private void Window_Loaded(object sender, RoutedEventArgs e) { try { // Получаем и отображаем текущий integrity level IntegrityLevel il = ProccessIntegrityLevelHelper.GetCurrentProcessIntegrityLevel(); switch (il) { case IntegrityLevel.Unknown: lblIntegrityLevel.Content = "Неизвестный"; break; case IntegrityLevel.Untrusted: lblIntegrityLevel.Content = "Недоверенный"; break; case IntegrityLevel.Low: lblIntegrityLevel.Content = "Низкий"; break; case IntegrityLevel.Medium: lblIntegrityLevel.Content = "Средний"; break; case IntegrityLevel.High: lblIntegrityLevel.Content = "Высокий"; break; case IntegrityLevel.System: lblIntegrityLevel.Content = "Системный"; break; } } catch (Win32Exception) { lblIntegrityLevel.Content = "N/A"; } }
/// <summary> /// https://tc39.es/ecma262/#sec-testintegritylevel /// </summary> private static JsValue TestIntegrityLevel(ObjectInstance o, IntegrityLevel level) { if (o.Extensible) { return(JsBoolean.False); } foreach (var k in o.GetOwnPropertyKeys()) { var currentDesc = o.GetOwnProperty(k); if (currentDesc != PropertyDescriptor.Undefined) { if (currentDesc.Configurable) { return(JsBoolean.False); } if (level == IntegrityLevel.Frozen && currentDesc.IsDataDescriptor()) { if (currentDesc.Writable) { return(JsBoolean.False); } } } } return(JsBoolean.True); }
private static bool TestIntegrityLevel([NotNull] ScriptObject obj, IntegrityLevel level) { //https://tc39.github.io/ecma262/#sec-testintegritylevel var status = obj.IsExtensible; if (status) { return(false); } //NOTE: If the object is extensible, none of its properties are examined. var keys = obj.OwnPropertyKeys(); foreach (var key in keys) { var currentDescriptor = obj.GetOwnProperty(key); if (currentDescriptor != null) { if (currentDescriptor.Configurable) { return(false); } if (level == IntegrityLevel.Frozen && currentDescriptor.IsDataDescriptor) { if (currentDescriptor.Writable) { return(false); } } } } return(true); }
/// <summary> /// You can only call this if you are elevated. /// </summary> public static SafeProcessHandle StartAttachedWithIntegrity(IntegrityLevel integrityLevel, string appToRun, string args, string startupFolder, bool newWindow, bool hidden) { // must return a process Handle because we cant create a Process() from a handle and get the exit code. Logger.Instance.Log($"{nameof(StartAttachedWithIntegrity)}: {appToRun} {args}", LogLevel.Debug); int currentIntegrity = ProcessHelper.GetCurrentIntegrityLevel(); SafeTokenHandle newToken; if ((int)integrityLevel == currentIntegrity) { return(new SafeProcessHandle(StartAttached(appToRun, args).Handle, true)); } if (integrityLevel >= IntegrityLevel.Medium) // Unelevation request. { try { return(TokenProvider .CreateFromSystemAccount() .EnablePrivilege(Privilege.SeIncreaseQuotaPrivilege, false) .EnablePrivilege(Privilege.SeAssignPrimaryTokenPrivilege, false) .Impersonate(() => { newToken = TokenProvider.CreateFromCurrentProcessToken().GetLinkedToken() .SetIntegrity(integrityLevel) .GetToken(); using (newToken) { return CreateProcessAsUser(newToken, appToRun, args, startupFolder, newWindow, hidden); } })); } catch (Exception e) { Logger.Instance.Log("Unable to get unelevated token. (Is UAC enabled?) Fallback to SaferApi Token but this process won't be able to elevate." + e.Message, LogLevel.Debug); newToken = TokenProvider.CreateFromSaferApi(SaferLevels.NormalUser) .SetIntegrity(integrityLevel) .GetToken(); } using (newToken) { return(CreateProcessAsUser(newToken, appToRun, args, startupFolder, newWindow, hidden)); } } else { // Integrity < Medium var tf = TokenProvider.CreateFromSaferApi(integrityLevel.ToSaferLevel()) .SetIntegrity(integrityLevel); newToken = tf.GetToken(); } using (newToken) { return(CreateProcessAsUser(newToken, appToRun, args, startupFolder, newWindow, hidden)); } }
private static IntPtr GetIntegritySid(IntegrityLevel level) // https://msdn.microsoft.com/en-us/library/bb625963.aspx { if (!ConvertStringSidToSid($"S-1-16-{4096 * ((int)level)}", out IntPtr pIntegritySid)) { throw new Win32Exception(); } return(pIntegritySid); }
/// <summary> /// https://tc39.es/ecma262/#sec-setintegritylevel /// </summary> private static bool SetIntegrityLevel(ObjectInstance o, IntegrityLevel level) { var status = o.PreventExtensions(); if (!status) { return(false); } var keys = o.GetOwnPropertyKeys(); if (level == IntegrityLevel.Sealed) { for (var i = 0; i < keys.Count; i++) { var k = keys[i]; o.DefinePropertyOrThrow(k, new PropertyDescriptor { Configurable = false }); } } else { for (var i = 0; i < keys.Count; i++) { var k = keys[i]; var currentDesc = o.GetOwnProperty(k); if (currentDesc != PropertyDescriptor.Undefined) { PropertyDescriptor desc; if (currentDesc.IsAccessorDescriptor()) { desc = new PropertyDescriptor { Configurable = false }; } else { desc = new PropertyDescriptor { Configurable = false, Writable = false }; } o.DefinePropertyOrThrow(k, desc); } } } return(true); }
public static SaferLevels ToSaferLevel(this IntegrityLevel integrityLevel) { if (integrityLevel >= IntegrityLevel.High) { return(SaferLevels.FullyTrusted); } if (integrityLevel >= IntegrityLevel.Medium) { return(SaferLevels.NormalUser); } if (integrityLevel >= IntegrityLevel.Low) { return(SaferLevels.Constrained); } return(SaferLevels.Untrusted); }
internal static string ToSerializedValue(this IntegrityLevel value) { switch (value) { case IntegrityLevel.Untrusted: return("Untrusted"); case IntegrityLevel.Low: return("Low"); case IntegrityLevel.Medium: return("Medium"); case IntegrityLevel.High: return("High"); case IntegrityLevel.System: return("System"); } return(null); }
/// <summary> /// Initializes a new instance of the Grunt class. /// </summary> /// <param name="dotNetVersion">Possible values include: 'Net35', /// 'Net40', 'NetCore31'</param> /// <param name="runtimeIdentifier">Possible values include: 'win_x64', /// 'win_x86', 'win_arm', 'win_arm64', 'win7_x64', 'win7_x86', /// 'win81_x64', 'win81_x86', 'win81_arm', 'win10_x64', 'win10_x86', /// 'win10_arm', 'win10_arm64', 'linux_x64', 'linux_musl_x64', /// 'linux_arm', 'linux_arm64', 'rhel_x64', 'rhel_6_x64', 'tizen', /// 'tizen_4_0_0', 'tizen_5_0_0', 'osx_x64', 'osx_10_10_x64', /// 'osx_10_11_x64', 'osx_10_12_x64', 'osx_10_13_x64', 'osx_10_14_x64', /// 'osx_10_15_x64'</param> /// <param name="status">Possible values include: 'Uninitialized', /// 'Stage0', 'Stage1', 'Stage2', 'Active', 'Lost', 'Exited', /// 'Disconnected', 'Hidden'</param> /// <param name="integrity">Possible values include: 'Untrusted', /// 'Low', 'Medium', 'High', 'System'</param> public Grunt(string name, string originalServerGuid, int implantTemplateId, bool validateCert, bool useCertPinning, string smbPipeName, int delay, int jitterPercent, int connectAttempts, System.DateTime killDate, DotNetVersion dotNetVersion, RuntimeIdentifier runtimeIdentifier, GruntStatus status, IntegrityLevel integrity, int?id = default(int?), string guid = default(string), IList <string> children = default(IList <string>), ImplantTemplate implantTemplate = default(ImplantTemplate), int?listenerId = default(int?), Listener listener = default(Listener), string note = default(string), string process = default(string), string userDomainName = default(string), string userName = default(string), string ipAddress = default(string), string hostname = default(string), string operatingSystem = default(string), string gruntSharedSecretPassword = default(string), string gruntRSAPublicKey = default(string), string gruntNegotiatedSessionKey = default(string), string gruntChallenge = default(string), System.DateTime?activationTime = default(System.DateTime?), System.DateTime?lastCheckIn = default(System.DateTime?), string powerShellImport = default(string), IList <GruntCommand> gruntCommands = default(IList <GruntCommand>)) { Id = id; Name = name; OriginalServerGuid = originalServerGuid; Guid = guid; Children = children; ImplantTemplateId = implantTemplateId; ImplantTemplate = implantTemplate; ValidateCert = validateCert; UseCertPinning = useCertPinning; SmbPipeName = smbPipeName; ListenerId = listenerId; Listener = listener; Note = note; Delay = delay; JitterPercent = jitterPercent; ConnectAttempts = connectAttempts; KillDate = killDate; DotNetVersion = dotNetVersion; RuntimeIdentifier = runtimeIdentifier; Status = status; Integrity = integrity; Process = process; UserDomainName = userDomainName; UserName = userName; IpAddress = ipAddress; Hostname = hostname; OperatingSystem = operatingSystem; GruntSharedSecretPassword = gruntSharedSecretPassword; GruntRSAPublicKey = gruntRSAPublicKey; GruntNegotiatedSessionKey = gruntNegotiatedSessionKey; GruntChallenge = gruntChallenge; ActivationTime = activationTime; LastCheckIn = lastCheckIn; PowerShellImport = powerShellImport; GruntCommands = gruntCommands; CustomInit(); }
internal static TokenProvider CreateUnelevated(IntegrityLevel level) { if (ProcessHelper.IsAdministrator()) { // Have you impersonated system first? if (!WindowsIdentity.GetCurrent().IsSystem) { try { return(TokenProvider .CreateFromSystemAccount() .EnablePrivilege(Privilege.SeAssignPrimaryTokenPrivilege, true) .Impersonate(() => { return CreateFromCurrentProcessToken().GetLinkedToken().Duplicate() .SetIntegrity(level); })); } catch (Exception e) { Logger.Instance.Log("Unable to get unelevated token, will try SaferApi Token. " + e.ToString(), LogLevel.Warning); return(TokenProvider.CreateFromSaferApi(SaferLevels.NormalUser)); } } else { IntPtr hwnd = ConsoleApi.GetShellWindow(); _ = ConsoleApi.GetWindowThreadProcessId(hwnd, out uint pid); return(TokenProvider.CreateFromProcessToken((int)pid)); } } else { return(TokenProvider.CreateFromCurrentProcessToken()); } }
public TokenProvider SetIntegrity(IntegrityLevel integrityLevel) { return(SetIntegrity((int)integrityLevel)); }
/// <summary> /// Retrieve the amount of components to build the block to the given index /// </summary> /// <param name="block"></param> /// <param name="componentList"></param> /// <param name="level">integrity level </param> public static void GetMissingComponents(this IMySlimBlock block, Dictionary <string, int> componentList, IntegrityLevel level) { var blockDefinition = block.BlockDefinition as MyCubeBlockDefinition; if (blockDefinition.Components == null || blockDefinition.Components.Length == 0) { return; } if (level == IntegrityLevel.Create) { var component = blockDefinition.Components[0]; componentList.Add(component.Definition.Id.SubtypeName, 1); } else { if (block.IsProjected()) { int maxIdx = level == IntegrityLevel.Functional ? blockDefinition.CriticalGroup + 1 : blockDefinition.Components.Length; for (var idx = 0; idx < maxIdx; idx++) { var component = blockDefinition.Components[idx]; if (componentList.ContainsKey(component.Definition.Id.SubtypeName)) { componentList[component.Definition.Id.SubtypeName] += component.Count; } else { componentList.Add(component.Definition.Id.SubtypeName, component.Count); } } } else { block.GetMissingComponents(componentList); if (level == IntegrityLevel.Functional) { for (var idx = blockDefinition.CriticalGroup + 1; idx < blockDefinition.Components.Length; idx++) { var component = blockDefinition.Components[idx]; if (componentList.ContainsKey(component.Definition.Id.SubtypeName)) { var amount = componentList[component.Definition.Id.SubtypeName]; if (amount <= component.Count) { componentList.Remove(component.Definition.Id.SubtypeName); } else { componentList[component.Definition.Id.SubtypeName] -= component.Count; } } } } } } }
private static bool SetIntegrityLevel([NotNull] Agent agent, [NotNull] ScriptObject obj, IntegrityLevel level) { //https://tc39.github.io/ecma262/#sec-setintegritylevel var status = obj.PreventExtensions(); if (!status) { return(false); } var keys = obj.OwnPropertyKeys(); switch (level) { case IntegrityLevel.Sealed: foreach (var key in keys) { agent.DefinePropertyOrThrow(obj, key, new PropertyDescriptor { Configurable = false }); } break; case IntegrityLevel.Frozen: foreach (var key in keys) { var currentDescriptor = obj.GetOwnProperty(key); if (currentDescriptor != null) { PropertyDescriptor descriptor; if (currentDescriptor.IsAccessorDescriptor) { descriptor = new PropertyDescriptor { Configurable = false }; } else { descriptor = new PropertyDescriptor { Configurable = false, Writable = false }; } agent.DefinePropertyOrThrow(obj, key, descriptor); } } break; default: throw new ArgumentOutOfRangeException(nameof(level)); } return(true); }
/// <summary> /// Process record. /// </summary> protected override void ProcessRecord() { IEnumerable <Sid> sids; switch (ParameterSetName) { case "sddl": sids = Sddl.Select(s => new Sid(s)); break; case "name": sids = Name.Select(s => NtSecurity.LookupAccountName(s)); break; case "service": sids = ServiceName.Select(s => NtSecurity.GetServiceSid(s)); break; case "il": sids = IntegrityLevel.Select(s => NtSecurity.GetIntegritySid(s)); break; case "il_raw": sids = IntegrityLevelRaw.Select(s => NtSecurity.GetIntegritySidRaw(s)); break; case "package": sids = PackageName.Select(s => TokenUtils.DerivePackageSidFromName(s)); if (RestrictedPackageName != null) { sids = sids.Select(s => TokenUtils.DeriveRestrictedPackageSidFromSid(s, RestrictedPackageName)); } if (AsCapability) { sids = sids.Select(s => NtSecurity.PackageSidToCapability(s)); } break; case "known": sids = KnownSid.Select(s => KnownSids.GetKnownSid(s)); break; case "token": using (NtToken token = NtToken.OpenProcessToken()) { Sid temp = null; if (PrimaryGroup) { temp = token.PrimaryGroup; } else if (Owner) { temp = token.Owner; } else if (LogonGroup) { temp = token.LogonSid.Sid; } else if (AppContainer) { temp = token.AppContainerSid; } else if (Label) { temp = token.IntegrityLevelSid.Sid; } else { temp = token.User.Sid; } sids = new[] { temp }; } break; case "cap": sids = CapabilityName.Select(s => CapabilityGroup ? NtSecurity.GetCapabilityGroupSid(s) : NtSecurity.GetCapabilitySid(s)); break; case "sid": sids = new[] { new Sid(SecurityAuthority, RelativeIdentifier ?? new uint[0]) }; break; case "rawsa": sids = new[] { new Sid(new SidIdentifierAuthority(SecurityAuthorityByte), RelativeIdentifier) }; break; case "logon": sids = new[] { NtSecurity.GetLogonSessionSid() }; break; case "trust": sids = new[] { NtSecurity.GetTrustLevelSid(TrustType, TrustLevel) }; break; case "ace": sids = AccessControlEntry.Select(a => a.Sid); break; case "relsid": sids = new[] { Sibling?BaseSid.CreateSibling(RelativeIdentifier) : BaseSid.CreateRelative(RelativeIdentifier) }; break; case "bytes": sids = new[] { new Sid(Byte) }; break; default: throw new ArgumentException("No SID type specified"); } if (AsSddl) { WriteObject(sids.Select(s => s.ToString()), true); } else if (AsName) { WriteObject(sids.Select(s => s.Name), true); } else { WriteObject(sids, true); } }
public static Process CreateSaferProcess(String fileName, string arguments, SaferLevel saferLevel, IntegrityLevel integrityLevel, CreateProcessFlags flags = CreateProcessFlags.CREATE_NEW_CONSOLE) { IntPtr saferLevelHandle = IntPtr.Zero; //Create a SaferLevel handle to match what was requested if (!SaferCreateLevel(SaferLevelScope.User, saferLevel, SaferOpen.Open, out saferLevelHandle, IntPtr.Zero)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } try { //Generate the access token to use, based on the safer level handle. IntPtr hToken = IntPtr.Zero; if (!SaferComputeTokenFromLevel( saferLevelHandle, // SAFER Level handle IntPtr.Zero, // NULL is current thread token. out hToken, // Target token SaferTokenBehaviour.Default, // No flags IntPtr.Zero)) // Reserved { throw new Win32Exception(Marshal.GetLastWin32Error()); } // Get the Integrity SID IntPtr pIntegritySid = GetIntegritySid(integrityLevel); // Construct a structure describing the token integrity level var TIL = new TOKEN_MANDATORY_LABEL(); TIL.Label.Attributes = SE_GROUP_INTEGRITY; TIL.Label.Sid = pIntegritySid; IntPtr pTIL = Marshal.AllocHGlobal(Marshal.SizeOf <TOKEN_MANDATORY_LABEL>()); Marshal.StructureToPtr(TIL, pTIL, false); // Modify the token if (!SetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, pTIL, (uint)Marshal.SizeOf <TOKEN_MANDATORY_LABEL>() + GetLengthSid(pIntegritySid))) { throw new Win32Exception(); } try { //Now that we have a security token, we can lauch the process //using the standard CreateProcessAsUser API STARTUPINFO si = new STARTUPINFO(); si.cb = Marshal.SizeOf(si); si.lpDesktop = String.Empty; var processAttributes = new SECURITY_ATTRIBUTES(); var threadAttributes = new SECURITY_ATTRIBUTES(); // Spin up the new process //bool result = CreateProcessAsUser(hToken, fileName, arguments, bool result = CreateProcessAsUser(hToken, fileName, $"\"{fileName}\"{(arguments?.Length > 0 ? " " + arguments : "")}", ref processAttributes, ref threadAttributes, false, //inherit handles flags, IntPtr.Zero, //environment null, //current directory ref si, //startup info out PROCESS_INFORMATION pi); //process info if (!result) { throw new Win32Exception(Marshal.GetLastWin32Error()); } if (pi.hProcess != IntPtr.Zero) { CloseHandle(pi.hProcess); } if (pi.hThread != IntPtr.Zero) { CloseHandle(pi.hThread); } return(Process.GetProcessById(pi.dwProcessId)); } finally { if (hToken != IntPtr.Zero) { CloseHandle(hToken); } } } finally { SaferCloseLevel(saferLevelHandle); } }