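// RPC server routine. Impersonates the calling client and starts notepad:
//   level == Medium  -> in the client's security context via CreateProcessAsUser (1)
//   otherwise        -> via plain CreateProcess (2)
// Failures are reported with printf + GetLastError(); nothing is returned.
extern "C" void TestCreateProcess(handle_t hBinding, int level)
{
    if (RpcImpersonateClient(hBinding) != 0)
    {
        printf("Error impersonating user\n");
        return;
    }

    STARTUPINFO startInfo = { 0 };
    PROCESS_INFORMATION procInfo = { 0 };
    startInfo.cb = sizeof(startInfo);
    // Mutable buffers: CreateProcess* may modify lpCommandLine in place and
    // STARTUPINFO::lpDesktop is a non-const LPTSTR.
    WCHAR cmdline[] = L"c:\\windows\\notepad.exe";
    TCHAR desktop[] = _T("winsta0\\default");

    if (level == Medium) // -- (1)
    {
        HANDLE hToken = nullptr;
        HANDLE hDuplicateToken = nullptr;
        LPVOID lpEnv = nullptr;

        // Open the impersonation token that RpcImpersonateClient put on this thread.
        if (!OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE | TOKEN_DUPLICATE | TOKEN_QUERY, true, &hToken))
        {
            printf("Error OpenThreadToken: 0x%x\n", (unsigned)GetLastError());
        }
        // CreateProcessAsUser needs a primary token, so convert the impersonation token.
        else if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, nullptr, SecurityImpersonation, TokenPrimary, &hDuplicateToken))
        {
            printf("Error duplicate token (0x%x)\n", (unsigned)GetLastError());
        }
        else
        {
            // Create interactive process on the client's behalf.
            startInfo.lpDesktop = desktop;
            if (!CreateEnvironmentBlock(&lpEnv, hDuplicateToken, false))
            {
                printf("Error create env block (0x%x)\n", (unsigned)GetLastError());
            }
            // The environment block from CreateEnvironmentBlock is Unicode, so it
            // must be passed together with CREATE_UNICODE_ENVIRONMENT.
            else if (!CreateProcessAsUser(hDuplicateToken, cmdline, cmdline, nullptr, nullptr, false,
                                          CREATE_UNICODE_ENVIRONMENT, lpEnv, nullptr, &startInfo, &procInfo))
            {
                printf("Error CreateProcessAsUser (0x%x)\n", (unsigned)GetLastError());
            }
            else
            {
                printf("[+] CreateProcessAsUser: %d\n", (int)procInfo.dwProcessId);
                // The server never uses the child's handles; close them so the
                // process/thread objects are not kept alive by this routine.
                CloseHandle(procInfo.hThread);
                CloseHandle(procInfo.hProcess);
            }
        }

        // Release everything acquired above, on every path (the token handles
        // used to leak when DuplicateTokenEx or a later step failed).
        if (lpEnv != nullptr)
        {
            DestroyEnvironmentBlock(lpEnv);
        }
        if (hDuplicateToken != nullptr)
        {
            CloseHandle(hDuplicateToken);
        }
        if (hToken != nullptr)
        {
            CloseHandle(hToken);
        }
    }
    else // -- (2)
    {
        // NOTE: CreateProcess does not consult the thread's impersonation token;
        // the child is created from the server process's primary token and so
        // runs with the server's privileges, not the RPC client's.
        if (CreateProcess(cmdline, cmdline, nullptr, nullptr, FALSE, 0, nullptr, nullptr, &startInfo, &procInfo))
        {
            printf("[+] CreateProcess: %d\n", (int)procInfo.dwProcessId);
            CloseHandle(procInfo.hThread);
            CloseHandle(procInfo.hProcess);
        }
        else
        {
            printf("Error creating process: 0x%x\n", (unsigned)GetLastError());
        }
    }

    // Undo RpcImpersonateClient before returning to the RPC runtime.
    RpcRevertToSelf();
}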