Added Get-NtTokenPrivilege command.

tyranid · tyranid · commit b56ac50619b1 · 2020-01-20T10:42:02.000-08:00
diff --git a/NtObjectManager/NtObjectManager.psd1 b/NtObjectManager/NtObjectManager.psd1
@@ -66,7 +66,7 @@ FunctionsToExport = 'Get-AccessibleAlpcPort', 'Set-NtTokenPrivilege',
           'Get-RpcClient', 'Format-RpcClient', 'Set-RpcServer', 'Connect-RpcClient', 'New-RpcContextHandle', 'Format-RpcComplexType',
           'Get-Win32File', 'Close-NtObject', 'Start-AccessibleScheduledTask', 'Get-NtEaBuffer', 'Set-NtEaBuffer',
           'Suspend-NtProcess', 'Resume-NtProcess', 'Stop-NtProcess', 'Suspend-NtThread', 'Resume-NtThread', 'Stop-NtThread',
-          'Format-NtToken', 'Remove-NtTokenPrivilege'
+          'Format-NtToken', 'Remove-NtTokenPrivilege', 'Get-NtTokenPrivilege'
 
 # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
 CmdletsToExport = 'Add-NtKey', 'Get-NtDirectory', 'Get-NtEvent', 'Get-NtFile', 
diff --git a/NtObjectManager/NtObjectManager.psm1 b/NtObjectManager/NtObjectManager.psm1
@@ -128,6 +128,53 @@ function Set-NtTokenPrivilege
   }
 }
 
+<#
+.SYNOPSIS
+Get the state of a token's privileges.
+.DESCRIPTION
+This cmdlet will get the state of a token's privileges.
+.PARAMETER Privileges
+A list of privileges to get their state.
+.PARAMETER Token
+Optional token object to use to get privileges. Must be accesible for Query right.
+.INPUTS
+None
+.OUTPUTS
+List of TokenPrivilege values indicating the state of all privileges requested.
+.EXAMPLE
+Get-NtTokenPrivilege
+Get all privileges on the current process token
+.EXAMPLE
+Set-NtTokenPrivilege SeDebugPrivilege 
+Get state of SeDebugPrivilege on the current process token
+.EXAMPLE
+Get-NtTokenPrivilege SeBackupPrivilege, SeRestorePrivilege -Token $token
+Get SeBackupPrivilege and SeRestorePrivilege status on an explicit token object.
+#>
+function Get-NtTokenPrivilege
+{
+  Param(
+    [Parameter(Position=0)]
+    [NtApiDotNet.TokenPrivilegeValue[]]$Privileges,
+    [NtApiDotNet.NtToken]$Token
+    )
+  if ($null -eq $Token) {
+    $Token = Get-NtToken -Primary -Access Query
+  } else {
+    $Token = $Token.Duplicate()
+  }
+
+  Use-NtObject($Token) {
+    if ($Privileges -ne $null -and $Privileges.Count -gt 0) {
+        foreach($priv in $Privileges) {
+            $Token.GetPrivilege($priv) | Write-Output
+        }
+    } else {
+        $Token.Privileges | Write-Output
+    }
+  }
+}
+
 <#
 .SYNOPSIS
 Remove privileges from a token.
