Hi Friend,
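I would like to give a simple Windows programming tutorial on how to escalate the privileges of your process token programmatically.
The goal of this tutorial is to have your application set the SE_PRIVILEGE_ENABLED attribute on SeDebugPrivilege in its own token, so that it can perform many more actions, such as DLL injection. Note that the code below can only enable the privilege if the token already holds it; otherwise it relaunches itself with the "runas" verb to request elevation.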
#include<Windows.h>
#include <iostream>
using namespace std;
#define MAXFILEPATHLEN 5000
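/**
 * Enables SeDebugPrivilege in the current process's token.
 *
 * The function first checks that the privilege is present in the token
 * (AdjustTokenPrivileges can only enable a privilege the token already
 * holds) and then sets SE_PRIVILEGE_ENABLED on it.
 *
 * @return true only when the privilege was found and actually enabled;
 *         false when the token could not be opened or queried, the
 *         privilege is not held, or the adjustment did not take effect.
 *
 * NOTE(review): on hosts that audit token right adjustments this call is
 * typically recorded (Security event 4703) - confirm against the audit
 * policy in use before relying on it for detection.
 */
bool injectSetDebugPriv() {
    HANDLE hToken = NULL;
    LUID luid = { 0 };
    bool seDebugAvailable = false;

    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        // Resolve the locally unique identifier for SeDebugPrivilege.
        if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
            CloseHandle(hToken);  // do not leak the token handle on the early exit
            return false;
        }

        // First call only reports the required buffer size; it is expected to fail.
        DWORD structSize = 0;
        GetTokenInformation(hToken, TokenPrivileges, NULL, 0, &structSize);

        PTOKEN_PRIVILEGES processTokenPrivs = NULL;
        if (structSize != 0) {
            processTokenPrivs = static_cast<PTOKEN_PRIVILEGES>(malloc(structSize));
        }

        DWORD structSize2 = 0;  // should come out of the API with the same value as structSize
        if (processTokenPrivs == NULL ||
            !GetTokenInformation(hToken, TokenPrivileges, processTokenPrivs, structSize, &structSize2)) {
            // Never walk a buffer the API did not fill in.
            std::cout << "GetTokenInformation()" << std::endl;
        }
        else {
            for (DWORD x = 0; x < processTokenPrivs->PrivilegeCount; x++) {
                const LUID_AND_ATTRIBUTES& entry = processTokenPrivs->Privileges[x];
                if ((entry.Luid.LowPart == luid.LowPart) && (entry.Luid.HighPart == luid.HighPart)) {
                    std::cout << "[+] SeDebugPrivilege available for enabling!" << std::endl;
                    seDebugAvailable = true;
                    break;
                }
            }
        }
        free(processTokenPrivs);  // free(NULL) is a no-op
    }

    if (!seDebugAvailable) {
        // The privilege is not in the token (or the token could not be inspected).
        if (hToken != NULL) {
            CloseHandle(hToken);
        }
        std::cout << "[-] SeDebugPrivilege unavailable\nPlease run with Privileges!" << std::endl;
        return false;
    }

    TOKEN_PRIVILEGES tokenPriv = { 0 };
    tokenPriv.PrivilegeCount = 1;
    tokenPriv.Privileges[0].Luid = luid;
    tokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // AdjustTokenPrivileges can return nonzero without enabling anything; in that
    // case GetLastError() is ERROR_NOT_ALL_ASSIGNED, so both values are checked.
    const BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
    const DWORD adjustError = GetLastError();
    CloseHandle(hToken);

    return adjusted && adjustError == ERROR_SUCCESS;
}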
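/**
 * Starts a second copy of the current executable through the shell's
 * "runas" verb, which asks the user to approve elevation.
 *
 * The function does not wait for the new process and does not report
 * success to the caller; a failure (for example the user declining the
 * prompt) is only written to stdout.
 */
void RelaunchSelf(void) {
    WCHAR fileName[MAXFILEPATHLEN];

    // A return of 0 is a failure and a return equal to the buffer size means the
    // path was truncated. A truncated path must never be handed to an elevation
    // request, because it could name a different file than this executable.
    const DWORD pathLen = GetModuleFileNameW(NULL, fileName, MAXFILEPATHLEN);
    if (pathLen == 0 || pathLen >= MAXFILEPATHLEN) {
        std::cout << "[-] Could not determine own module path" << std::endl;
        return;
    }

    // Zero-initialise so the members not set below do not carry stack garbage
    // into the shell call.
    SHELLEXECUTEINFOW info = { 0 };
    info.cbSize = sizeof(SHELLEXECUTEINFOW);
    info.fMask = SEE_MASK_DEFAULT;
    info.hwnd = NULL;
    info.lpVerb = L"runas";
    info.lpFile = fileName;
    info.lpParameters = NULL;
    info.lpDirectory = NULL;
    info.nShow = SW_SHOWNORMAL;

    // Also try the simpler ShellExecute
    if (!ShellExecuteExW(&info)) {
        std::cout << "[-] Elevated relaunch failed, error " << GetLastError() << std::endl;
    }
}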
// Entry point: try to enable SeDebugPrivilege; if that fails, request an
// elevated relaunch and terminate this instance.
// NOTE(review): if the relaunched instance also fails to enable the privilege
// it will request another relaunch; nothing here limits the number of
// attempts - consider a guard.
int main()
{
    const bool debugPrivEnabled = injectSetDebugPriv();
    if (debugPrivEnabled) {
        std::cout << "Escalation with debug enabled successfully" << std::endl;
        // Block on input so the console window stays open.
        int pauseInput;
        std::cin >> pauseInput;
        return 0;
    }

    RelaunchSelf();
    ExitProcess(-1);
}