A Windows token-theft utility that enumerates SYSTEM processes, duplicates their access token, and spawns a new process running as NT AUTHORITY\SYSTEM.
Let's use it and prove it:
First of all, I open a Windows 10 Home machine with antivirus (Kaspersky) and Windows Defender activated.
Now I transfer the malicious binary to execute it:
And now I execute it:
In this case I execute a CMD.
And this is the popped CMD; now I execute the whoami command:
How the tool works, step by step:
1. Enable debug privileges. The program first enables SeDebugPrivilege so it can open handles to protected SYSTEM processes. Enabling only switches on a privilege the caller's token already holds, so the tool has to run from an elevated (administrator) context to begin with.
2. Enumerate running processes. It creates a snapshot and iterates through all running processes using:
   - CreateToolhelp32Snapshot
   - Process32First
   - Process32Next
3. Target known SYSTEM processes. It filters for processes that normally run as SYSTEM, such as:
   - winlogon.exe
   - services.exe
   - svchost.exe
   - lsass.exe
4. Steal the process token. For each candidate process:
   - OpenProcess() obtains a process handle
   - OpenProcessToken() retrieves that process's access token
5. Verify the token belongs to SYSTEM. The token's user is read with GetTokenInformation(TokenUser) and compared against the SYSTEM SID (S-1-5-18) using EqualSid.
6. Duplicate the token. If the token is valid:
   - DuplicateTokenEx() converts it into a primary token that can be used to create new processes.
7. Spawn a SYSTEM process. Finally:
   - CreateProcessWithTokenW() launches the user-specified program (e.g., cmd.exe) using the duplicated SYSTEM token.
The result is a new process running with SYSTEM privileges.
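As an added defensive example (not part of this utility), the following Python runs a few detection heuristics derived from the steps above over constructed sample events: a 4672 event granting SeDebugPrivilege, Sysmon ProcessAccess (event 10) against the listed SYSTEM processes, and a 4688 process-creation event whose creator account and target account differ. The key=value event format, the account names and the file paths are all constructed for this example; the exact fields a given Windows build emits must be validated against a lab capture before relying on these rules.

```python
import ntpath

SYSTEM_SID = "S-1-5-18"
# Processes the utility targets because they normally run as SYSTEM.
SYSTEM_TARGETS = {"winlogon.exe", "services.exe", "svchost.exe", "lsass.exe"}
# PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION: the access a
# caller needs on the process handle before OpenProcessToken will succeed.
QUERY_BITS = 0x0400 | 0x1000

# Constructed sample events (simplified key=value lines, not a real log format).
SAMPLE_EVENTS = [
    "EventID=4672 SubjectUser=LAB\\alice Privileges=SeDebugPrivilege,SeChangeNotifyPrivilege",
    "EventID=10 SourceImage=C:\\Users\\alice\\Desktop\\tool.exe "
    "TargetImage=C:\\Windows\\System32\\winlogon.exe GrantedAccess=0x1400",
    "EventID=4688 CreatorSid=S-1-5-21-1111-2222-3333-1001 CreatorUser=LAB\\alice "
    "TargetSid=S-1-5-18 TargetUser=SYSTEM NewProcess=C:\\Windows\\System32\\cmd.exe",
    "EventID=4688 CreatorSid=S-1-5-18 CreatorUser=SYSTEM TargetSid=S-1-5-18 "
    "TargetUser=SYSTEM NewProcess=C:\\Windows\\System32\\svchost.exe",
    "EventID=10 SourceImage=C:\\Windows\\System32\\Taskmgr.exe "
    "TargetImage=C:\\Windows\\System32\\svchost.exe GrantedAccess=0x1000",
]

def parse_event(line):
    """Split one constructed key=value line into a dict (values contain no spaces)."""
    return dict(field.split("=", 1) for field in line.split())

def detect(lines):
    """Return (severity, rule, detail) tuples for the token-theft indicators."""
    debug_users = set()  # accounts seen with SeDebugPrivilege in a 4672 event
    findings = []
    for ev in map(parse_event, lines):
        eid = ev.get("EventID")
        if eid == "4672":
            if "SeDebugPrivilege" in ev.get("Privileges", "").split(","):
                debug_users.add(ev["SubjectUser"])
        elif eid == "10":  # Sysmon ProcessAccess: who opened a handle to what
            src, dst = ev["SourceImage"], ev["TargetImage"]
            if (ntpath.basename(dst).lower() in SYSTEM_TARGETS
                    and int(ev["GrantedAccess"], 16) & QUERY_BITS
                    and not src.lower().startswith("c:\\windows\\")):
                findings.append(("medium", "handle-to-system-process", f"{src} -> {dst}"))
        elif eid == "4688":  # process creation: creator account vs. new process account
            if ev["TargetSid"] == SYSTEM_SID and ev["CreatorSid"] != SYSTEM_SID:
                sev = "high" if ev["CreatorUser"] in debug_users else "medium"
                findings.append((sev, "system-process-from-non-system-caller",
                                 f"{ev['CreatorUser']} -> {ev['NewProcess']}"))
    return findings
```

Legitimate elevation paths (services, scheduled tasks, PsExec-style tooling) also create SYSTEM processes, so the 4688 rule is a triage signal to be correlated with the 4672 and ProcessAccess hits, not a standalone alert.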