{"id":31007635,"url":"https://github.com/fafalone/runasany","last_synced_at":"2026-02-14T18:01:38.378Z","repository":{"id":306722823,"uuid":"1020535243","full_name":"fafalone/RunAsAny","owner":"fafalone","description":"Create an arbitrary token to run as any user / groups","archived":false,"fork":false,"pushed_at":"2025-07-29T18:47:32.000Z","size":81,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-13T03:18:23.385Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Visual Basic 6.0","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fafalone.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-07-16T03:04:10.000Z","updated_at":"2025-07-29T18:47:36.000Z","dependencies_parsed_at":"2025-08-01T23:28:49.874Z","dependency_job_id":null,"html_url":"https://github.com/fafalone/RunAsAny","commit_stats":null,"previous_names":["fafalone/runasany"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/fafalone/RunAsAny","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fafalone%2FRunAsAny","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fafalone%2FRunAsAny/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fafalone%2FRunAsAny/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fafalone%2FRunAsAny/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fafalone","download_url":"https://codeload.github.com/fafalone/RunAsAny/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fafalone%2FRunAsAny/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29451905,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-14T15:52:44.973Z","status":"ssl_error","status_checked_at":"2026-02-14T15:52:11.208Z","response_time":53,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-09-13T03:11:14.331Z","updated_at":"2026-02-14T18:01:38.355Z","avatar_url":"https://github.com/fafalone.png","language":"Visual Basic 6.0","funding_links":[],"categories":[],"sub_categories":[],"readme":"# RunAsAny\nCreate an arbitrary token to run as any user / groups\n\nThis project is not finished. I'll be building an app based on this where you can select the users/groups to run as, in the mean time, attached is an example where they're hard-coded.\n\n(Requires Windows Development Library for twinBASIC)\n\n```vba\nModule modCreateToken\n\n'Demonstrates use of NtCreateToken\n\n'Must run as admin\n\n'This is roughly based on the Chapter 11 CreateToken example from\n'the excellent Windows Native API Programming book by Pavel Yosifovich.\n'https://github.com/zodiacon/winnativeapibooksamples\n\n\nPublic g_TI As Boolean\n\nPublic lOld64 As LongPtr\n\nPrivate bUI As Boolean\nPrivate Sub PostLog(smsg As String)\nIf bUI Then Form1.AppendLog smsg\nEnd Sub\n\nSub Main()\n#If Win64 = 0 Then\nWow64DisableWow64FsRedirection lOld64\n#End If\nIf Command() \u003c\u003e \"\" Then\n    'todo\nElse\n    bUI = True\n    Form1.Show\nEnd If\nEnd Sub\n\nPublic Function RunProcessWithCustomToken(ByVal sCommandLine As String, Optional PriorityClass As Long = NORMAL_PRIORITY_CLASS, Optional UIAccess As Boolean = False) As NTSTATUS\n    'Enable debug privilege and imperdonsate lsass.exe\n    Dim enabled As Byte\n    Dim status As NTSTATUS = RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, 1, 0, enabled)\n    If NT_SUCCESS(status) Then\n        PostLog \"Successfully enabled debug privilege.\"\n    Else\n        PostLog \"Failed to enable debug privilege. You must run this program as Administrator\"\n        Return status\n    End If\n    \n    Dim hDupToken As LongPtr = DuplicateLSASSToken()\n    If hDupToken = 0 Then\n        PostLog \"Failed to duplicate lsass.exe token.\"\n        Return STATUS_UNSUCCESSFUL\n    End If\n    \n    PostLog \"Creating sids for TOKEN_GROUPS\"\n    Dim systemSid As SE_SID\n    Dim size As Long = LenB(systemSid)\n    CreateWellKnownSid(WinLocalSystemSid, vbNullPtr, VarPtr(systemSid), size)\n    DisplaySid(VarPtr(systemSid))\n    \n    Dim adminSid As SE_SID\n    size = LenB(adminSid)\n    CreateWellKnownSid(WinBuiltinAdministratorsSid, vbNullPtr, VarPtr(adminSid), size)\n    DisplaySid(VarPtr(adminSid))\n    \n    Dim allUsersSid As SE_SID\n    size = LenB(allUsersSid)\n    CreateWellKnownSid(WinWorldSid, vbNullPtr, VarPtr(allUsersSid), size)\n    DisplaySid(VarPtr(allUsersSid))\n    \n    Dim interactiveSid As SE_SID\n    size = LenB(interactiveSid)\n    CreateWellKnownSid(WinInteractiveSid, vbNullPtr, VarPtr(interactiveSid), size)\n    DisplaySid(VarPtr(interactiveSid))\n    \n    Dim authUsers As SE_SID\n    size = LenB(authUsers)\n    CreateWellKnownSid(WinAuthenticatedUserSid, vbNullPtr, VarPtr(authUsers), size)\n    DisplaySid(VarPtr(authUsers))\n    \n     Dim integritySid As LongPtr 'PSID\n     Dim auth As SID_IDENTIFIER_AUTHORITY\n     auth.Value(5) = 16 'SECURITY_MANDATORY_LABEL_AUTHORITY\n     status = RtlAllocateAndInitializeSid(auth, 1, SECURITY_MANDATORY_MEDIUM_RID, 0, 0, 0, 0, 0, 0, 0, integritySid)\n     \n     If g_TI Then\n         Dim trustedInstallerSid As LongPtr\n         Dim ntAuthority As SID_IDENTIFIER_AUTHORITY\n         ntAuthority.Value(5) = SECURITY_NT_AUTHORITY\n         status = RtlAllocateAndInitializeSid(ntAuthority, SECURITY_SERVICE_ID_RID_COUNT, SECURITY_SERVICE_ID_BASE_RID, _\n                                    SECURITY_TRUSTED_INSTALLER_RID1, SECURITY_TRUSTED_INSTALLER_RID2, _\n                                    SECURITY_TRUSTED_INSTALLER_RID3, SECURITY_TRUSTED_INSTALLER_RID4, _\n                                    SECURITY_TRUSTED_INSTALLER_RID5, 0, 0, trustedInstallerSid)\n     End If\n     Dim groups As TOKEN_GROUPS\n     groups.Groups(0).Sid = VarPtr(adminSid)\n     groups.Groups(0).Attributes = SE_GROUP_DEFAULTED Or SE_GROUP_ENABLED\n     If g_TI = False Then\n         groups.Groups(0).Attributes = groups.Groups(0).Attributes Or SE_GROUP_OWNER\n     End If\n     groups.Groups(1).Sid = VarPtr(allUsersSid)\n     groups.Groups(1).Attributes = SE_GROUP_ENABLED Or SE_GROUP_DEFAULTED\n     groups.Groups(2).Sid = VarPtr(interactiveSid)\n     groups.Groups(2).Attributes = SE_GROUP_ENABLED Or SE_GROUP_DEFAULTED\n     groups.Groups(3).Sid = VarPtr(systemSid)\n     groups.Groups(3).Attributes = SE_GROUP_ENABLED Or SE_GROUP_DEFAULTED\n     groups.Groups(4).Sid = integritySid\n     groups.Groups(4).Attributes = SE_GROUP_INTEGRITY Or SE_GROUP_INTEGRITY_ENABLED\n     groups.Groups(5).Sid = VarPtr(authUsers)\n     groups.Groups(5).Attributes = SE_GROUP_ENABLED Or SE_GROUP_DEFAULTED\n     If g_TI Then\n        groups.Groups(6).Sid = trustedInstallerSid\n        groups.Groups(6).Attributes = SE_GROUP_ENABLED Or SE_GROUP_DEFAULTED Or SE_GROUP_OWNER\n        groups.GroupCount = 7\n     Else\n         groups.GroupCount = 6\n     End If\n     \n     Dim privs As TOKEN_PRIVILEGES\n     privs.PrivilegeCount = 2\n     privs.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT\n     privs.Privileges(0).Luid.lowPart = SE_CHANGE_NOTIFY_PRIVILEGE\n     privs.Privileges(1).Luid.lowPart = SE_TCB_PRIVILEGE\n     \n     Dim primary As TOKEN_PRIMARY_GROUP\n     primary.PrimaryGroup = VarPtr(adminSid)\n     \n     Dim user As TOKEN_USER\n     user.User.Sid = VarPtr(systemSid)\n     \n     status = NtSetInformationThread(NtCurrentThread(), ThreadImpersonationToken, hDupToken, LenB(hDupToken))\n     If Not NT_SUCCESS(status) Then\n         PostLog \"NtSetInformationThread error 0x\" \u0026 Hex$(status) \u0026 \", \" \u0026 GetNtErrorString(status)\n         If integritySid Then RtlFreeSid(integritySid)\n         Return status\n     Else\n         PostLog \"Successfully impersonated lsass.exe...\"\n     End If\n     \n     Dim authenticationId As LUID = RtlConvertUlongToLuid(999)\n     Dim source As TOKEN_SOURCE\n     source.SourceName(0) = Asc(\"C\")\n     source.SourceName(0) = Asc(\"R\")\n     source.SourceName(0) = Asc(\"T\")\n     source.SourceName(0) = Asc(\"T\")\n     source.SourceIdentifier = DCast(Of LUID)(777)\n     Dim expire As LARGE_INTEGER\n     Dim hToken As LongPtr\n     \n     status = NtCreateToken(hToken, TOKEN_ALL_ACCESS, vbNullPtr, TokenPrimary, authenticationId, _\n                             expire, user, groups, privs, vbNullPtr, primary, vbNullPtr, source)\n     \n     If NT_SUCCESS(status) Then\n        PostLog \"Successfully created token!\"\n        If (NT_SUCCESS(RtlAdjustPrivilege(SE_TCB_PRIVILEGE, CTRUE, CTRUE, enabled))) Then\n            'Use the following if you're a console app to attach to the current console:\n            ' Dim session As Long = WTSGetActiveConsoleSessionId()\n            ' NtQueryInformationProcess(NtCurrentProcess(), ProcessSessionInformation, session, LenB(session), ByVal 0)\n            ' NtSetInformationToken(hToken, TokenSessionId, session, LenB(session))\n            PostLog \"Successfully acquired SE_TCB_PRIVILEGE and set token session id!\"\n            If UIAccess Then\n                status = NtSetInformationToken(hToken, TokenUIAccess, CTRUE, LenB(Of BOOL))\n                PostLog \"Set UIAccess outcome: 0x\" \u0026 Hex$(status) \u0026 If(NT_SUCCESS(status), \" (SUCCESS)\", \" (ERROR)\")\n            End If\n            Dim si As STARTUPINFO\n            si.cbSize = LenB(si)\n            Dim pi As PROCESS_INFORMATION\n            Dim desktop As String = \"winsta0\\Default\"\n            si.lpDesktop = StrPtr(desktop)\n            si.dwFlags = STARTF_USESHOWWINDOW\n            si.wShowWindow = SW_SHOW\n            status = RtlAdjustPrivilege(SE_ASSIGNPRIMARYTOKEN_PRIVILEGE, CTRUE, CTRUE, enabled)\n            Dim created As BOOL\n            If NT_SUCCESS(status) Then\n                PostLog \"Enabled assign primary token privilege...\"\n                Dim sArg As String\n                Dim sTx As String\n                Dim lpArg As LongPtr\n    \n                sTx = sCommandLine\n    \n                If ((Right$(sTx, 4) = \".exe\") And PathFileExistsW(StrPtr(sTx)) And (InStr(sTx, Chr$(34)) = 0) And (InStr(InStr(sTx, \".exe\"), sTx, \" \") = 0)) Then\n                    created = CreateProcessAsUser(hToken, vbNullString, sCommandLine, vbNullPtr, vbNullPtr, CFALSE, CREATE_UNICODE_ENVIRONMENT Or PriorityClass, ByVal 0, vbNullString, si, pi)\n                    If created = CFALSE Then\n                        PostLog \"CreateProcessAsUser failed (0x\" \u0026 Hex$(Err.LastDllError) \u0026 \" \" \u0026 GetSystemErrorString(Err.LastDllError) \u0026 \"), trying CreateProcessWithTokenW...\"\n                        created = CreateProcessWithTokenW(hToken, LOGON_WITH_PROFILE, 0\u0026, StrPtr(sCommandLine), CREATE_UNICODE_ENVIRONMENT Or PriorityClass, 0\u0026, 0\u0026, si, pi)\n                    End If\n                Else\n                    lpArg = PathGetArgsW(StrPtr(sTx))\n                    sArg = LPWSTRtoStr(lpArg, False)\n                    If Len(sArg) \u003e 0\u0026 Then\n                        sTx = Left$(sTx, Len(sTx) - Len(sArg))\n                    End If\n                    sTx = Trim$(sTx)\n                    If Left$(sTx, 1) = Chr$(34) Then\n                        sTx = Mid$(sTx, 2)\n                        sTx = Left$(sTx, Len(sTx) - 1)\n                    End If\n                    If sArg = \"\" Then\n                        If InStr(sCommandLine, \"%\") Then\n                            sCommandLine = ExpandEnvVars(sCommandLine)\n                        End If\n                        created = CreateProcessAsUser(hToken, vbNullString, sCommandLine, vbNullPtr, vbNullPtr, CFALSE, CREATE_UNICODE_ENVIRONMENT Or PriorityClass, ByVal 0, vbNullString, si, pi)\n                        If created = CFALSE Then\n                            PostLog \"CreateProcessAsUser failed (0x\" \u0026 Hex$(Err.LastDllError) \u0026 \" \" \u0026 GetSystemErrorString(Err.LastDllError) \u0026 \"), trying CreateProcessWithTokenW...\"\n                            created = CreateProcessWithTokenW(hToken, LOGON_WITH_PROFILE, 0\u0026, StrPtr(sCommandLine), CREATE_UNICODE_ENVIRONMENT Or PriorityClass, 0\u0026, 0\u0026, si, pi)\n                        End If\n                    Else\n                        PostLog \"Command line args detected, parsed as:\"\n                        PostLog \"  App=\" \u0026 sTx\n                        PostLog \"  Arg=\" \u0026 sArg\n                        If InStr(sTx, \"%\") Then\n                            sTx = ExpandEnvVars(sTx)\n                        End If\n                        created = CreateProcessAsUser(hToken, sTx, sCommandLine, vbNullPtr, vbNullPtr, CFALSE, CREATE_UNICODE_ENVIRONMENT Or PriorityClass, ByVal 0, vbNullString, si, pi)\n                        If created = CFALSE Then\n                            PostLog \"CreateProcessAsUser failed (0x\" \u0026 Hex$(Err.LastDllError) \u0026 \" \" \u0026 GetSystemErrorString(Err.LastDllError) \u0026 \"), trying CreateProcessWithTokenW...\"\n                            created = CreateProcessWithTokenW(hToken, LOGON_WITH_PROFILE, StrPtr(sTx), StrPtr(sCommandLine), CREATE_UNICODE_ENVIRONMENT, 0\u0026, 0\u0026, si, pi)\n                        End If\n                    End If\n                    If created Then\n                        PostLog \"Successfully created process, pid=\" \u0026 pi.dwProcessId\n                        NtClose(pi.hProcess)\n                        NtClose(pi.hThread)\n                    Else\n                        PostLog \"Failed to create process, 0x\" \u0026 Hex$(Err.LastDllError) \u0026 \", \" \u0026 GetSystemErrorString(Err.LastDllError)\n                    End If\n                End If\n            End If\n        Else\n            PostLog \"Couldn't enable SE_TCB_PRIVILEGE\"\n        End If\n    Else\n        PostLog \"Call to NtCreateToken failed: 0x\" \u0026 Hex$(status) \u0026 \", \" \u0026 GetNtErrorString((status))\n    End If\n\n    If integritySid Then RtlFreeSid(integritySid)\n \n     \n End Function\n Private Function ExpandEnvVars(sIn As String) As String\n 'Expand environment variables\n Dim sTmp As String\n Dim chs As Long\n\n sTmp = String$(MAX_PATH, 0)\n chs = ExpandEnvironmentStringsW(StrPtr(sIn), StrPtr(sTmp), MAX_PATH)\n If chs \u003e 1\u0026 Then\n     ExpandEnvVars = Left$(sTmp, chs - 1\u0026) 'It includes a null terminator\n Else\n     ExpandEnvVars = sIn\n End If\n\n End Function\n\nPrivate Sub DisplaySid(sid As LongPtr)\n    Dim name As UNICODE_STRING\n    If (NT_SUCCESS(RtlConvertSidToUnicodeString(name, sid, CTRUE))) Then\n        PostLog \"Create sid \" \u0026 LPWSTRtoStr(name.Buffer, False)\n        RtlFreeUnicodeString(name)\n    End If\nEnd Sub\n\nPrivate Function DuplicateLSASSToken() As LongPtr\n    Dim hProcess As LongPtr = FindLsass()\n    If hProcess = 0 Then Return 0\n\n    Dim hToken As LongPtr\n    NtOpenProcessToken(hProcess, TOKEN_DUPLICATE, hToken)\n    If hToken = 0 Then\n        PostLog \"Couldn't open process for token duplication.\"\n        Return 0\n    End If\n    \n    Dim hNewToken As LongPtr\n    Dim tokenAttr As OBJECT_ATTRIBUTES\n    InitializeObjectAttributes(tokenAttr, vbNullPtr, 0, vbNullPtr, vbNullPtr)\n    Dim qos As SECURITY_QUALITY_OF_SERVICE\n    qos.Length = LenB(qos)\n    qos.ImpersonationLevel = SecurityImpersonation\n    tokenAttr.SecurityQualityOfService = VarPtr(qos)\n    NtDuplicateToken(hToken, TOKEN_ALL_ACCESS, tokenAttr, False, TokenImpersonation, hNewToken)\n    NtClose(hToken)\n    Return hNewToken\nEnd Function\n\nPrivate Function FindLsass() As LongPtr\n    Dim path As String = String$(MAX_PATH, 0)\n    Dim cch As Long = GetSystemDirectory(path, MAX_PATH)\n    path = Left$(path, cch) \u0026 \"\\lsass.exe\"\n     \n    Dim lsassPath As UNICODE_STRING\n    RtlInitUnicodeString(lsassPath, StrPtr(path))\n    \n    Dim buffer(255) As Byte\n    Dim hProcess As LongPtr, hOld As LongPtr\n    Dim status As NTSTATUS\n    Dim i As Long\n    While True\n        hOld = hProcess\n        status = NtGetNextProcess(hProcess, PROCESS_QUERY_LIMITED_INFORMATION, 0, 0, hProcess)\n        If hOld Then NtClose(hOld)\n        If Not NT_SUCCESS(status) Then Exit While\n        \n        If NT_SUCCESS(NtQueryInformationProcess(hProcess, ProcessImageFileNameWin32, buffer(0), UBound(buffer) + 1, ByVal 0)) Then\n            Dim name As UNICODE_STRING = CType(Of UNICODE_STRING)(VarPtr(buffer(0)))\n            i += 1\n            If (RtlEqualUnicodeString(lsassPath, name, CTRUE)) Then\n                PostLog \"Located LSASS process...\"\n                Return hProcess\n            End If\n        End If\n    Wend\n    PostLog \"Failed to find lsass.exe, checked \" \u0026 i \u0026 \" processes\"\nEnd Function\n\n\nEnd Module\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffafalone%2Frunasany","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffafalone%2Frunasany","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffafalone%2Frunasany/lists"}