Sunday, October 21, 2018

C# .NET Bug - Environment.CurrentDirectory does not work with escalated privileges

In an arduous session spent figuring out some production code, I discovered that Environment.CurrentDirectory does not work as expected when running with elevated privileges.

Specifically, if you set app.config so that your app runs as Administrator with a UAC prompt,
 <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
Environment.CurrentDirectory returns the location of the exe, not the current directory the exe was run from.

Super frustrating, and a bug in .NET.

Here's the simple source code:


using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

namespace TestExe
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine(Environment.CurrentDirectory);
            Console.Read();
        }
    }
}

Here's the app.config code:


<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <!-- UAC Manifest Options
            If you want to change the Windows User Account Control level replace the 
            requestedExecutionLevel node with one of the following.

        <requestedExecutionLevel  level="asInvoker" uiAccess="false" />
        <requestedExecutionLevel  level="requireAdministrator" uiAccess="false" />
        <requestedExecutionLevel  level="highestAvailable" uiAccess="false" />

            Specifying requestedExecutionLevel node will disable file and registry virtualization.
            If you want to utilize File and Registry Virtualization for backward 
            compatibility then delete the requestedExecutionLevel node.
        -->
        <requestedExecutionLevel  level="requireAdministrator" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>

  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <!-- A list of all Windows versions that this application is designed to work with. 
      Windows will automatically select the most compatible environment.-->

      <!-- If your application is designed to work with Windows Vista, uncomment the following supportedOS node-->
      <!--<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>-->

      <!-- If your application is designed to work with Windows 7, uncomment the following supportedOS node-->
      <!--<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>-->

      <!-- If your application is designed to work with Windows 8, uncomment the following supportedOS node-->
      <!--<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>-->

      <!-- If your application is designed to work with Windows 8.1, uncomment the following supportedOS node-->
      <!--<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>-->

    </application>
  </compatibility>

  <!-- Enable themes for Windows common controls and dialogs (Windows XP and later) -->
  <!-- <dependency>
    <dependentAssembly>
      <assemblyIdentity
          type="win32"
          name="Microsoft.Windows.Common-Controls"
          version="6.0.0.0"
          processorArchitecture="*"
          publicKeyToken="6595b64144ccf1df"
          language="*"
        />
    </dependentAssembly>
  </dependency>-->

</asmv1:assembly>


Here's the output from running TestExe.exe from the c:\windows\system32 directory:
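An added diagnostic, not part of the original post, for pinning down the effect described above: it reports whether the process token is actually elevated (a WindowsPrincipal check) and resolves a relative path against the exe directory instead of Environment.CurrentDirectory, refusing any result that escapes that base. The class name, the settings.json sample path and the choice of AppDomain.CurrentDomain.BaseDirectory as the anchor are my assumptions; the point for an elevated process is that relative paths should not be resolved against a working directory the relaunch chose for you.

```csharp
using System;
using System.IO;
using System.Security.Principal;

static class ElevatedPathDiagnostics
{
    // True when the process token holds the Administrators group, i.e. the UAC
    // prompt was accepted and this process is the elevated relaunch.
    public static bool IsElevated()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);
        }
    }

    // Resolve a relative path against an explicit base directory rather than
    // Environment.CurrentDirectory, and reject anything that escapes the base
    // (rooted input such as C:\other\file or a ".." walk both throw).
    public static string ResolveUnderBase(string baseDir, string relative)
    {
        string root = Path.GetFullPath(baseDir).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, relative));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Path escapes the base directory: " + relative);
        return full;
    }

    static void Main(string[] args)
    {
        string exeDir = AppDomain.CurrentDomain.BaseDirectory;
        Console.WriteLine("Elevated:            " + IsElevated());
        Console.WriteLine("CurrentDirectory:    " + Environment.CurrentDirectory);
        Console.WriteLine("Exe directory:       " + exeDir);

        // Constructed sample input: a relative file name as a user might pass on the command line.
        string relative = args.Length > 0 ? args[0] : "settings.json";
        // Naive: depends on whatever working directory the elevated relaunch ended up with.
        Console.WriteLine("Naive resolution:    " + Path.GetFullPath(relative));
        // Anchored: the same name resolved against the exe directory, independent of CurrentDirectory.
        try { Console.WriteLine("Anchored resolution: " + ResolveUnderBase(exeDir, relative)); }
        catch (ArgumentException ex) { Console.WriteLine("Rejected:            " + ex.Message); }
        Console.Read();
    }
}
```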

Thursday, October 18, 2018

PowerShell - Get all Windows file extensions from registry at HKEY_CLASSES_ROOT

Here's a PowerShell script to traverse all the keys in the registry at HKEY_CLASSES_ROOT (and the per-machine and per-user equivalents) to get all Windows file extensions, i.e. the key names that start with a dot.


#============================================================================================================================================================ 
# AUTHOR:         metadataconsult@gmail.com 
# WEBSITE:        http://metadataconsulting.blogspot.com 
# 
# SCRIPT NAME:    GetAllFileExtensions.ps1   
# DATE:           17/10/2018  
# VERSION:        1.0.0.0
# 
# SYNOPSIS:       Get all file extensions from registry at HKEY_CLASSES_ROOT  
#
#============================================================================================================================================================ 

# HKCR is not a default PSDrive; map it (skipped if a previous run already mapped it)
if (-not (Test-Path 'HKCR:\')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
$i=0
Get-ChildItem 'HKCR:\' | ForEach-Object {  

 If($_.name -Match "^HKEY_CLASSES_ROOT\\\..+") {
    $i++
    Write-Host  $_.Name.Replace("HKEY_CLASSES_ROOT\","")
 }

}
"$i file extensions in Registry @ HKEY_CLASSES_ROOT\"


$i=0
Get-ChildItem 'HKLM:\Software\Classes\' | ForEach-Object {  
 
 If($_.name -Match "^HKEY_LOCAL_MACHINE\\Software\\Classes\\\..+") {
    $i++
    Write-Host  $_.Name.Replace("HKEY_LOCAL_MACHINE\Software\Classes\","")
 }

}
"$i file extensions in Registry @ HKEY_LOCAL_MACHINE\Software\Classes\"

$i=0
Get-ChildItem 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\' | ForEach-Object {  
 
 If($_.name -Match "^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\\..+") {
    $i++
    Write-Host  $_.Name.Replace("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\","")
 }

}
"$i file extensions in Registry @ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\"
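A C# companion to the script above, added here and not part of the post: it goes one step further than listing the extension keys and resolves each extension to its ProgId and to the executable behind its default open command, flagging handlers that do not live under the Windows or Program Files directories, since a changed file association is one of the standard persistence spots to audit. The class name, the trusted-root list and the ok/REVIEW labels are my assumptions; an unquoted command line whose path contains spaces is truncated at the first space.

```csharp
using System;
using System.Linq;
using Microsoft.Win32;

static class FileAssociationAudit
{
    // Roots under which a handler executable is normally expected to live (assumption).
    static readonly string[] TrustedRoots =
    {
        Environment.GetFolderPath(Environment.SpecialFolder.Windows),
        Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles),
        Environment.GetFolderPath(Environment.SpecialFolder.ProgramFilesX86),
    };

    // Extension key (Default) -> ProgId, then ProgId\shell\open\command (Default).
    public static string GetOpenCommand(RegistryKey classes, string extension)
    {
        using (RegistryKey ext = classes.OpenSubKey(extension))
        {
            string progId = ext == null ? null : ext.GetValue(null) as string;
            if (string.IsNullOrEmpty(progId)) return null;
            using (RegistryKey cmd = classes.OpenSubKey(progId + @"\shell\open\command"))
                return cmd == null ? null : cmd.GetValue(null) as string;
        }
    }

    // Pull the executable out of a command line such as  "C:\Program Files\App\app.exe" "%1"
    public static string ExtractExecutable(string command)
    {
        string expanded = Environment.ExpandEnvironmentVariables(command.Trim());
        if (expanded.StartsWith("\""))
        {
            int close = expanded.IndexOf('"', 1);
            return close > 0 ? expanded.Substring(1, close - 1) : expanded.Substring(1);
        }
        int space = expanded.IndexOf(' ');
        return space > 0 ? expanded.Substring(0, space) : expanded;
    }

    // "%1" means the document itself is executed (exefile, batfile, ...); bare names
    // resolved through PATH are deliberately reported for review.
    public static bool IsTrustedLocation(string exe)
    {
        if (exe == "%1") return true;
        return TrustedRoots.Any(r => !string.IsNullOrEmpty(r) &&
                                     exe.StartsWith(r, StringComparison.OrdinalIgnoreCase));
    }

    static void Main()
    {
        foreach (string ext in Registry.ClassesRoot.GetSubKeyNames().Where(n => n.StartsWith(".")).OrderBy(n => n))
        {
            string command = GetOpenCommand(Registry.ClassesRoot, ext);
            if (command == null) continue;
            string exe = ExtractExecutable(command);
            Console.WriteLine("{0,-12} {1,-7} {2}", ext, IsTrustedLocation(exe) ? "ok" : "REVIEW", exe);
        }
    }
}
```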


Tuesday, October 16, 2018

Apple Phishing Email - Re: RE : [ Attentions Report Session ] [ Reminder Supports ] Your Details Accounts Has Been Locked Sessions

For the record, this is an Apple phishing email attempt that is currently going around and has made it through spam filters. What to do? Report it; see the bottom of the page.


From: Apple Support
Subject: Re: RE : [ Attentions Report Session ] [ Reminder Supports ] Your Details Accounts Has Been Locked Sessions
It contains an infected DOCX file: Apple-SupportIDAlert-ID1.8.docx

Phishing links:

1. https://lihi.cc/iEPYq expands to https://secureserviced.serveirc.com/Auths

How to tell this is a phishing email?

  1. Check the sender's email address in full; if it's not from the originating company, it's phishing.
  2. Hover over all links in the email; if they don't point to the apple.com site, forget it.
  3. The best way is to look at the message source, see below.

How to examine the email message source?

Now let's look at the message source:
  1. Outlook.com->Actions->View Message Source.
  2. Gmail.com->More (down arrow at top right)->Show original.
Check for suspicious links: anything that does not originate from apple.com.
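An added example, not part of the post, that automates the two manual checks above against a constructed message source: it compares the domain of the From, Return-Path and Reply-To headers with the expected sender domain and lists every href whose host is not apple.com or a subdomain of it. The sample headers and the short.example / example.net / example.org addresses are constructed stand-ins, not data from the real email.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

static class MessageSourceCheck
{
    // Constructed sample message source: the display From looks right, the rest does not.
    public const string SampleSource =
        "Return-Path: <bounce@mailer.example.net>\r\n" +
        "From: Apple Support <no-reply@apple.com>\r\n" +
        "Reply-To: support@secure-id.example.org\r\n" +
        "Subject: Re: RE : [ Attentions Report Session ] Your Details Accounts Has Been Locked\r\n" +
        "Content-Type: text/html\r\n\r\n" +
        "<a href=\"https://short.example/xyz\">Verify now</a> " +
        "<a href=\"https://www.apple.com/legal/\">Privacy</a>";

    // Header name, full address, and the domain part of the address.
    static readonly Regex HeaderRe = new Regex(
        @"^(Return-Path|From|Reply-To):.*?<?([\w.+-]+@([\w.-]+))>?\s*$",
        RegexOptions.Multiline | RegexOptions.IgnoreCase);
    static readonly Regex HrefRe = new Regex(@"href=[""'](https?://[^""'\s]+)", RegexOptions.IgnoreCase);

    // Exact match or a subdomain; "apple.com.example.net" does not pass.
    public static bool IsUnderDomain(string host, string domain)
    {
        host = host.ToLowerInvariant(); domain = domain.ToLowerInvariant();
        return host == domain || host.EndsWith("." + domain, StringComparison.Ordinal);
    }

    public static List<string> SuspiciousSenders(string source, string expectedDomain)
    {
        return HeaderRe.Matches(source).Cast<Match>()
            .Where(m => !IsUnderDomain(m.Groups[3].Value, expectedDomain))
            .Select(m => m.Groups[1].Value + ": " + m.Groups[2].Value).ToList();
    }

    public static List<string> SuspiciousLinks(string source, string expectedDomain)
    {
        return HrefRe.Matches(source).Cast<Match>()
            .Select(m => m.Groups[1].Value)
            .Where(u => Uri.TryCreate(u, UriKind.Absolute, out Uri parsed) && !IsUnderDomain(parsed.Host, expectedDomain))
            .ToList();
    }

    static void Main()
    {
        foreach (string s in SuspiciousSenders(SampleSource, "apple.com")) Console.WriteLine("sender " + s);
        foreach (string l in SuspiciousLinks(SampleSource, "apple.com")) Console.WriteLine("link   " + l);
    }
}
```

For the constructed sample this reports the Return-Path and Reply-To addresses and the short.example link, while the apple.com From header and the www.apple.com link pass, which is exactly why the From line alone is not enough.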


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down arrow at top right)->Report Phishing

Report phishing URLs at Google now

If you have received this email, take further action now by clicking these links:

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Report phishing emails to Apple 

Forward the email to abuse@icloud.com. This provides Apple's legal department and law enforcement with useful information to help prevent future phishing emails.