internal void Run()
{
try
{
Console.Write(context);
String input;
if (activateTabs)
{
input = console.ReadLine();
}
else
{
input = Console.ReadLine();
}
switch (NextItem(ref input))
{
case "list_privileges":
if (GetProcessID(input, out processID, out command))
{
hProcess = kernel32.OpenProcess(Constants.PROCESS_QUERY_INFORMATION, false, (UInt32)processID);
Console.WriteLine("[*] Recieved Handle {0}", hProcess.ToInt64());
}
else
{
hProcess = Process.GetCurrentProcess().Handle;
}
kernel32.OpenProcessToken(hProcess, Constants.TOKEN_ALL_ACCESS, out currentProcessToken);
Tokens.EnumerateTokenPrivileges(currentProcessToken);
kernel32.CloseHandle(currentProcessToken);
break;
case "set_privilege":
if (GetProcessID(input, out processID, out command))
{
hProcess = kernel32.OpenProcess(Constants.PROCESS_QUERY_INFORMATION, false, (UInt32)processID);
Console.WriteLine("[*] Recieved Handle {0}", hProcess.ToInt64());
}
else
{
hProcess = Process.GetCurrentProcess().Handle;
}
kernel32.OpenProcessToken(hProcess, Constants.TOKEN_ALL_ACCESS, out currentProcessToken);
Tokens.SetTokenPrivilege(ref currentProcessToken, command);
kernel32.CloseHandle(currentProcessToken);
break;
case "list_processes":
users = Enumeration.EnumerateTokens(false);
Console.WriteLine("{0,-30}{1,-30}", "User", "ProcessID");
Console.WriteLine("{0,-30}{1,-30}", "-----", "---------");
foreach (String name in users.Keys)
{
Console.WriteLine("{0,-30}{1,-30}", name, users[name]);
}
break;
case "list_processes_wmi":
users = Enumeration.EnumerateTokensWMI();
Console.WriteLine("{0,-30}{1,-30}", "User", "ProcessID");
Console.WriteLine("{0,-30}{1,-30}", "-----", "---------");
foreach (String name in users.Keys)
{
Console.WriteLine("{0,-30}{1,-30}", name, users[name]);
}
break;
case "find_user_processes":
processes = Enumeration.EnumerateUserProcesses(false, input);
Console.WriteLine("{0,-30}{1,-30}", "ProcessID", "Name");
Console.WriteLine("{0,-30}{1,-30}", "---------", "----");
foreach (UInt32 pid in processes.Keys)
{
Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
}
break;
case "find_user_processes_wmi":
processes = Enumeration.EnumerateUserProcessesWMI(input);
Console.WriteLine("{0,-30}{1,-30}", "ProcessID", "Name");
Console.WriteLine("{0,-30}{1,-30}", "---------", "----");
foreach (UInt32 pid in processes.Keys)
{
Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
}
break;
case "list_user_sessions":
Enumeration.EnumerateInteractiveUserSessions();
break;
case "getsystem":
GetSystem(input);
break;
case "gettrustedinstaller":
GetTrustedInstaller(input);
break;
case "steal_token":
StealToken(input);
break;
case "bypassuac":
BypassUAC(input);
break;
case "whoami":
Console.WriteLine("[*] Operating as {0}", System.Security.Principal.WindowsIdentity.GetCurrent().Name);
break;
case "reverttoself":
if (advapi32.RevertToSelf())
{
Console.WriteLine("[*] Reverted token to {0}", System.Security.Principal.WindowsIdentity.GetCurrent().Name);
}
else
{
Console.WriteLine("[-] RevertToSelf failed");
}
break;
case "run":
Run(input);
break;
case "exit":
System.Environment.Exit(0);
break;
default:
Help();
break;
}
Console.WriteLine();
}
catch (Exception error)
{
Console.WriteLine(error.ToString());
}
finally
{
}
}
internal void Run()
{
try
{
Console.Write(context);
String input;
if (activateTabs)
{
input = console.ReadLine();
}
else
{
input = Console.ReadLine();
}
IntPtr tempToken = IntPtr.Zero;
kernel32.OpenProcessToken(kernel32.GetCurrentProcess(), Constants.TOKEN_ALL_ACCESS, out IntPtr hToken);
switch (NextItem(ref input))
{
case "info":
if (GetProcessID(input, out processID, out command) && OpenToken(processID, ref tempToken))
{
hToken = tempToken;
}
Console.WriteLine("");
CheckPrivileges.GetTokenUser(hToken);
Console.WriteLine("");
CheckPrivileges.GetTokenOwner(hToken);
Console.WriteLine("");
CheckPrivileges.GetTokenGroups(hToken);
Console.WriteLine("");
CheckPrivileges.GetElevationType(hToken, out Winnt._TOKEN_TYPE tokenType);
CheckPrivileges.PrintElevation(hToken);
break;
case "list_privileges":
if (GetProcessID(input, out processID, out command))
{
if (OpenToken(processID, ref tempToken))
{
hToken = tempToken;
}
else
{
break;
}
}
Tokens.EnumerateTokenPrivileges(hToken);
break;
case "enable_privilege":
if (GetProcessID(input, out processID, out command))
{
if (OpenToken(processID, ref tempToken))
{
hToken = tempToken;
}
else
{
break;
}
}
Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
break;
case "disable_privilege":
if (GetProcessID(input, out processID, out command))
{
if (OpenToken(processID, ref tempToken))
{
hToken = tempToken;
}
else
{
break;
}
}
Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_NONE);
break;
case "remove_privilege":
if (GetProcessID(input, out processID, out command))
{
if (OpenToken(processID, ref tempToken))
{
hToken = tempToken;
}
else
{
break;
}
}
Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED);
break;
case "nuke_privileges":
if (GetProcessID(input, out processID, out command))
{
if (OpenToken(processID, ref tempToken))
{
hToken = tempToken;
}
else
{
break;
}
}
Tokens.DisableAndRemoveAllTokenPrivileges(ref hToken);
break;
case "terminate":
if (GetProcessID(input, out processID, out command))
{
IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_TERMINATE, false, (UInt32)processID);
if (IntPtr.Zero == hProcess)
{
Tokens.GetWin32Error("OpenProcess");
break;
}
Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4"));
if (!kernel32.TerminateProcess(hProcess, 0))
{
Tokens.GetWin32Error("TerminateProcess");
break;
}
Console.WriteLine("[+] Process Terminated");
}
break;
case "sample_processes":
users = Enumeration.EnumerateTokens(false);
Console.WriteLine("{0,-40}{1,-20}{2}", "User", "Process ID", "Process Name");
Console.WriteLine("{0,-40}{1,-20}{2}", "----", "----------", "------------");
foreach (String name in users.Keys)
{
Console.WriteLine("{0,-40}{1,-20}{2}", name, users[name], Process.GetProcessById((Int32)users[name]).ProcessName);
}
break;
case "sample_processes_wmi":
users = Enumeration.EnumerateTokensWMI();
Console.WriteLine("{0,-40}{1,-20}{2}", "User", "Process ID", "Process Name");
Console.WriteLine("{0,-40}{1,-20}{2}", "----", "----------", "------------");
foreach (String name in users.Keys)
{
Console.WriteLine("{0,-40}{1,-20}{2}", name, users[name], Process.GetProcessById((Int32)users[name]).ProcessName);
}
break;
case "find_user_processes":
processes = Enumeration.EnumerateUserProcesses(false, input);
Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name");
Console.WriteLine("{0,-30}{1,-30}", "----------", "------------");
foreach (UInt32 pid in processes.Keys)
{
Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
}
break;
case "find_user_processes_wmi":
processes = Enumeration.EnumerateUserProcessesWMI(input);
Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name");
Console.WriteLine("{0,-30}{1,-30}", "----------", "------------");
foreach (UInt32 pid in processes.Keys)
{
Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
}
break;
case "list_filters":
using (Filters filters = new Filters())
{
filters.First();
filters.Next();
}
break;
case "list_filter_instances":
using (FilterInstance filterInstance = new FilterInstance(NextItem(ref input)))
{
filterInstance.First();
filterInstance.Next();
}
break;
case "detach_filter":
Filters.FilterDetach(input);
break;
case "unload_filter":
Filters.Unload(NextItem(ref input));
break;
case "sessions":
Enumeration.EnumerateInteractiveUserSessions();
break;
case "getsystem":
GetSystem(input, hToken);
break;
case "gettrustedinstaller":
GetTrustedInstaller(input);
break;
case "steal_token":
StealToken(input);
break;
case "steal_pipe_token":
StealPipeToken(input);
break;
case "bypassuac":
BypassUAC(input);
break;
case "whoami":
Console.WriteLine("[*] Operating as {0}", WindowsIdentity.GetCurrent().Name);
break;
case "reverttoself":
String message = advapi32.RevertToSelf() ? "[*] Reverted token to " + WindowsIdentity.GetCurrent().Name : "[-] RevertToSelf failed";
Console.WriteLine(message);
break;
case "run":
Run(input);
break;
case "runpowershell":
RunPowerShell(input);
break;
case "exit":
Environment.Exit(0);
break;
case "help":
String item = NextItem(ref input);
if ("help" != item)
{
Help(item);
}
else
{
Help();
}
break;
default:
Help();
break;
}
if (IntPtr.Zero != hToken)
{
kernel32.CloseHandle(hToken);
}
Console.WriteLine();
}
catch (Exception error)
{
Console.WriteLine(error.ToString());
Tokens.GetWin32Error("MainLoop");
}
finally
{
}
}
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
static void Main(string[] args)
{
IntPtr currentProcessToken;
Dictionary <String, UInt32> users;
Dictionary <UInt32, String> processes;
while (true)
{
try
{
Console.Write("(Tokens) > ");
String input = Console.ReadLine();
switch (NextItem(ref input))
{
case "list_privileges":
kernel32.OpenProcessToken(Process.GetCurrentProcess().Handle, Constants.TOKEN_ALL_ACCESS, out currentProcessToken);
Tokens.EnumerateTokenPrivileges(currentProcessToken);
kernel32.CloseHandle(currentProcessToken);
break;
case "set_privilege":
kernel32.OpenProcessToken(Process.GetCurrentProcess().Handle, Constants.TOKEN_ALL_ACCESS, out currentProcessToken);
Tokens.SetTokenPrivilege(ref currentProcessToken, input);
kernel32.CloseHandle(currentProcessToken);
break;
case "list_processes":
users = Enumeration.EnumerateTokens(false);
Console.WriteLine("{0,-30}{1,-30}", "User", "ProcessID");
Console.WriteLine("{0,-30}{1,-30}", "-----", "---------");
foreach (String name in users.Keys)
{
Console.WriteLine("{0,-30}{1,-30}", name, users[name]);
}
break;
case "list_processes_wmi":
users = Enumeration.EnumerateTokensWMI();
Console.WriteLine("{0,-30}{1,-30}", "User", "ProcessID");
Console.WriteLine("{0,-30}{1,-30}", "-----", "---------");
foreach (String name in users.Keys)
{
Console.WriteLine("{0,-30}{1,-30}", name, users[name]);
}
break;
case "find_user_processes":
processes = Enumeration.EnumerateUserProcesses(false, input);
Console.WriteLine("{0,-30}{1,-30}", "ProcessID", "Name");
Console.WriteLine("{0,-30}{1,-30}", "---------", "----");
foreach (UInt32 pid in processes.Keys)
{
Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
}
break;
case "find_user_processes_wmi":
processes = Enumeration.EnumerateUserProcessesWMI(input);
Console.WriteLine("{0,-30}{1,-30}", "ProcessID", "Name");
Console.WriteLine("{0,-30}{1,-30}", "---------", "----");
foreach (UInt32 pid in processes.Keys)
{
Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
}
break;
case "list_user_sessions":
Enumeration.EnumerateInteractiveUserSessions();
break;
case "getsystem":
GetSystem(input);
break;
case "gettrustedinstaller":
GetTrustedInstaller(input);
break;
case "steal_token":
StealToken(input);
break;
case "bypassuac":
BypassUAC(input);
break;
case "whoami":
Console.WriteLine("[*] Operating as {0}", System.Security.Principal.WindowsIdentity.GetCurrent().Name);
break;
case "reverttoself":
if (advapi32.RevertToSelf())
{
Console.WriteLine("[*] Reverted token to {0}", System.Security.Principal.WindowsIdentity.GetCurrent().Name);
}
else
{
Console.WriteLine("RevertToSelf failed");
}
break;
case "run":
Process process = new Process();
process.StartInfo.FileName = NextItem(ref input);
process.StartInfo.Arguments = input;
process.StartInfo.UseShellExecute = false;
process.StartInfo.RedirectStandardError = true;
process.StartInfo.RedirectStandardOutput = true;
process.Start();
Console.WriteLine(process.StandardOutput.ReadToEnd());
Console.WriteLine(process.StandardError.ReadToEnd());
process.WaitForExit();
break;
case "exit":
return;
default:
Help();
break;
}
Console.WriteLine();
}
catch (Exception error)
{
Console.WriteLine(error.ToString());
}
finally
{
}
}
}
