Initial commit +scmrexec

author: Bryan McNulty <bryanmcnulty@protonmail.com> 2025-02-26 19:42:55 -0600
committer: Bryan McNulty <bryanmcnulty@protonmail.com> 2025-02-26 19:42:55 -0600
commit: 0591eed275fd24e5c1b959e1a182bea6f6275c34 (patch)
tree: d32e53640e65627180de9a290449309591bae771
parent: 930699ae66d1ddaf44fec71e04c33ab193531584 (diff)
download: goexec-0591eed275fd24e5c1b959e1a182bea6f6275c34.tar.gz
goexec-0591eed275fd24e5c1b959e1a182bea6f6275c34.zip
15 files changed, 1073 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..62e4c1f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/.idea
+/goexec
+/patch
diff --git a/cmd/root.go b/cmd/root.go
new file mode 100644
index 0000000..00563c6
--- /dev/null
+++ b/cmd/root.go
@@ -0,0 +1,59 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"github.com/bryanmcnulty/adauth"
+	"github.com/rs/zerolog"
+	"github.com/spf13/cobra"
+	"os"
+	"regexp"
+)
+
+var (
+	//logFile string
+	log      zerolog.Logger
+	ctx      context.Context
+	authOpts *adauth.Options
+
+	debug, trace   bool
+	command        string
+	executablePath string
+	executableArgs string
+
+	rootCmd = &cobra.Command{
+		Use: "goexec",
+		PersistentPreRunE: func(cmd *cobra.Command, args []string) (err error) {
+			// For modules that require a full executable path
+			if executablePath != "" && !regexp.MustCompile(`^([a-zA-Z]:)?\\`).MatchString(executablePath) {
+				return fmt.Errorf("executable path (-e) must be an absolute Windows path, i.e. C:\\Windows\\System32\\cmd.exe")
+			}
+			log = zerolog.New(zerolog.ConsoleWriter{Out: os.Stderr}).Level(zerolog.InfoLevel).With().Timestamp().Logger()
+			if debug {
+				log = log.Level(zerolog.DebugLevel)
+			}
+			return
+		},
+	}
+)
+
+func init() {
+	ctx = context.Background()
+
+	rootCmd.InitDefaultVersionFlag()
+	rootCmd.InitDefaultHelpCmd()
+	rootCmd.PersistentFlags().BoolVarP(&debug, "debug", "d", false, "Enable debug logging")
+
+	authOpts = &adauth.Options{Debug: log.Debug().Msgf}
+	authOpts.RegisterFlags(rootCmd.PersistentFlags())
+
+	scmrCmdInit()
+	rootCmd.AddCommand(scmrCmd)
+}
+
+func Execute() {
+	if err := rootCmd.Execute(); err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+}
diff --git a/cmd/scmr.go b/cmd/scmr.go
new file mode 100644
index 0000000..e142cd7
--- /dev/null
+++ b/cmd/scmr.go
@@ -0,0 +1,126 @@
+package cmd
+
+import (
+	"errors"
+	"fmt"
+	"github.com/bryanmcnulty/adauth"
+	"github.com/spf13/cobra"
+
+	"github.com/FalconOpsLLC/goexec/pkg/exec"
+	scmrexec "github.com/FalconOpsLLC/goexec/pkg/exec/scmr"
+	"github.com/FalconOpsLLC/goexec/pkg/windows"
+)
+
+func scmrCmdInit() {
+	scmrCmd.PersistentFlags().StringVarP(&executablePath, "executable-path", "e", "", "Full path to remote Windows executable")
+	scmrCmd.PersistentFlags().StringVarP(&executableArgs, "args", "a", "", "Arguments to pass to executable")
+	scmrCmd.PersistentFlags().StringVarP(&scmrName, "service-name", "s", "", "Name of service to create or modify")
+
+	scmrCmd.MarkPersistentFlagRequired("executable-path")
+	scmrCmd.MarkPersistentFlagRequired("service-name")
+
+	scmrCmd.AddCommand(scmrChangeCmd)
+	scmrCreateCmdInit()
+	scmrCmd.AddCommand(scmrCreateCmd)
+	scmrChangeCmdInit()
+}
+
+func scmrChangeCmdInit() {
+	scmrChangeCmd.Flags().StringVarP(&scmrDisplayName, "display-name", "n", "", "Display name of service to create")
+	scmrChangeCmd.Flags().BoolVar(&scmrNoStart, "no-start", false, "Don't start service")
+}
+
+func scmrCreateCmdInit() {
+	scmrCreateCmd.Flags().BoolVar(&scmrNoDelete, "no-delete", false, "Don't delete service after execution")
+}
+
+var (
+	// scmr arguments
+	scmrName        string
+	scmrDisplayName string
+	scmrNoDelete    bool
+	scmrNoStart     bool
+
+	scmrArgs = func(cmd *cobra.Command, args []string) (err error) {
+		if len(args) != 1 {
+			return fmt.Errorf("expected exactly 1 positional argument, got %d", len(args))
+		}
+		if creds, target, err = authOpts.WithTarget(ctx, "cifs", args[0]); err != nil {
+			return fmt.Errorf("failed to parse target: %w", err)
+		}
+		log.Debug().Str("target", args[0]).Msg("Resolved target")
+		return nil
+	}
+
+	creds  *adauth.Credential
+	target *adauth.Target
+
+	scmrCmd = &cobra.Command{
+		Use:   "scmr",
+		Short: "Establish execution via SCMR",
+		Args: func(cmd *cobra.Command, args []string) error {
+			if len(args) != 1 {
+				return errors.New(`command not set. Choose from (change, create)`)
+			}
+			return nil
+		},
+		Run: func(cmd *cobra.Command, args []string) {
+			if err := cmd.Help(); err != nil {
+				panic(err)
+			}
+		},
+	}
+	scmrCreateCmd = &cobra.Command{
+		Use:   "create [target]",
+		Short: "Create & run a new Windows service to gain execution",
+		Args:  scmrArgs,
+		RunE: func(cmd *cobra.Command, args []string) (err error) {
+			if scmrNoDelete {
+				log.Warn().Msg("Service will not be deleted after execution")
+			}
+			if scmrDisplayName == "" {
+				scmrDisplayName = scmrName
+				log.Warn().Msg("No display name specified, using service name as display name")
+			}
+			executor := scmrexec.Executor{}
+			execCfg := &exec.ExecutionConfig{
+				ExecutablePath:  executablePath,
+				ExecutableArgs:  executableArgs,
+				ExecutionMethod: scmrexec.MethodCreate,
+
+				ExecutionMethodConfig: scmrexec.MethodCreateConfig{
+					NoDelete:    scmrNoDelete,
+					ServiceName: scmrName,
+					DisplayName: scmrDisplayName,
+					ServiceType: windows.SERVICE_WIN32_OWN_PROCESS,
+					StartType:   windows.SERVICE_DEMAND_START,
+				},
+			}
+			if err := executor.Exec(log.WithContext(ctx), creds, target, execCfg); err != nil {
+				log.Fatal().Err(err).Msg("SCMR execution failed")
+			}
+			return nil
+		},
+	}
+	scmrChangeCmd = &cobra.Command{
+		Use:   "change [target]",
+		Short: "Change an existing Windows service to gain execution",
+		Args:  scmrArgs,
+		Run: func(cmd *cobra.Command, args []string) {
+			executor := scmrexec.Executor{}
+			execCfg := &exec.ExecutionConfig{
+				ExecutablePath:  executablePath,
+				ExecutableArgs:  executableArgs,
+				ExecutionMethod: scmrexec.MethodModify,
+
+				ExecutionMethodConfig: scmrexec.MethodModifyConfig{
+					NoStart:     scmrNoStart,
+					ServiceName: scmrName,
+				},
+			}
+			if err := executor.Exec(log.WithContext(ctx), creds, target, execCfg); err != nil {
+				log.Fatal().Err(err).Msg("SCMR execution failed")
+			}
+		},
+	}
+)
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..9da0e5e
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,33 @@
+module github.com/FalconOpsLLC/goexec
+
+go 1.24.0
+
+require (
+	github.com/bryanmcnulty/adauth v0.0.0-20250227005704-df9302d730c2
+	github.com/oiweiwei/go-msrpc v1.2.1
+	github.com/rs/zerolog v1.33.0
+	github.com/spf13/cobra v1.9.1
+)
+
+require (
+	github.com/geoffgarside/ber v1.1.0 // indirect
+	github.com/hashicorp/go-uuid v1.0.3 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/indece-official/go-ebcdic v1.2.0 // indirect
+	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
+	github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
+	github.com/jcmturner/gofork v1.7.6 // indirect
+	github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
+	github.com/jcmturner/gokrb5/v8 v8.4.4 // indirect
+	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/oiweiwei/go-smb2.fork v1.0.0 // indirect
+	github.com/oiweiwei/gokrb5.fork/v9 v9.0.2 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	golang.org/x/crypto v0.32.0 // indirect
+	golang.org/x/net v0.34.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
+	software.sslmate.com/src/go-pkcs12 v0.5.0 // indirect
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..439cca5
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,116 @@
+github.com/bryanmcnulty/adauth v0.0.0-20250227005704-df9302d730c2 h1:AxVqt9SbxfGqhEO8wwssTq0PYQfxuSIFUt4hMGV6KZw=
+github.com/bryanmcnulty/adauth v0.0.0-20250227005704-df9302d730c2/go.mod h1:h0dSYNaF2657vK+RY1ntfWKnSd6LlZHIWHyJq8D4VUA=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/geoffgarside/ber v1.1.0 h1:qTmFG4jJbwiSzSXoNJeHcOprVzZ8Ulde2Rrrifu5U9w=
+github.com/geoffgarside/ber v1.1.0/go.mod h1:jVPKeCbj6MvQZhwLYsGwaGI52oUorHoHKNecGT85ZCc=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
+github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
+github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
+github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=
+github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik=
+github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
+github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/indece-official/go-ebcdic v1.2.0 h1:nKCubkNoXrGvBp3MSYuplOQnhANCDEY512Ry5Mwr4a0=
+github.com/indece-official/go-ebcdic v1.2.0/go.mod h1:RBddVJt0Ks0eDLRG5dhPwBDRiTNA7n+yv0dVFpSs46Q=
+github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
+github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
+github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
+github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
+github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=
+github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
+github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
+github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
+github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=
+github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
+github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
+github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/oiweiwei/go-msrpc v1.2.1 h1:jpt7DYCefrJhDS+C9GvhgFls9zTh05eWDw3mwRToqKc=
+github.com/oiweiwei/go-msrpc v1.2.1/go.mod h1:ev+Bg4HdktdaLvwQ2RcwTlgvx7boe+fskcdUlesepdM=
+github.com/oiweiwei/go-smb2.fork v1.0.0 h1:xHq/eYPM8hQEO/nwCez8YwHWHC8mlcsgw/Neu52fPN4=
+github.com/oiweiwei/go-smb2.fork v1.0.0/go.mod h1:h0CzLVvGAmq39izdYVHKyI5cLv6aHdbQAMKEe4dz4N8=
+github.com/oiweiwei/gokrb5.fork/v9 v9.0.2 h1:JNkvXMuOEWNXJKzLiyROGfdK31/1RQWA9e5gJxAsl50=
+github.com/oiweiwei/gokrb5.fork/v9 v9.0.2/go.mod h1:KEnkAYUYqZ5VwzxLFbv3JHlRhCvdFahjrdjjssMJJkI=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
+github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
+github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
+golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
+golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+software.sslmate.com/src/go-pkcs12 v0.5.0 h1:EC6R394xgENTpZ4RltKydeDUjtlM5drOYIG9c6TVj2M=
+software.sslmate.com/src/go-pkcs12 v0.5.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
diff --git a/internal/util/util.go b/internal/util/util.go
new file mode 100644
index 0000000..252815e
--- /dev/null
+++ b/internal/util/util.go
@@ -0,0 +1,35 @@
+package util
+
+import (
+	"math/rand" // not crypto secure
+	"regexp"
+)
+
+const randHostnameCharset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-"
+const randStringCharset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+
+var (
+	// Up to 15 characters; only letters, digits, and hyphens (with hyphens not at the start or end).
+	randHostnameRegex = regexp.MustCompile(`^[a-zA-Z][a-zA-Z0-9-]{0,14}[a-zA-Z0-9]$`)
+)
+
+func RandomHostname() (hostname string) {
+	for {
+		// between 2 and 10 characters
+		if hostname = RandomStringFromCharset(randHostnameCharset, rand.Intn(8)+2); randHostnameRegex.MatchString(hostname) {
+			return
+		}
+	}
+}
+
+func RandomString() string {
+	return RandomStringFromCharset(randStringCharset, rand.Intn(10)+6)
+}
+
+func RandomStringFromCharset(charset string, length int) string {
+	b := make([]byte, length)
+	for i := range length {
+		b[i] = charset[rand.Intn(len(charset))]
+	}
+	return string(b)
+}
diff --git a/main.go b/main.go
new file mode 100644
index 0000000..6d0d8ad
--- /dev/null
+++ b/main.go
@@ -0,0 +1,7 @@
+package main
+
+import "github.com/FalconOpsLLC/goexec/cmd"
+
+func main() {
+	cmd.Execute()
+}
diff --git a/pkg/client/dcerpc/client.go b/pkg/client/dcerpc/client.go
new file mode 100644
index 0000000..5b5b935
--- /dev/null
+++ b/pkg/client/dcerpc/client.go
@@ -0,0 +1,11 @@
+package dcerpc
+
+import (
+	"context"
+	"github.com/bryanmcnulty/adauth"
+)
+
+type Client interface {
+	Connect(ctx context.Context, creds *adauth.Credential, target *adauth.Target) error
+	Close(ctx context.Context) error
+}
diff --git a/pkg/client/dcerpc/dcerpc.go b/pkg/client/dcerpc/dcerpc.go
new file mode 100644
index 0000000..a22bff7
--- /dev/null
+++ b/pkg/client/dcerpc/dcerpc.go
@@ -0,0 +1,102 @@
+package dcerpc
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"github.com/bryanmcnulty/adauth"
+	"github.com/bryanmcnulty/adauth/dcerpcauth"
+	"github.com/oiweiwei/go-msrpc/dcerpc"
+	"github.com/oiweiwei/go-msrpc/msrpc/epm/epm/v3"
+	"github.com/oiweiwei/go-msrpc/msrpc/scmr/svcctl/v2"
+	"github.com/oiweiwei/go-msrpc/smb2"
+	"github.com/oiweiwei/go-msrpc/ssp/gssapi"
+	"github.com/rs/zerolog"
+)
+
+const (
+	DceDefaultProto string = "ncacn_np"
+	DceDefaultPort  uint16 = 445
+)
+
+type DCEClient struct {
+	Port  uint16
+	Proto string
+
+	log      zerolog.Logger
+	conn     dcerpc.Conn
+	opts     []dcerpc.Option
+	authOpts dcerpcauth.Options
+}
+
+func NewDCEClient(ctx context.Context, insecure bool, smbConfig *SmbConfig) (client *DCEClient) {
+	client = &DCEClient{
+		Port:     DceDefaultPort,
+		Proto:    DceDefaultProto,
+		log:      zerolog.Ctx(ctx).With().Str("client", "DCE").Logger(),
+		authOpts: dcerpcauth.Options{},
+	}
+	client.opts = []dcerpc.Option{dcerpc.WithLogger(client.log)}
+	client.authOpts = dcerpcauth.Options{Debug: client.log.Trace().Msgf}
+
+	if smbConfig != nil {
+		if smbConfig.Port != 0 {
+			client.Port = smbConfig.Port
+			client.opts = append(client.opts, dcerpc.WithSMBPort(int(smbConfig.Port)))
+		}
+	}
+	if insecure {
+		client.log.Debug().Msg("Using insecure DCERPC connection")
+		client.opts = append(client.opts, dcerpc.WithInsecure())
+	} else {
+		client.log.Debug().Msg("Using secure DCERPC connection")
+		client.authOpts.SMBOptions = append(client.authOpts.SMBOptions, smb2.WithSeal())
+	}
+	return
+}
+
+func (client *DCEClient) OpenSvcctl(ctx context.Context) (ctl svcctl.SvcctlClient, err error) {
+	if client.conn == nil {
+		return nil, errors.New("DCE connection not open")
+	}
+	if ctl, err = svcctl.NewSvcctlClient(ctx, client.conn, dcerpc.WithInsecure()); err != nil {
+		client.log.Debug().Err(err).Msg("Failed to open Svcctl client")
+	}
+	return
+}
+
+func (client *DCEClient) Connect(ctx context.Context, creds *adauth.Credential, target *adauth.Target, dialOpts ...dcerpc.Option) (err error) {
+	if creds != nil && target != nil {
+		authCtx := gssapi.NewSecurityContext(ctx)
+
+		binding := fmt.Sprintf(`%s:%s`, client.Proto, target.AddressWithoutPort())
+		mapper := epm.EndpointMapper(ctx, fmt.Sprintf("%s:%d", target.AddressWithoutPort(), client.Port), dcerpc.WithLogger(client.log))
+		dceOpts := []dcerpc.Option{dcerpc.WithLogger(client.log), dcerpc.WithSeal()}
+
+		if dceOpts, err = dcerpcauth.AuthenticationOptions(authCtx, creds, target, &client.authOpts); err == nil {
+			dceOpts = append(dceOpts, mapper)
+			dceOpts = append(dceOpts, client.opts...)
+			dceOpts = append(dceOpts, dialOpts...)
+
+			if client.conn, err = dcerpc.Dial(authCtx, binding, dceOpts...); err == nil {
+				client.log.Debug().Msg("Bind successful")
+				return nil
+			}
+			client.log.Debug().Err(err).Msg("DCERPC bind failed")
+			return errors.New("bind failed")
+		}
+		return errors.New("unable to parse DCE authentication options")
+	}
+	return errors.New("invalid arguments")
+}
+
+func (client *DCEClient) Close(ctx context.Context) (err error) {
+	if client.conn == nil {
+		client.log.Debug().Msg("Connection already closed")
+	} else if err = client.conn.Close(ctx); err == nil {
+		client.log.Debug().Msg("Connection closed successfully")
+	} else {
+		client.log.Error().Err(err).Msg("Failed to close connection")
+	}
+	return
+}
diff --git a/pkg/client/dcerpc/smb.go b/pkg/client/dcerpc/smb.go
new file mode 100644
index 0000000..cab82eb
--- /dev/null
+++ b/pkg/client/dcerpc/smb.go
@@ -0,0 +1,13 @@
+package dcerpc
+
+import "github.com/oiweiwei/go-msrpc/smb2"
+
+const (
+	SmbDefaultPort = 445
+)
+
+type SmbConfig struct {
+	Port         uint16
+	FullSecurity bool
+	ForceDialect smb2.Dialect
+}
diff --git a/pkg/exec/exec.go b/pkg/exec/exec.go
new file mode 100644
index 0000000..6e18378
--- /dev/null
+++ b/pkg/exec/exec.go
@@ -0,0 +1,38 @@
+package exec
+
+import (
+	"context"
+	"github.com/bryanmcnulty/adauth"
+)
+
+type ExecutionConfig struct {
+	ExecutableName string // ExecutableName represents the name of the executable; i.e. "notepad.exe", "calc"
+	ExecutablePath string // ExecutablePath represents the full path to the executable; i.e. `C:\Windows\explorer.exe`
+	ExecutableArgs string // ExecutableArgs represents the arguments to be passed to the executable during execution; i.e. "/C whoami"
+
+	ExecutionMethod       string // ExecutionMethod represents the specific execution strategy used by the module.
+	ExecutionMethodConfig interface{}
+	ExecutionOutput       string      // not implemented
+	ExecutionOutputConfig interface{} // not implemented
+}
+
+type ShellConfig struct {
+	ShellName string // ShellName specifies the name of the shell executable; i.e. "cmd.exe", "powershell"
+	ShellPath string // ShellPath is the full Windows path to the shell executable; i.e. `C:\Windows\System32\cmd.exe`
+}
+
+type Executor interface {
+	// Exec performs a single execution task without the need to call Init.
+	Exec(ctx context.Context, creds *adauth.Credential, target *adauth.Target, config *ExecutionConfig)
+
+	// Init assigns the provided TODO
+	//Init(ctx context.Context, creds *adauth.Credential, target *adauth.Target)
+	//Shell(ctx context.Context, input chan *ExecutionConfig, output chan []byte)
+}
+
+func (cfg *ExecutionConfig) GetRawCommand() string {
+	if cfg.ExecutableArgs != "" {
+		return cfg.ExecutablePath + " " + cfg.ExecutableArgs
+	}
+	return cfg.ExecutablePath
+}
diff --git a/pkg/exec/scmr/exec.go b/pkg/exec/scmr/exec.go
new file mode 100644
index 0000000..b3c1531
--- /dev/null
+++ b/pkg/exec/scmr/exec.go
@@ -0,0 +1,224 @@
+package scmrexec
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"github.com/bryanmcnulty/adauth"
+	"github.com/rs/zerolog"
+	"github.com/FalconOpsLLC/goexec/pkg/client/dcerpc"
+	"github.com/FalconOpsLLC/goexec/pkg/exec"
+	"github.com/FalconOpsLLC/goexec/pkg/windows"
+)
+
+const (
+	MethodCreate string = "create"
+	MethodModify string = "modify"
+
+	ServiceModifyAccess uint32 = windows.SERVICE_QUERY_CONFIG | windows.SERVICE_CHANGE_CONFIG | windows.SERVICE_STOP | windows.SERVICE_START | windows.SERVICE_DELETE
+	ServiceCreateAccess uint32 = windows.SC_MANAGER_CREATE_SERVICE | windows.SERVICE_START | windows.SERVICE_STOP | windows.SERVICE_DELETE
+	ServiceAllAccess    uint32 = ServiceCreateAccess | ServiceModifyAccess
+)
+
+func (executor *Executor) createClients(ctx context.Context) (cleanup func(cCtx context.Context), err error) {
+
+	cleanup = func(context.Context) {
+		if executor.dce != nil {
+			executor.log.Debug().Msg("Cleaning up clients")
+			if err := executor.dce.Close(ctx); err != nil {
+				executor.log.Error().Err(err).Msg("Failed to destroy DCE connection")
+			}
+		}
+	}
+	cleanup(ctx)
+	executor.dce = dcerpc.NewDCEClient(ctx, false, &dcerpc.SmbConfig{Port: 445})
+	cleanup = func(context.Context) {}
+
+	if err = executor.dce.Connect(ctx, executor.creds, executor.target); err != nil {
+		return nil, fmt.Errorf("connection to DCERPC failed: %w", err)
+	}
+	executor.ctl, err = executor.dce.OpenSvcctl(ctx)
+	return
+}
+
+func (executor *Executor) Exec(ctx context.Context, creds *adauth.Credential, target *adauth.Target, ecfg *exec.ExecutionConfig) (err error) {
+
+	vctx := context.WithoutCancel(ctx)
+	executor.log = zerolog.Ctx(ctx).With().
+		Str("module", "scmr").
+		Str("method", ecfg.ExecutionMethod).Logger()
+	executor.creds = creds
+	executor.target = target
+
+	if ecfg.ExecutionMethod == MethodCreate {
+		if cfg, ok := ecfg.ExecutionMethodConfig.(MethodCreateConfig); !ok || cfg.ServiceName == "" {
+			return errors.New("invalid configuration")
+		} else {
+			if cleanup, err := executor.createClients(ctx); err != nil {
+				return fmt.Errorf("failed to create client: %w", err)
+			} else {
+				executor.log.Debug().Msg("Created clients")
+				defer cleanup(ctx)
+			}
+			svc := &service{
+				createConfig: &cfg,
+				name:         cfg.ServiceName,
+			}
+			scm, code, err := executor.openSCM(ctx)
+			if err != nil {
+				return fmt.Errorf("failed to open SCM with code %d: %w", code, err)
+			}
+			executor.log.Debug().Msg("Opened handle to SCM")
+			code, err = executor.createService(ctx, scm, svc, ecfg)
+			if err != nil {
+				return fmt.Errorf("failed to create service with code %d: %w", code, err)
+			}
+			executor.log.Info().Str("service", svc.name).Msg("Service created")
+			// From here on out, make sure the service is properly deleted, even if the connection drops or something fails.
+			if !cfg.NoDelete {
+				defer func() {
+					// TODO: stop service?
+					if code, err = executor.deleteService(ctx, scm, svc); err != nil {
+						executor.log.Error().Err(err).Msg("Failed to delete service") // TODO
+					}
+					executor.log.Info().Str("service", svc.name).Msg("Service deleted successfully")
+				}()
+			}
+			if code, err = executor.startService(ctx, scm, svc); err != nil {
+				if errors.Is(err, context.DeadlineExceeded) || errors.Is(err, context.Canceled) {
+					// In case of timeout or cancel, try to reestablish a connection to restore the service
+					executor.log.Info().Msg("Service start timeout/cancelled. Execution likely successful")
+					executor.log.Info().Msg("Reconnecting for cleanup procedure")
+					ctx = vctx
+
+					if _, err = executor.createClients(ctx); err != nil {
+						executor.log.Error().Err(err).Msg("Reconnect failed")
+
+					} else if scm, code, err = executor.openSCM(ctx); err != nil {
+						executor.log.Error().Err(err).Msg("Failed to reopen SCM")
+
+					} else if svc.handle, code, err = executor.openService(ctx, scm, svc.name); err != nil {
+						executor.log.Error().Str("service", svc.name).Err(err).Msg("Failed to reopen service handle")
+
+					} else {
+						executor.log.Debug().Str("service", svc.name).Msg("Reconnection successful")
+					}
+				} else {
+					executor.log.Error().Err(err).Msg("Failed to start service")
+				}
+			} else {
+				executor.log.Info().Str("service", svc.name).Msg("Execution successful")
+			}
+		}
+	} else if ecfg.ExecutionMethod == MethodModify {
+		// Use service modification method
+		if cfg, ok := ecfg.ExecutionMethodConfig.(MethodModifyConfig); !ok || cfg.ServiceName == "" {
+			return errors.New("invalid configuration")
+
+		} else {
+			// Ensure that a command (executable full path + args) is supplied
+			cmd := ecfg.GetRawCommand()
+			if cmd == "" {
+				return errors.New("no command provided")
+			}
+
+			// Initialize protocol clients
+			if cleanup, err := executor.createClients(ctx); err != nil {
+				return fmt.Errorf("failed to create client: %w", err)
+			} else {
+				executor.log.Debug().Msg("Created clients")
+				defer cleanup(ctx)
+			}
+			svc := &service{modifyConfig: &cfg, name: cfg.ServiceName}
+
+			// Open SCM handle
+			scm, code, err := executor.openSCM(ctx)
+			if err != nil {
+				return fmt.Errorf("failed to create service with code %d: %w", code, err)
+			}
+			executor.log.Debug().Msg("Opened handle to SCM")
+
+			// Open service handle
+			if svc.handle, code, err = executor.openService(ctx, scm, svc.name); err != nil {
+				return fmt.Errorf("failed to open service with code %d: %w", code, err)
+			}
+			executor.log.Debug().Str("service", svc.name).Msg("Opened service")
+
+			// Stop service before editing
+			if !cfg.NoStart {
+				if code, err = executor.stopService(ctx, scm, svc); err != nil {
+					executor.log.Warn().Err(err).Msg("Failed to stop existing service")
+				} else if code == windows.ERROR_SERVICE_NOT_ACTIVE {
+					executor.log.Debug().Str("service", svc.name).Msg("Service is not running")
+				} else {
+					executor.log.Info().Str("service", svc.name).Msg("Stopped existing service")
+					defer func() {
+						if code, err = executor.startService(ctx, scm, svc); err != nil {
+							executor.log.Error().Err(err).Msg("Failed to restore service state to running")
+						}
+					}()
+				}
+			}
+			if code, err = executor.queryServiceConfig(ctx, svc); err != nil {
+				return fmt.Errorf("failed to query service configuration with code %d: %w", code, err)
+			}
+			executor.log.Debug().
+				Str("service", svc.name).
+				Str("command", svc.svcConfig.BinaryPathName).Msg("Fetched existing service configuration")
+
+			// Change service configuration
+			if code, err = executor.changeServiceConfigBinary(ctx, svc, cmd); err != nil {
+				return fmt.Errorf("failed to edit service configuration with code %d: %w", code, err)
+			}
+			defer func() {
+				// Revert configuration
+				if code, err = executor.changeServiceConfigBinary(ctx, svc, svc.svcConfig.BinaryPathName); err != nil {
+					executor.log.Error().Err(err).Msg("Failed to restore service configuration")
+				} else {
+					executor.log.Info().Str("service", svc.name).Msg("Restored service configuration")
+				}
+			}()
+			executor.log.Info().
+				Str("service", svc.name).
+				Str("command", cmd).Msg("Changed service configuration")
+
+			// Start service
+			if !cfg.NoStart {
+				if code, err = executor.startService(ctx, scm, svc); err != nil {
+					if errors.Is(err, context.DeadlineExceeded) || errors.Is(err, context.Canceled) {
+						// In case of timeout or cancel, try to reestablish a connection to restore the service
+						executor.log.Info().Msg("Service start timeout/cancelled. Execution likely successful")
+						executor.log.Info().Msg("Reconnecting for cleanup procedure")
+						ctx = vctx
+
+						if _, err = executor.createClients(ctx); err != nil {
+							executor.log.Error().Err(err).Msg("Reconnect failed")
+
+						} else if scm, code, err = executor.openSCM(ctx); err != nil {
+							executor.log.Error().Err(err).Msg("Failed to reopen SCM")
+
+						} else if svc.handle, code, err = executor.openService(ctx, scm, svc.name); err != nil {
+							executor.log.Error().Str("service", svc.name).Err(err).Msg("Failed to reopen service handle")
+
+						} else {
+							executor.log.Debug().Str("service", svc.name).Msg("Reconnection successful")
+						}
+					} else {
+						executor.log.Error().Err(err).Msg("Failed to start service")
+					}
+				} else {
+					executor.log.Info().Str("service", svc.name).Msg("Started service")
+				}
+				defer func() {
+					// Stop service
+					if code, err = executor.stopService(ctx, scm, svc); err != nil {
+						executor.log.Error().Err(err).Msg("Failed to stop service")
+					} else {
+						executor.log.Info().Str("service", svc.name).Msg("Stopped service")
+					}
+				}()
+			}
+		}
+	}
+	return err
+}
diff --git a/pkg/exec/scmr/module.go b/pkg/exec/scmr/module.go
new file mode 100644
index 0000000..1c855fb
--- /dev/null
+++ b/pkg/exec/scmr/module.go
@@ -0,0 +1,31 @@
+package scmrexec
+
+import (
+	"github.com/bryanmcnulty/adauth"
+	"github.com/oiweiwei/go-msrpc/msrpc/scmr/svcctl/v2"
+	"github.com/rs/zerolog"
+	"github.com/FalconOpsLLC/goexec/pkg/client/dcerpc"
+)
+
+type Executor struct {
+	creds    *adauth.Credential
+	target   *adauth.Target
+	hostname string
+
+	log zerolog.Logger
+	dce *dcerpc.DCEClient
+	ctl svcctl.SvcctlClient
+}
+
+type MethodCreateConfig struct {
+	NoDelete    bool
+	ServiceName string
+	DisplayName string
+	ServiceType uint32
+	StartType   uint32
+}
+
+type MethodModifyConfig struct {
+	NoStart     bool
+	ServiceName string
+}
diff --git a/pkg/exec/scmr/scmr.go b/pkg/exec/scmr/scmr.go
new file mode 100644
index 0000000..fbbb108
--- /dev/null
+++ b/pkg/exec/scmr/scmr.go
@@ -0,0 +1,238 @@
+package scmrexec
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"github.com/oiweiwei/go-msrpc/msrpc/scmr/svcctl/v2"
+	"github.com/FalconOpsLLC/goexec/internal/util"
+	"github.com/FalconOpsLLC/goexec/pkg/exec"
+	"github.com/FalconOpsLLC/goexec/pkg/windows"
+)
+
+type service struct {
+	name         string
+	exec         string
+	createConfig *MethodCreateConfig
+	modifyConfig *MethodModifyConfig
+
+	svcState  uint32
+	svcConfig *svcctl.QueryServiceConfigW
+	handle    *svcctl.Handle
+}
+
+// openSCM opens a handle to SCM via ROpenSCManagerW
+// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/dc84adb3-d51d-48eb-820d-ba1c6ca5faf2
+func (executor *Executor) openSCM(ctx context.Context) (scm *svcctl.Handle, code uint32, err error) {
+	if executor.ctl != nil {
+
+		hostname := executor.hostname
+		if hostname == "" {
+			hostname = util.RandomHostname()
+		}
+		if response, err := executor.ctl.OpenSCMW(ctx, &svcctl.OpenSCMWRequest{
+			MachineName:   hostname + "\x00",    // lpMachineName; The server's name (i.e. DC01, dc01.domain.local)
+			DatabaseName:  "ServicesActive\x00", // lpDatabaseName; must be "ServicesActive" or "ServicesFailed"
+			DesiredAccess: ServiceModifyAccess,  // dwDesiredAccess; requested access - appears to be ignored?
+		}); err != nil {
+
+			if response != nil {
+				return nil, response.Return, fmt.Errorf("open scm response: %w", err)
+			}
+			return nil, 0, fmt.Errorf("open scm: %w", err)
+		} else {
+			return response.SCM, 0, nil
+		}
+	}
+	return nil, 0, errors.New("invalid arguments")
+}
+
+// createService creates a service with the provided configuration via RCreateServiceW
+// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/6a8ca926-9477-4dd4-b766-692fab07227e
+func (executor *Executor) createService(ctx context.Context, scm *svcctl.Handle, scfg *service, ecfg *exec.ExecutionConfig) (code uint32, err error) {
+	if executor.ctl != nil && scm != nil && scfg != nil && scfg.createConfig != nil {
+		cfg := scfg.createConfig
+		if response, err := executor.ctl.CreateServiceW(ctx, &svcctl.CreateServiceWRequest{
+			ServiceManager: scm,
+			ServiceName:    cfg.ServiceName + "\x00",
+			DisplayName:    cfg.DisplayName + "\x00",
+			BinaryPathName: ecfg.GetRawCommand() + "\x00",
+			ServiceType:    cfg.ServiceType,
+			StartType:      cfg.StartType,
+			DesiredAccess:  ServiceCreateAccess,
+		}); err != nil {
+
+			if response != nil {
+				return response.Return, fmt.Errorf("create service response: %w", err)
+			}
+			return 0, fmt.Errorf("create service: %w", err)
+		} else {
+			scfg.handle = response.Service
+			return response.Return, err
+		}
+	}
+	return 0, errors.New("invalid arguments")
+}
+
+// openService opens a handle to a service given the service name (lpServiceName)
+// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/6d0a4225-451b-4132-894d-7cef7aecfd2d
+func (executor *Executor) openService(ctx context.Context, scm *svcctl.Handle, svcName string) (*svcctl.Handle, uint32, error) {
+	if executor.ctl != nil && scm != nil {
+		if openResponse, err := executor.ctl.OpenServiceW(ctx, &svcctl.OpenServiceWRequest{
+			ServiceManager: scm,
+			ServiceName:    svcName,
+			DesiredAccess:  ServiceAllAccess,
+		}); err != nil {
+			if openResponse != nil {
+				if openResponse.Return == windows.ERROR_SERVICE_DOES_NOT_EXIST {
+					return nil, openResponse.Return, fmt.Errorf("remote service does not exist: %s", svcName)
+				}
+				return nil, openResponse.Return, fmt.Errorf("open service response: %w", err)
+			}
+			return nil, 0, fmt.Errorf("open service: %w", err)
+		} else {
+			return openResponse.Service, 0, nil
+		}
+	}
+	return nil, 0, errors.New("invalid arguments")
+}
+
+// deleteService deletes an existing service with RDeleteService
+// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/6744cdb8-f162-4be0-bb31-98996b6495be
+func (executor *Executor) deleteService(ctx context.Context, scm *svcctl.Handle, svc *service) (code uint32, err error) {
+	if executor.ctl != nil && scm != nil && svc != nil {
+		if deleteResponse, err := executor.ctl.DeleteService(ctx, &svcctl.DeleteServiceRequest{Service: svc.handle}); err != nil {
+			defer func() {}()
+			if deleteResponse != nil {
+				return deleteResponse.Return, fmt.Errorf("delete service response: %w", err)
+			}
+			return 0, fmt.Errorf("delete service: %w", err)
+		}
+		return 0, nil
+	}
+	return 0, errors.New("invalid arguments")
+}
+
+// controlService sets the state of the provided process
+// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/e1c478be-117f-4512-9b67-17c20a48af97
+func (executor *Executor) controlService(ctx context.Context, scm *svcctl.Handle, svc *service, control uint32) (code uint32, err error) {
+	if executor.ctl != nil && scm != nil && svc != nil {
+		if controlResponse, err := executor.ctl.ControlService(ctx, &svcctl.ControlServiceRequest{
+			Service: svc.handle,
+			Control: control,
+		}); err != nil {
+			if controlResponse != nil {
+				return controlResponse.Return, fmt.Errorf("control service response: %w", err)
+			}
+			return 0, fmt.Errorf("control service: %w", err)
+		}
+		return 0, nil
+	}
+	return 0, errors.New("invalid arguments")
+}
+
+// stopService sends stop signal to existing service using controlService
+// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/e1c478be-117f-4512-9b67-17c20a48af97
+func (executor *Executor) stopService(ctx context.Context, scm *svcctl.Handle, svc *service) (code uint32, err error) {
+	if code, err = executor.controlService(ctx, scm, svc, windows.SERVICE_CONTROL_STOP); code == windows.ERROR_SERVICE_NOT_ACTIVE {
+		err = nil
+	}
+	return
+}
+
+// startService starts the specified service with RStartServiceW
+// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/d9be95a2-cf01-4bdc-b30f-6fe4b37ada16
+func (executor *Executor) startService(ctx context.Context, scm *svcctl.Handle, svc *service) (code uint32, err error) {
+	if executor.ctl != nil && scm != nil && svc != nil {
+		if startResponse, err := executor.ctl.StartServiceW(ctx, &svcctl.StartServiceWRequest{Service: svc.handle}); err != nil {
+			if startResponse != nil {
+				// TODO: check if service is already running, return nil error if so
+				if startResponse.Return == windows.ERROR_SERVICE_REQUEST_TIMEOUT {
+					return 0, nil
+				}
+				return startResponse.Return, fmt.Errorf("start service response: %w", err)
+			}
+			return 0, fmt.Errorf("start service: %w", err)
+		}
+		return 0, nil
+	}
+	return 0, errors.New("invalid arguments")
+}
+
+// closeService closes the specified service handle using RCloseServiceHandle
+// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/a2a4e174-09fb-4e55-bad3-f77c4b13245c
+func (executor *Executor) closeService(ctx context.Context, svc *svcctl.Handle) (code uint32, err error) {
+	if executor.ctl != nil && svc != nil {
+		if closeResponse, err := executor.ctl.CloseService(ctx, &svcctl.CloseServiceRequest{ServiceObject: svc}); err != nil {
+			if closeResponse != nil {
+				return closeResponse.Return, fmt.Errorf("close service response: %w", err)
+			}
+			return 0, fmt.Errorf("close service: %w", err)
+		}
+		return 0, nil
+	}
+	return 0, errors.New("invalid arguments")
+}
+
+// getServiceConfig fetches the configuration details of a service given a handle passed in a service{} structure.
+// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/89e2d5b1-19cf-44ca-969f-38eea9fe7f3c
+func (executor *Executor) queryServiceConfig(ctx context.Context, svc *service) (code uint32, err error) {
+	if executor.ctl != nil && svc != nil && svc.handle != nil {
+		if getResponse, err := executor.ctl.QueryServiceConfigW(ctx, &svcctl.QueryServiceConfigWRequest{
+			Service:      svc.handle,
+			BufferLength: 1024 * 8,
+		}); err != nil {
+			if getResponse != nil {
+				return getResponse.Return, fmt.Errorf("get service config response: %w", err)
+			}
+			return 0, fmt.Errorf("get service config: %w", err)
+		} else {
+			svc.svcConfig = getResponse.ServiceConfig
+			return code, err
+		}
+	}
+	return 0, errors.New("invalid arguments")
+}
+
+// queryServiceStatus fetches the state of the specified service
+// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/cf94d915-b4e1-40e5-872b-a9cb3ad09b46
+func (executor *Executor) queryServiceStatus(ctx context.Context, svc *service) (uint32, error) {
+	if executor.ctl != nil && svc != nil {
+		if queryResponse, err := executor.ctl.QueryServiceStatus(ctx, &svcctl.QueryServiceStatusRequest{Service: svc.handle}); err != nil {
+			if queryResponse != nil {
+				return queryResponse.Return, fmt.Errorf("query service status response: %w", err)
+			}
+			return 0, fmt.Errorf("query service status: %w", err)
+		} else {
+			svc.svcState = queryResponse.ServiceStatus.CurrentState
+			return 0, nil
+		}
+	}
+	return 0, errors.New("invalid arguments")
+}
+
+// changeServiceConfigBinary edits the provided service's lpBinaryPathName
+// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/61ea7ed0-c49d-4152-a164-b4830f16c8a4
+func (executor *Executor) changeServiceConfigBinary(ctx context.Context, svc *service, bin string) (code uint32, err error) {
+	if executor.ctl != nil && svc != nil && svc.handle != nil {
+		if changeResponse, err := executor.ctl.ChangeServiceConfigW(ctx, &svcctl.ChangeServiceConfigWRequest{
+			Service:        svc.handle,
+			ServiceType:    svc.svcConfig.ServiceType,
+			StartType:      svc.svcConfig.StartType,
+			ErrorControl:   svc.svcConfig.ErrorControl,
+			BinaryPathName: bin + "\x00",
+			LoadOrderGroup: svc.svcConfig.LoadOrderGroup,
+			TagID:          svc.svcConfig.TagID,
+			// Dependencies: svc.svcConfig.Dependencies // TODO
+			ServiceStartName: svc.svcConfig.ServiceStartName,
+			DisplayName:      svc.svcConfig.DisplayName,
+		}); err != nil {
+			if changeResponse != nil {
+				return changeResponse.Return, fmt.Errorf("change service config response: %w", err)
+			}
+			return 0, fmt.Errorf("change service config: %w", err)
+		}
+		return
+	}
+	return 0, errors.New("invalid arguments")
+}
diff --git a/pkg/windows/const.go b/pkg/windows/const.go
new file mode 100644
index 0000000..4c4fbe6
--- /dev/null
+++ b/pkg/windows/const.go
@@ -0,0 +1,37 @@
+package windows
+
+const (
+	// Windows error codes
+	ERROR_FILE_NOT_FOUND          uint32 = 0x00000002
+	ERROR_SERVICE_REQUEST_TIMEOUT uint32 = 0x0000041d
+	ERROR_SERVICE_DOES_NOT_EXIST  uint32 = 0x00000424
+	ERROR_SERVICE_NOT_ACTIVE      uint32 = 0x00000426
+
+	// Windows service/scm constants
+	SERVICE_BOOT_START   uint32 = 0x00000000
+	SERVICE_SYSTEM_START uint32 = 0x00000001
+	SERVICE_AUTO_START   uint32 = 0x00000002
+	SERVICE_DEMAND_START uint32 = 0x00000003
+	SERVICE_DISABLED     uint32 = 0x00000004
+
+	// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/4e91ff36-ab5f-49ed-a43d-a308e72b0b3c
+	SERVICE_CONTINUE_PENDING uint32 = 0x00000005
+	SERVICE_PAUSE_PENDING    uint32 = 0x00000006
+	SERVICE_PAUSED           uint32 = 0x00000007
+	SERVICE_RUNNING          uint32 = 0x00000004
+	SERVICE_START_PENDING    uint32 = 0x00000002
+	SERVICE_STOP_PENDING     uint32 = 0x00000003
+	SERVICE_STOPPED          uint32 = 0x00000001
+
+	SERVICE_WIN32_OWN_PROCESS uint32 = 0x00000010
+
+	SERVICE_CONTROL_STOP      uint32 = 0x00000001
+	SC_MANAGER_CREATE_SERVICE uint32 = 0x00000002
+
+	// https://learn.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights
+	SERVICE_QUERY_CONFIG  uint32 = 0x00000001
+	SERVICE_CHANGE_CONFIG uint32 = 0x00000002
+	SERVICE_START         uint32 = 0x00000010
+	SERVICE_STOP          uint32 = 0x00000020
+	SERVICE_DELETE        uint32 = 0x00010000 // special permission
+)
author	Bryan McNulty <bryanmcnulty@protonmail.com>	2025-02-26 19:42:55 -0600
committer	Bryan McNulty <bryanmcnulty@protonmail.com>	2025-02-26 19:42:55 -0600
commit	0591eed275fd24e5c1b959e1a182bea6f6275c34 (patch)
tree	d32e53640e65627180de9a290449309591bae771
parent	930699ae66d1ddaf44fec71e04c33ab193531584 (diff)
download	goexec-0591eed275fd24e5c1b959e1a182bea6f6275c34.tar.gz goexec-0591eed275fd24e5c1b959e1a182bea6f6275c34.zip