├── injector ├── injector │ ├── SetPriv.h │ ├── stdafx.cpp │ ├── targetver.h │ ├── stdafx.h │ ├── ReadMe.txt │ ├── SetPriv.cpp │ ├── injector.vcxproj.filters │ ├── injector.cpp │ └── injector.vcxproj └── injector.sln ├── GetSignatureMitigation ├── GetSignatureMitigation │ ├── GetMitigation.h │ ├── SetPriv.h │ ├── stdafx.cpp │ ├── targetver.h │ ├── stdafx.h │ ├── SetPriv.cpp │ ├── GetSignatureMitigation.cpp │ ├── GetMitigation.cpp │ ├── ReadMe.txt │ ├── GetSignatureMitigation.vcxproj.filters │ └── GetSignatureMitigation.vcxproj └── GetSignatureMitigation.sln └── README.md /injector/injector/SetPriv.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | class SetPriv 4 | { 5 | public: 6 | bool CheckPriv(); 7 | bool Set(LPCTSTR Privilege, BOOL bEnablePrivilege); 8 | private: 9 | HANDLE Token; 10 | }; 11 | 12 | -------------------------------------------------------------------------------- /GetSignatureMitigation/GetSignatureMitigation/GetMitigation.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | class GetMitigation 5 | { 6 | public: 7 | bool OpenPID(int PID); 8 | void PrintMitigation(); 9 | private: 10 | HANDLE GM_HProcess; 11 | }; 12 | -------------------------------------------------------------------------------- /GetSignatureMitigation/GetSignatureMitigation/SetPriv.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | class SetPriv 4 | { 5 | public: 6 | bool CheckPriv(); 7 | bool Set(LPCTSTR Privilege, BOOL bEnablePrivilege); 8 | private: 9 | HANDLE Token; 10 | }; 11 | 12 | -------------------------------------------------------------------------------- /injector/injector/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // injector.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /injector/injector/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /GetSignatureMitigation/GetSignatureMitigation/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // GetSignatureMitigation.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /GetSignatureMitigation/GetSignatureMitigation/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /injector/injector/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #include 11 | #include 12 | 13 | 14 | 15 | // TODO: reference additional headers your program requires here 16 | -------------------------------------------------------------------------------- /GetSignatureMitigation/GetSignatureMitigation/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #include 11 | #include 12 | 13 | 14 | 15 | // TODO: reference additional headers your program requires here 16 | -------------------------------------------------------------------------------- /injector/injector/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ## Tool 2: injector 2 | The purpose of this tool is to inject code in a running process. We created it to test the signature loading mitigation of Edge TH2. 3 | Here is the syntax: 4 | 5 | ``` 6 | C:\>injector.exe 7 | Usage of the injector. 8 | 9 | injector.exe /d dll_file PID 10 | injector.exe /s shellcode_file PID 11 | /d dll_file PID: dll injection via LoadLibrary(). 12 | /s shellcode_file PID: shellcode injection. 13 | ``` 14 | 15 | The /d option uses the LoadLibrary() function in order to load a DLL. 16 | the /s option push the shellcode in memory and execute it directly. 17 | -------------------------------------------------------------------------------- /injector/injector/SetPriv.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "SetPriv.h" 3 | #include 4 | #include 5 | using namespace std; 6 | 7 | 8 | bool SetPriv::CheckPriv() 9 | { 10 | HANDLE hToken; 11 | if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) 12 | { 13 | Token = hToken; 14 | return TRUE; 15 | } 16 | else { 17 | return FALSE; 18 | } 19 | } 20 | 21 | bool SetPriv::Set(LPCTSTR Privilege, BOOL bEnablePrivilege) 22 | { 23 | TOKEN_PRIVILEGES tp = { 0 }; 24 | LUID luid; 25 | DWORD cb = sizeof(TOKEN_PRIVILEGES); 26 | if (!LookupPrivilegeValue(NULL, Privilege, &luid)) 27 | return FALSE; 28 | tp.PrivilegeCount = 1; 29 | tp.Privileges[0].Luid = luid; 30 | if (bEnablePrivilege) { 31 | tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 32 | } 33 | else { 34 | tp.Privileges[0].Attributes = 0; 35 | } 36 | AdjustTokenPrivileges(Token, FALSE, &tp, cb, NULL, NULL); 37 | if (GetLastError() != ERROR_SUCCESS) 38 | return FALSE; 39 | 40 | return TRUE; 41 | } 42 | -------------------------------------------------------------------------------- /GetSignatureMitigation/GetSignatureMitigation/SetPriv.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "SetPriv.h" 3 | #include 4 | #include 5 | using namespace std; 6 | 7 | 8 | bool SetPriv::CheckPriv() 9 | { 10 | HANDLE hToken; 11 | if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) 12 | { 13 | Token = hToken; 14 | return TRUE; 15 | } 16 | else { 17 | return FALSE; 18 | } 19 | } 20 | 21 | bool SetPriv::Set(LPCTSTR Privilege, BOOL bEnablePrivilege) 22 | { 23 | TOKEN_PRIVILEGES tp = { 0 }; 24 | LUID luid; 25 | DWORD cb = sizeof(TOKEN_PRIVILEGES); 26 | if (!LookupPrivilegeValue(NULL, Privilege, &luid)) 27 | return FALSE; 28 | tp.PrivilegeCount = 1; 29 | tp.Privileges[0].Luid = luid; 30 | if (bEnablePrivilege) { 31 | tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 32 | } 33 | else { 34 | tp.Privileges[0].Attributes = 0; 35 | } 36 | AdjustTokenPrivileges(Token, FALSE, &tp, cb, NULL, NULL); 37 | if (GetLastError() != ERROR_SUCCESS) 38 | return FALSE; 39 | 40 | return TRUE; 41 | } 42 | -------------------------------------------------------------------------------- /GetSignatureMitigation/GetSignatureMitigation/GetSignatureMitigation.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include 3 | #include "GetMitigation.h" 4 | #include "SetPriv.h" 5 | using namespace std; 6 | 7 | void usage(char *binary) 8 | { 9 | cerr << "Usage: " << binary << " PID" << endl; 10 | exit(1); 11 | } 12 | 13 | 14 | int main(int argc, char *argv[]) 15 | { 16 | if (argc == 2) 17 | { 18 | //Get SeDebugPrivilege 19 | SetPriv debug; 20 | cout << "Get SeDebugPrivilege: "; 21 | if (!debug.CheckPriv()) 22 | { 23 | cout << "Cannot obtain the adjust|query privilege." << endl; 24 | exit(1); 25 | } 26 | if (!debug.Set(SE_DEBUG_NAME, TRUE)) 27 | { 28 | cout << "Cannot obtain the Debug privilege." << endl; 29 | exit(1); 30 | } 31 | cout << "OK" << endl; 32 | 33 | //GetMitigation 34 | GetMitigation hGM; 35 | int PID = atoi(argv[1]); 36 | cout << "Open process " << PID << ": "; 37 | if (hGM.OpenPID(PID)) 38 | { 39 | cout << "OK" << endl; 40 | hGM.PrintMitigation(); 41 | } 42 | else { 43 | cout << "KO" << endl; 44 | } 45 | } 46 | else { 47 | usage(argv[0]); 48 | } 49 | } 50 | 51 | -------------------------------------------------------------------------------- /GetSignatureMitigation/GetSignatureMitigation/GetMitigation.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include 3 | #include 4 | #include "GetMitigation.h" 5 | using namespace std; 6 | 7 | bool GetMitigation::OpenPID(int PID) 8 | { 9 | HANDLE HProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID); 10 | if (HProcess != NULL) 11 | { 12 | GM_HProcess = HProcess; 13 | return TRUE; 14 | } else { 15 | return FALSE; 16 | } 17 | } 18 | 19 | void GetMitigation::PrintMitigation() 20 | { 21 | cout << endl; 22 | try 23 | { 24 | PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY sign_policy; 25 | if (GetProcessMitigationPolicy(GM_HProcess, ProcessSignaturePolicy, &sign_policy, sizeof(sign_policy))) 26 | { 27 | cout << "Signature Microsoft Signed Only: " << sign_policy.MicrosoftSignedOnly << endl; 28 | cout << "Signature Store Signed Only: " << sign_policy.StoreSignedOnly << endl; 29 | cout << "Signature Mitigation Opt-In: " << sign_policy.MitigationOptIn << endl; 30 | } else { 31 | cout << "Signature Microsoft Signed Only: KO" << endl; 32 | } 33 | } catch(int e) { 34 | cout << "ProcessSignaturePolicy error: "; 35 | cout << e << endl; 36 | } 37 | cout << endl; 38 | } 39 | 40 | -------------------------------------------------------------------------------- /injector/injector.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.24720.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "injector", "injector\injector.vcxproj", "{89A1FC6A-76F4-422F-9DEB-3B2069C69BF4}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {89A1FC6A-76F4-422F-9DEB-3B2069C69BF4}.Debug|x64.ActiveCfg = Debug|x64 17 | {89A1FC6A-76F4-422F-9DEB-3B2069C69BF4}.Debug|x64.Build.0 = Debug|x64 18 | {89A1FC6A-76F4-422F-9DEB-3B2069C69BF4}.Debug|x86.ActiveCfg = Debug|Win32 19 | {89A1FC6A-76F4-422F-9DEB-3B2069C69BF4}.Debug|x86.Build.0 = Debug|Win32 20 | {89A1FC6A-76F4-422F-9DEB-3B2069C69BF4}.Release|x64.ActiveCfg = Release|x64 21 | {89A1FC6A-76F4-422F-9DEB-3B2069C69BF4}.Release|x64.Build.0 = Release|x64 22 | {89A1FC6A-76F4-422F-9DEB-3B2069C69BF4}.Release|x86.ActiveCfg = Release|Win32 23 | {89A1FC6A-76F4-422F-9DEB-3B2069C69BF4}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | EndGlobal 29 | -------------------------------------------------------------------------------- /GetSignatureMitigation/GetSignatureMitigation.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.24720.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "GetSignatureMitigation", "GetSignatureMitigation\GetSignatureMitigation.vcxproj", "{EBE454EA-2522-46B6-B105-0906A4F28114}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {EBE454EA-2522-46B6-B105-0906A4F28114}.Debug|x64.ActiveCfg = Debug|x64 17 | {EBE454EA-2522-46B6-B105-0906A4F28114}.Debug|x64.Build.0 = Debug|x64 18 | {EBE454EA-2522-46B6-B105-0906A4F28114}.Debug|x86.ActiveCfg = Debug|Win32 19 | {EBE454EA-2522-46B6-B105-0906A4F28114}.Debug|x86.Build.0 = Debug|Win32 20 | {EBE454EA-2522-46B6-B105-0906A4F28114}.Release|x64.ActiveCfg = Release|x64 21 | {EBE454EA-2522-46B6-B105-0906A4F28114}.Release|x64.Build.0 = Release|x64 22 | {EBE454EA-2522-46B6-B105-0906A4F28114}.Release|x86.ActiveCfg = Release|Win32 23 | {EBE454EA-2522-46B6-B105-0906A4F28114}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | EndGlobal 29 | -------------------------------------------------------------------------------- /GetSignatureMitigation/GetSignatureMitigation/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ## Tool 1: GetSignatureMitigation 2 | The purpose of this tool is to list the signature mitigation flags in a running process. 3 | Example of usage on the PID 3704 (MicrosoftEdgeCP.exe in my case): 4 | 5 | ``` 6 | C:\>GetSignatureMitigation.exe 3704 7 | Get SeDebugPrivilege: OK 8 | Open process 3704: OK 9 | 10 | Signature Microsoft Signed Only: 0 11 | Signature Store Signed Only: 1 12 | Signature Mitigation Opt-In: 1 13 | ``` 14 | 15 | The code used the following undocumented structure: 16 | 17 | ``` 18 | typedef enum _PROCESS_MITIGATION_POLICY { 19 | ProcessDEPPolicy, 20 | ProcessASLRPolicy, 21 | ProcessDynamicCodePolicy, 22 | ProcessStrictHandleCheckPolicy, 23 | ProcessSystemCallDisablePolicy, 24 | ProcessMitigationOptionsMask, 25 | ProcessExtensionPointDisablePolicy, 26 | ProcessControlFlowGuardPolicy, 27 | ProcessSignaturePolicy, 28 | ProcessFontDisablePolicy, 29 | ProcessImageLoadPolicy, 30 | MaxProcessMitigationPolicy 31 | } PROCESS_MITIGATION_POLICY, *PPROCESS_MITIGATION_POLICY; 32 | 33 | typedef struct _PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY { 34 | union { 35 | DWORD Flags; 36 | struct { 37 | DWORD MicrosoftSignedOnly : 1; 38 | DWORD StoreSignedOnly : 1; 39 | DWORD MitigationOptIn : 1; 40 | DWORD ReservedFlags : 29; 41 | } DUMMYSTRUCTNAME; 42 | } DUMMYUNIONNAME; 43 | } PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY, *PPROCESS_MITIGATION_BINARY_SIGNATURE_POLICY; 44 | ``` 45 | -------------------------------------------------------------------------------- /injector/injector/injector.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | Header Files 29 | 30 | 31 | 32 | 33 | Source Files 34 | 35 | 36 | Source Files 37 | 38 | 39 | Source Files 40 | 41 | 42 | -------------------------------------------------------------------------------- /GetSignatureMitigation/GetSignatureMitigation/GetSignatureMitigation.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | Header Files 29 | 30 | 31 | Header Files 32 | 33 | 34 | 35 | 36 | Source Files 37 | 38 | 39 | Source Files 40 | 41 | 42 | Source Files 43 | 44 | 45 | Source Files 46 | 47 | 48 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # BinaryInjectionMitigation 2 | Two tools used during our analysis of the Microsoft binary injection mitigation implemented in Edge TH2. 3 | More information on this blog post: http://www.sekoia.fr/blog/microsoft-edge-binary-injection-mitigation-overview/ 4 | 5 | ## Tool 1: GetSignatureMitigation 6 | The purpose of this tool is to list the signature mitigation flags in a running process. 7 | To compile this binary, please download and install the latest Windows SDK version (in my case Version 1511 - updated on November 30th, 2015). 8 | 9 | Example of usage on the PID 3704 (MicrosoftEdgeCP.exe in my case): 10 | 11 | ``` 12 | C:\>GetSignatureMitigation.exe 3704 13 | Get SeDebugPrivilege: OK 14 | Open process 3704: OK 15 | 16 | Signature Microsoft Signed Only: 0 17 | Signature Store Signed Only: 1 18 | Signature Mitigation Opt-In: 1 19 | ``` 20 | 21 | The code used the following undocumented structure: 22 | 23 | ``` 24 | typedef enum _PROCESS_MITIGATION_POLICY { 25 | ProcessDEPPolicy, 26 | ProcessASLRPolicy, 27 | ProcessDynamicCodePolicy, 28 | ProcessStrictHandleCheckPolicy, 29 | ProcessSystemCallDisablePolicy, 30 | ProcessMitigationOptionsMask, 31 | ProcessExtensionPointDisablePolicy, 32 | ProcessControlFlowGuardPolicy, 33 | ProcessSignaturePolicy, 34 | ProcessFontDisablePolicy, 35 | ProcessImageLoadPolicy, 36 | MaxProcessMitigationPolicy 37 | } PROCESS_MITIGATION_POLICY, *PPROCESS_MITIGATION_POLICY; 38 | 39 | typedef struct _PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY { 40 | union { 41 | DWORD Flags; 42 | struct { 43 | DWORD MicrosoftSignedOnly : 1; 44 | DWORD StoreSignedOnly : 1; 45 | DWORD MitigationOptIn : 1; 46 | DWORD ReservedFlags : 29; 47 | } DUMMYSTRUCTNAME; 48 | } DUMMYUNIONNAME; 49 | } PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY, *PPROCESS_MITIGATION_BINARY_SIGNATURE_POLICY; 50 | ``` 51 | 52 | ## Tool 2: injector 53 | The purpose of this tool is to inject code in a running process. We created it to test the signature loading mitigation of Edge TH2. 54 | Here is the syntax: 55 | 56 | ``` 57 | C:\>injector.exe 58 | Usage of the injector. 59 | 60 | injector.exe /d dll_file PID 61 | injector.exe /s shellcode_file PID 62 | /d dll_file PID: dll injection via LoadLibrary(). 63 | /s shellcode_file PID: shellcode injection. 64 | ``` 65 | 66 | The /d option uses the LoadLibrary() function in order to load a DLL. 67 | the /s option push the shellcode in memory and execute it directly. 68 | 69 | P. 70 | -------------------------------------------------------------------------------- /injector/injector/injector.cpp: -------------------------------------------------------------------------------- 1 | // injector.cpp : Defines the entry point for the console application. 2 | // 3 | 4 | #include "stdafx.h" 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include "Shlwapi.h" 11 | #include "SetPriv.h" 12 | #pragma comment(lib, "Shlwapi.lib") 13 | using namespace std; 14 | 15 | void usage(_TCHAR* binary) { 16 | wcerr << "Usage of the injector. " << endl; 17 | wcerr << endl; 18 | wcerr << binary << " /d dll_file PID" << endl; 19 | wcerr << binary << " /s shellcode_file PID" << endl; 20 | wcerr << " /d dll_file PID: dll injection via LoadLibrary()." << endl; 21 | wcerr << " /s shellcode_file PID: shellcode injection." << endl; 22 | exit(1); 23 | } 24 | 25 | int _tmain(int argc, _TCHAR* argv[]) 26 | { 27 | int option = 0; 28 | DWORD PID; 29 | SetPriv SeDebug; 30 | 31 | if (argc != 4) 32 | usage(argv[0]); 33 | 34 | if (!wcscmp(argv[1], _T("/d"))) 35 | option = 1; 36 | else if (!wcscmp(argv[1], _T("/s"))) 37 | option = 2; 38 | else 39 | usage(argv[0]); 40 | 41 | if (!PathFileExists(argv[2])) 42 | usage(argv[0]); 43 | 44 | PID = _ttoi(argv[3]); 45 | 46 | //Set SeDebugPriviliege 47 | cout << "Set SeDebugPrivilege: "; 48 | if (!SeDebug.CheckPriv()) 49 | { 50 | wcout << "KO: cannot obtain the adjust|query privilege." << endl; 51 | exit(1); 52 | } 53 | if (!SeDebug.Set(SE_DEBUG_NAME, TRUE)) 54 | { 55 | wcout << "KO: cannot obtain the SeDebug privilege." << endl; 56 | exit(1); 57 | } 58 | cout << "OK" << endl; 59 | 60 | if (option == 1) { 61 | //DLL injection 62 | HANDLE hProcess; 63 | HMODULE hKernel32; 64 | HANDLE hLoadLibrary; 65 | LPVOID hAllocatedMem; 66 | HANDLE hThread; 67 | char dllpath[1024]; 68 | size_t i; 69 | 70 | wcstombs_s(&i, dllpath, 1024, argv[2], 1024); 71 | 72 | hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID); 73 | if (hProcess == NULL) 74 | { 75 | wcerr << "Cannot open process: " << PID << " error: " << GetLastError() << endl; 76 | exit(1); 77 | } 78 | wcout << "Open process " << PID << ": OK" << endl; 79 | 80 | hKernel32 = GetModuleHandle(L"Kernel32"); 81 | if (hKernel32 == NULL) 82 | { 83 | wcerr << "Cannot get module handle on Kernel32, error: " << GetLastError() << endl; 84 | exit(1); 85 | } 86 | wcout << "Kernel 32 handle: OK" << endl; 87 | 88 | hLoadLibrary = GetProcAddress(hKernel32, "LoadLibraryA"); 89 | if (hLoadLibrary == NULL) 90 | { 91 | wcerr << "Cannot get LoadLibraryA() handle, error: " << GetLastError() << endl; 92 | exit(1); 93 | } 94 | wcout << "LoadLibrary() handle: OK" << endl; 95 | 96 | hAllocatedMem = VirtualAllocEx(hProcess, NULL, sizeof(dllpath) + 1, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 97 | if (hAllocatedMem == NULL) 98 | { 99 | wcerr << "Cannot allocate memory in " << PID << ", error: " << GetLastError() << endl; 100 | exit(1); 101 | } 102 | wcout << "Memory allocation: OK" << endl; 103 | 104 | if (!WriteProcessMemory(hProcess, hAllocatedMem, dllpath, sizeof(dllpath) + 1, NULL)) 105 | { 106 | wcerr << "Cannot write in the process memory, error: " << GetLastError() << endl; 107 | exit(1); 108 | } 109 | wcout << "Data copied in memory: OK" << endl; 110 | 111 | hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)hLoadLibrary, hAllocatedMem, NULL, 0); 112 | if (hThread == NULL) 113 | { 114 | wcerr << "Thread creation failed, error: " << GetLastError() << endl; 115 | exit(1); 116 | } 117 | wcout << "Injection: OK" << endl; 118 | 119 | return(0); 120 | 121 | } 122 | else if (option == 2) { 123 | //Shellcode injection 124 | HANDLE hProcess; 125 | LPVOID hAllocatedMem; 126 | HANDLE hThread; 127 | ifstream file; 128 | string line; 129 | char *sc; 130 | 131 | file.open(argv[2], ios::binary); 132 | if (!file.is_open()) 133 | { 134 | wcerr << "Cannot open the file " << argv[2] << endl; 135 | exit(1); 136 | } 137 | getline(file, line); 138 | file.close(); 139 | sc = new char[line.size()+1]; 140 | sc = (char*)line.c_str(); 141 | 142 | hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID); 143 | if (hProcess == NULL) 144 | { 145 | wcerr << "Cannot open process: " << PID << " error: " << GetLastError() << endl; 146 | exit(1); 147 | } 148 | wcout << "Open process " << PID << ": OK" << endl; 149 | 150 | hAllocatedMem = VirtualAllocEx(hProcess, NULL, sizeof(sc), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 151 | if (hAllocatedMem == NULL) 152 | { 153 | wcerr << "Cannot allocate memory in " << PID << ", error: " << GetLastError() << endl; 154 | exit(1); 155 | } 156 | wcout << "Memory allocation: OK" << endl; 157 | 158 | if (!WriteProcessMemory(hProcess, hAllocatedMem, sc, sizeof(sc) + 1, NULL)) 159 | { 160 | wcerr << "Cannot write the shellcode in the process memory, error: " << GetLastError() << endl; 161 | exit(1); 162 | } 163 | wcout << "Shellcode copied in memory: OK" << endl; 164 | 165 | hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)hAllocatedMem, NULL, NULL, 0); 166 | if (hThread == NULL) 167 | { 168 | wcerr << "Thread creation failed, error: " << GetLastError() << endl; 169 | exit(1); 170 | } 171 | wcout << "Injection: OK" << endl; 172 | } 173 | 174 | return 0; 175 | } -------------------------------------------------------------------------------- /injector/injector/injector.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {89A1FC6A-76F4-422F-9DEB-3B2069C69BF4} 23 | Win32Proj 24 | injector 25 | 8.1 26 | 27 | 28 | 29 | Application 30 | true 31 | v140 32 | Unicode 33 | 34 | 35 | Application 36 | false 37 | v140 38 | true 39 | Unicode 40 | 41 | 42 | Application 43 | true 44 | v140 45 | Unicode 46 | 47 | 48 | Application 49 | false 50 | v140 51 | true 52 | Unicode 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | true 74 | 75 | 76 | true 77 | 78 | 79 | false 80 | 81 | 82 | false 83 | 84 | 85 | 86 | Use 87 | Level3 88 | Disabled 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Use 100 | Level3 101 | Disabled 102 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 103 | true 104 | 105 | 106 | Console 107 | true 108 | 109 | 110 | 111 | 112 | Level3 113 | Use 114 | MaxSpeed 115 | true 116 | true 117 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | true 124 | true 125 | 126 | 127 | 128 | 129 | Level3 130 | Use 131 | MaxSpeed 132 | true 133 | true 134 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 135 | true 136 | 137 | 138 | Console 139 | true 140 | true 141 | true 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | Create 157 | Create 158 | Create 159 | Create 160 | 161 | 162 | 163 | 164 | 165 | -------------------------------------------------------------------------------- /GetSignatureMitigation/GetSignatureMitigation/GetSignatureMitigation.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {EBE454EA-2522-46B6-B105-0906A4F28114} 23 | Win32Proj 24 | GetSignatureMitigation 25 | 10.0.10586.0 26 | 27 | 28 | 29 | Application 30 | true 31 | v140 32 | Unicode 33 | 34 | 35 | Application 36 | false 37 | v140 38 | true 39 | Unicode 40 | 41 | 42 | Application 43 | true 44 | v140 45 | Unicode 46 | 47 | 48 | Application 49 | false 50 | v140 51 | true 52 | Unicode 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | true 74 | 75 | 76 | true 77 | 78 | 79 | false 80 | 81 | 82 | false 83 | 84 | 85 | 86 | Use 87 | Level3 88 | Disabled 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Use 100 | Level3 101 | Disabled 102 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 103 | true 104 | 105 | 106 | Console 107 | true 108 | 109 | 110 | 111 | 112 | Level3 113 | Use 114 | MaxSpeed 115 | true 116 | true 117 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | true 124 | true 125 | 126 | 127 | 128 | 129 | Level3 130 | Use 131 | MaxSpeed 132 | true 133 | true 134 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 135 | true 136 | 137 | 138 | Console 139 | true 140 | true 141 | true 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | Create 159 | Create 160 | Create 161 | Create 162 | 163 | 164 | 165 | 166 | 167 | --------------------------------------------------------------------------------