 // P/Invoke binding for advapi32!PrivilegeCheck. Native signature:
 //   BOOL PrivilegeCheck(HANDLE ClientToken, PPRIVILEGE_SET RequiredPrivileges, LPBOOL pfResult);
 // Per the Win32 contract it reports through pfResult whether the privileges listed in
 // RequiredPrivileges are enabled in ClientToken (all of them or any of them, selected by
 // the set's Control flag). The [DllImport] attribute is outside this excerpt; any
 // GetLastError-based error reporting relies on SetLastError = true being set on it — confirm.
 //
 // NOTE(review): RequiredPrivileges is passed by value although the API takes a pointer. If
 // Structs._PRIVILEGE_SET is a class the marshaler passes a pointer and this is fine; if it is
 // a struct, the x64 calling convention happens to pass large structs as a pointer to a copy,
 // which masks the mismatch but would break on x86, and any attribute write-back the API does
 // into the set is lost. Prefer `ref` — verify against Structs.
 // NOTE(review): pfResult is a 4-byte BOOL in the native API but is declared as IntPtr here
 // (8 bytes on x64), so only the low 32 bits are written; callers must read just those.
 public static extern Boolean PrivilegeCheck(
     IntPtr ClientToken,                          // token handle to test
     Structs._PRIVILEGE_SET RequiredPrivileges,   // privilege set; Control chooses all/any semantics
     out IntPtr pfResult                          // receives the BOOL result in its low 32 bits
     );
        ////////////////////////////////////////////////////////////////////////////////
        // Prints the token's privileges and whether each one is enabled
        ////////////////////////////////////////////////////////////////////////////////
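        /// <summary>
        /// Enumerates the privileges held by <paramref name="hToken"/> and prints, for each one,
        /// its name and whether PrivilegeCheck reports it as enabled in that token.
        /// </summary>
        /// <param name="hToken">
        /// Open token handle. If GetTokenInformation rejects it (typically because the handle
        /// lacks query access), the failure is reported through GetError and the method returns.
        /// </param>
        /// <remarks>
        /// Output only; nothing is returned. A failure of either GetTokenInformation call aborts
        /// the enumeration, whereas a name lookup or PrivilegeCheck failure for one privilege is
        /// printed and that entry is skipped. Every unmanaged buffer allocated here is released
        /// on all paths, including early returns and skipped entries.
        /// </remarks>
        public static void EnumerateTokenPrivileges(IntPtr hToken)
        {
            UInt32 TokenInfLength = 0;

            Console.WriteLine("[*] Enumerating Token Privileges");

            // Pass 1: size query. With a null buffer the call is expected to fail with
            // ERROR_INSUFFICIENT_BUFFER and report the required size in TokenInfLength.
            // TokenInfLength is unsigned, so "== 0" is the meaningful failure signal: zero means
            // the call failed for another reason (bad handle, insufficient access).
            advapi32.GetTokenInformation(
                hToken,
                Enums._TOKEN_INFORMATION_CLASS.TokenPrivileges,
                IntPtr.Zero,
                TokenInfLength,
                out TokenInfLength
                );

            if (TokenInfLength == 0 || TokenInfLength > Int32.MaxValue)
            {
                GetError("GetTokenInformation - 1 " + TokenInfLength);
                return;
            }
            Console.WriteLine("[*] GetTokenInformation - Pass 1");

            // Marshal.PtrToStructure reads Marshal.SizeOf(_TOKEN_PRIVILEGES_ARRAY) bytes — the size
            // of the managed struct, not the size the kernel reported. When the managed Privileges
            // array is fixed-size and larger than what the token actually holds, a buffer of
            // exactly TokenInfLength bytes would be over-read; allocate the larger of the two.
            Int32 structSize = Marshal.SizeOf(typeof(Structs._TOKEN_PRIVILEGES_ARRAY));
            Int32 bufferSize = Math.Max((Int32)TokenInfLength, structSize);
            IntPtr lpTokenInformation = Marshal.AllocHGlobal(bufferSize);
            IntPtr lpLuid = IntPtr.Zero;
            try
            {
                // Pass 2: fetch the TOKEN_PRIVILEGES data into the buffer.
                if (!advapi32.GetTokenInformation(
                        hToken,
                        Enums._TOKEN_INFORMATION_CLASS.TokenPrivileges,
                        lpTokenInformation,
                        TokenInfLength,
                        out TokenInfLength))
                {
                    GetError("GetTokenInformation - 2 " + TokenInfLength);
                    return;
                }
                Console.WriteLine("[*] GetTokenInformation - Pass 2");

                Structs._TOKEN_PRIVILEGES_ARRAY tokenPrivileges =
                    (Structs._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(lpTokenInformation, typeof(Structs._TOKEN_PRIVILEGES_ARRAY));
                Console.WriteLine("[+] Enumerated " + tokenPrivileges.PrivilegeCount + " Privileges");

                // Never index past the managed array: a token can carry more privileges than the
                // Privileges array has slots (assumed to be a fixed-size ByValArray — confirm in Structs).
                Int32 count = (Int32)Math.Min((Int64)tokenPrivileges.PrivilegeCount, (Int64)tokenPrivileges.Privileges.Length);

                Console.WriteLine();
                Console.WriteLine("{0,-30}{1,-30}", "Privilege Name", "Enabled");
                Console.WriteLine("{0,-30}{1,-30}", "--------------", "-------");

                // One scratch buffer for the LUID handed to LookupPrivilegeName, reused for every
                // entry. Sized to a whole LUID_AND_ATTRIBUTES, which is at least as large as its Luid.
                lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(Structs._LUID_AND_ATTRIBUTES)));

                for (Int32 i = 0; i < count; i++)
                {
                    Structs._LUID_AND_ATTRIBUTES entry = tokenPrivileges.Privileges[i];

                    // fDeleteOld must be false: the buffer only ever holds raw LUID bytes, never a
                    // marshaled structure with managed-owned members for the marshaler to destroy.
                    Marshal.StructureToPtr(entry.Luid, lpLuid, false);

                    // LookupPrivilegeName pass 1: size query. On the expected buffer-too-small failure
                    // cchName receives the required length (terminator included); zero means the LUID
                    // could not be resolved at all, so skip it like any other lookup failure.
                    Int32 cchName = 0;
                    advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
                    if (cchName <= 0)
                    {
                        Console.WriteLine("[-] Privilege Name Lookup Failed");
                        continue;
                    }

                    StringBuilder lpName = new StringBuilder(cchName + 1);
                    if (!advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName))
                    {
                        Console.WriteLine("[-] Privilege Name Lookup Failed");
                        continue;
                    }

                    // Ask PrivilegeCheck about exactly this one privilege.
                    Structs._PRIVILEGE_SET privilegeSet = new Structs._PRIVILEGE_SET();
                    privilegeSet.PrivilegeCount = 1;
                    privilegeSet.Control        = Structs.PRIVILEGE_SET_ALL_NECESSARY;
                    privilegeSet.Privilege      = new Structs._LUID_AND_ATTRIBUTES[] { entry };

                    // The native out-parameter is a 4-byte BOOL but the binding declares it as
                    // IntPtr, so start from zero and read only the low 32 bits afterwards.
                    IntPtr pfResult = IntPtr.Zero;
                    if (!advapi32.PrivilegeCheck(hToken, privilegeSet, out pfResult))
                    {
                        Console.WriteLine("[-] Privilege Check Failed");
                        continue;
                    }
                    Boolean enabled = (pfResult.ToInt64() & 0xFFFFFFFFL) != 0;
                    Console.WriteLine("{0,-30}{1,-30}", lpName.ToString(), enabled);
                }
                Console.WriteLine();
            }
            finally
            {
                // Release on every path: early returns and per-entry "continue"s included.
                if (lpLuid != IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(lpLuid);
                }
                Marshal.FreeHGlobal(lpTokenInformation);
            }
        }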