static void DumpProcessEntry(NtProcess entry, HashSet<string> mitigation_filter, bool all_mitigations, bool print_command_line)
        {
            try
            {
                NtProcessMitigations mitigations = entry.Mitigations;

                Console.WriteLine("Process Mitigations: {0,8} - {1}", entry.ProcessId, entry.GetImageFilePath(false));
                if (print_command_line)
                {
                    Console.WriteLine("Command Line: {0}", GetCommandLine(entry));
                }
                IEnumerable<PropertyInfo> props = _props.Values.Where(p => mitigation_filter.Count == 0 || mitigation_filter.Contains(p.Name));
                foreach (PropertyInfo prop in props.OrderBy(p => p.Name))
                {
                    object value = prop.GetValue(mitigations);
                    if (!all_mitigations && (value is bool))
                    {
                        if (!(bool)value)
                        {
                            continue;
                        }
                    }

                    FormatEntry(prop.Name, prop.GetValue(mitigations));
                }
                Console.WriteLine();
            }
            catch (NtException)
            {
                // Can end up here if the process is exiting.
            }
        }
 private void AddThreads(NtProcess entry)
 {
     using (DisposableList<NtThread> threads = new DisposableList<NtThread>(entry.GetThreads(ThreadAccessRights.QueryInformation)))
     {
         foreach (NtThread thread in threads)
         {
             try
             {
                 using (NtToken token = thread.OpenToken())
                 {
                     if (token != null)
                     {
                         ListViewItem item = new ListViewItem(String.Format("{0} - {1}", entry.ProcessId, entry.Name));
                         item.SubItems.Add(thread.ThreadId.ToString());
                         item.SubItems.Add(token.User.ToString());
                         item.SubItems.Add(token.ImpersonationLevel.ToString());
                         item.Tag = thread.Duplicate();
                         listViewThreads.Items.Add(item);
                     }
                 }
             }
             catch (NtException)
             {
             }
         }
     }
 }
 static string GetCommandLine(NtProcess process)
 {
     try
     {
         return process.CommandLine;
     }
     catch (NtException)
     {
         return String.Empty;
     }
 }
 private static NtToken GetToken(NtProcess process)
 {
     try
     {
         return process.OpenToken();
     }
     catch (NtException)
     {
         return null;
     }
 }
 private void AddProcessNode(NtProcess entry)
 {
     try
     {
         using (NtToken token = entry.OpenToken())
         {
             TreeNode node = new TreeNode(String.Format("Pid: {0} - Name: {1} (User:{2}, IL: {3}, R: {4}, AC: {5})",
                entry.ProcessId, entry.Name, token.User, token.IntegrityLevel,
                token.Restricted, token.AppContainer));
             node.Tag = entry.Duplicate();
             treeViewProcesses.Nodes.Add(node);
         }
     }
     catch
     {
         // Do nothing
     }
 }
示例#6
0
        public T ReadType <T>(NtProcess process, long base_address) where T : struct
        {
            IConvertToNative <T> converter = (IConvertToNative <T>)_base_method.Value.Invoke(process, new object[] { base_address });

            return(converter.Convert());
        }
        private static bool FilterCommandLine(NtProcess proc, string cmdline)
        {
            try
            {
                return proc.CommandLine.ToLower().Contains(cmdline);
            }
            catch
            {
            }

            return false;
        }
示例#8
0
 internal ProcessMemoryReader(NtProcess process)
 {
     _process    = process;
     PointerSize = _process.Is64Bit ? 8 : 4;
 }
 private NtProcess OpenSpecificProcess(ProcessAccessRights desired_access)
 {
     return(Current ? GetCurrentProcess(desired_access) : NtProcess.Open(ProcessId, desired_access));
 }
示例#10
0
 /// <summary>
 /// Constructor.
 /// </summary>
 /// <param name="process">Process to parse from.</param>
 public NdrParser(NtProcess process) : this(process, null)
 {
 }
示例#11
0
 /// <summary>
 /// Parse NDR complex type information from a pickling structure. Used to extract explicit Encode/Decode method information.
 /// </summary>
 /// <param name="process">The process to read from.</param>
 /// <param name="midl_type_pickling_info">Pointer to the MIDL_TYPE_PICKLING_INFO structure.</param>
 /// <param name="midl_stub_desc">The pointer to the MIDL_STUB_DESC structure.</param>
 /// <param name="start_offsets">Offsets into the format string to the start of the types.</param>
 /// <returns>The list of complex types.</returns>
 /// <remarks>This function is used to extract type information for calls to NdrMesTypeDecode2. MIDL_TYPE_PICKLING_INFO is the second parameter,
 /// MIDL_STUB_DESC is the third (minus the offset).</remarks>
 public static IEnumerable <NdrComplexTypeReference> ReadPicklingComplexTypes(NtProcess process, IntPtr midl_type_pickling_info,
                                                                              IntPtr midl_stub_desc, params int[] start_offsets)
 {
     return(ReadPicklingComplexTypes(process, midl_type_pickling_info, midl_stub_desc, start_offsets, NdrParserFlags.IgnoreUserMarshal));
 }
示例#12
0
 /// <summary>
 /// Constructor.
 /// </summary>
 /// <param name="process">Process to parse from.</param>
 /// <param name="symbol_resolver">Specify a symbol resolver to use for looking up symbols.</param>
 /// <param name="parser_flags">Flags which affect the parsing operation.</param>
 public NdrParser(NtProcess process, ISymbolResolver symbol_resolver, NdrParserFlags parser_flags)
     : this(CreateReader(process), process, symbol_resolver, parser_flags)
 {
 }
示例#13
0
        private static IEnumerable <NdrComplexTypeReference> ReadPicklingComplexTypes(NdrParserFlags parser_flags, NtProcess process, IntPtr midl_type_pickling_info, IntPtr midl_stub_desc, bool deref_stub_desc, Func <IMemoryReader, IntPtr, IEnumerable <int> > get_offsets)
        {
            NdrParser parser = new NdrParser(process, null, parser_flags);

            RunWithAccessCatch(() => parser.ReadTypes(midl_type_pickling_info, midl_stub_desc, deref_stub_desc, get_offsets));
            return(parser.ComplexTypes);
        }
示例#14
0
        private bool CheckSession(NtProcess p, int check_session_id)
        {
            var session_id = p.GetSessionId(false);

            return(session_id.IsSuccess && session_id.Result == check_session_id);
        }
 /// <summary>
 /// Create a new instance of a symbol resolver.
 /// </summary>
 /// <param name="process">The process in which the symbols should be resolved.</param>
 /// <param name="dbghelp_path">The path to dbghelp.dll, ideally should use the one which comes with Debugging Tools for Windows.</param>
 /// <param name="symbol_path">The symbol path.</param>
 /// <returns>The instance of a symbol resolver. Should be disposed when finished.</returns>
 public static ISymbolResolver Create(NtProcess process, string dbghelp_path, string symbol_path)
 {
     return(new DbgHelpSymbolResolver(process, dbghelp_path, symbol_path));
 }
示例#16
0
        public static void AttachToProcess(Process[] processes, ChildDebuggingMode mode)
        {
            List <VsDebugTargetInfo2> targetList = new List <VsDebugTargetInfo2>();
            IntPtr targetsBuffer = IntPtr.Zero;
            int    targetSize    = Marshal.SizeOf(typeof(VsDebugTargetInfo2));
            int    guidSize      = Marshal.SizeOf(typeof(Guid));

            try {
                foreach (Process process in processes)
                {
                    NtProcess           ntproc  = new NtProcess(process.Id);
                    VsDebugTargetInfo2  target  = new VsDebugTargetInfo2();
                    DebugProcessOptions options = new DebugProcessOptions {
                        ChildDebuggingMode = mode
                    };
                    target.dwDebugEngineCount = 1;
                    target.dwProcessId        = (uint)process.Id;
                    target.dlo = (uint)DEBUG_LAUNCH_OPERATION.DLO_AlreadyRunning;
                    if (process.Threads.Count == 1)
                    {
                        // If this is a suspended process, then using DLO_AttachToSuspendedLaunchProcess will
                        // bypass the initial loader breakpoint, causing a seamless and transparent attach.
                        // This is usually the desired behavior, as child processes frequently startup and
                        // shutdown, and it is intrusive to be constantly breaking into the debugger.
                        ProcessThread mainThread = process.Threads[0];
                        if (mainThread.ThreadState == ThreadState.Wait && mainThread.WaitReason == ThreadWaitReason.Suspended)
                        {
                            target.dlo |= (uint)_DEBUG_LAUNCH_OPERATION4.DLO_AttachToSuspendedLaunchProcess;
                        }
                    }
                    target.bstrExe          = ntproc.Win32ProcessImagePath;
                    target.cbSize           = (uint)targetSize;
                    target.bstrCurDir       = null;
                    target.guidPortSupplier = DkmIntegration.Guids.PortSupplier.Default;
                    target.LaunchFlags      = (uint)(__VSDBGLAUNCHFLAGS.DBGLAUNCH_Silent | __VSDBGLAUNCHFLAGS.DBGLAUNCH_WaitForAttachComplete);
                    target.bstrOptions      = options.OptionsString;
                    target.pDebugEngines    = Marshal.AllocCoTaskMem(guidSize);
                    Marshal.StructureToPtr(DkmEngineId.NativeEng, target.pDebugEngines, false);
                    targetList.Add(target);
                }
                int elementSize = Marshal.SizeOf(typeof(VsDebugTargetInfo2));
                targetsBuffer = Marshal.AllocCoTaskMem(targetList.Count * elementSize);
                for (int i = 0; i < targetList.Count; ++i)
                {
                    IntPtr writeAddr = targetsBuffer + i * elementSize;
                    Marshal.StructureToPtr(targetList[i], writeAddr, false);
                }

                IVsDebugger2 debugger = (IVsDebugger2)VsPackage.GetGlobalService(typeof(SVsShellDebugger));
                Core.Logger.Log("Launching {0} debug targets", processes.Length);
                int hr = debugger.LaunchDebugTargets2((uint)processes.Length, targetsBuffer);
                if (hr != 0)
                {
                    IVsUIShell shell = (IVsUIShell)VsPackage.GetGlobalService(typeof(SVsUIShell));
                    string     error;
                    shell.GetErrorInfo(out error);
                    Core.Logger.LogError("An error occured while attaching to process (hr = 0x{0:x}).  {1}", hr, error);
                }
            } finally {
                foreach (VsDebugTargetInfo2 target in targetList)
                {
                    if (target.pDebugEngines != IntPtr.Zero)
                    {
                        Marshal.FreeCoTaskMem(target.pDebugEngines);
                    }
                }

                if (targetsBuffer != IntPtr.Zero)
                {
                    Marshal.FreeCoTaskMem(targetsBuffer);
                }
            }
        }
        private static bool ArbitraryFilter(NtProcess proc, ScriptBlock filter)
        {
            try
            {
                ICollection<PSObject> os = filter.Invoke(proc);
                if (os.Count == 1)
                {
                    return (bool)os.First().BaseObject;
                }
            }
            catch
            {
            }

            return false;
        }
 internal CrossBitnessProcessMemoryReader(NtProcess process) : base(process)
 {
 }
示例#19
0
 /// <summary>
 /// Constructor.
 /// </summary>
 /// <param name="process">Process to parse from.</param>
 /// <param name="symbol_resolver">Specify a symbol resolver to use for looking up symbols.</param>
 public NdrParser(NtProcess process, ISymbolResolver symbol_resolver)
     : this(process, symbol_resolver, NdrParserFlags.None)
 {
 }
示例#20
0
        private void CheckHandles(IEnumerable <TokenEntry> tokens, HashSet <string> type_filter, HashSet <ulong> checked_objects, NtProcess process, IEnumerable <NtHandle> handles)
        {
            foreach (NtHandle handle in handles)
            {
                if (Stopping)
                {
                    return;
                }

                using (var obj = NtGeneric.DuplicateFrom(process, new IntPtr(handle.Handle), 0, DuplicateObjectOptions.SameAccess, false))
                {
                    // We double check type here to ensure we've duplicated a similar handle.
                    if (!obj.IsSuccess)
                    {
                        continue;
                    }

                    if (checked_objects.Add(handle.Object))
                    {
                        if (CheckUnnamed || !String.IsNullOrEmpty(obj.Result.FullPath))
                        {
                            DumpObject(tokens, type_filter, AccessRights, obj.Result);
                        }
                    }
                }
            }
        }
 private static bool ArbitraryFilter(NtProcess proc, ScriptBlock filter)
 {
     return(filter.InvokeWithArg(false, proc));
 }
        private void btnOK_Click(object sender, EventArgs e)
        {
            try
            {
                if (radioCurrentProcess.Checked)
                {
                    Token = OpenImpersonationToken();
                }
                else if (radioSpecificProcess.Checked)
                {
                    NtProcess process = selectProcessControl.SelectedProcess;
                    if (process == null)
                    {
                        throw new InvalidOperationException("Please select a process from the list");
                    }

                    using (var token = NtToken.OpenProcessToken(process, false, TokenAccessRights.Duplicate))
                    {
                        Token = token.DuplicateToken(TokenType.Impersonation, SecurityImpersonationLevel.Impersonation, TokenAccessRights.GenericAll);
                    }
                }
                else if (radioAnonymous.Checked)
                {
                    Token = TokenUtils.GetAnonymousToken();
                }

                if (checkBoxSetIL.Checked)
                {
                    Token.SetIntegrityLevel((TokenIntegrityLevel)comboBoxIL.SelectedItem);
                }

                if (checkBoxLocalAccess.Checked)
                {
                    AccessRights |= COMAccessRights.ExecuteLocal;
                }
                if (checkBoxRemoteAccess.Checked)
                {
                    AccessRights |= COMAccessRights.ExecuteRemote;
                }

                if (!_process_security)
                {
                    if (checkBoxLocalLaunch.Checked)
                    {
                        LaunchRights |= COMAccessRights.ExecuteLocal;
                    }
                    if (checkBoxRemoteLaunch.Checked)
                    {
                        LaunchRights |= COMAccessRights.ExecuteRemote;
                    }
                    if (checkBoxLocalActivate.Checked)
                    {
                        LaunchRights |= COMAccessRights.ActivateLocal;
                    }
                    if (checkBoxRemoteActivate.Checked)
                    {
                        LaunchRights |= COMAccessRights.ActivateRemote;
                    }
                    if (!_process_security)
                    {
                        Principal = COMSecurity.UserToSid(textBoxPrincipal.Text).ToString();
                    }
                }

                DialogResult = DialogResult.OK;
                Close();
            }
            catch (Exception ex)
            {
                EntryPoint.ShowError(this, ex);
            }
        }
示例#23
0
        internal NtProcessMitigations(NtProcess process)
        {
            ProcessDepStatus dep_status = process.DepStatus;

            DisableAtlThunkEmulation = dep_status.DisableAtlThunkEmulation;
            DepEnabled   = dep_status.Enabled;
            DepPermanent = dep_status.Permanent;

            int result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessASLRPolicy);

            EnableBottomUpRandomization = result.GetBit(0);
            EnableForceRelocateImages   = result.GetBit(1);
            EnableHighEntropy           = result.GetBit(2);
            DisallowStrippedImages      = result.GetBit(3);

            DisallowWin32kSystemCalls = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessSystemCallDisablePolicy).GetBit(0);
            result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessStrictHandleCheckPolicy);
            RaiseExceptionOnInvalidHandleReference = result.GetBit(0);
            HandleExceptionsPermanentlyEnabled     = result.GetBit(1);

            result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessFontDisablePolicy);
            DisableNonSystemFonts     = result.GetBit(0);
            AuditNonSystemFontLoading = result.GetBit(1);

            result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessDynamicCodePolicy);
            ProhibitDynamicCode    = result.GetBit(0);
            AllowThreadOptOut      = result.GetBit(1);
            AllowRemoteDowngrade   = result.GetBit(2);
            DisableExtensionPoints = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessExtensionPointDisablePolicy).GetBit(0);

            result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessControlFlowGuardPolicy);
            EnabledControlFlowGuard    = result.GetBit(0);
            EnableExportSuppression    = result.GetBit(1);
            ControlFlowGuardStrictMode = result.GetBit(2);

            result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessSignaturePolicy);
            MicrosoftSignedOnly   = result.GetBit(0);
            StoreSignedOnly       = result.GetBit(1);
            SignedMitigationOptIn = result.GetBit(2);

            result                    = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessImageLoadPolicy);
            NoRemoteImages            = result.GetBit(0);
            NoLowMandatoryLabelImages = result.GetBit(1);
            PreferSystem32Images      = result.GetBit(2);

            result = process.GetProcessMitigationPolicy(ProcessMitigationPolicy.ProcessReturnFlowGuardPolicy);
            EnabledReturnFlowGuard    = result.GetBit(0);
            ReturnFlowGuardStrictMode = result.GetBit(1);
            IsChildProcessRestricted  = process.IsChildProcessRestricted;
            using (var token = NtToken.OpenProcessToken(process, TokenAccessRights.Query, false))
            {
                IsRestricted               = token.Result.Restricted;
                IsAppContainer             = token.Result.AppContainer;
                IsLowPrivilegeAppContainer = token.Result.LowPrivilegeAppContainer;
                IntegrityLevel             = token.Result.IntegrityLevel;
            }
            ProcessId   = process.ProcessId;
            Name        = process.Name;
            ImagePath   = process.FullPath;
            CommandLine = process.CommandLine;
        }
 public TokenEntry(NtToken token, NtProcess process)
     : this(token, token, process)
 {
 }
        private void DoAccessCheck(IEnumerable <TokenEntry> tokens,
                                   IEnumerable <NtProcess> processes, AccessMask access_rights, AccessMask thread_access_rights)
        {
            foreach (NtProcess process in processes)
            {
                ProcessDetails proc_details = ProcessDetails.FromProcess(process);

                if (CheckProcess())
                {
                    var sd = process.GetSecurityDescriptor(SecurityInformation.AllBasic, false);
                    if (sd.IsSuccess)
                    {
                        foreach (TokenEntry token in tokens)
                        {
                            CheckAccess(token, proc_details, null, _process_type, access_rights, sd.Result);
                        }
                    }
                    else
                    {
                        // Try and open process when under impersonation.
                        foreach (TokenEntry token in tokens)
                        {
                            using (var new_process = token.Token.RunUnderImpersonate(() => NtProcess.Open(process.ProcessId, ProcessAccessRights.MaximumAllowed, false)))
                            {
                                if (new_process.IsSuccess && IsAccessGranted(new_process.Result.GrantedAccessMask, access_rights))
                                {
                                    WriteAccessCheckResult(proc_details, null, new_process.Result.GrantedAccessMask,
                                                           _process_type.GenericMapping, null, token.Information);
                                }
                            }
                        }
                    }
                }

                if (CheckThread())
                {
                    using (var threads = process.GetThreads(ThreadAccessRights.MaximumAllowed).ToDisposableList())
                    {
                        foreach (var thread in threads)
                        {
                            DoAccessCheck(tokens, proc_details, thread, thread_access_rights);
                        }
                    }
                }
            }
        }
        public static Win32Process CreateProcess(NtProcess parent, string application_name, string command_line, CreateProcessFlags flags, string desktop)
        {
            STARTUPINFOEX start_info = new STARTUPINFOEX();
            start_info.StartupInfo.lpDesktop = desktop;
            PROCESS_INFORMATION proc_info = new PROCESS_INFORMATION();

            using (SafeProcThreadAttributeListBuffer attr_list = new SafeProcThreadAttributeListBuffer(1))
            {
                using (var handle_buffer = parent.Handle.DangerousGetHandle().ToBuffer())
                {
                    attr_list.AddAttribute(new IntPtr(0x00020000), handle_buffer);
                    start_info.lpAttributeList = attr_list.DangerousGetHandle();
                    
                    if (!CreateProcess(application_name, command_line, IntPtr.Zero, IntPtr.Zero, false, 
                        flags | CreateProcessFlags.EXTENDED_STARTUPINFO_PRESENT, IntPtr.Zero, null, start_info, out proc_info))
                    {
                        throw new SafeWin32Exception();
                    }

                    return new Win32Process(proc_info);
                }
            }
        }
 public TokenEntry(NtToken token, NtToken imp_token, NtProcess process)
 {
     Information = new TokenInformation(token, process);
     Token       = DuplicateToken(imp_token);
 }
        private static bool FilterName(NtProcess proc, string name)
        {
            try
            {
                return proc.Name.Equals(name, System.StringComparison.OrdinalIgnoreCase);
            }
            catch
            {
            }

            return false;
        }
 private static bool IsRestrictedToken(NtProcess process)
 {
     NtToken token = null;
     try
     {
         token = GetToken(process);
         if (token == null)
         {
             return false;
         }
         return token.Restricted|| token.AppContainer|| token.IntegrityLevel< TokenIntegrityLevel.Medium;
     }
     catch (NtException)
     {
         return false;
     }
     finally
     {
         if (token != null)
         {
             token.Close();
         }
     }
 }
        static void Main(string[] args)
        {
            bool show_help = false;

            _pid = Process.GetCurrentProcess().Id;

            try
            {
                PrintDeprecationWarning();

                OptionSet opts = new OptionSet()
                {
                    { "p|pid=", "Specify a PID of a process to impersonate when checking", v => _pid = int.Parse(v.Trim()) },
                    { "n", "Specifes the list of arguments represents names instead of pids", v => _named_process = v != null },
                    { "i", "Use an indentify level token when impersonating", v => _identify_only = v != null },
                    { "t", "Dump accessible threads for process", v => _dump_threads = v != null },
                    { "k", "Dump tokens for accessible objects", v => _dump_token = v != null },
                    { "a", "Start with all accessible threads instead of processes", v => _dump_threads = _all_threads = v != null },
                    { "g", "Map access mask to generic rights.", v => _map_to_generic = v != null },
                    { "sddl", "Dump SDDL strings for objects", v => _print_sddl = v != null },
                    { "h|help", "show this message and exit",
                      v => show_help = v != null },
                };

                List <string> pids = opts.Parse(args).Select(s => s.ToLower()).ToList();

                if (show_help)
                {
                    ShowHelp(opts);
                }
                else
                {
                    IEnumerable <ProcessEntry> processes = new ProcessEntry[0];

                    if (_all_threads)
                    {
                        NtThread[] all_threads = null;

                        using (var imp = NtToken.Impersonate(_pid,
                                                             _identify_only ? SecurityImpersonationLevel.Identification : SecurityImpersonationLevel.Impersonation))
                        {
                            if (pids.Count > 0)
                            {
                                List <NtThread> ths = new List <NtThread>();
                                foreach (string pid_name in pids)
                                {
                                    try
                                    {
                                        ths.Add(NtThread.Open(int.Parse(pid_name), ThreadAccessRights.MaximumAllowed));
                                    }
                                    catch (NtException ex)
                                    {
                                        Console.WriteLine("Error opening tid {0} - {1}", pid_name, ex.Message);
                                    }
                                }

                                all_threads = ths.ToArray();
                            }
                            else
                            {
                                all_threads = NtThread.GetThreads(ThreadAccessRights.MaximumAllowed).ToArray();
                            }

                            List <ProcessEntry> procs = new List <ProcessEntry>();

                            foreach (var group in all_threads.GroupBy(t => t.ProcessId))
                            {
                                ProcessEntry entry   = null;
                                NtThread[]   threads = group.ToArray();
                                try
                                {
                                    entry = new ProcessEntry(NtProcess.Open(group.Key, ProcessAccessRights.MaximumAllowed), threads);
                                }
                                catch (NtException)
                                {
                                    entry = new ProcessEntry(group.Key, threads);
                                }
                                procs.Add(entry);
                            }
                            processes = procs;
                        }
                    }
                    else
                    {
                        if (pids.Count > 0 && !_named_process)
                        {
                            List <ProcessEntry> procs = new List <ProcessEntry>();
                            using (var imp = NtToken.Impersonate(_pid,
                                                                 _identify_only ? SecurityImpersonationLevel.Identification : SecurityImpersonationLevel.Impersonation))
                            {
                                foreach (string pid_name in pids)
                                {
                                    try
                                    {
                                        procs.Add(new ProcessEntry(NtProcess.Open(int.Parse(pid_name), ProcessAccessRights.MaximumAllowed)));
                                    }
                                    catch (NtException ex)
                                    {
                                        Console.WriteLine("Error opening pid {0} - {1}", pid_name, ex.Message);
                                    }
                                }
                            }

                            processes = procs;
                        }
                        else
                        {
                            try
                            {
                                HashSet <string> names = new HashSet <string>(pids, StringComparer.OrdinalIgnoreCase);
                                using (var imp = NtToken.Impersonate(_pid,
                                                                     _identify_only ? SecurityImpersonationLevel.Identification : SecurityImpersonationLevel.Impersonation))
                                {
                                    processes = NtProcess.GetProcesses(ProcessAccessRights.MaximumAllowed).Select(h => new ProcessEntry(h)).ToArray();
                                }

                                if (_named_process && names.Count > 0)
                                {
                                    processes = processes.Where(p => names.Contains(p.Name));
                                }
                            }
                            catch (NtException ex)
                            {
                                Console.WriteLine(ex);
                            }
                        }
                    }

                    List <ProcessEntry> ps = processes.ToList();

                    ps.Sort((a, b) => a.Pid - b.Pid);

                    processes = ps;

                    foreach (ProcessEntry process in processes)
                    {
                        Console.WriteLine("{0}: {1} {2}", process.Pid, process.Name, process.GetGrantedAccessString(_map_to_generic));
                        if (_print_sddl && process.Handle.IsAccessGranted(ProcessAccessRights.ReadControl))
                        {
                            Console.WriteLine("SDDL: {0}", process.Handle.GetSddl());
                        }

                        if (_dump_token && process.Token != null)
                        {
                            Console.WriteLine("User: {0}", process.Token.User);
                            if (_print_sddl && process.Token.IsAccessGranted(TokenAccessRights.ReadControl))
                            {
                                Console.WriteLine("Token SDDL: {0}", process.Token.GetSddl());
                            }
                            Console.WriteLine("Token Granted Access: {0}", process.Token.GrantedAccessAsString(_map_to_generic));
                        }

                        if (_dump_threads)
                        {
                            foreach (ThreadEntry thread in process.Threads)
                            {
                                Console.WriteLine("-- Thread {0}: {1}", thread.Tid, thread.Handle.GrantedAccessAsString(_map_to_generic));
                                if (_print_sddl && thread.Handle.IsAccessGranted(ThreadAccessRights.ReadControl))
                                {
                                    Console.WriteLine("---- SDDL: {0}", thread.Handle.GetSddl());
                                }

                                if (_dump_token && thread.Token != null)
                                {
                                    Console.WriteLine("---- Impersonating {0}", thread.Token.User);
                                    if (_print_sddl && thread.Token.IsAccessGranted(TokenAccessRights.ReadControl))
                                    {
                                        Console.WriteLine("---- Token SDDL: {0}", thread.Token.GetSddl());
                                    }
                                }
                            }
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
            }
        }
 public ProcessEntry(NtProcess handle) : this(handle, null)
 {
 }
            public ProcessEntry(NtProcess handle, NtThread[] threads)
            {
                Handle = handle;

                if (handle.IsAccessGranted(ProcessAccessRights.QueryInformation) || handle.IsAccessGranted(ProcessAccessRights.QueryLimitedInformation))
                {
                    Pid = handle.ProcessId;
                }

                if (threads == null)
                {
                    threads = handle.GetThreads(ThreadAccessRights.MaximumAllowed).ToArray();
                }

                Threads = threads.Select(h => new ThreadEntry(h)).ToArray();
                Array.Sort(Threads, (a, b) => a.Tid - b.Tid);
                ImagePath = String.Empty;
                Name      = String.Empty;
                if (Pid == 0)
                {
                    Name = "Idle";
                }
                else if (Pid == 4)
                {
                    Name = "System";
                }
                else
                {
                    if (Handle.IsAccessGranted(ProcessAccessRights.QueryLimitedInformation))
                    {
                        try
                        {
                            ImagePath = Handle.GetImageFilePath(false);
                            Name      = Path.GetFileNameWithoutExtension(ImagePath);
                        }
                        catch (NtException)
                        {
                        }
                    }
                }

                CommandLine = String.Empty;
                if (Handle.IsAccessGranted(ProcessAccessRights.QueryInformation) || Handle.IsAccessGranted(ProcessAccessRights.QueryLimitedInformation))
                {
                    try
                    {
                        Token = Handle.OpenToken();
                    }
                    catch (NtException)
                    {
                    }

                    try
                    {
                        CommandLine = Handle.CommandLine;
                    }
                    catch (NtException)
                    {
                    }
                }
            }
 internal CreateUserProcessResult(SafeKernelObjectHandle process_handle, SafeKernelObjectHandle thread_handle,
   ProcessCreateInfoData create_info,
   SectionImageInformation image_info, ClientId client_id)
 {
     Process = new NtProcess(process_handle);
     Thread = new NtThread(thread_handle);
     ImageFile = new NtFile(new SafeKernelObjectHandle(create_info.Success.FileHandle, true));
     SectionHandle = new NtSection(new SafeKernelObjectHandle(create_info.Success.SectionHandle, true));
     ImageInfo = image_info;
     ClientId = client_id;
     CreateInfo = create_info;
     CreateState = ProcessCreateState.Success;
 }
示例#34
0
 internal ProcessMemoryStream(NtProcess process, IntPtr base_address)
 {
     _process      = process;
     _base_address = base_address.ToInt64();
 }