private protected override void RunAccessCheckPath(IEnumerable <TokenEntry> tokens, string path) { FileOpenOptions options = _open_for_backup ? FileOpenOptions.OpenForBackupIntent : FileOpenOptions.None; if (!FollowLink) { options |= FileOpenOptions.OpenReparsePoint; } NtType type = NtType.GetTypeByType <NtFile>(); AccessMask access_rights = type.MapGenericRights(Access); AccessMask dir_access_rights = type.MapGenericRights(DirectoryAccess); using (var result = OpenFile(path, null, options)) { NtFile file = result.GetResultOrThrow(); if (FollowPath(file, GetFilePath)) { DumpFile(tokens, access_rights, dir_access_rights, null, result.Result); if (IsDirectoryNoThrow(result.Result)) { DumpDirectory(tokens, access_rights, dir_access_rights, file, options, GetMaxDepth()); } } } }
internal override void RunAccessCheck(IEnumerable <TokenEntry> tokens) { AccessMask access_rights = _process_type.MapGenericRights(AccessRights); AccessMask thread_access_rights = _thread_type.MapGenericRights(ThreadAccessRights); if (!NtToken.EnableDebugPrivilege()) { WriteWarning("Current process doesn't have SeDebugPrivilege, results may be inaccurate"); } if (CheckProcess()) { using (var procs = NtProcess.GetProcesses(ProcessAccessRights.MaximumAllowed, false).ToDisposableList()) { DoAccessCheck(tokens, procs.Where(p => ShowDeadProcesses || !p.IsDeleting), access_rights, thread_access_rights); } } else { using (var threads = NtThread.GetThreads(ThreadAccessRights.MaximumAllowed, true).ToDisposableList()) { foreach (var thread in threads) { DoAccessCheck(tokens, ProcessDetails.FromThread(thread), thread, thread_access_rights); } } } }
private AccessMask GetDesiredAccess() { NtType type = GetNtType(); if (RawAccess.HasValue) { return(type.MapGenericRights(RawAccess.Value)); } if (!_dict.GetValue("Access", out Enum access)) { return(GenericAccessRights.MaximumAllowed); } return(type.MapGenericRights(access)); }
private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens) { if (!NtToken.EnableDebugPrivilege()) { WriteWarning("Current process doesn't have SeDebugPrivilege, results may be inaccurate"); } NtType type = NtType.GetTypeByType <NtToken>(); AccessMask access_rights = type.MapGenericRights(AccessRights); int current_session_id = NtProcess.Current.SessionId; using (var procs = NtProcess.GetProcesses(ProcessAccessRights.QueryInformation | ProcessAccessRights.ReadControl, false).ToDisposableList()) { IEnumerable <NtProcess> proc_enum = procs; if (CurrentSession) { proc_enum = proc_enum.Where(p => CheckSession(p, current_session_id)); } foreach (var proc in proc_enum.Where(p => ShowDeadProcesses || !p.IsDeleting)) { using (var result = NtToken.OpenProcessToken(proc, TokenAccessRights.ReadControl | TokenAccessRights.Query, false)) { if (!result.IsSuccess) { WriteWarning($"Couldn't open token for Process {proc.Name} PID: {proc.ProcessId} Status: {result.Status}"); continue; } NtToken primary_token = result.Result; var sd_result = primary_token.GetSecurityDescriptor(SecurityInformation.AllBasic, false); if (!sd_result.IsSuccess) { WriteWarning($"Couldn't get token's Security Descriptor for Process {proc.Name} PID: {proc.ProcessId} Status: {sd_result.Status}"); continue; } var sd = sd_result.Result; string process_name = proc.Name; string process_cmdline = proc.CommandLine; string image_path = proc.FullPath; int process_id = proc.ProcessId; foreach (var token in tokens) { if (proc.GetMaximumAccess(token.Token).HasFlag(ProcessAccessRights.QueryLimitedInformation)) { AccessMask granted_access = NtSecurity.GetMaximumAccess(sd, token.Token, type.GenericMapping); if (IsAccessGranted(granted_access, access_rights)) { WriteObject(new TokenAccessCheckResult(primary_token, proc, granted_access, sd, token.Information)); } } } } } } }
static string AccessMaskToString(NtType type, uint granted_access) { if (type.HasFullPermission(granted_access)) { return("Full Permission"); } return(NtObject.AccessRightsToString(GetTypeAccessRights(type), type.MapGenericRights(granted_access))); }
private AccessMask MapGeneric(string typename, AccessMask access_mask) { if (!MapGenericRights) { return(access_mask); } NtType type = NtType.GetTypeByName(typename, false); System.Diagnostics.Debug.Assert(type != null); return(type.MapGenericRights(access_mask)); }
private AccessMask MapGeneric(SpecificAccessType specific_type, AccessMask access_mask) { if (!MapGenericRights) { return(access_mask); } NtType type = GetTypeObject(specific_type); System.Diagnostics.Debug.Assert(type != null); return(type.MapGenericRights(access_mask)); }
private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens) { HashSet <string> devices = new HashSet <string>(StringComparer.OrdinalIgnoreCase); foreach (string path in Path) { using (var result = OpenDirectory(path, null)) { if (result.IsSuccess) { FindDevicesInDirectory(result.Result, devices, MaxDepth ?? int.MaxValue); } else { // If failed, it might be an absolute path so just add it. devices.Add(path); } } } if (devices.Count > 0) { AccessMask access_rights = _file_type.MapGenericRights(AccessRights); EaBuffer ea_buffer = CheckEaBuffer ? (EaBuffer ?? CreateDummyEaBuffer()) : null; List <string> namespace_paths = new List <string>(NamespacePath ?? new[] { "XYZ" }); foreach (var entry in tokens) { foreach (string path in devices) { if (CheckDevice()) { CheckAccessUnderImpersonation(entry, path, false, access_rights, OpenOptions, ea_buffer); } if (CheckNamespace()) { foreach (string namespace_path in namespace_paths) { CheckAccessUnderImpersonation(entry, path + @"\" + namespace_path, true, access_rights, OpenOptions, ea_buffer); } } } } } else { WriteWarning("Couldn't find any devices to check"); } }
private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens) { NtType type = NtType.GetTypeByType <NtFile>(); AccessMask access_rights = type.MapGenericRights(AccessRights); using (var result = OpenFile("", FileAccessRights.ReadData, false)) { NtFile file = result.GetResultOrThrow(); foreach (var entry in result.Result.QueryDirectoryInfo()) { DumpFile(tokens, access_rights, entry.FileName); } } }
private void DumpObject(IEnumerable <TokenEntry> tokens, HashSet <string> type_filter, AccessMask access_rights, NtObject obj, bool is_directory) { NtType type = obj.NtType; if (!IsTypeFiltered(type.Name, type_filter)) { return; } if (!IncludePath(obj.Name)) { return; } AccessMask desired_access = type.MapGenericRights(access_rights); var result = GetSecurityDescriptor(obj); if (!result.IsSuccess && !obj.IsAccessMaskGranted(GenericAccessRights.ReadControl)) { // Try and duplicate handle to see if we can just ask for ReadControl. using (var dup_obj = obj.DuplicateObject(GenericAccessRights.ReadControl, AttributeFlags.None, DuplicateObjectOptions.None, false)) { if (dup_obj.IsSuccess) { result = GetSecurityDescriptor(dup_obj.Result); } } } if (result.IsSuccess) { foreach (var token in tokens) { CheckAccess(token, obj, type, is_directory, desired_access, result.Result); } } else if (type.CanOpen) { // If we can't read security descriptor then try opening the object. foreach (var token in tokens) { CheckAccessUnderImpersonation(token, type, is_directory, desired_access, obj); } } // TODO: Do we need a warning here? }
private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens) { var devices = new Dictionary <string, SecurityDescriptorEntry>(StringComparer.OrdinalIgnoreCase); foreach (string path in Path) { using (var result = OpenDirectory(path, null)) { if (result.IsSuccess) { FindDevicesInDirectory(result.Result, devices, MaxDepth ?? int.MaxValue); } else { // If failed, it might be an absolute path so just add it. if (!devices.ContainsKey(path)) { devices.Add(path, GetSecurityDescriptor(path)); } } } } if (devices.Count > 0) { AccessMask access_rights = _file_type.MapGenericRights(Access); EaBuffer ea_buffer = CheckEaBuffer ? (EaBuffer ?? CreateDummyEaBuffer()) : null; List <string> namespace_paths = new List <string>(NamespacePath ?? new[] { "XYZ" }); foreach (var entry in tokens) { foreach (var pair in devices) { if (CheckDevice()) { if (pair.Value != null) { AccessMask granted_access = NtSecurity.GetMaximumAccess(pair.Value.SecurityDescriptor, entry.Token, _file_type.GenericMapping); if (IsAccessGranted(granted_access, access_rights)) { WriteObject(new DeviceAccessCheckResult(pair.Key, false, pair.Value.DeviceType, pair.Value.Characteristics, granted_access, pair.Value.SecurityDescriptor, entry.Information)); } } else { if (!NoImpersonation) { CheckAccessUnderImpersonation(entry, pair.Key, false, access_rights, OpenOptions, ea_buffer); } } } if (CheckNamespace() && !NoImpersonation) { foreach (string namespace_path in namespace_paths) { CheckAccessUnderImpersonation(entry, pair.Key + @"\" + namespace_path, true, access_rights, OpenOptions, ea_buffer); } } } } } else { WriteWarning("Couldn't find any devices to check"); } }
/// <summary> /// Process Record. /// </summary> protected override void ProcessRecord() { if (!_dict.GetValue("Access", out Enum access)) { if (!RawAccess.HasValue && RequiresAccess(Type)) { throw new ArgumentException("Invalid access value."); } else { access = GenericAccessRights.None; } } _dict.GetValue("Condition", out string condition); _dict.GetValue("ObjectType", out Guid? object_type); _dict.GetValue("InheritedObjectType", out Guid? inherited_object_type); _dict.GetValue("ServerSid", out Sid server_sid); _dict.GetValue("SecurityAttribute", out ClaimSecurityAttribute security_attribute); Acl acl; if (NtSecurity.IsSystemAceType(Type)) { if (SecurityDescriptor.Sacl == null) { SecurityDescriptor.Sacl = new Acl(); } acl = SecurityDescriptor.Sacl; } else { if (SecurityDescriptor.Dacl == null) { SecurityDescriptor.Dacl = new Acl(); } acl = SecurityDescriptor.Dacl; } AccessMask mask = access; if (RawAccess.HasValue) { mask |= RawAccess.Value; } if (MapGeneric) { NtType type = SecurityDescriptor.NtType; if (type == null) { WriteWarning("No NtType specified in security descriptor. Defaulting to File."); type = NtType.GetTypeByType <NtFile>(); } mask = type.MapGenericRights(mask); } Ace ace = new Ace(Type, Flags, mask, GetSid()); if ((NtSecurity.IsCallbackAceType(Type) || Type == AceType.AccessFilter) && !string.IsNullOrWhiteSpace(condition)) { ace.Condition = condition; } if (NtSecurity.IsObjectAceType(Type)) { ace.ObjectType = object_type; ace.InheritedObjectType = inherited_object_type; } if (Type == AceType.AllowedCompound) { ace.ServerSid = server_sid; } if (Type == AceType.ResourceAttribute) { ace.ResourceAttribute = security_attribute; } acl.Add(ace); if (PassThru) { WriteObject(ace); } }