/// <summary>
/// Opens a <see cref="TokenForm"/> for the token carried by a process or thread entry.
/// </summary>
/// <param name="process">Entry to display. A null entry is ignored and no form is opened.</param>
/// <param name="text">Caption text forwarded to the <see cref="TokenForm"/> constructor.</param>
/// <param name="copy">When true the form is given <c>process.Clone()</c> instead of <paramref name="process"/> itself.</param>
/// <param name="thread">Forwarded to the <see cref="TokenForm"/> constructor, which uses it to pick the thread token instead of the process token.</param>
internal static void OpenForm(ProcessTokenEntry process, string text, bool copy, bool thread)
{
    if (process == null)
    {
        return;
    }

    // NOTE(review): the clone presumably gives the form its own entry (and handles) so that it
    // can outlive the caller's entry; confirm against ProcessTokenEntry.Clone.
    var entry = copy ? process.Clone() : process;
    OpenForm(new TokenForm(entry, text, thread));
}
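/// <summary>
/// Shows a modal viewer for the security descriptor recorded on a process entry.
/// </summary>
/// <param name="process">
/// Entry supplying the window title (<c>Name:ProcessId</c>) and the <c>ProcessSecurity</c>
/// descriptor to display. Must not be null.
/// </param>
private void ShowProcessSecurity(ProcessTokenEntry process)
{
    string title = $"{process.Name}:{process.ProcessId}";

    // A form shown with ShowDialog is not disposed when it is closed, so release it
    // explicitly rather than leaving its window resources to the finalizer.
    using (var viewer = new SecurityDescriptorViewerForm(
        title,
        process.ProcessSecurity,
        NtType.GetTypeByType<NtProcess>(),
        false))
    {
        viewer.ShowDialog(this);
    }
}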
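/// <summary>
/// Builds a display label for a Chrome process from the <c>--type=</c> switch on its command line.
/// </summary>
/// <param name="entry">Process entry whose <c>CommandLine</c> is parsed.</param>
/// <returns>
/// <c>"Sandbox: "</c> followed by the value of the first argument that starts with
/// <c>--type=</c>, or <c>"Unknown"</c> when no such argument is present.
/// </returns>
/// <remarks>
/// The label is derived only from the command-line text on the entry; this method does not look
/// at the token. A command line is chosen by whoever started the process, so the result is a
/// hint for the viewer and should be checked against the token properties themselves.
/// </remarks>
private static string GetChromeSandboxType(ProcessTokenEntry entry)
{
    const string TypeSwitch = "--type=";

    string[] args = Win32Utils.ParseCommandLine(entry.CommandLine);
    foreach (string arg in args)
    {
        // Ordinal comparison: switch names are fixed ASCII, and a culture-sensitive match can
        // skip ignorable characters, which would make the fixed-length Substring slice the
        // wrong part of the argument.
        if (arg.StartsWith(TypeSwitch, StringComparison.Ordinal))
        {
            return $"Sandbox: {arg.Substring(TypeSwitch.Length)}";
        }
    }

    return "Unknown";
}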
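/// <summary>
/// Builds a display label for a Chrome process from the <c>--type=</c> and
/// <c>--utility-sub-type=</c> switches on its command line.
/// </summary>
/// <param name="entry">Process entry whose <c>CommandLine</c> is parsed.</param>
/// <returns>
/// <c>"Sandbox: "</c> followed by the <c>--type=</c> value, by <c>utility.&lt;sub-type&gt;</c>
/// when a <c>--utility-sub-type=</c> switch is found, or by <c>Unknown</c> when neither switch
/// is present.
/// </returns>
/// <remarks>
/// The label is derived only from the command-line text on the entry; this method does not look
/// at the token. A command line is chosen by whoever started the process, so the result is a
/// hint for the viewer and should be checked against the token properties themselves.
/// </remarks>
private static string GetChromeSandboxType(ProcessTokenEntry entry)
{
    const string TypeSwitch = "--type=";
    const string UtilitySubTypeSwitch = "--utility-sub-type=";

    string[] args = Win32Utils.ParseCommandLine(entry.CommandLine);
    string sandbox_type = null;

    foreach (string arg in args)
    {
        // Ordinal comparison: switch names are fixed ASCII, and a culture-sensitive match can
        // skip ignorable characters, which would make the fixed-length Substring slice the
        // wrong part of the argument.
        if (arg.StartsWith(TypeSwitch, StringComparison.Ordinal))
        {
            sandbox_type = arg.Substring(TypeSwitch.Length);

            // A plain "utility" type may be refined by a later sub-type switch, so keep
            // scanning in that case only; any other type is final.
            if (!sandbox_type.Equals("utility", StringComparison.OrdinalIgnoreCase))
            {
                break;
            }
        }
        else if (arg.StartsWith(UtilitySubTypeSwitch, StringComparison.Ordinal))
        {
            sandbox_type = $"utility.{arg.Substring(UtilitySubTypeSwitch.Length)}";
            break;
        }
    }

    return $"Sandbox: {sandbox_type ?? "Unknown"}";
}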
/// <summary>
/// Creates the token viewer for <paramref name="token"/> and fills every page of the form.
/// </summary>
/// <param name="process">Entry the token came from; passed on to <c>UpdateTokenData</c>, which accepts null.</param>
/// <param name="token">Token to display. Stored in <c>_token</c>.</param>
/// <param name="text">Caption text combined with the token by <c>GetFormText</c>.</param>
private TokenForm(ProcessTokenEntry process, NtToken token, string text)
{
    InitializeComponent();
    Disposed += TokenForm_Disposed;
    _token = token;
    Text = GetFormText(token, text);

    // The integrity-level combos must be populated before UpdateTokenData runs, because it
    // selects the token's current level in both of them.
    foreach (object level in Enum.GetValues(typeof(TokenIntegrityLevel)))
    {
        comboBoxIL.Items.Add(level);
        comboBoxILForDup.Items.Add(level);
    }

    UpdateTokenData(process);

    // Sorters are attached after the lists have been filled; each sorts on column 0.
    listViewGroups.ListViewItemSorter = new ListItemComparer(0);
    listViewPrivs.ListViewItemSorter = new ListItemComparer(0);
    listViewRestrictedSids.ListViewItemSorter = new ListItemComparer(0);
    listViewCapabilities.ListViewItemSorter = new ListItemComparer(0);

    // Choices offered for duplicating the token; defaults are an impersonation-level
    // impersonation token.
    var impersonationLevels = new[]
    {
        SecurityImpersonationLevel.Anonymous,
        SecurityImpersonationLevel.Identification,
        SecurityImpersonationLevel.Impersonation,
        SecurityImpersonationLevel.Delegation,
    };
    foreach (var impLevel in impersonationLevels)
    {
        comboBoxImpLevel.Items.Add(impLevel);
    }
    comboBoxImpLevel.SelectedItem = SecurityImpersonationLevel.Impersonation;

    var tokenTypes = new[] { TokenType.Primary, TokenType.Impersonation };
    foreach (var tokenType in tokenTypes)
    {
        comboBoxTokenType.Items.Add(tokenType);
    }
    comboBoxTokenType.SelectedItem = TokenType.Impersonation;

    foreach (object saferLevel in Enum.GetValues(typeof(SaferLevel)))
    {
        comboBoxSaferLevel.Items.Add(saferLevel);
    }
    comboBoxSaferLevel.SelectedItem = SaferLevel.NormalUser;
}
/// <summary>
/// Creates the token viewer for the process token or the thread token of an entry.
/// </summary>
/// <param name="process">Entry supplying the token. Must not be null.</param>
/// <param name="text">Caption text passed to the private constructor.</param>
/// <param name="thread">
/// When true, <paramref name="process"/> is cast to <see cref="ThreadTokenEntry"/> and its
/// <c>ThreadToken</c> is shown; otherwise <c>ProcessToken</c> is shown.
/// </param>
/// <exception cref="InvalidCastException">
/// <paramref name="thread"/> is true but <paramref name="process"/> is not a <see cref="ThreadTokenEntry"/>.
/// </exception>
internal TokenForm(ProcessTokenEntry process, string text, bool thread)
    : this(
        process,
        !thread ? process.ProcessToken : ((ThreadTokenEntry)process).ThreadToken,
        text)
{
}
/// <summary>
/// Fills every control on the form from <c>_token</c> and, when available, from the entry the
/// token was taken from. Tab pages that do not apply to this token are removed.
/// </summary>
/// <param name="process">
/// Process or thread entry that owns the token, or null. When null the token-source page is
/// removed; when it is a <see cref="ThreadTokenEntry"/> the thread fields are filled as well.
/// </param>
private void UpdateTokenData(ProcessTokenEntry process)
{
    // --- Identity and general information ---
    UserGroup tokenUser = _token.User;
    txtUsername.Text = tokenUser.ToString();
    txtUserSid.Text = tokenUser.Sid.ToString();

    TokenType kind = _token.TokenType;
    txtTokenType.Text = kind.ToString();

    // The impersonation level is only read for impersonation tokens.
    txtImpLevel.Text = kind == TokenType.Impersonation
        ? _token.ImpersonationLevel.ToString()
        : "N/A";

    txtTokenId.Text = _token.Id.ToString();
    txtModifiedId.Text = _token.ModifiedId.ToString();
    txtAuthId.Text = _token.AuthenticationId.ToString();

    // A level that is not a named TokenIntegrityLevel member cannot be selected from the
    // combo items, so it is shown as free text instead.
    if (Enum.IsDefined(typeof(TokenIntegrityLevel), _token.IntegrityLevel))
    {
        comboBoxIL.SelectedItem = _token.IntegrityLevel;
        comboBoxILForDup.SelectedItem = _token.IntegrityLevel;
    }
    else
    {
        comboBoxIL.Text = _token.IntegrityLevel.ToString();
        comboBoxILForDup.Text = _token.IntegrityLevel.ToString();
    }

    txtSessionId.Text = _token.SessionId.ToString();

    // The token source is only read when the handle was granted QuerySource access.
    if (!_token.IsAccessGranted(TokenAccessRights.QuerySource))
    {
        txtSourceName.Text = "N/A";
        txtSourceId.Text = "N/A";
    }
    else
    {
        txtSourceName.Text = _token.Source.SourceName;
        txtSourceId.Text = _token.Source.SourceIdentifier.ToString();
    }

    TokenElevationType elevation = _token.ElevationType;
    txtElevationType.Text = elevation.ToString();
    txtIsElevated.Text = _token.Elevated.ToString();
    txtOriginLoginId.Text = _token.Origin.ToString();

    // The linked-token button is offered for every elevation type other than Default.
    btnLinkedToken.Enabled = elevation != TokenElevationType.Default;
    btnLinkedToken.Visible = btnLinkedToken.Enabled;

    UpdateGroupList();

    txtPrimaryGroup.Text = _token.PrimaryGroup.Name;
    txtOwner.Text = _token.Owner.Name;

    // --- Default DACL ---
    Acl defaultDacl = _token.DefaultDacl;
    if (defaultDacl.NullAcl)
    {
        listViewDefDacl.Items.Add("No Default DACL");
    }
    else
    {
        foreach (Ace entry in defaultDacl)
        {
            UserGroup trustee = new UserGroup(entry.Sid, GroupAttributes.None);
            ListViewItem row = new ListViewItem(trustee.ToString());

            // Rights that can be rendered by name. A mask holding any bit outside this set is
            // shown as raw hex so that nothing in it is hidden from the reader.
            AccessMask namedRights = GenericAccessRights.GenericAll
                | GenericAccessRights.GenericExecute
                | GenericAccessRights.GenericRead
                | GenericAccessRights.GenericWrite
                | GenericAccessRights.AccessSystemSecurity
                | GenericAccessRights.Delete
                | GenericAccessRights.ReadControl
                | GenericAccessRights.Synchronize
                | GenericAccessRights.WriteDac
                | GenericAccessRights.WriteOwner;

            string maskText = (entry.Mask & ~namedRights).HasAccess
                ? $"0x{entry.Mask:X08}"
                : entry.Mask.ToGenericAccess().ToString();

            row.SubItems.Add(maskText);
            row.SubItems.Add(entry.Flags.ToString());
            row.SubItems.Add(entry.Type.ToString());
            listViewDefDacl.Items.Add(row);
        }
    }

    listViewDefDacl.AutoResizeColumns(ColumnHeaderAutoResizeStyle.ColumnContent);
    listViewDefDacl.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);

    // --- Restricted SIDs (page removed for unrestricted tokens) ---
    if (!_token.Restricted)
    {
        tabControlMain.TabPages.Remove(tabPageRestricted);
    }
    else
    {
        PopulateGroupList(listViewRestrictedSids, _token.RestrictedSids, false);
        if (_token.WriteRestricted)
        {
            tabPageRestricted.Text = "Write Restricted SIDs";
        }
    }

    // --- AppContainer (page removed for tokens that are not AppContainer tokens) ---
    if (!_token.AppContainer)
    {
        tabControlMain.TabPages.Remove(tabPageAppContainer);
    }
    else
    {
        PopulateGroupList(listViewCapabilities, _token.Capabilities, false);
        txtACNumber.Text = _token.AppContainerNumber.ToString();
        txtPackageName.Text = _token.AppContainerSid.Name;
        txtPackageSid.Text = _token.AppContainerSid.ToString();
    }

    // --- Token source: the process or thread the token was taken from ---
    if (process == null)
    {
        tabControlMain.TabPages.Remove(tabPageTokenSource);
    }
    else
    {
        txtProcessId.Text = process.ProcessId.ToString();
        txtProcessImagePath.Text = process.ImagePath;
        txtProcessCommandLine.Text = process.CommandLine;

        if (process is ThreadTokenEntry threadEntry)
        {
            txtThreadId.Text = threadEntry.ThreadId.ToString();
            txtThreadName.Text = threadEntry.ThreadName;
        }
        else
        {
            groupThread.Visible = false;
        }
    }

    // --- Miscellaneous flags ---
    txtUIAccess.Text = _token.UIAccess.ToString();
    txtSandboxInert.Text = _token.SandboxInert.ToString();

    bool canVirtualize = _token.VirtualizationAllowed;
    txtVirtualizationAllowed.Text = canVirtualize.ToString();
    btnToggleVirtualizationEnabled.Enabled = canVirtualize;
    btnToggleVirtualizationEnabled.Visible = canVirtualize;

    // The enabled state is only read when virtualization is allowed for this token.
    txtVirtualizationEnabled.Text = canVirtualize
        ? _token.VirtualizationEnabled.ToString()
        : "N/A";

    txtMandatoryILPolicy.Text = _token.MandatoryPolicy.ToString();
    txtHandleAccess.Text = _token.GrantedAccess.ToString();

    Sid trustSid = _token.TrustLevel;
    if (trustSid != null)
    {
        txtTrustLevel.Text = trustSid.Name;
    }
    else
    {
        txtTrustLevel.Text = "N/A";
    }

    UpdateTokenFlags();
    UpdatePrivileges();

    // --- Security attributes and device groups ---
    UpdateSecurityAttributes(
        tabPageLocalSecurityAttributes,
        treeViewLocalSecurityAttributes,
        SecurityAttributeType.Local);
    UpdateSecurityAttributes(
        tabPageUserClaimSecurityAttributes,
        treeViewUserClaimSecurityAttributes,
        SecurityAttributeType.User);
    UpdateSecurityAttributes(
        tabPageDeviceClaimSecurityAttributes,
        treeViewDeviceClaimSecurityAttributes,
        SecurityAttributeType.Device);

    if (_token.DeviceGroups.Length > 0)
    {
        PopulateGroupList(listViewDeviceGroup, _token.DeviceGroups, false);
    }
    else
    {
        tabControlSecurityAttributes.TabPages.Remove(tabPageDeviceGroup);
    }

    // Hide the section label once no attribute page is left in the tab control.
    if (tabControlSecurityAttributes.TabCount == 0)
    {
        lblSecurityAttributes.Visible = false;
    }

    // --- Token security descriptor: only read when the handle was granted ReadControl ---
    if (!_token.IsAccessGranted(TokenAccessRights.ReadControl))
    {
        tabControlMain.TabPages.Remove(tabPageSecurity);
    }
    else
    {
        securityDescriptorViewerControl.SetSecurityDescriptor(
            _token.SecurityDescriptor,
            _token.NtType,
            _token.NtType.ValidAccess);
    }
}