public static extern uint NtCreateToken( out IntPtr TokenHandle, uint DesiredAccess, ref wudfwdm._OBJECT_ATTRIBUTES ObjectAttributes, Winnt._TOKEN_TYPE TokenType, ref Winnt._LUID AuthenticationId, //From NtAllocateLocallyUniqueId ref long ExpirationTime, ref Ntifs._TOKEN_USER TokenUser, ref Ntifs._TOKEN_GROUPS_DYNAMIC TokenGroups, ref Winnt._TOKEN_PRIVILEGES_ARRAY TokenPrivileges, ref Ntifs._TOKEN_OWNER TokenOwner, ref Winnt._TOKEN_PRIMARY_GROUP TokenPrimaryGroup, ref Winnt._TOKEN_DEFAULT_DACL TokenDefaultDacl, ref Winnt._TOKEN_SOURCE TokenSource );
//////////////////////////////////////////////////////////////////////////////// // Checks if a Privilege Exists and is Enabled //////////////////////////////////////////////////////////////////////////////// public static bool CheckTokenPrivilege(IntPtr hToken, string privilegeName, out bool exists, out bool enabled) { exists = false; enabled = false; //////////////////////////////////////////////////////////////////////////////// uint TokenInfLength = 0; advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out TokenInfLength); if (TokenInfLength <= 0 || TokenInfLength > int.MaxValue) { Misc.GetWin32Error("GetTokenInformation - 1 " + TokenInfLength); return(false); } IntPtr lpTokenInformation = Marshal.AllocHGlobal((int)TokenInfLength); //////////////////////////////////////////////////////////////////////////////// if (!advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, lpTokenInformation, TokenInfLength, out TokenInfLength)) { Misc.GetWin32Error("GetTokenInformation - 2 " + TokenInfLength); return(false); } Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(lpTokenInformation, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY)); Marshal.FreeHGlobal(lpTokenInformation); //////////////////////////////////////////////////////////////////////////////// for (int i = 0; i < tokenPrivileges.PrivilegeCount; i++) { System.Text.StringBuilder lpName = new System.Text.StringBuilder(); int cchName = 0; IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(tokenPrivileges.Privileges[i])); Marshal.StructureToPtr(tokenPrivileges.Privileges[i].Luid, lpLuid, true); try { advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName); if (cchName <= 0 || cchName > int.MaxValue) { Misc.GetWin32Error("LookupPrivilegeName Pass 1"); continue; } lpName.EnsureCapacity(cchName + 1); if (!advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName)) { Misc.GetWin32Error("LookupPrivilegeName Pass 2"); continue; } if (lpName.ToString() != privilegeName) { continue; } exists = true; Winnt._PRIVILEGE_SET privilegeSet = new Winnt._PRIVILEGE_SET { PrivilegeCount = 1, Control = Winnt.PRIVILEGE_SET_ALL_NECESSARY, Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] } }; int pfResult = 0; if (!advapi32.PrivilegeCheck(hToken, ref privilegeSet, out pfResult)) { Misc.GetWin32Error("PrivilegeCheck"); continue; } enabled = Convert.ToBoolean(pfResult); } catch (Exception ex) { Console.WriteLine(ex.Message); return(false); } finally { Marshal.FreeHGlobal(lpLuid); } } Console.WriteLine(); return(false); }
//////////////////////////////////////////////////////////////////////////////// // Prints the tokens privileges //////////////////////////////////////////////////////////////////////////////// public void GetTokenPrivileges() { //////////////////////////////////////////////////////////////////////////////// uint TokenInfLength; Console.WriteLine("[*] Enumerating Token Privileges"); advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out TokenInfLength); if (TokenInfLength < 0 || TokenInfLength > int.MaxValue) { Misc.GetWin32Error("GetTokenInformation - 1 " + TokenInfLength); return; } Console.WriteLine("[*] GetTokenInformation (TokenPrivileges) - Pass 1"); hTokenPrivileges = Marshal.AllocHGlobal((int)TokenInfLength); //////////////////////////////////////////////////////////////////////////////// if (!advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, hTokenPrivileges, TokenInfLength, out TokenInfLength)) { Misc.GetWin32Error("GetTokenInformation (TokenPrivileges) - 2 " + TokenInfLength); return; } Console.WriteLine("[*] GetTokenInformation - Pass 2"); tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(hTokenPrivileges, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY)); Console.WriteLine("[+] Enumerated {0} Privileges", tokenPrivileges.PrivilegeCount); Console.WriteLine(); Console.WriteLine("{0,-45}{1,-30}", "Privilege Name", "Enabled"); Console.WriteLine("{0,-45}{1,-30}", "--------------", "-------"); //////////////////////////////////////////////////////////////////////////////// for (int i = 0; i < tokenPrivileges.PrivilegeCount; i++) { StringBuilder lpName = new StringBuilder(); int cchName = 0; IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(tokenPrivileges.Privileges[i])); Marshal.StructureToPtr(tokenPrivileges.Privileges[i].Luid, lpLuid, true); advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName); if (cchName <= 0 || cchName > int.MaxValue) { Misc.GetWin32Error("LookupPrivilegeName Pass 1"); Marshal.FreeHGlobal(lpLuid); continue; } lpName.EnsureCapacity(cchName + 1); if (!advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName)) { Misc.GetWin32Error("LookupPrivilegeName Pass 2"); Marshal.FreeHGlobal(lpLuid); continue; } Winnt._PRIVILEGE_SET privilegeSet = new Winnt._PRIVILEGE_SET { PrivilegeCount = 1, Control = Winnt.PRIVILEGE_SET_ALL_NECESSARY, Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] } }; int pfResult = 0; if (!advapi32.PrivilegeCheck(hWorkingToken, ref privilegeSet, out pfResult)) { Misc.GetWin32Error("PrivilegeCheck"); Marshal.FreeHGlobal(lpLuid); continue; } Console.WriteLine("{0,-45}{1,-30}", lpName.ToString(), Convert.ToBoolean(pfResult)); Marshal.FreeHGlobal(lpLuid); } Console.WriteLine(); }
//////////////////////////////////////////////////////////////////////////////// // Prints the tokens privileges //////////////////////////////////////////////////////////////////////////////// public static void DisableAndRemoveAllTokenPrivileges(ref IntPtr hToken) { //////////////////////////////////////////////////////////////////////////////// Console.WriteLine("[*] Enumerating Token Privileges"); advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out UInt32 TokenInfLength); if (TokenInfLength < 0 || TokenInfLength > Int32.MaxValue) { GetWin32Error("GetTokenInformation - 1 " + TokenInfLength); return; } Console.WriteLine("[*] GetTokenInformation - Pass 1"); IntPtr lpTokenInformation = Marshal.AllocHGlobal((Int32)TokenInfLength); //////////////////////////////////////////////////////////////////////////////// if (!advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, lpTokenInformation, TokenInfLength, out TokenInfLength)) { GetWin32Error("GetTokenInformation - 2 " + TokenInfLength); return; } Console.WriteLine("[*] GetTokenInformation - Pass 2"); Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(lpTokenInformation, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY)); Marshal.FreeHGlobal(lpTokenInformation); Console.WriteLine("[+] Enumerated {0} Privileges", tokenPrivileges.PrivilegeCount); Console.WriteLine(); Console.WriteLine("{0,-45}{1,-30}", "Privilege Name", "Enabled"); Console.WriteLine("{0,-45}{1,-30}", "--------------", "-------"); //////////////////////////////////////////////////////////////////////////////// for (Int32 i = 0; i < tokenPrivileges.PrivilegeCount; i++) { StringBuilder lpName = new StringBuilder(); Int32 cchName = 0; IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(tokenPrivileges.Privileges[i])); Marshal.StructureToPtr(tokenPrivileges.Privileges[i].Luid, lpLuid, true); advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName); if (cchName <= 0 || cchName > Int32.MaxValue) { GetWin32Error("LookupPrivilegeName Pass 1"); Marshal.FreeHGlobal(lpLuid); continue; } lpName.EnsureCapacity(cchName + 1); if (!advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName)) { GetWin32Error("LookupPrivilegeName Pass 2"); Marshal.FreeHGlobal(lpLuid); continue; } Winnt._PRIVILEGE_SET privilegeSet = new Winnt._PRIVILEGE_SET { PrivilegeCount = 1, Control = Winnt.PRIVILEGE_SET_ALL_NECESSARY, Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] } }; if (!advapi32.PrivilegeCheck(hToken, ref privilegeSet, out Int32 pfResult)) { GetWin32Error("PrivilegeCheck"); Marshal.FreeHGlobal(lpLuid); continue; } if (Convert.ToBoolean(pfResult)) { SetTokenPrivilege(ref hToken, lpName.ToString(), Winnt.TokenPrivileges.SE_PRIVILEGE_NONE); } SetTokenPrivilege(ref hToken, lpName.ToString(), Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED); Marshal.FreeHGlobal(lpLuid); } Console.WriteLine(); }
private bool CreateTokenPrivileges(Ntifs._TOKEN_USER tokenUser, Ntifs._TOKEN_GROUPS tokenGroups, out Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges) { Console.WriteLine("[*] _TOKEN_PRIVILEGES"); tokenPrivileges = new Winnt._TOKEN_PRIVILEGES_ARRAY(); //Console.WriteLine(" - LsaOpenPolicy"); ntsecapi._LSA_UNICODE_STRING systemName = new ntsecapi._LSA_UNICODE_STRING(); lsalookup._LSA_OBJECT_ATTRIBUTES lsaobjectAttributes = new lsalookup._LSA_OBJECT_ATTRIBUTES() { Length = (uint)Marshal.SizeOf(typeof(lsalookup._LSA_OBJECT_ATTRIBUTES)), RootDirectory = IntPtr.Zero, ObjectName = new ntsecapi._LSA_UNICODE_STRING(), Attributes = 0, SecurityDescriptor = IntPtr.Zero, SecurityQualityOfService = IntPtr.Zero }; IntPtr hPolicyHandle = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr))); uint ntRetVal = advapi32.LsaOpenPolicy( ref systemName, ref lsaobjectAttributes, (uint)lsalookup.LSA_ACCESS_MASK.POLICY_ALL_ACCESS, out hPolicyHandle ); if (0 != ntRetVal) { Misc.GetNtError("LsaOpenPolicy", ntRetVal); return(false); } if (IntPtr.Zero == hPolicyHandle) { Misc.GetNtError("hPolicyHandle", ntRetVal); return(false); } Dictionary <string, Winnt._LUID> rights = new Dictionary <string, Winnt._LUID>(); _LookupRights(hPolicyHandle, tokenUser.User.Sid, ref rights); for (int i = 0; i < extraGroups + localEntriesRead + globalEntriesRead; i++) { _LookupRights(hPolicyHandle, tokenGroups.Groups[i].Sid, ref rights); } tokenPrivileges = new Winnt._TOKEN_PRIVILEGES_ARRAY() { PrivilegeCount = (uint)rights.Keys.Count, Privileges = new Winnt._LUID_AND_ATTRIBUTES[35] }; int j = 0; foreach (string priv in rights.Keys) { tokenPrivileges.Privileges[j].Luid = rights[priv]; tokenPrivileges.Privileges[j].Attributes = Winnt.SE_PRIVILEGE_ENABLED; j++; } return(true); }