├── .gitignore ├── DoubleAgent.sln ├── DoubleAgent ├── DoubleAgent.vcxproj ├── DoubleAgent.vcxproj.filters ├── OS.c ├── OS.h ├── Path.c ├── Path.h ├── Verifier.c ├── Verifier.h └── main.c ├── DoubleAgentDll ├── DoubleAgentDll.vcxproj ├── DoubleAgentDll.vcxproj.filters ├── Memory.c ├── Memory.h ├── Process.c ├── Process.h ├── VerifierDll.c ├── VerifierDll.h └── main.c ├── DoubleAgentShared ├── DoubleAgentShared.vcxproj ├── DoubleAgentShared.vcxproj.filters └── Status.h ├── LICENSE └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.userosscache 8 | *.sln.docstates 9 | 10 | # User-specific files (MonoDevelop/Xamarin Studio) 11 | *.userprefs 12 | 13 | # Build results 14 | [Dd]ebug/ 15 | [Dd]ebugPublic/ 16 | [Rr]elease/ 17 | [Rr]eleases/ 18 | x64/ 19 | x86/ 20 | bld/ 21 | [Bb]in/ 22 | [Oo]bj/ 23 | [Ll]og/ 24 | 25 | # Visual Studio 2015 cache/options directory 26 | .vs/ 27 | # Uncomment if you have tasks that create the project's static files in wwwroot 28 | #wwwroot/ 29 | 30 | # MSTest test Results 31 | [Tt]est[Rr]esult*/ 32 | [Bb]uild[Ll]og.* 33 | 34 | # NUNIT 35 | *.VisualState.xml 36 | TestResult.xml 37 | 38 | # Build Results of an ATL Project 39 | [Dd]ebugPS/ 40 | [Rr]eleasePS/ 41 | dlldata.c 42 | 43 | # DNX 44 | project.lock.json 45 | artifacts/ 46 | 47 | *_i.c 48 | *_p.c 49 | *_i.h 50 | *.ilk 51 | *.meta 52 | *.obj 53 | *.pch 54 | *.pdb 55 | *.pgc 56 | *.pgd 57 | *.rsp 58 | *.sbr 59 | *.tlb 60 | *.tli 61 | *.tlh 62 | *.tmp 63 | *.tmp_proj 64 | *.log 65 | *.vspscc 66 | *.vssscc 67 | .builds 68 | *.pidb 69 | *.svclog 70 | *.scc 71 | 72 | # Chutzpah Test files 73 | _Chutzpah* 74 | 75 | # Visual C++ cache files 76 | ipch/ 77 | *.aps 78 | *.ncb 79 | *.opendb 80 | *.opensdf 81 | *.sdf 82 | *.cachefile 83 | *.VC.db 84 | *.VC.VC.opendb 85 | 86 | # Visual Studio profiler 87 | *.psess 88 | *.vsp 89 | *.vspx 90 | *.sap 91 | 92 | # TFS 2012 Local Workspace 93 | $tf/ 94 | 95 | # Guidance Automation Toolkit 96 | *.gpState 97 | 98 | # ReSharper is a .NET coding add-in 99 | _ReSharper*/ 100 | *.[Rr]e[Ss]harper 101 | *.DotSettings.user 102 | 103 | # JustCode is a .NET coding add-in 104 | .JustCode 105 | 106 | # TeamCity is a build add-in 107 | _TeamCity* 108 | 109 | # DotCover is a Code Coverage Tool 110 | *.dotCover 111 | 112 | # NCrunch 113 | _NCrunch_* 114 | .*crunch*.local.xml 115 | nCrunchTemp_* 116 | 117 | # MightyMoose 118 | *.mm.* 119 | AutoTest.Net/ 120 | 121 | # Web workbench (sass) 122 | .sass-cache/ 123 | 124 | # Installshield output folder 125 | [Ee]xpress/ 126 | 127 | # DocProject is a documentation generator add-in 128 | DocProject/buildhelp/ 129 | DocProject/Help/*.HxT 130 | DocProject/Help/*.HxC 131 | DocProject/Help/*.hhc 132 | DocProject/Help/*.hhk 133 | DocProject/Help/*.hhp 134 | DocProject/Help/Html2 135 | DocProject/Help/html 136 | 137 | # Click-Once directory 138 | publish/ 139 | 140 | # Publish Web Output 141 | *.[Pp]ublish.xml 142 | *.azurePubxml 143 | # TODO: Comment the next line if you want to checkin your web deploy settings 144 | # but database connection strings (with potential passwords) will be unencrypted 145 | *.pubxml 146 | *.publishproj 147 | 148 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 149 | # checkin your Azure Web App publish settings, but sensitive information contained 150 | # in these scripts will be unencrypted 151 | PublishScripts/ 152 | 153 | # NuGet Packages 154 | *.nupkg 155 | # The packages folder can be ignored because of Package Restore 156 | **/packages/* 157 | # except build/, which is used as an MSBuild target. 158 | !**/packages/build/ 159 | # Uncomment if necessary however generally it will be regenerated when needed 160 | #!**/packages/repositories.config 161 | # NuGet v3's project.json files produces more ignoreable files 162 | *.nuget.props 163 | *.nuget.targets 164 | 165 | # Microsoft Azure Build Output 166 | csx/ 167 | *.build.csdef 168 | 169 | # Microsoft Azure Emulator 170 | ecf/ 171 | rcf/ 172 | 173 | # Windows Store app package directories and files 174 | AppPackages/ 175 | BundleArtifacts/ 176 | Package.StoreAssociation.xml 177 | _pkginfo.txt 178 | 179 | # Visual Studio cache files 180 | # files ending in .cache can be ignored 181 | *.[Cc]ache 182 | # but keep track of directories ending in .cache 183 | !*.[Cc]ache/ 184 | 185 | # Others 186 | ClientBin/ 187 | ~$* 188 | *~ 189 | *.dbmdl 190 | *.dbproj.schemaview 191 | *.pfx 192 | *.publishsettings 193 | node_modules/ 194 | orleans.codegen.cs 195 | 196 | # Since there are multiple workflows, uncomment next line to ignore bower_components 197 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 198 | #bower_components/ 199 | 200 | # RIA/Silverlight projects 201 | Generated_Code/ 202 | 203 | # Backup & report files from converting an old project file 204 | # to a newer Visual Studio version. Backup files are not needed, 205 | # because we have git ;-) 206 | _UpgradeReport_Files/ 207 | Backup*/ 208 | UpgradeLog*.XML 209 | UpgradeLog*.htm 210 | 211 | # SQL Server files 212 | *.mdf 213 | *.ldf 214 | 215 | # Business Intelligence projects 216 | *.rdl.data 217 | *.bim.layout 218 | *.bim_*.settings 219 | 220 | # Microsoft Fakes 221 | FakesAssemblies/ 222 | 223 | # GhostDoc plugin setting file 224 | *.GhostDoc.xml 225 | 226 | # Node.js Tools for Visual Studio 227 | .ntvs_analysis.dat 228 | 229 | # Visual Studio 6 build log 230 | *.plg 231 | 232 | # Visual Studio 6 workspace options file 233 | *.opt 234 | 235 | # Visual Studio LightSwitch build output 236 | **/*.HTMLClient/GeneratedArtifacts 237 | **/*.DesktopClient/GeneratedArtifacts 238 | **/*.DesktopClient/ModelManifest.xml 239 | **/*.Server/GeneratedArtifacts 240 | **/*.Server/ModelManifest.xml 241 | _Pvt_Extensions 242 | 243 | # Paket dependency manager 244 | .paket/paket.exe 245 | paket-files/ 246 | 247 | # FAKE - F# Make 248 | .fake/ 249 | 250 | # JetBrains Rider 251 | .idea/ 252 | *.sln.iml 253 | -------------------------------------------------------------------------------- /DoubleAgent.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.25123.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DoubleAgent", "DoubleAgent\DoubleAgent.vcxproj", "{37D9ADC4-76B6-49EE-A4F9-A02A581B55C4}" 7 | ProjectSection(ProjectDependencies) = postProject 8 | {0358B01A-8542-482B-87C0-F141655BD802} = {0358B01A-8542-482B-87C0-F141655BD802} 9 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5} = {532786D5-D713-455E-AE4A-2E68BF7DFFD5} 10 | EndProjectSection 11 | EndProject 12 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DoubleAgentDll", "DoubleAgentDll\DoubleAgentDll.vcxproj", "{0358B01A-8542-482B-87C0-F141655BD802}" 13 | ProjectSection(ProjectDependencies) = postProject 14 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5} = {532786D5-D713-455E-AE4A-2E68BF7DFFD5} 15 | EndProjectSection 16 | EndProject 17 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DoubleAgentShared", "DoubleAgentShared\DoubleAgentShared.vcxproj", "{532786D5-D713-455E-AE4A-2E68BF7DFFD5}" 18 | EndProject 19 | Global 20 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 21 | Debug|x64 = Debug|x64 22 | Debug|x86 = Debug|x86 23 | Release|x64 = Release|x64 24 | Release|x86 = Release|x86 25 | EndGlobalSection 26 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 27 | {37D9ADC4-76B6-49EE-A4F9-A02A581B55C4}.Debug|x64.ActiveCfg = Debug|x64 28 | {37D9ADC4-76B6-49EE-A4F9-A02A581B55C4}.Debug|x64.Build.0 = Debug|x64 29 | {37D9ADC4-76B6-49EE-A4F9-A02A581B55C4}.Debug|x86.ActiveCfg = Debug|Win32 30 | {37D9ADC4-76B6-49EE-A4F9-A02A581B55C4}.Debug|x86.Build.0 = Debug|Win32 31 | {37D9ADC4-76B6-49EE-A4F9-A02A581B55C4}.Release|x64.ActiveCfg = Release|x64 32 | {37D9ADC4-76B6-49EE-A4F9-A02A581B55C4}.Release|x64.Build.0 = Release|x64 33 | {37D9ADC4-76B6-49EE-A4F9-A02A581B55C4}.Release|x86.ActiveCfg = Release|Win32 34 | {37D9ADC4-76B6-49EE-A4F9-A02A581B55C4}.Release|x86.Build.0 = Release|Win32 35 | {0358B01A-8542-482B-87C0-F141655BD802}.Debug|x64.ActiveCfg = Debug|x64 36 | {0358B01A-8542-482B-87C0-F141655BD802}.Debug|x64.Build.0 = Debug|x64 37 | {0358B01A-8542-482B-87C0-F141655BD802}.Debug|x86.ActiveCfg = Debug|Win32 38 | {0358B01A-8542-482B-87C0-F141655BD802}.Debug|x86.Build.0 = Debug|Win32 39 | {0358B01A-8542-482B-87C0-F141655BD802}.Release|x64.ActiveCfg = Release|x64 40 | {0358B01A-8542-482B-87C0-F141655BD802}.Release|x64.Build.0 = Release|x64 41 | {0358B01A-8542-482B-87C0-F141655BD802}.Release|x86.ActiveCfg = Release|Win32 42 | {0358B01A-8542-482B-87C0-F141655BD802}.Release|x86.Build.0 = Release|Win32 43 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5}.Debug|x64.ActiveCfg = Debug|x64 44 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5}.Debug|x64.Build.0 = Debug|x64 45 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5}.Debug|x86.ActiveCfg = Debug|Win32 46 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5}.Debug|x86.Build.0 = Debug|Win32 47 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5}.Release|x64.ActiveCfg = Release|x64 48 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5}.Release|x64.Build.0 = Release|x64 49 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5}.Release|x86.ActiveCfg = Release|Win32 50 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5}.Release|x86.Build.0 = Release|Win32 51 | EndGlobalSection 52 | GlobalSection(SolutionProperties) = preSolution 53 | HideSolutionNode = FALSE 54 | EndGlobalSection 55 | EndGlobal 56 | -------------------------------------------------------------------------------- /DoubleAgent/DoubleAgent.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {37D9ADC4-76B6-49EE-A4F9-A02A581B55C4} 23 | DoubleAgent 24 | 8.1 25 | 26 | 27 | 28 | Application 29 | true 30 | v141 31 | Unicode 32 | 33 | 34 | Application 35 | false 36 | v141 37 | true 38 | Unicode 39 | 40 | 41 | Application 42 | true 43 | v141 44 | Unicode 45 | 46 | 47 | Application 48 | false 49 | v141 50 | true 51 | Unicode 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | $(SolutionDir)bin\ 73 | $(ProjectName)_x86 74 | 75 | 76 | $(SolutionDir)bin\ 77 | $(ProjectName)_x86 78 | 79 | 80 | $(SolutionDir)bin\ 81 | $(ProjectName)_x64 82 | 83 | 84 | $(SolutionDir)bin\ 85 | $(ProjectName)_x64 86 | 87 | 88 | 89 | Level4 90 | Disabled 91 | ..\DoubleAgentShared;%(AdditionalIncludeDirectories) 92 | MultiThreadedDebug 93 | 94 | 95 | shlwapi.lib;%(AdditionalDependencies) 96 | RequireAdministrator 97 | 98 | 99 | 100 | 101 | Level4 102 | Disabled 103 | ..\DoubleAgentShared;%(AdditionalIncludeDirectories) 104 | MultiThreadedDebug 105 | 106 | 107 | shlwapi.lib;%(AdditionalDependencies) 108 | RequireAdministrator 109 | 110 | 111 | 112 | 113 | Level4 114 | MaxSpeed 115 | true 116 | true 117 | ..\DoubleAgentShared;%(AdditionalIncludeDirectories) 118 | MultiThreaded 119 | 120 | 121 | true 122 | true 123 | shlwapi.lib;%(AdditionalDependencies) 124 | RequireAdministrator 125 | 126 | 127 | 128 | 129 | Level4 130 | MaxSpeed 131 | true 132 | true 133 | ..\DoubleAgentShared;%(AdditionalIncludeDirectories) 134 | MultiThreaded 135 | 136 | 137 | true 138 | true 139 | shlwapi.lib;%(AdditionalDependencies) 140 | RequireAdministrator 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | -------------------------------------------------------------------------------- /DoubleAgent/DoubleAgent.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 10 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 11 | 12 | 13 | {34e3579a-db9c-44c6-a083-5a4799b577a0} 14 | 15 | 16 | {953868bc-5d8d-4ec6-be5d-76777ae32700} 17 | 18 | 19 | {03118afc-539e-446b-b67a-8fefeba32d90} 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | Source Files\Verifier 28 | 29 | 30 | Source Files\OS 31 | 32 | 33 | Source Files\Path 34 | 35 | 36 | 37 | 38 | Source Files\Verifier 39 | 40 | 41 | Source Files\OS 42 | 43 | 44 | Source Files\Path 45 | 46 | 47 | -------------------------------------------------------------------------------- /DoubleAgent/OS.c: -------------------------------------------------------------------------------- 1 | /* Includes ******************************************************************/ 2 | #include 3 | #include "Status.h" 4 | #include "OS.h" 5 | 6 | /* Public Function Definitions ***********************************************/ 7 | DOUBLEAGENT_STATUS OS_GetArchitecture(OUT POS_ARCHITECTURE peOsArchitecture) 8 | { 9 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE; 10 | OS_ARCHITECTURE eOsArchitectureLocal = OS_ARCHITECTURE_INVALID_VALUE; 11 | #ifndef _WIN64 12 | BOOL bIsWow64 = FALSE; 13 | #endif 14 | 15 | /* Validates the parameters */ 16 | if (NULL == peOsArchitecture) 17 | { 18 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_OS_GETARCHITECTURE_INVALID_PARAMS); 19 | goto lbl_cleanup; 20 | } 21 | 22 | #ifdef _WIN64 23 | /* The program is executing 64 bit code, the OS must be 64 bit */ 24 | eOsArchitectureLocal = OS_ARCHITECTURE_X64; 25 | #else 26 | /* The program is executing 32 bit code, checks the OS architecture */ 27 | if (FALSE == IsWow64Process(GetCurrentProcess(), &bIsWow64)) 28 | { 29 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_OS_GETARCHITECTURE_ISWOW64PROCESS_FAILED); 30 | goto lbl_cleanup; 31 | } 32 | 33 | if (FALSE != bIsWow64) 34 | { 35 | /* The process is running under WOW64, the OS is 64 bit */ 36 | eOsArchitectureLocal = OS_ARCHITECTURE_X64; 37 | } 38 | else 39 | { 40 | /* The process is not running under WOW64, the OS is 32 bit */ 41 | eOsArchitectureLocal = OS_ARCHITECTURE_X86; 42 | } 43 | #endif 44 | 45 | /* Sets the received parameters */ 46 | *peOsArchitecture = eOsArchitectureLocal; 47 | 48 | /* Succeeded */ 49 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS); 50 | 51 | lbl_cleanup: 52 | /* Returns status */ 53 | return eStatus; 54 | } 55 | -------------------------------------------------------------------------------- /DoubleAgent/OS.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | /* Includes ******************************************************************/ 4 | #include 5 | #include "Status.h" 6 | 7 | /* Types *********************************************************************/ 8 | typedef enum _OS_ARCHITECTURE 9 | { 10 | OS_ARCHITECTURE_INVALID_VALUE = -1, 11 | OS_ARCHITECTURE_X86, 12 | OS_ARCHITECTURE_X64, 13 | 14 | /* Must be last */ 15 | OS_ARCHITECTURE_COUNT 16 | } OS_ARCHITECTURE, *POS_ARCHITECTURE; 17 | 18 | /* Function Declarations *****************************************************/ 19 | /* 20 | * Gets the operating system architecture 21 | */ 22 | DOUBLEAGENT_STATUS OS_GetArchitecture(OUT POS_ARCHITECTURE peOsArchitecture); 23 | -------------------------------------------------------------------------------- /DoubleAgent/Path.c: -------------------------------------------------------------------------------- 1 | /* Includes ******************************************************************/ 2 | #include 3 | #include 4 | #include "Status.h" 5 | #include "Path.h" 6 | 7 | /* Public Function Definitions ***********************************************/ 8 | DOUBLEAGENT_STATUS PATH_GetDirectory(IN PCWSTR pcwszFilePath, OUT PWSTR *ppwszDirPath) 9 | { 10 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE; 11 | PWSTR pwszDirPathLocal = NULL; 12 | SIZE_T nFilePathLenInBytes = 0; 13 | 14 | /* Validates the parameters */ 15 | if ((NULL == pcwszFilePath) || (NULL == ppwszDirPath)) 16 | { 17 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_GETDIRECTORY_INVALID_PARAMS); 18 | goto lbl_cleanup; 19 | } 20 | 21 | /* Gets the file path length in bytes */ 22 | nFilePathLenInBytes = (wcslen(pcwszFilePath) + 1) * sizeof(*pcwszFilePath); 23 | 24 | /* Allocates the directory path */ 25 | pwszDirPathLocal = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, nFilePathLenInBytes); 26 | if (NULL == pwszDirPathLocal) 27 | { 28 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_GETDIRECTORY_HEAPALLOC_FAILED); 29 | goto lbl_cleanup; 30 | } 31 | 32 | /* Copies the file path to the directory path */ 33 | CopyMemory(pwszDirPathLocal, pcwszFilePath, nFilePathLenInBytes); 34 | 35 | /* Creates the directory path by removing the file name */ 36 | if (FALSE == PathRemoveFileSpecW(pwszDirPathLocal)) 37 | { 38 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_GETDIRECTORY_PATHREMOVEFILESPECW_FAILED); 39 | goto lbl_cleanup; 40 | } 41 | 42 | /* Sets the received parameters */ 43 | *ppwszDirPath = pwszDirPathLocal; 44 | pwszDirPathLocal = NULL; 45 | 46 | /* Succeeded */ 47 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS); 48 | 49 | lbl_cleanup: 50 | /* Frees the directory path */ 51 | if (NULL != pwszDirPathLocal) 52 | { 53 | (VOID)HeapFree(GetProcessHeap(), 0, pwszDirPathLocal); 54 | pwszDirPathLocal = NULL; 55 | } 56 | 57 | /* Returns status */ 58 | return eStatus; 59 | } 60 | 61 | DOUBLEAGENT_STATUS PATH_Combine(IN PCWSTR pcwszPath1, IN PCWSTR pcwszPath2, OUT PWSTR *ppwszCombined) 62 | { 63 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE; 64 | PWSTR pwszCombinedLocal = NULL; 65 | 66 | /* Validates the parameters */ 67 | if ((NULL == pcwszPath1) || (NULL == pcwszPath2) || (NULL == ppwszCombined)) 68 | { 69 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_COMBINE_INVALID_PARAMS); 70 | goto lbl_cleanup; 71 | } 72 | 73 | /* Allocates the combined path */ 74 | pwszCombinedLocal = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, MAX_PATH * sizeof(*pwszCombinedLocal)); 75 | if (NULL == pwszCombinedLocal) 76 | { 77 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_COMBINE_HEAPALLOC_FAILED); 78 | goto lbl_cleanup; 79 | } 80 | 81 | /* Combines the paths */ 82 | if (NULL == PathCombineW(pwszCombinedLocal, pcwszPath1, pcwszPath2)) 83 | { 84 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_COMBINE_PATHCOMBINEW_FAILED); 85 | goto lbl_cleanup; 86 | } 87 | 88 | /* Sets the received parameters */ 89 | *ppwszCombined = pwszCombinedLocal; 90 | pwszCombinedLocal = NULL; 91 | 92 | /* Succeeded */ 93 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS); 94 | 95 | lbl_cleanup: 96 | /* Frees the combined path */ 97 | if (NULL != pwszCombinedLocal) 98 | { 99 | (VOID)HeapFree(GetProcessHeap(), 0, pwszCombinedLocal); 100 | pwszCombinedLocal = NULL; 101 | } 102 | 103 | /* Returns status */ 104 | return eStatus; 105 | } 106 | -------------------------------------------------------------------------------- /DoubleAgent/Path.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | /* Includes ******************************************************************/ 4 | #include 5 | #include "Status.h" 6 | 7 | /* Function Declarations *****************************************************/ 8 | /* 9 | * Receives a file path and returns its directory path 10 | * The directory path must be freed via HeapFree 11 | */ 12 | DOUBLEAGENT_STATUS PATH_GetDirectory(IN PCWSTR pcwszFilePath, OUT PWSTR *ppwszDirPath); 13 | /* 14 | * Receives two file paths and combines them into a single valid path 15 | * The combined path must be freed via HeapFree 16 | */ 17 | DOUBLEAGENT_STATUS PATH_Combine(IN PCWSTR pcwszPath1, IN PCWSTR pcwszPath2, OUT PWSTR *ppwszCombined); 18 | -------------------------------------------------------------------------------- /DoubleAgent/Verifier.c: -------------------------------------------------------------------------------- 1 | /* Includes ******************************************************************/ 2 | #include 3 | #include 4 | #include 5 | #include "Status.h" 6 | #include "OS.h" 7 | #include "Path.h" 8 | #include "Verifier.h" 9 | 10 | /* Macros ********************************************************************/ 11 | #define VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_NAME L"Image File Execution Options" 12 | #define VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_NAME_TEMP L"3cf9a53d-a1f5-4945-ac5b-5e87bbf46ad2" 13 | #define VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_SUB_KEY (L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\" ## VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_NAME) 14 | #define VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_SUB_KEY_TEMP (L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\" ## VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_NAME_TEMP) 15 | #define VERIFIER_SYSWOW64_PATH (L"C:\\Windows\\SysWOW64") 16 | #define VERIFIER_SYSNATIVE_PATH (L"C:\\Windows\\Sysnative") 17 | #define VERIFIER_SYSTEM32_PATH (L"C:\\Windows\\System32") 18 | #define VERIFIER_VERIFIERDLLS_VALUE_NAME (L"VerifierDlls") 19 | #define VERIFIER_GLOBALFLAG_VALUE_NAME (L"GlobalFlag") 20 | #define VERIFIER_FLG_APPLICATION_VERIFIER (0x100) 21 | 22 | /* Function Declarations *****************************************************/ 23 | /* 24 | * Registers the verifier dll to the process 25 | */ 26 | static DOUBLEAGENT_STATUS verifier_Register(IN PCWSTR pcwszProcessName, IN PCWSTR pcwszVrfDllName); 27 | /* 28 | * Unregisters the verifier dll from the process 29 | */ 30 | static VOID verifier_Unregister(IN PCWSTR pcwszProcessName); 31 | /* 32 | * Gets the installation path for the x86 verifier dll 33 | * The installation path must be freed via HeapFree 34 | */ 35 | static DOUBLEAGENT_STATUS verifier_GetInstallPathX86(IN PCWSTR pcwszVrfDllName, OUT PVOID *ppwszVrfDllInstallPath); 36 | /* 37 | * Gets the installation path for the x64 verifier dll 38 | * The installation path must be freed via HeapFree 39 | */ 40 | static DOUBLEAGENT_STATUS verifier_GetInstallPathX64(IN PCWSTR pcwszVrfDllName, OUT PVOID *ppwszVrfDllInstallPath); 41 | 42 | /* Public Function Definitions ***********************************************/ 43 | DOUBLEAGENT_STATUS VERIFIER_Install(IN PCWSTR pcwszProcessName, IN PCWSTR pcwszVrfDllName, IN PCWSTR pcwszVrfDllPathX86, IN PCWSTR pcwszVrfDllPathX64) 44 | { 45 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE; 46 | OS_ARCHITECTURE eOsArchitecture = OS_ARCHITECTURE_INVALID_VALUE; 47 | PWSTR pwszVrfDllInstallPathX86 = NULL; 48 | PWSTR pwszVrfDllInstallPathX64 = NULL; 49 | BOOL bRegistered = FALSE; 50 | BOOL bCopiedX86 = FALSE; 51 | BOOL bCopiedX64 = FALSE; 52 | 53 | /* Validates the parameters */ 54 | if ((NULL == pcwszProcessName) || (NULL == pcwszVrfDllName) || (NULL == pcwszVrfDllPathX86) || (NULL == pcwszVrfDllPathX64)) 55 | { 56 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_INSTALL_INVALID_PARAMS); 57 | goto lbl_cleanup; 58 | } 59 | 60 | /* Gets the operating system architecture */ 61 | eStatus = OS_GetArchitecture(&eOsArchitecture); 62 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus)) 63 | { 64 | goto lbl_cleanup; 65 | } 66 | 67 | /* Registers the verifier dll to the process */ 68 | eStatus = verifier_Register(pcwszProcessName, pcwszVrfDllName); 69 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus)) 70 | { 71 | goto lbl_cleanup; 72 | } 73 | bRegistered = TRUE; 74 | 75 | switch (eOsArchitecture) 76 | { 77 | case OS_ARCHITECTURE_X64: 78 | /* Gets the install path for the x64 verifier dll */ 79 | eStatus = verifier_GetInstallPathX64(pcwszVrfDllName, &pwszVrfDllInstallPathX64); 80 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus)) 81 | { 82 | goto lbl_cleanup; 83 | } 84 | 85 | /* Copies the x64 verifier dll to its installation path */ 86 | if (FALSE == CopyFileW(pcwszVrfDllPathX64, pwszVrfDllInstallPathX64, FALSE)) 87 | { 88 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_INSTALL_COPYFILEW_FAILED_X64); 89 | goto lbl_cleanup; 90 | } 91 | bCopiedX64 = TRUE; 92 | /* Falls into the x86 case */ 93 | case OS_ARCHITECTURE_X86: 94 | /* Gets the install path for the x86 verifier dll */ 95 | eStatus = verifier_GetInstallPathX86(pcwszVrfDllName, &pwszVrfDllInstallPathX86); 96 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus)) 97 | { 98 | goto lbl_cleanup; 99 | } 100 | 101 | /* Copies the x86 verifier dll to its installation path */ 102 | if (FALSE == CopyFileW(pcwszVrfDllPathX86, pwszVrfDllInstallPathX86, FALSE)) 103 | { 104 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_INSTALL_COPYFILEW_FAILED_X86); 105 | goto lbl_cleanup; 106 | } 107 | bCopiedX86 = TRUE; 108 | break; 109 | default: 110 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_INSTALL_UNSUPPORTED_SWITCH_CASE); 111 | goto lbl_cleanup; 112 | } 113 | 114 | /* Succeeded */ 115 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS); 116 | 117 | lbl_cleanup: 118 | /* If failed, reverts the changes */ 119 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus)) 120 | { 121 | if (FALSE != bCopiedX86) 122 | { 123 | /* Deletes the x86 verifier dll */ 124 | (VOID)DeleteFileW(pwszVrfDllInstallPathX86); 125 | bCopiedX86 = FALSE; 126 | } 127 | 128 | if (FALSE != bCopiedX64) 129 | { 130 | /* Deletes the x64 verifier dll */ 131 | (VOID)DeleteFileW(pwszVrfDllInstallPathX64); 132 | bCopiedX64 = FALSE; 133 | } 134 | 135 | /* Unregisters the verifier dll */ 136 | if (FALSE != bRegistered) 137 | { 138 | verifier_Unregister(pcwszProcessName); 139 | bRegistered = FALSE; 140 | } 141 | } 142 | 143 | /* Frees the x86 install path */ 144 | if (NULL != pwszVrfDllInstallPathX86) 145 | { 146 | (VOID)HeapFree(GetProcessHeap(), 0, pwszVrfDllInstallPathX86); 147 | pwszVrfDllInstallPathX86 = NULL; 148 | } 149 | 150 | /* Frees the x64 install path */ 151 | if (NULL != pwszVrfDllInstallPathX64) 152 | { 153 | (VOID)HeapFree(GetProcessHeap(), 0, pwszVrfDllInstallPathX64); 154 | pwszVrfDllInstallPathX64 = NULL; 155 | } 156 | 157 | /* Returns status */ 158 | return eStatus; 159 | } 160 | 161 | DOUBLEAGENT_STATUS VERIFIER_Repair(VOID) 162 | { 163 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE; 164 | HKEY hIfeoKey = NULL; 165 | LONG lOpenKeyStatus = 0; 166 | 167 | /* 168 | * In some cases (application crash, exception, etc.) the install\uninstall functions may accidentally leave the IFEO key with its temporary name 169 | * Checks if the temporary name exists 170 | */ 171 | lOpenKeyStatus = RegOpenKeyExW(HKEY_LOCAL_MACHINE, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_SUB_KEY_TEMP, 0, KEY_WRITE | KEY_WOW64_64KEY, &hIfeoKey); 172 | if (ERROR_SUCCESS == lOpenKeyStatus) 173 | { 174 | /* Repairs the IFEO key by restoring it to its original name */ 175 | if (ERROR_SUCCESS != RegRenameKey(hIfeoKey, NULL, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_NAME)) 176 | { 177 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REPAIR_REGRENAMEKEY_FAILED); 178 | goto lbl_cleanup; 179 | } 180 | } 181 | else if (ERROR_FILE_NOT_FOUND == lOpenKeyStatus) 182 | { 183 | /* Everything is OK, nothing to repair */ 184 | } 185 | else 186 | { 187 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REPAIR_REGOPENKEYEXW_FAILED); 188 | goto lbl_cleanup; 189 | } 190 | 191 | /* Succeeded */ 192 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS); 193 | 194 | lbl_cleanup: 195 | /* Closes the IFEO key */ 196 | if (NULL != hIfeoKey) 197 | { 198 | (VOID)RegCloseKey(hIfeoKey); 199 | hIfeoKey = NULL; 200 | } 201 | 202 | /* Returns status */ 203 | return eStatus; 204 | } 205 | 206 | VOID VERIFIER_Uninstall(IN PCWSTR pcwszProcessName, IN PCWSTR pcwszVrfDllName) 207 | { 208 | OS_ARCHITECTURE eOsArchitecture = OS_ARCHITECTURE_INVALID_VALUE; 209 | PWSTR pwszVrfDllInstallPathX86 = NULL; 210 | PWSTR pwszVrfDllInstallPathX64 = NULL; 211 | 212 | /* Validates the parameters */ 213 | if ((NULL != pcwszProcessName) && (NULL != pcwszVrfDllName)) 214 | { 215 | /* Gets the operating system architecture */ 216 | if (FALSE != DOUBLEAGENT_SUCCESS(OS_GetArchitecture(&eOsArchitecture))) 217 | { 218 | switch (eOsArchitecture) 219 | { 220 | case OS_ARCHITECTURE_X64: 221 | /* Gets the install path for the x64 verifier dll */ 222 | if (FALSE != DOUBLEAGENT_SUCCESS(verifier_GetInstallPathX64(pcwszVrfDllName, &pwszVrfDllInstallPathX64))) 223 | { 224 | /* Deletes the x64 verifier dll */ 225 | (VOID)DeleteFileW(pwszVrfDllInstallPathX64); 226 | 227 | /* Frees the x64 install path */ 228 | (VOID)HeapFree(GetProcessHeap(), 0, pwszVrfDllInstallPathX64); 229 | pwszVrfDllInstallPathX64 = NULL; 230 | } 231 | /* Falls into the x86 case */ 232 | case OS_ARCHITECTURE_X86: 233 | /* Gets the install path for the x86 verifier dll */ 234 | if (FALSE != DOUBLEAGENT_SUCCESS(verifier_GetInstallPathX86(pcwszVrfDllName, &pwszVrfDllInstallPathX86))) 235 | { 236 | /* Deletes the x86 verifier dll */ 237 | (VOID)DeleteFileW(pwszVrfDllInstallPathX86); 238 | 239 | /* Frees the x86 install path */ 240 | (VOID)HeapFree(GetProcessHeap(), 0, pwszVrfDllInstallPathX86); 241 | pwszVrfDllInstallPathX86 = NULL; 242 | } 243 | break; 244 | } 245 | } 246 | 247 | /* Unregisters the verifier dll */ 248 | verifier_Unregister(pcwszProcessName); 249 | } 250 | } 251 | 252 | /* Private Function Definitions **********************************************/ 253 | static DOUBLEAGENT_STATUS verifier_Register(IN PCWSTR pcwszProcessName, IN PCWSTR pcwszVrfDllName) 254 | { 255 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE; 256 | HKEY hIfeoKey = NULL; 257 | HKEY hIfeoKeyTemp = NULL; 258 | DWORD dwGlobalFlag = VERIFIER_FLG_APPLICATION_VERIFIER; 259 | DWORD dwVrfDllNameLenInBytes = 0; 260 | BOOL bKeyRenamed = FALSE; 261 | BOOL bCreatedVerifierDlls = FALSE; 262 | BOOL bCreatedVerifierDllsTemp = FALSE; 263 | BOOL bCreatedGlobalFlag = FALSE; 264 | BOOL bCreatedGlobalFlagTemp = FALSE; 265 | 266 | /* Validates the parameters */ 267 | _ASSERT(NULL != pcwszProcessName); 268 | _ASSERT(NULL != pcwszVrfDllName); 269 | 270 | /* Gets the verifier dll name length in bytes */ 271 | dwVrfDllNameLenInBytes = (DWORD)(wcslen(pcwszVrfDllName) + 1) * sizeof(*pcwszVrfDllName); 272 | 273 | /* Opens the IFEO key */ 274 | if (ERROR_SUCCESS != RegOpenKeyExW(HKEY_LOCAL_MACHINE, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_SUB_KEY, 0, KEY_WRITE | KEY_SET_VALUE | KEY_WOW64_64KEY, &hIfeoKey)) 275 | { 276 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGOPENKEYEXW_FAILED_IFEO); 277 | goto lbl_cleanup; 278 | } 279 | 280 | /* Creates the VerifierDlls value and sets it to the verifier dll name */ 281 | bCreatedVerifierDlls = (ERROR_SUCCESS == RegSetKeyValueW(hIfeoKey, pcwszProcessName, VERIFIER_VERIFIERDLLS_VALUE_NAME, REG_SZ, pcwszVrfDllName, dwVrfDllNameLenInBytes)); 282 | 283 | /* 284 | * Creates the GlobalFlag value and sets it to FLG_APPLICATION_VERIFIER 285 | * Read more: https://msdn.microsoft.com/en-us/library/windows/hardware/ff542875(v=vs.85).aspx 286 | */ 287 | bCreatedGlobalFlag = (ERROR_SUCCESS == RegSetKeyValueW(hIfeoKey, pcwszProcessName, VERIFIER_GLOBALFLAG_VALUE_NAME, REG_DWORD, &dwGlobalFlag, sizeof(dwGlobalFlag))); 288 | 289 | /* 290 | * The key creation might fail because some antiviruses protect the keys of their processes under the IFEO 291 | * One possible bypass is to rename the IFEO key name to a temporary name, create the keys, and restores the IFEO key name 292 | */ 293 | if ((FALSE == bCreatedVerifierDlls) || (FALSE == bCreatedGlobalFlag)) 294 | { 295 | /* Renames the IFEO key name to a temporary name */ 296 | if (ERROR_SUCCESS != RegRenameKey(hIfeoKey, NULL, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_NAME_TEMP)) 297 | { 298 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGRENAMEKEY_FAILED); 299 | goto lbl_cleanup; 300 | } 301 | bKeyRenamed = TRUE; 302 | 303 | /* 304 | * Opens the temporary IFEO key 305 | * The key is reopened because some antiviruses continue monitoring and blocking the handle that opened the original IFEO 306 | */ 307 | if (ERROR_SUCCESS != RegOpenKeyExW(HKEY_LOCAL_MACHINE, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_SUB_KEY_TEMP, 0, KEY_SET_VALUE | KEY_WOW64_64KEY, &hIfeoKeyTemp)) 308 | { 309 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGOPENKEYEXW_FAILED_TEMP_IFEO); 310 | goto lbl_cleanup; 311 | } 312 | 313 | if (FALSE == bCreatedVerifierDlls) 314 | { 315 | /* Tries again to create the VerifierDlls value */ 316 | if (ERROR_SUCCESS != RegSetKeyValueW(hIfeoKeyTemp, pcwszProcessName, VERIFIER_VERIFIERDLLS_VALUE_NAME, REG_SZ, pcwszVrfDllName, dwVrfDllNameLenInBytes)) 317 | { 318 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGSETKEYVALUEW_FAILED_VERIFIERDLLS); 319 | goto lbl_cleanup; 320 | } 321 | bCreatedVerifierDllsTemp = TRUE; 322 | } 323 | 324 | if (FALSE == bCreatedGlobalFlag) 325 | { 326 | /* Tries again to create the GlobalFlag value */ 327 | if (ERROR_SUCCESS != RegSetKeyValueW(hIfeoKeyTemp, pcwszProcessName, VERIFIER_GLOBALFLAG_VALUE_NAME, REG_DWORD, &dwGlobalFlag, sizeof(dwGlobalFlag))) 328 | { 329 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGSETKEYVALUEW_FAILED_GLOBALFLAG); 330 | goto lbl_cleanup; 331 | } 332 | bCreatedGlobalFlagTemp = TRUE; 333 | } 334 | } 335 | 336 | /* Succeeded */ 337 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS); 338 | 339 | lbl_cleanup: 340 | /* If failed, reverts the changes */ 341 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus)) 342 | { 343 | /* Deletes the GlobalFlag temp value */ 344 | if (FALSE != bCreatedGlobalFlagTemp) 345 | { 346 | (VOID)RegDeleteKeyValueW(hIfeoKeyTemp, pcwszProcessName, VERIFIER_GLOBALFLAG_VALUE_NAME); 347 | bCreatedGlobalFlagTemp = FALSE; 348 | } 349 | 350 | /* Deletes the VerifierDlls temp value */ 351 | if (FALSE != bCreatedVerifierDllsTemp) 352 | { 353 | (VOID)RegDeleteKeyValueW(hIfeoKeyTemp, pcwszProcessName, VERIFIER_VERIFIERDLLS_VALUE_NAME); 354 | bCreatedVerifierDllsTemp = FALSE; 355 | } 356 | 357 | /* Deletes the GlobalFlag value */ 358 | if (FALSE != bCreatedGlobalFlag) 359 | { 360 | (VOID)RegDeleteKeyValueW(hIfeoKey, pcwszProcessName, VERIFIER_GLOBALFLAG_VALUE_NAME); 361 | bCreatedGlobalFlag = FALSE; 362 | } 363 | 364 | /* Deletes the VerifierDlls value */ 365 | if (FALSE != bCreatedVerifierDlls) 366 | { 367 | (VOID)RegDeleteKeyValueW(hIfeoKey, pcwszProcessName, VERIFIER_VERIFIERDLLS_VALUE_NAME); 368 | bCreatedVerifierDlls = FALSE; 369 | } 370 | } 371 | 372 | /* Closes the temporary IFEO key */ 373 | if (NULL != hIfeoKeyTemp) 374 | { 375 | (VOID)RegCloseKey(hIfeoKeyTemp); 376 | hIfeoKeyTemp = NULL; 377 | } 378 | 379 | /* Restores the IFEO key name */ 380 | if (FALSE != bKeyRenamed) 381 | { 382 | (VOID)RegRenameKey(hIfeoKey, NULL, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_NAME); 383 | bKeyRenamed = FALSE; 384 | } 385 | 386 | /* Closes the IFEO key */ 387 | if (NULL != hIfeoKey) 388 | { 389 | (VOID)RegCloseKey(hIfeoKey); 390 | hIfeoKey = NULL; 391 | } 392 | 393 | /* Returns status */ 394 | return eStatus; 395 | } 396 | 397 | static VOID verifier_Unregister(IN PCWSTR pcwszProcessName) 398 | { 399 | HKEY hIfeoKey = NULL; 400 | HKEY hIfeoKeyTemp = NULL; 401 | BOOL bDeletedVerifierDlls = FALSE; 402 | BOOL bDeletedGlobalFlag = FALSE; 403 | 404 | /* Validates the parameters */ 405 | _ASSERT(NULL != pcwszProcessName); 406 | 407 | /* Opens the IFEO key */ 408 | if (ERROR_SUCCESS == RegOpenKeyExW(HKEY_LOCAL_MACHINE, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_SUB_KEY, 0, KEY_WRITE | KEY_SET_VALUE | KEY_WOW64_64KEY, &hIfeoKey)) 409 | { 410 | /* Deletes the VerifierDlls value */ 411 | bDeletedVerifierDlls = (ERROR_SUCCESS == RegDeleteKeyValueW(hIfeoKey, pcwszProcessName, VERIFIER_VERIFIERDLLS_VALUE_NAME)); 412 | 413 | /* Deletes the GlobalFlag value */ 414 | bDeletedGlobalFlag = (ERROR_SUCCESS == RegDeleteKeyValueW(hIfeoKey, pcwszProcessName, VERIFIER_GLOBALFLAG_VALUE_NAME)); 415 | 416 | /* 417 | * The key deletion might fail because some antiviruses protect the keys of their processes under the IFEO 418 | * One possible bypass is to rename the IFEO key name to a temporary name, delete the keys, and restores the IFEO key name 419 | */ 420 | if ((FALSE == bDeletedVerifierDlls) || (FALSE == bDeletedGlobalFlag)) 421 | { 422 | /* Renames the IFEO key name to a temporary name */ 423 | if (ERROR_SUCCESS == RegRenameKey(hIfeoKey, NULL, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_NAME_TEMP)) 424 | { 425 | /* 426 | * Opens the temporary IFEO key 427 | * The key is reopened because some antiviruses continue monitoring and blocking the handle that opened the original IFEO 428 | */ 429 | if (ERROR_SUCCESS == RegOpenKeyExW(HKEY_LOCAL_MACHINE, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_SUB_KEY_TEMP, 0, KEY_SET_VALUE | KEY_WOW64_64KEY, &hIfeoKeyTemp)) 430 | { 431 | /* Tries again to delete the VerifierDlls value */ 432 | if (FALSE == bDeletedVerifierDlls) 433 | { 434 | (VOID)RegDeleteKeyValueW(hIfeoKeyTemp, pcwszProcessName, VERIFIER_VERIFIERDLLS_VALUE_NAME); 435 | bDeletedVerifierDlls = TRUE; 436 | } 437 | 438 | /* Tries again to delete the GlobalFlag value */ 439 | if (FALSE == bDeletedGlobalFlag) 440 | { 441 | (VOID)RegDeleteKeyValueW(hIfeoKeyTemp, pcwszProcessName, VERIFIER_GLOBALFLAG_VALUE_NAME); 442 | bDeletedGlobalFlag = TRUE; 443 | } 444 | 445 | /* Closes the temporary IFEO key */ 446 | (VOID)RegCloseKey(hIfeoKeyTemp); 447 | hIfeoKeyTemp = NULL; 448 | } 449 | 450 | /* Restores the IFEO key name */ 451 | (VOID)RegRenameKey(hIfeoKey, NULL, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_NAME); 452 | } 453 | } 454 | 455 | /* Closes the IFEO key */ 456 | (VOID)RegCloseKey(hIfeoKey); 457 | hIfeoKey = NULL; 458 | } 459 | } 460 | 461 | static DOUBLEAGENT_STATUS verifier_GetInstallPathX86(IN PCWSTR pcwszVrfDllName, OUT PVOID *ppwszVrfDllInstallPath) 462 | { 463 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE; 464 | PWSTR pwszVrfDllInstallPathLocal = NULL; 465 | 466 | /* Validates the parameters */ 467 | _ASSERT(NULL != pcwszVrfDllName); 468 | _ASSERT(NULL != ppwszVrfDllInstallPath); 469 | 470 | #ifndef _WIN64 471 | /* 472 | * x86 OS - Path should be System32 473 | * x64 OS - Path should be SysWOW64 (File system redirection would implicitly convert System32 to SysWOW64) 474 | */ 475 | eStatus = PATH_Combine(VERIFIER_SYSTEM32_PATH, pcwszVrfDllName, &pwszVrfDllInstallPathLocal); 476 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus)) 477 | { 478 | goto lbl_cleanup; 479 | } 480 | #else 481 | /* 482 | * x86 OS - Impossible (Can't run x64 code on x86 OS) 483 | * x64 OS - Path should be SysWOW64 484 | */ 485 | eStatus = PATH_Combine(VERIFIER_SYSWOW64_PATH, pcwszVrfDllName, &pwszVrfDllInstallPathLocal); 486 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus)) 487 | { 488 | goto lbl_cleanup; 489 | } 490 | #endif 491 | 492 | /* Sets the received parameters */ 493 | *ppwszVrfDllInstallPath = pwszVrfDllInstallPathLocal; 494 | pwszVrfDllInstallPathLocal = NULL; 495 | 496 | /* Succeeded */ 497 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS); 498 | 499 | lbl_cleanup: 500 | /* Frees the install path */ 501 | if (NULL != pwszVrfDllInstallPathLocal) 502 | { 503 | (VOID)HeapFree(GetProcessHeap(), 0, pwszVrfDllInstallPathLocal); 504 | pwszVrfDllInstallPathLocal = NULL; 505 | } 506 | 507 | /* Returns status */ 508 | return eStatus; 509 | } 510 | 511 | static DOUBLEAGENT_STATUS verifier_GetInstallPathX64(IN PCWSTR pcwszVrfDllName, OUT PVOID *ppwszVrfDllInstallPath) 512 | { 513 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE; 514 | PWSTR pwszVrfDllInstallPathLocal = NULL; 515 | 516 | /* Validates the parameters */ 517 | _ASSERT(NULL != pcwszVrfDllName); 518 | _ASSERT(NULL != ppwszVrfDllInstallPath); 519 | 520 | #ifndef _WIN64 521 | /* x64 OS - Path should be System32 (File system redirection would implicitly convert Sysnative to System32) */ 522 | eStatus = PATH_Combine(VERIFIER_SYSNATIVE_PATH, pcwszVrfDllName, &pwszVrfDllInstallPathLocal); 523 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus)) 524 | { 525 | goto lbl_cleanup; 526 | } 527 | #else 528 | /* x64 OS - Path should be System32 */ 529 | eStatus = PATH_Combine(VERIFIER_SYSTEM32_PATH, pcwszVrfDllName, &pwszVrfDllInstallPathLocal); 530 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus)) 531 | { 532 | goto lbl_cleanup; 533 | } 534 | #endif 535 | 536 | /* Sets the received parameters */ 537 | *ppwszVrfDllInstallPath = pwszVrfDllInstallPathLocal; 538 | pwszVrfDllInstallPathLocal = NULL; 539 | 540 | /* Succeeded */ 541 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS); 542 | 543 | lbl_cleanup: 544 | /* Frees the install path */ 545 | if (NULL != pwszVrfDllInstallPathLocal) 546 | { 547 | (VOID)HeapFree(GetProcessHeap(), 0, pwszVrfDllInstallPathLocal); 548 | pwszVrfDllInstallPathLocal = NULL; 549 | } 550 | 551 | /* Returns status */ 552 | return eStatus; 553 | } 554 | -------------------------------------------------------------------------------- /DoubleAgent/Verifier.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | /* Includes ******************************************************************/ 4 | #include 5 | #include "Status.h" 6 | 7 | /* Function Declarations *****************************************************/ 8 | /* 9 | * Installs an application verifier for the process 10 | */ 11 | DOUBLEAGENT_STATUS VERIFIER_Install(IN PCWSTR pcwszProcessName, IN PCWSTR pcwszVrfDllName, IN PCWSTR pcwszVrfDllPathX86, IN PCWSTR pcwszVrfDllPathX64); 12 | /* 13 | * In some cases (application crash, exception, etc.) the install\uninstall functions may accidentally leave the machine in an undefined state 14 | * Repairs the machine to its original state 15 | */ 16 | DOUBLEAGENT_STATUS VERIFIER_Repair(VOID); 17 | /* 18 | * Uninstalls the application verifier from the process 19 | */ 20 | VOID VERIFIER_Uninstall(IN PCWSTR pcwszProcessName, IN PCWSTR pcwszVrfDllName); 21 | -------------------------------------------------------------------------------- /DoubleAgent/main.c: -------------------------------------------------------------------------------- 1 | /* Includes ******************************************************************/ 2 | #include 3 | #include 4 | #include 5 | #include "Path.h" 6 | #include "Verifier.h" 7 | 8 | /* Macros ********************************************************************/ 9 | #define DOUBLEAGENT_ACTION_INSTALL (L"install") 10 | #define DOUBLEAGENT_ACTION_REPAIR (L"repair") 11 | #define DOUBLEAGENT_ACTION_UNINSTALL (L"uninstall") 12 | #define DOUBLEAGENT_VERIFIER_DLL_NAME L"DoubleAgentDll.dll" 13 | #define DOUBLEAGENT_VERIFIER_DLL_RELATIVE_PATH_X86 (L".\\x86\\" ## DOUBLEAGENT_VERIFIER_DLL_NAME) 14 | #define DOUBLEAGENT_VERIFIER_DLL_RELATIVE_PATH_X64 (L".\\x64\\" ## DOUBLEAGENT_VERIFIER_DLL_NAME) 15 | 16 | /* Types *********************************************************************/ 17 | typedef enum _DOUBLEAGENT_ARGUMENTS 18 | { 19 | DOUBLEAGENT_ARGUMENTS_INVALID_VALUE = -1, 20 | DOUBLEAGENT_ARGUMENTS_SELF_PATH, 21 | DOUBLEAGENT_ARGUMENTS_ACTION_TYPE, 22 | DOUBLEAGENT_ARGUMENTS_PROCESS_NAME, 23 | 24 | /* Must be last */ 25 | DOUBLEAGENT_ARGUMENTS_COUNT 26 | } DOUBLEAGENT_ARGUMENTS, *PDOUBLEAGENT_ARGUMENTS; 27 | 28 | /* Function Declarations *****************************************************/ 29 | /* 30 | * Handles the install action 31 | */ 32 | static DOUBLEAGENT_STATUS main_Install(IN PCWSTR *ppcwszArgv); 33 | /* 34 | * Handles the repair action 35 | */ 36 | static DOUBLEAGENT_STATUS main_Repair(IN PCWSTR *ppcwszArgv); 37 | /* 38 | * Handles the uninstall action 39 | */ 40 | static DOUBLEAGENT_STATUS main_Uninstall(IN PCWSTR *ppcwszArgv); 41 | 42 | /* Function Definitions ******************************************************/ 43 | INT wmain(IN SIZE_T nArgc, IN PCWSTR *ppcwszArgv) 44 | { 45 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE; 46 | 47 | /* Prints usage */ 48 | if (1 == nArgc) 49 | { 50 | (VOID)wprintf(L"Usage:\tDoubleAgent.exe install\\uninstall\\repair process_name\n"); 51 | (VOID)wprintf(L"e.g.\tDoubleAgent.exe install cmd.exe\n"); 52 | return 0; 53 | } 54 | 55 | /* Validates the arguments */ 56 | if (DOUBLEAGENT_ARGUMENTS_COUNT != nArgc) 57 | { 58 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_WMAIN_INVALID_ARGS_COUNT); 59 | goto lbl_cleanup; 60 | } 61 | 62 | /* Install action */ 63 | if (0 == _wcsicmp(ppcwszArgv[DOUBLEAGENT_ARGUMENTS_ACTION_TYPE], DOUBLEAGENT_ACTION_INSTALL)) 64 | { 65 | eStatus = main_Install(ppcwszArgv); 66 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus)) 67 | { 68 | goto lbl_cleanup; 69 | } 70 | } 71 | /* Repair action */ 72 | else if (0 == _wcsicmp(ppcwszArgv[DOUBLEAGENT_ARGUMENTS_ACTION_TYPE], DOUBLEAGENT_ACTION_REPAIR)) 73 | { 74 | eStatus = main_Repair(ppcwszArgv); 75 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus)) 76 | { 77 | goto lbl_cleanup; 78 | } 79 | } 80 | /* Uninstall action */ 81 | else if (0 == _wcsicmp(ppcwszArgv[DOUBLEAGENT_ARGUMENTS_ACTION_TYPE], DOUBLEAGENT_ACTION_UNINSTALL)) 82 | { 83 | eStatus = main_Uninstall(ppcwszArgv); 84 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus)) 85 | { 86 | goto lbl_cleanup; 87 | } 88 | } 89 | /* Unsupported action */ 90 | else 91 | { 92 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_WMAIN_UNSUPPORTED_ACTION); 93 | goto lbl_cleanup; 94 | } 95 | 96 | /* Succeeded */ 97 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS); 98 | 99 | lbl_cleanup: 100 | if (FALSE != DOUBLEAGENT_SUCCESS(eStatus)) 101 | { 102 | (VOID)wprintf(L"Succeeded"); 103 | } 104 | else 105 | { 106 | (VOID)wprintf(L"Failed (error code %lu)", eStatus); 107 | } 108 | /* Returns status */ 109 | return eStatus; 110 | } 111 | 112 | static DOUBLEAGENT_STATUS main_Install(IN PCWSTR *ppcwszArgv) 113 | { 114 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE; 115 | PWSTR pwszExeDirPath = NULL; 116 | PWSTR pwszVerifierDllPathX86 = NULL; 117 | PWSTR pwszVerifierDllPathX64 = NULL; 118 | 119 | /* Validates the parameters */ 120 | _ASSERT(NULL != ppcwszArgv); 121 | 122 | /* Gets the executable directory */ 123 | eStatus = PATH_GetDirectory(ppcwszArgv[DOUBLEAGENT_ARGUMENTS_SELF_PATH], &pwszExeDirPath); 124 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus)) 125 | { 126 | goto lbl_cleanup; 127 | } 128 | 129 | /* Gets the x86 verifier dll path */ 130 | eStatus = PATH_Combine(pwszExeDirPath, DOUBLEAGENT_VERIFIER_DLL_RELATIVE_PATH_X86, &pwszVerifierDllPathX86); 131 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus)) 132 | { 133 | goto lbl_cleanup; 134 | } 135 | 136 | /* Gets the x64 verifier dll path */ 137 | eStatus = PATH_Combine(pwszExeDirPath, DOUBLEAGENT_VERIFIER_DLL_RELATIVE_PATH_X64, &pwszVerifierDllPathX64); 138 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus)) 139 | { 140 | goto lbl_cleanup; 141 | } 142 | 143 | /* Installs the application verifier for the process */ 144 | eStatus = VERIFIER_Install(ppcwszArgv[DOUBLEAGENT_ARGUMENTS_PROCESS_NAME], DOUBLEAGENT_VERIFIER_DLL_NAME, pwszVerifierDllPathX86, pwszVerifierDllPathX64); 145 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus)) 146 | { 147 | goto lbl_cleanup; 148 | } 149 | 150 | /* Succeeded */ 151 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS); 152 | 153 | lbl_cleanup: 154 | /* Frees the x64 verifier dll path */ 155 | if (NULL != pwszVerifierDllPathX64) 156 | { 157 | (VOID)HeapFree(GetProcessHeap(), 0, pwszVerifierDllPathX64); 158 | pwszVerifierDllPathX64 = NULL; 159 | } 160 | 161 | /* Frees the x86 verifier dll path */ 162 | if (NULL != pwszVerifierDllPathX86) 163 | { 164 | (VOID)HeapFree(GetProcessHeap(), 0, pwszVerifierDllPathX86); 165 | pwszVerifierDllPathX86 = NULL; 166 | } 167 | 168 | /* Frees the executable directory */ 169 | if (NULL != pwszExeDirPath) 170 | { 171 | (VOID)HeapFree(GetProcessHeap(), 0, pwszExeDirPath); 172 | pwszExeDirPath = NULL; 173 | } 174 | 175 | /* Returns status */ 176 | return eStatus; 177 | } 178 | 179 | static DOUBLEAGENT_STATUS main_Repair(IN PCWSTR *ppcwszArgv) 180 | { 181 | UNREFERENCED_PARAMETER(ppcwszArgv); 182 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE; 183 | 184 | /* Validates the parameters */ 185 | _ASSERT(NULL != ppcwszArgv); 186 | 187 | /* Repairs the machine to its original state */ 188 | eStatus = VERIFIER_Repair(); 189 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus)) 190 | { 191 | goto lbl_cleanup; 192 | } 193 | 194 | /* Succeeded */ 195 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS); 196 | 197 | lbl_cleanup: 198 | /* Returns status */ 199 | return eStatus; 200 | } 201 | 202 | static DOUBLEAGENT_STATUS main_Uninstall(IN PCWSTR *ppcwszArgv) 203 | { 204 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE; 205 | 206 | /* Validates the parameters */ 207 | _ASSERT(NULL != ppcwszArgv); 208 | 209 | /* Uninstalls the application verifier from the process */ 210 | VERIFIER_Uninstall(ppcwszArgv[DOUBLEAGENT_ARGUMENTS_PROCESS_NAME], DOUBLEAGENT_VERIFIER_DLL_NAME); 211 | 212 | /* Succeeded */ 213 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS); 214 | 215 | /* Returns status */ 216 | return eStatus; 217 | } 218 | -------------------------------------------------------------------------------- /DoubleAgentDll/DoubleAgentDll.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {0358B01A-8542-482B-87C0-F141655BD802} 23 | DoubleAgentDll 24 | 8.1 25 | 26 | 27 | 28 | DynamicLibrary 29 | true 30 | v141 31 | Unicode 32 | 33 | 34 | DynamicLibrary 35 | false 36 | v141 37 | true 38 | Unicode 39 | 40 | 41 | DynamicLibrary 42 | true 43 | v141 44 | Unicode 45 | 46 | 47 | DynamicLibrary 48 | false 49 | v141 50 | true 51 | Unicode 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | $(SolutionDir)bin\x86\ 73 | 74 | 75 | $(SolutionDir)bin\x86\ 76 | 77 | 78 | $(SolutionDir)bin\x64\ 79 | 80 | 81 | $(SolutionDir)bin\x64\ 82 | 83 | 84 | 85 | Level4 86 | Disabled 87 | ..\DoubleAgentShared;%(AdditionalIncludeDirectories) 88 | MultiThreadedDebug 89 | true 90 | 91 | false 92 | 93 | 94 | 95 | true 96 | Console 97 | DllMain 98 | 99 | 100 | 101 | 102 | Level4 103 | Disabled 104 | ..\DoubleAgentShared;%(AdditionalIncludeDirectories) 105 | MultiThreadedDebug 106 | true 107 | 108 | false 109 | 110 | 111 | 112 | true 113 | Console 114 | DllMain 115 | 116 | 117 | 118 | 119 | Level4 120 | MaxSpeed 121 | true 122 | true 123 | ..\DoubleAgentShared;%(AdditionalIncludeDirectories) 124 | MultiThreaded 125 | true 126 | 127 | false 128 | false 129 | 130 | 131 | true 132 | true 133 | true 134 | Console 135 | DllMain 136 | 137 | 138 | 139 | 140 | Level4 141 | MaxSpeed 142 | true 143 | true 144 | ..\DoubleAgentShared;%(AdditionalIncludeDirectories) 145 | MultiThreaded 146 | true 147 | 148 | false 149 | false 150 | 151 | 152 | true 153 | true 154 | true 155 | Console 156 | DllMain 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | -------------------------------------------------------------------------------- /DoubleAgentDll/DoubleAgentDll.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {4b3ed967-99c9-47f0-ad82-5da2f1ce36e4} 10 | 11 | 12 | {6c53491b-d7aa-4e59-adf2-bad8e68cf7a0} 13 | 14 | 15 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 16 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 17 | 18 | 19 | {c59faa4b-63c3-4193-9387-f639ffe77113} 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | Source Files\Verifier 28 | 29 | 30 | Source Files\Process 31 | 32 | 33 | Source Files\Memory 34 | 35 | 36 | 37 | 38 | Source Files\Verifier 39 | 40 | 41 | Source Files\Process 42 | 43 | 44 | Source Files\Memory 45 | 46 | 47 | -------------------------------------------------------------------------------- /DoubleAgentDll/Memory.c: -------------------------------------------------------------------------------- 1 | /* Includes ******************************************************************/ 2 | #include 3 | #include "Status.h" 4 | #include "Memory.h" 5 | 6 | /* Public Function Definitions ***********************************************/ 7 | void* memset(void *pvBuffer, int iValue, size_t nBufferLen) 8 | { 9 | SIZE_T nBufferIndex = 0; 10 | 11 | /* Sets the buffer */ 12 | for (nBufferIndex = 0; nBufferIndex < nBufferLen; nBufferIndex++) 13 | { 14 | ((PBYTE)pvBuffer)[nBufferIndex] = (BYTE)iValue; 15 | } 16 | 17 | return pvBuffer; 18 | } 19 | -------------------------------------------------------------------------------- /DoubleAgentDll/Memory.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | /* Includes ******************************************************************/ 4 | #include 5 | #include "Status.h" 6 | 7 | /* Function Declarations *****************************************************/ 8 | /* 9 | * Override the compiler memset intrinsic functions 10 | * This may be used to solve linkage problems with the CRT 11 | */ 12 | #pragma function(memset) 13 | void* memset(void *pvBuffer, int iValue, size_t nBufferLen); 14 | -------------------------------------------------------------------------------- /DoubleAgentDll/Process.c: -------------------------------------------------------------------------------- 1 | /* Includes ******************************************************************/ 2 | #include 3 | #include "Status.h" 4 | #include "Process.h" 5 | 6 | /* Public Function Definitions ***********************************************/ 7 | DOUBLEAGENT_STATUS PROCESS_Create(IN PCWSTR pcwszExePath) 8 | { 9 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE; 10 | STARTUPINFOW tStartup = { 0 }; 11 | PROCESS_INFORMATION tProcess = { 0 }; 12 | 13 | /* Validates the parameters */ 14 | if (NULL == pcwszExePath) 15 | { 16 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENTDLL_PROCESS_CREATE_INVALID_PARAMS); 17 | goto lbl_cleanup; 18 | } 19 | 20 | /* Creates the process */ 21 | tStartup.cb = sizeof(tStartup); 22 | if (FALSE == CreateProcessW(pcwszExePath, NULL, NULL, NULL, 0, 0, NULL, NULL, &tStartup, &tProcess)) 23 | { 24 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENTDLL_PROCESS_CREATE_CREATEPROCESSW_FAILED); 25 | goto lbl_cleanup; 26 | } 27 | 28 | /* Succeeded */ 29 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS); 30 | 31 | lbl_cleanup: 32 | /* Closes the thread handle */ 33 | if (NULL != tProcess.hThread) 34 | { 35 | (VOID)CloseHandle(tProcess.hThread); 36 | tProcess.hThread = NULL; 37 | } 38 | 39 | /* Closes the process handle */ 40 | if (NULL != tProcess.hProcess) 41 | { 42 | (VOID)CloseHandle(tProcess.hProcess); 43 | tProcess.hProcess = NULL; 44 | } 45 | 46 | /* Returns status */ 47 | return eStatus; 48 | } 49 | -------------------------------------------------------------------------------- /DoubleAgentDll/Process.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | /* Includes ******************************************************************/ 4 | #include 5 | #include "Status.h" 6 | 7 | /* Function Declarations *****************************************************/ 8 | /* 9 | * Receives an executable path and executes it 10 | */ 11 | DOUBLEAGENT_STATUS PROCESS_Create(IN PCWSTR pcwszExePath); 12 | -------------------------------------------------------------------------------- /DoubleAgentDll/VerifierDll.c: -------------------------------------------------------------------------------- 1 | /* Includes ******************************************************************/ 2 | #include 3 | #include "Status.h" 4 | 5 | /* Types *********************************************************************/ 6 | typedef struct _RTL_VERIFIER_DLL_DESCRIPTOR 7 | { 8 | PWSTR pwszDllName; 9 | DWORD dwDllFlags; 10 | PVOID pvDllAddress; 11 | PVOID pvDllThunks; 12 | } RTL_VERIFIER_DLL_DESCRIPTOR, *PRTL_VERIFIER_DLL_DESCRIPTOR; 13 | 14 | typedef struct _RTL_VERIFIER_PROVIDER_DESCRIPTOR 15 | { 16 | DWORD dwLength; 17 | PVOID pvProviderDlls; 18 | PVOID pvProviderDllLoadCallback; 19 | PVOID pvProviderDllUnloadCallback; 20 | PWSTR pwszVerifierImage; 21 | DWORD dwVerifierFlags; 22 | DWORD dwVerifierDebug; 23 | PVOID pvRtlpGetStackTraceAddress; 24 | PVOID pvRtlpDebugPageHeapCreate; 25 | PVOID pvRtlpDebugPageHeapDestroy; 26 | PVOID pvProviderNtdllHeapFreeCallback; 27 | } RTL_VERIFIER_PROVIDER_DESCRIPTOR, *PRTL_VERIFIER_PROVIDER_DESCRIPTOR; 28 | 29 | typedef struct _RTL_VERIFIER_MINILOADATTACH_PROVIDER_DESCRIPTOR 30 | { 31 | DWORD dwLength; 32 | DWORD dwReserved; 33 | DWORD dwReserved1; 34 | DWORD dwReserved2; 35 | DWORD dwReserved3; 36 | DWORD dwReserved4; 37 | DWORD dwReserved5; 38 | DWORD dwReserved6; 39 | PDWORD pdwAVrfDphGlobalFlags; 40 | PVOID pvAVrfpHeapTable; 41 | PRTL_VERIFIER_PROVIDER_DESCRIPTOR ptAVrfpProvider; 42 | CHAR szReserved7[0x18]; 43 | } RTL_VERIFIER_MINILOADATTACH_PROVIDER_DESCRIPTOR, *PRTL_VERIFIER_MINILOADATTACH_PROVIDER_DESCRIPTOR; 44 | 45 | /* Global Variables **********************************************************/ 46 | RTL_VERIFIER_DLL_DESCRIPTOR atDLLs[] = { { 0 } }; 47 | RTL_VERIFIER_PROVIDER_DESCRIPTOR tVpd = { sizeof(RTL_VERIFIER_PROVIDER_DESCRIPTOR), atDLLs }; 48 | 49 | /* Function Definitions ******************************************************/ 50 | BOOL VERIFIERDLL_DllMainProcessVerifier(IN PVOID pvReserved) 51 | { 52 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE; 53 | 54 | /* Validates the parameters */ 55 | if (NULL == pvReserved) 56 | { 57 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENTDLL_VERIFIERDLL_DLLMAINPROCESSVERIFIER_INVALID_PARAMS); 58 | goto lbl_cleanup; 59 | } 60 | 61 | /* Sets the reserved parameter */ 62 | *((PRTL_VERIFIER_PROVIDER_DESCRIPTOR *)pvReserved) = &tVpd; 63 | 64 | /* Succeeded */ 65 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS); 66 | 67 | lbl_cleanup: 68 | /* Returns status */ 69 | return FALSE != DOUBLEAGENT_SUCCESS(eStatus); 70 | } 71 | -------------------------------------------------------------------------------- /DoubleAgentDll/VerifierDll.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | /* Includes ******************************************************************/ 4 | #include 5 | #include "Status.h" 6 | 7 | /* Macros ********************************************************************/ 8 | #define VERIFIERDLL_DLL_PROCESS_VERIFIER (0x4) 9 | 10 | /* Function Declarations *****************************************************/ 11 | /* 12 | * The default main function for VERIFIERDLL_DLL_PROCESS_VERIFIER 13 | * The verifier dll should call this function from DllMain when VERIFIERDLL_DLL_PROCESS_VERIFIER == nReason 14 | */ 15 | BOOL VERIFIERDLL_DllMainProcessVerifier(IN PVOID pvReserved); 16 | -------------------------------------------------------------------------------- /DoubleAgentDll/main.c: -------------------------------------------------------------------------------- 1 | /* Includes ******************************************************************/ 2 | #include 3 | #include "Status.h" 4 | #include "Process.h" 5 | #include "VerifierDll.h" 6 | 7 | /* Function Declarations *****************************************************/ 8 | /* 9 | * The event handler for DLL attach events 10 | */ 11 | static BOOL main_DllMainProcessAttach(VOID); 12 | /* 13 | * The event handler for DLL detach events 14 | */ 15 | static BOOL main_DllMainProcessDetach(VOID); 16 | 17 | /* Function Definitions ******************************************************/ 18 | BOOL WINAPI DllMain(IN HINSTANCE hInstDLL, IN SIZE_T nReason, IN PVOID pvReserved) 19 | { 20 | UNREFERENCED_PARAMETER(hInstDLL); 21 | 22 | /* Process Attach */ 23 | if (VERIFIERDLL_DLL_PROCESS_VERIFIER == nReason) 24 | { 25 | return VERIFIERDLL_DllMainProcessVerifier(pvReserved); 26 | } 27 | 28 | else if (DLL_PROCESS_ATTACH == nReason) 29 | { 30 | return main_DllMainProcessAttach(); 31 | } 32 | 33 | /* Process Detach */ 34 | else if (DLL_PROCESS_DETACH == nReason) 35 | { 36 | return main_DllMainProcessDetach(); 37 | } 38 | 39 | /* Thread Attach\Detach */ 40 | else 41 | { 42 | return TRUE; 43 | } 44 | } 45 | 46 | static BOOL main_DllMainProcessAttach(VOID) 47 | { 48 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE; 49 | 50 | /* 51 | ************************************************************************** 52 | Enter Your Code Here 53 | Remarks: DoubleAgentDll is loaded extremely early during the process boot, while the process is still not completely initialized 54 | This may pose limitations regarding what libraries may be used from main_DllMainProcessAttach 55 | The only library that is guaranteed to work properly and may be used safely is ntdll.dll 56 | Other libraries (e.g. kernel32.dll) may or may not work and should preferably be avoided 57 | 58 | One solution for using additional libraries except from ntdll.dll would be to delay code execution and avoid "heavy" operations from main_DllMainProcessAttach 59 | This can be done in a verity of ways, including setting a hook on the end of the process boot and only then executing the "heavy" code 60 | ************************************************************************** 61 | */ 62 | 63 | /* 64 | * Sample Code - Launch cmd.exe 65 | * As stated above, calling non ntdll.dll libraries may or may not work 66 | * The sample code below uses kernel32.dll and therefore may cause undefined behavior on some operating systems 67 | * This specific code has been tested and found working on Windows 10 x64 but fails on Windows 7 x64 68 | */ 69 | //eStatus = PROCESS_Create(L"C:\\Windows\\System32\\cmd.exe"); 70 | //if (FALSE == DOUBLEAGENT_SUCCESS(eStatus)) 71 | //{ 72 | // goto lbl_cleanup; 73 | //} 74 | 75 | /* Succeeded */ 76 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS); 77 | 78 | //lbl_cleanup: 79 | /* Returns status */ 80 | return FALSE != DOUBLEAGENT_SUCCESS(eStatus); 81 | } 82 | 83 | static BOOL main_DllMainProcessDetach(VOID) 84 | { 85 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE; 86 | 87 | /* Succeeded */ 88 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS); 89 | 90 | /* Returns status */ 91 | return FALSE != DOUBLEAGENT_SUCCESS(eStatus); 92 | } 93 | -------------------------------------------------------------------------------- /DoubleAgentShared/DoubleAgentShared.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5} 23 | DoubleAgentShared 24 | 8.1 25 | 26 | 27 | 28 | StaticLibrary 29 | true 30 | v141 31 | Unicode 32 | 33 | 34 | StaticLibrary 35 | false 36 | v141 37 | true 38 | Unicode 39 | 40 | 41 | StaticLibrary 42 | true 43 | v141 44 | Unicode 45 | 46 | 47 | StaticLibrary 48 | false 49 | v141 50 | true 51 | Unicode 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | Level3 75 | Disabled 76 | true 77 | 78 | 79 | 80 | 81 | Level3 82 | Disabled 83 | true 84 | 85 | 86 | 87 | 88 | Level3 89 | MaxSpeed 90 | true 91 | true 92 | true 93 | 94 | 95 | true 96 | true 97 | 98 | 99 | 100 | 101 | Level3 102 | MaxSpeed 103 | true 104 | true 105 | true 106 | 107 | 108 | true 109 | true 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | -------------------------------------------------------------------------------- /DoubleAgentShared/DoubleAgentShared.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 10 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 11 | 12 | 13 | {411d5b91-27e2-4947-a634-7083829f9822} 14 | 15 | 16 | 17 | 18 | Source Files\Status 19 | 20 | 21 | -------------------------------------------------------------------------------- /DoubleAgentShared/Status.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | /* Macros ********************************************************************/ 4 | #define DOUBLEAGENT_SUCCESS(status) (DOUBLEAGENT_STATUS_SUCCESS == (status)) 5 | #define DOUBLEAGENT_FAILED(status) (FALSE == DOUBLEAGENT_SUCCESS((status))) 6 | #define DOUBLEAGENT_SET(status, value) ((status) = (value)) 7 | 8 | /* Types *********************************************************************/ 9 | typedef enum _DOUBLEAGENT_STATUS 10 | { 11 | DOUBLEAGENT_STATUS_INVALID_VALUE = -1, 12 | DOUBLEAGENT_STATUS_SUCCESS, 13 | DOUBLEAGENT_STATUS_DOUBLEAGENTDLL_PROCESS_CREATE_CREATEPROCESSW_FAILED, 14 | DOUBLEAGENT_STATUS_DOUBLEAGENTDLL_PROCESS_CREATE_INVALID_PARAMS, 15 | DOUBLEAGENT_STATUS_DOUBLEAGENTDLL_VERIFIERDLL_DLLMAINPROCESSVERIFIER_INVALID_PARAMS, 16 | DOUBLEAGENT_STATUS_DOUBLEAGENT_OS_GETARCHITECTURE_INVALID_PARAMS, 17 | DOUBLEAGENT_STATUS_DOUBLEAGENT_OS_GETARCHITECTURE_ISWOW64PROCESS_FAILED, 18 | DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_COMBINE_HEAPALLOC_FAILED, 19 | DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_COMBINE_INVALID_PARAMS, 20 | DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_COMBINE_PATHCOMBINEW_FAILED, 21 | DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_GETDIRECTORY_HEAPALLOC_FAILED, 22 | DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_GETDIRECTORY_INVALID_PARAMS, 23 | DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_GETDIRECTORY_PATHREMOVEFILESPECW_FAILED, 24 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_INSTALL_COPYFILEW_FAILED_X64, 25 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_INSTALL_COPYFILEW_FAILED_X86, 26 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_INSTALL_INVALID_PARAMS, 27 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_INSTALL_UNSUPPORTED_SWITCH_CASE, 28 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGOPENKEYEXW_FAILED_IFEO, 29 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGOPENKEYEXW_FAILED_TEMP_IFEO, 30 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGRENAMEKEY_FAILED, 31 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGSETKEYVALUEW_FAILED_GLOBALFLAG, 32 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGSETKEYVALUEW_FAILED_VERIFIERDLLS, 33 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REPAIR_REGOPENKEYEXW_FAILED, 34 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REPAIR_REGRENAMEKEY_FAILED, 35 | DOUBLEAGENT_STATUS_DOUBLEAGENT_WMAIN_INVALID_ARGS_COUNT, 36 | DOUBLEAGENT_STATUS_DOUBLEAGENT_WMAIN_UNSUPPORTED_ACTION, 37 | 38 | /* Must be last */ 39 | DOUBLEAGENT_STATUS_COUNT 40 | } DOUBLEAGENT_STATUS, *PDOUBLEAGENT_STATUS; 41 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # DoubleAgent 2 | DoubleAgent is a new Zero-Day technique for injecting code and maintaining persistence on a machine (i.e. auto-run). 3 | 4 | DoubleAgent can exploit: 5 | 6 | * Every Windows version (Windows XP to Windows 10) 7 | * Every Windows architecture (x86 and x64) 8 | * Every Windows user (SYSTEM/Admin/etc.) 9 | * Every target process, including privileged processes (OS/Antivirus/etc.) 10 | 11 | DoubleAgent exploits a 15 years old legitimate feature of Windows and therefore cannot be patched. 12 | 13 | ## Code Injection 14 | 15 | DoubleAgent gives the attacker the ability to inject any DLL into any process. The code injection occurs extremely early during the victim’s process boot, giving the attacker full control over the process and no way for the process to protect itself. 16 | The code injection technique is so unique that it’s not detected or blocked by any antivirus. 17 | 18 | ## Persistency 19 | 20 | DoubleAgent can continue injecting code even after reboot making it a perfect persistence technique to “survive” reboots/updates/reinstalls/patches/etc. 21 | Once the attacker decides to inject a DLL into a process, they are forcefully bounded forever. Even if the victim would completely uninstall and reinstall its program, the attacker’s DLL would still be injected every time the process executes. 22 | 23 | ## Attack Vectors 24 | 25 | * Attacking Antivirus & Next Generation Antivirus – Taking full control of any antivirus by injecting code into it while bypassing all of its self-protection mechanism. The attack has been verified and works on all the major antiviruses including but not limited to: Avast, AVG, Avira, Bitdefender, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Norton, Panda, Quick Heal and Trend Micro. 26 | For more details, checkout our [Taking Full Control Over Your Antivirus](http://cybellum.com/doubleagent-taking-full-control-antivirus/) article. 27 | 28 | * Installing Persistent Malware – Installing malware that can “survive” reboots and are automatically executed once the operating system boots. 29 | 30 | * Hijacking Permissions – Hijacking the permissions of an existing trusted process to perform malicious operations in disguise of the trusted process. e.g. Exfiltrating data, C&C communication, lateral movement, stealing and encrypting sensitive data. 31 | 32 | * Altering Process Behavior – Modifying the behavior of the process. e.g. Installing backdoors, weakening encryption algorithms, etc. 33 | 34 | * Attacking Other Users/Sessions – Injecting code to processes of other users/sessions (SYSTEM/Admin/etc.). 35 | 36 | ## Technical Deep Dive 37 | For more details, checkout our [technical](http://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique/) article. 38 | 39 | ## Installation 40 | 1. Clone/Download the DoubleAgent source code. 41 | 2. Build the [main solution](https://github.com/Cybellum/DoubleAgent) twice, once in x86 and once in x64. 42 | This step is crucial as it creates both x86 and x64 versions of DoubleAgentDll.dll which is required in order to perform a successful installation. 43 | 3. Copy the entire bin folder to the target machine. 44 | 4. Execute the installer: 45 | ``` 46 | Usage: DoubleAgent.exe install\uninstall\repair process_name 47 | 48 | e.g. DoubleAgent.exe install cmd.exe 49 | ``` 50 | Note that the 32bit installer (DoubleAgent_x86.exe) can be used both on Windows x86 and Windows x64. 51 | But the 64bit installer (DoubleAgent_x64.exe) can be used only on Windows x64. 52 | 5. The next time the target process loads [DoubleAgentDll.dll](https://github.com/Cybellum/DoubleAgent/tree/master/DoubleAgentDll) would be injected into it. 53 | 54 | ## Authors 55 | Cybellum Technologies LTD (http://cybellum.com/) 56 | --------------------------------------------------------------------------------