 /// <summary>
 /// P/Invoke declaration for advapi32!CreateProcessWithTokenW: creates a new process
 /// running under the token <paramref name="hToken"/>. The DllImport attribute (DLL name,
 /// CharSet, SetLastError) is not visible in this excerpt.
 /// </summary>
 /// <remarks>
 /// Per the Win32 docs, <paramref name="hToken"/> must be a primary token (an impersonation
 /// token has to be duplicated first) and the caller needs SE_IMPERSONATE_NAME; the wrapper in
 /// this file passes LOGON_NETCREDENTIALS_ONLY as <paramref name="dwLogonFlags"/>.
 /// NOTE(review): the docs also state the W variant may modify lpCommandLine in place, and an
 /// immutable managed <c>string</c> for an in/out LPWSTR is a known P/Invoke pitfall
 /// (StringBuilder is the usual marshalling) — confirm against the hidden DllImport attribute.
 /// The hProcess/hThread handles returned in <paramref name="lpProcessInfo"/> are owned by the
 /// caller and must be closed.
 /// </remarks>
 public static extern bool CreateProcessWithTokenW(
     IntPtr hToken,
     Winbase.LOGON_FLAGS dwLogonFlags,
     string lpApplicationName,
     string lpCommandLine,
     Winbase.CREATION_FLAGS dwCreationFlags,
     IntPtr lpEnvironment,
     string lpCurrentDirectory,
     ref Winbase._STARTUPINFO lpStartupInfo,
     out Winbase._PROCESS_INFORMATION lpProcessInfo
     );
 /// <summary>
 /// P/Invoke declaration for kernel32!CreateProcess (CreateProcessW/A depending on the hidden
 /// DllImport CharSet): creates a process in the caller's own security context.
 /// </summary>
 /// <remarks>
 /// NOTE(review): both SECURITY_ATTRIBUTES parameters are <c>ref</c> structs, so callers cannot
 /// pass NULL (the usual "default security" case) and must hand in a zeroed struct instead —
 /// verify that is the intent, or add an <c>IntPtr</c> overload.
 /// <paramref name="bInheritHandles"/> = true copies every inheritable handle of this process
 /// into the child, which is a common way to leak privileged handles; prefer false unless the
 /// child needs specific handles.
 /// Per the Win32 docs the W variant may write to lpCommandLine in place (see the note on the
 /// managed <c>String</c> marshalling on CreateProcessWithTokenW), and the hProcess/hThread
 /// handles returned in <paramref name="lpProcessInformation"/> must be closed by the caller.
 /// </remarks>
 public static extern Boolean CreateProcess(
     String lpApplicationName,
     String lpCommandLine,
     ref Winbase._SECURITY_ATTRIBUTES lpProcessAttributes,
     ref Winbase._SECURITY_ATTRIBUTES lpThreadAttributes,
     Boolean bInheritHandles,
     Winbase.CREATION_FLAGS dwCreationFlags,
     IntPtr lpEnvironment,
     String lpCurrentDirectory,
     ref Winbase._STARTUPINFO lpStartupInfo,
     out Winbase._PROCESS_INFORMATION lpProcessInformation
     );
 /// <summary>
 /// P/Invoke declaration for advapi32!CreateProcessWithLogonW: creates a process from a
 /// username/domain/password triple rather than from a token handle.
 /// </summary>
 /// <remarks>
 /// <paramref name="lpPassword"/> is a managed <c>String</c>: the plaintext lives in the managed
 /// heap where it cannot be zeroed and may be copied by the GC. For real credentials prefer a
 /// pinned char[] / SecureString-backed buffer that is wiped after the call.
 /// The GetPipeToken wrapper in this file calls this with placeholder credentials and
 /// LOGON_NETCREDENTIALS_ONLY; per the Win32 docs that flag keeps the caller's logon session and
 /// does not validate the credentials locally, only using them for outbound network auth.
 /// Per the docs the W variant may modify lpCommandLine in place (see the marshalling note on
 /// CreateProcessWithTokenW), and the handles in <paramref name="lpProcessInformation"/> must be
 /// closed by the caller.
 /// </remarks>
 public static extern Boolean CreateProcessWithLogonW(
     String lpUsername,
     String lpDomain,
     String lpPassword,
     Winbase.LOGON_FLAGS dwLogonFlags,
     String lpApplicationName,
     String lpCommandLine,
     Winbase.CREATION_FLAGS dwCreationFlags,
     IntPtr lpEnvironment,
     String lpCurrentDirectory,
     ref Winbase._STARTUPINFO lpStartupInfo,
     out Winbase._PROCESS_INFORMATION lpProcessInformation
     );
        ////////////////////////////////////////////////////////////////////////////////
        // Wrapper for CreateProcessWithTokenW
        ////////////////////////////////////////////////////////////////////////////////
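        /// <summary>
        /// Resolves <paramref name="name"/> to an executable on disk and launches it under the
        /// token <paramref name="phNewToken"/> via advapi32!CreateProcessWithTokenW.
        /// </summary>
        /// <param name="phNewToken">Token the new process runs under. Per the Win32 docs it must be a
        /// primary token and the caller needs SE_IMPERSONATE_NAME.</param>
        /// <param name="name">Executable to run: anything containing a backslash is treated as a path
        /// (normalised with Path.GetFullPath and required to exist); otherwise it is resolved with
        /// the FindFilePath helper declared elsewhere in this class.</param>
        /// <param name="arguments">Arguments appended after the (quoted) executable path; null is
        /// treated as no arguments.</param>
        /// <returns>true when the process was created; false after printing the reason
        /// (file not found, invalid path, or the Win32 error from the API).</returns>
        public static Boolean CreateProcessWithTokenW(IntPtr phNewToken, String name, String arguments)
        {
            if (String.IsNullOrEmpty(name))
            {
                Console.WriteLine("[-] File Not Found");
                return(false);
            }

            String applicationPath = ResolveApplicationPath(name);
            if (String.Empty == applicationPath)
            {
                // ResolveApplicationPath already reported the reason.
                return(false);
            }

            Console.WriteLine("[*] CreateProcessWithTokenW");
            Winbase._STARTUPINFO startupInfo = new Winbase._STARTUPINFO
            {
                cb = (UInt32)Marshal.SizeOf(typeof(Winbase._STARTUPINFO))
            };
            Winbase._PROCESS_INFORMATION processInformation = new Winbase._PROCESS_INFORMATION();

            // Quote argv[0]: the resolved path may contain spaces (e.g. under "Program Files") and
            // an unquoted lpCommandLine is split by the child at the first space, shifting every
            // argument. lpApplicationName still decides which image actually runs.
            String commandLine = "\"" + applicationPath + "\" " + (arguments ?? String.Empty);

            if (!advapi32.CreateProcessWithTokenW(
                    phNewToken,
                    Winbase.LOGON_FLAGS.LOGON_NETCREDENTIALS_ONLY,
                    applicationPath,
                    commandLine,
                    Winbase.CREATION_FLAGS.NONE,
                    IntPtr.Zero,
                    Environment.CurrentDirectory,
                    ref startupInfo,
                    out processInformation
                    ))
            {
                Tokens.GetWin32Error("CreateProcessWithTokenW");
                return(false);
            }
            Console.WriteLine(" [+] Created process: " + processInformation.dwProcessId);
            Console.WriteLine(" [+] Created thread: " + processInformation.dwThreadId);

            // The API hands back process and thread handles that this wrapper never uses; leaving
            // them open leaks handles and keeps the child's kernel objects reachable from here.
            // NOTE(review): assumes _PROCESS_INFORMATION mirrors the Win32 field names
            // hProcess/hThread (as it does for dwProcessId/dwThreadId) — confirm against Winbase.
            kernel32.CloseHandle(processInformation.hProcess);
            kernel32.CloseHandle(processInformation.hThread);
            return(true);
        }

        /// <summary>
        /// Turns the user-supplied executable name into a full path, printing a diagnostic and
        /// returning <see cref="String.Empty"/> when it cannot be resolved.
        /// </summary>
        /// <param name="name">Non-empty executable name or path.</param>
        /// <returns>The resolved path, or String.Empty on failure.</returns>
        private static String ResolveApplicationPath(String name)
        {
            if (!name.Contains(@"\"))
            {
                // Bare name: search with the class' own lookup helper (declared elsewhere).
                String found = FindFilePath(name);
                if (String.Empty == found)
                {
                    Console.WriteLine("[-] Unable to find file");
                    return String.Empty;
                }
                return found;
            }

            // Path.GetFullPath throws on illegal characters, malformed drive specs and overlong
            // paths; report those instead of letting them escape as an unhandled exception.
            String fullPath;
            try
            {
                fullPath = System.IO.Path.GetFullPath(name);
            }
            catch (ArgumentException)
            {
                Console.WriteLine("[-] Invalid path");
                return String.Empty;
            }
            catch (NotSupportedException)
            {
                Console.WriteLine("[-] Invalid path");
                return String.Empty;
            }
            catch (System.IO.PathTooLongException)
            {
                Console.WriteLine("[-] Invalid path");
                return String.Empty;
            }

            if (!System.IO.File.Exists(fullPath))
            {
                Console.WriteLine("[-] File Not Found");
                return String.Empty;
            }
            return fullPath;
        }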
        ////////////////////////////////////////////////////////////////////////////////
        ////////////////////////////////////////////////////////////////////////////////
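        /// <summary>
        /// Runs the pipe listener <c>_GetPipeToken</c> on a worker thread, waits for it to signal
        /// <c>waitHandle</c>, and — if it populated the static <c>hToken</c> — launches
        /// <paramref name="command"/> with CreateProcessWithLogonW. <c>waitHandle</c>, <c>hToken</c>
        /// and <c>_GetPipeToken</c> are declared elsewhere in this class.
        /// </summary>
        /// <param name="pipeName">Pipe name handed to <c>_GetPipeToken</c> unchanged.</param>
        /// <param name="command">Used as both lpApplicationName and lpCommandLine, so it must be the
        /// executable path alone. NOTE(review): arguments inside lpApplicationName make the call
        /// fail, and an unquoted path with spaces is mis-split by the child — see the wrapper for
        /// CreateProcessWithTokenW in this file for the quoting pattern.</param>
        /// <remarks>
        /// The credentials "i"/"j"/"k" are placeholders: per the Win32 docs LOGON_NETCREDENTIALS_ONLY
        /// keeps the caller's logon session and does not validate them locally. The captured
        /// <c>hToken</c> is never passed to the API here; the effect presumably depends on the thread
        /// state left by the listener — TODO confirm against _GetPipeToken. The token handle is
        /// always closed and reset before returning.
        /// </remarks>
        public static void GetPipeToken(String pipeName, String command)
        {
            Console.WriteLine("[*] Creating Listener Thread");
            Thread thread = new Thread(() => _GetPipeToken(pipeName));

            thread.Start();
            waitHandle.WaitOne();

            Console.WriteLine("[*] Joining Thread");
            thread.Join();
            Console.WriteLine("[*] Joined Thread");

            if (IntPtr.Zero == hToken)
            {
                return;
            }

            try
            {
                Console.WriteLine("[*] CreateProcessWithLogonW");
                Winbase._STARTUPINFO startupInfo = new Winbase._STARTUPINFO();
                startupInfo.cb = (UInt32)Marshal.SizeOf(typeof(Winbase._STARTUPINFO));
                Winbase._PROCESS_INFORMATION processInformation = new Winbase._PROCESS_INFORMATION();
                if (!advapi32.CreateProcessWithLogonW(
                        "i", "j", "k",
                        Winbase.LOGON_FLAGS.LOGON_NETCREDENTIALS_ONLY,
                        command, command,
                        Winbase.CREATION_FLAGS.CREATE_DEFAULT_ERROR_MODE,
                        IntPtr.Zero,
                        Environment.CurrentDirectory,
                        ref startupInfo,
                        out processInformation
                        ))
                {
                    Tokens.GetWin32Error("CreateProcessWithLogonW");
                }
                else
                {
                    // Bug fix: the thread line used the placeholder "{1}" with a single format
                    // argument, which throws FormatException after the process was already created.
                    Console.WriteLine(" [+] Created process: {0}", processInformation.dwProcessId);
                    Console.WriteLine(" [+] Created thread:  {0}", processInformation.dwThreadId);

                    // Release the child's process/thread handles; they were never used here.
                    // NOTE(review): assumes _PROCESS_INFORMATION mirrors the Win32 field names
                    // hProcess/hThread — confirm against Winbase.
                    kernel32.CloseHandle(processInformation.hProcess);
                    kernel32.CloseHandle(processInformation.hThread);
                }
            }
            finally
            {
                // Always drop the captured token, even if the error reporting above throws.
                kernel32.CloseHandle(hToken);
                hToken = IntPtr.Zero;
            }
        }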
 ////////////////////////////////////////////////////////////////////////////////
 // Default Constructor
 ////////////////////////////////////////////////////////////////////////////////
 /// <summary>
 /// Default constructor: initialises <c>lpProcessInformation</c> (declared elsewhere in the class)
 /// with a freshly constructed <c>Winbase._PROCESS_INFORMATION</c> so the field is never left
 /// unset before a process is created. Nothing else is touched.
 /// </summary>
 internal HollowProcess()
 {
     this.lpProcessInformation = new Winbase._PROCESS_INFORMATION();
 }
 public static extern bool CreateProcessAsUserW(IntPtr hToken, IntPtr lpApplicationName, IntPtr lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, Winbase.CREATION_FLAGS dwCreationFlags, IntPtr lpEnvironment, IntPtr lpCurrentDirectory, ref Winbase._STARTUPINFO lpStartupInfo, out Winbase._PROCESS_INFORMATION lpProcessInfo);