public ObjectManagerPSDriveInfo(NtObject root, PSDriveInfo drive_info)
            : base(drive_info)
        {
            if (root is NtDirectory dir)
            {
                DirectoryRoot = new NtDirectoryContainer(dir);
            }
            else if (root is NtKey key)
            {
                bool open_for_backup = false;
                using (var token = NtToken.OpenProcessToken())
                {
                    if (token.SinglePrivilegeCheck(TokenPrivilegeValue.SeBackupPrivilege))
                    {
                        open_for_backup = true;
                    }
                }

                DirectoryRoot = new NtKeyContainer(key, open_for_backup);
            }
            else
            {
                throw new ArgumentException($"Invalid root object. {root.NtTypeName}");
            }
        }
Exemplo n.º 2
0
        private static Dictionary <string, string> CreateWin32BaseKeys()
        {
            Dictionary <string, string> dict = new Dictionary <string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "HKLM", @"\Registry\Machine" },
                { "HKEY_LOCAL_MACHINE", @"\Registry\Machine" },
                { "HKU", @"\Registry\User" },
                { "HKEY_USERS", @"\Registry\User" },
                { "HKEY_CURRENT_CONFIG", @"\Registry\Machine\System\CurrentControlSet\Hardware Profiles\Current" },
                { "HKCC", @"\Registry\Machine\System\CurrentControlSet\Hardware Profiles\Current" },
            };

            using (var token = NtToken.OpenProcessToken(NtProcess.Current, TokenAccessRights.Query, false))
            {
                if (token.IsSuccess)
                {
                    string current_user = $@"\Registry\User\{token.Result.User.Sid}";
                    dict.Add("HKCU", current_user);
                    dict.Add("HKEY_CURRENT_USER", current_user);
                    dict.Add(@"HKCU\Software\Classes", $"{current_user}_Classes");
                    dict.Add(@"HKEY_CURRENT_USER\Software\Classes", $"{current_user}_Classes");
                }
            }
            dict.Add("HKEY_CLASSES_ROOT", @"\Registry\Machine\Software\Classes");
            dict.Add("HKCR", @"\Registry\Machine\Software\Classes");
            return(dict);
        }
        private static NtToken GetTokenFromProcessWithImpersonation(NtProcess process)
        {
            if (_system_token.Value != null)
            {
                using (_system_token.Value.Impersonate())
                {
                    using (var token = NtToken.OpenProcessToken(process,
                                                                TokenAccessRights.Duplicate |
                                                                TokenAccessRights.Impersonate |
                                                                TokenAccessRights.Query, false))
                    {
                        if (!token.IsSuccess)
                        {
                            if (token.Status != NtStatus.STATUS_ACCESS_DENIED)
                            {
                                token.Status.ToNtException();
                            }
                        }
                        return(token.Result.Duplicate());
                    }
                }
            }

            return(GetTokenFromProcessDuplication(process));
        }
Exemplo n.º 4
0
        private void RefreshServiceList()
        {
            ClearList(listViewServices);
            foreach (var service in ServiceUtils.GetRunningServicesWithProcessIds())
            {
                using (var result = NtToken.OpenProcessToken(service.ProcessId, false, TokenAccessRights.MaximumAllowed | TokenAccessRights.Query, false))
                {
                    if (!result.IsSuccess)
                    {
                        continue;
                    }

                    var token = result.Result;

                    ListViewItem item = new ListViewItem(service.Name);
                    item.SubItems.Add(token.User.ToString());
                    item.SubItems.Add(service.LaunchProtected.ToString());
                    item.SubItems.Add(service.SidType.ToString());
                    item.SubItems.Add(service.DisplayName);
                    item.SubItems.Add(service.ProcessId.ToString());
                    item.Tag = new ServiceTokenEntry(service, token);
                    listViewServices.Items.Add(item);
                }
            }
            ResizeColumns(listViewServices);
        }
Exemplo n.º 5
0
        public void UpdateProcessList(ProcessAccessRights desired_access, bool require_token)
        {
            NtToken.EnableDebugPrivilege();
            ClearListView();
            using (var ps = NtProcess.GetProcesses(ProcessAccessRights.QueryLimitedInformation | desired_access, true).ToDisposableList())
            {
                foreach (var p in ps.OrderBy(p => p.ProcessId))
                {
                    using (var result = NtToken.OpenProcessToken(p, TokenAccessRights.MaximumAllowed, false))
                    {
                        if (!result.IsSuccess && require_token)
                        {
                            continue;
                        }

                        ListViewItem item = listViewProcesses.Items.Add(p.ProcessId.ToString());
                        item.SubItems.Add(p.Name);
                        if (result.IsSuccess)
                        {
                            NtToken token = result.Result;
                            item.SubItems.Add(p.User.Name);
                            item.SubItems.Add(token.IntegrityLevel.ToString());
                        }
                        item.Tag = _processes.AddResource(p.Duplicate());
                    }
                }
            }
            listViewProcesses.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent);
            listViewProcesses.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
            listViewProcesses.ListViewItemSorter = new ListItemComparer(0);
        }
        private NtToken GetEffectiveToken(TokenAccessRights desired_access)
        {
            if (Pseduo)
            {
                return(NtToken.PseudoEffectiveToken);
            }
            NtToken token = GetImpersonationToken(desired_access);

            if (token != null)
            {
                return(token);
            }

            if (Thread == null && !ThreadId.HasValue)
            {
                return(NtToken.OpenProcessToken(NtProcess.Current, false, desired_access));
            }

            int pid;

            if (Thread != null)
            {
                pid = Thread.ProcessId;
            }
            else
            {
                using (NtThread thread = NtThread.Open(ThreadId.Value, ThreadAccessRights.QueryLimitedInformation))
                {
                    pid = thread.ProcessId;
                }
            }

            return(NtToken.OpenProcessToken(pid, false, desired_access));
        }
 private NtToken OpenImpersonationToken()
 {
     using (NtToken token = NtToken.OpenProcessToken())
     {
         return(token.DuplicateToken(SecurityImpersonationLevel.Identification));
     }
 }
        private static void AddTokenEntryFromProcess(HashSet <TokenEntry> tokens, NtProcess process)
        {
            using (var token = NtToken.OpenProcessToken(process, false, TokenAccessRights.Query))
            {
                using (var imp_token = token.DuplicateToken(TokenType.Impersonation, SecurityImpersonationLevel.Impersonation,
                                                            TokenAccessRights.Query | TokenAccessRights.Impersonate | TokenAccessRights.Duplicate, false))
                {
                    NtToken valid_imp_token = null;
                    if (!imp_token.IsSuccess)
                    {
                        if (!_has_impersonate_privilege.Value || imp_token.Status != NtStatus.STATUS_ACCESS_DENIED)
                        {
                            imp_token.Status.ToNtException();
                        }

                        valid_imp_token = GetTokenFromProcessWithImpersonation(process);
                    }
                    else
                    {
                        valid_imp_token = imp_token.Result;
                    }
                    AddTokenEntry(tokens, new TokenEntry(token, valid_imp_token, process));
                }
            }
        }
        static void Main(string[] args)
        {
            bool             show_help    = false;
            bool             recursive    = false;
            HashSet <string> exclude_dirs = new HashSet <string>(StringComparer.OrdinalIgnoreCase);

            int pid = Process.GetCurrentProcess().Id;

            try
            {
                OptionSet opts = new OptionSet()
                {
                    { "r", "Recursive tree directory listing",
                      v => recursive = v != null },
                    { "sddl", "Print full SDDL security descriptors", v => _print_sddl = v != null },
                    { "p|pid=", "Specify a PID of a process to impersonate when checking", v => pid = int.Parse(v.Trim()) },
                    { "w", "Show only write permissions granted", v => _show_write_only = v != null },
                    { "k=", String.Format("Filter on a specific directory right [{0}]",
                                          String.Join(",", Enum.GetNames(typeof(DirectoryAccessRights)))), v => _dir_rights |= ParseRight(v, typeof(DirectoryAccessRights)) },
                    { "x=", "Specify a base path to exclude from recursive search", v => exclude_dirs.Add(v) },
                    { "t=", "Specify a type of object to include", v => _type_filter.Add(v) },
                    { "g", "Map access mask to generic rights.", v => _map_to_generic = v != null },
                    { "e", "Display errors when opening objects, ignores access denied.", v => _show_errors = v != null },
                    { "h|help", "show this message and exit", v => show_help = v != null },
                };

                List <string> paths = opts.Parse(args);

                if (show_help || (paths.Count == 0))
                {
                    ShowHelp(opts);
                }
                else
                {
                    using (NtToken token = NtToken.OpenProcessToken(pid))
                    {
                        foreach (string path in paths)
                        {
                            try
                            {
                                using (NtDirectory dir = OpenDirectory(path))
                                {
                                    HashSet <string> walked = new HashSet <string>(exclude_dirs, StringComparer.OrdinalIgnoreCase);
                                    Console.WriteLine("Dumping Directory: {0}", path);
                                    DumpDirectory(dir, token, recursive, walked);
                                }
                            }
                            catch (NtException ex)
                            {
                                Console.WriteLine("Couldn't open {0} - {1}", path, ex.Message);
                            }
                        }
                    }
                }
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }
        }
Exemplo n.º 10
0
        static void Main(string[] args)
        {
            try
            {
                string dir = CreateDir();
                Console.WriteLine("Created {0} to test mount point bypass", dir);
                using (var token = NtToken.OpenProcessToken())
                {
                    Console.WriteLine("Lowering token to Low IL");
                    token.SetIntegrityLevel(TokenIntegrityLevel.Low);
                }

                using (var file = NtFile.Open(NtFileUtils.DosFileNameToNt(dir), null,
                                              FileAccessRights.GenericRead | FileAccessRights.GenericWrite,
                                              FileShareMode.None, FileOpenOptions.OpenReparsePoint | FileOpenOptions.DirectoryFile))
                {
                    Console.WriteLine("Opened {0}", file.FullPath);
                    byte[] buffer = BuildReparseBuffer(Environment.GetFolderPath(Environment.SpecialFolder.Windows));
                    file.FsControl(NtWellKnownIoControlCodes.FSCTL_SET_REPARSE_POINT_EX, buffer, 0);
                    MountPointReparseBuffer rp = (MountPointReparseBuffer)file.GetReparsePoint();
                    Console.WriteLine("Set Mount Point: {0} {1}", rp.Tag, rp.SubstitutionName);
                    Console.ReadLine();
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
                Console.ReadLine();
            }
        }
Exemplo n.º 11
0
 /// <summary>
 /// Get the maximum permission access for this object based on the current token
 /// and its security descriptor.
 /// </summary>
 /// <returns>Returns 0 if can't read the security descriptor.</returns>
 public A GetMaximumAccess()
 {
     using (NtToken token = NtToken.OpenProcessToken())
     {
         return(GetMaximumAccess(token));
     }
 }
Exemplo n.º 12
0
 static void SetVirtualization(bool enable)
 {
     using (var token = NtToken.OpenProcessToken())
     {
         token.VirtualizationEnabled = enable;
     }
 }
        /// <summary>
        /// Method to create an object from a set of object attributes.
        /// </summary>
        /// <param name="obj_attributes">The object attributes to create/open from.</param>
        /// <returns>The newly created object.</returns>
        protected override object CreateObject(ObjectAttributes obj_attributes)
        {
            string key_path = Win32Path ? NtKeyUtils.Win32KeyNameToNt(KeyPath) : KeyPath;

            using (ObjectAttributes name = new ObjectAttributes(key_path, AttributeFlags.CaseInsensitive))
            {
                if ((LoadFlags & LoadKeyFlags.AppKey) == 0)
                {
                    using (NtToken token = NtToken.OpenProcessToken())
                    {
                        TokenPrivilege priv = token.GetPrivilege(TokenPrivilegeValue.SeRestorePrivilege);
                        if (priv == null || (priv.Attributes & PrivilegeAttributes.Enabled) == 0)
                        {
                            WriteWarning("Loading a non-app hive should require SeRestorePrivilege");
                        }
                    }
                }
                else
                {
                    if (!KeyPath.StartsWith(@"\Registry\A\", System.StringComparison.OrdinalIgnoreCase))
                    {
                        WriteWarning(@"Loading app hive outside of \Registry\A\ will fail on an up to date system.");
                    }
                }

                return(NtKey.LoadKey(name, obj_attributes, LoadFlags, Access));
            }
        }
 static bool IsInAppContainer()
 {
     using (var token = NtToken.OpenProcessToken())
     {
         return(token.AppContainer);
     }
 }
Exemplo n.º 15
0
 static void EnablePrivileges()
 {
     using (var token = NtToken.OpenProcessToken())
     {
         token.SetPrivilege(TokenPrivilegeValue.SeBackupPrivilege, PrivilegeAttributes.Enabled);
         token.SetPrivilege(TokenPrivilegeValue.SeRestorePrivilege, PrivilegeAttributes.Enabled);
     }
 }
Exemplo n.º 16
0
        static int Main(string[] args)
        {
            IntPtr handle = GetConsoleWindow();

            // Hide
            ShowWindow(handle, SW_HIDE);


            InvokePrivs.EnablePriv("SeImpersonatePrivilege");

            if (args.LongLength > 0)
            {
                string cmd = args[0];  //= Shell.GetCommand(Process.GetCurrentProcess().MainModule.FileName);
            }
            else
            {
                Environment.Exit(-1);
            }

            DCERPCNtlmHandler dcerpcServer    = new DCERPCNtlmHandler();
            Thread            bootstrapThread = null;
            Thread            dcerpcThread    = null;

            dcerpcThread = new Thread(() => dcerpcServer.start("127.0.0.1", "6666", "127.0.0.1", "135", false, "true", cmd));
            dcerpcThread.Start();
            Thread.Sleep(100);
            try
            {
                bootstrapThread = new Thread(() => ComUtils.BootstrapComMarshal());
                bootstrapThread.Start();
            }
            catch (Exception e)
            {
                Console.WriteLine("This wasn't supposed to happen... {0}", e);
            }


            if (dcerpcThread != null)
            {
                DCERPCNtlmHandler.finished.WaitOne();
                if (!Shell.NtShell)
                {
                    NtToken main_token = NtToken.OpenProcessToken();

                    //TokenUtils.CreateProcessForToken("powershell.exe -EncodedCommand " + cmd, main_token, false);
                    TokenUtils.CreateProcessForToken(cmd, main_token, false);
                }

                Thread.Sleep(100);
                Environment.Exit(0);


                dcerpcThread.Abort();
                bootstrapThread.Abort();
            }
            Environment.Exit(0);
            return(0);
        }
        private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
        {
            if (!NtToken.EnableDebugPrivilege())
            {
                WriteWarning("Current process doesn't have SeDebugPrivilege, results may be inaccurate");
            }

            NtType     type               = NtType.GetTypeByType <NtToken>();
            AccessMask access_rights      = type.MapGenericRights(AccessRights);
            int        current_session_id = NtProcess.Current.SessionId;

            using (var procs = NtProcess.GetProcesses(ProcessAccessRights.QueryInformation | ProcessAccessRights.ReadControl, false).ToDisposableList())
            {
                IEnumerable <NtProcess> proc_enum = procs;
                if (CurrentSession)
                {
                    proc_enum = proc_enum.Where(p => CheckSession(p, current_session_id));
                }
                foreach (var proc in proc_enum.Where(p => ShowDeadProcesses || !p.IsDeleting))
                {
                    using (var result = NtToken.OpenProcessToken(proc, TokenAccessRights.ReadControl | TokenAccessRights.Query, false))
                    {
                        if (!result.IsSuccess)
                        {
                            WriteWarning($"Couldn't open token for Process {proc.Name} PID: {proc.ProcessId} Status: {result.Status}");
                            continue;
                        }

                        NtToken primary_token = result.Result;
                        var     sd_result     = primary_token.GetSecurityDescriptor(SecurityInformation.AllBasic, false);
                        if (!sd_result.IsSuccess)
                        {
                            WriteWarning($"Couldn't get token's Security Descriptor for Process {proc.Name} PID: {proc.ProcessId} Status: {sd_result.Status}");
                            continue;
                        }

                        var    sd              = sd_result.Result;
                        string process_name    = proc.Name;
                        string process_cmdline = proc.CommandLine;
                        string image_path      = proc.FullPath;
                        int    process_id      = proc.ProcessId;

                        foreach (var token in tokens)
                        {
                            if (proc.GetMaximumAccess(token.Token).HasFlag(ProcessAccessRights.QueryLimitedInformation))
                            {
                                AccessMask granted_access = NtSecurity.GetMaximumAccess(sd, token.Token, type.GenericMapping);
                                if (IsAccessGranted(granted_access, access_rights))
                                {
                                    WriteObject(new TokenAccessCheckResult(primary_token, proc,
                                                                           granted_access, sd, token.Information));
                                }
                            }
                        }
                    }
                }
            }
        }
Exemplo n.º 18
0
        private static NtToken FetchDesktopToken()
        {
            var shell = GetShellWindow();

            _ = GetWindowThreadProcessId(shell, out var shellProcessId);
            using var proc  = NtProcess.Open(shellProcessId, ProcessAccessRights.MaximumAllowed, true).GetResultOrThrow();
            using var token = NtToken.OpenProcessToken(proc);
            return(token.DuplicateToken(TokenType.Primary, SecurityImpersonationLevel.Impersonation, TokenAccessRights.MaximumAllowed));
        }
        private NtToken GetPrimaryToken(TokenAccessRights desired_access)
        {
            if (ProcessId.HasValue)
            {
                return(NtToken.OpenProcessToken(ProcessId.Value, false, desired_access));
            }

            return(NtToken.OpenProcessToken(Process ?? NtProcess.Current, false, desired_access));
        }
Exemplo n.º 20
0
        static void Main(string[] args)
        {
            bool show_help = false;

            int pid = Process.GetCurrentProcess().Id;

            try
            {
                PrintDeprecationWarning();

                OptionSet opts = new OptionSet()
                {
                    { "r", "Recursive tree directory listing",
                      v => _recursive = v != null },
                    { "sddl", "Print full SDDL security descriptors", v => _print_sddl = v != null },
                    { "p|pid=", "Specify a PID of a process to impersonate when checking", v => pid = int.Parse(v.Trim()) },
                    { "w", "Show only write permissions granted", v => _show_write_only = v != null },
                    { "k=", String.Format("Filter on a specific right [{0}]",
                                          String.Join(",", Enum.GetNames(typeof(KeyAccessRights)))), v => _key_rights |= ParseRight(v, typeof(KeyAccessRights)) },
                    { "x=", "Specify a base path to exclude from recursive search", v => _walked.Add(v.ToLower()) },
                    { "g", "Map access mask to generic rights.", v => _map_to_generic = v != null },
                    { "h|help", "show this message and exit", v => show_help = v != null },
                };

                List <string> paths = opts.Parse(args);

                if (show_help || (paths.Count == 0))
                {
                    ShowHelp(opts);
                }
                else
                {
                    using (NtToken token = NtToken.OpenProcessToken(pid))
                    {
                        foreach (string path in paths)
                        {
                            try
                            {
                                using (NtKey key = OpenKey(path))
                                {
                                    DumpKey(token, key);
                                }
                            }
                            catch (NtException ex)
                            {
                                Console.Error.WriteLine("Error opening key: {0} - {1}", path, ex.Message);
                            }
                        }
                    }
                }
            }
            catch (Exception e)
            {
                Console.Error.WriteLine(e.Message);
            }
        }
 private static void AddTokenEntryFromProcess(HashSet <TokenEntry> tokens, NtProcess process)
 {
     using (NtToken token = NtToken.OpenProcessToken(process, false,
                                                     TokenAccessRights.Duplicate |
                                                     TokenAccessRights.Impersonate |
                                                     TokenAccessRights.Query))
     {
         AddTokenEntry(tokens, new TokenEntry(token, process));
     }
 }
        internal NtProcessMitigations(NtProcess process)
        {
            ProcessDepStatus dep_status = process.DepStatus;

            DisableAtlThunkEmulation = dep_status.DisableAtlThunkEmulation;
            DepEnabled   = dep_status.Enabled;
            DepPermanent = dep_status.Permanent;

            int result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessASLRPolicy);

            EnableBottomUpRandomization = result.GetBit(0);
            EnableForceRelocateImages   = result.GetBit(1);
            EnableHighEntropy           = result.GetBit(2);
            DisallowStrippedImages      = result.GetBit(3);

            DisallowWin32kSystemCalls = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessSystemCallDisablePolicy).GetBit(0);
            result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessStrictHandleCheckPolicy);
            RaiseExceptionOnInvalidHandleReference = result.GetBit(0);
            HandleExceptionsPermanentlyEnabled     = result.GetBit(1);

            result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessFontDisablePolicy);
            DisableNonSystemFonts     = result.GetBit(0);
            AuditNonSystemFontLoading = result.GetBit(1);

            result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessDynamicCodePolicy);
            ProhibitDynamicCode    = result.GetBit(0);
            AllowThreadOptOut      = result.GetBit(1);
            AllowRemoteDowngrade   = result.GetBit(2);
            DisableExtensionPoints = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessExtensionPointDisablePolicy).GetBit(0);
            result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessSignaturePolicy);
            MicrosoftSignedOnly   = result.GetBit(0);
            StoreSignedOnly       = result.GetBit(1);
            SignedMitigationOptIn = result.GetBit(2);

            result                    = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessImageLoadPolicy);
            NoRemoteImages            = result.GetBit(0);
            NoLowMandatoryLabelImages = result.GetBit(1);
            PreferSystem32Images      = result.GetBit(2);

            result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessReturnFlowGuardPolicy);
            EnabledReturnFlowGuard    = result.GetBit(0);
            ReturnFlowGuardStrictMode = result.GetBit(1);
            IsChildProcessRestricted  = process.IsChildProcessRestricted;
            using (var token = NtToken.OpenProcessToken(process, TokenAccessRights.Query, false))
            {
                IsRestricted               = token.Result.Restricted;
                IsAppContainer             = token.Result.AppContainer;
                IsLowPrivilegeAppContainer = token.Result.LowPrivilegeAppContainer;
                IntegrityLevel             = token.Result.IntegrityLevel;
            }
            ProcessId   = process.ProcessId;
            Name        = process.Name;
            ImagePath   = process.FullPath;
            CommandLine = process.CommandLine;
        }
Exemplo n.º 23
0
        static void Main(string[] args)
        {
            bool show_help = false;

            int pid = Process.GetCurrentProcess().Id;

            try
            {
                OptionSet opts = new OptionSet()
                {
                    { "r", "Recursive tree directory listing",
                      v => _recursive = v != null },
                    { "sddl", "Print full SDDL security descriptors", v => _print_sddl = v != null },
                    { "p|pid=", "Specify a PID of a process to impersonate when checking", v => pid = int.Parse(v.Trim()) },
                    { "w", "Show only write permissions granted", v => _show_write_only = v != null },
                    { "f=", String.Format("Filter on a file right [{0}]",
                                          String.Join(",", Enum.GetNames(typeof(FileAccessRights)))), v => _file_filter |= ParseRight(v, typeof(FileAccessRights)) },
                    { "d=", String.Format("Filter on a directory right [{0}]",
                                          String.Join(",", Enum.GetNames(typeof(FileDirectoryAccessRights)))), v => _dir_filter |= ParseRight(v, typeof(FileDirectoryAccessRights)) },
                    { "x=", "Specify a base path to exclude from recursive search", v => _walked.Add(v) },
                    { "q", "Don't print errors", v => _quiet = v != null },
                    { "onlydirs", "Only check the permissions of directories", v => _only_dirs = v != null },
                    { "h|help", "show this message and exit", v => show_help = v != null },
                };

                List <string> paths = opts.Parse(args);

                if (show_help || (paths.Count == 0))
                {
                    ShowHelp(opts);
                }
                else
                {
                    _type  = NtType.GetTypeByName("file");
                    _token = NtToken.OpenProcessToken(pid);

                    foreach (string path in paths)
                    {
                        if ((File.GetAttributes(path) & System.IO.FileAttributes.Directory) == System.IO.FileAttributes.Directory)
                        {
                            DumpDirectory(new DirectoryInfo(path));
                        }
                        else
                        {
                            DumpFile(new FileInfo(path));
                        }
                    }
                }
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }
        }
 private void btnCurrentProcess_Click(object sender, EventArgs e)
 {
     try
     {
         TokenForm.OpenForm(NtToken.OpenProcessToken(), false);
     }
     catch (NtException ex)
     {
         MessageBox.Show(this, ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
     }
 }
 private protected bool HasSecurityPrivilege()
 {
     if (!_has_security_privilege.HasValue)
     {
         using (var token = NtToken.OpenProcessToken())
         {
             _has_security_privilege = token.GetPrivilege(TokenPrivilegeValue.SeSecurityPrivilege)?.Enabled ?? false;
         }
     }
     return(_has_security_privilege.Value);
 }
 private static NtToken GetProcessToken(NtThread thread)
 {
     try
     {
         return(NtToken.OpenProcessToken(thread.ProcessId));
     }
     catch (NtException)
     {
         return(null);
     }
 }
        static void Main(string[] args)
        {
            bool show_help = false;

            int  pid             = Process.GetCurrentProcess().Id;
            int  recursive_depth = 1;
            bool no_files        = false;

            try
            {
                PrintDeprecationWarning();
                OptionSet opts = new OptionSet()
                {
                    { "r", "Recursive tree directory listing",
                      v => recursive_depth = v != null ? int.MaxValue : 1 },
                    { "sddl", "Print full SDDL security descriptors", v => _print_sddl = v != null },
                    { "p|pid=", "Specify a PID of a process to impersonate when checking", v => pid = int.Parse(v.Trim()) },
                    { "w", "Show only write permissions granted", v => _show_write_only = v != null },
                    { "f=", String.Format("Filter on a file right [{0}]",
                                          String.Join(",", Enum.GetNames(typeof(FileAccessRights)))), v => _file_filter |= ParseRight(v, typeof(FileAccessRights)) },
                    { "d=", String.Format("Filter on a directory right [{0}]",
                                          String.Join(",", Enum.GetNames(typeof(FileDirectoryAccessRights)))), v => _dir_filter |= ParseRight(v, typeof(FileDirectoryAccessRights)) },
                    { "x=", "Specify a base path to exclude from recursive search", v => _walked.Add(ConvertPath(v)) },
                    { "q", "Don't print errors", v => _quiet = v != null },
                    { "g", "Map access mask to generic rights.", v => _map_to_generic = v != null },
                    { "nofiles", "Don't show permission of files.", v => no_files = v != null },
                    { "depth", "Specify a recursive depth", v => recursive_depth = int.Parse(v) },
                    { "h|help", "show this message and exit", v => show_help = v != null },
                };

                List <string> paths = opts.Parse(args).Select(p => ConvertPath(p)).ToList();

                if (show_help || (paths.Count == 0))
                {
                    ShowHelp(opts);
                }
                else
                {
                    _type  = NtType.GetTypeByType <NtFile>();
                    _token = NtToken.OpenProcessToken(pid);

                    foreach (string path in paths)
                    {
                        DumpFile(path, null, recursive_depth, no_files);
                    }
                }
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }
        }
        private NtToken GetServiceNameToken(TokenAccessRights desired_access)
        {
            int pid = ServiceUtils.GetServiceProcessId(ServiceName);

            if (pid == 0)
            {
                throw new ArgumentException($"{ServiceName} is not current running.");
            }
            using (var process = NtProcess.Open(pid, ProcessAccessRights.QueryLimitedInformation))
            {
                return(NtToken.OpenProcessToken(process, false, desired_access));
            }
        }
 private NtToken GetSandboxedToken(TokenAccessRights desired_access, Func <NtToken, NtToken> sandbox_func)
 {
     using (NtToken token = Token != null ? Token.Duplicate() : NtToken.OpenProcessToken())
     {
         using (NtToken sandbox_token = sandbox_func(token))
         {
             if (desired_access == TokenAccessRights.MaximumAllowed)
             {
                 return(token.Duplicate());
             }
             return(token.Duplicate(desired_access));
         }
     }
 }
Exemplo n.º 30
0
        /// <summary>
        /// Override for begin processing.
        /// </summary>
        protected override void BeginProcessing()
        {
            using (NtToken process_token = NtToken.OpenProcessToken())
            {
                _open_for_backup = process_token.SetPrivilege(TokenPrivilegeValue.SeBackupPrivilege, PrivilegeAttributes.Enabled);

                if (!_open_for_backup)
                {
                    WriteWarning("Current process doesn't have SeBackupPrivilege, results may be inaccurate");
                }
            }

            base.BeginProcessing();
        }