// Enumerates the rights/privileges that LSA has assigned directly to `sid` under the open
// policy handle and records each one (privilege name -> LUID) in `rights`.
// Returns true when the enumeration completed, or when LSA reports that the account has no
// rights or that the SID is not valid for this lookup (both treated as "nothing to add");
// returns false on any other LSA error or when a returned name cannot be resolved to a LUID.
private static bool _LookupRights(IntPtr hPolicyHandle, IntPtr sid, ref Dictionary<string, Winnt._LUID> rights)
{
    //Console.WriteLine(" - LsaEnumerateAccountRights");
    IntPtr hUserRights;      // LSA-allocated array of _LSA_UNICODE_STRING entries
    long countOfRights;
    uint ntRetVal = advapi32.LsaEnumerateAccountRights(hPolicyHandle, sid, out hUserRights, out countOfRights);
    // "Weird Quirk" (original author's note).
    // NOTE(review): the loop below is bounded by the decremented count, so the last entry
    // LSA returned is never read. The native CountOfRights is a 32-bit ULONG while this local
    // is a 64-bit long; confirm against the advapi32 P/Invoke declaration whether the count is
    // marshalled correctly before deciding whether this decrement hides an off-by-one.
    countOfRights--;
    if (0 != ntRetVal)
    {
        // 3221225524 = 0xC0000034 STATUS_OBJECT_NAME_NOT_FOUND - account has no rights assigned
        // 3221225485 = 0xC000000D STATUS_INVALID_PARAMETER    - not a valid SID for this lookup
        if (3221225524 == ntRetVal || 3221225485 == ntRetVal)
        {
            return(true);
        }
        Misc.GetLsaNtError("LsaEnumerateAccountRights", ntRetVal);
        return(false);
    }
    Console.WriteLine("[+] Additional {0} privilege(s)", countOfRights);
    // NOTE(review): the array length is the adjusted count; if LSA ever returns success with a
    // count of zero, the decrement makes this -1 and the allocation throws.
    ntsecapi._LSA_UNICODE_STRING[] userRights = new ntsecapi._LSA_UNICODE_STRING[countOfRights];
    // NOTE(review): hUserRights is LSA-allocated and is never released on any path below; the
    // documented contract is to free it with LsaFreeMemory once the names have been copied out.
    // Add that if the advapi32 wrapper in this project exposes it.
    for (int i = 0; i < countOfRights; i++)
    {
        try
        {
            // Walk the native array element by element (base + i * sizeof(entry)).
            userRights[i] = (ntsecapi._LSA_UNICODE_STRING)Marshal.PtrToStructure(
                new IntPtr(hUserRights.ToInt64() + (i * Marshal.SizeOf(typeof(ntsecapi._LSA_UNICODE_STRING)))),
                typeof(ntsecapi._LSA_UNICODE_STRING));
            // NOTE(review): PtrToStringUni(IntPtr) reads up to the first NUL and ignores the
            // entry's Length field; LSA strings are not guaranteed to be NUL-terminated, so the
            // Length-taking overload would be the safer read.
            string privilege = Marshal.PtrToStringUni(userRights[i].Buffer);
            // Resolve the name to a LUID on the local system (null system name).
            Winnt._LUID luid = new Winnt._LUID();
            bool retVal = advapi32.LookupPrivilegeValue(null, privilege, ref luid);
            if (!retVal)
            {
                // One unresolvable name fails the whole lookup (contrast with the catch below).
                Console.WriteLine("[-] Privilege Not Found");
                return(false);
            }
            Console.WriteLine(" ({0}) {1}", i, privilege);
            rights[privilege] = luid;
        }
        catch (Exception ex)
        {
            // A marshalling failure on one entry is logged and the next entry is tried;
            // the original `return false` was deliberately left commented out.
            Console.WriteLine(ex);
            //return false;
        }
    }
    return(true);
}
// NtCreateToken (ntdll): builds a new access token from caller-supplied user, group,
// privilege, owner, primary-group, default-DACL and source structures.
// The CreateToken callers in this file note that SeCreateTokenPrivilege is required.
// Returns an NTSTATUS: 0 on success, any other value is an error the callers decode
// with Misc.GetNtError.
// NOTE(review): this overload takes ref Ntifs._TOKEN_GROUPS_DYNAMIC, while one CreateToken
// caller in this file passes a plain Ntifs._TOKEN_GROUPS; presumably a sibling overload
// exists for that type — confirm, otherwise that call site will not compile.
public static extern uint NtCreateToken(
    out IntPtr TokenHandle,
    uint DesiredAccess,
    ref wudfwdm._OBJECT_ATTRIBUTES ObjectAttributes,
    Winnt._TOKEN_TYPE TokenType,
    ref Winnt._LUID AuthenticationId, //From NtAllocateLocallyUniqueId
    ref long ExpirationTime,
    ref Ntifs._TOKEN_USER TokenUser,
    ref Ntifs._TOKEN_GROUPS_DYNAMIC TokenGroups,
    ref Winnt._TOKEN_PRIVILEGES_ARRAY TokenPrivileges,
    ref Ntifs._TOKEN_OWNER TokenOwner,
    ref Winnt._TOKEN_PRIMARY_GROUP TokenPrimaryGroup,
    ref Winnt._TOKEN_DEFAULT_DACL TokenDefaultDacl,
    ref Winnt._TOKEN_SOURCE TokenSource
);
////////////////////////////////////////////////////////////////////////////////
// Enables or disables one named privilege on the given token.
// The name must be in the file's validPrivileges allow-list; it is then resolved
// to a LUID and applied with AdjustTokenPrivileges using `attribute` as the
// SE_PRIVILEGE_* flags. Failures are reported via GetWin32Error and the method
// returns without changing the token.
// NOTE(review): AdjustTokenPrivileges can return TRUE and still set the last
// error to ERROR_NOT_ALL_ASSIGNED when the privilege is not held; that case is
// reported here as success.
// http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/
// https://support.microsoft.com/en-us/help/131065/how-to-obtain-a-handle-to-any-process-with-sedebugprivilege
////////////////////////////////////////////////////////////////////////////////
public static void SetTokenPrivilege(ref IntPtr hToken, String privilege, Winnt.TokenPrivileges attribute)
{
    // Allow-list check first, before any native call.
    bool knownPrivilege = validPrivileges.Contains(privilege);
    if (!knownPrivilege)
    {
        Console.WriteLine("[-] Invalid Privilege Specified");
        return;
    }
    Console.WriteLine("[*] Adjusting Token Privilege");

    // Privilege name -> LUID on the local system (null system name).
    var luid = new Winnt._LUID();
    bool resolved = advapi32.LookupPrivilegeValue(null, privilege, ref luid);
    if (!resolved)
    {
        GetWin32Error("LookupPrivilegeValue");
        return;
    }
    Console.WriteLine(" [+] Recieved luid");

    // Single-entry privilege set carrying the requested attribute flags.
    var requested = new Winnt._TOKEN_PRIVILEGES
    {
        PrivilegeCount = 1,
        Privileges = new Winnt._LUID_AND_ATTRIBUTES { Luid = luid, Attributes = (uint)attribute }
    };
    var previous = new Winnt._TOKEN_PRIVILEGES();
    Console.WriteLine(" [*] AdjustTokenPrivilege");

    uint previousLength;
    bool adjusted = advapi32.AdjustTokenPrivileges(hToken, false, ref requested, (uint)Marshal.SizeOf(requested), ref previous, out previousLength);
    if (!adjusted)
    {
        GetWin32Error("AdjustTokenPrivileges");
        return;
    }
    Console.WriteLine(" [+] Adjusted Privilege: {0}", privilege);
    Console.WriteLine(" [+] Privilege State: {0}", attribute);
}
////////////////////////////////////////////////////////////////////////////////
// Enables or disables one named privilege on the working token (hWorkingToken).
// The name is resolved to a LUID and applied with AdjustTokenPrivileges using
// `attribute` as the SE_PRIVILEGE_* flags. Returns true when both native calls
// succeed; on failure the Win32 error is reported via Misc.GetWin32Error and
// false is returned.
// NOTE(review): AdjustTokenPrivileges can return TRUE and still set the last
// error to ERROR_NOT_ALL_ASSIGNED when the privilege is not held; that case is
// reported here as success.
// http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/
// https://support.microsoft.com/en-us/help/131065/how-to-obtain-a-handle-to-any-process-with-sedebugprivilege
////////////////////////////////////////////////////////////////////////////////
public bool SetTokenPrivilege(string privilege, Winnt.TokenPrivileges attribute)
{
    Console.WriteLine("[*] Adjusting Token Privilege {0} => {1}", privilege, attribute);

    // Privilege name -> LUID on the local system (null system name).
    var luid = new Winnt._LUID();
    bool resolved = advapi32.LookupPrivilegeValue(null, privilege, ref luid);
    if (!resolved)
    {
        Misc.GetWin32Error("LookupPrivilegeValue");
        return false;
    }
    Console.WriteLine(" [+] Recieved luid");

    // Single-entry privilege set carrying the requested attribute flags.
    var requested = new Winnt._TOKEN_PRIVILEGES
    {
        PrivilegeCount = 1,
        Privileges = new Winnt._LUID_AND_ATTRIBUTES { Luid = luid, Attributes = (uint)attribute }
    };
    var previous = new Winnt._TOKEN_PRIVILEGES();
    Console.WriteLine(" [*] AdjustTokenPrivilege");

    uint previousLength;
    bool adjusted = advapi32.AdjustTokenPrivileges(hWorkingToken, false, ref requested, (uint)Marshal.SizeOf(requested), ref previous, out previousLength);
    if (!adjusted)
    {
        Misc.GetWin32Error("AdjustTokenPrivileges");
        return false;
    }
    Console.WriteLine(" [+] Adjusted Privilege: {0}", privilege);
    Console.WriteLine(" [+] Privilege State: {0}", attribute);
    return true;
}
// LookupPrivilegeValue (advapi32): resolves a privilege name (e.g. "SeDebugPrivilege")
// to its LUID on lpSystemName; callers in this file pass null, i.e. the local system.
// Returns false on failure, after which callers report the Win32 error.
// NOTE(review): the same import is declared a second time in this listing with the
// Boolean/String aliases; keep one declaration so both call sites share it.
public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, ref Winnt._LUID luid);
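// LookupPrivilegeValue (advapi32): resolves a privilege name (e.g. "SeDebugPrivilege")
// to its LUID on lpSystemName; callers in this file pass null, i.e. the local system.
// Returns false on failure, after which callers report the Win32 error.
// Uses the C# keyword aliases (bool/string) to match the other declaration of this
// import in the listing; the signature is otherwise identical.
// NOTE(review): this duplicates a declaration elsewhere in the listing; keep one
// declaration so both call sites share it.
public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, ref Winnt._LUID luid);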
//SeCreateTokenPrivilege
// Builds a new primary token from the information on the current working token
// (TokenInformation reads user, groups, privileges, owner, primary group, default
// DACL and source from hWorkingToken) and then launches `command` under it.
// `groups` is not used anywhere in this overload.
// NOTE(review): on NtCreateToken failure this overload logs and keeps going — it does
// not return, so SetWorkingTokenToNewToken/StartProcessAsUser run with whatever
// phNewToken holds. The userName overload returns on the same failure.
public void CreateToken(string[] groups, string command)
{
    if (!_CheckPrivileges())
    {
        return;
    }
    // Unused in this overload.
    uint LG_INCLUDE_INDIRECT = 0x0001;
    uint MAX_PREFERRED_LENGTH = 0xFFFFFFFF;
    Console.WriteLine();
    Console.WriteLine("_SECURITY_QUALITY_OF_SERVICE");
    Winnt._SECURITY_QUALITY_OF_SERVICE securityContextTrackingMode = new Winnt._SECURITY_QUALITY_OF_SERVICE()
    {
        Length = (uint)Marshal.SizeOf(typeof(Winnt._SECURITY_QUALITY_OF_SERVICE)),
        ImpersonationLevel = Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,//SecurityAnonymous
        ContextTrackingMode = Winnt.SECURITY_CONTEXT_TRACKING_MODE.SECURITY_STATIC_TRACKING,
        EffectiveOnly = Winnt.EFFECTIVE_ONLY.False
    };
    // Copied to unmanaged memory so OBJECT_ATTRIBUTES can point at it.
    // NOTE(review): never freed (no Marshal.FreeHGlobal on any path); release it after
    // NtCreateToken returns.
    IntPtr hSecurityContextTrackingMode = Marshal.AllocHGlobal(Marshal.SizeOf(securityContextTrackingMode));
    Marshal.StructureToPtr(securityContextTrackingMode, hSecurityContextTrackingMode, false);
    Console.WriteLine("_OBJECT_ATTRIBUTES");
    wudfwdm._OBJECT_ATTRIBUTES objectAttributes = new wudfwdm._OBJECT_ATTRIBUTES()
    {
        Length = (uint)Marshal.SizeOf(typeof(wudfwdm._OBJECT_ATTRIBUTES)),
        RootDirectory = IntPtr.Zero,
        Attributes = 0,
        ObjectName = IntPtr.Zero,
        SecurityDescriptor = IntPtr.Zero,
        SecurityQualityOfService = hSecurityContextTrackingMode
    };
    // Pull every token-information class the new token is built from off the working token.
    TokenInformation ti = new TokenInformation(hWorkingToken);
    ti.SetWorkingTokenToSelf();
    ti.GetTokenSource();
    ti.GetTokenUser();
    ti.GetTokenGroups();
    ti.GetTokenPrivileges();
    ti.GetTokenOwner();
    ti.GetTokenPrimaryGroup();
    ti.GetTokenDefaultDacl();
    Winnt._LUID systemLuid = Winnt.SYSTEM_LUID;
    // Large positive value; presumably read by the kernel as a far-future absolute time — confirm.
    long expirationTime = long.MaxValue / 2;
    // NOTE(review): this allocation is immediately overwritten by the `out phNewToken`
    // below, so it leaks and serves no purpose.
    phNewToken = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr)));
    //out/ref hToken - required
    //Ref Expirationtime - required
    uint ntRetVal = ntdll.NtCreateToken(
        out phNewToken,
        Winnt.TOKEN_ALL_ACCESS,
        ref objectAttributes,
        Winnt._TOKEN_TYPE.TokenPrimary,
        ref systemLuid,
        ref expirationTime,
        ref ti.tokenUser,
        ref ti.tokenGroups,
        ref ti.tokenPrivileges,
        ref ti.tokenOwner,
        ref ti.tokenPrimaryGroup,
        ref ti.tokenDefaultDacl,
        ref ti.tokenSource
    );
    if (0 != ntRetVal)
    {
        Misc.GetNtError("NtCreateToken", ntRetVal);
        // NOTE(review): queries the user of a handle that was just reported as not created,
        // then falls through to the launch below; a `return;` here would match the other overload.
        new TokenInformation(phNewToken).GetTokenUser();
    }
    if (string.IsNullOrEmpty(command))
    {
        command = "cmd.exe";
    }
    SetWorkingTokenToNewToken();
    StartProcessAsUser(command);
}
//SeCreateTokenPrivilege
// Builds a new primary token for `userName` (optionally "DOMAIN\user") with the given
// extra `groups`, using the Create* helpers in this file to assemble each token
// information class, and then launches `command` under it (default "cmd.exe").
// Returns silently if the required privileges are missing or NtCreateToken fails.
public void CreateToken(string userName, string[] groups, string command)
{
    // Logged before the DOMAIN\ split below, so this shows the name as passed in.
    Console.WriteLine("[*] Creating Token for {0}", userName);
    if (!_CheckPrivileges())
    {
        return;
    }
    // Unused in this overload.
    uint MAX_PREFERRED_LENGTH = 0xFFFFFFFF;
    #region _OBJECT_ATTRIBUTES
    Console.WriteLine();
    Console.WriteLine("[*] _SECURITY_QUALITY_OF_SERVICE");
    Winnt._SECURITY_QUALITY_OF_SERVICE securityContextTrackingMode = new Winnt._SECURITY_QUALITY_OF_SERVICE()
    {
        Length = (uint)Marshal.SizeOf(typeof(Winnt._SECURITY_QUALITY_OF_SERVICE)),
        ImpersonationLevel = Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,//SecurityAnonymous
        ContextTrackingMode = Winnt.SECURITY_CONTEXT_TRACKING_MODE.SECURITY_STATIC_TRACKING,
        EffectiveOnly = Winnt.EFFECTIVE_ONLY.False
    };
    // Copied to unmanaged memory so OBJECT_ATTRIBUTES can point at it.
    // NOTE(review): never freed (no Marshal.FreeHGlobal on any path, including the early
    // return on NtCreateToken failure); release it once NtCreateToken has returned.
    IntPtr hSecurityContextTrackingMode = Marshal.AllocHGlobal(Marshal.SizeOf(securityContextTrackingMode));
    Marshal.StructureToPtr(securityContextTrackingMode, hSecurityContextTrackingMode, false);
    Console.WriteLine("[*] _OBJECT_ATTRIBUTES");
    wudfwdm._OBJECT_ATTRIBUTES objectAttributes = new wudfwdm._OBJECT_ATTRIBUTES()
    {
        Length = (uint)Marshal.SizeOf(typeof(wudfwdm._OBJECT_ATTRIBUTES)),
        RootDirectory = IntPtr.Zero,
        Attributes = 0,
        ObjectName = IntPtr.Zero,
        SecurityDescriptor = IntPtr.Zero,
        SecurityQualityOfService = hSecurityContextTrackingMode
    };
    #endregion
    // Split "DOMAIN\user" into its two parts. Only the first two segments are used, so a
    // name with more than one backslash silently drops everything after the second segment.
    string domain = string.Empty;
    if (userName.Contains(@"\"))
    {
        string[] split = userName.Split('\\');
        domain = split[0];
        userName = split[1];
    }
    Winnt._LUID systemLuid = Winnt.SYSTEM_LUID;
    // Large positive value; presumably read by the kernel as a far-future absolute time — confirm.
    long expirationTime = long.MaxValue / 2;
    // Assemble each token information class from the resolved account.
    // NOTE(review): none of the Create* helpers report failure here; whether they throw or
    // leave zeroed structures on a bad account is not visible from this method — confirm.
    Ntifs._TOKEN_USER tokenUser;
    CreateTokenUser(domain, userName, out tokenUser);
    Ntifs._TOKEN_GROUPS tokenGroups;
    Winnt._TOKEN_PRIMARY_GROUP tokenPrimaryGroup;
    CreateTokenGroups(domain, userName, out tokenGroups, out tokenPrimaryGroup, groups);
    Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges;
    CreateTokenPrivileges(tokenUser, tokenGroups, out tokenPrivileges);
    Ntifs._TOKEN_OWNER tokenOwner;
    CreateTokenOwner(domain, userName, out tokenOwner);
    Winnt._TOKEN_DEFAULT_DACL tokenDefaultDacl;
    CreateTokenDefaultDACL(out tokenDefaultDacl);
    Winnt._TOKEN_SOURCE tokenSource;
    CreateTokenSource(out tokenSource);
    // NOTE(review): this allocation is immediately overwritten by the `out phNewToken`
    // below, so it leaks and serves no purpose.
    phNewToken = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr)));
    //out/ref hToken - required
    //Ref Expirationtime - required
    // NOTE(review): the NtCreateToken declaration shown in this listing takes
    // ref Ntifs._TOKEN_GROUPS_DYNAMIC, but tokenGroups here is Ntifs._TOKEN_GROUPS;
    // presumably a second overload exists — confirm.
    uint ntRetVal = ntdll.NtCreateToken(
        out phNewToken,
        Winnt.TOKEN_ALL_ACCESS,
        ref objectAttributes,
        Winnt._TOKEN_TYPE.TokenPrimary,
        ref systemLuid,
        ref expirationTime,
        ref tokenUser,
        ref tokenGroups,
        ref tokenPrivileges,
        ref tokenOwner,
        ref tokenPrimaryGroup,
        ref tokenDefaultDacl,
        ref tokenSource
    );
    if (0 != ntRetVal)
    {
        Misc.GetNtError("NtCreateToken", ntRetVal);
        return;
    }
    Console.WriteLine();
    // Presumably adjusts the desktop / window-station ACLs so the new token's user can
    // interact with the current desktop — confirm in DesktopACL.
    DesktopACL desktop = new DesktopACL();
    desktop.OpenDesktop();
    desktop.OpenWindow();
    Console.WriteLine();
    if (string.IsNullOrEmpty(command))
    {
        command = "cmd.exe";
    }
    SetWorkingTokenToNewToken();
    StartProcessAsUser(command);
}
// NtAllocateLocallyUniqueId (ntdll): fills LocallyUniqueID with a fresh LUID.
// Referenced by the NtCreateToken declaration in this listing as the source of an
// AuthenticationId; the CreateToken callers shown here use Winnt.SYSTEM_LUID instead.
// Returns an NTSTATUS (0 on success), following the convention of the other Nt* imports.
public static extern uint NtAllocateLocallyUniqueId(
    ref Winnt._LUID LocallyUniqueID
);