public static extern Boolean PrivilegeCheck(
IntPtr ClientToken,
Structs._PRIVILEGE_SET RequiredPrivileges,
out IntPtr pfResult
);
////////////////////////////////////////////////////////////////////////////////
// Prints the tokens privileges
////////////////////////////////////////////////////////////////////////////////
public static void EnumerateTokenPrivileges(IntPtr hToken)
{
////////////////////////////////////////////////////////////////////////////////
UInt32 TokenInfLength = 0;
Console.WriteLine("[*] Enumerating Token Privileges");
advapi32.GetTokenInformation(
hToken,
Enums._TOKEN_INFORMATION_CLASS.TokenPrivileges,
IntPtr.Zero,
TokenInfLength,
out TokenInfLength
);
if (TokenInfLength < 0 || TokenInfLength > Int32.MaxValue)
{
GetError("GetTokenInformation - 1 " + TokenInfLength);
return;
}
Console.WriteLine("[*] GetTokenInformation - Pass 1");
IntPtr lpTokenInformation = Marshal.AllocHGlobal((Int32)TokenInfLength);
////////////////////////////////////////////////////////////////////////////////
if (!advapi32.GetTokenInformation(
hToken,
Enums._TOKEN_INFORMATION_CLASS.TokenPrivileges,
lpTokenInformation,
TokenInfLength,
out TokenInfLength))
{
GetError("GetTokenInformation - 2" + TokenInfLength);
return;
}
Console.WriteLine("[*] GetTokenInformation - Pass 2");
Structs._TOKEN_PRIVILEGES_ARRAY tokenPrivileges = (Structs._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(lpTokenInformation, typeof(Structs._TOKEN_PRIVILEGES_ARRAY));
Console.WriteLine("[+] Enumerated " + tokenPrivileges.PrivilegeCount + " Privileges");
Console.WriteLine();
Console.WriteLine("{0,-30}{1,-30}", "Privilege Name", "Enabled");
Console.WriteLine("{0,-30}{1,-30}", "--------------", "-------");
////////////////////////////////////////////////////////////////////////////////
for (Int32 i = 0; i < tokenPrivileges.PrivilegeCount; i++)
{
StringBuilder lpName = new StringBuilder();
Int32 cchName = 0;
IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(tokenPrivileges.Privileges[i]));
Marshal.StructureToPtr(tokenPrivileges.Privileges[i].Luid, lpLuid, true);
advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
if (cchName < 0 || cchName > Int32.MaxValue)
{
GetError("LookupPrivilegeName " + cchName);
return;
}
lpName.EnsureCapacity(cchName + 1);
if (!advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName))
{
Console.WriteLine("[-] Privilege Name Lookup Failed");
continue;
}
Structs._PRIVILEGE_SET privilegeSet = new Structs._PRIVILEGE_SET();
privilegeSet.PrivilegeCount = 1;
privilegeSet.Control = Structs.PRIVILEGE_SET_ALL_NECESSARY;
privilegeSet.Privilege = new Structs._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] };
IntPtr pfResult;
if (!advapi32.PrivilegeCheck(hToken, privilegeSet, out pfResult))
{
Console.WriteLine("[-] Privilege Check Failed");
continue;
}
Console.WriteLine("{0,-30}{1,-30}", lpName.ToString(), Convert.ToBoolean(pfResult.ToInt32()));
Marshal.FreeHGlobal(lpLuid);
}
Console.WriteLine();
}