public static extern uint NtCreateToken(
out IntPtr TokenHandle,
uint DesiredAccess,
ref wudfwdm._OBJECT_ATTRIBUTES ObjectAttributes,
Winnt._TOKEN_TYPE TokenType,
ref Winnt._LUID AuthenticationId, //From NtAllocateLocallyUniqueId
ref long ExpirationTime,
ref Ntifs._TOKEN_USER TokenUser,
ref Ntifs._TOKEN_GROUPS_DYNAMIC TokenGroups,
ref Winnt._TOKEN_PRIVILEGES_ARRAY TokenPrivileges,
ref Ntifs._TOKEN_OWNER TokenOwner,
ref Winnt._TOKEN_PRIMARY_GROUP TokenPrimaryGroup,
ref Winnt._TOKEN_DEFAULT_DACL TokenDefaultDacl,
ref Winnt._TOKEN_SOURCE TokenSource
);
////////////////////////////////////////////////////////////////////////////////
// Checks if a Privilege Exists and is Enabled
////////////////////////////////////////////////////////////////////////////////
public static bool CheckTokenPrivilege(IntPtr hToken, string privilegeName, out bool exists, out bool enabled)
{
exists = false;
enabled = false;
////////////////////////////////////////////////////////////////////////////////
uint TokenInfLength = 0;
advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out TokenInfLength);
if (TokenInfLength <= 0 || TokenInfLength > int.MaxValue)
{
Misc.GetWin32Error("GetTokenInformation - 1 " + TokenInfLength);
return(false);
}
IntPtr lpTokenInformation = Marshal.AllocHGlobal((int)TokenInfLength);
////////////////////////////////////////////////////////////////////////////////
if (!advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, lpTokenInformation, TokenInfLength, out TokenInfLength))
{
Misc.GetWin32Error("GetTokenInformation - 2 " + TokenInfLength);
return(false);
}
Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(lpTokenInformation, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
Marshal.FreeHGlobal(lpTokenInformation);
////////////////////////////////////////////////////////////////////////////////
for (int i = 0; i < tokenPrivileges.PrivilegeCount; i++)
{
System.Text.StringBuilder lpName = new System.Text.StringBuilder();
int cchName = 0;
IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(tokenPrivileges.Privileges[i]));
Marshal.StructureToPtr(tokenPrivileges.Privileges[i].Luid, lpLuid, true);
try
{
advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
if (cchName <= 0 || cchName > int.MaxValue)
{
Misc.GetWin32Error("LookupPrivilegeName Pass 1");
continue;
}
lpName.EnsureCapacity(cchName + 1);
if (!advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName))
{
Misc.GetWin32Error("LookupPrivilegeName Pass 2");
continue;
}
if (lpName.ToString() != privilegeName)
{
continue;
}
exists = true;
Winnt._PRIVILEGE_SET privilegeSet = new Winnt._PRIVILEGE_SET
{
PrivilegeCount = 1,
Control = Winnt.PRIVILEGE_SET_ALL_NECESSARY,
Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] }
};
int pfResult = 0;
if (!advapi32.PrivilegeCheck(hToken, ref privilegeSet, out pfResult))
{
Misc.GetWin32Error("PrivilegeCheck");
continue;
}
enabled = Convert.ToBoolean(pfResult);
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
return(false);
}
finally
{
Marshal.FreeHGlobal(lpLuid);
}
}
Console.WriteLine();
return(false);
}
////////////////////////////////////////////////////////////////////////////////
// Prints the tokens privileges
////////////////////////////////////////////////////////////////////////////////
public void GetTokenPrivileges()
{
////////////////////////////////////////////////////////////////////////////////
uint TokenInfLength;
Console.WriteLine("[*] Enumerating Token Privileges");
advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out TokenInfLength);
if (TokenInfLength < 0 || TokenInfLength > int.MaxValue)
{
Misc.GetWin32Error("GetTokenInformation - 1 " + TokenInfLength);
return;
}
Console.WriteLine("[*] GetTokenInformation (TokenPrivileges) - Pass 1");
hTokenPrivileges = Marshal.AllocHGlobal((int)TokenInfLength);
////////////////////////////////////////////////////////////////////////////////
if (!advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, hTokenPrivileges, TokenInfLength, out TokenInfLength))
{
Misc.GetWin32Error("GetTokenInformation (TokenPrivileges) - 2 " + TokenInfLength);
return;
}
Console.WriteLine("[*] GetTokenInformation - Pass 2");
tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(hTokenPrivileges, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
Console.WriteLine("[+] Enumerated {0} Privileges", tokenPrivileges.PrivilegeCount);
Console.WriteLine();
Console.WriteLine("{0,-45}{1,-30}", "Privilege Name", "Enabled");
Console.WriteLine("{0,-45}{1,-30}", "--------------", "-------");
////////////////////////////////////////////////////////////////////////////////
for (int i = 0; i < tokenPrivileges.PrivilegeCount; i++)
{
StringBuilder lpName = new StringBuilder();
int cchName = 0;
IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(tokenPrivileges.Privileges[i]));
Marshal.StructureToPtr(tokenPrivileges.Privileges[i].Luid, lpLuid, true);
advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
if (cchName <= 0 || cchName > int.MaxValue)
{
Misc.GetWin32Error("LookupPrivilegeName Pass 1");
Marshal.FreeHGlobal(lpLuid);
continue;
}
lpName.EnsureCapacity(cchName + 1);
if (!advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName))
{
Misc.GetWin32Error("LookupPrivilegeName Pass 2");
Marshal.FreeHGlobal(lpLuid);
continue;
}
Winnt._PRIVILEGE_SET privilegeSet = new Winnt._PRIVILEGE_SET
{
PrivilegeCount = 1,
Control = Winnt.PRIVILEGE_SET_ALL_NECESSARY,
Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] }
};
int pfResult = 0;
if (!advapi32.PrivilegeCheck(hWorkingToken, ref privilegeSet, out pfResult))
{
Misc.GetWin32Error("PrivilegeCheck");
Marshal.FreeHGlobal(lpLuid);
continue;
}
Console.WriteLine("{0,-45}{1,-30}", lpName.ToString(), Convert.ToBoolean(pfResult));
Marshal.FreeHGlobal(lpLuid);
}
Console.WriteLine();
}
////////////////////////////////////////////////////////////////////////////////
// Prints the tokens privileges
////////////////////////////////////////////////////////////////////////////////
public static void DisableAndRemoveAllTokenPrivileges(ref IntPtr hToken)
{
////////////////////////////////////////////////////////////////////////////////
Console.WriteLine("[*] Enumerating Token Privileges");
advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out UInt32 TokenInfLength);
if (TokenInfLength < 0 || TokenInfLength > Int32.MaxValue)
{
GetWin32Error("GetTokenInformation - 1 " + TokenInfLength);
return;
}
Console.WriteLine("[*] GetTokenInformation - Pass 1");
IntPtr lpTokenInformation = Marshal.AllocHGlobal((Int32)TokenInfLength);
////////////////////////////////////////////////////////////////////////////////
if (!advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, lpTokenInformation, TokenInfLength, out TokenInfLength))
{
GetWin32Error("GetTokenInformation - 2 " + TokenInfLength);
return;
}
Console.WriteLine("[*] GetTokenInformation - Pass 2");
Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(lpTokenInformation, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
Marshal.FreeHGlobal(lpTokenInformation);
Console.WriteLine("[+] Enumerated {0} Privileges", tokenPrivileges.PrivilegeCount);
Console.WriteLine();
Console.WriteLine("{0,-45}{1,-30}", "Privilege Name", "Enabled");
Console.WriteLine("{0,-45}{1,-30}", "--------------", "-------");
////////////////////////////////////////////////////////////////////////////////
for (Int32 i = 0; i < tokenPrivileges.PrivilegeCount; i++)
{
StringBuilder lpName = new StringBuilder();
Int32 cchName = 0;
IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(tokenPrivileges.Privileges[i]));
Marshal.StructureToPtr(tokenPrivileges.Privileges[i].Luid, lpLuid, true);
advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
if (cchName <= 0 || cchName > Int32.MaxValue)
{
GetWin32Error("LookupPrivilegeName Pass 1");
Marshal.FreeHGlobal(lpLuid);
continue;
}
lpName.EnsureCapacity(cchName + 1);
if (!advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName))
{
GetWin32Error("LookupPrivilegeName Pass 2");
Marshal.FreeHGlobal(lpLuid);
continue;
}
Winnt._PRIVILEGE_SET privilegeSet = new Winnt._PRIVILEGE_SET
{
PrivilegeCount = 1,
Control = Winnt.PRIVILEGE_SET_ALL_NECESSARY,
Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] }
};
if (!advapi32.PrivilegeCheck(hToken, ref privilegeSet, out Int32 pfResult))
{
GetWin32Error("PrivilegeCheck");
Marshal.FreeHGlobal(lpLuid);
continue;
}
if (Convert.ToBoolean(pfResult))
{
SetTokenPrivilege(ref hToken, lpName.ToString(), Winnt.TokenPrivileges.SE_PRIVILEGE_NONE);
}
SetTokenPrivilege(ref hToken, lpName.ToString(), Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED);
Marshal.FreeHGlobal(lpLuid);
}
Console.WriteLine();
}
private bool CreateTokenPrivileges(Ntifs._TOKEN_USER tokenUser, Ntifs._TOKEN_GROUPS tokenGroups, out Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges)
{
Console.WriteLine("[*] _TOKEN_PRIVILEGES");
tokenPrivileges = new Winnt._TOKEN_PRIVILEGES_ARRAY();
//Console.WriteLine(" - LsaOpenPolicy");
ntsecapi._LSA_UNICODE_STRING systemName = new ntsecapi._LSA_UNICODE_STRING();
lsalookup._LSA_OBJECT_ATTRIBUTES lsaobjectAttributes = new lsalookup._LSA_OBJECT_ATTRIBUTES()
{
Length = (uint)Marshal.SizeOf(typeof(lsalookup._LSA_OBJECT_ATTRIBUTES)),
RootDirectory = IntPtr.Zero,
ObjectName = new ntsecapi._LSA_UNICODE_STRING(),
Attributes = 0,
SecurityDescriptor = IntPtr.Zero,
SecurityQualityOfService = IntPtr.Zero
};
IntPtr hPolicyHandle = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr)));
uint ntRetVal = advapi32.LsaOpenPolicy(
ref systemName,
ref lsaobjectAttributes,
(uint)lsalookup.LSA_ACCESS_MASK.POLICY_ALL_ACCESS,
out hPolicyHandle
);
if (0 != ntRetVal)
{
Misc.GetNtError("LsaOpenPolicy", ntRetVal);
return(false);
}
if (IntPtr.Zero == hPolicyHandle)
{
Misc.GetNtError("hPolicyHandle", ntRetVal);
return(false);
}
Dictionary <string, Winnt._LUID> rights = new Dictionary <string, Winnt._LUID>();
_LookupRights(hPolicyHandle, tokenUser.User.Sid, ref rights);
for (int i = 0; i < extraGroups + localEntriesRead + globalEntriesRead; i++)
{
_LookupRights(hPolicyHandle, tokenGroups.Groups[i].Sid, ref rights);
}
tokenPrivileges = new Winnt._TOKEN_PRIVILEGES_ARRAY()
{
PrivilegeCount = (uint)rights.Keys.Count,
Privileges = new Winnt._LUID_AND_ATTRIBUTES[35]
};
int j = 0;
foreach (string priv in rights.Keys)
{
tokenPrivileges.Privileges[j].Luid = rights[priv];
tokenPrivileges.Privileges[j].Attributes = Winnt.SE_PRIVILEGE_ENABLED;
j++;
}
return(true);
}
