├── FakeDebuggerWindows ├── .vs │ └── FakeDebuggerWindows │ │ └── v14 │ │ └── .suo ├── FakeDebuggerWindows.opensdf ├── FakeDebuggerWindows.sdf ├── FakeDebuggerWindows.sln ├── FakeDebuggerWindows │ ├── Debug │ │ ├── FakeDebuggerWindows.obj │ │ ├── FakeDebuggerWindows.pch │ │ ├── FakeDebuggerWindows.res │ │ ├── stdafx.obj │ │ ├── vc140.idb │ │ └── vc140.pdb │ ├── FakeDebuggerWindows.cpp │ ├── FakeDebuggerWindows.h │ ├── FakeDebuggerWindows.ico │ ├── FakeDebuggerWindows.rc │ ├── FakeDebuggerWindows.vcxproj │ ├── FakeDebuggerWindows.vcxproj.filters │ ├── ReadMe.txt │ ├── Release │ │ ├── FakeDebuggerWindows.obj │ │ ├── FakeDebuggerWindows.pch │ │ ├── FakeDebuggerWindows.res │ │ ├── stdafx.obj │ │ └── vc140.pdb │ ├── Resource.h │ ├── small.ico │ ├── stdafx.cpp │ ├── stdafx.h │ └── targetver.h └── Release │ ├── FakeDebuggerWindows.exe │ ├── FakeDebuggerWindows.iobj │ ├── FakeDebuggerWindows.ipdb │ └── FakeDebuggerWindows.pdb ├── FindWindow ├── .vs │ └── FindWindow │ │ └── v14 │ │ └── .suo ├── FindWindow.sdf ├── FindWindow.sln ├── FindWindow │ ├── Debug │ │ ├── FindWindow.obj │ │ ├── FindWindow.pch │ │ ├── stdafx.obj │ │ ├── vc140.idb │ │ └── vc140.pdb │ ├── FindWindow.cpp │ ├── FindWindow.vcxproj │ ├── FindWindow.vcxproj.filters │ ├── ReadMe.txt │ ├── Release │ │ ├── FindWindow.obj │ │ ├── FindWindow.pch │ │ ├── stdafx.obj │ │ └── vc140.pdb │ ├── stdafx.cpp │ ├── stdafx.h │ └── targetver.h └── Release │ ├── FindWindow.exe │ ├── FindWindow.iobj │ ├── FindWindow.ipdb │ └── FindWindow.pdb ├── LICENSE.md ├── fakevm ├── README.md ├── controller.py └── vstudio_fakevm │ ├── .vs │ └── fakevm │ │ └── v14 │ │ └── .suo │ ├── Debug │ ├── fakevm.cer │ ├── fakevm.inf │ ├── fakevm.pdb │ ├── fakevm.sys │ └── fakevm │ │ ├── WdfCoinstaller01009.dll │ │ ├── fakevm.cat │ │ ├── fakevm.inf │ │ └── fakevm.sys │ ├── Release │ ├── fakevm.cer │ ├── fakevm.inf │ ├── fakevm.pdb │ ├── fakevm.sys │ └── fakevm │ │ ├── WdfCoinstaller01009.dll │ │ ├── fakevm.cat │ │ ├── fakevm.inf │ │ └── fakevm.sys │ 
├── fakevm.opensdf │ ├── fakevm.sdf │ ├── fakevm.sln │ └── fakevm │ ├── Debug │ ├── driver.obj │ ├── fakevm.inf │ └── vc140.pdb │ ├── Release │ ├── driver.obj │ ├── fakevm.inf │ └── vc140.pdb │ ├── driver.c │ ├── driver.h │ ├── fakevm.inf │ ├── fakevm.vcxproj │ ├── fakevm.vcxproj.filters │ └── fakevm.vcxproj.user └── mutex_grabber ├── lock.ico ├── mutex_grabber.py └── wannacry_mutex.txt /FakeDebuggerWindows/.vs/FakeDebuggerWindows/v14/.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FakeDebuggerWindows/.vs/FakeDebuggerWindows/v14/.suo -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows.opensdf: -------------------------------------------------------------------------------- 1 | csabyDEV -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows.sdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FakeDebuggerWindows/FakeDebuggerWindows.sdf -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.23107.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FakeDebuggerWindows", "FakeDebuggerWindows\FakeDebuggerWindows.vcxproj", "{418E52A3-96BF-41C0-9F14-5D30DB5DD395}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 
= Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {418E52A3-96BF-41C0-9F14-5D30DB5DD395}.Debug|x64.ActiveCfg = Debug|x64 17 | {418E52A3-96BF-41C0-9F14-5D30DB5DD395}.Debug|x64.Build.0 = Debug|x64 18 | {418E52A3-96BF-41C0-9F14-5D30DB5DD395}.Debug|x86.ActiveCfg = Debug|Win32 19 | {418E52A3-96BF-41C0-9F14-5D30DB5DD395}.Debug|x86.Build.0 = Debug|Win32 20 | {418E52A3-96BF-41C0-9F14-5D30DB5DD395}.Release|x64.ActiveCfg = Release|x64 21 | {418E52A3-96BF-41C0-9F14-5D30DB5DD395}.Release|x64.Build.0 = Release|x64 22 | {418E52A3-96BF-41C0-9F14-5D30DB5DD395}.Release|x86.ActiveCfg = Release|Win32 23 | {418E52A3-96BF-41C0-9F14-5D30DB5DD395}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | EndGlobal 29 | -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/Debug/FakeDebuggerWindows.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FakeDebuggerWindows/FakeDebuggerWindows/Debug/FakeDebuggerWindows.obj -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/Debug/FakeDebuggerWindows.pch: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FakeDebuggerWindows/FakeDebuggerWindows/Debug/FakeDebuggerWindows.pch -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/Debug/FakeDebuggerWindows.res: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FakeDebuggerWindows/FakeDebuggerWindows/Debug/FakeDebuggerWindows.res -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/Debug/stdafx.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FakeDebuggerWindows/FakeDebuggerWindows/Debug/stdafx.obj -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/Debug/vc140.idb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FakeDebuggerWindows/FakeDebuggerWindows/Debug/vc140.idb -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/Debug/vc140.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FakeDebuggerWindows/FakeDebuggerWindows/Debug/vc140.pdb -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/FakeDebuggerWindows.cpp: -------------------------------------------------------------------------------- 1 | // FakeDebuggerWindows.cpp : Defines the entry point for the application. 
2 | // 3 | 4 | #include "stdafx.h" 5 | #include "FakeDebuggerWindows.h" 6 | 7 | #ifndef UNICODE 8 | #define UNICODE 9 | #endif 10 | 11 | #include 12 | 13 | //window program source: https ://msdn.microsoft.com/en-us/library/windows/desktop/ff381409(v=vs.85).aspx 14 | LRESULT CALLBACK OllyWindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam); 15 | LRESULT CALLBACK WindbgWindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam); 16 | 17 | int WINAPI wWinMain(HINSTANCE hInstance, HINSTANCE, PWSTR pCmdLine, int nCmdShow) 18 | { 19 | // Register the window class. 20 | const wchar_t CLASS_NAME_OLLY[] = L"OLLYDBG"; 21 | WNDCLASS wc_olly = {}; 22 | wc_olly.lpfnWndProc = OllyWindowProc; 23 | wc_olly.hInstance = hInstance; 24 | wc_olly.lpszClassName = CLASS_NAME_OLLY; 25 | RegisterClass(&wc_olly); 26 | 27 | const wchar_t CLASS_NAME_WINDBG[] = L"WinDbgFrameClass"; 28 | WNDCLASS wc_windbg = {}; 29 | wc_windbg.lpfnWndProc = WindbgWindowProc; 30 | wc_windbg.hInstance = hInstance; 31 | wc_windbg.lpszClassName = CLASS_NAME_WINDBG; 32 | RegisterClass(&wc_windbg); 33 | 34 | // Create the windows. 35 | HWND hwnd_Olly = CreateWindowEx( 36 | 0, // Optional window styles. 37 | CLASS_NAME_OLLY, // Window class 38 | L"OllyDBG", // Window text 39 | WS_OVERLAPPEDWINDOW, // Window style 40 | // Size and position 41 | CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, 42 | NULL, // Parent window 43 | NULL, // Menu 44 | hInstance, // Instance handle 45 | NULL // Additional application data 46 | ); 47 | 48 | HWND hwnd_WinDBG = CreateWindowEx( 49 | 0, // Optional window styles. 
50 | CLASS_NAME_WINDBG, // Window class 51 | L"WinDBG", // Window text 52 | WS_OVERLAPPEDWINDOW, // Window style 53 | // Size and position 54 | CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, 55 | NULL, // Parent window 56 | NULL, // Menu 57 | hInstance, // Instance handle 58 | NULL // Additional application data 59 | ); 60 | 61 | //If either of the windows couldn't be created, exit 62 | if ((hwnd_Olly == NULL) || (hwnd_WinDBG == NULL)) 63 | { 64 | return 0; 65 | } 66 | //ShowWindow(hwnd, nCmdShow); 67 | 68 | // Run the message loop. 69 | MSG msg = {}; 70 | while (GetMessage(&msg, NULL, 0, 0)) 71 | { 72 | TranslateMessage(&msg); 73 | DispatchMessage(&msg); 74 | } 75 | return 0; 76 | } 77 | 78 | LRESULT CALLBACK OllyWindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam) 79 | { 80 | switch (uMsg) 81 | { 82 | case WM_DESTROY: 83 | PostQuitMessage(0); 84 | return 0; 85 | 86 | case WM_PAINT: 87 | { 88 | PAINTSTRUCT ps; 89 | HDC hdc = BeginPaint(hwnd, &ps); 90 | 91 | FillRect(hdc, &ps.rcPaint, (HBRUSH)(COLOR_WINDOW + 1)); 92 | 93 | EndPaint(hwnd, &ps); 94 | } 95 | return 0; 96 | 97 | } 98 | return DefWindowProc(hwnd, uMsg, wParam, lParam); 99 | } 100 | 101 | LRESULT CALLBACK WindbgWindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam) 102 | { 103 | switch (uMsg) 104 | { 105 | case WM_DESTROY: 106 | PostQuitMessage(0); 107 | return 0; 108 | 109 | case WM_PAINT: 110 | { 111 | PAINTSTRUCT ps; 112 | HDC hdc = BeginPaint(hwnd, &ps); 113 | 114 | FillRect(hdc, &ps.rcPaint, (HBRUSH)(COLOR_WINDOW + 1)); 115 | 116 | EndPaint(hwnd, &ps); 117 | } 118 | return 0; 119 | 120 | } 121 | return DefWindowProc(hwnd, uMsg, wParam, lParam); 122 | } 123 | -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/FakeDebuggerWindows.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "resource.h" 4 | 
-------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/FakeDebuggerWindows.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FakeDebuggerWindows/FakeDebuggerWindows/FakeDebuggerWindows.ico -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/FakeDebuggerWindows.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FakeDebuggerWindows/FakeDebuggerWindows/FakeDebuggerWindows.rc -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/FakeDebuggerWindows.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {418E52A3-96BF-41C0-9F14-5D30DB5DD395} 23 | Win32Proj 24 | FakeDebuggerWindows 25 | 8.1 26 | 27 | 28 | 29 | Application 30 | true 31 | v140 32 | Unicode 33 | 34 | 35 | Application 36 | false 37 | v140 38 | true 39 | Unicode 40 | 41 | 42 | Application 43 | true 44 | v140 45 | Unicode 46 | 47 | 48 | Application 49 | false 50 | v140 51 | true 52 | Unicode 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | true 74 | 75 | 76 | true 77 | 78 | 79 | false 80 | 81 | 82 | false 83 | 84 | 85 | 86 | Use 87 | Level3 88 | Disabled 89 | WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Windows 94 | true 95 | 96 | 97 | 98 | 99 | Use 100 | Level3 101 | Disabled 102 | _DEBUG;_WINDOWS;%(PreprocessorDefinitions) 103 | true 104 | 105 | 106 | Windows 107 | true 108 | 109 | 
110 | 111 | 112 | Level3 113 | Use 114 | MaxSpeed 115 | true 116 | true 117 | WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Windows 122 | true 123 | true 124 | true 125 | 126 | 127 | 128 | 129 | Level3 130 | Use 131 | MaxSpeed 132 | true 133 | true 134 | NDEBUG;_WINDOWS;%(PreprocessorDefinitions) 135 | true 136 | 137 | 138 | Windows 139 | true 140 | true 141 | true 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | Create 157 | Create 158 | Create 159 | Create 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/FakeDebuggerWindows.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | Header Files 29 | 30 | 31 | Header Files 32 | 33 | 34 | 35 | 36 | Source Files 37 | 38 | 39 | Source Files 40 | 41 | 42 | 43 | 44 | Resource Files 45 | 46 | 47 | 48 | 49 | Resource Files 50 | 51 | 52 | Resource Files 53 | 54 | 55 | -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | WIN32 APPLICATION : FakeDebuggerWindows Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this 
FakeDebuggerWindows application for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your FakeDebuggerWindows application. 9 | 10 | 11 | FakeDebuggerWindows.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | FakeDebuggerWindows.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | FakeDebuggerWindows.cpp 25 | This is the main application source file. 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | AppWizard has created the following resources: 29 | 30 | FakeDebuggerWindows.rc 31 | This is a listing of all of the Microsoft Windows resources that the 32 | program uses. It includes the icons, bitmaps, and cursors that are stored 33 | in the RES subdirectory. This file can be directly edited in Microsoft 34 | Visual C++. 35 | 36 | Resource.h 37 | This is the standard header file, which defines new resource IDs. 38 | Microsoft Visual C++ reads and updates this file. 39 | 40 | FakeDebuggerWindows.ico 41 | This is an icon file, which is used as the application's icon (32x32). 42 | This icon is included by the main resource file FakeDebuggerWindows.rc. 43 | 44 | small.ico 45 | This is an icon file, which contains a smaller version (16x16) 46 | of the application's icon. This icon is included by the main resource 47 | file FakeDebuggerWindows.rc. 
48 | 49 | ///////////////////////////////////////////////////////////////////////////// 50 | Other standard files: 51 | 52 | StdAfx.h, StdAfx.cpp 53 | These files are used to build a precompiled header (PCH) file 54 | named FakeDebuggerWindows.pch and a precompiled types file named StdAfx.obj. 55 | 56 | ///////////////////////////////////////////////////////////////////////////// 57 | Other notes: 58 | 59 | AppWizard uses "TODO:" comments to indicate parts of the source code you 60 | should add to or customize. 61 | 62 | ///////////////////////////////////////////////////////////////////////////// 63 | -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/Release/FakeDebuggerWindows.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FakeDebuggerWindows/FakeDebuggerWindows/Release/FakeDebuggerWindows.obj -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/Release/FakeDebuggerWindows.pch: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FakeDebuggerWindows/FakeDebuggerWindows/Release/FakeDebuggerWindows.pch -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/Release/FakeDebuggerWindows.res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FakeDebuggerWindows/FakeDebuggerWindows/Release/FakeDebuggerWindows.res -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/Release/stdafx.obj: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FakeDebuggerWindows/FakeDebuggerWindows/Release/stdafx.obj -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/Release/vc140.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FakeDebuggerWindows/FakeDebuggerWindows/Release/vc140.pdb -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/Resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 3 | // Used by FakeDebuggerWindows.rc 4 | // 5 | 6 | #define IDS_APP_TITLE 103 7 | 8 | #define IDR_MAINFRAME 128 9 | #define IDD_FAKEDEBUGGERWINDOWS_DIALOG 102 10 | #define IDD_ABOUTBOX 103 11 | #define IDM_ABOUT 104 12 | #define IDM_EXIT 105 13 | #define IDI_FAKEDEBUGGERWINDOWS 107 14 | #define IDI_SMALL 108 15 | #define IDC_FAKEDEBUGGERWINDOWS 109 16 | #define IDC_MYICON 2 17 | #ifndef IDC_STATIC 18 | #define IDC_STATIC -1 19 | #endif 20 | // Next default values for new objects 21 | // 22 | #ifdef APSTUDIO_INVOKED 23 | #ifndef APSTUDIO_READONLY_SYMBOLS 24 | 25 | #define _APS_NO_MFC 130 26 | #define _APS_NEXT_RESOURCE_VALUE 129 27 | #define _APS_NEXT_COMMAND_VALUE 32771 28 | #define _APS_NEXT_CONTROL_VALUE 1000 29 | #define _APS_NEXT_SYMED_VALUE 110 30 | #endif 31 | #endif 32 | -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/small.ico: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FakeDebuggerWindows/FakeDebuggerWindows/small.ico -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // FakeDebuggerWindows.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 11 | // Windows Header Files: 12 | #include 13 | 14 | // C RunTime Header Files 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | 21 | // TODO: reference additional headers your program requires here 22 | -------------------------------------------------------------------------------- /FakeDebuggerWindows/FakeDebuggerWindows/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 
7 | 8 | #include 9 | -------------------------------------------------------------------------------- /FakeDebuggerWindows/Release/FakeDebuggerWindows.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FakeDebuggerWindows/Release/FakeDebuggerWindows.exe -------------------------------------------------------------------------------- /FakeDebuggerWindows/Release/FakeDebuggerWindows.iobj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FakeDebuggerWindows/Release/FakeDebuggerWindows.iobj -------------------------------------------------------------------------------- /FakeDebuggerWindows/Release/FakeDebuggerWindows.ipdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FakeDebuggerWindows/Release/FakeDebuggerWindows.ipdb -------------------------------------------------------------------------------- /FakeDebuggerWindows/Release/FakeDebuggerWindows.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FakeDebuggerWindows/Release/FakeDebuggerWindows.pdb -------------------------------------------------------------------------------- /FindWindow/.vs/FindWindow/v14/.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FindWindow/.vs/FindWindow/v14/.suo -------------------------------------------------------------------------------- /FindWindow/FindWindow.sdf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FindWindow/FindWindow.sdf -------------------------------------------------------------------------------- /FindWindow/FindWindow.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.23107.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FindWindow", "FindWindow\FindWindow.vcxproj", "{7508BF30-E373-43BD-89FE-40559AB72F9E}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {7508BF30-E373-43BD-89FE-40559AB72F9E}.Debug|x64.ActiveCfg = Debug|x64 17 | {7508BF30-E373-43BD-89FE-40559AB72F9E}.Debug|x64.Build.0 = Debug|x64 18 | {7508BF30-E373-43BD-89FE-40559AB72F9E}.Debug|x86.ActiveCfg = Debug|Win32 19 | {7508BF30-E373-43BD-89FE-40559AB72F9E}.Debug|x86.Build.0 = Debug|Win32 20 | {7508BF30-E373-43BD-89FE-40559AB72F9E}.Release|x64.ActiveCfg = Release|x64 21 | {7508BF30-E373-43BD-89FE-40559AB72F9E}.Release|x64.Build.0 = Release|x64 22 | {7508BF30-E373-43BD-89FE-40559AB72F9E}.Release|x86.ActiveCfg = Release|Win32 23 | {7508BF30-E373-43BD-89FE-40559AB72F9E}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | EndGlobal 29 | -------------------------------------------------------------------------------- /FindWindow/FindWindow/Debug/FindWindow.obj: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FindWindow/FindWindow/Debug/FindWindow.obj -------------------------------------------------------------------------------- /FindWindow/FindWindow/Debug/FindWindow.pch: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FindWindow/FindWindow/Debug/FindWindow.pch -------------------------------------------------------------------------------- /FindWindow/FindWindow/Debug/stdafx.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FindWindow/FindWindow/Debug/stdafx.obj -------------------------------------------------------------------------------- /FindWindow/FindWindow/Debug/vc140.idb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FindWindow/FindWindow/Debug/vc140.idb -------------------------------------------------------------------------------- /FindWindow/FindWindow/Debug/vc140.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FindWindow/FindWindow/Debug/vc140.pdb -------------------------------------------------------------------------------- /FindWindow/FindWindow/FindWindow.cpp: -------------------------------------------------------------------------------- 1 | // FindWindow.cpp : Defines the entry point for the console application. 
2 | // 3 | 4 | #include "stdafx.h" 5 | #include "windows.h" 6 | 7 | int main() 8 | { 9 | HWND nHwnd_olly = FindWindow((LPCWSTR)L"OLLYDBG", NULL); 10 | HWND nHwnd_windbg = FindWindow((LPCWSTR)L"WinDbgFrameClass", NULL); 11 | 12 | if (nHwnd_olly == NULL) 13 | { 14 | printf("Olly window not found\n"); 15 | } 16 | else 17 | { 18 | printf("Olly window found\n"); 19 | } 20 | 21 | if (nHwnd_windbg == NULL) 22 | { 23 | printf("WinDBG window not found\n"); 24 | } 25 | else 26 | { 27 | printf("WinDBG window found\n"); 28 | } 29 | return 0; 30 | } 31 | 32 | -------------------------------------------------------------------------------- /FindWindow/FindWindow/FindWindow.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {7508BF30-E373-43BD-89FE-40559AB72F9E} 23 | Win32Proj 24 | FindWindow 25 | 8.1 26 | 27 | 28 | 29 | Application 30 | true 31 | v140 32 | Unicode 33 | 34 | 35 | Application 36 | false 37 | v140 38 | true 39 | Unicode 40 | 41 | 42 | Application 43 | true 44 | v140 45 | Unicode 46 | 47 | 48 | Application 49 | false 50 | v140 51 | true 52 | Unicode 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | true 74 | 75 | 76 | true 77 | 78 | 79 | false 80 | 81 | 82 | false 83 | 84 | 85 | 86 | Use 87 | Level3 88 | Disabled 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Use 100 | Level3 101 | Disabled 102 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 103 | true 104 | 105 | 106 | Console 107 | true 108 | 109 | 110 | 111 | 112 | Level3 113 | Use 114 | MaxSpeed 115 | true 116 | true 117 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | true 124 | true 125 | 126 | 127 | 128 | 129 | Level3 130 | Use 131 | MaxSpeed 
132 | true 133 | true 134 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 135 | true 136 | 137 | 138 | Console 139 | true 140 | true 141 | true 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | Create 155 | Create 156 | Create 157 | Create 158 | 159 | 160 | 161 | 162 | 163 | -------------------------------------------------------------------------------- /FindWindow/FindWindow/FindWindow.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | -------------------------------------------------------------------------------- /FindWindow/FindWindow/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | CONSOLE APPLICATION : FindWindow Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this FindWindow application for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your FindWindow application. 9 | 10 | 11 | FindWindow.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 
16 | 17 | FindWindow.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | FindWindow.cpp 25 | This is the main application source file. 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | Other standard files: 29 | 30 | StdAfx.h, StdAfx.cpp 31 | These files are used to build a precompiled header (PCH) file 32 | named FindWindow.pch and a precompiled types file named StdAfx.obj. 33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | Other notes: 36 | 37 | AppWizard uses "TODO:" comments to indicate parts of the source code you 38 | should add to or customize. 39 | 40 | ///////////////////////////////////////////////////////////////////////////// 41 | -------------------------------------------------------------------------------- /FindWindow/FindWindow/Release/FindWindow.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FindWindow/FindWindow/Release/FindWindow.obj -------------------------------------------------------------------------------- /FindWindow/FindWindow/Release/FindWindow.pch: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FindWindow/FindWindow/Release/FindWindow.pch -------------------------------------------------------------------------------- /FindWindow/FindWindow/Release/stdafx.obj: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FindWindow/FindWindow/Release/stdafx.obj -------------------------------------------------------------------------------- /FindWindow/FindWindow/Release/vc140.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FindWindow/FindWindow/Release/vc140.pdb -------------------------------------------------------------------------------- /FindWindow/FindWindow/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // FindWindow.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /FindWindow/FindWindow/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #include 11 | #include 12 | 13 | 14 | 15 | // TODO: reference additional headers your program requires here 16 | -------------------------------------------------------------------------------- /FindWindow/FindWindow/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 
4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /FindWindow/Release/FindWindow.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FindWindow/Release/FindWindow.exe -------------------------------------------------------------------------------- /FindWindow/Release/FindWindow.iobj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FindWindow/Release/FindWindow.iobj -------------------------------------------------------------------------------- /FindWindow/Release/FindWindow.ipdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FindWindow/Release/FindWindow.ipdb -------------------------------------------------------------------------------- /FindWindow/Release/FindWindow.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/FindWindow/Release/FindWindow.pdb -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | Copyright (c) <2015> Csaba Fitzl 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the 
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 4 | 5 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 6 | 7 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -------------------------------------------------------------------------------- /fakevm/README.md: -------------------------------------------------------------------------------- 1 | fakevm 2 | ====== 3 | POC kernel driver to make a normal Windows desktop show up as a VM. 
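from ctypes import *
from ctypes.wintypes import *
import struct, sys, os, time
import optparse

#GLOBAL VARIABLES

# Win32 constants used to open the driver's control device.
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 0x3
# CreateFile reports failure with (HANDLE)-1; compute it at pointer width so the
# comparison is correct on both 32- and 64-bit Python.
INVALID_HANDLE_VALUE = c_void_p(-1).value
# Bytes, not str: CreateFileA takes a narrow (ANSI) string, and a Python 3 str
# would be marshalled as a wide string and never match the device name.
DEVICE_NAME = b"\\\\.\\fakevm"

# Building blocks of the IOCTL codes (same layout as the WDK CTL_CODE macro).
FILE_DEVICE_UNKNOWN = 0x00000022
METHOD_IN_DIRECT = 0x1
FILE_READ_DATA = 0x1
FILE_WRITE_DATA = 0x2


def CTL_CODE(devtype, func, meth, acc):
    """Return the IOCTL control code for *devtype*, function number *func*,
    buffering method *meth* and access bits *acc*, as the WDK CTL_CODE macro
    lays them out: device type in bits 16-31, access in 14-15, function in
    2-13, method in 0-1."""
    return (devtype << 16) | (acc << 14) | (func << 2) | meth


IOCTL_VMWARE = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_IN_DIRECT, FILE_READ_DATA | FILE_WRITE_DATA)
IOCTL_VBOX = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_IN_DIRECT, FILE_READ_DATA | FILE_WRITE_DATA)
IOCTL_HOOKALL = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_IN_DIRECT, FILE_READ_DATA | FILE_WRITE_DATA)
IOCTL_UNHOOKALL = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_IN_DIRECT, FILE_READ_DATA | FILE_WRITE_DATA)


class _IO_STATUS(Union):
    # NTSTATUS Status overlaps PVOID Pointer in the kernel definition.
    _fields_ = [("Status", c_long), ("Pointer", c_void_p)]


class IO_STATUS_BLOCK(Structure):
    """Layout of the kernel's IO_STATUS_BLOCK: a pointer-sized Status/Pointer
    union followed by a pointer-sized Information field.

    The kernel writes the whole structure on every call, so passing a bare
    c_ulong() (4 bytes) as the original did lets the kernel overrun the
    ctypes buffer.
    """
    _fields_ = [("u", _IO_STATUS), ("Information", c_void_p)]


def _send_ioctl(ntdll, driver_handle, code):
    """Issue the buffer-less IOCTL *code* to the driver and return its NTSTATUS.

    A negative status is a failure (NT_SUCCESS is "status >= 0").
    """
    iosb = IO_STATUS_BLOCK()
    return ntdll.ZwDeviceIoControlFile(HANDLE(driver_handle), None, None, None,
                                       byref(iosb), code, None, 0, None, 0)


def _parse_args(argv=None):
    """Parse the command line; returns the (options, args) pair from optparse."""
    usage = "Usage: %prog [options]"
    parser = optparse.OptionParser(usage=usage)
    parser.add_option('-w', '--vmware', action='store_true', dest='vmware', default=False, help='Switch fake VMware ON/OFF')
    parser.add_option('-x', '--vbox', action='store_true', dest='vbox', default=False, help='Switch fake VBox ON/OFF')
    parser.add_option('-o', '--hook', action='store_true', dest='hook', default=False, help='Hook all functions')
    parser.add_option('-u', '--unhook', action='store_true', dest='unhook', default=False, help='Unhook all functions')
    return parser.parse_args(argv)


def main(argv=None):
    """Open the fakevm control device, send the IOCTLs selected on the command
    line in the original order (hook/unhook, then vmware, then vbox) and return
    the process exit code: 0 on success, 1 if the device could not be opened or
    a request failed."""
    options, args = _parse_args(argv)

    kernel32 = windll.kernel32
    ntdll = windll.ntdll
    # Default restype is a C int, which would truncate a 64-bit HANDLE.
    kernel32.CreateFileA.restype = HANDLE

    #get driver handle
    driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)
    if driver_handle is None or driver_handle == INVALID_HANDLE_VALUE:
        # Previously this went unnoticed and the IOCTLs were sent to an
        # invalid handle, silently doing nothing.
        sys.stderr.write("could not open %s (error %d); is the fakevm driver loaded?\n"
                         % (DEVICE_NAME.decode("ascii"), GetLastError()))
        return 1

    try:
        requests = []
        if options.hook:
            requests.append(("hook", IOCTL_HOOKALL))
        elif options.unhook:
            requests.append(("unhook", IOCTL_UNHOOKALL))
        if options.vmware:
            requests.append(("vmware", IOCTL_VMWARE))
        if options.vbox:
            requests.append(("vbox", IOCTL_VBOX))

        exit_code = 0
        for name, code in requests:
            status = _send_ioctl(ntdll, driver_handle, code)
            if status < 0:
                sys.stderr.write("%s request failed: NTSTATUS 0x%08X\n" % (name, status & 0xFFFFFFFF))
                exit_code = 1
        return exit_code
    finally:
        kernel32.CloseHandle(HANDLE(driver_handle))


if __name__ == '__main__':
    sys.exit(main())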
-------------------------------------------------------------------------------- 1 | ; 2 | ; fakevm.inf 3 | ; 4 | 5 | [Version] 6 | Signature="$WINDOWS NT$" 7 | Class=Sample ; TODO: edit Class 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid 9 | Provider=%ManufacturerName% 10 | CatalogFile=fakevm.cat 11 | DriverVer=10/25/2015,18.51.58.500 12 | 13 | [DestinationDirs] 14 | DefaultDestDir = 12 15 | 16 | ; ================= Class section ===================== 17 | 18 | [ClassInstall32] 19 | Addreg=SampleClassReg 20 | 21 | [SampleClassReg] 22 | HKR,,,0,%ClassName% 23 | HKR,,Icon,,-5 24 | 25 | [SourceDisksNames] 26 | 1 = %DiskName%,,,"" 27 | 28 | [SourceDisksFiles] 29 | fakevm.sys = 1,, 30 | 31 | ;***************************************** 32 | ; Install Section 33 | ;***************************************** 34 | 35 | [Manufacturer] 36 | %ManufacturerName%=Standard,NTx86 37 | 38 | [Standard.NTx86] 39 | %fakevm.DeviceDesc%=fakevm_Device, Root\fakevm ; TODO: edit hw-id 40 | 41 | [fakevm_Device.NT] 42 | CopyFiles=Drivers_Dir 43 | 44 | [Drivers_Dir] 45 | fakevm.sys 46 | 47 | ;-------------- Service installation 48 | [fakevm_Device.NT.Services] 49 | AddService = fakevm,%SPSVCINST_ASSOCSERVICE%, fakevm_Service_Inst 50 | 51 | ; -------------- fakevm driver install sections 52 | [fakevm_Service_Inst] 53 | DisplayName = %fakevm.SVCDESC% 54 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 55 | StartType = 3 ; SERVICE_DEMAND_START 56 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 57 | ServiceBinary = %12%\fakevm.sys 58 | 59 | ; 60 | ;--- fakevm_Device Coinstaller installation ------ 61 | ; 62 | 63 | [DestinationDirs] 64 | fakevm_Device_CoInstaller_CopyFiles = 11 65 | 66 | [fakevm_Device.NT.CoInstallers] 67 | AddReg=fakevm_Device_CoInstaller_AddReg 68 | CopyFiles=fakevm_Device_CoInstaller_CopyFiles 69 | 70 | [fakevm_Device_CoInstaller_AddReg] 71 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller01009.dll,WdfCoInstaller" 72 | 73 | [fakevm_Device_CoInstaller_CopyFiles] 
74 | WdfCoInstaller01009.dll 75 | 76 | [SourceDisksFiles] 77 | WdfCoInstaller01009.dll=1 ; make sure the number matches with SourceDisksNames 78 | 79 | [fakevm_Device.NT.Wdf] 80 | KmdfService = fakevm, fakevm_wdfsect 81 | [fakevm_wdfsect] 82 | KmdfLibraryVersion = 1.9 83 | 84 | [Strings] 85 | SPSVCINST_ASSOCSERVICE= 0x00000002 86 | ManufacturerName="" ;TODO: Replace with your manufacturer name 87 | ClassName="Samples" ; TODO: edit ClassName 88 | DiskName = "fakevm Installation Disk" 89 | fakevm.DeviceDesc = "fakevm Device" 90 | fakevm.SVCDESC = "fakevm Service" 91 | -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/Debug/fakevm.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/fakevm/vstudio_fakevm/Debug/fakevm.pdb -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/Debug/fakevm.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/fakevm/vstudio_fakevm/Debug/fakevm.sys -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/Debug/fakevm/WdfCoinstaller01009.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/fakevm/vstudio_fakevm/Debug/fakevm/WdfCoinstaller01009.dll -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/Debug/fakevm/fakevm.cat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/fakevm/vstudio_fakevm/Debug/fakevm/fakevm.cat 
-------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/Debug/fakevm/fakevm.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; fakevm.inf 3 | ; 4 | 5 | [Version] 6 | Signature="$WINDOWS NT$" 7 | Class=Sample ; TODO: edit Class 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid 9 | Provider=%ManufacturerName% 10 | CatalogFile=fakevm.cat 11 | DriverVer=10/25/2015,18.51.58.500 12 | 13 | [DestinationDirs] 14 | DefaultDestDir = 12 15 | 16 | ; ================= Class section ===================== 17 | 18 | [ClassInstall32] 19 | Addreg=SampleClassReg 20 | 21 | [SampleClassReg] 22 | HKR,,,0,%ClassName% 23 | HKR,,Icon,,-5 24 | 25 | [SourceDisksNames] 26 | 1 = %DiskName%,,,"" 27 | 28 | [SourceDisksFiles] 29 | fakevm.sys = 1,, 30 | 31 | ;***************************************** 32 | ; Install Section 33 | ;***************************************** 34 | 35 | [Manufacturer] 36 | %ManufacturerName%=Standard,NTx86 37 | 38 | [Standard.NTx86] 39 | %fakevm.DeviceDesc%=fakevm_Device, Root\fakevm ; TODO: edit hw-id 40 | 41 | [fakevm_Device.NT] 42 | CopyFiles=Drivers_Dir 43 | 44 | [Drivers_Dir] 45 | fakevm.sys 46 | 47 | ;-------------- Service installation 48 | [fakevm_Device.NT.Services] 49 | AddService = fakevm,%SPSVCINST_ASSOCSERVICE%, fakevm_Service_Inst 50 | 51 | ; -------------- fakevm driver install sections 52 | [fakevm_Service_Inst] 53 | DisplayName = %fakevm.SVCDESC% 54 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 55 | StartType = 3 ; SERVICE_DEMAND_START 56 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 57 | ServiceBinary = %12%\fakevm.sys 58 | 59 | ; 60 | ;--- fakevm_Device Coinstaller installation ------ 61 | ; 62 | 63 | [DestinationDirs] 64 | fakevm_Device_CoInstaller_CopyFiles = 11 65 | 66 | [fakevm_Device.NT.CoInstallers] 67 | AddReg=fakevm_Device_CoInstaller_AddReg 68 | CopyFiles=fakevm_Device_CoInstaller_CopyFiles 69 | 70 | 
[fakevm_Device_CoInstaller_AddReg] 71 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller01009.dll,WdfCoInstaller" 72 | 73 | [fakevm_Device_CoInstaller_CopyFiles] 74 | WdfCoInstaller01009.dll 75 | 76 | [SourceDisksFiles] 77 | WdfCoInstaller01009.dll=1 ; make sure the number matches with SourceDisksNames 78 | 79 | [fakevm_Device.NT.Wdf] 80 | KmdfService = fakevm, fakevm_wdfsect 81 | [fakevm_wdfsect] 82 | KmdfLibraryVersion = 1.9 83 | 84 | [Strings] 85 | SPSVCINST_ASSOCSERVICE= 0x00000002 86 | ManufacturerName="" ;TODO: Replace with your manufacturer name 87 | ClassName="Samples" ; TODO: edit ClassName 88 | DiskName = "fakevm Installation Disk" 89 | fakevm.DeviceDesc = "fakevm Device" 90 | fakevm.SVCDESC = "fakevm Service" 91 | -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/Debug/fakevm/fakevm.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/fakevm/vstudio_fakevm/Debug/fakevm/fakevm.sys -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/Release/fakevm.cer: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/fakevm/vstudio_fakevm/Release/fakevm.cer -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/Release/fakevm.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; fakevm.inf 3 | ; 4 | 5 | [Version] 6 | Signature="$WINDOWS NT$" 7 | Class=Sample ; TODO: edit Class 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid 9 | Provider=%ManufacturerName% 10 | CatalogFile=fakevm.cat 11 | DriverVer=10/25/2015,20.6.39.138 12 | 13 | [DestinationDirs] 14 | DefaultDestDir = 12 15 | 16 | ; 
================= Class section ===================== 17 | 18 | [ClassInstall32] 19 | Addreg=SampleClassReg 20 | 21 | [SampleClassReg] 22 | HKR,,,0,%ClassName% 23 | HKR,,Icon,,-5 24 | 25 | [SourceDisksNames] 26 | 1 = %DiskName%,,,"" 27 | 28 | [SourceDisksFiles] 29 | fakevm.sys = 1,, 30 | 31 | ;***************************************** 32 | ; Install Section 33 | ;***************************************** 34 | 35 | [Manufacturer] 36 | %ManufacturerName%=Standard,NTx86 37 | 38 | [Standard.NTx86] 39 | %fakevm.DeviceDesc%=fakevm_Device, Root\fakevm ; TODO: edit hw-id 40 | 41 | [fakevm_Device.NT] 42 | CopyFiles=Drivers_Dir 43 | 44 | [Drivers_Dir] 45 | fakevm.sys 46 | 47 | ;-------------- Service installation 48 | [fakevm_Device.NT.Services] 49 | AddService = fakevm,%SPSVCINST_ASSOCSERVICE%, fakevm_Service_Inst 50 | 51 | ; -------------- fakevm driver install sections 52 | [fakevm_Service_Inst] 53 | DisplayName = %fakevm.SVCDESC% 54 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 55 | StartType = 3 ; SERVICE_DEMAND_START 56 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 57 | ServiceBinary = %12%\fakevm.sys 58 | 59 | ; 60 | ;--- fakevm_Device Coinstaller installation ------ 61 | ; 62 | 63 | [DestinationDirs] 64 | fakevm_Device_CoInstaller_CopyFiles = 11 65 | 66 | [fakevm_Device.NT.CoInstallers] 67 | AddReg=fakevm_Device_CoInstaller_AddReg 68 | CopyFiles=fakevm_Device_CoInstaller_CopyFiles 69 | 70 | [fakevm_Device_CoInstaller_AddReg] 71 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller01009.dll,WdfCoInstaller" 72 | 73 | [fakevm_Device_CoInstaller_CopyFiles] 74 | WdfCoInstaller01009.dll 75 | 76 | [SourceDisksFiles] 77 | WdfCoInstaller01009.dll=1 ; make sure the number matches with SourceDisksNames 78 | 79 | [fakevm_Device.NT.Wdf] 80 | KmdfService = fakevm, fakevm_wdfsect 81 | [fakevm_wdfsect] 82 | KmdfLibraryVersion = 1.9 83 | 84 | [Strings] 85 | SPSVCINST_ASSOCSERVICE= 0x00000002 86 | ManufacturerName="" ;TODO: Replace with your manufacturer name 87 | ClassName="Samples" ; TODO: edit 
ClassName 88 | DiskName = "fakevm Installation Disk" 89 | fakevm.DeviceDesc = "fakevm Device" 90 | fakevm.SVCDESC = "fakevm Service" 91 | -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/Release/fakevm.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/fakevm/vstudio_fakevm/Release/fakevm.pdb -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/Release/fakevm.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/fakevm/vstudio_fakevm/Release/fakevm.sys -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/Release/fakevm/WdfCoinstaller01009.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/fakevm/vstudio_fakevm/Release/fakevm/WdfCoinstaller01009.dll -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/Release/fakevm/fakevm.cat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/fakevm/vstudio_fakevm/Release/fakevm/fakevm.cat -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/Release/fakevm/fakevm.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; fakevm.inf 3 | ; 4 | 5 | [Version] 6 | Signature="$WINDOWS NT$" 7 | Class=Sample ; TODO: edit Class 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid 9 | Provider=%ManufacturerName% 
10 | CatalogFile=fakevm.cat 11 | DriverVer=10/25/2015,20.6.39.138 12 | 13 | [DestinationDirs] 14 | DefaultDestDir = 12 15 | 16 | ; ================= Class section ===================== 17 | 18 | [ClassInstall32] 19 | Addreg=SampleClassReg 20 | 21 | [SampleClassReg] 22 | HKR,,,0,%ClassName% 23 | HKR,,Icon,,-5 24 | 25 | [SourceDisksNames] 26 | 1 = %DiskName%,,,"" 27 | 28 | [SourceDisksFiles] 29 | fakevm.sys = 1,, 30 | 31 | ;***************************************** 32 | ; Install Section 33 | ;***************************************** 34 | 35 | [Manufacturer] 36 | %ManufacturerName%=Standard,NTx86 37 | 38 | [Standard.NTx86] 39 | %fakevm.DeviceDesc%=fakevm_Device, Root\fakevm ; TODO: edit hw-id 40 | 41 | [fakevm_Device.NT] 42 | CopyFiles=Drivers_Dir 43 | 44 | [Drivers_Dir] 45 | fakevm.sys 46 | 47 | ;-------------- Service installation 48 | [fakevm_Device.NT.Services] 49 | AddService = fakevm,%SPSVCINST_ASSOCSERVICE%, fakevm_Service_Inst 50 | 51 | ; -------------- fakevm driver install sections 52 | [fakevm_Service_Inst] 53 | DisplayName = %fakevm.SVCDESC% 54 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 55 | StartType = 3 ; SERVICE_DEMAND_START 56 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 57 | ServiceBinary = %12%\fakevm.sys 58 | 59 | ; 60 | ;--- fakevm_Device Coinstaller installation ------ 61 | ; 62 | 63 | [DestinationDirs] 64 | fakevm_Device_CoInstaller_CopyFiles = 11 65 | 66 | [fakevm_Device.NT.CoInstallers] 67 | AddReg=fakevm_Device_CoInstaller_AddReg 68 | CopyFiles=fakevm_Device_CoInstaller_CopyFiles 69 | 70 | [fakevm_Device_CoInstaller_AddReg] 71 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller01009.dll,WdfCoInstaller" 72 | 73 | [fakevm_Device_CoInstaller_CopyFiles] 74 | WdfCoInstaller01009.dll 75 | 76 | [SourceDisksFiles] 77 | WdfCoInstaller01009.dll=1 ; make sure the number matches with SourceDisksNames 78 | 79 | [fakevm_Device.NT.Wdf] 80 | KmdfService = fakevm, fakevm_wdfsect 81 | [fakevm_wdfsect] 82 | KmdfLibraryVersion = 1.9 83 | 84 | [Strings] 85 | 
SPSVCINST_ASSOCSERVICE= 0x00000002 86 | ManufacturerName="" ;TODO: Replace with your manufacturer name 87 | ClassName="Samples" ; TODO: edit ClassName 88 | DiskName = "fakevm Installation Disk" 89 | fakevm.DeviceDesc = "fakevm Device" 90 | fakevm.SVCDESC = "fakevm Service" 91 | -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/Release/fakevm/fakevm.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/fakevm/vstudio_fakevm/Release/fakevm/fakevm.sys -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/fakevm.opensdf: -------------------------------------------------------------------------------- 1 | csabyWIN-66UB3B6GUPT -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/fakevm.sdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/fakevm/vstudio_fakevm/fakevm.sdf -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/fakevm.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.23107.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "fakevm", "fakevm\fakevm.vcxproj", "{41EC602A-EF9F-4E25-9729-48E98D270998}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|ARM = Debug|ARM 11 | Debug|ARM64 = Debug|ARM64 12 | Debug|x64 = Debug|x64 13 | Debug|x86 = Debug|x86 14 | Release|ARM = Release|ARM 15 | Release|ARM64 = Release|ARM64 16 | Release|x64 = Release|x64 17 
| Release|x86 = Release|x86 18 | EndGlobalSection 19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 20 | {41EC602A-EF9F-4E25-9729-48E98D270998}.Debug|ARM.ActiveCfg = Debug|ARM 21 | {41EC602A-EF9F-4E25-9729-48E98D270998}.Debug|ARM.Build.0 = Debug|ARM 22 | {41EC602A-EF9F-4E25-9729-48E98D270998}.Debug|ARM64.ActiveCfg = Debug|ARM64 23 | {41EC602A-EF9F-4E25-9729-48E98D270998}.Debug|ARM64.Build.0 = Debug|ARM64 24 | {41EC602A-EF9F-4E25-9729-48E98D270998}.Debug|x64.ActiveCfg = Debug|x64 25 | {41EC602A-EF9F-4E25-9729-48E98D270998}.Debug|x64.Build.0 = Debug|x64 26 | {41EC602A-EF9F-4E25-9729-48E98D270998}.Debug|x86.ActiveCfg = Debug|Win32 27 | {41EC602A-EF9F-4E25-9729-48E98D270998}.Debug|x86.Build.0 = Debug|Win32 28 | {41EC602A-EF9F-4E25-9729-48E98D270998}.Release|ARM.ActiveCfg = Release|ARM 29 | {41EC602A-EF9F-4E25-9729-48E98D270998}.Release|ARM.Build.0 = Release|ARM 30 | {41EC602A-EF9F-4E25-9729-48E98D270998}.Release|ARM64.ActiveCfg = Release|ARM64 31 | {41EC602A-EF9F-4E25-9729-48E98D270998}.Release|ARM64.Build.0 = Release|ARM64 32 | {41EC602A-EF9F-4E25-9729-48E98D270998}.Release|x64.ActiveCfg = Release|x64 33 | {41EC602A-EF9F-4E25-9729-48E98D270998}.Release|x64.Build.0 = Release|x64 34 | {41EC602A-EF9F-4E25-9729-48E98D270998}.Release|x86.ActiveCfg = Release|Win32 35 | {41EC602A-EF9F-4E25-9729-48E98D270998}.Release|x86.Build.0 = Release|Win32 36 | EndGlobalSection 37 | GlobalSection(SolutionProperties) = preSolution 38 | HideSolutionNode = FALSE 39 | EndGlobalSection 40 | EndGlobal 41 | -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/fakevm/Debug/driver.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/fakevm/vstudio_fakevm/fakevm/Debug/driver.obj -------------------------------------------------------------------------------- 
/fakevm/vstudio_fakevm/fakevm/Debug/fakevm.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; fakevm.inf 3 | ; 4 | 5 | [Version] 6 | Signature="$WINDOWS NT$" 7 | Class=Sample ; TODO: edit Class 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid 9 | Provider=%ManufacturerName% 10 | CatalogFile=fakevm.cat 11 | DriverVer=10/25/2015,18.51.58.500 12 | 13 | [DestinationDirs] 14 | DefaultDestDir = 12 15 | 16 | ; ================= Class section ===================== 17 | 18 | [ClassInstall32] 19 | Addreg=SampleClassReg 20 | 21 | [SampleClassReg] 22 | HKR,,,0,%ClassName% 23 | HKR,,Icon,,-5 24 | 25 | [SourceDisksNames] 26 | 1 = %DiskName%,,,"" 27 | 28 | [SourceDisksFiles] 29 | fakevm.sys = 1,, 30 | 31 | ;***************************************** 32 | ; Install Section 33 | ;***************************************** 34 | 35 | [Manufacturer] 36 | %ManufacturerName%=Standard,NTx86 37 | 38 | [Standard.NTx86] 39 | %fakevm.DeviceDesc%=fakevm_Device, Root\fakevm ; TODO: edit hw-id 40 | 41 | [fakevm_Device.NT] 42 | CopyFiles=Drivers_Dir 43 | 44 | [Drivers_Dir] 45 | fakevm.sys 46 | 47 | ;-------------- Service installation 48 | [fakevm_Device.NT.Services] 49 | AddService = fakevm,%SPSVCINST_ASSOCSERVICE%, fakevm_Service_Inst 50 | 51 | ; -------------- fakevm driver install sections 52 | [fakevm_Service_Inst] 53 | DisplayName = %fakevm.SVCDESC% 54 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 55 | StartType = 3 ; SERVICE_DEMAND_START 56 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 57 | ServiceBinary = %12%\fakevm.sys 58 | 59 | ; 60 | ;--- fakevm_Device Coinstaller installation ------ 61 | ; 62 | 63 | [DestinationDirs] 64 | fakevm_Device_CoInstaller_CopyFiles = 11 65 | 66 | [fakevm_Device.NT.CoInstallers] 67 | AddReg=fakevm_Device_CoInstaller_AddReg 68 | CopyFiles=fakevm_Device_CoInstaller_CopyFiles 69 | 70 | [fakevm_Device_CoInstaller_AddReg] 71 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller01009.dll,WdfCoInstaller" 
72 | 73 | [fakevm_Device_CoInstaller_CopyFiles] 74 | WdfCoInstaller01009.dll 75 | 76 | [SourceDisksFiles] 77 | WdfCoInstaller01009.dll=1 ; make sure the number matches with SourceDisksNames 78 | 79 | [fakevm_Device.NT.Wdf] 80 | KmdfService = fakevm, fakevm_wdfsect 81 | [fakevm_wdfsect] 82 | KmdfLibraryVersion = 1.9 83 | 84 | [Strings] 85 | SPSVCINST_ASSOCSERVICE= 0x00000002 86 | ManufacturerName="" ;TODO: Replace with your manufacturer name 87 | ClassName="Samples" ; TODO: edit ClassName 88 | DiskName = "fakevm Installation Disk" 89 | fakevm.DeviceDesc = "fakevm Device" 90 | fakevm.SVCDESC = "fakevm Service" 91 | -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/fakevm/Debug/vc140.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/fakevm/vstudio_fakevm/fakevm/Debug/vc140.pdb -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/fakevm/Release/driver.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/fakevm/vstudio_fakevm/fakevm/Release/driver.obj -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/fakevm/Release/fakevm.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; fakevm.inf 3 | ; 4 | 5 | [Version] 6 | Signature="$WINDOWS NT$" 7 | Class=Sample ; TODO: edit Class 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid 9 | Provider=%ManufacturerName% 10 | CatalogFile=fakevm.cat 11 | DriverVer=10/25/2015,20.6.39.138 12 | 13 | [DestinationDirs] 14 | DefaultDestDir = 12 15 | 16 | ; ================= Class section ===================== 17 | 18 | [ClassInstall32] 19 | 
Addreg=SampleClassReg 20 | 21 | [SampleClassReg] 22 | HKR,,,0,%ClassName% 23 | HKR,,Icon,,-5 24 | 25 | [SourceDisksNames] 26 | 1 = %DiskName%,,,"" 27 | 28 | [SourceDisksFiles] 29 | fakevm.sys = 1,, 30 | 31 | ;***************************************** 32 | ; Install Section 33 | ;***************************************** 34 | 35 | [Manufacturer] 36 | %ManufacturerName%=Standard,NTx86 37 | 38 | [Standard.NTx86] 39 | %fakevm.DeviceDesc%=fakevm_Device, Root\fakevm ; TODO: edit hw-id 40 | 41 | [fakevm_Device.NT] 42 | CopyFiles=Drivers_Dir 43 | 44 | [Drivers_Dir] 45 | fakevm.sys 46 | 47 | ;-------------- Service installation 48 | [fakevm_Device.NT.Services] 49 | AddService = fakevm,%SPSVCINST_ASSOCSERVICE%, fakevm_Service_Inst 50 | 51 | ; -------------- fakevm driver install sections 52 | [fakevm_Service_Inst] 53 | DisplayName = %fakevm.SVCDESC% 54 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 55 | StartType = 3 ; SERVICE_DEMAND_START 56 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 57 | ServiceBinary = %12%\fakevm.sys 58 | 59 | ; 60 | ;--- fakevm_Device Coinstaller installation ------ 61 | ; 62 | 63 | [DestinationDirs] 64 | fakevm_Device_CoInstaller_CopyFiles = 11 65 | 66 | [fakevm_Device.NT.CoInstallers] 67 | AddReg=fakevm_Device_CoInstaller_AddReg 68 | CopyFiles=fakevm_Device_CoInstaller_CopyFiles 69 | 70 | [fakevm_Device_CoInstaller_AddReg] 71 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller01009.dll,WdfCoInstaller" 72 | 73 | [fakevm_Device_CoInstaller_CopyFiles] 74 | WdfCoInstaller01009.dll 75 | 76 | [SourceDisksFiles] 77 | WdfCoInstaller01009.dll=1 ; make sure the number matches with SourceDisksNames 78 | 79 | [fakevm_Device.NT.Wdf] 80 | KmdfService = fakevm, fakevm_wdfsect 81 | [fakevm_wdfsect] 82 | KmdfLibraryVersion = 1.9 83 | 84 | [Strings] 85 | SPSVCINST_ASSOCSERVICE= 0x00000002 86 | ManufacturerName="" ;TODO: Replace with your manufacturer name 87 | ClassName="Samples" ; TODO: edit ClassName 88 | DiskName = "fakevm Installation Disk" 89 | fakevm.DeviceDesc = "fakevm 
Device" 90 | fakevm.SVCDESC = "fakevm Service" 91 | -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/fakevm/Release/vc140.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/fakevm/vstudio_fakevm/fakevm/Release/vc140.pdb -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/fakevm/driver.c: --------------------------------------------------------------------------------
/*
 * fakevm kernel driver: makes a physical host look like a VMware / VirtualBox guest
 * by hooking three system services in the SSDT (NtOpenKeyEx, NtQueryAttributesFile,
 * NtCreateFile) and answering lookups for well-known guest-tool artifacts as if they
 * existed. The hooks are toggled from user mode through IOCTLs on \\.\fakevm.
 *
 * NOTE(review): the code is 32-bit x86 only - inline __asm, ULONG-sized addresses,
 * "* 4" table stride - which matches the NTx86-only INF shipped next to it.
 */
#include   // NOTE(review): the header name is missing here because the rendered page stripped the angle-bracketed include; driver.h is not shown on this page either
#include "driver.h"

// NOTE(review): declared as a narrow char pointer, but every use below stores L"..."
// wide literals in it and passes it to wcsstr() (see my_NtQueryAttributesFile).
typedef char * string;

//Define IOCTL codes (all METHOD_IN_DIRECT, no input/output buffer is used)
#define IOCTL_VMWARE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_IN_DIRECT, FILE_READ_DATA | FILE_WRITE_DATA)
#define IOCTL_VBOX CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_IN_DIRECT, FILE_READ_DATA | FILE_WRITE_DATA)
#define IOCTL_HOOKALL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_IN_DIRECT, FILE_READ_DATA | FILE_WRITE_DATA)
#define IOCTL_UNHOOKALL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_IN_DIRECT, FILE_READ_DATA | FILE_WRITE_DATA)


//Global state variables used to switch on/off checks.
// FAKE_VMWARE / FAKE_VBOX are flipped by my_IOCTLControl and read by the hook
// routines on every call; HOOKED records whether the SSDT entries are replaced.
// None of them is synchronized - they are plain BOOLEANs read from arbitrary threads.
BOOLEAN FAKE_VMWARE = TRUE;
BOOLEAN FAKE_VBOX = TRUE;
BOOLEAN HOOKED = FALSE;

// The structure of the SSDT.

typedef struct SystemServiceDescriptorTable
{
PULONG ServiceTableBase;         // array of service routine addresses, indexed by service number
PULONG ServiceCounterTableBase;
ULONG NumberOfServices;
PUCHAR ParamTableBase;
} SSDT, *PSSDT;

extern PSSDT KeServiceDescriptorTable; // Pointer to the SSDT (exported by the kernel).

// Used to get the service number: reads the 32-bit immediate that follows the first
// opcode byte of a Zw* stub. NOTE(review): this assumes the x86 "mov eax, imm32" stub
// layout - TODO confirm for every kernel build this is deployed on. The trailing ';'
// makes each use expand to a double statement, which is harmless but unintended.
#define GetServiceNumber(Function)(*(PULONG)((PUCHAR)Function+1)); // Used to get the service number.

/*
NTSTATUS ZwOpenKeyEx(
_Out_ PHANDLE KeyHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ ULONG OpenOptions
);
*/

// Saved original SSDT entry, its address in the table, and a typed pointer to call through.
ULONG Orig_NtOpenKeyEx, SSDTAddress_NtOpenKeyEx;
typedef NTSTATUS(*prototype_NtOpenKeyEx)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, ULONG);
prototype_NtOpenKeyEx fnNtOpenKeyEx = NULL;

/*
NTSTATUS NtQueryAttributesFile(
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PFILE_BASIC_INFORMATION FileInformation
);
*/

ULONG Orig_NtQueryAttributesFile, SSDTAddress_NtQueryAttributesFile;
typedef NTSTATUS(*prototype_NtQueryAttributesFile)(POBJECT_ATTRIBUTES, PFILE_BASIC_INFORMATION);
prototype_NtQueryAttributesFile fnNtQueryAttributesFile = NULL;

/*
NTSTATUS NtCreateFile(
_Out_ PHANDLE FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_ ULONG FileAttributes,
_In_ ULONG ShareAccess,
_In_ ULONG CreateDisposition,
_In_ ULONG CreateOptions,
_In_ PVOID EaBuffer,
_In_ ULONG EaLength
);
*/

ULONG Orig_NtCreateFile, SSDTAddress_NtCreateFile;
typedef NTSTATUS(*prototype_NtCreateFile)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, PLARGE_INTEGER, ULONG, ULONG, ULONG, ULONG, PVOID, ULONG);
prototype_NtCreateFile fnNtCreateFile = NULL;


/*
 * Disable the WP bit in CR0 register so the (read-only) SSDT page can be written.
 * NOTE(review): CR0 is per processor and nothing here raises IRQL or disables
 * interrupts, so a thread that is preempted and migrated to another CPU between
 * DisableWP() and EnableWP() would perform the table write with WP still set -
 * TODO confirm the callers are protected against that.
 */
void DisableWP() {
__asm {
push edx;
mov edx, cr0;
and edx, 0xFFFEFFFF;   // clear bit 16 (WP)
mov cr0, edx;
pop edx;
}
}

/*
 * Enable the WP bit in CR0 register (undoes DisableWP on the current processor).
 */
void EnableWP() {
__asm {
push edx;
mov edx, cr0;
or edx, 0x00010000;    // set bit 16 (WP)
mov cr0, edx;
pop edx;
}
}

//NtQueryAttributesFile custom function
/*
 * Hook for NtQueryAttributesFile.
 * If the queried name contains a VMware guest file (vmmouse.sys / vmhgfs.sys, when
 * FAKE_VMWARE is on) or one of the VirtualBox guest-addition files listed below
 * (when FAKE_VBOX is on), the function fills FileInformation with zeroed timestamps
 * and FILE_ATTRIBUTE_NORMAL and returns STATUS_SUCCESS without touching the file
 * system, so a caller probing for those files sees them as present. Every other
 * query is forwarded to the saved original routine.
 *
 * NOTE(review): ObjectAttributes and ObjectAttributes->ObjectName are dereferenced
 * without a NULL check, without probing and outside any __try block (contrast
 * my_NtCreateFile below). wcsstr() also expects a NUL-terminated string, which a
 * UNICODE_STRING Buffer does not guarantee, so the search may read past Length.
 */
NTSTATUS my_NtQueryAttributesFile(POBJECT_ATTRIBUTES ObjectAttributes, PFILE_BASIC_INFORMATION FileInformation)
{
if (FAKE_VMWARE && (wcsstr(ObjectAttributes->ObjectName->Buffer, L"vmmouse.sys") || wcsstr(ObjectAttributes->ObjectName->Buffer, L"vmhgfs.sys")))
{
// All-zero timestamps; HighPart/LowPart/QuadPart/u.* alias the same 8 bytes.
LARGE_INTEGER a;
a.HighPart = 0;
a.LowPart = 0;
a.QuadPart = 0;
a.u.HighPart = 0;
a.u.LowPart = 0;

FileInformation->ChangeTime = a;
FileInformation->CreationTime = a;
FileInformation->LastAccessTime = a;
FileInformation->LastWriteTime = a;
FileInformation->FileAttributes = FILE_ATTRIBUTE_NORMAL;
return STATUS_SUCCESS;
}
else if (FAKE_VBOX)
{
// Table of VirtualBox guest-addition files whose presence is faked.
// NOTE(review): 'string' is char *, yet wide literals are stored here and the
// array is handed to wcsstr() - the types do not match.
string filenames[17];
filenames[0] = L"C:\\WINDOWS\\system32\\vboxdisp.dll";
filenames[1] = L"C:\\WINDOWS\\system32\\vboxhook.dll";
filenames[2] = L"C:\\WINDOWS\\system32\\vboxmrxnp.dll";
filenames[3] = L"C:\\WINDOWS\\system32\\vboxogl.dll";
filenames[4] = L"C:\\WINDOWS\\system32\\vboxoglarrayspu.dll";
filenames[5] = L"C:\\WINDOWS\\system32\\vboxoglcrutil.dll";
filenames[6] = L"C:\\WINDOWS\\system32\\vboxoglerrorspu.dll";
filenames[7] = L"C:\\WINDOWS\\system32\\vboxoglfeedbackspu.dll";
filenames[8] = L"C:\\WINDOWS\\system32\\vboxoglpackspu.dll";
filenames[9] = L"C:\\WINDOWS\\system32\\vboxoglpassthroughspu.dll";
filenames[10] = L"C:\\WINDOWS\\system32\\vboxservice.exe";
filenames[11] = L"C:\\WINDOWS\\system32\\vboxtray.exe";
filenames[12] = L"C:\\WINDOWS\\system32\\VBoxControl.exe";
filenames[13] = L"C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys";
filenames[14] = L"C:\\WINDOWS\\system32\\drivers\\VBoxGuest.sys";
filenames[15] = L"C:\\WINDOWS\\system32\\drivers\\VBoxSF.sys";
filenames[16] = L"C:\\WINDOWS\\system32\\drivers\\VBoxVideo.sys";
int i = 0;
for (i = 0; i < 17; i++)
{
// Case-sensitive substring match against the full path the caller asked for.
if (wcsstr(ObjectAttributes->ObjectName->Buffer, filenames[i]))
{
LARGE_INTEGER a;
a.HighPart = 0;
a.LowPart = 0;
a.QuadPart = 0;
a.u.HighPart = 0;
a.u.LowPart = 0;

FileInformation->ChangeTime = a;
FileInformation->CreationTime = a;
FileInformation->LastAccessTime = a;
FileInformation->LastWriteTime = a;
FileInformation->FileAttributes = FILE_ATTRIBUTE_NORMAL;
return STATUS_SUCCESS;
}
}
// No VirtualBox artifact matched: ask the real implementation.
return fnNtQueryAttributesFile(ObjectAttributes, FileInformation);
}
else
{
return fnNtQueryAttributesFile(ObjectAttributes, FileInformation);
}
}

//NtOpenKeyEx custom function
/*
 * Hook for NtOpenKeyEx.
 * Reports success for opens of the VMware Tools key (FAKE_VMWARE) and of the
 * VirtualBox ACPI-table, service and Guest Additions keys (FAKE_VBOX); all other
 * opens go to the saved original routine.
 *
 * NOTE(review): the two faked branches return STATUS_SUCCESS without ever writing
 * *KeyHandle (the "TBD" below), so the caller gets a success status together with an
 * uninitialized handle. The same unguarded dereference of ObjectAttributes /
 * ObjectName->Buffer as in my_NtQueryAttributesFile applies here.
 */
NTSTATUS my_NtOpenKeyEx(PHANDLE KeyHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, ULONG OpenOptions)
{
if (FAKE_VMWARE && wcsstr(ObjectAttributes->ObjectName->Buffer, L"SOFTWARE\\VMware, Inc.\\VMware Tools") != NULL)
{
//TBD: set KeyHandle
return STATUS_SUCCESS;
}
else if(FAKE_VBOX && (wcsstr(ObjectAttributes->ObjectName->Buffer, L"HARDWARE\\ACPI\\DSDT\\VBOX__") != NULL
|| wcsstr(ObjectAttributes->ObjectName->Buffer, L"HARDWARE\\ACPI\\FADT\\VBOX__") != NULL
|| wcsstr(ObjectAttributes->ObjectName->Buffer, L"HARDWARE\\ACPI\\RSDT\\VBOX__") != NULL
|| wcsstr(ObjectAttributes->ObjectName->Buffer, L"ControlSet001\\Services\\VBoxGuest") != NULL
|| wcsstr(ObjectAttributes->ObjectName->Buffer, L"ControlSet001\\Services\\VBoxMouse") != NULL
|| wcsstr(ObjectAttributes->ObjectName->Buffer, L"ControlSet001\\Services\\VBoxService") != NULL
|| wcsstr(ObjectAttributes->ObjectName->Buffer, L"ControlSet001\\Services\\VBoxSF") != NULL
|| wcsstr(ObjectAttributes->ObjectName->Buffer, L"ControlSet001\\Services\\VBoxVideo") != NULL
|| wcsstr(ObjectAttributes->ObjectName->Buffer, L"SOFTWARE\\Oracle\\VirtualBox Guest Additions") != NULL))
{
//TBD: set KeyHandle
return STATUS_SUCCESS;
}
else
{
return fnNtOpenKeyEx(KeyHandle, DesiredAccess, ObjectAttributes, OpenOptions);
}
}

//Custom NtCreateFile function
/*
 * Hook for NtCreateFile.
 * Opens whose name contains "VBox" (FAKE_VBOX) or "HGFS" / "vmci" (FAKE_VMWARE) are
 * redirected to \??\C:\Windows\win.ini with the caller's original access, share and
 * disposition parameters, so an open of a guest-tools device appears to succeed.
 * Everything else, and any access violation raised while inspecting the caller's
 * parameters, falls through to the saved original routine.
 *
 * NOTE(review): "VBox" is a substring of "VBoxMiniRdDN", so the second test is
 * redundant. The redirected open uses OBJ_KERNEL_HANDLE and no
 * OBJ_FORCE_ACCESS_CHECK: the caller's rights are therefore not checked against
 * win.ini, and a kernel handle is not usable by a user-mode caller - confirm this is
 * the intended outcome.
 */
NTSTATUS my_NtCreateFile(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength)
{
__try
{
if (FAKE_VBOX && (wcsstr(ObjectAttributes->ObjectName->Buffer, L"VBox") != NULL
|| wcsstr(ObjectAttributes->ObjectName->Buffer, L"VBoxMiniRdDN") != NULL))
{
UNICODE_STRING uniName;
OBJECT_ATTRIBUTES objAttr;
RtlInitUnicodeString(&uniName, L"\\??\\C:\\Windows\\win.ini");
InitializeObjectAttributes(&objAttr, &uniName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
return ZwCreateFile(FileHandle, DesiredAccess, &objAttr, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
}
else if(FAKE_VMWARE && (wcsstr(ObjectAttributes->ObjectName->Buffer, L"HGFS") != NULL || wcsstr(ObjectAttributes->ObjectName->Buffer, L"vmci") != NULL))
{
UNICODE_STRING uniName;
OBJECT_ATTRIBUTES objAttr;
RtlInitUnicodeString(&uniName, L"\\??\\C:\\Windows\\win.ini");
InitializeObjectAttributes(&objAttr, &uniName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
return ZwCreateFile(FileHandle, DesiredAccess, &objAttr, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
}
else
{
return fnNtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
}
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
// Bad caller pointers: let the real NtCreateFile validate and fail them.
return fnNtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
}
}

/*
 * Put the three saved original addresses back into the SSDT and clear HOOKED.
 * Assumes HookFunctions() ran first (DriverEntry guarantees that on a successful
 * load); otherwise the SSDTAddress_* globals are still 0 and the exchanges would
 * write through a NULL pointer.
 * NOTE(review): InterlockedExchange is handed a ULONG where it expects a pointer to
 * a volatile LONG (implicit integer-to-pointer conversion, 32-bit only), and no
 * in-flight call into the hook routines is waited for before the entries change.
 */
void UnHookFunctions()
{
// Disable write protection.
DisableWP();

// Unhook the SSDT.
InterlockedExchange(SSDTAddress_NtOpenKeyEx, (ULONG)Orig_NtOpenKeyEx);
InterlockedExchange(SSDTAddress_NtQueryAttributesFile, (ULONG)Orig_NtQueryAttributesFile);
InterlockedExchange(SSDTAddress_NtCreateFile, (ULONG)Orig_NtCreateFile);
HOOKED = FALSE;
// Restore write protection.
EnableWP();
}

/*
 * Install the three hooks, once (no-op while HOOKED is TRUE):
 *   1. obtain each service number (from the Zw* stub, or a fixed index),
 *   2. compute the entry's address in ServiceTableBase (4-byte entries, x86),
 *   3. save the current entry as Orig_* / fn* for the hooks to call through,
 *   4. swap in the my_* routine.
 * NOTE(review): 0xd9 is a hard-coded service index for NtQueryAttributesFile; SSDT
 * indices differ between Windows versions, so on any build other than the one this
 * was written against the swap would replace an unrelated system service.
 */
void HookFunctions()
{
if (!HOOKED)
{
ULONG ServiceNumber_NtQueryAttributesFile;
ULONG ServiceNumber_NtOpenKeyEx;
ULONG ServiceNumber_NtCreateFile;

// Get the service number.
ServiceNumber_NtOpenKeyEx = GetServiceNumber(ZwOpenKeyEx);
//ServiceNumber_NtQueryAttributesFile = GetServiceNumber(ZwQueryAttributesFile); //ZwQueryAttributesFile is undefined, need to use hardcoded index
ServiceNumber_NtQueryAttributesFile = 0xd9;
ServiceNumber_NtCreateFile = GetServiceNumber(ZwCreateFile);
// Disable write protection.
DisableWP();

//Hook the address

//Get the address of function in SSDT
SSDTAddress_NtOpenKeyEx = (ULONG)KeServiceDescriptorTable->ServiceTableBase + ServiceNumber_NtOpenKeyEx * 4;
SSDTAddress_NtQueryAttributesFile = (ULONG)KeServiceDescriptorTable->ServiceTableBase + ServiceNumber_NtQueryAttributesFile * 4;
SSDTAddress_NtCreateFile = (ULONG)KeServiceDescriptorTable->ServiceTableBase + ServiceNumber_NtCreateFile * 4;

//Store the value stored at the address - original function value
Orig_NtOpenKeyEx = *(PULONG)SSDTAddress_NtOpenKeyEx;
Orig_NtQueryAttributesFile = *(PULONG)SSDTAddress_NtQueryAttributesFile;
Orig_NtCreateFile = *(PULONG)SSDTAddress_NtCreateFile;

//Typed pointers to the original routines, used by the my_* hooks to call through.
fnNtOpenKeyEx = (prototype_NtOpenKeyEx)Orig_NtOpenKeyEx;
fnNtQueryAttributesFile = (prototype_NtQueryAttributesFile)Orig_NtQueryAttributesFile;
fnNtCreateFile = (prototype_NtCreateFile)Orig_NtCreateFile;

//Replace function pointer in SSDT
InterlockedExchange(SSDTAddress_NtOpenKeyEx, (ULONG)my_NtOpenKeyEx);
InterlockedExchange(SSDTAddress_NtQueryAttributesFile, (ULONG)my_NtQueryAttributesFile);
InterlockedExchange(SSDTAddress_NtCreateFile, (ULONG)my_NtCreateFile);

HOOKED = TRUE;
// Restore write protection.

EnableWP();
}
}

/*
 * Dispatch routine installed for every major function the driver does not handle
 * (including IRP_MJ_CREATE / IRP_MJ_CLOSE, see DriverEntry).
 * NOTE(review): it returns without completing the IRP (no IoCompleteRequest and no
 * pending mark) - confirm that opening and closing \\.\fakevm from user mode actually
 * completes, since my_IOCTLControl is only reachable through such an open.
 */
NTSTATUS my_UnSupportedFunction(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
//DbgPrint("my_UnSupportedFunction Called \r\n");
return STATUS_NOT_SUPPORTED;
}

/*
IOCTL control function.
IOCTL codes used to switch ON/OFF faking VMs:
  IOCTL_VMWARE / IOCTL_VBOX toggle the corresponding FAKE_* flag,
  IOCTL_HOOKALL / IOCTL_UNHOOKALL install / remove the SSDT hooks.
No data is transferred; Information is always 0.

NOTE(review): the HOOKALL and UNHOOKALL cases never set my_status, so the request is
completed with STATUS_NOT_SUPPORTED even though the action was carried out; the
user-mode caller sees a failed DeviceIoControl. Unknown control codes also fall out
of the switch with that status, which is the intended default.
NOTE(review): the device is created in DriverEntry without a security descriptor, so
whoever can open \\.\fakevm can unhook or switch off the protection from user mode -
consider IoCreateDeviceSecure with an SDDL limited to administrators.
*/

NTSTATUS my_IOCTLControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
NTSTATUS my_status = STATUS_NOT_SUPPORTED;
PIO_STACK_LOCATION pIoStackIrp = NULL;
ULONG dwDataWritten = 0;

pIoStackIrp = IoGetCurrentIrpStackLocation(Irp);
if (pIoStackIrp) /* Should Never Be NULL! */
{
switch (pIoStackIrp->Parameters.DeviceIoControl.IoControlCode)
{
case IOCTL_VMWARE:
FAKE_VMWARE = !FAKE_VMWARE;
my_status = STATUS_SUCCESS;
break;
case IOCTL_VBOX:
FAKE_VBOX = !FAKE_VBOX;
my_status = STATUS_SUCCESS;
break;
case IOCTL_HOOKALL:
HookFunctions();
break;
case IOCTL_UNHOOKALL:
UnHookFunctions();
break;
}
}

Irp->IoStatus.Status = my_status;
Irp->IoStatus.Information = dwDataWritten;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return my_status;
}

/*
 * Driver unload: remove the hooks, then the DOS symbolic link and the device object.
 * NOTE(review): the UNICODE_STRING declaration follows executable statements (not
 * valid C89; MSVC in C mode accepts it only on newer toolsets), and nothing waits for
 * threads that may still be executing inside the my_* routines before the code
 * pages go away - TODO confirm unload is safe while the hooks can be in use.
 */
void my_Unload(PDRIVER_OBJECT pDriverObject)
{
DbgPrint("Unload routine called.\n");

UnHookFunctions();

UNICODE_STRING usDosDeviceName;
RtlInitUnicodeString(&usDosDeviceName, L"\\DosDevices\\fakevm");
IoDeleteSymbolicLink(&usDosDeviceName);
IoDeleteDevice(pDriverObject->DeviceObject);
}

/*
 * Driver entry point.
 * Creates \Device\fakevm (FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, no SDDL),
 * routes every major function to my_UnSupportedFunction except IRP_MJ_DEVICE_CONTROL
 * (my_IOCTLControl), registers my_Unload, links \DosDevices\fakevm to the device and
 * installs the SSDT hooks immediately, so the fakes are active from load time with
 * both FAKE_* flags TRUE.
 * Returns the IoCreateDevice status; pRegistryPath is unused.
 * NOTE(review): the IoCreateSymbolicLink result is ignored, and "Flags |= 0" is a
 * no-op (presumably a placeholder for DO_BUFFERED_IO / DO_DIRECT_IO that was never
 * filled in - the IOCTLs are METHOD_IN_DIRECT but carry no buffers).
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{

UNICODE_STRING usDriverName, usDosDeviceName;
PDEVICE_OBJECT pDeviceObject = NULL;
NTSTATUS my_status = STATUS_SUCCESS;
HOOKED = FALSE;
unsigned int uiIndex = 0;

DbgPrint("DriverEntry Called.\n");

RtlInitUnicodeString(&usDriverName, L"\\Device\\fakevm");
RtlInitUnicodeString(&usDosDeviceName, L"\\DosDevices\\fakevm");

my_status = IoCreateDevice(pDriverObject, 0, &usDriverName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);

if (my_status == STATUS_SUCCESS)
{
/* MajorFunction: is a list of function pointers for entry points into the driver. */
for (uiIndex = 0; uiIndex < IRP_MJ_MAXIMUM_FUNCTION; uiIndex++)
pDriverObject->MajorFunction[uiIndex] = my_UnSupportedFunction;

//set IOCTL control function
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = my_IOCTLControl;

/* DriverUnload is required to be able to dynamically unload the driver. */
pDriverObject->DriverUnload = my_Unload;
pDeviceObject->Flags |= 0;
pDeviceObject->Flags &= (~DO_DEVICE_INITIALIZING);

/* Create a Symbolic Link to the device. MyDriver -> \Device\MyDriver */
IoCreateSymbolicLink(&usDosDeviceName, &usDriverName);
HookFunctions();

}

return my_status;
}
-------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/fakevm/driver.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/fakevm/vstudio_fakevm/fakevm/driver.h -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/fakevm/fakevm.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; fakevm.inf 3 | ; 4 | 5 | [Version] 6 | Signature="$WINDOWS NT$" 7 | Class=Sample ; TODO: edit Class 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid 9 | Provider=%ManufacturerName% 10 | CatalogFile=fakevm.cat 11 | DriverVer= ; TODO: set DriverVer in stampinf property pages 12 | 13 | [DestinationDirs] 14 | DefaultDestDir = 12 15 | 16 | ; ================= Class section ===================== 17 | 18 | [ClassInstall32] 19 | Addreg=SampleClassReg 20 | 21 | [SampleClassReg] 22 | HKR,,,0,%ClassName% 23 | HKR,,Icon,,-5 24 | 25 | [SourceDisksNames] 26 | 1 = %DiskName%,,,"" 27 | 28 | 
[SourceDisksFiles] 29 | fakevm.sys = 1,, 30 | 31 | ;***************************************** 32 | ; Install Section 33 | ;***************************************** 34 | 35 | [Manufacturer] 36 | %ManufacturerName%=Standard,NT$ARCH$ 37 | 38 | [Standard.NT$ARCH$] 39 | %fakevm.DeviceDesc%=fakevm_Device, Root\fakevm ; TODO: edit hw-id 40 | 41 | [fakevm_Device.NT] 42 | CopyFiles=Drivers_Dir 43 | 44 | [Drivers_Dir] 45 | fakevm.sys 46 | 47 | ;-------------- Service installation 48 | [fakevm_Device.NT.Services] 49 | AddService = fakevm,%SPSVCINST_ASSOCSERVICE%, fakevm_Service_Inst 50 | 51 | ; -------------- fakevm driver install sections 52 | [fakevm_Service_Inst] 53 | DisplayName = %fakevm.SVCDESC% 54 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 55 | StartType = 3 ; SERVICE_DEMAND_START 56 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 57 | ServiceBinary = %12%\fakevm.sys 58 | 59 | ; 60 | ;--- fakevm_Device Coinstaller installation ------ 61 | ; 62 | 63 | [DestinationDirs] 64 | fakevm_Device_CoInstaller_CopyFiles = 11 65 | 66 | [fakevm_Device.NT.CoInstallers] 67 | AddReg=fakevm_Device_CoInstaller_AddReg 68 | CopyFiles=fakevm_Device_CoInstaller_CopyFiles 69 | 70 | [fakevm_Device_CoInstaller_AddReg] 71 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller" 72 | 73 | [fakevm_Device_CoInstaller_CopyFiles] 74 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll 75 | 76 | [SourceDisksFiles] 77 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames 78 | 79 | [fakevm_Device.NT.Wdf] 80 | KmdfService = fakevm, fakevm_wdfsect 81 | [fakevm_wdfsect] 82 | KmdfLibraryVersion = $KMDFVERSION$ 83 | 84 | [Strings] 85 | SPSVCINST_ASSOCSERVICE= 0x00000002 86 | ManufacturerName="" ;TODO: Replace with your manufacturer name 87 | ClassName="Samples" ; TODO: edit ClassName 88 | DiskName = "fakevm Installation Disk" 89 | fakevm.DeviceDesc = "fakevm Device" 90 | fakevm.SVCDESC = "fakevm Service" 91 | 
-------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/fakevm/fakevm.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | Debug 22 | ARM 23 | 24 | 25 | Release 26 | ARM 27 | 28 | 29 | Debug 30 | ARM64 31 | 32 | 33 | Release 34 | ARM64 35 | 36 | 37 | 38 | {41EC602A-EF9F-4E25-9729-48E98D270998} 39 | {1bc93793-694f-48fe-9372-81e2b05556fd} 40 | v4.5 41 | 12.0 42 | Debug 43 | Win32 44 | fakevm 45 | 46 | 47 | 48 | Windows7 49 | true 50 | WindowsKernelModeDriver10.0 51 | Driver 52 | KMDF 53 | Desktop 54 | true 55 | 56 | 57 | Windows7 58 | false 59 | WindowsKernelModeDriver10.0 60 | Driver 61 | KMDF 62 | Desktop 63 | 64 | 65 | Windows10 66 | true 67 | WindowsKernelModeDriver10.0 68 | Driver 69 | KMDF 70 | Universal 71 | 72 | 73 | Windows10 74 | false 75 | WindowsKernelModeDriver10.0 76 | Driver 77 | KMDF 78 | Universal 79 | 80 | 81 | Windows10 82 | true 83 | WindowsKernelModeDriver10.0 84 | Driver 85 | KMDF 86 | Universal 87 | 88 | 89 | Windows10 90 | false 91 | WindowsKernelModeDriver10.0 92 | Driver 93 | KMDF 94 | Universal 95 | 96 | 97 | Windows10 98 | true 99 | WindowsKernelModeDriver10.0 100 | Driver 101 | KMDF 102 | Universal 103 | 104 | 105 | Windows10 106 | false 107 | WindowsKernelModeDriver10.0 108 | Driver 109 | KMDF 110 | Universal 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | DbgengKernelDebugger 122 | 123 | 124 | DbgengKernelDebugger 125 | 126 | 127 | DbgengKernelDebugger 128 | 129 | 130 | DbgengKernelDebugger 131 | 132 | 133 | DbgengKernelDebugger 134 | 135 | 136 | DbgengKernelDebugger 137 | 138 | 139 | DbgengKernelDebugger 140 | 141 | 142 | DbgengKernelDebugger 143 | 144 | 145 | 146 | false 147 | 148 | 149 | 150 | 151 | false 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 
166 | 167 | 168 | 169 | -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/fakevm/fakevm.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {8E41214B-6785-4CFE-B992-037D68949A14} 18 | inf;inv;inx;mof;mc; 19 | 20 | 21 | 22 | 23 | Driver Files 24 | 25 | 26 | 27 | 28 | Source Files 29 | 30 | 31 | 32 | 33 | Header Files 34 | 35 | 36 | -------------------------------------------------------------------------------- /fakevm/vstudio_fakevm/fakevm/fakevm.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | True 6 | x86 7 | x86 8 | CN="WDKTestCert csaby,130890535146694165" | C992B908C81355153A62D0DDAD628F28B497C4E2 9 | True 10 | HardwareId 11 | Root\fakevm 12 | 13 | C:\Program Files (x86)\Windows Kits\10\Testing\Tests\Utilities\DefaultDriverPackageInstallationTask.dll 14 | 15 | Microsoft.DriverKit.DefaultDriverPackageInstallationClass.PerformDefaultDriverPackageInstallation 16 | 17 | 18 | -------------------------------------------------------------------------------- /mutex_grabber/lock.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/theevilbit/vaccination/37bec5af25055627187446c88e1b85e080950e21/mutex_grabber/lock.ico -------------------------------------------------------------------------------- /mutex_grabber/mutex_grabber.py: -------------------------------------------------------------------------------- 1 | """ 2 | Create mutexes on a PC so malware won't install itself 3 | 4 | """ 5 | 6 | 
import re
import time
import sys

import json          # NOTE(review): unused in this file
import requests
from bs4 import BeautifulSoup

from ctypes import *            # only windll is used below
from ctypes.wintypes import *   # NOTE(review): nothing from wintypes is used

# NOTE(review): Python 2 module names (Tkinter, tkFileDialog, print statements) are
# mixed with the Python 3 'tkinter' name on the next line; this only imports cleanly
# where both names resolve - confirm the intended interpreter.
import Tkinter as tk
from tkinter import BOTH, YES
from tkFileDialog import askopenfilename
from tkFileDialog import asksaveasfilename

import traceback

from functools import partial
from multiprocessing import Queue
import multiprocessing


def add_to_fifo(l,element):
    """
    Append element to l, first dropping the oldest entry when l already holds 50.

    l is mutated in place and also returned. Nothing trims a list that is already
    longer than 50 (only equality is checked), so callers must only grow it here.
    """
    if len(l) == 50:
        l.pop(0)
    l.append(element)
    return l

def check_mutex(q):
    """
    Function to track malwr.com for new analysis pages, and if there is a new, open it and extract mutexes.

    Runs forever in a child process (see MutexTracker.__init__): every 60 seconds
    the analysis index is fetched, each not-yet-visited analysis id (kept in a
    50-entry FIFO) is downloaded, and the tokens found in the page's
    "summary_mutexes" element are pushed onto q as mutex names. Any exception from
    the network or the parser is printed with a traceback and the loop continues.

    NOTE(review): names arrive from a scraped web page and reach CreateMutexA
    unvalidated (add_mutex); whitespace splitting also breaks names that contain
    spaces. requests.get is called without a timeout, so a stalled connection blocks
    the loop indefinitely. known_malware_sig is never used.
    """
    visited = []
    user_agent = {'User-agent': 'Mozilla/5.0'}
    known_malware_sig = 'File has been identified by at least one AntiVirus on VirusTotal as malicious'
    print '[*] Mutex grabber started...'
    while True:
        try:
            result = requests.get('https://malwr.com/analysis/', headers=user_agent)
            print '[+] Refreshed main page'
            matches = re.findall(r'analysis/[a-zA-Z0-9]*/',result.content)
            if matches:
                for match in matches:
                    try:
                        if match not in visited:
                            visited = add_to_fifo(visited,match)
                            analysis_result = requests.get('https://malwr.com/' + match, headers=user_agent)
                            print '[+] Downloaded analysis: ' + 'https://malwr.com/' + match
                            parsed_analysis_result = BeautifulSoup(analysis_result.content, "html.parser")
                            summary_mutexes = parsed_analysis_result.find(id="summary_mutexes")
                            # str() of the element (or "None" if absent) split on whitespace;
                            # only tokens glued to a line-break tag are treated as names.
                            summary_mutexes = str(summary_mutexes).split()
                            for entry in summary_mutexes:
                                if 'br' in entry:
                                    # NOTE(review): the first replace() argument renders as an
                                    # empty string on this page - the HTML line-break tag that the
                                    # 'br' test above keys on was most likely stripped when the
                                    # file was rendered; confirm against the repository.
                                    mutex = entry.replace('','').strip()
                                    q.put(mutex)
                    except Exception,ex:
                        template = "An exception of type {0} occurred. Arguments:\n{1!r}"
                        message = template.format(type(ex).__name__, ex.args)
                        print message
                        traceback.print_exc(file=sys.stdout)
        except Exception,ex:
            template = "An exception of type {0} occurred. Arguments:\n{1!r}"
            message = template.format(type(ex).__name__, ex.args)
            print message
            traceback.print_exc(file=sys.stdout)
        time.sleep(60)

class MutexTracker(tk.Frame):
    """
    Tk frame listing the grabbed mutex names, each with an "Active" checkbox (the
    process holds a named mutex of that name) and a "Whitelisted" checkbox (never
    create it). Names are fed in from the check_mutex child process through a
    multiprocessing.Queue, or loaded from a file.

    Attributes set in __init__:
      canvas/frame/vsb   scrollable container holding the per-mutex rows
      row                next free grid row inside frame
      q, new_process     queue and child process running check_mutex
      mutexes            name -> mutex handle, or None when not held
      whitelist          list of names that must not be created
      temp_mutex_file / temp_whitelist_file   files written on exit
    """
    def __init__(self, *args, **kwargs):
        # NOTE(review): *args/**kwargs are ignored and the module-level 'root' is used
        # as the parent, so the parent and text= passed from __main__ are dropped and
        # the class cannot be instantiated from another module.
        tk.Frame.__init__(self, root, background="#ffffff")
        self.canvas = tk.Canvas(root, borderwidth=0, background="#ffffff")
        self.frame = tk.Frame(self.canvas, background="#ffffff")
        self.canvas.pack(fill=BOTH, expand=YES)
        self.frame.pack(fill=BOTH, expand=YES)
        self.vsb = tk.Scrollbar(root, orient="vertical", command=self.canvas.yview)
        self.canvas.configure(yscrollcommand=self.vsb.set)

        self.vsb.pack(side="right", fill="y")
        self.canvas.pack(side="left", fill="both", expand=True)
        self.canvas.create_window((4,4), window=self.frame, anchor="nw", tags="self.frame")

        # NOTE(review): the event names render as empty strings here; the angle-bracketed
        # Tk event sequences were most likely stripped by the page rendering.
        self.frame.bind("", self.on_frameconfigure)
        self.canvas.bind_all("", self._on_mousewheel)
        # Closing the window must release handles and persist state, not just destroy.
        root.protocol("WM_DELETE_WINDOW", self.on_exit)

        self.grid_columnconfigure(1, weight=1)

        tk.Button(self, text='Load mutexes from file', command=self.open_mutex_file).grid(row=0, column=0, sticky="ew")
        tk.Button(self, text='Save mutexes to file', command=self.save_mutex_file).grid(row=1, column=0, sticky="ew")
        tk.Button(self, text='Load whitelist from file', command=self.open_whitelist_file).grid(row=2, column=0, sticky="ew")
        tk.Button(self, text='Save whitelist to file', command=self.save_whitelist_file).grid(row=3, column=0, sticky="ew")
        tk.Button(self, text='Show whitelist', command=self.show_whitelist).grid(row=4, column=0, sticky="ew")

        tk.Label(self.frame, text="Name", anchor="w").grid(row=0, column=0, sticky="ew")
        tk.Label(self.frame, text="Active", anchor="w").grid(row=0, column=1, sticky="ew")
        tk.Label(self.frame, text="Whitelisted", anchor="w").grid(row=0, column=2, sticky="ew")

        self.row = 1
        self.q = Queue()
        # The scraper runs in its own process; on Windows the main module is re-imported
        # by the child, which is why the Tk root lives under __main__ below.
        self.new_process = multiprocessing.Process(
            target=check_mutex,
            args=(self.q,))
        self.new_process.start()
        # Polling the queue is scheduled now but only fires once mainloop() runs,
        # by which time the attributes below exist.
        self.after(100, self.listen_for_result)

        self.mutexes = {}
        self.whitelist = []
        self.temp_mutex_file = 'temp_mutex.txt'
        self.temp_whitelist_file = 'temp_whitelist.txt'
        self.clear_temp_files()

    def on_exit(self):
        """
        When you click to exit, this function is called: persist the mutex list and the
        whitelist to the temp files (in the current directory), stop the scraper
        process and destroy the Tk root. Held mutex handles are released with the process.
        """
        self.save_mutexes(self.temp_mutex_file)
        self.save_mutex_whitelist(self.temp_whitelist_file)
        self.new_process.terminate()
        root.destroy()

    def on_frameconfigure(self, event):
        '''
        Reset the scroll region to encompass the inner frame
        '''
        self.canvas.configure(scrollregion=self.canvas.bbox("all"))

    def _on_mousewheel(self, event):
        '''
        Scroll window on mousewheel event (delta is a multiple of 120 on Windows)
        '''
        self.canvas.yview_scroll(-1*(event.delta/120), "units") #Windows
        #self.canvas.yview_scroll(-1*(event.delta), "units") #osx

    def show_whitelist(self):
        """
        Open a plain top-level window listing the current whitelist, one name per line.
        """
        toplevel = tk.Toplevel()
        toplevel.iconbitmap(r'lock.ico')
        toplevel.title('Mutex grabber')
        toplevel.configure(background='white')
        label = tk.Label(toplevel, text='\n'.join(self.whitelist), height=0, width=100)
        label.pack()

    def add_mutex(self, mutex):
        """
        Add a row for a new mutex name and, unless the name is whitelisted, create and
        hold the named mutex. Names already present in self.mutexes are ignored.

        NOTE(review): CreateMutexA is called with ctypes' default int return type, so
        on a 64-bit interpreter the HANDLE is truncated before it is stored and later
        passed to CloseHandle. GetLastError is not checked either: ERROR_ALREADY_EXISTS
        (another process - possibly the malware itself - already owns that name) is
        reported as "Created", which is exactly the case a defender would want flagged.
        """
        if mutex in self.mutexes:
            pass
        else:
            row = self.row
            name_label = tk.Label(self.frame, text=mutex, anchor="w")
            wl_state = tk.IntVar()
            mutex_state = tk.IntVar()
            mutex_state_cb = tk.Checkbutton(self.frame, variable=mutex_state, onvalue=True, offvalue=False)
            whitelist_state_cb = tk.Checkbutton(self.frame, variable=wl_state, onvalue=True, offvalue=False)
            # Both handlers get the row's widgets and variables bound up front.
            action_state = partial(self.mutex_state_change, mutex, mutex_state_cb, whitelist_state_cb, mutex_state, wl_state)
            action_whitelist = partial(self.whitelist_state_change, mutex, mutex_state_cb, whitelist_state_cb, mutex_state, wl_state)
            mutex_state_cb.configure(command=action_state)
            whitelist_state_cb.configure(command=action_whitelist)
            name_label.grid(row=row, column=0, sticky="ew")
            mutex_state_cb.grid(row=row, column=1, sticky="ew")
            whitelist_state_cb.grid(row=row, column=2, sticky="ew")
            self.row += 1
            if mutex in self.whitelist:
                # select() only updates the widget; it does not run the command callback.
                self.mutexes[mutex] = None
                whitelist_state_cb.select()
            else:
                # bInitialOwner=True: this process holds the mutex for its lifetime.
                hMutex = windll.kernel32.CreateMutexA(None,True,mutex)
                if hMutex:
                    self.mutexes[mutex] = hMutex
                    mutex_state_cb.select()
                    print '[+] Created mutex: ' + mutex
                else:
                    self.mutexes[mutex] = None
                    print '[-] Couldn\'t create mutex: ' + mutex

    def whitelist_state_change(self, mutex, mutex_state_cb, whitelist_state_cb, mutex_state, wl_state):
        """
        "Whitelisted" checkbox handler. Checking adds the name to the whitelist and,
        if the mutex is currently held, closes its handle and clears the "Active" box;
        unchecking removes the name from the whitelist (the mutex is not re-created).

        NOTE(review): load_mutex_whitelist can put a name in the list without ticking
        the row's box, in which case ticking it here appends a duplicate and a later
        untick removes only one copy.
        """
        if wl_state.get() == 1:
            self.whitelist.append(mutex)
            if mutex_state.get() == 1:
                success = windll.kernel32.CloseHandle(self.mutexes[mutex])
                if success:
                    self.mutexes[mutex] = None
                    mutex_state_cb.deselect()
        elif wl_state.get() == 0:
            self.whitelist.remove(mutex)

    def mutex_state_change(self, mutex, mutex_state_cb, whitelist_state_cb, mutex_state, wl_state):
        '''
        Enable/disable a given mutex (update checkbox and create/disable it).

        "Active" checkbox handler. A whitelisted name can never be activated (the box
        is forced back off). Otherwise unticking closes the held handle and ticking
        creates the mutex again; if CreateMutexA fails the box is cleared.
        '''
        if wl_state.get() == 1:
            mutex_state_cb.deselect()
        elif wl_state.get() == 0:
            if mutex_state.get() == 0:
                success = windll.kernel32.CloseHandle(self.mutexes[mutex])
                if success:
                    self.mutexes[mutex] = None
                    mutex_state_cb.deselect()
            if mutex_state.get() == 1:
                hMutex = windll.kernel32.CreateMutexA(None,True,mutex)
                if hMutex:
                    self.mutexes[mutex] = hMutex
                else:
                    mutex_state_cb.deselect()


    def clear_temp_files(self):
        """
        Truncate (create) both temp files in the current directory at startup; they are
        only written again by on_exit.
        """
        f = open(self.temp_mutex_file,'w')
        f.close()
        f = open(self.temp_whitelist_file,'w')
        f.close()

    def open_mutex_file(self):
        """
        Button handler - opening file with mutexes (one name per line)
        """
        filename = askopenfilename()
        if filename:
            self.load_mutexes(filename)

    def save_mutex_file(self):
        """
        Button handler - Saving mutexes to file
        """
        filename = asksaveasfilename()
        if filename:
            self.save_mutexes(filename)

    def open_whitelist_file(self):
        """
        Button handler - opening file with whitelisted mutexes (one name per line)
        """
        filename = askopenfilename()
        if filename:
            self.load_mutex_whitelist(filename)

    def save_whitelist_file(self):
        """
        Button handler - Saving whitelist to a file
        """
        filename = asksaveasfilename()
        if filename:
            self.save_mutex_whitelist(filename)

    def load_mutexes(self, filename):
        '''
        load mutexes from file: each stripped line goes through add_mutex, so the
        mutexes are created as they are read.
        '''
        with open(filename,'r') as f:
            for line in f:
                self.add_mutex(line.strip())

    def save_mutexes(self, filename):
        '''
        Save current mutexes to a file, one name per line. Every known name is written,
        whether or not its mutex is currently held.
        '''
        with open(filename,'w') as f:
            for mutex in self.mutexes:
                f.write(mutex + '\n')

    def load_mutex_whitelist(self, filename):
        '''
        load mutex whitelist from file, skipping names already listed. Rows that already
        exist for these names are not updated (see whitelist_state_change).
        '''
        with open(filename,'r') as f:
            for line in f:
                mutex = line.strip()
                if mutex in self.whitelist:
                    pass
                else:
                    self.whitelist.append(mutex)

    def save_mutex_whitelist(self, filename):
        '''
        Save current whitelist to a file, one name per line
        '''
        with open(filename,'w') as f:
            for item in self.whitelist:
                f.write(item + '\n')

    def listen_for_result(self):
        '''
        Check if there is something in the queue (non-blocking get) and re-arm the
        100 ms poll in every branch so the loop never stops.

        NOTE(review): the empty-queue case is recognised by the exception's class name
        rather than by catching Queue.Empty directly; any other error is printed with a
        traceback and polling continues.
        '''
        try:
            mutex = self.q.get(0)
            self.add_mutex(mutex)
            self.after(100, self.listen_for_result)
        except Exception,ex:
            if type(ex).__name__ == 'Empty':
                self.after(100, self.listen_for_result)
                pass
            else:
                template = "An exception of type {0} occurred. Arguments:\n{1!r}"
                message = template.format(type(ex).__name__, ex.args)
                print message
                traceback.print_exc(file=sys.stdout)
                self.after(100, self.listen_for_result)

if __name__ == "__main__":
    # 'root' is read as a module global by MutexTracker; text= is not used by it.
    root = tk.Tk()
    MutexTracker(root, text="Mutex list").pack(side="top", fill="both", expand=True, padx=10, pady=10)
    root.iconbitmap(r'lock.ico')
    root.title('Mutex grabber')
    root.configure(background='white')
    root.mainloop()
-------------------------------------------------------------------------------- /mutex_grabber/wannacry_mutex.txt: -------------------------------------------------------------------------------- 1 | MsWinZonesCacheCounterMutexA 2 | Global\MsWinZonesCacheCounterMutexA0 --------------------------------------------------------------------------------
