Updated version to 1.1.8.

Author: James Forshaw

NtApiDotNet/NtApiDotNet.Core.csproj

@@ -7,8 +7,8 @@
     <Authors>James Forshaw</Authors>
     <Company>Google Inc.</Company>
     <Product>NtApiDotNet</Product>
-    <FileVersion>1.1.7.0</FileVersion>
-    <Copyright>Copyright © Google Inc. 2016, 2017</Copyright>
+    <FileVersion>1.1.8.0</FileVersion>
+    <Copyright>Copyright © Google Inc. 2016, 2017, 2018</Copyright>
     <AssemblyVersion>1.0.0.0</AssemblyVersion>
     <PackageLicenseUrl>https://www.apache.org/licenses/LICENSE-2.0</PackageLicenseUrl>
     <RepositoryUrl>https://github.com/google/sandbox-attacksurface-analysis-tools</RepositoryUrl>

NtApiDotNet/NtApiDotNet.nuspec

@@ -11,6 +11,17 @@
     <requireLicenseAcceptance>false</requireLicenseAcceptance>
     <description>A .NET class library to access native NT API system calls</description>
     <releaseNotes>
+1.1.8
+-----
+* Better support for relative paths in the cmdlets including supporting ones based on the current directory.
+* RenameEx and DispositionEx support from fllombard.
+* Added Key value deletion and fixes from rsiestrunck.
+* Fixed bug in NtOpenSession prototype.
+* Added support for adding additional groups to a token in Get-NtToken if user has SeTcbPrivilege.
+* Added Show-NtToken to display a token in the GUI, renamed old whois style token viewer to Show-NtTokenEffective.
+* Added PowerShell functions to get and create execution alias reparse points.
+* Added section viewer and editor with Show-NtSection function.
+
 1.1.7
 -----
 * Added projects to build NtObjectManager for PowerShell Core 6.0

NtApiDotNet/Properties/AssemblyInfo.cs

@@ -33,5 +33,5 @@
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
 [assembly: AssemblyVersion("1.0.0.0")]
-[assembly: AssemblyFileVersion("1.1.7.0")]
-[assembly: AssemblyInformationalVersion("1.1.7")]
+[assembly: AssemblyFileVersion("1.1.8.0")]
+[assembly: AssemblyInformationalVersion("1.1.8")]

NtObjectManager/NtObjectManager.Core.csproj

@@ -7,8 +7,8 @@
     <Authors>James Forshaw</Authors>
     <Company>Google Inc.</Company>
     <Product>NtObjectManager</Product>
-    <FileVersion>1.1.7.0</FileVersion>
-    <Copyright>Copyright © Google Inc. 2016, 2017</Copyright>
+    <FileVersion>1.1.8.0</FileVersion>
+    <Copyright>Copyright © Google Inc. 2016, 2017, 2018</Copyright>
     <AssemblyVersion>1.0.0.0</AssemblyVersion>
     <PackageLicenseUrl>https://www.apache.org/licenses/LICENSE-2.0</PackageLicenseUrl>
     <RepositoryUrl>https://github.com/google/sandbox-attacksurface-analysis-tools</RepositoryUrl>

NtObjectManager/NtObjectManager.psd1

@@ -18,7 +18,7 @@
 RootModule = 'NtObjectManager.psm1'
 
 # Version number of this module.
-ModuleVersion = '1.1.7'
+ModuleVersion = '1.1.8'
 
 # Supported PSEditions
 # CompatiblePSEditions = @()
@@ -33,54 +33,30 @@ Author = 'James Forshaw'
 CompanyName = 'Google Inc.'
 
 # Copyright statement for this module
-Copyright = '(c) 2016, 2017 Google Inc. All rights reserved.'
+Copyright = '(c) 2016, 2017, 2018 Google Inc. All rights reserved.'
 
 # Description of the functionality provided by this module
 Description = 'This module adds a provider and cmdlets to access the NT object manager namespace.'
 
 # Minimum version of the Windows PowerShell engine required by this module
 PowerShellVersion = '3.0'
 
-# Name of the Windows PowerShell host required by this module
-# PowerShellHostName = ''
-
-# Minimum version of the Windows PowerShell host required by this module
-# PowerShellHostVersion = ''
-
 # Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
 DotNetFrameworkVersion = '4.5'
 
 # Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
 CLRVersion = '4.0'
 
-# Processor architecture (None, X86, Amd64) required by this module
-# ProcessorArchitecture = ''
-
-# Modules that must be imported into the global environment prior to importing this module
-# RequiredModules = @()
-
-# Assemblies that must be loaded prior to importing this module
-# RequiredAssemblies = @()
-
-# Script files (.ps1) that are run in the caller's environment prior to importing this module.
-# ScriptsToProcess = @()
-
-# Type files (.ps1xml) to be loaded when importing this module
-# TypesToProcess = @()
-
 # Format files (.ps1xml) to be loaded when importing this module
 FormatsToProcess = 'Formatters.ps1xml'
 
-# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
-# NestedModules = @()
-
 # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
 FunctionsToExport = 'Get-NtTokenPrimary', 'Get-NtTokenThread', 'Get-NtTokenEffective', 'Get-AccessibleAlpcPort', 'Set-NtTokenPrivilege',
 					'Set-NtTokenIntegrityLevel', 'Get-NtProcessMitigations', 'New-NtKernelCrashDump', 'New-NtObjectAttributes',
 					'New-NtSecurityQualityOfService', 'Get-NtLicenseValue', 'Get-NtSystemEnvironmentValue', 'New-Win32Process',
 					'New-NtEaBuffer', 'New-NtSectionImage', 'New-Win32ProcessConfig', 'Get-NtTokenFromProcess', 'Get-ExecutableManifest',
 					'New-NtProcess', 'New-NtProcessConfig', 'Get-NtFilePath', 'Show-NtTokenEffective', 'Show-NtSecurityDescriptor', 'Get-NtIoControlCode',
-					'Import-NtObject', 'Export-NtObject', 'Get-ExecutionAlias', 'New-ExecutionAlias', 'Show-NtToken'
+					'Import-NtObject', 'Export-NtObject', 'Get-ExecutionAlias', 'New-ExecutionAlias', 'Show-NtToken', 'Show-NtSection'
 
 # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
 CmdletsToExport = 'Add-NtKey', 'Get-NtDirectory', 'Get-NtEvent', 'Get-NtFile', 
@@ -92,28 +68,16 @@ CmdletsToExport = 'Add-NtKey', 'Get-NtDirectory', 'Get-NtEvent', 'Get-NtFile',
                'New-NtMailslotFile', 'New-NtMutant', 'New-NtNamedPipeFile', 
                'New-NtSecurityDescriptor', 'New-NtSemaphore', 'New-NtSymbolicLink', 
                'Remove-NtFileReparsePoint', 'Start-NtWait', 'Use-NtObject',
-			   'Get-NtFilteredToken', 'Get-NtLowBoxToken', 'Get-NtSid',
-			   'Get-NtSection', 'New-NtSection', 'Get-AccessibleAlpcPort',
-			   'Get-AccessibleKey', 'Get-AccessibleProcess', 'Get-AccessibleFile',
-			   'Get-AccessibleObject', 'Get-NtAccessMask', 'Get-AccessibleDevice',
-			   'Get-AccessibleNamedPipe', 'Get-NtGrantedAccess', 'Get-NtJob', 'New-NtJob',
-			   'Get-AccessibleService', 'Get-AccessibleHandle', 'Remove-NtKey'
-
-# Variables to export from this module
-# VariablesToExport = @()
+               'Get-NtFilteredToken', 'Get-NtLowBoxToken', 'Get-NtSid',
+               'Get-NtSection', 'New-NtSection', 'Get-AccessibleAlpcPort',
+               'Get-AccessibleKey', 'Get-AccessibleProcess', 'Get-AccessibleFile',
+               'Get-AccessibleObject', 'Get-NtAccessMask', 'Get-AccessibleDevice',
+               'Get-AccessibleNamedPipe', 'Get-NtGrantedAccess', 'Get-NtJob', 'New-NtJob',
+               'Get-AccessibleService', 'Get-AccessibleHandle', 'Remove-NtKey'
 
 # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
 AliasesToExport = @()
 
-# DSC resources to export from this module
-# DscResourcesToExport = @()
-
-# List of all modules packaged with this module
-# ModuleList = @()
-
-# List of all files packaged with this module
-# FileList = @()
-
 # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
 PrivateData = @{
 
@@ -128,11 +92,18 @@ PrivateData = @{
         # A URL to the main website for this project.
         ProjectUri = 'https://github.com/google/sandbox-attacksurface-analysis-tools'
 
-        # A URL to an icon representing this module.
-        # IconUri = ''
-
         # ReleaseNotes of this module
-        ReleaseNotes = '1.1.7
+        ReleaseNotes = '1.1.8
+-----
+* Better support for relative paths in the cmdlets including supporting ones based on the current directory.
+* RenameEx and DispositionEx support from fllombard.
+* Added Key value deletion and fixes from rsiestrunck.
+* Fixed bug in NtOpenSession prototype.
+* Added support for adding additional groups to a token in Get-NtToken if user has SeTcbPrivilege.
+* Added Show-NtToken to display a token in the GUI, renamed old whois style token viewer to Show-NtTokenEffective.
+* Added PowerShell functions to get and create execution alias reparse points.
+* Added section viewer and editor with Show-NtSection function.
+1.1.7
 -----
 * Added projects to build NtObjectManager for PowerShell Core 6.0
 * Added additional techniques to open process tokens in access checking cmdlets.

NtObjectManager/NtObjectManager.psm1

@@ -1292,7 +1292,57 @@ function Show-NtToken {
 				}
 			}
 		}
-    }
+	}
+}
+
+<#
+.SYNOPSIS
+Displays a mapped section in a UI.
+.DESCRIPTION
+This cmdlet displays a section object inside a UI from where the data can be inspected or edited.
+.PARAMETER Section
+Specify a section object.
+.PARAMETER Wait
+Optionally wait for the user to close the UI.
+.PARAMETER ReadOnly
+Optionally force the viewer to be read-only when passing a section with Map Write access.
+.OUTPUTS
+None
+.EXAMPLE
+Show-NtSection $section
+Show the mapped section.
+.EXAMPLE
+Show-NtSection $section -ReadOnly
+Show the mapped section as read only.
+.EXAMPLE
+Show-NtSection $section -Wait
+Show the mapped section and wait for the viewer to exit.
+#>
+function Show-NtSection {
+    Param(
+        [Parameter(Position = 0, Mandatory = $true)] 
+        [NtApiDotNet.NtSection]$Section,
+        [switch]$ReadOnly
+    )
+
+	if (!$Section.IsAccessGranted("MapRead")) {
+		Write-Error "Section doesn't have Map Read access."
+		return
+	}
+	Use-NtObject($obj = $Section.Duplicate()) {
+		$obj.Inherit = $true
+		$cmdline = [string]::Format("EditSection {0}", $obj.Handle.DangerousGetHandle())
+		if ($ReadOnly) {
+			$cmdline += " --readonly"
+		}
+		$config = New-Win32ProcessConfig $cmdline -ApplicationName "$PSScriptRoot\EditSection.exe" -InheritHandles
+		$config.InheritHandleList.Add($obj.Handle.DangerousGetHandle())
+		Use-NtObject($p = New-Win32Process -Config $config) {
+			if ($Wait) {
+				$p.Process.Wait() | Out-Null
+			}
+		}
+	}
 }
 
 <#

NtObjectManager/Properties/AssemblyInfo.cs

@@ -33,5 +33,5 @@
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
 [assembly: AssemblyVersion("1.0.0.0")]
-[assembly: AssemblyFileVersion("1.1.7.0")]
-[assembly: AssemblyInformationalVersion("1.1.7")]
+[assembly: AssemblyFileVersion("1.1.8.0")]
+[assembly: AssemblyInformationalVersion("1.1.8")]

README.txt

@@ -21,6 +21,17 @@ with .NET Core 2.0 by building the specific project files.
 
 Release Notes:
 
+1.1.8
+-----
+* Better support for relative paths in the cmdlets including supporting ones based on the current directory.
+* RenameEx and DispositionEx support from fllombard.
+* Added Key value deletion and fixes from rsiestrunck.
+* Fixed bug in NtOpenSession prototype.
+* Added support for adding additional groups to a token in Get-NtToken if user has SeTcbPrivilege.
+* Added Show-NtToken to display a token in the GUI, renamed old whois style token viewer to Show-NtTokenEffective.
+* Added PowerShell functions to get and create execution alias reparse points.
+* Added section viewer and editor with Show-NtSection function.
+
 1.1.7
 -----
 * Added projects to build NtObjectManager for PowerShell Core 6.0