Execute commands in the Local System context.
This code is for learning and exchange only and may not be used to create malware.
Warning: use this program with caution, especially when calling the PrivilegeHelps library.
Usage: sudo.exe program args...
- The current console window cannot be inherited under Windows 7
- The process needs to be elevated
- All privileges that can be enabled are enabled by default
- Access tokens can be created the same way as through the Win32 API, containing any privileges and any user groups with any attributes
- User names and group names are passed as LPCSTR, which makes the calls convenient
- Strict parameter checking, to avoid memory violations as far as possible
- PrivilegeHelps: provides APIs such as creating access tokens.
- sudo: creates a process with Local System permissions using the PrivilegeHelps library.
- cmder: a process created by the CreateProcessWithTokenW function is assigned a new console by default; cmder reattaches the original console to achieve in-place elevation. However, under Windows 7 the standard output handle cannot be duplicated, so attaching to the source console cannot be implemented there.
- SeCreateUserTokenExA: creates a user access token from user-supplied information.
- SeCreateUserTokenA: a simplified version of SeCreateUserTokenExA, which it calls internally.
- SeEnablePrivilegesToken: creates a new token with the specified privileges; all other information is the same as in the source token.
- RtlTokenPrivilegesToPrivilegeValue: converts a TOKEN_PRIVILEGES structure into a 64-bit PRIVILEGE_VALUE.
- RtlGroupsToTokenGroupsA: converts a GROUPS structure into a TOKEN_GROUPS structure.
- SeReferenceEscalationToken: returns a copy of the elevated token; when finished with it, close it with SeDereferenceEscalationToken, NtClose or CloseHandle.
- SeDereferenceEscalationToken: closes a handle, like the Win32 CloseHandle and NT NtClose functions.
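The following is an added example, not code from the sudo or PrivilegeHelps project, showing the kind of conversion the RtlTokenPrivilegesToPrivilegeValue entry describes: packing a TOKEN_PRIVILEGES structure into 64-bit "present" and "enabled" masks, with bit n standing for the privilege whose LUID LowPart is n (the SE_*_PRIVILEGE constants in winnt.h). That the project's PRIVILEGE_VALUE uses exactly this layout is an assumption; it is the layout the Windows kernel itself uses internally for token privileges. The sample privilege set, the helper names (token_privileges_to_value, privilege_is_enabled, build_sample, sample_value) and the TOKEN_PRIVILEGES_8 buffer type are constructed for this example. The struct mirrors let it build on a non-Windows compiler too.

```c
/* Added example, not code from the sudo/PrivilegeHelps project: converts a
 * TOKEN_PRIVILEGES structure into 64-bit present/enabled masks. Bit n is the
 * privilege whose LUID LowPart is n (e.g. 7 = SeTcbPrivilege,
 * 20 = SeDebugPrivilege). Matching the project's PRIVILEGE_VALUE layout is an
 * assumption. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Mirrors of the winnt.h types and constants so the example builds off Windows. */
typedef uint32_t DWORD;
typedef int32_t  LONG;
typedef struct _LUID { DWORD LowPart; LONG HighPart; } LUID;
typedef struct _LUID_AND_ATTRIBUTES { LUID Luid; DWORD Attributes; } LUID_AND_ATTRIBUTES;
typedef struct _TOKEN_PRIVILEGES { DWORD PrivilegeCount; LUID_AND_ATTRIBUTES Privileges[1]; } TOKEN_PRIVILEGES;
#define SE_PRIVILEGE_ENABLED_BY_DEFAULT 0x00000001u
#define SE_PRIVILEGE_ENABLED            0x00000002u
#define SE_PRIVILEGE_REMOVED            0x00000004u
#define SE_TCB_PRIVILEGE                7
#define SE_DEBUG_PRIVILEGE              20
#define SE_CHANGE_NOTIFY_PRIVILEGE      23
#endif

/* Fixed-size buffer that is layout-compatible with TOKEN_PRIVILEGES, which
 * winnt.h declares with a one-element Privileges array. */
typedef struct {
    DWORD PrivilegeCount;
    LUID_AND_ATTRIBUTES Privileges[8];
} TOKEN_PRIVILEGES_8;

typedef struct {
    uint64_t present;   /* privileges held by the token (bit = LUID LowPart) */
    uint64_t enabled;   /* subset of present that currently has SE_PRIVILEGE_ENABLED */
} privilege_value_t;

/* Converts tp into out. Returns 0 on success and -1 when a LUID cannot be
 * represented as one bit of a 64-bit value (HighPart != 0 or LowPart > 63),
 * rather than shifting out of range; this is the strict parameter checking
 * the README asks for. Entries flagged SE_PRIVILEGE_REMOVED are skipped. */
int token_privileges_to_value(const TOKEN_PRIVILEGES *tp, privilege_value_t *out)
{
    if (tp == NULL || out == NULL) return -1;
    out->present = 0;
    out->enabled = 0;
    for (DWORD i = 0; i < tp->PrivilegeCount; i++) {
        const LUID_AND_ATTRIBUTES *p = &tp->Privileges[i];
        if (p->Luid.HighPart != 0 || p->Luid.LowPart > 63) return -1;
        if (p->Attributes & SE_PRIVILEGE_REMOVED) continue;
        uint64_t bit = (uint64_t)1 << p->Luid.LowPart;
        out->present |= bit;
        if (p->Attributes & SE_PRIVILEGE_ENABLED) out->enabled |= bit;
    }
    return 0;
}

/* Tests one bit of a converted value; luid_low is an SE_*_PRIVILEGE number. */
int privilege_is_enabled(const privilege_value_t *v, DWORD luid_low)
{
    if (v == NULL || luid_low > 63) return 0;
    return (int)((v->enabled >> luid_low) & 1);
}

/* Constructed sample privilege set: SeChangeNotify enabled (and enabled by
 * default), SeDebug present but disabled, SeTcb enabled. */
void build_sample(TOKEN_PRIVILEGES_8 *buf)
{
    buf->PrivilegeCount = 3;
    buf->Privileges[0].Luid.LowPart = SE_CHANGE_NOTIFY_PRIVILEGE;
    buf->Privileges[0].Luid.HighPart = 0;
    buf->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;
    buf->Privileges[1].Luid.LowPart = SE_DEBUG_PRIVILEGE;
    buf->Privileges[1].Luid.HighPart = 0;
    buf->Privileges[1].Attributes = 0;
    buf->Privileges[2].Luid.LowPart = SE_TCB_PRIVILEGE;
    buf->Privileges[2].Luid.HighPart = 0;
    buf->Privileges[2].Attributes = SE_PRIVILEGE_ENABLED;
}

/* Converts the sample set; returns 0 on success so callers can read both masks. */
int sample_value(privilege_value_t *out)
{
    TOKEN_PRIVILEGES_8 buf;
    build_sample(&buf);
    return token_privileges_to_value((const TOKEN_PRIVILEGES *)&buf, out);
}

int main(void)
{
    privilege_value_t v;
    if (sample_value(&v) != 0) return 1;
    printf("present=0x%llx enabled=0x%llx SeDebug enabled: %d\n",
           (unsigned long long)v.present, (unsigned long long)v.enabled,
           privilege_is_enabled(&v, SE_DEBUG_PRIVILEGE));
    return 0;
}
```

Keeping "present" and "enabled" as separate masks mirrors the distinction TOKEN_PRIVILEGES makes through the Attributes field: a privilege can be held by a token without being usable until it is enabled, and a consumer of the packed value usually needs to know both. Rejecting LUIDs outside the 0..63 range, instead of letting the shift overflow, is what the README's "strict parameter checking" point amounts to for this conversion.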