├── README.md
├── bin
    ├── MessageBox32.dll
    └── MessageBox64.dll
└── src
    ├── MessageBox.sdf
    ├── MessageBox.sln
    └── MessageBox
        ├── MessageBox.cpp
        ├── MessageBox.vcxproj
        ├── MessageBox.vcxproj.filters
        ├── dllmain.cpp
        ├── stdafx.cpp
        ├── stdafx.h
        └── targetver.h


/README.md:
--------------------------------------------------------------------------------
1 | # MessageBox
2 | PoC dlls for Task Scheduler COM Hijacking
3 | 


--------------------------------------------------------------------------------
/bin/MessageBox32.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/enigma0x3/MessageBox/a240ca7c609acf76a0f56a91b9d81d62ad032240/bin/MessageBox32.dll


--------------------------------------------------------------------------------
/bin/MessageBox64.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/enigma0x3/MessageBox/a240ca7c609acf76a0f56a91b9d81d62ad032240/bin/MessageBox64.dll


--------------------------------------------------------------------------------
/src/MessageBox.sdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/enigma0x3/MessageBox/a240ca7c609acf76a0f56a91b9d81d62ad032240/src/MessageBox.sdf


--------------------------------------------------------------------------------
/src/MessageBox.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 2013
 4 | VisualStudioVersion = 12.0.40629.0
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MessageBox", "MessageBox\MessageBox.vcxproj", "{307DDB8D-73FA-47A1-AD96-924DBBE21C4C}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|Win32 = Debug|Win32
11 | 		Debug|x64 = Debug|x64
12 | 		Release|Win32 = Release|Win32
13 | 		Release|x64 = Release|x64
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{307DDB8D-73FA-47A1-AD96-924DBBE21C4C}.Debug|Win32.ActiveCfg = Debug|Win32
17 | 		{307DDB8D-73FA-47A1-AD96-924DBBE21C4C}.Debug|Win32.Build.0 = Debug|Win32
18 | 		{307DDB8D-73FA-47A1-AD96-924DBBE21C4C}.Debug|x64.ActiveCfg = Debug|x64
19 | 		{307DDB8D-73FA-47A1-AD96-924DBBE21C4C}.Debug|x64.Build.0 = Debug|x64
20 | 		{307DDB8D-73FA-47A1-AD96-924DBBE21C4C}.Release|Win32.ActiveCfg = Release|Win32
21 | 		{307DDB8D-73FA-47A1-AD96-924DBBE21C4C}.Release|Win32.Build.0 = Release|Win32
22 | 		{307DDB8D-73FA-47A1-AD96-924DBBE21C4C}.Release|x64.ActiveCfg = Release|x64
23 | 		{307DDB8D-73FA-47A1-AD96-924DBBE21C4C}.Release|x64.Build.0 = Release|x64
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | EndGlobal
29 | 


--------------------------------------------------------------------------------
/src/MessageBox/MessageBox.cpp:
--------------------------------------------------------------------------------
1 | // MessageBox.cpp : Defines the exported functions for the DLL application.
2 | //
3 | 
4 | #include "stdafx.h"
5 | 
6 | 
7 | 


--------------------------------------------------------------------------------
/src/MessageBox/MessageBox.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Debug|x64">
  9 |       <Configuration>Debug</Configuration>
 10 |       <Platform>x64</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Release|Win32">
 13 |       <Configuration>Release</Configuration>
 14 |       <Platform>Win32</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <ProjectGuid>{307DDB8D-73FA-47A1-AD96-924DBBE21C4C}</ProjectGuid>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <RootNamespace>MessageBox</RootNamespace>
 25 |   </PropertyGroup>
 26 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 27 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 28 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 29 |     <UseDebugLibraries>true</UseDebugLibraries>
 30 |     <PlatformToolset>v120</PlatformToolset>
 31 |     <CharacterSet>Unicode</CharacterSet>
 32 |   </PropertyGroup>
 33 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 34 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 35 |     <UseDebugLibraries>true</UseDebugLibraries>
 36 |     <PlatformToolset>v120</PlatformToolset>
 37 |     <CharacterSet>Unicode</CharacterSet>
 38 |   </PropertyGroup>
 39 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 40 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 41 |     <UseDebugLibraries>false</UseDebugLibraries>
 42 |     <PlatformToolset>v120</PlatformToolset>
 43 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 44 |     <CharacterSet>Unicode</CharacterSet>
 45 |   </PropertyGroup>
 46 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 47 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 48 |     <UseDebugLibraries>false</UseDebugLibraries>
 49 |     <PlatformToolset>v120</PlatformToolset>
 50 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 51 |     <CharacterSet>Unicode</CharacterSet>
 52 |   </PropertyGroup>
 53 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 54 |   <ImportGroup Label="ExtensionSettings">
 55 |   </ImportGroup>
 56 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 57 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 58 |   </ImportGroup>
 59 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
 60 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 61 |   </ImportGroup>
 62 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 63 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 64 |   </ImportGroup>
 65 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
 66 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 67 |   </ImportGroup>
 68 |   <PropertyGroup Label="UserMacros" />
 69 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 70 |     <LinkIncremental>true</LinkIncremental>
 71 |   </PropertyGroup>
 72 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 73 |     <LinkIncremental>true</LinkIncremental>
 74 |   </PropertyGroup>
 75 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 76 |     <LinkIncremental>false</LinkIncremental>
 77 |   </PropertyGroup>
 78 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 79 |     <LinkIncremental>false</LinkIncremental>
 80 |   </PropertyGroup>
 81 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 82 |     <ClCompile>
 83 |       <PrecompiledHeader>Use</PrecompiledHeader>
 84 |       <WarningLevel>Level3</WarningLevel>
 85 |       <Optimization>Disabled</Optimization>
 86 |       <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;MESSAGEBOX_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 87 |       <SDLCheck>true</SDLCheck>
 88 |     </ClCompile>
 89 |     <Link>
 90 |       <SubSystem>Windows</SubSystem>
 91 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 92 |     </Link>
 93 |   </ItemDefinitionGroup>
 94 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 95 |     <ClCompile>
 96 |       <PrecompiledHeader>Use</PrecompiledHeader>
 97 |       <WarningLevel>Level3</WarningLevel>
 98 |       <Optimization>Disabled</Optimization>
 99 |       <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;MESSAGEBOX_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
100 |       <SDLCheck>true</SDLCheck>
101 |     </ClCompile>
102 |     <Link>
103 |       <SubSystem>Windows</SubSystem>
104 |       <GenerateDebugInformation>true</GenerateDebugInformation>
105 |     </Link>
106 |   </ItemDefinitionGroup>
107 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
108 |     <ClCompile>
109 |       <WarningLevel>Level3</WarningLevel>
110 |       <PrecompiledHeader>Use</PrecompiledHeader>
111 |       <Optimization>MaxSpeed</Optimization>
112 |       <FunctionLevelLinking>true</FunctionLevelLinking>
113 |       <IntrinsicFunctions>true</IntrinsicFunctions>
114 |       <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;MESSAGEBOX_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
115 |       <SDLCheck>true</SDLCheck>
116 |     </ClCompile>
117 |     <Link>
118 |       <SubSystem>Windows</SubSystem>
119 |       <GenerateDebugInformation>true</GenerateDebugInformation>
120 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
121 |       <OptimizeReferences>true</OptimizeReferences>
122 |     </Link>
123 |   </ItemDefinitionGroup>
124 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
125 |     <ClCompile>
126 |       <WarningLevel>Level3</WarningLevel>
127 |       <PrecompiledHeader>Use</PrecompiledHeader>
128 |       <Optimization>MaxSpeed</Optimization>
129 |       <FunctionLevelLinking>true</FunctionLevelLinking>
130 |       <IntrinsicFunctions>true</IntrinsicFunctions>
131 |       <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;MESSAGEBOX_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
132 |       <SDLCheck>true</SDLCheck>
133 |     </ClCompile>
134 |     <Link>
135 |       <SubSystem>Windows</SubSystem>
136 |       <GenerateDebugInformation>true</GenerateDebugInformation>
137 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
138 |       <OptimizeReferences>true</OptimizeReferences>
139 |     </Link>
140 |   </ItemDefinitionGroup>
141 |   <ItemGroup>
142 |     <Text Include="ReadMe.txt" />
143 |   </ItemGroup>
144 |   <ItemGroup>
145 |     <ClInclude Include="stdafx.h" />
146 |     <ClInclude Include="targetver.h" />
147 |   </ItemGroup>
148 |   <ItemGroup>
149 |     <ClCompile Include="dllmain.cpp">
150 |       <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
151 |       <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
152 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
153 |       </PrecompiledHeader>
154 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
155 |       </PrecompiledHeader>
156 |       <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
157 |       <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
158 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
159 |       </PrecompiledHeader>
160 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
161 |       </PrecompiledHeader>
162 |     </ClCompile>
163 |     <ClCompile Include="MessageBox.cpp" />
164 |     <ClCompile Include="stdafx.cpp">
165 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
166 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
167 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
168 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
169 |     </ClCompile>
170 |   </ItemGroup>
171 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
172 |   <ImportGroup Label="ExtensionTargets">
173 |   </ImportGroup>
174 | </Project>


--------------------------------------------------------------------------------
/src/MessageBox/MessageBox.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <Text Include="ReadMe.txt" />
19 |   </ItemGroup>
20 |   <ItemGroup>
21 |     <ClInclude Include="stdafx.h">
22 |       <Filter>Header Files</Filter>
23 |     </ClInclude>
24 |     <ClInclude Include="targetver.h">
25 |       <Filter>Header Files</Filter>
26 |     </ClInclude>
27 |   </ItemGroup>
28 |   <ItemGroup>
29 |     <ClCompile Include="stdafx.cpp">
30 |       <Filter>Source Files</Filter>
31 |     </ClCompile>
32 |     <ClCompile Include="MessageBox.cpp">
33 |       <Filter>Source Files</Filter>
34 |     </ClCompile>
35 |     <ClCompile Include="dllmain.cpp">
36 |       <Filter>Source Files</Filter>
37 |     </ClCompile>
38 |   </ItemGroup>
39 | </Project>


--------------------------------------------------------------------------------
/src/MessageBox/dllmain.cpp:
--------------------------------------------------------------------------------
 1 | // dllmain.cpp : Defines the entry point for the DLL application.
 2 | #include "stdafx.h"
 3 | #include <windows.h>
 4 | 
 5 | BOOL IsElevated() {
 6 | 	BOOL fRet = FALSE;
 7 | 	HANDLE hToken = NULL;
 8 | 	if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
 9 | 		TOKEN_ELEVATION Elevation;
10 | 		DWORD cbSize = sizeof(TOKEN_ELEVATION);
11 | 		if (GetTokenInformation(hToken, TokenElevation, &Elevation, sizeof(Elevation), &cbSize)) {
12 | 			fRet = Elevation.TokenIsElevated;
13 | 		}
14 | 	}
15 | 	if (hToken) {
16 | 		CloseHandle(hToken);
17 | 	}
18 | 	return fRet;
19 | }
20 | 
21 | BOOL APIENTRY DllMain(HMODULE hModule,
22 | 	DWORD  ul_reason_for_call,
23 | 	LPVOID lpReserved
24 | 	)
25 | {
26 | 	switch (ul_reason_for_call)
27 | 	{
28 | 	case DLL_PROCESS_ATTACH:
29 | 		BOOL isAdmin;
30 | 		isAdmin = IsElevated();
31 | 		if (isAdmin) {
32 | 			MessageBox(0, L"High Integrity!", 0, 0);
33 | 			break;
34 | 		}
35 | 		else {
36 | 			MessageBox(0, L"Not High Integrity", 0, 0);
37 | 			break;
38 | 		}
39 | 	case DLL_THREAD_ATTACH:
40 | 	case DLL_THREAD_DETACH:
41 | 	case DLL_PROCESS_DETACH:
42 | 		break;
43 | 	}
44 | 	return TRUE;
45 | }
46 | 


--------------------------------------------------------------------------------
/src/MessageBox/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // MessageBox.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 | 
5 | #include "stdafx.h"
6 | 
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 | 


--------------------------------------------------------------------------------
/src/MessageBox/stdafx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | // or project specific include files that are used frequently, but
 3 | // are changed infrequently
 4 | //
 5 | 
 6 | #pragma once
 7 | 
 8 | #include "targetver.h"
 9 | 
10 | #define WIN32_LEAN_AND_MEAN             // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include <windows.h>
13 | 
14 | 
15 | 
16 | // TODO: reference additional headers your program requires here
17 | 


--------------------------------------------------------------------------------
/src/MessageBox/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | 
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 | 
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 | 
8 | #include <SDKDDKVer.h>
9 | 


--------------------------------------------------------------------------------