static uint GetGrantedAccess(SecurityDescriptor sd, NtToken token, uint specific_rights, GenericMapping generic_mapping) { uint granted_access = 0; specific_rights = generic_mapping.MapMask(specific_rights); if (specific_rights != 0) { granted_access = NtSecurity.GetAllowedAccess(sd, token, (GenericAccessRights)(specific_rights), generic_mapping); } else { granted_access = NtSecurity.GetMaximumAccess(sd, token, generic_mapping); } if (granted_access != 0) { // As we can get all the rights for the key get maximum if (specific_rights != 0) { granted_access = NtSecurity.GetMaximumAccess(sd, token, generic_mapping); } } return(granted_access); }
static void CheckAccess(string full_path, NtFile entry) { try { if (!entry.IsAccessGranted(FileAccessRights.ReadControl)) { return; } SecurityDescriptor sd = entry.SecurityDescriptor; bool is_dir = entry.IsDirectory; AccessMask granted_access; if (is_dir && _dir_filter != 0) { granted_access = NtSecurity.GetAllowedAccess(_token, _type, _dir_filter, sd.ToByteArray()); } else if (!is_dir && _file_filter != 0) { granted_access = NtSecurity.GetAllowedAccess(_token, _type, _file_filter, sd.ToByteArray()); } else { granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray()); } if (granted_access.HasAccess) { // Now reget maximum access rights if (_dir_filter != 0 || _file_filter != 0) { granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray()); } if (!_show_write_only || _type.HasWritePermission(granted_access)) { Console.WriteLine("{0}{1} : {2:X08} {3}", full_path.TrimEnd('\\'), is_dir ? "\\" : "", granted_access, AccessMaskToString(granted_access, is_dir)); if (_print_sddl) { Console.WriteLine("{0}", sd.ToSddl()); } } } } catch (NtException) { } }
static void CheckAccess(string path, byte[] sd, NtType type) { try { if (_type_filter.Count > 0) { if (!_type_filter.Contains(type.Name.ToLower())) { return; } } if (sd.Length > 0) { uint granted_access = 0; if (_dir_rights != 0) { granted_access = NtSecurity.GetAllowedAccess(_token, type, (uint)_dir_rights, sd); } else { granted_access = NtSecurity.GetMaximumAccess(_token, type, sd); } if (granted_access != 0) { // As we can get all the rights for the directory get maximum if (_dir_rights != 0) { granted_access = NtSecurity.GetMaximumAccess(_token, type, sd); } if (!_show_write_only || type.HasWritePermission(granted_access)) { Console.WriteLine("<{0}> {1} : {2:X08} {3}", type.Name, path, granted_access, AccessMaskToString(type, granted_access)); if (_print_sddl) { Console.WriteLine("{0}", NtSecurity.SecurityDescriptorToSddl(sd, SecurityInformation.AllBasic)); } } } } } catch (Exception) { } }
static void CheckAccess(NtToken token, NtObject obj) { if (!obj.IsAccessMaskGranted(GenericAccessRights.ReadControl)) { return; } try { SecurityDescriptor sd = obj.SecurityDescriptor; AccessMask granted_access; NtType type = obj.NtType; if (_dir_rights != 0) { granted_access = NtSecurity.GetAllowedAccess(sd, token, _dir_rights, type.GenericMapping); } else { granted_access = NtSecurity.GetMaximumAccess(sd, token, type.GenericMapping); } if (!granted_access.IsEmpty) { // As we can get all the rights for the directory get maximum if (_dir_rights != 0) { granted_access = NtSecurity.GetMaximumAccess(sd, token, type.GenericMapping); } if (!_show_write_only || type.HasWritePermission(granted_access)) { Console.WriteLine("<{0}> {1} : {2:X08} {3}", type.Name, obj.FullPath, granted_access, type.AccessMaskToString(granted_access, _map_to_generic)); if (_print_sddl) { Console.WriteLine("{0}", sd.ToSddl()); } } } } catch (NtException) { } }
static void CheckAccess(FileSystemInfo entry) { try { SecurityDescriptor sd = NtSecurity.FromNamedObject(@"\??\" + entry.FullName, "file"); if (sd != null) { bool is_dir = entry is DirectoryInfo; uint granted_access; if (is_dir && _dir_filter != 0) { granted_access = NtSecurity.GetAllowedAccess(_token, _type, _dir_filter, sd.ToByteArray()); } else if (!is_dir && _file_filter != 0) { granted_access = NtSecurity.GetAllowedAccess(_token, _type, _file_filter, sd.ToByteArray()); } else { granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray()); } if (granted_access != 0) { // Now reget maximum access rights if (_dir_filter != 0 || _file_filter != 0) { granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray()); } if (!_show_write_only || _type.HasWritePermission(granted_access)) { Console.WriteLine("{0}{1} : {2:X08} {3}", entry.FullName, is_dir ? "\\" : "", granted_access, AccessMaskToString(granted_access, is_dir)); if (_print_sddl) { Console.WriteLine("{0}", sd.ToSddl()); } } } } } catch (Exception) { } }
static void CheckAccess(string full_path, NtFile entry) { try { SecurityDescriptor sd = entry.GetSecurityDescriptor(SecurityInformation.AllBasic); if (sd != null) { bool is_dir = entry.IsDirectory; uint granted_access; if (is_dir && _dir_filter != 0) { granted_access = NtSecurity.GetAllowedAccess(_token, _type, _dir_filter, sd.ToByteArray()); } else if (!is_dir && _file_filter != 0) { granted_access = NtSecurity.GetAllowedAccess(_token, _type, _file_filter, sd.ToByteArray()); } else { granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray()); } if (granted_access != 0) { // Now reget maximum access rights if (_dir_filter != 0 || _file_filter != 0) { granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray()); } if (!_show_write_only || _type.HasWritePermission(granted_access)) { Console.WriteLine("{0}{1} : {2:X08} {3}", full_path.TrimEnd('\\'), is_dir ? "\\" : "", granted_access, AccessMaskToString(granted_access, is_dir)); if (_print_sddl) { Console.WriteLine("{0}", sd.ToSddl()); } } } } } catch { } }
static void CheckAccess(NtToken token, NtKey key) { NtType type = key.NtType; if (!key.IsAccessGranted(KeyAccessRights.ReadControl)) { return; } SecurityDescriptor sd = key.SecurityDescriptor; AccessMask granted_access; if (_key_rights != 0) { granted_access = NtSecurity.GetAllowedAccess(token, type, _key_rights, sd.ToByteArray()); } else { granted_access = NtSecurity.GetMaximumAccess(token, type, sd.ToByteArray()); } if (!granted_access.IsEmpty) { // As we can get all the rights for the key get maximum if (_key_rights != 0) { granted_access = NtSecurity.GetMaximumAccess(token, type, sd.ToByteArray()); } if (!_show_write_only || type.HasWritePermission(granted_access)) { Console.WriteLine("{0} : {1:X08} {2}", key.FullPath, granted_access, AccessMaskToString(granted_access, type)); if (_print_sddl) { Console.WriteLine("{0}", sd.ToSddl()); } } } }
static AccessMask GetGrantedAccess(SecurityDescriptor sd, NtToken token, AccessMask specific_rights, GenericMapping generic_mapping) { AccessMask granted_access; specific_rights = generic_mapping.MapMask(specific_rights); if (specific_rights.HasAccess) { granted_access = NtSecurity.GetAllowedAccess(sd, token, specific_rights, generic_mapping); // As we can get all the rights for the key get maximum if (granted_access.HasAccess) { granted_access = NtSecurity.GetMaximumAccess(sd, token, generic_mapping); } } else { granted_access = NtSecurity.GetMaximumAccess(sd, token, generic_mapping); } return(granted_access); }
static void Main(string[] args) { try { int pid = NtProcess.Current.ProcessId; bool show_help = false; bool print_sddl = false; OptionSet opts = new OptionSet() { { "p|pid=", "Specify a PID of a process for access check.", v => pid = int.Parse(v.Trim()) }, { "sddl", "Print SDDL security descriptor.", v => print_sddl = v != null }, { "h|help", "show this message and exit", v => show_help = v != null }, }; HashSet <int> pids = new HashSet <int>(opts.Parse(args).Select(a => int.Parse(a))); if (show_help) { ShowHelp(opts); return; } Dictionary <string, string> ports = new Dictionary <string, string>(StringComparer.OrdinalIgnoreCase); NtToken.EnableDebugPrivilege(); using (NtToken token = NtToken.OpenProcessToken(pid)) { IEnumerable <NtHandle> handles = NtSystemInfo.GetHandles(-1, false); HashSet <ulong> checked_objects = new HashSet <ulong>(); if (pids.Count > 0) { handles = handles.Where(h => pids.Contains(h.ProcessId)); } handles = handles.Where(h => h.ObjectType.Equals("ALPC Port", StringComparison.OrdinalIgnoreCase)); Dictionary <int, NtProcess> pid_to_process = new Dictionary <int, NtProcess>(); foreach (NtHandle handle in handles.Where(h => h.GrantedAccess.IsAccessGranted(GenericAccessRights.ReadControl))) { if (!pid_to_process.ContainsKey(handle.ProcessId)) { var result = NtProcess.Open(handle.ProcessId, ProcessAccessRights.QueryLimitedInformation | ProcessAccessRights.DupHandle, false); pid_to_process[handle.ProcessId] = result.IsSuccess ? result.Result : null; } NtProcess proc = pid_to_process[handle.ProcessId]; if (proc == null) { continue; } try { using (NtAlpc obj = NtAlpc.DuplicateFrom(proc, new IntPtr(handle.Handle))) { string name = obj.FullPath; // We only care about named ALPC ports. if (String.IsNullOrEmpty(name)) { continue; } if (ports.ContainsKey(name)) { continue; } SecurityDescriptor sd = obj.SecurityDescriptor; AccessMask granted_access = NtSecurity.GetAllowedAccess(sd, token, AlpcAccessRights.Connect, obj.NtType.GenericMapping); if (granted_access.IsEmpty) { continue; } ports.Add(name, sd.ToSddl()); } } catch (NtException) { } } } foreach (var pair in ports.OrderBy(p => p.Key)) { Console.WriteLine(pair.Key); if (print_sddl) { Console.WriteLine("SDDL: {0}", pair.Value); } } } catch (Exception ex) { Console.Error.WriteLine(ex.Message); } }