Updated to v1.1.29.

NtApiDotNet.Forms/NtApiDotNet.Forms.nuspec

@@ -0,0 +1,69 @@
+<?xml version="1.0"?>
+<package >
+  <metadata>
+    <id>$id$</id>
+    <version>$version$</version>
+    <title>NtApiDotNet.Forms</title>
+    <authors>James Forshaw</authors>
+    <owners>James Forshaw</owners>
+    <license type="expression">Apache-2.0</license>
+    <projectUrl>https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools</projectUrl>
+    <requireLicenseAcceptance>false</requireLicenseAcceptance>
+    <description>A .NET class library to access native NT API system calls. This contains just the forms code.</description>
+    <releaseNotes>
+1.1.29
+--------
+* Added Get-NtProcessUser.
+* Added Get-NtProcessEnvironment.
+* Added global option for New-NtSymbolicLink.
+* Added Split-Win32CommandLine.
+* Added send and post methods to NtMessage.
+* Added AsObject parameter for Get-NtObjectInformation.
+* Added NtMailslotFile and fixed mailslot creation.
+* Added Get-NtKeySymbolicLinkTarget.
+* Added support for a FollowLink switch which will allow accessible cmdlets to follow symbolic links. Feature request #29.
+* Separated forms code from the main assembly.
+* Added setting service security and Get/Set-Win32ServiceSecurityDescriptor.
+* Added Win32 debug console class and Start/New/Read-Win32DebugConsole.
+* Added Test-NtTokenCapability.
+* Added New-Win32Service and Remove-Win32Service.
+* Reimplemented SidName to allow access to the Domain component.
+* Added section characteristics check when parsing RPC servers. Fix for issue #27.
+* Added an SDKName attribute to access rights.
+* Added Add-NtAccountRight and Remove-NtAccountRight.
+* Added basic VBS enclave support.
+* Added support to parse ELAM information from a binary.
+* Added Get-NtSigningLevel and Get-X509Certificate.
+* Added Compare-NtSigningLevel.
+* Added silo impersonation commands.
+* Added option to impersonation System when creating a token or with Invoke-NtToken.
+* Added proper enumeration of AppContainer profiles and support creating with capabilities.
+* Added Get-AppModelApplicationPolicy.
+* Added Get-NtThreadContext and Set-NtThreadContext.
+* Added support for calling CreateProcessWithLogon via Win32Process.
+* Added Start-AppModelApplication.
+* Added Add-NtThreadApc.
+* Fixed path handling in Get-Win32SecurityDescriptor.
+* Added Get-NtFileFinalPath command.
+* Reworked handling of lease oplocks.
+* Added basic USN journal support.
+* Added Get-NtFileStream.
+* Added Get-NtMountPoint command.
+* Added basic async support and the Wait-AsyncTaskResult command.
+* Added Send-NtFileControl command.
+* Added Get-NtFileVolumeInformation and Set-NtFileVolumeInformation.
+* Added Get-NtFileItem command.
+* Added support for querying device nodes, setup class and interface classes.
+* Added Get-NtFileSharingProcess.
+* IPeb: Added GetBeingDebugged() (#26)
+* Added support for enumerating filter drivers and connecting to ports.
+* Added New-NtKeySymbolicLink and Set-NtKeySymbolicLinkTarget.
+* Added a Get-NtKeyHive command.
+</releaseNotes>
+    <copyright>Copyright Google Inc. 2016-2020</copyright>
+    <tags>syscalls</tags>
+    <dependencies>
+      <dependency id="NtApiDotNet" version="1.1.29" />
+    </dependencies>
+  </metadata>
+</package>

NtApiDotNet.Forms/Properties/AssemblyInfo.cs

@@ -32,5 +32,5 @@
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
 [assembly: AssemblyVersion("1.0.0.0")]
-[assembly: AssemblyFileVersion("1.1.28.0")]
-[assembly: AssemblyInformationalVersion("1.1.28")]
+[assembly: AssemblyFileVersion("1.1.29.0")]
+[assembly: AssemblyInformationalVersion("1.1.29")]

NtApiDotNet/NtApiDotNet.Core.csproj

@@ -7,7 +7,7 @@
     <Authors>James Forshaw</Authors>
     <Company>Google Inc.</Company>
     <Product>NtApiDotNet</Product>
-    <FileVersion>1.1.28.0</FileVersion>
+    <FileVersion>1.1.29.0</FileVersion>
     <Copyright>Copyright © Google Inc. 2016-2020</Copyright>
     <AssemblyVersion>1.0.0.0</AssemblyVersion>
     <PackageLicenseUrl>https://www.apache.org/licenses/LICENSE-2.0</PackageLicenseUrl>

NtApiDotNet/NtApiDotNet.nuspec

@@ -11,36 +11,54 @@
     <requireLicenseAcceptance>false</requireLicenseAcceptance>
     <description>A .NET class library to access native NT API system calls</description>
     <releaseNotes>
-1.1.28
+1.1.29
 --------
-* Added Import-Win32Module and Get-Win32Module.
-* Added support for Registry Keys in the NtObjectManager provider.
-* Added Get-NtDirectoryEntry.
-* Added Win32 CreateRemoteThread.
-* Added addition Registry Key functions.
-* Added Network Authentication commands.
-* Added Authentication Token formatting commands.
-* Added new filtering features to TokenViewer.
-* Improved cmdlets for getting and setting object information classes.
-* Added Add-NtSection and Remove-NtSection.
-* Added Compare-NtObject.
-* Added Test-NtTokenPrivilege.
-* Added type parsing from PDBs via SymbolResolver.
-* Added a summary format to Format-NtSecurityDescriptor.
-* Added Out-HexDump.
-* Added C# compiler support for .NET Core Support of Get-RpcClient.
-* Updated New-NtSecurityDescriptor and Edit-NtSecurityDescriptor.
-* Basic C++ NDR formatting from irsl@.
-* Added Format-NtJob.
-* Added New-NtSecurityAttribute and Get-NtAceConditionData.
-* Added Device/User Claims to Token Viewer and Format-NtToken.
-* Added many different commands to manipulate Security Descriptors.
-* Added Win32 Security Descriptor commands.
-* Added filtering for accessible path commands.
-* Added Audit support.
-* Added basic AuthZ API support.
-* Added basic ASN.1 DER parsing and Format-ASN1DER command.
-* Added Kerberos Keytab file reading and writing.
+* Added Get-NtProcessUser.
+* Added Get-NtProcessEnvironment.
+* Added global option for New-NtSymbolicLink.
+* Added Split-Win32CommandLine.
+* Added send and post methods to NtMessage.
+* Added AsObject parameter for Get-NtObjectInformation.
+* Added NtMailslotFile and fixed mailslot creation.
+* Added Get-NtKeySymbolicLinkTarget.
+* Added support for a FollowLink switch which will allow accessible cmdlets to follow symbolic links. Feature request #29.
+* Separated forms code from the main assembly.
+* Added setting service security and Get/Set-Win32ServiceSecurityDescriptor.
+* Added Win32 debug console class and Start/New/Read-Win32DebugConsole.
+* Added Test-NtTokenCapability.
+* Added New-Win32Service and Remove-Win32Service.
+* Reimplemented SidName to allow access to the Domain component.
+* Added section characteristics check when parsing RPC servers. Fix for issue #27.
+* Added an SDKName attribute to access rights.
+* Added Add-NtAccountRight and Remove-NtAccountRight.
+* Added basic VBS enclave support.
+* Added support to parse ELAM information from a binary.
+* Added Get-NtSigningLevel and Get-X509Certificate.
+* Added Compare-NtSigningLevel.
+* Added silo impersonation commands.
+* Added option to impersonation System when creating a token or with Invoke-NtToken.
+* Added proper enumeration of AppContainer profiles and support creating with capabilities.
+* Added Get-AppModelApplicationPolicy.
+* Added Get-NtThreadContext and Set-NtThreadContext.
+* Added support for calling CreateProcessWithLogon via Win32Process.
+* Added Start-AppModelApplication.
+* Added Add-NtThreadApc.
+* Fixed path handling in Get-Win32SecurityDescriptor.
+* Added Get-NtFileFinalPath command.
+* Reworked handling of lease oplocks.
+* Added basic USN journal support.
+* Added Get-NtFileStream.
+* Added Get-NtMountPoint command.
+* Added basic async support and the Wait-AsyncTaskResult command.
+* Added Send-NtFileControl command.
+* Added Get-NtFileVolumeInformation and Set-NtFileVolumeInformation.
+* Added Get-NtFileItem command.
+* Added support for querying device nodes, setup class and interface classes.
+* Added Get-NtFileSharingProcess.
+* IPeb: Added GetBeingDebugged() (#26)
+* Added support for enumerating filter drivers and connecting to ports.
+* Added New-NtKeySymbolicLink and Set-NtKeySymbolicLinkTarget.
+* Added a Get-NtKeyHive command.
 </releaseNotes>
     <copyright>Copyright Google Inc. 2016-2020</copyright>
     <tags>syscalls</tags>

NtApiDotNet/Properties/AssemblyInfo.cs

@@ -32,5 +32,5 @@
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
 [assembly: AssemblyVersion("1.0.0.0")]
-[assembly: AssemblyFileVersion("1.1.28.0")]
-[assembly: AssemblyInformationalVersion("1.1.28")]
+[assembly: AssemblyFileVersion("1.1.29.0")]
+[assembly: AssemblyInformationalVersion("1.1.29")]

NtObjectManager/NtObjectManager.Core.csproj

@@ -7,7 +7,7 @@
     <Authors>James Forshaw</Authors>
     <Company>Google Inc.</Company>
     <Product>NtObjectManager</Product>
-    <FileVersion>1.1.28.0</FileVersion>
+    <FileVersion>1.1.29.0</FileVersion>
     <Copyright>Copyright © Google Inc. 2016-2020</Copyright>
     <AssemblyVersion>1.0.0.0</AssemblyVersion>
     <PackageLicenseUrl>https://www.apache.org/licenses/LICENSE-2.0</PackageLicenseUrl>

NtObjectManager/NtObjectManager.psd1

@@ -18,7 +18,7 @@
 RootModule = 'NtObjectManager.psm1'
 
 # Version number of this module.
-ModuleVersion = '1.1.28'
+ModuleVersion = '1.1.29'
 
 # ID used to uniquely identify this module
 GUID = 'ac251c97-67a6-4bc4-bb8a-5ae300e93030'
@@ -180,36 +180,54 @@ PrivateData = @{
         ProjectUri = 'https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools'
 
         # ReleaseNotes of this module
-        ReleaseNotes = '1.1.28
+        ReleaseNotes = '1.1.29
 --------
-* Added Import-Win32Module and Get-Win32Module.
-* Added support for Registry Keys in the NtObjectManager provider.
-* Added Get-NtDirectoryEntry.
-* Added Win32 CreateRemoteThread.
-* Added addition Registry Key functions.
-* Added Network Authentication commands.
-* Added Authentication Token formatting commands.
-* Added new filtering features to TokenViewer.
-* Improved cmdlets for getting and setting object information classes.
-* Added Add-NtSection and Remove-NtSection.
-* Added Compare-NtObject.
-* Added Test-NtTokenPrivilege.
-* Added type parsing from PDBs via SymbolResolver.
-* Added a summary format to Format-NtSecurityDescriptor.
-* Added Out-HexDump.
-* Added C# compiler support for .NET Core Support of Get-RpcClient.
-* Updated New-NtSecurityDescriptor and Edit-NtSecurityDescriptor.
-* Basic C++ NDR formatting from irsl@.
-* Added Format-NtJob.
-* Added New-NtSecurityAttribute and Get-NtAceConditionData.
-* Added Device/User Claims to Token Viewer and Format-NtToken.
-* Added many different commands to manipulate Security Descriptors.
-* Added Win32 Security Descriptor commands.
-* Added filtering for accessible path commands.
-* Added Audit support.
-* Added basic AuthZ API support.
-* Added basic ASN.1 DER parsing and Format-ASN1DER command.
-* Added Kerberos Keytab file reading and writing.
+* Added Get-NtProcessUser.
+* Added Get-NtProcessEnvironment.
+* Added global option for New-NtSymbolicLink.
+* Added Split-Win32CommandLine.
+* Added send and post methods to NtMessage.
+* Added AsObject parameter for Get-NtObjectInformation.
+* Added NtMailslotFile and fixed mailslot creation.
+* Added Get-NtKeySymbolicLinkTarget.
+* Added support for a FollowLink switch which will allow accessible cmdlets to follow symbolic links. Feature request #29.
+* Separated forms code from the main assembly.
+* Added setting service security and Get/Set-Win32ServiceSecurityDescriptor.
+* Added Win32 debug console class and Start/New/Read-Win32DebugConsole.
+* Added Test-NtTokenCapability.
+* Added New-Win32Service and Remove-Win32Service.
+* Reimplemented SidName to allow access to the Domain component.
+* Added section characteristics check when parsing RPC servers. Fix for issue #27.
+* Added an SDKName attribute to access rights.
+* Added Add-NtAccountRight and Remove-NtAccountRight.
+* Added basic VBS enclave support.
+* Added support to parse ELAM information from a binary.
+* Added Get-NtSigningLevel and Get-X509Certificate.
+* Added Compare-NtSigningLevel.
+* Added silo impersonation commands.
+* Added option to impersonation System when creating a token or with Invoke-NtToken.
+* Added proper enumeration of AppContainer profiles and support creating with capabilities.
+* Added Get-AppModelApplicationPolicy.
+* Added Get-NtThreadContext and Set-NtThreadContext.
+* Added support for calling CreateProcessWithLogon via Win32Process.
+* Added Start-AppModelApplication.
+* Added Add-NtThreadApc.
+* Fixed path handling in Get-Win32SecurityDescriptor.
+* Added Get-NtFileFinalPath command.
+* Reworked handling of lease oplocks.
+* Added basic USN journal support.
+* Added Get-NtFileStream.
+* Added Get-NtMountPoint command.
+* Added basic async support and the Wait-AsyncTaskResult command.
+* Added Send-NtFileControl command.
+* Added Get-NtFileVolumeInformation and Set-NtFileVolumeInformation.
+* Added Get-NtFileItem command.
+* Added support for querying device nodes, setup class and interface classes.
+* Added Get-NtFileSharingProcess.
+* IPeb: Added GetBeingDebugged() (#26)
+* Added support for enumerating filter drivers and connecting to ports.
+* Added New-NtKeySymbolicLink and Set-NtKeySymbolicLinkTarget.
+* Added a Get-NtKeyHive command.
 '
 
         # External dependent modules of this module

NtObjectManager/Properties/AssemblyInfo.cs

@@ -32,5 +32,5 @@
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
 [assembly: AssemblyVersion("1.0.0.0")]
-[assembly: AssemblyFileVersion("1.1.28.0")]
-[assembly: AssemblyInformationalVersion("1.1.28")]
+[assembly: AssemblyFileVersion("1.1.29.0")]
+[assembly: AssemblyInformationalVersion("1.1.29")]

README.txt

@@ -46,6 +46,55 @@ Thanks to the people who were willing to test it and give feedback:
 
 Release Notes:
 
+1.1.29
+--------
+* Added Get-NtProcessUser.
+* Added Get-NtProcessEnvironment.
+* Added global option for New-NtSymbolicLink.
+* Added Split-Win32CommandLine.
+* Added send and post methods to NtMessage.
+* Added AsObject parameter for Get-NtObjectInformation.
+* Added NtMailslotFile and fixed mailslot creation.
+* Added Get-NtKeySymbolicLinkTarget.
+* Added support for a FollowLink switch which will allow accessible cmdlets to follow symbolic links. Feature request #29.
+* Separated forms code from the main assembly.
+* Added setting service security and Get/Set-Win32ServiceSecurityDescriptor.
+* Added Win32 debug console class and Start/New/Read-Win32DebugConsole.
+* Added Test-NtTokenCapability.
+* Added New-Win32Service and Remove-Win32Service.
+* Reimplemented SidName to allow access to the Domain component.
+* Added section characteristics check when parsing RPC servers. Fix for issue #27.
+* Added an SDKName attribute to access rights.
+* Added Add-NtAccountRight and Remove-NtAccountRight.
+* Added basic VBS enclave support.
+* Added support to parse ELAM information from a binary.
+* Added Get-NtSigningLevel and Get-X509Certificate.
+* Added Compare-NtSigningLevel.
+* Added silo impersonation commands.
+* Added option to impersonation System when creating a token or with Invoke-NtToken.
+* Added proper enumeration of AppContainer profiles and support creating with capabilities.
+* Added Get-AppModelApplicationPolicy.
+* Added Get-NtThreadContext and Set-NtThreadContext.
+* Added support for calling CreateProcessWithLogon via Win32Process.
+* Added Start-AppModelApplication.
+* Added Add-NtThreadApc.
+* Fixed path handling in Get-Win32SecurityDescriptor.
+* Added Get-NtFileFinalPath command.
+* Reworked handling of lease oplocks.
+* Added basic USN journal support.
+* Added Get-NtFileStream.
+* Added Get-NtMountPoint command.
+* Added basic async support and the Wait-AsyncTaskResult command.
+* Added Send-NtFileControl command.
+* Added Get-NtFileVolumeInformation and Set-NtFileVolumeInformation.
+* Added Get-NtFileItem command.
+* Added support for querying device nodes, setup class and interface classes.
+* Added Get-NtFileSharingProcess.
+* IPeb: Added GetBeingDebugged() (#26)
+* Added support for enumerating filter drivers and connecting to ports.
+* Added New-NtKeySymbolicLink and Set-NtKeySymbolicLinkTarget.
+* Added a Get-NtKeyHive command.
+
 1.1.28
 --------
 * Added Import-Win32Module and Get-Win32Module.