private NtToken GetTicketToken(TokenAccessRights desired_access)
 {
     using (NtToken token = LogonUtils.LsaLogonTicket(LogonType, Ticket, KerbCred))
     {
         if (desired_access == TokenAccessRights.MaximumAllowed)
         {
             return(token.Duplicate());
         }
         return(token.Duplicate(desired_access));
     }
 }
Exemplo n.º 2
0
 private NtToken GetLogonToken(TokenAccessRights desired_access)
 {
     using (NtToken token = TokenUtils.GetLogonUserToken(User, Domain, Password, LogonType))
     {
         if (desired_access == TokenAccessRights.MaximumAllowed)
         {
             return(token.Duplicate());
         }
         return(token.Duplicate(desired_access));
     }
 }
 private NtToken GetS4UToken(TokenAccessRights desired_access)
 {
     using (NtToken token = LogonUtils.LogonS4U(User, Domain, LogonType))
     {
         if (desired_access == TokenAccessRights.MaximumAllowed)
         {
             return(token.Duplicate());
         }
         return(token.Duplicate(desired_access));
     }
 }
 private NtToken GetS4UToken(TokenAccessRights desired_access)
 {
     using (NtToken token = LogonUtils.LsaLogonS4U(User, Domain, LogonType, AuthenticationPackage.NEGOSSP_NAME))
     {
         if (desired_access == TokenAccessRights.MaximumAllowed)
         {
             return(token.Duplicate());
         }
         return(token.Duplicate(desired_access));
     }
 }
 private NtToken GetSandboxedToken(TokenAccessRights desired_access, Func <NtToken, NtToken> sandbox_func)
 {
     using (NtToken token = Token != null ? Token.Duplicate() : NtToken.OpenProcessToken())
     {
         using (NtToken sandbox_token = sandbox_func(token))
         {
             if (desired_access == TokenAccessRights.MaximumAllowed)
             {
                 return(token.Duplicate());
             }
             return(token.Duplicate(desired_access));
         }
     }
 }
        /// <summary>
        /// Get a safer token.
        /// </summary>
        /// <param name="token">The base token.</param>
        /// <param name="level">The safer level to use.</param>
        /// <param name="make_inert">True to make the token inert.</param>
        /// <returns>The safer token.</returns>
        public static NtToken GetTokenFromSaferLevel(NtToken token, SaferLevel level, bool make_inert)
        {
            IntPtr level_handle;

            if (!Win32NativeMethods.SaferCreateLevel(SaferScope.User, level, Win32NativeMethods.SAFER_LEVEL_OPEN, out level_handle, IntPtr.Zero))
            {
                throw new SafeWin32Exception();
            }

            try
            {
                using (NtToken duptoken = token.Duplicate(TokenAccessRights.GenericRead | TokenAccessRights.GenericExecute))
                {
                    SafeKernelObjectHandle handle;
                    if (Win32NativeMethods.SaferComputeTokenFromLevel(level_handle,
                                                                      duptoken.Handle, out handle, make_inert ? SaferFlags.MakeInert : 0, IntPtr.Zero))
                    {
                        return(NtToken.FromHandle(handle));
                    }
                    else
                    {
                        throw new SafeWin32Exception();
                    }
                }
            }
            finally
            {
                Win32NativeMethods.SaferCloseLevel(level_handle);
            }
        }
        /// <summary>
        /// Overridden ProcessRecord method.
        /// </summary>
        protected override void ProcessRecord()
        {
            NtToken token = null;

            if (Duplicate)
            {
                using (NtToken base_token = GetToken(TokenAccessRights.Duplicate))
                {
                    if (base_token != null)
                    {
                        token = base_token.DuplicateToken(TokenType, ImpersonationLevel, Access);
                        if (IntegrityLevel.HasValue)
                        {
                            using (NtToken set_token = token.Duplicate(TokenAccessRights.AdjustDefault))
                            {
                                set_token.SetIntegrityLevel(IntegrityLevel.Value);
                            }
                        }
                    }
                }
            }
            else
            {
                token = GetToken(Access);
            }
            WriteObject(token);
        }
Exemplo n.º 8
0
 public static void OpenForm(NtToken token, string text, bool copy)
 {
     if (token != null)
     {
         OpenForm(new TokenForm(copy ? token.Duplicate() : token, text));
     }
 }
 public ProcessTokenEntry(int process_id, string name, string image_path, string command_line, NtToken process_token)
 {
     ProcessId    = process_id;
     Name         = name;
     ImagePath    = image_path;
     CommandLine  = command_line;
     ProcessToken = process_token.Duplicate();
 }
 public ThreadTokenEntry(NtProcess process, NtToken process_token,
                         int thread_id, string thread_name, NtToken thread_token)
     : base(process, process_token)
 {
     ThreadName  = thread_name;
     ThreadId    = thread_id;
     ThreadToken = thread_token.Duplicate();
 }
        private NtToken GetLogonToken(TokenAccessRights desired_access)
        {
            IEnumerable <UserGroup> groups = null;

            if (AdditionalGroups != null && AdditionalGroups.Length > 0)
            {
                groups = AdditionalGroups.Select(s => new UserGroup(s,
                                                                    GroupAttributes.Enabled | GroupAttributes.EnabledByDefault | GroupAttributes.Mandatory));
            }
            using (NtToken token = TokenUtils.GetLogonUserToken(User, Domain, Password, LogonType, groups))
            {
                if (desired_access == TokenAccessRights.MaximumAllowed)
                {
                    return(token.Duplicate());
                }
                return(token.Duplicate(desired_access));
            }
        }
 public ProcessTokenEntry(int process_id, string name, string image_path,
                          string command_line, NtToken process_token, SecurityDescriptor process_security)
 {
     ProcessId       = process_id;
     Name            = name;
     ImagePath       = image_path;
     CommandLine     = command_line;
     ProcessToken    = process_token.Duplicate();
     ProcessSecurity = process_security;
 }
        private NtToken GetLogonToken(TokenAccessRights desired_access, string user,
                                      string domain, SecureString password, SecurityLogonType logon_type)
        {
            IEnumerable <UserGroup> groups = null;

            if (AdditionalGroup != null && AdditionalGroup.Length > 0)
            {
                groups = AdditionalGroup.Select(s => new UserGroup(s,
                                                                   GetAttributes(s)));
            }
            using (NtToken token = Win32Security.LsaLogonUser(user, domain, password, logon_type, LogonProvider, groups))
            {
                if (desired_access == TokenAccessRights.MaximumAllowed)
                {
                    return(token.Duplicate());
                }
                return(token.Duplicate(desired_access));
            }
        }
 public ThreadTokenEntry(NtProcess process, NtToken process_token,
                         int thread_id, string thread_name, NtToken thread_token,
                         SecurityDescriptor thread_security)
     : base(process, process_token)
 {
     ThreadName     = thread_name;
     ThreadId       = thread_id;
     ThreadToken    = thread_token.Duplicate();
     ThreadSecurity = thread_security;
 }
Exemplo n.º 15
0
        static Form GetFormFromArgs(string[] args)
        {
            try
            {
                int    pid       = -1;
                int    handle    = -1;
                string text      = string.Empty;
                bool   show_help = false;

                OptionSet opts = new OptionSet()
                {
                    { "p|pid=", "Specify a process ID to view the token.",
                      v => pid = int.Parse(v) },
                    { "handle=", "Specify an inherited handle to view.",
                      v => handle = int.Parse(v) },
                    { "text=", "Specify a text string for the token window.",
                      v => text = v },
                    { "h|help", "Show this message and exit",
                      v => show_help = v != null },
                };

                opts.Parse(args);

                if (show_help || (handle <= 0 && pid <= 0))
                {
                    ShowHelp(opts);
                }
                else if (handle > 0)
                {
                    using (NtToken token = NtToken.FromHandle(new SafeKernelObjectHandle(new IntPtr(handle), true)))
                    {
                        if (token.NtType != NtType.GetTypeByType <NtToken>())
                        {
                            throw new ArgumentException("Passed handle is not a token");
                        }

                        return(new TokenForm(token.Duplicate(), text));
                    }
                }
                else if (pid > 0)
                {
                    using (NtProcess process = NtProcess.Open(pid, ProcessAccessRights.QueryLimitedInformation))
                    {
                        return(new TokenForm(process.OpenToken(),
                                             $"{process.Name}:{pid}"));
                    }
                }
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
            }

            return(null);
        }
Exemplo n.º 16
0
 private void btnPermissions_Click(object sender, EventArgs e)
 {
     try
     {
         NativeBridge.EditSecurity(Handle, _token.Duplicate(TokenAccessRights.ReadControl), "Token");
     }
     catch (NtException ex)
     {
         MessageBox.Show(this, ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
     }
 }
        private ListViewItem CreateProcessNode(NtProcess entry, NtToken token)
        {
            ListViewItem item = new ListViewItem(entry.ProcessId.ToString());

            item.SubItems.Add(entry.Name);
            item.SubItems.Add(token.User.ToString());
            item.SubItems.Add(token.IntegrityLevel.ToString());
            item.SubItems.Add(token.Restricted.ToString());
            item.SubItems.Add(token.AppContainer.ToString());
            item.Tag = token.Duplicate();
            return(item);
        }
 private static NtToken DuplicateToken(NtToken token)
 {
     if (token.TokenType == TokenType.Primary)
     {
         return(token.DuplicateToken(TokenType.Impersonation, SecurityImpersonationLevel.Impersonation,
                                     TokenAccessRights.Query | TokenAccessRights.Impersonate | TokenAccessRights.Duplicate));
     }
     else
     {
         return(token.Duplicate(TokenAccessRights.Query | TokenAccessRights.Impersonate | TokenAccessRights.Duplicate));
     }
 }
        public static void OpenForm(NtToken token, string text, bool copy)
        {
            if (token != null)
            {
                TokenForm form = new TokenForm(copy ? token.Duplicate() : token, text);

                _forms.Add(form);
                form.FormClosed += form_FormClosed;

                form.Show(_main_form);
            }
        }
        private void btnRefreshHandles_Click(object sender, EventArgs e)
        {
            ClearList(listViewHandles);
            int current_pid = Process.GetCurrentProcess().Id;

            NtToken.EnableDebugPrivilege();
            List <ListViewItem> items = new List <ListViewItem>();

            foreach (var group in NtSystemInfo.GetHandles()
                     .Where(h => h.ProcessId != current_pid && h.ObjectType.Equals("token", StringComparison.OrdinalIgnoreCase))
                     .GroupBy(h => h.ProcessId))
            {
                using (var proc = NtProcess.Open(group.Key, ProcessAccessRights.DupHandle | ProcessAccessRights.QueryLimitedInformation, false))
                {
                    if (!proc.IsSuccess)
                    {
                        continue;
                    }

                    foreach (NtHandle handle in group)
                    {
                        using (var token_result = NtToken.DuplicateFrom(proc.Result, new IntPtr(handle.Handle),
                                                                        TokenAccessRights.Query | TokenAccessRights.QuerySource, DuplicateObjectOptions.None, false))
                        {
                            if (!token_result.IsSuccess)
                            {
                                continue;
                            }
                            NtToken      token = token_result.Result;
                            ListViewItem item  = new ListViewItem(handle.ProcessId.ToString());
                            item.SubItems.Add(proc.Result.Name);
                            item.SubItems.Add($"0x{handle.Handle:X}");
                            item.SubItems.Add(token.User.ToString());
                            item.SubItems.Add(token.IntegrityLevel.ToString());
                            string restricted = token.Restricted.ToString();
                            if (token.WriteRestricted)
                            {
                                restricted = "Write";
                            }
                            item.SubItems.Add(restricted);
                            item.SubItems.Add(token.AppContainer.ToString());
                            item.SubItems.Add(token.TokenType.ToString());
                            item.SubItems.Add(token.ImpersonationLevel.ToString());
                            item.Tag = token.Duplicate();
                            items.Add(item);
                        }
                    }
                }
            }
            listViewHandles.Items.AddRange(items.ToArray());
            ResizeColumns(listViewHandles);
        }
 private bool ShowTokenPermissions(TokenAccessRights access, bool throw_on_error)
 {
     using (var result = _token.Duplicate(access, AttributeFlags.None, DuplicateObjectOptions.None, throw_on_error))
     {
         if (result.IsSuccess)
         {
             Win32Utils.EditSecurity(Handle,
                                     result.Result,
                                     "Token", false);
             return(true);
         }
     }
     return(false);
 }
        private void btnRefreshHandles_Click(object sender, EventArgs e)
        {
            ClearList(listViewHandles);
            int current_pid = Process.GetCurrentProcess().Id;

            NtToken.EnableDebugPrivilege();
            List <ListViewItem> items = new List <ListViewItem>();

            foreach (var group in NtSystemInfo.GetHandles()
                     .Where(h => h.ProcessId != current_pid && h.ObjectType.Equals("token", StringComparison.OrdinalIgnoreCase))
                     .GroupBy(h => h.ProcessId))
            {
                try
                {
                    using (NtProcess proc = NtProcess.Open(group.Key, ProcessAccessRights.DupHandle | ProcessAccessRights.QueryLimitedInformation))
                    {
                        foreach (NtHandle handle in group)
                        {
                            try
                            {
                                using (NtToken token = NtToken.DuplicateFrom(proc, new IntPtr(handle.Handle),
                                                                             TokenAccessRights.Query | TokenAccessRights.QuerySource))
                                {
                                    ListViewItem item = new ListViewItem(handle.ProcessId.ToString());
                                    item.SubItems.Add(proc.Name);
                                    item.SubItems.Add(String.Format("0x{0:X}", handle.Handle));
                                    item.SubItems.Add(token.User.ToString());
                                    item.SubItems.Add(token.IntegrityLevel.ToString());
                                    item.SubItems.Add(token.Restricted.ToString());
                                    item.SubItems.Add(token.AppContainer.ToString());
                                    item.SubItems.Add(token.TokenType.ToString());
                                    item.SubItems.Add(token.ImpersonationLevel.ToString());
                                    item.Tag = token.Duplicate();
                                    items.Add(item);
                                }
                            }
                            catch (NtException)
                            {
                            }
                        }
                    }
                }
                catch (NtException)
                {
                }
            }
            listViewHandles.Items.AddRange(items.ToArray());
            ResizeColumns(listViewHandles);
        }
Exemplo n.º 23
0
        private static NtToken DuplicateForAccessCheck(NtToken token)
        {
            if (token.IsPseudoToken)
            {
                // This is a pseudo token, pass along as no need to duplicate.
                return(token);
            }

            if (token.TokenType == TokenType.Primary)
            {
                return(token.DuplicateToken(TokenType.Impersonation, SecurityImpersonationLevel.Identification, TokenAccessRights.Query));
            }
            else if (!token.IsAccessGranted(TokenAccessRights.Query))
            {
                return(token.Duplicate(TokenAccessRights.Query));
            }
            else
            {
                // If we've got query access rights already just create a shallow clone.
                return(token.ShallowClone());
            }
        }
        private NtToken CreateToken()
        {
            SandboxTokenType type          = GetSelectedTokenType();
            NtToken          current_token = _token.Duplicate();

            if ((type & SandboxTokenType.RestrictedOnly) != 0)
            {
                using (NtToken tmp_token = current_token)
                {
                    current_token = CreateRestrictedToken(tmp_token);
                }
            }

            if ((type & SandboxTokenType.LowBoxOnly) != 0)
            {
                using (NtToken tmp_token = current_token)
                {
                    current_token = CreateLowBoxToken(tmp_token);
                }
            }

            return(current_token);
        }
 public ServiceTokenEntry(RunningService service, NtToken token)
 {
     Service      = service;
     ProcessToken = token.Duplicate();
 }
        public static NtToken GetTokenFromSaferLevel(NtToken token, SaferLevel level, bool make_inert)
        {
            IntPtr level_handle;

            if (!SaferCreateLevel(SaferScope.User, level, SAFER_LEVEL_OPEN, out level_handle, IntPtr.Zero))
            {
                throw new SafeWin32Exception();
            }

            try
            {
                using (NtToken duptoken = token.Duplicate(TokenAccessRights.GenericRead | TokenAccessRights.GenericExecute))
                {
                    SafeKernelObjectHandle handle;
                    if (SaferComputeTokenFromLevel(level_handle, duptoken.Handle, out handle, make_inert ? SaferFlags.MakeInert : 0, IntPtr.Zero))
                    {
                        return NtToken.FromHandle(handle);
                    }
                    else
                    {
                        throw new SafeWin32Exception();
                    }
                }
            }
            finally
            {
                SaferCloseLevel(level_handle);
            }
        }
        public static void OpenForm(NtToken token, bool copy)
        {
            if (token != null)
            {
                TokenForm form = new TokenForm(copy ? token.Duplicate() : token);

                _forms.Add(form);
                form.FormClosed += form_FormClosed;

                form.Show(_main_form);
            }
        }