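/// <summary>
/// Logon a user using S4U.
/// </summary>
/// <remarks>
/// The request built here carries only the user name and realm; no credential is supplied.
/// Both strings are packed as UTF-16 directly after the KERB_S4U_LOGON structure and are
/// described by counted strings whose length fields are 16 bits wide. Values that do not fit
/// are rejected instead of being silently truncated, so the logon is never attempted for a
/// different (shortened) principal name than the one the caller passed in.
/// </remarks>
/// <param name="user">The username.</param>
/// <param name="realm">The user's realm.</param>
/// <param name="type">The type of logon token.</param>
/// <param name="auth_package">The name of the auth package to use.</param>
/// <param name="throw_on_error">True to throw on error.</param>
/// <returns>The logged on token.</returns>
/// <exception cref="ArgumentNullException">Thrown when user or realm is null, regardless of throw_on_error.</exception>
/// <exception cref="ArgumentException">Thrown when user or realm exceeds 65535 bytes as UTF-16, regardless of throw_on_error.</exception>
public static NtResult<NtToken> LsaLogonS4U(string user, string realm, SecurityLogonType type, string auth_package, bool throw_on_error)
{
    if (user is null)
    {
        throw new ArgumentNullException(nameof(user));
    }

    if (realm is null)
    {
        throw new ArgumentNullException(nameof(realm));
    }

    byte[] user_bytes = Encoding.Unicode.GetBytes(user);
    byte[] realm_bytes = Encoding.Unicode.GetBytes(realm);

    // Length and MaximumLength are assigned through a (ushort) cast below. Without this check an
    // oversized value wraps modulo 65536 and the structure would describe only a prefix of the name.
    if (user_bytes.Length > ushort.MaxValue)
    {
        throw new ArgumentException("User name is too long to be described by a counted string.", nameof(user));
    }

    if (realm_bytes.Length > ushort.MaxValue)
    {
        throw new ArgumentException("Realm is too long to be described by a counted string.", nameof(realm));
    }

    // The structure is followed by a trailing data area sized to hold both strings back to back.
    using (var buffer = new SafeStructureInOutBuffer<KERB_S4U_LOGON>(user_bytes.Length + realm_bytes.Length, true))
    {
        KERB_S4U_LOGON logon_struct = new KERB_S4U_LOGON
        {
            MessageType = KERB_LOGON_SUBMIT_TYPE.KerbS4ULogon
        };

        SafeHGlobalBuffer data_buffer = buffer.Data;

        // User name occupies the start of the trailing data area.
        logon_struct.ClientUpn.Buffer = data_buffer.DangerousGetHandle();
        data_buffer.WriteArray(0, user_bytes, 0, user_bytes.Length);
        logon_struct.ClientUpn.Length = (ushort)user_bytes.Length;
        logon_struct.ClientUpn.MaximumLength = (ushort)user_bytes.Length;

        // Realm follows immediately after the user name bytes.
        logon_struct.ClientRealm.Buffer = data_buffer.DangerousGetHandle() + user_bytes.Length;
        data_buffer.WriteArray((ulong)user_bytes.Length, realm_bytes, 0, realm_bytes.Length);
        logon_struct.ClientRealm.Length = (ushort)realm_bytes.Length;
        logon_struct.ClientRealm.MaximumLength = (ushort)realm_bytes.Length;

        // The raw pointers stored above refer into 'buffer', so the call must complete inside this using block.
        buffer.Result = logon_struct;

        return LsaLogonUser(type, auth_package, "S4U", buffer, null, throw_on_error);
    }
}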
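/// <summary>
/// Logon a user using S4U through the "Negotiate" authentication package.
/// </summary>
/// <remarks>
/// Opens an untrusted LSA connection, looks up the package and submits a KERB_S4U_LOGON
/// request that carries only the user name and realm; no credential is supplied. The strings
/// are described by counted strings with 16-bit length fields, so arguments are validated
/// before any LSA handle is opened: an oversized value would otherwise be truncated by the
/// (ushort) casts and the request would name a shortened principal.
/// </remarks>
/// <param name="user">The username.</param>
/// <param name="realm">The user's realm.</param>
/// <param name="type">The type of logon token.</param>
/// <returns>The logged on token.</returns>
/// <exception cref="ArgumentNullException">Thrown when user or realm is null.</exception>
/// <exception cref="ArgumentException">Thrown when user or realm exceeds 65535 bytes as UTF-16.</exception>
public static NtToken LogonS4U(string user, string realm, SecurityLogonType type)
{
    if (user == null)
    {
        throw new ArgumentNullException("user");
    }

    if (realm == null)
    {
        throw new ArgumentNullException("realm");
    }

    byte[] user_bytes = Encoding.Unicode.GetBytes(user);
    byte[] realm_bytes = Encoding.Unicode.GetBytes(realm);

    // Length and MaximumLength are 16-bit; reject anything the casts below would wrap.
    if (user_bytes.Length > ushort.MaxValue)
    {
        throw new ArgumentException("User name is too long to be described by a counted string.", "user");
    }

    if (realm_bytes.Length > ushort.MaxValue)
    {
        throw new ArgumentException("Realm is too long to be described by a counted string.", "realm");
    }

    SafeLsaHandle hlsa;
    LsaString pkgName = new LsaString("Negotiate");

    LsaConnectUntrusted(out hlsa).ToNtException();
    using (hlsa)
    {
        uint authnPkg;
        LsaLookupAuthenticationPackage(hlsa, pkgName, out authnPkg).ToNtException();

        // The structure is followed by a trailing data area sized to hold both strings back to back.
        using (var buffer = new SafeStructureInOutBuffer<KERB_S4U_LOGON>(user_bytes.Length + realm_bytes.Length, true))
        {
            KERB_S4U_LOGON logon_struct = new KERB_S4U_LOGON();
            logon_struct.MessageType = KERB_LOGON_SUBMIT_TYPE.KerbS4ULogon;

            SafeHGlobalBuffer data_buffer = buffer.Data;

            // User name occupies the start of the trailing data area.
            logon_struct.ClientUpn.Buffer = data_buffer.DangerousGetHandle();
            data_buffer.WriteArray(0, user_bytes, 0, user_bytes.Length);
            logon_struct.ClientUpn.Length = (ushort)user_bytes.Length;
            logon_struct.ClientUpn.MaximumLength = (ushort)user_bytes.Length;

            // Realm follows immediately after the user name bytes.
            logon_struct.ClientRealm.Buffer = data_buffer.DangerousGetHandle() + user_bytes.Length;
            data_buffer.WriteArray((ulong)user_bytes.Length, realm_bytes, 0, realm_bytes.Length);
            logon_struct.ClientRealm.Length = (ushort)realm_bytes.Length;
            logon_struct.ClientRealm.MaximumLength = (ushort)realm_bytes.Length;

            // Copy the populated header to the start of the native buffer.
            Marshal.StructureToPtr(logon_struct, buffer.DangerousGetHandle(), false);

            TOKEN_SOURCE tokenSource = new TOKEN_SOURCE("NtLmSsp");
            AllocateLocallyUniqueId(out tokenSource.SourceIdentifier);

            LsaString originName = new LsaString("S4U");
            IntPtr profile;
            int cbProfile;
            Luid logon_id;
            NtStatus subStatus;
            QUOTA_LIMITS quota_limits;
            SafeKernelObjectHandle token_handle;

            LsaLogonUser(hlsa, originName, type, authnPkg,
                buffer, buffer.Length, IntPtr.Zero, tokenSource,
                out profile, out cbProfile, out logon_id, out token_handle,
                out quota_limits, out subStatus).ToNtException();

            // The profile buffer is not used; release it before wrapping the token handle.
            LsaFreeReturnBuffer(profile);
            return NtToken.FromHandle(token_handle);
        }
    }
}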
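/// <summary>
/// Builds the native access-right table (an array of SiAccess entries) for a named object.
/// </summary>
/// <remarks>
/// Each SiAccess entry stores a raw pointer to a string buffer held in _names, so _names and
/// _access_map must stay undisposed for as long as the native table is in use.
/// </remarks>
/// <param name="obj_name">The object name, copied into a native string buffer.</param>
/// <param name="names">Map of access mask value to the display name for that access right.</param>
/// <param name="generic_mapping">The generic mapping stored for the object type.</param>
/// <param name="read_only">Stored in _read_only.</param>
/// <exception cref="ArgumentNullException">Thrown when names is null.</exception>
private SecurityInformationImpl(string obj_name, Dictionary<uint, string> names, GenericMapping generic_mapping, bool read_only)
{
    // Fail before any native buffer is allocated rather than with a NullReferenceException midway.
    if (names == null)
    {
        throw new ArgumentNullException(nameof(names));
    }

    _mapping = generic_mapping;
    _obj_name = new SafeStringBuffer(obj_name);
    _access_map = new SafeHGlobalBuffer(Marshal.SizeOf(typeof(SiAccess)) * names.Count);
    _names = new DisposableList<SafeStringBuffer>();

    SiAccess[] sis = new SiAccess[names.Count];
    int i = 0;
    foreach (KeyValuePair<uint, string> pair in names)
    {
        // The list owns the buffer; the entry below only borrows its address.
        SafeStringBuffer name_buffer = new SafeStringBuffer(pair.Value);
        _names.Add(name_buffer);

        sis[i] = new SiAccess
        {
            pguid = IntPtr.Zero,
            dwFlags = SiAccessFlags.SI_ACCESS_SPECIFIC | SiAccessFlags.SI_ACCESS_GENERAL,
            mask = pair.Key,
            pszName = name_buffer.DangerousGetHandle()
        };
        i++;
    }

    _access_map.WriteArray(0, sis, 0, names.Count);
    _read_only = read_only;
}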
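/// <summary>
/// Builds a SECURITY_CAPABILITIES structure for a package SID and a set of capability SIDs.
/// </summary>
/// <remarks>
/// The structure holds raw pointers into buffers that are registered with
/// <paramref name="resources"/>; the caller must keep that list undisposed until the
/// structure is no longer needed. The capability sequence is enumerated exactly once, so a
/// lazy or single-pass sequence cannot yield a different set on a second enumeration than
/// the one that was tested for emptiness.
/// </remarks>
/// <param name="package_sid">The package SID, stored as AppContainerSid.</param>
/// <param name="capabilities">The capability SIDs; each is added with GroupAttributes.Enabled.</param>
/// <param name="resources">List that takes ownership of every native buffer allocated here.</param>
/// <returns>The populated structure. Capabilities and CapabilityCount are left at their defaults when there are no capabilities.</returns>
internal static SECURITY_CAPABILITIES CreateSecuityCapabilities(Sid package_sid, IEnumerable<Sid> capabilities, DisposableList resources)
{
    SECURITY_CAPABILITIES caps = new SECURITY_CAPABILITIES
    {
        AppContainerSid = resources.AddResource(package_sid.ToSafeBuffer()).DangerousGetHandle()
    };

    // Materialize once instead of calling Any() and then enumerating the sequence a second time.
    SidAndAttributes[] cap_sids = capabilities.Select(s => new SidAndAttributes()
    {
        Sid = resources.AddResource(s.ToSafeBuffer()).DangerousGetHandle(),
        Attributes = GroupAttributes.Enabled
    }).ToArray();

    if (cap_sids.Length > 0)
    {
        SafeHGlobalBuffer cap_buffer = resources.AddResource(
            new SafeHGlobalBuffer(Marshal.SizeOf(typeof(SidAndAttributes)) * cap_sids.Length));
        cap_buffer.WriteArray(0, cap_sids, 0, cap_sids.Length);
        caps.Capabilities = cap_buffer.DangerousGetHandle();
        caps.CapabilityCount = cap_sids.Length;
    }

    return caps;
}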
/// <summary>
/// Builds the native process/thread attribute list from the properties configured on this instance.
/// </summary>
/// <remarks>
/// Several attributes store raw pointers to buffers that are registered with
/// <paramref name="resources"/>. The returned list is therefore only usable while that
/// resource list is undisposed (presumably until process creation has completed; confirm at the call site).
/// </remarks>
/// <param name="resources">List that takes ownership of every native buffer allocated here.</param>
/// <returns>The attribute list, or SafeHGlobalBuffer.Null when GetAttributeCount() returns zero.</returns>
private SafeHGlobalBuffer GetAttributes(DisposableList<IDisposable> resources)
{
    int attribute_count = GetAttributeCount();
    if (attribute_count == 0)
    {
        return SafeHGlobalBuffer.Null;
    }

    // The list is sized from GetAttributeCount(), so the conditions below are expected to match it.
    var list = resources.AddResource(new SafeProcThreadAttributeListBuffer(attribute_count));

    if (ParentProcess != null)
    {
        list.AddAttribute(ProcessAttributes.ProcThreadAttributeParentProcess, ParentProcess.Handle.DangerousGetHandle());
    }

    if (MitigationOptions2 != ProcessMitigationOptions2.None)
    {
        // Second policy word in use: emit both words as two consecutive 64-bit values.
        MemoryStream policy_stream = new MemoryStream();
        BinaryWriter policy_writer = new BinaryWriter(policy_stream);
        policy_writer.Write((ulong)MitigationOptions);
        policy_writer.Write((ulong)MitigationOptions2);
        list.AddAttribute(ProcessAttributes.ProcThreadAttributeMitigationPolicy, policy_stream.ToArray());
    }
    else if (MitigationOptions != ProcessMitigationOptions.None)
    {
        // Only the first policy word is set: emit a single 64-bit value.
        list.AddAttribute(ProcessAttributes.ProcThreadAttributeMitigationPolicy, (ulong)MitigationOptions);
    }

    if (Win32kFilterFlags != Win32kFilterFlags.None)
    {
        Win32kFilterAttribute win32k_filter = new Win32kFilterAttribute
        {
            Flags = Win32kFilterFlags,
            FilterLevel = Win32kFilterLevel
        };
        list.AddAttributeBuffer(ProcessAttributes.ProcThreadAttributeWin32kFilter, resources.AddResource(win32k_filter.ToBuffer()));
    }

    // NOTE(review): the protection level is added whenever the ProtectedProcess flag is set,
    // whatever value ProtectionLevel holds - confirm that is intended.
    if ((CreationFlags & CreateProcessFlags.ProtectedProcess) != 0)
    {
        list.AddAttribute(ProcessAttributes.ProcThreadAttributeProtectionLevel, (int)ProtectionLevel);
    }

    if (InheritHandleList.Count > 0)
    {
        // One pointer-sized slot per handle in the list.
        int handle_bytes = IntPtr.Size * InheritHandleList.Count;
        var handle_buffer = resources.AddResource(new SafeHGlobalBuffer(handle_bytes));
        handle_buffer.WriteArray(0, InheritHandleList.ToArray(), 0, InheritHandleList.Count);
        list.AddAttributeBuffer(ProcessAttributes.ProcThreadAttributeHandleList, handle_buffer);
    }

    if (AppContainerSid != null)
    {
        SECURITY_CAPABILITIES security_caps = new SECURITY_CAPABILITIES
        {
            AppContainerSid = resources.AddResource(AppContainerSid.ToSafeBuffer()).DangerousGetHandle()
        };

        if (Capabilities.Count > 0)
        {
            SidAndAttributes[] capability_entries = new SidAndAttributes[Capabilities.Count];
            for (int index = 0; index < Capabilities.Count; index++)
            {
                // Each capability SID gets its own native buffer, owned by 'resources'.
                SidAndAttributes entry = new SidAndAttributes();
                entry.Sid = resources.AddResource(Capabilities[index].ToSafeBuffer()).DangerousGetHandle();
                entry.Attributes = GroupAttributes.Enabled;
                capability_entries[index] = entry;
            }

            int entry_size = Marshal.SizeOf(typeof(SidAndAttributes));
            SafeHGlobalBuffer capability_buffer = resources.AddResource(new SafeHGlobalBuffer(entry_size * Capabilities.Count));
            capability_buffer.WriteArray(0, capability_entries, 0, capability_entries.Length);
            security_caps.Capabilities = capability_buffer.DangerousGetHandle();
            security_caps.CapabilityCount = capability_entries.Length;
        }

        list.AddAttribute(ProcessAttributes.ProcThreadAttributeSecurityCapabilities, security_caps);
    }

    if (LowPrivilegeAppContainer)
    {
        list.AddAttribute(ProcessAttributes.ProcThreadAttributeAllApplicationPackagesPolicy, 1);
    }

    return list;
}
/// <summary>
/// Builds the native process/thread attribute list from the properties configured on this instance.
/// </summary>
/// <remarks>
/// Several attributes store raw pointers to buffers that are registered with
/// <paramref name="resources"/>. The returned list is therefore only usable while that
/// resource list is undisposed (presumably until process creation has completed; confirm at the call site).
/// </remarks>
/// <param name="resources">List that takes ownership of every native buffer allocated here.</param>
/// <returns>The attribute list, or SafeHGlobalBuffer.Null when GetAttributeCount() returns zero.</returns>
private SafeHGlobalBuffer GetAttributes(DisposableList<IDisposable> resources)
{
    int attribute_count = GetAttributeCount();
    if (attribute_count == 0)
    {
        return SafeHGlobalBuffer.Null;
    }

    // The list is sized from GetAttributeCount(), so the conditions below are expected to match it.
    var list = resources.AddResource(new SafeProcThreadAttributeListBuffer(attribute_count));

    if (ParentProcess != null)
    {
        list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeParentProcess, ParentProcess.Handle.DangerousGetHandle());
    }

    if (MitigationOptions2 != ProcessMitigationOptions2.None)
    {
        // Second policy word in use: emit both words as two consecutive 64-bit values.
        MemoryStream policy_stream = new MemoryStream();
        BinaryWriter policy_writer = new BinaryWriter(policy_stream);
        policy_writer.Write((ulong)MitigationOptions);
        policy_writer.Write((ulong)MitigationOptions2);
        list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeMitigationPolicy, policy_stream.ToArray());
    }
    else if (MitigationOptions != ProcessMitigationOptions.None)
    {
        // Only the first policy word is set: emit a single 64-bit value.
        list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeMitigationPolicy, (ulong)MitigationOptions);
    }

    if (Win32kFilterFlags != Win32kFilterFlags.None)
    {
        Win32kFilterAttribute win32k_filter = new Win32kFilterAttribute();
        win32k_filter.Flags = Win32kFilterFlags;
        win32k_filter.FilterLevel = Win32kFilterLevel;
        list.AddAttributeBuffer(Win32ProcessAttributes.ProcThreadAttributeWin32kFilter, resources.AddResource(win32k_filter.ToBuffer()));
    }

    // The protection level is only supplied when the flag is set and a level was actually chosen.
    if ((CreationFlags & CreateProcessFlags.ProtectedProcess) != 0 && ProtectionLevel != ProtectionLevel.None)
    {
        list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeProtectionLevel, (int)ProtectionLevel);
    }

    if (InheritHandleList.Count > 0)
    {
        // One pointer-sized slot per handle in the list.
        int handle_bytes = IntPtr.Size * InheritHandleList.Count;
        var handle_buffer = resources.AddResource(new SafeHGlobalBuffer(handle_bytes));
        handle_buffer.WriteArray(0, InheritHandleList.ToArray(), 0, InheritHandleList.Count);
        list.AddAttributeBuffer(Win32ProcessAttributes.ProcThreadAttributeHandleList, handle_buffer);
    }

    if (AppContainerSid != null)
    {
        SECURITY_CAPABILITIES security_caps = new SECURITY_CAPABILITIES();
        security_caps.AppContainerSid = resources.AddResource(AppContainerSid.ToSafeBuffer()).DangerousGetHandle();

        if (Capabilities.Count > 0)
        {
            SidAndAttributes[] capability_entries = new SidAndAttributes[Capabilities.Count];
            for (int index = 0; index < Capabilities.Count; index++)
            {
                // Each capability SID gets its own native buffer, owned by 'resources'.
                SidAndAttributes entry = new SidAndAttributes();
                entry.Sid = resources.AddResource(Capabilities[index].ToSafeBuffer()).DangerousGetHandle();
                entry.Attributes = GroupAttributes.Enabled;
                capability_entries[index] = entry;
            }

            int entry_size = Marshal.SizeOf(typeof(SidAndAttributes));
            SafeHGlobalBuffer capability_buffer = resources.AddResource(new SafeHGlobalBuffer(entry_size * Capabilities.Count));
            capability_buffer.WriteArray(0, capability_entries, 0, capability_entries.Length);
            security_caps.Capabilities = capability_buffer.DangerousGetHandle();
            security_caps.CapabilityCount = capability_entries.Length;
        }

        list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeSecurityCapabilities, security_caps);
    }

    if (LowPrivilegeAppContainer)
    {
        list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeAllApplicationPackagesPolicy, 1);
    }

    if (RestrictChildProcessCreation || OverrideChildProcessCreation)
    {
        // Bit 0 carries the restrict setting, bit 1 the override setting.
        int child_policy = 0;
        if (RestrictChildProcessCreation)
        {
            child_policy |= 1;
        }
        if (OverrideChildProcessCreation)
        {
            child_policy |= 2;
        }
        list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeChildProcessPolicy, child_policy);
    }

    if (DesktopAppBreakaway != ProcessDesktopAppBreakawayFlags.None)
    {
        list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeDesktopAppPolicy, (int)DesktopAppBreakaway);
    }

    if (!string.IsNullOrWhiteSpace(PackageName))
    {
        // The package name is passed as raw UTF-16 bytes in a native buffer owned by 'resources'.
        byte[] package_name_bytes = Encoding.Unicode.GetBytes(PackageName);
        var package_name_buffer = resources.AddResource(new SafeHGlobalBuffer(package_name_bytes));
        list.AddAttributeBuffer(Win32ProcessAttributes.ProcThreadAttributePackageName, package_name_buffer);
    }

    if (PseudoConsole != IntPtr.Zero)
    {
        list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributePseudoConsole, PseudoConsole);
    }

    if (!string.IsNullOrEmpty(BnoIsolationPrefix))
    {
        var isolation = new BnoIsolationAttribute();
        isolation.IsolationEnabled = 1;
        isolation.IsolationPrefix = BnoIsolationPrefix;
        list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeBnoIsolation, isolation);
    }

    if (SafeOpenPromptOriginClaim != null)
    {
        // Work on a copy so the caller's array is untouched, then pad or truncate it to exactly
        // 524 bytes (presumably the fixed size the attribute requires - confirm).
        var claim_bytes = (byte[])SafeOpenPromptOriginClaim.Clone();
        Array.Resize(ref claim_bytes, 524);
        list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeSafeOpenPromptOriginClaim, claim_bytes);
    }

    if (ExtendedFlags != ProcessExtendedFlags.None)
    {
        list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeExtendedFlags, (int)ExtendedFlags);
    }

    return list;
}
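/// <summary>
/// Builds the native access-right table (an array of SiAccess entries) for an object handle.
/// </summary>
/// <remarks>
/// Each SiAccess entry stores a raw pointer to a string buffer held in _names, so _names and
/// _access_map must stay undisposed for as long as the native table is in use.
/// </remarks>
/// <param name="obj_name">The object name, copied into a native string buffer.</param>
/// <param name="handle">The object, stored in _handle.</param>
/// <param name="names">Map of access mask value to the display name for that access right.</param>
/// <param name="generic_mapping">The generic mapping stored for the object type.</param>
/// <exception cref="ArgumentNullException">Thrown when names is null.</exception>
public SecurityInformationImpl(string obj_name, NtObject handle, Dictionary<uint, string> names, GenericMapping generic_mapping)
{
    // Fail before any native buffer is allocated rather than with a NullReferenceException midway.
    if (names == null)
    {
        throw new ArgumentNullException("names");
    }

    _mapping = generic_mapping;
    _handle = handle;
    _obj_name = new SafeStringBuffer(obj_name);
    _access_map = new SafeHGlobalBuffer(Marshal.SizeOf(typeof(SiAccess)) * names.Count);
    _names = new DisposableList<SafeStringBuffer>();

    SiAccess[] sis = new SiAccess[names.Count];
    int i = 0;
    foreach (KeyValuePair<uint, string> pair in names)
    {
        // The list owns the buffer; the entry below only borrows its address.
        SafeStringBuffer name_buffer = new SafeStringBuffer(pair.Value);
        _names.Add(name_buffer);

        SiAccess si = new SiAccess();
        si.dwFlags = SiAccessFlags.SI_ACCESS_SPECIFIC | SiAccessFlags.SI_ACCESS_GENERAL;
        si.mask = pair.Key;
        si.pszName = name_buffer.DangerousGetHandle();
        sis[i] = si;
        i++;
    }

    _access_map.WriteArray(0, sis, 0, names.Count);
}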