
Commit b4a7c9a

author
Hank Chen
committed
update some skill
1 parent dc8d51e commit b4a7c9a

34 files changed

+2232
-51
lines changed

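--- a/AdjToken/AdjToken.sln
+++ b/AdjToken/AdjToken.sln
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.31005.135
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "AdjToken", "AdjToken\AdjToken.vcxproj", "{27A45EBC-A95A-4B40-9DAB-870044C46B61}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Debug|x64 = Debug|x64
+Debug|x86 = Debug|x86
+Release|x64 = Release|x64
+Release|x86 = Release|x86
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{27A45EBC-A95A-4B40-9DAB-870044C46B61}.Debug|x64.ActiveCfg = Debug|x64
+{27A45EBC-A95A-4B40-9DAB-870044C46B61}.Debug|x64.Build.0 = Debug|x64
+{27A45EBC-A95A-4B40-9DAB-870044C46B61}.Debug|x86.ActiveCfg = Debug|Win32
+{27A45EBC-A95A-4B40-9DAB-870044C46B61}.Debug|x86.Build.0 = Debug|Win32
+{27A45EBC-A95A-4B40-9DAB-870044C46B61}.Release|x64.ActiveCfg = Release|x64
+{27A45EBC-A95A-4B40-9DAB-870044C46B61}.Release|x64.Build.0 = Release|x64
+{27A45EBC-A95A-4B40-9DAB-870044C46B61}.Release|x86.ActiveCfg = Release|Win32
+{27A45EBC-A95A-4B40-9DAB-870044C46B61}.Release|x86.Build.0 = Release|Win32
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+GlobalSection(ExtensibilityGlobals) = postSolution
+SolutionGuid = {743E0191-2AEC-49BA-BF02-267B384E9EB8}
+EndGlobalSection
+EndGlobal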

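--- a/AdjToken/AdjToken/AdjToken.cpp
+++ b/AdjToken/AdjToken/AdjToken.cpp
@@ -0,0 +1,220 @@
+#include <windows.h>
+#include <stdio.h>
+//#pragma comment(lib, "cmcfg32.lib")
+
+BOOL EnablePrivilege()
+{
+LUID PrivilegeRequired;
+DWORD dwLen = 0, iCount = 0;
+BOOL bRes = FALSE;
+HANDLE hToken = NULL;
+BYTE* pBuffer = NULL;
+TOKEN_PRIVILEGES* pPrivs = NULL;
+
+bRes = LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &PrivilegeRequired);
+if (!bRes) return FALSE;
+
+bRes = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, TRUE, &hToken);
+if (!bRes) return FALSE;
+
+bRes = GetTokenInformation(hToken, TokenPrivileges, NULL, 0, &dwLen);
+if (TRUE == bRes)
+{
+CloseHandle(hToken);
+return FALSE;
+}
+pBuffer = (BYTE*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwLen);
+if (NULL == pBuffer) return FALSE;
+
+if (!GetTokenInformation(hToken, TokenPrivileges, pBuffer, dwLen, &dwLen))
+{
+CloseHandle(hToken);
+HeapFree(GetProcessHeap(), 0, pBuffer);
+return FALSE;
+}
+
+// Iterate through all the privileges and enable the one required
+bRes = FALSE;
+pPrivs = (TOKEN_PRIVILEGES*)pBuffer;
+for (iCount = 0; iCount < pPrivs->PrivilegeCount; iCount++)
+{
+if (pPrivs->Privileges[iCount].Luid.LowPart == PrivilegeRequired.LowPart &&
+pPrivs->Privileges[iCount].Luid.HighPart == PrivilegeRequired.HighPart)
+{
+pPrivs->Privileges[iCount].Attributes |= SE_PRIVILEGE_ENABLED;
+// here it's found
+bRes = AdjustTokenPrivileges(hToken, FALSE, pPrivs, dwLen, NULL, NULL);
+break;
+}
+}
+
+CloseHandle(hToken);
+HeapFree(GetProcessHeap(), 0, pBuffer);
+return bRes;
+}
+
+BOOL CheckAndEnablePrivilege(HANDLE hTokenToCheck, LPCWSTR pwszPrivilegeToCheck)
+{
+BOOL bResult = FALSE;
+HANDLE hToken = INVALID_HANDLE_VALUE;
+
+DWORD dwTokenPrivilegesSize = 0;
+PTOKEN_PRIVILEGES pTokenPrivileges = NULL;
+
+LPWSTR pwszPrivilegeName = NULL;
+
+if (hTokenToCheck)
+{
+// If a token handle was supplied, check this token
+hToken = hTokenToCheck;
+}
+else
+{
+// If a token handle wasn't supplied, check the token of the current process
+if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken))
+{
+wprintf(L"OpenProcessToken() failed. Error: %d\n", GetLastError());
+goto cleanup;
+}
+}
+
+if (!GetTokenInformation(hToken, TokenPrivileges, NULL, dwTokenPrivilegesSize, &dwTokenPrivilegesSize))
+{
+if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
+{
+wprintf(L"GetTokenInformation() failed. Error: %d\n", GetLastError());
+goto cleanup;
+}
+}
+
+pTokenPrivileges = (PTOKEN_PRIVILEGES)malloc(dwTokenPrivilegesSize);
+if (!pTokenPrivileges)
+goto cleanup;
+
+if (!GetTokenInformation(hToken, TokenPrivileges, pTokenPrivileges, dwTokenPrivilegesSize, &dwTokenPrivilegesSize))
+{
+wprintf(L"GetTokenInformation() failed. Error: %d\n", GetLastError());
+goto cleanup;
+}
+
+for (DWORD i = 0; i < pTokenPrivileges->PrivilegeCount; i++)
+{
+LUID_AND_ATTRIBUTES laa = pTokenPrivileges->Privileges[i];
+DWORD dwPrivilegeNameLength = 0;
+
+if (!LookupPrivilegeName(NULL, &(laa.Luid), NULL, &dwPrivilegeNameLength))
+{
+if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
+{
+wprintf(L"LookupPrivilegeName() failed. Error: %d\n", GetLastError());
+goto cleanup;
+}
+}
+
+dwPrivilegeNameLength++;
+pwszPrivilegeName = (LPWSTR)malloc(dwPrivilegeNameLength * sizeof(WCHAR));
+if (!pwszPrivilegeName)
+goto cleanup;
+
+if (!LookupPrivilegeName(NULL, &(laa.Luid), pwszPrivilegeName, &dwPrivilegeNameLength))
+{
+wprintf(L"LookupPrivilegeName() failed. Error: %d\n", GetLastError());
+goto cleanup;
+}
+
+if (!_wcsicmp(pwszPrivilegeName, pwszPrivilegeToCheck))
+{
+TOKEN_PRIVILEGES tp = { 0 };
+
+ZeroMemory(&tp, sizeof(TOKEN_PRIVILEGES));
+tp.PrivilegeCount = 1;
+tp.Privileges[0].Luid = laa.Luid;
+tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+
+if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
+{
+wprintf(L"AdjustTokenPrivileges() failed. Error: %d\n", GetLastError());
+goto cleanup;
+}
+
+bResult = TRUE;
+}
+
+free(pwszPrivilegeName);
+
+if (bResult)
+break;
+}
+
+cleanup:
+if (hToken)
+CloseHandle(hToken);
+if (pTokenPrivileges)
+free(pTokenPrivileges);
+
+return bResult;
+}
+
+int enablePriv() {
+HANDLE hToken;
+LPCTSTR lpszPrivilege = SE_TCB_NAME;
+BOOL bEnablePrivilege = TRUE;
+BOOL bRes = FALSE;
+
+bRes = ImpersonateSelf(SecurityImpersonation);
+if (!bRes) return -1;
+
+bRes = OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken);
+if (!bRes) return -1;
+
+
+TOKEN_PRIVILEGES tp;
+LUID luid;
+
+if (!LookupPrivilegeValue(
+NULL, // lookup privilege on local system
+lpszPrivilege, // privilege to lookup
+&luid)) // receives LUID of privilege
+{
+printf("LookupPrivilegeValue error: %u\n", GetLastError());
+return FALSE;
+}
+
+tp.PrivilegeCount = 1;
+tp.Privileges[0].Luid = luid;
+if (bEnablePrivilege)
+tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+else
+tp.Privileges[0].Attributes = 0;
+
+// Enable the privilege or disable all privileges.
+
+if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
+{
+printf("AdjustTokenPrivileges error: %u\n", GetLastError());
+}
+
+if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
+
+{
+printf("The token does not have the specified privilege. \n");
+}
+return 0;
+}
+
+int main() {
+//EnablePrivilege();
+//ShellExecuteA(NULL, "open", "cmd", "", NULL, SW_NORMAL); // fork ?
+
+if (!CheckAndEnablePrivilege(NULL, SE_BACKUP_NAME))
+{
+wprintf(L"[-] A privilege is missing: '%ws'\n", SE_BACKUP_NAME);
+}
+
+
+
+//WinExec("cmd", 0); // fork ?
+//while (1);
+
+return 0;
+}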
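Review bot: CheckAndEnablePrivilege closes a token handle it does not own — when hTokenToCheck is supplied it is copied into hToken, and the cleanup label then runs `if (hToken) CloseHandle(hToken);` on it, so a caller passing its own token gets that handle closed underneath it (the `INVALID_HANDLE_VALUE` initial value also satisfies that `if` when OpenProcessToken fails). Track ownership instead: add `BOOL bOwnToken = FALSE;` with the locals, set `bOwnToken = TRUE;` right after the successful OpenProcessToken, and make the cleanup `if (bOwnToken && hToken != INVALID_HANDLE_VALUE) CloseHandle(hToken);`. The two `goto cleanup` paths taken after the second malloc (the failed LookupPrivilegeName and the failed AdjustTokenPrivileges) also skip the loop's `free(pwszPrivilegeName)`, so freeing it under cleanup as well, with `pwszPrivilegeName = NULL;` after the in-loop free, closes that leak. enablePriv likewise never closes its thread token or calls RevertToSelf after ImpersonateSelf, but it is not reached from main, so that is lower priority.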
