private SafeHGlobalBuffer GetAttributes(DisposableList <IDisposable> resources) { int count = GetAttributeCount(); if (count == 0) { return(SafeHGlobalBuffer.Null); } var attr_list = resources.AddResource(new SafeProcThreadAttributeListBuffer(count)); if (ParentProcess != null) { attr_list.AddAttribute(ProcessAttributes.ProcThreadAttributeParentProcess, ParentProcess.Handle.DangerousGetHandle()); } if (MitigationOptions2 != ProcessMitigationOptions2.None) { MemoryStream stm = new MemoryStream(); BinaryWriter writer = new BinaryWriter(stm); writer.Write((ulong)MitigationOptions); writer.Write((ulong)MitigationOptions2); attr_list.AddAttribute(ProcessAttributes.ProcThreadAttributeMitigationPolicy, stm.ToArray()); } else if (MitigationOptions != ProcessMitigationOptions.None) { attr_list.AddAttribute(ProcessAttributes.ProcThreadAttributeMitigationPolicy, (ulong)MitigationOptions); } if (Win32kFilterFlags != Win32kFilterFlags.None) { Win32kFilterAttribute filter = new Win32kFilterAttribute(); filter.Flags = Win32kFilterFlags; filter.FilterLevel = Win32kFilterLevel; attr_list.AddAttributeBuffer(ProcessAttributes.ProcThreadAttributeWin32kFilter, resources.AddResource(filter.ToBuffer())); } if ((CreationFlags & CreateProcessFlags.ProtectedProcess) != 0) { attr_list.AddAttribute(ProcessAttributes.ProcThreadAttributeProtectionLevel, (int)ProtectionLevel); } if (InheritHandleList.Count > 0) { int total_size = IntPtr.Size * InheritHandleList.Count; var handle_list = resources.AddResource(new SafeHGlobalBuffer(total_size)); handle_list.WriteArray(0, InheritHandleList.ToArray(), 0, InheritHandleList.Count); attr_list.AddAttributeBuffer(ProcessAttributes.ProcThreadAttributeHandleList, handle_list); } if (AppContainerSid != null) { SECURITY_CAPABILITIES caps = new SECURITY_CAPABILITIES(); caps.AppContainerSid = resources.AddResource(AppContainerSid.ToSafeBuffer()).DangerousGetHandle(); if (Capabilities.Count > 0) { SidAndAttributes[] cap_sids = new SidAndAttributes[Capabilities.Count]; for (int i = 0; i < Capabilities.Count; ++i) { cap_sids[i] = new SidAndAttributes() { Sid = resources.AddResource(Capabilities[i].ToSafeBuffer()).DangerousGetHandle(), Attributes = GroupAttributes.Enabled }; } SafeHGlobalBuffer cap_buffer = resources.AddResource(new SafeHGlobalBuffer(Marshal.SizeOf(typeof(SidAndAttributes)) * Capabilities.Count)); cap_buffer.WriteArray(0, cap_sids, 0, cap_sids.Length); caps.Capabilities = cap_buffer.DangerousGetHandle(); caps.CapabilityCount = cap_sids.Length; } attr_list.AddAttribute(ProcessAttributes.ProcThreadAttributeSecurityCapabilities, caps); } if (LowPrivilegeAppContainer) { attr_list.AddAttribute(ProcessAttributes.ProcThreadAttributeAllApplicationPackagesPolicy, 1); } return(attr_list); }
private SafeHGlobalBuffer GetAttributes(DisposableList <IDisposable> resources) { int count = GetAttributeCount(); if (count == 0) { return(SafeHGlobalBuffer.Null); } var attr_list = resources.AddResource(new SafeProcThreadAttributeListBuffer(count)); if (ParentProcess != null) { attr_list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeParentProcess, ParentProcess.Handle.DangerousGetHandle()); } if (MitigationOptions2 != ProcessMitigationOptions2.None) { MemoryStream stm = new MemoryStream(); BinaryWriter writer = new BinaryWriter(stm); writer.Write((ulong)MitigationOptions); writer.Write((ulong)MitigationOptions2); attr_list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeMitigationPolicy, stm.ToArray()); } else if (MitigationOptions != ProcessMitigationOptions.None) { attr_list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeMitigationPolicy, (ulong)MitigationOptions); } if (Win32kFilterFlags != Win32kFilterFlags.None) { Win32kFilterAttribute filter = new Win32kFilterAttribute { Flags = Win32kFilterFlags, FilterLevel = Win32kFilterLevel }; attr_list.AddAttributeBuffer(Win32ProcessAttributes.ProcThreadAttributeWin32kFilter, resources.AddResource(filter.ToBuffer())); } if ((CreationFlags & CreateProcessFlags.ProtectedProcess) != 0 && ProtectionLevel != ProtectionLevel.None) { attr_list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeProtectionLevel, (int)ProtectionLevel); } if (InheritHandleList.Count > 0) { int total_size = IntPtr.Size * InheritHandleList.Count; var handle_list = resources.AddResource(new SafeHGlobalBuffer(total_size)); handle_list.WriteArray(0, InheritHandleList.ToArray(), 0, InheritHandleList.Count); attr_list.AddAttributeBuffer(Win32ProcessAttributes.ProcThreadAttributeHandleList, handle_list); } if (AppContainerSid != null) { SECURITY_CAPABILITIES caps = new SECURITY_CAPABILITIES { AppContainerSid = resources.AddResource(AppContainerSid.ToSafeBuffer()).DangerousGetHandle() }; if (Capabilities.Count > 0) { SidAndAttributes[] cap_sids = new SidAndAttributes[Capabilities.Count]; for (int i = 0; i < Capabilities.Count; ++i) { cap_sids[i] = new SidAndAttributes() { Sid = resources.AddResource(Capabilities[i].ToSafeBuffer()).DangerousGetHandle(), Attributes = GroupAttributes.Enabled }; } SafeHGlobalBuffer cap_buffer = resources.AddResource(new SafeHGlobalBuffer(Marshal.SizeOf(typeof(SidAndAttributes)) * Capabilities.Count)); cap_buffer.WriteArray(0, cap_sids, 0, cap_sids.Length); caps.Capabilities = cap_buffer.DangerousGetHandle(); caps.CapabilityCount = cap_sids.Length; } attr_list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeSecurityCapabilities, caps); } if (LowPrivilegeAppContainer) { attr_list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeAllApplicationPackagesPolicy, 1); } if (RestrictChildProcessCreation || OverrideChildProcessCreation) { int flags = RestrictChildProcessCreation ? 1 : 0; flags |= OverrideChildProcessCreation ? 2 : 0; attr_list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeChildProcessPolicy, flags); } if (DesktopAppBreakaway != ProcessDesktopAppBreakawayFlags.None) { attr_list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeDesktopAppPolicy, (int)DesktopAppBreakaway); } if (!string.IsNullOrWhiteSpace(PackageName)) { byte[] str_bytes = Encoding.Unicode.GetBytes(PackageName); var string_buffer = resources.AddResource(new SafeHGlobalBuffer(str_bytes)); attr_list.AddAttributeBuffer(Win32ProcessAttributes.ProcThreadAttributePackageName, string_buffer); } if (PseudoConsole != IntPtr.Zero) { attr_list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributePseudoConsole, PseudoConsole); } if (!string.IsNullOrEmpty(BnoIsolationPrefix)) { var prefix = new BnoIsolationAttribute() { IsolationEnabled = 1, IsolationPrefix = BnoIsolationPrefix }; attr_list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeBnoIsolation, prefix); } if (SafeOpenPromptOriginClaim != null) { var bytes = (byte[])SafeOpenPromptOriginClaim.Clone(); Array.Resize(ref bytes, 524); attr_list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeSafeOpenPromptOriginClaim, bytes); } if (ExtendedFlags != ProcessExtendedFlags.None) { attr_list.AddAttribute(Win32ProcessAttributes.ProcThreadAttributeExtendedFlags, (int)ExtendedFlags); } return(attr_list); }