// advapi32!PrivilegeCheck: reports whether the privileges listed in RequiredPrivileges
// are enabled in ClientToken. The native result is a BOOL written through pfResult;
// it is declared as IntPtr here, so callers read it with pfResult.ToInt32()
// (NOTE(review): a 4-byte BOOL marshaled into an IntPtr-sized slot — confirm the
// upper half is zeroed on 64-bit before relying on ToInt32()).
public static extern Boolean PrivilegeCheck( IntPtr ClientToken, Structs._PRIVILEGE_SET RequiredPrivileges, out IntPtr pfResult );
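////////////////////////////////////////////////////////////////////////////////
// Prints the tokens privileges
//
// Queries TokenPrivileges for hToken, then for every LUID resolves its name via
// LookupPrivilegeName and asks PrivilegeCheck whether it is enabled, printing a
// two-column table. Failures are reported through GetError / "[-]" console lines;
// nothing is thrown. Every HGlobal buffer is released on every exit path.
////////////////////////////////////////////////////////////////////////////////
public static void EnumerateTokenPrivileges(IntPtr hToken)
{
    ////////////////////////////////////////////////////////////////////////////////
    UInt32 TokenInfLength = 0;
    Console.WriteLine("[*] Enumerating Token Privileges");

    // Size query: with a null buffer this call is expected to fail and only
    // report the required length, so its return value is deliberately ignored.
    advapi32.GetTokenInformation(
        hToken,
        Enums._TOKEN_INFORMATION_CLASS.TokenPrivileges,
        IntPtr.Zero,
        TokenInfLength,
        out TokenInfLength
    );
    // A UInt32 is never negative, so the meaningful failure signal is a zero
    // length: the size query itself failed and there is nothing to allocate.
    if (TokenInfLength == 0 || TokenInfLength > Int32.MaxValue)
    {
        GetError("GetTokenInformation - 1 " + TokenInfLength);
        return;
    }
    Console.WriteLine("[*] GetTokenInformation - Pass 1");

    // Unmanaged buffer for the TOKEN_PRIVILEGES blob; freed in finally so the
    // early return below cannot leak it.
    IntPtr lpTokenInformation = Marshal.AllocHGlobal((Int32)TokenInfLength);
    try
    {
        ////////////////////////////////////////////////////////////////////////////////
        if (!advapi32.GetTokenInformation(
            hToken,
            Enums._TOKEN_INFORMATION_CLASS.TokenPrivileges,
            lpTokenInformation,
            TokenInfLength,
            out TokenInfLength))
        {
            GetError("GetTokenInformation - 2" + TokenInfLength);
            return;
        }
        Console.WriteLine("[*] GetTokenInformation - Pass 2");

        Structs._TOKEN_PRIVILEGES_ARRAY tokenPrivileges = (Structs._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(lpTokenInformation, typeof(Structs._TOKEN_PRIVILEGES_ARRAY));
        Console.WriteLine("[+] Enumerated " + tokenPrivileges.PrivilegeCount + " Privileges");
        Console.WriteLine();
        Console.WriteLine("{0,-30}{1,-30}", "Privilege Name", "Enabled");
        Console.WriteLine("{0,-30}{1,-30}", "--------------", "-------");

        ////////////////////////////////////////////////////////////////////////////////
        // NOTE(review): PrivilegeCount comes from the kernel while Privileges is a
        // fixed-size managed copy; confirm the struct's array is large enough for
        // the largest PrivilegeCount a token can report, or bound i by its length.
        for (Int32 i = 0; i < tokenPrivileges.PrivilegeCount; i++)
        {
            PrintPrivilegeRow(hToken, tokenPrivileges.Privileges[i]);
        }
        Console.WriteLine();
    }
    finally
    {
        Marshal.FreeHGlobal(lpTokenInformation);
    }
}

////////////////////////////////////////////////////////////////////////////////
// Prints one table row for a single privilege: its name and whether it is
// currently enabled in hToken. A lookup or check failure prints a "[-]" line
// (or calls GetError) and skips the row, so one bad entry does not abort the
// whole listing.
////////////////////////////////////////////////////////////////////////////////
private static void PrintPrivilegeRow(IntPtr hToken, Structs._LUID_AND_ATTRIBUTES privilege)
{
    // Unmanaged copy of the LUID for LookupPrivilegeName; released in finally so
    // every early return below frees it.
    IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(privilege));
    try
    {
        // fDeleteOld = false: the buffer is fresh, there is no previously
        // marshaled structure to destroy in it.
        Marshal.StructureToPtr(privilege.Luid, lpLuid, false);

        // Size query for the privilege name; cchName receives the required length.
        Int32 cchName = 0;
        advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
        // An Int32 can never exceed Int32.MaxValue; zero means the query failed.
        if (cchName <= 0)
        {
            GetError("LookupPrivilegeName " + cchName);
            return;
        }

        StringBuilder lpName = new StringBuilder(cchName + 1);
        if (!advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName))
        {
            Console.WriteLine("[-] Privilege Name Lookup Failed");
            return;
        }

        // A single-entry set with ALL_NECESSARY answers "is this one privilege enabled?".
        Structs._PRIVILEGE_SET privilegeSet = new Structs._PRIVILEGE_SET();
        privilegeSet.PrivilegeCount = 1;
        privilegeSet.Control = Structs.PRIVILEGE_SET_ALL_NECESSARY;
        privilegeSet.Privilege = new Structs._LUID_AND_ATTRIBUTES[] { privilege };

        IntPtr pfResult;
        if (!advapi32.PrivilegeCheck(hToken, privilegeSet, out pfResult))
        {
            Console.WriteLine("[-] Privilege Check Failed");
            return;
        }
        // NOTE(review): the native pfResult is a 4-byte BOOL but the extern declares
        // it as IntPtr; ToInt32() would throw on 64-bit if the upper half is not
        // zeroed — confirm against the advapi32.PrivilegeCheck declaration.
        Console.WriteLine("{0,-30}{1,-30}", lpName.ToString(), Convert.ToBoolean(pfResult.ToInt32()));
    }
    finally
    {
        Marshal.FreeHGlobal(lpLuid);
    }
}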