API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Jul 31st, 2011
470
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C# 9.57 KB | None | 0 0
raw download clone embed print report
  1. using System;
  2. using System.Collections.Generic;
  3. using System.Linq;
  4. using System.Text;
  5. using System.Security.Permissions;
  6. using Microsoft.Win32;
  7. using System.Runtime.InteropServices;
  8. using System.Diagnostics;
  9. using System.Collections;
  10. using System.Threading;
  11. using System.Security.AccessControl;
  12. using System.Security.Principal;
  13. using Microsoft.Win32.SafeHandles;
  14.  
  15.  
  16.  
  17. namespace EnumerateMutexACL
  18. {
  19.     class Win
  20.     {
  21.         [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
  22.         public static extern SafeWaitHandle OpenMutex(UInt32 desiredAccess, bool inheritHandle, string name);
  23.  
  24.         [DllImport("kernel32.dll", SetLastError = true)]
  25.         [return: MarshalAs(UnmanagedType.Bool)]
  26.         public static extern bool DuplicateHandle(IntPtr hSourceProcessHandle,
  27.            IntPtr hSourceHandle, IntPtr hTargetProcessHandle, out IntPtr lpTargetHandle,
  28.            uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, uint dwOptions);
  29.  
  30.         [DllImport("kernel32.dll", SetLastError = true)]
  31.         [return: MarshalAs(UnmanagedType.Bool)]
  32.         public static extern bool CloseHandle(IntPtr hObject);
  33.     }
  34.  
  35.     class Program
  36.     {
  37.  
  38.         [DllImport("advapi32.dll", SetLastError = true)]
  39.         [return: MarshalAs(UnmanagedType.Bool)]
  40.         static extern bool OpenProcessToken(IntPtr ProcessHandle,
  41.             UInt32 DesiredAccess, out IntPtr TokenHandle);
  42.  
  43.         private static uint STANDARD_RIGHTS_REQUIRED = 0x000F0000;
  44.         private static uint STANDARD_RIGHTS_READ = 0x00020000;
  45.         private static uint TOKEN_ASSIGN_PRIMARY = 0x0001;
  46.         private static uint TOKEN_DUPLICATE = 0x0002;
  47.         private static uint TOKEN_IMPERSONATE = 0x0004;
  48.         private static uint TOKEN_QUERY = 0x0008;
  49.         private static uint TOKEN_QUERY_SOURCE = 0x0010;
  50.         private static uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
  51.         private static uint TOKEN_ADJUST_GROUPS = 0x0040;
  52.         private static uint TOKEN_ADJUST_DEFAULT = 0x0080;
  53.         private static uint TOKEN_ADJUST_SESSIONID = 0x0100;
  54.         private static uint TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY);
  55.         private static uint TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY |
  56.             TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_QUERY_SOURCE |
  57.             TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT |
  58.             TOKEN_ADJUST_SESSIONID);
  59.  
  60.         [DllImport("kernel32.dll", SetLastError = true)]
  61.         static extern IntPtr GetCurrentProcess();
  62.  
  63.         [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
  64.         [return: MarshalAs(UnmanagedType.Bool)]
  65.         static extern bool LookupPrivilegeValue(string lpSystemName, string lpName,
  66.             out LUID lpLuid);
  67.  
  68.         public const string SE_ASSIGNPRIMARYTOKEN_NAME = "SeAssignPrimaryTokenPrivilege";
  69.  
  70.         public const string SE_AUDIT_NAME = "SeAuditPrivilege";
  71.  
  72.         public const string SE_BACKUP_NAME = "SeBackupPrivilege";
  73.  
  74.         public const string SE_CHANGE_NOTIFY_NAME = "SeChangeNotifyPrivilege";
  75.  
  76.         public const string SE_CREATE_GLOBAL_NAME = "SeCreateGlobalPrivilege";
  77.  
  78.         public const string SE_CREATE_PAGEFILE_NAME = "SeCreatePagefilePrivilege";
  79.  
  80.         public const string SE_CREATE_PERMANENT_NAME = "SeCreatePermanentPrivilege";
  81.  
  82.         public const string SE_CREATE_SYMBOLIC_LINK_NAME = "SeCreateSymbolicLinkPrivilege";
  83.  
  84.         public const string SE_CREATE_TOKEN_NAME = "SeCreateTokenPrivilege";
  85.  
  86.         public const string SE_DEBUG_NAME = "SeDebugPrivilege";
  87.  
  88.         public const string SE_ENABLE_DELEGATION_NAME = "SeEnableDelegationPrivilege";
  89.  
  90.         public const string SE_IMPERSONATE_NAME = "SeImpersonatePrivilege";
  91.  
  92.         public const string SE_INC_BASE_PRIORITY_NAME = "SeIncreaseBasePriorityPrivilege";
  93.  
  94.         public const string SE_INCREASE_QUOTA_NAME = "SeIncreaseQuotaPrivilege";
  95.  
  96.         public const string SE_INC_WORKING_SET_NAME = "SeIncreaseWorkingSetPrivilege";
  97.  
  98.         public const string SE_LOAD_DRIVER_NAME = "SeLoadDriverPrivilege";
  99.  
  100.         public const string SE_LOCK_MEMORY_NAME = "SeLockMemoryPrivilege";
  101.  
  102.         public const string SE_MACHINE_ACCOUNT_NAME = "SeMachineAccountPrivilege";
  103.  
  104.         public const string SE_MANAGE_VOLUME_NAME = "SeManageVolumePrivilege";
  105.  
  106.         public const string SE_PROF_SINGLE_PROCESS_NAME = "SeProfileSingleProcessPrivilege";
  107.  
  108.         public const string SE_RELABEL_NAME = "SeRelabelPrivilege";
  109.  
  110.         public const string SE_REMOTE_SHUTDOWN_NAME = "SeRemoteShutdownPrivilege";
  111.  
  112.         public const string SE_RESTORE_NAME = "SeRestorePrivilege";
  113.  
  114.         public const string SE_SECURITY_NAME = "SeSecurityPrivilege";
  115.  
  116.         public const string SE_SHUTDOWN_NAME = "SeShutdownPrivilege";
  117.  
  118.         public const string SE_SYNC_AGENT_NAME = "SeSyncAgentPrivilege";
  119.  
  120.         public const string SE_SYSTEM_ENVIRONMENT_NAME = "SeSystemEnvironmentPrivilege";
  121.  
  122.         public const string SE_SYSTEM_PROFILE_NAME = "SeSystemProfilePrivilege";
  123.  
  124.         public const string SE_SYSTEMTIME_NAME = "SeSystemtimePrivilege";
  125.  
  126.         public const string SE_TAKE_OWNERSHIP_NAME = "SeTakeOwnershipPrivilege";
  127.  
  128.         public const string SE_TCB_NAME = "SeTcbPrivilege";
  129.  
  130.         public const string SE_TIME_ZONE_NAME = "SeTimeZonePrivilege";
  131.  
  132.         public const string SE_TRUSTED_CREDMAN_ACCESS_NAME = "SeTrustedCredManAccessPrivilege";
  133.  
  134.         public const string SE_UNDOCK_NAME = "SeUndockPrivilege";
  135.  
  136.         public const string SE_UNSOLICITED_INPUT_NAME = "SeUnsolicitedInputPrivilege";
  137.  
  138.         [StructLayout(LayoutKind.Sequential)]
  139.         public struct LUID
  140.         {
  141.             public UInt32 LowPart;
  142.             public Int32 HighPart;
  143.         }
  144.  
  145.         [DllImport("kernel32.dll", SetLastError = true)]
  146.         static extern bool CloseHandle(IntPtr hHandle);
  147.  
  148.         public const UInt32 SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001;
  149.         public const UInt32 SE_PRIVILEGE_ENABLED = 0x00000002;
  150.         public const UInt32 SE_PRIVILEGE_REMOVED = 0x00000004;
  151.         public const UInt32 SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000;
  152.  
  153.         [StructLayout(LayoutKind.Sequential)]
  154.         public struct TOKEN_PRIVILEGES
  155.         {
  156.             public UInt32 PrivilegeCount;
  157.             public LUID Luid;
  158.             public UInt32 Attributes;
  159.         }
  160.  
  161.         [StructLayout(LayoutKind.Sequential)]
  162.         public struct LUID_AND_ATTRIBUTES
  163.         {
  164.             public LUID Luid;
  165.             public UInt32 Attributes;
  166.         }
  167.  
  168.         // Use this signature if you do not want the previous state
  169.         [DllImport("advapi32.dll", SetLastError = true)]
  170.         [return: MarshalAs(UnmanagedType.Bool)]
  171.         static extern bool AdjustTokenPrivileges(IntPtr TokenHandle,
  172.            [MarshalAs(UnmanagedType.Bool)]bool DisableAllPrivileges,
  173.            ref TOKEN_PRIVILEGES NewState,
  174.            UInt32 Zero,
  175.            IntPtr Null1,
  176.            IntPtr Null2);
  177.  
  178.  
  179.         static void Main(string[] args)
  180.         {
  181.             const UInt32 MUTEX_ALL_ACCESS = 0x1F0001;
  182.             const uint DUPLICATE_CLOSE_SOURCE = 0x00000001;
  183.  
  184.             //Process.EnterDebugMode();
  185.             Process proc = Process.GetProcessesByName("notepad2")[0];
  186.             IntPtr p = proc.Handle;
  187.  
  188.  
  189.             IntPtr hToken;
  190.             LUID luidSEDebugNameValue;
  191.             TOKEN_PRIVILEGES tkpPrivileges;
  192.  
  193.             if (!OpenProcessToken(proc.Handle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out hToken))
  194.             {
  195.                 Console.WriteLine("OpenProcessToken() failed, error = {0} . SeDebugPrivilege is not available", Marshal.GetLastWin32Error());
  196.                 return;
  197.             }
  198.             else
  199.             {
  200.                 Console.WriteLine("OpenProcessToken() successfully");
  201.             }
  202.  
  203.             if (!LookupPrivilegeValue(null, SE_DEBUG_NAME, out luidSEDebugNameValue))
  204.             {
  205.                 Console.WriteLine("LookupPrivilegeValue() failed, error = {0} .SeDebugPrivilege is not available", Marshal.GetLastWin32Error());
  206.                 CloseHandle(hToken);
  207.                 return;
  208.             }
  209.             else
  210.             {
  211.                 Console.WriteLine("LookupPrivilegeValue() successfully");
  212.             }
  213.  
  214.             tkpPrivileges.PrivilegeCount = 1;
  215.             tkpPrivileges.Luid = luidSEDebugNameValue;
  216.             tkpPrivileges.Attributes = SE_PRIVILEGE_ENABLED;
  217.  
  218.             if (!AdjustTokenPrivileges(hToken, false, ref tkpPrivileges, 0, IntPtr.Zero, IntPtr.Zero))
  219.             {
  220.                 Console.WriteLine("LookupPrivilegeValue() failed, error = {0} .SeDebugPrivilege is not available", Marshal.GetLastWin32Error());
  221.             }
  222.             else
  223.             {
  224.                 Console.WriteLine("SeDebugPrivilege is now available");
  225.             }
  226.             CloseHandle(hToken);
  227.  
  228.  
  229.  
  230.             SafeWaitHandle hMutex = Win.OpenMutex(MUTEX_ALL_ACCESS, false, "MSCTF.Asm.MutexDefault1");
  231.             IntPtr pp = hMutex.DangerousGetHandle();
  232.  
  233.             IntPtr ppp = Process.GetCurrentProcess().Handle;
  234.             IntPtr pppp = IntPtr.Zero; // System.Diagnostics.Process.Start("calc").Handle;
  235.             Win.DuplicateHandle(p, pp, ppp, out pppp, MUTEX_ALL_ACCESS, false, DUPLICATE_CLOSE_SOURCE);
  236.             Win.CloseHandle(pppp);
  237.  
  238.             if (Win.OpenMutex(MUTEX_ALL_ACCESS, false, "MSCTF.Asm.MutexDefault1").DangerousGetHandle() == IntPtr.Zero)
  239.                 Console.Write("Success");
  240.             else
  241.                 Console.Write("Failed");
  242.  
  243.  
  244.             Console.Read();
  245.  
  246.             return;
  247.         }
  248.     }
  249. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!