using System;
using System.Collections.Generic;
using System.Management;
using System.Net.NetworkInformation;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Session;
namespace Wonk
{
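class Program
{
    // Process name whose instances get enumerated and killed. The WQL filter in
    // GatherProcs is built only from this compile-time constant, so there is no
    // WQL-injection surface; do not replace it with user-controlled input without
    // validating/escaping the value first.
    private const string TargetProcessName = "taskhost.exe";

    /// <summary>
    /// Entry point. Requires an elevated token that is a member of the local
    /// Administrators group: the real-time ETW session in <see cref="EventTracing"/>
    /// and process termination in <see cref="Wonked"/> both fail without it.
    /// </summary>
    public static async Task Main()
    {
        Banner.PrintBanner();
        if (!IsAdministrator())
        {
            Console.WriteLine("Make sure you have the right privs noob");
            return;
        }

        IDictionary<string, string> remoteConnections = GatherConns();
        // Baseline snapshot of the target processes. Currently unused by Wonked,
        // which re-queries; kept until the TODO below is resolved.
        List<Utils.UserProc> usernames = GatherProcs();
        List<int> eventIDs = await EventTracing();
        // TODO Wonk the user
        await Wonked(eventIDs, remoteConnections);
    }

    /// <summary>
    /// True when the current process token is a member of the local Administrators
    /// group. This is NOT a check for the built-in Administrator account (the old
    /// comment was misleading): it is group membership on the *current* token. Under
    /// UAC a non-elevated admin runs with a filtered token and this returns false,
    /// which is the desired result because ETW real-time sessions need full elevation.
    /// </summary>
    private static bool IsAdministrator()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            var principal = new WindowsPrincipal(identity);
            return principal.IsInRole(WindowsBuiltInRole.Administrator);
        }
    }

    /// <summary>
    /// Snapshots the active TCP connections whose local port is a declared member of
    /// <see cref="Utils.RemotePorts"/>. Keys are the local endpoint ("ip:port"),
    /// values the local port as a string.
    /// </summary>
    /// <remarks>
    /// Two fixes over the previous version: it parsed the whole "ip:port" string as
    /// an enum name, which can never match a C# identifier, so nothing was ever
    /// recorded; and <see cref="Enum.TryParse{TEnum}(string, out TEnum)"/> accepts ANY
    /// integer string, so <see cref="Enum.IsDefined"/> is required to restrict the
    /// match to declared members. Assumes RemotePorts members are numbered by port
    /// — confirm against Utils. Despite the name, only the local endpoint is stored;
    /// the peer (RemoteEndPoint) is not captured yet.
    /// TODO Change to Use events to keep track of this. global value?
    /// </remarks>
    private static IDictionary<string, string> GatherConns()
    {
        var remoteConnections = new Dictionary<string, string>();
        // https://learn.microsoft.com/en-us/dotnet/api/system.net.networkinformation.ipglobalproperties.getactivetcpconnections?view=net-7.0#system-net-networkinformation-ipglobalproperties-getactivetcpconnections
        IPGlobalProperties properties = IPGlobalProperties.GetIPGlobalProperties();
        foreach (TcpConnectionInformation connection in properties.GetActiveTcpConnections())
        {
            int port = connection.LocalEndPoint.Port;
            if (!Enum.TryParse(port.ToString(), out Utils.RemotePorts parsed)
                || !Enum.IsDefined(typeof(Utils.RemotePorts), parsed))
            {
                continue;
            }
            // Several connections can share one local endpoint (sockets accepted on the
            // same listener); Dictionary.Add would throw on the second, so overwrite.
            remoteConnections[connection.LocalEndPoint.ToString()] = port.ToString();
        }
        return remoteConnections;
    }

    /// <summary>
    /// Lists every running process named <see cref="TargetProcessName"/> together
    /// with the account name that owns it (the domain is discarded). Processes whose
    /// owner cannot be resolved — GetOwner returns non-zero, e.g. access denied or
    /// the process exited between the query and the call — are reported on stderr
    /// and skipped instead of being dropped silently.
    /// </summary>
    private static List<Utils.UserProc> GatherProcs()
    {
        // The call to InvokeMethod below will fail if the Handle property is not retrieved.
        string[] propertiesToSelect = { "Handle", "ProcessId" };
        // Constant-only concatenation: the resulting WQL is identical to the literal
        // "Name = 'taskhost.exe'" and contains no external input.
        var processQuery = new SelectQuery("Win32_Process", "Name = '" + TargetProcessName + "'", propertiesToSelect);
        var users = new List<Utils.UserProc>();

        using (var searcher = new ManagementObjectSearcher(processQuery))
        using (ManagementObjectCollection processes = searcher.Get())
        {
            foreach (ManagementObject process in processes)
            {
                // Each ManagementObject wraps a COM object; release it per iteration.
                using (process)
                {
                    object[] outParameters = new object[2];
                    uint result = (uint)process.InvokeMethod("GetOwner", outParameters);
                    if (result != 0)
                    {
                        Console.Error.WriteLine($"GetOwner returned {result} for pid {process["ProcessId"]}; skipping");
                        continue;
                    }
                    string username = (string)outParameters[0];
                    // string domain = (string)outParameters[1];
                    uint processId = (uint)process["ProcessId"];
                    users.Add(new Utils.UserProc(username, processId));
                }
            }
        }
        return users;
    }

    /// <summary>
    /// Opens a real-time ETW session named "WonkWatch", enables every provider listed
    /// by <see cref="Utils.GenProvidersEvents"/>, and returns the IDs of the events
    /// that matched a (provider name, event ID) pair. Returns once the first match
    /// has arrived and the session has been torn down.
    /// </summary>
    /// <remarks>
    /// Fixes over the previous version:
    /// (1) the third argument of EnableProvider is the keyword mask, not an event ID;
    ///     passing the ID silently filtered events by unrelated keyword bits. All
    ///     keywords are enabled and the ID filter lives in the callback. (If the
    ///     TraceEvent version in use exposes TraceEventProviderOptions.EventIDsToEnable,
    ///     that is the cheaper kernel-side filter.)
    /// (2) SetResult threw InvalidOperationException on the second matching event;
    ///     TrySetResult is idempotent.
    /// (3) shutdown relied on an unrelated CLR event disposing the session from inside
    ///     a callback while Process() was still running. Process() is now unblocked
    ///     explicitly with StopProcessing() and the session disposed on the normal path.
    /// The session is a kernel-side object: if this process dies before Dispose runs,
    /// the leftover must be removed with "logman stop WonkWatch -ets".
    /// </remarks>
    private static async Task<List<int>> EventTracing()
    {
        List<Tuple<string, int>> providersAndEvents = Utils.GenProvidersEvents();
        var eventIDs = new List<int>();
        var firstMatch = new TaskCompletionSource<bool>(TaskCreationOptions.RunContinuationsAsynchronously);

        using (var session = new TraceEventSession("WonkWatch"))
        {
            foreach (var providerAndEvent in providersAndEvents)
            {
                // ulong.MaxValue = every keyword; event IDs are matched in the callback.
                session.EnableProvider(providerAndEvent.Item1, TraceEventLevel.Verbose, ulong.MaxValue);
            }

            // Runs on the ETW dispatch thread while Process() is active.
            session.Source.Dynamic.All += delegate (TraceEvent data)
            {
                int id = (int)data.ID;
                foreach (var providerAndEvent in providersAndEvents)
                {
                    if (data.ProviderName == providerAndEvent.Item1 && id == providerAndEvent.Item2)
                    {
                        ProcessEventIDs(data, eventIDs);
                        firstMatch.TrySetResult(true);
                    }
                }
            };

            // Process() blocks until StopProcessing() is called, so run it off-thread
            // and release it once the first matching event has been recorded (or if
            // processing ends on its own, e.g. the session was stopped externally).
            Task processing = Task.Run(() => session.Source.Process());
            await Task.WhenAny(firstMatch.Task, processing);
            session.Source.StopProcessing();
            // Awaiting the processing task also orders our read of eventIDs after the
            // dispatch thread's last Add.
            await processing;
        }
        return eventIDs;
    }

    /// <summary>
    /// Records the ID of a matched event. Invoked on the ETW dispatch thread only;
    /// the list is read by the caller after processing has stopped.
    /// </summary>
    private static void ProcessEventIDs(TraceEvent data, List<int> eventIDs)
    {
        eventIDs.Add((int)data.ID);
    }

    /// <summary>
    /// Terminates every process returned by <see cref="GatherProcs"/>.
    /// </summary>
    /// <remarks>
    /// Both parameters are currently ignored: every process matching
    /// <see cref="TargetProcessName"/> is killed regardless of which user or
    /// connection produced the triggering event. Until the event payload is
    /// correlated to a session/owner (TODO), this is indiscriminate — on a
    /// multi-user host it affects everyone, not only the offending user.
    /// A failing Kill() (process already gone, access denied, ...) is logged and
    /// the remaining processes are still attempted instead of aborting the loop;
    /// the catch is broad because UserProc.Kill's exception contract is not
    /// visible from this file.
    /// </remarks>
    /// <returns>Always 0.</returns>
    private static Task<int> Wonked(List<int> eventIDs, IDictionary<string, string> remote_connections)
    {
        // kill the main process of the users connection
        foreach (Utils.UserProc process in GatherProcs())
        {
            try
            {
                process.Kill();
            }
            catch (Exception ex)
            {
                Console.Error.WriteLine($"Kill failed: {ex.Message}");
            }
        }
        return Task.FromResult(0);
    }
}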
}