import win32service
import win32serviceutil
import win32event
import win32security
import select
from multiprocessing.connection import Listener, Client
from winreg import *
from _winreg import HKEY_LOCAL_MACHINE as HKLM
from _winreg import HKEY_USERS
import os
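class MitigateSvc(win32serviceutil.ServiceFramework):
    """Windows service that hooks a list of executables through an IFEO
    ``debugger`` value and, on request from a local client, removes the
    per-user registry keys a UAC-bypass payload plants for them.

    Note
    ----
    _svc_name_ : str
        You can NET START/STOP the service by the following name.
    _svc_display_name_ : str
        This text shows up as the service name in the Service.
    _svc_description_ : str
        This text shows up as the description in the SCM.

    Security notes (review)
    -----------------------
    * ``add_debugger`` writes ``HKLM\\...\\Image File Execution Options\\<exe>\\debugger``,
      so every launch of a listed binary is redirected to the mshta -> VBScript
      -> PowerShell command built by :meth:`build_payload`.  That is itself a
      classic persistence / LOLBin chain: whoever controls the agents directory
      or this service decides what runs instead of those binaries.
    * The control channel is ``multiprocessing.connection`` on ``LISTEN_ADDRESS``
      protected only by the fixed, source-visible ``AUTH_KEY``.
      ``Connection.recv`` unpickles whatever the peer sends, so any local user
      who knows the key gets code execution in this service's security context
      (services commonly run as LocalSystem - confirm for this deployment).
      Replace ``AUTH_KEY`` before installing; Python 3 requires it to be bytes.
    * The client names the HKEY_USERS sub-path that gets deleted (``data[1]``).
      Only a shape check is applied here, not an allow-list of known hijack keys.
    * The module imports both ``winreg`` (Python 3) and ``_winreg`` (Python 2);
      only one of them can succeed on a given interpreter.

    Attributes
    ----------
    hWaitStop : :obj:`Event`
        Auto-reset event signalled by :meth:`SvcStop`.
    conn : :obj:`Connection`
        Connection of the currently served client, or None.
    binlist : list[str]
        Executables whose IFEO debugger value is managed.
    user_name : str
        Account whose HKEY_USERS hive is cleaned.
    """
    _svc_name_ = "MitigateSvc"
    _svc_display_name_ = "Mitigate Service"
    _svc_description_ = "This service mitigates the UAC bypass and DLL Hijacking"
    DEBUG_KEY = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"

    # Control channel.  NOTE(review): shared secret hard-coded in source.
    LISTEN_ADDRESS = ('localhost', 5555)
    AUTH_KEY = "password"
    # Seconds to wait for the client to react to the "execute" message before
    # the debugger hook is put back.
    EXECUTE_ACK_TIMEOUT = 20
    # Effectively "block until the peer sends or closes".
    IDLE_TIMEOUT = 999999
    # Defaults that used to be hard-coded inside __init__.
    USER_NAME = 'santi'
    DEFAULT_BINLIST = ('sdclt.exe',)

    # Accept both str and unicode request paths on Python 2, str on Python 3.
    try:
        _STRING_TYPES = (str, unicode)  # noqa: F821 - Python 2 only
    except NameError:
        _STRING_TYPES = (str,)

    def __init__(self, args):
        """Create the stop event and the per-instance configuration."""
        win32serviceutil.ServiceFramework.__init__(self, args)
        self.hWaitStop = win32event.CreateEvent(None, 0, 0, None)
        self.conn = None
        # Fresh list per instance so callers mutating it never share state.
        self.binlist = list(self.DEFAULT_BINLIST)
        self.user_name = self.USER_NAME

    def SvcDoRun(self):
        """Core logic of the service.

        Installs the debugger hook for every binary in ``binlist``, then
        serves one client connection at a time until the stop event fires.
        The hook is removed again on the way out, even if serving fails.
        """
        registry = Registry()
        self.add_debugger(self.binlist)
        try:
            while not self._stop_requested():
                # One listener per client.  It is closed explicitly below
                # rather than left to garbage collection: Windows sockets do
                # not get SO_REUSEADDR here, so a lingering listener would make
                # the next bind of the port fail.
                listener = Listener(self.LISTEN_ADDRESS, authkey=self.AUTH_KEY)
                try:
                    print("Waiting for the listener...")
                    self.conn = listener.accept()
                    # SvcStop wakes a blocked accept() with a throw-away
                    # client; in that case leave without serving it.
                    if self._stop_requested():
                        break
                    self._serve_one_client(registry)
                finally:
                    listener.close()
                    self.conn = None
        finally:
            # Shutdown: unhook everything we hooked.
            self.del_debugger(self.binlist)
            print("Cerrando el servicio")

    def _stop_requested(self, timeout_ms=1000):
        """Wait up to ``timeout_ms`` for the stop event; True once it fires.

        ``hWaitStop`` is created auto-reset, so a signalled event is consumed
        by the first successful wait - callers must act on True immediately.
        """
        rc = win32event.WaitForSingleObject(self.hWaitStop, timeout_ms)
        return rc == win32event.WAIT_OBJECT_0

    def _is_valid_request(self, data):
        """True for ``[exe_name, user_key_path]`` with a managed ``exe_name``.

        NOTE(review): ``user_key_path`` is only shape-checked (non-empty
        string); the client can still name any key under the user's hive.
        """
        if not (isinstance(data, list) and len(data) == 2):
            return False
        exe_name, bad_path = data
        return (exe_name in self.binlist
                and isinstance(bad_path, self._STRING_TYPES)
                and bool(bad_path.strip()))

    def _serve_one_client(self, registry):
        """Read messages from ``self.conn`` until one valid request is handled
        or the peer goes away.

        For a valid ``[exe_name, user_key_path]``: drop the debugger hook for
        ``exe_name``, delete ``HKEY_USERS\\<sid>\\<user_key_path>`` if present,
        tell the client to run the real binary, then re-install the hook.
        Invalid messages are ignored and the loop keeps waiting.
        """
        conn = self.conn
        while True:
            ready, _, _ = select.select([conn], [], [], self.IDLE_TIMEOUT)
            if not ready:
                continue
            print("Mensaje recibido, escribiendo...")
            try:
                # NOTE(review): recv() unpickles peer-supplied data; only the
                # shared AUTH_KEY stands between a local user and arbitrary
                # code execution in this process.
                data = conn.recv()
            except (EOFError, IOError, OSError):
                # Peer closed (or SvcStop closed our end) - stop serving.
                print("Saliendo...")
                return
            if not self._is_valid_request(data):
                continue
            exe_name, bad_path = data
            self.del_debugger([exe_name])
            # Managing the "bad" path: remove the hijacked key from the user's hive.
            reg_path = self.get_hkcu() + "\\" + bad_path
            if registry.open_key(HKEY_USERS, reg_path):
                registry.delete_key(HKEY_USERS, reg_path)
            # Let the client start the real binary while the hook is off.
            print("Sending message to execute")
            conn.send(["execute", exe_name])
            select.select([conn], [], [], self.EXECUTE_ACK_TIMEOUT)
            # Setting the debugger key before breaking connection
            self.add_debugger([exe_name])
            conn.close()
            return

    def SvcStop(self):
        """Called by the SCM when the service is being shut down."""
        self.ReportServiceStatus(win32service.SERVICE_STOP_PENDING)
        # Fire the stop event first so SvcDoRun exits as soon as it wakes up.
        win32event.SetEvent(self.hWaitStop)
        if self.conn:
            # A client is being served: closing its connection makes recv()
            # fail and SvcDoRun fall through to the stop check.
            self.conn.close()
            return
        # Nobody connected, so SvcDoRun is most likely blocked in accept():
        # connect a throw-away client to wake it.  Best effort - if no listener
        # is bound at this instant, SvcDoRun's periodic stop check still sees
        # the event.
        try:
            Client(self.LISTEN_ADDRESS, authkey=self.AUTH_KEY).close()
        except (EOFError, IOError, OSError):
            pass

    def add_debugger(self, binlist):
        """Set the IFEO ``debugger`` value for each executable in ``binlist``.

        The value launches the ``<name>.pyw`` agent next to this file in place
        of the real binary (see :meth:`build_payload`).  Missing IFEO keys are
        created under HKLM.
        """
        registry = Registry()
        for binary in binlist:
            path = self.DEBUG_KEY + binary
            key = registry.open_key(HKLM, path) or registry.create_key(HKLM, path)
            # Swap the extension itself rather than the last three characters,
            # so the mapping also holds for names whose extension is not 3 chars.
            agent = os.path.splitext(binary)[0] + ".pyw"
            registry.create_value(key, "debugger", self.build_payload(agent))

    def del_debugger(self, binlist):
        """Remove the IFEO ``debugger`` value for each executable in ``binlist``.

        Executables without an IFEO key are skipped.  (The previous version
        returned on the first missing key, leaving later binaries hooked.)
        """
        registry = Registry()
        for binary in binlist:
            key = registry.open_key(HKLM, self.DEBUG_KEY + binary)
            if not key:
                continue
            registry.del_value(key, "debugger")

    def build_payload(self, binary):
        """Return the IFEO debugger command line for agent script ``binary``.

        The command runs ``mshta`` with inline VBScript that starts a hidden
        PowerShell executing ``<agents_path><binary>``.  Both parts are spliced
        in unquoted: a single quote or other shell metacharacter in the agents
        directory or in ``binary`` breaks (or alters) the PowerShell call.
        Callers pass names derived from ``binlist`` and ``__file__``, not
        client input - keep it that way.
        """
        return "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -Command \"\"\"\"& '%s%s'\"\"\"\"\"\", 0 : window.close\")" % (self.agents_path(), binary)

    def agents_path(self):
        """Return ``<directory of this file>\\agents\\`` (Windows separators)."""
        dirpath = os.path.dirname(os.path.realpath(__file__))
        return dirpath + "\\agents\\"

    def get_hkcu(self):
        """Return the string SID of ``user_name``, i.e. that user's sub-key
        name under HKEY_USERS (its HKCU hive while the profile is loaded).

        Raises whatever ``win32security.LookupAccountName`` raises when the
        account cannot be resolved.
        """
        sid, _domain, _sid_type = win32security.LookupAccountName(None, self.user_name)
        return str(win32security.ConvertSidToStringSid(sid))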
if __name__ == '__main__':
    # pywin32 parses argv (install / start / stop / remove / debug ...) and
    # drives the service class accordingly.
    service_cls = MitigateSvc
    win32serviceutil.HandleCommandLine(service_cls)