feat: coverage for diskshadow delete shadows

Neo23x0 · Oct 18, 2020 · 317a4c1 · 317a4c1
1 parent 2957771
commit 317a4c1
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -37,7 +37,7 @@ Disadvantages / Blind Spots:
 
 Malicious combinations:
 
-- `delete` and `shadows` (vssadmin)
+- `delete` and `shadows` (vssadmin, diskshadow)
 - `resize` and `shadowstorage` (vssadmin)
 - `delete` and `shadowstorage` (vssadmin)
 - `delete` and `shadowcopy` (wmic)
@@ -88,6 +88,8 @@ If you have a solid security monitoring that logs all process executions, you co
 - 0.8.0 - Creates a log file with all intercepted requests and actions performed `C:\ProgramData\Raccine_log.txt`
 - 0.9.0 - Logs to Windows Eventlog by @JohnLaTwC
 - 0.10.0 - Simulation mode only
+- 0.10.1 - Fix for Simulation mode
+- 0.10.2 - Includes `diskshadow.exe delete shadows` command
 
 ## Installation
 

diff --git a/install-raccine.bat b/install-raccine.bat
@@ -90,6 +90,7 @@ REGEDIT.EXE /S raccine-reg-patch-wmic.reg
 REGEDIT.EXE /S raccine-reg-patch-wbadmin.reg
 REGEDIT.EXE /S raccine-reg-patch-bcdedit.reg
 REGEDIT.EXE /S raccine-reg-patch-powershell.reg
+REGEDIT.EXE /S raccine-reg-patch-diskshadow.reg
 ECHO Registering Eventlog Events
 eventcreate.exe /L Application /T Information /id 1 /so Raccine /d "Raccine event message" 2> nul
 eventcreate.exe /L Application /T Information /id 2 /so Raccine /d "Raccine event message" 2> nul
@@ -119,6 +120,7 @@ REGEDIT.EXE /S raccine-reg-patch-wmic.reg
 REGEDIT.EXE /S raccine-reg-patch-wbadmin.reg
 REGEDIT.EXE /S raccine-reg-patch-bcdedit.reg
 REGEDIT.EXE /S raccine-reg-patch-powershell.reg
+REGEDIT.EXE /S raccine-reg-patch-diskshadow.reg
 ECHO Registering Eventlog Events
 eventcreate.exe /L Application /T Information /id 1 /so Raccine /d "Raccine event message" 2> nul
 eventcreate.exe /L Application /T Information /id 2 /so Raccine /d "Raccine event message" 2> nul
@@ -164,7 +166,7 @@ GOTO MENU
 :: Uninstall
 :UNINSTALL
 ECHO.
-ECHO Uninstalling Registry patch ...
+ECHO Uninstalling Registry patches ...
 REGEDIT.EXE /S raccine-reg-patch-uninstall.reg
 ECHO Removing Raccine.exe from the Windows folder ...
 DEL /Q C:\Windows\Raccine.exe

diff --git a/raccine-reg-patch-diskshadow.reg b/raccine-reg-patch-diskshadow.reg
@@ -0,0 +1,4 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\diskshadow.exe]
+"Debugger"="C:\\Windows\\Raccine.exe"
diff --git a/raccine-reg-patch-uninstall.reg b/raccine-reg-patch-uninstall.reg
@@ -10,6 +10,8 @@ Windows Registry Editor Version 5.00
 
 [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe]
 
+[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\diskshadow.exe]
+
 [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Raccine]
 
 [-HKEY_CURRENT_USER\SOFTWARE\Raccine]
diff --git a/raccine.cpp b/raccine.cpp
@@ -25,7 +25,7 @@
 #pragma comment(lib,"advapi32.lib")
 
 // Version
-#define VERSION "0.10.1"
+#define VERSION "0.10.2"
 
 // Log Config and Flags
 BOOL g_fLogToEventLog = FALSE;
@@ -304,10 +304,11 @@ int wmain(int argc, WCHAR* argv[]) {
     bool bWbadmin = false;
     bool bcdEdit = false;
     bool bPowerShell = false;
+    bool bDiskshadow = false;
 
     // Command line params
     bool bDelete = false;
-    bool bShadow = false;
+    bool bShadows = false;
     bool bResize = false;
     bool bShadowStorage = false;
     bool bShadowCopy = false;
@@ -352,6 +353,10 @@ int wmain(int argc, WCHAR* argv[]) {
             (_wcsicmp(L"powershell", argv[1]) == 0)) {
             bPowerShell = true;
         }
+        else if ((_wcsicmp(L"diskshadow.exe", argv[1]) == 0) ||
+            (_wcsicmp(L"diskshadow", argv[1]) == 0)) {
+            bDiskshadow = true;
+        }
     }
 
     // Check for keywords in command line parameters
@@ -375,7 +380,7 @@ int wmain(int argc, WCHAR* argv[]) {
             bDelete = true;
         }
         else if (_wcsicmp(L"shadows", argv[iCount]) == 0) {
-            bShadow = true;
+            bShadows = true;
         }
         else if (_wcsicmp(L"shadowstorage", argv[iCount]) == 0) {
             bShadowStorage = true;
@@ -442,13 +447,14 @@ int wmain(int argc, WCHAR* argv[]) {
     }
 
     // Check all combinations (our blocklist)
-    if ((bVssadmin && bDelete && bShadow) ||             // vssadmin.exe
+    if ((bVssadmin && bDelete && bShadows) ||             // vssadmin.exe
         (bVssadmin && bDelete && bShadowStorage) ||      // vssadmin.exe
         (bVssadmin && bResize && bShadowStorage) ||      // vssadmin.exe
         (bWmic && bDelete && bShadowCopy) ||             // wmic.exe
         (bWbadmin && bDelete && bCatalog && bQuiet) || 	 // wbadmin.exe 
         (bcdEdit && bIgnoreallFailures) ||               // bcdedit.exe
         (bcdEdit && bRecoveryEnabled) ||                 // bcdedit.exe
+        (bDiskshadow && bDelete && bShadows) ||          // diskshadow.exe
         (bPowerShell && bwin32ShadowCopy) ||             // powershell.exe
         (bPowerShell && bEncodedCommand)) {              // powershell.exe