
Commit 33b4c63

author
James Forshaw
committed
Fixes for Show-NtToken and Show-NtSection
1 parent 3bd108a commit 33b4c63


1 file changed

+39
-37
lines changed

1 file changed

+39
-37
lines changed

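--- a/NtObjectManager/NtObjectManager.psm1
+++ b/NtObjectManager/NtObjectManager.psm1
@@ -12,6 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+Set-StrictMode -Version Latest
+
 if (($PSVersionTable.Keys -contains "PSEdition") -and ($PSVersionTable.PSEdition -ne 'Desktop')) {
 Import-Module "$PSScriptRoot\Core\NtObjectManager.dll"
 }
@@ -1173,7 +1175,6 @@ function New-ExecutionAlias
 )
 
 $rp = [NtApiDotNet.ExecutionAliasReparseBuffer]::new($Version, $PackageName, $EntryPoint, $Target, $Flags)
-
 Use-NtObject($file = New-NtFile -Path $Path -Win32Path -Options OpenReparsePoint,SynchronousIoNonAlert `
 -Access GenericWrite,Synchronize -Disposition OpenIf) {
 $file.SetReparsePoint($rp)
@@ -1246,7 +1247,7 @@ Display up to 5 primary tokens from accessible processes named notepad.exe.
 function Show-NtToken {
 [CmdletBinding(DefaultParameterSetName = "FromPid")]
 param(
-[Parameter(Mandatory=$true, Position=0, ParameterSetName="FromToken", ValueFromPipeline=$true)]
+[Parameter(Mandatory=$true, Position=0, ParameterSetName="FromToken", ValueFromPipeline=$true)]
 [NtApiDotNet.NtToken[]]$Token,
 [Parameter(Mandatory=$true, Position=0, ParameterSetName="FromProcess", ValueFromPipeline=$true)]
 [NtApiDotNet.NtProcess[]]$Process,
@@ -1259,40 +1260,40 @@ function Show-NtToken {
 )
 
 PROCESS {
-if (-not $(Test-Path "$PSScriptRoot\TokenViewer.exe" -PathType Leaf)) {
-Write-Error "Missing token viewer application $PSScriptRoot\TokenViewer.exe"
-return
-}
-switch($PSCmdlet.ParameterSetName) {
-"FromProcess" {
-foreach($p in $Process) {
-Use-NtObject($t = Get-NtToken -Primary -Process $p) {
-$text = "$($p.Name):$($p.ProcessId)"
-Start-NtTokenViewer $t -Text $text
-}
-}
-}
-"FromName" {
-Use-NtObject($ps = Get-NtProcess -Name $Name -Access QueryLimitedInformation) {
-if ($MaxTokens -gt 0) {
-$ps = $ps | Select-Object -First $MaxTokens
-}
-$ps | Show-NtToken
-}
-}
-"FromPid" {
-$cmdline = [string]::Format("TokenViewer --pid={0}", $ProcessId)
-$config = New-Win32ProcessConfig $cmdline -ApplicationName "$PSScriptRoot\TokenViewer.exe" -InheritHandles
-Use-NtObject($p = New-Win32Process -Config $config) {
-}
-}
-"FromToken" {
-foreach($token in $Tokens) {
-Start-NtTokenViewer $token
-}
-}
-}
-}
+if (-not $(Test-Path "$PSScriptRoot\TokenViewer.exe" -PathType Leaf)) {
+Write-Error "Missing token viewer application $PSScriptRoot\TokenViewer.exe"
+return
+}
+switch($PSCmdlet.ParameterSetName) {
+"FromProcess" {
+foreach($p in $Process) {
+Use-NtObject($t = Get-NtToken -Primary -Process $p) {
+$text = "$($p.Name):$($p.ProcessId)"
+Start-NtTokenViewer $t -Text $text
+}
+}
+}
+"FromName" {
+Use-NtObject($ps = Get-NtProcess -Name $Name -Access QueryLimitedInformation) {
+if ($MaxTokens -gt 0) {
+$ps = $ps | Select-Object -First $MaxTokens
+}
+$ps | Show-NtToken
+}
+}
+"FromPid" {
+$cmdline = [string]::Format("TokenViewer --pid={0}", $ProcessId)
+$config = New-Win32ProcessConfig $cmdline -ApplicationName "$PSScriptRoot\TokenViewer.exe" -InheritHandles
+Use-NtObject($p = New-Win32Process -Config $config) {
+}
+}
+"FromToken" {
+foreach($t in $Token) {
+Start-NtTokenViewer $t
+}
+}
+}
+}
 }
 
 <#
@@ -1322,7 +1323,8 @@ function Show-NtSection {
 Param(
 [Parameter(Position = 0, Mandatory = $true)]
 [NtApiDotNet.NtSection]$Section,
-[switch]$ReadOnly
+[switch]$ReadOnly,
+[switch]$Wait
 )
 
 if (!$Section.IsAccessGranted("MapRead")) {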
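Review bot: In the `FromPid` branch of `Show-NtToken` (new lines 1285-1286) TokenViewer.exe is still launched with `-InheritHandles`, although the command line built there only carries `--pid={0}`, so as far as this hunk shows no handle needs to reach the child. With inheritance switched on, every inheritable handle open in the calling PowerShell process is copied into the viewer, and in a session using this module those may well be token or process handles. Consider `$config = New-Win32ProcessConfig $cmdline -ApplicationName "$PSScriptRoot\TokenViewer.exe"` for this branch and keep inheritance only on the path where a handle value is actually handed over. `Start-NtTokenViewer` is defined outside the visible hunks, so how it scopes inheritance cannot be checked from here.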
