Beispiel #1
0
        ////////////////////////////////////////////////////////////////////////////////
        // List the instances / volumes attached to for a given minifilter
        ////////////////////////////////////////////////////////////////////////////////
        private static void _ListFiltersInstances(CommandLineParsing cLP)
        {
            string filter;

            if (!cLP.GetData("filter", out filter))
            {
                Console.WriteLine("[-] Filter Not Specified");
                return;
            }

            using (FilterInstance filterInstance = new FilterInstance(filter))
            {
                filterInstance.First();
                filterInstance.Next();
            }
        }
Beispiel #2
0
        internal void Run()
        {
            try
            {
                Console.Write(context);
                String input;
                if (activateTabs)
                {
                    input = console.ReadLine();
                }
                else
                {
                    input = Console.ReadLine();
                }

                IntPtr tempToken = IntPtr.Zero;
                kernel32.OpenProcessToken(kernel32.GetCurrentProcess(), Constants.TOKEN_ALL_ACCESS, out IntPtr hToken);
                switch (NextItem(ref input))
                {
                case "info":
                    if (GetProcessID(input, out processID, out command) && OpenToken(processID, ref tempToken))
                    {
                        hToken = tempToken;
                    }
                    Console.WriteLine("");
                    CheckPrivileges.GetTokenUser(hToken);
                    Console.WriteLine("");
                    CheckPrivileges.GetTokenOwner(hToken);
                    Console.WriteLine("");
                    CheckPrivileges.GetTokenGroups(hToken);
                    Console.WriteLine("");
                    CheckPrivileges.GetElevationType(hToken, out Winnt._TOKEN_TYPE tokenType);
                    CheckPrivileges.PrintElevation(hToken);
                    break;

                case "list_privileges":
                    if (GetProcessID(input, out processID, out command))
                    {
                        if (OpenToken(processID, ref tempToken))
                        {
                            hToken = tempToken;
                        }
                        else
                        {
                            break;
                        }
                    }
                    Tokens.EnumerateTokenPrivileges(hToken);
                    break;

                case "enable_privilege":
                    if (GetProcessID(input, out processID, out command))
                    {
                        if (OpenToken(processID, ref tempToken))
                        {
                            hToken = tempToken;
                        }
                        else
                        {
                            break;
                        }
                    }
                    Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
                    break;

                case "disable_privilege":
                    if (GetProcessID(input, out processID, out command))
                    {
                        if (OpenToken(processID, ref tempToken))
                        {
                            hToken = tempToken;
                        }
                        else
                        {
                            break;
                        }
                    }
                    Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_NONE);
                    break;

                case "remove_privilege":
                    if (GetProcessID(input, out processID, out command))
                    {
                        if (OpenToken(processID, ref tempToken))
                        {
                            hToken = tempToken;
                        }
                        else
                        {
                            break;
                        }
                    }
                    Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED);
                    break;

                case "nuke_privileges":
                    if (GetProcessID(input, out processID, out command))
                    {
                        if (OpenToken(processID, ref tempToken))
                        {
                            hToken = tempToken;
                        }
                        else
                        {
                            break;
                        }
                    }
                    Tokens.DisableAndRemoveAllTokenPrivileges(ref hToken);
                    break;

                case "terminate":
                    if (GetProcessID(input, out processID, out command))
                    {
                        IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_TERMINATE, false, (UInt32)processID);
                        if (IntPtr.Zero == hProcess)
                        {
                            Tokens.GetWin32Error("OpenProcess");
                            break;
                        }
                        Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4"));
                        if (!kernel32.TerminateProcess(hProcess, 0))
                        {
                            Tokens.GetWin32Error("TerminateProcess");
                            break;
                        }
                        Console.WriteLine("[+] Process Terminated");
                    }
                    break;

                case "sample_processes":
                    users = Enumeration.EnumerateTokens(false);
                    Console.WriteLine("{0,-40}{1,-20}{2}", "User", "Process ID", "Process Name");
                    Console.WriteLine("{0,-40}{1,-20}{2}", "----", "----------", "------------");
                    foreach (String name in users.Keys)
                    {
                        Console.WriteLine("{0,-40}{1,-20}{2}", name, users[name], Process.GetProcessById((Int32)users[name]).ProcessName);
                    }
                    break;

                case "sample_processes_wmi":
                    users = Enumeration.EnumerateTokensWMI();
                    Console.WriteLine("{0,-40}{1,-20}{2}", "User", "Process ID", "Process Name");
                    Console.WriteLine("{0,-40}{1,-20}{2}", "----", "----------", "------------");
                    foreach (String name in users.Keys)
                    {
                        Console.WriteLine("{0,-40}{1,-20}{2}", name, users[name], Process.GetProcessById((Int32)users[name]).ProcessName);
                    }
                    break;

                case "find_user_processes":
                    processes = Enumeration.EnumerateUserProcesses(false, input);
                    Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name");
                    Console.WriteLine("{0,-30}{1,-30}", "----------", "------------");
                    foreach (UInt32 pid in processes.Keys)
                    {
                        Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
                    }
                    break;

                case "find_user_processes_wmi":
                    processes = Enumeration.EnumerateUserProcessesWMI(input);
                    Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name");
                    Console.WriteLine("{0,-30}{1,-30}", "----------", "------------");
                    foreach (UInt32 pid in processes.Keys)
                    {
                        Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
                    }
                    break;

                case "list_filters":
                    using (Filters filters = new Filters())
                    {
                        filters.First();
                        filters.Next();
                    }
                    break;

                case "list_filter_instances":
                    using (FilterInstance filterInstance = new FilterInstance(NextItem(ref input)))
                    {
                        filterInstance.First();
                        filterInstance.Next();
                    }
                    break;

                case "detach_filter":
                    Filters.FilterDetach(input);
                    break;

                case "unload_filter":
                    Filters.Unload(NextItem(ref input));
                    break;

                case "sessions":
                    Enumeration.EnumerateInteractiveUserSessions();
                    break;

                case "getsystem":
                    GetSystem(input, hToken);
                    break;

                case "gettrustedinstaller":
                    GetTrustedInstaller(input);
                    break;

                case "steal_token":
                    StealToken(input);
                    break;

                case "steal_pipe_token":
                    StealPipeToken(input);
                    break;

                case "bypassuac":
                    BypassUAC(input);
                    break;

                case "whoami":
                    Console.WriteLine("[*] Operating as {0}", WindowsIdentity.GetCurrent().Name);
                    break;

                case "reverttoself":
                    String message = advapi32.RevertToSelf() ? "[*] Reverted token to " + WindowsIdentity.GetCurrent().Name : "[-] RevertToSelf failed";
                    Console.WriteLine(message);
                    break;

                case "run":
                    Run(input);
                    break;

                case "runpowershell":
                    RunPowerShell(input);
                    break;

                case "exit":
                    Environment.Exit(0);
                    break;

                case "help":
                    String item = NextItem(ref input);
                    if ("help" != item)
                    {
                        Help(item);
                    }
                    else
                    {
                        Help();
                    }
                    break;

                default:
                    Help();
                    break;
                }
                if (IntPtr.Zero != hToken)
                {
                    kernel32.CloseHandle(hToken);
                }
                Console.WriteLine();
            }
            catch (Exception error)
            {
                Console.WriteLine(error.ToString());
                Tokens.GetWin32Error("MainLoop");
            }
            finally
            {
            }
        }