public static EnvironmentBlock SetCurrent(EnvironmentBlock environmentBlock)
{
IntPtr previousEnvironment;
Win32.RtlSetCurrentEnvironment(
environmentBlock,
out previousEnvironment
).ThrowIf();
return new EnvironmentBlock(previousEnvironment);
}
public static EnvironmentBlock SetCurrent(EnvironmentBlock environmentBlock)
{
IntPtr previousEnvironment;
Win32.RtlSetCurrentEnvironment(
environmentBlock,
out previousEnvironment
).ThrowIf();
return(new EnvironmentBlock(previousEnvironment));
}
public static EnvironmentBlock SetCurrent(EnvironmentBlock environmentBlock)
{
NtStatus status;
IntPtr previousEnvironment;
if ((status = Win32.RtlSetCurrentEnvironment(
environmentBlock,
out previousEnvironment
)) >= NtStatus.Error)
Win32.Throw(status);
return new EnvironmentBlock(previousEnvironment);
}
public static EnvironmentBlock SetCurrent(EnvironmentBlock environmentBlock)
{
NtStatus status;
IntPtr previousEnvironment;
if ((status = Win32.RtlSetCurrentEnvironment(
environmentBlock,
out previousEnvironment
)) >= NtStatus.Error)
{
Win32.Throw(status);
}
return(new EnvironmentBlock(previousEnvironment));
}
public unsafe static void CopyProcessParameters(
ProcessHandle processHandle,
IntPtr peb,
ProcessCreationFlags creationFlags,
string imagePathName,
string dllPath,
string currentDirectory,
string commandLine,
EnvironmentBlock environment,
string windowTitle,
string desktopInfo,
string shellInfo,
string runtimeInfo,
ref StartupInfo startupInfo
)
{
UnicodeString imagePathNameStr;
UnicodeString dllPathStr;
UnicodeString currentDirectoryStr;
UnicodeString commandLineStr;
UnicodeString windowTitleStr;
UnicodeString desktopInfoStr;
UnicodeString shellInfoStr;
UnicodeString runtimeInfoStr;
// Create the unicode strings.
imagePathNameStr = new UnicodeString(imagePathName);
dllPathStr = new UnicodeString(dllPath);
currentDirectoryStr = new UnicodeString(currentDirectory);
commandLineStr = new UnicodeString(commandLine);
windowTitleStr = new UnicodeString(windowTitle);
desktopInfoStr = new UnicodeString(desktopInfo);
shellInfoStr = new UnicodeString(shellInfo);
runtimeInfoStr = new UnicodeString(runtimeInfo);
try
{
NtStatus status;
IntPtr processParameters;
// Create the process parameter block.
status = Win32.RtlCreateProcessParameters(
out processParameters,
ref imagePathNameStr,
ref dllPathStr,
ref currentDirectoryStr,
ref commandLineStr,
environment,
ref windowTitleStr,
ref desktopInfoStr,
ref shellInfoStr,
ref runtimeInfoStr
);
if (status >= NtStatus.Error)
Win32.Throw(status);
try
{
// Allocate a new memory region in the remote process for
// the environment block and copy it over.
int environmentLength;
IntPtr newEnvironment;
environmentLength = environment.GetLength();
newEnvironment = processHandle.AllocateMemory(
environmentLength,
MemoryProtection.ReadWrite
);
processHandle.WriteMemory(
newEnvironment,
environment,
environmentLength
);
// Copy over the startup info data.
RtlUserProcessParameters* paramsStruct = (RtlUserProcessParameters*)processParameters;
paramsStruct->Environment = newEnvironment;
paramsStruct->StartingX = startupInfo.X;
paramsStruct->StartingY = startupInfo.Y;
paramsStruct->CountX = startupInfo.XSize;
paramsStruct->CountY = startupInfo.YSize;
paramsStruct->CountCharsX = startupInfo.XCountChars;
paramsStruct->CountCharsY = startupInfo.YCountChars;
paramsStruct->FillAttribute = startupInfo.FillAttribute;
paramsStruct->WindowFlags = startupInfo.Flags;
paramsStruct->ShowWindowFlags = startupInfo.ShowWindow;
if ((startupInfo.Flags & StartupFlags.UseStdHandles) == StartupFlags.UseStdHandles)
{
paramsStruct->StandardInput = startupInfo.StdInputHandle;
paramsStruct->StandardOutput = startupInfo.StdOutputHandle;
paramsStruct->StandardError = startupInfo.StdErrorHandle;
}
// TODO: Add console support.
// Allocate a new memory region in the remote process for
// the process parameters.
IntPtr newProcessParameters;
IntPtr regionSize = paramsStruct->Length.ToIntPtr();
newProcessParameters = processHandle.AllocateMemory(
IntPtr.Zero,
ref regionSize,
MemoryFlags.Commit,
MemoryProtection.ReadWrite
);
paramsStruct->MaximumLength = regionSize.ToInt32();
processHandle.WriteMemory(newProcessParameters, processParameters, paramsStruct->Length);
// Modify the process parameters pointer in the PEB.
processHandle.WriteMemory(
peb.Increment(Peb.ProcessParametersOffset),
&newProcessParameters,
IntPtr.Size
);
}
finally
{
Win32.RtlDestroyProcessParameters(processParameters);
}
}
finally
{
imagePathNameStr.Dispose();
dllPathStr.Dispose();
currentDirectoryStr.Dispose();
commandLineStr.Dispose();
windowTitleStr.Dispose();
desktopInfoStr.Dispose();
shellInfoStr.Dispose();
runtimeInfoStr.Dispose();
}
}
public static void Main(Dictionary<string, string> pArgs)
{
args = pArgs;
EnablePrivilege("SeAssignPrimaryTokenPrivilege");
EnablePrivilege("SeBackupPrivilege");
EnablePrivilege("SeRestorePrivilege");
try
{
bool bad = false;
if (!args.ContainsKey("-w"))
{
if (!args.ContainsKey("-c") && !args.ContainsKey("-f"))
bad = true;
if (args.ContainsKey("-c") && args.ContainsKey("-f"))
bad = true;
if (!args.ContainsKey("-u") && !args.ContainsKey("-P"))
bad = true;
if (args.ContainsKey("-u") && args.ContainsKey("-P"))
bad = true;
}
if (args.ContainsKey("-v") || args.ContainsKey("-h"))
bad = true;
if (bad)
{
PrintUsage();
Exit();
}
}
catch
{
PrintUsage();
Exit();
}
if (args.ContainsKey("-w"))
{
try
{
SetDesktopWinStaAccess();
}
catch (Exception ex)
{
Console.WriteLine("Warning: Could not set desktop and window station access: " + ex.Message);
}
}
TokenHandle token = null;
string domain = null;
string username;
if (args.ContainsKey("-u"))
{
string user = args["-u"];
if (user.Contains("\\", StringComparison.OrdinalIgnoreCase))
{
domain = user.Split('\\')[0];
username = user.Split('\\')[1];
}
else if (user.Contains("@", StringComparison.OrdinalIgnoreCase))
{
username = user.Split('@')[0];
domain = user.Split('@')[1];
}
else
{
username = user;
}
LogonType type = LogonType.Interactive;
if (args.ContainsKey("-t"))
{
try
{
type = (LogonType)Enum.Parse(typeof(LogonType), args["-t"], true);
}
catch
{
Console.WriteLine("Error: Invalid logon type.");
Exit(-1);
}
}
try
{
token = TokenHandle.Logon(
username,
domain,
args.ContainsKey("-p") ? args["-p"] : "",
type,
LogonProvider.Default
);
}
catch (Exception ex)
{
Console.WriteLine("Error: Could not logon as user: "******"-P"))
pid = int.Parse(args["-P"]);
}
catch
{
Console.WriteLine("Error: Invalid PID.");
}
try
{
using (var phandle = new ProcessHandle(pid, OSVersion.MinProcessQueryInfoAccess))
{
try
{
token = phandle.GetToken(TokenAccess.All);
}
catch (Exception ex)
{
Console.WriteLine("Error: Could not open process token: " + ex.Message);
Exit(Marshal.GetLastWin32Error());
}
}
}
catch (Exception ex)
{
Console.WriteLine("Error: Could not open process: " + ex.Message);
Exit(Marshal.GetLastWin32Error());
}
// Need to duplicate the token if we're going to set the session ID.
if (args.ContainsKey("-s"))
{
try
{
TokenHandle dupToken;
dupToken = token.Duplicate(
TokenAccess.All,
SecurityImpersonationLevel.SecurityImpersonation,
TokenType.Primary
);
token.Dispose();
token = dupToken;
}
catch (Exception ex)
{
Console.WriteLine("Error: Could not duplicate own token: " + ex.Message);
Exit(Marshal.GetLastWin32Error());
}
}
}
if (args.ContainsKey("-s"))
{
int sessionId = int.Parse(args["-s"]);
try
{
token.SessionId = sessionId;
}
catch (Exception ex)
{
Console.WriteLine("Error: Could not set token session ID: " + ex.Message);
}
}
if (args.ContainsKey("-c") || args.ContainsKey("-f"))
{
if (!args.ContainsKey("-e"))
{
EnvironmentBlock environment;
StartupInfo startupInfo = new StartupInfo();
ProcessHandle processHandle;
ThreadHandle threadHandle;
ClientId clientId;
environment = new EnvironmentBlock(token);
startupInfo.Desktop = "WinSta0\\Default";
try
{
processHandle = ProcessHandle.CreateWin32(
token,
args.ContainsKey("-f") ? args["-f"] : null,
args.ContainsKey("-c") ? args["-c"] : null,
false,
ProcessCreationFlags.CreateUnicodeEnvironment,
environment,
args.ContainsKey("-d") ? args["-d"] : null,
startupInfo,
out clientId,
out threadHandle
);
processHandle.Dispose();
threadHandle.Dispose();
}
catch (Exception ex)
{
Console.WriteLine("Error: Could not create process: " + ex.Message);
Exit(Marshal.GetLastWin32Error());
}
finally
{
environment.Destroy();
}
}
}
token.Dispose();
Exit();
}
