NSudo | Series of System Administration Tools | General Thread

Mouri_Naruto · Oct 6, 2019

You need to login to view this posts content.

BAU · Oct 6, 2019

Mouri_Naruto said: ↑

Looks good, but TrustedInstaller's token may not be opened until you impersonate current thread with SYSTEM token.
Click to expand...

For me there's no but's - I can enter regedit at the demo prompt and modify TrustedInstaller only keys just fine - I would not be surprised though if it's one of those things

Edit2: This was quick..as it was one of those things.. and guess I've proved you wrong
fix for naked Windows 7 with powershell 2.0 (-ea does not support short form 'sil' instead of 'SilentlyContinue' - it was not even needed for published build as the window is hidden)

Thomas Dubreuil · Oct 6, 2019

You need to login to view this posts content.

alchemist_81 · Oct 6, 2019

You need to login to view this posts content.

BAU · Oct 6, 2019

alchemist_81 said: ↑

For exe and script files, parameter %1 does not work in this script, how to?
Click to expand...

This version can be run from right-click - Send to menu.
Will also update the 1st showcase of self-elevation to accept any cmd with parameters
you should update or remove the code in your quoted message as to not generate confusion, tx

Mouri_Naruto · Oct 7, 2019

BAU said: ↑

For me there's no but's - I can enter regedit at the demo prompt and modify TrustedInstaller only keys just fine - I would not be surprised though if it's one of those things

Edit2: This was quick..as it was one of those things.. and guess I've proved you wrong
fix for naked Windows 7 with powershell 2.0 (-ea does not support short form 'sil' instead of 'SilentlyContinue' - it was not even needed for published build as the window is hidden)
Click to expand...

Yes, you are right. It looks more simple. Thank you for introducing a new way to me.

But NSudo can't use that directly because some of NSudo features need to modify the attributes of the access token. Such as creating a process with all access token privileges enabled at the beginning. (What a pity!)

Kenji Mouri

BAU · Oct 7, 2019

Mouri_Naruto said: ↑

Yes, you are right. It looks more simple. Thank you for introducing a new way to me.

But NSudo can't use that directly because some of NSudo features need to modify the attributes of the access token. Such as creating a process with all access token privileges enabled at the beginning. (What a pity!)

Kenji Mouri
Click to expand...

Once you have SYSTEM, does it really matter?

Mouri_Naruto · Oct 7, 2019

BAU said: ↑
Once you have SYSTEM, does it really matter?
Code:
@echo off
set p1=$D=''''[DllImport(!ntdll!)]public static extern IntPtr RtlAdjustPrivilege(int a,bool b,bool c,ref bool d);'''';$nt=Add-Type
set p2=-Member ($D-replace [char]33,[char]34) -Name Nt -PassThru;foreach($i in @(0..36)){$null=$nt::RtlAdjustPrivilege($i,1,0,[ref]0)}
whoami /user|findstr "S-1-5-18">nul || call :runasTI %COMSPEC% /c powershell.exe -nop -c "%p1% %p2%; cmd /c "%~f0" %*"

mode 132,44
echo %0 %*
whoami /priv /groups /user /nh /fo csv
cmd /k

exit/b

:runasTI
set "<=$asTI=1" & call :runasNT %*
:runasNT AveYo`s Lean and Mean runas TrustedInstaller / System snippet, version 20191006                     pastebin.com/AtejMKLj
whoami /user|findstr "S-1-5-18">nul && exit/b
set ">=%*"&call set ">>=%<%;$cmd=''%~f1'';$arg=''%%>:%1=%%'';$f=[io.file]::ReadAllText(''%~f0'')-split '':ps_ras\:.*'';iex($f[1])"
powershell -win 1 -nop -c "start powershell -win 1 -verb runas -ArgumentList '-nop -c \"%>>:"=\\\"%\"'" & exit :ps_ras: [
$D="`n [DllImport(`"kernel32`",SetLastError=true)][return: MarshalAs(UnmanagedType.Bool)]`n static extern bool"; $M='Marshal'
$T="`n [StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]`n struct"; $S='string';$P='IntPtr';$Z='IntPtr.Zero';$AveYo=@"
using System;using System.Diagnostics;using System.Runtime.InteropServices;`npublic class Proc { $T SA{public int a;$P b;int c;}
$T SI{public int a;$S b;$S c;$S d;int e;int f;int g;int h;int i;int j;int k;int l;Int16 m;Int16 n;$P o;$P p;$P r;$P s;}
$T PI{public $P a;public $P b;int c;int d;} $D UpdateProcThreadAttribute($P a,uint b,$P c,$P d,$P e,$P f,$P g);
$T SIEX{public SI a;public $P b;} $D CreateProcess($S a,$S b,ref SA c, ref SA d,bool e,uint f,$P g,$S h,[In] ref SIEX i,out PI j);
$D InitializeProcThreadAttributeList($P a,int b,int c,ref $P d); $D DeleteProcThreadAttributeList($P a);  $D CloseHandle($P a);`n
public static void Create(int parent, $S cmd, $S args) {`n const int PP=0x00020000; PI pi=new PI(); SIEX si=new SIEX();
 si.a.a=$M.SizeOf(si); $P v=$Z; `ntry{`n $P l=$Z; InitializeProcThreadAttributeList($Z, 1, 0, ref l); si.b=$M.AllocHGlobal(l);
 InitializeProcThreadAttributeList(si.b, 1, 0, ref l);`n $P h=Process.GetProcessById(parent).Handle; v=$M.AllocHGlobal($P.Size);
 $M.Write$P(v, h);`n UpdateProcThreadAttribute(si.b, 0, ($P)PP, v, ($P)$P.Size, $Z, $Z);`n SA pa=new SA(); SA ta=new SA();
 pa.a=$M.SizeOf(pa); ta.a=$M.SizeOf(ta);`n bool b=CreateProcess(cmd, args, ref pa,ref ta,false,0x00080010,$Z,null,ref si,out pi);
}finally{`n if (si.b != $Z) { DeleteProcThreadAttributeList(si.b);$M.FreeHGlobal(si.b);}`n $M.FreeHGlobal(v);
 if (pi.a != $Z) CloseHandle(pi.a);if (pi.b != $Z) CloseHandle(pi.b);`n}}}
"@; Add-Type -TypeDefinition $AveYo; if($asTI){ $u='TrustedInstaller'; net start $u >$nul; $id=(Get-Process $u).Id }
if(!$id){ $id=(Get-Process 'winlogon').Id }; [Proc]::Create($id,$cmd,$arg); exit # :ps_ras: ] MIT licence
:-_-:
Click to expand...
I still need to care about.

Because some features in NSudo need CreateProcessAsUserW. (For example, run an app with current session user token. I need to use WTSQueryUserToken to assure we get the token correctly. And it needs SYSTEM access token impersonation.) If I use the way your introduced, I need to create a process to do that or keep the old implementations, it makes NSudo more complex.

I'm afraid that we need many adjustments to use the new way better, because some Windows behaviors associate with the parent process. For example, there is no scroll bars with the new way.

Also, most of us, the privileges in Administrators group is enough. I can do things like most people who use TrustedInstaller do with only elevated Administrators group token, such as modify Windows system files and registry. You only need to enable the SeBackupPrivilege and SeRestorePrivilege. (You can try it with 7-Zip File Manager, use NSudo to open it with the Current Process mode and select the Enable all privileges checkbox.) I think I will provide the way to use elevated Administrators group token better in NSudoSDK. (Some Windows APIs need to de hooked for adapt that.)

I think we should follow the principle of least privilege.

Kenji Mouri

Mouri_Naruto · Oct 7, 2019

You need to login to view this posts content.

Mouri_Naruto · Oct 7, 2019

Run As SYSTEM improvement in NSudo.

BAU · Oct 7, 2019

Mouri_Naruto said: ↑

For example, there is no scroll bars with the new way.
Click to expand...

That can be solved by presetting cmd profile or simply adjusting $host.ui.rawui.buffersize - and that's probably the only improvement I'm willing to add

Mouri_Naruto said: ↑

I think we should follow the principle of least privilege.
Click to expand...

Yeah, that's what I had in mind for the snippet by design - a simple portable alternative to help get some windows administrative tasks done without making a mess with taking ownership of files and registry keys. Anybody needing a more powerful pwning tool should keep using NSudo as usual.

Mouri_Naruto · Oct 7, 2019

BAU said: ↑

That can be solved by presetting cmd profile or simply adjusting $host.ui.rawui.buffersize - and that's probably the only improvement I'm willing to add

Yeah, that's what I had in mind for the snippet by design - a simple portable alternative to help get some windows administrative tasks done without making a mess with taking ownership of files and registry keys. Anybody needing a more powerful pwning tool should keep using NSudo as usual.
Click to expand...

Yes, so I think that you can learn from #432. (Get the token from lsass.exe, so you can get a full SYSTEM access token.)

I have tested on NSudo via the NSudo's way.

Windows Vista Service Pack 2 x64 - Success
Windows 10 LTSC 2018 x64 - Success
Windows 10 Version 1909 (18362.10022) - Success

BAU · Oct 8, 2019

You need to login to view this posts content.

Mouri_Naruto · Oct 9, 2019

You need to login to view this posts content.

BAU · Oct 10, 2019

You need to login to view this posts content.

Mouri_Naruto · Oct 11, 2019

You need to login to view this posts content.

Mouri_Naruto · Oct 14, 2019

You need to login to view this posts content.

Artemus2013 · Nov 1, 2019

Been frustrated that I could not get NSudo to run any program located in
C:\Program Files
C:\Program Files (x86)

from it's initialization file (NSudo.json) yet it ran programs in the C:\Windows directory, or a sub-directory thereof, just fine.
As already discovered by others, NSudo fails when a directory or filename has a space in it.
And it is reliable only when 2 backslashes are used in directory paths,
The only way to pass an argument successfully to NSudo is to use DOS 8.3 names.

So I found what works for me. I use PowerDesk file manager, it's executable path is:
"C:\Program Files (x86)\Avanquest\PowerDesk\PDExplo.exe"

Next, below, I have pasted 2 sample NSudo.json files.Each has a slightly different naming, and both work.

{
"ShortCutList_V2": {
"PowerDesk": "C:\\PROGRA~2\\Avanquest\\PowerDesk\\PDExplo.exe",
"PowerShell": "powershell",
"PowerShell ISE": "powershell_ise",
"Hosts编辑": "notepad %windir%\\System32\\Drivers\\etc\\hosts"
}
}

{
"ShortCutList_V2": {
"PowerDesk": "C:\\PROGRA~2\\AVANQU~1\\POWERD~2\\PDExplo.exe",
"PowerShell": "powershell",
"PowerShell ISE": "powershell_ise",
"Hosts编辑": "notepad %windir%\\System32\\Drivers\\etc\\hosts"

}
}

You can get the DOS 8.3 file name and path by navigating in a CMD window to the directory where your program is located and typing:

for %I in (.) do echo %~sI

If you need just the short names of the current directory, all you have to type is:

DIR /X.

Thanks to Thomas Dubreuil
https://forums.mydigitallife.net/th...-administration-tool.59268/page-14#post-14696

For his sample file. That's what helped me get this figured out.

abbodi1406 · Nov 1, 2019

@Artemus2013

one of the 2 backslashes is escape character
can be used similary for spaces and quotes
Code:
    "Notepad3": "\"C:\\Program Files\\Notepad3\\Notepad3.exe\"",

Artemus2013 · Nov 1, 2019

abbodi1406 said: ↑
@Artemus2013

one of the 2 backslashes is escape character
can be used similary for spaces and quotes
Code:
    "Notepad3": "\"C:\\Program Files\\Notepad3\\Notepad3.exe\"",
Click to expand...
Thanks. Just tried:
"NFOPad": "\"C:\\Program Files (x86)\\NFOPad\\NFOPad.exe\"",

...and it works.

Log in or Sign up

NSudo | Series of System Administration Tools | General Thread

These things you maybe see in the future version of NSudo. What do you think about?

Publish to Chocolatey? (Suggested by wwtex.)

Publish to scoop? (Suggested by wwtex.)

Publish to Windows Store? (Desktop Bridge.)

Add NSudo Configuration Editor?

Using Qt to implement the UI? (It may increase the binary size of NSudo.)

Compile NSudo with CMake?

Yes

No

Mouri_Naruto MDL Developer

BAU MDL Addicted

Thomas Dubreuil MDL Senior Member

alchemist_81 MDL Novice

BAU MDL Addicted

Mouri_Naruto MDL Developer

BAU MDL Addicted

Mouri_Naruto MDL Developer

Mouri_Naruto MDL Developer

Mouri_Naruto MDL Developer

BAU MDL Addicted

Mouri_Naruto MDL Developer

BAU MDL Addicted

Mouri_Naruto MDL Developer

BAU MDL Addicted

Mouri_Naruto MDL Developer

Attached Files:

NSudoPreview_8.0.0-alpha1_All_Binary.7z

Mouri_Naruto MDL Developer

Artemus2013 MDL Novice

abbodi1406 MDL KB0000001

Artemus2013 MDL Novice