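        private static bool _LookupRights(IntPtr hPolicyHandle, IntPtr sid, ref Dictionary <string, Winnt._LUID> rights)
        {
            // Enumerates the account rights assigned to `sid` through the open LSA policy
            // `hPolicyHandle` and resolves each right name to its LUID, storing the
            // name -> LUID pairs in `rights` (existing entries are kept; a null
            // dictionary is replaced with an empty one, which is why it is `ref`).
            //
            // Returns true when enumeration succeeded, or when LSA reported that the
            // account simply has no rights / the SID could not be looked up (treated as
            // an empty result). Returns false on any other LSA failure or when a
            // returned right name cannot be resolved to a LUID.

            // NTSTATUS values the caller treats as "nothing to enumerate" rather than errors.
            const uint STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034; // account has no rights assigned
            const uint STATUS_INVALID_PARAMETER     = 0xC000000D; // SID could not be looked up

            if (rights == null)
            {
                rights = new Dictionary<string, Winnt._LUID>();
            }

            IntPtr hUserRights;
            long   countOfRights;
            uint   ntRetVal = advapi32.LsaEnumerateAccountRights(
                hPolicyHandle,
                sid,
                out hUserRights,
                out countOfRights
                );

            if (0 != ntRetVal)
            {
                if (STATUS_OBJECT_NAME_NOT_FOUND == ntRetVal || STATUS_INVALID_PARAMETER == ntRetVal)
                {
                    return(true);
                }

                Misc.GetLsaNtError("LsaEnumerateAccountRights", ntRetVal);
                return(false);
            }

            // "Weird Quirk" in the original: the count reported through the binding is
            // one too high, so it is decremented before use. NOTE(review): this looks like
            // an artefact of the binding's parameter types (the native CountOfRights is a
            // ULONG, declared here as a long) — confirm against the advapi32 declaration.
            countOfRights--;

            // Guard the array allocation: a negative count after the decrement would throw
            // OverflowException on `new T[countOfRights]`; a null buffer has nothing to read.
            if (countOfRights < 0 || IntPtr.Zero == hUserRights)
            {
                return(true);
            }

            Console.WriteLine("[+] Additional {0} privilege(s)", countOfRights);

            ntsecapi._LSA_UNICODE_STRING[] userRights = new ntsecapi._LSA_UNICODE_STRING[countOfRights];

            // Loop-invariant: native size of one LSA_UNICODE_STRING entry in the buffer.
            int entrySize = Marshal.SizeOf(typeof(ntsecapi._LSA_UNICODE_STRING));

            ////////////////////////////////////////////////////////////////////////////////
            // Walk the native array of LSA_UNICODE_STRING entries; each names a privilege
            // that is resolved to its LUID and recorded in `rights`.
            ////////////////////////////////////////////////////////////////////////////////
            for (int i = 0; i < countOfRights; i++)
            {
                try
                {
                    IntPtr entry = new IntPtr(hUserRights.ToInt64() + ((long)i * entrySize));
                    userRights[i] = (ntsecapi._LSA_UNICODE_STRING)Marshal.PtrToStructure(entry, typeof(ntsecapi._LSA_UNICODE_STRING));
                    // NOTE(review): LSA_UNICODE_STRING is not guaranteed NUL-terminated;
                    // reading Buffer without its Length relies on LSA padding the string.
                    string      privilege = Marshal.PtrToStringUni(userRights[i].Buffer);
                    Winnt._LUID luid      = new Winnt._LUID();
                    bool        retVal    = advapi32.LookupPrivilegeValue(null, privilege, ref luid);
                    if (!retVal)
                    {
                        Console.WriteLine("[-] Privilege Not Found");
                        return(false);
                    }
                    Console.WriteLine(" ({0}) {1}", i, privilege);
                    rights[privilege] = luid;
                }
                catch (Exception ex)
                {
                    // Best-effort: one unreadable entry is logged and skipped so the
                    // remaining rights are still collected (original behaviour).
                    Console.WriteLine(ex);
                }
            }

            // NOTE(review): hUserRights is an LSA-allocated buffer and is never released on
            // any path; the documented counterpart is LsaFreeMemory, but no binding for it
            // is visible from here — TODO add one and free the buffer before returning.
            return(true);
        }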
 // ntdll!NtCreateToken — P/Invoke for the native routine that builds a new access
 // token from the supplied components. It is an undocumented NT API; the parameter
 // list mirrors the native prototype as this project declares it (the DllImport
 // attribute is presumably just above this snippet). Returns an NTSTATUS; callers
 // in this project treat 0 as success.
 //
 // TokenHandle       : receives the handle of the created token
 // DesiredAccess     : access mask requested on the returned handle
 // ObjectAttributes  : OBJECT_ATTRIBUTES; its SecurityQualityOfService field carries
 //                     a pointer to an unmanaged SECURITY_QUALITY_OF_SERVICE
 // TokenType         : primary or impersonation token
 // AuthenticationId  : logon-session LUID (see the inline note on the parameter)
 // ExpirationTime    : 64-bit expiration time value
 // TokenUser .. TokenSource : the user, groups, privileges, owner, primary group,
 //                     default DACL and source for the new token, by reference
 public static extern uint NtCreateToken(
     out IntPtr TokenHandle,
     uint DesiredAccess,
     ref wudfwdm._OBJECT_ATTRIBUTES ObjectAttributes,
     Winnt._TOKEN_TYPE TokenType,
     ref Winnt._LUID AuthenticationId, //From NtAllocateLocallyUniqueId
     ref long ExpirationTime,
     ref Ntifs._TOKEN_USER TokenUser,
     ref Ntifs._TOKEN_GROUPS_DYNAMIC TokenGroups,
     ref Winnt._TOKEN_PRIVILEGES_ARRAY TokenPrivileges,
     ref Ntifs._TOKEN_OWNER TokenOwner,
     ref Winnt._TOKEN_PRIMARY_GROUP TokenPrimaryGroup,
     ref Winnt._TOKEN_DEFAULT_DACL TokenDefaultDacl,
     ref Winnt._TOKEN_SOURCE TokenSource
     );
        ////////////////////////////////////////////////////////////////////////////////
        // Sets a Token to have a specified privilege
        // http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/
        // https://support.microsoft.com/en-us/help/131065/how-to-obtain-a-handle-to-any-process-with-sedebugprivilege
        ////////////////////////////////////////////////////////////////////////////////
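        public static void SetTokenPrivilege(ref IntPtr hToken, String privilege, Winnt.TokenPrivileges attribute)
        {
            // Adjusts one privilege on `hToken` to the state given by `attribute`
            // (enable/disable/remove, per Winnt.TokenPrivileges). Only names present in
            // `validPrivileges` are accepted. All outcomes are reported on the console;
            // the method has no return value, so callers cannot distinguish them.

            // Win32 error AdjustTokenPrivileges leaves in GetLastError when it returns
            // TRUE but the token does not hold the requested privilege, i.e. nothing changed.
            const int ERROR_NOT_ALL_ASSIGNED = 1300;

            if (!validPrivileges.Contains(privilege))
            {
                Console.WriteLine("[-] Invalid Privilege Specified");
                return;
            }

            Console.WriteLine("[*] Adjusting Token Privilege");
            ////////////////////////////////////////////////////////////////////////////////
            // Resolve the privilege name to its LUID on the local system (null system name).
            Winnt._LUID luid = new Winnt._LUID();
            if (!advapi32.LookupPrivilegeValue(null, privilege, ref luid))
            {
                GetWin32Error("LookupPrivilegeValue");
                return;
            }
            Console.WriteLine(" [+] Recieved luid");

            ////////////////////////////////////////////////////////////////////////////////
            // Single-entry TOKEN_PRIVILEGES carrying the requested attribute.
            Winnt._LUID_AND_ATTRIBUTES luidAndAttributes = new Winnt._LUID_AND_ATTRIBUTES
            {
                Luid       = luid,
                Attributes = (uint)attribute
            };
            Winnt._TOKEN_PRIVILEGES newState = new Winnt._TOKEN_PRIVILEGES
            {
                PrivilegeCount = 1,
                Privileges     = luidAndAttributes
            };
            Winnt._TOKEN_PRIVILEGES previousState = new Winnt._TOKEN_PRIVILEGES();
            Console.WriteLine(" [*] AdjustTokenPrivilege");
            UInt32 returnLength = 0;

            // The length argument sizes previousState; it shares newState's type.
            if (!advapi32.AdjustTokenPrivileges(hToken, false, ref newState, (UInt32)Marshal.SizeOf(newState), ref previousState, out returnLength))
            {
                GetWin32Error("AdjustTokenPrivileges");
                return;
            }

            // AdjustTokenPrivileges returns TRUE even when it adjusted nothing; the only
            // signal that the privilege is not held is ERROR_NOT_ALL_ASSIGNED in last-error.
            // NOTE(review): this relies on the advapi32 binding declaring SetLastError = true,
            // which is not visible from here — confirm, otherwise GetLastWin32Error() is stale.
            if (ERROR_NOT_ALL_ASSIGNED == Marshal.GetLastWin32Error())
            {
                Console.WriteLine("[-] Privilege Not Held By Token: {0}", privilege);
                return;
            }

            Console.WriteLine(" [+] Adjusted Privilege: {0}", privilege);
            Console.WriteLine(" [+] Privilege State: {0}", attribute);
            return;
        }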
        ////////////////////////////////////////////////////////////////////////////////
        // Sets a Token to have a specified privilege
        // http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/
        // https://support.microsoft.com/en-us/help/131065/how-to-obtain-a-handle-to-any-process-with-sedebugprivilege
        ////////////////////////////////////////////////////////////////////////////////
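        public bool SetTokenPrivilege(string privilege, Winnt.TokenPrivileges attribute)
        {
            // Adjusts one privilege on the instance's working token (`hWorkingToken`) to
            // the state given by `attribute`. Returns true only when AdjustTokenPrivileges
            // succeeded and actually applied the change; false when the name cannot be
            // resolved, the call fails, or the token does not hold the privilege.

            // Win32 error AdjustTokenPrivileges leaves in GetLastError when it returns
            // TRUE but the token does not hold the requested privilege, i.e. nothing changed.
            const int ERROR_NOT_ALL_ASSIGNED = 1300;

            Console.WriteLine("[*] Adjusting Token Privilege {0} => {1}", privilege, attribute);
            ////////////////////////////////////////////////////////////////////////////////
            // Resolve the privilege name to its LUID on the local system (null system name).
            Winnt._LUID luid = new Winnt._LUID();
            if (!advapi32.LookupPrivilegeValue(null, privilege, ref luid))
            {
                Misc.GetWin32Error("LookupPrivilegeValue");
                return(false);
            }
            Console.WriteLine(" [+] Recieved luid");

            ////////////////////////////////////////////////////////////////////////////////
            // Single-entry TOKEN_PRIVILEGES carrying the requested attribute.
            Winnt._LUID_AND_ATTRIBUTES luidAndAttributes = new Winnt._LUID_AND_ATTRIBUTES
            {
                Luid       = luid,
                Attributes = (uint)attribute
            };
            Winnt._TOKEN_PRIVILEGES newState = new Winnt._TOKEN_PRIVILEGES
            {
                PrivilegeCount = 1,
                Privileges     = luidAndAttributes
            };
            Winnt._TOKEN_PRIVILEGES previousState = new Winnt._TOKEN_PRIVILEGES();
            Console.WriteLine(" [*] AdjustTokenPrivilege");
            uint returnLength;

            // The length argument sizes previousState; it shares newState's type.
            if (!advapi32.AdjustTokenPrivileges(hWorkingToken, false, ref newState, (uint)Marshal.SizeOf(newState), ref previousState, out returnLength))
            {
                Misc.GetWin32Error("AdjustTokenPrivileges");
                return(false);
            }

            // AdjustTokenPrivileges returns TRUE even when it adjusted nothing; the only
            // signal that the privilege is not held is ERROR_NOT_ALL_ASSIGNED in last-error.
            // NOTE(review): this relies on the advapi32 binding declaring SetLastError = true,
            // which is not visible from here — confirm, otherwise GetLastWin32Error() is stale.
            if (ERROR_NOT_ALL_ASSIGNED == Marshal.GetLastWin32Error())
            {
                Console.WriteLine("[-] Privilege Not Held By Token: {0}", privilege);
                return(false);
            }

            Console.WriteLine(" [+] Adjusted Privilege: {0}", privilege);
            Console.WriteLine(" [+] Privilege State: {0}", attribute);
            return(true);
        }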
 // advapi32!LookupPrivilegeValue: resolves a privilege name (e.g. "SeDebugPrivilege")
 // on lpSystemName (null = local system) to its LUID in `luid`. Returns false on
 // failure; callers in this project then report the Win32 error.
 public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, ref Winnt._LUID luid);
 // advapi32!LookupPrivilegeValue: resolves a privilege name (e.g. "SeDebugPrivilege")
 // on lpSystemName (null = local system) to its LUID in `luid`. Returns false on
 // failure; callers in this project then report the Win32 error. Same binding as
 // the `bool`/`string` variant, spelled with the CLR type names.
 public static extern Boolean LookupPrivilegeValue(String lpSystemName, String lpName, ref Winnt._LUID luid);
        //SeCreateTokenPrivilege
        public void CreateToken(string[] groups, string command)
        {
            // Builds a new primary token with NtCreateToken by copying the user, groups,
            // privileges, owner, primary group, default DACL and source of the current
            // working token (read through TokenInformation), then starts `command`
            // under it. _CheckPrivileges gates the call (SeCreateTokenPrivilege).
            //
            // groups  : NOTE(review) unused in this overload — group membership comes
            //           from the working token below, not from this argument.
            // command : executable to start; defaults to "cmd.exe" when null or empty.
            if (!_CheckPrivileges())
            {
                return;
            }

            // NOTE(review): both locals are unused in this method.
            uint LG_INCLUDE_INDIRECT  = 0x0001;
            uint MAX_PREFERRED_LENGTH = 0xFFFFFFFF;

            Console.WriteLine();
            Console.WriteLine("_SECURITY_QUALITY_OF_SERVICE");
            // Quality-of-service block referenced from the OBJECT_ATTRIBUTES below.
            Winnt._SECURITY_QUALITY_OF_SERVICE securityContextTrackingMode = new Winnt._SECURITY_QUALITY_OF_SERVICE()
            {
                Length              = (uint)Marshal.SizeOf(typeof(Winnt._SECURITY_QUALITY_OF_SERVICE)),
                ImpersonationLevel  = Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,//SecurityAnonymous
                ContextTrackingMode = Winnt.SECURITY_CONTEXT_TRACKING_MODE.SECURITY_STATIC_TRACKING,
                EffectiveOnly       = Winnt.EFFECTIVE_ONLY.False
            };

            // Unmanaged copy of the QoS struct; NOTE(review): never released with
            // Marshal.FreeHGlobal on any path out of this method.
            IntPtr hSecurityContextTrackingMode = Marshal.AllocHGlobal(Marshal.SizeOf(securityContextTrackingMode));

            Marshal.StructureToPtr(securityContextTrackingMode, hSecurityContextTrackingMode, false);

            Console.WriteLine("_OBJECT_ATTRIBUTES");
            wudfwdm._OBJECT_ATTRIBUTES objectAttributes = new wudfwdm._OBJECT_ATTRIBUTES()
            {
                Length                   = (uint)Marshal.SizeOf(typeof(wudfwdm._OBJECT_ATTRIBUTES)),
                RootDirectory            = IntPtr.Zero,
                Attributes               = 0,
                ObjectName               = IntPtr.Zero,
                SecurityDescriptor       = IntPtr.Zero,
                SecurityQualityOfService = hSecurityContextTrackingMode
            };

            // Read every component of the working token; these populate the ti.token*
            // fields that are handed to NtCreateToken below.
            TokenInformation ti = new TokenInformation(hWorkingToken);

            ti.SetWorkingTokenToSelf();

            ti.GetTokenSource();
            ti.GetTokenUser();
            ti.GetTokenGroups();
            ti.GetTokenPrivileges();
            ti.GetTokenOwner();
            ti.GetTokenPrimaryGroup();
            ti.GetTokenDefaultDacl();

            // Authentication id is the SYSTEM logon session; expiration is a far-future value.
            Winnt._LUID systemLuid     = Winnt.SYSTEM_LUID;
            long        expirationTime = long.MaxValue / 2;

            // NOTE(review): this allocation is immediately overwritten by the `out phNewToken`
            // argument of NtCreateToken, so the block is leaked and never used.
            phNewToken = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr)));

            //out/ref hToken - required
            //Ref Expirationtime - required
            uint ntRetVal = ntdll.NtCreateToken(
                out phNewToken,
                Winnt.TOKEN_ALL_ACCESS,
                ref objectAttributes,
                Winnt._TOKEN_TYPE.TokenPrimary,
                ref systemLuid,
                ref expirationTime,
                ref ti.tokenUser,
                ref ti.tokenGroups,
                ref ti.tokenPrivileges,
                ref ti.tokenOwner,
                ref ti.tokenPrimaryGroup,
                ref ti.tokenDefaultDacl,
                ref ti.tokenSource
                );

            if (0 != ntRetVal)
            {
                Misc.GetNtError("NtCreateToken", ntRetVal);
                // NOTE(review): no return on failure — execution falls through to
                // SetWorkingTokenToNewToken/StartProcessAsUser with whatever NtCreateToken
                // left in phNewToken (the sibling overload returns here instead).
                new TokenInformation(phNewToken).GetTokenUser();
            }

            if (string.IsNullOrEmpty(command))
            {
                command = "cmd.exe";
            }

            SetWorkingTokenToNewToken();
            StartProcessAsUser(command);
        }
        //SeCreateTokenPrivilege
        public void CreateToken(string userName, string[] groups, string command)
        {
            // Builds a new primary token for `userName` with NtCreateToken, assembling
            // each component (user, groups/primary group, privileges, owner, default
            // DACL, source) through the CreateToken* helpers, then starts `command`
            // under it. _CheckPrivileges gates the call (SeCreateTokenPrivilege).
            //
            // userName : "user" or "DOMAIN\user"; the domain part is split off below
            // groups   : additional group names forwarded to CreateTokenGroups
            // command  : executable to start; defaults to "cmd.exe" when null or empty
            Console.WriteLine("[*] Creating Token for {0}", userName);

            if (!_CheckPrivileges())
            {
                return;
            }

            // NOTE(review): unused in this method.
            uint MAX_PREFERRED_LENGTH = 0xFFFFFFFF;

            #region _OBJECT_ATTRIBUTES
            Console.WriteLine();
            Console.WriteLine("[*] _SECURITY_QUALITY_OF_SERVICE");
            // Quality-of-service block referenced from the OBJECT_ATTRIBUTES below.
            Winnt._SECURITY_QUALITY_OF_SERVICE securityContextTrackingMode = new Winnt._SECURITY_QUALITY_OF_SERVICE()
            {
                Length              = (uint)Marshal.SizeOf(typeof(Winnt._SECURITY_QUALITY_OF_SERVICE)),
                ImpersonationLevel  = Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,//SecurityAnonymous
                ContextTrackingMode = Winnt.SECURITY_CONTEXT_TRACKING_MODE.SECURITY_STATIC_TRACKING,
                EffectiveOnly       = Winnt.EFFECTIVE_ONLY.False
            };

            // Unmanaged copy of the QoS struct; NOTE(review): never released with
            // Marshal.FreeHGlobal on any path out of this method.
            IntPtr hSecurityContextTrackingMode = Marshal.AllocHGlobal(Marshal.SizeOf(securityContextTrackingMode));
            Marshal.StructureToPtr(securityContextTrackingMode, hSecurityContextTrackingMode, false);

            Console.WriteLine("[*] _OBJECT_ATTRIBUTES");
            wudfwdm._OBJECT_ATTRIBUTES objectAttributes = new wudfwdm._OBJECT_ATTRIBUTES()
            {
                Length                   = (uint)Marshal.SizeOf(typeof(wudfwdm._OBJECT_ATTRIBUTES)),
                RootDirectory            = IntPtr.Zero,
                Attributes               = 0,
                ObjectName               = IntPtr.Zero,
                SecurityDescriptor       = IntPtr.Zero,
                SecurityQualityOfService = hSecurityContextTrackingMode
            };
            #endregion

            // Split "DOMAIN\user" on the first backslash. NOTE(review): a name ending in a
            // backslash yields an empty userName, and any further backslashes are dropped.
            string domain = string.Empty;
            if (userName.Contains(@"\"))
            {
                string[] split = userName.Split('\\');
                domain   = split[0];
                userName = split[1];
            }

            // Authentication id is the SYSTEM logon session; expiration is a far-future value.
            Winnt._LUID       systemLuid     = Winnt.SYSTEM_LUID;
            long              expirationTime = long.MaxValue / 2;
            Ntifs._TOKEN_USER tokenUser;
            CreateTokenUser(domain, userName, out tokenUser);

            Ntifs._TOKEN_GROUPS        tokenGroups;
            Winnt._TOKEN_PRIMARY_GROUP tokenPrimaryGroup;
            CreateTokenGroups(domain, userName, out tokenGroups, out tokenPrimaryGroup, groups);

            Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges;
            CreateTokenPrivileges(tokenUser, tokenGroups, out tokenPrivileges);

            Ntifs._TOKEN_OWNER tokenOwner;
            CreateTokenOwner(domain, userName, out tokenOwner);

            Winnt._TOKEN_DEFAULT_DACL tokenDefaultDacl;
            CreateTokenDefaultDACL(out tokenDefaultDacl);

            Winnt._TOKEN_SOURCE tokenSource;
            CreateTokenSource(out tokenSource);

            // NOTE(review): this allocation is immediately overwritten by the `out phNewToken`
            // argument of NtCreateToken, so the block is leaked and never used.
            phNewToken = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr)));

            //out/ref hToken - required
            //Ref Expirationtime - required
            uint ntRetVal = ntdll.NtCreateToken(
                out phNewToken,
                Winnt.TOKEN_ALL_ACCESS,
                ref objectAttributes,
                Winnt._TOKEN_TYPE.TokenPrimary,
                ref systemLuid,
                ref expirationTime,
                ref tokenUser,
                ref tokenGroups,
                ref tokenPrivileges,
                ref tokenOwner,
                ref tokenPrimaryGroup,
                ref tokenDefaultDacl,
                ref tokenSource
                );

            if (0 != ntRetVal)
            {
                Misc.GetNtError("NtCreateToken", ntRetVal);
                return;
            }


            Console.WriteLine();

            // Desktop/window-station access for the new process; see DesktopACL.
            DesktopACL desktop = new DesktopACL();
            desktop.OpenDesktop();
            desktop.OpenWindow();

            Console.WriteLine();

            if (string.IsNullOrEmpty(command))
            {
                command = "cmd.exe";
            }
            SetWorkingTokenToNewToken();
            StartProcessAsUser(command);
        }
 // ntdll!NtAllocateLocallyUniqueId: fills `LocallyUniqueID` with a freshly allocated
 // LUID. Returns an NTSTATUS (0 on success, following the convention the other
 // ntdll bindings in this project use).
 public static extern uint NtAllocateLocallyUniqueId(
     ref Winnt._LUID LocallyUniqueID
     );