https://github.com/refiaa/greedyplasma
green green what is your problem green
- Host: GitHub
- URL: https://github.com/refiaa/greedyplasma
- Owner: refiaa
- Created: 2026-05-13T14:15:32.000Z (about 1 month ago)
- Default Branch: main
- Last Pushed: 2026-05-14T14:18:38.000Z (about 1 month ago)
- Last Synced: 2026-05-14T14:43:42.173Z (about 1 month ago)
- Language: C++
- Homepage: https://github.com/Nightmare-Eclipse/GreenPlasma
- Size: 24.4 KB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
# GreedyPlasma

PoC harness for validating a Windows HKCU registry-follow primitive toward LPE.
Inspired by the original [`GreenPlasma`](https://github.com/Nightmare-Eclipse/GreenPlasma) symbolic-link direction, but this harness currently explores a different registry-follow vector.
## Current Status
Current primary path: StartMenuExperienceHost HAM LU registry-follow primitive.
Paint HAM remains as the earlier baseline that first demonstrated the same style of HKCU registry-follow behavior. The current PoC is centered on StartMenuExperienceHost because it is easier to trigger through Explorer/Start menu activity and now covers both observed StartMenuExperienceHost HAM layouts.
The current StartMenuExperienceHost HAM LU PoC has been reproduced on both builds below:
```
Windows 11 Pro 24H2
OS build 26100.2
```
```
Windows 11 Pro 25H2
OS build 26200.8037
```
Confirmed:
- Medium, non-elevated user context.
- Protected HKCU policy target rejects direct value writes and `WRITE_DAC`.
- StartMenuExperienceHost HAM LU source can be backed up, replaced with a `REG_LINK`, triggered, and restored.
- Redirected protected HKCU target is mutated after Explorer/StartMenuExperienceHost activity.
- Source rollback is verified after the run.
- The PoC automatically selects the observed StartMenuExperienceHost source variant:
  - `source_variant=app` on the 24H2 layout.
  - `source_variant=fulltrust` on the 25H2 layout.
Redirected target receives StartMenuExperienceHost/HAM writer-selected values such as:
```
Mixed = REG_QWORD 0
PCT = REG_QWORD
PTT = REG_QWORD
ICT = REG_QWORD
ITT = REG_QWORD
```
Current claim:
**target-mutated-unattributed**
LPE remains under investigation. The current primitive reaches controlled staging of a StartMenuExperienceHost HAM source and mutation of a protected HKCU policy target. The practical gap to LPE is token context: executable follow-up attempts have produced medium-user process activity so far. In the COM LocalServer follow-up tests, activation reached `Process Create`, but the marker child process was created with the user's medium token rather than SYSTEM. The registry-follow primitive is confirmed; the remaining LPE work is finding a service path where redirected state results in SYSTEM-token execution or a security-relevant privileged write.
## Proof Command
Build the executable with `scripts\build_exe.ps1`, then run:
```powershell
.\GreedyPlasma.exe --startmenu-ham-lu-poc --trigger-mode explorer-restart --observe-ms 180000 --settle-ms 30000 --no-hold
```
Successful runs contain:
```
start_token ... integrity=medium ... elevated=0
source_select variant=app|fulltrust ...
target_boundary ... set_value=0 write_dac=0 ... reason=direct-write-blocked
reg_link_stage=ok
target_notify fired=1
target_registry_diff snapshot_changed=1 value_changed=1 material_changed=1
rollback_verified=1
startmenu_ham_lu_poc_summary ... target_changed=1 ... claim=target-mutated-unattributed
done=ok
```
## Default Source And Target
**Legacy source (Paint HAM baseline):**
```
HKCU\Software\Microsoft\Windows NT\CurrentVersion\HostActivityManager\CommitHistory\Microsoft.Paint_8wekyb3d8bbwe!App
```
Paint HAM is retained only as historical context for the earlier baseline.
**Primary source, 24H2 layout (StartMenuExperienceHost HAM LU):**
```
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU
```
**Primary source, 25H2 layout (StartMenuExperienceHost HAM LU):**
```
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\FullTrustApp\V1\LU
```
**Target:**
```
HKCU\Software\Policies\Microsoft\Windows\CloudContent
```
## Primary Source (StartMenuExperienceHost HAM LU)
The strongest current source family is StartMenuExperienceHost HAM LU:
```
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\FullTrustApp\V1\LU
```
The first layout was observed on 24H2 and the second on 25H2. The PoC checks both paths and uses whichever candidate exists. The selected key is backed up with `RegRenameKey`, replaced with a `REG_LINK`, and restored after the observation window.
The trigger is Explorer restart. Unlike the earlier Paint-only baseline, this route is not tied to launching Paint or to the Paint first-run lifecycle.
Observed with ProcMon:
- The staged StartMenuExperienceHost HAM LU source is opened and redirected through `REG_LINK`.
- When the target is `HKCU\Software\Policies\Microsoft\Windows\CloudContent`, the redirected key receives HAM value writes such as:
```
PCT = REG_QWORD
PTT = REG_QWORD
ICT = REG_QWORD
ITT = REG_QWORD
```
The current practical control is:
- Choose the protected HKCU target used by the PoC.
- Stage and remove the `REG_LINK` source.
- Trigger the writer through Explorer/StartMenuExperienceHost activity.
- Cause mutation of the redirected target with values selected by the HAM writer.
- Verify rollback of the source key.
- Drive the current PoC execution path through Explorer restart.
Executable follow-up remains the active LPE research track. COM LocalServer tests showed activation and `Process Create` for a user-controlled marker executable, but the marker ran as the medium user. Reaching a SYSTEM shell requires a path where the redirected state affects a SYSTEM-token execution or a privileged security or write decision.
Current state:
```
REG_LINK follow: confirmed
HKCU target mutation: confirmed
Service-mediated Process Create: observed
LPE/SYSTEM shell: still being explored
```
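A detection-side Sysmon configuration, added here and not part of the GreedyPlasma project, that watches for the registry activity this README describes: rename or `REG_LINK` staging (the `SymbolicLinkValue` write) on the StartMenuExperienceHost HAM LU source keys, and value writes into the CloudContent policy target. Sysmon logs HKCU paths as `HKU\<SID>\...`, so the rules match on path fragments; the schema version is an assumption.

```xml
<!-- Added example configuration, not from the project. Sysmon 12/13/14 (key create, set value, rename)
     all surface as RegistryEvent; schemaversion is an assumption, adjust to the installed Sysmon. -->
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <!-- Staging of the HAM LU source: RegRenameKey backup (Event 14), re-creation of the key (Event 12)
         and the REG_LINK's SymbolicLinkValue write (Event 13) all carry this path fragment in TargetObject. -->
    <RuleGroup name="HAM LU source staged" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject name="ham_lu_app" condition="contains">StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU</TargetObject>
        <TargetObject name="ham_lu_fulltrust" condition="contains">StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\FullTrustApp\V1\LU</TargetObject>
      </RegistryEvent>
    </RuleGroup>
    <!-- Writes into the protected policy target. Normal users cannot write here directly, so a set-value event
         from StartMenuExperienceHost.exe or explorer.exe (the HAM writer path) is the redirected-write signal. -->
    <RuleGroup name="CloudContent policy key written" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject name="cloudcontent_policy" condition="contains">\Software\Policies\Microsoft\Windows\CloudContent</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

After baselining, exclude the expected writers of the CloudContent key (Group Policy processing) and alert on the source-staging event followed within a short window by a policy-key write whose `Image` is an unprivileged app-model process.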
**Tested Targets:**
* HKCU Target: `HKCU\Software\Policies\Microsoft\Windows\CloudContent`
> [!CAUTION]
> **LEGAL AND TECHNICAL DISCLAIMER**
>
> This code is for controlled research and analysis. The author assumes no liability for damages, system instability, or legal consequences arising from use or misuse of this software.