35 if (NULL == StartUpTime)
41 if (NULL == systemProc)
51 ERROR(
"[ERROR] IntKernVirtMemFetchQword failed: 0x%08x\n", status);
103 const CHAR *privs2str[] =
107 "SeCreateTokenPrivilege",
108 "SeAssignPrimaryTokenPrivilege",
109 "SeLockMemoryPrivilege",
110 "SeIncreaseQuotaPrivilege",
111 "SeMachineAccountPrivilege",
113 "SeSecurityPrivilege",
114 "SeTakeOwnershipPrivilege",
115 "SeLoadDriverPrivilege",
116 "SeSystemProfilePrivilege",
117 "SeSystemtimePrivilege",
118 "SeProfileSingleProcessPrivilege",
119 "SeIncreaseBasePriorityPrivilege",
120 "SeCreatePagefilePrivilege",
121 "SeCreatePermanentPrivilege",
123 "SeRestorePrivilege",
124 "SeShutdownPrivilege",
127 "SeSystemEnvironmentPrivilege",
128 "SeChangeNotifyPrivilege",
129 "SeRemoteShutdownPrivilege",
131 "SeSyncAgentPrivilege",
132 "SeEnableDelegationPrivilege",
133 "SeManageVolumePrivilege",
134 "SeImpersonatePrivilege",
135 "SeCreateGlobalPrivilege",
136 "SeTrustedCredManAccessPrivilege",
137 "SeRelabelPrivilege",
138 "SeIncreaseWorkingSetPrivilege",
139 "SeTimeZonePrivilege",
140 "SeCreateSymbolicLinkPrivilege",
143 for (
DWORD i = 0; i < 63; i++)
147 if (i >=
ARRAYSIZE(privs2str) || privs2str[i] == NULL)
149 LOG(
"%d Unknown Privilege\n", i);
153 LOG(
"%d %s\n", i, privs2str[i]);
176 if (NULL == Privileges)
187 LOG(
"Enabled By Default: \n");
271 sizeof(
DWORD) * Sid->Sid.SubAuthorityCount, &Sid->Sid.SubAuthority, NULL);
327 Token->SidsBufferTooSmall = Token->RestrictedSIdsBufferTooSmall =
FALSE;
329 if (0 != Token->SidCount)
332 size_t incrementSize;
337 Token->SidsBufferTooSmall =
TRUE;
353 WARNING(
"[WARNING] Failed to read Token.UserAndGroups: 0x%08x\n", status);
357 for (
DWORD i = 0; i < Token->SidCount; i++)
359 status =
IntWinReadSid(gva + i * incrementSize, &Token->SidsAndAttributes[i]);
365 Token->SidsAndAttributes[i].IsRestricted =
FALSE;
371 &Token->RestrictedSidCount);
377 if (0 != Token->RestrictedSidCount)
380 size_t incrementSize;
385 Token->RestrictedSIdsBufferTooSmall =
TRUE;
404 for (
DWORD i = 0; i < Token->RestrictedSidCount; i++)
406 status =
IntWinReadSid(gva + i * incrementSize, &Token->RestrictedSids[i]);
412 Token->RestrictedSids[i].IsRestricted =
TRUE;
417 if (0 == Token->SidCount && 0 == Token->RestrictedSidCount)
488 if (0 == EprocessGva)
493 ERROR(
"[ERROR] IntWinProcGetObjectByPid failed for %d: 0x%x\n", ProcessId, status);
511 ERROR(
"[ERROR] Failed to read Token from Eprocess 0x%016llx: 0x%08x\n", EprocessGva, status);
564 ERROR(
"[ERROR] Failed to read Token from Ethread 0x%016llx: 0x%08x\n", EthreadGva, status);
569 tokenGva &= ~((
QWORD)0x7);
597 if (Sid->IsRestricted)
599 LOG(
"Restricted SID\n");
602 LOG(
"Attributes: 0x%x\n", Sid->Attributes);
604 LOG(
"Revision: %d\n", Sid->Sid.Revision);
606 LOG(
"Identifier Authority: ");
607 for (
DWORD i = 0; i < 6; i++)
609 NLOG(
"%d ", Sid->Sid.IdentifierAuthority[i]);
613 LOG(
"Sub authority: ");
614 for (
DWORD i = 0; i < Sid->Sid.SubAuthorityCount; i++)
616 NLOG(
"%d ", Sid->Sid.SubAuthority[i]);
640 if (Token->ImpersonationToken)
642 LOG(
"Impersonation token\n");
645 LOG(
"Privileges: \n");
648 LOG(
"User and Groups: \n");
649 for (
DWORD i = 0; i < Token->SidCount; i++)
654 LOG(
"Restricted SIDs: \n");
655 for (
DWORD i = 0; i < Token->RestrictedSidCount; i++)
DWORD Sid
32-bit guest virtual address of a _SID structure (a guest pointer, not a host pointer: read it through the guest-memory accessors such as IntKernVirtMemRead rather than dereferencing it).
static void IntWinDumpPrivilegesMask(QWORD Mask)
Prints the names of the privileges encoded in Mask.
#define EX_FAST_REF_TO_PTR(is64, p)
Converts a _EX_FAST_REF value to a pointer.
A Windows token structure as reported by Introcore alerts.
#define INT_STATUS_SUCCESS
#define INT_SUCCESS(Status)
QWORD Sid
64-bit guest virtual address of a _SID structure (a guest pointer, not a host pointer: read it through the guest-memory accessors such as IntKernVirtMemRead rather than dereferencing it).
#define INTRO_WIN_SID_MAX_SUB_AUTHORITIES
The maximum number of sub authorities contained in a SID.
int INTSTATUS
The status data type.
#define INT_STATUS_NOT_FOUND
PWIN_PROCESS_OBJECT IntWinProcFindObjectByPid(DWORD Pid)
Finds a process by its ID.
void IntWinDumpToken(INTRO_WIN_TOKEN const *Token)
Prints an INTRO_WIN_TOKEN structure.
INTSTATUS IntWinDumpPrivileges(INTRO_TOKEN_PRIVILEGES const *Privileges)
Prints an INTRO_TOKEN_PRIVILEGES structure.
DWORD Attributes
A combination of SE_GROUP_* values.
INTSTATUS IntKernVirtMemFetchDword(QWORD GuestVirtualAddress, DWORD *Data)
Reads 4 bytes from the guest kernel memory.
INTSTATUS IntWinGetAccesTokenFromThread(QWORD EthreadGva, INTRO_WIN_TOKEN *Token)
Reads the contents of a _TOKEN Windows structure assigned to a thread.
Windows process token privileges.
#define INT_STATUS_NOT_INITIALIZED
INTSTATUS IntKernVirtMemFetchQword(QWORD GuestVirtualAddress, QWORD *Data)
Reads 8 bytes from the guest kernel memory.
INTSTATUS IntWinGetAccessTokenFromProcess(DWORD ProcessId, QWORD EprocessGva, INTRO_WIN_TOKEN *Token)
Reads the contents of a _TOKEN Windows structure assigned to a process.
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
#define INTRO_SIDS_MAX_COUNT
The maximum SID count included in an alert.
struct _SID_AND_ATTRIBUTES32 SID_AND_ATTRIBUTES32
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
void IntWinDumpSid(INTRO_SID_ATTRIBUTES const *Sid)
Prints an INTRO_SID_ATTRIBUTES structure.
INTSTATUS IntWinProcGetObjectByPid(DWORD Pid, WIN_PROCESS_OBJECT **Process)
This function looks for a process with the given PID inside gWinProcesses and returns its WIN_PROCESS_OBJECT through the Process output parameter.
INTSTATUS IntWinReadToken(QWORD TokenGva, INTRO_WIN_TOKEN *Token)
Reads the contents of a _TOKEN Windows structure.
struct _SID_AND_ATTRIBUTES64 SID_AND_ATTRIBUTES64
#define WIN_KM_FIELD(Structure, Field)
Macro used to access kernel mode fields inside the WIN_OPAQUE_FIELDS structure.
#define INT_STATUS_INVALID_DATA_VALUE
INTSTATUS IntWinGetStartUpTime(QWORD *StartUpTime)
Gets the system startup time.
QWORD EprocessAddress
The address of the ActiveProcess field.
GUEST_STATE gGuest
The current guest state.
#define FIELD_OFFSET(type, field)
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
#define INT_STATUS_INVALID_PARAMETER_1
DWORD Attributes
A combination of SE_GROUP_* values.
INTSTATUS IntWinReadSid(QWORD SidAndAttributesGva, INTRO_SID_ATTRIBUTES *Sid)
Reads the contents of a _SID_AND_ATTRIBUTES Windows structure.
#define INT_STATUS_INVALID_PARAMETER_2
This structure describes a running process inside the guest.
#define INT_STATUS_INVALID_PARAMETER_3