static uint GetGrantedAccess(SecurityDescriptor sd, NtToken token, uint specific_rights, GenericMapping generic_mapping)
{
uint granted_access = 0;
specific_rights = generic_mapping.MapMask(specific_rights);
if (specific_rights != 0)
{
granted_access = NtSecurity.GetAllowedAccess(sd, token, (GenericAccessRights)(specific_rights), generic_mapping);
}
else
{
granted_access = NtSecurity.GetMaximumAccess(sd, token, generic_mapping);
}
if (granted_access != 0)
{
// As we can get all the rights for the key get maximum
if (specific_rights != 0)
{
granted_access = NtSecurity.GetMaximumAccess(sd, token, generic_mapping);
}
}
return(granted_access);
}
static void CheckAccess(string full_path, NtFile entry)
{
try
{
if (!entry.IsAccessGranted(FileAccessRights.ReadControl))
{
return;
}
SecurityDescriptor sd = entry.SecurityDescriptor;
bool is_dir = entry.IsDirectory;
AccessMask granted_access;
if (is_dir && _dir_filter != 0)
{
granted_access = NtSecurity.GetAllowedAccess(_token, _type,
_dir_filter, sd.ToByteArray());
}
else if (!is_dir && _file_filter != 0)
{
granted_access = NtSecurity.GetAllowedAccess(_token, _type,
_file_filter, sd.ToByteArray());
}
else
{
granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray());
}
if (granted_access.HasAccess)
{
// Now reget maximum access rights
if (_dir_filter != 0 || _file_filter != 0)
{
granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray());
}
if (!_show_write_only || _type.HasWritePermission(granted_access))
{
Console.WriteLine("{0}{1} : {2:X08} {3}", full_path.TrimEnd('\\'),
is_dir ? "\\" : "", granted_access, AccessMaskToString(granted_access, is_dir));
if (_print_sddl)
{
Console.WriteLine("{0}", sd.ToSddl());
}
}
}
}
catch (NtException)
{
}
}
static void CheckAccess(string path, byte[] sd, NtType type)
{
try
{
if (_type_filter.Count > 0)
{
if (!_type_filter.Contains(type.Name.ToLower()))
{
return;
}
}
if (sd.Length > 0)
{
uint granted_access = 0;
if (_dir_rights != 0)
{
granted_access = NtSecurity.GetAllowedAccess(_token, type, (uint)_dir_rights, sd);
}
else
{
granted_access = NtSecurity.GetMaximumAccess(_token, type, sd);
}
if (granted_access != 0)
{
// As we can get all the rights for the directory get maximum
if (_dir_rights != 0)
{
granted_access = NtSecurity.GetMaximumAccess(_token, type, sd);
}
if (!_show_write_only || type.HasWritePermission(granted_access))
{
Console.WriteLine("<{0}> {1} : {2:X08} {3}", type.Name, path, granted_access, AccessMaskToString(type, granted_access));
if (_print_sddl)
{
Console.WriteLine("{0}", NtSecurity.SecurityDescriptorToSddl(sd, SecurityInformation.AllBasic));
}
}
}
}
}
catch (Exception)
{
}
}
static void CheckAccess(NtToken token, NtObject obj)
{
if (!obj.IsAccessMaskGranted(GenericAccessRights.ReadControl))
{
return;
}
try
{
SecurityDescriptor sd = obj.SecurityDescriptor;
AccessMask granted_access;
NtType type = obj.NtType;
if (_dir_rights != 0)
{
granted_access = NtSecurity.GetAllowedAccess(sd, token,
_dir_rights, type.GenericMapping);
}
else
{
granted_access = NtSecurity.GetMaximumAccess(sd, token, type.GenericMapping);
}
if (!granted_access.IsEmpty)
{
// As we can get all the rights for the directory get maximum
if (_dir_rights != 0)
{
granted_access = NtSecurity.GetMaximumAccess(sd, token, type.GenericMapping);
}
if (!_show_write_only || type.HasWritePermission(granted_access))
{
Console.WriteLine("<{0}> {1} : {2:X08} {3}", type.Name, obj.FullPath,
granted_access, type.AccessMaskToString(granted_access, _map_to_generic));
if (_print_sddl)
{
Console.WriteLine("{0}", sd.ToSddl());
}
}
}
}
catch (NtException)
{
}
}
static void CheckAccess(FileSystemInfo entry)
{
try
{
SecurityDescriptor sd = NtSecurity.FromNamedObject(@"\??\" + entry.FullName, "file");
if (sd != null)
{
bool is_dir = entry is DirectoryInfo;
uint granted_access;
if (is_dir && _dir_filter != 0)
{
granted_access = NtSecurity.GetAllowedAccess(_token, _type, _dir_filter, sd.ToByteArray());
}
else if (!is_dir && _file_filter != 0)
{
granted_access = NtSecurity.GetAllowedAccess(_token, _type, _file_filter, sd.ToByteArray());
}
else
{
granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray());
}
if (granted_access != 0)
{
// Now reget maximum access rights
if (_dir_filter != 0 || _file_filter != 0)
{
granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray());
}
if (!_show_write_only || _type.HasWritePermission(granted_access))
{
Console.WriteLine("{0}{1} : {2:X08} {3}", entry.FullName, is_dir ? "\\" : "", granted_access, AccessMaskToString(granted_access, is_dir));
if (_print_sddl)
{
Console.WriteLine("{0}", sd.ToSddl());
}
}
}
}
}
catch (Exception)
{
}
}
static void CheckAccess(string full_path, NtFile entry)
{
try
{
SecurityDescriptor sd = entry.GetSecurityDescriptor(SecurityInformation.AllBasic);
if (sd != null)
{
bool is_dir = entry.IsDirectory;
uint granted_access;
if (is_dir && _dir_filter != 0)
{
granted_access = NtSecurity.GetAllowedAccess(_token, _type, _dir_filter, sd.ToByteArray());
}
else if (!is_dir && _file_filter != 0)
{
granted_access = NtSecurity.GetAllowedAccess(_token, _type, _file_filter, sd.ToByteArray());
}
else
{
granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray());
}
if (granted_access != 0)
{
// Now reget maximum access rights
if (_dir_filter != 0 || _file_filter != 0)
{
granted_access = NtSecurity.GetMaximumAccess(_token, _type, sd.ToByteArray());
}
if (!_show_write_only || _type.HasWritePermission(granted_access))
{
Console.WriteLine("{0}{1} : {2:X08} {3}", full_path.TrimEnd('\\'),
is_dir ? "\\" : "", granted_access, AccessMaskToString(granted_access, is_dir));
if (_print_sddl)
{
Console.WriteLine("{0}", sd.ToSddl());
}
}
}
}
}
catch { }
}
static void CheckAccess(NtToken token, NtKey key)
{
NtType type = key.NtType;
if (!key.IsAccessGranted(KeyAccessRights.ReadControl))
{
return;
}
SecurityDescriptor sd = key.SecurityDescriptor;
AccessMask granted_access;
if (_key_rights != 0)
{
granted_access = NtSecurity.GetAllowedAccess(token, type,
_key_rights, sd.ToByteArray());
}
else
{
granted_access = NtSecurity.GetMaximumAccess(token, type, sd.ToByteArray());
}
if (!granted_access.IsEmpty)
{
// As we can get all the rights for the key get maximum
if (_key_rights != 0)
{
granted_access = NtSecurity.GetMaximumAccess(token, type, sd.ToByteArray());
}
if (!_show_write_only || type.HasWritePermission(granted_access))
{
Console.WriteLine("{0} : {1:X08} {2}", key.FullPath, granted_access, AccessMaskToString(granted_access, type));
if (_print_sddl)
{
Console.WriteLine("{0}", sd.ToSddl());
}
}
}
}
static AccessMask GetGrantedAccess(SecurityDescriptor sd, NtToken token,
AccessMask specific_rights, GenericMapping generic_mapping)
{
AccessMask granted_access;
specific_rights = generic_mapping.MapMask(specific_rights);
if (specific_rights.HasAccess)
{
granted_access = NtSecurity.GetAllowedAccess(sd, token, specific_rights, generic_mapping);
// As we can get all the rights for the key get maximum
if (granted_access.HasAccess)
{
granted_access = NtSecurity.GetMaximumAccess(sd, token, generic_mapping);
}
}
else
{
granted_access = NtSecurity.GetMaximumAccess(sd, token, generic_mapping);
}
return(granted_access);
}
static void Main(string[] args)
{
try
{
int pid = NtProcess.Current.ProcessId;
bool show_help = false;
bool print_sddl = false;
OptionSet opts = new OptionSet()
{
{ "p|pid=", "Specify a PID of a process for access check.", v => pid = int.Parse(v.Trim()) },
{ "sddl", "Print SDDL security descriptor.", v => print_sddl = v != null },
{ "h|help", "show this message and exit",
v => show_help = v != null },
};
HashSet <int> pids = new HashSet <int>(opts.Parse(args).Select(a => int.Parse(a)));
if (show_help)
{
ShowHelp(opts);
return;
}
Dictionary <string, string> ports = new Dictionary <string, string>(StringComparer.OrdinalIgnoreCase);
NtToken.EnableDebugPrivilege();
using (NtToken token = NtToken.OpenProcessToken(pid))
{
IEnumerable <NtHandle> handles = NtSystemInfo.GetHandles(-1, false);
HashSet <ulong> checked_objects = new HashSet <ulong>();
if (pids.Count > 0)
{
handles = handles.Where(h => pids.Contains(h.ProcessId));
}
handles = handles.Where(h => h.ObjectType.Equals("ALPC Port", StringComparison.OrdinalIgnoreCase));
Dictionary <int, NtProcess> pid_to_process = new Dictionary <int, NtProcess>();
foreach (NtHandle handle in handles.Where(h => h.GrantedAccess.IsAccessGranted(GenericAccessRights.ReadControl)))
{
if (!pid_to_process.ContainsKey(handle.ProcessId))
{
var result = NtProcess.Open(handle.ProcessId,
ProcessAccessRights.QueryLimitedInformation | ProcessAccessRights.DupHandle, false);
pid_to_process[handle.ProcessId] = result.IsSuccess ? result.Result : null;
}
NtProcess proc = pid_to_process[handle.ProcessId];
if (proc == null)
{
continue;
}
try
{
using (NtAlpc obj = NtAlpc.DuplicateFrom(proc, new IntPtr(handle.Handle)))
{
string name = obj.FullPath;
// We only care about named ALPC ports.
if (String.IsNullOrEmpty(name))
{
continue;
}
if (ports.ContainsKey(name))
{
continue;
}
SecurityDescriptor sd = obj.SecurityDescriptor;
AccessMask granted_access = NtSecurity.GetAllowedAccess(sd, token, AlpcAccessRights.Connect, obj.NtType.GenericMapping);
if (granted_access.IsEmpty)
{
continue;
}
ports.Add(name, sd.ToSddl());
}
}
catch (NtException)
{
}
}
}
foreach (var pair in ports.OrderBy(p => p.Key))
{
Console.WriteLine(pair.Key);
if (print_sddl)
{
Console.WriteLine("SDDL: {0}", pair.Value);
}
}
}
catch (Exception ex)
{
Console.Error.WriteLine(ex.Message);
}
}
