├── x64 ├── test.bat └── SDD.dll ├── x86 ├── test.bat └── SDD.dll ├── exports.def ├── .gitattributes ├── stdafx.cpp ├── stdafx.h └── POC.cpp /x64/test.bat: -------------------------------------------------------------------------------- 1 | regsvr32 /s sdd.dll -------------------------------------------------------------------------------- /x86/test.bat: -------------------------------------------------------------------------------- 1 | regsvr32 /s sdd.dll -------------------------------------------------------------------------------- /x64/SDD.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/SDD/HEAD/x64/SDD.dll -------------------------------------------------------------------------------- /x86/SDD.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/SDD/HEAD/x86/SDD.dll -------------------------------------------------------------------------------- /exports.def: -------------------------------------------------------------------------------- 1 | LIBRARY "SDD" 2 | 3 | EXPORTS 4 | DllRegisterServer PRIVATE 5 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /stdafx.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | 3 | void* __cdecl operator new[](size_t ByteSize) 4 | { 5 | return HeapAlloc(GetProcessHeap(), 0, ByteSize); 6 | } 7 | 8 | void* __cdecl operator new(size_t ByteSize) 9 | { 10 | return HeapAlloc(GetProcessHeap(), 0, ByteSize); 11 | } 12 | 13 | void __cdecl operator delete(void* Buffer) 14 | { 15 | HeapFree(GetProcessHeap(), 0, Buffer); 16 | } 17 | 18 | void __cdecl operator delete(void* Buffer, size_t) 19 | { 20 | HeapFree(GetProcessHeap(), 0, Buffer); 21 | } 22 | 23 | void __cdecl operator delete[](void* Buffer) 24 | { 25 | HeapFree(GetProcessHeap(), 0, Buffer); 26 | } 27 | 28 | void __cdecl operator delete[](void* Buffer, size_t) 29 | { 30 | HeapFree(GetProcessHeap(), 0, Buffer); 31 | } -------------------------------------------------------------------------------- /stdafx.h: -------------------------------------------------------------------------------- 1 | #define DECLSPEC_DEPRECATED_DDK 2 | 3 | #define _CRT_SECURE_NO_DEPRECATE 4 | #define _CRT_NON_CONFORMING_SWPRINTFS 5 | #define _NO_CRT_STDIO_INLINE 6 | #define _CRT_SECURE_CPP_OVERLOAD_SECURE_NAMES 0 7 | #define _ALLOW_COMPILER_AND_STL_VERSION_MISMATCH 8 | #define __EDG__ 9 | #define USE_ATL_THUNK2 10 | 11 | #define CMSG_SIGNED_ENCODE_INFO_HAS_CMS_FIELDS 12 | #define CMSG_SIGNER_ENCODE_INFO_HAS_CMS_FIELDS 13 | 14 | #pragma warning(disable : 4073 4074 4075 4097 4514 4005 4200 4201 4238 4307 4324 4392 4480 4530 4706 5040) 15 | #include 16 | //#include 17 | #include 18 | #include 19 | 20 | #include 21 | #include 22 | #include 23 | #undef WIN32_NO_STATUS 24 | #include 25 | #include 26 | 27 | //#include 28 | //#include 29 | 30 | EXTERN_C IMAGE_DOS_HEADER __ImageBase; 31 | 32 | #ifndef PHNT_MODE 33 | #define PHNT_MODE PHNT_MODE_USER 34 | #endif 35 | 36 | #ifndef PHNT_VERSION 37 | #define PHNT_VERSION PHNT_WIN11_22H2 38 | #endif 39 | 40 | #define _NTLSA_ 41 | 42 | #if PHNT_MODE == PHNT_MODE_USER 43 | #define SECURITY_WIN32 44 | #endif 45 | 46 | #pragma warning(disable : 4073 4074 4075 4097 4514 4005 4200 4201 4238 4307 4324 4471 4480 4530 4706 5040) 47 | 48 | typedef GUID *PGUID; 49 | 50 | #include "phnt.h" 51 | 52 | #pragma warning(default : 4392) 53 | 54 | -------------------------------------------------------------------------------- /POC.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | 3 | #ifdef _WIN64 4 | #define __movsp __movsq 5 | #else 6 | #define __movsp __movsd 7 | #endif 8 | 9 | #ifdef _X86_ 10 | 11 | #pragma warning(disable: 4483) // Allow use of __identifier 12 | 13 | #define __imp_VirtualAlloc __identifier("_imp__VirtualAlloc@16") 14 | 15 | #endif 16 | 17 | EXTERN_C_START 18 | 19 | extern IMAGE_DOS_HEADER __ImageBase; 20 | extern PVOID __imp_VirtualAlloc; 21 | 22 | EXTERN_C_END 23 | 24 | void RemapSelfInternal(PVOID ImageBase, PVOID TempBase, ULONG SizeOfImage, PVOID VirtualAlloc) 25 | { 26 | if (UnmapViewOfFile(ImageBase)) 27 | { 28 | if (ImageBase == reinterpret_cast(VirtualAlloc) 29 | (ImageBase, SizeOfImage, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)) 30 | { 31 | __movsp((ULONG_PTR*)ImageBase, (ULONG_PTR*)TempBase, SizeOfImage / sizeof(ULONG_PTR)); 32 | return ; 33 | } 34 | 35 | __debugbreak(); 36 | } 37 | } 38 | 39 | void RemapSelf() 40 | { 41 | if (PIMAGE_NT_HEADERS pinth = RtlImageNtHeader(&__ImageBase)) 42 | { 43 | ULONG SizeOfImage = pinth->OptionalHeader.SizeOfImage; 44 | 45 | if (PVOID TempBase = VirtualAlloc(0, SizeOfImage, MEM_COMMIT, PAGE_EXECUTE_READWRITE)) 46 | { 47 | memcpy(TempBase, &__ImageBase, SizeOfImage); 48 | 49 | PVOID Cookie; 50 | 51 | if (0 <= LdrLockLoaderLock(0, 0, &Cookie)) 52 | { 53 | reinterpret_cast 54 | (RtlOffsetToPointer(TempBase, RtlPointerToOffset(&__ImageBase, RemapSelfInternal))) 55 | (&__ImageBase, TempBase, SizeOfImage, __imp_VirtualAlloc); 56 | 57 | LdrUnlockLoaderLock(0, Cookie); 58 | } 59 | 60 | VirtualFree(TempBase, 0, MEM_RELEASE); 61 | } 62 | } 63 | } 64 | 65 | void ShowErrorBox(HRESULT hr, PCWSTR pzCaption, UINT uType) 66 | { 67 | WCHAR msg[0x100]; 68 | 69 | ULONG dwFlags = FORMAT_MESSAGE_IGNORE_INSERTS|FORMAT_MESSAGE_FROM_SYSTEM; 70 | HMODULE hmod = 0; 71 | 72 | if ((hr & FACILITY_NT_BIT) || (0 > hr && HRESULT_FACILITY(hr) == FACILITY_NULL)) 73 | { 74 | hr &= ~FACILITY_NT_BIT; 75 | __nt: 76 | dwFlags = FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_IGNORE_INSERTS; 77 | hmod = GetModuleHandle(L"ntdll"); 78 | } 79 | 80 | if (FormatMessageW(dwFlags, hmod, hr, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), msg, _countof(msg), 0)) 81 | { 82 | MessageBoxW(0, msg, pzCaption, uType); 83 | } 84 | else if (FORMAT_MESSAGE_FROM_SYSTEM & dwFlags) 85 | { 86 | goto __nt; 87 | } 88 | } 89 | 90 | HRESULT WINAPI DllRegisterServer() 91 | { 92 | NTSTATUS status = STATUS_NO_MEMORY; 93 | 94 | OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, 0, OBJ_CASE_INSENSITIVE }; 95 | 96 | SIZE_T cb; 97 | if (oa.ObjectName = (PUNICODE_STRING)LocalAlloc(LMEM_FIXED, cb = 0x10000)) 98 | { 99 | if (0 > (status = ZwQueryVirtualMemory(NtCurrentProcess(), &__ImageBase, 100 | MemoryMappedFilenameInformation, oa.ObjectName, cb, &cb))) 101 | { 102 | ShowErrorBox(HRESULT_FROM_NT(status), L"MemoryMappedFilenameInformation", MB_ICONHAND); 103 | } 104 | else 105 | { 106 | LONG f = 0; 107 | 108 | static const PCWSTR sz[] = { L"#2 try delete", L"#1 try delete" }; 109 | ULONG n = _countof(sz); 110 | 111 | do 112 | { 113 | status = ZwDeleteFile(&oa); 114 | 115 | ShowErrorBox(status ? HRESULT_FROM_NT(status) : S_OK, sz[--n], status ? MB_ICONWARNING : MB_ICONINFORMATION); 116 | 117 | if (!_bittestandset(&f, 0)) 118 | { 119 | RemapSelf(); 120 | } 121 | 122 | } while (n); 123 | } 124 | 125 | LocalFree(oa.ObjectName); 126 | } 127 | 128 | return RtlNtStatusToDosError(status); 129 | } --------------------------------------------------------------------------------