Skip to content

Instantly share code, notes, and snippets.

@vector-sec

vector-sec/Get-Token.ps1

Created August 10, 2017 17:51
Show Gist options
  • Star 11 You must be signed in to star a gist
  • Fork 7 You must be signed in to fork a gist
  • Save vector-sec/a049bf12da619d9af8f9c7dbd28d3b56 to your computer and use it in GitHub Desktop.
Save vector-sec/a049bf12da619d9af8f9c7dbd28d3b56 to your computer and use it in GitHub Desktop.
Download ZIP
PowerShell script to enumerate all Process and Thread tokens.
Raw
Get-Token.ps1
function Get-Token
{
foreach($proc in (Get-Process))
{
if($proc.Id -ne 0 -and $proc.Id -ne 4)
{
try
{
$hProcess = OpenProcess -ProcessId $proc.Id -DesiredAccess PROCESS_QUERY_LIMITED_INFORMATION
}
catch
{
if($_.Exception.Message -ne "OpenProcess Error: The parameter is incorrect")
{
Write-Warning "Process Handle: $($proc.Id)"
Write-Warning $_.Exception.Message
}
}
try
{
$hToken = OpenProcessToken -ProcessHandle $hProcess -DesiredAccess TOKEN_QUERY
}
catch
{
Write-Warning "Process Token Handle: $($proc.Id)"
Write-Warning $_.Exception.Message
}
try
{
$TokenUser = GetTokenInformation -TokenInformationClass TokenUser -TokenHandle $hToken
$TokenOwner = GetTokenInformation -TokenInformationClass TokenOwner -TokenHandle $hToken
$TokenIntegrityLevel = GetTokenInformation -TokenInformationClass TokenIntegrityLevel -TokenHandle $hToken
$TokenType = GetTokenInformation -TokenInformationClass TokenType -TokenHandle $hToken
$TokenSessionId = GetTokenInformation -TokenInformationClass TokenSessionId -TokenHandle $hToken
$TokenOrigin = GetTokenInformation -TokenInformationClass TokenOrigin -TokenHandle $hToken
#$TokenLogonSid = GetTokenInformation -TokenInformationClass TokenLogonSid -TokenHandle $hToken
$TokenPrivileges = GetTokenInformation -TokenInformationClass TokenPrivileges -TokenHandle $hToken
$TokenElevation = GetTokenInformation -TokenInformationClass TokenElevation -TokenHandle $hToken
$TokenElevationType = GetTokenInformation -TokenInformationClass TokenElevationType -TokenHandle $hToken
#$TokenSource = GetTokenInformation -TokenInformationClass TokenSource -TokenHandle $hToken
$obj = New-Object -TypeName psobject -Property $props
$obj | Add-Member -MemberType NoteProperty -Name ProcessName -Value $proc.Name
$obj | Add-Member -MemberType NoteProperty -Name ProcessId -Value $proc.Id
$obj | Add-Member -MemberType NoteProperty -Name ThreadId -Value $thread.Id
$obj | Add-Member -MemberType NoteProperty -Name UserSid -Value $TokenUser.Sid
$obj | Add-Member -MemberType NoteProperty -Name UserName -Value $TokenUser.Name
$obj | Add-Member -MemberType NoteProperty -Name OwnerSid -Value $TokenOwner.Sid
$obj | Add-Member -MemberType NoteProperty -Name OwnerName -Value $TokenOwner.Name
$obj | Add-Member -MemberType NoteProperty -Name IntegrityLevel -Value $TokenIntegrityLevel
$obj | Add-Member -MemberType NoteProperty -Name Type -Value $TokenType
$obj | Add-Member -MemberType NoteProperty -Name ImpersonationLevel -Value 'None'
$obj | Add-Member -MemberType NoteProperty -Name SessionId -Value $TokenSessionId
$obj | Add-Member -MemberType NoteProperty -Name Origin -Value $TokenOrigin
$obj | Add-Member -MemberType NoteProperty -Name LogonSid -Value $TokenLogonSid
$obj | Add-Member -MemberType NoteProperty -Name Privileges -Value $TokenPrivileges
$obj | Add-Member -MemberType NoteProperty -Name IsElevated -Value $TokenElevation
$obj | Add-Member -MemberType NoteProperty -Name ElevationType -Value $TokenElevationType
Write-Output $obj
CloseHandle -Handle $hProcess
CloseHandle -Handle $hToken
}
catch
{
Write-Warning "Process Token Query: $($proc.Id)"
Write-Warning $_.Exception.Message
}
foreach($thread in $proc.Threads)
{
try
{
$hThread = OpenThread -ThreadId $thread.Id -DesiredAccess THREAD_QUERY_LIMITED_INFORMATION
}
catch
{
Write-Warning "Thread Handle: $($thread.Id)"
Write-Warning $_.Exception.Message
}
try
{
$hToken = OpenThreadToken -ThreadHandle $hThread -DesiredAccess TOKEN_QUERY
$TokenUser = GetTokenInformation -TokenInformationClass TokenUser -TokenHandle $hToken
$TokenOwner = GetTokenInformation -TokenInformationClass TokenOwner -TokenHandle $hToken
$TokenIntegrityLevel = GetTokenInformation -TokenInformationClass TokenIntegrityLevel -TokenHandle $hToken
$TokenType = GetTokenInformation -TokenInformationClass TokenType -TokenHandle $hToken
if($TokenType -eq 'TokenImpersonation')
{
$TokenImpersonationLevel = GetTokenInformation -TokenInformationClass TokenImpersonationLevel -TokenHandle $hToken
}
else
{
$TokenImpersonationLevel = 'None'
}
$TokenSessionId = GetTokenInformation -TokenInformationClass TokenSessionId -TokenHandle $hToken
$TokenOrigin = GetTokenInformation -TokenInformationClass TokenOrigin -TokenHandle $hToken
#$TokenLogonSid = GetTokenInformation -TokenInformationClass TokenLogonSid -TokenHandle $hToken
$TokenPrivileges = GetTokenInformation -TokenInformationClass TokenPrivileges -TokenHandle $hToken
$TokenElevation = GetTokenInformation -TokenInformationClass TokenElevation -TokenHandle $hToken
$TokenElevationType = GetTokenInformation -TokenInformationClass TokenElevationType -TokenHandle $hToken
#$TokenSource = GetTokenInformation -TokenInformationClass TokenSource -TokenHandle $hToken
$obj = New-Object -TypeName psobject
$obj | Add-Member -MemberType NoteProperty -Name ProcessName -Value $proc.Name
$obj | Add-Member -MemberType NoteProperty -Name ProcessId -Value $proc.Id
$obj | Add-Member -MemberType NoteProperty -Name ThreadId -Value $thread.Id
$obj | Add-Member -MemberType NoteProperty -Name UserSid -Value $TokenUser.Sid
$obj | Add-Member -MemberType NoteProperty -Name UserName -Value $TokenUser.Name
$obj | Add-Member -MemberType NoteProperty -Name OwnerSid -Value $TokenOwner.Sid
$obj | Add-Member -MemberType NoteProperty -Name OwnerName -Value $TokenOwner.Name
$obj | Add-Member -MemberType NoteProperty -Name IntegrityLevel -Value $TokenIntegrityLevel
$obj | Add-Member -MemberType NoteProperty -Name Type -Value $TokenType
$obj | Add-Member -MemberType NoteProperty -Name ImpersonationLevel -Value $TokenImpersonationLevel
$obj | Add-Member -MemberType NoteProperty -Name SessionId -Value $TokenSessionId
$obj | Add-Member -MemberType NoteProperty -Name Origin -Value $TokenOrigin
$obj | Add-Member -MemberType NoteProperty -Name LogonSid -Value $TokenLogonSid
$obj | Add-Member -MemberType NoteProperty -Name Privileges -Value $TokenPrivileges
$obj | Add-Member -MemberType NoteProperty -Name IsElevated -Value $TokenElevation
$obj | Add-Member -MemberType NoteProperty -Name ElevationType -Value $TokenElevationType
Write-Output $obj
CloseHandle -Handle $hThread
CloseHandle -Handle $hToken
}
catch
{
if($_.Exception.Message -ne 'OpenThreadToken Error: An attempt was made to reference a token that does not exist')
{
#Write-Warning "Thread Token Handle"
#Write-Warning $_.Exception.Message
}
}
}
}
}
}
#region PSReflect
#Requires -Version 2
function New-InMemoryModule
{
<#
.SYNOPSIS
Creates an in-memory assembly and module
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION
When defining custom enums, structs, and unmanaged functions, it is
necessary to associate to an assembly module. This helper function
creates an in-memory module that can be passed to the 'enum',
'struct', and Add-Win32Type functions.
.PARAMETER ModuleName
Specifies the desired name for the in-memory assembly and module. If
ModuleName is not provided, it will default to a GUID.
.EXAMPLE
$Module = New-InMemoryModule -ModuleName Win32
#>
Param
(
[Parameter(Position = 0)]
[ValidateNotNullOrEmpty()]
[String]
$ModuleName = [Guid]::NewGuid().ToString()
)
$AppDomain = [Reflection.Assembly].Assembly.GetType('System.AppDomain').GetProperty('CurrentDomain').GetValue($null, @())
$LoadedAssemblies = $AppDomain.GetAssemblies()
foreach ($Assembly in $LoadedAssemblies) {
if ($Assembly.FullName -and ($Assembly.FullName.Split(',')[0] -eq $ModuleName)) {
return $Assembly
}
}
$DynAssembly = New-Object Reflection.AssemblyName($ModuleName)
$Domain = $AppDomain
$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, 'Run')
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule($ModuleName, $False)
return $ModuleBuilder
}
# A helper function used to reduce typing while defining function
# prototypes for Add-Win32Type.
function func
{
Param
(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$DllName,
[Parameter(Position = 1, Mandatory = $True)]
[string]
$FunctionName,
[Parameter(Position = 2, Mandatory = $True)]
[Type]
$ReturnType,
[Parameter(Position = 3)]
[Type[]]
$ParameterTypes,
[Parameter(Position = 4)]
[Runtime.InteropServices.CallingConvention]
$NativeCallingConvention,
[Parameter(Position = 5)]
[Runtime.InteropServices.CharSet]
$Charset,
[String]
$EntryPoint,
[Switch]
$SetLastError
)
$Properties = @{
DllName = $DllName
FunctionName = $FunctionName
ReturnType = $ReturnType
}
if ($ParameterTypes) { $Properties['ParameterTypes'] = $ParameterTypes }
if ($NativeCallingConvention) { $Properties['NativeCallingConvention'] = $NativeCallingConvention }
if ($Charset) { $Properties['Charset'] = $Charset }
if ($SetLastError) { $Properties['SetLastError'] = $SetLastError }
if ($EntryPoint) { $Properties['EntryPoint'] = $EntryPoint }
New-Object PSObject -Property $Properties
}
function Add-Win32Type
{
<#
.SYNOPSIS
Creates a .NET type for an unmanaged Win32 function.
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: func
.DESCRIPTION
Add-Win32Type enables you to easily interact with unmanaged (i.e.
Win32 unmanaged) functions in PowerShell. After providing
Add-Win32Type with a function signature, a .NET type is created
using reflection (i.e. csc.exe is never called like with Add-Type).
The 'func' helper function can be used to reduce typing when defining
multiple function definitions.
.PARAMETER DllName
The name of the DLL.
.PARAMETER FunctionName
The name of the target function.
.PARAMETER EntryPoint
The DLL export function name. This argument should be specified if the
specified function name is different than the name of the exported
function.
.PARAMETER ReturnType
The return type of the function.
.PARAMETER ParameterTypes
The function parameters.
.PARAMETER NativeCallingConvention
Specifies the native calling convention of the function. Defaults to
stdcall.
.PARAMETER Charset
If you need to explicitly call an 'A' or 'W' Win32 function, you can
specify the character set.
.PARAMETER SetLastError
Indicates whether the callee calls the SetLastError Win32 API
function before returning from the attributed method.
.PARAMETER Module
The in-memory module that will host the functions. Use
New-InMemoryModule to define an in-memory module.
.PARAMETER Namespace
An optional namespace to prepend to the type. Add-Win32Type defaults
to a namespace consisting only of the name of the DLL.
.EXAMPLE
$Mod = New-InMemoryModule -ModuleName Win32
$FunctionDefinitions = @(
(func kernel32 GetProcAddress ([IntPtr]) @([IntPtr], [String]) -Charset Ansi -SetLastError),
(func kernel32 GetModuleHandle ([Intptr]) @([String]) -SetLastError),
(func ntdll RtlGetCurrentPeb ([IntPtr]) @())
)
$Types = $FunctionDefinitions | Add-Win32Type -Module $Mod -Namespace 'Win32'
$Kernel32 = $Types['kernel32']
$Ntdll = $Types['ntdll']
$Ntdll::RtlGetCurrentPeb()
$ntdllbase = $Kernel32::GetModuleHandle('ntdll')
$Kernel32::GetProcAddress($ntdllbase, 'RtlGetCurrentPeb')
.NOTES
Inspired by Lee Holmes' Invoke-WindowsApi http://poshcode.org/2189
When defining multiple function prototypes, it is ideal to provide
Add-Win32Type with an array of function signatures. That way, they
are all incorporated into the same in-memory module.
#>
[OutputType([Hashtable])]
Param(
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
[String]
$DllName,
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
[String]
$FunctionName,
[Parameter(ValueFromPipelineByPropertyName = $True)]
[String]
$EntryPoint,
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
[Type]
$ReturnType,
[Parameter(ValueFromPipelineByPropertyName = $True)]
[Type[]]
$ParameterTypes,
[Parameter(ValueFromPipelineByPropertyName = $True)]
[Runtime.InteropServices.CallingConvention]
$NativeCallingConvention = [Runtime.InteropServices.CallingConvention]::StdCall,
[Parameter(ValueFromPipelineByPropertyName = $True)]
[Runtime.InteropServices.CharSet]
$Charset = [Runtime.InteropServices.CharSet]::Auto,
[Parameter(ValueFromPipelineByPropertyName = $True)]
[Switch]
$SetLastError,
[Parameter(Mandatory = $True)]
[ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})]
$Module,
[ValidateNotNull()]
[String]
$Namespace = ''
)
BEGIN
{
$TypeHash = @{}
}
PROCESS
{
if ($Module -is [Reflection.Assembly])
{
if ($Namespace)
{
$TypeHash[$DllName] = $Module.GetType("$Namespace.$DllName")
}
else
{
$TypeHash[$DllName] = $Module.GetType($DllName)
}
}
else
{
# Define one type for each DLL
if (!$TypeHash.ContainsKey($DllName))
{
if ($Namespace)
{
$TypeHash[$DllName] = $Module.DefineType("$Namespace.$DllName", 'Public,BeforeFieldInit')
}
else
{
$TypeHash[$DllName] = $Module.DefineType($DllName, 'Public,BeforeFieldInit')
}
}
$Method = $TypeHash[$DllName].DefineMethod(
$FunctionName,
'Public,Static,PinvokeImpl',
$ReturnType,
$ParameterTypes)
# Make each ByRef parameter an Out parameter
$i = 1
foreach($Parameter in $ParameterTypes)
{
if ($Parameter.IsByRef)
{
[void] $Method.DefineParameter($i, 'Out', $null)
}
$i++
}
$DllImport = [Runtime.InteropServices.DllImportAttribute]
$SetLastErrorField = $DllImport.GetField('SetLastError')
$CallingConventionField = $DllImport.GetField('CallingConvention')
$CharsetField = $DllImport.GetField('CharSet')
$EntryPointField = $DllImport.GetField('EntryPoint')
if ($SetLastError) { $SLEValue = $True } else { $SLEValue = $False }
if ($PSBoundParameters['EntryPoint']) { $ExportedFuncName = $EntryPoint } else { $ExportedFuncName = $FunctionName }
# Equivalent to C# version of [DllImport(DllName)]
$Constructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor([String])
$DllImportAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($Constructor,
$DllName, [Reflection.PropertyInfo[]] @(), [Object[]] @(),
[Reflection.FieldInfo[]] @($SetLastErrorField,
$CallingConventionField,
$CharsetField,
$EntryPointField),
[Object[]] @($SLEValue,
([Runtime.InteropServices.CallingConvention] $NativeCallingConvention),
([Runtime.InteropServices.CharSet] $Charset),
$ExportedFuncName))
$Method.SetCustomAttribute($DllImportAttribute)
}
}
END
{
if ($Module -is [Reflection.Assembly])
{
return $TypeHash
}
$ReturnTypes = @{}
foreach ($Key in $TypeHash.Keys)
{
$Type = $TypeHash[$Key].CreateType()
$ReturnTypes[$Key] = $Type
}
return $ReturnTypes
}
}
function psenum
{
<#
.SYNOPSIS
Creates an in-memory enumeration for use in your PowerShell session.
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION
The 'psenum' function facilitates the creation of enums entirely in
memory using as close to a "C style" as PowerShell will allow.
.PARAMETER Module
The in-memory module that will host the enum. Use
New-InMemoryModule to define an in-memory module.
.PARAMETER FullName
The fully-qualified name of the enum.
.PARAMETER Type
The type of each enum element.
.PARAMETER EnumElements
A hashtable of enum elements.
.PARAMETER Bitfield
Specifies that the enum should be treated as a bitfield.
.EXAMPLE
$Mod = New-InMemoryModule -ModuleName Win32
$ImageSubsystem = psenum $Mod PE.IMAGE_SUBSYSTEM UInt16 @{
UNKNOWN = 0
NATIVE = 1 # Image doesn't require a subsystem.
WINDOWS_GUI = 2 # Image runs in the Windows GUI subsystem.
WINDOWS_CUI = 3 # Image runs in the Windows character subsystem.
OS2_CUI = 5 # Image runs in the OS/2 character subsystem.
POSIX_CUI = 7 # Image runs in the Posix character subsystem.
NATIVE_WINDOWS = 8 # Image is a native Win9x driver.
WINDOWS_CE_GUI = 9 # Image runs in the Windows CE subsystem.
EFI_APPLICATION = 10
EFI_BOOT_SERVICE_DRIVER = 11
EFI_RUNTIME_DRIVER = 12
EFI_ROM = 13
XBOX = 14
WINDOWS_BOOT_APPLICATION = 16
}
.NOTES
PowerShell purists may disagree with the naming of this function but
again, this was developed in such a way so as to emulate a "C style"
definition as closely as possible. Sorry, I'm not going to name it
New-Enum. :P
#>
[OutputType([Type])]
Param
(
[Parameter(Position = 0, Mandatory = $True)]
[ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})]
$Module,
[Parameter(Position = 1, Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[String]
$FullName,
[Parameter(Position = 2, Mandatory = $True)]
[Type]
$Type,
[Parameter(Position = 3, Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[Hashtable]
$EnumElements,
[Switch]
$Bitfield
)
if ($Module -is [Reflection.Assembly])
{
return ($Module.GetType($FullName))
}
$EnumType = $Type -as [Type]
$EnumBuilder = $Module.DefineEnum($FullName, 'Public', $EnumType)
if ($Bitfield)
{
$FlagsConstructor = [FlagsAttribute].GetConstructor(@())
$FlagsCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($FlagsConstructor, @())
$EnumBuilder.SetCustomAttribute($FlagsCustomAttribute)
}
foreach ($Key in $EnumElements.Keys)
{
# Apply the specified enum type to each element
$null = $EnumBuilder.DefineLiteral($Key, $EnumElements[$Key] -as $EnumType)
}
$EnumBuilder.CreateType()
}
# A helper function used to reduce typing while defining struct
# fields.
function field
{
Param
(
[Parameter(Position = 0, Mandatory = $True)]
[UInt16]
$Position,
[Parameter(Position = 1, Mandatory = $True)]
[Type]
$Type,
[Parameter(Position = 2)]
[UInt16]
$Offset,
[Object[]]
$MarshalAs
)
@{
Position = $Position
Type = $Type -as [Type]
Offset = $Offset
MarshalAs = $MarshalAs
}
}
function struct
{
<#
.SYNOPSIS
Creates an in-memory struct for use in your PowerShell session.
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: field
.DESCRIPTION
The 'struct' function facilitates the creation of structs entirely in
memory using as close to a "C style" as PowerShell will allow. Struct
fields are specified using a hashtable where each field of the struct
is comprosed of the order in which it should be defined, its .NET
type, and optionally, its offset and special marshaling attributes.
One of the features of 'struct' is that after your struct is defined,
it will come with a built-in GetSize method as well as an explicit
converter so that you can easily cast an IntPtr to the struct without
relying upon calling SizeOf and/or PtrToStructure in the Marshal
class.
.PARAMETER Module
The in-memory module that will host the struct. Use
New-InMemoryModule to define an in-memory module.
.PARAMETER FullName
The fully-qualified name of the struct.
.PARAMETER StructFields
A hashtable of fields. Use the 'field' helper function to ease
defining each field.
.PARAMETER PackingSize
Specifies the memory alignment of fields.
.PARAMETER ExplicitLayout
Indicates that an explicit offset for each field will be specified.
.PARAMETER CharSet
Dictates which character set marshaled strings should use.
.EXAMPLE
$Mod = New-InMemoryModule -ModuleName Win32
$ImageDosSignature = psenum $Mod PE.IMAGE_DOS_SIGNATURE UInt16 @{
DOS_SIGNATURE = 0x5A4D
OS2_SIGNATURE = 0x454E
OS2_SIGNATURE_LE = 0x454C
VXD_SIGNATURE = 0x454C
}
$ImageDosHeader = struct $Mod PE.IMAGE_DOS_HEADER @{
e_magic = field 0 $ImageDosSignature
e_cblp = field 1 UInt16
e_cp = field 2 UInt16
e_crlc = field 3 UInt16
e_cparhdr = field 4 UInt16
e_minalloc = field 5 UInt16
e_maxalloc = field 6 UInt16
e_ss = field 7 UInt16
e_sp = field 8 UInt16
e_csum = field 9 UInt16
e_ip = field 10 UInt16
e_cs = field 11 UInt16
e_lfarlc = field 12 UInt16
e_ovno = field 13 UInt16
e_res = field 14 UInt16[] -MarshalAs @('ByValArray', 4)
e_oemid = field 15 UInt16
e_oeminfo = field 16 UInt16
e_res2 = field 17 UInt16[] -MarshalAs @('ByValArray', 10)
e_lfanew = field 18 Int32
}
# Example of using an explicit layout in order to create a union.
$TestUnion = struct $Mod TestUnion @{
field1 = field 0 UInt32 0
field2 = field 1 IntPtr 0
} -ExplicitLayout
.NOTES
PowerShell purists may disagree with the naming of this function but
again, this was developed in such a way so as to emulate a "C style"
definition as closely as possible. Sorry, I'm not going to name it
New-Struct. :P
#>
[OutputType([Type])]
Param
(
[Parameter(Position = 1, Mandatory = $True)]
[ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})]
$Module,
[Parameter(Position = 2, Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[String]
$FullName,
[Parameter(Position = 3, Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[Hashtable]
$StructFields,
[Reflection.Emit.PackingSize]
$PackingSize = [Reflection.Emit.PackingSize]::Unspecified,
[Switch]
$ExplicitLayout,
[System.Runtime.InteropServices.CharSet]
$CharSet = [System.Runtime.InteropServices.CharSet]::Ansi
)
if ($Module -is [Reflection.Assembly])
{
return ($Module.GetType($FullName))
}
[Reflection.TypeAttributes] $StructAttributes = 'Class,
Public,
Sealed,
BeforeFieldInit'
if ($ExplicitLayout)
{
$StructAttributes = $StructAttributes -bor [Reflection.TypeAttributes]::ExplicitLayout
}
else
{
$StructAttributes = $StructAttributes -bor [Reflection.TypeAttributes]::SequentialLayout
}
switch($CharSet)
{
Ansi
{
$StructAttributes = $StructAttributes -bor [Reflection.TypeAttributes]::AnsiClass
}
Auto
{
$StructAttributes = $StructAttributes -bor [Reflection.TypeAttributes]::AutoClass
}
Unicode
{
$StructAttributes = $StructAttributes -bor [Reflection.TypeAttributes]::UnicodeClass
}
}
$StructBuilder = $Module.DefineType($FullName, $StructAttributes, [ValueType], $PackingSize)
$ConstructorInfo = [Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]
$SizeConst = @([Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst'))
$Fields = New-Object Hashtable[]($StructFields.Count)
# Sort each field according to the orders specified
# Unfortunately, PSv2 doesn't have the luxury of the
# hashtable [Ordered] accelerator.
foreach ($Field in $StructFields.Keys)
{
$Index = $StructFields[$Field]['Position']
$Fields[$Index] = @{FieldName = $Field; Properties = $StructFields[$Field]}
}
foreach ($Field in $Fields)
{
$FieldName = $Field['FieldName']
$FieldProp = $Field['Properties']
$Offset = $FieldProp['Offset']
$Type = $FieldProp['Type']
$MarshalAs = $FieldProp['MarshalAs']
$NewField = $StructBuilder.DefineField($FieldName, $Type, 'Public')
if ($MarshalAs)
{
$UnmanagedType = $MarshalAs[0] -as ([Runtime.InteropServices.UnmanagedType])
if ($MarshalAs[1])
{
$Size = $MarshalAs[1]
$AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo,
$UnmanagedType, $SizeConst, @($Size))
}
else
{
$AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, [Object[]] @($UnmanagedType))
}
$NewField.SetCustomAttribute($AttribBuilder)
}
if ($ExplicitLayout) { $NewField.SetOffset($Offset) }
}
# Make the struct aware of its own size.
# No more having to call [Runtime.InteropServices.Marshal]::SizeOf!
$SizeMethod = $StructBuilder.DefineMethod('GetSize',
'Public, Static',
[Int],
[Type[]] @())
$ILGenerator = $SizeMethod.GetILGenerator()
# Thanks for the help, Jason Shirk!
$ILGenerator.Emit([Reflection.Emit.OpCodes]::Ldtoken, $StructBuilder)
$ILGenerator.Emit([Reflection.Emit.OpCodes]::Call,
[Type].GetMethod('GetTypeFromHandle'))
$ILGenerator.Emit([Reflection.Emit.OpCodes]::Call,
[Runtime.InteropServices.Marshal].GetMethod('SizeOf', [Type[]] @([Type])))
$ILGenerator.Emit([Reflection.Emit.OpCodes]::Ret)
# Allow for explicit casting from an IntPtr
# No more having to call [Runtime.InteropServices.Marshal]::PtrToStructure!
$ImplicitConverter = $StructBuilder.DefineMethod('op_Implicit',
'PrivateScope, Public, Static, HideBySig, SpecialName',
$StructBuilder,
[Type[]] @([IntPtr]))
$ILGenerator2 = $ImplicitConverter.GetILGenerator()
$ILGenerator2.Emit([Reflection.Emit.OpCodes]::Nop)
$ILGenerator2.Emit([Reflection.Emit.OpCodes]::Ldarg_0)
$ILGenerator2.Emit([Reflection.Emit.OpCodes]::Ldtoken, $StructBuilder)
$ILGenerator2.Emit([Reflection.Emit.OpCodes]::Call,
[Type].GetMethod('GetTypeFromHandle'))
$ILGenerator2.Emit([Reflection.Emit.OpCodes]::Call,
[Runtime.InteropServices.Marshal].GetMethod('PtrToStructure', [Type[]] @([IntPtr], [Type])))
$ILGenerator2.Emit([Reflection.Emit.OpCodes]::Unbox_Any, $StructBuilder)
$ILGenerator2.Emit([Reflection.Emit.OpCodes]::Ret)
$StructBuilder.CreateType()
}
#endregion PSReflect
$Module = New-InMemoryModule -ModuleName GetToken
#region Enums
$LuidAttributes = psenum $Module LuidAttributes UInt32 @{
DISABLED = 0x00000000
SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001
SE_PRIVILEGE_ENABLED = 0x00000002
SE_PRIVILEGE_REMOVED = 0x00000004
SE_PRIVILEGE_USED_FOR_ACCESS = 2147483648
} -Bitfield
$PROCESS_ACCESS = psenum $Module PROCESS_ACCESS UInt32 @{
PROCESS_TERMINATE = 0x00000001
PROCESS_CREATE_THREAD = 0x00000002
PROCESS_VM_OPERATION = 0x00000008
PROCESS_VM_READ = 0x00000010
PROCESS_VM_WRITE = 0x00000020
PROCESS_DUP_HANDLE = 0x00000040
PROCESS_CREATE_PROCESS = 0x00000080
PROCESS_SET_QUOTA = 0x00000100
PROCESS_SET_INFORMATION = 0x00000200
PROCESS_QUERY_INFORMATION = 0x00000400
PROCESS_SUSPEND_RESUME = 0x00000800
PROCESS_QUERY_LIMITED_INFORMATION = 0x00001000
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
SYNCHRONIZE = 0x00100000
PROCESS_ALL_ACCESS = 0x001f1ffb
} -Bitfield
$SE_GROUP = psenum $Module SE_GROUP UInt32 @{
DISABLED = 0x00000000
MANDATORY = 0x00000001
ENABLED_BY_DEFAULT = 0x00000002
ENABLED = 0x00000004
OWNER = 0x00000008
USE_FOR_DENY_ONLY = 0x00000010
INTEGRITY = 0x00000020
INTEGRITY_ENABLED = 0x00000040
RESOURCE = 0x20000000
LOGON_ID = 3221225472
} -Bitfield
$SE_PRIVILEGE = psenum $Module SE_PRIVILEGE UInt32 @{
DISABLED = 0x00000000
ENABLED_BY_DEFAULT = 0x00000001
ENABLED = 0x00000002
REMOVED = 0x00000004
USED_FOR_ACCESS = 2147483648
} -Bitfield
$SECURITY_IMPERSONATION_LEVEL = psenum $Module SECURITY_IMPERSONATION_LEVEL UInt32 @{
SecurityAnonymous = 0
SecurityIdentification = 1
SecurityImpersonation = 2
SecurityDelegation = 3
}
$SecurityEntity = psenum $Module SecurityEntity UInt32 @{
SeCreateTokenPrivilege = 1
SeAssignPrimaryTokenPrivilege = 2
SeLockMemoryPrivilege = 3
SeIncreaseQuotaPrivilege = 4
SeUnsolicitedInputPrivilege = 5
SeMachineAccountPrivilege = 6
SeTcbPrivilege = 7
SeSecurityPrivilege = 8
SeTakeOwnershipPrivilege = 9
SeLoadDriverPrivilege = 10
SeSystemProfilePrivilege = 11
SeSystemtimePrivilege = 12
SeProfileSingleProcessPrivilege = 13
SeIncreaseBasePriorityPrivilege = 14
SeCreatePagefilePrivilege = 15
SeCreatePermanentPrivilege = 16
SeBackupPrivilege = 17
SeRestorePrivilege = 18
SeShutdownPrivilege = 19
SeDebugPrivilege = 20
SeAuditPrivilege = 21
SeSystemEnvironmentPrivilege = 22
SeChangeNotifyPrivilege = 23
SeRemoteShutdownPrivilege = 24
SeUndockPrivilege = 25
SeSyncAgentPrivilege = 26
SeEnableDelegationPrivilege = 27
SeManageVolumePrivilege = 28
SeImpersonatePrivilege = 29
SeCreateGlobalPrivilege = 30
SeTrustedCredManAccessPrivilege = 31
SeRelabelPrivilege = 32
SeIncreaseWorkingSetPrivilege = 33
SeTimeZonePrivilege = 34
SeCreateSymbolicLinkPrivilege = 35
}
$THREAD_ACCESS = psenum $Module THREAD_ACCESS UInt32 @{
THREAD_TERMINATE = 0x00000001
THREAD_SUSPEND_RESUME = 0x00000002
THREAD_GET_CONTEXT = 0x00000008
THREAD_SET_CONTEXT = 0x00000010
THREAD_SET_INFORMATION = 0x00000020
THREAD_QUERY_INFORMATION = 0x00000040
THREAD_SET_THREAD_TOKEN = 0x00000080
THREAD_IMPERSONATE = 0x00000100
THREAD_DIRECT_IMPERSONATION = 0x00000200
THREAD_SET_LIMITED_INFORMATION = 0x00000400
THREAD_QUERY_LIMITED_INFORMATION = 0x00000800
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
SYNCHRONIZE = 0x00100000
THREAD_ALL_ACCESS = 0x001f0ffb
} -Bitfield
$TOKEN_ACCESS = psenum $Module TOKEN_ACCESS UInt32 @{
TOKEN_DUPLICATE = 0x00000002
TOKEN_IMPERSONATE = 0x00000004
TOKEN_QUERY = 0x00000008
TOKEN_QUERY_SOURCE = 0x00000010
TOKEN_ADJUST_PRIVILEGES = 0x00000020
TOKEN_ADJUST_GROUPS = 0x00000040
TOKEN_ADJUST_DEFAULT = 0x00000080
TOKEN_ADJUST_SESSIONID = 0x00000100
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
SYNCHRONIZE = 0x00100000
STANDARD_RIGHTS_REQUIRED = 0x000F0000
TOKEN_ALL_ACCESS = 0x001f01ff
} -Bitfield
$TOKEN_ELEVATION_TYPE = psenum $Module TOKEN_ELEVATION_TYPE UInt32 @{
TokenElevationTypeDefault = 1
TokenElevationTypeFull = 2
TokenElevationTypeLimited = 3
}
$TOKEN_INFORMATION_CLASS = psenum $Module TOKEN_INFORMATION_CLASS UInt16 @{
TokenUser = 1
TokenGroups = 2
TokenPrivileges = 3
TokenOwner = 4
TokenPrimaryGroup = 5
TokenDefaultDacl = 6
TokenSource = 7
TokenType = 8
TokenImpersonationLevel = 9
TokenStatistics = 10
TokenRestrictedSids = 11
TokenSessionId = 12
TokenGroupsAndPrivileges = 13
TokenSessionReference = 14
TokenSandBoxInert = 15
TokenAuditPolicy = 16
TokenOrigin = 17
TokenElevationType = 18
TokenLinkedToken = 19
TokenElevation = 20
TokenHasRestrictions = 21
TokenAccessInformation = 22
TokenVirtualizationAllowed = 23
TokenVirtualizationEnabled = 24
TokenIntegrityLevel = 25
TokenUIAccess = 26
TokenMandatoryPolicy = 27
TokenLogonSid = 28
TokenIsAppContainer = 29
TokenCapabilities = 30
TokenAppContainerSid = 31
TokenAppContainerNumber = 32
TokenUserClaimAttributes = 33
TokenDeviceClaimAttributes = 34
TokenRestrictedUserClaimAttributes = 35
TokenRestrictedDeviceClaimAttributes = 36
TokenDeviceGroups = 37
TokenRestrictedDeviceGroups = 38
TokenSecurityAttributes = 39
TokenIsRestricted = 40
MaxTokenInfoClass = 41
}
$TOKENMANDATORYPOLICY = psenum $Module TOKENMANDATORYPOLICY UInt32 @{
OFF = 0x0
NO_WRITE_UP = 0x1
POLICY_NEW_PROCESS_MIN = 0x2
POLICY_VALID_MASK = 0x3
}
$TOKEN_TYPE = psenum $Module TOKEN_TYPE UInt32 @{
TokenPrimary = 1
TokenImpersonation = 2
}
#endregion Enums
#region Structs
$ACL = struct $Module ACL @{
AclRevision = field 0 Byte
Sbz1 = field 1 Byte
AclSize = field 2 UInt16
AceCount = field 3 UInt16
Sbz2 = field 4 UInt16
}
$LUID = struct $Module LUID @{
LowPart = field 0 $SecurityEntity
HighPart = field 1 Int32
}
$LUID_AND_ATTRIBUTES = struct $Module LUID_AND_ATTRIBUTES @{
Luid = field 0 $LUID
Attributes = field 1 $SE_PRIVILEGE
}
$SID_AND_ATTRIBUTES = struct $Module SID_AND_ATTRIBUTES @{
Sid = field 0 IntPtr
Attributes = field 1 $SE_GROUP
} -PackingSize Size8
$TOKEN_APPCONTAINER_INFORMATION = struct $Module TOKEN_APPCONSTAINER_INFORMATION @{
TokenAppContainer = field 0 IntPtr
}
$TOKEN_DEFAULT_DACL = struct $Module TOKEN_DEFAULT_DACL @{
DefaultDacl = field 0 $ACL
}
$TOKEN_ELEVATION = struct $Module TOKEN_ELEVATION @{
TokenIsElevated = field 0 UInt32
}
$TOKEN_GROUPS = struct $Module TOKEN_GROUPS @{
GroupCount = field 0 UInt32
Groups = field 1 $SID_AND_ATTRIBUTES.MakeArrayType() -MarshalAs ('ByValArray', 50)
}
$TOKEN_GROUPS_AND_PRIVILEGES = struct $Module TOKEN_GROUPS_AND_PRIVILEGES @{
SidCount = field 0 UInt32
SidLength = field 1 UInt32
Sids = field 2 IntPtr
RestrictedSidCount = field 3 UInt32
RestrictedSidLength = field 4 UInt32
RestrictedSids = field 5 IntPtr
PrivilegeCount = field 6 UInt32
PrivilegeLength = field 7 UInt32
Privileges = field 8 IntPtr
AuthenticationId = field 9 $LUID
}
$TOKEN_LINKED_TOKEN = struct $Module TOKEN_LINKED_TOKEN @{
LinkedToken = field 0 IntPtr
}
$TOKEN_MANDATORY_LABEL = struct $Module TOKEN_MANDATORY_LABEL @{
Label = field 0 $SID_AND_ATTRIBUTES
}
$TOKEN_MANDATORY_POLICY = struct $Module TOKEN_MANDATORY_POLICY @{
Policy = field 0 $TOKENMANDATORYPOLICY
}
$TOKEN_OWNER = struct $Module TOKEN_OWNER @{
Owner = field 0 IntPtr
}
$TOKEN_PRIVILEGES = struct $Module TOKEN_PRIVILEGES @{
PrivilegeCount = field 0 UInt32
Privileges = field 1 $LUID_AND_ATTRIBUTES.MakeArrayType() -MarshalAs @('ByValArray', 50)
}
$TOKEN_SOURCE = struct $Module TOKEN_SOURCE @{
SourceName = field 0 string
SourceIdentifier = field 1 $LUID
}
$TOKEN_STATISTICS = struct $Module TOKEN_STATISTICS @{
TokenId = field 0 $LUID
AuthenticationId = field 1 $LUID
ExpirationTime = field 2 UInt64
TokenType = field 3 $TOKEN_TYPE
ImpersonationLevel = field 4 $SECURITY_IMPERSONATION_LEVEL
DynamicCharged = field 5 UInt32
DynamicAvailable = field 6 UInt32
GroupCount = field 7 UInt32
PrivilegeCount = field 8 UInt32
ModifiedId = field 9 $LUID
}
$TOKEN_USER = struct $Module TOKEN_USER @{
User = field 0 $SID_AND_ATTRIBUTES
}
#endregion Structs
#region FunctionDefinitions
$FunctionDefinitions = @(
(func kernel32 CloseHandle ([bool]) @(
[IntPtr] #_In_ HANDLE hObject
) -EntryPoint CloseHandle -SetLastError),
(func advapi32 ConvertSidToStringSid ([bool]) @(
[IntPtr] #_In_ PSID Sid,
[IntPtr].MakeByRefType() #_Out_ LPTSTR *StringSid
) -EntryPoint ConvertSidToStringSid -SetLastError),
(func advapi32 GetTokenInformation ([bool]) @(
[IntPtr], #_In_ HANDLE TokenHandle
[Int32], #_In_ TOKEN_INFORMATION_CLASS TokenInformationClass
[IntPtr], #_Out_opt_ LPVOID TokenInformation
[UInt32], #_In_ DWORD TokenInformationLength
[UInt32].MakeByRefType() #_Out_ PDWORD ReturnLength
) -EntryPoint GetTokenInformation -SetLastError),
(func kernel32 OpenProcess ([IntPtr]) @(
[UInt32], #_In_ DWORD dwDesiredAccess
[bool], #_In_ BOOL bInheritHandle
[UInt32] #_In_ DWORD dwProcessId
) -EntryPoint OpenProcess -SetLastError),
(func advapi32 OpenProcessToken ([bool]) @(
[IntPtr], #_In_ HANDLE ProcessHandle
[UInt32], #_In_ DWORD DesiredAccess
[IntPtr].MakeByRefType() #_Out_ PHANDLE TokenHandle
) -EntryPoint OpenProcessToken -SetLastError),
(func kernel32 OpenThread ([IntPtr]) @(
[UInt32], #_In_ DWORD dwDesiredAccess
[bool], #_In_ BOOL bInheritHandle
[UInt32] #_In_ DWORD dwThreadId
) -EntryPoint OpenThread -SetLastError),
(func advapi32 OpenThreadToken ([bool]) @(
[IntPtr], #_In_ HANDLE ThreadHandle
[UInt32], #_In_ DWORD DesiredAccess
[bool], #_In_ BOOL OpenAsSelf
[IntPtr].MakeByRefType() #_Out_ PHANDLE TokenHandle
) -EntryPoint OpenThreadToken -SetLastError)
)
#endregion FunctionDefinitions
#region Windows API Functions
function CloseHandle
{
<#
.SYNOPSIS
Closes an open object handle.
.DESCRIPTION
The CloseHandle function closes handles to the following objects:
- Access token
- Communications device
- Console input
- Console screen buffer
- Event
- File
- File mapping
- I/O completion port
- Job
- Mailslot
- Memory resource notification
- Mutex
- Named pipe
- Pipe
- Process
- Semaphore
- Thread
- Transaction
- Waitable timer
The documentation for the functions that create these objects indicates that CloseHandle should be used when you are finished with the object, and what happens to pending operations on the object after the handle is closed. In general, CloseHandle invalidates the specified object handle, decrements the object's handle count, and performs object retention checks. After the last handle to an object is closed, the object is removed from the system.
.PARAMETER Handle
A valid handle to an open object.
.NOTES
Author: Jared Atkinson (@jaredcatkinson)
License: BSD 3-Clause
Required Dependencies: PSReflect
Optional Dependencies: None
(func kernel32 CloseHandle ([bool]) @(
[IntPtr] #_In_ HANDLE hObject
) -EntryPoint CloseHandle -SetLastError)
.LINK
https://msdn.microsoft.com/en-us/library/windows/desktop/ms724211(v=vs.85).aspx
.EXAMPLE
#>
param
(
[Parameter(Mandatory = $true)]
[IntPtr]
$Handle
)
$SUCCESS = $Kernel32::CloseHandle($Handle); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
if(-not $SUCCESS)
{
Write-Debug "CloseHandle Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
}
}
function ConvertSidToStringSid
{
<#
.SYNOPSIS
The ConvertSidToStringSid function converts a security identifier (SID) to a string format suitable for display, storage, or transmission.
.DESCRIPTION
The ConvertSidToStringSid function uses the standard S-R-I-S-S… format for SID strings.
.PARAMETER SidPointer
A pointer to the SID structure to be converted.
.NOTES
Author: Jared Atkinson (@jaredcatkinson)
License: BSD 3-Clause
Required Dependencies: PSReflect
Optional Dependencies: None
(func advapi32 ConvertSidToStringSid ([bool]) @(
[IntPtr] #_In_ PSID Sid,
[IntPtr].MakeByRefType() #_Out_ LPTSTR *StringSid
) -EntryPoint ConvertSidToStringSid -SetLastError)
.LINK
https://msdn.microsoft.com/en-us/library/windows/desktop/aa376399(v=vs.85).aspx
.EXAMPLE
#>
[OutputType([string])]
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[IntPtr]
$SidPointer
)
$StringPtr = [IntPtr]::Zero
$Success = $Advapi32::ConvertSidToStringSid($SidPointer, [ref]$StringPtr); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
if(-not $Success)
{
Write-Verbose "ConvertSidToStringSid Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
}
Write-Output ([System.Runtime.InteropServices.Marshal]::PtrToStringAuto($StringPtr))
}
function GetTokenInformation
{
<#
.SYNOPSIS
The GetTokenInformation function retrieves a specified type of information about an access token. The calling process must have appropriate access rights to obtain the information.
To determine if a user is a member of a specific group, use the CheckTokenMembership function. To determine group membership for app container tokens, use the CheckTokenMembershipEx function.
.PARAMETER TokenHandle
A handle to an access token from which information is retrieved. If TokenInformationClass specifies TokenSource, the handle must have TOKEN_QUERY_SOURCE access. For all other TokenInformationClass values, the handle must have TOKEN_QUERY access.
.PARAMETER TokenInformationClass
Specifies a value from the TOKEN_INFORMATION_CLASS enumerated type to identify the type of information the function retrieves. Any callers who check the TokenIsAppContainer and have it return 0 should also verify that the caller token is not an identify level impersonation token. If the current token is not an app container but is an identity level token, you should return AccessDenied.
.NOTES
Author: Jared Atkinson (@jaredcatkinson)
License: BSD 3-Clause
Required Module Dependencies: PSReflect
Required Function Dependencies: ConvertSidToStringSid
Required Structure Dependencies: TOKEN_USER, SID_AND_ATTRIBUTES, TOKEN_PRIVILEGES, TOKEN_OWNER, TOKEN_SOURCE, LUID, TOKEN_MANDATORY_LABEL
Required Enumeration Dependencies: LuidAttributes, TOKEN_TYPE, SECURITY_IMPERSONATION_LEVEL
Optional Dependencies: TokenInformationClass (Enum)
(func advapi32 GetTokenInformation ([bool]) @(
[IntPtr], #_In_ HANDLE TokenHandle
[Int32], #_In_ TOKEN_INFORMATION_CLASS TokenInformationClass
[IntPtr], #_Out_opt_ LPVOID TokenInformation
[UInt32], #_In_ DWORD TokenInformationLength
[UInt32].MakeByRefType() #_Out_ PDWORD ReturnLength
) -EntryPoint GetTokenInformation -SetLastError)
.LINK
https://msdn.microsoft.com/en-us/library/windows/desktop/aa446671(v=vs.85).aspx
.EXAMPLE
#>
param
(
[Parameter(Mandatory = $true)]
[IntPtr]
$TokenHandle,
[Parameter(Mandatory = $true)]
[ValidateSet('TokenUser','TokenGroups','TokenPrivileges','TokenOwner','TokenPrimaryGroup','TokenDefaultDacl','TokenSource','TokenType','TokenImpersonationLevel','TokenStatistics','TokenRestrictedSids','TokenSessionId','TokenGroupsAndPrivileges','TokenSandBoxInert','TokenOrigin','TokenElevationType','TokenLinkedToken','TokenElevation','TokenHasRestrictions','TokenAccessInformation','TokenVirtualizationAllowed','TokenVirtualizationEnabled','TokenIntegrityLevel','TokenUIAccess','TokenMandatoryPolicy','TokenLogonSid','TokenIsAppContainer','TokenCapabilities','TokenAppContainerSid','TokenAppContainerNumber','TokenUserClaimAttributes','TokenDeviceClaimAttributes','TokenDeviceGroups','TokenRestrictedDeviceGroups')]
[string]
$TokenInformationClass
)
# initial query to determine the necessary buffer size
$TokenPtrSize = 0
$SUCCESS = $Advapi32::GetTokenInformation($TokenHandle, $TOKEN_INFORMATION_CLASS::$TokenInformationClass, [IntPtr]::Zero, $TokenPtrSize, [ref]$TokenPtrSize); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
[IntPtr]$TokenPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenPtrSize)
# retrieve the proper buffer value
$SUCCESS = $Advapi32::GetTokenInformation($TokenHandle, $TOKEN_INFORMATION_CLASS::$TokenInformationClass, $TokenPtr, $TokenPtrSize, [ref]$TokenPtrSize); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
if(-not $SUCCESS)
{
[System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPtr)
throw "GetTokenInformation Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
}
switch($TokenInformationClass)
{
TokenUser
{
<#
The buffer receives a TOKEN_USER structure that contains the user account of the token.
ConvertSidToStringSid (Function)
TOKEN_USER (Structure)
SID_AND_ATTRIBUTES (Structure)
#>
$TokenUser = $TokenPtr -as $TOKEN_USER
$UserSid = ConvertSidToStringSid -SidPointer $TokenUser.User.Sid
$Sid = New-Object System.Security.Principal.SecurityIdentifier($UserSid)
$UserName = $Sid.Translate([System.Security.Principal.NTAccount])
$obj = New-Object -TypeName psobject
$obj | Add-Member -MemberType NoteProperty -Name Sid -Value $UserSid
$obj | Add-Member -MemberType NoteProperty -Name Name -Value $UserName
Write-Output $obj
}
TokenGroups
{
<#
The buffer receives a TOKEN_GROUPS structure that contains the group accounts associated with the token.
TOKEN_GROUPS (Structure)
SID_AND_ATTRIBUTES (Structure)
#>
$TokenGroups = ($TokenPtr -as $TOKEN_GROUPS)
for($i = 0; $i -lt $TokenGroups.GroupCount; $i++)
{
$obj = New-Object -TypeName psobject
$obj | Add-Member -MemberType NoteProperty -Name Sid -Value (ConvertSidToStringSid -SidPointer $TokenGroups.Groups[$i].Sid)
$obj | Add-Member -MemberType NoteProperty -Name Attributes -Value $TokenGroups.Groups[$i].Attributes
Write-Output $obj
}
}
TokenPrivileges
{
<#
The buffer receives a TOKEN_PRIVILEGES structure that contains the privileges of the token.
TOKEN_PRIVILEGES (Structure)
LUID_AND_ATTRIBUTES (Structure)
LuidAttributes (Enumeration)
#>
$TokenPrivileges = $TokenPtr -as $TOKEN_PRIVILEGES
for($i = 0; $i -lt $TokenPrivileges.PrivilegeCount; $i++)
{
$obj = New-Object -TypeName psobject
$obj | Add-Member -MemberType NoteProperty -Name Privilege -Value $TokenPrivileges.Privileges[$i].Luid.LowPart
$obj | Add-Member -MemberType NoteProperty -Name Attributes -Value $TokenPrivileges.Privileges[$i].Attributes
Write-Output $obj
}
}
TokenOwner
{
<#
The buffer receives a TOKEN_OWNER structure that contains the default owner security identifier (SID) for newly created objects.
ConvertSidToStringSid (Function)
TOKEN_OWNER (Structure)
#>
$TokenOwner = $TokenPtr -as $TOKEN_OWNER
if($TokenOwner.Owner -ne $null)
{
$OwnerSid = ConvertSidToStringSid -SidPointer $TokenOwner.Owner
$Sid = New-Object System.Security.Principal.SecurityIdentifier($OwnerSid)
$OwnerName = $Sid.Translate([System.Security.Principal.NTAccount])
$obj = New-Object -TypeName psobject
$obj | Add-Member -MemberType NoteProperty -Name Sid -Value $OwnerSid
$obj | Add-Member -MemberType NoteProperty -Name Name -Value $OwnerName
Write-Output $obj
}
else
{
Write-Output $null
}
}
TokenPrimaryGroup
{
<#
The buffer receives a TOKEN_PRIMARY_GROUP structure that contains the default primary group SID for newly created objects.
TOKEN_PRIMARY_GROUP (Structure)
#>
throw [System.NotImplementedException]"The $($TokenInformationClass) class is not implemented yet."
}
TokenDefaultDacl
{
<#
The buffer receives a TOKEN_DEFAULT_DACL structure that contains the default DACL for newly created objects.
TOKEN_DEFAULT_DACL (Structure)
ACL (Structure)
#>
$Dacl = $TokenPtr -as $TOKEN_DEFAULT_DACL
Write-Output $Dacl.DefaultDacl
}
TokenSource
{
<#
The buffer receives a TOKEN_SOURCE structure that contains the source of the token. TOKEN_QUERY_SOURCE access is needed to retrieve this information.
TOKEN_SOURCE (Structure)
LUID (Structure)
#>
Write-Output $TokenPtr
#$TokenSource = $TokenPtr -as $TOKEN_SOURCE
#Write-Output ($TokenSource.SourceName -join "")
}
TokenType
{
<#
The buffer receives a TOKEN_TYPE value that indicates whether the token is a primary or impersonation token.
TOKEN_TYPE (Enumeration)
#>
if($TokenPtr -ne $null)
{
Write-Output ([System.Runtime.InteropServices.Marshal]::ReadInt32($TokenPtr) -as $TOKEN_TYPE)
}
}
TokenImpersonationLevel
{
<#
The buffer receives a SECURITY_IMPERSONATION_LEVEL value that indicates the impersonation level of the token. If the access token is not an impersonation token, the function fails.
SECURITY_IMPERSONATION_LEVEL (Enumeration)
#>
Write-Output ([System.Runtime.InteropServices.Marshal]::ReadInt32($TokenPtr) -as $SECURITY_IMPERSONATION_LEVEL)
}
TokenStatistics
{
<#
The buffer receives a TOKEN_STATISTICS structure that contains various token statistics.
TOKEN_STATISTICS (Structure)
LUID (Structure)
TOKEN_TYPE (Enumeration)
SECURITY_IMPERSONATION_LEVEL (Enumeration)
#>
$TokenStats = $TokenPtr -as $TOKEN_STATISTICS
$obj = New-Object -TypeName psobject
$obj | Add-Member -MemberType NoteProperty -Name TokenId -Value $TokenStats.TokenId.LowPart
$obj | Add-Member -MemberType NoteProperty -Name AuthenticationId -Value $TokenStats.AuthenticationId.LowPart
$obj | Add-Member -MemberType NoteProperty -Name TokenType -Value $TokenStats.TokenType
$obj | Add-Member -MemberType NoteProperty -Name ImpersonationLevel -Value $TokenStats.ImpersonationLevel
$obj | Add-Member -MemberType NoteProperty -Name DynamicCharged -Value $TokenStats.DynamicCharged
$obj | Add-Member -MemberType NoteProperty -Name DynamicAvailable -Value $TokenStats.DynamicAvailable
$obj | Add-Member -MemberType NoteProperty -Name GroupCount -Value $TokenStats.GroupCount
$obj | Add-Member -MemberType NoteProperty -Name PrivilegeCount -Value $TokenStats.PrivilegeCount
$obj | Add-Member -MemberType NoteProperty -Name ModifiedId -Value $TokenStats.ModifiedId.LowPart
Write-Output $obj
}
TokenRestrictedSids
{
<#
The buffer receives a TOKEN_GROUPS structure that contains the list of restricting SIDs in a restricted token.
TOKEN_GROUPS (Structure)
SID_AND_ATTRIBUTES (Structure)
#>
$TokenGroups = ($TokenPtr -as $TOKEN_GROUPS)
for($i = 0; $i -lt $TokenGroups.GroupCount; $i++)
{
$obj = New-Object -TypeName psobject
$obj | Add-Member -MemberType NoteProperty -Name Sid -Value (ConvertSidToStringSid -SidPointer $TokenGroups.Groups[$i].Sid)
$obj | Add-Member -MemberType NoteProperty -Name Attributes -Value $TokenGroups.Groups[$i].Attributes
Write-Output $obj
}
}
TokenSessionId
{
# The buffer receives a DWORD value that indicates the Terminal Services session identifier that is associated with the token.
# If the token is associated with the terminal server client session, the session identifier is nonzero.
# Windows Server 2003 and Windows XP: If the token is associated with the terminal server console session, the session identifier is zero.
# In a non-Terminal Services environment, the session identifier is zero.
# If TokenSessionId is set with SetTokenInformation, the application must have the Act As Part Of the Operating System privilege, and the application must be enabled to set the session ID in a token.
Write-Output ([System.Runtime.InteropServices.Marshal]::ReadInt32($TokenPtr))
}
TokenGroupsAndPrivileges
{
<#
The buffer receives a TOKEN_GROUPS_AND_PRIVILEGES structure that contains the user SID, the group accounts, the restricted SIDs, and the authentication ID associated with the token.
TOKEN_GROUPS_AND_PRIVILEGES (Structure)
SID_AND_ATTRIBUTES (Structure)
LUID (Structure)
#>
$GroupsAndPrivs = ($TokenPtr -as $TOKEN_GROUPS_AND_PRIVILEGES)
$SidList = New-Object -TypeName 'System.Collections.Generic.List[System.Object]'
for($i = 0; $i -lt $GroupsAndPrivs.SidCount; $i++)
{
$currentPtr = [IntPtr]($GroupsAndPrivs.Sids.ToInt64() + ($SID_AND_ATTRIBUTES::GetSize() * $i))
$SidAndAttr = $currentPtr -as $SID_AND_ATTRIBUTES
$obj = New-Object -TypeName psobject
$obj | Add-Member -MemberType NoteProperty -Name Sid -Value (ConvertSidToStringSid -SidPointer $SidAndAttr.Sid)
$obj | Add-Member -MemberType NoteProperty -Name Attributes -Value $SidAndAttr.Attributes
$SidList.Add($obj)
}
$PrivList = New-Object -TypeName 'System.Collections.Generic.List[System.Object]'
for($i = 0; $i -lt $GroupsAndPrivs.PrivilegeCount; $i++)
{
$currentPtr = [IntPtr]($GroupsAndPrivs.Privileges.ToInt64() + ($LUID_AND_ATTRIBUTES::GetSize() * $i))
$LuidAndAttr = ($currentPtr -as $LUID_AND_ATTRIBUTES)
$obj = New-Object -TypeName psobject
$obj | Add-Member -MemberType NoteProperty -Name Privilege -Value $LuidAndAttr.Luid.LowPart
$obj | Add-Member -MemberType NoteProperty -Name Attributes -Value $LuidAndAttr.Attributes
$PrivList.Add($obj)
}
$obj = New-Object -TypeName psobject
$obj | Add-Member -MemberType NoteProperty -Name Sids -Value $SidList.ToArray()
$obj | Add-Member -MemberType NoteProperty -Name Privilegs -Value $PrivList.ToArray()
Write-Output $obj
}
TokenSandBoxInert
{
# The buffer receives a DWORD value that is nonzero if the token includes the SANDBOX_INERT flag.
Write-Output (0 -ne ([System.Runtime.InteropServices.Marshal]::ReadInt32($TokenPtr)))
}
TokenOrigin
{
<#
The buffer receives a TOKEN_ORIGIN value.
If the token resulted from a logon that used explicit credentials, such as passing a name, domain, and password to the LogonUser function, then the TOKEN_ORIGIN structure will contain the ID of the logon session that created it.
If the token resulted from network authentication, such as a call to AcceptSecurityContext or a call to LogonUser with dwLogonType set to LOGON32_LOGON_NETWORK or LOGON32_LOGON_NETWORK_CLEARTEXT, then this value will be zero.
TOKEN_ORIGIN (Structure)
LUID (Structure)
#>
$TokenOrigin = $TokenPtr -as $LUID
Write-Output $TokenOrigin.LowPart
}
TokenElevationType
{
<#
The buffer receives a TOKEN_ELEVATION_TYPE value that specifies the elevation level of the token.
TOKEN_ELEVATION_TYPE (Enumeration)
#>
Write-Output ([System.Runtime.InteropServices.Marshal]::ReadInt32($TokenPtr) -as $TOKEN_ELEVATION_TYPE)
}
TokenLinkedToken
{
<#
The buffer receives a TOKEN_LINKED_TOKEN structure that contains a handle to another token that is linked to this token.
TOKEN_LINKED_TOKEN (Structure)
#>
Write-Output ($TokenPtr -as $TOKEN_LINKED_TOKEN).LinkedToken
}
TokenElevation
{
<#
The buffer receives a TOKEN_ELEVATION structure that specifies whether the token is elevated.
TOKEN_ELEVATION (Structure)
#>
Write-Output (($TokenPtr -as $TOKEN_ELEVATION).TokenIsElevated -ne 0)
}
TokenHasRestrictions
{
# The buffer receives a DWORD value that is nonzero if the token has ever been filtered.
Write-Output (0 -ne ([System.Runtime.InteropServices.Marshal]::ReadInt32($TokenPtr)))
}
TokenAccessInformation
{
<#
The buffer receives a TOKEN_ACCESS_INFORMATION structure that specifies security information contained in the token.
TOKEN_ACCESS_INFORMATION (Structure)
SID_AND_ATTRIBUTES_HASH (Structure)
SID_HASH_ENTRY (Structure)
TOKEN_PRIVILEGES (Structure)
LUID_AND_ATTRIBUTES (Structure)
LUID (Structure)
TOKEN_TYPE (Enumeration)
SECURITY_IMPERSONATION_LEVEL (Enumeration)
TOKEN_MANDATORY_POLICY (Structure)
#>
<#
$TokenAccessInfo = ($TokenPtr -as $TOKEN_ACCESS_INFORMATION)
$obj = New-Object -TypeName psobject
$obj | Add-Member -MemberType NoteProperty -Name SidHash -Value ($TokenAccessInfo.SidHash -as $SID_AND_ATTRIBUTES_HASH)
$obj | Add-Member -MemberType NoteProperty -Name RestrictedSidHash -Value ($TokenAccessInfo.RestrictedSidHash -as $SID_AND_ATTRIBUTES_HASH)
$obj | Add-Member -MemberType NoteProperty -Name Privileges -Value ($TokenAccessInfo.Privileges -as $TOKEN_PRIVILEGES)
$obj | Add-Member -MemberType NoteProperty -Name AuthenticationId -Value $TokenAccessInfo.AuthenticationId.LowPart
$obj | Add-Member -MemberType NoteProperty -Name TokenType -Value $TokenAccessInfo.TokenType
$obj | Add-Member -MemberType NoteProperty -Name ImpersonationLevel -Value $TokenAccessInfo.ImpersonationLevel
$obj | Add-Member -MemberType NoteProperty -Name AppContainerNumber -Value $TokenAccessInfo.AppContainerNumber
$obj | Add-Member -MemberType NoteProperty -Name PackageSid -Value (ConvertSidToStringSid -SidPointer $TokenAccessInfo.PackageSid)
$obj | Add-Member -MemberType NoteProperty -Name CapabilitiesHash -Value ($TokenAccessInfo.CapabilitiesHash -as $SID_AND_ATTRIBUTES_HASH)
$obj | Add-Member -MemberType NoteProperty -Name TrustLevelSid -Value (ConvertSidToStringSid -SidPointer $TokenAccessInfo.TrustLevelSid)
Write-Output $obj
#>
throw [System.NotImplementedException]"The $($TokenInformationClass) class is not implemented yet."
}
TokenVirtualizationAllowed
{
# The buffer receives a DWORD value that is nonzero if virtualization is allowed for the token.
Write-Output (0 -ne ([System.Runtime.InteropServices.Marshal]::ReadInt32($TokenPtr)))
}
TokenVirtualizationEnabled
{
# The buffer receives a DWORD value that is nonzero if virtualization is enabled for the token.
Write-Output (0 -ne ([System.Runtime.InteropServices.Marshal]::ReadInt32($TokenPtr)))
}
TokenIntegrityLevel
{
<#
The buffer receives a TOKEN_MANDATORY_LABEL structure that specifies the token's integrity level.
TOKEN_MANDATORY_LABEL
ConvertSidToStringSid
#>
$TokenIntegrity = $TokenPtr -as $TOKEN_MANDATORY_LABEL
switch(ConvertSidToStringSid -SidPointer $TokenIntegrity.Label.Sid)
{
S-1-16-0
{
Write-Output "UNTRUSTED_MANDATORY_LEVEL"
}
S-1-16-4096
{
Write-Output "LOW_MANDATORY_LEVEL"
}
S-1-16-8192
{
Write-Output "MEDIUM_MANDATORY_LEVEL"
}
S-1-16-8448
{
Write-Output "MEDIUM_PLUS_MANDATORY_LEVEL"
}
S-1-16-12288
{
Write-Output "HIGH_MANDATORY_LEVEL"
}
S-1-16-16384
{
Write-Output "SYSTEM_MANDATORY_LEVEL"
}
S-1-16-20480
{
Write-Output "PROTECTED_PROCESS_MANDATORY_LEVEL"
}
S-1-16-28672
{
Write-Output "SECURE_PROCESS_MANDATORY_LEVEL"
}
}
}
TokenUIAccess
{
# The buffer receives a DWORD value that is nonzero if the token has the UIAccess flag set.
Write-Output (0 -ne ([System.Runtime.InteropServices.Marshal]::ReadInt32($TokenPtr)))
}
TokenMandatoryPolicy
{
<#
The buffer receives a TOKEN_MANDATORY_POLICY structure that specifies the token's mandatory integrity policy.
TOKEN_MANDATORY_POLICY
TOKENMANDATORYPOLICY
#>
$MandatoryPolicy = $TokenPtr -as $TOKEN_MANDATORY_POLICY
Write-Output $MandatoryPolicy.Policy
}
TokenLogonSid
{
<#
The buffer receives a TOKEN_GROUPS structure that specifies the token's logon SID.
TOKEN_GROUPS (Structure)
SID_AND_ATTRIBUTES (Structure)
#>
$TokenGroups = ($TokenPtr -as $TOKEN_GROUPS)
for($i = 0; $i -lt $TokenGroups.GroupCount; $i++)
{
$obj = New-Object -TypeName psobject
$obj | Add-Member -MemberType NoteProperty -Name Sid -Value (ConvertSidToStringSid -SidPointer $TokenGroups.Groups[$i].Sid)
$obj | Add-Member -MemberType NoteProperty -Name Attributes -Value $TokenGroups.Groups[$i].Attributes
Write-Output $obj
}
}
TokenIsAppContainer
{
# The buffer receives a DWORD value that is nonzero if the token is an app container token. Any callers who check the TokenIsAppContainer and have it return 0 should also verify that the caller token is not an identify level impersonation token. If the current token is not an app container but is an identity level token, you should return AccessDenied.
Write-Output (0 -ne ([System.Runtime.InteropServices.Marshal]::ReadInt32($TokenPtr)))
}
TokenCapabilities
{
<#
The buffer receives a TOKEN_GROUPS structure that contains the capabilities associated with the token.
TOKEN_GROUPS (Structure)
SID_AND_ATTRIBUTES (Structure)
#>
$TokenGroups = ($TokenPtr -as $TOKEN_GROUPS)
for($i = 0; $i -lt $TokenGroups.GroupCount; $i++)
{
$obj = New-Object -TypeName psobject
$obj | Add-Member -MemberType NoteProperty -Name Sid -Value (ConvertSidToStringSid -SidPointer $TokenGroups.Groups[$i].Sid)
$obj | Add-Member -MemberType NoteProperty -Name Attributes -Value $TokenGroups.Groups[$i].Attributes
Write-Output $obj
}
}
TokenAppContainerSid
{
<#
The buffer receives a TOKEN_APPCONTAINER_INFORMATION structure that contains the AppContainerSid associated with the token. If the token is not associated with an app container, the TokenAppContainer member of the TOKEN_APPCONTAINER_INFORMATION structure points to NULL.
TOKEN_APPCONTAINER_INFORMATION (Structure)
#>
Write-Output ($TokenPtr -as $TOKEN_APPCONTAINER_INFORMATION)
}
TokenAppContainerNumber
{
# The buffer receives a DWORD value that includes the app container number for the token. For tokens that are not app container tokens, this value is zero.
Write-Output ([System.Runtime.InteropServices.Marshal]::ReadInt32($TokenPtr))
}
TokenUserClaimAttributes
{
<#
The buffer receives a CLAIM_SECURITY_ATTRIBUTES_INFORMATION structure that contains the user claims associated with the token.
CLAIM_SECURITY_ATTRIBUTES_INFORMATION (Structure)
CLAIM_SECURITY_ATTRIBUTE_V1 (Structure)
CLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE (Structure)
CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE (Structure)
#>
<#
$AttributeInformation = $TokenPtr -as $CLAIM_SECURITY_ATTRIBUTES_INFORMATION
if($AttributeInformation.AttributeCount -ne 0)
{
}
#>
throw [System.NotImplementedException]"The $($TokenInformationClass) class is not implemented yet."
}
TokenDeviceClaimAttributes
{
<#
The buffer receives a CLAIM_SECURITY_ATTRIBUTES_INFORMATION structure that contains the device claims associated with the token.
CLAIM_SECURITY_ATTRIBUTES_INFORMATION (Structure)
CLAIM_SECURITY_ATTRIBUTE_V1 (Structure)
CLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE (Structure)
CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE (Structure)
#>
<#
$AttributeInformation = $TokenPtr -as $CLAIM_SECURITY_ATTRIBUTES_INFORMATION
if($AttributeInformation.AttributeCount -ne 0)
{
}
#>
throw [System.NotImplementedException]"The $($TokenInformationClass) class is not implemented yet."
}
TokenDeviceGroups
{
<#
The buffer receives a TOKEN_GROUPS structure that contains the device groups that are associated with the token.
TOKEN_GROUPS (Structure)
SID_AND_ATTRIBUTES (Structure)
#>
#Write-Output ($TokenPtr -as $TOKEN_GROUPS)
$TokenGroups = ($TokenPtr -as $TOKEN_GROUPS)
for($i = 0; $i -lt $TokenGroups.GroupCount; $i++)
{
$obj = New-Object -TypeName psobject
$obj | Add-Member -MemberType NoteProperty -Name Sid -Value (ConvertSidToStringSid -SidPointer $TokenGroups.Groups[$i].Sid)
$obj | Add-Member -MemberType NoteProperty -Name Attributes -Value $TokenGroups.Groups[$i].Attributes
Write-Output $obj
}
}
TokenRestrictedDeviceGroups
{
<#
The buffer receives a TOKEN_GROUPS structure that contains the restricted device groups that are associated with the token.
TOKEN_GROUPS (Structure)
SID_AND_ATTRIBUTES (Structure)
#>
$TokenGroups = ($TokenPtr -as $TOKEN_GROUPS)
for($i = 0; $i -lt $TokenGroups.GroupCount; $i++)
{
$obj = New-Object -TypeName psobject
$obj | Add-Member -MemberType NoteProperty -Name Sid -Value (ConvertSidToStringSid -SidPointer $TokenGroups.Groups[$i].Sid)
$obj | Add-Member -MemberType NoteProperty -Name Attributes -Value $TokenGroups.Groups[$i].Attributes
Write-Output $obj
}
}
}
[System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPtr)
}
function OpenProcess
{
<#
.SYNOPSIS
Opens an existing local process object.
.DESCRIPTION
To open a handle to another local process and obtain full access rights, you must enable the SeDebugPrivilege privilege.
The handle returned by the OpenProcess function can be used in any function that requires a handle to a process, such as the wait functions, provided the appropriate access rights were requested.
When you are finished with the handle, be sure to close it using the CloseHandle function.
.PARAMETER ProcessId
The identifier of the local process to be opened.
If the specified process is the System Process (0x00000000), the function fails and the last error code is ERROR_INVALID_PARAMETER. If the specified process is the Idle process or one of the CSRSS processes, this function fails and the last error code is ERROR_ACCESS_DENIED because their access restrictions prevent user-level code from opening them.
.PARAMETER DesiredAccess
The access to the process object. This access right is checked against the security descriptor for the process. This parameter can be one or more of the process access rights.
If the caller has enabled the SeDebugPrivilege privilege, the requested access is granted regardless of the contents of the security descriptor.
.PARAMETER InheritHandle
If this value is TRUE, processes created by this process will inherit the handle. Otherwise, the processes do not inherit this handle.
.NOTES
Author: Jared Atkinson (@jaredcatkinson)
License: BSD 3-Clause
Required Dependencies: PSReflect, PROCESS_ACCESS (Enumeration)
Optional Dependencies: None
(func kernel32 OpenProcess ([IntPtr]) @(
[UInt32], #_In_ DWORD dwDesiredAccess
[bool], #_In_ BOOL bInheritHandle
[UInt32] #_In_ DWORD dwProcessId
) -EntryPoint OpenProcess -SetLastError)
.LINK
https://msdn.microsoft.com/en-us/library/windows/desktop/ms684320(v=vs.85).aspx
.LINK
https://msdn.microsoft.com/en-us/library/windows/desktop/ms684880(v=vs.85).aspx
.EXAMPLE
#>
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[UInt32]
$ProcessId,
[Parameter(Mandatory = $true)]
[ValidateSet('PROCESS_TERMINATE','PROCESS_CREATE_THREAD','PROCESS_VM_OPERATION','PROCESS_VM_READ','PROCESS_VM_WRITE','PROCESS_DUP_HANDLE','PROCESS_CREATE_PROCESS','PROCESS_SET_QUOTA','PROCESS_SET_INFORMATION','PROCESS_QUERY_INFORMATION','PROCESS_SUSPEND_RESUME','PROCESS_QUERY_LIMITED_INFORMATION','DELETE','READ_CONTROL','WRITE_DAC','WRITE_OWNER','SYNCHRONIZE','PROCESS_ALL_ACCESS')]
[string[]]
$DesiredAccess,
[Parameter()]
[bool]
$InheritHandle = $false
)
# Calculate Desired Access Value
$dwDesiredAccess = 0
foreach($val in $DesiredAccess)
{
$dwDesiredAccess = $dwDesiredAccess -bor $PROCESS_ACCESS::$val
}
$hProcess = $Kernel32::OpenProcess($dwDesiredAccess, $InheritHandle, $ProcessId); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
if($hProcess -eq 0)
{
throw "OpenProcess Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
}
Write-Output $hProcess
}
function OpenProcessToken
{
<#
.SYNOPSIS
The OpenProcessToken function opens the access token associated with a process.
.PARAMETER ProcessHandle
A handle to the process whose access token is opened. The process must have the PROCESS_QUERY_INFORMATION access permission.
.PARAMETER DesiredAccess
Specifies an access mask that specifies the requested types of access to the access token. These requested access types are compared with the discretionary access control list (DACL) of the token to determine which accesses are granted or denied.
For a list of access rights for access tokens, see Access Rights for Access-Token Objects.
.NOTES
Author: Jared Atkinson (@jaredcatkinson)
License: BSD 3-Clause
Required Dependencies: PSReflect, TOKEN_ACCESS (Enumeration)
Optional Dependencies: None
(func advapi32 OpenProcessToken ([bool]) @(
[IntPtr], #_In_ HANDLE ProcessHandle
[UInt32], #_In_ DWORD DesiredAccess
[IntPtr].MakeByRefType() #_Out_ PHANDLE TokenHandle
) -EntryPoint OpenProcessToken -SetLastError)
.LINK
https://msdn.microsoft.com/en-us/library/windows/desktop/aa379295(v=vs.85).aspx
.LINK
https://msdn.microsoft.com/en-us/library/windows/desktop/aa374905(v=vs.85).aspx
.EXAMPLE
#>
[OutputType([IntPtr])]
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[IntPtr]
$ProcessHandle,
[Parameter(Mandatory = $true)]
[ValidateSet('TOKEN_ASSIGN_PRIMARY','TOKEN_DUPLICATE','TOKEN_IMPERSONATE','TOKEN_QUERY','TOKEN_QUERY_SOURCE','TOKEN_ADJUST_PRIVILEGES','TOKEN_ADJUST_GROUPS','TOKEN_ADJUST_DEFAULT','TOKEN_ADJUST_SESSIONID','DELETE','READ_CONTROL','WRITE_DAC','WRITE_OWNER','SYNCHRONIZE','STANDARD_RIGHTS_REQUIRED','TOKEN_ALL_ACCESS')]
[string[]]
$DesiredAccess
)
# Calculate Desired Access Value
$dwDesiredAccess = 0
foreach($val in $DesiredAccess)
{
$dwDesiredAccess = $dwDesiredAccess -bor $TOKEN_ACCESS::$val
}
$hToken = [IntPtr]::Zero
$Success = $Advapi32::OpenProcessToken($ProcessHandle, $dwDesiredAccess, [ref]$hToken); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
if(-not $Success)
{
throw "OpenProcessToken Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
}
Write-Output $hToken
}
function OpenThread
{
<#
.SYNOPSIS
Opens an existing thread object.
.DESCRIPTION
The handle returned by OpenThread can be used in any function that requires a handle to a thread, such as the wait functions, provided you requested the appropriate access rights. The handle is granted access to the thread object only to the extent it was specified in the dwDesiredAccess parameter.
When you are finished with the handle, be sure to close it by using the CloseHandle function.
.PARAMETER ThreadId
The identifier of the thread to be opened.
.PARAMETER DesiredAccess
The access to the thread object. This access right is checked against the security descriptor for the thread. This parameter can be one or more of the thread access rights.
If the caller has enabled the SeDebugPrivilege privilege, the requested access is granted regardless of the contents of the security descriptor.
.PARAMETER InheritHandle
If this value is TRUE, processes created by this process will inherit the handle. Otherwise, the processes do not inherit this handle.
.NOTES
Author: Jared Atkinson (@jaredcatkinson)
License: BSD 3-Clause
Required Dependencies: PSReflect, THREAD_ACCESS (Enumeration)
Optional Dependencies: None
(func kernel32 OpenThread ([IntPtr]) @(
[UInt32], #_In_ DWORD dwDesiredAccess
[bool], #_In_ BOOL bInheritHandle
[UInt32] #_In_ DWORD dwThreadId
) -EntryPoint OpenThread -SetLastError)
.LINK
https://msdn.microsoft.com/en-us/library/windows/desktop/ms684335(v=vs.85).aspx
.LINK
https://msdn.microsoft.com/en-us/library/windows/desktop/ms686769(v=vs.85).aspx
.EXAMPLE
#>
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[UInt32]
$ThreadId,
[Parameter(Mandatory = $true)]
[ValidateSet('THREAD_TERMINATE','THREAD_SUSPEND_RESUME','THREAD_GET_CONTEXT','THREAD_SET_CONTEXT','THREAD_SET_INFORMATION','THREAD_QUERY_INFORMATION','THREAD_SET_THREAD_TOKEN','THREAD_IMPERSONATE','THREAD_DIRECT_IMPERSONATION','THREAD_SET_LIMITED_INFORMATION','THREAD_QUERY_LIMITED_INFORMATION','DELETE','READ_CONTROL','WRITE_DAC','WRITE_OWNER','SYNCHRONIZE','THREAD_ALL_ACCESS')]
[string[]]
$DesiredAccess,
[Parameter()]
[bool]
$InheritHandle = $false
)
# Calculate Desired Access Value
$dwDesiredAccess = 0
foreach($val in $DesiredAccess)
{
$dwDesiredAccess = $dwDesiredAccess -bor $THREAD_ACCESS::$val
}
$hThread = $Kernel32::OpenThread($dwDesiredAccess, $InheritHandle, $ThreadId); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
if($hThread -eq 0)
{
throw "OpenThread Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
}
Write-Output $hThread
}
function OpenThreadToken
{
<#
.SYNOPSIS
The OpenThreadToken function opens the access token associated with a thread
.DESCRIPTION
Tokens with the anonymous impersonation level cannot be opened.
Close the access token handle returned through the Handle parameter by calling CloseHandle.
.PARAMETER ThreadHandle
A handle to the thread whose access token is opened.
.PARAMETER DesiredAccess
Specifies an access mask that specifies the requested types of access to the access token. These requested access types are reconciled against the token's discretionary access control list (DACL) to determine which accesses are granted or denied.
.PARAMETER OpenAsSelf
TRUE if the access check is to be made against the process-level security context.
FALSE if the access check is to be made against the current security context of the thread calling the OpenThreadToken function.
The OpenAsSelf parameter allows the caller of this function to open the access token of a specified thread when the caller is impersonating a token at SecurityIdentification level. Without this parameter, the calling thread cannot open the access token on the specified thread because it is impossible to open executive-level objects by using the SecurityIdentification impersonation level.
.NOTES
Author: Jared Atkinson (@jaredcatkinson)
License: BSD 3-Clause
Required Dependencies: PSReflect, $TOKEN_ACCESS (Enumeration)
Optional Dependencies: None
(func advapi32 OpenThreadToken ([bool]) @(
[IntPtr], #_In_ HANDLE ThreadHandle
[UInt32], #_In_ DWORD DesiredAccess
[bool], #_In_ BOOL OpenAsSelf
[IntPtr].MakeByRefType() #_Out_ PHANDLE TokenHandle
) -EntryPoint OpenThreadToken -SetLastError)
.LINK
https://msdn.microsoft.com/en-us/library/windows/desktop/aa379296(v=vs.85).aspx
.LINK
https://msdn.microsoft.com/en-us/library/windows/desktop/aa374905(v=vs.85).aspx
.EXAMPLE
#>
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[IntPtr]
$ThreadHandle,
[Parameter(Mandatory = $true)]
[ValidateSet('TOKEN_ASSIGN_PRIMARY','TOKEN_DUPLICATE','TOKEN_IMPERSONATE','TOKEN_QUERY','TOKEN_QUERY_SOURCE','TOKEN_ADJUST_PRIVILEGES','TOKEN_ADJUST_GROUPS','TOKEN_ADJUST_DEFAULT','TOKEN_ADJUST_SESSIONID','DELETE','READ_CONTROL','WRITE_DAC','WRITE_OWNER','SYNCHRONIZE','STANDARD_RIGHTS_REQUIRED','TOKEN_ALL_ACCESS')]
[string[]]
$DesiredAccess,
[Parameter()]
[bool]
$OpenAsSelf = $false
)
# Calculate Desired Access Value
$dwDesiredAccess = 0
foreach($val in $DesiredAccess)
{
$dwDesiredAccess = $dwDesiredAccess -bor $TOKEN_ACCESS::$val
}
$hToken = [IntPtr]::Zero
$Success = $Advapi32::OpenThreadToken($ThreadHandle, $dwDesiredAccess, $OpenAsSelf, [ref]$hToken); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
if(-not $Success)
{
throw "OpenThreadToken Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
}
Write-Output $hToken
}
#endregion Windows API Functions
$Types = $FunctionDefinitions | Add-Win32Type -Module $Module -Namespace 'GetToken'
$Kernel32 = $Types['kernel32']
$Advapi32 = $Types['advapi32']
@fmeunierCC
Copy link

Hi

can you tell how to get the result of script sent to file and for a specific process , like explorer.exe.

thanks

@silicontrip
Copy link

I'm probably a little confused how to use this. You've defined functions like it should be imported as a module, but is named get-token.ps1 and doesn't have any export-modulemembers. Am I just supposed to include this verbatim on top of my own scripts? (sorry powershell newbie)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment