gremlinbeet

//
// onexit.h
//
// Defines ON_EXIT macro to create finalizer objects.
// These objects execute specified code when they go out of scope.
// 
// Useful when you can't be bothered writing RAII wrappers for every little thing in 3rd-party code,
// but still want to reduce cognitive load by not tracking stuff you might need to cleanup.
//
// Usage example:

gremlinbeet

// Pseudocode and structs for nt!PsSyscallProviderDispatch.
// For ntosknrl win11 24H2 10.0.26100.1742.
// Restored by Cyra, adjusted by @sixtyvividtails.
//
// See actual research:
// by @gal_kristal: https://gist.github.com/Kristal-g/eec050b3fcea2a77715ef0cff4acf841
// by @0xfluxsec: https://fluxsec.red/alt-syscalls-for-windows-11


// name's mine  // @gal_kristal: _PS_SYSCALL_PROVIDER_SERVICE_DESCRIPTOR_GROUP

smx-smx

XZ Backdoor symbol deobfuscation. Updated as i make progress

rbmm

void RemapSelfInternal(PVOID ImageBase, PVOID TempBase, ULONG SizeOfImage, HANDLE hSection)
{
	if (UnmapViewOfFile(ImageBase))
	{
		PVOID BaseAddress = ImageBase;
		SIZE_T ViewSize = SizeOfImage;

    // for x64 only, because we not pass address of ZwMapViewOfSection
		if (0 <= ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 
			0, 0, 0, &ViewSize, ViewUnmap, 0, PAGE_EXECUTE_READWRITE) && ImageBase == BaseAddress)

rbmm

BOOL UnhookNT()
{
	BOOL fOk = FALSE;

	if (HMODULE hmod = GetModuleHandleW(L"ntdll"))
	{
		if (PIMAGE_NT_HEADERS pinth = RtlImageNtHeader(hmod))
		{

			PVOID BaseAddress = (PBYTE)hmod + pinth->OptionalHeader.BaseOfCode;

rbmm

#include "stdafx.h"

_NT_BEGIN

NTSTATUS CreatePlaceHolder(PCWSTR lpFileName, ULONG SizeOfImage)
{
	struct SEF : IMAGE_DOS_HEADER, IMAGE_NT_HEADERS, IMAGE_SECTION_HEADER
	{
	} y {};

monoxgas

using NtApiDotNet;
using NtApiDotNet.Ndr.Marshal;
using NtApiDotNet.Win32;
using NtApiDotNet.Win32.Rpc.Transport;
using NtApiDotNet.Win32.Security.Authentication;
using NtApiDotNet.Win32.Security.Authentication.Kerberos;
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Client;
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Server;
using NtApiDotNet.Win32.Security.Authentication.Logon;
using System;

antonioCoco

// TcbElevation - Authors: @splinter_code and @decoder_it

#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <stdio.h>

#pragma comment(lib, "Secur32.lib")

void EnableTcbPrivilege(BOOL enforceCheck);

namazso

meta:
  id: coff
  title: Common Object Format File
  file-extension:
    - obj
  license: CC0-1.0
  ks-version: 0.9
  endian: le
doc-ref: https://wiki.osdev.org/COFF
seq:

gladiatx0r

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

• Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
• Relaying that machine authentication to LDAPS for configuring RBCD
• RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.