-
Aug 8th, 2010, 11:44 PM
#41
Member
Re: [RESOLVED] VB.Net CreateProcessAsUser API
Is this code posted anywhere yet? Would really love to give it a whirl
Thanks
-
Aug 9th, 2010, 09:21 AM
#42
Thread Starter
Addicted Member
Re: [RESOLVED] VB.Net CreateProcessAsUser API
unfortunately due to copywrite issues, I can't provide my code but I have already outlined the way you should start attempting to run a remote process in my last post.
-
Apr 4th, 2011, 09:49 AM
#43
New Member
Re: [RESOLVED] VB.Net CreateProcessAsUser API
Hi all
Do anyone have a code-example for vb.net (VS2010)?
Thank you
luca
-
Apr 4th, 2011, 04:28 PM
#44
Thread Starter
Addicted Member
Re: [RESOLVED] VB.Net CreateProcessAsUser API
As mentioned in this thread, I can't provide the code due to legality issues but if you use the correct API's from Pinvoke and follow these steps, you will be able to do exactly what I have described.
Create a service on the remote machine with the local system account.
1) To create a process as the system account - Obtain the process token from the currently running process and use CreateProcessAsUser to launch the process.
2) To create a process as the currently logged in user - Obtain the process token from any process running as the currently logged in user. Usually "explorer" will work fine. Then use CreateProcessAsUser API once again.
3) To run a process as any other user - Create a separate executable with code to run CreateProcessWithLogonW and use named pipes to communicate the username/password/domain/process from the service process. Obtain the process token of the currently logged in user in the service process and use CreateProcessAsUser to launch the second executable using the SW_HIDE flag for the process. Now the new process launched will be that of the user specified and will be interactive with the currently logged in users desktop.
You will need to create a "SERVICE" application that runs on the remote machine and then another application that runs on the client system that installs and starts the process remotely. If you are looking to re-direct the standard input and output from the service running on the remote machine, I haven't gotten that far yet but at this point I can run any executable on any remote machine in my company either as the SYSTEM account, the currently logged in user, or any other user specified on any domain in the organization.
-
Apr 5th, 2011, 01:55 AM
#45
New Member
Re: [RESOLVED] VB.Net CreateProcessAsUser API
thank you taigon, i have readed your post from Jun 10th 2010.
i have a service running in system-account, but i'm not able to take the token from the explorer to create another process. Can you post only this part? an example to take the token from explorer and open a notepad-process?
thank you anyway
luca
-
Apr 5th, 2011, 02:49 AM
#46
Re: [RESOLVED] VB.Net CreateProcessAsUser API
Originally Posted by taigon
If you are looking to re-direct the standard input and output from the service running on the remote machine, I haven't gotten that far yet but at this point
Oh I thought you got that going - didn't I ever send you the code that I eventually got working for redirecting input and output for a process started with CreateProcessAsUser? I thought I would have as the only reason I started working on it was because of this thread...
But anyway here it is: http://cjwdev.wordpress.com/2010/06/...ut-and-output/
-
Apr 5th, 2011, 08:31 AM
#47
Thread Starter
Addicted Member
Re: [RESOLVED] VB.Net CreateProcessAsUser API
Hi Chris,
I hadn't gotten around to it yet because I've been working on an enormous project that I've almost completed. I'm leaving the re-direction code until last. LoL. Thanks for your assistance with it though because I am going to probably need your example to assist.
I will post the code to open the process token from explorer.exe but it is no longer in VB.Net as I've actually ported everything over to C# and that has now become my preferred language to code in. Later today I will post it for you.
-
Apr 5th, 2011, 12:10 PM
#48
Thread Starter
Addicted Member
Re: [RESOLVED] VB.Net CreateProcessAsUser API
Ok, here is the full code for the service running on the remote machine to obtain the process token from explorer.exe and create the process as the user.
vb Code:
Private Declare Function OpenProcessToken Lib "advapi32" (ByVal ProcessHandle As IntPtr, ByVal DesiredAccess As Integer, ByRef TokenHandle As IntPtr) As Boolean
Private Declare Auto Function DuplicateTokenEx Lib "advapi32" (ByVal ExistingTokenHandle As IntPtr, ByVal dwDesiredAccess As UInt32, ByRef lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal ImpersonationLevel As Integer, ByVal TokenType As Integer, ByRef DuplicateTokenHandle As System.IntPtr) As Boolean
Private Declare Function CreateEnvironmentBlock Lib "userenv" (ByRef lpEnvironment As IntPtr, ByVal hToken As IntPtr, ByVal bInherit As Boolean) As Boolean
Private Declare Auto Function CreateProcessAsUser Lib "advapi32" (ByVal hToken As IntPtr, ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByRef lpProcessAttributes As SECURITY_ATTRIBUTES, ByRef lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Integer, ByVal lpEnvironment As IntPtr, ByVal lpCurrentDirectory As String, ByRef lpStartupInfo As STARTUPINFO, ByRef lpProcessInformation As PROCESS_INFORMATION) As Boolean
Dim ps As Process() = Process.GetProcessesByName("explorer")
Dim p As Process = Process.GetProcessById(ps(0).Id)
If OpenProcessToken(p.Handle, TOKEN_DUPLICATE, p_processtoken) = False Then
Return ("PROCFAILED=OpenProcessToken Failed: " & Marshal.GetLastWin32Error.ToString)
End If
If DuplicateTokenEx(p_processtoken, Convert.ToUInt32(TOKEN_ASSIGN_PRIMARY Or TOKEN_DUPLICATE Or TOKEN_QUERY), sa, CType(SECURITY_IMPERSONATION_LEVEL.SecurityIdentification, Integer), CType(TOKEN_TYPE.TokenPrimary, Integer), DupedToken) = False Then
Return ("PROCFAILED=DuplicateTokenEx Failed: " & Marshal.GetLastWin32Error.ToString)
End If
If CreateEnvironmentBlock(p_env, DupedToken, True) = False Then
Return ("PROCFAILED=CreateEnvironmentBlock Failed: " & Marshal.GetLastWin32Error.ToString)
End If
Dim s_ProfilePath() As String = Environment.GetEnvironmentVariable("USERPROFILE").Split(CChar("\"))
Dim ProfilePath As String = ""
Dim Path As New ManagementPath("root\cimv2")
Dim Scope As New ManagementScope(Path)
Dim objectQuery As New ObjectQuery("select * from Win32_Process")
Dim searcher As New ManagementObjectSearcher(CType(Scope, ManagementScope), objectQuery)
Dim Owner(1) As String
For Each os As ManagementObject In searcher.Get()
Try
os.InvokeMethod("GetOwner", CType(Owner, Object()))
If os("Caption").ToString = "explorer.exe" Then
Exit For
End If
Catch ex As Exception
MsgBox(ex.Message)
End Try
Next os
ProfilePath &= s_ProfilePath(0) & "\" & s_ProfilePath(1) & "\" & Owner(0)
Environment.SetEnvironmentVariable("USERPROFILE", ProfilePath)
If CreateProcessAsUser(DupedToken, exe, Arg, saProcess, saThread, True, Nothing, Nothing, Nothing, si, pi) = False Then
If CreateProcessAsUser(DupedToken, Nothing, Executable, saProcess, saThread, True, Nothing, Nothing, Nothing, si, pi) = False Then
Return ("PROCFAILED=CreateProcessAsUser Failed: " & Marshal.GetLastWin32Error.ToString)
End If
End If
-
Apr 7th, 2011, 01:50 AM
#49
New Member
Re: [RESOLVED] VB.Net CreateProcessAsUser API
Hi taigon
First of all: thank you for the code!
But probably i'm a "cretin"! ;o)
I'm not able to use your code. How can i call this function? Do i have to insert it into the code at the beginning of this thread?
-
Apr 7th, 2011, 02:43 AM
#50
Re: [RESOLVED] VB.Net CreateProcessAsUser API
Originally Posted by lucorse
Hi taigon
First of all: thank you for the code!
But probably i'm a "cretin"! ;o)
I'm not able to use your code. How can i call this function? Do i have to insert it into the code at the beginning of this thread?
I don't mean to sound rude but if you don't even know how to call a function then I don't think you should be attempting something like this...
-
Apr 7th, 2011, 06:59 AM
#51
New Member
Re: [RESOLVED] VB.Net CreateProcessAsUser API
may be chris128, but i call a lot of functions and therefor i will try to call also this one.
could you tell me the way?
for example:
i will start a process (in this case "notepad") as the same user who has running the explorer.exe. How do i create it?
-
Apr 13th, 2011, 03:18 AM
#52
New Member
Re: [RESOLVED] VB.Net CreateProcessAsUser API
Hi taigon
Thank you another time, i've cracked the nut! ;o)
It works very fine.
-
Apr 13th, 2011, 08:25 AM
#53
Thread Starter
Addicted Member
Re: [RESOLVED] VB.Net CreateProcessAsUser API
-
Jan 15th, 2014, 05:31 AM
#54
Lively Member
Re: [RESOLVED] VB.Net CreateProcessAsUser API
Originally Posted by taigon
Ok, here is the full code for the service running on the remote machine to obtain the process token from explorer.exe and create the process as the user.
vb Code:
Private Declare Function OpenProcessToken Lib "advapi32" (ByVal ProcessHandle As IntPtr, ByVal DesiredAccess As Integer, ByRef TokenHandle As IntPtr) As Boolean
Private Declare Auto Function DuplicateTokenEx Lib "advapi32" (ByVal ExistingTokenHandle As IntPtr, ByVal dwDesiredAccess As UInt32, ByRef lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal ImpersonationLevel As Integer, ByVal TokenType As Integer, ByRef DuplicateTokenHandle As System.IntPtr) As Boolean
Private Declare Function CreateEnvironmentBlock Lib "userenv" (ByRef lpEnvironment As IntPtr, ByVal hToken As IntPtr, ByVal bInherit As Boolean) As Boolean
Private Declare Auto Function CreateProcessAsUser Lib "advapi32" (ByVal hToken As IntPtr, ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByRef lpProcessAttributes As SECURITY_ATTRIBUTES, ByRef lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Integer, ByVal lpEnvironment As IntPtr, ByVal lpCurrentDirectory As String, ByRef lpStartupInfo As STARTUPINFO, ByRef lpProcessInformation As PROCESS_INFORMATION) As Boolean
Dim ps As Process() = Process.GetProcessesByName("explorer")
Dim p As Process = Process.GetProcessById(ps(0).Id)
If OpenProcessToken(p.Handle, TOKEN_DUPLICATE, p_processtoken) = False Then
Return ("PROCFAILED=OpenProcessToken Failed: " & Marshal.GetLastWin32Error.ToString)
End If
If DuplicateTokenEx(p_processtoken, Convert.ToUInt32(TOKEN_ASSIGN_PRIMARY Or TOKEN_DUPLICATE Or TOKEN_QUERY), sa, CType(SECURITY_IMPERSONATION_LEVEL.SecurityIdentification, Integer), CType(TOKEN_TYPE.TokenPrimary, Integer), DupedToken) = False Then
Return ("PROCFAILED=DuplicateTokenEx Failed: " & Marshal.GetLastWin32Error.ToString)
End If
If CreateEnvironmentBlock(p_env, DupedToken, True) = False Then
Return ("PROCFAILED=CreateEnvironmentBlock Failed: " & Marshal.GetLastWin32Error.ToString)
End If
Dim s_ProfilePath() As String = Environment.GetEnvironmentVariable("USERPROFILE").Split(CChar("\"))
Dim ProfilePath As String = ""
Dim Path As New ManagementPath("root\cimv2")
Dim Scope As New ManagementScope(Path)
Dim objectQuery As New ObjectQuery("select * from Win32_Process")
Dim searcher As New ManagementObjectSearcher(CType(Scope, ManagementScope), objectQuery)
Dim Owner(1) As String
For Each os As ManagementObject In searcher.Get()
Try
os.InvokeMethod("GetOwner", CType(Owner, Object()))
If os("Caption").ToString = "explorer.exe" Then
Exit For
End If
Catch ex As Exception
MsgBox(ex.Message)
End Try
Next os
ProfilePath &= s_ProfilePath(0) & "\" & s_ProfilePath(1) & "\" & Owner(0)
Environment.SetEnvironmentVariable("USERPROFILE", ProfilePath)
If CreateProcessAsUser(DupedToken, exe, Arg, saProcess, saThread, True, Nothing, Nothing, Nothing, si, pi) = False Then
If CreateProcessAsUser(DupedToken, Nothing, Executable, saProcess, saThread, True, Nothing, Nothing, Nothing, si, pi) = False Then
Return ("PROCFAILED=CreateProcessAsUser Failed: " & Marshal.GetLastWin32Error.ToString)
End If
End If
Thanks ! The above code is working but the process can be seen only in the taskmanager. UI is not showing.
Any solution for that?
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|