private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
{
if (!NtToken.EnableDebugPrivilege())
{
WriteWarning("Current process doesn't have SeDebugPrivilege, results may be inaccurate");
}
NtType type = NtType.GetTypeByType <NtToken>();
AccessMask access_rights = type.MapGenericRights(AccessRights);
int current_session_id = NtProcess.Current.SessionId;
using (var procs = NtProcess.GetProcesses(ProcessAccessRights.QueryInformation | ProcessAccessRights.ReadControl, false).ToDisposableList())
{
IEnumerable <NtProcess> proc_enum = procs;
if (CurrentSession)
{
proc_enum = proc_enum.Where(p => CheckSession(p, current_session_id));
}
foreach (var proc in proc_enum.Where(p => ShowDeadProcesses || !p.IsDeleting))
{
using (var result = NtToken.OpenProcessToken(proc, TokenAccessRights.ReadControl | TokenAccessRights.Query, false))
{
if (!result.IsSuccess)
{
WriteWarning($"Couldn't open token for Process {proc.Name} PID: {proc.ProcessId} Status: {result.Status}");
continue;
}
NtToken primary_token = result.Result;
var sd_result = primary_token.GetSecurityDescriptor(SecurityInformation.AllBasic, false);
if (!sd_result.IsSuccess)
{
WriteWarning($"Couldn't get token's Security Descriptor for Process {proc.Name} PID: {proc.ProcessId} Status: {sd_result.Status}");
continue;
}
var sd = sd_result.Result;
string process_name = proc.Name;
string process_cmdline = proc.CommandLine;
string image_path = proc.FullPath;
int process_id = proc.ProcessId;
foreach (var token in tokens)
{
if (proc.GetMaximumAccess(token.Token).HasFlag(ProcessAccessRights.QueryLimitedInformation))
{
AccessMask granted_access = NtSecurity.GetMaximumAccess(sd, token.Token, type.GenericMapping);
if (IsAccessGranted(granted_access, access_rights))
{
WriteObject(new TokenAccessCheckResult(primary_token, proc,
granted_access, sd, token.Information));
}
}
}
}
}
}
}
