////////////////////////////////////////////////////////////////////////////////
// Enables, Disables, or Removes a privilege from a Token
////////////////////////////////////////////////////////////////////////////////
private static void _AlterPrivilege(CommandLineParsing cLP, IntPtr hToken, Winnt.TokenPrivileges attribute)
{
using (TokenManipulation t = new TokenManipulation(hToken))
{
if (cLP.Remote && !cLP.Impersonation && t.OpenProcessToken(cLP.ProcessID))
{
t.SetWorkingTokenToRemote();
}
else if (cLP.Remote && cLP.Impersonation)
{
t.ListThreads(cLP.ProcessID);
t.SetThreadTokenPrivilege(cLP.Privilege, attribute);
}
else if (!cLP.Remote && cLP.Impersonation)
{
t.ListThreads(Process.GetCurrentProcess().Id);
t.SetThreadTokenPrivilege(cLP.Privilege, attribute);
}
else
{
t.SetWorkingTokenToSelf();
}
t.SetTokenPrivilege(cLP.Privilege, attribute);
}
}
////////////////////////////////////////////////////////////////////////////////
// Starts Windows Module Installer and impersonates or starts a process with
// the cloned token. There are better ways of doing this net .O
////////////////////////////////////////////////////////////////////////////////
private static void _GetTrustedInstaller(CommandLineParsing cLP, IntPtr hToken)
{
bool exists, enabled;
TokenInformation.CheckTokenPrivilege(hToken, "SeDebugPrivilege", out exists, out enabled);
if (exists)
{
using (TokenManipulation t = new TokenManipulation(hToken))
{
t.SetWorkingTokenToSelf();
if (!enabled)
{
t.SetTokenPrivilege(Winnt.SE_DEBUG_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
}
if (string.IsNullOrEmpty(cLP.Command))
{
t.GetTrustedInstaller();
}
else
{
t.GetTrustedInstaller(cLP.CommandAndArgs);
}
}
}
else
{
Console.WriteLine("[-] SeDebugPrivilege Is Not Assigned to Token");
}
}
////////////////////////////////////////////////////////////////////////////////
// Disable and remove all the privileges on a given token
////////////////////////////////////////////////////////////////////////////////
private static void _NukePrivileges(CommandLineParsing cLP, IntPtr hToken)
{
using (TokenManipulation t = new TokenManipulation(hToken))
{
if (cLP.Remote)
{
t.SetWorkingTokenToRemote();
if (!t.OpenProcessToken(cLP.ProcessID))
{
return;
}
}
else
{
t.SetWorkingTokenToSelf();
}
t.DisableAndRemoveAllTokenPrivileges();
}
}
////////////////////////////////////////////////////////////////////////////////
// Impersonates a SYSTEM token or creates a new process with the cloned token
////////////////////////////////////////////////////////////////////////////////
private static void _GetSystem(CommandLineParsing cLP, IntPtr hToken)
{
bool exists, enabled;
TokenInformation.CheckTokenPrivilege(hToken, "SeDebugPrivilege", out exists, out enabled);
if (exists)
{
using (TokenManipulation t = new TokenManipulation(hToken))
{
t.SetWorkingTokenToSelf();
if (!enabled)
{
t.SetTokenPrivilege(Winnt.SE_DEBUG_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
}
if (string.IsNullOrEmpty(cLP.Command))
{
t.GetSystem();
}
else
{
t.GetSystem(cLP.CommandAndArgs);
}
}
}
else
{
if (string.IsNullOrEmpty(cLP.Command))
{
NamedPipes.GetSystem();
}
else
{
NamedPipes.GetSystem(cLP.Command, cLP.Arguments);
}
}
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
private static void _AddGroup(CommandLineParsing cLP, IntPtr hToken)
{
string groups;
if (!cLP.GetData("groups", out groups))
{
return;
}
using (TokenManipulation t = new TokenManipulation(hToken))
{
if (cLP.Remote && t.OpenProcessToken(cLP.ProcessID))
{
t.SetWorkingTokenToRemote();
}
else
{
t.SetWorkingTokenToSelf();
}
t.SetTokenGroup(groups, false);
}
}