def shell_as(th, enable_privs=0):
t = thread(th)
print t.as_text()
new_tokenh = win32security.DuplicateTokenEx(
th, 3, win32con.MAXIMUM_ALLOWED, win32security.TokenPrimary,
win32security.SECURITY_ATTRIBUTES())
print "new_tokenh: %s" % new_tokenh
print "Impersonating..."
if enable_privs:
get_all_privs(new_tokenh)
commandLine = "cmd"
si = win32process.STARTUPINFO()
print "pysecdump: Starting shell with required privileges..."
(hProcess, hThread, dwProcessId,
dwThreadId) = win32process.CreateProcessAsUser(
new_tokenh,
None, # AppName
commandLine, # Command line
None, # Process Security
None, # ThreadSecurity
1, # Inherit Handles?
win32process.NORMAL_PRIORITY_CLASS,
None, # New environment
None, # Current directory
si) # startup info.
win32event.WaitForSingleObject(hProcess, win32event.INFINITE)
print "pysecdump: Quitting"
def LockWorkStation(self):
try:
logging.debug("LockWorkStation was called.")
sessionId = GetActiveSessionId()
if sessionId != 0xffffffff:
logging.debug("Locking workstation (session %d)", sessionId)
dupToken = None
userToken = win32ts.WTSQueryUserToken(sessionId)
if userToken is not None:
logging.debug("Got the active user token.")
# The following access rights are required for
# CreateProcessAsUser.
access = win32security.TOKEN_QUERY
access |= win32security.TOKEN_DUPLICATE
access |= win32security.TOKEN_ASSIGN_PRIMARY
dupToken = win32security.DuplicateTokenEx(
userToken, win32security.SecurityImpersonation, access,
win32security.TokenPrimary, None)
userToken.Close()
if dupToken is not None:
logging.debug("Duplicated the active user token.")
lockCmd = os.path.join(os.environ['WINDIR'],
"system32\\rundll32.exe")
lockCmd += " user32.dll,LockWorkStation"
logging.debug("Executing \"%s\".", lockCmd)
win32process.CreateProcessAsUser(
dupToken, None, lockCmd, None, None, 0, 0, None, None,
win32process.STARTUPINFO())
dupToken.Close()
else:
logging.debug("No active session. Ignoring lock workstation "
"command.")
except:
logging.exception("LockWorkStation exception")
def impersonate_system():
with enable_privileges(win32security.SE_DEBUG_NAME):
pid_csr = ntdll.CsrGetProcessId()
hprocess_csr = win32api.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION,
False, pid_csr)
htoken_csr = win32security.OpenProcessToken(hprocess_csr,
win32con.TOKEN_DUPLICATE)
htoken = win32security.DuplicateTokenEx(
htoken_csr, win32security.SecurityImpersonation, win32con.TOKEN_QUERY
| win32con.TOKEN_IMPERSONATE | win32con.TOKEN_ADJUST_PRIVILEGES,
win32security.TokenImpersonation)
enable_token_privileges(htoken, win32security.SE_TCB_NAME,
win32security.SE_INCREASE_QUOTA_NAME,
win32security.SE_ASSIGNPRIMARYTOKEN_NAME)
try:
htoken_prev = win32security.OpenThreadToken(
win32api.GetCurrentThread(), win32con.TOKEN_IMPERSONATE, True)
except pywintypes.error as e:
if e.winerror != winerror.ERROR_NO_TOKEN:
raise
htoken_prev = None
win32security.SetThreadToken(None, htoken)
try:
yield
finally:
win32security.SetThreadToken(None, htoken_prev)
def run(args, cwd=None, as_admin=False, cmd_window=False):
""" Run an arbitrary command. """
if isinstance(args, str):
args = [args]
args = list(args)
if cwd is None:
cwd = os.getenv("USERPROFILE")
if as_admin:
subprocess.call(args, shell=True, cwd=cwd)
else:
# We have to do all this nonsense to spawn the process
# as the logged in user, rather than as the administrator
# that PyleWM is running as
startup_info = STARTUPINFO()
process_information = PROCESS_INFORMATION()
shell_window = ctypes.windll.user32.GetShellWindow()
thread_id, process_id = win32process.GetWindowThreadProcessId(
shell_window)
shell_handle = win32api.OpenProcess(win32con.PROCESS_QUERY_INFORMATION,
False, process_id)
shell_token = win32security.OpenProcessToken(shell_handle,
win32con.TOKEN_DUPLICATE)
spawn_token = win32security.DuplicateTokenEx(
shell_token, win32security.SecurityImpersonation,
win32con.TOKEN_QUERY | win32con.TOKEN_ASSIGN_PRIMARY
| win32con.TOKEN_DUPLICATE
| win32con.TOKEN_ADJUST_DEFAULT | 0x0100,
win32security.TokenPrimary, None)
escaped_commandline = ""
for arg in args:
escaped_commandline += '"'
escaped_commandline += arg
escaped_commandline += '" '
# Try to lookup where the exe is from PATH
executable = args[0]
if not os.path.isfile(executable):
executable = shutil.which(executable)
success = ctypes.windll.advapi32.CreateProcessWithTokenW(
int(spawn_token), 0, executable, escaped_commandline,
win32con.CREATE_NO_WINDOW
if not cmd_window else win32con.CREATE_NEW_CONSOLE, None,
os.getcwd(), ctypes.pointer(startup_info),
ctypes.pointer(process_information))
if not success:
error = ctypes.get_last_error()
raise pywintypes.error(error, 'CreateProcessWithTokenW',
win32api.FormatMessageW(error))
def getusertoken():
print("Getting winlogon pid...")
winlogon_pid = get_pid('winlogon.exe')
print("PID:" + str(winlogon_pid))
p = win32api.OpenProcess(1024, 0, get_pid('winlogon.exe'))
t = win32security.OpenProcessToken(p, win32security.TOKEN_DUPLICATE)
primaryToken = win32security.DuplicateTokenEx(
t, win32security.SecurityImpersonation, win32security.TOKEN_ALL_ACCESS,
win32security.TokenPrimary)
return primaryToken
def dup_token(th):
'''
duplicate the access token
'''
# TODO: is `duplicate_token` the same?
sec_attr = win32security.SECURITY_ATTRIBUTES()
sec_attr.bInheritHandle = True
return win32security.DuplicateTokenEx(
th,
win32security.SecurityImpersonation,
win32con.MAXIMUM_ALLOWED,
win32security.TokenPrimary,
sec_attr,
)
def duplicate_shell_token():
hWndShell = user32.GetShellWindow()
if not hWndShell:
raise pywintypes.error(winerror.ERROR_FILE_NOT_FOUND, 'GetShellWindow',
'no shell window')
tid, pid = win32process.GetWindowThreadProcessId(hWndShell)
hProcShell = win32api.OpenProcess(win32con.PROCESS_QUERY_INFORMATION,
False, pid)
hTokenShell = win32security.OpenProcessToken(hProcShell,
win32con.TOKEN_DUPLICATE)
return win32security.DuplicateTokenEx(
hTokenShell, win32security.SecurityImpersonation,
win32con.TOKEN_ASSIGN_PRIMARY | win32con.TOKEN_DUPLICATE
| win32con.TOKEN_QUERY | win32con.TOKEN_ADJUST_DEFAULT
| TOKEN_ADJUST_SESSIONID, win32security.TokenPrimary, None)
def runProcessInteractWithUser(self):
hToken = win32security.OpenProcessToken(
win32api.GetCurrentProcess(),
win32con.TOKEN_DUPLICATE | win32con.TOKEN_ADJUST_DEFAULT
| win32con.TOKEN_QUERY | win32con.TOKEN_ASSIGN_PRIMARY)
hNewToken = win32security.DuplicateTokenEx(
hToken, win32security.SecurityImpersonation,
win32security.TOKEN_ALL_ACCESS, win32security.TokenPrimary)
# Create sid level
sessionId = win32ts.WTSGetActiveConsoleSessionId()
win32security.SetTokenInformation(hNewToken,
win32security.TokenSessionId,
sessionId)
priority = win32con.NORMAL_PRIORITY_CLASS | win32con.CREATE_NEW_CONSOLE
startup = win32process.STARTUPINFO()
handle, thread_id, pid, tid = win32process.CreateProcessAsUser(
hNewToken, self.filePath, None, None, None, False, priority, None,
None, startup)
def runScreenShotApp3_old(self):
# Get the current security token
token = win32security.OpenProcessToken(
win32process.GetCurrentProcess(), win32security.TOKEN_ALL_ACCESS)
# Make a copy
#token2 = win32security.DuplicateToken(token)
token2 = win32security.DuplicateTokenEx(
token, win32security.SecurityImpersonation,
win32security.TOKEN_ALL_ACCESS, win32security.TokenPrimary)
# Find the session id - we will grab the console/keyboard
#proc_id = win32process.GetCurrentProcessId()
#session_id = win32ts.ProcessIdToSessionId(proc_id)
session_id = win32ts.WTSGetActiveConsoleSessionId()
# Make this token target our session
win32security.SetTokenInformation(token2, win32security.TokenSessionId,
session_id)
def run_os_command_impersonated(cmd, user, password, domain='.'):
si = win32process.STARTUPINFO()
out_handle, err_handle, out_file, err_file = _create_tmp_files()
ok, si.hStdInput = _safe_duplicate_handle(
win32api.GetStdHandle(win32api.STD_INPUT_HANDLE))
if not ok:
raise Exception("Unable to create StdInput for child process")
ok, si.hStdOutput = _safe_duplicate_handle(out_handle)
if not ok:
raise Exception("Unable to create StdOut for child process")
ok, si.hStdError = _safe_duplicate_handle(err_handle)
if not ok:
raise Exception("Unable to create StdErr for child process")
si.dwFlags = win32process.STARTF_USESTDHANDLES
si.lpDesktop = ""
user_token = win32security.LogonUser(user, domain, password,
win32con.LOGON32_LOGON_SERVICE,
win32con.LOGON32_PROVIDER_DEFAULT)
primary_token = win32security.DuplicateTokenEx(
user_token, win32security.SecurityImpersonation, 0,
win32security.TokenPrimary)
info = win32process.CreateProcessAsUser(primary_token, None, cmd, None,
None, 1, 0, None, None, si)
hProcess, hThread, dwProcessId, dwThreadId = info
hThread.Close()
try:
win32event.WaitForSingleObject(hProcess, win32event.INFINITE)
except KeyboardInterrupt:
pass
out, err = _get_files_output(out_file, err_file)
exitcode = win32process.GetExitCodeProcess(hProcess)
return exitcode, out, err
def runScreenShotApp(self):
global DISABLE_SSHOT
if DISABLE_SSHOT is True:
return
# Get the session id for the console
session_id = win32ts.WTSGetActiveConsoleSessionId()
if session_id == 0xffffffff:
# User not logged in right now?
logging.info("No console user")
return None
# logging.info("Got Console: " + str(session_id))
# Login to the terminal service to get the user token for the console id
svr = win32ts.WTSOpenServer(".")
user_token = win32ts.WTSQueryUserToken(session_id)
# logging.info("User Token " + str(user_token))
# Copy the token
user_token_copy = win32security.DuplicateTokenEx(
user_token, win32security.SecurityImpersonation,
win32security.TOKEN_ALL_ACCESS, win32security.TokenPrimary)
# Put this token in the logged in session
win32security.SetTokenInformation(user_token_copy,
win32security.TokenSessionId,
session_id)
# Switch to the user
# win32security.ImpersonateLoggedOnUser(user_token)
# logging.info("Impersonating " + win32api.GetUserName())
# Run the screen shot app
# app_path = os.path.dirname(os.path.dirname(os.path.dirname(os.path.dirname(os.path.realpath(__file__)))))
# cmd = os.path.join(app_path, "sshot\\dist\\sshot.exe")
cmd = os.path.join(ROOT_FOLDER, "ope_laptop_binaries\\sshot\\sshot.exe"
) # "c:\\programdata\\ope\\bin\\sshot.exe"
# cmd = "cmd.exe"
logging.info("Running sshot app " + cmd)
# Use win create process function
si = win32process.STARTUPINFO()
si.dwFlags = win32process.STARTF_USESHOWWINDOW
si.wShowWindow = win32con.SW_NORMAL
# si.lpDesktop = "WinSta0\Default"
si.lpDesktop = ""
# Setup envinroment for the user
environment = win32profile.CreateEnvironmentBlock(user_token, False)
try:
(
hProcess, hThread, dwProcessId, dwThreadId
) = win32process.CreateProcessAsUser(
user_token_copy,
None, # AppName (really command line, blank if cmd line supplied)
"\"" + cmd + "\"", # Command Line (blank if app supplied)
None, # Process Attributes
None, # Thread Attributes
0, # Inherits Handles
win32con.
NORMAL_PRIORITY_CLASS, # or win32con.CREATE_NEW_CONSOLE,
environment, # Environment
os.path.dirname(cmd), # Curr directory
si) # Startup info
# logging.info("Process Started: " + str(dwProcessId))
# logging.info(hProcess)
except Exception as e:
logging.info("Error launching process: " + str(e))
# logging.info(os.system(cmd))
# Return us to normal security
# win32security.RevertToSelf()
# Cleanup
win32ts.WTSCloseServer(svr)
user_token.close()
user_token_copy.close()
return
def remote_authorize(self, data):
err, sec_buffer = self.mServer.authorize(data)
if err == 0:
# Get the handle for the authenticated user such that we can pass it
# to win32security.DuplicateTokenEx() and get back a handle that
# allows us to spawn interactive processes as the authenticated user.
self.mServer.ctxt.ImpersonateSecurityContext()
flags = win32security.TOKEN_DUPLICATE | win32security.TOKEN_QUERY
handle = win32security.OpenThreadToken(win32api.GetCurrentThread(),
flags, False)
self.mServer.ctxt.RevertSecurityContext()
# Using handle, reate a primary handle suitable for passing to
# CreateProcessAsUser().
sec_attr = None
# sec_attr = pywintypes.SECURITY_ATTRIBUTES()
# sec_attr.Initialize()
# sec_attr.bInheritHandle = True
# Try different impersonation levels for DuplicateTokenEx(). These
# should be in order of decreasing utility (most useful to least).
# See the SECURITY_IMPERSONATION_LEVEL documentation for more
# details.
levels = [
win32security.SecurityDelegation,
win32security.SecurityImpersonation
]
primary_handle = None
#access = win32security.TOKEN_ALL_ACCESS
#access = win32con.MAXIMUM_ALLOWED
access = win32security.TOKEN_IMPERSONATE | \
win32security.TOKEN_QUERY | \
win32security.TOKEN_ASSIGN_PRIMARY | \
win32security.TOKEN_DUPLICATE
for l in levels:
try:
primary_handle = \
win32security.DuplicateTokenEx(
ExistingToken = handle,
DesiredAccess = access,
ImpersonationLevel = l,
TokenType = ntsecuritycon.TokenPrimary,
TokenAttributes = sec_attr
)
break
except Exception, ex:
self.mLogger.error(
"Failed to create primary token with impersonation level %s:"
% str(l))
self.mLogger.error(str(ex))
# If the above failed to create a primary token, then we throw an
# exception. It is important that we do not return None from this
# method.
if primary_handle is None:
msg = 'Failed to create primary token for user!'
self.mLogger.error(msg)
raise failure.Failure(error.UnauthorizedLogin(msg))
# acct_info[0] has the SID for the user.
acct_info = win32security.GetTokenInformation(
primary_handle, win32security.TokenUser)
user_sid = acct_info[0]
# This returns a tuple containing the user name, the domain (if
# applicable), and the accouunt type.
# NOTE: The returned strings may be Unicode strings.
user_info = win32security.LookupAccountSid(None, user_sid)
# Close the handle returned by win32security.OpenThreadToken() since
# it is a duplicate.
handle.Close()
# NOTE: We are forcing the addition of user_sid to the window station
# and desktop ACLs. This seems to be the only way for the user
# authenticated through SSPI to be able to open interactive windows.
return self.prepareAvatar(
avatar.WindowsAvatar(primary_handle,
user_sid, str(user_info[0]),
str(user_info[1]), True))
def CreateProc(appname, cmdline=None):
global cfg
#找到winlogon.exe的进程信息,然后复制它的token,再赋权新的token,用新token创建的新进程,就有前台交互权限了
p = getProcess(caption='winlogon.exe')[0]
pid = p['pid']
if cfg['debug']:
mylog("pid=%d,type=%s" % (pid, type(pid)))
#通过winlogon.exe的pid打开进程,获得它的句柄
handle = win32api.OpenProcess(win32con.PROCESS_ALL_ACCESS, True, pid)
#通过winlogon.exe的句柄,获得它的令牌(经测试,admin权限运行的程序,只能用TOKEN_QUERY方式打开,service方式运行的程序,有全部权限)
token_handle = win32security.OpenProcessToken(
handle, win32con.TOKEN_ADJUST_PRIVILEGES | win32con.TOKEN_QUERY
| win32con.TOKEN_DUPLICATE)
if cfg['debug']:
print("winlogon.exe's handle=%s,token=%s" % (handle, token_handle))
res = None
#通过winlogon.exe的令牌,复制一个新令牌(经测试,admin权限运行的程序,权限不足,service方式运行的程序,有全部权限)
dup_th = win32security.DuplicateTokenEx(
token_handle,
win32security.SecurityImpersonation,
win32security.TOKEN_ALL_ACCESS,
win32security.TokenPrimary,
)
#通过winlogon.exe的pid,获得它的session id(经测试,admin权限运行的程序,没TCB权限,需要service方式运行的程序,有全部权限)
curr_session_id = win32ts.ProcessIdToSessionId(pid)
if cfg['debug']:
print("dup_th=%s" % dup_th)
#获得系统默认的程序启动信息(初始化程序所需的,标准输出、桌面选择等信息)
startup = win32process.STARTUPINFO()
if cfg['debug']:
print(startup)
#下面的这个win32con.CREATE_NEW_CONSOLE权限必须给,要不后面CreateProcessAsUser时看到执行了,然后程序就没了
priority = win32con.NORMAL_PRIORITY_CLASS | win32con.CREATE_NEW_CONSOLE
if cfg['debug']:
mylog("in CreateProc(),appname=%s,cmdline=%s" % (appname, cmdline))
(hProcess, hThread, dwProcessId, dwThreadId) = (None, None, None, None)
#通过winlogon.exe的session id获得它的console令牌
console_user_token = win32ts.WTSQueryUserToken(curr_session_id)
#通过winlogon.exe的console令牌,获得它的环境profile设置信息
environment = win32profile.CreateEnvironmentBlock(console_user_token,
False)
#给复制出来的token,绑定对应的session id,使之基于和winlogon.exe一样的会话
win32security.SetTokenInformation(dup_th, win32security.TokenSessionId,
curr_session_id)
#设置调整权限的flag权限
flags = win32con.TOKEN_ADJUST_PRIVILEGES | win32con.TOKEN_QUERY
#设置权限1:找到SE_DEBUG_NAME的权限的id,给p1
p1 = win32security.LookupPrivilegeValue(None, win32con.SE_DEBUG_NAME)
newPrivileges = [(p1, win32con.SE_PRIVILEGE_ENABLED)]
#把复制出来的winlogon.exe的token,增加新权限(也即是SE_DEBUG_NAME权限)
win32security.AdjustTokenPrivileges(dup_th, False, newPrivileges)
if cfg['debug']:
privs = getPrivs(dup_th)
mylog("privs=%s" % "\n".join(privs))
#下面准备启动程序需要的重定向的标准输出和标准错误输出的文件句柄,但目前似乎没有重定向成功:(
fh_stdout = win32file.CreateFile(
os.path.join(app_path, "watchdog.stdout"), win32file.GENERIC_WRITE,
win32file.FILE_SHARE_READ | win32file.FILE_SHARE_WRITE, None,
win32file.OPEN_ALWAYS, win32file.FILE_FLAG_SEQUENTIAL_SCAN, 0)
fh_stderr = win32file.CreateFile(
os.path.join(app_path, "watchdog.stderr"), win32file.GENERIC_WRITE,
win32file.FILE_SHARE_READ | win32file.FILE_SHARE_WRITE, None,
win32file.OPEN_ALWAYS, win32file.FILE_FLAG_SEQUENTIAL_SCAN, 0)
startup.hStdOutput = fh_stdout
startup.hStdError = fh_stderr
#下面开始尝试用复制好的token:dup_th,并也给了足够的权限的token,然后来启动指定程序
try:
(hProcess, hThread, dwProcessId,
dwThreadId) = win32process.CreateProcessAsUser(
dup_th, appname, cmdline, None, None, True, priority, None, None,
startup)
except Exception as e:
mylog("in CreateProc(),return False,ERROR:%s" % str(e))
return False
mylog("%s,%s,%s,%s" % (hProcess, hThread, dwProcessId, dwThreadId))
if dwProcessId == None:
#创建进程失败
mylog(
"Can not get dwProcessId from win32process.CreateProcessAsUser()")
return False
try:
time.sleep(2)
mylog("dwProcessId=%s" % dwProcessId)
process = psutil.Process(dwProcessId)
except Exception as e:
mylog("CreateProc(),try to psutil.Process(),ERROR:%s" % str(e))
mylog("process:%s" % process)
return_code = None
try:
return_code = process.wait(10)
except Exception as e:
mylog("CreateProc(),try to process.wait(),ERROR:%s" % str(e))
mylog("Maybe Child process Running already , but not quit")
mylog("CreateProc return code=%s" % str(return_code))
def get_active_user_token():
# Figure out the active user token we need to use to run the app as
ret = None
# Get the current user name
user_name = win32api.GetUserName()
if user_name != "SYSTEM":
# Running as a logged in user, get the current users token
current_process = win32process.GetCurrentProcess()
token = win32security.OpenProcessToken(current_process,
win32con.MAXIMUM_ALLOWED)
# win32con.TOKEN_ADJUST_PRIVILEGES | win32con.TOKEN_QUERY) #
ret = token
return ret
#if user_name == "SYSTEM":
# p("}}gnStarted by SYSTEM user (OPEService) - trying to switch user identity}}xx")
# Get a list of Terminal Service sessions and see which one is active
active_session = UserAccounts.WTS_INVALID_SESSION_ID
station_name = ""
sessions = win32ts.WTSEnumerateSessions(None, 1, 0)
for session in sessions:
if session['State'] == UserAccounts.WTSActive:
# Found the active session
active_session = session['SessionId']
station_name = session["WinStationName"]
# If we didn't find one, try this way
if active_session == UserAccounts.WTS_INVALID_SESSION_ID:
active_session = win32ts.WTSGetActiveConsoleSessionId()
if active_session == UserAccounts.WTS_INVALID_SESSION_ID:
# User not logged in right now? or lock screen up?
p("}}gnNo console user or desktop locked}}xx", log_level=1)
return ret
# Get the current console session
#p("Got Console: " + str(active_session), debug_level=5)
# Login to the terminal service to get the user token for the console id so we can impersonate it
try:
#svr = win32ts.WTSOpenServer(".")
#win32ts.WTSCloseServer(svr)
user_token = win32ts.WTSQueryUserToken(active_session)
# Copy the token so we can modify it
user_token_copy = win32security.DuplicateTokenEx(
user_token, win32security.SecurityImpersonation,
win32security.TOKEN_ALL_ACCESS, win32security.TokenPrimary)
ret = user_token_copy
user_token.close()
except Exception as ex:
p("}}rnUnknown Error - trying to get WTS UserToken\n" + str(ex) +
"}}xx",
debug_level=1)
return ret
#p("User Token Found " + str(user_token_copy), debug_level=5)
return ret
def run_as_system(command): # pylint: disable=too-many-locals
currentProcess = win32api.OpenProcess(win32con.MAXIMUM_ALLOWED, False, os.getpid())
currentProcessToken = win32security.OpenProcessToken(currentProcess, win32con.MAXIMUM_ALLOWED)
duplicatedCurrentProcessToken = win32security.DuplicateTokenEx(
ExistingToken=currentProcessToken,
DesiredAccess=win32con.MAXIMUM_ALLOWED,
ImpersonationLevel=win32security.SecurityImpersonation,
TokenType=ntsecuritycon.TokenImpersonation,
TokenAttributes=None
)
_id = win32security.LookupPrivilegeValue(None, win32security.SE_DEBUG_NAME)
newprivs = [(_id, win32security.SE_PRIVILEGE_ENABLED)]
win32security.AdjustTokenPrivileges(duplicatedCurrentProcessToken, False, newprivs)
win32security.SetThreadToken(win32api.GetCurrentThread(), duplicatedCurrentProcessToken)
currentProcessToken = win32security.OpenThreadToken(win32api.GetCurrentThread(), win32con.MAXIMUM_ALLOWED, False)
sessionId = win32security.GetTokenInformation(currentProcessToken, ntsecuritycon.TokenSessionId)
pid = None
for proc in psutil.process_iter():
try:
if proc.name() == "lsass.exe":
pid = proc.pid
break
except psutil.AccessDenied:
pass
if not pid:
raise RuntimeError("Failed to get pid of lsass.exe")
lsassProcess = win32api.OpenProcess(win32con.MAXIMUM_ALLOWED, False, pid)
lsassProcessToken = win32security.OpenProcessToken(
lsassProcess,
win32con.MAXIMUM_ALLOWED
)
systemToken = win32security.DuplicateTokenEx(
ExistingToken=lsassProcessToken,
DesiredAccess=win32con.MAXIMUM_ALLOWED,
ImpersonationLevel=win32security.SecurityImpersonation,
TokenType=ntsecuritycon.TokenImpersonation,
TokenAttributes=None
)
privs = win32security.GetTokenInformation(systemToken, ntsecuritycon.TokenPrivileges)
newprivs = []
# enable all privileges
for privtuple in privs:
newprivs.append((privtuple[0], win32security.SE_PRIVILEGE_ENABLED))
privs = tuple(newprivs)
win32security.AdjustTokenPrivileges(systemToken, False, newprivs)
win32security.SetThreadToken(win32api.GetCurrentThread(), systemToken)
hToken = win32security.DuplicateTokenEx(
ExistingToken=lsassProcessToken,
DesiredAccess=win32con.MAXIMUM_ALLOWED,
ImpersonationLevel=win32security.SecurityImpersonation,
TokenType=ntsecuritycon.TokenPrimary,
TokenAttributes=None
)
win32security.SetTokenInformation(hToken, ntsecuritycon.TokenSessionId, sessionId)
privs = win32security.GetTokenInformation(hToken, ntsecuritycon.TokenPrivileges)
newprivs = []
# enable all privileges
for privtuple in privs:
newprivs.append((privtuple[0], win32security.SE_PRIVILEGE_ENABLED))
privs = tuple(newprivs)
win32security.AdjustTokenPrivileges(hToken, False, newprivs)
si = win32process.STARTUPINFO()
dwCreationFlags = win32con.CREATE_NEW_CONSOLE
win32process.CreateProcessAsUser(hToken, None, command, None, None, 1, dwCreationFlags, None, None, si)
