Warning
This project is intended strictly for educational purposes, security research, and authorized penetration testing activities. Unauthorized use against systems without explicit permission may violate applicable laws and regulations.
PrivEsc is a C++ privilege escalation utility for Windows x64 environments. It implements a staged execution model to transition process context across Windows Integrity Levels:
- Execute a process as Administrator from a standard user
- Execute a process as NT AUTHORITY\SYSTEM from an Administrator
The implementation directly leverages Windows internals, including token inspection, privilege adjustment, registry manipulation, and primary token duplication.
This project is an adapted implementation of S12cybersecurity/PrivilegeEscalationClass, maintained by @undefinedable.
The core logic is implemented in `PrivEscalationClass`, which is responsible for:
- Integrity Level evaluation using `TokenElevation`
- Automatic privilege adjustment (`SeDebugPrivilege`)
- Registry-based execution redirection
- Process enumeration and SYSTEM token acquisition
- Primary token duplication and process creation

- Queries the current process token via `OpenProcessToken`
- Uses `GetTokenInformation(TokenElevation)` to determine the elevation state
- Resolves the current identity via token SID lookup

- Writes to `HKCU\Software\Classes\ms-settings\Shell\Open\command`
- Sets:
  - Default value → target executable path
  - `DelegateExecute` → empty string
- Launches `C:\Windows\System32\fodhelper.exe`
- Waits briefly for execution and removes the registry keys via `RegDeleteKeyW`

- Ensures `SeDebugPrivilege` is enabled via `AdjustTokenPrivileges`
- Enumerates processes using `CreateToolhelp32Snapshot`
- Identifies processes owned by `NT AUTHORITY\SYSTEM`
- Retrieves access tokens using `OpenProcessToken`
- Duplicates the SYSTEM token: `DuplicateTokenEx(..., TokenPrimary)`
- Spawns the target process: `CreateProcessWithTokenW(...)`

- Enables `SeDebugPrivilege` on the current process token
- Invoked during class construction and prior to SYSTEM escalation

- Implements registry-based execution redirection
- Triggers execution via `fodhelper.exe`
- Cleans registry artifacts post-execution

- Enumerates SYSTEM processes
- Extracts and duplicates primary tokens
- Executes target binary under SYSTEM context

- Retrieves the current executable path
- Re-launches itself through staged escalation:
  - User → Administrator
  - Administrator → SYSTEM
- Terminates the original process after a successful transition

- Resolves the process owner using `TokenUser`
- Converts the SID to `DOMAIN\USERNAME` via `LookupAccountSidW`

- Creates a process using a duplicated primary token
- Uses `CreateProcessWithTokenW`

- Target: Windows x64
- Required libraries: `advapi32.lib`, `user32.lib`, `shell32.lib`

`PrivEsc.exe [optional_target_path]`
- Default target: `C:\Windows\System32\cmd.exe`

- Automatically enables `SeDebugPrivilege` during initialization
- Determines the execution path based on the current Integrity Level
- Supports staged self-relaunch via `SelfElevate()`
- Cleans registry keys used during elevation
- Executes the target process under the highest attainable context
- Displays the execution identity via `MessageBoxW`

- Requires write access to the current user registry hive
- SYSTEM escalation depends on:
  - Availability of accessible SYSTEM processes
  - Successful privilege adjustment (`SeDebugPrivilege`)
- Token access may be restricted in hardened environments
- May fail in environments with:
  - Restricted token access
  - Process protection mechanisms
  - Endpoint detection and response (EDR)
- Assumes sufficient rights to:
  - Query process tokens
  - Adjust privileges

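The registry artifacts and the `fodhelper.exe` launch described above are also what a defender can alert on. The following is an added detection example, not part of this project: it scans Sysmon-style event records (Event ID 13 registry value set, Event ID 1 process create; field names follow Sysmon, the sample events are constructed) for writes under the `ms-settings\Shell\Open\command` key and for child processes of `fodhelper.exe`.

```python
import re

# Registry path the README says is written before fodhelper.exe is launched.
# Sysmon logs HKCU keys under the user's SID (HKU\S-1-5-...), so match the suffix.
MS_SETTINGS_CMD = re.compile(
    r"\\Software\\Classes\\ms-settings\\Shell\\Open\\command(?:\\|$)", re.IGNORECASE)


def check_event(ev):
    """Return a finding for one Sysmon-style event dict, or None if benign."""
    if ev.get("EventID") == 13:  # RegistryEvent (Value Set)
        target = ev.get("TargetObject", "")
        if not MS_SETTINGS_CMD.search(target):
            return None
        if target.rsplit("\\", 1)[-1].lower() == "delegateexecute":
            return "DelegateExecute set under ms-settings command key"
        return "ms-settings command redirected to %r" % ev.get("Details", "")
    if ev.get("EventID") == 1:  # ProcessCreate
        if ev.get("ParentImage", "").lower().endswith("\\fodhelper.exe"):
            return "fodhelper.exe spawned %s at %s integrity" % (
                ev.get("Image"), ev.get("IntegrityLevel"))
    return None


def scan(events):
    """Return (EventID, finding) pairs for every suspicious event, in order."""
    findings = []
    for ev in events:
        finding = check_event(ev)
        if finding:
            findings.append((ev["EventID"], finding))
    return findings


# Constructed sample events (not real telemetry); field names follow Sysmon.
HIVE = "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\alice\\PrivEsc.exe", "Details": "C:\\Windows\\System32\\cmd.exe",
     "TargetObject": HIVE + "ms-settings\\Shell\\Open\\command\\(Default)"},
    {"EventID": 13, "Image": "C:\\Users\\alice\\PrivEsc.exe", "Details": "",
     "TargetObject": HIVE + "ms-settings\\Shell\\Open\\command\\DelegateExecute"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "IntegrityLevel": "High",
     "ParentImage": "C:\\Windows\\System32\\fodhelper.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "Details": "txtfile",
     "TargetObject": HIVE + ".txt\\(Default)"},  # benign file association write
    {"EventID": 1, "Image": "C:\\Windows\\notepad.exe", "IntegrityLevel": "Medium",
     "ParentImage": "C:\\Windows\\explorer.exe"},  # benign launch
]
```

Running `scan(SAMPLE_EVENTS)` yields three findings (two registry writes and one process create) and ignores the two benign events; the same logic applies unchanged to real Sysmon exports parsed into dicts.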
- Adapted from: S12cybersecurity/PrivilegeEscalationClass
- Maintained by: @undefinedable