if (dwIntegrityLevel >= SECURITY_MANDATORY_LOW_RID && dwIntegrityLevel < SECURITY_MANDATORY_MEDIUM_RID) { IL = "Низкий"; } else if (dwIntegrityLevel >= SECURITY_MANDATORY_MEDIUM_RID && dwIntegrityLevel < SECURITY_MANDATORY_MEDIUM_PLUS_RID) { IL = "Средний"; } else if (dwIntegrityLevel >= SECURITY_MANDATORY_MEDIUM_PLUS_RID && dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID) { IL = "Средний+"; } else if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID && dwIntegrityLevel < SECURITY_MANDATORY_SYSTEM_RID) { IL = "Высокий"; } else if (dwIntegrityLevel >= SECURITY_MANDATORY_SYSTEM_RID && dwIntegrityLevel < SECURITY_MANDATORY_PROTECTED_PROCESS_RID) { IL = "Системный"; } else if (dwIntegrityLevel >= SECURITY_MANDATORY_PROTECTED_PROCESS_RID) { IL = "Защищенный"; } } catch (Exception err) { #region Запись в файл "Exeptions_LOG.txt" исключений, возникающих в ходе работы программы string error_message = "Имя: " + proc.ProcessName + Environment.NewLine + "Исключение: " + err.Message.ToString() + Environment.NewLine + Environment.NewLine; StreamWriter file = new StreamWriter("Исключение.txt", true); file.WriteLine(error_message); file.Close(); #endregion Marshal.FreeHGlobal(pTIL); return(IL); } } catch (Exception err) { #region Запись в файл "Exeptions_LOG.txt" исключений, возникающих в ходе работы программы string error_message = "Имя: " + proc.ProcessName + Environment.NewLine + "Исключение: " + err.Message.ToString() + Environment.NewLine + Environment.NewLine; StreamWriter file = new StreamWriter("Исключение.txt", true); file.WriteLine(error_message); file.Close(); #endregion CloseHandle(hToken); return(IL); } return(IL); }
/// <summary> /// Sets the integrity level of the given access token. /// </summary> /// <param name="token">handle to the access token</param> /// <param name="mlrid">mandatory integrity level</param> private static void SetTokenMandatoryLabel(IntPtr token, MandatoryLabel mlrid) { SID_IDENTIFIER_AUTHORITY mlauth = new SID_IDENTIFIER_AUTHORITY() { Value = MANDATORY_LABEL_AUTHORITY }; TOKEN_MANDATORY_LABEL tml = new TOKEN_MANDATORY_LABEL(); IntPtr mlauthptr; IntPtr sidptr; IntPtr tmlptr; int tmlsz; int errno = 0; mlauthptr = Marshal.AllocHGlobal(Marshal.SizeOf(mlauth)); Marshal.StructureToPtr(mlauth, mlauthptr, false); if (!Security.AllocateAndInitializeSid(mlauthptr, 1, (int)mlrid, 0, 0, 0, 0, 0, 0, 0, out sidptr)) { errno = Marshal.GetLastWin32Error(); Marshal.FreeHGlobal(mlauthptr); throw new IOException("Failed to allocate new SID. (" + errno + ")"); } Marshal.FreeHGlobal(mlauthptr); tml.Label.Sid = sidptr; tml.Label.Attributes = SE_GROUP_INTEGRITY; tmlsz = Marshal.SizeOf(tml); tmlptr = Marshal.AllocHGlobal(tmlsz); Marshal.StructureToPtr(tml, tmlptr, false); if (!Security.SetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, tmlptr, tmlsz)) { errno = Marshal.GetLastWin32Error(); Marshal.FreeHGlobal(sidptr); Marshal.FreeHGlobal(tmlptr); throw new IOException("Failed to set token mandatory label. (" + errno + ")"); } Marshal.FreeHGlobal(sidptr); Marshal.FreeHGlobal(tmlptr); }
/// <summary> /// Extracts Token information from a thread's memory by wrapping GetTokenInformation(). Returns token information specified by the tokenInformationClass param /// </summary> /// <param name="hToken"></param> /// <param name="tokenInformationClass"></param> /// <returns>String containing the requested token information</returns> static string QueryToken(IntPtr hToken, TOKEN_INFORMATION_CLASS tokenInformationClass) { int tokenInformationLength = 0; // First need to get the length of TokenInformation - won't return true bool result = GetTokenInformation(hToken, tokenInformationClass, IntPtr.Zero, tokenInformationLength, out tokenInformationLength); // Buffer for the struct IntPtr tokenInformation = Marshal.AllocHGlobal(tokenInformationLength); // Make call to GetTokenInformation() and get particular Struct switch (tokenInformationClass) { case TOKEN_INFORMATION_CLASS.TokenUser: // Store the requested token information in the buffer result = GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenUser, tokenInformation, tokenInformationLength, out tokenInformationLength); if (result) { // Marshal the buffer to TOKEN_USER Struct TOKEN_USER tokenUser = (TOKEN_USER)Marshal.PtrToStructure(tokenInformation, typeof(TOKEN_USER)); // Extract SID from the TOKEN_USER struct IntPtr pSID = IntPtr.Zero; ConvertSidToStringSid(tokenUser.User.Sid, out pSID); string SID = Marshal.PtrToStringAuto(pSID); return(SID); } else { return(null); } case TOKEN_INFORMATION_CLASS.TokenPrivileges: result = GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenPrivileges, tokenInformation, tokenInformationLength, out tokenInformationLength); if (result) { TOKEN_PRIVILEGES tokenPrivileges = (TOKEN_PRIVILEGES)Marshal.PtrToStructure(tokenInformation, typeof(TOKEN_PRIVILEGES)); StringBuilder stringBuilder = new StringBuilder(); for (int i = 0; i < tokenPrivileges.PrivilegeCount; i++) { // Bitwise AND comparison to check that each token privilege attribute for SE_PRIVILEGE_ENABLED if (((LUID_ATTRIBUTES)tokenPrivileges.Privileges[i].Attributes & LUID_ATTRIBUTES.SE_PRIVILEGE_ENABLED) == LUID_ATTRIBUTES.SE_PRIVILEGE_ENABLED) { // Append the privilege to the stringBuilder stringBuilder.Append($", {tokenPrivileges.Privileges[i].Luid.LowPart.ToString()}"); } } return(stringBuilder.ToString().Remove(0, 2)); } else { return(null); } case TOKEN_INFORMATION_CLASS.TokenIntegrityLevel: // Mandatory Level SIDs for QueryToken() // https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems#allsids Dictionary <string, string> tokenIntegritySIDs = new Dictionary <string, string> { { "S-1-16-0", "Untrusted Mandatory Level" }, { "S-1-16-4096", "Low Mandatory Level" }, { "S-1-16-8192", "Medium Mandatory Level" }, { "S-1-16-8448", "Medium Plus Mandatory Level" }, { "S-1-16-12288", "High Mandatory Level" }, { "S-1-16-16384", "System Mandatory Level" }, { "S-1-16-20480", "Protected Process Mandatory Level" }, { "S-1-16-28672", "Secure Process Mandatory Level" } }; result = GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, tokenInformation, tokenInformationLength, out tokenInformationLength); if (result) { TOKEN_MANDATORY_LABEL tokenMandatoryLabel = (TOKEN_MANDATORY_LABEL)Marshal.PtrToStructure(tokenInformation, typeof(TOKEN_MANDATORY_LABEL)); // Extract SID string from TOKEN_MANDATORY_LABEL IntPtr pSID = IntPtr.Zero; ConvertSidToStringSid(tokenMandatoryLabel.label.Sid, out pSID); string SID = Marshal.PtrToStringAuto(pSID); if (tokenIntegritySIDs.ContainsKey(SID)) { return(tokenIntegritySIDs[SID]); } else { return(null); } } else { return(null); } case TOKEN_INFORMATION_CLASS.TokenOrigin: result = GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenOrigin, tokenInformation, tokenInformationLength, out tokenInformationLength); if (result) { TOKEN_ORIGIN tokenOrigin = (TOKEN_ORIGIN)Marshal.PtrToStructure(tokenInformation, typeof(TOKEN_ORIGIN)); string logonId = tokenOrigin.OriginatingLogonSession.LowPart.ToString(); return(logonId); } else { return(null); } } return(null); }
public string GetProcessIntegrityLevel() { int IL = -1; IntPtr hToken = IntPtr.Zero; uint cbTokenIL = 0; IntPtr pTokenIL = IntPtr.Zero; string d = ""; try { if (!OpenProcessToken(ProcList[ProcNumber].Handle, TokenAccessLevels.Query, out hToken)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } if (!GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, IntPtr.Zero, 0, out cbTokenIL)) { int error = Marshal.GetLastWin32Error(); if (error != ERROR_INSUFFICIENT_BUFFER) { throw new Win32Exception(error); } } pTokenIL = Marshal.AllocHGlobal((int)cbTokenIL); if (pTokenIL == IntPtr.Zero) { throw new Win32Exception(Marshal.GetLastWin32Error()); } if (!GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, pTokenIL, cbTokenIL, out cbTokenIL)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } TOKEN_MANDATORY_LABEL tokenIL = (TOKEN_MANDATORY_LABEL) Marshal.PtrToStructure(pTokenIL, typeof(TOKEN_MANDATORY_LABEL)); IntPtr pIL = GetSidSubAuthority(tokenIL.Label.Sid, 0); IL = Marshal.ReadInt32(pIL); if (IL == SECURITY_MANDATORY_UNTRUSTED_RID) { // Untrusted Integrity d = "Untrusted Process"; } else if (IL == SECURITY_MANDATORY_LOW_RID) { // Low Integrity d = "Low Process"; } else if (IL == SECURITY_MANDATORY_MEDIUM_RID) { // Medium Integrity d = "Medium Process"; } else if (IL == SECURITY_MANDATORY_HIGH_RID) { // High Integrity d = "High Integrity Process"; } else if (IL == SECURITY_MANDATORY_SYSTEM_RID) { // System Integrity d = "System Integrity Process"; } d += cbTokenIL.ToString(); } finally { if (hToken != null) { CloseHandle(hToken); hToken = IntPtr.Zero; } if (pTokenIL != IntPtr.Zero) { Marshal.FreeHGlobal(pTokenIL); pTokenIL = IntPtr.Zero; cbTokenIL = 0; } } return(d); }
//integrity level процесса public static string GetIntegrityLevel(Process process) { try { IntPtr hProcess = process.Handle; IntPtr hToken; if (!OpenProcessToken(hProcess, TokenAccessLevels.MaximumAllowed, out hToken)) { return("error"); } try { uint dwLengthNeeded; if (GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, IntPtr.Zero, 0, out dwLengthNeeded)) { return("error"); } uint dwError = (uint)Marshal.GetLastWin32Error(); if (dwError == ERROR_INSUFFICIENT_BUFFER) { IntPtr pTIL = Marshal.AllocHGlobal((int)dwLengthNeeded); try { if (!GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, pTIL, dwLengthNeeded, out dwLengthNeeded)) { return("error"); } // TOKEN_MANDATORY_LABEL TIL = (TOKEN_MANDATORY_LABEL)Marshal.PtrToStructure(pTIL, typeof(TOKEN_MANDATORY_LABEL)); IntPtr SubAuthorityCount = GetSidSubAuthorityCount(TIL.Label.Sid); IntPtr IntegrityLevelPtr = GetSidSubAuthority(TIL.Label.Sid, Marshal.ReadByte(SubAuthorityCount) - 1); // int dwIntegrityLevel = Marshal.ReadInt32(IntegrityLevelPtr); if (dwIntegrityLevel < SECURITY_MANDATORY_LOW_RID) { return("untrusted"); } else if (dwIntegrityLevel == SECURITY_MANDATORY_LOW_RID) { return("low"); } else if (dwIntegrityLevel >= SECURITY_MANDATORY_MEDIUM_RID && dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID) { return("medium"); } else if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID && dwIntegrityLevel < SECURITY_MANDATORY_SYSTEM_RID) { return("high"); } else if (dwIntegrityLevel >= SECURITY_MANDATORY_SYSTEM_RID) { return("system"); } } finally { Marshal.FreeHGlobal(pTIL); } } } finally { CloseHandle(hToken); } return(""); } catch { return("system"); } }
public static extern bool SetTokenInformation(IntPtr TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, ref TOKEN_MANDATORY_LABEL TokenInformation, uint TokenInformationLength);