public static LUID CreateProcessNetOnly(string commandLine, bool show = false)
{
// creates a hidden process with random /netonly credentials,
// displayng the process ID and LUID, and returning the LUID
// Note: the LUID can be used with the "ptt" action
Interop.PROCESS_INFORMATION pi;
var si = new Interop.STARTUPINFO();
si.cb = Marshal.SizeOf(si);
if (!show)
{
// hide the window
si.wShowWindow = 0;
si.dwFlags = 0x00000001;
}
Console.WriteLine("[*] Showing process : {0}", show);
var luid = new LUID();
// 0x00000002 == LOGON_NETCREDENTIALS_ONLY
if (!Interop.CreateProcessWithLogonW(Helpers.RandomString(8), Helpers.RandomString(8), Helpers.RandomString(8), 0x00000002, commandLine, String.Empty, 0, 0, null, ref si, out pi))
{
var lastError = Interop.GetLastError();
Console.WriteLine("[X] CreateProcessWithLogonW error: {0}", lastError);
return(new LUID());
}
Console.WriteLine("[+] Process : '{0}' successfully created with LOGON_TYPE = 9", commandLine);
Console.WriteLine("[+] ProcessID : {0}", pi.dwProcessId);
var hToken = IntPtr.Zero;
// TOKEN_QUERY == 0x0008
var success = Interop.OpenProcessToken(pi.hProcess, 0x0008, out hToken);
if (!success)
{
var lastError = Interop.GetLastError();
Console.WriteLine("[X] OpenProcessToken error: {0}", lastError);
return(new LUID());
}
var TokenInfLength = 0;
bool Result;
// first call gets lenght of TokenInformation to get proper struct size
Result = Interop.GetTokenInformation(hToken, Interop.TOKEN_INFORMATION_CLASS.TokenStatistics, IntPtr.Zero, TokenInfLength, out TokenInfLength);
var TokenInformation = Marshal.AllocHGlobal(TokenInfLength);
// second call actually gets the information
Result = Interop.GetTokenInformation(hToken, Interop.TOKEN_INFORMATION_CLASS.TokenStatistics, TokenInformation, TokenInfLength, out TokenInfLength);
if (Result)
{
var TokenStats = (Interop.TOKEN_STATISTICS)Marshal.PtrToStructure(TokenInformation, typeof(Interop.TOKEN_STATISTICS));
luid = new LUID(TokenStats.AuthenticationId);
Console.WriteLine("[+] LUID : {0}", luid);
}
else
{
var lastError = Interop.GetLastError();
Console.WriteLine("[X] GetTokenInformation error: {0}", lastError);
Marshal.FreeHGlobal(TokenInformation);
Interop.CloseHandle(hToken);
return(new LUID());
}
Marshal.FreeHGlobal(TokenInformation);
Interop.CloseHandle(hToken);
return(luid);
}
/// <summary>Starts the process using the supplied start info.</summary>
/// <param name="startInfo">The start info with which to start the process.</param>
private bool StartCore(ProcessStartInfo startInfo)
{
if (startInfo.StandardOutputEncoding != null && !startInfo.RedirectStandardOutput)
{
throw new InvalidOperationException(SR.StandardOutputEncodingNotAllowed);
}
if (startInfo.StandardErrorEncoding != null && !startInfo.RedirectStandardError)
{
throw new InvalidOperationException(SR.StandardErrorEncodingNotAllowed);
}
// See knowledge base article Q190351 for an explanation of the following code. Noteworthy tricky points:
// * The handles are duplicated as non-inheritable before they are passed to CreateProcess so
// that the child process can not close them
// * CreateProcess allows you to redirect all or none of the standard IO handles, so we use
// GetStdHandle for the handles that are not being redirected
//Cannot start a new process and store its handle if the object has been disposed, since finalization has been suppressed.
if (_disposed)
{
throw new ObjectDisposedException(GetType().Name);
}
StringBuilder commandLine = BuildCommandLine(startInfo.FileName, startInfo.Arguments);
Interop.STARTUPINFO startupInfo = new Interop.STARTUPINFO();
Interop.PROCESS_INFORMATION processInfo = new Interop.PROCESS_INFORMATION();
Interop.SECURITY_ATTRIBUTES unused_SecAttrs = new Interop.SECURITY_ATTRIBUTES();
SafeProcessHandle procSH = new SafeProcessHandle();
SafeThreadHandle threadSH = new SafeThreadHandle();
bool retVal;
int errorCode = 0;
// handles used in parent process
SafeFileHandle standardInputWritePipeHandle = null;
SafeFileHandle standardOutputReadPipeHandle = null;
SafeFileHandle standardErrorReadPipeHandle = null;
GCHandle environmentHandle = new GCHandle();
lock (s_createProcessLock)
{
try
{
// set up the streams
if (startInfo.RedirectStandardInput || startInfo.RedirectStandardOutput || startInfo.RedirectStandardError)
{
if (startInfo.RedirectStandardInput)
{
CreatePipe(out standardInputWritePipeHandle, out startupInfo.hStdInput, true);
}
else
{
startupInfo.hStdInput = new SafeFileHandle(Interop.mincore.GetStdHandle(Interop.STD_INPUT_HANDLE), false);
}
if (startInfo.RedirectStandardOutput)
{
CreatePipe(out standardOutputReadPipeHandle, out startupInfo.hStdOutput, false);
}
else
{
startupInfo.hStdOutput = new SafeFileHandle(Interop.mincore.GetStdHandle(Interop.STD_OUTPUT_HANDLE), false);
}
if (startInfo.RedirectStandardError)
{
CreatePipe(out standardErrorReadPipeHandle, out startupInfo.hStdError, false);
}
else
{
startupInfo.hStdError = new SafeFileHandle(Interop.mincore.GetStdHandle(Interop.STD_ERROR_HANDLE), false);
}
startupInfo.dwFlags = Interop.STARTF_USESTDHANDLES;
}
// set up the creation flags paramater
int creationFlags = 0;
if (startInfo.CreateNoWindow)
{
creationFlags |= Interop.CREATE_NO_WINDOW;
}
// set up the environment block parameter
IntPtr environmentPtr = (IntPtr)0;
if (startInfo._environmentVariables != null)
{
creationFlags |= Interop.CREATE_UNICODE_ENVIRONMENT;
byte[] environmentBytes = EnvironmentVariablesToByteArray(startInfo._environmentVariables);
environmentHandle = GCHandle.Alloc(environmentBytes, GCHandleType.Pinned);
environmentPtr = environmentHandle.AddrOfPinnedObject();
}
string workingDirectory = startInfo.WorkingDirectory;
if (workingDirectory == string.Empty)
{
workingDirectory = Directory.GetCurrentDirectory();
}
try { }
finally
{
retVal = Interop.mincore.CreateProcess(
null, // we don't need this since all the info is in commandLine
commandLine, // pointer to the command line string
unused_SecAttrs, // address to process security attributes, we don't need to inheriat the handle
unused_SecAttrs, // address to thread security attributes.
true, // handle inheritance flag
creationFlags, // creation flags
environmentPtr, // pointer to new environment block
workingDirectory, // pointer to current directory name
startupInfo, // pointer to STARTUPINFO
processInfo // pointer to PROCESS_INFORMATION
);
if (!retVal)
{
errorCode = Marshal.GetLastWin32Error();
}
if (processInfo.hProcess != (IntPtr)0 && processInfo.hProcess != (IntPtr)Interop.INVALID_HANDLE_VALUE)
{
procSH.InitialSetHandle(processInfo.hProcess);
}
if (processInfo.hThread != (IntPtr)0 && processInfo.hThread != (IntPtr)Interop.INVALID_HANDLE_VALUE)
{
threadSH.InitialSetHandle(processInfo.hThread);
}
}
if (!retVal)
{
if (errorCode == Interop.ERROR_BAD_EXE_FORMAT || errorCode == Interop.ERROR_EXE_MACHINE_TYPE_MISMATCH)
{
throw new Win32Exception(errorCode, SR.InvalidApplication);
}
throw new Win32Exception(errorCode);
}
}
finally
{
// free environment block
if (environmentHandle.IsAllocated)
{
environmentHandle.Free();
}
startupInfo.Dispose();
}
}
if (startInfo.RedirectStandardInput)
{
Encoding enc = GetEncoding((int)Interop.mincore.GetConsoleCP());
_standardInput = new StreamWriter(new FileStream(standardInputWritePipeHandle, FileAccess.Write, 4096, false), enc, 4096);
_standardInput.AutoFlush = true;
}
if (startInfo.RedirectStandardOutput)
{
Encoding enc = (startInfo.StandardOutputEncoding != null) ? startInfo.StandardOutputEncoding : GetEncoding((int)Interop.mincore.GetConsoleOutputCP());
_standardOutput = new StreamReader(new FileStream(standardOutputReadPipeHandle, FileAccess.Read, 4096, false), enc, true, 4096);
}
if (startInfo.RedirectStandardError)
{
Encoding enc = (startInfo.StandardErrorEncoding != null) ? startInfo.StandardErrorEncoding : GetEncoding((int)Interop.mincore.GetConsoleOutputCP());
_standardError = new StreamReader(new FileStream(standardErrorReadPipeHandle, FileAccess.Read, 4096, false), enc, true, 4096);
}
bool ret = false;
if (!procSH.IsInvalid)
{
SetProcessHandle(procSH);
SetProcessId((int)processInfo.dwProcessId);
threadSH.Dispose();
ret = true;
}
return(ret);
}
/// <summary>Starts the process using the supplied start info.</summary>
/// <param name="startInfo">The start info with which to start the process.</param>
private bool StartCore(ProcessStartInfo startInfo)
{
// See knowledge base article Q190351 for an explanation of the following code. Noteworthy tricky points:
// * The handles are duplicated as non-inheritable before they are passed to CreateProcess so
// that the child process can not close them
// * CreateProcess allows you to redirect all or none of the standard IO handles, so we use
// GetStdHandle for the handles that are not being redirected
StringBuilder commandLine = BuildCommandLine(startInfo.FileName, startInfo.Arguments);
Interop.STARTUPINFO startupInfo = new Interop.STARTUPINFO();
Interop.PROCESS_INFORMATION processInfo = new Interop.PROCESS_INFORMATION();
Interop.SECURITY_ATTRIBUTES unused_SecAttrs = new Interop.SECURITY_ATTRIBUTES();
SafeProcessHandle procSH = new SafeProcessHandle();
SafeThreadHandle threadSH = new SafeThreadHandle();
bool retVal;
int errorCode = 0;
// handles used in parent process
SafeFileHandle standardInputWritePipeHandle = null;
SafeFileHandle standardOutputReadPipeHandle = null;
SafeFileHandle standardErrorReadPipeHandle = null;
GCHandle environmentHandle = new GCHandle();
lock (s_createProcessLock)
{
try
{
// set up the streams
if (startInfo.RedirectStandardInput || startInfo.RedirectStandardOutput || startInfo.RedirectStandardError)
{
if (startInfo.RedirectStandardInput)
{
CreatePipe(out standardInputWritePipeHandle, out startupInfo.hStdInput, true);
}
else
{
startupInfo.hStdInput = new SafeFileHandle(Interop.mincore.GetStdHandle(Interop.STD_INPUT_HANDLE), false);
}
if (startInfo.RedirectStandardOutput)
{
CreatePipe(out standardOutputReadPipeHandle, out startupInfo.hStdOutput, false);
}
else
{
startupInfo.hStdOutput = new SafeFileHandle(Interop.mincore.GetStdHandle(Interop.STD_OUTPUT_HANDLE), false);
}
if (startInfo.RedirectStandardError)
{
CreatePipe(out standardErrorReadPipeHandle, out startupInfo.hStdError, false);
}
else
{
startupInfo.hStdError = new SafeFileHandle(Interop.mincore.GetStdHandle(Interop.STD_ERROR_HANDLE), false);
}
startupInfo.dwFlags = Interop.STARTF_USESTDHANDLES;
}
// set up the creation flags paramater
int creationFlags = 0;
if (startInfo.CreateNoWindow) creationFlags |= Interop.CREATE_NO_WINDOW;
// set up the environment block parameter
IntPtr environmentPtr = (IntPtr)0;
if (startInfo._environmentVariables != null)
{
creationFlags |= Interop.CREATE_UNICODE_ENVIRONMENT;
byte[] environmentBytes = EnvironmentVariablesToByteArray(startInfo._environmentVariables);
environmentHandle = GCHandle.Alloc(environmentBytes, GCHandleType.Pinned);
environmentPtr = environmentHandle.AddrOfPinnedObject();
}
string workingDirectory = startInfo.WorkingDirectory;
if (workingDirectory == string.Empty)
workingDirectory = Directory.GetCurrentDirectory();
try { }
finally
{
retVal = Interop.mincore.CreateProcess(
null, // we don't need this since all the info is in commandLine
commandLine, // pointer to the command line string
unused_SecAttrs, // address to process security attributes, we don't need to inheriat the handle
unused_SecAttrs, // address to thread security attributes.
true, // handle inheritance flag
creationFlags, // creation flags
environmentPtr, // pointer to new environment block
workingDirectory, // pointer to current directory name
startupInfo, // pointer to STARTUPINFO
processInfo // pointer to PROCESS_INFORMATION
);
if (!retVal)
errorCode = Marshal.GetLastWin32Error();
if (processInfo.hProcess != (IntPtr)0 && processInfo.hProcess != (IntPtr)Interop.INVALID_HANDLE_VALUE)
procSH.InitialSetHandle(processInfo.hProcess);
if (processInfo.hThread != (IntPtr)0 && processInfo.hThread != (IntPtr)Interop.INVALID_HANDLE_VALUE)
threadSH.InitialSetHandle(processInfo.hThread);
}
if (!retVal)
{
if (errorCode == Interop.ERROR_BAD_EXE_FORMAT || errorCode == Interop.ERROR_EXE_MACHINE_TYPE_MISMATCH)
{
throw new Win32Exception(errorCode, SR.InvalidApplication);
}
throw new Win32Exception(errorCode);
}
}
finally
{
// free environment block
if (environmentHandle.IsAllocated)
{
environmentHandle.Free();
}
startupInfo.Dispose();
}
}
if (startInfo.RedirectStandardInput)
{
Encoding enc = GetEncoding((int)Interop.mincore.GetConsoleCP());
_standardInput = new StreamWriter(new FileStream(standardInputWritePipeHandle, FileAccess.Write, 4096, false), enc, 4096);
_standardInput.AutoFlush = true;
}
if (startInfo.RedirectStandardOutput)
{
Encoding enc = startInfo.StandardOutputEncoding ?? GetEncoding((int)Interop.mincore.GetConsoleOutputCP());
_standardOutput = new StreamReader(new FileStream(standardOutputReadPipeHandle, FileAccess.Read, 4096, false), enc, true, 4096);
}
if (startInfo.RedirectStandardError)
{
Encoding enc = startInfo.StandardErrorEncoding ?? GetEncoding((int)Interop.mincore.GetConsoleOutputCP());
_standardError = new StreamReader(new FileStream(standardErrorReadPipeHandle, FileAccess.Read, 4096, false), enc, true, 4096);
}
bool ret = false;
if (!procSH.IsInvalid)
{
SetProcessHandle(procSH);
SetProcessId((int)processInfo.dwProcessId);
threadSH.Dispose();
ret = true;
}
return ret;
}
