
Svchost.exe ( Windows update ) not working #31

Open
eix128 opened this issue Oct 9, 2020 · 1 comment

Comments


eix128 commented Oct 9, 2020

Hi, I am using the Windows Administrator account and I got no UAC.
I tried the command below:

D:\repo\NetRipper\x64>NetRipper.x64.exe DLL.x64.dll svchost.exe
INFO: Trying to inject DLL.x64.dll in svchost.exe
SUCCESS: Reflectively injected in: 1876
SUCCESS: Reflectively injected in: 1900
SUCCESS: Reflectively injected in: 2020
SUCCESS: Reflectively injected in: 1188
SUCCESS: Reflectively injected in: 1428
SUCCESS: Reflectively injected in: 1504
SUCCESS: Reflectively injected in: 1236
SUCCESS: Reflectively injected in: 1828
SUCCESS: Reflectively injected in: 1748
SUCCESS: Reflectively injected in: 1652
SUCCESS: Reflectively injected in: 2120
SUCCESS: Reflectively injected in: 2164
SUCCESS: Reflectively injected in: 2180
SUCCESS: Reflectively injected in: 2272
SUCCESS: Reflectively injected in: 2436
SUCCESS: Reflectively injected in: 2472
SUCCESS: Reflectively injected in: 2528
SUCCESS: Reflectively injected in: 2572
SUCCESS: Reflectively injected in: 2688
SUCCESS: Reflectively injected in: 2800
SUCCESS: Reflectively injected in: 2920
SUCCESS: Reflectively injected in: 2940
SUCCESS: Reflectively injected in: 2952
SUCCESS: Reflectively injected in: 2960
SUCCESS: Reflectively injected in: 3056
SUCCESS: Reflectively injected in: 2392
SUCCESS: Reflectively injected in: 2748
SUCCESS: Reflectively injected in: 2912
SUCCESS: Reflectively injected in: 3172
SUCCESS: Reflectively injected in: 3304
SUCCESS: Reflectively injected in: 3392
SUCCESS: Reflectively injected in: 3496
SUCCESS: Reflectively injected in: 3580
SUCCESS: Reflectively injected in: 3700
SUCCESS: Reflectively injected in: 3756
SUCCESS: Reflectively injected in: 3988
SUCCESS: Reflectively injected in: 3888
SUCCESS: Reflectively injected in: 4072
SUCCESS: Reflectively injected in: 3164
SUCCESS: Reflectively injected in: 4308
SUCCESS: Reflectively injected in: 4316
SUCCESS: Reflectively injected in: 4472
SUCCESS: Reflectively injected in: 4512
SUCCESS: Reflectively injected in: 4884
SUCCESS: Reflectively injected in: 4928
SUCCESS: Reflectively injected in: 4172
SUCCESS: Reflectively injected in: 5412
SUCCESS: Reflectively injected in: 5420
SUCCESS: Reflectively injected in: 5428
SUCCESS: Reflectively injected in: 5452
SUCCESS: Reflectively injected in: 5468
SUCCESS: Reflectively injected in: 5476
SUCCESS: Reflectively injected in: 5876
SUCCESS: Reflectively injected in: 5964
SUCCESS: Reflectively injected in: 6020
SUCCESS: Reflectively injected in: 5300
SUCCESS: Reflectively injected in: 5316
SUCCESS: Reflectively injected in: 7520
SUCCESS: Reflectively injected in: 8048
SUCCESS: Reflectively injected in: 9120
SUCCESS: Reflectively injected in: 7508
SUCCESS: Reflectively injected in: 2296
SUCCESS: Reflectively injected in: 4956
ERROR: Failed to open the target process
ERROR: Cannot reflectively inject in: 5572
SUCCESS: Reflectively injected in: 9128
SUCCESS: Reflectively injected in: 7480
SUCCESS: Reflectively injected in: 6088
SUCCESS: Reflectively injected in: 8616
SUCCESS: Reflectively injected in: 5804
SUCCESS: Reflectively injected in: 8164
SUCCESS: Reflectively injected in: 3548
SUCCESS: Reflectively injected in: 9680
SUCCESS: Reflectively injected in: 2364
SUCCESS: Reflectively injected in: 13172
SUCCESS: Reflectively injected in: 12400
SUCCESS: Reflectively injected in: 12992
SUCCESS: Reflectively injected in: 14720
SUCCESS: Reflectively injected in: 13488
SUCCESS: Reflectively injected in: 12860
ERROR: Failed to open the target process
ERROR: Cannot reflectively inject in: 15760
SUCCESS: Reflectively injected in: 16976
SUCCESS: Reflectively injected in: 4248

But I want to sniff only the service process (svchost.exe) with pid 3164 (Windows Update):
the command I tried doesn't try to inject pid 3164 (Windows Update).

How can I sniff the Windows Update service?
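A defender-side companion to the run above, added here as an example and not part of the issue or of NetRipper: it flags the fan-out pattern in which one process opens many svchost.exe instances with injection-class access rights within a short window, run over constructed process-access log lines (the Sysmon-like key=value shape, the field names and every sample value are assumptions).

```python
# Added example, not code from the issue or from NetRipper. Log lines are
# constructed in a simplified key=value shape modelled on process-access
# telemetry (e.g. Sysmon Event ID 10); field names and values are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Windows process access rights (winnt.h) that cross-process injection needs.
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x2, 0x8, 0x20
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

SAMPLE_LOG = r"""
time=2020-10-09T10:00:00 src=C:\repo\NetRipper\x64\NetRipper.x64.exe spid=7000 dst=C:\Windows\System32\svchost.exe dpid=1876 access=0x1F0FFF
time=2020-10-09T10:00:00 src=C:\repo\NetRipper\x64\NetRipper.x64.exe spid=7000 dst=C:\Windows\System32\svchost.exe dpid=1900 access=0x1F0FFF
time=2020-10-09T10:00:01 src=C:\repo\NetRipper\x64\NetRipper.x64.exe spid=7000 dst=C:\Windows\System32\svchost.exe dpid=3164 access=0x1F0FFF
time=2020-10-09T10:00:01 src=C:\repo\NetRipper\x64\NetRipper.x64.exe spid=7000 dst=C:\Windows\System32\svchost.exe dpid=5572 access=0x1F0FFF
time=2020-10-09T10:00:05 src=C:\Windows\System32\Taskmgr.exe spid=4100 dst=C:\Windows\System32\svchost.exe dpid=1876 access=0x1000
time=2020-10-09T10:00:06 src=C:\Windows\System32\csrss.exe spid=600 dst=C:\Windows\System32\svchost.exe dpid=1900 access=0x1FFFFF
"""

def parse_line(line):
    """Parse one key=value event (sample paths contain no spaces)."""
    ev = dict(kv.split("=", 1) for kv in line.split())
    ev["time"] = datetime.fromisoformat(ev["time"])
    ev["access"] = int(ev["access"], 16)
    return ev

def find_fanout_injectors(lines, min_targets=3, window=timedelta(seconds=60)):
    """Map (src_image, src_pid) -> sorted target pids for each source that opened
    at least min_targets distinct svchost.exe PIDs with INJECT_MASK rights inside
    one window. One full-access open (csrss.exe here) is normal; the burst is not."""
    by_source = defaultdict(list)
    for ev in map(parse_line, filter(str.strip, lines)):
        if not ev["dst"].lower().endswith("\\svchost.exe"):
            continue
        if (ev["access"] & INJECT_MASK) != INJECT_MASK:
            continue  # e.g. 0x1000 = PROCESS_QUERY_LIMITED_INFORMATION
        by_source[(ev["src"], ev["spid"])].append((ev["time"], int(ev["dpid"])))
    hits = {}
    for key, events in by_source.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # window anchored at each event
            pids = {pid for t, pid in events[i:] if t - t0 <= window}
            if len(pids) >= min_targets:
                hits[key] = sorted(pids)
                break
    return hits
```

On the constructed sample only the injector's burst is reported; the single full-access open by csrss.exe and the query-only open by Taskmgr.exe stay silent.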

@NytroRST (Owner) commented:

Hi, it worked for me (the injection only):
SUCCESS: Reflectively injected in: 16176 (this was the update process)

Here is some text found (because the communication is HTTP I think): User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.31

GET /c/msdownload/update/others/2020/10/32719421_c34e6cf04e4216d9b80a657f0cfbec53579d7e84.cab HTTP/1.1
Connection: Keep-Alive
Accept: /
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.31
Host: download.windowsupdate.com

However, it looks like NetRipper does not hook the function used by Windows Update to encrypt the data; when I have time I will look into it. So a big part of the data cannot be displayed, as it was captured after it was encrypted.
