private async void btnStartServer_Click(object sender, EventArgs e)
{
try
{
btnStartServer.Enabled = false;
using (NamedPipeServerStream pipe = new NamedPipeServerStream(txtPipeName.Text,
PipeDirection.In, 1, PipeTransmissionMode.Byte, PipeOptions.Asynchronous))
{
await Task.Factory.FromAsync(pipe.BeginWaitForConnection,
pipe.EndWaitForConnection, null);
NtToken token = null;
if (pipe.IsConnected)
{
pipe.RunAsClient(() => token = NtToken.OpenThreadToken());
pipe.Disconnect();
}
if (token != null)
{
TokenForm.OpenForm(token, false);
}
}
}
catch (Exception ex)
{
MessageBox.Show(this, ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
finally
{
btnStartServer.Enabled = true;
}
}
/// <summary>
/// Get the anonymous token.
/// </summary>
/// <param name="desired_access">The access rights for the opened token.</param>
/// <returns>The anonymous token.</returns>
public static NtToken GetAnonymousToken(TokenAccessRights desired_access)
{
using (var imp = NtThread.Current.ImpersonateAnonymousToken())
{
return(NtToken.OpenThreadToken(NtThread.Current, true, false, desired_access));
}
}
//
public void TokenRelay(BlockingCollection <byte[]> hashesIn, BlockingCollection <byte[]> hashesOut, String command)
{
while (bContinueServer)
{
byte[] out_buffer = null;
byte[] hash = hashesIn.Take();
InitializeServer(hash, out out_buffer, out bContinueServer);
hashesOut.Add(out_buffer);
if (bContinueServer)
{
hash = hashesIn.Take();
InitializeServer(hash, out out_buffer, out bContinueServer);
ImpersonateSecurityContext(ref _hServerContext);
NtToken thread_token = NtToken.OpenThreadToken();
if (thread_token.ImpersonationLevel.ToString() == "Impersonation" || thread_token.ImpersonationLevel.ToString() == "Delegation")
{
//TokenUtils.CreateProcessForToken("powershell.exe -EncodedCommand " + command, thread_token, true);
TokenUtils.CreateProcessForToken(command, thread_token, true);
Console.WriteLine("Process Created Successfully");
Shell.NtShell = true;
}
else
{
Console.WriteLine("IMPERSONATION LEVEL IS {0} ACCESS DENIED !!!", thread_token.ImpersonationLevel.ToString());
Console.WriteLine("Primary Token Shell Starting ....");
Shell.NtShell = false;
}
hashesOut.Add(new byte[] { 99 }); // if finished pass 99
}
}
}
private IEnumerable <ListViewItem> CreateThreads(NtProcess query_process, NtToken process_token)
{
List <ListViewItem> ret = new List <ListViewItem>();
using (var threads = new DisposableList <NtThread>(query_process.GetThreads(ThreadAccessRights.MaximumAllowed)))
{
foreach (NtThread thread in threads.Where(t => t.IsAccessGranted(ThreadAccessRights.QueryLimitedInformation)))
{
using (var result = NtToken.OpenThreadToken(thread, true, TokenAccessRights.MaximumAllowed, false))
{
if (!result.IsSuccess)
{
continue;
}
var token = result.Result;
ListViewItem item = new ListViewItem($"{query_process.ProcessId} - {query_process.Name}");
item.SubItems.Add(thread.ThreadId.ToString());
item.SubItems.Add(token.User.ToString());
item.SubItems.Add(token.ImpersonationLevel.ToString());
item.Tag = new ThreadTokenEntry(query_process, process_token,
thread.ThreadId, thread.Description, token,
thread.GetSecurityDescriptor(SecurityInformation.AllBasic, false).GetResultOrDefault());
ret.Add(item);
}
}
}
return(ret);
}
private IEnumerable <ListViewItem> CreateThreads(NtProcess entry, NtToken process_token)
{
List <ListViewItem> ret = new List <ListViewItem>();
using (var query_process = entry.Duplicate(ProcessAccessRights.QueryInformation, false))
{
if (!query_process.IsSuccess)
{
return(ret);
}
using (var threads = new DisposableList <NtThread>(query_process.Result.GetThreads(ThreadAccessRights.QueryLimitedInformation)))
{
foreach (NtThread thread in threads)
{
using (var result = NtToken.OpenThreadToken(thread, true, TokenAccessRights.MaximumAllowed, false))
{
if (!result.IsSuccess)
{
continue;
}
var token = result.Result;
ListViewItem item = new ListViewItem($"{entry.ProcessId} - {entry.Name}");
item.SubItems.Add(thread.ThreadId.ToString());
item.SubItems.Add(token.User.ToString());
item.SubItems.Add(token.ImpersonationLevel.ToString());
item.Tag = new ThreadTokenEntry(query_process.Result, token, thread.ThreadId, thread.Description, token);
ret.Add(item);
}
}
}
}
return(ret);
}
public static NtToken GetAnonymousToken()
{
using (var imp = NtThread.Current.ImpersonateAnonymousToken())
{
return(NtToken.OpenThreadToken());
}
}
private NtToken GetImpersonationToken(TokenAccessRights desired_access)
{
if (ThreadId.HasValue)
{
return(NtToken.OpenThreadToken(ThreadId.Value, OpenAsSelf, false, desired_access));
}
return(NtToken.OpenThreadToken(Thread ?? NtThread.Current, OpenAsSelf, false, desired_access));
}
public static NtToken GetAnonymousToken()
{
try
{
using (var imp = NtThread.Current.ImpersonateAnonymousToken())
{
return(NtToken.OpenThreadToken());
}
}
catch (NtException ex)
{
throw ex.AsWin32Exception();
}
}
private async void btnStartServer_Click(object sender, EventArgs e)
{
try
{
btnStartServer.Enabled = false;
using (NamedPipeServerStream pipe = new NamedPipeServerStream(txtPipeName.Text,
PipeDirection.InOut, 1, PipeTransmissionMode.Byte, PipeOptions.Asynchronous))
{
await Task.Factory.FromAsync(pipe.BeginWaitForConnection,
pipe.EndWaitForConnection, null);
NtToken token = null;
bool use_unc = checkBoxUseUNCPath.Checked;
if (pipe.IsConnected)
{
if (!use_unc)
{
byte[] buffer = new byte[1];
int result = await pipe.ReadAsync(buffer, 0, 1);
}
pipe.RunAsClient(() => token = NtToken.OpenThreadToken());
pipe.Disconnect();
}
if (token != null)
{
TokenForm.OpenForm(token, "NamedPipe", false);
}
}
}
catch (Exception ex)
{
MessageBox.Show(this, ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
finally
{
btnStartServer.Enabled = true;
}
}
/// <summary>
/// Overridden ProcessRecord method.
/// </summary>
protected override void ProcessRecord()
{
using (var token = Token.DuplicateToken(ImpersonationLevel))
{
var thread = Thread ?? NtThread.Current;
using (var imp = thread.Impersonate(token))
{
using (var new_token = NtToken.OpenThreadToken(thread))
{
if (PassThru)
{
WriteObject(new_token.Duplicate());
}
else
{
WriteObject(ImpersonationLevel == new_token.ImpersonationLevel);
}
}
}
}
}
/// <summary>
/// Open the thread's token
/// </summary>
/// <returns>The token, null if no token available</returns>
public NtToken OpenToken()
{
return(NtToken.OpenThreadToken(this));
}
/// <summary>
/// Get token for this cmdlet.
/// </summary>
/// <param name="desired_access">The token access required.</param>
/// <returns>The token object.</returns>
protected override NtToken GetToken(TokenAccessRights desired_access)
{
return(NtToken.OpenThreadToken(Thread ?? NtThread.Current, OpenAsSelf, false, desired_access));
}
