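////////////////////////////////////////////////////////////////////////////////
// Finds a process per user discovered
// Walks every process, opens its token and records one process ID per
// distinct user name. Impersonation tokens are skipped so only primary
// tokens are reported (the TokenType check now runs after the statistics
// have actually been populated).
// findElevation - when true, only tokens that pass
//                 CheckPrivileges.CheckElevation are considered
// Returns: user name -> process ID of the first matching process
////////////////////////////////////////////////////////////////////////////////
public static Dictionary<String, UInt32> EnumerateTokens(Boolean findElevation)
{
    Dictionary<String, UInt32> users = new Dictionary<String, UInt32>();
    foreach (Process p in Process.GetProcesses())
    {
        IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_QUERY_LIMITED_INFORMATION, true, (UInt32)p.Id);
        if (IntPtr.Zero == hProcess)
        {
            continue;
        }

        IntPtr hToken;
        Boolean tokenOpened = kernel32.OpenProcessToken(hProcess, (UInt32)Enums.ACCESS_MASK.MAXIMUM_ALLOWED, out hToken);
        // The process handle is only needed to open the token; release it on both paths
        kernel32.CloseHandle(hProcess);
        if (!tokenOpened)
        {
            continue;
        }

        try
        {
            if (findElevation && !CheckPrivileges.CheckElevation(hToken))
            {
                continue;
            }

            UInt32 dwLength = 0;
            Winnt._TOKEN_STATISTICS tokenStatistics = new Winnt._TOKEN_STATISTICS();
            // First call reports the required length in dwLength; the second call fills the structure
            if (!advapi32.GetTokenInformation(hToken, Enums._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
            {
                if (!advapi32.GetTokenInformation(hToken, Enums._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
                {
                    // Read the error code before any further Win32 call can overwrite it
                    Console.WriteLine("GetTokenInformation: {0}", Marshal.GetLastWin32Error());
                    continue;
                }
            }

            // Split up impersonation and primary tokens. This must come after
            // GetTokenInformation; before it TokenType still holds its default value
            if (Winnt.TOKEN_TYPE.TokenImpersonation == tokenStatistics.TokenType)
            {
                continue;
            }

            String userName = String.Empty;
            if (!ConvertTokenStatisticsToUsername(tokenStatistics, ref userName))
            {
                continue;
            }

            if (!users.ContainsKey(userName))
            {
                users.Add(userName, (UInt32)p.Id);
            }
        }
        finally
        {
            // Close the token handle on every exit path, including the early continues above
            kernel32.CloseHandle(hToken);
        }
    }
    return users;
}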
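////////////////////////////////////////////////////////////////////////////////
// Find processes for a user via Tokens
// Opens the token of every process and collects those whose primary token
// resolves to userAccount (compared case-insensitively, ordinal).
// findElevation - when true, only tokens that pass
//                 CheckPrivileges.CheckElevation are considered, and the
//                 first match is returned immediately
// userAccount   - account name to match; must not be null
// Returns: process ID -> process name, sorted by process name
//          (unsorted single entry when findElevation short-circuits)
// Throws: ArgumentNullException when userAccount is null
////////////////////////////////////////////////////////////////////////////////
public static Dictionary<UInt32, String> EnumerateUserProcesses(Boolean findElevation, String userAccount)
{
    if (userAccount == null)
    {
        throw new ArgumentNullException("userAccount");
    }

    Dictionary<UInt32, String> users = new Dictionary<UInt32, String>();
    Process[] pids = Process.GetProcesses();
    Console.WriteLine("[*] Examining {0} processes", pids.Length);
    foreach (Process p in pids)
    {
        IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_QUERY_LIMITED_INFORMATION, true, (UInt32)p.Id);
        if (IntPtr.Zero == hProcess)
        {
            continue;
        }

        IntPtr hToken;
        Boolean tokenOpened = kernel32.OpenProcessToken(hProcess, (UInt32)Enums.ACCESS_MASK.MAXIMUM_ALLOWED, out hToken);
        // The process handle is only needed to open the token; release it on both paths
        kernel32.CloseHandle(hProcess);
        if (!tokenOpened)
        {
            continue;
        }

        try
        {
            if (findElevation && !CheckPrivileges.CheckElevation(hToken))
            {
                continue;
            }

            UInt32 dwLength = 0;
            Winnt._TOKEN_STATISTICS tokenStatistics = new Winnt._TOKEN_STATISTICS();
            // First call reports the required length in dwLength; the second call fills the structure
            if (!advapi32.GetTokenInformation(hToken, Enums._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
            {
                if (!advapi32.GetTokenInformation(hToken, Enums._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
                {
                    continue;
                }
            }

            // Only primary tokens are of interest here
            if (Winnt.TOKEN_TYPE.TokenImpersonation == tokenStatistics.TokenType)
            {
                continue;
            }

            String userName = String.Empty;
            if (!ConvertTokenStatisticsToUsername(tokenStatistics, ref userName))
            {
                continue;
            }

            // Account names are identifiers, so compare ordinally rather than via culture-sensitive ToUpper()
            if (String.Equals(userName, userAccount, StringComparison.OrdinalIgnoreCase))
            {
                users.Add((UInt32)p.Id, p.ProcessName);
                if (findElevation)
                {
                    return users;
                }
            }
        }
        finally
        {
            // Close the token handle on every exit path, including the early continues and return above
            kernel32.CloseHandle(hToken);
        }
    }
    Console.WriteLine("[*] Discovered {0} processes", users.Count);

    Dictionary<UInt32, String> sorted = new Dictionary<UInt32, String>();
    foreach (var user in users.OrderBy(u => u.Value))
    {
        sorted.Add(user.Key, user.Value);
    }
    return sorted;
}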