//////////////////////////////////////////////////////////////////////////////// // Creates a suspended process, and then opens a handle to the process //////////////////////////////////////////////////////////////////////////////// internal Boolean CreateSuspendedProcess(String lpApplicationName) { String lpCommandLine = lpApplicationName; Winbase._SECURITY_ATTRIBUTES lpProcessAttributes = new Winbase._SECURITY_ATTRIBUTES(); Winbase._SECURITY_ATTRIBUTES lpThreadAttributes = new Winbase._SECURITY_ATTRIBUTES(); Winbase._STARTUPINFO lpStartupInfo = new Winbase._STARTUPINFO(); if (!kernel32.CreateProcess( lpApplicationName, lpCommandLine, ref lpProcessAttributes, ref lpThreadAttributes, false, Winbase.CREATION_FLAGS.CREATE_SUSPENDED, IntPtr.Zero, null, ref lpStartupInfo, out lpProcessInformation )) { return(false); } Console.WriteLine("[+] Started Process: {0}", lpProcessInformation.dwProcessId); Console.WriteLine("[+] Started Thread: {0}", lpProcessInformation.dwThreadId); Console.WriteLine("[+] Recieved Handle: 0x{0}", lpProcessInformation.hProcess.ToString("X4")); return(ReadPEB()); }
//////////////////////////////////////////////////////////////////////////////// // Impersonates the token from a specified processId //////////////////////////////////////////////////////////////////////////////// public virtual bool ImpersonateUser() { Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES(); if (!advapi32.DuplicateTokenEx( hWorkingToken, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, ref securityAttributes, Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, Winnt._TOKEN_TYPE.TokenPrimary, out phNewToken )) { Misc.GetWin32Error("DuplicateTokenEx: "); return(false); } Console.WriteLine(" [+] Duplicate Token Handle: 0x{0}", phNewToken.ToString("X4")); if (!advapi32.ImpersonateLoggedOnUser(phNewToken)) { Misc.GetWin32Error("ImpersonateLoggedOnUser: "******"[+] Operating as {0}", WindowsIdentity.GetCurrent().Name); return(true); }
//////////////////////////////////////////////////////////////////////////////// // Impersonates the token from a specified processId //////////////////////////////////////////////////////////////////////////////// public virtual Boolean ImpersonateUser(Int32 processId) { Console.WriteLine("[*] Impersonating {0}", processId); GetPrimaryToken((UInt32)processId, ""); if (hExistingToken == IntPtr.Zero) { return(false); } Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES(); if (!advapi32.DuplicateTokenEx( hExistingToken, (UInt32)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, ref securityAttributes, Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, Winnt._TOKEN_TYPE.TokenPrimary, out phNewToken )) { GetWin32Error("DuplicateTokenEx: "); return(false); } Console.WriteLine(" [+] Duplicate Token Handle: 0x{0}", phNewToken.ToString("X4")); if (!advapi32.ImpersonateLoggedOnUser(phNewToken)) { GetWin32Error("ImpersonateLoggedOnUser: "******"[+] Operating as {0}", System.Security.Principal.WindowsIdentity.GetCurrent().Name); return(true); }
public static extern IntPtr CreateNamedPipeA( String lpName, Winbase.OPEN_MODE dwOpenMode, Winbase.PIPE_MODE dwPipeMode, UInt32 nMaxInstances, UInt32 nOutBufferSize, UInt32 nInBufferSize, UInt32 nDefaultTimeOut, Winbase._SECURITY_ATTRIBUTES lpSecurityAttributes );
public static extern Boolean CreateProcess( String lpApplicationName, String lpCommandLine, ref Winbase._SECURITY_ATTRIBUTES lpProcessAttributes, ref Winbase._SECURITY_ATTRIBUTES lpThreadAttributes, Boolean bInheritHandles, Winbase.CREATION_FLAGS dwCreationFlags, IntPtr lpEnvironment, String lpCurrentDirectory, ref Winbase._STARTUPINFO lpStartupInfo, out Winbase._PROCESS_INFORMATION lpProcessInformation );
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// private bool _GetPrimaryToken(uint processId) { //Originally Set to true IntPtr hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_LIMITED_INFORMATION, false, processId); if (IntPtr.Zero == hProcess) { Console.WriteLine(" [-] Unable to Open Process Token: {0}", processId); return(false); } Console.WriteLine("[+] Recieved Handle for: {0}", processId); Console.WriteLine(" [+] Process Handle: 0x{0}", hProcess.ToString("X4")); try { if (!kernel32.OpenProcessToken(hProcess, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, out hExistingToken)) { Console.WriteLine(" [-] Unable to Open Process Token"); Misc.GetWin32Error("OpenProcessToken"); return(false); } Console.WriteLine(" [+] Primary Token Handle: 0x{0}", hExistingToken.ToString("X4")); } catch (Exception ex) { Console.WriteLine("[-] {0}", ex.Message); return(false); } finally { kernel32.CloseHandle(hProcess); } Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES(); if (!advapi32.DuplicateTokenEx( hExistingToken, (uint)(Winnt.TOKEN_ALL_ACCESS), ref securityAttributes, Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, Winnt._TOKEN_TYPE.TokenPrimary, out phNewToken )) { Misc.GetWin32Error("DuplicateTokenEx: "); return(false); } Console.WriteLine(" [+] Existing Token Handle: 0x{0}", hExistingToken.ToString("X4")); Console.WriteLine(" [+] New Token Handle: 0x{0}", phNewToken.ToString("X4")); return(true); }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// private bool _DuplicateToken() { Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES(); if (!advapi32.DuplicateTokenEx( luaToken, Winnt.TOKEN_IMPERSONATE | Winnt.TOKEN_QUERY, ref securityAttributes, Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, Winnt._TOKEN_TYPE.TokenImpersonation, out phNewToken )) { Misc.GetWin32Error("DuplicateTokenEx: "); return(false); } Console.WriteLine(" [+] Duplicate Token Handle : 0x{0}", phNewToken.ToString("X4")); return(true); }
//////////////////////////////////////////////////////////////////////////////// // Calls CreateProcessWithTokenW //////////////////////////////////////////////////////////////////////////////// public Boolean StartProcessAsUser(Int32 processId, String newProcess) { GetPrimaryToken((UInt32)processId, ""); if (hExistingToken == IntPtr.Zero) { return(false); } Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES(); if (!advapi32.DuplicateTokenEx( hExistingToken, (UInt32)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, ref securityAttributes, Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, Winnt._TOKEN_TYPE.TokenPrimary, out phNewToken )) { GetWin32Error("DuplicateTokenEx: "); return(false); } Console.WriteLine(" [+] Duplicate Token Handle: 0x{0}", phNewToken.ToString("X4")); Create createProcess; if (0 == Process.GetCurrentProcess().SessionId) { createProcess = CreateProcess.CreateProcessWithLogonW; } else { createProcess = CreateProcess.CreateProcessWithTokenW; } String arguments = String.Empty; FindExe(ref newProcess, out arguments); if (!createProcess(phNewToken, newProcess, arguments)) { return(false); } return(true); }
//////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////// public Boolean GetPrimaryToken(UInt32 processId) { //Originally Set to true IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_QUERY_LIMITED_INFORMATION, false, processId); if (hProcess == IntPtr.Zero) { Console.WriteLine(" [-] Unable to Open Process Token: {0}", processId); return(false); } Console.WriteLine("[+] Recieved Handle for: {0}", processId); Console.WriteLine(" [+] Process Handle: {0}", hProcess.ToInt32()); if (!kernel32.OpenProcessToken(hProcess, (UInt32)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, out hExistingToken)) { Console.WriteLine(" [-] Unable to Open Process Token: {0}", hProcess.ToInt32()); return(false); } Console.WriteLine(" [+] Primary Token Handle: {0}", hExistingToken.ToInt32()); kernel32.CloseHandle(hProcess); Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES(); if (!advapi32.DuplicateTokenEx( hExistingToken, (UInt32)(Constants.TOKEN_ALL_ACCESS), ref securityAttributes, Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, Winnt._TOKEN_TYPE.TokenPrimary, out phNewToken )) { GetWin32Error("DuplicateTokenEx: "); return(false); } Console.WriteLine(" [+] Existing Token Handle: {0}", hExistingToken.ToInt32()); Console.WriteLine(" [+] New Token Handle: {0}", phNewToken.ToInt32()); kernel32.CloseHandle(hExistingToken); return(true); }
//////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////// public Boolean ImpersonateUser() { Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES(); if (!advapi32.DuplicateTokenEx( luaToken, (UInt32)(Constants.TOKEN_IMPERSONATE | Constants.TOKEN_QUERY), ref securityAttributes, Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, Winnt._TOKEN_TYPE.TokenImpersonation, out phNewToken )) { GetWin32Error("DuplicateTokenEx: "); return(false); } Console.WriteLine(" [+] Duplicate Token Handle : 0x{0}", phNewToken.ToString("X4")); if (!advapi32.ImpersonateLoggedOnUser(phNewToken)) { GetWin32Error("ImpersonateLoggedOnUser: "); return(false); } return(true); }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// public bool DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL impersonationLevel) { if (IntPtr.Zero == hExistingToken) { return(false); } Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES(); if (!advapi32.DuplicateTokenEx( hWorkingToken, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, ref securityAttributes, impersonationLevel, Winnt._TOKEN_TYPE.TokenImpersonation, out phNewToken )) { Misc.GetWin32Error("DuplicateTokenEx: "); return(false); } Console.WriteLine(" [+] Duplicate Token Handle: 0x{0}", phNewToken.ToString("X4")); return(true); }
public static extern bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess, ref Winbase._SECURITY_ATTRIBUTES lpTokenAttributes, Winnt._SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, Winnt._TOKEN_TYPE TokenType, out IntPtr phNewToken);
public static extern bool CreateProcessAsUser(IntPtr hToken, IntPtr lpApplicationName, IntPtr lpCommandLine, ref Winbase._SECURITY_ATTRIBUTES lpProcessAttributes, ref Winbase._SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, Winbase.CREATION_FLAGS dwCreationFlags, IntPtr lpEnvironment, IntPtr lpCurrentDirectory, ref Winbase._STARTUPINFO lpStartupInfo, out Winbase._PROCESS_INFORMATION lpProcessInfo);
//////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////// private static Boolean _GetPipeToken(String pipeName) { IntPtr hNamedPipe = IntPtr.Zero; try { hNamedPipe = kernel32.CreateNamedPipeA(pipeName, Winbase.OPEN_MODE.PIPE_ACCESS_DUPLEX, Winbase.PIPE_MODE.PIPE_TYPE_MESSAGE | Winbase.PIPE_MODE.PIPE_WAIT, 2, 0, 0, 0, IntPtr.Zero); if (IntPtr.Zero == hNamedPipe) { Tokens.GetWin32Error("CreateNamedPipeA"); return(false); } Console.WriteLine("[+] Created Pipe {0}", pipeName); waitHandle.Set(); if (!kernel32.ConnectNamedPipe(hNamedPipe, IntPtr.Zero)) { Tokens.GetWin32Error("ConnectNamedPipe"); return(false); } Console.WriteLine("[+] Connected to Pipe {0}", pipeName); Byte[] lpBuffer = new Byte[128]; UInt32 lpNumberOfBytesRead = 0; if (!kernel32.ReadFile(hNamedPipe, lpBuffer, 1, ref lpNumberOfBytesRead, IntPtr.Zero)) { Tokens.GetWin32Error("ReadFile"); return(false); } Console.WriteLine("[+] Read Pipe {0}", pipeName); if (!advapi32.ImpersonateNamedPipeClient(hNamedPipe)) { Tokens.GetWin32Error("ImpersonateNamedPipeClient"); return(false); } Console.WriteLine("[+] Impersonated Pipe {0}", pipeName); Winbase._SECURITY_ATTRIBUTES sa = new Winbase._SECURITY_ATTRIBUTES(); sa.bInheritHandle = false; sa.nLength = (UInt32)Marshal.SizeOf(sa); sa.lpSecurityDescriptor = (IntPtr)0; if (!kernel32.OpenThreadToken(kernel32.GetCurrentThread(), Constants.TOKEN_ALL_ACCESS, false, ref hToken)) { Tokens.GetWin32Error("OpenThreadToken"); return(false); } Console.WriteLine("[+] Thread Token 0x{0}", hToken.ToString("X4")); IntPtr phNewToken = new IntPtr(); UInt32 result = ntdll.NtDuplicateToken(hToken, Constants.TOKEN_ALL_ACCESS, IntPtr.Zero, true, Winnt._TOKEN_TYPE.TokenPrimary, ref phNewToken); if (IntPtr.Zero == phNewToken) { result = ntdll.NtDuplicateToken(hToken, Constants.TOKEN_ALL_ACCESS, IntPtr.Zero, true, Winnt._TOKEN_TYPE.TokenImpersonation, ref phNewToken); if (IntPtr.Zero == phNewToken) { Tokens.GetNtError("NtDuplicateToken", result); return(false); } } if (IntPtr.Zero != phNewToken) { hToken = phNewToken; } } catch (Exception ex) { Console.WriteLine("[-] {0}", ex.Message); return(false); } finally { if (IntPtr.Zero != hNamedPipe) { kernel32.DisconnectNamedPipe(hNamedPipe); kernel32.CloseHandle(hNamedPipe); } } return(true); }
//////////////////////////////////////////////////////////////////////////////// // This is probably going to break on certain consoles - e.g. Hangul || Kanji //////////////////////////////////////////////////////////////////////////////// private static void _RunAsNetOnly(CommandLineParsing cLP) { string[] domain_user; string domain; string username; string un; if (!cLP.GetData("username", out un)) { Console.WriteLine("[-] Username not specified"); return; } string userInfo = un; if (userInfo.Contains("\\")) { domain_user = userInfo .Split(new string[] { "\\" }, StringSplitOptions.RemoveEmptyEntries); domain = (2 == domain_user.Length) ? domain_user[0] : "."; username = (2 == domain_user.Length) ? domain_user[1] : domain_user[0]; } else if (userInfo.Contains("@")) { domain_user = userInfo .Split(new string[] { "@" }, StringSplitOptions.RemoveEmptyEntries); domain = (2 == domain_user.Length) ? domain_user[1] : "."; username = domain_user[0]; } else { domain = "."; username = userInfo; } string password; if (!cLP.GetData("password", out password)) { Console.WriteLine("[-] Password not specified"); return; } Console.WriteLine("[*] Username: {0}", username); Console.WriteLine("[*] Domain: {0}", domain); Console.WriteLine("[*] Password: {0}", password); if (string.IsNullOrEmpty(cLP.Command)) { IntPtr phToken; bool retVal = advapi32.LogonUser( username, domain, password, Winbase.LOGON_TYPE.LOGON32_LOGON_NEW_CREDENTIALS, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, out phToken ); if (!retVal || IntPtr.Zero == phToken) { Misc.GetWin32Error("LogonUser"); return; } Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES(); IntPtr phNewToken; advapi32.DuplicateTokenEx( phToken, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, ref securityAttributes, Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, Winnt._TOKEN_TYPE.TokenImpersonation, out phNewToken ); kernel32.CloseHandle(phToken); if (!retVal || IntPtr.Zero == phNewToken) { Misc.GetWin32Error("DuplicateTokenEx"); return; } WindowsIdentity newId = new WindowsIdentity(phNewToken); WindowsImpersonationContext impersonatedUser = newId.Impersonate(); Console.WriteLine("[*] If you run \"info /all\", you should now see a thread token in the primary thread."); if (!retVal) { Misc.GetWin32Error("ImpersonateLoggedOnUser"); return; } Console.WriteLine("[+] Operating As: {0}", WindowsIdentity.GetCurrent().Name); } else { Console.WriteLine("[*] Command: {0}", cLP.Command); Winbase._STARTUPINFO startupInfo = new Winbase._STARTUPINFO { cb = (uint)System.Runtime.InteropServices.Marshal.SizeOf(typeof(Winbase._STARTUPINFO)) }; Winbase._PROCESS_INFORMATION processInformation; bool retVal = advapi32.CreateProcessWithLogonW( username, domain, password, Winbase.LOGON_FLAGS.LOGON_NETCREDENTIALS_ONLY, cLP.Command, cLP.Arguments, Winbase.CREATION_FLAGS.CREATE_NEW_PROCESS_GROUP, IntPtr.Zero, Environment.CurrentDirectory, ref startupInfo, out processInformation ); if (!retVal) { Misc.GetWin32Error("CreateProcessWithLogonW"); return; } Console.WriteLine("[+] Process ID: {0}", processInformation.dwProcessId); Console.WriteLine("[+] Thread ID: {0}", processInformation.dwThreadId); } }