Hi Friend,
I would like to give a simple tutorial on Windows programming that shows how to escalate your privilege token programmatically.
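The goal of this tutorial is to give your application's token the SeDebugPrivilege with the SE_PRIVILEGE_ENABLED attribute set, so that it can perform many more actions, such as DLL injection. The code only enables a privilege that the token already holds (normally the token of an elevated administrator); if the privilege is missing, the program relaunches itself elevated through the "runas" verb.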
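#include <Windows.h>

#include <iostream>
#include <vector>

#define MAXFILEPATHLEN 5000

// Demonstrates enabling SeDebugPrivilege in the current process token.
//
// The privilege can only be *enabled* if the token already holds it; nothing
// here adds a privilege the account was not granted. SeDebugPrivilege lets a
// process open other processes regardless of their security descriptor, so it
// should be enabled only by tools that need it (debuggers, dump collectors).
//
// Detection note: enabling a token privilege is recorded as Security event
// 4703 when the "Audit Token Right Adjusted" audit subcategory is turned on.

namespace {

// Owns a token handle and closes it on every exit path.
struct TokenHandle {
    HANDLE h = nullptr;

    TokenHandle() = default;
    TokenHandle(const TokenHandle&) = delete;
    TokenHandle& operator=(const TokenHandle&) = delete;
    ~TokenHandle()
    {
        if (h != nullptr) {
            CloseHandle(h);
        }
    }
};

// Returns true when `luid` is listed among the privileges held by `hToken`
// (enabled or not). Returns false if the privilege list cannot be read.
bool tokenHoldsPrivilege(HANDLE hToken, const LUID& luid)
{
    // Size probe: with a NULL buffer the call is expected to fail and report
    // the required size in `needed`.
    DWORD needed = 0;
    GetTokenInformation(hToken, TokenPrivileges, nullptr, 0, &needed);
    if (needed < sizeof(DWORD)) {
        // Not even room for PrivilegeCount: the probe itself failed.
        std::cout << "GetTokenInformation()" << std::endl;
        return false;
    }

    std::vector<BYTE> buffer(needed);
    DWORD written = 0;
    if (!GetTokenInformation(hToken, TokenPrivileges, buffer.data(), needed, &written)) {
        // Do not walk the buffer: its contents are undefined after a failure.
        std::cout << "GetTokenInformation()" << std::endl;
        return false;
    }

    const TOKEN_PRIVILEGES* held = reinterpret_cast<const TOKEN_PRIVILEGES*>(buffer.data());
    for (DWORD i = 0; i < held->PrivilegeCount; ++i) {
        const LUID& candidate = held->Privileges[i].Luid;
        if (candidate.LowPart == luid.LowPart && candidate.HighPart == luid.HighPart) {
            return true;
        }
    }
    return false;
}

// Returns true when the current process token is elevated. Returns false when
// it is not, or when the elevation state cannot be queried.
bool isProcessElevated()
{
    TokenHandle token;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token.h)) {
        return false;
    }

    TOKEN_ELEVATION elevation = {};
    DWORD written = 0;
    if (!GetTokenInformation(token.h, TokenElevation, &elevation, sizeof(elevation), &written)) {
        return false;
    }
    return elevation.TokenIsElevated != 0;
}

} // namespace

// Enables SeDebugPrivilege in the current process token.
//
// Returns true only when the privilege is held by the token AND the enable
// request was actually applied. Returns false when the token cannot be opened,
// the privilege name cannot be resolved, the token does not hold the
// privilege, or AdjustTokenPrivileges did not assign it.
bool injectSetDebugPriv()
{
    TokenHandle token;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token.h)) {
        std::cout << "[-] OpenProcessToken() failed, error " << GetLastError() << std::endl;
        return false;
    }

    LUID luid = {};
    if (!LookupPrivilegeValue(nullptr, SE_DEBUG_NAME, &luid)) {
        return false;
    }

    if (!tokenHoldsPrivilege(token.h, luid)) {
        // The privilege is not in the token, so it cannot be enabled.
        std::cout << "[-] SeDebugPrivilege unavailable\nPlease run with Privileges!" << std::endl;
        return false;
    }
    std::cout << "[+] SeDebugPrivilege available for enabling!" << std::endl;

    TOKEN_PRIVILEGES tokenPriv = {};
    tokenPriv.PrivilegeCount = 1;
    tokenPriv.Privileges[0].Luid = luid;
    tokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    const BOOL adjusted = AdjustTokenPrivileges(token.h, FALSE, &tokenPriv,
                                                sizeof(TOKEN_PRIVILEGES), nullptr, nullptr);
    // Read the error code before any other call can overwrite it.
    const DWORD adjustError = GetLastError();

    // AdjustTokenPrivileges returns nonzero even when it assigned nothing; the
    // real outcome is ERROR_SUCCESS versus ERROR_NOT_ALL_ASSIGNED.
    if (!adjusted || adjustError != ERROR_SUCCESS) {
        std::cout << "[-] AdjustTokenPrivileges() failed, error " << adjustError << std::endl;
        return false;
    }
    return true;
}

// Starts a second copy of this executable with the "runas" verb, which asks
// the shell to launch it elevated. Does nothing beyond logging when the module
// path cannot be obtained or the launch is refused.
void RelaunchSelf(void)
{
    // The buffer is WCHAR and the verb is a wide literal, so the wide API
    // variants are named explicitly instead of relying on the UNICODE macro.
    WCHAR fileName[MAXFILEPATHLEN];
    const DWORD copied = GetModuleFileNameW(nullptr, fileName, MAXFILEPATHLEN);
    if (copied == 0 || copied >= MAXFILEPATHLEN) {
        // 0 is failure; a value equal to the buffer size means truncation.
        std::cout << "[-] GetModuleFileName() failed, error " << GetLastError() << std::endl;
        return;
    }

    // Zero-initialise: the structure has more members than the ones set here
    // and ShellExecuteEx reads them.
    SHELLEXECUTEINFOW info = {};
    info.cbSize = sizeof(info);
    info.fMask = SEE_MASK_DEFAULT;
    info.hwnd = nullptr;
    info.lpVerb = L"runas";
    info.lpFile = fileName;
    info.lpParameters = nullptr;
    info.lpDirectory = nullptr;
    info.nShow = SW_SHOWNORMAL;

    if (!ShellExecuteExW(&info)) {
        // ERROR_CANCELLED here means the elevation prompt was declined.
        std::cout << "[-] ShellExecuteEx() failed, error " << GetLastError() << std::endl;
    }
}

// Tries to enable SeDebugPrivilege; if that fails in a non-elevated process,
// relaunches elevated and exits. Waits for input before returning on success.
int main()
{
    const bool result = injectSetDebugPriv();
    if (!result) {
        // Relaunch only from a non-elevated process. An elevated process that
        // still lacks the privilege (for example, removed by policy) would
        // otherwise keep spawning copies of itself.
        if (!isProcessElevated()) {
            RelaunchSelf();
        }
        ExitProcess(static_cast<UINT>(-1));
    }

    std::cout << "Escalation with debug enabled successfully" << std::endl;

    // Keep the console open until the user types something.
    int i = 0;
    std::cin >> i;
    return 0;
}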