├── .gitattributes
├── LICENSE
├── NtCreateUserProcess-Native
├── NtCreateUserProcess-Native.sln
└── NtCreateUserProcess-Native
│ ├── NtCreateUserProcess-Native.vcxproj
│ ├── NtCreateUserProcess-Native.vcxproj.filters
│ ├── NtCreateUserProcess-Native.vcxproj.user
│ ├── csrss.cpp
│ ├── csrss.hpp
│ ├── main.cpp
│ ├── misc.cpp
│ ├── misc.hpp
│ ├── ntapi.hpp
│ ├── syscalls.cpp
│ ├── syscalls.hpp
│ ├── syscalls0.asm
│ ├── syscalls1.asm
│ └── syscalls2.asm
├── NtCreateUserProcess-Post.sln
├── NtCreateUserProcess-Post
├── NtCreateUserProcess-Post.vcxproj
├── NtCreateUserProcess-Post.vcxproj.filters
├── NtCreateUserProcess-Post.vcxproj.user
├── csrss.cpp
├── csrss.hpp
├── main.cpp
├── ntapi.hpp
├── output.cpp
├── output.hpp
├── syscalls.asm
├── syscalls.cpp
└── syscalls.hpp
└── README.md
/.gitattributes:
--------------------------------------------------------------------------------
1 | *.asm linguist-language=cpp
2 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2022 je5442804
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/NtCreateUserProcess-Native/NtCreateUserProcess-Native.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.5.33516.290
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NtCreateUserProcess-Native", "NtCreateUserProcess-Native\NtCreateUserProcess-Native.vcxproj", "{AF7CAC28-3678-43B9-AC92-490C73E1E845}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {AF7CAC28-3678-43B9-AC92-490C73E1E845}.Debug|x64.ActiveCfg = Debug|x64
17 | {AF7CAC28-3678-43B9-AC92-490C73E1E845}.Debug|x64.Build.0 = Debug|x64
18 | {AF7CAC28-3678-43B9-AC92-490C73E1E845}.Debug|x86.ActiveCfg = Debug|Win32
19 | {AF7CAC28-3678-43B9-AC92-490C73E1E845}.Debug|x86.Build.0 = Debug|Win32
20 | {AF7CAC28-3678-43B9-AC92-490C73E1E845}.Release|x64.ActiveCfg = Release|x64
21 | {AF7CAC28-3678-43B9-AC92-490C73E1E845}.Release|x64.Build.0 = Release|x64
22 | {AF7CAC28-3678-43B9-AC92-490C73E1E845}.Release|x86.ActiveCfg = Release|Win32
23 | {AF7CAC28-3678-43B9-AC92-490C73E1E845}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {2D352AB4-4D20-47B4-AC0E-0F4D151291AD}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/NtCreateUserProcess-Native/NtCreateUserProcess-Native/NtCreateUserProcess-Native.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {af7cac28-3678-43b9-ac92-490c73e1e845}
25 | NtCreateUserProcessNative
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v143
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v143
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v143
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v143
52 | false
53 | Unicode
54 | SpectreLoadCF
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | false
76 | false
77 |
78 |
79 |
80 | Level3
81 | true
82 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
83 | true
84 |
85 |
86 | Console
87 | true
88 |
89 |
90 |
91 |
92 | Level3
93 | true
94 | true
95 | true
96 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
97 | true
98 |
99 |
100 | Console
101 | true
102 | true
103 | true
104 |
105 |
106 |
107 |
108 | Level3
109 | true
110 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
111 | true
112 |
113 |
114 | Console
115 | true
116 |
117 |
118 |
119 |
120 | Level3
121 | true
122 | true
123 | true
124 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
125 | true
126 | true
127 | None
128 | MinSpace
129 | true
130 | false
131 | Size
132 | Guard
133 | true
134 | stdcpplatest
135 | stdc17
136 | MultiThreadedDLL
137 | StreamingSIMDExtensions2
138 | true
139 | true
140 | true
141 | true
142 | None
143 |
144 |
145 | Console
146 | true
147 | true
148 | false
149 | true
150 | true
151 | %(DelayLoadDLLs)
152 | true
153 |
154 |
155 |
156 |
157 | /EMITPOGOPHASEINFO %(AdditionalOptions)
158 |
159 |
160 |
161 | false
162 |
163 |
164 | false
165 |
166 |
167 |
168 |
169 |
170 |
171 |
172 |
173 |
174 |
175 | Document
176 | ml64 /c %(fileName).asm
177 | %(fileName).obj
178 | true
179 |
180 |
181 |
182 |
183 |
184 |
185 |
186 |
187 |
188 |
189 | true
190 |
191 |
192 | Document
193 | ml64 /c %(fileName).asm
194 | %(fileName).obj
195 |
196 |
197 |
198 |
199 |
200 |
--------------------------------------------------------------------------------
/NtCreateUserProcess-Native/NtCreateUserProcess-Native/NtCreateUserProcess-Native.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 源文件
20 |
21 |
22 | 源文件
23 |
24 |
25 | 源文件
26 |
27 |
28 | 源文件
29 |
30 |
31 |
32 |
33 | 头文件
34 |
35 |
36 | 头文件
37 |
38 |
39 | 头文件
40 |
41 |
42 | 头文件
43 |
44 |
45 |
46 |
47 | 源文件
48 |
49 |
50 | 源文件
51 |
52 |
53 |
54 |
55 | 源文件
56 |
57 |
58 |
--------------------------------------------------------------------------------
/NtCreateUserProcess-Native/NtCreateUserProcess-Native/NtCreateUserProcess-Native.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/NtCreateUserProcess-Native/NtCreateUserProcess-Native/csrss.cpp:
--------------------------------------------------------------------------------
1 | #include "csrss.hpp"
2 | #include "ntapi.hpp"
3 | #include
4 |
// CsrPortHandle and CsrPortMemoryRemoteDelta are assumed to be initialised before anything in this file runs;
// re-establishing them ourselves via CsrpConnectToServer is deliberately not done here.
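// Send an already-built CSR_API_MSG to csrss over the ALPC port and wait for the reply
// (the client half of ntdll!CsrClientCallServer, without ntdll's bookkeeping).
//
// ApiMessage    - caller-owned message. The PORT_MESSAGE header, ApiNumber and CaptureBuffer
//                 fields are filled in here; ApiMessage->u must already hold DataLength bytes of
//                 API-specific payload.
// CaptureBuffer - optional capture buffer inside the CsrPortHeap view, or NULL when the message
//                 carries no out-of-line data. Every pointer recorded in MessagePointerOffsets is
//                 rebased by CsrPortMemoryRemoteDelta into the server's view before the send and
//                 rebased back afterwards, so the caller's structures are left as it built them.
// ApiNumber     - CSR_MAKE_API_NUMBER(...) value. Bit 0x10000000 is a client-side flag: it is
//                 stripped from what goes on the wire, and a call carrying it is refused unless
//                 this process is a protected process light.
// DataLength    - size in bytes of the API-specific payload (the ApiMessage->u part only).
//
// Returns ApiMessage->ReturnValue, i.e. the server's status, or the ALPC status when the
// transport call itself failed; STATUS_ACCESS_DENIED if the PEB protection checks refuse the
// call; STATUS_INVALID_PARAMETER if DataLength does not fit the USHORT length fields of
// PORT_MESSAGE.
//
// Security note: no validation of the message contents is done on this side ("unsafe but
// faster" in the original); csrss is the trusted party and rejects malformed input. The writes
// through the addresses stored in MessagePointerOffsets are unchecked, so a capture buffer that
// was not built by CsrAllocateMessagePointer corrupts the caller's own memory.
//
// Fixes vs. the original: CaptureBuffer may be NULL (it was dereferenced unconditionally, and
// CallCsrss can pass NULL when capture fails); after the call ApiMessage->CaptureBuffer is
// restored to the client-side address (the original subtracted the delta from the local pointer,
// producing an address below the buffer); the && / || grouping of the protection check is
// written out explicitly.
NTSTATUS CsrClientCallServer(PCSR_API_MSG ApiMessage, PCSR_CAPTURE_BUFFER CaptureBuffer, ULONG ApiNumber, ULONG DataLength)
{
    // PORT_MESSAGE carries USHORT lengths; refuse a payload that would be silently truncated.
    if (DataLength > 0xFFFFu - sizeof(CSR_API_MSG)) {
        ApiMessage->ReturnValue = STATUS_INVALID_PARAMETER;
        return STATUS_INVALID_PARAMETER;
    }

    ApiMessage->ApiNumber = ApiNumber & ~0x10000000;
    ApiMessage->h.u2.ZeroInit = 0;
    // DataLength covers everything after the PORT_MESSAGE header; TotalLength adds the header.
    ApiMessage->h.u1.s1.DataLength = (USHORT)DataLength + FIELD_OFFSET(CSR_API_MSG, u) - sizeof(ApiMessage->h);
    ApiMessage->h.u1.s1.TotalLength = (USHORT)DataLength + sizeof(CSR_API_MSG) - sizeof(ApiMessage->u);

    if (CaptureBuffer != NULL) {
        // The server addresses the capture buffer through its own mapping of the port heap.
        ApiMessage->CaptureBuffer = (PCSR_CAPTURE_BUFFER)((ULONG_PTR)CaptureBuffer + CsrPortMemoryRemoteDelta);
        CaptureBuffer->FreeSpace = 0; // no further allocations from this buffer
    }
    else {
        ApiMessage->CaptureBuffer = NULL;
    }

    // A protected process may not call the console server, and a 0x10000000-flagged API may
    // only be called from a protected process light. (Same grouping the original relied on
    // implicitly through operator precedence.)
    if ((NtCurrentPeb()->IsProtectedProcess && CSR_APINUMBER_TO_SERVERDLLINDEX(ApiNumber) == CONSRV_SERVERDLL_INDEX) ||
        ((ApiNumber & 0x10000000) && !NtCurrentPeb()->IsProtectedProcessLight))
    {
        ApiMessage->ReturnValue = STATUS_ACCESS_DENIED;
        return STATUS_ACCESS_DENIED;
    }

    if (CaptureBuffer != NULL) {
        // Each slot holds the address of a pointer field inside ApiMessage whose value points
        // into the capture buffer. Rebase the pointee into the server's view and replace the
        // slot by an offset from the message start, which is what the server expects.
        ULONG CountPointers = CaptureBuffer->CountMessagePointers;
        PULONG_PTR PointerOffsets = CaptureBuffer->MessagePointerOffsets;
        while (CountPointers--) {
            ULONG_PTR Pointer = *PointerOffsets++;
            if (Pointer != 0) {
                *(PULONG_PTR)Pointer += CsrPortMemoryRemoteDelta;
                PointerOffsets[-1] = Pointer - (ULONG_PTR)ApiMessage;
            }
        }
    }

    // 952 (0x3B8) is the reply buffer size the original author took from CsrClientCallServer on
    // Windows 10 2004 and reports working on 7/2008/2012 as well.
    // NOTE(review): the storage behind ApiMessage (a BASE_API_MSG in this project) must be at
    // least this large or a long reply overruns it — confirm sizeof(BASE_API_MSG) >= 952.
    SIZE_T CsrBufferMaxLength = 952;
    NTSTATUS Status = NtAlpcSendWaitReceivePort(
        CsrPortHandle,
        ALPC_MSGFLG_SYNC_REQUEST,
        (PPORT_MESSAGE)ApiMessage,
        0,
        (PPORT_MESSAGE)ApiMessage,
        &CsrBufferMaxLength, // [Optional] in/out: receive buffer size
        0,
        0
    );

    if (CaptureBuffer != NULL) {
        // The reply carries the server-side address; restore the client-side one.
        ApiMessage->CaptureBuffer = CaptureBuffer;

        // Undo the rebasing: offsets back into addresses, pointees back into the client's view.
        // CountMessagePointers is re-read from the shared capture buffer after the round trip;
        // csrss is trusted not to have altered it.
        PULONG_PTR PointerOffsets = CaptureBuffer->MessagePointerOffsets;
        ULONG CountPointers = CaptureBuffer->CountMessagePointers;
        while (CountPointers--) {
            ULONG_PTR Pointer = *PointerOffsets++;
            if (Pointer != 0) {
                Pointer += (ULONG_PTR)ApiMessage;
                PointerOffsets[-1] = Pointer;
                *(PULONG_PTR)Pointer -= CsrPortMemoryRemoteDelta;
            }
        }
    }

    // A transport failure overrides whatever ReturnValue the (unreceived) reply would carry.
    if (!NT_SUCCESS(Status))
        ApiMessage->ReturnValue = Status;
    return ApiMessage->ReturnValue;
}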
66 |
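// Copy `size` bytes from src to dest. Buffers must not overlap (memcpy, not memmove,
// semantics); a NULL dest/src with a positive size is a caller error and faults as before.
//
// Fixes vs. the original: a non-positive `size` is a no-op. The original mixed the signed
// `int size` with `sizeof(ULONG)`, so a negative size became a huge unsigned value and the
// remainder loop still wrote up to three bytes. The hand-rolled 4-byte word loop is dropped as
// well: it type-punned through possibly unaligned ULONG* (undefined behaviour in C++, tolerated
// by x86/x64) for no measurable gain on the short string buffers this is used for — the
// compiler vectorises the plain byte loop itself. The result (the bytes written) is identical.
void Fastmemcpy(void* dest, void* src, int size)
{
    if (size <= 0)
        return;

    unsigned char* out = (unsigned char*)dest;
    const unsigned char* in = (const unsigned char*)src;
    size_t remaining = (size_t)size;

    while (remaining--)
        *out++ = *in++;
}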
88 |
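// Reserve Length bytes (rounded up to a multiple of 4) from CaptureBuffer for an out-of-line
// field, store the reservation in *Pointer, and record the address of the *Pointer slot in
// MessagePointerOffsets so CsrClientCallServer can rebase it for the server.
//
// Returns the rounded length actually reserved, or 0 when nothing was reserved.
//
// Semantics kept from ntdll's CsrAllocateMessagePointer: a zero Length sets *Pointer to NULL
// and records a NULL slot (the rebasing loops skip NULL entries); a Length >= MAXLONG is refused.
//
// Added checks: the offsets table of this project's CSR_CAPTURE_BUFFER is a fixed-size array,
// and the reservation must stay inside CaptureBuffer->Length (the total size recorded when the
// buffer was set up). Either overrun would land in the CsrPortHeap view that csrss also maps,
// so both are refused (*Pointer = NULL, return 0) instead of being written through. On every
// failure path *Pointer is NULL; the original left the stale FreeSpace value in it.
ULONG CsrAllocateMessagePointer(PCSR_CAPTURE_BUFFER CaptureBuffer, ULONG Length, PVOID* Pointer)
{
    const ULONG SlotCapacity = (ULONG)(sizeof(CaptureBuffer->MessagePointerOffsets) / sizeof(CaptureBuffer->MessagePointerOffsets[0]));
    if (CaptureBuffer->CountMessagePointers >= SlotCapacity) {
        *Pointer = NULL;
        return 0;
    }

    if (Length == 0) {
        *Pointer = NULL;
        Pointer = NULL; // recorded as a NULL slot: nothing to rebase for this field
    }
    else {
        if (Length >= MAXLONG) {
            *Pointer = NULL;
            return 0;
        }
        Length = (Length + 3) & ~3;

        // FreeSpace is NULL once CsrClientCallServer has closed the buffer for allocation.
        PCHAR End = (PCHAR)CaptureBuffer + CaptureBuffer->Length;
        if (CaptureBuffer->FreeSpace == NULL || CaptureBuffer->FreeSpace > End ||
            (SIZE_T)(End - CaptureBuffer->FreeSpace) < Length) {
            *Pointer = NULL;
            return 0;
        }
        *Pointer = CaptureBuffer->FreeSpace;
        CaptureBuffer->FreeSpace += Length;
    }
    CaptureBuffer->MessagePointerOffsets[CaptureBuffer->CountMessagePointers++] = (ULONG_PTR)Pointer;
    return Length;
}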
106 |
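// Copy a string's backing storage into CaptureBuffer and point CapturedString at the copy.
// Length and MaximumLength are byte counts, as in UNICODE_STRING; all MaximumLength bytes are
// copied (not just Length) so any terminator the source carried comes along.
//
// Fix vs. the original: when CsrAllocateMessagePointer refuses a non-zero request (returns 0),
// nothing is copied and CapturedString is left empty (Length 0, MaximumLength 0, Buffer NULL).
// The original still wrote MaximumLength bytes through whatever Buffer held, i.e. past the
// capture buffer into the shared CsrPortHeap view. The stored MaximumLength is also clamped
// to USHORT range: a 65533..65535-byte request rounds up to 65536, which the original
// truncated to 0.
void CsrCaptureMessageString(PCSR_CAPTURE_BUFFER CaptureBuffer, PWSTR String, ULONG Length, ULONG MaximumLength, PUNICODE_STRING CapturedString)
{
    ULONG Allocated = CsrAllocateMessagePointer(CaptureBuffer, MaximumLength, (PVOID*)&CapturedString->Buffer);

    if (MaximumLength != 0 && (Allocated == 0 || CapturedString->Buffer == NULL)) {
        CapturedString->Length = 0;
        CapturedString->MaximumLength = 0;
        CapturedString->Buffer = NULL;
        return;
    }

    CapturedString->Length = (USHORT)Length;
    CapturedString->MaximumLength = (USHORT)(Allocated > 0xFFFFu ? 0xFFFFu : Allocated);
    if (MaximumLength != 0)
        Fastmemcpy(CapturedString->Buffer, String, MaximumLength);
}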
113 |
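// Capture UNICODE_STRINGs "in place": each string's buffer is copied into the capture buffer and
// the UNICODE_STRING itself is rewritten to point at the copy, so the enclosing message can be
// handed to csrss as-is.
//
// InOutCaptureBuffer       - on entry NULL (a buffer is set up here) or an existing buffer;
//                            on success points at the buffer used.
// NumberOfStringsToCapture - entries in StringsToCapture; NULL entries are skipped. Must not
//                            exceed the slots in CSR_CAPTURE_BUFFER::MessagePointerOffsets.
// StringsToCapture         - strings to capture; each non-NULL entry is rewritten.
//
// Buffer placement ("FakeAlloc"): there is no heap allocation. The buffer is placed at a fixed
// offset into the CsrPortHeap view — the offset of ReadOnlyStaticServerData within the read-only
// shared section — which the original author found csrss accepts (the buffer must lie in the
// client view). This is not thread-safe and nothing checks that Length fits inside the mapped
// view; TODO confirm against the view size before relying on it for larger messages.
//
// Returns STATUS_INVALID_PARAMETER for bad arguments or an oversize total, STATUS_NO_MEMORY if
// no buffer address could be produced, otherwise STATUS_SUCCESS.
//
// Fix vs. the original: the capture loop stopped at the first NULL entry while the sizing pass
// skipped NULLs and kept counting; both now skip, so every string that was sized is captured.
NTSTATUS CsrCaptureMessageMultiUnicodeStringsInPlace(PCSR_CAPTURE_BUFFER* InOutCaptureBuffer, ULONG NumberOfStringsToCapture, const PUNICODE_STRING* StringsToCapture)
{
    const ULONG SlotCapacity = (ULONG)(sizeof(CSR_CAPTURE_BUFFER::MessagePointerOffsets) / sizeof(ULONG_PTR));
    if (!InOutCaptureBuffer || !StringsToCapture || !NumberOfStringsToCapture || NumberOfStringsToCapture > SlotCapacity)
        return STATUS_INVALID_PARAMETER;

    PCSR_CAPTURE_BUFFER CaptureBuffer = *InOutCaptureBuffer;
    if (CaptureBuffer == NULL)
    {
        // Total size: every non-NULL string's MaximumLength, plus header and one offset slot per
        // string, plus 3 bytes of rounding slack per string and for the header, rounded to 4 —
        // the same arithmetic as CsrAllocateCaptureBuffer.
        ULONG Length = 0;
        for (ULONG i = 0; i < NumberOfStringsToCapture; ++i) {
            if (StringsToCapture[i] != NULL)
                Length += StringsToCapture[i]->MaximumLength;
        }
        Length += FIELD_OFFSET(CSR_CAPTURE_BUFFER, MessagePointerOffsets) + (NumberOfStringsToCapture * sizeof(PVOID));
        Length = (Length + (3 * (NumberOfStringsToCapture + 1))) & ~3;
        if (Length >= MAXLONG)
            return STATUS_INVALID_PARAMETER;

        CaptureBuffer = (PCSR_CAPTURE_BUFFER)((ULONG_PTR)CsrPortHeap + ((ULONG_PTR)NtCurrentPeb()->ReadOnlyStaticServerData - (ULONG_PTR)NtCurrentPeb()->ReadOnlySharedMemoryBase));
        if (!CaptureBuffer)
            return STATUS_NO_MEMORY;

        wprintf(L"[+] CaptureBuffer FakeAlloc = 0x%p\n", CaptureBuffer);

        CaptureBuffer->Length = Length;
        CaptureBuffer->CountMessagePointers = 0;
        // String data is carved from the space after the offset slots.
        CaptureBuffer->FreeSpace = (char*)CaptureBuffer->MessagePointerOffsets + NumberOfStringsToCapture * sizeof(ULONG_PTR);
        *InOutCaptureBuffer = CaptureBuffer;
    }

    for (ULONG i = 0; i < NumberOfStringsToCapture; ++i) {
        PUNICODE_STRING Str = StringsToCapture[i];
        if (Str == NULL)
            continue;

        CsrCaptureMessageString(CaptureBuffer, Str->Buffer, Str->Length, Str->MaximumLength, Str);

        // NUL-terminate the copy when the captured storage has room for it.
        if (Str->Buffer != NULL && Str->MaximumLength > Str->Length && (Str->MaximumLength - Str->Length) >= sizeof(WCHAR))
            Str->Buffer[Str->Length / sizeof(WCHAR)] = 0;
    }
    return STATUS_SUCCESS;
}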
160 |
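// Register a process created with NtCreateUserProcess with csrss/basesrv, mirroring the
// BasepCreateProcess step kernel32's CreateProcess performs after the kernel call. The message
// variant (union member, API number, DataLength) is selected by OSBuildNumber; the capture
// buffer carries the two image paths, the culture fallback list and an assembly name.
//
// hProcess, hThread           - handles of the new process and thread, passed to the server.
// CreateInfo                  - PS_CREATE_INFO returned by NtCreateUserProcess; only SuccessState
//                               (file handle, manifest, PEB addresses, AddressSpaceOverride) is
//                               used.
// Win32ImagePath, NtImagePath - image path in Win32 and NT form; copied into the capture buffer.
// ClientId                    - process/thread ids of the new process.
// SectionImageInfomation      - image information; Machine selects the ProcessorArchitecture
//                               reported to the server.
//
// Returns the server's status from CsrClientCallServer; STATUS_NOT_SUPPORTED for an unrecognised
// build; STATUS_ACCESS_VIOLATION if the Win32 image path is empty (status kept from the
// original); or the capture status if the strings could not be captured.
//
// Fixes vs. the original: the result of CsrCaptureMessageMultiUnicodeStringsInPlace was only
// printed, and a failed capture went on to pass a NULL capture buffer to CsrClientCallServer;
// the unused `Status` local is gone.
//
// Caveats kept from the original: CultureFallBacks is hard-coded to zh-CN/zh-Hans/zh/en-US/en
// and AssemblyName is a placeholder string of dashes — neither is derived from the target image
// or the user's locale.
NTSTATUS CallCsrss(HANDLE hProcess, HANDLE hThread, PS_CREATE_INFO CreateInfo, UNICODE_STRING Win32ImagePath, UNICODE_STRING NtImagePath, CLIENT_ID ClientId, SECTION_IMAGE_INFORMATION SectionImageInfomation)
{
    PCSR_CAPTURE_BUFFER CaptureBuffer = 0;
    BASE_API_MSG BaseAPIMessage = { 0 };
    PBASE_CREATEPROCESS_MSG BaseCreateProcessMessage = &BaseAPIMessage.u.BaseCreateProcess;
    PUNICODE_STRING CsrStringsToCapture[6] = { 0 }; // four are used: Win32 path, NT path, cultures, assembly name
    CSR_API_NUMBER CSRAPINumber = CSR_MAKE_API_NUMBER(BASESRV_SERVERDLL_INDEX, BasepCreateProcess);
    ULONG DataLength = 0;
    UNICODE_STRING CultureFallBacks = { 0 };
    UNICODE_STRING AssemblyName = { 0 };
    USHORT ImageProcessorArchitecture = 0;
    ULONG RtlUserProcessParametersFlags = RTL_USER_PROC_IMAGE_KEY_MISSING | RTL_USER_PROC_APP_MANIFEST_PRESENT | RTL_USER_PROC_PARAMS_NORMALIZED;

    // Map the image's machine type onto the PROCESSOR_ARCHITECTURE_* value reported to basesrv.
    switch (SectionImageInfomation.Machine)
    {
    case IMAGE_FILE_MACHINE_I386:
        // An x86 image the kernel runs in a 64-bit address space (.NET IL-only, signalled by
        // AddressSpaceOverride) is reported as the native architecture so SxS is aware of it;
        // any other x86 image is reported as WOW64.
        if (CreateInfo.SuccessState.u2.s2.AddressSpaceOverride)
            ImageProcessorArchitecture = SharedUserData->NativeProcessorArchitecture;
        else
            ImageProcessorArchitecture = PROCESSOR_ARCHITECTURE_IA32_ON_WIN64;
        break;
    case IMAGE_FILE_MACHINE_ARMNT:
        ImageProcessorArchitecture = PROCESSOR_ARCHITECTURE_ARM;
        break;
    case IMAGE_FILE_MACHINE_HYBRID_X86:
        ImageProcessorArchitecture = PROCESSOR_ARCHITECTURE_IA32_ON_WIN64;
        break;
    case IMAGE_FILE_MACHINE_AMD64:
        ImageProcessorArchitecture = PROCESSOR_ARCHITECTURE_AMD64;
        break;
    case IMAGE_FILE_MACHINE_ARM64:
        ImageProcessorArchitecture = PROCESSOR_ARCHITECTURE_ARM64;
        break;
    default:
        wprintf(L"[*] Kernel32: No mapping for ImageInformation.Machine == %04x\n", SectionImageInfomation.Machine);
        ImageProcessorArchitecture = PROCESSOR_ARCHITECTURE_UNKNOWN;
        break;
    }

    // Culture fallback list: five NUL-separated names plus the literal's own terminator make
    // 27 WCHARs = 54 bytes, so the double NUL is part of the string. The embedded NULs are why
    // it is printed with WriteConsoleW below instead of %ls.
    CultureFallBacks.Buffer = (PWSTR)L"zh-CN\0zh-Hans\0zh\0en-US\0en\0";
    CultureFallBacks.Length = 54;
    CultureFallBacks.MaximumLength = 54;

    // Placeholder assembly name: Length 118 bytes (59 WCHARs), MaximumLength adds the terminator.
    AssemblyName.Buffer = (PWSTR)L"-----------------------------------------------------------";
    AssemblyName.Length = 118;
    AssemblyName.MaximumLength = 120;

    BaseCreateProcessMessage->ProcessHandle = hProcess;
    BaseCreateProcessMessage->ThreadHandle = hThread;
    BaseCreateProcessMessage->ClientId = ClientId;
    BaseCreateProcessMessage->CreationFlags = 0;
    BaseCreateProcessMessage->VdmBinaryType = 0;

    wprintf(L"[*] OS: %d\n", OSBuildNumber);
    wprintf(L"============================================================================================\n");

    // The BASE_CREATEPROCESS_MSG layout changed across builds; pick the union member, API number
    // and payload size that match the running OS. The Sxs block is filled identically in every
    // variant — only the layout differs.
    if (OSBuildNumber >= 18985)
    {
        wprintf(L"[*] Windows 10 2004+ | Windows 11+ | Windows Server 2022+\n");
        auto& Msg = BaseCreateProcessMessage->u.win2022;
        CustomSecureZeroMemory(&Msg.Sxs, sizeof(Msg.Sxs));
        Msg.Sxs.FileHandle = CreateInfo.SuccessState.FileHandle;
        Msg.Sxs.ManifestAddress = (PVOID)CreateInfo.SuccessState.ManifestAddress;
        Msg.Sxs.ManifestSize = CreateInfo.SuccessState.ManifestSize;
        Msg.Sxs.Flags = BASE_MSG_SXS_ALTERNATIVE_MODE;
        Msg.Sxs.ProcessParameterFlags = RtlUserProcessParametersFlags;
        Msg.PebAddressNative = CreateInfo.SuccessState.PebAddressNative;
        Msg.PebAddressWow64 = CreateInfo.SuccessState.PebAddressWow64;
        Msg.ProcessorArchitecture = ImageProcessorArchitecture;
        Msg.Sxs.Win32ImagePath = Win32ImagePath;
        Msg.Sxs.NtImagePath = NtImagePath;
        Msg.Sxs.CultureFallBacks = CultureFallBacks;
        Msg.Sxs.AssemblyName = AssemblyName;
        CsrStringsToCapture[0] = &Msg.Sxs.Win32ImagePath;
        CsrStringsToCapture[1] = &Msg.Sxs.NtImagePath;
        CsrStringsToCapture[2] = &Msg.Sxs.CultureFallBacks;
        CsrStringsToCapture[3] = &Msg.Sxs.AssemblyName;

        CSRAPINumber = CSR_MAKE_API_NUMBER(BASESRV_SERVERDLL_INDEX, BasepCreateProcess2); // exists since 20H1
        DataLength = sizeof(*BaseCreateProcessMessage); // 536 = 456 (0x1c8) + 80
    }
    else if (OSBuildNumber >= 18214 || (OSBuildNumber <= 9600 && OSBuildNumber >= 8423) || (OSBuildNumber <= 7601 && OSBuildNumber >= 7600))
    {
        wprintf(L"[*] Windows 10 1903 | Windows 10 1909\n");
        wprintf(L"[*] Windows 8 | Windows 8.1 | Windows Server 2012 | Windows Server 2012 R2\n");
        wprintf(L"[*] Windows 7 | Windows Server 2008 R2\n");
        auto& Msg = BaseCreateProcessMessage->u.win2012;
        CustomSecureZeroMemory(&Msg.Sxs, sizeof(Msg.Sxs));
        Msg.Sxs.FileHandle = CreateInfo.SuccessState.FileHandle;
        Msg.Sxs.ManifestAddress = (PVOID)CreateInfo.SuccessState.ManifestAddress;
        Msg.Sxs.ManifestSize = CreateInfo.SuccessState.ManifestSize;
        Msg.Sxs.Flags = BASE_MSG_SXS_ALTERNATIVE_MODE;
        Msg.Sxs.ProcessParameterFlags = RtlUserProcessParametersFlags;
        Msg.PebAddressNative = CreateInfo.SuccessState.PebAddressNative;
        Msg.PebAddressWow64 = CreateInfo.SuccessState.PebAddressWow64;
        Msg.ProcessorArchitecture = ImageProcessorArchitecture;
        Msg.Sxs.Win32ImagePath = Win32ImagePath;
        Msg.Sxs.NtImagePath = NtImagePath;
        Msg.Sxs.CultureFallBacks = CultureFallBacks;
        Msg.Sxs.AssemblyName = AssemblyName;
        CsrStringsToCapture[0] = &Msg.Sxs.Win32ImagePath;
        CsrStringsToCapture[1] = &Msg.Sxs.NtImagePath;
        CsrStringsToCapture[2] = &Msg.Sxs.CultureFallBacks;
        CsrStringsToCapture[3] = &Msg.Sxs.AssemblyName;

        DataLength = sizeof(Msg.Sxs) + 80; // 272 = 192 + 80
    }
    else if (OSBuildNumber >= 6000)
    {
        wprintf(L"[*] Windows 10 1803 | Windows 10 1809 | Windows Server 2019\n");
        wprintf(L"[*] Windows 10 1703 | Windows 10 1709\n");
        wprintf(L"[*] Windows 10 1507 | Windows 10 1511 | Windows 10 1607 | Windows Server 2016\n");
        wprintf(L"[*] Windows Vista | Windows Server 2008\n");
        auto& Msg = BaseCreateProcessMessage->u.win2016;
        CustomSecureZeroMemory(&Msg.Sxs, sizeof(Msg.Sxs));
        Msg.Sxs.FileHandle = CreateInfo.SuccessState.FileHandle;
        Msg.Sxs.ManifestAddress = (PVOID)CreateInfo.SuccessState.ManifestAddress;
        Msg.Sxs.ManifestSize = CreateInfo.SuccessState.ManifestSize;
        Msg.Sxs.Flags = BASE_MSG_SXS_ALTERNATIVE_MODE;
        Msg.Sxs.ProcessParameterFlags = RtlUserProcessParametersFlags;
        Msg.PebAddressNative = CreateInfo.SuccessState.PebAddressNative;
        Msg.PebAddressWow64 = CreateInfo.SuccessState.PebAddressWow64;
        Msg.ProcessorArchitecture = ImageProcessorArchitecture;
        Msg.Sxs.Win32ImagePath = Win32ImagePath;
        Msg.Sxs.NtImagePath = NtImagePath;
        Msg.Sxs.CultureFallBacks = CultureFallBacks;
        Msg.Sxs.AssemblyName = AssemblyName;
        CsrStringsToCapture[0] = &Msg.Sxs.Win32ImagePath;
        CsrStringsToCapture[1] = &Msg.Sxs.NtImagePath;
        CsrStringsToCapture[2] = &Msg.Sxs.CultureFallBacks;
        CsrStringsToCapture[3] = &Msg.Sxs.AssemblyName;

        DataLength = sizeof(Msg.Sxs) + 80; // 264 = 184 + 80
    }
    else
    {
        wprintf(L"[-] Unknow OSBuildNumber or it isn't supported.\n");
        return STATUS_NOT_SUPPORTED;
    }

    // Refuse an empty Win32 image path (status kept from the original).
    if (CsrStringsToCapture[0]->Length == 0)
        return STATUS_ACCESS_VIOLATION;

    wprintf(L"BaseCreateProcessMessage->Sxs.Win32ImagePath: %ls\n", CsrStringsToCapture[0]->Buffer);
    wprintf(L"BaseCreateProcessMessage->Sxs.NtImagePath: %ls\n", CsrStringsToCapture[1]->Buffer);
    wprintf(L"BaseCreateProcessMessage->Sxs.CultureFallBacks: ");
    // Byte length / 2 = WCHAR count; WriteConsoleW prints through the embedded NULs.
    WriteConsoleW(GetStdHandle(STD_OUTPUT_HANDLE), CsrStringsToCapture[2]->Buffer, CsrStringsToCapture[2]->Length / 2, NULL, 0);
    wprintf(L"\nBaseCreateProcessMessage->Sxs.AssemblyName: %ls\n", CsrStringsToCapture[3]->Buffer);

    // Copy the four strings into the capture buffer. Per the original author's note, the buffer
    // must lie inside the client view (CsrPortHeap) or csrss answers STATUS_INVALID_PARAMETER
    // ("CSRSS: CaptureBuffer outside of ClientView").
    NTSTATUS CaptureStatus = CsrCaptureMessageMultiUnicodeStringsInPlace(&CaptureBuffer, 4, CsrStringsToCapture);
    wprintf(L"[+] CsrCaptureMessageMultiUnicodeStringsInPlace: 0x%08x\n", CaptureStatus);
    if (!NT_SUCCESS(CaptureStatus))
        return CaptureStatus;
    if (CaptureBuffer == NULL)
        return STATUS_NO_MEMORY;

    return CsrClientCallServer((PCSR_API_MSG)&BaseAPIMessage, CaptureBuffer, CSRAPINumber, DataLength);
}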
--------------------------------------------------------------------------------
/NtCreateUserProcess-Native/NtCreateUserProcess-Native/csrss.hpp:
--------------------------------------------------------------------------------
//#pragma once  // NOTE(review): disabled, and there is no #ifndef guard either — including csrss.hpp twice in one translation unit redefines every struct below.
2 | #include "syscalls.hpp"
3 |
// Implemented in csrss.cpp: notifies csrss/basesrv of a process created with NtCreateUserProcess.
NTSTATUS CallCsrss(HANDLE hProcess,HANDLE hThread, PS_CREATE_INFO CreateInfo,UNICODE_STRING Win32Path, UNICODE_STRING NtPath,CLIENT_ID ClientId, SECTION_IMAGE_INFORMATION SectionImageInfomation);
// Server DLL indices: the high 16 bits of a CSR_API_NUMBER (see CSR_MAKE_API_NUMBER below).
// *_FIRST_API_NUMBER is the base of that server's API table in the low 16 bits.
#define CSRSRV_SERVERDLL_INDEX 0
#define CSRSRV_FIRST_API_NUMBER 0

// basesrv — the server csrss.cpp talks to (BasepCreateProcess / BasepCreateProcess2).
#define BASESRV_SERVERDLL_INDEX 1
#define BASESRV_FIRST_API_NUMBER 0

// Console server; CsrClientCallServer refuses calls to it from a protected process.
#define CONSRV_SERVERDLL_INDEX 2
#define CONSRV_FIRST_API_NUMBER 512

#define WINSRV_SERVERDLL_INDEX 3
#define WINSRV_FIRST_API_NUMBER 1024

#define SXSSRV_SERVERDLL_INDEX 4
//#define SXSSRV_FIRST_API_NUMBER 0

// Flags for NtAlpcSendWaitReceivePort. Only ALPC_MSGFLG_SYNC_REQUEST is used by csrss.cpp; the
// trailing "// ?" / "// dbg" marks appear to be the original author's confidence notes.
#define ALPC_MSGFLG_REPLY_MESSAGE 0x1
#define ALPC_MSGFLG_LPC_MODE 0x2 // ?
#define ALPC_MSGFLG_RELEASE_MESSAGE 0x10000 // dbg
#define ALPC_MSGFLG_SYNC_REQUEST 0x20000 // dbg
#define ALPC_MSGFLG_WAIT_USER_MODE 0x100000
#define ALPC_MSGFLG_WAIT_ALERTABLE 0x200000
#define ALPC_MSGFLG_WOW64_CALL 0x80000000 // dbg

// BASE_SXS_CREATEPROCESS_MSG_*.Flags bits. csrss.cpp sets only BASE_MSG_SXS_ALTERNATIVE_MODE;
// entries marked "// rev" are the author's reverse-engineered additions.
#define BASE_MSG_SXS_MANIFEST_PRESENT (0x0001)
#define BASE_MSG_SXS_POLICY_PRESENT (0x0002)
#define BASE_MSG_SXS_SYSTEM_DEFAULT_TEXTUAL_ASSEMBLY_IDENTITY_PRESENT (0x0004)
#define BASE_MSG_SXS_TEXTUAL_ASSEMBLY_IDENTITY_PRESENT (0x0008)
#define BASE_MSG_SXS_APP_RUNNING_IN_SAFEMODE (0x0010)
#define BASE_MSG_SXS_NO_ISOLATION (0x0020) // rev
#define BASE_MSG_SXS_ALTERNATIVE_MODE (0x0040) // rev
#define BASE_MSG_SXS_DEV_OVERRIDE_PRESENT (0x0080) // rev
#define BASE_MSG_SXS_MANIFEST_OVERRIDE_PRESENT (0x0100) // rev
#define BASE_MSG_SXS_PACKAGE_IDENTITY_PRESENT (0x0400) // rev
#define BASE_MSG_SXS_FULL_TRUST_INTEGRITY_PRESENT (0x0800) // rev

// Process/thread flag bits of the create-process message; not set by csrss.cpp.
#define BASE_CREATE_PROCESS_MSG_PROCESS_FLAG_FEEDBACK_ON 1
#define BASE_CREATE_PROCESS_MSG_PROCESS_FLAG_GUI_WAIT 2
#define BASE_CREATE_PROCESS_MSG_THREAD_FLAG_CROSS_SESSION 1
#define BASE_CREATE_PROCESS_MSG_THREAD_FLAG_PROTECTED_PROCESS 2

// API number = (server DLL index << 16) | index into that server's API table.
typedef ULONG CSR_API_NUMBER;
#define CSR_MAKE_API_NUMBER( DllIndex, ApiIndex ) \
(CSR_API_NUMBER)(((DllIndex) << 16) | (ApiIndex))

#define CSR_APINUMBER_TO_SERVERDLLINDEX( ApiNumber ) \
((ULONG)((ULONG)(ApiNumber) >> 16))

#define CSR_APINUMBER_TO_APITABLEINDEX( ApiNumber ) \
((ULONG)((USHORT)(ApiNumber)))
// Connection information exchanged with basesrv when a client connects (ExpectedVersion in,
// the rest out). Not used by csrss.cpp, which assumes the CSR port connection already exists.
typedef struct _BASESRV_API_CONNECTINFO {
IN ULONG ExpectedVersion;
OUT HANDLE DefaultObjectDirectory;
OUT ULONG WindowsVersion;
OUT ULONG CurrentVersion;
OUT ULONG DebugFlags;
OUT WCHAR WindowsDirectory[MAX_PATH];
OUT WCHAR WindowsSystemDirectory[MAX_PATH];
} BASESRV_API_CONNECTINFO, * PBASESRV_API_CONNECTINFO;
64 |
// Presumably the ExpectedVersion value for BASESRV_API_CONNECTINFO — not used by csrss.cpp.
#define BASESRV_VERSION 0x10000
//
// Message format for messages sent from the client to the server
// API table indices of basesrv (low 16 bits of the CSR_API_NUMBER). csrss.cpp uses
// BasepCreateProcess, and BasepCreateProcess2 on builds >= 18985 (Windows 10 2004 / 20H1+).
typedef enum _BASESRV_API_NUMBER {
BasepCreateProcess = BASESRV_FIRST_API_NUMBER, // in: TBaseCreateProcessMsgV1
BasepDeadEntry1,
BasepDeadEntry2,
BasepDeadEntry3,
BasepDeadEntry4,
BasepCheckVDM,
BasepUpdateVDMEntry,
BasepGetNextVDMCommand,
BasepExitVDM,
BasepIsFirstVDM,
BasepGetVDMExitCode,
BasepSetReenterCount,
BasepSetProcessShutdownParam, // in: TBaseShutdownParamMsg
BasepGetProcessShutdownParam, // out: TBaseShutdownParamMsg
BasepSetVDMCurDirs,
BasepGetVDMCurDirs,
BasepBatNotification,
BasepRegisterWowExec,
BasepSoundSentryNotification,
BasepRefreshIniFileMapping,
BasepDefineDosDevice, // in: TBaseDefineDosDeviceMsg
BasepSetTermsrvAppInstallMode,
BasepSetTermsrvClientTimeZone,
BasepCreateActivationContext, // in/out: TBaseSxsCreateActivationContextMsg
BasepDeadEntry24,
BasepRegisterThread,
BasepDeferredCreateProcess,
BasepNlsGetUserInfo,
BasepNlsUpdateCacheCount,
BasepCreateProcess2, // in: TBaseCreateProcessMsgV2, Win 10 20H1+
BasepCreateActivationContext2 // in/out: TBaseSxsCreateActivationContextMsgV2, Win 10 20H1+
} BASESRV_API_NUMBER, * PBASESRV_API_NUMBER;
101 |
// Access rights for the ALPC port object (connection only / everything).
#define PORT_CONNECT 0x0001
#define PORT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1)

// Payload of the initial connect message to csrss (the ConnectionRequest arm of CSR_API_MSG).
// The Reserved* fields pad the structure to 0x30 bytes on x64; not used by csrss.cpp.
typedef struct _CSR_API_CONNECTINFO {
PVOID SharedSectionBase;
PVOID SharedStaticServerData;
PVOID ServerProcessId;
PVOID Reserved;//8 bytes
DWORD Reserved2;//4 bytes
DWORD Reserved3;//4 bytes
PVOID Reserved4;//8 bytes
} CSR_API_CONNECTINFO, * PCSR_API_CONNECTINFO; //0x30
114 |
// Per-server-DLL connect request carried in CSR_API_MSG::u.ClientConnect; not used by csrss.cpp.
typedef struct _CSR_CLIENTCONNECT_MSG {
ULONG ServerDllIndex;
PVO ConnectionInformation;
ULONG ConnectionInformationLength;
} CSR_CLIENTCONNECT_MSG, * PCSR_CLIENTCONNECT_MSG;
120 |
// Header of a CSR capture buffer. Out-of-line message data (here the captured UNICODE_STRING
// buffers) lives in the bytes after MessagePointerOffsets, and the buffer itself must lie in the
// CsrPortHeap view so csrss can reach it through CsrPortMemoryRemoteDelta.
typedef struct _CSR_CAPTURE_BUFFER {
ULONG Length;//0 0x184 = 388 -- total size in bytes, header included (set when the buffer is set up)
PVOID RelatedCaptureBuffer;//8 PCSR_CAPTURE_HEADER 0x baadf00d baadf00d = 0xbaadf00dbaadf00d -- not touched by csrss.cpp
ULONG CountMessagePointers; //16 -- slots of MessagePointerOffsets in use
PCHAR FreeSpace;//24 -- next free byte for CsrAllocateMessagePointer; zeroed by CsrClientCallServer before the send
// Fixed at 6 slots in this project, whereas ntdll declares an ANYSIZE_ARRAY sized per buffer;
// callers must not capture more strings than this (csrss.cpp captures 4). Each slot holds the
// address of a pointer field inside the CSR_API_MSG; CsrClientCallServer turns it into an offset
// from the message start for the duration of the call and back afterwards.
ULONG_PTR MessagePointerOffsets[6];//32 // Offsets within CSR_API_MSG of pointers ->previously as pointer at 0x10 [ANYSIZE_ARRAY]
} CSR_CAPTURE_BUFFER, * PCSR_CAPTURE_BUFFER;
128 |
// Wire format of a CSR request/reply: a PORT_MESSAGE header followed by either the connect
// payload or the API call header plus up to 368 bytes of API-specific data. CallCsrss sends a
// BASE_API_MSG cast to this type.
typedef struct _CSR_API_MSG {
PORT_MESSAGE h;
union {
CSR_API_CONNECTINFO ConnectionRequest;
struct {
PCSR_CAPTURE_BUFFER CaptureBuffer; // server-view address while the call is in flight (NULL if none)
CSR_API_NUMBER ApiNumber; // CSR_MAKE_API_NUMBER value with the 0x10000000 client flag stripped
ULONG ReturnValue; // NTSTATUS from the server, or from the client on transport failure
ULONG Reserved;
union {
CSR_CLIENTCONNECT_MSG ClientConnect;
ULONG_PTR ApiMessageData[0x2E];// 6.2+ BASE_CREATEPROCESS_MSG here size = [368]
} u;
};
};
} CSR_API_MSG, * PCSR_API_MSG;
145 |
// A file named in both Win32 and NT form (read-only strings). Declared for completeness;
// not used by csrss.cpp.
typedef struct _SXS_CONSTANT_WIN32_NT_PATH_PAIR
{
PCUNICODE_STRING Win32;
PCUNICODE_STRING Nt;
} SXS_CONSTANT_WIN32_NT_PATH_PAIR;
typedef SXS_CONSTANT_WIN32_NT_PATH_PAIR* PSXS_CONSTANT_WIN32_NT_PATH_PAIR;
typedef CONST SXS_CONSTANT_WIN32_NT_PATH_PAIR* PCSXS_CONSTANT_WIN32_NT_PATH_PAIR;
153 |
// Growable (RTL_UNICODE_STRING_BUFFER) variant of the Win32/NT path pair. Declared for
// completeness; not used by csrss.cpp.
typedef struct _SXS_WIN32_NT_PATH_PAIR
{
PRTL_UNICODE_STRING_BUFFER Win32;
PRTL_UNICODE_STRING_BUFFER Nt;
} SXS_WIN32_NT_PATH_PAIR;
typedef SXS_WIN32_NT_PATH_PAIR* PSXS_WIN32_NT_PATH_PAIR;
typedef CONST SXS_WIN32_NT_PATH_PAIR* PCSXS_WIN32_NT_PATH_PAIR;
161 |
// Describes an SxS data stream (manifest/policy) by path, file handle or section plus a byte
// range. The trailing numbers are the author's x64 offset notes. Not populated by csrss.cpp.
typedef struct _BASE_MSG_SXS_STREAM {
IN BYTE FileType;//0
IN BYTE PathType;//1
IN BYTE HandleType;//2
IN UNICODE_STRING Path;//8
IN HANDLE FileHandle;//24 [24/8=3]
IN HANDLE SectionHandle;// 32 SectionHandle

IN ULONGLONG Offset; // 40 OK
IN SIZE_T Size; //48 OK
} BASE_MSG_SXS_STREAM, * PBASE_MSG_SXS_STREAM;
typedef const BASE_MSG_SXS_STREAM* PCBASE_MSG_SXS_STREAM;
174 |
// A named in-memory override stream (Name + Address/Size), 32 bytes on x64 per the author's
// offset notes. Not populated by csrss.cpp.
typedef struct _SXS_OVERRIDE_STREAM {
UNICODE_STRING Name;
//Length = 0
//MaximumLength = 2
//Buffer = 8
PVOID Address;//16
SIZE_T Size;//24
} SXS_OVERRIDE_STREAM, * PSXS_OVERRIDE_STREAM;//sizeof = 32
typedef const SXS_OVERRIDE_STREAM* PCSXS_OVERRIDE_STREAM;
184 |
// Handle set describing a mapped image for SxS (file, owning process, section, view base).
// Not populated by csrss.cpp.
typedef struct _BASE_MSG_SXS_HANDLES {
HANDLE File;
//
// Process is the process to map section into, it can
// be NtCurrentProcess; ensure that case is optimized.
//
HANDLE Process;
HANDLE Section;
PVOID ViewBase; // Don't use this is in 32bit code on 64bit. This is ImageBaseAddress
} BASE_MSG_SXS_HANDLES, * PBASE_MSG_SXS_HANDLES;
195 |
// NOTE (original: "uncorrected"): the layouts below are not fully verified; fields named Unknow*/Reserved* and comments marked "error" / "???" are the author's open questions.
197 |
198 |
199 |
200 | // Old: 136 = 0x88 New: 456 = 0x1C8
201 | //========================================================================================================================
// Sxs block of the BasepCreateProcess message as CallCsrss uses it for Windows 7 / 2008 R2,
// Windows 8 / 8.1 / 2012 / 2012 R2 and Windows 10 1903 / 1909 (the "win 10 new" note below is
// the author's; see the build-number ranges in CallCsrss). csrss.cpp zeroes the block and fills
// Flags, ProcessParameterFlags, FileHandle, Win32ImagePath, NtImagePath, ManifestAddress,
// ManifestSize, CultureFallBacks and AssemblyName; everything else stays zero. Trailing numbers
// are the author's x64 offset notes.
typedef struct _BASE_SXS_CREATEPROCESS_MSG_2012 {//win 10 new
ULONG Flags; //0
ULONG ProcessParameterFlags;//4
//=====================================================
HANDLE FileHandle;//8
UNICODE_STRING Win32ImagePath;//16
UNICODE_STRING NtImagePath;//32;
PVOID AppCompatSxsData;//48
SIZE_T AppCompatSxsDataSize;//56
BYTE Reserved1[8];//64
BYTE Reserved2[8];//72 Path???
PVOID ManifestAddress;//80
ULONG ManifestSize;//88
BYTE Reserved3[16];//92->108 error
USHORT UnknowFlags;//1 + 2 //2012 ONLY && Value = -1
BYTE Reserved4[8];//112->120
UNICODE_STRING AssemblyDirectory;//120->136
UNICODE_STRING CultureFallBacks; //136->152 ===== [17]-[18]
ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION ActCtx_RunLevel;//[19]-[20]/2 152->164 [ (00 00 00 00 | 01 00 00 00)
ULONG UnknowAppCompat;// [20] + 4 164->168
ULONG_PTR Reversed;
//01 00 00 00->ACTCTX_RUN_LEVEL_AS_INVOKER = 1 [the application manifest requests the lowest privilege level needed to run the application]
UNICODE_STRING AssemblyName; //176->192 L"-----------------------------------------------------------" [21]-[22]

//Microsoft.Windows.Shell.notepad  (example of what a real assembly name looks like)

} BASE_SXS_CREATEPROCESS_MSG_2012, * PNEW_BASE_SXS_CREATEPROCESS_MSG_2012; //192 Message
229 |
230 | //====================================================================================================
231 |
// SxS create-process message in the layout the author associates with the
// 2016-era build line; selected through the win2016 arm of the union in
// BASE_CREATEPROCESS_MSG. Differs from the 2012 layout only in dropping the
// ULONG_PTR slot before AssemblyName (hence 168->184 instead of 176->192).
// Trailing numbers are the author's offset notes.
typedef struct _BASE_SXS_CREATEPROCESS_MSG_2016 {//win 10 new
    ULONG Flags; //0
    ULONG ProcessParameterFlags;//4
    //=====================================================
    HANDLE FileHandle;//8
    UNICODE_STRING Win32ImagePath;//16
    UNICODE_STRING NtImagePath;//32;
    PVOID AppCompatSxsData;//48
    SIZE_T AppCompatSxsDataSize;//56
    BYTE Reserved1[8];//64
    BYTE Reserved2[8];//72 Path???
    PVOID ManifestAddress;//80
    ULONG ManifestSize;//88 +4
    BYTE Reserved3[16];//92->108 error
    USHORT UnknowFlags;//1 + 2
    BYTE Reserved4[8];//112->120
    UNICODE_STRING AssemblyDirectory;//120->136
    UNICODE_STRING CultureFallBacks; //136->152 ===== [17]-[18]
    ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION ActCtx_RunLevel;//[19]-[20]/2 152->164 [ (00 00 00 00 | 01 00 00 00)
    ULONG UnknowAppCompat;// [20] + 4 164->168 //01 00 00 00->ACTCTX_RUN_LEVEL_AS_INVOKER = 1 [the application manifest requests the lowest privilege level to run the application]
    UNICODE_STRING AssemblyName; //168->184 L"-----------------------------------------------------------" [21]-[22]
    //Microsoft.Windows.Shell.notepad
} BASE_SXS_CREATEPROCESS_MSG_2016, * PNEW_BASE_SXS_CREATEPROCESS_MSG_2016;
255 |
256 | #ifndef APPLICATION_USER_MODEL_ID_MAX_LENGTH
257 | #define APPLICATION_USER_MODEL_ID_MAX_LENGTH 130
258 | #endif // !APPLICATION_USER_MODEL_ID_MAX_LENGTH
259 |
// SxS create-process message in the current layout (author's total: 0x1C8 = 456
// bytes); used through the win2022 arm of BASE_CREATEPROCESS_MSG. The anonymous
// union overlays two views of the same bytes: a flat field list (the author's
// "Vista new" form) and the older stream-based form ("SafeMode old Classic").
// Trailing numbers are the author's offset notes.
typedef struct _BASE_SXS_CREATEPROCESS_MSG {//win 10 new
    ULONG Flags; //0
    ULONG ProcessParameterFlags;//4
    //=====================================================
    union
    {
        struct
        {
            HANDLE FileHandle;//8
            UNICODE_STRING Win32ImagePath;//16
            UNICODE_STRING NtImagePath;//32;
            PVOID ManifestOverrideOffset;//48 AppCompatSxsData
            SIZE_T ManifestOverrideSize;//56 AppCompatSxsDataSize
            //============================
            PVOID PolicyOverrideOffset;//64
            SIZE_T PolicyOverrideSize;//72 Path???
            PVOID ManifestAddress;//80
            ULONG ManifestSize;//88
            //BYTE Reserved3[16];//96->112
            //BYTE Reserved4[8];//112->120
        };//Vista new Alternative
        struct
        {
            BASE_MSG_SXS_STREAM Manifest;//8
            BASE_MSG_SXS_STREAM Policy;//64
            UNICODE_STRING AssemblyDirectory;//120->136
        }; //SafeMode old Classic
    };
    //=================================================================
    UNICODE_STRING CultureFallBacks; //136->152 ===== [17]-[18]
    ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION ActivationContextRunLevel;//[19]-[20]/2 152->164
    SUPPORTED_OS_INFO SxsSupportOSInfo;// [20] + 4 164->168 [SwitchBackSupportOSInfo]
    UNICODE_STRING AssemblyName; //168->184 L"-----------------------------------------------------------" [21]-[22] //Microsoft.Windows.Shell.notepad
    ULONGLONG SxsMaxVersionTested;//184->192 [23]
    WCHAR ApplicationUserModelId[APPLICATION_USER_MODEL_ID_MAX_LENGTH];//192  (130 WCHARs; constant guarded above)
    ULONG ApplicationUserModelIdLength;//452
} BASE_SXS_CREATEPROCESS_MSG, * PBASE_SXS_CREATEPROCESS_MSG; //0x1C8 = 456
297 |
298 |
299 |
// Process-creation payload carried in BASE_API_MSG.u.BaseCreateProcess.
// The union u holds three build-specific Sxs layouts (win2022 / win2016 /
// win2012). The sender must fill the arm that matches the running OS build:
// the receiver interprets these bytes positionally, so a mismatched layout is
// a correctness/stability problem rather than a clean failure.
// Trailing numbers are the author's offset notes; total noted as 536 bytes.
typedef struct _BASE_CREATE_PROCESS {
    HANDLE ProcessHandle;//0
    HANDLE ThreadHandle;//8
    CLIENT_ID ClientId;//16
    ULONG CreationFlags;//32
    ULONG VdmBinaryType;//36
    ULONG VdmTask;//40
    HANDLE hVDM;//48
    union {
        struct
        {
            BASE_SXS_CREATEPROCESS_MSG Sxs;
            ULONGLONG PebAddressNative;
            ULONGLONG PebAddressWow64;//
            USHORT ProcessorArchitecture;
        }win2022;
        struct
        {
            BASE_SXS_CREATEPROCESS_MSG_2016 Sxs;
            ULONGLONG PebAddressNative;
            ULONGLONG PebAddressWow64;//
            USHORT ProcessorArchitecture;
        }win2016;
        struct
        {
            BASE_SXS_CREATEPROCESS_MSG_2012 Sxs;
            ULONGLONG PebAddressNative;
            ULONGLONG PebAddressWow64;//
            USHORT ProcessorArchitecture;
        }win2012;
    }u;

} BASE_CREATEPROCESS_MSG, * PBASE_CREATEPROCESS_MSG; //536
333 | //64+56=120
// Complete CSR API message: PORT_MESSAGE header, capture-buffer pointer, API
// number, status word, then the per-API payload union (only BaseCreateProcess
// is declared here). Author's offset notes: header 0, CaptureBuffer 40,
// ApiNumber 48, Status 52, Reserved 56, payload 64.
typedef struct _BASE_API_MSG
{
    PORT_MESSAGE PortMessage;//0
    PCSR_CAPTURE_BUFFER CaptureBuffer;//40
    CSR_API_NUMBER ApiNumber;//48
    ULONG Status;//52
    ULONG Reserved;//56
    union
    {
        BASE_CREATEPROCESS_MSG BaseCreateProcess;//+8 64
    }u;
}BASE_API_MSG, * PBASE_API_MSG;
346 |
// Function-pointer types matching the ntdll CSR client routines of the same name
// (the trailing underscore distinguishes the typedef from the export itself).
typedef NTSTATUS(WINAPI* CsrCaptureMessageMultiUnicodeStringsInPlace_)(PCSR_CAPTURE_BUFFER* InOutCaptureBuffer, ULONG NumberOfStringsToCapture, const PUNICODE_STRING* StringsToCapture);
typedef NTSTATUS(WINAPI* CsrClientCallServer_)(PCSR_API_MSG ApiMessage, PCSR_CAPTURE_BUFFER CaptureBuffer, ULONG ApiNumber, ULONG DataLength);
--------------------------------------------------------------------------------
/NtCreateUserProcess-Native/NtCreateUserProcess-Native/main.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include "ntapi.hpp"
3 | #include "misc.hpp"
4 | #include "csrss.hpp"
5 |
6 | //#define OUTPUT
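// Print command-line usage to stdout. Lists every option wmain() parses
// (-h, -d, -c, -i); the previous text omitted -d and misspelled "required".
void helpinfo()
{
    wprintf(L"[*] Example: \n"
        L"NtCreateUserProcess-Native.exe -c C:\\Windows\\system32\\notepad.exe\n"
        L"NtCreateUserProcess-Native.exe -c C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -i 1\n\n"
        L"[*] -h Show this help\n"
        L"[*] -d (Optional) Dump CreateInfo and SectionImageInformation after NtCreateUserProcess\n"
        L"[*] -c (Optional) ImagePath, Notice double quote is required when blankspace in path like\n"
        L" C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\n\n"
        L"[*] -i (Optional) Interact for console process like C:\\Windows\\system32\\cmd.exe\n"
        L"-i 0: (Default) None of any interact mode will be used, like CREATE_NEW_CONSOLE\n"
        L"-i 1: StdHandle via AttributeList, like bInheritHandles = FALSE\n"
        L"-i 2: Set ProcessParameters Std Input,Output,OutError with CurrentProcessParameters Value, like bInheritHandles = TRUE\n\n");
    wprintf(L"[!] On Windows 11 Notepad.exe is AppX so it doesn't work. (AppX isn't supported in this project)\n");
}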
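//
// Entry point.
//   -h        print usage
//   -d        dump CreateInfo / SECTION_IMAGE_INFORMATION after the create call
//   -c PATH   Win32 image path (defaults to dfrgui.exe below)
//   -i N      interaction mode, see helpinfo()
//
// Builds RTL_USER_PROCESS_PARAMETERS and a PS_ATTRIBUTE_LIST by hand, calls
// NtCreateUserProcess with the initial thread suspended, notifies csrss through
// CallCsrss(), then resumes the thread. Returns 0 on success, -1 on a usage
// error, or the failing NTSTATUS.
//
int wmain(int argc, wchar_t* argv[])
{
    LPCWSTR ImageName = NULL;
    BOOLEAN EnableDebugOutput = FALSE;
    int Interact = 0;

    // argc > 1 guarantees argv[1] is non-NULL (argv[argc] is the terminator), so
    // every argv[1][0] below is only reached after that check.
    while ((argc > 1) && (argv[1][0] == '-'))
    {
        switch (argv[1][1])
        {
        case 'h':
        case 'H':
            helpinfo();
            return 0;
        case 'd':
        case 'D':
            // Takes no value: the shared ++argv/--argc after the switch is enough.
            // (Advancing here as well skipped the option that followed -d.)
            EnableDebugOutput = TRUE;
            break;
        case 'c':
        case 'C':
            ++argv;
            --argc;
            if (argc > 1 && argv[1][0] != '-')
            {
                ImageName = argv[1];
                wprintf(L"[*] ImageName = %ls\n", ImageName);
            }
            else
            {
                wprintf(L"[-] Missing value for option: -c\n");
                helpinfo();
                return -1;
            }
            break;
        case 'i':
        case 'I':
            ++argv;
            --argc;
            if (argc > 1 && argv[1][0] != '-')
            {
                // swscanf_s returns the number of fields assigned; anything but 1
                // means the value was not a number (previously fell through as mode 0).
                // NOTE(review): 3 passes this range check but helpinfo() documents only 0..2.
                if (swscanf_s(argv[1], L"%d", &Interact) != 1 || Interact < 0 || Interact > 3)
                {
                    wprintf(L"[-] Invalid value for option: -i\n");
                    return -1;
                }
            }
            else
            {
                wprintf(L"[-] Missing value for option: -i\n");
                helpinfo();
                return -1;
            }
            break;
        default:
            wprintf(L"[-] Invalid argument: %ls\n", argv[1]);
            helpinfo();
            return -1;
        }
        ++argv;
        --argc;
    }
    if (!ImageName)
    {
        ImageName = L"C:\\Windows\\System32\\dfrgui.exe";
        wprintf(L"[*] Default ImageName: %ls\n", ImageName);
    }
    wprintf(L"[*] Interact Mode = %d\n", Interact);

    // NtImageName ("\??\" + path) and cmdline ("\"" + path + "\"") below are fixed
    // MAX_PATH buffers. wcscat_s treats overflow as an invalid parameter (process
    // abort by default), so reject over-long input here with a readable error.
    // "\??\" is the longer decoration: 4 characters plus the terminator.
    if (lstrlenW(ImageName) + 4 >= MAX_PATH)
    {
        wprintf(L"[-] ImagePath too long: at most %d characters are supported\n", MAX_PATH - 5);
        return -1;
    }

    NTSTATUS Status = 0;
    SECTION_IMAGE_INFORMATION SectionImageInfomation = { 0 };
    HANDLE TokenHandle = NULL;
    HANDLE ParentProcessHandle = NULL;
    OBJECT_ATTRIBUTES ObjectAttributes = { 0 };
    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
    CLIENT_ID ClientId = { 0 };
    ClientId.UniqueProcess = NtCurrentTeb()->ClientId.UniqueProcess;
    ClientId.UniqueThread = (HANDLE)0;

    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    ULONG ProcessFlags = 0;
    ULONG ReturnLength = 0;
    PEB peb2 = { 0 };
    PROCESS_BASIC_INFORMATION ProcessBasicInfo = { 0 };
    PS_CREATE_INFO CreateInfo = { 0 };
    PS_ATTRIBUTE_LIST AttributeList = { 0 };
    PS_STD_HANDLE_INFO StdHandle = { 0 };
    PRTL_USER_PROCESS_PARAMETERS OwnParameters = NtCurrentPeb()->ProcessParameters;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters = NULL;
    UNICODE_STRING NtImagePath = { 0 };
    UNICODE_STRING Win32ImagePath = { 0 };
    UNICODE_STRING CommandLine = { 0 };
    // Backing storage for NtImagePath / CommandLine. Declared at function scope on
    // purpose: their addresses are handed to NtCreateUserProcess and CallCsrss()
    // much later, so they must outlive the block that fills them.
    WCHAR NtImageName[MAX_PATH] = { 0 };
    WCHAR cmdline[MAX_PATH] = { 0 };

    // The "parent" opened here is this process itself, and the handle is closed
    // again as soon as the token has been obtained, so the PS_ATTRIBUTE_PARENT_PROCESS
    // branches further down are currently inactive (kept by the author for experiments).
    Status = NtOpenProcess(&ParentProcessHandle, PROCESS_QUERY_LIMITED_INFORMATION | SYNCHRONIZE, &ObjectAttributes, &ClientId);
    ClientId = { 0 }; // reused below to receive the *new* process's CLIENT_ID
    if (!NT_SUCCESS(Status))
    {
        return Status;
    }

    wprintf(L"[+] Parent ProcessHandle: %p\n", ParentProcessHandle);
    Status = NtOpenProcessToken(NtCurrentProcess(), TOKEN_ALL_ACCESS, &TokenHandle);
    if (!NT_SUCCESS(Status))
    {
        wprintf(L"[-] NtOpenProcessToken: 0x%08x\n", Status);
        NtClose(ParentProcessHandle); // was leaked on this path
        return Status;
    }

    wprintf(L"[+] TokenHandle: 0x%p\n", TokenHandle);
    NtClose(ParentProcessHandle);
    ParentProcessHandle = NULL;

    // NT-namespace image path for PS_ATTRIBUTE_IMAGE_NAME, the Win32 path for the
    // process parameters, and a quoted command line (quotes are required when the
    // path contains a space).
    wcscat_s(NtImageName, L"\\??\\");
    wcscat_s(NtImageName, ImageName);
    NtImagePath.Buffer = NtImageName;
    NtImagePath.Length = (USHORT)(sizeof(WCHAR) * lstrlenW(NtImageName));
    NtImagePath.MaximumLength = NtImagePath.Length + sizeof(UNICODE_NULL);

    Win32ImagePath.Buffer = (PWSTR)ImageName;
    Win32ImagePath.Length = (USHORT)(sizeof(WCHAR) * lstrlenW(ImageName));
    Win32ImagePath.MaximumLength = Win32ImagePath.Length + sizeof(UNICODE_NULL);

    wcscat_s(cmdline, L"\"");
    wcscat_s(cmdline, ImageName);
    wcscat_s(cmdline, L"\"");
    CommandLine.Buffer = (PWSTR)cmdline;
    CommandLine.Length = (USHORT)(sizeof(WCHAR) * lstrlenW(cmdline));
    CommandLine.MaximumLength = CommandLine.Length + sizeof(UNICODE_NULL);

    CustomSecureZeroMemory(&CreateInfo, sizeof(PS_CREATE_INFO));
    CreateInfo.State = PsCreateInitialState;
    CreateInfo.Size = sizeof(PS_CREATE_INFO);
    CreateInfo.InitState.u1.s1.WriteOutputOnExit = TRUE;
    CreateInfo.InitState.u1.s1.DetectManifest = TRUE;
    // ProhibitedImageCharacteristics is deliberately left 0 here; the author notes
    // IMAGE_FILE_DLL would be the usual value to reject DLL images.
    CreateInfo.InitState.AdditionalFileAccess = FILE_READ_ATTRIBUTES | FILE_READ_DATA;

    // Base struct size for this OS build plus room for the strings appended after it.
    ULONG ProcessParametersLength = GetProcessParametersStructsLength(OSBuildNumber);
    if (ProcessParametersLength == 0)
    {
        // Unknown (or not yet populated) build number: fall back to the header's
        // layout. The author notes an over-estimate is harmless; an under-estimate
        // would hand the kernel a block shorter than its declared Length.
        ProcessParametersLength = sizeof(RTL_USER_PROCESS_PARAMETERS);
        wprintf(L"[!] Unknown OS build %u, using sizeof(RTL_USER_PROCESS_PARAMETERS)\n", OSBuildNumber);
    }

    ProcessParametersLength += (MAX_PATH * sizeof(WCHAR));//CurrentDirectory
    ProcessParametersLength += ALIGN(OwnParameters->DesktopInfo.MaximumLength, sizeof(ULONG_PTR)); //DesktopInfo
    // ProcessParametersLength += ALIGN(OwnParameters->ShellInfo.MaximumLength, sizeof(ULONG_PTR)); //ShellInfo
    ProcessParametersLength += ALIGN(Win32ImagePath.MaximumLength, sizeof(ULONG_PTR)); //ImagePathName
    ProcessParametersLength += ALIGN(Win32ImagePath.MaximumLength, sizeof(ULONG_PTR)); //WindowTitle = ImagePathName
    ProcessParametersLength += ALIGN(CommandLine.MaximumLength, sizeof(ULONG_PTR));//CommandLine
    // ProcessParametersLength += ALIGN(OwnParameters->RuntimeData.MaximumLength, sizeof(ULONG_PTR)); //RuntimeData
    ProcessParametersLength += ALIGN(OwnParameters->DllPath.MaximumLength, sizeof(ULONG_PTR));//DllPath NtCurrentProcess()
    // ProcessParametersLength += ALIGN(OwnParameters->RedirectionDllName.MaximumLength, sizeof(ULONG_PTR));// AppXDllDirectory: RedirectionDllName

    ProcessParameters = (PRTL_USER_PROCESS_PARAMETERS)RtlAllocateHeap(RtlProcessHeap(), HEAP_ZERO_MEMORY, ProcessParametersLength);
    if (!ProcessParameters)
    {
        NtClose(TokenHandle); // was leaked on this path
        return STATUS_NO_MEMORY;
    }

    ProcessParameters->Length = ProcessParametersLength;
    ProcessParameters->MaximumLength = ProcessParametersLength;

    ProcessParameters->Flags = RTL_USER_PROC_IMAGE_KEY_MISSING | RTL_USER_PROC_APP_MANIFEST_PRESENT | RTL_USER_PROC_PARAMS_NORMALIZED;
    ProcessParameters->ImagePathName = Win32ImagePath;
    ProcessParameters->CommandLine = CommandLine;
    ProcessParameters->DllPath = OwnParameters->DllPath;//old
    ProcessParameters->DesktopInfo = OwnParameters->DesktopInfo;
    //ProcessParameters->ShellInfo = OwnParameters->ShellInfo;
    ProcessParameters->CurrentDirectory.DosPath = OwnParameters->CurrentDirectory.DosPath;
    ProcessParameters->WindowTitle = Win32ImagePath;

    // Environment block is shared with this process rather than copied.
    ProcessParameters->Environment = OwnParameters->Environment;
    ProcessParameters->EnvironmentSize = OwnParameters->EnvironmentSize;
    ProcessParameters->EnvironmentVersion = OwnParameters->EnvironmentVersion; //EnvironmentVersion should be zero?
    //==================================================================================
    ProcessParameters->ProcessGroupId = NtCurrentPeb()->ProcessParameters->ProcessGroupId; //dwCreationFlags & CREATE_NEW_PROCESS_GROUP == 0

    // 7601 and below OS std io are not hold with conhost.exe directly
    if (Interact == 0)
    {
        wprintf(L"[*] Separate I/O Buffers\n");

        //
        // ProcessParameters->ConsoleHandle = NULL;
        // ProcessParameters->ConsoleHandle = HANDLE_CREATE_NO_WINDOW; [Console Process: cmd.exe, powershell.exe]
        //
        ProcessParameters->ConsoleHandle = HANDLE_CREATE_NEW_CONSOLE;//(HANDLE)-2i64 = CONSOLE_NEW_CONSOLE HANDLE_CREATE_NEW_CONSOLE
    }
    else
    {
        ProcessParameters->ConsoleHandle = !ConhostConsoleHandle || OSBuildNumber <= 7601 ? OwnParameters->ConsoleHandle : ConhostConsoleHandle;
    }

    // [bInheritHandles == TRUE <->ProcessFlags & 4 (PROCESS_CREATE_FLAGS_INHERIT_HANDLES) ...]
    if (Interact == 2 || OSBuildNumber <= 7601)// OSBuildNumber >= ? && ParentProcessHandle
    {
        //7601 and below OS std io are not hold with conhost.exe directly
        wprintf(L"[*] Redirect the Child Process's Standard File IO via ProcessParameters!\n");
        ProcessParameters->StandardInput = OwnParameters->StandardInput;
        ProcessParameters->StandardOutput = OwnParameters->StandardOutput;
        ProcessParameters->StandardError = OwnParameters->StandardError;
    }
    // ProcessFlags starts at 0 and nothing else sets this bit, so only mode 2 needs to touch it.
    if (Interact == 2)//bInheritHandles == TRUE
        ProcessFlags |= PROCESS_CREATE_FLAGS_INHERIT_HANDLES;

    // Note: WindowFlags is 0 and ShowWindowFlags is 0x1 when launched from the command line,
    // and both are 0x1 when launched from explorer. This is why the program checks both flags for 0.(x64dbg issue)???
    ProcessParameters->WindowFlags = 0x0;
    ProcessParameters->ShowWindowFlags = SW_SHOWNORMAL;//SW_SHOWNORMAL SW_HIDE

    AttributeList.Attributes[0].Attribute = PS_ATTRIBUTE_IMAGE_NAME;
    AttributeList.Attributes[0].Size = NtImagePath.Length;
    AttributeList.Attributes[0].Value = (ULONG_PTR)NtImagePath.Buffer;

    AttributeList.Attributes[1].Attribute = PS_ATTRIBUTE_IMAGE_INFO;
    AttributeList.Attributes[1].Size = sizeof(SECTION_IMAGE_INFORMATION);
    AttributeList.Attributes[1].ValuePtr = &SectionImageInfomation;

    AttributeList.Attributes[2].Attribute = PS_ATTRIBUTE_CLIENT_ID;
    AttributeList.Attributes[2].Size = sizeof(CLIENT_ID);
    AttributeList.Attributes[2].Value = (ULONG_PTR)&ClientId;

    AttributeList.Attributes[3].Attribute = PS_ATTRIBUTE_TOKEN;
    AttributeList.Attributes[3].Size = sizeof(HANDLE);
    AttributeList.Attributes[3].Value = (ULONG_PTR)TokenHandle;// [Optional] own primary token
    ULONG AttributeCount = 4;

    if (ParentProcessHandle)
    {
        wprintf(L"[*] Set ParentProcess Handle!\n");
        AttributeList.Attributes[AttributeCount].Attribute = PS_ATTRIBUTE_PARENT_PROCESS;
        AttributeList.Attributes[AttributeCount].Size = sizeof(HANDLE);
        AttributeList.Attributes[AttributeCount].ValuePtr = ParentProcessHandle;//PPID
        AttributeCount++;
    }
    if (Interact == 1 && (OSBuildNumber > 9600 || !ParentProcessHandle))
    {
        StdHandle.StdHandleSubsystemType = IMAGE_SUBSYSTEM_WINDOWS_CUI;
        if (!ParentProcessHandle)// none of CREATE_NO_WINDOW CREATE_NEW_CONSOLE DETACHED_PROCESS
        {
            wprintf(L"[*] StdHandle Mode 1\n");
            StdHandle.StdHandleState = PsRequestDuplicate;
            StdHandle.PseudoHandleMask = 0;
        }
        else//StdHandle with ParentProcessHandle is supported since...
        {
            wprintf(L"[*] StdHandle Mode 2, not work...\n");
            StdHandle.StdHandleState = PsAlwaysDuplicate;
            StdHandle.PseudoHandleMask = 0;
        }
        if (OSBuildNumber <= 7601)
        {
            StdHandle.PseudoHandleMask |= CONSOLE_HANDLE(ProcessParameters->StandardInput) ? PS_STD_INPUT_HANDLE : 0;
            StdHandle.PseudoHandleMask |= CONSOLE_HANDLE(ProcessParameters->StandardOutput) ? PS_STD_OUTPUT_HANDLE : 0;
            StdHandle.PseudoHandleMask |= CONSOLE_HANDLE(ProcessParameters->StandardError) ? PS_STD_ERROR_HANDLE : 0;
            wprintf(L"[*] Old StdHandle.HandleMask Set!\n");
        }

        AttributeList.Attributes[AttributeCount].Attribute = PS_ATTRIBUTE_STD_HANDLE_INFO;
        AttributeList.Attributes[AttributeCount].Size = sizeof(PS_STD_HANDLE_INFO);
        AttributeList.Attributes[AttributeCount].ReturnLength = 0;
        AttributeList.Attributes[AttributeCount].ValuePtr = &StdHandle;
        AttributeCount++;
    }
    AttributeList.TotalLength = AttributeCount * sizeof(PS_ATTRIBUTE) + sizeof(SIZE_T);
    wprintf(L"[*] AttributeList.TotalLength = %lld, AttributeCount = %ld\n", AttributeList.TotalLength, AttributeCount);

    Status = NtCreateUserProcess(&hProcess, &hThread, MAXIMUM_ALLOWED, MAXIMUM_ALLOWED, NULL, NULL, ProcessFlags, THREAD_CREATE_FLAGS_CREATE_SUSPENDED, ProcessParameters, &CreateInfo, &AttributeList);
    wprintf(L"[*] NtCreateUserProcess: 0x%08x\n", Status);
    // Preserved for the exit code; Status is reused by the calls below.
    const NTSTATUS CreateStatus = Status;

    if (EnableDebugOutput)
    {
        CreateInfoOutPut(CreateInfo);
        SectionImageInfomationOutPut(SectionImageInfomation);
    }

    if (NT_SUCCESS(CreateStatus))
    {
        wprintf(L"[*] PID=%lld, TID=%lld\n", (ULONGLONG)ClientId.UniqueProcess, (ULONGLONG)ClientId.UniqueThread);
        wprintf(L"[*] CustomCallCsrss: 0x%08x\n", CallCsrss(hProcess, hThread, CreateInfo, Win32ImagePath, NtImagePath, ClientId, SectionImageInfomation));

        Status = NtReadVirtualMemory(hProcess, (PVOID)CreateInfo.SuccessState.PebAddressNative, &peb2, sizeof(peb2), 0);
        if (NT_SUCCESS(Status))
        {
            wprintf(L"[*] ActivationContextData 0x%p\n", peb2.ActivationContextData);
            wprintf(L"[*] SystemDefaultActivationContextData 0x%p\n", peb2.SystemDefaultActivationContextData);
        }

        wprintf(L"[*] NtResumeThread: 0x%08x\n", NtResumeThread(hThread, 0));

        if (Interact != 0)
        {
            wprintf(L"[!] New Process Exited: ");
            Status = NtWaitForSingleObject(hThread, FALSE, NULL);

            Status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &ProcessBasicInfo, sizeof(PROCESS_BASIC_INFORMATION), &ReturnLength);
            if (NT_SUCCESS(Status))
            {
                wprintf(L"0x%08lx\n", ProcessBasicInfo.ExitStatus);
            }
        }

        // The SuccessState arm of CreateInfo's union is only populated on success;
        // on a failed call these fields overlap other arms, so closing them there
        // would pass arbitrary values to NtClose.
        NtClose(CreateInfo.SuccessState.FileHandle);
        NtClose(CreateInfo.SuccessState.SectionHandle);
    }

    if (ParentProcessHandle)
    {
        NtClose(ParentProcessHandle);
        ParentProcessHandle = NULL;
    }

    NtClose(TokenHandle);
    if (hProcess)
        NtClose(hProcess);
    if (hThread)
        NtClose(hThread);

    // NOTE(review): the parameters block is wiped but never returned to the heap;
    // RtlFreeHeap is not declared in the headers visible here, so it leaks until exit.
    CustomSecureZeroMemory(ProcessParameters, ProcessParametersLength);
    CustomSecureZeroMemory(&AttributeList, AttributeList.TotalLength);
    CustomSecureZeroMemory(&ProcessBasicInfo, sizeof(PROCESS_BASIC_INFORMATION));

    ProcessParameters = NULL;
    AttributeList = { 0 };
    return NT_SUCCESS(CreateStatus) ? 0 : CreateStatus;
}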
--------------------------------------------------------------------------------
/NtCreateUserProcess-Native/NtCreateUserProcess-Native/misc.cpp:
--------------------------------------------------------------------------------
1 | #include "misc.hpp"
2 | #include
3 |
// Zero cnt bytes starting at ptr. The stores go through a volatile pointer so
// the optimizer cannot drop them as dead writes (the reason a plain memset is
// avoided for scrubbing). cnt == 0 is a no-op.
void CustomSecureZeroMemory(IN OUT PVOID ptr, IN SIZE_T cnt)
{
    volatile char* cursor = (volatile char*)ptr;
    for (SIZE_T remaining = cnt; remaining != 0; --remaining)
    {
        *cursor = 0;
        ++cursor;
    }
}
14 |
// Base size of RTL_USER_PROCESS_PARAMETERS for the given OS build number.
// Thresholds are checked newest to oldest; the first one the build clears wins.
// Builds older than 6000 are not handled and yield 0.
ULONG GetProcessParametersStructsLength(USHORT BuildNumber)
{
    if (BuildNumber > 22000)
        return sizeof(RTL_USER_PROCESS_PARAMETERS); // 0x448 1096
    if (BuildNumber > 17763)
        return 0x440;                               // 1088
    if (BuildNumber > 16299)
        return 0x420;
    if (BuildNumber > 7601)
        return 0x410;
    if (BuildNumber >= 7600)
        return 0x400;
    if (BuildNumber >= 6000)
        return 0x3F8;                               // 1016
    return 0;
}
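// Debug dump of a PS_CREATE_INFO block after NtCreateUserProcess.
//
// InitState, SuccessState and ExeFormat are arms of one union: after the call the
// bytes belong to whichever arm matches CreateInfo.State. InitState is printed
// as-is for reference, but SuccessState and ExeFormat are only decoded when the
// state says they are valid, instead of presenting overlapping bytes from a failed
// call as if they were handles and addresses.
void CreateInfoOutPut(PS_CREATE_INFO CreateInfo)
{
    wprintf(L"CreateInfo.State: %d\n", (int)CreateInfo.State);
    wprintf(L"CreateInfo.InitFlags: 0x%08x\n", CreateInfo.InitState.u1.InitFlags);
    wprintf(L"CreateInfo.WriteOutputOnExit: 0x%08x\n", CreateInfo.InitState.u1.s1.WriteOutputOnExit);
    wprintf(L"CreateInfo.DetectManifest: 0x%08x\n", CreateInfo.InitState.u1.s1.DetectManifest);
    wprintf(L"CreateInfo.IFEOSkipDebugger: 0x%08x\n", CreateInfo.InitState.u1.s1.IFEOSkipDebugger);
    wprintf(L"CreateInfo.IFEODoNotPropagateKeyState: 0x%08x\n", CreateInfo.InitState.u1.s1.IFEODoNotPropagateKeyState);
    wprintf(L"CreateInfo.ProhibitedImageCharacteristics: 0x%08x\n", CreateInfo.InitState.u1.s1.ProhibitedImageCharacteristics);
    wprintf(L"============================================================================================\n");
    if (CreateInfo.State == PsCreateSuccess)
    {
        wprintf(L"CreateInfo.OutputFlags: 0x%x\n", CreateInfo.SuccessState.u2.OutputFlags);
        wprintf(L"CreateInfo.ProtectedProcess: %d\n", CreateInfo.SuccessState.u2.s2.ProtectedProcess);
        wprintf(L"CreateInfo.ProtectedProcessLight: %d\n", CreateInfo.SuccessState.u2.s2.ProtectedProcessLight);
        wprintf(L"CreateInfo.AddressSpaceOverride: %d\n", CreateInfo.SuccessState.u2.s2.AddressSpaceOverride);
        wprintf(L"CreateInfo.DevOverrideEnabled: %d\n", CreateInfo.SuccessState.u2.s2.DevOverrideEnabled);
        wprintf(L"CreateInfo.ManifestDetected: %d\n", CreateInfo.SuccessState.u2.s2.ManifestDetected);
        wprintf(L"--------------------------------------------------------------------------------------------\n");
        wprintf(L"CreateInfo.FileHandle:0x%p\n", CreateInfo.SuccessState.FileHandle);
        wprintf(L"CreateInfo.SectionHandle: 0x%p\n", CreateInfo.SuccessState.SectionHandle);
        wprintf(L"CreateInfo.UserProcessParametersNative: 0x%p\n", (PVOID)CreateInfo.SuccessState.UserProcessParametersNative);
        wprintf(L"CreateInfo.CurrentParameterFlags: 0x%08x\n", CreateInfo.SuccessState.CurrentParameterFlags);
        wprintf(L"CreateInfo.PebAddressNative: 0x%p\n", (PVOID)CreateInfo.SuccessState.PebAddressNative);
        wprintf(L"CreateInfo.ManifestAddress: 0x%p\n", (PVOID)CreateInfo.SuccessState.ManifestAddress);
        // ManifestSize is a ULONG; %lu matches it instead of the signed %d used before.
        wprintf(L"CreateInfo.ManifestSize: %lu\n", CreateInfo.SuccessState.ManifestSize);
    }
    else
    {
        wprintf(L"CreateInfo.SuccessState: (not valid, State != PsCreateSuccess)\n");
    }
    wprintf(L"--------------------------------------------------------------------------------------------\n");
    if (CreateInfo.State == PsCreateFailExeFormat)
    {
        wprintf(L"CreateInfo.ExeFormat.DllCharacteristics: 0x%08x\n", CreateInfo.ExeFormat.DllCharacteristics);
    }
    else
    {
        wprintf(L"CreateInfo.ExeFormat: (not valid, State != PsCreateFailExeFormat)\n");
    }
    wprintf(L"============================================================================================\n");
}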
// Debug dump of the SECTION_IMAGE_INFORMATION block filled in through
// PS_ATTRIBUTE_IMAGE_INFO: one field per line, then a separator. Output is
// grouped into three wprintf calls but the lines and formats are unchanged.
void SectionImageInfomationOutPut(SECTION_IMAGE_INFORMATION SectionImageInfomation)
{
    // Machine: PROCESSOR_ARCHITECTURE_AMD64 - IMAGE_FILE_MACHINE_AMD64 (author's note)
    wprintf(L"ImageInformation.Machine: 0x%x\n"
            L"ImageInformation.SubSystemType: %d\n"
            L"ImageInformation.SubSystemMinorVersion: %d\n"
            L"ImageInformation.SubSystemMajorVersion: %d\n"
            L"ImageInformation.SubSystemVersion: %d\n",
            SectionImageInfomation.Machine,
            SectionImageInfomation.SubSystemType,
            SectionImageInfomation.SubSystemMinorVersion,
            SectionImageInfomation.SubSystemMajorVersion,
            SectionImageInfomation.SubSystemVersion);
    wprintf(L"ImageInformation.MajorOperatingSystemVersion: %d\n"
            L"ImageInformation.MinorOperatingSystemVersion: %d\n"
            L"ImageInformation.OperatingSystemVersion: %d\n"
            L"ImageInformation.ImageFileSize: %d\n",
            SectionImageInfomation.MajorOperatingSystemVersion,
            SectionImageInfomation.MinorOperatingSystemVersion,
            SectionImageInfomation.OperatingSystemVersion,
            SectionImageInfomation.ImageFileSize);
    wprintf(L"ImageInformation.TransferAddress: 0x%p\n"
            L"ImageInformation.LoaderFlags: %d\n"
            L"ImageInformation.DllCharacteristics: 0x%08x\n"
            L"============================================================================================\n",
            SectionImageInfomation.TransferAddress,
            SectionImageInfomation.LoaderFlags,
            SectionImageInfomation.DllCharacteristics);
}
95 |
--------------------------------------------------------------------------------
/NtCreateUserProcess-Native/NtCreateUserProcess-Native/misc.hpp:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "syscalls.hpp"
3 |
// Debug dump of a PS_CREATE_INFO block to stdout (implemented in misc.cpp).
void CreateInfoOutPut(PS_CREATE_INFO CreateInfo);
// Debug dump of a SECTION_IMAGE_INFORMATION block to stdout (implemented in misc.cpp).
void SectionImageInfomationOutPut(SECTION_IMAGE_INFORMATION SectionImageInfomation);
--------------------------------------------------------------------------------
/NtCreateUserProcess-Native/NtCreateUserProcess-Native/syscalls.cpp:
--------------------------------------------------------------------------------
1 | #include "syscalls.hpp"
2 | #include "ntapi.hpp"
3 | #include
4 | #include
5 |
6 | #define JUMPER
7 |
// Byte pattern GetGlobalVariable() scans ntdll for to find the code that references
// CsrPortHandle (compared in two pieces: 4 bytes at the hit, 3 bytes six bytes earlier).
// Build-specific: if the pattern does not match the loaded ntdll, the handle is never set.
const static BYTE signaturecode[] = { 0x00, 0x48, 0x85, 0xc9, 0x48, 0x89, 0x35 };//0x75 0x07, 0xeb, 0x0a
// Syscall number table; populated elsewhere (not in this excerpt).
SW3_SYSCALL_LIST SW3_SyscallList = { 0 };
// Heap used for CSR capture buffers (per the author's notes in GetGlobalVariable());
// taken from PEB->ProcessHeaps[1], with a signature-based fallback when that is NULL.
PVOID CsrPortHeap = 0;
// Presumably the CSR port handle; read out of ntdll's own variable by GetGlobalVariable().
HANDLE CsrPortHandle = NULL;
// Assigned in GetGlobalVariable() past the end of this excerpt.
ULONG_PTR CsrPortMemoryRemoteDelta = 0;
// OS build number; 0 until set (SC_Address() treats 0 as "unknown"). Consulted here and in main.cpp.
USHORT OSBuildNumber = 0;
// Handed to the child as ProcessParameters->ConsoleHandle by main.cpp when non-NULL.
HANDLE ConhostConsoleHandle = NULL;
// Function pointer called from main.cpp; not initialized in this excerpt.
RtlAllocateHeap_ RtlAllocateHeap;
// Second pattern: its first 3 bytes locate the CsrPortHeap reference on newer builds, and the
// longer prefix/suffix combination locates the CsrPortMemoryRemoteDelta reference.
const static BYTE signaturecode2[] = { 0x48, 0x89, 0x05, 0x00, 0xe8, 0x00, 0x4c, 0x8b, 0x45, 0x00, 0x4c, 0x8b, 0x84, 0x24 };
17 |
18 |
// Hash a NUL-terminated function name, starting from SW3_SEED. Each step reads
// two bytes (the current character and the one after it, which on the last
// iteration is the terminating NUL), mixes them in with SW3_ROR8 of the running
// hash, and doubles the result. Output depends on SW3_SEED from syscalls.hpp.
ULONG_PTR SW3_HashSyscall(PCSTR FunctionName)
{
    ULONG_PTR Hash = SW3_SEED;
    for (PCSTR Cursor = FunctionName; *Cursor != '\0'; ++Cursor)
    {
        WORD PartialName = *(const WORD*)Cursor;
        Hash ^= (ULONG_PTR)PartialName * SW3_ROR8(Hash);
        Hash <<= 1;
    }
    return Hash;
}
33 |
// Find a "syscall; ret" (0f 05 c3) sequence usable for the stub at NtApiAddress.
// The bytes are first expected at a fixed offset inside the stub; if they are not
// there, the same offset is probed in the neighbouring stubs (the author assumes
// 0x20 bytes between them), alternating below/above and walking outward up to 520
// stubs each way. Returns NULL when nothing matches. Nothing here bounds the probes
// to the module, so the caller is expected to pass an address inside ntdll's code.
PVOID SC_Address(PVOID NtApiAddress)
{
    const BYTE SyscallRet[] = { 0x0f, 0x05, 0xc3 };
    const DWORD MaxNeighbours = 520;

    // The author uses a shorter stub offset for builds before 10586 and keeps
    // 0x12 when the build number has not been populated yet.
    ULONG StubOffset = 0x12;
    if (OSBuildNumber != 0 && OSBuildNumber < 10586)
        StubOffset = 0x08;

    PVOID Candidate = SW3_RVA2VA(PVOID, NtApiAddress, StubOffset);
    if (memcmp(SyscallRet, Candidate, sizeof(SyscallRet)) == 0)
        return Candidate;

    for (ULONG32 Step = 1; Step < MaxNeighbours; Step++)
    {
        // Stub below ours.
        Candidate = SW3_RVA2VA(PVOID, NtApiAddress, StubOffset + Step * 0x20);
        if (memcmp(SyscallRet, Candidate, sizeof(SyscallRet)) == 0)
            return Candidate;

        // Stub above ours.
        // NOTE(review): this offset is computed in unsigned 32-bit arithmetic and
        // wraps once Step * 0x20 exceeds StubOffset; what SW3_RVA2VA does with a
        // wrapped value depends on its definition in syscalls.hpp — confirm.
        Candidate = SW3_RVA2VA(PVOID, NtApiAddress, StubOffset - Step * 0x20);
        if (memcmp(SyscallRet, Candidate, sizeof(SyscallRet)) == 0)
            return Candidate;
    }
    return NULL;
}
79 |
// Resolve a few undocumented, build-specific values by scanning instruction bytes in
// ntdll.dll (and, on newer builds, kernelbase!FreeConsole) and store them in the
// file-level globals CsrPortHeap, CsrPortHandle, CsrPortMemoryRemoteDelta and
// ConhostConsoleHandle.
//
// Ntdll / SizeOfNtdll          : image base and SizeOfImage of ntdll.dll (from the caller's PEB walk).
// KernelBase / SizeofKernelBase: image base and SizeOfImage of kernelbase.dll. KernelBase may be 0,
//                               in which case the ConhostConsoleHandle lookup is skipped.
//                               SizeofKernelBase is never read.
// Returns 0 unconditionally, so the caller cannot tell whether any pattern matched; a miss
// simply leaves the corresponding global at whatever value it already had. Results are
// only reported through wprintf.
//
// The byte patterns signaturecode and signaturecode2 are defined outside this function (not
// visible here); every fixed offset below (-6, -3, +6, +11, ...) is tied to their layout and to
// the instruction encoding of a particular range of Windows builds.
int GetGlobalVariable(PVOID Ntdll, DWORD SizeOfNtdll, PVOID KernelBase, DWORD SizeofKernelBase)
{
    // 48 8B 4C 24 50 -- this one might work as well?   (original note, translated)
    // Shrink the scan range so the forward reads below (tempaddress + 11 .. + 15, and the
    // inner +0x40 window) stay inside the image.
    SizeOfNtdll -= 0x100;
    // Pattern "b9 00 80 00 00" (mov ecx, 8000h); only consulted when the ProcessHeaps shortcut
    // below yields NULL. Shadowed by a different local of the same name in the FreeConsole block.
    const static BYTE signaturecode3[] = { 0xb9, 0x00, 0x80, 0x00, 0x00 };

    // Try to avoid HeapAlloc|RtlAllocateHeap; however this way is really unsafe & dangerous...
    // Well, we are likely on the razor's edge..... (walking along the edge of a knife)
    // What if the CaptureBuffer to be allocated is bigger than expected -- try to allocate new memory?
    // How to get the CsrPortHeap address?
    // 1: a heap with ID=2, type = Mapped:Committed, BaseAddress < NtCurrentPeb()->ProcessHeap (easy)
    // 2: find it with a signature
    // Shortcut 1: take the second entry of PEB->ProcessHeaps (heap id 2, hence +8).
    // NOTE(review): PEB->NumberOfHeaps is not checked before indexing, and nothing verifies
    // that the heap found there really is the CSR port heap; a NULL here merely enables the
    // fallback scan inside the first match below.
    CsrPortHeap = *(PVOID*)((ULONG_PTR)(NtCurrentPeb()->ProcessHeaps) + 8);//id = 2,so the second heap is +8

    // mov r8, ...
    // 4C 8B 84 24
    // 4C 8B 45
    PVOID tempaddress = 0;
    DWORD i = 0;
    // Two distinct matches are wanted (CsrPortHandle and CsrPortMemoryRemoteDelta); the scan
    // stops early once both have been found.
    DWORD addresscount = 2;
    for (i = 0; i < SizeOfNtdll && addresscount; i++)
    {
        tempaddress = (char*)Ntdll + i;
        // Match 1: signaturecode[0..3] at tempaddress, signaturecode[0] NOT at -1 and NOT at -2,
        // and signaturecode[4..6] at -6. The backward reads are only evaluated after the first
        // four bytes matched (short-circuit), so they are not reached at the very start of the image
        // in practice, but they are not guarded against it either.
        if (!memcmp(signaturecode, tempaddress, 4)
            && memcmp(signaturecode, (char*)tempaddress - 1, 1)
            && memcmp(signaturecode, (char*)tempaddress - 2, 1) //Badsense: memcmp(signaturecode, (char*)tempaddress - 2(or 3), 1)
            && !memcmp((char*)signaturecode + 4, (char*)tempaddress - 6, 3))
        {
            //wprintf(L"found: 0x%p\n", tempaddress);
            if (!CsrPortHeap)
            {
                // Windows 11 24H2 Insider: the ProcessHeaps shortcut gave NULL, so look up to 0x80
                // bytes back from this match for "mov ecx, 8000h", then up to 0x40 bytes forward for
                // the first three bytes of signaturecode2, and resolve the RIP-relative disp32 after it.
                PVOID x = (char*)tempaddress;
                for (int j = 0; j <= 0x80; j++)
                {
                    if (!memcmp(signaturecode3, (char*)x - j, 5))
                    {
                        x = (char*)x - j + 5;
                        for (int z = 0; z <= 0x40; z++)
                        {
                            if (!memcmp(signaturecode2, (char*)x + z, 3))
                            {
                                x = (char*)x + z + 3;
                                // target = address of the next instruction (x + 4) + disp32.
                                // NOTE(review): the disp32 is read as an unsigned DWORD, so a negative
                                // displacement would be zero-extended instead of sign-extended; this
                                // only works while the referenced global lies above the instruction.
                                PVOID CsrPortHeapAddress = (char*)x + 4 + *(DWORD*)x;
                                CsrPortHeap = *(PVOID*)CsrPortHeapAddress;
                                break;
                            }
                        }
                        break;
                    }
                }

            }
            // RIP-relative resolution of the operand whose disp32 occupies tempaddress-3 .. tempaddress;
            // the next instruction begins at tempaddress + 1. Same unsigned-DWORD caveat as above.
            PVOID CsrPortHandleAddress = ((char*)tempaddress + 1) + *((DWORD*)((__int64)tempaddress - 3));
            //wprintf(L"[+] Get CsrPortHandle Address: 0x%p\n", CsrPortHandleAddress);
            CsrPortHandle = *(PVOID*)CsrPortHandleAddress;
            wprintf(L"[+] CsrPortHandle: 0x%p\n", CsrPortHandle);
            addresscount--;
        }

        // Match 2: signaturecode2[0..2] at tempaddress, signaturecode2[3..4] at +6, and either
        // signaturecode2[5..8] or signaturecode2[9..13] at +11 (two encoding variants).
        if (!memcmp(signaturecode2, tempaddress, 3)
            && !memcmp((char*)signaturecode2 + 3, (char*)tempaddress + 6, 2)
            && (!memcmp((char*)signaturecode2 + 5, (char*)tempaddress + 11, 4) || !memcmp((char*)signaturecode2 + 9, (char*)tempaddress + 11, 5)))
        {
            //wprintf(L"found: 0x%p\n", tempaddress);
            tempaddress = (char*)tempaddress + 3;
            //wprintf(L"tempaddress= %p\n", tempaddress);
            //wprintf(L"hex test2 RSVA: %p\n", (PVOID) * ((DWORD*)(tempaddress)));
            // disp32 at tempaddress, next instruction at tempaddress + 4 (unsigned-DWORD caveat applies).
            PVOID CsrPortMemoryRemoteDeltaAddress = (char*)tempaddress + 4 + *((DWORD*)(tempaddress));
            //wprintf(L"[+] Get CsrPortMemoryRemoteDelta Address: 0x%p\n", CsrPortMemoryRemoteDeltaAddress);
            CsrPortMemoryRemoteDelta = *(ULONG_PTR*)CsrPortMemoryRemoteDeltaAddress;

            wprintf(L"[+] CsrPortMemoryRemoteDelta: 0x%p\n", (PVOID)CsrPortMemoryRemoteDelta);
            addresscount--;
        }
    }

    //find consolehandle
    /*
    typedef _CONSOLE_INFO{
    ULONGLONG ConsoleConnectionState;//0 <--- PS_STD_* likly
    HANDLE CurrentConsoleHandle;//8
    HANDLE ConhostConsoleHandle;//16 <-- This one!
    HANDLE StandardInput;/24
    HANDLE StandardOutput;//32
    HANDLE StandardError;//40
    BOOLEAN CreateConsoleSuccess;//48
    }CONSOLE_INFO, *PCONSOLE_INFO;//56
    */

    // Console-handle lookup; skipped on builds numbered 7601 or lower (presumably the Windows 7
    // era -- not stated in this file) and when kernelbase.dll was not found.
    if (OSBuildNumber > 7601 && KernelBase)
    {
        // NOTE(review): the GetProcAddress() result is not checked; a NULL would make the loop
        // below read the first 0x100 bytes of the address space.
        PVOID FreeConsoleAddress = (PVOID)GetProcAddress((HMODULE)KernelBase, "FreeConsole");
        //BYTE signaturecode3[] = { 0xB9,0x58,0x02,0x00,0x00,0x66,0x3B,0xC1 };
        // "48 8D 0D" = lea rcx, [rip+disp32]. Shadows the function-scope static of the same name above.
        BYTE signaturecode3[] = { 0x48, 0x8D, 0x0D };
        // Note: this int i shadows the DWORD i declared earlier in the function.
        for (int i = 0; i < 0x100; i++)
        {
            tempaddress = (char*)FreeConsoleAddress + i;
            // A 7-byte lea rcx, [rip+disp32] immediately followed by a call (opcode E8).
            if (*(BYTE*)((char*)tempaddress + 7) == 0xE8 && !memcmp(signaturecode3, tempaddress, 3))
            {
                tempaddress = (char*)tempaddress + 3;
                // lea target (tempaddress + 4 + disp32) plus 0x10: the ConhostConsoleHandle slot
                // according to the CONSOLE_INFO sketch above.
                PVOID ConhostConsoleHandleAddress = (char*)tempaddress + 4 + *((DWORD*)(tempaddress)) + 0x10;
                //wprintf(L"[+] Get ConhostConsoleHandleAddress Address: 0x%p\n", ConhostConsoleHandleAddress);
                ConhostConsoleHandle = *(HANDLE*)ConhostConsoleHandleAddress;


                break;
            }
        }

    }

    // Printed regardless of whether the lookups above succeeded.
    wprintf(L"[+] CsrPortHeap: 0x%p\n", CsrPortHeap);
    wprintf(L"[+] ConhostConsoleHandle: 0x%p\n", (PVOID)ConhostConsoleHandle);

    return 0;
}
197 |
// Build the process-wide SW3_SyscallList from ntdll's export table.
//
// Walks the PEB loader list to find ntdll.dll (and kernelbase.dll), records OSBuildNumber and
// RtlAllocateHeap, lets GetGlobalVariable() fill the CSR-related globals, collects every export
// whose name starts with "Zw", sorts the entries by export address, and finally overwrites each
// entry's Address field with a derived value. ABCDEFG() later returns an entry's position in
// that sorted order.
//
// Returns TRUE on success (and immediately, without redoing any work, once Entries[0].Address
// is non-zero), FALSE if ntdll's export directory could not be located.
// Side effects: SW3_SyscallList, OSBuildNumber, RtlAllocateHeap and -- through
// GetGlobalVariable() -- several CSR globals are written; progress is printed with wprintf.
BOOL SW3_PopulateSyscallList()
{
    // Return early if the list is already populated.
    if (SW3_SyscallList.Entries[0].Address)
        return TRUE;

    PSW3_PEB_LDR_DATA Ldr = NtCurrentPeb()->Ldr;
    PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;
    PIMAGE_EXPORT_DIRECTORY ExportDirectoryNtdll = NULL;
    PVOID DllBase = NULL;
    // Get the DllBase address of NTDLL.dll. NTDLL is not guaranteed to be the second
    // in the list, so it's safer to loop through the full list and find it.
    PSW3_LDR_DATA_TABLE_ENTRY LdrEntry;
    PVOID Ntdll = 0;
    DWORD SizeOfNtdll = 0;
    PVOID KernelBase = 0;
    DWORD SizeofKernelBase = 0;
    // Reserved2[1] / Reserved1[0] are the SW3 structs' opaque names for the list head and the
    // forward link of one of the PEB module lists -- presumably the in-memory-order list; confirm
    // against the struct definitions in syscalls.hpp. The walk stops at the first entry whose
    // DllBase is NULL.
    for (LdrEntry = (PSW3_LDR_DATA_TABLE_ENTRY)Ldr->Reserved2[1]; LdrEntry->DllBase != NULL; LdrEntry = (PSW3_LDR_DATA_TABLE_ENTRY)LdrEntry->Reserved1[0])
    {
        DllBase = LdrEntry->DllBase;
        PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)DllBase;
        PIMAGE_NT_HEADERS NtHeaders = SW3_RVA2VA(PIMAGE_NT_HEADERS, DllBase, DosHeader->e_lfanew);
        PIMAGE_DATA_DIRECTORY DataDirectory = (PIMAGE_DATA_DIRECTORY)NtHeaders->OptionalHeader.DataDirectory;

        DWORD VirtualAddress = DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
        if (VirtualAddress == 0) continue;  // no export table: cannot be one of the modules we want

        ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)SW3_RVA2VA(ULONG_PTR, DllBase, VirtualAddress);
        // If this is NTDLL.dll, exit loop.
        PCHAR DllName = SW3_RVA2VA(PCHAR, DllBase, ExportDirectory->Name);

        // The export-directory name is compared 4 bytes at a time, OR'ed with 0x20202020 to fold
        // ASCII letters to lower case. 'nrek' + 'able' are "kern" "elba" in memory order
        // (kernelbase.dll); 0x6c64746e + 0x6c642e6c are "ntdl" "l.dl" (ntdll.dll). Only the first
        // 8 bytes are examined, so no other module may share that prefix.
        if ((*(ULONG*)DllName | 0x20202020) == 'nrek' && (*(ULONG*)(DllName + 4) | 0x20202020) == 'able')
        {
            wprintf(L"[+] KernelBase: 0x%p\n", DllBase);
            KernelBase = DllBase;
            SizeofKernelBase = NtHeaders->OptionalHeader.SizeOfImage;
        }
        if ((*(ULONG*)DllName | 0x20202020) != 0x6c64746e) continue;
        if ((*(ULONG*)(DllName + 4) | 0x20202020) == 0x6c642e6c)
        {
            wprintf(L"[+] NtdllBase: 0x%p\n", DllBase);
            Ntdll = DllBase;
            SizeOfNtdll = NtHeaders->OptionalHeader.SizeOfImage;
            ExportDirectoryNtdll = ExportDirectory;
        }
        if (Ntdll && KernelBase)
            break;
        DllBase = 0;  // reassigned at the top of the next iteration; has no effect on the result
    }
    if (!ExportDirectoryNtdll || !Ntdll)
        return FALSE;
    OSBuildNumber = NtCurrentPeb()->OSBuildNumber;
    RtlAllocateHeap = (RtlAllocateHeap_)GetProcAddress((HMODULE)Ntdll, "RtlAllocateHeap");

    // GetGlobalVariable() always returns 0, so there is nothing to check here; failures
    // inside it are only visible in its printed output.
    GetGlobalVariable(Ntdll, SizeOfNtdll, KernelBase, SizeofKernelBase);

    DWORD NumberOfNames = ExportDirectoryNtdll->NumberOfNames;

    PDWORD Functions = SW3_RVA2VA(PDWORD, Ntdll, ExportDirectoryNtdll->AddressOfFunctions);
    PDWORD Names = SW3_RVA2VA(PDWORD, Ntdll, ExportDirectoryNtdll->AddressOfNames);
    PWORD Ordinals = SW3_RVA2VA(PWORD, Ntdll, ExportDirectoryNtdll->AddressOfNameOrdinals);

    // Populate SW3_SyscallList with unsorted Zw* entries.
    DWORD i = 0;
    PSW3_SYSCALL_ENTRY Entries = SW3_SyscallList.Entries;

    // Export names are visited from the last one backwards.
    // NOTE(review): a do/while runs its body before testing the condition, so
    // NumberOfNames == 0 would read Names[-1].
    do
    {
        PCHAR FunctionName = SW3_RVA2VA(PCHAR, Ntdll, Names[NumberOfNames - 1]);

        // Is this a system call?  0x775a is "Zw" read as a little-endian USHORT.
        if (*(USHORT*)FunctionName == 0x775a)
        {
            Entries[i].Hash = SW3_HashSyscall(FunctionName);
            Entries[i].Address = Functions[Ordinals[NumberOfNames - 1]];
            // SC_Address() returns a code address for this export, or NULL. It is stored shifted
            // left by Hash % 8; ABCDEFG() shifts it back by the same amount at lookup time.
            // NOTE(review): a NULL from SC_Address() is stored as 0 rather than rejected.
            Entries[i].SyscallAddress = (PVOID)((ULONG_PTR)SC_Address(SW3_RVA2VA(PVOID, Ntdll, Entries[i].Address)) << (Entries[i].Hash % 8));

            i++;
            if (i == SW3_MAX_ENTRIES) break;
        }
    } while (--NumberOfNames);

    // Save total number of system calls found.
    SW3_SyscallList.Count = i;

    // Sort the list by address in ascending order (bubble sort on the export RVA).
    // NOTE(review): Count is a DWORD; with Count == 0 the bound Count - 1 wraps to 0xFFFFFFFF
    // and both loops below run far past the array.
    for (DWORD i = 0; i < SW3_SyscallList.Count - 1; i++)
    {
        for (DWORD j = 0; j < SW3_SyscallList.Count - i - 1; j++)
        {
            if (Entries[j].Address > Entries[j + 1].Address)
            {
                // Swap entries.
                SW3_SYSCALL_ENTRY TempEntry;

                TempEntry.Hash = Entries[j].Hash;
                TempEntry.Address = Entries[j].Address;
                TempEntry.SyscallAddress = Entries[j].SyscallAddress;

                Entries[j].Hash = Entries[j + 1].Hash;
                Entries[j].Address = Entries[j + 1].Address;
                Entries[j].SyscallAddress = Entries[j + 1].SyscallAddress;

                Entries[j + 1].Hash = TempEntry.Hash;
                Entries[j + 1].Address = TempEntry.Address;
                Entries[j + 1].SyscallAddress = TempEntry.SyscallAddress;
            }
        }
    }
    // Replace each Address with (Hash * (DWORD)SyscallAddress) << i ('*' binds tighter than '<<').
    // The loop stops one short, so the last entry keeps its RVA. After this point the only
    // reader of Address visible in this file is the early-return check at the top, which
    // relies on Entries[0].Address being non-zero. NOTE(review): for i >= 32 the shift count
    // exceeds the width of a 32-bit operand -- presumably Hash is 32-bit; confirm in syscalls.hpp.
    for (DWORD i = 0; i < SW3_SyscallList.Count - 1; i++)
    {
        Entries[i].Address = Entries[i].Hash * (DWORD)Entries[i].SyscallAddress << i;
    }

    return TRUE;
}
314 |
// Lookup routine called from the assembly trampolines (syscalls*.asm: `call ABCDEFG`).
//
// a1..a4           : float arguments. Under the Windows x64 convention these travel in
//                    xmm0-xmm3, which is why the integer argument registers are not used here;
//                    only their sum takes part in the Index computation.
// FunctionHash     : hash of the wanted Zw* export (5th argument, passed on the stack).
// lpSyscallAddress : out-pointer (6th argument); receives the code address stored for one entry.
//
// Returns 0 if SW3_PopulateSyscallList() fails. Otherwise the low 32 bits hold the index of the
// entry whose Hash equals FunctionHash in the address-sorted SW3_SyscallList, and the high
// 32 bits hold a value derived from a stack address. If no entry matches, the return value is
// an integer conversion of float arithmetic on a1..a4 and identifies nothing -- there is no
// explicit not-found signal for the caller.
EXTERN_C ULONG_PTR ABCDEFG(float a1, float a2, float a3, float a4, ULONG_PTR FunctionHash, PVOID* lpSyscallAddress)
{
    if (!SW3_PopulateSyscallList())
        return 0;

    // Pick one entry by mixing the out-pointer, the address of this frame's FunctionHash slot,
    // the hash and the float arguments ('*' and '+' bind before '|'), reduced modulo Count.
    // NOTE(review): Count == 0 divides by zero here; SW3_PopulateSyscallList() returns TRUE even then.
    ULONG Index = ((ULONG_PTR)lpSyscallAddress | (ULONG_PTR)&FunctionHash * FunctionHash + (ULONG_PTR)(a1 + a2 + a3 + a4)) % SW3_SyscallList.Count;
    // Undo the "<< (Hash % 8)" applied when the list was built. This is the address stored for
    // the entry chosen by Index, which is not necessarily the entry matching FunctionHash;
    // a 0 stored there stays 0.
    *lpSyscallAddress = (PVOID)((ULONG_PTR)SW3_SyscallList.Entries[Index].SyscallAddress >> (SW3_SyscallList.Entries[Index].Hash % 8));

    // Linear search for the entry carrying the requested hash; its position is the result.
    for (DWORD i = 0; i < SW3_SyscallList.Count; i++)
    {
        if (FunctionHash == SW3_SyscallList.Entries[i].Hash)
        {
            // Low 32 bits: the index. High 32 bits: (&i * FunctionHash) << 32, a frame-address-derived value.
            return i|(((ULONG_PTR)&i * FunctionHash) << 32);
        }
    }
    // Not found: fall through to float arithmetic on the dummy arguments.
    // NOTE(review): a1+a2+a3+a4 == 0 gives a float division by zero, and converting a non-finite
    // float to ULONG_PTR is undefined behaviour.
    a1 = a2 - a3;

    return a1*a3+ (a2 / (a1+a2+a3+a4)); //| a3 * a4;
}
--------------------------------------------------------------------------------
/NtCreateUserProcess-Native/NtCreateUserProcess-Native/syscalls1.asm:
--------------------------------------------------------------------------------
.code

EXTERN ABCDEFG: PROC

;; https://www.felixcloutier.com/x64/
;; https://stackoverflow.com/questions/7210034/how-can-i-exchange-the-low-128-bits-and-high-128-bits-in-a-256-bit-avx-ymm-reg
;; https://stackoverflow.com/questions/71555826/cant-set-the-higher-half-of-ymm-registers
;; https://stackoverflow.com/questions/52309909/how-to-move-double-in-rax-into-particular-qword-position-on-ymm-or-zmm-kaby
;; https://stackoverflow.com/questions/41222574/how-to-split-an-xmm-128-bit-register-into-two-64-bit-integer-registers
;; https://stackoverflow.com/questions/53490407/how-to-load-two-packed-64-bit-quadwords-into-a-128-bit-xmm-register
;;
;; Shared entry used by every Nt* stub below: each stub loads its hash constant into rax and
;; branches here. What this PROC leaves behind for ABCDEFG and for NtFastCall2:
;;   [rbp+50h] [rbp+48h] [rbp+40h] [rbp+38h] = original rcx, rdx, r8, r9
;;   ymm1 = {r9, r8} in both 128-bit lanes, ymm2 = {rdx, rcx} in both lanes
;;   [rsp+20h] = the hash (5th C argument), [rsp+28h] = rbp (6th C argument, an out-pointer)
;; NOTE(review): ymm1/ymm2 are volatile under the Windows x64 convention, so their contents
;; survive `call ABCDEFG` only as long as the compiled C code happens not to touch them;
;; syscalls2.asm keeps the same data in the non-volatile xmm6/xmm7 instead.
;; NOTE(review): there is no ret -- when the final jnz is not taken, execution falls through
;; into NtOpenProcess, so the order of the PROCs in this file is load-bearing.
NtFastCall PROC
    push rbx
    push rbp
    push rsi
    push rdi
    push r12
    push r13
    push r14
    push r15
    lea rbp, [rsp-58h]
    sub rsp, 098h

    movq xmm1, rax
    movq xmm0, rcx
    shufpd xmm0, xmm1, 0                 ;; xmm0 = {low: rcx, high: rax}
    mulsd xmm1, xmm0                     ;; product is never used; xmm1 is reloaded below
    ;;vinsertf128 ymm0, ymm0, xmm0, 1

    mov [rbp+50h], rcx
    mov [rbp+48h], rdx
    lea rcx, [rbp+58h]
    lea rdx, [rbp+30h]
    imul rax, rcx                        ;; rax/rcx/rdx are scrambled from here on; ABCDEFG reads only xmm0-3 and the stack

    mov [rbp+40h], r8
    mov [rbp+38h], r9

    movupd xmm1, [rbp+38h]               ;; xmm1 = {r9, r8}
    vinsertf128 ymm1, ymm1, xmm1, 1

    xchg [rbp+38h], rbx
    add r8, r9
    imul r9, rcx
    xchg [rbp+40h], r9

    movupd xmm2, [rbp+48h]               ;; xmm2 = {rdx, rcx}
    vinsertf128 ymm2, ymm2, xmm2, 1

    xchg [rbp+40h], r9                   ;; undoes the previous xchg on this slot
    mov [rbp+38h], r8                    ;; the remaining stores only overwrite slots whose originals are already in ymm1/ymm2
    add rcx, r9
    imul rdx, rax

    ;;mov rax, 0CD52CEDCh
    movhlps xmm4, xmm0                   ;; low qword of xmm4 = high qword of xmm0 = the hash
    movups [rsp+20h], xmm4               ;; [rsp+20h] = hash; [rsp+28h] is overwritten on the next line
    mov [rsp+28h], rbp

    call ABCDEFG
    cmp rax, [rbp+30h]                   ;; [rbp+30h] is never written in this file (stale stack data); presumably always differs
    jnz NtFastCall2
NtFastCall ENDP

;; Each Nt* stub: load its hash into rax, compare it with a register or stack slot that has no
;; relationship to the hash, and branch to NtFastCall. NOTE(review): none of the stubs ends in
;; a ret; if a compare ever matched, execution would fall through into the following PROC.
NtOpenProcess PROC
    mov rax, 0CD52CEDCh
    cmp rax, [rsp+20h]
    jnz NtFastCall
    ;;movups [rsp-0B8h], xmm0
NtOpenProcess ENDP

NtAlpcSendWaitReceivePort PROC
    mov rax, 02AB20B2Eh
    cmp rax, [rsp+28h]
    jnz NtFastCall
NtAlpcSendWaitReceivePort ENDP

;; Opposite sense from the others: branches when the low 32 bits of the hash and [rsp+30h]
;; share no set bit; otherwise falls through into NtFastCall2 with no frame set up.
NtCreateUserProcess PROC
    mov rax, 0D1972FFBh
    mov r10d, eax
    test r10d, DWORD ptr [rsp+30h]
    jz NtFastCall
NtCreateUserProcess ENDP

;; Second half of the trampoline. Reads back the value ABCDEFG stored through its out-pointer
;; (r12 = [rsp+28h] = rbp, so rcx = [rbp]), rebuilds rdx/r8/r9 from ymm1/ymm2 and puts the
;; original rcx in r10, unwinds the frame built by NtFastCall and jumps to that value with
;; rax still holding ABCDEFG's return value.
;; NOTE(review): rcx itself is not restored (it carries the jump target); the trailing ret is unreachable.
NtFastCall2 PROC
    xchg r12, [rsp+28h]                  ;; r12 = rbp saved by NtFastCall (the old r12 is restored by the pop below)
    mov rcx, [r12]                       ;; value written through lpSyscallAddress

    vperm2f128 ymm0, ymm2, ymm1, 3       ;; low lane = upper lane of ymm1 = {r9, r8}
    movq r9, xmm0
    punpckhqdq xmm0, xmm0 ;; broadcast the high half of xmm0 to both halves
    movq r8, xmm0

    vperm2f128 ymm0, ymm2, ymm1, 1       ;; low lane = upper lane of ymm2 = {rdx, rcx}
    movq rdx, xmm0
    punpckhqdq xmm0, xmm0 ;; broadcast the high half of xmm0 to both halves
    movq r10, xmm0                       ;; r10 = original rcx

    add rsp, 098h
    pop r15
    pop r14
    pop r13
    pop r12
    pop rdi
    pop rsi
    pop rbp
    pop rbx
    jmp rcx
    ret                                  ;; unreachable
NtFastCall2 ENDP

NtClose PROC
    mov rax, 09D2DB77Ch
    mov r10d, eax                        ;; low 32 bits of the hash, zero-extended into r10
    cmp r10, rdx
    jnz NtFastCall ; Jump to -> Invoke system call.
NtClose ENDP

NtOpenProcessToken PROC
    mov rax, 093930B9Eh
    cmp rax, rcx
    jnz NtFastCall
NtOpenProcessToken ENDP

NtReadVirtualMemory PROC
    mov rax, 047CF7949h
    cmp rax, r8
    jnz NtFastCall
NtReadVirtualMemory ENDP

NtQueryInformationProcess PROC
    mov rax, 0DD1BF288h
    lea r10, [rsp+28h]                   ;; compares the hash with a stack address
    cmp rax, r10
    jnz NtFastCall
NtQueryInformationProcess ENDP

NtWaitForSingleObject PROC
    mov rax, 02C93A78Ch
    cmp rax, rcx
    jnz NtFastCall
NtWaitForSingleObject ENDP

;; The two instructions after the jnz are only reached if rax == rcx; `ja` after `test` is
;; taken exactly when rdx != 0 (CF is always clear after test).
NtResumeThread PROC
    mov rax, 016BEDCE8h
    cmp rax, rcx
    jnz NtFastCall
    test rdx, rdx
    ja NtOpenProcess
NtResumeThread ENDP

end
--------------------------------------------------------------------------------
/NtCreateUserProcess-Native/NtCreateUserProcess-Native/syscalls2.asm:
--------------------------------------------------------------------------------
.code

EXTERN ABCDEFG: PROC

;; https://stackoverflow.com/questions/41222574/how-to-split-an-xmm-128-bit-register-into-two-64-bit-integer-registers
;; https://stackoverflow.com/questions/53490407/how-to-load-two-packed-64-bit-quadwords-into-a-128-bit-xmm-register
;;
;; Variant of the trampoline in syscalls1.asm that parks the saved arguments in xmm6/xmm7
;; (non-volatile under the Windows x64 convention) instead of ymm1/ymm2. The callee-saved
;; xmm6/xmm7 are spilled to [rbp+10h]/[rbp+20h] here and reloaded by NtFastCall2 / NtClose
;; before the frame is unwound. What this PROC leaves behind:
;;   [rbp+50h] [rbp+48h] [rbp+40h] [rbp+38h] = original rcx, rdx, r8, r9
;;   xmm6 = {r9, r8}, xmm7 = {rdx, rcx}
;;   [rsp+20h] = the hash (5th C argument), [rsp+28h] = rbp (6th C argument, an out-pointer)
;; NOTE(review): there is no ret -- when the final jnz is not taken, execution falls through
;; into NtOpenProcess, so the order of the PROCs in this file is load-bearing.
NtFastCall PROC
    push rbx
    push rbp
    push rsi
    push rdi
    push r12
    push r13
    push r14
    push r15
    lea rbp, [rsp-58h]
    sub rsp, 098h

    movups [rbp+10h], xmm6               ;; spill the callee-saved xmm registers we are about to use
    movups [rbp+20h], xmm7

    movq xmm1, rax
    movq xmm0, rcx
    shufpd xmm0, xmm1, 0                 ;; xmm0 = {low: rcx, high: rax}
    mulsd xmm1, xmm0                     ;; product is never used

    mov [rbp+50h], rcx
    mov [rbp+48h], rdx
    lea rcx, [rbp+58h]
    lea rdx, [rbp+30h]
    imul rax, rcx                        ;; rax/rcx/rdx are scrambled from here on; ABCDEFG reads only xmm0-3 and the stack

    mov [rbp+40h], r8
    mov [rbp+38h], r9

    movupd xmm6, [rbp+38h]               ;; xmm6 = {r9, r8}
    xchg [rbp+38h], rbx
    add r8, r9
    imul r9, rcx
    xchg [rbp+40h], r9

    movupd xmm7, [rbp+48h]               ;; xmm7 = {rdx, rcx}
    xchg [rbp+40h], r9                   ;; undoes the previous xchg on this slot
    mov [rbp+38h], r8
    add rcx, r9
    imul rdx, rax

    movhlps xmm4, xmm0                   ;; low qword of xmm4 = high qword of xmm0 = the hash
    movups [rsp+20h], xmm4               ;; [rsp+20h] = hash; [rsp+28h] is overwritten on the next line
    mov [rsp+28h], rbp

    call ABCDEFG
    cmp rax, [rbp+30h]                   ;; [rbp+30h] is never written in this file (stale stack data); presumably always differs
    jnz NtFastCall2
NtFastCall ENDP

;; Each Nt* stub: load its hash into rax, compare it with a register or stack slot that has no
;; relationship to the hash, and branch to NtFastCall. NOTE(review): apart from NtClose, none of
;; the stubs ends in a ret; if a compare ever matched, execution would fall through into the
;; following PROC.
NtOpenProcess PROC
    mov rax, 046C762A52F8C8406h
    cmp rax, r9
    jnz NtFastCall
    ;;movups [rsp-0B8h], xmm0
NtOpenProcess ENDP

NtAlpcSendWaitReceivePort PROC
    mov rax, 04C0702ABD6319B20h
    cmp rax, [rsp+28h]
    jnz NtFastCall
NtAlpcSendWaitReceivePort ENDP

;; Opposite sense from the others: branches when the low 32 bits of the hash and [rsp+30h]
;; share no set bit; otherwise falls through into NtFastCall2 with no frame set up.
NtCreateUserProcess PROC
    mov rax, 0A56C609DF1D1A7FAh
    mov r10d, eax
    test r10d, DWORD ptr [rsp+30h]
    jz NtFastCall
NtCreateUserProcess ENDP

;; Second half of the trampoline. Reads back the value ABCDEFG stored through its out-pointer
;; (r12 = [rsp+28h] = rbp, so rcx = [rbp]), rebuilds rdx/r8/r9 from xmm6/xmm7 and puts the
;; original rcx in r10, restores xmm6/xmm7, unwinds the frame built by NtFastCall and jumps to
;; that value with rax still holding ABCDEFG's return value.
;; NOTE(review): the two conditional branches to NtClose depend on scrambled data (rbx) or on a
;; flag ucomisd always clears (OF), so they are presumably never taken; the trailing ret is unreachable.
NtFastCall2 PROC
    xchg r12, [rsp+28h]                  ;; r12 = rbp saved by NtFastCall (the old r12 is restored by the pop below)
    mov rcx, [r12]                       ;; value written through lpSyscallAddress

    movq r9, xmm6                        ;; low qword of {r9, r8}
    punpckhqdq xmm6, xmm7                ;; xmm6 = {r8, rcx}
    movq r8, xmm6
    punpckhqdq xmm6, xmm7                ;; xmm6 = {rcx, rcx}
    movq r10, xmm6                       ;; r10 = original rcx
    shufpd xmm6, xmm7, 0                 ;; xmm6 = {rcx, rdx}
    punpckhdq xmm7, xmm6                 ;; xmm7 low qword = interleaved low dwords of rcx and rdx
    punpckhqdq xmm6, xmm6                ;; xmm6 = {rdx, rdx}

    movq rdx, xmm6                       ;; rdx = original rdx
    movq rbx, xmm7                       ;; rbx = interleaved dwords; used only for the compare below

    cmp rbx, r12
    jz NtClose

    ucomisd xmm7, xmm6
    jo NtClose                           ;; ucomisd clears OF, so this is not taken

    movups xmm6, [rbp+10h]               ;; restore the callee-saved xmm registers
    movups xmm7, [rbp+20h]
    add rsp, 098h
    pop r15
    pop r14
    pop r13
    pop r12
    pop rdi
    pop rsi
    pop rbp
    pop rbx
    jmp rcx
    ret                                  ;; unreachable
NtFastCall2 ENDP

;; Reached either by a direct call or via `jz NtClose` in NtFastCall2. The epilogue after the
;; jnz restores xmm6/xmm7 and the pushed registers relative to rbp/rsp, which only line up with
;; the frame built by NtFastCall. NOTE(review): if a direct caller's r10 happened to equal rdx,
;; this would pop a frame that was never pushed.
NtClose PROC
    mov rax, 05AACDBA3C5FCDDD6h
    mov r10d, eax                        ;; low 32 bits of the hash, zero-extended into r10
    cmp r10, rdx
    jnz NtFastCall ; Jump to -> Invoke system call.

    movups xmm6, [rbp+10h]
    movups xmm7, [rbp+20h]
    add rsp, 098h
    pop r15
    pop r14
    pop r13
    pop r12
    pop rdi
    pop rsi
    pop rbp
    pop rbx
    ret
NtClose ENDP

NtOpenProcessToken PROC
    mov rax, 06CDE0960D150C840h
    cmp rax, rcx
    jnz NtFastCall
NtOpenProcessToken ENDP

NtReadVirtualMemory PROC
    mov rax, 03D86579FD523AF76h
    cmp rax, r8
    jnz NtFastCall
NtReadVirtualMemory ENDP

NtQueryInformationProcess PROC
    mov rax, 0220D195D40B9AB80h
    lea r10, [rsp+28h]                   ;; compares the hash with a stack address
    cmp rax, r10
    jnz NtFastCall
NtQueryInformationProcess ENDP

NtWaitForSingleObject PROC
    mov rax, 0E76E43D73BFB18D8h
    cmp rax, rcx
    jnz NtFastCall
NtWaitForSingleObject ENDP

;; The two instructions after the jnz are only reached if rax == rcx; `ja` after `test` is
;; taken exactly when rdx != 0 (CF is always clear after test).
NtResumeThread PROC
    mov rax, 01B1BDA7E957E564Ch
    cmp rax, rcx
    jnz NtFastCall
    test rdx, rdx
    ja NtOpenProcess
NtResumeThread ENDP

end
--------------------------------------------------------------------------------
/NtCreateUserProcess-Post.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.2.32505.173
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NtCreateUserProcess-Post", "NtCreateUserProcess-Post\NtCreateUserProcess-Post.vcxproj", "{CD92026E-3549-445D-894D-2CAA8341C9D3}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {CD92026E-3549-445D-894D-2CAA8341C9D3}.Debug|x64.ActiveCfg = Debug|x64
17 | {CD92026E-3549-445D-894D-2CAA8341C9D3}.Debug|x64.Build.0 = Debug|x64
18 | {CD92026E-3549-445D-894D-2CAA8341C9D3}.Debug|x86.ActiveCfg = Debug|Win32
19 | {CD92026E-3549-445D-894D-2CAA8341C9D3}.Debug|x86.Build.0 = Debug|Win32
20 | {CD92026E-3549-445D-894D-2CAA8341C9D3}.Release|x64.ActiveCfg = Release|x64
21 | {CD92026E-3549-445D-894D-2CAA8341C9D3}.Release|x64.Build.0 = Release|x64
22 | {CD92026E-3549-445D-894D-2CAA8341C9D3}.Release|x86.ActiveCfg = Release|Win32
23 | {CD92026E-3549-445D-894D-2CAA8341C9D3}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {7E624EC8-F82B-4EEC-86D6-06767F5ADCA3}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/NtCreateUserProcess-Post/NtCreateUserProcess-Post.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {cd92026e-3549-445d-894d-2caa8341c9d3}
25 | NtCreateUserProcessPost
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v143
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v143
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v143
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v143
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | true
77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
78 | true
79 |
80 |
81 | Console
82 | true
83 |
84 |
85 |
86 |
87 | Level3
88 | true
89 | true
90 | true
91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
92 | true
93 |
94 |
95 | Console
96 | true
97 | true
98 | true
99 |
100 |
101 |
102 |
103 | Level3
104 | true
105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
106 | true
107 |
108 |
109 | Console
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | true
118 | true
119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
120 | true
121 | Disabled
122 | MultiThreadedDLL
123 |
124 |
125 | Console
126 | true
127 | true
128 | true
129 |
130 |
131 |
132 |
133 |
134 |
135 |
136 |
137 |
138 |
139 | Document
140 | false
141 | ml64 /c %(fileName).asm
142 | %(fileName).obj
143 | ml64 /c %(fileName).asm
144 | %(fileName).obj
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
--------------------------------------------------------------------------------
/NtCreateUserProcess-Post/NtCreateUserProcess-Post.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 源文件
20 |
21 |
22 | 源文件
23 |
24 |
25 | 源文件
26 |
27 |
28 | 源文件
29 |
30 |
31 |
32 |
33 | 头文件
34 |
35 |
36 | 头文件
37 |
38 |
39 | 头文件
40 |
41 |
42 | 头文件
43 |
44 |
45 |
46 |
47 | 源文件
48 |
49 |
50 |
--------------------------------------------------------------------------------
/NtCreateUserProcess-Post/NtCreateUserProcess-Post.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/NtCreateUserProcess-Post/csrss.cpp:
--------------------------------------------------------------------------------
1 | #include "csrss.hpp"
2 | #include "ntapi.hpp"
3 | #include
4 |
5 | // CsrPortHandle and CsrPortMemoryRemoteDelta can be init from CsrpConnectToServer? but we won't do it... Ovo
// Send an already-built CSR API message to the CSRSS port and return the server's status.
//
// ApiMessage    : message to send. Its header fields (ApiNumber, h.u1.Length, h.u2.ZeroInit,
//                 CaptureBuffer) are filled in here; the payload must already be in ApiMessage->u.
// CaptureBuffer : capture buffer attached to the message. It is dereferenced unconditionally --
//                 NOTE(review): passing NULL faults at the FreeSpace write below.
// ApiNumber     : CSR API number; bit 28 is cleared (& 0xEFFFFFFF) before it is stored. The meaning
//                 of that bit is not stated anywhere in this file.
// DataLength    : size of the payload in ApiMessage->u.
//
// Returns ApiMessage->ReturnValue as set by the server, or the NtAlpcSendWaitReceivePort status
// when the transport call itself fails. Relies on the file-level globals CsrPortHandle and
// CsrPortMemoryRemoteDelta having been resolved beforehand.
NTSTATUS CsrClientCallServer(PCSR_API_MSG ApiMessage, PCSR_CAPTURE_BUFFER CaptureBuffer, ULONG ApiNumber, ULONG DataLength)
{
    //Without Any SecureCheck is Unsafe but Faster!
    NTSTATUS Status = -1;  // initial value is never observed; overwritten by the ALPC call below
    ApiMessage->ApiNumber = ApiNumber & 0xEFFFFFFF;
    ApiMessage->h.u2.ZeroInit = 0;
    // Low 16 bits: DataLength + (offset of u minus the port-message header size);
    // high 16 bits: DataLength + (sizeof(CSR_API_MSG) minus sizeof(u)). The author notes the
    // constant part as 0x400018.
    ApiMessage->h.u1.Length = (DataLength | (DataLength << 16)) + (((sizeof(CSR_API_MSG) - sizeof(ApiMessage->u)) << 16) | (FIELD_OFFSET(CSR_API_MSG, u) - sizeof(ApiMessage->h)));// +0x400018
    // The server sees the capture buffer at a different address; rebase the pointer by the remote delta.
    ApiMessage->CaptureBuffer = (PCSR_CAPTURE_BUFFER)((char*)CaptureBuffer + CsrPortMemoryRemoteDelta);
    CaptureBuffer->FreeSpace = 0;//Mark the fact that we are done allocating space from the end of the capture buffer.
    ULONG_PTR Pointer = 0;
    ULONG CountPointers = CaptureBuffer->CountMessagePointers;
    PULONG_PTR PointerOffsets = CaptureBuffer->MessagePointerOffsets;
    // Each MessagePointerOffsets entry holds the absolute address of a pointer inside the message
    // (0 = unused slot). Rebase the pointer it refers to by the remote delta, and turn the entry
    // itself into an offset from ApiMessage so the server can locate it.
    while (CountPointers--) {
        Pointer = *PointerOffsets++;
        if (Pointer != 0) {
            *(PULONG_PTR)Pointer += CsrPortMemoryRemoteDelta;
            PointerOffsets[-1] = Pointer - (ULONG_PTR)ApiMessage;
        }
    }
    /* SIZE
    CSR_API_MSG = 432
    DataLength = 536
    BASE_API_MSG = 600?
    */
    // NOTE(review): 952 is a hard-coded guess (the author marks it as unknown). It is passed
    // by address as the length argument of the call below; presumably a reply larger than this
    // cannot be received -- confirm against the NtAlpcSendWaitReceivePort contract.
    SIZE_T ALPC_Size = 952;//unknow size? TotalLength??
    //tip: CsrPortHandle is related to OS version and (debug?)
    Status = NtAlpcSendWaitReceivePort(//in csrclientcallserver,since win 10 2004 but work well in win 7/2008/2012....
        CsrPortHandle,
        ALPC_MSGFLG_SYNC_REQUEST,
        (PPORT_MESSAGE)ApiMessage,
        0,
        (PPORT_MESSAGE)ApiMessage,
        &ALPC_Size,// [Optional]
        0,
        0
    );
    // STATUS_ILLEGAL_FUNCTION?
    wprintf(L"[*] ALPC Status: 0x%08x\n", Status);
    wprintf(L"[*] ALPC ApiMessage ReturnStatus : 0x%08x\n", ApiMessage->ReturnValue);
    /*
    if (!NT_SUCCESS(Status) || !NT_SUCCESS(ApiMessage->ReturnValue))
    {
    wprintf(L"[-] NtAlpcSendWaitReceivePort Fail,retry with LPC...\n");
    Status = NtRequestWaitReplyPort(CsrPortHandle, &TempApiMessage, (PPORT_MESSAGE)ApiMessage);
    wprintf(L"[*] LPC Status: 0x%08x\n", Status);
    wprintf(L"[*] LPC ApiMessage ReturnStatus: 0x%08x\n", ApiMessage->ReturnValue);
    }
    */

    // Undo the rebase so the caller sees client-side addresses again.
    ApiMessage->CaptureBuffer = (PCSR_CAPTURE_BUFFER)((char*)CaptureBuffer - CsrPortMemoryRemoteDelta);
    //
    // Loop over all of the pointers to Port Memory within the message
    // itself and convert them into client pointers. Also, convert
    // the offsets pointers to pointers into back into pointers
    //
    PointerOffsets = CaptureBuffer->MessagePointerOffsets;
    CountPointers = CaptureBuffer->CountMessagePointers;
    while (CountPointers--) {
        Pointer = *PointerOffsets++;
        if (Pointer != 0) {
            Pointer += (ULONG_PTR)ApiMessage;//Length
            PointerOffsets[-1] = Pointer;
            *(PULONG_PTR)Pointer -= CsrPortMemoryRemoteDelta;
        }
    }
    // A transport failure takes precedence over whatever ReturnValue the message holds.
    if (!NT_SUCCESS(Status))
        ApiMessage->ReturnValue = Status;
    return ApiMessage->ReturnValue;
}
75 | NTSTATUS CallCsrss(HANDLE hProcess, HANDLE hThread, PS_CREATE_INFO CreateInfo, UNICODE_STRING Win32Path, UNICODE_STRING NtPath, CLIENT_ID ClientId,USHORT DllCharacteristics)
76 | {
77 | //ULONG NtMajorVersion = *(PULONG)(0x7FFE0000 + 0x26C);
78 | //ULONG NtMinorVersion = *(PULONG)(0x7FFE0000 + 0x270);
79 | //wprintf(L"Pre CsrPortHandle: 0x%08x\n", CsrPortHandle);
80 | //wprintf(L"Pre CsrPortMemoryRemoteDelta: 0x%p\n", CsrPortMemoryRemoteDelta);
81 | //wprintf(L"Pre BasepConstructSxsCreateProcessMessage_2008_Address: 0x%p\n", BasepConstructSxsCreateProcessMessage_2008_Address);
82 |
83 | HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
84 | HMODULE kernel32 = GetModuleHandleW(L"kernel32.dll");
85 | CsrCaptureMessageMultiUnicodeStringsInPlace_t CsrCaptureMessageMultiUnicodeStringsInPlace = (CsrCaptureMessageMultiUnicodeStringsInPlace_t)GetProcAddress(ntdll, "CsrCaptureMessageMultiUnicodeStringsInPlace");
86 | _BasepConstructSxsCreateProcessMessage BasepConstructSxsCreateProcessMessage_18 = (_BasepConstructSxsCreateProcessMessage)GetProcAddress(kernel32, "BasepConstructSxsCreateProcessMessage");
87 | _CsrClientCallServer CsrClientCallServer_ntdll = (_CsrClientCallServer)GetProcAddress(ntdll, "CsrClientCallServer");
88 | if (BasepConstructSxsCreateProcessMessage_2008_Address)
89 | BasepConstructSxsCreateProcessMessage_18 = (_BasepConstructSxsCreateProcessMessage)BasepConstructSxsCreateProcessMessage_2008_Address;
90 | wprintf(L"============================================================================================\n");
91 | wprintf(L"[*] kernel32!BasepConstructSxsCreateProcessMessage address: %p\n", BasepConstructSxsCreateProcessMessage_18);
92 | wprintf(L"[*] ntdll!CsrCaptureMessageMultiUnicodeStringsInPlace address: %p\n", CsrCaptureMessageMultiUnicodeStringsInPlace);
93 | wprintf(L"[*] ntdll!CsrClientCallServer_ntdll address: %p\n", CsrClientCallServer_ntdll);
94 |
95 | HANDLE TokenHandle = NULL;
96 | NTSTATUS Status = NULL;
97 | wprintf(L"[*] NtOpenProcessToken: %d\n", NtOpenProcessToken(NtCurrentProcess(), TOKEN_ALL_ACCESS, &TokenHandle));
98 | wprintf(L"[*] TokenHandle: 0x%p\n", TokenHandle);
99 |
100 | PCSR_CAPTURE_BUFFER CaptureBuffer = 0;
101 | Sxs_CreateProcess_UtilityStruct SxsCreateProcessUtilityStruct = { 0 };//88
102 | RtlSecureZeroMemory(&SxsCreateProcessUtilityStruct, sizeof(SxsCreateProcessUtilityStruct));
103 | BASE_API_MSG BaseAPIMessage = { 0 };
104 | PUNICODE_STRING CsrStringsToCapture[6] = { 0 };
105 | CSR_API_NUMBER CSRAPINumber = 0x10000;
106 | ULONG DataLength = 0;
107 | wprintf(L"OS: %d\n", OSBuildNumber);
108 | if (OSBuildNumber >= 18985)//19041 ? 19000
109 | {
110 | wprintf(L"[*] Windows 10 2004+ | Windows Server 2022\n");
111 | PBASE_CREATEPROCESS_MSG BaseCreateProcessMessage = &BaseAPIMessage.u.BaseCreateProcess;
112 | RtlSecureZeroMemory(&BaseCreateProcessMessage->Sxs, sizeof(BaseCreateProcessMessage->Sxs));
113 | BaseCreateProcessMessage->ProcessHandle = hProcess;
114 | BaseCreateProcessMessage->ThreadHandle = hThread;
115 | BaseCreateProcessMessage->ClientId = ClientId;
116 | BaseCreateProcessMessage->CreationFlags = EXTENDED_STARTUPINFO_PRESENT | IDLE_PRIORITY_CLASS;//0x80040 ?? &0xFFFFFFFC
117 | BaseCreateProcessMessage->VdmBinaryType = NULL;
118 | Status = BasepConstructSxsCreateProcessMessage_18(
119 | &NtPath,
120 | &Win32Path,
121 | CreateInfo.SuccessState.FileHandle,
122 | hProcess,
123 | CreateInfo.SuccessState.SectionHandle,
124 | TokenHandle,
125 | (CreateInfo.InitState.u1.InitFlags & 0x4) != 0,//0x4
126 | 0,
127 | 0,//AppCompatSxsData
128 | 0,//AppCompatSxsDataSize
129 | (DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_ISOLATION) != 0,//DllCharacteristics
130 | NULL,
131 | (PPEB)CreateInfo.SuccessState.PebAddressNative,
132 | (PVOID)CreateInfo.SuccessState.ManifestAddress,
133 | CreateInfo.SuccessState.ManifestSize,
134 | &CreateInfo.SuccessState.CurrentParameterFlags,
135 | &BaseCreateProcessMessage->Sxs,
136 | &SxsCreateProcessUtilityStruct
137 | );
138 | BaseCreateProcessMessage->PebAddressNative = CreateInfo.SuccessState.PebAddressNative;
139 | BaseCreateProcessMessage->PebAddressWow64 = CreateInfo.SuccessState.PebAddressWow64;
140 | BaseCreateProcessMessage->ProcessorArchitecture = PROCESSOR_ARCHITECTURE_AMD64;
141 |
142 | CsrStringsToCapture[0] = &BaseCreateProcessMessage->Sxs.Win32Path;//CsrStringsToCapture[0] = &BaseCreateProcessMessage->Sxs.Win32Path;
143 | CsrStringsToCapture[1] = &BaseCreateProcessMessage->Sxs.NtPath;//8+8 Manifest.Path (UNICODE_STRING) | FileHandle? ??????
144 | CsrStringsToCapture[2] = &BaseCreateProcessMessage->Sxs.CacheSxsLanguageBuffer;//Win32AssemblyDirectory 136
145 | CsrStringsToCapture[3] = &BaseCreateProcessMessage->Sxs.AssemblyIdentity;
146 |
147 | CSRAPINumber = 0x1001D;//since 2004
148 | DataLength = sizeof(*BaseCreateProcessMessage);//536 = 0x1c8
149 |
150 | }
151 | else if (OSBuildNumber >= 18214)//18362
152 | {
153 | wprintf(L"[*] Windows 10 1903 | Windows 10 1909\n");
154 | PBASE_CREATEPROCESS_MSG_2012 BaseCreateProcessMessage = &BaseAPIMessage.u.BaseCreateProcess_2012;//OMG
155 | RtlSecureZeroMemory(&BaseCreateProcessMessage->Sxs, sizeof(BaseCreateProcessMessage->Sxs));
156 | BaseCreateProcessMessage->ProcessHandle = hProcess;
157 | BaseCreateProcessMessage->ThreadHandle = hThread;
158 | BaseCreateProcessMessage->ClientId = ClientId;
159 | BaseCreateProcessMessage->CreationFlags = EXTENDED_STARTUPINFO_PRESENT | IDLE_PRIORITY_CLASS;
160 | BaseCreateProcessMessage->VdmBinaryType = NULL;
161 |
162 | Status = BasepConstructSxsCreateProcessMessage_18(
163 | &NtPath,
164 | &Win32Path,
165 | CreateInfo.SuccessState.FileHandle,
166 | hProcess,
167 | CreateInfo.SuccessState.SectionHandle,
168 | TokenHandle,
169 | (CreateInfo.InitState.u1.InitFlags & 0x4) != 0,//0x4
170 | 0,
171 | 0,//AppCompatSxsData
172 | 0,//AppCompatSxsDataSize
173 | (DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_ISOLATION) != 0,//DllCharacteristics
174 | NULL,
175 | (PPEB)CreateInfo.SuccessState.PebAddressNative,
176 | (PVOID)CreateInfo.SuccessState.ManifestAddress,
177 | CreateInfo.SuccessState.ManifestSize,
178 | &CreateInfo.SuccessState.CurrentParameterFlags,
179 | &BaseCreateProcessMessage->Sxs,
180 | &SxsCreateProcessUtilityStruct
181 | );
182 | BaseCreateProcessMessage->PebAddressNative = CreateInfo.SuccessState.PebAddressNative;
183 | BaseCreateProcessMessage->PebAddressWow64 = CreateInfo.SuccessState.PebAddressWow64;
184 | BaseCreateProcessMessage->ProcessorArchitecture = PROCESSOR_ARCHITECTURE_AMD64;
185 |
186 | CsrStringsToCapture[0] = &BaseCreateProcessMessage->Sxs.Win32Path;
187 | CsrStringsToCapture[1] = &BaseCreateProcessMessage->Sxs.NtPath;
188 | CsrStringsToCapture[2] = &BaseCreateProcessMessage->Sxs.CacheSxsLanguageBuffer;
189 | CsrStringsToCapture[3] = &BaseCreateProcessMessage->Sxs.AssemblyIdentity;
190 |
191 | DataLength = sizeof(*BaseCreateProcessMessage);//536 = 0x1c8
192 | }
193 | else if (OSBuildNumber >= 15025)//15063
194 | {
195 | wprintf(L"[*] Windows 10 1803 | Windows 10 1809 | Windows Server 2019\n");
196 | wprintf(L"[*] Windows 10 1703 | Windows 10 1709\n");
197 | PBASE_CREATEPROCESS_MSG_2016 BaseCreateProcessMessage;
198 | BaseCreateProcessMessage = &BaseAPIMessage.u.BaseCreateProcess_2016;
199 | RtlSecureZeroMemory(&BaseCreateProcessMessage->Sxs, sizeof(BaseCreateProcessMessage->Sxs));
200 |
201 | BaseCreateProcessMessage->ProcessHandle = hProcess;
202 | BaseCreateProcessMessage->ThreadHandle = hThread;
203 | BaseCreateProcessMessage->ClientId = ClientId;
204 | BaseCreateProcessMessage->CreationFlags = EXTENDED_STARTUPINFO_PRESENT | IDLE_PRIORITY_CLASS;
205 | BaseCreateProcessMessage->VdmBinaryType = NULL;
206 |
207 | Status = BasepConstructSxsCreateProcessMessage_18(
208 | &NtPath,
209 | &Win32Path,
210 | CreateInfo.SuccessState.FileHandle,
211 | hProcess,
212 | CreateInfo.SuccessState.SectionHandle,
213 | TokenHandle,
214 | (CreateInfo.InitState.u1.InitFlags & 0x4) != 0,
215 | 0,
216 | 0,
217 | 0,
218 | (DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_ISOLATION) != 0,
219 | NULL,
220 | (PPEB)CreateInfo.SuccessState.PebAddressNative,
221 | (PVOID)CreateInfo.SuccessState.ManifestAddress,
222 | CreateInfo.SuccessState.ManifestSize,
223 | &CreateInfo.SuccessState.CurrentParameterFlags,
224 | &BaseCreateProcessMessage->Sxs,
225 | &SxsCreateProcessUtilityStruct
226 | );
227 | BaseCreateProcessMessage->PebAddressNative = CreateInfo.SuccessState.PebAddressNative;
228 | BaseCreateProcessMessage->PebAddressWow64 = CreateInfo.SuccessState.PebAddressWow64;
229 | BaseCreateProcessMessage->ProcessorArchitecture = PROCESSOR_ARCHITECTURE_AMD64;
230 |
231 | CsrStringsToCapture[0] = &BaseCreateProcessMessage->Sxs.Win32Path;
232 | CsrStringsToCapture[1] = &BaseCreateProcessMessage->Sxs.NtPath;
233 | CsrStringsToCapture[2] = &BaseCreateProcessMessage->Sxs.CacheSxsLanguageBuffer;
234 | CsrStringsToCapture[3] = &BaseCreateProcessMessage->Sxs.AssemblyIdentity;
235 |
236 | DataLength = sizeof(*BaseCreateProcessMessage);//264
237 | }
238 | else if (OSBuildNumber >= 10041)//10240
239 | {
240 | wprintf(L"[*] Windows 10 1507 | Windows 10 1511 | Windows 10 1607 | Windows Server 2016\n");
241 | PBASE_CREATEPROCESS_MSG_2016 BaseCreateProcessMessage;
242 | BaseCreateProcessMessage = &BaseAPIMessage.u.BaseCreateProcess_2016;
243 | RtlSecureZeroMemory(&BaseCreateProcessMessage->Sxs, sizeof(BaseCreateProcessMessage->Sxs));
244 |
245 | BaseCreateProcessMessage->ProcessHandle = hProcess;
246 | BaseCreateProcessMessage->ThreadHandle = hThread;
247 | BaseCreateProcessMessage->ClientId = ClientId;
248 | BaseCreateProcessMessage->CreationFlags = EXTENDED_STARTUPINFO_PRESENT | IDLE_PRIORITY_CLASS;
249 | BaseCreateProcessMessage->VdmBinaryType = NULL;
250 |
251 | _BasepConstructSxsCreateProcessMessage_2016 BasepConstructSxsCreateProcessMessage_2016 = (_BasepConstructSxsCreateProcessMessage_2016)BasepConstructSxsCreateProcessMessage_18;
252 | Status = BasepConstructSxsCreateProcessMessage_2016(
253 | &NtPath,
254 | &Win32Path,
255 | CreateInfo.SuccessState.FileHandle,
256 | hProcess,
257 | CreateInfo.SuccessState.SectionHandle,
258 | TokenHandle,
259 | FALSE,//AlreadyCheck
260 | FALSE,//IsRemovableMedia
261 | (CreateInfo.InitState.u1.InitFlags & 0x4) != 0,
262 | 0,
263 | 0,
264 | 0,
265 | (DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_ISOLATION) != 0,
266 | NULL,
267 | (PPEB)CreateInfo.SuccessState.PebAddressNative,
268 | (PVOID)CreateInfo.SuccessState.ManifestAddress,
269 | CreateInfo.SuccessState.ManifestSize,
270 | &CreateInfo.SuccessState.CurrentParameterFlags,
271 | &BaseCreateProcessMessage->Sxs,
272 | &SxsCreateProcessUtilityStruct
273 | );
274 | BaseCreateProcessMessage->PebAddressNative = CreateInfo.SuccessState.PebAddressNative;
275 | BaseCreateProcessMessage->PebAddressWow64 = CreateInfo.SuccessState.PebAddressWow64;
276 | BaseCreateProcessMessage->ProcessorArchitecture = PROCESSOR_ARCHITECTURE_AMD64;
277 |
278 | CsrStringsToCapture[0] = &BaseCreateProcessMessage->Sxs.Win32Path;
279 | CsrStringsToCapture[1] = &BaseCreateProcessMessage->Sxs.NtPath;
280 | CsrStringsToCapture[2] = &BaseCreateProcessMessage->Sxs.CacheSxsLanguageBuffer;
281 | CsrStringsToCapture[3] = &BaseCreateProcessMessage->Sxs.AssemblyIdentity;
282 |
283 | DataLength = sizeof(*BaseCreateProcessMessage);//264
284 | }
285 | else if (OSBuildNumber >= 8423)//9200
286 | {
287 | //sizeof(BASE_SXS_CREATEPROCESS_MSG_2012);//->sxs = 192
288 | //sizeof(BASE_CREATEPROCESS_MSG_2012);// createprocess total-> 272
289 |
290 | PBASE_CREATEPROCESS_MSG_2012 BaseCreateProcessMessage = &BaseAPIMessage.u.BaseCreateProcess_2012;
291 | RtlSecureZeroMemory(&BaseCreateProcessMessage->Sxs, sizeof(BaseCreateProcessMessage->Sxs));
292 |
293 | BaseCreateProcessMessage->ProcessHandle = hProcess;
294 | BaseCreateProcessMessage->ThreadHandle = hThread;
295 | BaseCreateProcessMessage->ClientId = ClientId;
296 | BaseCreateProcessMessage->CreationFlags = EXTENDED_STARTUPINFO_PRESENT | IDLE_PRIORITY_CLASS;
297 | BaseCreateProcessMessage->VdmBinaryType = NULL;
298 |
299 | if (OSBuildNumber <= 9200)
300 | {
301 | wprintf(L"[*] Windows 8 | Windows Server 2012 \n");
302 | _BasepConstructSxsCreateProcessMessage_2012_old BasepConstructSxsCreateProcessMessage_2012 = (_BasepConstructSxsCreateProcessMessage_2012_old)BasepConstructSxsCreateProcessMessage_18;
303 | Status = BasepConstructSxsCreateProcessMessage_2012(
304 | &NtPath,
305 | &Win32Path,
306 | CreateInfo.SuccessState.FileHandle,
307 | hProcess,
308 | CreateInfo.SuccessState.SectionHandle,
309 | FALSE,//AlreadyCheck
310 | FALSE,//IsRemovableMedia
311 | (CreateInfo.InitState.u1.InitFlags & 0x4) != 0,
312 | 0,
313 | 0,
314 | 0,
315 | (DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_ISOLATION) != 0,
316 | NULL,
317 | (PPEB)CreateInfo.SuccessState.PebAddressNative,
318 | (PVOID)CreateInfo.SuccessState.ManifestAddress,
319 | CreateInfo.SuccessState.ManifestSize,
320 | &CreateInfo.SuccessState.CurrentParameterFlags,
321 | &BaseCreateProcessMessage->Sxs,
322 | &SxsCreateProcessUtilityStruct
323 | );
324 | }
325 | else
326 | {
327 | wprintf(L"[*] Windows 8.1 | Windows Server 2012 R2\n");
328 | BaseCreateProcessMessage->Sxs.UnknowFlags = -1;
329 | _BasepConstructSxsCreateProcessMessage_2016 BasepConstructSxsCreateProcessMessage_2012 = (_BasepConstructSxsCreateProcessMessage_2016)BasepConstructSxsCreateProcessMessage_18;
330 | Status = BasepConstructSxsCreateProcessMessage_2012(
331 | &NtPath,
332 | &Win32Path,
333 | CreateInfo.SuccessState.FileHandle,
334 | hProcess,
335 | CreateInfo.SuccessState.SectionHandle,
336 | TokenHandle,
337 | FALSE,//AlreadyCheck
338 | FALSE,//IsRemovableMedia
339 | (CreateInfo.InitState.u1.InitFlags & 0x4) != 0,
340 | 0,
341 | 0,
342 | 0,
343 | (DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_ISOLATION) != 0,
344 | NULL,
345 | (PPEB)CreateInfo.SuccessState.PebAddressNative,
346 | (PVOID)CreateInfo.SuccessState.ManifestAddress,
347 | CreateInfo.SuccessState.ManifestSize,
348 | &CreateInfo.SuccessState.CurrentParameterFlags,
349 | &BaseCreateProcessMessage->Sxs,
350 | &SxsCreateProcessUtilityStruct
351 | );
352 | }
353 | BaseCreateProcessMessage->PebAddressNative = CreateInfo.SuccessState.PebAddressNative;
354 | BaseCreateProcessMessage->PebAddressWow64 = CreateInfo.SuccessState.PebAddressWow64;
355 | BaseCreateProcessMessage->ProcessorArchitecture = PROCESSOR_ARCHITECTURE_AMD64;
356 |
357 | CsrStringsToCapture[0] = &BaseCreateProcessMessage->Sxs.Win32Path;
358 | CsrStringsToCapture[1] = &BaseCreateProcessMessage->Sxs.NtPath;
359 | CsrStringsToCapture[2] = &BaseCreateProcessMessage->Sxs.CacheSxsLanguageBuffer;
360 | CsrStringsToCapture[3] = &BaseCreateProcessMessage->Sxs.AssemblyIdentity;
361 |
362 | DataLength = sizeof(*BaseCreateProcessMessage);//272 win server 2012
363 | }
364 | else if (OSBuildNumber >= 6000)
365 | {
366 | _BasepConstructSxsCreateProcessMessage_2008 BasepConstructSxsCreateProcessMessage_2008 = (_BasepConstructSxsCreateProcessMessage_2008)BasepConstructSxsCreateProcessMessage_18;
367 | Sxs_CreateProcess_UtilityStruct_2008 SxsCreateProcessUtilityStruct_2008 = { 0 };
368 | RtlSecureZeroMemory(&SxsCreateProcessUtilityStruct_2008, sizeof(SxsCreateProcessUtilityStruct_2008));
369 | if (OSBuildNumber >= 7600)
370 | {
371 | wprintf(L"[*] Windows 7 | Windows Server 2008 | Windows Server 2008 R2\n");
372 | PBASE_CREATEPROCESS_MSG_2012 BaseCreateProcessMessage = &BaseAPIMessage.u.BaseCreateProcess_2012;
373 | RtlSecureZeroMemory(&BaseCreateProcessMessage->Sxs, sizeof(BaseCreateProcessMessage->Sxs));
374 | BaseCreateProcessMessage->ProcessHandle = hProcess;
375 | BaseCreateProcessMessage->ThreadHandle = hThread;
376 | BaseCreateProcessMessage->ClientId = ClientId;
377 | BaseCreateProcessMessage->CreationFlags = EXTENDED_STARTUPINFO_PRESENT | IDLE_PRIORITY_CLASS;
378 | BaseCreateProcessMessage->VdmBinaryType = NULL;
379 | Status = BasepConstructSxsCreateProcessMessage_2008(
380 | &NtPath,
381 | &Win32Path,
382 | CreateInfo.SuccessState.FileHandle,
383 | hProcess,
384 | CreateInfo.SuccessState.SectionHandle,
385 | FALSE,//AlreadyCheck
386 | FALSE,//IsRemovableMedia
387 | (CreateInfo.InitState.u1.InitFlags & 0x4) != 0,
388 | 0,
389 | 0,
390 | 0,
391 | (DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_ISOLATION) != 0, //No AppX
392 | (PPEB)CreateInfo.SuccessState.PebAddressNative,
393 | (PVOID)CreateInfo.SuccessState.ManifestAddress,
394 | CreateInfo.SuccessState.ManifestSize,
395 | &CreateInfo.SuccessState.CurrentParameterFlags,
396 | &BaseCreateProcessMessage->Sxs,//192
397 | &SxsCreateProcessUtilityStruct_2008 //472
398 | );
399 | if (!NT_SUCCESS(Status) || BaseCreateProcessMessage->Sxs.Win32Path.Length <= 2)
400 | {
401 | wprintf(L"Error?\n");
402 | }
403 | BaseCreateProcessMessage->PebAddressNative = CreateInfo.SuccessState.PebAddressNative;
404 | BaseCreateProcessMessage->PebAddressWow64 = CreateInfo.SuccessState.PebAddressWow64;
405 | BaseCreateProcessMessage->ProcessorArchitecture = PROCESSOR_ARCHITECTURE_AMD64;
406 |
407 | CsrStringsToCapture[0] = &BaseCreateProcessMessage->Sxs.Win32Path;
408 | CsrStringsToCapture[1] = &BaseCreateProcessMessage->Sxs.NtPath;
409 | CsrStringsToCapture[2] = &BaseCreateProcessMessage->Sxs.CacheSxsLanguageBuffer;
410 | CsrStringsToCapture[3] = &BaseCreateProcessMessage->Sxs.AssemblyIdentity;
411 | DataLength = sizeof(*BaseCreateProcessMessage);//272
412 | }
413 | else
414 | {
415 | wprintf(L"[*] Windows Vista (6000-6002)| Windows Server 2008 (6002-6003)\n");
416 | PBASE_CREATEPROCESS_MSG_2016 BaseCreateProcessMessage = &BaseAPIMessage.u.BaseCreateProcess_2016;
417 | RtlSecureZeroMemory(&BaseCreateProcessMessage->Sxs, sizeof(BaseCreateProcessMessage->Sxs));
418 | BaseCreateProcessMessage->ProcessHandle = hProcess;
419 | BaseCreateProcessMessage->ThreadHandle = hThread;
420 | BaseCreateProcessMessage->ClientId = ClientId;
421 | BaseCreateProcessMessage->CreationFlags = EXTENDED_STARTUPINFO_PRESENT | IDLE_PRIORITY_CLASS;
422 | BaseCreateProcessMessage->VdmBinaryType = NULL;
423 |
424 | Status = BasepConstructSxsCreateProcessMessage_2008(
425 | &NtPath,
426 | &Win32Path,
427 | CreateInfo.SuccessState.FileHandle,
428 | hProcess,
429 | CreateInfo.SuccessState.SectionHandle,
430 | FALSE,//AlreadyCheck
431 | FALSE,//IsRemovableMedia
432 | (CreateInfo.InitState.u1.InitFlags & 0x4) != 0,
433 | 0,
434 | 0,
435 | 0,
436 | (DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_ISOLATION) != 0, //No AppX
437 | (PPEB)CreateInfo.SuccessState.PebAddressNative,
438 | (PVOID)CreateInfo.SuccessState.ManifestAddress,
439 | CreateInfo.SuccessState.ManifestSize,
440 | &CreateInfo.SuccessState.CurrentParameterFlags,
441 | &BaseCreateProcessMessage->Sxs,//184 old vista
442 | &SxsCreateProcessUtilityStruct_2008 //472
443 | );
444 | BaseCreateProcessMessage->PebAddressNative = CreateInfo.SuccessState.PebAddressNative;
445 | BaseCreateProcessMessage->PebAddressWow64 = CreateInfo.SuccessState.PebAddressWow64;
446 | BaseCreateProcessMessage->ProcessorArchitecture = PROCESSOR_ARCHITECTURE_AMD64;
447 |
448 | CsrStringsToCapture[0] = &BaseCreateProcessMessage->Sxs.Win32Path;
449 | CsrStringsToCapture[1] = &BaseCreateProcessMessage->Sxs.NtPath;
450 | CsrStringsToCapture[2] = &BaseCreateProcessMessage->Sxs.CacheSxsLanguageBuffer;
451 | CsrStringsToCapture[3] = &BaseCreateProcessMessage->Sxs.AssemblyIdentity;
452 | DataLength = sizeof(*BaseCreateProcessMessage);//264
453 | }
454 | }
455 | else
456 | {
457 | return 0xC00000BB;//STATUS_NOT_SUPPORTED
458 | }
459 | wprintf(L"[+] BasepConstructSxsCreateProcessMessage: 0x%08x\n", Status);
460 | if (!NT_SUCCESS(Status))
461 | return Status;
462 | if (CsrStringsToCapture[0] != NULL)
463 | {
464 | wprintf(L"BaseCreateProcessMessage->Sxs.Win32Path: %ls\n", CsrStringsToCapture[0]->Buffer);
465 | wprintf(L"BaseCreateProcessMessage->Sxs.NtPath: %ls\n", CsrStringsToCapture[1]->Buffer);
466 | wprintf(L"BaseCreateProcessMessage->Sxs.CacheSxsLanguageBuffer: %ls\n", CsrStringsToCapture[2]->Buffer);
467 | wprintf(L"BaseCreateProcessMessage->Sxs.AssemblyIdentity: %ls\n", CsrStringsToCapture[3]->Buffer);
468 | wprintf(L"[+] CsrCaptureMessageMultiUnicodeStringsInPlace: 0x%08x\n", CsrCaptureMessageMultiUnicodeStringsInPlace(&CaptureBuffer, 4, CsrStringsToCapture));
469 | if (CsrPortHandle && CsrPortMemoryRemoteDelta)
470 | {
471 | wprintf(L"[+] Custom CsrClientCallServer\n");
472 | Status = CsrClientCallServer((PCSR_API_MSG)&BaseAPIMessage, CaptureBuffer, CSRAPINumber, DataLength);
473 | }
474 | else
475 | {
476 | wprintf(L"[*] Ntdll CsrClientCallServer\n");
477 | Status = CsrClientCallServer_ntdll((PCSR_API_MSG)&BaseAPIMessage, CaptureBuffer, CSRAPINumber, DataLength);
478 | }
479 | }
480 | else
481 | {
482 | Status = 0xc0000005;
483 | }
484 | return Status;
485 | }
486 | //CREATE_SECURE_PROCESS
487 |
488 |
--------------------------------------------------------------------------------
/NtCreateUserProcess-Post/csrss.hpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/je5442804/NtCreateUserProcess-Post/bc220e5f0e3f6911f678214aa246054562dc6f24/NtCreateUserProcess-Post/csrss.hpp
--------------------------------------------------------------------------------
/NtCreateUserProcess-Post/main.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include "ntapi.hpp"
3 | #include "output.hpp"
4 | #include "csrss.hpp"
5 | #define ALIGN(x,align) (((ULONG)(x)+(align)-1UL)&(~((align)-1UL)))
6 |
7 | //#define OUTPUT
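// Fills a UNICODE_STRING that aliases an existing NUL-terminated buffer (no copy).
// Length excludes the terminator and MaximumLength includes it, both in bytes —
// the same layout the inline assignments in the original wmain produced.
static void InitUnicodeStringFromBuffer(UNICODE_STRING* Str, PWSTR Buffer)
{
    const int Chars = lstrlenW(Buffer);
    Str->Buffer = Buffer;
    Str->Length = (unsigned short)(sizeof(WCHAR) * Chars);
    Str->MaximumLength = (unsigned short)(sizeof(WCHAR) * Chars + sizeof(UNICODE_NULL));
}

// Entry point: creates a suspended process with NtCreateUserProcess, registers it with
// csrss.exe through CallCsrss() (csrss.cpp) and then resumes its initial thread — the
// steps CreateProcessInternalW performs internally, done by hand.
//
// Usage: NtCreateUserProcess-Post.exe [ImagePath]
//   argc == 1 -> the default image below is started
//   argc == 2 -> argv[1] is the Win32 path of the image to start
//
// Returns 0 on success, -1 on a usage or path-length error, or the failing NTSTATUS
// (the original returned raw NTSTATUS values from wmain; that contract is kept).
// Handles are deliberately not closed: the process returns right after the last call
// and the OS reclaims them.
int wmain(int argc, wchar_t* argv[])
{
    // ---- 1. Command line -------------------------------------------------------------
    LPCWSTR ImageName = NULL;
    if (argc == 1)
    {
        ImageName = L"C:\\Windows\\System32\\dfrgui.exe";
        wprintf(L"[*] Default: %ls\n", ImageName);
    }
    else if (argc == 2)
    {
        ImageName = argv[1];
    }
    else
    {
        wprintf(L"[*] Example: NtCreateUserProcess-Post.exe C:\\Windows\\system32\\notepad.exe\n[!] On Windows 11 Notepad.exe is AppX so it doesn't work.(AppX no supported yet)\n");
        return -1;
    }
    if (ImageName == NULL)
        return -1;

    // Both scratch buffers below are MAX_PATH wide. wcscat_s() on an oversized
    // argument does not return an error this code would see — it invokes the
    // invalid-parameter handler, which by default aborts the process. Reject
    // over-long paths up front instead: "\??\" (4 chars) + path + NUL must fit,
    // which is the tighter of the two buffers' requirements.
    const size_t ImageChars = wcslen(ImageName);
    if (ImageChars + 4 + 1 > (size_t)MAX_PATH)
    {
        wprintf(L"[-] ImagePath too long: %zu characters, at most %zu are supported\n", ImageChars, (size_t)MAX_PATH - 5);
        return -1;
    }

    // ---- 2. Parent process handle (used for the PsAttributeParentProcess attribute) --
    NTSTATUS Status = 0;
    HANDLE ParentProcessHandle = NULL;
    OBJECT_ATTRIBUTES ObjectAttributes = { 0 };
    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
    CLIENT_ID ParentClientId = { 0 };
    ParentClientId.UniqueProcess = UlongToHandle(GetCurrentProcessId());
    ParentClientId.UniqueThread = (HANDLE)0;

    Status = NtOpenProcess(&ParentProcessHandle, PROCESS_ALL_ACCESS, &ObjectAttributes, &ParentClientId);
    wprintf(L"[*] NtOpenProcess: 0x%08x\n", Status);
    if (!NT_SUCCESS(Status))
        return Status;
    wprintf(L"[+] Parent process handle: %p\n", ParentProcessHandle);

    // Diagnostic only: show the parent's activation-context pointers from its PEB.
    PROCESS_BASIC_INFORMATION BasicInfo = { 0 };
    ULONG ReturnLength = 0;
    SIZE_T BytesRead = 0;
    PEB ParentPeb = { 0 };
    Status = NtQueryInformationProcess(ParentProcessHandle, ProcessBasicInformation, &BasicInfo, sizeof(PROCESS_BASIC_INFORMATION), &ReturnLength);
    wprintf(L"[*] NtQueryInformationProcess: 0x%08x\n", Status);
    wprintf(L"[+] ProcessBasicInformation sizereturn %lu\n", ReturnLength);
    if (NT_SUCCESS(Status)) // PebBaseAddress is only meaningful when the query succeeded
    {
        Status = NtReadVirtualMemory(ParentProcessHandle, BasicInfo.PebBaseAddress, &ParentPeb, sizeof(ParentPeb), &BytesRead);
        wprintf(L"[*] PebBaseAddress NtReadVirtualMemory: 0x%08x\n", Status);
        wprintf(L"[+] peb readsize: %zu\n", BytesRead);
        wprintf(L"[*] ParentProcess Peb.ActivationContextData: 0x%p\n", ParentPeb.ActivationContextData);
        wprintf(L"[*] ParentProcess Peb.SystemDefaultActivationContextData: 0x%p\n", ParentPeb.SystemDefaultActivationContextData);
    }

    // ---- 3. Path strings for the kernel and for the csrss/SxS message ---------------
    // NtPath: "\??\" + Win32 path, the NT-namespace form PsAttributeImageName expects.
    WCHAR NtImageName[MAX_PATH] = { 0 };
    wcscat_s(NtImageName, L"\\??\\");
    wcscat_s(NtImageName, ImageName);
    // CommandLine: the image path in quotes so embedded spaces survive argv splitting.
    WCHAR CommandLineBuffer[MAX_PATH] = { 0 };
    wcscat_s(CommandLineBuffer, L"\"");
    wcscat_s(CommandLineBuffer, ImageName);
    wcscat_s(CommandLineBuffer, L"\"");

    UNICODE_STRING NtPath = { 0 };
    UNICODE_STRING Win32Path = { 0 };
    UNICODE_STRING CommandLine = { 0 };
    InitUnicodeStringFromBuffer(&NtPath, NtImageName);
    InitUnicodeStringFromBuffer(&Win32Path, (PWSTR)ImageName);
    InitUnicodeStringFromBuffer(&CommandLine, CommandLineBuffer);

    // ---- 4. PS_CREATE_INFO -----------------------------------------------------------
    PS_CREATE_INFO CreateInfo = { 0 };
    RtlSecureZeroMemory(&CreateInfo, sizeof(PS_CREATE_INFO));
    CreateInfo.State = PsCreateInitialState;
    CreateInfo.Size = sizeof(PS_CREATE_INFO);
    // 3 presumably == WriteOutputOnExit | DetectManifest, the two lowest InitFlags
    // bits (the bit-field assignments the original left commented out spelled the same).
    CreateInfo.InitState.u1.InitFlags = 3;
    CreateInfo.InitState.AdditionalFileAccess = FILE_READ_ATTRIBUTES | FILE_READ_DATA;

    // ---- 5. RTL_USER_PROCESS_PARAMETERS --------------------------------------------
    HMODULE Ntdll = GetModuleHandleW(L"ntdll.dll");
    t_RtlCreateProcessParametersEx RtlCreateProcessParametersEx = (t_RtlCreateProcessParametersEx)GetProcAddress(Ntdll, "RtlCreateProcessParametersEx");
    if (RtlCreateProcessParametersEx == NULL)
    {
        wprintf(L"[-] RtlCreateProcessParametersEx not found in ntdll.dll\n");
        return -1;
    }
    PRTL_USER_PROCESS_PARAMETERS OwnParameters = NtCurrentPeb()->ProcessParameters;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters = NULL;
    Status = RtlCreateProcessParametersEx(&ProcessParameters,
        &Win32Path,
        NULL,                                   // DllPath: let ntdll build a fresh one
        &OwnParameters->CurrentDirectory.DosPath,
        &CommandLine,
        NULL,                                   // Environment: NULL -> a new one is created
        &Win32Path,                             // WindowTitle: the exe path (console apps need one)
        &OwnParameters->DesktopInfo,            // inherit our desktop name
        NULL,
        NULL,
        RTL_USER_PROCESS_PARAMETERS_NORMALIZED);
    wprintf(L"[*] RtlCreateProcessParametersEx: 0x%08x\n", Status);
    if (!NT_SUCCESS(Status))
        return Status;

    // ---- 6. Attribute list -----------------------------------------------------------
    SECTION_IMAGE_INFORMATION SectionImageInformation = { 0 };
    CLIENT_ID ClientId = { 0 };
    const ULONG AttributeListCount = 4;
    const SIZE_T TotalLength = AttributeListCount * sizeof(PS_ATTRIBUTE) + sizeof(SIZE_T);
    PS_ATTRIBUTE_LIST AttributeList;
    // Zero the whole declared object rather than TotalLength bytes: should the project's
    // PS_ATTRIBUTE_LIST hold fewer than 4 entries, zeroing TotalLength bytes would write
    // past it on the stack. NOTE(review): confirm PS_ATTRIBUTE_LIST in ntapi.hpp declares
    // at least 4 attributes — Attributes[3] is indexed below either way.
    RtlSecureZeroMemory(&AttributeList, sizeof(AttributeList));
    AttributeList.TotalLength = TotalLength;
    // ReturnLength fields are left at 0; the kernel only fills them when asked.
    AttributeList.Attributes[0].Attribute = PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE);
    AttributeList.Attributes[0].Size = NtPath.Length;
    AttributeList.Attributes[0].Value = (ULONG_PTR)NtPath.Buffer;

    AttributeList.Attributes[1].Attribute = PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE);
    AttributeList.Attributes[1].Size = sizeof(HANDLE);
    AttributeList.Attributes[1].ValuePtr = ParentProcessHandle; // parent (PPID) of the new process

    AttributeList.Attributes[2].Attribute = PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE);
    AttributeList.Attributes[2].Size = sizeof(SECTION_IMAGE_INFORMATION);
    AttributeList.Attributes[2].ValuePtr = &SectionImageInformation; // output: image header info

    AttributeList.Attributes[3].Attribute = PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE);
    AttributeList.Attributes[3].Size = sizeof(CLIENT_ID);
    AttributeList.Attributes[3].Value = (ULONG_PTR)&ClientId; // output: new PID/TID

    // ---- 7. Create the process with its initial thread suspended ---------------------
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    // ThreadFlags == 1 (THREAD_CREATE_FLAGS_CREATE_SUSPENDED): the thread must not run
    // before csrss.exe has been told about the process in step 8.
    Status = NtCreateUserProcess(&hProcess, &hThread, MAXIMUM_ALLOWED, MAXIMUM_ALLOWED, NULL, NULL, 0, 1, ProcessParameters, &CreateInfo, &AttributeList);
    wprintf(L"[*] NtCreateUserProcess: 0x%08x\n", Status);
    if (!NT_SUCCESS(Status))
        return Status;
#ifdef OUTPUT
    CreateInfoOutPut(CreateInfo);
    SectionImageInfomationOutPut(SectionImageInformation);
#endif

    // HANDLE values are pointer-sized; the original passed them to %d, a varargs type
    // mismatch on x64. Narrow explicitly instead.
    wprintf(L"[*] PID=%lu, TID=%lu\n", (ULONG)(ULONG_PTR)ClientId.UniqueProcess, (ULONG)(ULONG_PTR)ClientId.UniqueThread);

    // ---- 8. Register the new process with csrss.exe ----------------------------------
    NTSTATUS CsrStatus = CallCsrss(hProcess, hThread, CreateInfo, Win32Path, NtPath, ClientId, SectionImageInformation.DllCharacteristics);
    wprintf(L"[*] CustomCallCsrss: 0x%08x\n", CsrStatus);
    // Kept as in the original: the thread is resumed regardless of CsrStatus so the
    // suspended child is not simply abandoned. If csrss.exe rejected the message the
    // child is unlikely to initialise correctly — check the status above when debugging.

    PEB ChildPeb = { 0 };
    wprintf(L"[*] PEB2Address NtReadVirtualMemory: 0x%08x\n", NtReadVirtualMemory(hProcess, (PVOID)CreateInfo.SuccessState.PebAddressNative, &ChildPeb, sizeof(ChildPeb), &BytesRead));
    wprintf(L"[*] peb2.SystemDefaultActivationContextData 0x%p\n", ChildPeb.SystemDefaultActivationContextData);
    wprintf(L"[*] peb2.ActivationContextData 0x%p\n", ChildPeb.ActivationContextData);
    wprintf(L"[*] NtResumeThread: 0x%08x\n", NtResumeThread(hThread, 0));
    return 0;
}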
--------------------------------------------------------------------------------
/NtCreateUserProcess-Post/output.cpp:
--------------------------------------------------------------------------------
1 | #include "output.hpp"
2 | #include
3 |
4 |
// Dumps a PS_CREATE_INFO as returned by NtCreateUserProcess: the request-side
// InitState bits first, then the kernel-filled SuccessState block, then the
// ExeFormat DllCharacteristics. Output is byte-identical to the previous version.
void CreateInfoOutPut(PS_CREATE_INFO CreateInfo)
{
    const PS_CREATE_INFO* Info = &CreateInfo;
    static const wchar_t* const DoubleRule = L"============================================================================================\n";
    static const wchar_t* const SingleRule = L"--------------------------------------------------------------------------------------------\n";

    // Request side: what the caller asked for
    wprintf(L"CreateInfo.InitFlags: 0x%08x\n", Info->InitState.u1.InitFlags);
    wprintf(L"CreateInfo.WriteOutputOnExit: 0x%08x\n", Info->InitState.u1.s1.WriteOutputOnExit);
    wprintf(L"CreateInfo.DetectManifest: 0x%08x\n", Info->InitState.u1.s1.DetectManifest);
    wprintf(L"CreateInfo.IFEOSkipDebugger: 0x%08x\n", Info->InitState.u1.s1.IFEOSkipDebugger);
    wprintf(L"CreateInfo.IFEODoNotPropagateKeyState: 0x%08x\n", Info->InitState.u1.s1.IFEODoNotPropagateKeyState);
    wprintf(L"CreateInfo.SpareBits1: 0x%08x\n", Info->InitState.u1.s1.SpareBits1);
    wprintf(L"CreateInfo.SpareBits2: 0x%08x\n", Info->InitState.u1.s1.SpareBits2);
    wprintf(L"CreateInfo.ProhibitedImageCharacteristics: 0x%08x\n", Info->InitState.u1.s1.ProhibitedImageCharacteristics);
    fputws(DoubleRule, stdout);

    // Result side: output flags set by the kernel
    wprintf(L"CreateInfo.OutputFlags: %d\n", Info->SuccessState.u2.OutputFlags);
    wprintf(L"CreateInfo.ProtectedProcess: %d\n", Info->SuccessState.u2.s2.ProtectedProcess);
    wprintf(L"CreateInfo.ProtectedProcessLight: %d\n", Info->SuccessState.u2.s2.ProtectedProcessLight);
    wprintf(L"CreateInfo.AddressSpaceOverride: %d\n", Info->SuccessState.u2.s2.AddressSpaceOverride);
    wprintf(L"CreateInfo.DevOverrideEnabled: %d\n", Info->SuccessState.u2.s2.DevOverrideEnabled);
    wprintf(L"CreateInfo.ManifestDetected: %d\n", Info->SuccessState.u2.s2.ManifestDetected);
    wprintf(L"CreateInfo.SpareBits1: 0x%03x\n", Info->SuccessState.u2.s2.SpareBits1);
    wprintf(L"CreateInfo.SpareBits2: 0x%08x\n", Info->SuccessState.u2.s2.SpareBits2);
    wprintf(L"CreateInfo.SpareBits3: 0x%08x\n", Info->SuccessState.u2.s2.SpareBits3);
    fputws(SingleRule, stdout);

    // Result side: handles and addresses handed back for the new process
    wprintf(L"CreateInfo.FileHandle:0x%p\n", Info->SuccessState.FileHandle);
    wprintf(L"CreateInfo.SectionHandle: 0x%p\n", Info->SuccessState.SectionHandle);
    wprintf(L"CreateInfo.UserProcessParametersNative: 0x%p\n", Info->SuccessState.UserProcessParametersNative);
    wprintf(L"CreateInfo.CurrentParameterFlags: 0x%08x\n", Info->SuccessState.CurrentParameterFlags);
    wprintf(L"CreateInfo.PebAddressNative: 0x%p\n", Info->SuccessState.PebAddressNative);
    wprintf(L"CreateInfo.ManifestAddress: 0x%p\n", Info->SuccessState.ManifestAddress);
    wprintf(L"CreateInfo.ManifestSize: %d\n", Info->SuccessState.ManifestSize);
    fputws(SingleRule, stdout);

    // Only meaningful when the kernel reported an executable-format problem
    wprintf(L"CreateInfo.ExeFormat.DllCharacteristics: 0x%08x\n", Info->ExeFormat.DllCharacteristics);
    fputws(DoubleRule, stdout);
}
// Dumps the SECTION_IMAGE_INFORMATION returned through the PsAttributeImageInfo
// attribute (PE header summary of the new process image). Output is byte-identical
// to the previous version.
void SectionImageInfomationOutPut(SECTION_IMAGE_INFORMATION SectionImageInfomation)
{
    const SECTION_IMAGE_INFORMATION* Sii = &SectionImageInfomation;

    // Machine is the IMAGE_FILE_MACHINE_* value (34404 == IMAGE_FILE_MACHINE_AMD64)
    wprintf(L"ImageInformation.Machine: %d\n", Sii->Machine);
    wprintf(L"ImageInformation.SubSystemType: %d\n", Sii->SubSystemType);
    wprintf(L"ImageInformation.SubSystemMinorVersion: %d\n", Sii->SubSystemMinorVersion);
    wprintf(L"ImageInformation.SubSystemMajorVersion: %d\n", Sii->SubSystemMajorVersion);
    wprintf(L"ImageInformation.SubSystemVersion: %d\n", Sii->SubSystemVersion);
    wprintf(L"ImageInformation.MajorOperatingSystemVersion: %d\n", Sii->MajorOperatingSystemVersion);
    wprintf(L"ImageInformation.MinorOperatingSystemVersion: %d\n", Sii->MinorOperatingSystemVersion);
    wprintf(L"ImageInformation.OperatingSystemVersion: %d\n", Sii->OperatingSystemVersion);
    wprintf(L"ImageInformation.ImageFileSize: %d\n", Sii->ImageFileSize);
    wprintf(L"ImageInformation.TransferAddress: 0x%p\n", Sii->TransferAddress);
    wprintf(L"ImageInformation.LoaderFlags: %d\n", Sii->LoaderFlags);
    wprintf(L"ImageInformation.DllCharacteristics: 0x%08x\n", Sii->DllCharacteristics);
    fputws(L"============================================================================================\n", stdout);
}
55 |
--------------------------------------------------------------------------------
/NtCreateUserProcess-Post/output.hpp:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "syscalls.hpp"
3 |
4 | void CreateInfoOutPut(PS_CREATE_INFO CreateInfo);
5 | void SectionImageInfomationOutPut(SECTION_IMAGE_INFORMATION SectionImageInfomation);
--------------------------------------------------------------------------------
/NtCreateUserProcess-Post/syscalls.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/je5442804/NtCreateUserProcess-Post/bc220e5f0e3f6911f678214aa246054562dc6f24/NtCreateUserProcess-Post/syscalls.cpp
--------------------------------------------------------------------------------
/NtCreateUserProcess-Post/syscalls.hpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/je5442804/NtCreateUserProcess-Post/bc220e5f0e3f6911f678214aa246054562dc6f24/NtCreateUserProcess-Post/syscalls.hpp
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # NtCreateUserProcess-Post && NtCreateUserProcess-Native
2 | NtCreateUserProcess with CsrClientCallServer for mainstream Windows x64 versions.
3 |
4 | Reimplement this: __NtCreateUserProcess->BasepConstructSxsCreateProcessMessage->
5 | ->CsrCaptureMessageMultiUnicodeStringsInPlace->CsrClientCallServer__
6 |
7 | __This project could be useless, however it's also useful to learn!__
8 |
9 | I'll try to fix some known bugs. Any questions, suggestions and pull requests are welcome __:)__
10 | __I will mainly try to support ALL Windows x64 versions from Win 7 to Win 11.__
11 |
12 | NtCreateUserProcess-Native supports Standard IO Redirect.
13 | NtCreateUserProcess-Native is the Native Edition, which removes BasepConstructSxsCreateProcessMessage, RtlCreateProcessParametersEx, CsrCaptureMessageMultiUnicodeStringsInPlace... — does that avoid any user-mode function hook?
14 |
15 | NtCreateUserProcess-Native is created for OPSEC, RedTeam purpose.
16 | __I have enabled CFG in NtCreateUserProcess-Native Project Settings.__
17 |
18 | __There is no plan to support AppX Package in this project.__
19 | __I have nearly finished Reverse Engineering of CreateProcessInternalW of Windows 21H*,__
20 | __but a few improvement,struct, data type... required, I need more time...__
21 | __Try [CreateProcessInternalW-Full](https://github.com/je5442804/CreateProcessInternalW-Full) instead__
22 | Hopefully the later CreateProcessInternalW project, which is reimplemented to support AppX, 16-bit RaiseError and .bat && .cmd files,
23 | will help you gain different knowledge and understanding.
24 |
25 | ## Reverse Engineering
26 | After the release of [Direct-NtCreateUserProcess](https://github.com/D0pam1ne705/Direct-NtCreateUserProcess) and article by D0pam1ne705,
27 | I think I should also share my Reverse Engineering results for CreateProcessInternalW (there's no need to keep them private).
28 | Unlike his reversing route, I didn't kernel-debug ALPC and csrss.exe,
29 | but mainly relied on IDA and on analysing the parameters in memory.
30 |
31 | ## Example
32 | __NtCreateUserProcess-Post.exe (ImagePath)__
33 | (NtCreateUserProcess-Post Temporarily Deprecated??? I'm lazy...ovO)
34 | (Default is C:\Windows\System32\dfrgui.exe without special ImagePath)
35 | (1) NtCreateUserProcess-Post.exe
36 | (2) NtCreateUserProcess-Post.exe C:\Windows\System32\notepad.exe
37 | (3) NtCreateUserProcess-Post.exe C:\Windows\System32\taskmgr.exe
38 | (4) NtCreateUserProcess-Post.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
39 | and so on...
40 | C:\Windows\System32\DisplaySwitch.exe
41 | "C:\Program Files\Google\Chrome\Application\chrome.exe"
42 | C:\Windows\System32\Magnify.exe
43 | ......
44 |
45 | __NtCreateUserProcess-Native.exe (-c ImagePath) (-i InteractType)__
46 | __(Standard File IO redirect is already supported in NtCreateUserProcess-Native!)__
47 |
48 | -i 0: (Default) No interaction mode is used, like CREATE_NEW_CONSOLE
49 | -i 1: StdHandle via AttributeList, like bInheritHandles = FALSE
50 | -i 2: Set ProcessParameters Std Input,Output,OutError with CurrentProcessParameters Value, like bInheritHandles = TRUE
51 |
52 | (Default is C:\Windows\System32\dfrgui.exe without special Argument)
53 | (1) NtCreateUserProcess-Native.exe
54 | (2) NtCreateUserProcess-Native.exe -c C:\Windows\system32\cmd.exe -i 1
55 | (3) NtCreateUserProcess-Native.exe -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -i 2
56 | (4) NtCreateUserProcess-Native.exe -c "C:\Program Files\Google\Chrome\Application\chrome.exe" -i 0
57 | ......
58 |
59 | ## My Build Environment
60 | Visual Studio 2022 (Visual Studio 2019 should work)
61 | __Release x64__
62 |
63 | ## BasepConstructSxsCreateProcessMessage???
64 | Well, if you think this one is complex and redundant,
65 | Try the Native Edition [__NtCreateUserProcess-Native__](https://github.com/je5442804/NtCreateUserProcess-Post/tree/main/NtCreateUserProcess-Native)
66 |
67 | ## Tested on (x64 Only):
68 | __Notice: On Windows 11 notepad.exe is AppX so it doesn't work__
69 | Windows 11 23H2 Insider x64 (26020.1000)
70 | Windows 11 21H2 x64 (22000.613)
71 | Windows 10 21H2 x64 (19044.1706)
72 | Windows 10 21H1 x64 (19043.1023)
73 | Windows 10 2004 x64 (19041.264)
74 | Windows 10 1909 x64 (18363.2274)
75 | Windows Server 2019 x64 (17763.107)
76 | Windows 10 1709 x64 (16299.125)
77 | Windows 10 1703 x64 (15063.2078)
78 | Windows Server 2016 x64 (14393.5066)
79 | Windows 10 1607 x64 (14393.447)
80 | Windows 10 1511 x64 (10586.164)
81 | Windows 10 1507 x64 (10240)
82 | Windows Server 2012 R2 x64 (9600)
83 | Windows Server 2012 x64 (9200)
84 | Windows Server 2008 R2 x64 (7601)
85 | Windows 7 SP1 x64 (7601)
86 | Windows Server 2008 R2 x64 (7600)
87 | Windows Server 2008 x64 (6002)
88 | Windows Vista SP2 x64 (6002)
89 | Windows Vista x64 (6000)
90 |
91 |
92 | ## References && Credits
93 |
94 | 1: https://github.com/Microwave89/createuserprocess
95 | 2: https://github.com/PorLaCola25/PPID-Spoofing
96 | 3: https://github.com/processhacker/processhacker
97 | 4: https://www.geoffchappell.com/studies/windows/win32/csrsrv/api/apireqst/api_msg.htm
98 | 5: https://github.com/leecher1337/ntvdmx64
99 | 6: https://github.com/klezVirus/SysWhispers3
100 | 7: https://bbs.pediy.com/thread-207429.htm
101 | 8: https://doxygen.reactos.org
102 | 9: https://github.com/waleedassar/NativeDebugger
103 | 10: https://stackoverflow.com/questions/69599435/running-programs-using-rtlcreateuserprocess-only-works-occasionally
104 | 11: https://medium.com/philip-tsukerman/activation-contexts-a-love-story-5f57f82bccd
105 | 12: https://github.com/ShashankKumarSaxena/nt5src
106 | 13: https://github.com/D4stiny/spectre
107 | 14: https://github.com/x64dbg/TitanEngine
108 | 15: https://github.com/x64dbg/ScyllaHide
109 | 16: https://github.com/deroko/activationcontext
110 | 17: https://medium.com/philip-tsukerman/activation-contexts-a-love-story-5f57f82bccd
111 | 18: https://wasm.in/threads/csrclientcallserver-v-windows-7.29743/
112 | 19: https://bbs.csdn.net/topics/360229611
113 | 20: https://www.exploit-db.com/exploits/46712
114 | 21: https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2020/CVE-2020-1027.html
115 | 22: https://ii4gsp.tistory.com/288
116 | 23: https://www.unknowncheats.me/forum/c-and-c-/121045-ntdll-module-callback.html
117 |
--------------------------------------------------------------------------------
