See the NetSPI blog for full details: https://www.netspi.com/blog/technical/network-penetration-testing/tokenvator-release-3/

(Tokens) > Install_Driver /ServiceName:TokenDriver /Path:C:\Share\KernelTokens.sys

Option               Value
------               -----
servicename          TokenDriver
path                 C:\Share\KernelTokens.sys

[*] Service Name: TokenDriver
[*] Service Path: C:\Share\KernelTokens.sys
[*] Using Service Name TokenDriver
[*] Connecting to .
[+] Connected to .
[*] Full Path: C:\Share\KernelTokens.sys
[+] Opened service
[+] Started Service

(Tokens) > Add_Privilege /Process:notepad /Privilege:SeCreateTokenPrivilegee

Option               Value
------               -----
process              notepad
privilege            SeCreateTokenPrivilege

[+] 8568 notepad
[+] Connected to Driver
[*] Sending IOCTL 2285592
[+] 72 Bytes Returned
[+] PEPROCESS Base Address : 0xFFFFBC0F8A59F080

[+] EX_FAST_REF Base Address : 0xFFFFBC0F8A59F538
[+] EX_FAST_REF Data         : 0xFFFF95027C1ED063

[+] TOKEN Base Address                 : 0xFFFF95027C1ED060
[+] PSEP_TOKEN_PRIVILEGES Base Address : 0xFFFF95027C1ED0A0

[+] Current Present Value : 0x602880000
[+] Updated Present Value : 0x602880004
[+] Enabled               : 0x800000
[+] EnabledByDefault      : 0x40800000
[*] Disconnected from Driver

(Tokens) > List_Privileges /Process:Notepad

Option               Value
------               -----
process              Notepad

[+] 8568 Notepad
Remote: True
Impers: False
[*] Recieved Process Handle 0x02C4
[*] Recieved Token Handle 0x02C8
[*] Enumerating Token Privileges
[*] GetTokenInformation (TokenPrivileges) - Pass 1
[*] GetTokenInformation - Pass 2
[+] Enumerated 6 Privileges

Privilege Name                               Enabled
--------------                               -------
SeCreateTokenPrivilege                       False
SeShutdownPrivilege                          False
SeChangeNotifyPrivilege                      True
SeUndockPrivilege                            False
SeIncreaseWorkingSetPrivilege                False
SeTimeZonePrivilege                          False


(Tokens) > Add_Privilege /Process:notepad /Privilege:SeDebugPrivilege  lege

Option               Value
------               -----
process              notepad
privilege            SeDebugPrivilege

[+] 8568 notepad
[+] Connected to Driver
[*] Sending IOCTL 2285592
[+] 72 Bytes Returned
[+] PEPROCESS Base Address : 0xFFFFBC0F8A59F080

[+] EX_FAST_REF Base Address : 0xFFFFBC0F8A59F538
[+] EX_FAST_REF Data         : 0xFFFF95027C1ED062

[+] TOKEN Base Address                 : 0xFFFF95027C1ED060
[+] PSEP_TOKEN_PRIVILEGES Base Address : 0xFFFF95027C1ED0A0

[+] Current Present Value : 0x602880004
[+] Updated Present Value : 0x602980004
[+] Enabled               : 0x800000
[+] EnabledByDefault      : 0x40800000
[*] Disconnected from Driver

(Tokens) > List_Privileges /Process:Notepad

Option               Value
------               -----
process              Notepad

[+] 8568 Notepad
Remote: True
Impers: False
[*] Recieved Process Handle 0x02C8
[*] Recieved Token Handle 0x02CC
[*] Enumerating Token Privileges
[*] GetTokenInformation (TokenPrivileges) - Pass 1
[*] GetTokenInformation - Pass 2
[+] Enumerated 7 Privileges

Privilege Name                               Enabled
--------------                               -------
SeCreateTokenPrivilege                       False
SeShutdownPrivilege                          False
SeDebugPrivilege                             False
SeChangeNotifyPrivilege                      True
SeUndockPrivilege                            False
SeIncreaseWorkingSetPrivilege                False
SeTimeZonePrivilege                          False

Note: The KernelToken.sys driver is compiled and attached, but is not signed. If you want to test it without signing it run the command bcdedit /debug on and restart.

Note: This release is for .Net 4.5 x64