public static extern Boolean GetTokenInformation(
IntPtr TokenHandle,
Enums._TOKEN_INFORMATION_CLASS TokenInformationClass,
ref Winnt._TOKEN_STATISTICS TokenInformation,
UInt32 TokenInformationLength,
out UInt32 ReturnLength
);
////////////////////////////////////////////////////////////////////////////////
// Converts a TokenStatistics Pointer array to User Name
////////////////////////////////////////////////////////////////////////////////
public static Boolean ConvertTokenStatisticsToUsername(Winnt._TOKEN_STATISTICS tokenStatistics, ref String userName)
{
IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(Structs._LUID)));
Marshal.StructureToPtr(tokenStatistics.AuthenticationId, lpLuid, false);
if (IntPtr.Zero == lpLuid)
{
return(false);
}
IntPtr ppLogonSessionData = new IntPtr();
if (0 != secur32.LsaGetLogonSessionData(lpLuid, out ppLogonSessionData))
{
return(false);
}
if (IntPtr.Zero == ppLogonSessionData)
{
return(false);
}
ntsecapi._SECURITY_LOGON_SESSION_DATA securityLogonSessionData = (ntsecapi._SECURITY_LOGON_SESSION_DATA)Marshal.PtrToStructure(ppLogonSessionData, typeof(ntsecapi._SECURITY_LOGON_SESSION_DATA));
if (IntPtr.Zero == securityLogonSessionData.Sid)
{
return(false);
}
userName = String.Format("{0}\\{1}", Marshal.PtrToStringUni(securityLogonSessionData.LogonDomain.Buffer), Marshal.PtrToStringUni(securityLogonSessionData.UserName.Buffer));
return(true);
}
////////////////////////////////////////////////////////////////////////////////
// Finds a process per user discovered
// ToDo: check if token is a primary token
////////////////////////////////////////////////////////////////////////////////
public static Dictionary <String, UInt32> EnumerateTokens(Boolean findElevation)
{
Dictionary <String, UInt32> users = new Dictionary <String, UInt32>();
foreach (Process p in Process.GetProcesses())
{
IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_QUERY_LIMITED_INFORMATION, true, (UInt32)p.Id);
if (IntPtr.Zero == hProcess)
{
continue;
}
IntPtr hToken;
if (!kernel32.OpenProcessToken(hProcess, (UInt32)Enums.ACCESS_MASK.MAXIMUM_ALLOWED, out hToken))
{
continue;
}
kernel32.CloseHandle(hProcess);
if (findElevation)
{
if (!CheckPrivileges.CheckElevation(hToken))
{
continue;
}
}
UInt32 dwLength = 0;
Winnt._TOKEN_STATISTICS tokenStatistics = new Winnt._TOKEN_STATISTICS();
//Split up impersonation and primary tokens
if (Winnt.TOKEN_TYPE.TokenImpersonation == tokenStatistics.TokenType)
{
continue;
}
if (!advapi32.GetTokenInformation(hToken, Enums._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
{
if (!advapi32.GetTokenInformation(hToken, Enums._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
{
Console.WriteLine("GetTokenInformation: {0}", Marshal.GetLastWin32Error());
continue;
}
}
kernel32.CloseHandle(hToken);
String userName = String.Empty;
if (!ConvertTokenStatisticsToUsername(tokenStatistics, ref userName))
{
continue;
}
if (!users.ContainsKey(userName))
{
users.Add(userName, (UInt32)p.Id);
}
}
return(users);
}
////////////////////////////////////////////////////////////////////////////////
// Find processes for a user via Tokens
////////////////////////////////////////////////////////////////////////////////
public static Dictionary <UInt32, String> EnumerateUserProcesses(Boolean findElevation, String userAccount)
{
Dictionary <UInt32, String> users = new Dictionary <UInt32, String>();
Process[] pids = Process.GetProcesses();
Console.WriteLine("[*] Examining {0} processes", pids.Length);
foreach (Process p in pids)
{
IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_QUERY_LIMITED_INFORMATION, true, (UInt32)p.Id);
if (IntPtr.Zero == hProcess)
{
continue;
}
IntPtr hToken;
if (!kernel32.OpenProcessToken(hProcess, (UInt32)Enums.ACCESS_MASK.MAXIMUM_ALLOWED, out hToken))
{
continue;
}
kernel32.CloseHandle(hProcess);
if (findElevation && !CheckPrivileges.CheckElevation(hToken))
{
continue;
}
UInt32 dwLength = 0;
Winnt._TOKEN_STATISTICS tokenStatistics = new Winnt._TOKEN_STATISTICS();
if (!advapi32.GetTokenInformation(hToken, Enums._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
{
if (!advapi32.GetTokenInformation(hToken, Enums._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
{
continue;
}
}
kernel32.CloseHandle(hToken);
if (Winnt.TOKEN_TYPE.TokenImpersonation == tokenStatistics.TokenType)
{
continue;
}
String userName = String.Empty;
if (!ConvertTokenStatisticsToUsername(tokenStatistics, ref userName))
{
continue;
}
if (userName.ToUpper() == userAccount.ToUpper())
{
users.Add((UInt32)p.Id, p.ProcessName);
if (findElevation)
{
return(users);
}
}
}
Console.WriteLine("[*] Discovered {0} processes", users.Count);
Dictionary <UInt32, String> sorted = new Dictionary <UInt32, String>();
foreach (var user in users.OrderBy(u => u.Value))
{
sorted.Add(user.Key, user.Value);
}
return(sorted);
}
