Overview
SysWhispers4 provides direct syscall access to Windows token manipulation functions. These bypass user-mode hooks onadvapi32.dll functions like OpenProcessToken, AdjustTokenPrivileges, etc.
Tokens control access rights and privileges for processes and threads. Manipulating tokens is essential for privilege escalation and impersonation techniques.
NtOpenProcessToken
Opens the access token associated with a process.Parameters
Handle to the process. Use
GetCurrentProcess() for current process, or a handle from SW4_NtOpenProcess().Access rights for the token:
TOKEN_QUERY(0x0008) — Query token informationTOKEN_ADJUST_PRIVILEGES(0x0020) — Enable/disable privilegesTOKEN_DUPLICATE(0x0002) — Duplicate the tokenTOKEN_ALL_ACCESS(0x000F01FF) — All access rights
Pointer to variable that receives the token handle.
Example
NtOpenThreadToken
Opens the access token associated with a thread.Parameters
Handle to the thread (use
GetCurrentThread() for current thread).Access rights (same as
NtOpenProcessToken).TRUE— Open using the calling thread’s security contextFALSE— Open using impersonation context
Receives the token handle.
Example
NtQueryInformationToken
Retrieves information about a token.Parameters
Type of information to retrieve:
TokenUser(1) — User SIDTokenGroups(2) — Group SIDsTokenPrivileges(3) — Privilege arrayTokenOwner(4) — Owner SIDTokenPrimaryGroup(5) — Primary group SIDTokenSessionId(12) — Session IDTokenElevation(20) — Elevation status (UAC)TokenIntegrityLevel(25) — Integrity level
Pointer to buffer that receives the information.
Size of the buffer in bytes.
Receives the actual size needed/written.
Example: Check Token Elevation
Example: Enumerate Privileges
NtAdjustPrivilegesToken
Enables or disables privileges in a token.Parameters
Handle to token with
TOKEN_ADJUST_PRIVILEGES access.If
TRUE, disables all privileges (ignores NewState).Pointer to
TOKEN_PRIVILEGES structure specifying privileges to modify.Size of
PreviousState buffer (use 0 if not interested).Optional buffer to receive previous state (can be
NULL).Receives actual size of previous state (can be
NULL).Example: Enable SeDebugPrivilege
Common Privileges
NtDuplicateToken
Duplicates a token.Parameters
Handle to token to duplicate (requires
TOKEN_DUPLICATE access).Access rights for the new token.
Optional attributes (use
NULL).If
TRUE, only enabled privileges are copied.Type of new token:
TokenPrimary(1) — Primary token (for process creation)TokenImpersonation(2) — Impersonation token (for thread impersonation)
Receives the new token handle.
Example: Token Duplication for Impersonation
NtImpersonateThread
Makes a server thread impersonate a client thread’s security context.Parameters
Handle to the thread that will impersonate (usually
GetCurrentThread()).Handle to the thread being impersonated.
Pointer to QOS structure:
Example
Complete Example: Token Theft (SYSTEM)
Steal SYSTEM token from a privileged process:Use Cases
Privilege Escalation
- Enable SeDebugPrivilege → Open protected processes
- Steal SYSTEM token from winlogon.exe, lsass.exe, or PID 4
- Duplicate token as primary or impersonation
- Create elevated process or impersonate
Lateral Movement
- Duplicate token from remote process (via handle duplication)
- Impersonate network logon token
- Access remote resources with stolen credentials
Defense Evasion
- Lower token integrity level to appear less privileged
- Remove privileges to reduce detection surface
- Token spoofing to masquerade as different user
Next Steps
Evasion Helpers
SW4_PatchEtw, SW4_PatchAmsi, SW4_UnhookNtdll
Supported Functions
Complete list of all 64 NT functions
