private void QueryValues()
{
if (_allow_query)
{
_allow_query = false;
NtToken.EnableDebugPrivilege();
using (var obj = NtGeneric.DuplicateFrom(ProcessId,
new IntPtr(Handle), 0, DuplicateObjectOptions.SameAccess, false)) {
if (!obj.IsSuccess)
{
return;
}
NtType = obj.Result.NtType;
if (!_force_file_query && obj.Result.NtTypeName == "File")
{
using (var file = obj.Result.ToTypedObject() as NtFile) {
var device_type = file?.DeviceType ?? FileDeviceType.UNKNOWN;
switch (device_type)
{
case FileDeviceType.DISK:
case FileDeviceType.CD_ROM:
break;
default:
return;
}
}
}
_handle_valid = true;
_name = GetName(obj.Result);
_sd = GetSecurityDescriptor(obj.Result);
}
}
}
public static IEnumerable <COMProcessEntry> GetProcesses(IEnumerable <Process> procs, string dbghelp_path, string symbol_path, IProgress <Tuple <string, int> > progress)
{
List <COMProcessEntry> ret = new List <COMProcessEntry>();
NtToken.EnableDebugPrivilege();
int total_count = procs.Count();
int current_count = 0;
foreach (Process p in procs)
{
try
{
if (progress != null)
{
progress.Report(new Tuple <string, int>(String.Format("Parsing process {0}", p.ProcessName),
100 * current_count++ / total_count));
}
COMProcessEntry proc = COMProcessParser.ParseProcess(p.Id,
dbghelp_path, symbol_path);
if (proc != null)
{
ret.Add(proc);
}
}
catch (Win32Exception)
{
}
finally
{
p.Close();
}
}
return(ret);
}
internal override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
{
AccessMask access_rights = _process_type.MapGenericRights(AccessRights);
AccessMask thread_access_rights = _thread_type.MapGenericRights(ThreadAccessRights);
if (!NtToken.EnableDebugPrivilege())
{
WriteWarning("Current process doesn't have SeDebugPrivilege, results may be inaccurate");
}
if (CheckProcess())
{
using (var procs = NtProcess.GetProcesses(ProcessAccessRights.MaximumAllowed, false).ToDisposableList())
{
DoAccessCheck(tokens, procs.Where(p => ShowDeadProcesses || !p.IsDeleting), access_rights, thread_access_rights);
}
}
else
{
using (var threads = NtThread.GetThreads(ThreadAccessRights.MaximumAllowed, true).ToDisposableList())
{
foreach (var thread in threads)
{
DoAccessCheck(tokens, ProcessDetails.FromThread(thread), thread, thread_access_rights);
}
}
}
}
public void UpdateProcessList(ProcessAccessRights desired_access, bool require_token)
{
NtToken.EnableDebugPrivilege();
ClearListView();
using (var ps = NtProcess.GetProcesses(ProcessAccessRights.QueryLimitedInformation | desired_access, true).ToDisposableList())
{
foreach (var p in ps.OrderBy(p => p.ProcessId))
{
using (var result = NtToken.OpenProcessToken(p, TokenAccessRights.MaximumAllowed, false))
{
if (!result.IsSuccess && require_token)
{
continue;
}
ListViewItem item = listViewProcesses.Items.Add(p.ProcessId.ToString());
item.SubItems.Add(p.Name);
if (result.IsSuccess)
{
NtToken token = result.Result;
item.SubItems.Add(p.User.Name);
item.SubItems.Add(token.IntegrityLevel.ToString());
}
item.Tag = _processes.AddResource(p.Duplicate());
}
}
}
listViewProcesses.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent);
listViewProcesses.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
listViewProcesses.ListViewItemSorter = new ListItemComparer(0);
}
private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
{
if (!NtToken.EnableDebugPrivilege())
{
WriteWarning("Current process doesn't have SeDebugPrivilege, results may be inaccurate");
}
NtType type = NtType.GetTypeByType <NtToken>();
AccessMask access_rights = type.MapGenericRights(AccessRights);
int current_session_id = NtProcess.Current.SessionId;
using (var procs = NtProcess.GetProcesses(ProcessAccessRights.QueryInformation | ProcessAccessRights.ReadControl, false).ToDisposableList())
{
IEnumerable <NtProcess> proc_enum = procs;
if (CurrentSession)
{
proc_enum = proc_enum.Where(p => CheckSession(p, current_session_id));
}
foreach (var proc in proc_enum.Where(p => ShowDeadProcesses || !p.IsDeleting))
{
using (var result = NtToken.OpenProcessToken(proc, TokenAccessRights.ReadControl | TokenAccessRights.Query, false))
{
if (!result.IsSuccess)
{
WriteWarning($"Couldn't open token for Process {proc.Name} PID: {proc.ProcessId} Status: {result.Status}");
continue;
}
NtToken primary_token = result.Result;
var sd_result = primary_token.GetSecurityDescriptor(SecurityInformation.AllBasic, false);
if (!sd_result.IsSuccess)
{
WriteWarning($"Couldn't get token's Security Descriptor for Process {proc.Name} PID: {proc.ProcessId} Status: {sd_result.Status}");
continue;
}
var sd = sd_result.Result;
string process_name = proc.Name;
string process_cmdline = proc.CommandLine;
string image_path = proc.FullPath;
int process_id = proc.ProcessId;
foreach (var token in tokens)
{
if (proc.GetMaximumAccess(token.Token).HasFlag(ProcessAccessRights.QueryLimitedInformation))
{
AccessMask granted_access = NtSecurity.GetMaximumAccess(sd, token.Token, type.GenericMapping);
if (IsAccessGranted(granted_access, access_rights))
{
WriteObject(new TokenAccessCheckResult(primary_token, proc,
granted_access, sd, token.Information));
}
}
}
}
}
}
}
/// <summary>
/// Overridden process record method.
/// </summary>
protected override void ProcessRecord()
{
HashSet <TokenEntry> tokens = new HashSet <TokenEntry>(new TokenEntryComparer());
try
{
bool explicit_tokens = false;
NtToken.EnableDebugPrivilege();
if (Token != null)
{
foreach (NtToken token in Token)
{
AddTokenEntry(tokens, new TokenEntry(token));
}
explicit_tokens = true;
}
if (ProcessId != null)
{
GetTokensFromPids(tokens, ProcessId);
explicit_tokens = true;
}
if (GetTokensFromArguments(tokens, ProcessName, ProcessCommandLine))
{
explicit_tokens = true;
}
if (Process != null)
{
foreach (NtProcess process in Process)
{
AddTokenEntryFromProcess(tokens, process);
}
explicit_tokens = true;
}
if (tokens.Count == 0)
{
if (explicit_tokens)
{
return;
}
AddTokenEntryFromProcess(tokens, NtProcess.Current);
}
RunAccessCheck(tokens);
}
finally
{
foreach (TokenEntry token in tokens)
{
token.Dispose();
}
}
}
static void Main()
{
CoInitializeSecurity(IntPtr.Zero, -1, IntPtr.Zero, IntPtr.Zero, AuthnLevel.RPC_C_AUTHN_LEVEL_DEFAULT,
ImpLevel.RPC_C_IMP_LEVEL_IMPERSONATE, IntPtr.Zero, EOLE_AUTHENTICATION_CAPABILITIES.EOAC_DYNAMIC_CLOAKING, IntPtr.Zero);
NtToken.EnableDebugPrivilege();
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
Application.Run(new MainForm());
}
private void btnRefreshHandles_Click(object sender, EventArgs e)
{
ClearList(listViewHandles);
int current_pid = Process.GetCurrentProcess().Id;
NtToken.EnableDebugPrivilege();
List <ListViewItem> items = new List <ListViewItem>();
foreach (var group in NtSystemInfo.GetHandles()
.Where(h => h.ProcessId != current_pid && h.ObjectType.Equals("token", StringComparison.OrdinalIgnoreCase))
.GroupBy(h => h.ProcessId))
{
using (var proc = NtProcess.Open(group.Key, ProcessAccessRights.DupHandle | ProcessAccessRights.QueryLimitedInformation, false))
{
if (!proc.IsSuccess)
{
continue;
}
foreach (NtHandle handle in group)
{
using (var token_result = NtToken.DuplicateFrom(proc.Result, new IntPtr(handle.Handle),
TokenAccessRights.Query | TokenAccessRights.QuerySource, DuplicateObjectOptions.None, false))
{
if (!token_result.IsSuccess)
{
continue;
}
NtToken token = token_result.Result;
ListViewItem item = new ListViewItem(handle.ProcessId.ToString());
item.SubItems.Add(proc.Result.Name);
item.SubItems.Add($"0x{handle.Handle:X}");
item.SubItems.Add(token.User.ToString());
item.SubItems.Add(token.IntegrityLevel.ToString());
string restricted = token.Restricted.ToString();
if (token.WriteRestricted)
{
restricted = "Write";
}
item.SubItems.Add(restricted);
item.SubItems.Add(token.AppContainer.ToString());
item.SubItems.Add(token.TokenType.ToString());
item.SubItems.Add(token.ImpersonationLevel.ToString());
item.Tag = token.Duplicate();
items.Add(item);
}
}
}
}
listViewHandles.Items.AddRange(items.ToArray());
ResizeColumns(listViewHandles);
}
private void btnRefreshHandles_Click(object sender, EventArgs e)
{
ClearList(listViewHandles);
int current_pid = Process.GetCurrentProcess().Id;
NtToken.EnableDebugPrivilege();
List <ListViewItem> items = new List <ListViewItem>();
foreach (var group in NtSystemInfo.GetHandles()
.Where(h => h.ProcessId != current_pid && h.ObjectType.Equals("token", StringComparison.OrdinalIgnoreCase))
.GroupBy(h => h.ProcessId))
{
try
{
using (NtProcess proc = NtProcess.Open(group.Key, ProcessAccessRights.DupHandle | ProcessAccessRights.QueryLimitedInformation))
{
foreach (NtHandle handle in group)
{
try
{
using (NtToken token = NtToken.DuplicateFrom(proc, new IntPtr(handle.Handle),
TokenAccessRights.Query | TokenAccessRights.QuerySource))
{
ListViewItem item = new ListViewItem(handle.ProcessId.ToString());
item.SubItems.Add(proc.Name);
item.SubItems.Add(String.Format("0x{0:X}", handle.Handle));
item.SubItems.Add(token.User.ToString());
item.SubItems.Add(token.IntegrityLevel.ToString());
item.SubItems.Add(token.Restricted.ToString());
item.SubItems.Add(token.AppContainer.ToString());
item.SubItems.Add(token.TokenType.ToString());
item.SubItems.Add(token.ImpersonationLevel.ToString());
item.Tag = token.Duplicate();
items.Add(item);
}
}
catch (NtException)
{
}
}
}
}
catch (NtException)
{
}
}
listViewHandles.Items.AddRange(items.ToArray());
ResizeColumns(listViewHandles);
}
/// <summary>
/// Disable dynamic code policy on another process.
/// </summary>
public void DisableDynamicCodePolicy()
{
if (!NtToken.EnableDebugPrivilege())
{
throw new InvalidOperationException("Must have Debug privilege to disable code policy");
}
MitigationPolicy p = new MitigationPolicy();
p.Policy = ProcessMitigationPolicy.ProcessDynamicCodePolicy;
using (var buffer = p.ToBuffer())
{
NtSystemCalls.NtSetInformationProcess(Handle, ProcessInfoClass.ProcessMitigationPolicy, buffer, buffer.Length).ToNtException();
}
}
/// <summary>
/// Get handle into the current process
/// </summary>
/// <param name="throw_on_error">True to throw on error.</param>
/// <returns>The handle to the object</returns>
public NtResult <NtObject> GetObject(bool throw_on_error)
{
NtToken.EnableDebugPrivilege();
using (var result = NtGeneric.DuplicateFrom(ProcessId, new IntPtr(Handle), 0,
DuplicateObjectOptions.SameAccess | DuplicateObjectOptions.SameAttributes, throw_on_error)) {
if (!result.IsSuccess)
{
return(result.Cast <NtObject>());
}
NtGeneric generic = result.Result;
// Ensure that we get the actual type from the handle.
NtType = generic.NtType;
return(generic.ToTypedObject(throw_on_error).Cast <NtObject>());
}
}
public SelectSecurityCheckForm(bool process_security)
{
InitializeComponent();
_process_security = process_security;
_tokens = new DisposableList <NtToken>();
Disposed += SelectSecurityCheckForm_Disposed;
string username = String.Format(@"{0}\{1}", Environment.UserDomainName, Environment.UserName);
textBoxPrincipal.Text = username;
NtToken.EnableDebugPrivilege();
using (var ps = NtProcess.GetProcesses(ProcessAccessRights.QueryLimitedInformation, true).ToDisposableList())
{
foreach (var p in ps.OrderBy(p => p.ProcessId))
{
var result = NtToken.OpenProcessToken(p, TokenAccessRights.MaximumAllowed, false);
if (result.IsSuccess)
{
NtToken token = result.Result;
_tokens.Add(token);
ListViewItem item = listViewProcesses.Items.Add(p.ProcessId.ToString());
item.SubItems.Add(p.Name);
item.SubItems.Add(p.User.Name);
item.SubItems.Add(token.IntegrityLevel.ToString());
item.Tag = token;
}
}
}
listViewProcesses.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent);
listViewProcesses.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
listViewProcesses.ListViewItemSorter = new ListItemComparer(0);
foreach (object value in Enum.GetValues(typeof(TokenIntegrityLevel)))
{
comboBoxIL.Items.Add(value);
}
comboBoxIL.SelectedItem = TokenIntegrityLevel.Low;
if (process_security)
{
textBoxPrincipal.Enabled = false;
checkBoxLocalLaunch.Enabled = false;
checkBoxRemoteLaunch.Enabled = false;
checkBoxLocalActivate.Enabled = false;
checkBoxRemoteActivate.Enabled = false;
}
}
/// <summary>
/// Get handle into the current process
/// </summary>
/// <returns>The handle to the object</returns>
public NtObject GetObject()
{
NtToken.EnableDebugPrivilege();
try
{
using (NtGeneric generic = NtGeneric.DuplicateFrom(ProcessId, new IntPtr(Handle)))
{
// Ensure that we get the actual type from the handle.
NtType = generic.NtType;
return(generic.ToTypedObject());
}
}
catch
{
}
return(null);
}
/// <summary>
/// Create a kernel dump for current system.
/// </summary>
/// <param name="path">The path to the output file.</param>
/// <param name="flags">Flags</param>
/// <param name="page_flags">Page flags</param>
public static void CreateKernelDump(string path, SystemDebugKernelDumpControlFlags flags, SystemDebugKernelDumpPageControlFlags page_flags)
{
NtToken.EnableDebugPrivilege();
using (NtFile file = NtFile.Create(path, FileAccessRights.Synchronize | FileAccessRights.GenericWrite | FileAccessRights.GenericRead,
FileShareMode.Read, FileOpenOptions.SynchronousIoNonAlert | FileOpenOptions.WriteThrough | FileOpenOptions.NoIntermediateBuffering, FileDisposition.OverwriteIf,
null))
{
using (var buffer = new SystemDebugKernelDumpConfig()
{
FileHandle = file.Handle.DangerousGetHandle(),
Flags = flags,
PageFlags = page_flags
}.ToBuffer())
{
NtSystemCalls.NtSystemDebugControl(SystemDebugCommand.SysDbgGetLiveKernelDump, buffer, buffer.Length,
SafeHGlobalBuffer.Null, 0, out int ret_length).ToNtException();
}
}
}
/// <summary>
/// Overridden process record method.
/// </summary>
protected override void ProcessRecord()
{
HashSet <TokenEntry> tokens = new HashSet <TokenEntry>(new TokenEntryComparer());
try
{
NtToken.EnableDebugPrivilege();
if (Tokens != null)
{
foreach (NtToken token in Tokens)
{
AddTokenEntry(tokens, new TokenEntry(token));
}
}
if (ProcessIds != null)
{
GetTokensFromPids(tokens, ProcessIds);
}
GetTokensFromArguments(tokens, ProcessNames, ProcessCommandLines);
if (Processes != null)
{
foreach (NtProcess process in Processes)
{
AddTokenEntryFromProcess(tokens, process);
}
}
if (tokens.Count == 0)
{
AddTokenEntryFromProcess(tokens, NtProcess.Current);
}
RunAccessCheck(tokens);
}
finally
{
foreach (TokenEntry token in tokens)
{
token.Dispose();
}
}
}
private void QueryValues()
{
if (_allow_query)
{
_allow_query = false;
NtToken.EnableDebugPrivilege();
using (var obj = NtGeneric.DuplicateFrom(ProcessId,
new IntPtr(Handle), 0, DuplicateObjectOptions.SameAccess, false))
{
if (!obj.IsSuccess)
{
return;
}
NtType = obj.Result.NtType;
_name = GetName(obj.Result);
_sd = GetSecurityDescriptor(obj.Result);
}
}
}
private void QueryValues()
{
if (_allow_query)
{
_allow_query = false;
try
{
NtToken.EnableDebugPrivilege();
using (NtGeneric obj = NtGeneric.DuplicateFrom(ProcessId, new IntPtr(Handle)))
{
// Ensure we get the real type, in case it changed _or_ it was wrong to begin with.
ObjectType = obj.NtTypeName;
_name = GetName(obj);
_sd = GetSecurityDescriptor(obj);
}
}
catch (NtException)
{
}
}
}
static void Main(string[] args)
{
CoInitializeSecurity(IntPtr.Zero, -1, IntPtr.Zero, IntPtr.Zero, AuthnLevel.RPC_C_AUTHN_LEVEL_DEFAULT,
ImpLevel.RPC_C_IMP_LEVEL_IMPERSONATE, IntPtr.Zero, EOLE_AUTHENTICATION_CAPABILITIES.EOAC_DYNAMIC_CLOAKING, IntPtr.Zero);
NtToken.EnableDebugPrivilege();
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
Form main_form;
if (args.Length > 0)
{
main_form = GetFormFromArgs(args);
if (main_form == null)
{
Environment.Exit(1);
}
}
else
{
main_form = new MainForm();
}
Application.Run(main_form);
}
static void Main(string[] args)
{
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
NtToken.EnableDebugPrivilege();
try
{
if (args.Length == 0)
{
Application.Run(new MainForm());
}
else
{
if (args.Length < 3)
{
var handle = new SafeKernelObjectHandle(new IntPtr(int.Parse(args[0])), true);
using (var section = NtSection.FromHandle(handle))
{
bool read_only = args.Length > 1 ? args[1].Equals("--readonly") : !section.IsAccessGranted(SectionAccessRights.MapWrite);
using (var map = read_only ? section.MapRead() : section.MapReadWrite())
{
using (SectionEditorForm frm = new SectionEditorForm(map, GetName(section, map), read_only))
{
Application.Run(frm);
}
}
}
}
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
private static NtToken GetSystemToken()
{
NtToken.EnableDebugPrivilege();
using (var ps = NtProcess.GetProcesses(ProcessAccessRights.QueryLimitedInformation).ToDisposableList())
{
Sid local_system = KnownSids.LocalSystem;
foreach (var p in ps)
{
using (var result = NtToken.OpenProcessToken(p, TokenAccessRights.Query | TokenAccessRights.Duplicate, false))
{
if (!result.IsSuccess)
{
continue;
}
var token = result.Result;
if (token.User.Sid == local_system &&
!token.Filtered &&
token.GetPrivilege(TokenPrivilegeValue.SeTcbPrivilege) != null &&
token.IntegrityLevel == TokenIntegrityLevel.System)
{
using (var imp_token = token.DuplicateToken(SecurityImpersonationLevel.Impersonation))
{
if (imp_token.SetPrivilege(TokenPrivilegeValue.SeTcbPrivilege, PrivilegeAttributes.Enabled))
{
using (imp_token.Impersonate())
{
return(LogonUtils.Logon("SYSTEM", "NT AUTHORITY", null,
SecurityLogonType.Service, Logon32Provider.Default, false).GetResultOrDefault());
}
}
}
}
}
}
}
return(null);
}
static void Main(string[] args)
{
bool verbose = false;
if (args.Length > 0 && args[0] == "-verbose")
{
verbose = true;
}
try
{
if (!NtToken.EnableDebugPrivilege())
{
Console.WriteLine("WARNING: Can't enable debug privilege. Some zombies may not be found. Run as admin for full results.");
}
var zombies = GetZombieObjectAddress();
Console.WriteLine("{0} total zombie processes.", zombies.Values.Count(h => !h.IsThread));
Console.WriteLine("{0} total zombie threads.", zombies.Values.Count(h => h.IsThread));
if (zombies.Count == 0)
{
Console.WriteLine("No zombies found. Maybe all software is working correctly, but I doubt it. " +
"More likely the zombie counting process failed for some reason. Please try again.");
}
// Create a list to store the pids of process that hold zombies, a list of zombie handles,
// a count of the zombies. The count is first for sorting.
List <Tuple <int, int, List <ZombieHandle> > > count_and_pid = new List <Tuple <int, int, List <ZombieHandle> > >();
foreach (var group in NtSystemInfo.GetHandles(-1, false).GroupBy(h => h.ProcessId))
{
var total = group.Where(h => zombies.ContainsKey(h.Object)).Select(h => zombies[h.Object]).ToList();
int count = total.Select(h => h.ProcessId).Distinct().Count();
if (count > 0)
{
count_and_pid.Add(Tuple.Create(count, group.Key, total));
}
}
// Print the processes holding handles to zombies, sorted by zombie count.
count_and_pid.Sort();
count_and_pid.Reverse();
foreach (var buggy_process in count_and_pid)
{
int count_by = buggy_process.Item1;
int pid = buggy_process.Item2;
var total = buggy_process.Item3;
Console.WriteLine(" {0} {1} held by {2}({3})", count_by, ZombiePluralized(count_by), GetProcessName(pid, verbose), pid);
var names = total.GroupBy(h => h.ProcessPath, StringComparer.CurrentCultureIgnoreCase);
var zombies_from_process = new List <Tuple <int, string, int, int> >();
foreach (var name in names)
{
int slash_index = name.Key.LastIndexOf('\\');
if (verbose)
{
slash_index = -1;
}
string process_name = name.Key.Substring(slash_index + 1);
int process_count = name.Count(h => !h.IsThread);
int thread_count = name.Count(h => h.IsThread);
int unique_process = name.Select(h => h.ProcessId).Distinct().Count();
zombies_from_process.Add(Tuple.Create(unique_process, process_name, process_count, thread_count));
}
// Print the processes being held as zombies, sorted by count.
zombies_from_process.Sort();
zombies_from_process.Reverse();
foreach (var zombie_process in zombies_from_process)
{
int total_count = zombie_process.Item1;
string process_name = zombie_process.Item2;
int process_count = zombie_process.Item3;
int thread_count = zombie_process.Item4;
Console.WriteLine(" {0} {1} of {2} - process handle count: {3} - thread handle count: {4}", total_count,
ZombiePluralized(total_count), process_name, process_count, thread_count);
}
}
if (!verbose)
{
Console.WriteLine("Pass -verbose to get full zombie names.");
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
int[] pids = new int[3];
if (GetConsoleProcessList(pids, 3) == 1)
{
Console.Write("Press any key to continue");
Console.ReadKey();
}
}
static void Main(string[] args)
{
Win32Process new_process = null;
try
{
CreateProcessFlags flags = CreateProcessFlags.None;
bool parent_process = false;
bool set_il = false;
TokenIntegrityLevel il = 0;
bool show_help = false;
OptionSet opts = new OptionSet()
{
{ "p", "Use parent technique to create the new process", v => parent_process = v != null },
{ "j", "Try and break away from the current process job", v => flags |= v != null ? CreateProcessFlags.BreakawayFromJob : 0 },
{ "c", "Create a new console for the process", v => flags |= v != null ? CreateProcessFlags.NewConsole : 0 },
{ "s", "Create the process suspended", v => flags |= v != null ? CreateProcessFlags.Suspended : 0 },
{ "i|il=", "Set the process IL level", v => {
il = ParseIL(v); set_il = true;
} },
{ "h|help", "show this message and exit", v => show_help = v != null },
};
int pid;
List <string> commands = opts.Parse(args);
if (show_help || commands.Count < 2)
{
ShowHelp(opts);
}
if (!int.TryParse(commands[0], out pid))
{
throw new ArgumentException("Couldn't parse PID value");
}
if (!NtToken.EnableDebugPrivilege())
{
Console.WriteLine("WARNING: Couldn't enable Debug privilege");
}
using (NtProcess process = NtProcess.Open(pid, ProcessAccessRights.MaximumAllowed))
{
if (parent_process)
{
new_process = Win32Process.CreateProcess(process, null, commands[1], set_il ? flags | CreateProcessFlags.Suspended : flags, null);
if (set_il)
{
using (NtToken token = new_process.Process.OpenToken())
{
token.SetIntegrityLevel(il);
}
if ((flags & CreateProcessFlags.Suspended) == 0)
{
new_process.Thread.Resume();
}
}
}
else
{
using (NtToken token = process.OpenToken())
{
using (NtToken target_token = token.DuplicateToken(TokenType.Primary, SecurityImpersonationLevel.Anonymous, TokenAccessRights.MaximumAllowed))
{
if (set_il)
{
target_token.SetIntegrityLevel(il);
}
new_process = Win32Process.CreateProcessAsUser(target_token, null, commands[1], flags, null);
}
}
}
using (new_process)
{
Console.WriteLine("Created Process: PID: {0}, SID {1}", new_process.Pid, new_process.Process.SessionId);
}
}
}
catch (Exception ex)
{
Console.WriteLine("ERROR: {0}", ex.Message);
if (new_process != null && new_process.Process != null)
{
try
{
new_process.Process.Terminate(NtStatus.STATUS_WAIT_1);
}
catch
{
}
}
}
}
static void Main(string[] args)
{
bool verbose = false;
if (args.Length > 0 && args[0] == "-verbose")
{
verbose = true;
}
try
{
if (!NtToken.EnableDebugPrivilege())
{
Console.WriteLine("WARNING: Can't enable debug privilege. Some zombies may not be found. Run as admin for full results.");
}
var zombies = GetZombieProcessObjectAddress();
var flattenList = zombies.Values.ToList();
var q = from x in flattenList
group x by x into g
let count = g.Count()
orderby count descending
select new { Value = g.Key, Count = count };
Dictionary <string, int> orphaned = q.ToDictionary(x => x.Value, x => x.Count);
Console.Write("{0} total zombie processes.", zombies.Count);
if (zombies.Count == 0)
{
Console.WriteLine("No zombies found. Maybe all software is working correctly, but I doubt it. " +
"More likely the zombie counting process failed for some reason. Please try again.");
}
// Create a list to store the pids of process that hold zombies, a list of zombie handles,
// a count of the zombies. The count is first for sorting.
List <Tuple <int, int, HandleList> > count_and_pid = new List <Tuple <int, int, HandleList> >();
foreach (var group in NtSystemInfo.GetHandles(-1, false).GroupBy(h => h.ProcessId))
{
var total = group.Where(h => zombies.ContainsKey(h.Object));
int count = total.Count();
if (count > 0)
{
count_and_pid.Add(new Tuple <int, int, HandleList>(count, group.Key, total));
}
}
// Print the processes holding handles to zombies, sorted by zombie count.
count_and_pid.Sort();
count_and_pid.Reverse();
int total_count_zombies = 0;
foreach (Tuple <int, int, HandleList> buggy_process in count_and_pid)
{
total_count_zombies += buggy_process.Item1;
}
int total_count_orphans = zombies.Count - total_count_zombies;
Console.WriteLine(" ({0} {1} and {2} {3})", total_count_zombies, ZombiePluralized(total_count_zombies), total_count_orphans, OrphanPluralized(total_count_orphans));
foreach (Tuple <int, int, HandleList> buggy_process in count_and_pid)
{
int count_by = buggy_process.Item1;
int pid = buggy_process.Item2;
HandleList total = buggy_process.Item3;
Console.WriteLine(" {0} {1} held by {2}({3})", count_by, ZombiePluralized(count_by), GetProcessName(pid, verbose), pid);
var names = total.GroupBy(h => zombies[h.Object], StringComparer.CurrentCultureIgnoreCase);
List <Tuple <int, string> > zombies_from_process = new List <Tuple <int, string> >();
foreach (var name in names)
{
int slash_index = name.Key.LastIndexOf('\\');
if (verbose)
{
slash_index = -1;
}
string process_name = name.Key.Substring(slash_index + 1);
zombies_from_process.Add(new Tuple <int, string>(name.Count(), process_name));
if (orphaned.ContainsKey(name.Key))
{
orphaned[name.Key] = orphaned[name.Key] - name.Count();
}
}
// Print the processes being held as zombies, sorted by count.
zombies_from_process.Sort();
zombies_from_process.Reverse();
foreach (var zombie_process in zombies_from_process)
{
int count_of = zombie_process.Item1;
string process_name = zombie_process.Item2;
Console.WriteLine(" {0} {1} of {2}", count_of, ZombiePluralized(count_of), process_name);
}
}
Console.WriteLine(" {0} {1}", total_count_orphans, OrphanPluralized(total_count_orphans));
foreach (var item in orphaned)
{
int slash_index = item.Key.LastIndexOf('\\');
if (verbose)
{
slash_index = -1;
}
string process_name = item.Key.Substring(slash_index + 1);
if (item.Value != 0)
{
Console.WriteLine(" {0} {1} of {2}", item.Value, OrphanPluralized(item.Value), process_name);
}
}
if (!verbose)
{
Console.WriteLine("Pass -verbose to get full zombie names.");
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
int[] pids = new int[3];
if (GetConsoleProcessList(pids, 3) == 1)
{
Console.Write("Press any key to continue");
Console.ReadKey();
}
}
static void Main(string[] args)
{
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
NtToken.EnableDebugPrivilege();
try
{
if (args.Length == 0)
{
Application.Run(new MainForm());
}
else
{
int handle = -1;
string text = String.Empty;
bool read_only = false;
bool delete_file = false;
string filename = string.Empty;
OptionSet opts = new OptionSet()
{
{ "handle=", "Specify an inherited handle to view.",
v => handle = int.Parse(v) },
{ "readonly", "Specify view section readonly", v => read_only = v != null },
{ "file=", "Specify a file to view", v => filename = v },
{ "delete", "Delete file after viewing", v => delete_file = v != null },
};
opts.Parse(args);
if (handle > 0)
{
using (var section = NtSection.FromHandle(new SafeKernelObjectHandle(new IntPtr(handle), true)))
{
read_only = read_only || !section.IsAccessGranted(SectionAccessRights.MapWrite);
using (var map = read_only ? section.MapRead() : section.MapReadWrite())
{
using (SectionEditorForm frm = new SectionEditorForm(map, GetName(section, map), read_only))
{
Application.Run(frm);
}
}
}
}
else if (File.Exists(filename))
{
try
{
using (var file = NtFile.Open(NtFileUtils.DosFileNameToNt(filename), null,
FileAccessRights.ReadData, FileShareMode.Read | FileShareMode.Delete, FileOpenOptions.NonDirectoryFile))
{
using (NtSection section = NtSection.CreateReadOnlyDataSection(file))
{
using (var map = section.MapRead())
{
using (SectionEditorForm frm = new SectionEditorForm(map, filename, true, file.Length))
{
Application.Run(frm);
}
}
}
}
}
finally
{
if (delete_file)
{
File.Delete(filename);
}
}
}
else
{
throw new Exception("Invalid command line arguments");
}
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
static void Main(string[] args)
{
bool show_help = false;
HashSet <string> mitigation_filter = new HashSet <string>(StringComparer.OrdinalIgnoreCase);
HashSet <string> process_filter = new HashSet <string>(StringComparer.CurrentCultureIgnoreCase);
HashSet <int> pid_filter = new HashSet <int>();
HashSet <string> cmdline_filter = new HashSet <string>();
bool all_mitigations = false;
bool print_command_line = false;
OptionSet p = new OptionSet()
{
{ "t|type=", "A filter for processes with a specific mitigation to display", v => mitigation_filter.Add(v.Trim()) },
{ "f|filter=", "A filter for the path of a process to display", v => process_filter.Add(v.Trim()) },
{ "p|pid=", "A filter for a specific PID to display", v => pid_filter.Add(int.Parse(v)) },
{ "c|cmd=", "A filter for the command line of a process to display", v => cmdline_filter.Add(v.Trim().ToLower()) },
{ "a|all", "Show all process mitigations", v => all_mitigations = v != null },
{ "l|cmdline", "Print the command line of the process", v => print_command_line = v != null },
{ "h|help", "show this message and exit",
v => show_help = v != null },
};
foreach (PropertyInfo prop in typeof(NtProcessMitigations).GetProperties())
{
_props.Add(prop.Name.ToLower(), prop);
}
try
{
p.Parse(args);
if (show_help)
{
ShowHelp(p);
}
else
{
NtToken.EnableDebugPrivilege();
IEnumerable <NtProcess> procs = NtProcess.GetProcesses(ProcessAccessRights.QueryInformation);
if (cmdline_filter.Count > 0)
{
procs = procs.Where(e => ContainsString(GetCommandLine(e).ToLower(), cmdline_filter));
}
if (pid_filter.Count > 0)
{
procs = procs.Where(e => pid_filter.Contains(e.ProcessId));
}
if (process_filter.Count > 0)
{
procs = procs.Where(e => ContainsString(e.GetImageFilePath(false).ToLower(), process_filter));
}
if (mitigation_filter.Count > 0)
{
procs = procs.Where(e => HasPropertySet(e.Mitigations, mitigation_filter));
}
foreach (NtProcess entry in procs)
{
DumpProcessEntry(entry, mitigation_filter, all_mitigations, print_command_line);
}
}
}
catch (Exception ex)
{
Console.WriteLine(ex);
}
}
static void Main(string[] args)
{
bool verbose = false;
if (args.Length > 0 && args[0] == "-verbose")
{
verbose = true;
}
try
{
if (!NtToken.EnableDebugPrivilege())
{
Console.WriteLine("WARNING: Can't enable debug privilege. Some process names may be missing.");
}
var zombies = GetZombieProcessObjectAddress();
Console.WriteLine("{0} total zombie processes.", zombies.Count);
if (zombies.Count == 0)
{
Console.WriteLine("No zombies found. Maybe all software is working correctly, but I doubt it. " +
"More likely the zombie counting process failed for some reason. Please try again.");
}
// Create a list to store the pids of process that hold zombies, a list of zombie handles,
// a count of the zombies. The count is first for sorting.
List <Tuple <int, int, HandleList> > count_and_pid = new List <Tuple <int, int, HandleList> >();
foreach (var group in NtSystemInfo.GetHandles(-1, false).GroupBy(h => h.ProcessId))
{
var total = group.Where(h => zombies.ContainsKey(h.Object));
int count = total.Count();
if (count > 0)
{
count_and_pid.Add(new Tuple <int, int, HandleList>(count, group.Key, total));
}
}
// Print the processes holding handles to zombies, sorted by zombie count.
count_and_pid.Sort();
count_and_pid.Reverse();
foreach (Tuple <int, int, HandleList> buggy_process in count_and_pid)
{
int count_by = buggy_process.Item1;
int pid = buggy_process.Item2;
HandleList total = buggy_process.Item3;
Console.WriteLine(" {0} {1} held by {2}({3})", count_by, ZombiePluralized(count_by), GetProcessName(pid, verbose), pid);
var names = total.GroupBy(h => zombies[h.Object], StringComparer.CurrentCultureIgnoreCase);
List <Tuple <int, string> > zombies_from_process = new List <Tuple <int, string> >();
foreach (var name in names)
{
int slash_index = name.Key.LastIndexOf('\\');
if (verbose)
{
slash_index = -1;
}
string process_name = name.Key.Substring(slash_index + 1);
zombies_from_process.Add(new Tuple <int, string>(name.Count(), process_name));
}
// Print the processes being held as zombies, sorted by count.
zombies_from_process.Sort();
zombies_from_process.Reverse();
foreach (var zombie_process in zombies_from_process)
{
int count_of = zombie_process.Item1;
string process_name = zombie_process.Item2;
Console.WriteLine(" {0} {1} of {2}", count_of, ZombiePluralized(count_of), process_name);
}
}
if (!verbose)
{
Console.WriteLine("Pass -verbose to get full zombie names.");
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
}
static void Main(string[] args)
{
try
{
int pid = NtProcess.Current.ProcessId;
bool show_help = false;
bool print_sddl = false;
OptionSet opts = new OptionSet()
{
{ "p|pid=", "Specify a PID of a process for access check.", v => pid = int.Parse(v.Trim()) },
{ "sddl", "Print SDDL security descriptor.", v => print_sddl = v != null },
{ "h|help", "show this message and exit",
v => show_help = v != null },
};
HashSet <int> pids = new HashSet <int>(opts.Parse(args).Select(a => int.Parse(a)));
if (show_help)
{
ShowHelp(opts);
return;
}
Dictionary <string, string> ports = new Dictionary <string, string>(StringComparer.OrdinalIgnoreCase);
NtToken.EnableDebugPrivilege();
using (NtToken token = NtToken.OpenProcessToken(pid))
{
IEnumerable <NtHandle> handles = NtSystemInfo.GetHandles(-1, false);
HashSet <ulong> checked_objects = new HashSet <ulong>();
if (pids.Count > 0)
{
handles = handles.Where(h => pids.Contains(h.ProcessId));
}
handles = handles.Where(h => h.ObjectType.Equals("ALPC Port", StringComparison.OrdinalIgnoreCase));
Dictionary <int, NtProcess> pid_to_process = new Dictionary <int, NtProcess>();
foreach (NtHandle handle in handles.Where(h => h.GrantedAccess.IsAccessGranted(GenericAccessRights.ReadControl)))
{
if (!pid_to_process.ContainsKey(handle.ProcessId))
{
var result = NtProcess.Open(handle.ProcessId,
ProcessAccessRights.QueryLimitedInformation | ProcessAccessRights.DupHandle, false);
pid_to_process[handle.ProcessId] = result.IsSuccess ? result.Result : null;
}
NtProcess proc = pid_to_process[handle.ProcessId];
if (proc == null)
{
continue;
}
try
{
using (NtAlpc obj = NtAlpc.DuplicateFrom(proc, new IntPtr(handle.Handle)))
{
string name = obj.FullPath;
// We only care about named ALPC ports.
if (String.IsNullOrEmpty(name))
{
continue;
}
if (ports.ContainsKey(name))
{
continue;
}
SecurityDescriptor sd = obj.SecurityDescriptor;
AccessMask granted_access = NtSecurity.GetAllowedAccess(sd, token, AlpcAccessRights.Connect, obj.NtType.GenericMapping);
if (granted_access.IsEmpty)
{
continue;
}
ports.Add(name, sd.ToSddl());
}
}
catch (NtException)
{
}
}
}
foreach (var pair in ports.OrderBy(p => p.Key))
{
Console.WriteLine(pair.Key);
if (print_sddl)
{
Console.WriteLine("SDDL: {0}", pair.Value);
}
}
}
catch (Exception ex)
{
Console.Error.WriteLine(ex.Message);
}
}
