////////////////////////////////////////////////////////////////////////////////
// Creates a suspended process, and then opens a handle to the process
////////////////////////////////////////////////////////////////////////////////
internal Boolean CreateSuspendedProcess(String lpApplicationName)
{
String lpCommandLine = lpApplicationName;
Winbase._SECURITY_ATTRIBUTES lpProcessAttributes = new Winbase._SECURITY_ATTRIBUTES();
Winbase._SECURITY_ATTRIBUTES lpThreadAttributes = new Winbase._SECURITY_ATTRIBUTES();
Winbase._STARTUPINFO lpStartupInfo = new Winbase._STARTUPINFO();
if (!kernel32.CreateProcess(
lpApplicationName,
lpCommandLine,
ref lpProcessAttributes,
ref lpThreadAttributes,
false,
Winbase.CREATION_FLAGS.CREATE_SUSPENDED,
IntPtr.Zero,
null,
ref lpStartupInfo,
out lpProcessInformation
))
{
return(false);
}
Console.WriteLine("[+] Started Process: {0}", lpProcessInformation.dwProcessId);
Console.WriteLine("[+] Started Thread: {0}", lpProcessInformation.dwThreadId);
Console.WriteLine("[+] Recieved Handle: 0x{0}", lpProcessInformation.hProcess.ToString("X4"));
return(ReadPEB());
}
////////////////////////////////////////////////////////////////////////////////
// Impersonates the token from a specified processId
////////////////////////////////////////////////////////////////////////////////
public virtual bool ImpersonateUser()
{
Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES();
if (!advapi32.DuplicateTokenEx(
hWorkingToken,
(uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED,
ref securityAttributes,
Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
Winnt._TOKEN_TYPE.TokenPrimary,
out phNewToken
))
{
Misc.GetWin32Error("DuplicateTokenEx: ");
return(false);
}
Console.WriteLine(" [+] Duplicate Token Handle: 0x{0}", phNewToken.ToString("X4"));
if (!advapi32.ImpersonateLoggedOnUser(phNewToken))
{
Misc.GetWin32Error("ImpersonateLoggedOnUser: "******"[+] Operating as {0}", WindowsIdentity.GetCurrent().Name);
return(true);
}
////////////////////////////////////////////////////////////////////////////////
// Impersonates the token from a specified processId
////////////////////////////////////////////////////////////////////////////////
public virtual Boolean ImpersonateUser(Int32 processId)
{
Console.WriteLine("[*] Impersonating {0}", processId);
GetPrimaryToken((UInt32)processId, "");
if (hExistingToken == IntPtr.Zero)
{
return(false);
}
Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES();
if (!advapi32.DuplicateTokenEx(
hExistingToken,
(UInt32)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED,
ref securityAttributes,
Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
Winnt._TOKEN_TYPE.TokenPrimary,
out phNewToken
))
{
GetWin32Error("DuplicateTokenEx: ");
return(false);
}
Console.WriteLine(" [+] Duplicate Token Handle: 0x{0}", phNewToken.ToString("X4"));
if (!advapi32.ImpersonateLoggedOnUser(phNewToken))
{
GetWin32Error("ImpersonateLoggedOnUser: "******"[+] Operating as {0}", System.Security.Principal.WindowsIdentity.GetCurrent().Name);
return(true);
}
public static extern IntPtr CreateNamedPipeA(
String lpName,
Winbase.OPEN_MODE dwOpenMode,
Winbase.PIPE_MODE dwPipeMode,
UInt32 nMaxInstances,
UInt32 nOutBufferSize,
UInt32 nInBufferSize,
UInt32 nDefaultTimeOut,
Winbase._SECURITY_ATTRIBUTES lpSecurityAttributes
);
public static extern Boolean CreateProcess(
String lpApplicationName,
String lpCommandLine,
ref Winbase._SECURITY_ATTRIBUTES lpProcessAttributes,
ref Winbase._SECURITY_ATTRIBUTES lpThreadAttributes,
Boolean bInheritHandles,
Winbase.CREATION_FLAGS dwCreationFlags,
IntPtr lpEnvironment,
String lpCurrentDirectory,
ref Winbase._STARTUPINFO lpStartupInfo,
out Winbase._PROCESS_INFORMATION lpProcessInformation
);
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
private bool _GetPrimaryToken(uint processId)
{
//Originally Set to true
IntPtr hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_LIMITED_INFORMATION, false, processId);
if (IntPtr.Zero == hProcess)
{
Console.WriteLine(" [-] Unable to Open Process Token: {0}", processId);
return(false);
}
Console.WriteLine("[+] Recieved Handle for: {0}", processId);
Console.WriteLine(" [+] Process Handle: 0x{0}", hProcess.ToString("X4"));
try
{
if (!kernel32.OpenProcessToken(hProcess, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, out hExistingToken))
{
Console.WriteLine(" [-] Unable to Open Process Token");
Misc.GetWin32Error("OpenProcessToken");
return(false);
}
Console.WriteLine(" [+] Primary Token Handle: 0x{0}", hExistingToken.ToString("X4"));
}
catch (Exception ex)
{
Console.WriteLine("[-] {0}", ex.Message);
return(false);
}
finally
{
kernel32.CloseHandle(hProcess);
}
Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES();
if (!advapi32.DuplicateTokenEx(
hExistingToken,
(uint)(Winnt.TOKEN_ALL_ACCESS),
ref securityAttributes,
Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
Winnt._TOKEN_TYPE.TokenPrimary,
out phNewToken
))
{
Misc.GetWin32Error("DuplicateTokenEx: ");
return(false);
}
Console.WriteLine(" [+] Existing Token Handle: 0x{0}", hExistingToken.ToString("X4"));
Console.WriteLine(" [+] New Token Handle: 0x{0}", phNewToken.ToString("X4"));
return(true);
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
private bool _DuplicateToken()
{
Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES();
if (!advapi32.DuplicateTokenEx(
luaToken,
Winnt.TOKEN_IMPERSONATE | Winnt.TOKEN_QUERY,
ref securityAttributes,
Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
Winnt._TOKEN_TYPE.TokenImpersonation,
out phNewToken
))
{
Misc.GetWin32Error("DuplicateTokenEx: ");
return(false);
}
Console.WriteLine(" [+] Duplicate Token Handle : 0x{0}", phNewToken.ToString("X4"));
return(true);
}
////////////////////////////////////////////////////////////////////////////////
// Calls CreateProcessWithTokenW
////////////////////////////////////////////////////////////////////////////////
public Boolean StartProcessAsUser(Int32 processId, String newProcess)
{
GetPrimaryToken((UInt32)processId, "");
if (hExistingToken == IntPtr.Zero)
{
return(false);
}
Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES();
if (!advapi32.DuplicateTokenEx(
hExistingToken,
(UInt32)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED,
ref securityAttributes,
Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
Winnt._TOKEN_TYPE.TokenPrimary,
out phNewToken
))
{
GetWin32Error("DuplicateTokenEx: ");
return(false);
}
Console.WriteLine(" [+] Duplicate Token Handle: 0x{0}", phNewToken.ToString("X4"));
Create createProcess;
if (0 == Process.GetCurrentProcess().SessionId)
{
createProcess = CreateProcess.CreateProcessWithLogonW;
}
else
{
createProcess = CreateProcess.CreateProcessWithTokenW;
}
String arguments = String.Empty;
FindExe(ref newProcess, out arguments);
if (!createProcess(phNewToken, newProcess, arguments))
{
return(false);
}
return(true);
}
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
public Boolean GetPrimaryToken(UInt32 processId)
{
//Originally Set to true
IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_QUERY_LIMITED_INFORMATION, false, processId);
if (hProcess == IntPtr.Zero)
{
Console.WriteLine(" [-] Unable to Open Process Token: {0}", processId);
return(false);
}
Console.WriteLine("[+] Recieved Handle for: {0}", processId);
Console.WriteLine(" [+] Process Handle: {0}", hProcess.ToInt32());
if (!kernel32.OpenProcessToken(hProcess, (UInt32)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, out hExistingToken))
{
Console.WriteLine(" [-] Unable to Open Process Token: {0}", hProcess.ToInt32());
return(false);
}
Console.WriteLine(" [+] Primary Token Handle: {0}", hExistingToken.ToInt32());
kernel32.CloseHandle(hProcess);
Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES();
if (!advapi32.DuplicateTokenEx(
hExistingToken,
(UInt32)(Constants.TOKEN_ALL_ACCESS),
ref securityAttributes,
Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
Winnt._TOKEN_TYPE.TokenPrimary,
out phNewToken
))
{
GetWin32Error("DuplicateTokenEx: ");
return(false);
}
Console.WriteLine(" [+] Existing Token Handle: {0}", hExistingToken.ToInt32());
Console.WriteLine(" [+] New Token Handle: {0}", phNewToken.ToInt32());
kernel32.CloseHandle(hExistingToken);
return(true);
}
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
public Boolean ImpersonateUser()
{
Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES();
if (!advapi32.DuplicateTokenEx(
luaToken,
(UInt32)(Constants.TOKEN_IMPERSONATE | Constants.TOKEN_QUERY),
ref securityAttributes,
Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
Winnt._TOKEN_TYPE.TokenImpersonation,
out phNewToken
))
{
GetWin32Error("DuplicateTokenEx: ");
return(false);
}
Console.WriteLine(" [+] Duplicate Token Handle : 0x{0}", phNewToken.ToString("X4"));
if (!advapi32.ImpersonateLoggedOnUser(phNewToken))
{
GetWin32Error("ImpersonateLoggedOnUser: ");
return(false);
}
return(true);
}
////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
public bool DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL impersonationLevel)
{
if (IntPtr.Zero == hExistingToken)
{
return(false);
}
Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES();
if (!advapi32.DuplicateTokenEx(
hWorkingToken,
(uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED,
ref securityAttributes,
impersonationLevel,
Winnt._TOKEN_TYPE.TokenImpersonation,
out phNewToken
))
{
Misc.GetWin32Error("DuplicateTokenEx: ");
return(false);
}
Console.WriteLine(" [+] Duplicate Token Handle: 0x{0}", phNewToken.ToString("X4"));
return(true);
}
public static extern bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess, ref Winbase._SECURITY_ATTRIBUTES lpTokenAttributes, Winnt._SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, Winnt._TOKEN_TYPE TokenType, out IntPtr phNewToken);
public static extern bool CreateProcessAsUser(IntPtr hToken, IntPtr lpApplicationName, IntPtr lpCommandLine, ref Winbase._SECURITY_ATTRIBUTES lpProcessAttributes, ref Winbase._SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, Winbase.CREATION_FLAGS dwCreationFlags, IntPtr lpEnvironment, IntPtr lpCurrentDirectory, ref Winbase._STARTUPINFO lpStartupInfo, out Winbase._PROCESS_INFORMATION lpProcessInfo);
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
private static Boolean _GetPipeToken(String pipeName)
{
IntPtr hNamedPipe = IntPtr.Zero;
try
{
hNamedPipe = kernel32.CreateNamedPipeA(pipeName, Winbase.OPEN_MODE.PIPE_ACCESS_DUPLEX, Winbase.PIPE_MODE.PIPE_TYPE_MESSAGE | Winbase.PIPE_MODE.PIPE_WAIT, 2, 0, 0, 0, IntPtr.Zero);
if (IntPtr.Zero == hNamedPipe)
{
Tokens.GetWin32Error("CreateNamedPipeA");
return(false);
}
Console.WriteLine("[+] Created Pipe {0}", pipeName);
waitHandle.Set();
if (!kernel32.ConnectNamedPipe(hNamedPipe, IntPtr.Zero))
{
Tokens.GetWin32Error("ConnectNamedPipe");
return(false);
}
Console.WriteLine("[+] Connected to Pipe {0}", pipeName);
Byte[] lpBuffer = new Byte[128];
UInt32 lpNumberOfBytesRead = 0;
if (!kernel32.ReadFile(hNamedPipe, lpBuffer, 1, ref lpNumberOfBytesRead, IntPtr.Zero))
{
Tokens.GetWin32Error("ReadFile");
return(false);
}
Console.WriteLine("[+] Read Pipe {0}", pipeName);
if (!advapi32.ImpersonateNamedPipeClient(hNamedPipe))
{
Tokens.GetWin32Error("ImpersonateNamedPipeClient");
return(false);
}
Console.WriteLine("[+] Impersonated Pipe {0}", pipeName);
Winbase._SECURITY_ATTRIBUTES sa = new Winbase._SECURITY_ATTRIBUTES();
sa.bInheritHandle = false;
sa.nLength = (UInt32)Marshal.SizeOf(sa);
sa.lpSecurityDescriptor = (IntPtr)0;
if (!kernel32.OpenThreadToken(kernel32.GetCurrentThread(), Constants.TOKEN_ALL_ACCESS, false, ref hToken))
{
Tokens.GetWin32Error("OpenThreadToken");
return(false);
}
Console.WriteLine("[+] Thread Token 0x{0}", hToken.ToString("X4"));
IntPtr phNewToken = new IntPtr();
UInt32 result = ntdll.NtDuplicateToken(hToken, Constants.TOKEN_ALL_ACCESS, IntPtr.Zero, true, Winnt._TOKEN_TYPE.TokenPrimary, ref phNewToken);
if (IntPtr.Zero == phNewToken)
{
result = ntdll.NtDuplicateToken(hToken, Constants.TOKEN_ALL_ACCESS, IntPtr.Zero, true, Winnt._TOKEN_TYPE.TokenImpersonation, ref phNewToken);
if (IntPtr.Zero == phNewToken)
{
Tokens.GetNtError("NtDuplicateToken", result);
return(false);
}
}
if (IntPtr.Zero != phNewToken)
{
hToken = phNewToken;
}
}
catch (Exception ex)
{
Console.WriteLine("[-] {0}", ex.Message);
return(false);
}
finally
{
if (IntPtr.Zero != hNamedPipe)
{
kernel32.DisconnectNamedPipe(hNamedPipe);
kernel32.CloseHandle(hNamedPipe);
}
}
return(true);
}
////////////////////////////////////////////////////////////////////////////////
// This is probably going to break on certain consoles - e.g. Hangul || Kanji
////////////////////////////////////////////////////////////////////////////////
private static void _RunAsNetOnly(CommandLineParsing cLP)
{
string[] domain_user;
string domain;
string username;
string un;
if (!cLP.GetData("username", out un))
{
Console.WriteLine("[-] Username not specified");
return;
}
string userInfo = un;
if (userInfo.Contains("\\"))
{
domain_user = userInfo
.Split(new string[] { "\\" }, StringSplitOptions.RemoveEmptyEntries);
domain = (2 == domain_user.Length) ? domain_user[0] : ".";
username = (2 == domain_user.Length) ? domain_user[1] : domain_user[0];
}
else if (userInfo.Contains("@"))
{
domain_user = userInfo
.Split(new string[] { "@" }, StringSplitOptions.RemoveEmptyEntries);
domain = (2 == domain_user.Length) ? domain_user[1] : ".";
username = domain_user[0];
}
else
{
domain = ".";
username = userInfo;
}
string password;
if (!cLP.GetData("password", out password))
{
Console.WriteLine("[-] Password not specified");
return;
}
Console.WriteLine("[*] Username: {0}", username);
Console.WriteLine("[*] Domain: {0}", domain);
Console.WriteLine("[*] Password: {0}", password);
if (string.IsNullOrEmpty(cLP.Command))
{
IntPtr phToken;
bool retVal = advapi32.LogonUser(
username, domain, password,
Winbase.LOGON_TYPE.LOGON32_LOGON_NEW_CREDENTIALS,
Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT,
out phToken
);
if (!retVal || IntPtr.Zero == phToken)
{
Misc.GetWin32Error("LogonUser");
return;
}
Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES();
IntPtr phNewToken;
advapi32.DuplicateTokenEx(
phToken,
(uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED,
ref securityAttributes,
Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
Winnt._TOKEN_TYPE.TokenImpersonation,
out phNewToken
);
kernel32.CloseHandle(phToken);
if (!retVal || IntPtr.Zero == phNewToken)
{
Misc.GetWin32Error("DuplicateTokenEx");
return;
}
WindowsIdentity newId = new WindowsIdentity(phNewToken);
WindowsImpersonationContext impersonatedUser = newId.Impersonate();
Console.WriteLine("[*] If you run \"info /all\", you should now see a thread token in the primary thread.");
if (!retVal)
{
Misc.GetWin32Error("ImpersonateLoggedOnUser");
return;
}
Console.WriteLine("[+] Operating As: {0}", WindowsIdentity.GetCurrent().Name);
}
else
{
Console.WriteLine("[*] Command: {0}", cLP.Command);
Winbase._STARTUPINFO startupInfo = new Winbase._STARTUPINFO
{
cb = (uint)System.Runtime.InteropServices.Marshal.SizeOf(typeof(Winbase._STARTUPINFO))
};
Winbase._PROCESS_INFORMATION processInformation;
bool retVal = advapi32.CreateProcessWithLogonW(
username, domain, password,
Winbase.LOGON_FLAGS.LOGON_NETCREDENTIALS_ONLY,
cLP.Command,
cLP.Arguments,
Winbase.CREATION_FLAGS.CREATE_NEW_PROCESS_GROUP,
IntPtr.Zero,
Environment.CurrentDirectory,
ref startupInfo,
out processInformation
);
if (!retVal)
{
Misc.GetWin32Error("CreateProcessWithLogonW");
return;
}
Console.WriteLine("[+] Process ID: {0}", processInformation.dwProcessId);
Console.WriteLine("[+] Thread ID: {0}", processInformation.dwThreadId);
}
}
