-
-
Save Scuzz3y/7ba66a1c60bf30a42a4a1d1bf942cc1a to your computer and use it in GitHub Desktop.
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| . C:\Users\Test\Desktop\PSReflect.ps1 | |
| function CloseHandle | |
| { | |
| param | |
| ( | |
| [Parameter(Mandatory = $true)] | |
| [IntPtr] | |
| $Handle | |
| ) | |
| <# | |
| (func kernel32 CloseHandle ([bool]) @( | |
| [IntPtr] #_In_ HANDLE hObject | |
| ) -SetLastError) | |
| #> | |
| $Success = $Kernel32::CloseHandle($Handle); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() | |
| if(-not $Success) | |
| { | |
| Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)" | |
| } | |
| } | |
| function ConvertSidToStringSid | |
| { | |
| param | |
| ( | |
| [Parameter(Mandatory = $true)] | |
| [IntPtr] | |
| $SidPointer | |
| ) | |
| <# | |
| (func advapi32 ConvertSidToStringSid ([bool]) @( | |
| [IntPtr] #_In_ PSID Sid, | |
| [IntPtr].MakeByRefType() #_Out_ LPTSTR *StringSid | |
| ) -SetLastError) | |
| #> | |
| $StringPtr = [IntPtr]::Zero | |
| $Success = $Advapi32::ConvertSidToStringSid($SidPointer, [ref]$StringPtr); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() | |
| if(-not $Success) | |
| { | |
| Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)" | |
| } | |
| Write-Output ([System.Runtime.InteropServices.Marshal]::PtrToStringAuto($StringPtr)) | |
| } | |
| function CreateToolhelp32Snapshot | |
| { | |
| param | |
| ( | |
| [Parameter(Mandatory = $true)] | |
| [UInt32] | |
| $ProcessId, | |
| [Parameter(Mandatory = $true)] | |
| [UInt32] | |
| $Flags | |
| ) | |
| <# | |
| (func kernel32 CreateToolhelp32Snapshot ([IntPtr]) @( | |
| [UInt32], #_In_ DWORD dwFlags, | |
| [UInt32] #_In_ DWORD th32ProcessID | |
| ) -SetLastError) | |
| #> | |
| $hSnapshot = $Kernel32::CreateToolhelp32Snapshot($Flags, $ProcessId); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() | |
| if(-not $hSnapshot) | |
| { | |
| Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)" | |
| } | |
| Write-Output $hSnapshot | |
| } | |
| function GetTokenInformation | |
| { | |
| param | |
| ( | |
| [Parameter(Mandatory = $true)] | |
| [IntPtr] | |
| $TokenHandle, | |
| [Parameter(Mandatory = $true)] | |
| $TokenInformationClass | |
| ) | |
| <# | |
| (func advapi32 GetTokenInformation ([bool]) @( | |
| [IntPtr], #_In_ HANDLE TokenHandle | |
| [Int32], #_In_ TOKEN_INFORMATION_CLASS TokenInformationClass | |
| [IntPtr], #_Out_opt_ LPVOID TokenInformation | |
| [UInt32], #_In_ DWORD TokenInformationLength | |
| [UInt32].MakeByRefType() #_Out_ PDWORD ReturnLength | |
| ) -SetLastError) | |
| #> | |
| # initial query to determine the necessary buffer size | |
| $TokenPtrSize = 0 | |
| $Success = $Advapi32::GetTokenInformation($TokenHandle, $TokenInformationClass, 0, $TokenPtrSize, [ref]$TokenPtrSize) | |
| [IntPtr]$TokenPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenPtrSize) | |
| # retrieve the proper buffer value | |
| $Success = $Advapi32::GetTokenInformation($TokenHandle, $TokenInformationClass, $TokenPtr, $TokenPtrSize, [ref]$TokenPtrSize); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() | |
| if($Success) | |
| { | |
| switch($TokenInformationClass) | |
| { | |
| 1 # TokenUser | |
| { | |
| $TokenUser = $TokenPtr -as $TOKEN_USER | |
| ConvertSidToStringSid -SidPointer $TokenUser.User.Sid | |
| } | |
| 3 # TokenPrivilege | |
| { | |
| # query the process token with the TOKEN_INFORMATION_CLASS = 3 enum to retrieve a TOKEN_PRIVILEGES structure | |
| $TokenPrivileges = $TokenPtr -as $TOKEN_PRIVILEGES | |
| $sb = New-Object System.Text.StringBuilder | |
| for($i=0; $i -lt $TokenPrivileges.PrivilegeCount; $i++) | |
| { | |
| if((($TokenPrivileges.Privileges[$i].Attributes -as $LuidAttributes) -band $LuidAttributes::SE_PRIVILEGE_ENABLED) -eq $LuidAttributes::SE_PRIVILEGE_ENABLED) | |
| { | |
| $sb.Append(", $($TokenPrivileges.Privileges[$i].Luid.LowPart.ToString())") | Out-Null | |
| } | |
| } | |
| Write-Output $sb.ToString().TrimStart(', ') | |
| } | |
| 17 # TokenOrigin | |
| { | |
| $TokenOrigin = $TokenPtr -as $LUID | |
| Write-Output (Get-LogonSession -LogonId $TokenOrigin.LowPart) | |
| } | |
| 22 # TokenAccessInformation | |
| { | |
| } | |
| 25 # TokenIntegrityLevel | |
| { | |
| $TokenIntegrity = $TokenPtr -as $TOKEN_MANDATORY_LABEL | |
| switch(ConvertSidToStringSid -SidPointer $TokenIntegrity.Label.Sid) | |
| { | |
| $UNTRUSTED_MANDATORY_LEVEL | |
| { | |
| Write-Output "UNTRUSTED_MANDATORY_LEVEL" | |
| } | |
| $LOW_MANDATORY_LEVEL | |
| { | |
| Write-Output "LOW_MANDATORY_LEVEL" | |
| } | |
| $MEDIUM_MANDATORY_LEVEL | |
| { | |
| Write-Output "MEDIUM_MANDATORY_LEVEL" | |
| } | |
| $MEDIUM_PLUS_MANDATORY_LEVEL | |
| { | |
| Write-Output "MEDIUM_PLUS_MANDATORY_LEVEL" | |
| } | |
| $HIGH_MANDATORY_LEVEL | |
| { | |
| Write-Output "HIGH_MANDATORY_LEVEL" | |
| } | |
| $SYSTEM_MANDATORY_LEVEL | |
| { | |
| Write-Output "SYSTEM_MANDATORY_LEVEL" | |
| } | |
| $PROTECTED_PROCESS_MANDATORY_LEVEL | |
| { | |
| Write-Output "PROTECTED_PROCESS_MANDATORY_LEVEL" | |
| } | |
| $SECURE_PROCESS_MANDATORY_LEVEL | |
| { | |
| Write-Output "SECURE_PROCESS_MANDATORY_LEVEL" | |
| } | |
| } | |
| } | |
| } | |
| } | |
| else | |
| { | |
| Write-Warning ([ComponentModel.Win32Exception] $LastError) | |
| } | |
| try | |
| { | |
| [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPtr) | |
| } | |
| catch | |
| { | |
| } | |
| } | |
| function LookupAccountSid | |
| { | |
| param | |
| ( | |
| ) | |
| <#(func advapi32 LookupAccountSid ([bool]) @( | |
| #_In_opt_ LPCTSTR lpSystemName | |
| #_In_ PSID lpSid | |
| #_Out_opt_ LPTSTR lpName | |
| #_Inout_ LPDWORD cchName | |
| #_Out_opt_ LPTSTR lpReferencedDomainName | |
| #_Inout_ LPDWORD cchReferencedDomainName | |
| #_Out_ PSID_NAME_USE peUse | |
| ) -SetLastError),#> | |
| } | |
| function NtQueryInformationThread | |
| { | |
| param | |
| ( | |
| [Parameter(Mandatory = $true)] | |
| [IntPtr] | |
| $ThreadHandle | |
| ) | |
| <# | |
| (func ntdll NtQueryInformationThread ([Int32]) @( | |
| [IntPtr], #_In_ HANDLE ThreadHandle, | |
| [Int32], #_In_ THREADINFOCLASS ThreadInformationClass, | |
| [IntPtr], #_Inout_ PVOID ThreadInformation, | |
| [Int32], #_In_ ULONG ThreadInformationLength, | |
| [IntPtr] #_Out_opt_ PULONG ReturnLength | |
| )) | |
| #> | |
| $buf = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([IntPtr]::Size) | |
| $Success = $Ntdll::NtQueryInformationThread($ThreadHandle, 9, $buf, [IntPtr]::Size, [IntPtr]::Zero); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() | |
| if(-not $Success) | |
| { | |
| Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)" | |
| } | |
| Write-Output ([System.Runtime.InteropServices.Marshal]::ReadIntPtr($buf)) | |
| } | |
| function OpenProcess | |
| { | |
| param | |
| ( | |
| [Parameter(Mandatory = $true)] | |
| [UInt32] | |
| $ProcessId, | |
| [Parameter(Mandatory = $true)] | |
| [UInt32] | |
| $DesiredAccess, | |
| [Parameter()] | |
| [bool] | |
| $InheritHandle = $false | |
| ) | |
| <# | |
| (func kernel32 OpenProcess ([IntPtr]) @( | |
| [UInt32], #_In_ DWORD dwDesiredAccess, | |
| [bool], #_In_ BOOL bInheritHandle, | |
| [UInt32] #_In_ DWORD dwProcessId | |
| ) -SetLastError) | |
| #> | |
| $hProcess = $Kernel32::OpenProcess($DesiredAccess, $InheritHandle, $ProcessId); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() | |
| if(-not $hProcess) | |
| { | |
| Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)" | |
| } | |
| Write-Output $hProcess | |
| } | |
| function OpenProcessToken | |
| { | |
| param | |
| ( | |
| [Parameter(Mandatory = $true)] | |
| [IntPtr] | |
| $ProcessHandle, | |
| [Parameter(Mandatory = $true)] | |
| [UInt32] | |
| $DesiredAccess | |
| ) | |
| <# | |
| (func advapi32 OpenProcessToken ([bool]) @( | |
| [IntPtr], #_In_ HANDLE ProcessHandle | |
| [UInt32], #_In_ DWORD DesiredAccess | |
| [IntPtr].MakeByRefType() #_Out_ PHANDLE TokenHandle | |
| ) -SetLastError) | |
| #> | |
| $hToken = [IntPtr]::Zero | |
| $Success = $Advapi32::OpenProcessToken($ProcessHandle, $DesiredAccess, [ref]$hToken); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() | |
| if(-not $Success) | |
| { | |
| Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)" | |
| } | |
| Write-Output $hToken | |
| } | |
| function OpenThread | |
| { | |
| param | |
| ( | |
| [Parameter(Mandatory = $true)] | |
| [UInt32] | |
| $ThreadId, | |
| [Parameter(Mandatory = $true)] | |
| [UInt32] | |
| $DesiredAccess, | |
| [Parameter()] | |
| [bool] | |
| $InheritHandle = $false | |
| ) | |
| <# | |
| (func kernel32 OpenThread ([IntPtr]) @( | |
| [UInt32], #_In_ DWORD dwDesiredAccess, | |
| [bool], #_In_ BOOL bInheritHandle, | |
| [UInt32] #_In_ DWORD dwThreadId | |
| ) -SetLastError) | |
| #> | |
| $hThread = $Kernel32::OpenThread($DesiredAccess, $InheritHandle, $ThreadId); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() | |
| if(-not $hThread) | |
| { | |
| Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)" | |
| } | |
| Write-Output $hThread | |
| } | |
| function OpenThreadToken | |
| { | |
| param | |
| ( | |
| [Parameter(Mandatory = $true)] | |
| [IntPtr] | |
| $ThreadHandle, | |
| [Parameter(Mandatory = $true)] | |
| [UInt32] | |
| $DesiredAccess, | |
| [Parameter()] | |
| [bool] | |
| $OpenAsSelf = $false | |
| ) | |
| <# | |
| (func advapi32 OpenThreadToken ([bool]) @( | |
| [IntPtr], #_In_ HANDLE ThreadHandle | |
| [UInt32], #_In_ DWORD DesiredAccess | |
| [bool], #_In_ BOOL OpenAsSelf | |
| [IntPtr].MakeByRefType() #_Out_ PHANDLE TokenHandle | |
| ) -SetLastError) | |
| #> | |
| $hToken = [IntPtr]::Zero | |
| $Success = $Advapi32::OpenThreadToken($ThreadHandle, $DesiredAccess, $OpenAsSelf, [ref]$hToken); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() | |
| if(-not $Success) | |
| { | |
| Write-Warning "OpenThreadToken Error: $(([ComponentModel.Win32Exception] $LastError).Message)" | |
| throw "Error: $(([ComponentModel.Win32Exception] $LastError).Message)" | |
| } | |
| Write-Output $hToken | |
| } | |
| function QueryFullProcessImageName | |
| { | |
| param | |
| ( | |
| [Parameter(Mandatory = $true)] | |
| [IntPtr] | |
| $ProcessHandle, | |
| [Parameter()] | |
| [UInt32] | |
| $Flags = 0 | |
| ) | |
| $capacity = 2048 | |
| $sb = New-Object -TypeName System.Text.StringBuilder($capacity) | |
| $Success = $Kernel32::QueryFullProcessImageName($ProcessHandle, $Flags, $sb, [ref]$capacity); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() | |
| if(-not $Success) | |
| { | |
| Write-Verbose "QueryFullProcessImageName Error: $(([ComponentModel.Win32Exception] $LastError).Message)" | |
| } | |
| Write-Output $sb.ToString() | |
| } | |
| function ReadProcessMemory | |
| { | |
| param | |
| ( | |
| [Parameter(Mandatory = $true)] | |
| [IntPtr] | |
| $ProcessHandle, | |
| [Parameter(Mandatory = $true)] | |
| [IntPtr] | |
| $BaseAddress, | |
| [Parameter(Mandatory = $true)] | |
| [Int] | |
| $Size | |
| ) | |
| <# | |
| (func kernel32 ReadProcessMemory ([Bool]) @( | |
| [IntPtr], # _In_ HANDLE hProcess | |
| [IntPtr], # _In_ LPCVOID lpBaseAddress | |
| [Byte[]], # _Out_ LPVOID lpBuffer | |
| [Int], # _In_ SIZE_T nSize | |
| [Int].MakeByRefType() # _Out_ SIZE_T *lpNumberOfBytesRead | |
| ) -SetLastError) # MSDN states to call GetLastError if the return value is false. | |
| #> | |
| $buf = New-Object byte[]($Size) | |
| [Int32]$NumberOfBytesRead = 0 | |
| $Success = $Kernel32::ReadProcessMemory($ProcessHandle, $BaseAddress, $buf, $buf.Length, [ref]$NumberOfBytesRead); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() | |
| if(-not $Success) | |
| { | |
| Write-Verbose "ReadProcessMemory Error: $(([ComponentModel.Win32Exception] $LastError).Message)" | |
| } | |
| Write-Output $buf | |
| } | |
| function TerminateThread | |
| { | |
| param | |
| ( | |
| [Parameter(Mandatory = $true)] | |
| [IntPtr] | |
| $ThreadHandle, | |
| [Parameter()] | |
| [UInt32] | |
| $ExitCode = 0 | |
| ) | |
| <# | |
| (func kernel32 TerminateThread ([bool]) @( | |
| [IntPtr], # _InOut_ HANDLE hThread | |
| [UInt32] # _In_ DWORD dwExitCode | |
| ) -SetLastError) | |
| #> | |
| $Success = $Kernel32::TerminateThread($ThreadHandle, $ExitCode); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() | |
| if(-not $Success) | |
| { | |
| Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)" | |
| } | |
| } | |
| function Thread32First | |
| { | |
| param | |
| ( | |
| [Parameter(Mandatory = $true)] | |
| [IntPtr] | |
| $SnapshotHandle | |
| ) | |
| <# | |
| (func kernel32 Thread32First ([bool]) @( | |
| [IntPtr], #_In_ HANDLE hSnapshot, | |
| $THREADENTRY32.MakeByRefType() #_Inout_ LPTHREADENTRY32 lpte | |
| ) -SetLastError) | |
| #> | |
| $Thread = [Activator]::CreateInstance($THREADENTRY32) | |
| $Thread.dwSize = $THREADENTRY32::GetSize() | |
| $Success = $Kernel32::Thread32First($hSnapshot, [Ref]$Thread); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() | |
| if(-not $Success) | |
| { | |
| Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)" | |
| } | |
| Write-Output $Thread | |
| } | |
| function VirtualQueryEx | |
| { | |
| param | |
| ( | |
| [Parameter(Mandatory = $true)] | |
| [IntPtr] | |
| $ProcessHandle, | |
| [Parameter(Mandatory = $true)] | |
| [IntPtr] | |
| $BaseAddress | |
| ) | |
| <# | |
| (func kernel32 VirtualQueryEx ([Int32]) @( | |
| [IntPtr], #_In_ HANDLE hProcess, | |
| [IntPtr], #_In_opt_ LPCVOID lpAddress, | |
| $MEMORYBASICINFORMATION.MakeByRefType(), #_Out_ PMEMORY_BASIC_INFORMATION lpBuffer, | |
| [UInt32] #_In_ SIZE_T dwLength | |
| ) -SetLastError) | |
| #> | |
| $memory_basic_info = [Activator]::CreateInstance($MEMORYBASICINFORMATION) | |
| $Success = $Kernel32::VirtualQueryEx($ProcessHandle, $BaseAddress, [Ref]$memory_basic_info, $MEMORYBASICINFORMATION::GetSize()); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() | |
| if(-not $Success) | |
| { | |
| Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)" | |
| } | |
| Write-Output $memory_basic_info | |
| } | |
| <# | |
| Author: Lee Christensen (@tifkin_) | |
| License: BSD 3-Clause | |
| Required Dependencies: None | |
| Optional Dependencies: None | |
| #> | |
| function Get-LogonSession | |
| { | |
| param | |
| ( | |
| [Parameter(Mandatory = $true)] | |
| [UInt32] | |
| $LogonId | |
| ) | |
| $LogonMap = @{} | |
| Get-WmiObject Win32_LoggedOnUser | %{ | |
| $Identity = $_.Antecedent | Select-String 'Domain="(.*)",Name="(.*)"' | |
| $LogonSession = $_.Dependent | Select-String 'LogonId="(\d+)"' | |
| $LogonMap[$LogonSession.Matches[0].Groups[1].Value] = New-Object PSObject -Property @{ | |
| Domain = $Identity.Matches[0].Groups[1].Value | |
| UserName = $Identity.Matches[0].Groups[2].Value | |
| } | |
| } | |
| Get-WmiObject Win32_LogonSession -Filter "LogonId = `"$($LogonId)`"" | %{ | |
| $LogonType = $Null | |
| switch($_.LogonType) { | |
| $null {$LogonType = 'None'} | |
| 0 { $LogonType = 'System' } | |
| 2 { $LogonType = 'Interactive' } | |
| 3 { $LogonType = 'Network' } | |
| 4 { $LogonType = 'Batch' } | |
| 5 { $LogonType = 'Service' } | |
| 6 { $LogonType = 'Proxy' } | |
| 7 { $LogonType = 'Unlock' } | |
| 8 { $LogonType = 'NetworkCleartext' } | |
| 9 { $LogonType = 'NewCredentials' } | |
| 10 { $LogonType = 'RemoteInteractive' } | |
| 11 { $LogonType = 'CachedInteractive' } | |
| 12 { $LogonType = 'CachedRemoteInteractive' } | |
| 13 { $LogonType = 'CachedUnlock' } | |
| default { $LogonType = $_.LogonType} | |
| } | |
| New-Object PSObject -Property @{ | |
| UserName = $LogonMap[$_.LogonId].UserName | |
| Domain = $LogonMap[$_.LogonId].Domain | |
| LogonId = $_.LogonId | |
| LogonType = $LogonType | |
| AuthenticationPackage = $_.AuthenticationPackage | |
| Caption = $_.Caption | |
| Description = $_.Description | |
| InstallDate = $_.InstallDate | |
| Name = $_.Name | |
| StartTime = $_.ConvertToDateTime($_.StartTime) | |
| } | |
| } | |
| } | |
| function Get-InjectedThread | |
| { | |
| $hSnapshot = CreateToolhelp32Snapshot -ProcessId 0 -Flags 4 | |
| $Thread = Thread32First -SnapshotHandle $hSnapshot | |
| do | |
| { | |
| $hThread = OpenThread -ThreadId $Thread.th32ThreadID -DesiredAccess 0x40 -InheritHandle $false | |
| $BaseAddress = NtQueryInformationThread -ThreadHandle $hThread | |
| $hProcess = OpenProcess -ProcessId $Thread.th32OwnerProcessID -DesiredAccess $PROCESS_ALL_ACCESS -InheritHandle $false | |
| $memory_basic_info = VirtualQueryEx -ProcessHandle $hProcess -BaseAddress $BaseAddress | |
| if($memory_basic_info.State -eq 0x1000 -and $memory_basic_info.Type -ne 0x1000000) | |
| { | |
| $buf = ReadProcessMemory -ProcessHandle $hProcess -BaseAddress $BaseAddress -Size 100 | |
| $proc = Get-WmiObject Win32_Process -Filter "ProcessId = '$($Thread.th32OwnerProcessID)'" | |
| $KernelPath = QueryFullProcessImageName -ProcessHandle $hProcess | |
| $PathMismatch = $proc.Path -ne $TruePath | |
| # check if thread has unique token | |
| try | |
| { | |
| $hThreadToken = OpenThreadToken -ThreadHandle $hThread -DesiredAccess $TOKEN_ALL_ACCESS | |
| $SID = GetTokenInformation -TokenHandle $hProcessToken -TokenInformationClass 1 | |
| $Privs = GetTokenInformation -TokenHandle $hProcessToken -TokenInformationClass 3 | |
| $LogonSession = GetTokenInformation -TokenHandle $hProcessToken -TokenInformationClass 17 | |
| $Integrity = GetTokenInformation -TokenHandle $hProcessToken -TokenInformationClass 25 | |
| $IsUniqueThreadToken = $true | |
| } | |
| catch | |
| { | |
| $hProcessToken = OpenProcessToken -ProcessHandle $hProcess -DesiredAccess $TOKEN_ALL_ACCESS | |
| $SID = GetTokenInformation -TokenHandle $hProcessToken -TokenInformationClass 1 | |
| $Privs = GetTokenInformation -TokenHandle $hProcessToken -TokenInformationClass 3 | |
| $LogonSession = GetTokenInformation -TokenHandle $hProcessToken -TokenInformationClass 17 | |
| $Integrity = GetTokenInformation -TokenHandle $hProcessToken -TokenInformationClass 25 | |
| $IsUniqueThreadToken = $false | |
| } | |
| $ThreadDetail = New-Object PSObject | |
| $ThreadDetail | Add-Member -MemberType Noteproperty -Name ProcessName -Value $proc.Name | |
| $ThreadDetail | Add-Member -MemberType Noteproperty -Name ProcessId -Value $proc.ProcessId | |
| $ThreadDetail | Add-Member -MemberType Noteproperty -Name Path -Value $proc.Path | |
| $ThreadDetail | Add-Member -MemberType Noteproperty -Name KernelPath -Value $KernelPath | |
| $ThreadDetail | Add-Member -MemberType Noteproperty -Name CommandLine -Value $proc.CommandLine | |
| $ThreadDetail | Add-Member -MemberType Noteproperty -Name PathMismatch -Value $PathMismatch | |
| $ThreadDetail | Add-Member -MemberType Noteproperty -Name ThreadId -Value $Thread.th32ThreadId | |
| $ThreadDetail | Add-Member -MemberType Noteproperty -Name BasePriority -Value $Thread.tpBasePri | |
| $ThreadDetail | Add-Member -MemberType Noteproperty -Name IsUniqueThreadToken -Value $IsUniqueThreadToken | |
| $ThreadDetail | Add-Member -MemberType Noteproperty -Name Integrity -Value $Integrity | |
| $ThreadDetail | Add-Member -MemberType Noteproperty -Name Privilege -Value $Privs | |
| $ThreadDetail | Add-Member -MemberType Noteproperty -Name LogonId -Value $LogonSession.LogonId | |
| $ThreadDetail | Add-Member -MemberType Noteproperty -Name SecurityIdentifier -Value $SID | |
| $ThreadDetail | Add-Member -MemberType Noteproperty -Name UserName -Value "$($LogonSession.Domain)\$($LogonSession.UserName)" | |
| $ThreadDetail | Add-Member -MemberType Noteproperty -Name LogonSessionStartTime -Value $LogonSession.StartTime | |
| $ThreadDetail | Add-Member -MemberType Noteproperty -Name LogonType -Value $LogonSession.LogonType | |
| $ThreadDetail | Add-Member -MemberType Noteproperty -Name AuthenticationPackage -Value $LogonSession.AuthenticationPackage | |
| $ThreadDetail | Add-Member -MemberType Noteproperty -Name BaseAddress -Value $BaseAddress | |
| $ThreadDetail | Add-Member -MemberType Noteproperty -Name Size -Value $memory_basic_info.RegionSize | |
| $ThreadDetail | Add-Member -MemberType Noteproperty -Name Bytes -Value $buf | |
| Write-Output $ThreadDetail | |
| } | |
| CloseHandle($hThread) | |
| CloseHandle($hProcess) | |
| } while($Kernel32::Thread32Next($hSnapshot, [ref]$Thread)) | |
| CloseHandle($hSnapshot) | |
| } | |
| function Stop-Thread | |
| { | |
| param | |
| ( | |
| [Parameter(Mandatory = $true)] | |
| [UInt32] | |
| $ThreadId | |
| ) | |
| $hThread = OpenThread -ThreadId $ThreadId -DesiredAccess $THREAD_TERMINATE | |
| TerminateThread -ThreadHandle $hThread | |
| CloseHandle -Handle $hThread | |
| } | |
| #OpenProcessToken / OpenThreadToken | |
| #GetTokenInformation with the TokenOwner flag to get the SID of the owner. | |
| #LookupAccountSid | |
| $Mod = New-InMemoryModule -ModuleName Thread | |
| $LuidAttributes = psenum $Mod Thread.LuidAttributes UInt32 @{ | |
| DISABLED = '0x00000000' | |
| SE_PRIVILEGE_ENABLED_BY_DEFAULT = '0x00000001' | |
| SE_PRIVILEGE_ENABLED = '0x00000002' | |
| SE_PRIVILEGE_REMOVED = '0x00000004' | |
| SE_PRIVILEGE_USED_FOR_ACCESS = '0x80000000' | |
| } -Bitfield | |
| $SecurityEntity = psenum $Mod Thread.SecurityEntity UInt32 @{ | |
| SeCreateTokenPrivilege = 1 | |
| SeAssignPrimaryTokenPrivilege = 2 | |
| SeLockMemoryPrivilege = 3 | |
| SeIncreaseQuotaPrivilege = 4 | |
| SeUnsolicitedInputPrivilege = 5 | |
| SeMachineAccountPrivilege = 6 | |
| SeTcbPrivilege = 7 | |
| SeSecurityPrivilege = 8 | |
| SeTakeOwnershipPrivilege = 9 | |
| SeLoadDriverPrivilege = 10 | |
| SeSystemProfilePrivilege = 11 | |
| SeSystemtimePrivilege = 12 | |
| SeProfileSingleProcessPrivilege = 13 | |
| SeIncreaseBasePriorityPrivilege = 14 | |
| SeCreatePagefilePrivilege = 15 | |
| SeCreatePermanentPrivilege = 16 | |
| SeBackupPrivilege = 17 | |
| SeRestorePrivilege = 18 | |
| SeShutdownPrivilege = 19 | |
| SeDebugPrivilege = 20 | |
| SeAuditPrivilege = 21 | |
| SeSystemEnvironmentPrivilege = 22 | |
| SeChangeNotifyPrivilege = 23 | |
| SeRemoteShutdownPrivilege = 24 | |
| SeUndockPrivilege = 25 | |
| SeSyncAgentPrivilege = 26 | |
| SeEnableDelegationPrivilege = 27 | |
| SeManageVolumePrivilege = 28 | |
| SeImpersonatePrivilege = 29 | |
| SeCreateGlobalPrivilege = 30 | |
| SeTrustedCredManAccessPrivilege = 31 | |
| SeRelabelPrivilege = 32 | |
| SeIncreaseWorkingSetPrivilege = 33 | |
| SeTimeZonePrivilege = 34 | |
| SeCreateSymbolicLinkPrivilege = 35 | |
| } | |
| $SidNameUser = psenum $Mod Thread.SID_NAME_USE UInt32 @{ | |
| SidTypeUser = 1 | |
| SidTypeGroup = 2 | |
| SidTypeDomain = 3 | |
| SidTypeAlias = 4 | |
| SidTypeWellKnownGroup = 5 | |
| SidTypeDeletedAccount = 6 | |
| SidTypeInvalid = 7 | |
| SidTypeUnknown = 8 | |
| SidTypeComputer = 9 | |
| } | |
| $TokenInformationClass = psenum $Mod Thread.TOKEN_INFORMATION_CLASS UInt16 @{ | |
| TokenUser = 1 | |
| TokenGroups = 2 | |
| TokenPrivileges = 3 | |
| TokenOwner = 4 | |
| TokenPrimaryGroup = 5 | |
| TokenDefaultDacl = 6 | |
| TokenSource = 7 | |
| TokenType = 8 | |
| TokenImpersonationLevel = 9 | |
| TokenStatistics = 10 | |
| TokenRestrictedSids = 11 | |
| TokenSessionId = 12 | |
| TokenGroupsAndPrivileges = 13 | |
| TokenSessionReference = 14 | |
| TokenSandBoxInert = 15 | |
| TokenAuditPolicy = 16 | |
| TokenOrigin = 17 | |
| TokenElevationType = 18 | |
| TokenLinkedToken = 19 | |
| TokenElevation = 20 | |
| TokenHasRestrictions = 21 | |
| TokenAccessInformation = 22 | |
| TokenVirtualizationAllowed = 23 | |
| TokenVirtualizationEnabled = 24 | |
| TokenIntegrityLevel = 25 | |
| TokenUIAccess = 26 | |
| TokenMandatoryPolicy = 27 | |
| TokenLogonSid = 28 | |
| TokenIsAppContainer = 29 | |
| TokenCapabilities = 30 | |
| TokenAppContainerSid = 31 | |
| TokenAppContainerNumber = 32 | |
| TokenUserClaimAttributes = 33 | |
| TokenDeviceClaimAttributes = 34 | |
| TokenRestrictedUserClaimAttributes = 35 | |
| TokenRestrictedDeviceClaimAttributes = 36 | |
| TokenDeviceGroups = 37 | |
| TokenRestrictedDeviceGroups = 38 | |
| TokenSecurityAttributes = 39 | |
| TokenIsRestricted = 40 | |
| MaxTokenInfoClass = 41 | |
| } | |
| $LUID = struct $Mod Thread.Luid @{ | |
| LowPart = field 0 $SecurityEntity | |
| HighPart = field 1 Int32 | |
| } | |
| $LUID_AND_ATTRIBUTES = struct $Mod Thread.LuidAndAttributes @{ | |
| Luid = field 0 $LUID | |
| Attributes = field 1 UInt32 | |
| } | |
| $MEMORYBASICINFORMATION = struct $Mod Thread.MEMORY_BASIC_INFORMATION @{ | |
| BaseAddress = field 0 IntPtr | |
| AllocationBase = field 1 IntPtr | |
| AllocationProtect = field 2 UInt32 | |
| RegionSize = field 3 UIntPtr | |
| State = field 4 UInt32 | |
| Protect = field 5 UInt32 | |
| Type = field 6 UInt32 | |
| } | |
| $SID_AND_ATTRIBUTES = struct $Mod Thread.SidAndAttributes @{ | |
| Sid = field 0 IntPtr | |
| Attributes = field 1 UInt32 | |
| } | |
| $THREADENTRY32 = struct $Mod Thread.THREADENTRY32 @{ | |
| dwSize = field 0 UInt32 | |
| cntUsage = field 1 UInt32 | |
| th32ThreadID = field 2 UInt32 | |
| th32OwnerProcessID = field 3 UInt32 | |
| tpBasePri = field 4 UInt32 | |
| tpDeltaPri = field 5 UInt32 | |
| dwFlags = field 6 UInt32 | |
| } | |
| $TOKEN_MANDATORY_LABEL = struct $Mod Thread.TokenMandatoryLabel @{ | |
| Label = field 0 $SID_AND_ATTRIBUTES; | |
| } | |
| $TOKEN_ORIGIN = struct $Mod Thread.TokenOrigin @{ | |
| OriginatingLogonSession = field 0 UInt64 | |
| } | |
| $TOKEN_PRIVILEGES = struct $Mod Thread.TokenPrivileges @{ | |
| PrivilegeCount = field 0 UInt32 | |
| Privileges = field 1 $LUID_AND_ATTRIBUTES.MakeArrayType() -MarshalAs @('ByValArray', 50) | |
| } | |
| $TOKEN_USER = struct $Mod Thread.TOKEN_USER @{ | |
| User = field 0 $SID_AND_ATTRIBUTES | |
| } | |
| $FunctionDefinitions = @( | |
| (func kernel32 CloseHandle ([bool]) @( | |
| [IntPtr] #_In_ HANDLE hObject | |
| ) -SetLastError), | |
| (func advapi32 ConvertSidToStringSid ([bool]) @( | |
| [IntPtr] #_In_ PSID Sid, | |
| [IntPtr].MakeByRefType() #_Out_ LPTSTR *StringSid | |
| ) -SetLastError), | |
| (func kernel32 CreateToolhelp32Snapshot ([IntPtr]) @( | |
| [UInt32], #_In_ DWORD dwFlags, | |
| [UInt32] #_In_ DWORD th32ProcessID | |
| ) -SetLastError), | |
| (func advapi32 GetTokenInformation ([bool]) @( | |
| [IntPtr], #_In_ HANDLE TokenHandle | |
| [Int32], #_In_ TOKEN_INFORMATION_CLASS TokenInformationClass | |
| [IntPtr], #_Out_opt_ LPVOID TokenInformation | |
| [UInt32], #_In_ DWORD TokenInformationLength | |
| [UInt32].MakeByRefType() #_Out_ PDWORD ReturnLength | |
| ) -SetLastError), | |
| (func ntdll NtQueryInformationThread ([Int32]) @( | |
| [IntPtr], #_In_ HANDLE ThreadHandle, | |
| [Int32], #_In_ THREADINFOCLASS ThreadInformationClass, | |
| [IntPtr], #_Inout_ PVOID ThreadInformation, | |
| [Int32], #_In_ ULONG ThreadInformationLength, | |
| [IntPtr] #_Out_opt_ PULONG ReturnLength | |
| )), | |
| (func kernel32 OpenProcess ([IntPtr]) @( | |
| [UInt32], #_In_ DWORD dwDesiredAccess, | |
| [bool], #_In_ BOOL bInheritHandle, | |
| [UInt32] #_In_ DWORD dwProcessId | |
| ) -SetLastError), | |
| (func advapi32 OpenProcessToken ([bool]) @( | |
| [IntPtr], #_In_ HANDLE ProcessHandle | |
| [UInt32], #_In_ DWORD DesiredAccess | |
| [IntPtr].MakeByRefType() #_Out_ PHANDLE TokenHandle | |
| ) -SetLastError), | |
| (func kernel32 OpenThread ([IntPtr]) @( | |
| [UInt32], #_In_ DWORD dwDesiredAccess, | |
| [bool], #_In_ BOOL bInheritHandle, | |
| [UInt32] #_In_ DWORD dwThreadId | |
| ) -SetLastError), | |
| (func advapi32 OpenThreadToken ([bool]) @( | |
| [IntPtr], #_In_ HANDLE ThreadHandle | |
| [UInt32], #_In_ DWORD DesiredAccess | |
| [bool], #_In_ BOOL OpenAsSelf | |
| [IntPtr].MakeByRefType() #_Out_ PHANDLE TokenHandle | |
| ) -SetLastError), | |
| (func kernel32 QueryFullProcessImageName ([bool]) @( | |
| [IntPtr] #_In_ HANDLE hProcess | |
| [UInt32] #_In_ DWORD dwFlags, | |
| [System.Text.StringBuilder] #_Out_ LPTSTR lpExeName, | |
| [UInt32].MakeByRefType() #_Inout_ PDWORD lpdwSize | |
| ) -SetLastError), | |
| (func kernel32 ReadProcessMemory ([Bool]) @( | |
| [IntPtr], # _In_ HANDLE hProcess | |
| [IntPtr], # _In_ LPCVOID lpBaseAddress | |
| [Byte[]], # _Out_ LPVOID lpBuffer | |
| [Int], # _In_ SIZE_T nSize | |
| [Int].MakeByRefType() # _Out_ SIZE_T *lpNumberOfBytesRead | |
| ) -SetLastError), | |
| (func kernel32 TerminateThread ([bool]) @( | |
| [IntPtr], # _InOut_ HANDLE hThread | |
| [UInt32] # _In_ DWORD dwExitCode | |
| ) -SetLastError), | |
| (func kernel32 Thread32First ([bool]) @( | |
| [IntPtr], #_In_ HANDLE hSnapshot, | |
| $THREADENTRY32.MakeByRefType() #_Inout_ LPTHREADENTRY32 lpte | |
| ) -SetLastError) | |
| (func kernel32 Thread32Next ([bool]) @( | |
| [IntPtr], #_In_ HANDLE hSnapshot, | |
| $THREADENTRY32.MakeByRefType() #_Out_ LPTHREADENTRY32 lpte | |
| ) -SetLastError), | |
| (func kernel32 VirtualQueryEx ([Int32]) @( | |
| [IntPtr], #_In_ HANDLE hProcess, | |
| [IntPtr], #_In_opt_ LPCVOID lpAddress, | |
| $MEMORYBASICINFORMATION.MakeByRefType(), #_Out_ PMEMORY_BASIC_INFORMATION lpBuffer, | |
| [UInt32] #_In_ SIZE_T dwLength | |
| ) -SetLastError) | |
| ) | |
| $Types = $FunctionDefinitions | Add-Win32Type -Module $Mod -Namespace 'Win32SysInfo' | |
| $Kernel32 = $Types['kernel32'] | |
| $Ntdll = $Types['ntdll'] | |
| $Advapi32 = $Types['advapi32'] | |
| $DELETE = 0x00010000 | |
| $READ_CONTROL = 0x00020000 | |
| $SYNCHRONIZE = 0x00100000 | |
| $WRITE_DAC = 0x00040000 | |
| $WRITE_OWNER = 0x00080000 | |
| $PROCESS_CREATE_PROCESS = 0x0080 | |
| $PROCESS_CREATE_THREAD = 0x0002 | |
| $PROCESS_DUP_HANDLE = 0x0040 | |
| $PROCESS_QUERY_INFORMATION = 0x0400 | |
| $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000 | |
| $PROCESS_SET_INFORMATION = 0x0200 | |
| $PROCESS_SET_QUOTA = 0x0100 | |
| $PROCESS_SUSPEND_RESUME = 0x0800 | |
| $PROCESS_TERMINATE = 0x0001 | |
| $PROCESS_VM_OPERATION = 0x0008 | |
| $PROCESS_VM_READ = 0x0010 | |
| $PROCESS_VM_WRITE = 0x0020 | |
| $PROCESS_ALL_ACCESS = $DELETE -bor | |
| $READ_CONTROL -bor | |
| $SYNCHRONIZE -bor | |
| $WRITE_DAC -bor | |
| $WRITE_OWNER -bor | |
| $PROCESS_CREATE_PROCESS -bor | |
| $PROCESS_CREATE_THREAD -bor | |
| $PROCESS_DUP_HANDLE -bor | |
| $PROCESS_QUERY_INFORMATION -bor | |
| $PROCESS_QUERY_LIMITED_INFORMATION -bor | |
| $PROCESS_SET_INFORMATION -bor | |
| $PROCESS_SET_QUOTA -bor | |
| $PROCESS_SUSPEND_RESUME -bor | |
| $PROCESS_TERMINATE -bor | |
| $PROCESS_VM_OPERATION -bor | |
| $PROCESS_VM_READ -bor | |
| $PROCESS_VM_WRITE | |
| $THREAD_DIRECT_IMPERSONATION = 0x0200 | |
| $THREAD_GET_CONTEXT = 0x0008 | |
| $THREAD_IMPERSONATE = 0x0100 | |
| $THREAD_QUERY_INFORMATION = 0x0040 | |
| $THREAD_QUERY_LIMITED_INFORMATION = 0x0800 | |
| $THREAD_SET_CONTEXT = 0x0010 | |
| $THREAD_SET_INFORMATION = 0x0020 | |
| $THREAD_SET_LIMITED_INFORMATION = 0x0400 | |
| $THREAD_SET_THREAD_TOKEN = 0x0080 | |
| $THREAD_SUSPEND_RESUME = 0x0002 | |
| $THREAD_TERMINATE = 0x0001 | |
| $THREAD_ALL_ACCESS = $DELETE -bor | |
| $READ_CONTROL -bor | |
| $SYNCHRONIZE -bor | |
| $WRITE_DAC -bor | |
| $WRITE_OWNER -bor | |
| $THREAD_DIRECT_IMPERSONATION -bor | |
| $THREAD_GET_CONTEXT -bor | |
| $THREAD_IMPERSONATE -bor | |
| $THREAD_QUERY_INFORMATION -bor | |
| $THREAD_QUERY_LIMITED_INFORMATION -bor | |
| $THREAD_SET_CONTEXT -bor | |
| $THREAD_SET_LIMITED_INFORMATION -bor | |
| $THREAD_SET_THREAD_TOKEN -bor | |
| $THREAD_SUSPEND_RESUME -bor | |
| $THREAD_TERMINATE | |
| $STANDARD_RIGHTS_REQUIRED = 0x000F0000 | |
| $TOKEN_ASSIGN_PRIMARY = 0x0001 | |
| $TOKEN_DUPLICATE = 0x0002 | |
| $TOKEN_IMPERSONATE = 0x0004 | |
| $TOKEN_QUERY = 0x0008 | |
| $TOKEN_QUERY_SOURCE = 0x0010 | |
| $TOKEN_ADJUST_PRIVILEGES = 0x0020 | |
| $TOKEN_ADJUST_GROUPS = 0x0040 | |
| $TOKEN_ADJUST_DEFAULT = 0x0080 | |
| $TOKEN_ADJUST_SESSIONID = 0x0100 | |
| $TOKEN_ALL_ACCESS = $STANDARD_RIGHTS_REQUIRED -bor | |
| $TOKEN_ASSIGN_PRIMARY -bor | |
| $TOKEN_DUPLICATE -bor | |
| $TOKEN_IMPERSONATE -bor | |
| $TOKEN_QUERY -bor | |
| $TOKEN_QUERY_SOURCE -bor | |
| $TOKEN_ADJUST_PRIVILEGES -bor | |
| $TOKEN_ADJUST_GROUPS -bor | |
| $TOKEN_ADJUST_DEFAULT | |
| $UNTRUSTED_MANDATORY_LEVEL = "S-1-16-0" | |
| $LOW_MANDATORY_LEVEL = "S-1-16-4096" | |
| $MEDIUM_MANDATORY_LEVEL = "S-1-16-8192" | |
| $MEDIUM_PLUS_MANDATORY_LEVEL = "S-1-16-8448" | |
| $HIGH_MANDATORY_LEVEL = "S-1-16-12288" | |
| $SYSTEM_MANDATORY_LEVEL = "S-1-16-16384" | |
| $PROTECTED_PROCESS_MANDATORY_LEVEL = "S-1-16-20480" | |
| $SECURE_PROCESS_MANDATORY_LEVEL = "S-1-16-28672" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment