Fixed multiple issues with the atomic test which was broken: (#2490)
- Added a spool service startype check / update required to execute at boot as the service is dissabled in many VMs, - Removed reg delete in test preventing successful execution, - Updated commands to deal more gracefully with errors which were sometimes interrupting cleanup, - Fixed DLL which was also broken: - The EnumPrintProcessorDatatypesW needed for execution was not exported - The Payload code was outside of the EnumPrintProcessorDatatypesW which is the function that gets called when the procesor gets loaded - Added fixed source and build commands Co-authored-by: Thomas De Brelaz <thomas.de-brelaz@ubisoft.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
Thomas de Brelaz
@@ -18,19 +18,19 @@ atomic_tests:
|
||||
default: 0
|
||||
executor:
|
||||
command: |
|
||||
if( $(get-service -Name spooler).StartType -eq "Disabled") {Set-Service -Name "spooler" -StartupType Automatic}
|
||||
net stop spooler
|
||||
Copy-Item $PathToAtomicsFolder\T1547.012\bin\PrintProcessor.dll C:\Windows\System32\spool\prtprocs\x64\PrintProcessor.dll
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "PrintProcessor.dll" /t REG_SZ /f
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /f >nul 2>&1
|
||||
Copy-Item $PathToAtomicsFolder\T1547.012\bin\AtomicTest.dll C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "AtomicTest.dll" /t REG_SZ /f
|
||||
net start spooler
|
||||
if(#{restart}){
|
||||
Restart-Computer
|
||||
}
|
||||
cleanup_command: |
|
||||
net stop spooler
|
||||
rm -force C:\Windows\System32\spool\prtprocs\x64\PrintProcessor.dll
|
||||
rm -force C:\Users\Public\AtomicRedTeam.txt
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /f >nul 2>&1
|
||||
rm -force C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll -ErrorAction SilentlyContinue
|
||||
rm -force C:\Users\Public\AtomicTest.txt -ErrorAction SilentlyContinue
|
||||
remove-item "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" -Force -ErrorAction SilentlyContinue
|
||||
net start spooler
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
|
||||
Binary file not shown.
Binary file not shown.
@@ -1,23 +1,33 @@
|
||||
#include "pch.h"
|
||||
#include <windows.h>
|
||||
#include <stdio.h>
|
||||
#include <fstream>
|
||||
|
||||
#define DllExport __declspec(dllexport)
|
||||
|
||||
extern "C" __declspec(dllexport) void PayloadFunction()
|
||||
__declspec(dllexport) void PayloadFunction()
|
||||
{
|
||||
std::ofstream outfile("C:\\Users\\Public\\AtomicTest.txt");
|
||||
outfile << "AtomicRedTeam test for T1547.012" << std::endl;
|
||||
outfile.close();
|
||||
HANDLE hFile;
|
||||
hFile = CreateFile("C:\\Users\\Public\\AtomicTest.txt",
|
||||
GENERIC_WRITE,
|
||||
0,
|
||||
NULL,
|
||||
CREATE_ALWAYS,
|
||||
FILE_ATTRIBUTE_NORMAL,
|
||||
NULL);
|
||||
|
||||
if (hFile == INVALID_HANDLE_VALUE)
|
||||
{
|
||||
printf("Unable to create file\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
extern "C" DllExport BOOL ClosePrintProcessor(HANDLE hPrintProcessor)
|
||||
BOOL ClosePrintProcessor(HANDLE hPrintProcessor)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
|
||||
extern "C" DllExport BOOL ControlPrintProcessor(HANDLE hPrintProcessor, DWORD Command)
|
||||
BOOL ControlPrintProcessor(HANDLE hPrintProcessor, DWORD Command)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
@@ -25,10 +35,11 @@ extern "C" DllExport BOOL ControlPrintProcessor(HANDLE hPrintProcessor, DWORD Co
|
||||
BOOL EnumPrintProcessorDatatypesW(LPWSTR pName, LPWSTR pPrintProcessorName, DWORD Level, LPBYTE pDatatypes, DWORD cbBuf, LPDWORD pcbNeeded, LPDWORD pcReturned)
|
||||
{
|
||||
// executes when DLL is loaded
|
||||
PayloadFunction();
|
||||
return 1;
|
||||
}
|
||||
|
||||
extern "C" DllExport DWORD GetPrintProcessorCapabilities(LPTSTR pValueName, DWORD dwAttributes, LPBYTE pData, DWORD nSize, LPDWORD pcbNeeded)
|
||||
DWORD GetPrintProcessorCapabilities(LPTSTR pValueName, DWORD dwAttributes, LPBYTE pData, DWORD nSize, LPDWORD pcbNeeded)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
@@ -43,12 +54,12 @@ typedef struct _PRINTPROCESSOROPENDATA {
|
||||
LPWSTR pPrinterName;
|
||||
} PRINTPROCESSOROPENDATA, * PPRINTPROCESSOROPENDATA, * LPPRINTPROCESSOROPENDATA;
|
||||
|
||||
extern "C" DllExport HANDLE OpenPrintProcessor(LPWSTR pPrinterName, PPRINTPROCESSOROPENDATA pPrintProcessorOpenData)
|
||||
HANDLE OpenPrintProcessor(LPWSTR pPrinterName, PPRINTPROCESSOROPENDATA pPrintProcessorOpenData)
|
||||
{
|
||||
return (HANDLE)11;
|
||||
}
|
||||
|
||||
extern "C" DllExport BOOL PrintDocumentOnPrintProcessor(HANDLE hPrintProcessor, LPWSTR pDocumentName)
|
||||
BOOL PrintDocumentOnPrintProcessor(HANDLE hPrintProcessor, LPWSTR pDocumentName)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
@@ -58,10 +69,11 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
|
||||
switch (fdwReason)
|
||||
{
|
||||
case DLL_PROCESS_ATTACH:
|
||||
PayloadFunction();
|
||||
break;
|
||||
case DLL_THREAD_ATTACH:
|
||||
break;
|
||||
case DLL_PROCESS_DETACH:
|
||||
break;
|
||||
case DLL_THREAD_DETACH:
|
||||
break;
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
EXPORTS
|
||||
ClosePrintProcessor
|
||||
ControlPrintProcessor
|
||||
EnumPrintProcessorDatatypesW
|
||||
GetPrintProcessorCapabilities
|
||||
OpenPrintProcessor
|
||||
PrintDocumentOnPrintProcessor
|
||||
@@ -0,0 +1 @@
|
||||
cl.exe /W0 /D_USRDLL /D_WINDLL AtomicTest.c AtomicTest.def /MT /link /DLL /OUT:AtomicTest.dll
|
||||
Reference in New Issue
Block a user