示例#1
        //SeCreateTokenPrivilege
        ////////////////////////////////////////////////////////////////////////////////
        // Mints a brand-new primary token with ntdll!NtCreateToken and launches
        // `command` under it.  The token's user / groups / privileges / owner /
        // primary group / default DACL / source are copied from the current working
        // token (after SetWorkingTokenToSelf), and Winnt.SYSTEM_LUID is passed in the
        // AuthenticationId position.  Tokens built this way are not the product of an
        // LSA logon, which is why SeCreateTokenPrivilege (see the comment above the
        // method) is normally held only by the LSA process itself and why a token
        // whose authentication id has no matching logon session is a useful
        // detection signal.
        //
        // groups  : accepted but never read in this version.
        // command : image to start; falls back to "cmd.exe" when null or empty.
        //
        // NOTE(review): if NtCreateToken fails the method logs the NTSTATUS but does
        // NOT return; it still calls SetWorkingTokenToNewToken() and
        // StartProcessAsUser() with whatever phNewToken holds.  A `return;` after
        // Misc.GetNtError(...) would be the safer behaviour.
        // NOTE(review): hSecurityContextTrackingMode is AllocHGlobal'd and never
        // freed, and the AllocHGlobal result assigned to phNewToken is immediately
        // overwritten by the `out` parameter — both allocations leak.
        ////////////////////////////////////////////////////////////////////////////////
        public void CreateToken(string[] groups, string command)
        {
            // Presumably verifies SeCreateTokenPrivilege is held/enabled — confirm
            // against _CheckPrivileges.  Silently bails when it is not.
            if (!_CheckPrivileges())
            {
                return;
            }

            // Not used anywhere in this method (look like leftovers from a
            // NetUserGetLocalGroups-style call).
            uint LG_INCLUDE_INDIRECT  = 0x0001;
            uint MAX_PREFERRED_LENGTH = 0xFFFFFFFF;

            // SECURITY_QUALITY_OF_SERVICE that will be referenced from the
            // OBJECT_ATTRIBUTES below; it has to live in unmanaged memory because
            // OBJECT_ATTRIBUTES only carries a pointer to it.
            Console.WriteLine();
            Console.WriteLine("_SECURITY_QUALITY_OF_SERVICE");
            Winnt._SECURITY_QUALITY_OF_SERVICE securityContextTrackingMode = new Winnt._SECURITY_QUALITY_OF_SERVICE()
            {
                Length              = (uint)Marshal.SizeOf(typeof(Winnt._SECURITY_QUALITY_OF_SERVICE)),
                ImpersonationLevel  = Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,//SecurityAnonymous
                ContextTrackingMode = Winnt.SECURITY_CONTEXT_TRACKING_MODE.SECURITY_STATIC_TRACKING,
                EffectiveOnly       = Winnt.EFFECTIVE_ONLY.False
            };

            // NOTE(review): never released — pair with Marshal.FreeHGlobal in a finally.
            IntPtr hSecurityContextTrackingMode = Marshal.AllocHGlobal(Marshal.SizeOf(securityContextTrackingMode));

            Marshal.StructureToPtr(securityContextTrackingMode, hSecurityContextTrackingMode, false);

            // Unnamed, unsecured object; only the QoS pointer is populated.
            Console.WriteLine("_OBJECT_ATTRIBUTES");
            wudfwdm._OBJECT_ATTRIBUTES objectAttributes = new wudfwdm._OBJECT_ATTRIBUTES()
            {
                Length                   = (uint)Marshal.SizeOf(typeof(wudfwdm._OBJECT_ATTRIBUTES)),
                RootDirectory            = IntPtr.Zero,
                Attributes               = 0,
                ObjectName               = IntPtr.Zero,
                SecurityDescriptor       = IntPtr.Zero,
                SecurityQualityOfService = hSecurityContextTrackingMode
            };

            // Snapshot every token-information class NtCreateToken needs from the
            // current token; the ti.* fields are handed to the call by ref below.
            TokenInformation ti = new TokenInformation(hWorkingToken);

            ti.SetWorkingTokenToSelf();

            ti.GetTokenSource();
            ti.GetTokenUser();
            ti.GetTokenGroups();
            ti.GetTokenPrivileges();
            ti.GetTokenOwner();
            ti.GetTokenPrimaryGroup();
            ti.GetTokenDefaultDacl();

            // SYSTEM_LUID goes into the AuthenticationId slot; expiration is set to a
            // far-future value rather than "never" (long.MaxValue).
            Winnt._LUID systemLuid     = Winnt.SYSTEM_LUID;
            long        expirationTime = long.MaxValue / 2;

            // NOTE(review): pointless — phNewToken is reassigned by the `out`
            // parameter on the very next call, so this block is leaked.
            phNewToken = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr)));

            //out/ref hToken - required
            //Ref Expirationtime - required
            uint ntRetVal = ntdll.NtCreateToken(
                out phNewToken,
                Winnt.TOKEN_ALL_ACCESS,
                ref objectAttributes,
                Winnt._TOKEN_TYPE.TokenPrimary,
                ref systemLuid,
                ref expirationTime,
                ref ti.tokenUser,
                ref ti.tokenGroups,
                ref ti.tokenPrivileges,
                ref ti.tokenOwner,
                ref ti.tokenPrimaryGroup,
                ref ti.tokenDefaultDacl,
                ref ti.tokenSource
                );

            // Non-zero NTSTATUS == failure.  The TokenUser query that follows reads
            // from a handle that is not valid on this path (presumably a debugging
            // aid); execution then falls through to the process launch — see the
            // review note in the header.
            if (0 != ntRetVal)
            {
                Misc.GetNtError("NtCreateToken", ntRetVal);
                new TokenInformation(phNewToken).GetTokenUser();
            }

            // Default target image when the caller gave none.
            if (string.IsNullOrEmpty(command))
            {
                command = "cmd.exe";
            }

            // Make the freshly created token the working token and spawn under it.
            SetWorkingTokenToNewToken();
            StartProcessAsUser(command);
        }
示例#2
        ////////////////////////////////////////////////////////////////////////////////
        // Can be used to remove groups; adding groups would require a new token
        // Next Release
        //https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokengroups
        ////////////////////////////////////////////////////////////////////////////////
        // Work in progress (see banner above): duplicates the working token at
        // impersonation level, copies its group list into a fresh _TOKEN_GROUPS,
        // resolves `group` to an SID string, and calls advapi32!AdjustTokenGroups.
        //
        // group : account name ("DOMAIN\Name", or a local name resolved against
        //         Environment.MachineName) or an SID string.
        // isSID : true when `group` is already an SID string and needs no lookup.
        //
        // NOTE(review): the assignment `tokenGroups = ti.tokenGroups;` further down
        // discards everything built into `tokenGroups` above, so AdjustTokenGroups
        // receives the token's unmodified group list and the added entry never
        // reaches the call.  The resolved `group` SID string is likewise never used:
        // the new entry is initialised from a hard-coded SID literal.
        // NOTE(review): after `++tokenGroups.GroupCount` the new entry is written at
        // index GroupCount.  With N existing entries at 0..N-1 the first free slot is
        // N, but the write lands at N+1 (off by one).
        public void SetTokenGroup(string group, bool isSID)
        {
            // Initialize() presumably sizes the fixed Groups array — confirm.
            var tokenGroups = new Ntifs._TOKEN_GROUPS();

            tokenGroups.Initialize();

            // Operate on an impersonation-level duplicate, not the original handle.
            if (!DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
            {
                return;
            }
            SetWorkingTokenToNewToken();

            TokenInformation ti = new TokenInformation(hWorkingToken);

            // Copy the existing SID/attribute pairs so the new list starts as a
            // superset of the current one.  The Console output prints the Sid field
            // as-is (a pointer value if Sid is an IntPtr — verify against Ntifs).
            ti.GetTokenGroups();
            for (int i = 0; i < ti.tokenGroups.GroupCount; i++)
            {
                tokenGroups.Groups[i].Sid        = ti.tokenGroups.Groups[i].Sid;
                tokenGroups.Groups[i].Attributes = ti.tokenGroups.Groups[i].Attributes;
                Console.WriteLine(tokenGroups.Groups[i].Sid);
            }
            tokenGroups.GroupCount = ti.tokenGroups.GroupCount;

            // Name -> SID translation.  "DOMAIN\Name" is split on the first
            // backslash; a bare name is looked up against the local machine.
            // NTAccount.Translate throws IdentityNotMappedException for unknown names.
            if (!isSID)
            {
                Console.WriteLine("Group:     {0}", group);
                string domain = Environment.MachineName;
                if (group.Contains(@"\"))
                {
                    string[] split = group.Split('\\');
                    domain = split[0];
                    group  = split[1];
                }
                group = new NTAccount(domain, group).Translate(typeof(SecurityIdentifier)).Value;
            }
            Console.WriteLine("Group SID: {0}", group);
            ++tokenGroups.GroupCount;

            // NOTE(review): hard-coded SID rather than the `group` value resolved
            // above; index is one past the first free slot (see header).
            if (!CreateTokens.InitializeSid("S-1-5-21-258464558-1780981397-2849438727-1010", ref tokenGroups.Groups[tokenGroups.GroupCount].Sid))
            {
                return;
            }
            tokenGroups.Groups[tokenGroups.GroupCount].Attributes = (uint)Winnt.SE_GROUP_ENABLED;
            CreateTokens ct = new CreateTokens(hWorkingToken);

            // Current user name without the domain part (assumes a "DOMAIN\user"
            // shape; a name with no backslash would throw IndexOutOfRangeException).
            // Neither `ct` nor `userName` is used afterwards.
            string userName = WindowsIdentity.GetCurrent().Name;

            userName = userName.Split('\\')[1];

            //ct.CreateTokenGroups(userName, out Ntifs._TOKEN_GROUPS tg, out Winnt._TOKEN_PRIMARY_GROUP tpg);

            // NOTE(review): overwrites the list assembled above with the token's
            // original groups — the added entry is lost here.
            tokenGroups = ti.tokenGroups;

            uint returnLength;

            // ResetToDefault = false; PreviousState is written back into
            // ti.tokenGroups, with the managed struct size as its buffer length.
            if (!advapi32.AdjustTokenGroups(hWorkingToken, false, ref tokenGroups, (uint)Marshal.SizeOf(tokenGroups), ref ti.tokenGroups, out returnLength))
            {
                Misc.GetWin32Error("AdjustTokenGroups");
                return;
            }

            // Re-read the groups after adjustment; only the return length is echoed.
            ti.GetTokenGroups();

            Console.WriteLine(returnLength);
        }