PSReflect-Functions

1.1

advapi32/OpenThreadToken.ps1

                                function OpenThreadToken

{

    <#

    .SYNOPSIS

    The OpenThreadToken function opens the access token associated with a thread

    .DESCRIPTION

    Tokens with the anonymous impersonation level cannot be opened.

    Close the access token handle returned through the Handle parameter by calling CloseHandle.

    .PARAMETER ThreadHandle

    A handle to the thread whose access token is opened.

    .PARAMETER DesiredAccess

    Specifies an access mask that specifies the requested types of access to the access token. These requested access types are reconciled against the token's discretionary access control list (DACL) to determine which accesses are granted or denied.

    .PARAMETER OpenAsSelf

    TRUE if the access check is to be made against the process-level security context.

    FALSE if the access check is to be made against the current security context of the thread calling the OpenThreadToken function.

    The OpenAsSelf parameter allows the caller of this function to open the access token of a specified thread when the caller is impersonating a token at SecurityIdentification level. Without this parameter, the calling thread cannot open the access token on the specified thread because it is impossible to open executive-level objects by using the SecurityIdentification impersonation level.

    .NOTES

    Author: Jared Atkinson (@jaredcatkinson)

    License: BSD 3-Clause

    Required Dependencies: PSReflect

    Optional Dependencies: $TOKEN_ACCESS (Enumeration)

    (func advapi32 OpenThreadToken ([bool]) @(

      [IntPtr],                #_In_  HANDLE  ThreadHandle

      [UInt32],                #_In_  DWORD   DesiredAccess

      [bool],                  #_In_  BOOL    OpenAsSelf

      [IntPtr].MakeByRefType() #_Out_ PHANDLE TokenHandle

    ) -EntryPoint OpenThreadToken -SetLastError)

    .LINK

    https://msdn.microsoft.com/en-us/library/windows/desktop/aa379296(v=vs.85).aspx

    .LINK

    https://msdn.microsoft.com/en-us/library/windows/desktop/aa374905(v=vs.85).aspx

    .EXAMPLE

    #>

    [CmdletBinding()]

    param

    (

        [Parameter(Mandatory = $true)]

        [IntPtr]

        $ThreadHandle,

        [Parameter(Mandatory = $true)]

        [ValidateSet('TOKEN_ASSIGN_PRIMARY','TOKEN_DUPLICATE','TOKEN_IMPERSONATE','TOKEN_QUERY','TOKEN_QUERY_SOURCE','TOKEN_ADJUST_PRIVILEGES','TOKEN_ADJUST_GROUPS','TOKEN_ADJUST_DEFAULT','TOKEN_ADJUST_SESSIONID','DELETE','READ_CONTROL','WRITE_DAC','WRITE_OWNER','SYNCHRONIZE','STANDARD_RIGHTS_REQUIRED','TOKEN_ALL_ACCESS')]

        [string[]]

        $DesiredAccess,

        [Parameter()]

        [bool]

        $OpenAsSelf = $false   

    )

    # Calculate Desired Access Value

    $dwDesiredAccess = 0

    foreach($val in $DesiredAccess)

    {

        $dwDesiredAccess = $dwDesiredAccess -bor $TOKEN_ACCESS::$val

    }

    $hToken = [IntPtr]::Zero

    $Success = $Advapi32::OpenThreadToken($ThreadHandle, $dwDesiredAccess, $OpenAsSelf, [ref]$hToken); $LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()

    if(-not $Success) 

    {

        throw "OpenThreadToken Error: $(([ComponentModel.Win32Exception] $LastError).Message)"

    }

    Write-Output $hToken

}