Adding unicode/non-printable service tool
We can create services using Unicode and/or non-printable characters that function as intended but don't show in Task Manager, services.msc, sc.exe, etc., making them difficult for defenders to spot and remove. This tool allows us to check for and remove them. This is only the defensive portion. The offensive POC will be added shortly.
Showing
with
173 additions
and 0 deletions.
- +50 −0 PhantomService/PhantomService.csproj
- +25 −0 PhantomService/PhantomService.sln
- +61 −0 PhantomService/Program.cs
- +36 −0 PhantomService/Properties/AssemblyInfo.cs
- +1 −0 README.md
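--- a/PhantomService/PhantomService.csproj
+++ b/PhantomService/PhantomService.csproj
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+<PropertyGroup>
+<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+<ProjectGuid>{FF8D99A9-DF69-4DF5-8423-ADA62334C9BD}</ProjectGuid>
+<OutputType>Exe</OutputType>
+<RootNamespace>PhantomService</RootNamespace>
+<AssemblyName>PhantomService</AssemblyName>
+<TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
+<FileAlignment>512</FileAlignment>
+<Deterministic>true</Deterministic>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+<PlatformTarget>AnyCPU</PlatformTarget>
+<DebugSymbols>true</DebugSymbols>
+<DebugType>full</DebugType>
+<Optimize>false</Optimize>
+<OutputPath>bin\Debug\</OutputPath>
+<DefineConstants>DEBUG;TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+<PlatformTarget>AnyCPU</PlatformTarget>
+<DebugType>pdbonly</DebugType>
+<Optimize>true</Optimize>
+<OutputPath>bin\Release\</OutputPath>
+<DefineConstants>TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+</PropertyGroup>
+<ItemGroup>
+<Reference Include="System" />
+<Reference Include="System.Configuration.Install" />
+<Reference Include="System.Core" />
+<Reference Include="System.ServiceProcess" />
+<Reference Include="System.Xml.Linq" />
+<Reference Include="System.Data.DataSetExtensions" />
+<Reference Include="Microsoft.CSharp" />
+<Reference Include="System.Data" />
+<Reference Include="System.Xml" />
+</ItemGroup>
+<ItemGroup>
+<Compile Include="Program.cs" />
+<Compile Include="Properties\AssemblyInfo.cs" />
+</ItemGroup>
+<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project>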
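--- a/PhantomService/PhantomService.sln
+++ b/PhantomService/PhantomService.sln
@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.29326.143
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PhantomService", "PhantomService.csproj", "{FF8D99A9-DF69-4DF5-8423-ADA62334C9BD}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Debug|Any CPU = Debug|Any CPU
+Release|Any CPU = Release|Any CPU
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{FF8D99A9-DF69-4DF5-8423-ADA62334C9BD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+{FF8D99A9-DF69-4DF5-8423-ADA62334C9BD}.Debug|Any CPU.Build.0 = Debug|Any CPU
+{FF8D99A9-DF69-4DF5-8423-ADA62334C9BD}.Release|Any CPU.ActiveCfg = Release|Any CPU
+{FF8D99A9-DF69-4DF5-8423-ADA62334C9BD}.Release|Any CPU.Build.0 = Release|Any CPU
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+GlobalSection(ExtensibilityGlobals) = postSolution
+SolutionGuid = {0B98B26A-1374-479D-8E83-8146E519ABC4}
+EndGlobalSection
+EndGlobal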
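--- a/PhantomService/Program.cs
+++ b/PhantomService/Program.cs
@@ -0,0 +1,61 @@
+using System;
+using System.ServiceProcess;
+using System.Text;
+using System.Configuration.Install;
+using System.ComponentModel;
+
+namespace PhantomService
+{
+class Program
+{
+public static void Main(string[] args)
+{
+string usage = "PhantomService.exe (audit|remove)";
+if (args.Length == 1 && args[0].ToLower() == "audit")
+{
+RemovePhantomServices(false);
+}
+else if (args.Length == 1 && args[0].ToLower() == "remove")
+{
+RemovePhantomServices(true);
+}
+else
+{
+Console.WriteLine(usage);
+}
+
+}
+
+static void RemovePhantomServices(bool remove)
+{
+Console.OutputEncoding = Encoding.Unicode;
+ServiceController[] services = ServiceController.GetServices();
+
+foreach (ServiceController service in services)
+{
+string serviceName = service.ServiceName;
+
+if (Encoding.UTF8.GetByteCount(serviceName) != serviceName.Length)
+{
+Console.WriteLine("[*] Found non-ASCII service: " + service.ServiceName);
+if (remove)
+{
+try
+{
+ServiceInstaller ServiceInstallerObj = new ServiceInstaller();
+InstallContext Context = new InstallContext(null, null);
+ServiceInstallerObj.Context = Context;
+ServiceInstallerObj.ServiceName = service.ServiceName;
+ServiceInstallerObj.Uninstall(null);
+Console.WriteLine();
+}
+catch (Win32Exception w)
+{
+Console.WriteLine("[-] Failed to remove {0} -> {1}", service.ServiceName, w.Message);
+}
+}
+}
+}
+}
+}
+}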
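Review bot: The test `Encoding.UTF8.GetByteCount(serviceName) != serviceName.Length` in RemovePhantomServices only catches characters outside ASCII, so a service name containing ASCII control characters (below 0x20, or 0x7F), which UTF-8 encodes as one byte each, is never reported even though the commit description covers non-printable names. A check such as `if (Array.Exists(serviceName.ToCharArray(), c => c < 0x20 || c > 0x7E))` covers both cases without a new using directive. In `remove` mode every match is uninstalled with no confirmation, so a legitimately localized service name would be deleted too; listing the name's code points in the audit line and asking for confirmation per service would make removal safer. The success path prints only an empty `Console.WriteLine()`, and only `Win32Exception` is caught, so any other exception from `Uninstall` (it is documented to throw `InstallException` as well) would presumably end the scan before the remaining services are checked.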
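--- a/PhantomService/Properties/AssemblyInfo.cs
+++ b/PhantomService/Properties/AssemblyInfo.cs
@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("PhantomService")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("PhantomService")]
+[assembly: AssemblyCopyright("Copyright © 2020")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components. If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("ff8d99a9-df69-4df5-8423-ada62334c9bd")]
+
+// Version information for an assembly consists of the following four values:
+//
+// Major Version
+// Minor Version
+// Build Number
+// Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]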
0 comments on commit
089c1db