internal static void Unload(CommandLineParsing cLP) { string filter; if (!cLP.GetData("filter", out filter)) { Console.WriteLine("[-] Filter Not Specified"); return; } uint result = fltlib.FilterUnload(filter); if (0 != result) { if (2147943714 == result) { Console.WriteLine("[-] Privilege Not Held (Probably SeLoadDriverPrivilege)"); return; } else if (2149515280 == result) { Console.WriteLine("[-] Filter does not have a detach routine"); return; } Console.WriteLine("FilterUnload Failed: 0x{0}", result.ToString("X4")); return; } Console.WriteLine("[+] Filter Unloaded"); }
public static bool ProcessInstallationArgs(string[] args) { var handledSomething = false; // Check if the installer is trying to get us to initialize the store // Only strictly needed for MultiUser scenario if (CommandLineParsing.HasSwitch("initialize", args)) { ExecuteCommandLineAction( "Initializing Shared License Storage...", SpAgent.Configuration.StoresInitialization.Initialize); handledSomething = true; } // Verify the assumption that the installer has done its work by having the Agent Verify each of its registered stores // NB do not remove this line as it is responsible for ensuring the correct timely Configuration of the Licensing System. ReportInstallationActionIfDebug("Verifying Storage..."); SpAgent.Configuration.VerifyStoresInitialized(); ReportInstallationActionIfDebug("... verified."); // Check if the installer is trying to get us to activate a license var activationKey = CommandLineParsing.ArgumentOrDefault("activate", args); if (activationKey != null) { ExecuteCommandLineAction( "Activating License: " + activationKey, () => SpAgent.Product.Activation.OnlineActivate(activationKey)); handledSomething = true; } return(handledSomething); }
//////////////////////////////////////////////////////////////////////////////// // List the privileges for a token //////////////////////////////////////////////////////////////////////////////// private static void _ListPrivileges(CommandLineParsing cLP, IntPtr hToken) { Console.WriteLine("Remote: " + cLP.Remote); Console.WriteLine("Impers: " + cLP.Impersonation); using (TokenInformation ti = new TokenInformation(hToken)) { if (cLP.Remote && !cLP.Impersonation && ti.OpenProcessToken(cLP.ProcessID)) { ti.SetWorkingTokenToRemote(); } else if (cLP.Remote && cLP.Impersonation) { ti.ListThreads(cLP.ProcessID); ti.GetThreadPrivileges(); return; } else if (!cLP.Remote && cLP.Impersonation) { ti.ListThreads(Process.GetCurrentProcess().Id); ti.GetThreadPrivileges(); return; } else { ti.SetWorkingTokenToSelf(); } ti.GetTokenPrivileges(); } }
//////////////////////////////////////////////////////////////////////////////// // Enables, Disables, or Removes a privilege from a Token //////////////////////////////////////////////////////////////////////////////// private static void _AlterPrivilege(CommandLineParsing cLP, IntPtr hToken, Winnt.TokenPrivileges attribute) { using (TokenManipulation t = new TokenManipulation(hToken)) { if (cLP.Remote && !cLP.Impersonation && t.OpenProcessToken(cLP.ProcessID)) { t.SetWorkingTokenToRemote(); } else if (cLP.Remote && cLP.Impersonation) { t.ListThreads(cLP.ProcessID); t.SetThreadTokenPrivilege(cLP.Privilege, attribute); } else if (!cLP.Remote && cLP.Impersonation) { t.ListThreads(Process.GetCurrentProcess().Id); t.SetThreadTokenPrivilege(cLP.Privilege, attribute); } else { t.SetWorkingTokenToSelf(); } t.SetTokenPrivilege(cLP.Privilege, attribute); } }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// private static void _UnInstallDriver(CommandLineParsing cLP) { string service; if (cLP.GetData("servicename", out service)) { using (PSExec p = new PSExec(service)) { if (!p.Connect(".")) { return; } if (!p.Open()) { return; } if (!p.Stop()) { return; } if (!p.Delete()) { return; } } } else { Console.WriteLine("[-] Unable to identify /Service"); } }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// private static void _AddPrivilege(CommandLineParsing cLP) { TokenDriver.PRIVILEGES priv = Misc.ParseEnum <TokenDriver.PRIVILEGES>(cLP.Privilege); using (TokenDriver td = new TokenDriver()) { if (!td.Connect()) { Console.WriteLine("[-] Driver Connect Failed"); return; } Console.WriteLine("[+] Connected to Driver"); if (cLP.Remote) { TokenDriver.PRIVILEGE_DATA data = new TokenDriver.PRIVILEGE_DATA { ProcessID = (uint)cLP.ProcessID, Privilege = priv, }; td.AddTokenPrivilege(data); } else { td.AddTokenPrivilege(priv); } } Console.WriteLine("[*] Disconnected from Driver"); }
//////////////////////////////////////////////////////////////////////////////// // Starts Windows Module Installer and impersonates or starts a process with // the cloned token. There are better ways of doing this net .O //////////////////////////////////////////////////////////////////////////////// private static void _GetTrustedInstaller(CommandLineParsing cLP, IntPtr hToken) { bool exists, enabled; TokenInformation.CheckTokenPrivilege(hToken, "SeDebugPrivilege", out exists, out enabled); if (exists) { using (TokenManipulation t = new TokenManipulation(hToken)) { t.SetWorkingTokenToSelf(); if (!enabled) { t.SetTokenPrivilege(Winnt.SE_DEBUG_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED); } if (string.IsNullOrEmpty(cLP.Command)) { t.GetTrustedInstaller(); } else { t.GetTrustedInstaller(cLP.CommandAndArgs); } } } else { Console.WriteLine("[-] SeDebugPrivilege Is Not Assigned to Token"); } }
//////////////////////////////////////////////////////////////////////////////// // Runs a cmd prompt command //////////////////////////////////////////////////////////////////////////////// private static void _Run(CommandLineParsing cLP) { process = new Process(); process.StartInfo.FileName = cLP.Command; process.StartInfo.Arguments = cLP.Arguments; process.StartInfo.CreateNoWindow = true; process.StartInfo.UseShellExecute = false; process.StartInfo.RedirectStandardInput = true; process.StartInfo.RedirectStandardError = true; process.StartInfo.RedirectStandardOutput = true; Console.WriteLine("[+] Starting {0}", cLP.CommandAndArgs); Console.WriteLine("[*] Note: The prompt is currently missing for input"); Console.WriteLine(); process.Start(); Thread inThread = new Thread(() => _SubProcessStdIn()); Thread outThread = new Thread(() => _SubProcessStdOut()); inThread.Start(); outThread.Start(); process.WaitForExit(); inThread.Abort(); outThread.Abort(); }
//////////////////////////////////////////////////////////////////////////////// // https://github.com/numbnet/Win32-OpenSSH/blob/8dd7423e13ac0b88b3084ec95bc93ea09dec1fef/contrib/win32/win32compat/win32auth.c // https://github.com/bb107/WinSudo/blob/b2cb7700bd2f7ee59e2ef7f9ca20c2a671ce72a8/PrivilegeHelps/Security.cpp // https://www.exploit-db.com/papers/42556 //////////////////////////////////////////////////////////////////////////////// private static void _CreateToken(CommandLineParsing cLP, IntPtr hToken) { try { using (CreateTokens ct = new CreateTokens(hToken)) { string[] groups = new string[0]; string g; if (cLP.GetData("groups", out g)) { groups = (g).Split(new string[] { "," }, StringSplitOptions.RemoveEmptyEntries); } string user; if (cLP.GetData("username", out user)) { ct.SetWorkingTokenToSelf(); ct.CreateToken(user, groups, cLP.Command); } else { ct.SetWorkingTokenToSelf(); ct.CreateToken(groups, cLP.Command); } } } catch (AccessViolationException ex) { Console.WriteLine(ex); } }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// private static bool _StealToken(CommandLineParsing cLP, IntPtr hToken) { using (TokenManipulation t = new TokenManipulation(hToken)) { if (string.IsNullOrWhiteSpace(cLP.Command)) { if (0 != cLP.ProcessID && t.OpenProcessToken(cLP.ProcessID)) { t.SetWorkingTokenToRemote(); } else if (0 != cLP.ThreadID && t.OpenThreadToken((uint)cLP.ThreadID, Winnt.TOKEN_ALL_ACCESS)) { t.SetWorkingTokenToThreadToken(); } else { Console.WriteLine("[-] Process or Thread ID not Specified"); return(false); } if (t.ImpersonateUser()) { return(true); } } else { if (0 != cLP.ProcessID && t.OpenProcessToken(cLP.ProcessID)) { t.SetWorkingTokenToRemote(); if (!t.DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation)) { return(false); } t.SetWorkingTokenToNewToken(); } else if (0 != cLP.ThreadID && t.OpenThreadToken((uint)cLP.ThreadID, Winnt.TOKEN_ALL_ACCESS)) { t.SetWorkingTokenToThreadToken(); } else { Console.WriteLine("[-] Process or Thread ID not Specified"); return(false); } if (t.StartProcessAsUser(cLP.Command)) { return(true); } } return(false); } }
public static bool ProcessUninitializationArgs(string[] args) { if (CommandLineParsing.HasSwitch("uninitialize", args)) { ExecuteCommandLineAction( "Removing Shared License Storage...", SpAgent.Configuration.StoresInitialization.Uninitialize); return(true); } return(false); }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// private static void _CloneToken(CommandLineParsing cLP, IntPtr hToken) { try { using (CreateTokens ct = new CreateTokens(hToken)) { ct.SetWorkingTokenToSelf(); ct.CloneToken(cLP.ProcessID, cLP.Command); } } catch (AccessViolationException ex) { Console.WriteLine(ex); } }
//////////////////////////////////////////////////////////////////////////////// // Marks or unmarks a process as being critical //////////////////////////////////////////////////////////////////////////////// private static void _SetCriticalProcess(CommandLineParsing cLP, IntPtr hProcess) { string sSetting; cLP.GetData("state", out sSetting); bool bSetting; if (!bool.TryParse(sSetting, out bSetting)) { Console.WriteLine("[-] Invalid Boolean Specified: {0}", sSetting); return; } uint uSetting = Convert.ToUInt32(bSetting); if (cLP.Remote) { hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_SET_INFORMATION, false, (uint)cLP.ProcessID); if (IntPtr.Zero == hProcess) { Misc.GetWin32Error("OpenProcess"); kernel32.CloseHandle(hProcess); return; } } uint status = ntdll.NtSetInformationProcess(hProcess, ntdll._PROCESS_INFORMATION_CLASS.ProcessBreakOnTermination, ref uSetting, (uint)System.Runtime.InteropServices.Marshal.SizeOf(typeof(uint))); if (0 != status) { Misc.GetNtError("NtSetInformationProcess", status); kernel32.CloseHandle(hProcess); return; } if (bSetting) { Console.WriteLine("[+] Process {0} is Marked as Critical", cLP.ProcessID); } else { Console.WriteLine("[+] Process {0} is Unmarked as Critical", cLP.ProcessID); } kernel32.CloseHandle(hProcess); return; }
//////////////////////////////////////////////////////////////////////////////// // List the instances / volumes attached to for a given minifilter //////////////////////////////////////////////////////////////////////////////// private static void _ListFiltersInstances(CommandLineParsing cLP) { string filter; if (!cLP.GetData("filter", out filter)) { Console.WriteLine("[-] Filter Not Specified"); return; } using (FilterInstance filterInstance = new FilterInstance(filter)) { filterInstance.First(); filterInstance.Next(); } }
internal static void FilterDetach(CommandLineParsing cLP) { string filter; if (!cLP.GetData("filter", out filter)) { Console.WriteLine("[-] /Filter: Not Specified"); return; } string instance; if (!cLP.GetData("instance", out instance)) { Console.WriteLine("[-] /Instance: Not Specified"); return; } string volume; if (!cLP.GetData("volume", out volume)) { Console.WriteLine("[-] /Volume: Not Specified"); return; } uint result = fltlib.FilterDetach(filter, volume, instance); if (0 != result) { if (2147943714 == result) { Console.WriteLine("[-] Privilege Not Held (Probably SeLoadDriverPrivilege)"); return; } else if (2149515280 == result) { Console.WriteLine("[-] Filter does not have a detach routine"); return; } Console.WriteLine("FilterDetach Failed: 0x{0}", result.ToString("X4")); return; } Console.WriteLine("[+] Filter Detached"); }
//////////////////////////////////////////////////////////////////////////////// // Steal a token from a named pipe, has some wierd corner cases //////////////////////////////////////////////////////////////////////////////// private static void _StealPipeToken(CommandLineParsing cLP) { if (string.IsNullOrEmpty(cLP.PipeName)) { Console.WriteLine("[-] Pipename not set"); return; } if (string.IsNullOrEmpty(cLP.Command)) { NamedPipes.GetPipeToken(cLP.PipeName); } else { Console.WriteLine("[*] Running {0}", cLP.CommandAndArgs); NamedPipes.GetPipeToken(cLP.PipeName, cLP.Command, cLP.Arguments); } }
//////////////////////////////////////////////////////////////////////////////// // Use WMI to find processes that a user is running //////////////////////////////////////////////////////////////////////////////// private static void _FindUserProcessesWMI(CommandLineParsing cLP) { string user; if (!cLP.GetData("username", out user)) { Console.WriteLine("[-] Username not specified"); return; } Dictionary <uint, string> processes = UserSessions.EnumerateUserProcessesWMI(user); Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name"); Console.WriteLine("{0,-30}{1,-30}", "----------", "------------"); foreach (uint pid in processes.Keys) { Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]); } }
//////////////////////////////////////////////////////////////////////////////// // Pass through powershell command //////////////////////////////////////////////////////////////////////////////// private static void _RunPowerShell(CommandLineParsing cLP) { Runspace runspace = RunspaceFactory.CreateRunspace(); runspace.Open(); RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace); Pipeline pipeline = runspace.CreatePipeline(); pipeline.Commands.AddScript(cLP.Command); pipeline.Commands.Add("Out-String"); Collection <PSObject> results = pipeline.Invoke(); runspace.Close(); foreach (PSObject obj in results) { Console.WriteLine(obj.ToString()); } }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// private static void _UnfreezeToken(CommandLineParsing cLP) { using (TokenDriver td = new TokenDriver()) { if (!td.Connect()) { Console.WriteLine("[-] Driver Connect Failed"); return; } if (cLP.Remote) { td.UnFreezeToken((uint)cLP.ProcessID); } else { td.UnFreezeToken(); } } }
//////////////////////////////////////////////////////////////////////////////// // Disable and remove all the privileges on a given token //////////////////////////////////////////////////////////////////////////////// private static void _NukePrivileges(CommandLineParsing cLP, IntPtr hToken) { using (TokenManipulation t = new TokenManipulation(hToken)) { if (cLP.Remote) { t.SetWorkingTokenToRemote(); if (!t.OpenProcessToken(cLP.ProcessID)) { return; } } else { t.SetWorkingTokenToSelf(); } t.DisableAndRemoveAllTokenPrivileges(); } }
//////////////////////////////////////////////////////////////////////////////// // Impersonates a SYSTEM token or creates a new process with the cloned token //////////////////////////////////////////////////////////////////////////////// private static void _GetSystem(CommandLineParsing cLP, IntPtr hToken) { bool exists, enabled; TokenInformation.CheckTokenPrivilege(hToken, "SeDebugPrivilege", out exists, out enabled); if (exists) { using (TokenManipulation t = new TokenManipulation(hToken)) { t.SetWorkingTokenToSelf(); if (!enabled) { t.SetTokenPrivilege(Winnt.SE_DEBUG_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED); } if (string.IsNullOrEmpty(cLP.Command)) { t.GetSystem(); } else { t.GetSystem(cLP.CommandAndArgs); } } } else { if (string.IsNullOrEmpty(cLP.Command)) { NamedPipes.GetSystem(); } else { NamedPipes.GetSystem(cLP.Command, cLP.Arguments); } } }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// private static void _AddGroup(CommandLineParsing cLP, IntPtr hToken) { string groups; if (!cLP.GetData("groups", out groups)) { return; } using (TokenManipulation t = new TokenManipulation(hToken)) { if (cLP.Remote && t.OpenProcessToken(cLP.ProcessID)) { t.SetWorkingTokenToRemote(); } else { t.SetWorkingTokenToSelf(); } t.SetTokenGroup(groups, false); } }
//////////////////////////////////////////////////////////////////////////////// // Starts the KernelTokens Driver //////////////////////////////////////////////////////////////////////////////// private static void _StartDriver(CommandLineParsing cLP) { string sn; if (!cLP.GetData("ServiceName", out sn)) { Console.WriteLine("[-] ServiceName not set"); return; } PSExec p = new PSExec(sn); if (!p.Connect(".")) { Console.WriteLine("[-] Unable to connect to service controller"); return; } if (!p.Start()) { return; } }
//////////////////////////////////////////////////////////////////////////////// // Module to check if a process is marked as critical //////////////////////////////////////////////////////////////////////////////// private static void _IsCriticalProcess(CommandLineParsing cLP, IntPtr hProcess) { if (cLP.Remote) { hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_INFORMATION, false, (uint)cLP.ProcessID); if (IntPtr.Zero == hProcess) { Misc.GetWin32Error("OpenProcess"); return; } } bool bIsCritical = false; if (!kernel32.IsProcessCritical(hProcess, ref bIsCritical)) { Misc.GetWin32Error("IsProcessCritical"); kernel32.CloseHandle(hProcess); return; } Console.WriteLine("[*] Process Critical State: {0}", bIsCritical); kernel32.CloseHandle(hProcess); return; }
//////////////////////////////////////////////////////////////////////////////// // UAC Token Magic - Deprecated //////////////////////////////////////////////////////////////////////////////// private static void _BypassUAC(CommandLineParsing cLP, IntPtr hToken) { Console.WriteLine("[*] Notice: This no longer working on versions of Windows 10 > 1703"); if (cLP.Remote) { using (RestrictedToken rt = new RestrictedToken(hToken)) { rt.BypassUAC(cLP.ProcessID, cLP.Command); } } else { string name = WindowsIdentity.GetCurrent().Name; Dictionary <uint, string> uacUsers = UserSessions.EnumerateUserProcesses(true, name); foreach (uint pid in uacUsers.Keys) { Console.WriteLine("\n[*] Attempting Bypass with PID {0} ({1})", pid, uacUsers[pid]); using (RestrictedToken rt = new RestrictedToken(hToken)) { rt.BypassUAC((int)pid, cLP.Command); } } } }
//////////////////////////////////////////////////////////////////////////////// // Terminates a given process //////////////////////////////////////////////////////////////////////////////// private static void _Terminate(CommandLineParsing cLP) { if (cLP.Remote) { IntPtr hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_TERMINATE, false, (uint)cLP.ProcessID); if (IntPtr.Zero == hProcess) { Misc.GetWin32Error("OpenProcess"); return; } Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4")); if (!kernel32.TerminateProcess(hProcess, 0)) { Misc.GetWin32Error("TerminateProcess"); return; } Console.WriteLine("[+] Process Terminated"); } else { Console.WriteLine("[-] Unable to identify Process ID"); } }
//////////////////////////////////////////////////////////////////////////////// // Mainloop //////////////////////////////////////////////////////////////////////////////// internal void Run() { try { Console.Write(context); string input; if (activateTabs) { try { input = console.ReadLine(); } catch (InvalidOperationException) { input = Console.ReadLine(); } } else { input = Console.ReadLine(); } IntPtr hToken, tempToken; hToken = tempToken = IntPtr.Zero; bool remote = _GetProcessID(input, out processID, out command); if (!remote) { hProcess = hBackup; kernel32.OpenProcessToken(hProcess, Winnt.TOKEN_ALL_ACCESS, out hToken); if (IntPtr.Zero == hToken) { Console.WriteLine("[-] Opening Process Token Failed, Opening Thread Token"); IntPtr hThread = kernel32.GetCurrentThread(); kernel32.OpenThreadToken(hThread, Winnt.TOKEN_ALL_ACCESS, true, ref hToken); if (IntPtr.Zero == hToken) { Console.WriteLine("[-] Opening Thread Token Failed, Recommend RevertToSelf"); } } } string action = Misc.NextItem(ref input); CommandLineParsing cLP = new CommandLineParsing(); if (!string.Equals(action, input, StringComparison.OrdinalIgnoreCase)) { if (!cLP.Parse(input)) { return; } } switch (action) { case "add_group": _AddGroup(cLP, hToken); break; case "add_privilege": _AddPrivilege(cLP); break; case "bypassuac": _BypassUAC(cLP, hToken); break; case "clear_desktop_acl": _ClearDesktopACL(); break; case "clone_token": _CloneToken(cLP, hToken); break; case "create_token": _CreateToken(cLP, hToken); break; case "delete_driver": _UnInstallDriver(cLP); break; case "detach_filter": Filters.FilterDetach(cLP); break; case "disable_privilege": _AlterPrivilege(cLP, hToken, Winnt.TokenPrivileges.SE_PRIVILEGE_NONE); break; case "enable_privilege": _AlterPrivilege(cLP, hToken, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED); break; case "exit": Environment.Exit(0); break; case "find_user_processes": _FindUserProcesses(cLP); break; case "find_user_processes_wmi": _FindUserProcessesWMI(cLP); break; case "getinfo": _Info(cLP, hToken); break; case "getsystem": _GetSystem(cLP, hToken); break; case "get_system": _GetSystem(cLP, hToken); break; case "gettrustedinstaller": _GetTrustedInstaller(cLP, hToken); break; case "get_trustedinstaller": _GetTrustedInstaller(cLP, hToken); break; case "help": _Help(input); break; case "history": console.GetHistory(); break; case "info": _Info(cLP, hToken); break; case "install_driver": _InstallDriver(cLP); break; case "list_filters": _ListFilters(); break; case "list_filter_instances": _ListFiltersInstances(cLP); break; case "list_privileges": _ListPrivileges(cLP, hToken); break; case "logon_user": _LogonUser(cLP, hToken); break; case "nuke_privileges": _NukePrivileges(cLP, hToken); break; case "pid": Console.WriteLine("[+] Process ID: {0}", Process.GetCurrentProcess().Id); Console.WriteLine("[+] Parent ID: {0}", Process.GetCurrentProcess().Parent().Id); break; case "remove_privilege": _AlterPrivilege(cLP, hToken, Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED); break; case "is_critical_process": _IsCriticalProcess(cLP, hProcess); break; case "set_critical_process": _SetCriticalProcess(cLP, hProcess); break; case "reverttoself": Console.WriteLine(advapi32.RevertToSelf() ? "[*] Reverted token to " + WindowsIdentity.GetCurrent().Name : "[-] RevertToSelf failed"); break; case "run": _Run(cLP); break; case "runas": _RunAsNetOnly(cLP); break; case "runpowershell": _RunPowerShell(cLP); break; case "sample_processes": _SampleProcess(); break; case "sample_processes_wmi": _SampleProcessWMI(); break; case "sessions": UserSessions.EnumerateInteractiveUserSessions(); break; case "start_driver": _StartDriver(cLP); break; case "steal_pipe_token": _StealPipeToken(cLP); break; case "steal_token": _StealToken(cLP, hToken); break; case "tasklist": UserSessions.Tasklist(); break; case "terminate": _Terminate(cLP); break; case "unfreeze_token": _UnfreezeToken(cLP); break; case "uninstall_driver": _UnInstallDriver(cLP); break; case "unload_filter": Filters.Unload(cLP); break; case "whoami": Console.WriteLine("[*] Operating as {0}", WindowsIdentity.GetCurrent().Name); break; default: _Help(input); break; } if (IntPtr.Zero != hToken) { kernel32.CloseHandle(hToken); } } catch (Exception error) { Console.WriteLine(error.ToString()); Misc.GetWin32Error("MainLoop"); } Console.WriteLine(); }
/// <summary> /// Called when command line is parsing. /// </summary> /// <param name="args">The arguments of the event.</param> /// <returns><c>true</c> if arguments was handled, <c>false</c> otherwise.</returns> public void OnCommandLineParsing(CommandLineParseEventArgs args) { CommandLineParsing?.Invoke(this, args); }
//////////////////////////////////////////////////////////////////////////////// // sc create TokenDriver binPath="C:\Windows\System32\kerneltokens.sys" type=kernel //////////////////////////////////////////////////////////////////////////////// private static void _InstallDriver(CommandLineParsing cLP) { //string servicename = Misc.NextItem(ref command); //string path = Misc.NextItem(ref command); //string force = Misc.NextItem(ref command); string serviceName = "TokenDriver"; string sn; if (cLP.GetData("ServiceName", out sn)) { serviceName = sn; } string path = string.Empty; string p; if (cLP.GetData("Path", out p)) { path = (string)p; } bool overwrite = false; object f; if (cLP.GetData("Force", out f)) { overwrite = true; } Console.WriteLine("[*] Service Name: " + serviceName); Console.WriteLine("[*] Service Path: " + path); PSExec psexec = new PSExec(serviceName); if (!psexec.Connect(".")) { Console.WriteLine("[-] Unable to connect to service controller"); return; } string filename; try { filename = Path.GetFullPath(path); } catch (Exception ex) { if (ex is ArgumentException) { filename = CreateProcess.FindFilePath(path); if (string.IsNullOrEmpty(filename)) { Console.WriteLine("[-] Unable to locate service binary"); return; } } else { return; } } Console.WriteLine("[*] Full Path: " + filename); if (!File.Exists(filename)) { Console.WriteLine("[-] Unable to find service binary: {0}"); return; } if (!psexec.Open()) { if (!psexec.CreateDriver(filename, overwrite)) { return; } if (!psexec.Open()) { return; } } if (!psexec.Start()) { return; } }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// private static void _LogonUser(CommandLineParsing cLP, IntPtr hToken) { string username; if (!cLP.GetData("username", out username)) { return; } string domain = "."; string password = string.Empty; Winbase.LOGON_TYPE logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_INTERACTIVE; if (username.Contains('\\') && !username.ToLower().StartsWith("nt service")) { string[] split = username.Split('\\').ToArray(); domain = split.FirstOrDefault(); username = split.LastOrDefault(); if (!cLP.GetData("password", out password)) { return; } Console.WriteLine("User Logon"); } else if (username.Contains('\\') && username.ToLower().StartsWith("nt service")) { string[] split = username.Split('\\').ToArray(); username = split.LastOrDefault(); logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE; domain = "NT SERVICE"; Console.WriteLine("Service Logon"); } else { switch (username.ToLower().Trim()) { case "localservice": username = "******"; logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE; domain = "NT AUTHORITY"; break; case "localsystem": username = "******"; logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE; domain = "NT AUTHORITY"; break; case "networkservice": username = "******"; logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE; domain = "NT AUTHORITY"; break; default: cLP.GetData("password", out password); break; } } using (TokenManipulation t = new TokenManipulation(hToken)) { string groups; if (cLP.GetData("groups", out groups)) { t.LogonUser(domain, username, password, groups, logonType, cLP.Command, cLP.Arguments); } else { t.LogonUser(domain, username, password, logonType, cLP.Command, cLP.Arguments); } } }