
Start CMD in CMD with CreateProcessWithTokenW

I have a console application which calls the CreateProcessWithTokenW() WinAPI function to create a new process which starts a cmd console. By calling it, it starts a new CMD Window. I want to spawn another cmd within the calling cmd window (not in a new window).

So I want to simulate the same behavior as when you start cmd and type "cmd".

ret = CreateProcessWithTokenW(pNewToken, 0, L"C:\\Windows\\System32\\cmd.exe", NULL, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);

Here is a minimal reproducible code snippet. I added CreateProcess instead of CreateProcessWithToken: if I pass 0 for the 5th argument (dwCreationFlags), it starts the CMD inside the PowerShell window. But for CreateProcessWithToken the behavior is not the same.

Run this code from an elevated PowerShell (because it needs SeDebugPrivilege).

#include <stdio.h> 
#include <Windows.h> 
#include <WinBase.h> 
#include <iostream> 
#include <tchar.h> 

int main() {
    //DEFINE HERE PID OF winlogon.exe
    DWORD pid = 940;

    HANDLE currentProcess = NULL;
    HANDLE AccessToken = NULL;
    //PROCESS_QUERY_INFORMATION is all OpenProcessToken needs; the handle does not have to be inheritable
    currentProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (currentProcess == NULL) {
        printf("OpenProcess failed: %lu\n", GetLastError());
        return 1;
    }
    if (!OpenProcessToken(currentProcess, TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY, &AccessToken)) {
        printf("OpenProcessToken failed: %lu\n", GetLastError());
        return 1;
    }
    HANDLE pToken = AccessToken;
    SECURITY_IMPERSONATION_LEVEL seImpersonateLevel = SecurityImpersonation;
    TOKEN_TYPE tokenType = TokenPrimary;
    //DuplicateTokenEx fills in the handle itself; "new HANDLE" only leaked a heap allocation
    HANDLE pNewToken = NULL;
    if (!DuplicateTokenEx(pToken, MAXIMUM_ALLOWED, NULL, seImpersonateLevel, tokenType, &pNewToken)) {
        printf("DuplicateTokenEx failed: %lu\n", GetLastError());
        return 1;
    }
    STARTUPINFO si = {};
    si.cb = sizeof(si);   //cb must be set before any CreateProcess* call
    PROCESS_INFORMATION pi = {};

    //TEST1
    //Creates a new window for both calls, so the 5th argument seems to be ignored 
    CreateProcessWithTokenW(pNewToken, 0, L"C:\\Windows\\System32\\cmd.exe", NULL, 0, NULL, NULL, &si, &pi);
    CreateProcessWithTokenW(pNewToken, 0, L"cmds.bat", NULL, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);

    //TEST2
    //Creates a new window, expected behavior
    CreateProcessW(L"C:\\Windows\\System32\\cmd.exe", NULL, NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
    //Also creates a new window, NOT the expected behavior
    CreateProcessW(L"C:\\Windows\\System32\\cmd.exe", NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);

    CloseHandle(pNewToken);
    CloseHandle(AccessToken);
    CloseHandle(currentProcess);
    return 0;
}

Get rid of the CREATE_NEW_CONSOLE flag:

CREATE_NEW_CONSOLE (0x00000010)

The new process has a new console, instead of inheriting the parent's console. This flag cannot be used with the DETACHED_PROCESS flag.

This flag is enabled by default.

That flag is what is forcing a new CMD window to be created. Without it, the new process will be created in the existing CMD window of the calling process.

As far as I'm concerned, you should use CREATE_NEW_CONSOLE. According to the code:

ret = CreateProcessWithTokenW(pNewToken, 0, L"C:\\\\Windows\\\\System32\\\\cmd.exe", NULL, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);

The problem is not with the use of the CreateProcessWithTokenW() WinAPI. Could you please provide us with a minimal reproducible example that reproduces the issue?

Here is the code:

#include <Windows.h>
#include <tchar.h>

// NewToken is the primary token returned by DuplicateTokenEx; it is closed here only on failure.
BOOL SpawnCmdWithToken(HANDLE NewToken)
{
    STARTUPINFOEXW startup_info = {};
    startup_info.StartupInfo.cb = sizeof(STARTUPINFOW); // no attribute list is used, so only the plain STARTUPINFO part is passed
    PROCESS_INFORMATION process_info = {};
    BOOL CreateProcTokenRes = FALSE;

    CreateProcTokenRes = CreateProcessWithTokenW(NewToken, 0, L"C:\\Windows\\system32\\cmd.exe", NULL, CREATE_NEW_CONSOLE, NULL, NULL, &startup_info.StartupInfo, &process_info);

    if (!CreateProcTokenRes)
    {
        _tprintf(_T("Cannot Create Process With Token. Failed with Error Code: %lu\n"), GetLastError());
        CloseHandle(NewToken);
        return FALSE;
    }
    CloseHandle(process_info.hThread);
    CloseHandle(process_info.hProcess);
    return TRUE;
}
For more details I suggest you could refer to the link: https://niiconsulting.com/checkmate/2019/11/token-manipulation-attacks-part-2-process-of-impersonation/
