Hunt-Sleeping-Beacons
Update Hunt-Sleeping-Beacons.c
Adding SeDebugPrivilege in order to still be able to open processes running as the same user that have modified their own DACL.
Before the pull:
```
C:\Users\User\Desktop>Hunt-Sleeping-Beacons.exe
* Hunt-Sleeping-Beacons
* Checking for threads in state wait:DelayExecution
* Found 20 threads in state DelayExecution, now checking for suspicious callstacks
- Failed to open process: System (4)
- Failed to open process: dwm.exe (1008)
- Failed to open process: MsMpEng.exe (3748)
- Failed to open process: BuildService.exe (3808)
- Failed to open process: bdvpnService.exe (944)
- Failed to open process: uhssvc.exe (9648)
- Failed to open process: DACL.exe (1996)
* Done
* Now enumerating all thread in state wait:UserRequest
* Found 799 threads, now checking for delays caused by APC or Callbacks of waitable timers
* End
C:\Users\User\Desktop>
```
A user process like DACL.exe that modified its own DACL by setting it to an empty ACL was able to prevent Hunt Sleeping Beacons from opening the process, even though both ran as the same user.
When Hunt Sleeping Beacons was not able to open the process, no scanning could be done.
Example code for the DACL patch to an empty ACL that prevents the process from being opened (as done in DACL.exe):
```c
#include <Windows.h>
#include <stdio.h>
#include <AclAPI.h>

int main() {
    PACL pACL = NULL;
    DWORD dwSuccess = 0;
    HANDLE hProcess = NULL;
    SE_OBJECT_TYPE objecttype = SE_KERNEL_OBJECT;
    SECURITY_INFORMATION securityInformation = DACL_SECURITY_INFORMATION;

    /* Pseudo-handle for the current process; CloseHandle on it is a no-op. */
    hProcess = GetCurrentProcess();

    /* Buffer for an ACL that will contain no ACEs at all. */
    pACL = (PACL)VirtualAlloc(NULL, 200, MEM_COMMIT, PAGE_READWRITE);
    if (pACL == NULL) {
        goto exit;
    }

    /* An initialised but empty ACL grants nobody any access. */
    dwSuccess = InitializeAcl(pACL, 200, ACL_REVISION);
    printf("%d\n", dwSuccess);   /* nonzero on success */

    /* Replace the process object's DACL with the empty ACL. */
    dwSuccess = SetSecurityInfo(hProcess, objecttype, securityInformation, NULL, NULL, pACL, NULL);
    printf("%d\n", dwSuccess);   /* ERROR_SUCCESS (0) on success */

    /* Keep the process alive so the scanner can be run against it. */
    Sleep(1000000);

exit:
    if (pACL) {
        VirtualFree(pACL, 0, MEM_RELEASE);
    }
    if (hProcess) {
        CloseHandle(hProcess);
    }
    return 0;
}
```
Another possible fix would be to always start Hunt Sleeping Beacons as SYSTEM.
NOTE: All of the code used for the fix was taken from Outflank's Dumpert project :).
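As an added example (not this pull request's code and not the project's own implementation; the function names `privilege_adjust_succeeded`, `enable_privilege` and `open_for_scan` and the access mask used are assumptions), the block below shows how a scanner can enable SeDebugPrivilege in its own token before calling OpenProcess, which is the fix this pull request describes. With that privilege enabled the kernel grants access to process objects regardless of their DACL, so an empty DACL like the one DACL.exe sets no longer blocks the scan. The block also encodes the one check that is easy to get wrong: AdjustTokenPrivileges returns nonzero even when the token does not hold the privilege, and only GetLastError() reveals ERROR_NOT_ALL_ASSIGNED. The Win32 part is guarded by `_WIN32` so the portable helper can be built anywhere.

```c
/* Added example: enable SeDebugPrivilege before opening processes.
   Not the project's own code; names below are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Non-Windows builds only get the portable result-check helper. */
#define ERROR_NOT_ALL_ASSIGNED 1300L
#endif

/* AdjustTokenPrivileges reports success (nonzero) even when the caller's
   token does not hold the requested privilege at all; in that case
   GetLastError() returns ERROR_NOT_ALL_ASSIGNED. Fold both signals into
   one answer: 1 = privilege really enabled, 0 = not enabled. */
int privilege_adjust_succeeded(int adjust_returned_nonzero, unsigned long last_error)
{
    if (!adjust_returned_nonzero)
        return 0;
    if (last_error == ERROR_NOT_ALL_ASSIGNED)
        return 0;
    return 1;
}

#ifdef _WIN32
/* Enable a named privilege (e.g. SE_DEBUG_NAME) in the current process
   token. Returns 1 on success, 0 if the token lacks it or an API fails. */
int enable_privilege(LPCTSTR privilege_name)
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp;
    LUID luid;
    BOOL ok;
    DWORD err;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return 0;

    if (!LookupPrivilegeValue(NULL, privilege_name, &luid)) {
        CloseHandle(hToken);
        return 0;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    ok = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
    err = GetLastError();          /* read before CloseHandle can clobber it */
    CloseHandle(hToken);
    return privilege_adjust_succeeded(ok != 0, err);
}

/* Open a process with only the read-only rights a thread/callstack
   scanner needs (assumed mask, not the project's). */
HANDLE open_for_scan(DWORD pid)
{
    return OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
}

int main(int argc, char **argv)
{
    DWORD pid;
    HANDLE h;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <pid>\n", argv[0]);
        return 1;
    }
    pid = (DWORD)strtoul(argv[1], NULL, 10);

    if (!enable_privilege(SE_DEBUG_NAME))
        printf("- SeDebugPrivilege not enabled (token not elevated?), DACL-restricted processes will still fail\n");

    h = open_for_scan(pid);
    if (h == NULL) {
        printf("- Failed to open process %lu (error %lu)\n",
               (unsigned long)pid, (unsigned long)GetLastError());
        return 1;
    }
    printf("* Opened process %lu\n", (unsigned long)pid);
    CloseHandle(h);
    return 0;
}
#endif
```

SeDebugPrivilege is only present in an elevated administrator token, so the scanner must be run elevated for `enable_privilege` to report success; when it reports 0 the output above is what you should expect for DACL.exe. Even with the privilege, protected processes such as MsMpEng.exe in the listing above still refuse PROCESS_VM_READ, so those "Failed to open process" lines are expected and are not the DACL problem this pull request addresses.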