Educational Use Only
This repository contains a proof-of-concept that chains two Windows privilege escalation techniques for research and defensive learning purposes:
- A UAC (User Account Control) bypass to obtain an elevated Administrator process.
- Token duplication to attempt launching a SYSTEM-level process.
Running or modifying this code on machines you do not own or without explicit written authorization is illegal and unethical.
This project is for research, learning, and defense development only.
This proof-of-concept (PoC) demonstrates, conceptually and through code, how two privilege escalation techniques can be combined:
- User → Administrator: Attempts a UAC bypass to relaunch itself with elevated privileges.
- Administrator → SYSTEM: From that elevated context, duplicates a SYSTEM token (from a high-privilege process) to spawn a new shell running as SYSTEM.
The PoC is designed to illustrate Windows token mechanics, UAC internals, and process security, not to serve as an operational exploit.
gcc -o PrivEsc.exe .\PrivEsc01.c -ladvapi32 -lshell32 -luser32
- The program starts and checks if the current process is a member of the Administrators group (
IsAdmin()). - If not elevated, it triggers the UAC bypass routine (
UACBypassWin10orUACBypassAlternative). - These functions temporarily modify registry keys to define a custom command handler for trusted auto-elevating executables (e.g.,
fodhelper.exeorcomputerdefaults.exe). - The trusted helper then launches the PoC binary with
--admin, simulating elevation.
- When launched with the
--adminargument, the PoC assumes it’s elevated. - It enables critical privileges on its token using
EnableAllPrivileges(e.g.,SE_DEBUG_NAME,SE_IMPERSONATE_NAME). - The program locates a SYSTEM-level process (commonly
winlogon.exe) viaGetWinlogonPid. - Then, it uses
TokenStealingto:- Open the process and retrieve its access token.
- Call
DuplicateTokenExto create a primary token. - Invoke
CreateProcessAsUserAto spawn a new process (e.g.,cmd.exe) under that duplicated SYSTEM token.
| Concept | Description |
|---|---|
| Access Token | A data structure describing a process’s identity and privileges. Duplicating a token allows creating a process that inherits another identity. |
| Privileges | Special rights (e.g., SE_DEBUG_NAME) that control sensitive actions such as opening system processes or creating impersonation tokens. |
| UAC (User Account Control) | A Windows mechanism that mediates privilege elevation. Some trusted system binaries auto-elevate, forming potential abuse vectors. |
| DuplicateTokenEx / CreateProcessAsUserA | Windows APIs for creating a process using an existing token. Essential for privilege-transfer or impersonation techniques. |
| Function | Purpose |
|---|---|
main |
Entry point. Decides execution path based on privileges and arguments. |
IsAdmin |
Uses AllocateAndInitializeSid + CheckTokenMembership to verify admin status. |
UACBypassWin10 / UACBypassAlternative |
Two variants that attempt UAC bypass using different trusted helpers (registry COM handler method). |
EnableAllPrivileges |
Enables required privileges (debug, impersonate, assign token, increase quota). |
GetWinlogonPid |
Enumerates running processes to find a SYSTEM-level target (e.g., winlogon.exe). |
TokenStealing |
Duplicates a privileged token and spawns a new process with it using CreateProcessAsUserA. |
This project is a laboratory Proof of Concept, not an exploit tool.
Use it exclusively in isolated test environments and with explicit authorization.
Unauthorized execution, modification, or distribution of this code in any operational context may violate applicable law.
Contact: 28zaakypro@proton.me
This PoC is distributed for research and educational purposes only.
No warranty is provided. The author disclaims any responsibility for misuse.