        ////////////////////////////////////////////////////////////////////////////////
        // Can be used to remove groups; adding groups would require a new token
        // Next Release
        //https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokengroups
        ////////////////////////////////////////////////////////////////////////////////
        /// <summary>
        /// Work in progress (the banner above marks it "Next Release"): duplicates the working
        /// token, rebuilds its group list locally, and calls advapi32.AdjustTokenGroups on the
        /// duplicate. As written the rebuilt list is discarded before the call (see the note at
        /// the reassignment of tokenGroups below), so the adjustment is made with the token's
        /// existing group list.
        /// </summary>
        /// <param name="group">
        /// Group to apply: either "DOMAIN\name" / a bare name (resolved through NTAccount
        /// against the local machine when no domain is given), or an SDDL SID string when
        /// <paramref name="isSID"/> is true.
        /// </param>
        /// <param name="isSID">True when <paramref name="group"/> is already a SID string.</param>
        public void SetTokenGroup(string group, bool isSID)
        {
            var tokenGroups = new Ntifs._TOKEN_GROUPS();

            tokenGroups.Initialize();

            // Duplicate the token at SecurityImpersonation level and switch the working
            // handle to the duplicate; bail out silently if duplication fails.
            if (!DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
            {
                return;
            }
            SetWorkingTokenToNewToken();

            TokenInformation ti = new TokenInformation(hWorkingToken);

            // Snapshot the duplicate's current groups (SID + attributes) into the local list.
            ti.GetTokenGroups();
            for (int i = 0; i < ti.tokenGroups.GroupCount; i++)
            {
                tokenGroups.Groups[i].Sid        = ti.tokenGroups.Groups[i].Sid;
                tokenGroups.Groups[i].Attributes = ti.tokenGroups.Groups[i].Attributes;
                Console.WriteLine(tokenGroups.Groups[i].Sid);
            }
            tokenGroups.GroupCount = ti.tokenGroups.GroupCount;

            // Resolve "DOMAIN\name" (or a bare name on this machine) to an SDDL SID string.
            if (!isSID)
            {
                Console.WriteLine("Group:     {0}", group);
                string domain = Environment.MachineName;
                if (group.Contains(@"\"))
                {
                    string[] split = group.Split('\\');
                    domain = split[0];
                    group  = split[1];
                }
                group = new NTAccount(domain, group).Translate(typeof(SecurityIdentifier)).Value;
            }
            Console.WriteLine("Group SID: {0}", group);
            // NOTE(review): after this increment GroupCount is one past the last filled slot,
            // but the two writes below index Groups[GroupCount] rather than Groups[GroupCount - 1],
            // so the slot the new count covers is never populated.
            ++tokenGroups.GroupCount;

            // NOTE(review): the SID literal here is hard-coded; the `group` SID resolved above
            // is never used, so the parameter currently has no effect on the call.
            if (!CreateTokens.InitializeSid("S-1-5-21-258464558-1780981397-2849438727-1010", ref tokenGroups.Groups[tokenGroups.GroupCount].Sid))
            {
                return;
            }
            tokenGroups.Groups[tokenGroups.GroupCount].Attributes = (uint)Winnt.SE_GROUP_ENABLED;
            // NOTE(review): ct and userName are assigned but never used; the Split(...)[1]
            // below also throws IndexOutOfRangeException if the identity name has no backslash.
            CreateTokens ct = new CreateTokens(hWorkingToken);

            string userName = WindowsIdentity.GetCurrent().Name;

            userName = userName.Split('\\')[1];

            //ct.CreateTokenGroups(userName, out Ntifs._TOKEN_GROUPS tg, out Winnt._TOKEN_PRIMARY_GROUP tpg);

            // NOTE(review): this reassignment throws away the list built above, so
            // AdjustTokenGroups receives the token's current groups unchanged.
            tokenGroups = ti.tokenGroups;

            uint returnLength;

            // The `false` argument corresponds to ResetToDefault if the wrapper mirrors the
            // native signature; the previous state is written back into ti.tokenGroups.
            // BufferLength is Marshal.SizeOf of the managed struct -- confirm that this matches
            // the native layout the call expects.
            if (!advapi32.AdjustTokenGroups(hWorkingToken, false, ref tokenGroups, (uint)Marshal.SizeOf(tokenGroups), ref ti.tokenGroups, out returnLength))
            {
                Misc.GetWin32Error("AdjustTokenGroups");
                return;
            }

            // Re-read the token's groups after the adjustment; only returnLength is reported.
            ti.GetTokenGroups();

            Console.WriteLine(returnLength);
        }
        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
        /// <summary>
        /// Logs an account on through advapi32.LogonUserExExW, supplying a supplementary
        /// group list built by CreateTokens.CreateTokenGroups, and then either impersonates
        /// the resulting token or launches <paramref name="command"/> under it.
        /// </summary>
        /// <param name="domain">Account domain, passed both to the group builder and to the logon call.</param>
        /// <param name="username">Account name; trailing whitespace is trimmed only in the success message.</param>
        /// <param name="password">
        /// Cleartext password handed to LogonUserExExW. NOTE(review): it travels as an
        /// immutable managed string, so it cannot be scrubbed from memory after use.
        /// </param>
        /// <param name="groups">Comma-separated group list; it is split on ',' with no null check, so null throws.</param>
        /// <param name="logonType">Logon type; LOGON32_LOGON_SERVICE additionally triggers a session-ID fix-up.</param>
        /// <param name="command">Program to launch under the new token; null or empty means impersonate instead.</param>
        /// <param name="arguments">Command line passed along with <paramref name="command"/>.</param>
        public void LogonUser(string domain, string username, string password, string groups, Winbase.LOGON_TYPE logonType, string command, string arguments)
        {
            SetWorkingTokenToSelf();
            var tokenFactory = new CreateTokens(hWorkingToken);

            Ntifs._TOKEN_GROUPS        extraGroups;
            Winnt._TOKEN_PRIMARY_GROUP primaryGroup;
            tokenFactory.CreateTokenGroups(domain, username, out extraGroups, out primaryGroup, groups.Split(','));

            // The logon token is stored in hExistingToken; failure is reported via the last Win32 error.
            bool loggedOn = advapi32.LogonUserExExW(
                    username, domain, password,
                    logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT,
                    ref extraGroups, out hExistingToken,
                    IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
            if (!loggedOn)
            {
                Misc.GetWin32Error("LogonUserExExW");
                return;
            }
            Console.WriteLine("[+] Logged On {0}", username.TrimEnd());

            // Service logons get their token session ID rewritten to this process's session;
            // a failure here is reported but not treated as fatal.
            if (logonType == Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE)
            {
                SetWorkingTokenToRemote();
                bool sessionUpdated = SetTokenSessionId(Process.GetCurrentProcess().SessionId);
                if (!sessionUpdated)
                {
                    Console.WriteLine(" [-] Unable to Update Token Session ID, this is likely to cause problems with this token");
                }
            }

            if (!string.IsNullOrEmpty(command))
            {
                // Session 0 callers go through CreateProcessWithLogonW; any other session
                // uses CreateProcessWithTokenW.
                Create launcher = CreateProcess.CreateProcessWithTokenW;
                if (Process.GetCurrentProcess().SessionId == 0)
                {
                    launcher = CreateProcess.CreateProcessWithLogonW;
                }
                launcher(hExistingToken, command, arguments);
                return;
            }

            // No command: impersonate the logged-on account on the current thread instead.
            SetWorkingTokenToRemote();
            ImpersonateUser();
        }