PowerShell Remoting Project Home

Wednesday, March 01, 2006

Release of MSHForFun.Security MshSnapin v0.1

Finally, I finished my MSHForFun.Security MshSnapin v0.1. Source code and binary files can be downloaded from GotDotNet under the BSD license (sorry, you need Internet Explorer to visit gotdotnet.com; Firefox did not seem willing to accept .NET Passport). It contains four cmdlets at this moment:

Name          : add-processowner
Definition    : add-processowner [-ProcessArray] Process[] [-Verbose] [-Debug]
                [-ErrorAction ActionPreference] [-ErrorVariable String] [-OutVa
                riable String] [-OutBuffer Int32] [-WhatIf] [-Confirm]
Wrapper of the OpenProcessToken Win32 API. It takes a Process (output of the get-process cmdlet) as input and adds process owner information (System.Security.Principal.WindowsIdentity) as a NoteProperty.

Name          : Get-Privilege
Definition    : Get-Privilege [[-Identity] WindowsIdentity] [-Verbose] [-Debug]
                 [-ErrorAction ActionPreference] [-ErrorVariable String] [-OutV
                ariable String] [-OutBuffer Int32] [-WhatIf] [-Confirm]
Wrapper of the GetTokenInformation Win32 API. It takes a System.Security.Principal.WindowsIdentity object as input and returns an MSHForFun.Security.TokenPrivilegeCollection object. If used without a parameter, it returns the token privileges of the current process (msh.exe).

Name          : get-windowsidentity
Definition    : get-windowsidentity [[-Credential] MshCredential] [-Verbose] [-
                Debug] [-ErrorAction ActionPreference] [-ErrorVariable String]
                [-OutVariable String] [-OutBuffer Int32] [-WhatIf] [-Confirm]
Wrapper of the LogonUser() Win32 API. It takes an MshCredential object as input and returns a System.Security.Principal.WindowsIdentity object. If used without a parameter, it returns the System.Security.Principal.WindowsIdentity object representing the current user.

Name          : start-process
Definition    : start-process [-FileName] String [-Credential MshCredential] [-
                Arguments String] [-LoadUserProfile] [-UseShellExecute] [-Worki
                ngDirectory String] [-CreateNoWindow] [-ErrorDialog] [-ErrorDia
                logParentHandle IntPtr] [-RedirectStandardError] [-RedirectStan
                dardInput] [-RedirectStandardOutput] [-StandardErrorEncoding En
                coding] [-StandardOutputEncoding Encoding] [-Verb String] [-Win
                dowStyle ProcessWindowStyle] [-Verbose] [-Debug] [-ErrorAction
                ActionPreference] [-ErrorVariable String] [-OutVariable String]
                 [-OutBuffer Int32] [-WhatIf] [-Confirm]
Wrapper of the System.Diagnostics.Process.Start() method. It takes an MshCredential object as input and starts a process using that credential (runas for MSH).

What's new?
  1. Wrap the token handle in a SafeTokenHandle derived from Microsoft.Win32.SafeHandles.SafeHandleZeroOrMinusOneIsInvalid (prevents handle leaks and protects against handle-recycling attacks, where a handle closed too early is reused by the kernel for a different object)
  2. Get-Privilege cmdlet
  3. Make sure all exceptions are properly handled, and use WriteWarning instead of WriteError where we know errors will happen frequently (Add-ProcessOwner, where opening another account's process token is routinely denied)
  4. Rewrite the C# code, correct errors and clean up comments.
Something interesting about the Get-Privilege cmdlet:
  1. System.Security.Principal.WindowsIdentity exposes all the important information inside a token except the token privileges, so I took the challenge to write a Get-Privilege cmdlet.
  2. Marshalling the variable-length memory block (struct TOKEN_PRIVILEGES) in C# was killing me. I will not do it again.
  3. MSHForFun.Security.TokenPrivilege contains two public properties: Name and Status.
  4. MSHForFun.Security.TokenPrivilegeCollection is derived from System.Collections.CollectionBase.
  5. The Get-Privilege cmdlet only dumps token privileges; it does not enable, disable or remove them.
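To show what the cmdlets above actually do underneath (OpenProcessToken behind add-processowner, GetTokenInformation behind Get-Privilege, the SafeHandle wrapper and the TOKEN_PRIVILEGES marshalling), here is an added example. It is my own code, not the snapin's source from GotDotNet; the class and method names (SafeTokenHandle, TokenPrivilegeReader, TryOpenToken, Enumerate, Decode) are my assumptions. One deliberate difference from the Status column shown below: I label a privilege whose attributes are 0 as "Disabled", because a privilege that was really removed with SE_PRIVILEGE_REMOVED no longer appears in the token's privilege list at all, whereas a listed privilege with no flags set is merely disabled and can be re-enabled with AdjustTokenPrivileges.

```csharp
// Added example, not the MSHForFun.Security source. Names below are my own.
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32.SafeHandles;

// Owns an access-token handle. ReleaseHandle runs exactly once under the runtime's
// reference counting, so the handle is neither leaked nor closed while another
// thread is still using it (the handle-recycling problem a raw IntPtr has).
public sealed class SafeTokenHandle : SafeHandleZeroOrMinusOneIsInvalid
{
    public SafeTokenHandle() : base(true) { }
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);
    protected override bool ReleaseHandle() { return CloseHandle(handle); }
}

[StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
[StructLayout(LayoutKind.Sequential)] struct LUID_AND_ATTRIBUTES { public LUID Luid; public uint Attributes; }

public static class TokenPrivilegeReader
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400, TOKEN_QUERY = 0x0008;
    const int TokenPrivilegesClass = 3;            // TOKEN_INFORMATION_CLASS.TokenPrivileges
    const int ERROR_ACCESS_DENIED = 5, ERROR_INSUFFICIENT_BUFFER = 122;
    const uint SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x1, SE_PRIVILEGE_ENABLED = 0x2;

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out SafeTokenHandle token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(SafeTokenHandle token, int cls, IntPtr buf, uint len, out uint needed);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeName(string system, ref LUID luid, StringBuilder name, ref uint len);

    // Opens a process token for TOKEN_QUERY. Access denied is expected for other accounts'
    // processes, so it is reported as null (caller writes a warning), not as an exception.
    public static SafeTokenHandle TryOpenToken(int pid)
    {
        IntPtr process = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        if (process == IntPtr.Zero) return Fail();
        try
        {
            SafeTokenHandle token;
            return OpenProcessToken(process, TOKEN_QUERY, out token) ? token : Fail();
        }
        finally { CloseHandle(process); }
    }

    static SafeTokenHandle Fail()
    {
        int err = Marshal.GetLastWin32Error();
        if (err == ERROR_ACCESS_DENIED) return null;
        throw new Win32Exception(err);
    }

    // Walks the variable-length TOKEN_PRIVILEGES block: a DWORD PrivilegeCount followed by
    // PrivilegeCount packed LUID_AND_ATTRIBUTES entries (12 bytes each, 4-byte aligned).
    public static List<KeyValuePair<string, string>> Enumerate(SafeTokenHandle token)
    {
        uint needed;
        GetTokenInformation(token, TokenPrivilegesClass, IntPtr.Zero, 0, out needed);
        if (Marshal.GetLastWin32Error() != ERROR_INSUFFICIENT_BUFFER) throw new Win32Exception();
        IntPtr buf = Marshal.AllocHGlobal((int)needed);
        try
        {
            if (!GetTokenInformation(token, TokenPrivilegesClass, buf, needed, out needed))
                throw new Win32Exception();
            int count = Marshal.ReadInt32(buf);
            int entrySize = Marshal.SizeOf(typeof(LUID_AND_ATTRIBUTES));
            List<KeyValuePair<string, string>> result = new List<KeyValuePair<string, string>>(count);
            for (int i = 0; i < count; i++)
            {
                IntPtr p = new IntPtr(buf.ToInt64() + 4 + (long)i * entrySize);
                LUID_AND_ATTRIBUTES e = (LUID_AND_ATTRIBUTES)Marshal.PtrToStructure(p, typeof(LUID_AND_ATTRIBUTES));
                StringBuilder name = new StringBuilder(256);
                uint len = (uint)name.Capacity;
                if (!LookupPrivilegeName(null, ref e.Luid, name, ref len)) throw new Win32Exception();
                result.Add(new KeyValuePair<string, string>(name.ToString(), Decode(e.Attributes)));
            }
            return result;
        }
        finally { Marshal.FreeHGlobal(buf); }
    }

    // Attributes == 0 means present but disabled; a privilege removed with
    // SE_PRIVILEGE_REMOVED is no longer in the list at all.
    public static string Decode(uint attributes)
    {
        List<string> parts = new List<string>();
        if ((attributes & SE_PRIVILEGE_ENABLED) != 0) parts.Add("Enabled");
        if ((attributes & SE_PRIVILEGE_ENABLED_BY_DEFAULT) != 0) parts.Add("Enabled By Default");
        return parts.Count == 0 ? "Disabled" : string.Join(" | ", parts.ToArray());
    }
}
```

Usage: wrap the token in a using block (`using (SafeTokenHandle t = TokenPrivilegeReader.TryOpenToken(pid)) { if (t == null) { /* warn and continue */ } else foreach (KeyValuePair<string, string> kv in TokenPrivilegeReader.Enumerate(t)) ... }`) so the handle is released deterministically rather than at finalization. Two points worth noticing: the marshaler creates the SafeTokenHandle for the `out` parameter of OpenProcessToken itself, so the raw HANDLE is never exposed as an IntPtr in managed code; and the same Enumerate method works on a token obtained from LogonUser (what get-windowsidentity does) or from WindowsIdentity.Token, which is how Get-Privilege can accept the output of get-windowsidentity and of add-processowner alike.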
Some examples of using these cmdlets:
>get-privilege (get-windowsidentity (get-credential))

Cmdlet get-credential at command pipeline position 1
Supply values for the following parameters:
Credential
User: Administrator
Password for user Administrator: *******


Name                                    Status
----                                    ------
SeChangeNotifyPrivilege                 Enabled | Enabled By Default
SeSecurityPrivilege                     Enabled | Enabled By Default
SeBackupPrivilege                       Enabled | Enabled By Default
SeRestorePrivilege                      Enabled | Enabled By Default
SeSystemtimePrivilege                   Enabled | Enabled By Default
SeShutdownPrivilege                     Enabled | Enabled By Default
SeRemoteShutdownPrivilege               Enabled | Enabled By Default
SeTakeOwnershipPrivilege                Enabled | Enabled By Default
SeDebugPrivilege                        Enabled | Enabled By Default
SeSystemEnvironmentPrivilege            Enabled | Enabled By Default
SeSystemProfilePrivilege                Enabled | Enabled By Default
SeProfileSingleProcessPrivilege         Enabled | Enabled By Default
SeIncreaseBasePriorityPrivilege         Enabled | Enabled By Default
SeLoadDriverPrivilege                   Enabled | Enabled By Default
SeCreatePagefilePrivilege               Enabled | Enabled By Default
SeIncreaseQuotaPrivilege                Enabled | Enabled By Default
SeUndockPrivilege                       Enabled | Enabled By Default
SeManageVolumePrivilege                 Enabled | Enabled By Default
SeCreateGlobalPrivilege                 Enabled | Enabled By Default
SeImpersonatePrivilege                  Enabled | Enabled By Default

> get-privilege (get-process -Id 3768 | add-processowner).Processowner

Name                                    Status
----                                    ------
SeChangeNotifyPrivilege                 Enabled | Enabled By Default
SeSecurityPrivilege                     Removed
SeBackupPrivilege                       Removed
SeRestorePrivilege                      Removed
SeSystemtimePrivilege                   Removed
SeShutdownPrivilege                     Removed
SeRemoteShutdownPrivilege               Removed
SeTakeOwnershipPrivilege                Removed
SeDebugPrivilege                        Enabled
SeSystemEnvironmentPrivilege            Removed
SeSystemProfilePrivilege                Removed
SeProfileSingleProcessPrivilege         Removed
SeIncreaseBasePriorityPrivilege         Removed
SeLoadDriverPrivilege                   Removed
SeCreatePagefilePrivilege               Removed
SeIncreaseQuotaPrivilege                Removed
SeUndockPrivilege                       Removed
SeManageVolumePrivilege                 Removed
SeCreateGlobalPrivilege                 Enabled | Enabled By Default
SeImpersonatePrivilege                  Enabled | Enabled By Default

>get-process | add-processowner

Handles  NPM(K)    PM(K)      WS(K) VS(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
     71       3     1548       5304    38     0.80    864 acrotray
WARNING: Failed to open process token (Access Denied): alg
    105       5     1224       3604    35            2832 alg
....
(clipped)


>Start-process -Credential (get-credential) -FileName control.exe -Arguments timedate.cpl

Cmdlet get-credential at command pipeline position 1
Supply values for the following parameters:
Credential
User: Administrator
Password for user Administrator: *******


Handles  NPM(K)    PM(K)      WS(K) VS(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
      0       0       64         60     1     0.00   2220 control


PS: some non-MSH stuff:
Check out the "Brrreeeport" game on the Scobleizer blog.
Check out results on
1. Technorati
2. MSN Search
3. Google
4. Yahoo

Have fun!

[Edit: Monad has now been renamed to Windows PowerShell. This script or discussion may require slight adjustments before it applies directly to newer builds.]



Comments:
Great Work,

(I once did this for VB.NET, but could not bring myself to translate it (I remembered the Token part ;-))


gr /\/\o\/\/
 
hehe, especially during testing this mshsnapin ...
 
Hey, good stuff that you have posted and converted into a snapin (it must have taken a lot of time and effort :))

BTW, do you have any plan to extend your project to include other utility cmdlets, or is the project going to be strictly "security"-related cmdlets?
 
Thanks.

I think an mshsnapin should only bundle related cmdlets. If I am going to release some new cmdlets, I would put them in another separate mshsnapin instead of putting them together.
 
