private async void btnStartServer_Click(object sender, EventArgs e) { try { btnStartServer.Enabled = false; using (NamedPipeServerStream pipe = new NamedPipeServerStream(txtPipeName.Text, PipeDirection.In, 1, PipeTransmissionMode.Byte, PipeOptions.Asynchronous)) { await Task.Factory.FromAsync(pipe.BeginWaitForConnection, pipe.EndWaitForConnection, null); NtToken token = null; if (pipe.IsConnected) { pipe.RunAsClient(() => token = NtToken.OpenThreadToken()); pipe.Disconnect(); } if (token != null) { TokenForm.OpenForm(token, false); } } } catch (Exception ex) { MessageBox.Show(this, ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); } finally { btnStartServer.Enabled = true; } }
/// <summary> /// Get the anonymous token. /// </summary> /// <param name="desired_access">The access rights for the opened token.</param> /// <returns>The anonymous token.</returns> public static NtToken GetAnonymousToken(TokenAccessRights desired_access) { using (var imp = NtThread.Current.ImpersonateAnonymousToken()) { return(NtToken.OpenThreadToken(NtThread.Current, true, false, desired_access)); } }
// public void TokenRelay(BlockingCollection <byte[]> hashesIn, BlockingCollection <byte[]> hashesOut, String command) { while (bContinueServer) { byte[] out_buffer = null; byte[] hash = hashesIn.Take(); InitializeServer(hash, out out_buffer, out bContinueServer); hashesOut.Add(out_buffer); if (bContinueServer) { hash = hashesIn.Take(); InitializeServer(hash, out out_buffer, out bContinueServer); ImpersonateSecurityContext(ref _hServerContext); NtToken thread_token = NtToken.OpenThreadToken(); if (thread_token.ImpersonationLevel.ToString() == "Impersonation" || thread_token.ImpersonationLevel.ToString() == "Delegation") { //TokenUtils.CreateProcessForToken("powershell.exe -EncodedCommand " + command, thread_token, true); TokenUtils.CreateProcessForToken(command, thread_token, true); Console.WriteLine("Process Created Successfully"); Shell.NtShell = true; } else { Console.WriteLine("IMPERSONATION LEVEL IS {0} ACCESS DENIED !!!", thread_token.ImpersonationLevel.ToString()); Console.WriteLine("Primary Token Shell Starting ...."); Shell.NtShell = false; } hashesOut.Add(new byte[] { 99 }); // if finished pass 99 } } }
private IEnumerable <ListViewItem> CreateThreads(NtProcess query_process, NtToken process_token) { List <ListViewItem> ret = new List <ListViewItem>(); using (var threads = new DisposableList <NtThread>(query_process.GetThreads(ThreadAccessRights.MaximumAllowed))) { foreach (NtThread thread in threads.Where(t => t.IsAccessGranted(ThreadAccessRights.QueryLimitedInformation))) { using (var result = NtToken.OpenThreadToken(thread, true, TokenAccessRights.MaximumAllowed, false)) { if (!result.IsSuccess) { continue; } var token = result.Result; ListViewItem item = new ListViewItem($"{query_process.ProcessId} - {query_process.Name}"); item.SubItems.Add(thread.ThreadId.ToString()); item.SubItems.Add(token.User.ToString()); item.SubItems.Add(token.ImpersonationLevel.ToString()); item.Tag = new ThreadTokenEntry(query_process, process_token, thread.ThreadId, thread.Description, token, thread.GetSecurityDescriptor(SecurityInformation.AllBasic, false).GetResultOrDefault()); ret.Add(item); } } } return(ret); }
private IEnumerable <ListViewItem> CreateThreads(NtProcess entry, NtToken process_token) { List <ListViewItem> ret = new List <ListViewItem>(); using (var query_process = entry.Duplicate(ProcessAccessRights.QueryInformation, false)) { if (!query_process.IsSuccess) { return(ret); } using (var threads = new DisposableList <NtThread>(query_process.Result.GetThreads(ThreadAccessRights.QueryLimitedInformation))) { foreach (NtThread thread in threads) { using (var result = NtToken.OpenThreadToken(thread, true, TokenAccessRights.MaximumAllowed, false)) { if (!result.IsSuccess) { continue; } var token = result.Result; ListViewItem item = new ListViewItem($"{entry.ProcessId} - {entry.Name}"); item.SubItems.Add(thread.ThreadId.ToString()); item.SubItems.Add(token.User.ToString()); item.SubItems.Add(token.ImpersonationLevel.ToString()); item.Tag = new ThreadTokenEntry(query_process.Result, token, thread.ThreadId, thread.Description, token); ret.Add(item); } } } } return(ret); }
public static NtToken GetAnonymousToken() { using (var imp = NtThread.Current.ImpersonateAnonymousToken()) { return(NtToken.OpenThreadToken()); } }
private NtToken GetImpersonationToken(TokenAccessRights desired_access) { if (ThreadId.HasValue) { return(NtToken.OpenThreadToken(ThreadId.Value, OpenAsSelf, false, desired_access)); } return(NtToken.OpenThreadToken(Thread ?? NtThread.Current, OpenAsSelf, false, desired_access)); }
public static NtToken GetAnonymousToken() { try { using (var imp = NtThread.Current.ImpersonateAnonymousToken()) { return(NtToken.OpenThreadToken()); } } catch (NtException ex) { throw ex.AsWin32Exception(); } }
private async void btnStartServer_Click(object sender, EventArgs e) { try { btnStartServer.Enabled = false; using (NamedPipeServerStream pipe = new NamedPipeServerStream(txtPipeName.Text, PipeDirection.InOut, 1, PipeTransmissionMode.Byte, PipeOptions.Asynchronous)) { await Task.Factory.FromAsync(pipe.BeginWaitForConnection, pipe.EndWaitForConnection, null); NtToken token = null; bool use_unc = checkBoxUseUNCPath.Checked; if (pipe.IsConnected) { if (!use_unc) { byte[] buffer = new byte[1]; int result = await pipe.ReadAsync(buffer, 0, 1); } pipe.RunAsClient(() => token = NtToken.OpenThreadToken()); pipe.Disconnect(); } if (token != null) { TokenForm.OpenForm(token, "NamedPipe", false); } } } catch (Exception ex) { MessageBox.Show(this, ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); } finally { btnStartServer.Enabled = true; } }
/// <summary> /// Overridden ProcessRecord method. /// </summary> protected override void ProcessRecord() { using (var token = Token.DuplicateToken(ImpersonationLevel)) { var thread = Thread ?? NtThread.Current; using (var imp = thread.Impersonate(token)) { using (var new_token = NtToken.OpenThreadToken(thread)) { if (PassThru) { WriteObject(new_token.Duplicate()); } else { WriteObject(ImpersonationLevel == new_token.ImpersonationLevel); } } } } }
/// <summary> /// Open the thread's token /// </summary> /// <returns>The token, null if no token available</returns> public NtToken OpenToken() { return(NtToken.OpenThreadToken(this)); }
/// <summary> /// Get token for this cmdlet. /// </summary> /// <param name="desired_access">The token access required.</param> /// <returns>The token object.</returns> protected override NtToken GetToken(TokenAccessRights desired_access) { return(NtToken.OpenThreadToken(Thread ?? NtThread.Current, OpenAsSelf, false, desired_access)); }