WINAPI Open process as user from SYSTEM with deny on query.
#include <Windows.h> | |
#include <wtsapi32.h> | |
#include <userenv.h> | |
#include <aclapi.h> | |
#include <stdio.h> | |
#include <sddl.h> | |
#pragma comment(lib, "Userenv.lib") | |
#pragma comment(lib, "wtsapi32.lib") | |
// Return the id of the first session that WTSEnumerateSessions reports as
// WTSActive on the local server. 0 is used as the "none" sentinel: it is also
// returned when the enumeration itself fails or no session is active.
DWORD GetCurrentSessionId()
{
    WTS_SESSION_INFO *sessions = NULL;
    DWORD count = 0;
    if (!WTSEnumerateSessions(WTS_CURRENT_SERVER, 0, 1, &sessions, &count))
        return 0;

    DWORD found = 0;
    const WTS_SESSION_INFO *end = sessions + count;
    for (const WTS_SESSION_INFO *s = sessions; s != end; ++s)
    {
        if (s->State == WTSActive)
        {
            found = s->SessionId;
            break;
        }
    }

    // The array was allocated by WTS; it must be released with WTSFreeMemory.
    WTSFreeMemory(sessions);
    return found;
}
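// Start process_path in the currently active console/RDP session, running as
// that session's logged-on user, with a process object DACL that denies all
// access to Everyone.
//
// Must run from a SYSTEM context: WTSQueryUserToken and CreateProcessAsUserW
// need privileges an ordinary user does not hold.
//
// process_path is handed to CreateProcessAsUserW as lpCommandLine, which may
// modify the buffer, so the caller must pass a writable array (not a literal).
//
// Returns true when the process was created. Returns false otherwise and
// leaves the Win32 error of the failing call in GetLastError(); the cleanup
// calls below are prevented from clobbering it.
//
// Every handle/allocation acquired here is released on every path (the
// original leaked hToken, hTokenDup, the environment block and both security
// descriptors on the intermediate failure paths).
bool LaunchProcess(wchar_t *process_path)
{
    // All locals are declared up front: C++ does not allow goto to jump over
    // an initialized declaration, and the cleanup below uses goto.
    bool result = false;
    DWORD err = ERROR_SUCCESS;
    HANDLE hToken = NULL;
    HANDLE hTokenDup = NULL;
    void *environment = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    STARTUPINFOW si = { sizeof(si) };
    PROCESS_INFORMATION pi = { };
    SECURITY_ATTRIBUTES sa = { };
    wchar_t desktop[] = L"winsta0\\default";
    const DWORD dwCreationFlags = NORMAL_PRIORITY_CLASS | CREATE_UNICODE_ENVIRONMENT | CREATE_NEW_CONSOLE;
    DWORD SessionId = 0;

    printf("==== Getting session\n");
    SessionId = GetCurrentSessionId();
    if (SessionId == 0) // no-one logged in (or the session enumeration failed)
        return false;
    printf("Session %lu\n", SessionId);

    printf("==== Getting session Token\n");
    // Primary token of the user logged on to that session; SYSTEM-only call.
    if (!WTSQueryUserToken(SessionId, &hToken))
        return false;

    printf("==== Duplicating session\n");
    if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hTokenDup))
        goto fail;

    printf("==== Create envinroment\n");
    // TRUE: inherit this (SYSTEM) process's environment, then overlay the user's.
    if (!CreateEnvironmentBlock(&environment, hToken, TRUE))
        goto fail;

    printf("==== Setting Security Descriptor\n");
    // D:P            protected DACL (no inheritance from the parent)
    // (D;OICI;GA;;;WD) deny GENERIC_ALL to Everyone (WD)
    // This only guards the process object. It does not stop a caller that
    // holds SeDebugPrivilege, and the object's owner keeps the implicit
    // READ_CONTROL/WRITE_DAC rights and could rewrite the DACL.
    // The function LocalAlloc's the descriptor for us; it is LocalFree'd below.
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(L"D:P(D;OICI;GA;;;WD)",
                                                              SDDL_REVISION_1, &pSD, nullptr))
        goto fail;

    sa.nLength = sizeof(sa);
    sa.lpSecurityDescriptor = pSD;
    sa.bInheritHandle = FALSE; // the new process must not inherit our handles

    si.lpDesktop = desktop;
    // wShowWindow is only honored when STARTF_USESHOWWINDOW is set.
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOW;

    printf("==== Creating process\n");
    if (!CreateProcessAsUserW(hTokenDup, NULL, process_path, &sa, NULL, FALSE,
                              dwCreationFlags, environment, NULL, &si, &pi))
        goto fail;

    printf("OK!!!! %lu\n", pi.dwProcessId);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    result = true;
    goto cleanup;

fail:
    // Capture the failing call's error before any cleanup call can replace it.
    err = GetLastError();
cleanup:
    if (pSD)
        LocalFree(pSD);
    if (environment)
        DestroyEnvironmentBlock(environment);
    if (hTokenDup)
        CloseHandle(hTokenDup);
    if (hToken)
        CloseHandle(hToken);
    if (!result)
        SetLastError(err);
    return result;
}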
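// Entry point: launch cmd.exe in the active user's session. Expected to be run
// as SYSTEM (for example via PsExec -s, see the note at the end of the file);
// from a normal user context LaunchProcess fails at WTSQueryUserToken.
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    printf("33\n"); // marker left by the author; shows the binary started

    // Writable array on purpose: LaunchProcess passes it as lpCommandLine,
    // which CreateProcessAsUserW may modify.
    wchar_t path[] = L"C:\\WINDOWS\\system32\\cmd.exe";
    if (!LaunchProcess(path))
    {
        // Read the error before anything else can overwrite it.
        DWORD err = GetLastError();
        printf("Failed opening. %lu\n", err);
    }
    //getchar();
    return 0;
}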
//PsExec64.exe -s %x64% |