getsystem
small utility for impersonating a user in the current thread or starting a new process with a duplicated token.
must already be in a high integrity context.
Example demo in /cmd/main.go
folder
Available functions
// replace the current threads effective token
func OnThread(pid int) error
// start a new process from a duplicated token
func InNewProcess(pid int, cmd string, hidden bool) error
// Enable debug privilege
func DebugPriv() error
// Enable a specific privilege
func SePrivEnable(privString string) (err error)
// Return the owner of a given token
func TokenOwner(hToken windows.Token) (string, error)
Output
PS getsystem> go run .\cmd\ 1804
2021/08/21 11:06:04 Enabling seDebug...
2021/08/21 11:06:04 OK
2021/08/21 11:06:04 Current effective thread owner: DEMOPC\adm-user
2021/08/21 11:06:04 Beginning Token impersonation in current thread
2021/08/21 11:06:04 Current effective thread owner: NT AUTHORITY\SYSTEM
2021/08/21 11:06:04 Reverting to previous user
2021/08/21 11:06:04 Current effective thread owner: DEMOPC\adm-user
2021/08/21 11:06:04 Starting new process with duplicated token
greetz
@slyd0g for this article which was a huge help in understanding the inconsistencies I was seeing when testing this on different SYSTEM processes.