GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/DLLHijackAuditKit/audit.js
/* DLLHijackAuditKit (C) 2010 Rapid7, Inc */
// Best-effort status line on stdout, prefixed with "[*]".
// Any failure to write (e.g. no console attached) is deliberately ignored
// so that output problems never abort the audit.
function print_status(msg) {
    var line = "[*] " + msg;
    try {
        WScript.StdOut.WriteLine(line);
    } catch (e) {
        // swallowed on purpose: the message is informational only
    }
}
// Returns the ProcessId of every running process reported by WMI
// (root\CIMV2, Win32_Process), except processes whose executable path
// contains "taskmgr" — presumably so that a Task Manager window the
// operator opens during the run is not mistaken for a spawned handler.
// Processes with no ExecutablePath are included.
function process_list() {
    var wbemFlagReturnImmediately = 0x10;
    var wbemFlagForwardOnly = 0x20;
    var queryFlags = wbemFlagReturnImmediately | wbemFlagForwardOnly;

    var wmi = GetObject("winmgmts:\\\\localhost\\root\\CIMV2");
    var processes = wmi.ExecQuery("SELECT * FROM Win32_Process", "WQL", queryFlags);

    var pids = [];
    var it = new Enumerator(processes);
    while (!it.atEnd()) {
        var proc = it.item();
        var exePath = proc.ExecutablePath;
        var isTaskManager = exePath ? exePath.toLowerCase().indexOf("taskmgr") != -1 : false;
        if (!isTaskManager) {
            pids.push(proc.ProcessId);
        }
        it.moveNext();
    }
    return pids;
}
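// Number of audited extensions between interactive pauses. At 100000 the
// pause effectively never triggers for a normal registry; lower it to step
// through the audit in batches.
var pause_interval = 100000;

var oFso = new ActiveXObject("Scripting.FileSystemObject");
var oShl = new ActiveXObject("WScript.Shell");
var oLoc = new ActiveXObject("WbemScripting.SWbemLocator");
var oSvc = oLoc.ConnectServer(null, "root\\default");
var oReg = oSvc.Get("StdRegProv");

// Remembered so the working directory can be restored at the end; the audit
// loop below changes it once per extension.
var oCWD = oShl.CurrentDirectory + "";

// Enumerate the subkeys of HKLM\Software\Classes; the ones starting with "."
// are the registered file extensions.
var oMethod = oReg.Methods_.Item("EnumKey");
var oInParam = oMethod.InParameters.SpawnInstance_();
oInParam.hDefKey = 0x80000002; // HKEY_LOCAL_MACHINE
oInParam.sSubKeyName = "Software\\Classes";

var oOutParam = oReg.ExecMethod_(oMethod.Name, oInParam);
var aNames = oOutParam.sNames.toArray();

// Extensions that are never exercised (same set as the original if-chain):
// presumably executable/driver types plus file types belonging to the kit
// itself and to ProcMon. Looked up with hasOwnProperty so that inherited
// Object members (e.g. "constructor") are not treated as skipped.
var SKIPPED_EXTENSIONS = {
    "com": true, "pif": true, "exe": true, "bat": true, "scr": true,
    "dos": true, "386": true, "cpl": true, "sys": true, "dll": true,
    "drv": true, "rb": true, "py": true, "pl": true, "crds": true,
    "crd": true, "pml": true, "pmc": true
};

// Creates a folder, ignoring the error raised when it already exists.
function ensure_folder(folder) {
    try { oFso.CreateFolder(folder); } catch (e) { }
}

// Writes the placeholder document DLLAudit\ext\<ext>\exploit.<ext> that is
// later opened with its registered handler. Write failures are ignored,
// matching the original best-effort behaviour.
function create_test_case(ext) {
    ensure_folder("DLLAudit\\ext\\" + ext);
    try {
        var f = oFso.CreateTextFile("DLLAudit\\ext\\" + ext + "\\exploit." + ext);
        f.WriteLine("HOWDY!");
        f.Close();
    } catch (e) { }
}

// Returns the values of 'current' that do not occur in 'baseline'.
// Uses a lookup object instead of a nested scan (O(n+m) rather than O(n*m)).
function new_entries(baseline, current) {
    var known = {};
    for (var b = 0; b < baseline.length; b++) {
        known["p" + baseline[b]] = true;
    }
    var added = [];
    for (var c = 0; c < current.length; c++) {
        if (!known.hasOwnProperty("p" + current[c])) {
            added.push(current[c]);
        }
    }
    return added;
}

ensure_folder("DLLAudit");
ensure_folder("DLLAudit\\ext");

// ProcMon is fetched over an unauthenticated UNC share and then executed with
// no integrity check; a copy verified out of band and placed next to this
// script beforehand is preferable, and is honoured by the FileExists check.
if (!oFso.FileExists("procmon.exe")) {
    print_status("Downloading procmon.exe from \\\\live.sysinternals.com ...");
    try { oFso.CopyFile("\\\\live.sysinternals.com\\Tools\\procmon.exe", "procmon.exe"); } catch (e) { }
}

if (!oFso.FileExists("procmon.exe")) {
    print_status("Failed to download procmon.exe, copy here manually.");
    WScript.Quit(1); // non-zero exit code so a wrapping batch file can detect the failure
}

print_status("Starting the process monitor...");
oShl.Run("procmon.exe /AcceptEULA /Quiet /LoadConfig DLLAudit.pmc", 10);
WScript.Sleep(5000);

var total = 0;
print_status("Creating test cases for each file extension...");

for (var i = 0; i < aNames.length; i++) {
    if (aNames[i].substr(0, 1) != ".") continue;
    // Extension name without the dot, truncated to 32 characters as before.
    var extName = aNames[i].substr(1, 32).toLowerCase();
    if (SKIPPED_EXTENSIONS.hasOwnProperty(extName)) continue;
    create_test_case(extName);
    total++;
}

print_status("Created " + total + " test cases");

// Baseline process list. Anything that appears later and is not in this list
// (Task Manager excepted, see process_list) is treated as a spawned handler
// and terminated, so avoid launching other programs while the audit runs.
var procs = process_list();
print_status("Protecting " + procs.length + " processes");

var tries = 0;

var base = oFso.GetFolder("DLLAudit\\ext");
var subs = new Enumerator(base.SubFolders);
for (; !subs.atEnd(); subs.moveNext()) {
    var path = subs.item() + "";
    var bits = path.split("\\");
    var ext = bits[bits.length - 1];

    print_status("Auditing extension: " + ext);
    oShl.CurrentDirectory = path + "\\";

    // Quoted so an extension containing spaces or shell metacharacters still
    // reaches 'start' as one argument; the empty first argument is the title.
    oShl.Run("cmd.exe /c start \"\" \"exploit." + ext + "\"", 0);
    WScript.Sleep(500);

    // Poll up to three times for a newly spawned process.
    var nprocs = process_list();
    var cnt = 0;
    while (nprocs.length == procs.length && cnt < 2) {
        cnt++;
        WScript.Sleep(500);
        nprocs = process_list();
    }

    // If an application spawned, give it three seconds
    // This helps with ProcMon memory usage as well
    if (nprocs.length > procs.length) {
        WScript.Sleep(3000);
    }

    // Terminate only what appeared since the baseline. taskkill is skipped
    // when nothing new is present (the original ran it with no /PID and let
    // it fail).
    var spawned = new_entries(procs, nprocs);
    if (spawned.length > 0) {
        var killer = "taskkill /F ";
        for (var k = 0; k < spawned.length; k++) {
            killer = killer + "/PID " + spawned[k] + " ";
        }
        oShl.Run(killer, 0, true);
    }

    tries++;

    if (tries % pause_interval == 0) {
        print_status("Completed " + tries + " extensions, hit enter to continue.");
        WScript.Stdin.ReadLine();
        print_status("Continuing...");
    }
}

oShl.CurrentDirectory = oCWD;
print_status("Data collection phase complete, export Logfile.CSV from ProcMon.");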