/// <summary>
/// Duplicates each handle in <paramref name="handles"/> out of <paramref name="process"/> and passes
/// every kernel object not seen before to <c>DumpObject</c>.
/// </summary>
/// <param name="tokens">Token entries forwarded unchanged to <c>DumpObject</c>.</param>
/// <param name="type_filter">Type-name filter forwarded unchanged to <c>DumpObject</c>.</param>
/// <param name="checked_objects">Set of <c>handle.Object</c> values already processed; updated in place.</param>
/// <param name="process">Process the handles are duplicated from.</param>
/// <param name="handles">Handle entries to examine.</param>
private void CheckHandles(IEnumerable<TokenEntry> tokens, HashSet<string> type_filter, HashSet<ulong> checked_objects, NtProcess process, IEnumerable<NtHandle> handles)
{
    foreach (NtHandle entry in handles)
    {
        // Honour a pending stop request between handles.
        if (Stopping)
        {
            return;
        }

        // Same-access duplicate; the trailing `false` presumably selects the non-throwing
        // overload, since the result exposes IsSuccess/Result -- confirm against NtGeneric.
        using (var duplicate = NtGeneric.DuplicateFrom(process, new IntPtr(entry.Handle), 0, DuplicateObjectOptions.SameAccess, false))
        {
            // NOTE(review): the original comment here said the type is double checked to make
            // sure a similar handle was duplicated, but no comparison between the enumerated
            // entry and the duplicated object is visible. A handle value can be closed and
            // reused between enumeration and duplication, so the object examined below may
            // differ from the one recorded in `entry` -- confirm whether a type check is wanted.
            if (!duplicate.IsSuccess)
            {
                continue;
            }

            // HashSet.Add returns false when the object value was already recorded.
            bool first_visit = checked_objects.Add(entry.Object);
            if (!first_visit)
            {
                continue;
            }

            // Unnamed objects are reported only when CheckUnnamed is set.
            if (!CheckUnnamed && String.IsNullOrEmpty(duplicate.Result.FullPath))
            {
                continue;
            }

            bool is_directory = duplicate.Result.NtTypeName.Equals("Directory", StringComparison.OrdinalIgnoreCase);
            DumpObject(tokens, type_filter, AccessRights, duplicate.Result, is_directory);
        }
    }
}
/// <summary>
/// Duplicates <paramref name="handle"/> from <c>SourceProcess</c> and returns it as a typed object.
/// </summary>
/// <param name="handle">Handle value inside <c>SourceProcess</c>.</param>
/// <returns>The value produced by <c>ToTypedObject()</c> on the duplicated handle.</returns>
private object GetObject(IntPtr handle)
{
    // Access, attributes and options come from the enclosing type; a null ObjectAttributes
    // falls back to 0.
    using (var generic = NtGeneric.DuplicateFrom(
        SourceProcess,
        handle,
        GetDesiredAccess(),
        ObjectAttributes ?? 0,
        GetOptions()))
    {
        // The generic duplicate is disposed on exit; presumably ToTypedObject() returns an
        // independently owned object that the caller must dispose -- confirm.
        object typed = generic.ToTypedObject();
        return typed;
    }
}
/// <summary>
/// Opens the process that owns <paramref name="handle"/>, duplicates the handle from it and
/// returns the duplicate as a typed object.
/// </summary>
/// <param name="handle">Handle entry supplying the owning process id and the handle value.</param>
/// <returns>The value produced by <c>ToTypedObject()</c> on the duplicated handle.</returns>
private object GetObject(NtHandle handle)
{
    // The owning process is opened with DupHandle access only, the one right requested here.
    using (var owner = NtProcess.Open(handle.ProcessId, ProcessAccessRights.DupHandle))
    using (var generic = NtGeneric.DuplicateFrom(
        owner,
        new IntPtr(handle.Handle),
        GetDesiredAccess(),
        ObjectAttributes ?? 0,
        GetOptions()))
    {
        // Both the process handle and the generic duplicate are released on exit; presumably
        // ToTypedObject() returns an independently owned object for the caller -- confirm.
        object typed = generic.ToTypedObject();
        return typed;
    }
}
/// <summary>
/// Produces the duplicated object for the active parameter set: from a handle in
/// <c>SourceProcess</c> when the set is "FromHandle", otherwise from <c>Object</c>.
/// </summary>
/// <returns>The duplicated object.</returns>
private NtObject GetObject()
{
    // Every parameter set other than "FromHandle" duplicates the supplied object directly.
    if (ParameterSetName != "FromHandle")
    {
        return Object.DuplicateObject(DesiredAccess ?? 0, ObjectAttributes ?? 0, GetOptions());
    }

    // Null DesiredAccess / ObjectAttributes fall back to 0.
    using (var generic = NtGeneric.DuplicateFrom(SourceProcess, SourceHandle, DesiredAccess ?? 0, ObjectAttributes ?? 0, GetOptions()))
    {
        // The generic duplicate is disposed on exit; presumably ToTypedObject() returns an
        // independently owned object that the caller must dispose -- confirm.
        return generic.ToTypedObject();
    }
}
/// <summary>
/// Duplicates each handle in <paramref name="handles"/> out of <paramref name="process"/>, computes
/// the maximum access for <paramref name="token"/> on the object and writes one
/// <c>HandleAccessCheckResult</c> per handle whose type passes the filter.
/// </summary>
/// <param name="token">Token entry the access is computed for.</param>
/// <param name="type_filter">Type-name filter passed to <c>IsTypeFiltered</c>.</param>
/// <param name="max_access">Map passed to <c>GetMaxAccess</c> together with <c>handle.Object</c>.</param>
/// <param name="process">Process the handles are duplicated from.</param>
/// <param name="handles">Handle entries to examine.</param>
private void CheckHandles(TokenEntry token, HashSet<string> type_filter, Dictionary<ulong, MaximumAccess> max_access, NtProcess process, IEnumerable<NtHandle> handles)
{
    foreach (NtHandle entry in handles)
    {
        // Honour a pending stop request between handles.
        if (Stopping)
        {
            return;
        }

        // Same-access duplicate; handles that cannot be duplicated are skipped silently.
        // NOTE(review): nothing here compares the duplicated object with the enumerated entry,
        // so a handle value reused since enumeration would be reported with the entry's
        // GrantedAccess -- confirm this is acceptable.
        using (var duplicate = NtGeneric.DuplicateFrom(process, new IntPtr(entry.Handle), 0, DuplicateObjectOptions.SameAccess, false))
        {
            if (!duplicate.IsSuccess)
            {
                continue;
            }

            using (NtObject typed = duplicate.Result.ToTypedObject())
            {
                NtType nt_type = typed.NtType;

                // Only types for which IsTypeFiltered returns true are reported.
                if (IsTypeFiltered(nt_type.Name, type_filter))
                {
                    string object_name = GetObjectName(typed);
                    MaximumAccess token_access = GetMaxAccess(token, typed, entry.Object, max_access);

                    // GetMaxAccess may return null; the security descriptor is then reported
                    // as an empty string.
                    WriteObject(new HandleAccessCheckResult(
                        token_access,
                        entry,
                        object_name,
                        nt_type.Name,
                        entry.GrantedAccess,
                        nt_type.GenericMapping,
                        token_access == null ? string.Empty : token_access.SecurityDescriptor,
                        nt_type.AccessRightsType,
                        false,
                        token.Information));
                }
            }
        }
    }
}