Added basic Window Station creation.

Author: tyranid

NtApiDotNet/NtWindowStation.cs

@@ -12,6 +12,7 @@
 //  See the License for the specific language governing permissions and
 //  limitations under the License.
 
+using NtApiDotNet.Win32;
 using System;
 using System.Collections.Generic;
 using System.Runtime.InteropServices;
@@ -140,6 +141,43 @@ public static NtWindowStation Open(string winsta_name)
             return Open(winsta_name, null);
         }
 
+        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+        private delegate IntPtr GetKbdLayout();
+
+        /// <summary>
+        /// Create a Window Station by name.
+        /// </summary>
+        /// <param name="winsta_name">The name of the Window Station.</param>
+        /// <returns>The Window Station.</returns>
+        public static NtWindowStation Create(string winsta_name)
+        {
+            string dll_path;
+            IntPtr layout_offset;
+            using (var kbd_dll = SafeLoadLibraryHandle.LoadLibrary(@"kbdus.dll"))
+            {
+                dll_path = kbd_dll.FullPath;
+                var proc = kbd_dll.GetProcAddress(new IntPtr(1));
+                GetKbdLayout kbdLayout = (GetKbdLayout)Marshal.GetDelegateForFunctionPointer(proc, typeof(GetKbdLayout));
+                var layout = kbdLayout();
+                layout_offset = new IntPtr(layout.ToInt64() - kbd_dll.DangerousGetHandle().ToInt64());
+            }
+
+            using (var buffer = new SafeHGlobalBuffer(0x318))
+            {
+                BufferUtils.FillBuffer(buffer, 0);
+                using (var file = NtFile.Open(NtFileUtils.DosFileNameToNt(dll_path), null,
+                    FileAccessRights.GenericRead | FileAccessRights.Synchronize, FileShareMode.Read | FileShareMode.Delete, 
+                    FileOpenOptions.NonDirectoryFile | FileOpenOptions.SynchronousIoNonAlert))
+                {
+                    using (var obja = new ObjectAttributes(winsta_name, AttributeFlags.CaseInsensitive))
+                    {
+                        return new NtWindowStation(NtSystemCalls.NtUserCreateWindowStation(obja, WindowStationAccessRights.MaximumAllowed, file.Handle,
+                            layout_offset, IntPtr.Zero, buffer, new UnicodeString("00000409"), 0x04090409));
+                    }
+                }
+            }
+        }
+
         /// <summary>
         /// Get a list of desktops for this Window Station.
         /// </summary>

NtApiDotNet/NtWindowStationNative.cs

@@ -50,6 +50,17 @@ public static extern SafeKernelObjectHandle NtUserOpenWindowStation(
             ObjectAttributes ObjectAttributes,
             WindowStationAccessRights DesiredAccess);
 
+        [DllImport("win32u.dll", SetLastError = true)]
+        public static extern SafeKernelObjectHandle NtUserCreateWindowStation(
+            ObjectAttributes ObjectAttributes,
+            WindowStationAccessRights DesiredAccess,
+            SafeKernelObjectHandle KbdDllHandle,
+            IntPtr KbdTablesOffset,     // Offset of tables returned from Ordinal 1 call from DLL base.
+            IntPtr NlsTablesOffset,     // Offset of tables returned from Ordinal 2 call from DLL base.
+            SafeBuffer KbdMultiDescriptor, // Buffer 0x318 bytes in size. Can be extracted using Ordinal 6.
+            UnicodeString LanguageIdString, // e.g. "00000409"
+            int KeyboardLocale); // e.g. 0x04090409 is US English and US Layout
+
         [DllImport("win32u.dll", SetLastError = true)]
         public static extern NtStatus NtUserBuildNameList(
             SafeKernelObjectHandle Handle, int Size, SafeBuffer NameList, out int RequiredSize);

NtApiDotNet/SecurityCapabilities.cs

@@ -879,6 +879,7 @@ internal static class SecurityCapabilities
             "thumbnailCache",
             "timezone",
             "uiAutomationSystem",
+            "unvirtualizedResources",
             "unzipFile",
             "updateAndSecurityDeviceSettings",
             "usb",

NtApiDotNet/Win32/SafeLoadLibraryHandle.cs

@@ -401,10 +401,9 @@ public IntPtr GetProcAddress(IntPtr ordinal)
         /// <typeparam name="TDelegate">The delegate type. The name of the delegate is used to lookup the name of the function.</typeparam>
         /// <param name="throw_on_error">True to throw on error.</param>
         /// <returns>The delegate.</returns>
-        public TDelegate GetFunctionPointer<TDelegate>(bool throw_on_error) where TDelegate : class
+        public TDelegate GetFunctionPointer<TDelegate>(bool throw_on_error) where TDelegate : Delegate
         {
-            if (!typeof(TDelegate).IsSubclassOf(typeof(Delegate)) ||
-                typeof(TDelegate).GetCustomAttribute<UnmanagedFunctionPointerAttribute>() == null)
+            if (typeof(TDelegate).GetCustomAttribute<UnmanagedFunctionPointerAttribute>() == null)
             {
                 throw new ArgumentException("Invalid delegate type, must have an UnmanagedFunctionPointerAttribute annotation");
             }
@@ -419,15 +418,15 @@ public TDelegate GetFunctionPointer<TDelegate>(bool throw_on_error) where TDeleg
                 return null;
             }
 
-            return (TDelegate)(object)Marshal.GetDelegateForFunctionPointer(proc, typeof(TDelegate));
+            return (TDelegate)Marshal.GetDelegateForFunctionPointer(proc, typeof(TDelegate));
         }
 
         /// <summary>
         /// Get a delegate which points to an unmanaged function.
         /// </summary>
         /// <typeparam name="TDelegate">The delegate type. The name of the delegate is used to lookup the name of the function.</typeparam>
         /// <returns>The delegate.</returns>
-        public TDelegate GetFunctionPointer<TDelegate>() where TDelegate : class
+        public TDelegate GetFunctionPointer<TDelegate>() where TDelegate : Delegate
         {
             return GetFunctionPointer<TDelegate>(true);
         }

NtApiDotNet/Win32/SymbolResolver.cs

@@ -455,7 +455,7 @@ int cb
         private SymLoadModule64 _sym_load_module;
         private SymRefreshModuleList _sym_refresh_module_list;
 
-        private void GetFunc<T>(ref T f) where T : class
+        private void GetFunc<T>(ref T f) where T : Delegate
         {
             f = _dbghelp_lib.GetFunctionPointer<T>();
         }

NtApiDotNet/Win32/Win32NativeMethods.cs

@@ -971,9 +971,12 @@ internal static extern int SendInput(int nInputs,
             [MarshalAs(UnmanagedType.LPArray), In] INPUT[] pInputs,
             int cbSize);
 
-        [DllImport("user32.dll", SetLastError = true)]
-        internal static extern short GetAsyncKeyState(
-            int vKey
+        [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
+        internal static extern SafeKernelObjectHandle CreateWindowStation(
+            string lpwinsta,
+            int dwFlags,
+            AccessMask dwDesiredAccess,
+            SECURITY_ATTRIBUTES lpsa
         );
     }
 #pragma warning restore 1591

NtApiDotNet/Win32/Win32ProcessConfig.cs

@@ -191,6 +191,10 @@ public bool OverrideChildProcessCreation
         /// Specify list of handles to inherit.
         /// </summary>
         public List<NtJob> JobList { get; }
+        /// <summary>
+        /// Specify a service window station and desktop.
+        /// </summary>
+        public bool ServiceDesktop { get; set; }
 
         /// <summary>
         /// Add an object's handle to the list of inherited handles. 
@@ -240,7 +244,7 @@ public Win32ProcessConfig()
 
         private void PopulateStartupInfo(ref STARTUPINFO start_info)
         {
-            start_info.lpDesktop = Desktop;
+            start_info.lpDesktop = ServiceDesktop ? CreateServiceDesktopName() : Desktop;
             start_info.lpTitle = Title;
             if (StdInputHandle != Win32Utils.InvalidHandle ||
                 StdOutputHandle != Win32Utils.InvalidHandle ||
@@ -496,5 +500,25 @@ private static SECURITY_ATTRIBUTES CreateSecurityAttributes(SecurityDescriptor s
             }
             return ret;
         }
+
+        private string ServiceDesktopNameFromToken(NtToken token)
+        {
+            Luid authid = token.AuthenticationId;
+            return $@"Service-0x{authid.HighPart:X}-{authid.LowPart:X}$\Default";
+        }
+
+        private string CreateServiceDesktopName()
+        {
+            if (Token != null)
+            {
+                return ServiceDesktopNameFromToken(Token);
+            }
+
+            NtProcess process = ParentProcess ?? NtProcess.Current;
+            using (var token = process.OpenToken())
+            {
+                return ServiceDesktopNameFromToken(token);
+            }
+        }
     }
 }

NtApiDotNet/Win32/Win32Utils.cs

@@ -430,5 +430,18 @@ public static void SendKeys(params VirtualKey[] key_codes)
             SendKeyDown(key_codes);
             SendKeyUp(key_codes);
         }
+
+        /// <summary>
+        /// This creates a Window Station using the User32 API.
+        /// </summary>
+        /// <param name="name">The name of the Window Station.</param>
+        /// <returns>The Window Station.</returns>
+        public static NtWindowStation CreateWindowStation(string name)
+        {
+            var handle = Win32NativeMethods.CreateWindowStation(name, 0, WindowStationAccessRights.MaximumAllowed, null);
+            if (handle.IsInvalid)
+                throw new SafeWin32Exception();
+            return new NtWindowStation(handle);
+        }
     }
 }