qtc-de · October 20, 2022 11:56
diff --git a/Get-ProcessRedirectionTrustPolicy.cpp b/Get-ProcessRedirectionTrustPolicy.cpp
 #include <windows.h>
 #include <stdio.h>
 #include <tchar.h>
 #include <psapi.h>
 #include <winnt.h>
 #include <winternl.h>

 typedef NTSTATUS(*MyNtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

 int main(int argc, char** argv)
 {
    HMODULE ntdll;
    HANDLE hToken;
    LUID luid = { 0 };
    BOOL result = false;
    DWORD aProcesses[1024], cbNeeded, cProcesses;

    /*
    * Enable SeDebugPrivilege to read memory from other proecesses. Required to obtain the actual
    * command line of other processes.
    * 
    * Reference: https://github.com/nettitude/DLLInjection/blob/master/Nettitude/Injection/SeDebugPrivilege.cpp
    */
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
        {
            TOKEN_PRIVILEGES tokenPriv = { 0 };
            tokenPriv.PrivilegeCount = 1;
            tokenPriv.Privileges[0].Luid = luid;
            tokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

            AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, sizeof(TOKEN_PRIVILEGES), NULL, NULL);

            if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
                printf("[-] Error: Your current token does not contain the SeDebugPrivilege.\n");
                printf("[-] Please rerun as administrator.");
                return 1;
            }
        }
    }

    /*
    * Make NtQueryInformationProcess accessible to obtain a reference to the Process Environment Block.
    * This is again required to obtain the actual command lone of other processes.
    */
    ntdll = LoadLibraryA("Ntdll.dll");
    MyNtQueryInformationProcess query = (MyNtQueryInformationProcess)GetProcAddress(ntdll, "NtQueryInformationProcess");

    /*
    * Enumerate all processes and iterate over them.
    * 
    * Reference: https://learn.microsoft.com/en-us/windows/win32/psapi/enumerating-all-processes
    */
    EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded);
    cProcesses = cbNeeded / sizeof(DWORD);

    for (int i = 0; i < cProcesses; i++)
    {
        HANDLE hProcess;
        PVOID* params;
        WCHAR* commandLineContents;
        UNICODE_STRING commandLine;
        PROCESS_BASIC_INFORMATION ProcessInformation = {};
        PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY policy = {};

        if (aProcesses[i] != 0)
        {
            hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, aProcesses[i]);

            if (hProcess != NULL)
            {
                /*
                * Obtain the command line from another process by reading it from the processes PEB.
                * 
                * Reference: https://stackoverflow.com/a/42341811
                */
                query(hProcess, ProcessBasicInformation, &ProcessInformation, sizeof(ProcessInformation), NULL);

                ReadProcessMemory(hProcess, &(ProcessInformation.PebBaseAddress->ProcessParameters), &params, sizeof(PVOID), NULL);
                ReadProcessMemory(hProcess, &(((_RTL_USER_PROCESS_PARAMETERS*)params)->CommandLine), &commandLine, sizeof(commandLine), NULL);

                commandLineContents = (WCHAR*)malloc(commandLine.Length);
                ReadProcessMemory(hProcess, commandLine.Buffer, commandLineContents, commandLine.Length, NULL);

                /*
                * Obtain the actual policy and print the result.
                * 
                * Reference: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getprocessmitigationpolicy
                */
                GetProcessMitigationPolicy(hProcess, PROCESS_MITIGATION_POLICY::ProcessRedirectionTrustPolicy, &policy, sizeof(policy));
                printf("E: %d - A: %d  - PID: %d - Process: %ws", policy.EnforceRedirectionTrust, policy.AuditRedirectionTrust, aProcesses[i], commandLineContents);
                printf("\n");

                CloseHandle(hProcess);
                free(commandLineContents);
            }
        }
    }

    return 0;
 }
	#include <windows.h>
	#include <stdio.h>
	#include <tchar.h>
	#include <psapi.h>
	#include <winnt.h>
	#include <winternl.h>

	typedef NTSTATUS(*MyNtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

	int main(int argc, char** argv)
	{
	HMODULE ntdll;
	HANDLE hToken;
	LUID luid = { 0 };
	BOOL result = false;
	DWORD aProcesses[1024], cbNeeded, cProcesses;

	/*
	* Enable SeDebugPrivilege to read memory from other proecesses. Required to obtain the actual
	* command line of other processes.
	*
	* Reference: https://github.com/nettitude/DLLInjection/blob/master/Nettitude/Injection/SeDebugPrivilege.cpp
	*/
	if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
	{
	if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
	{
	TOKEN_PRIVILEGES tokenPriv = { 0 };
	tokenPriv.PrivilegeCount = 1;
	tokenPriv.Privileges[0].Luid = luid;
	tokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

	AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, sizeof(TOKEN_PRIVILEGES), NULL, NULL);

	if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
	printf("[-] Error: Your current token does not contain the SeDebugPrivilege.\n");
	printf("[-] Please rerun as administrator.");
	return 1;
	}
	}
	}

	/*
	* Make NtQueryInformationProcess accessible to obtain a reference to the Process Environment Block.
	* This is again required to obtain the actual command lone of other processes.
	*/
	ntdll = LoadLibraryA("Ntdll.dll");
	MyNtQueryInformationProcess query = (MyNtQueryInformationProcess)GetProcAddress(ntdll, "NtQueryInformationProcess");

	/*
	* Enumerate all processes and iterate over them.
	*
	* Reference: https://learn.microsoft.com/en-us/windows/win32/psapi/enumerating-all-processes
	*/
	EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded);
	cProcesses = cbNeeded / sizeof(DWORD);

	for (int i = 0; i < cProcesses; i++)
	{
	HANDLE hProcess;
	PVOID* params;
	WCHAR* commandLineContents;
	UNICODE_STRING commandLine;
	PROCESS_BASIC_INFORMATION ProcessInformation = {};
	PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY policy = {};

	if (aProcesses[i] != 0)
	{
	hProcess = OpenProcess(PROCESS_QUERY_INFORMATION \| PROCESS_VM_READ, FALSE, aProcesses[i]);

	if (hProcess != NULL)
	{
	/*
	* Obtain the command line from another process by reading it from the processes PEB.
	*
	* Reference: https://stackoverflow.com/a/42341811
	*/
	query(hProcess, ProcessBasicInformation, &ProcessInformation, sizeof(ProcessInformation), NULL);

	ReadProcessMemory(hProcess, &(ProcessInformation.PebBaseAddress->ProcessParameters), &params, sizeof(PVOID), NULL);
	ReadProcessMemory(hProcess, &(((_RTL_USER_PROCESS_PARAMETERS*)params)->CommandLine), &commandLine, sizeof(commandLine), NULL);

	commandLineContents = (WCHAR*)malloc(commandLine.Length);
	ReadProcessMemory(hProcess, commandLine.Buffer, commandLineContents, commandLine.Length, NULL);

	/*
	* Obtain the actual policy and print the result.
	*
	* Reference: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getprocessmitigationpolicy
	*/
	GetProcessMitigationPolicy(hProcess, PROCESS_MITIGATION_POLICY::ProcessRedirectionTrustPolicy, &policy, sizeof(policy));
	printf("E: %d - A: %d - PID: %d - Process: %ws", policy.EnforceRedirectionTrust, policy.AuditRedirectionTrust, aProcesses[i], commandLineContents);
	printf("\n");

	CloseHandle(hProcess);
	free(commandLineContents);
	}
	}
	}

	return 0;
	}