I would qualify this tool as an _advanced Proof-of-Concept_. You should think twice before using it on a real engagement. It is safe to use as long as it is __not interrupted__, which cannot be guaranteed in the presence of an EDR for instance.
It modifies important registry keys related to the Windows Update Medic service. At worst, if those registry keys are not restored properly, this service will fail to function properly, but this __will not crash__ the OS.
-
## Usage 📝
+
## 📝 Usage
Prerequisites:
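Review bot: moving the emoji in front of the heading text changes the heading's auto-generated anchor (GitHub slugs `## Usage 📝` as `#usage-` but `## 📝 Usage` as `#-usage`), so any table-of-contents entry or external link that points at the old anchor will silently stop resolving; grep the README and any linked pages for `#usage-` and `#tests-` before merging, or keep the emoji after the text.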
skipped 42 lines
[...]
```
-
## Tests 📋
+
## 📋 Tests
| Windows version | PPL-Windows | PPL-WinTcb | Observation |
-
| --- | --- | --- | --- |
-
| Windows10 22H2 Build 19045.2673 | ✔ | ✔ | N/A |
-
| Windows11 22H2 Build 22621.1344 | ⚠ | ❌ | Frequent service crash + Fake cached signature exploit does not seem to work. |
-
| Windows Server 2019 Version 1809 Build 17763.4010 | ✔ | ✔ | N/A |
-
| Windows Server 2022 Version 21H2 Build 20348.1547 | ✔ | ✔ | N/A |
| __Windows11__ 22H2 Build 22621.1344 | ⚠ | ❌ | Frequent service crash + Fake cached signature exploit does not seem to work. |
+
| __Windows Server 2019__ Version 1809 Build 17763.4010 | ✔ | ✔ | N/A |
+
| __Windows Server 2022__ Version 21H2 Build 20348.1547 | ✔ | ✔ | N/A |
-
## Known issues⚠
+
## Known issues
You get the following error because the exploit __timed out__ while trying to create a remote `TaskHandler` COM object. This is usually the sign that the target service `WaaSMedicSvc` crashed. This can be confirmed with the next message: `[!] Service WaaSMedicSvc is no longer running`. __You should try to run the tool again.__
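Review bot: in this view the `| --- | --- | --- | --- |` separator row and the Windows 10 row appear only as removed lines, while the Windows 11 and both Server rows come back bolded; confirm the new table still carries the separator row and the `Windows10 22H2 Build 19045.2673 | ✔ | ✔ | N/A` row, because without the separator GitHub renders the rows as plain text. Also, the ⚠ is dropped from `## Known issues` while `## 📝 Usage` and `## 📋 Tests` keep their emoji (moved to the front), so either use `## ⚠ Known issues` or drop the emoji from all headings for a consistent style; the Windows 11 row's "Frequent service crash" observation could also link to this section, which explains the `WaaSMedicSvc` crash and the retry advice.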
skipped 46 lines
[...]
```
-
## Build instructions
+
## Build instructions
This Visual Studio Solution comprises two projects (the executable and a payload DLL) that need to be compiled in a specific order. Everything is pre-configured, so you just have to follow these simple instructions. The compiled payload DLL is automatically embedded into the final executable.
skipped 1 lines
2. Select `Release / x64` (`x86` is not supported!).
3. `Build > Build Solution`.
-
## Credits
+
## Credits
- [@tiraniddo](https://infosec.exchange/@tiraniddo) - Injecting Code into Windows Protected Processes using COM - Part 1
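Review bot: the `-`/`+` pairs for `## Build instructions` and `## Credits` show identical text, so the change is invisible here (most likely trailing whitespace or an emoji that did not survive rendering); re-check the diff with whitespace changes shown to confirm it is intentional and that no further heading anchors move. Since the build steps are being touched in the same commit, it would also help to state next to `2. Select Release / x64 (x86 is not supported!)` whether the payload DLL project needs the x64 configuration selected separately or inherits it from the solution, given that the text says the two projects must be compiled in a specific order.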