Skip to main content

Overview

SysWhispers4 provides direct syscall access to Windows token manipulation functions. These bypass user-mode hooks on advapi32.dll functions like OpenProcessToken, AdjustTokenPrivileges, etc. Tokens control access rights and privileges for processes and threads. Manipulating tokens is essential for privilege escalation and impersonation techniques.

NtOpenProcessToken

Opens the access token associated with a process.

Parameters

ProcessHandle
HANDLE
required
Handle to the process. Use GetCurrentProcess() for current process, or a handle from SW4_NtOpenProcess().
DesiredAccess
ACCESS_MASK
required
Access rights for the token:
  • TOKEN_QUERY (0x0008) — Query token information
  • TOKEN_ADJUST_PRIVILEGES (0x0020) — Enable/disable privileges
  • TOKEN_DUPLICATE (0x0002) — Duplicate the token
  • TOKEN_ALL_ACCESS (0x000F01FF) — All access rights
TokenHandle
PHANDLE
required
Pointer to variable that receives the token handle.

Example


NtOpenThreadToken

Opens the access token associated with a thread.

Parameters

ThreadHandle
HANDLE
required
Handle to the thread (use GetCurrentThread() for current thread).
DesiredAccess
ACCESS_MASK
required
Access rights (same as NtOpenProcessToken).
OpenAsSelf
BOOLEAN
required
  • TRUE — Open using the calling thread’s security context
  • FALSE — Open using impersonation context
TokenHandle
PHANDLE
required
Receives the token handle.

Example


NtQueryInformationToken

Retrieves information about a token.

Parameters

TokenInformationClass
TOKEN_INFORMATION_CLASS
required
Type of information to retrieve:
  • TokenUser (1) — User SID
  • TokenGroups (2) — Group SIDs
  • TokenPrivileges (3) — Privilege array
  • TokenOwner (4) — Owner SID
  • TokenPrimaryGroup (5) — Primary group SID
  • TokenSessionId (12) — Session ID
  • TokenElevation (20) — Elevation status (UAC)
  • TokenIntegrityLevel (25) — Integrity level
TokenInformation
PVOID
required
Pointer to buffer that receives the information.
TokenInformationLength
ULONG
required
Size of the buffer in bytes.
ReturnLength
PULONG
required
Receives the actual size needed/written.

Example: Check Token Elevation

Example: Enumerate Privileges


NtAdjustPrivilegesToken

Enables or disables privileges in a token.

Parameters

TokenHandle
HANDLE
required
Handle to token with TOKEN_ADJUST_PRIVILEGES access.
DisableAllPrivileges
BOOLEAN
required
If TRUE, disables all privileges (ignores NewState).
NewState
PTOKEN_PRIVILEGES
required
Pointer to TOKEN_PRIVILEGES structure specifying privileges to modify.
BufferLength
ULONG
required
Size of PreviousState buffer (use 0 if not interested).
PreviousState
PTOKEN_PRIVILEGES
Optional buffer to receive previous state (can be NULL).
ReturnLength
PULONG
Receives actual size of previous state (can be NULL).

Example: Enable SeDebugPrivilege

Common Privileges


NtDuplicateToken

Duplicates a token.

Parameters

ExistingTokenHandle
HANDLE
required
Handle to token to duplicate (requires TOKEN_DUPLICATE access).
DesiredAccess
ACCESS_MASK
required
Access rights for the new token.
ObjectAttributes
POBJECT_ATTRIBUTES
Optional attributes (use NULL).
EffectiveOnly
BOOLEAN
required
If TRUE, only enabled privileges are copied.
TokenType
TOKEN_TYPE
required
Type of new token:
  • TokenPrimary (1) — Primary token (for process creation)
  • TokenImpersonation (2) — Impersonation token (for thread impersonation)
NewTokenHandle
PHANDLE
required
Receives the new token handle.

Example: Token Duplication for Impersonation


NtImpersonateThread

Makes a server thread impersonate a client thread’s security context.

Parameters

ServerThreadHandle
HANDLE
required
Handle to the thread that will impersonate (usually GetCurrentThread()).
ClientThreadHandle
HANDLE
required
Handle to the thread being impersonated.
SecurityQos
PSECURITY_QUALITY_OF_SERVICE
required
Pointer to QOS structure:

Example


Complete Example: Token Theft (SYSTEM)

Steal SYSTEM token from a privileged process:

Use Cases

Privilege Escalation

  1. Enable SeDebugPrivilege → Open protected processes
  2. Steal SYSTEM token from winlogon.exe, lsass.exe, or PID 4
  3. Duplicate token as primary or impersonation
  4. Create elevated process or impersonate

Lateral Movement

  1. Duplicate token from remote process (via handle duplication)
  2. Impersonate network logon token
  3. Access remote resources with stolen credentials

Defense Evasion

  • Lower token integrity level to appear less privileged
  • Remove privileges to reduce detection surface
  • Token spoofing to masquerade as different user

Next Steps

Evasion Helpers

SW4_PatchEtw, SW4_PatchAmsi, SW4_UnhookNtdll

Supported Functions

Complete list of all 64 NT functions