private void Window_Loaded(object sender, RoutedEventArgs e)
{
try
{
// Получаем и отображаем текущий integrity level
IntegrityLevel il = ProccessIntegrityLevelHelper.GetCurrentProcessIntegrityLevel();
switch (il)
{
case IntegrityLevel.Unknown: lblIntegrityLevel.Content = "Неизвестный"; break;
case IntegrityLevel.Untrusted: lblIntegrityLevel.Content = "Недоверенный"; break;
case IntegrityLevel.Low: lblIntegrityLevel.Content = "Низкий"; break;
case IntegrityLevel.Medium: lblIntegrityLevel.Content = "Средний"; break;
case IntegrityLevel.High: lblIntegrityLevel.Content = "Высокий"; break;
case IntegrityLevel.System: lblIntegrityLevel.Content = "Системный"; break;
}
}
catch (Win32Exception)
{
lblIntegrityLevel.Content = "N/A";
}
}
/// <summary>
/// https://tc39.es/ecma262/#sec-testintegritylevel
/// </summary>
private static JsValue TestIntegrityLevel(ObjectInstance o, IntegrityLevel level)
{
if (o.Extensible)
{
return(JsBoolean.False);
}
foreach (var k in o.GetOwnPropertyKeys())
{
var currentDesc = o.GetOwnProperty(k);
if (currentDesc != PropertyDescriptor.Undefined)
{
if (currentDesc.Configurable)
{
return(JsBoolean.False);
}
if (level == IntegrityLevel.Frozen && currentDesc.IsDataDescriptor())
{
if (currentDesc.Writable)
{
return(JsBoolean.False);
}
}
}
}
return(JsBoolean.True);
}
private static bool TestIntegrityLevel([NotNull] ScriptObject obj, IntegrityLevel level)
{
//https://tc39.github.io/ecma262/#sec-testintegritylevel
var status = obj.IsExtensible;
if (status)
{
return(false);
}
//NOTE: If the object is extensible, none of its properties are examined.
var keys = obj.OwnPropertyKeys();
foreach (var key in keys)
{
var currentDescriptor = obj.GetOwnProperty(key);
if (currentDescriptor != null)
{
if (currentDescriptor.Configurable)
{
return(false);
}
if (level == IntegrityLevel.Frozen && currentDescriptor.IsDataDescriptor)
{
if (currentDescriptor.Writable)
{
return(false);
}
}
}
}
return(true);
}
/// <summary>
/// You can only call this if you are elevated.
/// </summary>
public static SafeProcessHandle StartAttachedWithIntegrity(IntegrityLevel integrityLevel, string appToRun, string args, string startupFolder, bool newWindow, bool hidden)
{
// must return a process Handle because we cant create a Process() from a handle and get the exit code.
Logger.Instance.Log($"{nameof(StartAttachedWithIntegrity)}: {appToRun} {args}", LogLevel.Debug);
int currentIntegrity = ProcessHelper.GetCurrentIntegrityLevel();
SafeTokenHandle newToken;
if ((int)integrityLevel == currentIntegrity)
{
return(new SafeProcessHandle(StartAttached(appToRun, args).Handle, true));
}
if (integrityLevel >= IntegrityLevel.Medium) // Unelevation request.
{
try
{
return(TokenProvider
.CreateFromSystemAccount()
.EnablePrivilege(Privilege.SeIncreaseQuotaPrivilege, false)
.EnablePrivilege(Privilege.SeAssignPrimaryTokenPrivilege, false)
.Impersonate(() =>
{
newToken = TokenProvider.CreateFromCurrentProcessToken().GetLinkedToken()
.SetIntegrity(integrityLevel)
.GetToken();
using (newToken)
{
return CreateProcessAsUser(newToken, appToRun, args, startupFolder, newWindow, hidden);
}
}));
}
catch (Exception e)
{
Logger.Instance.Log("Unable to get unelevated token. (Is UAC enabled?) Fallback to SaferApi Token but this process won't be able to elevate." + e.Message, LogLevel.Debug);
newToken = TokenProvider.CreateFromSaferApi(SaferLevels.NormalUser)
.SetIntegrity(integrityLevel)
.GetToken();
}
using (newToken)
{
return(CreateProcessAsUser(newToken, appToRun, args, startupFolder, newWindow, hidden));
}
}
else
{
// Integrity < Medium
var tf = TokenProvider.CreateFromSaferApi(integrityLevel.ToSaferLevel())
.SetIntegrity(integrityLevel);
newToken = tf.GetToken();
}
using (newToken)
{
return(CreateProcessAsUser(newToken, appToRun, args, startupFolder, newWindow, hidden));
}
}
private static IntPtr GetIntegritySid(IntegrityLevel level) // https://msdn.microsoft.com/en-us/library/bb625963.aspx
{
if (!ConvertStringSidToSid($"S-1-16-{4096 * ((int)level)}", out IntPtr pIntegritySid))
{
throw new Win32Exception();
}
return(pIntegritySid);
}
/// <summary>
/// https://tc39.es/ecma262/#sec-setintegritylevel
/// </summary>
private static bool SetIntegrityLevel(ObjectInstance o, IntegrityLevel level)
{
var status = o.PreventExtensions();
if (!status)
{
return(false);
}
var keys = o.GetOwnPropertyKeys();
if (level == IntegrityLevel.Sealed)
{
for (var i = 0; i < keys.Count; i++)
{
var k = keys[i];
o.DefinePropertyOrThrow(k, new PropertyDescriptor {
Configurable = false
});
}
}
else
{
for (var i = 0; i < keys.Count; i++)
{
var k = keys[i];
var currentDesc = o.GetOwnProperty(k);
if (currentDesc != PropertyDescriptor.Undefined)
{
PropertyDescriptor desc;
if (currentDesc.IsAccessorDescriptor())
{
desc = new PropertyDescriptor {
Configurable = false
};
}
else
{
desc = new PropertyDescriptor {
Configurable = false, Writable = false
};
}
o.DefinePropertyOrThrow(k, desc);
}
}
}
return(true);
}
public static SaferLevels ToSaferLevel(this IntegrityLevel integrityLevel)
{
if (integrityLevel >= IntegrityLevel.High)
{
return(SaferLevels.FullyTrusted);
}
if (integrityLevel >= IntegrityLevel.Medium)
{
return(SaferLevels.NormalUser);
}
if (integrityLevel >= IntegrityLevel.Low)
{
return(SaferLevels.Constrained);
}
return(SaferLevels.Untrusted);
}
internal static string ToSerializedValue(this IntegrityLevel value)
{
switch (value)
{
case IntegrityLevel.Untrusted:
return("Untrusted");
case IntegrityLevel.Low:
return("Low");
case IntegrityLevel.Medium:
return("Medium");
case IntegrityLevel.High:
return("High");
case IntegrityLevel.System:
return("System");
}
return(null);
}
/// <summary>
/// Initializes a new instance of the Grunt class.
/// </summary>
/// <param name="dotNetVersion">Possible values include: 'Net35',
/// 'Net40', 'NetCore31'</param>
/// <param name="runtimeIdentifier">Possible values include: 'win_x64',
/// 'win_x86', 'win_arm', 'win_arm64', 'win7_x64', 'win7_x86',
/// 'win81_x64', 'win81_x86', 'win81_arm', 'win10_x64', 'win10_x86',
/// 'win10_arm', 'win10_arm64', 'linux_x64', 'linux_musl_x64',
/// 'linux_arm', 'linux_arm64', 'rhel_x64', 'rhel_6_x64', 'tizen',
/// 'tizen_4_0_0', 'tizen_5_0_0', 'osx_x64', 'osx_10_10_x64',
/// 'osx_10_11_x64', 'osx_10_12_x64', 'osx_10_13_x64', 'osx_10_14_x64',
/// 'osx_10_15_x64'</param>
/// <param name="status">Possible values include: 'Uninitialized',
/// 'Stage0', 'Stage1', 'Stage2', 'Active', 'Lost', 'Exited',
/// 'Disconnected', 'Hidden'</param>
/// <param name="integrity">Possible values include: 'Untrusted',
/// 'Low', 'Medium', 'High', 'System'</param>
public Grunt(string name, string originalServerGuid, int implantTemplateId, bool validateCert, bool useCertPinning, string smbPipeName, int delay, int jitterPercent, int connectAttempts, System.DateTime killDate, DotNetVersion dotNetVersion, RuntimeIdentifier runtimeIdentifier, GruntStatus status, IntegrityLevel integrity, int?id = default(int?), string guid = default(string), IList <string> children = default(IList <string>), ImplantTemplate implantTemplate = default(ImplantTemplate), int?listenerId = default(int?), Listener listener = default(Listener), string note = default(string), string process = default(string), string userDomainName = default(string), string userName = default(string), string ipAddress = default(string), string hostname = default(string), string operatingSystem = default(string), string gruntSharedSecretPassword = default(string), string gruntRSAPublicKey = default(string), string gruntNegotiatedSessionKey = default(string), string gruntChallenge = default(string), System.DateTime?activationTime = default(System.DateTime?), System.DateTime?lastCheckIn = default(System.DateTime?), string powerShellImport = default(string), IList <GruntCommand> gruntCommands = default(IList <GruntCommand>))
{
Id = id;
Name = name;
OriginalServerGuid = originalServerGuid;
Guid = guid;
Children = children;
ImplantTemplateId = implantTemplateId;
ImplantTemplate = implantTemplate;
ValidateCert = validateCert;
UseCertPinning = useCertPinning;
SmbPipeName = smbPipeName;
ListenerId = listenerId;
Listener = listener;
Note = note;
Delay = delay;
JitterPercent = jitterPercent;
ConnectAttempts = connectAttempts;
KillDate = killDate;
DotNetVersion = dotNetVersion;
RuntimeIdentifier = runtimeIdentifier;
Status = status;
Integrity = integrity;
Process = process;
UserDomainName = userDomainName;
UserName = userName;
IpAddress = ipAddress;
Hostname = hostname;
OperatingSystem = operatingSystem;
GruntSharedSecretPassword = gruntSharedSecretPassword;
GruntRSAPublicKey = gruntRSAPublicKey;
GruntNegotiatedSessionKey = gruntNegotiatedSessionKey;
GruntChallenge = gruntChallenge;
ActivationTime = activationTime;
LastCheckIn = lastCheckIn;
PowerShellImport = powerShellImport;
GruntCommands = gruntCommands;
CustomInit();
}
internal static TokenProvider CreateUnelevated(IntegrityLevel level)
{
if (ProcessHelper.IsAdministrator())
{
// Have you impersonated system first?
if (!WindowsIdentity.GetCurrent().IsSystem)
{
try
{
return(TokenProvider
.CreateFromSystemAccount()
.EnablePrivilege(Privilege.SeAssignPrimaryTokenPrivilege, true)
.Impersonate(() =>
{
return CreateFromCurrentProcessToken().GetLinkedToken().Duplicate()
.SetIntegrity(level);
}));
}
catch (Exception e)
{
Logger.Instance.Log("Unable to get unelevated token, will try SaferApi Token. " + e.ToString(),
LogLevel.Warning);
return(TokenProvider.CreateFromSaferApi(SaferLevels.NormalUser));
}
}
else
{
IntPtr hwnd = ConsoleApi.GetShellWindow();
_ = ConsoleApi.GetWindowThreadProcessId(hwnd, out uint pid);
return(TokenProvider.CreateFromProcessToken((int)pid));
}
}
else
{
return(TokenProvider.CreateFromCurrentProcessToken());
}
}
public TokenProvider SetIntegrity(IntegrityLevel integrityLevel)
{
return(SetIntegrity((int)integrityLevel));
}
/// <summary>
/// Retrieve the amount of components to build the block to the given index
/// </summary>
/// <param name="block"></param>
/// <param name="componentList"></param>
/// <param name="level">integrity level </param>
public static void GetMissingComponents(this IMySlimBlock block, Dictionary <string, int> componentList, IntegrityLevel level)
{
var blockDefinition = block.BlockDefinition as MyCubeBlockDefinition;
if (blockDefinition.Components == null || blockDefinition.Components.Length == 0)
{
return;
}
if (level == IntegrityLevel.Create)
{
var component = blockDefinition.Components[0];
componentList.Add(component.Definition.Id.SubtypeName, 1);
}
else
{
if (block.IsProjected())
{
int maxIdx = level == IntegrityLevel.Functional ? blockDefinition.CriticalGroup + 1 : blockDefinition.Components.Length;
for (var idx = 0; idx < maxIdx; idx++)
{
var component = blockDefinition.Components[idx];
if (componentList.ContainsKey(component.Definition.Id.SubtypeName))
{
componentList[component.Definition.Id.SubtypeName] += component.Count;
}
else
{
componentList.Add(component.Definition.Id.SubtypeName, component.Count);
}
}
}
else
{
block.GetMissingComponents(componentList);
if (level == IntegrityLevel.Functional)
{
for (var idx = blockDefinition.CriticalGroup + 1; idx < blockDefinition.Components.Length; idx++)
{
var component = blockDefinition.Components[idx];
if (componentList.ContainsKey(component.Definition.Id.SubtypeName))
{
var amount = componentList[component.Definition.Id.SubtypeName];
if (amount <= component.Count)
{
componentList.Remove(component.Definition.Id.SubtypeName);
}
else
{
componentList[component.Definition.Id.SubtypeName] -= component.Count;
}
}
}
}
}
}
}
private static bool SetIntegrityLevel([NotNull] Agent agent, [NotNull] ScriptObject obj, IntegrityLevel level)
{
//https://tc39.github.io/ecma262/#sec-setintegritylevel
var status = obj.PreventExtensions();
if (!status)
{
return(false);
}
var keys = obj.OwnPropertyKeys();
switch (level)
{
case IntegrityLevel.Sealed:
foreach (var key in keys)
{
agent.DefinePropertyOrThrow(obj, key, new PropertyDescriptor
{
Configurable = false
});
}
break;
case IntegrityLevel.Frozen:
foreach (var key in keys)
{
var currentDescriptor = obj.GetOwnProperty(key);
if (currentDescriptor != null)
{
PropertyDescriptor descriptor;
if (currentDescriptor.IsAccessorDescriptor)
{
descriptor = new PropertyDescriptor
{
Configurable = false
};
}
else
{
descriptor = new PropertyDescriptor
{
Configurable = false,
Writable = false
};
}
agent.DefinePropertyOrThrow(obj, key, descriptor);
}
}
break;
default:
throw new ArgumentOutOfRangeException(nameof(level));
}
return(true);
}
/// <summary>
/// Process record.
/// </summary>
protected override void ProcessRecord()
{
IEnumerable <Sid> sids;
switch (ParameterSetName)
{
case "sddl":
sids = Sddl.Select(s => new Sid(s));
break;
case "name":
sids = Name.Select(s => NtSecurity.LookupAccountName(s));
break;
case "service":
sids = ServiceName.Select(s => NtSecurity.GetServiceSid(s));
break;
case "il":
sids = IntegrityLevel.Select(s => NtSecurity.GetIntegritySid(s));
break;
case "il_raw":
sids = IntegrityLevelRaw.Select(s => NtSecurity.GetIntegritySidRaw(s));
break;
case "package":
sids = PackageName.Select(s => TokenUtils.DerivePackageSidFromName(s));
if (RestrictedPackageName != null)
{
sids = sids.Select(s => TokenUtils.DeriveRestrictedPackageSidFromSid(s, RestrictedPackageName));
}
if (AsCapability)
{
sids = sids.Select(s => NtSecurity.PackageSidToCapability(s));
}
break;
case "known":
sids = KnownSid.Select(s => KnownSids.GetKnownSid(s));
break;
case "token":
using (NtToken token = NtToken.OpenProcessToken())
{
Sid temp = null;
if (PrimaryGroup)
{
temp = token.PrimaryGroup;
}
else if (Owner)
{
temp = token.Owner;
}
else if (LogonGroup)
{
temp = token.LogonSid.Sid;
}
else if (AppContainer)
{
temp = token.AppContainerSid;
}
else if (Label)
{
temp = token.IntegrityLevelSid.Sid;
}
else
{
temp = token.User.Sid;
}
sids = new[] { temp };
}
break;
case "cap":
sids = CapabilityName.Select(s => CapabilityGroup ? NtSecurity.GetCapabilityGroupSid(s)
: NtSecurity.GetCapabilitySid(s));
break;
case "sid":
sids = new[] { new Sid(SecurityAuthority, RelativeIdentifier ?? new uint[0]) };
break;
case "rawsa":
sids = new[] { new Sid(new SidIdentifierAuthority(SecurityAuthorityByte), RelativeIdentifier) };
break;
case "logon":
sids = new[] { NtSecurity.GetLogonSessionSid() };
break;
case "trust":
sids = new[] { NtSecurity.GetTrustLevelSid(TrustType, TrustLevel) };
break;
case "ace":
sids = AccessControlEntry.Select(a => a.Sid);
break;
case "relsid":
sids = new[] { Sibling?BaseSid.CreateSibling(RelativeIdentifier) : BaseSid.CreateRelative(RelativeIdentifier) };
break;
case "bytes":
sids = new[] { new Sid(Byte) };
break;
default:
throw new ArgumentException("No SID type specified");
}
if (AsSddl)
{
WriteObject(sids.Select(s => s.ToString()), true);
}
else if (AsName)
{
WriteObject(sids.Select(s => s.Name), true);
}
else
{
WriteObject(sids, true);
}
}
public static Process CreateSaferProcess(String fileName, string arguments, SaferLevel saferLevel, IntegrityLevel integrityLevel, CreateProcessFlags flags = CreateProcessFlags.CREATE_NEW_CONSOLE)
{
IntPtr saferLevelHandle = IntPtr.Zero;
//Create a SaferLevel handle to match what was requested
if (!SaferCreateLevel(SaferLevelScope.User, saferLevel, SaferOpen.Open, out saferLevelHandle, IntPtr.Zero))
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
try
{
//Generate the access token to use, based on the safer level handle.
IntPtr hToken = IntPtr.Zero;
if (!SaferComputeTokenFromLevel(
saferLevelHandle, // SAFER Level handle
IntPtr.Zero, // NULL is current thread token.
out hToken, // Target token
SaferTokenBehaviour.Default, // No flags
IntPtr.Zero)) // Reserved
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
// Get the Integrity SID
IntPtr pIntegritySid = GetIntegritySid(integrityLevel);
// Construct a structure describing the token integrity level
var TIL = new TOKEN_MANDATORY_LABEL();
TIL.Label.Attributes = SE_GROUP_INTEGRITY;
TIL.Label.Sid = pIntegritySid;
IntPtr pTIL = Marshal.AllocHGlobal(Marshal.SizeOf <TOKEN_MANDATORY_LABEL>());
Marshal.StructureToPtr(TIL, pTIL, false);
// Modify the token
if (!SetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, pTIL, (uint)Marshal.SizeOf <TOKEN_MANDATORY_LABEL>() + GetLengthSid(pIntegritySid)))
{
throw new Win32Exception();
}
try
{
//Now that we have a security token, we can lauch the process
//using the standard CreateProcessAsUser API
STARTUPINFO si = new STARTUPINFO();
si.cb = Marshal.SizeOf(si);
si.lpDesktop = String.Empty;
var processAttributes = new SECURITY_ATTRIBUTES();
var threadAttributes = new SECURITY_ATTRIBUTES();
// Spin up the new process
//bool result = CreateProcessAsUser(hToken, fileName, arguments,
bool result = CreateProcessAsUser(hToken, fileName, $"\"{fileName}\"{(arguments?.Length > 0 ? " " + arguments : "")}",
ref processAttributes,
ref threadAttributes,
false, //inherit handles
flags,
IntPtr.Zero, //environment
null, //current directory
ref si, //startup info
out PROCESS_INFORMATION pi); //process info
if (!result)
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
if (pi.hProcess != IntPtr.Zero)
{
CloseHandle(pi.hProcess);
}
if (pi.hThread != IntPtr.Zero)
{
CloseHandle(pi.hThread);
}
return(Process.GetProcessById(pi.dwProcessId));
}
finally
{
if (hToken != IntPtr.Zero)
{
CloseHandle(hToken);
}
}
}
finally
{
SaferCloseLevel(saferLevelHandle);
}
}
