TokenUniverse

Token Universe

Token Universe is an advanced tool for experimenting and researching Windows security mechanisms. It exposes UI for creating, viewing, impersonating, and modifying access tokens, spawning processes, managing Local Security Authority, checking available access and modifying security of many types of objects, and much more. The program can operate and (at least partially) provide valuable functionality under a wide range of privileges, from LPAC AppContainer sandbox to SYSTEM with SeTcbPrivilege and SeCreateTokenPrivilege.

Downloads

The tool supports Windows 7 and above. See the releases page for pre-compiled binaries.

If you encounter bugs and know how to reproduce them, feel free to open issues. Additionally, you can download debug symbols (TokenUniverse.dbg) from the releases page and place them into the same folder as TokenUniverse.exe, allowing the program to show stack traces on unhandled exceptions.

For instructions on how to compile the project, see a section below.

Features

Viewing & Adjusting Tokens

Opening & Creating Tokens

Example: Logon

Example: Creation

Spawning Processes

Checking Access

Editing Security

Other

Feature list

There are a lot of already implemented features, but there are also many more to go. Here is the overview of both:

Token-related functionality

Obtaining tokens

• Opening process/thread tokens
• Opening all accessible process/thread tokens
• Opening tokens via direct impersonation
• Querying terminal session token
• Logging in users with credentials
• Logging in users without credentials (S4U logon)
• Logging into virtual accounts
• Adding arbitrary group membership while logging users in
• Duplicating tokens
• Duplicating handles
• Searching for opened handles
• Opening linked tokens
• Creating restricted tokens
• Creating restricted tokens via Safer API
• Creating LowBox (AppContainer) tokens
• Creating tokens via NtCreareToken
• Creating anonymous token
• Creating anonymous token with Everyone membership
• Impersonating logon session token via pipes
• Opening clipboard token
• Impersonating BITS

Viewing & editing

• Groups (enable/disable)
• Privileges (enable/disable/remove)
• Session ID
• Integrity level (lower/raise)
• UIAccess, mandatory policy
• Virtualization (enable/disable & allow/disallow)
• Owner and primary group
• Originating logon session
• Default DACL
• Security descriptor
• Security attributes
• Audit overrides
• Handle flags (inherit, protect)
• SID info
• Privilege info

Just Viewing

• User, restricting SIDs
• Statistics, source, flags
• Extended flags (TOKEN_*)
• App container SID
• Verbose terminal session information
• Elevation type
• Logon session information
• Package identity information
• Trust level
• Capabilities
• Claims
• AppModel policy
• Object and handle information (access, attributes, references)
• Object creator (PID)
• List of processes that have handles to this token
• Creation and last modification times

Operations

• Impersonation
• Safe impersonation
• Direct impersonation
• Assigning primary tokens
• Sending handles to another process
• Spawning processes with tokens
• Share with another instance of TokenUniverse
• Comparing tokens
• Linking logon sessions to create UAC-friendly tokens

AppContainers and Packages

• Viewing AppContainer information
• Listing AppContainer profiles per user
• Listing child AppContainers
• Creating/deleting AppContainers
• Viewing package information
• Listing packages

Local Security Authority

• Global audit settings
• Per-user audit settings
• Privilege assignment
• Logon rights assignment
• Virtual account creation
• SID tree
• Viewing/editing security
• Enumerating accounts with right/privilege
• Source of rights in the token
• Quotas

Security Account Manager

• Domain information
• Group information
• Alias information
• User information
• Enumerate domain groups/aliases/users
• Enumerate group members
• Enumerate alias members
• Manage group members
• Manage alias members
• Create groups
• Create aliases
• Create users
• Sam object tree
• Viewing/editing security

Process creation

Methods

• CreateProcessAsUser
• CreateProcessWithToken
• CreateProcessWithLogon (credentials)
• CreateProcess via code injection (no token)
• RtlCreateUserProcess
• RtlCreateUserProcessEx
• NtCreateUserProcess
• NtCreateProcessEx
• ShellExecuteEx (no token)
• ShellExecute via IShellDispatch2 (no token)
• WdcRunTaskAsInteractiveUser (no token)
• WMI
• IDesktopAppXActivator (packaged)

Parameters

• Current directory
• Desktop
• Window show mode
• Flags (inherit handles, create suspended, breakaway from job, …)
• Force job breakaway
• Environmental variables
• Parent process override
• Mitigation policies
• Child process policy
• Process protection (PPL/Full/etc.)
• Custom SxS registration
• Job assignment
• Run as invoker/ignore elevation
• AppContainer SID
• Capabilities
• Security descriptor
• Verify access to desktop/window station

Process & thread list

• Hierarchy
• Icons
• Listing processes from Low integrity & AppContainer
• Suspend/resume support
• Customizable columns
• Highlighting
• Viewing/editing security

Attack Surface Analysis

• Checking access to NT namespace objects
• Namespace object name suggestions
• Checking access to processes/threads/tokens
• Checking access to LSA and SAM accounts
• Checking access to window stations and desktops
• Checking access to services and SCM
• Checking access to file shares
• Checking access to kernel transactions
• Checking access to objects in private namespaces
• Viewing/editing security descriptors
• Enumerating accessible resources

Other

• Restarting as admin
• Restarting as SYSTEM
• Restarting as SYSTEM with SeCreateToken
• Customizable columns
• Settings
• Sharing settings across users
• Graphical hash icons
• Auto-detecting inherited handles
• SID suggestions
• Detailed error status information
• DLL mode

Compiling

To compile the tool, you can use the free Community Edition of Embarcadero Delphi. After installing it, the steps are the following:

1. Clone the project and its submodule dependencies using git clone --recurse-submodules. Alternatively, you can use git submodule update --init after cloning the repository.
2. Make sure there are files under the NtUtilsUI directory, otherwise, you didn\’t clone the submodules.
3. Install VirtualTree for VCL using the IDE menu Tools -> GetIt Package Manager.
4. Open NtUtilsUI\\Components\\VirtualTreesExtension.dproj in the IDE and click Install on the project to register it as a design-time package.
5. Similarly, open NtUtilsUI\\VclEx\\VclExtension.dproj and click Install.
6. Now you can open and build the main TokenUniverse.dproj project.

Additionally, if you also want to generate debug symbols during compilation, you\’ll need map2dbg – a tool that converts *.map files generated by Delphi into *.dbg files that dbghelp.dll can understand. The project is already configured for generating *.map files and using a post-build event, so you can download map2dbg from an answer to this Stack Overflow question and place it somewhere where the Delphi compiler can find and invoke it.