├── d-vehlab ├── README.md ├── Engine.h ├── d-vehmisuse.cpp ├── d-vehmisuse.vcxproj.filters ├── stdafx.h ├── InternalStructs.h └── d-vehlab.vcxproj ├── d-thread-start ├── Engine.h ├── d-thread-start.cpp ├── stdafx.h ├── d-thread-start.vcxproj.filters └── d-thread-start.vcxproj ├── d-teb ├── Engine.h ├── d-teb.cpp ├── d-teb.vcxproj.filters ├── README.md ├── stdafx.h ├── d-teb.vcxproj └── Engine.cpp ├── d-dr-registers ├── Engine.h ├── stdafx.h ├── d-dr-registers.cpp ├── d-dr-registers.vcxproj.filters ├── README.md ├── Engine.cpp └── d-dr-registers.vcxproj ├── d-apc-callbacks ├── d-apc-callbacks.cpp ├── Engine.cpp ├── d-apc-callbacks.vcxproj.filters └── d-apc-callbacks.vcxproj ├── d-alpc-callbacks ├── Engine.h ├── d-alpc-callbacks.cpp ├── d-alpc-callbacks.vcxproj.filters └── d-alpc-callbacks.vcxproj ├── d-peb-dll-loadreason ├── Engine.h ├── d-peb-dll-loadreason.cpp ├── d-peb-dll-loadreason.vcxproj.filters └── d-peb-dll-loadreason.vcxproj ├── d-criticalsections ├── Engine.h ├── d-criticalsections.cpp ├── d-criticalsections.vcxproj.filters ├── README.md ├── d-criticalsections.vcxproj └── stdafx.h ├── d-nonmodulecallstack ├── Engine.h ├── d-nonmodulecallstack.cpp ├── d-nonmodulecallstack.vcxproj.filters ├── README.md ├── d-nonmodulecallstack.vcxproj └── stdafx.h ├── d-cow ├── Engine.h ├── XGetopt.h ├── d-cow.cpp ├── d-cow.vcxproj.filters ├── stdafx.h ├── README.md ├── XGetopt.cpp ├── d-cow.vcxproj └── Engine.cpp ├── d-vehimplant ├── Engine.h ├── d-vehimplant.cpp ├── d-vehimplant.vcxproj.filters ├── stdafx.h ├── README.md ├── d-vehimplant.vcxproj └── InternalStructs.h ├── .gitignore └── README.md /d-vehlab/README.md: -------------------------------------------------------------------------------- 1 | VEH Lab 2 | ====================== 3 | A sandbox for experimentation -------------------------------------------------------------------------------- /d-thread-start/Engine.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 
| 3 | #include "stdafx.h" 4 | 5 | void EnumerateProcesses(); -------------------------------------------------------------------------------- /d-teb/Engine.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "stdafx.h" 4 | 5 | void EnumerateProcesses(); 6 | 7 | 8 | -------------------------------------------------------------------------------- /d-dr-registers/Engine.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "stdafx.h" 4 | 5 | void EnumerateProcesses(); 6 | 7 | 8 | -------------------------------------------------------------------------------- /d-apc-callbacks/d-apc-callbacks.cpp: -------------------------------------------------------------------------------- 1 | // d-apc-callbacks.cpp : This file contains the 'main' function. Program execution begins and ends there. 2 | // 3 | 4 | #include 5 | 6 | int main() 7 | { 8 | std::cout << "Hello World!\n"; 9 | } 10 | -------------------------------------------------------------------------------- /d-teb/d-teb.cpp: -------------------------------------------------------------------------------- 1 | // Includes 2 | #include "stdafx.h" 3 | #include "Engine.h" 4 | 5 | bool bService = false; 6 | bool bConsole = false; 7 | 8 | // Globals 9 | HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE); 10 | 11 | /// 12 | int _tmain(int argc, _TCHAR* argv[]) 13 | { 14 | fwprintf(stdout, _TEXT("[i] Running..\n")); 15 | EnumerateProcesses(); 16 | 17 | return 0; 18 | } -------------------------------------------------------------------------------- /d-alpc-callbacks/Engine.h: -------------------------------------------------------------------------------- 1 | /* 2 | Enmumerate ALPC call backs 3 | 4 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 5 | 6 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com 7 | 8 | Released under AGPL see LICENSE for more 
information 9 | */ 10 | 11 | #pragma once 12 | 13 | #include "stdafx.h" 14 | 15 | void EnumerateProcesses(); 16 | 17 | -------------------------------------------------------------------------------- /d-thread-start/d-thread-start.cpp: -------------------------------------------------------------------------------- 1 | // Includes 2 | #include "stdafx.h" 3 | #include "Engine.h" 4 | 5 | bool bService = false; 6 | bool bConsole = false; 7 | 8 | // Globals 9 | HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE); 10 | 11 | /// 12 | int _tmain(int argc, _TCHAR* argv[]) 13 | { 14 | fwprintf(stdout, _TEXT("[i] Running..\n")); 15 | EnumerateProcesses(); 16 | 17 | return 0; 18 | } -------------------------------------------------------------------------------- /d-apc-callbacks/Engine.cpp: -------------------------------------------------------------------------------- 1 | 2 | 3 | // 4 | // https://repnz.github.io/posts/apc/wow64-user-apc/ 5 | // http://www.nynaeve.net/?p=202 6 | // http://www.nynaeve.net/Code/KiUserApcDispatcher.c 7 | // http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FAPC%2FNtQueueApcThread.html 8 | // https://github.com/blaquee/APCHook 9 | // https://github.com/repnz/apc-research 10 | //c -------------------------------------------------------------------------------- /d-peb-dll-loadreason/Engine.h: -------------------------------------------------------------------------------- 1 | /* 2 | DLL Load Reason Enumerator for Microsoft Windows 3 | 4 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 5 | 6 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com 7 | 8 | Released under AGPL see LICENSE for more information 9 | */ 10 | 11 | #pragma once 12 | 13 | #include "stdafx.h" 14 | 15 | void EnumerateProcesses(); 16 | -------------------------------------------------------------------------------- /d-peb-dll-loadreason/d-peb-dll-loadreason.cpp: 
-------------------------------------------------------------------------------- 1 | // Includes 2 | #include "stdafx.h" 3 | #include "Engine.h" 4 | 5 | bool bService = false; 6 | bool bConsole = false; 7 | 8 | // Globals 9 | HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE); 10 | 11 | /// 12 | int _tmain(int argc, _TCHAR* argv[]) 13 | { 14 | fwprintf(stdout, _TEXT("[i] Running..\n")); 15 | EnumerateProcesses(); 16 | 17 | return 0; 18 | } -------------------------------------------------------------------------------- /d-criticalsections/Engine.h: -------------------------------------------------------------------------------- 1 | /* 2 | Critical Section Enumerator for Windows Processes 3 | 4 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 5 | 6 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com 7 | 8 | Released under AGPL see LICENSE for more information 9 | */ 10 | 11 | #pragma once 12 | 13 | #include "stdafx.h" 14 | 15 | void EnumerateProcesses(); 16 | 17 | -------------------------------------------------------------------------------- /d-nonmodulecallstack/Engine.h: -------------------------------------------------------------------------------- 1 | /* 2 | Discover non-module call stack functions in threads 3 | 4 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 5 | 6 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com 7 | 8 | Released under AGPL see LICENSE for more information 9 | */ 10 | 11 | #pragma once 12 | 13 | #include "stdafx.h" 14 | 15 | void EnumerateProcesses(); 16 | 17 | -------------------------------------------------------------------------------- /d-cow/Engine.h: -------------------------------------------------------------------------------- 1 | /* 2 | A copy on write detector for Windows APIs across processes 3 | 4 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 5 | 6 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup 
dot com 7 | 8 | https://github.com/nccgroup/DetectWindowsCopyOnWriteForAPI 9 | 10 | Released under AGPL see LICENSE for more information 11 | */ 12 | 13 | #pragma once 14 | 15 | void EnumerateProcesses(); 16 | 17 | -------------------------------------------------------------------------------- /d-dr-registers/stdafx.h: -------------------------------------------------------------------------------- 1 | 2 | #pragma once 3 | 4 | #include "stdafx.h" 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | // 18 | extern bool bFirstRun; 19 | extern bool bConsole; 20 | extern bool bService; 21 | 22 | -------------------------------------------------------------------------------- /d-vehimplant/Engine.h: -------------------------------------------------------------------------------- 1 | /* 2 | VEH misuse detector for Microsoft Windows 3 | 4 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 5 | 6 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com 7 | 8 | https://github.com/nccgroup/DetectWindowsCopyOnWriteForAPI 9 | 10 | Released under AGPL see LICENSE for more information 11 | */ 12 | 13 | #pragma once 14 | 15 | #include "stdafx.h" 16 | 17 | void EnumerateProcesses(); 18 | -------------------------------------------------------------------------------- /d-vehlab/Engine.h: -------------------------------------------------------------------------------- 1 | /* 2 | A copy on write detector for Windows APIs across processes 3 | 4 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 5 | 6 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com 7 | 8 | https://github.com/nccgroup/DetectWindowsCopyOnWriteForAPI 9 | 10 | Released under AGPL see LICENSE for more information 11 | */ 12 | 13 | #pragma once 14 | 15 | #include "stdafx.h" 16 | 17 | void EnumerateProcesses(); 18 | 19 | 20 | 
-------------------------------------------------------------------------------- /d-dr-registers/d-dr-registers.cpp: -------------------------------------------------------------------------------- 1 | // d-dr-registers.cpp : This file contains the 'main' function. Program execution begins and ends there. 2 | // 3 | 4 | // Includes 5 | #include "stdafx.h" 6 | #include "Engine.h" 7 | 8 | bool bService = false; 9 | bool bConsole = false; 10 | 11 | // Globals 12 | HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE); 13 | 14 | /// 15 | int _tmain(int argc, _TCHAR* argv[]) 16 | { 17 | fwprintf(stdout, _TEXT("[i] Running..\n")); 18 | EnumerateProcesses(); 19 | 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /d-alpc-callbacks/d-alpc-callbacks.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | Enmumerate ALPC call backs 3 | 4 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 5 | 6 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com 7 | 8 | Released under AGPL see LICENSE for more information 9 | */ 10 | 11 | // Includes 12 | #include "stdafx.h" 13 | #include "Engine.h" 14 | 15 | bool bService = false; 16 | bool bConsole = false; 17 | 18 | // Globals 19 | HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE); 20 | 21 | /// 22 | int _tmain(int argc, _TCHAR* argv[]) 23 | { 24 | fwprintf(stdout, _TEXT("[i] Running..\n")); 25 | EnumerateProcesses(); 26 | 27 | return 0; 28 | } -------------------------------------------------------------------------------- /d-criticalsections/d-criticalsections.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | Critical Section Enumerator for Windows Processes 3 | 4 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 5 | 6 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com 7 | 8 | Released under AGPL see LICENSE for more 
information 9 | */ 10 | 11 | // Includes 12 | #include "stdafx.h" 13 | #include "Engine.h" 14 | 15 | bool bService = false; 16 | bool bConsole = false; 17 | 18 | // Globals 19 | HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE); 20 | 21 | /// 22 | int _tmain(int argc, _TCHAR* argv[]) 23 | { 24 | fwprintf(stdout, _TEXT("[i] Running..\n")); 25 | EnumerateProcesses(); 26 | 27 | return 0; 28 | } -------------------------------------------------------------------------------- /d-nonmodulecallstack/d-nonmodulecallstack.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | Discover non-module call stack functions in threads 3 | 4 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 5 | 6 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com 7 | 8 | Released under AGPL see LICENSE for more information 9 | */ 10 | 11 | // Includes 12 | #include "stdafx.h" 13 | #include "Engine.h" 14 | 15 | bool bService = false; 16 | bool bConsole = false; 17 | 18 | // Globals 19 | HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE); 20 | 21 | /// 22 | int _tmain(int argc, _TCHAR* argv[]) 23 | { 24 | fwprintf(stdout, _TEXT("[i] Running..\n")); 25 | EnumerateProcesses(); 26 | 27 | return 0; 28 | } -------------------------------------------------------------------------------- /d-cow/XGetopt.h: -------------------------------------------------------------------------------- 1 | // XGetopt.h Version 1.2 2 | // 3 | // Author: Hans Dietrich 4 | // hdietrich2@hotmail.com 5 | // 6 | // This software is released into the public domain. 7 | // You are free to use it in any way you like. 8 | // 9 | // This software is provided "as is" with no expressed 10 | // or implied warranty. I accept no liability for any 11 | // damage or loss of business that this software may cause. 
12 | // 13 | /////////////////////////////////////////////////////////////////////////////// 14 | 15 | #ifndef XGETOPT_H 16 | #define XGETOPT_H 17 | 18 | extern int optind, opterr; 19 | extern TCHAR *optarg; 20 | 21 | int getopt(int argc, TCHAR *argv[], TCHAR *optstring); 22 | 23 | #endif //XGETOPT_H 24 | -------------------------------------------------------------------------------- /d-cow/d-cow.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | A copy on write detector for Windows APIs across processes 3 | 4 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 5 | 6 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com 7 | 8 | https://github.com/nccgroup/DetectWindowsCopyOnWriteForAPI 9 | 10 | Released under AGPL see LICENSE for more information 11 | */ 12 | 13 | // Includes 14 | #include "stdafx.h" 15 | 16 | bool bService = false; 17 | bool bConsole = false; 18 | 19 | // Globals 20 | HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE); 21 | 22 | /// 23 | int _tmain(int argc, _TCHAR* argv[]) 24 | { 25 | fwprintf(stdout, _TEXT("[i] Running..\n")); 26 | EnumerateProcesses(); 27 | 28 | return 0; 29 | } 30 | 31 | -------------------------------------------------------------------------------- /d-vehlab/d-vehmisuse.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | VEH misuse detector for Microsoft Windows 3 | 4 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 5 | 6 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com 7 | 8 | https://github.com/nccgroup/DetectWindowsCopyOnWriteForAPI 9 | 10 | Released under AGPL see LICENSE for more information 11 | */ 12 | 13 | // Includes 14 | #include "stdafx.h" 15 | #include "Engine.h" 16 | 17 | bool bService = false; 18 | bool bConsole = false; 19 | 20 | // Globals 21 | HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE); 22 | 23 | /// 24 | int _tmain(int argc, 
_TCHAR* argv[]) 25 | { 26 | fwprintf(stdout, _TEXT("[i] Running..\n")); 27 | EnumerateProcesses(); 28 | 29 | return 0; 30 | } -------------------------------------------------------------------------------- /d-vehimplant/d-vehimplant.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | VEH misuse detector for Microsoft Windows 3 | 4 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 5 | 6 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com 7 | 8 | https://github.com/nccgroup/DetectWindowsCopyOnWriteForAPI 9 | 10 | Released under AGPL see LICENSE for more information 11 | */ 12 | 13 | // Includes 14 | #include "stdafx.h" 15 | #include "Engine.h" 16 | 17 | bool bService = false; 18 | bool bConsole = false; 19 | 20 | // Globals 21 | HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE); 22 | 23 | /// 24 | int _tmain(int argc, _TCHAR* argv[]) 25 | { 26 | fwprintf(stdout, _TEXT("[i] Running..\n")); 27 | EnumerateProcesses(); 28 | 29 | return 0; 30 | } -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ####################### 2 | # Visual Studio files # 3 | ####################### 4 | *.suo 5 | *.user 6 | *.sdf 7 | ipch/ 8 | .vs/ 9 | 10 | ################## 11 | # Python Ness # 12 | ################## 13 | __pycache__/ 14 | env/ 15 | *.pyc 16 | 17 | ################## 18 | # Compiled files # 19 | ################## 20 | linux/ 21 | bin/ 22 | obj/ 23 | Release/ 24 | Debug/ 25 | *.dll 26 | *.exe 27 | *.pdb 28 | *.obj 29 | *.log 30 | *.tlog 31 | *.htm 32 | *.pch 33 | watchlist.db 34 | 35 | ##################### 36 | # OS-specific files # 37 | ##################### 38 | .DS_Store 39 | .DS_Store? 40 | ._* 41 | .Spotlight-V100 42 | .Trashes 43 | Icon? 
44 | ehthumbs.db 45 | Thumbs.db 46 | *.pyproj 47 | *.pyd 48 | ip2asn-v4.tsv 49 | *.tsv 50 | -------------------------------------------------------------------------------- /d-thread-start/stdafx.h: -------------------------------------------------------------------------------- 1 | /* 2 | Thread Start Address Enumerator for Microsoft Windows 3 | 4 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 5 | 6 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com 7 | 8 | Released under AGPL see LICENSE for more information 9 | */ 10 | 11 | #pragma once 12 | 13 | #include "stdafx.h" 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | // 28 | extern bool bFirstRun; 29 | extern bool bConsole; 30 | extern bool bService; 31 | 32 | 33 | // https://github.com/edouarda/thread_explorer/blob/master/thread_explorer/thread_explorer.cpp 34 | typedef struct _THREAD_BASIC_INFORMATION 35 | { 36 | NTSTATUS ExitStatus; 37 | PTEB TebBaseAddress; 38 | CLIENT_ID ClientId; 39 | ULONG_PTR AffinityMask; 40 | KPRIORITY Priority; 41 | LONG BasePriority; 42 | } THREAD_BASIC_INFORMATION, * PTHREAD_BASIC_INFORMATION; 43 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Windows Process Property Enumeration Tools for Threat Hunting 2 | ====================== 3 | 4 | Background 5 | ------------- 6 | The purpose of these tools is to enumerate traits of Windows processes that support the detection of process injection tradecraft used by threat actors. 7 | 8 | Tools 9 | ------------- 10 | * d-cow - Windows Copy on Write Detector for shared Windows APIs (e.g. 
EtwEventWrite) to detect in memory patching 11 | * d-criticalsections - Enumerates how many critical sections a Windows process has 12 | * d-dr-registers - Enumerates processes which have debug registers set indicating hardware breakpoints 13 | * d-nonmodulecallstack - Enumerates the call stack and associated modules and functions for all threads 14 | * d-peb-dll-loadreason - Enumerates the reason and the date/time stamp along with a delta from the main binary for DLL loading 15 | * d-teb - Enumerate threads which are impersonating other users 16 | * d-threat-start - Enumerate the starting address and which module that points to for each thread 17 | * d-vehimplant - Enumerate the Vectored Exception Handlers and which modules they point to 18 | * d-vehlab - sandbox for the VEH work 19 | -------------------------------------------------------------------------------- /d-apc-callbacks/d-apc-callbacks.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | -------------------------------------------------------------------------------- /d-teb/d-teb.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 
16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files 28 | 29 | 30 | Header Files 31 | 32 | 33 | -------------------------------------------------------------------------------- /d-dr-registers/d-dr-registers.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files 28 | 29 | 30 | Header Files 31 | 32 | 33 | -------------------------------------------------------------------------------- /d-thread-start/d-thread-start.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files 28 | 29 | 30 | Header Files 31 | 32 | 33 | -------------------------------------------------------------------------------- /d-alpc-callbacks/d-alpc-callbacks.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 
| 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files 28 | 29 | 30 | Header Files 31 | 32 | 33 | -------------------------------------------------------------------------------- /d-criticalsections/d-criticalsections.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files 28 | 29 | 30 | Header Files 31 | 32 | 33 | -------------------------------------------------------------------------------- /d-nonmodulecallstack/d-nonmodulecallstack.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files 28 | 29 | 30 | Header Files 31 | 32 | 33 | -------------------------------------------------------------------------------- /d-peb-dll-loadreason/d-peb-dll-loadreason.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 
{4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files 28 | 29 | 30 | Header Files 31 | 32 | 33 | -------------------------------------------------------------------------------- /d-vehlab/d-vehmisuse.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files 28 | 29 | 30 | Header Files 31 | 32 | 33 | Header Files 34 | 35 | 36 | -------------------------------------------------------------------------------- /d-vehimplant/d-vehimplant.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files 28 | 29 | 30 | Header Files 31 | 32 | 33 | Header Files 34 | 35 | 36 | 
-------------------------------------------------------------------------------- /d-cow/d-cow.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | 29 | 30 | Header Files 31 | 32 | 33 | Header Files 34 | 35 | 36 | Header Files 37 | 38 | 39 | -------------------------------------------------------------------------------- /d-cow/stdafx.h: -------------------------------------------------------------------------------- 1 | /* 2 | A copy on write detector for Windows APIs across processes 3 | 4 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 5 | 6 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com 7 | 8 | https://github.com/nccgroup/DetectWindowsCopyOnWriteForAPI 9 | 10 | Released under AGPL see LICENSE for more information 11 | */ 12 | 13 | #pragma once 14 | 15 | #ifndef _WIN32_WINNT // Allow use of features specific to Windows XP or later. 16 | // 0x0501 17 | #define _WIN32_WINNT 0x0600 // Change this to the appropriate value to target other versions of Windows. 
18 | #endif 19 | 20 | #include "stdafx.h" 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include "Engine.h" 33 | 34 | 35 | // 36 | extern bool bFirstRun; 37 | extern bool bConsole; 38 | extern bool bService; 39 | 40 | // Reimplement from Winternal.h 41 | typedef NTSTATUS(WINAPI* _NtQueryInformationProcess)( 42 | IN HANDLE ProcessHandle, 43 | IN PROCESSINFOCLASS ProcessInformationClass, 44 | OUT DWORD_PTR* ProcessInformation, 45 | IN ULONG ProcessInformationLength, 46 | OUT PULONG ReturnLength OPTIONAL 47 | ); 48 | 49 | // http://downloads.securityfocus.com/vulnerabilities/exploits/26556.c 50 | typedef PIMAGE_NT_HEADERS(NTAPI* RTLIMAGENTHEADER)(DWORD_PTR); 51 | 52 | 53 | // http://uninformed.org/index.cgi?v=6&a=3&p=2 54 | //typedef struct _IMAGE_BASE_RELOCATION { 55 | // ULONG VirtualAddress; 56 | // ULONG SizeOfBlock; 57 | // USHORT TypeOffset[1]; 58 | //} IMAGE_BASE_RELOCATION, *PIMAGE_BASE_RELOCATION; -------------------------------------------------------------------------------- /d-teb/README.md: -------------------------------------------------------------------------------- 1 | Impersonating Thread Enumerator for Windows 2 | ====================== 3 | Enumerates which threads are impersonating on Windows. This will help detect where a threat actor has injected code into another process and is doing impersonation from it. 4 | 5 | Example of it running 6 | 7 | 8 | ``` 9 | [i] Running.. 10 | [!] 
[0][UNKNOWN] Failed to OpenProcess - 87 11 | [i] [4][UNKNOWN] not analysed 31 12 | [i] [56][UNKNOWN] not analysed 31 13 | [i] [108][UNKNOWN] not analysed 31 14 | [i] [576][C:\Windows\System32\smss.exe] not analysed 5 15 | [i] [868][C:\Windows\System32\csrss.exe] not analysed 5 16 | [i] [660][C:\Windows\System32\wininit.exe] not analysed 5 17 | [i] [856][C:\Windows\System32\csrss.exe] not analysed 5 18 | [i] [1040][C:\Windows\System32\services.exe] not analysed 5 19 | [i] [1064][C:\Windows\System32\LsaIso.exe] not analysed 998 20 | [i] [2544][svchost.exe] is impersonating 21 | [i] [4016][UNKNOWN] not analysed 31 22 | [i] [5500][svchost.exe] is impersonating 23 | [i] [5500][svchost.exe] is impersonating 24 | [i] [6608][C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\MsMpEng.exe] not analysed 5 25 | [i] [9996][C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\NisSrv.exe] not analysed 5 26 | [i] [7468][C:\Windows\System32\SecurityHealthService.exe] not analysed 5 27 | [i] [14732][C:\Windows\System32\SgrmBroker.exe] not analysed 5 28 | [i] [6676][C:\Windows\System32\svchost.exe] not analysed 5 29 | [i] [16612][C:\Windows\System32\svchost.exe] not analysed 5 30 | [i] [20628][C:\Windows\System32\svchost.exe] not analysed 5 31 | [!] [18480][UNKNOWN] Failed to OpenProcess - 87 32 | [!] [25680][UNKNOWN] Failed to OpenProcess - 87 33 | [!] [25304][UNKNOWN] Failed to OpenProcess - 87 34 | [i] Total of 360 processes - didn't open 17 35 | ``` -------------------------------------------------------------------------------- /d-dr-registers/README.md: -------------------------------------------------------------------------------- 1 | Hardware Debug Register Enumerator for Windows 2 | ====================== 3 | Enumerates which threads have hardware debug registers set. This will help detect where VEHs are being used to do function hooking to avoid copy on write detection (d-cow). 
This tool (d-dr-registers) is complemented by d-vehimplant to detect the other half of the technique. Caveats: only the addresses held in DR0-DR3 are reported (DR7, which records which of them are actually enabled and whether they fire on execute or on data access, is not shown), the registers are read from running threads without suspending them, so a value can be stale, and a process that cannot be opened with query/read access is listed as `not analysed` together with the Win32 error code from EnumProcessModules (5 = access denied, so run elevated). Treat a hit as a lead to confirm under a debugger rather than as proof of hooking. 4 | 5 | Example of it running 6 | 7 | ``` 8 | [i] Running.. 9 | [!] [0][UNKNOWN] Failed to OpenProcess - 87 10 | [i] [4][UNKNOWN] not analysed 31 11 | [i] [56][UNKNOWN] not analysed 31 12 | [i] [108][UNKNOWN] not analysed 31 13 | [i] [576][C:\Windows\System32\smss.exe] not analysed 5 14 | [i] [868][C:\Windows\System32\csrss.exe] not analysed 5 15 | [i] [660][C:\Windows\System32\wininit.exe] not analysed 5 16 | [i] [856][C:\Windows\System32\csrss.exe] not analysed 5 17 | [i] [1040][C:\Windows\System32\services.exe] not analysed 5 18 | [i] [1064][C:\Windows\System32\LsaIso.exe] not analysed 998 19 | [i] [4016][UNKNOWN] not analysed 31 20 | [i] [6608][C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\MsMpEng.exe] not analysed 5 21 | [i] [9996][C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\NisSrv.exe] not analysed 5 22 | [i] [7468][C:\Windows\System32\SecurityHealthService.exe] not analysed 5 23 | [i] [14732][C:\Windows\System32\SgrmBroker.exe] not analysed 5 24 | [i] [6676][C:\Windows\System32\svchost.exe] not analysed 5 25 | [i] [16612][C:\Windows\System32\svchost.exe] not analysed 5 26 | [i] [20076][MEMGUARD.exe] has a thread (10208) with debug registers set - 7fff5e074570 0 0 0 27 | [i] [20076][MEMGUARD.exe] has a thread (13564) with debug registers set - 7fff5e074570 0 0 0 28 | [i] [20076][MEMGUARD.exe] has a thread (9832) with debug registers set - 7fff5e074570 0 0 0 29 | [i] [20076][MEMGUARD.exe] has a thread (24988) with debug registers set - 7fff5e074570 0 0 0 30 | [i] [20628][C:\Windows\System32\svchost.exe] not analysed 5 31 | [i] Total of 359 processes - didn't open 17 32 | ``` -------------------------------------------------------------------------------- /d-cow/README.md: -------------------------------------------------------------------------------- 1 | Windows Copy on Write Detector 2 | ====================== 3 | 4 | 
A copy on write detector for Windows APIs across processes. 5 | 6 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 7 | 8 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com 9 | 10 | https://github.com/nccgroup/DetectWindowsCopyOnWriteForAPI 11 | 12 | Released under AGPL see LICENSE for more information 13 | 14 | Blog 15 | ------------- 16 | TBC 17 | 18 | Hypothesis 19 | ------------- 20 | By default Microsoft Windows backs every mapping of the same DLL image with the same physical pages to save space. When a process writes to (patches) one of those pages, a copy-on-write operation gives that process its own private copy of the page. 21 | 22 | From the Microsoft documentation: 23 | https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualquery 24 | 25 | *If a shared copy-on-write page is modified, it becomes private to the process that modified the page. However, the VirtualQuery function will continue to report such pages as MEM_MAPPED (for data views) or MEM_IMAGE (for executable image views) rather than MEM_PRIVATE. To detect whether copy-on-write has occurred for a specific page, either access the page or lock it using the VirtualLock function to make sure the page is resident in memory, then use the QueryWorkingSetEx function to check the Shared bit in the extended working set information for the page. If the Shared bit is clear, the page is private.* 26 | 27 | Due to this behaviour we can: 28 | * Open processes 29 | * Search for the address of EtwEventWrite 30 | * Use QueryWorkingSetEx to check whether the page is shared or not 31 | * If not then it is an indication a patch has occurred (a page only goes private once something has written to it, so a hit tells you a write happened; it does not tell you who wrote it or whether it was malicious) 32 | 33 | This should be a performant way to detect in-memory patches to the .text section of DLLs. Note that it is a per-page check: as implemented only the page holding EtwEventWrite is examined, so a patch elsewhere in the DLL goes unseen, and any write to that page - a hot-patch or a hook installed by other security software - will trigger it too. 
34 | 35 | Compatibility 36 | ------------- 37 | Only Windows 10/11 tested 38 | 39 | What it does 40 | ------------- 41 | * GetProcAddress of EtwEventWrite in our own process (the same address is then used for every target, which relies on ntdll being mapped at the same base in all of them) 42 | * Open processes 43 | * Validate that NTDLL.dll is loaded and that EtwEventWrite is within the .text segment 44 | * Use QueryWorkingSetEx to check whether the page is shared or not. Per the documentation quoted above the Shared bit is only meaningful for a page that is resident (Valid bit set); the steps here do not touch or lock the page first, so a page that has been trimmed from the target's working set gives no answer and should be treated as unknown rather than clean 45 | * If not then it is an indication a patch has occurred and alert 46 | 47 | Running 48 | ------------- 49 | 50 | The below is an example where we have patched the EtwEventWrite function 51 | 52 | ``` 53 | x64\Release>d-cow.exe 54 | [i] Running.. 55 | [i] [11960][Calculator.exe] EtwEventWrite is located in NONE shared memory - indication of copy of write 56 | ``` 57 | 58 | Prior work 59 | ------------- 60 | thanks to Peter Winter-Smith for pointing out this technique is implemented in Moneta by Forrest Orr 61 | 62 | https://github.com/forrest-orr/moneta/blob/master/Source/Subregions.cpp 63 | 64 | Offensive tradecraft we detect 65 | ------------- 66 | * https://www.mdsec.co.uk/2020/03/hiding-your-net-etw/ 67 | * https://github.com/outflanknl/TamperETW 68 | * https://github.com/ajpc500/BOFs/blob/main/ETW/etw.c 69 | * https://github.com/boku7/injectEtwBypass 70 | -------------------------------------------------------------------------------- /d-vehimplant/stdafx.h: -------------------------------------------------------------------------------- 1 | /* 2 | VEH misuse detector for Microsoft Windows 3 | 4 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 5 | 6 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com 7 | 8 | https://github.com/nccgroup/DetectWindowsCopyOnWriteForAPI 9 | 10 | Released under AGPL see LICENSE for more information 11 | */ 12 | 13 | #pragma once 14 | 15 | #include "stdafx.h" 16 | #include "InternalStructs.h" 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | 29 | // 30 
| extern bool bFirstRun; 31 | extern bool bConsole; 32 | extern bool bService; 33 | 34 | /* Reimplemented from winternl.h (NtQueryInformationProcess). ProcessInformation is typed DWORD_PTR* here rather than the documented PVOID, so callers pass a cast buffer. */ 35 | typedef NTSTATUS(WINAPI* _NtQueryInformationProcess)( 36 | IN HANDLE ProcessHandle, 37 | IN PROCESSINFOCLASS ProcessInformationClass, 38 | OUT DWORD_PTR* ProcessInformation, 39 | IN ULONG ProcessInformationLength, 40 | OUT PULONG ReturnLength OPTIONAL 41 | ); 42 | 43 | /* Same prototype again but taking the project's own MYPROCESSINFOCLASS (from InternalStructs.h), used for the ProcessCookie query - the cookie is what the stored VEH handler pointers are encoded with, so the enumerator needs it to decode them. */ 44 | /* of the ProcessInfoClass */ 45 | typedef NTSTATUS(WINAPI* _MyNtQueryInformationProcess)( 46 | IN HANDLE ProcessHandle, 47 | IN MYPROCESSINFOCLASS ProcessInformationClass, 48 | OUT DWORD_PTR* ProcessInformation, 49 | IN ULONG ProcessInformationLength, 50 | OUT PULONG ReturnLength OPTIONAL 51 | ); 52 | 53 | /* From ReactOS - bare doubly-linked list node used to walk the handler list without committing to an entry layout */ 54 | struct VEH_ENTRY_VISTA 55 | { 56 | VEH_ENTRY_VISTA* Flink; 57 | VEH_ENTRY_VISTA* Blink; 58 | }; 59 | 60 | /* From ReactOS. NOTE(review): this #pragma pack(2) has no matching pop, so 2-byte packing stays in force for every declaration that follows in this header (and anything included after it), including VECTORED_HANDLER_ENTRY below - on x64 that places its 'handler' member at offset 20 rather than the naturally aligned 24. The README shows the enumerator working on Windows 10 x64 as-is, so confirm which offset the validated ntdll build actually uses before adding a pop. This layout also differs from the VEH_HANDLER_ENTRY in d-vehlab/stdafx.h (handler + ULONG Refs); only one of the two can match a given ntdll. */ 61 | #pragma pack(2) 62 | struct VEH_HANDLER_ENTRY 63 | { 64 | LIST_ENTRY Entry; 65 | PVOID VectoredHandler; 66 | PVOID VectoredHandler2; 67 | PVOID VectoredHandler3; 68 | }; 69 | 70 | /* Mirror of ntdll's LdrpVectorHandlerList using the opaque node type: exception handlers first, continue handlers second, each list guarded by its own lock */ typedef struct _VECTORED_HANDLER_LIST_OW { 71 | void* mutex_exception; 72 | VEH_ENTRY_VISTA* first_exception_handler; 73 | VEH_ENTRY_VISTA* last_exception_handler; 74 | void* mutex_continue; 75 | VEH_ENTRY_VISTA* first_continue_handler; 76 | VEH_ENTRY_VISTA* last_continue_handler; 77 | } VECTORED_HANDLER_LIST_OW; 78 | 79 | 80 | /* VEH Stuff - typed view of a list entry. 'handler' is the stored (encoded) pointer; the README output labels the value printed as "(decoded)", so the enumerator decodes it before attributing it to a module. Packing from the pragma above still applies here. */ 81 | typedef struct _VECTORED_HANDLER_ENTRY { 82 | _VECTORED_HANDLER_ENTRY* next; 83 | _VECTORED_HANDLER_ENTRY* previous; 84 | ULONG refs; 85 | PVECTORED_EXCEPTION_HANDLER handler; 86 | } VECTORED_HANDLER_ENTRY; 87 | 88 | 89 | /* Same list head as VECTORED_HANDLER_LIST_OW but with typed entries */ typedef struct _VECTORED_HANDLER_LIST { 90 | void* mutex_exception; 91 | VECTORED_HANDLER_ENTRY* first_exception_handler; 92 | VECTORED_HANDLER_ENTRY* last_exception_handler; 93 | void* mutex_continue; 94 | VECTORED_HANDLER_ENTRY* first_continue_handler; 95 | VECTORED_HANDLER_ENTRY* last_continue_handler; 96 | } VECTORED_HANDLER_LIST; 
97 | 98 | // http://downloads.securityfocus.com/vulnerabilities/exploits/26556.c 99 | typedef PIMAGE_NT_HEADERS(NTAPI* RTLIMAGENTHEADER)(DWORD_PTR); 100 | 101 | 102 | 103 | 104 | -------------------------------------------------------------------------------- /d-vehlab/stdafx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | /* 4 | A copy on write detector for Windows APIs across processes 5 | 6 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 7 | 8 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com 9 | 10 | https://github.com/nccgroup/DetectWindowsCopyOnWriteForAPI 11 | 12 | Released under AGPL see LICENSE for more information 13 | */ 14 | 15 | #pragma once 16 | 17 | #ifndef _WIN32_WINNT // Allow use of features specific to Windows XP or later. 18 | // 0x0501 19 | #define _WIN32_WINNT 0x0600 // Change this to the appropriate value to target other versions of Windows. 20 | #endif 21 | 22 | #include "stdafx.h" 23 | #include "InternalStructs.h" 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | 36 | // 37 | extern bool bFirstRun; 38 | extern bool bConsole; 39 | extern bool bService; 40 | 41 | 42 | // Reimplement from Winternal.h 43 | typedef NTSTATUS(WINAPI* _NtQueryInformationProcess)( 44 | IN HANDLE ProcessHandle, 45 | IN PROCESSINFOCLASS ProcessInformationClass, 46 | OUT DWORD_PTR* ProcessInformation, 47 | IN ULONG ProcessInformationLength, 48 | OUT PULONG ReturnLength OPTIONAL 49 | ); 50 | 51 | 52 | typedef NTSTATUS(WINAPI* _MyNtQueryInformationProcess)( 53 | IN HANDLE ProcessHandle, 54 | IN MYPROCESSINFOCLASS ProcessInformationClass, 55 | OUT DWORD_PTR* ProcessInformation, 56 | IN ULONG ProcessInformationLength, 57 | OUT PULONG ReturnLength OPTIONAL 58 | ); 59 | 60 | 61 | // From ReactOS 62 | struct VEH_ENTRY_VISTA 63 | { 64 | VEH_ENTRY_VISTA *Flink; 65 | 
VEH_ENTRY_VISTA *Blink; 66 | }; 67 | 68 | // From ReactOS 69 | #pragma pack(2) 70 | struct VEH_HANDLER_ENTRY 71 | { 72 | LIST_ENTRY Entry; 73 | PVECTORED_EXCEPTION_HANDLER VectoredHandler; 74 | ULONG Refs; 75 | }; 76 | 77 | typedef struct _VECTORED_HANDLER_LIST_OW { 78 | void* mutex_exception; 79 | VEH_ENTRY_VISTA* first_exception_handler; 80 | VEH_ENTRY_VISTA* last_exception_handler; 81 | void* mutex_continue; 82 | VEH_ENTRY_VISTA* first_continue_handler; 83 | VEH_ENTRY_VISTA* last_continue_handler; 84 | } VECTORED_HANDLER_LIST_OW; 85 | 86 | 87 | // VEH Stuff 88 | typedef struct _VECTORED_HANDLER_ENTRY { 89 | _VECTORED_HANDLER_ENTRY* next; 90 | _VECTORED_HANDLER_ENTRY* previous; 91 | ULONG refs; 92 | PVECTORED_EXCEPTION_HANDLER handler; 93 | } VECTORED_HANDLER_ENTRY; 94 | 95 | 96 | typedef struct _VECTORED_HANDLER_LIST { 97 | void* mutex_exception; 98 | VECTORED_HANDLER_ENTRY* first_exception_handler; 99 | VECTORED_HANDLER_ENTRY* last_exception_handler; 100 | void* mutex_continue; 101 | VECTORED_HANDLER_ENTRY* first_continue_handler; 102 | VECTORED_HANDLER_ENTRY* last_continue_handler; 103 | } VECTORED_HANDLER_LIST; 104 | 105 | // http://downloads.securityfocus.com/vulnerabilities/exploits/26556.c 106 | typedef PIMAGE_NT_HEADERS(NTAPI* RTLIMAGENTHEADER)(DWORD_PTR); 107 | 108 | 109 | // http://uninformed.org/index.cgi?v=6&a=3&p=2 110 | //typedef struct _IMAGE_BASE_RELOCATION { 111 | // ULONG VirtualAddress; 112 | // ULONG SizeOfBlock; 113 | // USHORT TypeOffset[1]; 114 | //} IMAGE_BASE_RELOCATION, *PIMAGE_BASE_RELOCATION; -------------------------------------------------------------------------------- /d-criticalsections/README.md: -------------------------------------------------------------------------------- 1 | Critical Section Count Enumerator for Windows 2 | ====================== 3 | Enumerates how many critical sections a process has. 
This will help detect processes which have had an implant injected causing a significant variance in the total number of expected Critical Sections. 4 | 5 | Example of it running 6 | 7 | ``` 8 | [i] Running.. 9 | [!] [0][UNKNOWN] Failed to OpenProcess - 87 10 | [i] [4][UNKNOWN] not analysed 31 11 | [i] [56][UNKNOWN] not analysed 31 12 | [i] [108][UNKNOWN] not analysed 31 13 | [i] [576][C:\Windows\System32\smss.exe] not analysed 5 14 | [i] [868][C:\Windows\System32\csrss.exe] not analysed 5 15 | [i] [660][C:\Windows\System32\wininit.exe] not analysed 5 16 | [i] [856][C:\Windows\System32\csrss.exe] not analysed 5 17 | [i] [1040][C:\Windows\System32\services.exe] not analysed 5 18 | [i] [1064][C:\Windows\System32\LsaIso.exe] not analysed 998 19 | [i] [1072][lsass.exe] has 513 Critical Sections 20 | [i] [1128][winlogon.exe] has 20 Critical Sections 21 | [i] [1248][svchost.exe] has 33 Critical Sections 22 | [i] [1260][fontdrvhost.exe] has 4 Critical Sections 23 | [i] [1268][fontdrvhost.exe] has 6 Critical Sections 24 | [i] [1388][svchost.exe] has 21 Critical Sections 25 | [i] [1432][svchost.exe] has 64 Critical Sections 26 | [i] [1508][dwm.exe] has 33 Critical Sections 27 | [i] [1544][WUDFHost.exe] has 37 Critical Sections 28 | [i] [1612][WUDFHost.exe] has 6 Critical Sections 29 | [i] [1680][svchost.exe] has 51 Critical Sections 30 | [i] [1688][svchost.exe] has 2 Critical Sections 31 | [i] [1760][svchost.exe] has 2 Critical Sections 32 | [i] [1776][svchost.exe] has 5 Critical Sections 33 | [i] [1824][svchost.exe] has 7 Critical Sections 34 | [i] [1832][svchost.exe] has 8 Critical Sections 35 | [i] [1856][svchost.exe] has 14 Critical Sections 36 | [i] [1868][svchost.exe] has 4 Critical Sections 37 | [i] [1900][svchost.exe] has 8 Critical Sections 38 | [i] [1992][svchost.exe] has 11 Critical Sections 39 | [i] [1816][svchost.exe] has 17 Critical Sections 40 | [i] [2072][IntelCpHDCPSvc.exe] has 7 Critical Sections 41 | [i] [2080][svchost.exe] has 4 Critical Sections 42 | 
[i] [2136][svchost.exe] has 8 Critical Sections 43 | [i] [2192][svchost.exe] has 3 Critical Sections 44 | [i] [2216][svchost.exe] has 3 Critical Sections 45 | [i] [2236][WUDFHost.exe] has 9 Critical Sections 46 | [i] [2288][svchost.exe] has 20 Critical Sections 47 | [i] [2584][svchost.exe] has 3 Critical Sections 48 | [i] [2596][IntelCpHeciSvc.exe] has 6 Critical Sections 49 | [i] [2608][WUDFHost.exe] has 9 Critical Sections 50 | [i] [2624][svchost.exe] has 10 Critical Sections 51 | [i] [2924][svchost.exe] has 2 Critical Sections 52 | [i] [2936][WUDFHost.exe] has 9 Critical Sections 53 | [i] [2988][svchost.exe] has 13 Critical Sections 54 | [i] [3024][svchost.exe] has 17 Critical Sections 55 | [i] [2544][svchost.exe] has 8 Critical Sections 56 | [i] [2312][spaceman.exe] has 5 Critical Sections 57 | [i] [3104][svchost.exe] has 8 Critical Sections 58 | [i] [3204][svchost.exe] has 24 Critical Sections 59 | [i] [3212][svchost.exe] has 12 Critical Sections 60 | [i] [3240][svchost.exe] has 8 Critical Sections 61 | [i] [3260][svchost.exe] has 24 Critical Sections 62 | [i] [3312][svchost.exe] has 7 Critical Sections 63 | [i] [3424][svchost.exe] has 21 Critical Sections 64 | [i] [3488][svchost.exe] has 19 Critical Sections 65 | [i] [3508][svchost.exe] has 19 Critical Sections 66 | [i] [3532][svchost.exe] has 13 Critical Sections 67 | [i] [3708][vmms.exe] has 18 Critical Sections 68 | [i] [3856][dashost.exe] has 25 Critical Sections 69 | [i] [3932][svchost.exe] has 6 Critical Sections 70 | [i] [3940][svchost.exe] has 10 Critical Sections 71 | ``` -------------------------------------------------------------------------------- /d-vehimplant/README.md: -------------------------------------------------------------------------------- 1 | Vectored Exception Handler Enumerator for Windows 2 | ====================== 3 | This will enumerate which Vectored Exception Handlers are present for a process and which module they point to. 
This will help detect where VEH is used to do function hooking to avoid copy on write detection (d-cow). This tool (d-vehimplant) is complemented by d-dr-registers to detect the other half of the technique. 4 | 5 | This is known to work on Windows 10 x64; the fragile part is the VEH linked-list locator below, which finds `LdrpVectorHandlerList` by scanning the first 60 bytes of `RtlRemoveVectoredExceptionHandler` for the `4c 8d 25` encoding of `lea r12, [rip+disp32]` and resolving that instruction's RIP-relative displacement. This is a heuristic and will break if that prologue changes materially. Two things to keep in mind when reusing it: if the pattern is not found the loop falls out with `dwCount == 60` and `dwOffset == 0` and the function still returns an address, so callers should treat a miss as an error rather than trusting the result; and the displacement is read into an unsigned `DWORD`, which is fine while the list sits above the code (as the example addresses below show) but would zero-extend a negative displacement. When reading the output, a handler that resolves to a module (clr.dll, msedge.dll, slack.exe in the example) is the expected baseline; a handler whose address is in memory backed by no module is the signal. 6 | ``` 7 | ULONGLONG GetVEHOffset() { 8 | HMODULE ntdll = LoadLibraryA("ntdll.dll"); 9 | 10 | ULONGLONG procAddress = (ULONGLONG)GetProcAddress(ntdll, "RtlRemoveVectoredExceptionHandler"); 11 | BYTE* Buffer = (BYTE*)(GetProcAddress(ntdll, "RtlRemoveVectoredExceptionHandler")); 12 | 13 | fwprintf(stdout, _TEXT("[i] RtlRemoveVectoredExceptionHandler [%llx]\n"), (procAddress)); 14 | 15 | 16 | DWORD dwCount = 0; 17 | DWORD dwOffset = 0; 18 | for (dwCount = 0; dwCount < 60; dwCount++) { 19 | 20 | if ((*(Buffer + dwCount) == 0x4c) && (*(Buffer + dwCount + 1) == 0x8d) && (*(Buffer + dwCount + 2) == 0x25)) { 21 | memcpy(&dwOffset, (Buffer + dwCount + 3), 4); 22 | break; 23 | } 24 | } 25 | 26 | // ptr return by GetProcAddress + the seek until our pattern + the instruction to load the RVA 27 | fwprintf(stdout, _TEXT("[i] LdrpVectorHandlerList [%llx]\n"), ((LONGLONG)Buffer + dwCount + 7 + dwOffset)); 28 | 29 | return ((LONGLONG)Buffer + dwCount + 7 + dwOffset); 30 | } 31 | ``` 32 | 33 | Example of it running 34 | 35 | ``` 36 | [i] Running.. 37 | [!] 
[0][UNKNOWN] Failed to OpenProcess - 87 38 | [i] [4][UNKNOWN] not analysed 31 39 | [i] [56][UNKNOWN] not analysed 31 40 | [i] [108][UNKNOWN] not analysed 31 41 | [i] [576][C:\Windows\System32\smss.exe] not analysed 5 42 | [i] [868][C:\Windows\System32\csrss.exe] not analysed 5 43 | [i] [660][C:\Windows\System32\wininit.exe] not analysed 5 44 | [i] [856][C:\Windows\System32\csrss.exe] not analysed 5 45 | [i] [1040][C:\Windows\System32\services.exe] not analysed 5 46 | [i] [1064][C:\Windows\System32\LsaIso.exe] not analysed 998 47 | [i] [4016][UNKNOWN] not analysed 31 48 | [i] [5660][com.docker.service] is using VEH - Vectored Exception Handler 49 | [i] RtlRemoveVectoredExceptionHandler [7fff5df92070] 50 | [i] LdrpVectorHandlerList [7fff5e08f3e8] 51 | [d] [5660][com.docker.service] VEH handler(decoded) 0x00007FFF3C3F5230 which is in clr.dll 52 | [d] [5660][com.docker.service] # of VEH: 1 53 | [i] [6608][C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\MsMpEng.exe] not analysed 5 54 | [i] [9996][C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\NisSrv.exe] not analysed 5 55 | [i] [7468][C:\Windows\System32\SecurityHealthService.exe] not analysed 5 56 | [i] [15288][slack.exe] is using VEH - Vectored Exception Handler 57 | [i] RtlRemoveVectoredExceptionHandler [7fff5df92070] 58 | [i] LdrpVectorHandlerList [7fff5e08f3e8] 59 | [d] [15288][slack.exe] VEH handler(decoded) 0x00007FF753B7EE20 which is in slack.exe 60 | [d] [15288][slack.exe] # of VEH: 1 61 | [i] [14732][C:\Windows\System32\SgrmBroker.exe] not analysed 5 62 | [i] [6676][C:\Windows\System32\svchost.exe] not analysed 5 63 | [i] [13084][msedgewebview2.exe] is using VEH - Vectored Exception Handler 64 | [i] RtlRemoveVectoredExceptionHandler [7fff5df92070] 65 | [i] LdrpVectorHandlerList [7fff5e08f3e8] 66 | [d] [13084][msedgewebview2.exe] VEH handler(decoded) 0x00007FFEDE523880 which is in msedge.dll 67 | [d] [13084][msedgewebview2.exe] # of VEH: 1 68 | [i] [15580][msedgewebview2.exe] 
is using VEH - Vectored Exception Handler 69 | [i] RtlRemoveVectoredExceptionHandler [7fff5df92070] 70 | [i] LdrpVectorHandlerList [7fff5e08f3e8] 71 | [d] [15580][msedgewebview2.exe] VEH handler(decoded) 0x00007FFEDE523880 which is in msedge.dll 72 | [d] [15580][msedgewebview2.exe] # of VEH: 1 73 | [i] [15508][msedge.exe] is using VEH - Vectored Exception Handler 74 | [i] RtlRemoveVectoredExceptionHandler [7fff5df92070] 75 | [i] LdrpVectorHandlerList [7fff5e08f3e8] 76 | [d] [15508][msedge.exe] VEH handler(decoded) 0x00007FFEDE523880 which is in msedge.dll 77 | [d] [15508][msedge.exe] # of VEH: 1 78 | [i] [16612][C:\Windows\System32\svchost.exe] not analysed 5 79 | [i] [15304][OUTLOOK.EXE] is using VEH - Vectored Exception Handler 80 | [i] RtlRemoveVectoredExceptionHandler [7fff5df92070] 81 | [i] LdrpVectorHandlerList [7fff5e08f3e8] 82 | [d] [15304][OUTLOOK.EXE] VEH handler(decoded) 0x00007FFF3C3F5230 which is in clr.dll 83 | [d] [15304][OUTLOOK.EXE] VEH handler(decoded) 0x00007FFF025BA7A0 which is in InkObj.dll 84 | [d] [15304][OUTLOOK.EXE] VEH handler(decoded) 0x00007FFF33FE3450 which is in rtscom.dll 85 | [d] [15304][OUTLOOK.EXE] # of VEH: 3 86 | ``` 87 | 88 | -------------------------------------------------------------------------------- /d-nonmodulecallstack/README.md: -------------------------------------------------------------------------------- 1 | Call Stack Enumerator for Microsoft Windows 2 | ====================== 3 | Enumerates the call stack and associated symbols for each thread. This will help detect threads which are running code not from a module due to the instruction pointer being somewhere unexpected. Caveat will be JIT (Just In Time) compiled code. 4 | 5 | Example of it running showing a suspicious call stack 6 | ``` 7 | [i] [25852][20616][MEMGUARD.exe] Frame 0 - 0x0000018DA14C0001 -> . ?? 
8 | [i] [25852][20616][MEMGUARD.exe] Frame 1 - 0x00007FFF5DF88A3C -> C:\WINDOWS\SYSTEM32\ntdll.dll.RtlDeleteAce 9 | [i] [25852][20616][MEMGUARD.exe] Frame 2 - 0x00007FFF5DF61276 -> C:\WINDOWS\SYSTEM32\ntdll.dll.RtlRaiseException 10 | [i] [25852][20616][MEMGUARD.exe] Frame 3 - 0x00007FFF5DFB0BFE -> C:\WINDOWS\SYSTEM32\ntdll.dll.KiUserExceptionDispatcher 11 | [i] [25852][20616][MEMGUARD.exe] Frame 4 - 0x00007FFF2BF11427 -> C:\WINDOWS\SYSTEM32\VCRUNTIME140D.dll.memcpy 12 | [i] [25852][20616][MEMGUARD.exe] Frame 5 - 0x00007FF6549D2128 -> C:\Data\NCC\!Code\Slop\MEMGUARD\x64\Debug\MEMGUARD.exe.main 13 | [i] [25852][20616][MEMGUARD.exe] Frame 6 - 0x00007FF6549D2E49 -> C:\Data\NCC\!Code\Slop\MEMGUARD\x64\Debug\MEMGUARD.exe.invoke_main 14 | [i] [25852][20616][MEMGUARD.exe] Frame 7 - 0x00007FF6549D2CEE -> C:\Data\NCC\!Code\Slop\MEMGUARD\x64\Debug\MEMGUARD.exe.__scrt_common_main_seh 15 | [i] [25852][20616][MEMGUARD.exe] Frame 8 - 0x00007FF6549D2BAE -> C:\Data\NCC\!Code\Slop\MEMGUARD\x64\Debug\MEMGUARD.exe.__scrt_common_main 16 | [i] [25852][20616][MEMGUARD.exe] Frame 9 - 0x00007FF6549D2ED9 -> C:\Data\NCC\!Code\Slop\MEMGUARD\x64\Debug\MEMGUARD.exe.mainCRTStartup 17 | [i] [25852][20616][MEMGUARD.exe] Frame 10 - 0x00007FFF5D327034 -> C:\WINDOWS\System32\KERNEL32.DLL.BaseThreadInitThunk 18 | [i] [25852][20616][MEMGUARD.exe] Frame 11 - 0x00007FFF5DF62651 -> C:\WINDOWS\SYSTEM32\ntdll.dll.RtlUserThreadStart 19 | [i] [25852][20616][MEMGUARD.exe] ----- 20 | [i] [25852][9896][MEMGUARD.exe] Frame 0 - 0x00007FFF5DFB07C4 -> C:\WINDOWS\SYSTEM32\ntdll.dll.ZwWaitForWorkViaWorkerFactory 21 | [i] [25852][9896][MEMGUARD.exe] Frame 1 - 0x00007FFF5DF62DC7 -> C:\WINDOWS\SYSTEM32\ntdll.dll.TpReleaseCleanupGroupMembers 22 | [i] [25852][9896][MEMGUARD.exe] Frame 2 - 0x00007FFF5D327034 -> C:\WINDOWS\System32\KERNEL32.DLL.BaseThreadInitThunk 23 | [i] [25852][9896][MEMGUARD.exe] Frame 3 - 0x00007FFF5DF62651 -> C:\WINDOWS\SYSTEM32\ntdll.dll.RtlUserThreadStart 24 | [i] [25852][9896][MEMGUARD.exe] ----- 25 
| [i] [25852][6452][MEMGUARD.exe] Frame 0 - 0x00007FFF5DFB07C4 -> C:\WINDOWS\SYSTEM32\ntdll.dll.ZwWaitForWorkViaWorkerFactory 26 | [i] [25852][6452][MEMGUARD.exe] Frame 1 - 0x00007FFF5DF62DC7 -> C:\WINDOWS\SYSTEM32\ntdll.dll.TpReleaseCleanupGroupMembers 27 | [i] [25852][6452][MEMGUARD.exe] Frame 2 - 0x00007FFF5D327034 -> C:\WINDOWS\System32\KERNEL32.DLL.BaseThreadInitThunk 28 | [i] [25852][6452][MEMGUARD.exe] Frame 3 - 0x00007FFF5DF62651 -> C:\WINDOWS\SYSTEM32\ntdll.dll.RtlUserThreadStart 29 | [i] [25852][6452][MEMGUARD.exe] ----- 30 | ``` 31 | The above was produced by this code, which registers a Vectored Exception Handler living in freshly allocated RWX memory rather than in any module: 32 | ``` 33 | 34 | LPVOID myMalHandler = NULL; 35 | myMalHandler = VirtualAlloc(NULL, 1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 36 | memset(myMalHandler, 0xcc, 1000); 37 | HANDLE hHal = AddVectoredExceptionHandler(false, (PVECTORED_EXCEPTION_HANDLER)myMalHandler); 38 | ``` 39 | Then causing an exception, so that the handler shows up as frame 0 of the faulting thread in the walk above. 40 | 41 | In an unscientific sample set of one host, searching the output for `. ??` we only saw the following - one of which was the test case. Note that the three cb.exe frames are a different case from the MEMGUARD one: they resolve to a module (cb.exe) but to no symbol, whereas a frame that lies outside every module prints with an empty module path (`-> . ??`). With findstr's /R switch the `.` in the pattern is a wildcard, which is why both forms match; searching for `-> . ??` instead isolates the non-module case: 42 | ``` 43 | [i] [5516][7280][cb.exe] Frame 0 - 0x00007FF74E50EF77 -> C:\WINDOWS\CarbonBlack\cb.exe. ?? 44 | [i] [5516][7280][cb.exe] Frame 1 - 0x00007FF74E50FC51 -> C:\WINDOWS\CarbonBlack\cb.exe. ?? 45 | [i] [5516][7280][cb.exe] Frame 2 - 0x00007FF74E4A1AA2 -> C:\WINDOWS\CarbonBlack\cb.exe. ?? 46 | [i] [24212][21104][MEMGUARD.exe] Frame 0 - 0x000002CF87690000 -> . ?? 47 | ``` 48 | Example command line is below: 49 | ``` 50 | C:\Data\NCC\!Code\Git.Public\DetectWindowsCopyOnWriteForAPI\d-cow\x64\Release>d-nonmodulecallstack.exe | findstr /N /R /C:". ??" 51 | [!] [0][UNKNOWN] Failed to OpenProcess - 87 52 | [!] [4][UNKNOWN] Failed to OpenProcess - 5 53 | [!] [56][UNKNOWN] Failed to OpenProcess - 5 54 | [!] [108][UNKNOWN] Failed to OpenProcess - 5 55 | [!] [576][UNKNOWN] Failed to OpenProcess - 5 56 | [!] [868][UNKNOWN] Failed to OpenProcess - 5 57 | [!] [660][UNKNOWN] Failed to OpenProcess - 5 58 | [!] 
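[856][UNKNOWN] Failed to OpenProcess - 5 59 | [!] [1040][UNKNOWN] Failed to OpenProcess - 5 60 | [!] [4016][UNKNOWN] Failed to OpenProcess - 5 61 | [!] [6608][UNKNOWN] Failed to OpenProcess - 5 62 | [!] [9996][UNKNOWN] Failed to OpenProcess - 5 63 | [!] [7468][UNKNOWN] Failed to OpenProcess - 5 64 | [!] [14732][UNKNOWN] Failed to OpenProcess - 5 65 | [!] [6676][UNKNOWN] Failed to OpenProcess - 5 66 | [!] [25616][UNKNOWN] Failed to OpenProcess - 5 67 | [!] [26024][UNKNOWN] Failed to OpenProcess - 5 68 | 26126:[i] [24212][21104][MEMGUARD.exe] Frame 0 - 0x000002CF87690000 -> . ?? 69 | [!] [23700][UNKNOWN] Failed to OpenProcess - 87 70 | ``` -------------------------------------------------------------------------------- /d-dr-registers/Engine.cpp: --------------------------------------------------------------------------------
/*
Debug register (hardware breakpoint) misuse detector for Microsoft Windows

Released as open source by NCC Group Plc - http://www.nccgroup.com/

Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com

Released under AGPL see LICENSE for more information
*/

#pragma once


#include "stdafx.h"

// Globals
HANDLE hProcess;
TCHAR strErrMsg[1024];
DWORD dwModuleRelocs = 0;
DWORD dwCountError = 0;   // processes that could not be opened, or whose modules could not be listed
DWORD dwCountOK = 0;      // processes whose threads were scanned
DWORD dwOpen = 0;         // processes opened but reported "not analysed" (EnumProcessModules failed)

// Structures to hold process information
#pragma pack(push, 1)
struct procNfoStuct {
	DWORD PID;
	TCHAR Name[MAX_PATH];
	unsigned long long TotalExecMem = 0;
};
#pragma pack(pop)
// EnumerateProcesses() asks for at most 4096 PIDs so this cannot fill up, but
// AnalyzeProc() bounds-checks before writing to it anyway.
procNfoStuct Procs[4098];
DWORD NumOfProcs = 0;


//
// Function : SetPrivilege
// Role     : Enables the named privilege (e.g. SE_DEBUG_NAME) in the token of hProcess
// Notes    : Returns false when the privilege could not be enabled. That includes the
//            case where AdjustTokenPrivileges succeeds but reports ERROR_NOT_ALL_ASSIGNED,
//            i.e. the token does not hold the privilege at all (typically: not elevated).
//            The caller keeps ownership of hProcess; only the token handle opened here
//            is closed.
//
BOOL SetPrivilege(HANDLE hProcess, LPCTSTR lPriv)
{
	LUID luid;
	TOKEN_PRIVILEGES privs;
	HANDLE hToken = NULL;
	DWORD dwBufLen = 0;
	char buf[1024];

	ZeroMemory(&luid, sizeof(luid));

	if (!LookupPrivilegeValue(NULL, lPriv, &luid)) return false;

	privs.PrivilegeCount = 1;
	privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	memcpy(&privs.Privileges[0].Luid, &luid, sizeof(privs.Privileges[0].Luid));

	// TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY is all AdjustTokenPrivileges needs;
	// TOKEN_ALL_ACCESS was more than this tool ever uses.
	if (!OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
		return false;

	BOOL bRet = AdjustTokenPrivileges(hToken, FALSE, &privs,
		sizeof(buf), (PTOKEN_PRIVILEGES)buf, &dwBufLen);

	// AdjustTokenPrivileges returns TRUE even when nothing was enabled; the real
	// failure signal is ERROR_NOT_ALL_ASSIGNED in the last error.
	if (bRet && GetLastError() == ERROR_NOT_ALL_ASSIGNED)
		bRet = FALSE;

	CloseHandle(hToken);

	return bRet;
}

///
/// Analyze one process: open it, confirm its module list can be read (i.e. it is a
/// normal process we have read access to), then walk its threads and report any
/// whose hardware debug registers DR0-DR3 hold a non-zero address.
///
/// Only the four address registers are inspected; DR7 (which says which of them are
/// enabled and whether they break on execute or on data access) is not read, so a
/// reported address may belong to an armed breakpoint or to a stale one.
///
/// Process ID
void AnalyzeProc(DWORD dwPID)
{
	DWORD dwRet;
	HANDLE hProcess = NULL;
	HMODULE hModule[4096];
	TCHAR cProcess[MAX_PATH] = { 0 }; // Process name
	const DWORD dwSelf = GetCurrentProcessId();

	// Get a process handle. PROCESS_QUERY_INFORMATION | PROCESS_VM_READ is all that
	// EnumProcessModules/GetModuleBaseName need; asking for PROCESS_ALL_ACCESS only
	// gets refused on more processes. On access denied fall back to limited query so
	// the process can at least be named in the "not analysed" line.
	hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPID);
	if (hProcess == NULL && GetLastError() == ERROR_ACCESS_DENIED) {
		hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, dwPID);
	}
	if (hProcess == NULL) {
		fwprintf(stderr, _TEXT("[!] [%d][UNKNOWN] Failed to OpenProcess - %d\n"), dwPID, GetLastError());
		dwCountError++;
		return;
	}

	// Enumerate the process modules
	if (EnumProcessModules(hProcess, hModule, sizeof(hModule), &dwRet) == FALSE)
	{
		// Capture the error before QueryFullProcessImageName can overwrite it.
		// 299 (ERROR_PARTIAL_COPY) is the bitness-mismatch case, 5 is access denied.
		const DWORD dwErr = GetLastError();
		DWORD dwSz = MAX_PATH;
		if (QueryFullProcessImageName(hProcess, 0, cProcess, &dwSz) == TRUE) {
			fwprintf(stdout, _TEXT("[i] [%d][%s] not analysed %d\n"), dwPID, cProcess, dwErr);
		}
		else {
			fwprintf(stdout, _TEXT("[i] [%d][%s] not analysed %d\n"), dwPID, _TEXT("UNKNOWN"), dwErr);
		}
		dwOpen++;
		dwCountError++;
		CloseHandle(hProcess);
		return;
	}

	// Process name from the first module (the main image). Fall back to the same
	// "UNKNOWN" marker the other paths use instead of printing an uninitialised buffer.
	if (GetModuleBaseName(hProcess, hModule[0], cProcess, MAX_PATH) == 0) {
		_tcscpy_s(cProcess, MAX_PATH, _TEXT("UNKNOWN"));
	}
	if (NumOfProcs < (sizeof(Procs) / sizeof(Procs[0]))) {
		Procs[NumOfProcs].PID = dwPID;
		_tcscpy_s(Procs[NumOfProcs].Name, MAX_PATH, cProcess);
		NumOfProcs++;
	}

	//
	// Walk every thread of the process and read its debug registers
	//
	HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
	if (hSnap != INVALID_HANDLE_VALUE) {
		THREADENTRY32 te;
		te.dwSize = sizeof(te);
		if (Thread32First(hSnap, &te)) {
			do {
				// Skip other processes' threads, and our own: the context of a running
				// thread in the calling process is meaningless.
				if (te.th32OwnerProcessID != dwPID || dwPID == dwSelf) continue;

				// THREAD_GET_CONTEXT is all GetThreadContext needs; THREAD_ALL_ACCESS is
				// refused on more threads than it helps with. OpenThread signals failure
				// with NULL, not INVALID_HANDLE_VALUE.
				HANDLE hThread = OpenThread(THREAD_GET_CONTEXT, FALSE, te.th32ThreadID);
				if (hThread == NULL) continue;

				CONTEXT threadContext = { 0 };
				threadContext.ContextFlags = CONTEXT_DEBUG_REGISTERS;

				// The thread is deliberately not suspended first (suspending arbitrary
				// threads in other processes is risky), so for a thread that is running
				// the values read can be stale - treat a hit as a lead to confirm.
				// NOTE(review): a 32-bit (WOW64) thread's own DR0-DR3 presumably need
				// Wow64GetThreadContext to be seen from a 64-bit build; not handled here,
				// confirm before relying on this tool for WOW64 targets.
				if (GetThreadContext(hThread, &threadContext) == TRUE) {
					if (threadContext.Dr0 || threadContext.Dr1 || threadContext.Dr2 || threadContext.Dr3) {
						fwprintf(stdout, _TEXT("[i] [%d][%s] has a thread (%d) with debug registers set - %llx %llx %llx %llx\n"), dwPID, cProcess, te.th32ThreadID, threadContext.Dr0, threadContext.Dr1, threadContext.Dr2, threadContext.Dr3);
					}
				}
				CloseHandle(hThread);
			} while (Thread32Next(hSnap, &te));
		}
		CloseHandle(hSnap);
	}

	dwCountOK++;
	CloseHandle(hProcess);
}

///
/// Enumerate all the processes on the system and
/// pass each one off to AnalyzeProc()
///
void EnumerateProcesses()
{
	DWORD dwPIDArray[4096], dwRet, dwPIDS, intCount;
	NumOfProcs = 0;
	// Per-run counters, so the summary line below describes this run only
	dwCountError = 0;
	dwCountOK = 0;
	dwOpen = 0;

	// Privs - without SeDebugPrivilege most processes fail to open with error 5
	if (!SetPrivilege(GetCurrentProcess(), SE_DEBUG_NAME)) {
		fwprintf(stderr, _TEXT("[!] Could not enable SeDebugPrivilege - run elevated, otherwise most processes will not be analysed\n"));
	}

	// Be clean
	memset(Procs, 0x00, sizeof(Procs));

	//
	// Enumerate
	//
	if (EnumProcesses(dwPIDArray, sizeof(dwPIDArray), &dwRet) == 0)
	{
		// Capture the error before FormatMessage can replace it with its own
		const DWORD dwErr = GetLastError();
		DWORD dwFmt = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, 0, dwErr, 0, strErrMsg, 1023, NULL);
		if (dwFmt != 0) {
			_ftprintf(stderr, TEXT("[!] EnumProcesses() failed - %s"), strErrMsg);
		}
		else
		{
			_ftprintf(stderr, TEXT("[!] EnumProcesses() - Error: %d\n"), dwErr);
		}
		return;
	}

	// Total number of process IDs. EnumProcesses gives no "buffer too small"
	// indication: a completely filled buffer means the list may be truncated.
	dwPIDS = dwRet / sizeof(DWORD);
	if (dwRet == sizeof(dwPIDArray)) {
		fwprintf(stderr, _TEXT("[!] PID buffer full (%d entries) - some processes may have been missed\n"), dwPIDS);
	}

	//
	// Analyze
	//
	for (intCount = 0; intCount < dwPIDS; intCount++)
	{
		AnalyzeProc(dwPIDArray[intCount]);
	}

	fwprintf(stdout, _TEXT("[i] Total of %d processes - didn't open %d \n"), dwPIDS, dwOpen);
}
-------------------------------------------------------------------------------- /d-teb/stdafx.h: -------------------------------------------------------------------------------- 1 | /* 2 | TEB Detect Impersonating Threads for Microsoft Windows 3 | 4 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 5 | 6 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com 7 | 8 | Released under AGPL see LICENSE for more information 9 | */ 10 | 11 | #pragma once 12 | 13 | #include "stdafx.h" 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | // 27 | extern bool bFirstRun; 28 | extern bool bConsole; 29 | extern bool bService; 30 | 31 | 32 | // https://github.com/edouarda/thread_explorer/blob/master/thread_explorer/thread_explorer.cpp 33 | typedef struct _THREAD_BASIC_INFORMATION 34 | { 35 | NTSTATUS ExitStatus; 36 | PTEB TebBaseAddress; 37 | CLIENT_ID ClientId; 38 | ULONG_PTR AffinityMask; 39 | KPRIORITY Priority; 40 | LONG BasePriority; 41 | } THREAD_BASIC_INFORMATION, * PTHREAD_BASIC_INFORMATION; 42 | 43 | 44 | // http://daaxr.blogspot.com/2016/07/teb-structure-for-windows-10-pro-x64.html 45 | 46 | typedef struct _MYNT_TIB 47 | { 48 | EXCEPTION_REGISTRATION_RECORD* ExceptionList; 49 | void* StackBase; 50 | void* StackLimit; 51 | void* SubSystemTib; 52 | union 53 | { 54 | void* FiberData; 55 | unsigned int Version; 56 | }; 57 | void* 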
ArbitraryUserPointer; 58 | _MYNT_TIB* Self; 59 | } MYNT_TIB, * PMYNT_TIB; 60 | 61 | typedef struct _MYCLIENT_ID 62 | { 63 | void* UniqueProcess; 64 | void* UniqueThread; 65 | } MYCLIENT_ID, * PMYCLIENT_ID; 66 | 67 | typedef struct _GDI_TEB_BATCH 68 | { 69 | unsigned __int32 Offset : 31; 70 | unsigned __int32 HasRenderingCommand : 1; 71 | unsigned __int64 HDC; 72 | unsigned int Buffer[310]; 73 | } GDI_TEB_BATCH, * PGDI_TEB_BATCH; 74 | 75 | typedef const struct _TEB_ACTIVE_FRAME_CONTEXT 76 | { 77 | unsigned int Flags; 78 | const char* FrameName; 79 | } TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT; 80 | 81 | typedef struct _TEB_ACTIVE_FRAME 82 | { 83 | unsigned int Flags; 84 | _TEB_ACTIVE_FRAME* Previous; 85 | _TEB_ACTIVE_FRAME_CONTEXT* Context; 86 | } TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME; 87 | 88 | 89 | typedef struct _myTEB 90 | { 91 | MYNT_TIB NtTib; 92 | void* EnvironmentPointer; 93 | CLIENT_ID ClientId; 94 | void* ActiveRpcHandle; 95 | void* ThreadLocalStoragePointer; 96 | PEB* ProcessEnvironmentBlock; 97 | unsigned int LastErrorValue; 98 | unsigned int CountOfOwnedCriticalSections; 99 | void* CsrClientThread; 100 | void* Win32ThreadInfo; 101 | unsigned int User32Reserved[26]; 102 | unsigned int UserReserved[5]; 103 | void* WOW32Reserved; 104 | unsigned int CurrentLocale; 105 | unsigned int FpSoftwareStatusRegister; 106 | void* ReservedForDebuggerInstrumentation[16]; 107 | void* SystemReserved1[38]; 108 | int ExceptionCode; 109 | char Padding0[4]; 110 | __int64* ActivationContextStackPointer; 111 | unsigned __int64 InstrumentationCallbackSp; 112 | unsigned __int64 InstrumentationCallbackPreviousPc; 113 | unsigned __int64 InstrumentationCallbackPreviousSp; 114 | unsigned int TxFsContext; 115 | char InstrumentationCallbackDisabled; 116 | char Padding1[3]; 117 | GDI_TEB_BATCH GdiTebBatch; 118 | CLIENT_ID RealClientId; 119 | void* GdiCachedProcessHandle; 120 | unsigned int GdiClientPID; 121 | unsigned int GdiClientTID; 122 | void* GdiThreadLocalInfo; 123 | 
unsigned __int64 Win32ClientInfo[62]; 124 | void* glDispatchTable[233]; 125 | unsigned __int64 glReserved1[29]; 126 | void* glReserved2; 127 | void* glSectionInfo; 128 | void* glSection; 129 | void* glTable; 130 | void* glCurrentRC; 131 | void* glContext; 132 | unsigned int LastStatusValue; 133 | char Padding2[4]; 134 | UNICODE_STRING StaticUnicodeString; 135 | wchar_t StaticUnicodeBuffer[261]; 136 | char Padding3[6]; 137 | void* DeallocationStack; 138 | void* TlsSlots[64]; 139 | LIST_ENTRY TlsLinks; 140 | void* Vdm; 141 | void* ReservedForNtRpc; 142 | void* DbgSsReserved[2]; 143 | unsigned int HardErrorMode; 144 | char Padding4[4]; 145 | void* Instrumentation[11]; 146 | GUID ActivityId; 147 | void* SubProcessTag; 148 | void* PerflibData; 149 | void* EtwTraceData; 150 | void* WinSockData; 151 | unsigned int GdiBatchCount; 152 | union 153 | { 154 | _PROCESSOR_NUMBER CurrentIdealProcessor; 155 | unsigned int IdealProcessorValue; 156 | struct DUMMYSTRUCTNAME 157 | { 158 | char ReservedPad0; 159 | char ReservedPad1; 160 | char ReservedPad2; 161 | char IdealProcessor; 162 | }; 163 | }; 164 | unsigned int GuaranteedStackBytes; 165 | char Padding5[4]; 166 | void* ReservedForPerf; 167 | void* ReservedForOle; 168 | unsigned int WaitingOnLoaderLock; 169 | char Padding6[4]; 170 | void* SavedPriorityState; 171 | unsigned __int64 ReservedForCodeCoverage; 172 | void* ThreadPoolData; 173 | void** TlsExpansionSlots; 174 | void* DeallocationBStore; 175 | void* BStoreLimit; 176 | unsigned int MuiGeneration; 177 | unsigned int IsImpersonating; 178 | void* NlsCache; 179 | void* pShimData; 180 | unsigned __int16 HeapVirtualAffinity; 181 | unsigned __int16 LowFragHeapDataSlot; 182 | char Padding7[4]; 183 | void* CurrentTransactionHandle; 184 | TEB_ACTIVE_FRAME* ActiveFrame; 185 | void* FlsData; 186 | void* PreferredLanguages; 187 | void* UserPrefLanguages; 188 | void* MergedPrefLanguages; 189 | unsigned int MuiImpersonation; 190 | union 191 | { 192 | volatile unsigned __int16 
CrossTebFlags; 193 | struct DUMMYSTRUCTNAME 194 | { 195 | unsigned __int16 SpareCrossTebBits : 16; 196 | }; 197 | }; 198 | union 199 | { 200 | unsigned __int16 SameTebFlags; 201 | struct DUMMYSTRUCTNAME 202 | { 203 | unsigned __int16 SafeThunkCall : 1; 204 | unsigned __int16 InDebugPrint : 1; 205 | unsigned __int16 HasFiberData : 1; 206 | unsigned __int16 SkipThreadAttach : 1; 207 | unsigned __int16 WerInShipAssertCode : 1; 208 | unsigned __int16 RanProcessInit : 1; 209 | unsigned __int16 ClonedThread : 1; 210 | unsigned __int16 SuppressDebugMsg : 1; 211 | unsigned __int16 DisableUserStackWalk : 1; 212 | unsigned __int16 RtlExceptionAttached : 1; 213 | unsigned __int16 InitialThread : 1; 214 | unsigned __int16 SessionAware : 1; 215 | unsigned __int16 LoadOwner : 1; 216 | unsigned __int16 LoaderWorker : 1; 217 | unsigned __int16 SpareSameTebBits : 2; 218 | }; 219 | }; 220 | void* TxnScopeEnterCallback; 221 | void* TxnScopeExitCallback; 222 | void* TxnScopeContext; 223 | unsigned int LockCount; 224 | int WowTebOffset; 225 | void* ResourceRetValue; 226 | void* ReservedForWdf; 227 | unsigned __int64 ReservedForCrt; 228 | GUID EffectiveContainerId; 229 | } MYTEB, * PMYTEB; 230 | 231 | 232 | -------------------------------------------------------------------------------- /d-vehlab/InternalStructs.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | typedef enum _MYPROCESSINFOCLASS 4 | { 5 | myProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION 6 | myProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX 7 | myProcessIoCounters, // q: IO_COUNTERS 8 | myProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2 9 | myProcessTimes, // q: KERNEL_USER_TIMES 10 | myProcessBasePriority, // s: KPRIORITY 11 | myProcessRaisePriority, // s: ULONG 12 | myProcessDebugPort, // q: HANDLE 13 | myProcessExceptionPort, // s: PROCESS_EXCEPTION_PORT 14 | myProcessAccessToken, // s: 
PROCESS_ACCESS_TOKEN 15 | myProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10 16 | myProcessLdtSize, // s: PROCESS_LDT_SIZE 17 | myProcessDefaultHardErrorMode, // qs: ULONG 18 | myProcessIoPortHandlers, // (kernel-mode only) // PROCESS_IO_PORT_HANDLER_INFORMATION 19 | myProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS 20 | myProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void 21 | myProcessUserModeIOPL, // qs: ULONG (requires SeTcbPrivilege) 22 | myProcessEnableAlignmentFaultFixup, // s: BOOLEAN 23 | myProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS 24 | myProcessWx86Information, // qs: ULONG (requires SeTcbPrivilege) (VdmAllowed) 25 | myProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20 26 | myProcessAffinityMask, // s: KAFFINITY 27 | myProcessPriorityBoost, // qs: ULONG 28 | myProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX 29 | myProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION 30 | myProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND 31 | myProcessWow64Information, // q: ULONG_PTR 32 | myProcessImageFileName, // q: UNICODE_STRING 33 | myProcessLUIDDeviceMapsEnabled, // q: ULONG 34 | myProcessBreakOnTermination, // qs: ULONG 35 | myProcessDebugObjectHandle, // q: HANDLE // 30 36 | myProcessDebugFlags, // qs: ULONG 37 | myProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables 38 | myProcessIoPriority, // qs: IO_PRIORITY_HINT 39 | myProcessExecuteFlags, // qs: ULONG 40 | myProcessTlsInformation, // PROCESS_TLS_INFORMATION // ProcessResourceManagement 41 | myProcessCookie, // q: ULONG 42 | myProcessImageInformation, // q: SECTION_IMAGE_INFORMATION 43 | myProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA 44 | myProcessPagePriority, // q: PAGE_PRIORITY_INFORMATION 45 | myProcessInstrumentationCallback, // s: PVOID or PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION // 40 46 | 
myProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX 47 | myProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[] 48 | myProcessImageFileNameWin32, // q: UNICODE_STRING 49 | myProcessImageFileMapping, // q: HANDLE (input) 50 | myProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE 51 | myProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE 52 | myProcessGroupInformation, // q: USHORT[] 53 | myProcessTokenVirtualizationEnabled, // s: ULONG 54 | myProcessConsoleHostProcess, // q: ULONG_PTR // ProcessOwnerInformation 55 | myProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50 56 | myProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8 57 | myProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION 58 | myProcessDynamicFunctionTableInformation, 59 | myProcessHandleCheckingMode, // qs: ULONG; s: 0 disables, otherwise enables 60 | myProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION 61 | myProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION 62 | myProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL 63 | myProcessHandleTable, // q: ULONG[] // since WINBLUE 64 | myProcessCheckStackExtentsMode, // qs: ULONG // KPROCESS->CheckStackExtents (CFG) 65 | myProcessCommandLineInformation, // q: UNICODE_STRING // 60 66 | myProcessProtectionInformation, // q: PS_PROTECTION 67 | myProcessMemoryExhaustion, // PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD 68 | myProcessFaultInformation, // PROCESS_FAULT_INFORMATION 69 | myProcessTelemetryIdInformation, // q: PROCESS_TELEMETRY_ID_INFORMATION 70 | myProcessCommitReleaseInformation, // PROCESS_COMMIT_RELEASE_INFORMATION 71 | myProcessDefaultCpuSetsInformation, 72 | myProcessAllowedCpuSetsInformation, 73 | myProcessSubsystemProcess, 74 | myProcessJobMemoryInformation, // q: PROCESS_JOB_MEMORY_INFO 75 | myProcessInPrivate, // s: void // ETW // 
since THRESHOLD2 // 70 76 | myProcessRaiseUMExceptionOnInvalidHandleClose, // qs: ULONG; s: 0 disables, otherwise enables 77 | myProcessIumChallengeResponse, 78 | myProcessChildProcessInformation, // q: PROCESS_CHILD_PROCESS_INFORMATION 79 | myProcessHighGraphicsPriorityInformation, // qs: BOOLEAN (requires SeTcbPrivilege) 80 | myProcessSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2 81 | myProcessEnergyValues, // q: PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES 82 | myProcessPowerThrottlingState, // qs: POWER_THROTTLING_PROCESS_STATE 83 | myProcessReserved3Information, // ProcessActivityThrottlePolicy // PROCESS_ACTIVITY_THROTTLE_POLICY 84 | myProcessWin32kSyscallFilterInformation, // q: WIN32K_SYSCALL_FILTER 85 | myProcessDisableSystemAllowedCpuSets, // 80 86 | myProcessWakeInformation, // PROCESS_WAKE_INFORMATION 87 | myProcessEnergyTrackingState, // PROCESS_ENERGY_TRACKING_STATE 88 | myProcessManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3 89 | myProcessCaptureTrustletLiveDump, 90 | myProcessTelemetryCoverage, 91 | myProcessEnclaveInformation, 92 | myProcessEnableReadWriteVmLogging, // PROCESS_READWRITEVM_LOGGING_INFORMATION 93 | myProcessUptimeInformation, // q: PROCESS_UPTIME_INFORMATION 94 | myProcessImageSection, // q: HANDLE 95 | myProcessDebugAuthInformation, // since REDSTONE4 // 90 96 | myProcessSystemResourceManagement, // PROCESS_SYSTEM_RESOURCE_MANAGEMENT 97 | myProcessSequenceNumber, // q: ULONGLONG 98 | myProcessLoaderDetour, // since REDSTONE5 99 | myProcessSecurityDomainInformation, // PROCESS_SECURITY_DOMAIN_INFORMATION 100 | myProcessCombineSecurityDomainsInformation, // PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION 101 | myProcessEnableLogging, // PROCESS_LOGGING_INFORMATION 102 | myProcessLeapSecondInformation, // PROCESS_LEAP_SECOND_INFORMATION 103 | myProcessFiberShadowStackAllocation, // PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION // since 19H1 104 | 
myProcessFreeFiberShadowStackAllocation, // PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION 105 | myProcessAltSystemCallInformation, // qs: BOOLEAN (kernel-mode only) // INT2E // since 20H1 // 100 106 | myProcessDynamicEHContinuationTargets, // PROCESS_DYNAMIC_EH_CONTINUATION_TARGETS_INFORMATION 107 | myProcessDynamicEnforcedCetCompatibleRanges, // PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE_INFORMATION // since 20H2 108 | myProcessCreateStateChange, // since WIN11 109 | myProcessApplyStateChange, 110 | myProcessEnableOptionalXStateFeatures, 111 | myMaxProcessInfoClass 112 | } MYPROCESSINFOCLASS; 113 | -------------------------------------------------------------------------------- /d-cow/XGetopt.cpp: -------------------------------------------------------------------------------- 1 | // XGetopt.cpp Version 1.2 2 | // 3 | // Author: Hans Dietrich 4 | // hdietrich2@hotmail.com 5 | // 6 | // Description: 7 | // XGetopt.cpp implements getopt(), a function to parse command lines. 8 | // 9 | // History 10 | // Version 1.2 - 2003 May 17 11 | // - Added Unicode support 12 | // 13 | // Version 1.1 - 2002 March 10 14 | // - Added example to XGetopt.cpp module header 15 | // 16 | // This software is released into the public domain. 17 | // You are free to use it in any way you like. 18 | // 19 | // This software is provided "as is" with no expressed 20 | // or implied warranty. I accept no liability for any 21 | // damage or loss of business that this software may cause. 
22 | // 23 | /////////////////////////////////////////////////////////////////////////////// 24 | 25 | 26 | /////////////////////////////////////////////////////////////////////////////// 27 | // if you are using precompiled headers then include this line: 28 | #include "stdafx.h" 29 | /////////////////////////////////////////////////////////////////////////////// 30 | 31 | 32 | /////////////////////////////////////////////////////////////////////////////// 33 | // if you are not using precompiled headers then include these lines: 34 | //#include 35 | //#include 36 | //#include 37 | /////////////////////////////////////////////////////////////////////////////// 38 | 39 | 40 | #include "XGetopt.h" 41 | 42 | 43 | /////////////////////////////////////////////////////////////////////////////// 44 | // 45 | // X G e t o p t . c p p 46 | // 47 | // 48 | // NAME 49 | // getopt -- parse command line options 50 | // 51 | // SYNOPSIS 52 | // int getopt(int argc, TCHAR *argv[], TCHAR *optstring) 53 | // 54 | // extern TCHAR *optarg; 55 | // extern int optind; 56 | // 57 | // DESCRIPTION 58 | // The getopt() function parses the command line arguments. Its 59 | // arguments argc and argv are the argument count and array as 60 | // passed into the application on program invocation. In the case 61 | // of Visual C++ programs, argc and argv are available via the 62 | // variables __argc and __argv (double underscores), respectively. 63 | // getopt returns the next option letter in argv that matches a 64 | // letter in optstring. (Note: Unicode programs should use 65 | // __targv instead of __argv. Also, all character and string 66 | // literals should be enclosed in _T( ) ). 67 | // 68 | // optstring is a string of recognized option letters; if a letter 69 | // is followed by a colon, the option is expected to have an argument 70 | // that may or may not be separated from it by white space. 
optarg 71 | // is set to point to the start of the option argument on return from 72 | // getopt. 73 | // 74 | // Option letters may be combined, e.g., "-ab" is equivalent to 75 | // "-a -b". Option letters are case sensitive. 76 | // 77 | // getopt places in the external variable optind the argv index 78 | // of the next argument to be processed. optind is initialized 79 | // to 0 before the first call to getopt. 80 | // 81 | // When all options have been processed (i.e., up to the first 82 | // non-option argument), getopt returns EOF, optarg will point 83 | // to the argument, and optind will be set to the argv index of 84 | // the argument. If there are no non-option arguments, optarg 85 | // will be set to NULL. 86 | // 87 | // The special option "--" may be used to delimit the end of the 88 | // options; EOF will be returned, and "--" (and everything after it) 89 | // will be skipped. 90 | // 91 | // RETURN VALUE 92 | // For option letters contained in the string optstring, getopt 93 | // will return the option letter. getopt returns a question mark (?) 94 | // when it encounters an option letter not included in optstring. 95 | // EOF is returned when processing is finished. 96 | // 97 | // BUGS 98 | // 1) Long options are not supported. 99 | // 2) The GNU double-colon extension is not supported. 100 | // 3) The environment variable POSIXLY_CORRECT is not supported. 101 | // 4) The + syntax is not supported. 102 | // 5) The automatic permutation of arguments is not supported. 103 | // 6) This implementation of getopt() returns EOF if an error is 104 | // encountered, instead of -1 as the latest standard requires. 
105 | // 106 | // EXAMPLE 107 | // BOOL CMyApp::ProcessCommandLine(int argc, TCHAR *argv[]) 108 | // { 109 | // int c; 110 | // 111 | // while ((c = getopt(argc, argv, _T("aBn:"))) != EOF) 112 | // { 113 | // switch (c) 114 | // { 115 | // case _T('a'): 116 | // TRACE(_T("option a\n")); 117 | // // 118 | // // set some flag here 119 | // // 120 | // break; 121 | // 122 | // case _T('B'): 123 | // TRACE( _T("option B\n")); 124 | // // 125 | // // set some other flag here 126 | // // 127 | // break; 128 | // 129 | // case _T('n'): 130 | // TRACE(_T("option n: value=%d\n"), atoi(optarg)); 131 | // // 132 | // // do something with value here 133 | // // 134 | // break; 135 | // 136 | // case _T('?'): 137 | // TRACE(_T("ERROR: illegal option %s\n"), argv[optind-1]); 138 | // return FALSE; 139 | // break; 140 | // 141 | // default: 142 | // TRACE(_T("WARNING: no handler for option %c\n"), c); 143 | // return FALSE; 144 | // break; 145 | // } 146 | // } 147 | // // 148 | // // check for non-option args here 149 | // // 150 | // return TRUE; 151 | // } 152 | // 153 | /////////////////////////////////////////////////////////////////////////////// 154 | 155 | TCHAR *optarg; // global argument pointer 156 | int optind = 0; // global argv index 157 | 158 | int getopt(int argc, TCHAR *argv[], TCHAR *optstring) 159 | { 160 | static TCHAR *next = NULL; 161 | if (optind == 0) 162 | next = NULL; 163 | 164 | optarg = NULL; 165 | 166 | if (next == NULL || *next == _T('\0')) 167 | { 168 | if (optind == 0) 169 | optind++; 170 | 171 | if (optind >= argc || argv[optind][0] != _T('-') || argv[optind][1] == _T('\0')) 172 | { 173 | optarg = NULL; 174 | if (optind < argc) 175 | optarg = argv[optind]; 176 | return EOF; 177 | } 178 | 179 | if (_tcscmp(argv[optind], _T("--")) == 0) 180 | { 181 | optind++; 182 | optarg = NULL; 183 | if (optind < argc) 184 | optarg = argv[optind]; 185 | return EOF; 186 | } 187 | 188 | next = argv[optind]; 189 | next++; // skip past - 190 | optind++; 191 | } 192 | 
193 | TCHAR c = *next++; 194 | TCHAR *cp = _tcschr(optstring, c); 195 | 196 | if (cp == NULL || c == _T(':')) 197 | return _T('?'); 198 | 199 | cp++; 200 | if (*cp == _T(':')) 201 | { 202 | if (*next != _T('\0')) 203 | { 204 | optarg = next; 205 | next = NULL; 206 | } 207 | else if (optind < argc) 208 | { 209 | optarg = argv[optind]; 210 | optind++; 211 | } 212 | else 213 | { 214 | return _T('?'); 215 | } 216 | } 217 | 218 | return c; 219 | } 220 | -------------------------------------------------------------------------------- /d-apc-callbacks/d-apc-callbacks.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {686c7a7c-476a-4ad9-a84f-50025c4ab9f2} 25 | dapccallbacks 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 
| 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | -------------------------------------------------------------------------------- /d-teb/d-teb.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {b18bf56d-df9a-4e33-8dbe-ef4d8d191178} 25 | dteb 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | -------------------------------------------------------------------------------- /d-dr-registers/d-dr-registers.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 
22 | 16.0 23 | Win32Proj 24 | {9be06370-f3e2-453e-a874-bd855c0d2c20} 25 | ddrregisters 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | -------------------------------------------------------------------------------- /d-thread-start/d-thread-start.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {30cc60b1-02ab-48b8-b5e1-eadc3120c2a9} 25 | dthreadstart 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 
56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | -------------------------------------------------------------------------------- /d-alpc-callbacks/d-alpc-callbacks.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {8c454112-8a90-4a23-b4fa-0791d5d3ac73} 25 | dalpccallbacks 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | 
WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | -------------------------------------------------------------------------------- /d-criticalsections/d-criticalsections.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {d1a58b2c-92b6-495b-8d1a-cb29a7622007} 25 | dcriticalsections 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | 
NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | -------------------------------------------------------------------------------- /d-nonmodulecallstack/d-nonmodulecallstack.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {68c896b3-e485-454b-b270-3d026161a0a1} 25 | dnonmodulecallstack 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | -------------------------------------------------------------------------------- /d-peb-dll-loadreason/d-peb-dll-loadreason.vcxproj: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {03297dd6-83e3-4283-ac2b-f3f159453e48} 25 | dpebdllloadreason 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | -------------------------------------------------------------------------------- /d-vehimplant/d-vehimplant.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {1451969c-9bec-4345-9950-3b777aecadc1} 25 | dvehimplant 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 
33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | Psapi.lib;%(AdditionalDependencies) 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | -------------------------------------------------------------------------------- /d-vehimplant/InternalStructs.h: -------------------------------------------------------------------------------- 1 | /* 2 | VEH misuse detector for Microsoft Windows 3 | 4 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 5 | 6 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com 7 | 8 | https://github.com/nccgroup/DetectWindowsCopyOnWriteForAPI 9 | 10 | Released under AGPL see LICENSE for more information 11 | */ 12 | 13 | // 14 | // Original source: https://github.com/mirror/processhacker/blob/master/2.x/trunk/phlib/include/ntpsapi.h 15 | // 16 | // used for the Process Cookie stuff 17 | // 18 | 19 | #pragma once 20 | 21 | typedef enum _MYPROCESSINFOCLASS 22 | { 23 | 
myProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION 24 | myProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX 25 | myProcessIoCounters, // q: IO_COUNTERS 26 | myProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2 27 | myProcessTimes, // q: KERNEL_USER_TIMES 28 | myProcessBasePriority, // s: KPRIORITY 29 | myProcessRaisePriority, // s: ULONG 30 | myProcessDebugPort, // q: HANDLE 31 | myProcessExceptionPort, // s: PROCESS_EXCEPTION_PORT 32 | myProcessAccessToken, // s: PROCESS_ACCESS_TOKEN 33 | myProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10 34 | myProcessLdtSize, // s: PROCESS_LDT_SIZE 35 | myProcessDefaultHardErrorMode, // qs: ULONG 36 | myProcessIoPortHandlers, // (kernel-mode only) // PROCESS_IO_PORT_HANDLER_INFORMATION 37 | myProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS 38 | myProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void 39 | myProcessUserModeIOPL, // qs: ULONG (requires SeTcbPrivilege) 40 | myProcessEnableAlignmentFaultFixup, // s: BOOLEAN 41 | myProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS 42 | myProcessWx86Information, // qs: ULONG (requires SeTcbPrivilege) (VdmAllowed) 43 | myProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20 44 | myProcessAffinityMask, // s: KAFFINITY 45 | myProcessPriorityBoost, // qs: ULONG 46 | myProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX 47 | myProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION 48 | myProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND 49 | myProcessWow64Information, // q: ULONG_PTR 50 | myProcessImageFileName, // q: UNICODE_STRING 51 | myProcessLUIDDeviceMapsEnabled, // q: ULONG 52 | myProcessBreakOnTermination, // qs: ULONG 53 | myProcessDebugObjectHandle, // q: HANDLE // 30 54 | myProcessDebugFlags, // qs: ULONG 55 | myProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise 
enables 56 | myProcessIoPriority, // qs: IO_PRIORITY_HINT 57 | myProcessExecuteFlags, // qs: ULONG 58 | myProcessTlsInformation, // PROCESS_TLS_INFORMATION // ProcessResourceManagement 59 | myProcessCookie, // q: ULONG 60 | myProcessImageInformation, // q: SECTION_IMAGE_INFORMATION 61 | myProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA 62 | myProcessPagePriority, // q: PAGE_PRIORITY_INFORMATION 63 | myProcessInstrumentationCallback, // s: PVOID or PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION // 40 64 | myProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX 65 | myProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[] 66 | myProcessImageFileNameWin32, // q: UNICODE_STRING 67 | myProcessImageFileMapping, // q: HANDLE (input) 68 | myProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE 69 | myProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE 70 | myProcessGroupInformation, // q: USHORT[] 71 | myProcessTokenVirtualizationEnabled, // s: ULONG 72 | myProcessConsoleHostProcess, // q: ULONG_PTR // ProcessOwnerInformation 73 | myProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50 74 | myProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8 75 | myProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION 76 | myProcessDynamicFunctionTableInformation, 77 | myProcessHandleCheckingMode, // qs: ULONG; s: 0 disables, otherwise enables 78 | myProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION 79 | myProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION 80 | myProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL 81 | myProcessHandleTable, // q: ULONG[] // since WINBLUE 82 | myProcessCheckStackExtentsMode, // qs: ULONG // KPROCESS->CheckStackExtents (CFG) 83 | myProcessCommandLineInformation, // q: UNICODE_STRING // 60 84 | myProcessProtectionInformation, // q: PS_PROTECTION 
85 | myProcessMemoryExhaustion, // PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD 86 | myProcessFaultInformation, // PROCESS_FAULT_INFORMATION 87 | myProcessTelemetryIdInformation, // q: PROCESS_TELEMETRY_ID_INFORMATION 88 | myProcessCommitReleaseInformation, // PROCESS_COMMIT_RELEASE_INFORMATION 89 | myProcessDefaultCpuSetsInformation, 90 | myProcessAllowedCpuSetsInformation, 91 | myProcessSubsystemProcess, 92 | myProcessJobMemoryInformation, // q: PROCESS_JOB_MEMORY_INFO 93 | myProcessInPrivate, // s: void // ETW // since THRESHOLD2 // 70 94 | myProcessRaiseUMExceptionOnInvalidHandleClose, // qs: ULONG; s: 0 disables, otherwise enables 95 | myProcessIumChallengeResponse, 96 | myProcessChildProcessInformation, // q: PROCESS_CHILD_PROCESS_INFORMATION 97 | myProcessHighGraphicsPriorityInformation, // qs: BOOLEAN (requires SeTcbPrivilege) 98 | myProcessSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2 99 | myProcessEnergyValues, // q: PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES 100 | myProcessPowerThrottlingState, // qs: POWER_THROTTLING_PROCESS_STATE 101 | myProcessReserved3Information, // ProcessActivityThrottlePolicy // PROCESS_ACTIVITY_THROTTLE_POLICY 102 | myProcessWin32kSyscallFilterInformation, // q: WIN32K_SYSCALL_FILTER 103 | myProcessDisableSystemAllowedCpuSets, // 80 104 | myProcessWakeInformation, // PROCESS_WAKE_INFORMATION 105 | myProcessEnergyTrackingState, // PROCESS_ENERGY_TRACKING_STATE 106 | myProcessManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3 107 | myProcessCaptureTrustletLiveDump, 108 | myProcessTelemetryCoverage, 109 | myProcessEnclaveInformation, 110 | myProcessEnableReadWriteVmLogging, // PROCESS_READWRITEVM_LOGGING_INFORMATION 111 | myProcessUptimeInformation, // q: PROCESS_UPTIME_INFORMATION 112 | myProcessImageSection, // q: HANDLE 113 | myProcessDebugAuthInformation, // since REDSTONE4 // 90 114 | myProcessSystemResourceManagement, // 
PROCESS_SYSTEM_RESOURCE_MANAGEMENT 115 | myProcessSequenceNumber, // q: ULONGLONG 116 | myProcessLoaderDetour, // since REDSTONE5 117 | myProcessSecurityDomainInformation, // PROCESS_SECURITY_DOMAIN_INFORMATION 118 | myProcessCombineSecurityDomainsInformation, // PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION 119 | myProcessEnableLogging, // PROCESS_LOGGING_INFORMATION 120 | myProcessLeapSecondInformation, // PROCESS_LEAP_SECOND_INFORMATION 121 | myProcessFiberShadowStackAllocation, // PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION // since 19H1 122 | myProcessFreeFiberShadowStackAllocation, // PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION 123 | myProcessAltSystemCallInformation, // qs: BOOLEAN (kernel-mode only) // INT2E // since 20H1 // 100 124 | myProcessDynamicEHContinuationTargets, // PROCESS_DYNAMIC_EH_CONTINUATION_TARGETS_INFORMATION 125 | myProcessDynamicEnforcedCetCompatibleRanges, // PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE_INFORMATION // since 20H2 126 | myProcessCreateStateChange, // since WIN11 127 | myProcessApplyStateChange, 128 | myProcessEnableOptionalXStateFeatures, 129 | myMaxProcessInfoClass 130 | } MYPROCESSINFOCLASS; 131 | -------------------------------------------------------------------------------- /d-vehlab/d-vehlab.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {446d6c05-67c6-4de2-a4da-a6fb1f1ade78} 25 | dvehmisuse 26 | 10.0 27 | d-vehlab 28 | 29 | 30 | 31 | Application 32 | true 33 | v142 34 | Unicode 35 | 36 | 37 | Application 38 | false 39 | v142 40 | true 41 | Unicode 42 | 43 | 44 | Application 45 | true 46 | v142 47 | Unicode 48 | 49 | 50 | Application 51 | false 52 | v142 53 | true 54 | Unicode 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | true 76 | 77 
| 78 | false 79 | 80 | 81 | true 82 | 83 | 84 | false 85 | 86 | 87 | 88 | Level3 89 | true 90 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 91 | true 92 | 93 | 94 | Console 95 | true 96 | 97 | 98 | 99 | 100 | Level3 101 | true 102 | true 103 | true 104 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 105 | true 106 | 107 | 108 | Console 109 | true 110 | true 111 | true 112 | 113 | 114 | 115 | 116 | Level3 117 | true 118 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 119 | true 120 | 121 | 122 | Console 123 | true 124 | 125 | 126 | 127 | 128 | Level3 129 | true 130 | true 131 | true 132 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 133 | true 134 | 135 | 136 | Console 137 | true 138 | true 139 | true 140 | Psapi.lib;%(AdditionalDependencies) 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | -------------------------------------------------------------------------------- /d-cow/d-cow.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {e4a07ea1-9763-4a1a-ba47-70ae25fe9f20} 25 | dcow 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | 
true 109 | true 110 | true 111 | kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 112 | 113 | 114 | 115 | 116 | Level3 117 | true 118 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 119 | true 120 | 121 | 122 | Console 123 | true 124 | 125 | 126 | 127 | 128 | Level3 129 | true 130 | true 131 | true 132 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 133 | true 134 | 135 | 136 | Console 137 | true 138 | true 139 | true 140 | Psapi.lib;%(AdditionalDependencies) 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | -------------------------------------------------------------------------------- /d-criticalsections/stdafx.h: -------------------------------------------------------------------------------- 1 | 2 | 3 | #pragma once 4 | 5 | #include "stdafx.h" 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | 19 | // 20 | extern bool bFirstRun; 21 | extern bool bConsole; 22 | extern bool bService; 23 | 24 | // Reimplement from Winternal.h 25 | typedef NTSTATUS(WINAPI* _NtQueryInformationProcess)( 26 | IN HANDLE ProcessHandle, 27 | IN PROCESSINFOCLASS ProcessInformationClass, 28 | OUT DWORD_PTR* ProcessInformation, 29 | IN ULONG ProcessInformationLength, 30 | OUT PULONG ReturnLength OPTIONAL 31 | ); 32 | 33 | // 34 | // Original source: https://github.com/mirror/processhacker/blob/master/2.x/trunk/phlib/include/ntpsapi.h 35 | // 36 | // used for the Process Cookie stuff 37 | // 38 | 39 | #pragma once 40 | 41 | typedef enum _MYPROCESSINFOCLASS 42 | { 43 | myProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION 44 | myProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX 45 | myProcessIoCounters, // q: IO_COUNTERS 46 | myProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, 
VM_COUNTERS_EX2 47 | myProcessTimes, // q: KERNEL_USER_TIMES 48 | myProcessBasePriority, // s: KPRIORITY 49 | myProcessRaisePriority, // s: ULONG 50 | myProcessDebugPort, // q: HANDLE 51 | myProcessExceptionPort, // s: PROCESS_EXCEPTION_PORT 52 | myProcessAccessToken, // s: PROCESS_ACCESS_TOKEN 53 | myProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10 54 | myProcessLdtSize, // s: PROCESS_LDT_SIZE 55 | myProcessDefaultHardErrorMode, // qs: ULONG 56 | myProcessIoPortHandlers, // (kernel-mode only) // PROCESS_IO_PORT_HANDLER_INFORMATION 57 | myProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS 58 | myProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void 59 | myProcessUserModeIOPL, // qs: ULONG (requires SeTcbPrivilege) 60 | myProcessEnableAlignmentFaultFixup, // s: BOOLEAN 61 | myProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS 62 | myProcessWx86Information, // qs: ULONG (requires SeTcbPrivilege) (VdmAllowed) 63 | myProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20 64 | myProcessAffinityMask, // s: KAFFINITY 65 | myProcessPriorityBoost, // qs: ULONG 66 | myProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX 67 | myProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION 68 | myProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND 69 | myProcessWow64Information, // q: ULONG_PTR 70 | myProcessImageFileName, // q: UNICODE_STRING 71 | myProcessLUIDDeviceMapsEnabled, // q: ULONG 72 | myProcessBreakOnTermination, // qs: ULONG 73 | myProcessDebugObjectHandle, // q: HANDLE // 30 74 | myProcessDebugFlags, // qs: ULONG 75 | myProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables 76 | myProcessIoPriority, // qs: IO_PRIORITY_HINT 77 | myProcessExecuteFlags, // qs: ULONG 78 | myProcessTlsInformation, // PROCESS_TLS_INFORMATION // ProcessResourceManagement 79 | myProcessCookie, // q: ULONG 80 | myProcessImageInformation, // q: 
SECTION_IMAGE_INFORMATION 81 | myProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA 82 | myProcessPagePriority, // q: PAGE_PRIORITY_INFORMATION 83 | myProcessInstrumentationCallback, // s: PVOID or PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION // 40 84 | myProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX 85 | myProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[] 86 | myProcessImageFileNameWin32, // q: UNICODE_STRING 87 | myProcessImageFileMapping, // q: HANDLE (input) 88 | myProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE 89 | myProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE 90 | myProcessGroupInformation, // q: USHORT[] 91 | myProcessTokenVirtualizationEnabled, // s: ULONG 92 | myProcessConsoleHostProcess, // q: ULONG_PTR // ProcessOwnerInformation 93 | myProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50 94 | myProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8 95 | myProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION 96 | myProcessDynamicFunctionTableInformation, 97 | myProcessHandleCheckingMode, // qs: ULONG; s: 0 disables, otherwise enables 98 | myProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION 99 | myProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION 100 | myProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL 101 | myProcessHandleTable, // q: ULONG[] // since WINBLUE 102 | myProcessCheckStackExtentsMode, // qs: ULONG // KPROCESS->CheckStackExtents (CFG) 103 | myProcessCommandLineInformation, // q: UNICODE_STRING // 60 104 | myProcessProtectionInformation, // q: PS_PROTECTION 105 | myProcessMemoryExhaustion, // PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD 106 | myProcessFaultInformation, // PROCESS_FAULT_INFORMATION 107 | myProcessTelemetryIdInformation, // q: PROCESS_TELEMETRY_ID_INFORMATION 108 | 
myProcessCommitReleaseInformation, // PROCESS_COMMIT_RELEASE_INFORMATION 109 | myProcessDefaultCpuSetsInformation, 110 | myProcessAllowedCpuSetsInformation, 111 | myProcessSubsystemProcess, 112 | myProcessJobMemoryInformation, // q: PROCESS_JOB_MEMORY_INFO 113 | myProcessInPrivate, // s: void // ETW // since THRESHOLD2 // 70 114 | myProcessRaiseUMExceptionOnInvalidHandleClose, // qs: ULONG; s: 0 disables, otherwise enables 115 | myProcessIumChallengeResponse, 116 | myProcessChildProcessInformation, // q: PROCESS_CHILD_PROCESS_INFORMATION 117 | myProcessHighGraphicsPriorityInformation, // qs: BOOLEAN (requires SeTcbPrivilege) 118 | myProcessSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2 119 | myProcessEnergyValues, // q: PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES 120 | myProcessPowerThrottlingState, // qs: POWER_THROTTLING_PROCESS_STATE 121 | myProcessReserved3Information, // ProcessActivityThrottlePolicy // PROCESS_ACTIVITY_THROTTLE_POLICY 122 | myProcessWin32kSyscallFilterInformation, // q: WIN32K_SYSCALL_FILTER 123 | myProcessDisableSystemAllowedCpuSets, // 80 124 | myProcessWakeInformation, // PROCESS_WAKE_INFORMATION 125 | myProcessEnergyTrackingState, // PROCESS_ENERGY_TRACKING_STATE 126 | myProcessManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3 127 | myProcessCaptureTrustletLiveDump, 128 | myProcessTelemetryCoverage, 129 | myProcessEnclaveInformation, 130 | myProcessEnableReadWriteVmLogging, // PROCESS_READWRITEVM_LOGGING_INFORMATION 131 | myProcessUptimeInformation, // q: PROCESS_UPTIME_INFORMATION 132 | myProcessImageSection, // q: HANDLE 133 | myProcessDebugAuthInformation, // since REDSTONE4 // 90 134 | myProcessSystemResourceManagement, // PROCESS_SYSTEM_RESOURCE_MANAGEMENT 135 | myProcessSequenceNumber, // q: ULONGLONG 136 | myProcessLoaderDetour, // since REDSTONE5 137 | myProcessSecurityDomainInformation, // PROCESS_SECURITY_DOMAIN_INFORMATION 138 | 
myProcessCombineSecurityDomainsInformation, // PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION 139 | myProcessEnableLogging, // PROCESS_LOGGING_INFORMATION 140 | myProcessLeapSecondInformation, // PROCESS_LEAP_SECOND_INFORMATION 141 | myProcessFiberShadowStackAllocation, // PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION // since 19H1 142 | myProcessFreeFiberShadowStackAllocation, // PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION 143 | myProcessAltSystemCallInformation, // qs: BOOLEAN (kernel-mode only) // INT2E // since 20H1 // 100 144 | myProcessDynamicEHContinuationTargets, // PROCESS_DYNAMIC_EH_CONTINUATION_TARGETS_INFORMATION 145 | myProcessDynamicEnforcedCetCompatibleRanges, // PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE_INFORMATION // since 20H2 146 | myProcessCreateStateChange, // since WIN11 147 | myProcessApplyStateChange, 148 | myProcessEnableOptionalXStateFeatures, 149 | myMaxProcessInfoClass 150 | } MYPROCESSINFOCLASS; 151 | 152 | // Used for ProcessCookie stuff using a different version 153 | // of the ProcessInfoClass 154 | typedef NTSTATUS(WINAPI* _MyNtQueryInformationProcess)( 155 | IN HANDLE ProcessHandle, 156 | IN MYPROCESSINFOCLASS ProcessInformationClass, 157 | OUT DWORD_PTR* ProcessInformation, 158 | IN ULONG ProcessInformationLength, 159 | OUT PULONG ReturnLength OPTIONAL 160 | ); 161 | 162 | 163 | -------------------------------------------------------------------------------- /d-nonmodulecallstack/stdafx.h: -------------------------------------------------------------------------------- 1 | 2 | 3 | #pragma once 4 | 5 | #include "stdafx.h" 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | // 20 | extern bool bFirstRun; 21 | extern bool bConsole; 22 | extern bool bService; 23 | 24 | // Reimplement from Winternal.h 25 | typedef NTSTATUS(WINAPI* _NtQueryInformationProcess)( 26 | IN HANDLE ProcessHandle, 27 | IN 
PROCESSINFOCLASS ProcessInformationClass, 28 | OUT DWORD_PTR* ProcessInformation, 29 | IN ULONG ProcessInformationLength, 30 | OUT PULONG ReturnLength OPTIONAL 31 | ); 32 | 33 | // 34 | // Original source: https://github.com/mirror/processhacker/blob/master/2.x/trunk/phlib/include/ntpsapi.h 35 | // 36 | // used for the Process Cookie stuff 37 | // 38 | 39 | #pragma once 40 | 41 | typedef enum _MYPROCESSINFOCLASS 42 | { 43 | myProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION 44 | myProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX 45 | myProcessIoCounters, // q: IO_COUNTERS 46 | myProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2 47 | myProcessTimes, // q: KERNEL_USER_TIMES 48 | myProcessBasePriority, // s: KPRIORITY 49 | myProcessRaisePriority, // s: ULONG 50 | myProcessDebugPort, // q: HANDLE 51 | myProcessExceptionPort, // s: PROCESS_EXCEPTION_PORT 52 | myProcessAccessToken, // s: PROCESS_ACCESS_TOKEN 53 | myProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10 54 | myProcessLdtSize, // s: PROCESS_LDT_SIZE 55 | myProcessDefaultHardErrorMode, // qs: ULONG 56 | myProcessIoPortHandlers, // (kernel-mode only) // PROCESS_IO_PORT_HANDLER_INFORMATION 57 | myProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS 58 | myProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void 59 | myProcessUserModeIOPL, // qs: ULONG (requires SeTcbPrivilege) 60 | myProcessEnableAlignmentFaultFixup, // s: BOOLEAN 61 | myProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS 62 | myProcessWx86Information, // qs: ULONG (requires SeTcbPrivilege) (VdmAllowed) 63 | myProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20 64 | myProcessAffinityMask, // s: KAFFINITY 65 | myProcessPriorityBoost, // qs: ULONG 66 | myProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX 67 | myProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION 68 | 
myProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND 69 | myProcessWow64Information, // q: ULONG_PTR 70 | myProcessImageFileName, // q: UNICODE_STRING 71 | myProcessLUIDDeviceMapsEnabled, // q: ULONG 72 | myProcessBreakOnTermination, // qs: ULONG 73 | myProcessDebugObjectHandle, // q: HANDLE // 30 74 | myProcessDebugFlags, // qs: ULONG 75 | myProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables 76 | myProcessIoPriority, // qs: IO_PRIORITY_HINT 77 | myProcessExecuteFlags, // qs: ULONG 78 | myProcessTlsInformation, // PROCESS_TLS_INFORMATION // ProcessResourceManagement 79 | myProcessCookie, // q: ULONG 80 | myProcessImageInformation, // q: SECTION_IMAGE_INFORMATION 81 | myProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA 82 | myProcessPagePriority, // q: PAGE_PRIORITY_INFORMATION 83 | myProcessInstrumentationCallback, // s: PVOID or PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION // 40 84 | myProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX 85 | myProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[] 86 | myProcessImageFileNameWin32, // q: UNICODE_STRING 87 | myProcessImageFileMapping, // q: HANDLE (input) 88 | myProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE 89 | myProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE 90 | myProcessGroupInformation, // q: USHORT[] 91 | myProcessTokenVirtualizationEnabled, // s: ULONG 92 | myProcessConsoleHostProcess, // q: ULONG_PTR // ProcessOwnerInformation 93 | myProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50 94 | myProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8 95 | myProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION 96 | myProcessDynamicFunctionTableInformation, 97 | myProcessHandleCheckingMode, // qs: ULONG; s: 0 disables, otherwise enables 98 | myProcessKeepAliveCount, // q: 
PROCESS_KEEPALIVE_COUNT_INFORMATION 99 | myProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION 100 | myProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL 101 | myProcessHandleTable, // q: ULONG[] // since WINBLUE 102 | myProcessCheckStackExtentsMode, // qs: ULONG // KPROCESS->CheckStackExtents (CFG) 103 | myProcessCommandLineInformation, // q: UNICODE_STRING // 60 104 | myProcessProtectionInformation, // q: PS_PROTECTION 105 | myProcessMemoryExhaustion, // PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD 106 | myProcessFaultInformation, // PROCESS_FAULT_INFORMATION 107 | myProcessTelemetryIdInformation, // q: PROCESS_TELEMETRY_ID_INFORMATION 108 | myProcessCommitReleaseInformation, // PROCESS_COMMIT_RELEASE_INFORMATION 109 | myProcessDefaultCpuSetsInformation, 110 | myProcessAllowedCpuSetsInformation, 111 | myProcessSubsystemProcess, 112 | myProcessJobMemoryInformation, // q: PROCESS_JOB_MEMORY_INFO 113 | myProcessInPrivate, // s: void // ETW // since THRESHOLD2 // 70 114 | myProcessRaiseUMExceptionOnInvalidHandleClose, // qs: ULONG; s: 0 disables, otherwise enables 115 | myProcessIumChallengeResponse, 116 | myProcessChildProcessInformation, // q: PROCESS_CHILD_PROCESS_INFORMATION 117 | myProcessHighGraphicsPriorityInformation, // qs: BOOLEAN (requires SeTcbPrivilege) 118 | myProcessSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2 119 | myProcessEnergyValues, // q: PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES 120 | myProcessPowerThrottlingState, // qs: POWER_THROTTLING_PROCESS_STATE 121 | myProcessReserved3Information, // ProcessActivityThrottlePolicy // PROCESS_ACTIVITY_THROTTLE_POLICY 122 | myProcessWin32kSyscallFilterInformation, // q: WIN32K_SYSCALL_FILTER 123 | myProcessDisableSystemAllowedCpuSets, // 80 124 | myProcessWakeInformation, // PROCESS_WAKE_INFORMATION 125 | myProcessEnergyTrackingState, // PROCESS_ENERGY_TRACKING_STATE 126 | myProcessManageWritesToExecutableMemory, // 
MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3 127 | myProcessCaptureTrustletLiveDump, 128 | myProcessTelemetryCoverage, 129 | myProcessEnclaveInformation, 130 | myProcessEnableReadWriteVmLogging, // PROCESS_READWRITEVM_LOGGING_INFORMATION 131 | myProcessUptimeInformation, // q: PROCESS_UPTIME_INFORMATION 132 | myProcessImageSection, // q: HANDLE 133 | myProcessDebugAuthInformation, // since REDSTONE4 // 90 134 | myProcessSystemResourceManagement, // PROCESS_SYSTEM_RESOURCE_MANAGEMENT 135 | myProcessSequenceNumber, // q: ULONGLONG 136 | myProcessLoaderDetour, // since REDSTONE5 137 | myProcessSecurityDomainInformation, // PROCESS_SECURITY_DOMAIN_INFORMATION 138 | myProcessCombineSecurityDomainsInformation, // PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION 139 | myProcessEnableLogging, // PROCESS_LOGGING_INFORMATION 140 | myProcessLeapSecondInformation, // PROCESS_LEAP_SECOND_INFORMATION 141 | myProcessFiberShadowStackAllocation, // PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION // since 19H1 142 | myProcessFreeFiberShadowStackAllocation, // PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION 143 | myProcessAltSystemCallInformation, // qs: BOOLEAN (kernel-mode only) // INT2E // since 20H1 // 100 144 | myProcessDynamicEHContinuationTargets, // PROCESS_DYNAMIC_EH_CONTINUATION_TARGETS_INFORMATION 145 | myProcessDynamicEnforcedCetCompatibleRanges, // PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE_INFORMATION // since 20H2 146 | myProcessCreateStateChange, // since WIN11 147 | myProcessApplyStateChange, 148 | myProcessEnableOptionalXStateFeatures, 149 | myMaxProcessInfoClass 150 | } MYPROCESSINFOCLASS; 151 | 152 | // Used for ProcessCookie stuff using a different version 153 | // of the ProcessInfoClass 154 | typedef NTSTATUS(WINAPI* _MyNtQueryInformationProcess)( 155 | IN HANDLE ProcessHandle, 156 | IN MYPROCESSINFOCLASS ProcessInformationClass, 157 | OUT DWORD_PTR* ProcessInformation, 158 | IN ULONG ProcessInformationLength, 159 | OUT PULONG ReturnLength OPTIONAL 
160 | ); 161 | 162 | 163 | -------------------------------------------------------------------------------- /d-teb/Engine.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | TEB Detect Impersonating Threads for Microsoft Windows 3 | 4 | Released as open source by NCC Group Plc - http://www.nccgroup.com/ 5 | 6 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com 7 | 8 | Released under AGPL see LICENSE for more information 9 | */ 10 | 11 | #pragma once 12 | 13 | 14 | #include "stdafx.h" 15 | 16 | // Globals 17 | HANDLE hProcess; 18 | TCHAR strErrMsg[1024]; 19 | DWORD dwModuleRelocs = 0; 20 | DWORD dwCountError = 0; 21 | DWORD dwCountOK = 0; 22 | DWORD dwOpen = 0; 23 | 24 | // Manual import 25 | typedef NTSTATUS(WINAPI* NTQUERYINFOMATIONTHREAD)(HANDLE, LONG, PVOID, ULONG, PULONG); 26 | NTQUERYINFOMATIONTHREAD myNtQueryInformationThread = (NTQUERYINFOMATIONTHREAD)GetProcAddress(GetModuleHandle(_T("ntdll.dll")), "NtQueryInformationThread"); 27 | 28 | // Structures to hold process information 29 | #pragma pack(push, 1) 30 | struct procNfoStuct { 31 | DWORD PID; 32 | TCHAR Name[MAX_PATH]; 33 | unsigned long long TotalExecMem = 0; 34 | }; 35 | #pragma pack(pop) 36 | procNfoStuct Procs[4098]; 37 | DWORD NumOfProcs = 0; 38 | 39 | 40 | // 41 | // Function : SetDebugPrivilege 42 | // Role : Gets privs for our process 43 | // Notes : 44 | // 45 | BOOL SetPrivilege(HANDLE hProcess, LPCTSTR lPriv) 46 | { 47 | LUID luid; 48 | TOKEN_PRIVILEGES privs; 49 | HANDLE hToken = NULL; 50 | DWORD dwBufLen = 0; 51 | char buf[1024]; 52 | 53 | ZeroMemory(&luid, sizeof(luid)); 54 | 55 | if (!LookupPrivilegeValue(NULL, lPriv, &luid)) return false; 56 | 57 | privs.PrivilegeCount = 1; 58 | privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 59 | memcpy(&privs.Privileges[0].Luid, &luid, sizeof(privs.Privileges[0].Luid)); 60 | 61 | 62 | if (!OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &hToken)) 63 | return false; 64 | 65 | if 
(!AdjustTokenPrivileges(hToken, FALSE, &privs,
66 | sizeof(buf), (PTOKEN_PRIVILEGES)buf, &dwBufLen))
// NOTE(review): hToken is leaked on this path. Also, a non-zero return from
// AdjustTokenPrivileges does not mean the privilege was granted — the call still "succeeds"
// with GetLastError() == ERROR_NOT_ALL_ASSIGNED, which is not checked here.
67 | return false;
68 |
// NOTE(review): closes the caller's process handle. The only visible caller passes
// GetCurrentProcess() (line 250), a pseudo-handle, so this happens to be harmless here.
69 | CloseHandle(hProcess);
70 | CloseHandle(hToken);
71 |
72 | return true;
73 | }
74 |
///
/// Read one thread's TEB out of the target process and print the fields that suggest an
/// impersonating or cloned thread.
///
/// hProcess : handle to the owning process; must allow ReadProcessMemory
/// hThread  : not used by this function (the caller at line 212 passes it anyway)
/// dwPID, cProcess : only used to label the output lines
/// ptrTEB   : TEB base address obtained from NtQueryInformationThread (line 209)
///
/// MYTEB is declared outside this file; the meaning of CountOfOwnedCriticalSections,
/// IsImpersonating and RtlExceptionAttached is taken from their names — confirm against the
/// struct definition before relying on the "cloned" / "is impersonating" verdicts.
75 | void AnalyzeTEB(HANDLE hProcess, HANDLE hThread, DWORD dwPID, TCHAR *cProcess, LPCVOID ptrTEB) {
76 |
77 | MYTEB myTEB;
78 | SIZE_T szRead=0;
79 |
80 | memset(&myTEB, 0x00, sizeof(myTEB));
81 |
// A failed read is silent: no output and no counter is touched in that case.
82 | if (ReadProcessMemory(hProcess, ptrTEB, &myTEB, sizeof(myTEB), &szRead) == TRUE) {
83 |
// A short read is only reported; the (partly zeroed) fields are still inspected below.
84 | if(szRead != sizeof(myTEB)) fwprintf(stdout, _TEXT("[i] [%d][%s] Size Delta\n"), dwPID, cProcess);
85 |
86 | // fwprintf(stdout, _TEXT("[i] [%d][%s] Got TEB %llx\n"), dwPID, cProcess, ptrTEB);
87 |
88 | //if(myTEB.InitialThread>0)fwprintf(stdout, _TEXT("[i] [%d][%s] Initial thread: %d\n"), dwPID, cProcess, myTEB.InitialThread);
89 |
90 | if (myTEB.CountOfOwnedCriticalSections >0) fwprintf(stdout, _TEXT("[i] [%d][%s] Count of Owned Critical Sections: %d\n"), dwPID, cProcess, myTEB.CountOfOwnedCriticalSections);
91 |
92 | if(myTEB.IsImpersonating > 0 ) fwprintf(stdout, _TEXT("[i] [%d][%s] is impersonating\n"), dwPID, cProcess);
93 |
94 | if(myTEB.RtlExceptionAttached == 1) fwprintf(stdout, _TEXT("[i] [%d][%s] cloned\n"), dwPID, cProcess);
// Disabled experiment: stack-size heuristics based on NtTib.StackBase/StackLimit.
95 | /*
96 | //fwprintf(stdout, _TEXT("[i] [%d][%s] %llx %llx - Size %d\n"), dwPID, cProcess,myTEB.NtTib.StackBase, myTEB.NtTib.StackLimit, ((LONGLONG)myTEB.NtTib.StackBase- (LONGLONG)myTEB.NtTib.StackLimit));
97 | LONGLONG dwSSize = (LONGLONG)myTEB.NtTib.StackBase - (LONGLONG)myTEB.NtTib.StackLimit;
98 | FLOAT dwFoo = dwSSize / 1024;
99 |
100 | DWORD dwStackSize = (unsigned int)(unsigned short)__rdtsc() + 1021 & 0xfffff000;
101 | FLOAT dwFoo2 = dwStackSize / 1024;
102 |
103 | if (dwFoo != 8.0 && dwFoo != 16.0 && dwFoo != 32.0 && dwFoo != 64.000000) {
104 | fwprintf(stdout, _TEXT("[i] [%d][%s] -- %d - %f\n"), dwPID, cProcess, dwSSize, dwFoo);
105 | }
106 |
107 | //fwprintf(stdout, _TEXT("[i] [%d][%s] -- %d - %f\n"), dwPID,
_TEXT("SAMPLE"), dwStackSize,dwFoo2);
108 |
109 | if (dwSSize < 1000) {
110 | fwprintf(stdout, _TEXT("[i] [%d][%s] Alert\n"), dwPID, cProcess);
111 | }
112 | */
113 |
114 | }
115 |
116 |
117 | }
118 |
119 | ///
120 | /// Open the process, record its name in Procs[], then walk its threads and hand
/// each thread's TEB to AnalyzeTEB.
121 | ///
122 | /// Process ID
///
/// Side effects: appends to Procs/NumOfProcs, bumps dwCountError / dwOpen / dwCountOK and
/// prints to stdout/stderr. bIsWow64, bIsWow64Other, dwRES and dwMods are assigned but never
/// read in this function.
123 | void AnalyzeProc(DWORD dwPID)
124 | {
125 | DWORD dwRet, dwMods;
126 | HANDLE hProcess;
127 | HMODULE hModule[4096];
128 | TCHAR cProcess[MAX_PATH]; // Process name
129 | BOOL bIsWow64 = FALSE;
130 | BOOL bIsWow64Other = FALSE;
131 | DWORD dwRES = 0;
132 |
133 |
134 | // Get process handle by hook or by crook: ask for everything first, then retry with
// progressively narrower rights when the first attempt is refused.
135 | hProcess = OpenProcess(PROCESS_ALL_ACCESS | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPID);
136 | if (hProcess == NULL)
137 | {
// 5 == ERROR_ACCESS_DENIED; any other failure (e.g. the PID is gone) is not retried.
138 | if (GetLastError() == 5) {
139 | hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPID);
140 | if (hProcess == NULL) {
141 |
// A PROCESS_QUERY_LIMITED_INFORMATION handle is not expected to satisfy EnumProcessModules
// below, so processes opened here will normally end up in the "not analysed" branch.
142 | hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, dwPID);
143 | if (hProcess == NULL) {
144 |
145 | fwprintf(stderr, _TEXT("[!] [%d][UNKNOWN] Failed to OpenProcess - %d\n"), dwPID, GetLastError());
146 | dwCountError++;
147 | return;
148 | }
149 | }
150 | }
151 | else {
152 | fwprintf(stderr, _TEXT("[!] [%d][UNKNOWN] Failed to OpenProcess - %d\n"), dwPID, GetLastError());
153 | dwCountError++;
154 | return;
155 | }
156 | }
157 |
158 |
159 | // Enumerate the process modules
160 | if (EnumProcessModules(hProcess, hModule, 4096 * sizeof(HMODULE), &dwRet) == FALSE)
161 | {
162 | DWORD dwSz = MAX_PATH;
// NOTE(review): the GetLastError() printed on the next line follows a successful
// QueryFullProcessImageName call, so it may no longer be EnumProcessModules' error code.
163 | if (QueryFullProcessImageName(hProcess, 0, cProcess, &dwSz) == TRUE) {
164 | fwprintf(stdout, _TEXT("[i] [%d][%s] not analysed %d\n"), dwPID, cProcess, GetLastError());
165 | dwOpen++;
166 | }
167 | else {
168 | fwprintf(stdout, _TEXT("[i] [%d][%s] not analysed %d\n"), dwPID, _TEXT("UNKNOWN"), GetLastError());
169 | dwOpen++;
170 | }
171 |
// 299 == ERROR_PARTIAL_COPY (typically a 32-bit build looking at a 64-bit process).
// NOTE(review): by this point QueryFullProcessImageName and fwprintf have run, so the
// value tested here may be stale; capture GetLastError() right after EnumProcessModules.
172 | if (GetLastError() == 299) {
173 | //fprintf(stderr, "64bit process and we're 32bit - sad panda!
skipping PID %d\n", dwPID);
174 | }
175 | else {
176 | //fprintf(stderr, "Error in EnumProcessModules(%d),%d\n", dwPID, GetLastError());
177 | }
178 |
179 | dwCountError++;
180 | if (hProcess != NULL)CloseHandle(hProcess);
181 | return;
182 | }
// dwRet is the byte count EnumProcessModules *needed*, which may exceed the 4096-entry
// buffer; this file only reads hModule[0], and dwMods itself is never used after this line.
183 | dwMods = dwRet / sizeof(HMODULE);
184 |
185 | // Get the processes name from the first module returned by the above
// (return value not checked; cProcess is left as-is if the lookup fails)
186 | GetModuleBaseName(hProcess, hModule[0], cProcess, MAX_PATH);
187 | Procs[NumOfProcs].PID = dwPID;
188 | _tcscpy_s(Procs[NumOfProcs].Name, MAX_PATH, cProcess);
189 | //fwprintf(stdout, _TEXT("[i] [%d][%s] analyzing\n"), dwPID, cProcess);
190 | NumOfProcs++;
191 |
192 | //
193 | // Get the threads of this process from a Toolhelp snapshot, resolve each thread's TEB
// via NtQueryInformationThread(ThreadBasicInformation) and hand it to AnalyzeTEB.
194 | //
195 |
// The snapshot is system-wide; the owner-PID filter below picks out this process' threads.
196 | HANDLE h = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
197 | if (h != INVALID_HANDLE_VALUE) {
198 | THREADENTRY32 te;
199 | te.dwSize = sizeof(te);
200 | if (Thread32First(h, &te)) {
201 | do {
// NOTE(review): GetProcessId(NULL) fails and returns 0, so the second test only excludes
// PID 0 — presumably GetCurrentProcessId() was meant; as written the tool also walks its
// own threads.
202 | if (te.th32OwnerProcessID == dwPID && GetProcessId(NULL) != dwPID) {
203 | HANDLE hThread = INVALID_HANDLE_VALUE;
204 | hThread = OpenThread(THREAD_QUERY_INFORMATION, false, te.th32ThreadID);
// NOTE(review): OpenThread returns NULL on failure, not INVALID_HANDLE_VALUE, so this
// check never fires and a NULL handle is passed to NtQueryInformationThread and then to
// CloseHandle.
205 | if (hThread != INVALID_HANDLE_VALUE) {
206 |
207 | THREAD_BASIC_INFORMATION threadTBI;
208 |
// Class 0 is ThreadBasicInformation; myNtQueryInformationThread is never NULL-checked
// (see its initialiser at line 26).
209 | NTSTATUS statRes = myNtQueryInformationThread(hThread, (THREADINFOCLASS)(0), &threadTBI, sizeof(threadTBI), NULL);
210 | if (statRes == 0) {
211 | //fwprintf(stdout, _TEXT("[i] [%d][%s] Address of TEB %llx\n"), dwPID, cProcess, threadTBI.TebBaseAddress);
212 | AnalyzeTEB(hProcess, hThread, dwPID,cProcess,threadTBI.TebBaseAddress);
213 | }
214 | else
215 | {
216 | fwprintf(stdout, _TEXT("[!]
[%d][%s] Failed to get TBI %d\n"), dwPID, cProcess,(DWORD)statRes);
// (statRes is an NTSTATUS; %d renders it as a signed number — %x would be easier to look up)
217 | }
218 |
// Disabled probe of the thread start address (info class 9 — presumably
// ThreadQuerySetWin32StartAddress; confirm before re-enabling).
219 | /*
220 | PVOID startAddress = 0;
221 | statRes = myNtQueryInformationThread(hThread, (THREADINFOCLASS)(9), &startAddress, sizeof(startAddress), NULL);
222 | if (statRes == 0) {
223 | fwprintf(stdout, _TEXT("[i] [%d][%s] Start Address of Thread %llx\n"), dwPID, cProcess, startAddress);
224 | }
225 | */
226 |
227 | CloseHandle(hThread);
228 | }
229 | }
230 |
231 | } while (Thread32Next(h, &te));
232 | }
233 | CloseHandle(h);
234 | }
235 |
236 | dwCountOK++;
237 | CloseHandle(hProcess);
238 | }
239 |
240 | ///
241 | /// Enumerate all the processes on the system and
242 | /// pass off to the analysis function
243 | ///
/// Resets Procs/NumOfProcs, tries to enable SeDebugPrivilege (the return value is ignored;
/// without the privilege OpenProcess typically fails for processes owned by other users and
/// those simply show up in the error counters), then calls AnalyzeProc for every PID that
/// EnumProcesses returns and prints a summary line.
244 | void EnumerateProcesses()
245 | {
246 | DWORD dwPIDArray[4096], dwRet, dwPIDS, intCount;
247 | NumOfProcs = 0;
248 |
249 | // Privs
250 | SetPrivilege(GetCurrentProcess(), SE_DEBUG_NAME);
251 |
252 | // Be clean
253 | memset(Procs, 0x00, sizeof(Procs));
254 |
255 | //
256 | // Enumerate
257 | //
258 | if (EnumProcesses(dwPIDArray, 4096 * sizeof(DWORD), &dwRet) == 0)
259 | {
// This inner dwRet shadows the outer one declared at line 246.
260 | DWORD dwRet = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, 0, GetLastError(), 0, strErrMsg, 1023, NULL);
261 | if (dwRet != 0) {
262 | _ftprintf(stderr, TEXT("[!] EnumProcesses() failed - %s"), strErrMsg);
263 | }
264 | else
265 | {
266 | _ftprintf(stderr, TEXT("[!]
EnumProcesses() - Error: %d\n"), GetLastError());
267 | }
268 | return;
269 | }
270 |
271 | // Total number of process IDs
// NOTE(review): EnumProcesses does not signal truncation; if dwRet equals the buffer size
// (4096 * sizeof(DWORD)) the list may be incomplete and should be re-queried with a larger buffer.
272 | dwPIDS = dwRet / sizeof(DWORD);
273 |
274 | //
275 | // Analyze
276 | //
277 | for (intCount = 0; intCount < dwPIDS; intCount++)
278 | {
279 | //fwprintf(stdout, _TEXT("[i] Analyzing PID %d\n"), dwPIDArray[intCount]);
280 | AnalyzeProc(dwPIDArray[intCount]);
281 | }
282 |
283 | fwprintf(stdout, _TEXT("[i] Total of %d processes - didn't open %d \n"), dwPIDS, dwOpen);
284 | }
-------------------------------------------------------------------------------- /d-cow/Engine.cpp: --------------------------------------------------------------------------------
1 | /*
2 | A copy on write detector for Windows APIs across processes
3 |
4 | Released as open source by NCC Group Plc - http://www.nccgroup.com/
5 |
6 | Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
7 |
8 | https://github.com/nccgroup/DetectWindowsCopyOnWriteForAPI
9 |
10 | Released under AGPL see LICENSE for more information
11 | */
12 |
13 | // Includes
14 | #include "stdafx.h"
15 | #include "XGetopt.h"
16 |
17 | // Globals
18 | TCHAR strErrMsg[1024]; // FormatMessage() text buffer used by EnumerateProcesses (line 278)
19 | DWORD dwModuleRelocs = 0; // not referenced anywhere in this file
// eventWrite is EtwEventWrite's address in *this* process. AnalyzeProc (line 200) uses it
// as the probe address inside every target, which only works while ntdll is mapped at the
// same base in all processes — the code itself flags this as fragile.
20 | void* eventWrite = GetProcAddress(LoadLibraryA("ntdll"), "EtwEventWrite");
21 | DWORD dwCountError = 0; // processes that could not be opened or analysed
22 | DWORD dwCountOK = 0; // processes whose module scan completed
23 |
24 | // Structure to hold per-process information (byte-packed). Only PID and Name are
// written by this file (lines 159-160); TotalExecMem keeps its initialiser.
25 | #pragma pack(push, 1)
26 | struct procNfoStuct {
27 | DWORD PID;
28 | TCHAR Name[MAX_PATH];
29 | unsigned long long TotalExecMem = 0;
30 | };
31 | #pragma pack(pop)
// One slot per PID handed out by EnumerateProcesses; its buffer holds at most 4096 PIDs
// (line 263) and AnalyzeProc bumps NumOfProcs at most once per PID, so 4098 cannot overflow.
32 | procNfoStuct Procs[4098];
33 | DWORD NumOfProcs = 0;
34 |
35 | // Manual imports
// __NtQueryInformationProcess is resolved but not used anywhere in this file.
36 | _NtQueryInformationProcess __NtQueryInformationProcess = (_NtQueryInformationProcess)GetProcAddress(GetModuleHandle(_T("ntdll.dll")), "NtQueryInformationProcess");
37 | typedef BOOL(WINAPI* LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
// The doubled "fnIsWow64Process =" is a harmless self-assignment typo; IsWow64() (line 78)
// NULL-checks this pointer before use.
38 | LPFN_ISWOW64PROCESS fnIsWow64Process = fnIsWow64Process =
(LPFN_ISWOW64PROCESS)GetProcAddress(GetModuleHandle(TEXT("kernel32")), "IsWow64Process");
39 |
40 | //
41 | // Function : SetPrivilege
42 | // Role : Enables the privilege named by lPriv (the caller passes SE_DEBUG_NAME, line 268)
//          on the primary token of hProcess.
43 | // Returns : TRUE once AdjustTokenPrivileges succeeds; FALSE if the privilege name cannot
//          be looked up, the token cannot be opened, or the adjustment call fails.
// Notes : AdjustTokenPrivileges reports success even when the privilege was not granted
//          (GetLastError() == ERROR_NOT_ALL_ASSIGNED), so TRUE does not prove the privilege
//          is held. The success path closes hProcess itself (line 69) — a no-op for the
//          GetCurrentProcess() pseudo-handle the visible caller passes, but it would close a
//          real handle behind the caller's back. The failure return at line 67 leaks hToken.
44 | //
45 | BOOL SetPrivilege(HANDLE hProcess, LPCTSTR lPriv)
46 | {
47 | LUID luid;
48 | TOKEN_PRIVILEGES privs;
49 | HANDLE hToken = NULL;
50 | DWORD dwBufLen = 0;
51 | char buf[1024]; // previous-state buffer for AdjustTokenPrivileges; its contents are never read
52 |
53 | ZeroMemory(&luid, sizeof(luid));
54 |
55 | if (!LookupPrivilegeValue(NULL, lPriv, &luid)) return false;
56 |
57 | privs.PrivilegeCount = 1;
58 | privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
59 | memcpy(&privs.Privileges[0].Luid, &luid, sizeof(privs.Privileges[0].Luid));
60 |
61 |
// TOKEN_ALL_ACCESS is more than this needs; TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY would do.
62 | if (!OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &hToken))
63 | return false;
64 |
65 | if (!AdjustTokenPrivileges(hToken, FALSE, &privs,
66 | sizeof(buf), (PTOKEN_PRIVILEGES)buf, &dwBufLen))
// NOTE(review): hToken is leaked on this path, and ERROR_NOT_ALL_ASSIGNED is not checked.
67 | return false;
68 |
// NOTE(review): closes the caller's process handle (see Notes above).
69 | CloseHandle(hProcess);
70 | CloseHandle(hToken);
71 |
72 | return true;
73 | }
74 |
75 | //
76 | // https://msdn.microsoft.com/en-us/library/windows/desktop/ms684139(v=vs.85).aspx
77 | //
// Returns TRUE when this process is running under WOW64. FALSE also covers "IsWow64Process
// is unavailable" and "the call failed", so callers cannot tell those apart from a native
// process. Not called from the code in this file.
78 | BOOL IsWow64()
79 | {
80 | BOOL bIsWow64 = FALSE;
81 |
82 | if (NULL != fnIsWow64Process)
83 | {
84 | if (!fnIsWow64Process(GetCurrentProcess(), &bIsWow64))
85 | {
86 | return false;
87 | }
88 | }
89 | return bIsWow64;
90 | }
91 |
92 |
93 |
94 |
95 | ///
96 | /// Open the process, locate ntdll.dll among its modules, and use QueryWorkingSetEx on
/// the page holding EtwEventWrite to report whether that page is no longer shared
/// (i.e. has been privately copied, which is what a copy-on-write patch looks like).
97 | ///
98 | /// Process ID
///
/// Side effects: appends to Procs/NumOfProcs, bumps dwCountError / dwCountOK and prints to
/// stdout/stderr. bIsWow64, bIsWow64Other and dwRES are assigned but never read.
99 | void AnalyzeProc(DWORD dwPID)
100 | {
101 | DWORD dwRet, dwMods;
102 | HANDLE hProcess;
103 | HMODULE hModule[4096];
104 | TCHAR cProcess[MAX_PATH]; // Process name
105 | BOOL bIsWow64 = FALSE;
106 | BOOL bIsWow64Other = FALSE;
107 | DWORD dwRES = 0;
108 |
109 |
110 | // Get process handle by hook or by crook: ask for everything first, then retry with
// progressively narrower rights when the first attempt is refused.
111 | hProcess = OpenProcess(PROCESS_ALL_ACCESS | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPID);
112 | if (hProcess == NULL)
113 | {
// 5 == ERROR_ACCESS_DENIED; any other failure (e.g. the PID is gone) is not retried.
114 | if (GetLastError() == 5) {
115 | hProcess = OpenProcess(PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ, FALSE, dwPID);
116 | if (hProcess == NULL) {
117 |
// NOTE(review): this handle is not NULL-checked before QueryFullProcessImageName below,
// and both branches that follow return without closing it, so a successful limited open
// is leaked. Both branches also do the same thing (count an error and return), so the
// image-name lookup currently only serves the commented-out diagnostics.
118 | hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, dwPID);
119 |
120 | DWORD dwBuffSize = MAX_PATH;
121 | if (QueryFullProcessImageName(hProcess, 0, cProcess, &dwBuffSize) == TRUE) {
122 | //fwprintf(stderr, _TEXT("[!] [%d][%s] Failed to OpenProcess - %d\n"), dwPID,cProcess, GetLastError());
123 | dwCountError++;
124 | return;
125 | }
126 | else {
127 | //fwprintf(stderr, _TEXT("[!] [%d][UNKNOWN] Failed to OpenProcess - %d\n"), dwPID, GetLastError());
128 | dwCountError++;
129 | return;
130 | }
131 | }
132 | }
133 | else {
134 | //fwprintf(stderr, _TEXT("[!] [%d][UNKNOWN] Failed to OpenProcess - %d\n"), dwPID, GetLastError());
135 | dwCountError++;
136 | return;
137 | }
138 | }
139 |
140 |
141 | // Enumerate the process modules
142 | if (EnumProcessModules(hProcess, hModule, 4096 * sizeof(HMODULE), &dwRet) == FALSE)
143 | {
// 299 == ERROR_PARTIAL_COPY (typically a 32-bit build looking at a 64-bit process).
144 | if (GetLastError() == 299) {
145 | //fprintf(stderr, "64bit process and we're 32bit - sad panda!
skipping PID %d\n", dwPID);
146 | }
147 | else {
148 | //fprintf(stderr, "Error in EnumProcessModules(%d),%d\n", dwPID, GetLastError());
149 | }
150 |
151 | dwCountError++;
152 | if (hProcess != NULL)CloseHandle(hProcess);
153 | return;
154 | }
// NOTE(review): dwRet is the byte count EnumProcessModules *needed*, not what it wrote.
// For a process with more than 4096 modules dwMods exceeds the buffer and the loop at
// line 170 reads past hModule[]; clamp with dwRet = min(dwRet, sizeof(hModule)) first.
155 | dwMods = dwRet / sizeof(HMODULE);
156 |
157 | // Get the processes name from the first module returned by the above
// (return value not checked; cProcess is left as-is if the lookup fails)
158 | GetModuleBaseName(hProcess, hModule[0], cProcess, MAX_PATH);
159 | Procs[NumOfProcs].PID = dwPID;
160 | _tcscpy_s(Procs[NumOfProcs].Name, MAX_PATH, cProcess);
161 | NumOfProcs++;
162 |
163 |
164 | // Print the process name
165 | //fwprintf(stdout, _TEXT("[i] --> %s\n"), cProcess);
166 |
167 |
168 | // Now for each of the modules (skipping index 0, the main image) look for NTDLL
169 | DWORD dwCnt = 0;
170 | for (dwCnt = 1; dwCnt < dwMods; dwCnt++) {
171 |
172 | TCHAR cModule[MAX_PATH]; // Module base name
173 | GetModuleBaseName(hProcess, hModule[dwCnt], cModule, MAX_PATH);
174 |
175 |
176 | // Found the module we care about
177 | if (_tcsicmp(cModule, _TEXT("ntdll.dll")) == 0) {
178 | // fwprintf(stdout, _TEXT("[i] ----> Found %s\n"), cModule);
179 |
180 | MODULEINFO modNFO;
181 |
182 | if (GetModuleInformation(hProcess, hModule[dwCnt], &modNFO, sizeof(modNFO)) == TRUE) {
183 | // fwprintf(stdout, _TEXT("[i] ----> %p\n"), modNFO.lpBaseOfDll);
184 |
// NOTE(review): lpBaseOfDll is an address in the *target* process, but it is dereferenced
// here as a pointer in *this* process (no ReadProcessMemory). That only yields the right
// headers while ntdll shares the same base in both processes; otherwise it reads
// whatever happens to be mapped locally at that address, or faults.
185 | PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)modNFO.lpBaseOfDll;
186 | PIMAGE_NT_HEADERS NtHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)modNFO.lpBaseOfDll + DosHeader->e_lfanew);
187 |
188 | for (WORD i = 0; i < NtHeader->FileHeader.NumberOfSections; i++) {
189 | PIMAGE_SECTION_HEADER SectionHeader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(NtHeader) + ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i));
190 |
191 | // Found the section we care about
// NOTE(review): IMAGE_SECTION_HEADER::Name is 8 bytes and not guaranteed to be
// NUL-terminated; strcmp can run past it — compare with strncmp(..., IMAGE_SIZEOF_SHORT_NAME).
192 | if (!strcmp((char*)SectionHeader->Name, (char*)".text")) {
193 |
194 | // Calculate the address
195 | // DWORD64 dwAddress = (DWORD64)modNFO.lpBaseOfDll + SectionHeader->VirtualAddress;
196 |
197 |
198 | // We are
using the address we have resolved in our local process
199 | // this is fragile and will need fixing
// (eventWrite is the global set at line 20; it is this process' EtwEventWrite, not the target's)
200 | DWORD64 dwAddress = (DWORD64)eventWrite;
201 |
202 | // fwprintf(stdout, _TEXT("[i] ----> .text section at %p\n"), dwAddress);
203 | DWORD dwSize = SectionHeader->Misc.VirtualSize;
204 |
// Disabled alternative check based on VirtualQuery of the local mapping.
205 | /*
206 | MEMORY_BASIC_INFORMATION mbNFO;
207 | if (VirtualQuery((LPCVOID)dwAddress, &mbNFO, sizeof(MEMORY_BASIC_INFORMATION)) == TRUE) {
208 | if (mbNFO.Protect != MEM_IMAGE) {
209 | fwprintf(stdout, _TEXT("[i] NTDLL .text section not MEM_IMAGE for %s (%d)\n"), cProcess, dwPID);
210 | }
211 | }
212 | else
213 | {
214 | fprintf(stderr, "[!] Error in VirtualQuery(%d),%d\n", dwPID, GetLastError());
215 | }*/
216 |
217 | // Make sure the function is the expected range
// NOTE(review): this window is [base, base + .text VirtualSize) — it starts at the module
// base rather than at base + SectionHeader->VirtualAddress (the computation the commented
// line 195 shows), so it is not actually the .text range. With eventWrite taken from our
// own process, the test only holds while ntdll shares its base with the target.
218 | if (dwAddress > (DWORD64)modNFO.lpBaseOfDll && dwAddress < ((DWORD64)modNFO.lpBaseOfDll + dwSize)) {
219 |
220 | // Query the working set
// QueryWorkingSetEx needs PROCESS_QUERY_INFORMATION on hProcess; it tells us whether the
// page containing dwAddress is still backed by the shared image mapping.
221 | PSAPI_WORKING_SET_EX_INFORMATION info;
222 | info.VirtualAddress = (LPVOID)dwAddress;
223 |
224 | //fwprintf(stdout, _TEXT("[i] [%d][%s] text section from %p - %p of %d bytes \n"), dwPID, cProcess, info.VirtualAddress, (dwAddress + dwSize), dwSize);
225 |
226 | if (QueryWorkingSetEx(hProcess, &info, sizeof(info)) == TRUE) {
227 |
228 | //fwprintf(stdout, _TEXT("[i] [%d][%s] %x)\n"), dwPID, cProcess,info.VirtualAttributes);
// Shared == 0 means the page is private to the target, i.e. copy-on-write has been
// triggered for it. A page that is simply not resident is not distinguished here
// (info.VirtualAttributes.Valid is not consulted) — confirm this is acceptable.
229 | if (info.VirtualAttributes.Shared == 0) fwprintf(stdout, _TEXT("[i] [%d][%s] EtwEventWrite is located in NONE shared memory - indication of copy of write\n"), dwPID, cProcess);
230 | }
231 | else
232 | {
233 | fprintf(stderr, "[!]
Error in QueryWorkingSetEx(%d),%d\n", dwPID, GetLastError());
234 | dwCountError++;
// NOTE(review): returns without CloseHandle(hProcess); only the success path at line 254
// closes it. Same for the GetModuleInformation failure at line 247.
235 | return;
236 | }
237 | }
238 |
239 | }
240 | }
241 |
242 | }
243 | else
244 | {
245 | fprintf(stderr, "Error in GetModuleInformation(%d),%d\n", dwPID, GetLastError());
246 | dwCountError++;
// NOTE(review): hProcess leaked on this path as well.
247 | return;
248 | }
249 |
250 | }
251 | }
252 |
253 | dwCountOK++;
254 | CloseHandle(hProcess);
255 | }
256 |
257 | ///
258 | /// Enumerate all the processes on the system and
259 | /// pass off to the analysis function
260 | ///
/// Resets Procs/NumOfProcs, tries to enable SeDebugPrivilege (the return value is ignored;
/// without the privilege OpenProcess typically fails for processes owned by other users and
/// those simply show up in dwCountError), then calls AnalyzeProc for every PID that
/// EnumProcesses returns and prints a summary line.
261 | void EnumerateProcesses()
262 | {
263 | DWORD dwPIDArray[4096], dwRet, dwPIDS, intCount;
264 | NumOfProcs = 0;
265 |
266 |
267 | // Privs
268 | SetPrivilege(GetCurrentProcess(), SE_DEBUG_NAME);
269 |
270 | // Be clean
271 | memset(Procs, 0x00, sizeof(Procs));
272 |
273 | //
274 | // Enumerate
275 | //
276 | if (EnumProcesses(dwPIDArray, 4096 * sizeof(DWORD), &dwRet) == 0)
277 | {
// This inner dwRet shadows the outer one declared at line 263.
278 | DWORD dwRet = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, 0, GetLastError(), 0, strErrMsg, 1023, NULL);
279 | if (dwRet != 0) {
280 | _ftprintf(stderr, TEXT("[!] EnumProcesses() failed - %s"), strErrMsg);
281 | }
282 | else
283 | {
284 | _ftprintf(stderr, TEXT("[!]
EnumProcesses() - Error: %d\n"), GetLastError());
285 | }
286 | return;
287 | }
288 |
289 | // Total number of process IDs
// NOTE(review): EnumProcesses does not signal truncation; if dwRet equals the buffer size
// (4096 * sizeof(DWORD)) the list may be incomplete and should be re-queried with a larger buffer.
290 | dwPIDS = dwRet / sizeof(DWORD);
291 | //
292 | // Test case (disabled): self-test harness that patches EtwEventWrite in a hard-coded PID
// so the detector has something to find. Left commented out; not part of the normal run.
293 | // Remote process patch
294 | //
295 | //DWORD oldOldProt;
296 | //DWORD oldProt;
297 | //HANDLE hProcPatch = INVALID_HANDLE_VALUE;
298 | //hProcPatch = OpenProcess(PROCESS_ALL_ACCESS | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, 11960);
299 | //VirtualProtectEx(hProcPatch, eventWrite, 4, PAGE_EXECUTE_READWRITE, &oldProt);
300 | //WriteProcessMemory(hProcPatch, eventWrite, "\xff\xff\xff\xff", 4, NULL);
301 | //VirtualProtectEx(hProcPatch, eventWrite, 4, oldProt, &oldOldProt);
302 | //
303 |
304 | //
305 | // Analyze
306 | //
307 | for (intCount = 0; intCount < dwPIDS; intCount++)
308 | {
309 | //fwprintf(stdout, _TEXT("[i] Analyzing PID %d\n"), dwPIDArray[intCount]);
310 | AnalyzeProc(dwPIDArray[intCount]);
311 | }
312 |
// Summary: dwCountError counts open/enumeration failures, not only "didn't open".
313 | fwprintf(stdout, _TEXT("[i] Total of %d processes %d didn't open \n"), dwPIDS, dwCountError);
314 |
315 | }
--------------------------------------------------------------------------------