-
-
Save rvrsh3ll/fa6825664378e9d2226c61b3dd628e37 to your computer and use it in GitHub Desktop.
A PoC in C# to enable WebClient Programmatically
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System.Runtime.InteropServices; | |
| using System; | |
| /* | |
| * Simple C# PoC to enable WebClient Service Programmatically | |
| * Based on the C++ version from @tirannido (James Forshaw) | |
| * Twitter: https://twitter.com/tiraniddo | |
| * URL: https://www.tiraniddo.dev/2015/03/starting-webclient-service.html | |
| * | |
| * Compile with: | |
| * - 32-bit: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe .\EtwStartWebClient.cs /unsafe | |
| * - 64-bit: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe .\EtwStartWebClient.cs /unsafe | |
| */ | |
| namespace EtwStartWebClient | |
| { | |
| class EtwStartWebClient | |
| { | |
| static void Main(string[] args) | |
| { | |
| if (StartWebClientService()) { | |
| Console.WriteLine("[+] WebClient Service started successfully"); | |
| } | |
| else { | |
| Console.WriteLine("[-] Failed to start WebClient Service"); | |
| } | |
| } | |
| static bool StartWebClientService() | |
| { | |
| Guid _MS_Windows_WebClntLookupServiceTrigger_Provider = new Guid(0x22B6D684, 0xFA63, 0x4578, 0x87, 0xC9, 0xEF, 0xFC, 0xBE, 0x66, 0x43, 0xC7); | |
| Win32.EVENT_DESCRIPTOR eventDescriptor = new Win32.EVENT_DESCRIPTOR(); | |
| ulong regHandle = 0; | |
| Win32.WINERROR winError = Win32.EventRegister( | |
| ref _MS_Windows_WebClntLookupServiceTrigger_Provider, | |
| IntPtr.Zero, | |
| IntPtr.Zero, | |
| ref regHandle | |
| ); | |
| if (winError == ((ulong)Win32.WINERROR.ERROR_SUCCESS)) | |
| { | |
| unsafe { | |
| if (Win32.EventWrite( | |
| regHandle, | |
| ref eventDescriptor, | |
| 0, | |
| null | |
| ) == Win32.WINERROR.ERROR_SUCCESS) { | |
| Win32.EventUnregister(regHandle); | |
| return true; | |
| } | |
| } | |
| } | |
| return false; | |
| } | |
| } | |
| class Win32 | |
| { | |
| public enum WINERROR : ulong { | |
| ERROR_SUCCESS = 0x0, | |
| ERROR_INVALID_PARAMETER = 0x57, | |
| ERROR_INVALID_HANDLE = 0x6, | |
| ERROR_ARITHMETIC_OVERFLOW = 0x216, | |
| ERROR_MORE_DATA = 0xEA, | |
| ERROR_NOT_ENOUGH_MEMORY = 0x8, | |
| STATUS_LOG_FILE_FULL = 0xC0000188, | |
| } | |
| [StructLayout(LayoutKind.Explicit, Size = 16)] | |
| public class EVENT_DESCRIPTOR | |
| { | |
| [FieldOffset(0)] ushort Id = 1; | |
| [FieldOffset(2)] byte Version = 0; | |
| [FieldOffset(3)] byte Channel = 0; | |
| [FieldOffset(4)] byte Level = 4; | |
| [FieldOffset(5)] byte Opcode = 0; | |
| [FieldOffset(6)] ushort Task = 0; | |
| [FieldOffset(8)] long Keyword = 0; | |
| } | |
| [StructLayout(LayoutKind.Explicit, Size = 16)] | |
| public struct EVENT_DATA_DESCRIPTOR | |
| { | |
| [FieldOffset(0)] | |
| internal UInt64 DataPointer; | |
| [FieldOffset(8)] | |
| internal uint Size; | |
| [FieldOffset(12)] | |
| internal int Reserved; | |
| } | |
| [DllImport("Advapi32.dll", SetLastError = true)] | |
| public static extern WINERROR EventRegister(ref Guid guid, [Optional] IntPtr EnableCallback, [Optional] IntPtr CallbackContext, [In][Out] ref ulong RegHandle); | |
| [DllImport("Advapi32.dll", SetLastError = true)] | |
| public static extern unsafe WINERROR EventWrite(ulong RegHandle, ref EVENT_DESCRIPTOR EventDescriptor, uint UserDataCount, EVENT_DATA_DESCRIPTOR* UserData); | |
| [DllImport("Advapi32.dll", SetLastError = true)] | |
| public static extern WINERROR EventUnregister(ulong RegHandle); | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment