diff --git a/atomics/T1547.012/T1547.012.yaml b/atomics/T1547.012/T1547.012.yaml index 98bb61e6..7a8fa7ea 100644 --- a/atomics/T1547.012/T1547.012.yaml +++ b/atomics/T1547.012/T1547.012.yaml @@ -18,19 +18,19 @@ atomic_tests: default: 0 executor: command: | + if( $(get-service -Name spooler).StartType -eq "Disabled") {Set-Service -Name "spooler" -StartupType Automatic} net stop spooler - Copy-Item $PathToAtomicsFolder\T1547.012\bin\PrintProcessor.dll C:\Windows\System32\spool\prtprocs\x64\PrintProcessor.dll - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "PrintProcessor.dll" /t REG_SZ /f - reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /f >nul 2>&1 + Copy-Item $PathToAtomicsFolder\T1547.012\bin\AtomicTest.dll C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll + reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "AtomicTest.dll" /t REG_SZ /f net start spooler if(#{restart}){ Restart-Computer } cleanup_command: | net stop spooler - rm -force C:\Windows\System32\spool\prtprocs\x64\PrintProcessor.dll - rm -force C:\Users\Public\AtomicRedTeam.txt - reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /f >nul 2>&1 + rm -force C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll -ErrorAction SilentlyContinue + rm -force C:\Users\Public\AtomicTest.txt -ErrorAction SilentlyContinue + remove-item "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" -Force -ErrorAction SilentlyContinue net start spooler name: powershell elevation_required: true diff --git a/atomics/T1547.012/bin/AtomicTest.dll b/atomics/T1547.012/bin/AtomicTest.dll new file mode 100644 index 00000000..b9e063ca Binary files /dev/null and b/atomics/T1547.012/bin/AtomicTest.dll differ 
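Review bot: The new first line of `command` switches a Disabled spooler to `Automatic`, but `cleanup_command` never reverts it, so a host whose Print Spooler was deliberately disabled finishes the test with the service enabled and running. The command and cleanup run as separate invocations, so a PowerShell variable cannot carry the original value across; persist `(Get-Service -Name spooler).StartType` to a file in `command` and read it back in `cleanup_command` to `Set-Service -StartupType` it again, or at minimum state in the test description that the spooler may be left set to Automatic. The rest of the cleanup looks consistent with the new DLL and marker-file names.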
diff --git a/atomics/T1547.012/bin/PrintProcessor.dll b/atomics/T1547.012/bin/PrintProcessor.dll deleted file mode 100644 index b47936b4..00000000 Binary files a/atomics/T1547.012/bin/PrintProcessor.dll and /dev/null differ diff --git a/atomics/T1547.012/src/dllmain.cpp b/atomics/T1547.012/src/AtomicTest.c similarity index 51% rename from atomics/T1547.012/src/dllmain.cpp rename to atomics/T1547.012/src/AtomicTest.c index 515a143c..ba8fe068 100644 --- a/atomics/T1547.012/src/dllmain.cpp +++ b/atomics/T1547.012/src/AtomicTest.c @@ -1,23 +1,33 @@ -#include "pch.h" #include #include -#include #define DllExport __declspec(dllexport) -extern "C" __declspec(dllexport) void PayloadFunction() +__declspec(dllexport) void PayloadFunction() { - std::ofstream outfile("C:\\Users\\Public\\AtomicTest.txt"); - outfile << "AtomicRedTeam test for T1547.012" << std::endl; - outfile.close(); + HANDLE hFile; + hFile = CreateFile("C:\\Users\\Public\\AtomicTest.txt", + GENERIC_WRITE, + 0, + NULL, + CREATE_ALWAYS, + FILE_ATTRIBUTE_NORMAL, + NULL); + + if (hFile == INVALID_HANDLE_VALUE) + { + printf("Unable to create file\n"); + return -1; + } + } -extern "C" DllExport BOOL ClosePrintProcessor(HANDLE hPrintProcessor) +BOOL ClosePrintProcessor(HANDLE hPrintProcessor) { return 1; } -extern "C" DllExport BOOL ControlPrintProcessor(HANDLE hPrintProcessor, DWORD Command) +BOOL ControlPrintProcessor(HANDLE hPrintProcessor, DWORD Command) { return 1; } 
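Review bot: PayloadFunction never closes the handle returned by `CreateFile` and returns `-1` from a `void` function; add `CloseHandle(hFile);` after the `INVALID_HANDLE_VALUE` check and change `return -1;` to `return;`. The `/W0` in build.bat is what keeps the void-return warning out of sight. The removed C++ version also wrote a marker line into the file, whereas this one only creates an empty C:\Users\Public\AtomicTest.txt, which looks unintended unless the file's existence is the only signal the test needs; please confirm. The `printf` on the failure path has no console to reach inside a service-hosted DLL, so the error is effectively silent; `OutputDebugString` or simply dropping it would be clearer.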
@@ -25,10 +35,11 @@ extern "C" DllExport BOOL ControlPrintProcessor(HANDLE hPrintProcessor, DWORD Co BOOL EnumPrintProcessorDatatypesW(LPWSTR pName, LPWSTR pPrintProcessorName, DWORD Level, LPBYTE pDatatypes, DWORD cbBuf, LPDWORD pcbNeeded, LPDWORD pcReturned) { // executes when DLL is loaded + PayloadFunction(); return 1; } -extern "C" DllExport DWORD GetPrintProcessorCapabilities(LPTSTR pValueName, DWORD dwAttributes, LPBYTE pData, DWORD nSize, LPDWORD pcbNeeded) +DWORD GetPrintProcessorCapabilities(LPTSTR pValueName, DWORD dwAttributes, LPBYTE pData, DWORD nSize, LPDWORD pcbNeeded) { return 0; } @@ -43,12 +54,12 @@ typedef struct _PRINTPROCESSOROPENDATA { LPWSTR pPrinterName; } PRINTPROCESSOROPENDATA, * PPRINTPROCESSOROPENDATA, * LPPRINTPROCESSOROPENDATA; -extern "C" DllExport HANDLE OpenPrintProcessor(LPWSTR pPrinterName, PPRINTPROCESSOROPENDATA pPrintProcessorOpenData) +HANDLE OpenPrintProcessor(LPWSTR pPrinterName, PPRINTPROCESSOROPENDATA pPrintProcessorOpenData) { return (HANDLE)11; } -extern "C" DllExport BOOL PrintDocumentOnPrintProcessor(HANDLE hPrintProcessor, LPWSTR pDocumentName) +BOOL PrintDocumentOnPrintProcessor(HANDLE hPrintProcessor, LPWSTR pDocumentName) { return 1; } @@ -58,10 +69,11 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) switch (fdwReason) { case DLL_PROCESS_ATTACH: - PayloadFunction(); break; case DLL_THREAD_ATTACH: + break; case DLL_PROCESS_DETACH: + break; case DLL_THREAD_DETACH: break; } diff --git a/atomics/T1547.012/src/AtomicTest.def b/atomics/T1547.012/src/AtomicTest.def new file mode 100644 index 00000000..7a8a11e1 --- /dev/null +++ b/atomics/T1547.012/src/AtomicTest.def @@ -0,0 +1,7 @@ +EXPORTS + ClosePrintProcessor + ControlPrintProcessor + EnumPrintProcessorDatatypesW + GetPrintProcessorCapabilities + OpenPrintProcessor + PrintDocumentOnPrintProcessor \ No newline at end of file 
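Review bot: The comment `// executes when DLL is loaded` directly above the new `PayloadFunction();` call in EnumPrintProcessorDatatypesW is now stale, because the last hunk removes that call from DllMain's `DLL_PROCESS_ATTACH` case; the payload now runs when the spooler invokes this export, not at load. Change it to `// runs when the spooler calls EnumPrintProcessorDatatypesW, not at DLL load (see DllMain)`. The context lines also show the function returning `1` without setting `*pcbNeeded` or `*pcReturned`; that is pre-existing, but a one-line comment saying the stub intentionally leaves the out-parameters untouched would stop the next reader from treating it as a bug.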
diff --git a/atomics/T1547.012/src/build.bat b/atomics/T1547.012/src/build.bat new file mode 100644 index 00000000..e87c0a8c --- /dev/null +++ b/atomics/T1547.012/src/build.bat @@ -0,0 +1 @@ +cl.exe /W0 /D_USRDLL /D_WINDLL AtomicTest.c AtomicTest.def /MT /link /DLL /OUT:AtomicTest.dll \ No newline at end of file
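Review bot: `/W0` disables every compiler warning, including the one MSVC emits for a value returned from a void function, which is exactly the defect present in AtomicTest.c's PayloadFunction in this commit. Build with `/W4` (or at least `/W3`) so such mistakes surface, and keep the build warning-clean; `cl.exe /W4 /D_USRDLL /D_WINDLL AtomicTest.c AtomicTest.def /MT /link /DLL /OUT:AtomicTest.dll` is the only change needed. A short header comment stating that the script must run from a Visual Studio developer prompt would also help anyone rebuilding the binary.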