├── README.MD ├── proxy_calls ├── README.md └── TpSimpleTryPost.cpp └── LICENSE.md /README.MD: -------------------------------------------------------------------------------- 1 | # misc 2 | 3 | This repo contains the PoC codes I wrote for some topics. 4 | -------------------------------------------------------------------------------- /proxy_calls/README.md: -------------------------------------------------------------------------------- 1 | Custom Call Stack for LoadLibrary with TrySubmitThreadpoolCallback/TpSimpleTryPost. It can also be extended for system calls, [more 2 | info](https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/). 3 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2023 Halil Dalabasmaz 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | 23 | -------------------------------------------------------------------------------- /proxy_calls/TpSimpleTryPost.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | #define ALLOC_ON_CODE _Pragma("section(\".text\")") __declspec(allocate(".text")) 6 | 7 | 8 | ALLOC_ON_CODE unsigned char CallbackStub[] = { 9 | 10 | 0x48, 0x89, 0xd3, // mov rbx, rdx 11 | 0x48, 0x8b, 0x03, // mov rax, QWORD PTR[rbx] 12 | 0x48, 0x8b, 0x4b, 0x08, // mov rcx, QWORD PTR[rbx + 0x8] 13 | 0xff, 0xe0 // jmp rax 14 | 15 | }; 16 | 17 | 18 | typedef struct _LOADLIBRARY_ARGS { 19 | UINT_PTR pLoadLibraryA; 20 | LPCSTR lpLibFileName; 21 | } LOADLIBRARY_ARGS, *PLOADLIBRARY_ARGS; 22 | 23 | 24 | int main() { 25 | 26 | LOADLIBRARY_ARGS loadLibraryArgs = { 0 }; 27 | loadLibraryArgs.pLoadLibraryA = (UINT_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA"); 28 | loadLibraryArgs.lpLibFileName = "user32.dll"; 29 | 30 | // NOTE: The TrySubmitThreadpoolCallback API is located in kernel32.dll and is directed to TpSimpleTryPost in ntdll.dll. 31 | // TrySubmitThreadpoolCallback((PTP_SIMPLE_CALLBACK)(unsigned char*)CallbackStub, &loadLibraryArgs, 0) 32 | 33 | typedef NTSTATUS(NTAPI* TPSIMPLETRYPOST)(_In_ PTP_SIMPLE_CALLBACK Callback, _Inout_opt_ PVOID Context, _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron); 34 | FARPROC pTpSimpleTryPost = GetProcAddress(GetModuleHandleA("ntdll.dll"), "TpSimpleTryPost"); 35 | 36 | ((TPSIMPLETRYPOST)pTpSimpleTryPost)((PTP_SIMPLE_CALLBACK)(unsigned char*)CallbackStub, &loadLibraryArgs, 0); 37 | 38 | WaitForSingleObject(GetCurrentProcess(), 1000); 39 | 40 | printf("user32.dll Address: %p\n", GetModuleHandleA("user32.dll")); 41 | 42 | return 0; 43 | 44 | } --------------------------------------------------------------------------------