Create a gist now

Instantly share code, notes, and snippets.

@shramos /mitigate_service.py Secret
Last active Feb 16, 2018

What would you like to do?
import win32service
import win32serviceutil
import win32event
import win32security
import select
from multiprocessing.connection import Listener, Client
from winreg import *
from _winreg import HKEY_LOCAL_MACHINE as HKLM
from _winreg import HKEY_USERS
import os
class MitigateSvc(win32serviceutil.ServiceFramework):
"""Service class.
Note
----
_svc_name_ : str
You can NET START/STOP the service by the following name.
_svc_display_name_ : str
This text shows up as the service name in the Service.
_svc_description_ : str
This text shows up as the description in the SCM.
Attributes
----------
hWaitStop : :obj:`Event`
Event to listen for stop requests.
conn : :obj:`Connection`
Handles the connection of a Client.
"""
_svc_name_ = "MitigateSvc"
_svc_display_name_ = "Mitigate Service"
_svc_description_ = "This service mitigates the UAC bypass and DLL Hijacking"
DEBUG_KEY = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
def __init__(self, args):
win32serviceutil.ServiceFramework.__init__(self, args)
self.hWaitStop = win32event.CreateEvent(None, 0, 0, None)
self.conn = None
self.binlist = ['sdclt.exe']
self.user_name = 'santi'
def SvcDoRun(self):
"""Core logic of the service."""
registry = Registry()
rc = None
self.add_debugger(self.binlist)
while rc != win32event.WAIT_OBJECT_0:
print "Waiting for the listener..."
listener = Listener(('localhost', 5555), authkey="password")
self.conn = listener.accept()
rc = win32event.WaitForSingleObject(self.hWaitStop, 1000)
# if the service stops while it is waiting in the Listener
if rc == win32event.WAIT_OBJECT_0:
break
while True:
ready = select.select([self.conn], [], [], 999999)
if ready[0]:
print "Mensaje recibido, escribiendo..."
try:
data = self.conn.recv()
except:
print "Saliendo..."
self.conn = None
break
if type(data) is list and len(data) == 2 and data[0] in self.binlist:
self.del_debugger([data[0]])
# Managing the "bad" path
reg_path = self.get_hkcu() + "\\" + data[1]
k = registry.open_key(HKEY_USERS, reg_path)
if k:
registry.delete_key(HKEY_USERS, reg_path)
# Ejecucion del binario
print "Sending message to execute"
self.conn.send(["execute", data[0]])
ready2 = select.select([self.conn], [], [], 20)
# Setting the debugger key before breaking connection
self.add_debugger([data[0]])
self.conn.close()
listener.close()
self.conn = None
break
rc = win32event.WaitForSingleObject(self.hWaitStop, 1000)
# Aqui el codigo de finalizacion
self.del_debugger(self.binlist)
print "Cerrando el servicio"
# called when we're being shut down
def SvcStop(self):
# tell the SCM we're shutting down
self.ReportServiceStatus(win32service.SERVICE_STOP_PENDING)
# fire the stop event
win32event.SetEvent(self.hWaitStop)
# Close the listener
if self.conn:
self.conn.close()
else:
Client(('localhost', 5555), authkey='password')
def add_debugger(self, binlist):
"""Adds debugger registry key for each of the processes
in the list."""
registry = Registry()
for binary in binlist:
path = self.DEBUG_KEY + binary
k = registry.open_key(HKLM, path)
if not(k):
k = registry.create_key(HKLM, path)
payload = self.build_payload(binary[:-3] + "pyw")
registry.create_value(k,
"debugger",
payload)
def del_debugger(self, binlist):
"""Deletes debugger registry key for each of the processes
in the list."""
registry = Registry()
for binary in binlist:
path = self.DEBUG_KEY + binary
k = registry.open_key(HKLM, path)
if not(k):
return
registry.del_value(k, "debugger")
def build_payload(self, binary):
return "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -Command \"\"\"\"& '%s%s'\"\"\"\"\"\", 0 : window.close\")" % (self.agents_path(), binary)
def agents_path(self):
dirpath = os.path.dirname(os.path.realpath(__file__))
return str(dirpath) + "\\agents\\"
def get_hkcu(self):
sid = win32security.LookupAccountName(None, self.user_name)[0]
return str(win32security.ConvertSidToStringSid(sid))
if __name__ == '__main__':
win32serviceutil.HandleCommandLine(MitigateSvc)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment