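/// <summary>
/// One pass of the interactive loop: print the prompt, read a command line,
/// and dispatch it. Token-centric commands (info, list/enable/disable/remove/
/// nuke privileges, getsystem) act on the named target process's token when
/// the line carries a PID, otherwise on our own process token.
/// </summary>
/// <remarks>
/// Handle hygiene: the working token is released in <c>finally</c>, so an
/// exception or an early <c>break</c> cannot leak it; when a target's token
/// replaces it, the superseded handle is closed at the swap instead of being
/// overwritten; the PROCESS_TERMINATE handle opened by "terminate" is closed
/// whether or not TerminateProcess succeeds. A command that names a target
/// which cannot be opened is abandoned rather than silently falling back to
/// our own token. Exceptions from a command are reported and the method
/// returns normally so the caller can prompt again.
/// </remarks>
internal void Run()
{
    IntPtr hToken = IntPtr.Zero;
    try
    {
        Console.Write(context);
        String input;
        if (activateTabs)
        {
            input = console.ReadLine();
        }
        else
        {
            input = Console.ReadLine();
        }

        // Default to our own process token; a PID-bearing command swaps in
        // the target's token through SelectToken below.
        kernel32.OpenProcessToken(kernel32.GetCurrentProcess(), Constants.TOKEN_ALL_ACCESS, out hToken);
        if (IntPtr.Zero == hToken)
        {
            Tokens.GetWin32Error("OpenProcessToken");
        }
        IntPtr tempToken = IntPtr.Zero;

        // Install `fresh` as the working token, closing the handle it replaces.
        void SwapToken(IntPtr fresh)
        {
            if (IntPtr.Zero != hToken)
            {
                kernel32.CloseHandle(hToken);
            }
            hToken = fresh;
        }

        // Pick the token a token-centric command acts on: the named target's
        // when the remaining input carries a PID, else the one already held.
        // Returns false when a named target's token could not be opened.
        bool SelectToken()
        {
            if (!GetProcessID(input, out processID, out command))
            {
                return true;
            }
            if (!OpenToken(processID, ref tempToken))
            {
                return false;
            }
            SwapToken(tempToken);
            return true;
        }

        // Name a process for a listing. A PID that exited between enumeration
        // and lookup is reported inline instead of aborting the whole table.
        String ProcessNameOf(Int32 pid)
        {
            try
            {
                return Process.GetProcessById(pid).ProcessName;
            }
            catch (ArgumentException)
            {
                return "<exited>";
            }
        }

        switch (NextItem(ref input))
        {
            case "info":
                if (!SelectToken())
                {
                    break;
                }
                Console.WriteLine("");
                CheckPrivileges.GetTokenUser(hToken);
                Console.WriteLine("");
                CheckPrivileges.GetTokenOwner(hToken);
                Console.WriteLine("");
                CheckPrivileges.GetTokenGroups(hToken);
                Console.WriteLine("");
                CheckPrivileges.GetElevationType(hToken, out Winnt._TOKEN_TYPE tokenType);
                CheckPrivileges.PrintElevation(hToken);
                break;

            case "list_privileges":
                if (!SelectToken())
                {
                    break;
                }
                Tokens.EnumerateTokenPrivileges(hToken);
                break;

            case "enable_privilege":
                if (!SelectToken())
                {
                    break;
                }
                Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
                break;

            case "disable_privilege":
                if (!SelectToken())
                {
                    break;
                }
                Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_NONE);
                break;

            case "remove_privilege":
                if (!SelectToken())
                {
                    break;
                }
                Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED);
                break;

            case "nuke_privileges":
                if (!SelectToken())
                {
                    break;
                }
                Tokens.DisableAndRemoveAllTokenPrivileges(ref hToken);
                break;

            case "terminate":
                if (GetProcessID(input, out processID, out command))
                {
                    IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_TERMINATE, false, (UInt32)processID);
                    if (IntPtr.Zero == hProcess)
                    {
                        Tokens.GetWin32Error("OpenProcess");
                        break;
                    }
                    try
                    {
                        Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4"));
                        if (!kernel32.TerminateProcess(hProcess, 0))
                        {
                            Tokens.GetWin32Error("TerminateProcess");
                            break;
                        }
                        Console.WriteLine("[+] Process Terminated");
                    }
                    finally
                    {
                        // Only PROCESS_TERMINATE was requested; nothing else needs it.
                        kernel32.CloseHandle(hProcess);
                    }
                }
                break;

            case "sample_processes":
                users = Enumeration.EnumerateTokens(false);
                Console.WriteLine("{0,-40}{1,-20}{2}", "User", "Process ID", "Process Name");
                Console.WriteLine("{0,-40}{1,-20}{2}", "----", "----------", "------------");
                foreach (String name in users.Keys)
                {
                    Console.WriteLine("{0,-40}{1,-20}{2}", name, users[name], ProcessNameOf((Int32)users[name]));
                }
                break;

            case "sample_processes_wmi":
                users = Enumeration.EnumerateTokensWMI();
                Console.WriteLine("{0,-40}{1,-20}{2}", "User", "Process ID", "Process Name");
                Console.WriteLine("{0,-40}{1,-20}{2}", "----", "----------", "------------");
                foreach (String name in users.Keys)
                {
                    Console.WriteLine("{0,-40}{1,-20}{2}", name, users[name], ProcessNameOf((Int32)users[name]));
                }
                break;

            case "find_user_processes":
                processes = Enumeration.EnumerateUserProcesses(false, input);
                Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name");
                Console.WriteLine("{0,-30}{1,-30}", "----------", "------------");
                foreach (UInt32 pid in processes.Keys)
                {
                    Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
                }
                break;

            case "find_user_processes_wmi":
                processes = Enumeration.EnumerateUserProcessesWMI(input);
                Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name");
                Console.WriteLine("{0,-30}{1,-30}", "----------", "------------");
                foreach (UInt32 pid in processes.Keys)
                {
                    Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
                }
                break;

            case "list_filters":
                using (Filters filters = new Filters())
                {
                    filters.First();
                    filters.Next();
                }
                break;

            case "list_filter_instances":
                using (FilterInstance filterInstance = new FilterInstance(NextItem(ref input)))
                {
                    filterInstance.First();
                    filterInstance.Next();
                }
                break;

            case "detach_filter":
                Filters.FilterDetach(input);
                break;

            case "unload_filter":
                Filters.Unload(NextItem(ref input));
                break;

            case "sessions":
                Enumeration.EnumerateInteractiveUserSessions();
                break;

            case "getsystem":
                GetSystem(input, hToken);
                break;

            case "gettrustedinstaller":
                GetTrustedInstaller(input);
                break;

            case "steal_token":
                StealToken(input);
                break;

            case "steal_pipe_token":
                StealPipeToken(input);
                break;

            case "bypassuac":
                BypassUAC(input);
                break;

            case "whoami":
                Console.WriteLine("[*] Operating as {0}", WindowsIdentity.GetCurrent().Name);
                break;

            case "reverttoself":
                String message = advapi32.RevertToSelf()
                    ? "[*] Reverted token to " + WindowsIdentity.GetCurrent().Name
                    : "[-] RevertToSelf failed";
                Console.WriteLine(message);
                break;

            case "run":
                Run(input);
                break;

            case "runpowershell":
                RunPowerShell(input);
                break;

            case "exit":
                Environment.Exit(0);
                break;

            case "help":
                String item = NextItem(ref input);
                if ("help" != item)
                {
                    Help(item);
                }
                else
                {
                    Help();
                }
                break;

            default:
                Help();
                break;
        }
        Console.WriteLine();
    }
    catch (Exception error)
    {
        Console.WriteLine(error.ToString());
        Tokens.GetWin32Error("MainLoop");
    }
    finally
    {
        // Whichever token is current (ours or a swapped-in target's) is released
        // on every exit path, including exceptions and Parse-style early outs.
        if (IntPtr.Zero != hToken)
        {
            kernel32.CloseHandle(hToken);
        }
    }
}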
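////////////////////////////////////////////////////////////////////////////////
// Mainloop
////////////////////////////////////////////////////////////////////////////////

/// <summary>
/// One pass of the interactive loop: print the prompt, read a line, resolve
/// the token the command acts on, parse the command's options, dispatch.
/// </summary>
/// <remarks>
/// When the line does not name a target process the command works on our own
/// token: the primary token of <c>hBackup</c> if it can be opened, otherwise
/// the calling thread's impersonation token. When it does name a target,
/// <c>hToken</c> stays zero and the handler is left to open the target from
/// <c>cLP</c>. The token is released in <c>finally</c>, so neither the early
/// return on an option-parse failure nor an exception leaks it.
/// </remarks>
internal void Run()
{
    IntPtr hToken = IntPtr.Zero;
    try
    {
        Console.Write(context);
        string input;
        if (activateTabs)
        {
            try
            {
                input = console.ReadLine();
            }
            catch (InvalidOperationException)
            {
                // Tab-completing reader unavailable; fall back to the plain console.
                input = Console.ReadLine();
            }
        }
        else
        {
            input = Console.ReadLine();
        }

        // The PID is looked for in the raw line, before the action word is
        // stripped off below.
        bool remote = _GetProcessID(input, out processID, out command);
        if (!remote)
        {
            hProcess = hBackup;
            kernel32.OpenProcessToken(hProcess, Winnt.TOKEN_ALL_ACCESS, out hToken);
            if (IntPtr.Zero == hToken)
            {
                // Typically the process token is unavailable while impersonating;
                // the thread token is the next best thing.
                Console.WriteLine("[-] Opening Process Token Failed, Opening Thread Token");
                IntPtr hThread = kernel32.GetCurrentThread();
                kernel32.OpenThreadToken(hThread, Winnt.TOKEN_ALL_ACCESS, true, ref hToken);
                if (IntPtr.Zero == hToken)
                {
                    Console.WriteLine("[-] Opening Thread Token Failed, Recommend RevertToSelf");
                }
            }
        }

        string action = Misc.NextItem(ref input);
        CommandLineParsing cLP = new CommandLineParsing();
        // NOTE(review): presumably NextItem leaves input equal to the action when
        // nothing follows it, so a bare action skips option parsing — confirm.
        if (!string.Equals(action, input, StringComparison.OrdinalIgnoreCase))
        {
            if (!cLP.Parse(input))
            {
                // Parse reports its own error; the token is closed by finally.
                return;
            }
        }

        switch (action)
        {
            case "add_group":
                _AddGroup(cLP, hToken);
                break;
            case "add_privilege":
                _AddPrivilege(cLP);
                break;
            case "bypassuac":
                _BypassUAC(cLP, hToken);
                break;
            case "clear_desktop_acl":
                _ClearDesktopACL();
                break;
            case "clone_token":
                _CloneToken(cLP, hToken);
                break;
            case "create_token":
                _CreateToken(cLP, hToken);
                break;
            case "delete_driver":
            case "uninstall_driver":
                _UnInstallDriver(cLP);
                break;
            case "detach_filter":
                Filters.FilterDetach(cLP);
                break;
            case "disable_privilege":
                _AlterPrivilege(cLP, hToken, Winnt.TokenPrivileges.SE_PRIVILEGE_NONE);
                break;
            case "enable_privilege":
                _AlterPrivilege(cLP, hToken, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
                break;
            case "remove_privilege":
                _AlterPrivilege(cLP, hToken, Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED);
                break;
            case "exit":
                Environment.Exit(0);
                break;
            case "find_user_processes":
                _FindUserProcesses(cLP);
                break;
            case "find_user_processes_wmi":
                _FindUserProcessesWMI(cLP);
                break;
            case "getinfo":
            case "info":
                _Info(cLP, hToken);
                break;
            case "getsystem":
            case "get_system":
                _GetSystem(cLP, hToken);
                break;
            case "gettrustedinstaller":
            case "get_trustedinstaller":
                _GetTrustedInstaller(cLP, hToken);
                break;
            case "help":
                _Help(input);
                break;
            case "history":
                console.GetHistory();
                break;
            case "install_driver":
                _InstallDriver(cLP);
                break;
            case "list_filters":
                _ListFilters();
                break;
            case "list_filter_instances":
                _ListFiltersInstances(cLP);
                break;
            case "list_privileges":
                _ListPrivileges(cLP, hToken);
                break;
            case "logon_user":
                _LogonUser(cLP, hToken);
                break;
            case "nuke_privileges":
                _NukePrivileges(cLP, hToken);
                break;
            case "pid":
                Console.WriteLine("[+] Process ID: {0}", Process.GetCurrentProcess().Id);
                Console.WriteLine("[+] Parent ID: {0}", Process.GetCurrentProcess().Parent().Id);
                break;
            case "is_critical_process":
                _IsCriticalProcess(cLP, hProcess);
                break;
            case "set_critical_process":
                _SetCriticalProcess(cLP, hProcess);
                break;
            case "reverttoself":
                Console.WriteLine(advapi32.RevertToSelf()
                    ? "[*] Reverted token to " + WindowsIdentity.GetCurrent().Name
                    : "[-] RevertToSelf failed");
                break;
            case "run":
                _Run(cLP);
                break;
            case "runas":
                _RunAsNetOnly(cLP);
                break;
            case "runpowershell":
                _RunPowerShell(cLP);
                break;
            case "sample_processes":
                _SampleProcess();
                break;
            case "sample_processes_wmi":
                _SampleProcessWMI();
                break;
            case "sessions":
                UserSessions.EnumerateInteractiveUserSessions();
                break;
            case "start_driver":
                _StartDriver(cLP);
                break;
            case "steal_pipe_token":
                _StealPipeToken(cLP);
                break;
            case "steal_token":
                _StealToken(cLP, hToken);
                break;
            case "tasklist":
                UserSessions.Tasklist();
                break;
            case "terminate":
                _Terminate(cLP);
                break;
            case "unfreeze_token":
                _UnfreezeToken(cLP);
                break;
            case "unload_filter":
                Filters.Unload(cLP);
                break;
            case "whoami":
                Console.WriteLine("[*] Operating as {0}", WindowsIdentity.GetCurrent().Name);
                break;
            default:
                _Help(input);
                break;
        }
    }
    catch (Exception error)
    {
        Console.WriteLine(error.ToString());
        Misc.GetWin32Error("MainLoop");
    }
    finally
    {
        // Release the token on every exit path (normal, early return, exception).
        if (IntPtr.Zero != hToken)
        {
            kernel32.CloseHandle(hToken);
        }
    }
    Console.WriteLine();
}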
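/// <summary>
/// One pass of the interactive loop: print the prompt, read a command line,
/// dispatch it. The privilege commands act on the token of the named target
/// process when the line carries a PID, otherwise on our own process token.
/// </summary>
/// <remarks>
/// For a remote target the process handle opened with OpenProcess, and the
/// token handle opened from it, are both released once the command finishes;
/// a handle taken from <c>Process.GetCurrentProcess().Handle</c> is owned by
/// the Process object and is not closed here. A failed OpenProcess or
/// OpenProcessToken ends the command with a message instead of passing an
/// invalid handle on. Exceptions are reported and the method returns normally
/// so the caller can prompt again.
/// </remarks>
internal void Run()
{
    try
    {
        Console.Write(context);
        String input;
        if (activateTabs)
        {
            input = console.ReadLine();
        }
        else
        {
            input = Console.ReadLine();
        }

        // True when this command opened hProcess itself and must close it.
        bool ownsProcessHandle = false;
        String action = NextItem(ref input);

        switch (action)
        {
            case "list_privileges":
            case "set_privilege":
                if (GetProcessID(input, out processID, out command))
                {
                    hProcess = kernel32.OpenProcess(Constants.PROCESS_QUERY_INFORMATION, false, (UInt32)processID);
                    if (IntPtr.Zero == hProcess)
                    {
                        Console.WriteLine("[-] OpenProcess failed for process {0}", processID);
                        break;
                    }
                    ownsProcessHandle = true;
                    Console.WriteLine("[*] Recieved Handle {0}", hProcess.ToInt64());
                }
                else
                {
                    hProcess = Process.GetCurrentProcess().Handle;
                }
                try
                {
                    // Reset first so a failed open cannot leave a stale handle
                    // value from an earlier command in the field.
                    currentProcessToken = IntPtr.Zero;
                    kernel32.OpenProcessToken(hProcess, Constants.TOKEN_ALL_ACCESS, out currentProcessToken);
                    if (IntPtr.Zero == currentProcessToken)
                    {
                        Console.WriteLine("[-] OpenProcessToken failed");
                        break;
                    }
                    if ("list_privileges" == action)
                    {
                        Tokens.EnumerateTokenPrivileges(currentProcessToken);
                    }
                    else
                    {
                        Tokens.SetTokenPrivilege(ref currentProcessToken, command);
                    }
                }
                finally
                {
                    if (IntPtr.Zero != currentProcessToken)
                    {
                        kernel32.CloseHandle(currentProcessToken);
                        currentProcessToken = IntPtr.Zero;
                    }
                    if (ownsProcessHandle)
                    {
                        // NOTE(review): hProcess is an instance field; nothing in this
                        // method reads it after the command, but confirm no other
                        // member relies on it staying open.
                        kernel32.CloseHandle(hProcess);
                        hProcess = IntPtr.Zero;
                    }
                }
                break;

            case "list_processes":
                users = Enumeration.EnumerateTokens(false);
                Console.WriteLine("{0,-30}{1,-30}", "User", "ProcessID");
                Console.WriteLine("{0,-30}{1,-30}", "-----", "---------");
                foreach (String name in users.Keys)
                {
                    Console.WriteLine("{0,-30}{1,-30}", name, users[name]);
                }
                break;

            case "list_processes_wmi":
                users = Enumeration.EnumerateTokensWMI();
                Console.WriteLine("{0,-30}{1,-30}", "User", "ProcessID");
                Console.WriteLine("{0,-30}{1,-30}", "-----", "---------");
                foreach (String name in users.Keys)
                {
                    Console.WriteLine("{0,-30}{1,-30}", name, users[name]);
                }
                break;

            case "find_user_processes":
                processes = Enumeration.EnumerateUserProcesses(false, input);
                Console.WriteLine("{0,-30}{1,-30}", "ProcessID", "Name");
                Console.WriteLine("{0,-30}{1,-30}", "---------", "----");
                foreach (UInt32 pid in processes.Keys)
                {
                    Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
                }
                break;

            case "find_user_processes_wmi":
                processes = Enumeration.EnumerateUserProcessesWMI(input);
                Console.WriteLine("{0,-30}{1,-30}", "ProcessID", "Name");
                Console.WriteLine("{0,-30}{1,-30}", "---------", "----");
                foreach (UInt32 pid in processes.Keys)
                {
                    Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
                }
                break;

            case "list_user_sessions":
                Enumeration.EnumerateInteractiveUserSessions();
                break;

            case "getsystem":
                GetSystem(input);
                break;

            case "gettrustedinstaller":
                GetTrustedInstaller(input);
                break;

            case "steal_token":
                StealToken(input);
                break;

            case "bypassuac":
                BypassUAC(input);
                break;

            case "whoami":
                Console.WriteLine("[*] Operating as {0}", System.Security.Principal.WindowsIdentity.GetCurrent().Name);
                break;

            case "reverttoself":
                if (advapi32.RevertToSelf())
                {
                    Console.WriteLine("[*] Reverted token to {0}", System.Security.Principal.WindowsIdentity.GetCurrent().Name);
                }
                else
                {
                    Console.WriteLine("[-] RevertToSelf failed");
                }
                break;

            case "run":
                Run(input);
                break;

            case "exit":
                System.Environment.Exit(0);
                break;

            default:
                Help();
                break;
        }
        Console.WriteLine();
    }
    catch (Exception error)
    {
        Console.WriteLine(error.ToString());
    }
}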