Added Get/Set-NtTokenDefaultDacl.

tyranid · tyranid · commit 16e863ee5636 · 2020-05-24T15:02:46.000+01:00
diff --git a/NtApiDotNet/NtToken.cs b/NtApiDotNet/NtToken.cs
@@ -2223,6 +2223,20 @@ public static NtResult<NtToken> OpenEffectiveToken(NtThread thread, bool open_as
             return OpenProcessToken(pid.Result, duplicate, desired_access, throw_on_error);
         }
 
+        /// <summary>
+        /// Open the effective token, thread if available or process
+        /// </summary>
+        /// <param name="thread">The thread to open the token for</param>
+        /// <param name="duplicate">True to duplicate the token before returning</param>
+        /// <param name="desired_access">Desired access for token.</param>
+        /// <param name="open_as_self">Open token as self.</param>
+        /// <returns>The opened token</returns>
+        /// <exception cref="NtException">Thrown if cannot open token</exception>
+        public static NtToken OpenEffectiveToken(NtThread thread, bool open_as_self, bool duplicate, TokenAccessRights desired_access)
+        {
+            return OpenEffectiveToken(thread, open_as_self, duplicate, desired_access, true).Result;
+        }
+
         /// <summary>
         /// Open the effective token, thread if available or process
         /// </summary>
diff --git a/NtObjectManager/Cmdlets/Object/GetNtTokenDefaultDacl.cs b/NtObjectManager/Cmdlets/Object/GetNtTokenDefaultDacl.cs
@@ -0,0 +1,79 @@
+﻿//  Copyright 2020 Google Inc. All Rights Reserved.
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//  http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+using NtApiDotNet;
+using System.Management.Automation;
+
+namespace NtObjectManager.Cmdlets.Object
+{
+    /// <summary>
+    /// <para type="synopsis">Get the Default DACL from a Token.</para>
+    /// <para type="description">This cmdlet gets the Default DACL from a Token.</para>
+    /// </summary>
+    /// <example>
+    ///   <code>$dacl = Get-NtTokenDefaultDacl</code>
+    ///   <para>Get current effective token's Default DACL.</para>
+    /// </example>
+    /// <example>
+    ///   <code>$dacl = Get-NtTokenDefaultDacl -Token $token</code>
+    ///   <para>Get Default DACL from a Token.</para>
+    /// </example>
+    /// <example>
+    ///   <code>$sd = Get-NtTokenDefaultDacl -AsSecurityDescriptor</code>
+    ///   <para>Get current process' primary token's Default DACL as a Security Descriptor.</para>
+    /// </example>
+    [Cmdlet(VerbsCommon.Get, "NtTokenDefaultDacl", DefaultParameterSetName = "FromCurrent")]
+    [OutputType(typeof(SecurityDescriptor), typeof(Acl))]
+    public class GetNtTokenDefaultDacl : PSCmdlet
+    {
+        private NtToken GetToken()
+        {
+            if (Token != null)
+                return Token.Duplicate();
+            return NtToken.OpenEffectiveToken(NtThread.Current, true, false, TokenAccessRights.Query);
+        }
+
+        /// <summary>
+        /// <para type="description">Specify the token to query for the default DACL.</para>
+        /// </summary>
+        [Parameter(ParameterSetName = "FromToken", Position = 0, Mandatory = true)]
+        public NtToken Token { get; set; }
+
+        /// <summary>
+        /// <para type="description">Specify to return the ACL in a Security Descriptor.</para>
+        /// </summary>
+        [Parameter]
+        [Alias("sd")]
+        public SwitchParameter AsSecurityDescriptor { get; set; }
+
+        /// <summary>
+        /// Overridden ProcessRecord method.
+        /// </summary>
+        protected override void ProcessRecord()
+        {
+            using (var token = GetToken())
+            {
+                Acl default_dacl = token.DefaultDacl;
+                if (AsSecurityDescriptor)
+                {
+                    WriteObject(new SecurityDescriptor() { Dacl = default_dacl });
+                }
+                else
+                {
+                    WriteObject(default_dacl, false);
+                }
+            }
+        }
+    }
+}
diff --git a/NtObjectManager/Cmdlets/Object/SetNtTokenDefaultDacl.cs b/NtObjectManager/Cmdlets/Object/SetNtTokenDefaultDacl.cs
@@ -0,0 +1,95 @@
+﻿//  Copyright 2020 Google Inc. All Rights Reserved.
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//  http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+using NtApiDotNet;
+using System;
+using System.Management.Automation;
+
+namespace NtObjectManager.Cmdlets.Object
+{
+    /// <summary>
+    /// <para type="synopsis">Set the Default DACL for a Token.</para>
+    /// <para type="description">This cmdlet sets the Default DACL for a Token.</para>
+    /// </summary>
+    /// <example>
+    ///   <code>Set-NtTokenDefaultDacl -DefaultDacl $dacl</code>
+    ///   <para>Set current effective token's Default DACL.</para>
+    /// </example>
+    /// <example>
+    ///   <code>Set-NtTokenDefaultDacl -SecurityDescriptor $sd</code>
+    ///   <para>Set current effective token's Default DACL from a Security Descriptor.</para>
+    /// </example>
+    /// <example>
+    ///   <code>Set-NtTokenDefaultDacl -DefaultDacl $dacl -Token $token</code>
+    ///   <para>Set Default DACL for a Token.</para>
+    /// </example>
+    [Cmdlet(VerbsCommon.Set, "NtTokenDefaultDacl", DefaultParameterSetName = "FromAcl")]
+    public class SetNtTokenDefaultDacl : PSCmdlet
+    {
+        private NtToken GetToken()
+        {
+            if (Token != null)
+                return Token.Duplicate();
+            return NtToken.OpenEffectiveToken(NtThread.Current, true, false, TokenAccessRights.AdjustDefault);
+        }
+
+        /// <summary>
+        /// <para type="description">Specify the default DACL.</para>
+        /// </summary>
+        [Parameter(ParameterSetName = "FromAcl", Position = 1, Mandatory = true)]
+        [AllowEmptyCollection]
+        public Acl DefaultDacl { get; set; }
+
+        /// <summary>
+        /// <para type="description">Specify the default DACL as a Security Descriptor.</para>
+        /// </summary>
+        [Parameter(ParameterSetName = "FromSD", Position = 1, Mandatory = true)]
+        public SecurityDescriptor SecurityDescriptor { get; set; }
+
+        /// <summary>
+        /// <para type="description">Specify the token to set the default DACL.</para>
+        /// </summary>
+        [Parameter(Position = 1)]
+        public NtToken Token { get; set; }
+
+        /// <summary>
+        /// Overridden ProcessRecord method.
+        /// </summary>
+        protected override void ProcessRecord()
+        {
+
+            Acl default_dacl = null;
+
+            switch (ParameterSetName)
+            {
+                case "FromAcl":
+                    default_dacl = DefaultDacl;
+                    break;
+                case "FromSD":
+                    default_dacl = SecurityDescriptor.Dacl;
+                    break;
+            }
+
+            if (default_dacl == null)
+            {
+                throw new ArgumentNullException(nameof(DefaultDacl));
+            }
+
+            using (var token = GetToken())
+            {
+                token.SetDefaultDacl(default_dacl);
+            }
+        }
+    }
+}
diff --git a/NtObjectManager/NtObjectManager.csproj b/NtObjectManager/NtObjectManager.csproj
@@ -97,6 +97,7 @@
     <Compile Include="Cmdlets\Object\GetNtSymbolicLinkCmdlet.cs" />
     <Compile Include="Cmdlets\Object\GetNtSymbolicLinkTargetCmdlet.cs" />
     <Compile Include="Cmdlets\Object\GetNtTokenCmdlet.cs" />
+    <Compile Include="Cmdlets\Object\GetNtTokenDefaultDacl.cs" />
     <Compile Include="Cmdlets\Object\GetNtTransactionCmdlet.cs" />
     <Compile Include="Cmdlets\Object\GetNtTransactionManagerCmdlet.cs" />
     <Compile Include="Cmdlets\Object\GetNtWaitTimeoutCmdlet.cs" />
@@ -141,6 +142,7 @@
     <Compile Include="Cmdlets\Object\SetNtFileReparsePointCmdlet.cs" />
     <Compile Include="Cmdlets\Object\SetNtProcessJobCmdlet.cs" />
     <Compile Include="Cmdlets\Object\SetNtTokenCmdlet.cs" />
+    <Compile Include="Cmdlets\Object\SetNtTokenDefaultDacl.cs" />
     <Compile Include="Cmdlets\Object\SpecificAccessType.cs" />
     <Compile Include="Cmdlets\Object\StartNtDebugWaitCmdlet.cs" />
     <Compile Include="Cmdlets\Object\CompareNtSidCmdlet.cs" />
diff --git a/NtObjectManager/NtObjectManager.psd1 b/NtObjectManager/NtObjectManager.psd1
@@ -133,7 +133,8 @@ CmdletsToExport = 'Add-NtKeyHive', 'Get-NtDirectory', 'Get-NtEvent', 'Get-NtFile
                'Test-NtTokenGroup', 'Test-NtAccessMask', 'Grant-NtAccessMask',
                'Revoke-NtAccessMask', 'Select-NtSecurityDescriptorAce', 'Write-NtAudit',
                'New-AuthZResourceManager', 'New-AuthZContext', 'Get-AuthZGrantedAccess',
-               'Add-AuthZSid', 'Remove-AuthZSid', 'Set-NtToken'
+               'Add-AuthZSid', 'Remove-AuthZSid', 'Set-NtToken', 'Get-NtTokenDefaultDacl',
+               'Set-NtTokenDefaultDacl'
 
 # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
 AliasesToExport = @()
