#!/usr/python3
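def generate_pmc_file(target, template='procmon_template.pmc'):
    """Write ``<target>.pmc``, a Procmon config whose filter value is *target*.

    The template PMC file carries a fixed 22-character placeholder as its
    filter value.  Its UTF-16LE encoding is swapped for the encoding of
    *target*, and the single-byte fields at fixed offsets that hold lengths
    derived from that value are re-computed.

    Args:
        target: Process name to put in the filter.  It is also used verbatim
            as the stem of the output file name, so pass a bare file name.
        template: Path of the template PMC file; defaults to
            ``procmon_template.pmc`` in the current directory.

    Raises:
        FileNotFoundError: if *template* does not exist.
        ValueError: if the placeholder is absent from the template, the
            patched file is shorter than the last patched offset, or the
            encoded *target* is too long for the one-byte length fields.
    """
    with open(template, 'rb') as f:
        data = f.read()
    # This placeholder is hardcoded in the template PMC file.
    original_enc = bytes('XXXXXXXXXXXXXXXXXXXXXX', 'utf-16le')
    payload_enc = bytes(target, 'utf-16le')
    payload_len = len(payload_enc)
    # Without the placeholder the length patches below would silently
    # corrupt an unrelated file, so fail loudly instead.
    if original_enc not in data:
        raise ValueError('placeholder not found in template {!r}'.format(template))
    # The largest base added to the length is 0x9E; the sum must fit in a byte.
    if 0x9E + payload_len > 0xFF:
        raise ValueError('target name too long for PMC length fields: {!r}'.format(target))
    # Replace placeholder with new payload
    result = bytearray(data.replace(original_enc, payload_enc))
    # Replace bytes containing lengths.  The offsets are applied after the
    # replacement, so they assume the placeholder sits after 0x63E in the
    # template -- confirm against the template if it is regenerated.
    if len(result) <= 0x63E:
        raise ValueError('template {!r} is too short to patch'.format(template))
    result[0x614] = 0x76 + payload_len
    result[0x63E] = 0x02 + payload_len
    result[0x608] = 0x9E + payload_len
    result[0x4F6] = 0x01
    with open('{}.pmc'.format(target), 'wb') as w:
        w.write(result)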
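if __name__ == "__main__":
    # Hardcoded list of targets, can be obtained by running the following on the target Windows machine:
    # powershell /c "Get-ChildItem c:\windows\system32 -File | ForEach-Object { if($_ -match '.+?exe$') {Get-AuthenticodeSignature $_.fullname} } | where {$_.IsOSBinary} | ForEach-Object {$_.path }"
    target_executables = [
        'agentactivationruntimestarter.exe', 'AgentService.exe', 'aitstatic.exe', 'alg.exe', 'AppHostRegistrationVerifier.exe', 'appidcertstorecheck.exe', 'appidpolicyconverter.exe', 'appidtel.exe', 'ApplicationFrameHost.exe', 'ApplySettingsTemplateCatalog.exe', 'ApplyTrustOffline.exe', 'ApproveChildRequest.exe', 'AppVClient.exe', 'AppVDllSurrogate.exe', 'AppVNice.exe', 'AppVShNotify.exe', 'ARP.EXE', 'at.exe', 'AtBroker.exe', 'attrib.exe', 'audiodg.exe', 'auditpol.exe', 'AuthHost.exe', 'autochk.exe', 'autoconv.exe', 'autofmt.exe', 'AxInstUI.exe', 'baaupdate.exe', 'backgroundTaskHost.exe', 'BackgroundTransferHost.exe', 'bcdboot.exe', 'bcdedit.exe', 'bdechangepin.exe', 'BdeHdCfg.exe', 'BdeUISrv.exe', 'bdeunlock.exe', 'BioIso.exe', 'BitLockerDeviceEncryption.exe', 'BitLockerWizard.exe', 'BitLockerWizardElev.exe', 'bitsadmin.exe', 'bootcfg.exe', 'bootim.exe', 'bootsect.exe', 'bridgeunattend.exe', 'browserexport.exe', 'browser_broker.exe', 'bthudtask.exe', 'ByteCodeGenerator.exe', 'cacls.exe', 'calc.exe', 'CameraSettingsUIHost.exe', 'CastSrv.exe', 'CertEnrollCtrl.exe', 'certreq.exe', 'certutil.exe', 'change.exe', 'changepk.exe', 'charmap.exe', 'CheckNetIsolation.exe', 'chglogon.exe', 'chgport.exe', 'chgusr.exe', 'chkdsk.exe', 'chkntfs.exe', 'choice.exe', 'CIDiag.exe', 'cipher.exe', 'cleanmgr.exe', 'cliconfg.exe', 'clip.exe', 'ClipRenew.exe', 'ClipUp.exe', 'CloudExperienceHostBroker.exe', 'CloudNotifications.exe', 'cmd.exe', 'cmdkey.exe', 'cmdl32.exe', 'cmmon32.exe', 'cmstp.exe', 'cofire.exe', 'colorcpl.exe', 'comp.exe', 'compact.exe', 'CompatTelRunner.exe', 'CompMgmtLauncher.exe', 'CompPkgSrv.exe', 'ComputerDefaults.exe', 'conhost.exe', 'consent.exe', 'control.exe', 'convert.exe', 'convertvhd.exe', 'coredpussvr.exe', 'CredentialEnrollmentManager.exe', 'CredentialUIBroker.exe', 'credwiz.exe', 'cscript.exe', 'csrss.exe', 'ctfmon.exe', 'cttune.exe', 'cttunesvr.exe', 'curl.exe', 'CustomInstallExec.exe', 'dasHost.exe', 'DataExchangeHost.exe',
        'DataStoreCacheDumpTool.exe', 'DataUsageLiveTileTask.exe', 'dccw.exe', 'dcomcnfg.exe', 'ddodiag.exe', 'Defrag.exe', 'deploymentcsphelper.exe', 'desktopimgdownldr.exe', 'DeviceCensus.exe', 'DeviceCredentialDeployment.exe', 'DeviceEject.exe', 'DeviceEnroller.exe', 'DevicePairingWizard.exe', 'DeviceProperties.exe', 'DFDWiz.exe', 'dfrgui.exe', 'dialer.exe', 'directxdatabaseupdater.exe', 'diskpart.exe', 'diskperf.exe', 'diskraid.exe', 'DiskSnapshot.exe', 'Dism.exe', 'dispdiag.exe', 'DisplaySwitch.exe', 'djoin.exe', 'dllhost.exe', 'dllhst3g.exe', 'dmcertinst.exe', 'dmcfghost.exe', 'dmclient.exe', 'DmNotificationBroker.exe', 'DmOmaCpMo.exe', 'dnscacheugc.exe', 'doskey.exe', 'dpapimig.exe', 'DpiScaling.exe', 'dpnsvr.exe', 'driverquery.exe', 'drvcfg.exe', 'drvinst.exe', 'DsmUserTask.exe', 'dsregcmd.exe', 'dstokenclean.exe', 'DTUHandler.exe', 'dusmtask.exe', 'dvdplay.exe', 'dwm.exe', 'DWWIN.EXE', 'dxdiag.exe', 'dxgiadaptercache.exe', 'Dxpserver.exe', 'Eap3Host.exe', 'EaseOfAccessDialog.exe', 'easinvoker.exe', 'EASPolicyManagerBrokerHost.exe', 'EDPCleanup.exe', 'edpnotify.exe', 'EduPrintProv.exe', 'efsui.exe', 'EhStorAuthn.exe', 'esentutl.exe', 'eudcedit.exe', 'eventcreate.exe', 'eventvwr.exe', 'expand.exe', 'extrac32.exe', 'fc.exe', 'fhmanagew.exe', 'FileHistory.exe', 'find.exe', 'findstr.exe', 'finger.exe', 'fixmapi.exe', 'fltMC.exe', 'fodhelper.exe', 'Fondue.exe', 'fontdrvhost.exe', 'fontview.exe', 'forfiles.exe', 'fsavailux.exe', 'FsIso.exe', 'fsquirt.exe', 'fsutil.exe', 'ftp.exe', 'fvenotify.exe', 'fveprompt.exe', 'FXSCOVER.exe', 'FXSSVC.exe', 'FXSUNATD.exe', 'GameBarPresenceWriter.exe', 'GamePanel.exe', 'GenValObj.exe', 'getmac.exe', 'gpresult.exe', 'gpscript.exe', 'gpupdate.exe', 'grpconv.exe', 'hdwwiz.exe', 'help.exe', 'HOSTNAME.EXE', 'hvax64.exe', 'hvix64.exe', 'hvsievaluator.exe', 'icacls.exe', 'IcsEntitlementHost.exe', 'icsunattend.exe', 'ie4uinit.exe', 'ie4ushowIE.exe', 'ieUnatt.exe', 'iexpress.exe', 'immersivetpmvscmgrsvr.exe', 'InfDefaultInstall.exe',
        'InputSwitchToastHandler.exe', 'iotstartup.exe', 'ipconfig.exe', 'iscsicli.exe', 'iscsicpl.exe', 'isoburn.exe', 'klist.exe', 'ksetup.exe', 'ktmutil.exe', 'label.exe', 'LanguageComponentsInstallerComHandler.exe', 'LaunchTM.exe', 'LaunchWinApp.exe', 'LegacyNetUXHost.exe', 'LicenseManagerShellext.exe', 'licensingdiag.exe', 'LicensingUI.exe', 'LocationNotificationWindows.exe', 'Locator.exe', 'LockAppHost.exe', 'LockScreenContentServer.exe', 'lodctr.exe', 'logagent.exe', 'logman.exe', 'logoff.exe', 'LogonUI.exe', 'lpkinstall.exe', 'lpksetup.exe', 'lpremove.exe', 'LsaIso.exe', 'lsass.exe', 'Magnify.exe', 'makecab.exe', 'manage-bde.exe', 'mavinject.exe', 'MbaeParserTask.exe', 'mblctr.exe', 'MBR2GPT.EXE', 'mcbuilder.exe', 'MDEServer.exe', 'MDMAgent.exe', 'MDMAppInstaller.exe', 'MdmDiagnosticsTool.exe', 'MdRes.exe', 'MdSched.exe', 'mfpmp.exe', 'Microsoft.Uev.CscUnpinTool.exe', 'Microsoft.Uev.SyncController.exe', 'MicrosoftEdgeBCHost.exe', 'MicrosoftEdgeCP.exe', 'MicrosoftEdgeDevTools.exe', 'MicrosoftEdgeSH.exe', 'mitigationscanner.exe', 'mmc.exe', 'mmgaserver.exe', 'mobsync.exe', 'mountvol.exe', 'mousocoreworker.exe', 'mpnotify.exe', 'MRINFO.EXE', 'MSchedExe.exe', 'msconfig.exe', 'msdt.exe', 'msdtc.exe', 'msfeedssync.exe', 'msg.exe', 'mshta.exe', 'msiexec.exe', 'msinfo32.exe', 'mspaint.exe', 'msra.exe', 'MsSpellCheckingHost.exe', 'mstsc.exe', 'mtstocom.exe', 'MuiUnattend.exe', 'MultiDigiMon.exe', 'MusNotification.exe', 'MusNotificationUx.exe', 'MusNotifyIcon.exe', 'Narrator.exe', 'nbtstat.exe', 'ndadmin.exe', 'NDKPing.exe', 'net.exe', 'net1.exe', 'netbtugc.exe', 'netcfg.exe', 'NetCfgNotifyObjectHost.exe', 'NetEvtFwdr.exe', 'NetHost.exe', 'netiougc.exe', 'Netplwiz.exe', 'netsh.exe', 'NETSTAT.EXE', 'newdev.exe', 'NgcIso.exe', 'nltest.exe', 'notepad.exe', 'nslookup.exe', 'ntoskrnl.exe', 'ntprint.exe', 'odbcad32.exe', 'odbcconf.exe', 'ofdeploy.exe', 'omadmclient.exe', 'omadmprc.exe', 'openfiles.exe', 'OpenWith.exe', 'OptionalFeatures.exe', 'osk.exe', 'pacjsworker.exe',
        'PackagedCWALauncher.exe', 'PackageInspector.exe', 'PasswordOnWakeSettingFlyout.exe', 'PATHPING.EXE', 'pcalua.exe', 'pcaui.exe', 'pcwrun.exe', 'perfmon.exe', 'phoneactivate.exe', 'PickerHost.exe', 'PinEnrollmentBroker.exe', 'PING.EXE', 'PkgMgr.exe', 'PktMon.exe', 'plasrv.exe', 'PnPUnattend.exe', 'pnputil.exe', 'poqexec.exe', 'pospaymentsworker.exe', 'powercfg.exe', 'PresentationHost.exe', 'PresentationSettings.exe', 'prevhost.exe', 'print.exe', 'PrintBrmUi.exe', 'printfilterpipelinesvc.exe', 'PrintIsolationHost.exe', 'printui.exe', 'proquota.exe', 'provlaunch.exe', 'provtool.exe', 'ProximityUxHost.exe', 'prproc.exe', 'psr.exe', 'pwcreator.exe', 'pwlauncher.exe', 'qappsrv.exe', 'qprocess.exe', 'query.exe', 'quickassist.exe', 'quser.exe', 'qwinsta.exe', 'rasautou.exe', 'rasdial.exe', 'raserver.exe', 'rasphone.exe', 'rdpclip.exe', 'rdpinit.exe', 'rdpinput.exe', 'RdpSa.exe', 'RdpSaProxy.exe', 'RdpSaUacHelper.exe', 'rdpshell.exe', 'rdpsign.exe', 'rdrleakdiag.exe', 'RDVGHelper.exe', 'ReAgentc.exe', 'recdisc.exe', 'recover.exe', 'RecoveryDrive.exe', 'refsutil.exe', 'reg.exe', 'regedt32.exe', 'regini.exe', 'Register-CimProvider.exe', 'regsvr32.exe', 'rekeywiz.exe', 'relog.exe', 'RelPost.exe', 'RemoteAppLifetimeManager.exe', 'RemotePosWorker.exe', 'repair-bde.exe', 'replace.exe', 'reset.exe', 'ResetEngine.exe', 'resmon.exe', 'RMActivate.exe', 'RMActivate_isv.exe', 'RMActivate_ssp.exe', 'RMActivate_ssp_isv.exe', 'RmClient.exe', 'rmttpmvscmgrsvr.exe', 'Robocopy.exe', 'ROUTE.EXE', 'RpcPing.exe', 'rrinstaller.exe', 'rstrui.exe', 'runas.exe', 'rundll32.exe', 'runexehelper.exe', 'RunLegacyCPLElevated.exe', 'runonce.exe', 'RuntimeBroker.exe', 'rwinsta.exe', 'sc.exe', 'schtasks.exe', 'ScriptRunner.exe', 'sdbinst.exe', 'sdchange.exe', 'sdclt.exe', 'sdiagnhost.exe', 'SearchFilterHost.exe', 'SearchIndexer.exe', 'SearchProtocolHost.exe', 'SecEdit.exe', 'secinit.exe', 'securekernel.exe', 'SecurityHealthHost.exe', 'SecurityHealthService.exe', 'SecurityHealthSystray.exe',
        'SensorDataService.exe', 'services.exe', 'sessionmsg.exe', 'sethc.exe', 'setspn.exe', 'SettingSyncHost.exe', 'setupcl.exe', 'setupugc.exe', 'setx.exe', 'sfc.exe', 'SgrmBroker.exe', 'SgrmLpac.exe', 'shrpubw.exe', 'shutdown.exe', 'sigverif.exe', 'SIHClient.exe', 'sihost.exe', 'SlideToShutDown.exe', 'slui.exe', 'smartscreen.exe', 'smss.exe', 'SndVol.exe', 'SnippingTool.exe', 'snmptrap.exe', 'sort.exe', 'SpaceAgent.exe', 'spaceman.exe', 'SpatialAudioLicenseSrv.exe', 'Spectrum.exe', 'spoolsv.exe', 'SppExtComObj.Exe', 'sppsvc.exe', 'srdelayed.exe', 'SrTasks.exe', 'stordiag.exe', 'subst.exe', 'svchost.exe', 'sxstrace.exe', 'SyncAppvPublishingServer.exe', 'SyncHost.exe', 'SysResetErr.exe', 'systeminfo.exe', 'SystemPropertiesAdvanced.exe', 'SystemPropertiesComputerName.exe', 'SystemPropertiesDataExecutionPrevention.exe', 'SystemPropertiesHardware.exe', 'SystemPropertiesPerformance.exe', 'SystemPropertiesProtection.exe', 'SystemPropertiesRemote.exe', 'systemreset.exe', 'SystemSettingsAdminFlows.exe', 'SystemSettingsBroker.exe', 'SystemSettingsRemoveDevice.exe', 'SystemUWPLauncher.exe', 'systray.exe', 'tabcal.exe', 'takeown.exe', 'TapiUnattend.exe', 'tar.exe', 'taskhostw.exe', 'taskkill.exe', 'tasklist.exe', 'Taskmgr.exe', 'tcblaunch.exe', 'tcmsetup.exe', 'TCPSVCS.EXE', 'ThumbnailExtractionHost.exe', 'TieringEngineService.exe', 'timeout.exe', 'TokenBrokerCookies.exe', 'TpmInit.exe', 'tpmvscmgr.exe', 'tpmvscmgrsvr.exe', 'tracerpt.exe', 'TRACERT.EXE', 'tscon.exe', 'tsdiscon.exe', 'tskill.exe', 'TSTheme.exe', 'TSWbPrxy.exe', 'ttdinject.exe', 'tttracer.exe', 'typeperf.exe', 'tzsync.exe', 'tzutil.exe', 'ucsvc.exe', 'UevAgentPolicyGenerator.exe', 'UevAppMonitor.exe', 'UevTemplateBaselineGenerator.exe', 'UevTemplateConfigItemGenerator.exe', 'UIMgrBroker.exe', 'unlodctr.exe', 'unregmp2.exe', 'upfc.exe', 'UpgradeResultsUI.exe', 'upnpcont.exe', 'UserAccountBroker.exe', 'UserAccountControlSettings.exe', 'userinit.exe', 'UsoClient.exe', 'usocoreworker.exe', 'UtcDecoderHost.exe',
        'Utilman.exe', 'VaultCmd.exe', 'vds.exe', 'vdsldr.exe', 'verclsid.exe', 'verifier.exe', 'verifiergui.exe', 'vssadmin.exe', 'VSSVC.exe', 'w32tm.exe', 'WaaSMedicAgent.exe', 'waitfor.exe', 'WallpaperHost.exe', 'wbadmin.exe', 'wbengine.exe', 'wecutil.exe', 'WerFault.exe', 'WerFaultSecure.exe', 'wermgr.exe', 'wevtutil.exe', 'wextract.exe', 'WFS.exe', 'where.exe', 'whoami.exe', 'wiaacmgr.exe', 'wiawow64.exe', 'wifitask.exe', 'wimserv.exe', 'WinBioDataModelOOBE.exe', 'Windows.Media.BackgroundPlayback.exe', 'Windows.WARP.JITService.exe', 'WindowsActionDialog.exe', 'WindowsUpdateElevatedInstaller.exe', 'wininit.exe', 'winload.exe', 'winlogon.exe', 'winresume.exe', 'winrs.exe', 'winrshost.exe', 'WinRTNetMUAHostServer.exe', 'WinSAT.exe', 'winver.exe', 'wkspbroker.exe', 'wksprt.exe', 'wlanext.exe', 'wlrmdr.exe', 'WMPDMC.exe', 'WorkFolders.exe', 'wowreg32.exe', 'WpcMon.exe', 'WpcTok.exe', 'WPDShextAutoplay.exe', 'wpnpinst.exe', 'wpr.exe', 'write.exe', 'wscadminui.exe', 'WSCollect.exe', 'wscript.exe', 'WSManHTTPConfig.exe', 'wsmprovhost.exe', 'wsqmcons.exe', 'WSReset.exe', 'wuapihost.exe', 'wuauclt.exe', 'WUDFCompanionHost.exe', 'WUDFHost.exe', 'wusa.exe', 'WWAHost.exe', 'XblGameSaveTask.exe', 'xcopy.exe', 'xwizard.exe',
    ]
    # Generate one PMC file per target.  Each call reads procmon_template.pmc
    # from, and writes <target>.pmc into, the current working directory; a
    # plain loop is used because the calls are run only for their side effect.
    for target in target_executables:
        generate_pmc_file(target)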