////////////////////////////////////////////////////////////////////////////////
// Can be use to remove groups, adding groups would require a new token
// Next Release
//https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokengroups
//
// Work in progress. Duplicates the working token as an impersonation token,
// copies its current group list into a fresh _TOKEN_GROUPS, resolves `group`
// to a SID string (when `isSID` is false), then calls AdjustTokenGroups.
//
// NOTE(review): as written the method does not act on its `group` argument:
//   - the SID passed to InitializeSid is a hard-coded, environment-specific
//     SID literal, not the `group` value resolved above;
//   - `tokenGroups = ti.tokenGroups;` later discards the list that was built
//     here, so AdjustTokenGroups receives the token's existing groups as the
//     NewState (effectively a no-op apart from the attribute re-apply).
//   Per the header comment, AdjustTokenGroups cannot introduce groups that
//   are not already present in the token; it can only change their attributes.
////////////////////////////////////////////////////////////////////////////////
public void SetTokenGroup(string group, bool isSID)
{
    var tokenGroups = new Ntifs._TOKEN_GROUPS();
    tokenGroups.Initialize();

    // Silent failure: no error is reported to the operator when the duplicate
    // fails, unlike the AdjustTokenGroups failure path below.
    if (!DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
    {
        return;
    }
    SetWorkingTokenToNewToken();

    // Snapshot the groups currently on the working token.
    TokenInformation ti = new TokenInformation(hWorkingToken);
    ti.GetTokenGroups();

    // Copy the existing SID/attribute pairs one by one (the Groups array is a
    // fixed-size inline array in Ntifs._TOKEN_GROUPS — presumably; its capacity
    // is not visible here, so GroupCount is not bounds-checked against it).
    for (int i = 0; i < ti.tokenGroups.GroupCount; i++)
    {
        tokenGroups.Groups[i].Sid = ti.tokenGroups.Groups[i].Sid;
        tokenGroups.Groups[i].Attributes = ti.tokenGroups.Groups[i].Attributes;
        Console.WriteLine(tokenGroups.Groups[i].Sid);
    }
    tokenGroups.GroupCount = ti.tokenGroups.GroupCount;

    // Resolve "DOMAIN\Group" or bare "Group" (local machine) to an SDDL SID
    // string. NTAccount.Translate throws IdentityNotMappedException when the
    // name cannot be resolved; that is not caught here.
    if (!isSID)
    {
        Console.WriteLine("Group: {0}", group);
        string domain = Environment.MachineName;
        if (group.Contains(@"\"))
        {
            string[] split = group.Split('\\');
            domain = split[0];
            group = split[1];
        }
        group = new NTAccount(domain, group).Translate(typeof(SecurityIdentifier)).Value;
    }
    Console.WriteLine("Group SID: {0}", group);

    // NOTE(review): GroupCount is incremented *before* it is used as an index,
    // so with N copied groups at indices 0..N-1 the new entry lands at index
    // N+1 and index N is left uninitialized. The intended slot is N.
    ++tokenGroups.GroupCount;
    // NOTE(review): hard-coded SID literal; the resolved `group` SID computed
    // above is unused. Should this be `group`? Also see the header note.
    if (!CreateTokens.InitializeSid("S-1-5-21-258464558-1780981397-2849438727-1010", ref tokenGroups.Groups[tokenGroups.GroupCount].Sid))
    {
        return;
    }
    tokenGroups.Groups[tokenGroups.GroupCount].Attributes = (uint)Winnt.SE_GROUP_ENABLED;

    // `ct` and `userName` are not used by anything that follows (the only
    // consumer is the commented-out call below) — dead locals.
    CreateTokens ct = new CreateTokens(hWorkingToken);
    string userName = WindowsIdentity.GetCurrent().Name;
    userName = userName.Split('\\')[1];
    //ct.CreateTokenGroups(userName, out Ntifs._TOKEN_GROUPS tg, out Winnt._TOKEN_PRIMARY_GROUP tpg);

    // NOTE(review): this overwrites the list built above with the token's
    // current groups, so the added entry never reaches AdjustTokenGroups.
    tokenGroups = ti.tokenGroups;
    uint returnLength;
    // ResetToDefault = false, NewState = tokenGroups, PreviousState written
    // back into ti.tokenGroups. The BufferLength passed is the marshalled size
    // of the NewState struct, which is assumed to also bound PreviousState.
    if (!advapi32.AdjustTokenGroups(hWorkingToken, false, ref tokenGroups, (uint)Marshal.SizeOf(tokenGroups), ref ti.tokenGroups, out returnLength))
    {
        Misc.GetWin32Error("AdjustTokenGroups");
        return;
    }
    // Re-read the token's groups to reflect the post-adjust state.
    ti.GetTokenGroups();
    // Raw byte count required for PreviousState; printed without a label.
    Console.WriteLine(returnLength);
}
////////////////////////////////////////////////////////////////////////////////
// Logs a user on via LogonUserExExW with a caller-supplied group list, then
// either impersonates the resulting token or launches `command` under it.
//
// Parameters
//   domain / username / password : credentials passed straight to the logon
//                                  call. `password` is a managed string and
//                                  stays in memory until collected.
//   groups     : comma-separated group names handed to CreateTokens
//                .CreateTokenGroups. NOTE(review): `groups.Split(',')` throws
//                NullReferenceException when `groups` is null, and empty
//                entries (e.g. a trailing comma) are not removed here —
//                whether CreateTokenGroups tolerates them is not visible.
//   logonType  : Winbase.LOGON_TYPE; LOGON32_LOGON_SERVICE gets its session
//                id rewritten to the caller's session (see below).
//   command    : when null/empty the token is impersonated in-process;
//                otherwise a process is created with it.
//   arguments  : command-line arguments for `command`.
//
// Side effects: resets the working token to the current process token,
// stores the new logon token in hExistingToken, and may change the working
// token to the remote/new token. A logon via this API creates a new logon
// session, which is presumably subject to the host's logon auditing.
// Failures are reported via Misc.GetWin32Error and the method returns
// without signalling the caller (void return).
////////////////////////////////////////////////////////////////////////////////
public void LogonUser(string domain, string username, string password, string groups, Winbase.LOGON_TYPE logonType, string command, string arguments)
{
    SetWorkingTokenToSelf();
    CreateTokens ct = new CreateTokens(hWorkingToken);
    Ntifs._TOKEN_GROUPS tokenGroups;
    // `tokenPrimaryGroup` is populated by CreateTokenGroups but not used
    // afterwards in this method.
    Winnt._TOKEN_PRIMARY_GROUP tokenPrimaryGroup;
    ct.CreateTokenGroups(domain, username, out tokenGroups, out tokenPrimaryGroup, groups.Split(','));

    // Earlier in-line implementation, now superseded by CreateTokenGroups above.
    /*
     * TokenInformation ti = new TokenInformation(hWorkingToken);
     * ti.GetTokenGroups();
     * Ntifs._TOKEN_GROUPS tokenGroups = ti.tokenGroups;
     *
     * int extraGroups = tokenGroups.GroupCount;
     *
     * uint groupsAttributes = (uint)(Winnt.SE_GROUP_ENABLED | Winnt.SE_GROUP_ENABLED_BY_DEFAULT | Winnt.SE_GROUP_MANDATORY);
     *
     * Ntifs._TOKEN_GROUPS tokenGroupsCopy = new Ntifs._TOKEN_GROUPS();
     * tokenGroupsCopy.Initialize();
     *
     * for (int i = 0; i < tokenGroups.GroupCount; i++)
     * {
     *     tokenGroupsCopy.Groups[i] = tokenGroups.Groups[i];
     * }
     *
     * foreach (string group in groups.Split(new string[] { "," }, StringSplitOptions.RemoveEmptyEntries))
     * {
     *     Console.WriteLine(group);
     *     string d = Environment.MachineName;
     *     string groupname = group;
     *     if (group.Contains(@"\"))
     *     {
     *         string[] split = group.Split('\\');
     *         d = split[0];
     *         groupname = split[1];
     *     }
     *     Console.WriteLine(groupname);
     *     string sid = new NTAccount(d, groupname).Translate(typeof(SecurityIdentifier)).Value;
     *     Console.WriteLine(sid);
     *     tokenGroupsCopy.Groups[++extraGroups].Sid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr)));
     *     Console.WriteLine(extraGroups);
     *     CreateTokens.InitializeSid(sid, ref tokenGroupsCopy.Groups[extraGroups].Sid);
     *     tokenGroupsCopy.Groups[extraGroups].Attributes = groupsAttributes;
     * }
     * tokenGroupsCopy.GroupCount = extraGroups;
     */

    // The four trailing IntPtr.Zero arguments are the optional out-parameters
    // of LogonUserExExW (logon SID / profile buffer / quota limits), none of
    // which are requested here.
    if (!advapi32.LogonUserExExW(
        username,
        domain,
        password,
        logonType,
        Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT,
        ref tokenGroups,
        out hExistingToken,
        IntPtr.Zero,
        IntPtr.Zero,
        IntPtr.Zero,
        IntPtr.Zero))
    {
        Misc.GetWin32Error("LogonUserExExW");
        return;
    }
    Console.WriteLine("[+] Logged On {0}", username.TrimEnd());

    // Service logons land in session 0; move the token into the caller's
    // session so a later CreateProcess targets the interactive desktop.
    // Failure is reported but not treated as fatal.
    if (Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE == logonType)
    {
        SetWorkingTokenToRemote();
        if (!SetTokenSessionId(Process.GetCurrentProcess().SessionId))
        {
            Console.WriteLine(" [-] Unable to Update Token Session ID, this is likely to cause problems with this token");
        }
    }

    if (string.IsNullOrEmpty(command))
    {
        // No command: impersonate the new token on the current thread.
        SetWorkingTokenToRemote();
        ImpersonateUser();
    }
    else
    {
        // From session 0 use the *WithLogonW path, otherwise *WithTokenW.
        // Both are invoked through the `Create` delegate with the same
        // (token, command, arguments) shape — presumably the WithLogonW
        // wrapper derives credentials itself; verify against CreateProcess.
        Create createProcess;
        if (0 == Process.GetCurrentProcess().SessionId)
        {
            createProcess = CreateProcess.CreateProcessWithLogonW;
        }
        else
        {
            createProcess = CreateProcess.CreateProcessWithTokenW;
        }
        createProcess(hExistingToken, command, arguments);
    }
}