Windows

Bruteforce Windows Logon (PoC)

May 15, 2020
Bruteforce, Crack, Exploit, Logon, Password, User, Vulnerability, Windows

Weakness Description: Microsoft Windows suffers from a serious lack of protection in its authentication mechanism, which could lead to privilege escalation. Indeed, in a default installation of Windows (all versions), the account lockout policy is disabled and the authentication APIs do not limit the number of attempts per second, which allows medium to fast brute-force attacks. Using our PoC, and depending on the number of cores available on the target system, you could test from a few thousand to dozens of thousands of passwords per second. ...

Enum Attached Files

March 24, 2020
Windows, Delphi, Attached Files, Enumerate, Open Files, Open Handles

The snippet above demonstrates how to enumerate files opened by running programs on Windows. Some file unlockers use this technique to find which process holds a specific file open and then force that process to release its handle (via code injection techniques). I will write an example in a future snippet thread. Notice: at the bottom of the page, you will find a concrete example of how to use this unit. ...

Enum DLL Exported Functions

March 12, 2020
Windows, Delphi, DLL, Export, Library, PE Header, Exported Functions

This unit demonstrates how to enumerate DLL exported functions through PE header manipulation.

Features

- Supports both 32-bit and 64-bit DLLs.
- Identifies exported function names.
- Identifies exported function ordinal values.
- Supports and resolves forwarded functions.
- Identifies exported function addresses and relative addresses.

Unit Code

    (*******************************************************************************
      Author:
        -> Jean-Pierre LESUEUR (@DarkCoderSc)
           https://github.com/DarkCoderSc
           https://gist.github.com/DarkCoderSc
           https://www.phrozen.io/

      License:
        -> MIT
    *******************************************************************************)

    unit UntEnumDLLExport;

    interface

    uses Classes, Windows, Generics.Collections, SysUtils;

    type
      { One exported symbol: name, ordinal, RVA / absolute address, forward target }
      TExportEntry = class
      private
        FName         : String;
        FForwarded    : Boolean;
        FForwardName  : String;
        FRelativeAddr : Cardinal;
        FAddress      : Int64;
        FOrdinal      : Word;

        {@M}
        function GetFormatedAddress() : String;
        function GetFormatedRelativeAddr() : String;
      public
        {@C}
        constructor Create();

        {@G/S}
        property Name         : String   read FName         write FName;
        property Forwarded    : Boolean  read FForwarded    write FForwarded;
        property ForwardName  : String   read FForwardName  write FForwardName;
        property Address      : Int64    read FAddress      write FAddress;
        property RelativeAddr : Cardinal read FRelativeAddr write FRelativeAddr;
        property Ordinal      : Word     read FOrdinal      write FOrdinal;

        {@G}
        property FormatedAddress         : String read GetFormatedAddress;
        property FormatedRelativeAddress : String read GetFormatedRelativeAddr;
      end;

      { Parses the export directory of a DLL file and fills Items }
      TEnumDLLExport = class
      private
        FItems    : TObjectList<TExportEntry>;
        FFileName : String;

        {@M}
      public
        {@C}
        constructor Create(AFileName : String);
        destructor Destroy(); override;

        {@M}
        function Enum() : Integer;

        {@G}
        property Items    : TObjectList<TExportEntry> read FItems;
        property FileName : String                    read FFileName;
      end;

    implementation

    {+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      Local Functions
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++}

    { Formats a value as 0x-prefixed hex; when APad = 0 the width is chosen
      from the magnitude of the value }
    function IntToHexF(AValue : Int64; APad : Word = 0 {0=Auto}) : String;
    begin
      if (APad = 0) then begin
        if (AValue <= High(Word)) then
          APad := 2
        else if (AValue <= High(DWORD)) and (AValue > High(Word)) then
          APad := 8
        else if (AValue <= High(Int64)) and (AValue > High(DWORD)) then
          APad := 16;
      end;

      result := '0x' + IntToHex(AValue, APad);
    end;

    {+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      TExportEntry
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++}

    constructor TExportEntry. ...

Enum Modules Method 1

March 12, 2020
Windows, Delphi, Enumerate, DLL, Libraries, Modules

You will find below an example of how to enumerate process modules using the well-known Windows API CreateToolhelp32Snapshot(); I will cover additional methods soon. You may notice that when using CreateToolhelp32Snapshot(), the first result (row) is generally the image path of the process that owns the modules. I skip that row by comparing the value of szExePath with the owner process image path. GetProcessName() is compatible from Windows Vista onwards. It is possible to support Windows XP and below, but not in this example. ...

Terminate Process Techniques

March 6, 2020
Windows, Delphi, Injection, Kill Process, Techniques, Terminate Process

You will find below 4 different techniques to close/kill/terminate a Windows process in pure WinAPI.

Techniques

- TerminateProcess(): classic method.
- ExitProcess(): via code injection (32-bit to 32-bit; 64-bit to 64-bit).
- Crash process: inject code that will crash the process (32-bit to 32-bit; 64-bit to 64-bit).
- CTRL_CLOSE_EVENT / WM_CLOSE: send "close" messages to the target process windows.

TerminateAProcess() Method

Kills the target process id following the desired method: tmpAll, tpmTerminateProcess, tpmExitProcess, tpmCrash, tpmMessage ...