private protected override void RunAccessCheckPath(IEnumerable <TokenEntry> tokens, string path)
{
FileOpenOptions options = _open_for_backup ? FileOpenOptions.OpenForBackupIntent : FileOpenOptions.None;
if (!FollowLink)
{
options |= FileOpenOptions.OpenReparsePoint;
}
NtType type = NtType.GetTypeByType <NtFile>();
AccessMask access_rights = type.MapGenericRights(Access);
AccessMask dir_access_rights = type.MapGenericRights(DirectoryAccess);
using (var result = OpenFile(path, null, options))
{
NtFile file = result.GetResultOrThrow();
if (FollowPath(file, GetFilePath))
{
DumpFile(tokens,
access_rights,
dir_access_rights,
null,
result.Result);
if (IsDirectoryNoThrow(result.Result))
{
DumpDirectory(tokens, access_rights, dir_access_rights, file, options, GetMaxDepth());
}
}
}
}
internal override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
{
AccessMask access_rights = _process_type.MapGenericRights(AccessRights);
AccessMask thread_access_rights = _thread_type.MapGenericRights(ThreadAccessRights);
if (!NtToken.EnableDebugPrivilege())
{
WriteWarning("Current process doesn't have SeDebugPrivilege, results may be inaccurate");
}
if (CheckProcess())
{
using (var procs = NtProcess.GetProcesses(ProcessAccessRights.MaximumAllowed, false).ToDisposableList())
{
DoAccessCheck(tokens, procs.Where(p => ShowDeadProcesses || !p.IsDeleting), access_rights, thread_access_rights);
}
}
else
{
using (var threads = NtThread.GetThreads(ThreadAccessRights.MaximumAllowed, true).ToDisposableList())
{
foreach (var thread in threads)
{
DoAccessCheck(tokens, ProcessDetails.FromThread(thread), thread, thread_access_rights);
}
}
}
}
private AccessMask GetDesiredAccess()
{
NtType type = GetNtType();
if (RawAccess.HasValue)
{
return(type.MapGenericRights(RawAccess.Value));
}
if (!_dict.GetValue("Access", out Enum access))
{
return(GenericAccessRights.MaximumAllowed);
}
return(type.MapGenericRights(access));
}
private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
{
if (!NtToken.EnableDebugPrivilege())
{
WriteWarning("Current process doesn't have SeDebugPrivilege, results may be inaccurate");
}
NtType type = NtType.GetTypeByType <NtToken>();
AccessMask access_rights = type.MapGenericRights(AccessRights);
int current_session_id = NtProcess.Current.SessionId;
using (var procs = NtProcess.GetProcesses(ProcessAccessRights.QueryInformation | ProcessAccessRights.ReadControl, false).ToDisposableList())
{
IEnumerable <NtProcess> proc_enum = procs;
if (CurrentSession)
{
proc_enum = proc_enum.Where(p => CheckSession(p, current_session_id));
}
foreach (var proc in proc_enum.Where(p => ShowDeadProcesses || !p.IsDeleting))
{
using (var result = NtToken.OpenProcessToken(proc, TokenAccessRights.ReadControl | TokenAccessRights.Query, false))
{
if (!result.IsSuccess)
{
WriteWarning($"Couldn't open token for Process {proc.Name} PID: {proc.ProcessId} Status: {result.Status}");
continue;
}
NtToken primary_token = result.Result;
var sd_result = primary_token.GetSecurityDescriptor(SecurityInformation.AllBasic, false);
if (!sd_result.IsSuccess)
{
WriteWarning($"Couldn't get token's Security Descriptor for Process {proc.Name} PID: {proc.ProcessId} Status: {sd_result.Status}");
continue;
}
var sd = sd_result.Result;
string process_name = proc.Name;
string process_cmdline = proc.CommandLine;
string image_path = proc.FullPath;
int process_id = proc.ProcessId;
foreach (var token in tokens)
{
if (proc.GetMaximumAccess(token.Token).HasFlag(ProcessAccessRights.QueryLimitedInformation))
{
AccessMask granted_access = NtSecurity.GetMaximumAccess(sd, token.Token, type.GenericMapping);
if (IsAccessGranted(granted_access, access_rights))
{
WriteObject(new TokenAccessCheckResult(primary_token, proc,
granted_access, sd, token.Information));
}
}
}
}
}
}
}
static string AccessMaskToString(NtType type, uint granted_access)
{
if (type.HasFullPermission(granted_access))
{
return("Full Permission");
}
return(NtObject.AccessRightsToString(GetTypeAccessRights(type), type.MapGenericRights(granted_access)));
}
private AccessMask MapGeneric(string typename, AccessMask access_mask)
{
if (!MapGenericRights)
{
return(access_mask);
}
NtType type = NtType.GetTypeByName(typename, false);
System.Diagnostics.Debug.Assert(type != null);
return(type.MapGenericRights(access_mask));
}
private AccessMask MapGeneric(SpecificAccessType specific_type, AccessMask access_mask)
{
if (!MapGenericRights)
{
return(access_mask);
}
NtType type = GetTypeObject(specific_type);
System.Diagnostics.Debug.Assert(type != null);
return(type.MapGenericRights(access_mask));
}
private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
{
HashSet <string> devices = new HashSet <string>(StringComparer.OrdinalIgnoreCase);
foreach (string path in Path)
{
using (var result = OpenDirectory(path, null))
{
if (result.IsSuccess)
{
FindDevicesInDirectory(result.Result, devices, MaxDepth ?? int.MaxValue);
}
else
{
// If failed, it might be an absolute path so just add it.
devices.Add(path);
}
}
}
if (devices.Count > 0)
{
AccessMask access_rights = _file_type.MapGenericRights(AccessRights);
EaBuffer ea_buffer = CheckEaBuffer ? (EaBuffer ?? CreateDummyEaBuffer()) : null;
List <string> namespace_paths = new List <string>(NamespacePath ?? new[] { "XYZ" });
foreach (var entry in tokens)
{
foreach (string path in devices)
{
if (CheckDevice())
{
CheckAccessUnderImpersonation(entry, path, false, access_rights, OpenOptions, ea_buffer);
}
if (CheckNamespace())
{
foreach (string namespace_path in namespace_paths)
{
CheckAccessUnderImpersonation(entry, path + @"\" + namespace_path,
true, access_rights, OpenOptions, ea_buffer);
}
}
}
}
}
else
{
WriteWarning("Couldn't find any devices to check");
}
}
private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
{
NtType type = NtType.GetTypeByType <NtFile>();
AccessMask access_rights = type.MapGenericRights(AccessRights);
using (var result = OpenFile("",
FileAccessRights.ReadData, false))
{
NtFile file = result.GetResultOrThrow();
foreach (var entry in result.Result.QueryDirectoryInfo())
{
DumpFile(tokens, access_rights, entry.FileName);
}
}
}
private void DumpObject(IEnumerable <TokenEntry> tokens, HashSet <string> type_filter, AccessMask access_rights, NtObject obj, bool is_directory)
{
NtType type = obj.NtType;
if (!IsTypeFiltered(type.Name, type_filter))
{
return;
}
if (!IncludePath(obj.Name))
{
return;
}
AccessMask desired_access = type.MapGenericRights(access_rights);
var result = GetSecurityDescriptor(obj);
if (!result.IsSuccess && !obj.IsAccessMaskGranted(GenericAccessRights.ReadControl))
{
// Try and duplicate handle to see if we can just ask for ReadControl.
using (var dup_obj = obj.DuplicateObject(GenericAccessRights.ReadControl, AttributeFlags.None, DuplicateObjectOptions.None, false))
{
if (dup_obj.IsSuccess)
{
result = GetSecurityDescriptor(dup_obj.Result);
}
}
}
if (result.IsSuccess)
{
foreach (var token in tokens)
{
CheckAccess(token, obj, type, is_directory, desired_access, result.Result);
}
}
else if (type.CanOpen)
{
// If we can't read security descriptor then try opening the object.
foreach (var token in tokens)
{
CheckAccessUnderImpersonation(token, type, is_directory, desired_access, obj);
}
}
// TODO: Do we need a warning here?
}
private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
{
var devices = new Dictionary <string, SecurityDescriptorEntry>(StringComparer.OrdinalIgnoreCase);
foreach (string path in Path)
{
using (var result = OpenDirectory(path, null))
{
if (result.IsSuccess)
{
FindDevicesInDirectory(result.Result, devices, MaxDepth ?? int.MaxValue);
}
else
{
// If failed, it might be an absolute path so just add it.
if (!devices.ContainsKey(path))
{
devices.Add(path, GetSecurityDescriptor(path));
}
}
}
}
if (devices.Count > 0)
{
AccessMask access_rights = _file_type.MapGenericRights(Access);
EaBuffer ea_buffer = CheckEaBuffer ? (EaBuffer ?? CreateDummyEaBuffer()) : null;
List <string> namespace_paths = new List <string>(NamespacePath ?? new[] { "XYZ" });
foreach (var entry in tokens)
{
foreach (var pair in devices)
{
if (CheckDevice())
{
if (pair.Value != null)
{
AccessMask granted_access = NtSecurity.GetMaximumAccess(pair.Value.SecurityDescriptor, entry.Token, _file_type.GenericMapping);
if (IsAccessGranted(granted_access, access_rights))
{
WriteObject(new DeviceAccessCheckResult(pair.Key, false, pair.Value.DeviceType,
pair.Value.Characteristics, granted_access,
pair.Value.SecurityDescriptor, entry.Information));
}
}
else
{
if (!NoImpersonation)
{
CheckAccessUnderImpersonation(entry, pair.Key, false, access_rights, OpenOptions, ea_buffer);
}
}
}
if (CheckNamespace() && !NoImpersonation)
{
foreach (string namespace_path in namespace_paths)
{
CheckAccessUnderImpersonation(entry, pair.Key + @"\" + namespace_path,
true, access_rights, OpenOptions, ea_buffer);
}
}
}
}
}
else
{
WriteWarning("Couldn't find any devices to check");
}
}
/// <summary>
/// Process Record.
/// </summary>
protected override void ProcessRecord()
{
if (!_dict.GetValue("Access", out Enum access))
{
if (!RawAccess.HasValue && RequiresAccess(Type))
{
throw new ArgumentException("Invalid access value.");
}
else
{
access = GenericAccessRights.None;
}
}
_dict.GetValue("Condition", out string condition);
_dict.GetValue("ObjectType", out Guid? object_type);
_dict.GetValue("InheritedObjectType", out Guid? inherited_object_type);
_dict.GetValue("ServerSid", out Sid server_sid);
_dict.GetValue("SecurityAttribute", out ClaimSecurityAttribute security_attribute);
Acl acl;
if (NtSecurity.IsSystemAceType(Type))
{
if (SecurityDescriptor.Sacl == null)
{
SecurityDescriptor.Sacl = new Acl();
}
acl = SecurityDescriptor.Sacl;
}
else
{
if (SecurityDescriptor.Dacl == null)
{
SecurityDescriptor.Dacl = new Acl();
}
acl = SecurityDescriptor.Dacl;
}
AccessMask mask = access;
if (RawAccess.HasValue)
{
mask |= RawAccess.Value;
}
if (MapGeneric)
{
NtType type = SecurityDescriptor.NtType;
if (type == null)
{
WriteWarning("No NtType specified in security descriptor. Defaulting to File.");
type = NtType.GetTypeByType <NtFile>();
}
mask = type.MapGenericRights(mask);
}
Ace ace = new Ace(Type, Flags, mask, GetSid());
if ((NtSecurity.IsCallbackAceType(Type) || Type == AceType.AccessFilter) && !string.IsNullOrWhiteSpace(condition))
{
ace.Condition = condition;
}
if (NtSecurity.IsObjectAceType(Type))
{
ace.ObjectType = object_type;
ace.InheritedObjectType = inherited_object_type;
}
if (Type == AceType.AllowedCompound)
{
ace.ServerSid = server_sid;
}
if (Type == AceType.ResourceAttribute)
{
ace.ResourceAttribute = security_attribute;
}
acl.Add(ace);
if (PassThru)
{
WriteObject(ace);
}
}
