Merge pull request #4 from fireeye/service_persist_bugs
service persistence bug fixes
h4wkst3r authored Jan 5, 2020
2 parents 29e23d6 + 0488046 commit e32f3eb
Showing 6 changed files with 564 additions and 118 deletions.
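--- a/SharPersist/Properties/AssemblyInfo.cs
+++ b/SharPersist/Properties/AssemblyInfo.cs
@@ -30,5 +30,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.0.0.0")]
-[assembly: AssemblyFileVersion("1.0.0.0")]
+[assembly: AssemblyVersion("1.0.1")]
+[assembly: AssemblyFileVersion("1.0.1")]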
147 changes: 111 additions & 36 deletions SharPersist/Service.cs
Expand Up @@ -11,7 +11,7 @@ namespace SharPersist
{
public class Service : Persistence
{
public Service(string persistMethod, string command, string commandArg, string theKey, string theVal, string theName, string filePath, string status, string option) : base(persistMethod, command, commandArg, theKey, theVal, theName, filePath, status,option)
public Service(string persistMethod, string command, string commandArg, string theKey, string theVal, string theName, string filePath, string status, string option) : base(persistMethod, command, commandArg, theKey, theVal, theName, filePath, status, option)
{
initialize(persistMethod, command, commandArg, theKey, theVal, theName, filePath, status, option);

Expand Down Expand Up @@ -82,26 +82,55 @@ public void addPersistence(string command, string commandArg, string theName)
{

try
{
ServiceProcessInstaller ProcessServiceInstaller = new ServiceProcessInstaller();
ProcessServiceInstaller.Account = ServiceAccount.User;

ServiceInstaller ServiceInstallerObj = new ServiceInstaller();
InstallContext Context = new System.Configuration.Install.InstallContext();
String path = String.Format("/assemblypath={0}", command + " " + commandArg);
string[] cmdline = { path };

Context = new InstallContext("", cmdline);

ServiceInstallerObj.DisplayName = theName;
ServiceInstallerObj.ServiceName = theName;
ServiceInstallerObj.Description = theName;
ServiceInstallerObj.StartType = ServiceStartMode.Automatic;
ServiceInstallerObj.Parent = ProcessServiceInstaller;
ServiceInstallerObj.Context = Context;

System.Collections.Specialized.ListDictionary state = new System.Collections.Specialized.ListDictionary();
ServiceInstallerObj.Install(state);
{


// open a handle to the service control manager
using (var scmHandle = lib.NativeMethods.OpenSCManager(Environment.MachineName, null, lib.NativeMethods.SCM_ACCESS.SC_MANAGER_CREATE_SERVICE))
{

// if unable to open service manager, display message and return
if (scmHandle.IsInvalid)
{
Console.WriteLine("");
Console.WriteLine("[-] ERROR: Unable to open service manager on host.");
return;

}

else
{
try
{

// if able to open service manager, continue to create the service
var serviceHandle = lib.NativeMethods.CreateService(
scmHandle,
theName,
theName,
lib.NativeMethods.SERVICE_ACCESS.SERVICE_ALL_ACCESS,
lib.NativeMethods.SERVICE_TYPES.SERVICE_WIN32_OWN_PROCESS,
lib.NativeMethods.SERVICE_START_TYPES.SERVICE_AUTO_START,
lib.NativeMethods.SERVICE_ERROR_CONTROL.SERVICE_ERROR_IGNORE,
command + " " + commandArg,
null,
IntPtr.Zero,
null,
null,
null);
}
catch (Exception ex)
{

Console.WriteLine("");
Console.WriteLine("[-] ERROR: Unable to create service.");
return;
}

}

}

}

catch (Exception ex)
Expand Down Expand Up @@ -153,16 +182,45 @@ public void removePersistence(string theName)
{

try
{

// remove service by deleting its reg key
Registry.LocalMachine.DeleteSubKey("SYSTEM\\CurrentControlSet\\Services\\" + theName);

{

// open a handle to the service control manager
using (var scmHandle = lib.NativeMethods.OpenSCManager(Environment.MachineName, null, lib.NativeMethods.SCM_ACCESS.SC_MANAGER_ALL_ACCESS))
{

// if unable to open service manager, display message and return
if (scmHandle.IsInvalid)
{
Console.WriteLine("");
Console.WriteLine("[-] ERROR: Unable to open service manager on machine.");
return;

}

else
{

try
{
var serviceHandle = lib.NativeMethods.OpenService(scmHandle, theName, lib.NativeMethods.SERVICE_ACCESS.SERVICE_ALL_ACCESS);
lib.NativeMethods.DeleteService(serviceHandle);
}
catch (Exception ex)
{
Console.WriteLine("");
Console.WriteLine("[-] ERROR: Unable to delete service.");
return;
}
}

} // end using handle


}

catch (ArgumentException ex)
{
Console.WriteLine("[-] ERROR: Service has already been removed from registry.");
Console.WriteLine("[-] ERROR: Service has already been removed.");
return;
}
catch (Exception ex)
Expand All @@ -172,7 +230,7 @@ public void removePersistence(string theName)
}

Console.WriteLine("");
Console.WriteLine("[+] SUCCESS: Service persistence removed from registry. Change will take effect upon next reboot.");
Console.WriteLine("[+] SUCCESS: Service persistence removed.");

} // end if service exists

Expand All @@ -192,9 +250,9 @@ public void checkPersistence(string persistMethod, string command, string comman
{

Console.WriteLine("");
Console.WriteLine("[*] INFO: Checking if service with that name already exists");

Console.WriteLine("[*] INFO: Checking if service with that name already exists");


bool serviceExists = lib.Utils.ServiceExists(theName);


Expand All @@ -220,7 +278,24 @@ public void checkPersistence(string persistMethod, string command, string comman
return;
}

Console.WriteLine("[+] SUCCESS: Correct arguments given");
Console.WriteLine("[+] SUCCESS: Correct arguments given");


Console.WriteLine("");
Console.WriteLine("[*] INFO: Checking that current user has administrative privileges");

bool isUserAdmin = lib.Utils.IsUserAnAdmin();

if (isUserAdmin)
{
Console.WriteLine("[+] SUCCESS: Current user has administrative privileges");

}
else
{
Console.WriteLine("[-] ERROR: Current user does NOT have administrative privileges. Ensure you are running in high integrity context.");
}



} // end check persistences
Expand Down Expand Up @@ -316,10 +391,10 @@ public void listPersistence(string persistMethod, string command, string command

Console.WriteLine("");
Console.WriteLine("");
Console.WriteLine("");


Console.WriteLine("");



} // end iterating through services


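Review bot: The handle returned at `var serviceHandle = lib.NativeMethods.CreateService(` in addPersistence is never inspected, so a failed call (for example access denied or a name already in use) falls through as if it succeeded; a P/Invoke wrapper returns an invalid handle rather than throwing, so the surrounding `catch (Exception ex)` only covers marshalling faults, not API failures. If CreateService returns a SafeHandle the way OpenSCManager evidently does (the `scmHandle.IsInvalid` check relies on that), add `if (serviceHandle.IsInvalid) { Console.WriteLine("[-] ERROR: Unable to create service."); return; }` directly after the call and declare the handle with `using` so it is released, and consider appending the last Win32 error to the message if the DllImport is declared with SetLastError. The same gap exists in removePersistence, where the `OpenService` result and the boolean returned by `DeleteService` are both ignored, so the `catch (ArgumentException ex)` branch that reports "Service has already been removed" cannot be reached from those calls and the success message printed afterwards is unconditional. The `ex` variable in each new catch block is unused; `catch (Exception)` avoids the warning. Both addPersistence and removePersistence begin and end outside the visible hunks.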
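--- a/SharPersist/SharPersist.csproj
+++ b/SharPersist/SharPersist.csproj
@@ -1,79 +1,81 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-<Import Project="..\packages\Costura.Fody.3.3.3\build\Costura.Fody.props" Condition="Exists('..\packages\Costura.Fody.3.3.3\build\Costura.Fody.props')" />
-<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
-<PropertyGroup>
-<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
-<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
-<ProjectGuid>{9D1B853E-58F1-4BA5-AEFC-5C221CA30E48}</ProjectGuid>
-<OutputType>Exe</OutputType>
-<RootNamespace>SharPersist</RootNamespace>
-<AssemblyName>SharPersist</AssemblyName>
-<TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
-<FileAlignment>512</FileAlignment>
-<Deterministic>true</Deterministic>
-<NuGetPackageImportStamp>
-</NuGetPackageImportStamp>
-<TargetFrameworkProfile />
-</PropertyGroup>
-<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
-<PlatformTarget>AnyCPU</PlatformTarget>
-<DebugSymbols>true</DebugSymbols>
-<DebugType>full</DebugType>
-<Optimize>false</Optimize>
-<OutputPath>bin\Debug\</OutputPath>
-<DefineConstants>DEBUG;TRACE</DefineConstants>
-<ErrorReport>prompt</ErrorReport>
-<WarningLevel>4</WarningLevel>
-</PropertyGroup>
-<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
-<PlatformTarget>AnyCPU</PlatformTarget>
-<DebugType>pdbonly</DebugType>
-<Optimize>true</Optimize>
-<OutputPath>bin\Release\</OutputPath>
-<DefineConstants>TRACE</DefineConstants>
-<ErrorReport>prompt</ErrorReport>
-<WarningLevel>4</WarningLevel>
-</PropertyGroup>
-<ItemGroup>
-<Reference Include="Costura, Version=3.3.3.0, Culture=neutral, PublicKeyToken=9919ef960d84173d, processorArchitecture=MSIL">
-<HintPath>..\packages\Costura.Fody.3.3.3\lib\net40\Costura.dll</HintPath>
-</Reference>
-<Reference Include="Microsoft.CSharp">
-<HintPath>..\..\..\..\..\..\..\..\Program Files\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.0\Microsoft.CSharp.dll</HintPath>
-</Reference>
-<Reference Include="Microsoft.Win32.TaskScheduler, Version=2.8.11.0, Culture=neutral, PublicKeyToken=c416bc1b32d97233, processorArchitecture=MSIL">
-<HintPath>..\packages\TaskScheduler.2.8.11\lib\net40\Microsoft.Win32.TaskScheduler.dll</HintPath>
-</Reference>
-<Reference Include="System" />
-<Reference Include="System.Configuration.Install" />
-<Reference Include="System.Core" />
-<Reference Include="System.Drawing" />
-<Reference Include="System.ServiceProcess" />
-<Reference Include="System.Xml.Linq" />
-<Reference Include="System.Data.DataSetExtensions" />
-<Reference Include="System.Data" />
-<Reference Include="System.Xml" />
-</ItemGroup>
-<ItemGroup>
-<Compile Include="KeePassBackdoor.cs" />
-<Compile Include="lib\Utils.cs" />
-<Compile Include="Persistence.cs" />
-<Compile Include="RegistryPersist.cs" />
-<Compile Include="SchTask.cs" />
-<Compile Include="SchTaskBackdoor.cs" />
-<Compile Include="Service.cs" />
-<Compile Include="SharPersist.cs" />
-<Compile Include="Properties\AssemblyInfo.cs" />
-<Compile Include="StartupFolder.cs" />
-<Compile Include="TortoiseSVNHookScripts.cs" />
-</ItemGroup>
-<ItemGroup>
-<None Include="app.config" />
-<None Include="packages.config" />
-</ItemGroup>
-<ItemGroup />
-<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
-<Import Project="..\packages\Fody.4.2.1\build\Fody.targets" Condition="Exists('..\packages\Fody.4.2.1\build\Fody.targets')" />
-<Import Project="..\packages\Fody.4.0.2\build\Fody.targets" Condition="Exists('..\packages\Fody.4.0.2\build\Fody.targets')" />
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Import Project="..\packages\Costura.Fody.3.3.3\build\Costura.Fody.props" Condition="Exists('..\packages\Costura.Fody.3.3.3\build\Costura.Fody.props')" />
+<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+<PropertyGroup>
+<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+<ProjectGuid>{9D1B853E-58F1-4BA5-AEFC-5C221CA30E48}</ProjectGuid>
+<OutputType>Exe</OutputType>
+<RootNamespace>SharPersist</RootNamespace>
+<AssemblyName>SharPersist</AssemblyName>
+<TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
+<FileAlignment>512</FileAlignment>
+<Deterministic>true</Deterministic>
+<NuGetPackageImportStamp>
+</NuGetPackageImportStamp>
+<TargetFrameworkProfile />
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+<PlatformTarget>AnyCPU</PlatformTarget>
+<DebugSymbols>true</DebugSymbols>
+<DebugType>full</DebugType>
+<Optimize>false</Optimize>
+<OutputPath>bin\Debug\</OutputPath>
+<DefineConstants>DEBUG;TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+<PlatformTarget>AnyCPU</PlatformTarget>
+<DebugType>pdbonly</DebugType>
+<Optimize>true</Optimize>
+<OutputPath>bin\Release\</OutputPath>
+<DefineConstants>TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+</PropertyGroup>
+<ItemGroup>
+<Reference Include="Costura, Version=3.3.3.0, Culture=neutral, PublicKeyToken=9919ef960d84173d, processorArchitecture=MSIL">
+<HintPath>..\packages\Costura.Fody.3.3.3\lib\net40\Costura.dll</HintPath>
+</Reference>
+<Reference Include="Microsoft.CSharp">
+<HintPath>..\..\..\..\..\..\..\..\Program Files\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.0\Microsoft.CSharp.dll</HintPath>
+</Reference>
+<Reference Include="Microsoft.Win32.TaskScheduler, Version=2.8.11.0, Culture=neutral, PublicKeyToken=c416bc1b32d97233, processorArchitecture=MSIL">
+<HintPath>..\packages\TaskScheduler.2.8.11\lib\net40\Microsoft.Win32.TaskScheduler.dll</HintPath>
+</Reference>
+<Reference Include="System" />
+<Reference Include="System.Configuration.Install" />
+<Reference Include="System.Core" />
+<Reference Include="System.Drawing" />
+<Reference Include="System.ServiceProcess" />
+<Reference Include="System.Xml.Linq" />
+<Reference Include="System.Data.DataSetExtensions" />
+<Reference Include="System.Data" />
+<Reference Include="System.Xml" />
+</ItemGroup>
+<ItemGroup>
+<Compile Include="KeePassBackdoor.cs" />
+<Compile Include="lib\NativeMethods.cs" />
+<Compile Include="lib\ServiceControlHandler.cs" />
+<Compile Include="lib\Utils.cs" />
+<Compile Include="Persistence.cs" />
+<Compile Include="RegistryPersist.cs" />
+<Compile Include="SchTask.cs" />
+<Compile Include="SchTaskBackdoor.cs" />
+<Compile Include="Service.cs" />
+<Compile Include="SharPersist.cs" />
+<Compile Include="Properties\AssemblyInfo.cs" />
+<Compile Include="StartupFolder.cs" />
+<Compile Include="TortoiseSVNHookScripts.cs" />
+</ItemGroup>
+<ItemGroup>
+<None Include="app.config" />
+<None Include="packages.config" />
+</ItemGroup>
+<ItemGroup />
+<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+<Import Project="..\packages\Fody.4.2.1\build\Fody.targets" Condition="Exists('..\packages\Fody.4.2.1\build\Fody.targets')" />
+<Import Project="..\packages\Fody.4.0.2\build\Fody.targets" Condition="Exists('..\packages\Fody.4.0.2\build\Fody.targets')" />
 </Project>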