(This post was last modified: 02 October, 2024 - 06:04 PM by fireworks. Edited 1 time in total.)
There is a computer with a clean copy of Windows, no internet access and no development tools installed. Just one clean user, "venda". You won't believe it, but even in such Spartan conditions it is possible to write and run a full-fledged program. And now I will tell you how.
[Image: fe580dba685bd8bb82eaa625cbfbd7d7.png]
For this screenshot, I honestly deployed a custom version of Windows 11 in a virtual machine. What wouldn't you do for art!

The Horrors of Knowledge

In fact, the Windows family of operating systems has had so many interesting things inside since the very beginning that no article would be enough to describe them, so there will be many releases ;)

But for some reason, few people know about this, even among developers, especially modern ones.

Just for fun, ask your developer friends if it is possible to program on a “clean” user Windows without installing Visual Studio - you will be surprised by the answers.

And of course, the "user" approach imposed by Microsoft itself, which, to put it mildly, has never encouraged poking around in the insides of its products, has created a kind of aura of simplicity and reliability, with no need to understand how anything works inside.

Therefore, what is described below will probably cause a certain horror among both ordinary users and some developers - especially if they were trained using video courses and do not know anything about the history of the Windows OS.

I'll start with a quote from an interesting article: https://learn.microsoft.com/en-us/archiv...-of-the-os

Over the past few months, I've received several variations on this question for other operating systems and all of the released versions of the .NET Framework. When the .NET Framework is installed as a part of the OS, it does not appear in the Programs and Features (or Add/Remove Programs) control panel. The following is a complete list of which version of the .NET Framework is included in which version of the OS

And below it is a long list of versions. And here is another one, if the first was not enough: https://learn.microsoft.com/en-us/dotnet...pendencies

Well, it would seem so... what? What's wrong with that?

Everyone already knows about the .NET SDK; sometimes it needs to be installed "to run games", sometimes it installs itself as a dependent library and doesn't bother anyone.

That's all true, yes.

But something tells me you haven't looked inside, have you? So you have no idea what this thing is actually capable of.

I do, and I will tell you about it now.

Go to the Windows folder on your computer, here:
[Image: 6ad7ff8c589e0ff86484014f2647034a.png]
This screenshot is from Windows 10, which uses the system .NET SDK 3.5; Windows 11 will have 4.0.

The csc.exe file is a real compiler, essentially a portal to hell on your regular home computer.

Why is everything so scary?

Because after some time you will find yourself very overgrown, with a beard and red eyes, spending nights at the computer and slowly mutating into a programmer.

Kidding.

But seriously:

it becomes possible to create native programs directly on your computer, bypassing the stages of signature checking, antivirus checking, mail checking, and so on.

Unlike VB or PowerShell scripts, which any decent antivirus analyzes before launch, antiviruses do not analyze the source code of C# programs and are much more lenient towards programs compiled locally on the same machine.

So the fun begins.
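From the defender's side, the interesting fact in the paragraphs above is simply that the in-box compiler exists and can be driven by any interactive user. The practical response is to make its use visible: with "Audit Process Creation" enabled (Security event 4688, ideally with the "include command line" policy switched on) or Sysmon event 1, every launch of csc.exe is recorded together with its parent process, and a compile started from explorer.exe or cmd.exe on a workstation that has no build tooling stands out from compiles started by MSBuild or Visual Studio. The following is an added example written for this post, not code from the original article: it parses constructed process-creation records in a simplified key="value" form modelled on event 4688 (the field names NewProcessName, ParentProcessName and CommandLine are the real 4688 names; the one-line layout is my own) and flags csc.exe launches whose parent is not in a small allowlist of build hosts. It compiles with the same in-box compiler the post describes.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added detection example, not code from the original post. Scans constructed
// process-creation records and flags csc.exe launched by anything other than a
// recognised build host.
class CscDetector
{
    // Parents that routinely drive csc.exe; extend per environment.
    static readonly HashSet<string> KnownBuildHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "msbuild.exe", "devenv.exe", "vbcscompiler.exe" };

    static readonly Regex FieldPattern = new Regex("(\\w+)=\"([^\"]*)\"");

    // Parse one key="value" record into a case-insensitive dictionary.
    public static Dictionary<string, string> Parse(string record)
    {
        var fields = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (Match m in FieldPattern.Matches(record))
            fields[m.Groups[1].Value] = m.Groups[2].Value;
        return fields;
    }

    // Last path component, accepting either separator.
    static string BaseName(string path)
    {
        int i = path.LastIndexOfAny(new[] { '\\', '/' });
        return i < 0 ? path : path.Substring(i + 1);
    }

    // True when the record is a csc.exe launch from an unexpected parent.
    public static bool IsSuspicious(Dictionary<string, string> rec)
    {
        string image, parent;
        if (!rec.TryGetValue("NewProcessName", out image)) return false;
        if (!BaseName(image).Equals("csc.exe", StringComparison.OrdinalIgnoreCase)) return false;
        if (!rec.TryGetValue("ParentProcessName", out parent)) return true; // no parent: cannot vouch for it
        return !KnownBuildHosts.Contains(BaseName(parent));
    }

    static void Main()
    {
        // Constructed sample records (not real logs).
        string[] sample =
        {
            "EventID=\"4688\" NewProcessName=\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\" ParentProcessName=\"C:\\Windows\\explorer.exe\" CommandLine=\"csc.exe yoba.cs\"",
            "EventID=\"4688\" NewProcessName=\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\" ParentProcessName=\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe\" CommandLine=\"csc.exe /out:app.exe app.cs\"",
            "EventID=\"4688\" NewProcessName=\"C:\\Windows\\System32\\notepad.exe\" ParentProcessName=\"C:\\Windows\\explorer.exe\" CommandLine=\"notepad.exe yoba.cs\""
        };

        foreach (string line in sample)
        {
            var rec = Parse(line);
            if (IsSuspicious(rec))
                Console.WriteLine("ALERT: csc.exe spawned by {0}: {1}",
                    rec["ParentProcessName"], rec["CommandLine"]);
        }
        // Only the first record is reported: csc.exe under explorer.exe.
    }
}
```

Two caveats when turning this into a real rule. PowerShell's Add-Type also compiles through csc.exe, with powershell.exe as the parent, so administrative scripts will produce hits that need their own allowlisting. And the author's claim that antivirus is "lenient" towards locally compiled binaries should not be over-read: the compiler writes an ordinary PE file to disk, which real-time scanning inspects on creation and execution like any other executable; what the local build avoids is reputation and signature checks, not scanning. Where standard users have no business compiling, AppLocker or WDAC rules can deny csc.exe outright.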

A simple example
To begin with, there will be a simple example that just shows a standard dialog with a message. It is this program, running, that you can see in the title image of the article.

Source from someone who recorded the entire process from code to launch on video:
https://www.youtube.com/watch?v=Dg6sUY88NPg

The source code here would seem to be as simple as possible, but with one interesting nuance, which is discussed below:

Hidden Content

Save this text in a regular notepad into the yoba.cs file and run the build:

Hidden Content

Here I ran the build on Windows 10, but keep in mind that the version of the system .NET SDK may differ; for example, in Windows 11 it will already be:

Hidden Content

After the build, next to the original yoba.cs file there will also be an executable binary, yoba.exe, that you can run.

Now about the nuance.

Nuance
There is a certain prejudice against managed languages like Java and C#: that they are not suitable for serious work like writing exploits, exploiting zero-day vulnerabilities and kernel penetration.
explanation: https://en.wikipedia.org/wiki/Zero-day_vulnerability

That all such things are done in deep secrecy in pure C, or at most in C++, and all these Java/C# of yours are nothing more than “rattles for children”, not worthy of even a sidelong glance from a serious professional.

This is where the nuance begins; look at this joy:

[DllImport("user32.dll")]
public static extern int MessageBox(IntPtr hWnd,
    string lpText, string lpCaption, uint uType);

This, my dear readers, is nothing more than a call to the native WinAPI, with the help of which they did all sorts of bad things in the distant 90s.

C# and .NET have a very deep integration with Windows, despite all its “security” and manageability, so it can easily and simply replace both C and C++ as a tool for bad deeds.

And it lives on your computer, at home and in the office, with permanent registration and residence.

But of course such a simple example is not enough to understand the depth of the problem, so I have prepared something more serious.

Complex example: turning off Windows
So, it will be a relatively small C# application that will shut down the computer without warning or confirmation from the user. And of course, without administrator rights.

Just like that, suddenly.

I think each reader will be able to assess the consequences for themselves.

The whole process is on video (of course, this is a virtual machine):

https://www.youtube.com/watch?v=E2RnqDXpQWw

And now the code:

Hidden Content

Please note that this is not an exploit, a hole, a bug or a vulnerability, but completely standard functionality. It just so happens that few people know about it.

It is assembled in the same way as the previous example:


Hidden Content

After starting, the computer will shut down almost immediately: tested both in a virtual machine and on hardware, on Windows 10 and 11.

I'll tell you how it works.

The key function is ExitWindowsEx, which is responsible for shutting down the OS. This function is very old and well-known; it has existed since Windows 95.
source: https://learn.microsoft.com/en-us/window...twindowsex

But to call it, you need "privileges", which are set programmatically by the TokenHelper class.

Constants below:

Hidden Content

are used in conjunction with "bitwise or" to indicate the desired action.
source: https://learn.microsoft.com/en-us/dotnet...r-operator-

Here are some other acceptable options:


Hidden Content

The description of all of them is still there, in the official manual, believe it or not.
source: https://learn.microsoft.com/en-us/window...twindowsex

Now let's figure out how such a blunt override of the protection system works, again using standard means:

Hidden Content

And we'll start with imports.

The first thing imported is the OpenProcessToken function:
source: https://learn.microsoft.com/en-us/window...ocesstoken

Hidden Content

The function is responsible for obtaining data about the set of "privileges" associated with a specific process. The set of such privileges is actually called a "token".

Here's how this function is called:

Hidden Content

Here it is worth noting the C-style pass by reference (ref hToken): a reference to a C# object is passed to the function, and the function fills that object with data. The function itself simply returns true or false, the execution status, i.e. whether it worked or not.

Next, a simple and banal resource release function is imported:
source: https://learn.microsoft.com/en-us/window...losehandle

Hidden Content

It is called at the very end, after all the logic, and is only needed to free up the memory used for the privilege token:

Hidden Content

Finally, the main function, directly responsible for switching privileges:
source: https://learn.microsoft.com/en-us/window...privileges

Hidden Content

Here is the entire key block of privilege change logic:

Hidden Content

As you can see, the call is quite complex, using the C procedural approach to filling the structure fields and passing it by reference to the called function.

After the call, the presence of an error is checked, also in C style:

Hidden Content

A return code of 0 means the call succeeded; if that is what comes back, the privilege change operation is considered successful.

Finally, the last function worth talking about:
source: https://learn.microsoft.com/en-us/window...legevaluea

Hidden Content

It is responsible for looking up a privilege by name; I suppose you noticed that we pass a certain code name when calling TokenHelper:

Hidden Content

This function looks up the specific privilege named "SeShutdownPrivilege"; this is what its call looks like:

Hidden Content

The variable bEnablePrivilege is a boolean; this is the same true passed as the second argument. And the block:


Hidden Content

is responsible for forming the correct call using system constants (SE_PRIVILEGE_ENABLED).

The call also passes a reference (ref tLUID) to the LUID object, which after the call will hold the identifier of the privilege that was found.

That's how things are.
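One point the walkthrough above leaves implicit deserves to be spelled out, because it decides how a defender responds. AdjustTokenPrivileges cannot grant a privilege: it can only switch between enabled and disabled a privilege that is already present in the token (asking for an absent one fails with ERROR_NOT_ALL_ASSIGNED). The shutdown works without administrator rights because the user right "Shut down the system" (SeShutdownPrivilege) is assigned by default to the Users group on workstations, so every interactive user's token already carries it, disabled. The mitigation is therefore a policy change, not a patch: remove Users from that right under Local Policies > User Rights Assignment (or the equivalent Group Policy) on machines where an unconfirmed shutdown matters. The program below is an added example written for this post, not the TokenHelper class from the article: it uses the same OpenProcessToken and CloseHandle imports the article discusses, plus GetTokenInformation and LookupPrivilegeName, to list every privilege in the current process token with its state, and reports whether SeShutdownPrivilege is among them. It changes nothing, so it can be run on any machine to see exactly what the policy in force hands to a plain user.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

// Added example, not code from the original post: audit the privileges held
// by the current process token. Builds with the in-box compiler: csc.exe TokenAudit.cs
class TokenAudit
{
    const uint TOKEN_QUERY = 0x0008;
    const int TokenPrivilegesClass = 3;          // TOKEN_INFORMATION_CLASS.TokenPrivileges
    const uint SE_PRIVILEGE_ENABLED = 0x00000002;

    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }

    [StructLayout(LayoutKind.Sequential)]
    struct LUID_AND_ATTRIBUTES { public LUID Luid; public uint Attributes; }

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
        IntPtr TokenInformation, uint TokenInformationLength, out uint ReturnLength);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeName(string lpSystemName, ref LUID lpLuid,
        StringBuilder lpName, ref uint cchName);

    // Read the TOKEN_PRIVILEGES block of the current process token.
    static LUID_AND_ATTRIBUTES[] ReadTokenPrivileges()
    {
        IntPtr hToken;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out hToken))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        IntPtr buf = IntPtr.Zero;
        try
        {
            uint needed;
            GetTokenInformation(hToken, TokenPrivilegesClass, IntPtr.Zero, 0, out needed); // size query
            buf = Marshal.AllocHGlobal((int)needed);
            if (!GetTokenInformation(hToken, TokenPrivilegesClass, buf, needed, out needed))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            // TOKEN_PRIVILEGES: a DWORD PrivilegeCount followed by LUID_AND_ATTRIBUTES entries.
            int count = Marshal.ReadInt32(buf);
            int entrySize = Marshal.SizeOf(typeof(LUID_AND_ATTRIBUTES));
            var entries = new LUID_AND_ATTRIBUTES[count];
            for (int i = 0; i < count; i++)
            {
                IntPtr p = new IntPtr(buf.ToInt64() + 4 + (long)i * entrySize);
                entries[i] = (LUID_AND_ATTRIBUTES)Marshal.PtrToStructure(p, typeof(LUID_AND_ATTRIBUTES));
            }
            return entries;
        }
        finally
        {
            if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf);
            CloseHandle(hToken);   // release the token handle, as in the article
        }
    }

    // Resolve a LUID back to its privilege name (the inverse of LookupPrivilegeValue).
    static string PrivilegeName(LUID luid)
    {
        var sb = new StringBuilder(256);
        uint cch = (uint)sb.Capacity;
        if (!LookupPrivilegeName(null, ref luid, sb, ref cch))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return sb.ToString();
    }

    static void Main()
    {
        bool holdsShutdown = false;
        foreach (var e in ReadTokenPrivileges())
        {
            string name = PrivilegeName(e.Luid);
            bool enabled = (e.Attributes & SE_PRIVILEGE_ENABLED) != 0;
            Console.WriteLine("{0,-32} {1}", name, enabled ? "enabled" : "present, disabled");
            if (name == "SeShutdownPrivilege") holdsShutdown = true;
        }
        Console.WriteLine(holdsShutdown
            ? "SeShutdownPrivilege is in this token: AdjustTokenPrivileges could enable it."
            : "SeShutdownPrivilege is absent: AdjustTokenPrivileges cannot add it.");
    }
}
```

On a default workstation a standard user will see SeShutdownPrivilege listed as "present, disabled", which is exactly the state the article's TokenHelper flips to enabled before calling ExitWindowsEx. After the user right is withdrawn by policy and the user logs on again, the privilege disappears from the listing, and the same program from the article fails at the privilege step rather than at the shutdown.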

Total
All of this is not a call for immediate action, but merely a reason to reflect on the meaning of existence. Well, about reliability, safety and all that stuff that a large foreign corporation sells you.

Think about it if you see your favorite Windows at a nuclear power plant or military facility - without any CIA or hackers, Windows OS has a hellish mountain of functionality that can be easily and simply used for harm.

I can tell you a lot more about the world of Windows and its internal structure, so there will be more articles on this topic. And I hope at least someone will think about it, draw conclusions and understand that a "mass" product has no place in serious places where real protection and real security are needed.

This is a slightly edited version of my article; the original is available on our blog. The second part of this article is currently being prepared, where there will be a story about modern web development in the same conditions - stay tuned for announcements!
source: https://blog.0x08.ru/develop-on-windows-without-tools

0x08 Software
We are a small team of IT industry veterans, we create and refine a wide variety of software, our software automates business processes on three continents, in a wide variety of industries and conditions.