Introducing ProcMon, "Hack" software process
TSTullamarine
post Jul 24 2020, 04:42 PM, updated 2y ago

Getting Started
**
Validating
163 posts

Joined: Apr 2020
I saw two hacking threads on this forum this afternoon and thought I would share something in addition to disassembling/decompiling. Microsoft SysInternals understands how the underlying stuff works in the Windows kernel; they have the powerful ProcMon (monitor and dump process activity) and PortMon (monitor and dump serial/parallel port incoming/outgoing data).

I am far from being a hacker, but I think hacking software means looking not just at what it is, but at what it does, too.
Normally we hex dump the binary file. But ProcMon allows us to monitor and dump a Windows process.

Let's get started.

What is ProcMon?

QUOTE
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon,


Download: https://docs.microsoft.com/en-us/sysinterna...wnloads/procmon
(SysInternals was acquired by Microsoft a long time ago)

So I want to show you how to "hack" a software process; I take the "Run as admin" compatibility setting as an example (I will try to change the Properties of the Google chrome.exe app shortcut).

Normally users need to open the Properties of the app shortcut, go to Compatibility, and tick "Run as administrator" to enable it, as the pic shown below:


But what if you want this to be done programmatically? How do we know what Windows does when we tick "Run as administrator"? Here is where ProcMon comes in handy.

You need to actually open the app shortcut, go to Compatibility, tick "Run as administrator", then click "OK" to commit changes.

Spot on! The changes to this particular registry key look like what Windows did to enable "Run as admin", as the pic shown below:

Similar to disassembling / decompiling, you need patience to find out which info is really useful and get rid of the rest.
CODE
9364 RegCreateKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags SUCCESS Desired Access: Write, Query Value, Enumerate Sub Keys, Disposition: REG_OPENED_EXISTING_KEY
9364 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags SUCCESS
9364 RegCreateKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers SUCCESS Desired Access: Write, Query Value, Enumerate Sub Keys, Disposition: REG_OPENED_EXISTING_KEY
9364 RegSetValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\Program Files (x86)\Google\Chrome\Application\chrome.exe SUCCESS Type: REG_SZ, Length: 26, Data: ~ RUNASADMIN
9364 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers SUCCESS


So I went to RegEdit and found exactly the registry key that had been written to, as the pic shown below:

Then we can write code to do that (enable / disable RunAsAdmin for all shortcuts of a particular app) programmatically:

Sample code in C# .NET
CODE
using System;
using System.Security.AccessControl;
using Microsoft.Win32;

class RunAsAdminToggle
{
    // Key and value name exactly as ProcMon showed them being written
    const string LayersKey = @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers";
    const string ChromeExe = @"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe";

    static void Main()
    {
        Console.Write("Press 1 to RunAsAdmin, Press 0 to disable RunAsAdmin: ");
        string input = Console.ReadLine();
        RegistryKey key;

        if (input == "1")
        {
            // Writing under HKLM needs an elevated process; OpenSubKey returns null if the key is missing
            key = Registry.LocalMachine.OpenSubKey(LayersKey, true);
            key.SetValue(ChromeExe, "~ RUNASADMIN");   // REG_SZ "~ RUNASADMIN" = Run as administrator
            key.Close();
        }
        else if (input == "0")
        {
            //Registry.SetValue(@"HKEY_LOCAL_MACHINE\" + LayersKey, ChromeExe, "");
            key = Registry.LocalMachine.OpenSubKey(LayersKey, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.SetValue);
            //key.DeleteValue(ChromeExe);   // removing the value entirely also works
            key.SetValue(ChromeExe, "");    // blank the layer string to disable it
            key.Close();
        }
    }
}


If you do not already know, I hope this info would be useful for you..... Happy "hacking".
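An added example (not code from the post): a small Python parser over constructed ProcMon-style lines, in the format of the capture above, that flags successful RegSetValue writes under AppCompatFlags\Layers and pulls out the executable and the layer flags. This is the kind of check you would run over a ProcMon export to spot "Run as administrator" being set, since an HKLM entry changes how that program launches for every user; it goes beyond the post by also matching the per-user HKCU Layers key.

```python
import re

# Constructed ProcMon-style lines (PID, operation, path, result, detail) modelled on the
# post's capture; sample data, not a real capture.
SAMPLE_LINES = [
    "9364 RegCreateKey HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers SUCCESS Desired Access: Write",
    "9364 RegSetValue HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe SUCCESS Type: REG_SZ, Length: 26, Data: ~ RUNASADMIN",
    "9364 RegCloseKey HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers SUCCESS",
    "4120 RegSetValue HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers\\C:\\Tools\\example.exe SUCCESS Type: REG_SZ, Length: 40, Data: ~ WINXPSP3 RUNASADMIN",
    "4120 RegSetValue HKCU\\Software\\Example\\Settings\\Flag SUCCESS Type: REG_DWORD, Length: 4, Data: 1",
]

# Matches RegSetValue on <hive>\...\AppCompatFlags\Layers\<exe path>; the value name is the exe path.
LAYERS_RE = re.compile(
    r"^(?P<pid>\d+)\s+RegSetValue\s+(?P<hive>HKLM|HKCU)\\Software\\Microsoft\\Windows NT"
    r"\\CurrentVersion\\AppCompatFlags\\Layers\\(?P<exe>.+?)\s+(?P<result>\S+)\s+"
    r"Type:\s*(?P<type>\w+),\s*Length:\s*\d+,\s*Data:\s*(?P<data>.*)$",
    re.IGNORECASE,
)


def parse_layer_writes(lines):
    """One dict per RegSetValue that writes a compatibility-layer entry."""
    hits = []
    for line in lines:
        m = LAYERS_RE.match(line)
        if not m:
            continue
        # Layer data looks like "~ RUNASADMIN" or "~ WINXPSP3 RUNASADMIN": "~" is a
        # marker, the remaining tokens are the layers applied to that executable.
        flags = [t for t in m.group("data").split() if t != "~"]
        hits.append({"pid": int(m.group("pid")), "hive": m.group("hive").upper(),
                     "exe": m.group("exe"), "result": m.group("result"), "flags": flags})
    return hits


def find_runasadmin(lines):
    """Successful writes that set RUNASADMIN; HKLM entries apply to every user."""
    return [h for h in parse_layer_writes(lines)
            if h["result"] == "SUCCESS" and "RUNASADMIN" in h["flags"]]


if __name__ == "__main__":
    for h in find_runasadmin(SAMPLE_LINES):
        print(f'PID {h["pid"]}: {h["hive"]} layer {" ".join(h["flags"])} for {h["exe"]}')
```

ProcMon's "Save as CSV" export puts these fields in separate columns, so on a real export you would split on the columns instead of the single regex.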
matiko95
post Jul 24 2020, 04:56 PM

Enthusiast
*****
Senior Member
910 posts

Joined: Dec 2006
Thanks. I've always done simple browser hijacking on my friend's laptop.

TSTullamarine
post Jul 24 2020, 08:56 PM

Getting Started
**
Validating
163 posts

Joined: Apr 2020
QUOTE(matiko95 @ Jul 24 2020, 04:56 PM)
Thanks. I've always done simple browser hijacking on my friend's laptop.
*
Cool!
TSTullamarine
post Mar 20 2023, 10:47 PM

Getting Started
**
Validating
163 posts

Joined: Apr 2020
Sysinternals also has other good tools, like PortMon and SysMon, besides the ProcMon introduced in this topic.
