
[Feature Request]: Group count & Privilege counts

Open AltF5 opened this issue 2 years ago • 5 comments

Description of the feature, modification, idea or suggestion

Let's discuss here before resubmitting this PR of only this feature. I believe the implementation I provided is not overly burdensome.

Use: Find processes with the largest amount of Privileges & Groups in their tokens for seeing what viable candidates are for impersonation. This is done programmatically usually for locating a viable process in descending order, checking to see what's openable. But by having this in SI, it allows the dev, researcher, or tester to see which processes would be attempted first regarding a sort of Privileges. Arguably privileges > integrity (more privileges and High IL is better than lower privileges / removed privileges and System IL), though some are only granted to System IL and not available in High IL.

Processes with a larger count of privileges (say 34 for all of them) will typically be of higher elevation for impersonation candidates than lower privilege counts.

Processes with a larger count of groups may indicate more access to resources, like on a domain. Doesn't necessarily mean more privileges unless the token shows as NT SERVICE\TrustedInstaller, which is the default DACL for many NT AUTHORITY\SYSTEM-owned open objects. Possibly just greater access.

I find both of these columns of immense value.


Proposed implementation details (optional)

Part of Pull Req: https://github.com/winsiderss/systeminformer/pull/1272/commits/cfc23ad83a41937e3ebec2d53f7177a36a70f0c5#diff-56713526ef4d61b4c434e2b04f4c7c9f7c6170f01027b2ab0331c3cd8e13ef32

See: in proctree.h and proctree.c

  • PHPRTLC_PRIVCOUNT

  • PHPRTLC_GRPCOUNT

```c
PTOKEN_PRIVILEGES privileges;
// PhGetTokenPrivileges allocates the buffer; the caller owns it and must PhFree it.
if (NT_SUCCESS(PhGetTokenPrivileges(tokenHandle, &privileges)))
{
    ProcessNode->PrivilegeCount = privileges->PrivilegeCount;
    PhFree(privileges);
}
else
{
    // -1 marks "could not query the token", so it sorts apart from a genuine count of 0.
    ProcessNode->PrivilegeCount = -1;
}

PTOKEN_GROUPS groups;
// Same ownership rule for PhGetTokenGroups.
if (NT_SUCCESS(PhGetTokenGroups(tokenHandle, &groups)))
{
    ProcessNode->GroupCount = groups->GroupCount;
    PhFree(groups);
}
else
{
    ProcessNode->GroupCount = -1;
}
```

AltF5, Jun 17 '22 00:06
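The proposed columns report the raw `PrivilegeCount` / `GroupCount` fields, which count every entry in the token regardless of its attributes. The following is an added example, not System Informer's code or part of the PR: it walks `TOKEN_PRIVILEGES` and `TOKEN_GROUPS` buffers of the shape `GetTokenInformation` / `PhGetTokenPrivileges` return and shows the two caveats a reviewer of such a column would want to keep in mind: a privilege that is present but disabled still counts, and a deny-only group (the shape `BUILTIN\Administrators` takes in a UAC-filtered token) still counts even though it can only restrict access. The buffers are constructed in memory so the program runs without a live token, and the non-Windows type stand-ins exist only so it compiles on any host; `CountPrivileges`, `CountGroups` and the `BuildSample*` helpers are names chosen here.

```c
/* Added example (not System Informer code): what the requested PrivilegeCount /
 * GroupCount columns do and do not tell you. Buffers are constructed inline. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Minimal stand-ins for the Win32 definitions so the walk compiles on any host. */
typedef uint32_t DWORD;
typedef struct { DWORD LowPart; int32_t HighPart; } LUID;
typedef struct { LUID Luid; DWORD Attributes; } LUID_AND_ATTRIBUTES;
typedef struct { DWORD PrivilegeCount; LUID_AND_ATTRIBUTES Privileges[1]; } TOKEN_PRIVILEGES;
typedef void *PSID;
typedef struct { PSID Sid; DWORD Attributes; } SID_AND_ATTRIBUTES;
typedef struct { DWORD GroupCount; SID_AND_ATTRIBUTES Groups[1]; } TOKEN_GROUPS;
#define SE_PRIVILEGE_ENABLED       0x00000002u
#define SE_GROUP_ENABLED           0x00000004u
#define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010u
#endif

/* Well-known privilege LUID values (LowPart; HighPart is 0). */
#define SE_DEBUG_PRIVILEGE_VALUE         20
#define SE_CHANGE_NOTIFY_PRIVILEGE_VALUE 23
#define SE_IMPERSONATE_PRIVILEGE_VALUE   29

/* enabledOnly == 0 reproduces the proposed column (every privilege present,
 * enabled or not); enabledOnly != 0 counts only SE_PRIVILEGE_ENABLED entries,
 * which are the ones that actually take effect for access checks. */
DWORD CountPrivileges(const TOKEN_PRIVILEGES *privs, int enabledOnly)
{
    const LUID_AND_ATTRIBUTES *e = privs->Privileges;
    DWORD n = 0;
    for (DWORD i = 0; i < privs->PrivilegeCount; i++) {
        if (!enabledOnly || (e[i].Attributes & SE_PRIVILEGE_ENABLED))
            n++;
    }
    return n;
}

/* excludeDenyOnly == 0 reproduces the proposed column; != 0 drops groups that
 * carry SE_GROUP_USE_FOR_DENY_ONLY, which never grant access. */
DWORD CountGroups(const TOKEN_GROUPS *groups, int excludeDenyOnly)
{
    const SID_AND_ATTRIBUTES *e = groups->Groups;
    DWORD n = 0;
    for (DWORD i = 0; i < groups->GroupCount; i++) {
        if (excludeDenyOnly && (e[i].Attributes & SE_GROUP_USE_FOR_DENY_ONLY))
            continue;
        n++;
    }
    return n;
}

/* Constructed sample: three privileges, one present but disabled. The caller
 * frees the buffer, mirroring the PhGetTokenPrivileges ownership rule. */
TOKEN_PRIVILEGES *BuildSamplePrivileges(void)
{
    const DWORD count = 3;
    TOKEN_PRIVILEGES *p = calloc(1, sizeof(TOKEN_PRIVILEGES) + (count - 1) * sizeof(LUID_AND_ATTRIBUTES));
    if (!p) return NULL;
    LUID_AND_ATTRIBUTES *e = p->Privileges;
    p->PrivilegeCount = count;
    e[0].Luid.LowPart = SE_DEBUG_PRIVILEGE_VALUE;         e[0].Attributes = 0; /* present, disabled */
    e[1].Luid.LowPart = SE_CHANGE_NOTIFY_PRIVILEGE_VALUE; e[1].Attributes = SE_PRIVILEGE_ENABLED;
    e[2].Luid.LowPart = SE_IMPERSONATE_PRIVILEGE_VALUE;   e[2].Attributes = SE_PRIVILEGE_ENABLED;
    return p;
}

/* Constructed sample: four groups, one deny-only. SIDs are not needed for
 * counting, so Sid stays NULL in this sample. */
TOKEN_GROUPS *BuildSampleGroups(void)
{
    const DWORD count = 4;
    TOKEN_GROUPS *g = calloc(1, sizeof(TOKEN_GROUPS) + (count - 1) * sizeof(SID_AND_ATTRIBUTES));
    if (!g) return NULL;
    SID_AND_ATTRIBUTES *e = g->Groups;
    g->GroupCount = count;
    e[0].Attributes = SE_GROUP_ENABLED;           /* e.g. Everyone */
    e[1].Attributes = SE_GROUP_USE_FOR_DENY_ONLY; /* e.g. Administrators in a filtered token */
    e[2].Attributes = SE_GROUP_ENABLED;           /* e.g. Users */
    e[3].Attributes = SE_GROUP_ENABLED;           /* e.g. INTERACTIVE */
    return g;
}

int main(void)
{
    TOKEN_PRIVILEGES *p = BuildSamplePrivileges();
    TOKEN_GROUPS *g = BuildSampleGroups();
    if (!p || !g) return 1;
    printf("privileges: %lu present, %lu enabled\n",
           (unsigned long)CountPrivileges(p, 0), (unsigned long)CountPrivileges(p, 1));
    printf("groups: %lu present, %lu usable for access\n",
           (unsigned long)CountGroups(g, 0), (unsigned long)CountGroups(g, 1));
    free(p);
    free(g);
    return 0;
}
```

On a real token the same walk runs over the buffer `PhGetTokenPrivileges` / `PhGetTokenGroups` hands back; the sample here shows the column value (3 and 4) alongside the effective counts (2 enabled privileges, 3 groups usable for access), which is the gap to keep in mind when sorting processes by the raw count.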