external/source/DLLHijackAuditKit/audit.js
/* DLLHijackAuditKit (C) 2010 Rapid7, Inc */
function print_status(msg) {
try {
WScript.StdOut.WriteLine("[*] "+ msg);
} catch(e) {}
}
function process_list() {
var res = new Array();
var wbemFlagReturnImmediately = 0x10;
var wbemFlagForwardOnly = 0x20;
var oWMI = GetObject("winmgmts:\\\\localhost\\root\\CIMV2");
var cPID = oWMI.ExecQuery("SELECT * FROM Win32_Process", "WQL", wbemFlagReturnImmediately | wbemFlagForwardOnly);
var enumItems = new Enumerator(cPID);
for (; !enumItems.atEnd(); enumItems.moveNext()) {
var p = enumItems.item();
if (p.ExecutablePath && p.ExecutablePath.toLowerCase().indexOf("taskmgr") != -1) continue;
res.push(p.ProcessId);
}
return res;
}
var pause_interval = 100000;
var oFso = new ActiveXObject("Scripting.FileSystemObject");
var oShl = new ActiveXObject("WScript.Shell");
var oLoc = new ActiveXObject("WbemScripting.SWbemLocator");
var oSvc = oLoc.ConnectServer(null, "root\\default");
var oReg = oSvc.Get("StdRegProv");
var oCWD = oShl.CurrentDirectory + "";
var oMethod = oReg.Methods_.Item("EnumKey");
var oInParam = oMethod.InParameters.SpawnInstance_();
oInParam.hDefKey = 0x80000002;
oInParam.sSubKeyName = "Software\\Classes";
var oOutParam = oReg.ExecMethod_(oMethod.Name, oInParam);
var aNames = oOutParam.sNames.toArray();
try { oFso.CreateFolder("DLLAudit"); } catch(e) { }
try { oFso.CreateFolder("DLLAudit\\ext"); } catch(e) { }
if (! oFso.FileExists("procmon.exe")) {
print_status("Downloading procmon.exe from \\\\live.sysinternals.com ...")
try { oFso.CopyFile("\\\\live.sysinternals.com\\Tools\\procmon.exe", "procmon.exe"); } catch(e) {}
}
if (! oFso.FileExists("procmon.exe")) {
print_status("Failed to download procmon.exe, copy here manually.");
WScript.Quit();
}
print_status("Starting the process monitor...");
oShl.Run("procmon.exe /AcceptEULA /Quiet /LoadConfig DLLAudit.pmc", 10);
WScript.Sleep(5000);
var total = 0;
print_status("Creating test cases for each file extension...");
for (var i = 0; i < aNames.length; i++) {
if (aNames[i].substr(0,1) != ".") continue;
var ext = aNames[i].substr(1,32).toLowerCase();
if (ext == "com") continue;
if (ext == "pif") continue;
if (ext == "exe") continue;
if (ext == "bat") continue;
if (ext == "scr") continue;
if (ext == "dos") continue;
if (ext == "386") continue;
if (ext == "cpl") continue;
if (ext == "sys") continue;
if (ext == "dll") continue;
if (ext == "drv") continue;
if (ext == "rb") continue;
if (ext == "py") continue;
if (ext == "pl") continue;
if (ext == "crds") continue;
if (ext == "crd") continue;
if (ext == "pml") continue;
if (ext == "pmc") continue;
try { oFso.CreateFolder("DLLAudit\\ext\\" + ext); } catch(e) { }
try {
var a = oFso.CreateTextFile("DLLAudit\\ext\\" + ext + "\\exploit." + ext);
a.WriteLine("HOWDY!");
a.Close();
} catch(e) { }
total++;
}
print_status("Created " + total + " test cases");
var procs = process_list();
print_status("Protecting " + procs.length + " processes");
var tries = 0;
var base = oFso.GetFolder("DLLAudit\\ext");
var subs = new Enumerator(base.SubFolders);
for (; !subs.atEnd(); subs.moveNext()) {
var path = subs.item() + "";
var bits = path.split("\\");
var ext = bits[bits.length - 1];
print_status("Auditing extension: " + ext);
oShl.CurrentDirectory = path + "\\";
oShl.Run("cmd.exe /c start exploit." + ext, 0);
WScript.Sleep(500);
var nprocs = process_list();
var cnt = 0;
while(nprocs.length == procs.length && cnt < 2) {
cnt++;
WScript.Sleep(500);
nprocs = process_list();
}
// If an application spawned, give it three seconds
// This helps with ProcMon memory usage as well
if (nprocs.length > procs.length) {
WScript.Sleep(3000);
}
var killer = "taskkill /F ";
for (var i=0; i < nprocs.length; i++) {
var found = false;
for (var x=0; x < procs.length; x++) {
if (nprocs[i] == procs[x]) {
found = true;
break;
}
}
if (found) continue;
killer = killer + "/PID " + nprocs[i] + " ";
}
oShl.Run(killer, 0, true);
tries++;
if (tries % pause_interval == 0) {
print_status("Completed " + tries + " extensions, hit enter to continue.")
WScript.Stdin.ReadLine();
print_status("Continuing...")
}
}
print_status("Data collection phase complete, export Logfile.CSV from ProcMon.")