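////////////////////////////////////////////////////////////////////////////////
//
////////////////////////////////////////////////////////////////////////////////
/// <summary>
/// Relabels the token in <c>phNewToken</c> with the Medium mandatory integrity
/// level (S-1-16-8192) and then derives a LUA-filtered token from it into
/// <c>luaToken</c>. Both handles are used without a local declaration, so they
/// are presumably fields of the enclosing class (declared outside this view).
/// </summary>
/// <returns>
/// true when both native calls succeeded; false on the first failure, after the
/// error has been printed. The temporary SID is released on every path.
/// </returns>
private bool _SetTokenInformation()
{
    // S-1-16-*: SECURITY_MANDATORY_LABEL_AUTHORITY is the 6-byte authority {0,0,0,0,0,16}.
    Winnt._SID_IDENTIFIER_AUTHORITY pIdentifierAuthority = new Winnt._SID_IDENTIFIER_AUTHORITY
    {
        Value = new byte[] { 0x0, 0x0, 0x0, 0x0, 0x0, 0x10 } //16 - all
    };
    byte nSubAuthorityCount = 1;
    IntPtr pSID = new IntPtr();

    // 0x2000 is SECURITY_MANDATORY_MEDIUM_RID, so the resulting SID is S-1-16-8192.
    // AllocateAndInitializeSid is a Win32 API, so GetLastError-based reporting is correct here.
    if (!advapi32.AllocateAndInitializeSid(ref pIdentifierAuthority, nSubAuthorityCount, 0x2000, 0, 0, 0, 0, 0, 0, 0, out pSID))
    {
        Misc.GetWin32Error("AllocateAndInitializeSid: ");
        return(false);
    }
    Console.WriteLine(" [+] Initialized SID: 0x{0}", pSID.ToString("X4"));

    Winnt._SID_AND_ATTRIBUTES sidAndAttributes = new Winnt._SID_AND_ATTRIBUTES
    {
        Sid = pSID,
        Attributes = (uint)Winnt.SE_GROUP_INTEGRITY_32
    };

    try
    {
        Winnt._TOKEN_MANDATORY_LABEL tokenMandatoryLabel = new Winnt._TOKEN_MANDATORY_LABEL
        {
            Label = sidAndAttributes
        };
        int tokenMandatoryLableSize = Marshal.SizeOf(tokenMandatoryLabel);

        // 25 is TOKEN_INFORMATION_CLASS.TokenIntegrityLevel. Setting it requires
        // TOKEN_ADJUST_DEFAULT access on the handle.
        // Nt* routines return an NTSTATUS and do not set the thread's last-error
        // value, so the status itself is reported instead of GetLastError, which
        // would only show a stale, unrelated Win32 error.
        var setStatus = ntdll.NtSetInformationToken(phNewToken, 25, ref tokenMandatoryLabel, tokenMandatoryLableSize);
        if (0 != setStatus)
        {
            Console.WriteLine("[-] NtSetInformationToken: NTSTATUS 0x{0:X8}", unchecked((uint)(long)setStatus));
            return(false);
        }
        Console.WriteLine(" [+] Set Token Information On: 0x{0}", phNewToken.ToString("X4"));

        // 4 is the LUA_TOKEN filter flag: the new handle is a restricted copy with
        // administrative groups marked deny-only, as UAC does for a split token.
        var filterStatus = ntdll.NtFilterToken(phNewToken, 4, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, ref luaToken);
        if (0 != filterStatus)
        {
            Console.WriteLine("[-] NtFilterToken: NTSTATUS 0x{0:X8}", unchecked((uint)(long)filterStatus));
            return(false);
        }
        Console.WriteLine(" [+] LUA Token Handle: 0x{0}", luaToken.ToString("X4"));
    }
    catch (Exception ex)
    {
        // Best-effort: a marshaling failure (e.g. DllNotFoundException,
        // EntryPointNotFoundException) is reported rather than propagated.
        Console.WriteLine("[-] {0}", ex.Message);
        return(false);
    }
    finally
    {
        // The SID is only needed while the label is applied; FreeSid is the
        // documented release for AllocateAndInitializeSid.
        advapi32.FreeSid(pSID);
    }
    return(true);
}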
/// <summary>
/// P/Invoke signature for advapi32!AllocateAndInitializeSid: allocates and
/// initializes a SID from an identifier authority and up to eight sub-authorities.
/// </summary>
/// <param name="pIdentifierAuthority">The 6-byte identifier authority of the SID.</param>
/// <param name="nSubAuthorityCount">Number of the eight dwSubAuthority values that are used (1..8); the rest are ignored.</param>
/// <param name="dwSubAuthority0">First sub-authority. Native type is DWORD; values at or above 0x80000000 need an unchecked cast to fit <c>int</c>.</param>
/// <param name="dwSubAuthority1">Second sub-authority.</param>
/// <param name="dwSubAuthority2">Third sub-authority.</param>
/// <param name="dwSubAuthority3">Fourth sub-authority.</param>
/// <param name="dwSubAuthority4">Fifth sub-authority.</param>
/// <param name="dwSubAuthority5">Sixth sub-authority.</param>
/// <param name="dwSubAuthority6">Seventh sub-authority.</param>
/// <param name="dwSubAuthority7">Eighth sub-authority.</param>
/// <param name="pSid">Receives a pointer to the new SID; the caller must release it with FreeSid.</param>
/// <returns>true on success, false on failure.</returns>
// NOTE(review): the [DllImport] attribute is outside this view. Reporting a
// failure through GetLastError (as the callers do) is only reliable when that
// attribute specifies SetLastError = true - confirm.
public static extern bool AllocateAndInitializeSid(
    ref Winnt._SID_IDENTIFIER_AUTHORITY pIdentifierAuthority,
    byte nSubAuthorityCount,
    int dwSubAuthority0,
    int dwSubAuthority1,
    int dwSubAuthority2,
    int dwSubAuthority3,
    int dwSubAuthority4,
    int dwSubAuthority5,
    int dwSubAuthority6,
    int dwSubAuthority7,
    out IntPtr pSid
);
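/// <summary>
/// P/Invoke signature for advapi32!AllocateAndInitializeSid: allocates and
/// initializes a SID from an identifier authority and up to eight sub-authorities.
/// Uses the C# keyword aliases (<c>bool</c>, <c>int</c>) rather than
/// <c>Boolean</c>/<c>Int32</c>; the marshaled types are identical.
/// </summary>
/// <param name="pIdentifierAuthority">The 6-byte identifier authority of the SID.</param>
/// <param name="nSubAuthorityCount">Number of the eight dwSubAuthority values that are used (1..8); the rest are ignored.</param>
/// <param name="dwSubAuthority0">First sub-authority. Native type is DWORD; values at or above 0x80000000 need an unchecked cast to fit <c>int</c>.</param>
/// <param name="dwSubAuthority1">Second sub-authority.</param>
/// <param name="dwSubAuthority2">Third sub-authority.</param>
/// <param name="dwSubAuthority3">Fourth sub-authority.</param>
/// <param name="dwSubAuthority4">Fifth sub-authority.</param>
/// <param name="dwSubAuthority5">Sixth sub-authority.</param>
/// <param name="dwSubAuthority6">Seventh sub-authority.</param>
/// <param name="dwSubAuthority7">Eighth sub-authority.</param>
/// <param name="pSid">Receives a pointer to the new SID; the caller must release it with FreeSid.</param>
/// <returns>true on success, false on failure.</returns>
// NOTE(review): the [DllImport] attribute is outside this view. GetLastError-based
// failure reporting in the callers is only reliable when it specifies
// SetLastError = true - confirm.
public static extern bool AllocateAndInitializeSid(
    ref Winnt._SID_IDENTIFIER_AUTHORITY pIdentifierAuthority,
    byte nSubAuthorityCount,
    int dwSubAuthority0,
    int dwSubAuthority1,
    int dwSubAuthority2,
    int dwSubAuthority3,
    int dwSubAuthority4,
    int dwSubAuthority5,
    int dwSubAuthority6,
    int dwSubAuthority7,
    out IntPtr pSid
);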
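////////////////////////////////////////////////////////////////////////////////
// Wrapper for AllocateAndInitializeSid - Hardest Possible way of doing it
////////////////////////////////////////////////////////////////////////////////
/// <summary>
/// Allocates a SID from <paramref name="authority"/> and the supplied
/// sub-authorities, then prints its SDDL string and, when the local machine can
/// map it, the account name it resolves to.
/// </summary>
/// <param name="authority">Identifier authority of the SID.</param>
/// <param name="subAuthority">
/// Sub-authority values. Up to eight are forwarded to the native call; a shorter
/// (or null) array is padded with zeros instead of throwing.
/// </param>
/// <param name="psid">Receives the allocated SID. The caller owns it and must release it with advapi32.FreeSid.</param>
/// <returns>
/// true when the SID was allocated (even if the diagnostic lookup afterwards
/// failed); false when AllocateAndInitializeSid failed, after printing the Win32 error.
/// </returns>
private static bool InitializeSid(Winnt._SID_IDENTIFIER_AUTHORITY authority, uint[] subAuthority, ref IntPtr psid)
{
    //Console.WriteLine("AllocateAndInitializeSid");

    // The native signature always takes eight slots; pad so that a caller
    // passing fewer values no longer hits IndexOutOfRangeException.
    uint[] sub = new uint[8];
    if (subAuthority != null)
    {
        Array.Copy(subAuthority, sub, Math.Min(subAuthority.Length, sub.Length));
    }

    // NOTE(review): nSubAuthorityCount is fixed at 1, so Windows builds the SID
    // from sub[0] only and ignores the other seven values - confirm that every
    // caller relies on that before changing it to the array length.
    bool retVal = advapi32.AllocateAndInitializeSid(
        ref authority, 1,
        sub[0], sub[1], sub[2], sub[3], sub[4], sub[5], sub[6], sub[7],
        out psid);
    if (!retVal)
    {
        Misc.GetWin32Error("AllocateAndInitializeSid");
        return(false);
    }

    // ConvertSidToStringSid hands back a LocalAlloc'd buffer. The original code
    // neither checked for a null result nor freed the buffer; both are fixed here.
    IntPtr hStringUserSid = IntPtr.Zero;
    advapi32.ConvertSidToStringSid(psid, ref hStringUserSid);
    if (hStringUserSid == IntPtr.Zero)
    {
        Misc.GetWin32Error("ConvertSidToStringSid");
        // The SID itself is valid; only the human-readable print is unavailable.
        return(true);
    }

    string sddl;
    try
    {
        sddl = Marshal.PtrToStringAuto(hStringUserSid);
    }
    finally
    {
        // Marshal.FreeHGlobal is implemented over LocalFree on Windows, which is
        // the documented release for ConvertSidToStringSid's buffer.
        Marshal.FreeHGlobal(hStringUserSid);
    }

    // Name lookup is diagnostic only: an unmapped SID (e.g. a well-known or
    // machine-local SID that LSA cannot resolve) leaves the name empty.
    string accountName = string.Empty;
    try
    {
        accountName = new System.Security.Principal.SecurityIdentifier(sddl)
            .Translate(typeof(System.Security.Principal.NTAccount)).ToString();
    }
    catch (System.Security.Principal.IdentityNotMappedException ex)
    {
        Console.WriteLine(ex.Message);
    }
    Console.WriteLine(" - " + accountName + " " + sddl);
    return(true);
}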
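////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
/// <summary>
/// Relabels the token in <c>phNewToken</c> with the Medium mandatory integrity
/// level (S-1-16-8192) and then derives a LUA-filtered token from it into
/// <c>luaToken</c>. Both handles are used without a local declaration, so they
/// are presumably fields of the enclosing class (declared outside this view).
/// </summary>
/// <returns>
/// true when both native calls succeeded; false on the first failure, after the
/// error has been printed. The temporary SID is released on every path (the
/// original leaked it whenever an Nt* call failed).
/// </returns>
public Boolean SetTokenInformation()
{
    // S-1-16-*: SECURITY_MANDATORY_LABEL_AUTHORITY is the 6-byte authority {0,0,0,0,0,16}.
    Winnt._SID_IDENTIFIER_AUTHORITY pIdentifierAuthority = new Winnt._SID_IDENTIFIER_AUTHORITY();
    pIdentifierAuthority.Value = new byte[] { 0x0, 0x0, 0x0, 0x0, 0x0, 0x10 }; //16 - all
    byte nSubAuthorityCount = 1;
    IntPtr pSID = new IntPtr();

    // 0x2000 is SECURITY_MANDATORY_MEDIUM_RID, so the resulting SID is S-1-16-8192.
    // AllocateAndInitializeSid is a Win32 API, so GetLastError-based reporting is correct here.
    if (!advapi32.AllocateAndInitializeSid(ref pIdentifierAuthority, nSubAuthorityCount, 0x2000, 0, 0, 0, 0, 0, 0, 0, out pSID))
    {
        GetWin32Error("AllocateAndInitializeSid: ");
        return(false);
    }
    // ToInt64 rather than ToInt32: a heap pointer in a 64-bit process does not fit
    // in an int and ToInt32 would throw OverflowException.
    Console.WriteLine(" [+] Initialized SID: {0}", pSID.ToInt64());

    try
    {
        Winnt._SID_AND_ATTRIBUTES sidAndAttributes = new Winnt._SID_AND_ATTRIBUTES();
        sidAndAttributes.Sid = pSID;
        sidAndAttributes.Attributes = Constants.SE_GROUP_INTEGRITY_32;

        Winnt._TOKEN_MANDATORY_LABEL tokenMandatoryLabel = new Winnt._TOKEN_MANDATORY_LABEL();
        tokenMandatoryLabel.Label = sidAndAttributes;
        int tokenMandatoryLableSize = Marshal.SizeOf(tokenMandatoryLabel);

        // 25 is TOKEN_INFORMATION_CLASS.TokenIntegrityLevel. Setting it requires
        // TOKEN_ADJUST_DEFAULT access on the handle.
        // Nt* routines return an NTSTATUS and do not set the thread's last-error
        // value, so the status itself is reported instead of GetLastError, which
        // would only show a stale, unrelated Win32 error.
        var setStatus = ntdll.NtSetInformationToken(phNewToken, 25, ref tokenMandatoryLabel, tokenMandatoryLableSize);
        if (0 != setStatus)
        {
            Console.WriteLine("[-] NtSetInformationToken: NTSTATUS 0x{0:X8}", unchecked((uint)(long)setStatus));
            return(false);
        }
        Console.WriteLine(" [+] Set Token Information : {0}", phNewToken.ToInt64());

        // 4 is the LUA_TOKEN filter flag: the new handle is a restricted copy with
        // administrative groups marked deny-only, as UAC does for a split token.
        var filterStatus = ntdll.NtFilterToken(phNewToken, 4, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, ref luaToken);
        if (0 != filterStatus)
        {
            Console.WriteLine("[-] NtFilterToken: NTSTATUS 0x{0:X8}", unchecked((uint)(long)filterStatus));
            return(false);
        }
        Console.WriteLine(" [+] Set LUA Token Information : {0}", luaToken.ToInt64());
    }
    finally
    {
        // FreeSid is the documented release for AllocateAndInitializeSid; running it
        // in finally covers the early-return failure paths as well.
        advapi32.FreeSid(pSID);
    }
    return(true);
}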