├── .gitattributes
├── NtApiDotNet
├── Forms
│ └── Lock.ico
├── packages.config
├── Ndr
│ ├── Marshal
│ │ ├── NdrEmpty.cs
│ │ ├── NdrUnsupported.cs
│ │ ├── INdrConformantStructure.cs
│ │ ├── INdrNonEncapsulatedUnion.cs
│ │ ├── INdrStructure.cs
│ │ ├── NdrPipe.cs
│ │ ├── NdrContextHandle.cs
│ │ ├── NdrInterfacePointer.cs
│ │ └── NdrDataRepresentation.cs
│ ├── NdrProtocolSequenceEndpoint.cs
│ └── NdrParserException.cs
├── Win32
│ ├── Debugger
│ │ ├── UdtKind.cs
│ │ ├── TI_FINDCHILDREN_PARAMS.cs
│ │ ├── TypeInformation.cs
│ │ ├── SYM_TYPE.cs
│ │ ├── MODULEINFO.cs
│ │ ├── EnumProcessModulesFilter.cs
│ │ ├── DataSymbolInformation.cs
│ │ ├── SymbolInformationType.cs
│ │ ├── ArrayTypeInformation.cs
│ │ ├── PointerTypeInformation.cs
│ │ ├── SymTagEnum.cs
│ │ ├── IMAGEHLP_SYMBOL_TYPE_INFO.cs
│ │ ├── EnumTypeInformation.cs
│ │ ├── ISymbolTypeResolver.cs
│ │ └── SYMBOL_INFO.cs
│ ├── Security
│ │ ├── Native
│ │ │ ├── AuthZAccessCheckFlags.cs
│ │ │ ├── SecWinNtAuthIdentityFlags.cs
│ │ │ ├── OptionalLuid.cs
│ │ │ ├── LSA_ENUMERATION_INFORMATION.cs
│ │ │ ├── SecPkgContextStructs.cs
│ │ │ ├── INHERITED_FROM.cs
│ │ │ ├── SecStatusCode.cs
│ │ │ ├── POLICY_AUDIT_SID_ARRAY.cs
│ │ │ ├── SecHandle.cs
│ │ │ ├── SecPkgContext_SessionKey.cs
│ │ │ ├── AUDIT_POLICY_INFORMATION.cs
│ │ │ ├── KERB_S4U_LOGON.cs
│ │ │ ├── LSA_LAST_INTER_LOGON_INFO.cs
│ │ │ ├── AUTHZ_ACCESS_REPLY.cs
│ │ │ ├── AUTHZ_ACCESS_REQUEST.cs
│ │ │ ├── QUOTA_LIMITS.cs
│ │ │ ├── KERB_TICKET_LOGON.cs
│ │ │ ├── CENTRAL_ACCESS_POLICY.cs
│ │ │ ├── SEC_CHANNEL_BINDING.cs
│ │ │ ├── LsaString.cs
│ │ │ ├── KERB_LOGON_SUBMIT_TYPE.cs
│ │ │ ├── SecPkgInfo.cs
│ │ │ ├── CENTRAL_ACCESS_POLICY_ENTRY.cs
│ │ │ ├── TOKEN_SOURCE.cs
│ │ │ ├── SecureStringMarshal.cs
│ │ │ ├── AUTHZ_CONTEXT_INFORMATION_CLASS.cs
│ │ │ ├── LsaLogonUserFlags.cs
│ │ │ ├── SecBufferType.cs
│ │ │ ├── SECPKG_ATTR.cs
│ │ │ ├── SEC_WINNT_AUTH_IDENTITY.cs
│ │ │ ├── SECURITY_LOGON_SESSION_DATA.cs
│ │ │ ├── SEC_WINNT_AUTH_IDENTITY_EX.cs
│ │ │ └── SecBufferDesc.cs
│ │ ├── Authentication
│ │ │ ├── AuthenticationCredentials.cs
│ │ │ ├── Kerberos
│ │ │ │ ├── KRB_MSG_TYPE.cs
│ │ │ │ ├── KRB_NAME_TYPE.cs
│ │ │ │ ├── KRB_CHKSUM_TYPE.cs
│ │ │ │ └── KRB_ENC_TYPE.cs
│ │ │ ├── IAuthenticationContext.cs
│ │ │ ├── AuthenticationImpersonationContext.cs
│ │ │ ├── Negotiate
│ │ │ │ └── NegotiateAuthenticationToken.cs
│ │ │ └── GSSAPIUtils.cs
│ │ ├── Audit
│ │ │ ├── AuditGlobalSaclType.cs
│ │ │ ├── AuditPolicyEventType.cs
│ │ │ ├── AuditAccessRights.cs
│ │ │ └── AuditPolicyFlags.cs
│ │ ├── Authorization
│ │ │ ├── ProgressInvokeSetting.cs
│ │ │ ├── SeObjectType.cs
│ │ │ ├── TreeSecInfo.cs
│ │ │ └── AuthZAccessCheckResult.cs
│ │ └── Policy
│ │ │ ├── AccountRightLogonType.cs
│ │ │ └── LsaPolicyAccessRights.cs
│ ├── SafeHandles
│ │ ├── SafeLsaMemoryBuffer.cs
│ │ ├── SafeLocalAllocBuffer.cs
│ │ ├── SafeCoTaskMemHandle.cs
│ │ ├── SafeAuditBuffer.cs
│ │ ├── SafeLsaReturnBufferHandle.cs
│ │ ├── SafeAuthZClientContextHandle.cs
│ │ ├── SafeAuthZResourceManagerHandle.cs
│ │ ├── SafeLsaLogonHandle.cs
│ │ └── SafeLsaHandle.cs
│ ├── WnfServiceTriggerInformation.cs
│ ├── EtwServiceTriggerInformation.cs
│ ├── EventTrace.cs
│ ├── Rpc
│ │ ├── RpcClientResponse.cs
│ │ └── Transport
│ │ │ └── RpcFaultException.cs
│ ├── SafeWin32Exception.cs
│ ├── EventTraceProvider.cs
│ ├── DirectoryService
│ │ ├── DirectoryServiceAccessRights.cs
│ │ └── DirectoryServiceUtils.cs
│ └── RpcClient.cs
├── Utilities
│ ├── ASN1
│ │ ├── DERTagType.cs
│ │ ├── UniversalTag.cs
│ │ ├── OIDValues.cs
│ │ └── DERParser.cs
│ ├── Memory
│ │ ├── SafeBufferWrapper.cs
│ │ ├── CrossBitnessTypeAttribute.cs
│ │ ├── IMemoryReader.cs
│ │ └── ProcessMemoryStream.cs
│ └── SafeBuffers
│ │ └── SafeGuidArrayBuffer.cs
├── SafeStringBuffer.cs
├── NtApiDotNet.Core.csproj
├── NtRtl.cs
├── NtEtwRegistration.cs
├── SafeIoStatusBuffer.cs
├── NtAlpcUtils.cs
├── UnicodeStringBytesSafeBuffer.cs
├── Properties
│ └── AssemblyInfo.cs
├── INtTransaction.cs
├── ThreadImpersonationContext.cs
├── NtApiDotNet.nuspec
├── NtWaitNative.cs
├── SafeAlpcPortSectionHandle.cs
├── NtWindowNative.cs
├── SafeTokenPrivilegesBuffer.cs
├── Readme.txt
├── SafeSidBufferHandle.cs
├── NtStructures.cs
├── SafeHandleListHandle.cs
├── NtLdr.cs
├── NtException.cs
├── PrivilegeCheckResult.cs
├── SecurityDescriptorSid.cs
├── TokenPrivilegesBuilder.cs
└── NtLdrNative.cs
├── app.config
├── FodyWeavers.xml
├── packages.config
├── README.md
├── app.manifest
├── Properties
└── AssemblyInfo.cs
└── GenericPotato.sln
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 |
--------------------------------------------------------------------------------
/NtApiDotNet/Forms/Lock.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/micahvandeusen/GenericPotato/HEAD/NtApiDotNet/Forms/Lock.ico
--------------------------------------------------------------------------------
/app.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/FodyWeavers.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/packages.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
--------------------------------------------------------------------------------
/NtApiDotNet/packages.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
--------------------------------------------------------------------------------
/NtApiDotNet/Ndr/Marshal/NdrEmpty.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
namespace NtApiDotNet.Ndr.Marshal
{
    /// <summary>
    /// Structure to represent an empty value.
    /// </summary>
    /// <remarks>Declares no fields and no members.</remarks>
    public struct NdrEmpty
    {
    }
}
24 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Debugger/UdtKind.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
namespace NtApiDotNet.Win32.Debugger
{
    // Kind of a user-defined type (UDT) symbol. No explicit values are given,
    // so the members take the values 0..3 in declaration order.
    // NOTE(review): presumably mirrors the native symbol-API UdtKind enumeration —
    // confirm the numeric values against the native header before casting raw
    // integers read from symbol data to this type.
    internal enum UdtKind
    {
        UdtStruct,
        UdtClass,
        UdtUnion,
        UdtInterface
    };
}
25 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # GenericPotato
2 | ### A modified version of SweetPotato by @_EthicalChaos_ that adds support for impersonating clients that authenticate over HTTP and/or named pipes. For an account that holds SeImpersonatePrivilege (see the background link below), this allows local privilege escalation from SSRF and/or file writes.
3 | ### For background and explanation see https://micahvandeusen.com/the-power-of-seimpersonation/
4 |
5 | ```
6 | GenericPotato by @micahvandeusen
7 | Modified from SweetPotato by @_EthicalChaos_
8 |
9 | -m, --method=VALUE Auto,User,Thread (default Auto)
10 | -p, --prog=VALUE Program to launch (default cmd.exe)
11 | -a, --args=VALUE Arguments for program (default null)
12 | -e, --exploit=VALUE Exploit mode [HTTP|NamedPipe(default)]
13 | -l, --port=VALUE HTTP port to listen on (default 8888)
14 | -i, --host=VALUE HTTP host to listen on (default 127.0.0.1)
15 | -h, --help Display this help
16 | ```
--------------------------------------------------------------------------------
/NtApiDotNet/Utilities/ASN1/DERTagType.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
namespace NtApiDotNet.Utilities.ASN1
{
    // Tag class of a DER-encoded ASN.1 element. The explicit values 0..3 are the
    // ASN.1 tag class numbers.
    // NOTE(review): a parser that derives this from input bytes should mask to two
    // bits before casting, so no out-of-range value can be produced — confirm in
    // the DER parser.
    internal enum DERTagType
    {
        Universal = 0,
        Application = 1,
        ContextSpecific = 2,
        Private = 3,
    }
}
25 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/AuthZAccessCheckFlags.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 |
namespace NtApiDotNet.Win32.Security.Native
{
    // Bit flags for an AuthZ access check; [Flags] allows the values to be combined.
    // NOTE(review): NoDeepCopySD presumably maps to the native
    // AUTHZ_ACCESS_CHECK_NO_DEEP_COPY_SD flag. With it the security descriptor is
    // referenced rather than copied, so the caller's descriptor must stay valid and
    // unmodified for as long as the access-check result is used — confirm at call sites.
    [Flags]
    internal enum AuthZAccessCheckFlags
    {
        None = 0,
        NoDeepCopySD = 1,
    }
}
26 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/SecWinNtAuthIdentityFlags.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
namespace NtApiDotNet.Win32.Security.Native
{
// CS1591 (missing XML comment) is disabled here and not restored in this file.
#pragma warning disable 1591
    // Character-set selector for an auth-identity structure: Ansi (0x1) or Unicode (0x2).
    // NOTE(review): presumably the native SEC_WINNT_AUTH_IDENTITY_ANSI / _UNICODE flags.
    // The flag must agree with how the credential strings were actually encoded,
    // otherwise the native side reads them with the wrong character width — confirm at call sites.
    internal enum SecWinNtAuthIdentityFlags
    {
        Ansi = 0x1,
        Unicode = 0x2,
    }
}
24 |
--------------------------------------------------------------------------------
/NtApiDotNet/Ndr/Marshal/NdrUnsupported.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
namespace NtApiDotNet.Ndr.Marshal
{
    /// <summary>
    /// Place holder for unsupported types.
    /// </summary>
    public class NdrUnsupported
    {
        // The only constructor is private, so code outside this class cannot
        // create an instance; the type exists to be referenced by name only.
        private NdrUnsupported()
        {
        }
    }
}
27 |
--------------------------------------------------------------------------------
/NtApiDotNet/SafeStringBuffer.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Text;
16 |
namespace NtApiDotNet
{
    /// <summary>
    /// Buffer initialised from a string: the text plus one trailing NUL character,
    /// encoded with <see cref="Encoding.Unicode"/>, is handed to the
    /// SafeHGlobalBuffer base constructor.
    /// </summary>
    /// <remarks>
    /// NOTE(review): the managed byte array created during encoding and the source
    /// string are not cleared here. If callers pass secrets (passwords, keys),
    /// confirm that the base class zeroes its memory on release and that the
    /// temporary array is acceptable for the threat model.
    /// </remarks>
    internal sealed class SafeStringBuffer : SafeHGlobalBuffer
    {
        /// <summary>
        /// Builds the buffer from <paramref name="str"/> followed by a NUL terminator.
        /// </summary>
        /// <param name="str">Text to copy; a null reference concatenates as empty text,
        /// leaving only the terminator.</param>
        public SafeStringBuffer(string str)
            : base(Encoding.Unicode.GetBytes(string.Concat(str, "\0")))
        {
        }
    }
}
26 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/OptionalLuid.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Runtime.InteropServices;
16 |
namespace NtApiDotNet.Win32.Security.Native
{
// CS1591 (missing XML comment) is disabled here and not restored in this file.
#pragma warning disable 1591
    // Sequential-layout wrapper holding a single Luid field.
    // NOTE(review): declared as a class rather than a struct, presumably so that a
    // null reference can be marshalled as a NULL pointer for an optional LUID
    // parameter — confirm against the P/Invoke signatures that use it.
    [StructLayout(LayoutKind.Sequential)]
    internal class OptionalLuid
    {
        public Luid luid;
    }
}
26 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/LSA_ENUMERATION_INFORMATION.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
namespace NtApiDotNet.Win32.Security.Native
{
    // Sequential-layout interop structure with one pointer-sized field.
    // NOTE(review): presumably mirrors the native LSA_ENUMERATION_INFORMATION, where
    // Sid points to a SID inside an LSA-allocated buffer. The pointer is only valid
    // while that buffer is alive, so the SID should be copied before the buffer is
    // released — confirm in the enumeration code.
    [StructLayout(LayoutKind.Sequential)]
    internal struct LSA_ENUMERATION_INFORMATION
    {
        public IntPtr Sid;
    }
}
26 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/SecPkgContextStructs.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
namespace NtApiDotNet.Win32.Security.Native
{
    // Sequential-layout interop structure with one pointer-sized field.
    // NOTE(review): presumably the SSPI "client specified target" context attribute,
    // with sTargetName pointing to a native string. A server can compare this value
    // with the service names it expects as a check against relayed authentication;
    // the native buffer also needs the matching SSPI free call — confirm in callers.
    [StructLayout(LayoutKind.Sequential)]
    internal struct SecPkgContext_ClientSpecifiedTarget
    {
        public IntPtr sTargetName;
    }
}
26 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/INHERITED_FROM.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
namespace NtApiDotNet.Win32.Security.Native
{
    // Sequential-layout interop structure: a 32-bit GenerationGap followed by a
    // pointer-sized AncestorName.
    // NOTE(review): presumably mirrors the native INHERITED_FROM record that
    // describes where an inherited ACE came from; AncestorName would then be a
    // native string pointer that may be null and is owned by the native array —
    // confirm before dereferencing.
    [StructLayout(LayoutKind.Sequential)]
    internal struct INHERITED_FROM
    {
        public int GenerationGap;
        public IntPtr AncestorName;
    }
}
27 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/SecStatusCode.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
namespace NtApiDotNet.Win32.Security.Native
{
// CS1591 (missing XML comment) is disabled here and not restored in this file.
#pragma warning disable 1591
    // SSPI status values stored as uint. Only Success and three "more work
    // required" codes are listed.
    // NOTE(review): the non-zero values look like SEC_I_CONTINUE_NEEDED,
    // SEC_I_COMPLETE_NEEDED and SEC_I_COMPLETE_AND_CONTINUE. Failure codes are not
    // enumerated, so callers should treat any value outside this list as an error
    // and must not treat a *Needed value as a finished handshake — confirm at call sites.
    internal enum SecStatusCode : uint
    {
        Success = 0,
        ContinueNeeded = 0x00090312,
        CompleteNeeded = 0x00090313,
        CompleteAndContinue = 0x00090314,
    }
}
26 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/POLICY_AUDIT_SID_ARRAY.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
namespace NtApiDotNet.Win32.Security.Native
{
    // Sequential-layout interop structure: a 32-bit count followed by a pointer.
    // NOTE(review): presumably UserSidArray points to UsersCount SID pointers in a
    // natively allocated buffer. Readers should reject a negative UsersCount and
    // bound iteration by it before dereferencing — confirm in the code that walks it.
    [StructLayout(LayoutKind.Sequential)]
    internal struct POLICY_AUDIT_SID_ARRAY
    {
        public int UsersCount;
        public IntPtr UserSidArray;
    }
}
27 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/SecHandle.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
namespace NtApiDotNet.Win32.Security.Native
{
// CS1591 (missing XML comment) is disabled here and not restored in this file.
#pragma warning disable 1591
    // Sequential-layout class made of two pointer-sized fields.
    // NOTE(review): presumably the SSPI SecHandle (credential/context handle) pair.
    // Being a class, an instance is passed by reference and may be null; the two
    // values are opaque and should only be produced by, and handed back to, the
    // SSPI functions — confirm in callers.
    [StructLayout(LayoutKind.Sequential)]
    internal class SecHandle
    {
        public IntPtr dwLower;
        public IntPtr dwUpper;
    }
}
28 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Debugger/TI_FINDCHILDREN_PARAMS.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Runtime.InteropServices;
16 |
namespace NtApiDotNet.Win32.Debugger
{
    // Sequential-layout interop structure of three 32-bit integers. The project's
    // DataStart attribute names ChildId as the field where trailing data begins.
    // NOTE(review): presumably ChildId is the first element of a variable-length
    // array holding Count ids. Code reading the trailing data should check Count
    // against the size of the allocated buffer before indexing — confirm in the
    // symbol resolver.
    [StructLayout(LayoutKind.Sequential), DataStart("ChildId")]
    internal struct TI_FINDCHILDREN_PARAMS
    {
        public int Count;
        public int Start;
        public int ChildId;
    }
}
27 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/SecPkgContext_SessionKey.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
namespace NtApiDotNet.Win32.Security.Native
{
    // Sequential-layout interop structure: a 32-bit length followed by a pointer.
    // NOTE(review): presumably the SSPI session-key context attribute, with
    // SessionKey pointing to SessionKeyLength bytes of key material owned by native
    // code. Readers should bound the copy by SessionKeyLength, release the native
    // buffer with the matching SSPI free call, and keep the bytes out of logs —
    // confirm in callers.
    [StructLayout(LayoutKind.Sequential)]
    internal struct SecPkgContext_SessionKey
    {
        public int SessionKeyLength;
        public IntPtr SessionKey;
    }
}
27 |
--------------------------------------------------------------------------------
/NtApiDotNet/NtApiDotNet.Core.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | NtApiDotNet
5 | netstandard2.0
6 | NtApiDotNet
7 | James Forshaw
8 | Google Inc.
9 | NtApiDotNet
10 | 1.1.27.0
11 | Copyright © Google Inc. 2016-2020
12 | 1.0.0.0
13 | https://www.apache.org/licenses/LICENSE-2.0
14 | https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/AUDIT_POLICY_INFORMATION.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
namespace NtApiDotNet.Win32.Security.Native
{
    // Sequential-layout interop structure: sub-category GUID, a 32-bit
    // AuditingInformation value, then the category GUID. Field order is part of
    // the native layout and must not be rearranged.
    // NOTE(review): AuditingInformation is presumably a bit mask of audit policy
    // flags (success/failure) — confirm against the audit policy flag enum.
    [StructLayout(LayoutKind.Sequential)]
    internal struct AUDIT_POLICY_INFORMATION
    {
        public Guid AuditSubCategoryGuid;
        public int AuditingInformation;
        public Guid AuditCategoryGuid;
    }
}
28 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Authentication/AuthenticationCredentials.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Runtime.InteropServices;
16 |
namespace NtApiDotNet.Win32.Security.Authentication
{
    /// <summary>
    /// Base class for authentication credentials.
    /// </summary>
    /// <remarks>
    /// The only abstract member is internal, so concrete credential types can be
    /// defined only inside this assembly.
    /// </remarks>
    public abstract class AuthenticationCredentials
    {
        // Converts the credentials into a native buffer for the named package.
        // NOTE(review): the returned buffer presumably contains secret material and
        // `list` presumably owns the disposable allocations made along the way;
        // confirm that implementations register everything they allocate so the
        // credential memory is released once the call completes.
        internal abstract SafeBuffer ToBuffer(DisposableList list, string package);
    }
}
27 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/KERB_S4U_LOGON.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2016 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Runtime.InteropServices;
16 |
namespace NtApiDotNet.Win32.Security.Native
{
    // Sequential-layout interop structure: message type, 32-bit flags, then two
    // UnicodeStringOut values for the client UPN and realm. Field order is part of
    // the native layout and must not be rearranged.
    // NOTE(review): presumably the Kerberos S4U logon submit buffer, which requests
    // a logon for the named user without that user's password. Callers of the
    // wrapping API are privileged by design, so the UPN/realm values should come
    // from a trusted source — confirm how the wrapper validates them.
    [StructLayout(LayoutKind.Sequential)]
    internal struct KERB_S4U_LOGON
    {
        public KERB_LOGON_SUBMIT_TYPE MessageType;
        public int Flags;
        public UnicodeStringOut ClientUpn;
        public UnicodeStringOut ClientRealm;
    }
}
28 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Audit/AuditGlobalSaclType.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
namespace NtApiDotNet.Win32.Security.Audit
{
    /// <summary>
    /// Type of global SACL to query or set.
    /// </summary>
    public enum AuditGlobalSaclType
    {
        /// <summary>
        /// File type.
        /// </summary>
        File,
        /// <summary>
        /// Key type.
        /// </summary>
        Key
    }
}
32 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/LSA_LAST_INTER_LOGON_INFO.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Runtime.InteropServices;
16 |
namespace NtApiDotNet.Win32.Security.Native
{
    // Sequential-layout interop structure: two LargeIntegerStruct time fields
    // followed by a 32-bit counter. Field order is part of the native layout.
    // NOTE(review): presumably the "last interactive logon" record of a logon
    // session, with both times stored as native 64-bit timestamps. The
    // failed-attempt counter is useful input for sign-in anomaly reporting —
    // confirm units and epoch before converting.
    [StructLayout(LayoutKind.Sequential)]
    internal struct LSA_LAST_INTER_LOGON_INFO
    {
        public LargeIntegerStruct LastSuccessfulLogon;
        public LargeIntegerStruct LastFailedLogon;
        public int FailedAttemptCountSinceLastSuccessfulLogon;
    }
}
27 |
--------------------------------------------------------------------------------
/NtApiDotNet/NtRtl.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2016 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Runtime.InteropServices;
16 |
17 | namespace NtApiDotNet
18 | {
19 | #pragma warning disable 1591
20 | public static partial class NtRtl // P/Invoke declarations for ntdll status-conversion routines (missing-doc warning 1591 is disabled around this class)
21 | {
22 | [DllImport("ntdll.dll")]
23 | public static extern int RtlNtStatusToDosError(NtStatus status); // maps an NTSTATUS value to a Win32 error code, returned as int
24 |
25 | [DllImport("ntdll.dll")]
26 | public static extern int RtlNtStatusToDosErrorNoTeb(NtStatus status); // same mapping; going by the name it does not touch the TEB - confirm before relying on that
27 | }
28 | #pragma warning restore 1591
29 | }
30 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Debugger/TypeInformation.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Win32.Debugger
16 | {
17 | /// <summary>
18 | /// Symbol information for a type.
19 | /// </summary>
20 | public class TypeInformation : SymbolInformation
21 | {
22 | internal TypeInformation(SymTagEnum tag, long size, int type_index, SymbolLoadedModule module, string name) // internal: instances are only created inside this assembly
23 | : base(tag, size, type_index, module, name) // every argument is forwarded unchanged to SymbolInformation
24 | {
25 | }
26 | }
27 | }
28 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Authorization/ProgressInvokeSetting.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Win32.Security.Authorization
16 | {
17 | #pragma warning disable 1591
18 | /// <summary>
19 | /// Progress invoke setting for tree security.
20 | /// </summary>
21 | public enum ProgressInvokeSetting
22 | {
23 | InvokeNever = 1, // numbering starts at 1, so default(ProgressInvokeSetting) == 0 is not a named member
24 | EveryObject, // 2
25 | OnError, // 3
26 | CancelOperation, // 4
27 | RetryOperation, // 5
28 | PrePostError // 6
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/AUTHZ_ACCESS_REPLY.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
18 | namespace NtApiDotNet.Win32.Security.Native
19 | {
20 | [StructLayout(LayoutKind.Sequential)] // fields are laid out in declaration order
21 | internal struct AUTHZ_ACCESS_REPLY // result block for an AuthZ access check; the three pointers are raw addresses with no length of their own
22 | {
23 | public int ResultListLength; // per the Win32 contract, the element count of each array below; every buffer must hold at least this many 32-bit entries or the native call writes out of bounds
24 | public IntPtr GrantedAccessMask; // PACCESS_MASK.
25 | public IntPtr SaclEvaluationResults; // PDWORD
26 | public IntPtr Error; // PDWORD
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/AUTHZ_ACCESS_REQUEST.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
18 | namespace NtApiDotNet.Win32.Security.Native
19 | {
20 | [StructLayout(LayoutKind.Sequential)] // fields are laid out in declaration order
21 | internal struct AUTHZ_ACCESS_REQUEST // input block describing the access being checked
22 | {
23 | public AccessMask DesiredAccess; // access rights being requested
24 | public IntPtr PrincipalSelfSid; // PSID; raw pointer, must stay valid for the duration of the native call
25 | public IntPtr ObjectTypeList; // POBJECT_TYPE_LIST; raw pointer to the first entry
26 | public int ObjectTypeListLength; // number of entries behind ObjectTypeList; has to match the buffer actually allocated
27 | public IntPtr OptionalArguments; // PVOID
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Audit/AuditPolicyEventType.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Win32.Security.Audit
16 | {
17 | #pragma warning disable 1591
18 | /// <summary>
19 | /// Policy audit event type.
20 | /// </summary>
21 | public enum AuditPolicyEventType
22 | {
23 | System = 0, // the members below take consecutive values 1 through 8
24 | Logon,
25 | ObjectAccess,
26 | PrivilegeUse,
27 | DetailedTracking,
28 | PolicyChange,
29 | AccountManagement,
30 | DirectoryServiceAccess,
31 | AccountLogon
32 | }
33 | }
34 |
--------------------------------------------------------------------------------
/NtApiDotNet/Utilities/Memory/SafeBufferWrapper.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
18 | namespace NtApiDotNet.Utilities.Memory
19 | {
20 | internal class SafeBufferWrapper : SafeBuffer // non-owning SafeBuffer view over a raw pointer supplied by the caller
21 | {
22 | public SafeBufferWrapper(IntPtr buffer)
23 | : base(false) // ownsHandle = false: disposing the wrapper never frees the memory
24 | {
25 | Initialize(int.MaxValue); // the real size is unknown here, so the length is set to int.MaxValue; SafeBuffer's range checks therefore cannot stop an access past the true end of the allocation, and callers must bound offsets and counts themselves
26 | handle = buffer; // stored as-is; no null check is made on the pointer
27 | }
28 |
29 | protected override bool ReleaseHandle()
30 | {
31 | return true; // nothing to release: the memory belongs to whoever allocated it, so the wrapper must not be used after that owner frees it
32 | }
33 | }
34 | }
35 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/QUOTA_LIMITS.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2016 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
18 | namespace NtApiDotNet.Win32.Security.Native
19 | {
20 | [StructLayout(LayoutKind.Sequential)] // fields are laid out in declaration order
21 | internal class QUOTA_LIMITS // declared as a class, so managed code handles it as a reference type
22 | {
23 | public IntPtr PagedPoolLimit; // SIZE_T natively; IntPtr keeps the field pointer-sized on 32- and 64-bit
24 | public IntPtr NonPagedPoolLimit; // SIZE_T
25 | public IntPtr MinimumWorkingSetSize; // SIZE_T
26 | public IntPtr MaximumWorkingSetSize; // SIZE_T
27 | public IntPtr PagefileLimit; // SIZE_T
28 | public LargeIntegerStruct TimeLimit; // LARGE_INTEGER
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/KERB_TICKET_LOGON.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
18 | namespace NtApiDotNet.Win32.Security.Native
19 | {
20 | [StructLayout(LayoutKind.Sequential)] // fields are laid out in declaration order
21 | internal struct KERB_TICKET_LOGON // logon submit buffer that carries Kerberos tickets by pointer and length
22 | {
23 | public KERB_LOGON_SUBMIT_TYPE MessageType; // first field; identifies which submit structure this buffer is
24 | public int Flags;
25 | public int ServiceTicketLength; // byte length of the ServiceTicket buffer; must not exceed what was actually allocated
26 | public int TicketGrantingTicketLength; // byte length of the TicketGrantingTicket buffer; same constraint
27 | public IntPtr ServiceTicket; // raw pointer; presumably has to live inside the submit buffer passed to LSA - confirm against the caller
28 | public IntPtr TicketGrantingTicket; // raw pointer, paired with TicketGrantingTicketLength
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/CENTRAL_ACCESS_POLICY.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
18 | namespace NtApiDotNet.Win32.Security.Native
19 | {
20 | [StructLayout(LayoutKind.Sequential)] // fields are laid out in declaration order
21 | internal struct CENTRAL_ACCESS_POLICY // interop layout for one central access policy returned by native code
22 | {
23 | public IntPtr CAPID; // PSID identifying the policy
24 | public UnicodeStringOut Name;
25 | public UnicodeStringOut Description;
26 | public UnicodeStringOut ChangeId;
27 | public uint Flags;
28 | public int CAPECount; // number of entries behind CAPEs; signed here, so check it is non-negative before using it as a loop bound
29 | public IntPtr CAPEs; // PCENTRAL_ACCESS_POLICY_ENTRY
30 | }
31 | }
32 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Authorization/SeObjectType.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Win32.Security.Authorization
16 | {
17 | #pragma warning disable 1591
18 | /// <summary>
19 | /// Enumeration for object type.
20 | /// </summary>
21 | public enum SeObjectType
22 | {
23 | Unknown = 0, // the members below take consecutive values 1 through 13
24 | File,
25 | Service,
26 | Printer,
27 | RegistryKey,
28 | LMShare,
29 | Kernel,
30 | Window,
31 | Ds,
32 | DsAll,
33 | ProviderDefined,
34 | WmiGuid,
35 | RegistryWow6432Key,
36 | RegistryWow6464Key
37 | }
38 | }
39 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/SEC_CHANNEL_BINDING.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Runtime.InteropServices;
16 |
17 | namespace NtApiDotNet.Win32.Security.Native
18 | {
19 | [StructLayout(LayoutKind.Sequential)] // fields are laid out in declaration order
20 | internal struct SEC_CHANNEL_BINDINGS // fixed header of a channel-binding buffer; the variable data follows it and is located by the offset/length pairs
21 | {
22 | public int dwInitiatorAddrType;
23 | public int cbInitiatorLength; // byte length of the initiator address data
24 | public int dwInitiatorOffset; // per the SSPI definition, byte offset from the start of this structure
25 | public int dwAcceptorAddrType;
26 | public int cbAcceptorLength; // byte length of the acceptor address data
27 | public int dwAcceptorOffset; // byte offset from the start of this structure
28 | public int cbApplicationDataLength; // byte length of the application data
29 | public int dwApplicationDataOffset; // byte offset from the start of this structure; when reading a buffer from elsewhere, check every offset + length against the total buffer size first
30 | }
31 | }
32 |
--------------------------------------------------------------------------------
/NtApiDotNet/Ndr/Marshal/INdrConformantStructure.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Ndr.Marshal
16 | {
17 | /// <summary>
18 | /// Interface for a marshalled NDR conformant structure.
19 | /// </summary>
20 | /// <remarks>This interface is primarily for internal use only.</remarks>
21 | public interface INdrConformantStructure : INdrStructure
22 | {
23 | /// <summary>
24 | /// Gets the number of conformant dimensions, should be at least one.
25 | /// </summary>
26 | /// <returns>The number of conformant dimensions.</returns>
27 | int GetConformantDimensions();
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/LsaString.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2016 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Runtime.InteropServices;
16 |
17 | namespace NtApiDotNet.Win32.Security.Native
18 | {
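/// <summary>
/// Counted ANSI string (Length, MaximumLength, Buffer) in the layout native LSA calls expect.
/// </summary>
/// <remarks>
/// NOTE(review): Length is taken from the UTF-16 character count while Buffer is marshalled
/// as an ANSI string; for non-ASCII input the marshalled byte count may differ - confirm that
/// callers only pass ASCII names.
/// </remarks>
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)]
internal class LsaString
{
    // Largest character count for which Length + 1 (the terminator) still fits in a ushort.
    private const int MaxChars = ushort.MaxValue - 1;

    public ushort Length;
    public ushort MaximumLength;
    [MarshalAs(UnmanagedType.LPStr)]
    string Buffer;

    /// <summary>
    /// Builds the counted string from a managed string.
    /// </summary>
    /// <param name="str">The string to wrap. Must not be null and must be at most 65534 characters.</param>
    /// <exception cref="System.ArgumentNullException">Thrown when <paramref name="str"/> is null.</exception>
    /// <exception cref="System.ArgumentOutOfRangeException">Thrown when the string is too long for the 16-bit length fields.</exception>
    public LsaString(string str)
    {
        if (str == null)
        {
            throw new System.ArgumentNullException("str");
        }

        // Without this check the ushort casts below wrap silently, and native code would be
        // handed length fields that no longer describe the buffer.
        if (str.Length > MaxChars)
        {
            throw new System.ArgumentOutOfRangeException("str", "String is too long for a 16-bit counted string.");
        }

        Length = (ushort)str.Length;
        MaximumLength = (ushort)(str.Length + 1);
        Buffer = str;
    }
}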
34 | }
35 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Debugger/SYM_TYPE.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2018 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | // NOTE: This file is a modified version of SymbolResolver.cs from OleViewDotNet
16 | // https://github.com/tyranid/oleviewdotnet. It's been relicensed from GPLv3 by
17 | // the original author James Forshaw to be used under the Apache License for this
18 | // project.
19 |
20 | namespace NtApiDotNet.Win32.Debugger
21 | {
22 | enum SYM_TYPE // no access modifier, so the enum is internal to the assembly
23 | {
24 | SymNone = 0, // the members below take consecutive values 1 through 9
25 | SymCoff,
26 | SymCv,
27 | SymPdb,
28 | SymExport,
29 | SymDeferred,
30 | SymSym,
31 | SymDia,
32 | SymVirtual,
33 | NumSymTypes // value 9; by its name a count sentinel rather than a real symbol type
34 | }
35 | }
36 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Debugger/MODULEINFO.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2018 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | // NOTE: This file is a modified version of SymbolResolver.cs from OleViewDotNet
16 | // https://github.com/tyranid/oleviewdotnet. It's been relicensed from GPLv3 by
17 | // the original author James Forshaw to be used under the Apache License for this
18 | // project.
19 |
20 | using System;
21 | using System.Runtime.InteropServices;
22 |
23 | namespace NtApiDotNet.Win32.Debugger
24 | {
25 | [StructLayout(LayoutKind.Sequential)] // fields are laid out in declaration order
26 | struct MODULEINFO // no access modifier, so the struct is internal to the assembly
27 | {
28 | public IntPtr lpBaseOfDll; // LPVOID: load address of the module
29 | public int SizeOfImage; // DWORD natively; declared as a signed int here
30 | public IntPtr EntryPoint; // LPVOID
31 | }
32 | }
33 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Authentication/Kerberos/KRB_MSG_TYPE.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Win32.Security.Authentication.Kerberos
16 | {
17 | #pragma warning disable 1591
18 | /// <summary>
19 | /// Kerberos Message Type.
20 | /// </summary>
21 | public enum KRB_MSG_TYPE
22 | {
23 | KRB_AS_REQ = 10, // values are explicit and non-contiguous; a number read from a message may match no member, so parsers should treat unknown values as errors
24 | KRB_AS_REP = 11,
25 | KRB_TGS_REQ = 12,
26 | KRB_TGS_REP = 13,
27 | KRB_AP_REQ = 14,
28 | KRB_AP_REP = 15,
29 | KRB_TGT_REQ = 16,
30 | KRB_TGT_REP = 17,
31 | KRB_SAFE = 20,
32 | KRB_PRIV = 21,
33 | KRB_CRED = 22,
34 | KRB_ERROR = 30,
35 | }
36 | }
37 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Debugger/EnumProcessModulesFilter.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2018 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | // NOTE: This file is a modified version of SymbolResolver.cs from OleViewDotNet
16 | // https://github.com/tyranid/oleviewdotnet. It's been relicensed from GPLv3 by
17 | // the original author James Forshaw to be used under the Apache License for this
18 | // project.
19 |
20 | using System;
21 |
22 | namespace NtApiDotNet.Win32.Debugger
23 | {
24 | [Flags] // members are bit values that can be combined
25 | enum EnumProcessModulesFilter // no access modifier, so the enum is internal to the assembly
26 | {
27 | LIST_MODULES_DEFAULT = 0x00, // zero: no explicit bitness bit is set
28 | LIST_MODULES_32BIT = 0x01,
29 | LIST_MODULES_64BIT = 0x02,
30 | LIST_MODULES_ALL = LIST_MODULES_32BIT | LIST_MODULES_64BIT, // 0x03
31 | }
32 | }
33 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Authentication/Kerberos/KRB_NAME_TYPE.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Win32.Security.Authentication.Kerberos
16 | {
17 | #pragma warning disable 1591
18 | /// <summary>
19 | /// Kerberos Name Type.
20 | /// </summary>
21 | public enum KRB_NAME_TYPE
22 | {
23 | UNKNOWN = 0,
24 | PRINCIPAL = 1,
25 | SRV_INST = 2,
26 | SRV_HST = 3,
27 | SRV_XHST = 4,
28 | UID = 5,
29 | X500_PRINCIPAL = 6,
30 | SMTP_NAME = 7,
31 | ENTERPRISE_PRINCIPAL = 10,
32 | ENT_PRINCIPAL_AND_ID = -130, // the last three members are negative, so the value must be decoded as a signed integer
33 | MS_PRINCIPAL = -128,
34 | MS_PRINCIPAL_AND_ID = -129
35 | }
36 | }
37 |
--------------------------------------------------------------------------------
/NtApiDotNet/Utilities/ASN1/UniversalTag.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Utilities.ASN1
16 | {
17 | internal enum UniversalTag // ASN.1 universal class tag numbers; only a subset is listed, so a decoded tag may match no member
18 | {
19 | EOC = 0,
20 | BOOLEAN = 1,
21 | INTEGER = 2,
22 | BIT_STRING = 3,
23 | OCTET_STRING = 4,
24 | NULL = 5,
25 | OBJECT_IDENTIFIER = 6,
26 | ENUMERATED = 10,
27 | UTF8String = 12,
28 | RELATIVE_OBJECT_IDENTIFIER = 13,
29 | SEQUENCE = 16,
30 | SET = 17,
31 | PrintableString = 19,
32 | T16String = 20, // NOTE(review): universal tag 20 is TeletexString (T61String); the member name looks like a transposition - renaming would need every reference updated
33 | IA5String = 22,
34 | UTCTime = 23,
35 | GeneralizedTime = 24,
36 | GeneralString = 27,
37 | }
38 | }
39 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/KERB_LOGON_SUBMIT_TYPE.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2016 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Win32.Security.Native
16 | {
17 | internal enum KERB_LOGON_SUBMIT_TYPE // used as the MessageType field of KERB_TICKET_LOGON in this listing
18 | {
19 | KerbInteractiveLogon = 2, // values are explicit and non-contiguous; they have to match the native numbering exactly
20 | KerbSmartCardLogon = 6,
21 | KerbWorkstationUnlockLogon = 7,
22 | KerbSmartCardUnlockLogon = 8,
23 | KerbProxyLogon = 9,
24 | KerbTicketLogon = 10,
25 | KerbTicketUnlockLogon = 11,
26 | KerbS4ULogon = 12,
27 | KerbCertificateLogon = 13,
28 | KerbCertificateS4ULogon = 14,
29 | KerbCertificateUnlockLogon = 15,
30 | KerbNoElevationLogon = 83,
31 | KerbLuidLogon = 84,
32 | }
33 | }
34 |
--------------------------------------------------------------------------------
/NtApiDotNet/Ndr/Marshal/INdrNonEncapsulatedUnion.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Ndr.Marshal
16 | {
17 | /// <summary>
18 | /// Interface for a marshalled non-encapsulated NDR union.
19 | /// </summary>
20 | /// <remarks>This interface is primarily for internal use only.</remarks>
21 | public interface INdrNonEncapsulatedUnion : INdrStructure
22 | {
23 | /// <summary>
24 | /// Marshal the union to a stream.
25 | /// </summary>
26 | /// <param name="selector">The selector for union arm.</param>
27 | /// <param name="marshal">The marshal stream.</param>
28 | void Marshal(NdrMarshalBuffer marshal, long selector);
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/SecPkgInfo.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using NtApiDotNet.Win32.Security.Authentication;
16 | using System.Runtime.InteropServices;
17 |
18 | namespace NtApiDotNet.Win32.Security.Native
19 | {
20 | #pragma warning disable 1591
21 | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] // sequential layout; strings use the wide-character form
22 | internal struct SecPkgInfo // description of one security package
23 | {
24 | public SecPkgCapabilityFlag fCapabilities; // capability bit flags
25 | public short wVersion; // unsigned 16-bit natively; declared as a signed short here
26 | public short wRPCID; // unsigned 16-bit natively; declared as a signed short here
27 | public int cbMaxToken; // per the SSPI definition, the largest token in bytes the package produces; callers size token buffers from it
28 | [MarshalAs(UnmanagedType.LPWStr)]
29 | public string Name; // marshalled from a pointer to a NUL-terminated wide string
30 | [MarshalAs(UnmanagedType.LPWStr)]
31 | public string Comment; // marshalled from a pointer to a NUL-terminated wide string
32 | }
33 | }
34 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/CENTRAL_ACCESS_POLICY_ENTRY.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
18 | namespace NtApiDotNet.Win32.Security.Native
19 | {
20 | [StructLayout(LayoutKind.Sequential)] // fields are laid out in declaration order
21 | internal struct CENTRAL_ACCESS_POLICY_ENTRY // one rule of a central access policy; each buffer is a raw pointer paired with the length field declared just before it
22 | {
23 | public UnicodeStringOut Name;
24 | public UnicodeStringOut Description;
25 | public UnicodeStringOut ChangeId;
26 | public int LengthAppliesTo; // byte length of AppliesTo; signed here, so check it is non-negative before copying
27 | public IntPtr AppliesTo; // raw pointer to the applies-to data
28 | public int LengthSD; // byte length of SD
29 | public IntPtr SD; // raw pointer; presumably a self-relative security descriptor - confirm against the reader
30 | public int LengthStagedSD; // byte length of StagedSD
31 | public IntPtr StagedSD; // raw pointer to the staged security descriptor
32 | public uint Flags;
33 | }
34 | }
35 |
--------------------------------------------------------------------------------
/NtApiDotNet/NtEtwRegistration.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet
16 | {
/// <summary>
/// Class to represent an NT ETW registration object (NT type name "EtwRegistration").
/// </summary>
[NtType("EtwRegistration")]
public class NtEtwRegistration : NtObjectWithDuplicate
{
    #region Constructors
    // Type factory for this object type. The meaning of the `false` argument is
    // defined by NtTypeFactoryImplBase, which is not part of this file.
    internal sealed class NtTypeFactoryImpl : NtTypeFactoryImplBase
    {
        public NtTypeFactoryImpl() : base(false)
        {
        }
    }

    // Wraps an existing kernel handle; the handle is passed straight to the base class.
    internal NtEtwRegistration(SafeKernelObjectHandle handle) : base(handle)
    {
    }
    #endregion
}
36 | }
37 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/TOKEN_SOURCE.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2016 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 | using System.Text;
18 |
19 | namespace NtApiDotNet.Win32.Security.Native
20 | {
/// <summary>
/// Managed layout for the native TOKEN_SOURCE structure: a fixed 8 byte
/// source name followed by a LUID.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
internal class TOKEN_SOURCE
{
    // Marshalled inline as exactly 8 bytes; there is no room for a terminator
    // when the name uses all 8.
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
    public byte[] SourceName;
    public Luid SourceIdentifier;

    /// <summary>
    /// Build a token source from a name.
    /// </summary>
    /// <param name="source_name">
    /// Name to store. It is encoded as ASCII (characters outside ASCII are
    /// substituted by the encoder), then zero padded or silently truncated to
    /// 8 bytes, so two longer names sharing an 8 character prefix become identical.
    /// </param>
    public TOKEN_SOURCE(string source_name)
    {
        byte[] encoded = Encoding.ASCII.GetBytes(source_name);
        byte[] fixed_name = new byte[8];
        Array.Copy(encoded, fixed_name, Math.Min(encoded.Length, fixed_name.Length));
        SourceName = fixed_name;
        SourceIdentifier = new Luid();
    }
}
35 | }
36 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Policy/AccountRightLogonType.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Win32.Security.Policy
16 | {
17 | #pragma warning disable 1591
/// <summary>
/// List of account rights. Not the same as privileges.
/// </summary>
/// <remarks>
/// These are the Windows logon rights that decide which logon types an account
/// may use. Each allow right has a matching deny right; when an account holds
/// both, Windows applies the deny right. Member values are implicit (0..9 in
/// declaration order), so inserting or reordering members changes them.
/// </remarks>
public enum AccountRightLogonType
{
    // Log on locally.
    SeInteractiveLogonRight,
    // Access this computer from the network.
    SeNetworkLogonRight,
    // Log on as a batch job.
    SeBatchLogonRight,
    // Log on as a service.
    SeServiceLogonRight,
    // Log on through Remote Desktop Services.
    SeRemoteInteractiveLogonRight,
    // Deny counterparts of the five rights above, in the same order.
    SeDenyInteractiveLogonRight,
    SeDenyNetworkLogonRight,
    SeDenyBatchLogonRight,
    SeDenyServiceLogonRight,
    SeDenyRemoteInteractiveLogonRight,
}
34 | }
35 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Debugger/DataSymbolInformation.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Win32.Debugger
16 | {
/// <summary>
/// Symbol information for a data value.
/// </summary>
public class DataSymbolInformation : SymbolInformation
{
    /// <summary>
    /// Address of the symbol.
    /// </summary>
    public long Address { get; }

    // Everything except the address is forwarded unchanged to SymbolInformation;
    // the address is stored as given, with no validation here.
    internal DataSymbolInformation(SymTagEnum tag, int size, int type_index,
        long address, SymbolLoadedModule module, string name)
        : base(tag, size, type_index, module, name)
    {
        Address = address;
    }
}
34 | }
35 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/SafeHandles/SafeLsaMemoryBuffer.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using NtApiDotNet.Win32.Security.Native;
16 | using System;
17 |
18 | namespace NtApiDotNet.Win32.SafeHandles
19 | {
/// <summary>
/// Safe buffer whose memory is released through LsaFreeMemory.
/// </summary>
internal class SafeLsaMemoryBuffer : SafeBufferGeneric
{
    /// <summary>
    /// Create an empty buffer: null pointer, zero length. The trailing
    /// <c>true</c> is presumably the owns-handle flag of the base class.
    /// </summary>
    public SafeLsaMemoryBuffer()
        : base(IntPtr.Zero, 0, true)
    {
    }

    /// <summary>
    /// A null pointer is the only value treated as invalid.
    /// </summary>
    public override bool IsInvalid
    {
        get { return IntPtr.Zero == handle; }
    }

    /// <summary>
    /// Free the memory and report whether the native call succeeded.
    /// </summary>
    protected override bool ReleaseHandle()
    {
        var status = SecurityNativeMethods.LsaFreeMemory(handle);
        return status.IsSuccess();
    }
}
40 | }
41 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Authentication/IAuthenticationContext.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Win32.Security.Authentication
16 | {
/// <summary>
/// Interface for authentication contexts.
/// </summary>
public interface IAuthenticationContext
{
    /// <summary>
    /// The current authentication token.
    /// </summary>
    AuthenticationToken Token { get; }

    /// <summary>
    /// Whether the authentication is done.
    /// </summary>
    bool Done { get; }

    /// <summary>
    /// Expiry of the authentication.
    /// </summary>
    // NOTE(review): the unit and epoch of this raw long are not stated here;
    // confirm before comparing it with a clock value.
    long Expiry { get; }
}
37 | }
38 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/SecureStringMarshal.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 | using System.Security;
18 |
19 | namespace NtApiDotNet.Win32.Security.Native
20 | {
21 | #pragma warning disable 1591
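/// <summary>
/// Holds the plaintext of a <see cref="SecureString"/> as an unmanaged BSTR for
/// the duration of a native call, and zeroes and frees it on dispose.
/// </summary>
/// <remarks>
/// While <see cref="Ptr"/> is non-zero the secret sits in unmanaged memory in
/// the clear, so keep the lifetime short and always dispose (for example with
/// a using block). This is a struct: a copy made before <see cref="Dispose"/>
/// keeps the old pointer value and must not be used or disposed afterwards.
/// </remarks>
[StructLayout(LayoutKind.Sequential)]
internal struct SecureStringMarshal : IDisposable
{
    // Raw BSTR pointer; the only field, so the struct marshals as one pointer.
    public IntPtr Ptr;

    /// <summary>
    /// Copy the secure string into a newly allocated BSTR.
    /// </summary>
    /// <param name="s">The secure string to expose to native code.</param>
    public SecureStringMarshal(SecureString s)
    {
        Ptr = Marshal.SecureStringToBSTR(s);
    }

    /// <summary>
    /// Zero and free the BSTR. Safe to call more than once on the same instance.
    /// </summary>
    public void Dispose()
    {
        if (Ptr != IntPtr.Zero)
        {
            Marshal.ZeroFreeBSTR(Ptr);
            // Clear the pointer so a second Dispose cannot free it again and
            // later readers do not see a dangling address.
            Ptr = IntPtr.Zero;
        }
    }
}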
40 | }
41 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Authentication/AuthenticationImpersonationContext.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using NtApiDotNet.Win32.Security.Native;
16 | using System;
17 |
18 | namespace NtApiDotNet.Win32.Security.Authentication
19 | {
/// <summary>
/// Impersonation context for a server authentication.
/// </summary>
/// <remarks>
/// Disposing the value calls RevertSecurityContext on the stored handle.
/// Dispose is an explicit interface implementation, so it is reached through
/// <see cref="IDisposable"/>, typically a using block. Keep the impersonated
/// region as small as possible and make sure every path out of it disposes
/// the context.
/// </remarks>
public struct AuthenticationImpersonationContext : IDisposable
{
    // Security context handle to revert; default(AuthenticationImpersonationContext)
    // carries a default SecHandle.
    private readonly SecHandle _context;

    internal AuthenticationImpersonationContext(SecHandle context)
    {
        _context = context;
    }

    void IDisposable.Dispose()
    {
        // NOTE(review): the result of RevertSecurityContext is discarded. If the
        // revert fails nothing reports it, and code after the using block would
        // still run under the impersonated identity; consider recording the
        // failure so it can be noticed.
        SecurityNativeMethods.RevertSecurityContext(_context);
    }
}
37 | }
38 |
--------------------------------------------------------------------------------
/NtApiDotNet/Utilities/ASN1/OIDValues.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Utilities.ASN1
16 | {
/// <summary>
/// Class containing known OID values.
/// </summary>
internal static class OIDValues
{
    // GSS-API Kerberos name type (RFC 1964 gss_nt_krb5_name).
    internal const string KERBEROS_NAME = "1.2.840.113554.1.2.2.1";
    // GSS-API Kerberos principal name type (RFC 1964 gss_nt_krb5_principal).
    internal const string KERBEROS_PRINCIPAL = "1.2.840.113554.1.2.2.2";
    // Kerberos V5 user-to-user mechanism.
    internal const string KERBEROS_USER_TO_USER_OID = "1.2.840.113554.1.2.2.3";
    // Kerberos V5 GSS-API mechanism.
    internal const string KERBEROS_OID = "1.2.840.113554.1.2.2";
    // Legacy Microsoft Kerberos mechanism OID; differs from KERBEROS_OID only in
    // the fourth arc and is still offered in SPNEGO mechanism lists.
    internal const string MS_KERBEROS = "1.2.840.48018.1.2.2";
    // NTLMSSP mechanism.
    internal const string NTLM_SSP = "1.3.6.1.4.1.311.2.2.10";
    // NegoEx (SPNEGO extended negotiation) mechanism.
    internal const string MS_NEGOX = "1.3.6.1.4.1.311.2.2.30";
}
30 | }
31 |
--------------------------------------------------------------------------------
/app.manifest:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/NtApiDotNet/SafeIoStatusBuffer.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 |
17 | namespace NtApiDotNet
18 | {
/// <summary>
/// Non-generic buffer to hold an IO_STATUS_BLOCK.
/// </summary>
public sealed class SafeIoStatusBuffer : SafeStructureInOutBuffer
{
    /// <summary>
    /// Constructor.
    /// </summary>
    public SafeIoStatusBuffer()
    {
    }

    // Used only for the Null value: wraps IntPtr.Zero and passes false as the
    // last base argument, so there is nothing for it to release.
    private SafeIoStatusBuffer(int dummy_length)
        : base(IntPtr.Zero, dummy_length, false)
    {
    }

    /// <summary>
    /// Get a buffer which represents NULL. Every access returns a new instance.
    /// </summary>
    public static new SafeIoStatusBuffer Null
    {
        get
        {
            return new SafeIoStatusBuffer(0);
        }
    }
}
40 | }
41 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Debugger/SymbolInformationType.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Win32.Debugger
16 | {
/// <summary>
/// Enumeration for symbol type information.
/// </summary>
public enum SymbolInformationType
{
    /// <summary>
    /// None.
    /// </summary>
    None = 0,
    /// <summary>
    /// UDT.
    /// </summary>
    UserDefinedType,
    /// <summary>
    /// Enumerated type.
    /// </summary>
    EnumeratedType,
    /// <summary>
    /// A base type.
    /// </summary>
    BaseType,
    /// <summary>
    /// Undefined.
    /// </summary>
    UndefinedType,
}
43 | }
44 |
--------------------------------------------------------------------------------
/NtApiDotNet/NtAlpcUtils.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet
16 | {
/// <summary>
/// Static utilities for ALPC.
/// </summary>
internal static class NtAlpcUtils
{
    // Returns the shared Null buffer when no attributes are supplied; otherwise
    // converts them to a buffer and registers it with the list, which then
    // holds it as one of its resources.
    internal static SafeAlpcMessageAttributesBuffer GetAttributesBuffer(this DisposableList list, IMessageAttributes attrs)
    {
        if (attrs == null)
        {
            return SafeAlpcMessageAttributesBuffer.Null;
        }
        return list.AddResource(attrs.ToSafeBuffer());
    }

    // Same pattern for a message: Null buffer for a null message, otherwise a
    // buffer registered with the list.
    internal static SafeAlpcPortMessageBuffer GetMessageBuffer(this DisposableList list, AlpcMessage message)
    {
        if (message != null)
        {
            return list.AddResource(message.ToSafeBuffer());
        }
        return SafeAlpcPortMessageBuffer.Null;
    }
}
36 | }
37 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Authentication/Kerberos/KRB_CHKSUM_TYPE.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Win32.Security.Authentication.Kerberos
16 | {
17 | #pragma warning disable 1591
/// <summary>
/// Kerberos Checksum Type.
/// </summary>
/// <remarks>
/// Positive values follow the Kerberos checksum type numbers assigned through
/// RFC 3961; the negative values are Microsoft additions. When reviewing
/// captured tickets or authenticators, note that CRC32 and the plain
/// MD4/MD5/SHA1 entries are unkeyed and the DES based entries are legacy, so
/// none of them should be relied on for integrity; the HMAC-SHA1-96-AES
/// types are the ones to expect in a hardened domain.
/// </remarks>
public enum KRB_CHKSUM_TYPE
{
    NONE = 0,
    // Unkeyed CRC; detects accidental corruption only.
    CRC32 = 1,
    // MD4 family (unkeyed, then DES keyed variants).
    RSA_MD4 = 2,
    RSA_MD4_DES = 3,
    DES_MAC = 4,
    DES_MAC_K = 5,
    RSA_MD4_DES_K = 6,
    // MD5 family (unkeyed, then DES / 3DES keyed variants).
    RSA_MD5 = 7,
    RSA_MD5_DES = 8,
    RSA_MD5_DES3 = 9,
    // Unkeyed SHA-1.
    SHA1_OTHER = 10,
    HMAC_SHA1_DES3 = 12,
    // Unkeyed SHA-1.
    SHA1 = 14,
    // Checksums paired with the AES128 / AES256 encryption types.
    HMAC_SHA1_96_AES_128 = 15,
    HMAC_SHA1_96_AES_256 = 16,
    // 0x8003: the GSS-API checksum carried in an authenticator.
    GSSAPI = 32771,
    // HMAC-MD5 as used with RC4-HMAC (RFC 4757).
    HMAC_MD5 = -138,
    // Microsoft specific variant; not an RFC 3961 assignment.
    HMAC_MD5_ENC = -1138
}
42 | }
43 |
--------------------------------------------------------------------------------
/NtApiDotNet/UnicodeStringBytesSafeBuffer.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet
16 | {
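/// <summary>
/// Implements a UnicodeString which contains raw bytes.
/// </summary>
/// <remarks>
/// The bytes are copied into the buffer owned by this object and the
/// structure's Buffer field is pointed at that copy, so the pointer is only
/// meaningful while this object has not been disposed.
/// </remarks>
public class UnicodeStringBytesSafeBuffer : SafeStructureInOutBuffer
{
    /// <summary>
    /// Constructor.
    /// </summary>
    /// <param name="ba">The bytes for the name. At most 65535 bytes, the
    /// largest value the 16 bit length fields can hold.</param>
    /// <exception cref="System.ArgumentNullException">Thrown if <paramref name="ba"/> is null.</exception>
    /// <exception cref="System.ArgumentException">Thrown if <paramref name="ba"/> is longer than 65535 bytes.</exception>
    public UnicodeStringBytesSafeBuffer(byte[] ba)
        : base(CheckedLength(ba), true)
    {
        // CheckedLength has already proven this cast cannot wrap.
        ushort length = (ushort)ba.Length;
        Data.WriteBytes(ba);
        Result = new UnicodeStringOut
        {
            Length = length,
            MaximumLength = length,
            // Raw pointer to the trailing data written just above.
            Buffer = Data.DangerousGetHandle()
        };
    }

    // Validate the input before the base constructor allocates anything. Without
    // this check a longer array was copied in full while Length/MaximumLength
    // silently wrapped modulo 65536, describing a different string than the
    // bytes supplied.
    private static int CheckedLength(byte[] ba)
    {
        if (ba == null)
        {
            throw new System.ArgumentNullException(nameof(ba));
        }
        if (ba.Length > ushort.MaxValue)
        {
            throw new System.ArgumentException("Byte array is too long for a UNICODE_STRING length field.", nameof(ba));
        }
        return ba.Length;
    }
}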
38 | }
39 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/AUTHZ_CONTEXT_INFORMATION_CLASS.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Win32.Security.Native
16 | {
// Selects which piece of information is requested about an AuthZ client
// context. Numbering starts at 1 and continues implicitly, so the position of
// each member is part of the native contract: append only, never reorder.
internal enum AUTHZ_CONTEXT_INFORMATION_CLASS
{
    AuthzContextInfoUserSid = 1,
    AuthzContextInfoGroupsSids,
    AuthzContextInfoRestrictedSids,
    AuthzContextInfoPrivileges,
    AuthzContextInfoExpirationTime,
    AuthzContextInfoServerContext,
    AuthzContextInfoIdentifier,
    AuthzContextInfoSource,
    AuthzContextInfoAll,
    AuthzContextInfoAuthenticationId,
    AuthzContextInfoSecurityAttributes,
    AuthzContextInfoDeviceSids,
    AuthzContextInfoUserClaims,
    AuthzContextInfoDeviceClaims,
    AuthzContextInfoAppContainerSid,
    AuthzContextInfoCapabilitySids
}
36 | }
37 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/SafeHandles/SafeLocalAllocBuffer.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
18 | namespace NtApiDotNet.Win32.SafeHandles
19 | {
/// <summary>
/// Safe buffer for memory that is released with LocalFree.
/// </summary>
internal sealed class SafeLocalAllocBuffer : SafeBuffer
{
    /// <summary>
    /// Create an empty, owning buffer.
    /// </summary>
    public SafeLocalAllocBuffer()
        : base(true)
    {
    }

    /// <summary>
    /// Wrap an existing allocation.
    /// </summary>
    /// <param name="handle">Pointer to the allocation.</param>
    /// <param name="owns_handle">True if this object should free the memory.
    /// Pass false for memory owned elsewhere, otherwise it is freed twice.</param>
    public SafeLocalAllocBuffer(IntPtr handle, bool owns_handle)
        : base(owns_handle)
    {
        SetHandle(handle);
    }

    /// <summary>
    /// A null pointer is the only value treated as invalid.
    /// </summary>
    public override bool IsInvalid
    {
        get { return IntPtr.Zero == handle; }
    }

    /// <summary>
    /// Free the memory; the result is true when LocalFree returns a null pointer.
    /// </summary>
    protected override bool ReleaseHandle()
    {
        IntPtr result = Win32NativeMethods.LocalFree(handle);
        return result == IntPtr.Zero;
    }
}
45 | }
46 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Debugger/ArrayTypeInformation.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Win32.Debugger
16 | {
/// <summary>
/// Type information for an array.
/// </summary>
public class ArrayTypeInformation : TypeInformation
{
    /// <summary>
    /// Get array element type.
    /// </summary>
    public TypeInformation ArrayType { get; }
    /// <summary>
    /// Get number of array elements.
    /// </summary>
    public int Count { get; }

    // The base type is created with the array tag, a size of 0 and an empty name.
    internal ArrayTypeInformation(int type_index, SymbolLoadedModule module, TypeInformation array_type)
        : base(SymTagEnum.SymTagArrayType, 0, type_index, module, string.Empty)
    {
        ArrayType = array_type;
        // NOTE(review): Count is documented as the number of elements but is
        // taken from array_type.Size, i.e. the Size of the element type. Confirm
        // this is intended. The cast to int is unchecked, and a null array_type
        // fails here with a NullReferenceException.
        Count = (int)array_type.Size;
    }
}
38 | }
39 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/WnfServiceTriggerInformation.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Linq;
17 |
18 | namespace NtApiDotNet.Win32
19 | {
20 | #pragma warning disable 1591
/// <summary>
/// Service trigger information for a WNF based trigger.
/// </summary>
public class WnfServiceTriggerInformation : ServiceTriggerInformation
{
    /// <summary>
    /// The WNF state name decoded from the trigger data. Left null when the
    /// first custom data item is missing or is not exactly 8 bytes long, or
    /// when opening the name yields no result.
    /// </summary>
    public NtWnf Name { get; }

    internal WnfServiceTriggerInformation(SERVICE_TRIGGER trigger)
        : base(trigger)
    {
        var first_item = CustomData.FirstOrDefault();
        var raw = first_item?.RawData;

        // A state name is a 64 bit value, so anything that is not exactly
        // 8 bytes is ignored rather than parsed.
        if (raw != null && raw.Length == 8)
        {
            ulong state_name = BitConverter.ToUInt64(raw, 0);
            Name = NtWnf.Open(state_name, true, false).GetResultOrDefault();
        }
    }

    /// <summary>
    /// Same text as the base class.
    /// </summary>
    public override string ToString() => base.ToString();
}
42 | #pragma warning restore
43 | }
44 |
--------------------------------------------------------------------------------
/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
// These values are written into the compiled assembly's metadata, so the
// title and product strings can be read back from any build of this project,
// which makes them usable for identifying the binary.
[assembly: AssemblyTitle("SharpPotato")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("SharpPotato")]
[assembly: AssemblyCopyright("Copyright © 2020")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
// The GUID is also stored in the assembly metadata and stays the same across
// rebuilds unless it is edited here, so it is a stable value for detection
// rules that match on .NET assembly attributes.
[assembly: Guid("1bf9c10f-6f89-4520-9d2e-aaf17d17ba5e")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/SafeHandles/SafeCoTaskMemHandle.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
18 | namespace NtApiDotNet.Win32.SafeHandles
19 | {
/// <summary>
/// Safe handle for memory that is released with Marshal.FreeCoTaskMem.
/// </summary>
internal sealed class SafeCoTaskMemHandle : SafeHandle
{
    /// <summary>
    /// Create an empty, owning handle.
    /// </summary>
    public SafeCoTaskMemHandle()
        : base(IntPtr.Zero, true)
    {
    }

    /// <summary>
    /// Wrap an existing allocation.
    /// </summary>
    /// <param name="handle">Pointer to the allocation.</param>
    /// <param name="owns_handle">True if this object should free the memory.
    /// Pass false for memory owned elsewhere, otherwise it is freed twice.</param>
    public SafeCoTaskMemHandle(IntPtr handle, bool owns_handle)
        : base(IntPtr.Zero, owns_handle)
    {
        SetHandle(handle);
    }

    /// <summary>
    /// A null pointer is the only value treated as invalid.
    /// </summary>
    public override bool IsInvalid
    {
        get { return IntPtr.Zero == handle; }
    }

    /// <summary>
    /// Free the memory. Always reports success.
    /// </summary>
    protected override bool ReleaseHandle()
    {
        Marshal.FreeCoTaskMem(handle);
        return true;
    }
}
46 | }
47 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/SafeHandles/SafeAuditBuffer.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using NtApiDotNet.Win32.Security.Native;
16 | using System;
17 | using System.Runtime.InteropServices;
18 |
19 | namespace NtApiDotNet.Win32.SafeHandles
20 | {
/// <summary>
/// Safe buffer for memory that is released with AuditFree.
/// </summary>
internal class SafeAuditBuffer : SafeBuffer
{
    /// <summary>
    /// Create an empty, owning buffer.
    /// </summary>
    public SafeAuditBuffer()
        : base(true)
    {
    }

    /// <summary>
    /// Wrap an existing allocation.
    /// </summary>
    /// <param name="handle">Pointer to the allocation.</param>
    /// <param name="owns_handle">True if this object should free the memory.
    /// Pass false for memory owned elsewhere, otherwise it is freed twice.</param>
    public SafeAuditBuffer(IntPtr handle, bool owns_handle)
        : base(owns_handle)
    {
        SetHandle(handle);
    }

    /// <summary>
    /// A null pointer is the only value treated as invalid.
    /// </summary>
    public override bool IsInvalid
    {
        get { return IntPtr.Zero == handle; }
    }

    /// <summary>
    /// Free the memory. Always reports success; the native call's outcome is not checked.
    /// </summary>
    protected override bool ReleaseHandle()
    {
        SecurityNativeMethods.AuditFree(handle);
        return true;
    }
}
47 | }
48 |
--------------------------------------------------------------------------------
/NtApiDotNet/Ndr/NdrProtocolSequenceEndpoint.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using NtApiDotNet.Utilities.Memory;
16 | using System;
17 |
18 | namespace NtApiDotNet.Ndr
19 | {
20 | /// <summary>
21 | /// Class representing an RPC protocol sequence and endpoint pair.
22 | /// </summary>
23 | [Serializable] // NOTE(review): serializable type; only deserialize instances from trusted data
24 | public class NdrProtocolSequenceEndpoint
25 | {
26 | /// <summary>
27 | /// The protocol sequence for the endpoint.
28 | /// </summary>
29 | public string ProtocolSequence { get; }
30 | /// <summary>
31 | /// The endpoint name.
32 | /// </summary>
33 | public string Endpoint { get; }
34 |
35 | internal NdrProtocolSequenceEndpoint(RPC_PROTSEQ_ENDPOINT protseq, IMemoryReader reader) // both strings are obtained through the supplied reader
36 | {
37 | ProtocolSequence = protseq.GetRpcProtocolSequence(reader);
38 | Endpoint = protseq.GetEndpoint(reader);
39 | }
40 | }
41 | }
42 |
--------------------------------------------------------------------------------
/NtApiDotNet/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.InteropServices;
3 |
4 | // General Information about an assembly is controlled through the following
5 | // set of attributes. Change these attribute values to modify the information
6 | // associated with an assembly.
7 | [assembly: AssemblyTitle("NtApiDotNet")]
8 | [assembly: AssemblyDescription("")]
9 | [assembly: AssemblyConfiguration("")]
10 | [assembly: AssemblyCompany("Google Inc.")]
11 | [assembly: AssemblyProduct("NtApiDotNet")]
12 | [assembly: AssemblyCopyright("Copyright © Google Inc. 2016-2020")]
13 | [assembly: AssemblyTrademark("")]
14 | [assembly: AssemblyCulture("")]
15 |
16 | // Setting ComVisible to false makes the types in this assembly not visible
17 | // to COM components. If you need to access a type in this assembly from
18 | // COM, set the ComVisible attribute to true on that type.
19 | [assembly: ComVisible(false)] // keeps the library's types out of COM unless a type opts in
20 |
21 | // The following GUID is for the ID of the typelib if this project is exposed to COM
22 | [assembly: Guid("6aeb5004-6093-4c23-aeae-911d64cacc58")]
23 |
24 | // Version information for an assembly consists of the following four values:
25 | //
26 | // Major Version
27 | // Minor Version
28 | // Build Number
29 | // Revision
30 | //
31 | // You can specify all the values or you can default the Build and Revision Numbers
32 | // by using the '*' as shown below:
33 | // [assembly: AssemblyVersion("1.0.*")]
34 | [assembly: AssemblyVersion("1.0.0.0")] // fixed at 1.0.0.0; the release number is carried by the two attributes below
35 | [assembly: AssemblyFileVersion("1.1.27.0")]
36 | [assembly: AssemblyInformationalVersion("1.1.27")]
--------------------------------------------------------------------------------
/NtApiDotNet/Ndr/NdrParserException.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2018 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 |
17 | namespace NtApiDotNet.Ndr
18 | {
19 | /// <summary>
20 | /// Exception thrown when NDR parsing fails.
21 | /// </summary>
22 | public class NdrParserException : ApplicationException
23 | {
24 | /// <summary>
25 | /// Constructor.
26 | /// </summary>
27 | /// <param name="message">Exception message.</param>
28 | public NdrParserException(string message)
29 | : base(message)
30 | {
31 | }
32 |
33 | /// <summary>
34 | /// Constructor.
35 | /// </summary>
36 | /// <param name="message">Exception message.</param>
37 | /// <param name="inner_exception">Inner exception to wrap.</param>
38 | public NdrParserException(string message, Exception inner_exception)
39 | : base(message, inner_exception)
40 | {
41 | }
42 | }
43 | }
44 |
--------------------------------------------------------------------------------
/NtApiDotNet/INtTransaction.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2018 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet
16 | {
17 | /// <summary>
18 | /// Interface to abstract the kernel transaction manager support.
19 | /// </summary>
20 | public interface INtTransaction
21 | {
22 | /// <summary>
23 | /// Get handle for the transaction.
24 | /// </summary>
25 | SafeKernelObjectHandle Handle { get; }
26 |
27 | /// <summary>
28 | /// Commit the transaction.
29 | /// </summary>
30 | void Commit();
31 |
32 | /// <summary>
33 | /// Rollback the transaction.
34 | /// </summary>
35 | void Rollback();
36 |
37 | /// <summary>
38 | /// Enable the transaction for anything in the current thread context.
39 | /// </summary>
40 | /// <returns>The transaction context. This should be disposed to disable the transaction.</returns>
41 | TransactionContext Enable(); // NOTE(review): the scope is the calling thread; dispose the context on that thread so later work does not run inside the transaction
42 | }
43 | }
44 |
--------------------------------------------------------------------------------
/NtApiDotNet/Ndr/Marshal/INdrStructure.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Ndr.Marshal
16 | {
17 | /// <summary>
18 | /// Interface for a marshalled NDR structure.
19 | /// </summary>
20 | /// <remarks>This interface is primarily for internal use only.</remarks>
21 | public interface INdrStructure
22 | {
23 | /// <summary>
24 | /// Marshal the structure to a stream.
25 | /// </summary>
26 | /// <param name="marshal">The marshal stream.</param>
27 | void Marshal(NdrMarshalBuffer marshal);
28 | /// <summary>
29 | /// Unmarshal the structure from a stream.
30 | /// </summary>
31 | /// <param name="unmarshal">The unmarshal stream.</param>
32 | void Unmarshal(NdrUnmarshalBuffer unmarshal); // NOTE(review): the stream may carry data from an untrusted peer; implementations should bound counts and sizes they read
33 | /// <summary>
34 | /// Get the structure's alignment.
35 | /// </summary>
36 | /// <returns>The structure's alignment.</returns>
37 | int GetAlignment();
38 | }
39 | }
40 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/LsaLogonUserFlags.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 |
17 | namespace NtApiDotNet.Win32.Security.Native
18 | {
19 | #pragma warning disable 1591
20 | /// <summary>
21 | /// Logon UserFlags. Member values match the LOGON_* constants named on each line.
22 | /// </summary>
23 | [Flags]
24 | public enum LsaLogonUserFlags
25 | {
26 | Guest = 0x01, // LOGON_GUEST
27 | NoEncryption = 0x02, // LOGON_NOENCRYPTION
28 | CachedAccount = 0x04, // LOGON_CACHED_ACCOUNT
29 | UsedLmPassword = 0x08, // LOGON_USED_LM_PASSWORD
30 | ExtraSids = 0x20, // LOGON_EXTRA_SIDS (0x10 has no member in this enum)
31 | SubAuthSessionKey = 0x40, // LOGON_SUBAUTH_SESSION_KEY
32 | ServerTrustAccount = 0x80, // LOGON_SERVER_TRUST_ACCOUNT
33 | NtlmV2Enabled = 0x100, // LOGON_NTLMV2_ENABLED
34 | ResourceGroups = 0x200, // LOGON_RESOURCE_GROUPS
35 | ProfilePathReturned = 0x400, // LOGON_PROFILE_PATH_RETURNED
36 | NtV2 = 0x800, // LOGON_NT_V2
37 | LmV2 = 0x1000, // LOGON_LM_V2
38 | NtlmV2 = 0x2000, // LOGON_NTLM_V2
39 | Optimized = 0x4000, // LOGON_OPTIMIZED
40 | WinLogon = 0x8000, // LOGON_WINLOGON
41 | PKInit = 0x10000, // LOGON_PKINIT
42 | NoOptimized = 0x20000, // LOGON_NO_OPTIMIZED
43 | NoElevation = 0x40000, // LOGON_NO_ELEVATION
44 | ManagedService = 0x80000, // LOGON_MANAGED_SERVICE
45 | }
46 | }
47 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/SafeHandles/SafeLsaReturnBufferHandle.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using NtApiDotNet.Win32.Security.Native;
16 | using System;
17 | using System.Runtime.InteropServices;
18 |
19 | namespace NtApiDotNet.Win32.SafeHandles
20 | {
/// <summary>
/// Safe buffer over memory that is released with
/// <c>SecurityNativeMethods.LsaFreeReturnBuffer</c>.
/// </summary>
/// <remarks>
/// Only a zero pointer is reported as invalid. An owning instance frees its pointer on
/// release, so the same native pointer must not be owned by two instances.
/// </remarks>
internal class SafeLsaReturnBufferHandle : SafeBuffer
{
    /// <summary>
    /// Creates an owning buffer with no pointer assigned yet.
    /// </summary>
    public SafeLsaReturnBufferHandle()
        : base(true)
    {
    }

    /// <summary>
    /// Wraps an existing native pointer.
    /// </summary>
    /// <param name="handle">The native pointer to wrap.</param>
    /// <param name="owns_handle">True if this instance should free the pointer on release.</param>
    public SafeLsaReturnBufferHandle(IntPtr handle, bool owns_handle)
        : base(owns_handle)
    {
        SetHandle(handle);
    }

    /// <summary>
    /// True when the wrapped pointer is zero.
    /// </summary>
    public override bool IsInvalid => handle == IntPtr.Zero;

    /// <summary>
    /// Frees the wrapped pointer through LsaFreeReturnBuffer.
    /// </summary>
    /// <returns>Always true; the status of the native call is not inspected.</returns>
    protected override bool ReleaseHandle()
    {
        SecurityNativeMethods.LsaFreeReturnBuffer(handle);
        return true;
    }
}
48 | }
49 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/SafeHandles/SafeAuthZClientContextHandle.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using NtApiDotNet.Win32.Security.Native;
16 | using System;
17 | using System.Runtime.InteropServices;
18 |
19 | namespace NtApiDotNet.Win32.SafeHandles
20 | {
/// <summary>
/// Safe handle for an AuthZ client context, released with
/// <c>SecurityNativeMethods.AuthzFreeContext</c>.
/// </summary>
internal class SafeAuthZClientContextHandle : SafeHandle
{
    /// <summary>
    /// Creates an owning handle that starts out as zero.
    /// </summary>
    public SafeAuthZClientContextHandle()
        : base(IntPtr.Zero, true)
    {
    }

    /// <summary>
    /// Wraps an existing native handle.
    /// </summary>
    /// <param name="handle">The native handle to wrap.</param>
    /// <param name="owns_handle">True if this instance should free the handle on release.</param>
    public SafeAuthZClientContextHandle(IntPtr handle, bool owns_handle)
        : base(IntPtr.Zero, owns_handle)
    {
        SetHandle(handle);
    }

    /// <summary>
    /// True when the wrapped handle is zero.
    /// </summary>
    public override bool IsInvalid => handle == IntPtr.Zero;

    /// <summary>
    /// Frees the context.
    /// </summary>
    /// <returns>The result reported by AuthzFreeContext.</returns>
    protected override bool ReleaseHandle()
    {
        bool released = SecurityNativeMethods.AuthzFreeContext(handle);
        return released;
    }
}
47 | }
48 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/SafeHandles/SafeAuthZResourceManagerHandle.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using NtApiDotNet.Win32.Security.Native;
16 | using System;
17 | using System.Runtime.InteropServices;
18 |
19 | namespace NtApiDotNet.Win32.SafeHandles
20 | {
/// <summary>
/// Safe handle for an AuthZ resource manager, released with
/// <c>SecurityNativeMethods.AuthzFreeResourceManager</c>.
/// </summary>
internal class SafeAuthZResourceManagerHandle : SafeHandle
{
    /// <summary>
    /// Creates an owning handle that starts out as zero.
    /// </summary>
    public SafeAuthZResourceManagerHandle()
        : base(IntPtr.Zero, true)
    {
    }

    /// <summary>
    /// Wraps an existing native handle.
    /// </summary>
    /// <param name="handle">The native handle to wrap.</param>
    /// <param name="owns_handle">True if this instance should free the handle on release.</param>
    public SafeAuthZResourceManagerHandle(IntPtr handle, bool owns_handle)
        : base(IntPtr.Zero, owns_handle)
    {
        SetHandle(handle);
    }

    /// <summary>
    /// True when the wrapped handle is zero.
    /// </summary>
    public override bool IsInvalid => handle == IntPtr.Zero;

    /// <summary>
    /// Frees the resource manager.
    /// </summary>
    /// <returns>The result reported by AuthzFreeResourceManager.</returns>
    protected override bool ReleaseHandle()
    {
        bool released = SecurityNativeMethods.AuthzFreeResourceManager(handle);
        return released;
    }
}
47 | }
48 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/EtwServiceTriggerInformation.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2016, 2017 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Win32
16 | {
17 | #pragma warning disable 1591
/// <summary>
/// Service trigger information for a trigger identified by the base class's SubType,
/// which is used here to register with and query event tracing.
/// </summary>
public class EtwServiceTriggerInformation : ServiceTriggerInformation
{
    internal EtwServiceTriggerInformation(SERVICE_TRIGGER trigger)
        : base(trigger)
    {
        // The meaning of the second argument is not visible here; the result is
        // checked explicitly rather than relying on an exception.
        var query = EventTracing.QueryTraceSecurity(SubType, false);
        if (!query.IsSuccess)
        {
            // SecurityDescriptor stays null when the query fails.
            return;
        }

        SecurityDescriptor = query.Result;
    }

    /// <summary>
    /// The trace security descriptor, or null if it could not be queried at construction.
    /// Callers must check for null before using it.
    /// </summary>
    public SecurityDescriptor SecurityDescriptor { get; }

    /// <summary>
    /// Registers with event tracing for SubType, writes one event and disposes the
    /// registration again.
    /// </summary>
    public override void Trigger()
    {
        using (var registration = EventTracing.Register(SubType))
        {
            registration.Write();
        }
    }

    /// <summary>
    /// Returns the base class's string form unchanged.
    /// </summary>
    public override string ToString() => base.ToString();
}
45 | #pragma warning restore
46 | }
47 |
--------------------------------------------------------------------------------
/NtApiDotNet/ThreadImpersonationContext.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2016 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 |
17 | namespace NtApiDotNet
18 | {
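/// <summary>
/// Disposable class to scope an impersonation context.
/// </summary>
/// <remarks>
/// Hold the instance in a <c>using</c> block so the revert runs on every exit path.
/// If <see cref="Revert"/> throws, treat the thread as possibly still impersonating:
/// the context is spent after the first attempt and later calls do nothing.
/// </remarks>
public sealed class ThreadImpersonationContext : IDisposable
{
    private NtThread _thread;

    internal ThreadImpersonationContext(NtThread thread)
    {
        _thread = thread;
    }

    /// <summary>
    /// Revert impersonation back to the current user.
    /// </summary>
    /// <remarks>
    /// Clears the thread's impersonation token and disposes the thread object. Safe to
    /// call more than once; only the first call does any work.
    /// </remarks>
    public void Revert()
    {
        NtThread thread = _thread;
        if (thread == null)
        {
            return;
        }

        // Detach before the call: the using block disposes the thread even when
        // SetImpersonationToken throws, and a field left pointing at the disposed
        // object would make a later Revert()/Dispose() operate on it.
        _thread = null;
        using (thread)
        {
            thread.SetImpersonationToken(null, false);
        }
    }

    void IDisposable.Dispose()
    {
        Revert();
    }
}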
51 | }
52 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Authorization/TreeSecInfo.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Win32.Security.Authorization
16 | {
17 | #pragma warning disable 1591
18 | /// <summary>
19 | /// Tree security mode.
20 | /// </summary>
21 | public enum TreeSecInfo
22 | {
23 | Set = 1, // TREE_SEC_INFO_SET
24 | Reset = 2, // TREE_SEC_INFO_RESET
25 | ResetKeepExplicit = 3 // TREE_SEC_INFO_RESET_KEEP_EXPLICIT
26 | }
27 |
28 | /// <summary>
29 | /// Progress function for tree named security info.
30 | /// </summary>
31 | /// <param name="object_name">The name of the object.</param>
32 | /// <param name="status">The operation status.</param>
33 | /// <param name="invoke_setting">The current invoke setting.</param>
34 | /// <param name="security_set">True if security is set.</param>
35 | /// <returns>The invoke setting. Return original invoke_setting if no change.</returns>
36 | public delegate ProgressInvokeSetting TreeProgressFunction(string object_name, Win32Error status,
37 | ProgressInvokeSetting invoke_setting, bool security_set);
38 | }
39 |
--------------------------------------------------------------------------------
/NtApiDotNet/NtApiDotNet.nuspec:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | $id$
5 | $version$
6 | NtApiDotNet
7 | James Forshaw
8 | James Forshaw
9 | Apache-2.0
10 | https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools
11 | false
12 | A .NET class library to access native NT API system calls
13 |
14 | 1.1.27
15 | --------
16 | * Added support for directory change notifications.
17 | * Added New-NtDesktop, Get-NtDesktop and Get-NtDesktopName.
18 | * Added New-NtWindowStation, Get-NtWindowStation and Get-NtWindowStationName.
19 | * Changed Win32 error codes to an enumeration.
20 | * Added Load/Unload driver.
21 | * Added properties to NtType to show access masks.
22 | * Added basic SendInput method.
23 | * Added token source tab to Token Viewer.
24 | * Updated for the Job object and New-NtJob.
25 | * Added NtWindow class and HWND enumeration.
26 | * Added Get-AccessibleWindowStation command.
27 | * Added some well known WNF names.
28 | * Added option to Get-AccessibleService to check file permissions.
29 | * Added Set-NtProcessJob command.
30 | * Added Get-AccessibleToken command.
31 | * Added support for compound ACEs.
32 | * Added Get/Set-NtTokenSid and Get/Set-NtTokenGroup.
33 | * Added Get-AccessibleEventTrace command.
34 | * Added Get-AccessibleWnf command.
35 |
36 | Copyright Google Inc. 2016-2020
37 | syscalls
38 |
39 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/SecBufferType.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Win32.Security.Native
16 | {
17 | #pragma warning disable 1591
18 | /// <summary>
19 | /// Security buffer type. Member values match the SECBUFFER_* constants named on each line.
20 | /// NOTE(review): the native buffer type field can also carry attribute bits in its high bits (e.g. SECBUFFER_READONLY); confirm callers mask them off before comparing with these values.
21 | /// </summary>
22 | internal enum SecBufferType
23 | {
24 | Empty = 0, // SECBUFFER_EMPTY
25 | Data = 1, // SECBUFFER_DATA
26 | Token = 2, // SECBUFFER_TOKEN
27 | PkgParams = 3, // SECBUFFER_PKG_PARAMS
28 | Missing = 4, // SECBUFFER_MISSING
29 | Extra = 5, // SECBUFFER_EXTRA
30 | StreamTrailer = 6, // SECBUFFER_STREAM_TRAILER
31 | StreamHeader = 7, // SECBUFFER_STREAM_HEADER
32 | NegotiationInfo = 8, // SECBUFFER_NEGOTIATION_INFO
33 | Padding = 9, // SECBUFFER_PADDING
34 | Stream = 10, // SECBUFFER_STREAM
35 | Mechlist = 11, // SECBUFFER_MECHLIST
36 | MechlistSignature = 12, // SECBUFFER_MECHLIST_SIGNATURE
37 | Target = 13, // SECBUFFER_TARGET
38 | ChannelBindings = 14, // SECBUFFER_CHANNEL_BINDINGS
39 | ChangePassResponse = 15, // SECBUFFER_CHANGE_PASS_RESPONSE
40 | TargetHost = 16, // SECBUFFER_TARGET_HOST
41 | Alert = 17, // SECBUFFER_ALERT
42 | ApplicationProtocols = 18, // SECBUFFER_APPLICATION_PROTOCOLS
43 | SRTPProtectionProfiles = 19, // SECBUFFER_SRTP_PROTECTION_PROFILES
44 | SRTPMasterKeyIdentifier = 20, // SECBUFFER_SRTP_MASTER_KEY_IDENTIFIER
45 | TokenBinding = 21, // SECBUFFER_TOKEN_BINDING
46 | PresharedKey = 22, // SECBUFFER_PRESHARED_KEY
47 | PresharedKeyIdentity = 23, // SECBUFFER_PRESHARED_KEY_IDENTITY
48 | DTLAMtu = 24, // SECBUFFER_DTLS_MTU; the member name looks like a typo for DtlsMtu, kept because other code may reference it
49 | }
49 | }
50 |
--------------------------------------------------------------------------------
/NtApiDotNet/Ndr/Marshal/NdrPipe.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 |
17 | namespace NtApiDotNet.Ndr.Marshal
18 | {
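/// <summary>
/// Placeholder for a NDR pipe type.
/// </summary>
/// <remarks>
/// Both operations always throw <see cref="NotImplementedException"/>.
/// </remarks>
/// <typeparam name="T">The base type of pipe blocks.</typeparam>
public class NdrPipe<T> where T : struct
{
    /// <summary>
    /// Pull a block from a pipe.
    /// </summary>
    /// <param name="count">The maximum number of elements to pull.</param>
    /// <returns>The pulled block.</returns>
    /// <exception cref="NotImplementedException">Always thrown.</exception>
    public T[] Pull(int count)
    {
        throw new NotImplementedException("Pipe support not implemented");
    }

    /// <summary>
    /// Push a block to a pipe.
    /// </summary>
    /// <param name="data">The block to push.</param>
    /// <exception cref="NotImplementedException">Always thrown.</exception>
    public void Push(T[] data)
    {
        throw new NotImplementedException("Pipe support not implemented");
    }
}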
44 | }
45 |
--------------------------------------------------------------------------------
/GenericPotato.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.29509.3
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GenericPotato", "GenericPotato.csproj", "{1BF9C10F-6F89-4520-9D2E-AAF17D17BA5E}"
7 | EndProject
8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "NtApiDotNet", "NtApiDotNet\NtApiDotNet.csproj", "{6AEB5004-6093-4C23-AEAE-911D64CACC58}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug|Any CPU = Debug|Any CPU
13 | Release|Any CPU = Release|Any CPU
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {1BF9C10F-6F89-4520-9D2E-AAF17D17BA5E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
17 | {1BF9C10F-6F89-4520-9D2E-AAF17D17BA5E}.Debug|Any CPU.Build.0 = Debug|Any CPU
18 | {1BF9C10F-6F89-4520-9D2E-AAF17D17BA5E}.Release|Any CPU.ActiveCfg = Release|Any CPU
19 | {1BF9C10F-6F89-4520-9D2E-AAF17D17BA5E}.Release|Any CPU.Build.0 = Release|Any CPU
20 | {6AEB5004-6093-4C23-AEAE-911D64CACC58}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
21 | {6AEB5004-6093-4C23-AEAE-911D64CACC58}.Debug|Any CPU.Build.0 = Debug|Any CPU
22 | {6AEB5004-6093-4C23-AEAE-911D64CACC58}.Release|Any CPU.ActiveCfg = Release|Any CPU
23 | {6AEB5004-6093-4C23-AEAE-911D64CACC58}.Release|Any CPU.Build.0 = Release|Any CPU
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {2BF3BEBF-0E18-43E5-A34F-BC2C9ABDFEDD}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/EventTrace.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 |
17 | namespace NtApiDotNet.Win32
18 | {
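/// <summary>
/// Simple class for an event trace.
/// </summary>
/// <remarks>
/// Wraps a registration handle and unregisters it once on dispose.
/// </remarks>
public sealed class EventTrace : IDisposable
{
    private readonly long _handle;
    // Set by the first Dispose call so the handle is unregistered only once.
    private bool _disposed;

    internal EventTrace(long handle)
    {
        _handle = handle;
    }

    /// <summary>
    /// Write an empty event.
    /// </summary>
    /// <remarks>
    /// The event uses descriptor Id 1 and Level 4 and carries no user data. A failing
    /// native result is converted by <c>ToNtException</c>.
    /// </remarks>
    public void Write()
    {
        EVENT_DESCRIPTOR desc = new EVENT_DESCRIPTOR()
        {
            Id = 1,
            Level = 4
        };
        Win32NativeMethods.EventWrite(_handle, ref desc, 0, null).ToNtException();
    }

    /// <summary>
    /// Dispose method. Unregisters the handle; repeated calls are ignored.
    /// </summary>
    public void Dispose()
    {
        if (_disposed)
        {
            // A second EventUnregister would act on a handle value this object no longer owns.
            return;
        }

        _disposed = true;
        Win32NativeMethods.EventUnregister(_handle);
    }
}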
52 | }
53 |
--------------------------------------------------------------------------------
/NtApiDotNet/NtWaitNative.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
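namespace NtApiDotNet
{
#pragma warning disable 1591
    /// <summary>
    /// Wait mode passed to <c>NtWaitForMultipleObjects</c>.
    /// </summary>
    public enum WaitType
    {
        WaitAll = 0,
        WaitAny = 1
    }

    /// <summary>
    /// P/Invoke declarations for the ntdll wait system calls.
    /// </summary>
    public static partial class NtSystemCalls
    {
        /// <summary>
        /// Declaration of ntdll!NtWaitForSingleObject.
        /// </summary>
        [DllImport("ntdll.dll")]
        public static extern NtStatus NtWaitForSingleObject(
            SafeKernelObjectHandle Handle,
            bool Alertable,
            LargeInteger Timeout
        );

        /// <summary>
        /// Declaration of ntdll!NtWaitForMultipleObjects.
        /// </summary>
        /// <remarks>
        /// Handles are passed as raw <see cref="IntPtr"/> values, so the marshaller does not
        /// keep their owners alive. NOTE(review): callers should keep the owning safe handles
        /// referenced until the call returns, so none is closed during the wait.
        /// </remarks>
        [DllImport("ntdll.dll")]
        public static extern NtStatus NtWaitForMultipleObjects(int HandleCount,
            IntPtr[] Handles, WaitType WaitType, bool Alertable, LargeInteger Timeout);

        /// <summary>
        /// Declaration of ntdll!NtSignalAndWaitForSingleObject.
        /// </summary>
        [DllImport("ntdll.dll")]
        public static extern NtStatus NtSignalAndWaitForSingleObject(
            SafeKernelObjectHandle ObjectToSignal,
            SafeKernelObjectHandle WaitableObject,
            bool Alertable,
            LargeInteger Timeout);
    }
    // Re-enable CS1591: the original closing pragma repeated "disable" instead of restoring.
#pragma warning restore 1591
}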
49 |
--------------------------------------------------------------------------------
/NtApiDotNet/SafeAlpcPortSectionHandle.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using Microsoft.Win32.SafeHandles;
16 | using System;
17 |
18 | namespace NtApiDotNet
19 | {
/// <summary>
/// Safe handle for a port section.
/// </summary>
/// <remarks>
/// The section is deleted through its owning port, so it can only be released while that
/// port's handle is still open. Release sections before closing the port.
/// </remarks>
public class SafeAlpcPortSectionHandle : SafeHandleZeroOrMinusOneIsInvalid
{
    internal SafeAlpcPortSectionHandle(AlpcHandle handle, bool owns_handle, NtAlpc port) : base(owns_handle)
    {
        SetHandle(new IntPtr(handle.Value));
        Port = port;
    }

    // The port the section belongs to; needed again when the section is deleted.
    internal NtAlpc Port { get; }

    /// <summary>
    /// Release handle.
    /// </summary>
    /// <returns>True if handle released successfully. False if there is no port, the
    /// port is already closed, or the delete call fails.</returns>
    protected override bool ReleaseHandle()
    {
        if (Port == null)
        {
            return false;
        }

        if (Port.Handle.IsClosed)
        {
            return false;
        }

        var status = NtSystemCalls.NtAlpcDeletePortSection(Port.Handle,
            AlpcDeletePortSectionFlags.None, handle.ToInt64());
        return status.IsSuccess();
    }
}
47 | }
48 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Authentication/Kerberos/KRB_ENC_TYPE.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Win32.Security.Authentication.Kerberos
16 | {
17 | #pragma warning disable 1591
18 | /// <summary>
19 | /// Kerberos Encryption Type. The DES, 3DES and RC4 values are legacy types deprecated by RFC 6649 and RFC 8429; tickets or keys reported with them are worth flagging when auditing.
20 | /// </summary>
21 | public enum KRB_ENC_TYPE
22 | {
23 | NULL = 0, // no encryption
24 | DES_CBC_CRC = 1, // single DES; deprecated by RFC 6649
25 | DES_CBC_MD4 = 2, // single DES; deprecated by RFC 6649
26 | DES_CBC_MD5 = 3, // single DES; deprecated by RFC 6649
27 | DES3_CBC_MD5 = 5, // 3DES
28 | OLD_DES3_CBC_SHA1 = 7, // 3DES
29 | SIGN_DSA_GENERATE = 8,
30 | ENCRYPT_RSA_PRIV = 9,
31 | ENCRYPT_RSA_PUB = 10,
32 | DES3_CBC_SHA1 = 16, // 3DES; deprecated by RFC 8429
33 | AES128_CTS_HMAC_SHA1_96 = 17, // AES-128 (RFC 3962)
34 | AES256_CTS_HMAC_SHA1_96 = 18, // AES-256 (RFC 3962)
35 | ARCFOUR_HMAC_MD5 = 23, // RC4-HMAC; deprecated by RFC 8429
36 | ARCFOUR_HMAC_MD5_56 = 24, // export-strength RC4-HMAC; deprecated by RFC 6649
37 | ENCTYPE_PK_CROSS = 48,
38 | ARCFOUR_MD4 = -128, // negative values are outside the IANA-assigned range (Microsoft-specific)
39 | ARCFOUR_HMAC_OLD = -133,
40 | ARCFOUR_HMAC_OLD_EXP = -135,
41 | DES_CBC_NONE = -4096,
42 | DES3_CBC_NONE = -4097,
43 | DES_CFB64_NONE = -4098,
44 | DES_PCBC_NONE = -4099,
45 | DIGEST_MD5_NONE = -4100,
46 | CRAM_MD5_NONE = -4101
47 | }
48 | }
49 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Debugger/PointerTypeInformation.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
namespace NtApiDotNet.Win32.Debugger
{
    /// <summary>
    /// Symbol type information describing a pointer to another type.
    /// </summary>
    public class PointerTypeInformation : TypeInformation
    {
        /// <summary>
        /// The type being pointed to.
        /// </summary>
        public TypeInformation PointerType { get; internal set; }

        /// <summary>
        /// True when the pointer is a reference.
        /// </summary>
        public bool IsReference { get; }

        /// <summary>
        /// The symbol name: the pointed-to type's name followed by '*'.
        /// </summary>
        /// <remarks>
        /// Reads <see cref="PointerType"/> on every call, so it throws a
        /// NullReferenceException while PointerType is null.
        /// </remarks>
        public override string Name
        {
            get { return $"{PointerType.Name}*"; }
        }

        /// <summary>
        /// Internal constructor. The base type is created with the pointer symbol
        /// tag and an empty name; the name is computed by <see cref="Name"/>.
        /// </summary>
        /// <param name="size">Size passed through to the base type.</param>
        /// <param name="type_index">Type index passed through to the base type.</param>
        /// <param name="module">Module passed through to the base type.</param>
        /// <param name="pointer_type">The type being pointed to.</param>
        /// <param name="is_reference">True if the pointer is a reference.</param>
        internal PointerTypeInformation(long size, int type_index, SymbolLoadedModule module,
            TypeInformation pointer_type, bool is_reference)
            : base(SymTagEnum.SymTagPointerType, size, type_index, module, string.Empty)
        {
            IsReference = is_reference;
            PointerType = pointer_type;
        }
    }
}
46 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Authorization/AuthZAccessCheckResult.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 |
namespace NtApiDotNet.Win32.Security.Authorization
{
    /// <summary>
    /// Access check result from AuthZ.
    /// </summary>
    /// <remarks>
    /// The result carries both a granted mask and an outcome. The Win32 error is
    /// kept in <see cref="Error"/> and is also converted with MapDosErrorToStatus
    /// for the base class, so a consumer making an access decision can check the
    /// outcome as well as the mask.
    /// </remarks>
    public class AuthZAccessCheckResult : AccessCheckResultGeneric
    {
        /// <summary>
        /// The Win32 error code from the access check.
        /// </summary>
        public Win32Error Error { get; }

        /// <summary>
        /// Internal constructor; builds the generic result from the AuthZ output.
        /// </summary>
        /// <param name="type">Object type supplying the generic mapping and the access rights type. Dereferenced without a null check.</param>
        /// <param name="error">Win32 error from the access check.</param>
        /// <param name="granted_access">Access mask granted by the check.</param>
        /// <param name="object_type">Optional object type entry. When null, Guid.Empty and an empty name are passed to the base class.</param>
        internal AuthZAccessCheckResult(
            NtType type,
            Win32Error error,
            AccessMask granted_access,
            ObjectTypeEntry object_type) : base(error.MapDosErrorToStatus(),
                // Granted mask, then the same mask run through UnmapMask.
                granted_access, type.GenericMapping.UnmapMask(granted_access),
                // An empty privilege array is always passed here.
                new TokenPrivilege[0], granted_access.ToSpecificAccess(type.AccessRightsType),
                type.GenericMapping.UnmapMask(granted_access).ToSpecificAccess(type.AccessRightsType),
                // NOTE(review): the meaning of the trailing 'false' is defined by the
                // base constructor, which is not part of this file.
                object_type?.ObjectType ?? Guid.Empty, object_type?.Name ?? string.Empty, false)
        {
            Error = error;
        }
    }
}
43 |
--------------------------------------------------------------------------------
/NtApiDotNet/NtWindowNative.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
namespace NtApiDotNet
{
#pragma warning disable 1591

    /// <summary>
    /// Selects which piece of information NtUserQueryWindow returns for a window.
    /// </summary>
    public enum QueryWindowType
    {
        ProcessId = 0,
        Owner = 1,
        ThreadId = 2,
        Hung = 5,
    }

    /// <summary>
    /// Raw P/Invoke declarations for window system calls exported by win32u.dll.
    /// </summary>
    /// <remarks>
    /// These are direct native entry points with no argument validation on the
    /// managed side.
    /// NOTE(review): the library is named without a path or a
    /// DefaultDllImportSearchPaths attribute. Consider restricting the search
    /// to the system directory if the DLL could be resolved before it is
    /// already loaded.
    /// </remarks>
    public static partial class NtSystemCalls
    {
        // Fills Buffer with window handles and reports the needed count in
        // RequiredCount. BufferCount must not exceed Buffer.Length: native code
        // writes into the array according to BufferCount, not the managed length.
        // HideImmersiveWindows has no explicit MarshalAs; the P/Invoke default
        // for bool is the same 4-byte BOOL.
        [DllImport("win32u.dll")]
        public static extern NtStatus NtUserBuildHwndList(SafeKernelObjectHandle Desktop, IntPtr ParentWindow,
            [MarshalAs(UnmanagedType.Bool)] bool EnumerateChildren, bool HideImmersiveWindows, int ThreadId, int BufferCount,
            [Out, MarshalAs(UnmanagedType.LPArray)] IntPtr[] Buffer, out int RequiredCount);

        // Returns an int rather than an NtStatus. SetLastError = true makes the
        // Win32 last-error value available to the caller after the call.
        [DllImport("win32u.dll", SetLastError = true)]
        public static extern int NtUserQueryWindow(IntPtr Window, QueryWindowType query);

        // Name is a caller-allocated string buffer that the call fills in.
        // NOTE(review): presumably the int return is the length written - confirm.
        [DllImport("win32u.dll", SetLastError = true)]
        public static extern int NtUserGetClassName(IntPtr Window, [MarshalAs(UnmanagedType.Bool)] bool RealName, UnicodeStringAllocated Name);
    }

#pragma warning restore
}
46 |
--------------------------------------------------------------------------------
/NtApiDotNet/SafeTokenPrivilegesBuffer.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
namespace NtApiDotNet
{
    /// <summary>
    /// Safe buffer for token privileges.
    /// </summary>
    /// <remarks>
    /// NOTE(review): the base type is shown without a generic argument. The
    /// argument was probably lost when this listing was rendered (the base
    /// constructor is given a TokenPrivileges value) - confirm against the file.
    /// </remarks>
    public class SafeTokenPrivilegesBuffer : SafeStructureInOutBuffer
    {
        /// <summary>
        /// Constructor.
        /// </summary>
        /// <param name="privs">List of privileges. Must not be null: its Length is read while building the base-constructor arguments.</param>
        public SafeTokenPrivilegesBuffer(LuidAndAttributes[] privs)
            // Header with the count, plus extra space for privs.Length entries.
            : base(new TokenPrivileges() { PrivilegeCount = privs.Length },
                  Marshal.SizeOf(typeof(LuidAndAttributes)) * privs.Length, true)
        {
            // Copy every entry into the data area, starting at offset 0.
            Data.WriteArray(0, privs, 0, privs.Length);
        }

        // Backs the Null property: zero pointer, zero length.
        private SafeTokenPrivilegesBuffer()
            : base(IntPtr.Zero, 0, false)
        {
        }

        /// <summary>
        /// NULL safe buffer.
        /// </summary>
        /// <remarks>Returns a new instance on every access.</remarks>
        new public static SafeTokenPrivilegesBuffer Null { get { return new SafeTokenPrivilegesBuffer(); } }
    }
#pragma warning restore 1591
}
48 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/SafeHandles/SafeLsaLogonHandle.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using Microsoft.Win32.SafeHandles;
16 | using NtApiDotNet.Win32.Security.Native;
17 | using System;
18 |
namespace NtApiDotNet.Win32.SafeHandles
{
    /// <summary>
    /// Safe handle for an LSA logon connection; released with LsaDeregisterLogonProcess.
    /// </summary>
    internal class SafeLsaLogonHandle : SafeHandleZeroOrMinusOneIsInvalid
    {
        /// <summary>
        /// Wraps an existing handle value.
        /// </summary>
        /// <param name="handle">The raw handle value.</param>
        /// <param name="ownsHandle">True if this object should release the handle.</param>
        public SafeLsaLogonHandle(IntPtr handle, bool ownsHandle) : base(ownsHandle)
        {
            SetHandle(handle);
        }

        /// <summary>
        /// Creates an owning handle with no value set yet; used when the handle
        /// is produced as an out parameter of a native call.
        /// </summary>
        public SafeLsaLogonHandle() : base(true)
        {
        }

        /// <summary>
        /// Deregisters the logon connection.
        /// </summary>
        /// <returns>True if LsaDeregisterLogonProcess reported success.</returns>
        protected override bool ReleaseHandle()
        {
            return SecurityNativeMethods.LsaDeregisterLogonProcess(handle).IsSuccess();
        }

        /// <summary>
        /// Connects to LSA, preferring a registered logon process.
        /// </summary>
        /// <param name="throw_on_error">True to throw if the fallback connection fails.</param>
        /// <returns>The connection handle as a result object.</returns>
        /// <remarks>
        /// Registration is tried first under the fixed name "NtApiDotNet". Any
        /// failure of that call, whatever the status, silently falls back to
        /// LsaConnectUntrusted, and the returned result does not record which
        /// path was taken. Windows documents LsaRegisterLogonProcess as requiring
        /// SeTcbPrivilege, so callers without it normally get the untrusted
        /// connection.
        /// NOTE(review): the return type is shown without a generic argument;
        /// it was probably lost when this listing was rendered.
        /// </remarks>
        internal static NtResult Connect(bool throw_on_error)
        {
            if (!SecurityNativeMethods.LsaRegisterLogonProcess(new LsaString("NtApiDotNet"), out SafeLsaLogonHandle hlsa, out uint _).IsSuccess())
            {
                return SecurityNativeMethods.LsaConnectUntrusted(out hlsa).CreateResult(throw_on_error, () => hlsa);
            }
            return hlsa.CreateResult();
        }
    }
}
47 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/SafeHandles/SafeLsaHandle.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2016 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using Microsoft.Win32.SafeHandles;
16 | using NtApiDotNet.Win32.Security.Native;
17 | using NtApiDotNet.Win32.Security.Policy;
18 | using System;
19 |
namespace NtApiDotNet.Win32.SafeHandles
{
    /// <summary>
    /// Safe handle for an LSA object; released with LsaClose.
    /// </summary>
    internal class SafeLsaHandle : SafeHandleZeroOrMinusOneIsInvalid
    {
        /// <summary>
        /// Wraps an existing handle value.
        /// </summary>
        /// <param name="handle">The raw handle value.</param>
        /// <param name="ownsHandle">True if this object should release the handle.</param>
        public SafeLsaHandle(IntPtr handle, bool ownsHandle) : base(ownsHandle)
        {
            SetHandle(handle);
        }

        /// <summary>
        /// Creates an owning handle with no value set yet; used when the handle
        /// is produced as an out parameter of a native call.
        /// </summary>
        public SafeLsaHandle() : base(true)
        {
        }

        /// <summary>
        /// Closes the LSA handle.
        /// </summary>
        /// <returns>True if LsaClose reported success.</returns>
        protected override bool ReleaseHandle()
        {
            return SecurityNativeMethods.LsaClose(handle).IsSuccess();
        }

        /// <summary>
        /// Opens an LSA policy handle.
        /// </summary>
        /// <param name="system_name">Target system name. Null passes a null name to LsaOpenPolicy.</param>
        /// <param name="desired_access">Access rights requested on the policy. Requesting only what the caller needs keeps the resulting handle narrowly scoped.</param>
        /// <param name="throw_on_error">True to throw on failure.</param>
        /// <returns>The policy handle as a result object.</returns>
        /// <remarks>
        /// NOTE(review): the return type is shown without a generic argument;
        /// it was probably lost when this listing was rendered.
        /// </remarks>
        internal static NtResult OpenPolicy(string system_name, LsaPolicyAccessRights desired_access, bool throw_on_error)
        {
            UnicodeString str = system_name != null ? new UnicodeString(system_name) : null;

            // Default-constructed object attributes are passed.
            return SecurityNativeMethods.LsaOpenPolicy(str, new ObjectAttributes(),
                desired_access, out SafeLsaHandle policy).CreateResult(throw_on_error, () => policy);
        }
    }
}
47 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Rpc/RpcClientResponse.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using NtApiDotNet.Ndr;
16 | using NtApiDotNet.Ndr.Marshal;
17 | using System.Collections.Generic;
18 | using System.Linq;
19 |
namespace NtApiDotNet.Win32.Rpc
{
    /// <summary>
    /// Response data from an RPC client call.
    /// </summary>
    /// <remarks>
    /// The NDR bytes and handles originate from the server side of the call.
    /// Code that unmarshals them should treat lengths, offsets and handle types
    /// as untrusted input.
    /// NOTE(review): IEnumerable and List appear without generic arguments;
    /// they were probably lost when this listing was rendered.
    /// </remarks>
    public sealed class RpcClientResponse
    {
        /// <summary>
        /// The marshaled NDR data from the response.
        /// </summary>
        /// <remarks>The array passed to the constructor is stored as-is, not copied.</remarks>
        public byte[] NdrBuffer { get; }
        /// <summary>
        /// Any object handles returned in the response. (only for ALPC).
        /// </summary>
        public IEnumerable Handles { get; }
        /// <summary>
        /// Indicates the NDR data representation for the response.
        /// </summary>
        public NdrDataRepresentation DataRepresentation { get; }

        /// <summary>
        /// Internal constructor.
        /// </summary>
        /// <param name="ndr_buffer">The marshaled NDR data.</param>
        /// <param name="handles">Handles received with the response. Must not be null.</param>
        internal RpcClientResponse(byte[] ndr_buffer, IEnumerable handles)
        {
            NdrBuffer = ndr_buffer;
            // Each handle is duplicated, so this response holds its own copies.
            // NOTE(review): the class has no Dispose; confirm which component
            // closes the duplicated handles.
            Handles = new List(handles.Select(o => o.DuplicateObject()));
            // Always a default-constructed representation, regardless of the response.
            DataRepresentation = new NdrDataRepresentation();
        }
    }
}
48 |
--------------------------------------------------------------------------------
/NtApiDotNet/Ndr/Marshal/NdrContextHandle.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 |
namespace NtApiDotNet.Ndr.Marshal
{
    /// <summary>
    /// Value type holding an NDR context handle: an attributes word and a UUID.
    /// </summary>
    public struct NdrContextHandle
    {
        /// <summary>
        /// Creates a context handle from its two components.
        /// </summary>
        /// <param name="attributes">Context handle attributes.</param>
        /// <param name="uuid">Context handle UUID.</param>
        public NdrContextHandle(int attributes, Guid uuid)
        {
            Uuid = uuid;
            Attributes = attributes;
        }

        /// <summary>
        /// Context handle attributes.
        /// </summary>
        public int Attributes { get; }

        /// <summary>
        /// Context handle UUID.
        /// </summary>
        public Guid Uuid { get; }

        /// <summary>
        /// Overridden ToString method.
        /// </summary>
        /// <returns>The handle as a string, UUID first and then the attributes.</returns>
        public override string ToString() => $"Handle: {Uuid} - Attributes: {Attributes}";
    }
}
55 |
--------------------------------------------------------------------------------
/NtApiDotNet/Readme.txt:
--------------------------------------------------------------------------------
1 | NtApiDotNet - Managed .NET library for accessing NT API
2 |
3 | (c) Google Inc. 2015, 2016, 2017, 2018, 2019
4 | Developed by James Forshaw
5 |
6 | This library is written entirely in C# to allow managed applications easy access to
7 | various native NT API routines. It's used as the core of the sandbox analysis tools
8 | as well as a PowerShell module. The purpose of this library is to make it easier to
9 | call into the NT API, handling things like variable length structures and lifetime
10 | management.
11 |
12 | The majority of the exposed classes and methods have XML documentation, which can
13 | be used for intellisense or converted into real documentation. Most of the low-level
14 | APIs are not documented however, see the code for usage examples.
15 |
16 | In addition to my own reverse engineering efforts and MSDN documentation, the following
17 | people or resources have proven invaluable in determining API functionality.
18 |
19 | Process Hacker Sources: http://processhacker.sourceforge.net/
20 | Windows NT/2000 Native API Reference: Gary Nebbett (ISBN 9781578701995)
21 | Alex Ionescu
22 | ALPC RPC client code inspired by work by Clement Rouault (@hakril) and Thomas Imbert
23 | (@masthoon) at PacSec (https://pacsec.jp/psj17/PSJ2017_Rouault_Imbert_alpc_rpc_pacsec.pdf)
24 | And others I've no doubt forgotten.
25 |
26 | NOTE: It's still a work in progress and it's not designed to act as a documentation
27 | source for the entire NT API. There will be bits missing. Patches are welcome to
28 | add missing functions or fix bugs, see the CONTRIBUTING file in the root of the solution.
29 |
30 | Building for PowerShell Core 6.0/.NET Core 2.0
31 | -----------------------------------------
32 |
33 | In order to build for PowerShell Core 6.0 use the command line:
34 |
35 | dotnet build NtApiDotNet\NtApiDotNet.Core.csproj -c Release
36 |
37 | Building for .NET Core does not currently work in Visual Studio 2017.
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/SafeWin32Exception.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2016 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.ComponentModel;
17 |
namespace NtApiDotNet.Win32
{
    /// <summary>
    /// A Win32 exception that is safe to use while impersonating: the message
    /// text is looked up each time <see cref="Message"/> is read.
    /// </summary>
    /// <remarks>
    /// NOTE(review): the type is marked [Serializable] but declares no
    /// (SerializationInfo, StreamingContext) constructor, so deserializing it
    /// would presumably fail - confirm whether serialization is needed.
    /// </remarks>
    [Serializable]
    public class SafeWin32Exception : Win32Exception
    {
        /// <summary>
        /// Creates the exception using the base class's parameterless constructor.
        /// </summary>
        public SafeWin32Exception()
            : base()
        {
        }

        /// <summary>
        /// Creates the exception for a specific Win32 error.
        /// </summary>
        /// <param name="error">Win32 error.</param>
        public SafeWin32Exception(int error)
            : base(error)
        {
        }

        // Convenience overload taking the library's own error enumeration.
        internal SafeWin32Exception(Win32Error error)
            : this((int)error)
        {
        }

        /// <summary>
        /// The message for the exception, resolved from NativeErrorCode through a
        /// freshly created Win32Exception on every read.
        /// </summary>
        public override string Message => new Win32Exception(NativeErrorCode).Message;
    }
}
59 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Debugger/SymTagEnum.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2018 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | // NOTE: This file is a modified version of SymbolResolver.cs from OleViewDotNet
16 | // https://github.com/tyranid/oleviewdotnet. It's been relicensed from GPLv3 by
17 | // the original author James Forshaw to be used under the Apache License for this
18 | // project.
19 |
namespace NtApiDotNet.Win32.Debugger
{
    // Symbol tag identifying the kind of a debug symbol.
    // The members have no explicit values: they number from 0 in declaration
    // order, so inserting or reordering a member changes every later value.
    // NOTE(review): presumably this must stay in step with the native symbol
    // tag enumeration used by the debug help library - confirm before editing.
    enum SymTagEnum
    {
        SymTagNull,
        SymTagExe,
        SymTagCompiland,
        SymTagCompilandDetails,
        SymTagCompilandEnv,
        SymTagFunction,
        SymTagBlock,
        SymTagData,
        SymTagAnnotation,
        SymTagLabel,
        SymTagPublicSymbol,
        SymTagUDT,
        SymTagEnum,
        SymTagFunctionType,
        SymTagPointerType,
        SymTagArrayType,
        SymTagBaseType,
        SymTagTypedef,
        SymTagBaseClass,
        SymTagFriend,
        SymTagFunctionArgType,
        SymTagFuncDebugStart,
        SymTagFuncDebugEnd,
        SymTagUsingNamespace,
        SymTagVTableShape,
        SymTagVTable,
        SymTagCustom,
        SymTagThunk,
        SymTagCustomType,
        SymTagManagedType,
        SymTagDimension
    }
}
57 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/SECPKG_ATTR.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
namespace NtApiDotNet.Win32.Security.Native
{
    // Attribute identifiers for querying a security package context.
    // Values are explicit and not contiguous (23, 28 and 29 are absent), and
    // SUBJECT_SECURITY_ATTRIBUTES (128) is declared out of numeric order.
    // NOTE(review): judging by the names, some attributes (SESSION_KEY,
    // ACCESS_TOKEN, NEGO_KEYS) yield key material or a token. Results of those
    // queries should be handled as secrets and released promptly - confirm
    // how the callers treat them.
    internal enum SECPKG_ATTR
    {
        SIZES = 0,
        NAMES = 1,
        LIFESPAN = 2,
        DCE_INFO = 3,
        STREAM_SIZES = 4,
        KEY_INFO = 5,
        AUTHORITY = 6,
        PROTO_INFO = 7,
        PASSWORD_EXPIRY = 8,
        SESSION_KEY = 9,
        PACKAGE_INFO = 10,
        USER_FLAGS = 11,
        NEGOTIATION_INFO = 12,
        NATIVE_NAMES = 13,
        FLAGS = 14,
        USE_VALIDATED = 15,
        CREDENTIAL_NAME = 16,
        TARGET_INFORMATION = 17,
        ACCESS_TOKEN = 18,
        TARGET = 19,
        AUTHENTICATION_ID = 20,
        LOGOFF_TIME = 21,
        NEGO_KEYS = 22,
        PROMPTING_NEEDED = 24,
        UNIQUE_BINDINGS = 25,
        ENDPOINT_BINDINGS = 26,
        CLIENT_SPECIFIED_TARGET = 27,
        LAST_CLIENT_TOKEN_STATUS = 30,
        NEGO_PKG_INFO = 31,
        NEGO_STATUS = 32,
        CONTEXT_DELETED = 33,
        DTLS_MTU = 34,
        SUBJECT_SECURITY_ATTRIBUTES = 128,
        APPLICATION_PROTOCOL = 35,
        NEGOTIATED_TLS_EXTENSIONS = 36,
        IS_LOOPBACK = 37,
    }
}
57 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Debugger/IMAGEHLP_SYMBOL_TYPE_INFO.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
namespace NtApiDotNet.Win32.Debugger
{
    // Selects which property of a symbol type is being requested.
    // The members have no explicit values: they number from 0 in declaration
    // order, ending with the IMAGEHLP_SYMBOL_TYPE_INFO_MAX sentinel.
    // NOTE(review): presumably the order must match the native enumeration of
    // the same name - confirm before inserting or reordering members.
    enum IMAGEHLP_SYMBOL_TYPE_INFO
    {
        TI_GET_SYMTAG,
        TI_GET_SYMNAME,
        TI_GET_LENGTH,
        TI_GET_TYPE,
        TI_GET_TYPEID,
        TI_GET_BASETYPE,
        TI_GET_ARRAYINDEXTYPEID,
        TI_FINDCHILDREN,
        TI_GET_DATAKIND,
        TI_GET_ADDRESSOFFSET,
        TI_GET_OFFSET,
        TI_GET_VALUE,
        TI_GET_COUNT,
        TI_GET_CHILDRENCOUNT,
        TI_GET_BITPOSITION,
        TI_GET_VIRTUALBASECLASS,
        TI_GET_VIRTUALTABLESHAPEID,
        TI_GET_VIRTUALBASEPOINTEROFFSET,
        TI_GET_CLASSPARENTID,
        TI_GET_NESTED,
        TI_GET_SYMINDEX,
        TI_GET_LEXICALPARENT,
        TI_GET_ADDRESS,
        TI_GET_THISADJUST,
        TI_GET_UDTKIND,
        TI_IS_EQUIV_TO,
        TI_GET_CALLING_CONVENTION,
        TI_IS_CLOSE_EQUIV_TO,
        TI_GTIEX_REQS_VALID,
        TI_GET_VIRTUALBASEOFFSET,
        TI_GET_VIRTUALBASEDISPINDEX,
        TI_GET_IS_REFERENCE,
        TI_GET_INDIRECTVIRTUALBASECLASS,
        TI_GET_VIRTUALBASETABLETYPE,
        IMAGEHLP_SYMBOL_TYPE_INFO_MAX
    }
}
56 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/EventTraceProvider.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 |
namespace NtApiDotNet.Win32
{
    /// <summary>
    /// Describes a single Event Trace provider.
    /// </summary>
    public sealed class EventTraceProvider
    {
        /// <summary>
        /// The ID of the provider.
        /// </summary>
        public Guid Id { get; }

        /// <summary>
        /// The name of the provider.
        /// </summary>
        public string Name { get; }

        /// <summary>
        /// Whether the provider is defined as an XML file or a MOF.
        /// </summary>
        public bool FromXml { get; }

        /// <summary>
        /// The provider security descriptor (only available as admin).
        /// </summary>
        /// <remarks>
        /// Holds the default value when the query in the constructor fails.
        /// A missing descriptor therefore means "could not be read", not
        /// "the provider is unrestricted".
        /// </remarks>
        public SecurityDescriptor SecurityDescriptor { get; }

        // Provider known only by ID: the ID's string form doubles as the name.
        internal EventTraceProvider(Guid id)
            : this(id, id.ToString(), false)
        {
        }

        // Stores the identity fields, then queries the provider's trace security
        // with errors suppressed (throw_on_error is false).
        internal EventTraceProvider(Guid id, string name, bool from_xml)
        {
            Id = id;
            FromXml = from_xml;
            Name = name;

            var security_query = EventTracing.QueryTraceSecurity(Id, false);
            SecurityDescriptor = security_query.GetResultOrDefault();
        }
    }
}
55 |
--------------------------------------------------------------------------------
/NtApiDotNet/Utilities/Memory/CrossBitnessTypeAttribute.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2018 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Reflection;
17 |
namespace NtApiDotNet.Utilities.Memory
{
    // Attribute naming an alternative structure type to read when the target
    // process has a different bitness, and providing the reflection plumbing
    // to read it.
    // NOTE(review): several generic arguments appear to be missing below (Lazy,
    // Func, IConvertToNative, ReadType, Convert); they were probably lost when
    // this listing was rendered - confirm against the file.
    internal class CrossBitnessTypeAttribute : Attribute
    {
        // Lazily built closed generic ReadMemory method for CrossBitnessType.
        private Lazy _base_method;
        // The structure type to read in place of the native-bitness one.
        public Type CrossBitnessType { get; }

        // Takes the ReadMemory method from NtProcess.Current only to reach its
        // generic definition, then closes it over cross_bitness_type.
        private static MethodInfo GetMethodInfo(Type cross_bitness_type)
        {
            Func read_memory = NtProcess.Current.ReadMemory;
            return read_memory.Method.GetGenericMethodDefinition().MakeGenericMethod(cross_bitness_type);
        }

        // Stores the type. The reflection lookup is deferred until first use.
        public CrossBitnessTypeAttribute(Type cross_bitness_type)
        {
            CrossBitnessType = cross_bitness_type;
            _base_method = new Lazy(() => GetMethodInfo(cross_bitness_type));
        }

        // Reads a CrossBitnessType value from 'process' at 'base_address' via
        // reflection and converts it to T. The cast throws InvalidCastException
        // if the value read does not implement IConvertToNative. Exceptions
        // raised inside the invoked read surface wrapped in
        // TargetInvocationException, as with any MethodInfo.Invoke call.
        public T ReadType(NtProcess process, long base_address) where T : struct
        {
            IConvertToNative converter = (IConvertToNative)_base_method.Value.Invoke(process, new object[] { base_address });
            return converter.Convert();
        }

        // Marshalled size in bytes of CrossBitnessType.
        public int GetSize()
        {
            return System.Runtime.InteropServices.Marshal.SizeOf(CrossBitnessType);
        }
    }
}
49 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Audit/AuditAccessRights.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
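namespace NtApiDotNet.Win32.Security.Audit
{
#pragma warning disable 1591
    /// <summary>
    /// Access rights for system audit policy.
    /// </summary>
    /// <remarks>
    /// The members are single-bit masks that are combined with bitwise OR (see
    /// <see cref="All"/>), so the type is marked as a flags enumeration. Without
    /// the attribute a combined mask formats as a bare number, which makes
    /// granted-access values in logs and tool output hard to review.
    /// </remarks>
    [System.Flags]
    public enum AuditAccessRights : uint
    {
        // Audit-policy specific rights.
        SetSystemPolicy = 0x0001,
        QuerySystemPolicy = 0x0002,
        SetUserPolicy = 0x0004,
        QueryUserPolicy = 0x0008,
        EnumerateUsers = 0x0010,
        SetMiscPolicy = 0x0020,
        QueryMiscPolicy = 0x0040,
        // Every specific right plus the four standard rights below.
        All = WriteOwner | WriteDac | ReadControl | Delete | SetSystemPolicy | QuerySystemPolicy |
            SetUserPolicy | QueryUserPolicy | EnumerateUsers | SetMiscPolicy | QueryMiscPolicy,
        // Generic and standard rights, taken from GenericAccessRights.
        GenericRead = GenericAccessRights.GenericRead,
        GenericWrite = GenericAccessRights.GenericWrite,
        GenericExecute = GenericAccessRights.GenericExecute,
        GenericAll = GenericAccessRights.GenericAll,
        Delete = GenericAccessRights.Delete,
        ReadControl = GenericAccessRights.ReadControl,
        WriteDac = GenericAccessRights.WriteDac,
        WriteOwner = GenericAccessRights.WriteOwner,
        MaximumAllowed = GenericAccessRights.MaximumAllowed,
        AccessSystemSecurity = GenericAccessRights.AccessSystemSecurity,
    }
}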
44 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/SEC_WINNT_AUTH_IDENTITY.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Runtime.InteropServices;
16 | using System.Security;
17 |
namespace NtApiDotNet.Win32.Security.Native
{
#pragma warning disable 1591
    // Managed mirror of the native authentication identity structure.
    // The layout is sequential, so the field order below is part of the
    // contract with native code and must not be changed.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    internal class SEC_WINNT_AUTH_IDENTITY
    {
        [MarshalAs(UnmanagedType.LPWStr)]
        public string User;
        public int UserLength;
        [MarshalAs(UnmanagedType.LPWStr)]
        public string Domain;
        public int DomainLength;
        public SecureStringMarshal Password;
        public int PasswordLength;
        public SecWinNtAuthIdentityFlags Flags;

        // Creates an empty identity. Every field keeps its default value.
        public SEC_WINNT_AUTH_IDENTITY()
        {
        }

        // Fills the identity from managed values. Lengths are in characters and
        // are 0 for a null string. A non-null password is wrapped in a
        // SecureStringMarshal that is registered with 'list', so 'list' must be
        // non-null in that case.
        // NOTE(review): presumably disposing 'list' is what releases the
        // marshalled password, so it should be disposed as soon as the native
        // call has completed - confirm in SecureStringMarshal.
        public SEC_WINNT_AUTH_IDENTITY(string user, string domain, SecureString password, DisposableList list)
        {
            Flags = SecWinNtAuthIdentityFlags.Unicode;

            User = user;
            UserLength = user == null ? 0 : user.Length;

            Domain = domain;
            DomainLength = domain == null ? 0 : domain.Length;

            if (password == null)
            {
                return;
            }

            Password = list.AddResource(new SecureStringMarshal(password));
            PasswordLength = password.Length;
        }
    }
}
53 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/SECURITY_LOGON_SESSION_DATA.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
18 | namespace NtApiDotNet.Win32.Security.Native
19 | {
// Managed layout of the native SECURITY_LOGON_SESSION_DATA structure.
// Field order and types define the native layout and must not be changed.
// NOTE(review): presumably filled in by LsaGetLogonSessionData; the string fields
// and Sid would then point into the LSA-allocated return buffer, so they have to be
// copied to managed objects before that buffer is freed - confirm against the caller.
[StructLayout(LayoutKind.Sequential)]
internal struct SECURITY_LOGON_SESSION_DATA
{
    // Size of the structure as reported by the producer.
    public int Size;
    // Identifier of the logon session.
    public Luid LogonId;
    public UnicodeStringOut UserName;
    public UnicodeStringOut LogonDomain;
    public UnicodeStringOut AuthenticationPackage;
    public SecurityLogonType LogonType;
    public int Session;
    // Raw pointer to the user's SID; not owned by this structure.
    public IntPtr Sid;
    public LargeIntegerStruct LogonTime;
    public UnicodeStringOut LogonServer;
    public UnicodeStringOut DnsDomainName;
    public UnicodeStringOut Upn;
    public LsaLogonUserFlags UserFlags;
    public LSA_LAST_INTER_LOGON_INFO LastLogonInfo;
    public UnicodeStringOut LogonScript;
    public UnicodeStringOut ProfilePath;
    public UnicodeStringOut HomeDirectory;
    public UnicodeStringOut HomeDirectoryDrive;
    // Time stamps are raw 64-bit values; convert with LargeIntegerStruct.ToDateTime.
    public LargeIntegerStruct LogoffTime;
    public LargeIntegerStruct KickOffTime;
    public LargeIntegerStruct PasswordLastSet;
    public LargeIntegerStruct PasswordCanChange;
    public LargeIntegerStruct PasswordMustChange;
}
47 | }
48 |
--------------------------------------------------------------------------------
/NtApiDotNet/SafeSidBufferHandle.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2016 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using Microsoft.Win32.SafeHandles;
16 | using System;
17 |
18 | namespace NtApiDotNet
19 | {
20 | #pragma warning disable 1591
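/// <summary>
/// Safe SID buffer.
/// </summary>
/// <remarks>This is used to return values from the RTL apis which need to be freed using RtlFreeSid</remarks>
public sealed class SafeSidBufferHandle : SafeHandleZeroOrMinusOneIsInvalid
{
    /// <summary>
    /// Wraps an existing SID pointer.
    /// </summary>
    /// <param name="sid">Pointer to the SID buffer.</param>
    /// <param name="owns_handle">True if the buffer should be freed with RtlFreeSid on release.</param>
    public SafeSidBufferHandle(IntPtr sid, bool owns_handle) : base(owns_handle)
    {
        SetHandle(sid);
    }

    /// <summary>
    /// Creates an owning handle with no pointer set yet.
    /// </summary>
    public SafeSidBufferHandle() : base(true)
    {
    }

    /// <summary>
    /// Gets a new non-owning handle wrapping a NULL pointer.
    /// </summary>
    public static SafeSidBufferHandle Null
    {
        get { return new SafeSidBufferHandle(IntPtr.Zero, false); }
    }

    /// <summary>
    /// Gets the length of the SID as reported by RtlLengthSid.
    /// </summary>
    /// <remarks>
    /// The raw pointer is passed straight through; the caller must hold a valid,
    /// unreleased handle when reading this property.
    /// </remarks>
    public int Length
    {
        get { return NtRtl.RtlLengthSid(handle); }
    }

    /// <summary>
    /// Converts the buffer to a <see cref="Sid"/> object.
    /// </summary>
    /// <returns>The SID built from the buffer.</returns>
    /// <exception cref="ObjectDisposedException">Thrown if the handle was already closed.</exception>
    public Sid ToSid()
    {
        // Pin the handle for the duration of the read so that a concurrent Dispose
        // or a finalizer run cannot free the buffer while Sid is reading from it.
        bool added_ref = false;
        try
        {
            DangerousAddRef(ref added_ref);
            return new Sid(DangerousGetHandle());
        }
        finally
        {
            if (added_ref)
            {
                DangerousRelease();
            }
        }
    }

    /// <summary>
    /// Frees the SID buffer with RtlFreeSid.
    /// </summary>
    /// <returns>Always true.</returns>
    protected override bool ReleaseHandle()
    {
        if (!IsInvalid)
        {
            NtRtl.RtlFreeSid(handle);
            // Clear the pointer so a second release cannot free it again.
            handle = IntPtr.Zero;
        }
        return true;
    }
}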
60 |
61 | #pragma warning restore 1591
62 | }
63 |
--------------------------------------------------------------------------------
/NtApiDotNet/Utilities/ASN1/DERParser.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Collections.Generic;
16 | using System.IO;
17 |
18 | namespace NtApiDotNet.Utilities.ASN1
19 | {
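/// <summary>
/// A basic ASN.1 DER parser to process Kerberos and SPNEGO Tokens.
/// </summary>
/// <remarks>
/// Authentication tokens are normally supplied by a remote peer, so the input has
/// to be treated as untrusted: nesting depth is bounded and malformed data surfaces
/// as an exception rather than as unbounded recursion.
/// </remarks>
internal class DERParser
{
    // Maximum nesting of constructed values accepted by the parser. Every level
    // costs the sender only a couple of bytes, so without a limit a small token
    // could exhaust the stack, which terminates the process and cannot be caught.
    // The value is deliberately generous; raise it if legitimate tokens nest deeper.
    private const int MaxDepth = 128;

    /// <summary>
    /// Parses every DER value found in <paramref name="data"/> starting at <paramref name="index"/>.
    /// </summary>
    /// <param name="offset">Offset passed to ReadValue for each parsed value.</param>
    /// <param name="data">The buffer to parse.</param>
    /// <param name="index">Index in the buffer where parsing starts.</param>
    /// <param name="depth">Current nesting depth, 0 for the outermost call.</param>
    /// <returns>The parsed values, with children populated for constructed values.</returns>
    /// <exception cref="EndOfStreamException">Thrown when the nesting limit is exceeded.</exception>
    private static DERValue[] ParseData(long offset, byte[] data, int index, int depth)
    {
        if (depth > MaxDepth)
        {
            // EndOfStreamException is used so that callers which already treat it as
            // "could not parse" (the token TryParse methods) reject the input cleanly.
            throw new EndOfStreamException("ASN.1 DER data is nested too deeply.");
        }

        List<DERValue> values = new List<DERValue>();
        using (MemoryStream stm = new MemoryStream())
        {
            stm.Write(data, index, data.Length - index);
            stm.Position = 0;
            using (BinaryReader reader = new BinaryReader(stm))
            {
                while (reader.RemainingLength() > 0)
                {
                    DERValue v = reader.ReadValue(offset);
                    if (v.Constructed)
                    {
                        v.Children = ParseData(v.DataOffset, v.Data, 0, depth + 1);
                    }
                    values.Add(v);
                }
            }
        }
        return values.ToArray();
    }

    /// <summary>
    /// Parses DER encoded data from a byte array.
    /// </summary>
    /// <param name="data">The buffer to parse.</param>
    /// <param name="index">Index in the buffer where parsing starts.</param>
    /// <returns>The top level values.</returns>
    public static DERValue[] ParseData(byte[] data, int index)
    {
        return ParseData(0, data, index, 0);
    }

    /// <summary>
    /// Parses DER encoded data from a file. The whole file is read into memory.
    /// </summary>
    /// <param name="path">Path to the file.</param>
    /// <returns>The top level values.</returns>
    public static DERValue[] ParseFile(string path)
    {
        return ParseData(File.ReadAllBytes(path), 0);
    }
}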
54 | }
55 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Debugger/EnumTypeInformation.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Collections.Generic;
16 |
17 | namespace NtApiDotNet.Win32.Debugger
18 | {
/// <summary>
/// Enumerated type value.
/// </summary>
public sealed class EnumTypeInformationValue
{
    private readonly string _name;
    private readonly long _value;

    /// <summary>
    /// Name of the value.
    /// </summary>
    public string Name => _name;

    /// <summary>
    /// The value as an int64.
    /// </summary>
    public long Value => _value;

    /// <summary>
    /// Creates a name/value pair for one member of an enumerated type.
    /// </summary>
    /// <param name="name">Name of the value.</param>
    /// <param name="value">The value as an int64.</param>
    internal EnumTypeInformationValue(string name, long value)
    {
        _name = name;
        _value = value;
    }
}
39 |
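/// <summary>
/// Symbol information for an enumerated type.
/// </summary>
public class EnumTypeInformation : TypeInformation
{
    /// <summary>
    /// Get the values for the enumerated type.
    /// </summary>
    /// <remarks>The collection passed to the constructor is stored as-is, not copied.</remarks>
    public ICollection<EnumTypeInformationValue> Values { get; }

    /// <summary>
    /// Creates the type information for an enumerated type.
    /// </summary>
    /// <param name="size">Size of the type, forwarded to the base class.</param>
    /// <param name="type_index">Type index, forwarded to the base class.</param>
    /// <param name="module">The module, forwarded to the base class.</param>
    /// <param name="name">Name of the type, forwarded to the base class.</param>
    /// <param name="values">The values of the enumerated type.</param>
    internal EnumTypeInformation(long size, int type_index, SymbolLoadedModule module,
        string name, ICollection<EnumTypeInformationValue> values)
        : base(SymTagEnum.SymTagEnum, size, type_index, module, name)
    {
        Values = values;
    }
}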
57 | }
58 |
--------------------------------------------------------------------------------
/NtApiDotNet/NtStructures.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2016 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
18 | namespace NtApiDotNet
19 | {
20 | #pragma warning disable 1591
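/// <summary>
/// 64-bit integer which can also be accessed as its low and high 32-bit parts.
/// </summary>
/// <remarks>LowPart and HighPart overlay QuadPart through explicit field offsets.</remarks>
[StructLayout(LayoutKind.Explicit)]
public class LargeInteger
{
    [FieldOffset(0)]
    public uint LowPart;
    [FieldOffset(4)]
    public int HighPart;
    [FieldOffset(0)]
    public long QuadPart;

    /// <summary>
    /// Creates a value of zero.
    /// </summary>
    public LargeInteger()
    {
    }

    /// <summary>
    /// Creates a value from a 64-bit integer.
    /// </summary>
    /// <param name="value">The 64-bit value.</param>
    public LargeInteger(long value)
    {
        QuadPart = value;
    }

    /// <summary>
    /// Interprets the value as a file time and converts it to a DateTime.
    /// </summary>
    /// <returns>The converted time, or DateTime.MinValue if the value is not a valid file time.</returns>
    internal DateTime ToDateTime()
    {
        // Values coming back from native calls can be out of range (for example a
        // negative value or an all-bits-set "never" marker). Map them to MinValue,
        // as LargeIntegerStruct.ToDateTime does, instead of throwing.
        try
        {
            return DateTime.FromFileTime(QuadPart);
        }
        catch (ArgumentException)
        {
            return DateTime.MinValue;
        }
    }
}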
45 |
/// <summary>
/// Value type form of a 64-bit integer which can also be accessed as its low and
/// high 32-bit parts.
/// </summary>
/// <remarks>LowPart and HighPart overlay QuadPart through explicit field offsets.</remarks>
[StructLayout(LayoutKind.Explicit)]
public struct LargeIntegerStruct
{
    [FieldOffset(0)]
    public uint LowPart;
    [FieldOffset(4)]
    public int HighPart;
    [FieldOffset(0)]
    public long QuadPart;

    /// <summary>
    /// Interprets the value as a file time and converts it to a DateTime.
    /// </summary>
    /// <returns>The converted time, or DateTime.MinValue if the value is not a valid file time.</returns>
    internal DateTime ToDateTime()
    {
        DateTime converted;
        try
        {
            converted = DateTime.FromFileTime(QuadPart);
        }
        catch (ArgumentException)
        {
            // Out of range values are reported as MinValue rather than as an error.
            converted = DateTime.MinValue;
        }
        return converted;
    }
}
68 | #pragma warning restore 1591
69 | }
70 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Policy/LsaPolicyAccessRights.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 |
17 | namespace NtApiDotNet.Win32.Security.Policy
18 | {
/// <summary>
/// Access rights for an LSA policy object.
/// </summary>
/// <remarks>
/// The low 13 bits are the policy specific rights; the remaining members mirror
/// <see cref="GenericAccessRights"/>. Several of the specific rights are highly
/// privileged (for example GetPrivateInformation and CreateSecret), so request
/// only the rights an operation needs rather than GenericAll or MaximumAllowed.
/// </remarks>
[Flags]
internal enum LsaPolicyAccessRights : uint
{
    ViewLocalInformation = 1u << 0,     // POLICY_VIEW_LOCAL_INFORMATION
    ViewAuditInformation = 1u << 1,     // POLICY_VIEW_AUDIT_INFORMATION
    GetPrivateInformation = 1u << 2,    // POLICY_GET_PRIVATE_INFORMATION
    TrustAdmin = 1u << 3,               // POLICY_TRUST_ADMIN
    CreateAccount = 1u << 4,            // POLICY_CREATE_ACCOUNT
    CreateSecret = 1u << 5,             // POLICY_CREATE_SECRET
    CreatePrivilege = 1u << 6,          // POLICY_CREATE_PRIVILEGE
    SetDefaultQuotaLimits = 1u << 7,    // POLICY_SET_DEFAULT_QUOTA_LIMITS
    SetAuditRequirements = 1u << 8,     // POLICY_SET_AUDIT_REQUIREMENTS
    AuditLogAdmin = 1u << 9,            // POLICY_AUDIT_LOG_ADMIN
    ServerAdmin = 1u << 10,             // POLICY_SERVER_ADMIN
    LookupNames = 1u << 11,             // POLICY_LOOKUP_NAMES
    Notification = 1u << 12,            // POLICY_NOTIFICATION

    // Generic and standard rights shared with every other access mask.
    GenericRead = GenericAccessRights.GenericRead,
    GenericWrite = GenericAccessRights.GenericWrite,
    GenericExecute = GenericAccessRights.GenericExecute,
    GenericAll = GenericAccessRights.GenericAll,
    Delete = GenericAccessRights.Delete,
    ReadControl = GenericAccessRights.ReadControl,
    WriteDac = GenericAccessRights.WriteDac,
    WriteOwner = GenericAccessRights.WriteOwner,
    Synchronize = GenericAccessRights.Synchronize,
    MaximumAllowed = GenericAccessRights.MaximumAllowed,
    AccessSystemSecurity = GenericAccessRights.AccessSystemSecurity,
}
47 | }
48 |
--------------------------------------------------------------------------------
/NtApiDotNet/SafeHandleListHandle.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Collections.Generic;
17 | using System.Linq;
18 | using System.Runtime.InteropServices;
19 |
20 | namespace NtApiDotNet
21 | {
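/// <summary>
/// Unmanaged buffer holding an array of raw kernel handle values, which also owns
/// the handle objects the values were taken from.
/// </summary>
/// <remarks>
/// The raw values written to the buffer stay valid only while this object is alive,
/// because releasing it disposes the owned handles.
/// </remarks>
internal sealed class SafeHandleListHandle : SafeHGlobalBuffer
{
    private DisposableList<SafeKernelObjectHandle> _handles;

    // Works on an already materialized list so the sequence is enumerated exactly
    // once for both sizing the buffer and taking ownership of the handles.
    private SafeHandleListHandle(List<SafeKernelObjectHandle> handles)
        : base(IntPtr.Size * handles.Count)
    {
        _handles = handles.ToDisposableList();
        for (int i = 0; i < _handles.Count; ++i)
        {
            Marshal.WriteIntPtr(handle, i * IntPtr.Size, _handles[i].DangerousGetHandle());
        }
    }

    /// <summary>
    /// Creates the buffer and takes ownership of the supplied handles.
    /// </summary>
    /// <param name="handles">The handles to write to the buffer. Enumerated once.</param>
    public SafeHandleListHandle(IEnumerable<SafeKernelObjectHandle> handles)
        // Materialize first: the sequence may be lazy (see CreateAndDuplicate), and
        // enumerating it twice would duplicate every handle twice and strand one set.
        : this(handles.ToList())
    {
    }

    /// <summary>
    /// Creates the buffer from duplicates of the supplied handles.
    /// </summary>
    /// <param name="handles">The handles to duplicate. The originals are not owned.</param>
    /// <returns>The buffer owning the duplicated handles.</returns>
    public static SafeHandleListHandle CreateAndDuplicate(IEnumerable<SafeKernelObjectHandle> handles)
    {
        return new SafeHandleListHandle(handles.Select(h => NtObject.DuplicateHandle(h)));
    }

    /// <summary>
    /// Creates the buffer from duplicates of the handles of the supplied objects.
    /// </summary>
    /// <param name="handles">The objects whose handles are duplicated.</param>
    /// <returns>The buffer owning the duplicated handles.</returns>
    public static SafeHandleListHandle CreateAndDuplicate(IEnumerable<NtObject> handles)
    {
        return CreateAndDuplicate(handles.Select(h => h.Handle));
    }

    /// <summary>
    /// Disposes the owned handles, then frees the buffer.
    /// </summary>
    /// <returns>The result of the base release.</returns>
    protected override bool ReleaseHandle()
    {
        // _handles is still null if construction failed before it was assigned.
        _handles?.Dispose();
        return base.ReleaseHandle();
    }
}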
53 | }
54 |
--------------------------------------------------------------------------------
/NtApiDotNet/Ndr/Marshal/NdrInterfacePointer.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using NtApiDotNet.Win32.Rpc;
16 |
17 | namespace NtApiDotNet.Ndr.Marshal
18 | {
/// <summary>
/// Class to represent an NDR interface pointer.
/// </summary>
/// <remarks>
/// After unmarshalling, <see cref="Data"/> holds bytes supplied by the other side of
/// the RPC call; treat it as untrusted until it has been validated by the consumer.
/// </remarks>
public struct NdrInterfacePointer : INdrConformantStructure
{
    /// <summary>
    /// The marshaled interface data.
    /// </summary>
    public byte[] Data { get; set; }

    /// <summary>
    /// Constructor.
    /// </summary>
    /// <param name="data">The marshaled interface data.</param>
    public NdrInterfacePointer(byte[] data)
    {
        Data = data;
    }

    // The structure has a single conformant dimension.
    int INdrConformantStructure.GetConformantDimensions() => 1;

    // Writes the length followed by the data as a conformant byte array.
    // Data must not be null; CheckNull rejects it before anything is written.
    void INdrStructure.Marshal(NdrMarshalBuffer marshal)
    {
        RpcUtils.CheckNull(Data, "Data");
        int byte_count = Data.Length;
        marshal.WriteInt32(byte_count);
        marshal.WriteConformantByteArray(Data, byte_count);
    }

    // Reads the structure back. The leading length field is consumed but not used;
    // the array read determines how many bytes end up in Data.
    void INdrStructure.Unmarshal(NdrUnmarshalBuffer unmarshal)
    {
        unmarshal.ReadInt32(); // length.
        Data = unmarshal.ReadConformantByteArray();
    }

    // The structure is aligned on a 4 byte boundary.
    int INdrStructure.GetAlignment() => 4;
}
61 | }
62 |
--------------------------------------------------------------------------------
/NtApiDotNet/NtLdr.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 |
17 | namespace NtApiDotNet
18 | {
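/// <summary>
/// LDR static methods.
/// </summary>
public static class NtLdr
{
    /// <summary>
    /// Get address of a procedure in a mapped image.
    /// </summary>
    /// <param name="dll_handle">The handle to the mapped image.</param>
    /// <param name="name">The name of the procedure to find.</param>
    /// <param name="throw_on_error">True to throw on error.</param>
    /// <returns>The procedure address.</returns>
    public static NtResult<IntPtr> GetProcedureAddress(IntPtr dll_handle, string name, bool throw_on_error)
    {
        // The name is looked up as an ANSI string; the ordinal argument is always 0.
        AnsiString ansi_name = new AnsiString(name);
        var status = NtLdrNative.LdrGetProcedureAddress(dll_handle, ansi_name, 0, out IntPtr addr);
        return status.CreateResult(throw_on_error, () => addr);
    }

    /// <summary>
    /// Get address of a procedure in a mapped image.
    /// </summary>
    /// <param name="dll_handle">The handle to the mapped image.</param>
    /// <param name="name">The name of the procedure to find.</param>
    /// <returns>The procedure address.</returns>
    /// <remarks>Throws on error, as it calls the overload above with throw_on_error set.</remarks>
    public static IntPtr GetProcedureAddress(IntPtr dll_handle, string name)
    {
        return GetProcedureAddress(dll_handle, name, true).Result;
    }
}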
48 | }
49 |
--------------------------------------------------------------------------------
/NtApiDotNet/Utilities/Memory/IMemoryReader.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2018 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.IO;
17 | using System.Runtime.InteropServices;
18 |
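namespace NtApiDotNet.Utilities.Memory
{
    /// <summary>
    /// Implemented by fixed-size structures which can be converted to a native sized value.
    /// </summary>
    /// <typeparam name="T">The native sized type.</typeparam>
    internal interface IConvertToNative<T> where T : struct
    {
        T Convert();
    }

    /// <summary>
    /// 32-bit signed pointer value, convertible to a native IntPtr.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    internal struct IntPtr32 : IConvertToNative<IntPtr>
    {
        public int value;

        /// <summary>
        /// Converts to a native IntPtr.
        /// </summary>
        /// <remarks>
        /// The value is signed, so in a 64-bit process a 32-bit value with the top bit
        /// set is sign extended. NOTE(review): confirm callers never use the result as
        /// an address in a 32-bit target which can map memory above 2GB.
        /// </remarks>
        public IntPtr Convert() => new IntPtr(value);
    }

    /// <summary>
    /// 32-bit unsigned pointer value, convertible to a native UIntPtr.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    internal struct UIntPtr32 : IConvertToNative<UIntPtr>
    {
        public uint value;

        /// <summary>
        /// Converts to a native UIntPtr. The value is zero extended.
        /// </summary>
        public UIntPtr Convert() => new UIntPtr(value);
    }

    /// <summary>
    /// Abstraction over reading typed values from memory at a given address.
    /// </summary>
    /// <remarks>
    /// Implementations decide how an invalid address or length is reported; values
    /// read from another process should be treated as untrusted by the caller.
    /// </remarks>
    internal interface IMemoryReader
    {
        byte ReadByte(IntPtr address);
        byte[] ReadBytes(IntPtr address, int length);
        short ReadInt16(IntPtr address);
        IntPtr ReadIntPtr(IntPtr address);
        int ReadInt32(IntPtr address);
        T ReadStruct<T>(IntPtr address) where T : struct;
        T[] ReadArray<T>(IntPtr address, int count) where T : struct;
        BinaryReader GetReader(IntPtr address);
        // True if the reader reads from the current process.
        bool InProcess { get; }
        // Size in bytes of a pointer in the memory being read.
        int PointerSize { get; }
        string ReadAnsiStringZ(IntPtr address);
    }
}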
63 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/DirectoryService/DirectoryServiceAccessRights.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 |
17 | namespace NtApiDotNet.Win32.DirectoryService
18 | {
19 | #pragma warning disable 1591
/// <summary>
/// Access rights for Active Directory Services.
/// </summary>
/// <remarks>
/// The low 9 bits are the directory specific rights; the remaining members mirror
/// <see cref="GenericAccessRights"/>. <see cref="All"/> combines every directory
/// specific right with Delete, ReadControl, WriteDac and WriteOwner; it does not
/// include Synchronize or AccessSystemSecurity.
/// </remarks>
[Flags]
public enum DirectoryServiceAccessRights : uint
{
    None = 0,
    CreateChild = 1u << 0,
    DeleteChild = 1u << 1,
    List = 1u << 2,
    Self = 1u << 3,
    ReadProp = 1u << 4,
    WriteProp = 1u << 5,
    DeleteTree = 1u << 6,
    ListObject = 1u << 7,
    ControlAccess = 1u << 8,
    All = WriteOwner | WriteDac | ReadControl | Delete | ControlAccess | ListObject |
        DeleteTree | WriteProp | ReadProp | Self | List | CreateChild | DeleteChild,

    // Generic and standard rights shared with every other access mask.
    GenericRead = GenericAccessRights.GenericRead,
    GenericWrite = GenericAccessRights.GenericWrite,
    GenericExecute = GenericAccessRights.GenericExecute,
    GenericAll = GenericAccessRights.GenericAll,
    Delete = GenericAccessRights.Delete,
    ReadControl = GenericAccessRights.ReadControl,
    WriteDac = GenericAccessRights.WriteDac,
    WriteOwner = GenericAccessRights.WriteOwner,
    Synchronize = GenericAccessRights.Synchronize,
    MaximumAllowed = GenericAccessRights.MaximumAllowed,
    AccessSystemSecurity = GenericAccessRights.AccessSystemSecurity,
}
50 | }
51 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Authentication/Negotiate/NegotiateAuthenticationToken.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.IO;
16 |
17 | namespace NtApiDotNet.Win32.Security.Authentication.Negotiate
18 | {
/// <summary>
/// SPNEGO Authentication Token.
/// </summary>
public class NegotiateAuthenticationToken : ASN1AuthenticationToken
{
    internal NegotiateAuthenticationToken(byte[] data)
        : base(data)
    {
    }

    #region Internal Static Methods
    /// <summary>
    /// Try and parse data into an Negotiate authentication token.
    /// </summary>
    /// <param name="data">The data to parse.</param>
    /// <param name="token_count">The token count number. Not used by this method.</param>
    /// <param name="client">True if this is a token from a client. Not used by this method.</param>
    /// <param name="token">The Negotiate authentication token, or null on failure.</param>
    /// <returns>True if parsed successfully.</returns>
    /// <remarks>
    /// Only <see cref="EndOfStreamException"/> is treated as a parse failure.
    /// NOTE(review): confirm the base constructor cannot throw any other exception
    /// type for malformed input, otherwise it propagates out of this Try method.
    /// </remarks>
    internal static bool TryParse(byte[] data, int token_count, bool client, out NegotiateAuthenticationToken token)
    {
        NegotiateAuthenticationToken parsed;
        try
        {
            parsed = new NegotiateAuthenticationToken(data);
        }
        catch (EndOfStreamException)
        {
            token = null;
            return false;
        }

        token = parsed;
        return true;
    }
    #endregion
}
53 | }
54 |
--------------------------------------------------------------------------------
/NtApiDotNet/NtException.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2016 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 |
17 | namespace NtApiDotNet
18 | {
/// <summary>
/// Exception class representing an NT status error.
/// </summary>
[Serializable]
public class NtException : ApplicationException
{
    /// <summary>
    /// Constructor
    /// </summary>
    /// <param name="status">Status result</param>
    public NtException(NtStatus status)
    {
        Status = status;
    }

    /// <summary>
    /// Returns the contained NT status code
    /// </summary>
    public NtStatus Status { get; }

    /// <summary>
    /// Returns a string form of the NT status code.
    /// </summary>
    /// <remarks>
    /// The text is the system message for the status if one is available, otherwise
    /// the enumeration name, otherwise a fixed "unknown" marker. It is always
    /// prefixed with the status value as 8 hexadecimal digits.
    /// </remarks>
    public override string Message
    {
        get
        {
            string text = NtObjectUtils.GetNtStatusMessage(Status);
            if (string.IsNullOrEmpty(text))
            {
                // No system message: fall back to the enumeration name when the
                // status is a known value.
                text = Enum.IsDefined(typeof(NtStatus), Status)
                    ? Status.ToString()
                    : "Unknown NTSTATUS";
            }

            return $"(0x{(uint)Status:X08}) - {text}";
        }
    }
}
63 |
64 | }
65 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Authentication/GSSAPIUtils.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using NtApiDotNet.Utilities.ASN1;
16 | using System;
17 | using System.IO;
18 |
19 | namespace NtApiDotNet.Win32.Security.Authentication
20 | {
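/// <summary>
/// Utilities for parsing a GSS-API token.
/// </summary>
internal static class GSSAPIUtils
{
    #region Internal Static Methods
    /// <summary>
    /// Try and split a GSS-API token into its mechanism OID and inner token.
    /// </summary>
    /// <param name="data">The data to parse. A null value is reported as a failure.</param>
    /// <param name="token">The inner token following the OID, or null on failure.</param>
    /// <param name="oid">The mechanism OID, or an empty string on failure.</param>
    /// <returns>True if parsed successfully.</returns>
    /// <remarks>
    /// The data is expected to start with tag 0x60 followed by a DER length, and the
    /// content to start with an OBJECT IDENTIFIER (tag 0x06). Bytes after the outer
    /// length are ignored.
    /// NOTE(review): only EndOfStreamException is treated as a parse failure; confirm
    /// that DERUtils.ReadLength, DERUtils.ReadObjID and ReadAllBytes cannot throw any
    /// other exception type for malformed input (for example an oversized or negative
    /// length), otherwise it propagates out of this Try method.
    /// </remarks>
    internal static bool TryParse(byte[] data, out byte[] token, out string oid)
    {
        token = null;
        oid = string.Empty;
        if (data == null)
        {
            return false;
        }

        try
        {
            using (BinaryReader outer = new BinaryReader(new MemoryStream(data)))
            {
                if (outer.ReadByte() != 0x60)
                {
                    return false;
                }

                int length = DERUtils.ReadLength(outer);
                byte[] inner_token = outer.ReadAllBytes(length);
                using (BinaryReader inner = new BinaryReader(new MemoryStream(inner_token)))
                {
                    if (inner.ReadByte() != 0x06)
                    {
                        return false;
                    }

                    int oid_length = DERUtils.ReadLength(inner);
                    string parsed_oid = DERUtils.ReadObjID(inner.ReadAllBytes(oid_length));
                    byte[] parsed_token = inner.ReadAllBytes((int)inner.RemainingLength());

                    // Publish the results only once everything has parsed, so a
                    // failure never leaves the out parameters half populated.
                    oid = parsed_oid;
                    token = parsed_token;
                    return true;
                }
            }
        }
        catch (EndOfStreamException)
        {
            return false;
        }
    }
    #endregion
}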
55 | }
56 |
--------------------------------------------------------------------------------
/NtApiDotNet/Utilities/SafeBuffers/SafeGuidArrayBuffer.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Linq;
17 |
18 | namespace NtApiDotNet.Utilities.SafeBuffers
19 | {
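/// <summary>
/// A buffer which contains an array of GUID pointers.
/// </summary>
/// <remarks>
/// The buffer starts with one pointer per GUID, followed by the GUID values the
/// pointers refer to. The pointers are only valid while the buffer is alive.
/// </remarks>
public class SafeGuidArrayBuffer : SafeHGlobalBuffer
{
    // Size in bytes of one GUID in the buffer.
    private const int GuidSize = 16;

    // Total size: a pointer plus a GUID for every entry. The multiplication is
    // checked so an oversized array fails here instead of wrapping around and
    // producing an allocation smaller than the data written to it.
    private static int CalculateSize(Guid[] guids)
    {
        if (guids == null)
        {
            throw new ArgumentNullException(nameof(guids));
        }
        return checked(guids.Length * (IntPtr.Size + GuidSize));
    }

    private SafeGuidArrayBuffer()
        : base(IntPtr.Zero, 0, false)
    {
    }

    /// <summary>
    /// The count of GUIDs.
    /// </summary>
    public int Count { get; }

    /// <summary>
    /// Constructor.
    /// </summary>
    /// <param name="guids">The list of GUIDs.</param>
    /// <exception cref="ArgumentNullException">Thrown if <paramref name="guids"/> is null.</exception>
    /// <exception cref="OverflowException">Thrown if the required size does not fit in an int.</exception>
    public SafeGuidArrayBuffer(Guid[] guids)
        : base(CalculateSize(guids))
    {
        Count = guids.Length;
        // Offset of the first GUID value; always below the total size validated above.
        int guid_base = guids.Length * IntPtr.Size;
        IntPtr base_address = DangerousGetHandle();
        IntPtr[] ptrs = Enumerable.Range(0, guids.Length)
            .Select(i => base_address + (i * GuidSize + guid_base))
            .ToArray();
        WriteArray(0, ptrs, 0, ptrs.Length);
        WriteArray((ulong)guid_base, guids, 0, guids.Length);
    }

    /// <summary>
    /// Get NULL safe buffer.
    /// </summary>
    public new static SafeGuidArrayBuffer Null => new SafeGuidArrayBuffer();
}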
59 | }
60 |
--------------------------------------------------------------------------------
/NtApiDotNet/PrivilegeCheckResult.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Collections.Generic;
16 | using System.Linq;
17 |
18 | namespace NtApiDotNet
19 | {
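/// <summary>
/// The result of a privilege check.
/// </summary>
public class PrivilegeCheckResult
{
    /// <summary>
    /// The list of privileges from the result.
    /// </summary>
    public IEnumerable<TokenPrivilege> Privileges { get; }

    /// <summary>
    /// The list of enabled privileges.
    /// </summary>
    /// <remarks>
    /// These are the entries of <see cref="Privileges"/> flagged as used for access.
    /// The filter is evaluated each time the property is enumerated.
    /// </remarks>
    public IEnumerable<TokenPrivilege> EnabledPrivileges => Privileges.Where(p => p.UsedForAccess);

    /// <summary>
    /// True indicates all privileges were held.
    /// </summary>
    public bool AllPrivilegesHeld { get; }

    /// <summary>
    /// Creates the result from an existing sequence of privileges.
    /// </summary>
    /// <param name="privileges">The privileges; stored as-is, not copied.</param>
    /// <param name="all_privileges_held">True if all privileges were held.</param>
    internal PrivilegeCheckResult(IEnumerable<TokenPrivilege> privileges, bool all_privileges_held)
    {
        Privileges = privileges;
        AllPrivilegesHeld = all_privileges_held;
    }

    /// <summary>
    /// Creates the result by reading the privilege set out of a native buffer.
    /// </summary>
    /// <param name="privileges">The buffer containing the privilege set.</param>
    /// <param name="all_privileges_held">True if all privileges were held.</param>
    internal PrivilegeCheckResult(SafePrivilegeSetBuffer privileges, bool all_privileges_held)
    {
        // The entry count comes from the buffer header. NOTE(review): presumably
        // ReadArray bounds-checks against the buffer size - confirm, since the count
        // is not validated here.
        var result = privileges.Result;
        LuidAndAttributes[] luids = new LuidAndAttributes[result.PrivilegeCount];
        privileges.Data.ReadArray(0, luids, 0, luids.Length);

        // Copy into a read-only managed list so the result does not depend on the
        // lifetime of the native buffer.
        Privileges = luids.Select(l => new TokenPrivilege(l.Luid, l.Attributes)).ToList().AsReadOnly();
        AllPrivilegesHeld = all_privileges_held;
    }
}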
53 | }
54 |
--------------------------------------------------------------------------------
/NtApiDotNet/Ndr/Marshal/NdrDataRepresentation.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Ndr.Marshal
16 | {
17 | #pragma warning disable 1591
/// <summary>
/// NDR integer representation.
/// </summary>
// NOTE(review): the DCE/RPC format label encodes big-endian as 0 and
// little-endian as 1, the reverse of these numeric values, so a wire value
// should not be cast straight to this enum. Confirm how the parser maps it.
public enum NdrIntegerRepresentation
{
    LittleEndian = 0,
    BigEndian = 1
}
26 |
/// <summary>
/// NDR character representation.
/// </summary>
public enum NdrCharacterRepresentation
{
    ASCII = 0,
    EBCDIC = 1
}
35 |
/// <summary>
/// NDR floating point representation.
/// </summary>
public enum NdrFloatingPointRepresentation
{
    IEEE = 0,
    VAX = 1,
    Cray = 2,
    IBM = 3
}
46 |
/// <summary>
/// Definition of the NDR data representation for an NDR stream.
/// </summary>
/// <remarks>
/// This is a mutable value type, so assigning or passing it copies all three
/// settings. A default-initialised instance has every property at its enum's
/// zero member.
/// NOTE(review): when this is filled from a peer's message the values are
/// attacker-influenced; presumably the unmarshaller rejects representations
/// it does not implement. Confirm in the decoding code.
/// </remarks>
public struct NdrDataRepresentation
{
    /// <summary>
    /// The integer representation of the NDR data.
    /// </summary>
    public NdrIntegerRepresentation IntegerRepresentation { get; set; }
    /// <summary>
    /// The character representation of the NDR data.
    /// </summary>
    public NdrCharacterRepresentation CharacterRepresentation { get; set; }
    /// <summary>
    /// The floating representation of the NDR data.
    /// </summary>
    public NdrFloatingPointRepresentation FloatingPointRepresentation { get; set; }
}
65 | #pragma warning restore 1591
66 | }
67 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/DirectoryService/DirectoryServiceUtils.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet.Win32.DirectoryService
16 | {
/// <summary>
/// Class implementing various utilities for directory services.
/// </summary>
public static class DirectoryServiceUtils
{
    /// <summary>
    /// Get the generic mapping for directory services.
    /// </summary>
    /// <returns>The directory services generic mapping.</returns>
    public static GenericMapping GenericMapping
    {
        get
        {
            // NOTE(review): the DS_GENERIC_* definitions in the Windows SDK
            // also include the standard rights (e.g. READ_CONTROL) in each
            // generic mask. Only directory-service specific rights are
            // combined here; confirm that is intentional, since an access
            // check expanded through this mapping would not report the
            // standard rights for a generic request.
            var read_rights = DirectoryServiceAccessRights.ReadProp
                | DirectoryServiceAccessRights.List
                | DirectoryServiceAccessRights.ListObject;
            var write_rights = DirectoryServiceAccessRights.Self
                | DirectoryServiceAccessRights.WriteProp;

            return new GenericMapping
            {
                GenericRead = read_rights,
                GenericWrite = write_rights,
                GenericExecute = DirectoryServiceAccessRights.List,
                GenericAll = DirectoryServiceAccessRights.All
            };
        }
    }

    /// <summary>
    /// Get a fake NtType for Directory Services.
    /// </summary>
    /// <returns>The fake Directory Services NtType</returns>
    public static NtType NtType
    {
        get
        {
            // A new instance is built on every access; it is not cached.
            return new NtType(
                "DirectoryService",
                GenericMapping,
                typeof(DirectoryServiceAccessRights),
                typeof(DirectoryServiceAccessRights),
                MandatoryLabelPolicy.NoWriteUp);
        }
    }
}
49 | }
50 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Audit/AuditPolicyFlags.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 |
17 | namespace NtApiDotNet.Win32.Security.Audit
18 | {
/// <summary>
/// Audit policy flags.
/// </summary>
/// <remarks>
/// <see cref="Unchanged"/> is the zero value, so it is what a
/// default-initialised variable holds and <c>HasFlag(Unchanged)</c> is always
/// true. Turning auditing off is the explicit <see cref="None"/> bit, not zero.
/// </remarks>
[Flags]
public enum AuditPolicyFlags
{
    /// <summary>
    /// Set unchanged.
    /// </summary>
    Unchanged = 0x0,

    /// <summary>
    /// Audit on success.
    /// </summary>
    Success = 0x1,

    /// <summary>
    /// Audit on failure.
    /// </summary>
    Failure = 0x2,

    /// <summary>
    /// Audit nothing.
    /// </summary>
    None = 0x4,
}
42 |
/// <summary>
/// Per user policy flags.
/// </summary>
/// <remarks>
/// <see cref="Unchanged"/> is the zero value; clearing per-user auditing is
/// the explicit <see cref="None"/> bit, not zero.
/// </remarks>
[Flags]
public enum AuditPerUserPolicyFlags
{
    /// <summary>
    /// Set unchanged.
    /// </summary>
    Unchanged = 0x00,

    /// <summary>
    /// Audit on success included.
    /// </summary>
    SuccessInclude = 0x01,

    /// <summary>
    /// Audit on success excluded.
    /// </summary>
    SuccessExclude = 0x02,

    /// <summary>
    /// Audit on failure included.
    /// </summary>
    FailureInclude = 0x04,

    /// <summary>
    /// Audit on failure excluded.
    /// </summary>
    FailureExclude = 0x08,

    /// <summary>
    /// Audit nothing.
    /// </summary>
    None = 0x10
}
74 | }
75 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/RpcClient.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using NtApiDotNet.Ndr.Marshal;
16 | using NtApiDotNet.Win32.Rpc;
17 | using System;
18 |
19 | namespace NtApiDotNet.Win32
20 | {
/// <summary>
/// Generic RPC client.
/// </summary>
public sealed class RpcClient : RpcClientBase
{
    /// <summary>
    /// Constructor.
    /// </summary>
    /// <param name="interface_id">The interface ID.</param>
    /// <param name="interface_version">Version of the interface.</param>
    public RpcClient(Guid interface_id, Version interface_version)
        : base(interface_id, interface_version)
    {
    }

    /// <summary>
    /// Constructor.
    /// </summary>
    /// <param name="server">The RPC server to bind to.</param>
    public RpcClient(RpcServer server)
        : this(server.InterfaceId, server.InterfaceVersion)
    {
    }

    /// <summary>
    /// Send and receive an RPC message.
    /// </summary>
    /// <param name="proc_num">The procedure number.</param>
    /// <param name="ndr_buffer">Marshal NDR buffer for the call.</param>
    /// <returns>Unmarshal NDR buffer for the result.</returns>
    /// <remarks>
    /// The returned buffer wraps whatever the server sent back, so callers
    /// should treat everything unmarshalled from it as untrusted input.
    /// </remarks>
    public NdrUnmarshalBuffer SendReceive(int proc_num, NdrMarshalBuffer ndr_buffer)
    {
        // Pull the request pieces out in the same order the call consumes them.
        var request_representation = ndr_buffer.DataRepresentation;
        var request_data = ndr_buffer.ToArray();
        var request_handles = ndr_buffer.Handles;

        var reply = SendReceive(proc_num, request_representation, request_data, request_handles);

        return new NdrUnmarshalBuffer(reply.NdrBuffer, reply.Handles, reply.DataRepresentation);
    }
}
58 | }
59 |
--------------------------------------------------------------------------------
/NtApiDotNet/SecurityDescriptorSid.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2016 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace NtApiDotNet
16 | {
/// <summary>
/// A security descriptor SID which maintains defaulted state.
/// </summary>
public sealed class SecurityDescriptorSid
{
    /// <summary>
    /// The SID.
    /// </summary>
    public Sid Sid { get; set; }

    /// <summary>
    /// Indicates whether the SID was defaulted or not.
    /// </summary>
    public bool Defaulted { get; set; }

    /// <summary>
    /// Constructor from existing SID.
    /// </summary>
    /// <param name="sid">The SID.</param>
    /// <param name="defaulted">Whether the SID was defaulted or not.</param>
    public SecurityDescriptorSid(Sid sid, bool defaulted)
    {
        Defaulted = defaulted;
        Sid = sid;
    }

    /// <summary>
    /// Convert to a string.
    /// </summary>
    /// <returns>The string form of the SID</returns>
    public override string ToString() => $"{Sid} - Defaulted: {Defaulted}";

    /// <summary>
    /// Clone the security descriptor SID.
    /// </summary>
    /// <returns>The cloned SID.</returns>
    /// <remarks>
    /// The clone holds the same <see cref="Sid"/> reference as the original;
    /// only the wrapper object is new.
    /// </remarks>
    public SecurityDescriptorSid Clone() => new SecurityDescriptorSid(Sid, Defaulted);
}
68 | }
69 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Debugger/ISymbolTypeResolver.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Collections.Generic;
17 |
18 | namespace NtApiDotNet.Win32.Debugger
19 | {
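/// <summary>
/// Interface for symbol type resolver.
/// </summary>
public interface ISymbolTypeResolver
{
    /// <summary>
    /// Query types in a module.
    /// </summary>
    /// <param name="base_address">The base address of the module.</param>
    /// <returns>The list of types.</returns>
    IEnumerable<TypeInformation> QueryTypes(IntPtr base_address);

    /// <summary>
    /// Query names of types in a module.
    /// </summary>
    /// <param name="base_address">The base address of the module.</param>
    /// <returns>The list of type names.</returns>
    IEnumerable<string> QueryTypeNames(IntPtr base_address);

    /// <summary>
    /// Get a type by name.
    /// </summary>
    /// <param name="base_address">The base address of the module containing the type.</param>
    /// <param name="name">The name of the type.</param>
    /// <returns>
    /// The type information for the named type. What an implementation does
    /// when the name is not found is not specified by this interface.
    /// </returns>
    TypeInformation GetTypeByName(IntPtr base_address, string name);

    /// <summary>
    /// Query types by name
    /// </summary>
    /// <param name="base_address">The base address of the module containing the type.</param>
    /// <param name="mask">A mask string for the type name. e.g. mod!ABC*</param>
    /// <returns>The list of types.</returns>
    IEnumerable<TypeInformation> QueryTypesByName(IntPtr base_address, string mask);
}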
55 | }
56 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Rpc/Transport/RpcFaultException.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Collections.Generic;
17 |
18 | namespace NtApiDotNet.Win32.Rpc.Transport
19 | {
/// <summary>
/// Exception for RPC fault conditions.
/// </summary>
// NOTE(review): generic type arguments appear to have been lost from this
// listing (SafeStructureInOutBuffer, GetStructAtOffset and IEnumerable are
// shown without them). The code is kept exactly as shown.
// NOTE(review): the type is marked [Serializable] but no serialization
// constructor is visible here; confirm whether ExtendedErrorInfo is expected
// to survive serialization.
[Serializable]
public sealed class RpcFaultException : NtException
{
    // Builds the exception from a fault message and, when the message flags
    // say so, attaches the extended error records that follow it.
    private RpcFaultException(SafeStructureInOutBuffer buffer, LRPC_FAULT_MESSAGE message)
        : this(message.RpcStatus)
    {
        // Start with an empty list so the property is non-null on this path.
        ExtendedErrorInfo = new RpcExtendedErrorInfo[0];
        if (message.Flags.HasFlag(LRPC_FAULT_MESSAGE_FLAGS.ExtendedErrorInfo))
        {
            try
            {
                byte[] data = buffer.GetStructAtOffset(0).Data.ToArray();
                ExtendedErrorInfo = RpcExtendedErrorInfo.ReadErrorInfo(data);
            }
            catch
            {
                // Deliberate best effort: the extended error blob is supplied
                // by the remote side, and a malformed one must not replace
                // the fault being reported. The empty list is kept.
                // NOTE(review): this also hides unrelated failures; consider
                // narrowing the caught types or recording the parse error.
            }
        }
    }

    // Convenience overload which takes the fault message from the buffer's Result.
    internal RpcFaultException(SafeStructureInOutBuffer buffer)
        : this(buffer, buffer.Result)
    {
    }

    /// <summary>
    /// Constructor.
    /// </summary>
    /// <param name="rpc_status">The RPC status code.</param>
    // This constructor does not assign ExtendedErrorInfo, so the property is
    // null on instances created through it directly.
    public RpcFaultException(int rpc_status)
        : base(NtObjectUtils.MapDosErrorToStatus(rpc_status))
    {
    }

    /// <summary>
    /// Get extended error information.
    /// </summary>
    public IEnumerable ExtendedErrorInfo { get; }
}
62 | }
63 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Debugger/SYMBOL_INFO.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2018 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | // NOTE: This file is a modified version of SymbolResolver.cs from OleViewDotNet
16 | // https://github.com/tyranid/oleviewdotnet. It's been relicensed from GPLv3 by
17 | // the original author James Forshaw to be used under the Apache License for this
18 | // project.
19 |
20 | using System.Runtime.InteropServices;
21 |
22 | namespace NtApiDotNet.Win32.Debugger
23 | {
// Managed mirror of a native symbol information structure. The layout is
// sequential, so field order and types must not be changed.
// DataStart("Name") marks the Name field as the start of the trailing data;
// presumably the symbol name is a variable-length character array beginning
// there, and the single char is only a placeholder for it (TODO confirm
// against the DataStart attribute).
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode), DataStart("Name")]
class SYMBOL_INFO
{
    public int SizeOfStruct;
    public int TypeIndex; // Type Index of symbol
    public long Reserved1;
    public long Reserved2;
    public int Index;
    public int Size;
    public long ModBase; // Base Address of module containing this symbol
    public int Flags;
    public long Value; // Value of symbol, ValuePresent should be 1
    public long Address; // Address of symbol including base address of module
    public int Register; // register holding value or pointer to value
    public int Scope; // scope of the symbol
    public SymTagEnum Tag; // pdb classification
    public int NameLen; // Actual length of name
    // Capacity of the name area. The constructor below only records this
    // number; nothing in this class allocates the space, so the buffer that
    // holds the structure must really have room for that many characters.
    public int MaxNameLen;
    public char Name;

    public const int MAX_SYM_NAME = 2000;

    // Records the marshalled size of the fixed part of the structure.
    public SYMBOL_INFO()
    {
        SizeOfStruct = Marshal.SizeOf(typeof(SYMBOL_INFO));
    }

    // As the default constructor, and also records the name capacity.
    // NOTE(review): readers of the name should bound NameLen by MaxNameLen
    // instead of trusting it as filled in; confirm at the call sites.
    public SYMBOL_INFO(int max_name_len) : this()
    {
        MaxNameLen = max_name_len;
    }
}
56 | }
57 |
--------------------------------------------------------------------------------
/NtApiDotNet/TokenPrivilegesBuilder.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Collections.Generic;
16 | using System.Linq;
17 |
18 | namespace NtApiDotNet
19 | {
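/// <summary>
/// Accumulates privilege entries and converts them to a native buffer.
/// </summary>
/// <remarks>
/// Entries are appended in call order without de-duplication. Whether the
/// consumer of the buffer tolerates a LUID appearing twice is not visible here.
/// </remarks>
internal class TokenPrivilegesBuilder
{
    private readonly List<LuidAndAttributes> _privs;

    /// <summary>
    /// Create an empty builder.
    /// </summary>
    public TokenPrivilegesBuilder()
    {
        _privs = new List<LuidAndAttributes>();
    }

    /// <summary>
    /// Add a privilege by LUID.
    /// </summary>
    /// <param name="luid">The LUID of the privilege.</param>
    /// <param name="attributes">The attributes to record for the privilege.</param>
    public void AddPrivilege(Luid luid, PrivilegeAttributes attributes)
    {
        LuidAndAttributes priv = new LuidAndAttributes
        {
            Luid = luid,
            Attributes = attributes
        };
        _privs.Add(priv);
    }

    /// <summary>
    /// Add a privilege by its well-known value.
    /// </summary>
    /// <param name="name">The privilege value; it becomes the low part of the LUID.</param>
    /// <param name="attributes">The attributes to record for the privilege.</param>
    public void AddPrivilege(TokenPrivilegeValue name, PrivilegeAttributes attributes)
    {
        Luid luid = new Luid((uint)name, 0);
        AddPrivilege(luid, attributes);
    }

    /// <summary>
    /// Add a privilege by name, either enabled or disabled.
    /// </summary>
    /// <param name="name">The privilege name, resolved by the TokenPrivilege constructor.</param>
    /// <param name="enable">True to record the privilege as enabled, false as disabled.</param>
    public void AddPrivilege(string name, bool enable)
    {
        AddPrivilege(new TokenPrivilege(name, enable ? PrivilegeAttributes.Enabled : PrivilegeAttributes.Disabled));
    }

    /// <summary>
    /// Add an existing privilege object.
    /// </summary>
    /// <param name="privilege">The privilege whose LUID and attributes are copied.</param>
    public void AddPrivilege(TokenPrivilege privilege)
    {
        AddPrivilege(privilege.Luid, privilege.Attributes);
    }

    /// <summary>
    /// Add a sequence of privileges.
    /// </summary>
    /// <param name="privileges">The privileges to add.</param>
    public void AddPrivilegeRange(IEnumerable<TokenPrivilege> privileges)
    {
        // Go through the single-entry overload so every entry is built the same way.
        foreach (TokenPrivilege privilege in privileges)
        {
            AddPrivilege(privilege);
        }
    }

    /// <summary>
    /// Convert the accumulated entries to a native buffer.
    /// </summary>
    /// <returns>A new buffer built from a copy of the entries. The caller owns it.</returns>
    public SafeTokenPrivilegesBuffer ToBuffer()
    {
        return new SafeTokenPrivilegesBuffer(_privs.ToArray());
    }
}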
65 | #pragma warning restore 1591
66 | }
67 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/SEC_WINNT_AUTH_IDENTITY_EX.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Runtime.InteropServices;
16 | using System.Security;
17 |
18 | namespace NtApiDotNet.Win32.Security.Native
19 | {
20 | #pragma warning disable 1591
21 |
// Managed mirror of a native credential structure handed to the security
// package. The layout is sequential, so field order and types must not change.
// User, Domain and PackageList are ordinary managed strings marshalled as
// LPWStr; only the password goes through SecureStringMarshal.
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
internal class SEC_WINNT_AUTH_IDENTITY_EX
{
    const int SEC_WINNT_AUTH_IDENTITY_VERSION = 0x200;

    public int Version;
    public int Length;
    [MarshalAs(UnmanagedType.LPWStr)]
    public string User;
    public int UserLength;
    [MarshalAs(UnmanagedType.LPWStr)]
    public string Domain;
    public int DomainLength;
    public SecureStringMarshal Password;
    public int PasswordLength;
    public SecWinNtAuthIdentityFlags Flags;
    [MarshalAs(UnmanagedType.LPWStr)]
    public string PackageList;
    public int PackageListLength;

    // Leaves every field at its default, including Version and Length.
    public SEC_WINNT_AUTH_IDENTITY_EX()
    {
    }

    // Fills the structure from managed credentials. All length fields are
    // character counts (string.Length / SecureString.Length), matching the
    // Unicode flag set at the end. PackageList is not set by this constructor.
    public SEC_WINNT_AUTH_IDENTITY_EX(string user, string domain, SecureString password, DisposableList list)
    {
        Version = SEC_WINNT_AUTH_IDENTITY_VERSION;
        Length = Marshal.SizeOf(this);
        User = user;
        UserLength = user?.Length ?? 0;
        Domain = domain;
        DomainLength = domain?.Length ?? 0;
        if (password != null)
        {
            // The marshalled password is registered with the caller's list,
            // so its lifetime is the list's: keep the list alive until the
            // native call has returned, then dispose it.
            // NOTE(review): presumably SecureStringMarshal zeroes and frees
            // the unmanaged copy on dispose; confirm in that class.
            // list is dereferenced here, so it must be non-null whenever a
            // password is supplied.
            Password = list.AddResource(new SecureStringMarshal(password));
            PasswordLength = password.Length;
        }
        Flags = SecWinNtAuthIdentityFlags.Unicode;
    }
}
62 | }
63 |
--------------------------------------------------------------------------------
/NtApiDotNet/Win32/Security/Native/SecBufferDesc.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2020 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
18 | namespace NtApiDotNet.Win32.Security.Native
19 | {
20 | #pragma warning disable 1591
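// Managed mirror of a native buffer descriptor: a version, a count and a
// pointer to an unmanaged array of SecBuffer structures owned by this object.
// The layout is sequential, so no instance fields may be added or reordered.
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
internal sealed class SecBufferDesc : IDisposable
{
    const int SECBUFFER_VERSION = 0;

    public int ulVersion;
    public int cBuffers;
    public IntPtr pBuffers;

    // Frees the unmanaged array. The pointer is cleared before the free so a
    // second Dispose is a no-op rather than a double free.
    void IDisposable.Dispose()
    {
        IntPtr ptr = pBuffers;
        if (ptr != IntPtr.Zero)
        {
            pBuffers = IntPtr.Zero;
            Marshal.FreeHGlobal(ptr);
        }
    }

    // Describes a single buffer.
    public SecBufferDesc(SecBuffer buffer) : this(new SecBuffer[] { buffer })
    {
    }

    // Copies each buffer structure into a newly allocated unmanaged array.
    // Throws ArgumentNullException when buffers is null.
    public SecBufferDesc(SecBuffer[] buffers)
    {
        if (buffers == null)
        {
            throw new ArgumentNullException(nameof(buffers));
        }

        int size = Marshal.SizeOf(typeof(SecBuffer));
        ulVersion = SECBUFFER_VERSION;
        cBuffers = buffers.Length;
        // checked: an overflowing product must not turn into an undersized allocation.
        pBuffers = Marshal.AllocHGlobal(checked(buffers.Length * size));
        try
        {
            int offset = 0;
            foreach (var buffer in buffers)
            {
                Marshal.StructureToPtr(buffer, pBuffers + offset, false);
                offset += size;
            }
        }
        catch
        {
            // Do not leak the allocation if marshalling an element fails.
            Marshal.FreeHGlobal(pBuffers);
            pBuffers = IntPtr.Zero;
            cBuffers = 0;
            throw;
        }
    }

    // Reads the unmanaged array back into managed structures.
    // The element count comes from the public cBuffers field, which is part
    // of the marshalled layout; this method trusts it, so it must still match
    // the allocation made by the constructor.
    // Throws ObjectDisposedException when the array has already been freed.
    public SecBuffer[] ToArray()
    {
        if (cBuffers > 0 && pBuffers == IntPtr.Zero)
        {
            throw new ObjectDisposedException(nameof(SecBufferDesc));
        }

        SecBuffer[] buffers = new SecBuffer[cBuffers];
        int size = Marshal.SizeOf(typeof(SecBuffer));
        for (int i = 0; i < cBuffers; ++i)
        {
            buffers[i] = (SecBuffer)Marshal.PtrToStructure(pBuffers + i * size, typeof(SecBuffer));
        }
        return buffers;
    }
}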
67 | }
68 |
--------------------------------------------------------------------------------
/NtApiDotNet/Utilities/Memory/ProcessMemoryStream.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2018 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.IO;
17 |
18 | namespace NtApiDotNet.Utilities.Memory
19 | {
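/// <summary>
/// Read-only stream over the memory of a process, starting at a base address.
/// </summary>
/// <remarks>
/// The bytes come from another process's address space, so anything parsed
/// from this stream should be treated as untrusted and length-checked.
/// Seek is not supported, but Position can be assigned to move the read
/// offset. Flush throws rather than being a no-op.
/// </remarks>
internal class ProcessMemoryStream : Stream
{
    private readonly long _base_address;
    private readonly NtProcess _process;
    private long _offset;

    /// <summary>
    /// Create a stream over a process's memory.
    /// </summary>
    /// <param name="process">The process to read from. It is not disposed by this stream.</param>
    /// <param name="base_address">The address that corresponds to position 0.</param>
    internal ProcessMemoryStream(NtProcess process, IntPtr base_address)
    {
        _process = process;
        _base_address = base_address.ToInt64();
    }

    public override bool CanRead => true;

    public override bool CanSeek => false;

    public override bool CanWrite => false;

    public override long Length => throw new NotSupportedException();

    public override long Position { get => _offset; set => _offset = value; }

    public override void Flush()
    {
        throw new NotSupportedException();
    }

    /// <summary>
    /// Read up to <paramref name="count"/> bytes at the current position.
    /// </summary>
    /// <param name="buffer">The destination array.</param>
    /// <param name="offset">The index in <paramref name="buffer"/> to start writing at.</param>
    /// <param name="count">The maximum number of bytes to read.</param>
    /// <returns>The number of bytes copied, which may be fewer than requested.</returns>
    /// <exception cref="ArgumentNullException">buffer is null.</exception>
    /// <exception cref="ArgumentOutOfRangeException">offset or count is negative.</exception>
    /// <exception cref="ArgumentException">offset and count do not fit inside buffer.</exception>
    public override int Read(byte[] buffer, int offset, int count)
    {
        // Validate before touching the target process so a bad call has no side effects.
        if (buffer == null)
        {
            throw new ArgumentNullException(nameof(buffer));
        }
        if (offset < 0)
        {
            throw new ArgumentOutOfRangeException(nameof(offset));
        }
        if (count < 0)
        {
            throw new ArgumentOutOfRangeException(nameof(count));
        }
        if (buffer.Length - offset < count)
        {
            throw new ArgumentException("Offset and count exceed the length of the buffer.");
        }

        var result = _process.ReadMemory(_base_address + _offset, count);
        // Never copy more than was asked for, whatever the reader returned.
        int copied = Math.Min(result.Length, count);
        Array.Copy(result, 0, buffer, offset, copied);
        _offset += copied;
        return copied;
    }

    public override long Seek(long offset, SeekOrigin origin)
    {
        throw new NotSupportedException();
    }

    public override void SetLength(long value)
    {
        throw new NotSupportedException();
    }

    public override void Write(byte[] buffer, int offset, int count)
    {
        throw new NotSupportedException();
    }
}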
70 | }
71 |
--------------------------------------------------------------------------------
/NtApiDotNet/NtLdrNative.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2019 Google Inc. All Rights Reserved.
2 | //
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 | //
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 | //
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 | using System.Runtime.InteropServices;
17 |
18 | namespace NtApiDotNet
19 | {
20 | #pragma warning disable 1591
/// <summary>
/// P/Invoke declarations for loader functions exported by ntdll.dll.
/// </summary>
/// <remarks>
/// These are public and unchecked: every argument goes straight to the native
/// loader. Loading a module runs its initialisation code in the calling
/// process, so callers should only pass module names they trust.
/// </remarks>
public static class NtLdrNative
{
    // Overload whose first argument is marshalled as a Unicode string.
    [DllImport("ntdll.dll", CharSet = CharSet.Unicode)]
    public static extern NtStatus LdrLoadDll(
        string DllPath,
        OptionalInt32 DllCharacteristics,
        UnicodeString DllName,
        out IntPtr DllHandle
    );

    // Same native export; the first argument is passed as a raw pointer-sized value.
    [DllImport("ntdll.dll", CharSet = CharSet.Unicode)]
    public static extern NtStatus LdrLoadDll(
        IntPtr Flags,
        OptionalInt32 DllCharacteristics,
        UnicodeString DllName,
        out IntPtr DllHandle
    );

    // Takes a handle as produced through LdrLoadDll's DllHandle output.
    [DllImport("ntdll.dll", CharSet = CharSet.Unicode)]
    public static extern NtStatus LdrUnloadDll(
        IntPtr DllHandle
    );

    // The procedure name is passed as an explicit AnsiString, so the
    // CharSet setting does not affect it. The output is a raw code address.
    [DllImport("ntdll.dll", CharSet = CharSet.Unicode)]
    public static extern NtStatus LdrGetProcedureAddress(
        IntPtr DllHandle,
        [In] AnsiString ProcedureName,
        int ProcedureNumber,
        out IntPtr ProcedureAddress
    );
}
52 |
// Flags passed as the first argument of RtlImageNtHeaderEx.
// NOTE(review): by its name NoRangeCheck presumably disables the bounds
// check against the supplied Size. Confirm, and avoid it for images that
// are not trusted.
[Flags]
public enum RtlImageNtHeaderExFlags
{
    None = 0x0,
    NoRangeCheck = 0x1,
}
59 |
// Part of the NtRtl partial class: image header lookup exported by ntdll.dll.
public static partial class NtRtl
{
    // Base and Size describe the memory holding the image; the header
    // pointer is returned through OutHeaders as a raw address.
    // NOTE(review): Size is what bounds the lookup, so it should be the true
    // length of the mapped or copied image, especially when the image comes
    // from an untrusted file or process. Confirm at the call sites.
    [DllImport("ntdll.dll", CharSet = CharSet.Unicode)]
    public static extern NtStatus RtlImageNtHeaderEx(
        RtlImageNtHeaderExFlags Flags,
        IntPtr Base,
        long Size,
        out IntPtr OutHeaders // PIMAGE_NT_HEADERS
    );
}
70 | #pragma warning restore 1591
71 | }
72 |
--------------------------------------------------------------------------------