Get Process Owner, & Permissions [Win_Func]
Posted: Wed Aug 24, 2016 4:39 am
Code: Select all
#OWNER_SECURITY_INFORMATION = $1
#DACL_SECURITY_INFORMATION = $4
Enumeration ;ACL_INFORMATION_CLASS
#AclRevisionInformation = 1
#AclSizeInformation
EndEnumeration
Enumeration ; SID_NAME_USE
#SidTypeUser = 1
#SidTypeGroup
#SidTypeDomain
#SidTypeAlias
#SidTypeWellKnownGroup
#SidTypeDeletedAccount
#SidTypeInvalid
#SidTypeUnknown
#SidTypeComputer
#SidTypeLabel
EndEnumeration
Enumeration ; SE_OBJECT_TYPE
#SE_UNKNOWN_OBJECT_TYPE
#SE_FILE_OBJECT
#SE_SERVICE
#SE_PRINTER
#SE_REGISTRY_KEY
#SE_LMSHARE
#SE_KERNEL_OBJECT
#SE_WINDOW_OBJECT
#SE_DS_OBJECT
#SE_DS_OBJECT_ALL
#SE_PROVIDER_DEFINED_OBJECT
EndEnumeration
Structure SID
Revision.b
SubAuthorityCount.b
*IdentifierAuthority.SID_IDENTIFIER_AUTHORITY
SubAuthority.l[#ANYSIZE_ARRAY]
EndStructure
#TH32CS_SNAPPROCESS = $2
Procedure SearchPID(Name.s)
Protected Process.PROCESSENTRY32, Snapshot.i, ProcCount.l, ProcName$
Process\dwSize = SizeOf(PROCESSENTRY32)
Snapshot = CreateToolhelp32Snapshot_(#TH32CS_SNAPPROCESS, 0)
If Snapshot
ProcCount = Process32First_(Snapshot, Process)
While ProcCount
ProcName$ = UCase(PeekS(@Process\szExeFile, #MAX_PATH))
If UCase(Name) = GetFilePart(ProcName$)
ProcedureReturn Process\th32ProcessID
EndIf
ProcCount = Process32Next_(Snapshot, Process)
Wend
CloseHandle_(Snapshot)
EndIf
ProcedureReturn 0
EndProcedure
Procedure.b EnumProcPermissions(pDacl)
Protected *pAce.ACCESS_ALLOWED_ACE, aclSize.ACL_SIZE_INFORMATION
Protected.i retfunc, acl_ACECount, dwAccountNameSize, dwDomainNameSize, SID_NAME_USE
Protected.s szAccountName, szDomainName
If GetAclInformation_(pDacl, @aclSize, SizeOf(aclSize), #AclSizeInformation)
acl_ACECount = aclSize\AceCount - 1
If Not acl_ACECount : ProcedureReturn 0 : EndIf
Repeat
GetAce_(pDacl, acl_ACECount, @*pAce)
bRtnBool = LookupAccountSid_(#Null, @*pAce\SidStart, 0, @dwAccountNameSize, 0, @dwDomainNameSize, @SID_NAME_USE)
szAccountName = Space(dwAccountNameSize)
szDomainName = Space(dwDomainNameSize)
If LookupAccountSid_(#Null, @*pAce\SidStart, @szAccountName, @dwAccountNameSize, @szDomainName, @dwDomainNameSize, @SID_NAME_USE)
If *pAce\Mask = #FILE_ALL_ACCESS
AccessMask$ = "( Full Access ) - "
ElseIf *pAce\Mask = 268435456
AccessMask$ = "( Full Access (Sub Only) ) - "
EndIf
;Standard Access Rights
If *pAce\Mask & #STANDARD_RIGHTS_ALL = #STANDARD_RIGHTS_ALL
StandardAccess$ + "( STANDARD_RIGHTS_ALL ) | "
EndIf
If *pAce\Mask & #DELETE
StandardAccess$ + "DELETE - "
EndIf
If *pAce\Mask & #READ_CONTROL
StandardAccess$ + "READ_CONTROL - "
EndIf
If *pAce\Mask & #SYNCHRONIZE
StandardAccess$ + "SYNCHRONIZE - "
EndIf
If *pAce\Mask & #WRITE_OWNER
StandardAccess$ + "WRITE_OWNER - "
EndIf
StandardAccess$ = RemoveString(StandardAccess$, " - ", #PB_String_NoCase, Len(StandardAccess$) - 3, 1)
If *pAce\Mask & #FILE_ALL_ACCESS = #FILE_ALL_ACCESS
GenericAccess$ + " (Full Access) | "
EndIf
If *pAce\Mask & #FILE_GENERIC_READ = #FILE_GENERIC_READ
GenericAccess$ + "FILE_GENERIC_READ - "
EndIf
If *pAce\Mask & #FILE_GENERIC_WRITE = #FILE_GENERIC_WRITE
GenericAccess$ + "FILE_GENERIC_WRITE - "
EndIf
If *pAce\Mask & #FILE_GENERIC_EXECUTE = #FILE_GENERIC_EXECUTE
GenericAccess$ + "FILE_GENERIC_EXECUTE - "
EndIf
GenericAccess$ = RemoveString(GenericAccess$, " - ", #PB_String_NoCase, Len(GenericAccess$) - 3, 1)
;Specific Access Rights
If *pAce\Mask & #FILE_READ_DATA
SpecificAccess$ + "READ / FILE_LIST_DIRECTORY - "
EndIf
If *pAce\Mask & #FILE_WRITE_DATA
SpecificAccess$ + "WRITE / FILE_ADD_FILE - "
EndIf
If *pAce\Mask & #FILE_APPEND_DATA
SpecificAccess$ + "FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY / FILE_CREATE_PIPE_INSTANCE - "
EndIf
If *pAce\Mask & #FILE_READ_EA
SpecificAccess$ + "FILE_READ_EA - "
EndIf
If *pAce\Mask & #FILE_WRITE_EA
SpecificAccess$ + "FILE_WRITE_EA - "
EndIf
If *pAce\Mask & #FILE_READ_ATTRIBUTES
SpecificAccess$ + "FILE_READ_ATTRIBUTES - "
EndIf
If *pAce\Mask & #FILE_WRITE_ATTRIBUTES
SpecificAccess$ + "FILE_WRITE_ATTRIBUTES - "
EndIf
If *pAce\Mask & #FILE_EXECUTE
SpecificAccess$ + "FILE_EXECUTE / FILE_TRAVERSE - "
EndIf
If *pAce\Mask & #FILE_DELETE_CHILD
SpecificAccess$ + "FILE_DELETE_CHILD - "
EndIf
If *pAce\Mask & #SPECIFIC_RIGHTS_ALL = #SPECIFIC_RIGHTS_ALL
SpecificAccess$ + "SPECIFIC_RIGHTS_ALL"
EndIf
SpecificAccess$ = RemoveString(SpecificAccess$, " - ", #PB_String_NoCase, Len(SpecificAccess$) - 3, 1)
Select *pAce\Header\AceType
Case #ACCESS_ALLOWED_ACE_TYPE
AceType$ = "ACCESS_ALLOWED_ACE_TYPE"
Case #ACCESS_DENIED_ACE_TYPE
AceType$ = "ACCESS_DENIED_ACE_TYPE"
Case #SYSTEM_AUDIT_ACE_TYPE
AceType$ = "SYSTEM_AUDIT_ACE_TYPE"
Default
AceType$ = "Unknown ACE type"
EndSelect
Debug "Account = " + szAccountName + ", Domain = " + szDomainName + ", Generic Access Rights = " + GenericAccess$
Debug "Account = " + szAccountName + ", Domain = " + szDomainName + ", Standard Access Rights = " + StandardAccess$
Debug "Account = " + szAccountName + ", Domain = " + szDomainName + ", Specific Access Rights = " + AccessMask$ + SpecificAccess$
Debug "Account = " + szAccountName + ", Domain = " + szDomainName + ", ACE Type = " + AceType$
Debug ""
GenericAccess$=""
StandardAccess$=""
SpecificAccess$=""
AccessMask$=""
EndIf
dwDomainNameSize = 0
acl_ACECount - 1
Until acl_ACECount < 0
EndIf
EndProcedure
Procedure.b GetObjectOwner(PID.l, ProcName.s, EnumProcPermissions.l = 0)
Protected *pSidOwner.SID, *pSD.SECURITY_DESCRIPTOR
Protected.i dwRtnCode, bRtnBool, eUse
Protected.s szAccountName, szDomainName
Protected.i dwAcctName, dwDomainName
If PID = #INVALID_HANDLE_VALUE
Debug "Invalid PID"
ProcedureReturn 0
EndIf
Object = OpenProcess_(#READ_CONTROL, #False, PID)
If Not Object
Debug GetLastError_()
Debug "Invalid Object handle!"
ProcedureReturn 0
EndIf
If OpenProcessToken_(GetCurrentProcess_(), #TOKEN_QUERY | #TOKEN_ADJUST_PRIVILEGES, @htok) <= 0
Debug "OpenProcessToken failed"
ProcedureReturn 0
EndIf
; Allocate memory for the security descriptor structure
*pSD = AllocateMemory(SizeOf(SECURITY_DESCRIPTOR))
If *pSD = 0
Debug "Can't allocate memory for the SECURITY_DESCRIPTOR structure"
ProcedureReturn 0
EndIf
; Get the owner SID of the object
dwRtnCode = GetSecurityInfo_(Object, #SE_KERNEL_OBJECT, #DACL_SECURITY_INFORMATION|#OWNER_SECURITY_INFORMATION, @*pSidOWner, #Null, @pDacl.i, #Null, @*pSD)
; Check GetLastError for GetSecurityInfo error condition
If dwRtnCode <> #ERROR_SUCCESS
Debug "GetSecurityInfo error = " + Str(dwRtnCode)
ProcedureReturn 0
EndIf
; First call to LookupAccoundSid to get the buffer sizes
bRtnBool = LookupAccountSid_(#Null, *pSidOwner, szAccountName, @dwAcctName, szDomainName, @dwDomainName, @eUse)
; Reallocate memory for the buffers
szAccountName = Space(dwAcctName)
szDomainName = Space(dwDomainName)
; Second call to LookupAccountSid to get the account name
bRtnBool = LookupAccountSid_(#Null, *pSidOwner, szAccountName, @dwAcctName, szDomainName, @dwDomainName, @eUse)
Debug "Object Owner for Process [ "+ProcName+" ]:"+#LF$+" "+szAccountName
Debug ""
If EnumProcPermissions
Debug "Enumerate Process Permissions:"
EnumProcPermissions(pDacl)
EndIf
; Close the process handle
CloseHandle_(Object)
ProcedureReturn 1
EndProcedure
Procedure EnableDebugPrivNT()
Protected DebugValue.LUID, *tkp.TOKEN_PRIVILEGES
; Retrieve a handle of the access token
If Not OpenProcessToken_(GetCurrentProcess_(), #TOKEN_ADJUST_PRIVILEGES|#TOKEN_QUERY, @hToken)
ProcedureReturn 0
EndIf
; Enable the SE_DEBUG_NAME privilege
If Not LookupPrivilegeValue_("", #SE_DEBUG_NAME, @DebugValue)
ProcedureReturn 0
EndIf
*tkp = AllocateMemory( SizeOf(TOKEN_PRIVILEGES) + (1 * SizeOf(LUID_AND_ATTRIBUTES)) )
If Not *tkp : ProcedureReturn 0 : EndIf
*tkp\PrivilegeCount = 1
*tkp\Privileges\Luid\HighPart = DebugValue\HighPart
*tkp\Privileges\Luid\LowPart = DebugValue\LowPart
*tkp\Privileges\Attributes = #SE_PRIVILEGE_ENABLED
If Not AdjustTokenPrivileges_(hToken, #False, @*tkp, SizeOf(TOKEN_PRIVILEGES), @PreviousState.TOKEN_PRIVILEGES, @ReturnLength)
If GetLastError_() = #ERROR_SUCCESS
ProcedureReturn 0
EndIf
EndIf
FreeMemory(*tkp)
ProcedureReturn 1
EndProcedure
#EnumProcPermissions = 1
If EnableDebugPrivNT()
Debug "Privilege loaded..."+#CRLF$
Debug "Search processes list for explorer.exe PID number..."
PID1 = SearchPID("explorer.exe")
If PID1
Debug " PID #: "+Str(PID1)+#CRLF$
GetObjectOwner(PID1, "explorer.exe", #EnumProcPermissions)
EndIf
Else
Debug "Privilege issue."
EndIfWhen compiled, you'll see basically the following;
Code: Select all
Privilege loaded...
Search processes list for explorer.exe PID number...
PID #: 4020
Object Owner for Process [ explorer.exe ]:
JohnDoe
Enumerate Process Permissions:
Account = LogonSessionId_0_270100, Domain = NT AUTHORITY, Generic Access Rights =
Account = LogonSessionId_0_270100, Domain = NT AUTHORITY, Standard Access Rights = READ_CONTROL - SYNCHRONIZE
Account = LogonSessionId_0_270100, Domain = NT AUTHORITY, Specific Access Rights = READ / FILE_LIST_DIRECTORY - FILE_WRITE_EA
Account = LogonSessionId_0_270100, Domain = NT AUTHORITY, ACE Type = ACCESS_ALLOWED_ACE_TYPE
Account = SYSTEM, Domain = NT AUTHORITY, Generic Access Rights = (Full Access) | FILE_GENERIC_READ - FILE_GENERIC_WRITE - FILE_GENERIC_EXECUTE
Account = SYSTEM, Domain = NT AUTHORITY, Standard Access Rights = ( STANDARD_RIGHTS_ALL ) | DELETE - READ_CONTROL - SYNCHRONIZE - WRITE_OWNER
Account = SYSTEM, Domain = NT AUTHORITY, Specific Access Rights = READ / FILE_LIST_DIRECTORY - WRITE / FILE_ADD_FILE - FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY / FILE_CREATE_PIPE_INSTANCE - FILE_READ_EA - FILE_WRITE_EA - FILE_READ_ATTRIBUTES - FILE_WRITE_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE - FILE_DELETE_CHILD - SPECIFIC_RIGHTS_ALL
Account = SYSTEM, Domain = NT AUTHORITY, ACE Type = ACCESS_ALLOWED_ACE_TYPE
Account = JohnDoe, Domain = DESKTOP-5BE1L1R, Generic Access Rights = (Full Access) | FILE_GENERIC_READ - FILE_GENERIC_WRITE - FILE_GENERIC_EXECUTE
Account = JohnDoe, Domain = DESKTOP-5BE1L1R, Standard Access Rights = ( STANDARD_RIGHTS_ALL ) | DELETE - READ_CONTROL - SYNCHRONIZE - WRITE_OWNER
Account = JohnDoe, Domain = DESKTOP-5BE1L1R, Specific Access Rights = READ / FILE_LIST_DIRECTORY - WRITE / FILE_ADD_FILE - FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY / FILE_CREATE_PIPE_INSTANCE - FILE_READ_EA - FILE_WRITE_EA - FILE_READ_ATTRIBUTES - FILE_WRITE_ATTRIBUTES - FILE_EXECUTE / FILE_TRAVERSE - FILE_DELETE_CHILD - SPECIFIC_RIGHTS_ALL
Account = JohnDoe, Domain = DESKTOP-5BE1L1R, ACE Type = ACCESS_ALLOWED_ACE_TYPE... I'm not doing no more!
