Skip to content

Instantly share code, notes, and snippets.

@jaredcatkinson
Last active February 24, 2024 15:16
Show Gist options
  • Save jaredcatkinson/d514ea6030bd6bd1a378bec57483c7f6 to your computer and use it in GitHub Desktop.
Save jaredcatkinson/d514ea6030bd6bd1a378bec57483c7f6 to your computer and use it in GitHub Desktop.
Add-Type -AssemblyName System.ServiceModel
$BF = [Reflection.BindingFlags]::NonPublic -bor [Reflection.BindingFlags]::Static
$C1 = [ServiceModel.PeerNode].Assembly.GetType('System.ServiceModel.Channels.AppContainerInfo')
$C2 = [ServiceModel.PeerNode].Assembly.GetType('System.ServiceModel.Activation.Utility')
$M1 = $C1.GetMethod('GetCurrentProcessToken', $BF)
$M2 = $C2.GetMethod('GetTokenInformation', $BF)
$hT = $M1.Invoke($null, @())
$b = New-Object -TypeName byte[](28)
$M2.Invoke($null, @($hT, 25, [byte[]]$b))
$IL = [Security.Principal.SecurityIdentifier]::new($b, 16).Value
function Get-IntegrityLevel
{
param
(
[Parameter()]
[Int32]
$ProcessId
)
try
{
$null = [System.ServiceModel.PeerNode]
}
catch
{
Add-Type -AssemblyName System.ServiceModel
}
if($PSBoundParameters.ContainsKey('ProcessId'))
{
$processes = Get-Process -Id $ProcessId
}
else
{
$processes = Get-Process
}
foreach($proc in $processes)
{
try
{
$BindingFlags = [System.Reflection.BindingFlags]::NonPublic -bor [System.Reflection.BindingFlags]::Static
$UtilityClass = [System.ServiceModel.PeerNode].Assembly.GetType('System.ServiceModel.Activation.Utility')
$OpenProcessMethod = $UtilityClass.GetMethod('OpenProcessForQuery', $BindingFlags)
$GetProcessTokenMethod = $UtilityClass.GetMethod('GetProcessToken', $BindingFlags)
$GetTokenInformationLengthMethod = $UtilityClass.GetMethod('GetTokenInformationLength', $BindingFlags)
$GetTokenInformationMethod = $UtilityClass.GetMethod('GetTokenInformation', $BindingFlags)
$hProcess = $OpenProcessMethod.Invoke($null, @($proc.Id))
$hToken = $GetProcessTokenMethod.Invoke($null, @($hProcess, 8))
$length = $GetTokenInformationLengthMethod.Invoke($null, @($hToken, 25))
$bytes = New-Object -TypeName byte[]($length)
$GetTokenInformationMethod.Invoke($null, @($hToken, 25, [byte[]]$bytes))
$IntegrityLevel = [Security.Principal.SecurityIdentifier]::new($bytes, 16).Value
}
catch
{
$IntegrityLevel = $null
}
switch($IntegrityLevel)
{
S-1-16-0 {$Integrity = 'Untrusted Mandatory Level'}
S-1-16-4096 {$Integrity = 'Low Mandatory Level'}
S-1-16-8192 {$Integrity = 'Medium Mandatory Level'}
S-1-16-8448 {$Integrity = 'Medium Plus Mandatory Level'}
S-1-16-12288 {$Integrity = 'High Mandatory Level'}
S-1-16-16384 {$Integrity = 'System Mandatory Level'}
S-1-16-20480 {$Integrity = 'Protected Process Mandatory Level'}
S-1-16-28672 {$Integrity = 'Secure Process Mandatory Level'}
default {$Integrity = $null}
}
$props = @{
ProcessName = $proc.Name
ProcessId = $proc.Id
IntegrityLevel = $Integrity
}
New-Object -TypeName psobject -Property $props
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment