/// <summary> /// Method to create an object from a set of object attributes. /// </summary> /// <param name="obj_attributes">The object attributes to create/open from.</param> /// <returns>The newly created object.</returns> protected override object CreateObject(ObjectAttributes obj_attributes) { string key_path = Win32Path ? NtKeyUtils.Win32KeyNameToNt(KeyPath) : KeyPath; using (ObjectAttributes name = new ObjectAttributes(key_path, AttributeFlags.CaseInsensitive)) { if ((LoadFlags & LoadKeyFlags.AppKey) == 0) { using (NtToken token = NtToken.OpenProcessToken()) { TokenPrivilege priv = token.GetPrivilege(TokenPrivilegeValue.SeRestorePrivilege); if (priv == null || (priv.Attributes & PrivilegeAttributes.Enabled) == 0) { WriteWarning("Loading a non-app hive should require SeRestorePrivilege"); } } } else { if (!KeyPath.StartsWith(@"\Registry\A\", System.StringComparison.OrdinalIgnoreCase)) { WriteWarning(@"Loading app hive outside of \Registry\A\ will fail on an up to date system."); } } return(NtKey.LoadKey(name, obj_attributes, LoadFlags, Access)); } }
public void AdjustToken(bool enable) { var p = Process.GetCurrentProcess(); var at = new AccessTokenProcess(p.Id, TokenAccessType.TOKEN_ADJUST_PRIVILEGES); var tp = new TokenPrivilege(TokenPrivilege.SE_SHUTDOWN_NAME, enable); at.EnablePrivilege(tp); }
/// <summary> /// Constructor. /// </summary> public NewNtTokenCmdlet() { AuthenticationId = NtToken.LocalSystemAuthId; TokenType = TokenType.Primary; ExpirationTime = DateTime.Now.AddYears(10); Group = new Sid[0]; Privilege = new TokenPrivilegeValue[0]; UserPrivilege = new TokenPrivilege[0]; UserGroup = new UserGroup[0]; DefaultAcl = new Acl(); DefaultAcl.AddAccessAllowedAce(GenericAccessRights.GenericAll, AceFlags.None, "SY"); DefaultAcl.AddAccessAllowedAce(GenericAccessRights.GenericAll, AceFlags.None, "BA"); IntegrityLevel = TokenIntegrityLevel.System; SecurityQualityOfService = new SecurityQualityOfService(SecurityImpersonationLevel.Anonymous, SecurityContextTrackingMode.Static, false); }
private void enablePrivilegeToolStripMenuItem_Click(object sender, EventArgs e) { if (listViewPrivs.SelectedItems.Count > 0) { TokenPrivilege priv = listViewPrivs.SelectedItems[0].Tag as TokenPrivilege; try { _token.EnablePrivilege(priv, !priv.IsEnabled()); UpdatePrivileges(); } catch (Win32Exception ex) { MessageBox.Show(this, ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); } } }
private void contextMenuStripPrivileges_Opening(object sender, CancelEventArgs e) { if (listViewPrivs.SelectedItems.Count > 0) { TokenPrivilege priv = listViewPrivs.SelectedItems[0].Tag as TokenPrivilege; if (priv != null) { if (priv.IsEnabled()) { enablePrivilegeToolStripMenuItem.Text = "Disable Privilege"; } else { enablePrivilegeToolStripMenuItem.Text = "Enable Privilege"; } } } }
/// <summary> /// Computes effective access rights upon acquiring the necessary security information such as Share's security, /// Central Policy and Resource's security as maybe applicable. /// </summary> public void Evaluate() { using (TokenPrivilege seSecurityPrivilege = new TokenPrivilege(TokenPrivilege.Security)) { try { // // SeSecurityPrivilege is required for querying the Central Policy ID (Scope information) from the // file's SD // seSecurityPrivilege.Enable(); var securityObjects = new Dictionary <string, FileSecurityObject>(); // // First include the Share's SD if available. If the share denies a permission, anything else that // denies a permission is of lesser consequence. // if (shareSD != null) { securityObjects.Add("Share", new FileSecurityObject(shareSD)); } SecurityIdentifier capId = null; { RawSecurityDescriptor scopeSD = GetFileSecInfoSD(handle, NativeMethods.SecurityInformationClass.Scope); if (scopeSD != null) { if (scopeSD.SystemAcl != null) { foreach (GenericAce ace in scopeSD.SystemAcl) { // // Scoped Policy ID ACE not yet part of System.Security.AccessControl.AceType // // Since SYSTEM_SCOPED_POLICY_ID_ACE essentially has a SID which is the identifier // for a Central Policy, extract it explicitly. // byte[] rawAce = new byte[ace.BinaryLength]; ace.GetBinaryForm(rawAce, 0); if ((ace.AceFlags & AceFlags.InheritOnly) == 0) { long sidOffset = (long)Marshal.OffsetOf( typeof(NativeMethods.SYSTEM_SCOPED_POLICY_ID_ACE), "SidStart"); if (sidOffset < ace.BinaryLength) { capId = new SecurityIdentifier(rawAce, (int)sidOffset); // // The first Central Policy is the only one honored when there are multiple // in a Security Descriptor. Ignore everything else. // break; } } } } } } // // Obtain file SD // RawSecurityDescriptor fileSD = GetFileSecInfoSD( handle, NativeMethods.SecurityInformationClass.Owner | NativeMethods.SecurityInformationClass.Group | NativeMethods.SecurityInformationClass.Dacl | NativeMethods.SecurityInformationClass.Label | NativeMethods.SecurityInformationClass.Attribute); if (capId != null) { var availableCaps = new AvailableCentralPolicies(targetMachine); Dictionary <string, CentralAccessRule> CARs = availableCaps.FetchCentralAccessRules(capId); if (CARs == null || CARs.Count == 0) { // // If the Central Policy or any of its Central Access Rules could not be retrieved, fall // back to just the granularity of Central Policy. For this, use the file's SD with the // CAP ID. // securityObjects.Add("Central Policy", new FileSecurityObject( GetFileSecInfoSD(handle, NativeMethods.SecurityInformationClass.Owner | NativeMethods.SecurityInformationClass.Group | NativeMethods.SecurityInformationClass.Label | NativeMethods.SecurityInformationClass.Attribute | NativeMethods.SecurityInformationClass.Scope))); } else { // // The merged security descriptor for each Central Access Rule is generated as follows: // Owner + Group + SACL (all from resource's SD) + DACL from Central Access Rule // // If the AppliesTo predicate is present, then we do the following: // Owned + Group + SACL (all from resource's SD) // + A fabricated DACL with an allowed callback ACE containingn the selected user // principal and the AppliesTo predicate appended. // foreach (var rule in CARs) { var sd = new RawSecurityDescriptor(fileSD.ControlFlags, fileSD.Owner, fileSD.Group, fileSD.SystemAcl, rule.Value.EffectivePolicy.DiscretionaryAcl); if (!string.IsNullOrEmpty(rule.Value.AppliesToCondition)) { string appliesToSDDL = "D:(XA;;FR;;;" + userSid.ToString() + ";" + rule.Value.AppliesToCondition + ")"; var appliesToSD = new RawSecurityDescriptor( fileSD.ControlFlags, fileSD.Owner, fileSD.Group, fileSD.SystemAcl, (new RawSecurityDescriptor(appliesToSDDL)).DiscretionaryAcl); securityObjects.Add(rule.Key, new FileSecurityObject(sd, appliesToSD)); } else { securityObjects.Add(rule.Key, new FileSecurityObject(sd)); } } } } securityObjects.Add("File permissions", new FileSecurityObject(fileSD)); results = ComputeEffectiveAccessResult(targetMachine, securityObjects); } finally { seSecurityPrivilege.Revert(); } } }
public static extern int OpenProcessToken( System.IntPtr ProcessHandle, // handle to process TokenPrivilege DesiredAccess, // desired access to process ref IntPtr TokenHandle // handle to open access token );
public static extern bool SetPrivilege(IntPtr token, bool release, ref TokenPrivilege newState, uint zero1, IntPtr zero2, IntPtr zero3);
/// <summary> /// Computes effective access rights upon acquiring the necessary security information such as Share's security, /// Central Policy and Resource's security as maybe applicable. /// </summary> public void Evaluate() { using (TokenPrivilege seSecurityPrivilege = new TokenPrivilege(TokenPrivilege.Security)) { try { // // SeSecurityPrivilege is required for querying the Central Policy ID (Scope information) from the // file's SD // seSecurityPrivilege.Enable(); var securityObjects = new Dictionary<string, FileSecurityObject>(); // // First include the Share's SD if available. If the share denies a permission, anything else that // denies a permission is of lesser consequence. // if (shareSD != null) { securityObjects.Add("Share", new FileSecurityObject(shareSD)); } SecurityIdentifier capId = null; { RawSecurityDescriptor scopeSD = GetFileSecInfoSD(handle, NativeMethods.SecurityInformationClass.Scope); if (scopeSD != null) { if (scopeSD.SystemAcl != null) { foreach (GenericAce ace in scopeSD.SystemAcl) { // // Scoped Policy ID ACE not yet part of System.Security.AccessControl.AceType // // Since SYSTEM_SCOPED_POLICY_ID_ACE essentially has a SID which is the identifier // for a Central Policy, extract it explicitly. // byte[] rawAce = new byte[ace.BinaryLength]; ace.GetBinaryForm(rawAce, 0); if ((ace.AceFlags & AceFlags.InheritOnly) == 0) { long sidOffset = (long)Marshal.OffsetOf( typeof(NativeMethods.SYSTEM_SCOPED_POLICY_ID_ACE), "SidStart"); if (sidOffset < ace.BinaryLength) { capId = new SecurityIdentifier(rawAce, (int)sidOffset); // // The first Central Policy is the only one honored when there are multiple // in a Security Descriptor. Ignore everything else. // break; } } } } } } // // Obtain file SD // RawSecurityDescriptor fileSD = GetFileSecInfoSD( handle, NativeMethods.SecurityInformationClass.Owner | NativeMethods.SecurityInformationClass.Group | NativeMethods.SecurityInformationClass.Dacl | NativeMethods.SecurityInformationClass.Label | NativeMethods.SecurityInformationClass.Attribute); if (capId != null) { var availableCaps = new AvailableCentralPolicies(targetMachine); Dictionary<string, CentralAccessRule> CARs = availableCaps.FetchCentralAccessRules(capId); if (CARs == null || CARs.Count == 0) { // // If the Central Policy or any of its Central Access Rules could not be retrieved, fall // back to just the granularity of Central Policy. For this, use the file's SD with the // CAP ID. // securityObjects.Add("Central Policy", new FileSecurityObject( GetFileSecInfoSD(handle, NativeMethods.SecurityInformationClass.Owner | NativeMethods.SecurityInformationClass.Group | NativeMethods.SecurityInformationClass.Label | NativeMethods.SecurityInformationClass.Attribute | NativeMethods.SecurityInformationClass.Scope))); } else { // // The merged security descriptor for each Central Access Rule is generated as follows: // Owner + Group + SACL (all from resource's SD) + DACL from Central Access Rule // // If the AppliesTo predicate is present, then we do the following: // Owned + Group + SACL (all from resource's SD) // + A fabricated DACL with an allowed callback ACE containingn the selected user // principal and the AppliesTo predicate appended. // foreach (var rule in CARs) { var sd = new RawSecurityDescriptor(fileSD.ControlFlags, fileSD.Owner, fileSD.Group, fileSD.SystemAcl, rule.Value.EffectivePolicy.DiscretionaryAcl); if (!string.IsNullOrEmpty(rule.Value.AppliesToCondition)) { string appliesToSDDL = "D:(XA;;FR;;;" + userSid.ToString() + ";" + rule.Value.AppliesToCondition + ")"; var appliesToSD = new RawSecurityDescriptor( fileSD.ControlFlags, fileSD.Owner, fileSD.Group, fileSD.SystemAcl, (new RawSecurityDescriptor(appliesToSDDL)).DiscretionaryAcl); securityObjects.Add(rule.Key, new FileSecurityObject(sd, appliesToSD)); } else { securityObjects.Add(rule.Key, new FileSecurityObject(sd)); } } } } securityObjects.Add("File permissions", new FileSecurityObject(fileSD)); results = ComputeEffectiveAccessResult(targetMachine, securityObjects); } finally { seSecurityPrivilege.Revert(); } } }