private void Run(ExecConfig e, string section, int seq, bool isAsync = true)
{
ProgramWrapper wrapper;
if (Globals.Config.User == null ||
e.ExecLaunchPrivilegeLevel == ExecLaunchPrivilegeLevel.IgnoreUser ||
e.ExecLaunchPrivilegeLevel == ExecLaunchPrivilegeLevel.Full)
{
wrapper = new ManagedProgramWrapper(e.ProgramPath, e.Arguments);
wrapper.Start();
}
else
{
// Get the privilege for impersonation
var currentProcess = new CProcess();
if (!currentProcess.SetPrivilege("SeTcbPrivilege", true))
{
throw new InvalidOperationException("Required privilege SeTcbPrivilege failed");
}
if (!currentProcess.SetPrivilege("SeDelegateSessionUserImpersonatePrivilege", true))
{
throw new InvalidOperationException("Required privilege SeDelegateSessionUserImpersonatePrivilege failed");
}
// Get the identity we needed
var identity = new WindowsIdentity(Globals.Config.User);
if (identity.ImpersonationLevel != TokenImpersonationLevel.Impersonation)
{
throw new InvalidOperationException("Insufficient permission");
}
// Run the helper process as that identity
using (identity.Impersonate())
{
LogMuxer.Instance.Debug($"After impersonation, User={WindowsIdentity.GetCurrent().Name}, ImpersonationLevel={identity.ImpersonationLevel}");;
wrapper = new NativeProgramWrapper(section, seq, identity.Token);
wrapper.Start();
}
}
if (isAsync)
{
_programPool.Add(wrapper);
wrapper.ProgramExited += SubprocessQuit;
}
else
{
wrapper.WaitForExit();
}
}
private void button2_Click(object sender, EventArgs e)
{
CProcess CurrentProcess = new CProcess(), TargetProcess = new CProcess(Options.TargetProcess), ServProcess; //Use HLeaker to get a handle with needed privileges
int counter = 0, maxCount = 1;
List <Service.HANDLE_INFO> HandleList = new List <Service.HANDLE_INFO>();
IntPtr hProcess = IntPtr.Zero;
CurrentProcess.SetPrivilege("SeDebugPrivilege", true);
CurrentProcess.SetPrivilege("SeTcbPrivilege", true);
TargetProcess.Wait(Options.DelayToWait);
if (TargetProcess.IsValidProcess())
{
HandleList = Service.ServiceEnumHandles(TargetProcess.GetPid(), Options.DesiredAccess);
if (HandleList.Count > 0)
{
foreach (Service.HANDLE_INFO enumerator in HandleList)
{
if (counter == maxCount)
{
break;
}
if (enumerator.Pid == Kernel32.GetCurrentProcessId())
{
continue;
}
ServProcess = new CProcess(enumerator.Pid);
if (Service.ServiceSetHandleStatus(ServProcess, (IntPtr)enumerator.hProcess, true, true) == true)
{
hProcess = Service.ServiceStartProcess(null, Directory.GetCurrentDirectory() + "\\Stuff\\" + Options.YourProcess + " " + enumerator.hProcess, null, true, ServProcess.GetHandle());
Service.ServiceSetHandleStatus(ServProcess, (IntPtr)enumerator.hProcess, false, false);
counter++;
}
if (hProcess != null)
{
Kernel32.CloseHandle(hProcess);
}
ServProcess.Close();
}
}
TargetProcess.Close();
}
CurrentProcess.SetPrivilege("SeDebugPrivilege", false);
CurrentProcess.SetPrivilege("SeTcbPrivilege", false);
this.Close();
}
