import ctypes
import sys
from ctypes.wintypes import BOOL, DWORD, LONG, ULONG
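# Handles to the Win32 DLLs this script calls (stdcall, via WinDLL).
u_handle = ctypes.WinDLL("User32.dll")
k_handle = ctypes.WinDLL("kernel32.dll")
adv_handle = ctypes.WinDLL("advapi32.dll")

# Functions that return a handle (HWND / HANDLE) return a pointer-sized value;
# ctypes' default return type is a 32-bit C int, which truncates it on 64-bit
# Python. A signed pointer-sized int is used rather than c_void_p so that a
# NULL result still compares == 0 (c_void_p would yield None instead).
u_handle.FindWindowA.restype = ctypes.c_ssize_t
u_handle.FindWindowW.restype = ctypes.c_ssize_t
k_handle.OpenProcess.restype = ctypes.c_ssize_t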
# Process access mask (winnt.h): STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE plus
# the process-specific rights. 0xFFF is the pre-Vista specific-rights mask;
# newer SDKs define PROCESS_ALL_ACCESS with 0xFFFF, but this value still works.
PROCESS_ALL_ACCESS = 0x00100000 | 0x000F0000 | 0x00000FFF

# Privilege attribute flags for LUID_AND_ATTRIBUTES.
# Source https://referencesource.microsoft.com/#System.IdentityModel/System/IdentityModel/Privilege.cs
SE_PRIVILEGE_DISABLED = 0x0000
SE_PRIVILEGE_ENABLED = 0x0002

# Token access rights.
# Source token value: https://referencesource.microsoft.com/#System.Workflow.Runtime/DebugEngine/NativeMethods.cs
STANDARD_RIGHTS_REQUIRED = 0x000F0000
STANDARD_RIGHTS_READ = 0x00020000

TOKEN_ASSIGN_PRIMARY = 0x0001
TOKEN_DUPLICATE = 0x0002
TOKEN_IMPERSONATION = 0x0004
TOKEN_QUERY = 0x0008
TOKEN_QUERY_SOURCE = 0x0010
TOKEN_ADJUST_PRIVILEGES = 0x0020
TOKEN_ADJUST_GROUPS = 0x0040
TOKEN_ADJUST_DEFAULT = 0x0080
TOKEN_ADJUST_SESSIONID = 0x0100

# Read-only access: enough to query a token's contents.
TOKEN_READ = STANDARD_RIGHTS_READ | TOKEN_QUERY

# Every token-specific right plus the required standard rights.
TOKEN_ALL_ACCESS = (
    STANDARD_RIGHTS_REQUIRED
    | TOKEN_ASSIGN_PRIMARY
    | TOKEN_DUPLICATE
    | TOKEN_IMPERSONATION
    | TOKEN_QUERY
    | TOKEN_QUERY_SOURCE
    | TOKEN_ADJUST_PRIVILEGES
    | TOKEN_ADJUST_GROUPS
    | TOKEN_ADJUST_DEFAULT
    | TOKEN_ADJUST_SESSIONID
)
# define LUID structure
class LUID(ctypes.Structure):
_fields_ = [
("LowPart", ULONG),
("HighPart", LONG)
]
class LUID_AND_ATTRIBUTES(ctypes.Structure):
    """A privilege LUID paired with its SE_PRIVILEGE_* attribute flags."""

    _fields_ = (
        ("Luid", LUID),
        ("Attributes", ctypes.c_ulong),   # DWORD
    )
class PRIVILEGE_SET(ctypes.Structure):
    """PRIVILEGE_SET as passed to PrivilegeCheck; sized here for a single privilege entry."""

    _fields_ = (
        ("PrivilegeCount", ctypes.c_ulong),   # DWORD: number of entries in Privilege
        ("Control", ctypes.c_ulong),          # DWORD
        ("Privilege", LUID_AND_ATTRIBUTES),   # one entry (PrivilegeCount must be 1)
    )
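# Prompt for the title of the window whose owning process will be inspected.
print('[+] Enter window name')
window_name = input()

# FindWindowW: resolve the title to a window handle. The wide-character
# variant is used because FindWindowA interprets its argument in the ANSI
# code page, so a UTF-8-encoded title would only ever match ASCII names.
print('[+] FindWindowW')
lpClassName = None  # NULL: accept any window class
lpWindowName = ctypes.c_wchar_p(window_name)  # LPCWSTR
windows_handle = u_handle.FindWindowW(lpClassName, lpWindowName)
if windows_handle == 0:
    # Stop here: every later call needs a valid HWND, and continuing would
    # only produce a second, misleading failure from GetWindowThreadProcessId.
    print('Error code {0} - This window name is not available.'.format(k_handle.GetLastError()))
    raise SystemExit(1)
print('OK')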
# GetWindowThreadProcessId: map the window handle to the id of the process
# that created it (the PID is returned through the out-parameter; the return
# value is the creating thread's id, 0 on failure).
print('[+] GetWindowThreadProcessId')
hWnd = windows_handle
dwProcessId = ctypes.c_ulong()  # receives the PID
lpdwProcessId = ctypes.byref(dwProcessId)
thread_id = u_handle.GetWindowThreadProcessId(hWnd, lpdwProcessId)
if thread_id != 0:
    print('OK')
else:
    print('Error code {0} - GetWindowThreadProcessId failed.'.format(k_handle.GetLastError()))
    exit(1)
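# OpenProcess: obtain a handle to the target process that is just sufficient
# for OpenProcessToken. Least privilege: OpenProcessToken is documented to
# need only PROCESS_QUERY_LIMITED_INFORMATION, so that is all that is asked
# for. PROCESS_ALL_ACCESS is unnecessary here and is refused for many targets
# (another user's or a protected process) where the limited query right would
# still be granted.
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
print('[+] OpenProcess')
dwDesiredAccess = PROCESS_QUERY_LIMITED_INFORMATION
bInheritHandle = False  # child processes must not inherit this handle
hProcess = k_handle.OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId)
if hProcess == 0:
    print('Error code {0} - OpenProcess failed.'.format(k_handle.GetLastError()))
    raise SystemExit(1)
print('OK')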
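# OpenProcessToken: open the target process's primary token.
# PrivilegeCheck only requires TOKEN_QUERY on the token, so that is all that
# is requested; TOKEN_ALL_ACCESS would also claim adjust/duplicate/impersonate
# rights this script never uses and is denied more often.
print('[+] OpenProcessToken')
ProcessHandle = hProcess
DesiredAccess = TOKEN_QUERY
TokenHandle = ctypes.c_void_p()  # receives the token HANDLE (out-param)
response = adv_handle.OpenProcessToken(ProcessHandle, DesiredAccess, ctypes.byref(TokenHandle))
if response == 0:
    print('Error code {0} - OpenProcessToken failed.'.format(k_handle.GetLastError()))
    # Without a token there is nothing to check; stop rather than hand a NULL
    # handle to PrivilegeCheck later on.
    raise SystemExit(1)
print('Open acccess token successfully!!')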
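# LookupPrivilegeValueW: translate a privilege name into the LUID that
# PrivilegeCheck compares against. Prototype:
#   BOOL LookupPrivilegeValueW(LPCWSTR lpSystemName, LPCWSTR lpName, PLUID lpLuid);
print('[+] LookupPrivilegeValue')
lpSystemName = None  # NULL: resolve the name on the local system
# The privilege to check may be given as the first command-line argument;
# SeShutdownPrivilege stays the default so existing invocations are unchanged.
lpName = sys.argv[1] if len(sys.argv) > 1 else "SeShutdownPrivilege"
lpLuid = LUID()  # out-param
response = adv_handle.LookupPrivilegeValueW(lpSystemName, lpName, ctypes.byref(lpLuid))
if response == 0:
    print('Error code {0} - LookupPrivilegeValue failed.'.format(k_handle.GetLastError()))
    # A zeroed LUID would make PrivilegeCheck answer for no real privilege; stop here.
    raise SystemExit(1)
print('Lookup privilege {0} successfully!!'.format(lpName))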
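# PrivilegeCheck: ask whether the privilege is enabled in the target token.
# Prototype:
#   BOOL PrivilegeCheck(HANDLE ClientToken, PPRIVILEGE_SET RequiredPrivileges, LPBOOL pfResult);
print('[+] PrivilegeCheck')
ClientToken = TokenHandle
RequiredPrivileges = PRIVILEGE_SET()
RequiredPrivileges.PrivilegeCount = 1  # the structure holds exactly one entry
RequiredPrivileges.Privilege.Luid = lpLuid
RequiredPrivileges.Privilege.Attributes = SE_PRIVILEGE_ENABLED
pfResult = BOOL()  # out-param: TRUE when the privilege is enabled in the token
response = adv_handle.PrivilegeCheck(ClientToken, ctypes.byref(RequiredPrivileges), ctypes.byref(pfResult))
if response == 0:
    # Read the error code before any other Win32 call can overwrite it.
    print('Error code {0} - PrivilegeCheck failed.'.format(k_handle.GetLastError()))
else:
    print('PrivilegeCheck successfully!!')

# The token and process handles are not needed past this point; release them
# instead of leaving them to process teardown.
if TokenHandle.value:
    k_handle.CloseHandle(TokenHandle)
if hProcess:
    k_handle.CloseHandle(hProcess)

if response == 0:
    raise SystemExit(1)
# PrivilegeCheck only reports "enabled": a FALSE result does not distinguish a
# privilege the token holds in a disabled state from one it does not hold at all.
if pfResult.value == 0:
    print('Privilege {0} is DISABLED'.format(lpName))
else:
    print('Privilege {0} is ENABLED'.format(lpName))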