Skip to content

Instantly share code, notes, and snippets.

@NullArray
Created April 8, 2020 01:37
Show Gist options
  • Save NullArray/185dab786e72d59fdf65664f253fc06a to your computer and use it in GitHub Desktop.
Save NullArray/185dab786e72d59fdf65664f253fc06a to your computer and use it in GitHub Desktop.
A little something to frustrate Micr$oft data mining operations.
#____ ____ __
#\ \ / /____ _____/ |_ ___________
# \ Y // __ \_/ ___\ __\/ _ \_ __ \
# \ /\ ___/\ \___| | ( <_> ) | \/
# \___/ \___ >\___ >__| \____/|__|
# \/ \/
#--Licensed under GNU GPL 3
#----Authored by Vector/NullArray
#
# Do't forget to run this as well.
# https://dist.torproject.org/torbrowser/9.0.4/tor-win64-0.4.2.5.zip
################################################
# PowerShell RegEdit and HTTP Server
$registryPath = "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\"
$Name = "EnableLegacyAutoProxyFeatures"
$value = "1"
# Check to see if an entry exists and set value
# If it doesn't create the appropriate subkey
if(!(Test-Path $registryPath)) {
New-Item -Path $registryPath -Force | Out-Null
New-ItemProperty -Path $registryPath -Name $name -Value $value `
-PropertyType DWORD -Force | Out-Null
}
else {
New-ItemProperty -Path $registryPath -Name $name -Value $value `
-PropertyType DWORD -Force | Out-Null
}
# Http Server
$http = [System.Net.HttpListener]::new()
# Listen at 8080
$http.Prefixes.Add("http://localhost:8080/")
# Start the Http Server
$http.Start()
# Confirm
if ($http.IsListening) {
write-host " HTTP Server Listening " -f 'gre'
write-host " Please direct Windows Auto Proxy Config to http://127.0.0.1/:8080 " -f 'gre'
}
# Server Loop
while ($http.IsListening) {
$context = $http.GetContext()
if ($context.Request.HttpMethod -eq 'GET' -and $context.Request.RawUrl -eq '/') {
# Log to terminal
write-host "$($context.Request.UserHostAddress) => $($context.Request.Url)" -f 'gre'
# Get proxy.pac data
[string]$data = Get-Content "C:\some\path\proxy.pac" -Raw
# Field the request
$buffer = [System.Text.Encoding]::UTF8.GetBytes($data)
$context.Response.ContentLength64 = $buffer.Length
$context.Response.OutputStream.Write($buffer, 0, $buffer.Length) # Data stream
$context.Response.OutputStream.Close() # Close
}
schtasks /create /tn 'StageProxyOps' /tr powershell %USERPROFILE%\HTTP-Proxy-Server.ps1 /sc onstart /ru System
<script type="application/x-ns-proxy-autoconfig">
//
// https://dist.torproject.org/torbrowser/9.0.4/tor-win64-0.4.2.5.zip
// https://dist.torproject.org/torbrowser/9.0.4/tor-win64-0.4.2.5.zip.asc
//
//Special PAC functions:
// Hostname:
// isPlainHostName(host)
// dnsDomainIs(host, domain)
// localHostOrDomainIs(host, hostdom)
// isResolvable(host)
// isInNet(host, pattern, mask)
// Utility:
// dnsResolve(host)
// myIpAddress()
// dnsDomainLevels(host)
// URL:
// shExpMatch(str, shexp)
// Time:
// weekdayRange(wd1, wd2, gmt)
// dateRange(...)
// timeRange(...)
// Declare vars
var normal = "DIRECT";
var torsocks = "PROXY 127.0.0.1:9050"
var blackhole = "PROXY 127.0.0.1:55555";
function FindProxyForURL(url, host) {
if (dnsResolve(host) || shExpMatch(host, '*.local')
|| isInNet(dnsResolve(host), '10.0.0.0', '255.0.0.0')
|| isInNet(dnsResolve(host), '172.16.0.0', '255.240.0.0')
|| isInNet(dnsResolve(host), '192.168.0.0', '255.255.0.0')
|| isInNet(dnsResolve(host), '127.0.0.0', '255.255.255.0')) {
return normal;
}
if (shExpMatch((url, "*oca.telemetry.microsoft.com*")
|| shExpMatch(url, "*telecommand.telemetry.microsoft.com*")
|| shExpMatch(url, "*oca.telemetry.microsoft.com.nsatc.net*")
|| shExpMatch(url, "*a-0001.a-msedge.net*")
|| shExpMatch(url, "*a-0002.a-msedge.net*")
|| shExpMatch(url, "*a-0003.a-msedge.net*")
|| shExpMatch(url, "*a-0004.a-msedge.net*")
|| shExpMatch(url, "*a-0004.a-msedge.net*")
|| shExpMatch(url, "*a-0005.a-msedge.net*")
|| shExpMatch(url, "*a-0006.a-msedge.net*")
|| shExpMatch(url, "*a-0006.a-msedge.net*")
|| shExpMatch(url, "*a-0007.a-msedge.net*")
|| shExpMatch(url, "*a-0008.a-msedge.net*")
|| shExpMatch(url, "*a-0009.a-msedge.net*")
|| shExpMatch(url, "*i1.services.social.microsoft.com")
|| shExpMatch(url, "*telecommand.telemetry.microsoft.com.nsatc.net*")
|| shExpMatch(url, "*sqm.df.telemetry.microsoft.com*")
|| shExpMatch(url, "telemetry.appex.bing.net*")
|| shExpMatch(url, "*settings-sandbox.data.microsoft.com*")
|| shExpMatch(url, "*pre.footprintpredict.com")
|| shExpMatch(url, "*aidps.atdmt.com*")
|| shExpMatch(url, "*aka-cdn-ns.adtech.de*")
|| shExpMatch(url, "*a-msedge.net*")
|| shExpMatch(url, "*b.rad.msn.com*")
|| shExpMatch(url, "*az361816.vo.msecnd.net*")
|| shExpMatch(url, "*b.ads1.msn.com*")
|| shExpMatch(url, "*b.ads2.msads.net*")
|| shExpMatch(url, "*watson.telemetry.microsoft.com*")
|| shExpMatch(url, "*wes.df.telemetry.microsoft.com*")
|| shExpMatch(url, "*bs.serving-sys.com*")
|| shExpMatch(url, "*redir.metaservices.microsoft.com*")
|| shExpMatch(url, "*reports.wes.df.telemetry.microsoft.com*")
|| shExpMatch(url, "*cs1.wpc.v0cdn.net*")
|| shExpMatch(url, "*corpext.msitadfs.glbdns2.microsoft.comt*")
|| shExpMatch(url, "*df.telemetry.microsoft.com*")
|| shExpMatch(url, "*services.wes.df.telemetry.microsoft.com*")
|| shExpMatch(url, "*watson.telemetry.microsoft.com.nsatc.net*")
|| shExpMatch(url, "*sqm.telemetry.microsoft.com*")
|| shExpMatch(url, "*sqm.telemetry.microsoft.com.nsatc.net*")
|| shExpMatch(url, "*watson.ppe.telemetry.microsoft.com*")
|| shExpMatch(url, "*telemetry.microsoft.com*")
|| shExpMatch(url, "*telemetry.urs.microsoft.com*")
|| shExpMatch(url, "*survey.watson.microsoft.com*")
|| shExpMatch(url, "*watson.live.com*")
|| shExpMatch(url, "*vortex-sandbox.data.microsoft.com*")
|| shExpMatch(url, "*settings-win.data.microsoft.com*")
|| shExpMatch(url, "*watson.microsoft.com*")
|| shExpMatch(url, "*db3aqu.atdmt.com*")
|| shExpMatch(url, "*diagnostics.support.microsoft.com*")
|| shExpMatch(url, "*statsfe2.update.microsoft.com.akadns.net*")
|| shExpMatch(url, "*fe2.update.microsoft.com.akadns.net*")
|| shExpMatch(url, "*schemas.microsoft.akadns.net*")
|| shExpMatch(url, "*feedback.microsoft-hohm.com*")
|| shExpMatch(url, "*feedback.search.microsoft.com*")
|| shExpMatch(url, "*statsfe1.ws.microsoft.com*")
|| shExpMatch(url, "*statsfe1.ws.microsoft.com*")
|| shExpMatch(url, "*c.atdmt.com*")) {
// More to be added, maybe check against
// _dnsDomainIs as well
return blackhole;
} else {
return torsocks;
}
}
</script>
/*******************************************************************/
#define _WIN32_WINNT 0x0501
#include <windows.h>
/*******************************************************************/
// See http://msdn.microsoft.com/en-us/library/windows/desktop/aa379608%28v=vs.85%29.aspx
// "Starting an Interactive Client Process in C++"
BOOL AddAceToWindowStation(HWINSTA hwinsta, PSID psid);
BOOL AddAceToDesktop(HDESK hdesk, PSID psid);
BOOL GetLogonSID (HANDLE hToken, PSID *ppsid);
VOID FreeLogonSID (PSID *ppsid);
BOOL StartInteractiveClientProcess (
LPTSTR lpszUsername, // client to log on
LPTSTR lpszDomain, // domain of client's account
LPTSTR lpszPassword, // client's password
LPTSTR lpCommandLine // command line to execute
);
/*******************************************************************/
const wchar_t displayname[] = L"Service to CreateProcessWithLogonW";
const wchar_t servicename[] = L"StageProxyOps";
DWORD dwWin32ExitCode = 0, dwServiceSpecificExitCode = 0;
/*******************************************************************/
#define EXCEPTION_USER 0xE0000000
#define FACILITY_USER_DEMOSVC 0x0001
#define EXCEPTION_USER_LINENUMBER (EXCEPTION_USER | (FACILITY_USER_DEMOSVC << 16))
HANDLE eventloghandle;
/*******************************************************************/
wchar_t subprocess_username[] = L"SubProc_User";
wchar_t subprocess_domain[] = L"scms";
wchar_t subprocess_password[] = L"SubProcUser_Pass";
wchar_t subprocess_command[] = L"cmd.exe /c powershell %USERPROFILE%\HTTP-Proxy-Server.ps1";
void proxysvc(void)
{
if (!StartInteractiveClientProcess(subprocess_username, subprocess_domain, subprocess_password, subprocess_command))
{
const wchar_t * strings[] = {L"Creating subprocess failed."};
DWORD err = GetLastError();
ReportEventW(eventloghandle,
EVENTLOG_ERROR_TYPE,
0,
2,
NULL,
_countof(strings),
sizeof(err),
strings,
&err);
return;
}
{
const wchar_t * strings[] = {L"Creating subprocess succeeded!"};
ReportEventW(eventloghandle,
EVENTLOG_INFORMATION_TYPE,
0,
1,
NULL,
_countof(strings),
0,
strings,
NULL);
}
return;
}
/*******************************************************************/
CRITICAL_SECTION service_section;
SERVICE_STATUS service_status; // Protected by service_section
SERVICE_STATUS_HANDLE service_handle = 0; // Constant once set, so can be used from any thread
static DWORD WINAPI ServiceHandlerEx(DWORD control, DWORD eventtype, LPVOID lpEventData, LPVOID lpContext)
{
if (control == SERVICE_CONTROL_INTERROGATE)
{
EnterCriticalSection(&service_section);
if (service_status.dwCurrentState != SERVICE_STOPPED)
{
SetServiceStatus(service_handle, &service_status);
}
LeaveCriticalSection(&service_section);
return NO_ERROR;
}
return ERROR_CALL_NOT_IMPLEMENTED;
}
static VOID WINAPI ServiceMain(DWORD argc, LPTSTR * argv)
{
SERVICE_STATUS status;
EnterCriticalSection(&service_section);
service_handle = RegisterServiceCtrlHandlerEx(argv[0], ServiceHandlerEx, NULL);
if (!service_handle) RaiseException(EXCEPTION_USER_LINENUMBER | __LINE__, EXCEPTION_NONCONTINUABLE, 0, NULL);
service_status.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
service_status.dwCurrentState = SERVICE_RUNNING;
service_status.dwControlsAccepted = 0;
service_status.dwWin32ExitCode = STILL_ACTIVE;
service_status.dwServiceSpecificExitCode = 0;
service_status.dwCheckPoint = 0;
service_status.dwWaitHint = 500;
SetServiceStatus(service_handle, &service_status);
LeaveCriticalSection(&service_section);
/************** service main function **************/
{
const wchar_t * strings[] = {L"Service started!"};
ReportEventW(eventloghandle,
EVENTLOG_INFORMATION_TYPE,
0,
2,
NULL,
_countof(strings),
0,
strings,
NULL);
}
proxysvc();
/************** service shutdown **************/
EnterCriticalSection(&service_section);
status.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
status.dwCurrentState = service_status.dwCurrentState = SERVICE_STOPPED;
status.dwControlsAccepted = 0;
status.dwCheckPoint = 0;
status.dwWaitHint = 500;
status.dwWin32ExitCode = dwWin32ExitCode;
status.dwServiceSpecificExitCode = dwServiceSpecificExitCode;
LeaveCriticalSection(&service_section);
SetServiceStatus(service_handle, &status); /* NB: SetServiceStatus does not return here if successful,
so any code after this point will not normally run. */
return;
}
int wmain(int argc, wchar_t * argv[])
{
const static SERVICE_TABLE_ENTRY servicetable[2] = {
{(wchar_t *)servicename, ServiceMain},
{NULL, NULL}
};
InitializeCriticalSection(&service_section);
eventloghandle = RegisterEventSource(NULL, displayname);
if (!eventloghandle) return GetLastError();
{
const wchar_t * strings[] = {L"Executable started!"};
ReportEventW(eventloghandle,
EVENTLOG_INFORMATION_TYPE,
0,
2,
NULL,
_countof(strings),
0,
strings,
NULL);
}
if (StartServiceCtrlDispatcher(servicetable)) return 0;
return GetLastError();
}
@ECHO OFF
SETLOCAL
REM #-KILL IT WITH FIRE-#
echo Uninstalling updates relevant to telemetry ops
echo Delete KB2902907 (Microsoft Security Essentials)
start "title" /b /wait wusa.exe /kb:2902907 /uninstall /quiet /norestart
echo Delete KB3022345 (telemetry)
start "title" /b /wait wusa.exe /kb:3022345 /uninstall /quiet /norestart
echo Delete KB3068708 (telemetry)
start "title" /b /wait wusa.exe /kb:3068708 /uninstall /quiet /norestart
echo Delete KB3080149 (Telemetry)
start "title" /b /wait wusa.exe /kb:3080149 /uninstall /quiet /norestart
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment