private void openTokenToolStripMenuItem_Click(object sender, EventArgs e)
        {
            // Menu handler: open a token viewer for whatever the selected tree node represents.
            TreeNode node = treeViewProcesses.SelectedNode;
            if (node == null)
            {
                // No selection, nothing to open.
                return;
            }

            // The node's Tag is inspected as a process first, then as a handle.
            NtProcess process_tag = node.Tag as NtProcess;
            if (process_tag != null)
            {
                NtToken process_token = GetToken(process_tag);
                if (process_token != null)
                {
                    TokenForm.OpenForm(process_token, true);
                }
                return;
            }

            NtHandle handle_tag = node.Tag as NtHandle;
            if (handle_tag == null)
            {
                // Tag is neither a process nor a handle: do nothing.
                return;
            }

            try
            {
                // Only Query | QuerySource is requested on the duplicated token, which is
                // enough to display it and keeps the handle this UI holds read-only.
                TokenAccessRights view_access = TokenAccessRights.Query | TokenAccessRights.QuerySource;
                NtToken duplicate = NtToken.DuplicateFrom(handle_tag.ProcessId, new IntPtr(handle_tag.Handle), view_access);
                TokenForm.OpenForm(duplicate, false);
            }
            catch (Exception ex)
            {
                // Any failure (for example the owning process refusing the duplication)
                // is reported to the user rather than propagated out of the UI handler.
                MessageBox.Show(this, ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
            }
        }
        /// <summary>
        /// Duplicate a token handle out of the process that hosts the IKEEXT service.
        /// </summary>
        /// <remarks>
        /// The source handle value is read from the <c>Token</c> member, which is declared
        /// outside this method. When the service lookup yields no result the process ID
        /// falls back to 0 and the duplication is attempted against that ID.
        /// The call passes <c>TokenAccessRights.None</c> together with
        /// <c>DuplicateObjectOptions.SameAccess</c>; presumably the returned handle then
        /// carries the source handle's access mask rather than a reduced one. Confirm
        /// against the library before relying on it.
        /// </remarks>
        /// <param name="throw_on_error">True to throw on error.</param>
        /// <returns>The duplication result, which wraps the token.</returns>
        public NtResult <NtToken> GetToken(bool throw_on_error)
        {
            // Resolve the hosting process; a missing service leaves the PID at 0.
            var service = ServiceUtils.GetService("IKEEXT", false).GetResultOrDefault();
            int service_pid = service?.ProcessId ?? 0;
            IntPtr source_handle = new IntPtr(Token);

            return NtToken.DuplicateFrom(service_pid, source_handle,
                                         TokenAccessRights.None, DuplicateObjectOptions.SameAccess, throw_on_error);
        }
        private void btnRefreshHandles_Click(object sender, EventArgs e)
        {
            // Refresh handler: rebuild the list of token handles held by other processes.
            ClearList(listViewHandles);
            int own_pid = Process.GetCurrentProcess().Id;

            // The outcome of this call is not inspected here; processes that still cannot
            // be opened are skipped further down.
            NtToken.EnableDebugPrivilege();
            List<ListViewItem> rows = new List<ListViewItem>();

            // Access masks are kept to what the listing needs: duplicate handles and read
            // limited process info, then query-only access on each duplicated token.
            ProcessAccessRights process_access = ProcessAccessRights.DupHandle | ProcessAccessRights.QueryLimitedInformation;
            TokenAccessRights token_access = TokenAccessRights.Query | TokenAccessRights.QuerySource;

            // Every handle on the system whose object type is "token", excluding this
            // process's own handles, bucketed by owning process ID.
            var token_handles_by_pid = NtSystemInfo.GetHandles()
                .Where(h => h.ProcessId != own_pid && h.ObjectType.Equals("token", StringComparison.OrdinalIgnoreCase))
                .GroupBy(h => h.ProcessId);

            foreach (var pid_group in token_handles_by_pid)
            {
                using (var proc = NtProcess.Open(pid_group.Key, process_access, false))
                {
                    // Non-throwing open: a process that cannot be opened is skipped.
                    if (proc.IsSuccess)
                    {
                        foreach (NtHandle handle in pid_group)
                        {
                            using (var dup_result = NtToken.DuplicateFrom(proc.Result, new IntPtr(handle.Handle),
                                                                          token_access, DuplicateObjectOptions.None, false))
                            {
                                // Non-throwing duplicate: a handle that cannot be copied is skipped.
                                if (dup_result.IsSuccess)
                                {
                                    NtToken token = dup_result.Result;
                                    ListViewItem row = new ListViewItem(handle.ProcessId.ToString());
                                    var cells = row.SubItems;
                                    cells.Add(proc.Result.Name);
                                    cells.Add($"0x{handle.Handle:X}");
                                    cells.Add(token.User.ToString());
                                    cells.Add(token.IntegrityLevel.ToString());

                                    // A write-restricted token is shown as "Write" instead of
                                    // the plain Restricted flag.
                                    string restricted_text = token.Restricted.ToString();
                                    cells.Add(token.WriteRestricted ? "Write" : restricted_text);

                                    cells.Add(token.AppContainer.ToString());
                                    cells.Add(token.TokenType.ToString());
                                    cells.Add(token.ImpersonationLevel.ToString());

                                    // The row keeps its own duplicate because dup_result is
                                    // disposed when this using block exits. Presumably
                                    // ClearList releases these tags; confirm.
                                    row.Tag = token.Duplicate();
                                    rows.Add(row);
                                }
                            }
                        }
                    }
                }
            }

            listViewHandles.Items.AddRange(rows.ToArray());
            ResizeColumns(listViewHandles);
        }
        private void btnRefreshHandles_Click(object sender, EventArgs e)
        {
            // Refresh handler: rebuild the list of token handles held by other processes.
            ClearList(listViewHandles);
            int own_pid = Process.GetCurrentProcess().Id;

            // The outcome of this call is not inspected here; processes that still cannot
            // be opened end up in the catch blocks below.
            NtToken.EnableDebugPrivilege();
            List<ListViewItem> rows = new List<ListViewItem>();

            // Every handle on the system whose object type is "token", excluding this
            // process's own handles, bucketed by owning process ID.
            var token_handles_by_pid = NtSystemInfo.GetHandles()
                .Where(h => h.ProcessId != own_pid && h.ObjectType.Equals("token", StringComparison.OrdinalIgnoreCase))
                .GroupBy(h => h.ProcessId);

            foreach (var pid_group in token_handles_by_pid)
            {
                try
                {
                    // Only handle duplication and limited query rights are requested on the process.
                    using (NtProcess proc = NtProcess.Open(pid_group.Key, ProcessAccessRights.DupHandle | ProcessAccessRights.QueryLimitedInformation))
                    {
                        foreach (NtHandle handle in pid_group)
                        {
                            try
                            {
                                // Query-only access on the duplicated token is enough for display.
                                using (NtToken token = NtToken.DuplicateFrom(proc, new IntPtr(handle.Handle),
                                                                             TokenAccessRights.Query | TokenAccessRights.QuerySource))
                                {
                                    ListViewItem row = new ListViewItem(handle.ProcessId.ToString());
                                    var cells = row.SubItems;
                                    cells.Add(proc.Name);
                                    cells.Add(String.Format("0x{0:X}", handle.Handle));
                                    cells.Add(token.User.ToString());
                                    cells.Add(token.IntegrityLevel.ToString());
                                    cells.Add(token.Restricted.ToString());
                                    cells.Add(token.AppContainer.ToString());
                                    cells.Add(token.TokenType.ToString());
                                    cells.Add(token.ImpersonationLevel.ToString());

                                    // The row keeps its own duplicate because `token` is
                                    // disposed when this using block exits. Presumably
                                    // ClearList releases these tags; confirm.
                                    row.Tag = token.Duplicate();
                                    rows.Add(row);
                                }
                            }
                            catch (NtException)
                            {
                                // Best effort: a handle that cannot be duplicated, or whose
                                // token properties cannot be read, produces no row.
                                // NOTE(review): the failure is discarded without logging, so
                                // the list can be incomplete with no indication of why.
                            }
                        }
                    }
                }
                catch (NtException)
                {
                    // Best effort: a process that cannot be opened is skipped entirely.
                }
            }

            listViewHandles.Items.AddRange(rows.ToArray());
            ResizeColumns(listViewHandles);
        }