protected override bool ReleaseHandle() { return(NativeMethod.CloseHandle(base.handle)); }
/// <summary> /// The function gets the integrity level of the current process. Integrity /// level is only available on Windows Vista and newer operating systems, thus /// GetProcessIntegrityLevel throws a C++ exception if it is called on systems /// prior to Windows Vista. /// </summary> /// <returns> /// Returns the integrity level of the current process. It is usually one of /// these values: /// /// SECURITY_MANDATORY_UNTRUSTED_RID - means untrusted level. It is used /// by processes started by the Anonymous group. Blocks most write access. /// (SID: S-1-16-0x0) /// /// SECURITY_MANDATORY_LOW_RID - means low integrity level. It is used by /// Protected Mode Internet Explorer. Blocks write acess to most objects /// (such as files and registry keys) on the system. (SID: S-1-16-0x1000) /// /// SECURITY_MANDATORY_MEDIUM_RID - means medium integrity level. It is /// used by normal applications being launched while UAC is enabled. /// (SID: S-1-16-0x2000) /// /// SECURITY_MANDATORY_HIGH_RID - means high integrity level. It is used /// by administrative applications launched through elevation when UAC is /// enabled, or normal applications if UAC is disabled and the user is an /// administrator. (SID: S-1-16-0x3000) /// /// SECURITY_MANDATORY_SYSTEM_RID - means system integrity level. It is /// used by services and other system-level applications (such as Wininit, /// Winlogon, Smss, etc.) (SID: S-1-16-0x4000) /// /// </returns> /// <exception cref="System.ComponentModel.Win32Exception"> /// When any native Windows API call fails, the function throws a Win32Exception /// with the last error code. /// </exception> internal int GetProcessIntegrityLevel() { int IL = -1; SafeTokenHandle hToken = null; int cbTokenIL = 0; IntPtr pTokenIL = IntPtr.Zero; try { // Open the access token of the current process with TOKEN_QUERY. if (!NativeMethod.OpenProcessToken(Process.GetCurrentProcess().Handle, NativeMethod.TOKEN_QUERY, out hToken)) { throw new Win32Exception(); } // Then we must query the size of the integrity level information // associated with the token. Note that we expect GetTokenInformation // to return false with the ERROR_INSUFFICIENT_BUFFER error code // because we've given it a null buffer. On exit cbTokenIL will tell // the size of the group information. if (!NativeMethod.GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, IntPtr.Zero, 0, out cbTokenIL)) { int error = Marshal.GetLastWin32Error(); if (error != NativeMethod.ERROR_INSUFFICIENT_BUFFER) { // When the process is run on operating systems prior to // Windows Vista, GetTokenInformation returns false with the // ERROR_INVALID_PARAMETER error code because // TokenIntegrityLevel is not supported on those OS's. throw new Win32Exception(error); } } // Now we allocate a buffer for the integrity level information. pTokenIL = Marshal.AllocHGlobal(cbTokenIL); if (pTokenIL == IntPtr.Zero) { throw new Win32Exception(); } // Now we ask for the integrity level information again. This may fail // if an administrator has added this account to an additional group // between our first call to GetTokenInformation and this one. if (!NativeMethod.GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, pTokenIL, cbTokenIL, out cbTokenIL)) { throw new Win32Exception(); } // Marshal the TOKEN_MANDATORY_LABEL struct from native to .NET object. TOKEN_MANDATORY_LABEL tokenIL = (TOKEN_MANDATORY_LABEL) Marshal.PtrToStructure(pTokenIL, typeof(TOKEN_MANDATORY_LABEL)); // Integrity Level SIDs are in the form of S-1-16-0xXXXX. (e.g. // S-1-16-0x1000 stands for low integrity level SID). There is one // and only one subauthority. IntPtr pIL = NativeMethod.GetSidSubAuthority(tokenIL.Label.Sid, 0); IL = Marshal.ReadInt32(pIL); } finally { // Centralized cleanup for all allocated resources. if (hToken != null) { hToken.Close(); hToken = null; } if (pTokenIL != IntPtr.Zero) { Marshal.FreeHGlobal(pTokenIL); pTokenIL = IntPtr.Zero; cbTokenIL = 0; } } return(IL); }
/// <summary> /// 此函数获取当前线程的完整性级别。完整性级别只有在Windows Vista及后 /// 续版本的Windows中有效。所以在Windows Vista之前的版本中执行GetProcessIntegrityLevel, /// 它会抛出一个C++异常。 /// </summary> /// <returns> /// 返回当前进程的完整性级别。它可能是以下某一个值。 /// /// SECURITY_MANDATORY_UNTRUSTED_RID (SID: S-1-16-0x0) /// 表示不被信任的级别。它被用于一个匿名组成员起动的进程。这时大多数 /// 写入操作被禁止。 /// /// SECURITY_MANDATORY_LOW_RID (SID: S-1-16-0x1000) /// 表示低完整性级别。它被用于保护模式下的IE浏览器。这时大多数系统中对 /// 象(包括文件及注册表键值)的写入操作被禁止。 /// /// SECURITY_MANDATORY_MEDIUM_RID (SID: S-1-16-0x2000) /// 表示中完整性级别。它被用于在UAC开启时启动普通应用程序。 /// /// /// SECURITY_MANDATORY_HIGH_RID (SID: S-1-16-0x3000) /// 表示高完整性级别。它被用于用户通过UAC提升权限启动一个管理员应用程序。 /// 或则当UAC关闭时,管理员用户启动一个普通程序。 /// /// /// SECURITY_MANDATORY_SYSTEM_RID (SID: S-1-16-0x4000) /// 表示系统完整性级别。它被用于服务或则其他系统级别的应用程序(比如 /// Wininit, Winlogon, Smss,等等) /// </returns> /// <exception cref="System.ComponentModel.Win32Exception"> /// 如果任何原生的Windows API函数出错,此函数会抛出一个包含最后错误代码的Win32Exception。 /// </exception> internal int GetProcessIntegrityLevel() { int IL = -1; SafeTokenHandle hToken = null; int cbTokenIL = 0; IntPtr pTokenIL = IntPtr.Zero; try { // 使用TOKEN_QUERY打开线程的主访问令牌。 if (!NativeMethod.OpenProcessToken(Process.GetCurrentProcess().Handle, NativeMethod.TOKEN_QUERY, out hToken)) { throw new Win32Exception(); } // 然后我们必须查询令牌完整性级别信息的大小。注意:我们预期得到一个FALSE结果及错误 // ERROR_INSUFFICIENT_BUFFER, 这是由于我们在GetTokenInformation输入一个 // 空缓冲。同时,在cbTokenIL中我们会得知完整性级别信息的大小。 if (!NativeMethod.GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, IntPtr.Zero, 0, out cbTokenIL)) { int error = Marshal.GetLastWin32Error(); if (error != NativeMethod.ERROR_INSUFFICIENT_BUFFER) { // 当进程运行于Windows Vista之前的系统中,GetTokenInformation返回 // FALSE和错误码ERROR_INVALID_PARAMETER。这是由于这些操作系统不支 // 持TokenElevation。 throw new Win32Exception(error); } } // 现在我们为完整性级别信息分配一个缓存。 pTokenIL = Marshal.AllocHGlobal(cbTokenIL); if (pTokenIL == IntPtr.Zero) { throw new Win32Exception(); } // 现在我们需要再次查询完整性级别信息。如果在第一次调用GetTokenInformation // 和本次之间一个管理员把当前账户加到另外一个组中,此次调用会失败。 if (!NativeMethod.GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, pTokenIL, cbTokenIL, out cbTokenIL)) { throw new Win32Exception(); } // 转换TOKEN_MANDATORY_LABEL结构(从Native 到.Net) TOKEN_MANDATORY_LABEL tokenIL = (TOKEN_MANDATORY_LABEL) Marshal.PtrToStructure(pTokenIL, typeof(TOKEN_MANDATORY_LABEL)); // 完整性级别SID为S-1-16-0xXXXX形式。(例如:S-1-16-0x1000表示为低完整性 // 级别的SID)。而且有且仅有一个次级授权信息。 IntPtr pIL = NativeMethod.GetSidSubAuthority(tokenIL.Label.Sid, 0); IL = Marshal.ReadInt32(pIL); } finally { // 集中清理所有已分配的内存资源 if (hToken != null) { hToken.Close(); hToken = null; } if (pTokenIL != IntPtr.Zero) { Marshal.FreeHGlobal(pTokenIL); pTokenIL = IntPtr.Zero; cbTokenIL = 0; } } return(IL); }
/// <summary> /// The function launches an application at low integrity level. /// </summary> /// <param name="commandLine"> /// The command line to be executed. The maximum length of this string is 32K /// characters. /// </param> /// <remarks> /// To start a low-integrity process, /// 1) Duplicate the handle of the current process, which is at medium /// integrity level. /// 2) Use SetTokenInformation to set the integrity level in the access token /// to Low. /// 3) Use CreateProcessAsUser to create a new process using the handle to /// the low integrity access token. /// </remarks> internal void CreateLowIntegrityProcess(string commandLine) { SafeTokenHandle hToken = null; SafeTokenHandle hNewToken = null; IntPtr pIntegritySid = IntPtr.Zero; int cbTokenInfo = 0; IntPtr pTokenInfo = IntPtr.Zero; STARTUPINFO si = new STARTUPINFO(); PROCESS_INFORMATION pi = new PROCESS_INFORMATION(); try { // Open the primary access token of the process. if (!NativeMethod.OpenProcessToken(Process.GetCurrentProcess().Handle, NativeMethod.TOKEN_DUPLICATE | NativeMethod.TOKEN_ADJUST_DEFAULT | NativeMethod.TOKEN_QUERY | NativeMethod.TOKEN_ASSIGN_PRIMARY, out hToken)) { throw new Win32Exception(); } // Duplicate the primary token of the current process. if (!NativeMethod.DuplicateTokenEx(hToken, 0, IntPtr.Zero, SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, TOKEN_TYPE.TokenPrimary, out hNewToken)) { throw new Win32Exception(); } // Create the low integrity SID. if (!NativeMethod.AllocateAndInitializeSid( ref NativeMethod.SECURITY_MANDATORY_LABEL_AUTHORITY, 1, NativeMethod.SECURITY_MANDATORY_LOW_RID, 0, 0, 0, 0, 0, 0, 0, out pIntegritySid)) { throw new Win32Exception(); } TOKEN_MANDATORY_LABEL tml; tml.Label.Attributes = NativeMethod.SE_GROUP_INTEGRITY; tml.Label.Sid = pIntegritySid; // Marshal the TOKEN_MANDATORY_LABEL struct to the native memory. cbTokenInfo = Marshal.SizeOf(tml); pTokenInfo = Marshal.AllocHGlobal(cbTokenInfo); Marshal.StructureToPtr(tml, pTokenInfo, false); // Set the integrity level in the access token to low. if (!NativeMethod.SetTokenInformation(hNewToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, pTokenInfo, cbTokenInfo + NativeMethod.GetLengthSid(pIntegritySid))) { throw new Win32Exception(); } // Create the new process at the Low integrity level. si.cb = Marshal.SizeOf(si); if (!NativeMethod.CreateProcessAsUser(hNewToken, null, commandLine, IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, null, ref si, out pi)) { throw new Win32Exception(); } } finally { // Centralized cleanup for all allocated resources. if (hToken != null) { hToken.Close(); hToken = null; } if (hNewToken != null) { hNewToken.Close(); hNewToken = null; } if (pIntegritySid != IntPtr.Zero) { NativeMethod.FreeSid(pIntegritySid); pIntegritySid = IntPtr.Zero; } if (pTokenInfo != IntPtr.Zero) { Marshal.FreeHGlobal(pTokenInfo); pTokenInfo = IntPtr.Zero; cbTokenInfo = 0; } if (pi.hProcess != IntPtr.Zero) { NativeMethod.CloseHandle(pi.hProcess); pi.hProcess = IntPtr.Zero; } if (pi.hThread != IntPtr.Zero) { NativeMethod.CloseHandle(pi.hThread); pi.hThread = IntPtr.Zero; } } }
/// <summary> /// 此函数以低完整性级别启动一个应用程序 /// </summary> /// <param name="commandLine"> /// 需要被执行的命令行。此字符串最长为32K个字符。 /// </param> /// <remarks> /// 启动一个低完整性进程 /// 1) 复制当前进程的句柄,它拥有中完整性级别 /// 2)使用SetTokenInformation设置访问进程的完整性级别为低。 /// 3)使用CreateProcessAsUser及低完整性级别的访问令牌创建一个新的进程。 /// </remarks> internal void CreateLowIntegrityProcess(string commandLine) { SafeTokenHandle hToken = null; SafeTokenHandle hNewToken = null; string strIntegritySid = "S-1-16-4096"; // Low integrity SID string 低完整性SID字符串 IntPtr pIntegritySid = IntPtr.Zero; int cbTokenInfo = 0; IntPtr pTokenInfo = IntPtr.Zero; STARTUPINFO si = new STARTUPINFO(); PROCESS_INFORMATION pi = new PROCESS_INFORMATION(); try { // 打开进程的主访问令牌。 if (!NativeMethod.OpenProcessToken(Process.GetCurrentProcess().Handle, NativeMethod.TOKEN_DUPLICATE | NativeMethod.TOKEN_ADJUST_DEFAULT | NativeMethod.TOKEN_QUERY | NativeMethod.TOKEN_ASSIGN_PRIMARY, out hToken)) { throw new Win32Exception(); } // 复制当前进程的主令牌。 if (!NativeMethod.DuplicateTokenEx(hToken, 0, IntPtr.Zero, SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, TOKEN_TYPE.TokenPrimary, out hNewToken)) { throw new Win32Exception(); } // 创建低完整性SID。 if (!NativeMethod.ConvertStringSidToSid(strIntegritySid, out pIntegritySid)) { throw new Win32Exception(); } TOKEN_MANDATORY_LABEL tml; tml.Label.Attributes = NativeMethod.SE_GROUP_INTEGRITY; tml.Label.Sid = pIntegritySid; // 转换TOKEN_MANDATORY_LABEL结构至native内存。 cbTokenInfo = Marshal.SizeOf(tml); pTokenInfo = Marshal.AllocHGlobal(cbTokenInfo); Marshal.StructureToPtr(tml, pTokenInfo, false); // 设置访问令牌的完整性级别为低。 if (!NativeMethod.SetTokenInformation(hNewToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, pTokenInfo, cbTokenInfo + NativeMethod.GetLengthSid(pIntegritySid))) { throw new Win32Exception(); } // 以低完整性级别创建一个新进程。 si.cb = Marshal.SizeOf(si); if (!NativeMethod.CreateProcessAsUser(hNewToken, null, commandLine, IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, null, ref si, out pi)) { throw new Win32Exception(); } } finally { // 集中清理已分配的资源 if (hToken != null) { hToken.Close(); hToken = null; } if (hNewToken != null) { hNewToken.Close(); hNewToken = null; } if (pIntegritySid != IntPtr.Zero) { Marshal.FreeHGlobal(pIntegritySid); pIntegritySid = IntPtr.Zero; } if (pTokenInfo != IntPtr.Zero) { Marshal.FreeHGlobal(pTokenInfo); pTokenInfo = IntPtr.Zero; cbTokenInfo = 0; } if (pi.hProcess != IntPtr.Zero) { NativeMethod.CloseHandle(pi.hProcess); pi.hProcess = IntPtr.Zero; } if (pi.hThread != IntPtr.Zero) { NativeMethod.CloseHandle(pi.hThread); pi.hThread = IntPtr.Zero; } } }