ArunTS96/CreateToken.cpp

## CreateToken.cpp
#include <Windows.h>
#include <iostream>
#include <WtsApi32.h>
#include <string>
#include <stdio.h>
#include <NTSecAPI.h>

#pragma comment(lib, "Wtsapi32.lib")

typedef NTSYSAPI NTSTATUS (NTAPI *LP_NtCreateToken)(
	OUT PHANDLE             TokenHandle,
	IN ACCESS_MASK          DesiredAccess,
	IN POBJECT_ATTRIBUTES   ObjectAttributes,
	IN TOKEN_TYPE           TokenType,
	IN PLUID                AuthenticationId,
	IN PLARGE_INTEGER       ExpirationTime,
	IN PTOKEN_USER          TokenUser,
	IN PTOKEN_GROUPS        TokenGroups,
	IN PTOKEN_PRIVILEGES    TokenPrivileges,
	IN PTOKEN_OWNER         TokenOwner,
	IN PTOKEN_PRIMARY_GROUP TokenPrimaryGroup,
	IN PTOKEN_DEFAULT_DACL  TokenDefaultDacl,
	IN PTOKEN_SOURCE        TokenSource);

LPVOID GetTokenInformation_s(HANDLE tokenHandle, TOKEN_INFORMATION_CLASS tis)
{
	LPVOID  ti = NULL;
	DWORD       tokenSize;
	DWORD       sidLength;

	GetTokenInformation(tokenHandle,
		tis,
		ti,
		0,
		&tokenSize);
	if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
	{
		std::cout << "GetTokenInformation failed with " << GetLastError() << std::endl;
	}

	ti = malloc(tokenSize);

	if (!GetTokenInformation(tokenHandle,
		tis,
		ti,
		tokenSize,
		&tokenSize))
	{
		free(ti);
		std::cout << "GetTokenInformation failed with " << GetLastError() << std::endl;
	}

	return ti;
}

void PrintTokenPrivileges(HANDLE token)
{
	PTOKEN_PRIVILEGES tp = (PTOKEN_PRIVILEGES)GetTokenInformation_s(token, TokenPrivileges);
	std::cout << "Privileges found : " << std::endl;
	for(DWORD i = 0; i <= tp->PrivilegeCount; i++)
	{
		LUID_AND_ATTRIBUTES la = tp->Privileges[i];
		char privilegeConstant[1024];
		DWORD cchName = 1024;
		if(!LookupPrivilegeNameA(nullptr, &la.Luid, privilegeConstant, &cchName))
		{
			std::cout << "LookupPrivilegeNameA failed with " << GetLastError() << std::endl;
		}
		else
		{
			std::string spacer(50 - strlen(privilegeConstant), ' ');
			std::cout << '\t' << privilegeConstant << spacer << ((la.Attributes == SE_PRIVILEGE_ENABLED)?"Enabled":"Disabled") << std::endl;
		}
	}
	std::cout << "*******************" << std::endl;
}

BOOL SetPrivilege(
	HANDLE hToken,          // access token handle
	LPCTSTR lpszPrivilege,  // name of privilege to enable/disable
	BOOL bEnablePrivilege   // to enable or disable privilege
)
{
	TOKEN_PRIVILEGES tp;
	LUID luid;

	if (!LookupPrivilegeValue(
		NULL,            // lookup privilege on local system
		lpszPrivilege,   // privilege to lookup
		&luid))        // receives LUID of privilege
	{
		printf("LookupPrivilegeValue error: %lu\n", GetLastError());
		return FALSE;
	}

	tp.PrivilegeCount = 1;
	tp.Privileges[0].Luid = luid;
	if (bEnablePrivilege)
		tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	else
		tp.Privileges[0].Attributes = 0;

	// Enable the privilege or disable all privileges.

	if (!AdjustTokenPrivileges(
		hToken,
		FALSE,
		&tp,
		sizeof(TOKEN_PRIVILEGES),
		(PTOKEN_PRIVILEGES)NULL,
		(PDWORD)NULL))
	{
		printf("AdjustTokenPrivileges error: %u\n", GetLastError());
		return FALSE;
	}

	if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)

	{
		printf("The token does not have the specified privilege. \n");
		return FALSE;
	}

	return TRUE;
}

int main()
{
	LP_NtCreateToken NtCreateToken = (LP_NtCreateToken)GetProcAddress(LoadLibraryA("ntdll.dll"), "NtCreateToken");
	if(NtCreateToken == nullptr)
	{
		std::cout << "GetProcAddress failed with " << GetLastError() << std::endl;
	}

	HANDLE currentUserToekn;
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &currentUserToekn))
	{
		std::cout << "OpenProcessToken failed with " << GetLastError() << std::endl;
	}

	PrintTokenPrivileges(currentUserToekn);

	if (SetPrivilege(currentUserToekn, TEXT("SeCreateTokenPrivilege"), TRUE))
	{
		PrintTokenPrivileges(currentUserToekn);
		HANDLE nToken = nullptr;
		auto ts = (PTOKEN_STATISTICS)GetTokenInformation_s(currentUserToekn, TokenStatistics);

		auto status = NtCreateToken(&nToken, TOKEN_ALL_ACCESS, nullptr, TokenPrimary, &ts->AuthenticationId, &ts->ExpirationTime, (PTOKEN_USER)GetTokenInformation_s(currentUserToekn, TokenUser), (PTOKEN_GROUPS)GetTokenInformation_s(currentUserToekn, TokenGroups), (PTOKEN_PRIVILEGES)GetTokenInformation_s(currentUserToekn, TokenPrivileges), (PTOKEN_OWNER)GetTokenInformation_s(currentUserToekn, TokenOwner), (PTOKEN_PRIMARY_GROUP)GetTokenInformation_s(currentUserToekn, TokenPrimaryGroup), (PTOKEN_DEFAULT_DACL)GetTokenInformation_s(currentUserToekn, TokenDefaultDacl), (PTOKEN_SOURCE)GetTokenInformation_s(currentUserToekn, TokenSource));

		if (status)
		{
			std::cout << "NtCreateToken return status : " << status << " winerror :  " << LsaNtStatusToWinError(status) << std::endl;
		}
		else
		{
			std::cout << "Successfully created the token" << std::endl;
		}
	}
	else
	{
			std::cout << "Failed to enable privilege" << std::endl;
	}

	return 0;
}
	#include <Windows.h>
	#include <iostream>
	#include <WtsApi32.h>
	#include <string>
	#include <stdio.h>
	#include <NTSecAPI.h>

	#pragma comment(lib, "Wtsapi32.lib")

	typedef NTSYSAPI NTSTATUS (NTAPI *LP_NtCreateToken)(
	OUT PHANDLE TokenHandle,
	IN ACCESS_MASK DesiredAccess,
	IN POBJECT_ATTRIBUTES ObjectAttributes,
	IN TOKEN_TYPE TokenType,
	IN PLUID AuthenticationId,
	IN PLARGE_INTEGER ExpirationTime,
	IN PTOKEN_USER TokenUser,
	IN PTOKEN_GROUPS TokenGroups,
	IN PTOKEN_PRIVILEGES TokenPrivileges,
	IN PTOKEN_OWNER TokenOwner,
	IN PTOKEN_PRIMARY_GROUP TokenPrimaryGroup,
	IN PTOKEN_DEFAULT_DACL TokenDefaultDacl,
	IN PTOKEN_SOURCE TokenSource);

	LPVOID GetTokenInformation_s(HANDLE tokenHandle, TOKEN_INFORMATION_CLASS tis)
	{
	LPVOID ti = NULL;
	DWORD tokenSize;
	DWORD sidLength;

	GetTokenInformation(tokenHandle,
	tis,
	ti,
	0,
	&tokenSize);
	if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
	{
	std::cout << "GetTokenInformation failed with " << GetLastError() << std::endl;
	}

	ti = malloc(tokenSize);

	if (!GetTokenInformation(tokenHandle,
	tis,
	ti,
	tokenSize,
	&tokenSize))
	{
	free(ti);
	std::cout << "GetTokenInformation failed with " << GetLastError() << std::endl;
	}

	return ti;
	}

	void PrintTokenPrivileges(HANDLE token)
	{
	PTOKEN_PRIVILEGES tp = (PTOKEN_PRIVILEGES)GetTokenInformation_s(token, TokenPrivileges);
	std::cout << "Privileges found : " << std::endl;
	for(DWORD i = 0; i <= tp->PrivilegeCount; i++)
	{
	LUID_AND_ATTRIBUTES la = tp->Privileges[i];
	char privilegeConstant[1024];
	DWORD cchName = 1024;
	if(!LookupPrivilegeNameA(nullptr, &la.Luid, privilegeConstant, &cchName))
	{
	std::cout << "LookupPrivilegeNameA failed with " << GetLastError() << std::endl;
	}
	else
	{
	std::string spacer(50 - strlen(privilegeConstant), ' ');
	std::cout << '\t' << privilegeConstant << spacer << ((la.Attributes == SE_PRIVILEGE_ENABLED)?"Enabled":"Disabled") << std::endl;
	}
	}
	std::cout << "*******************" << std::endl;
	}

	BOOL SetPrivilege(
	HANDLE hToken, // access token handle
	LPCTSTR lpszPrivilege, // name of privilege to enable/disable
	BOOL bEnablePrivilege // to enable or disable privilege
	)
	{
	TOKEN_PRIVILEGES tp;
	LUID luid;

	if (!LookupPrivilegeValue(
	NULL, // lookup privilege on local system
	lpszPrivilege, // privilege to lookup
	&luid)) // receives LUID of privilege
	{
	printf("LookupPrivilegeValue error: %lu\n", GetLastError());
	return FALSE;
	}

	tp.PrivilegeCount = 1;
	tp.Privileges[0].Luid = luid;
	if (bEnablePrivilege)
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	else
	tp.Privileges[0].Attributes = 0;

	// Enable the privilege or disable all privileges.

	if (!AdjustTokenPrivileges(
	hToken,
	FALSE,
	&tp,
	sizeof(TOKEN_PRIVILEGES),
	(PTOKEN_PRIVILEGES)NULL,
	(PDWORD)NULL))
	{
	printf("AdjustTokenPrivileges error: %u\n", GetLastError());
	return FALSE;
	}

	if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)

	{
	printf("The token does not have the specified privilege. \n");
	return FALSE;
	}

	return TRUE;
	}

	int main()
	{
	LP_NtCreateToken NtCreateToken = (LP_NtCreateToken)GetProcAddress(LoadLibraryA("ntdll.dll"), "NtCreateToken");
	if(NtCreateToken == nullptr)
	{
	std::cout << "GetProcAddress failed with " << GetLastError() << std::endl;
	}

	HANDLE currentUserToekn;
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &currentUserToekn))
	{
	std::cout << "OpenProcessToken failed with " << GetLastError() << std::endl;
	}

	PrintTokenPrivileges(currentUserToekn);

	if (SetPrivilege(currentUserToekn, TEXT("SeCreateTokenPrivilege"), TRUE))
	{
	PrintTokenPrivileges(currentUserToekn);
	HANDLE nToken = nullptr;
	auto ts = (PTOKEN_STATISTICS)GetTokenInformation_s(currentUserToekn, TokenStatistics);

	auto status = NtCreateToken(&nToken, TOKEN_ALL_ACCESS, nullptr, TokenPrimary, &ts->AuthenticationId, &ts->ExpirationTime, (PTOKEN_USER)GetTokenInformation_s(currentUserToekn, TokenUser), (PTOKEN_GROUPS)GetTokenInformation_s(currentUserToekn, TokenGroups), (PTOKEN_PRIVILEGES)GetTokenInformation_s(currentUserToekn, TokenPrivileges), (PTOKEN_OWNER)GetTokenInformation_s(currentUserToekn, TokenOwner), (PTOKEN_PRIMARY_GROUP)GetTokenInformation_s(currentUserToekn, TokenPrimaryGroup), (PTOKEN_DEFAULT_DACL)GetTokenInformation_s(currentUserToekn, TokenDefaultDacl), (PTOKEN_SOURCE)GetTokenInformation_s(currentUserToekn, TokenSource));

	if (status)
	{
	std::cout << "NtCreateToken return status : " << status << " winerror : " << LsaNtStatusToWinError(status) << std::endl;
	}
	else
	{
	std::cout << "Successfully created the token" << std::endl;
	}
	}
	else
	{
	std::cout << "Failed to enable privilege" << std::endl;
	}

	return 0;
	}