private static IntPtr StartProcessAsUser(string szFile, string szArguments, string szDirectory, bool Inherit, IntPtr hParent) { Win32.STARTUPINFOEX si = new Win32.STARTUPINFOEX(); Win32.PROCESS_INFORMATION pi = new Win32.PROCESS_INFORMATION(); Win32.SECURITY_ATTRIBUTES sa = new Win32.SECURITY_ATTRIBUTES(); IntPtr processToken = IntPtr.Zero, userToken, cbAttributeListSize = IntPtr.Zero; Win32.OpenProcessToken(new IntPtr(-1), (uint)Win32.TOKEN_ACCESS.TOKEN_ALL_ACCESS, ref processToken); Win32.DuplicateTokenEx(processToken, (uint)Win32.TOKEN_ACCESS.TOKEN_ALL_ACCESS, out sa, Win32.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, Win32.TOKEN_TYPE.TokenPrimary, out userToken); Win32.InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref cbAttributeListSize); IntPtr pAttributeList = Win32.VirtualAlloc(IntPtr.Zero, (int)cbAttributeListSize, 0x1000, 0x40); Win32.InitializeProcThreadAttributeList(pAttributeList, 1, 0, ref cbAttributeListSize); Win32.UpdateProcThreadAttribute(pAttributeList, 0, (IntPtr)0x00020000, ref hParent, (IntPtr)Marshal.SizeOf(hParent), IntPtr.Zero, IntPtr.Zero); si.lpAttributeList = pAttributeList; si.StartupInfo = new Win32.STARTUPINFO(); Win32.CreateProcessAsUserA(userToken, szFile, szArguments, IntPtr.Zero, IntPtr.Zero, Inherit, 0x400 | 0x010 | 0x00080000, IntPtr.Zero, szDirectory, ref si, ref pi); Win32.CloseHandle(processToken); Win32.CloseHandle(userToken); Win32.DeleteProcThreadAttributeList(pAttributeList); Win32.VirtualFree(pAttributeList, 0x1000, 0x8000); return(pi.hProcess); }
private byte[] executeDispatch(IRpcClientInfo client, byte[] input) { using (client.Impersonate()) { IntPtr hToken; Win32.OpenThreadToken(Win32.GetCurrentThread(), Win32.TOKEN_READ | Win32.TOKEN_IMPERSONATE, false, out hToken); Win32.SECURITY_ATTRIBUTES saProcessAttributes = new Win32.SECURITY_ATTRIBUTES(); Win32.SECURITY_ATTRIBUTES saThreadAttributes = new Win32.SECURITY_ATTRIBUTES(); Win32.STARTUPINFO startupInfo = new Win32.STARTUPINFO(); startupInfo.cb = Marshal.SizeOf(startupInfo); Win32.PROCESS_INFORMATION processInfo = new Win32.PROCESS_INFORMATION(); bool result = Win32.CreateProcessAsUser( hToken, @"c:\windows\notepad.exe", null, ref saProcessAttributes, ref saThreadAttributes, true, 0x01000000, IntPtr.Zero, null, ref startupInfo, out processInfo); if (!result) { int error = Marshal.GetLastWin32Error(); } return(new byte[] { 0 }); } }
public static DllInjector CreateProcess(ProcessStartInfo StartInfo, bool CreateSuspended = false, bool FreeOnDispose = false) { Process process; if (CreateSuspended) { if (StartInfo == null) { throw new ArgumentNullException("StartInfo"); } if (string.IsNullOrEmpty(StartInfo.FileName)) { throw new ArgumentException("FileNameMissing"); } if (StartInfo.StandardOutputEncoding != null && !StartInfo.RedirectStandardOutput) { throw new ArgumentException("StandardOutputEncodingNotAllowed"); } if (StartInfo.StandardErrorEncoding != null && !StartInfo.RedirectStandardError) { throw new ArgumentException("StandardErrorEncodingNotAllowed"); } /* * private static StringBuilder BuildCommandLine(string executableFileName, string arguments); * * Declaring Type: System.Diagnostics.Process * Assembly: System, Version=4.0.0.0 */ StringBuilder cmdLine = new StringBuilder(); string str = StartInfo.FileName.Trim(); bool flag = str.StartsWith("\"", StringComparison.Ordinal) && str.EndsWith("\"", StringComparison.Ordinal); if (!flag) { cmdLine.Append("\""); } cmdLine.Append(str); if (!flag) { cmdLine.Append("\""); } if (!string.IsNullOrEmpty(StartInfo.Arguments)) { cmdLine.Append(" "); cmdLine.Append(StartInfo.Arguments); } /* * private bool StartWithCreateProcess(ProcessStartInfo startInfo); * * Declaring Type: System.Diagnostics.Process * Assembly: System, Version=4.0.0.0 */ Win32.STARTUPINFO lpStartupInfo = new Win32.STARTUPINFO() { hStdError = new SafeFileHandle(IntPtr.Zero, false), hStdInput = new SafeFileHandle(IntPtr.Zero, false), hStdOutput = new SafeFileHandle(IntPtr.Zero, false) }; Win32.PROCESS_INFORMATION lpProcessInformation = new Win32.PROCESS_INFORMATION(); IntPtr processHandle = IntPtr.Zero; IntPtr handle2 = IntPtr.Zero; SafeFileHandle parentHandle = null; SafeFileHandle handle4 = null; SafeFileHandle handle5 = null; int error = 0; GCHandle handle6 = new GCHandle(); try { if (StartInfo.RedirectStandardInput || StartInfo.RedirectStandardOutput || StartInfo.RedirectStandardError) { if (StartInfo.RedirectStandardInput) { CreatePipe(out parentHandle, out lpStartupInfo.hStdInput, true); } else { lpStartupInfo.hStdInput = new SafeFileHandle(Win32.GetStdHandle(Win32.StdHandles.STD_INPUT_HANDLE), false); } if (StartInfo.RedirectStandardOutput) { CreatePipe(out handle4, out lpStartupInfo.hStdOutput, false); } else { lpStartupInfo.hStdOutput = new SafeFileHandle(Win32.GetStdHandle(Win32.StdHandles.STD_OUTPUT_HANDLE), false); } if (StartInfo.RedirectStandardError) { CreatePipe(out handle5, out lpStartupInfo.hStdError, false); } else { lpStartupInfo.hStdError = new SafeFileHandle(Win32.GetStdHandle(Win32.StdHandles.STD_ERROR_HANDLE), false); } lpStartupInfo.dwFlags = 0x100; } Win32.ProcessCreationFlags creationFlags = Win32.ProcessCreationFlags.CREATE_SUSPENDED; if (StartInfo.CreateNoWindow) { creationFlags |= Win32.ProcessCreationFlags.CREATE_NO_WINDOW; } if (Utilities.IsNt) { creationFlags |= Win32.ProcessCreationFlags.CREATE_UNICODE_ENVIRONMENT; handle6 = GCHandle.Alloc(EnvironmentBlock.ToByteArray(StartInfo.EnvironmentVariables, true), GCHandleType.Pinned); } else { handle6 = GCHandle.Alloc(EnvironmentBlock.ToByteArray(StartInfo.EnvironmentVariables, false), GCHandleType.Pinned); } string workingDirectory = StartInfo.WorkingDirectory; if (workingDirectory == string.Empty) { workingDirectory = Environment.CurrentDirectory; } if (StartInfo.UserName.Length != 0) { Win32.LogonFlags logonFlags = 0; if (StartInfo.LoadUserProfile) { logonFlags = Win32.LogonFlags.LOGON_WITH_PROFILE; } IntPtr password = IntPtr.Zero; try { if (StartInfo.Password == null) { password = Marshal.StringToCoTaskMemUni(string.Empty); } else { password = Marshal.SecureStringToCoTaskMemUnicode(StartInfo.Password); } RuntimeHelpers.PrepareConstrainedRegions(); try { } finally { flag = Win32.CreateProcessWithLogon(StartInfo.UserName, StartInfo.Domain, password, logonFlags, null, cmdLine, creationFlags, handle6.AddrOfPinnedObject(), workingDirectory, ref lpStartupInfo, out lpProcessInformation); if (!flag) { error = Marshal.GetLastWin32Error(); } if (lpProcessInformation.hProcess != IntPtr.Zero && lpProcessInformation.hProcess != Win32.INVALID_HANDLE_VALUE) { processHandle = lpProcessInformation.hProcess; } if (lpProcessInformation.hThread != IntPtr.Zero && lpProcessInformation.hThread != Win32.INVALID_HANDLE_VALUE) { handle2 = lpProcessInformation.hThread; } } if (!flag) { if ((error != 0xc1) && (error != 0xd8)) { throw new Win32Exception(error); } throw new Win32Exception(error, "InvalidApplication"); } } finally { if (password != IntPtr.Zero) { Marshal.ZeroFreeCoTaskMemUnicode(password); } } } else { RuntimeHelpers.PrepareConstrainedRegions(); try { } finally { flag = Win32.CreateProcess(null, cmdLine, IntPtr.Zero, IntPtr.Zero, true, creationFlags, handle6.AddrOfPinnedObject(), workingDirectory, ref lpStartupInfo, out lpProcessInformation); if (!flag) { error = Marshal.GetLastWin32Error(); } if (lpProcessInformation.hProcess != IntPtr.Zero && lpProcessInformation.hProcess != Win32.INVALID_HANDLE_VALUE) { processHandle = lpProcessInformation.hProcess; } if (lpProcessInformation.hThread != IntPtr.Zero && lpProcessInformation.hThread != Win32.INVALID_HANDLE_VALUE) { handle2 = lpProcessInformation.hThread; } } if (!flag) { if ((error != 0xc1) && (error != 0xd8)) { throw new Win32Exception(error); } throw new Win32Exception(error, "InvalidApplication"); } } } finally { if (handle6.IsAllocated) { handle6.Free(); } if (lpStartupInfo.hStdInput != null && !lpStartupInfo.hStdInput.IsInvalid) { lpStartupInfo.hStdInput.Close(); } if (lpStartupInfo.hStdOutput != null && !lpStartupInfo.hStdOutput.IsInvalid) { lpStartupInfo.hStdOutput.Close(); } if (lpStartupInfo.hStdError != null && !lpStartupInfo.hStdError.IsInvalid) { lpStartupInfo.hStdError.Close(); } } if (processHandle != IntPtr.Zero && processHandle != Win32.INVALID_HANDLE_VALUE) { Win32.CloseHandle(handle2); } process = Process.GetProcessById((int)lpProcessInformation.dwProcessId); if (StartInfo.RedirectStandardInput) { FieldInfo standardInput = typeof(Process).GetField("standardInput", BindingFlags.Instance | BindingFlags.NonPublic); standardInput.SetValue(process, new StreamWriter(new FileStream(parentHandle, FileAccess.Write, 0x1000, false), Console.InputEncoding, 0x1000) { AutoFlush = true }); } if (StartInfo.RedirectStandardOutput) { FieldInfo standardOutput = typeof(Process).GetField("standardOutput", BindingFlags.Instance | BindingFlags.NonPublic); standardOutput.SetValue(process, new StreamReader(new FileStream(handle4, FileAccess.Read, 0x1000, false), (StartInfo.StandardOutputEncoding != null) ? StartInfo.StandardOutputEncoding : Console.OutputEncoding, true, 0x1000)); } if (StartInfo.RedirectStandardError) { FieldInfo standardError = typeof(Process).GetField("standardError", BindingFlags.Instance | BindingFlags.NonPublic); standardError.SetValue(process, new StreamReader(new FileStream(handle5, FileAccess.Read, 0x1000, false), (StartInfo.StandardErrorEncoding != null) ? StartInfo.StandardErrorEncoding : Console.OutputEncoding, true, 0x1000)); } } else { process = Process.Start(StartInfo); } return(new DllInjector(process, FreeOnDispose)); }