Skip to content

Instantly share code, notes, and snippets.

@ArunTS96
Last active May 22, 2019 10:16
Show Gist options
  • Save ArunTS96/362eff9c1a4595152deb8dbf34ddc790 to your computer and use it in GitHub Desktop.
Save ArunTS96/362eff9c1a4595152deb8dbf34ddc790 to your computer and use it in GitHub Desktop.
#include <Windows.h>
#include <iostream>
#include <WtsApi32.h>
#include <string>
#include <stdio.h>
#include <NTSecAPI.h>
#pragma comment(lib, "Wtsapi32.lib")
typedef NTSYSAPI NTSTATUS (NTAPI *LP_NtCreateToken)(
OUT PHANDLE TokenHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN TOKEN_TYPE TokenType,
IN PLUID AuthenticationId,
IN PLARGE_INTEGER ExpirationTime,
IN PTOKEN_USER TokenUser,
IN PTOKEN_GROUPS TokenGroups,
IN PTOKEN_PRIVILEGES TokenPrivileges,
IN PTOKEN_OWNER TokenOwner,
IN PTOKEN_PRIMARY_GROUP TokenPrimaryGroup,
IN PTOKEN_DEFAULT_DACL TokenDefaultDacl,
IN PTOKEN_SOURCE TokenSource);
LPVOID GetTokenInformation_s(HANDLE tokenHandle, TOKEN_INFORMATION_CLASS tis)
{
LPVOID ti = NULL;
DWORD tokenSize;
DWORD sidLength;
GetTokenInformation(tokenHandle,
tis,
ti,
0,
&tokenSize);
if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
{
std::cout << "GetTokenInformation failed with " << GetLastError() << std::endl;
}
ti = malloc(tokenSize);
if (!GetTokenInformation(tokenHandle,
tis,
ti,
tokenSize,
&tokenSize))
{
free(ti);
std::cout << "GetTokenInformation failed with " << GetLastError() << std::endl;
}
return ti;
}
void PrintTokenPrivileges(HANDLE token)
{
PTOKEN_PRIVILEGES tp = (PTOKEN_PRIVILEGES)GetTokenInformation_s(token, TokenPrivileges);
std::cout << "Privileges found : " << std::endl;
for(DWORD i = 0; i <= tp->PrivilegeCount; i++)
{
LUID_AND_ATTRIBUTES la = tp->Privileges[i];
char privilegeConstant[1024];
DWORD cchName = 1024;
if(!LookupPrivilegeNameA(nullptr, &la.Luid, privilegeConstant, &cchName))
{
std::cout << "LookupPrivilegeNameA failed with " << GetLastError() << std::endl;
}
else
{
std::string spacer(50 - strlen(privilegeConstant), ' ');
std::cout << '\t' << privilegeConstant << spacer << ((la.Attributes == SE_PRIVILEGE_ENABLED)?"Enabled":"Disabled") << std::endl;
}
}
std::cout << "*******************" << std::endl;
}
BOOL SetPrivilege(
HANDLE hToken, // access token handle
LPCTSTR lpszPrivilege, // name of privilege to enable/disable
BOOL bEnablePrivilege // to enable or disable privilege
)
{
TOKEN_PRIVILEGES tp;
LUID luid;
if (!LookupPrivilegeValue(
NULL, // lookup privilege on local system
lpszPrivilege, // privilege to lookup
&luid)) // receives LUID of privilege
{
printf("LookupPrivilegeValue error: %lu\n", GetLastError());
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[0].Attributes = 0;
// Enable the privilege or disable all privileges.
if (!AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES)NULL,
(PDWORD)NULL))
{
printf("AdjustTokenPrivileges error: %u\n", GetLastError());
return FALSE;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
printf("The token does not have the specified privilege. \n");
return FALSE;
}
return TRUE;
}
int main()
{
LP_NtCreateToken NtCreateToken = (LP_NtCreateToken)GetProcAddress(LoadLibraryA("ntdll.dll"), "NtCreateToken");
if(NtCreateToken == nullptr)
{
std::cout << "GetProcAddress failed with " << GetLastError() << std::endl;
}
HANDLE currentUserToekn;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &currentUserToekn))
{
std::cout << "OpenProcessToken failed with " << GetLastError() << std::endl;
}
PrintTokenPrivileges(currentUserToekn);
if (SetPrivilege(currentUserToekn, TEXT("SeCreateTokenPrivilege"), TRUE))
{
PrintTokenPrivileges(currentUserToekn);
HANDLE nToken = nullptr;
auto ts = (PTOKEN_STATISTICS)GetTokenInformation_s(currentUserToekn, TokenStatistics);
auto status = NtCreateToken(&nToken, TOKEN_ALL_ACCESS, nullptr, TokenPrimary, &ts->AuthenticationId, &ts->ExpirationTime, (PTOKEN_USER)GetTokenInformation_s(currentUserToekn, TokenUser), (PTOKEN_GROUPS)GetTokenInformation_s(currentUserToekn, TokenGroups), (PTOKEN_PRIVILEGES)GetTokenInformation_s(currentUserToekn, TokenPrivileges), (PTOKEN_OWNER)GetTokenInformation_s(currentUserToekn, TokenOwner), (PTOKEN_PRIMARY_GROUP)GetTokenInformation_s(currentUserToekn, TokenPrimaryGroup), (PTOKEN_DEFAULT_DACL)GetTokenInformation_s(currentUserToekn, TokenDefaultDacl), (PTOKEN_SOURCE)GetTokenInformation_s(currentUserToekn, TokenSource));
if (status)
{
std::cout << "NtCreateToken return status : " << status << " winerror : " << LsaNtStatusToWinError(status) << std::endl;
}
else
{
std::cout << "Successfully created the token" << std::endl;
}
}
else
{
std::cout << "Failed to enable privilege" << std::endl;
}
return 0;
}
@ArunTS96
Copy link
Author

Rough code. Freeing memory and other cleanup handles can be done later.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment