public static TokenHandle Create(
TokenAccess access,
ObjectFlags objectFlags,
TokenHandle existingTokenHandle,
TokenType tokenType,
Sid user,
Sid[] groups,
PrivilegeSet privileges,
Sid owner,
Sid primaryGroup
)
{
var statistics = existingTokenHandle.GetStatistics();
return(Create(
access,
null,
objectFlags,
null,
tokenType,
statistics.AuthenticationId,
statistics.ExpirationTime,
user,
groups,
privileges,
owner,
primaryGroup,
null,
_phTokenSource
));
}
public void AddPrivileges(PrivilegeSet privileges)
{
using (MemoryAlloc privilegeSetMemory = privileges.ToMemory())
{
Win32.LsaAddPrivilegesToAccount(
this,
privilegeSetMemory
).ThrowIf();
}
}
public static TokenHandle Create(
TokenAccess access,
string name,
ObjectFlags objectFlags,
DirectoryHandle rootDirectory,
TokenType tokenType,
Luid authenticationId,
long expirationTime,
Sid user,
Sid[] groups,
PrivilegeSet privileges,
Sid owner,
Sid primaryGroup,
Acl defaultDacl,
TokenSource source
)
{
NtStatus status;
TokenUser tokenUser = new TokenUser(user);
TokenGroups tokenGroups = new TokenGroups(groups);
TokenPrivileges tokenPrivileges = new TokenPrivileges(privileges);
TokenOwner tokenOwner = new TokenOwner(owner);
TokenPrimaryGroup tokenPrimaryGroup = new TokenPrimaryGroup(primaryGroup);
TokenDefaultDacl tokenDefaultDacl = new TokenDefaultDacl(defaultDacl);
ObjectAttributes oa = new ObjectAttributes(name, objectFlags, rootDirectory);
IntPtr handle;
try
{
if ((status = Win32.NtCreateToken(
out handle,
access,
ref oa,
tokenType,
ref authenticationId,
ref expirationTime,
ref tokenUser,
ref tokenGroups,
ref tokenPrivileges,
ref tokenOwner,
ref tokenPrimaryGroup,
ref tokenDefaultDacl,
ref source
)) >= NtStatus.Error)
{
Win32.Throw(status);
}
}
finally
{
oa.Dispose();
}
return(new TokenHandle(handle, true));
}
public void RemovePrivileges(PrivilegeSet privileges)
{
using (MemoryAlloc privilegeSetMemory = privileges.ToMemory())
{
Win32.LsaRemovePrivilegesFromAccount(
this,
false,
privilegeSetMemory
).ThrowIf();
}
}
public void AdjustPrivileges(PrivilegeSet privileges)
{
var tokenPrivileges = privileges.ToTokenPrivileges();
Win32.AdjustTokenPrivileges(this, false, ref tokenPrivileges, 0, IntPtr.Zero, IntPtr.Zero);
if (Marshal.GetLastWin32Error() != 0)
{
Win32.Throw();
}
}
public static TokenHandle Create(
TokenAccess access,
TokenType tokenType,
Sid user,
Sid[] groups,
PrivilegeSet privileges
)
{
using (var administratorsSid = Sid.GetWellKnownSid(WellKnownSidType.WinBuiltinAdministratorsSid))
using (var thandle = TokenHandle.OpenCurrentPrimary(TokenAccess.Query))
return(Create(access, 0, thandle, tokenType, user, groups, privileges, administratorsSid, administratorsSid));
}
static extern bool AccessCheckByType(
byte[] pSecurityDescriptor,
byte[] PrincipalSelfSid,
SafeTokenHandle ClientToken,
uint DesiredAccess,
IntPtr ObjectTypeList,
int ObjectTypeListLength,
ref GenericMapping GenericMapping,
ref PrivilegeSet PrivilegeSet,
ref int PrivilegeSetLength,
out uint GrantedAccess,
out bool AccessStatus
);
public void AddPrivileges(PrivilegeSet privileges)
{
NtStatus status;
using (var privilegeSetMemory = privileges.ToMemory())
{
if ((status = Win32.LsaAddPrivilegesToAccount(
this,
privilegeSetMemory
)) >= NtStatus.Error)
{
Win32.Throw(status);
}
}
}
public bool CheckPrivileges(PrivilegeSet privileges)
{
bool result;
using (MemoryAlloc privilegesMemory = privileges.ToMemory())
{
Win32.NtPrivilegeCheck(
this,
privilegesMemory,
out result
).ThrowIf();
return(result);
}
}
public void RemovePrivileges(PrivilegeSet privileges)
{
NtStatus status;
using (var privilegeSetMemory = privileges.ToMemory())
{
if ((status = Win32.LsaRemovePrivilegesFromAccount(
this,
false,
privilegeSetMemory
)) >= NtStatus.Error)
{
Win32.Throw(status);
}
}
}
private static bool GetGrantedAccess(string sddl, string principal, SafeTokenHandle token, bool launch, out COMAccessRights maximum_rights)
{
GenericMapping mapping = new GenericMapping();
mapping.GenericExecute = (uint)(COMAccessRights.Execute | COMAccessRights.ExecuteLocal | COMAccessRights.ExecuteRemote);
if (launch)
{
mapping.GenericExecute = mapping.GenericExecute | (uint)(COMAccessRights.ActivateLocal | COMAccessRights.ActivateRemote);
}
// If SD is only a NULL DACL we get maximum rights.
if (sddl == "D:NO_ACCESS_CONTROL")
{
maximum_rights = (COMAccessRights)mapping.GenericExecute;
return(true);
}
byte[] princ_bytes = null;
if (!String.IsNullOrWhiteSpace(principal))
{
SecurityIdentifier sid = new SecurityIdentifier(principal);
princ_bytes = new byte[sid.BinaryLength];
sid.GetBinaryForm(princ_bytes, 0);
}
maximum_rights = 0;
PrivilegeSet priv_set = new PrivilegeSet();
int priv_length = Marshal.SizeOf(priv_set);
uint granted_access = 0;
bool access_status = false;
byte[] sd = GetSDForStringSD(sddl);
if (!AccessCheckByType(sd, princ_bytes, token, MaximumAllowed, IntPtr.Zero,
0, ref mapping, ref priv_set, ref priv_length, out granted_access, out access_status))
{
throw new Win32Exception(sddl);
}
if (access_status)
{
maximum_rights = (COMAccessRights)(granted_access & 0x1F);
}
return(access_status);
}
public bool CheckPrivileges(PrivilegeSet privileges)
{
NtStatus status;
bool result;
using (var privilegesMemory = privileges.ToMemory())
{
if ((status = Win32.NtPrivilegeCheck(
this,
privilegesMemory,
out result
)) >= NtStatus.Error)
{
Win32.Throw(status);
}
return(result);
}
}
public void AdjustPrivileges(PrivilegeSet privileges)
{
var tokenPrivileges = privileges.ToTokenPrivileges();
Win32.NtAdjustPrivilegesToken(this, false, ref tokenPrivileges, 0, IntPtr.Zero, IntPtr.Zero).ThrowIf();
}
