WINAPI: open a process as the logged-in user from SYSTEM, with a process DACL that denies query access.
#include <Windows.h>
#include <wtsapi32.h>
#include <userenv.h>
#include <aclapi.h>
#include <stdio.h>
#include <sddl.h>
#pragma comment(lib, "Userenv.lib")
#pragma comment(lib, "wtsapi32.lib")
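// Returns the id of the first session that WTSEnumerateSessions reports as
// WTSActive (the interactive console/RDP session a user is currently logged
// on to), or 0 when enumeration fails or no session is active.
//
// Note: 0 is also the id of the services session, so callers must treat 0
// strictly as "nobody is logged on". Despite the name this is not the caller's
// own session but the first active one found in enumeration order.
DWORD GetCurrentSessionId()
{
    WTS_SESSION_INFO *pSessionInfo = NULL; // owned by WTS, released with WTSFreeMemory
    DWORD n_sessions = 0;
    DWORD SessionId = 0;

    // The Version argument is reserved and must be 1.
    if (!WTSEnumerateSessions(WTS_CURRENT_SERVER, 0, 1, &pSessionInfo, &n_sessions))
        return 0;

    for (DWORD i = 0; i < n_sessions; ++i)
    {
        if (pSessionInfo[i].State == WTSActive)
        {
            SessionId = pSessionInfo[i].SessionId;
            break;
        }
    }

    WTSFreeMemory(pSessionInfo);
    return SessionId;
}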
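// Launches process_path in the interactive user's session from a SYSTEM context.
//
// The new process is created with a protected DACL that denies GENERIC_ALL to
// Everyone ("D:P(D;OICI;GA;;;WD)"), so ordinary tools running in the user's
// session cannot open it. Caveats a reviewer should keep in mind:
//  - This is not a security boundary. The object's owner is still implicitly
//    granted READ_CONTROL and WRITE_DAC, and callers holding SeDebugPrivilege
//    (administrators, SYSTEM) bypass the DACL entirely.
//  - The deny ACE also applies to later OpenProcess calls from the launching
//    SYSTEM account; only the handles CreateProcessAsUserW returns at creation
//    time have full access, and they are closed below.
//  - lpThreadAttributes is NULL, so the primary thread keeps its default DACL.
// Requires privileges normally held only by SYSTEM: SeTcbPrivilege for
// WTSQueryUserToken, and SeAssignPrimaryTokenPrivilege / SeIncreaseQuotaPrivilege
// for CreateProcessAsUserW.
//
// process_path: writable NUL-terminated command line; CreateProcessAsUserW may
//               modify its contents, hence the non-const parameter.
// Returns true on success. On failure returns false and leaves the failing
// call's error code in GetLastError() (cleanup calls no longer clobber it).
bool LaunchProcess(wchar_t *process_path)
{
    // All locals are declared up front so the goto-based cleanup below does not
    // jump over an initialization (ill-formed in C++).
    bool result = false;
    DWORD last_error = ERROR_SUCCESS;
    DWORD SessionId = 0;
    HANDLE hToken = NULL;
    HANDLE hTokenDup = NULL;
    void *environment = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    STARTUPINFOW si = { sizeof(si) };
    PROCESS_INFORMATION pi = { };
    SECURITY_ATTRIBUTES sa = { };
    wchar_t desktop[] = L"winsta0\\default";
    DWORD dwCreationFlags = NORMAL_PRIORITY_CLASS | CREATE_UNICODE_ENVIRONMENT | CREATE_NEW_CONSOLE;

    printf("==== Getting session\n");
    SessionId = GetCurrentSessionId();
    if (SessionId == 0) // no-one logged in
    {
        // GetCurrentSessionId does not set a Win32 error; report a meaningful one.
        last_error = ERROR_NO_SUCH_LOGON_SESSION;
        goto cleanup;
    }
    printf("Session %lu\n", SessionId); // DWORD is unsigned long

    printf("==== Getting session Token\n");
    if (!WTSQueryUserToken(SessionId, &hToken))
    {
        last_error = GetLastError();
        goto cleanup;
    }

    printf("==== Duplicating session\n");
    // CreateProcessAsUser needs a primary token; the session token is duplicated
    // into one here.
    if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hTokenDup))
    {
        last_error = GetLastError();
        goto cleanup;
    }

    printf("==== Create envinroment\n");
    if (!CreateEnvironmentBlock(&environment, hToken, TRUE))
    {
        last_error = GetLastError();
        goto cleanup;
    }

    // wShowWindow is only honoured when STARTF_USESHOWWINDOW is set in dwFlags.
    si.wShowWindow = SW_SHOW;
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.lpDesktop = desktop;

    printf("==== Making Security Descriptor\n");
    printf("==== Setting Security Descriptor\n");
    // The converter allocates pSD itself (LocalAlloc); we own it and LocalFree it
    // in cleanup. Pre-allocating a buffer here would only leak it.
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(L"D:P(D;OICI;GA;;;WD)", // Block for everyone (=WD)
            SDDL_REVISION_1, &pSD, nullptr))
    {
        last_error = GetLastError();
        goto cleanup;
    }

    // SECURITY_ATTRIBUTES struct applied to the process object only.
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.lpSecurityDescriptor = pSD;
    sa.bInheritHandle = FALSE; // Do NOT want to inherit handles here

    printf("==== Creating process\n");
    if (!CreateProcessAsUserW(hTokenDup, NULL, process_path, &sa, NULL, FALSE,
                              dwCreationFlags, environment, NULL, &si, &pi))
    {
        last_error = GetLastError();
        goto cleanup;
    }

    printf("OK!!!! %lu\n", GetProcessId(pi.hProcess));
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    result = true;

cleanup:
    // Every resource is released on every path; the original leaked hToken,
    // hTokenDup and environment on the later failure paths and never freed pSD.
    if (pSD)
        LocalFree(pSD);
    if (environment)
        DestroyEnvironmentBlock(environment);
    if (hTokenDup)
        CloseHandle(hTokenDup);
    if (hToken)
        CloseHandle(hToken);
    if (!result)
        SetLastError(last_error);
    return result;
}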
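// Entry point: launches cmd.exe in the interactive user's session.
// Intended to be run from a SYSTEM context (e.g. via a service or PsExec -s);
// argc/argv are unused. Returns 0 even on failure, after printing the error.
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    printf("33\n");
    // Must be a writable array: CreateProcessAsUserW may modify the command line.
    wchar_t path[] = L"C:\\WINDOWS\\system32\\cmd.exe";
    if (!LaunchProcess(path)) {
        // DWORD is unsigned long: %lu, not %d.
        printf("Failed opening. %lu\n", GetLastError());
    }
    return 0;
}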
//PsExec64.exe -s %x64%