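        ////////////////////////////////////////////////////////////////////////////////
        // Confirms the working token holds, and has enabled, the two privileges this
        // operation depends on: SeCreateTokenPrivilege and SeSecurityPrivilege. A
        // privilege that is present but disabled is enabled in place; one that is
        // absent cannot be added here, so a remediation hint is printed and false is
        // returned. Returns true only when both privileges are enabled on exit.
        ////////////////////////////////////////////////////////////////////////////////
        private bool _CheckPrivileges()
        {
            // SeCreateTokenPrivilege is not granted to ordinary tokens, hence the
            // hints telling the operator where it would have to come from.
            if (!_EnsurePrivilegeEnabled(
                    Winnt.SE_CREATETOKEN_NAME,
                    "[-] Steal_Token lsass cmd.exe",
                    "[-] Add_Privilege SeCreateTokenPrivilege"))
            {
                return(false);
            }

            // SeSecurityPrivilege is normally already present on a high-integrity
            // token. The hint names the privilege that is actually missing; the
            // original text referred to SeCreateTokenPrivilege here by mistake.
            if (!_EnsurePrivilegeEnabled(
                    Winnt.SE_SECURITY_NAME,
                    "[-] This should be present on existing high integrity tokens",
                    string.Format("[-] Add_Privilege {0}", Winnt.SE_SECURITY_NAME)))
            {
                return(false);
            }

            return(true);
        }

        ////////////////////////////////////////////////////////////////////////////////
        // Checks a single privilege on the working token and enables it if it is
        // present but disabled. Returns true when the privilege is enabled on exit.
        //   privilege    - privilege name constant from Winnt (e.g. SE_SECURITY_NAME)
        //   missingHints - lines printed verbatim after the "not present" message
        ////////////////////////////////////////////////////////////////////////////////
        private bool _EnsurePrivilegeEnabled(string privilege, params string[] missingHints)
        {
            bool exists, enabled;
            TokenInformation.CheckTokenPrivilege(hWorkingToken, privilege, out exists, out enabled);

            if (!exists)
            {
                Console.WriteLine("[-] {0} is not present on the token", privilege);
                foreach (string hint in missingHints)
                {
                    Console.WriteLine(hint);
                }
                return(false);
            }

            if (enabled)
            {
                // Reports the privilege that was actually checked; the original
                // SeSecurityPrivilege branch printed SeCreateTokenPrivilege here.
                Console.WriteLine("[+] {0} is present and enabled on the token", privilege);
                return(true);
            }

            Console.WriteLine("[-] {0} is not enabled on the token", privilege);
            Console.WriteLine("[*] Enabling {0} on the token", privilege);
            using (TokenManipulation tm = new TokenManipulation(hWorkingToken))
            {
                tm.SetWorkingTokenToSelf();
                if (!tm.SetTokenPrivilege(privilege, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED))
                {
                    // Previously this failed silently and the caller only saw 'false'.
                    Console.WriteLine("[-] Failed to enable {0} on the token", privilege);
                    return(false);
                }
            }
            return(true);
        }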
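        ////////////////////////////////////////////////////////////////////////////////
        // Updates the token session ID to the specified session
        //
        // Writing TokenSessionId requires SeTcbPrivilege; the method confirms the
        // privilege is present, enables it if needed, then calls SetTokenInformation
        // on the working token. Returns true only when the update succeeded. Every
        // failure path (missing privilege, enable failure, invalid session ID, Win32
        // error, or an exception thrown by the native call) is reported to the console
        // and returns false, so a caller never mistakes a failed update for success.
        ////////////////////////////////////////////////////////////////////////////////
        public bool SetTokenSessionId(int sessionId)
        {
            bool exists, enabled;

            // TokenSessionId is a DWORD; a negative value can never name a session,
            // so reject it before touching any privileges.
            if (sessionId < 0)
            {
                Console.WriteLine("[-] Invalid Session ID {0}", sessionId);
                return(false);
            }

            // The privilege lookup is performed against the current process token.
            SetWorkingTokenToSelf();
            TokenInformation.CheckTokenPrivilege(hWorkingToken, Winnt.SE_TCB_NAME, out exists, out enabled);

            if (!exists)
            {
                Console.WriteLine("[-] SeTcbPrivilege Does Not Exist On Token");
                return(false);
            }

            // NOTE(review): 'enabled' describes the self token, but SetTokenPrivilege
            // runs after switching to the remote token - confirm which token this is
            // meant to enable SeTcbPrivilege on. Call order kept as in the original.
            SetWorkingTokenToRemote();
            if (!enabled && !SetTokenPrivilege(Winnt.SE_TCB_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED))
            {
                Console.WriteLine("[-] Enable SeTcbPrivilege Failed ");
                return(false);
            }

            Console.WriteLine("[*] Updating Token Session ID to {0}", sessionId);

            // Pin the boxed session ID so its address stays valid for the native call.
            // An int and a DWORD are both 4 bytes, so sizeof(uint) is the correct length.
            GCHandle handle = new GCHandle();

            try
            {
                handle = GCHandle.Alloc(sessionId, GCHandleType.Pinned);
                if (!advapi32.SetTokenInformation(
                        hWorkingToken,
                        Winnt._TOKEN_INFORMATION_CLASS.TokenSessionId,
                        handle.AddrOfPinnedObject(),
                        sizeof(uint))
                    )
                {
                    Misc.GetWin32Error("SetTokenInformation");
                    return(false);
                }
            }
            catch (Exception ex)
            {
                // The original logged the exception and then fell through to
                // 'return true'; an exception here means the session ID was not set.
                Console.WriteLine(ex.Message);
                return(false);
            }
            finally
            {
                // GCHandle is a struct and can never be null; IsAllocated is the only
                // meaningful check before freeing (the default handle is unallocated).
                if (handle.IsAllocated)
                {
                    handle.Free();
                }
            }
            return(true);
        }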