Styris
/
trusted-uninstaller-cli
1
0
Fork 0
Code Issues 1 Pull Requests 0 Projects 1 Releases 10 Wiki Activity
CLI tool for running Playbooks
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
17 Commits
1 Branch
55 MiB
 
Tree: 63739db83a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '63739db83a'
${ noResults }
trusted-uninstaller-cli/TrustedUninstaller.Shared/Defender.cs

1638 lines
74 KiB
Raw Blame History

using System.IO;
using System.Windows;
using TrustedUninstaller.Shared.Actions;
using TrustedUninstaller.Shared.Tasks;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.ServiceProcess;
using System.Text;
using System.Threading;
using Microsoft.Win32;
namespace TrustedUninstaller.Shared
{
public static class Defender
{
private static KeyValuePair<string, ProcessType>[] DefenderItems =
{
new KeyValuePair<string, ProcessType>("CompatTelRunner", ProcessType.Exe),
new KeyValuePair<string, ProcessType>("DWWIN", ProcessType.Exe),
new KeyValuePair<string, ProcessType>("DeviceCensus", ProcessType.Exe),
new KeyValuePair<string, ProcessType>("GameBarPresenceWriter", ProcessType.Exe),
new KeyValuePair<string, ProcessType>("SecurityHealthHost", ProcessType.Exe),
new KeyValuePair<string, ProcessType>("SecurityHealthService", ProcessType.Exe), // SecurityHealthService
new KeyValuePair<string, ProcessType>("SecurityHealthSystray", ProcessType.Exe),
new KeyValuePair<string, ProcessType>("smartscreen", ProcessType.Exe),
//new KeyValuePair<string, ProcessType>("MpCmdRun", ProcessType.Exe),
new KeyValuePair<string, ProcessType>("NisSrv", ProcessType.Exe),
new KeyValuePair<string, ProcessType>("wscsvc", ProcessType.Service), // Windows Security Center
new KeyValuePair<string, ProcessType>("WinDefend", ProcessType.Service), // Microsoft Defender Antivirus Service
new KeyValuePair<string, ProcessType>("Sense", ProcessType.Service), // Windows Defender Advanced Threat Protection Service
new KeyValuePair<string, ProcessType>("WdNisSvc", ProcessType.Service), // Microsoft Defender Antivirus Network Inspection Service
new KeyValuePair<string, ProcessType>("WdNisDrv", ProcessType.Device), // Microsoft Defender Antivirus Network Inspection Driver
//new KeyValuePair<string, ProcessType>("WdFilter", ProcessType.Device), // Windows Defender Disk inspection Minifilter,
};
//[DllImport("Unlocker.dll", CallingConvention = CallingConvention.Cdecl, CharSet = CharSet.Unicode)]
//private static extern bool EzUnlockFileW(string path);
private static readonly string[] defenderDirs =
{
Environment.ExpandEnvironmentVariables(@"%ProgramData%\Microsoft\Windows Defender"),
Environment.ExpandEnvironmentVariables(@"%ProgramFiles%\Windows Defender"),
Environment.ExpandEnvironmentVariables(@"%ProgramFiles%\Windows Defender Advanced Threat Protection")
};
private static void RenameAllChildFiles(string dir, bool reset)
{
foreach (var subDir in Directory.GetDirectories(dir))
{
try
{
RenameAllChildFiles(subDir, reset);
}
catch (Exception e)
{
}
}
foreach (var file in Directory.GetFiles(dir, reset ? "*.oldx" : "*", SearchOption.TopDirectoryOnly))
{
try
{
File.Move(file, reset ? file.Substring(0, file.Length - 4) : file + ".oldx");
}
catch (Exception e)
{
}
}
}
public static void Cripple()
{
foreach (var defenderDir in defenderDirs)
{
try
{
RenameAllChildFiles(defenderDir, false);
}
catch (Exception e)
{
ErrorLogger.WriteToErrorLog("Error renaming files: " + e.GetType() + " " + e.Message, null, "Defender cripple warning", defenderDir);
}
}
}
public static void DeCripple()
{
foreach (var defenderDir in defenderDirs)
{
try
{
RenameAllChildFiles(defenderDir, true);
}
catch (Exception e)
{
}
}
}
public static bool Disable()
{
bool restartRequired = true;
foreach (var service in DefenderItems.Where(x => x.Value == ProcessType.Service || x.Value == ProcessType.Device).Select(x => x.Key))
{
AmeliorationUtil.SafeRunAction(new RegistryValueAction()
{ KeyName = @"HKLM\SYSTEM\CurrentControlSet\Services\" + service, Value = "Start", Data = 4, Type = RegistryValueType.REG_DWORD, Operation = RegistryValueOperation.Set }).Wait();
}
AmeliorationUtil.SafeRunAction(new RegistryValueAction()
{ KeyName = @"HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService", Value = "Start", Data = 4, Type = RegistryValueType.REG_DWORD }).Wait();
AmeliorationUtil.SafeRunAction(new RegistryValueAction()
{ KeyName = @"HKLM\SOFTWARE\Policies\Microsoft\Windows\System", Value = "EnableSmartScreen", Data = 0, Type = RegistryValueType.REG_DWORD }).Wait();
try
{
new RegistryValueAction() { KeyName = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender", Value = "ProductAppDataPath", Operation = RegistryValueOperation.Delete }.RunTask().Wait();
new RegistryValueAction() { KeyName = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender", Value = "InstallLocation", Operation = RegistryValueOperation.Delete }.RunTask().Wait();
}
catch (Exception e)
{
ErrorLogger.WriteToErrorLog("Error removing Defender install values: " + e.GetType() + " " + e.Message, null, "Defender disable warning");
new RunAction()
{
RawPath = Directory.GetCurrentDirectory(),
Exe = $"NSudoLC.exe",
Arguments = "-U:T -P:E -M:S -ShowWindowMode:Hide -Priority:RealTime -Wait cmd /c \"reg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\" /v \"ProductAppDataPath\" /f &" +
" reg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\" /v \"InstallLocation\" /f\"",
CreateWindow = false
}.RunTaskOnMainThread();
if (new RegistryValueAction() { KeyName = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender", Value = "InstallLocation", Operation = RegistryValueOperation.Delete }.GetStatus() !=
UninstallTaskStatus.Completed)
throw new Exception("Could not remove defender install values.");
}
try
{
new RegistryKeyAction() { KeyName = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDefend" }.RunTask().Wait();
if (new RegistryKeyAction() { KeyName = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDefend" }.GetStatus() !=
UninstallTaskStatus.Completed)
throw new Exception("Unknown reason");
}
catch (Exception e)
{
ErrorLogger.WriteToErrorLog("First WinDefend service removal failed: " + e.GetType() + " " + e.Message, null, "Defender disable warning");
new RunAction()
{
RawPath = Directory.GetCurrentDirectory(),
Exe = $"NSudoLC.exe",
Arguments = "-U:T -P:E -M:S -ShowWindowMode:Hide -Priority:RealTime -Wait reg delete \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDefend\" /f",
CreateWindow = false
}.RunTaskOnMainThread();
if (new RegistryKeyAction() { KeyName = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDefend" }.GetStatus() !=
UninstallTaskStatus.Completed)
{
ErrorLogger.WriteToErrorLog("WinDefend service removal failed." + e.GetType(), null, "Defender disable warning");
try
{
new RegistryValueAction()
{ KeyName = @"HKLM\SYSTEM\CurrentControlSet\Services\WinDefend", Value = "Start", Data = 4, Type = RegistryValueType.REG_DWORD }.RunTask().Wait();
if (new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Services\WinDefend", Value = "Start", Data = 4, Type = RegistryValueType.REG_DWORD }.GetStatus() !=
UninstallTaskStatus.Completed)
throw new Exception("Unknown reason");
}
catch (Exception ex)
{
ErrorLogger.WriteToErrorLog("First WinDefend disable failed: " + e.GetType() + " " + e.Message, null, "Defender disable warning");
new RunAction()
{
RawPath = Directory.GetCurrentDirectory(),
Exe = $"NSudoLC.exe",
Arguments = "-U:T -P:E -M:S -ShowWindowMode:Hide -Priority:RealTime -Wait reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDefend\" /v \"Start\" /t REG_DWORD /d 4 /f",
CreateWindow = false
}.RunTaskOnMainThread();
if (new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Services\WinDefend", Value = "Start", Data = 4, Type = RegistryValueType.REG_DWORD }.GetStatus() !=
UninstallTaskStatus.Completed)
throw new Exception("Could not disable WinDefend service.");
}
}
}
try
{
// MpOAV.dll is normally in use by a lot of processes. This prevents that.
new RegistryKeyAction() { KeyName = @"HKCR\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32" }.RunTask().Wait();
if (new RegistryKeyAction() { KeyName = @"HKCR\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32" }.GetStatus() !=
UninstallTaskStatus.Completed)
throw new Exception("Unknown reason");
}
catch (Exception e)
{
ErrorLogger.WriteToErrorLog("First MpOAV mapping removal failed: " + e.GetType() + " " + e.Message, null, "Defender disable warning");
new RunAction()
{
RawPath = Directory.GetCurrentDirectory(),
Exe = $"NSudoLC.exe",
Arguments = @"-U:T -P:E -M:S -Priority:RealTime -ShowWindowMode:Hide -Wait reg delete ""HKCR\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32"" /f",
CreateWindow = false
}.RunTaskOnMainThread();
if (new RegistryKeyAction() { KeyName = @"HKCR\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32" }.GetStatus() !=
UninstallTaskStatus.Completed)
ErrorLogger.WriteToErrorLog("Could not remove MpOAV mapping.", null, "Defender disable warning");
}
try
{
// smartscreenps.dll is sometimes in use by a lot of processes. This prevents that.
new RegistryKeyAction() { KeyName = @"HKCR\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\InprocServer32" }.RunTask().Wait();
// This may not be important.
new RegistryKeyAction() { KeyName = @"HKCR\WOW6432Node\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\InprocServer32" }.RunTask().Wait();
new RegistryKeyAction() { KeyName = @"HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.Security.SmartScreen.AppReputationService" }.RunTask().Wait();
new RegistryKeyAction() { KeyName = @"HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.Security.SmartScreen.EventLogger" }.RunTask().Wait();
new RegistryKeyAction() { KeyName = @"HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.Security.SmartScreen.UriReputationService" }.RunTask().Wait();
if (new RegistryKeyAction() { KeyName = @"HKCR\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\InprocServer32" }.GetStatus() !=
UninstallTaskStatus.Completed)
throw new Exception("Unknown reason");
}
catch (Exception e)
{
ErrorLogger.WriteToErrorLog("First smartscreenps mapping removal failed: " + e.GetType() + " " + e.Message, null, "Defender disable warning");
new RunAction()
{
RawPath = Directory.GetCurrentDirectory(),
Exe = $"NSudoLC.exe",
Arguments = "-U:T -P:E -M:S -ShowWindowMode:Hide -Priority:RealTime -Wait cmd /c \"reg delete \"HKCR\\CLSID\\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\\InprocServer32\" /f &" +
"reg delete \"HKCR\\WOW6432Node\\CLSID\\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\\InprocServer32\" /f &" +
"reg delete \"HKLM\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Security.SmartScreen.AppReputationService\" /f &" +
"reg delete \"HKLM\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Security.SmartScreen.EventLogger\" /f &" +
"reg delete \"HKLM\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Security.SmartScreen.UriReputationService\" /f\"",
CreateWindow = false
}.RunTaskOnMainThread();
if (new RegistryKeyAction() { KeyName = @"HKCR\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\InprocServer32" }.GetStatus() !=
UninstallTaskStatus.Completed)
ErrorLogger.WriteToErrorLog("Could not remove smartscreenps mapping.", null, "Defender disable warning");
}
try
{
// Can cause ProcessHacker driver warnings without this
new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity", Value = "Enabled", Data = 0, }.RunTask().Wait();
if (new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity", Value = "Enabled", Data = 0, }.GetStatus()
!= UninstallTaskStatus.Completed)
throw new Exception("Unknown error");
}
catch (Exception e)
{
ErrorLogger.WriteToErrorLog("First memory integrity disable failed: " + e.GetType() + " " + e.Message, null, "Defender disable warning");
new RunAction()
{
RawPath = Directory.GetCurrentDirectory(),
Exe = $"NSudoLC.exe",
Arguments =
@"-U:T -P:E -M:S -ShowWindowMode:Hide -Priority:RealTime -Wait reg add ""HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"" /v Enabled /d 0 /f",
CreateWindow = false
}.RunTaskOnMainThread();
if (new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity", Value = "Enabled", Data = 0, }.GetStatus()
!= UninstallTaskStatus.Completed)
ErrorLogger.WriteToErrorLog("Could not disable memory integrity.", null, "Defender disable warning");
}
try
{
// Can cause ProcessHacker driver warnings without this
new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity", Value = "Enabled", Data = 0, }.RunTask().Wait();
if (new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity", Value = "Enabled", Data = 0, }.GetStatus()
!= UninstallTaskStatus.Completed)
throw new Exception("Unknown error");
}
catch (Exception e)
{
ErrorLogger.WriteToErrorLog("First memory integrity disable failed: " + e.GetType() + " " + e.Message, null, "Defender disable warning");
new RunAction()
{
RawPath = Directory.GetCurrentDirectory(),
Exe = $"NSudoLC.exe",
Arguments =
@"-U:T -P:E -M:S -ShowWindowMode:Hide -Priority:RealTime -Wait reg add ""HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"" /v Enabled /d 0 /f",
CreateWindow = false
}.RunTaskOnMainThread();
if (new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity", Value = "Enabled", Data = 0, }.GetStatus()
!= UninstallTaskStatus.Completed)
ErrorLogger.WriteToErrorLog("Could not disable memory integrity.", null, "Defender disable warning");
}
try
{
// Can cause ProcessHacker driver warnings without this
new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Control\CI\Config", Value = "VulnerableDriverBlocklistEnable", Data = 0, }.RunTask().Wait();
if (new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Control\CI\Config", Value = "VulnerableDriverBlocklistEnable", Data = 0, }.GetStatus()
!= UninstallTaskStatus.Completed)
throw new Exception("Unknown error");
}
catch (Exception e)
{
ErrorLogger.WriteToErrorLog("First blocklist disable failed: " + e.GetType() + " " + e.Message, null, "Kernel driver preparation warning");
new RunAction()
{
RawPath = Directory.GetCurrentDirectory(),
Exe = $"NSudoLC.exe",
Arguments =
@"-U:T -P:E -M:S -ShowWindowMode:Hide -Priority:RealTime -Wait reg add ""HKLM\SYSTEM\CurrentControlSet\Control\CI\Config"" /v VulnerableDriverBlocklistEnable /d 0 /f",
CreateWindow = false
}.RunTaskOnMainThread();
if (new RegistryValueAction() { KeyName = @"HKLM\SYSTEM\CurrentControlSet\Control\CI\Config", Value = "VulnerableDriverBlocklistEnable", Data = 0, }.GetStatus()
!= UninstallTaskStatus.Completed)
ErrorLogger.WriteToErrorLog("Could not disable blocklist.", null, "Kernel driver preparation error");
}
return restartRequired;
}
public static void GetDefenderPrivileges()
{
IntPtr impersonatedTokenHandle = IntPtr.Zero;
ImpersonateProcessByName("winlogon", ref impersonatedTokenHandle);
ImpersonateProcessByName("lsass", ref impersonatedTokenHandle);
impersonatedTokenHandle = CreateWinDefendToken(impersonatedTokenHandle, false);
PInvoke.ImpersonateLoggedOnUser(impersonatedTokenHandle);
}
public static IntPtr StartElevatedProcess(string exe, string command)
{
IntPtr impersonatedTokenHandle = IntPtr.Zero;
ImpersonateProcessByName("winlogon", ref impersonatedTokenHandle);
ImpersonateProcessByName("lsass", ref impersonatedTokenHandle);
impersonatedTokenHandle = CreateWinDefendToken(impersonatedTokenHandle, true);
var startupInfo = new PInvoke.STARTUPINFO();
startupInfo.cb = Marshal.SizeOf(startupInfo);
startupInfo.lpDesktop = "Winsta0\\Default";
if (!String.IsNullOrEmpty(command))
command = command.Insert(0, " ");
if (!PInvoke.CreateProcessWithToken(
impersonatedTokenHandle,
PInvoke.LogonFlags.WithProfile,
null,
$@"""{exe}""{command}",
0,
IntPtr.Zero,
Environment.CurrentDirectory,
ref startupInfo,
out PInvoke.PROCESS_INFORMATION processInformation))
{
throw new Exception(Marshal.GetLastWin32Error().ToString());
}
PInvoke.CloseHandle(processInformation.hThread);
return processInformation.hProcess;
}
public static uint WaitForProcessExit(IntPtr hProcess, uint timeout = uint.MaxValue)
{
PInvoke.WaitForSingleObject(hProcess, timeout);
if (!PInvoke.GetExitCodeProcess(hProcess, out uint exitCode))
{
PInvoke.CloseHandle(hProcess);
throw new Exception("Process timeout exceeded: " + Marshal.GetLastWin32Error());
}
PInvoke.CloseHandle(hProcess);
return exitCode;
}
public
enum ProcessType
{
Service = 1,
Device = 2,
Exe = 3,
}
public static bool Kill()
{
try
{
GetDefenderPrivileges();
AmeliorationUtil.SafeRunAction(new RegistryValueAction()
{
KeyName = $"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\Notifications",
Value = "DisableNotifications",
Data = 1,
Type = RegistryValueType.REG_DWORD
}).Wait();
AmeliorationUtil.SafeRunAction(new RegistryValueAction()
{
KeyName = @"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance",
Value = "Enabled",
Data = 0,
Scope = Scope.CurrentUser,
Type = RegistryValueType.REG_DWORD
}).Wait();
var services = ServiceController.GetServices();
var devices = ServiceController.GetDevices();
var stopped = new List<ServiceController>();
var notStopped = new List<ServiceController>();
foreach (var item in DefenderItems)
{
try
{
if (item.Value == ProcessType.Exe)
{
var process = Process.GetProcessesByName(item.Key).FirstOrDefault();
if (process != null)
process.Kill();
continue;
}
var controller = item.Value == ProcessType.Service ?
services.FirstOrDefault(x => x.ServiceName == item.Key) :
devices.FirstOrDefault(x => x.ServiceName == item.Key);
if (controller == null || controller.Status == ServiceControllerStatus.Stopped)
continue;
try
{
controller.Stop();
stopped.Add(controller);
}
catch (Exception e)
{
ErrorLogger.WriteToErrorLog("Service stop error: " + e.GetType() + " " + e.Message, null, "Defender kill warning", controller.ServiceName);
notStopped.Add(controller);
}
} catch (Exception e)
{ ErrorLogger.WriteToErrorLog("Error during service kill loop: " + e.GetType() + " " + e.Message, e.StackTrace, "Defender kill warning", item.Key); }
}
foreach (var controller in stopped)
{
try
{
controller.WaitForStatus(ServiceControllerStatus.Stopped, TimeSpan.FromSeconds(5));
} catch (Exception e)
{ ErrorLogger.WriteToErrorLog("Error waiting for service: " + e.GetType() + " " + e.Message, null, "Defender kill warning", controller.ServiceName); }
}
if (notStopped.Count > 0)
{
Thread.Sleep(1000);
foreach (var controller in notStopped)
{
try
{
controller.Stop();
controller.WaitForStatus(ServiceControllerStatus.Stopped, TimeSpan.FromSeconds(7));
}
catch (Exception e)
{ ErrorLogger.WriteToErrorLog("Service stop re-try error: " + e.GetType() + " " + e.Message, null, "Defender kill warning", controller.ServiceName); }
}
}
if (Process.GetProcessesByName("MsMpEng").Any())
{
ErrorLogger.WriteToErrorLog("First Defender stop failed", null, "Defender kill warning");
new RunAction()
{
RawPath = Directory.GetCurrentDirectory(),
Exe = $"NSudoLC.exe",
Arguments = "-U:T -P:E -M:S -ShowWindowMode:Hide -Priority:RealTime -Wait cmd /c \"" +
"sc sdset \"WinDefend\" \"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)\"&" +
"sc config WinDefend start=disabled&" +
"net stop WinDefend\"",
CreateWindow = false,
Timeout = 7500,
}.RunTaskOnMainThread();
}
return !Process.GetProcessesByName("MsMpEng").Any();
}
catch (Exception e)
{
ErrorLogger.WriteToErrorLog("Unknown error: " + e.GetType() + " " + e.Message, e.StackTrace, "Defender kill error");
return false;
}
}
private static IntPtr CreateWinDefendToken(IntPtr handle, bool primary)
{
var privileges = new string[] {
PInvoke.SE_CREATE_TOKEN_NAME,
PInvoke.SE_ASSIGNPRIMARYTOKEN_NAME,
PInvoke.SE_LOCK_MEMORY_NAME,
PInvoke.SE_INCREASE_QUOTA_NAME,
PInvoke.SE_MACHINE_ACCOUNT_NAME,
PInvoke.SE_TCB_NAME,
PInvoke.SE_SECURITY_NAME,
PInvoke.SE_TAKE_OWNERSHIP_NAME,
PInvoke.SE_LOAD_DRIVER_NAME,
PInvoke.SE_SYSTEM_PROFILE_NAME,
PInvoke.SE_SYSTEMTIME_NAME,
PInvoke.SE_PROFILE_SINGLE_PROCESS_NAME,
PInvoke.SE_INCREASE_BASE_PRIORITY_NAME,
PInvoke.SE_CREATE_PAGEFILE_NAME,
PInvoke.SE_CREATE_PERMANENT_NAME,
PInvoke.SE_BACKUP_NAME,
PInvoke.SE_RESTORE_NAME,
PInvoke.SE_SHUTDOWN_NAME,
PInvoke.SE_DEBUG_NAME,
PInvoke.SE_AUDIT_NAME,
PInvoke.SE_SYSTEM_ENVIRONMENT_NAME,
PInvoke.SE_CHANGE_NOTIFY_NAME,
PInvoke.SE_REMOTE_SHUTDOWN_NAME,
PInvoke.SE_UNDOCK_NAME,
PInvoke.SE_SYNC_AGENT_NAME,
PInvoke.SE_ENABLE_DELEGATION_NAME,
PInvoke.SE_MANAGE_VOLUME_NAME,
PInvoke.SE_IMPERSONATE_NAME,
PInvoke.SE_CREATE_GLOBAL_NAME,
PInvoke.SE_TRUSTED_CREDMAN_ACCESS_NAME,
PInvoke.SE_RELABEL_NAME,
PInvoke.SE_INCREASE_WORKING_SET_NAME,
PInvoke.SE_TIME_ZONE_NAME,
PInvoke.SE_CREATE_SYMBOLIC_LINK_NAME,
PInvoke.SE_DELEGATE_SESSION_USER_IMPERSONATE_NAME
};
PInvoke.ConvertStringSidToSid("S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464", out IntPtr tiSid);
PInvoke.ConvertStringSidToSid("S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736", out IntPtr defSid);
PInvoke.SidIdentifierAuthority NtAuthority = new PInvoke.SidIdentifierAuthority();
NtAuthority.Value = new byte[] { 0, 0, 0, 0, 0, PInvoke.NtSecurityAuthority };
PInvoke.TOKEN_USER tokenUser = new PInvoke.TOKEN_USER();
PInvoke.AllocateAndInitializeSid(ref NtAuthority, 1, 18, 0, 0, 0, 0, 0, 0, 0, out IntPtr pLocalSystem);
tokenUser.User.Sid = pLocalSystem;
tokenUser.User.Attributes = 0;
tokenUser.User.Attributes = 0;
var pTokenPrivileges = GetInfoFromToken(handle, PInvoke.TOKEN_INFORMATION_CLASS.TokenPrivileges);
var pTokenGroups = GetInfoFromToken(handle, PInvoke.TOKEN_INFORMATION_CLASS.TokenGroups);
var pTokenPrimaryGroup = GetInfoFromToken(handle, PInvoke.TOKEN_INFORMATION_CLASS.TokenPrimaryGroup);
var pTokenDefaultDacl = GetInfoFromToken(handle, PInvoke.TOKEN_INFORMATION_CLASS.TokenDefaultDacl);
if (primary || !PInvoke.CreateTokenPrivileges(
privileges,
out PInvoke.TOKEN_PRIVILEGES tokenPrivileges))
{
tokenPrivileges =
(PInvoke.TOKEN_PRIVILEGES)Marshal.PtrToStructure(pTokenPrivileges, typeof(PInvoke.TOKEN_PRIVILEGES));
}
var tokenGroups = (PInvoke.TOKEN_GROUPS)Marshal.PtrToStructure(
pTokenGroups,
typeof(PInvoke.TOKEN_GROUPS));
var tokenOwner = new PInvoke.TOKEN_OWNER(pLocalSystem);
var tokenPrimaryGroup = (PInvoke.TOKEN_PRIMARY_GROUP)
Marshal.PtrToStructure(
pTokenPrimaryGroup,
typeof(PInvoke.TOKEN_PRIMARY_GROUP));
var tokenDefaultDacl = (PInvoke.TOKEN_DEFAULT_DACL)Marshal.PtrToStructure(
pTokenDefaultDacl,
typeof(PInvoke.TOKEN_DEFAULT_DACL));
Console.WriteLine(tokenGroups.GroupCount + ":" + tokenGroups.Groups.Length);
for (var idx = 0; idx < tokenGroups.GroupCount - 1; idx++)
{
PInvoke.ConvertSidToStringSid(
tokenGroups.Groups[idx].Sid,
out string strSid);
if (string.Compare(strSid, PInvoke.DOMAIN_ALIAS_RID_ADMINS, StringComparison.OrdinalIgnoreCase) == 0)
{
tokenGroups.Groups[idx].Attributes = (uint)PInvoke.SE_GROUP_ATTRIBUTES.SE_GROUP_ENABLED | (uint)PInvoke.SE_GROUP_ATTRIBUTES.SE_GROUP_ENABLED_BY_DEFAULT;
}
else
{
tokenGroups.Groups[idx].Attributes &= ~(uint)PInvoke.SE_GROUP_ATTRIBUTES.SE_GROUP_OWNER;
}
}
tokenGroups.Groups[tokenGroups.GroupCount].Sid = tiSid;
tokenGroups.Groups[tokenGroups.GroupCount].Attributes = (uint)PInvoke.SE_GROUP_ATTRIBUTES.SE_GROUP_ENABLED | (uint)PInvoke.SE_GROUP_ATTRIBUTES.SE_GROUP_ENABLED_BY_DEFAULT;
tokenGroups.GroupCount++;
tokenGroups.Groups[tokenGroups.GroupCount].Sid = defSid;
tokenGroups.Groups[tokenGroups.GroupCount].Attributes = (uint)PInvoke.SE_GROUP_ATTRIBUTES.SE_GROUP_ENABLED | (uint)PInvoke.SE_GROUP_ATTRIBUTES.SE_GROUP_ENABLED_BY_DEFAULT | (uint)PInvoke.SE_GROUP_ATTRIBUTES.SE_GROUP_OWNER;
tokenGroups.GroupCount++;
var authId = PInvoke.SYSTEM_LUID;
var tokenSource = new PInvoke.TOKEN_SOURCE("*SYSTEM*") { SourceIdentifier = { LowPart = 0, HighPart = 0 } };
var expirationTime = new PInvoke.LARGE_INTEGER(-1L);
var sqos = new PInvoke.SECURITY_QUALITY_OF_SERVICE(primary ? PInvoke.SECURITY_IMPERSONATION_LEVEL.SecurityIdentification : PInvoke.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
PInvoke.SECURITY_STATIC_TRACKING,
0);
var oa = new PInvoke.OBJECT_ATTRIBUTES(string.Empty, 0);
IntPtr pSqos = Marshal.AllocHGlobal(Marshal.SizeOf(sqos));
Marshal.StructureToPtr(sqos, pSqos, true);
oa.SecurityQualityOfService = pSqos;
var status = PInvoke.ZwCreateToken(
out IntPtr elevatedToken,
PInvoke.TokenAccessFlags.TOKEN_ALL_ACCESS,
ref oa,
primary ? PInvoke.TOKEN_TYPE.TokenPrimary : PInvoke.TOKEN_TYPE.TokenImpersonation,
ref authId,
ref expirationTime,
ref tokenUser,
ref tokenGroups,
ref tokenPrivileges,
ref tokenOwner,
ref tokenPrimaryGroup,
ref tokenDefaultDacl,
ref tokenSource
);
PInvoke.LocalFree(pTokenGroups);
PInvoke.LocalFree(pTokenDefaultDacl);
PInvoke.LocalFree(pTokenPrivileges);
PInvoke.LocalFree(pTokenPrimaryGroup);
PInvoke.FreeSid(pLocalSystem);
PInvoke.FreeSid(tiSid);
PInvoke.FreeSid(defSid);
return elevatedToken;
}
private static IntPtr GetInfoFromToken(IntPtr currentToken, PInvoke.TOKEN_INFORMATION_CLASS tic)
{
int length;
PInvoke.GetTokenInformation(currentToken, tic, IntPtr.Zero, 0, out length);
IntPtr info = Marshal.AllocHGlobal(length);
PInvoke.GetTokenInformation(currentToken, tic, info, length, out length);
return info;
}
private static void ImpersonateProcessByName(string name, ref IntPtr handle)
{
var processHandle = Process.GetProcessesByName(name).First().Handle;
PInvoke.OpenProcessToken(processHandle,
PInvoke.TokenAccessFlags.TOKEN_DUPLICATE | PInvoke.TokenAccessFlags.TOKEN_ASSIGN_PRIMARY |
PInvoke.TokenAccessFlags.TOKEN_QUERY |
PInvoke.TokenAccessFlags.TOKEN_IMPERSONATE, out IntPtr tokenHandle);
PInvoke.DuplicateTokenEx(tokenHandle, PInvoke.TokenAccessFlags.TOKEN_ALL_ACCESS,
IntPtr.Zero, PInvoke.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
PInvoke.TOKEN_TYPE.TokenImpersonation,
out handle);
PInvoke.ImpersonateLoggedOnUser(handle);
PInvoke.CloseHandle(tokenHandle);
PInvoke.CloseHandle(processHandle);
}
private static class PInvoke
{
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
internal static extern bool GetExitCodeProcess(IntPtr hProcess, out uint lpExitCode);
[StructLayout(LayoutKind.Sequential)]
internal struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public int dwProcessId;
public int dwThreadId;
}
[DllImport("kernel32.dll", SetLastError = true)]
internal static extern uint WaitForSingleObject(
IntPtr hHandle,
uint dwMilliseconds);
[DllImport("advapi32", SetLastError = true, CharSet = CharSet.Auto)]
internal static extern bool CreateProcessWithToken(
IntPtr hToken,
LogonFlags dwLogonFlags,
string lpApplicationName,
string lpCommandLine,
ProcessCreationFlags dwCreationFlags,
IntPtr lpEnvironment,
string lpCurrentDirectory,
ref STARTUPINFO lpStartupInfo,
out PROCESS_INFORMATION lpProcessInformation);
internal enum LogonFlags
{
WithProfile = 1,
NetCredentialsOnly
}
[Flags]
internal enum ProcessCreationFlags : uint
{
DEBUG_PROCESS = 0x00000001,
DEBUG_ONLY_THIS_PROCESS = 0x00000002,
CREATE_SUSPENDED = 0x00000004,
DETACHED_PROCESS = 0x00000008,
CREATE_NEW_CONSOLE = 0x00000010,
CREATE_NEW_PROCESS_GROUP = 0x00000200,
CREATE_UNICODE_ENVIRONMENT = 0x00000400,
CREATE_SEPARATE_WOW_VDM = 0x00000800,
CREATE_SHARED_WOW_VDM = 0x00001000,
INHERIT_PARENT_AFFINITY = 0x00010000,
CREATE_PROTECTED_PROCESS = 0x00040000,
EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
CREATE_DEFAULT_ERROR_MODE = 0x04000000,
CREATE_NO_WINDOW = 0x08000000,
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
internal struct STARTUPINFO
{
public int cb;
public string lpReserved;
public string lpDesktop;
public string lpTitle;
public int dwX;
public int dwY;
public int dwXSize;
public int dwYSize;
public int dwXCountChars;
public int dwYCountChars;
public int dwFillAttribute;
public int dwFlags;
public short wShowWindow;
public short cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
internal static bool CreateTokenPrivileges(
string[] privs,
out TOKEN_PRIVILEGES tokenPrivileges)
{
int error;
int sizeOfStruct = Marshal.SizeOf(typeof(TOKEN_PRIVILEGES));
IntPtr pPrivileges = Marshal.AllocHGlobal(sizeOfStruct);
tokenPrivileges = (TOKEN_PRIVILEGES)Marshal.PtrToStructure(
pPrivileges,
typeof(TOKEN_PRIVILEGES));
tokenPrivileges.PrivilegeCount = privs.Length;
for (var idx = 0; idx < tokenPrivileges.PrivilegeCount; idx++)
{
if (!LookupPrivilegeValue(
null,
privs[idx],
out LUID luid))
{
return false;
}
tokenPrivileges.Privileges[idx].Attributes = (uint)(
SE_PRIVILEGE_ATTRIBUTES.SE_PRIVILEGE_ENABLED |
SE_PRIVILEGE_ATTRIBUTES.SE_PRIVILEGE_ENABLED_BY_DEFAULT);
tokenPrivileges.Privileges[idx].Luid = luid;
}
return true;
}
[DllImport("advapi32.dll", SetLastError = true)]
static extern bool LookupPrivilegeValue(
string lpSystemName,
string lpName,
out LUID lpLuid);
[Flags]
enum SE_PRIVILEGE_ATTRIBUTES : uint
{
SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001,
SE_PRIVILEGE_ENABLED = 0x00000002,
SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000,
}
[DllImport("kernel32.dll", SetLastError = true)]
internal static extern bool CloseHandle(IntPtr hObject);
[DllImport("kernel32.dll", SetLastError = true)]
internal static extern IntPtr LocalFree(IntPtr hMem);
[Flags]
internal enum SE_GROUP_ATTRIBUTES : uint
{
SE_GROUP_MANDATORY = 0x00000001,
SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002,
SE_GROUP_ENABLED = 0x00000004,
SE_GROUP_OWNER = 0x00000008,
SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010,
SE_GROUP_INTEGRITY = 0x00000020,
SE_GROUP_INTEGRITY_ENABLED = 0x00000040,
SE_GROUP_RESOURCE = 0x20000000,
SE_GROUP_LOGON_ID = 0xC0000000
}
[DllImport("advapi32", CharSet = CharSet.Auto, SetLastError = true)]
internal static extern bool ConvertSidToStringSid(IntPtr pSid, out string strSid);
// Windows Struct
[StructLayout(LayoutKind.Explicit, Size = 8)]
internal struct LARGE_INTEGER
{
[FieldOffset(0)]
public int Low;
[FieldOffset(4)]
public int High;
[FieldOffset(0)]
public long QuadPart;
public LARGE_INTEGER(int _low, int _high)
{
QuadPart = 0L;
Low = _low;
High = _high;
}
public LARGE_INTEGER(long _quad)
{
Low = 0;
High = 0;
QuadPart = _quad;
}
public long ToInt64()
{
return ((long)this.High << 32) | (uint)this.Low;
}
public static LARGE_INTEGER FromInt64(long value)
{
return new LARGE_INTEGER
{
Low = (int)(value),
High = (int)((value >> 32))
};
}
}
[DllImport("ntdll.dll")]
internal static extern int ZwCreateToken(
out IntPtr TokenHandle,
TokenAccessFlags DesiredAccess,
ref OBJECT_ATTRIBUTES ObjectAttributes,
TOKEN_TYPE TokenType,
ref LUID AuthenticationId,
ref LARGE_INTEGER ExpirationTime,
ref TOKEN_USER TokenUser,
ref TOKEN_GROUPS TokenGroups,
ref TOKEN_PRIVILEGES TokenPrivileges,
ref TOKEN_OWNER TokenOwner,
ref TOKEN_PRIMARY_GROUP TokenPrimaryGroup,
ref TOKEN_DEFAULT_DACL TokenDefaultDacl,
ref TOKEN_SOURCE TokenSource);
[StructLayout(LayoutKind.Sequential)]
internal struct TOKEN_DEFAULT_DACL
{
internal IntPtr DefaultDacl; // PACL
}
[Flags]
internal enum TokenAccessFlags : uint
{
TOKEN_ADJUST_DEFAULT = 0x0080,
TOKEN_ADJUST_GROUPS = 0x0040,
TOKEN_ADJUST_PRIVILEGES = 0x0020,
TOKEN_ADJUST_SESSIONID = 0x0100,
TOKEN_ASSIGN_PRIMARY = 0x0001,
TOKEN_DUPLICATE = 0x0002,
TOKEN_EXECUTE = 0x00020000,
TOKEN_IMPERSONATE = 0x0004,
TOKEN_QUERY = 0x0008,
TOKEN_QUERY_SOURCE = 0x0010,
TOKEN_READ = 0x00020008,
TOKEN_WRITE = 0x000200E0,
TOKEN_ALL_ACCESS = 0x000F01FF,
MAXIMUM_ALLOWED = 0x02000000
}
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool ConvertStringSidToSid(
string StringSid,
out IntPtr ptrSid
);
[StructLayout(LayoutKind.Sequential, Pack = 4)]
internal struct LUID_AND_ATTRIBUTES
{
internal LUID Luid;
internal UInt32 Attributes;
}
[StructLayout(LayoutKind.Sequential)]
internal struct TOKEN_PRIVILEGES
{
public int PrivilegeCount;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 36)]
public LUID_AND_ATTRIBUTES[] Privileges;
public TOKEN_PRIVILEGES(int privilegeCount)
{
PrivilegeCount = privilegeCount;
Privileges = new LUID_AND_ATTRIBUTES[36];
}
}
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool OpenProcessToken(
IntPtr hProcess,
TokenAccessFlags DesiredAccess,
out IntPtr hToken);
internal enum SECURITY_IMPERSONATION_LEVEL
{
SecurityAnonymous,
SecurityIdentification,
SecurityImpersonation,
SecurityDelegation
}
internal enum TOKEN_TYPE
{
TokenPrimary = 1,
TokenImpersonation
}
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
internal static extern bool DuplicateTokenEx(
IntPtr hExistingToken,
TokenAccessFlags dwDesiredAccess,
IntPtr lpTokenAttributes,
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
TOKEN_TYPE TokenType,
out IntPtr phNewToken);
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool ImpersonateLoggedOnUser(IntPtr hToken);
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool GetTokenInformation(
IntPtr TokenHandle,
TOKEN_INFORMATION_CLASS TokenInformationClass,
IntPtr TokenInformation,
int TokenInformationLength,
out int ReturnLength);
internal enum TOKEN_INFORMATION_CLASS
{
TokenUser = 1,
TokenGroups,
TokenPrivileges,
TokenOwner,
TokenPrimaryGroup,
TokenDefaultDacl,
TokenSource,
TokenType,
TokenImpersonationLevel,
TokenStatistics,
TokenRestrictedSids,
TokenSessionId,
TokenGroupsAndPrivileges,
TokenSessionReference,
TokenSandBoxInert,
TokenAuditPolicy,
TokenOrigin
}
[StructLayout(LayoutKind.Sequential)]
internal struct UNICODE_STRING : IDisposable
{
internal ushort Length;
internal ushort MaximumLength;
private IntPtr buffer;
internal UNICODE_STRING(string s)
{
Length = (ushort)(s.Length * 2);
MaximumLength = (ushort)(Length + 2);
buffer = Marshal.StringToHGlobalUni(s);
}
public void Dispose()
{
Marshal.FreeHGlobal(buffer);
buffer = IntPtr.Zero;
}
public override string ToString()
{
return Marshal.PtrToStringUni(buffer);
}
}
[StructLayout(LayoutKind.Sequential)]
internal struct SECURITY_QUALITY_OF_SERVICE
{
public int Length;
public SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
public byte ContextTrackingMode;
public byte EffectiveOnly;
public SECURITY_QUALITY_OF_SERVICE(
SECURITY_IMPERSONATION_LEVEL _impersonationLevel,
byte _contextTrackingMode,
byte _effectiveOnly)
{
Length = 0;
ImpersonationLevel = _impersonationLevel;
ContextTrackingMode = _contextTrackingMode;
EffectiveOnly = _effectiveOnly;
Length = Marshal.SizeOf(this);
}
}
// Windows Consts
internal const int STATUS_SUCCESS = 0;
internal static readonly int STATUS_INFO_LENGTH_MISMATCH = Convert.ToInt32("0xC0000004", 16);
internal const int ERROR_BAD_LENGTH = 0x00000018;
internal const int ERROR_INSUFFICIENT_BUFFER = 0x0000007A;
internal static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);
internal const string DOMAIN_ALIAS_RID_ADMINS = "S-1-5-32-544";
internal const string TRUSTED_INSTALLER_RID =
"S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";
internal const string UNTRUSTED_MANDATORY_LEVEL = "S-1-16-0";
internal const string LOW_MANDATORY_LEVEL = "S-1-16-4096";
internal const string MEDIUM_MANDATORY_LEVEL = "S-1-16-8192";
internal const string MEDIUM_PLUS_MANDATORY_LEVEL = "S-1-16-8448";
internal const string HIGH_MANDATORY_LEVEL = "S-1-16-12288";
internal const string SYSTEM_MANDATORY_LEVEL = "S-1-16-16384";
internal const string LOCAL_SYSTEM_RID = "S-1-5-18";
internal const string SE_CREATE_TOKEN_NAME = "SeCreateTokenPrivilege";
internal const string SE_ASSIGNPRIMARYTOKEN_NAME = "SeAssignPrimaryTokenPrivilege";
internal const string SE_LOCK_MEMORY_NAME = "SeLockMemoryPrivilege";
internal const string SE_INCREASE_QUOTA_NAME = "SeIncreaseQuotaPrivilege";
internal const string SE_MACHINE_ACCOUNT_NAME = "SeMachineAccountPrivilege";
internal const string SE_TCB_NAME = "SeTcbPrivilege";
internal const string SE_SECURITY_NAME = "SeSecurityPrivilege";
internal const string SE_TAKE_OWNERSHIP_NAME = "SeTakeOwnershipPrivilege";
internal const string SE_LOAD_DRIVER_NAME = "SeLoadDriverPrivilege";
internal const string SE_SYSTEM_PROFILE_NAME = "SeSystemProfilePrivilege";
internal const string SE_SYSTEMTIME_NAME = "SeSystemtimePrivilege";
internal const string SE_PROFILE_SINGLE_PROCESS_NAME = "SeProfileSingleProcessPrivilege";
internal const string SE_INCREASE_BASE_PRIORITY_NAME = "SeIncreaseBasePriorityPrivilege";
internal const string SE_CREATE_PAGEFILE_NAME = "SeCreatePagefilePrivilege";
internal const string SE_CREATE_PERMANENT_NAME = "SeCreatePermanentPrivilege";
internal const string SE_BACKUP_NAME = "SeBackupPrivilege";
internal const string SE_RESTORE_NAME = "SeRestorePrivilege";
internal const string SE_SHUTDOWN_NAME = "SeShutdownPrivilege";
internal const string SE_DEBUG_NAME = "SeDebugPrivilege";
internal const string SE_AUDIT_NAME = "SeAuditPrivilege";
internal const string SE_SYSTEM_ENVIRONMENT_NAME = "SeSystemEnvironmentPrivilege";
internal const string SE_CHANGE_NOTIFY_NAME = "SeChangeNotifyPrivilege";
internal const string SE_REMOTE_SHUTDOWN_NAME = "SeRemoteShutdownPrivilege";
internal const string SE_UNDOCK_NAME = "SeUndockPrivilege";
internal const string SE_SYNC_AGENT_NAME = "SeSyncAgentPrivilege";
internal const string SE_ENABLE_DELEGATION_NAME = "SeEnableDelegationPrivilege";
internal const string SE_MANAGE_VOLUME_NAME = "SeManageVolumePrivilege";
internal const string SE_IMPERSONATE_NAME = "SeImpersonatePrivilege";
internal const string SE_CREATE_GLOBAL_NAME = "SeCreateGlobalPrivilege";
internal const string SE_TRUSTED_CREDMAN_ACCESS_NAME = "SeTrustedCredManAccessPrivilege";
internal const string SE_RELABEL_NAME = "SeRelabelPrivilege";
internal const string SE_INCREASE_WORKING_SET_NAME = "SeIncreaseWorkingSetPrivilege";
internal const string SE_TIME_ZONE_NAME = "SeTimeZonePrivilege";
internal const string SE_CREATE_SYMBOLIC_LINK_NAME = "SeCreateSymbolicLinkPrivilege";
internal const string SE_DELEGATE_SESSION_USER_IMPERSONATE_NAME =
"SeDelegateSessionUserImpersonatePrivilege";
internal const byte SECURITY_STATIC_TRACKING = 0;
internal static readonly LUID ANONYMOUS_LOGON_LUID = new LUID(0x3e6, 0);
internal static readonly LUID SYSTEM_LUID = new LUID(0x3e7, 0);
[StructLayout(LayoutKind.Sequential)]
internal struct LUID
{
public uint LowPart;
public uint HighPart;
public LUID(uint _lowPart, uint _highPart)
{
LowPart = _lowPart;
HighPart = _highPart;
}
}
[StructLayout(LayoutKind.Sequential)]
internal struct OBJECT_ATTRIBUTES : IDisposable
{
internal int Length;
internal IntPtr RootDirectory;
private IntPtr objectName;
internal uint Attributes;
internal IntPtr SecurityDescriptor;
internal IntPtr SecurityQualityOfService;
internal OBJECT_ATTRIBUTES(string name, uint attrs)
{
Length = 0;
RootDirectory = IntPtr.Zero;
objectName = IntPtr.Zero;
Attributes = attrs;
SecurityDescriptor = IntPtr.Zero;
SecurityQualityOfService = IntPtr.Zero;
Length = Marshal.SizeOf(this);
ObjectName = new UNICODE_STRING(name);
}
internal UNICODE_STRING ObjectName
{
get
{
return (UNICODE_STRING)Marshal.PtrToStructure(
objectName, typeof(UNICODE_STRING));
}
set
{
bool fDeleteOld = objectName != IntPtr.Zero;
if (!fDeleteOld)
objectName = Marshal.AllocHGlobal(Marshal.SizeOf(value));
Marshal.StructureToPtr(value, objectName, fDeleteOld);
}
}
public void Dispose()
{
if (objectName != IntPtr.Zero)
{
Marshal.DestroyStructure(objectName, typeof(UNICODE_STRING));
Marshal.FreeHGlobal(objectName);
objectName = IntPtr.Zero;
}
}
}
[StructLayout(LayoutKind.Sequential)]
internal struct TOKEN_GROUPS
{
public int GroupCount;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 32)]
public SID_AND_ATTRIBUTES[] Groups;
public TOKEN_GROUPS(int privilegeCount)
{
GroupCount = privilegeCount;
Groups = new SID_AND_ATTRIBUTES[32];
}
};
[StructLayout(LayoutKind.Sequential)]
internal struct SID_AND_ATTRIBUTES
{
internal IntPtr Sid;
internal uint Attributes;
}
internal struct TOKEN_PRIMARY_GROUP
{
public IntPtr PrimaryGroup; // PSID
public TOKEN_PRIMARY_GROUP(IntPtr _sid)
{
PrimaryGroup = _sid;
}
}
[StructLayout(LayoutKind.Sequential)]
internal struct TOKEN_SOURCE
{
public TOKEN_SOURCE(string name)
{
SourceName = new byte[8];
Encoding.GetEncoding(1252).GetBytes(name, 0, name.Length, SourceName, 0);
if (!AllocateLocallyUniqueId(out SourceIdentifier))
throw new System.ComponentModel.Win32Exception();
}
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
public byte[] SourceName;
public LUID SourceIdentifier;
}
[StructLayout(LayoutKind.Sequential)]
internal struct TOKEN_USER
{
public SID_AND_ATTRIBUTES User;
public TOKEN_USER(IntPtr _sid)
{
User = new SID_AND_ATTRIBUTES
{
Sid = _sid,
Attributes = 0
};
}
}
[StructLayout(LayoutKind.Sequential)]
internal struct TOKEN_OWNER
{
public IntPtr Owner; // PSID
public TOKEN_OWNER(IntPtr _owner)
{
Owner = _owner;
}
}
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool AllocateAndInitializeSid(
ref SidIdentifierAuthority pIdentifierAuthority,
byte nSubAuthorityCount,
int dwSubAuthority0, int dwSubAuthority1,
int dwSubAuthority2, int dwSubAuthority3,
int dwSubAuthority4, int dwSubAuthority5,
int dwSubAuthority6, int dwSubAuthority7,
out IntPtr pSid);
[StructLayout(LayoutKind.Sequential)]
internal struct SidIdentifierAuthority
{
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 6, ArraySubType = UnmanagedType.I1)]
internal byte[] Value;
}
internal const int NtSecurityAuthority = 5;
internal const int AuthenticatedUser = 11;
[DllImport("advapi32.dll")]
internal static extern bool AllocateLocallyUniqueId(out LUID allocated);
[DllImport("advapi32.dll")]
internal static extern IntPtr FreeSid(IntPtr pSid);
internal enum NtStatus : uint
{
// Success
Success = 0x00000000,
Wait0 = 0x00000000,
Wait1 = 0x00000001,
Wait2 = 0x00000002,
Wait3 = 0x00000003,
Wait63 = 0x0000003f,
Abandoned = 0x00000080,
AbandonedWait0 = 0x00000080,
AbandonedWait1 = 0x00000081,
AbandonedWait2 = 0x00000082,
AbandonedWait3 = 0x00000083,
AbandonedWait63 = 0x000000bf,
UserApc = 0x000000c0,
KernelApc = 0x00000100,
Alerted = 0x00000101,
Timeout = 0x00000102,
Pending = 0x00000103,
Reparse = 0x00000104,
MoreEntries = 0x00000105,
NotAllAssigned = 0x00000106,
SomeNotMapped = 0x00000107,
OpLockBreakInProgress = 0x00000108,
VolumeMounted = 0x00000109,
RxActCommitted = 0x0000010a,
NotifyCleanup = 0x0000010b,
NotifyEnumDir = 0x0000010c,
NoQuotasForAccount = 0x0000010d,
PrimaryTransportConnectFailed = 0x0000010e,
PageFaultTransition = 0x00000110,
PageFaultDemandZero = 0x00000111,
PageFaultCopyOnWrite = 0x00000112,
PageFaultGuardPage = 0x00000113,
PageFaultPagingFile = 0x00000114,
CrashDump = 0x00000116,
ReparseObject = 0x00000118,
NothingToTerminate = 0x00000122,
ProcessNotInJob = 0x00000123,
ProcessInJob = 0x00000124,
ProcessCloned = 0x00000129,
FileLockedWithOnlyReaders = 0x0000012a,
FileLockedWithWriters = 0x0000012b,
// Informational
Informational = 0x40000000,
ObjectNameExists = 0x40000000,
ThreadWasSuspended = 0x40000001,
WorkingSetLimitRange = 0x40000002,
ImageNotAtBase = 0x40000003,
RegistryRecovered = 0x40000009,
// Warning
Warning = 0x80000000,
GuardPageViolation = 0x80000001,
DatatypeMisalignment = 0x80000002,
Breakpoint = 0x80000003,
SingleStep = 0x80000004,
BufferOverflow = 0x80000005,
NoMoreFiles = 0x80000006,
HandlesClosed = 0x8000000a,
PartialCopy = 0x8000000d,
DeviceBusy = 0x80000011,
InvalidEaName = 0x80000013,
EaListInconsistent = 0x80000014,
NoMoreEntries = 0x8000001a,
LongJump = 0x80000026,
DllMightBeInsecure = 0x8000002b,
// Error
Error = 0xc0000000,
Unsuccessful = 0xc0000001,
NotImplemented = 0xc0000002,
InvalidInfoClass = 0xc0000003,
InfoLengthMismatch = 0xc0000004,
AccessViolation = 0xc0000005,
InPageError = 0xc0000006,
PagefileQuota = 0xc0000007,
InvalidHandle = 0xc0000008,
BadInitialStack = 0xc0000009,
BadInitialPc = 0xc000000a,
InvalidCid = 0xc000000b,
TimerNotCanceled = 0xc000000c,
InvalidParameter = 0xc000000d,
NoSuchDevice = 0xc000000e,
NoSuchFile = 0xc000000f,
InvalidDeviceRequest = 0xc0000010,
EndOfFile = 0xc0000011,
WrongVolume = 0xc0000012,
NoMediaInDevice = 0xc0000013,
NoMemory = 0xc0000017,
NotMappedView = 0xc0000019,
UnableToFreeVm = 0xc000001a,
UnableToDeleteSection = 0xc000001b,
IllegalInstruction = 0xc000001d,
AlreadyCommitted = 0xc0000021,
AccessDenied = 0xc0000022,
BufferTooSmall = 0xc0000023,
ObjectTypeMismatch = 0xc0000024,
NonContinuableException = 0xc0000025,
BadStack = 0xc0000028,
NotLocked = 0xc000002a,
NotCommitted = 0xc000002d,
InvalidParameterMix = 0xc0000030,
ObjectNameInvalid = 0xc0000033,
ObjectNameNotFound = 0xc0000034,
ObjectNameCollision = 0xc0000035,
ObjectPathInvalid = 0xc0000039,
ObjectPathNotFound = 0xc000003a,
ObjectPathSyntaxBad = 0xc000003b,
DataOverrun = 0xc000003c,
DataLate = 0xc000003d,
DataError = 0xc000003e,
CrcError = 0xc000003f,
SectionTooBig = 0xc0000040,
PortConnectionRefused = 0xc0000041,
InvalidPortHandle = 0xc0000042,
SharingViolation = 0xc0000043,
QuotaExceeded = 0xc0000044,
InvalidPageProtection = 0xc0000045,
MutantNotOwned = 0xc0000046,
SemaphoreLimitExceeded = 0xc0000047,
PortAlreadySet = 0xc0000048,
SectionNotImage = 0xc0000049,
SuspendCountExceeded = 0xc000004a,
ThreadIsTerminating = 0xc000004b,
BadWorkingSetLimit = 0xc000004c,
IncompatibleFileMap = 0xc000004d,
SectionProtection = 0xc000004e,
EasNotSupported = 0xc000004f,
EaTooLarge = 0xc0000050,
NonExistentEaEntry = 0xc0000051,
NoEasOnFile = 0xc0000052,
EaCorruptError = 0xc0000053,
FileLockConflict = 0xc0000054,
LockNotGranted = 0xc0000055,
DeletePending = 0xc0000056,
CtlFileNotSupported = 0xc0000057,
UnknownRevision = 0xc0000058,
RevisionMismatch = 0xc0000059,
InvalidOwner = 0xc000005a,
InvalidPrimaryGroup = 0xc000005b,
NoImpersonationToken = 0xc000005c,
CantDisableMandatory = 0xc000005d,
NoLogonServers = 0xc000005e,
NoSuchLogonSession = 0xc000005f,
NoSuchPrivilege = 0xc0000060,
PrivilegeNotHeld = 0xc0000061,
InvalidAccountName = 0xc0000062,
UserExists = 0xc0000063,
NoSuchUser = 0xc0000064,
GroupExists = 0xc0000065,
NoSuchGroup = 0xc0000066,
MemberInGroup = 0xc0000067,
MemberNotInGroup = 0xc0000068,
LastAdmin = 0xc0000069,
WrongPassword = 0xc000006a,
IllFormedPassword = 0xc000006b,
PasswordRestriction = 0xc000006c,
LogonFailure = 0xc000006d,
AccountRestriction = 0xc000006e,
InvalidLogonHours = 0xc000006f,
InvalidWorkstation = 0xc0000070,
PasswordExpired = 0xc0000071,
AccountDisabled = 0xc0000072,
NoneMapped = 0xc0000073,
TooManyLuidsRequested = 0xc0000074,
LuidsExhausted = 0xc0000075,
InvalidSubAuthority = 0xc0000076,
InvalidAcl = 0xc0000077,
InvalidSid = 0xc0000078,
InvalidSecurityDescr = 0xc0000079,
ProcedureNotFound = 0xc000007a,
InvalidImageFormat = 0xc000007b,
NoToken = 0xc000007c,
BadInheritanceAcl = 0xc000007d,
RangeNotLocked = 0xc000007e,
DiskFull = 0xc000007f,
ServerDisabled = 0xc0000080,
ServerNotDisabled = 0xc0000081,
TooManyGuidsRequested = 0xc0000082,
GuidsExhausted = 0xc0000083,
InvalidIdAuthority = 0xc0000084,
AgentsExhausted = 0xc0000085,
InvalidVolumeLabel = 0xc0000086,
SectionNotExtended = 0xc0000087,
NotMappedData = 0xc0000088,
ResourceDataNotFound = 0xc0000089,
ResourceTypeNotFound = 0xc000008a,
ResourceNameNotFound = 0xc000008b,
ArrayBoundsExceeded = 0xc000008c,
FloatDenormalOperand = 0xc000008d,
FloatDivideByZero = 0xc000008e,
FloatInexactResult = 0xc000008f,
FloatInvalidOperation = 0xc0000090,
FloatOverflow = 0xc0000091,
FloatStackCheck = 0xc0000092,
FloatUnderflow = 0xc0000093,
IntegerDivideByZero = 0xc0000094,
IntegerOverflow = 0xc0000095,
PrivilegedInstruction = 0xc0000096,
TooManyPagingFiles = 0xc0000097,
FileInvalid = 0xc0000098,
InstanceNotAvailable = 0xc00000ab,
PipeNotAvailable = 0xc00000ac,
InvalidPipeState = 0xc00000ad,
PipeBusy = 0xc00000ae,
IllegalFunction = 0xc00000af,
PipeDisconnected = 0xc00000b0,
PipeClosing = 0xc00000b1,
PipeConnected = 0xc00000b2,
PipeListening = 0xc00000b3,
InvalidReadMode = 0xc00000b4,
IoTimeout = 0xc00000b5,
FileForcedClosed = 0xc00000b6,
ProfilingNotStarted = 0xc00000b7,
ProfilingNotStopped = 0xc00000b8,
NotSameDevice = 0xc00000d4,
FileRenamed = 0xc00000d5,
CantWait = 0xc00000d8,
PipeEmpty = 0xc00000d9,
CantTerminateSelf = 0xc00000db,
InternalError = 0xc00000e5,
InvalidParameter1 = 0xc00000ef,
InvalidParameter2 = 0xc00000f0,
InvalidParameter3 = 0xc00000f1,
InvalidParameter4 = 0xc00000f2,
InvalidParameter5 = 0xc00000f3,
InvalidParameter6 = 0xc00000f4,
InvalidParameter7 = 0xc00000f5,
InvalidParameter8 = 0xc00000f6,
InvalidParameter9 = 0xc00000f7,
InvalidParameter10 = 0xc00000f8,
InvalidParameter11 = 0xc00000f9,
InvalidParameter12 = 0xc00000fa,
MappedFileSizeZero = 0xc000011e,
TooManyOpenedFiles = 0xc000011f,
Cancelled = 0xc0000120,
CannotDelete = 0xc0000121,
InvalidComputerName = 0xc0000122,
FileDeleted = 0xc0000123,
SpecialAccount = 0xc0000124,
SpecialGroup = 0xc0000125,
SpecialUser = 0xc0000126,
MembersPrimaryGroup = 0xc0000127,
FileClosed = 0xc0000128,
TooManyThreads = 0xc0000129,
ThreadNotInProcess = 0xc000012a,
TokenAlreadyInUse = 0xc000012b,
PagefileQuotaExceeded = 0xc000012c,
CommitmentLimit = 0xc000012d,
InvalidImageLeFormat = 0xc000012e,
InvalidImageNotMz = 0xc000012f,
InvalidImageProtect = 0xc0000130,
InvalidImageWin16 = 0xc0000131,
LogonServer = 0xc0000132,
DifferenceAtDc = 0xc0000133,
SynchronizationRequired = 0xc0000134,
DllNotFound = 0xc0000135,
IoPrivilegeFailed = 0xc0000137,
OrdinalNotFound = 0xc0000138,
EntryPointNotFound = 0xc0000139,
ControlCExit = 0xc000013a,
PortNotSet = 0xc0000353,
DebuggerInactive = 0xc0000354,
CallbackBypass = 0xc0000503,
PortClosed = 0xc0000700,
MessageLost = 0xc0000701,
InvalidMessage = 0xc0000702,
RequestCanceled = 0xc0000703,
RecursiveDispatch = 0xc0000704,
LpcReceiveBufferExpected = 0xc0000705,
LpcInvalidConnectionUsage = 0xc0000706,
LpcRequestsNotAllowed = 0xc0000707,
ResourceInUse = 0xc0000708,
ProcessIsProtected = 0xc0000712,
VolumeDirty = 0xc0000806,
FileCheckedOut = 0xc0000901,
CheckOutRequired = 0xc0000902,
BadFileType = 0xc0000903,
FileTooLarge = 0xc0000904,
FormsAuthRequired = 0xc0000905,
VirusInfected = 0xc0000906,
VirusDeleted = 0xc0000907,
TransactionalConflict = 0xc0190001,
InvalidTransaction = 0xc0190002,
TransactionNotActive = 0xc0190003,
TmInitializationFailed = 0xc0190004,
RmNotActive = 0xc0190005,
RmMetadataCorrupt = 0xc0190006,
TransactionNotJoined = 0xc0190007,
DirectoryNotRm = 0xc0190008,
CouldNotResizeLog = 0xc0190009,
TransactionsUnsupportedRemote = 0xc019000a,
LogResizeInvalidSize = 0xc019000b,
RemoteFileVersionMismatch = 0xc019000c,
CrmProtocolAlreadyExists = 0xc019000f,
TransactionPropagationFailed = 0xc0190010,
CrmProtocolNotFound = 0xc0190011,
TransactionSuperiorExists = 0xc0190012,
TransactionRequestNotValid = 0xc0190013,
TransactionNotRequested = 0xc0190014,
TransactionAlreadyAborted = 0xc0190015,
TransactionAlreadyCommitted = 0xc0190016,
TransactionInvalidMarshallBuffer = 0xc0190017,
CurrentTransactionNotValid = 0xc0190018,
LogGrowthFailed = 0xc0190019,
ObjectNoLongerExists = 0xc0190021,
StreamMiniversionNotFound = 0xc0190022,
StreamMiniversionNotValid = 0xc0190023,
MiniversionInaccessibleFromSpecifiedTransaction = 0xc0190024,
CantOpenMiniversionWithModifyIntent = 0xc0190025,
CantCreateMoreStreamMiniversions = 0xc0190026,
HandleNoLongerValid = 0xc0190028,
NoTxfMetadata = 0xc0190029,
LogCorruptionDetected = 0xc0190030,
CantRecoverWithHandleOpen = 0xc0190031,
RmDisconnected = 0xc0190032,
EnlistmentNotSuperior = 0xc0190033,
RecoveryNotNeeded = 0xc0190034,
RmAlreadyStarted = 0xc0190035,
FileIdentityNotPersistent = 0xc0190036,
CantBreakTransactionalDependency = 0xc0190037,
CantCrossRmBoundary = 0xc0190038,
TxfDirNotEmpty = 0xc0190039,
IndoubtTransactionsExist = 0xc019003a,
TmVolatile = 0xc019003b,
RollbackTimerExpired = 0xc019003c,
TxfAttributeCorrupt = 0xc019003d,
EfsNotAllowedInTransaction = 0xc019003e,
TransactionalOpenNotAllowed = 0xc019003f,
TransactedMappingUnsupportedRemote = 0xc0190040,
TxfMetadataAlreadyPresent = 0xc0190041,
TransactionScopeCallbacksNotSet = 0xc0190042,
TransactionRequiredPromotion = 0xc0190043,
CannotExecuteFileInTransaction = 0xc0190044,
TransactionsNotFrozen = 0xc0190045,
MaximumNtStatus = 0xffffffff
}
}
}
}