CreateProcessW

SUBMITTED BY: Guest

DATE: May 17, 2013, 9:15 a.m.

FORMAT: C#

SIZE: 6.1 kB

Raw Download

HITS: 985

Report
  1. using System;
  2. using System.Collections.Generic;
  3. using System.Diagnostics;
  4. using System.Linq;
  5. using System.Runtime.InteropServices;
  6. using System.Text;
  7. using System.Threading.Tasks;
  8. using System.Security.Principal;
  10. namespace Grabber
  11. {
  12. class Program
  13. {
  14. static IntPtr capturedToken = default(IntPtr);
  16. static WindowsIdentity identity;
  18. [DllImport("advapi32.dll", CharSet = CharSet.Auto, EntryPoint = "OpenProcessToken", SetLastError = true)]
  19. public static extern bool OpenProcessToken([In()]
  20. IntPtr ProcessToken, [In()]
  21. TokenAccessLevels DesiredAccess, [In()]
  22. ref IntPtr TokenHandle);
  24. [DllImport("advapi32.dll", CharSet = CharSet.Auto, EntryPoint = "DuplicateTokenEx", SetLastError = true)]
  25. public static extern bool DuplicateTokenEx(IntPtr ExistingTokenHandle, uint dwDesiredAccess,
  26. ref SECURITY_ATTRIBUTES lpThreadAttributes, int TokenType,
  27. int ImpersonationLevel, ref IntPtr DuplicateTokenHandle);
  29. [DllImport("kernel32", CharSet = CharSet.Auto, EntryPoint = "CloseHandle", SetLastError = true)]
  30. public static extern
  31. bool CloseHandle(IntPtr handle);
  33. [DllImport("userenv.dll", CharSet = CharSet.Auto, SetLastError = true)]
  34. static extern bool CreateEnvironmentBlock(out IntPtr lpEnvironment, IntPtr hToken, bool bInherit);
  36. [DllImport("advapi32", SetLastError = true, CharSet = CharSet.Auto)]
  37. public static extern bool CreateProcessWithTokenW(
  38. IntPtr hToken,
  39. LogonFlags dwLogonFlags,
  40. string lpApplicationName,
  41. string lpCommandLine,
  42. CreationFlags dwCreationFlags,
  43. IntPtr lpEnvironment,
  44. string lpCurrentDirectory,
  45. [In] ref STARTUPINFO lpStartupInfo,
  46. out PROCESS_INFORMATION lpProcessInformation);
  48. static void Main(string[] args)
  49. {
  50. Console.WriteLine("grabbing");
  51. identity = GrabToken();
  52. var info = new PROCESS_INFORMATION();
  53. var startup = new STARTUPINFO();
  54. Console.WriteLine("converting");
  55. Console.ReadKey();
  56. IntPtr lpEnvironment = IntPtr.Zero;
  57. bool envior = CreateEnvironmentBlock(out lpEnvironment, capturedToken, false);
  58. bool sucess = CreateProcessWithTokenW(capturedToken, LogonFlags.WithProfile, "", @"C:\Windows\system32\notepad.exe",
  59. CreationFlags.DefaultErrorMode, lpEnvironment, null, ref startup, out info);
  60. Console.WriteLine("we did it.");
  61. Console.ReadKey();
  62. }
  64. static public WindowsIdentity GrabToken()
  65. {
  67. while (true)
  68. {
  69. Process currentProcess = Process.GetCurrentProcess();
  70. //Bool to see if you have rights to view process token.
  71. if (OpenProcessToken(currentProcess.Handle, TokenAccessLevels.AllAccess, ref capturedToken))
  72. //Grab the "impersonate token" before we convert to primary
  73. {
  74. var wi = new WindowsIdentity(capturedToken);
  75. return wi;
  76. }
  77. }
  78. }
  80. static public bool convertToken()
  81. {
  82. //Convert to primary
  83. IntPtr cloneToken = new IntPtr(0);
  84. bool finalToken;
  85. SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES();
  86. sa.bInheritHandle = true;
  87. sa.Length = Marshal.SizeOf(sa);
  88. sa.lpSecurityDescriptor = (IntPtr)0;
  89. const uint GENERIC_ALL = 0x10000000;
  90. const int SecurityImpersonation = 2;
  91. const int accessLevel = 1;
  93. try
  94. {
  95. finalToken = DuplicateTokenEx(capturedToken, GENERIC_ALL, ref sa, SecurityImpersonation, accessLevel,
  96. ref cloneToken);
  97. }
  98. catch (Exception e)
  99. {
  100. throw e;
  101. }
  102. return finalToken;
  103. }
  109. }
  111. [StructLayout(LayoutKind.Sequential)]
  112. public struct SECURITY_ATTRIBUTES
  113. {
  114. public Int32 Length;
  115. public IntPtr lpSecurityDescriptor;
  116. public bool bInheritHandle;
  117. }
  119. public enum LogonFlags
  120. {
  121. WithProfile = 1,
  122. NetCredentialsOnly
  123. }
  125. public enum CreationFlags
  126. {
  127. DefaultErrorMode = 0x04000000,
  128. NewConsole = 0x00000010,
  129. NewProcessGroup = 0x00000200,
  130. SeparateWOWVDM = 0x00000800,
  131. Suspended = 0x00000004,
  132. UnicodeEnvironment = 0x00000400,
  133. ExtendedStartupInfoPresent = 0x00080000
  134. }
  136. [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
  137. struct STARTUPINFO
  138. {
  139. public Int32 cb;
  140. public string lpReserved;
  141. public string lpDesktop;
  142. public string lpTitle;
  143. public Int32 dwX;
  144. public Int32 dwY;
  145. public Int32 dwXSize;
  146. public Int32 dwYSize;
  147. public Int32 dwXCountChars;
  148. public Int32 dwYCountChars;
  149. public Int32 dwFillAttribute;
  150. public Int32 dwFlags;
  151. public Int16 wShowWindow;
  152. public Int16 cbReserved2;
  153. public IntPtr lpReserved2;
  154. public IntPtr hStdInput;
  155. public IntPtr hStdOutput;
  156. public IntPtr hStdError;
  157. }
  160. [StructLayout(LayoutKind.Sequential)]
  161. internal struct PROCESS_INFORMATION
  162. {
  163. public IntPtr hProcess;
  164. public IntPtr hThread;
  165. public int dwProcessId;
  166. public int dwThreadId;
  167. }
  170. }
comments powered by Disqus