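├── ntfs-ads.cpp
├── random-icon.py
├── startup.cpp
├── wmi-process-watcher
│   ├── README.rst
│   └── main.cpp
└── wmi-request.cpp

--------------------------------------------------------------------------------
/ntfs-ads.cpp:
--------------------------------------------------------------------------------
/* NTFS Alternate Data Stream reader / Delete the security warning for the executables downloaded from internet
 * File Streams: https://msdn.microsoft.com/en-us/library/windows/desktop/aa364404(v=vs.85).aspx
 * Output:

 - StreamName = ::$DATA
   StreamSize = 0x226418
 - StreamName = :Zone.Identifier:$DATA
   StreamSize = 0x1A
 ------------------
 [ZoneTransfer]
 ZoneId=3

 * Security note: the Zone.Identifier stream is the "mark of the web" that
 * Windows consults before running a downloaded executable (the SmartScreen /
 * "publisher could not be verified" warning). Deleting it silently removes
 * that protection, which is exactly what droppers do; keep the DeleteFile
 * call at the bottom commented out unless you really trust the file.
 */
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#define STREAM_NAME_LENGTH 1024
// Room for one FILE_STREAM_INFO header plus a STREAM_NAME_LENGTH-character name.
// A file with many streams may need more: GetFileInformationByHandleEx then
// fails and GetLastError() reports ERROR_MORE_DATA.
#define STREAM_SIZE (sizeof(FILE_STREAM_INFO) + (STREAM_NAME_LENGTH-1)*sizeof(WCHAR))

// The file to inspect; the Zone.Identifier stream path below is derived from it.
#define TARGET_FILE L"C:\\Users\\Dimitri\\Desktop\\file.exe"

int main() {
    // List all ADS.
    // CreateFile returns a HANDLE and reports failure as INVALID_HANDLE_VALUE;
    // HFILE / HFILE_ERROR belong to the legacy OpenFile API and do not match it.
    HANDLE hFile = CreateFile(TARGET_FILE, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        wprintf(L"error: %X\n", GetLastError());
        return -1;
    }

    // Keep the base pointer apart from the walk cursor: free() needs the base.
    PFILE_STREAM_INFO streamBuffer = (PFILE_STREAM_INFO)malloc(STREAM_SIZE);
    if (streamBuffer == NULL) {
        CloseHandle(hFile);
        return -2;
    }

    ZeroMemory(streamBuffer, STREAM_SIZE);
    BOOL success = GetFileInformationByHandleEx(hFile, FileStreamInfo, streamBuffer, STREAM_SIZE);
    if (!success) {
        wprintf(L"error: %X\n", GetLastError());
        free(streamBuffer);
        CloseHandle(hFile);
        return -3;
    }

    PFILE_STREAM_INFO streamInfo = streamBuffer;
    while (TRUE) {
        // StreamName is not NUL-terminated and StreamNameLength is a byte count,
        // so bound the print with a precision instead of trusting the zeroed buffer.
        wprintf(L"- StreamName = %.*s\n", (int)(streamInfo->StreamNameLength / sizeof(WCHAR)), streamInfo->StreamName);
        // StreamSize is a LARGE_INTEGER; passing the struct itself to %X is undefined.
        wprintf(L"\tStreamSize = 0x%llX\n", (unsigned long long)streamInfo->StreamSize.QuadPart);

        if (streamInfo->NextEntryOffset == 0) {
            break;
        }
        // NextEntryOffset is a byte offset; casting the pointer through DWORD truncates it on x64.
        streamInfo = (PFILE_STREAM_INFO)((BYTE*)streamInfo + streamInfo->NextEntryOffset);
    }
    free(streamBuffer);
    CloseHandle(hFile);

    // Try to read the Zone.Identifier added by the browser
    // ZoneId=0 => My Computer
    // ZoneId=1 => Local Intranet Zone
    // ZoneId=2 => Trusted Sites Zone
    // ZoneId=3 => Internet Zone
    // ZoneId=4 => Restricted Sites Zone
    hFile = CreateFile(TARGET_FILE L":Zone.Identifier:$DATA", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        // A "file not found" here typically just means the file carries no mark-of-the-web.
        wprintf(L"error: %X\n", GetLastError());
        return -4;
    }

    // Read one byte less than the buffer so the terminating NUL survives for printf("%s").
    char buffer[255] = { 0 };
    DWORD dwNbBytes = 0;
    success = ReadFile(hFile, buffer, sizeof(buffer) - 1, &dwNbBytes, NULL);
    CloseHandle(hFile);
    if (!success) {
        return -5;
    }

    printf("------------------\n");
    printf("%s\n", buffer);

    // Delete the security warning for the executables downloaded from internet.
    // Removing the stream strips the mark-of-the-web (same effect as "Unblock" in
    // the file's Properties dialog); expect EDR / Sysmon rules to flag this.
    //DeleteFile(TARGET_FILE L":Zone.Identifier:$DATA");

    return 0;
}
--------------------------------------------------------------------------------
/random-icon.py:
--------------------------------------------------------------------------------
# Generate a random file.ico

from struct import pack
from random import randint

def random_icon(width, height):
    buff = []

    # Icon information
    buff += pack('
# NOTE(review): the listing appears to be cut here; the rest of random-icon.py
# (and the first three lines of startup.cpp) did not survive extraction, so
# nothing below this point can be reconstructed from this page.
--------------------------------------------------------------------------------
/startup.cpp:
--------------------------------------------------------------------------------
// NOTE(review): lines 1-3 of this file are missing from the extracted listing.
#include <windows.h>
#include <shlobj.h>
#include <strsafe.h>

/*
 * Copies the running executable to %APPDATA%\Hello.exe and registers that copy
 * under HKCU\...\Run so it is launched at every logon. This is textbook Run-key
 * persistence: the file copy into AppData plus the Run value write are exactly
 * the events endpoint detection rules look for.
 */
int main() {
    wchar_t currentPath[MAX_PATH] = { 0 };
    unsigned currentPathLen = 0;
    wchar_t installPath[MAX_PATH] = { 0 };
    // Opening quote first; the closing quote is appended after the path.
    // MAX_PATH + 2 holds both quotes and the NUL around a MAX_PATH-1 character path.
    wchar_t regeditPath[MAX_PATH + 2] = L"\"";
    BOOL success = FALSE;
    LSTATUS status = 0;

    // Source: full path of this executable.
    currentPathLen = GetModuleFileName(NULL, currentPath, MAX_PATH);
    if (currentPathLen == 0) {
        return -1;
    }

    // Destination: %APPDATA%\Hello.exe of the current user.
    // hToken is a HANDLE: NULL selects the calling user. The original passed -1,
    // which SHGetFolderPath documents as the *Default User* profile (and which
    // does not convert to HANDLE in C++), inconsistent with the HKCU Run key used below.
    status = SHGetFolderPath(0, CSIDL_APPDATA, NULL, SHGFP_TYPE_DEFAULT, installPath);
    if (status != S_OK) {
        return -1;
    }
    // Fail rather than silently truncate when the profile path is close to MAX_PATH.
    if (FAILED(StringCchCat(installPath, MAX_PATH, L"\\Hello.exe"))) {
        return -1;
    }

    // Copy (nothing to do when already running from the install location).
    if (lstrcmp(currentPath, installPath) == 0) {
        return 1;
    }
    success = CopyFile(currentPath, installPath, FALSE);
    if (!success) {
        return -1;
    }

    // Add a registry entry: the value is the quoted install path.
    lstrcatW(regeditPath, installPath);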
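    lstrcatW(regeditPath, L"\"");

    // HKCU needs no elevation, which is why this persists without any UAC prompt.
    HKEY hKey = NULL;
    status = RegOpenKeyEx(HKEY_CURRENT_USER, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_SET_VALUE, &hKey);
    if (status != ERROR_SUCCESS) {
        return -1;
    }

    // REG_SZ data is a byte count that must include the terminating NUL; the
    // buffer has to be passed as const BYTE* (wchar_t* does not convert implicitly).
    status = RegSetValueEx(hKey, L"Hello", 0, REG_SZ, (const BYTE*)regeditPath, (lstrlenW(regeditPath)+1)*sizeof(wchar_t));
    if (status != ERROR_SUCCESS) {
        RegCloseKey(hKey);
        return -1;
    }

    RegCloseKey(hKey);
    return 0;
}
--------------------------------------------------------------------------------
/wmi-process-watcher/README.rst:
--------------------------------------------------------------------------------

WMI Process Watcher
======================

A technique to asynchronously detect when a process is created using WMI.
I got this idea from the CIA Applied Engineering Division (AED).

The program will produce the following output in a new console::

    [+] New Process!
    -----------------------------
    SECURITY_DESCRIPTOR : 0x0
    TargetInstance : 0xCA1DB0
        Caption : sublime_text.exe
        CommandLine : "C:\Program Files\Sublime Text 3\sublime_text.exe"
        CreationClassName : Win32_Process
        CreationDate : 0xC948EC
        CSCreationClassName : Win32_ComputerSystem
        CSName : DESKTOP-K4H7ATJ
        Description : sublime_text.exe
        ExecutablePath : C:\Program Files\Sublime Text 3\sublime_text.exe
        ExecutionState : 0x0
        Handle : 18360
        HandleCount : 0x84
        InstallDate : 0x0
        KernelModeTime : 0xC9824C
        MaximumWorkingSetSize : 0x564
        MinimumWorkingSetSize : 0xC8
        Name : sublime_text.exe
        OSCreationClassName : Win32_OperatingSystem
        OSName : Microsoft Windows 10 Professionnel|C:\WINDOWS|\Device\Harddisk0\Partition4
        OtherOperationCount : 0xC98184
        OtherTransferCount : 0xC98684
        PageFaults : 0xB64
        PageFileUsage : 0xFA4
        ParentProcessId : 0x3538
        PeakPageFileUsage : 0xFA4
        PeakVirtualSize : 0xCAA734
        PeakWorkingSetSize : 0x2A20
        Priority : 0x8
        PrivatePageCount : 0xCAA75C
        ProcessId : 0x47B8
        QuotaNonPagedPoolUsage : 0xB
        QuotaPagedPoolUsage : 0xC7
        QuotaPeakNonPagedPoolUsage : 0xB
        QuotaPeakPagedPoolUsage : 0xC8
        ReadOperationCount : 0xCA6344
        ReadTransferCount : 0xCAA11C
        SessionId : 0xB
        Status : NULL_STR
        TerminationDate : 0x0
        ThreadCount : 0x5
        UserModeTime : 0xCAA2D4
        VirtualSize : 0xCAA4DC
        WindowsVersion : 10.0.14393
        WorkingSetSize : 0xCAA1BC
        WriteOperationCount : 0xCA63BC
        WriteTransferCount : 0xCA61DC
    TIME_CREATED : 0xC97D2C
--------------------------------------------------------------------------------
/wmi-process-watcher/main.cpp:
--------------------------------------------------------------------------------
#pragma comment(lib, "wbemuuid.lib")
#include <windows.h>
#include <wbemidl.h>
#include <stdio.h>
#include <wchar.h>

// Prints every non-system property of a WMI object, recursing into TargetInstance.
bool dumpClassObject(IWbemClassObject* pClassObject, int indentationLevel = 0);

// Event sink handed to ExecNotificationQueryAsync. WMI calls Indicate() from one
// of its own threads for every matching __InstanceCreationEvent /
// __InstanceDeletionEvent; processCreated only selects the banner that is printed.
class EventSink : public IWbemEventSink {
private:
    LONG m_lRef;
    bool bDone;
    bool m_processCreated;

public:
    // m_lRef starts at 1: the frame that creates the sink owns that reference, so
    // the balanced AddRef/Release pairs WMI performs can never reach zero and
    // `delete this` an object that was allocated on the stack (WinMain does that).
    // The original left m_lRef uninitialized, which made Release() unpredictable.
    EventSink(bool processCreated) : m_lRef(1), bDone(false), m_processCreated(processCreated) {
    }

    virtual HRESULT STDMETHODCALLTYPE QueryInterface(REFIID riid, _COM_Outptr_ void __RPC_FAR *__RPC_FAR *ppvObject) {
        // IWbemEventSink derives from IWbemObjectSink, so all three are the same object.
        if (riid == IID_IUnknown || riid == IID_IWbemObjectSink || riid == IID_IWbemEventSink) {
            *ppvObject = (IWbemEventSink*) this;
            AddRef();
            return WBEM_S_NO_ERROR;
        }
        // COM requires the out pointer to be cleared on failure.
        *ppvObject = NULL;
        return E_NOINTERFACE;
    }

    virtual ULONG STDMETHODCALLTYPE AddRef(void) {
        return InterlockedIncrement(&m_lRef);
    }

    virtual ULONG STDMETHODCALLTYPE Release(void) {
        LONG lRef = InterlockedDecrement(&m_lRef);
        if (lRef == 0)
            delete this;
        return lRef;
    }

    virtual HRESULT STDMETHODCALLTYPE Indicate(long lObjectCount, __RPC__in_ecount_full(lObjectCount) IWbemClassObject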
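**apObjArray) {
        for (long i = 0; i < lObjectCount; i++)
        {
            if (m_processCreated) {
                printf("\n\n[+] New Process!\n");
            } else {
                printf("\n\n[-] Process terminated!\n");
            }

            IWbemClassObject* pObj = apObjArray[i];
            dumpClassObject(pObj);
        }
        return WBEM_S_NO_ERROR;
    };

    virtual HRESULT STDMETHODCALLTYPE SetStatus(long lFlags, HRESULT hResult, __RPC__in_opt BSTR strParam, __RPC__in_opt IWbemClassObject *pObjParam) {
        return WBEM_S_NO_ERROR;
    };

    virtual HRESULT STDMETHODCALLTYPE SetSinkSecurity( long lSDLength, __RPC__in_ecount_full(lSDLength) BYTE *pSD) {
        return WBEM_S_NO_ERROR;
    }

    virtual HRESULT STDMETHODCALLTYPE IsActive(void) {
        return WBEM_S_NO_ERROR;
    }

    // Not implemented: this program never asks for a restricted sink. Clear the
    // out pointer so a caller that ignores the HRESULT cannot dereference garbage.
    virtual HRESULT STDMETHODCALLTYPE GetRestrictedSink(long lNumQueries, __RPC__in_ecount_full(lNumQueries) const LPCWSTR *awszQueries, __RPC__in_opt IUnknown *pCallback, __RPC__deref_out_opt IWbemEventSink **ppSink) {
        if (ppSink != NULL) {
            *ppSink = NULL;
        }
        return E_NOTIMPL;
    }

    virtual HRESULT STDMETHODCALLTYPE SetBatchingParameters(LONG lFlags, DWORD dwMaxBufferSize, DWORD dwMaxSendLatency) {
        return WBEM_S_NO_ERROR;
    }
};

// Dumps every non-system property of pClassObject as "Name : value", indented by
// 4 * indentationLevel spaces. TargetInstance (the embedded Win32_Process of an
// __InstanceCreationEvent / __InstanceDeletionEvent) is dumped recursively.
// Returns false only when GetNames() fails.
bool dumpClassObject(IWbemClassObject* pClassObject, int indentationLevel) {
    SAFEARRAY* pStrNames = NULL;
    HRESULT hError;

    if (indentationLevel == 0) {
        printf("-----------------------------\n");
    }

    hError = pClassObject->GetNames(NULL, WBEM_FLAG_ALWAYS | WBEM_FLAG_NONSYSTEM_ONLY, NULL, &pStrNames);
    if (FAILED(hError)) {
        return false;
    }

    // Defaults give zero elements if either bound lookup fails.
    long lowerBound = 0, upperBound = -1;
    SafeArrayGetLBound(pStrNames, 1, &lowerBound);
    SafeArrayGetUBound(pStrNames, 1, &upperBound);
    long nbElements = upperBound - lowerBound + 1;

    BSTR name;
    VARIANT varVal;
    CIMTYPE cymType;
    for (long i = 0; i < nbElements; i++) {
        // GetNames returns a one-dimensional BSTR array, so pvData can be indexed directly.
        name = ((BSTR*)pStrNames->pvData)[i];

        VariantInit(&varVal);
        hError = pClassObject->Get(name, 0, &varVal, &cymType, NULL);
        if (SUCCEEDED(hError)) {
            if (wcscmp(name, L"TargetInstance") == 0) {
                // TargetInstance is an embedded object (VT_UNKNOWN). Use punkVal:
                // uintVal is 32 bits wide and truncates the pointer on x64.
                IWbemClassObject* pTarget = NULL;
                if (varVal.vt == VT_UNKNOWN && varVal.punkVal != NULL &&
                    SUCCEEDED(varVal.punkVal->QueryInterface(IID_IWbemClassObject, (void**)&pTarget))) {
                    wprintf(L"%*s%s : %p\n", indentationLevel * 4, L"", name, (void*)pTarget);
                    dumpClassObject(pTarget, indentationLevel + 1);
                    pTarget->Release();
                } else {
                    wprintf(L"%*s%s : NULL_OBJ\n", indentationLevel * 4, L"", name);
                }
            } else if (cymType == CIM_STRING || varVal.vt == VT_BSTR) {
                // CIM_DATETIME and CIM_UINT64 values are also delivered as BSTRs.
                if (varVal.vt == VT_BSTR && varVal.bstrVal != NULL) {
                    wprintf(L"%*s%s : %s\n", indentationLevel*4, L"", name, varVal.bstrVal);
                } else {
                    wprintf(L"%*s%s : NULL_STR\n", indentationLevel * 4, L"", name);
                }
            } else {
                wprintf(L"%*s%s : 0x%X\n", indentationLevel * 4, L"", name, varVal.uintVal);
            }
            // Get() hands back an owned VARIANT (BSTR / IUnknown): release it every iteration.
            VariantClear(&varVal);
        }
    }

    // GetNames allocates the SAFEARRAY on the caller's behalf.
    SafeArrayDestroy(pStrNames);
    return true;
}

#define ASSERT(hError) if(FAILED(hError)){return -1;}
// Subscribes to Win32_Process creation / deletion events and pumps messages forever.
// A console is allocated explicitly because this is a GUI-subsystem (WinMain) binary.
int CALLBACK WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
    AllocConsole();
    FILE* fp;
    freopen_s(&fp, "CONOUT$", "w", stdout);

    HRESULT hError = S_OK;
    hError = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    ASSERT(hError);

    // Default authentication level plus impersonation is the usual client setting
    // for local WMI: the queries run under the calling user's token, so the
    // watcher only sees the processes that token is allowed to see.
    hError = CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
    ASSERT(hError);

    IWbemLocator* pLoc = NULL;
    hError = CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID*)&pLoc);
    ASSERT(hError);

    IWbemServices* pWbemServices = NULL;
    hError = pLoc->ConnectServer(L"root\\cimv2", NULL, NULL, NULL, WBEM_FLAG_CONNECT_USE_MAX_WAIT, NULL, NULL, &pWbemServices);
    ASSERT(hError);

    // __InstanceCreationEvent / __InstanceDeletionEvent are intrinsic events: WMI
    // polls Win32_Process at the WITHIN interval (1 s here), so a process that
    // lives shorter than that can be missed entirely. The extrinsic
    // Win32_ProcessStartTrace class does not poll but typically needs an elevated token.
    // NOTE(review): the sinks are stack objects while EventSink::Release() does
    // `delete this` at refcount zero, so m_lRef must never be allowed to reach zero.
    EventSink eventCreated(true);
    hError = pWbemServices->ExecNotificationQueryAsync(L"WQL", L"SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'", 0, NULL, &eventCreated);
    ASSERT(hError);
    EventSink eventTerminated(false);
    hError = pWbemServices->ExecNotificationQueryAsync(L"WQL", L"SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'", 0, NULL, &eventTerminated);
    ASSERT(hError);

    // Nothing posts WM_QUIT, so this pumps until the process is killed.
    MSG msg;
    while (GetMessage(&msg, NULL, 0, 0)) {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }

    // Reached only on WM_QUIT: stop the subscriptions before the sinks go out of scope.
    pWbemServices->CancelAsyncCall(&eventCreated);
    pWbemServices->CancelAsyncCall(&eventTerminated);
    pWbemServices->Release();
    pLoc->Release();
    CoUninitialize();
    return 0;
}
--------------------------------------------------------------------------------
/wmi-request.cpp:
--------------------------------------------------------------------------------
// Performs a WMI request in C++

#pragma comment(lib, "wbemuuid.lib")
#include <windows.h>
#include <wbemidl.h>

#define ASSERT(hError) if(FAILED(hError)){return -1;}

// Queries Win32_Processor and shows the first CPU's Name in a message box.
int CALLBACK WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
    HRESULT hError = S_OK;
    hError = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    ASSERT(hError);

    hError = CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
    ASSERT(hError);

    IWbemLocator* pLoc = NULL;
    hError = CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID*)&pLoc);
    ASSERT(hError);

    IWbemServices* pWbemServices = NULL;
    hError = pLoc->ConnectServer(L"root\\cimv2", NULL, NULL, NULL, WBEM_FLAG_CONNECT_USE_MAX_WAIT, NULL, NULL, &pWbemServices);
    ASSERT(hError);

    IEnumWbemClassObject* pEnumClassObject = NULL;
    hError = pWbemServices->ExecQuery(L"WQL", L"SELECT * FROM Win32_Processor", WBEM_FLAG_FORWARD_ONLY, NULL, &pEnumClassObject);
    ASSERT(hError);

    ULONG ret = 0;
    IWbemClassObject* pClassObject = NULL;
    hError = pEnumClassObject->Next(WBEM_INFINITE, 1L, &pClassObject, &ret);
    ASSERT(hError);
    // Next() reports an exhausted enumeration as WBEM_S_FALSE with ret == 0, a
    // success code, so FAILED() alone would let a NULL pClassObject through.
    if (ret == 0 || pClassObject == NULL) {
        return -1;
    }

    VARIANT varVal;
    VariantInit(&varVal);
    hError = pClassObject->Get(L"Name", 0, &varVal, NULL, NULL);
    // Only display the value when it really is a string; bstrVal is meaningless otherwise.
    if (SUCCEEDED(hError) && varVal.vt == VT_BSTR) {
        MessageBoxW(0, varVal.bstrVal, L"Info", MB_OK|MB_ICONINFORMATION);
    }

    // Get() returns an owned VARIANT; release it and the COM objects before leaving.
    VariantClear(&varVal);
    pClassObject->Release();
    pEnumClassObject->Release();
    pWbemServices->Release();
    pLoc->Release();
    CoUninitialize();
    return 0;
}
--------------------------------------------------------------------------------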