Adding Token Manipulation
Alexander authored and Alexander committed Oct 23, 2017
1 parent 1cfdaac commit e092b09
Showing 7 changed files with 882 additions and 1 deletion.
467 changes: 467 additions & 0 deletions WheresMyImplant/Credentials/Tokens.cs

Large diffs are not rendered by default.

5 changes: 4 additions & 1 deletion WheresMyImplant/Empire/Empire.Agent.Coms.cs
Expand Up @@ -11,7 +11,7 @@

namespace WheresMyImplant
{
class Coms
class Coms : Base
{
private String sessionId {get; set;}
private String stagingKey {get; set;}
Expand Down Expand Up @@ -106,6 +106,7 @@ internal void decodeRoutingPacket(byte[] packetData, ref JobTracking jobTracking
}
catch (IndexOutOfRangeException error)
{
WriteOutputBad(error.ToString());
}
byte[] extra = routingPacket.Skip(10).Take(2).ToArray();
UInt32 packetLength = BitConverter.ToUInt32(routingData, 12);
Expand All @@ -125,6 +126,7 @@ internal void decodeRoutingPacket(byte[] packetData, ref JobTracking jobTracking
}
catch (Exception error)
{
WriteOutputBad(error.ToString());
}
}
}
Expand Down Expand Up @@ -200,6 +202,7 @@ internal void sendMessage(byte[] packets)
}
catch (WebException error)
{
WriteOutputBad(error.ToString());
}
}

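Review bot: The `catch (IndexOutOfRangeException error)` block now logs the exception but still falls through to `routingPacket.Skip(10)` and `BitConverter.ToUInt32(routingData, 12)` on the lines that follow, so a packet too short to parse is reported and then parsed anyway with whatever state the try block left behind; the catch should end with `return;` after `WriteOutputBad(error.ToString());`. This data appears to arrive over the network (the method is a routing-packet decoder and the file's other catch is a `WebException`), so a truncated packet is an expected input here rather than an internal error. The `catch (Exception error)` hunk further down has the same log-and-continue shape and likely wants the same treatment, though what follows it is outside the hunk. decodeRoutingPacket itself starts and ends outside the hunk.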
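--- a/WheresMyImplant/Resources/Constants.cs
+++ b/WheresMyImplant/Resources/Constants.cs
@@ -0,0 +1,59 @@
+using System;
+
+{
+class Constants
+{
+//Process Security and Access Rights
+//https://msdn.microsoft.com/en-us/library/windows/desktop/ms684880%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
+public const UInt32 PROCESS_ALL_ACCESS = 0;
+public const UInt32 PROCESS_CREATE_PROCESS = 0x0080;
+public const UInt32 PROCESS_CREATE_THREAD = 0x0002;
+public const UInt32 PROCESS_DUP_HANDLE = 0x0040;
+public const UInt32 PROCESS_QUERY_INFORMATION = 0x0400;
+public const UInt32 PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
+public const UInt32 PROCESS_SET_INFORMATION = 0x0200;
+public const UInt32 PROCESS_SET_QUOTA = 0x0100;
+public const UInt32 PROCESS_SUSPEND_RESUME = 0x0800;
+public const UInt32 PROCESS_TERMINATE = 0x0001;
+public const UInt32 PROCESS_VM_OPERATION = 0x0008;
+public const UInt32 PROCESS_VM_READ = 0x0010;
+public const UInt32 PROCESS_VM_WRITE = 0x0020;
+public const UInt32 SYNCHRONIZE = 0x00100000;
+
+//Token
+//http://www.pinvoke.net/default.aspx/advapi32.openprocesstoken
+public const UInt32 STANDARD_RIGHTS_REQUIRED = 0x000F0000;
+public const UInt32 STANDARD_RIGHTS_READ = 0x00020000;
+public const UInt32 TOKEN_ASSIGN_PRIMARY = 0x0001;
+public const UInt32 TOKEN_DUPLICATE = 0x0002;
+public const UInt32 TOKEN_IMPERSONATE = 0x0004;
+public const UInt32 TOKEN_QUERY = 0x0008;
+public const UInt32 TOKEN_QUERY_SOURCE = 0x0010;
+public const UInt32 TOKEN_ADJUST_PRIVILEGES = 0x0020;
+public const UInt32 TOKEN_ADJUST_GROUPS = 0x0040;
+public const UInt32 TOKEN_ADJUST_DEFAULT = 0x0080;
+public const UInt32 TOKEN_ADJUST_SESSIONID = 0x0100;
+public const UInt32 TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY);
+public const UInt32 TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY |
+TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_QUERY_SOURCE |
+TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT |
+TOKEN_ADJUST_SESSIONID);
+public const UInt32 TOKEN_ALT = (TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY);
+
+//TOKEN_PRIVILEGES
+//https://msdn.microsoft.com/en-us/library/windows/desktop/aa379630(v=vs.85).aspx
+public const UInt32 SE_PRIVILEGE_ENABLED = 0x2;
+public const UInt32 SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x1;
+public const UInt32 SE_PRIVILEGE_REMOVED = 0x4;
+public const UInt32 SE_PRIVILEGE_USED_FOR_ACCESS = 0x3;
+
+public const Int32 ANYSIZE_ARRAY = 1;
+
+//https://msdn.microsoft.com/en-us/library/windows/desktop/aa446619(v=vs.85).aspx
+public const String SE_ASSIGNPRIMARYTOKEN_NAME = "SeAssignPrimaryTokenPrivilege";
+public const String SE_BACKUP_NAME = "SeBackupPrivilege";
+public const String SE_DEBUG_NAME = "SeDebugPrivilege";
+public const String SE_INCREASE_QUOTA_NAME = "SeIncreaseQuotaPrivilege";
+public const String SE_TCB_NAME = "SeTcbPrivilege";
+}
+}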
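Review bot: `PROCESS_ALL_ACCESS` is defined as `0` on the first constant line of the class, which does not match the winnt.h definition on the MSDN page the comment links to (there it is the OR of `STANDARD_RIGHTS_REQUIRED`, `SYNCHRONIZE` and the specific process rights); as written, any caller that passes it as the desired-access argument requests no rights at all, while the name promises the opposite. `SE_PRIVILEGE_USED_FOR_ACCESS = 0x3` likewise differs from the header, where it is a single high-order bit rather than the OR of the two flags declared above it; both values should be copied from the header rather than retyped. Separately, the `{` on the third line of the file opens without a `namespace WheresMyImplant` line, unlike the other new files in this commit — possibly a rendering artifact of this page, but as shown the file would not compile.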
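--- a/WheresMyImplant/Resources/Enums.cs
+++ b/WheresMyImplant/Resources/Enums.cs
@@ -0,0 +1,144 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+
+namespace WheresMyImplant
+{
+public class Enums
+{
+[Flags]
+public enum LOGON_FLAGS
+{
+WithProfile = 1,
+NetCredentialsOnly
+}
+
+//https://msdn.microsoft.com/en-us/library/windows/desktop/ms682434(v=vs.85).aspx
+[Flags]
+public enum CREATION_FLAGS
+{
+NONE = 0x0,
+CREATE_DEFAULT_ERROR_MODE = 0x04000000,
+CREATE_NEW_CONSOLE = 0x00000010,
+CREATE_NEW_PROCESS_GROUP = 0x00000200,
+CREATE_SEPARATE_WOW_VDM = 0x00000800,
+CREATE_SUSPENDED = 0x00000004,
+CREATE_UNICODE_ENVIRONMENT = 0x00000400,
+EXTENDED_STARTUPINFO_PRESENT = 0x00080000
+}
+
+
+
+[Flags]
+public enum _SECURITY_IMPERSONATION_LEVEL : int
+{
+SecurityAnonymous = 0,
+SecurityIdentification = 1,
+SecurityImpersonation = 2,
+SecurityDelegation = 3
+};
+
+[Flags]
+public enum TOKEN_TYPE
+{
+TokenPrimary = 1,
+TokenImpersonation
+}
+
+//http://www.pinvoke.net/default.aspx/Enums.ACCESS_MASK
+[Flags]
+public enum ACCESS_MASK : uint
+{
+DELETE = 0x00010000,
+READ_CONTROL = 0x00020000,
+WRITE_DAC = 0x00040000,
+WRITE_OWNER = 0x00080000,
+SYNCHRONIZE = 0x00100000,
+STANDARD_RIGHTS_REQUIRED = 0x000F0000,
+STANDARD_RIGHTS_READ = 0x00020000,
+STANDARD_RIGHTS_WRITE = 0x00020000,
+STANDARD_RIGHTS_EXECUTE = 0x00020000,
+STANDARD_RIGHTS_ALL = 0x001F0000,
+SPECIFIC_RIGHTS_ALL = 0x0000FFF,
+ACCESS_SYSTEM_SECURITY = 0x01000000,
+MAXIMUM_ALLOWED = 0x02000000,
+GENERIC_READ = 0x80000000,
+GENERIC_WRITE = 0x40000000,
+GENERIC_EXECUTE = 0x20000000,
+GENERIC_ALL = 0x10000000,
+DESKTOP_READOBJECTS = 0x00000001,
+DESKTOP_CREATEWINDOW = 0x00000002,
+DESKTOP_CREATEMENU = 0x00000004,
+DESKTOP_HOOKCONTROL = 0x00000008,
+DESKTOP_JOURNALRECORD = 0x00000010,
+DESKTOP_JOURNALPLAYBACK = 0x00000020,
+DESKTOP_ENUMERATE = 0x00000040,
+DESKTOP_WRITEOBJECTS = 0x00000080,
+DESKTOP_SWITCHDESKTOP = 0x00000100,
+WINSTA_ENUMDESKTOPS = 0x00000001,
+WINSTA_READATTRIBUTES = 0x00000002,
+WINSTA_ACCESSCLIPBOARD = 0x00000004,
+WINSTA_CREATEDESKTOP = 0x00000008,
+WINSTA_WRITEATTRIBUTES = 0x00000010,
+WINSTA_ACCESSGLOBALATOMS = 0x00000020,
+WINSTA_EXITWINDOWS = 0x00000040,
+WINSTA_ENUMERATE = 0x00000100,
+WINSTA_READSCREEN = 0x00000200,
+WINSTA_ALL_ACCESS = 0x0000037F
+};
+
+public enum SECURITY_IMPERSONATION_LEVEL
+{
+SecurityAnonymous,
+SecurityIdentification,
+SecurityImpersonation,
+SecurityDelegation
+}
+
+public enum _TOKEN_INFORMATION_CLASS {
+TokenUser = 1,
+TokenGroups,
+TokenPrivileges,
+TokenOwner,
+TokenPrimaryGroup,
+TokenDefaultDacl,
+TokenSource,
+TokenType,
+TokenImpersonationLevel,
+TokenStatistics,
+TokenRestrictedSids,
+TokenSessionId,
+TokenGroupsAndPrivileges,
+TokenSessionReference,
+TokenSandBoxInert,
+TokenAuditPolicy,
+TokenOrigin,
+TokenElevationType,
+TokenLinkedToken,
+TokenElevation,
+TokenHasRestrictions,
+TokenAccessInformation,
+TokenVirtualizationAllowed,
+TokenVirtualizationEnabled,
+TokenIntegrityLevel,
+TokenUIAccess,
+TokenMandatoryPolicy,
+TokenLogonSid,
+TokenIsAppContainer,
+TokenCapabilities,
+TokenAppContainerSid,
+TokenAppContainerNumber,
+TokenUserClaimAttributes,
+TokenDeviceClaimAttributes,
+TokenRestrictedUserClaimAttributes,
+TokenRestrictedDeviceClaimAttributes,
+TokenDeviceGroups,
+TokenRestrictedDeviceGroups,
+TokenSecurityAttributes,
+TokenIsRestricted,
+MaxTokenInfoClass
+}
+
+}
+}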
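Review bot: `[Flags]` is applied to `_SECURITY_IMPERSONATION_LEVEL` and `TOKEN_TYPE`, whose members are sequential values (0–3 and 1–2) rather than independent bits; the attribute makes `ToString` render combinations and tells readers the values may be OR-ed, which is wrong for both, so drop it there and keep it only on `CREATION_FLAGS`, `ACCESS_MASK` and `LOGON_FLAGS`. `_SECURITY_IMPERSONATION_LEVEL` also duplicates the `SECURITY_IMPERSONATION_LEVEL` declared later in the file with the same members and values; one of the two should go. In `ACCESS_MASK`, `SPECIFIC_RIGHTS_ALL = 0x0000FFF` is one hex digit short of the `0x0000FFFF` mask given on the pinvoke.net page the comment cites, so the constant is `0xFFF`. The `Enums` class holds only nested types and could be declared `static`, and the `System.Collections.Generic`, `System.Linq` and `System.Text` usings are unused in this file.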
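--- a/WheresMyImplant/Resources/Services.cs
+++ b/WheresMyImplant/Resources/Services.cs
@@ -0,0 +1,120 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Management;
+using System.Text;
+using System.ServiceProcess;
+
+namespace WheresMyImplant
+{
+class Services : Base
+{
+private ServiceController service;
+private String serviceName;
+private UInt32 ProcessId;
+
+////////////////////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////////////////////
+public Services(String serviceName)
+{
+this.serviceName = serviceName;
+service = new ServiceController(serviceName);
+}
+
+////////////////////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////////////////////
+public Boolean StartService()
+{
+WriteOutputNeutral("Starting Service " + serviceName);
+if (service.Status == ServiceControllerStatus.Running)
+{
+return true;
+}
+
+service.Start();
+while (service.Status == ServiceControllerStatus.StartPending)
+{
+System.Threading.Thread.Sleep(100);
+}
+
+if (service.Status == ServiceControllerStatus.Running)
+{
+return true;
+}
+else
+{
+return false;
+}
+}
+
+////////////////////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////////////////////
+public Boolean StopService()
+{
+WriteOutputGood("Stopping Service " + serviceName);
+if (service.CanStop)
+{
+service.Stop();
+while (service.Status == ServiceControllerStatus.StopPending)
+{
+System.Threading.Thread.Sleep(100);
+}
+
+if (service.Status == ServiceControllerStatus.Stopped)
+{
+return true;
+}
+else
+{
+return false;
+}
+}
+else if (service.CanPauseAndContinue)
+{
+service.Pause();
+while (service.Status == ServiceControllerStatus.PausePending)
+{
+System.Threading.Thread.Sleep(100);
+}
+
+if (service.Status == ServiceControllerStatus.Paused)
+{
+return true;
+}
+else
+{
+return false;
+}
+}
+else
+{
+WriteOutputBad("Unable to stop service");
+return false;
+}
+}
+
+////////////////////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////////////////////
+public UInt32 GetServiceProcessId()
+{
+List<ManagementObject> systemProcesses = new List<ManagementObject>();
+ManagementScope scope = new ManagementScope("\\\\.\\root\\cimv2");
+scope.Connect();
+if (!scope.IsConnected)
+{
+WriteOutputBad("Failed to connect to WMI");
+}
+
+Console.WriteLine(" [*] Querying for service: " + serviceName);
+ObjectQuery query = new ObjectQuery("SELECT * FROM Win32_Service WHERE Name = \'" + serviceName + "\'");
+ManagementObjectSearcher objectSearcher = new ManagementObjectSearcher(scope, query);
+ManagementObjectCollection objectCollection = objectSearcher.Get();
+foreach (ManagementObject managementObject in objectCollection)
+{
+ProcessId = (UInt32)managementObject["ProcessId"];
+}
+WriteOutputGood(" [+] Returned PID: " + ProcessId);
+return ProcessId;
+}
+}
+}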
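Review bot: `ServiceController.Status` is cached from the first read until `Refresh()` is called, so the `while (service.Status == ServiceControllerStatus.StartPending)` loop in `StartService` and the two matching loops in `StopService` keep comparing against the value cached at the first check and never observe the transition; in `StartService` that first read happens before `Start()`, so the method will report `false` even when the service came up. Replace each polling loop with a call such as `service.WaitForStatus(ServiceControllerStatus.Running, TimeSpan.FromSeconds(30));` followed by `service.Refresh(); return service.Status == ServiceControllerStatus.Running;` (WaitForStatus throws `TimeoutException` on expiry, which callers should expect), or at minimum call `service.Refresh()` inside each loop. `StopService` also returns `true` after `Pause()`, which neither the method name nor the "Stopping Service" log line reflects — a paused service is still loaded and running. In `GetServiceProcessId`, a failed `scope.Connect()` is logged and the query is issued anyway, the WQL string is built by concatenating `serviceName` with no escaping of the quote character, and `ProcessId` keeps its previous value when the query returns no rows, so the method can report a stale PID; return early on connection failure and reset the field before the loop, and the unused `systemProcesses` list can be dropped.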
