├── .gitignore
├── DoubleAgent.sln
├── DoubleAgent
├── DoubleAgent.vcxproj
├── DoubleAgent.vcxproj.filters
├── OS.c
├── OS.h
├── Path.c
├── Path.h
├── Verifier.c
├── Verifier.h
└── main.c
├── DoubleAgentDll
├── DoubleAgentDll.vcxproj
├── DoubleAgentDll.vcxproj.filters
├── Memory.c
├── Memory.h
├── Process.c
├── Process.h
├── VerifierDll.c
├── VerifierDll.h
└── main.c
├── DoubleAgentShared
├── DoubleAgentShared.vcxproj
├── DoubleAgentShared.vcxproj.filters
└── Status.h
├── LICENSE
└── README.md
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 |
4 | # User-specific files
5 | *.suo
6 | *.user
7 | *.userosscache
8 | *.sln.docstates
9 |
10 | # User-specific files (MonoDevelop/Xamarin Studio)
11 | *.userprefs
12 |
13 | # Build results
14 | [Dd]ebug/
15 | [Dd]ebugPublic/
16 | [Rr]elease/
17 | [Rr]eleases/
18 | x64/
19 | x86/
20 | bld/
21 | [Bb]in/
22 | [Oo]bj/
23 | [Ll]og/
24 |
25 | # Visual Studio 2015 cache/options directory
26 | .vs/
27 | # Uncomment if you have tasks that create the project's static files in wwwroot
28 | #wwwroot/
29 |
30 | # MSTest test Results
31 | [Tt]est[Rr]esult*/
32 | [Bb]uild[Ll]og.*
33 |
34 | # NUNIT
35 | *.VisualState.xml
36 | TestResult.xml
37 |
38 | # Build Results of an ATL Project
39 | [Dd]ebugPS/
40 | [Rr]eleasePS/
41 | dlldata.c
42 |
43 | # DNX
44 | project.lock.json
45 | artifacts/
46 |
47 | *_i.c
48 | *_p.c
49 | *_i.h
50 | *.ilk
51 | *.meta
52 | *.obj
53 | *.pch
54 | *.pdb
55 | *.pgc
56 | *.pgd
57 | *.rsp
58 | *.sbr
59 | *.tlb
60 | *.tli
61 | *.tlh
62 | *.tmp
63 | *.tmp_proj
64 | *.log
65 | *.vspscc
66 | *.vssscc
67 | .builds
68 | *.pidb
69 | *.svclog
70 | *.scc
71 |
72 | # Chutzpah Test files
73 | _Chutzpah*
74 |
75 | # Visual C++ cache files
76 | ipch/
77 | *.aps
78 | *.ncb
79 | *.opendb
80 | *.opensdf
81 | *.sdf
82 | *.cachefile
83 | *.VC.db
84 | *.VC.VC.opendb
85 |
86 | # Visual Studio profiler
87 | *.psess
88 | *.vsp
89 | *.vspx
90 | *.sap
91 |
92 | # TFS 2012 Local Workspace
93 | $tf/
94 |
95 | # Guidance Automation Toolkit
96 | *.gpState
97 |
98 | # ReSharper is a .NET coding add-in
99 | _ReSharper*/
100 | *.[Rr]e[Ss]harper
101 | *.DotSettings.user
102 |
103 | # JustCode is a .NET coding add-in
104 | .JustCode
105 |
106 | # TeamCity is a build add-in
107 | _TeamCity*
108 |
109 | # DotCover is a Code Coverage Tool
110 | *.dotCover
111 |
112 | # NCrunch
113 | _NCrunch_*
114 | .*crunch*.local.xml
115 | nCrunchTemp_*
116 |
117 | # MightyMoose
118 | *.mm.*
119 | AutoTest.Net/
120 |
121 | # Web workbench (sass)
122 | .sass-cache/
123 |
124 | # Installshield output folder
125 | [Ee]xpress/
126 |
127 | # DocProject is a documentation generator add-in
128 | DocProject/buildhelp/
129 | DocProject/Help/*.HxT
130 | DocProject/Help/*.HxC
131 | DocProject/Help/*.hhc
132 | DocProject/Help/*.hhk
133 | DocProject/Help/*.hhp
134 | DocProject/Help/Html2
135 | DocProject/Help/html
136 |
137 | # Click-Once directory
138 | publish/
139 |
140 | # Publish Web Output
141 | *.[Pp]ublish.xml
142 | *.azurePubxml
143 | # TODO: Comment the next line if you want to checkin your web deploy settings
144 | # but database connection strings (with potential passwords) will be unencrypted
145 | *.pubxml
146 | *.publishproj
147 |
148 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
149 | # checkin your Azure Web App publish settings, but sensitive information contained
150 | # in these scripts will be unencrypted
151 | PublishScripts/
152 |
153 | # NuGet Packages
154 | *.nupkg
155 | # The packages folder can be ignored because of Package Restore
156 | **/packages/*
157 | # except build/, which is used as an MSBuild target.
158 | !**/packages/build/
159 | # Uncomment if necessary however generally it will be regenerated when needed
160 | #!**/packages/repositories.config
161 | # NuGet v3's project.json files produces more ignoreable files
162 | *.nuget.props
163 | *.nuget.targets
164 |
165 | # Microsoft Azure Build Output
166 | csx/
167 | *.build.csdef
168 |
169 | # Microsoft Azure Emulator
170 | ecf/
171 | rcf/
172 |
173 | # Windows Store app package directories and files
174 | AppPackages/
175 | BundleArtifacts/
176 | Package.StoreAssociation.xml
177 | _pkginfo.txt
178 |
179 | # Visual Studio cache files
180 | # files ending in .cache can be ignored
181 | *.[Cc]ache
182 | # but keep track of directories ending in .cache
183 | !*.[Cc]ache/
184 |
185 | # Others
186 | ClientBin/
187 | ~$*
188 | *~
189 | *.dbmdl
190 | *.dbproj.schemaview
191 | *.pfx
192 | *.publishsettings
193 | node_modules/
194 | orleans.codegen.cs
195 |
196 | # Since there are multiple workflows, uncomment next line to ignore bower_components
197 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
198 | #bower_components/
199 |
200 | # RIA/Silverlight projects
201 | Generated_Code/
202 |
203 | # Backup & report files from converting an old project file
204 | # to a newer Visual Studio version. Backup files are not needed,
205 | # because we have git ;-)
206 | _UpgradeReport_Files/
207 | Backup*/
208 | UpgradeLog*.XML
209 | UpgradeLog*.htm
210 |
211 | # SQL Server files
212 | *.mdf
213 | *.ldf
214 |
215 | # Business Intelligence projects
216 | *.rdl.data
217 | *.bim.layout
218 | *.bim_*.settings
219 |
220 | # Microsoft Fakes
221 | FakesAssemblies/
222 |
223 | # GhostDoc plugin setting file
224 | *.GhostDoc.xml
225 |
226 | # Node.js Tools for Visual Studio
227 | .ntvs_analysis.dat
228 |
229 | # Visual Studio 6 build log
230 | *.plg
231 |
232 | # Visual Studio 6 workspace options file
233 | *.opt
234 |
235 | # Visual Studio LightSwitch build output
236 | **/*.HTMLClient/GeneratedArtifacts
237 | **/*.DesktopClient/GeneratedArtifacts
238 | **/*.DesktopClient/ModelManifest.xml
239 | **/*.Server/GeneratedArtifacts
240 | **/*.Server/ModelManifest.xml
241 | _Pvt_Extensions
242 |
243 | # Paket dependency manager
244 | .paket/paket.exe
245 | paket-files/
246 |
247 | # FAKE - F# Make
248 | .fake/
249 |
250 | # JetBrains Rider
251 | .idea/
252 | *.sln.iml
253 |
--------------------------------------------------------------------------------
/DoubleAgent.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 14
4 | VisualStudioVersion = 14.0.25123.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DoubleAgent", "DoubleAgent\DoubleAgent.vcxproj", "{37D9ADC4-76B6-49EE-A4F9-A02A581B55C4}"
7 | ProjectSection(ProjectDependencies) = postProject
8 | {0358B01A-8542-482B-87C0-F141655BD802} = {0358B01A-8542-482B-87C0-F141655BD802}
9 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5} = {532786D5-D713-455E-AE4A-2E68BF7DFFD5}
10 | EndProjectSection
11 | EndProject
12 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DoubleAgentDll", "DoubleAgentDll\DoubleAgentDll.vcxproj", "{0358B01A-8542-482B-87C0-F141655BD802}"
13 | ProjectSection(ProjectDependencies) = postProject
14 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5} = {532786D5-D713-455E-AE4A-2E68BF7DFFD5}
15 | EndProjectSection
16 | EndProject
17 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DoubleAgentShared", "DoubleAgentShared\DoubleAgentShared.vcxproj", "{532786D5-D713-455E-AE4A-2E68BF7DFFD5}"
18 | EndProject
19 | Global
20 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
21 | Debug|x64 = Debug|x64
22 | Debug|x86 = Debug|x86
23 | Release|x64 = Release|x64
24 | Release|x86 = Release|x86
25 | EndGlobalSection
26 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
27 | {37D9ADC4-76B6-49EE-A4F9-A02A581B55C4}.Debug|x64.ActiveCfg = Debug|x64
28 | {37D9ADC4-76B6-49EE-A4F9-A02A581B55C4}.Debug|x64.Build.0 = Debug|x64
29 | {37D9ADC4-76B6-49EE-A4F9-A02A581B55C4}.Debug|x86.ActiveCfg = Debug|Win32
30 | {37D9ADC4-76B6-49EE-A4F9-A02A581B55C4}.Debug|x86.Build.0 = Debug|Win32
31 | {37D9ADC4-76B6-49EE-A4F9-A02A581B55C4}.Release|x64.ActiveCfg = Release|x64
32 | {37D9ADC4-76B6-49EE-A4F9-A02A581B55C4}.Release|x64.Build.0 = Release|x64
33 | {37D9ADC4-76B6-49EE-A4F9-A02A581B55C4}.Release|x86.ActiveCfg = Release|Win32
34 | {37D9ADC4-76B6-49EE-A4F9-A02A581B55C4}.Release|x86.Build.0 = Release|Win32
35 | {0358B01A-8542-482B-87C0-F141655BD802}.Debug|x64.ActiveCfg = Debug|x64
36 | {0358B01A-8542-482B-87C0-F141655BD802}.Debug|x64.Build.0 = Debug|x64
37 | {0358B01A-8542-482B-87C0-F141655BD802}.Debug|x86.ActiveCfg = Debug|Win32
38 | {0358B01A-8542-482B-87C0-F141655BD802}.Debug|x86.Build.0 = Debug|Win32
39 | {0358B01A-8542-482B-87C0-F141655BD802}.Release|x64.ActiveCfg = Release|x64
40 | {0358B01A-8542-482B-87C0-F141655BD802}.Release|x64.Build.0 = Release|x64
41 | {0358B01A-8542-482B-87C0-F141655BD802}.Release|x86.ActiveCfg = Release|Win32
42 | {0358B01A-8542-482B-87C0-F141655BD802}.Release|x86.Build.0 = Release|Win32
43 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5}.Debug|x64.ActiveCfg = Debug|x64
44 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5}.Debug|x64.Build.0 = Debug|x64
45 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5}.Debug|x86.ActiveCfg = Debug|Win32
46 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5}.Debug|x86.Build.0 = Debug|Win32
47 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5}.Release|x64.ActiveCfg = Release|x64
48 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5}.Release|x64.Build.0 = Release|x64
49 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5}.Release|x86.ActiveCfg = Release|Win32
50 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5}.Release|x86.Build.0 = Release|Win32
51 | EndGlobalSection
52 | GlobalSection(SolutionProperties) = preSolution
53 | HideSolutionNode = FALSE
54 | EndGlobalSection
55 | EndGlobal
56 |
--------------------------------------------------------------------------------
/DoubleAgent/DoubleAgent.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {37D9ADC4-76B6-49EE-A4F9-A02A581B55C4}
23 | DoubleAgent
24 | 8.1
25 |
26 |
27 |
28 | Application
29 | true
30 | v141
31 | Unicode
32 |
33 |
34 | Application
35 | false
36 | v141
37 | true
38 | Unicode
39 |
40 |
41 | Application
42 | true
43 | v141
44 | Unicode
45 |
46 |
47 | Application
48 | false
49 | v141
50 | true
51 | Unicode
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 | $(SolutionDir)bin\
73 | $(ProjectName)_x86
74 |
75 |
76 | $(SolutionDir)bin\
77 | $(ProjectName)_x86
78 |
79 |
80 | $(SolutionDir)bin\
81 | $(ProjectName)_x64
82 |
83 |
84 | $(SolutionDir)bin\
85 | $(ProjectName)_x64
86 |
87 |
88 |
89 | Level4
90 | Disabled
91 | ..\DoubleAgentShared;%(AdditionalIncludeDirectories)
92 | MultiThreadedDebug
93 |
94 |
95 | shlwapi.lib;%(AdditionalDependencies)
96 | RequireAdministrator
97 |
98 |
99 |
100 |
101 | Level4
102 | Disabled
103 | ..\DoubleAgentShared;%(AdditionalIncludeDirectories)
104 | MultiThreadedDebug
105 |
106 |
107 | shlwapi.lib;%(AdditionalDependencies)
108 | RequireAdministrator
109 |
110 |
111 |
112 |
113 | Level4
114 | MaxSpeed
115 | true
116 | true
117 | ..\DoubleAgentShared;%(AdditionalIncludeDirectories)
118 | MultiThreaded
119 |
120 |
121 | true
122 | true
123 | shlwapi.lib;%(AdditionalDependencies)
124 | RequireAdministrator
125 |
126 |
127 |
128 |
129 | Level4
130 | MaxSpeed
131 | true
132 | true
133 | ..\DoubleAgentShared;%(AdditionalIncludeDirectories)
134 | MultiThreaded
135 |
136 |
137 | true
138 | true
139 | shlwapi.lib;%(AdditionalDependencies)
140 | RequireAdministrator
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
--------------------------------------------------------------------------------
/DoubleAgent/DoubleAgent.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
10 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
11 |
12 |
13 | {34e3579a-db9c-44c6-a083-5a4799b577a0}
14 |
15 |
16 | {953868bc-5d8d-4ec6-be5d-76777ae32700}
17 |
18 |
19 | {03118afc-539e-446b-b67a-8fefeba32d90}
20 |
21 |
22 |
23 |
24 | Source Files
25 |
26 |
27 | Source Files\Verifier
28 |
29 |
30 | Source Files\OS
31 |
32 |
33 | Source Files\Path
34 |
35 |
36 |
37 |
38 | Source Files\Verifier
39 |
40 |
41 | Source Files\OS
42 |
43 |
44 | Source Files\Path
45 |
46 |
47 |
--------------------------------------------------------------------------------
/DoubleAgent/OS.c:
--------------------------------------------------------------------------------
1 | /* Includes ******************************************************************/
2 | #include
3 | #include "Status.h"
4 | #include "OS.h"
5 |
6 | /* Public Function Definitions ***********************************************/
7 | DOUBLEAGENT_STATUS OS_GetArchitecture(OUT POS_ARCHITECTURE peOsArchitecture)
8 | {
9 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE;
10 | OS_ARCHITECTURE eOsArchitectureLocal = OS_ARCHITECTURE_INVALID_VALUE;
11 | #ifndef _WIN64
12 | BOOL bIsWow64 = FALSE;
13 | #endif
14 |
15 | /* Validates the parameters */
16 | if (NULL == peOsArchitecture)
17 | {
18 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_OS_GETARCHITECTURE_INVALID_PARAMS);
19 | goto lbl_cleanup;
20 | }
21 |
22 | #ifdef _WIN64
23 | /* The program is executing 64 bit code, the OS must be 64 bit */
24 | eOsArchitectureLocal = OS_ARCHITECTURE_X64;
25 | #else
26 | /* The program is executing 32 bit code, checks the OS architecture */
27 | if (FALSE == IsWow64Process(GetCurrentProcess(), &bIsWow64))
28 | {
29 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_OS_GETARCHITECTURE_ISWOW64PROCESS_FAILED);
30 | goto lbl_cleanup;
31 | }
32 |
33 | if (FALSE != bIsWow64)
34 | {
35 | /* The process is running under WOW64, the OS is 64 bit */
36 | eOsArchitectureLocal = OS_ARCHITECTURE_X64;
37 | }
38 | else
39 | {
40 | /* The process is not running under WOW64, the OS is 32 bit */
41 | eOsArchitectureLocal = OS_ARCHITECTURE_X86;
42 | }
43 | #endif
44 |
45 | /* Sets the received parameters */
46 | *peOsArchitecture = eOsArchitectureLocal;
47 |
48 | /* Succeeded */
49 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS);
50 |
51 | lbl_cleanup:
52 | /* Returns status */
53 | return eStatus;
54 | }
55 |
--------------------------------------------------------------------------------
/DoubleAgent/OS.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | /* Includes ******************************************************************/
4 | #include
5 | #include "Status.h"
6 |
7 | /* Types *********************************************************************/
8 | typedef enum _OS_ARCHITECTURE
9 | {
10 | OS_ARCHITECTURE_INVALID_VALUE = -1,
11 | OS_ARCHITECTURE_X86,
12 | OS_ARCHITECTURE_X64,
13 |
14 | /* Must be last */
15 | OS_ARCHITECTURE_COUNT
16 | } OS_ARCHITECTURE, *POS_ARCHITECTURE;
17 |
18 | /* Function Declarations *****************************************************/
19 | /*
20 | * Gets the operating system architecture
21 | */
22 | DOUBLEAGENT_STATUS OS_GetArchitecture(OUT POS_ARCHITECTURE peOsArchitecture);
23 |
--------------------------------------------------------------------------------
/DoubleAgent/Path.c:
--------------------------------------------------------------------------------
1 | /* Includes ******************************************************************/
2 | #include
3 | #include
4 | #include "Status.h"
5 | #include "Path.h"
6 |
7 | /* Public Function Definitions ***********************************************/
8 | DOUBLEAGENT_STATUS PATH_GetDirectory(IN PCWSTR pcwszFilePath, OUT PWSTR *ppwszDirPath)
9 | {
10 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE;
11 | PWSTR pwszDirPathLocal = NULL;
12 | SIZE_T nFilePathLenInBytes = 0;
13 |
14 | /* Validates the parameters */
15 | if ((NULL == pcwszFilePath) || (NULL == ppwszDirPath))
16 | {
17 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_GETDIRECTORY_INVALID_PARAMS);
18 | goto lbl_cleanup;
19 | }
20 |
21 | /* Gets the file path length in bytes */
22 | nFilePathLenInBytes = (wcslen(pcwszFilePath) + 1) * sizeof(*pcwszFilePath);
23 |
24 | /* Allocates the directory path */
25 | pwszDirPathLocal = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, nFilePathLenInBytes);
26 | if (NULL == pwszDirPathLocal)
27 | {
28 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_GETDIRECTORY_HEAPALLOC_FAILED);
29 | goto lbl_cleanup;
30 | }
31 |
32 | /* Copies the file path to the directory path */
33 | CopyMemory(pwszDirPathLocal, pcwszFilePath, nFilePathLenInBytes);
34 |
35 | /* Creates the directory path by removing the file name */
36 | if (FALSE == PathRemoveFileSpecW(pwszDirPathLocal))
37 | {
38 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_GETDIRECTORY_PATHREMOVEFILESPECW_FAILED);
39 | goto lbl_cleanup;
40 | }
41 |
42 | /* Sets the received parameters */
43 | *ppwszDirPath = pwszDirPathLocal;
44 | pwszDirPathLocal = NULL;
45 |
46 | /* Succeeded */
47 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS);
48 |
49 | lbl_cleanup:
50 | /* Frees the directory path */
51 | if (NULL != pwszDirPathLocal)
52 | {
53 | (VOID)HeapFree(GetProcessHeap(), 0, pwszDirPathLocal);
54 | pwszDirPathLocal = NULL;
55 | }
56 |
57 | /* Returns status */
58 | return eStatus;
59 | }
60 |
61 | DOUBLEAGENT_STATUS PATH_Combine(IN PCWSTR pcwszPath1, IN PCWSTR pcwszPath2, OUT PWSTR *ppwszCombined)
62 | {
63 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE;
64 | PWSTR pwszCombinedLocal = NULL;
65 |
66 | /* Validates the parameters */
67 | if ((NULL == pcwszPath1) || (NULL == pcwszPath2) || (NULL == ppwszCombined))
68 | {
69 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_COMBINE_INVALID_PARAMS);
70 | goto lbl_cleanup;
71 | }
72 |
73 | /* Allocates the combined path */
74 | pwszCombinedLocal = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, MAX_PATH * sizeof(*pwszCombinedLocal));
75 | if (NULL == pwszCombinedLocal)
76 | {
77 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_COMBINE_HEAPALLOC_FAILED);
78 | goto lbl_cleanup;
79 | }
80 |
81 | /* Combines the paths */
82 | if (NULL == PathCombineW(pwszCombinedLocal, pcwszPath1, pcwszPath2))
83 | {
84 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_COMBINE_PATHCOMBINEW_FAILED);
85 | goto lbl_cleanup;
86 | }
87 |
88 | /* Sets the received parameters */
89 | *ppwszCombined = pwszCombinedLocal;
90 | pwszCombinedLocal = NULL;
91 |
92 | /* Succeeded */
93 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS);
94 |
95 | lbl_cleanup:
96 | /* Frees the combined path */
97 | if (NULL != pwszCombinedLocal)
98 | {
99 | (VOID)HeapFree(GetProcessHeap(), 0, pwszCombinedLocal);
100 | pwszCombinedLocal = NULL;
101 | }
102 |
103 | /* Returns status */
104 | return eStatus;
105 | }
106 |
--------------------------------------------------------------------------------
/DoubleAgent/Path.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | /* Includes ******************************************************************/
4 | #include
5 | #include "Status.h"
6 |
7 | /* Function Declarations *****************************************************/
8 | /*
9 | * Receives a file path and returns its directory path
10 | * The directory path must be freed via HeapFree
11 | */
12 | DOUBLEAGENT_STATUS PATH_GetDirectory(IN PCWSTR pcwszFilePath, OUT PWSTR *ppwszDirPath);
13 | /*
14 | * Receives two file paths and combines them into a single valid path
15 | * The combined path must be freed via HeapFree
16 | */
17 | DOUBLEAGENT_STATUS PATH_Combine(IN PCWSTR pcwszPath1, IN PCWSTR pcwszPath2, OUT PWSTR *ppwszCombined);
18 |
--------------------------------------------------------------------------------
/DoubleAgent/Verifier.c:
--------------------------------------------------------------------------------
1 | /* Includes ******************************************************************/
2 | #include
3 | #include
4 | #include
5 | #include "Status.h"
6 | #include "OS.h"
7 | #include "Path.h"
8 | #include "Verifier.h"
9 |
10 | /* Macros ********************************************************************/
11 | #define VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_NAME L"Image File Execution Options"
12 | #define VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_NAME_TEMP L"3cf9a53d-a1f5-4945-ac5b-5e87bbf46ad2"
13 | #define VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_SUB_KEY (L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\" ## VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_NAME)
14 | #define VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_SUB_KEY_TEMP (L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\" ## VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_NAME_TEMP)
15 | #define VERIFIER_SYSWOW64_PATH (L"C:\\Windows\\SysWOW64")
16 | #define VERIFIER_SYSNATIVE_PATH (L"C:\\Windows\\Sysnative")
17 | #define VERIFIER_SYSTEM32_PATH (L"C:\\Windows\\System32")
18 | #define VERIFIER_VERIFIERDLLS_VALUE_NAME (L"VerifierDlls")
19 | #define VERIFIER_GLOBALFLAG_VALUE_NAME (L"GlobalFlag")
20 | #define VERIFIER_FLG_APPLICATION_VERIFIER (0x100)
21 |
22 | /* Function Declarations *****************************************************/
23 | /*
24 | * Registers the verifier dll to the process
25 | */
26 | static DOUBLEAGENT_STATUS verifier_Register(IN PCWSTR pcwszProcessName, IN PCWSTR pcwszVrfDllName);
27 | /*
28 | * Unregisters the verifier dll from the process
29 | */
30 | static VOID verifier_Unregister(IN PCWSTR pcwszProcessName);
31 | /*
32 | * Gets the installation path for the x86 verifier dll
33 | * The installation path must be freed via HeapFree
34 | */
35 | static DOUBLEAGENT_STATUS verifier_GetInstallPathX86(IN PCWSTR pcwszVrfDllName, OUT PVOID *ppwszVrfDllInstallPath);
36 | /*
37 | * Gets the installation path for the x64 verifier dll
38 | * The installation path must be freed via HeapFree
39 | */
40 | static DOUBLEAGENT_STATUS verifier_GetInstallPathX64(IN PCWSTR pcwszVrfDllName, OUT PVOID *ppwszVrfDllInstallPath);
41 |
42 | /* Public Function Definitions ***********************************************/
43 | DOUBLEAGENT_STATUS VERIFIER_Install(IN PCWSTR pcwszProcessName, IN PCWSTR pcwszVrfDllName, IN PCWSTR pcwszVrfDllPathX86, IN PCWSTR pcwszVrfDllPathX64)
44 | {
45 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE;
46 | OS_ARCHITECTURE eOsArchitecture = OS_ARCHITECTURE_INVALID_VALUE;
47 | PWSTR pwszVrfDllInstallPathX86 = NULL;
48 | PWSTR pwszVrfDllInstallPathX64 = NULL;
49 | BOOL bRegistered = FALSE;
50 | BOOL bCopiedX86 = FALSE;
51 | BOOL bCopiedX64 = FALSE;
52 |
53 | /* Validates the parameters */
54 | if ((NULL == pcwszProcessName) || (NULL == pcwszVrfDllName) || (NULL == pcwszVrfDllPathX86) || (NULL == pcwszVrfDllPathX64))
55 | {
56 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_INSTALL_INVALID_PARAMS);
57 | goto lbl_cleanup;
58 | }
59 |
60 | /* Gets the operating system architecture */
61 | eStatus = OS_GetArchitecture(&eOsArchitecture);
62 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus))
63 | {
64 | goto lbl_cleanup;
65 | }
66 |
67 | /* Registers the verifier dll to the process */
68 | eStatus = verifier_Register(pcwszProcessName, pcwszVrfDllName);
69 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus))
70 | {
71 | goto lbl_cleanup;
72 | }
73 | bRegistered = TRUE;
74 |
75 | switch (eOsArchitecture)
76 | {
77 | case OS_ARCHITECTURE_X64:
78 | /* Gets the install path for the x64 verifier dll */
79 | eStatus = verifier_GetInstallPathX64(pcwszVrfDllName, &pwszVrfDllInstallPathX64);
80 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus))
81 | {
82 | goto lbl_cleanup;
83 | }
84 |
85 | /* Copies the x64 verifier dll to its installation path */
86 | if (FALSE == CopyFileW(pcwszVrfDllPathX64, pwszVrfDllInstallPathX64, FALSE))
87 | {
88 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_INSTALL_COPYFILEW_FAILED_X64);
89 | goto lbl_cleanup;
90 | }
91 | bCopiedX64 = TRUE;
92 | /* Falls into the x86 case */
93 | case OS_ARCHITECTURE_X86:
94 | /* Gets the install path for the x86 verifier dll */
95 | eStatus = verifier_GetInstallPathX86(pcwszVrfDllName, &pwszVrfDllInstallPathX86);
96 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus))
97 | {
98 | goto lbl_cleanup;
99 | }
100 |
101 | /* Copies the x86 verifier dll to its installation path */
102 | if (FALSE == CopyFileW(pcwszVrfDllPathX86, pwszVrfDllInstallPathX86, FALSE))
103 | {
104 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_INSTALL_COPYFILEW_FAILED_X86);
105 | goto lbl_cleanup;
106 | }
107 | bCopiedX86 = TRUE;
108 | break;
109 | default:
110 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_INSTALL_UNSUPPORTED_SWITCH_CASE);
111 | goto lbl_cleanup;
112 | }
113 |
114 | /* Succeeded */
115 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS);
116 |
117 | lbl_cleanup:
118 | /* If failed, reverts the changes */
119 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus))
120 | {
121 | if (FALSE != bCopiedX86)
122 | {
123 | /* Deletes the x86 verifier dll */
124 | (VOID)DeleteFileW(pwszVrfDllInstallPathX86);
125 | bCopiedX86 = FALSE;
126 | }
127 |
128 | if (FALSE != bCopiedX64)
129 | {
130 | /* Deletes the x64 verifier dll */
131 | (VOID)DeleteFileW(pwszVrfDllInstallPathX64);
132 | bCopiedX64 = FALSE;
133 | }
134 |
135 | /* Unregisters the verifier dll */
136 | if (FALSE != bRegistered)
137 | {
138 | verifier_Unregister(pcwszProcessName);
139 | bRegistered = FALSE;
140 | }
141 | }
142 |
143 | /* Frees the x86 install path */
144 | if (NULL != pwszVrfDllInstallPathX86)
145 | {
146 | (VOID)HeapFree(GetProcessHeap(), 0, pwszVrfDllInstallPathX86);
147 | pwszVrfDllInstallPathX86 = NULL;
148 | }
149 |
150 | /* Frees the x64 install path */
151 | if (NULL != pwszVrfDllInstallPathX64)
152 | {
153 | (VOID)HeapFree(GetProcessHeap(), 0, pwszVrfDllInstallPathX64);
154 | pwszVrfDllInstallPathX64 = NULL;
155 | }
156 |
157 | /* Returns status */
158 | return eStatus;
159 | }
160 |
161 | DOUBLEAGENT_STATUS VERIFIER_Repair(VOID)
162 | {
163 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE;
164 | HKEY hIfeoKey = NULL;
165 | LONG lOpenKeyStatus = 0;
166 |
167 | /*
168 | * In some cases (application crash, exception, etc.) the install\uninstall functions may accidentally leave the IFEO key with its temporary name
169 | * Checks if the temporary name exists
170 | */
171 | lOpenKeyStatus = RegOpenKeyExW(HKEY_LOCAL_MACHINE, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_SUB_KEY_TEMP, 0, KEY_WRITE | KEY_WOW64_64KEY, &hIfeoKey);
172 | if (ERROR_SUCCESS == lOpenKeyStatus)
173 | {
174 | /* Repairs the IFEO key by restoring it to its original name */
175 | if (ERROR_SUCCESS != RegRenameKey(hIfeoKey, NULL, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_NAME))
176 | {
177 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REPAIR_REGRENAMEKEY_FAILED);
178 | goto lbl_cleanup;
179 | }
180 | }
181 | else if (ERROR_FILE_NOT_FOUND == lOpenKeyStatus)
182 | {
183 | /* Everything is OK, nothing to repair */
184 | }
185 | else
186 | {
187 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REPAIR_REGOPENKEYEXW_FAILED);
188 | goto lbl_cleanup;
189 | }
190 |
191 | /* Succeeded */
192 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS);
193 |
194 | lbl_cleanup:
195 | /* Closes the IFEO key */
196 | if (NULL != hIfeoKey)
197 | {
198 | (VOID)RegCloseKey(hIfeoKey);
199 | hIfeoKey = NULL;
200 | }
201 |
202 | /* Returns status */
203 | return eStatus;
204 | }
205 |
206 | VOID VERIFIER_Uninstall(IN PCWSTR pcwszProcessName, IN PCWSTR pcwszVrfDllName)
207 | {
208 | OS_ARCHITECTURE eOsArchitecture = OS_ARCHITECTURE_INVALID_VALUE;
209 | PWSTR pwszVrfDllInstallPathX86 = NULL;
210 | PWSTR pwszVrfDllInstallPathX64 = NULL;
211 |
212 | /* Validates the parameters */
213 | if ((NULL != pcwszProcessName) && (NULL != pcwszVrfDllName))
214 | {
215 | /* Gets the operating system architecture */
216 | if (FALSE != DOUBLEAGENT_SUCCESS(OS_GetArchitecture(&eOsArchitecture)))
217 | {
218 | switch (eOsArchitecture)
219 | {
220 | case OS_ARCHITECTURE_X64:
221 | /* Gets the install path for the x64 verifier dll */
222 | if (FALSE != DOUBLEAGENT_SUCCESS(verifier_GetInstallPathX64(pcwszVrfDllName, &pwszVrfDllInstallPathX64)))
223 | {
224 | /* Deletes the x64 verifier dll */
225 | (VOID)DeleteFileW(pwszVrfDllInstallPathX64);
226 |
227 | /* Frees the x64 install path */
228 | (VOID)HeapFree(GetProcessHeap(), 0, pwszVrfDllInstallPathX64);
229 | pwszVrfDllInstallPathX64 = NULL;
230 | }
231 | /* Falls into the x86 case */
232 | case OS_ARCHITECTURE_X86:
233 | /* Gets the install path for the x86 verifier dll */
234 | if (FALSE != DOUBLEAGENT_SUCCESS(verifier_GetInstallPathX86(pcwszVrfDllName, &pwszVrfDllInstallPathX86)))
235 | {
236 | /* Deletes the x86 verifier dll */
237 | (VOID)DeleteFileW(pwszVrfDllInstallPathX86);
238 |
239 | /* Frees the x86 install path */
240 | (VOID)HeapFree(GetProcessHeap(), 0, pwszVrfDllInstallPathX86);
241 | pwszVrfDllInstallPathX86 = NULL;
242 | }
243 | break;
244 | }
245 | }
246 |
247 | /* Unregisters the verifier dll */
248 | verifier_Unregister(pcwszProcessName);
249 | }
250 | }
251 |
252 | /* Private Function Definitions **********************************************/
253 | static DOUBLEAGENT_STATUS verifier_Register(IN PCWSTR pcwszProcessName, IN PCWSTR pcwszVrfDllName)
254 | {
255 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE;
256 | HKEY hIfeoKey = NULL;
257 | HKEY hIfeoKeyTemp = NULL;
258 | DWORD dwGlobalFlag = VERIFIER_FLG_APPLICATION_VERIFIER;
259 | DWORD dwVrfDllNameLenInBytes = 0;
260 | BOOL bKeyRenamed = FALSE;
261 | BOOL bCreatedVerifierDlls = FALSE;
262 | BOOL bCreatedVerifierDllsTemp = FALSE;
263 | BOOL bCreatedGlobalFlag = FALSE;
264 | BOOL bCreatedGlobalFlagTemp = FALSE;
265 |
266 | /* Validates the parameters */
267 | _ASSERT(NULL != pcwszProcessName);
268 | _ASSERT(NULL != pcwszVrfDllName);
269 |
270 | /* Gets the verifier dll name length in bytes */
271 | dwVrfDllNameLenInBytes = (DWORD)(wcslen(pcwszVrfDllName) + 1) * sizeof(*pcwszVrfDllName);
272 |
273 | /* Opens the IFEO key */
274 | if (ERROR_SUCCESS != RegOpenKeyExW(HKEY_LOCAL_MACHINE, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_SUB_KEY, 0, KEY_WRITE | KEY_SET_VALUE | KEY_WOW64_64KEY, &hIfeoKey))
275 | {
276 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGOPENKEYEXW_FAILED_IFEO);
277 | goto lbl_cleanup;
278 | }
279 |
280 | /* Creates the VerifierDlls value and sets it to the verifier dll name */
281 | bCreatedVerifierDlls = (ERROR_SUCCESS == RegSetKeyValueW(hIfeoKey, pcwszProcessName, VERIFIER_VERIFIERDLLS_VALUE_NAME, REG_SZ, pcwszVrfDllName, dwVrfDllNameLenInBytes));
282 |
283 | /*
284 | * Creates the GlobalFlag value and sets it to FLG_APPLICATION_VERIFIER
285 | * Read more: https://msdn.microsoft.com/en-us/library/windows/hardware/ff542875(v=vs.85).aspx
286 | */
287 | bCreatedGlobalFlag = (ERROR_SUCCESS == RegSetKeyValueW(hIfeoKey, pcwszProcessName, VERIFIER_GLOBALFLAG_VALUE_NAME, REG_DWORD, &dwGlobalFlag, sizeof(dwGlobalFlag)));
288 |
289 | /*
290 | * The key creation might fail because some antiviruses protect the keys of their processes under the IFEO
291 | * One possible bypass is to rename the IFEO key name to a temporary name, create the keys, and restores the IFEO key name
292 | */
293 | if ((FALSE == bCreatedVerifierDlls) || (FALSE == bCreatedGlobalFlag))
294 | {
295 | /* Renames the IFEO key name to a temporary name */
296 | if (ERROR_SUCCESS != RegRenameKey(hIfeoKey, NULL, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_NAME_TEMP))
297 | {
298 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGRENAMEKEY_FAILED);
299 | goto lbl_cleanup;
300 | }
301 | bKeyRenamed = TRUE;
302 |
303 | /*
304 | * Opens the temporary IFEO key
305 | * The key is reopened because some antiviruses continue monitoring and blocking the handle that opened the original IFEO
306 | */
307 | if (ERROR_SUCCESS != RegOpenKeyExW(HKEY_LOCAL_MACHINE, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_SUB_KEY_TEMP, 0, KEY_SET_VALUE | KEY_WOW64_64KEY, &hIfeoKeyTemp))
308 | {
309 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGOPENKEYEXW_FAILED_TEMP_IFEO);
310 | goto lbl_cleanup;
311 | }
312 |
313 | if (FALSE == bCreatedVerifierDlls)
314 | {
315 | /* Tries again to create the VerifierDlls value */
316 | if (ERROR_SUCCESS != RegSetKeyValueW(hIfeoKeyTemp, pcwszProcessName, VERIFIER_VERIFIERDLLS_VALUE_NAME, REG_SZ, pcwszVrfDllName, dwVrfDllNameLenInBytes))
317 | {
318 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGSETKEYVALUEW_FAILED_VERIFIERDLLS);
319 | goto lbl_cleanup;
320 | }
321 | bCreatedVerifierDllsTemp = TRUE;
322 | }
323 |
324 | if (FALSE == bCreatedGlobalFlag)
325 | {
326 | /* Tries again to create the GlobalFlag value */
327 | if (ERROR_SUCCESS != RegSetKeyValueW(hIfeoKeyTemp, pcwszProcessName, VERIFIER_GLOBALFLAG_VALUE_NAME, REG_DWORD, &dwGlobalFlag, sizeof(dwGlobalFlag)))
328 | {
329 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGSETKEYVALUEW_FAILED_GLOBALFLAG);
330 | goto lbl_cleanup;
331 | }
332 | bCreatedGlobalFlagTemp = TRUE;
333 | }
334 | }
335 |
336 | /* Succeeded */
337 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS);
338 |
339 | lbl_cleanup:
340 | /* If failed, reverts the changes */
341 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus))
342 | {
343 | /* Deletes the GlobalFlag temp value */
344 | if (FALSE != bCreatedGlobalFlagTemp)
345 | {
346 | (VOID)RegDeleteKeyValueW(hIfeoKeyTemp, pcwszProcessName, VERIFIER_GLOBALFLAG_VALUE_NAME);
347 | bCreatedGlobalFlagTemp = FALSE;
348 | }
349 |
350 | /* Deletes the VerifierDlls temp value */
351 | if (FALSE != bCreatedVerifierDllsTemp)
352 | {
353 | (VOID)RegDeleteKeyValueW(hIfeoKeyTemp, pcwszProcessName, VERIFIER_VERIFIERDLLS_VALUE_NAME);
354 | bCreatedVerifierDllsTemp = FALSE;
355 | }
356 |
357 | /* Deletes the GlobalFlag value */
358 | if (FALSE != bCreatedGlobalFlag)
359 | {
360 | (VOID)RegDeleteKeyValueW(hIfeoKey, pcwszProcessName, VERIFIER_GLOBALFLAG_VALUE_NAME);
361 | bCreatedGlobalFlag = FALSE;
362 | }
363 |
364 | /* Deletes the VerifierDlls value */
365 | if (FALSE != bCreatedVerifierDlls)
366 | {
367 | (VOID)RegDeleteKeyValueW(hIfeoKey, pcwszProcessName, VERIFIER_VERIFIERDLLS_VALUE_NAME);
368 | bCreatedVerifierDlls = FALSE;
369 | }
370 | }
371 |
372 | /* Closes the temporary IFEO key */
373 | if (NULL != hIfeoKeyTemp)
374 | {
375 | (VOID)RegCloseKey(hIfeoKeyTemp);
376 | hIfeoKeyTemp = NULL;
377 | }
378 |
379 | /* Restores the IFEO key name */
380 | if (FALSE != bKeyRenamed)
381 | {
382 | (VOID)RegRenameKey(hIfeoKey, NULL, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_NAME);
383 | bKeyRenamed = FALSE;
384 | }
385 |
386 | /* Closes the IFEO key */
387 | if (NULL != hIfeoKey)
388 | {
389 | (VOID)RegCloseKey(hIfeoKey);
390 | hIfeoKey = NULL;
391 | }
392 |
393 | /* Returns status */
394 | return eStatus;
395 | }
396 |
397 | static VOID verifier_Unregister(IN PCWSTR pcwszProcessName)
398 | {
399 | HKEY hIfeoKey = NULL;
400 | HKEY hIfeoKeyTemp = NULL;
401 | BOOL bDeletedVerifierDlls = FALSE;
402 | BOOL bDeletedGlobalFlag = FALSE;
403 |
404 | /* Validates the parameters */
405 | _ASSERT(NULL != pcwszProcessName);
406 |
407 | /* Opens the IFEO key */
408 | if (ERROR_SUCCESS == RegOpenKeyExW(HKEY_LOCAL_MACHINE, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_SUB_KEY, 0, KEY_WRITE | KEY_SET_VALUE | KEY_WOW64_64KEY, &hIfeoKey))
409 | {
410 | /* Deletes the VerifierDlls value */
411 | bDeletedVerifierDlls = (ERROR_SUCCESS == RegDeleteKeyValueW(hIfeoKey, pcwszProcessName, VERIFIER_VERIFIERDLLS_VALUE_NAME));
412 |
413 | /* Deletes the GlobalFlag value */
414 | bDeletedGlobalFlag = (ERROR_SUCCESS == RegDeleteKeyValueW(hIfeoKey, pcwszProcessName, VERIFIER_GLOBALFLAG_VALUE_NAME));
415 |
416 | /*
417 | * The key deletion might fail because some antiviruses protect the keys of their processes under the IFEO
418 | * One possible bypass is to rename the IFEO key name to a temporary name, delete the keys, and restores the IFEO key name
419 | */
420 | if ((FALSE == bDeletedVerifierDlls) || (FALSE == bDeletedGlobalFlag))
421 | {
422 | /* Renames the IFEO key name to a temporary name */
423 | if (ERROR_SUCCESS == RegRenameKey(hIfeoKey, NULL, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_NAME_TEMP))
424 | {
425 | /*
426 | * Opens the temporary IFEO key
427 | * The key is reopened because some antiviruses continue monitoring and blocking the handle that opened the original IFEO
428 | */
429 | if (ERROR_SUCCESS == RegOpenKeyExW(HKEY_LOCAL_MACHINE, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_SUB_KEY_TEMP, 0, KEY_SET_VALUE | KEY_WOW64_64KEY, &hIfeoKeyTemp))
430 | {
431 | /* Tries again to delete the VerifierDlls value */
432 | if (FALSE == bDeletedVerifierDlls)
433 | {
434 | (VOID)RegDeleteKeyValueW(hIfeoKeyTemp, pcwszProcessName, VERIFIER_VERIFIERDLLS_VALUE_NAME);
435 | bDeletedVerifierDlls = TRUE;
436 | }
437 |
438 | /* Tries again to delete the GlobalFlag value */
439 | if (FALSE == bDeletedGlobalFlag)
440 | {
441 | (VOID)RegDeleteKeyValueW(hIfeoKeyTemp, pcwszProcessName, VERIFIER_GLOBALFLAG_VALUE_NAME);
442 | bDeletedGlobalFlag = TRUE;
443 | }
444 |
445 | /* Closes the temporary IFEO key */
446 | (VOID)RegCloseKey(hIfeoKeyTemp);
447 | hIfeoKeyTemp = NULL;
448 | }
449 |
450 | /* Restores the IFEO key name */
451 | (VOID)RegRenameKey(hIfeoKey, NULL, VERIFIER_IMAGE_FILE_EXECUTION_OPTIONS_NAME);
452 | }
453 | }
454 |
455 | /* Closes the IFEO key */
456 | (VOID)RegCloseKey(hIfeoKey);
457 | hIfeoKey = NULL;
458 | }
459 | }
460 |
461 | static DOUBLEAGENT_STATUS verifier_GetInstallPathX86(IN PCWSTR pcwszVrfDllName, OUT PVOID *ppwszVrfDllInstallPath)
462 | {
463 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE;
464 | PWSTR pwszVrfDllInstallPathLocal = NULL;
465 |
466 | /* Validates the parameters */
467 | _ASSERT(NULL != pcwszVrfDllName);
468 | _ASSERT(NULL != ppwszVrfDllInstallPath);
469 |
470 | #ifndef _WIN64
471 | /*
472 | * x86 OS - Path should be System32
473 | * x64 OS - Path should be SysWOW64 (File system redirection would implicitly convert System32 to SysWOW64)
474 | */
475 | eStatus = PATH_Combine(VERIFIER_SYSTEM32_PATH, pcwszVrfDllName, &pwszVrfDllInstallPathLocal);
476 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus))
477 | {
478 | goto lbl_cleanup;
479 | }
480 | #else
481 | /*
482 | * x86 OS - Impossible (Can't run x64 code on x86 OS)
483 | * x64 OS - Path should be SysWOW64
484 | */
485 | eStatus = PATH_Combine(VERIFIER_SYSWOW64_PATH, pcwszVrfDllName, &pwszVrfDllInstallPathLocal);
486 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus))
487 | {
488 | goto lbl_cleanup;
489 | }
490 | #endif
491 |
492 | /* Sets the received parameters */
493 | *ppwszVrfDllInstallPath = pwszVrfDllInstallPathLocal;
494 | pwszVrfDllInstallPathLocal = NULL;
495 |
496 | /* Succeeded */
497 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS);
498 |
499 | lbl_cleanup:
500 | /* Frees the install path */
501 | if (NULL != pwszVrfDllInstallPathLocal)
502 | {
503 | (VOID)HeapFree(GetProcessHeap(), 0, pwszVrfDllInstallPathLocal);
504 | pwszVrfDllInstallPathLocal = NULL;
505 | }
506 |
507 | /* Returns status */
508 | return eStatus;
509 | }
510 |
511 | static DOUBLEAGENT_STATUS verifier_GetInstallPathX64(IN PCWSTR pcwszVrfDllName, OUT PVOID *ppwszVrfDllInstallPath)
512 | {
513 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE;
514 | PWSTR pwszVrfDllInstallPathLocal = NULL;
515 |
516 | /* Validates the parameters */
517 | _ASSERT(NULL != pcwszVrfDllName);
518 | _ASSERT(NULL != ppwszVrfDllInstallPath);
519 |
520 | #ifndef _WIN64
521 | /* x64 OS - Path should be System32 (File system redirection would implicitly convert Sysnative to System32) */
522 | eStatus = PATH_Combine(VERIFIER_SYSNATIVE_PATH, pcwszVrfDllName, &pwszVrfDllInstallPathLocal);
523 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus))
524 | {
525 | goto lbl_cleanup;
526 | }
527 | #else
528 | /* x64 OS - Path should be System32 */
529 | eStatus = PATH_Combine(VERIFIER_SYSTEM32_PATH, pcwszVrfDllName, &pwszVrfDllInstallPathLocal);
530 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus))
531 | {
532 | goto lbl_cleanup;
533 | }
534 | #endif
535 |
536 | /* Sets the received parameters */
537 | *ppwszVrfDllInstallPath = pwszVrfDllInstallPathLocal;
538 | pwszVrfDllInstallPathLocal = NULL;
539 |
540 | /* Succeeded */
541 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS);
542 |
543 | lbl_cleanup:
544 | /* Frees the install path */
545 | if (NULL != pwszVrfDllInstallPathLocal)
546 | {
547 | (VOID)HeapFree(GetProcessHeap(), 0, pwszVrfDllInstallPathLocal);
548 | pwszVrfDllInstallPathLocal = NULL;
549 | }
550 |
551 | /* Returns status */
552 | return eStatus;
553 | }
554 |
--------------------------------------------------------------------------------
/DoubleAgent/Verifier.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | /* Includes ******************************************************************/
4 | #include
5 | #include "Status.h"
6 |
7 | /* Function Declarations *****************************************************/
8 | /*
9 | * Installs an application verifier for the process
10 | */
11 | DOUBLEAGENT_STATUS VERIFIER_Install(IN PCWSTR pcwszProcessName, IN PCWSTR pcwszVrfDllName, IN PCWSTR pcwszVrfDllPathX86, IN PCWSTR pcwszVrfDllPathX64);
12 | /*
13 | * In some cases (application crash, exception, etc.) the install\uninstall functions may accidentally leave the machine in an undefined state
14 | * Repairs the machine to its original state
15 | */
16 | DOUBLEAGENT_STATUS VERIFIER_Repair(VOID);
17 | /*
18 | * Uninstalls the application verifier from the process
19 | */
20 | VOID VERIFIER_Uninstall(IN PCWSTR pcwszProcessName, IN PCWSTR pcwszVrfDllName);
21 |
--------------------------------------------------------------------------------
/DoubleAgent/main.c:
--------------------------------------------------------------------------------
1 | /* Includes ******************************************************************/
2 | #include
3 | #include
4 | #include
5 | #include "Path.h"
6 | #include "Verifier.h"
7 |
8 | /* Macros ********************************************************************/
9 | #define DOUBLEAGENT_ACTION_INSTALL (L"install")
10 | #define DOUBLEAGENT_ACTION_REPAIR (L"repair")
11 | #define DOUBLEAGENT_ACTION_UNINSTALL (L"uninstall")
12 | #define DOUBLEAGENT_VERIFIER_DLL_NAME L"DoubleAgentDll.dll"
13 | #define DOUBLEAGENT_VERIFIER_DLL_RELATIVE_PATH_X86 (L".\\x86\\" ## DOUBLEAGENT_VERIFIER_DLL_NAME)
14 | #define DOUBLEAGENT_VERIFIER_DLL_RELATIVE_PATH_X64 (L".\\x64\\" ## DOUBLEAGENT_VERIFIER_DLL_NAME)
15 |
16 | /* Types *********************************************************************/
17 | typedef enum _DOUBLEAGENT_ARGUMENTS
18 | {
19 | DOUBLEAGENT_ARGUMENTS_INVALID_VALUE = -1,
20 | DOUBLEAGENT_ARGUMENTS_SELF_PATH,
21 | DOUBLEAGENT_ARGUMENTS_ACTION_TYPE,
22 | DOUBLEAGENT_ARGUMENTS_PROCESS_NAME,
23 |
24 | /* Must be last */
25 | DOUBLEAGENT_ARGUMENTS_COUNT
26 | } DOUBLEAGENT_ARGUMENTS, *PDOUBLEAGENT_ARGUMENTS;
27 |
28 | /* Function Declarations *****************************************************/
29 | /*
30 | * Handles the install action
31 | */
32 | static DOUBLEAGENT_STATUS main_Install(IN PCWSTR *ppcwszArgv);
33 | /*
34 | * Handles the repair action
35 | */
36 | static DOUBLEAGENT_STATUS main_Repair(IN PCWSTR *ppcwszArgv);
37 | /*
38 | * Handles the uninstall action
39 | */
40 | static DOUBLEAGENT_STATUS main_Uninstall(IN PCWSTR *ppcwszArgv);
41 |
42 | /* Function Definitions ******************************************************/
43 | INT wmain(IN SIZE_T nArgc, IN PCWSTR *ppcwszArgv)
44 | {
45 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE;
46 |
47 | /* Prints usage */
48 | if (1 == nArgc)
49 | {
50 | (VOID)wprintf(L"Usage:\tDoubleAgent.exe install\\uninstall\\repair process_name\n");
51 | (VOID)wprintf(L"e.g.\tDoubleAgent.exe install cmd.exe\n");
52 | return 0;
53 | }
54 |
55 | /* Validates the arguments */
56 | if (DOUBLEAGENT_ARGUMENTS_COUNT != nArgc)
57 | {
58 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_WMAIN_INVALID_ARGS_COUNT);
59 | goto lbl_cleanup;
60 | }
61 |
62 | /* Install action */
63 | if (0 == _wcsicmp(ppcwszArgv[DOUBLEAGENT_ARGUMENTS_ACTION_TYPE], DOUBLEAGENT_ACTION_INSTALL))
64 | {
65 | eStatus = main_Install(ppcwszArgv);
66 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus))
67 | {
68 | goto lbl_cleanup;
69 | }
70 | }
71 | /* Repair action */
72 | else if (0 == _wcsicmp(ppcwszArgv[DOUBLEAGENT_ARGUMENTS_ACTION_TYPE], DOUBLEAGENT_ACTION_REPAIR))
73 | {
74 | eStatus = main_Repair(ppcwszArgv);
75 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus))
76 | {
77 | goto lbl_cleanup;
78 | }
79 | }
80 | /* Uninstall action */
81 | else if (0 == _wcsicmp(ppcwszArgv[DOUBLEAGENT_ARGUMENTS_ACTION_TYPE], DOUBLEAGENT_ACTION_UNINSTALL))
82 | {
83 | eStatus = main_Uninstall(ppcwszArgv);
84 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus))
85 | {
86 | goto lbl_cleanup;
87 | }
88 | }
89 | /* Unsupported action */
90 | else
91 | {
92 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENT_WMAIN_UNSUPPORTED_ACTION);
93 | goto lbl_cleanup;
94 | }
95 |
96 | /* Succeeded */
97 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS);
98 |
99 | lbl_cleanup:
100 | if (FALSE != DOUBLEAGENT_SUCCESS(eStatus))
101 | {
102 | (VOID)wprintf(L"Succeeded");
103 | }
104 | else
105 | {
106 | (VOID)wprintf(L"Failed (error code %lu)", eStatus);
107 | }
108 | /* Returns status */
109 | return eStatus;
110 | }
111 |
112 | static DOUBLEAGENT_STATUS main_Install(IN PCWSTR *ppcwszArgv)
113 | {
114 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE;
115 | PWSTR pwszExeDirPath = NULL;
116 | PWSTR pwszVerifierDllPathX86 = NULL;
117 | PWSTR pwszVerifierDllPathX64 = NULL;
118 |
119 | /* Validates the parameters */
120 | _ASSERT(NULL != ppcwszArgv);
121 |
122 | /* Gets the executable directory */
123 | eStatus = PATH_GetDirectory(ppcwszArgv[DOUBLEAGENT_ARGUMENTS_SELF_PATH], &pwszExeDirPath);
124 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus))
125 | {
126 | goto lbl_cleanup;
127 | }
128 |
129 | /* Gets the x86 verifier dll path */
130 | eStatus = PATH_Combine(pwszExeDirPath, DOUBLEAGENT_VERIFIER_DLL_RELATIVE_PATH_X86, &pwszVerifierDllPathX86);
131 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus))
132 | {
133 | goto lbl_cleanup;
134 | }
135 |
136 | /* Gets the x64 verifier dll path */
137 | eStatus = PATH_Combine(pwszExeDirPath, DOUBLEAGENT_VERIFIER_DLL_RELATIVE_PATH_X64, &pwszVerifierDllPathX64);
138 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus))
139 | {
140 | goto lbl_cleanup;
141 | }
142 |
143 | /* Installs the application verifier for the process */
144 | eStatus = VERIFIER_Install(ppcwszArgv[DOUBLEAGENT_ARGUMENTS_PROCESS_NAME], DOUBLEAGENT_VERIFIER_DLL_NAME, pwszVerifierDllPathX86, pwszVerifierDllPathX64);
145 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus))
146 | {
147 | goto lbl_cleanup;
148 | }
149 |
150 | /* Succeeded */
151 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS);
152 |
153 | lbl_cleanup:
154 | /* Frees the x64 verifier dll path */
155 | if (NULL != pwszVerifierDllPathX64)
156 | {
157 | (VOID)HeapFree(GetProcessHeap(), 0, pwszVerifierDllPathX64);
158 | pwszVerifierDllPathX64 = NULL;
159 | }
160 |
161 | /* Frees the x86 verifier dll path */
162 | if (NULL != pwszVerifierDllPathX86)
163 | {
164 | (VOID)HeapFree(GetProcessHeap(), 0, pwszVerifierDllPathX86);
165 | pwszVerifierDllPathX86 = NULL;
166 | }
167 |
168 | /* Frees the executable directory */
169 | if (NULL != pwszExeDirPath)
170 | {
171 | (VOID)HeapFree(GetProcessHeap(), 0, pwszExeDirPath);
172 | pwszExeDirPath = NULL;
173 | }
174 |
175 | /* Returns status */
176 | return eStatus;
177 | }
178 |
179 | static DOUBLEAGENT_STATUS main_Repair(IN PCWSTR *ppcwszArgv)
180 | {
181 | UNREFERENCED_PARAMETER(ppcwszArgv);
182 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE;
183 |
184 | /* Validates the parameters */
185 | _ASSERT(NULL != ppcwszArgv);
186 |
187 | /* Repairs the machine to its original state */
188 | eStatus = VERIFIER_Repair();
189 | if (FALSE == DOUBLEAGENT_SUCCESS(eStatus))
190 | {
191 | goto lbl_cleanup;
192 | }
193 |
194 | /* Succeeded */
195 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS);
196 |
197 | lbl_cleanup:
198 | /* Returns status */
199 | return eStatus;
200 | }
201 |
202 | static DOUBLEAGENT_STATUS main_Uninstall(IN PCWSTR *ppcwszArgv)
203 | {
204 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE;
205 |
206 | /* Validates the parameters */
207 | _ASSERT(NULL != ppcwszArgv);
208 |
209 | /* Uninstalls the application verifier from the process */
210 | VERIFIER_Uninstall(ppcwszArgv[DOUBLEAGENT_ARGUMENTS_PROCESS_NAME], DOUBLEAGENT_VERIFIER_DLL_NAME);
211 |
212 | /* Succeeded */
213 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS);
214 |
215 | /* Returns status */
216 | return eStatus;
217 | }
218 |
--------------------------------------------------------------------------------
/DoubleAgentDll/DoubleAgentDll.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {0358B01A-8542-482B-87C0-F141655BD802}
23 | DoubleAgentDll
24 | 8.1
25 |
26 |
27 |
28 | DynamicLibrary
29 | true
30 | v141
31 | Unicode
32 |
33 |
34 | DynamicLibrary
35 | false
36 | v141
37 | true
38 | Unicode
39 |
40 |
41 | DynamicLibrary
42 | true
43 | v141
44 | Unicode
45 |
46 |
47 | DynamicLibrary
48 | false
49 | v141
50 | true
51 | Unicode
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 | $(SolutionDir)bin\x86\
73 |
74 |
75 | $(SolutionDir)bin\x86\
76 |
77 |
78 | $(SolutionDir)bin\x64\
79 |
80 |
81 | $(SolutionDir)bin\x64\
82 |
83 |
84 |
85 | Level4
86 | Disabled
87 | ..\DoubleAgentShared;%(AdditionalIncludeDirectories)
88 | MultiThreadedDebug
89 | true
90 |
91 | false
92 |
93 |
94 |
95 | true
96 | Console
97 | DllMain
98 |
99 |
100 |
101 |
102 | Level4
103 | Disabled
104 | ..\DoubleAgentShared;%(AdditionalIncludeDirectories)
105 | MultiThreadedDebug
106 | true
107 |
108 | false
109 |
110 |
111 |
112 | true
113 | Console
114 | DllMain
115 |
116 |
117 |
118 |
119 | Level4
120 | MaxSpeed
121 | true
122 | true
123 | ..\DoubleAgentShared;%(AdditionalIncludeDirectories)
124 | MultiThreaded
125 | true
126 |
127 | false
128 | false
129 |
130 |
131 | true
132 | true
133 | true
134 | Console
135 | DllMain
136 |
137 |
138 |
139 |
140 | Level4
141 | MaxSpeed
142 | true
143 | true
144 | ..\DoubleAgentShared;%(AdditionalIncludeDirectories)
145 | MultiThreaded
146 | true
147 |
148 | false
149 | false
150 |
151 |
152 | true
153 | true
154 | true
155 | Console
156 | DllMain
157 |
158 |
159 |
160 |
161 |
162 |
163 |
164 |
165 |
166 |
167 |
168 |
169 |
170 |
171 |
172 |
173 |
--------------------------------------------------------------------------------
/DoubleAgentDll/DoubleAgentDll.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {4b3ed967-99c9-47f0-ad82-5da2f1ce36e4}
10 |
11 |
12 | {6c53491b-d7aa-4e59-adf2-bad8e68cf7a0}
13 |
14 |
15 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
16 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
17 |
18 |
19 | {c59faa4b-63c3-4193-9387-f639ffe77113}
20 |
21 |
22 |
23 |
24 | Source Files
25 |
26 |
27 | Source Files\Verifier
28 |
29 |
30 | Source Files\Process
31 |
32 |
33 | Source Files\Memory
34 |
35 |
36 |
37 |
38 | Source Files\Verifier
39 |
40 |
41 | Source Files\Process
42 |
43 |
44 | Source Files\Memory
45 |
46 |
47 |
--------------------------------------------------------------------------------
/DoubleAgentDll/Memory.c:
--------------------------------------------------------------------------------
1 | /* Includes ******************************************************************/
2 | #include
3 | #include "Status.h"
4 | #include "Memory.h"
5 |
6 | /* Public Function Definitions ***********************************************/
7 | void* memset(void *pvBuffer, int iValue, size_t nBufferLen)
8 | {
9 | SIZE_T nBufferIndex = 0;
10 |
11 | /* Sets the buffer */
12 | for (nBufferIndex = 0; nBufferIndex < nBufferLen; nBufferIndex++)
13 | {
14 | ((PBYTE)pvBuffer)[nBufferIndex] = (BYTE)iValue;
15 | }
16 |
17 | return pvBuffer;
18 | }
19 |
--------------------------------------------------------------------------------
/DoubleAgentDll/Memory.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | /* Includes ******************************************************************/
4 | #include
5 | #include "Status.h"
6 |
7 | /* Function Declarations *****************************************************/
8 | /*
9 | * Override the compiler memset intrinsic functions
10 | * This may be used to solve linkage problems with the CRT
11 | */
12 | #pragma function(memset)
13 | void* memset(void *pvBuffer, int iValue, size_t nBufferLen);
14 |
--------------------------------------------------------------------------------
/DoubleAgentDll/Process.c:
--------------------------------------------------------------------------------
1 | /* Includes ******************************************************************/
2 | #include
3 | #include "Status.h"
4 | #include "Process.h"
5 |
6 | /* Public Function Definitions ***********************************************/
7 | DOUBLEAGENT_STATUS PROCESS_Create(IN PCWSTR pcwszExePath)
8 | {
9 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE;
10 | STARTUPINFOW tStartup = { 0 };
11 | PROCESS_INFORMATION tProcess = { 0 };
12 |
13 | /* Validates the parameters */
14 | if (NULL == pcwszExePath)
15 | {
16 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENTDLL_PROCESS_CREATE_INVALID_PARAMS);
17 | goto lbl_cleanup;
18 | }
19 |
20 | /* Creates the process */
21 | tStartup.cb = sizeof(tStartup);
22 | if (FALSE == CreateProcessW(pcwszExePath, NULL, NULL, NULL, 0, 0, NULL, NULL, &tStartup, &tProcess))
23 | {
24 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENTDLL_PROCESS_CREATE_CREATEPROCESSW_FAILED);
25 | goto lbl_cleanup;
26 | }
27 |
28 | /* Succeeded */
29 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS);
30 |
31 | lbl_cleanup:
32 | /* Closes the thread handle */
33 | if (NULL != tProcess.hThread)
34 | {
35 | (VOID)CloseHandle(tProcess.hThread);
36 | tProcess.hThread = NULL;
37 | }
38 |
39 | /* Closes the process handle */
40 | if (NULL != tProcess.hProcess)
41 | {
42 | (VOID)CloseHandle(tProcess.hProcess);
43 | tProcess.hProcess = NULL;
44 | }
45 |
46 | /* Returns status */
47 | return eStatus;
48 | }
49 |
--------------------------------------------------------------------------------
/DoubleAgentDll/Process.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | /* Includes ******************************************************************/
4 | #include
5 | #include "Status.h"
6 |
7 | /* Function Declarations *****************************************************/
8 | /*
9 | * Receives an executable path and executes it
10 | */
11 | DOUBLEAGENT_STATUS PROCESS_Create(IN PCWSTR pcwszExePath);
12 |
--------------------------------------------------------------------------------
/DoubleAgentDll/VerifierDll.c:
--------------------------------------------------------------------------------
1 | /* Includes ******************************************************************/
2 | #include
3 | #include "Status.h"
4 |
5 | /* Types *********************************************************************/
6 | typedef struct _RTL_VERIFIER_DLL_DESCRIPTOR
7 | {
8 | PWSTR pwszDllName;
9 | DWORD dwDllFlags;
10 | PVOID pvDllAddress;
11 | PVOID pvDllThunks;
12 | } RTL_VERIFIER_DLL_DESCRIPTOR, *PRTL_VERIFIER_DLL_DESCRIPTOR;
13 |
14 | typedef struct _RTL_VERIFIER_PROVIDER_DESCRIPTOR
15 | {
16 | DWORD dwLength;
17 | PVOID pvProviderDlls;
18 | PVOID pvProviderDllLoadCallback;
19 | PVOID pvProviderDllUnloadCallback;
20 | PWSTR pwszVerifierImage;
21 | DWORD dwVerifierFlags;
22 | DWORD dwVerifierDebug;
23 | PVOID pvRtlpGetStackTraceAddress;
24 | PVOID pvRtlpDebugPageHeapCreate;
25 | PVOID pvRtlpDebugPageHeapDestroy;
26 | PVOID pvProviderNtdllHeapFreeCallback;
27 | } RTL_VERIFIER_PROVIDER_DESCRIPTOR, *PRTL_VERIFIER_PROVIDER_DESCRIPTOR;
28 |
29 | typedef struct _RTL_VERIFIER_MINILOADATTACH_PROVIDER_DESCRIPTOR
30 | {
31 | DWORD dwLength;
32 | DWORD dwReserved;
33 | DWORD dwReserved1;
34 | DWORD dwReserved2;
35 | DWORD dwReserved3;
36 | DWORD dwReserved4;
37 | DWORD dwReserved5;
38 | DWORD dwReserved6;
39 | PDWORD pdwAVrfDphGlobalFlags;
40 | PVOID pvAVrfpHeapTable;
41 | PRTL_VERIFIER_PROVIDER_DESCRIPTOR ptAVrfpProvider;
42 | CHAR szReserved7[0x18];
43 | } RTL_VERIFIER_MINILOADATTACH_PROVIDER_DESCRIPTOR, *PRTL_VERIFIER_MINILOADATTACH_PROVIDER_DESCRIPTOR;
44 |
45 | /* Global Variables **********************************************************/
46 | RTL_VERIFIER_DLL_DESCRIPTOR atDLLs[] = { { 0 } };
47 | RTL_VERIFIER_PROVIDER_DESCRIPTOR tVpd = { sizeof(RTL_VERIFIER_PROVIDER_DESCRIPTOR), atDLLs };
48 |
49 | /* Function Definitions ******************************************************/
50 | BOOL VERIFIERDLL_DllMainProcessVerifier(IN PVOID pvReserved)
51 | {
52 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE;
53 |
54 | /* Validates the parameters */
55 | if (NULL == pvReserved)
56 | {
57 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_DOUBLEAGENTDLL_VERIFIERDLL_DLLMAINPROCESSVERIFIER_INVALID_PARAMS);
58 | goto lbl_cleanup;
59 | }
60 |
61 | /* Sets the reserved parameter */
62 | *((PRTL_VERIFIER_PROVIDER_DESCRIPTOR *)pvReserved) = &tVpd;
63 |
64 | /* Succeeded */
65 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS);
66 |
67 | lbl_cleanup:
68 | /* Returns status */
69 | return FALSE != DOUBLEAGENT_SUCCESS(eStatus);
70 | }
71 |
--------------------------------------------------------------------------------
/DoubleAgentDll/VerifierDll.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | /* Includes ******************************************************************/
4 | #include
5 | #include "Status.h"
6 |
7 | /* Macros ********************************************************************/
8 | #define VERIFIERDLL_DLL_PROCESS_VERIFIER (0x4)
9 |
10 | /* Function Declarations *****************************************************/
11 | /*
12 | * The default main function for VERIFIERDLL_DLL_PROCESS_VERIFIER
13 | * The verifier dll should call this function from DllMain when VERIFIERDLL_DLL_PROCESS_VERIFIER == nReason
14 | */
15 | BOOL VERIFIERDLL_DllMainProcessVerifier(IN PVOID pvReserved);
16 |
--------------------------------------------------------------------------------
/DoubleAgentDll/main.c:
--------------------------------------------------------------------------------
1 | /* Includes ******************************************************************/
2 | #include
3 | #include "Status.h"
4 | #include "Process.h"
5 | #include "VerifierDll.h"
6 |
7 | /* Function Declarations *****************************************************/
8 | /*
9 | * The event handler for DLL attach events
10 | */
11 | static BOOL main_DllMainProcessAttach(VOID);
12 | /*
13 | * The event handler for DLL detach events
14 | */
15 | static BOOL main_DllMainProcessDetach(VOID);
16 |
17 | /* Function Definitions ******************************************************/
18 | BOOL WINAPI DllMain(IN HINSTANCE hInstDLL, IN SIZE_T nReason, IN PVOID pvReserved)
19 | {
20 | UNREFERENCED_PARAMETER(hInstDLL);
21 |
22 | /* Process Attach */
23 | if (VERIFIERDLL_DLL_PROCESS_VERIFIER == nReason)
24 | {
25 | return VERIFIERDLL_DllMainProcessVerifier(pvReserved);
26 | }
27 |
28 | else if (DLL_PROCESS_ATTACH == nReason)
29 | {
30 | return main_DllMainProcessAttach();
31 | }
32 |
33 | /* Process Detach */
34 | else if (DLL_PROCESS_DETACH == nReason)
35 | {
36 | return main_DllMainProcessDetach();
37 | }
38 |
39 | /* Thread Attach\Detach */
40 | else
41 | {
42 | return TRUE;
43 | }
44 | }
45 |
46 | static BOOL main_DllMainProcessAttach(VOID)
47 | {
48 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE;
49 |
50 | /*
51 | **************************************************************************
52 | Enter Your Code Here
53 | Remarks: DoubleAgentDll is loaded extremely early during the process boot, while the process is still not completely initialized
54 | This may pose limitations regarding what libraries may be used from main_DllMainProcessAttach
55 | The only library that is guaranteed to work properly and may be used safely is ntdll.dll
56 | Other libraries (e.g. kernel32.dll) may or may not work and should preferably be avoided
57 |
58 | One solution for using additional libraries except from ntdll.dll would be to delay code execution and avoid "heavy" operations from main_DllMainProcessAttach
59 | This can be done in a verity of ways, including setting a hook on the end of the process boot and only then executing the "heavy" code
60 | **************************************************************************
61 | */
62 |
63 | /*
64 | * Sample Code - Launch cmd.exe
65 | * As stated above, calling non ntdll.dll libraries may or may not work
66 | * The sample code below uses kernel32.dll and therefore may cause undefined behavior on some operating systems
67 | * This specific code has been tested and found working on Windows 10 x64 but fails on Windows 7 x64
68 | */
69 | //eStatus = PROCESS_Create(L"C:\\Windows\\System32\\cmd.exe");
70 | //if (FALSE == DOUBLEAGENT_SUCCESS(eStatus))
71 | //{
72 | // goto lbl_cleanup;
73 | //}
74 |
75 | /* Succeeded */
76 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS);
77 |
78 | //lbl_cleanup:
79 | /* Returns status */
80 | return FALSE != DOUBLEAGENT_SUCCESS(eStatus);
81 | }
82 |
83 | static BOOL main_DllMainProcessDetach(VOID)
84 | {
85 | DOUBLEAGENT_STATUS eStatus = DOUBLEAGENT_STATUS_INVALID_VALUE;
86 |
87 | /* Succeeded */
88 | DOUBLEAGENT_SET(eStatus, DOUBLEAGENT_STATUS_SUCCESS);
89 |
90 | /* Returns status */
91 | return FALSE != DOUBLEAGENT_SUCCESS(eStatus);
92 | }
93 |
--------------------------------------------------------------------------------
/DoubleAgentShared/DoubleAgentShared.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {532786D5-D713-455E-AE4A-2E68BF7DFFD5}
23 | DoubleAgentShared
24 | 8.1
25 |
26 |
27 |
28 | StaticLibrary
29 | true
30 | v141
31 | Unicode
32 |
33 |
34 | StaticLibrary
35 | false
36 | v141
37 | true
38 | Unicode
39 |
40 |
41 | StaticLibrary
42 | true
43 | v141
44 | Unicode
45 |
46 |
47 | StaticLibrary
48 | false
49 | v141
50 | true
51 | Unicode
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | Level3
75 | Disabled
76 | true
77 |
78 |
79 |
80 |
81 | Level3
82 | Disabled
83 | true
84 |
85 |
86 |
87 |
88 | Level3
89 | MaxSpeed
90 | true
91 | true
92 | true
93 |
94 |
95 | true
96 | true
97 |
98 |
99 |
100 |
101 | Level3
102 | MaxSpeed
103 | true
104 | true
105 | true
106 |
107 |
108 | true
109 | true
110 |
111 |
112 |
113 |
114 |
115 |
116 |
117 |
118 |
--------------------------------------------------------------------------------
/DoubleAgentShared/DoubleAgentShared.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
10 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
11 |
12 |
13 | {411d5b91-27e2-4947-a634-7083829f9822}
14 |
15 |
16 |
17 |
18 | Source Files\Status
19 |
20 |
21 |
--------------------------------------------------------------------------------
/DoubleAgentShared/Status.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | /* Macros ********************************************************************/
4 | #define DOUBLEAGENT_SUCCESS(status) (DOUBLEAGENT_STATUS_SUCCESS == (status))
5 | #define DOUBLEAGENT_FAILED(status) (FALSE == DOUBLEAGENT_SUCCESS((status)))
6 | #define DOUBLEAGENT_SET(status, value) ((status) = (value))
7 |
8 | /* Types *********************************************************************/
9 | typedef enum _DOUBLEAGENT_STATUS
10 | {
11 | DOUBLEAGENT_STATUS_INVALID_VALUE = -1,
12 | DOUBLEAGENT_STATUS_SUCCESS,
13 | DOUBLEAGENT_STATUS_DOUBLEAGENTDLL_PROCESS_CREATE_CREATEPROCESSW_FAILED,
14 | DOUBLEAGENT_STATUS_DOUBLEAGENTDLL_PROCESS_CREATE_INVALID_PARAMS,
15 | DOUBLEAGENT_STATUS_DOUBLEAGENTDLL_VERIFIERDLL_DLLMAINPROCESSVERIFIER_INVALID_PARAMS,
16 | DOUBLEAGENT_STATUS_DOUBLEAGENT_OS_GETARCHITECTURE_INVALID_PARAMS,
17 | DOUBLEAGENT_STATUS_DOUBLEAGENT_OS_GETARCHITECTURE_ISWOW64PROCESS_FAILED,
18 | DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_COMBINE_HEAPALLOC_FAILED,
19 | DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_COMBINE_INVALID_PARAMS,
20 | DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_COMBINE_PATHCOMBINEW_FAILED,
21 | DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_GETDIRECTORY_HEAPALLOC_FAILED,
22 | DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_GETDIRECTORY_INVALID_PARAMS,
23 | DOUBLEAGENT_STATUS_DOUBLEAGENT_PATH_GETDIRECTORY_PATHREMOVEFILESPECW_FAILED,
24 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_INSTALL_COPYFILEW_FAILED_X64,
25 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_INSTALL_COPYFILEW_FAILED_X86,
26 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_INSTALL_INVALID_PARAMS,
27 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_INSTALL_UNSUPPORTED_SWITCH_CASE,
28 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGOPENKEYEXW_FAILED_IFEO,
29 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGOPENKEYEXW_FAILED_TEMP_IFEO,
30 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGRENAMEKEY_FAILED,
31 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGSETKEYVALUEW_FAILED_GLOBALFLAG,
32 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REGISTER_REGSETKEYVALUEW_FAILED_VERIFIERDLLS,
33 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REPAIR_REGOPENKEYEXW_FAILED,
34 | DOUBLEAGENT_STATUS_DOUBLEAGENT_VERIFIER_REPAIR_REGRENAMEKEY_FAILED,
35 | DOUBLEAGENT_STATUS_DOUBLEAGENT_WMAIN_INVALID_ARGS_COUNT,
36 | DOUBLEAGENT_STATUS_DOUBLEAGENT_WMAIN_UNSUPPORTED_ACTION,
37 |
38 | /* Must be last */
39 | DOUBLEAGENT_STATUS_COUNT
40 | } DOUBLEAGENT_STATUS, *PDOUBLEAGENT_STATUS;
41 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.
8 |
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 |
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 |
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 |
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 |
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 |
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.
34 |
35 | "Work" shall mean the work of authorship, whether in Source or
36 | Object form, made available under the License, as indicated by a
37 | copyright notice that is included in or attached to the work
38 | (an example is provided in the Appendix below).
39 |
40 | "Derivative Works" shall mean any work, whether in Source or Object
41 | form, that is based on (or derived from) the Work and for which the
42 | editorial revisions, annotations, elaborations, or other modifications
43 | represent, as a whole, an original work of authorship. For the purposes
44 | of this License, Derivative Works shall not include works that remain
45 | separable from, or merely link (or bind by name) to the interfaces of,
46 | the Work and Derivative Works thereof.
47 |
48 | "Contribution" shall mean any work of authorship, including
49 | the original version of the Work and any modifications or additions
50 | to that Work or Derivative Works thereof, that is intentionally
51 | submitted to Licensor for inclusion in the Work by the copyright owner
52 | or by an individual or Legal Entity authorized to submit on behalf of
53 | the copyright owner. For the purposes of this definition, "submitted"
54 | means any form of electronic, verbal, or written communication sent
55 | to the Licensor or its representatives, including but not limited to
56 | communication on electronic mailing lists, source code control systems,
57 | and issue tracking systems that are managed by, or on behalf of, the
58 | Licensor for the purpose of discussing and improving the Work, but
59 | excluding communication that is conspicuously marked or otherwise
60 | designated in writing by the copyright owner as "Not a Contribution."
61 |
62 | "Contributor" shall mean Licensor and any individual or Legal Entity
63 | on behalf of whom a Contribution has been received by Licensor and
64 | subsequently incorporated within the Work.
65 |
66 | 2. Grant of Copyright License. Subject to the terms and conditions of
67 | this License, each Contributor hereby grants to You a perpetual,
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69 | copyright license to reproduce, prepare Derivative Works of,
70 | publicly display, publicly perform, sublicense, and distribute the
71 | Work and such Derivative Works in Source or Object form.
72 |
73 | 3. Grant of Patent License. Subject to the terms and conditions of
74 | this License, each Contributor hereby grants to You a perpetual,
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76 | (except as stated in this section) patent license to make, have made,
77 | use, offer to sell, sell, import, and otherwise transfer the Work,
78 | where such license applies only to those patent claims licensable
79 | by such Contributor that are necessarily infringed by their
80 | Contribution(s) alone or by combination of their Contribution(s)
81 | with the Work to which such Contribution(s) was submitted. If You
82 | institute patent litigation against any entity (including a
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work
84 | or a Contribution incorporated within the Work constitutes direct
85 | or contributory patent infringement, then any patent licenses
86 | granted to You under this License for that Work shall terminate
87 | as of the date such litigation is filed.
88 |
89 | 4. Redistribution. You may reproduce and distribute copies of the
90 | Work or Derivative Works thereof in any medium, with or without
91 | modifications, and in Source or Object form, provided that You
92 | meet the following conditions:
93 |
94 | (a) You must give any other recipients of the Work or
95 | Derivative Works a copy of this License; and
96 |
97 | (b) You must cause any modified files to carry prominent notices
98 | stating that You changed the files; and
99 |
100 | (c) You must retain, in the Source form of any Derivative Works
101 | that You distribute, all copyright, patent, trademark, and
102 | attribution notices from the Source form of the Work,
103 | excluding those notices that do not pertain to any part of
104 | the Derivative Works; and
105 |
106 | (d) If the Work includes a "NOTICE" text file as part of its
107 | distribution, then any Derivative Works that You distribute must
108 | include a readable copy of the attribution notices contained
109 | within such NOTICE file, excluding those notices that do not
110 | pertain to any part of the Derivative Works, in at least one
111 | of the following places: within a NOTICE text file distributed
112 | as part of the Derivative Works; within the Source form or
113 | documentation, if provided along with the Derivative Works; or,
114 | within a display generated by the Derivative Works, if and
115 | wherever such third-party notices normally appear. The contents
116 | of the NOTICE file are for informational purposes only and
117 | do not modify the License. You may add Your own attribution
118 | notices within Derivative Works that You distribute, alongside
119 | or as an addendum to the NOTICE text from the Work, provided
120 | that such additional attribution notices cannot be construed
121 | as modifying the License.
122 |
123 | You may add Your own copyright statement to Your modifications and
124 | may provide additional or different license terms and conditions
125 | for use, reproduction, or distribution of Your modifications, or
126 | for any such Derivative Works as a whole, provided Your use,
127 | reproduction, and distribution of the Work otherwise complies with
128 | the conditions stated in this License.
129 |
130 | 5. Submission of Contributions. Unless You explicitly state otherwise,
131 | any Contribution intentionally submitted for inclusion in the Work
132 | by You to the Licensor shall be under the terms and conditions of
133 | this License, without any additional terms or conditions.
134 | Notwithstanding the above, nothing herein shall supersede or modify
135 | the terms of any separate license agreement you may have executed
136 | with Licensor regarding such Contributions.
137 |
138 | 6. Trademarks. This License does not grant permission to use the trade
139 | names, trademarks, service marks, or product names of the Licensor,
140 | except as required for reasonable and customary use in describing the
141 | origin of the Work and reproducing the content of the NOTICE file.
142 |
143 | 7. Disclaimer of Warranty. Unless required by applicable law or
144 | agreed to in writing, Licensor provides the Work (and each
145 | Contributor provides its Contributions) on an "AS IS" BASIS,
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 | implied, including, without limitation, any warranties or conditions
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 | PARTICULAR PURPOSE. You are solely responsible for determining the
150 | appropriateness of using or redistributing the Work and assume any
151 | risks associated with Your exercise of permissions under this License.
152 |
153 | 8. Limitation of Liability. In no event and under no legal theory,
154 | whether in tort (including negligence), contract, or otherwise,
155 | unless required by applicable law (such as deliberate and grossly
156 | negligent acts) or agreed to in writing, shall any Contributor be
157 | liable to You for damages, including any direct, indirect, special,
158 | incidental, or consequential damages of any character arising as a
159 | result of this License or out of the use or inability to use the
160 | Work (including but not limited to damages for loss of goodwill,
161 | work stoppage, computer failure or malfunction, or any and all
162 | other commercial damages or losses), even if such Contributor
163 | has been advised of the possibility of such damages.
164 |
165 | 9. Accepting Warranty or Additional Liability. While redistributing
166 | the Work or Derivative Works thereof, You may choose to offer,
167 | and charge a fee for, acceptance of support, warranty, indemnity,
168 | or other liability obligations and/or rights consistent with this
169 | License. However, in accepting such obligations, You may act only
170 | on Your own behalf and on Your sole responsibility, not on behalf
171 | of any other Contributor, and only if You agree to indemnify,
172 | defend, and hold each Contributor harmless for any liability
173 | incurred by, or claims asserted against, such Contributor by reason
174 | of your accepting any such warranty or additional liability.
175 |
176 | END OF TERMS AND CONDITIONS
177 |
178 | APPENDIX: How to apply the Apache License to your work.
179 |
180 | To apply the Apache License to your work, attach the following
181 | boilerplate notice, with the fields enclosed by brackets "{}"
182 | replaced with your own identifying information. (Don't include
183 | the brackets!) The text should be enclosed in the appropriate
184 | comment syntax for the file format. We also recommend that a
185 | file or class name and description of purpose be included on the
186 | same "printed page" as the copyright notice for easier
187 | identification within third-party archives.
188 |
189 | Copyright {yyyy} {name of copyright owner}
190 |
191 | Licensed under the Apache License, Version 2.0 (the "License");
192 | you may not use this file except in compliance with the License.
193 | You may obtain a copy of the License at
194 |
195 | http://www.apache.org/licenses/LICENSE-2.0
196 |
197 | Unless required by applicable law or agreed to in writing, software
198 | distributed under the License is distributed on an "AS IS" BASIS,
199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 | See the License for the specific language governing permissions and
201 | limitations under the License.
202 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # DoubleAgent
2 | DoubleAgent is a new Zero-Day technique for injecting code and maintaining persistence on a machine (i.e. auto-run).
3 |
4 | DoubleAgent can exploit:
5 |
6 | * Every Windows version (Windows XP to Windows 10)
7 | * Every Windows architecture (x86 and x64)
8 | * Every Windows user (SYSTEM/Admin/etc.)
9 | * Every target process, including privileged processes (OS/Antivirus/etc.)
10 |
11 | DoubleAgent exploits a 15 years old legitimate feature of Windows and therefore cannot be patched.
12 |
13 | ## Code Injection
14 |
15 | DoubleAgent gives the attacker the ability to inject any DLL into any process. The code injection occurs extremely early during the victim’s process boot, giving the attacker full control over the process and no way for the process to protect itself.
16 | The code injection technique is so unique that it’s not detected or blocked by any antivirus.
17 |
18 | ## Persistency
19 |
20 | DoubleAgent can continue injecting code even after reboot making it a perfect persistence technique to “survive” reboots/updates/reinstalls/patches/etc.
21 | Once the attacker decides to inject a DLL into a process, they are forcefully bounded forever. Even if the victim would completely uninstall and reinstall its program, the attacker’s DLL would still be injected every time the process executes.
22 |
23 | ## Attack Vectors
24 |
25 | * Attacking Antivirus & Next Generation Antivirus – Taking full control of any antivirus by injecting code into it while bypassing all of its self-protection mechanism. The attack has been verified and works on all the major antiviruses including but not limited to: Avast, AVG, Avira, Bitdefender, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Norton, Panda, Quick Heal and Trend Micro.
26 | For more details, checkout our [Taking Full Control Over Your Antivirus](http://cybellum.com/doubleagent-taking-full-control-antivirus/) article.
27 |
28 | * Installing Persistent Malware – Installing malware that can “survive” reboots and are automatically executed once the operating system boots.
29 |
30 | * Hijacking Permissions – Hijacking the permissions of an existing trusted process to perform malicious operations in disguise of the trusted process. e.g. Exfiltrating data, C&C communication, lateral movement, stealing and encrypting sensitive data.
31 |
32 | * Altering Process Behavior – Modifying the behavior of the process. e.g. Installing backdoors, weakening encryption algorithms, etc.
33 |
34 | * Attacking Other Users/Sessions – Injecting code to processes of other users/sessions (SYSTEM/Admin/etc.).
35 |
36 | ## Technical Deep Dive
37 | For more details, checkout our [technical](http://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique/) article.
38 |
39 | ## Installation
40 | 1. Clone/Download the DoubleAgent source code.
41 | 2. Build the [main solution](https://github.com/Cybellum/DoubleAgent) twice, once in x86 and once in x64.
42 | This step is crucial as it creates both x86 and x64 versions of DoubleAgentDll.dll which is required in order to perform a successful installation.
43 | 3. Copy the entire bin folder to the target machine.
44 | 4. Execute the installer:
45 | ```
46 | Usage: DoubleAgent.exe install\uninstall\repair process_name
47 |
48 | e.g. DoubleAgent.exe install cmd.exe
49 | ```
50 | Note that the 32bit installer (DoubleAgent_x86.exe) can be used both on Windows x86 and Windows x64.
51 | But the 64bit installer (DoubleAgent_x64.exe) can be used only on Windows x64.
52 | 5. The next time the target process loads [DoubleAgentDll.dll](https://github.com/Cybellum/DoubleAgent/tree/master/DoubleAgentDll) would be injected into it.
53 |
54 | ## Authors
55 | Cybellum Technologies LTD (http://cybellum.com/)
56 |
--------------------------------------------------------------------------------