@blaquee
Last active September 13, 2021 15:58
gistpad-scratch

Service Triggers

Enumerate Services that can be triggered and assess the triggers and the services themselves.

Bluetooth Network Service

Service Name: BluetoothUserService_d94b0

Device Instance Service Information (PnP):

```
Class                       : Bluetooth
FriendlyName                : Realtek Bluetooth Adapter
InstanceId                  : USB\VID_0B05&PID_185C\00E04C000001
Problem                     : CM_PROB_NONE
ConfigManagerErrorCode      : CM_PROB_NONE
ProblemDescription          :
Caption                     : Realtek Bluetooth Adapter
Description                 : Realtek Bluetooth Adapter
InstallDate                 :
Name                        : Realtek Bluetooth Adapter
Status                      : OK
Availability                :
ConfigManagerUserConfig     : False
CreationClassName           : Win32_PnPEntity
DeviceID                    : USB\VID_0B05&PID_185C\00E04C000001
ErrorCleared                :
ErrorDescription            :
LastErrorCode               :
PNPDeviceID                 : USB\VID_0B05&PID_185C\00E04C000001
PowerManagementCapabilities :
PowerManagementSupported    :
StatusInfo                  :
SystemCreationClassName     : Win32_ComputerSystem
SystemName                  : DESKTOP-FG22M69
ClassGuid                   : {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
CompatibleID                : {USB\Class_E0&SubClass_01&Prot_01, USB\Class_E0&SubClass_01, USB\Class_E0}
HardwareID                  : {USB\VID_0B05&PID_185C&REV_0110, USB\VID_0B05&PID_185C}
Manufacturer                : Realtek Semiconductor Corp.
PNPClass                    : Bluetooth
Present                     : True
Service                     : BTHUSB
PSComputerName              :
CimClass                    : ROOT/cimv2:Win32_PnPEntity
CimInstanceProperties       : {Caption, Description, InstallDate, Name...}
CimSystemProperties         : Microsoft.Management.Infrastructure.CimSystemProperties
```

Mshta Notes

The mshta executable is invoked and calls the `WldpGetLockdownPolicy` function.

It sets the `WLDP_HOST_INFORMATION` members to `dwRevision = 1` and `dwHostId = WLDP_HOST_ID_GLOBAL` (1).

This checks the state of the lockdown policy.

It then checks the registry for the CLSID of the mhtml DLL:

```
RegOpenKeyExA(HKEY_CLASSES_ROOT, "clsid\\{25336920-03f9-11cf-8fd0-00aa00686f13}\\InProcServer32", 0, 1u, &hKey)
```

It loads that library, converts the command-line arguments to wide characters and calls the `RunHTMLApplication` export function.

## RPC Notes
When analyzing an implementation, look for `RpcServerRegisterIf`, which registers an interface specification with the RPC server runtime. The structure passed to it contains the definition of the RPC interface hosted by the RPC server.

When a server registers with `RpcServerRegisterIf`, the first parameter is a pointer to a `_RPC_SERVER_INTERFACE` struct:

```c
struct _RPC_SERVER_INTERFACE
{
    unsigned int          Length;                 /* sizeof(_RPC_SERVER_INTERFACE) */
    RPC_SYNTAX_IDENTIFIER InterfaceId;            /* interface UUID + version */
    RPC_SYNTAX_IDENTIFIER TransferSyntax;         /* NDR / NDR64 */
    PRPC_DISPATCH_TABLE   DispatchTable;          /* table of server procedures */
    unsigned int          RpcProtseqEndpointCount;
    PRPC_PROTSEQ_ENDPOINT RpcProtseqEndpoint;
    void                 *DefaultManagerEpv;
    const void           *InterpreterInfo;        /* MIDL_SERVER_INFO */
    unsigned int          Flags;
};
```
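When the struct above is found in a memory dump or an image section rather than in source, the fields worth pulling out are the interface UUID and version, the transfer syntax, and the `DispatchTable`/`InterpreterInfo` addresses (the latter points at the MIDL format strings that describe each procedure). The following is an added example, not code from the gist: a small parser that decodes those fields from raw bytes. It goes beyond the struct listing in that it handles both the x86 layout (`Length == 0x44`) and the x64 layout (`Length == 0x60`). The sample bytes, the interface UUID `{12345678-1234-5678-9ABC-DEF012345678}` and the two pointer values are constructed placeholders; the DCE NDR and NDR64 transfer-syntax GUIDs are the well-known values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* GUID as laid out in memory on Windows (Data1..Data3 little-endian). */
typedef struct { uint32_t data1; uint16_t data2; uint16_t data3; uint8_t data4[8]; } guid_t;

/* Mirrors RPC_SYNTAX_IDENTIFIER: GUID plus RPC_VERSION {MajorVersion, MinorVersion}. */
typedef struct { guid_t uuid; uint16_t major; uint16_t minor; } syntax_id_t;

/* Fields recovered from one _RPC_SERVER_INTERFACE instance. */
typedef struct {
    uint32_t    length;           /* 0x44 on x86, 0x60 on x64 */
    syntax_id_t interface_id;     /* the interface UUID/version the server hosts */
    syntax_id_t transfer_syntax;  /* NDR or NDR64 */
    uint64_t    dispatch_table;   /* address of the RPC_DISPATCH_TABLE */
    uint64_t    interpreter_info; /* address of MIDL_SERVER_INFO (format strings) */
    uint32_t    flags;
} rpc_if_info_t;

#define RPC_IF_LEN_X86 0x44u
#define RPC_IF_LEN_X64 0x60u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rdptr(const uint8_t *p, size_t ptr_size) {
    return ptr_size == 4 ? rd32(p) : (((uint64_t)rd32(p + 4) << 32) | rd32(p));
}
static void rd_syntax(const uint8_t *p, syntax_id_t *s) {
    s->uuid.data1 = rd32(p); s->uuid.data2 = rd16(p + 4); s->uuid.data3 = rd16(p + 6);
    memcpy(s->uuid.data4, p + 8, 8);
    s->major = rd16(p + 16); s->minor = rd16(p + 18);
}

/* Parse an _RPC_SERVER_INTERFACE from raw bytes. The Length field selects the x86 or
 * x64 layout. Returns 0 on success, -1 if the buffer is short or Length is unknown. */
int parse_rpc_server_interface(const uint8_t *buf, size_t len, rpc_if_info_t *out) {
    if (len < 4) return -1;
    uint32_t length = rd32(buf);
    size_t ptr = (length == RPC_IF_LEN_X86) ? 4 : (length == RPC_IF_LEN_X64) ? 8 : 0;
    if (ptr == 0 || len < length) return -1;
    out->length = length;
    rd_syntax(buf + 4,  &out->interface_id);    /* InterfaceId: offset 4, 20 bytes */
    rd_syntax(buf + 24, &out->transfer_syntax); /* TransferSyntax: offset 24 */
    size_t off = (ptr == 8) ? 48 : 44;          /* x64 pads to 8-byte alignment here */
    out->dispatch_table = rdptr(buf + off, ptr); off += ptr;
    off += 4;                                   /* RpcProtseqEndpointCount */
    if (ptr == 8) off = 64;                     /* x64 padding before next pointer */
    off += ptr;                                 /* RpcProtseqEndpoint */
    off += ptr;                                 /* DefaultManagerEpv */
    out->interpreter_info = rdptr(buf + off, ptr); off += ptr;
    out->flags = rd32(buf + off);
    return 0;
}

/* Format a GUID in the usual registry style, without braces. */
void format_uuid(const guid_t *g, char out[37]) {
    snprintf(out, 37, "%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X",
             (unsigned)g->data1, (unsigned)g->data2, (unsigned)g->data3,
             g->data4[0], g->data4[1], g->data4[2], g->data4[3],
             g->data4[4], g->data4[5], g->data4[6], g->data4[7]);
}

/* Well-known transfer syntaxes: DCE NDR {8A885D04-1CEB-11C9-9FE8-08002B104860} v2.0
 * and NDR64 {71710533-BEBA-4937-8319-B5DBEF9CCC36} v1.0. */
const char *transfer_syntax_name(const syntax_id_t *s) {
    static const guid_t ndr   = {0x8A885D04, 0x1CEB, 0x11C9, {0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}};
    static const guid_t ndr64 = {0x71710533, 0xBEBA, 0x4937, {0x83,0x19,0xB5,0xDB,0xEF,0x9C,0xCC,0x36}};
    if (memcmp(&s->uuid, &ndr,   sizeof ndr)   == 0 && s->major == 2) return "NDR";
    if (memcmp(&s->uuid, &ndr64, sizeof ndr64) == 0 && s->major == 1) return "NDR64";
    return "unknown";
}

/* Constructed sample (not from any real binary): a 64-bit _RPC_SERVER_INTERFACE for the
 * made-up interface {12345678-1234-5678-9ABC-DEF012345678} v1.0 using DCE NDR. */
const uint8_t SAMPLE_X64[RPC_IF_LEN_X64] = {
    0x60,0x00,0x00,0x00,                                   /* Length = 0x60 */
    0x78,0x56,0x34,0x12, 0x34,0x12, 0x78,0x56,             /* InterfaceId GUID */
    0x9A,0xBC,0xDE,0xF0,0x12,0x34,0x56,0x78, 0x01,0x00, 0x00,0x00, /* v1.0 */
    0x04,0x5D,0x88,0x8A, 0xEB,0x1C, 0xC9,0x11,             /* TransferSyntax = DCE NDR */
    0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60, 0x02,0x00, 0x00,0x00, /* v2.0 */
    0x00,0x00,0x00,0x00,                                   /* padding */
    0x40,0x23,0x01,0x40,0x01,0x00,0x00,0x00,               /* DispatchTable = 0x140012340 */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,              /* EndpointCount = 0, padding */
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,               /* RpcProtseqEndpoint = NULL */
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,               /* DefaultManagerEpv = NULL */
    0x00,0x00,0x02,0x40,0x01,0x00,0x00,0x00,               /* InterpreterInfo = 0x140020000 */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00               /* Flags = 0, trailing padding */
};

int main(void) {
    rpc_if_info_t info; char uuid[37];
    if (parse_rpc_server_interface(SAMPLE_X64, sizeof SAMPLE_X64, &info) != 0) return 1;
    format_uuid(&info.interface_id.uuid, uuid);
    printf("interface %s v%u.%u\n", uuid, info.interface_id.major, info.interface_id.minor);
    printf("syntax    %s\n", transfer_syntax_name(&info.transfer_syntax));
    printf("dispatch  0x%llx  interp 0x%llx\n",
           (unsigned long long)info.dispatch_table, (unsigned long long)info.interpreter_info);
    return 0;
}
```

With the interface UUID and version in hand, the next step in an assessment is usually to look the UUID up against known Windows interfaces and to walk `DispatchTable` and `InterpreterInfo` to see which procedures the server exposes and how they are reached; `RpcServerRegisterIf` on its own does not say which protocol sequences or security callbacks are attached, so those have to be checked separately.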