All credit goes to @filip_dragovic

JavaScript is not available.

https://github.com/Wh04m1001/SysmonEoP

Symbolic Link

Windows Interal Part II page.166

The focus of the note is to understand how Filip tied a arbitary write/delete vuln using “Symbolic link”. Everything else is not within scope of this article.

| \\\\.\\ | To access the DosDevices namespace from user mode, specify \\.\ when you open a file name. You can open a corresponding device in user mode by calling CreateFile() . The function will usually find \\Sessions\\0\\DosDevices\\00000000-XXXXXXXX\\Global\\ | https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/introduction-to-ms-dos-device-names https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/local-and-global-ms-dos-device-names https://learn.microsoft.com/en-us/windows/win32/fileio/defining-an-ms-dos-device-name https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew | | | --- | --- | --- | --- | | \\\\?\\ | Tell the API that this is not a filesystems path. Interpret as it is. Goes beyond MAX_PATH for length; | | | | \\\\??\\ | prepended to object maanger functions related to namespace management. It will eventually points Global \\DosDevices namespace in object manager, Executive namespace, allowing them to share resources. On windows, the global \\DosDevices directory is named \\Global?? the local \\DosDevices dir are identified by luid. | | | | | | | |

Winmain()

1. Load() → resolves couple Win32API dynamically.

1. find() → find the ALPC port string from \\\\RPC Control namespace under object manager

he

1. CreateDirectory(”C:\SYSMON”) + CreateFileW() → Create SYSMON folder and obtain a handle with permissions.
2. CreateDirectory(”C:\SYSMON”) + CreateFileW() → Create SYSMON folder and obtain a handle with permissions.