Пример #1
        ////////////////////////////////////////////////////////////////////////////////
        // Displays the owner (SID and account name) of the working token
        ////////////////////////////////////////////////////////////////////////////////
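        /// <summary>
        /// Queries the TokenOwner information class of <c>hWorkingToken</c> and prints the
        /// owner SID together with the account name resolved for it.
        /// </summary>
        /// <remarks>
        /// The native buffer is stored in <c>hTokenOwner</c>, which is not declared in this
        /// method, and it is deliberately not released here: <c>tokenOwner.Owner</c> is a
        /// pointer read out of that buffer and is still dereferenced by
        /// <c>_ReadSidAndName</c>. NOTE(review): confirm that the owning type frees
        /// <c>hTokenOwner</c>; every call overwrites the previous pointer, so an earlier
        /// allocation leaks unless it is released elsewhere.
        /// </remarks>
        public void GetTokenOwner()
        {
            uint returnLength;

            // Pass 1: zero-length query, made only to learn the required buffer size.
            // It is expected to report failure, so the size is checked instead of the result.
            advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenOwner, IntPtr.Zero, 0, out returnLength);
            if (0 == returnLength)
            {
                // No size came back (e.g. an unusable token handle): report the sizing
                // call itself instead of allocating an empty buffer and blaming pass 2.
                Misc.GetWin32Error("GetTokenInformation (TokenOwner) - Pass 1");
                return;
            }

            hTokenOwner = Marshal.AllocHGlobal((int)returnLength);
            try
            {
                // Pass 2: the real query into the buffer sized by pass 1.
                if (!advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenOwner, hTokenOwner, returnLength, out returnLength))
                {
                    Misc.GetWin32Error("GetTokenInformation (TokenOwner) - Pass 2");
                    return;
                }

                tokenOwner = (Ntifs._TOKEN_OWNER)Marshal.PtrToStructure(hTokenOwner, typeof(Ntifs._TOKEN_OWNER));
                if (IntPtr.Zero == tokenOwner.Owner)
                {
                    // A null SID pointer must not be handed to the SID reader below.
                    Misc.GetWin32Error("PtrToStructure");
                    return;
                }
            }
            catch (Exception ex)
            {
                Misc.GetWin32Error("GetTokenInformation (TokenOwner) - Pass 2");
                Console.WriteLine(ex.Message);
                return;
            }

            Console.WriteLine("[+] Owner: ");

            // Both values are out parameters, so no pre-initialisation is needed.
            string sid, account;
            _ReadSidAndName(tokenOwner.Owner, out sid, out account);
            Console.WriteLine("{0,-50} {1}", sid, account);
        }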
Пример #2
        /// <summary>
        /// Fills a <c>_TOKEN_OWNER</c> structure with the SID that <c>_LookupSid</c>
        /// resolves for the given domain and user name.
        /// </summary>
        /// <param name="domain">Domain passed through to <c>_LookupSid</c>.</param>
        /// <param name="userName">Account name passed through to <c>_LookupSid</c>.</param>
        /// <param name="tokenOwner">
        /// Always assigned a new structure; its <c>Owner</c> field is set only when the
        /// lookup succeeds.
        /// </param>
        /// <returns><c>true</c> when the SID lookup succeeded, otherwise <c>false</c>.</returns>
        private bool CreateTokenOwner(string domain, string userName, out Ntifs._TOKEN_OWNER tokenOwner)
        {
            Console.WriteLine("[*] _TOKEN_OWNER");
            tokenOwner = new Ntifs._TOKEN_OWNER();

            // NOTE(review): the memory behind ownerSid is presumably allocated by
            // _LookupSid; nothing in this method releases it - confirm who owns it.
            IntPtr ownerSid = IntPtr.Zero;
            bool resolved = _LookupSid(domain, userName, ref ownerSid);
            if (resolved)
            {
                tokenOwner.Owner = ownerSid;
            }

            return resolved;
        }
Пример #3
 // P/Invoke declaration for the native NtCreateToken call. The DllImport attribute is
 // outside this excerpt (NOTE(review): presumably ntdll.dll - confirm).
 // The uint return value is the NTSTATUS of the call; 0 is STATUS_SUCCESS.
 // Windows honours this call only for a caller holding SeCreateTokenPrivilege
 // ("Create a token object"), so grants of that user right and its use are the points
 // to audit when reviewing a system for token forgery exposure.
 // Every structure is passed by ref, so its managed layout must match the native one.
 public static extern uint NtCreateToken(
     out IntPtr TokenHandle, // receives the handle of the created token
     uint DesiredAccess, // access mask requested for the returned handle
     ref wudfwdm._OBJECT_ATTRIBUTES ObjectAttributes,
     Winnt._TOKEN_TYPE TokenType,
     ref Winnt._LUID AuthenticationId, // LUID for the token; the original note says it comes from NtAllocateLocallyUniqueId
     ref long ExpirationTime, // 64-bit value passed by reference
     ref Ntifs._TOKEN_USER TokenUser,
     ref Ntifs._TOKEN_GROUPS_DYNAMIC TokenGroups,
     ref Winnt._TOKEN_PRIVILEGES_ARRAY TokenPrivileges,
     ref Ntifs._TOKEN_OWNER TokenOwner,
     ref Winnt._TOKEN_PRIMARY_GROUP TokenPrimaryGroup,
     ref Winnt._TOKEN_DEFAULT_DACL TokenDefaultDacl,
     ref Winnt._TOKEN_SOURCE TokenSource
     );