Added mandatory access list and Get-NtTypeAccess function.

Author: tyranid

NtApiDotNet/NtType.cs

@@ -227,6 +227,18 @@ public IEnumerable<AccessMaskEntry> AccessRights
         /// </summary>
         public IEnumerable<AccessMaskEntry> AllAccessRights => AccessRights.Where(r => GenericMapping.GenericAll.IsAccessGranted(r.Mask));
 
+        /// <summary>
+        /// Get the valid mandatory access rights for this Type.
+        /// </summary>
+        public IEnumerable<AccessMaskEntry> MandatoryAccessRights
+        {
+            get
+            {
+                AccessMask mask = GetDefaultMandatoryAccess();
+                return AccessRights.Where(r => mask.IsAccessGranted(r.Mask));
+            }
+        }
+
         #endregion
 
         #region Public Methods

NtObjectManager/NtObjectManager.psd1

@@ -68,7 +68,7 @@ FunctionsToExport = 'Get-AccessibleAlpcPort', 'Set-NtTokenPrivilege',
           'Suspend-NtProcess', 'Resume-NtProcess', 'Stop-NtProcess', 'Suspend-NtThread', 'Resume-NtThread', 'Stop-NtThread',
           'Format-NtToken', 'Remove-NtTokenPrivilege', 'Get-NtTokenPrivilege', 'Get-NtLocallyUniqueId', 'Get-NtTokenGroup',
           'Get-NtTokenSid', 'Set-NtTokenSid', 'Set-NtTokenGroup', 'Get-NtDesktopName', 'Get-NtWindowStationName',
-          'Get-NtWindow', 'Out-HexDump'
+          'Get-NtWindow', 'Out-HexDump', 'Get-NtTypeAccess'
 
 # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
 CmdletsToExport = 'Add-NtKey', 'Get-NtDirectory', 'Get-NtEvent', 'Get-NtFile', 

NtObjectManager/NtObjectManager.psm1

@@ -5630,4 +5630,50 @@ function Out-HexDump {
         $builder.Complete()
         $builder.ToString() | Write-Output
     }
+}
+
+<#
+.SYNOPSIS
+Gets the access masks for a type.
+.DESCRIPTION
+This cmdlet gets the access masks for a type.
+.PARAMETER Type
+The NT type.
+.PARAMETER Read
+Shown only read access.
+.PARAMETER Write
+Shown only write access.
+.PARAMETER Execute
+Shown only execute access.
+.PARAMETER Mandatory
+Shown only default mandatory access.
+.INPUTS
+None
+.OUTPUTS
+AccessMask entries.
+#>
+function Get-NtTypeAccess {
+    [CmdletBinding(DefaultParameterSetName="All")]
+    Param(
+        [Parameter(Mandatory, Position=0)]
+        [NtApiDotNet.NtType]$Type,
+        [Parameter(ParameterSetName="Read")]
+        [switch]$Read,
+        [Parameter(ParameterSetName="Write")]
+        [switch]$Write,
+        [Parameter(ParameterSetName="Execute")]
+        [switch]$Execute,
+        [Parameter(ParameterSetName="Mandatory")]
+        [switch]$Mandatory
+    )
+
+    $access = switch($PSCmdlet.ParameterSetName) {
+        "All" { $Type.AccessRights }
+        "Read" { $Type.ReadAccessRights } 
+        "Write" { $Type.WriteAccessRights }
+        "Execute" { $Type.ExecuteAccessRights }
+        "Mandatory" { $Type.MandatoryAccessRights }
+    }
+
+    $access | Write-Output
 }