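/// <summary>
/// Builds a new primary token with NtCreateToken, populated from the working token's
/// user, groups, privileges, owner, primary group, default DACL and source, then
/// switches the working token to the new one and starts <paramref name="command"/>.
/// The call is only attempted when <c>_CheckPrivileges()</c> succeeds
/// (NtCreateToken needs SeCreateTokenPrivilege, see the note on the signature).
/// </summary>
/// <param name="groups">Currently not read by this method; kept for signature compatibility.</param>
/// <param name="command">Image to start under the new token; null or empty defaults to cmd.exe.</param>
//SeCreateTokenPrivilege
public void CreateToken(string[] groups, string command)
{
    if (!_CheckPrivileges())
    {
        return;
    }

    Console.WriteLine();
    Console.WriteLine("_SECURITY_QUALITY_OF_SERVICE");
    Winnt._SECURITY_QUALITY_OF_SERVICE securityQualityOfService = new Winnt._SECURITY_QUALITY_OF_SERVICE()
    {
        Length = (uint)Marshal.SizeOf(typeof(Winnt._SECURITY_QUALITY_OF_SERVICE)),
        ImpersonationLevel = Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, //SecurityAnonymous
        ContextTrackingMode = Winnt.SECURITY_CONTEXT_TRACKING_MODE.SECURITY_STATIC_TRACKING,
        EffectiveOnly = Winnt.EFFECTIVE_ONLY.False
    };

    // The SQOS block is referenced by pointer from OBJECT_ATTRIBUTES, so it has to
    // stay in unmanaged memory until NtCreateToken returns; it is released in finally
    // on every path (the original never freed it).
    IntPtr hSecurityQualityOfService = Marshal.AllocHGlobal(Marshal.SizeOf(securityQualityOfService));
    try
    {
        Marshal.StructureToPtr(securityQualityOfService, hSecurityQualityOfService, false);

        Console.WriteLine("_OBJECT_ATTRIBUTES");
        wudfwdm._OBJECT_ATTRIBUTES objectAttributes = new wudfwdm._OBJECT_ATTRIBUTES()
        {
            Length = (uint)Marshal.SizeOf(typeof(wudfwdm._OBJECT_ATTRIBUTES)),
            RootDirectory = IntPtr.Zero,
            Attributes = 0,
            ObjectName = IntPtr.Zero,
            SecurityDescriptor = IntPtr.Zero,
            SecurityQualityOfService = hSecurityQualityOfService
        };

        // Snapshot every token component the new token is built from.
        TokenInformation ti = new TokenInformation(hWorkingToken);
        ti.SetWorkingTokenToSelf();
        ti.GetTokenSource();
        ti.GetTokenUser();
        ti.GetTokenGroups();
        ti.GetTokenPrivileges();
        ti.GetTokenOwner();
        ti.GetTokenPrimaryGroup();
        ti.GetTokenDefaultDacl();

        Winnt._LUID systemLuid = Winnt.SYSTEM_LUID;
        long expirationTime = long.MaxValue / 2;

        // phNewToken is an out parameter: the kernel writes the handle value itself.
        // The original AllocHGlobal into phNewToken was overwritten by the out
        // assignment and therefore leaked, so it is dropped here.
        //out/ref hToken - required
        //Ref Expirationtime - required
        uint ntRetVal = ntdll.NtCreateToken(
            out phNewToken,
            Winnt.TOKEN_ALL_ACCESS,
            ref objectAttributes,
            Winnt._TOKEN_TYPE.TokenPrimary,
            ref systemLuid,
            ref expirationTime,
            ref ti.tokenUser,
            ref ti.tokenGroups,
            ref ti.tokenPrivileges,
            ref ti.tokenOwner,
            ref ti.tokenPrimaryGroup,
            ref ti.tokenDefaultDacl,
            ref ti.tokenSource
        );

        if (0 != ntRetVal)
        {
            // On failure phNewToken does not hold a valid handle: report the NTSTATUS
            // and stop instead of querying it and switching the working token to it
            // (the original fell through to SetWorkingTokenToNewToken/StartProcessAsUser).
            Misc.GetNtError("NtCreateToken", ntRetVal);
            return;
        }
    }
    finally
    {
        Marshal.FreeHGlobal(hSecurityQualityOfService);
    }

    if (string.IsNullOrEmpty(command))
    {
        command = "cmd.exe";
    }

    SetWorkingTokenToNewToken();
    StartProcessAsUser(command);
}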
////////////////////////////////////////////////////////////////////////////////
// Can be used to remove groups, adding groups would require a new token
// Next Release
//https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokengroups
////////////////////////////////////////////////////////////////////////////////
/// <summary>
/// Work-in-progress (see "Next Release" above): duplicates the working token as an
/// impersonation token, copies its group list into a local TOKEN_GROUPS, resolves
/// <paramref name="group"/> to a SID string, and calls AdjustTokenGroups on the
/// working token. Several steps below are not wired together yet; review notes mark them.
/// </summary>
/// <param name="group">Group name (optionally DOMAIN\name) or, when <paramref name="isSID"/> is true, a SID string.</param>
/// <param name="isSID">True when <paramref name="group"/> is already a SID string and needs no NTAccount lookup.</param>
public void SetTokenGroup(string group, bool isSID)
{
    // Initialize() is defined on Ntifs._TOKEN_GROUPS elsewhere; presumably it sizes
    // the Groups array — confirm its capacity before relying on the indices below.
    var tokenGroups = new Ntifs._TOKEN_GROUPS();
    tokenGroups.Initialize();
    if (!DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
    {
        return;
    }
    SetWorkingTokenToNewToken();
    TokenInformation ti = new TokenInformation(hWorkingToken);
    ti.GetTokenGroups();
    // Copy the duplicated token's groups (SID + attributes) into the local structure.
    for (int i = 0; i < ti.tokenGroups.GroupCount; i++)
    {
        tokenGroups.Groups[i].Sid = ti.tokenGroups.Groups[i].Sid;
        tokenGroups.Groups[i].Attributes = ti.tokenGroups.Groups[i].Attributes;
        Console.WriteLine(tokenGroups.Groups[i].Sid);
    }
    tokenGroups.GroupCount = ti.tokenGroups.GroupCount;
    if (!isSID)
    {
        Console.WriteLine("Group: {0}", group);
        // Default to the local machine as the account domain unless DOMAIN\name was given.
        string domain = Environment.MachineName;
        if (group.Contains(@"\"))
        {
            string[] split = group.Split('\\');
            domain = split[0];
            group = split[1];
        }
        // NTAccount.Translate throws IdentityNotMappedException for an unknown account.
        group = new NTAccount(domain, group).Translate(typeof(SecurityIdentifier)).Value;
    }
    Console.WriteLine("Group SID: {0}", group);
    // NOTE(review): entries occupy indices 0..GroupCount-1, so after the pre-increment
    // the index used below is one past the slot for the new entry — verify against the
    // Groups array length before this is enabled.
    ++tokenGroups.GroupCount;
    // NOTE(review): the SID resolved into `group` above is not used from here on; the
    // literal passed to InitializeSid looks like a leftover from testing.
    if (!CreateTokens.InitializeSid("S-1-5-21-258464558-1780981397-2849438727-1010", ref tokenGroups.Groups[tokenGroups.GroupCount].Sid))
    {
        return;
    }
    tokenGroups.Groups[tokenGroups.GroupCount].Attributes = (uint)Winnt.SE_GROUP_ENABLED;
    // ct and userName are computed but unused while the CreateTokenGroups call is commented out.
    CreateTokens ct = new CreateTokens(hWorkingToken);
    string userName = WindowsIdentity.GetCurrent().Name;
    userName = userName.Split('\\')[1];
    //ct.CreateTokenGroups(userName, out Ntifs._TOKEN_GROUPS tg, out Winnt._TOKEN_PRIMARY_GROUP tpg);
    // NOTE(review): this replaces the locally built list with the token's current groups,
    // so AdjustTokenGroups below receives the unchanged group set.
    tokenGroups = ti.tokenGroups;
    uint returnLength;
    // ResetToDefault is false: NewState (tokenGroups) is applied; PreviousState is written into ti.tokenGroups.
    if (!advapi32.AdjustTokenGroups(hWorkingToken, false, ref tokenGroups, (uint)Marshal.SizeOf(tokenGroups), ref ti.tokenGroups, out returnLength))
    {
        Misc.GetWin32Error("AdjustTokenGroups");
        return;
    }
    // Re-read the groups from the token and print the size AdjustTokenGroups reported.
    ti.GetTokenGroups();
    Console.WriteLine(returnLength);
}