 /// <summary>
 /// Writes the "[Basic Limits]" section for <paramref name="job"/>: the limit flag set first, then
 /// one line per limit whose flag is present. A limit's value is only read when its flag is set.
 /// </summary>
 /// <param name="job">The job whose basic limits are printed.</param>
 private void FormatJobBasicLimits(NtJob job)
 {
     // Labels are padded to 20 columns so the values line up in the output.
     void Field(string label, object value) => WriteObject($"{label,-20}: {value}");
     bool Limited(JobObjectLimitFlags flag) => job.LimitFlags.HasFlag(flag);

     WriteObject("[Basic Limits]");
     Field("Limit Flags", job.LimitFlags);
     if (Limited(JobObjectLimitFlags.ActiveProcess))
     {
         Field("Active Process Limit", job.ActiveProcess);
     }
     if (Limited(JobObjectLimitFlags.ProcessMemory))
     {
         Field("Process Memory Limit", job.ProcessMemory);
     }
     if (Limited(JobObjectLimitFlags.ProcessTime))
     {
         Field("Process Time Limit", FormatTime(job.ProcessTime));
     }
     if (Limited(JobObjectLimitFlags.JobMemory))
     {
         Field("Job Memory Limit", job.JobMemory);
     }
     if (Limited(JobObjectLimitFlags.JobTime))
     {
         Field("Job Time Limit", FormatTime(job.JobTime));
     }
     WriteObject(string.Empty);
 }
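        /// <summary>
        /// Launches <paramref name="appPath"/> on the interactive desktop (winsta0\default) under the
        /// session user's token, assigns the new process to <paramref name="job"/> while it is still
        /// suspended, and only then resumes its initial thread.
        /// </summary>
        /// <param name="appPath">Passed to CreateProcessAsUser as the application name; no command line is supplied.</param>
        /// <param name="job">Job the new process is placed in before it executes any code.</param>
        /// <returns>Always true; every failure is reported by throwing.</returns>
        /// <exception cref="InvalidOperationException">
        /// Token retrieval, environment block creation or process creation failed. For process creation the
        /// Win32 error code is appended to the message.
        /// </exception>
        public static bool StartProcessAsCurrentUser(string appPath, NtJob job)
        {
            var hUserToken = IntPtr.Zero;
            var pEnv       = IntPtr.Zero;
            var startInfo  = new STARTUPINFO();
            var procInfo   = new PROCESS_INFORMATION();

            startInfo.cb = Marshal.SizeOf(typeof(STARTUPINFO));

            try {
                if (!GetSessionUserToken(out hUserToken))
                {
                    throw new InvalidOperationException("StartProcessAsCurrentUser: GetSessionUserToken failed.");
                }

                // CREATE_SUSPENDED: the process must not run before AssignProcess below has put it
                // inside the job, otherwise it would briefly execute outside the job's limits.
                uint dwCreationFlags = CREATE_UNICODE_ENVIRONMENT | CREATE_SUSPENDED | CREATE_NEW_CONSOLE;
                // NOTE(review): wShowWindow is only honoured when STARTF_USESHOWWINDOW is set in
                // startInfo.dwFlags, which is not done here — confirm whether that is intended.
                startInfo.wShowWindow = (short)(SW.SW_SHOW);
                startInfo.lpDesktop   = @"winsta0\default";

                if (!CreateEnvironmentBlock(ref pEnv, hUserToken, false))
                {
                    throw new InvalidOperationException("StartProcessAsCurrentUser: CreateEnvironmentBlock failed.");
                }

                if (!CreateProcessAsUser(hUserToken,
                                         appPath,     // lpApplicationName
                                         null,        // lpCommandLine
                                         IntPtr.Zero, // lpProcessAttributes
                                         IntPtr.Zero, // lpThreadAttributes
                                         false,       // bInheritHandles
                                         dwCreationFlags,
                                         pEnv,
                                         null,        // lpCurrentDirectory
                                         ref startInfo,
                                         out procInfo))
                {
                    // Read immediately: any other call could overwrite the thread's last-error value.
                    int error = Marshal.GetLastWin32Error();
                    throw new InvalidOperationException("StartProcessAsCurrentUser: CreateProcessAsUser failed.  Error Code -" + error);
                }

                job.AssignProcess(NtProcess.FromHandle(procInfo.hProcess));
                NtThread.FromHandle(procInfo.hThread).Resume();
            } finally {
                // Only release what was actually obtained; a failure before a handle was filled in
                // leaves it at IntPtr.Zero.
                if (hUserToken != IntPtr.Zero)
                {
                    CloseHandle(hUserToken);
                }
                if (pEnv != IntPtr.Zero)
                {
                    DestroyEnvironmentBlock(pEnv);
                }
                // NOTE(review): NtProcess.FromHandle/NtThread.FromHandle may wrap these raw handles in
                // owning SafeHandles; if so, closing them here as well double-closes — confirm against
                // the NtApiDotNet overloads in use.
                if (procInfo.hThread != IntPtr.Zero)
                {
                    CloseHandle(procInfo.hThread);
                }
                if (procInfo.hProcess != IntPtr.Zero)
                {
                    CloseHandle(procInfo.hProcess);
                }
            }

            return true;
        }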
        /// <summary>
        /// Writes the "[Silo]" section for <paramref name="job"/>, followed by "[Server Silo]" and
        /// "[Silo Shared User Data]" when the job is a server silo and those queries succeed.
        /// A failed query simply ends the output at that point; no error is reported.
        /// </summary>
        /// <param name="job">The job (silo) to describe.</param>
        private void FormatSilo(NtJob job)
        {
            // Labels are padded to 14 columns so the values line up in the output.
            void Field(string label, object value) => WriteObject($"{label,-14}: {value}");

            var silo = job.QuerySiloBasicInformation(false);
            if (!silo.IsSuccess)
            {
                return;
            }

            WriteObject("[Silo]");
            Field("Silo ID", silo.Result.SiloId);
            Field("Silo Parent ID", silo.Result.SiloParentId);
            Field("Process Count", silo.Result.NumberOfProcesses);
            // A failed root-directory query yields string.Empty, so the line is just omitted.
            var rootDirectory = job.QuerySiloRootDirectory(false).GetResultOrDefault(string.Empty);
            if (rootDirectory.Length > 0)
            {
                Field("Root Directory", rootDirectory);
            }
            Field("Container ID", job.ContainerId);
            if (job.ContainerTelemetryId != Guid.Empty)
            {
                Field("Telemetry ID", job.ContainerTelemetryId);
            }
            Field("Impersonation", job.ThreadImpersonation ? "Enabled" : "Disabled");
            WriteObject(string.Empty);

            if (!silo.Result.IsInServerSilo)
            {
                return;
            }

            var server = job.QueryServerSiloBasicInformation(false);
            if (!server.IsSuccess)
            {
                return;
            }

            WriteObject("[Server Silo]");
            Field("Session ID", server.Result.ServiceSessionId);
            Field("Exit Status", server.Result.ExitStatus);
            Field("State", server.Result.State);
            Field("Downlevel", server.Result.IsDownlevelContainer);
            WriteObject(string.Empty);

            var shared = job.QuerySiloUserSharedData(false);
            if (!shared.IsSuccess)
            {
                return;
            }

            WriteObject("[Silo Shared User Data]");
            Field("Console ID", shared.Result.ActiveConsoleId);
            Field("Foreground PID", shared.Result.ConsoleSessionForegroundProcessId);
            Field("Service SID", shared.Result.ServiceSessionId);
            Field("User SID", shared.Result.SharedUserSessionId);
            Field("System Root", shared.Result.NtSystemRoot);
            Field("NT Product", shared.Result.NtProductType);
            Field("Multisession", shared.Result.IsMultiSessionSku);
            WriteObject(string.Empty);
        }
 /// <summary>
 /// Writes the "[Basic Information]" section: the job handle and, when <c>FullPath</c> is
 /// non-empty, the job's full path.
 /// </summary>
 /// <param name="job">The job to describe.</param>
 private void FormatBasicInfo(NtJob job)
 {
     WriteObject("[Basic Information]");
     WriteObject($"Handle: {job.Handle}");

     var path = job.FullPath;
     // An empty path is skipped rather than printed as a blank "Path:" line.
     if (path.Length > 0)
     {
         WriteObject($"Path: {path}");
     }
     WriteObject(string.Empty);
 }
        /// <summary>
        /// Connects to the SM port, sends a message carrying <paramref name="code"/> and the raw
        /// handle of <paramref name="job"/>, then prints the message fields to the console.
        /// </summary>
        /// <param name="job">Job whose raw handle value is embedded in the message.</param>
        /// <param name="code">Message code passed to the SmData constructor.</param>
        private static void NotifySM(NtJob job, ushort code)
        {
            var rawJobHandle = job.Handle.DangerousGetHandle();
            var message = new SmData(code, rawJobHandle);

            RtlConnectToSm(IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, out var smPort).ToNtException();
            // NOTE(review): smPort is never released here — confirm whether RtlConnectToSm hands back
            // a handle that needs closing.
            // message is passed by ref, so the values printed below are whatever the call left in it.
            RtlSendMsgToSm(smPort, ref message).ToNtException();

            Console.WriteLine(message.u1);
            Console.WriteLine(message.u2);
            Console.WriteLine(message.msg);
            Console.WriteLine(message.cb);
        }
        /// <summary>
        /// Writes the "[Process List]" section: one <c>FormatProcess</c> entry per process id in
        /// <paramref name="job"/>. Nothing at all is written when the id list cannot be queried.
        /// </summary>
        /// <param name="job">The job whose member processes are listed.</param>
        private void FormatProcessList(NtJob job)
        {
            var processIds = job.GetProcessIdList(false);
            if (!processIds.IsSuccess)
            {
                return;
            }

            WriteObject("[Process List]");
            foreach (var processId in processIds.Result)
            {
                FormatProcess(processId);
            }
            WriteObject(string.Empty);
        }
        /// <summary>
        /// Writes the "[Silo]" section for <paramref name="job"/>, followed by "[Server Silo]" and
        /// "[Silo Shared User Data]" when the job is a server silo and those queries succeed.
        /// A failed query simply ends the output at that point; no error is reported.
        /// </summary>
        /// <param name="job">The job (silo) to describe.</param>
        private void FormatSilo(NtJob job)
        {
            // Labels are padded to 14 columns so the values line up in the output.
            void Field(string label, object value) => WriteObject($"{label,-14}: {value}");

            var silo = job.QuerySiloBasicInformation(false);
            if (!silo.IsSuccess)
            {
                return;
            }

            WriteObject("[Silo]");
            Field("Silo ID", silo.Result.SiloId);
            Field("Silo Parent ID", silo.Result.SiloParentId);
            Field("Process Count", silo.Result.NumberOfProcesses);
            WriteObject(string.Empty);

            if (!silo.Result.IsInServerSilo)
            {
                return;
            }

            var server = job.QueryServerSiloBasicInformation(false);
            if (!server.IsSuccess)
            {
                return;
            }

            WriteObject("[Server Silo]");
            Field("Session ID", server.Result.ServiceSessionId);
            Field("Exit Status", server.Result.ExitStatus);
            Field("State", server.Result.State);
            Field("Downlevel", server.Result.IsDownlevelContainer);
            WriteObject(string.Empty);

            var shared = job.QuerySiloUserSharedData(false);
            if (!shared.IsSuccess)
            {
                return;
            }

            WriteObject("[Silo Shared User Data]");
            Field("Console ID", shared.Result.ActiveConsoleId);
            Field("Foreground PID", shared.Result.ConsoleSessionForegroundProcessId);
            Field("Service SID", shared.Result.ServiceSessionId);
            Field("User SID", shared.Result.SharedUserSessionId);
            Field("System Root", shared.Result.NtSystemRoot);
            Field("NT Product", shared.Result.NtProductType);
            Field("Multisession", shared.Result.IsMultiSessionSku);
            WriteObject(string.Empty);
        }
 /// <summary>
 /// Writes each job section selected by <see cref="Filter"/>, always in the same order:
 /// basic information, basic limits, process list, UI limits.
 /// </summary>
 /// <param name="job">The job to format.</param>
 private void FormatJob(NtJob job)
 {
     bool Selected(JobFormatFilter section) => Filter.HasFlag(section);

     if (Selected(JobFormatFilter.BasicInfo))
     {
         FormatBasicInfo(job);
     }
     if (Selected(JobFormatFilter.BasicLimits))
     {
         FormatJobBasicLimits(job);
     }
     if (Selected(JobFormatFilter.ProcessList))
     {
         FormatProcessList(job);
     }
     if (Selected(JobFormatFilter.UILimits))
     {
         FormatUILimits(job);
     }
 }
 /// <summary>
 /// Creates a new job object described by <paramref name="obj_attributes"/> with the requested
 /// <see cref="Access"/>, applies the cmdlet's optional limit settings, and hands back a duplicate.
 /// </summary>
 /// <param name="obj_attributes">The object attributes to create/open from.</param>
 /// <returns>
 /// A duplicated handle to the newly created job; the handle returned by <c>NtJob.Create</c> itself is
 /// disposed before this method returns.
 /// </returns>
 protected override object CreateObject(ObjectAttributes obj_attributes)
 {
     using (var created = NtJob.Create(obj_attributes, Access))
     {
         // Only explicitly requested settings are pushed to the job; a zero flag set or a
         // non-positive limit leaves the defaults untouched. Order matches the original: limit
         // flags first, then the active-process limit, then UI restrictions.
         if (LimitFlags != 0)
         {
             created.LimitFlags = LimitFlags;
         }
         if (ActiveProcessLimit > 0)
         {
             created.ActiveProcessLimit = ActiveProcessLimit;
         }
         if (UiRestrictionFlags != 0)
         {
             created.UiRestrictionFlags = UiRestrictionFlags;
         }
         return created.Duplicate();
     }
 }
        /// <summary>
        /// Demo entry point: calls <c>SetTokenPriv.EnablePrivilege()</c> (defined elsewhere), creates
        /// a server silo rooted at C:\Windows, prepares its root directory via
        /// <c>SetupRootDirectory</c>, then runs cmd.exe inside the silo and prints its exit status.
        /// </summary>
        static void Main()
        {
            SetTokenPriv.EnablePrivilege();

            // Disposal runs in reverse declaration order at the end of Main: the child process first
            // (TerminateOnDispose is set on it), then the silo job, then the event.
            using var siloEvent = NtEvent.Create(null, EventType.NotificationEvent, false);
            using var silo = NtJob.CreateServerSilo(SiloObjectRootDirectoryControlFlags.All, @"C:\Windows", siloEvent, false);

            using (var siloRoot = NtDirectory.Open(silo.SiloRootDirectory))
            {
                Console.WriteLine(siloRoot);
                SetupRootDirectory(siloRoot);
            }

            var createConfig = new NtProcessCreateConfig
            {
                ImagePath          = @"\SystemRoot\System32\cmd.exe",
                ConfigImagePath    = @"C:\Windows\System32\cmd.exe",
                CurrentDirectory   = @"C:\Windows\System32",
                WindowTitle        = "Demo",
                ParentProcess      = NtProcess.Current,
                TerminateOnDispose = true,
                // The initial thread starts suspended and is resumed explicitly below.
                ThreadFlags        = ThreadCreateFlags.Suspended,
            };
            // The job list attribute makes the silo part of the process creation itself.
            createConfig.AddAttribute(ProcessAttribute.JobList(new[] { silo }));

            using var child = NtProcess.Create(createConfig);
            child.Thread.Resume();
            child.Process.Wait().ToNtException();
            Console.WriteLine($"status: {child.Process.ExitNtStatus}");
        }
 /// <summary>
 /// Opens the existing job object named by <paramref name="obj_attributes"/> with the cmdlet's
 /// requested <see cref="Access"/>.
 /// </summary>
 /// <param name="obj_attributes">The object attributes to create/open from.</param>
 /// <returns>The opened <see cref="NtJob"/>.</returns>
 protected override object CreateObject(ObjectAttributes obj_attributes)
     => NtJob.Open(obj_attributes, Access);
 /// <summary>
 /// Writes the "[UI Limits]" section, which consists solely of the job's UI restriction flags.
 /// </summary>
 /// <param name="job">The job whose UI restrictions are printed.</param>
 private void FormatUILimits(NtJob job)
 {
     WriteObject("[UI Limits]");
     var restrictions = job.UiRestrictionFlags;
     WriteObject($"Limit Flags: {restrictions}");
     WriteObject(string.Empty);
 }