{"id":21736194,"url":"https://github.com/audibleblink/getsystem","last_synced_at":"2025-04-13T01:54:23.817Z","repository":{"id":44215993,"uuid":"398409776","full_name":"audibleblink/getsystem","owner":"audibleblink","description":"Small utility package for manipulating Windows process tokens","archived":false,"fork":false,"pushed_at":"2022-04-26T17:01:57.000Z","size":27,"stargazers_count":26,"open_issues_count":0,"forks_count":4,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-13T01:53:30.489Z","etag":null,"topics":["golang","pentesting","redteam","winapi"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"unlicense","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/audibleblink.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-08-20T22:02:29.000Z","updated_at":"2025-01-17T05:19:36.000Z","dependencies_parsed_at":"2022-08-26T20:20:26.147Z","dependency_job_id":null,"html_url":"https://github.com/audibleblink/getsystem","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/audibleblink%2Fgetsystem","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/audibleblink%2Fgetsystem/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/audibleblink%2Fgetsystem/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/audibleblink%2Fgetsystem/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/audibleblink","download_url":"https://codeload.github.com/audibleblink/getsystem/tar.gz/refs/heads/main"
,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248654052,"owners_count":21140235,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["golang","pentesting","redteam","winapi"],"created_at":"2024-11-26T05:17:23.852Z","updated_at":"2025-04-13T01:54:23.791Z","avatar_url":"https://github.com/audibleblink.png","language":"Go","readme":"## getsystem\n\nsmall utility package for impersonating a user in the current thread or starting a new process\nwith a duplicated token\n\nalso token privilege manipulation\n\nmust already be in a high integrity context.\n\nExample demo in `/cmd/main.go` folder\n\n## Available functions\n\n```\nCONSTANTS\n\nconst (\n        OpenProcTokenPerms uint32 = windows.TOKEN_READ |\n                windows.TOKEN_DUPLICATE |\n                windows.TOKEN_IMPERSONATE\n        TokenDupPerms uint32 = windows.TOKEN_QUERY |\n                windows.TOKEN_DUPLICATE |\n                windows.TOKEN_ASSIGN_PRIMARY |\n                windows.TOKEN_ADJUST_DEFAULT |\n                windows.TOKEN_ADJUST_SESSIONID\n\n        MLUntrusted = \"S-1-16-0\"\n)\n\nFUNCTIONS\n\nfunc DebugPriv() error\n    DebugPriv enables the SeDebugPrivilege\n\nfunc DemoteProcess(pid int) (err error)\n    DemoteProcess will set SE_PRIVILEGE_REMOVED on all privs of the process\n    token (by LUID). It then sets the Token Label to Untrusted\n\nfunc GetTokenPrivileges(tokenH windows.Token) (tokenPrivileges windows.Tokenprivileges, err error)\n    GetTokenPrivileges will retrieve token privilege information and parse it to\n    a windows Tokenprivileges struct. 
An error is returned if the function fails\n    to retrieve the initial token information\n\nfunc InNewProcess(pid int, cmd string, hidden bool) error\n    InNewProcess will duplicate the token from the given PID and start a new process\n    using the winapi's DuplicateTokenEx and StartProcessWithTokenW with the\n    given command\n\nfunc OnThread(pid int) error\n    OnThread will steal a token from the given process. It can be other users as\n    well, not just SYSTEM. The token will be applied to the current thread until\n    revtoself is called, or the thread exits. Only certain processes can have\n    their SYSTEM token stolen. You must have TOKEN_OWNER in the DACL of the SYSTEM\n    process in order to steal it.\n\nfunc RemoveTokenPrivileges(tokenH windows.Token) (err error)\n    RemoveTokenPrivileges fetches the privileges of a token and revokes them by\n    applying the SE_PRIVILEGE_REMOVED attribute\n\nfunc SePrivEnable(privString string) (err error)\n    SePrivEnable takes a privilege name and enables it\n\nfunc SetTokenLabel(tokenH windows.Token, label string) (err error)\n    SetTokenLabel sets a token label for a given token\n\nfunc TokenOwner(hToken windows.Token) (string, error)\n    TokenOwner will resolve the primary token or thread owner of the given\n    handle\n\nfunc TokenOwnerFromPid(pid int) (string, error)\n    TokenOwnerFromPid will resolve the primary token or thread owner of the\n    given pid\n```\n\n\n## greetz\n\n@slyd0g for [this article](https://posts.specterops.io/understanding-and-defending-against-access-token-theft-finding-alternatives-to-winlogon-exe-80696c8a73b) which was a huge help in understanding the inconsistencies I was seeing when testing this on different SYSTEM 
processes.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faudibleblink%2Fgetsystem","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faudibleblink%2Fgetsystem","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faudibleblink%2Fgetsystem/lists"}